manualshive.com logo in svg

Cisco Catalyst 6509, Software Manual

The Cisco Catalyst 6509 is a highly efficient networking device designed for enterprise-level connectivity and scalability. To maximize its potential, you can easily obtain the comprehensive "Power Manual" from our website, where you can download the manual for free. Explore the full capabilities of this remarkable device at manualshive.com.

Share
Download
background image

 

15-49

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7

OL-8978-04

Chapter 15      Configuring Access Control

Configuring VACLs

Note

Because the VACLs have an implicit deny feature at the end of the list, 

all

 other traffic is denied.

This example shows how to create an ACE for IPACL1 to allow the traffic from all source addresses:

Console> (enable) 

set security acl ip IPACL1 permit any

IPACL1 editbuffer modified. Use ‘commit’ command to apply changes.

Console> (enable) 

This example shows how to create an ACE for IPACL1 to block the traffic from source address 171.3.8.2:

Console> (enable) 

set security acl ip IPACL1 deny host 171.3.8.2

IPACL1 editbuffer modified.  Use ‘commit’ command to apply changes.

Console> (enable) 

This example shows how to display the contents of the edit buffer:

Console> (enable) 

show security acl info IPACL1 editbuffer

set security acl ip IPACL1

-----------------------------------------------------------------

1. permit ip host 172.20.53.4 any

2. permit ip any any

3. deny ip host 171.3.8.2 any

Console> (enable) 

This example shows how to commit the ACEs to NVRAM:

Console> (enable) 

commit security acl all

ACL commit in progress.

ACL IPACL1 is committed to hardware.

Console> (enable) 

Note

For more information about the 

commit security acl all

 command, see the 

“Committing ACLs” section 

on page 15-53

.

Enter the 

show security acl info IPACL1

 command to verify that the changes were committed. If this 

VACL has not been mapped to a VLAN, enter the 

set security acl map

 command to map it to a VLAN.

This example shows how to create an ACE for IPACL2 to block the traffic from source address 
172.20.3.2 and place this ACE before ACE number 2 in the VACL. Optionally, you can enter the 

modify

 

keyword to replace an existing ACE with a new ACE. Enter the 

show security acl info

 

acl_name

 

[

editbuffer

] command to see the current ACE listing that is stored in NVRAM (enter the 

editbuffer

 

keyword to see edit buffer contents). 

Console> (enable) 

set security acl ip IPACL2 deny host 172.20.3.2 before 2 

IPACL2 editbuffer modified. Use ‘commit’ command to apply changes.

Console> (enable)

This example shows how to create an ACE for IPACL2 to redirect IP traffic to port 3/1 from source 
address 1.2.3.4 with the destination address of 255.255.255.255. The host can be used as an abbreviation 
for a source and source-wildcard of 0.0.0.0. This ACE also specifies the following:

precedence

—IP precedence values that range between zero for low priority and seven for high 

priority.

tos

—Type of service levels that range between 0 and 15.

Note

The ToS values are bits 3 through 6 of the IP ToS byte as defined by RFC 1349. The precedence values are 
bits 0 through 2 as defined by RFC 791.

Summary of Contents for Catalyst 6509

Page 1: ...ems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Catalyst 6500 Series Switch Software Configuration Guide Software Release 8 7 Text Part Number OL 8978 04 ...

Page 2: ...Cisco TelePresence Cisco Unified Computing System Cisco WebEx DCE Flip Channels Flip for Good Flip Mino Flipshare Design Flip Ultra Flip Video Flip Video Design Instant Broadband and Welcome to the Human Network are trademarks Changing the Way We Work Live Play and Learn Cisco Capital Cisco Capital Design Cisco Financed Stylized Cisco Store and Flip Gift Card are service marks and Access Registrar...

Page 3: ... IP Address and Default Gateway 3 1 Understanding How the Switch Management Interfaces Work 3 1 Understanding How Automatic IP Configuration Works 3 2 Automatic IP Configuration Overview 3 2 Understanding DHCP 3 3 Understanding BOOTP and RARP 3 4 Preparing to Configure the IP Address and Default Gateway 3 4 Booting the MSFC for the First Time 3 4 Booting from a Melody Compact Flash Adapter Card 3 ...

Page 4: ...lt Port Enable State 4 9 Setting the Port Debounce Timer 4 10 Modifying the Port Debounce Timer Setting 4 11 Configuring a Timeout Period for Ports in errdisable State 4 12 Configuring Automatic Module Shutdown 4 14 Configuring Port Error Detection 4 16 Configuring Redundant Flex Links 4 17 Configuring Jumbo Frames 4 19 Checking Connectivity 4 21 C H A P T E R 5 Configuring Ethernet VLAN Trunks 5 ...

Page 5: ...Guidelines 6 4 Interaction with Other Features Guidelines 6 4 Understanding How the Port Aggregation Protocol Works 6 5 PAgP Modes 6 6 PAgP Administrative Groups 6 7 PAgP EtherChannel IDs 6 7 Configuring an EtherChannel Using PAgP 6 7 Specifying the EtherChannel Protocol 6 7 Configuring an EtherChannel 6 8 Setting the EtherChannel Port Mode 6 8 Setting the EtherChannel Port Path Cost 6 9 Setting t...

Page 6: ...ning Tree Protocols Work 7 2 Understanding How a Topology is Created 7 3 Understanding How a Switch Becomes the Root Switch 7 3 Understanding How Bridge Protocol Data Units Work 7 4 Calculating and Assigning Port Costs 7 4 Spanning Tree Port States 7 6 Understanding How PVST and MISTP Modes Work 7 12 PVST Mode 7 13 Rapid PVST 7 13 MISTP Mode 7 13 MISTP PVST Mode 7 14 Understanding How Bridge Ident...

Page 7: ...iguring a Root Switch 7 44 Configuring a Primary Root Switch 7 45 Configuring a Secondary Root Switch 7 46 Configuring a Root Switch to Improve Convergence 7 46 Using Root Guard Preventing Switches from Becoming Root 7 48 Displaying Spanning Tree BPDU Statistics 7 48 Configuring Spanning Tree Timers on the Switch 7 49 Configuring the Hello Time 7 50 Configuring the Forward Delay Time 7 50 Configur...

Page 8: ...st Works 9 2 Understanding How PortFast BPDU Guard Works 9 2 Understanding How PortFast BPDU Filtering Works 9 3 Understanding How UplinkFast Works 9 3 Understanding How BackboneFast Works 9 4 Understanding How Loop Guard Works 9 6 Configuring PortFast on the Switch 9 8 Enabling PortFast on an Access Port 9 8 Enabling Spanning Tree PortFast on a Trunk Port 9 9 Disabling PortFast 9 10 Resetting Por...

Page 9: ...arent Mode 10 8 Disabling VTP Using the Off Mode 10 8 Enabling VTP Version 2 10 9 Disabling VTP Version 2 10 10 Enabling VTP Pruning 10 10 Disabling VTP Pruning 10 12 Displaying VTP Statistics 10 12 Understanding How VTP Version 3 Works 10 12 VTP Version 3 Authentication 10 13 VTP Version 3 Per Port Configuration 10 14 VTP Version 3 Domains Modes and Partitions 10 14 VTP Version 3 Modes 10 17 VTP ...

Page 10: ...11 14 Understanding VLAN Mapping 11 14 Configuration Guidelines and Restrictions 11 14 Enabling or Disabling VLAN Mapping on an Individual Port 11 17 Configuring VLAN Mapping on an Individual Port 11 17 Clearing the VLAN Mapping 11 18 Displaying the VLAN Mapping Information 11 19 Configuring Private VLANs on the Switch 11 19 Understanding How Private VLANs Work 11 20 Private VLAN Configuration Gui...

Page 11: ... the NetFlow Statistics 13 11 Default CEF for PFC2 PFC3A Configuration 13 12 CEF for PFC2 PFC3A Configuration Guidelines and Restrictions 13 13 Configuring CEF for PFC2 PFC3A on the Switch 13 14 Displaying the Layer 3 Switching Entries on the Supervisor Engine 13 15 Configuring CEF on MSFC2 MSFC3 13 16 Specifying CEF Maximum Routes 13 16 Configuring IP Multicast on MSFC2 MSFC3 13 18 Displaying IP ...

Page 12: ... ACLs 15 3 QoS ACLs 15 3 Cisco IOS ACLs 15 3 VACLs 15 4 Applying Cisco IOS ACLs and VACLs on VLANs 15 7 Bridged Packets 15 7 Routed Packets 15 8 Multicast Packets 15 8 Using Cisco IOS ACLs in your Network 15 9 Hardware and Software Handling of Cisco IOS ACLs with PFC 15 10 Hardware and Software Handling of Cisco IOS ACLs with PFC2 and PFC3A PFC3B PFC3BXL 15 13 Using VACLs with Cisco IOS ACLs 15 17...

Page 13: ...ash Memory 15 65 Running with the VACL and QoS ACL Configuration in Flash Memory 15 67 Moving the VACL and QoS ACL Configuration Back to NVRAM 15 67 Redundancy Synchronization Support 15 67 Interacting with High Availability 15 68 Configuring Port Based ACLs 15 68 PACL Configuration Overview 15 68 PACL Configuration Guidelines 15 69 Configuring PACLs from the CLI 15 72 PACL Configuration Examples ...

Page 14: ...16 7 NDE Configuration Guidelines 16 7 Specifying an NDE Collector 16 9 Clearing an NDE Collector 16 10 Configuring NetFlow on the MSFC 16 10 Enabling NDE 16 11 Enabling and Disabling Bridged Flow Statistics on VLANs 16 12 Specifying a Destination Host Filter 16 13 Specifying a Destination and Source Subnet Filter 16 13 Specifying a Destination TCP UDP Port Filter 16 13 Specifying a Source Host an...

Page 15: ...8 3 Enabling MVRP on Individual Trunk Ports 18 4 Enabling MVRP Dynamic VLAN Creation 18 5 Configuring MVRP Registration 18 5 Configuring MVRP on Ports with STP Blocking State 18 7 Configuring the MVRP Timers 18 7 Enabling the Periodic Timer 18 8 Displaying MVRP Configuration Summary 18 8 Displaying MVRP Statistics 18 9 Displaying MVRP State Machines 18 10 Displaying MVRP Trunks 18 10 Disabling MVR...

Page 16: ...uring Dynamic Port VLAN Membership with Auxiliary VLANs 19 15 C H A P T E R 20 Checking Status and Connectivity 20 1 Checking the Module Status 20 2 Checking the Port Status 20 3 Displaying the Port MAC Address 20 4 Displaying the Duplicate MAC Entries in the CAM Table 20 5 Displaying Port Capabilities 20 6 Configuring the MAC Utilization Load Interval 20 6 Understanding How the MAC Utilization Lo...

Page 17: ...ent Protocols 20 39 Maintenance Domains 20 39 Maintenance Associations 20 40 Maintenance Points 20 40 CFM Configuration Guidelines and Restrictions 20 42 Configuring Metro Ethernet CFM 20 44 Configuring the Alarm Indication Signal 20 54 Understanding How CFM Works with 802 3ah Link OAM for AIS RDI 20 55 Ethernet Alarm Indication Signal 20 55 Ethernet Remote Defect Indication 20 56 ASI and RDI Conf...

Page 18: ...tem Prompt on the Switch 22 2 Setting the Static System Name and Prompt 22 2 Setting the System Contact and Location on the Switch 22 3 Setting the System Clock on the Switch 22 4 Creating a Login Banner on the Switch 22 4 Configuring a Login Banner 22 5 Clearing a Login Banner 22 5 Displaying or Suppressing the Cisco Systems Console Telnet Login Banner on the Switch 22 5 Defining Command Aliases ...

Page 19: ... Redundancy 23 1 Understanding How Supervisor Engine Redundancy Works 23 2 Configuring Redundant Supervisor Engines on the Switch 23 4 Synchronization Process Initiation 23 4 Redundant Supervisor Engine Configuration Guidelines and Restrictions 23 5 Verifying the Standby Supervisor Engine Status 23 5 Forcing a Switchover to the Standby Supervisor Engine 23 6 High Availability 23 8 Configuring Supe...

Page 20: ...nderstanding the ROM Monitor 25 2 Understanding the Configuration Register 25 2 Understanding the BOOT Environment Variable 25 3 Understanding the CONFIG_FILE Environment Variable 25 4 Default Switch Boot Configuration 25 5 Setting the Configuration Register 25 5 Setting the Boot Field in the Configuration Register 25 6 Setting the ROM Monitor Console Port Baud Rate 25 6 Setting CONFIG_FILE Recurr...

Page 21: ...ownloading the Software Images Using FTP or TFTP 27 5 Understanding How FTP and TFTP Software Image Downloads Work 27 5 Specifying the FTP Username and Password 27 6 Preparing to Download an Image Using FTP or TFTP 27 7 Downloading the Supervisor Engine Images Using FTP or TFTP 27 7 Downloading the Switching Module Images Using FTP or TFTP 27 8 FTP and TFTP Download Procedures Example 27 9 Uploadi...

Page 22: ...figuration Files 28 1 Working with the Configuration Files on the Switch 28 1 Creating and Using Configuration File Guidelines 28 2 Creating a Configuration File 28 2 Downloading the Configuration Files to the Switch Using TFTP 28 3 Uploading the Configuration Files to a TFTP Server 28 5 Copying the Configuration Files Using SCP or rcp 28 6 Downloading the Configuration Files from an rcp or SCP Se...

Page 23: ...9 11 Enabling and Disabling the System syslog Dump 29 11 Specifying the System syslog Dump Flash Device and Filename 29 12 Configuring CallHome 29 13 Disabling CallHome 29 15 C H A P T E R 30 Configuring DNS 30 1 Understanding How DNS Works 30 1 DNS Default Configuration 30 2 Configuring DNS on the Switch 30 2 Setting Up and Enabling DNS 30 2 Clearing a DNS Server 30 3 Clearing the DNS Domain Name...

Page 24: ...ng Host Tracking Information Option 33 5 Enabling the DHCP Snooping MAC Address Matching Option 33 6 Configuration Examples for DHCP Snooping 33 7 Specifying the DHCP Snooping Binding Limit on a Per Port Basis 33 11 Specifying the DHCP Snooping IP Address to MAC Address Binding on a Per Port Basis 33 12 Displaying DHCP Snooping Information 33 12 Displaying the Binding Table 33 12 Displaying the DH...

Page 25: ...g Configuration 36 2 Configuring Layer 3 Protocol Filtering on the Switch 36 2 Enabling Layer 3 Protocol Filtering 36 3 Disabling Layer 3 Protocol Filtering 36 3 C H A P T E R 37 Configuring the IP Permit List 37 1 Understanding How the IP Permit List Works 37 1 IP Permit List Default Configuration 37 2 Configuring the IP Permit List on the Switch 37 2 Adding IP Addresses to the IP Permit List 37 ...

Page 26: ...AC Address Monitoring 38 16 Specifying the Upper Threshold for MAC Address Monitoring 38 17 Clearing the Configuration for MAC Address Monitoring 38 17 Displaying the Configuration for the CAM Monitor 38 18 Displaying the Global Configuration for the CAM Monitor 38 18 C H A P T E R 39 Configuring the Switch Access Using AAA 39 1 Understanding How Authentication Works 39 2 Authentication Overview 3...

Page 27: ... Specifying When to Create Accounting Records 39 53 Specifying RADIUS Servers 39 53 Updating the Server 39 54 Suppressing Accounting 39 54 Configuring Accounting on the Switch 39 55 Accounting Default Configuration 39 55 Accounting Configuration Guidelines 39 55 Configuring Accounting 39 55 Accounting Example 39 58 C H A P T E R 40 Configuring 802 1X Authentication 40 1 Understanding How 802 1X Au...

Page 28: ...ing the Back End Authenticator to Host Retransmission Time for the EAP Request Frames 40 20 Setting the Back End Authenticator to Authentication Server Retransmission Time for the Transport Layer Packets 40 21 Setting the Back End Authenticator to Host Frame Retransmission Number 40 21 Setting the Critical Recovery Delay for an Authentication Feature 40 21 Resetting the 802 1X Configuration Parame...

Page 29: ...y Violation Mode 41 9 Enabling or Disabling MAC Authentication Bypass RADIUS Accounting 41 9 Configuring a PVLAN on a MAC Authentication Bypass Enabled Port 41 10 Configuring MAC Authentication Bypass on a PVLAN Port 41 11 Displaying MAC Authentication Bypass Information 41 11 Displaying the MAC Authentication Bypass Global Configuration 41 12 Configuring MAC Authentication Bypass with ACL Assignm...

Page 30: ... Host Aging is Tracked 43 2 Configuring IP Device Tracking Globally 43 2 Specifying the IP Device Tracking Interval 43 2 Specifying the IP Device Tracking Count 43 3 Configuring IP Device Tracking on a Port 43 3 Enabling or Disabling IP Device Tracking on a Port with 802 1x Authentication 43 4 Enabling or Disabling IP Device Tracking on a Port with MAC Authentication Bypass 43 4 Enabling or Disabl...

Page 31: ...nfiguring the Switch Fabric Modules 46 1 Understanding How the Integrated 720 Gbps Switch Fabric Works 46 2 Understanding How the External Switch Fabric Module Works 46 2 Forwarding Modes 46 3 Configuring and Monitoring the Integrated Switch Fabric and Switch Fabric Module on the Switch 46 4 Configuring a Fallback Option 46 4 Configuring the Switching Mode 46 5 Redundancy 46 6 Monitoring the Integ...

Page 32: ...Configuring SNMPv3 from an NMS 47 16 Configuring SNMPv3 from the CLI 47 17 C H A P T E R 48 Configuring RMON 48 1 Understanding How RMON Works 48 1 Enabling RMON on the Switch 48 2 Viewing the RMON Data 48 2 Supported RMON and RMON2 MIB Objects 48 3 C H A P T E R 49 Configuring SPAN RSPAN and the Mini Protocol Analyzer 49 1 Understanding How SPAN and RSPAN Work 49 1 SPAN Session 49 2 Destination P...

Page 33: ...t the Background Keyword 50 2 Running Switch TopN Reports with the Background Keyword 50 2 Running and Viewing Switch TopN Reports 50 3 C H A P T E R 51 Configuring Multicast Services 51 1 Understanding How Multicasting Works 51 1 Multicasting and Multicast Services Overview 51 2 Understanding How IGMP Snooping Works 51 2 Understanding How GMRP Works 51 6 Understanding How RGMP Works 51 6 Suppress...

Page 34: ...rt 51 23 Configuring GMRP Registration 51 23 Setting the GARP Timers 51 25 Displaying GMRP Statistics 51 26 Clearing GMRP Statistics 51 26 Disabling GMRP Globally on the Switch 51 27 Configuring Multicast Router Ports and Group Entries on the Switch 51 27 Specifying Multicast Router Ports 51 27 Configuring Multicast Groups 51 28 Clearing Multicast Router Ports 51 29 Clearing Multicast Group Entrie...

Page 35: ...tate of a Port 52 41 Configuring the CoS Value for a Port 52 41 Creating Policers 52 42 Deleting Policers 52 45 Creating or Modifying ACLs 52 45 Attaching an ACL to an Interface 52 56 Detaching an ACL from an Interface 52 57 Configuring PFC3 Egress DSCP Mutation 52 58 Configuring CoS to CoS Maps on 802 1Q Tunnel Ports 52 60 Mapping a CoS Value to a Host Destination MAC Address VLAN Pair 52 61 Dele...

Page 36: ...ictions 53 4 Global Automatic QoS Macro 53 6 Port Specific Automatic QoS Macro 53 9 CLI Interface for Automatic QoS 53 13 Detailed Automatic QoS Configuration Statements 53 18 Warning and Error Conditions 53 23 syslog Additions 53 25 Other Relevant syslog Messages 53 26 Summary of Automatic QoS Features 53 27 Using Automatic QoS in Your Network 53 28 C H A P T E R 54 Configuring ASLB 54 1 Hardware...

Page 37: ... 8 Understanding How VLANs Work 55 8 Understanding How CDP and VoIP Work 55 10 Configuring VoIP on a Switch 55 10 Voice Related CLI Commands 55 10 Configuring Per Port Power Management 55 11 Configuring the Auxiliary VLANs on Catalyst LAN Switches 55 20 Configuring the Access Gateways 55 23 Displaying the Active Call Information 55 29 Configuring QoS in the Cisco IP Phone 7960 55 31 Configuring a ...

Page 38: ... Series Switch Software Configuration Guide Release 8 7 OL 8978 04 C H A P T E R 56 Configuring the MSFC Cisco IOS Features 56 1 IP in IP Tunneling 56 1 IP in IP Configuration Guidelines 56 2 WCCP 56 2 A P P E N D I X A Acronyms A 1 ...

Page 39: ...ation is organized as follows Chapter Title Description Chapter 1 Product Overview Presents an overview of the Catalyst 6500 series switches Chapter 2 Command Line Interfaces Describes how to use the command line interface CLI Chapter 3 Configuring the Switch IP Address and Default Gateway Describes how to perform a baseline configuration of the switch Chapter 4 Configuring Ethernet Fast Ethernet ...

Page 40: ...mbership with VMPS Describes how to configure dynamic port VLAN membership on the switch using the VLAN Management Policy Server VMPS Chapter 20 Checking Status and Connectivity Describes how to display information about modules and switch ports and how to check connectivity using ping Telnet and IP traceroute Chapter 21 Configuring GOLD Describes how to configure the online diagnostics Chapter 22...

Page 41: ...o configure IP device tracking Chapter 44 Configuring Network Admission Control Describes how to configure Network Admission Control NAC Chapter 45 Configuring Unicast Flood Blocking Describes how to configure unicast flood blocking Chapter 47 Configuring SNMP Describes how to configure SNMP Chapter 48 Configuring RMON Describes how to configure Remote Monitoring RMON Chapter 49 Configuring SPAN R...

Page 42: ... specifically differentiated the term supervisor engine is used to refer to Supervisor Engine 1 Supervisor Engine 2 and Supervisor Engine 720 The term MSFC is used to refer to the MSFC MSFC2 and MSFC3 except where specifically differentiated This publication uses the following conventions Convention Description boldface font Commands command options and keywords are in boldface italic font Argumen...

Page 43: ...request and gathering additional information see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com en US docs general whatsnew whatsnew html Subscribe to the What s New in Cisco Product Documentation as a Really Simple Syndication RSS feed and set content to be delivered directly to your desktop using a re...

Page 44: ...xliv Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Preface ...

Page 45: ...dules software features protocols and MIBs that are supported by the Catalyst 6500 series switches Note Throughout this publication except where specifically differentiated the term supervisor engine is used to refer to Supervisor Engine 1 Supervisor Engine 2 Supervisor Engine 720 and Supervisor Engine 32 The term MSFC is used to refer to the MSFC MSFC2 MSFC2A and MSFC3 except where specifically d...

Page 46: ...1 2 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 1 Product Overview ...

Page 47: ...e Interface These sections describe the Catalyst CLI ROM Monitor Command Line Interface page 2 1 Switch Command Line Interface page 2 2 ROM Monitor Command Line Interface The ROM monitor is a ROM based program that executes upon platform power up reset or when a fatal exception occurs The system enters ROM monitor mode if the switch does not find a valid system image if the NVRAM configuration is ...

Page 48: ...e port or through a Telnet session These sections describe how to access the switch CLI Accessing the CLI through the Console Port page 2 2 Accessing the CLI through Telnet page 2 3 Accessing the CLI through the Console Port To access the switch CLI through the console port you must connect a console terminal to the console port through an EIA TIA 232 RS 232 cable Note For complete information on ...

Page 49: ... Cisco Systems Console Enter password Catalyst_1 Accessing the MSFC from the Switch These sections describe how to access the Multilayer Switch Feature Card MSFC from a directly connected console port or from a Telnet session Accessing the MSFC from the Console Port page 2 3 Accessing the MSFC from a Telnet Session page 2 4 See the MSFC Command Line Interface section on page 2 8 Accessing the MSFC...

Page 50: ...gine in slot 2 With the Supervisor Engine 720 the mod argument specifies the module number of the MSFC3 A module number of 15 indicates that the MSFC3 is installed on the Supervisor Engine 720 in slot 5 6 or 9 slot switches or slot 7 13 slot switches A module number of 16 indicates that the MSFC3 is installed on the Supervisor Engine 720 in slot 6 6 or 9 slot switches or slot 8 13 slot switches Th...

Page 51: ...word Console enable Designating Modules Ports and VLANs on the Command Line Switch commands are not case sensitive You can abbreviate commands and parameters as long as they contain enough letters to be distinguished from any other currently available commands or parameters Catalyst 6500 series switches are multimodule systems Commands that you enter from the CLI might apply to the entire system o...

Page 52: ...6 2 54 1 If you have configured IP aliases on the switch you can use IP aliases in place of the dotted decimal IP address This is true for most commands that use an IP address except for commands that define the IP address or IP alias For information on using IP aliases see the Defining IP Aliases on the Switch section on page 22 7 If DNS is configured on the switch you can use DNS host names in p...

Page 53: ...nd line Ctrl L Ctrl R Repeats the current command line on a new line Ctrl N or the down arrow key1 Enters the next command line in the history buffer Ctrl P or the up arrow key1 Enters the previous command line in the history buffer Ctrl U Ctrl X Deletes from the cursor to the beginning of the command line Ctrl W Deletes the last word typed Esc B Moves the cursor back one word Esc D Deletes from t...

Page 54: ...nds that are available to you depend on which mode you are currently in To get a list of the commands in a given mode type a question mark at the system prompt For more information see the Getting a List of Cisco IOS Commands and Syntax section on page 2 10 When you start a session on the switch you begin in user mode which is often called user EXEC mode Only a limited subset of the commands are a...

Page 55: ... press Ctrl Z Table 2 5 Frequently Used Cisco IOS Command Modes Mode Description of Use How to Access Prompt User EXEC Connect to remote devices change terminal settings on a temporary basis perform basic tests and display system information Log in Router Privileged EXEC enable Set operating parameters The privileged command set includes the commands in user EXEC mode as well as the configure comm...

Page 56: ...mory from TFTP network host terminal Configure from the terminal To redisplay a command that you previously entered press the up arrow key or Ctrl P You can continue to press the up arrow key to see the last 20 commands that you entered Tip If you are having trouble entering a command check the system prompt and enter the question mark for a list of available commands You might be in the wrong com...

Page 57: ...t down perform this task in privileged mode Task Command Step 1 If you are in the switch CLI enter the MSFC CLI Console switch console mod Step 2 At the EXEC prompt enter enable mode Router enable Step 3 At the privileged EXEC prompt enter global configuration mode Router configure terminal Step 4 Enter the commands to configure routing Refer to the appropriate configuration tasks later in this ch...

Page 58: ...2 12 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 2 Command Line Interfaces MSFC Command Line Interface ...

Page 59: ...efault Gateway Configuration page 3 6 Features Supported by the sc0 and sc1 In Band Interfaces page 3 6 Assigning the In Band sc0 and sc1 Interface IP Address page 3 7 Configuring the Default Gateways page 3 8 Configuring the SLIP sl0 Interface on the Console Port page 3 9 Using BOOTP DHCP or RARP to Obtain an IP Address page 3 10 Renewing and Releasing a DHCP Assigned IP Address page 3 11 Underst...

Page 60: ...e switch Understanding How Automatic IP Configuration Works These sections describe how the switch can obtain its IP configuration automatically Automatic IP Configuration Overview page 3 2 Understanding DHCP page 3 3 Understanding BOOTP and RARP page 3 4 Note These sections apply only to the sc0 interface The automatic IP configuration features do not apply to the sc1 or sl0 interfaces Automatic ...

Page 61: ...r all of the switch ports are online The switch always requests an infinite lease time in the DHCPDISCOVER message If a DHCP or Bootstrap Protocol BOOTP server responds to the request the switch takes appropriate action If a DHCPOFFER message is received from a DCHP server the switch processes all the supported options that are contained in the message Table 3 1 shows the supported DHCP options Ot...

Page 62: ...ion as appropriate IP address for the switch sc0 and sc1 interfaces only Subnet mask number of subnet bits sc0 and sc1 interfaces only Optional Broadcast address sc0 and sc1 interfaces only VLAN membership sc0 and sc1 interfaces only SLIP and SLIP destination addresses sl0 interface only Interface connection type In band sc0 and sc1 interfaces Configure these interfaces when assigning an IP addres...

Page 63: ...alyst software release 8 7 1 supports Melody Compact Flash memory replacing the traditional bootflash memory on Supervisor Engine 720 When a Melody adapter card is detected by the Supervisor engine the bootdisk file system is loaded instead of the traditional bootflash file system The configuration commands that list bootflash as an option will list the bootdisk if the Melody adapter card is prese...

Page 64: ...ation Features Supported by the sc0 and sc1 In Band Interfaces Table 3 3 lists the features that are supported by the sc0 and sc1 in band interfaces Table 3 2 Switch IP Address and Default Gateway Default Configuration Feature Default Value In band sc0 interface IP address subnet mask and broadcast address set to 0 0 0 0 Assigned to VLAN 1 In band sc1 interface IP address subnet mask and broadcast...

Page 65: ...nterface Console enable set interface sc0 172 20 52 124 29 Interface sc0 IP address and netmask set Console enable set interface sc0 5 Interface sc0 vlan set Console enable This example shows how to specify the VLAN assignment assign an IP address specify the subnet mask in dotted decimal format and verify the configuration In this example the sc0 interface is configured the sc1 and sl0 interfaces...

Page 66: ...st primary gateway that is configured is the primary default gateway The switch sends all off network IP traffic to the primary default gateway If connectivity to the primary gateway is lost the switch attempts to use the backup gateways in the order that they were configured The switch sends periodic ping messages to determine whether each default gateway is up or down If connectivity to the prim...

Page 67: ...e SLIP connection When the SLIP connection is enabled and SLIP is attached on the console port an EIA TIA 232 terminal cannot connect through the console port If you are connected to the switch CLI through the console port and you enter the slip attach command you will lose the console port connection Use Telnet to access the switch enter privileged mode and enter the slip detach command to restor...

Page 68: ... detach SLIP detached on Console port Console enable Using BOOTP DHCP or RARP to Obtain an IP Address Note For complete information on how the switch uses BOOTP DHCP or RARP to obtain its IP configuration see the Understanding How Automatic IP Configuration Works section on page 3 2 To use BOOTP DHCP or RARP to obtain an IP address for the switch perform this task Task Command Step 1 Make sure tha...

Page 69: ... 0 0 sc0 flags 63 UP BROADCAST RUNNING vlan 1 inet 172 20 25 244 netmask 255 255 255 0 broadcast 172 20 25 255 dhcp server 172 20 25 254 Console Renewing and Releasing a DHCP Assigned IP Address If you are using DHCP for IP address assignment you can perform either of these DHCP related tasks Renew the lease on a DHCP assigned IP address Release the lease on a DHCP assigned IP address To renew or ...

Page 70: ... Address and Default Gateway Renewing and Releasing a DHCP Assigned IP Address output truncated This example shows how to release the lease on a DHCP assigned IP address Console enable set interface sc0 dhcp release Releasing IP address Console enable Sending DHCP packet with address 00 90 0c 5a 8f ff Done Console enable ...

Page 71: ...hernet segments last only for the duration of the packet New connections can be made between different segments for the next packet Catalyst 6500 series switches solve congestion problems that are caused by high bandwidth devices and a large number of users by assigning each device for example a server to its own 10 100 1000 or 10000 Mbps segment Because each Ethernet port on the switch represents...

Page 72: ...MAC address of the sending station with the port on which it was received Building the Address Table Catalyst 6500 series switches build the address table by using the source address of the received frames When the switch receives a frame for a destination address that is not listed in its address table it floods the frame to all ports of the same VLAN except for the port that received the frame W...

Page 73: ...he ports on both ends of a link must have the same setting The link will not come up if the ports at each end of the link are set inconsistently port negotiation is enabled on one port and is disabled on the other port Table 4 1 shows the four possible port negotiation configurations and the resulting link status for each configuration Default Ethernet Fast Ethernet Gigabit Ethernet and 10 Gigabit...

Page 74: ... Autonegotiate duplex for 100 Mbps Fast Ethernet ports Full duplex for 1000 Mbps Gigabit Ethernet ports Full duplex for 10000 Mbps Gigabit Ethernet ports Flow control 10 Gigabit Ethernet Flow control set to on for receive Rx and off for transmit Tx 1 Flow control Gigabit Ethernet Flow control set to off for receive Rx and desired for transmit Tx Flow control other Ethernet Flow control set to off ...

Page 75: ...connector default To use the RJ 45 connector you must change the configuration To configure port 2 on Supervisor Engine 720 perform this task in privileged mode This example shows how to configure port 2 on Supervisor Engine 720 to use the RJ 45 connector Console enable set port media type 5 2 rj45 Port 5 2 media type set to RJ 45 Console enable Setting the Port Name You can set the port names on ...

Page 76: ...s the port behave the same as a 10 100 Mbps port that has the speed set to auto The speed and duplex are negotiated the 1000 Mbps speed does not take part in the negotiation To set the port speed of an Ethernet port perform this task in privileged mode This example shows how to set the port speed to 100 Mbps on port 2 2 Console enable set port speed 2 2 100 Port 2 2 speed set to 100 Mbps Console e...

Page 77: ...000 command The link comes up even if the speed is autonegotiated at 10 Mbps or 100 Mbps in auto mode However if you enter the set port speed mod port 10 command or the set port speed mod port 100 command the link fails to come up if the wrong cable is used Auto MDI MDIX has always been enabled on the following modules WS X6548 RJ 45 WS X6548 RJ 21 WS X6148 GE TX WS X6548 GE TX Auto MDI MDIX works...

Page 78: ...ir functions To configure flow control perform this task in privileged mode This example shows how to turn on transmit and receive flow control and verify the flow control configuration Console enable set port flowcontrol 3 1 send on Port 3 1 will send flowcontrol to far end Table 4 3 Ethernet Flow Control Keyword Functions Keywords Function receive on1 1 On WS X6502 10 Gigabit Ethernet ports flow...

Page 79: ... enable set port negotiation 2 1 enable Port 2 1 negotiation enabled Console enable show port negotiation 2 1 Port Link Negotiation 2 1 enabled Console enable To disable port negotiation perform this task in privileged mode This example shows how to disable port negotiation and verify the configuration Console enable set port negotiation 2 1 disable Port 2 1 negotiation disabled Console enable sho...

Page 80: ...e set default portstatus disable Default port status set to disable Console enable This example shows how to display the port enable state Console enable show default portstatus disable Console enable Setting the Port Debounce Timer You can set the port debounce timer on a per port basis for Ethernet Fast Ethernet Gigabit Ethernet and 10 Gigabit Ethernet ports When you set the port debounce timer ...

Page 81: ...ebounce timer setting is possible only on fiber Gigabit Ethernet ports You can increase the port debounce timer value in increments of 100 up to 5000 milliseconds You do not need to enable the debounce timer on the port before adjusting the timer value Specifying any timer value that is greater than the default value in the disabled state enables the debounce timer To modify the port debounce time...

Page 82: ...e port is enabled you have not disabled the port the port status is shown as errdisable If a port goes into errdisable state it is reenabled automatically after a selected time interval With the timeout enhancement you can manually prevent a port from being enabled by setting the errdisable timeout for that port to disable using the set port errdisable timeout mod port disable command A global tim...

Page 83: ...er it goes into the errdisable state Console enable set port errdisable timeout 3 3 disable Successfully disabled errdisable timeout for port 3 3 Console enable This example shows how to enable errdisable timeout for BPDU guard causes Console enable set errdisable timeout enable bpdu guard Successfully enabled errdisable timeout for bpdu guard Console enable This example shows how to enable errdis...

Page 84: ...an disrupt traffic load balancing By enabling the automatic module shutdown you can disable a module that continually resets due to any hardware or software problems and limit the number of times that the module resets itself before shutting down completely You can also shut down a module manually using the set module disable or the set module power down commands After the module shuts down you mu...

Page 85: ...utoshut command the output stays the same You do not have to enable an automatic module shutdown in order to track the number of resets You can track resets even if you do not enable an automatic module shutdown The runtime counters are cleared only for these conditions When you enter the clear autoshut command When the switch resets At module power up At supervisor engine switchover Note An autom...

Page 86: ...dule shutdown frequency to the default setting Console enable clear autoshut frequency This example shows how to reset the automatic module shutdown period to the default setting Console enable clear autoshut period This example shows how to display the automatic module shutdown configuration and current status information Console enable show autoshut AutoShut Frequency 3 times AutoShut Period 5 m...

Page 87: ...r convergence time depends on the number of VLANs and the number of MAC addresses You cannot enable STP on the flex link ports but you can run STP on other ports in the switch Tip We recommend that you use redundant flex links for configurations that have multiple Layer 2 access switches with common VLANs that are connected to a Layer 2 concentrator switch through two uplink ports These sections d...

Page 88: ...ode This example shows how to specify port 3 48 as the flex link active port and port 3 47 as the flex link backup peer port Console enable set port flexlink 3 48 peer 3 47 Flexlink is successfully set on the port 3 48 and 3 47 Console enable Displaying the Port Configuration of the Flex Links To display information about the flex link port configuration perform this task in normal mode This examp...

Page 89: ...ze is increased to 9216 bytes To enable jumbo frames on a per port basis follow these guidelines Note The WS X6148 and WS X6548 GE TX modules do not support jumbo frames Jumbo frames are supported on the following All Ethernet ports Trunk ports EtherChannels sc0 interface jumbo frames are passed through the sc0 interface as a nonconfigurable default no CLI configuration is necessary These switchin...

Page 90: ... set port jumbo 2 1 enable Jumbo frames enabled on port 2 1 Console enable show port jumbo Jumbo frames MTU size is 9216 bytes Jumbo frames enabled on port s 2 1 To disable jumbo frames on an Ethernet port perform this task in privileged mode This example shows how to disable jumbo frames on a port Console enable set port jumbo 2 1 disable Jumbo frames disabled on port 2 1 Console enable Configuri...

Page 91: ...traceroute to somehost company com 10 1 2 3 30 hops max 40 byte packets 1 engineering 1 company com 173 31 192 206 2 ms 1 ms 1 ms 2 engineering 2 company com 173 31 196 204 2 ms 3 ms 2 ms 3 gateway_a company com 173 16 1 201 6 ms 3 ms 3 ms 4 somehost company com 10 1 2 3 3 ms 2 ms Console enable Task Command Step 1 Access VLAN interface configuration mode Router config interface vlan vlan_ID Step ...

Page 92: ...Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 4 Configuring Ethernet Fast Ethernet Gigabit Ethernet and 10 Gigabit Ethernet Switching Setting the Port Configuration ...

Page 93: ...Configuring a Trunk Link page 5 5 Example VLAN Trunk Configurations page 5 14 Understanding How VLAN Trunks Work These sections describe how VLAN trunks work on the Catalyst 6500 series switches Trunking Overview page 5 1 Trunking Modes and Encapsulation Type page 5 2 802 1Q Trunk Configuration Guidelines and Restrictions page 5 4 Trunking Overview A trunk is a point to point link between one or m...

Page 94: ...le 5 1 lists the trunking modes that are used with the set trunk command and describes how they function on Fast Ethernet Gigabit Ethernet and 10 Gigabit Ethernet ports Table 5 2 lists the encapsulation types that are used with the set trunk command and describes how they function on Ethernet ports You can enter the show port capabilities command to determine which encapsulation types that a parti...

Page 95: ...r Nontrunk on isl Local Nontrunk Neighbor ISL trunk Local ISL trunk Neighbor ISL trunk Local ISL trunk Neighbor ISL trunk Local ISL trunk Neighbor ISL trunk Local 1Q trunk1 Neighbor ISL trunk1 Local Nontrunk Neighbor ISL trunk Local Nontrunk Neighbor ISL trunk Local ISL trunk Neighbor ISL trunk Local ISL trunk Neighbor ISL trunk desirable isl Local Nontrunk Neighbor Nontrunk Local ISL trunk Neighb...

Page 96: ...he switches exchange spanning tree BPDUs on each VLAN that is allowed on the trunks The BPDUs on the native VLAN of the trunk are sent untagged to the reserved IEEE 802 1D spanning tree multicast MAC address 01 80 C2 00 00 00 The BPDUs on all other VLANs on the trunk are sent tagged to the reserved Cisco Shared Spanning Tree SSTP multicast MAC address 01 00 0c cc cc cd auto dot1q Local Nontrunk Ne...

Page 97: ...Q switches The non Cisco 802 1Q cloud separating the Cisco switches is treated as a single broadcast segment between all switches that are connected to the non Cisco 802 1Q cloud through the 802 1Q trunks Make sure that the native VLAN is the same on all of the 802 1Q trunks connecting the Cisco switches to the non Cisco 802 1Q cloud If you are connecting multiple Cisco switches to a non Cisco 802...

Page 98: ...16 1998 22 16 39 DTP 5 Port 1 1 has become isl trunk 06 16 1998 22 16 40 PAGP 5 Port 1 1 left bridge port 1 1 06 16 1998 22 16 40 PAGP 5 Port 1 1 joined bridge port 1 1 Console enable show trunk Port Mode Encapsulation Status Native vlan 1 1 on isl trunking 1 Port Vlans allowed on trunk 1 1 1 1005 1025 4094 Port Vlans allowed and active in management domain 1 1 1 521 524 Port Vlans in spanning tre...

Page 99: ...d verify the trunk configuration Console enable set trunk 2 9 desirable dot1q Port s 2 9 trunk mode set to desirable Port s 2 9 trunk type set to dot1q Console enable 07 02 1998 18 22 25 DTP 5 Port 2 9 has become dot1q trunk Console enable show trunk Port Mode Encapsulation Status Native vlan 2 9 desirable dot1q trunking 1 Port Vlans allowed on trunk 2 9 1 1005 1025 4094 Port Vlans allowed and act...

Page 100: ...n trunk 4 11 1 1005 1025 4094 Port Vlans allowed and active in management domain 4 11 1 5 10 32 55 101 120 998 1000 Port Vlans in spanning tree forwarding state and not pruned 4 11 1 5 10 32 55 101 120 998 1000 Console enable Defining the Allowed VLANs on a Trunk When you configure a trunk port all VLANs are added to the allowed VLANs list for that trunk However you can remove VLANs from the allow...

Page 101: ...n trunk 1 1 1 100 500 1005 2500 Port Vlans allowed and active in management domain 1 1 1 521 524 Port Vlans in spanning tree forwarding state and not pruned 1 1 1 521 524 Console enable In software release 8 3 1 and later releases if you want to configure a trunk but do not want to allow any VLANs on the trunk enter the none keyword as follows Console enable set trunk 7 1 on none dot1q Removing Vl...

Page 102: ... and DTP When a trunk port with VLAN 1 disabled becomes a nontrunk port it is added to the native VLAN If the native VLAN is VLAN 1 the port is enabled and added to VLAN 1 To disable VLAN 1 on a trunk interface perform this task in privileged mode This example shows how to disable VLAN 1 on a trunk link and verify the configuration Console enable clear trunk 8 1 1 Removing Vlan s 1 from allowed li...

Page 103: ...e show dot1q all tagged Dot1q all tagged feature globally enabled Console enable Disabling 802 1Q Tagging on Specific Ports The set port dot1q all tagged mod port enable disable command allows you to disable 802 1Q tagging on specific ports Enter the set port dot1q all tagged disable command to selectively disable 802 1Q tagging on ports that connect to the devices that do not support 802 1Q tagge...

Page 104: ...16A GBIC WS X6516 GE TX WS X6148 GE TX WS X6148V GE TX WS X6548 GE TX WS X6548V GE TX WS X6748 GE TX WS X6724 SFP WS X6704 10GE and WS X6501 10GEX4 Note A custom 802 1Q EtherType field is not supported on EtherChannels If you configure a port with a custom 802 1Q EtherType field the port cannot join a channel If a channel is already configured you cannot change the 802 1Q EtherType on any of the c...

Page 105: ... This example shows how to set the 802 1Q EtherType to 0x1234 on port 2 1 and verify the configuration Console enable set port dot1q ethertype 2 1 1234 All the group ports 2 1 2 associated with port 2 1 will be modified Do you want to continue y n n y Dot1q Ethertype value set to 0x1234 on ports 2 1 2 Console enable Console enable show port dot1q ethertype 2 1 Port Dot1q ethertype value 2 1 1234 C...

Page 106: ...e page 5 22 ISL Trunk Configuration Example This example shows how to configure an ISL trunk between two switches and limit the allowed VLANs on the trunk to VLAN 1 and VLANs 520 530 In this example port 1 1 on Switch 1 is connected to a Fast Ethernet port on another switch Both ports are in their default state with the trunk mode set to auto for more information see the Default Trunk Configuratio...

Page 107: ...c over the trunk link Switch1 enable clear trunk 1 1 2 519 Removing Vlan s 2 519 from allowed list Port 1 1 allowed vlans modified to 1 520 1005 Switch1 enable clear trunk 1 1 531 1005 Removing Vlan s 531 1005 from allowed list Port 1 1 allowed vlans modified to 1 520 530 Switch1 enable show trunk 1 1 Port Mode Encapsulation Status Native vlan 1 1 desirable isl trunking 1 Port Vlans allowed on tru...

Page 108: ...information about the formation of the EtherChannel bundle Switch_A enable set port channel 1 1 2 desirable Port s 1 1 2 channel mode set to desirable Switch_A enable PAGP 5 PORTFROMSTP Port 1 1 left bridge port 1 1 PAGP 5 PORTFROMSTP Port 1 2 left bridge port 1 2 PAGP 5 PORTFROMSTP Port 1 2 left bridge port 1 2 PAGP 5 PORTTOSTP Port 1 1 joined bridge port 1 1 2 PAGP 5 PORTTOSTP Port 1 2 joined br...

Page 109: ...P 5 PORTTOSTP Port 1 1 joined bridge port 1 1 2 PAGP 5 PORTTOSTP Port 1 2 joined bridge port 1 1 2 Switch_B enable DTP 5 TRUNKPORTON Port 3 1 has become isl trunk DTP 5 TRUNKPORTON Port 3 2 has become isl trunk PAGP 5 PORTFROMSTP Port 3 1 left bridge port 3 1 2 PAGP 5 PORTFROMSTP Port 3 2 left bridge port 3 1 2 PAGP 5 PORTTOSTP Port 3 1 joined bridge port 3 1 2 PAGP 5 PORTTOSTP Port 3 2 joined bri...

Page 110: ... that are connected through four 1000BASE SX Gigabit Ethernet ports Figure 5 2 802 1Q Trunk Over EtherChannel Link To configure the switches to form a four port EtherChannel bundle and then configure the EtherChannel bundle as an 802 1Q trunk link perform these steps Step 1 Make sure that all ports on both Switch A and Switch B are assigned to the same VLAN by entering the set vlan command This VL...

Page 111: ...OSTP Port 2 4 joined bridge port 2 3 6 PAGP 5 PORTTOSTP Port 2 5 joined bridge port 2 3 6 PAGP 5 PORTTOSTP Port 2 6 joined bridge port 2 3 6 Switch_B enable PAGP 5 PORTFROMSTP Port 3 3 left bridge port 3 3 PAGP 5 PORTFROMSTP Port 3 4 left bridge port 3 4 PAGP 5 PORTFROMSTP Port 3 5 left bridge port 3 5 PAGP 5 PORTFROMSTP Port 3 6 left bridge port 3 6 PAGP 5 PORTFROMSTP Port 3 4 left bridge port 3 ...

Page 112: ...ort 2 5 has become dot1q trunk PAGP 5 PORTFROMSTP Port 2 4 left bridge port 2 3 6 PAGP 5 PORTFROMSTP Port 2 5 left bridge port 2 3 6 DTP 5 TRUNKPORTON Port 2 6 has become dot1q trunk PAGP 5 PORTFROMSTP Port 2 6 left bridge port 2 3 6 PAGP 5 PORTFROMSTP Port 2 3 left bridge port 2 3 PAGP 5 PORTTOSTP Port 2 3 joined bridge port 2 3 6 PAGP 5 PORTTOSTP Port 2 4 joined bridge port 2 3 6 PAGP 5 PORTTOST...

Page 113: ... 200 300 400 500 521 524 570 850 917 999 Port Vlans in spanning tree forwarding state and not pruned 2 3 2 4 2 5 2 6 Switch_A enable Switch_B enable show trunk Port Mode Encapsulation Status Native vlan 3 3 auto dot1q trunking 1 3 4 auto dot1q trunking 1 3 5 auto dot1q trunking 1 3 6 auto dot1q trunking 1 Port Vlans allowed on trunk 3 3 1 1005 1025 4094 3 4 1 1005 1025 4094 3 5 1 1005 1025 4094 3 ...

Page 114: ... to prevent forwarding loops Trunk 2 is not used to forward traffic unless Trunk 1 fails To configure the switches so that traffic from multiple VLANs is load balanced over the parallel trunks perform these steps Step 1 Configure a VTP domain on both Switch 1 and Switch 2 by entering the set vtp command so that the VLAN information that is configured on Switch 1 is learned by Switch 2 Make sure th...

Page 115: ...0 active 30 VLAN0030 active 40 VLAN0040 active 50 VLAN0050 active 60 VLAN0060 active 1002 fddi default active 1003 token ring default active 1004 fddinet default active 1005 trnet default active Switch_1 enable Step 4 Configure the supervisor engine uplinks on Switch 1 as ISL trunk ports by entering the set trunk command Specifying the desirable mode on the Switch 1 ports causes the ports on Switc...

Page 116: ...0 active 50 VLAN0050 active 60 VLAN0060 active 1002 fddi default active 1003 token ring default active 1004 fddinet default active 1005 trnet default active Switch_2 enable Step 7 Note that spanning tree takes 1 to 2 minutes to converge After the network stabilizes check the spanning tree state of each trunk port on Switch 1 by entering the show spantree command Trunk 1 is forwarding for all VLANs...

Page 117: ...han the default of 32 by entering the set spantree portvlanpri command Switch_1 enable set spantree portvlanpri 1 1 1 10 Port 1 1 vlans 1 9 11 1004 using portpri 32 Port 1 1 vlans 10 using portpri 1 Port 1 1 vlans 1005 using portpri 4 Switch_1 enable set spantree portvlanpri 1 1 1 20 Port 1 1 vlans 1 9 11 19 21 1004 using portpri 32 Port 1 1 vlans 10 20 using portpri 1 Port 1 1 vlans 1005 using po...

Page 118: ...Switch 1 by entering the set spantree portvlanpri command Switch_2 enable set spantree portvlanpri 1 2 1 40 Port 1 2 vlans 1 39 41 1004 using portpri 32 Port 1 2 vlans 40 using portpri 1 Port 1 2 vlans 1005 using portpri 4 Switch_2 enable set spantree portvlanpri 1 2 1 50 Port 1 2 vlans 1 39 41 49 51 1004 using portpri 32 Port 1 2 vlans 40 50 using portpri 1 Port 1 2 vlans 1005 using portpri 4 Swi...

Page 119: ...ion After Configuring VLAN Traffic Load Sharing Figure 5 4 shows that both trunks are used when the network is operating normally if one trunk link fails the other trunk link acts as an alternate forwarding path for the traffic previously traveling over the failed link If Trunk 1 fails in the network that is shown in Figure 5 4 STP reconverges to use Trunk 2 to forward traffic from all the VLANs a...

Page 120: ... 2 40 forwarding 19 1 disabled 1 2 50 forwarding 19 1 disabled 1 2 60 forwarding 19 1 disabled 1 2 1003 not connected 19 32 disabled 1 2 1005 not connected 19 4 disabled Switch_1 enable show spantree 1 2 Port Vlan Port State Cost Priority Fast Start Group method 1 2 1 forwarding 19 32 disabled 1 2 10 forwarding 19 32 disabled 1 2 20 forwarding 19 32 disabled 1 2 30 forwarding 19 32 disabled 1 2 40...

Page 121: ...e Distribution Works page 6 2 Port Aggregation Control Protocol and Link Aggregation Control Protocol page 6 3 EtherChannel Configuration Guidelines page 6 3 Understanding How the Port Aggregation Protocol Works page 6 5 Configuring an EtherChannel Using PAgP page 6 7 Understanding How the Link Aggregation Control Protocol Works page 6 13 Configuring an EtherChannel Using LACP page 6 15 Clearing a...

Page 122: ...annel Frame Distribution Works EtherChannel distributes frames across the links in a channel by reducing part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel EtherChannel frame distribution is based on a Cisco proprietary hashing algorithm The algorithm is deterministic given the same addresses and session information y...

Page 123: ... 13 EtherChannel Configuration Guidelines If improperly configured some EtherChannel ports are disabled automatically to avoid network loops and other problems Note Except where specifically differentiated these guidelines apply to both PAgP and LACP These sections provide the guidelines for EtherChannel configuration Port Configuration Guidelines page 6 3 VLAN and Trunk Configuration Guidelines p...

Page 124: ...wn as connected when you enter the show port command and as not connected when you enter the show spantree command This discrepancy occurs because the port is physically connected but never joined spanning tree To get the port to join spanning tree either set the duplex to full or set the channel mode to off for that port With software release 7 3 1 and later releases the LACP behavior for the hal...

Page 125: ...nt dot1q port types cannot form a channel Ports with different jumbo frame configurations cannot form a channel Ports with different dynamic configurations cannot form a channel During high availability switchover to the standby supervisor engine all channeling ports remain operational Ports are reset only if there are events missing during the switchover Note With software release 6 3 1 and later...

Page 126: ... mode A port in auto mode cannot form an EtherChannel with another port that is also in auto mode because neither port will initiate negotiation When configurable EtherChannel frame distribution can use MAC addresses IP addresses and Layer 4 port numbers You can specify either the source or the destination address or both the source and destination addresses and Layer 4 port numbers The mode that ...

Page 127: ...admin_group command if necessary to assign ports to the same administrative group PAgP EtherChannel IDs Each EtherChannel is automatically assigned a unique EtherChannel ID Enter the show channel group admin_group command to display the EtherChannel ID Configuring an EtherChannel Using PAgP These sections describe how to configure an EtherChannel using PAgP Specifying the EtherChannel Protocol pag...

Page 128: ...sign ports to the same administrative group This example shows how to configure a seven port EtherChannel in a new administrative group Console enable set port channel 2 2 8 mode desirable Ports 2 2 8 left admin_group 1 Ports 2 2 8 joined admin_group 2 Console enable Setting the EtherChannel Port Mode To set a port s EtherChannel mode perform this task in privileged mode This example shows how to ...

Page 129: ...Cost section in Chapter 7 Configuring Spanning Tree for information on using the set spantree portcost command This example shows how to set the EtherChannel port path cost for channel ID 768 Console enable show channel group 20 Admin Port Status Channel Channel group Mode id 20 1 1 notconnect on 768 20 1 2 connected on 768 Admin Port Device ID Port ID Platform group 20 1 1 20 1 2 066510644 cat26 ...

Page 130: ... what occurs when you enter each command Console enable set spantree channelvlancost 856 10 Port s 3 47 48 vlan cost are updated to 16 Channel 856 vlancost is set to 10 These commands are added to the configuration file set spantree portvlancost 3 47 cost 16 set spantree portvlancost 3 48 cost 16 To add the desired VLANs to the above created commands enter this command Console enable set spantree ...

Page 131: ...the next lower level category is considered If the hardware cannot support the frame distribution method that is selected a Feature not supported error message is displayed To configure EtherChannel load balancing perform this task in privileged mode Note The set port channel all distribution session command option is supported on Supervisor Engine 2 Supervisor Engine 720 and Supervisor Engine 32 ...

Page 132: ... in an EtherChannel for a specific address or Layer 4 port number perform this task This example shows how to display the outgoing port for the specified source and destination IP addresses Console enable show channel hash 808 172 20 32 10 172 20 32 66 Selected channel port 2 17 Console enable Disabling an EtherChannel To disable an EtherChannel perform this task in privileged mode This example sh...

Page 133: ...itiation and never initiate the sending of LACP packets Table 6 2 describes the EtherChannel modes that are available in LACP LACP Parameters The parameters that are used in configuring LACP are as follows System priority You must assign a system priority that can be specified automatically or through the CLI see the Specifying the System Priority section on page 6 16 to each switch running LACP T...

Page 134: ...aggregate with other ports is determined by these factors Port physical characteristics such as data rate duplex capability and point to point or shared medium Configuration constraints that you establish When enabled LACP always tries to configure the maximum number of compatible ports in a channel up to the maximum that is allowed by the hardware eight ports If LACP is not able to aggregate all ...

Page 135: ...tilization page 6 19 Displaying the Outgoing Ports for a Specified Address or Layer 4 Port Number page 6 19 Disabling an EtherChannel page 6 19 Displaying the Spanning Tree Information for EtherChannels page 6 20 Note Before you configure the EtherChannel see the EtherChannel Configuration Guidelines section on page 6 3 Specifying the EtherChannel Protocol Note The default protocol is PAgP Note Yo...

Page 136: ...e range of 1 255 where higher numbers represent lower priority The default priority is 128 To specify the port priority perform this task in privileged mode This example shows how to specify the port priority as 10 for ports 1 1 to 1 4 and 2 6 to 2 8 Console enable set port lacp channel 1 1 4 2 6 8 port priority 10 Port s 1 1 4 2 6 8 port priority set to 10 Console enable Use the show lacp channel...

Page 137: ...ey value perform this task in privileged mode This example shows how to assign the same administrative key to ports 4 1 to 4 4 with the system picking its value automatically Console enable set port lacp channel 4 1 4 Port s 4 1 4 are assigned to admin key 96 Console enable This example shows how to assign the administrative key 96 you specify the 96 to ports 4 4 to 4 6 In this example the adminis...

Page 138: ...fy the channel path cost by using a global command that configures both LACP and PAgP For more information see the Setting the EtherChannel Port Path Cost section on page 6 9 Specifying the Channel VLAN Cost You can specify the channel VLAN cost by using a global command that configures both LACP and PAgP For more information see the Setting the EtherChannel VLAN Cost section on page 6 9 Configuri...

Page 139: ... is used in an EtherChannel for a specified address or Layer 4 port number perform this task This example shows how to display the outgoing port for the specified source and destination IP addresses Console enable show lacp channel hash 808 172 20 32 10 172 20 32 66 Selected channel port 2 17 Console enable Disabling an EtherChannel To disable an EtherChannel perform this task in privileged mode T...

Page 140: ...ercentage of traffic that passes through each channel port The counters are maintained for different types of packets Before software release 8 3 1 you could not clear the channel hardware counter bases because the bases are MIB objects that do not clear Enter the clear counters all command to reset the channel counter bases With software release 8 3 1 and later releases you can clear and restore ...

Page 141: ...st Tx Ucst Rx Mcst Tx Mcst Rx Bcst Tx Bcst 769 1 1 0 00 0 00 9 52 90 47 0 00 0 00 769 2 1 0 00 0 00 90 48 9 53 0 00 0 00 Console enable clear counter channel 769 This command will reset MAC and port counters reported by the CLI for PAGP channel 769 Counters reported by SNMP will not be affected Do you want to continue y n n y MAC and Port counters cleared Console enable show channel traffic 769 Ch...

Page 142: ...8 04 Chapter 6 Configuring EtherChannel Clearing and Restoring the EtherChannel Counters Console enable show channel traffic 769 ChanId Port Rx Ucst Tx Ucst Rx Mcst Tx Mcst Rx Bcst Tx Bcst 769 1 1 0 00 0 00 7 69 92 30 0 00 0 00 769 2 1 0 00 0 00 92 31 7 70 0 00 0 00 Console enable ...

Page 143: ... Work page 7 2 Understanding How PVST and MISTP Modes Work page 7 12 Understanding How Bridge Identifiers Work page 7 14 Understanding How Multiple Spanning Tree Works page 7 16 Understanding How BPDU Skewing Works page 7 24 Understanding How Layer 2 PDU Rate Limiting Works page 7 25 Configuring PVST on the Switch page 7 26 Configuring Rapid PVST on the Switch page 7 33 Configuring MISTP PVST or M...

Page 144: ...hes that have ports with these assigned roles are called the root or designated switches For more information see the Understanding How a Switch Becomes the Root Switch section on page 7 3 In Ethernet networks only one active path may exist between any two stations Multiple active paths between stations can cause loops in the network When loops occur some switches recognize the stations on both si...

Page 145: ...work the root switch is the logical center of the spanning tree topology A spanning tree protocol uses BPDUs to elect the root switch and root port for the switched network as well as the root port and designated port for each switched segment Understanding How a Switch Becomes the Root Switch If all switches are enabled with default settings the switch with the lowest MAC address in the network b...

Page 146: ...AN on which the frame is transmitted receive the BPDU The BPDUs are not directly forwarded by the switch but the receiving switch uses the information in the frame to calculate a BPDU and if the topology changes initiates a BPDU transmission A BPDU exchange results in the following One switch is elected as the root switch The shortest distance to the root switch is calculated for each switch A des...

Page 147: ...s individual links are added or removed from an aggregate link port bundle the bandwidth of the aggregate link increases or decreases These changes in bandwidth lead to recalculation of the default port cost for the aggregated port Changes to the default port cost or changes resulting from links that autonegotiate their bandwidth could lead to recalculation of the spanning tree topology which may ...

Page 148: ...e ensures that excessive flooding does not occur when the MSFC receives a topology change notification TCN from the supervisor engine The feature causes the MSFC to send ARP requests for all the ARP entries belonging to the VLAN interface where the TCN is received When the ARP replies come back the Policy Feature Card PFC learns the MAC entries which were lost as a result of the topology change Le...

Page 149: ... expiration of a protocol timer that moves the port to the learning state In the learning state the port continues to block frame forwarding as it learns station location information for the forwarding database The expiration of a protocol timer moves the port to the forwarding state where both learning and forwarding are enabled Blocking State A port in the blocking state does not participate in ...

Page 150: ...update Receives BPDUs and directs them to the system module Does not transmit BPDUs that are received from the system module Receives and responds to network management messages Listening State The listening state is the first transitional state that a port enters after the blocking state The port enters this state when the spanning tree determines that the port should participate in frame forward...

Page 151: ...warding Does not incorporate station location into its address database There is no learning at this point so there is no address database update Receives BPDUs and directs them to the system module Processes BPDUs that are received from the system module Receives and responds to network management messages Filtering database Frame forwarding System module Port 1 BPDUs All segment frames BPDU and ...

Page 152: ... the attached segment Discards frames that are switched from another port for forwarding Incorporates station location into its address database Receives BPDUs and directs them to the system module Receives processes and transmits BPDUs that are received from the system module Receives and responds to network management messages Figure 7 5 Port 2 in Learning State Filtering database Frame forwardi...

Page 153: ... BPDUs that are received from the system module Receives and responds to network management messages Caution Use spanning tree PortFast mode only on ports that are directly connected to individual workstations to allow these ports to come up and go directly to the forwarding state instead of having to go through the entire spanning tree initialization process To prevent illegal topologies enable s...

Page 154: ...atabase There is no learning so there is no address database update Receives BPDUs but does not direct them to the system module Does not receive BPDUs for transmission from the system module Receives and responds to network management messages Understanding How PVST and MISTP Modes Work Catalyst 6500 series switches provide two proprietary spanning tree modes that are based on the IEEE 802 1D sta...

Page 155: ...T uses a rapid STP that is based on IEEE 802 1w instead of 802 1D Rapid PVST uses the same configuration as PVST with minimal additional configuration See the Configuring Rapid PVST on the Switch section on page 7 33 for configuration information In Rapid PVST dynamic CAM entries are flushed immediately on a per port basis when any topology change is made UplinkFast and BackboneFast are enabled bu...

Page 156: ...h using PVST mode that is connected to a switch using MISTP mode cannot see the BPDUs of the other switch which is a condition that can cause loops in the network MISTP PVST allows interoperability between PVST and pure MISTP because it sees the BPDUs of both modes To convert your network to MISTP use MISTP PVST to transition the network from PVST to MISTP Because MISTP PVST conforms to the limits...

Page 157: ... 100 is 100 and the system ID extension for MISTP instance 2 is 2 Figure 7 8 shows the bridge identifier when you do not enable MAC address reduction The bridge identifier consists of the bridge priority and the MAC address Figure 7 8 Bridge Identifier without MAC Address Reduction Figure 7 9 shows the bridge identifier when you enable MAC address reduction The bridge identifier consists of the br...

Page 158: ...re release 8 3 1 the MST protocol is compliant with IEEE 802 1s and is backward compatible with 802 1D STP 802 1w the Rapid Spanning Tree Protocol RSTP and the Cisco PVST architecture that was implemented in previous software releases The MST protocol in software release 8 3 1 will interoperate with MST in earlier software releases MST allows you to build multiple spanning trees over VLAN trunks Y...

Page 159: ...MSTP record M record M records are always encapsulated within MST BPDUs MST BPDUs The original spanning trees that are computed by MSTP are called M trees M trees are active only within the MST region M trees merge with the IST at the boundary of the MST region and form the CST MST provides interoperability with PVST by generating PVST BPDUs for the non CST VLANs MST supports some of the PVST exte...

Page 160: ...cified in 802 1w supersedes STP which is specified in 802 1D while remaining compatible with STP RSTP provides the structure on which the MST operates You configure RSTP when you configure the MST feature For more information see the Configuring Multiple Spanning Tree on the Switch section on page 7 51 RSTP provides backward compatibility with 802 1D bridges as follows RSTP selectively sends 802 1...

Page 161: ...ates The port state controls the forwarding and learning processes and provides the values of discarding learning and forwarding Table 7 3 provides a comparison between STP port states and RSTP port states In a stable topology RSTP ensures that every root port and designated port transition to forwarding while all alternate ports and backup ports are always in the discarding state MST to SST Inter...

Page 162: ... Because the message age increases by 1 second for each hop the difference in the message age is in the order of seconds Data traffic from one port of a pseudobridge a port at the edge of a region to another port follows a path that is entirely contained within the pseudobridge or MST region Data traffic belonging to different VLANs may follow different paths within the MST regions that are establ...

Page 163: ...y each time that the MST configuration is committed MST configuration table An array of 4096 elements representing all the possible extended range VLANs The value of element number X represents the instance to which VLAN X is mapped VLAN 0 and VLAN 4095 are unused and are always mapped to the instance 0 You must configure each byte manually You can use SNMP or the CLI to perform the configuration ...

Page 164: ...nects to a LAN the designated bridge of which is either an SST bridge or a bridge with a different MST configuration A designated port knows that it is on the boundary if it detects an STP bridge or receives an agreement message from an RST or MST bridge with a different configuration At the boundary the role of MST ports does not matter the MST port state is forced to be the same as the IST port ...

Page 165: ...vent a misconfiguration the PortFast operation is turned off if the port receives a BPDU You can display the configured and operational status of PortFast by using the show spantree mst mod port command Link Type Rapid connectivity is established only on point to point links You must configure ports explicitly to a host or router However cabling in most networks meets this requirement and you can ...

Page 166: ...ration To correct the loop inconsistent state you must disable and reenable loop guard on that PVST switch Do not locate the root for some or all of the VLANs inside the PVST side of the MST switch because when the MST switch at the boundary receives PVST BPDUs for all or some of the VLANs on its designated ports root guard sets the port to the blocking state Do not designate switches with a slowe...

Page 167: ...og messages that are reported the slower the switching process will be To reduce the impact on the switch the syslog messages are as follows Generated 50 percent of the maximum age time see the Configuring the Maximum Aging Time section on page 7 51 Rate limited at one for every 60 seconds Understanding How Layer 2 PDU Rate Limiting Works You can use rate limiters to prevent receiving an unwanted ...

Page 168: ...the default PVST configuration Table 7 4 PVST Default Configuration Feature Default Value VLAN 1 All ports assigned to VLAN 1 Enable state PVST enabled for all VLANs MAC address reduction Disabled Bridge priority 32768 Bridge ID priority 32769 bridge priority plus system ID extension of VLAN 1 Port priority 32 Port cost 10 Gigabit Ethernet 2 Gigabit Ethernet 4 Fast Ethernet 191 FDDI CDDI 10 Ethern...

Page 169: ... not enabled default Console enable set spantree priority 30000 1 Spantree 1 bridge priority set to 30000 Console enable show spantree 1 VLAN 1 Spanning tree mode PVST Spanning tree type ieee Spanning tree enabled Designated Root 00 60 70 4c 70 00 Designated Root Priority 16384 Designated Root Cost 19 Designated Root Port 2 3 Root Max Age 14 sec Hello Time 2 sec Forward Delay 10 sec Bridge ID MAC ...

Page 170: ...from 1 200000000 when using the long method The default cost differs for different media For information about calculating the port cost see the Calculating and Assigning Port Costs section on page 7 4 To configure the PVST port cost for a port perform this task in privileged mode Note When you enter the set spantree channelcost command it does not appear in the configuration file The command caus...

Page 171: ... 3 1 forwarding 19 48 disabled 0 2 4 1 not connected 100 32 disabled 0 This example shows that values that are not multiples of 16 between the values of 0 63 are converted to the nearest multiple of 16 Console enable set spantree portpri 2 3 2 Vlan port priority must be one of these numbers 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 converting 2 to 0 nearest multiple of 16 Bridge port...

Page 172: ... the formula AVERAGE_COST NUM_PORT The default port cost mode is set to short in PVST mode For port speeds of 10 Gb and greater the default port cost mode must be set to long To configure the PVST default port cost mode perform this task in privileged mode This example shows how to configure the PVST default port cost mode Console enable set spantree defaultcostmode long Portcost and portvlancost ...

Page 173: ...e PVST port VLAN cost on port 2 3 for VLANs 1 5 Console enable set spantree portvlancost 2 3 cost 20000 1 5 Port 2 3 VLANs 6 11 13 1005 1025 4094 have path cost 12 Port 2 3 VLANs 1 5 12 have path cost 20000 This parameter applies to trunking ports only Console enable Configuring the PVST Port Priority for a VLAN When the switch is in PVST mode you can set the port priority for a trunking port in a...

Page 174: ...AN are flooded on all ports Caution We do not recommend disabling spanning tree even in a topology that is free of physical loops Spanning tree serves as a safeguard against misconfigurations and cabling errors Do not disable spanning tree in a VLAN without ensuring that there are no physical loops present in the VLAN Caution Do not disable spanning tree on a VLAN unless all switches or routers in...

Page 175: ... This example shows how to verify the Rapid PVST configuration for VLAN 1 Notice that the first line in the output displays the spanning tree mode Console show spantree 1 Spanning tree mode RAPID PVST Spanning tree type ieee Spanning tree enabled Port State Role Cost Prio Type 6 1 forwarding ROOT 20000 16 Shared PEER STP Console enable This example shows how to verify the link type edge port and g...

Page 176: ...iguration parameters are preserved for the previous mode If you return to the previous mode the configuration is still there Note We recommend that if you use MISTP mode you should configure all of your Catalyst 6500 series switches to run MISTP To use MISTP mode you first enable an MISTP instance and then map at least one VLAN to the instance You must have at least one forwarding port in the VLAN...

Page 177: ...mber of configured VLAN ports on your switch to no more than 6000 to avoid losing connectivity Table 7 5 MISTP and MISTP PVST Default Configuration Feature Default Value Enable state Disabled until a VLAN is mapped to an MISTP instance MAC address reduction Disabled Bridge priority 32768 Bridge ID priority 32769 bridge priority plus the system ID extension of MISTP instance 1 Port priority 32 glob...

Page 178: ...he root switch at runtime This display is available only in the MISTP or MISTP PVST mode In the PVST mode use the optional keyword config to display the list of mappings that is configured on the local switch Note MAC addresses are not displayed when you specify the config keyword To display spanning tree mapping perform this task in privileged mode This example shows how to display the spanning t...

Page 179: ...6864 40960 45056 49152 53248 57344 and 61440 To configure the bridge ID priority for an MISTP instance perform this task in privileged mode This example shows how to configure the bridge ID priority for an MISTP instance Console enable set spantree priority 32768 mistp instance 1 Spantree 1 bridge ID priority set to 32769 bridge priority 32768 sys ID extension 1 Console enable show spantree mistp ...

Page 180: ...dia The possible range of cost is from 1 65535 when using the short method for calculating port cost and from 1 200000000 when using the long method The default cost differs for different media For information about calculating path cost see the Calculating and Assigning Port Costs section on page 7 4 To configure the port cost for a port perform this task in privileged mode This example shows how...

Page 181: ...Ns The possible port priority value is a multiple of 16 from 0 240 The default is 32 If all ports have the same priority value the port with the lowest port number forwards frames To configure the port priority for a port perform this task in privileged mode This example shows how to configure the port priority and verify the configuration Console enable set spantree portpri 1 1 32 Bridge port 1 1...

Page 182: ...bers to ports that are attached to slower media The default cost differs for different media The possible value for port instance cost is 1 268435456 To configure the port instance cost for a port perform this task in privileged mode This example shows how to configure the MISTP port instance cost on a port Console enable set spantree portinstancecost 1 1 cost 110110 2 Port 1 1 instances 1 3 16 ha...

Page 183: ...until it has a VLAN with an active port that is mapped to it To enable an MISTP instance perform this task in privileged mode Note Enter the active keyword to display active ports only This example shows how to enable an MISTP instance Console enable set spantree enable mistp instance 2 Spantree 2 enabled Console enable show spantree mistp instance 2 Instance 2 Spanning tree mode MISTP Spanning tr...

Page 184: ...nabled Designated Root 00 d0 00 4c 18 00 Designated Root Priority 49153 root priority 49152 sys ID ext 1 Designated Root Cost 0 Designated Root Port none VLANs mapped 6 Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Bridge ID MAC ADDR 00 d0 00 4c 18 00 Bridge ID Priority 49153 bridge priority 49152 sys ID ext 1 VLANs mapped 6 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec P...

Page 185: ... already mapped to an instance the timer has expired or if the VLAN is in conflict between instances The Time Left timer shows the time in seconds left before the entry expires and is removed from the table The timer is restarted every time an incoming BPDU confirms the mapping Entries pertaining to the root switch show inactive on the root switch itself The following examples are with VTP version...

Page 186: ...n an instance not for the whole switch When you disable spanning tree on an MISTP instance the instance still exists on the switch all of the VLANs mapped to it have all of their ports forwarding and the instance BPDUs are flooded To disable an MISTP instance perform this task in privileged mode This example shows how to disable an MISTP instance Console enable set spantree disable mistp instance ...

Page 187: ...as 1 still does not make the switch the root switch the system displays a message Caution Enter the set spantree root command on backbone switches or distribution switches only do not enter this command on access switches To configure a switch as the primary root switch perform this task in privileged mode This example shows how to configure the primary root switch for VLANs 1 10 Console enable se...

Page 188: ...this task in privileged mode This example shows how to configure the secondary root switch for an instance Console enable set spantree root secondary mistp instance 2 4 dia 4 Instances 2 4 bridge priority set to 8192 VLInstances 2 4 bridge max aging time set to 14 seconds Instances 2 4 bridge hello time set to 2 seconds Instances 2 4 bridge forward delay set to 9 seconds Switch is now the root swi...

Page 189: ...iguring Spanning Tree PortFast UplinkFast BackboneFast and Loop Guard To configure the spanning tree parameters to improve convergence perform this task in privileged mode This example shows how to configure the spanning tree hello time Forward Delay Timer and Maximum Age Timer to 2 4 and 4 seconds Console enable set spantree hello 2 100 Spantree 100 hello time set to 7 seconds Console enable Cons...

Page 190: ...e root inconsistent state it automatically goes into the listening state To prevent switches from becoming root perform this task in privileged mode This example shows how to enable root guard Console enable set spantree guard root 5 1 Rootguard on port 5 1 is enabled Warning Enabling rootguard may result in a topolopy change Console enable Displaying Spanning Tree BPDU Statistics Enter the show s...

Page 191: ...ed These sections describe how to configure the spanning tree timers Configuring the Hello Time page 7 50 Configuring the Forward Delay Time page 7 50 Configuring the Maximum Aging Time page 7 51 Caution Be careful when using these commands For most situations we recommend that you use the set spantree root and set spantree root secondary commands to modify the spanning tree performance parameters...

Page 192: ...rt 4 5 to 4 seconds Console enable set spantree hello 4 mst 4 1 MST hello time set to 4 on port 4 1 Console enable Configuring the Forward Delay Time Enter the set spantree fwddelay command to configure the spanning tree forward delay time for a VLAN The possible range of delay is 4 30 seconds To configure the spanning tree forward delay time for a VLAN perform this task in privileged mode This ex...

Page 193: ...ole enable This example shows how to set the maximum aging time for an instance to 25 seconds Console enable set spantree maxage 25 mistp instance 1 Instance 1 max aging time set to 25 seconds Console enable Configuring Multiple Spanning Tree on the Switch These sections describe how to configure MST Enabling Multiple Spanning Tree page 7 51 Mapping and Unmapping VLANs to an MST Instance page 7 58...

Page 194: ...e set spantree mst config commit to apply the changes Console enable show spantree mst config Current NVRAM MST Region Configuration 1 instance Configuration Name Revision 0 Instance VLANs 0 1 4094 NEW MST Region Configuration Not committed yet 1 instance Configuration Name cisco Revision 1 Instance VLANs 0 1 4094 Edit buffer is locked by Console pid 143 Console enable set spantree mst 1 vlan 2 10...

Page 195: ... pid 143 Console enable set spantree mst config commit Console enable show spantree mst config Current NVRAM MST Region Configuration 5 instances Configuration Name cisco Revision 1 Instance VLANs 0 1 11 20 51 4094 1 2 10 2 21 30 3 31 40 4 41 50 Console enable set spantree mode mst PVST database cleaned up Spantree mode set to MST Console enable show spantree mst 0 Spanning tree mode MST Instance ...

Page 196: ...nces Configuration Name cisco Revision 1 Instance VLANs 0 1 11 20 51 4094 1 2 10 2 21 30 3 31 40 4 41 50 Console enable Configuring the MST Bridge ID Priority You can set the bridge ID priority for an MST instance when the switch is in MST mode The bridge priority value is combined with the system ID extension the ID of the MST instance to create the bridge ID priority You can set 16 possible brid...

Page 197: ...attached to slower media The possible range of cost is from 1 65535 when using the short method for calculating port cost and from 1 200000000 when using the long method The default cost differs for different media For information about calculating the path cost see the Calculating and Assigning Port Costs section on page 7 4 To configure the port cost for a port perform this task in privileged mo...

Page 198: ... MSTR 10000 30 41 50 Console enable Configuring the MST Port Instance Cost You can configure the port instance cost for an instance of MST The ports with a lower instance cost are more likely to be chosen to forward frames You should assign lower numbers to the ports that are attached to faster media such as full duplex and higher numbers to the ports that are attached to slower media The default ...

Page 199: ... ports have the same priority value for an MST instance the port with the lowest port priority number forwards the frames for that instance You can assign a different port instance priority for instances within a trunk port To configure the port instance priority on an MST instance perform this task in privileged mode This example shows how to configure the port instance priority on an MST instanc...

Page 200: ...be active You can map as many Ethernet VLANs as you wish to an MST instance You cannot map a VLAN to more than one MST instance The Hello Time Maximum Age timer and Forward Delay timer set for mode and all spanning trees are used globally by MST Note To use VLANs 1025 4094 you must enable MAC address reduction See the Creating Extended Range VLANs section on page 11 7 in Chapter 11 Configuring VLA...

Page 201: ...Configuration 4 instances Configuration Name arthur Revision 23703 Instance VLANs 0 1 31 998 1000 4094 2 2 20 3 21 30 1400 999 Console enable Configuring BPDU Skewing on the Switch Commands that support the spanning tree BPDU skewing allow you to perform these functions Enable or disable BPDU skewing The default is disabled Modify the show spantree summary output to show if the skew detection is e...

Page 202: ...4110 113922 Tue Nov 21 2000 06 26 05 8 26 113926 113926 Tue Nov 21 2000 06 26 05 8 28 4111 113931 Tue Nov 21 2000 06 26 05 Console enable This example shows how to configure BPDU skewing for VLAN 1 on module 8 port 2 and display the skewing statistics Console enable show spantree bpdu skewing 1 8 4 Bpdu skewing statistics for vlan 1 Port Last Skew ms Worst Skew ms Worst Skew Time 8 4 5869 108370 T...

Page 203: ...g Protocol VTP Link Aggregation Control Protocol LACP and Port Aggregation Protocol PAgP globally on the switch Enable disable or set rate limiting for the Layer 2 protocol tunnel encapsulated PDUs globally on the switch Enable disable or set the 802 1X port security rate limiters globally on the switch All three types of rate limiters work independently of each other To enable or disable Layer 2 ...

Page 204: ... 0C CD CD D0 This example shows how to enable Layer 2 rate limiting set the rate limiter value and verify the configuration Console enable set rate limit l2pdu enable Layer 2 rate limiter for PDUs enabled on the switch Console enable Console enable set rate limit l2pdu rate 1000 Layer 2 rate limiter for PDU rate set to 1000 Console enable Console enable set rate limit l2protocol tunnel disable Lay...

Page 205: ...anning Tree Configuring Layer 2 PDU Rate Limiting on the Switch This example shows how to display the Layer 2 rate limiter administrative and operation status information Console show rate limit config Rate Limiter Type Admin Status Oper Status l2pdu On On l2protocol tunnel On On l2port security On On Console ...

Page 206: ...7 64 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 7 Configuring Spanning Tree Configuring Layer 2 PDU Rate Limiting on the Switch ...

Page 207: ...the Catalyst 6500 Series Switch Command Reference publication Understanding How 802 1Q Tunneling Works 802 1Q tunneling enables the service providers to use a single VLAN to support the customers who have multiple VLANs while preserving the customer VLAN IDs and keeping traffic in the different customer VLANs segregated A port that is configured to support 802 1Q tunneling is called a tunnel port ...

Page 208: ...herType field you can connect the switch to a Gigabit Interface Converter GBIC or 10 Gigabit port and separate untagged IP traffic from the IP management traffic with a specified EtherType The untagged IP traffic is automatically assigned to the native VLAN and the traffic with the specified EtherType is switched to a specified VLAN 802 1Q Tunneling Configuration Guidelines This section provides t...

Page 209: ...te To set the correct maximum transmission unit MTU size you must enable jumbo frames on all ports that carry 802 1 tunnel traffic You cannot configure 802 1Q tunneling on ports that are configured to support the following Private VLANs Voice over IP Cisco IP Phone 7960 The following Layer 2 protocols work between devices that are connected by an asymmetrical link CDP UniDirectional Link Detection...

Page 210: ...hat you use one VLAN for each tunnel Incorrect assignment of tunnel ports to VLANs can cause traffic forwarding problems To configure 802 1Q tunneling on a port perform this task in privileged mode This example shows how to configure tunneling on port 4 1 and verify the configuration Console enable set port dot1qtunnel 4 1 access Dot1q tunnel feature set to access mode on port 4 1 Port 4 1 trunk m...

Page 211: ... enter the set dot1q all tagged disable command to clear 802 1Q tunneling To disable global support for 802 1Q tunneling on the switch perform this task in privileged mode This example shows how to disable tunneling support on the switch and verify the configuration Console enable set port dot1qtunnel all disable Dot1q tunnel feature disabled on all applicable ports Console enable show port dot1qt...

Page 212: ...nning tree topology on Switches 1 2 and 3 without considering the convergence parameters that are based on Switches 4 and 5 To provide a single spanning tree domain for the customer a generic scheme to tunnel BPDUs was created for control protocol PDUs CDP STP and VTP This process is referred to as Layer 2 protocol tunneling Figure 8 1 Layer 2 Protocol Tunneling Network Configuration Layer 2 proto...

Page 213: ...erChannels from going into the errdisable state because of channel misconfiguration With a PFC3A you can enter the set rate limit l2protocol tunnel commands to enable disable or set rate limiting for the Layer 2 protocol tunnel encapsulated PDUs globally on the switch For detailed information on configuring rate limiting see the Configuring Layer 2 PDU Rate Limiting on the Switch section on page 7...

Page 214: ...s Encap VTP Frames De encap 3 15 1212 1213 Console enable Configuring Layer 2 Protocol Tunneling on Trunk Ports Layer 2 protocol tunneling on trunks allows third party vendors equipment to interoperate with the Catalyst 6500 series switch in service provider networks Layer 2 protocol tunneling makes control protocol PDUs such as STP CDP and VTP transparent to the service provider cloud when passin...

Page 215: ...eling configured and two trunk ports with Layer 2 protocol tunneling configured Service provider A sends double tagged encapsulated packets through the service provider cloud with the expectation that the packets will be received in the same double tagged format on the other end If customer switch 2 and customer switch 3 send single tagged packets to service provider B there is no way to identify ...

Page 216: ...ches and the number of customer VLANs per Layer 2 protocol tunneling port In determining the recommended maximum value of 1000 egress tunneling from the service provider network was also taken into consideration To determine the number of Layer 2 protocol tunneling ports links and the number of customer VLANs per Layer 2 protocol tunneling port VLANs per link that an edge switch can handle multipl...

Page 217: ...ts The range for the per port protocols drop threshold and shutdown threshold is from 0 65535 To specify the drop and shutdown thresholds on a port perform this task in privileged mode This example shows how to specify a drop threshold of 500 and a shutdown threshold of 1000 on a port Console enable set port l2protocol tunnel 3 15 drop threshold 500 shutdown threshold 1000 Drop Threshold 500 Shutd...

Page 218: ...g ports Because the CoS value applies to all the ingress tunneling ports all the encapsulated PDUs that are sent out by the switch have the same CoS value The valid values are from 0 7 and the default CoS is 5 To specify a CoS value globally on all the ingress Layer 2 protocol tunneling ports perform this task in privileged mode This example shows how to set the CoS value to 6 Console enable set l...

Page 219: ...neling Statistics To clear the Layer 2 protocol tunneling statistics on a port or on all the tunneling ports perform this task in privileged mode This example shows how to clear the Layer 2 tunnel port statistics on port 7 1 Console enable clear l2protocol tunnel statistics 7 1 Layer 2 Protocol Tunnel statistics cleared on ports 7 1 Console enable Task Command Clear Layer 2 tunnel port statistics ...

Page 220: ...Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 8 Configuring IEEE 802 1Q Tunneling and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling on the Switch ...

Page 221: ...n this chapter refer to the Catalyst 6500 Series Switch Command Reference publication This chapter consists of these sections Understanding How PortFast Works page 9 2 Understanding How PortFast BPDU Guard Works page 9 2 Understanding How PortFast BPDU Filtering Works page 9 3 Understanding How UplinkFast Works page 9 3 Understanding How BackboneFast Works page 9 4 Understanding How Loop Guard Wor...

Page 222: ...timer expires a second time the port transitions to the forwarding or blocking state When you enable PortFast on a switch or trunk port the port transitions immediately to the spanning tree forwarding state Understanding How PortFast BPDU Guard Works BPDU guard prevents spanning tree loops by moving a port into the errdisable state when a BPDU is received on that port When you enable BPDU guard on...

Page 223: ...st Works UplinkFast provides fast convergence after a spanning tree topology change and achieves load balancing between redundant links using uplink groups An uplink group is a set of ports per VLAN only one of which is forwarding at any given time Specifically an uplink group consists of the root port which is forwarding and a set of blocked ports The blocked ports do not include self looping por...

Page 224: ...erior BPDU it indicates that a link to which the switch is not directly connected an indirect link has failed that is the designated bridge has lost its connection to the root bridge Under normal spanning tree rules the switch ignores inferior BPDUs for the configured maximum aging time as specified by the agingtime variable of the set spantree maxage command The switch tries to determine if it ha...

Page 225: ...he listening and learning states and into the forwarding state Figure 9 3 shows an example topology with no link failures Switch A the root switch connects directly to Switch B over link L1 and to Switch C over link L2 The port on Switch C that connects directly to Switch B is in the blocking state Figure 9 3 BackboneFast Example Before Indirect Link Failure If link L1 fails Switch C detects this ...

Page 226: ...oftware failures may introduce temporary loops in the network Loop guard checks if a root port or an alternate root port receives BPDUs If the port is not receiving BPDUs loop guard puts the port into an inconsistent state until it starts receiving BPDUs again Loop guard isolates the failure and lets spanning tree converge to a stable topology without the failed link or bridge You can enable loop ...

Page 227: ...t on loop guard enabled ports You cannot enable loop guard if root guard is enabled Loop guard interacts with other features as follows Loop guard does not affect the functionality of UplinkFast or BackboneFast Do not enable loop guard on ports that are connected to a shared link Note We recommend that you enable loop guard on root ports and alternate root ports on access switches Root guard force...

Page 228: ...o form a channel These caveats apply to loop guard Spanning tree always chooses the first operational port in the channel to send the BPDUs If that link becomes unidirectional loop guard blocks the channel even if other links in the channel are functioning properly If a set of ports that are already blocked by loop guard are grouped together to form a channel spanning tree loses all the state info...

Page 229: ...nected 19 4 enabled Console enable Note If the designation for a port is displayed as edge that port is also a PortFast port See the Edge Ports section on page 7 23 Enabling Spanning Tree PortFast on a Trunk Port Caution You can use PortFast to connect a single end station or a switch port to a switch port If you enable PortFast on a port that is connected to another Layer 2 device such as a switc...

Page 230: ...bled 0 4 1 100 forwarding 4 32 enabled 0 4 1 521 blocking 4 32 enabled 0 4 1 524 blocking 4 32 enabled 0 4 1 1003 not connected 4 32 enabled 0 4 1 1005 not connected 4 32 enabled 0 Console enable show spantree portfast 4 1 Portfast enable trunk Portfast BPDU guard is disabled Portfast BPDU filter is disabled Console Note When PortFast is enabled between two switches the system will verify that the...

Page 231: ...PortFast BPDU Guard page 9 12 Enabling PortFast BPDU Guard The PortFast feature is configured on an individual port and the PortFast BPDU guard option is configured either globally or on a per port basis When you disable PortFast on a port PortFast BPDU guard becomes inactive Port configuration overrides global configuration unless port configuration is set to default If port configuration is set ...

Page 232: ...bridge Uplinkfast disabled for bridge Backbonefast disabled for bridge Vlan Blocking Listening Learning Forwarding STP Active 1 0 0 0 4 4 2 0 0 0 4 4 3 0 0 0 4 4 4 0 0 0 4 4 5 0 0 0 4 4 6 0 0 0 4 4 10 0 0 0 4 4 20 0 0 0 4 4 50 0 0 0 4 4 100 0 0 0 4 4 152 0 0 0 4 4 200 0 0 0 5 5 300 0 0 0 4 4 400 0 0 0 4 4 500 0 0 0 4 4 521 0 0 0 4 4 524 0 0 0 4 4 570 0 0 0 4 4 801 0 0 0 0 0 802 0 0 0 0 0 850 0 0 0...

Page 233: ...plinkfast disabled for bridge Backbonefast disabled for bridge Vlan Blocking Listening Learning Forwarding STP Active 1 0 0 0 4 4 2 0 0 0 4 4 3 0 0 0 4 4 4 0 0 0 4 4 5 0 0 0 4 4 6 0 0 0 4 4 10 0 0 0 4 4 20 0 0 0 4 4 50 0 0 0 4 4 100 0 0 0 4 4 152 0 0 0 4 4 200 0 0 0 5 5 300 0 0 0 4 4 400 0 0 0 4 4 500 0 0 0 4 4 521 0 0 0 4 4 524 0 0 0 4 4 570 0 0 0 4 4 801 0 0 0 0 0 802 0 0 0 0 0 850 0 0 0 4 4 917...

Page 234: ...ter 6 1 enable Warning Ports enabled with bpdu filter will not send BPDUs and drop all received BPDUs You may cause loops in the bridged network if you misuse this feature Console enable show spantree summary Root switch for vlans none Portfast bpdu filter enabled for bridge Uplinkfast disabled for bridge Backbonefast disabled for bridge Vlan Blocking Listening Learning Forwarding STP Active 1 0 0...

Page 235: ...sabled for bridge Vlan Blocking Listening Learning Forwarding STP Active 1 0 0 0 4 4 2 0 0 0 4 4 3 0 0 0 4 4 4 0 0 0 4 4 5 0 0 0 4 4 6 0 0 0 4 4 10 0 0 0 4 4 802 0 0 0 0 0 850 0 0 0 4 4 917 0 0 0 4 4 999 0 0 0 4 4 1003 0 0 0 0 0 1005 0 0 0 0 0 Blocking Listening Learning Forwarding STP Active Total 0 0 0 85 85 Console enable Configuring UplinkFast on the Switch You can configure UplinkFast for PVS...

Page 236: ...ds and verify that UplinkFast is enabled Console enable set spantree uplinkfast enable VLANs 1 4094 bridge priority set to 49152 The port cost and portvlancost of all ports set to above 3000 Station update rate set to 15 packets 100ms uplinkfast all protocols field set to off uplinkfast enabled for bridge Console enable show spantree uplinkfast 1 100 521 524 Station update rate set to 15 packets 1...

Page 237: ...UplinkFast The set spantree uplinkfast disable command disables UplinkFast on the switch but the switch priority and port cost values are not reset to the factory defaults Note When you enter the set spantree uplinkfast disable command it affects all VLANs on the switch You cannot disable UplinkFast on an individual VLAN To disable UplinkFast on the switch perform this task in privileged mode With...

Page 238: ...st on the switch perform this task in privileged mode This example shows how to enable BackboneFast on the switch and verify the configuration Console enable set spantree backbonefast enable Backbonefast enabled for all VLANs Console enable show spantree backbonefast Backbonefast is enabled Console enable Displaying BackboneFast Statistics To display BackboneFast statistics perform this task in pr...

Page 239: ...how to disable BackboneFast on the switch and verify the configuration Console enable set spantree backbonefast disable Backbonefast enabled for all VLANs Console enable show spantree backbonefast Backbonefast is disable Console enable Configuring Loop Guard on the Switch These sections describe how to configure BackboneFast Enabling Loop Guard page 9 19 Disabling Loop Guard page 9 20 Enabling Loo...

Page 240: ...ontinue y n n y Loopguard on port 5 1 is enabled Console enable Disabling Loop Guard To disable loop guard on the switch perform this task in privileged mode This example shows how to disable loop guard Console enable set spantree guard none 5 1 Rootguard is disabled on port 5 1 disabling loopguard will disable rootguard on this port Do you want to continue y n n y Loopguard on port 5 1 is disable...

Page 241: ... VTP Version 3 Works page 10 12 Default VTP Version 3 Configuration page 10 21 Configuring VTP Version 3 page 10 22 Understanding How VTP Version 1 and Version 2 Work VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition deletion and renaming of VLANs on a network wide basis VTP minimizes misconfigurations and configuration inconsistencies that ...

Page 242: ...ame and the VTP configuration revision number The switch ignores advertisements with a different management domain name or an earlier configuration revision number If you configure the switch as VTP transparent you can create and modify VLANs but the changes affect only the individual switch When you make a change to the VLAN configuration on a VTP server the change is propagated to all switches i...

Page 243: ...names for ATM LANE 802 10 SAID values FDDI VTP domain name VTP configuration revision number VLAN configuration including the maximum transmission unit MTU size for each VLAN Frame format Understanding VTP Version 2 If you use VTP in your network you must decide whether to use VTP version 1 version 2 or version 3 for details on version 3 see the Understanding How VTP Version 3 Works section on pag...

Page 244: ...ting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices By default VTP pruning is disabled Make sure that all devices in the management domain support VTP pruning before enabling it VTP pruning is supported in supervisor engine software release 5 1 1 and later releases Note If you use routers to route between emulated LANs you should disable VT...

Page 245: ...uned To make a VLAN pruning ineligible enter the clear vtp pruneeligible command To make a VLAN pruning eligible again enter the set vtp pruneeligible command You can set VLAN pruning eligibility regardless of whether VTP pruning is enabled or disabled for the domain Pruning eligibility always applies to the local device only not for the entire VTP domain Figure 10 2 Flooding Traffic with VTP Prun...

Page 246: ...must enable VTP version 2 for Token Ring VLAN switching to function properly Enabling or disabling VTP pruning on a VTP server enables or disables VTP pruning for the entire management domain Making VLANs pruning eligible or pruning ineligible on a switch affects pruning eligibility for those VLANs on that device only not on all switches in the VTP domain With software release 8 1 1 all VTP versio...

Page 247: ...TP server in the management domain and modifies its configuration accordingly To configure the switch as a VTP client perform this task in privileged mode This example shows how to configure the switch as a VTP client and verify the configuration Console enable set vtp domain Lab_Network VTP domain Lab_Network modified Console enable set vtp mode client Changing VTP mode for all features VTP domai...

Page 248: ...ed to be carried across trunks as pruning ineligible use the clear vtp pruneeligible command To disable VTP on the switch perform this task in privileged mode This example shows how to configure the switch as VTP transparent and verify the configuration Console enable set vtp mode transparent Changing VTP mode for all features VTP domain Lab_Net modified Console enable show vtp domain Version runn...

Page 249: ...d VTP version 2 are not interoperable on switches in the same VTP domain Every switch in the VTP domain must use the same VTP version Do not enable VTP version 2 unless every switch in the VTP domain supports version 2 Note In a Token Ring environment you must enable VTP version 2 for Token Ring VLAN switching to function properly To enable VTP version 2 perform this task in privileged mode This e...

Page 250: ...y in this version Do you want to continue y n n y VTP domain Lab_Network modified Console enable show vtp domain Version running VTP1 VTP3 capable Domain Name Lab_Network Password configured hidden Notifications disabled Updater ID 172 20 52 19 Feature Mode Revision VLAN Off 0 Pruning disabled VLANs prune eligible 2 1000 Console enable Enabling VTP Pruning To enable VTP pruning perform this task i...

Page 251: ...s 1 100 500 1001 1023 will not be pruned on this device VTP domain Lab_Network modified Console enable set vtp pruneeligible 250 255 Vlans 2 99 250 255 501 1000 1024 4094 eligible for pruning on this device VTP domain Lab_Network modified Console enable show vtp domain Version running VTP1 VTP3 capable Domain Name Lab_Network Password configured hidden Notifications disabled Updater ID 172 20 52 1...

Page 252: ... statistics summary advts received 0 subset advts received 0 request advts received 0 summary advts transmitted 7843 subset advts transmitted 4 request advts transmitted 20 No of config revision errors 0 No of config digest errors 0 VTP pruning statistics Trunk Join Transmitted Join Received Summary advts received from GVRP PDU non pruning capable device Received 16 1 75 0 0 0 Console enable Under...

Page 253: ...support is added to propagate the MST database These sections describe VTP version 3 VTP Version 3 Authentication page 10 13 VTP Version 3 Per Port Configuration page 10 14 VTP Version 3 Domains Modes and Partitions page 10 14 VTP Version 3 Modes page 10 17 VTP Version 3 Databases page 10 19 VTP Version 3 Authentication VTP version 3 introduces an enhancement to the handling of VTP passwords VTP v...

Page 254: ...Modes and Partitions This section describes how the domains modes and partitions are handled in VTP version 3 as compared to VTP versions 2 and 3 A VTP version 3 server can be configured as primary or secondary The VTP version 3 modes server client and transparent are specific to a VTP instance A VTP version 3 domain can be partitioned For more information about these features see these sections P...

Page 255: ... 3 switches lock on the primary server that generated their configuration and only listen to further VTP database updates from this primary server This process differs significantly from VTP version 1 and VTP version 2 where a switch would always accept a superior configuration from a neighbor in the same domain A VTP version 3 switch accepts only a superior configuration that is from the same dom...

Page 256: ...on using the takeover mechanism to reconfigure partitioned VTP domains see the Reconfiguring a Partitioned VTP Domain section on page 10 16 Reconfiguring a Partitioned VTP Domain Partitioning of a VTP domain is specific to the instance one instance may be partitioned while another might not be partitioned In VTP version 3 you are required to remove any partitions because the protocol cannot determ...

Page 257: ... to do a takeover Switches refuse the takeover request if they are not correctly authenticated If no authentication is enabled any server is able to take over After a takeover there should be only one primary server controlling the entire VTP domain for a particular instance If this is not the case it might be due to the following Some switches may be temporarily disconnected and unreachable when ...

Page 258: ...guration A VTP client stores the VTP configuration that it receives in RAM not NVRAM When a VTP client boots it needs to reacquire the entire configuration that is propagated by VTP including the identity of the primary server A VTP client that cannot store the entire VTP configuration that is received in an instance to RAM immediately transitions to transparent mode Server Mode Primary and second...

Page 259: ...at VTP is controlling This configuration also appears in the running configuration if applicable The feature stores its local configuration in the same NVRAM block that is used by VTP All NVRAM handling for the feature happens through VTP whether or not the switch is transparent to the feature In VTP transparent mode all VTP messages that are received by the switch are still flooded In VTP off mod...

Page 260: ...se a valid configuration Because it has an invalid database a newly inserted switch in a domain immediately accepts the network configuration instead of erasing it Database Revision Number Each VTP instance is associated with a database revision number The database revision number is incremented when the value of the database that is covered by the advertised checksum is modified When a device rec...

Page 261: ...an modify reserved VLANs 1002 1005 however these VLANs are set to their default in the scaled down database in VTP version 2 format A VTP version 3 switch never accepts a configuration from a VTP version 1 or VTP version 2 neighbor Limitations The limitations of VTP version 3 are as follows Two VTP version 3 regions can communicate only over a VTP version 1 and VTP version 2 region in transparent ...

Page 262: ... mode This example shows how to enable VTP version 3 and verify the configuration Console enable set vtp version 3 VTP version 3 cannot be enabled on a switch with No Domain Console enable set vtp domain ENG VTP domain ENG modified Console enable set vtp version 3 VTP version 3 Server Client for VLANDB requires Reduced Mac Address feature to be enabled use set spantree macreduction enable command ...

Page 263: ...ions of VTP version 3 If you enter the set vtp mode transparent unknown command the packets for the unknown features are flooded through the switch If you enter the set vtp mode off unknown command the packets are dropped The unknown feature can only be configured with off or transparent modes The default mode is off for all databases The mode of the VLAN database and MST database are preserved wh...

Page 264: ... ID Primary Description VLAN Server 0 0000 0000 0000 MST Server 0 0000 0000 0000 UNKNOWN Transparent Pruning disabled VLANs prune eligible 2 1000 Console enable Configuring a VTP Version 3 Client When a switch is in VTP client mode you cannot change the VLAN configuration on the switch The client switch receives VTP updates from a VTP server in the management domain and modifies its configuration ...

Page 265: ...ng ineligible use the clear vtp pruneeligible command To disable VTP on the switch perform this task in privileged mode This example shows how to configure the switch as VTP VLAN transparent and verify the configuration Console enable set vtp mode transparent vlan Changing VTP mode for vlan feature VTP3 domain ENG modified Console enable show vtp domain Version running VTP3 Domain Name ENG Passwor...

Page 266: ...ection on page 10 13 In VTP version 3 you can hide the VTP password from the configuration by adding the hidden keyword to the password configuration When you use the hidden keyword the hexadecimal secret key that is generated from the password is shown in the configuration instead of the password in plain text If you configure a password with the hidden keyword you need to reenter the password to...

Page 267: ...VTP secret has to be 32 characters in length Console enable This example shows how to copy the secret hexadecimal value from the configuration paste it into the command line and verify the configuration Console enable set vtp passwd 9fbdf74b43a2815037c1b33aa00445e2 secret Setting secret VTP3 domain server modified Console enable show config set vtp passwd 9fbdf74b43a2815037c1b33aa00445e2 secret Co...

Page 268: ...onfiguration Console enable set vtp primary force Switch can become primary server for vlan feature only when configured as a server Switch can become primary server for mst feature only when configured as a server Console enable set vtp mode server mst Changing VTP mode for mst feature VTP3 domain ENG modified Console enable set vtp mode server vlan Changing VTP mode for vlan feature VTP3 domain ...

Page 269: ... verify the configuration Console enable set port vtp 3 1 2 disable VTP is disabled on ports 3 1 2 Console enable show port vtp 3 Port VTP Status 3 1 disabled 3 2 disabled 3 3 enabled 3 4 enabled Console enable VTP Version 3 show Commands Use the show vtp conflicts devices domain statistics command to show other devices in the domain or devices in the domain with conflicting conflicts configuratio...

Page 270: ...10 30 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 10 Configuring VTP Configuring VTP Version 3 ...

Page 271: ...ge 11 12 Deleting a VLAN page 11 13 Configuring VLAN Mappings on a Per Port or Per ASIC Basis page 11 14 Configuring Private VLANs on the Switch page 11 19 Configuring FDDI VLANs on the Switch page 11 30 Configuring Token Ring VLANs on the Switch page 11 31 Configuring VLANs for the Firewall Services Module page 11 37 Understanding How VLANs Work A VLAN is a group of end stations with a common set...

Page 272: ...e of a switch can be assigned to any VLAN so that you can access another switch on the same VLAN directly without a router Only one IP address at a time can be assigned to the in band interface If you change the IP address and assign the interface to a different VLAN the previous IP address and VLAN assignment are overwritten VLAN Ranges Catalyst 6500 series switches support 4096 VLANs in accordan...

Page 273: ...rCRF VLAN state active or suspended Multi Instance Spanning Tree Protocol MISTP instance Private VLAN type primary isolated community two way community or none Security Association Identifier SAID Maximum transmission unit MTU for the VLAN Ring number for FDDI and TrCRF VLANs Bridge identification number for TrBRF VLANs Parent VLAN number for TrCRF VLANs STP type for TrCRF VLANs IEEE IBM or auto V...

Page 274: ... VLAN 1 Token Ring ports assigned to VLAN 1003 trcrf default VLAN state Active MTU size 1500 bytes 4472 bytes for Token Ring VLANs SAID value 100 000 plus the VLAN number for example the SAID for VLAN 8 is 100008 and the SAID for VLAN 4050 is 104050 Pruning eligibility VLANs 2 1000 are pruning eligible VLANs 1025 4094 are not pruning eligible MAC address reduction Disabled Spanning tree mode PVST ...

Page 275: ...own use starting at VLAN 1025 If you use these devices you must allow for the number of VLANs required Creating Normal Range VLANs You can create one VLAN at a time or you can create a range of VLANs with a single command If you create a range of VLANs you cannot specify a name the VLAN names must be unique To create a normal range VLAN perform this task in privileged mode This example shows how t...

Page 276: ...ing Extended Range VLANs page 11 7 Extended Range VLAN Configuration Guidelines This section describes the guidelines for creating extended range VLANs 1024 4094 You can create only Ethernet type VLANs in the extended range You must enable MAC address reduction in order to use the extended range VLANs You can only create and delete the extended range VLANs from the CLI or SNMP You cannot use VTP t...

Page 277: ...Catalyst 6500 Series and Cisco 7600 Series Router FlexWAN Module Installation and Configuration Note for more information Caution If you move a FlexWAN module from one slot to another on the same switch it will allocate another block of VLANs without deleting the previous block You should reboot the switch if you move the FlexWAN module Creating Extended Range VLANs To create the extended range VL...

Page 278: ...unt Vlans VTP Active 504 1 100 102 500 1000 1002 1005 VTP Suspended 1 101 Extended 1 2000 Console enable Mapping VLANs to VLANs Note To configure the VLAN mappings on a per port or per ASIC basis see the Configuring VLAN Mappings on a Per Port or Per ASIC Basis section on page 11 14 Note With software release 8 3 1 and later releases the global VLAN mapping feature is not needed because ISL trunks...

Page 279: ... the Configuring VLAN Mappings on a Per Port or Per ASIC Basis section on page 11 14 are mutually exclusive only one feature can be enabled at any time If there are any extended range VLANs present on the switch you cannot map any new 802 1Q VLANs to ISL VLANs You can configure up to eight 802 1Q to ISL VLAN mappings on the switch You can only map the 802 1Q VLANs to the Ethernet type ISL VLANs Do...

Page 280: ... VLAN from 1 4094 created by a user The internal VLANs are the VLANs that are used by the software features that require the dedicated VLANs in order to function The internal VLANs are allocated by the VLAN Manager as needed using VLANs 1006 4094 The internal VLANs are allocated in ascending order starting at VLAN 1006 You should assign the user VLANs as close to VLAN 4094 as possible in order to ...

Page 281: ...Console enable set vlan 560 4 10 VLAN 560 modified VLAN 1 modified VLAN Mod Ports 560 4 10 Console enable show vlan 560 VLAN Name Status IfIndex Mod Ports Vlans 560 Engineering active 348 4 10 VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2 560 enet 100560 1500 0 0 VLAN AREHops STEHops Backup CRF Console enable show port 4 10 Port Name Status Vlan Duplex Speed Type 4 10 connecte...

Page 282: ...g verification perform this task in privileged mode This example shows how to enable VLAN port provisioning verification Console enable set vlan verify port provisioning enable vlan verify port provisioning feature enabled Console enable This example shows how to verify the status of VLAN port provisioning verification Console enable show vlan verify port provisioning Vlan Verify Port Provisioning...

Page 283: ...nly on the current switch You can delete an extended range VLAN only on the switch where it was created You cannot delete the default VLANs To delete a Token Ring TrBRF VLAN you must first reassign its child TrCRFs to another parent TrBRF or delete the child TrCRFs Caution When you delete a VLAN any ports that are assigned to that VLAN become inactive Such ports remain associated with the VLAN and...

Page 284: ... restrictions for configuring VLAN mapping With VLAN mapping you have the following options depending on the type of ASIC on the switching module or supervisor engine for the individual module ASIC specifics see Table 11 2 VLAN mapping is not supported Per port VLAN mapping is supported Per ASIC VLAN mapping without the ability to enable or disable VLAN mapping on an individual port basis is suppo...

Page 285: ...tion works on the translated VLAN The RSPAN VLAN cannot be translated you must not configure the RSPAN VLAN to be mapped to any VLAN Similarly the translated VLAN cannot be used as an RSPAN VLAN Spanning tree In the PVST implementation spanning tree BPDUs are tagged with a TLV of VLAN ID on each trunk port This TLV helps spanning tree in determining the port VLAN ID consistency In PVST and Rapid P...

Page 286: ...unks WS X6K S2U MSFC2 WS X6K S2 MSFC2 WS X6K S2 PFC2 WS SUP720 3B WS SUP720 3BXL WS SUP720 WS X6516A GBIC2 WS X6516 GE TX 2 WS X6516A GBIC does not have per ASIC VLAN mapping VLAN mapping is per two ASICs Ports 1 through 8 and ports 9 through 16 instead of only 4 ports per ASIC 32 Per ASIC VLAN mapping Mapping can be enabled or disabled on individual ports in the ASIC Supports any to any type of V...

Page 287: ...e set port vlan mapping 7 1 enable VLAN mapping enabled on port 7 1 Console enable Configuring VLAN Mapping on an Individual Port Note Before using the set port vlan mapping command you must enable the port VLAN mapping by entering the set port vlan mapping mod port enable command Note The source VLAN is the trunk VLAN external to the switch and the translated VLAN is internal to the switch Enter ...

Page 288: ...VLAN mapping 1 ASIC supports 12 ports In this example ports 7 1 4 are part of an EtherChannel Console enable set port vlan mapping 7 1 2002 3003 VLAN 2002 mapped to VLAN 3003 on ports 7 1 12 Console enable In this example module 7 and module 8 are the 48 port 10 100 1000 switching modules WS X6748 GE TX These modules support per ASIC VLAN mapping 1 ASIC supports 12 ports In this example ports 7 1 ...

Page 289: ...ed Current Entries 7 1 2002 3003 Enabled 128 1 Console enable Note Enter the show port capabilities mod mod port command to display the mapping type per port or per ASIC for each port This command also displays the maximum allowed mappings for each port Configuring Private VLANs on the Switch These sections describe how the private VLANs work Understanding How Private VLANs Work page 11 20 Private...

Page 290: ...curs The traffic that is received from an isolated port is forwarded to all promiscuous ports only A private VLAN has four distinct classifications a single primary VLAN a single isolated VLAN and a series of community or two way community VLANs You must define each supporting VLAN within a private VLAN structure before you can configure the private VLAN Primary VLAN Conveys the incoming traffic f...

Page 291: ...one IP subnet to the entire group of stations because all stations reside in one common private VLAN On an MSFC port or a nontrunk promiscuous port you can remap as many isolated or community VLANs as desired however while a nontrunk promiscuous port can remap to only one primary VLAN an MSFC port can only connect an MSFC router With a nontrunk promiscuous port you can connect a wide range of devi...

Page 292: ...N can have one isolated VLAN and or multiple communities that are associated with it An isolated or community VLAN can have only one primary VLAN that is associated with it The private VLANs can use VLANs 2 1000 and 1025 4096 If you delete either the primary or secondary VLAN the ports that are associated with the VLAN become inactive When configuring the private VLANs note the hardware and softwa...

Page 293: ... change the isolated or community VLANs If you enable MISTP you can only configure the MISTP instance with the primary VLAN The changes will be applied to the primary VLAN and will propagate to the isolated and community VLANs Table 11 3 Modules with Ports Listed by ASIC Groups Module Number Description Ports by ASIC WS X6224 100FX MT 24 port 100BASE FX multimode MT RJ Ports 1 12 Ports 13 24 WS X6...

Page 294: ... that is used by any nonroot bridge BPDU guard mode is system wide and is enabled after you add the first port to a private VLAN You cannot configure a destination SPAN port as a private VLAN port and vice versa A source SPAN port can belong to a private VLAN You can use VLAN based SPAN VSPAN to span the primary isolated and community VLANs together or use SPAN on only one VLAN to separately monit...

Page 295: ... that need to carry the private VLANs on their trunks On the edge switches that do not have any isolated community two way community or promiscuous ports typically the access switches with no private ports you do not need to create the private VLANs and you can prune the private VLANs from the trunks for security reasons This example shows how to specify VLAN 7 as the primary VLAN Console enable s...

Page 296: ...le This example shows how to bind VLAN 903 to primary VLAN 7 and assign ports 4 7 through 4 9 as the community ports Console enable set pvlan 7 903 Successfully set association between 7 and 903 Console enable set pvlan 7 903 4 7 9 Successfully set the following ports to Private Vlan 7 903 4 7 9 Console enable This example shows how to map the isolated community VLAN to the primary VLAN on the pro...

Page 297: ... 3 notconnect 7 901 half 100 100BaseFX MM 4 4 notconnect 7 902 half 100 100BaseFX MM 4 5 notconnect 7 902 half 100 100BaseFX MM 4 6 notconnect 7 902 half 100 100BaseFX MM 4 7 notconnect 7 903 half 100 100BaseFX MM 4 8 notconnect 7 903 half 100 100BaseFX MM 4 9 notconnect 7 903 half 100 100BaseFX MM truncated output Viewing the Port Capability of a Private VLAN Port You can view the port capability...

Page 298: ...g port s 5 1 Console enable show pvlan capability 5 3 Ports 5 1 5 12 are in the same ASIC range as port 5 3 Port 5 3 cannot be made a private vlan port due to Conflict with Promiscuous port s 5 2 Conflict with Trunking port s 5 1 Console enable show pvlan capability 15 1 Port 15 1 cannot be made a private vlan port due to Only ethernet ports can be added to private vlans Deleting a Private VLAN Yo...

Page 299: ...community ports and the promiscuous port If you delete all the mappings on a promiscuous port the promiscuous port becomes inactive When a private VLAN port is set to inactive it displays pvlan as its VLAN number in the show port output You might set a private VLAN port to inactive for the following reasons The primary isolated community or two way community VLAN to which it belongs is cleared All...

Page 300: ...RP entries For security reasons the private VLAN interface sticky ARP entries do not age out Connecting new equipment with the same IP address generates a message and the ARP entry is not created Because the private VLAN interface ARP entries do not age out you must manually remove the private VLAN interface ARP entries if a MAC address changes You can add or remove the private VLAN ARP entries ma...

Page 301: ...n 2 to configure and manage the Token Ring VLANs Note Catalyst 6500 series switches do not support the ISL encapsulated Token Ring frames Understanding How Token Ring TrBRF VLANs Work The Token Ring Bridge Relay Function TrBRF VLANs interconnect multiple the Token Ring Concentrator Relay Function TrCRF VLANs in a switched Token Ring network see Figure 11 3 The TrBRF can be extended across a networ...

Page 302: ... as a single bridge between the logical rings The TrBRF can function as an SRB or SRT bridge running either the IBM or IEEE STP If SRB is used the duplicate MAC addresses can be defined on the different logical rings To accommodate the IBM System Network Architecture SNA traffic you can use a combination of SRT and SRB modes In a mixed mode the TrBRF considers some ports logical ports that are con...

Page 303: ...hops that an explorer is allowed to traverse If a port determines that the explorer frame it is receiving has traversed more than the number of specified hops it does not forward the frame The TrCRF determines the number of hops that an explorer has traversed based on the number of bridge hops in the route information field A backup TrCRF enables you to configure an alternate route for the traffic...

Page 304: ...ore you create the Token Ring VLANs For information on enabling VTP version 2 see Chapter 10 Configuring VTP You must specify a bridge number when you create a new TrBRF To create a new Token Ring TrBRF VLAN perform this task in privileged mode This example shows how to create a new Token Ring TrBRF VLAN and verify the configuration Console enable set vlan 999 name TrBRF_999 type trbrf bridge a Vl...

Page 305: ...AN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2 998 trcrf 100998 4472 999 0xa srb 0 0 VLAN AREHops STEHops Backup CRF 998 7 7 off Console enable To modify the VLAN parameters on an existing Token Ring TrCRF VLAN perform this task in privileged mode To create a backup TrCRF assign one port on each switch that the TrBRF traverses to the backup TrCRF To configure a TrCRF VLAN as a ba...

Page 306: ...ple shows how to limit the All Routes Explorer frames and Spanning Tree Explorer frames to ten hops and how to verify the configuration Console enable set vlan 998 aremaxhop 10 stemaxhop 10 Vlan 998 configuration successful Console enable show vlan 998 VLAN Name Status IfIndex Mod Ports Vlans 998 VLAN0998 active 357 VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2 998 trcrf 10099...

Page 307: ...le Console enable set vlan 2 55 firewall vlan 7 Console enable Enter the set firewall multiple vlan interfaces enable disable command to set the multiple VLAN interface feature for a Firewall Services Module Disabling the multiple VLAN interface feature sets the Firewall Services Module to single VLAN interface mode The multiple VLAN interface feature is disabled by default An example is as follow...

Page 308: ...11 38 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 11 Configuring VLANs Configuring VLANs for the Firewall Services Module ...

Page 309: ...es Understanding How InterVLAN Routing Works The network devices in different VLANs cannot communicate with one another without a router to forward traffic between the VLANs In most network environments the VLANs are associated with individual networks or subnetworks For example in an IP network each subnetwork is mapped to an individual VLAN In an IPX network each VLAN is mapped to an IPX network...

Page 310: ...cumentation on Cisco com These sections describe how to configure interVLAN routing on the MSFC MSFC Routing Configuration Guidelines page 12 2 Configuring IP InterVLAN Routing on the MSFC page 12 3 Configuring IPX InterVLAN Routing on the MSFC page 12 3 Configuring AppleTalk InterVLAN Routing on the MSFC page 12 4 Configuring MSFC Features page 12 5 MSFC Routing Configuration Guidelines This sect...

Page 311: ...Configuring IPX InterVLAN Routing on the MSFC Note With Supervisor Engine 720 MSFC3 IPX routing is done through the software Task Command Step 1 Optional Enable IP routing on the router1 1 This step is necessary if you have multiple routers in the network Router config ip routing Step 2 Optional Specify an IP routing protocol2 2 This step is necessary if you enabled IP routing in Step 1 This step ...

Page 312: ...ol2 2 This step is necessary if you enabled IPX routing in Step 1 This step might include other commands such as using the network router configuration command to specify the networks to route Refer to the documentation for your router platform for detailed information on configuring routing protocols Router config ipx router ipx_routing_protocol Step 3 Specify a VLAN interface on the MSFC Router ...

Page 313: ... by the configuration on the switch to which they are connected Local proxy ARP is disabled by default Enter the ip local proxy arp interface configuration command to enable local proxy ARP on an interface Enter the no ip local proxy arp interface configuration command to disable the feature The Internet Control Message Protocol ICMP redirects are disabled on the interfaces where local proxy ARP i...

Page 314: ... on that VLAN shut down are autostated unless sc0 is on the VLAN or another router is in the chassis with an interface subinterface in the VLAN When the first port on the VLAN is brought back up all the Layer 3 interfaces on that VLAN that were previously shut down are brought up The Catalyst 6500 series switch does not have knowledge of or control over the MSM or MSFC configuration just as the sw...

Page 315: ... tracked by autostate the tracked SVIs remain down until at least one tracked Ethernet port in the VLAN moves to the Spanning Tree Protocol STP forwarding state Conversely tracked SVIs remain up if at least one tracked Ethernet port stays in the STP forwarding state Autostate track mode is supported on Ethernet Fast Ethernet and Gigabit Ethernet ports only Note You cannot configure both autostate ...

Page 316: ...form this task in normal mode This example shows how to display the current line protocol state determination for the MSM Console show msmautostate MSM Auto port state enabled Console To display the line protocol state determination for the MSFC perform this task in privileged mode This example shows how to display the line protocol state determination for the MSFC Console enable show msfcautostat...

Page 317: ...autostate disable MSM port auto state disabled Console enable To disable the line protocol state determination of the MSFC perform this task in privileged mode Note If you toggle enable to disable and or disable to enable the msfcautostate command you might have to use the shutdown and no shutdown commands to disable and then restart the VLAN and WAN interfaces on the MSFC to bring them back up Un...

Page 318: ...12 10 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 12 Configuring InterVLAN Routing Configuring InterVLAN Routing on the MSFC ...

Page 319: ... usage information for the supervisor engine commands that are used in this chapter refer to the Catalyst 6500 Series Switch Command Reference publication This chapter consists of these sections Understanding How Layer 3 Switching Works page 13 2 Default CEF for PFC2 PFC3A Configuration page 13 12 CEF for PFC2 PFC3A Configuration Guidelines and Restrictions page 13 13 Configuring CEF for PFC2 PFC3...

Page 320: ...g protocols that are configured on MSFC2 MSFC3 Layer 3 switching does not replace the routing protocols that are configured on MSFC2 MSFC3 Layer 3 switching uses Protocol Independent Multicast PIM for multicast route determination Layer 3 switching on Catalyst 6500 series switches provides flow statistics that you can use to identify the traffic characteristics for administration planning and trou...

Page 321: ...dresses remain the same In IP unicast and IP multicast traffic the switch decrements the Layer 3 TTL value by 1 and recomputes the Layer 3 packet checksum In IPX traffic the switch increments the Layer 3 Transport Control value by 1 and recomputes the Layer 3 packet checksum The switch recomputes the Layer 2 frame checksum and forwards or for multicast packets replicates as necessary the rewritten...

Page 322: ...Header Data FCS Destination Source Checksum IPX Length Transport Control Destination Net Node Socket Source Net Node Socket MSFC2 MAC Source A MAC n Destination B IPX Source A IPX Layer 2 Frame Header Layer 3 IPX Header Data FCS Destination Source Checksum IPX Length Transport Control Destination Net Node Socket Source Net Node Socket Destination B MAC MSFC2 MAC n 1 Destination B IPX Source A IPX ...

Page 323: ...ermanently enabled on Supervisor Engine 720 Cisco IOS CEF is permanently enabled on MSFC3 in support of CEF for PFC3A CEF for PFC2 PFC3A works with CEF for unicast traffic and PIM for multicast traffic on MSFC2 MSFC3 to support IP IP multicast and IPX traffic CEF and PIM on MSFC2 MSFC3 are enhanced to support CEF for PFC2 PFC3A CEF for PFC2 PFC3A generates flow statistics for Layer 3 switched traf...

Page 324: ...network the unicast and multicast routing tables on MSFC2 MSFC3 are updated and those changes are reflected in the FIB The FIB maintains next hop address information that is based on the information in the routing tables on MSFC2 MSFC3 The FIB supports 256 000 entries which includes 16 000 IP multicast entries 128 000 IP multicast entries on MSFC3 With reverse path forwarding RPF check enabled the...

Page 325: ...ows aging time 320 seconds IP statistics flows fast aging time 0 seconds packet threshold 0 IP Current flow mask is Full Vlan flow Netflow Data Export version 7 Netflow Data Export disabled Netflow Data Export port host is not configured Total packets exported 0 Destination Ifindex export is enabled Source Ifindex export is enabled Rate limiting is turned off packets are bridged to router Load bal...

Page 326: ...s Tx Octets connect 140 140 1 5 00 00 d0 00 00 05 140 ARPA 0 0 Mod 15 Destination IP 150 150 1 5 Destination Mask 255 255 255 255 FIB Type resolved AdjType NextHop IP NextHop Mac Vlan Encp Tx Packets Tx Octets connect 150 150 1 5 00 00 e0 00 00 05 150 ARPA 0 0 Mod 15 Destination IP 153 153 1 5 Destination Mask 255 255 255 255 FIB Type resolved AdjType NextHop IP NextHop Mac Vlan Encp Tx Packets Tx...

Page 327: ...C2 PFC3A provides Layer 3 switching when the extended access list deny condition on the RPF interface specifies something other than the Layer 3 source Layer 3 destination or IP protocol an example is the Layer 4 port numbers For partially switched flows all multicast traffic belonging to the flow reaches MSFC2 MSFC3 and is software switched for any interface that is not Layer 3 switched Note All ...

Page 328: ...IP CEF Example Topology Figure 13 2 shows a simple IPX CEF network topology In this example Host A is on the Sales VLAN IPX address 01 Aa Host B is on the Marketing VLAN IPX address 03 Bb and Host C is on the Engineering VLAN IPX address 02 Cc When Host A initiates a file transfer to Host C PFC2 uses the information in the FIB and adjacency table to forward packets from Host A to Host C Source IP ...

Page 329: ...le NetFlow statistics can be displayed with show commands and are also available to NetFlow Data Export NDE Note A NetFlow table with more than 32 000 entries increases the probability that there will be insufficient room to store statistics To reduce the number of entries in the NetFlow table you can exclude specified IP protocols from the statistics or use the least granular flow mask see the Ex...

Page 330: ...Flow Masks Flow masks determine how the NetFlow table entries are created CEF for PFC2 supports only one flow mask the most specific one for all statistics If NetFlow for PFC2 detects different flow masks from different MSFCs for which it is performing Layer 3 switching it changes its flow mask to the most specific flow mask detected this applies to the PFC2 MSFC2 only When the flow mask changes t...

Page 331: ... if you configure bridging on the MSFC Because of the restriction to 16 unique HSRP group numbers CEF for PFC2 cannot support the standby use bia HSRP command PFC3A supports 256 HSRP groups CEF for PFC2 supports the following ingress and egress encapsulations Note CEF for PFC3A supports Ethernet V2 0 ARPA only For IP unicast Ethernet V2 0 ARPA 802 3 with 802 2 with 1 byte control SAP1 802 3 with 8...

Page 332: ...re xx is in the range 0 0xFF For PIM auto RP multicast groups IP multicast group addresses 224 0 1 39 and 224 0 1 40 Note In systems with redundant MSFC2s MSFC3s the PIM interface configuration must be the same on both the active and the redundant MSFC2 MSFC3 If the shortest path tree SPT bit for the flow is cleared when running PIM sparse mode for the interface or group For fragmented IP packets ...

Page 333: ...127 255 255 255 255 255 255 255 15 resolved 127 0 0 11 255 255 255 255 127 0 0 11 1 15 receive 21 2 0 4 255 255 255 255 16 receive 21 0 0 0 255 255 255 255 16 receive 21 255 255 255 255 255 255 255 15 receive 44 0 0 1 255 255 255 255 16 receive 44 0 0 0 255 255 255 255 16 receive 44 255 255 255 255 255 255 255 15 receive 42 0 0 1 255 255 255 255 16 receive 42 0 0 0 255 255 255 255 16 receive 42 25...

Page 334: ...ter the show mls entry netflow route command to display only the entries from the TCP intercept feature and reflexive access control lists ACLs Enter the show mls entry pbr route command to display only the PBR entries Enter the show mls entry qos command to display only the QoS entries Configuring CEF on MSFC2 MSFC3 CEF is permanently enabled on MSFC2 MSFC3 No configuration is required to support...

Page 335: ...ferent from the bootup setting of the active supervisor engine An informational message FIB_MAXROUTES_RESET is printed on the active supervisor engine console if this situation occurs To maximize the TCAM utilization we recommend that you set the maximum routes for IP unicast as a multiple of 16 000 and set the maximum routes for IP multicast as a multiple of 8 000 The internal allocation scheme u...

Page 336: ...re MSFC2 MSFC3 for IP multicast Enabling IP Multicast Routing Globally page 13 18 Enabling IP PIM on an MSFC2 MSFC3 Interface page 13 19 Configuring the IP MMLS Global Threshold page 13 19 Enabling IP MMLS on MSFC2 MSFC3 Interfaces page 13 20 Note This section describes how to enable IP multicast routing on MSFC2 MSFC3 For more detailed IP multicast configuration information refer to the IP Multic...

Page 337: ...n an MSFC2 MSFC3 interface using the default mode sparse dense mode Router config if ip pim Router config if This example shows how to enable PIM sparse mode on an MSFC2 MSFC3 interface Router config if ip pim sparse mode Router config if Configuring the IP MMLS Global Threshold You can configure a global multicast rate threshold specified in packets per second below which all multicast traffic is...

Page 338: ... all participating MSFC2 MSFC3 interfaces before IP MMLS will function For information on configuring IP PIM on MSFC2 MSFC3 interfaces see the Enabling IP PIM on an MSFC2 MSFC3 Interface section on page 13 19 To enable IP MMLS on an MSFC2 MSFC3 interface perform this task This example shows how to enable IP MMLS on an MSFC2 MSFC3 interface Router config if mls ip multicast Router config if Use the...

Page 339: ... these interfaces An H is displayed on interfaces where IP MMLS is enabled The show ip interface command displays the IP MMLS enable state on an MSFC2 MSFC3 interface To display IP MMLS information for an IP PIM MSFC2 MSFC3 interface perform one of these tasks This example shows how to display information about the IP MMLS interfaces Router show ip pim interface count States FS Fast Switched H Har...

Page 340: ...s ip multicast command displays detailed information about IP MMLS To display detailed MMLS information on MSFC2 MSFC3 perform one of these tasks This example shows how to display IP MMLS statistics on MSFC2 MSFC3 Router show mls ip multicast statistics MLS Multicast configuration and state Router Mac 0050 0f2d 9bfd Router IP 1 12 123 234 MLS multicast operating state ACTIVE Maximum number of allo...

Page 341: ... Vlan13 Packets switched 61590 Hardware switched outgoing interfaces Vlan20 Vlan9 RFD MFD installed Vlan13 1 1 9 3 224 1 1 1 Incoming interface Vlan9 Packets switched 0 Hardware switched outgoing interfaces Vlan20 RFD MFD installed Vlan9 1 1 12 1 224 1 1 1 Incoming interface Vlan12 Packets switched 62010 Hardware switched outgoing interfaces Vlan20 Vlan9 RFD MFD installed Vlan12 1 1 12 3 224 1 1 1...

Page 342: ...roup_id group_mask Configures filtering that applies to all other multicast debugging commands no debug mls ip multicast events Displays the IP MMLS events no debug mls ip multicast errors Turns on the debug messages for multicast MLS related errors no debug mls ip multicast messages Displays the IP MMLS messages from to the hardware switching engine no debug mls ip multicast all Turns on all the ...

Page 343: ...ents 92 Flow Statistics 56 Receive Open Connection Requests 1 Keep Alive Messages 72 Shortcut Messages 19 Shortcut Install TLV 8 Selective Delete TLV 4 Group Delete TLV 0 Update TLV 3 Input VLAN Delete TLV 0 Output VLAN Delete TLV 0 Global Delete TLV 0 MFD Install TLV 7 MFD Delete TLV 0 Router IP Router Name Router MAC 1 1 5 252 00 10 29 8d 88 01 Transmit Delete Notifications 22 Acknowledgements 7...

Page 344: ...ulticast group address or the multicast traffic source To display information about the IP multicast entries perform this task in privileged mode This example shows how to display all the IP multicast entries Console enable show mls multicast entry all Router IP Dest IP Source IP Pkts Bytes InVlan OutVlans 1 1 5 252 224 1 1 1 1 1 11 1 15870 2761380 20 1 1 9 254 224 1 1 1 1 1 12 3 473220 82340280 1...

Page 345: ...l Entries 2 Console enable This example shows how to display the IP multicast entries for a specific MSFC2 MSFC3 and a specific multicast source address Console enable show mls multicast entry 15 source 1 1 11 1 short Router IP Dest IP Source IP Pkts Bytes InVlan OutVlans 172 20 49 159 224 1 1 6 1 1 40 4 368 57776 40 23 25 172 20 49 159 224 1 1 71 1 1 22 2 99 65142 22 30 37 172 20 49 159 224 1 1 8...

Page 346: ...er interface entry feature In addition the bridged flow statistics are automatically enabled when you enable the NetFlow entry creation on a per interface basis for VLANs The CLI allows you to disable NetFlow per interface if you do not want this overlap in the Netflow table entry creation The status of this feature is displayed as part of the show mls command The VLANs that have entry creation en...

Page 347: ...r both IP and IPX perform this task in privileged mode This example shows how to specify the entry aging time Console enable set mls agingtime 16 Multilayer switching agingtime IP and IPX set to 16 Console enable To specify the IP entry aging time perform this task in privileged mode This example shows how to specify the IP entry aging time Console enable set mls agingtime ip 16 Multilayer switchi...

Page 348: ...osest one For Supervisor Engine 1 and Supervisor Engine 2 you can configure the pkt_threshold value to 0 1 3 7 15 31 63 or 127 packets For Supervisor Engine 720 you can configure the pkt_threshold value from 1 127 packets in increments of 1 packet If you need to enable IP entry fast aging time initially set the value to 128 seconds If the NetFlow table remains full decrease the setting If the NetF...

Page 349: ...stination source flow Console enable Excluding the IP Protocol Entries from the NetFlow Table You can configure the NetFlow table to exclude specified IP protocols To exclude the IP protocols from the NetFlow table perform this task in privileged mode The port parameter can be a port number or a keyword dns ftp smtp telnet x X Windows or www This example shows how to exclude the Telnet traffic fro...

Page 350: ...PX max hop is 15 Module 15 Physical MAC Address 00 50 3e a9 ab fc Vlan Virtual MAC Address es 42 00 00 0c 07 ac 00 Console This example shows how to display all the NetFlow table entries the display is from a Supervisor Engine 720 Console enable show mls Total packets switched 35254 Total bytes switched 2256256 Total routes 120569 Total number of Netflow entries 120000 IP statistics flows aging ti...

Page 351: ...tistics for the netflows with the maximum amount of network usage The NetFlow entries are pulled out of the NetFlow table based on the number of packets that each flow has The results are displayed in descending order with the top talkers being the entries with the largest packet count You can get the statistics for the network the top 32 talkers are displayed or for a specified number of flows su...

Page 352: ... NetFlow Statistics Totals page 13 36 Note The clear mls commands affect only the statistics None of the clear mls commands affect the forwarding entries or the NetFlow table entries that correspond to the forwarding entries Clearing All the NetFlow Statistics To clear all the NetFlow IP and IPX statistics perform this task in privileged mode This example shows how to clear all the NetFlow statist...

Page 353: ...ion 172 20 26 22 MLS IP entry cleared Console enable This example shows how to clear the statistics for the NetFlow table entries with destination IP address 172 20 22 113 TCP source port 1652 and TCP destination port 23 Console enable clear mls statistics entry ip destination 172 20 26 22 source 172 20 22 113 flow tcp 1652 23 MLS IP entry cleared Console enable Clearing the NetFlow IPX Statistics...

Page 354: ...lar applications Configuring the MLS IP Directed Broadcasts on the Switch The IP directed broadcasts are used primarily for ticker type stock quote devices however when the feature is enabled on router interfaces it provides a means to enable malicious denial of service attacks An IP directed broadcast is a datagram that is sent to the broadcast address of a subnet to which the sending machine is ...

Page 355: ...hosts in the VLAN except the router The include router option forwards the IP directed broadcast packet in the hardware to all the hosts in the VLAN including the router With this option the router does not forward the IP directed broadcast packet again The no form of the command is as follows Router config if no mls ip directed broadcast exclude router include router The no form returns the inter...

Page 356: ...13 38 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 13 Configuring CEF for PFC2 and PFC3A Configuring the MLS IP Directed Broadcasts on the Switch ...

Page 357: ...XL and MSFC3 and Supervisor Engine 32 with PFC3B PFC3BXL and MSFC2A provide Layer 3 switching with Cisco Express Forwarding for PFC3 CEF for PFC3 See Chapter 13 Configuring CEF for PFC2 and PFC3A for more information Note Supervisor Engine 2 PFC2 and MSFC2 provide Layer 3 switching with Cisco Express Forwarding for PFC2 CEF for PFC2 See Chapter 13 Configuring CEF for PFC2 and PFC3A for more inform...

Page 358: ...these five fields Layer 2 MAC destination address Layer 2 MAC source address Layer 3 IP Time to Live TTL or IPX Transport Control Layer 3 checksum Layer 2 MAC checksum also called the frame checksum or FCS If Source A and Destination B are on different VLANs and Source A sends a packet to the MSFC to be routed to Destination B the switch recognizes that the packet was sent to the Layer 2 MAC addre...

Page 359: ... TTL Checksum MSFC MAC Source A MAC Destination B IP Source A IP n calculation1 Layer 2 Frame Header Layer 3 IP Header Data FCS Destination Source Destination Source TTL Checksum Destination B MAC MSFC MAC Destination B IP Source A IP n 1 calculation2 Layer 2 Frame Header Layer 3 IPX Header Data FCS Destination Source Checksum IPX Length Transport Control Destination Net Node Socket Source Net Nod...

Page 360: ...LS Flows Layer 3 protocols such as IP and IPX are connectionless they deliver every packet independently of every other packet However actual network traffic consists of many end to end conversations or flows between users or applications MLS supports unicast and multicast flows A unicast flow can be any of the following All traffic to a particular destination All traffic from a particular source ...

Page 361: ... be Layer 3 switched based on the cached information The MLS cache maintains flow information for all the active flows Unicast Traffic For unicast traffic the PFC creates an MLS cache entry for the initial routed packet of each unicast flow Upon receipt of a routed packet that does not match any unicast flow currently in the MLS cache the PFC creates a new MLS entry Multicast Traffic For multicast...

Page 362: ...tching it changes its flow mask to the most specific flow mask detected When the PFC flow mask changes the entire MLS cache is purged When the PFC exports the cached entries the flow records are created based on the current flow mask Depending on the current flow mask some fields in the flow record might not have values The unsupported fields are filled with a zero 0 The MLS flow masks are as foll...

Page 363: ...ination source null full command and specify a keyword other than the null keyword If NDE is enabled when the null flow mask is configured NDE will not export any flows An example is as follows Console enable set mls nde enable Netflow export enabled Console enable 2005 Sep 18 18 04 43 MLS 5 FLOWMASK_NULL IP Flowmask set to Null Flows will not be exported Conversely if NDE is enabled and you set t...

Page 364: ...r attempts to merge the flow mask requirements of different features The basic idea is to allocate a new flow mask only for a strict flow mask requirement that is incompatible with already allocated flow masks NDE does not have a strict flow mask requirement so the flow mask for NDE can be moved up To use the hardware acceleration functionality for NAT if a flow mask has been configured for NDE en...

Page 365: ...NDE Flowmask is configured to use at least Full Vlan flowmask Console Flow Mask Modes and show mls entry Command Outputs With the destination ip flow mask the source IP protocol and source and destination port fields show the details of the last packet that was Layer 3 switched using the MLS cache entry This example shows how the show mls entry command output appears in destination ip mode Console...

Page 366: ...69 1 133 171 69 192 42 UDP 2049 41636 00 60 70 6c fc 23 2 SNAP ARPA 5 8 1 1 2345 123456 09 03 32 09 08 12 Total Entries 2 indicates TCP flow has ended Console enable Partially and Completely Switched Multicast Flows Some flows might be partially Layer 3 switched instead of completely Layer 3 switched in these situations The MSFC is configured as a member of the IP multicast group using the ip igmp...

Page 367: ...les VLAN IP subnet 171 59 1 0 Host B is on the Marketing VLAN IP subnet 171 59 3 0 and Host C is on the Engineering VLAN IP subnet 171 59 2 0 When Host A initiates an HTTP file transfer to Host C an MLS entry for this flow is created this entry is the second item in the MLS cache shown in Figure 14 1 The PFC stores the MAC addresses of the MSFC and Host C in the MLS entry when the MSFC forwards th...

Page 368: ... the traffic from Host C to Host A The destination VLAN is stored as part of each IPX MLS entry so that the correct VLAN identifier is used when encapsulating traffic on the trunk links Figure 14 2 IPX MLS Example Topology Default MLS Configuration Table 14 1 shows the default IP MLS configuration Source IPX Address 01 Aa 01 Aa 02 Cc 01 Aa 02 Cc Data 03 Bb 02 Cc 01 Aa Dd Bb Dd Cc Dd Aa Marketing E...

Page 369: ...These sections describe the IP MLS configuration guidelines Maximum Transmission Unit Size page 14 14 Restrictions on Using IP Routing Commands with IP MLS Enabled page 14 14 Table 14 2 Default IP MMLS Supervisor Engine Configuration Feature Default Value Multicast services IGMP snooping or GMRP Disabled IP MMLS Enabled Table 14 3 Default IP MMLS MSFC Configuration Feature Default Value Multicast ...

Page 370: ...ported You must enable one of the multicast services IGMP snooping or GMRP on the switch in order to use IP MMLS The IP multicast flows are not multilayer switched if there is no entry in the Layer 2 multicast forwarding table for example if no Layer 2 multicast services are enabled or the forwarding table is full Enter the show multicast group command to check for a Layer 2 entry for a particular...

Page 371: ...nning IP PIM sparse mode If the shortest path tree SPT bit for the flow is cleared when running IP PIM sparse mode for the interface or group For the fragmented IP packets and packets with IP options However the packets in the flow that are not fragmented or that do not specify the IP options are multilayer switched For the source traffic that is received on the tunnel interfaces such as MBONE tra...

Page 372: ...s on the SCP page 14 18 For information on configuring routing on the MSFC see Chapter 12 Configuring InterVLAN Routing For information on configuring unicast Layer 3 switching on Supervisor Engine 1 see the Configuring MLS on Supervisor Engine 1 section on page 14 19 Note The MSFC can be specified as the MLS route processor MLS RP for Catalyst 5000 family switches using MLS Refer to the Layer 3 S...

Page 373: ...nterface vlan 100 Router config if mls ip Router config if This example shows how to enable IPX MLS on an MSFC interface Router config interface vlan 100 Router config if mls ipx Router config if Displaying MLS Information on the MSFC The show mls status command displays the MLS details To display the MLS information on the MSFC perform this task This example shows how to display the MLS status on...

Page 374: ...f IP global purge events no debug l3 mgr all Turns on all the Layer 3 manager debugging messages Table 14 7 MLS Debug Commands External Router Function Command Description no debug mls ip Turns on the IP related events for MLS including route purging and changes of access lists and flow masks no debug mls ipx Turns on the IPX related events for MLS including route purging and changes of access lis...

Page 375: ...ormation page 14 31 For information on configuring the VLANs on the switch see Chapter 11 Configuring VLANs For information on configuring MLS on the MSFC see the Configuring Unicast MLS on the MSFC section on page 14 16 Note When you disable IP or IPX MLS on the MSFC IP or IPX MLS is automatically disabled on Supervisor Engine 1 All the existing protocol specific MLS cache entries are purged To d...

Page 376: ...mode This example shows how to specify the IP MLS aging time Console enable set mls agingtime ip 512 Multilayer switching aging time IP set to 512 Console enable To specify the IPX MLS aging time perform this task in privileged mode This example shows how to specify the IPX MLS aging time Console enable set mls agingtime ipx 512 Multilayer switching aging time IPX set to 512 Console enable Specify...

Page 377: ...fy the IP MLS fast aging time and packet threshold perform this task in privileged mode This example shows how to set the IP MLS fast aging time to 32 seconds with a packet threshold of 0 packets Console enable set mls agingtime fast 32 0 Multilayer switching fast aging time set to 32 seconds for entries with no more than 0 packets switched Console enable To specify that an active flow gets aged o...

Page 378: ...ended to the MAC address If you specify a VLAN number only those CAM entries that correspond to that VLAN number are displayed If a VLAN is not specified the entries for all the VLANs are displayed To display the CAM entries perform this task This example shows how to display the CAM entries Console show cam msfc VLAN Destination MAC Destination Ports or VCs Xtag Status 194 00 e0 f9 d1 2c 00R 7 1 ...

Page 379: ...ole enable show mls ip Total Active MLS entries 0 Total packets switched 0 IP Multilayer switching enabled IP Multilayer switching aging time 256 seconds IP Multilayer switching fast aging time 0 seconds packet threshold 0 IP Flow mask Full Flow Configured flow mask is Destination flow Active IP MLS entries 0 Netflow Data Export version 8 Netflow Data Export disabled Netflow Data Export port host ...

Page 380: ... 33 17 8c 25 00 10 07 38 22 22 26 66 77 88 99 111 00 d0 d3 33 17 8c 112 Console enable Displaying IP MLS Cache Entries These sections describe how to display the MLS cache entries on Supervisor Engine 1 Displaying All MLS Entries page 14 25 Displaying MLS Entries for a Specific IP Destination Address page 14 25 Displaying IPX MLS Entries for a Specific IPX Destination Address page 14 26 Displaying...

Page 381: ... 09 03 32 09 08 12 171 69 1 133 171 69 192 42 UDP 2049 41636 00 60 70 6c fc 23 2 SNAP ARPA 5 8 1 1 2345 1234567 09 03 32 09 08 12 171 69 1 133 171 69 192 42 UDP 2049 41636 00 60 70 6c fc 23 2 SNAP ARPA 5 8 1 1 2345 1234567 09 03 32 09 08 12 Total IP entries 5 indicates TCP flow has ended Destination IPX Source IPX net Destination Mac Vlan Port Stat Pkts Stat Bytes BABE 0000 0000 0001 00 a0 c9 0a 8...

Page 382: ...e show mls entry ipx destination 3E 0010 298a 0c00 Destination IPX Source IPX net Destination Mac Vlan Port MSFC 22 1 0 56 Module 15 3E 0010 298a 0c00 13 00 00 00 00 00 09 26 4 7 Console enable Displaying MLS Entries for a Specific IP Source Address To display the MLS entries for a specific source IP address perform this task in privileged mode This example shows how to display the MLS entries for...

Page 383: ...8 00 20 7a 07 75 10 3 1 Console enable Displaying IPX MLS Entries for a Specific MSFC To display the IPX MLS entries for a specific MSFC perform this task in privileged mode This example shows how to display the IPX MLS entries for a specific MSFC Console enable show mls entry ipx 15 Destination IPX Destination Mac Vlan EDst ESrc Port Stat Pkts Stat Bytes Uptime Age MSFC 22 1 0 56 Module 15 11 000...

Page 384: ...1 181286 00 15 53 00 00 00 11 0000 0000 6010 00 00 00 00 60 10 11 ARPA ARPA 7885 362710 00 15 53 00 00 00 11 0000 0000 E310 00 00 00 00 e3 10 11 ARPA ARPA 3942 181332 00 15 53 00 00 00 11 0000 0000 7910 00 00 00 00 79 10 11 ARPA ARPA 3943 181378 00 15 54 00 00 00 Console enable Displaying MLS Entries for Bridged Flow Statistics To display the MLS entries for the bridged flow statistics perform thi...

Page 385: ...nd the entries for all source or destination ports are cleared the unspecified options are treated as wildcards For other protocols set the src_port and dst_port to 0 or no entries will clear To clear an MLS entry perform this task in privileged mode This example shows how to clear the MLS entries with destination IP address 172 20 26 22 Console enable clear mls entry ip destination 172 20 26 22 M...

Page 386: ...he entries Specify the destination IP address source IP address protocol and source and destination ports to see the specific MLS cache entries A value of zero 0 for src_port or dst_port is treated as a wildcard and all the statistics are displayed the unspecified options are treated as wildcards If the protocol specified is not TCP or UDP set the src_port and dst_prt to 0 or no statistics will di...

Page 387: ...e show mls debug command displays MLS debug information that you can send to your technical support representative for analysis if necessary To display the MLS debug information perform this task Note The show tech support command displays supervisor engine system information Use the application specific commands to get more information about particular applications Configuring IP MMLS These secti...

Page 388: ... MLS route processor MLS RP for Catalyst 5000 family switches using MLS Refer to the Layer 3 Switching Configuration Guide Catalyst 5000 Family 2926G Series 2926 Series Switches for the Catalyst 5000 family switch MLS configuration procedures Note This section describes how to enable IP multicast routing on the MSFC For more detailed IP multicast configuration information refer to the IP Multicast...

Page 389: ...join requests Note This command does not affect the flows that are already being routed To apply the threshold to existing routes clear the route and let it reestablish To configure the IP MMLS threshold perform this task This example shows how to configure the IP MMLS threshold to 10 packets per second Router config mls ip multicast threshold 10 Router config Use the no keyword to deconfigure the...

Page 390: ...ese tasks Displaying the IP Multicast Routing Table The show ip mroute command displays the IP multicast routing table on the MSFC To display the IP multicast routing table perform this task This example shows how to display the IP multicast routing table for 239 252 1 1 Router show ip mroute 239 252 1 1 IP Multicast Routing Table Flags D Dense S Sparse C Connected L Local P Pruned R RP bit set F ...

Page 391: ...S multicast operating state ACTIVE Maximum number of allowed outstanding messages 1 Maximum size reached from feQ 1 Feature Notification sent 5 Feature Notification Ack received 4 Unsolicited Feature Notification received 0 MSM sent 33 MSM ACK received 33 Delete notifications received 1 Flow Statistics messages received 248 MLS Multicast statistics Flow install Ack 9 Flow install Nack 0 Flow updat...

Page 392: ...FD installed Vlan9 1 1 12 1 224 1 1 1 Incoming interface Vlan12 Packets switched 62010 Hardware switched outgoing interfaces Vlan20 Vlan9 RFD MFD installed Vlan12 1 1 12 3 224 1 1 1 Incoming interface Vlan12 Packets switched 61980 Hardware switched outgoing interfaces Vlan20 Vlan9 RFD MFD installed Vlan12 1 1 11 1 224 1 1 1 Incoming interface Vlan11 Packets switched 62430 Hardware switched outgoin...

Page 393: ... ip multicast group group_id group_mask Configures filtering that applies to all the other multicast debugging commands no debug mls ip multicast events Displays the IP MMLS events no debug mls ip multicast errors Turns on the debug messages for the multicast MLS related errors no debug mls ip multicast messages Displays IP MMLS messages from to the hardware switching engine no debug mls ip multic...

Page 394: ...P MMLS Statistics The show mls multicast statistics command displays the IP MMLS statistics for the multicast MSFCs To display the IP MMLS statistics for the multicast MSFCs perform this task This example shows how to display the IP MMLS statistics for the multicast MSFCs Console enable show mls multicast statistics Router IP Router Name Router MAC 1 1 9 254 00 50 0f 06 3c a0 Transmit Delete Notif...

Page 395: ...rticipating MSFCs To clear the IP MMLS statistics perform this task in privileged mode This example shows how to clear the IP MMLS statistics Console enable clear mls multicast statistics All statistics for the MLS routers in include list are cleared Console enable Displaying IP MMLS Entries The show mls multicast entry command displays information about the multicast flows that are handled by the...

Page 396: ...icast entry 15 Router IP Dest IP Source IP Pkts Bytes InVlan OutVlans 1 1 5 252 224 1 1 1 1 1 11 1 15870 2761380 20 1 1 5 252 224 1 1 1 1 1 12 3 15759 2742066 20 1 1 5 252 224 1 1 1 1 1 11 3 15810 2750940 20 1 1 5 252 224 1 1 1 1 1 13 1 15840 2756160 20 1 1 5 252 224 1 1 1 1 1 12 1 15840 2756160 20 Total Entries 5 Console enable This example shows how to display the IP MMLS entries for a specific ...

Page 397: ...detailed information on configuring policy based ACLs PBACLs see the Configuring Policy Based ACLs section on page 44 21 This chapter consists of these sections Understanding How ACLs Work page 15 2 Hardware Requirements page 15 2 Supported ACLs page 15 3 Applying Cisco IOS ACLs and VACLs on VLANs page 15 7 Using Cisco IOS ACLs in your Network page 15 9 Using VACLs with Cisco IOS ACLs page 15 17 U...

Page 398: ...ontrol security encryption policy based routing and so on The standard and extended Cisco IOS ACLs are configured only on the router interfaces and applied on the routed packets The VACLs can provide access control that is based on the Layer 3 addresses for the IP and IPX protocols The unsupported protocols are access controlled through the MAC addresses A VACL is applied to all packets bridged an...

Page 399: ...ws For example Web Cache Redirect through the Web Cache Coordination Protocol WCCP uses the ACLs to specify the HTTP flows that can be redirected to a Web cache engine Most Cisco IOS features are applied on the interfaces for specific directions inbound versus outbound However some features use the ACLs globally For such features the ACLs are applied on all interfaces for a given direction As an e...

Page 400: ...re not defined by direction input or output You can configure the VACLs on the Layer 3 addresses for IP and IPX All other protocols are access controlled through the MAC addresses and EtherType using the MAC VACLs Caution The IP traffic and IPX traffic are not access controlled by the MAC VACLs All other traffic types AppleTalk DECnet and so on are classified as MAC traffic the MAC VACLs are used ...

Page 401: ... switches support three types of ACEs in the hardware IP ACEs IPX ACEs Ethernet ACEs Table 15 1 lists the parameters that are associated with each ACE type Table 15 1 ACE Types and Parameters ACE Type TCP or UDP1 1 IP ACEs ICMP1 Other IP1 IPX Ethernet2 2 For Ethernet packets that are not IP version 4 or IPX Layer 4 parameters Source port Source port operator Destination port Destination port opera...

Page 402: ...set other than 0 are permitted as a default deny tcp host 1 1 1 1 eq 68 host 2 2 2 2 eq 34 In the releases prior to software release 6 1 1 the fragment filtering was completely transparent you would type an ACE such as permit tcp port eq port_number and the software would implicitly install the following ACE at the top of the ACL permit tcp any any fragments Software release 6 1 1 and later releas...

Page 403: ... www 3 permit udp any host 10 1 1 2 eq 69 4 permit udp any gt 1023 10 1 1 2 gt 1023 5 deny ip any host 10 1 1 2 6 permit ip any any If you explicitly want to stop the fragmented UDP traffic to host 10 1 1 2 enter deny udp any host 10 1 1 2 fragment before entry number 3 as shown in this example 3 deny udp any host 10 1 1 2 fragment 4 permit udp any host 10 1 1 2 eq 69 5 permit udp any gt 1023 10 1...

Page 404: ...ut Cisco IOS ACL 3 Output Cisco IOS ACL 4 VACL for output VLAN Figure 15 2 Applying ACLs on Routed Packets Multicast Packets Figure 15 3 shows how the ACLs are applied on the packets that need multicast expansion For the packets that need multicast expansion the ACLs are applied in the following order 1 Packets that need multicast expansion a VACL for input VLAN b Input Cisco IOS ACL Catalyst 6500...

Page 405: ...dition refer to the Cisco IOS configuration guides and command reference publication To configure the ACLs for IP refer to the Configuring IP Services chapter in the Network Protocols Configuration Guide Part 1 When a feature is configured on the router to process traffic such as NAT the Cisco IOS ACL that is associated with the feature determines the specific traffic that is bridged to the router...

Page 406: ...are handling of the ACLs with PFC PFC2 and PFC3A PFC3B PFC3BXL Hardware and Software Handling of Cisco IOS ACLs with PFC page 15 10 Hardware and Software Handling of Cisco IOS ACLs with PFC2 and PFC3A PFC3B PFC3BXL page 15 13 Hardware and Software Handling of Cisco IOS ACLs with PFC This section describes how Cisco IOS ACLs with the PFC are handled by the hardware and the software Note For informa...

Page 407: ... idle timeout is not supported IPX standard input and output ACLs are supported in the hardware when the ACL parameters are IPX source network destination network and or destination node If the ACL contains any other parameters it is handled in the software IPX extended input and output ACLs are supported in the hardware when the ACL parameters are IPX source network destination network destinatio...

Page 408: ...ble hardware policy routing using the mls ip pbr global command all policy routing occurs in the hardware Caution If you use the mls ip pbr command to enable policy routing policy routing is applied in the hardware for all interfaces regardless of which interface was configured for the policy routing WCCP The HTTP requests that are subject to Web Cache Coordination Protocol WCCP redirection are ha...

Page 409: ...nnot be enforced on the switch in the hardware the MSFC has to process the ACL in the software This process significantly degrades the system performance Note With Supervisor Engine 720 PFC3A PFC3B PFC3BXL and Supervisor Engine 32 PFC3B PFC3BXL the IPX routing is done through the software and the IPX Cisco IOS ACLs and IPX VACLs are not supported You can match the IPX packets using the MAC VACLs Y...

Page 410: ...andled in the software without impacting non log flow forwarding in the hardware Rate Limiting for Cisco IOS ACL Logging Rate limiting for Cisco IOS ACL logging limits the number of packets that are sent to the MSFC CPU for the bridged ACEs An ACE is bridged when the result for the Cisco IOS ACL is a deny or permit with the log option specified The bridge action can result in Cisco IOS ACL logging...

Page 411: ...ndled in the software For the TCP UDP flows once the flow is established they are handled in the hardware When the reflexive ACLs are applied the flow mask is changed to VLAN full flow TCP Intercept Note TCP intercept is not supported with Supervisor Engine 720 PFC3A PFC3B PFC3BXL or Supervisor Engine 32 PFC3B PFC3BXL TCP intercept implements the software to protect the TCP servers from the TCP SY...

Page 412: ...P address clause and the set clause contains the next hop and the next hop is reachable then the packet is forwarded in the hardware When a route map contains multiple match clauses all conditions that are imposed by these match clauses must be met before a packet is policy routed However for the route maps that contain both a match IP address clause and match length clause all traffic matching th...

Page 413: ... outbound ACLs are not logged if they are denied by a VACL NAT VACLs are applied on the packets before NAT translation If the translated flow should not be access controlled the flow might get access controlled after the translation because of the VACL configuration Note The VACLs have an implicit deny at the end of the list a packet is denied if it does not match any VACL ACE These sections descr...

Page 414: ...her To define multiple actions in an ACL permit deny redirect group each action type Example 3 page 15 20 shows what can happen when you do not group each type In the example the deny action in line 6 was grouped with the permit actions If this deny action is removed the result of merging would be 53 entries instead of 329 entries Limiting the Number of Actions An ACL with only the permit ACEs has...

Page 415: ...L C is the result of merging ACL A and ACL B and you know the size of ACL A and ACL B you can estimate the upper limit of the size of ACL C when no Layer 4 port information has been specified on ACL A and ACL B as follows size of ACL C size of ACL A x size of ACL B x 2 Note In software releases prior to release 7 1 1 the formula is used as a guideline but the number of entries could go beyond the ...

Page 416: ...ollow the guidelines and remove line 9 the implicit deny is then used at the end of the ACL and modify lines 11 and 12 lines 11 and 12 are modified so that the traffic that line 9 would have dropped is not permitted you see the following equivalent ACL with improved merge results VACL 1 permit udp host 194 72 72 33 194 72 6 160 0 0 0 15 2 permit udp host 147 150 213 94 194 72 6 64 0 0 0 15 eq boot...

Page 417: ...st 255 255 255 255 2 redirect 4 25 udp host 192 168 1 67 host 255 255 255 255 3 permit ip any any Cisco IOS ACL 1 deny ip any host 239 255 255 255 2 permit ip any any MERGE has 4 entries Estimating Merge Results with Supervisor Engine Software Releases 7 1 1 or Later Releases In supervisor engine software releases prior to software release 7 1 1 the following formula is true for software release 7...

Page 418: ...72 6 205 gt 1023 7 permit tcp any host 194 72 6 52 8 permit tcp any host 194 72 6 52 eq 113 9 deny tcp any host 194 72 6 51 eq ftp 10 permit tcp any host 194 72 6 51 eq ftp data 11 permit tcp any host 194 72 6 51 12 permit tcp any eq domain host 194 72 6 51 13 permit tcp any host 194 72 6 51 gt 1023 14 permit ip any host 1 1 1 1 Cisco IOS ACL 1 deny ip any host 239 255 255 255 2 permit ip any any ...

Page 419: ...303 entries Example 4 VACL 1 redirect 4 25 tcp host 192 168 1 67 host 255 255 255 255 2 redirect 4 25 udp host 192 168 1 67 host 255 255 255 255 3 deny tcp any any lt 30 4 deny udp any any lt 30 5 permit ip any any Cisco IOS ACL 1 deny ip any host 239 255 255 255 2 permit ip any any MERGE Using the new algorithm 6 entries Using the old algorithm 142 entries Example 5 VACL 1 redirect 4 25 tcp host ...

Page 420: ...gt 11 are considered two different Layer 4 operations gt 10 permit lt 9 deny gt 11 deny neq 6 redirect Note There is no limit to the use of eq operators because the eq operator does not use a logical operator unit LOU or a Layer 4 operation bit See the Determining Logical Operation Unit Usage section on page 15 24 for a description of LOUs 2 Layer 4 operations are considered different if the same ...

Page 421: ... operations and LOU usage are as follows ACL1 Layer 4 operations 5 ACL2 Layer 4 operations 4 LOUs 4 An explanation of the LOU usage is as follows LOU 1 stores gt 10 and lt 9 LOU 2 stores gt 11 and neq 6 LOU 3 stores gt 20 with space for one more LOU 4 stores range 11 13 range needs the entire LOU Using VACLs in Your Network These sections describe some typical uses for the VACLs Wiring Closet Conf...

Page 422: ... point Switch A If you do not want the HTTP traffic that is switched from Host X to Host Y you can configure a VACL on Switch A All HTTP traffic from Host X to Host Y would be dropped at Switch A and not be bridged to the switch with the MSFC Figure 15 4 Wiring Closet Configuration Redirecting Broadcast Traffic to a Specific Server Port Some application traffic uses the broadcast packets that reac...

Page 423: ...ting the DHCP Response for a Specific Server When the Dynamic Host Configuration Protocol DHCP requests are broadcast they reach every DHCP server in the VLAN and multiple responses are returned With the VACLs you can restrict the response from a specific DHCP server and drop the other responses Task Command Step 1 Redirect the broadcast packets set security acl ip SERVER redirect 4 1 tcp any host...

Page 424: ...ple server 10 1 1 100 in VLAN 10 needs to have access restricted as follows seeFigure 15 7 Hosts in subnet 10 1 2 0 24 in VLAN 20 should not have access Hosts 10 1 1 4 and 10 1 1 8 in VLAN 10 should not have access Task Command Step 1 Permit a DHCP response from host 1 2 3 4 set security acl ip SERVER permit udp host 1 2 3 4 any eq 68 Step 2 Deny the DHCP responses from any other host set security...

Page 425: ...fic from host 10 1 1 4 set security acl ip SERVER deny ip host 10 1 1 4 host 10 1 1 100 Step 3 Deny traffic from host 10 1 1 8 set security acl ip SERVER deny ip host 10 1 1 8 host 10 1 1 100 Step 4 Permit the other IP traffic set security acl ip SERVER permit ip any any Step 5 Commit the VACL commit security acl SERVER Step 6 Map the VACL to VLAN 10 set security acl map SERVER 10 CoS 0 a n d 1 Co...

Page 426: ...A the malicious user can send unsolicited ARP replies or gratuitous ARP packets to the other hosts on the subnet with the IP address of the default router and the MAC address of Host A With some earlier operating systems even if a host already has a static ARP entry for the default router the newly advertised binding from Host A is learned If Host A enables IP forwarding and forwards all packets f...

Page 427: ...ollowing fields from the ARP header to define a logging flow source IP address source MAC address and ARP opcode request reply You can limit the number of logged flows by entering the set security acl log maxflow max_flows command However the set security acl log ratelimit max_rate command does not apply to the ARP traffic inspection logged flows The RARP packets are not used to learn the ARP entr...

Page 428: ...ing ACL is used to protect the two IP addresses that are specified and will not do ARP traffic inspection with any MAC addresses other than those specified set security acl ip ACL_VLAN951 permit arp inspection host 132 216 251 129 00 d0 b7 11 13 14 set security acl ip ACL_VLAN951 deny arp inspection host 132 216 251 129 any log set security acl ip ACL_VLAN951 permit arp inspection host 132 216 251...

Page 429: ...s how to permit the ARP packets that advertise a binding of IP address 172 20 52 54 to MAC address 00 01 64 61 39 c2 Console enable set security acl ip ACL1 permit arp inspection host 172 20 52 54 00 01 64 61 39 c2 Operation successful Console enable commit security acl ACL1 Console enable ACL commit in progress ACL ACL1 successfully committed Permitting or Denying ARP Packets Advertising a Partic...

Page 430: ...gs for IP Addresses on a Particular Network To permit or deny the ARP packets that advertise a binding for the IP addresses on a particular network perform this task in privileged mode Note The ip_mask is a reverse mask The 0 bit means match and the 1 bit means ignore For example 10 3 5 6 and 0 0 0 255 are equivalent to 10 3 5 24 This example shows how to permit the ARP packets that advertise a bi...

Page 431: ...kets where the source Ethernet MAC address is not the same as the source MAC address in the ARP header Console enable set security acl arp inspection match mac enable drop ARP Inspection match mac feature enabled with drop option Console enable Console enable show security acl arp inspection config Match mac feature is enabled with drop option Address validation feature is disabled Dynamic ARP Ins...

Page 432: ...the ARP traffic inspection task perform this task in normal mode Note You can enter the show security acl commands to display certain ARP traffic inspection configuration information This example shows how to display the number of packets that are permitted and denied by the ARP traffic inspection task Console enable show security acl arp inspection statistics ARP Inspection statistics Packets for...

Page 433: ...ackets per second values between 1 9 are set to 10 To disable rate limiting set the value to 0 Note Rate limiting might be shared by multiple features To display the features that share rate limiting enter the show security acl feature ratelimit command To rate limit the number of ARP traffic inspection packets that are sent to the CPU on a global basis perform this task in privileged mode This ex...

Page 434: ...number of ARP traffic inspection packets that are sent to the CPU on a per port basis The drop threshold is set to 700 and the shutdown threshold is set to 800 for port 3 1 Console enable set port arp inspection 3 1 drop threshold 700 shutdown threshold 800 Drop Threshold 700 Shutdown Threshold 800 set on port 3 1 Console enable Console enable show port arp inspection 3 1 Port Drop Threshold Shutd...

Page 435: ... 2 with PFC2 Supervisor Engine 720 with PFC3A PFC3B PFC3BXL and Supervisor Engine 32 with PFC3B PFC3BXL These sections describe DAI Overview page 15 39 Dynamic ARP Inspection Configuration Procedures page 15 41 Overview DAI uses the binding information that is built by DHCP snooping to enforce the advertisement of bindings to prevent man in the middle attacks These attacks can occur when an attack...

Page 436: ...e system configures the MSFC port as ARP inspection trusted ARP packet redirected to NMP Received on ARP inspection trusted port Match MAC enabled Source and payload MAC match Address validation enabled ARP inspection ACE on VLANs ACL Check ARP inspection ACE rules Match found DAI enabled on VLAN Entry found lease not expired Payload and bind entry IP addresses match Search DHCP bind entries wtih ...

Page 437: ...nd that you enable high availability when using DAI DHCP snooping and IP source guard If high availability is not enabled the clients have to renew their IP addresses for these features to work after a switchover For the configuration details on DHCP snooping and IP source guard see Chapter 33 Configuring DHCP Snooping and IP Source Guard Note Prior to software release 8 6 1 you could enable dynam...

Page 438: ... 1 1 47 4 1 48 5 1 2 Logging for Dynamic ARP Inspection rules is disabled Console enable set security acl ip dai permit dhcp snooping Successfully configured DHCP Snooping for ACL dai Use commit command to save changes Console enable set security acl ip dai permit arp inspection any any dai editbuffer modified Use commit command to apply changes Console enable set security acl ip dai permit ip any...

Page 439: ...n software release 6 1 1 and later releases ACLs can be applied as follows You can map VACLs to secondary VLANs or primary VLANs Cisco IOS ACLs that are mapped to a primary VLAN get mapped to the associated secondary VLANs You cannot map Cisco IOS ACLs to secondary VLANs You cannot map dynamic ACEs to a private VLAN You can map QoS ACLs to secondary VLANs or primary VLANs If you map a VACL to a pr...

Page 440: ...h in the hardware the MSFC has to process the ACL in the software and this significantly degrades system performance Bridge group ACLs IP accounting Inbound and outbound rate limiting Standard IPX with source node number IPX extended access lists that specify a source node number or socket numbers are not enforced in the hardware Standard XNS access list Extended XNS access list DECnet access list...

Page 441: ...LAN Interface Guidelines section on page 15 17 See the Using VACLs in Your Network section on page 15 25 for configuration examples See the Unsupported Features section on page 15 44 See the Specifying the ACL Merge Algorithm section on page 15 47 You must commit a VACL before you can map it to a VLAN There are no default VACLs and no default VACL to VLAN mappings If no Cisco IOS ACL is configured...

Page 442: ...iguration Summary To create a VACL and map it to a VLAN perform these steps Step 1 Enter the set security acl ip command to create a VACL and add ACEs Step 2 Enter the commit command to commit the VACL and its associated ACEs to NVRAM Step 3 Enter the set security acl map command to map the VACL to a VLAN Note An IP VACL is used in this description you can configure IPX and non IP version 4 non IP...

Page 443: ...and changes appear The set aclmerge algo and set aclmerge bdd commands have been removed The show aclmerge bdd algo command has been reduced to show aclmerge algo Note For examples of the ODM algorithm see the Estimating Merge Results with Supervisor Engine Software Releases 7 1 1 or Later Releases section on page 15 21 The default algorithm is ODM If BDD is disabled the merge algorithm can only b...

Page 444: ...CL and Adding ACEs To create a new IP VACL and add the ACEs or to add the ACEs to an existing IP VACL perform one of these tasks in privileged mode This example shows how to create an ACE for IPACL1 to allow the traffic from source address 172 20 53 4 Console enable set security acl ip IPACL1 permit host 172 20 53 4 0 0 0 0 IPACL1 editbuffer modified Use commit command to apply changes Console ena...

Page 445: ...and see the Committing ACLs section on page 15 53 Enter the show security acl info IPACL1 command to verify that the changes were committed If this VACL has not been mapped to a VLAN enter the set security acl map command to map it to a VLAN This example shows how to create an ACE for IPACL2 to block the traffic from source address 172 20 3 2 and place this ACE before ACE number 2 in the VACL Opti...

Page 446: ...how security acl info IPACL2 command to verify that the changes were committed If this VACL has not been mapped to a VLAN enter the set security acl map command to map it to a VLAN Creating an IPX VACL and Adding ACEs Note With Supervisor Engine 720 PFC3A PFC3B PFC3BXL and Supervisor Engine 32 PFC3B PFC3BXL the IPX routing is done through the software and the IPX Cisco IOS ACLs and IPX VACLs are n...

Page 447: ...eny any 1234 2 deny any any 1 A 3 4 3 redirect 4 1 any 3456 Console enable Note For more information about the show security acl info command see the Displaying the Contents of a VACL section on page 15 54 This example shows how to commit the ACEs to NVRAM Console enable commit security acl all ACL commit in progress ACL IPXACL1 is committed to hardware Console enable Enter the show security acl i...

Page 448: ...are used to access control this traffic To create a new non IP version 4 non IPX VACL and add the ACEs or to add the ACEs to an existing non IP version 4 non IPX VACL perform this task in privileged mode This example shows how to create an ACE for MACACL1 to block all traffic from 8 2 3 4 7 A Console enable set security acl mac MACACL1 deny host 8 2 3 4 7 A any MACACL1 editbuffer modified Use comm...

Page 449: ...nd see the Committing ACLs section on page 15 53 Enter the show security acl info MACACL1 command to verify that the changes were committed If this VACL has not been mapped to a VLAN enter the set security acl map command to map it to a VLAN Committing ACLs You can commit all ACLs or a specific ACL to NVRAM with the commit command Any committed ACL with no ACEs will be deleted To commit an ACL to ...

Page 450: ... perform this task in privileged mode This example shows how to display the contents of a VACL that has been saved in NVRAM Console enable show security acl info IPACL1 set security acl ip IPACL1 1 deny A 2 deny ip B any 3 deny c 4 permit any This example shows how to display the contents of a VACL that is still in the edit buffer Console enable show security acl info IPACL1 editbuffer set securit...

Page 451: ...h the rollback command The ACL is rolled back to its state at the last commit command To clear the ACL edit buffer perform this task in privileged mode This example shows how to clear the edit buffer of a specific security ACL Console enable rollback security acl IPACL1 Editbuffer for IPACL1 rolled back to last commit state Console enable Removing ACEs from Security ACLs You can remove a specific ...

Page 452: ... to VLAN mappings Console enable clear security acl map all Map deletion in progress Successfully cleared mapping between ACL ip1 and VLAN 10 Successfully cleared mapping between ACL ipx1 and VLAN 10 display text omitted Console enable This example shows how to clear the mapping for a specific VACL on a specific VLAN Console enable clear security acl map IPACL1 50 Map deletion in progress Successf...

Page 453: ...ure port list and the configuration is saved in NVRAM Only permit traffic is captured If a packet is dropped due to an ACL the packet cannot be captured The capture ports do not transmit out all captured traffic They transmit only traffic belonging to the capture port VLAN To capture the traffic going to many VLANs the capture port should be a trunk carrying the required VLANs For the routed traff...

Page 454: ... 1 1 1 host 60 1 1 98 capture my_cap editbuffer modified Use commit command to apply changes Console enable This example shows how to commit the my_cap ACL to NVRAM Console enable commit security acl my_cap ACL commit in progress ACL my_cap successfully committed Console enable This example shows how to map my_cap to VLAN 10 Console enable set security acl map my_cap 10 Mapping in progress VLAN 10...

Page 455: ...ging see Chapter 29 Configuring System Message Logging Configuration Guidelines This section describes the guidelines for configuring VACL logging Log only the deny traffic from the IP VACLs You must set the logging level to 6 information or 7 debugging To enable VACL logging perform these steps Step 1 Enter the set logging level acl severity command to set the logging level to 6 information or 7 ...

Page 456: ...rate set to 1000pps This example shows how to display the VACL log configuration Console enable show security acl log config VACL LOG Configration Max Flow Pattern 512 Max Logging Eligible rate pps 1000 This example shows how to create an ACE for my_cap and specify that the denied traffic is logged Console enable set security acl ip my_cap deny ip host 21 0 0 1 log my_cap editbuffer modified Use c...

Page 457: ...s describe how to configure the MAC based ACL lookups for all packet types Overview of MAC Based ACLs page 15 61 Using MAC Based ACL Lookups for All Packet Types page 15 62 Including the VLAN and CoS in MAC Based ACLs page 15 62 Configuration Guidelines page 15 63 Configuring MAC Based ACL Lookups for All Packet Types page 15 63 Overview of MAC Based ACLs PFC3A supports two ACL protocol types IP a...

Page 458: ...FC3B and PFC3BXL overload the VLAN field with the frame type field in the MAC lookup key Because CoS and VLAN fields are maskable both fields are added as optional parameters that allow support for the old MAC ACL configurations VLAN Matching With PFC3B and PFC3BXL if the MAC ACL is mapped to the input the packet s input VLAN is used to match against the MAC ACL Similarly if the MAC ACL is mapped ...

Page 459: ...on back to the default for the specified VLAN The default behavior is to match only MAC packets with MAC ACLs If you do not specify a VLAN with the clear acl mac packet classify vlans command the feature is disabled for all VLANs The show acl mac packet classify command displays the list of VLANs that have the MAC packet classify feature enabled Include CoS VLAN and Packet Type in MAC ACLs and Ext...

Page 460: ... enable show acl mac packet classify Feature enabled on source vlan s 1 5 Console enable clear acl mac packet classify 5 Disabled mac packet classify on vlan s 5 Console enable Note The all keyword with the set and clear commands allow you to specify all VLANs Configuring and Storing VACLs and QoS ACLs in Flash Memory This section describes how to configure and store the VACLs and the QoS ACLs in ...

Page 461: ...sages display 1999 Sep 01 17 00 00 SYS 1 CFG_FLASH_ERR Failed to write ACL configuration to bootflash switchapp cfg 1999 Sep 01 17 00 00 SYS 1 CFG_ACL_DEALLOC NVRAM full Qos Security ACL configuration deleted from NVRAM If you receive these error messages the VACL and QoS ACL configuration is stored in DRAM only You need to make more space available in flash memory and then save the configuration ...

Page 462: ... n n y ACL configuration has been copied successfully Console enable Step 6 Delete the VACL and QoS ACL configuration from NVRAM Console enable clear config acl nvram ACL configuration has been deleted from NVRAM Warning Use the copy commands to save the ACL configuration to a file and the set boot config register auto config commands to configure the auto config feature Note The VACL and QoS ACL ...

Page 463: ... the VACL and QoS ACL configuration to this file after the commit operations If you do not use the set boot config register auto config append option the auto config feature clears the configuration before executing the auto config file at system startup Any changes made in NVRAM are lost You should always copy your entire configuration not just the VACL and QoS ACL configuration to the auto confi...

Page 464: ...The VACLs were applied to Layer 2 and Layer 3 forwarded traffic while Cisco IOS ACLs were applied only to the Layer 3 forwarded packets Both access list types were applied to the VLANs and filtered traffic based on the packet header information In software release 8 3 1 there is an additional type of access list a PACL A PACL is an access list that is mapped to a physical port typically a VLAN is ...

Page 465: ... be incorrect to apply a VACL that is meant for VLAN x to a packet that is tagged with VLAN y Because the PFC3A cannot perform a lookup based on a port VLAN pair you cannot map a PACL to a port in merge mode Note The CLI syntax for creating a PACL is identical to that of a VACL An instance of an ACL that is mapped to a port is called a PACL An instance of an ACL that is mapped to a VLAN is called ...

Page 466: ...AN based or merge and the same ACL name to form a port channel If you change one port in an EtherChannel from a port based ACL to a VLAN based ACL all ports in the channel are changed to VLAN based ACL mode Changing the configuration on one port affects all the ports in the channel When an ACL is mapped to a port belonging to a channel it is mapped to all ports in the channel including the logical...

Page 467: ...N Association Changes Applies to Merge Mode Only The port VLAN association changes are allowed in all cases However when a port is configured in merge mode it is possible that a change in the port VLAN association can result in a merge failure In such cases the port is placed in merge disable mode Unmapping and then mapping a PACL VACL or Cisco IOS ACL automatically triggers a remerge This example...

Page 468: ...hich is stored in NVRAM The configuration is retained in NVRAM but is not displayed When you insert or bring a module online the configuration is repopulated from NVRAM or text configuration file and remapped in runtime Enabling or disabling a port has no impact on the ACL mapping or the security ACL mode unless the port is in merge mode In the merge mode a port that is disabled or cleared from a ...

Page 469: ...1 4 merge ACL interface cannot be in merge mode on multi vlan access port 3 1 ACL interface is set to merge mode for port s 3 2 ACL interface is set to merge mode for port s 3 3 ACL interface is set to merge mode for port s 3 4 Displaying PACL Information The show port security acl mod port command displays PACL information for the specified port The Config field displays what is stored in NVRAM T...

Page 470: ...based or merge mode This functionality is similar to QoS Mapping an ACL to a VLAN causes the following operations to occur 1 The ACL is mapped to the VLAN 2 A merge is automatically triggered with all the constituent ports that are in merge mode If 1 fails the operation fails and a syslog message is generated For 2 a syslog is generated for any ports that failed to merge with the VACL These ports ...

Page 471: ...igured VACLs and PACLs To display the ACL mapping information perform this task in normal mode These examples show how to display the ACL mapping information Console enable show security acl map config all ACL Name Type Ports Vlans ipacl1 IP 11 ipacl2 IP 3 1 Console enable show security acl map config all ports ACL Name Type Ports ipacl2 IP 3 1 Console enable show security acl map runtime 3 1 Port...

Page 472: ...he port is in VLAN based mode Console enable set port security acl 3 1 vlan based ACL interface is set to vlan based mode for port s 3 1 Console enable set security acl map ipacl1 3 1 Port 3 1 is set to vlan based mode config is saved in Nvram Config will be applied when the port is set to port based merge Console enable show security acl map config 3 1 Port ACL name Type 3 1 ipacl1 IP Console ena...

Page 473: ...ecurity acl 3 1 port based Warning Vlan based ACL features will be disabled on port s 3 1 ACL interface is set to port based mode for port s 3 1 2003 Sep 05 22 34 50 ACL 3 TCAMFULL Acl engine TCAM table is full 2003 Sep 05 22 34 50 ACL 3 PACLMAPCOMMITFAIL Failed to Map Security ACL ipacl1 to Port 3 1 Console enable show security acl map config 3 1 Port ACL name Type 3 1 ipacl1 IP Console enable sh...

Page 474: ...me runtime 3 1 merge merge VLAN 5 inactive Config Port ACL name Type No ACL is mapped to port 3 1 Runtime Port ACL name Type No ACL is mapped to port 3 1 dhcp snooping Port Trust Source Guard Source Guarded IP Addresses 3 1 untrusted disabled Console enable set security acl map ipacl1 3 1 ACL ipacl1 is successfully mapped to port s 3 1 Console enable show port security acl 3 1 Port Interface Type ...

Page 475: ... Port ACL name Type No ACL is mapped to port 3 1 Console enable show security acl map runtime 3 1 Port ACL name Type No ACL is mapped to port 3 1 Console enable Example 5 This example shows that you cannot change the mode if a failure occurs when changing port based mode to merge mode Console enable set port security acl 3 1 port based ACL interface is set to port based for port s 3 1 Console enab...

Page 476: ... ACL name Type 3 1 ipacl1 IP 3 1 macacl1 MAC dhcp snooping Port Trust Source Guard Source Guarded IP Addresses 3 1 untrusted disabled Console enable set security acl map ipacl2 5 ACL ipacl2 is successfully mapped to VLAN 5 2003 Oct 01 20 01 04 ACL 3 MERGEFAILED Failed to merge Security ACLs on ports s 3 1 4 with VLAN 5 2003 Oct 01 20 01 04 ACL 3 PACLSMERGEDFORVLAN Merge completed for all ports on ...

Page 477: ... ACL name Type 3 1 ipacl1 IP Runtime Port ACL name Type 3 1 ipacl1 IP dhcp snooping Port Trust Source Guard Source Guarded IP Addresses 3 1 untrusted disabled Console enable Configuring ACL Statistics These sections describe how to configure the ACL statistics ACL Statistics Overview page 15 81 Configuring ACL Statistics from the CLI page 15 82 ACL Statistics Overview When you select the statistic...

Page 478: ...e same result with a PFC2 PFC3A PFC3B PFC3BXL and later PFCs do not have this limitation Note The ACL statistics could differ between the active and standby supervisor engines because the ACLs cannot be programmed into the active standby TCAMs at the exact time However if the traffic starts hitting the TCAM after the TCAM is programmed the ACL statistics should be the same Configuring ACL Statisti...

Page 479: ...ites the per ACE command set security acl ip mac acl_name statistics Note The aggregated statistics mode disables the merge optimization and can result in a larger number of ACEs In some cases an ACL that was previously installed in the TCAM might not fit in the TCAM after the aggregated statistics mode is enabled To enable the aggregated ACL statistics on a per ACL basis perform this task in priv...

Page 480: ...ple if you enter the set security acl map ip1 1 statistics enable command followed by the set security acl map mac1 1 command the mac1 ACL will also have the per VLAN statistics enabled If you enter the set security acl map ip1 1 statistics enable command followed by the set security acl map mac1 1 statistics disable command the ip1 ACL will also have the per VLAN statistics disabled To enable the...

Page 481: ...bed in this section to clear the ACL statistics clear security acl statistics acl_name Disables the collection of statistics for all the ACEs in the specified ACL This command works only for the ACL statistics that are configured on a per ACL basis The command does not work for the ACL statistics that are configured on a per VLAN or per ACE basis This command is effective only after you enter the ...

Page 482: ...tches 45745 1 deny l3 tcp any any fragment matches 0 2 deny l3 ip host 21 0 0 130 any matches 0 3 deny l3 udp 1 2 2 0 0 0 0 255 any matches 0 4 deny l3 tcp any any 2001 matches 0 5 deny l3 ip host 21 0 0 128 any matches 0 6 deny ip any any matches 3 Output 0 permit arp matches 0 1 deny l3 tcp any any fragment matches 0 2 deny l3 ip host 21 0 0 130 any matches 0 3 deny l3 udp 1 2 2 0 0 0 0 255 any ...

Page 483: ...ntry is shared among eight value entries When programming the ACLs it is possible to see the error condition where the TCAM is full and can no longer program any new ACLs into the TCAM hardware This problem is almost always caused by a shortage of TCAM masks You can run CRAM in two modes In the manual mode you execute the feature when desired In the automatic mode the feature is run whenever a TCA...

Page 484: ...nd to manually enable the CRAM feature To manually enable the CRAM feature perform this task in privileged mode This example shows how to manually enable the CRAM feature Console enable set security acl cram run Traffic may be disrupted for some time while programming hardware Agree y n n y CRAM execution in progress CRAM execution complete Previous ACL storage mask usage 60 0 Current ACL storage ...

Page 485: ...formation perform this task in normal mode This example shows how to display the CRAM feature status information Console enable show security acl cram Cram auto mode is enabled Timer is 300 Cram last run on Fri Jun 18 2004 10 06 29 Security ACL mask usage before 0 17 Security ACL mask usage after 0 12 Total number of cram executions 2 Console enable Disabling the CRAM Feature Automatic Mode Enter ...

Page 486: ...ases have further PBF enhancements that simplify the process of setting and committing the security ACLs and adjacency information For more information see the Enhancements to the PBF Configuration Software Releases 8 3 1 and Later section on page 15 105 Note PBF does not support IPX and multicast traffic Note PBF does not work with 802 1Q tunnel traffic PBF is supported on the Layer 3 IP unicast ...

Page 487: ...destination VLAN and source and destination MAC addresses is rewritten and the packet is forwarded to the destination VLAN The packets are forwarded between VLANs only if they hit the VACL entries that are associated with the adjacency information Note Because the VACLs are applied to the incoming and outgoing traffic you must configure all VACLs carefully when using PBF If the VACLs are not speci...

Page 488: ... example procedures Enabling PBF and Specifying a MAC Address for the PFC2 or PFC3A PFC3B PFC3BXL page 15 92 Specifying the PBF MAC Address on a VLAN page 15 94 Configuring VACLs for PBF page 15 94 Displaying PBF Information page 15 96 Clearing Entries in PBF VACLs page 15 97 Rolling Back Adjacency Table Entries in the Edit Buffer page 15 98 Configuring Hosts for PBF page 15 98 Figure 15 10 Policy...

Page 489: ...ss and verify the change Console enable show pbf Pbf status Mac address not set 00 00 00 00 00 00 Console enable Console enable set pbf PBF committed successfully Operation successful Console enable Console enable show pbf Pbf status Mac address ok 00 01 64 61 39 c2 Console enable This example shows how to enable PBF with a specific MAC address Console enable set pbf mac 00 11 11 11 11 11 PBF comm...

Page 490: ...F MAC address on a VLAN Console enable set pbf vlan 11 12 Console enable PBF enabled on vlan s 11 12 Operation successful Console enable show pbf Pbf status Mac address Vlans ok 00 01 64 f8 39 18 11 12 Console enable The message Operation successful indicates that the PBF MAC address was saved in NVRAM Entering the clear pbf command does not clear the VLANs that are enabled for PBF The clear pbf c...

Page 491: ...entry can be used by more than one redirect ACE To specify an adjacency table entry for the PFC2 or PFC3A PFC3B PFC3BXL perform this task in privileged mode This example shows how to specify the adjacency table entry Console enable set security acl adjacency ADJ1 11 00 00 00 00 00 0B ADJ1 editbuffer modified Use commit command to apply changes Console enable This example shows how to create the PB...

Page 492: ...Console enable commit security acl IPACL2 ACL commit in progress ACL IPACL2 successfully committed Console enable set security acl map IPACL2 11 Mapping in progress ACL IPACL2 successfully mapped to VLAN 11 Console enable Displaying PBF Information This section describes how to display the PBF related information To display the adjacency table entries perform one of these tasks in normal mode This...

Page 493: ...ency table entry in PBF VACLs in the following order 1 Clear the redirect ACE 2 Commit the PBF VACL 3 Clear the adjacency table entry 4 Commit the adjacency table entry To clear a PBF adjacency table entry perform this task in privileged mode This example shows how to clear a PBF adjacency table entry Console enable clear security acl adjacency ADJ1 Adj is in use by a VACL clear the VACL first the...

Page 494: ...e following platforms and operating systems Linux page 15 98 Sun Workstation page 15 99 MS Windows NT 2000 Hosts page 15 100 Note When a router is not present in the network you need to specify the static ARP entries on the participating hosts The host s ARP table maps the IP address of the host device to the MAC address of the PFC2 or PFC3A PFC3B PFC3BXL Note The IP addresses in the following exa...

Page 495: ...f the destination is part of a different network 11 x x x in this example This is an ARP limitation in all Sun Workstations To overcome this problem you need to define a dummy gateway which is a host route and set a static ARP entry pointing to the PBF MAC address that is mapped to the destination host Using the example above you need to first define a dummy static ARP entry for the gateway The IP...

Page 496: ...hosts on VLAN 2 see Figure 15 11 Figure 15 11 Policy Based Forwarding Configuration Example This example shows the switch configuration file that was created to enable PBF between the hosts on VLAN 1 and VLAN 2 Only the first four hosts from each VLAN are shown in the example 44 0 0 1 through 44 0 0 4 and 43 0 0 1 through 43 0 0 4 security ACLs clear security acl all adj set set security acl adjac...

Page 497: ... 44 0 0 4 set security acl ip ip2 permit ip any any pbf set set pbf mac 00 11 22 33 44 55 commit security acl all set security acl map ip1 1 set security acl map ip2 2 This example shows how to display the MAC addresses that were learned by the switch for port 6 17 on VLAN 1 Console enable show cam dynamic 6 17 Static Entry Permanent Entry System Entry R Router Entry X Port Security Entry Dot1x Se...

Page 498: ...ing CAM Entries Displayed for 6 9 16 This example shows how to display the PBF status and the PFC2 or PFC3A PFC3B PFC3BXL MAC address Console enable show pbf Pbf status Mac address ok 00 11 22 33 44 55 This example shows how to display the PBF statistics Console enable show pbf statistics Index DstVlan DstMac SrcMac HitCount hex Name 1 2 00 0a 0a 0a 0a 0a 00 11 22 33 44 55 0x00026d7c a_1 2 2 00 0a...

Page 499: ... 2 12 The new set pbf map command is equivalent to all of the following pre release 7 5 1 commands set security acl adjacency PBF_MAP_ADJ_0 11 0 0 0 0 0 1 set security acl adjacency PBF_MAP_ADJ_1 12 0 0 0 0 0 2 commit security acl adjacency set security acl ip PBF_MAP_ACL_11 redirect PBF_MAP_ADJ_1 ip host 1 1 1 1 host 2 2 2 2 set security acl ip PBF_MAP_ACL_12 redirect PBF_MAP_ADJ_0 ip host 2 2 2 ...

Page 500: ...essful ACL PBF_MAP_ACL_11 successfully committed Console enable ACL PBF_MAP_ACL_11 successfully mapped to VLAN 11 Console enable ACL PBF_MAP_ACL_22 successfully committed Console enable ACL PBF_MAP_ACL_22 successfully mapped to VLAN 22 Console enable Operation successful Console enable Displaying the PBF_MAP_ACL Information To display the PBF_MAP_ACL information perform this task in normal mode Th...

Page 501: ...ty acl command a message is displayed indicating that the specific entry was already cleared The actual entries that were deleted are two ACEs redirect to adjacency ACEs and two entries in the adjacency table Console enable clear pbf map 1 1 1 1 0 0 0 0 0 1 11 2 2 2 2 0 0 0 0 0 2 22 ACL PBF_MAP_ACL_11 successfully committed Console enable ACL PBF_MAP_ACL_22 successfully committed Console enable En...

Page 502: ...ACLs attached the PBF ACLs overwrite the previous configuration The opposite is also true If you have created the PBF ACLs by entering the set pbf map command and the PBF ACLs are attached to the VLANs if you decide to map a new VACL to the same VLANs the new VACL overwrites the previous configuration Setting and Committing Security ACLs and Adjacency Information The new set pbf client command add...

Page 503: ...onfigure VLAN 102 ACL ggw1 successfully mapped to VLAN 102 Console enable The new and enhanced command set is equivalent to all of the following commands adj set set security acl adjacency c0001cl1 101 00 00 00 00 40 01 21 1 1 1 set security acl adjacency g0002gw1 102 00 a0 c9 81 e1 13 21 0 0 128 7 ccl1 set security acl ip ccl1 permit arp set security acl ip ccl1 permit arp inspection any any set ...

Page 504: ...single gateway or all gateways perform this task in normal mode This example shows how to clear a PBF gateway Console enable clear pbf gw gw1 g0002gw1 editbuffer modified Use commit command to apply changes Commit operation successfull Console enable To clear the PBF mapping perform this task in normal mode This example shows how to clear the PBF mapping Console enable clear pbf map cl1 gw1 ccl1 e...

Page 505: ...to display the PBF client configuration Console enable show pbf client Client cl1 Map gw1 VLAN 101 Adjacency ip mac c0001cl1 21 1 1 1 00 00 00 00 40 01 Console enable To display the PBF gateway configuration perform this task in normal mode This example shows how to display the PBF gateway configuration Console enable show pbf gw Client gw1 Map cl1 VLAN 102 Adjacency ip mask mac g0002gw1 21 0 0 12...

Page 506: ... The sc1 interface sends the ARP requests for the customer s MAC address and the customer s router or switch responds If and when the customer s device sends out an ARP response before sending an ICMP reply the sc1 interface responds with the MAC address Step 4 After testing is completed reconfigure the sc1 interface so that it is no longer a part of the customer s VLAN Step 5 Enter the set pbf ar...

Page 507: ...00 00 11 11 22 22 10 Commit operation successful Console enable The PBF client has been created Console enable Console enable show pbf client Name CLIENT TEST Map No map VLAN 10 Clients 1 Adjacency ip mac c0000CLIENT TEST 10 0 0 10 00 00 11 11 22 22 Console enable The set pbf client command macro has created the security ACL adjacency for the client but the macro command set pbf client CLIENT TEST...

Page 508: ...urity acl all pbf set set pbf mac 00 0d 65 36 1e eb adj set set security acl adjacency c0000CLIENT TEST 10 00 00 11 11 22 22 10 0 0 10 set security acl adjacency g0001GATEWAY TEST 1 11 11 22 22 33 33 10 0 0 100 23 commit security acl all SNIP Unrelated configuration information cut out Console enable Step 4 Build the PBF map between the client CLIENT TEST and the gateway GATEWAY TEST Console enabl...

Page 509: ...ists and security ACL map lists for the PBF client and PBF gateway but the macro command set pbf map CLIENT TEST GATEWAY TEST that created these security ACLs does not appear in the following configuration Console enable show run SNIP Unrelated configuration information cut out security ACLs clear security acl all pbf set set pbf mac 00 0d 65 36 1e eb adj set set security acl adjacency c0000CLIENT...

Page 510: ...figurations In the PBF map for the above configuration the clear commands are as follows clear pbf client CLIENT TEST 10 0 0 10 clear pbf gateway GATEWAY TEST 10 0 0 100 clear pbf map CLIENT TEST GATEWAY TEST Listing the set and clear commands for the PBF clients PBF gateways and PBF maps allows you to manage configure and use the PBF map feature Configuring PBF in Software Release 8 6 1 and Later...

Page 511: ... command to apply changes gGATEWAY TEST editbuffer modified Use commit command to apply changes cCLIENT TEST editbuffer modified Use commit command to apply changes gGATEWAY TEST editbuffer modified Use commit command to apply changes Console enable ACL commit in progress ACL commit in progress Console enable Console enable Mapping in progress Please configure VLAN 10 ACL cCLIENT TEST successfully...

Page 512: ...with an include keyword to the port Do not reconfigure the security ACL with the include keyword once it has been mapped to the port Make sure to clear the security ACL with the include keyword if you make any modifications Once authentication is successful a downloaded ACL is initiated with DHCP snooping ARP inspection or static DHCP bindings The set of ACEs that were downloaded get recommitted a...

Page 513: ... acl 5 35 port based Warning Vlan based ACL features will be disabled on ports 5 35 ACL interface is set to port based mode for port s 5 35 Step 3 Map the base ACL with the include keyword to that port Console enable set security acl map dacl1x 5 35 Mapping in progress ACL dacl1x successfully mapped to port s 5 35 Step 4 Enable dot1x globally and on that port Console enable set dot1x system auth c...

Page 514: ...e dot1x Auth state is in the ipawaiting state add IP to the host through DHCP or ARP or the addition of static DHCP snooping bindings A downloadable ACL will be downloaded and a child ACL will be created If an MSFC is the router to obtain DHCP snooping bindings map the DHCP snooping ACL to the authenticated host VLAN If an external router configuration is used map the DHCP snooping ACL to the host...

Page 515: ...t 44bb6f49 User Count 1 Num of Aces 5 Ip Address mNo pNo Feature 1 9 6 6 104 5 35 dot1x Displays the DACL information specific to the port Console enable show security acl downloaded acl port 5 35 Port IP Address Feature Downloaded ACL 5 35 9 6 6 104 dot1x ACSACL IP test 44bb6f49 Displays the ACEs that were downloaded from the RADIUS server Console enable show security acl downloaded acl ACSACL IP...

Page 516: ...rt IP Address 4 1 9 6 6 135 Console enable show security acl tcam interface 4 1 Input IP 0 redirect arp matches 0 1 redirect udp any any matches 0 2 redirect udp any 21862 host 9 6 6 3 53000 matches 0 3 redirect tcp any any 80 matches 0 4 permit ip host 9 6 6 135 any matches 10 5 deny ip any any matches 0 Console enable show security acl info dacl_4_1 set security acl ip dacl_4_1 arp permit 1 perm...

Page 517: ...r for an IP Phone To create a placeholder for an IP phone perform this task in enable mode This example shows how to create a placeholder for an IP phone Console enable set security acl ip test include ip phone Successfully configured placeholder download ACL test Use commit command to save changes Displaying Downloaded ACL Information To display downloaded ACL information perform this task in ena...

Page 518: ... perform this task in enable mode This example shows how to display mapping information about a downloaded ACL Console enable show security acl downloaded acl user map Downloaded ACL User Map ACL Name ACSACL IP test_acl2 44cf4bcd User Count 1 Num of Aces 7 Ip Address mNo pNo Feature 1 10 1 1 5 3 13 dot1x To display the host information on a port perform this task in enable mode This example shows ...

Page 519: ...a feature and port specific information Console enable show port dot1x 3 45 Port Auth State BEnd State Port Control Port Status 3 45 authenticated idle auto authorized Port Port Mode Re authentication Shutdown timeout Control Mode admin oper 3 45 SingleAuth disabled disabled Both Both Port Posture Token Critical Status Termination action Session timeout 3 45 no NoReAuth Port Session Timeout Overri...

Page 520: ...15 124 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 15 Configuring Access Control Downloadable ACLs ...

Page 521: ... and Integrated Layer 3 Switching Management page 16 1 Traffic Statistics Data Collection page 16 2 Using NDE Filters page 16 3 Using Bridged Flow Statistics page 16 3 NDE Versions page 16 3 Overview of NDE and Integrated Layer 3 Switching Management Catalyst 6500 series switches provide Layer 3 switching with Cisco Express Forwarding CEF for Supervisor Engine 2 Supervisor Engine 720 and Superviso...

Page 522: ...nning and accounting The flow collectors such as the Cisco SwitchProbe and NetFlow FlowCollector gather and classify the flows This flow information is then aggregated and fed to applications such as TrafficDirector NetSys or NetFlow Analyzer Traffic Statistics Data Collection An external data collector gathers the flow entries from the statistics cache of one or more switches or Cisco routers The...

Page 523: ...or Engine 32 You can set the bridged flow statistics reporting per VLAN The bridged flows are exported through NDE when you enable the bridged flow statistics Caution Use this feature carefully As the NetFlow entries increase in the NetFlow table the NDE performance may degrade See the NDE Configuration Guidelines section on page 16 7 for information on configuring the bridged flow statistics Note...

Page 524: ... 1 30 4 7 SysUptime Current time in milliseconds since router booted 8 11 unix_secs Current seconds since 0000 UTC 1970 12 15 unix_nsecs Residual nanoseconds since 0000 UTC 1970 16 19 flow_sequence Sequence counter of total flows seen 20 21 engine_type Type of flow switching engine VS_ENGINE_TYPE_CATALYST_SWITCH 21 23 engine_id 0 Table 16 2 NDE Version 5 Flow Record Format Bytes Content Descriptio...

Page 525: ... as reflexive ACLs are set up 2 This feature is not supported on Supervisor Engine 1 or 1A Table 16 3 NDE Version 7 Header Format Bytes Content Description 0 1 version NetFlow export format version number 2 3 count Number of flows exported in this packet 1 30 4 7 SysUptime Current time in milliseconds since router booted 8 11 unix_secs Current seconds since 0000 UTC 1970 12 15 unix_nsecs Residual ...

Page 526: ... for example 6 TCP 17 UDP 0 0 X X 39 tos IP type of service byte X X X X 40 41 src_as Autonomous system number of the source either origin or peer 0 0 0 0 42 43 dst_as Autonomous system number of the destination either origin or peer 0 0 0 0 44 src_mask Source address prefix mask bits 0 0 0 0 45 dst_mask Destination address prefix mask bits 0 0 0 0 46 47 pad2 Pad 2 uses two bytes 48 51 MLS RP IP a...

Page 527: ... the NDE IP Address page 16 16 Displaying the NDE Configuration page 16 16 NDE Configuration Guidelines This section describes the configuration guidelines if the NetFlow table has too many entries With software release 8 5 1 and later releases the multiple flow mask feature is supported on Supervisor Engine 720 This feature results in some changes to the NDE functionality For detailed information...

Page 528: ...lows from being added to the NetFlow table with the set mls nde flow exclude command Enable the bridged flow statistics on a VLAN to increase the number of flows in the NetFlow table with the bridged flows for VLANs appearing with the Layer 3 flows As the NetFlow entries increase in the NetFlow table the performance degrades On the Supervisor Engine 1 if there is no space in the hardware NetFlow t...

Page 529: ...e time that the two destinations were created The count of the packets sent to the individual collectors is maintained separately The other NetFlow parameters for both the destinations are the same NDE cannot be enabled unless a collector is set up You should set up both the primary and secondary destinations before enabling NDE The secondary destination IP address and port number cannot be identi...

Page 530: ...ble Configuring NetFlow on the MSFC Note If the MSFC is not present you can only collect and export bridged flow statistics if the bridged flow statistics feature is enabled You must enable NetFlow on the MSFC Layer 3 interfaces to support NDE for routed and Layer 3 switched traffic Refer to these publications for more information about configuring NetFlow on the MSFC http www cisco com en US docs...

Page 531: ... this task This example shows how to configure the NDE flow destination IP address and UDP port Router config ip flow export destination 172 20 52 37 200 Router config Enabling NDE To enable NDE perform this task in privileged mode Task Command Step 1 Select a VLAN interface to configure Router config interface vlan vlan_ID Step 2 Enable NetFlow Router config if ip route cache flow Task Command Co...

Page 532: ...statistics for the specified VLANs You can enter one or multiple VLANs Note You can enable NetFlow table entry creation on a per VLAN basis However because the bridged flow statistics and per VLAN entry creation use the same mechanism for collecting the statistics the VLAN entries may overlap See the Specifying NetFlow Table Entry Creation on a Per Interface Basis section on page 13 28 To enable o...

Page 533: ...shows how to specify a destination and source subnet filter so that only the expired flows to subnet 171 69 194 0 from subnet 171 69 173 0 are exported assuming that the flow mask is set to source destination ip Console enable set mls nde flow destination 171 69 194 140 24 source 171 69 173 5 24 Netflow Data Export successfully set Source filter is 171 69 173 0 24 Destination filter is 171 69 194 ...

Page 534: ...a Export successfully set Source filter is 171 69 194 140 255 255 255 255 Destination port filter is 23 Filter type include Console enable Specifying a Protocol Filter To specify a protocol filter perform this task in privileged mode This example shows how to specify a protocol filter so that only the expired flows from protocol 17 are exported Console enable set mls nde flow protocol 17 Netflow D...

Page 535: ... icmp or a decimal number for the other protocol families The port argument specifies the protocol port Use the all keyword to remove all the protocols for statistics collection To remove the protocols for statistics collection perform this task in privileged mode This example shows how to remove a protocol for statistics collection Console enable clear mls statistics protocol 17 1934 Protocol 17 ...

Page 536: ...s task in privileged mode This example shows how to disable NDE on the switch Console enable set mls nde disable Netflow data export disabled Console enable Removing the NDE IP Address To remove the NDE IP address from the MSFC perform this task in global configuration mode This example shows how to remove the NDE IP address from the MSFC Router config no mls nde address 170 170 2 1 Router config ...

Page 537: ...red for port 7775 on host 10 6 1 10 Source filter is 171 69 194 140 255 255 255 0 Destination port filter is 23 Total packets exported 26784 Console enable This example shows how to display the NDE configuration when the bridged flow statistics are enabled on the switch Console enable show mls nde Netflow Data Export version 7 Netflow Data Export enabled Netflow Data Export configured for port 777...

Page 538: ...16 18 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 16 Configuring NDE Configuring NDE on the Switch ...

Page 539: ...es page 17 2 Configuring GVRP on the Switch page 17 2 Note GVRP requires supervisor engine software release 5 2 or later releases With a Supervisor Engine 720 the minimum required software release is 8 3 1 With a Supervisor Engine 32 the minimum required software release is 8 4 1 Understanding How GVRP Works GVRP is a GARP application that provides IEEE 802 1Q compliant VLAN pruning and dynamic VL...

Page 540: ...abling GVRP Globally page 17 3 Enabling GVRP on Individual 802 1Q Trunk Ports page 17 3 Enabling GVRP Dynamic VLAN Creation page 17 4 Configuring GVRP Registration page 17 5 Configuring GVRP VLAN Declarations from Blocking Ports page 17 6 Setting the GARP Timers page 17 7 Displaying GVRP Statistics page 17 8 Clearing GVRP Statistics page 17 8 Disabling GVRP on Individual 802 1Q Trunk Ports page 17...

Page 541: ...ic VLAN creation is disabled GVRP Timers milliseconds Join 200 Leave 600 LeaveAll 10000 Port based GVRP Configuration Port GVRP Status Registration 2 1 2 3 1 8 7 1 24 8 1 24 Enabled Normal GVRP Participants running on 3 7 8 Console Enabling GVRP on Individual 802 1Q Trunk Ports Note You can change the per trunk GVRP configuration regardless of whether GVRP is enabled globally However GVRP does not...

Page 542: ... disable GVRP on a trunk port running GVRP If any port on the switch becomes an Inter Switch Link ISL trunk either by CLI configuration or negotiated using DTP while dynamic VLAN creation is enabled dynamic VLAN creation is disabled automatically until the conditions for enabling dynamic VLAN creation are restored Note The VLANs can only be created dynamically on 802 1Q trunks in the normal regist...

Page 543: ... trunk port Console enable set gvrp registration normal 1 1 Registrar Administrative Control set to normal on port 1 1 Console enable Configuring GVRP Fixed Registration Configuring an 802 1Q trunk port in fixed registration mode allows manual creation and registration of VLANs prevents VLAN deregistration and registers all the VLANs that are known on other ports on the trunk port To configure GVR...

Page 544: ...n the port The ports in the GVRP active applicant state send GVRP VLAN declarations when they are in the STP blocking state which prevents the STP bridge protocol data units BPDUs from being pruned from the other port Note Configuring fixed registration on the other device s port also prevents undesirable STP topology reconfiguration To configure an 802 1Q trunk port to send VLAN declarations when...

Page 545: ...00 ms and you attempt to configure the join timer to 350 ms an error is returned Set the leave timer to at least 1050 ms and then set the join timer to 350 ms Caution Set the same GARP timer values on all the Layer 2 connected devices If the GARP timers are set differently on the Layer 2 connected devices the GARP applications for example GMRP and GVRP do not operate successfully To set the GARP t...

Page 546: ...ed 0 Leave All Transmitted 41 VTP Message Received 0 Console enable Clearing GVRP Statistics To clear all the GVRP statistics on the switch perform this task in privileged mode This example shows how to clear all the GVRP statistics on the switch Console enable clear gvrp statistics all GVRP Statistics cleared for all ports Console enable Disabling GVRP on Individual 802 1Q Trunk Ports To disable ...

Page 547: ...VRP on 802 1Q trunk port 1 1 Console enable set gvrp disable 1 1 GVRP disabled on 1 1 Console enable Disabling GVRP Globally To disable GVRP globally on the switch perform this task in privileged mode This example shows how to disable GVRP globally on the switch Console enable set gvrp disable GVRP disabled Console enable Task Command Disable GVRP on the switch set gvrp disable ...

Page 548: ...17 10 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 17 Configuring GVRP Configuring GVRP on the Switch ...

Page 549: ...uration Guidelines page 18 2 Configuring MVRP on the Switch page 18 3 Note MVRP requires Catalyst 6500 series switch software release 8 7 1 or later Understanding How MVRP Works MVRP is an MRP application that provides IEEE 802 1ak compliant VLAN pruning and dynamic VLAN creation on trunk ports With MVRP the switch can exchange VLAN configuration information with other MVRP switches prune the unne...

Page 550: ...isor Engine 720 that runs software release 8 7 3 the switch supports the following within an optimal operational CPU utilization MVRP pruning for 4094 VLANs on 6 trunks channels MVRP pruning for 2500 VLANs on 11 trunks channels The default timer values are Join 20 Centi seconds Leave 150 Centi seconds and Leave All 6000 Centi seconds Caution Increase in number of VLANs and decreased timer values f...

Page 551: ...Counters page 18 11 Clearing MVRP Statistics page 18 12 Enabling MVRP Globally You must enable MVRP globally before any MVRP processing occurs on the switch Enabling MVRP globally enables MVRP to perform the VLAN pruning on the trunk links The pruning occurs only on the MVRP enabled trunks For information on setting the per trunk port MVRP enable state refer to the Enabling MVRP on Individual Trun...

Page 552: ...1000 3 14 200 600 1000 3 24 Console Enabling MVRP on Individual Trunk Ports Note You can change the per trunk MVRP configuration even if MVRP is enabled globally However MVRP does not function on any ports until you enable it globally For information on configuring MVRP globally on the switch see the Enabling MVRP Globally section on page 18 3 You can enable MVRP on any of the individual trunk por...

Page 553: ... switch Console enable set mvrp dynamic vlan creation enable MVRP Dynamic VLAN creation is enabled Console enable Configuring MVRP Registration These sections describe how to configure MVRP registration modes on switch ports Configuring MVRP Normal Registration page 18 5 Configuring MVRP Fixed Registration page 18 6 Configuring MVRP Forbidden Registration page 18 6 Configuring MVRP Normal Registra...

Page 554: ... 802 1ak trunk port Console enable set port mvrp 3 1 registration fixed Registrar Administrative Control set to fixed on port s 3 1 Console enable Configuring MVRP Forbidden Registration Configuring an 802 1ak trunk port in forbidden registration mode deregisters all the VLANs except VLAN 1 on the trunk port To configure MVRP forbidden registration on an 802 1ak trunk port perform this task in pri...

Page 555: ... port s 4 2 3 4 9 10 4 12 24 Console enable Use the normal keyword to return to the default state active mode disabled Configuring the MVRP Timers An MVRP enabled port uses the timers listed in Table 18 2 to transmit receive and respond to requests The leave time should be at least twice the join time to allow reregistration after a leave or leaveall message even if a message is lost To minimize t...

Page 556: ...ified but can either be enabled or disabled The defaut is disabled To enable the MVRP periodic timer perform this task in privileged mode This example shows how to enable the MVRP periodic timer on a range of ports Console enable set port mvrp 4 2 3 4 9 10 4 12 24 periodictimer enable MVRP periodic timer is enabled on port s 4 2 3 4 9 10 4 12 24 console Displaying MVRP Configuration Summary To dis...

Page 557: ...e enable Displaying MVRP Statistics To display the MVRP statistics on the switch perform this task This example shows how to display the MVRP statistics for port 3 1 Console enable show mvrp statistics 3 1 Valid packets Received 186 Invalid Packets Received 0 New Received 0 Join In Received 1167 In Received 0 Join Empty Received 22387 Empty Received 31 Leave Received 210 Leave All Received 63 Pack...

Page 558: ...Normal MT Normal_registration 3 14 1007 Vo Very_anxious Normal MT Normal_registration 3 14 1008 Vo Very_anxious Normal MT Normal_registration 3 14 1009 Vo Very_anxious Normal MT Normal_registration 3 14 1010 Vo Very_anxious Normal MT Normal_registration 3 14 1011 Vo Very_anxious Normal MT Normal_registration 3 14 1012 Vo Very_anxious Normal MT Normal_registration 3 14 1016 Vo Very_anxious Normal M...

Page 559: ... MVRP configuration on the switch perform this task in privileged mode This example shows how to clear all MVRP configuration on the switch Console enable clear mvrp configuration all Warning MVRP configuration will be cleared Do you want to continue y n y y MVRP configuration is cleared for all ports on the switch Console enable Clearing MVRP Counters To clear all MVRP counters on the switch perf...

Page 560: ...ontinue y n y y MVRP counters cleared for all ports on the swtich Console enable Clearing MVRP Statistics To clear all the MVRP statistics on the switch perform this task in privileged mode This example shows how to clear all MVRP statistics on the switch Console enable clear mvrp statistics all Warning MVRP statistics will be cleared Do you want to continue y n y y MVRP Statistics for all ports a...

Page 561: ...LAN Membership page 19 9 Dynamic Port VLAN Membership with VMPS Configuration Examples page 19 10 Dynamic Port VLAN Membership with Auxiliary VLANs page 19 14 Understanding How VMPS Works With VMPS you can assign the switch ports to the VLANs dynamically based on the source Media Access Control MAC address of the device that is connected to the port When you move a host from a port on one switch i...

Page 562: ...se VMPS sends an access denied or port shutdown response A dynamic port can belong to only one native VLAN in software releases prior to release 6 2 1 with software release 6 2 1 a port can belong to a native VLAN and an auxiliary VLAN See the Dynamic Port VLAN Membership with Auxiliary VLANs section on page 19 14 for complete details When the link comes up a dynamic port is isolated from its stat...

Page 563: ...ort after a certain period The static secure ports cannot become dynamic ports You must turn off security on the static secure port before it can become dynamic The static ports that are trunking cannot become dynamic ports You must turn off trunking on the trunk port before changing it from static to dynamic Note The VLAN Trunking Protocol VTP management domain and the management VLAN of the VMPS...

Page 564: ...ected host is not defined in the database Define the MAC address to VLAN name mappings Enter the MAC address of each host and the VLAN to which each should belong Use the NONE keyword as the VLAN name to deny the specified host network connectivity A port is identified by the IP address of the switch and the module port number of the port in the form mod port Define port groups A port group is a l...

Page 565: ...ant to continue y n n y Vlan Membership Policy Server disabled Console enable Configuring Dynamic Ports on VMPS Clients To configure dynamic ports on VMPS client switches perform this task in privileged mode Task Command Step 1 Specify the download method set vmps downloadmethod rcp tftp username Step 2 Configure the IP address of the TFTP or rcp server on which the ASCII text VMPS database config...

Page 566: ...amic Console show port Port Name Status Vlan Level Duplex Speed Type 1 1 connect dyn 3 normal full 100 100 BASE TX 1 2 connect trunk normal half 100 100 BASE TX 2 1 connect trunk normal full 155 OC3 MMF ATM 3 1 connect dyn 5 normal half 10 10 BASE T 3 2 connect dyn 5 normal half 10 10 BASE T 3 3 connect dyn 5 normal half 10 10 BASE T Console enable Note The show port command displays dyn under the...

Page 567: ...atabase configuration file or retry after a failed download attempt perform this task in privileged mode Configuring Static VLAN Port Membership To return a port to static VLAN port membership perform this task in privileged mode Task Command Clear the VMPS statistics clear vmps statistics Task Command Clear a VMPS server entry clear vmps server ip_addr Task Command Step 1 Reconfirm the dynamic po...

Page 568: ...e perform this task in privileged mode This example shows how to manually back up the VMPS configuration file Console enable set vmps config file disk0 Vlan Membership Policy Server back up file name is set to disk0 vmps backup conf ig database 1 Console enable This example shows how to configure the system to automatically back up the VMPS configuration file Console enable set vmps config file au...

Page 569: ...the file and builds a database When the parsing is complete VMPS outputs statistics about the total number of lines that are parsed and the number of parsing errors To obtain more information on the VMPS parsing errors set the syslog level for VMPS to 3 using the set logging level vmps 3 command Table 19 2 VMPS Error Messages VMPS Error Message Recommended Action TFTP server IP address is not conf...

Page 570: ...ship Configuration Example page 19 12 VMPS Database Configuration File Example This example shows a sample VMPS database configuration file A VMPS database configuration file is an ASCII text file that is stored on a TFTP server accessible to the switch configured as the VMPS server A summary of the configuration example follows The security mode is open The default is used for the fallback VLAN M...

Page 571: ... name device device id port port name all ports vmps port group WiringCloset1 device 198 92 30 32 port 3 2 device 172 20 26 141 port 2 8 vmps port group Executive Row device 198 4 254 222 port 1 2 device 198 4 254 222 port 1 3 device 198 4 254 223 all ports VLAN groups vmps vlan group group name vlan name vlan name vmps vlan group Engineering vlan name hardware vlan name software VLAN port Policie...

Page 572: ...enable set vmps tftpserver 172 20 22 7 Bldg G db b Enable VMPS Console enable set vmps state enable After entering these commands the file Bldg G db is downloaded to Switch 1 Switch 1 becomes the VMPS server Step 2 Configure the VMPS server addresses on each VMPS client a Configure the primary VMPS server IP address Console enable set vmps server 172 20 26 150 primary b Configure the secondary VMP...

Page 573: ...Primary VMPS Server 1 Secondary VMPS Server 2 Secondary VMPS Server 3 Catalyst 6500 series switches Catalyst 6000 172 20 26 150 172 20 26 151 Catalyst 6500 series switches 172 20 26 152 Ethernet segment 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 172 20 26 157 172 20 26 158 172 20 26 159 Client Client End station 2 End station 1 TFTP server 3 1 Switch 10 Switch 9 Switch 8 Switch 7 Swit...

Page 574: ...auxiliary VLAN Data traffic to and from the PC that is connected to the switch through the access port of the IP phone native VLAN These sections include configuration guidelines and examples Dynamic Port VLAN Membership with Auxiliary VLANs Guidelines page 19 14 Configuring Dynamic Port VLAN Membership with Auxiliary VLANs page 19 15 Note For detailed information on the auxiliary VLANs and Cisco ...

Page 575: ... This example shows how to add voice ports to the auxiliary VLANs and specify an encapsulation type Console enable set port auxiliaryvlan 5 9 222 Auxiliaryvlan 222 configuration successful AuxiliaryVlan AuxVlanStatus Mod Ports 222 active 5 9 Console enable Console enable set port auxiliaryvlan 5 9 dot1p Port 5 9 allows the connected device send and receive packets with 802 1p priority Console enab...

Page 576: ...19 16 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 19 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership with Auxiliary VLANs ...

Page 577: ...ort Capabilities page 20 6 Configuring the MAC Utilization Load Interval page 20 6 Checking the 10 Gigabit Ethernet Link Status page 20 10 Checking the Cable Status Using TDR page 20 11 Using Telnet page 20 12 Using Secure Shell Encryption for Telnet Sessions page 20 12 Monitoring User Sessions page 20 14 Using Ping page 20 15 Using Layer 2 Traceroute page 20 17 Using IP Traceroute page 20 18 Usin...

Page 578: ...0BaseTX Telco WS X6248 TEL ok 5 5 48 10 100BaseTX RJ 45 WS X6248 RJ 45 ok Mod Module Name Serial Num 1 SAD03040546 2 SAD03110020 3 SAD03070194 4 SAD03140787 5 SAD03181291 Mod MAC Address es Hw Fw Sw 1 00 50 f0 a8 26 b2 to 00 50 f0 a8 26 b3 1 4 5 1 1 5 2 1 CSX 00 50 f0 a8 26 b0 to 00 50 f0 a8 26 b1 00 50 3e 8d 64 00 to 00 50 3e 8d 67 ff 2 00 50 54 6c e9 a8 to 00 50 54 6c e9 bf 1 3 4 2 0 24 V 5 2 1 ...

Page 579: ...s perform this task in normal mode This example shows how to see information on the ports on a specific module only Console enable show port 1 Port Name Status Vlan Duplex Speed Type 1 1 connected 1 full 1000 1000BaseSX 1 2 notconnect 1 full 1000 1000BaseSX Port Security Secure Src Addr Last Src Addr Shutdown Trap IfIndex 1 1 disabled No disabled 3 1 2 disabled No disabled 4 Port Broadcast Limit B...

Page 580: ...Neighbor Mode Group Id Device Port 1 1 connected auto 65 0 Port Align Err FCS Err Xmit Err Rcv Err UnderSize 1 1 0 0 0 0 0 Port Single Col Multi Coll Late Coll Excess Col Carri Sen Runts Giants 1 1 0 0 0 0 0 0 0 Last Time Cleared Tue Jun 8 1999 10 01 35 Console enable Displaying the Port MAC Address In addition to displaying the MAC address range for a module using the show module command you can ...

Page 581: ...e MAC entries in the CAM table Console enable show cam duplicate Static Entry Permanent Entry System Entry R Router Entry X Port Security Entry Dot1x Security Entry M Mac Auth Bypass Entry Duplicate MAC entry Destination Ports or VLAN Dest MAC Route Des CoS Age VCs Protocol Type 42 00 d0 02 83 eb 89 3 3 142 00 d0 02 83 eb 89 5 3 42 d8 d9 02 83 ef ff 2 3 3 d8 d9 02 83 ef ff 3 4 Total Matching CAM E...

Page 582: ...tor Speed 1000 Duplex full Trunk encap type 802 1Q ISL Trunk mode on off desirable auto nonegotiate Channel yes Broadcast suppression percentage 0 100 Flow control receive off on desired send off on desired Security yes Membership static dynamic Fast start yes QOS scheduling rx 1p1q4t tx 1p2q2t CoS rewrite yes ToS rewrite DSCP UDLD yes Inline power no AuxiliaryVlan no SPAN source destination COPS ...

Page 583: ...set the MAC utilization load interval to 30 seconds Console enable set mac utilization load interval 30 Load interval set to 30 seconds Displaying MAC Utilization Statistics To display MAC utilization statistics perform this task in enabled mode This example shows how to display the MAC utilization statistics globally Console enable show mac utilization 30 seconds input output port rates Port Xmit...

Page 584: ...0 0 3 29 0 73 584 3 43 0 73 584 3 44 0 73 584 3 45 0 14 112 3 46 0 9 72 3 47 0 12 96 3 48 0 12 96 4 1 0 0 0 4 2 0 18 144 4 3 0 18 144 4 25 0 18 144 4 26 0 18 144 4 27 0 18 144 4 28 0 18 144 4 29 0 18 144 8 1 0 0 0 8 2 0 0 0 12 1 614201 921296589 7370372712 12 2 614198 921301441 7370411528 12 3 0 12 96 12 4 0 0 0 13 1 82362 123544992 988359936 13 21 33960 50941535 407532280 13 22 33960 50940833 407...

Page 585: ... for a port Console enable show mac utilization 12 1 30 seconds input output port rates Port Xmit Packet Rate Xmit Octet Rate Xmit Bit Rate 12 1 405825 607683712 4861469696 Port Rcv Packet Rate Rcv Octet Rate Rcv Bit Rate 12 1 408276 612401845 4899214760 Console enable Clearing MAC Utilization Counters To clear the MAC utilization counters perform this task in enabled mode This example shows how t...

Page 586: ...nnection a value of 255 signifies that the port is faulty not connected or that there is no communication through the link If the counter does not remain at 0 for a predetermined length of time the link is faulty For example for a baud error rate BER of 10 12 the counter should remain at 0 for 100 seconds Each time that you access the PRBS counter by entering the show port prbs command the PRBS er...

Page 587: ...to a maximum length of 115 meters Use TDR to determine if the cabling is at fault if you cannot establish a link This test is especially important when replacing an existing switch upgrading to Gigabit Ethernet or installing new cable plants To start or stop the TDR test perform this task in privileged mode This example shows how to start the TDR test on port 1 on module 2 Console enable test cabl...

Page 588: ... commands you must be running an encryption image See Chapter 27 Working with System Software Images for the software image naming conventions that are used for the encryption images Note The Secure Shell encryption feature includes cryptographic software written by Eric Young eay cryptsoft com Secure Shell encryption provides security for Telnet sessions and other remote connections to the switch...

Page 589: ...ryption on the switch perform this task in privileged mode This example shows how to create the RSA host key Console enable set crypto key rsa 1024 Generating RSA keys OK Console enable set ssh mode v2 SSH protocol mode set to SSHv2 Only Console enable show ssh Session Protocol Cipher State PID Userid Host 0 V2 3DES SESSION_OPEN 146 dkoya 171 69 66 45 1 V1 3DES SESSION_OPEN 147 dove cisco com SSH ...

Page 590: ...telnet sam pc bigcorp com telnet jake mac bigcorp com Console enable This example shows the output of the show users command when TACACS authentication is enabled for console and Telnet sessions Console enable show users Session User Location console sam telnet jake jake mac bigcorp com telnet tim tim nt bigcorp com telnet suzy suzy pc bigcorp com Console enable This example shows how to display i...

Page 591: ...scribe how to use IP ping Understanding How Ping Works page 20 15 Executing Ping page 20 16 Understanding How Ping Works You can use IP ping to test connectivity to remote hosts If you attempt to ping a host in a different IP subnetwork you must define a static route to the network or configure a router to route between those subnets The ping command is configurable from normal EXEC mode and privi...

Page 592: ... tasks in normal or privileged mode This example shows how to ping a remote host from normal EXEC mode Console ping labsparc labsparc is alive Console ping 72 16 10 3 12 16 10 3 is alive Console This example shows how to ping a remote host using the ping s option Console ping s 12 20 5 3 800 10 PING 12 20 2 3 800 data bytes 808 bytes from 12 20 2 3 icmp_seq 0 time 2 ms 808 bytes from 12 20 2 3 icm...

Page 593: ...raceroute Usage Guidelines This section describes the guidelines for using the Layer 2 Traceroute utility The Layer 2 Traceroute utility works for unicast traffic only You must enable Cisco Discovery Protocol CDP on all of the Catalyst 5000 and 6500 series switches in the network See Chapter 31 Configuring CDP for information about enabling CDP If any devices in the path are transparent to CDP l2t...

Page 594: ...tput displays all network layer Layer 3 devices such as the routers that the traffic passes through on the way to the destination These sections describe how to use IP Traceroute Understanding How IP Traceroute Works page 20 18 Executing IP Traceroute page 20 19 Understanding How IP Traceroute Works The traceroute command uses the Time To Live TTL field in the IP header to cause the routers and th...

Page 595: ...1 1 100 10 1 1 100 2 ms 2 ms 2 ms Console enable This example shows how to perform a traceroute with six queries to each hop with packets of 1400 bytes each Console enable traceroute q 6 10 1 1 100 1400 traceroute to 10 1 1 100 10 1 1 100 30 hops max 1440 byte packets 1 10 1 1 1 10 1 1 1 2 ms 2 ms 2 ms 1 ms 2 ms 2 ms 2 10 1 1 100 10 1 1 100 2 ms 4 ms 3 ms 3 ms 3 ms 3 ms Console enable Using System...

Page 596: ...21 NVRAM Logs page 20 22 Inband Errors page 20 22 UDP Errors page 20 22 Backplane Traffic You can configure backplane threshold detection by using a high threshold as a percentage When backplane traffic goes over the specified threshold compared with the previous traffic poll a syslog message is generated However if you specify a 100 percent threshold the default no syslog message is generated For...

Page 597: ...ove a high watermark of 90 percent the throttle interval is 1 hour A sample syslog message is as follows 1999 Sep 9 00 00 00 PDT 07 00 SYS 3 SYS_MEMLOW Memory cluster usage exceeded 90 1999 Sep 9 00 00 00 PDT 07 00 SYS 3 SYS_MEMLOW Mbuf usage exceeded 90 1999 Sep 9 00 00 00 PDT 07 00 SYS 3 SYS_MEMLOW Malloc usage exceeded 90 Detected Memory Corruption By default memory corruption that is detected ...

Page 598: ...og messages are enabled This example shows how to enable inband error detection Console enable set errordetection inband Usage set errordetection inband enable disable Conosle enable set errordetection inband enable Inband errordetection enabled When the resource errors on the receive side reach a multiple of 500 this syslog error is generated 2000 Jun 24 06 37 25 PDT 07 00 SYS 3 INBAND_NORESOURCE...

Page 599: ...Jan 11 09 03 03 PDT 07 00 SYS 3 PORT_ERR Port 3 4 swBusResultEvent 223 1999 Jan 11 09 03 03 PDT 07 00 SYS 4 PORT_WARN Port 3 4 dmaTxFull 7 dmaRetry 33 dmaLevel2Request 21 Executing Spanning Tree Warnings on Port Counters These sections describe how to execute the spanning tree warnings on the port counters Blocking to Listening Transitions page 20 23 BPDU Skewing page 20 23 SNMP page 20 24 Blockin...

Page 600: ...keywords the supervisor engine ports that experience the packet buffer errors are put in the errdisable state If you enter the supervisor shutdown keywords the supervisor engine ports that experience the packet buffer errors are shut down Caution Do not power cycle the module when the ROMMON image is downloading Doing so might damage the module The rapid boot feature is available on the following ...

Page 601: ...able state if it is a single port The default action setting is port failover set errordetection link errors interval timer value The interval timer value specified determines how often the port s error counters are read The default timer value specified is 30 seconds and the allowed range is from 30 to 1800 seconds Note If the EtherChannel link error handling feature is not enabled you can still ...

Page 602: ...or detection configuration Configuring IEEE 802 3ah Ethernet OAM The Ethernet Operations Administrations and Maintenance OAM feature follows the specifications provided in the IEEE 802 3ah document The major Ethernet OAM features covered by this protocol are link monitoring remote failure indication and a remote loopback test Note We do not support remote failure indication This section describes ...

Page 603: ...ly supported on physical external Ethernet ports The port that is running OAM must be in full duplex mode Remote failure indication is not supported To support OAM remote loopback mode the port needs to specifically be configured as follows The trunk mode must be set to off The channel mode must be set to off The port cannot be a private VLAN port MIB variable requests and responses are not suppor...

Page 604: ...ied port Console enable set port ethernet oam 3 1 enable Successfully enabled OAM on port s 3 1 Console enable Specifying the Ethernet OAM Port Mode You can use the commands in this section to specify the OAM port mode on the specified ports Table 20 2 lists the OAM port functions that are allowed in the active and passive modes By default the OAM mode is active on all ports Task Command Enable or...

Page 605: ...le enable set port ethernet oam 3 1 remote loopback deny Successfully updated OAM remote loopback capability to deny on port s 3 1 Console enable Enabling or Disabling the Ethernet OAM Remote Loopback Test You can use the commands in this section to enable or disable the OAM remote loopback test on the specified ports The ports that you specify to run this test must be connected to a peer OAM devi...

Page 606: ...oopback test is run and the test result summary is displayed after the test finishes By default 10 000 64 byte packets are sent The number of packets allowed is 1 to 99999999 packets The allowable packet size is from 64 to 1518 bytes Note The commands in this section are not saved in your configuration file or NVRAM To specify the number of packets and the packet size for the OAM remote loopback t...

Page 607: ...isecond increments 1 to 6553 5 seconds frame period The default is 10 million frames The range is from 200 to 2 000 000 000 frames To specify the OAM link monitoring window size for corresponding link events on the specified ports perform this task in privileged mode This example shows how to specify a link monitoring symbol period window size of 10000 Console enable set port ethernet oam 3 1 link...

Page 608: ...OAM frame low threshold on port s 3 1 Console enable Specifying the High Threshold Error Count and the Associated Action for Ethernet OAM Link Monitoring You can use the commands in this section to specify the OAM link monitoring high threshold error count and the associated action on the specified ports The default high threshold error count is 65535 errors The default action is warning To specif...

Page 609: ...port s 3 1 Console enable This example shows how to set the critical link event action to error block for a port Console enable set port ethernet oam 3 2 critical event action error block Successfully updated OAM critical event action on port s 3 2 Clearing Ethernet OAM Statistics and the Ethernet OAM Configuration To clear OAM statistics and OAM related configurations on all ports or individual p...

Page 610: ...reshold on port s 3 1 Console enable Console enable clear port ethernet oam 3 1 link monitor frame period window Successfully cleared OAM frame period window on port s 3 1 Console enable Clearing User Configured Actions for OAM Critical Link Events To clear the user configured actions for OAM critical link events on the specified ports perform this task in privileged mode These examples show how t...

Page 611: ... enable disable 4 6 Deny enable disable disable Port ErrSymbol Period ErrSymbol Period ErrSymbol Period Window LowThreshold HighThreshold millions Count Action Count Action 1 1 625 1 None 10 Warning 3 5 65535 1 Warning 1000 ErrDisable 4 6 1 1 None 1 ErrDisable Port Errored Frame Errored Frame Errored Frame Window LowThreshold HighThreshold 100 msec Count Action Count Action 1 1 300 1 None 10 Warni...

Page 612: ...opback Test Information You can use the commands in this section to display information about the OAM remote loopback test for the specified ports The current session keyword displays the statistics of the current OAM remote loopback session Specifying the detail keyword with the current session keyword displays MAC statistics The last session keyword displays the statistics of the last OAM remote...

Page 613: ...est statistics OAM Rx 10000 OAM Tx 10000 MAC Rx 13415 MAC Tx 13403 OAMPDU Rx 3415 OAMPDU Tx 3403 MAC Rx Drop 0 Console enable This example shows how to display information about the OAM remote loopback test for the last session Console enable show port ethernet oam 1 2 remote loopback last session Port Last Loopback at OAM Rx OAM Tx 1 2 Remote 33333 55555 Console enable show port ethernet oam 1 2 ...

Page 614: ...hernet Connectivity Fault Management This section describes how to configure Metro Ethernet Connectivity Fault Management CFM CFM is part of the Metro Ethernet OAM feature These sections describe how to configure Metro Ethernet CFM Understanding How Metro Ethernet Connectivity Fault Management Works page 20 39 Connectivity Fault Management Protocols page 20 39 Maintenance Domains page 20 39 Mainte...

Page 615: ...d periodically by the maintenance endpoints They allow maintenance endpoints to detect a loss of service connectivity among themselves They also allow maintenance endpoints to discover other maintenance endpoints within a domain and allow maintenance intermediate points to discover maintenance endpoints Link Trace These messages are transmitted by a maintenance endpoint by the request of the admin...

Page 616: ...ains and the customer has its own end to end domain which is a superset of the service provider s domain In this scenario the involved administering organizations communicate between the maintenance levels of the various nesting domains For example the service provider would assign the maintenance levels to the operators Maintenance Associations A maintenance association identifies a service that ...

Page 617: ...ther maintenance endpoints or maintenance intermediate points at the service provider level Maintenance intermediate points at the Operator A level translate into transparent points at the service provider level Also the demarcation of maintenance points as maintenance endpoints or maintenance intermediate points within a domain is left to the discretion of the administrator because these points i...

Page 618: ...AN within a particular domain To avoid a misconfiguration error use a unique MPID when configuring an MEP and when the customer shifts the local MEP from one port to another port for the MEP that is down or from one bridge brain switch to another bridge brain switch for an MEP that is up When configuring a maintenance association across two domains a shared VLAN is allowed only if a maintenance as...

Page 619: ...erval the switch supports the following The CCM traffic up to 1000 services or VLANs 1000 customer level MIPs and 1000 higher level flood traffic traffic coming at the level higher than the maximum Maintenance level configured on the switch 200 Provider Level Up MEPs Caution An increase in the number of ports to the EtherChannel or increase in the number of MIPs on a bundled port will increase the...

Page 620: ...t CFM page 20 44 Configuring Metro Ethernet CFM Domains page 20 45 Configuring a Metro Ethernet CFM Maintenance Association page 20 45 Configuring CFM on a Port as a Maintenance Point page 20 46 Configuring Continuity Check Protocol Parameters page 20 46 Configuring Ethernet CFM traceroute Protocol Parameters page 20 47 Configuring a System CAM Entry page 20 47 Displaying Metro Ethernet CFM Domain...

Page 621: ...enable Configuring a Metro Ethernet CFM Maintenance Association To configure a maintenance association within the maintenance domain perform this task in privileged mode This example shows how to configure a maintenance association in a domain with a VLAN ID Console enable set ethernet cfm maintenance association ma name fmt text customerXMA domain customerXYDomain vlan 1 direction up Maintenance ...

Page 622: ...nance End Points MEPs perform this task in privileged mode This example shows how to configure continuity check message attributes for level 5 VLAN ID 11 at an interval of 1 minute and a loss threshold of three messages Console enable set ethernet cfm continuity check level 5 vlan 11 interval 2 loss threshold 3 CC Attributes set for level s 5 Console enable This example shows how to enable the con...

Page 623: ... traceroute database to 300 Console enable set ethernet cfm traceroute database size 300 Ethernet TRDB size is set to 300 Console enable Configuring a System CAM Entry To configure a system CAM entry for a specified module port number and a specific VLAN or VLANs perform this task in priviledged mode This example shows how to configure a system CAM entry for module 6 port 2 and VLAN 10 Console ena...

Page 624: ...ole enable This example shows how to display information on only the sjlabf1 domain Console enable show ethernet cfm domain customerXYZ detail indicates vlan does not exist indicates vlan is suspended Domain ID 2 Domain Name customerXYZ Level 4 Total Services 1 Services Vlan Direction CC Enable shortMAName 100 Up Y CUST MA 10 Console enable Displaying CFM Maintenance Association Information To dis...

Page 625: ...on To display all the local or remote maintenance points perform this task in privileged mode This example shows how to display local MEPs MIPs configured on the switch Console enable show ethernet cfm maintenance point local indicates vlan does not exist indicates vlan is suspended indicates vlan is not allowed on this port LOCAL MEPS Port MPID Dir Level Domain CC Vlan MA name Name stat 3 20 200 ...

Page 626: ...mitted at 1 sec Interval is 8 Console enable Displaying Metro Ethernet CFM Statistics To display the CFM packet statistics such as the Continuity Check Messages CCMs sent CCMs received with out of order transaction IDs Loopback Replies LBRs or Linktrace Replies LTRs perform this task in privileged mode This example shows how to display the CFM statistics SW8 enable SW8 enable SW8 enable show ether...

Page 627: ...r vlan2560 dom6 6 2560 561 00 11 bc 99 af fb Lifetime Expiry vlan2560 dom6 6 2304 8190 00 0b 45 a8 c4 3b AIS Error vlan2304 dom6 6 2304 305 00 11 bc 99 af fb Lifetime Expiry vlan2304 dom6 6 2048 8190 00 0b 45 a8 c4 3b AIS Error vlan2048 dom6 6 2048 49 00 11 bc 99 af fb Lifetime Expiry vlan2048 dom6 6 3328 1329 00 11 bc 99 af fb Lifetime Expiry vlan3328 dom6 6 3072 1073 00 11 bc 99 af fb Lifetime E...

Page 628: ...a VLAN Console enable clear ethernet cfm continuity check level 3 vlan 1 cc attributes are cleared for level s 3 Console enable This example shows how to clear an Ethernet CFM domain Console enable clear ethernet cfm domain test level 1 Domain test is cleared from level 1 Console enable Clearing a Metro Ethernet CFM Maintenance Association To clear the maintenance association configured within the...

Page 629: ...n for module 2 port 1 Console enable clear port ethernet cfm 2 1 mip MIP config on Port 6 1 is cleared Console enable Clearing the MAC Configuration for Maintenance End Points To clear the port MAC configuration for Maintenance End Points MEPs that are down in a particular module and port number of a VLAN perform one of these tasks in priviledged mode This example shows how to clear the port MAC c...

Page 630: ...fm traceroute database size Ethernet TRDB Size cleared and set to default Console enable Configuring the Alarm Indication Signal This section describes how to configure the Alarm Indication Signal AIS and the Remote Defect Indication RDI which are fault management functions of the Connectivity Fault Management CFM protocol The CFM module works with 802 3ah Link OAM to support these new extensions ...

Page 631: ...ected originates from a lower level 3 Enables the customer to monitor service availability The main functions of the AIS module is as follows To generate the AIS protocol data units PDUs upon a signal fault condition that has occurred due to an AIS defect condition To receive to process AIS PDUs and to maintain an expiry timer To inform the continuity check module about the remote MEP connectivity...

Page 632: ...ect condition has occurred A MEP uses an ETH RDI only when an Ethernet Continuity Check transmission is enabled A MEP that is in a defect condition transmits frames with the ETH RDI information When a MEP receives frames with ETH RDI information it determines that its peer MEP has encountered a defect condition However in a multipoint Ethernet connection when a MEP receives frames with ETH RDI inf...

Page 633: ...mote MEP You must explicitly disable alarm suppression for the lifetime expiry trap to be generated For EtherChannel and Server MEP configurations the AIS is suppressed until the last port of the EtherChannel goes down The AIS will be generated only when the last port of the EtherChannel leaves the aggregation port When one of the channel port becomes operational the AIS condition is cleared Confi...

Page 634: ...nuity check level 0 vlan 1000 ais alarm suppress enable CC Attributes set for level s 0 Console enable This example shows how to configure the AIS level for the MEPs Console enable set ethernet cfm continuity check level 5 vlan 5 ais level 6 CC Attributes set for vlan s 5 on level 5 Console enable Configuring the Metro Ethernet CFM Alarm Indication Signal Transmission Level To configure the CFM AI...

Page 635: ...s tx count 10 AIS PDU transmission count set to 10 on the switch Console enable Configuring a CFM AIS on an Individual Port To enable or disable AIS on a port and to configure an AIS parameter of the port perform this task in privileged mode This example shows how to enable a CFM AIS on a port Console enable set port ethernet cfm 2 2 ais enable Server MEP AIS generation is enabled on the port 2 2 ...

Page 636: ...evice of the operating state of an EVC when an EVC is added or deleted to the interfaces ELMI also communicates the attributes of an EVC and a user network interface UNI to a CE device Ethernet Local Management Protocols The ELMI protocols are as follows Ethernet Virtual Connections EVC An EVC can be a port level point to point or multipoint to multipoint Layer 2 circuit The CE device can use the ...

Page 637: ...and UNI type are defined on the PE port that connects to the CE device The ELMI protocol runs on the UNI interface ELMI does the following Notifies the CE when an EVC is added Notifies the CE when an EVC is deleted Notifies the CE of the availability of a configured EVC Active Not Active or Partially Active Communicates UNI and EVC attributes to the CE Configuring ELMI Figure 20 4 shows an example...

Page 638: ...y In the figure the configuration steps are required so that the PE switch for the ELMI protocol can be enabled and the ELMI frames can be exchanged between the PE1 switch and CE1 ISR3845 Note You must enable ELMI on the switch globally Enable ELMI on the PE1 port 4 4 that connects to the CE device Multipoint EVCs EVC 250 and EVC 10 that have a Uni count of 3 for UNI A UNI B and UNI C are configur...

Page 639: ...ase 8 x publication Enabling or Disabling ELMI To enable or disable the ELMI globally on a switch perform this task in privileged mode This example shows how to enable ELMI globally on a switch Console enable set ethernet lmi enable Ethernet LMI is enabled Console enable Enabling or Disabling an EVC To create an Ethernet Virtual Connection EVC in global configuration mode and configure various par...

Page 640: ...lue and polling timer to transmit the status query Note t391 is part of the CE configuration the Catalyst operating system supports only PE mode Note The polling timer range is from 5 to 30 seconds set port ethernet lmi mod port t391 value default disable Specify the polling verification timer to verify the status query that is sent by the CE device and to which the PE responds with status message...

Page 641: ... on an Individual Port To configure the UNI TYPE for a particular port perform this task in privileged mode This example shows how to to set the UNI TYPE as all to one for module 5 and port 1 Console enable set port ethernet uni 5 1 type all to one Uni type on port 5 1 successfully set to all to one This example shows how to to set the UNI TYPE as multiplex for module 5 and port 1 Console enable s...

Page 642: ...y Active I Inactive ELMI Link Down Console enable show ethernet evc detail EVC Id EVC1 EVC Type P P EVC Status Active EVC Uni Count 2 Number of Remote UNIs up 1 Number of Local UNIs up 1 CFM Service Maintenance Domain ELMI CFM Service Maintenance Name CFM1 EVC CE Vlan Mapping 10 Ports associated to this EVC 7 1 Remote UNI Details UNI Id UNI Status Port SANFRANCISCO Up 4 47 EVC Id EVC2 EVC Type P P...

Page 643: ...f these tasks in privileged mode This example shows how to display the ELMI statistics and configuration for module 7 port 1 Console enable show port ethernet lmi 7 1 statistics E LMI statistics for port 7 1 Ethernet LMI Link Status Up UNI Status Up UNI Id PE1 CustA Port1 Reliability Errors Status Enq Timeouts 0 Invalid Sequence Number 0 Protocol Errors Invalid Protocol Version 0 Invalid EVC Refer...

Page 644: ...the UNI or a specified EVC perform this task in privileged mode This example shows how to clear EVCs associated with module 7 port 1 Console enable clear port ethernet evc 7 1 EVCs associated with port 7 1 are cleared Console enable Clearing ELMI Statistics Counters To clear ELMI statistics counters for all ports or a specified port perform this task in priviledged mode This example shows how to c...

Page 645: ...er port in the same VLAN If you see the same MAC address on another port this situation can indicate a problem in the network such as a spanning tree loop HSRP flapping or a server link flapping However this situation does not always indicate a problem The following events can result in the same MAC address that is seen on another port but are considered normal behavior and are not indications of ...

Page 646: ...r tuples per VLAN When the maximum limit of 1000 tuples is exceeded new moves that occur in that VLAN are not recorded For proper syslog generation you need to set the logging level for the EARL facility to 4 or higher by entering the set logging level earl severity command MAC Address Move Counter syslog Generation The MAC address move counters generate the syslogs that are described in these sec...

Page 647: ...e enable set cam notification move counters enable MAC move counters are enabled Please change the logging level for the Earl facility as the current logging level is set to 2 and Mac Move Counters requires a logging level of at least 4 Console enable This example shows that the logging level for the EARL facility needs to be set to 4 or higher as follows Console enable set logging level earl 4 Sy...

Page 648: ...01 2 3 3 1 15 Console enable This example shows how to display MAC address move counter statistics where the To Mod Port field is part of an EtherChannel Console enable show cam notification move counters Vlan Mac Address From Mod Port To Mod Port Count 1 00 01 02 07 08 01 3 1 2 1 2 3 2 5 2 7 10 Console enable This example shows how to display MAC address move counter statistics where the From Mod...

Page 649: ...toring DOM feature provides real time access for optical transceivers to operating parameters such as temperature voltage laser bias current and receive transmit optical power Note Xenpak transceivers do not support the voltage parameter For Xenpak transceivers voltage will be displayed as n a To display the default values provided for the transceivers use the show transceivers threshold table com...

Page 650: ...etailed Transceiver Information To display detailed transceiver information perform this task in enabled mode This example shows how to display detailed transceiver information Console show port transceiver detail Transceiver monitoring is disabled for all ports Monitor interval is set to 10 minutes mA milliamperes dBm decibels milliwatts NA or N A not applicable high alarm high warning low warnin...

Page 651: ...ations To display transceiver threshold violations perform this task in enabled mode This example shows how to display transceiver threshold violations Console show port transceiver 3 threshold violations Transceiver monitoring is enabled for all ports Monitor interval is set to 5 minutes Rx Receive Tx Transmit DDDD days HH hours MM minutes SS seconds Time since Last Known Time in slot Threshold V...

Page 652: ...iver monitoring is disabled Monitor interval is set to 1 minute Transmit Power dBm High Alarm High Warn Low Warn Low Alarm Threshold Threshold Threshold Threshold Port Value Severity Value Severity Value Severity Value Severity 3 1 default critical default critical default critical default critical Receiver Power dBm High Alarm High Warn Low Warn Low Alarm Threshold Threshold Threshold Threshold P...

Page 653: ...ring Console enable set transceiver monitoring disable Transceiver monitoring is successfully disabled Setting the Transceiver Monitoring Interval To set the transceiver monitoring interval perform this task in enabled mode This example shows how to set the transceiver monitoring interval Console enable set transceiver monitoring interval 10 Transceiver monitoring interval is set to 10 minutes Set...

Page 654: ...perature high alarm threshold 750 Optical temperature high alarm threshold is set to 75 0 celsius for port 3 1 This example shows how to set a transceiver temperature threshold including the severity Console enable set port transceiver 3 1 temperature high alarm threshold 75 severity critical Optical temperature high alarm threshold is set to 75 0 celsius for port 3 1 and severity is set to critic...

Page 655: ...Understanding How Online Diagnostics Work Note GOLD is supported on the Supervisor Engine 720 and Supervisor Engine 32 only However earlier diagnostic commands are still supported on the Supervisor Engine 1 and Supervisor Engine 2 Online diagnostics performs the following functions Test and verify the hardware functionality of the supervisor engine modules and switch while the switch is connected ...

Page 656: ...y is detecting hardware failures and taking corrective action while the switch runs in a live network Online diagnostics in high availability detect hardware failures and provide feedback to high availability software components to make switchover decisions Configuring Online Diagnostics These sections describe how to configure online diagnostics Specifying the Bootup Online Diagnostic Level page ...

Page 657: ...stic tests use the EOBC channel to communicate with the rest of the system Proper working of the EOBC channel between the supervisor engine and the SLCP LCP and the module processors is required for performing the online diagnostic tests Use the information in these sections for configuring on demand online diagnostics Running On Demand Online Diagnostic Tests page 21 3 On Demand Online Diagnostic...

Page 658: ...not work You may need to perform certain actions before and after running a test These actions are described in the configuration procedure Some of the tests are disruptive The configuration procedure provides guidance for running any disruptive tests You should run packet switching tests before you run memory tests Memory tests should always be run on modules first and then on the supervisor engi...

Page 659: ... spurious packets are interfering with the loopback test and causing it to fail Also if the module has an inline power daughter card disable power to the inline power daughter card before running the test Additional test requirements are as follows User actions before running the test None User actions after running the test None Table 21 1 On Demand Tests Supervisor Engine Functional Test Group I...

Page 660: ...sPing test is not available This test might be available in subsequent releases If the test is not available proceed to the next step This disruptive test checks the EOBC connection for the specified module The test takes a couple of minutes to finish You cannot run the packet switching tests described in previous steps after running this test However you can run the tests described in Step 5 Addi...

Page 661: ...dual basis Some of the tests can take several hours to finish due to the size of the memory Since each module has several memory tests and they are interdependent the order of running these tests on each module is critical Note With software release 8 5 1 the TestFibTcamSSRAM test is the only available exhaustive memory test The other memory tests items 2 through 5 below are planned for subsequent...

Page 662: ...or each health monitoring test whether or not to generate a system message upon test failure or whether an individual test should be enabled or disabled The disruptive tests are disabled by default A set number of nondisruptive tests not all are enabled by default Use the show diagnostic content module mod_list command to determine which tests are disruptive D and nondisruptive N by checking the A...

Page 663: ...r example if you schedule the online diagnostics to run at 3 00 pm then change the system time to 2 59 pm the online diagnostics will not run at 3 00 pm To schedule online diagnostics perform this task in privileged mode This example shows how to schedule diagnostic testing tests 1 and 2 specified to occur on a specific date and time for a specific module Console enable set diagnostic schedule mod...

Page 664: ... after failing the online diagnostics Console enable set diagnostic diagfail action system Diagnostic failure action set to system Console enable show diagnostic diagfail action Diagnostic failure action at last bootup system Diagnostic failure action at next reset system Console enable Specifying the Online Diagnostic Event Log Size The default setting is 500 entries and the range is 1 to 10000 e...

Page 665: ...lure response for the supervisor engine show diagnostic diagfail action Display the diagnostic event log show diagnostic events event type error info warning show diagnostic events module mod_list all show diagnostic events Display the online diagnostic on demand configuration settings show diagnostic ondemand settings Display the diagnostic test results for the specified module s or all modules s...

Page 666: ...module 7 test 3 Clear diagnostic monitor interval for module 7 test 3 Console enable Console enable clear diagnostic monitor module 7 test 1 Module 7 test 1 diagnostic monitor disable Console enable Console enable clear diagnostic monitor syslog Diagnostic monitor syslog disable Console enable Clear the online diagnostic scheduling configuration for tests 1 and 2 on module 7 Console enable clear d...

Page 667: ...em Contact and Location on the Switch page 22 3 Setting the System Clock on the Switch page 22 4 Creating a Login Banner on the Switch page 22 4 Displaying or Suppressing the Cisco Systems Console Telnet Login Banner on the Switch page 22 5 Defining Command Aliases on the Switch page 22 6 Defining IP Aliases on the Switch page 22 7 Configuring Static Routes on the Switch page 22 8 Configuring Perm...

Page 668: ...mpt a greater than symbol is appended The prompt is updated whenever the system name changes unless you manually configure the prompt using the set prompt command The switch performs a DNS lookup for the system name whenever one of the following occurs The switch is initialized power on or reset You configure the IP address on the sc0 interface using the command line interface CLI or Simple Networ...

Page 669: ...09 enable Clearing the System Name To clear the system name perform this task in privileged mode This example shows how to clear the system name Console enable set system name System name cleared Console enable Setting the System Contact and Location on the Switch You can set the system contact and location to help you with resource management tasks To set the system contact and location perform t...

Page 670: ...using the Network Time Protocol NTP For information on configuring NTP see Chapter 34 Configuring NTP To set the system clock perform this task in privileged mode This example shows how to set the system clock and display the current date and time Console enable set time Mon 06 15 98 12 30 00 Mon Jun 15 1998 12 30 00 Console enable show time Mon Jun 15 1998 12 30 02 Console enable Creating a Login...

Page 671: ...p com for access MOTD banner set Console enable Clearing a Login Banner To clear a login banner perform this task in privileged mode This example shows how to clear a login banner Console enable set banner motd MOTD banner cleared Console enable Displaying or Suppressing the Cisco Systems Console Telnet Login Banner on the Switch To display or suppress the Cisco Systems Console Telnet login banner...

Page 672: ...me and can help to prevent typing errors when you are configuring or monitoring the switch The name argument defines the command alias The command and parameter arguments define the command to enter when the command alias is entered at the command line To define a command alias on the switch perform this task in privileged mode This example shows how to define two command aliases sm8 and sp8 sm8 i...

Page 673: ... IP aliases can make it easier to refer to other network devices when using ping telnet and other commands even when DNS is not enabled The name argument defines the IP alias The ip_addr argument defines the IP address to which the name refers To define an IP alias on the switch perform this task in privileged mode This example shows how to define two IP aliases sparc and cat6509 sparc refers to I...

Page 674: ...d the default classful mask is used The switch forwards the IP traffic that is generated by the switch using the longest address match in the IP routing table The switch does not use the IP routing table to forward the traffic from the connected devices only the IP traffic that is generated by the switch itself for example Telnet TFTP and ping To configure a static route perform this task in privi...

Page 675: ... ARP entry to be statically or permanently entered into the ARP cache so that those devices can still be reached To configure a static or permanent ARP entry perform this task in privileged mode This example shows how to define a static ARP entry Console enable set arp static 20 1 1 1 00 80 1c 93 80 40 Static ARP entry added as 20 1 1 1 at 00 80 1c 93 80 40 on vlan 1 Console enable This example sh...

Page 676: ...llows you to upgrade the software during business hours and schedule the system upgrade after business hours to avoid a major impact on users You can also use schedule reset when trying new features on a switch To avoid misconfiguring or losing the network connectivity to the device you can set the startup configuration and schedule a reset to occur in 30 minutes You can then change the configurat...

Page 677: ... enable This example shows how to schedule a reset with a minimum downtime Console enable reset mindown at 23 00 8 18 Software upgrade to 5 3 1 Reset scheduled at 23 00 00 Wed Aug 18 1999 Reset reason Software upgrade to 5 3 1 Proceed with scheduled reset y n n y Reset mindown scheduled for 23 00 00 Wed Aug 18 1999 in 0 day 8 hours 39 minutes Console enable Scheduling a Reset Within a Specified Am...

Page 678: ...pon the wattage of the power supply certain switch configurations might require more power than a single power supply can provide Although the power management feature allows you to power all installed modules with two power supplies redundancy is not supported in this configuration The redundant and nonredundant power configurations are discussed in the following sections Enabling or Disabling Po...

Page 679: ...ant to nonredundant System log and syslog messages are generated The system power is increased to the combined power capability of both supplies The modules marked as power deny in the show module Status field are brought up if there is sufficient power Nonredundant to redundant System log and syslog messages are generated The system power is the power capability of the larger wattage supply If th...

Page 680: ...ere is no change in the module status because the power capability is unchanged If the power supplies are of unequal wattage and the lower wattage supply is removed there is no change in the module status If the power supplies are of unequal wattage and the higher wattage supply is removed and if there is not enough power for all previously powered up modules some modules are powered down and mark...

Page 681: ...us information The keyword descriptions are as follows temperature Optional Displays temperature information all Optional Displays environmental status for example power supply fan status and temperature information and information about the power that is available to the system power Optional Displays environmental power information Note By default the alarm thresholds for environment temperature...

Page 682: ...no redundant supervisor engine the SYSTEM LED is red also syslog message and SNMP trap generated If redundancy system switches to the redundant supervisor engine and the active supervisor engine shuts down If there is no redundancy and the overtemperature condition is not corrected the system shuts down after 5 minutes Supervisor engine temperature sensor exceeds minor threshold Minor STATUS LED o...

Page 683: ...p and the stack dump generate reports that contain the status information about your switch Send the images that are captured by the core dump or the stack dump to Cisco TAC for analysis Enabling and Disabling the Core Dump A core dump produces a comprehensive report of images when your system fails due to a software error This report contains the system memory content including the text code and ...

Page 684: ...e perform this task in privileged mode This example shows how to specify the core image filename Console enable set system core file slot0 core hz System core file set Console enable Displaying the Stack Dump A stack dump provides only the images that are related to a particular process that has caused the system to fail This image stack is displayed on the console and is also saved in the log are...

Page 685: ... S4 80C8DBDC S5 000006E8 S6 00000000 S7 00000000 T8 F0D09E3A T9 82940828 K0 3041C001 K1 80C73038 GP 811F39C0 SP 83F84010 S8 83F84010 RA 807523F4 HIGH 00000001 LOW D5555559 BADVADDR 7DFF7FFF ERR EPC 58982466 GDB Breakpoint Exception GDB The system has trapped into the debugger GDB It will hang until examined with gdb Using System Crash Info Files The crash info file contains extended system informa...

Page 686: ... use the information in the output for debugging and troubleshooting purposes These sections describe how to configure system information logging on the switch Enabling System Information Logging page 22 20 Specifying show Commands for System Information Logging page 22 21 Specifying How Often System Information Logging Occurs page 22 22 Specifying the Filename and Server for System Information Lo...

Page 687: ...ument is the number of the show command in the system information logging index To specify the show commands whose output is logged in a file perform this task in privileged mode This example shows how to specify a show command and verify that it is included in the system information logging Console enable set system info log command show version System command was successfully added to the list C...

Page 688: ... to 4320 minutes Console enable show system info log System Logging Host File Interval Enabled tftp sysinfo 4320 Index System Command 1 show config 2 show version 3 show module 4 show environment Console enable Specifying the Filename and Server for System Information Logging You can specify the filename and the server for system information logging If you do not specify a path for the file the de...

Page 689: ...its removal perform this task in privileged mode This example shows how to clear the show command number 1 from the system information logging index Console enable clear system info log command 2 Successfully cleared the configured command Console enable show system info log System Logging Host File Interval Enabled 10 5 2 10 rcp sysinfo 4320 Index System Command 1 show config 2 show module 3 show...

Page 690: ...onsole enable set system info log disable Successfully disabled system information logging Console enable show system info log System Logging Host File Interval Disabled tftp sysinfo 1440 Index System Command Console enable TCL Scripting Tool Command Language TCL is a simple programmable text based language that allows you to write the command procedures that expand the capabilities of the built i...

Page 691: ...have been customized from the standard TCL command set to avoid conflicts with the Catalyst 6500 series switch software The following two commands have been specifically added to the software auto answer on off When set to on the TCL shell will answer yes if prompted by the switch for a yes or no answer The default setting is off echo on off When set to off the output from the switch commands is n...

Page 692: ...nable To close the TCL shell perform this task in privileged mode This example shows how to close the TCL shell Console enable tclquit Console enable Table 22 3 TCL Commands append array auto answer break case catch concat continue echo error eval expr for foreach global if incr info join lappend lindex linsert list llength lrange lreplace lsearch lsort proc puts regexp regsub return scan source s...

Page 693: ...esigned to be used in redundant mode only and must have identical configurations See the MSFC Redundancy section on page 23 21 for detailed information We do not support configurations where the MSFCs are not configured identically Note Except where specifically differentiated the information and procedures in this chapter apply to Supervisor Engine 32 with PFC3B PFC3BXL Supervisor Engine 720 with...

Page 694: ...ither slot 7 or 8 You must install redundant supervisor engines in both slots The redundant supervisor engines are hot swappable The system continues to operate with the same configuration after switching over to the redundant supervisor engine Note To allow you to control the booting of each supervisor engine separately the configuration registers are not synchronized between the supervisor engin...

Page 695: ...oot image of the active supervisor engine in the standby supervisor engine bootflash For more information about using the flash file system see Chapter 26 Working With the Flash File System Supervisor Engine 1 and Supervisor Engine 2 have a Flash PC card PCMCIA slot slot0 in addition to the onboard flash memory this slot can hold a Flash PC card that can store additional boot images The keywords f...

Page 696: ... if you change the BOOT environment variable Current boot image overwritten If you overwrite the current boot image that is stored on one of the flash devices the file system management module detects this event and initiates synchronization The active supervisor engine copies its new boot image to the standby supervisor engine BOOT environment variables changed If you change the BOOT environment ...

Page 697: ...rror condition If you insert or reset the standby supervisor engine flash synchronization does not occur In addition the STATUS LED on the standby supervisor engine turns red and the system generates a syslog error message Active supervisor engine in slot 2 When the active supervisor engine is in slot 2 the standby supervisor engine is in slot 1 If you change the configuration to specify a new boo...

Page 698: ...0 7b bb 2e ff Mod Sub Type Sub Model Sub Serial Sub Hw 2 L2 Switching Engine WS F6020 SAD02350211 0 101 Console enable Console enable show test 2 Module 2 2 port 1000BaseX Supervisor Network Management Processor NMP Status Pass F Fail U Unknown ROM Flash EEPROM Ser EEPROM NVRAM EOBC Comm Line Card Status for Module 1 PASS Port Status Ports 1 2 Line Card Diag Status for Module 2 Pass F Fail N N A M...

Page 699: ...tstrap Version 3 1 2 Copyright c 1994 1997 by cisco Systems Inc System Bootstrap Version 3 1 2 Copyright c 1994 1997 by cisco Systems Inc Presto processor with 32768 Kbytes of main memory Autoboot executing command boot bootflash cat6000 sup 5 4 1a bin CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC Uncompressing file System Power On Diagnostics NVRAM Size 512KB ID...

Page 700: ...or has synchronized the NMP image Console High Availability High availability allows you to minimize the switchover time from the active supervisor engine to the standby supervisor engine if the active supervisor engine fails Prior to this feature fast switchover ensured that a switchover to the standby supervisor engine happened quickly However with fast switchover because the state of the switch...

Page 701: ...atibility is checked and if found compatible the database synchronization is started High availability compatible features continue from the saved states on the standby supervisor engine after a switchover When you disable high availability the database synchronization is not done and all features must restart on the standby supervisor engine after a switchover If you change high availability from...

Page 702: ...ive supervisor engine to the standby supervisor engine However you can enable the compatible features when you enable high availability Incompatible features High availability is not supported The feature s database is not synchronized from the active supervisor engine to the standby supervisor engine You cannot enable the incompatible features if you enable high availability and you cannot enable...

Page 703: ...iable in the record changes The 802 1X reauthentication timers for the authorized ports restart after the switchover occurs The port security statistics are not synchronized from the active to the standby supervisor engine When you enable high availability or hot insert a standby supervisor engine on a switch that has secure ports all the per port and MAC related information is synchronized from t...

Page 704: ... in configuration loss Note When you install two supervisor engines the first supervisor engine to come online becomes the active module the second supervisor engine goes into standby mode If two supervisor engines are installed in your system at power up the supervisor engine in slot 1 becomes active and the supervisor engine in slot 2 enters standby mode If the software versions of the two super...

Page 705: ...ing High availability setting enabled or disabled Versioning setting enabled or disabled High availability operational status based on whether the standby supervisor engine is present and operational The operational status field displays one of the following OFF high availability not enabled The high availability option in NVRAM is disabled OFF standby supervisor not present The standby supervisor...

Page 706: ...ilability Operational status OFF high availability not enabled Console enable This example shows how to enable high availability Console enable set system highavailability enable System high availability enabled Console enable Console enable show system highavailability Highavailability enabled Highavailability versioning disabled Highavailability Operational status ON Console enable Loading a Dif...

Page 707: ...is unavailable to its users following a switchover while continuing to forward the IP packets For information about configuring NSF with SSO refer to Configuring Supervisor Engine Redundancy using NSF with SSO in the Catalyst 6500 Series Cisco IOS Software Configuration Guide 12 2SX at this URL http www cisco com en US docs switches lan catalyst6500 ios 12 2SXF native configuration guide n sfsso h...

Page 708: ... are as follows The active supervisor engine f1 image is not copied to the standby supervisor engine The standby supervisor engine bootstring is not modified The standby supervisor engine is not reset Example 2 File copied bootstring changed standby supervisor engine reset The configuration for example 2 is as follows The active supervisor engine configuration is as follows Run time image bootflas...

Page 709: ...gine The expected results are as follows The active supervisor engine run time image is synchronized to the standby supervisor engine The active supervisor engine f1 image is not copied to the standby supervisor engine The standby supervisor engine bootstring is modified to the following f1 1 f2 1 The standby supervisor engine is reset Example 4 Oldest bootflash file deleted bootflash squeezed The...

Page 710: ...reset Synchronizing the Boot Images on the Active and Standby Supervisor Engines This section contains four examples in which the bootstrings on the active and standby supervisor engines are synchronized Example 1 Unable to allocate the boot image The configuration for this example is as follows The active supervisor engine configuration is as follows Run time image bootflash f1 Bootstring bootfla...

Page 711: ...isor engine copies its f2 image to the standby supervisor engine and renames it BTSYNC_f2 The standby supervisor engine bootflash is modified to the following f1 BTSYNC_f2 The standby supervisor engine bootstring is modified to the following bootflash BTSYNC_f2 1 f1 1 The standby supervisor engine is not reset Example 3 File not copied bootstring modified standby supervisor engine not reset The co...

Page 712: ...time image bootflash f1 Bootstring bootflash f1 1 Bootflash f0 f1 f3 less than 1 MB left on device The time stamp for f1 on the active supervisor engine is the same as f1 on the standby supervisor engine The time stamp for f0 is older than f1 and the time stamp for f1 is older than f3 The active supervisor engine bootstring is modified to the following bootflash f2 1 bootflash f1 1 The expected re...

Page 713: ...support configurations where the MSFCs are not configured identically These sections describe how to configure MSFC redundancy Hardware and Software Requirements page 23 21 Layer 3 Redundancy for a Single Chassis page 23 22 Routing Protocol Peering page 23 23 Access Control List Configuration page 23 24 Dual MSFC Operational Model for Redundancy and Load Sharing page 23 25 Understanding Failure Sc...

Page 714: ...Table 23 2 see the alt Keyword Usage section on page 23 36 The redundant supervisor engines must have identical hardware MSFC and PFC See the Hardware and Software Requirements section on page 23 21 for more information Note For the MSFC and MSFC2 memory requirements refer to the Release Notes for MSFC publication at this URL http www cisco com en US products hw switches ps708 prod_release_notes_l...

Page 715: ... two MSFCs in a single Catalyst 6500 series switch chassis each configured with interface VLAN 10 and VLAN 21 the MSFCs are peered to each other over these VLANs Combined with a dual chassis and dual MSFC design for the same VLANs each MSFC has 6 peers its peer in the same chassis and the 2 MSFCs in the second chassis 3 in VLAN 10 and 3 in VLAN 21 See Figure 23 1 Figure 23 1 Dual Chassis and Dual ...

Page 716: ... HSRP priorities Access Control List Configuration If you use the Cisco IOS access control lists ACLs on the MSFC you must configure the ACLs on both MSFCs identically globally and at the interface level Only the designated MSFC the MSFC to come online first or the MSFC that has been online the longest programs the PFC with ACL information The active supervisor engine s PFC multilayer switches the...

Page 717: ...The supervisor engines automatically perform image and configuration synchronization you must manually synchronize the images and configurations on the MSFCs Figure 23 2 Dual MSFC Operational Model for Redundancy and Load Sharing VLANs 10 and 21 In Figure 23 2 you should configure redundancy and load sharing as follows VLAN 10 even numbered VLANs Configure MSFC 1 in Switch S1 as the primary HSRP r...

Page 718: ...s arriving at the HSRP MAC addresses and those packets arriving with the router s real MAC addresses HSRP is used for unicast traffic first hop redundancy for traffic that is received through another router attached to VLAN 10 for example the actual MAC address of Sup 1 MSFC 1 is used Understanding Failure Scenarios These five examples describe the possible failure scenarios within a single chassi...

Page 719: ...curs when the designated MSFC 1 fails 1 The MLS entries for MSFC 1 gracefully age out of the Sup 1 Layer 3 cache while MSFC 2 takes temporary ownership of these MLS entries using its XTAG value 2 The MLS entries for MSFC 2 are not affected 3 MSFC 2 removes all the dynamic and reflexive ACLs that are programmed in the hardware by MSFC 1 4 MSFC 2 reprograms the static ACLs in the Sup 1 ACL ASIC beca...

Page 720: ...ins the designated MSFC Failure Case 5 New or Previously Failed Supervisor Comes Back Online This sequence occurs when the previously failed supervisor engine Sup 2 comes online 1 Sup 1 continues to be the active supervisor engine 2 Sup 2 synchronizes its image and configuration with Sup 1 unless high availability versioning is enabled 3 MSFC 2 on Sup 2 comes up If the HSRP preempt for VLAN 21 is ...

Page 721: ...ace configuration mode Task Command Step 1 Enable HSRP and specify the HSRP IP address If you do not specify a group_number group 0 is used To assist in troubleshooting configure the group number to match the VLAN number Router config if standby group_number ip ip_address Step 2 Specify the priority for the HSRP interface Increase the priority of at least one interface in the HSRP group the defaul...

Page 722: ...nes and MSFCs page 23 33 For the following examples the designated MSFC is on the active supervisor engine To determine the status of the designated MSFC enter the show fm features or the show redundancy command This example shows that Router 16 is the designated MSFC Router 15 show redundancy Designated Router 1 Non designated Router 2 Redundancy Status non designated Config Sync AdminStatus enab...

Page 723: ... Router config if standby 21 authentication Secret Router config if Z Router C C C This example shows how to configure HSRP on the MSFC in Switch S2 Console enable switch console 15 Trying Router 15 Connected to Router 15 Type C C C to switch back Router configure terminal Enter configuration commands one per line End with CNTL Z Router config interface vlan10 Router config if standby 10 ip 172 20...

Page 724: ...empt Router config if standby 21 timers 5 15 Router config if standby 21 authentication Secret Router config if Z Router C C C Console enable switch console 16 Trying Router 16 Connected to Router 16 Type C C C to switch back Router configure terminal Enter configuration commands one per line End with CNTL Z Router config interface vlan10 Router config if standby 10 ip 172 20 100 10 Router config ...

Page 725: ...g if standby 10 authentication Secret Router config if interface vlan21 Router config if standby 21 ip 192 20 100 21 Router config if standby 21 priority 108 Router config if standby 21 preempt Router config if standby 21 timers 5 15 Router config if standby 21 authentication Secret Router config if Z Router C C C Console enable switch console 16 Trying Router 16 Connected to Router 16 Type C C C ...

Page 726: ...ter 16 Type C C C to switch back Router configure terminal Enter configuration commands one per line End with CNTL Z Router config interface vlan10 Router config if standby 10 ip 172 20 100 10 Router config if standby 10 priority 107 Router config if standby 10 preempt Router config if standby 10 timers 5 15 Router config if standby 10 authentication Secret Router config if interface vlan21 Router...

Page 727: ...mand on the designated MSFC These sections provide information about the MSFC configuration synchronization Configuration Synchronization States page 23 35 alt Keyword Usage page 23 36 Configuration Synchronization States The two states for the configuration synchronization are as follows Config Sync AdminStatus Signifies what the user has configured for this feature at that moment Config Sync Run...

Page 728: ...dress command Router 1 config if ip address 1 2 3 4 255 255 255 0 alt ip address 1 2 3 5 255 255 255 0 Enabling or Disabling Configuration Synchronization To enable high availability redundancy perform this task in privileged mode Table 23 3 Interface and Global Configuration Commands Containing the alt Keyword Interface Configuration Commands Global Configuration Commands no standby group_number ...

Page 729: ...outer High Availability Redundancy Configuration Examples This section describes the different scenarios for enabling high availability and configuration synchronization Scenario 1 Enabling Configuration Synchronization on Both MSFCs page 23 37 Scenario 2 Disabling Configuration Synchronization on the Designated MSFC page 23 41 Scenario 3 Designated MSFC Comes Up page 23 41 Scenario 4 Nondesignate...

Page 730: ...fig interface vlan 1 Router 16 config if ip address 70 0 70 4 255 255 0 0 alt ip address 70 0 70 5 255 255 0 0 Router 16 config if exit This example shows that high availability redundancy is accepted Router 16 config redundancy Router 16 config r high availability Router 16 config r ha config sync Router 16 config r ha end Router 16 00 03 31 SYS 5 CONFIG_I Configured from console by console Becau...

Page 731: ...ronized 00 20 41 RUNCFGSYNC 6 SYNCEVENT Syncing Running Configuration to the Non Designated Router 00 20 41 RUNCFGSYNC 6 SYNCEVENT Syncing Startup Configuration to the Non Designated Router These examples show that the designated MSFC and nondesignated MSFC have the same running configuration after synchronization designated MSFC Router 16 show running config Building configuration Current configu...

Page 732: ...ord encryption hostname Router1 alt hostname Router2 boot bootldr bootflash c6msfc boot mz 120 7 XE1 ip subnet zero ip cef redundancy high availability config sync cns event service server interface Vlan1 ip address 70 0 70 4 255 255 0 0 alt ip address 70 0 70 5 255 255 0 0 interface Vlan10 ip address 192 10 10 1 255 255 255 0 alt ip address 192 10 10 2 255 255 255 0 no ip redirects shutdown stand...

Page 733: ... to occur when the nondesignated MSFC comes up Because the nondesignated MSFC is not up yet Config Sync RuntimeStatus is disabled and there is no configuration synchronization See the Scenario 4 Nondesignated MSFC Comes Up section on page 23 41 for information on the nondesignated MSFC This example shows that Router 16 is the designated MSFC Config Sync AdminStatus is enabled and Config Sync Runti...

Page 734: ...tion commands one per line End with CNTL Z Router 15 config redundancy Router 15 config r high availability Router 15 config r ha config sync Router 15 config r ha 00 03 47 SYS 5 CONFIG_I Configured from console by console 00 03 47 RUNCFGSYNC 6 SYNCEVENT The High Availability Redundancy Feature is enabled The config mode is no longer accessible 00 00 51 RUNCFGSYNC 6 SYNCEVENT Non Designated Router...

Page 735: ...ondesignated router s configuration is exactly the same as the designated router but its interfaces are kept in a line down state and are not visible to the network The processes such as the routing protocols are created on the nondesignated router and the designated router but all the nondesignated router interfaces are in a line down state they do not send or receive updates from the network Whe...

Page 736: ...loaded with the multicast traffic during the switchover The switch caches the flows from the MSFC2 that went down and uses the cached flows to forward traffic until the newly activated MSFC2 learns the routes Only a few flows at a time are provided to the MSFC2 to prevent it from being overwhelmed Supervisor engine software release 6 3 1 or later releases Supervisor Engine 720 requires supervisor ...

Page 737: ...ying that the SRM run time status is enabled enter the write memory command on the designated MSFC and reload the nondesignated MSFC do not save the configuration on the nondesignated MSFC at the reload prompt Tip We recommend that you use the second method where the nondesignated MSFC starts with the same configuration as the designated MSFC This method lessens the chance of encountering any unfo...

Page 738: ...hat appear in the running configuration show running config using the no form of the boot system command For the nondesignated router set the configuration register to auto boot by entering the config register 0x102 command Note If you already have SRM capable Cisco IOS images loaded you do not need to perform Step 6 Step 6 Enter the reload command to reload the designated router and nondesignated...

Page 739: ...entries might be erased and the newly downloaded Layer 3 switching information might be incomplete With Cisco IOS Release 12 1 11b E and later releases you can specify the transition time that the newly designated router waits before downloading the new Layer 3 switching information to the switch processor On a switchover the old Layer 3 switching information is used for a configurable number of s...

Page 740: ...erform these steps Step 1 On the active supervisor engine enter the copy tftp sup slot0 command and follow the prompts to load the new c6msfc2 jsv mz 9E image onto the supervisor engine Flash PC card Step 2 If you have a console connection enter the switch console command to access the active MSFC If you are connected through a Telnet session enter the session mod command to access the active MSFC...

Page 741: ...uter_config startup config command on both MSFCs After the configurations are copied reload the MSFCs using the reload command To get out of SRM perform these steps Step 1 On the designated router disable SRM by entering the no form of the command as follows Router config redundancy Router config r high availability Router config r ha no single router mode Step 2 Enter the write memory command on ...

Page 742: ...and an MSFC Manual mode MSFC redundancy requires the following software Supervisor engine software release 6 1 3 or later releases and Cisco IOS Release 12 1 7 E or later releases Supervisor engine software release 5 5 8 or later releases and Cisco IOS Release 12 1 7a E1 or later releases Note Each MSFC must run the same release of Cisco IOS software Manual Mode MSFC Redundancy Guidelines This sec...

Page 743: ...N Registration Protocol GVRP we recommend that you disable these features when using manual mode MSFC redundancy Ensure that the console port on both supervisor engines is accessible to the operations personnel out of band access through the terminal server or modem Note The procedures in this section use the switch console command to access the MSFC from the supervisor engine The switch console c...

Page 744: ...r the reset 15 command from the active supervisor engine s console port and see if the active MSFC reboots without problems If it does not you have these two options to switch over to the standby MSFC Option 1 If You Have Physical Access to the Switch If you have physical access to the switch use this option You can remove the active supervisor engine with the problematic MSFC so that the redundan...

Page 745: ...at the do you wish to change the configuration y n n prompt b Press Enter to accept the default for all questions until you reach this prompt change the boot characteristics y n n c Enter y d Enter 0 to select the 0 ROM Monitor option at the next prompt e Review the Configuration Summary to ensure the following value boot the ROM Monitor f You are again prompted with do you wish to change the conf...

Page 746: ...age 2 15 boot system 2 2 Configuration Summary enabled are load rom after netboot fails console baud 9600 boot the ROM Monitor do you wish to change the configuration y n n n You must reset or power cycle for new config to take effect rommon 2 Step 10 Enter the reset command at the ROMMON prompt to boot the system Step 11 Once the MSFC has booted enter the config register 0x2102 command from Cisco...

Page 747: ...Note The term MSFC is used throughout this chapter to refer to MSFC2 MSFC2A and MSFC3 except where specifically differentiated Note Except where specifically differentiated the information and procedures in this chapter apply to Supervisor Engine 32 with PFC3B PFC3BXL Supervisor Engine 720 with PFC3A PFC3B PFC3BXL and Supervisor Engine 2 with PFC2 This chapter consists of these sections Hardware a...

Page 748: ...system that runs on the supervisor engine provides a Layer 2 high availability for redundant supervisor engines Cisco IOS Release 12 2 18 SXF and later releases with NSF and SSO that run on the MSFC provide Layer 3 and above high availability for redundant MSFCs MSFC SSO high availability benefits are as follows Reduced downtime The ability to upgrade software without shutting down the MSFC The ab...

Page 749: ...mode and fail to run the high availability feature on the supervisor engine any switchover that may occur will result in a nonstateful switchover and the standby MSFC will reset itself and reload at the time of the switchover This reset reload of the standby MSFC occurs because there is insufficient state information on the supervisor engine to support a stateful switchover of the MSFC This reset ...

Page 750: ... to assist you in migrating to NSF SSO However the SRM CLI does not cause NVRAM updates If you have SRM CLI in your configuration and you decide to modify the SRM configuration and enter the write mem command the SRM CLI commands in the configuration are lost If you want to downgrade to an image that has SRM your original SRM CLI configuration is lost and you will have to reconfigure SRM For this ...

Page 751: ...re not synchronized between MSFCs Not all subsystems are high availability aware and those that are high availability aware may have their own set of limitations Some subsystems have their own high availability specific configurations and status commands such as the show isis nsf command MSFC software images do not currently support the in service software upgrade ISSU Diagnostics are not integrat...

Page 752: ...ndancy Router config red mode sso Router config red end Router show redundancy states my state 13 ACTIVE peer state 1 DISABLED Mode Simplex Unit Primary Unit ID 7 Redundancy Mode Operational Stateful SwitchOver SSO Redundancy Mode Configured Stateful SwitchOver SSO Redundancy State Non Redundant Split Mode Disabled Manual Swact Disabled Reason Simplex mode Communications Down Reason Simplex mode c...

Page 753: ... dCEF switching yes Default CEF switching yes Default dCEF switching yes Drop multicast packets no OK to punt packets yes NVGEN CEF state yes fastsend used no CEF NSF capable yes RPR SSO standby capable yes IPC delayed func on SSO no FIB auto repair supported yes LCs not running at init time yes Hardware forwarding supported yes Hardware forwarding in use yes Load sharing pr packet supported no RR...

Page 754: ...bgp graceful restart appears in the BGP configuration of the SSO enabled router by entering the show running config command Router show running config router bgp 120 bgp graceful restart neighbor 10 2 2 2 remote as 300 Step 2 Repeat step 1 on each of the BGP neighbors Purpose Command Step 1 Enter global configuration mode Router configure terminal Step 2 Enable a BGP routing process which places t...

Page 755: ...dvertised and received new Address family IPv4 Unicast advertised and received Address famiiy IPv4 Multicast advertised and received Graceful Restart Capabilty advertised and received Remote Restart timer is 120 seconds Address families preserved by peer IPv4 Unicast IPv4 Multicast Received 1539 messages 0 notifications 0 in queue Sent 1544 messages 0 notifications 0 in queue Default minimum time ...

Page 756: ... Process ospf 1 with ID 192 168 2 1 and Domain ID 0 0 0 1 Supports only single TOS TOS0 routes Supports opaque LSA SPF schedule delay 5 secs Hold time between two SPFs 10 secs Minimum LSA interval 5 secs Minimum LSA arrival 1 secs Number of external LSA 0 Checksum Sum 0x0 Number of opaque AS LSA 0 Checksum Sum 0x0 Number of DCbitless external and opaque AS LSA 0 Number of DoNotAge external and opa...

Page 757: ...RP is ACTIVE standby ready bulk sync complete NSF interval timer expired NSF restart enabled Checkpointing enabled no errors Step 3 Enable NSF operation for IS IS Enter the ietf keyword to enable IS IS in a homogeneous network where adjacencies with networking devices supporting IETF draft based restartability is guaranteed Enter the cisco keyword to run IS IS in heterogeneous networks that might ...

Page 758: ... interfaces awaiting L1 CSNP 0 Awaiting L1 LSPs NSF L2 active interfaces 0 NSF L2 active LSPs 0 NSF interfaces awaiting L2 CSNP 0 Awaiting L2 LSPs Interface Serial3 0 2 NSF L1 Restart state Running NSF p2p Restart retransmissions 0 Maximum L1 NSF Restart retransmissions 3 L1 NSF ACK requested FALSE L1 NSF CSNP requested FALSE NSF L2 Restart state Running NSF p2p Restart retransmissions 0 Maximum L...

Page 759: ...elf command to reload the standby MSFC peer keyword or all modules in the chassis shelf keyword Using Redundancy Related Debug Commands Use the debug redundancy qualifier command to display redundancy related debug information The supported qualifiers are as follows Router debug redundancy config sync HA config sync debug option ehsa Redundancy Facility RF EHSA errors Redundancy Facility RF Errors...

Page 760: ... procedure does not work with SRM and DRM images Note The redundant supervisor engines must be the same type with the same model PFC and MSFC The fast software upgrade allows you to reduce planned downtime for software upgrades or downgrades The fast software upgrade procedure consists of loading a new image onto both the standby MSFC and the active MSFC and then rebooting the standby MSFC The new...

Page 761: ...online Note When upgrading to SSO from SRM or DRM you must save your configuration before performing the upgrade DRM configurations generate parse errors when the system reloads the new image After the upgrade DRM configurations need to be reconfigured for use with SSO Cisco IOS software prior to Cisco IOS Release 12 2 18 SXF is either SRM and or DRM capable but does not support upgrading to SSO T...

Page 762: ...ng on the standby MSFC will incorrectly determine that it is the active MSFC and will try to boot as the active MSFC When the inventory message is received from the supervisor engine indicating it should be the standby MSFC it will report an MSFC role mismatch error and reload itself This problem can happen whenever an SRM DRM or boothelper image is running on the active MSFC and you try to load a...

Page 763: ...cation This chapter consists of these sections Understanding How the Switch Boot Configuration Works page 25 1 Default Switch Boot Configuration page 25 5 Setting the Configuration Register page 25 5 Setting the BOOT Environment Variable page 25 10 Setting the CONFIG_FILE Environment Variable page 25 11 Displaying the Switch Boot Configuration page 25 12 Understanding How the Switch Boot Configura...

Page 764: ...m image from flash memory from a network server file or from bootflash You can enter ROM monitor mode by restarting the switch and then pressing the Break key during the first 60 seconds of startup If you are connected through a terminal server you can escape to the Telnet prompt and enter the send break command to enter ROM monitor mode Note The Break key is always enabled for 60 seconds after re...

Page 765: ... 7 0x0080 Enables OEM bit not used Bit 8 0x0100 Disables break Bit 9 0x0200 Uses secondary bootstrap not used by the ROM monitor Bit 10 0x0400 Provides IP broadcast with all zeros not used Bits 11 12 0x0800 0x1000 Provide console line speed 0 0 9600 0 1 1200 1 0 4800 1 1 2400 default is 9600 Bit 13 0x2000 Boots default flash software if network boot fails not used Bit 14 0x4000 IP broadcasts do no...

Page 766: ...guration files Overwrite is the default setting Append Append means that the configuration files will be executed without first clearing NVRAM For information on specifying overwriting or appending see the Setting CONFIG_FILE Overwrite section on page 25 8 Sync enable Enables synchronization to force the configuration files to synchronize automatically to the standby supervisor engine The file s a...

Page 767: ...e Port Baud Rate page 25 6 Setting CONFIG_FILE Recurrence page 25 7 Setting CONFIG_FILE Overwrite page 25 8 Setting CONFIG_FILE Synchronization page 25 8 Setting the Switch to Ignore the NVRAM Configuration page 25 9 Setting the Configuration Register Value page 25 10 Table 25 1 Default Switch Boot Configuration Feature Default Configuration Configuration register value 0x10f Boot method System bo...

Page 768: ...configuration register boot field perform this task in privileged mode This example shows how to set the boot field in the configuration register Console enable set boot config register boot rommon Configuration register is 0x0 ignore config disabled auto config non recurring console baud 9600 boot the ROM monitor Console enable Setting the ROM Monitor Console Port Baud Rate You can set the consol...

Page 769: ...re recurring or nonrecurring The remaining configuration register bits are unaltered Caution With the CONFIG_FILE environment variable set to recurring the current configuration in NVRAM is erased each time that the switch is restarted and the switch is configured using the specified configuration files With the CONFIG_FILE environment variable set to non recurring the current configuration in NVR...

Page 770: ...age specified by the boot system commands Console enable This example shows how to specify that the auto config file is appended to what is currently in NVRAM Console enable set boot config register auto config append Configuration register is 0x12F ignore config disabled auto config recurring append sync disabled console baud 9600 boot image specified by the boot system commands Console enable Se...

Page 771: ...ed by the boot system commands Console enable This example shows how to disable synchronization Console enable set boot config register auto config sync disable Configuration register is 0x12F ignore config disabled auto config recurring append sync disabled console baud 9600 boot image specified by the boot system commands Console enable Setting the Switch to Ignore the NVRAM Configuration You ca...

Page 772: ...g register 0x90f Configuration register is 0x90f ignore config disabled auto config non recurring console baud 4800 boot image specified by the boot system commands Console enable Setting the BOOT Environment Variable Note The BOOT environment variable settings are not copied automatically to a redundant supervisor engine if present You must set the BOOT variable separately for each supervisor eng...

Page 773: ...ash bootflash cat6000 sup 5 1 1 bin BOOT variable bootflash cat6000 sup 5 2 1 bin 1 bootflash cat6000 sup 4 5 2 bin 1 Console enable This example shows how to clear the entire BOOT environment variable Console enable clear boot system all BOOT variable Console enable Setting the CONFIG_FILE Environment Variable These sections describe how to modify the CONFIG_FILE environment variable Setting the ...

Page 774: ...Environment Variable Settings To clear the entries from the CONFIG_FILE environment variable perform this task in privileged mode This example shows how to clear the entries in the CONFIG_FILE environment variable Console enable clear boot auto config CONFIG_FILE variable Console enable Displaying the Switch Boot Configuration To display the current configuration register the BOOT environment vari...

Page 775: ...the current configuration register the BOOT environment variable and the CONFIG_FILE environment variable settings Console enable show boot BOOT variable bootflash cat6000 sup 5 2 1 bin 1 CONFIG_FILE variable bootflash generic cfg bootflash 6509_1_noc cfg Configuration register is 0x12f ignore config disabled auto config recurring console baud 9600 boot image specified by the boot system commands ...

Page 776: ...25 14 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 25 Modifying the Switch Boot Configuration Displaying the Switch Boot Configuration ...

Page 777: ... Switch page 26 2 Understanding How the Flash File System Works The flash file system on a Catalyst 6500 series supervisor engine provides a number of useful commands to help you manage the software image and configuration files The flash file system on the supervisor engine consists of the flash devices on which you can store the files Supervisor Engine 1 and Supervisor Engine 2 bootflash Onboard...

Page 778: ... device perform this task This example shows how to change the default flash device to slot0 and verify the default device Console enable cd slot0 Console enable pwd slot0 Console enable Setting the Text File Configuration Mode When you use text file configuration mode the switch stores its configuration as a text file in nonvolatile storage either in NVRAM or flash memory This text file consists ...

Page 779: ...terval keyword to set the time interval between the occurrences of saving the text configuration in NVRAM You can specify the time interval between the occurrences of saving the text configuration in NVRAM even if the system is in binary mode If you do not specify the number of minutes after entering the interval keyword the interval is set to the default of 30 minutes Note In software release 8 4...

Page 780: ...pt to enable auto save when the configuration is not set to text mode and the system is not configured to save the text configuration in NVRAM Console enable set config mode text auto save enable auto save cannot be enabled unless config mode is set to text and config file is stored in nvram Use the set config mode text nvram command to enable automatic saving of the system configuration to nvram ...

Page 781: ... 1 CSX bin 2 135 Jul 17 1998 11 32 53 dns config cfg 3 3231989 Jul 17 1998 16 54 23 cat5000 sup3 4 1 2 bin 4 8589 Jul 17 1998 17 02 52 6000_config cfg 9933504 bytes available 6450496 bytes used Console enable This example shows how to list the deleted files on the default flash device Console enable dir deleted ED type crc seek nlen length date time name 1 D ffffffff 81a027ca 41bdc 22 7004 Apr 01 ...

Page 782: ...CCCCCCCCCCCCCCCC File has been copied successfully Console enable This example shows how to copy a file from a TFTP server to the running configuration Console enable copy tftp config IP address or name of remote host 172 20 52 3 Name of file to copy from dns_config cfg Configure using tftp dns_config cfg y n n y Finished network download 135 bytes set ip dns server 172 16 10 70 primary 172 16 10 ...

Page 783: ... to 6000_config cfg Upload configuration to slot0 6000_config cfg 9942096 bytes available on device slot0 proceed y n n y Configuration has been copied successfully Console enable This example shows how to upload a configuration file on a flash device to a TFTP server Console enable copy slot0 6000_config cfg tftp IP address or name of remote host 172 20 52 3 Name of file to copy to 6000_config cf...

Page 784: ...he first column of the dir command output A file cannot be undeleted if a valid file with the same name already exists Instead you must delete the existing file and then undelete the desired file A file can be deleted and undeleted up to 15 times To restore the deleted files on a flash device perform this task in privileged mode This example shows how to restore a deleted file Console enable dir d...

Page 785: ...use when other sectors fail by default none are reserved If you do not reserve spare sectors and later some sectors fail you will have to reformat the entire flash memory which erases all existing data Note Supervisor Engine 2 and Supervisor Engine 1 do not support the same Flash PC card format To use a Flash PC card with Supervisor Engine 2 format the card with Supervisor Engine 2 To use a Flash ...

Page 786: ...me argument the switch formats the device using the monlib file from device2 If you specify the entire device2 monlib filename argument the switch formats the device using the specified monlib file from the specified device If the switch cannot find a monlib file it terminates the formatting process Note If the flash device has a volume ID you must provide the volume ID to format the device The vo...

Page 787: ...rotocols page 27 5 Upgrading the EPLD Images page 27 2 Downloading the Software Images Using FTP or TFTP page 27 5 Uploading the System Software Images to an FTP or TFTP Server page 27 14 Downloading the System Software Images Using rcp page 27 16 Uploading the System Software Images to an rcp Server page 27 21 Downloading the Crypto Images Using SCP page 27 22 Uploading the Crypto Images to an SC...

Page 788: ...isor Engine 720 The EPLD image for Supervisor Engine 2 and Supervisor Engine 720 is included in the Catalyst supervisor engine software image The EPLD image for the nonsupervisor engine modules is provided in a separate downloadable image Upgrading the Supervisor Engine EPLD Image The supervisor engine EPLD upgrade is performed automatically when you reset or power cycle the switch You can use the...

Page 789: ...on Do not power off or reset the switch or module during the upgrade process Powering off or resetting the switch or module could leave the module in an unusable state Note Before you begin the procedures in this chapter make sure that you have downloaded the new EPLD upgrade image to the supervisor engine flash memory bootflash or slot0 You can upgrade the nonsupervisor engine module EPLD image b...

Page 790: ... on the number of devices updated Please wait for the module to come back online before continuing W A R N I N G This command may reset module 5 Updating fabric modules may significantly affect system performance while the update is occurring Do you wish to update the devices in slot 5 y n n y Updating programmable devices in slot 5 This may take a minute Programming successful updating EPLD revis...

Page 791: ...ds Work You can download the system software images to the switch using the File Transfer Protocol FTP or Trivial File Transfer Protocol TFTP TFTP allows you to download the system image files over the network from a TFTP server FTP allows you to download the system image files over the network from a FTP server Some modules such as the ATM modules have their own onboard flash memory When you down...

Page 792: ...ftware image to multiple modules significantly speeds up the process of updating the software on multiple modules of the same type Note For more information on working with the system software image files on the flash file system see Chapter 26 Working With the Flash File System Specifying the FTP Username and Password FTP allows you to specify a username and password to be used for the FTP connec...

Page 793: ...ntation for your workstation for more information on using the FTP or TFTP daemon Verify that the switch has a route to the FTP or TFTP server The switch and the FTP or TFTP server must be in the same subnetwork if you do not have a router to route the traffic between the subnets Check connectivity to the FTP or TFTP server by entering the ping command Verify that the software image to be download...

Page 794: ...device device and the filename of the downloaded image filename Step 5 Reset the switch by entering the reset system command If you are connected to the switch through Telnet your Telnet session disconnects During startup the flash memory on the supervisor engine is reprogrammed with the new flash code Step 6 When the switch reboots enter the show version command to check the version of the code o...

Page 795: ...the image downloads Step 5 Reset the appropriate modules by entering the reset mod command If you are connected through Telnet your Telnet session disconnects if you reset the module through which your connection was made Step 6 When the upgraded modules come online enter the show version mod command to check the version of the code on the switch Note For examples that show the complete procedures...

Page 796: ...5 2 1 CSX bin 1 Console enable reset system This command will reset the system Do you want to continue y n n y Console enable 07 21 1998 13 51 39 SYS 5 System reset from Console System Bootstrap Version 4 2 Copyright c 1994 1998 by cisco Systems Inc c6k_sup1 processor with 32768 Kbytes of main memory Autoboot executing command boot bootflash cat6000 sup 5 2 1 CSX bin CCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...

Page 797: ...ame of file to copy to cat6000 sup2k8 7 7 1 bin 4369664 bytes available on device bootflash proceed y n n y CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCC File has been copied successfully Console enable set boot system flash bootflash cat6000 sup2k8 7 7 1 bin BOOT variable bootflash cat6000 sup2k8 7 7 1 bin 1 Console enable reset system This c...

Page 798: ...53 14 PAGP 5 Port 1 2 joined bridge port 1 2 07 21 1998 13 53 40 SYS 5 Module 2 is online 07 21 1998 13 53 45 SYS 5 Module 3 is online Console Single Module Image Download Example Note For a procedure on downloading the software images to the intelligent modules see the Downloading the Switching Module Images Using FTP or TFTP section on page 27 8 This example shows a complete TFTP download proced...

Page 799: ... mz 121 14 E1 bin Download image tftp c6atm lc mz 121 14 E1 bin to Module 4 FLASH y n n y This command will reset Download Module s you selected Do you wish to continue download flash y n n y Download done for module 4 please wait for it to come online File has been copied successfully Console enable 04 29 2003 13 13 54 SYS 5 Module 4 is online Console enable show version 4 Mod Port Model Serial V...

Page 800: ...wait for it to come online Download done for module 5 please wait for it to come online File has been copied successfully Console enable 07 21 1998 12 25 10 SYS 5 Module 4 is online 07 21 1998 12 25 10 SYS 5 Module 5 is online Console enable show version 4 Mod Port Model Serial Versions 4 1 WS X6101 003414855 Hw 1 2 Fw 1 3 Sw 3 2 7 Console enable show version 5 Mod Port Model Serial Versions 5 1 W...

Page 801: ... that the switch has a route to the FTP or TFTP server The switch and the FTP or TFTP server must be in the same subnetwork if you do not have a router to route the traffic between the subnets Check the connectivity to the FTP or TFTP server by entering the ping command Note that you might need to create an empty file on the FTP or TFTP server before uploading the image To create an empty file ent...

Page 802: ...s a route to the rcp server The switch and the rcp server must be in the same subnetwork if you do not have a router to route the traffic between the subnets Check the connectivity to the rcp server by entering the ping command If you are accessing the switch through the console or a Telnet session without a valid username make sure that the current rcp username is the one that you want to use for...

Page 803: ...ng the Switching Module Images Using rcp To download a software image to an intelligent module on a Catalyst 6500 series switch perform these steps Step 1 Copy the software image file to the appropriate rcp directory on the workstation Step 2 Log into the switch through the console port or a Telnet session If you log in using Telnet your Telnet session might disconnect when you reset the modules t...

Page 804: ... 20 Multiple Module Image rcp Download Example page 27 20 Supervisor Engine Image rcp Download Example Note For a procedure on downloading a supervisor engine software image from an rcp server see the Downloading the Supervisor Engine Images Using rcp section on page 27 16 This example shows a complete rcp download procedure of a supervisor engine software image to a Catalyst 6500 series switch Co...

Page 805: ...B Saving NVRAM Testing NVRAM Passed Restoring NVRAM Level2 Cache Present Level2 Cache test Passed Leaving power_on_diags Cafe Daughter Present EOBC link up Boot image bootflash cat6000 sup 5 2 1 CSX bin Flash Size 0X1000000 num_flash_sectors 64 readCafe2Version 0x00000001 RIn Local Test Mode Pinnacle Synch Retries 2 Running System Diagnostics from this Supervisor Module 1 This may take up to 2 min...

Page 806: ... Sw 3 2 6 Console enable copy rcp 4 flash IP address or name of remote host 172 20 52 3 Name of file to copy from cat6000 atm 3 2 7 bin Download image rcp cat6000 atm 3 2 7 bin to Module 4 FLASH y n n y This command will reset Download Module s you selected Do you wish to continue download flash y n n y Download done for module 4 please wait for it to come online File has been copied successfully ...

Page 807: ...set Download Module s you selected Do you wish to continue download flash y n n y Download done for module 4 please wait for it to come online Download done for module 5 please wait for it to come online File has been copied successfully Console enable 09 2 1999 12 25 10 SYS 5 Module 4 is online 09 2 1999 12 25 10 SYS 5 Module 5 is online Console enable show version 4 Mod Port Model Serial Version...

Page 808: ...systems you are first prompted for the flash device and source filename If desired you can use the copy file id rcp command on these platforms The software image is uploaded to the rcp server This example shows how to upload the supervisor engine software image to an rcp server Console enable copy flash rcp Flash device bootflash slot0 Name of file to copy from cat6000 sup 5 3 1 bin IP address or ...

Page 809: ...and boot from an uncorrupted system image on a Flash PC card Downloading the Crypto Images Using SCP To download a supervisor engine software image to the switch from an SCP server perform these steps Step 1 Copy the software image file to the appropriate SCP directory on the workstation Step 2 Log into the switch through the console port or through an SSH session If you log in using Telnet your T...

Page 810: ...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCC File has been copied successfully Console enable set boot system flash bootflash cat6000 sup720cvk9 8 3 1 bin prepend BOOT variable bootflash cat6000 sup720cvk9 8 3 1 bin 1 bootflash cat6000 sup720cvk9 8 3 1 bin 1 csx bin 1 Console enable reset system This command will reset the system Do you want to continue y n n y Console enable 11 2...

Page 811: ...le Uploading the Crypto Images to an SCP Server These sections describe how to upload the system software images from a switch to an SCP server Preparing to Upload an Image to an SCP Server page 27 25 Uploading the Crypto Images to an SCP Server page 27 26 Note For more information on working with the system software image files on the flash file system see Chapter 26 Working With the Flash File S...

Page 812: ...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC File has been copied successfully Console enable Downloading the Crypto Images Using SFTP Note The Secure File Transfer Protocol SFTP is available only in crypto images FTP provides a file transfer capability but with FTP passwords and data files are transferred in plain text SFTP provides a secure encrypted channel f...

Page 813: ... command to check the version of the code on the switch Uploading the Crypto Images to an SFTP Server To upload a supervisor engine crypto software image from the switch to an SFTP server perform these steps Step 1 Log into the switch through the console port or a Telnet session Step 2 Upload the software image to the SFTP server with the copy source sftp command When prompted specify the SFTP ser...

Page 814: ... Download Procedures page 27 31 Preparing to Download an Image Using Kermit Before you begin a serial download of a software image using Kermit do the following On a UNIX workstation verify that your shell window is local not an rlogin window to a different workstation Verify that the supervisor engine console port is connected to a serial port on your PC or workstation with a serial cable Verify ...

Page 815: ...privileged mode Step 5 Enter the download serial command The file is downloaded to module 1 by default Step 6 When prompted confirm the download Step 7 Enter the escape sequence Ctrl c by holding down the Ctrl key while you press and then press c Step 8 At the Kermit prompt enter the send filename command to send the file to the switch The switch downloads the image file erases the flash memory on...

Page 816: ... command to connect to the switch If your line and speed are set correctly the switch Console prompt appears Step 4 Enter the enable command to enter privileged mode Step 5 Enter the download serial command The file downloads to module 1 by default Step 6 When prompted confirm the download Step 7 Enter the escape sequence Ctrl c by holding down the Ctrl key while you press and then press c Step 8 ...

Page 817: ...re Image Download Procedures These sections show the example serial download procedures over the supervisor engine console port using Kermit PC Serial Download Procedure Example page 27 31 UNIX Workstation Serial Download Procedure Example page 27 32 PC Serial Download Procedure Example This screen output shows an example of a complete serial download procedure on a PC C copy A copying c6509_xx bi...

Page 818: ...ase in progress Erase done Programming Flash Flash Programming Complete The system needs to be reset to run the new image Cisco Systems Console Enter password Mon Apr 06 1998 14 35 08 Console UNIX Workstation Serial Download Procedure Example This screen output shows an example of a complete serial download procedure on a UNIX workstation workstation cd tmp workstation tar xvfp dev rfd0 c5009_xx b...

Page 819: ...ave a software image on a Flash PC card you can download an image from a local or remote computer such as a PC UNIX workstation or Macintosh through the console port using the Xmodem or Ymodem protocol The Xmodem and Ymodem protocols are used to transfer files and are included in applications such as Windows 3 1 TERMINAL EXE Windows 95 HyperTerminal Windows NT 3 5x TERMINAL EXE Windows NT 4 0 Hype...

Page 820: ...sole port speed must match the speed that is configured on the local computer Note If you are transferring from a local computer you may need to configure the terminal emulation program to ignore the RTS DTR signals Step 3 To download from a remote computer do the following a Connect a modem to the console port and to the telephone network b Note that the modem and console port must communicate at...

Page 821: ...nloaded from Cisco com The image size and checksum are automatically checked when the image is copied but these types of checks do not ensure that the downloaded image has not been corrupted To ensure the integrity of any images that you download use the set image verification command You can set image verification to work when booting after the image has been copied or before a system reset To en...

Page 822: ...27 36 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 27 Working with System Software Images Verifying the Software Images ...

Page 823: ...e Configuration Files on the MSFC page 28 12 Working with the Configuration Files on the Switch These sections describe how to work with the configuration files on the switch Creating and Using Configuration File Guidelines page 28 2 Creating a Configuration File page 28 2 Downloading the Configuration Files to the Switch Using TFTP page 28 3 Uploading the Configuration Files to a TFTP Server page...

Page 824: ...tion will fail If you enter the passwords in the configuration file the switch mistakenly attempts to execute the passwords as commands as it executes the file Certain commands must be followed by a blank line in the configuration file The blank line is necessary without the blank line these commands might disconnect your Telnet session Before disconnecting a session the switch prompts you for con...

Page 825: ...guring the Switch Using a File on a Flash Device page 28 4 Preparing to Download a Configuration File Using TFTP Before you begin downloading a configuration file using TFTP do the following Ensure that the workstation acting as the TFTP server is configured properly On a Sun workstation make sure that the etc inetd conf file contains this line tftp dgram udp wait root usr etc in tftpd in tftpd p ...

Page 826: ...ownloaded from a TFTP server Console enable copy tftp config IP address or name of remote host 172 20 52 3 Name of file to copy from dns config cfg Configure using tftp dns config cfg y n n y Finished network download 134 bytes set ip dns server 172 16 10 70 primary 172 16 10 70 added to DNS server table as primary server set ip dns server 172 16 10 140 172 16 10 140 added to DNS server table as b...

Page 827: ...ollowing Ensure that the workstation acting as the TFTP server is configured properly On a Sun workstation make sure that the etc inetd conf file contains this line tftp dgram udp wait root usr etc in tftpd in tftpd p s tftpboot Make sure that the etc services file contains this line tftp 69 udp Note You must restart the inetd daemon after modifying the etc inetd conf and etc services files To res...

Page 828: ...ied successfully Console enable Copying the Configuration Files Using SCP or rcp This section describes how to copy the files using SCP or rcp rcp Overview page 28 6 SCP Overview page 28 7 rcp Overview Remote copy protocol rcp provides another method of downloading uploading and copying the configuration files between the remote hosts and the switch Unlike TFTP which uses User Datagram Protocol UD...

Page 829: ...to route the traffic between the subnets Check the connectivity to the rcp server using the ping command If you are accessing the switch through the console or a Telnet session without a valid username make sure that the current rcp username is the one that you want to use for the rcp download You can enter the show users command to view the current valid username If you do not want to use the cur...

Page 830: ... 28 8 Uploading a Configuration File to an rcp or SCP Server page 28 8 Preparing to Upload a Configuration File to an rcp or SCP Server Before you attempt to upload a configuration file to an rcp or SCP server do the following Ensure that the workstation acting as the rcp or SCP server is configured properly Ensure that the switch has a route to the rcp or SCP server The system and the server must...

Page 831: ...nsole enable copy scp flash scp IP address or name of remote host 172 20 52 3 Name of file to copy from cat6000 sup720cvk9 8 3 1 bin Username for scp bob Password for User bob CCC File has been copied successfully Clearing the Configuration To clear the configuration on the entire switch perform this task in privileged mode This example shows how to clear the configuration for the entire switch Co...

Page 832: ... configuration files that are stored on the system to determine the differences between the configuration files or to check if changes have been made to the system configuration To compare the configuration files perform this task in privileged mode This example shows how to compare the differences between two different configuration files Console enable show config differences 1 cfg 2 cfg bootfla...

Page 833: ...fault device The configuration checkpoint file is stored as a text file that can be read and edited We strongly advise that you do not edit the file When a checkpoint filename is cleared from the system the associated configuration checkpoint file is deleted You should squeeze the device to reclaim space You can create a maximum of five configuration checkpoint files on a system You can roll back ...

Page 834: ...he default permanent configuration in NVRAM and the running temporary memory in RAM The default configuration always remains available NVRAM retains the information even when the power is shut down The current information is lost if the system power is shut down The current configuration contains all the nondefault configuration information that you added by entering the configure command or the s...

Page 835: ...ame by pressing Return at the prompt or enter a different name before pressing Return To upload the currently running configuration to a remote host perform these steps Step 1 Check if the system prompt displays a pound sign to indicate the privileged level of the EXEC command interpreter Step 2 Enter the ping command to check the connection between the MSFC and the remote host Step 3 Enter the wr...

Page 836: ... The configuration is safely stored in the temporary file on the remote file server If the display indicates that the process failed with the series of as shown in the following example Writing Router confg your configuration was not saved Repeat the preceding steps or select a different remote file server and repeat the preceding steps If you are unable to copy the configuration to a remote host ...

Page 837: ...ep 6 Note that the system prompts you for the configuration filename When uploading the file the default is to use the name of the MSFC with the suffix confg router confg in the following example If you specified a different filename when you uploaded the configuration enter the filename otherwise press Return to accept the default Name of configuration file router confg Step 7 Note that before th...

Page 838: ...s the default configuration on the switch The profile file allows you to load a custom default configuration that enables or disables certain features at bootup or when a new module is installed With the profile files you can eliminate the features or processes that may pose security risks for example disabling CDP or turning off auto trunking on a port to your switch A profile file that has most ...

Page 839: ... a specified module Console enable set system profile disable 2 System profile loading is disabled for module 2 Console enable This example shows a sample lockdown profile file You can use an exact copy of this file if you want to use what would be considered a typical lockdown profile file as your default configuration You can also change the file and use the altered version of the file if the pa...

Page 840: ...disabled set cdp disable ALL_PORTS default STP status is with BPDU guard enabled set spantree portfast bpdu guard ALL_PORTS enable default PAgP LACP status is disabled set port channel ALL_PORTS mode off Default DTP status is disabled no allowed vlans and dot1q all tagged mode on Warning A max of 128 trunks can have non default configuration in CatOS 8 4 Warning Edit port list as needed set trunk ...

Page 841: ...ofing deny ip 99 0 0 0 0 255 255 255 any log set security acl ip Anti spoofing deny ip 100 0 0 0 0 255 255 255 any log set security acl ip Anti spoofing deny ip 101 0 0 0 0 255 255 255 any log set security acl ip Anti spoofing deny ip 102 0 0 0 0 255 255 255 any log set security acl ip Anti spoofing deny ip 103 0 0 0 0 255 255 255 any log set security acl ip Anti spoofing deny ip 104 0 0 0 0 255 2...

Page 842: ...og set security acl ip Anti spoofing deny ip 185 0 0 0 0 255 255 255 any log set security acl ip Anti spoofing deny ip 186 0 0 0 0 255 255 255 any log set security acl ip Anti spoofing deny ip 187 0 0 0 0 255 255 255 any log set security acl ip Anti spoofing deny ip 192 0 2 0 0 0 0 255 any log set security acl ip Anti spoofing deny ip 192 168 0 0 0 0 255 255 any log set security acl ip Anti spoofi...

Page 843: ...ware can save messages in a log file or direct the messages to other devices The system message logging facility has these features Provides you with logging information for monitoring and troubleshooting Allows you to select the types of logging information that is captured Allows you to select the destination of the captured logging information By default the switch logs normal but significant s...

Page 844: ...tem message logs Table 29 1 System Message Log Facility Types Facility Name Definition all All facilities acl ACL facility cdp Cisco Discovery Protocol cops Common Open Policy Server dtp Dynamic Trunking Protocol dvlan Dynamic VLAN earl Enhanced Address Recognition Logic filesys File System gvrp GARP VLAN Registration Protocol ip Internet Protocol kernel Kernel ld ASLB facility mcast Multicast mgm...

Page 845: ...cility Types continued Facility Name Definition Table 29 2 Severity Level Definitions Severity Level Description 0 emergencies System unusable 1 alerts Immediate action required 2 critical Critical condition 3 errors Error conditions 4 warnings Warning conditions 5 notifications Normal bug significant condition 6 informational Informational messages 7 debugging Debugging messages Table 29 3 System...

Page 846: ...GP 5 PORTTOSTP Port 3 2 joined bridge port 3 2 Default System Message Logging Configuration Table 29 4 describes the default system message logging configuration Table 29 4 Default System Message Logging Configuration Configuration Parameter Default Setting System message logging to the console Enabled System message logging to Telnet sessions Enabled Logging buffer size 500 default and maximum se...

Page 847: ...that are based on the default logging facility and severity values If desired you can disable logging to the console or logging to a given Telnet session When you disable or enable logging to the console sessions the enable state is applied to all future console sessions For example if you disable logging to the console disconnect from the console port and later reconnect logging is still disabled...

Page 848: ...he specified severity level the default for the specified facilities If you do not enter the default keyword the specified severity level applies only to the current session To set the system message logging severity level setting for a logging facility perform this task in privileged mode This example shows how to set the logging severity level to 5 for all the facilities for the current session ...

Page 849: ...he Number of syslog Messages You can limit the number of syslog messages that are sent to the history table and the SNMP network management station based on the severity The default severity is set to warnings 4 To limit the number of syslog messages perform this task in privileged mode This example shows how to limit the number of syslog messages to the messages with a severity level of notificat...

Page 850: ...u can set the UNIX systems to receive all the messages from the switch Step 2 Create the log file by entering these commands at the UNIX shell prompt touch var log myfile log chmod 666 var log myfile log Step 3 Make sure that the syslog daemon reads the new changes by entering this command kill HUP cat etc syslog pid Configuring the syslog Servers Note Before you can send the system log messages t...

Page 851: ... from the syslog server table Console enable clear logging server 10 10 10 100 System logging server 10 10 10 100 removed from system logging server table Console enable To disable logging to the syslog server perform this task in privileged mode This example shows how to disable logging to the syslog servers Console enable set logging server disable System logging messages will not be sent to the...

Page 852: ...Logging console enabled Logging server disabled server facility LOCAL7 server severity warnings 4 Current Logging Session enabled Facility Default Severity Current Session Sever acl 5 5 cdp 4 4 cops 3 3 dtp 5 5 dvlan 2 2 earl 2 2 filesys 2 2 gvrp 2 2 ip 2 2 kernel 2 2 ld 3 3 mcast 2 2 mgmt 5 5 mls 5 5 pagp 5 5 protfilt 2 2 pruning 2 2 privatevlan 3 3 qos 3 3 radius 2 2 rsvp 3 3 security 2 2 snmp 2...

Page 853: ...SPANTREE 5 PORTDEL_SUCCESS 3 2 deleted from vlan 1 PAgP_Group_Rx PAGP 5 PORTFROMSTP Port 3 2 left bridge port 3 2 PAGP 5 PORTTOSTP Port 3 1 joined bridge port 3 1 2 PAGP 5 PORTTOSTP Port 3 2 joined bridge port 3 1 2 Console enable Enabling and Disabling the System syslog Dump If the system fails a file containing the system messages in the syslog buffer as displayed when entering the show logging ...

Page 854: ...yslog Dump Flash Device and Filename You can change the flash device and the filename when the syslog dump is enabled or disabled If you only specify the flash device the filename is automatically set to sysloginfo If you do not specify the flash device or the filename the previous filename for the syslog dump is cleared and the default flash device and filename slot0 sysloginfo are used To specif...

Page 855: ...nd If you configure a very fine syslog severity level such as for alerts level 1 and a coarse CallHome severity level such as for notifications level 5 the destination addresses will receive the alerts and the emergencies only levels 0 and 1 The destination addresses do not receive the remaining CallHome severity level notifications levels 2 3 and 4 that you specified To ensure that the destinatio...

Page 856: ...e sent to this address without fragmentation Console enable This example shows how to set the SMTP server with the IP address 172 16 8 19 Console enable set logging callhome smtp server 172 20 8 16 Included 172 20 8 16 in the table of callhome SMTP servers Console enable This example shows how to set the severity to level 3 critical and error messages Console enable set logging callhome severity 3...

Page 857: ... CallHome on your switch perform this task in privileged mode This example shows how to disable CallHome Console enable set logging callhome disable Callhome functionality is disabled Callhome messages will not be sent to the configured destination addresses Console enable To clear an address from the list of addresses that receive CallHome messages perform this task in privileged mode This exampl...

Page 858: ... of CallHome SMTP servers perform this task in privileged mode This example shows how to delete the SMTP server 172 20 8 16 from the list of CallHome servers Console enable clear logging callhome smtp server 172 20 8 16 Removed 172 20 8 16 from the table of callhome SMTP servers Console enable To clear the CallHome severity level perform this task in privileged mode This example shows how to clear...

Page 859: ...DNS on the Switch page 30 2 Understanding How DNS Works DNS is a distributed database with which you can map the host names to the IP addresses through the DNS protocol from a DNS server When you configure DNS on the switch you can substitute the host name for the IP address with all IP commands such as ping telnet upload and download To use DNS you must have a DNS name server on your network You ...

Page 860: ...onsole enable set ip dns server 10 2 2 1 10 2 2 1 added to DNS server table as primary server Console enable set ip dns server 10 2 24 54 primary 10 2 24 54 added to DNS server table as primary server Console enable set ip dns server 10 12 12 24 10 12 12 24 added to DNS server table as backup server Console enable set ip dns domain corp com Default DNS domain name set to corp com Console enable se...

Page 861: ...0 12 12 24 cleared from DNS table Console enable This example shows how to clear all of the DNS servers from the DNS server table Console enable clear ip dns server all All DNS servers cleared Console enable Clearing the DNS Domain Name To clear the default DNS domain name perform this task in privileged mode This example shows how to clear the default DNS domain name Console enable clear ip dns d...

Page 862: ...g DNS on the Switch Disabling DNS To disable DNS perform this task in privileged mode This example shows how to disable DNS on the switch Console enable set ip dns disable DNS is disabled Console enable Task Command Step 1 Disable DNS on the switch set ip dns disable Step 2 Verify the DNS configuration show ip dns noalias ...

Page 863: ...ensure that it does not oversubscribe the available power CDP is a media and protocol independent protocol that runs on all the Cisco manufactured equipment including routers bridges access and communication servers and switches Using CDP you can view information about all the Cisco devices that are directly attached to the switch In addition CDP detects the native VLAN and port duplex mismatches ...

Page 864: ...on page 31 5 Setting the CDP Global Enable and Disable States To set the CDP global enable state perform this task in privileged mode This example shows how to enable CDP globally and verify the configuration Console enable set cdp enable CDP enabled globally Console enable show cdp CDP enabled Message Interval 60 Hold Time 180 Console enable This example shows how to disable CDP globally and veri...

Page 865: ...le enable set cdp enable 3 1 2 CDP enabled on ports 3 1 2 Console enable show cdp port 3 CDP enabled Message Interval 60 Hold Time 180 Port CDP Status 3 1 enabled 3 2 enabled 3 3 disabled 3 4 disabled 3 5 disabled 3 6 disabled 3 7 enabled 3 8 enabled 3 9 enabled 3 10 enabled 3 11 enabled 3 12 enabled Console enable This example shows how to disable CDP on ports 3 1 6 and verify the configuration C...

Page 866: ...sage Interval 100 Hold Time 180 Console enable Setting the CDP Holdtime The CDP holdtime specifies how much time can pass between the CDP messages from the neighboring devices before the device is no longer considered connected and the neighboring entry is aged out To set the default CDP holdtime perform this task in privileged mode This example shows how to set the default CDP holdtime to 225 sec...

Page 867: ...o devices perform this task This example shows how to display the CDP neighbor information for the connected Cisco devices Console enable show cdp neighbors indicates vlan mismatch indicates duplex mismatch Port Device ID Port ID Platform 2 3 JAB023807H1 2948 2 2 WS C2948 3 1 JAB023806JR 4003 2 1 WS C4003 3 2 JAB023806JR 4003 2 2 WS C4003 3 5 JAB023806JR 4003 2 5 WS C4003 3 6 JAB023806JR 4003 2 6 ...

Page 868: ...ce Console enable show cdp neighbors 2 3 detail Port Our Port 2 3 Device ID JAB023807H1 2948 Device Addresses IP Address 172 20 52 36 Holdtime 132 sec Capabilities TRANSPARENT_BRIDGE SWITCH Version WS C2948 Software Version McpSW 5 1 57 NmpSW 5 1 1 Copyright c 1995 1999 by Cisco Systems Inc Platform WS C2948 Port ID Port on Neighbors s Device 2 2 VTP Management Domain Lab_Network Native VLAN 522 D...

Page 869: ... that works with the Layer 1 mechanisms to determine the physical status of a link At Layer 1 autonegotiation takes care of physical signaling and fault detection UDLD performs the tasks that autonegotiation cannot perform such as detecting the identities of neighbors and shutting down the misconnected ports When you enable both autonegotiation and UDLD the Layer 1 and Layer 2 detections work toge...

Page 870: ...age interval UDLD reacts much faster to link failures Note By default UDLD is locally disabled on the copper ports to avoid sending unnecessary control traffic on this type of media since it is often used for the access ports Figure 32 1 shows an example of a unidirectional link condition Each switch can send packets to a neighbor switch but is not able to receive packets from the same switch that...

Page 871: ...how to enable UDLD globally and verify the configuration Console enable set udld enable UDLD enabled globally Console enable show udld UDLD enabled Console enable Enabling UDLD on Individual Ports To enable UDLD on the individual ports perform this task in privileged mode This example shows how to enable UDLD on port 4 1 and verify the configuration Console enable set udld enable 4 1 UDLD enabled ...

Page 872: ...ole enable Specifying the UDLD Message Interval To specify the UDLD message interval perform this task in privileged mode This example shows how to specify the UDLD message interval on the switch Console enable set udld interval 20 UDLD message interval set to 20 seconds Console enable This example shows how to verify the message interval on the switch Console enable show udld UDLD enabled Message...

Page 873: ...e following cases One side of a link has a port stuck both Tx and Rx One side of a link remains up while the other side of the link has gone down In these cases UDLD aggressive mode errdisables one of the ports on the link and stops discarding the traffic Even with aggressive mode disabled there would be no risk for a broadcast storm due to a spanning tree loop because one port is unable to pass t...

Page 874: ...led bidirectional Console enable Table 32 2 describes the fields in the show udld command output Task Command Display the UDLD configuration for a module or port show udld port mod mod port Table 32 2 show udld Command Output Fields Field Description UDLD Status of whether UDLD is enabled or disabled Message Interval Message interval in seconds Port Module and port number s Admin Status Status of ...

Page 875: ...17 Displaying the IP Source Guard Information page 33 18 Note For complete syntax and usage information for the switch commands that are used in this chapter refer to the Catalyst 6500 Series Switch Command Reference and related publications at http www cisco com en US docs switches lan catalyst6500 catos 8 x command reference cmd_ref ht ml Understanding How DHCP Snooping Works DHCP snooping provi...

Page 876: ...a relay agent or DHCP server should be trusted DHCP Snooping Configuration Guidelines This section describes the guidelines for configuring DHCP snooping in your network In software release 8 6 1 and later releases you can enable DHCP snooping on a per port basis If you do a non high availability switchover with DHCP snooping enabled you will lose the contents of the DHCP snooping binding table We...

Page 877: ...figuration Guide Release 8 7 OL 8978 04 Chapter 33 Configuring DHCP Snooping and IP Source Guard Configuring DHCP Snooping on a VLAN Note In software release 8 5 1 and later releases you can enable DHCP snooping on the management VLANs sc0 and sc1 ...

Page 878: ... adding a DHCP snooping access control entry ACE to a new or existing security ACL You must determine where to position DHCP snooping in the ACL depending on your policy for the DHCP packets For example if you want to deny the DHCP packets that come from a certain host and perform DHCP snooping for the other DHCP packets then you must place a deny ACE before the DHCP snooping ACE To enable DHCP sn...

Page 879: ...ndary isolated or community private VLANs PVLANs The DHCP snooping binding table contains binding information about the primary VLAN only and not the secondary VLANs If you enable DHCP snooping on a PVLAN and not on the secondary VLAN the DHCP snooping binding table entries are not added even though the packet is seen on the PVLAN Enabling the DHCP Snooping Host Tracking Information Option If you ...

Page 880: ...ckets that are coming from the untrusted ports If the match fails the packets are dropped and the counter for the packets that are dropped on the untrusted ports is incremented This feature is enabled by default To configure the MAC address matching option for DHCP snooping perform this task in privileged mode This example shows how to configure the DHCP snooping MAC address matching option Consol...

Page 881: ...lly committed Console enable set security acl map dhcpsnoop 10 Mapping in progress ACL dhcpsnoop successfully mapped to VLAN 10 Console enable set port dhcp snooping 1 2 trust enable Port s 1 2 state set to trusted for DHCP Snooping Console show dhcp snooping config DHCP Snooping MAC address matching is enabled DHCP Snooping host tracking information option is disabled Remote ID used in informatio...

Page 882: ...ss 192 168 94 241 255 255 255 0 This example shows how to configure the MSFC as a DHCP server service dhcp ip dhcp excluded address 192 168 80 241 ip dhcp pool net810 network 192 168 80 0 255 255 255 0 on int vlan 4094 ip address 192 168 94 247 255 255 255 0 Note The MSFC port is configured by the system as a DHCP snooping trusted port Figure 33 2 shows the typical topology that is used when you c...

Page 883: ...to enable DHCP snooping in port based mode with an external router configuration DHCP snooping ACL is mapped to the host and the DHCP server port Note Both the host and server ports are in port based security ACL mode Console enable set port security acl 1 2 port based Warning Vlan based ACL features will be disabled on ports 1 2 ACL interface is set to port based mode for port s 1 2 Console enabl...

Page 884: ...ndings 1 2 32 0 Console enable show port security acl 5 2 Port Interface Type Interface Type Interface Merge Status config runtime runtime 5 2 port based port based not applicable Config Port ACL name Type 5 2 dhcp IP Runtime Port ACL name Type 5 2 dhcp IP dhcp snooping Port Trust Source Guard Source Guarded IP Addresses 5 2 trusted disabled Port Binding Limit No of Existing Bindings 5 2 32 0 Ente...

Page 885: ...t 48 Port 5 9 DHCP Snooping binding limit set to 48 Console enable This example shows how to display the DHCP snooping binding limit on port 5 9 Console enable show port dhcp snooping 5 9 Port Trust Source Guard Source Guarded IP Addresses 5 9 untrusted disabled Port Binding Limit 5 9 48 Console enable This example shows how to display DHCP snooping static bindings Console enable show dhcp snoopin...

Page 886: ...sing the commands in this section Displaying the Binding Table The DHCP snooping binding table for each switch contains the binding entries that correspond to the untrusted ports The table does not contain information about the hosts that are interconnected with a trusted port because each interconnected switch has its own binding table To display DHCP snooping binding table information perform th...

Page 887: ...ay the DHCP snooping statistics for a switch perform this task in privileged mode This example shows how to display the DHCP snooping statistics for a switch Console show dhcp snooping statistics Packets forwarded 125 Packets dropped 3 Packets dropped from untrusted ports 0 Number of bindings entries 5 Console To display the DHCP snooping port configuration for a switch perform this task in privil...

Page 888: ...ntrusted disabled 5 7 untrusted disabled 5 8 untrusted disabled 5 9 untrusted disabled 5 10 untrusted disabled 5 11 untrusted disabled 5 12 untrusted disabled 5 13 untrusted disabled 5 14 untrusted disabled 5 15 untrusted disabled 5 16 untrusted disabled 5 17 untrusted disabled 5 18 untrusted disabled 5 19 untrusted disabled 5 20 untrusted disabled 5 21 untrusted disabled 5 22 untrusted disabled 5...

Page 889: ...toring the bindings By default the flash device is bootflash and the default filename is dhcp snooping bindings database If you have not configured a filename the bindings are automatically saved with the default filename on the flash device To enable the auto save option for DHCP snooping binding entries and specify the interval to periodically save the bindings perform this task in privileged mo...

Page 890: ...ess Note If you enable IP source guard on a trunk port with a large number of VLANs that have DHCP snooping enabled you might run out of the ACL hardware resources and some clients that are connected to the ports may not be able to send the traffic We do not recommend using this configuration because you are limited to ten IP addresses per port Note In software releases prior to software release 8...

Page 891: ... Console enable set port security acl 3 1 port based Warning Vlan based ACL features will be disabled on ports 3 1 ACL interface is set to port based mode for port s 3 1 Console enable set port dhcp snooping 3 1 source guard enable IP Source Guard enabled on port s 3 1 Console enable set port dhcp snooping 1 2 trust enable Port s 1 2 state set to trusted for DHCP Snooping Console enable set securi...

Page 892: ...guard for all ports on a switch using the show port dhcp snooping command To display information about IP source guard on a module perform this task in normal mode This example shows how to display the configuration for IP source guard on a port Console enable show port dhcp snooping 3 25 Port Trust Source Guard Source Guarded IP Addresses 3 25 untrusted enabled 192 168 80 6 192 168 80 5 192 168 8...

Page 893: ... is the same as Greenwich Mean Time An NTP network usually gets its time from an authoritative time source such as a radio clock or an atomic clock that is attached to a time server NTP distributes this time across the network NTP is extremely efficient no more than one packet per minute is necessary to synchronize two machines to within a millisecond of one another NTP uses a stratum to describe ...

Page 894: ... is isolated from the Internet Cisco s NTP implementation allows a machine to be configured so that it acts as though it is synchronized using NTP when in fact it has determined the time using other means Other machines then synchronize to that machine using NTP A number of manufacturers include NTP software for their host systems and a publicly available version for systems running UNIX and its v...

Page 895: ... switch perform this task in privileged mode This example shows how to enable NTP broadcast client mode on the switch set a broadcast delay of 4000 microseconds and verify the configuration Console enable set ntp broadcastclient enable NTP Broadcast Client mode enabled Console enable set ntp broadcastdelay 4000 NTP Broadcast delay set to 4000 microseconds Console enable show ntp Current time Tue J...

Page 896: ...adcast delay 3000 microseconds Client mode enabled NTP Server 172 16 52 65 Console enable Configuring Authentication in Client Mode Authentication can enhance the security of a system running NTP When you enable authentication the client switch sends the time of day requests to the trusted NTP servers only Authentication is documented in RFC 1305 You can configure up to ten authentication keys per...

Page 897: ...t mode enabled Authentication enabled NTP Server Server Key 172 16 52 65 Key Number Mode Key String Console enable Setting the Time Zone You can specify a time zone for the switch to display the time in that time zone You must enable NTP before you set the time zone If NTP is not enabled this command has no effect If you enable NTP and do not specify a time zone UTC is shown by default To set the ...

Page 898: ...g Summertime is enabled and set to PDT Console enable To enable the daylight saving time adjustment that recurs every year on different days or with a different offset than the U S standards perform this task in privileged mode This example shows how to set the daylight saving time adjustment repeating every year starting on the third Monday of February at noon and ending on the second Saturday of...

Page 899: ...light saving time adjustment perform this task in privileged mode This example shows how to disable the daylight saving time adjustment Console enable set summertime disable Arizona Summertime is disabled and set to Arizona Console enable Clearing the Time Zone To clear the time zone settings and return the time zone to Coordinated Universal Time UTC perform this task in privileged mode This examp...

Page 900: ... how to disable NTP broadcast client mode on the switch Console enable set ntp broadcastclient disable NTP Broadcast Client mode disabled Console enable To disable NTP client mode on the switch perform this task in privileged mode This example shows how to disable NTP client mode on the switch Console enable set ntp client disable NTP Client mode disabled Console enable Task Command Step 1 Specify...

Page 901: ... disrupted by a broadcast storm on one of the ports A LAN broadcast storm occurs when the broadcast or multicast packets flood the LAN creating excessive traffic and degrading the network performance Errors in the protocol stack implementation or in the network configuration can cause a broadcast storm Broadcast suppression uses filtering that measures the broadcast activity on a LAN over a time p...

Page 902: ...broadcast suppression threshold value Because the packets do not arrive at uniform intervals the time interval during which the broadcast activity is measured can affect the behavior of broadcast suppression On the Gigabit Ethernet ports you can use the broadcast suppression to filter the multicast and unicast traffic You can suppress the multicast or unicast traffic separately on a port both requ...

Page 903: ...modules adjust to that level of precision Most thresholds vary between 0 01 percent and 0 05 percent If you specify a finer threshold the threshold percent adjusts as closely as possible Note On these modules a level value of 0 33 percent or less suppresses all traffic WS X6704 10GE WS X6748 SFP WS X6724 SFP WS X6748 GE TX This example shows how to enable bandwidth based broadcast suppression and ...

Page 904: ...eries Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 35 Configuring Broadcast Suppression Configuring Broadcast Suppression on the Switch 3 6 75 25 0 drop packets 3 7 0 drop packets snip Console enable ...

Page 905: ...t 2 1 traffic unlimited Console enable Enabling the errdisable State Note A port is in the errdisable state if it is enabled in NVRAM but is disabled at runtime by any process For example if UniDirectional Link Detection UDLD detects a unidirectional link the port shuts down at runtime However because the NVRAM configuration for the port is enabled you have not disabled the port the port status is...

Page 906: ...suppression command to enable the errdisable timeout feature for broadcast suppression Once a port is put into errdisable state it can be reenabled after a specific timeout interval has expired Enter the set errdisable timeout interval command to specify the timeout interval Enter the set port errdisable timeout command to control on a per port basis whether a port should be enabled after a certai...

Page 907: ...ort VLAN membership Layer 3 protocol filtering is supported only on the nontrunking Ethernet Fast Ethernet and Gigabit Ethernet ports The trunking ports are always members of all protocol groups To avoid compatibility issues with the other networking devices Layer 3 protocol filtering is not performed on the trunk ports Layer 2 protocols such as Spanning Tree Protocol STP and Cisco Discovery Proto...

Page 908: ... IP only if there is a directly connected end station out the port The default port configuration for IPX and Group is auto With Layer 3 protocol filtering enabled the ports are identified on a protocol basis A port can be a member of one or more protocol groups The flood traffic for each protocol group is forwarded out a port only if that port belongs to the appropriate protocol group The packets...

Page 909: ... ports 7 1 4 Console enable set port protocol 7 1 4 ipx off IPX protocol disabled on ports 7 1 4 Console enable set port protocol 7 1 4 group auto Group protocol set to auto mode on ports 7 1 4 Console enable show port protocol 7 1 4 Port Vlan IP IP Hosts IPX IPX Hosts Group Group Hosts 7 1 4 on 1 off 0 auto off 0 7 2 5 on 1 off 0 auto on 1 7 3 2 on 1 off 0 auto off 0 7 4 4 on 1 off 0 auto on 1 Co...

Page 910: ...36 4 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 36 Configuring Layer 3 Protocol Filtering Configuring Layer 3 Protocol Filtering on the Switch ...

Page 911: ...ou enable the IP permit list The outbound Telnet TFTP and other IP based services are unaffected by the IP permit list The Telnet attempts from the unauthorized source IP addresses are denied a connection When the SNMP requests from the unauthorized IP addresses receive no response the request times out If you want to log the unauthorized access attempts to the console or a syslog server you must ...

Page 912: ...he IP permit list the system displays the address after the mask is applied IP Permit List Default Configuration Table 37 1 shows the default IP permit list configuration Configuring the IP Permit List on the Switch These sections describe how to configure the IP permit list Adding IP Addresses to the IP Permit List page 37 2 Enabling the IP Permit List page 37 3 Disabling the IP Permit List page ...

Page 913: ...ist You can enable either the SNMP permit list the Telnet permit list or both lists If you do not specify a permit list both the SNMP and Telnet permit lists are enabled Caution Before enabling the IP permit list make sure that you add the IP address of your workstation or network management system to the permit list especially when configuring through SNMP Failure to do so could result in your co...

Page 914: ...72 20 52 32 255 255 255 224 snmp Denied IP Address Last Accessed Time Type Telnet Count SNMP Count 172 100 101 104 01 20 97 07 45 20 SNMP 14 1430 172 187 206 222 01 21 97 14 23 05 Telnet 7 236 Console enable show snmp RMON Disabled Extended Rmon Extended RMON module is not present Traps Enabled ippermit Port Traps Enabled None Community Access Community String read only public read write private r...

Page 915: ... will disable the Telnet access to the switch but the Telnet process will be still running on the switch To clear an IP permit list entry perform this task in privileged mode This example shows how to clear an IP permit list entry Console enable set ip permit disable all Console enable clear ip permit 172 100 101 102 172 100 101 102 cleared from IP permit list Console enable clear ip permit 172 16...

Page 916: ...37 6 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 37 Configuring the IP Permit List Configuring the IP Permit List on the Switch ...

Page 917: ...1X authentication to restrict the unauthorized devices from connecting to a LAN through the publicly accessible ports see Chapter 40 Configuring 802 1X Authentication Note For information on configuring authentication authorization and accounting AAA to monitor and control access to the command line interface CLI on the Catalyst 6500 series switches see Chapter 39 Configuring the Switch Access Usi...

Page 918: ...cations for the software releases prior to 8 1 1 the logic is the same for software release 8 1 1 and later releases 1025 1 1024 addresses on 1 port and 1 address each on the rest of the ports 513 1 512 each on 2 ports in a system and 1 address each on the rest of the ports 901 1 900 on 1 port 101 1 100 on another port 25 1 24 on the third port and 1 address each on the rest of the ports After you...

Page 919: ...ctive violation mode A trap is sent only if you configure the port to shut down during a security violation Restricting the Traffic Based on the Host MAC Address You can filter the traffic that is based on a host MAC address so that the packets that are tagged with a specific source MAC address are discarded When you specify a MAC address filter with the set cam filter command the incoming traffic...

Page 920: ...ty Aging Type page 38 8 Clearing the MAC Addresses page 38 8 Configuring Unicast Flood Blocking on the Secure Ports page 38 9 Specifying the Security Violation Action page 38 10 Setting the Shutdown Timeout page 38 11 Disabling Port Security page 38 11 Restricting the Traffic Based on a Host MAC Address page 38 12 Displaying Port Security page 38 12 Enabling Port Security When you enable port secu...

Page 921: ... enabled with 00 90 2b 03 34 08 as the secure mac address Trunking disabled for Port 2 1 due to Security Mode Console enable This example shows how to set port security on a trunk port Console enable set port security 2 2 00 90 2b 03 34 09 1 20 30 Mac address 00 90 2b 03 34 09 set for port 2 2 on vlan 1 20 20 Console enable Setting the Maximum Number of Secure MAC Addresses You can set the number ...

Page 922: ...ys the cleared MAC addresses Console enable set port security 7 7 maximum 18 Maximum number of secure addresses set to 18 for port 7 7 00 11 22 33 44 55 cleared from secure address list for port 7 7 00 11 22 33 44 66 cleared from secure address list for port 7 7 Console enable Automatically Configuring Dynamically Learned MAC Addresses The automatic configuration of dynamically learned MAC address...

Page 923: ...ports 2 Total secure ports 0 Total MAC addresses 2 Total global address space used out of 4096 0 Status installed Total secure ports in the system 0 Total secure MAC addresses in the system 74 Total global MAC address resource used in the system out of 4096 0 Console enable Setting the Port Security Age Time The age time on a port specifies how long all addresses on that port will be secured This ...

Page 924: ...e_time of inactivity from the corresponding host has been exceeded To set the port security aging type for the dynamically learned addresses on a per port basis perform this task in privileged mode This example shows how to set the different port security aging types on port 5 1 Console enable set port security 5 1 timer type absolute Port 5 1 security timer type absolute Console enable set port s...

Page 925: ...om VLAN 1 on trunk port 2 2 Console enable clear port security 2 2 00 90 2b 03 34 09 1 Secure MAC address 00 90 2b 03 34 09 cleared for port 2 2 and Vlan 1 Console enable Configuring Unicast Flood Blocking on the Secure Ports To configure unicast flood blocking on a secure port you must disable the unicast flood feature Note The port disables the unicast flooding once the MAC address limit is reac...

Page 926: ...ity Violation Action You can set the port for the following two modes to handle a security violation Shutdown Shuts down the port permanently or for a specified time Permanent shutdown is the default mode Restrictive Drops all packets from the insecure hosts but remains enabled To specify the security violation action to be taken perform this task in privileged mode This example shows how to speci...

Page 927: ...on port 7 7 Console enable set port security 7 7 shutdown 600 Secure address shutdown time set to 600 minutes for port 7 7 Console enable Disabling Port Security To disable port security perform this task in privileged mode This example shows how to disable port security Console enable set port security 2 1 disable Port 2 1 port security disabled Console enable Console enable show port security 2 ...

Page 928: ...stination Ports or VCs Protocol Type 3 04 04 05 06 07 08 FILTER Displaying Port Security The show port security command displays the following information List of secure MAC addresses for a port Maximum number of secure addresses that are allowed on a port Total number of secure MAC addresses Age Age left and shutdown timeout left Shutdown security mode Statistics that are related to port security...

Page 929: ...1 22 33 44 55 4 00 11 22 33 44 55 No 00 10 14 da 77 f1 100 Port Flooding on Address Limit 4 1 Enabled Console enable show port security statistics 4 1 Port Total Addrs Maximum Addrs 4 1 4 10 Console enable This example shows how to display the port security statistics on a module Console enable show port security statistics 7 Port Total Addrs Maximum Addrs 7 1 0 1 7 2 0 1 7 3 0 1 7 4 0 1 7 5 0 1 7...

Page 930: ...e ports in the system 0 Total secure MAC addresses in the system 74 Total global MAC address resource used in the system out of 4096 0 Console enable Configuring MAC Address Monitoring These sections describe how to configure MAC address monitoring Configuring Global MAC Address Monitoring page 38 14 Monitoring the MAC Addresses in the CAM Table page 38 15 Specifying the Polling Interval for Monit...

Page 931: ...hows how to monitor the MAC addresses that are learned on a specific port and stored in the CAM table Console enable set cam monitor enable 3 1 Successfully enabled cam monitor on 3 1 Console enable This example shows how to disable monitoring of the MAC addresses that are learned on a specific port Console enable set cam monitor disable 3 1 Successfully disabled cam monitor on 3 1 Console enable ...

Page 932: ...reshold for MAC address monitoring perform this task in privileged mode This example shows how to specify the low threshold for a port and the action to be taken when this threshold is exceeded Console enable set cam monitor low threshold 500 action warning 3 1 Successfully configured cam monitor on 3 1 Console enable Task Command Specify the polling interval in seconds for monitoring the CAM tabl...

Page 933: ...monitor high threshold 3 1 Successfully cleared high threshold on 3 1 Task Command Specify the upper threshold or MAC address monitoring and the action to be taken when the system exceeds this threshold The valid range for the high threshold is 5 32000 Note If you specify the no learn keyword and the configuration is a port VLAN combination the violation action stops learning the MAC addresses on ...

Page 934: ...tor Console enable show cam monitor all Cam monitor global configuration status enabled interval 5 seconds violation occured Port Status Low Low High High No of Threshold Action Threshold Action mac addrs 3 1 enabled 500 warning 32000 warning 0 4 2 enabled 500 warning 32000 warning 0 Total port entries 2 Console enable Displaying the Global Configuration for the CAM Monitor To display the global C...

Page 935: ... to a LAN through publicly accessible ports see Chapter 40 Configuring 802 1X Authentication Note For information on configuring MAC address authentication bypass see Chapter 41 Configuring MAC Authentication Bypass Note For information on configuring ports to allow or restrict traffic based on host MAC addresses see Chapter 38 Configuring Port Security Note For information on configuring network ...

Page 936: ...methods for the console and Telnet connections For example you might use local authentication for the console connections and RADIUS authentication for the Telnet connections Understanding How Login Authentication Works Login authentication increases the security of the system by keeping the unauthorized users from guessing the password The user is limited to a specific number of attempts to succe...

Page 937: ...entication uses local user accounts and passwords that you create to validate the login attempts of local users Each switch can have a maximum of 25 local user accounts Before you can enable local user authentication you must define at least one local user account You set up local user accounts by creating a unique username and password combination for each local user Each username must be fewer t...

Page 938: ...unctions These services while all part of TACACS are independent of one another so a given TACACS configuration can use any or all of the three services When the TACACS server receives the packet it does the following Authenticates the user information and notifies the client that authentication has either passed or failed Notifies the client that authentication will continue and that the client m...

Page 939: ...DP ports of the RADIUS servers Specify the RADIUS key that is used to encrypt the RADIUS packets Specify the RADIUS server timeout interval Specify the RADIUS retransmit count Specify the RADIUS server dead time interval RADIUS authentication is disabled by default You can enable RADIUS authentication and other authentication methods at the same time You can specify which method to use first using...

Page 940: ...eros principal is who you are or what a service is according to the Kerberos server Also known as a Kerberos identity Kerberos realm A domain consisting of users hosts and network services that are registered to a Kerberos server The Kerberos server is trusted to verify the identity of a user or network service to another user or network service Kerberos realms must always be in uppercase characte...

Page 941: ...rvice credential request and sends it to the KDC This request contains your user identity and a message saying that it wants to access the switch through Telnet This request is encrypted using the TGT 4 When the KDC successfully decrypts the service credential request with the TGT that it issued to the client it builds a service to the switch The service credential has the client s identity and th...

Page 942: ...talyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 39 Configuring the Switch Access Using AAA Understanding How Authentication Works Figure 39 1 Kerberized Telnet Connection ...

Page 943: ... to the switch 3 The KDC sends an encrypted TGT to the switch which contains your identity KDC s identity and TGT s expiration time 4 The switch tries to decrypt the TGT with the password that you entered If the decryption is successful you are authenticated to the switch 5 If you want to access the other network services the KDC must be contacted directly for authentication To obtain the TGT you ...

Page 944: ...isabled TACACS enable authentication console and Telnet Disabled TACACS key None specified TACACS login attempts 3 TACACS server timeout 5 seconds TACACS directed request Disabled RADIUS login authentication console and Telnet Disabled RADIUS enable authentication console and Telnet Disabled RADIUS server IP address None specified RADIUS server UDP auth port Port 1812 RADIUS key None specified RAD...

Page 945: ... TACACS is also used as an authentication mechanism Before you can enable local user authentication you must define at least one username Local user accounts and passwords must be fewer than 65 characters and can consist of any alphanumeric characters Local user accounts must contain at least one alphabetic character Configuring Login Authentication These sections describe how to configure login a...

Page 946: ...bled primary enabled primary attempt limit 3 3 lockout timeout sec disabled disabled Console enable Setting Authentication Login Attempts for the Privileged Mode To set up login authentication for privileged mode perform this task in privileged mode This example shows how to limit enable mode login attempts to 5 set the enable mode lockout time for both console and Telnet connections to 50 seconds...

Page 947: ...ge 39 13 Setting the Login Password page 39 14 Setting the Enable Password page 39 15 Disabling Local Authentication page 39 15 Recovering a Lost Password page 39 16 Enabling Local Authentication Note Local login and enable authentication are enabled for both console and Telnet connections by default You do not need to perform this task unless you want to modify the default configuration or you ha...

Page 948: ...n tacacs disabled disabled radius disabled disabled kerberos disabled disabled local enabled primary enabled primary Console enable Setting the Login Password The login password controls access to the user mode CLI The passwords are case sensitive contain up to 19 characters and use any printable character including a space Note The passwords that were set in releases prior to software release 5 4...

Page 949: ...thentication is configured and operating correctly before disabling local login or enable authentication If you disable local authentication and RADIUS or TACACS is not configured correctly or if the RADIUS or TACACS server is not online you may be unable to log in to the switch To disable local authentication on the switch perform this task in privileged mode Task Command Set the password for pri...

Page 950: ...sabled radius enabled primary enabled primary kerberos disabled disabled local disabled disabled Console enable Recovering a Lost Password Use the following procedure to recover a lost local authentication password You must complete Steps 3 through 7 within 30 seconds of a power cycle or the recovery will fail If you lost both the login and enable passwords repeat the process for each password To ...

Page 951: ... verify the configuration Console enable set localuser user picard password captain privilege 15 Added local user picard Console enable show localusers Local User Authentication disabled Username Privilege Level picard 15 Console enable Enabling Local User Authentication To enable local user authentication on the switch perform this task in privileged mode This example shows how to create a local ...

Page 952: ...ws how to disable local user authentication for the switch and how to verify the configuration Console enable set localuser authentication disable local user authentication set to disable Console enable show authentication Login Authentication Console Session Telnet Session Http Session tacacs disabled disabled disabled radius disabled disabled disabled kerberos disabled disabled disabled local en...

Page 953: ...o configure TACACS authentication on the switch Specifying TACACS Servers page 39 19 Enabling TACACS Authentication page 39 20 Specifying the TACACS Key page 39 21 Specifying the TACACS Timeout Interval page 39 22 Specifying the TACACS Login Attempts page 39 22 Enabling TACACS Directed Request page 39 23 Disabling TACACS Directed Request page 39 23 Clearing TACACS Servers page 39 24 Clearing the T...

Page 954: ...le Authentication Console Session Telnet Session tacacs disabled disabled radius disabled disabled local enabled primary enabled primary Tacacs key Tacacs login attempts 3 Tacacs timeout 5 seconds Tacacs direct request disabled Tacacs Server Status 172 20 52 3 172 20 52 2 primary 172 20 52 10 Console enable Enabling TACACS Authentication Note Specify at least one TACACS server before enabling TACA...

Page 955: ...Session Telnet Session tacacs enabled primary enabled primary radius disabled disabled local enabled enabled Console enable Specifying the TACACS Key Note If you configure a TACACS key on the client make sure that you configure an identical key on the TACACS server To specify a TACACS key perform this task in privileged mode Task Command Step 1 Enable TACACS authentication for normal login mode En...

Page 956: ... specify a TACACS timeout interval perform this task in privileged mode This example shows how to specify the server timeout interval and verify the configuration Console enable set tacacs timeout 30 Tacacs timeout set to 30 seconds Console enable show tacacs Tacacs key Secret_TACACS_key Tacacs login attempts 3 Tacacs timeout 30 seconds Tacacs direct request disabled Tacacs Server Status 172 20 52...

Page 957: ...ation will fail if the server that the switch contacts does not have an account for the user that is attempting to log in To enable TACACS directed request perform this task in privileged mode This example shows how to enable TACACS directed request and verify the configuration Console enable set tacacs directedrequest enable Tacacs direct request has been enabled Console enable show tacacs Tacacs...

Page 958: ...52 3 cleared from TACACS table Console enable This example shows how to clear all TACACS servers from the configuration Console enable clear tacacs server all All TACACS servers cleared Console enable Clearing the TACACS Key To clear the TACACS key perform this task in privileged mode This example shows how to clear the TACACS key Console enable clear tacacs key TACACS server key cleared Console e...

Page 959: ...nabled primary enabled primary Enable Authentication Console Session Telnet Session tacacs disabled disabled radius disabled disabled local enabled primary enabled primary Console enable Configuring RADIUS Authentication These sections describe how to configure RADIUS authentication on the switch Specifying RADIUS Servers page 39 26 Specifying the RADIUS Key page 39 26 Enabling RADIUS Authenticati...

Page 960: ...tion Console Session Telnet Session tacacs disabled disabled radius disabled disabled local enabled primary enabled primary Radius Deadtime 0 minutes Radius Key Radius Retransmit 2 Radius Timeout 5 seconds Radius Server Status Auth port 172 20 52 3 primary 1812 Console enable Specifying the RADIUS Key Note If you specify a RADIUS key on the client make sure that you specify an identical key on the...

Page 961: ...nabled enabled Radius Deadtime 0 minutes Radius Key Secret_RADIUS_key Radius Retransmit 2 Radius Timeout 5 seconds Radius Server Status Auth port 172 20 52 3 primary 1812 Console enable Enabling RADIUS Authentication Note Specify at least one RADIUS server before enabling RADIUS authentication on the switch For information on specifying a RADIUS server see the Specifying RADIUS Servers section on ...

Page 962: ...ation Console enable set authentication login radius enable radius login authentication set to enable for console and telnet session Console enable set authentication enable radius enable radius enable authentication set to enable for console and telnet session Console enable show authentication Login Authentication Console Session Telnet Session tacacs disabled disabled radius enabled primary ena...

Page 963: ...mary local enabled enabled Enable Authentication Console Session Telnet Session tacacs disabled disabled radius enabled primary enabled primary local enabled enabled Radius Deadtime 0 minutes Radius Key Secret_RADIUS_key Radius Retransmit 2 Radius Timeout 10 seconds Radius Server Status Auth port 172 20 52 3 primary 1812 Console enable Specifying the RADIUS Retransmit Count You can specify the num...

Page 964: ...to an authentication request the switch marks that server as dead for the length of time that is specified by the dead time Any authentication requests that are received during the dead time interval such as other users attempting to log in to the switch are not sent to a RADIUS server that is marked dead Configuring a dead time speeds up the authentication process by eliminating the timeouts and ...

Page 965: ...is disabled by default Note Software release 7 5 1 supports only the Framed IP address Attribute 8 To specify the optional attributes for the RADIUS server perform this task in privileged mode This example shows how to specify and enable the Framed IP address attribute by number and verify the configuration Console enable set radius attribute 8 include in access req enable Transmission of Framed i...

Page 966: ... To clear the RADIUS key perform this task in privileged mode This example shows how to clear the RADIUS key and verify the configuration Console enable clear radius key Radius key cleared Console enable show radius Login Authentication Console Session Telnet Session tacacs disabled disabled radius disabled disabled local enabled primary enabled primary Enable Authentication Console Session Telnet...

Page 967: ...le set authentication enable radius disable radius enable authentication set to disable for console and telnet session Console enable show authentication Login Authentication Console Session Telnet Session tacacs disabled disabled radius disabled disabled local enabled primary enabled primary Enable Authentication Console Session Telnet Session tacacs disabled disabled radius disabled disabled loc...

Page 968: ...ase Note Kerberos authentication requires that NTP is enabled Additionally we recommend that you enable DNS To configure the Kerberos server perform these steps Step 1 Before you can enter the switch in the Kerberos server s key table you must create the database that the KDC will use In the following example a database called CISCO EDU is created usr local sbin kdb5_util create r CISCO EDU s Step...

Page 969: ...ession tacacs disabled disabled radius disabled disabled kerberos disabled enabled primary local enabled primary enabled kerberos enable This example shows how to enable Kerberos as the login authentication method for the console and verify the configuration kerberos enable set authentication login kerberos enable console kerberos login authentication set to enable for console session kerberos ena...

Page 970: ...Kerberos server entries Realm CISCO COM Server 187 0 2 1 Port 750 Kerberos Domain Realm entries Domain cisco com Realm CISCO COM Kerberos Clients NOT Mandatory Kerberos Credentials Forwarding Enabled Kerberos Pre Authentication Method set to None Kerberos config key Kerberos SRVTAB Entries Srvtab Entry 1 host niners cisco com CISCO COM 0 932423923 1 1 8 01 8 00 50 0 0 0 kerberos enable Specifying ...

Page 971: ...ted Console enable Copying SRVTAB Files To allow the remote users to authenticate to the switch using the Kerberos credentials the switch must share a key with the KDC You must give the switch a copy of the key which is on a file that is stored in the KDC These files are called SRVTAB files on the switch and KEYTAB files on the servers The most secure method to copy the SRVTAB files to the hosts i...

Page 972: ...m CISCO COM Kerberos server entries Realm CISCO COM Server 187 0 2 1 Port 750 Realm CISCO COM Server 187 20 2 1 Port 750 Kerberos Domain Realm entries Domain cisco com Realm CISCO COM Kerberos Clients NOT Mandatory Kerberos Credentials Forwarding Enabled Kerberos Pre Authentication Method set to None Kerberos config key Kerberos SRVTAB Entries Srvtab Entry 1 host niners cisco com CISCO COM 0 93242...

Page 973: ...r that network service For example Telnet prompts for a password To configure the clients to forward the user credentials as they connect to the other hosts in the Kerberos realm perform this task in privileged mode This example shows how to configure the clients to forward the user credentials and verify the configuration kerberos enable set kerberos credentials forward Kerberos credentials forwa...

Page 974: ...clients mandatory configuration perform this task in privileged mode This example shows how to clear the clients mandatory configuration and verify the change Console enable clear kerberos clients mandatory Kerberos clients mandatory cleared Console enable show kerberos Kerberos Local Realm not configured Kerberos server entries Kerberos Domain Realm entries Kerberos Clients NOT Mandatory Kerberos...

Page 975: ...m CISCO COM Kerberos Clients Mandatory Kerberos Credentials Forwarding Disabled Kerberos Pre Authentication Method set to Encrypted Unix Time Stamp Kerberos config key abcd Kerberos SRVTAB Entries Srvtab Entry 1 host aspen niners cisco edu CISCO EDU 0 933974942 1 1 8 12151 88 3 11 kerberos enable To clear the DES key perform this task in privileged mode This example shows how to clear the DES key ...

Page 976: ...ealm CISCO COM Kerberos server entries Realm CISCO COM Server 187 0 2 1 Port 750 Realm CISCO COM Server 187 20 2 1 Port 750 Kerberos Domain Realm entries Domain cisco com Realm CISCO COM Kerberos Clients NOT Mandatory Kerberos Credentials Forwarding Enabled Kerberos Pre Authentication Method set to None Kerberos config key Kerberos SRVTAB Entries Srvtab Entry 1 host niners cisco com CISCO COM 0 93...

Page 977: ...tempts to connect to the switch the user is challenged for a TACACS username and password However only local authentication is enabled for both the login and enable access on the console port Any user with access to the directly connected terminal can access the switch using the login and enable passwords Figure 39 3 TACACS Example Network Topology This example shows how to configure the switch so...

Page 978: ...l disable telnet local enable authentication set to disable for telnet session Console enable show tacacs Tacacs key tintin_et_milou Tacacs login attempts 3 Tacacs timeout 5 seconds Tacacs direct request disabled Tacacs Server Status 172 20 52 10 primary Console enable Understanding How Authorization Works These sections describe how authorization works Authorization Overview page 39 44 Authorizat...

Page 979: ...ivileged login When authorization is enabled for enable mode the user must supply a valid username and password pair to gain access to enable mode Authorization is required only if you have enabled authorization for enable mode TACACS Primary Options and Fallback Options You can specify the primary options and the fallback options that are used in the authorization process The available options an...

Page 980: ...n the authentication protocol that provides authorization information This attribute is part of the user profile When you log in using RADIUS authentication and you do not have Administrative Shell 6 Service Type access the network access server NAS authenticates you and logs you in to the EXEC mode If you have Administrative Shell 6 Service Type access the NAS authenticates you and logs you in to...

Page 981: ...nabling TACACS Authorization page 39 47 Disabling TACACS Authorization page 39 49 Enabling TACACS Authorization To enable TACACS authorization on the switch perform this task in privileged mode Task Command Step 1 Enable authorization for normal mode Enter the console or telnet keyword if you want to enable authorization only for the console port or Telnet connection attempts Enter the both keywor...

Page 982: ...rization is configured with the tacacs option The fallback option is deny Console enable set authorization enable enable tacacs deny both Successfully enabled enable authorization Console This example shows how to enable TACACS command authorization for both console and Telnet connections Authorization is configured with the tacacs option The fallback option is deny Console enable set authorizatio...

Page 983: ...ds disable both Successfully disabled commands authorization Console enable Task Command Step 1 Disable authorization for normal mode Enter the console or telnet keyword if you want to disable authorization only for the console port or Telnet connection attempts Enter the both keyword to disable authorization for both console port and Telnet connection attempts set authorization exec disable conso...

Page 984: ... 50 Disabling RADIUS Authorization page 39 50 Enabling RADIUS Authorization To enable RADIUS authorization and authentication on the switch perform these steps in privileged mode Step 1 Enter the set authentication login radius enable command in privileged mode This command enables both RADIUS authentication and authorization Step 2 Set the Service Type RADIUS attribute 6 for the user to Admistrat...

Page 985: ...Network Topology In this example TACACS authorization is enabled for enable mode access and for the configuration commands to be entered on the switch over the Telnet and console connections Console enable set authorization enable enable tacacs deny both Successfully enabled enable authorization Console enable set authorization commands enable config tacacs deny both Successfully enabled commands ...

Page 986: ... operates in a client server model using TCP for transport The NAS acts as the client and the accounting server acts as the daemon The NAS sends accounting information to the server The server after successfully processing the information sends a response to the NAS acknowledging the request All transactions between the NAS and server are authenticated using a key Once accounting has been enabled ...

Page 987: ...sent to the server at two events Start stop Records are sent at both the start and stop of an action if the action has duration If the NAS fails to send the accounting record at the start of the action it still allows you to proceed with the action Stop only Records are sent only at the termination of the event Commands are assumed to have zero duration so only stop records are generated for comma...

Page 988: ...seconds Radius Server Status Auth port 172 20 52 3 primary 1812 Console enable Updating the Server You can configure the switch to send accounting information to the TACACS server There are two options Newinfo Sends the accounting information to the server only when new accounting information becomes available Periodic Sends the accounting update records at regular intervals This option could be u...

Page 989: ...ection on page 39 19 or the Specifying RADIUS Servers section on page 39 26 for more information on the server setup Configure the RADIUS and TACACS keys to encrypt the protocol packets before enabling accounting See the Specifying the TACACS Key section on page 39 21 or the Specifying the RADIUS Key section on page 39 26 for more information on the key setup Note The amount of DRAM that is alloca...

Page 990: ...s example shows how to suppress accounting of unknown users Console enable set accounting suppress null username enable Accounting will be suppressed for user with no username Console enable This example shows how to update the server periodically Console enable set accounting update periodic 120 Accounting updates will be periodic at 120 minute intervals Console enable Task Command Step 1 Enable ...

Page 991: ... task in privileged mode This example shows how to disable stop only accounting Console enable set accounting connect disable Accounting set to disable for connect events Console enable Console enable set accounting exec disable Accounting set to disable for exec events Console enable Console enable set accounting system disable Accounting set to disable for system events Console enable Console en...

Page 992: ...CACS Suppress for no username disabled Update Frequency new info Accounting information Active Accounted actions on tty0 User null Priv 0 Active Accounted actions on tty288091924 User null Priv 0 Overall Accounting Traffic Starts Stops Active Exec 0 0 0 Connect 0 0 0 Command 0 0 0 System 1 2 0 Console enable Accounting Example Figure 39 5 shows a simple network topology using TACACS When Workstati...

Page 993: ...ting commands enable all stop only tacacs Accounting set to enable for commands all events in stop only mode Console enable set accounting update periodic 120 Accounting updates will be periodic at 120 minute intervals Console enable show accounting Event Method Mode exec tacacs stop only connect tacacs stop only system tacacs stop only commands config all tacacs stop only TACACS Suppress for no u...

Page 994: ...39 60 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 39 Configuring the Switch Access Using AAA Configuring Accounting on the Switch ...

Page 995: ... the MAC addresses that are specified for that port see Chapter 38 Configuring Port Security That chapter also provides information on using port security to filter the traffic that is destined to or received from a specific host that is based on the host MAC address Note For information on configuring authentication authorization and accounting AAA to monitor and control access to the command lin...

Page 996: ...ic through the port to which the device is connected After authentication is successful normal traffic can pass through the port You can restrict the traffic in both directions or you can restrict just the incoming traffic These sections provide the following information Device Roles page 40 2 Authentication Initiation and Message Exchange page 40 3 Ports in Authorized and Unauthorized States page...

Page 997: ...entication server When the switch receives the Extensible Authentication Protocol over LAN EAPOL frames and relays them to the authentication server the Ethernet header is stripped and the remaining EAP frame is reencapsulated in the RADIUS format The EAP frames are not modified or examined during encapsulation and the authentication server must support EAP within the native frame format When the ...

Page 998: ...he port disallows all the ingress and egress traffic except for the 802 1X protocol packets When a host is successfully authenticated the port transitions to the authorized state which allows all traffic for the host to flow normally If a host that does not support 802 1X is connected to an unauthorized 802 1X port the switch requests the host s identity In this situation the host does not respond...

Page 999: ...ed through the port If the authentication fails the port remains in the unauthorized state but authentication can be retried If the switch cannot reach the authentication server it can retransmit the request If no response is received from the server after the specified number of attempts authentication fails and network access is not granted When a host logs off the server sends an EAPOL logoff m...

Page 1000: ... interval Specify the back end authenticator to authentication server retransmission time interval Specify the number of frames that are retransmitted from the back end authenticator to the host Specify the automatic host reauthentication time interval Specify the port shutdown timeout period after a security violation Enable or disable automatic host reauthentication In Flow control only on incom...

Page 1001: ... in a different VLAN it is moved to the RADIUS supplied VLAN If the RADIUS supplied VLAN is not active in the management domain the port is put in an inactive state If the RADIUS supplied VLAN is invalid or there is a problem with the port hardware the port is moved to the 802 1X unauthorized state When you enable the multiple hosts option on an 802 1X port all the hosts are placed in the same RAD...

Page 1002: ...s for transmission on another interface When the supplicant does DHCP discovery following authentication the DHCP Relay Agent on the supervisor engine receives the packet and adds the stored attributes that it received from the RADIUS server to the DHCP discovery packet and submits the discovery broadcast again The mapping of user to IP address can be on a one to one one to many or many to many ba...

Page 1003: ...de Note Contrast the guest VLAN feature with the authentication failure VLAN feature On a traditional 802 1X port the switch does not provide access to the network until the supplicant that is connected to the port is authenticated by verifying its identity information with an authentication server With an authentication failure VLAN you can configure the authentication failure VLAN on a per port ...

Page 1004: ...or multiple MAC addresses each address needs to authenticate through the 802 1X RADIUS server Note When 802 1X authentication and port security are enabled on any 802 1X port the 802 1X authentication takes precedence over the port security on the port The host is authenticated first and is then secured by port security You can enable port security for any 802 1X mode single authentication mode mu...

Page 1005: ...ithout an authentication mechanism a malicious user host can corrupt the ARP tables of the other hosts on the same VLAN in a Layer 2 network or bridge domain For example user Host A the malicious user can send the unsolicited ARP replies or the gratuitous ARP packets to the other hosts on the subnet with the IP address of the default router and the MAC address of Host A With some earlier operating...

Page 1006: ...u cannot configure SPAN destination on an 802 1X port However you can configure an 802 1X port as a SPAN source port You cannot set the auxiliary VLAN to dot1p or untagged and the auxiliary VLAN should not be equal to the native VLAN on the 802 1X enabled port You cannot enable the multiple authentication option on an 802 1X enabled auxiliary VLAN port We recommend that you do not enable the multi...

Page 1007: ...thentication Globally page 40 14 Disabling 802 1X Authentication Globally page 40 14 Enabling 802 1X Authentication for Individual Ports page 40 15 Enabling 802 1X with Inaccessible Authentication Bypass page 40 15 Enabling Multiple 802 1X Authentications page 40 16 Setting and Enabling Automatic Reauthentication of the Host page 40 17 Manually Reauthenticating the Host page 40 18 Enabling Multipl...

Page 1008: ... 802 1X authentication you can configure the individual ports for 802 1X authentication if the port meets the specific requirements that are required by 802 1X To enable 802 1X authentication for the individual ports see the Enabling 802 1X Authentication for Individual Ports section on page 40 15 To enable 802 1X authentication globally perform this task in privileged mode This example shows how ...

Page 1009: ...o unauthorized Port Port Mode Re authentication Shutdown timeout Control Mode admin oper 3 1 SingleAuth disabled disabled Both Both Console enable Note To clear the current state machines for a new authentication enter the set port dot1x mod port initialize command Enabling 802 1X with Inaccessible Authentication Bypass You can enable 802 1X inaccessible authentication bypass on a per port basis T...

Page 1010: ...tdown timeout Control Mode admin oper 5 48 SingleAuth disabled disabled Both Port Posture Token Critical Termination action Session timeout 5 48 YES Console enable Enabling Multiple 802 1X Authentications You can specify multiple authentications so that more than one host can gain access to an 802 1X port Cisco proprietary multiple authentication allows multiple dot1x hosts on a port every host is...

Page 1011: ...Setting and Enabling Automatic Reauthentication of the Host You can specify how often 802 1X authentication reauthenticates the host if you do so before you enable automatic 802 1X host reauthentication If you do not specify a time period before you enable host reauthentication 802 1X defaults to 3600 seconds the valid values are from 1 65535 seconds You can enable automatic 802 1X host reauthenti...

Page 1012: ...on see the Setting and Enabling Automatic Reauthentication of the Host section on page 40 17 To manually reauthenticate a host that is connected to a specific port perform this task in privileged mode This example shows how to manually reauthenticate the host that is connected to port 1 on module 3 Console enable set port dot1x 3 1 re authenticate Port 3 1 re authenticating dot1x re authentication...

Page 1013: ...e the host it remains idle for a set period of time and then tries again The idle time is determined by the quiet period value The default is 60 seconds You may set the value from 0 65535 seconds To set the value for the quiet period perform this task in privileged mode This example shows how to set the quiet period to 45 seconds Console enable set dot1x quiet period 45 dot1x quiet period set to 4...

Page 1014: ...AP request identity frame to 15 seconds Console enable set dot1x tx period 15 dot1x tx period set to 15 seconds Console enable Setting the Back End Authenticator to Host Retransmission Time for the EAP Request Frames The host notifies the back end authenticator that it received the EAP request frame When the back end authenticator does not receive this notification the back end authenticator waits...

Page 1015: ...to Host Frame Retransmission Number The authentication server notifies the back end authenticator each time that it receives a specific number of frames When the back end authenticator does not receive this notification after sending the frames the back end authenticator waits a set period of time and then retransmits the frames You may set the number of frames that the back end authenticator retr...

Page 1016: ...y delay set to 10 milliseconds Console enable Resetting the 802 1X Configuration Parameters to the Default Values You can reset the 802 1X configuration parameters to the default values with a single command which also globally disables 802 1X To reset the 802 1X configuration parameters to the default values perform this task in privileged mode This example shows how to reset the 802 1X configura...

Page 1017: ...nsole enable set security acl ip dhcp_relay permit any dhcp_relay editbuffer modified Use commit command to apply changes console enable This example shows how to commit the ACE to NVRAM Console enable commit security acl dhcp_relay Commit operation in progress ACL dhcp_relay successfully committed This example shows how to map the VLANs that should be applied to dhcp relay acl Console enable set ...

Page 1018: ...hen the set port dot1x mod port port control auto command option is used If you change the set port dot1x mod port port control command option from auto to force authorized or force unauthorized the host is removed from the guest VLAN and added back to the port VLAN To add a port to an 802 1X guest VLAN perform this task in privileged mode This example shows how to add port 3 1 to 802 1X guest VLA...

Page 1019: ...ort in keyword and set the port to auto using the set port dot1x mod port port control auto command the bridge port is moved into the spanning tree forwarding state where all the traffic to the port is redirected to the supervisor engine for processing With the wake on LAN functionality when the connected host is in sleeping mode or a power down state the host does not exchange the traffic with an...

Page 1020: ...ion mode for a port configured as a unidirectional port must be single authentication mode the default port mode Using the CLI to Configure an 802 1X Unidirectional or Bidirectional Port If you specify the in keyword all the incoming traffic is dropped and the outgoing traffic is allowed If you specify the both keyword the default all the receiving traffic and transmitting traffic on the port is d...

Page 1021: ...e IP address per ACE With this new feature you specify a group_name in the ACE such as set security acl ip grpacl permit ip group ip permit group any where the ip permit group is a group and all the users that are part of that group are authenticated After a successful user authentication and after the user s IP address is obtained if the user is part of the group the user s IP address is added to...

Page 1022: ...he authentication success packet and the user can be added to all those groups on the switch If a policy group sent by the RADIUS server is not configured on the switch the policy is either ignored or the port goes into the unauthorized state If the RADIUS server sends a group ID that is not present in any ACL on the switch authentication fails With software release 8 3 1 and later releases you ca...

Page 1023: ...uration Guidelines This section describes the guidelines for configuring 802 1X with QoS ACLs If a QoS policy misconfiguration exists and 802 1X attempts to authenticate a user on an interface the authentication will fail If you misconfigure a QoS policy after 802 1X has properly authenticated the interface authentication will fail when reauthentication is attempted on the interface with that same...

Page 1024: ...ion The AV pairs at the RADIUS server require the following input qos inpacl Dot1xDscp5Policy After supplicant authentication on port 3 1 the QoS run time mapping to port 3 1 occurs The other options for the AV pairs are as follows qos invacl policy name and qos outpacl policy name If the policy name in the AV pairs does not match a policy name in the switch the supplicant is not authenticated Con...

Page 1025: ...icy IP ACL name Type Ports Dot1xDscp5Policy IP QoS ACL mappings on output side ACL name Type Vlans Dot1xDscp5Policy IP Console enable show qos acl map runtime Dot1xDscp5Policy QoS ACL mappings on input side ACL name Type Vlans Dot1xDscp5Policy IP ACL name Type Ports Dot1xDscp5Policy IP 3 1 QoS ACL mappings on output side ACL name Type Vlans Dot1xDscp5Policy IP Console enable Configuring the RADIUS...

Page 1026: ... to send a VLAN group name for a user The VLAN group name can be sent as part of the response to the user The selected VLAN group name is searched among the VLAN group names that you configured using the Catalyst CLI see the Using the CLI to Configure 802 1X User Distribution section on page 40 33 If the VLAN group name is found the corresponding VLANs that are configured under this VLAN group nam...

Page 1027: ...to an existing VLAN group and verify that the VLAN was added Console enable set dot1x vlan group eng dept 30 Vlan 30 is successfully mapped to vlan group eng dept Console enable show dot1x vlan group eng dept Group Name Vlans Mapped eng dept 10 30 Console enable This example shows how to clear a VLAN from a VLAN group Console enable clear dot1x vlan group eng dept 10 Vlan 10 is successfully cleare...

Page 1028: ...es are optional Attribute 1 USERNAME The username that is going to be authenticated Attribute 4 NAS IP The IP address of the switch that initiated the authentication accounting session typically this is the sc0 interface IP address Attribute 40 ACCT STATUS TYPE START STOP INTERIM START is sent when the authentication succeeds and the port is moved to the authorized state STOP is sent when the user...

Page 1029: ...ribute 49 ACCT TERMINATION CAUSE The cause can be due to a user logoff a port going down reauthentication failures and so on CISCO AV PAIRS Cisco Input Octets A 64 byte integer that provides the number of bytes of ingress traffic that is received on the port Cisco Output Octets A 64 byte integer that provides the number of bytes of egress traffic that is forwarded from the port Using the CLI to En...

Page 1030: ...alive command In software release 8 3 through 8 5 the command that you used to enable or disable the RADIUS keepalive feature was the set dot1x radius keepalive command In software release 8 6 and later releases the command to enable or disable the RADIUS keepalive feature is the set radius keepalive command To enable or disable the RADIUS keepalive feature perform this task in privileged mode the...

Page 1031: ...on for a RADIUS Server Configuration When you configure the DNS resolution for a RADIUS server you can configure the RADIUS server using a DNS name in addition to the IP addresses The switch automatically resolves the DNS name using a DNS server that is configured to associate a DNS name with an IP address The configured DNS name can coexist with the other IP addresses that are configured as prima...

Page 1032: ... on page 40 9 Authentication Failure VLAN Configuration Guidelines and Restrictions This section describes the configuration guidelines and restrictions for configuring the authentication failure VLAN After three failed 802 1X authentication attempts by the supplicant the port is moved to the authentication failure VLAN where the supplicant can access the network These three attempts introduce a d...

Page 1033: ...bility is supported with an authentication failure VLAN Creating an Authentication Failure VLAN and Adding 802 1X Ports To create an authentication failure VLAN and add 802 1X ports to the VLAN perform this task in privileged mode This example shows how to create the authentication failure VLAN VLAN 81 and add port 3 33 Console enable set port dot1x 3 33 auth fail vlan 81 Port 3 33 Auth Fail Vlan ...

Page 1034: ...enable set dot1x max req 8 dot1x max req set to 8 Console enable set dot1x server timeout Specifies the time constant for the retransmission of packets by the back end authenticator to the authentication server the valid values are from 1 to 65535 seconds When the authentication server does not notify the back end authenticator that it received specific packets the back end authenticator waits a p...

Page 1035: ...LAN through 802 1X authentication With guest VLANs you might have ports from different customers residing in the same guest VLAN if the supplicant is identified as incapable of 802 1X before becoming 802 1X capable With this behavior the traffic from one customer might be accessible to every other customer To avoid this situation you can select different guest VLANs for each port however this acti...

Page 1036: ...t VLAN or authentication failure VLAN the following checks are automatically made It is verified that the private VLAN is a secondary VLAN It is verified that the secondary VLAN is associated to a valid primary VLAN If any of the checks fail an error message is generated and the port is not placed in the private VLAN Promiscuous ports and the sc0 interface cannot participate in 802 1X When you con...

Page 1037: ...Console enable set vlan 401 pvlan type isolated VTP advertisements transmitting temporarily stopped and will resume after the command finishes Vlan 401 configuration successful Console enable set pvlan 400 401 Host mode set to enable for ports BPDU guard set to enable for ports Trunk mode set to off for ports Successfully set association between 400 and 401 Console enable set vlan 200 pvlan type p...

Page 1038: ...tate 802 1X Port Status 2 2 force authorized authorized Port Broadcast Limit Multicast Unicast Total Drop Action 2 2 0 drop packets Port Send FlowControl Receive FlowControl RxPause TxPause admin oper admin oper 2 2 off off off off 0 0 Port Status Channel Admin Ch Mode Group Id 2 2 connected off 2 0 Port Status ErrDisable Reason Port ErrDisableTimeout Action on Timeout 2 2 connected Enable No Chan...

Page 1039: ... to 401 Console enable set port dot1x 2 2 auth fail vlan 201 Port 2 2 Auth Fail Vlan is set to 201 Console enable Verifying the Config Time 802 1X Private VLAN Settings This example shows how to verify the config time 802 1x private VLAN settings Console enable show port 2 2 Configured MAC Address 802 1X Authenticated Port Name Port Name Status Vlan Duplex Speed Type 2 2 connected 999 a half a 10 ...

Page 1040: ...able show port 2 2 Configured MAC Address 802 1X Authenticated Port Name Port Name Status Vlan Duplex Speed Type 2 2 connected fail 200 201 a half a 10 10 100BaseTX snip Console enable clear port dot1x 2 2 dot1x port statistics cleared successfully for port Console enable show port dot1x 2 2 Port Auth State BEnd State Port Control Port Status 2 2 auth fail idle auto authorized snip Console enable ...

Page 1041: ...dot1x statistics show dot1x show cam static To display the usage options for the show port dot1x command perform this task in normal mode This example shows how to display the usage options for the show port dot1x command Console enable show port dot1x guest vlan Show Port guest vlan information statistics Show statistic information mod Module number mod port Module number and Port number s Output...

Page 1042: ...mitted and received by the authenticator on port 1 on module 3 Console enable show port dot1x statistics 3 1 Port Tx_Req Id Tx_Req Tx_Total Rx_Start Rx_Logoff Rx_Resp Id Rx_Resp 3 1 43 0 43 0 0 0 0 Port Rx_Invalid Rx_Len_Err Rx_Total Last_Rx_Frm_Ver Last_Rx_Frm_Src_Mac 3 1 2 0 2 0 00 00 00 00 00 00 Console enable To display the global 802 1X parameters perform this task in normal mode This example...

Page 1043: ...de This example shows how to display the 802 1X authenticated MAC addresses In this example both 802 1X and port security are enabled Console enable show cam static 8 17 Static Entry Permanent Entry System Entry R Router Entry X Port Security Entry Dot1x Security Entry VLAN Dest MAC Route Des CoS Destination Ports or VCs Protocol Type 12 00 40 ca 13 ae bf 8 17 17 00 30 94 c2 c3 c1 X 8 17 Total Mat...

Page 1044: ...40 50 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 40 Configuring 802 1X Authentication Configuring 802 1X Authentication on the Switch ...

Page 1045: ...pecified for that port see Chapter 38 Configuring Port Security That chapter also provides information on using port security to filter the traffic that is destined to or received from a specific host that is based on the host MAC address Note For information on configuring authentication authorization and accounting AAA to monitor and control access to the command line interface CLI on the Cataly...

Page 1046: ...ne When the supervisor engine sees a new MAC address it installs a content addressable memory CAM entry with a trap bit that is set to protect the supervisor engine from unnecessary flooding from that MAC address The supervisor engine does not redirect further packets until the MAC authentication is finished After a successful authentication the RADIUS server sends a VLAN and the port is moved to ...

Page 1047: ...es on the old VLAN are removed If authentication fails the port moves to the AuthFail State If there is a RADIUS timeout or initialization the port moves to the waiting state again Authenticated In the authenticated state the RADIUS received policy VLAN is configured on the port The port then transitions to the waiting state in case there is an initialization and moves to the authenticating state ...

Page 1048: ... AuthFail state RADIUS timeout This event is received when the RADIUS server is not responding This event which is accepted only when the port is in the authenticating state transitions the port to the waiting state after the maximum number of retries expire and the RADIUS server does not respond AuthFail timeout This event is received when the port is in the AuthFail state because of a RADIUS ser...

Page 1049: ...hentication for the Guest VLAN Works section on page 40 9 Port security When a new MAC address is redirected the MAC authentication bypass function sees the MAC address before port security If the MAC address is successfully authenticated the port security feature is informed of the newly learned MAC address In the inband path the MAC authentication bypass function starts before any port security ...

Page 1050: ...C Authentication Bypass Enabled Port page 41 10 Configuring MAC Authentication Bypass on a PVLAN Port page 41 11 Displaying MAC Authentication Bypass Information page 41 11 Displaying the MAC Authentication Bypass Global Configuration page 41 12 Enabling or Disabling MAC Authentication Bypass Globally The default is disabled To enable or disable MAC authentication bypass globally perform this task...

Page 1051: ... Port To reauthenticate the MAC address for a port perform this task in privileged mode This example shows how to reauthenticate the MAC address for a port Console enable set port mac auth bypass 3 1 reauthenticate Reauthenticating MAC address 00 00 00 00 00 01 on port 3 1 using Mac Auth Bypass Console enable Specifying the Shutdown Timeout Period If there is a security violation on a port the por...

Page 1052: ... shows how to specify the AuthFail timeout period Console enable set mac auth bypass auth fail timeout 60 Authfail Timeout set to 60 seconds Console enable Specifying the Reauthentication Timeout Period The global set mac auth bypass reauth timeout seconds command specifies the time in seconds that elapse before reauthentication is triggered after global reauthentication is enabled The range is fr...

Page 1053: ... causes the security violation is added as a trap entry into the forwarding table The default is shutdown To specify the security violation mode globally perform this task in privileged mode This example shows how to specify restricted for the security violation mode Console enable set mac auth bypass violation restrict Mac Auth Bypass security violation mode set to restrict Console enable Enablin...

Page 1054: ...ed port perform these tasks in enabled mode This example shows how to configure MAC authentication bypass enabled on PVLAN port 3 13 Console enable set mac auth bypass enable Mac Auth Bypass enabled globally Console enable set port mac auth bypass 3 13 enable Mac Auth Bypass successfully enabled on port s 3 13 Console enable show port mac auth bypass 3 13 Port Mac Auth Bypass State MAC Address Aut...

Page 1055: ... port state such as authenticating authenticated and waiting to learn the source MAC address and the port s RADIUS server specified VLAN To display MAC authentication bypass information perform these tasks in normal mode This example shows how to display MAC authentication bypass information for port 5 1 Console enable show port mac auth bypass 5 1 Port Mac Auth Bypass State MAC Address Auth State...

Page 1056: ...action Session Timeout Shutdown Time Left 5 1 3600 5 2 reauthenticate 3600 NO 5 3 reauthenticate 3600 NO 5 4 reauthenticate 3600 NO 5 5 reauthenticate 3600 NO 5 6 reauthenticate 3600 NO 5 7 reauthenticate 3600 NO 5 8 reauthenticate 3600 NO Console enable Displaying the MAC Authentication Bypass Global Configuration The show mac auth bypass config command displays MAC authentication bypass global c...

Page 1057: ... 802 1X enabled ports For more information see Configuring 802 1X with QoS ACLs section on page 40 29 When configuring MAB with QoS ACLs follow these guidelines The QoS ACLs must be predefined and committed on the switch If more than one QoS ACL of the same attribute type invacl outvacl or inpacl is sent to the MAB port only the first ACL for an attribute type is configured The minimum acceptable ...

Page 1058: ... determined using either the Posture Agent PA or using the audit server for agentless hosts if the PA is not installed on the host Several methods in NAC allow network access to hosts that cannot perform authentication because of the lack of posture agent Agentless hosts are such as printers scanners and hosts with unsupported operating systems One method is to use an external audit server with ag...

Page 1059: ... 1 Import the NAC audit vendor trusted root CA to the certificate store on ACS by using the CSUtil tool Step 2 Import an audit device type attribute file for the NAC audit server by using CSUtil Step 3 Import NAC attribute value pairs for the audit vendor by using CSUtil Step 4 Enable posture validation on the ACS Step 5 Configure the external audit server on ACS using the external posture validat...

Page 1060: ...cached and expire after 5 minutes Quarantine When at least one Severity 4 vulnerability is detected Quarantine host audit reports are cached and expire after 10 minutes Check up When at least one Severity 3 vulnerability is detected Check up host audit reports are cached and expire after 1 hour Healthy When no severity 5 4 or 3 vulnerabilities are detected Healthy host audit reports are cached and...

Page 1061: ...C audit with other security features 802 1X When ACS audits a 802 1X authenticated port it checks for the MAB configuration ACS audits the port only if MAB is enabled otherwise it considers the port to be part of a guest VLAN MAB Regardless of how MAB is triggered audit runs unless MAB fails Layer 3 features Not affected by MAB enabled agentless host audit Critical Auth Because there is no RADIUS ...

Page 1062: ...41 18 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 41 Configuring MAC Authentication Bypass Configuring Agentless Hosts for NAC Auditing with MAB ...

Page 1063: ...ication Bypass Note For information on using port security to block input to an Ethernet Fast Ethernet or Gigabit Ethernet port when the MAC address of the station attempting to access the port is different from any of the MAC addresses that are specified for that port see Chapter 38 Configuring Port Security That chapter also provides information on using port security to filter the traffic that ...

Page 1064: ...tems for client identity and credential input With 802 1X port based authentication a supplicant is required to provide access to the LAN and switch services and respond to requests from the switch Note 802 1X uses the term supplicant for client or host In this publication we use host instead of supplicant because host is used in the Catalyst 6500 series CLI syntax Web based proxy authentication s...

Page 1065: ...he RADIUS server and one or more RADIUS clients Authentication Initiation and Message Exchange The host is connected to the switch port that needs to perform web authentication When the host receives an IP address a web browser is opened When an HTTP packet is intercepted the network access device NAD establishes the TCP connection with the host and sends the login page if it is stored locally on ...

Page 1066: ...on Protocol DHCP snooping table If a DHCP snooping entry does not exist web based proxy authentication is not triggered until a DHCP snooping entry is created or an ARP request is received Once the host is detected the HTTP traffic from the host is intercepted and redirected to the supervisor engine This process is called URL redirection To configure URL redirection you must configure an ACL to re...

Page 1067: ...ccess specified by the PBACL only Note We recommend that you enable web based proxy authentication on all ports in the VLAN Supported HTML Pages for Web Based Proxy Authentication This section describes the following HTML pages required to support web based proxy authentication Login Page page 42 5 Success Page page 42 6 Login Fail Page page 42 6 Login Page The login page displays at the client in...

Page 1068: ...web based proxy authentication on a port that has multiple DHCP bindings already created web based proxy authentication is initialized for all IP addresses High Availability Web based proxy authentication supports high availability Only the information from the authenticated hosts is synchronized to the standby supervisor engine All authenticated hosts remain authenticated upon a switchover The no...

Page 1069: ...on retry count exceeds the configured maximum number of retry attempts No HTTP packets are intercepted Port initialize and DHCP binding removal removes the Held state designation Interaction with Other Features Web based proxy authentication interacts with these features as follows DHCP snooping You can enable web based proxy authentication and DHCP snooping on the same port VLAN The default acces...

Page 1070: ...ng DHCP in the guest VLAN Web based proxy authentication occurs after the IP address is received Auth Fail VLAN You can enable web based proxy authentication and the authentication fail VLAN on the same port VLAN Network Admission Control NAC You can enable web based proxy authentication and NAC LAN port IP on the same port VLAN NAC with LAN port IP is independent of web based proxy authentication...

Page 1071: ...cy and configured in the PBACL The HTTP traffic is redirected to the supervisor engine Web based proxy authentication registers this IP with URL redirection when it receives a trigger from DHCP or ARP The URL redirection module on the supervisor engine receives the packet and passes it to web based proxy authentication After successful authentication web based proxy authentication adds the host IP...

Page 1072: ...oxy authentication globally Console enable set web auth enable enabled web auth Console enable This example shows how to disable web based proxy authentication globally Console enable set web auth disable disabled web auth Console enable Enabling or Disabling Web Based Proxy Authentication on a Port You can enable web based proxy authentication for individual ports after you enable web based proxy...

Page 1073: ... do not specify the ip_addr argument web based proxy authentication is initialized for all hosts You must enable web based proxy authentication globally and on the individual port before you can initialize a web based proxy authentication port for authentication again To initialize a web based proxy authentication port for authentication again perform this task in privileged mode This example show...

Page 1074: ...is session is valid After the time has been exceeded the web authenticated session is terminated The RADIUS supplied session timeout takes precedence over the locally configured value To specify the timeout period for the global web based proxy authentication sessions perform this task in privileged mode This example shows how to specify the timeout period for the global web based proxy authentica...

Page 1075: ...unt Console enable Displaying Web Based Proxy Authentication Information This section describes how you can display the following web based proxy authentication information Displaying Summary of Session Information page 42 13 Displaying Per Port Information page 42 14 Displaying Summary of Session Information If you specify the vlan vlan_id keyword and argument a summary of information for the spe...

Page 1076: ... Session Time VLAN 9 9 150 1 1 1 Authenticated 7200 200 100 9 9 150 2 1 2 Authenticating 3600 100 9 9 150 3 1 3 Authentication fai 3600 100 9 9 160 10 1 4 Held 3600 200 9 9 170 15 1 5 Connecting 3600 300 Console enable This example shows how to display a summary of information about the web based proxy authentication session for a specific VLAN Console enable show web auth summary vlan 100 IP Addr...

Page 1077: ...8 300 300 No Port IP Address Policy Groups 3 48 9 6 7 8 Console enable Displaying Statistics To display web based proxy authentication statistics perform this task in enable mode This example shows how to display web based proxy authentication statistics Console enable show web auth statistics Total GET Requests received 0 Total POST Requests received 0 Total responses sent 0 Total web auth hosts ...

Page 1078: ...42 16 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 42 Configuring Web Based Proxy Authentication Configuring Web Based Proxy Authentication ...

Page 1079: ...ication Note For information on configuring MAC Authentication Bypass see Chapter 41 Configuring MAC Authentication Bypass Note For information on configuring Web Based Proxy Authentication see Chapter 42 Configuring Web Based Proxy Authentication Note For information on configuring EoU see Chapter 44 Configuring Network Admission Control This chapter consists of the following sections Understandi...

Page 1080: ...t of aging the hosts are removed from the EARL Configuring IP Device Tracking Globally When enabled the IP device tracking feature sends out a probe to check if the host is still present The probe can be sent out at regular intervals for a specified number of times The default is enabled To enable or disable IP device tracking globally perform this task in privileged mode This example shows how to...

Page 1081: ...to set the IP device tracking probe count Console enable set ip device tracking probe count 5 Device tracking probe count set to 5 Console enable Configuring IP Device Tracking on a Port The following topics describe how to configure IP device tracking on a port Enabling or Disabling IP Device Tracking on a Port with 802 1x Authentication page 43 4 Enabling or Disabling IP Device Tracking on a Por...

Page 1082: ... authenticated idle auto authorized Port Port Mode Re authentication Shutdown timeout Control Mode admin oper 3 13 SingleAuth enabled disabled Both Both Port Posture Token Critical Status Termination action Session timeout 3 13 Healthy no Initialize 3600 Port Session Timeout Override Url Redirect 3 13 disabled Port Critical ReAuth When IP Device Tracking 3 13 disabled 105 enabled Console enable En...

Page 1083: ...action Session Timeout Shutdown Time Left 3 1 initialize 300 NO Port PolicyGroups 3 1 Port Security ACL Sec ACL Type QoS ACL Type 3 1 Port QoS Ingress ACL QoS Egress ACL 3 1 Port Critical Critical Status Ip Device Tracking 3 1 Disabled Enabled Port Session ID 3 1 Port Posture Token URL Redirect 3 1 Enabling or Disabling IP Device Tracking on a Port with Web Based Proxy Authentication To enable or ...

Page 1084: ...n a Port with EoU To enable or disable IP device tracking on a port with EoU perform this task in privileged mode This example shows how to enable IP device tracking on a port with EoU Console enable set port eou 3 1 ip device tracking enable Port 3 1 ip device tracking option is enabled Console enable This example shows how to view the current configuration of IP device tracking on a port with Eo...

Page 1085: ...n using port security to block input to an Ethernet Fast Ethernet or Gigabit Ethernet port when the MAC address of the station attempting to access the port is different from any of the MAC addresses that are specified for that port see Chapter 38 Configuring Port Security That chapter also provides information on using port security to filter the traffic that is destined to or received from a spe...

Page 1086: ...t page 44 4 Cisco Secure ACS page 44 4 Redirection page 44 5 Overview NAC addresses the increased threat and impact of worms and viruses to networked businesses This feature is part of the Cisco Self Defending Network Initiative that helps customers identify prevent and adapt to security threats In its initial phase NAC enables switches and routers to restrict access privileges from an end point t...

Page 1087: ...twork through an upstream Cisco network access device Cisco switch or router the network access device challenges the end point for its antivirus state The end point systems run a client called Cisco Trust Agent which collects antivirus state information from the end device and transports the information to the network access device This information is then communicated to a Cisco Secure ACS where...

Page 1088: ...dit function is for hosts that do not have Cisco CTA enabled The audit can be triggered by the ACS by sending down a policy required for audit when there is a clientless authentication done by the network access device NAD The audit is accomplished by sending down the audit server s URL as the URL redirect policy for the host When HTTP traffic is seen from the host it is given the URL of the audit...

Page 1089: ...ry in the downloadable ACL that permits the access of the end point system to the redirect URL address LAN Port IP Posture Validation Summary LAN port IP allows posture validating end user devices to access the network based on their posture End user devices are classified into one of five possible states after posture validation healthy checkup quarantine infected or unknown Network access is giv...

Page 1090: ...red policy is installed LAN Port IP Hardware and Software Requirements Follow these hardware and software requirements when configuring LAN port IP You must have a Catalyst 6500 series switch running software release 8 5 1 or later releases You must have CTA installed on the end point devices for example on PCs and laptops You must have an ACS for AAA LAN Port IP Configuration Guidelines and Restr...

Page 1091: ...g for posture validation you must also enable ARP inspection If ARP inspection is not enabled the posture validation completes but the session is torn down within a few minutes because the ARP probe replies from the client are not seen by the EOU state machinery Note Supervisor Engine 1 does not support ARP inspection With a Supervisor Engine 1 you must enable DHCP snooping Port security LAN port ...

Page 1092: ...EoU globally enabled Console enable Step 2 Enable LAN port IP on a per port basis by entering the set port eou mod port bypass auto disable initialize revalidate command Console enable set port eou 7 1 auto EoU enabled on 7 1 Console enable Step 3 Define the RADIUS server and RADIUS key by entering the following commands set radius server ip_addr auth port port acct port port primary set radius ke...

Page 1093: ...enting Network Admission Control Phase One Configuration and Deployment publication at this URL http www cisco com application pdf en us guest netsol ns466 c654 cdccont_0900aecd80217e26 pdf Ensure that the policy groups that are used in the ACLs are configured with the posture token VSA such as 26 9 1 sec pg healthy_hosts If you define a policy group in ACS but the VACL that is mapped to the VLAN ...

Page 1094: ...EOU Configuration page 44 16 Displaying a Summary of the LAN Port IP State on All LAN Port IP Enabled Ports page 44 17 Displaying a Summary of the LAN Port IP State on a Per Port Basis page 44 17 Displaying Host Specific Information page 44 18 Displaying EOU Authentication Related Information page 44 18 Displaying the EOU Log page 44 19 Displaying the EOU Results on a Posture Token Basis page 44 1...

Page 1095: ...s not exist entering these commands creates the policy template To statically authorize an IP device and apply an associated policy to the device perform this task in privileged mode This example shows how to statically authorize an IP device and apply an associated policy to the device Console enable set eou authorize ip 172 20 52 19 255 255 255 224 policy poll Mapped IP address 172 20 52 0 IP ma...

Page 1096: ...u for ipAddress 172 20 52 19 Console enable Specifying the CTA Packet Retransmit Time and RADIUS Server Retransmit Time To specify the number of times that a packet is retransmitted to the CTA before declaring the CTA as nonresponsive and to specify the RADIUS server retransmit time perform this task in privileged mode the default is 3 and the range is 1 through 10 Task Command Statically authoriz...

Page 1097: ...all clientless hosts Console enable set eou revalidate authentication clientless Revalidate all clientless hosts Console enable Enabling or Disabling EOU Logging for LAN Port IP Events To enable or disable EOU logging for LAN port IP events perform this task in privileged mode the default is disable This example shows how to enable EOU logging for LAN port IP events Console enable set eou logging ...

Page 1098: ...00 seconds This example shows how to set the revalidation timer to 200 seconds Console enable set eou timeout revalidation 200 Console enable Setting EOU Rate Limiting To set EOU rate limiting the default is 0 and the range is 10 through 200 perform this task in privileged mode Note The default rate limit value of 0 disables rate limiting With rate limiting disabled there is no limit on simultaneo...

Page 1099: ...is task in privileged mode This example shows how to enable an aaa fail policy on a port Console enable set port eou 1 2 aaa fail policy test_policy Policy test_policy mapped as aaa fail policy on port 1 2 Console enable This example shows how to enable LAN port IP on port 5 1 Console enable set port eou 5 1 auto EoU enabled on 5 1 Console enable This example shows how to set port 7 1 to bypass mo...

Page 1100: ...EAP over UDP packets perform this task in privileged mode This example shows how to redirect all LAN port IP control packets to the supervisor engine EAP over UDP packets Console enable set security acl ip test permit eapoudp mask1 before pos1 Successfully configured EAPoUDP ACL test Use commit command to save changes Displaying the Global EOU Configuration To display the global EOU configuration ...

Page 1101: ...w to display a summary of the LAN port IP state on all LAN port IP enabled ports Console enable show eou all Eou Summary Eou Global State enabled Currently Validating EOU Sessions 0 mNo pNo Host Ip Nac_Token Host_Fsm_State Username Console enable Displaying a Summary of the LAN Port IP State on a Per Port Basis To display a summary of the LAN port IP state on a per port basis for LAN port IP enabl...

Page 1102: ...6 2 15 authenticated eap 301 3600 Console enable Displaying EOU Authentication Related Information To display the following authentication related information perform this task in normal mode clientless Display all clientless ports eap Display all ports with EAP authentication static Display all hosts in the exception list This example shows how to display authentication related information Consol...

Page 1103: ...e EOU Results on a Posture Token Basis To display the EOU results on a posture token basis perform this task in normal mode Clearing the LAN Port IP Configuration To clear the LAN port IP configuration and return to default values perform this task in privileged mode This example shows how to clear the LAN port IP configuration and return to default values Console enable clear eou config This comm...

Page 1104: ... mode This example shows how to clear an EOU session for a host with a specified IP address Console enable clear eou host 9 9 10 10 EOU session of host with IP 9 9 10 10 cleared Console enable Clearing an IP Address from an Exception Group or Clearing an Exception Group To clear an IP address from an exception group or clear an exception group perform this task in privileged mode Task Command Clea...

Page 1105: ...mit Time To clear the global CTA packet retransmit time perform this task in privileged mode this command sets the retransmit time back to the default value of 3 This example shows how to clear the global CTA packet retransmit time Console enable clear eou max retry Eou max retry set to 3 Console enable Configuring Policy Based ACLs This section describes how to configure policy based ACLs PBACLs ...

Page 1106: ... If a policy template does not exist it is created Similarly if the policy group name does not exist it is created To add a policy group to the policy template perform this task in privileged mode This example shows how to add a policy group to the policy template Console enable set policy name pol1 group grp1 Added group grp1 to policy template pol1 Console enable Clearing an IP Address from a Po...

Page 1107: ...late pol1 Console enable Displaying Policy Group Information To display policy group information perform this task in normal mode This example shows how to display policy group information Console enable show policy group all Group Name grp1 Group Id 1 No of IP Addresses 3 Src Type ACL CLI List of Hosts in group Interface 0 0 IpAddress 100 1 1 1 Src type CONFIG Interface 0 0 IpAddress 100 1 1 2 Sr...

Page 1108: ...nfigured access VLAN If the port is already authorized and reauthentication occurs the switch puts the critical port in the critical authentication state in the current VLAN which might be the one previously assigned by the RADIUS server If the RADIUS server becomes unavailable during an authentication exchange the current exchanges times out and the switch puts the critical port in the critical a...

Page 1109: ...n a Port page 44 29 Clearing Policy Mapping on a Port page 44 29 Enabling and Disabling Inaccessible Authentication Bypass To enable or disable IAB perform this task in enable mode This example shows how to enable IAB Console enable set port critical 5 1 enable Port 5 1 Critical feature enabled Console enable This example shows how to enable IAB Console enable set port critical 5 1 disable Port 5 ...

Page 1110: ...sole enable set radius keepalive enable Radius Keepalive enabled This example shows how to disable the RADIUS keepalive timer Console enable set radius keepalive disable Radius Keepalive disabled Setting the RADIUS Auto Initialize Feature To enable or disable the RADIUS auto initialize feature perform this task in enable mode This example shows how to enable the RADIUS auto initialize feature Cons...

Page 1111: ...to display AAA fail policy on a port Console enable show port eou 5 1 aaa fail policy Port AAA Fail Policy 5 1 To display the AAA fail policy for web auth on a port perform this task in enable mode This example shows how to display AAA fail policy on a port Console enable show port web auth 5 1 aaa fail policy Port AAA Fail Policy 5 1 Displaying RADIUS Server Information To display RADIUS server i...

Page 1112: ...bypass settings on a port perform this task in enable mode This example shows how to display the MAC authorization bypass settings on a port Console enable show port mac auth bypass 5 1 Port Mac Auth Bypass State MAC Address Auth State Vlan 5 1 Disabled 1 Port Termination action Session Timeout Shutdown Time Left 5 1 3600 NO Port PolicyGroups 5 1 Port Critical Critical Status 5 1 Disabled Console ...

Page 1113: ...ws how to display the EOU settings on a port Console enable show port eou 5 1 Port EOU State IP Address MAC Address Critical Status 5 1 disabled Port FSM State Auth Type SQ Timeout Session Timeout 5 1 Port Posture URL Redirect 5 1 Port Termination action Session id 5 1 Port PolicyGroups 5 1 Port Critical 5 1 enabled Clearing Policy Mapping on a Port To clear the policy mapping on a port perform th...

Page 1114: ... DEFAULT CONFIGURATION time Fri Mar 4 2005 17 11 20 version 8 5 0 44 JAC Nac set eou enable set eou allow clientless enable set policy name exception_policy group exception_hosts set eou authorize ip 77 0 0 90 policy exception_policy radius set radius server 10 76 39 93 auth port 1812 primary set radius key cisco vtp set vtp mode transparent vlan set vlan 12 name RADIUS_CONNECTIVIY type ethernet m...

Page 1115: ...t 10 100BaseTX Ethernet set vlan 12 8 14 set vlan 77 8 13 8 24 set port name 8 13 HOSTS set port name 8 14 RADIUS set port name 8 24 HOSTS set port eou 8 13 enable set port eou 8 24 bypass set port dhcp snooping 8 14 trust enable module 9 empty module 15 1 port Multilayer Switch Feature Card module 16 empty switch port analyzer set span permit list disable set span permit list include end sup2 ena...

Page 1116: ...ion hosts URL redirection is accomplished through information that is received from the RADIUS server after a successful posture validation Because the RADIUS server is not contacted exception hosts must find a way to access a server or you must provide a URL through which the hosts can download software components such as antivirus updates Configuration Guidelines and Restrictions Follow these co...

Page 1117: ...n_policy URL Redirect http cisco com Console enable This example shows how to display the policy names and URL redirect string mappings for all policies Console enable show policy name all Policy Name TEST Associated IP Address Mask Information 0 0 0 18 255 255 255 224 Policy Name poll Associated IP Address Mask Information 0 0 0 19 255 255 255 224 Policy Name BLDG_F Policy Name exception_policy U...

Page 1118: ...P address of the host Configuring Network Admission Control with LAN Port 802 1X These sections describe how to configure NAC with LAN port 802 1X Understanding How Network Admission Control with LAN Port 802 1X Works page 44 34 LAN Port 802 1X Enhancements in Software Release 8 6 1 and Later Releases page 44 36 Understanding How Network Admission Control with LAN Port 802 1X Works Note There are ...

Page 1119: ... the PBACL groups Legacy supplicants and legacy CTA These hosts do not have the enhanced CTA they have the standard 802 1X supplicant that cannot connect to CTA and they also have the legacy CTA that can do posture validation using EAPoUDP With these hosts after LAN port 802 1X completes the switch checks for posture validation results If the posture results are not received it is assumed that the...

Page 1120: ... URL redirection requires that the IP address of an authenticated host appears in a URL redirect list The IP address of the host can be obtained in three ways Framed IP address sent from the RADIUS server DHCP snooping ARP inspection DHCP snooping is given the highest precedence followed by ARP inspection and then framed IP If the IP address is received through a higher precedence mechanism than t...

Page 1121: ...ort 802 1X there must be an ACL mapped to the VLAN of the port that has DHCP snooping ARP inspection and the URL redirect ACE Enabling and Disabling the Session Timeout Override for LAN Port 802 1X After a successful 802 1X authentication and if reauthentication is enabled on a port 802 1X authentication will reauthenticate the port when the reauthentication timer expires The reauthentication time...

Page 1122: ...out override option is enabled Console enable This example shows how to display the session timeout override setting for LAN port 802 1X Console enable show port dot1x 5 8 Port Auth State BEnd State Port Control Port Status 5 8 force authorized Port Port Mode Re authentication Shutdown timeout Control Mode admin oper 5 8 SingleAuth disabled disabled Both Port Posture Token Critical Status Terminat...

Page 1123: ...You can enable unicast flood blocking on any Ethernet port on a per port basis Unicast flood blocking provides you the option to drop the unicast flood packets on an Ethernet port that has only one host that is connected to the port All the Ethernet ports on a switch are configured to allow unicast flooding unicast flood blocking allows you to drop the unicast flood packets before they reach the p...

Page 1124: ...t channel on a unicast flood blocking port Unicast flood blocking and GARP VLAN Registration Protocol GVRP are mutually exclusive You cannot configure the port to block the unicast flood packets and exchange VLAN configuration information with the GVRP switches at the same time Configuring Unicast Flood Blocking on the Switch These sections describe how to configure unicast flood blocking Enabling...

Page 1125: ...icast flood blocking perform this task in privileged mode This example shows how to disable unicast flood blocking on a port Console enable set port unicast flood 4 1 enable Unicast Flooding is successfully enabled on the port 4 1 Console enable Displaying Unicast Flood Blocking To display unicast flood blocking information perform this task in privileged mode This example shows how to display uni...

Page 1126: ...45 4 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 45 Configuring Unicast Flood Blocking Configuring Unicast Flood Blocking on the Switch ...

Page 1127: ...s Module FWSM the Secure Socket Layer Services Module SSLM the Virtual Private Network Services Module VPNSM the Network Analysis Module 1 NAM 1 the NAM 2 the Intrusion Detection System Module IDSM 2 the Content Services Gateway CSG and the Communications Media Module CMM These modules connect to either the integrated 720 Gbps switch fabric on the Supervisor Engine 720 or to the external 256 Gbps ...

Page 1128: ... the integrated 720 Gbps switch fabric these modules have a direct connection to the 32 Gbps switching bus Understanding How the External Switch Fabric Module Works Note The external Switch Fabric Modules are supported only with Supervisor Engine 2 in the Catalyst 6500 series switch The external Switch Fabric Modules create a dedicated connection between the CEF256 modules and provide an uninterru...

Page 1129: ...ot 5 the module in slot 6 becomes active When you install two Switch Fabric Modules at the same time in a 13 slot chassis insert the primary module into slot 7 and the backup module into slot 8 If you reset the module in slot 7 the module in slot 8 becomes active Forwarding Modes The CEF256 CEF720 modules operate in one of three modes when using centralized forwarding Compact mode Operational mode...

Page 1130: ...6 6 Configuring the LCD Banner page 46 12 Configuring a Fallback Option The set system crossbar fallback bus mode none command allows you to configure a fallback option if the Switch Fabric Module connection fails If a switch is in compact mode setting the crossbar fallback to none prohibits the switch from running in any other switching mode Assuming there are no non fabric enabled modules in the...

Page 1131: ... fabric enabled modules do not support compact mode Note If there is a combination of a Supervisor Engine 720 with switch fabric capability and CEF720 modules in the chassis the bus only operation is not permitted The system stays in truncated mode To configure the switch to use flow through mode if you have the non fabric enabled modules installed perform this task This example shows how to confi...

Page 1132: ... supervisor engine switchover will also cause a switch fabric switchover Monitoring the Integrated Switch Fabric and Switch Fabric Module This section describes how to monitor the integrated switch fabric and the Switch Fabric Module Displaying the Module Information page 46 6 Displaying the Fabric Channel Counters page 46 7 Displaying the Fabric Channel Switching Mode and Channel Status page 46 7...

Page 1133: ...4 f8 ca 00 to 00 01 64 f8 cd ff 4 00 10 7b c2 3a c0 to 00 10 7b c2 3a d7 0 204 4 2 0 24 V 6 2 0 14 KEY 5 00 40 0b ff 00 00 0 204 6 1 0 133 6 2 0 14 KEY Mod Sub Type Sub Model Sub Serial Sub Hw 1 L3 Switching Engine II WS F6K PFC2 SAD04110B5S 0 305 Console enable Displaying the Fabric Channel Counters To display the fabric channel counters perform this task This example shows how to display the fab...

Page 1134: ...4 4 n a unused 5 18 5 5 n a unused 5 18 6 6 n a unused 5 18 7 7 n a unused 5 18 8 8 n a unused 5 18 9 9 n a unused 5 18 10 10 n a unused 5 18 11 11 n a unused 5 18 12 12 n a unused 5 18 13 13 n a unused 5 18 14 14 n a unused 5 18 15 15 n a unused 5 18 16 16 n a unused 5 18 17 17 n a unused In the show fabric channel switchmode command output the Switch Mode field displays one of the following mode...

Page 1135: ...tput 0 n a 0 0 1 n a 0 0 2 n a 0 0 3 n a 0 0 4 20G 0 0 5 n a 0 0 6 n a 0 0 7 20G 0 0 8 8G 0 0 9 n a 0 0 10 n a 0 0 11 n a 0 0 12 n a 0 0 13 n a 0 0 14 n a 0 0 15 n a 0 0 16 20G 0 0 17 n a 0 0 Displaying the Fabric Errors To display the fabric errors of one or all modules perform this task This example shows how to display the fabric errors Console enable show fabric errors all Module errors Slot C...

Page 1136: ...tatus including backplane traffic and fabric channel input and output Console enable show system PS1 Status PS2 Status ok none Fan Status Temp Alarm Sys Status Uptime d h m s Logout ok off ok 13 19 01 16 20 min PS1 Type PS2 Type WS CAC 1300W none Modem Baud Backplane Traffic Peak Peak Time disable 9600 0 0 Tue Oct 19 2004 12 04 18 PS1 Capacity 1153 32 Watts 27 46 Amps 42V System Name System Locati...

Page 1137: ...affic Threshold 100 Backplane Traffic Peak Peak Time 0 0 Tue Oct 19 2004 12 04 18 Slot Channel Fab Chan Input Output 2 0 1 0 0 Console enable Displaying the Switching Mode Configuration To display the switching mode configuration perform this task This example shows how to display the switching mode configuration Console show system switchmode Switchmode allow truncated Switchmode threshold 2 Cons...

Page 1138: ...address System name Supervisor engine version Multilayer Switch Feature Card MSFC version on active and standby supervisor engine System contact After the LCD banner content is modified this information is sent to the Switch Fabric Modules that are installed in the chassis and displayed in the LCDs Note The set banner lcd command is not supported in the systems with an integrated switch fabric To ...

Page 1139: ...standing How SNMPv1 and SNMPv2c Work page 47 5 Understanding How SNMPv3 Works page 47 7 Enabling and Disabling SNMP Processing page 47 10 Configuring SNMPv1 and SNMPv2c on the Switch page 47 11 SNMPv1 and SNMPv2c Enhancements in Software Release 7 5 1 page 47 12 Configuring SNMPv3 on the Switch page 47 16 Note For complete syntax and usage information for the commands that are used in this chapter...

Page 1140: ...origin authentication The ability to verify the identity of a user on whose behalf that the message is supposedly sent This ability protects the users against both message capture and replay by a different SNMP engine and against the packets that are received or sent to a particular user that uses an incorrect password or security level encryption A method of hiding data from an unauthorized user ...

Page 1141: ...ent information SMI protocol operations management architecture and security SNMP engine A copy of SNMP that can reside on the local or remote device SNMP entity Unlike SNMPv1 and SNMPv2c in SNMPv3 the terms SNMP Agents and SNMP Managers are no longer used These concepts have been combined and are called an SNMP entity An SNMP entity is made up of an SNMP engine and SNMP applications SNMP group A ...

Page 1142: ...and SNMPv2c remain intact however SNMPv3 has significant enhancements to administration and security See the Understanding How SNMPv3 Works section on page 47 7 for more information on SNMPv3 Security Models and Levels A security model is an authentication strategy that is set up for a user and the group in which the user resides A security level is the permitted level of security within a securit...

Page 1143: ...t EtherChannel interfaces the ifIndex value is only retained and used after a high availability switchover Understanding How SNMPv1 and SNMPv2c Work The components of SNMPv1 and SNMPv2c network management fall into three categories Managed devices such as a switch SNMP agents and MIBs including the Remote Monitoring RMON MIBs which run on managed devices SNMP network management applications such a...

Page 1144: ...t or module goes up or down When the temperature limitations are exceeded When there are spanning tree topology changes When there are authentication failures When power supply errors occur SNMP community strings SNMP community strings authenticate access to the MIB objects and function as embedded passwords Read only Gives read access to all objects in the MIB except the community strings but doe...

Page 1145: ...he contents of a packet to prevent it from being seen by an unauthorized source SNMP Entity Unlike SNMPv1 and SNMPv2c in SNMPv3 the concept of SNMP Agents and SNMP Managers no longer apply These concepts have been combined into an SNMP entity An SNMP entity consists of an SNMP engine and SNMP applications An SNMP engine consists of the following four components Dispatcher Message processing subsys...

Page 1146: ...ach supporting a different version of SNMP Security Subsystem The security subsystem authenticates and encrypts the messages Each outgoing message is passed to the security subsystem from the message processing subsystem Depending on the services required the security subsystem may encrypt the enclosed PDU and some fields in the message header In addition the security subsystem may generate an aut...

Page 1147: ...the authentication protocols and CBC DES as the privacy protocol SNMPv1 and SNMPv2c security models provide only the community names for authentication and no privacy Access Control Subsystem The access control subsystem determines whether access to a managed object should be allowed With the view based access control model VACM you can control which users and which operations can have access to w...

Page 1148: ...NMP configurations The RMON related processes are not affected in either mode To enable SNMP processing from the command line interface CLI perform this task in privileged mode enable mode is the default This example shows how to enable SNMP processing Console enable set snmp enable SNMP enabled Console enable This example shows how to disable SNMP processing Console enable set snmp disable SNMP d...

Page 1149: ... up to 20 trap receivers through the RMON2 trap destination table You configure the RMON2 trap destination table from the NMS Configuring SNMPv1 and SNMPv2c from the CLI Note For the enhanced SNMP features in software release 7 5 1 see the SNMPv1 and SNMPv2c Enhancements in Software Release 7 5 1 section on page 47 12 To configure SNMP from the CLI perform this task in privileged mode Task Command...

Page 1150: ...All SNMP traps enabled Console enable show snmp RMON Disabled Extended RMON Extended RMON module is not present Traps Enabled Port Module Chassis Bridge Repeater Vtp Auth ippermit Vmps config entity stpx Port Traps Enabled 1 1 2 4 1 48 5 1 Community Access Community String read only Everyone read write Administrators read write all Root Trap Rec Address Trap Rec Community 172 16 10 10 read write 1...

Page 1151: ...h access type as read only Console enable This example shows how to restrict the community string to an access number Console enable set snmp community ext private1 read write access 2 Community string private1 is created with access type as read write access number 2 Console enable This example shows how to change the access number to the community string Console enable set snmp community ext pri...

Page 1152: ...le enable Specifying the Access Numbers for Hosts You can specify a list of access numbers that are associated with one or more hosts to limit which hosts can use a specific community string to access the system You can specify more than one IP address that is associated with an access number by separating each IP address with a space If an existing access number is used the new IP addresses are a...

Page 1153: ...1 1 1 2 172 20 60 7 2 2 2 2 3 2 2 2 2 155 0 0 0 4 1 1 1 1 2 1 2 4 2 2 2 2 2 2 2 5 Console enable Clearing the IP Addresses Associated with Access Numbers To clear the IP addresses that are associated with the access numbers from the CLI perform this task in privileged mode These examples show how to clear the IP addresses that are associated with the access numbers Console enable clear snmp access...

Page 1154: ...nable Console enable clear snmp ifalias all Console enable Configuring SNMPv3 on the Switch This section provides the basic SNMPv3 configuration information For detailed information on the SNMP commands that are supported by the Catalyst 6500 series switches refer to the Catalyst 6500 Series Switch Command Reference publication SNMPv3 Default Configuration Refer to the Catalyst 6500 Series Switch ...

Page 1155: ... volatile nonvolatile Step 5 Set the snmpTargetAddrEntry in the target address table set snmp targetaddr hex addrname param hex paramsname ipaddr udpport port timeout value retries value volatile nonvolatile taglist hex tag hex tag Step 6 Set the SNMP parameters that are used to generate a message to a target set snmp targetparams hex paramsname user hex username security model v3 message processi...

Page 1156: ...guestuser1 security model v3 message processing v3 authentication Snmp target params was set to p1 v3 authentication message processing v3 user guestuser1 nonvolatile Console enable set snmp targetparams p2 user guestuser2 security model v3 message processing v3 privacy Snmp target params was set to p2 v3 privacy message processing v3 user guestuser2 nonvolatile These examples show how to configur...

Page 1157: ...tree 1 3 6 1 6 3 10 2 1 included nonvolatile Console enable set snmp access guestgroup security model v3 authentication read snmpEngineMibView Snmp access group was set to guestgroup version v3 level authentication readview snmpEngineMibView nonvolatile This example shows how to verify the SNMPv3 access for guestuser1 from a workstation workstation getnext v3 10 6 4 201 guestuser1 snmpEngineID Ent...

Page 1158: ...47 20 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 47 Configuring SNMP Configuring SNMPv3 on the Switch ...

Page 1159: ...etwork agents and console systems to exchange network monitoring data The supervisor engine software provides embedded support for these components of the RMON specification see the Supported RMON and RMON2 MIB Objects section on page 48 3 for details The following RMON groups are defined in RFC 1757 Statistics RMON group 1 for Ethernet Fast Ethernet Fast EtherChannel and Gigabit Ethernet switch p...

Page 1160: ...n enable SNMP RMON support enabled Console enable show snmp RMON Enabled Extended RMON Extended RMON module is not present Traps Enabled Port Module Chassis Bridge Repeater Vtp Auth ippermit Vmps config entity stpx Port Traps Enabled 1 1 2 4 1 48 5 1 Community Access Community String read only Everyone read write Administrators read write all Root Trap Rec Address Trap Rec Community 172 16 10 10 r...

Page 1161: ... 1 rmon 16 history 2 historyControlTable 1 mib 2 1 rmon 16 history 2 etherHistoryTable 2 RFC 1757 RMON MIB RFC 1757 RMON MIB Periodically samples and saves statistics group counters for later retrieval mib 2 1 rmon 16 alarm 3 RFC 1757 RMON MIB A threshold that can be set on critical RMON variables for network management mib 2 1 rmon 16 event 9 RFC 1757 RMON MIB Generates SNMP traps when an Alarms ...

Page 1162: ...48 4 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 48 Configuring RMON Supported RMON and RMON2 MIB Objects ...

Page 1163: ...PAN Work page 49 1 Understanding How the Mini Protocol Analyzer Works page 49 4 SPAN RSPAN and Mini Protocol Analyzer Session Limits page 49 5 Configuring SPAN on the Switch page 49 6 Configuring RSPAN on the Switch page 49 10 Configuring the Mini Protocol Analyzer on the Switch page 49 19 Note To configure SPAN RSPAN or the Mini Protocol Analyzer from a network management station NMS refer to the...

Page 1164: ... traffic from the network to the switching bus unless you specifically enable the port If the incoming traffic is enabled for the destination port it is switched in the native VLAN of the destination port The destination port does not participate in spanning tree while the SPAN session is active See the caution statement in the Configuring SPAN from the CLI section on page 49 8 for information on ...

Page 1165: ...t are forwarded by the destination port are determined by the trunk settings of the destination port during the SPAN session configuration Ingress SPAN Ingress SPAN copies the network traffic that is received by the source ports for analysis at the destination ports Egress SPAN Egress SPAN copies the network traffic that is transmitted from the source ports for analysis at the destination ports VS...

Page 1166: ...does not support monitoring of BPDU packets or Layer 2 protocol packets such as CDP DTP and VTP Multicast packet monitoring is enabled by default In some SPAN configurations multiple copies of the same source packet are sent to the SPAN destination ports For example a bidirectional both ingress and egress SPAN session is configured for sources a1 and a2 to a destination port d1 If a packet enters ...

Page 1167: ...ic meets any of the criteria specified in any of the filters it will be captured If you specify a filter based on the packet size the packets that are larger than the specified size are captured and truncated to the specified size You can specify a maximum of 16 filters for a Mini Protocol Analyzer session Enter the set packet capture snap length command to specify the length to which the packets ...

Page 1168: ...other Remote Monitoring RMON probe SPAN mirrors the traffic from one or more source ports on any VLAN from one or more VLANs or from the sc0 console interface to the destination ports for analysis see Figure 49 1 In Figure 49 1 all traffic on Ethernet port 5 the source port is mirrored to Ethernet port 10 A network analyzer on Ethernet port 10 receives all network traffic from Ethernet port 5 with...

Page 1169: ...ts section on page 49 5 The RSPAN sessions can coexist with the SPAN sessions within the SPAN RSPAN limits that are described in the SPAN RSPAN and Mini Protocol Analyzer Session Limits section on page 49 5 The optional inpkts keyword is disabled by default Use the inpkts keyword with the optional enable keyword to allow the SPAN destination ports to receive the normal incoming traffic Enter the o...

Page 1170: ...uring SPAN from the CLI To configure SPAN you specify the source the destination ports the direction of the traffic through the source that you want to mirror to the destination ports and if the destination port can receive the packets To configure a SPAN port perform this task in privileged mode Caution If the SPAN destination port is connected to another device and you enable reception of the in...

Page 1171: ...on Port 2 12 Admin Source VLAN 522 Oper Source Port 2 1 2 Direction transmit Incoming Packets enabled Learning enabled Multicast enabled Filter Console enable This example shows how to set port 3 2 as the SPAN source and port 2 2 as the SPAN destination Console enable set span 3 2 2 2 tx create Destination Port 2 1 Admin Source port 3 1 Oper Source Port 3 1 Direction transmit receive Incoming Pack...

Page 1172: ...MSFC2A WS SUP32 GE 3B For destination or intermediate switches Any Cisco switch supporting RSPAN VLAN No third party or other Cisco switches can be placed in the end to end path for RSPAN traffic Understanding How RSPAN Works Note See the Understanding How SPAN and RSPAN Work section on page 49 1 for the concepts and terminology that apply to both the SPAN and RSPAN configurations RSPAN has all th...

Page 1173: ...the RSPAN configuration you can distribute the source ports and the destination ports across multiple switches For RSPAN trunking is required if you have a source switch with all the source ports in one VLAN VLAN 2 for example and it is connected to the destination switch through an uplink port that is also in VLAN 2 With RSPAN the traffic is forwarded to the remote switches in the RSPAN VLAN The ...

Page 1174: ...d in the RSPAN VLAN If you enable VTP and VTP pruning the RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of the RSPAN traffic across the network If you enable the GARP VLAN Registration Protocol GVRP and the GVRP requests conflict with the existing RSPAN VLANs you might observe unwanted traffic in the RSPAN sessions You can use the RSPAN VLANs in Inter Switch Link ISL to do...

Page 1175: ...ole enable set rspan source 4 1 2 500 rx Rspan Type Source Destination Rspan Vlan 500 Admin Source Port 4 1 2 Oper Source None Direction receive Incoming Packets Learning Multicast enabled Filter Console enable To configure the RSPAN source VLANs perform this task in privileged mode Task Command Step 1 Configure the RSPAN source ports Use this command on each of the source switches that participat...

Page 1176: ...ination Port 3 1 Rspan Vlan 500 Admin Source Oper Source Direction Incoming Packets disabled Learning enabled Multicast Filter Console enable To disable RSPAN perform this task in privileged mode This example shows how to disable all the enabled source sessions Console enable set rspan disable source all This command will disable all remote span source session s Do you want to continue y n n y Dis...

Page 1177: ...e span traffic on port 4 1 Console enable RSPAN Configuration Examples These sections describe how to configure RSPAN Configuring a Single RSPAN Session page 49 15 Modifying an Active RSPAN Session page 49 16 Adding the RSPAN Source Ports in Intermediate Switches page 49 17 Configuring Multiple RSPAN Sessions page 49 17 Adding Multiple Network Analyzers to an RSPAN Session page 49 19 Configuring a...

Page 1178: ... Commands A source 4 1 4 2 901 Ingress set rspan source 4 1 2 901 rx B source 3 1 3 2 3 3 901 Bidirectional set rspan source 3 1 3 901 C intermediate 901 No RSPAN CLI command needed D destination 1 2 901 set rspan destination 1 2 901 1 1 1 2 3 1 3 2 1 2 4 1 4 2 1 2 3 1 3 2 1 1 3 3 Switch A Switch C Switch D Switch B Probe Destination switch data center Intermediate switch distribution Source switc...

Page 1179: ...ic the destination switch and the intermediate switches need to be configured only once In Figure 49 5 two RSPAN sessions are used with RSPAN VLANs 901 for probe 1 and 902 for probe 2 The direction of traffic over trunks T1 through T6 is shown only for understanding the direction of the trunks depends on the STP states of the trunks for the RSPAN VLAN s You need to configure the RSPAN VLANs in eac...

Page 1180: ...ation 2 2 902 set rspan destination 2 2 902 B intermediate 901 902 No RSPAN CLI command needed C intermediate 901 902 No RSPAN CLI command needed D source 2 1 2 901 Ingress set rspan source 2 1 2 901 rx E source 3 1 2 901 Egress set rspan source 3 1 2 901 tx F source 4 1 3 902 Both set rspan source 4 1 3 902 1 1 1 2 2 1 2 2 3 1 1 2 3 1 3 2 3 3 3 2 3 3 1 2 2 1 2 2 1 1 1 2 4 1 4 2 1 1 1 2 4 3 Switch...

Page 1181: ...ocol Analyzer on the switch Mini Protocol Analyzer Hardware Requirements page 49 19 Understanding How the Mini Protocol Analyzer Works page 49 19 Mini Protocol Analyzer Configuration Guidelines page 49 20 Configuring the Mini Protocol Analyzer from the CLI page 49 21 Mini Protocol Analyzer Hardware Requirements Supervisor Engine 720 and Supervisor Engine 32 support the Mini Protocol Analyzer Under...

Page 1182: ...hernet 10 100 1000 Mbps ports and 10 Gbps ports as Mini Protocol Analyzer source ports You cannot use ATM ports MSFC ports or service module ports as Mini Protocol Analyzer source ports When enabled the Mini Protocol Analyzer uses any previously entered configuration If you have not entered any configuration commands the Mini Protocol Analyzer uses the default parameters Only one Mini Protocol Ana...

Page 1183: ...ou might see extra packets that are saved on the flash memory that were not actually transmitted out the source port The extra packets are sent through the switch fabric to the flash memory and are blocked by spanning tree at the source port Configuring the Mini Protocol Analyzer from the CLI To configure the Mini Protocol Analyzer you specify the source port and optionally the name of the output ...

Page 1184: ...o specify the direction of the traffic to be captured Console enable set packet capture direction tx Packets from transmit tx direction will be captured This example shows how to specify that all packets will be captured but packets that have a length of 5 000 bytes or larger will be truncated to 5 000 bytes Console enable set packet capture snap length 5000 Packets captured will be truncated to 5...

Page 1185: ...LD PAGP etc getting dropped resulting in network instability Also it can affect system performance or inband connectivity as sc0 sc1 interface packets can be dropped without warning Do you want to continue y n n y Console enable 2006 Jul 28 16 54 08 SYS 5 SPAN_CFGSTATECHG local span sessio n active for session Number 1 2006 Jul 28 16 54 08 SYS 5 PKTCAP_START Packet capture session active 2006 Jul ...

Page 1186: ...9 24 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 49 Configuring SPAN RSPAN and the Mini Protocol Analyzer Configuring the Mini Protocol Analyzer on the Switch ...

Page 1187: ... sections describe how the Switch TopN Reports utility works TopN Reports Overview page 50 1 Running Switch TopN Reports without the Background Keyword page 50 2 Running Switch TopN Reports with the Background Keyword page 50 2 TopN Reports Overview The Switch TopN Reports utility allows you to collect and analyze data for each physical port on a switch Note You cannot use the Switch TopN Reports ...

Page 1188: ...e screen and you cannot enter the other commands while the report is being generated You can terminate the Switch TopN process before it finishes by pressing Ctrl C from the same console or Telnet session or by opening a separate console or Telnet session and entering the clear top report_num command After the Switch TopN Reports utility finishes processing the data it displays the output on the s...

Page 1189: ...ciated report is displayed Each process is associated with a unique report number If you do not specify the report_num variable all active Switch TopN processes and all available Switch TopN reports for the switch are displayed All Switch TopN processes both with and without the background keyword are shown in the list This example shows how to run the Switch TopN Reports utility with the backgrou...

Page 1190: ...ored and pending reports do not specify a report_num This example shows how to display a specific report and how to display all stored and pending reports Console enable show top report 5 Start Time 06 16 1998 17 29 40 End Time 06 16 1998 17 30 11 PortType all Metric overflow Port Band Uti Bytes Pkts Bcst Mcst Error Over width Tx Rx Tx Rx Tx Rx Tx Rx Rx flow 1 1 100 0 7880 83 0 83 0 0 2 12 100 0 0...

Page 1191: ...s that have completed are cleared This example shows how to remove a specific report and how to remove all stored reports Console enable clear top 4 Console enable 06 16 1998 17 36 45 MGMT 5 TopN report 4 killed by Console Console enable clear top all 06 16 1998 17 36 52 MGMT 5 TopN report 1 killed by Console 06 16 1998 17 36 52 MGMT 5 TopN report 2 killed by Console Console enable 06 16 1998 17 3...

Page 1192: ...50 6 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 50 Using Switch TopN Reports Running and Viewing Switch TopN Reports ...

Page 1193: ... on the Switch page 51 10 Configuring GMRP on the Switch page 51 20 Configuring Multicast Router Ports and Group Entries on the Switch page 51 27 Understanding How RGMP Works page 51 29 Configuring RGMP on the Switch page 51 31 Displaying the Multicast Protocol Status page 51 35 Understanding How Bidirectional PIM Works page 51 35 Configuring Bidirectional PIM on the Switch page 51 36 Understandin...

Page 1194: ...ng or GMRP Understanding How IGMP Snooping Works Note You cannot enable IGMP snooping on a switch if GMRP is already enabled on the switch Note You can run IGMP snooping on any Catalyst 6500 series supervisor engine model Supervisor Engine 1 Supervisor Engine 1A Supervisor Engine 2 Supervisor Engine 720 and Supervisor Engine 32 A PFC is not required to enable IGMP snooping Cisco Group Management P...

Page 1195: ...ng reports for SSM the reports are forwarded to the MSFC2 and a system error message is generated Note For IGMP version 3 snooping use Cisco IOS Release 12 1 11b E1 or later releases on MSFC2 IGMP Version 3 Snooping Restrictions The following restrictions apply to IGMP version 3 snooping With software release 8 3 1 it is mandatory that you run Cisco IOS Release 12 2 17d SXB1 if you plan on using I...

Page 1196: ...hip to a multicast group and provides a list of source IP addresses the INCLUDE list from which it wants to receive the traffic EXCLUDE mode In this mode the host announces membership to a multicast group and provides a list of source IP addresses the EXCLUDE list from which it does not want to receive the traffic This mode indicates that the host wants to receive the traffic only from those sourc...

Page 1197: ... the MAC multicast group address the port is removed from the multicast forwarding entry If the port is not the last nonmulticast router port in the entry the switch suppresses the IGMP leave does not send it to the router If the port is the last nonmulticast router port in the entry the IGMP leave is forwarded to the multicast router ports and the MAC group forwarding entry is removed When the ro...

Page 1198: ...ng If a host does not want to remain in the multicast group it can either send a leave message or not respond to the periodic queries from the switch If the switch receives a leave message or receives no response from the host for the duration of the leaveall timer the switch removes the host from the multicast group Note To use GMRP in a routed environment enable the GMRP forwardall option on all...

Page 1199: ...chanism to function properly so that all non RPF packets cannot be dropped in the hardware PFC3A has enhanced hardware support for non RPF packet rate limiting On receiving a non RPF packet PFC3A creates a non RPF entry which contains source group and ingress interface information in the NetFlow table if there is no matching entry already present and then bridges the non RPF packet on the incoming...

Page 1200: ...ast connected Router config Understanding IGMP Querier IGMP querier enables IGMP snooping within a VLAN where PIM and IGMP are not configured because the multicast traffic does not need to be routed Note You must enable IGMP querier for IGMP snooping to work correctly in a VLAN in which no multicast routers are present When you configure IGMP querier for a VLAN the switch sends out IGMP general qu...

Page 1201: ...so that the RPF checks used by PIM continue to work and show valid unicast paths to and from the source IP address of the server sourcing the multicast stream PIM configured on all related Layer 3 interfaces The unicast routing table is used to do path selection for PIM PIM uses RPF checks to ultimately determine the shortest path tree SPT between the client receiver VLAN and the source multicast ...

Page 1202: ...IGMP Fast Leave Processing page 51 13 Enabling IGMP Version 3 Snooping page 51 14 Enabling IGMP Version 3 Fast Block Processing page 51 15 Enabling IGMP Rate Limiting page 51 15 Enabling the IGMP Querier page 51 16 Displaying Multicast Router Information page 51 17 Displaying Multicast Group Information page 51 18 Displaying IGMP Snooping Statistics page 51 18 Disabling IGMP Fast Leave Processing ...

Page 1203: ...eboots IGMP version 2 snooping reports are captured and sent to the supervisor engine The IGMP version 3 snooping reports are sent to the 224 0 0 22 address Because snooping is not supported in this range the reports are captured for the supervisor engine in addition to being flooded With this release of IGMP version 3 snooping the RGMP SPAN and RSPAN interaction is not enabled IGMP querier intero...

Page 1204: ...e and disable IGMP flooding Console enable set igmp flooding enable IGMP Flooding enabled default Console enable set igmp flooding disable IGMP Flooding disabled Console enable Console enable show igmp flooding Mcast flooding disabled Console enable Specifying the IGMP Snooping Mode IGMP snooping runs in either IGMP only mode or IGMP CGMP mode The switch dynamically chooses either IGMP only or IGM...

Page 1205: ... specify auto mode a group specific query is sent if there are no version 1 hosts in the network and a general query is sent if there are version 1 hosts in the network A group specific query provides faster network convergence By default a MAC based general query is sent when a port receives a leave message To specify the leave query type perform this task in privileged mode This example shows ho...

Page 1206: ...v3 group Displaying V3 group information for all vlans G C 227 1 1 1 2 V3 state INC V1 V2 Compatibility mode none V3 Include list 2 2 2 6 Src timer 125 sec Ports 6 29 15 1 2 2 2 5 Src timer 125 sec Ports 6 29 15 1 Exclude list NULL G C 227 1 1 1 60 V3 state INC V1 V2 Compatibility mode none V3 Include list 2 2 2 7 Src timer 115 sec Ports 13 30 15 1 2 2 2 5 Src timer 115 sec Ports 13 30 15 1 2 2 2 ...

Page 1207: ...tocols status IGMP enabled IGMP fastleave disabled IGMP V3 processing enabled IGMP V3 fastblock feature enabled RGMP disabled GMRP disabled Console enable Enabling IGMP Rate Limiting Enter the set multicast ratelimit command to rate limit the multicast packets The multicast packet rate limiting is disabled by default and the default rate limit is 0 packets per second pps To enable multicast rate l...

Page 1208: ...rier in a VLAN perform one of these tasks in privileged mode This example shows how to enable the IGMP querier and display querier information Console enable set igmp querier enable 4001 IGMP querier is enabled for VLAN s 4001 Console enable set igmp querier 4001 qi 130 QI for VLAN s 4001 set to 130 second s Console enable set igmp querier address 40 1 1 1 4001 Querier Address for vlan 4001 set to...

Page 1209: ...onsole enable show multicast router Port Vlan 2 1 99 2 2 201 16 1 10 200 201 Total Number of Entries 3 Configured RGMP capable Channeled Port IGMP V3 Router IGMP Querier Router Console enable This example shows how to display only those multicast router ports that were learned dynamically through IGMP Console enable show multicast router igmp IGMP enabled Port Vlan 1 1 1 2 1 2 99 255 Total Number ...

Page 1210: ...play the IGMP snooping statistics on the switch perform this task This example shows how to display the IGMP snooping statistics Console enable show igmp statistics IGMP enabled IGMP statistics for vlan 1 Transmit General Queries 0 Group Specific Queries 0 Reports 0 Leaves 0 Receive General Queries 10 Group Specific Queries 0 Task Command Display information about the multicast groups show multica...

Page 1211: ...P V3 TO_EX messages 0 IGMP V3 ALLOW messages 0 IGMP V3 BLOCK messages 0 Console enable Disabling IGMP Fast Leave Processing To disable IGMP fast leave processing perform this task in privileged mode This example shows how to disable IGMP fast leave processing Console enable set igmp fastleave disable IGMP fastleave set to disable Console enable Disabling IGMP Snooping To disable IGMP snooping perf...

Page 1212: ... All Option on a Switch Port page 51 23 Configuring GMRP Registration page 51 23 Setting the GARP Timers page 51 25 Displaying GMRP Statistics page 51 26 Clearing GMRP Statistics page 51 26 Disabling GMRP Globally on the Switch page 51 27 Note For an overview of GMRP operation see the Understanding How GMRP Works section on page 51 6 GMRP Software Requirements GMRP requires supervisor engine softw...

Page 1213: ...dual Switch Ports Note You can change the per port GMRP configuration regardless of whether GMRP is enabled globally However GMRP will not function on any ports until you enable it globally For information on configuring GMRP globally see the Enabling GMRP Globally section on page 51 21 To enable GMRP on the individual switch ports perform this task in privileged mode This example shows how to ena...

Page 1214: ...l GMRP Configuration GMRP Feature is currently enabled on this switch GMRP Timers milliseconds Join 200 Leave 600 LeaveAll 10000 Port based GMRP Configuration Port GMRP Status Registration ForwardAll 1 1 2 3 1 6 1 9 6 15 48 7 1 24 Enabled Normal Disabled 6 10 14 Disabled Normal Disabled Console enable Enabling the GMRP Forward All Option on a Switch Port When you enable the GMRP forward all option...

Page 1215: ...ons describe how to configure the GMRP registration modes on the switch ports Setting Normal Registration page 51 23 Setting Fixed Registration page 51 24 Setting Forbidden Registration page 51 24 Setting Normal Registration Configuring a switch port in normal registration mode allows dynamic GMRP multicast registration and deregistration on the port Normal mode is the default on all switch ports ...

Page 1216: ...ently enabled on this switch GMRP Timers milliseconds Join 200 Leave 600 LeaveAll 10000 Port based GMRP Configuration GMRP Status Registration ForwardAll Port s Enabled Normal Disabled 1 1 4 2 1 9 2 11 48 3 1 24 5 1 Enabled Fixed Disabled 2 10 Console enable Setting Forbidden Registration Setting a switch port in forbidden registration mode deregisters all GMRP multicasts and prevents any further ...

Page 1217: ... to or greater than three times the join value leave join 3 The value for leaveall must be greater than the value for leave leaveall leave The more registered attributes on the switch the greater you should configure the difference between the leave value and the join value For better performance on the switches with many registered multicast groups increase the timer values to the order of second...

Page 1218: ...g GMRP Statistics To display the GMRP statistics on the switch perform this task in privileged mode This example shows how to display the GMRP statistics for VLAN 23 Console show gmrp statistics 23 GMRP Statistics for vlan 23 Total valid GMRP Packets Received 500 Join Empties 200 Join INs 250 Leaves 10 Leave Alls 35 Empties 5 Fwd Alls 0 Fwd Unregistered 0 Total valid GMRP Packets Transmitted 600 J...

Page 1219: ...itch These sections describe how to specify the multicast router ports manually and configure the multicast group entries Specifying Multicast Router Ports page 51 27 Configuring Multicast Groups page 51 28 Clearing Multicast Router Ports page 51 29 Clearing Multicast Group Entries page 51 29 Specifying Multicast Router Ports When you enable IGMP snooping the switch automatically learns to which p...

Page 1220: ...er 2 multicast entries is 15488 This example shows how to configure the multicast groups manually and verify the configuration the asterisks indicate that the entry was manually configured Console enable set cam static 01 00 11 22 33 44 2 6 12 Static multicast entry added to CAM table Console enable set cam static 01 11 22 33 44 55 2 6 12 Static multicast entry added to CAM table Console enable se...

Page 1221: ...rains the multicast traffic that exits the switch through the ports to which only the disinterested multicast routers are connected Catalyst 6500 series switches support RGMP which enables a switch to reduce network congestion by forwarding the multicast data traffic to only those routers that are configured to receive it Note To use RGMP you must enable IGMP snooping on the switch IGMP snooping c...

Page 1222: ...traffic that exits through the ports on which it detects an RGMP enabled router If a non RGMP enabled router is detected on a port that port receives all multicast traffic RGMP does not support the directly connected sources in the network A directly connected source will send the traffic into the network without signaling this through RGMP or PIM This traffic will not be received by an RGMP enabl...

Page 1223: ...ulticast addresses can map to one MAC address see RFC 1112 RGMP cannot differentiate between the IP multicast groups that might map to a MAC address The capability of the switch to constrain the traffic is limited by its content addressable memory CAM table capacity Configuring RGMP on the Switch These sections describe the commands for configuring RGMP Configuring RGMP on the Supervisor Engine pa...

Page 1224: ...ble routers and to display the count of multicast groups that were joined by one or more RGMP capable routers To display RGMP group information perform one of these tasks in privileged mode This example shows how to display RGMP group information Console enable show rgmp group VlanDest MAC Route DesRGMP Joined Router Ports 1 01 00 5e 00 01 285 1 5 15 1 01 00 5e 01 01 015 1 2 01 00 5e 27 23 70 3 1 ...

Page 1225: ...ns 0 Leaves 0 Byes 0 Console enable Displaying RGMP Capable Router Ports This command displays the detected RGMP capable router ports A in front of the port indicates that it is an RGMP capable router To display the RGMP capable router ports perform this task in privileged mode This example shows how to display the ports that are connected to the RGMP capable routers Console enable show multicast ...

Page 1226: ...ged mode This example shows how to clear the RGMP statistics Console enable clear rgmp statistics RGMP statistics cleared Console enable RGMP Related CLI Commands This command enables or disables the RGMP related commands from the router To enable or disable RGMP perform one of these tasks in configuration mode This command enables or disables RGMP debugging To enable or disable RGMP debugging per...

Page 1227: ... the hardware forwarding of the bidirectional Protocol Independent Multicast PIM groups To support the bidirectional PIM groups Supervisor Engine 720 implements a new mode called designated forwarder DF mode The designated forwarder is the router that is elected to forward the packets to and from a segment for a bidirectional PIM group In DF mode the supervisor engine accepts the packets from the ...

Page 1228: ...M Information page 51 38 Configuring Bidirectional PIM To configure bidirectional PIM perform these steps Step 1 Enable bidirectional PIM globally Step 2 Configure the rendezvous point for the bidirectional group These steps are described in detail in the following sections Enabling or Disabling Bidirectional PIM Globally To enable or disable bidirectional PIM perform one of these tasks This examp...

Page 1229: ...asks This example shows how to set the bidirectional RP RPF scan interval Router config mls ip multicast bidir gm scan interval 30 Router config This example shows how to restore the default bidirectional RP RPF scan interval Router config no mls ip multicast bidir gm scan interval Router config Task Command Step 1 Statically configure the IP address of the rendezvous point for the group When you ...

Page 1230: ... list GigabitEthernet2 1 Bidir Upstream Sparse Dense 00 00 02 00 00 00 H Vlan30 Forward Sparse Dense 00 00 02 00 02 57 H 225 1 2 0 00 00 04 00 02 55 RP 3 3 3 3 flags BC Bidir Upstream GigabitEthernet2 1 RPF nbr 10 53 1 7 RPF MFD Outgoing interface list GigabitEthernet2 1 Bidir Upstream Sparse Dense 00 00 04 00 00 00 H Vlan30 Forward Sparse Dense 00 00 04 00 02 55 H 225 1 4 1 00 00 00 00 02 59 RP 3...

Page 1231: ...lay the entries for a specific multicast group address Router show mls ip multicast group 230 31 31 1 Multicast hardware switched flows 230 31 31 1 Incoming interface Vlan611 Packets switched 1778 Hardware switched outgoing interfaces Vlan131 Vlan151 Vlan415 Gi4 16 Vlan611 RPF MFD installed This example shows how to display the PIM group to the active rendezvous point mappings Router show mls ip m...

Page 1232: ...51 40 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 51 Configuring Multicast Services Configuring Bidirectional PIM on the Switch ...

Page 1233: ...y functionality Command line interface CLI This chapter consists of these sections Understanding How QoS Works page 52 1 QoS Default Configuration page 52 30 Configuring QoS on the Switch page 52 38 Understanding How QoS Works Note Throughout this publication and all Catalyst 6500 series publications the term QoS refers to the QoS feature as implemented on the Catalyst 6500 series switch Typically...

Page 1234: ...affic at Layer 2 The Layer 2 frames carry the Layer 3 packets Labels are prioritization values that are carried in the packets and the frames Layer 2 class of service CoS values range between zero for low priority and seven for high priority The Layer 2 Inter Switch Link ISL frame headers have a 1 byte User field that carries an IEEE 802 1p CoS value in the three least significant bits The Layer 2...

Page 1235: ...d drop thresholds A drop threshold is the percentage of buffer utilization at which the traffic with a specified CoS value is dropped leaving the buffer available for the traffic with the higher priority CoS values Policing is the process by which the switch limits the bandwidth that is consumed by a flow of traffic Policing can mark or drop traffic Except where specifically differentiated the Lay...

Page 1236: ... Multilayer Switch Feature Card MSFC or MSFC2 and retains the CoS value that is assigned by the Layer 3 switching engine Enter the show port capabilities command to see the queue structure of a port for more information see the Receive Queues section on page 52 13 and the Transmit Queues section on page 52 28 Transmit WAN traffic WAN egress QoS features Multilayer Switch Feature Card MSFC Transmit...

Page 1237: ...ort Classification Marking Scheduling and Congestion Avoidance 68001 Yes Frame enters switch Port set to untrusted ISL or 802 1Q Drop thresholds Apply port CoS No No Yes Port set to trust ipprec Port set to trust dscp No No Port is set to trust cos To switching engine Apply port CoS Ethernet ingress port classification marking scheduling and congestion avoidance Yes Yes ...

Page 1238: ... internal DSCP from received or port CoS Use DSCP from ACE 1 Traffic is from an untrusted port 1 Trust received or port CoS 2 Specified by ACE keyword or by port keyword and dscp ACE keyword 3 From IP precedence to DSCP map 5 From CoS to DSCP map 4 For traffic forwarded by PFC3 only the ingress or egress policing rule is applied whichever is more severe 7 F 6 Specified by ACE keyword From DSCP to ...

Page 1239: ...se default ingress ACL To egress interface Yes No No Match ACE in ACL Yes Yes Yes Yes 77830 L3 Switching Engine PFC PFC2 classification marking and policing Use received DSCP 2 Set DSCP from received IP precedence 3 Set DSCP from received or port CoS Use DSCP from ACE 1 Traffic is from an untrusted port 1 Trust received or port CoS 2 Specifiedby ACE keyword or by port keyword anddscp ACE keyword 3...

Page 1240: ... 7 Multilayer Switch Feature Card Marking MSFC and MSFC2 Yes From Ingress port To Egress port Match Destination MAC Address VLAN Apply configured CoS No From SET QOS MAC COS command L2 Switching Engine Classification and Marking 25031 27107 To egress port IP traffic from PFC Write ToS byte into packet No Yes Multilayer Switch Feature Card MSFC marking From PFC Route traffic CoS 0 for all traffic n...

Page 1241: ...OC 12 Switching Module Marking 68002 Write CoS into frame ISL or 802 1Q IP traffic from PFC Write ToS byte into packet DSCP rewrite enabled No No No Yes Yes Yes Ethernet egress port scheduling congestion avoidance and marking Transmit frame From switching engine or MSFC Drop thresholds PFC3 only 27105 Transmit cell IP traffic from PFC Write ToS byte into packet No Yes Single port ATM OC 12 switchi...

Page 1242: ...upported by the other two Layer 3 switching engines PFC3A supports these features Egress QoS Egress DSCP mutation Optional egress DSCP rewrite These sections describe the QoS feature sets Ethernet Ingress Port Features page 52 10 Layer 3 Switching Engine Features page 52 10 Layer 2 Switching Engine Features page 52 11 Ethernet Egress Port Features page 52 11 Single Port ATM OC 12 Switching Module ...

Page 1243: ...g the Layer 2 destination MAC addresses VLANs and marking using the Layer 2 CoS values Classification and marking with a Layer 2 Switching Engine do not use or set the Layer 3 IP precedence or DSCP values For more information see the Classification and Marking on a Supervisor Engine 1 with a Layer 2 Switching Engine section on page 52 28 Ethernet Egress Port Features With any switching engine QoS ...

Page 1244: ... Layer 3 switching engine only not supported on 1q4t ports except Gigabit Ethernet trust cos Note On 1q4t ports except Gigabit Ethernet the trust cos port keyword displays an error message activates the receive queue drop thresholds and as indicated by the error message does not apply the trust cos trust state to the traffic You must configure the trust cos ACL that matches the ingress traffic to ...

Page 1245: ... the switch through a port that is configured with the trust cos keyword for more information see the Configuring the Trust State of a Port section on page 52 41 Receive Queues Enter the show port capabilities command to see the queue structure of a port The command displays one of the following rx 1q8t indicates one standard queue with eight configurable tail drop thresholds rx 1q2t indicates one...

Page 1246: ...ueue to use both a tail drop and a WRED drop threshold by mapping a CoS value to the queue or to the queue and a threshold The switch uses the tail drop threshold for the traffic carrying the CoS values that are mapped only to the queue The switch uses the WRED drop thresholds for the traffic carrying the CoS values that are mapped to the queue and a threshold For more information see the 1p1q8t R...

Page 1247: ...their default configuration the ACEs in the default ACLs contain the dscp ACE keyword Table 52 1 lists the per port classifications and the marking rules that they invoke QoS uses the configurable mapping tables to set the internal and egress DSCP which is a 6 bit value from the CoS and IP precedence which are 3 bit values for more information see the Internal DSCP Values section on page 52 16 and...

Page 1248: ...fic including non IP traffic is represented with an internal DSCP value QoS derives the internal DSCP value from the following For the trust cos traffic from the received or port Layer 2 CoS values the traffic from an untrusted port has the port CoS value and if the traffic from an untrusted port matches a trust cos ACL QoS derives the internal DSCP value from the port CoS value For the trust ippr...

Page 1249: ...ria in an ACE QoS marks and polices the packet as specified in the ACE and makes no further comparisons There are three ACL types IP and with a Layer 3 switching engine IPX and MAC QoS compares the traffic of each type IP IPX and MAC only to the corresponding ACL type see Table 52 2 QoS supports the user created named ACLs each containing an ordered list of ACEs and the user configurable default A...

Page 1250: ...eyword or with the host keyword and a host address IP destination address and mask entered as specific values or with the any keyword or with the host keyword and a host address DSCP value 0 63 or IP precedence that is specified with a numeric value 0 7 or these keywords Network IP precedence 7 Internet IP precedence 6 Critical IP precedence 5 Flash override IP precedence 4 Flash IP precedence 3 I...

Page 1251: ... page 52 48 You can specify the UDP port parameters numerically 0 65535 or with these keywords Note The UDP ACEs that do not include a Layer 4 UDP port parameter match all UDP traffic IP ACE Layer 4 ICMP Classification Criteria You can create the Internet Control Management Protocol ICMP ACEs that match the traffic containing specific ICMP messages by including the ICMP types and optionally the IC...

Page 1252: ...ork unknown 3 6 dod host prohibited 3 10 no room for option 12 2 dod net prohibited 3 9 option missing 12 1 echo 8 0 packet too big 3 4 echo reply 0 0 parameter problem 12 0 general parameter problem1 12 port unreachable 3 3 host isolated 3 8 precedence unreachable 3 15 host precedence unreachable 3 14 protocol unreachable 3 2 host redirect 5 1 reassembly timeout 11 1 host tos redirect 5 3 redirec...

Page 1253: ...ate the IPX ACEs that match the specific IPX traffic by including these parameters for more information see the Creating or Modifying the Named IPX ACLs section on page 52 51 IPX source network 1 matches any network number Protocol which can be specified numerically 0 255 or with these keywords any ncp 17 netbios 20 rip 1 sap 4 spx 5 IPX ACEs support the following optional parameters IPX destinati...

Page 1254: ...the EtherType field which allows the MAC level QoS to be applied to any traffic except IP and IPX Default ACLs There are three default ACLs one each for IP and with a Layer 3 switching engine IPX and MAC traffic Each ACL has a single ACE that has a configurable marking rule and configurable policers The default ACLs have nonconfigurable classification criteria that matches all traffic QoS compares...

Page 1255: ...t are configured with the trust cos keyword QoS uses the CoS value that is received in the ISL and 802 1Q frames in all other cases QoS uses the CoS value that is configured on the port default is zero dscp all ACLs except IPX and MAC with PFC2 and IPX with PFC3 Instructs QoS to mark the traffic as indicated by the port trust keywords In the IP traffic from the ingress ports that are configured wi...

Page 1256: ...led markdown Because the out of profile packets do not retain their original priority they are not counted as part of the bandwidth that is consumed by the in profile packets For all policers QoS uses a configurable table that maps the received DSCP values to the marked down DSCP values for more information see the Mapping the DSCP Markdown Values section on page 52 75 When the markdown occurs QoS...

Page 1257: ...ped otherwise QoS applies a new DSCP value Follow these guidelines when creating policers You can include a microflow policer in the IP ACEs You cannot include a microflow policer in the IPX or MAC ACEs The IPX and MAC ACEs support only the aggregate policers By default the microflow policers do not affect the bridged traffic To enable microflow policing of the bridged traffic enter the set qos br...

Page 1258: ...and an egress policing rule QoS evaluates both the rules simultaneously and applies the most severe rule Because the policing rules are evaluated simultaneously the markdown from an ingress policing rule is never used as the basis for the egress policing markdown Policing Software Forwarded LAN Traffic The software forwarded LAN traffic LAN traffic that is forwarded in the software by the MSFC can...

Page 1259: ...amed ACL QoS compares the traffic that is received through the port to the default ACLs On a trunk that is configured for port based QoS the traffic in all VLANs that are received through the port is compared to any named ACLs that are attached to the port If you do not attach any named ACLs to the port or if the traffic does not match an ACE in a named ACL QoS compares the traffic that is receive...

Page 1260: ...heduling and Congestion Avoidance page 52 29 Marking page 52 29 Overview QoS schedules the traffic through the transmit queues based on the CoS values and uses the CoS value based transmit queue drop thresholds to avoid congestion in the traffic that is transmitted from the Ethernet ports Note Ethernet egress port scheduling and congestion avoidance uses the Layer 2 CoS values Ethernet egress port...

Page 1261: ...drop threshold and a configurable WRED drop threshold see the 1p3q1t Transmit Queues section on page 52 70 and the 1p2q1t 1p3q8t and 1p7q8t Transmit Queues section on page 52 72 The switch uses the tail drop thresholds for the traffic carrying the CoS values that are mapped only to a queue The switch uses the WRED drop thresholds for the traffic carrying the CoS values that are mapped to a queue a...

Page 1262: ...efault Configuration Feature Default Value QoS enable state Disabled Note With QoS enabled and all other QoS parameters at the default values QoS sets Layer 3 DSCP to zero and Layer 2 CoS to zero in all traffic that is transmitted from the switch DSCP Rewrite Enabled Egress DSCP Mutation Disabled Port CoS value 0 IntraVLAN microflow policing Disabled CoS to internal DSCP map internal DSCP set from...

Page 1263: ...ic from the untrusted ports no policing COPS1 support Disabled RSVP support Disabled QoS statistics data export Disabled With QoS enabled Runtime Port based or VLAN based Port based Config Port based or VLAN based Port based Port trust state Untrusted 2q2t transmit queue size percentages Low priority 80 High priority 20 1p1q0t receive queue size percentages Standard 80 Strict priority 20 1p2q2t tr...

Page 1264: ...rity bandwidth allocation ratio 5 255 1p3q1t standard transmit queue low medium high priority bandwidth allocation ratio 100 150 200 1q4t 2q2t receive and transmit queue CoS value drop threshold mapping Receive queue 1 drop threshold 1 50 and transmit queue 1 drop threshold 1 80 CoS 0 and 1 Receive queue 1 drop threshold 2 60 and transmit queue 1 drop threshold 2 100 CoS 2 and 3 Receive queue 1 dr...

Page 1265: ... and high WRED drop thresholds 70 and 100 Receive queue 1 drop threshold 3 and transmit queue 2 drop threshold 1 CoS 4 Transmit queue low and high WRED drop thresholds 40 and 70 Receive queue 1 drop threshold 4 and transmit queue 2 drop threshold 2 CoS 6 and 7 Transmit queue low and high WRED drop thresholds 70 and 100 1p1q0t receive queue CoS value mapping Receive queue 1 standard nonconfigurable...

Page 1266: ...hrough 8 100 and 100 Standard transmit queue 2 medium priority low and high WRED drop thresholds Threshold 1 70 and 100 CoS 1 and 2 Thresholds 2 through 8 100 and 100 Standard transmit queue 3 high priority low and high WRED drop thresholds Thresholds 1 and 2 40 and 70 Thresholds 3 and 4 50 and 80 Threshold 5 60 and 90 CoS 3 and 4 Threshold 6 60 and 90 Threshold 7 70 and 100 CoS 6 and 7 Threshold ...

Page 1267: ...d high WRED drop thresholds Threshold 1 70 and 100 CoS 4 Thresholds 2 through 8 100 and 100 Standard transmit queue 6 low and high WRED drop thresholds Threshold 1 100 and 100 Threshold 2 70 and 100 CoS 6 Thresholds 3 through 8 100 and 100 Standard transmit queue 7 low and high WRED drop thresholds Threshold 1 100 and 100 Threshold 2 70 and 100 CoS 7 Thresholds 3 through 8 100 and 100 Strict trans...

Page 1268: ...old 6 CoS 6 Low WRED threshold 60 High WRED drop threshold 90 Drop threshold 6 CoS 7 Low WRED threshold 70 High WRED drop threshold 100 Receive queue 2 strict priority CoS 5 1p2q1t transmit queue port CoS value drop threshold mapping Standard transmit queue 1 low priority WRED drop threshold CoS 0 1 2 and 3 Low WRED threshold 70 High WRED drop threshold 100 Standard transmit queue 2 high priority ...

Page 1269: ...y 100 High priority Not used CoS value drop threshold mapping Receive drop threshold 1 and transmit queue 1 drop threshold 1 CoS 0 7 1 COPS Common Open Policy Service Table 52 3 QoS Default Configuration continued Feature Default Value CIR and PIR Rate Value Range Granularity 1 to 2097152 2 Mbs 65536 64 Kb 2097153 to 4194304 4 Mbs 131072 128 Kb 4194305 to 8388608 8 Mbs 262144 256 Kb 8388609 to 167...

Page 1270: ...52 58 Configuring CoS to CoS Maps on 802 1Q Tunnel Ports page 52 60 Mapping a CoS Value to a Host Destination MAC Address VLAN Pair page 52 61 Deleting a CoS Value to a Host Destination MAC Address VLAN Pair page 52 62 Enabling or Disabling Microflow Policing of Bridged Traffic page 52 62 Configuring the Standard Receive Queue Tail Drop Thresholds page 52 63 Configuring the 2q2t Port Standard Tran...

Page 1271: ...ammed into the hardware When you disable QoS the display with the runtime keyword is QoS is disabled Use the config keyword to display the values from the commands that have been entered but which may not currently be programmed into the hardware for example the locally configured QoS values that are currently not used because COPS has been selected as the QoS policy source or the QoS values that ...

Page 1272: ... in this section By default QoS uses the ACLs that are attached to the ports On a per port basis you can configure QoS to use the ACLs that are attached to a VLAN To enable VLAN based QoS on a port perform this task in privileged mode For more information see the Attaching ACLs section on page 52 26 This example shows how to enable the VLAN based QoS on a port Console enable set port qos 1 1 2 vla...

Page 1273: ...o apply the trust cos trust state This example shows how to configure port 1 1 with the trust cos keyword Console enable set port qos 1 1 trust trust cos Port 1 1 qos set to trust cos Console enable Note Only the ISL or 802 1Q frames carry the CoS values Configure the ports with the trust cos keyword only when the received traffic is ISL or 802 1Q frames carrying the CoS values that you know to be...

Page 1274: ... in this section To create a policer perform this task in privileged mode For more information see the Policers section on page 52 24 and the PFC2 Policing Decisions section on page 52 25 Task Command Step 1 Configure the CoS value for a port set port qos cos cos_value Step 2 Verify the configuration show port qos Task Command Step 1 Revert to the default CoS value for a port clear port qos cos St...

Page 1275: ... bucket needs to be at least as large as the burst size to sustain the specified rate If you do not enter the eburst keyword and the eburst_value parameter QoS sets both token buckets to the size that is configured with the burst keyword and the burst_value parameter Because any packet larger than the burst size is considered an out of profile packet make sure that the burst size is greater than o...

Page 1276: ... Console enable set qos policer aggregate test2 rate 64 burst 100 policed dscp QoS policer for aggregate test2 created successfully Console enable show qos policer config aggregate test2 QoS aggregate policers Aggregate name Normal rate kbps Burst size kb Normal action test2 64 100 policed dscp Excess rate kbps Burst size kb Excess action 8000000 100 policed dscp ACL attached Console enable For PF...

Page 1277: ...CE Name Marking Rule Policing and Filtering Syntax page 52 46 Named IP ACLs page 52 46 Modifying the Default IP ACLs page 52 50 Creating or Modifying the Named IPX ACLs page 52 51 Creating or Modifying the Named MAC ACLs page 52 53 Creating or Modifying the Default IPX and MAC ACLs page 52 54 Deleting a Named ACL page 52 54 Reverting to the Default Values in the Default ACLs page 52 55 Discarding ...

Page 1278: ...ge 52 24 src_ip_spec precedence precedence dscp field dscp The rest of the parameters except the editbuffer keywords configure filtering Named IP ACLs These sections describe how to create or modify the IP ACLs Source and Destination IP Addresses and Masks page 52 46 Port Operator Parameters page 52 47 Precedence Parameter Options page 52 47 IP ACEs for TCP Traffic page 52 47 IP ACEs for UDP Traff...

Page 1279: ...privileged mode For the port parameter keyword options see the IP ACE Layer 4 TCP Classification Criteria section on page 52 19 The established keyword matches the traffic with the ACK or RST bits set This example shows how to create an IP ACE for the TCP traffic Console enable set qos acl ip my_IPacl trust ipprec microflow my micro aggregate my agg tcp any any my_IPacl editbuffer modified Use com...

Page 1280: ...e an IP ACE for ICMP echo traffic Console enable set qos acl ip my_IPacl trust ipprec microflow my micro aggregate my agg icmp any any echo my_IPacl editbuffer modified Use commit command to apply changes Console enable Task Command Step 1 Create or modify an IP ACE for the UDP traffic set qos acl ip acl_name dscp dscp_value trust cos trust ipprec trust dscp microflow microflow_name aggregate aggr...

Page 1281: ... in privileged mode Note With software Release 8 3 1 and later the ACLs with the output keyword applied also support the trust cos and trust ipprec keywords For the protocol parameter keyword options see the IP ACE Layer 4 Protocol Classification Criteria section on page 52 18 Task Command Step 1 Create or modify an IP ACE for the IGMP traffic set qos acl ip acl_name dscp dscp_value trust cos trus...

Page 1282: ...tions describe how to modify the default IP ACLs Modifying the Default IP Ingress ACL page 52 50 Modifying the Default IP Egress ACL page 52 51 Modifying the Default IP Ingress ACL To modify the default IP ingress ACL perform this task in privileged mode Note Only PFC3 supports the input keyword For more information see the Default ACLs section on page 52 22 Task Command Step 1 Create or modify an...

Page 1283: ...t the internal DSCP value not a received DSCP value see the Internal DSCP Values section on page 52 16 For more information see the Default ACLs section on page 52 22 This example shows how to modify the default IP ACL Console enable set qos acl default action ip dscp 5 microflow my micro aggregate my agg QoS default action for IP ACL is set successfully Console enable Creating or Modifying the Na...

Page 1284: ...48 bits formatted as a dotted triplet of four digit hexadecimal digits each xxxx xxxx xxxx If you specify an IPX destination node the IPX ACEs support an IPX destination node mask entered as 12 hexadecimal digits 48 bits formatted as a dotted triplet of four digit hexadecimal digits each xxxx xxxx xxxx Use one bits which need not be contiguous where you want the wildcards This example shows how to...

Page 1285: ...meter as 4 hexadecimal digits 16 bits prefaced with 0x for example 0x0600 or as a keyword see the MAC ACE Layer 2 Classification Criteria section on page 52 21 This example shows how to create a MAC ACE Console enable set qos acl mac my_MACacl trust cos aggregate my agg any any my_MACacl editbuffer modified Use commit command to apply changes Console enable Note The QoS MAC ACLs that do not includ...

Page 1286: ...the microflow policers Deleting a Named ACL To delete a named ACL perform this task in privileged mode This example shows how to delete the ACL named icmp_acl Console enable clear qos acl icmp_acl 1 ACL icmp_acl ACE 1 is deleted icmp_acl editbuffer modified Use commit command to apply changes Console enable Task Command Step 1 Create or modify the default IPX or MAC ACL With a PFC set qos acl defa...

Page 1287: ...mmitted ACL named my_acl Console enable rollback qos acl my_acl Rollback for QoS ACL my_acl is successful Console enable Note The changes to the default ACLs take effect immediately and cannot be discarded Committing an ACL When you create change or delete a named ACL the changes exist temporarily in an edit buffer in memory To commit the ACL so that it can be used perform this task in privileged ...

Page 1288: ... IPX MAC Layer to each port that is configured for port based QoS You cannot attach the ACLs to a port that is configured for VLAN based QoS for more information see the Enabling Port Based or VLAN Based QoS section on page 52 40 With PFC3 for the egress traffic attach an IP ACL to each VLAN When an ACL of a particular type IP IPX or MAC Layer is already attached to an interface attaching a differ...

Page 1289: ... ACL from a port or a VLAN perform this task in privileged mode Note Only PFC3 supports the input and output keywords This example shows how to detach an ACL named my_acl from port 2 1 Console enable clear qos acl map my_acl 2 1 Hardware programming in progress ACL my_acl is detached from port 2 1 Console enable This example shows how to detach an ACL named my_acl from VLAN 4 Console enable clear ...

Page 1290: ...tation maps define the internal DSCP to egress DSCP relationships To configure a DSCP mutation map perform this task in privileged mode This example shows how to configure DSCP mutation map 1 Console enable set qos dscp mutation map 1 30 2 QoS dscp mutation map with mutation table id 1 has been set correctly Console enable This example shows how to verify DSCP mutation map 1 Console enable show qo...

Page 1291: ...s task in privileged mode This example shows how to apply DSCP mutation map 1 to VLANs 3 and 20 through 30 Console enable set qos dscp mutation table map 1 3 20 30 VLAN s 3 20 30 are mapped to mutation table id 1 Console enable This example shows how to verify the VLAN to mutation map mapping Console enable show qos maps config mutation table id 1 VLAN ID map Map ID VLANs 1 1 20 30 Task Command St...

Page 1292: ...lear qos dscp mutation table map all All VLANs are removed from mutation table ids Configuring CoS to CoS Maps on 802 1Q Tunnel Ports Ingress Cos to CoS mapping is supported on 802 1Q tunnel ports on the WS X6704 10GE WS X6724 SFP and WS X6748 GE TX switching modules CoS to CoS mapping is disabled on the ports that are not configured as 802 1Q tunnel ports Defining a CoS to CoS Map To define a CoS...

Page 1293: ...ng restored to default Console enable Mapping a CoS Value to a Host Destination MAC Address VLAN Pair Note QoS supports this command only with a Layer 2 Switching Engine To map a CoS value to all frames that are destined for a particular host destination MAC address and VLAN number value pair perform this task in privileged mode Task Command Step 1 Enable the CoS to CoS map on an 802 1Q tunnel por...

Page 1294: ...a Layer 2 Switching Engine does not support the commands in this section By default the microflow policers affect only the Layer 3 switched traffic To enable or disable microflow policing of the bridged traffic on the switch or on specified VLANs perform one of these tasks in privileged mode Note With Layer 3 Switching Engine II to do any microflow policing you must enable microflow policing of th...

Page 1295: ...ue of 10 indicates a threshold when the buffer is 10 percent full This example shows how to configure the standard receive queue tail drop thresholds Console enable set qos drop threshold 1q4t rx queue 1 20 40 75 100 Receive drop thresholds for queue 1 set at 20 40 75 100 Console enable Note You cannot configure a drop threshold in a 1p1q0t receive queue Configuring the 2q2t Port Standard Transmit...

Page 1296: ...sholds To configure the standard queue WRED drop thresholds on all ports of each type perform this task in privileged mode When configuring the 1p1q8t ports note the following Queue 1 is the single standard receive queue When you configure the single standard receive queue note the following The first percentage that you enter sets the lowest priority threshold The second percentage that you enter...

Page 1297: ...threshold When configuring the 1p2q2t ports note the following Queue 1 is the low priority standard transmit queue Queue 2 is the high priority standard transmit queue When configuring each standard transmit queue note the following The first percentage that you enter sets the low priority threshold The second percentage that you enter sets the high priority threshold When configuring the 1p3q1t p...

Page 1298: ...y allows a queue to use the specific amount of bandwidth that the weight allocates Deficit weighted round robin DWRR Supported on 1p3q1t 1p2q1t 1p3q8t and 1p7q8t ports DWRR keeps track of any low priority queue under transmission and compensates in the next round Weighted round robin WRR Supported on all other ports WRR allows a queue to use more than the allocated bandwidth if the other queues ar...

Page 1299: ...o For the 2q2t 1p2q2t 1p2q1t 1p3q8t and 1p7q8t ports estimate the mix of the traffic of various priorities on your network for example 75 percent low priority traffic 15 percent high priority traffic and 10 percent strict priority traffic Specify the queue ratios with the estimated percentages which must range from 1 99 and together add up to 100 To configure the transmit queue size ratio for each...

Page 1300: ... queue 1 standard threshold 3 transmit queue 2 standard high priority threshold 1 Receive queue 1 standard threshold 4 transmit queue 2 standard high priority threshold 2 Use the transmit queue and transmit queue drop threshold values in this command This example shows how to associate the CoS values 0 and 1 to both the standard receive queue 1 threshold 1 and the standard transmit queue 1 thresho...

Page 1301: ... map 1q2t rx 1 1 cos 3 QoS rx priority queue and threshold mapped to cos successfully Console enable 1p1q4t Receive Queues To associate the CoS values to the 1p1q4t receive queue drop thresholds perform this task in privileged mode Queue 1 is the standard queue Queue 2 is the strict priority queue The threshold numbers range from 1 for low priority to 4 for high priority This example shows how to ...

Page 1302: ... the 1p1q0t receive queues perform this task in privileged mode Queue 1 is the standard queue and queue 2 is the strict priority queue This example shows how to associate the CoS value 5 to the strict priority receive queue 2 Console enable set qos map 1p1q0t rx 2 cos 5 QoS queue mapped to cos successfully Console enable 1p3q1t Transmit Queues With the 1p3q1t transmit queues you can associate a Co...

Page 1303: ...e with either the nonconfigurable tail drop threshold or the configurable WRED drop threshold To associate a CoS value with the tail drop threshold map the CoS value to the queue To associate a CoS value with the WRED drop threshold map the CoS value to the queue and threshold 1p1q8t Receive Queues To associate the CoS values to the 1p1q8t receive queue drop thresholds perform this task in privile...

Page 1304: ...rity transmit queue To map the CoS values to the tail drop threshold omit the threshold number or enter 0 This example shows how to associate the CoS value 0 to the transmit queue 1 drop threshold 1 Console enable set qos map 1p2q1t tx 1 1 cos 0 Qos tx strict queue and threshold mapped to cos successfully Console enable Reverting to the CoS Map Default To revert to the default CoS value drop thres...

Page 1305: ...sk in privileged mode Enter 8 DSCP values to which the QoS maps received CoS values 0 7 This example shows how to map the received CoS values to the internal DSCP values Console enable set qos cos dscp map 20 30 1 43 63 12 13 8 QoS cos dscp map set successfully Console enable To revert to the default CoS to DSCP value mapping perform this task in privileged mode This example shows how to revert to...

Page 1306: ...Mapping the Internal DSCP Values to the Egress CoS Values To map the internal DSCP values to the egress CoS values that are used for egress port scheduling and congestion avoidance perform this task in privileged mode For more information see the Internal DSCP Values section on page 52 16 and the Ethernet Egress Port Scheduling Congestion Avoidance and Marking section on page 52 28 Task Command St...

Page 1307: ...e pairs This example shows how to map the DSCP markdown values Console enable set qos policed dscp map 20 25 7 33 38 3 QoS dscp dscp map set successfully Console enable This example shows how to map the DSCP markdown values for the packets exceeding the excess rate Console enable set qos policed dscp map 33 30 QoS normal rate policed dscp map set successfully Console enable set qos policed dscp ma...

Page 1308: ...ced dscp map Displaying QoS Information To display the QoS information perform this task This example shows how to display the QoS runtime information for port 2 1 Console show qos info config 2 1 QoS setting in NVRAM QoS is enabled Port 2 1 has 2 transmit queue with 2 drop thresholds 2q2t Port 2 1 has 1 receive queue with 4 drop thresholds 1q4t Interface type vlan based ACL attached The qos trust...

Page 1309: ...the QoS statistics perform this task This example shows how to display the QoS statistics for port 2 1 Console enable show qos statistics 5 1 Tx port type of port 5 1 2q2t Q Threshold Packets Average Packet Peak Packet dropped pkts drop rate pps drop rate pps 1 1 963646 2052 4369 1 2 0 0 0 2 1 0 0 0 2 2 0 0 0 Rx port type of port 5 1 1q4t For untrusted ports all the packets are sent to the same qu...

Page 1310: ...te ag1 2171253 411450 QoS aggregate policer average rate statistics over 5 minutes Aggregate policer Allowed packet Traffic exceeding count excess rate ag1 5399 1024 QoS aggregate policer peak rate statistics over 5 minutes collected every 30 seconds Aggregate policer Peak Allowed rate pps ag1 20802 For PFC3B or PFC3BXL based switches the peak allowed packet count rate will not be displayed The pe...

Page 1311: ... privileged mode This example shows how to disable QoS Console enable set qos disable QoS is disabled Console enable Configuring COPS Support Note Supervisor Engine 1 with a Layer 2 Switching Engine does not support the commands in this section COPS can configure QoS only for the IP traffic Use the CLI or SNMP to configure QoS for all the other traffic Throughout this publication and all Catalyst ...

Page 1312: ...10 100 Mbps and 100 Mbps Ethernet switching modules controls all ports On the 10 Mbps 10 100 Mbps and 100 Mbps Ethernet switching modules another set of port ASICs control 12 ports each 1 12 13 24 25 36 and 37 48 but COPS cannot configure them Changes to an EtherChannel port apply to all ports in the EtherChannel and to all ports that are controlled by the ASIC or ASICs that control the EtherChann...

Page 1313: ...cy source for the switch set to local Console enable Enabling Use of the Locally Configured QoS Policy When enabled COPS is the default QoS policy source for all ports You can use a locally configured QoS policy on a per ASIC basis To enable use of the locally configured QoS policy on a port ASIC perform this task in privileged mode This example shows how to enable use of the locally configured Qo...

Page 1314: ...rst assignment of a new role to a port creates the role To assign the roles to a port ASIC perform this task in privileged mode This example shows how to assign two new roles to the ASIC controlling port 2 1 Console enable set port cops 2 1 roles mod2ports1 12 access New role mod2ports1 12 created New role access created Roles added for port 2 1 12 Console enable Removing a Role from the Port ASIC...

Page 1315: ...rver The port variable is the PDP server TCP port number Use the diff serv keyword to set the address only for COPS This example shows how to configure a PDP server Console enable set cops server my_server1 primary my_server1 added to the COPS diff serv server table as primary server my_server1 added to the COPS rsvp server table as primary server Console enable Deleting the PDP Server Configurati...

Page 1316: ... name set to my_domain Console enable Deleting the COPS Domain Name To delete the COPS domain name perform this task in privileged mode This example shows how to delete the COPS domain name Console enable clear cops domain name Domain name cleared Console enable Configuring the COPS Communications Parameters To configure the parameters that COPS uses to communicate with the PDP server perform this...

Page 1317: ...late and receiver proxy functionality support as implemented on the Catalyst 6500 series switches These sections describe how to configure the RSVP null service template and receiver proxy functionality support Enabling RSVP Support page 52 85 Disabling RSVP Support page 52 86 Enabling the Participation in the DSBM Election page 52 86 Disabling the Participation in the DSBM Election page 52 86 Con...

Page 1318: ...enable the participation of a port in the election of the DSBM perform this task in privileged mode The range for the priority parameter is from 128 255 This example shows how to enable the participation of ports 2 1 and 3 2 in the election of the DSBM Console enable set port rsvp 2 1 3 2 dsbm election enable 232 DSBM enabled and priority set to 232 for ports 2 1 3 2 Console enable Disabling the P...

Page 1319: ...erver TCP port number Use the rsvp keyword to set the address only for RSVP This example shows how to configure a PDP server Console enable set cops server my_server1 primary rsvp my_server1 added to the COPS rsvp server table as primary server Console enable Deleting the PDP Server Configuration To delete the PDP server configuration perform this task in privileged mode Use the rsvp keyword to de...

Page 1320: ... qos rsvp policy timeout 45 RSVP database policy timeout set to 45 minutes Console enable Configuring the RSVP Use of Local Policy To configure how RSVP operates after communication with the PDP is lost perform this task in privileged mode The forward keyword sets the local policy to forward all new or modified RSVP path messages The reject keyword sets the local policy to reject all new or modifi...

Page 1321: ...nd the aggregate policers you must first configure the feature globally To enable QoS statistics data export globally perform this task in privileged mode This example shows how to enable QoS statistics data export globally and verify the configuration Console enable set qos statistics export enable Export is enabled Export destination 172 20 52 3 SYSLOG facility LOG_LOCAL6 176 severity LOG_DE BUG...

Page 1322: ... enable show qos statistics export info Statistics export status and configuration information Export status enabled Export time interval 300 Export destination 172 20 52 3 SYSLOG facility LOG_LOCAL6 176 severity LOG_DE BUG 7 Port Export 1 1 disabled 1 2 disabled 3 1 disabled 3 2 disabled 5 1 enabled 5 2 disabled output truncated Console enable When enabled on a port QoS statistics data export con...

Page 1323: ...how qos statistics export info Statistics export status and configuration information Export status enabled Export time interval 300 Export destination 172 20 52 3 SYSLOG facility LOG_LOCAL6 176 severity LOG_DE BUG 7 Port Export 1 1 disabled 1 2 disabled 3 1 disabled 3 2 disabled 5 1 enabled 5 2 disabled output truncated Aggregate name Export ipagg_3 enabled Console enable When enabled for a named...

Page 1324: ...ime interval for the QoS statistics data export perform this task in privileged mode This example shows how to set the QoS statistics data export interval and verify the configuration Console enable set qos statistics export interval 500 Time interval set to 500 Console enable show qos statistics export info Statistics export status and configuration information Export status enabled Export time i...

Page 1325: ...ort 9996 Port Export 1 1 disabled 1 2 disabled 3 1 disabled 3 2 disabled 5 1 enabled 5 2 disabled output truncated Aggregate name Export ipagg_3 enabled Console enable Displaying the QoS Statistics To display the QoS statistics per aggregate policer packet and byte rates perform this task in privileged mode This example shows how to display the QoS statistics per aggregate policer packet and byte ...

Page 1326: ...52 94 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 52 Configuring QoS Configuring QoS on the Switch ...

Page 1327: ... the Switch page 53 3 Using Automatic QoS in Your Network page 53 28 Understanding How Automatic QoS Works Automatic QoS consists of a macro that simplifies the QoS configuration on the Catalyst 6500 series switches The automatic QoS macro covers all the QoS configuration tasks that are required for implementing the recommended Architecture for Voice Video and Integrated Data AVVID settings for a ...

Page 1328: ...d by AFXY where X is the class number and Y is the drop precedence number X corresponds to a queue and Y corresponds to a drop precedence value within the queue either WRED or tail drop EF has the highest priority BE has the lowest priority and the priority for AF is somewhere in between See Table 53 1 for the recommended CoS and DSCP values for the voice networks and other traffic types The value...

Page 1329: ...switch can also use the DSCP field for the same purpose In most Cisco IP Phone 79xx configurations the traffic that comes from the phone and enters the switch is trusted You set the port trust to trust cos to prioritize the voice traffic over other types of traffic in the network The Cisco IP Phone 79xx has a built in switch that mixes the traffic that comes from the PC the phone and the switch po...

Page 1330: ... for a particular port to reflect the desired traffic type voice video and applications Tip To ensure that automatic QoS works properly you should execute both components Automatic QoS Configuration Guidelines and Restrictions These sections provide the configuration guidelines and restrictions for automatic QoS Configuration Files page 53 4 Supported Phones page 53 5 CDP Dependencies page 53 5 CO...

Page 1331: ...sion 1 You need to enable CDP only for the ciscoipphone QoS configuration CDP does not affect the other components of the automatic QoS features When you use the ciscoipphone keyword with the port specific automatic QoS feature a warning displays if the port does not have CDP enabled See the CDP Warning section on page 53 24 COPS Considerations You can configure a port for the local policy or the ...

Page 1332: ...bal QoS settings For more information see the Typical CoS and DSCP Values for Voice and Video Networks section on page 53 2 Clearing the QoS Configuration Clearing the QoS configuration resets the configuration to the default QoS values The automatic QoS features do not alter the default values PFC PFC2 Support No PFC or PFC2 is required for the ciscoipphone and trust cos keywords A PFC or PFC2 is...

Page 1333: ...obal Automatic QoS Detail Settings Table 53 2 through Table 53 6 list the values of all the QoS parameters that are configured through the global automatic QoS command Note The 1p1q8t default WRED settings are not changed from the current QoS defaults only the CoS to threshold map is changed Table 53 2 Switch Wide Settings Global QoS Settings QoS Parameter Setting CoS to DSCP map 0 10 18 26 34 46 ...

Page 1334: ...2 70 100 5 6 7 Q2t2 5 6 7 100 Q3t1 3 4 70 90 Q3 6 7 WRED disabled Q4t1 5 Table 53 5 Scheduling Specific Settings Global QoS Settings Field Value 1p2q2t txq ratio 70 15 15 q1 q2 1p 1p2q2t wrr 50 255 q1 q2 1p1q8t rxq ratio 80 20 q1 1p 1p2q1t txq ratio 70 15 15 q1 q2 1p 1p2q1t wrr 50 255 q1 q2 Table 53 6 CoS to Queue Maps and Tail WRED Settings Global QoS Settings 1p2q2t WRED 1p1q4t Tail 1p2q1t WRED ...

Page 1335: ...3 Port Specific Automatic QoS Settings ciscoipphone Use the ciscoipphone keyword to set the port to trust cos and to enable trusted boundary Combined with the global automatic QoS command all settings are configured on the switch to properly handle the signaling voice bearer and PC data entering and leaving the port In addition to the switch side QoS settings that are covered by the global automat...

Page 1336: ... You must disable trusted boundary for the Cisco SoftPhone ports Table 53 8 lists the port specific settings that are implemented after executing the automatic QoS voip ciscosoftphone macro on a port See the Port Specific Automatic QoS voip ciscosoftphone section on page 53 22 for detailed configuration examples Table 53 7 Port Specific Settings for Voice ciscoipphone Keyword Item Value Interface ...

Page 1337: ...packet length of 1000 bytes Signaling is transmitted with DSCP 24 and the bearer channel of the SoftPhone stream with DSCP 46 Trust type config untrusted Item Value Trust type runtime untrusted Default CoS config 0 Default CoS runtime 0 Trust device none Trust ext Untrusted Cos ext 0 QoS ACL attached to port trust dscp aggregate POLICE_SOFTPHONE DSCP46 x y any dscp field 461 2 trust dscp aggregate...

Page 1338: ...out of NVRAM space you might need to use the text configuration mode For more information see the Out of TCAM Space section on page 53 23 Port Specific Automatic QoS Settings trust cos Use the trust cos automatic QoS keyword for the ports that require a trust all solution Use the keyword only on the ports that connect other switches or known servers because the port trusts all inbound traffic mark...

Page 1339: ...tomatic QoS Macro set qos autoqos page 53 14 Port Specific Automatic QoS Macro set port qos autoqos page 53 14 Displaying the QoS Settings page 53 14 Clearing the Automatic QoS Settings page 53 15 Tracking the QoS Configuration page 53 17 Table 53 10 Port Specific Settings for Trusts trust dscp Keyword Item Value Interface type Port based Policy source config Local Policy source runtime Local as p...

Page 1340: ...d Console enable set port qos 3 1 autoqos help Usage set port qos mod port autoqos trust cos dscp set port qos mod port autoqos voip ciscoipphone ciscosoftphone Console enable set port qos 3 1 autoqos voip ciscoipphone Port 3 1 ingress QoS configured for Cisco IP Phone It is recommended to execute the set qos autoqos global command if not executed previously Console enable This example shows how t...

Page 1341: ...rts cos ext Clear QoS default CoS extension on ports Console enable clear port qos 3 1 autoqos Port based QoS settings will be restored back to factory defaults for port 3 1 Do you want to continue y n n y Port 3 1 autoqos settings have been cleared It is recommended to execute the clear qos autoqos global command if not executed previously to clear global autoqos settings Console enable The port ...

Page 1342: ...ith POLICE_SOFTPHONE DSCP If a policer is found and there is no QoS ACL that is associated with it it is deleted If a policer is found and there is a QoS ACL that is associated with it a warning is displayed indicating that the policer is still in use Various error conditions can occur when you use the global clear command If you have properly executed the port based clear commands before entering...

Page 1343: ...ent appears in the configuration file to help you determine where the QoS configuration originated Traditional QoS or automatic QoS The comment is created after you enter the global set qos autoqos command and remains in the configuration file until you enter either the clear global autoqos command or the clear qos config command An example is as follows Console enable set qos autoqos All ingress ...

Page 1344: ...S trust dscp page 53 22 Global Automatic QoS Macro Entering the global automatic QoS command results in the following configuration set qos autoqos set qos enable set qos policy source local set qos ipprec dscp map 0 10 18 26 34 46 48 56 set qos cos dscp map 0 10 18 26 34 46 48 56 set qos dscp cos map 0 7 0 8 15 1 16 23 2 24 31 3 32 39 4 40 47 5 48 55 6 56 63 7 set qos acl default action ip dscp 0...

Page 1345: ...q8t rx 1 1 cos 0 set qos map 1p1q8t rx 1 5 cos 1 2 set qos map 1p1q8t rx 1 8 cos 3 4 set qos map 1p1q8t rx 2 cos 5 6 7 set qos wred 1p1q8t queue 1 1 40 70 set qos wred 1p1q8t queue 1 5 60 90 set qos wred 1p1q8t queue 1 8 70 100 set qos rxq ratio 1p1q8t 80 20 set qos policed dscp map 0 0 set qos policed dscp map 1 1 set qos policed dscp map 2 2 set qos policed dscp map 3 3 set qos policed dscp map ...

Page 1346: ...2 62 set qos policed dscp map 63 63 set qos policed dscp map excess rate 0 0 set qos policed dscp map excess rate 1 1 set qos policed dscp map excess rate 2 2 set qos policed dscp map excess rate 3 3 set qos policed dscp map excess rate 4 4 set qos policed dscp map excess rate 5 5 set qos policed dscp map excess rate 6 6 set qos policed dscp map excess rate 7 7 set qos policed dscp map excess rate...

Page 1347: ...54 54 set qos policed dscp map excess rate 55 55 set qos policed dscp map excess rate 56 56 set qos policed dscp map excess rate 57 57 set qos policed dscp map excess rate 58 58 set qos policed dscp map excess rate 59 59 set qos policed dscp map excess rate 60 60 set qos policed dscp map excess rate 61 61 set qos policed dscp map excess rate 62 62 set qos policed dscp map excess rate 63 63 Port Sp...

Page 1348: ...p field 26 commit qos acl ACL_IP SOFTPHONE mod port set qos acl map ACL_IP SOFTPHONE mod port mod port Port Specific Automatic QoS trust cos Entering the port specific automatic QoS command results in the following configuration set port qos mod port autoqos trust cos set port qos mod port policy source local set port qos mod port port based set port qos mod port cos 0 set port qos mod port cos ex...

Page 1349: ...o fix the trust problem you may note that the following QoS ACL names are already in use where x 1 to 99 ACL_IP PHONESx for ciscoipphone ACL_IP SOFTPHONE m p x for ciscosoftphone ACL_IP TRUSTCOSx for trust cos ACL_IP TRUSTDSCPx for trust dscp This example shows the display when the system is out of ACL names Console enable set port qos 4 1 autoqos voip ciscoipphone ERROR IP QoS ACL name in use cou...

Page 1350: ...to DSCP DSCP to COS and IP Precedence to DSCP maps configured Global QoS configured port specific autoqos recommended set port qos mod port autoqos trust cos dscp set port qos mod port autoqos voip ciscoipphone ciscosoftphone Console enable CDP Warning When executing the port specific automatic QoS command with the ciscoipphone keyword without the trust option the trust device feature is enabled T...

Page 1351: ...nd on an interface where QoS is disabled a notification message appears in the CLI as follows Console enable set port qos 4 1 autoqos voip ciscosoftphone Port 4 1 ingress QoS configured for ciscosoftphone Policing configured on 4 1 QoS is disabled changes will take effect after QoS is enabled It is recommended to execute the set qos autoqos global command if not executed previously Console enable ...

Page 1352: ...pphone keyword if the phone is detected to have left the port a syslog message displays stating that the device has left and the port trust state has been changed as follows Console enable 2001 Jun 02 09 20 42 QOS 5 DEVICE_LOST ciscoipphone not detected on port 4 1 port set to untrusted Console enable Device Detected on the Port Notice Level If the trusted device joins the port a syslog message di...

Page 1353: ...ngs that were previously applied Works with the port based automatic QoS command Port Based Automatic QoS Features The port based automatic QoS features are summarized as follows voip ciscoipphone Changes the port to port based QoS For the 1p1q0t 1p3q1t ports changes all ports to port based mode Creates a trust cos QoS ACL for the ports that need it 1q4t 2q2t ports Applies the trust cos ACL to the...

Page 1354: ...ACL for the ports that need it 1q4t 2q2t ports Applies the trust dscp ACL to the port 1q4t 2q2t ports Disables trusted boundary on the port Sets port trust to untrusted 1q4t 2q2t ports or trust dscp not on 1q4t 2q2t ports Supports the ports with or without an auxiliary VLAN Supported on all ports Requires the PFC or the PFC2 Using Automatic QoS in Your Network Tip To ensure that automatic QoS work...

Page 1355: ...ect a Cisco IP Phone 79xx with a PC running Cisco SoftPhone the control traffic through CTI communication with the Cisco CallManager is tagged but is remarked to DSCP 0 ciscosoftphone Ports that connect a PC running Cisco SoftPhone without a Cisco IP Phone 79xx trust Ports that connect to other places in the network where all automatic QoS traffic types exist2 2 For ports connecting to other netwo...

Page 1356: ...53 30 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 53 Using Automatic QoS Using Automatic QoS in Your Network ...

Page 1357: ...ervisor Engine 720 with PFC3A PFC3B PFC3BXL or Supervisor Engine 32 with PFC3B PFC3BXL This chapter consists of these sections Hardware and Software Requirements page 54 1 Understanding How ASLB Works page 54 2 Cabling Guidelines page 54 7 Configuring ASLB on the Switch page 54 7 ASLB Configuration Example page 54 18 ASLB Redundant Configuration Example page 54 21 Troubleshooting the ASLB Configur...

Page 1358: ...xternally attached Catalyst 6500 series switch can also be used as a participating router Other Cisco routers can also be used as participating routers for ASLB Understanding How ASLB Works Note Refer to the Cisco LocalDirector Installation and Configuration Guide Version 3 2 for an overview on load balancing TCP IP traffic These sections describe ASLB Layer 3 Operations for ASLB page 54 3 Layer 2...

Page 1359: ...ntry for the MAC address of the LocalDirector that is associated with a port index and the server VLAN has entries for the router MAC addresses that are associated with the port indexes In these port indexes the ports appear as 0 0 You can display system CAM entries by entering the show cam system command Table 54 1 shows the entries in the CAM table the ASLB configuration is shown in Figure 54 1 ...

Page 1360: ...ts standard load balancing decision and forwards the frame to port PB The LocalDirector changes the destination MAC address to that of the appropriate server When this frame enters the switch it is considered an enabler frame The switch hardware does a lookup in the Layer 3 table and searches for the entry that is created by the previous candidate packet the packet that is forwarded through the Lo...

Page 1361: ...able 2 20 Server MAC4 4 The MAC address of the server that the LocalDirector selected Router MAC1 VIP CIP Enabler frame 3 N 10 LocalDirector MAC1 Router MAC VIP CIP Full ASLB MLS entry created N 1 10 LocalDirector MAC1 Router MAC VIP CIP FIN RST Path 1 redirect N 2 20 Server MAC Router MAC1 VIP CIP FIN RST Path 2 Table 54 3 Client to Server ASLB Layer 3 Table Entries IP Destination Address IP Sour...

Page 1362: ... the source MAC address of the packet was unmodified Figure 54 3 Server to Client ASLB Packet Flow Table 54 4 Server to Client ASLB Packet Flow Path Number VLAN MAC Destination Address MAC Source Address IP Destination Address IP Source Address Flags Action 1 20 Router MAC1 1 This MAC address has an Xtag value of 14 in the Layer 2 table for this packet s VLAN Server MAC2 2 The MAC address of the s...

Page 1363: ... on page 54 7 to configure the LocalDirector interfaces See the Configuring ASLB from the CLI section on page 54 11 to configure the switch Configuring ASLB on the Switch This section lists the tasks to configure ASLB Configuring the LocalDirector Interfaces page 54 7 ASLB Configuration Guidelines page 54 8 Configuring ASLB from the CLI page 54 11 Configuring the LocalDirector Interfaces Refer to ...

Page 1364: ...c router command When ASLB is configured a VLAN access control list VACL is created to redirect the TCP traffic on the two VLANs to which the LocalDirector is connected no security Cisco IOS access control lists ACLs or VACLs can be configured on these VLANs Servers The server configuration guidelines are as follows The servers must be either directly attached to the switch or within the same brid...

Page 1365: ...tion need to follow RFC 1918 for privacy use the following as a guideline the virtual IP address in this example is 171 1 1 200 Supervisor Engine The supervisor engine configuration guidelines are as follows Up to 32 router MAC addresses are supported Up to 1024 virtual IP TCP port pairs are supported Backup LocalDirector Configuration Optional Connect the ports on the backup LocalDirector to the ...

Page 1366: ...you cannot use ASLB if you enable NDE VLANs The VLAN configuration guidelines are as follows When you configure ASLB a VACL is created to redirect the TCP traffic on the two VLANs to which the LocalDirector is connected router VLAN and server VLAN You cannot configure any security Cisco IOS ACLs or VACLs on these VLANs Dedicate the router VLAN and server VLAN for ASLB use only Do not connect the o...

Page 1367: ...Displaying the ASLB MLS Statistics page 54 17 Clearing the ASLB Configuration page 54 17 Configuring the Switch Ports Connected to the LocalDirector To configure the 10 100 Ethernet switch ports that are connected to the LocalDirector perform these steps Step 1 Enter the set vlan vlan_num mod_ports command to add the switch ports to the correct VLANs router VLAN and server VLAN Step 2 Note that th...

Page 1368: ...e clear lda vip command Note You can use a zero 0 as a wildcard don t care digit for the destination_tcp_port To specify the server virtual IP addresses and TCP ports for acceleration perform this task in privileged mode This example shows how to specify a server virtual IP address and TCP port for acceleration Console enable set lda vip 10 0 0 8 8 Successfully set server virtual ip and port infor...

Page 1369: ...tch port s to which the LocalDirector is connected you must enter the set lda router command again to specify the new configuration Note Specifying a backup LocalDirector port is optional unless you are setting up a failover configuration of LocalDirectors If you are setting up a failover configuration you must specify the ports for the backup LocalDirector If this is not done failover does not wo...

Page 1370: ...da server 105 4 40 Successfully set server vlan and LD port Use commit lda command to save settings to hardware Console enable Configuring the UDP Aging To configure the User Datagram Protocol UDP aging perform this task in privileged mode You can set the aging from 1 2024000 milliseconds ms Enter a value of zero to disable UDP aging This example shows how to configure the UDP aging to 500 ms Cons...

Page 1371: ...onfiguration settings To display the committed or uncommitted ASLB configuration settings perform this task in privileged mode This example shows how to display the committed ASLB configuration settings Console enable show lda committed Status Committed Virtual IP addresses Local Director Flow 10 0 0 8 TCP port 8 Router MAC 00 23 45 67 ee 7f LD MAC 00 11 22 33 55 66 LD Router Side Router and LD ar...

Page 1372: ... all the ASLB MLS entries in short format Console enable show lda mls entry short Destination IP Source IP Prot DstPrt SrcPrt Destination Mac Vlan EDst ESrc DPort SPort Stat Pkts Stat Bytes Uptime Age 10 0 0 8 172 20 20 10 TCP 8 64 00 33 66 99 22 44 105 ARPA ARPA 4 25 0 0 00 00 02 00 00 05 10 0 0 8 172 20 20 11 TCP 8 64 00 33 66 99 22 44 105 ARPA ARPA 4 25 0 0 00 00 05 00 00 08 Console enable This...

Page 1373: ...ive shortcuts 20 Console enable This example shows how to display the statistics for a specific destination IP address Console enable show lda mls statistics entry destination 172 20 22 14 Last Used Last Used Destination IP Source IP Prot DstPrt SrcPrt Stat Pkts Stat Bytes 172 20 22 14 172 20 25 10 6 50648 80 3152 347854 Console enable Clearing the ASLB Configuration Caution If you do not enter an...

Page 1374: ...pecific ASLB router MAC address Console enable clear lda mac 1 2 3 4 5 6 Successfully cleared Router MAC address Console enable ASLB Configuration Example This section provides an example of a typical ASLB network configuration Figure 54 4 shows the example network The configuration specifications are as follows The virtual IP address is 192 255 201 55 The router interface MAC address is 00 d0 bc ...

Page 1375: ...guration Example The router configuration is as follows MSM is used in this example interface Port channel1 7 encapsulation isl 7 ip address 192 255 201 1 255 255 255 0 no ip redirects no ip directed broadcast The Catalyst 6500 series switch configuration is as follows Console enable show lda Status Committed Virtual IP addresses Local Director Flow 192 255 201 55 www TCP port 80 Local Director Fl...

Page 1376: ...ress 192 255 201 2 255 255 255 0 route 0 0 0 0 0 0 0 0 192 255 201 1 1 no rip passive rip version 1 failover ip address 0 0 0 0 no failover snmp server enable traps no snmp server contact no snmp server location virtual 192 255 201 55 80 0 tcp is virtual 192 255 201 55 8001 0 tcp is virtual 192 255 201 55 21 0 tcp is predictor 192 255 201 55 80 0 tcp roundrobin redirection 192 255 201 55 80 0 tcp ...

Page 1377: ...cp bind 192 255 201 55 21 0 tcp 192 255 201 3 21 0 tcp bind 192 255 201 55 21 0 tcp 192 255 201 4 21 0 tcp bind 192 255 201 55 21 0 tcp 192 255 201 5 21 0 tcp bind 192 255 201 55 21 0 tcp 192 255 201 6 21 0 tcp bind 192 255 201 55 21 0 tcp 192 255 201 7 21 0 tcp bind 192 255 201 55 21 0 tcp 192 255 201 8 21 0 tcp ASLB Redundant Configuration Example This section provides an example of a typical AS...

Page 1378: ...dress 7 0 0 1 for network 7 Router 1 f2 IP address 5 0 0 100 network 5 Router 2 f2 IP address 5 0 0 101 network 5 HSRP IP address 5 0 0 2 for network 5 LocalDirector IP address 5 0 0 1 Server IP address 5 100 100 100 VIP address for servers 13 13 13 13 LocalDirector 1 LocalDirector 2 Clients Router 2 Router 1 VLAN 9 VLAN 9 VLAN 9 VLAN 5 VLAN 5 9 ISL trunk VLAN 5 VLAN 5 VLAN 9 VLAN 5 3 41 3 42 3 27...

Page 1379: ...da mac router 00 00 0c 07 ac 01 set lda mac router 00 d0 79 7b 20 88 set lda mac router 00 d0 79 7b 18 88 set lda mac ld 00 e0 b6 00 47 ec set lda router 9 3 7 3 23 set lda server 5 3 8 3 23 commit lda Catalyst 6500 Series Switch 2 Configuration The switch 2 configuration is as follows set trunk 3 23 on isl 1 5 9 set lda enable clear lda vip all set lda vip 13 13 13 13 80 13 13 13 13 23 clear lda ...

Page 1380: ...ip route cache distributed load interval 30 no keepalive full duplex standby 1 ip 7 0 0 1 standby 1 track FastEthernet2 interface FastEthernet2 ip address 5 0 0 101 255 0 0 0 no ip redirects no ip directed broadcast no ip route cache distributed no keepalive full duplex standby priority 250 standby 2 ip 5 0 0 2 standby 2 track FastEthernet1 ip route 13 13 13 13 255 255 255 255 5 0 0 1 LocalDirecto...

Page 1381: ...gine set lda vip command and the LocalDirector Ensure that the LocalDirector is in the dispatched assisted mode Ensure that you configured the IP addresses of the routers LocalDirector and servers following the guidelines in the IP Addresses section on page 54 9 Ensure that the router knows how to reach the LocalDirector when the traffic goes to the virtual IP address if the virtual IP address is ...

Page 1382: ...t changes will occur if the current set lda commands are committed by entering the show lda uncommitted command You see collisions or port disabled on the Catalyst 6500 series switch port Ensure that the port speed and duplex settings are compatible on both ends of the link between the LocalDirector and the switch For example if port 3 7 on the switch is connected to interface ethernet 0 on the Lo...

Page 1383: ...s Switch Command Reference publication This chapter consists of these sections Hardware and Software Requirements page 55 1 Understanding How a VoIP Network Works page 55 2 Understanding How VLANs Work page 55 8 Understanding How CDP and VoIP Work page 55 10 Configuring VoIP on a Switch page 55 10 Using SmartPorts page 55 38 Hardware and Software Requirements The hardware and software requirements...

Page 1384: ... PC to phone jack The jacks use either Category 3 or Category 5 unshielded twisted pair UTP cable The LAN to phone jack is used to connect the phone to the LAN using a crossover cable a workstation or a PC can be connected to the PC to phone jack using a straight through cable The inline power is designed to work in cables from Category 3 Category 4 Category 5 and later up to 100 meters The inline...

Page 1385: ...es WS X6148 RJ 45 10 100 switching module with either the WS F6K VPWR inline power field upgrade module or the WS F6K FE48 AF inline power field upgrade module Provides the inline power to the IP phone WS X6148 RJ 21 10 100 switching module with either the WS F6K VPWR inline power field upgrade module or the WS F6K FE48 AF inline power field upgrade module Provides the inline power to the IP phone...

Page 1386: ...e 10 100 port on the Catalyst 6500 series switch The phone can be powered through the 10 100 port or wall powered The PC must be wall powered Example 4 Two Cisco IP Phone 7960s and One PC Example 4 shows two IP phones that are connected to the 10 100 port on the Catalyst 6500 series switch and one PC that is connected to the PC to phone jack on the phone The PC behaves as if it is connected direct...

Page 1387: ...nd the Cisco CallManager Remote Serviceability Users Guide publications Access Gateways The access gateways allow the IP PBX system to talk to the existing PSTN or PBX systems The access gateways consist of analog station gateways analog trunk gateways digital trunk gateways and a converged voice gateway These sections describe the gateways Analog Station Gateway page 55 5 Analog Trunk Gateway pag...

Page 1388: ...face module can support both digital T1 E1 connectivity to the PSTN or transcoding and conferencing The module requires an IP address is registered with Cisco CallManager in its domain and is managed by Cisco CallManager The module software is downloaded from a TFTP server Depending upon which software you download the ports can serve as the T1 E1 interfaces or the ports support transcoding and co...

Page 1389: ...of transcoding Conference bridging meet me and ad hoc conference modes maximum of 8 x 16 channels of conferencing Comfort noise generation Fax pass through Silence suppression voice activity detection Line echo cancellation Common channel signaling For T1 23 DS0 channels for voice traffic 24th channel is used for signaling For E1 29 DS0 channels for voice traffic 16th channel is reserved for signa...

Page 1390: ...ntrol channel All control information such as key pressing goes from the phone to Cisco CallManager through this channel Instructions to generate ring tone busy tone and so on comes from Cisco CallManager to the phone through this channel Cisco CallManager stores the IP address to phone number mapping and vice versa in its tables When a user wants to call another user the user keys in the called p...

Page 1391: ... and additional IP addresses might not be available to assign the phone to a port so that it belongs to the same subnet as other devices PC that are connected to the same port The data traffic present on the VLAN supporting phones might reduce the quality of the VoIP traffic You can resolve these issues by isolating the voice traffic onto a separate VLAN on each of the ports that are connected to ...

Page 1392: ...res that are used to configure the Catalyst 6500 series switch for VoIP operation Voice Related CLI Commands page 55 10 Configuring Per Port Power Management page 55 11 Configuring the Auxiliary VLANs on Catalyst LAN Switches page 55 20 Configuring the Access Gateways page 55 23 Displaying the Active Call Information page 55 29 Configuring QoS in the Cisco IP Phone 7960 page 55 31 Configuring a Tr...

Page 1393: ...n apply the power on an individual port basis Only one IP phone can be powered per port the phone must be connected directly to the switch port If a second phone is daisy chained off the phone that is connected to the switch port the second phone cannot be powered by the switch show environment power X X X Voice related commands set port auxiliaryvlan X X show port auxiliaryvlan X X set port voice...

Page 1394: ... display the module status and information perform this task in normal mode This example shows a submodule field that provides information about the submodules The inline power daughter card that is installed on module 3 as shown in the display is WS F6K SVDB FE and the inline power daughter card that is installed on module 6 as shown in the display is WS F6K VPWR GE TX Console enable show module ...

Page 1395: ...he wattage that you specify only if the switching module discovers the phone You can specify the maximum wattage that is allowed on the port If you do not specify a wattage then the switch allows the hardware supported maximum value The maximum wattage whether determined by the switch or specified by you is preallocated to the port If the switch does not have enough power for the allocation the co...

Page 1396: ... for the different classes of IP phones The supervisor engine initially calculates the power allocation for each port based on the per port configuration classification IEEE only and default power When the correct amount of power is determined from the CDP messaging with the Cisco IP Phone the supervisor engine reduces or increases the allocated power for any ports that are set to Auto mode The al...

Page 1397: ...e loses power but the switching module discovers the phone and applies the preallocated inline power to the phone Powering Off the Phone The supervisor engine can turn off power to a specific port by sending a message to the switching module The power for a port in Auto mode is then added back to the available system power The power for the ports in Static mode is not added back to the available s...

Page 1398: ... power one module at a time Once the power for each module has been allocated the supervisor engine allocates the power to the phones beginning with the lowest slot number until all inline powered ports have been either powered on off or denied Phone Detection Summary Figure 55 4 shows how the system detects a phone that is connected to a Catalyst 6500 series switch port Figure 55 4 Power Detectio...

Page 1399: ...uto and max wattage to 800 Console enable Setting the Default Power Allocation The set inlinepower defaultallocation command is global and only affects Cisco IP phones The inline power threshold notification generates a syslog message when the inline power usage exceeds the specified threshold To set the default power allocation perform this task in privileged mode the default allocation value is ...

Page 1400: ...hreshold to 50 for module 4 Console enable set inlinepower notify threshold 50 mod 4 Module 4 inlinepower notify threshold is set to 50 Console enable Displaying the Power Status for Modules and Individual Ports To display the power status for the modules and individual ports perform this task in normal mode This example shows how to display the power status for the modules and individual ports Co...

Page 1401: ...switch power environment for the modules Console enable show environment power 2 Feature not supported on module 2 Console enable Console enable show environment power PS1 Capacity 1153 32 Watts 27 46 Amps 42V PS2 Capacity none PS Configuration PS1 and PS2 in Redundant Configuration Total Power Available 1153 32 Watts 27 46 Amps 42V Total Power Available for Line Card Usage 1153 32 Watts 27 46 Amp...

Page 1402: ...nfiguration page 55 22 Disabling the Auxiliary VLANs Until an IP Phone is Detected page 55 22 Understanding the Auxiliary VLANs You can configure the switch ports to send CDP packets that instruct an attached Cisco IP Phone 7960 to transmit the voice traffic to the switch in these frame types 802 1Q frames carrying the auxiliary VLAN ID and Layer 2 CoS set to 5 the switch port drops all 802 1Q fra...

Page 1403: ... the traffic between the devices in the same subnet is not routed routing would eliminate the frame type difference You cannot use the switch commands to configure a frame type that is used by the traffic that is received from a device that is attached to the phone s access port With software release 6 2 1 and later releases the dynamic ports can belong to two VLANs a native VLAN and an auxiliary ...

Page 1404: ...cket exchange between the switch and the phone This detection method is used for both the inline powered and wall powered IP phones Note If the auxiliary VLAN ID equals the port VLAN ID or when the auxiliary VLAN ID is configured as none dot1p or untagged this feature cannot be applied to the port If any command entry results in the auxiliary VLAN ID equaling the port VLAN ID the feature is disabl...

Page 1405: ...station gateway 24 port FXS analog interface module Digital trunk gateway 8 port T1 E1 PSTN interface module Configuring a Port Voice Interface If DHCP is enabled for a port the port obtains all other configuration information from the TFTP server When disabling DHCP on a port you must specify some mandatory parameters as follows If you do not specify the DNS parameters the software uses the syste...

Page 1406: ...onfiguration perform this task in privileged mode This example shows how to display the port voice interface configuration this display is from the 24 port FXS analog interface module Console show port voice interface 5 Port DHCP MAC Address IP Address Subnet Mask 5 1 24 disable 00 10 7b 00 13 ea 10 6 15 158 255 255 255 0 Port Call Manager s DHCP Server TFTP Server Gateway 5 1 24 10 6 15 155 10 6 ...

Page 1407: ...4h 7 1 41 48 49 50 53 54 7 2 41 48 49 50 53 54 7 3 41 48 49 50 53 54 Console enable Table 55 7 describes the possible fields depending on the port type queried in the show port voice fdl command output Displaying the Port Configuration for the Individual Ports To display the port configuration for the individual ports perform this task in normal mode Table 55 7 FDL Field Descriptions Field Descrip...

Page 1408: ...ull 1 544 T1 Port DHCP MAC Address IP Address Subnet Mask 7 1 enable 00 10 7b 00 0a 58 172 20 34 68 255 255 255 0 7 2 enable 00 10 7b 00 0a 59 172 20 34 70 255 255 255 0 7 3 enable 00 10 7b 00 0a 5a 172 20 34 64 255 255 255 0 7 4 enable 00 10 7b 00 0a 5b 172 20 34 66 255 255 255 0 7 5 enable 00 10 7b 00 0a 5c 172 20 34 59 255 255 255 0 7 6 enable 00 10 7b 00 0a 5d 172 20 34 67 255 255 255 0 7 7 en...

Page 1409: ...t as Conf Bridge Console enable show port 7 Port Name Status Vlan Duplex Speed Type 7 1 notconnect 1 full 1 544 T1 7 2 notconnect 1 full 1 544 T1 7 3 connected 1 full 1 544 T1 7 4 connected 1 full 1 544 T1 7 5 connected 1 full 1 544 T1 7 6 connected 1 full 1 544 T1 7 7 enabled 1 full Conf Bridge 7 8 enabled 1 full MTP Port DHCP MAC Address IP Address Subnet Mask 7 1 enable 00 10 7b 00 12 08 10 6 1...

Page 1410: ... enabled enabled 7 6 enabled enabled 7 7 disabled disabled 7 8 disabled disabled Console enable 24 Port FXS Analog Interface Module This example shows that all ports should have a Type field of FXS and all ports in the same module should belong to one VLAN Console enable show port 3 Port Name Status Vlan Duplex Speed Type 3 1 onhook 1 full 64k FXS 3 2 onhook 1 full 64k FXS 3 3 onhook 1 full 64k FX...

Page 1411: ...rmation Enter the show port voice active command to display the active call information on a port There are up to 8 calls per port for the 8 port T1 E1 PSTN interface module but only one call per port for the 24 port FXS analog station interface module To display the active call information perform this task in normal mode Entering the show port voice active command without any parameters shows al...

Page 1412: ...example shows the detailed call information for all the ports on the module Console show port voice active 3 2 Port 3 2 Channel 1 Remote IP address 165 34 234 111 Remote UDP port 124 Call state Ringing Codec Type G 711 Coder Type Rate 35243 Tx duration 438543 sec Voice Tx duration 34534 sec ACOM Level Current 123213 ERL Level 123 dB Fax Transmit Duration 332433 Hi Water Playout Delay 23004 ms Logi...

Page 1413: ... index 4 Low water playout delay 234 ms Receive delay 23423 ms Receive bytes 2342342332423 Receive packets 23423423402384 Transmit bytes 23472377 Transmit packets 94540 Console Configuring QoS in the Cisco IP Phone 7960 These sections describe QoS in the Cisco IP Phone 7960 Understanding How QoS Works in the Cisco IP Phone 7960 page 55 31 Configuring QoS in the Cisco IP Phone 7960 page 55 32 Note ...

Page 1414: ...02 1Q or 802 1p passes through the phone switch unchanged regardless of the access port trust state Figure 55 5 Configuring QoS on the IP Phone Ports Configuring QoS in the Cisco IP Phone 7960 These sections describe how to configure QoS in the Cisco IP Phone 7960 Setting the Phone Access Port Trust Mode page 55 32 Setting the Phone Access Port CoS Value page 55 33 Verifying the Phone Access Port ...

Page 1415: ...ation perform this task in normal mode This example shows how to verify the phone access port QoS configuration Console enable show port qos 3 4 Output Truncated Port Ext Trust Ext Cos 3 4 untrusted 0 Output Truncated Configuring a Trusted Boundary to Ensure Port Security This section describes the trusted boundary that is used to prevent security problems if users disconnect their PCs from the ne...

Page 1416: ...tion is sent to the phone using CDP from the switch The QoS configuration determines the trust state of the phone and the classification information Ext Cos The phone supports two trust states Trusted Untrusted and marked with a new COS value Ext Cos If the phone is in trusted mode all the labels that are produced by the PC are sent directly through the phone toward the switch untouched If the pho...

Page 1417: ...nfiguration settings are supported trust cos trust ipprec trust dscp but you should use trust cos for the Cisco IP Phone networks System log messaging New QoS syslogs were added for the trusted boundary to notify you of the changes to a port s trust state and to warn of improper configuration To see these syslogs set the QoS logging level to 5 set logging level qos 5 The default is 3 Refer to the ...

Page 1418: ...onfiguration page 55 37 Specifying a Cisco IP Phone as the Trust Device page 55 37 Verifying a Port s Trust Device State page 55 37 QoS Enabled COPS Enabled Trust Device Type CDP Enabled on Port IP Phone Persent on Port Port trust state set to untrusted other QoS parameters set per the configuration Port set to QoS parameters as defined per the configuration Port set to policy defined by COPS serv...

Page 1419: ...e enable Verifying a Port s Trust Device State To verify a port s trust device state perform this task in normal mode When the trusted boundary is active the run time trust state of the port changes depending on the presence of the phone Note The moment that the phone leaves the switch port there is a slight convergence time for the port to change to the untrusted state a maximum time of 15 second...

Page 1420: ...osoftphone keywords to initiate the macros that specify the type of voice parameters that you desire on a particular port SmartPorts is described in these sections Understanding SmartPorts Macros page 55 38 SmartPorts Cisco IP Phone page 55 39 SmartPorts Cisco Softphone page 55 39 SmartPorts Guidelines and Restrictions page 55 40 CLI Interface for SmartPorts page 55 41 Detailed SmartPorts Statemen...

Page 1421: ...t comes from the phone and enters the switch is trusted You set the port trust to trust cos to properly prioritize the voice traffic over other types of traffic in the network The Cisco IP Phone 79xx has a built in switch that mixes the traffic that comes from the PC the phone and the switch port The Cisco IP Phone 79xx has the trust and classification capabilities that you need to configure The p...

Page 1422: ... Phone 7935 However the ciscoipphone keyword is not exclusive to these models only any phone can benefit from all the other QoS settings that are configured on the switch The Cisco SoftPhone is supported through the ciscoipsoftphone keyword CDP Dependencies To configure the QoS settings and the trusted boundary on the Cisco IP Phone you must enable CDP version 2 or later on the port You need to en...

Page 1423: ...le Note The set port macro mod ports ciscoipphone vlan vlan auxvlan auxvlan command enables the cdpverify feature on the port ciscoipphone Command Output When you enter the ciscoipphone keyword the following displays specifying the auxiliary VLAN is optional Console enable set port macro 3 1 ciscoipphone vlan 2 auxvlan 3 Port 3 1 enabled Layer 2 protocol tunneling disabled for CDP STP VTP on port ...

Page 1424: ...otocol tunneling disabled for CDP STP VTP on port s 3 1 Port 3 1 vlan assignment set to static Spantree port fast start option set to default for ports 3 1 Port s 3 1 channel mode set to off Warning Connecting Layer 2 devices to a fast start port can cause temporary spanning tree loops Use with caution Spantree port 3 1 fast start enabled Dot1q tunnel feature disabled on port s 3 1 Port s 3 1 trun...

Page 1425: ...l2protocol tunnel mod port cdp stp vtp disable set port membership mod port static set port host mod port set vlan mod port vlan set port auxiliaryvlan mod port none set qos autoqos set port qos mod port autoqos voip ciscosoftphone How to Use SmartPorts in Your Network Depending on the interface and what is connected to it you need to execute different automatic voice macros For each port enter th...

Page 1426: ...fying the nativevlan is required Specifying the allowedvlans is optional set port macro mod port ciscorouter nativevlan nativevlan allowedvlans vlans set port enable mod port set vlan nativevlan mod port set port auxiliaryvlan mod port auxvlan none set port inlinepower mod port auto set cdp enable mod port set port membership mod port static set port l2protocol tunnel mod port cdp stp vtp dis set ...

Page 1427: ... to point set trunk mod port nonegotiate dot1q If the allowedvlans parameter is not specified the following configuration is used set trunk mod port 1 4094 if all specified If the allowedvlans parameter is specified the following configuration is used set trunk mod port none set trunk mod port vlans if specified set port qos mod port autoqos trust dscp Ciscodesktop SmartPorts Template The ciscodes...

Page 1428: ...n nativevlan mod port set port auxiliaryvlan mod port auxvlan set to none if not specified set port inlinepower mod port auto if supported by module set cdp enable mod port set port security mod port enable age 2 maximum 3 violation restrict set port qos mod port autoqos voip ciscoipphone Ciscosoftphone SmartPorts Template The ciscosoftphone interface macro command results in the following configu...

Page 1429: ...using the set macro name name command after which you enter a list of commands that become part of the macro Creating variables for macros When defining macros some commands require parameters that need to be specified by variables such as the VLAN ID for Ethernet ports or the IP address for ACLs The variables are defined as keyword value pairs where the first parameter must be the name of the var...

Page 1430: ...cro Configuration page 55 55 Configuring a Macro within a Macro page 55 55 Creating User Defined Macros To create define a macro use the set macro name name command to enter a list of commands one command per line To end the macro and exit from the macro mode type the break character and then press Enter An example is as follows Console enable set macro name videophone Enter macro commands one per...

Page 1431: ...ify y n y Console enable Defining Variables To define a variable use the set macro variable name_of_variable variable_of_value mod port command You can define the variable on a per port basis or a global basis When a macro is applied to a port the variables are replaced with the values that you have defined The maximum length of a variable name is 16 characters A macro definition can use multiple ...

Page 1432: ... set vlan DATAVLAN MODPORT set port auxiliaryvlan MODPORT AUXVLAN Console enable In the above example MODPORT is a special variable that gets its value when the macro videophone is applied on a port Note MODPORT is currently the only special variable supported Applying a User Defined Macro After the macro is created it can be applied to a port When a macro is applied to a port the commands in the ...

Page 1433: ...obal definition 99 and then the following commands are executed set port enable 3 7 set vlan 99 3 7 set port auxiliaryvlan 3 7 77 set cdp enable set cdp version v2 set qos autoqos Follow these guidelines and restrictions when applying user defined macros If you attempt to apply a macro on a port and the macro has a variable that is not defined in its definition the macro is not applied on the port...

Page 1434: ...ORT AUXVLAN Console enable Display the names of all the macros in the switch by entering the show macro all command as follows Console enable show macro all Macro Names fileserver videophone Console enable Displaying Macro Variables This section describes the various methods of displaying macro variables The syntax is as follows show macro variable all name name_of_macro mod port show macro variab...

Page 1435: ...mod port command as follows Console enable show macro variables name videophone 3 2 Variable Name Variable Value Port DATAVLAN 3 3 2 AUXVLAN 4 3 2 Console enable Clearing Macros and Macro Variables When you clear a macro by entering the the clear macro name name_of_macro command you clear the commands from the macro and remove the macro from the switch The configurations that were applied using th...

Page 1436: ... mod ports command as follows Console enable clear macro variable AUXVLAN 3 7 Clearing variable AUXVLAN for mod port 3 7 Console enable Clear all macro variables from all ports as follows Console enable clear macro variable all Clearing all variables for all mod ports All variables in the switch are cleared Console enable Displaying Macro Port Mappings This section describes the various methods of...

Page 1437: ...w both default and non default configurations begin NON DEFAULT CONFIGURATION time Tue Mar 22 2005 09 39 57 version 8 5 0 52 JAC Macros set macro name videophone set port enable MODPORT set vlan DATAVLAN MODPORT set port auxiliaryvlan MODPORT AUXVLAN Macro Port mapping set port macro 3 2 videophone set port macro 3 7 videophone Configuring a Macro within a Macro You can have a macro within a macro...

Page 1438: ...55 56 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 55 Configuring a VoIP Network Using SmartPorts ...

Page 1439: ...GRE tunneling The PFC3 and DFC3s support the following tunnel commands tunnel destination tunnel mode gre tunnel mode ipip tunnel source tunnel ttl tunnel tos Other supported types of tunneling are run in the software on the MSFC3 Enter the tunnel ttl command default 255 to set the TTL of encapsulated packets Enter the tunnel tos command if present to set the ToS byte of a packet when it is encaps...

Page 1440: ...anslation TCP intercept context based access control CBAC and encryption WCCP The Web Cache Communication Protocol WCCP allows you to redirect traffic to a cache engine web caches and manage cache engine clusters cache farms Note Release 12 2 17d SXB1 and later releases support WCCP on Supervisor Engine 2 Release 12 2 18 SXD1 and later releases support WCCP on Supervisor Engine 720 To use the WCCP...

Page 1441: ... Release 12 2 18 SXD4 Network Address Translation NAT does not work with WCCP configured This problem is resolved in Release 12 2 18 SXD1 WCCP redirected packets that have no next hop ARP cache entry are process switched to generate an ARP request but because of the WCCP redirection no ARP request is sent and the ARP cache is never populated for the next hop and subsequent WCCP redirected packets ...

Page 1442: ...56 4 Catalyst 6500 Series Switch Software Configuration Guide Release 8 7 OL 8978 04 Chapter 56 Configuring the MSFC Cisco IOS Features WCCP ...

Page 1443: ...nt APaRT automated packet recognition and translation ARP Address Resolution Protocol ASLB accelerated server load balancing ATM Asynchronous Transfer Mode BES bursty errored seconds BIA bottom interface adapter BPDU bridge protocol data unit BRF bridge relay function BUS broadcast and unknown server CAM content addressable memory CDP Cisco Discovery Protocol CEF Cisco Express Forwarding CIR commi...

Page 1444: ...service access point DSBM Designated Subnet Bandwidth Manager DSCP differentiated services code point DSP digital signal processing or processor DTP Dynamic Trunking Protocol EAP Extensible Authentication Protocol EARL Enhanced Address Recognition Logic EEPROM electrically erasable programmable read only memory ESI end system identifier FCS frame check sequence FEFI far end fault indication GARP G...

Page 1445: ...rk LANE LAN Emulation LCP Link Control Protocol LCV line code violation seconds LD LocalDirector LEC LAN Emulation Client LECS LAN Emulation Configuration Server LEM link error monitor LER link error rate LES LAN Emulation Server or line errored seconds LLC logical link control MAC Media Access Control MDG multiple default gateway MIB Management Information Base MII media independent interface MIS...

Page 1446: ...ess entity PAgP Port Aggregation Protocol PBF policy based forwarding PCM pulse code modulation PCR peak cell rate PDP policy decision point PDU protocol data unit PEP policy enforcement point PFC Policy Feature Card PHY physical sublayer PIB policy information base PPP Point to Point Protocol PRID policy rule identifiers PROM programmable read only memory PVID port VLAN identifier PVST per VLAN s...

Page 1447: ...dging SRT source route transparent bridging SSH Secure Shell SSL Secure Sockets Layer SSLM Secure Sockets Layer Module STE Spanning Tree Explorer STP Spanning Tree Protocol SVC switched virtual circuit TAC Technical Assistance Center Cisco TACACS Terminal Access Controller Access Control System Plus TCP IP Transmission Control Protocol Internet Protocol TFTP Trivial File Transfer Protocol TGT tick...

Page 1448: ...gy virtual channel circuit VCI virtual circuit identifier VCR virtual configuration register VID VLAN ID VIP virtual IP address VLAN virtual LAN VMPS VLAN Membership Policy Server VoIP Voice over IP VPN Virtual Private Network VPNSM Virtual Private Network Services Module VTP VLAN Trunk Protocol VVID voice VLAN identifier WRED weighted random early detection WRR weighted round robin Table A 1 List...

Page 1449: ...g 8 1 802 1Q tunnel ports CoS to CoS maps configuring 51 60 802 1X authentication 40 23 40 24 authentication failure VLAN configuring 40 38 authentication server defined 40 3 client defined 40 3 configuring 802 1X with ACL assignments 40 26 configuring a unidirectional controlled port 40 25 configuring authenticated identity to port description mappings 40 37 configuring DNS resolution for a RADIU...

Page 1450: ...celerated Server Load Balancing See ASLB access control entries See IOS ACLs See QoS ACE See VACLs access control lists See IOS ACLs See QoS ACL See VACLs access control subsystem SNMP entity 46 7 accessing the MSFC console port 2 3 Telnet session 2 4 accounting configuration guidelines 39 55 creating accounting records 39 53 default configuration 39 55 disabling 39 57 enabling 39 56 events 39 52 ...

Page 1451: ...are requirements 53 1 Layer 2 operation 53 3 Layer 3 operation 53 3 overview 53 1 53 2 audience xxxix auditing agentless hosts 41 14 Auth 42 8 authentication login enabling 39 11 39 12 overview 39 2 password 39 14 login lockout enhancement 39 2 NTP and 34 4 overview 39 2 recovering password 39 16 See also Kerberos authentication local authentication login authentication RADIUS authentication TACAC...

Page 1452: ...er blocking transitions 20 23 BOOT environment variables clearing 25 11 25 12 default 25 5 displaying 25 12 overview 25 3 25 4 setting 25 10 25 11 boot field overview 25 3 setting 25 6 boot image and switch 23 3 booting configuration register setting value 25 10 from Melody Compact Flash 3 5 ignoring NVRAM 25 9 booting the MSFC for the first time 3 4 BOOTP and in band sc0 interface 3 10 Bootstrap ...

Page 1453: ... 15 examples 13 10 FIB 13 6 flow masks 13 12 destination ip 13 12 destination ipx 13 12 full flow 13 12 modes 13 12 source destination ip 13 12 source destination vlan 13 12 guidelines 13 13 56 1 Layer 3 switching 13 2 overview 13 5 packet rewrite 13 2 restrictions for multicast 13 14 CEF for PFC2 See CEF CGMP leaving multicast group 50 5 channel modes EtherChannel table LACP 6 13 PAgP 6 6 channel...

Page 1454: ...ing Tree See also CIST 7 17 Common Open Policy Service See COPS Common Spanning Tree See CST 7 16 7 17 community ports 11 20 Compact Flash memory 3 5 CONFIG_FILE variable setting recurrence 25 7 configuration clearing switch 28 9 MISTP 7 37 7 54 configuration files clearing using rcp 28 9 copying using rcp 28 6 creating 28 2 downloading from Flash device 28 4 preparation 28 3 rcp 28 7 via TFTP 28 ...

Page 1455: ...0 QoS policy source 51 80 roles 51 81 deleting 51 83 removing 51 82 selecting locally configured QoS policy 51 81 CoS See QoS CoS to CoS maps configuring 51 60 counters configuring for IOS ACLs PACLs and VACLs 15 81 CRAM feature 15 87 critical recovery delay setting 40 21 crypto image uploading using RCP 27 26 CST 7 16 7 17 common spanning tree 7 21 D DAI 15 39 database VMPS downloading 19 7 examp...

Page 1456: ...7 DNS default configuration 30 2 disabling 30 4 domain name clearing 30 3 setting 30 2 enabling 30 2 overview 30 1 server clearing 30 3 specifying 30 2 setting up 30 2 system name and 22 2 system prompt and 22 2 documentation related 1 xlii DOM See Digital Optical Monitoring domain name clearing 30 3 setting 30 2 Domain Name System See DNS dot1x disabling multiple hosts 40 19 EAP request frames se...

Page 1457: ...LANs 19 14 overview 19 1 reconfirming 19 7 troubleshooting 19 10 Dynamic Trunking Protocol See DTP E efficiency PoE daughter cards 55 15 enable mode 2 9 enable password recovering lost 39 16 setting 39 15 enabling 40 23 MLS on MSFC interfaces 14 16 enabling IP MMLS on MSFC interfaces 13 20 14 33 encapsulation type descriptions trunks table 5 3 environmental monitoring LED indications 22 15 SNMP tr...

Page 1458: ...net ingress port ACLs 51 17 QoS ACLs 51 17 Ethernet OAM configuring 20 26 EtherTypes 51 17 extended range VLANs See VLANs extended trust for CDP devices trusted boundary feature 55 33 F fast aging time 14 21 PFC2 statistics 13 30 Fast EtherChannel See EtherChannel Fast Ethernet See Ethernet FIB 13 6 fiber optic detecting unidirectional links 32 1 file transfer protocols comparison of 27 5 filterin...

Page 1459: ...ansmission number 40 21 FTP uploading software images 27 15 full flow flow mask 13 12 14 6 full vlan flow mask 13 12 G GARP Multicast Registration Protocol See GMRP GARP timers setting 17 7 50 24 GARP VLAN Registration Protocol See GVRP General Attribute Registration Protocol See GARP setting timers Gigabit Ethernet See Ethernet Gigabit Ethernet trunks See trunks global configuration mode 2 9 GMRP...

Page 1460: ... examples 23 30 configuration requirements 23 22 configuring 23 28 designated MSFC 23 24 failure scenarios 23 26 hardware and software requirements 23 21 23 50 overview 23 21 routing protocol peering 23 23 I I BPDU 7 17 ICMP ping executing 20 16 overview 20 15 testing connectivity with 4 21 time exceeded messages 20 18 traceroute and 20 18 IGMP configuration guidelines 50 9 disabling 50 18 enablin...

Page 1461: ...5 13 unsupported 15 44 hardware and software handling in PFC 15 10 hardware and software handling in PFC2 15 13 hardware requirements 15 2 overview 15 2 reflexive ACLs with PFC 15 11 reflexive ACLs with PFC2 15 15 supported features 15 10 15 13 with VACLs 15 17 IP accounting IP MMLS and 14 15 CIDR and 22 8 configuring interVLAN routing 12 3 default gateway configuring 3 8 static routes 22 8 subnet...

Page 1462: ... addresses adding 37 2 caution 37 5 clearing entries 37 5 default configuration 37 2 disabling 37 4 enabling 37 3 overview 37 1 IP phones detecting an IP phone 55 16 high availability support 55 16 powering off phones 55 15 removing a phone from the network 55 15 wall powered phones 55 15 IP PIM 13 19 14 33 IP Source Guard See IPSG IP source guard configuring 33 16 displaying 33 17 overview 33 15 ...

Page 1463: ...EF 13 2 MLS 14 2 Layer 3 switching CEF 13 2 MLS 14 1 Layer 4 port operations ACLs 15 24 leave processing IGMP disabling 50 18 enabling 50 12 Link Aggregation Control Protocol See LACP link error handling configuring 20 24 load balancing 7 16 load sharing on trunks 5 22 local authentication configuration guidelines 39 11 40 12 default configuration 39 10 40 11 42 8 disabling 39 15 enable password s...

Page 1464: ...nfiguring 20 62 MAC address reduction 7 15 MAC authentication bypass ACL assignments 41 13 agentless hosts auditing 41 14 bypass events 41 4 bypass states 41 3 configuration guidelines and restrictions 41 4 configuring 41 6 device tracking 43 1 43 4 host aging 43 1 43 4 overview 41 2 QoS ACLs configuring 41 13 reauthentication of MAC addresses 41 2 MAC utilization clearing counters 20 9 overview 2...

Page 1465: ...14 22 clearing cache entries 14 29 statistics 13 36 14 31 configuration guidelines MTU 14 14 routing commands with IP MLS 14 14 configuration guidelines for IP MMLS MSFC 14 15 switches 14 14 configuration guidelines for IPX MLS interaction with other features 14 15 MTU 14 16 configuration information displaying IP or IPX 14 23 multicast 14 38 configuring IP directed broadcasts 13 36 configuring th...

Page 1466: ...laying 13 21 PIM enabling 13 19 routing command restrictions 14 14 setting minimum flow mask 14 21 specifying aging time 14 19 specifying fast aging time 14 21 statistics clearing 13 36 14 31 displaying by protocol 14 30 displaying for MLS cache entries 14 30 switches cache entries displaying 14 39 configuration displaying 14 38 disabling note 14 19 NetFlow table entries displaying 13 26 statistic...

Page 1467: ...icast 13 18 unicast Layer 3 switching 13 16 enabling IP multicast routing 13 18 multicast routing table displaying 13 21 PIM enabling on MSFC2 VLAN interfaces 13 19 MST 7 16 boundary ports 7 22 bridge ID priority 7 54 configuration 7 21 configuring 7 51 edge ports 7 23 enabling 7 51 hop count 7 23 instances 7 21 interoperability 7 19 interoperability with PVST 7 17 link type 7 23 mapping VLANs to ...

Page 1468: ... 16 9 disabling 16 16 displaying configuration 16 16 filters clearing 16 15 destination and source subnet 16 13 destination host specifying 16 13 destination TCP UDP port specifying 16 13 overview 16 3 protocol specifying 16 14 source host and destination TCP UDP port specifying 16 14 overview 16 1 protocols removing for statistics collection 16 15 specifying for statistics collection 16 14 RMON 1...

Page 1469: ...ver clearing 34 8 specifying 34 4 time zone clearing 34 7 setting 34 5 NVRAM caution 25 9 ignoring content at boot 25 9 setting configuration modes 26 2 O OAM configuring 20 26 Obtaining Documentation xliii online diagnostics generic configuring 21 2 overview 21 1 understanding 21 1 Organization xxxix out of profile See QoS out of profile P packet buffer error handling configuring 20 24 packet rew...

Page 1470: ...w 15 91 PC card See Flash PC card PCMCIA See Flash PC card PDP server See COPS or RSVP PDU rate limiters configuring 7 61 disabling 7 61 enabling 7 61 permit list See IP permit list PFC IGMP snooping and 50 9 protocol filtering and 36 1 QoS see Layer 3 Switching Engine PFC2 NetFlow fast aging time 13 30 flow masks 13 31 packet threshold values for IP 13 30 statistics 13 27 statistics clearing 13 3...

Page 1471: ...default port enable state 4 9 checking status 20 3 community 11 20 configuring error detection 4 16 designating on command line 2 5 duplex 4 6 dynamic VLAN membership configuring 19 5 default configuration 19 2 example 19 12 overview 19 1 reconfirming 19 7 troubleshooting 19 10 errdisable timeout configuring 4 12 isolated 11 20 modifying the port debounce timer settings 4 11 name 4 5 PRBS test for...

Page 1472: ...col filtering configuring 36 3 default configuration 36 2 disabling 36 3 enabling 36 3 overview 36 1 protocol support 36 2 protocol tunneling configuration guidelines 8 7 configuring 8 7 understanding 8 6 pruning VTP See VTP pruning PVST 7 26 bridge ID priority configuring 7 27 default configuration 7 26 default port cost mode 7 29 disabling 7 32 port cost 7 28 port priority 7 29 port VLAN priorit...

Page 1473: ...S classification definition 51 3 QoS classification criteria IP ACEs Layer 3 51 18 Layer 4 ICMP 51 19 Layer 4 IGMP 51 21 Layer 4 protocol 51 18 Layer 4 TCP 51 19 Layer 4 UDP 51 19 IPX ACE 51 21 MAC ACE Layer 2 51 21 QoS configuring 51 38 QoS configuring on Cisco IP Phone 7960 55 31 QoS congestion avoidance definition 51 3 dual transmit queue ports 51 29 receive queue 51 14 QoS CoS and ToS final va...

Page 1474: ...oS values to DSCP values 51 73 DSCP markdown values 51 75 DSCP values to CoS values 51 74 IP precedence values to DSCP values 51 74 QoS markdown 51 24 QoS marking 51 29 based on per port classification 51 15 definition 51 3 MSFC 51 8 trusted ports 51 13 untrusted ports 51 13 QoS MSFC 51 8 QoS out of profile 51 24 QoS policing definition 51 3 microflow enabling for nonrouted traffic 51 62 token buc...

Page 1475: ...ey clearing 39 32 key specifying 39 26 overview 39 5 retransmit count setting 39 29 servers clearing 39 32 specifying 39 26 specifying optional attributes 39 31 timeout setting 39 29 using a RADIUS server for 802 1X VLAN assignment 40 7 RADIUS authorization disabling 39 50 enabling 39 50 Rapid PVST configuring 7 33 overview 7 13 Rapid Spanning Tree See RSTP 7 18 RARP in band SC0 interface and 3 4 ...

Page 1476: ...disabling 50 31 enabling 50 31 joining multicast group 50 4 multicast groups 50 31 multicast protocols 50 34 overview 50 6 50 29 packet types 50 6 50 29 RGMP capable router ports 50 32 RGMP related router commands 50 33 RGMP statistics displaying 50 32 statistics clearing 50 33 VLAN statistics displaying 50 32 RMON 16 1 enabling 47 2 overview 47 1 supported MIB objects 47 3 viewing data 47 2 ROM m...

Page 1477: ...nfiguring 39 14 39 15 security ACL removing VACL to VLAN mapping 15 56 Serial Control Protocol commands table 14 18 serial download example PC software image download 27 31 example UNIX software image download 27 32 PC software image download procedure 27 29 preparing to download 27 28 UNIX software image download procedure 27 30 session command MSFC and 2 4 set defaultcostmode command 7 30 set in...

Page 1478: ...See SRM Single Spanning Tree See SST 7 16 7 17 skewing BPDU configuring 7 59 sl0 SLIP interface configuring 3 9 overview 3 1 SLIP caution 3 9 console port and 3 9 enabling 3 9 overview 3 1 54 2 sl0 interface 3 4 slip attach command 3 9 slip detach command 3 9 SLIP sl0 interface configuring 3 9 SmartPorts 55 38 SNMP clearing IP addresses associated with access numbers 46 15 clearing SNMP community ...

Page 1479: ... STP speed 10 100 Ethernet port setting 4 6 SRM configuration guidelines 23 44 configuring on Supervisor Engine 1 and Supervisor Engine 2 23 45 configuring on Supervisor Engine 720 23 45 getting out of SRM 23 49 hardware and software requirements 23 43 upgrading images with SRM enabled 23 48 SRR 51 66 SSH 20 12 SSH keyboard interactive 20 13 SST 7 16 7 17 interoperability 7 19 standby supervisor e...

Page 1480: ...ant configuration guidelines 23 5 Flash synchronization 23 4 23 15 forcing switchover to standby 23 6 overview 23 2 slot assignment 23 2 understanding 23 2 verifying status 23 5 ROM monitor 25 2 sc0 and sc1 in band interface 3 7 sl0 SLIP interface 3 9 software images downloading 27 7 27 16 27 23 startup specifying 25 1 uploading 27 22 27 26 startup configuration 25 1 static routes 22 8 switchover ...

Page 1481: ...w 29 1 session settings setting 29 5 system syslog dump enabling and disabling 29 11 system syslog dump specifying the device and filename 29 12 time stamp changing enable state 29 7 syslog dump enabling and disabling 29 11 system monitoring 20 19 system clock setting 22 4 system contact setting 22 3 system image switch downloading 27 7 27 16 downloading using SCP 27 23 startup specifying 25 1 upl...

Page 1482: ...fault configuration 39 10 39 46 40 11 42 8 directed request enabling and disabling 39 19 39 23 disabling 39 25 39 49 enabling 39 20 39 47 example configuration 39 43 39 51 key clearing 39 24 key specifying 39 21 login attempts allowed 39 22 overview 39 4 39 44 primary options and fallback options 39 45 servers clearing 39 24 servers specifying 39 19 timeout interval 39 22 TACACS authorization over...

Page 1483: ...orts ToS See QoS traceroute See IP traceroute traceroute command 4 21 traffic handling fragmented 15 6 unfragmented 15 6 transceivers monitoring See Digital Optical Monitoring transmit queues See QoS transmit queues TrBRF See VLANs Token Ring TrCRF See VLANs Token Ring Trivial File Transfer Protocol See TFTP troubleshooting system message logging and 29 1 VMPS 19 9 trunks 802 1Q configuring 5 7 ne...

Page 1484: ...5 3 disabling on a secure port 38 9 displaying 45 3 enabling 45 2 enabling on a secure port 38 9 unicast suppression 35 2 UniDirectional Link Detection Protocol See UDLD untrusted see QoS trust cos See QoS untrusted UplinkFast 9 3 disabling 9 17 enabling 9 16 figure 9 4 MISTP mode 9 15 multiple spanning tree 7 17 PVST mode 9 15 uploading configuration files preparation 28 5 28 8 running configurat...

Page 1485: ...rs 15 5 types and parameters 15 5 with IOS ACLs 15 17 virtual LAN See VLANs VLAN Access Control Lists See VACLs VLAN based SPAN See VSPAN VLAN filtering trunk 48 4 VLAN Management Policy Server See VMPS VLAN mapping 11 14 VLANs allowed on trunk 5 8 auxiliary 55 8 55 20 configuring for use with the Firewall Services Module 11 37 configuring VLAN mapping 11 14 default configuration 11 3 deleting 11 ...

Page 1486: ...0 55 2 CLI commands 55 10 configuring access gateways 55 23 converged voice gateway Cisco VG200 55 7 digital trunk gateway 8 port T1 E1 PSTN interface module 55 6 display active call information 55 29 extended trust for CDP devices trusted boundary feature 55 33 how a call is made 55 8 overview 55 1 QoS configuring 55 31 SmartPorts 55 38 Cisco IP Phone overview 55 39 Cisco SoftPhone overview 55 39...

Page 1487: ...CP 15 3 15 12 15 16 web based proxy authentication access control PBACLs 42 5 authentication server defined 42 3 RADIUS server 42 3 configuring ACL for ACE 42 9 maximum login attempts allowed 42 13 quiet period 42 12 session timeout period 42 12 URL for Login Fail page 42 12 URL for Login page 42 11 defined 42 2 defining host 42 3 NAD 42 3 supplicant 42 3 switch 42 3 device roles 42 2 device track...

Page 1488: ...uest VLAN 42 8 IPSG 42 7 MAC autthentication bypass 42 7 NAC 42 8 port security 42 8 VVID 42 8 multiple hosts per port 42 6 overview 42 2 supported HTML pages 42 5 Login Fail page defined 42 6 Login page defined 42 5 Success page defined 42 6 Web Cache Coordination Protocol See WCCP 15 12 15 16 web caches See cache engines weighted round robin 51 66 WRED 51 64 write tech support 22 16 WRR 51 66 X ...

Reviews:

No comments

Related manuals for Catalyst 6509

D-Link Express Ethernetwork DI-704P Quick Install Manual preview
Express Ethernetwork DI-704P
Brand: D-Link Pages: 17
3Com 3CR860-95 - OfficeConnect Secure Router Features And Benefits preview
3CR860-95 - OfficeConnect Secure Router
Brand: 3Com Pages: 2
3Com 3C905-TX Installation Manual preview
3C905-TX
Brand: 3Com Pages: 26
B2 ABB2050 Instruction Manual preview
ABB2050
Brand: B2 Pages: 52
XAVI Technologies Corp. 7721r User Manual preview
7721r
Brand: XAVI Technologies Corp. Pages: 71
Allnet ALL1682504 Quick Installation preview
ALL1682504
Brand: Allnet Pages: 12
Telebyte 458-LM-E2-36 Quick Start Manual preview
458-LM-E2-36
Brand: Telebyte Pages: 19
B&B Electronics 232CC1A Product Information preview
232CC1A
Brand: B&B Electronics Pages: 2
insys icom EBW-E Quick Installation Manual preview
EBW-E
Brand: insys icom Pages: 4
TP-Link TD-8816 Quick Installation Manual preview
TD-8816
Brand: TP-Link Pages: 2
VoiceLine InnoMedia MTA 3328-2R Getting Started Manual preview
InnoMedia MTA 3328-2R
Brand: VoiceLine Pages: 18
Magma ExpressBox2 EB2 User Manual preview
ExpressBox2 EB2
Brand: Magma Pages: 74
MSNswitch UIS-322b Quick Installation Manual preview
UIS-322b
Brand: MSNswitch Pages: 2
G&D DVI-Vision-IP-Fiber Installation And Operation Manual preview
DVI-Vision-IP-Fiber
Brand: G&D Pages: 240
Anthem Audio SFD-2 MkIII Jumper Configurations preview
SFD-2 MkIII Jumper
Brand: Anthem Audio Pages: 2
AES BeBoPr++ User Manual preview
BeBoPr++
Brand: AES Pages: 44
Proxim TeraBridge 5845 Specifications preview
TeraBridge 5845
Brand: Proxim Pages: 4
Sennheiser GSP 300 User Manual preview
GSP 300
Brand: Sennheiser Pages: 22

Brands by name

Popular brands

Load more brands