manualshive.com logo in svg

Cisco WS-X6148-FE-SFP= - Classic Interface Module Switch, Software Manual

The Cisco WS-X6148-FE-SFP= Classic Interface Module Switch is a versatile networking solution. Enhance your network performance with this reliable switch featuring 48 ports. For seamless setup and configuration, download the free software manual from manualshive.com. Maximize your networking potential effortlessly with this high-quality product.

Share
Download
background image

21-9

Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4

78-13315-02

Chapter 21      Configuring Switch Access Using AAA

Configuring Authentication

Traffic Control

You can restrict traffic in both directions or just incoming traffic.

Authentication Server

The frames exchanged between the authenticator and the authentication server are dependent on the 
authentication mechanism, so they are not defined by the 802.1x standard. You can use other protocols, 
but we recommend RADIUS for authentication, particularly when the authentication server is located 
remotely, because RADIUS has extensions that support encapsulation of EAP frames built into it.

802.1x Parameters Configurable on the Switch

You can configure these 802.1x parameters on the switch:

  •

Force-Authorized, Force-Unauthorized, or Automatic 802.1x port control

  •

Enable or disable multiple hosts on a specific port

  •

Enable or disable system authentication control

  •

Specify quiet time interval

  •

Specify the authenticator to supplicant retransmission time interval

  •

Specify the back-end authenticator to supplicant retransmission time interval

  •

Specify the back-end authenticator to authentication server retransmission time interval

  •

Specify the number of frames retransmitted from the back-end authenticator to supplicant

  •

Specify the automatic supplicant reauthentication time interval

  •

Enable or disable automatic supplicant reauthentication

Configuring Authentication

These sections describe how to configure the different authentication methods:

  •

Authentication Default Configuration, page 21-10

  •

Authentication Configuration Guidelines, page 21-11

  •

Configuring Login Authentication, page 21-12

 

  •

Configuring Local Authentication, page 21-13

  •

Configuring Authentication, page 21-17

  •

Configuring RADIUS Authentication, page 21-23

  •

Configuring Kerberos Authentication, page 21-31

  •

Configuring 802.1x Authentication, page 21-40

  •

Authentication Example, page 21-48

Summary of Contents for WS-X6148-FE-SFP= - Classic Interface Module Switch

Page 1: ...asman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Catalyst 6000 Family Software Configuration Guide Software Releases 6 3 and 6 4 Customer Order Number DOC 7813315 Text Part Number 78 13315 02 ...

Page 2: ...UT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCIP the Cisco Arrow logo the Cisco Powered Network mark the Cisco Systems Verified logo Cisco Unity Follow Me Browsing FormShare iQ Breakthrough iQ Expertise iQ FastTrack the iQ Logo iQ Net Readiness Scoreca...

Page 3: ... T E R 1 Product Overview 1 C H A P T E R 2 Command Line Interfaces 1 Catalyst Command Line Interface 1 ROM Monitor Command Line Interface 1 Switch Command Line Interface 2 MSFC Command Line Interface 8 Cisco IOS Command Modes 8 Cisco IOS Command Line Interface 10 C H A P T E R 3 Configuring the Switch IP Address and Default Gateway 1 Understanding the Switch Management Interfaces 1 Understanding ...

Page 4: ...Ethernet Configuration 3 Setting the Port Configuration 4 Setting the Port Name 4 Setting the Port Speed 5 Setting the Port Duplex Mode 5 Configuring IEEE 802 3X Flow Control 6 Enabling and Disabling Port Negotiation 7 Changing the Default Port Enable State 7 Setting the Port Debounce Timer 8 Configuring a Timeout Period for Ports in errdisable State 9 Configuring the Jumbo Frame Feature 11 Checki...

Page 5: ...therChannel Port Mode 5 Setting the EtherChannel Port Path Cost 6 Setting the EtherChannel VLAN Cost 6 Configuring EtherChannel Frame Distribution 8 Displaying EtherChannel Traffic Utilization 8 Displaying Outgoing Ports for a Specified Address or Layer 4 Port Number 8 Disabling an EtherChannel 9 C H A P T E R 7 Configuring IEEE 802 1Q Tunneling 1 Understanding How 802 1Q Tunneling Works 1 802 1Q ...

Page 6: ...e PVST Mode on a VLAN 20 Using MISTP PVST or MISTP 22 Default MISTP and MISTP PVST Configuration 23 Setting MISTP PVST Mode or MISTP Mode 23 Configuring an MISTP Instance 25 Enabling an MISTP Instance 28 Mapping VLANs to an MISTP Instance 29 Disabling MISTP PVST or MISTP 31 Configuring a Root Switch 31 Configuring a Primary Root Switch 31 Configuring a Secondary Root Switch 32 Configuring a Root S...

Page 7: ...ng PortFast BPDU Filter 11 Disabling PortFast BPDU Filter 12 Configuring UplinkFast 13 Enabling UplinkFast 13 Disabling UplinkFast 14 Configuring BackboneFast 15 Enabling BackboneFast 15 Displaying BackboneFast Statistics 16 Disabling BackboneFast 16 Configuring Loop Guard 17 Enabling Loop Guard 17 Disabling Loop Guard 17 C H A P T E R 10 Configuring VTP 1 Understanding How VTP Works 1 Understandi...

Page 8: ...VLANs 7 Mapping VLANs to VLANs 8 Mapping Reserved VLANs to Nonreserved VLANs 9 Deleting Reserved to Nonreserved VLAN Mappings 10 Mapping 802 1Q VLANs to ISL VLANs 10 Deleting 802 1Q to ISL VLAN Mappings 11 Assigning Switch Ports to a VLAN 12 Deleting a VLAN 13 Configuring Private VLANs 13 Understanding How Private VLANs Work 14 Private VLAN Configuration Guidelines 15 Creating a Primary Private VL...

Page 9: ... 2 Understanding CEF for PFC2 4 Understanding NetFlow Statistics 9 Default CEF for PFC2 Configuration 10 CEF for PFC2 Configuration Guidelines and Restrictions 11 Configuring CEF for PFC2 12 Displaying Layer 3 Switching Entries on the Supervisor Engine 12 Configuring CEF on the MSFC2 14 Configuring IP Multicast on the MSFC2 14 Displaying IP Multicast Information 16 Configuring NetFlow Statistics 2...

Page 10: ...uring NDE 3 Usage Guidelines 4 Specifying an NDE Collector 4 Specifying an NDE Destination Address on the MSFC 5 Specifying an NDE Source Address on the MSFC 5 Enabling NDE 6 Specifying a Destination Host Filter 6 Specifying a Destination and Source Subnet Filter 6 Specifying a Destination TCP UDP Port Filter 7 Specifying a Source Host and Destination TCP UDP Port Filter 7 Specifying a Protocol Fi...

Page 11: ...ess to a Server on Another VLAN 25 Restricting ARP Traffic 26 Configuring ACLs on Private VLANs 26 Capturing Traffic Flows 27 Unsupported Features 27 Configuring VACLs 28 VACL Configuration Guidelines 28 VACL Configuration Summary 29 Configuring VACLs From the CLI 29 Configuring and Storing VACLs and QoS ACLs in Flash Memory 42 Automatically Moving the VACL and QoS ACL Configuration to Flash Memor...

Page 12: ...Timers 7 Displaying GVRP Statistics 8 Clearing GVRP Statistics 8 Disabling GVRP on Individual 802 1Q Trunk Ports 8 Disabling GVRP Globally 9 C H A P T E R 18 Configuring Dynamic Port VLAN Membership with VMPS 1 Understanding How VMPS Works 1 Default VMPS and Dynamic Port Configuration 2 Dynamic Port VLAN Membership and VMPS Configuration Guidelines 3 Configuring VMPS and Dynamic Port VLAN Membersh...

Page 13: ...ng Layer 2 Traceroute 9 Layer 2 Traceroute Usage Guidelines 9 Identifying a Layer 2 Path 10 Using IP Traceroute 10 Understanding How IP Traceroute Works 10 Executing IP Traceroute 11 C H A P T E R 20 Administering the Switch 1 Setting the System Name and System Prompt 1 Setting the Static System Name and Prompt 2 Setting the System Contact and Location 3 Setting the System Clock 4 Creating a Login...

Page 14: ...S Authentication Works 3 Understanding How RADIUS Authentication Works 4 Understanding How Kerberos Authentication Works 4 Understanding How 802 1x Authentication Works 7 Configuring Authentication 9 Authentication Default Configuration 10 Authentication Configuration Guidelines 11 Configuring Login Authentication 12 Configuring Local Authentication 13 Configuring TACACS Authentication 17 Configur...

Page 15: ...iguring Redundant Supervisor Engines 3 Synchronization Process Initiation 4 Redundant Supervisor Engine Configuration Guidelines and Restrictions 4 Verifying Standby Supervisor Engine Status 5 Forcing a Switchover to the Standby Supervisor Engine 6 High Availability 8 Supervisor Engine Synchronization Examples 14 MSFC Redundancy 18 Dual MSFC Redundancy 19 Single Router Mode Redundancy 41 Manual Mo...

Page 16: ...oot Configuration 12 C H A P T E R 24 Working With the Flash File System 1 Understanding How the Flash File System Works 1 Working with the Flash File System 1 Setting the Default Flash Device 2 Setting the Text File Configuration Mode 2 Listing the Files on a Flash Device 3 Copying Files 4 Deleting Files 6 Restoring Deleted Files 7 Verifying a File Checksum 7 Formatting a Flash Device 8 C H A P T...

Page 17: ...iguration Files 1 Working with Configuration Files on the Switch 1 Creating and Using Configuration File Guidelines 1 Creating a Configuration File 2 Downloading Configuration Files to the Switch Using TFTP 3 Uploading Configuration Files to a TFTP Server 5 Copying Configuration Files Using rcp 6 Downloading Configuration Files from an rcp Server 6 Uploading Configuration Files to an rcp Server 7 ...

Page 18: ... Clearing the DNS Domain Name 3 Disabling DNS 3 C H A P T E R 29 Configuring CDP 1 Understanding How CDP Works 1 Default CDP Configuration 2 Configuring CDP 2 Setting the CDP Global Enable and Disable States 2 Setting the CDP Enable and Disable States on a Port 3 Setting the CDP Message Interval 4 Setting the CDP Holdtime 4 Displaying CDP Neighbor Information 5 C H A P T E R 30 Configuring UDLD 1 ...

Page 19: ...pression Works 1 Configuring Broadcast Suppression 2 Enabling Broadcast Suppression 3 Disabling Broadcast Suppression 4 C H A P T E R 33 Configuring Layer 3 Protocol Filtering 1 Understanding How Layer 3 Protocol Filtering Works 1 Default Layer 3 Protocol Filtering Configuration 2 Configuring Layer 3 Protocol Filtering 2 Enabling Layer 3 Protocol Filtering 3 Disabling Layer 3 Protocol Filtering 3 ...

Page 20: ... Host MAC Address 7 Displaying Port Security 8 C H A P T E R 36 Configuring SNMP 1 SNMP Terminology 1 Understanding SNMP 3 Security Models and Levels 4 SNMP ifindex Persistence Feature 5 Understanding How SNMPv1 and SNMPv2c Works 5 Using Managed Devices 5 Using SNMP Agents and MIBs 5 Using CiscoWorks2000 6 Understanding SNMPv3 7 SNMP Entity 7 Applications 9 Configuring SNMPv1 and SNMPv2c 10 SNMPv1...

Page 21: ...lines 6 Configuring SPAN from the CLI 7 Configuring RSPAN 8 RSPAN Hardware Requirements 9 Understanding How RSPAN Works 9 RSPAN Configuration Guidelines 10 Configuring RSPAN 11 RSPAN Configuration Examples 14 C H A P T E R 39 Using Switch TopN Reports 1 Understanding How the Switch TopN Reports Utility Works 1 TopN Reports Overview 1 Running Switch TopN Reports without the Background Option 2 Runn...

Page 22: ... Processing 12 Disabling IGMP Snooping 12 Configuring GMRP 12 GMRP Software Requirements 13 Default GMRP Configuration 13 Enabling GMRP Globally 13 Enabling GMRP on Individual Switch Ports 14 Disabling GMRP on Individual Switch Ports 14 Enabling GMRP Forward All Option 15 Disabling GMRP Forward All Option 15 Configuring GMRP Registration 16 Setting the GARP Timers 17 Displaying GMRP Statistics 19 ...

Page 23: ...es 34 Deleting Policing Rules 36 Creating or Modifying ACLs 37 Attaching ACLs to Interfaces 46 Detaching ACLs from Interfaces 46 Mapping a CoS Value to a Host Destination MAC Address VLAN Pair 47 Deleting a CoS Value to a Host Destination MAC Address VLAN Pair 47 Enabling or Disabling Microflow Policing of Bridged Traffic 48 Configuring Standard Receive Queue Tail Drop Thresholds 48 Configuring 2q...

Page 24: ...ddresses 22 MAC Addresses 23 Catalyst 6000 Family Switch 1 Configuration 23 Catalyst 6000 Family Switch 2 Configuration 23 Router 1 Configuration 23 Router 2 Configuration 24 LocalDirector Configuration 24 Troubleshooting the ASLB Configuration 25 C H A P T E R 43 Configuring the Switch Fabric Modules 1 Understanding How the Switch Fabric Module Works 1 Configuring and Monitoring the Switch Fabric...

Page 25: ... Understanding How VLANs Work 8 Configuring VoIP on a Switch 9 Voice Related CLI Commands 9 Configuring Per Port Power Management 10 Configuring Auxiliary VLANs on Catalyst LAN Switches 19 Configuring the Access Gateways 21 Displaying Active Call Information 27 Configuring QoS in the Cisco IP Phone 7960 29 I N D E X ...

Page 26: ...Contents 26 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 ...

Page 27: ...Catalyst 6000 family switches Chapter 2 Command Line Interfaces Describes how to use the command line interface CLI Chapter 3 Configuring the Switch IP Address and Default Gateway Describes how to perform a baseline configuration of the switch Chapter 4 Configuring Ethernet Fast Ethernet and Gigabit Ethernet Switching Describes how to configure Ethernet Fast Ethernet and Gigabit Ethernet switching...

Page 28: ...r and perform other administrative tasks on the switch Chapter 21 Configuring Switch Access Using AAA Describes how to configure authentication authorization and accounting AAA to monitor and control access to the CLI Chapter 22 Configuring Redundancy Describes how to install and configure redundant supervisor engines and MSFCs in the Catalyst 6000 family switches Chapter 23 Modifying the Switch B...

Page 29: ... cmtk mibs shtml Chapter 35 Configuring Port Security Describes how to configure secure port filtering Chapter 36 Configuring SNMP Describes how to configure SNMP Chapter 37 Configuring RMON Describes how to configure Remote Monitoring RMON Chapter 38 Configuring SPAN and RSPAN Describes how to configure the Switch Port Analyzer SPAN and Remote SPAN RSPAN Chapter 39 Using Switch TopN Reports Descr...

Page 30: ...lic font Arguments for which you supply values are in italics Elements in square brackets are optional x y z Alternative keywords are grouped in braces and separated by vertical bars x y z Optional alternative keywords are grouped in brackets and separated by vertical bars string A nonquoted set of characters Do not use quotation marks around the string or the string will include the quotation mar...

Page 31: ...e current than printed documentation The CD ROM package is available as a single unit or through an annual subscription Registered Cisco com users can order the Documentation CD ROM product number DOC CONDOCCD through the online Subscription Store http www cisco com go subscription Ordering Documentation You can find instructions for ordering documentation at this URL http www cisco com univercd c...

Page 32: ...cess to the technical support resources on the Cisco TAC website including TAC tools and utilities Cisco com Cisco com offers a suite of interactive networked services that let you access Cisco information networking solutions services programs and resources at any time from anywhere in the world Cisco com provides a broad range of features and services to help you with these tasks Streamline busi...

Page 33: ...es on the Cisco TAC website require a Cisco com login ID and password If you have a valid service contract but do not have a login ID or password go to this URL to register http tools cisco com RPF register register do If you are a Cisco com registered user and you cannot resolve your technical issues by using the Cisco TAC website you can open a case online at this URL http www cisco com en US su...

Page 34: ...e at this URL http www ciscopress com Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest information about the field of networking You can access Packet magazine at this URL http www cisco com en US about ac123 ac114 about_cisco_packet_magazine html iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers with ...

Page 35: ... MSFC or MSFC2 Supervisor Engine 1 and PFC Supervisor Engine 1 Note The Switch Fabric Module is supported only in Catalyst 6500 series switches Refer to the Release Notes for Catalyst 6000 Family Software Release 6 x publication for complete information about the chassis modules software features protocols and MIBs supported by the Catalyst 6000 family switches Note This publication includes the i...

Page 36: ...1 2 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 1 Product Overview ...

Page 37: ...e Interface page 2 1 MSFC Command Line Interface page 2 8 Catalyst Command Line Interface These sections describe the Catalyst CLI ROM Monitor Command Line Interface page 2 1 Switch Command Line Interface page 2 2 ROM Monitor Command Line Interface The ROM monitor is a ROM based program that executes upon platform power up reset or when a fatal exception occurs The system enters ROM monitor mode i...

Page 38: ...ole port or through a Telnet session These sections describe how to access the switch CLI Accessing the CLI through the Console Port page 2 2 Accessing the CLI through Telnet page 2 3 Accessing the CLI through the Console Port To access the switch CLI through the console port you must connect a console terminal to the console port through an EIA TIA 232 RS 232 cable Note For complete information o...

Page 39: ... perform this task This example shows how to open a Telnet session to the switch unix_host telnet Catalyst_1 Trying 172 16 10 10 Connected to Catalyst_1 Escape character is Cisco Systems Console Enter password Catalyst_1 Accessing the MSFC from the Switch These sections describe how to access the Multilayer Switch Feature Card MSFC from a directly connected console port or from a Telnet session Ac...

Page 40: ... to Router 15 Type C C C to switch back Router C C C Console enable Accessing the MSFC from a Telnet Session You can enter the session mod command to access the MSFC from the switch CLI using a Telnet session To exit from the MSFC CLI back to the switch CLI enter the exit command at the Router prompt Note The supervisor engine software sees the MSFC as module 15 when installed on a supervisor engi...

Page 41: ...sword Console enable Designating Modules Ports and VLANs on the Command Line Switch commands are not case sensitive You can abbreviate commands and parameters as long as they contain enough letters to be distinguished from any other currently available commands or parameters Catalyst 6000 family switches are multimodule systems Commands you enter from the CLI might apply to the entire system or to...

Page 42: ... in place of the dotted decimal IP address This is true for most commands that use an IP address except for commands that define the IP address or IP alias For information on using IP aliases see the Defining IP Aliases section on page 20 6 If DNS is configured on the switch you can use DNS host names in place of IP addresses For information on configuring DNS see Chapter 28 Configuring DNS Comman...

Page 43: ...nd line Ctrl W Deletes last word typed Esc B Moves the cursor back one word Esc D Deletes from the cursor to the end of the word Esc F Moves the cursor forward one word Delete key or Backspace key Erases mistake when entering a command reenter command after using this key 1 The arrow keys function only on ANSI compatible terminals such as VT100s Table 2 3 Command Line Editing Keyboard Shortcuts co...

Page 44: ...commands in a given mode type a question mark at the system prompt For more information see the Getting a List of IOS Commands and Syntax section on page 2 9 When you start a session on the switch you begin in user mode often called user EXEC mode Only a limited subset of the commands are available in EXEC mode To have access to all commands you must enter privileged EXEC mode Normally you must ty...

Page 45: ...figure Table 2 5 Frequently Used IOS Command Modes Mode Description of Use How to Access Prompt User EXEC Connect to remote devices change terminal settings on a temporary basis perform basic tests and display system information Log in Router Privileged EXEC enable Set operating parameters The privileged command set includes the commands in user EXEC mode as well as the configure command Use this ...

Page 46: ...on mark for a list of available commands You might be in the wrong command mode or using incorrect syntax Press Ctrl Z in any mode to immediately return to privileged EXEC mode Enter exit to return to the previous mode Cisco IOS Command Line Interface These sections describe basic Cisco IOS configuration tasks you need to understand before you configure routing Accessing Cisco IOS Configuration Mo...

Page 47: ...ually shut down the matching interface on the redundant MSFC To bring up an MSFC interface that is administratively shut down perform this task in privileged mode Step 4 Enter the commands to configure routing Refer to the appropriate configuration tasks later in this chapter Step 5 Exit configuration mode Router config Ctrl Z Task Command Task Command Step 1 View the current operating configurati...

Page 48: ...2 12 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 2 Command Line Interfaces MSFC Command Line Interface ...

Page 49: ...ault IP Address and Default Gateway Configuration page 3 5 Assigning the In Band sc0 Interface IP Address page 3 5 Configuring Default Gateways page 3 6 Configuring the SLIP sl0 Interface on the Console Port page 3 7 Using BOOTP DHCP or RARP to Obtain an IP Address page 3 9 Renewing and Releasing a DHCP Assigned IP Address page 3 10 Understanding the Switch Management Interfaces Catalyst 6000 fami...

Page 50: ...omatic IP Configuration Overview The switch can obtain its IP configuration automatically using one of the following protocols Bootstrap Protocol BOOTP Dynamic Host Configuration Protocol DHCP Reverse Address Resolution Protocol RARP The switch makes BOOTP DHCP and RARP requests only if the sc0 interface IP address is set to 0 0 0 0 when the switch boots up This address is the default for a new sw...

Page 51: ...or BOOTP response is received in reply the switch rebroadcasts the request using an exponential backoff algorithm the amount of time between requests increases exponentially If no response is received after ten minutes the sc0 interface IP address remains set to 0 0 0 0 provided that BOOTP and RARP requests fail as well If you reset or power cycle a switch with a DHCP or BOOTP obtained IP address ...

Page 52: ...tch Feature Card MSFC images are provided on the MSFC bootflash a boot loader image and a system image The boot loader image is a limited function system image that has network interface code and end host protocol code The system image is the main Cisco IOS software image with full multiprotocol routing support As shipped the MSFC is configured to boot the boot loader image first which then boots ...

Page 53: ... in band sc0 logical interface You can specify the subnet mask netmask using the number of subnet bits or using the subnet mask in dotted decimal format To set the IP address and VLAN membership of the in band sc0 management interface perform this task in privileged mode Table 3 2 Switch IP Address and Default Gateway Default Configuration Feature Default Value In band sc0 interface IP address sub...

Page 54: ...ected devices the switch forwards only IP traffic generated by the switch itself for example Telnet TFTP and ping Note In some cases you might want to configure static IP routes in addition to default gateways For information on configuring static routes see the Configuring Static Routes section on page 20 7 You can define up to three default IP gateways Use the primary keyword to make a gateway t...

Page 55: ...Console Port Use the SLIP sl0 interface for point to point SLIP connections between the switch and an IP host Caution You must use the console port for the SLIP connection When the SLIP connection is enabled and SLIP is attached on the console port an EIA TIA 232 terminal cannot connect through the console port If you are connected to the switch CLI through the console port and you enter the slip ...

Page 56: ... Enter password Console enable Enter password Console enable set interface sl0 10 1 1 1 10 1 1 2 Interface sl0 slip and destination address set Console enable show interface sl0 flags 51 UP POINTOPOINT RUNNING slip 10 1 1 1 dest 10 1 1 2 sc0 flags 63 UP BROADCAST RUNNING vlan 522 inet 172 20 52 38 netmask 255 255 255 240 broadcast 172 20 52 7 Console enable slip attach Console Port now running SLI...

Page 57: ... server table as backup server 172 16 32 32 added to DNS server table as backup server NTP server 172 16 25 253 added NTP server 172 16 25 252 added MGMT 5 DHCP_S Assigned IP address 172 20 25 244 from DHCP Server 172 20 25 254 Task Command Step 1 Make sure that there is a DHCP BOOTP or RARP server on the network Step 2 Obtain the last address in the MAC address range for module 1 the supervisor e...

Page 58: ...ssigned IP address Release the lease on a DHCP assigned IP address To renew or release a DHCP assigned IP address on the in band sc0 management interface perform one of these tasks in privileged mode This example shows how to renew the lease on a DHCP assigned IP address Console enable set interface sc0 dhcp renew Renewing IP address Console enable Sending DHCP packet with address 00 90 0c 5a 8f f...

Page 59: ...ns between Ethernet segments last only for the duration of the packet New connections can be made between different segments for the next packet Catalyst 6000 family switches solve congestion problems caused by high bandwidth devices and a large number of users by assigning each device for example a server to its own 10 100 or 1000 Mbps segment Because each Ethernet port on the switch represents a...

Page 60: ...ciates the MAC address of the sending station with the port on which it was received Building the Address Table Catalyst 6000 family switches build the address table by using the source address of the frames received When the switch receives a frame for a destination address not listed in its address table it floods the frame to all ports of the same VLAN except the port that received the frame Wh...

Page 61: ...n Up Up Off On Up Down On Off Down Up Table 4 2 Ethernet Default Configuration Feature Default Value Port enable state All ports are enabled Port name None Duplex mode Half duplex for 10 Mbps Ethernet ports Autonegotiate speed and duplex for 10 100 Mbps Fast Ethernet ports Autonegotiate duplex for 100 Mbps Fast Ethernet ports Full duplex for 1000 Mbps Gigabit Ethernet ports Flow control Gigabit Et...

Page 62: ...uring the Jumbo Frame Feature page 4 11 Checking Connectivity page 4 13 Setting the Port Name You can set port names on Ethernet Fast Ethernet and Gigabit Ethernet switching modules to facilitate switch administration To set the port name perform this task in privileged mode This example shows how to set the name for ports 1 1 and 1 2 and how to verify that the port names are configured correctly ...

Page 63: ...negotiate speed and duplex with the neighboring port Console enable set port speed 2 1 auto Port 2 1 speed set to auto sensing mode Console enable Setting the Port Duplex Mode You can set the port duplex mode to full or half duplex for Ethernet and Fast Ethernet ports Note Gigabit Ethernet is full duplex only You cannot change the duplex mode on Gigabit Ethernet ports Note If the port speed is set...

Page 64: ...ons To configure flow control perform this task in privileged mode This example shows how to turn transmit and receive flow control on and how to verify the flow control configuration Console enable set port flowcontrol 3 1 send on Port 3 1 will send flowcontrol to far end Console enable set port flowcontrol 3 1 receive on Port 3 1 will require far end to send flow control Table 4 3 Ethernet Flow ...

Page 65: ...ation 2 1 Port Link Negotiation 2 1 enabled Console enable To disable port negotiation perform this task in privileged mode This example shows how to disable port negotiation and verify the configuration Console enable set port negotiation 2 1 disable Port 2 1 negotiation disabled Console enable show port negotiation 2 1 Port Link Negotiation 2 1 disabled Console enable Changing the Default Port E...

Page 66: ... The output of the show config command shows the current default port status configuration To change the port enable state perform this task in privileged mode This example shows how to change the default port enable state from enabled to disabled Console enable set default portstatus disable Default port status set to disable Console enable This example shows how to display the port enable state ...

Page 67: ...Detection UDLD detects a unidirectional link the port shuts down at runtime However because the NVRAM configuration for the port is enabled you have not disabled the port the port status is shown as errdisable Once a port is in the errdisable state you have to reenable it manually The errdisable timeout feature allows you to configure a timeout period for ports in errdisable state the ports are re...

Page 68: ...d by default The default interval for enabling a port is 300 seconds The allowable interval range is 30 to 86400 seconds 30 seconds to 24 hours This example shows how to enable errdisable timeout for BPDU guard causes Console enable set errdisable timeout enable bpdu guard Successfully enabled errdisable timeout for bpdu guard Console enable This example shows how to enable errdisable timeout for ...

Page 69: ... bytes WS X6148 RJ 45V WS X6148 RJ21V WS X6248 RJ 45 WS X6248A RJ 45 WS X6248 TEL WS X6248A TEL WS X6348 RJ 45 WS X6348 RJ45V WS X6348 RJ 21 and WX X6348 RJ21V The WS X6548 RJ 21 and WS X6548 RJ 45 modules use different hardware at the PHY level and support the full jumbo frame default value of 9216 bytes Note The WS X6516 GE TX 10 100 1000 module only supports a maximum of 8092 bytes at the 100 M...

Page 70: ...nfigure the MTU size on VLAN interfaces to support routing of jumbo frames The jumbo frame feature supports only a single larger than default MTU size on the switch Configuring a VLAN interface with an MTU size greater than the default automatically configures all other VLAN interfaces that have an MTU size greater than the default to the newly configured size VLAN interfaces that have not been ch...

Page 71: ...g a remote host and how to trace the hop by hop path of packets through the network using traceroute Console enable ping somehost somehost is alive Console enable traceroute somehost traceroute to somehost company com 10 1 2 3 30 hops max 40 byte packets 1 engineering 1 company com 173 31 192 206 2 ms 1 ms 1 ms 2 engineering 2 company com 173 31 196 204 2 ms 3 ms 2 ms 3 gateway_a company com 173 1...

Page 72: ...4 14 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 4 Configuring Ethernet Fast Ethernet and Gigabit Ethernet Switching Setting the Port Configuration ...

Page 73: ... a Trunk Link page 5 5 Example VLAN Trunk Configurations page 5 9 Disabling VLAN 1 on Trunks page 5 23 Understanding How VLAN Trunks Work These sections describe how VLAN trunks work on the Catalyst 6000 family switches Trunking Overview page 5 1 Trunking Modes and Encapsulation Types page 5 2 802 1Q Trunk Restrictions page 5 4 Trunking Overview A trunk is a point to point link between one or more...

Page 74: ... mode the trunk encapsulation type and the hardware capabilities of the two connected ports determine whether a trunk link comes up and the type of trunk the link becomes Table 5 3 shows the result of the possible trunking configurations Table 5 1 Ethernet Trunking Modes Mode Function on Puts the port into permanent trunking mode and negotiates to convert the link into a trunk link The port become...

Page 75: ...k Neighbor ISL trunk Local Nontrunk Neighbor Nontrunk Local 1Q trunk Neighbor Nontrunk Local Nontrunk Neighbor Nontrunk Local Nontrunk Neighbor Nontrunk Local ISL trunk Neighbor ISL trunk Local Nontrunk Neighbor Nontrunk on dot1q Local Nontrunk Neighbor 1Q trunk Local ISL trunk1 Neighbor 1Q trunk1 Local Nontrunk Neighbor 1Q trunk Local Nontrunk Neighbor 1Q trunk Local 1Q trunk Neighbor 1Q trunk Lo...

Page 76: ...o the reserved Cisco Shared Spanning Tree SSTP multicast MAC address 01 00 0c cc cc cd Non Cisco 802 1Q switches maintain only a single instance of spanning tree the Mono Spanning Tree or MST that defines the spanning tree topology for all VLANs When you connect a Cisco switch to a non Cisco switch through an 802 1Q trunk the MST of the non Cisco switch and the native VLAN spanning tree of the Cis...

Page 77: ...ged mode This example shows how to configure a port as a trunk and how to verify the trunk configuration This example assumes that the neighboring port is in auto mode Console enable set trunk 1 1 on Port s 1 1 trunk mode set to on Console enable 06 16 1998 22 16 39 DTP 5 Port 1 1 has become isl trunk 06 16 1998 22 16 40 PAGP 5 Port 1 1 left bridge port 1 1 06 16 1998 22 16 40 PAGP 5 Port 1 1 join...

Page 78: ... Port Mode Encapsulation Status Native vlan 1 2 desirable isl trunking 1 Port Vlans allowed on trunk 1 2 1 1005 1025 4094 Port Vlans allowed and active in management domain 1 2 1 521 524 Port Vlans in spanning tree forwarding state and not pruned 1 2 Console enable Configuring an 802 1Q Trunk To configure an 802 1Q trunk perform this task in privileged mode This example shows how to configure an 8...

Page 79: ...de with encapsulation set to isl or negotiate Console enable set trunk 4 11 desirable negotiate Port s 4 11 trunk mode set to desirable Port s 4 11 trunk type set to negotiate Console enable show trunk 4 11 Port Mode Encapsulation Status Native vlan 4 11 desirable n isl trunking 1 Port Vlans allowed on trunk 4 11 1 1005 1025 4094 Port Vlans allowed and active in management domain 4 11 1 5 10 32 55...

Page 80: ...n s 101 499 from allowed list Port 1 1 allowed vlans modified to 1 100 500 1005 Console enable set trunk 1 1 2500 Adding vlans 2500 to allowed list Port s 1 1 allowed vlans modified to 1 100 500 1005 2500 Console enable show trunk 1 1 Port Mode Encapsulation Status Native vlan 1 1 desirable isl trunking 1 Port Vlans allowed on trunk 1 1 1 100 500 1005 2500 Port Vlans allowed and active in manageme...

Page 81: ...see the Default Trunk Configuration section on page 5 5 Step 1 Configure port 1 1 on Switch 1 as an ISL trunk port by entering the set trunk command By specifying the desirable keyword the trunk is automatically negotiated with the neighboring port port 1 2 on Switch 2 ISL encapsulation is assumed based on the hardware type Switch1 enable set trunk 1 1 desirable Port s 1 1 trunk mode set to desira...

Page 82: ...ode Encapsulation Status Native vlan 1 1 desirable isl trunking 1 Port Vlans allowed on trunk 1 1 1 520 530 Port Vlans allowed and active in management domain 1 1 1 521 524 Port Vlans in spanning tree forwarding state and not pruned 1 1 1 521 524 Switch1 enable Step 4 Verify connectivity across the trunk by entering the ping command Switch1 enable ping switch2 switch2 is alive Switch1 enable ISL T...

Page 83: ...1 joined bridge port 1 1 2 PAGP 5 PORTTOSTP Port 1 2 joined bridge port 1 1 2 Switch_B enable PAGP 5 PORTFROMSTP Port 3 1 left bridge port 3 1 PAGP 5 PORTFROMSTP Port 3 2 left bridge port 3 2 PAGP 5 PORTFROMSTP Port 3 2 left bridge port 3 2 PAGP 5 PORTTOSTP Port 3 1 joined bridge port 3 1 2 PAGP 5 PORTTOSTP Port 3 2 joined bridge port 3 1 2 Step 3 After the EtherChannel bundle is negotiated verify...

Page 84: ...iguration by entering the show trunk command Switch_A enable show trunk Port Mode Encapsulation Status Native vlan 1 1 desirable isl trunking 1 1 2 desirable isl trunking 1 Port Vlans allowed on trunk 1 1 1 1005 1025 4094 1 2 1 1005 1025 4094 Port Vlans allowed and active in management domain 1 1 1 5 10 20 50 152 200 300 400 500 521 524 570 850 917 999 1 2 1 5 10 20 50 152 200 300 400 500 521 524 ...

Page 85: ...s example all ports are configured as members of VLAN 1 Switch_A enable set vlan 1 2 3 6 VLAN Mod Ports 1 2 1 6 Switch_A enable Switch_B enable set vlan 1 3 3 6 VLAN Mod Ports 1 3 1 6 Switch_B enable Step 2 Confirm the channeling and trunking status of the switches by entering the show port channel and show trunk commands Switch_A enable show port channel No ports channelling Switch_A enable show ...

Page 86: ... Port 3 4 joined bridge port 3 3 6 PAGP 5 PORTTOSTP Port 3 5 joined bridge port 3 3 6 PAGP 5 PORTTOSTP Port 3 6 joined bridge port 3 3 6 Step 4 After the EtherChannel bundle is negotiated verify the configuration by entering the show port channel command Switch_A enable show port channel Port Status Channel Channel Neighbor Neighbor mode status device port 2 3 connected desirable channel WS C4003 ...

Page 87: ...ORTFROMSTP Port 3 6 left bridge port 3 3 6 DTP 5 TRUNKPORTON Port 3 5 has become dot1q trunk DTP 5 TRUNKPORTON Port 3 6 has become dot1q trunk PAGP 5 PORTFROMSTP Port 3 5 left bridge port 3 3 6 PAGP 5 PORTFROMSTP Port 3 6 left bridge port 3 3 6 PAGP 5 PORTTOSTP Port 3 3 joined bridge port 3 3 6 PAGP 5 PORTTOSTP Port 3 4 joined bridge port 3 3 6 PAGP 5 PORTTOSTP Port 3 5 joined bridge port 3 3 6 PA...

Page 88: ... Vlans in spanning tree forwarding state and not pruned 3 3 1 5 10 20 50 152 200 300 400 500 521 524 570 850 917 999 3 4 1 5 10 20 50 152 200 300 400 500 521 524 570 850 917 999 3 5 1 5 10 20 50 152 200 300 400 500 521 524 570 850 917 999 3 6 1 5 10 20 50 152 200 300 400 500 521 524 570 850 917 999 Switch_B enable Load Sharing VLAN Traffic Over Parallel Trunks Example Using spanning tree port VLAN...

Page 89: ...h 2 as a VTP client or as a VTP server Switch_1 enable set vtp domain BigCorp mode server VTP domain BigCorp modified Switch_1 enable Switch_2 enable set vtp domain BigCorp mode server VTP domain BigCorp modified Switch_2 enable Step 2 Create the VLANs on Switch 1 by entering the set vlan command In this example you see VLANs 10 20 30 40 50 and 60 Switch_1 enable set vlan 10 Vlan 10 configuration ...

Page 90: ...le Step 4 Configure the supervisor engine uplinks on Switch 1 as ISL trunk ports by entering the set trunk command Specifying the desirable mode on the Switch 1 ports causes the ports on Switch 2 to negotiate to become trunk links assuming that the Switch 2 uplinks are in the default auto mode Switch_1 enable set trunk 1 1 desirable Port s 1 1 trunk mode set to desirable Switch_1 enable 04 21 1998...

Page 91: ...the spanning tree state of each trunk port on Switch 1 by entering the show spantree command Trunk 1 is forwarding for all VLANs Trunk 2 is blocking for all VLANs On Switch 2 both trunks are forwarding for all VLANs but no traffic passes over Trunk 2 because port 1 2 on Switch 1 is blocking Switch_1 enable show spantree 1 1 Port Vlan Port State Cost Priority Fast Start Group method 1 1 1 forwardin...

Page 92: ...p 10 On Switch 1 change the port VLAN priority for the Group 2 VLANs on Trunk 2 port 1 2 to an integer value lower than the default of 32 by entering the set spantree portvlanpri command Switch_1 enable set spantree portvlanpri 1 2 1 40 Port 1 2 vlans 1 39 41 1004 using portpri 32 Port 1 2 vlans 40 using portpri 1 Port 1 2 vlans 1005 using portpri 4 Switch_1 enable set spantree portvlanpri 1 2 1 5...

Page 93: ...th ends of the link the spanning tree converges to use the new configuration Step 13 Check the spanning tree port states on Switch 1 by entering the show spantree command The Group 1 VLANs should forward on Trunk 1 and block on Trunk 2 The Group 2 VLANs should block on Trunk 1 and forward on Trunk 2 Switch_1 enable show spantree 1 1 Port Vlan Port State Cost Priority Fast Start Group method 1 1 1 ...

Page 94: ...show spantree 1 2 Port Vlan Port State Cost Priority Fast Start Group method 1 2 1 learning 19 32 disabled 1 2 10 learning 19 32 disabled 1 2 20 learning 19 32 disabled 1 2 30 learning 19 32 disabled 1 2 40 forwarding 19 1 disabled 1 2 50 forwarding 19 1 disabled 1 2 60 forwarding 19 1 disabled 1 2 1003 not connected 19 32 disabled 1 2 1005 not connected 19 4 disabled Switch_1 enable show spantree...

Page 95: ...ation Protocol PAgP and DTP When a trunk port with VLAN 1 disabled becomes a nontrunk port it is added to the native VLAN If the native VLAN is VLAN 1 the port is enabled and added to VLAN 1 Disabling VLAN 1 on a Trunk Link To disable VLAN 1 on a trunk interface perform this task in privileged mode This example shows how to disable VLAN 1 on a trunk link and verify the configuration Console enable...

Page 96: ...5 24 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 5 Configuring Ethernet VLAN Trunks Disabling VLAN 1 on Trunks ...

Page 97: ...rts in the Catalyst 6000 family switches Understanding How EtherChannel Works EtherChannel bundles individual Ethernet links into a single logical link that provides bandwidth up to 1600 Mbps Fast EtherChannel full duplex or 16 Gbps Gigabit EtherChannel between a Catalyst 6000 family switch and another switch or host All Ethernet ports on all modules including those on a standby supervisor engine ...

Page 98: ...oup designated by an integer between 1 and 1024 to which the EtherChannel belongs When an administrative group is created you can assign an administrative group number or let the next available administrative group number be assigned automatically Forming a channel without specifying an administrative group number creates a new automatically numbered administrative group An administrative group ma...

Page 99: ...determine if EtherChannel frame distribution is configurable on your switch If the display shows the Sub Type to be L2 Switching Engine I WS F6020 then EtherChannel frame distribution is not configurable on your switch it uses source and destination Media Access Control MAC addresses EtherChannel frame distribution is configurable with all other switching engines The default is to use source and d...

Page 100: ...erent trunk modes can have unexpected results An EtherChannel supports the same allowed range of VLANs on all the ports in a trunking EtherChannel If the allowed range of VLANs is not the same for a port list the ports do not form an EtherChannel even when set to the auto or desirable mode with the set port channel command Ports with different port path costs set by the set spantree portcost comma...

Page 101: ...nnel on a group of Ethernet ports perform this task in privileged mode This example shows how to configure a seven port EtherChannel in a new administrative group Console enable set port channel 2 2 8 mode desirable Ports 2 2 8 left admin_group 1 Ports 2 2 8 joined admin_group 2 Console enable Setting the EtherChannel Port Mode To set a port s EtherChannel mode perform this task in privileged mode...

Page 102: ...44 cat26 lnf NET25 2 1 WS C6009 Console enable Console enable set channel cost 768 12 Port s 1 1 1 2 port path cost are updated to 31 Channel 768 cost is set to 12 Warning channel cost may not be applicable if channel is broken Console enable Setting the EtherChannel VLAN Cost The EtherChannel VLAN cost feature provides load balancing of VLAN traffic across multiple channels configured with trunki...

Page 103: ... 3 47 VLANs 1025 4094 have path cost 19 Port 3 47 VLANs 1 1005 have path cost 16 Port 3 48 VLANs 1 1005 have path cost 16 To set the EtherChannel VLAN cost perform this task in privileged mode This example shows how to set the EtherChannel VLAN cost for channel ID 856 Console enable show channel group 22 Admin Port Status Channel Channel group Mode id 22 1 1 notconnect on 856 22 1 2 connected on 8...

Page 104: ...tilization on EtherChannel ports Console enable show channel traffic ChanId Port Rx Ucst Tx Ucst Rx Mcst Tx Mcst Rx Bcst Tx Bcst 808 2 16 0 00 0 00 50 00 75 75 0 00 0 00 808 2 17 0 00 0 00 50 00 25 25 0 00 0 00 816 2 31 0 00 0 00 25 25 50 50 0 00 0 00 816 2 32 0 00 0 00 75 75 50 50 0 00 0 00 Console enable Displaying Outgoing Ports for a Specified Address or Layer 4 Port Number To display the outg...

Page 105: ...nation IP addresses Console enable show channel hash 808 172 20 32 10 172 20 32 66 Selected channel port 2 17 Console enable Disabling an EtherChannel To disable an EtherChannel perform this task in privileged mode This example shows how to disable an EtherChannel Console enable set port channel 2 2 8 mode off Ports 2 2 8 channel mode set to off Console enable Task Command Disable an EtherChannel ...

Page 106: ...6 10 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 6 Configuring EtherChannel Configuring EtherChannel ...

Page 107: ... customer device and the tunnel port is called an asymmetrical link because one end is configured as an 802 1Q trunk port and the other end is configured as a tunnel port When a tunnel port receives tagged customer traffic from an 802 1Q trunk port it does not strip the received 802 1Q tag from the frame header instead the tunnel port leaves the 802 1Q tag intact adds a 1 byte Ethertype field 0x81...

Page 108: ... header length imposes the following restrictions The Layer 3 packet within the Layer 2 frame cannot be identified Layer 3 and higher parameters are not identifiable in tunnel traffic for example Layer 3 destination and source addresses Tunnel traffic cannot be routed The switch can filter tunnel traffic using only Layer 2 parameters VLANs and source and destination MAC addresses The switch can pr...

Page 109: ...ning Tree Protocol MISTP The ISP infrastructure must use either PVST or MISTP PVST Configuring Support for 802 1Q Tunneling These sections describe 802 1Q tunneling configuration Configuring the Switch to Support 802 1Q Tunneling page 7 3 Configuring 802 1Q Tunnel Ports page 7 4 Clearing 802 1Q Tunnel Ports page 7 4 Removing Global Support for 802 1Q Tunneling page 7 4 Caution Ensure that only the...

Page 110: ... port dot1qtunnel 4 1 Port Dot1q tunnel mode 4 1 access Clearing 802 1Q Tunnel Ports To clear 802 1Q tunneling support from a port perform this task in privileged mode This example shows how to clear tunneling on port 4 1 and verify the configuration Console enable set port dot1qtunnel 4 1 disable Dot1q tunnel feature disabled on port 4 1 Console enable show port dot1qtunnel 4 1 Port Dot1q tunnel ...

Page 111: ...h perform this task in privileged mode This example shows how to remove tunneling support on the switch and verify the configuration Console enable set dot1q all tagged disable Dot1q tagging is disabled Console enable show dot1q all tagged Dot1q all tagged mode disabled Console enable Task Command Step 1 Remove tunneling support on the switch set dot1q all tagged disable all Step 2 Verify the conf...

Page 112: ...7 6 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 7 Configuring IEEE 802 1Q Tunneling Configuring Support for 802 1Q Tunneling ...

Page 113: ... page 8 13 Using PVST page 8 15 Using MISTP PVST or MISTP page 8 22 Configuring a Root Switch page 8 31 Configuring Spanning Tree Timers page 8 35 Understanding How BPDU Skewing Works page 8 37 Configuring BPDU Skewing page 8 38 Note For complete syntax and usage information for the commands used in this chapter refer to the Catalyst 6000 Family Command Reference publication Understanding How Span...

Page 114: ...e network send and receive spanning tree packets that they use to identify the path If one network segment becomes unreachable or if spanning tree costs change the spanning tree algorithm reconfigures the spanning tree topology and reestablishes the link by activating the standby path Spanning tree operation is transparent to end stations which do not detect whether they are connected to a single ...

Page 115: ...ng tree topology is based on default parameters the path between source and destination stations in a switched network might not be ideal Connecting higher speed links to a port that has a higher number than the current root port can cause a root port change The goal is to make the fastest link the root port For example assume that a port on Switch B is a fiber optic link Also another port on Swit...

Page 116: ...transmit data You can calculate and assign lower path cost values port costs to higher bandwidth ports by using either the short method which is the default or the long method Two methods are available for calculating the default port cost the short method and the long method The short method uses a 16 bit format that yields values from 1 to 65535 The long method uses a 32 bit format that yields v...

Page 117: ...e the same port cost parameters as a stand alone port Spanning Tree Port States Topology changes can take place in a switched network due to a link coming up or a link going down failing When a switch port transitions directly from nonparticipation in the topology to the forwarding state it can create temporary data loops Ports must wait for new topology information to propagate through the switch...

Page 118: ...col VTP When you enable spanning tree every switch in the network goes through the blocking state and the transitory states of listening and learning at power up If properly configured each port stabilizes into the forwarding or blocking state When the spanning tree algorithm places a port in the forwarding state the following occurs The port is put into the listening state while it waits for prot...

Page 119: ...performs as follows Discards frames received from the attached segment Discards frames switched from another port for forwarding Does not incorporate station location into its address database There is no learning on a blocking port so there is no address database update Receives BPDUs and directs them to the system module Does not transmit BPDUs received from the system module Receives and respon...

Page 120: ...ystem module Receives and responds to network management messages Learning State A port in the learning state prepares to participate in frame forwarding The port enters the learning state from the listening state Figure 8 5 shows a port in the learning state A port in the learning state performs as follows Discards frames received from the attached segment Discards frames switched from another po...

Page 121: ...Us received from the system module Receives and responds to network management messages Figure 8 5 Port 2 in Learning State Filtering database Frame forwarding System module Port 1 BPDUs All segment frames BPDU and network management frames All segment frames Forwarding Learning BPDUs Station addresses Network management and data frames Port 2 S5694 Network management frames Station addresses Data...

Page 122: ...cesses BPDUs received from the system module Receives and responds to network management messages Caution Use spanning tree PortFast mode only on ports directly connected to individual workstations to allow these ports to come up and go directly to the forwarding state instead of having to go through the entire spanning tree initialization process To prevent illegal topologies enable spanning tree...

Page 123: ...s database There is no learning so there is no address database update Receives BPDUs but does not direct them to the system module Does not receive BPDUs for transmission from the system module Receives and responds to network management messages Understanding PVST and MISTP Modes Catalyst 6000 family switches provide two proprietary spanning tree modes based on the IEEE 802 1D standard and one m...

Page 124: ... the network MISTP Mode MISTP is an optional spanning tree protocol that runs on Catalyst 6000 family switches MISTP allows you to group multiple VLANs under a single instance of spanning tree an MISTP instance MISTP combines the Layer 2 load balancing benefits of PVST with the lower CPU load of IEEE 802 1Q An MISTP instance is a virtual logical topology defined by a set of bridge and port paramet...

Page 125: ...with the first MAC address in the range assigned to VLAN 1 the second MAC address in the range assigned to VLAN 2 and so on The last MAC address in the range is assigned to the supervisor engine in band sc0 management interface For example if the MAC address range is 00 e0 1e 9b 2e 00 to 00 e0 1e 9b 31 ff the VLAN 1 bridge ID is 00 e0 1e 9b 2e 00 the VLAN 2 bridge ID is 00 e0 1e 9b 2e 01 the VLAN ...

Page 126: ... ieee Bridge ID MAC ADDR 00 d0 00 4c 18 00 Bridge ID Priority 32769 bridge priority 32768 sys ID ext 1 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec If you have a Catalyst switch in your network with MAC address reduction enabled you should also enable MAC address reduction on all other Layer 2 connected switches to avoid undesirable root election and spanning tree topology issues Wh...

Page 127: ...onfiguration Table 8 3 shows the default PVST configuration Table 8 3 PVST Default Configuration Feature Default Value VLAN 1 All ports assigned to VLAN 1 Enable state PVST enabled for all VLANs MAC address reduction Disabled Bridge priority 32768 Bridge ID priority 32769 bridge priority plus system ID extension of VLAN 1 Port priority 32 Port cost Gigabit Ethernet 4 Fast Ethernet 191 FDDI CDDI 10...

Page 128: ...d default Console enable set spantree priority 30000 1 Spantree 1 bridge priority set to 30000 Console enable show spantree 1 VLAN 1 Spanning tree mode PVST Spanning tree type ieee Spanning tree enabled Designated Root 00 60 70 4c 70 00 Designated Root Priority 16384 Designated Root Cost 19 Designated Root Port 2 3 Root Max Age 14 sec Hello Time 2 sec Forward Delay 10 sec Bridge ID MAC ADDR 00 d0 ...

Page 129: ...ting port cost and from 1 to 200000000 when using the long method The default cost differs for different media For information about calculating port cost see the Calculating and Assigning Port Costs section on page 8 4 To configure the PVST port cost for a port perform this task in privileged mode Note When you enter the set channel cost command it does not appear in the configuration file The co...

Page 130: ... not connected 4 32 disabled 0 2 1 1 not connected 100 32 disabled 0 2 2 1 not connected 100 32 disabled 0 2 3 1 forwarding 19 16 disabled 0 2 4 1 not connected 100 32 disabled 0 Configuring the PVST Default Port Cost Mode If any switch in your network is using a port speed of 10 Gb or over and the network is using PVST spanning tree mode all switches in the network must have the same path cost de...

Page 131: ...sing the short method for calculating port cost and from 1 to 200000000 when using the long method The default cost differs for different media For information about calculating port cost see the Calculating and Assigning Port Costs section on page 8 4 To configure the PVST port VLAN cost for a port perform this task in privileged mode Note When you use the set channel cost command it does not app...

Page 132: ...eter applies to trunking ports only Console enable show config all set spantree portcost 2 12 2 15 19 set spantree portcost 2 1 2 2 4 11 2 13 14 2 16 48 100 set spantree portcost 2 3 12 set spantree portpri 2 1 48 32 set spantree portvlanpri 2 1 0 set spantree portvlanpri 2 2 0 set spantree portvlanpri 2 48 0 set spantree portvlancost 2 1 cost 99 set spantree portvlancost 2 2 cost 99 set spantree ...

Page 133: ...ss all switches or routers in the VLAN have spanning tree disabled You cannot disable spanning tree on some switches or routers in a VLAN and leave spanning tree enabled on other switches or routers in the VLAN If spanning tree remains enabled on the switches and routers they will have incomplete information about the physical topology of the network which may cause unexpected results ...

Page 134: ... that if you use MISTP mode you should configure all of your Catalyst 6000 family switches to run MISTP To use MISTP mode you first enable an MISTP instance then map at least one VLAN to the instance You must have at least one forwarding port in the VLAN in order for the MISTP instance to be active Note Map VLANs to MISTP instances on Catalyst 6000 family switches that are either in VTP server mod...

Page 135: ...you must do so from the switch console do not use a Telnet connection through the data port or you will lose your connection to the switch After you map a VLAN to an MISTP instance you can Telnet to the switch Table 8 4 MISTP and MISTP PVST Default Configuration Feature Default Value Enable state Disabled until a VLAN is mapped to an MISTP instance MAC address reduction Disabled Bridge priority 32...

Page 136: ...e MAC addresses are not displayed when you specify the keyword config To display spanning tree mapping perform this task in privileged mode This example shows how to display the spanning tree VLAN instance mapping in MISTP mode MISTP MISTP PVST Console enable set spantree mode mistp PVST database cleaned up Spantree mode set to MISTP Console enable show spantree mapping Inst Root Mac Vlans 1 00 50...

Page 137: ...nfigure the bridge ID priority for an MISTP instance perform this task in privileged mode The example shows how to configure the bridge ID priority for an MISTP instance Console enable set spantree priority 8192 mistpinstance 1 Spantree 1 bridge ID priority set to 8193 bridge priority 8192 sys ID extension 1 Console enable show spantree mistp instance 1 VLAN 1 Spanning tree mode MISTP Spanning tre...

Page 138: ...e type ieee Spanning tree instance enabled Designated Root 00 d0 00 4c 18 00 Designated Root Priority 32769 root priority 32768 sys ID ext 1 Designated Root Cost 0 Designated Root Port none VLANs mapped 6 Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Bridge ID MAC ADDR 00 d0 00 4c 18 00 Bridge ID Priority 32769 bridge priority 32768 sys ID ext 1 VLANs mapped 6 Bridge Max Age 20 sec Hel...

Page 139: ...e the port instance cost for an instance of MISTP or MISTP PVST Ports with a lower instance cost are more likely to be chosen to forward frames You should assign lower numbers to ports attached to faster media such as full duplex and higher numbers to ports attached to slower media The default cost differs for different media The possible value for port instance cost is 1 268435456 To configure th...

Page 140: ...der for it to be active You can enable a single MISTP instance a range of instances or all instances at once using the all keyword Note The software does not display the status of an MISTP instance until it has a VLAN with an active port mapped to it To enable an MISTP instance perform this task in privileged mode Note Enter the active keyword to display active ports only This example shows how to...

Page 141: ...ion See the Creating Extended Range VLANs section on page 11 7 in Chapter 11 Configuring VLANs for details on using extended range VLANs To map a VLAN to an MISTP instance perform this task in privileged mode This example shows how to map a VLAN to MISTP instance 1 and verify the mapping Console enable set vlan 6 mistp instance 1 Vlan 6 configuration successful Console enable show spantree mist in...

Page 142: ...e shows there is an attempt to map VLAN 2 to MISTP instance 1 and to MISTP instance 3 on two different switches as seen from a third switch in the topology Console enable show spantree conflicts 2 Inst MAC Delay Time left 1 00 30 a3 4a 0c 00 inactive 20 3 00 30 f1 e5 00 01 inactive 10 The Delay timer shows the time in seconds remaining before the VLAN joins the instance The field displays inactive...

Page 143: ...ode You enter the set spantree root command to reduce the bridge priority the value associated with the switch from the default 32768 to a lower value which allows the switch to become the root switch When you specify a switch as the primary root the default bridge priority is modified so that it becomes the root for the specified VLANs The switch checks the bridge priority of the current root swi...

Page 144: ...an set a secondary root switch on a VLAN when the switch is in PVST mode or on an MISTP instance when the switch is in MISTP mode The set spantree root secondary command reduces the bridge priority to 16 384 making it the probable candidate to become the root switch if the primary root switch fails You can run this command on more than one switch to create multiple backup switches in case the prim...

Page 145: ...ork with links of 10 Mbps or faster the network diameter can reach the maximum value of 7 With WAN connections you cannot reduce the parameters When a link failure occurs in a bridged network the network reconfiguration is not immediate Reconfiguring the default parameters specified by IEEE 802 1D for the Hello Time Forward Delay Timer and Maximum Age Timer requires a 50 second delay This reconfig...

Page 146: ... 1 10 bridge forward delay set to 9 seconds Switch is now the root switch for active VLANs 1 6 Console enable Using Root Guard Preventing Switches from Becoming Root You may want to prevent switches from becoming the root switch The root guard feature forces a port to become a designated port so that no switch on the other end of the link can become a root switch When you enable root guard on a pe...

Page 147: ... commands to modify the spanning tree performance parameters Table 8 6 describes the switch variables that affect spanning tree performance Configuring the Hello Time Enter the set spantree hello command to change the hello time for a VLAN or for an MISTP instance The possible range of interval is 1 to 10 seconds Task Command Step 1 Enable root guard on a port set spantree guard root none mod port...

Page 148: ...ime for a VLAN perform this task in privileged mode This example shows how to configure the spanning tree forward delay time for VLAN 100 to 21 seconds Console enable set spantree fwddelay 21 100 Spantree 100 forward delay set to 21 seconds Console enable This example shows how to set the bridge forward delay for an instance to 16 seconds Console enable set spantree fwddelay 16 mistp instance 1 In...

Page 149: ... each configured time period A VLAN may not receive the BPDU as scheduled If the BPDU is not received on a VLAN at the configured time interval the BPDU is skewed Spanning tree uses the Hello Time see the Configuring the Hello Time section on page 8 35 to detect when a connection to the root switch exists through a port and when that connection is lost This feature applies to both PVST and MISTP I...

Page 150: ...configure BPDU skewing and view the skewing statistics Console enable set spantree bpdu skewing Usage set spantree bpdu skewing enable disable Console enable set spantree bpdu skewing enable Spantree bpdu skewing enabled on this switch Console enable Console enable show spantree bpdu skewing 1 Bpdu skewing statistics for vlan 1 Port Last Skew ms Worst Skew ms Worst Skew Time 8 2 5869 108370 Tue No...

Page 151: ...g The show spantree summary command displays if BPDU skew detection is enabled and also lists the VLANs or instances affected in the skew This example shows the output when using the show spantree summary command Console enable show spantree summary Root switch for vlans 1 BPDU skewing detection enabled for the bridge BPDU skewed for vlans 1 Portfast bpdu guard disabled for bridge Portfast bpdu fi...

Page 152: ...8 40 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 8 Configuring Spanning Tree Configuring BPDU Skewing ...

Page 153: ... and usage information for the commands used in this chapter refer to the Catalyst 6000 Family Command Reference publication This chapter consists of these sections Understanding How PortFast Works page 9 2 Understanding How PortFast BPDU Guard Works page 9 2 Understanding How PortFast BPDU Filter Works page 9 2 Understanding How UplinkFast Works page 9 3 Understanding How BackboneFast Works page ...

Page 154: ...rks PortFast BPDU guard prevents spanning tree loops by moving a nontrunking port into the errdisable state when a BPDU is received on that port When you enable BPDU guard on the switch spanning tree shuts down PortFast configured interfaces that receive BPDUs rather than putting them into the spanning tree blocking state In a valid configuration PortFast configured interfaces do not receive BPDUs...

Page 155: ... most useful in wiring closet switches This feature may not be useful for other types of applications Figure 9 1 shows an example topology with no link failures Switch A the root switch is connected directly to Switch B over link L1 and to Switch C over link L2 The port on Switch C that is connected directly to Switch B is in blocking state Figure 9 1 UplinkFast Example Before Direct Link Failure ...

Page 156: ...it uses these alternate paths to transmit a new kind of PDU called the Root Link Query PDU out all alternate paths to the root bridge If the switch determines that it still has an alternate path to the root it causes the maximum aging time on the ports on which it received the inferior BPDU to expire If all the alternate paths to the root bridge indicate that the switch has lost connectivity to th...

Page 157: ...tch Figure 9 5 Adding a Switch in a Shared Medium Topology Understanding How Loop Guard Works Unidirectional link failures may cause a root port or alternate port to become designated as root if BPDUs are absent Some software failures may introduce temporary loops in the network The loop guard feature checks if a root port or an alternate root port receives BPDUs If the port is not receiving BPDUs...

Page 158: ...ollowing configuration Switches A and B are distribution switches Switch C is an access switch Loop guard is enabled on ports 3 1 and 3 2 on Switches A B and C Use loop guard only in topologies where there are blocked ports Topologies that have no blocked ports which are loop free do not need to enable this feature Enabling loop guard on a root switch has no effect but provides protection when a r...

Page 159: ...er to the redundant supervisor engine The newly activated supervisor engine recovers the port only after receiving a BPDU on that port Loop guard uses the ports known to spanning tree Loop guard can take advantage of logical ports provided by the Port Aggregation Protocol PAgP However to form a channel all the physical ports grouped in the channel must have compatible configurations PAgP enforces ...

Page 160: ... caution Spantree port 4 1 fast start enabled Console enable show spantree 4 1 Port Vlan Port State Cost Priority Fast Start Group method 4 1 1 blocking 19 20 enabled 4 1 100 forwarding 10 20 enabled 4 1 521 blocking 19 20 enabled 4 1 522 blocking 19 20 enabled 4 1 523 blocking 19 20 enabled 4 1 524 blocking 19 20 enabled 4 1 1003 not connected 19 20 enabled 4 1 1005 not connected 19 4 enabled Con...

Page 161: ...o enable PortFast BPDU guard on the switch and verify the configuration in the Per VLAN Spanning Tree PVST mode Note For additional PVST information see Chapter 8 Configuring Spanning Tree Console enable set spantree portfast bpdu guard enable Spantree portfast bpdu guard enabled on this switch Console enable show spantree summary Root switch for vlans none Portfast bpdu guard enabled for bridge U...

Page 162: ...pantree portfast bpdu guard disable Spantree portfast bpdu guard disabled on this switch Console enable show spantree summary Summary of connected spanning tree ports by vlan Portfast bpdu guard disabled for bridge Uplinkfast disabled for bridge Backbonefast disabled for bridge Vlan Blocking Listening Learning Forwarding STP Active 1 0 0 0 4 4 2 0 0 0 4 4 3 0 0 0 4 4 4 0 0 0 4 4 5 0 0 0 4 4 6 0 0 ...

Page 163: ...ortFast BPDU filtering on the port and verify the configuration in PVST mode Note For PVST information see Chapter 8 Configuring Spanning Tree Console enable set spantree portfast bpdu filter enable Usage set spantree portfast mod port enable disable set spantree portfast bpdu guard enable disable set spantree portfast bpdu filter enable disable Spantree portfast bpdu filter enabled on this switch...

Page 164: ...ileged mode This example shows how to disable PortFast BPDU filtering on the switch and verify the configuration Console enable set spantree portfast bpdu filter disable Spantree portfast bpdu filter disabled on this switch Console enable show spantree summary Summary of connected spanning tree ports by vlan Portfast bpdu filter disabled for bridge Uplinkfast disabled for bridge Backbonefast disab...

Page 165: ...me the root switch The station_update_rate value represents the number of multicast packets transmitted per 100 milliseconds the default is 15 packets per millisecond Note When you enable the set spantree uplinkfast command it affects all VLANs on the switch You cannot configure UplinkFast on an individual VLAN To enable UplinkFast on the switch perform this task in privileged mode With PVST mode ...

Page 166: ...ISTP mode enabled this example shows the output when you enable UplinkFast Console enable set spantree uplinkfast enable Instances 1 16 bridge priority set to 49152 The port cost and portinstancecost of all ports set to above 10000000 Station update rate set to 15 packets 100ms uplinkfast all protocols field set to off uplinkfast enabled for bridge Console enable This example shows how to display ...

Page 167: ...1 2 100 1 2 fwd 521 1 1 fwd 1 2 522 1 1 fwd 1 2 523 1 1 fwd 1 2 524 1 1 fwd 1 2 Console enable Configuring BackboneFast These sections describe how to configure BackboneFast Enabling BackboneFast page 9 15 Displaying BackboneFast Statistics page 9 16 Disabling BackboneFast page 9 16 Enabling BackboneFast Note For BackboneFast to work you must enable it on all switches in the network BackboneFast i...

Page 168: ...ocking Listening Learning Forwarding STP Active 1 0 0 0 1 1 Blocking Listening Learning Forwarding STP Active Total 0 0 0 1 1 BackboneFast statistics Number of inferior BPDUs received all VLANs 0 Number of RLQ req PDUs received all VLANs 0 Number of RLQ res PDUs received all VLANs 0 Number of RLQ req PDUs transmitted all VLANs 0 Number of RLQ res PDUs transmitted all VLANs 0 Console enable Disabli...

Page 169: ... 5 1 enabling loopguard will disable rootguard on this port Do you want to continue y n n y Loopguard on port 5 1 is enabled Console enable Disabling Loop Guard To disable loop guard on the switch perform this task in privileged mode This example shows how to disable loop guard Console enable set spantree guard none 5 1 Rootguard is disabled on port 5 1 disabling loopguard will disable rootguard o...

Page 170: ...9 18 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 9 Configuring Spanning Tree PortFast UplinkFast BackboneFast and Loop Guard Configuring Loop Guard ...

Page 171: ...istency by managing the addition deletion and renaming of VLANs on a network wide basis VTP minimizes misconfigurations and configuration inconsistencies that can result in a number of problems such as duplicate VLAN names incorrect VLAN type specifications and security violations You can use VTP to manage VLANs 1 to 1005 in your network Note that VTP does not support VLANs 1025 to 4094 With VTP y...

Page 172: ...itch Link ISL IEEE 802 1Q IEEE 802 10 and ATM LAN Emulation LANE VTP maps VLANs dynamically across multiple LAN types with unique names and internal index associations Mapping eliminates excessive device administration required from network administrators Understanding VTP Modes You can configure a switch to operate in any one of these VTP modes Server In VTP server mode you can create modify and ...

Page 173: ... engine software VTP version 2 forwards VTP messages in transparent mode without checking the version Consistency Checks In VTP version 2 VLAN consistency checks such as VLAN names and values are performed only when you enter new information through the CLI or SNMP Consistency checks are not performed when new information is obtained from a VTP message or when information is read from NVRAM If the...

Page 174: ...4 on Switch 4 Figure 10 2 Flooding Traffic with VTP Pruning Enabling VTP pruning on a VTP server enables pruning for the entire management domain VTP pruning takes effect several seconds after you enable it By default VLANs 2 through 1000 are pruning eligible VTP pruning does not prune traffic from VLANs that are pruning ineligible VLAN 1 is always pruning ineligible traffic from VLAN 1 cannot be ...

Page 175: ...version 1 provided VTP version 2 is disabled on the VTP version 2 capable switch VTP version 2 is disabled by default Do not enable VTP version 2 on a switch unless all of the switches in the same VTP domain are version 2 capable When you enable VTP version 2 on a switch all of the version 2 capable switches in the domain enable VTP version 2 In a Token Ring environment you must enable VTP version...

Page 176: ...verify the configuration Console enable set vtp domain Lab_Network VTP domain Lab_Network modified Console enable set vtp mode server VTP domain Lab_Network modified Console enable show vtp domain Domain Name Domain Index VTP Version Local Mode Password Lab_Network 1 2 server Vlan count Max vlan storage Config Revision Notifications 10 1023 40 enabled Last Updater V2 Mode Pruning PruneEligible on ...

Page 177: ...isable VTP on the switch A VTP transparent switch does not send VTP updates and does not act on VTP updates received from other switches However a VTP transparent switch running VTP version 2 does forward received VTP advertisements out all of its trunk links Note Network devices in VTP transparent mode do not send VTP Join messages On Catalyst 6000 family switches with trunk connections to networ...

Page 178: ...e same VTP domain Every switch in the VTP domain must use the same VTP version Do not enable VTP version 2 unless every switch in the VTP domain supports version 2 Note In a Token Ring environment you must enable VTP version 2 for Token Ring VLAN switching to function properly To enable VTP version 2 perform this task in privileged mode This example shows how to enable VTP version 2 and verify the...

Page 179: ...entire management domain All devices in the management domain should be pruning capable before enabling Do you want to continue y n n y VTP domain Lab_Network modified Console enable clear vtp pruneeligible 100 500 Vlans 1 100 500 1001 1005 will not be pruned on this device VTP domain Lab_Network modified Console enable set vtp pruneeligible 250 255 Vlans 2 99 250 255 501 1000 eligible for pruning...

Page 180: ...nt domain 1 1 1 522 524 Port Vlans in spanning tree forwarding state and not pruned 1 1 1 522 524 Console enable Disabling VTP Pruning To disable VTP pruning perform this task in privileged mode This example shows how to disable VTP pruning in the management domain Console enable set vtp pruning disable This command will disable the pruning function in the entire management domain Do you want to c...

Page 181: ...le show vtp statistics VTP statistics summary advts received 4690 subset advts received 7 request advts received 0 summary advts transmitted 4397 subset advts transmitted 8 request advts transmitted 0 No of config revision errors 0 No of config digest errors 0 VTP pruning statistics Trunk Join Trasmitted Join Received Summary advts received from non pruning capable device 1 1 0 0 0 1 2 0 0 0 Conso...

Page 182: ...10 12 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 10 Configuring VTP Configuring VTP ...

Page 183: ...age 11 13 Configuring Private VLANs page 11 13 Configuring FDDI VLANs page 11 24 Configuring Token Ring VLANs page 11 24 Understanding How VLANs Work A VLAN is a group of end stations with a common set of requirements independent of their physical location A VLAN has the same attributes as a physical LAN but allows you to group end stations even if they are not located physically on the same LAN s...

Page 184: ...y without a router Only one IP address at a time can be assigned to the in band interface If you change the IP address and assign the interface to a different VLAN the previous IP address and VLAN assignment are overwritten VLAN Ranges Catalyst 6000 family switches support 4096 VLANs in accordance with the IEEE 802 1Q standard These VLANs are organized into several ranges you use each range slight...

Page 185: ...A 1 Normal range Cisco default You can use this VLAN but you cannot delete it Yes 2 1000 Normal range Used for Ethernet VLANs you can create use and delete these VLANs Yes 1001 Normal range You cannot create or use this VLAN May be available in the future Yes 1002 1005 Reserved range Cisco defaults for FDDI and Token Ring Not supported on Catalyst 6000 family switches You cannot delete these VLANs...

Page 186: ...ng Remote Switched Port Analyzer RSPAN Default VLAN Configuration Table 11 2 shows the default VLAN configuration for the Catalyst 6000 family switches Table 11 2 VLAN Default Configuration Feature Default Value Native default VLAN VLAN 1 Port VLAN assignments All ports assigned to VLAN 1 Token Ring ports assigned to VLAN 1003 trcrf default VLAN state Active MTU size 1500 bytes 4472 bytes for Toke...

Page 187: ...n on your network configure VTP before you create any normal range VLANs See Chapter 10 Configuring VTP for configuring VTP You cannot use VTP to manage extended range VLANs 1025 4094 FlexWAN modules and routed ports automatically allocate a number of VLANs for their own use starting at VLAN 1025 If you use these devices you must allow for the number of VLANs required Creating Normal Range VLANs Y...

Page 188: ... active 344 503 active 345 520 active 362 VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2 500 enet 100500 1500 0 0 501 enet 100501 1500 0 0 502 enet 100502 1500 0 0 503 enet 100503 1500 0 0 520 enet 100520 1500 0 0 VLAN AREHops STEHops Backup CRF Console enable Modifying Normal Range VLANs To modify the VLAN parameters on an existing normal range VLAN perform this task in privil...

Page 189: ...uired by the FlexWAN module all of the VLANs required will not be allocated because VLANs are never allocated from the user s VLAN area Caution FlexWAN modules and routed ports automatically allocate a sequential block of internal VLANs starting at VLAN 1025 If you use these devices you must allow the required number of VLANs for them and must not use the lower range VLANs starting with VLAN 1025 ...

Page 190: ...sole enable Mapping VLANs to VLANs You can map VLANs to other VLANS on the Catalyst 6000 family switches in two ways Note If the list of VLANs does match in both the switches packet loss might occur 1 From non Cisco devices in your network using VLANs 1006 1024 to nonreserved VLANs on the Catalyst 6000 family switches 2 From VLANs on non Cisco devices on 802 1Q trunks to ISL trunks on the Catalyst...

Page 191: ...e network To map a reserved VLAN to a nonreserved VLAN perform this task in privileged mode This example shows how to clear old VLAN mappings map a reserved VLAN and verify the mappings on the mapping table Console enable clear vlan mapping dot1q all All dot1q vlan mapping entries deleted Console enable set vlan mapping reserved 1020 non reserved 4070 Vlan 1020 successfully mapped to 4070 Console ...

Page 192: ... 1002 1024 The valid range of user configured Inter Switch Link ISL VLANs is 1 1000 The valid range of VLANs specified in the IEEE 802 1Q standard is 0 4095 In a network environment with non Cisco devices connected to Cisco switches through 802 1Q trunks you can map 802 1Q VLAN numbers greater than 1000 to ISL VLAN numbers Note that if you use any VLANs in the extended range 1025 4094 for dot1q ma...

Page 193: ...apping successful Console enable set vlan mapping dot1q 4000 isl 400 Vlan mapping successful Console enable show vlan mapping 802 1q vlan ISL vlan Effective 2000 200 true 3000 300 true 4000 400 true Console enable Deleting 802 1Q to ISL VLAN Mappings To delete an 802 1Q to ISL VLAN mapping perform this task in privileged mode This example shows how to delete the VLAN mapping for 802 1Q VLAN 2000 C...

Page 194: ...a VLAN perform this task in privileged mode This example shows how to assign switch ports to a VLAN and verify the assignment Console enable set vlan 560 4 10 VLAN 560 modified VLAN 1 modified VLAN Mod Ports 560 4 10 Console enable show vlan 560 VLAN Name Status IfIndex Mod Ports Vlans 560 Engineering active 348 4 10 VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2 560 enet 10056...

Page 195: ...lete a single VLAN or a range of VLANs To delete a VLAN on the switch perform this task in privileged mode This example shows how to delete a VLAN in this case the switch is a VTP server Console enable clear vlan 500 This command will deactivate all ports on vlan s 500 Do you want to continue y n n y Vlan 500 deleted Console enable This command will deactivate all ports on vlan s 10 All ports on n...

Page 196: ...LAN Conveys incoming traffic from the promiscuous port to all other promiscuous isolated community and two way community ports Isolated VLAN Used by isolated ports to communicate to the promiscuous ports The traffic from an isolated port is blocked on all adjacent ports within its PVLAN and can only be received by its promiscuous ports Community VLAN Unidirectional VLAN used by a group of communit...

Page 197: ... promiscuous port to the server port of a LocalDirector to remap a number of isolated or community VLANs to the server VLAN so that the LocalDirector can load balance the servers present in the isolated or community VLANs or you can use a nontrunk promiscuous port to monitor and or back up all the private VLAN servers from an administration workstation Note A two way community VLAN can only be map...

Page 198: ...rt sc0 in a private VLAN Note With software release 6 3 1 and later releases the sc0 port can be configured as a private VLAN port however it cannot be configured as a promiscuous port You cannot set private VLAN ports to trunking mode channeling or have dynamic VLAN memberships with the exception of MSFC ports that always have trunking activated You cannot set ports belonging to the same ASIC whe...

Page 199: ...duction on a Catalyst 6000 series switch you might want to enable MAC address reduction on all the switches in your network to ensure that the STP topologies of the private VLANs match Otherwise in a network where private VLANs are configured if you enable MAC address reduction on some switches and disable it on others mixed environment you will have to use the default bridge priorities to make su...

Page 200: ... command You cannot set a VLAN to a private VLAN if the VLAN has dynamic access control entries ACEs configured on it You can stop Layer 3 switching on an isolated or community VLAN by destroying the binding of that VLAN with its primary VLAN Deleting the corresponding mapping is not sufficient Creating a Primary Private VLAN To create a primary private VLAN perform this task in privileged mode Ta...

Page 201: ...s On the edge switches that do not have any isolated community two way community or promiscuous ports typically access switches with no private ports you do not need to create private VLANs and you can prune the private VLANs from the trunks for security reasons This example shows how to specify VLAN 7 as the primary VLAN Console enable set vlan 7 pvlan type primary Vlan 7 configuration successful...

Page 202: ... Console enable set pvlan mapping 7 903 3 1 Successfully set mapping between 7 and 903 on 3 1 This example shows how to verify the private VLAN configuration Console enable show vlan 7 VLAN Name Status IfIndex Mod Ports Vlans 7 VLAN0007 active 35 4 4 6 VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2 7 enet 100010 1500 0 0 VLAN DynCreated RSPAN 7 static disabled VLAN AREHops STEH...

Page 203: ...s in the following configuration Console enable set pvlan 10 20 Console enable set pvlan mapping 10 20 3 1 Console enable set pvlan mapping 10 20 5 2 Console enable set trunk 5 1 desirable isl 1 1005 1025 4094 Console enable show pvlan capability 5 20 Ports 5 13 5 24 are in the same ASIC range as port 5 20 Port 5 20 can be made a private vlan port Console enable show pvlan Primary Secondary Second...

Page 204: ...te VLAN perform this task in privileged mode This example shows how to delete primary VLAN 7 Console enable clear vlan 7 This command will de activate all ports on vlan 7 Do you want to continue y n n y Vlan 7 deleted Console enable Deleting an Isolated Community or Two Way Community VLAN If you delete an isolated community or two way community VLAN the binding with the primary VLAN is broken any ...

Page 205: ...SFC Enter the show pvlan command to display information about private VLANs The show pvlan command displays information about private VLANs only when the primary private VLAN is up Entering a set pvlan mapping or a clear pvlan mapping command on the supervisor engine generates MSFC syslog messages See the following for an example PV 6 PV_MSG Created a private vlan mapping Primary 100 Secondary 101...

Page 206: ... 102 PV 6 PV_MSG Created a private vlan mapping Primary 100 Secondary 103 Configuring FDDI VLANs To create a new FDDI VLAN perform this task in privileged mode To modify the VLAN parameters on an existing FDDI VLAN perform this task in privileged mode Configuring Token Ring VLANs These sections describe the two Token Ring VLAN types that are supported on switches running VTP version 2 Understandin...

Page 207: ...s STP removes loops in the logical ring For TrBRF VLANs STP interacts with external bridges to remove loops from the bridge topology similar to STP operation on Ethernet VLANs Caution Certain parent TrBRF STP and TrCRF bridge mode configurations can place the logical ports the connection between the TrBRF and the TrCRF of the TrBRF in a blocked state For more information see the Default VLAN Confi...

Page 208: ...e connected through an ISL trunk Figure 11 4 Distributed TrCRF Within a TrCRF source route switching forwards frames based on either MAC addresses or route descriptors The entire VLAN can operate as a single ring with frames switched between ports within a single TrCRF You can specify the maximum hop count for All Routes and Spanning Tree Explorer frames for each TrCRF This limits the maximum numb...

Page 209: ...CRF You must configure a TrBRF before you configure the TrCRF that is the parent TrBRF VLAN you specify for the TrCRF must already exist In a Token Ring environment the logical ports of the TrBRF the connection between the TrBRF and the TrCRF are placed in a blocked state if either of these conditions exists The TrBRF is running the IBM STP and the TrCRF is in SRT mode The TrBRF is running the IEE...

Page 210: ...rm this task in privileged mode Creating or Modifying a Token Ring TrCRF VLAN Note You must enable VTP version 2 before you create Token Ring VLANs For information on enabling VTP version 2 see Chapter 10 Configuring VTP To create a new Token Ring TrCRF VLAN perform this task in privileged mode Note You must specify a ring number either in hexadecimal or in decimal and a parent TrBRF VLAN when cre...

Page 211: ... If the backup TrCRF port is attached to a Token Ring multistation access unit MSAU it does not provide a backup path unless the ring speed and port mode are set by another device We recommend that you configure the ring speed and port mode for the backup TrCRF To specify the maximum number of hops for All Routes Explorer frames or Spanning Tree Explorer frames in the TrCRF perform this task in pr...

Page 212: ...g Tree Explorer frames to ten hops and how to verify the configuration Console enable set vlan 998 aremaxhop 10 stemaxhop 10 Vlan 998 configuration successful Console enable show vlan 998 VLAN Name Status IfIndex Mod Ports Vlans 998 VLAN0998 active 357 VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2 998 trcrf 100998 4472 999 0xff srb 0 0 VLAN AREHops STEHops Backup CRF 998 10 10...

Page 213: ...faces Understanding How InterVLAN Routing Works Network devices in different VLANs cannot communicate with one another without a router to forward traffic between the VLANs In most network environments VLANs are associated with individual networks or subnetworks For example in an IP network each subnetwork is mapped to an individual VLAN In an IPX network each VLAN is mapped to an IPX network numb...

Page 214: ...guring Cisco routing refer to the Cisco IOS documentation on Cisco com These sections describe how to configure interVLAN routing on the MSFC MSFC Routing Configuration Guidelines page 12 2 Configuring IP InterVLAN Routing on the MSFC page 12 3 Configuring IPX InterVLAN Routing on the MSFC page 12 3 Configuring AppleTalk InterVLAN Routing on the MSFC page 12 4 Configuring MSFC Features page 12 4 M...

Page 215: ...figuration command to specify the networks to route Refer to the documentation for your router platform for detailed information on configuring routing protocols Router config router ip_routing_protocol Step 3 Specify a VLAN interface on the MSFC Router config interface vlan id Step 4 Assign an IP address to the VLAN Router config if ip address n n n n mask Step 5 Exit configuration mode Router co...

Page 216: ...LAN interface and assign the interface an AppleTalk cable range and zone name Router configure terminal Enter configuration commands one per line End with CNTL Z Router config appletalk routing Router config interface vlan100 Router config if appletalk cable range 100 100 Router config if appletalk zone Engineering Router config if Z Router Configuring MSFC Features These sections describe feature...

Page 217: ...GRE You can configure a directly connected Cache Engine to negotiate use of WCCP Layer 2 redirection WCCP Layer 2 redirection requires no configuration on the MSFC Enter the show ip wccp web cache detail command to display which redirection method is in use for each cache Follow these guidelines when using this feature WCCP Layer 2 redirection feature sets the IP flow mask to full flow mode You ca...

Page 218: ...tEthernet0 0 0 200 interface is not auto stated if any of these configuration errors are made VLAN 200 is not configured on the switch Trunking is not configured on the corresponding Gigabit Ethernet switch port Trunking is configured but VLAN 200 is not an allowed VLAN on that trunk Displaying the Auto State Configuration To display the current line protocol state determination for the MSM perfor...

Page 219: ...ble set msmautostate disable MSM port auto state disabled Console enable To disable the line protocol state determination of the MSFC perform this task in privileged mode Note If you toggle enable to disable and or disable to enable the msfcautostate command you might have to use the shutdown and no shutdown commands to disable and then restart the VLAN and WAN interfaces on the MSFC to bring them...

Page 220: ...12 8 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 12 Configuring InterVLAN Routing Configuring InterVLAN Routing on the MSFC ...

Page 221: ... 3 Switching Works page 13 1 Default CEF for PFC2 Configuration page 13 10 CEF for PFC2 Configuration Guidelines and Restrictions page 13 11 Configuring CEF for PFC2 page 13 12 Configuring NetFlow Statistics page 13 22 Note Supervisor Engine 1 with the PFC1 and the MSFC or MSFC2 provide Layer 3 switching with Multilayer Switching MLS See Chapter 14 Configuring MLS for more information Note To conf...

Page 222: ...DE Note Traffic is Layer 3 switched after being processed by the VLAN access control list VACL feature and the quality of service QoS feature Understanding Layer 3 Switched Packet Rewrite When a packet is Layer 3 switched from a source in one VLAN to a destination in another VLAN the switch performs a packet rewrite at the egress port based on information learned from the MSFC2 so that the packets...

Page 223: ...ted as follows After the switch rewrites an IP unicast packet it is conceptually formatted as follows Understanding IPX Unicast Rewrite Received IPX packets are conceptually formatted as follows After the switch rewrites an IPX packet it is conceptually formatted as follows Layer 2 Frame Header Layer 3 IP Header Data FCS Destination Source Destination Source TTL Checksum MSFC2 MAC Source A MAC Des...

Page 224: ...C2 works with CEF for unicast traffic and PIM for multicast traffic on the MSFC2 to support IP IP multicast and IPX traffic CEF and PIM on the MSFC2 are enhanced to support CEF for PFC2 CEF for PFC2 generates flow statistics for Layer 3 switched traffic that can be displayed at the CLI or used for NDE CEF for PFC2 provides Layer 3 switching for all packets that match a complete forwarding informat...

Page 225: ...tion about the entries used to make forwarding decisions CEF for PFC2 makes a forwarding decision for each packet and sends the rewrite information for each packet to the egress port where the rewrite occurs when the packet is transmitted from the switch Understanding the FIB The FIB resides in a separate TCAM The adjacency table is stored separately in DRAM The NetFlow table is stored separately ...

Page 226: ...ach FIB entry CEF for PFC2 stores Layer 2 information from the designated MSFC2 for adjacent nodes in the adjacency table Adjacent nodes are nodes that are directly connected at Layer 2 To forward traffic CEF for PFC2 selects a route from a FIB entry which points to an adjacency entry and uses the Layer 2 header for the adjacent node in the adjacency table entry to rewrite the packet during Layer ...

Page 227: ...e is the Layer 4 port numbers For partially switched flows all multicast traffic belonging to the flow reaches the MSFC and is software switched for any interface that is not Layer 3 switched Note All G flows are always partially Layer 3 switched The PFC prevents multicast traffic in flows that are completely Layer 3 switched from reaching the MSFC reducing the load on the MSFC The show ip mroute ...

Page 228: ...neering VLAN IPX address 02 Cc When Host A initiates a file transfer to Host C the PFC2 uses the information in the FIB and adjacency table to forward packets from Host A to Host C Source IP Address 171 59 1 2 171 59 1 2 Host A 171 59 1 2 Host B 171 59 3 1 Host C 171 59 2 2 171 59 2 2 171 59 1 2 171 59 2 2 Data 171 59 3 1 171 59 2 2 171 59 1 2 Dd Bb Dd Cc Dd Aa Marketing Engineering Sales Destinat...

Page 229: ... displayed with show commands and are also available to NetFlow Data Export NDE Note A NetFlow table with more than 32K entries increases the probability that there will be insufficient room to store statistics To reduce the number of entries in the NetFlow table you can exclude specified IP protocols from the statistics see the Excluding IP Protocol Entries from the NetFlow Table section on page ...

Page 230: ...ble entries are created CEF for PFC2 supports only one flow mask the most specific one for all statistics If CEF for PFC2 detects different flow masks from different MSFCs for which it is performing Layer 3 switching it changes its flow mask to the most specific flow mask detected When the flow mask changes the entire NetFlow table is purged When CEF for PFC2 exports cached entries flow records ar...

Page 231: ...ons For IP unicast Ethernet V2 0 ARPA 802 3 with 802 2 with 1 byte control SAP1 802 3 with 802 2 and SNAP For IPX Ethernet V2 0 ARPA 802 3 raw 802 2 with 1 byte control SAP1 SNAP Note When the ingress encapsulation for IPX traffic is SAP1 CEF for PFC2 provides Layer 3 switching only when the egress encapsulation is also SAP1 The MSFC2 routes IPX SAP1 traffic that requires an encapsulation change F...

Page 232: ...ever packets in the flow that are not fragmented or that do not specify IP options are multilayer switched For source traffic received on tunnel interfaces such as MBONE traffic For any RPF interface with multicast tag switching enabled Configuring CEF for PFC2 These sections describe how to configure CEF for PFC2 Displaying Layer 3 Switching Entries on the Supervisor Engine page 13 12 Configuring...

Page 233: ...55 255 16 receive 21 2 0 5 255 255 255 255 16 receive 42 0 0 20 255 255 255 255 15 connected 43 0 0 0 255 0 0 0 15 drop 224 0 0 0 240 0 0 0 15 wildcard 0 0 0 0 0 0 0 0 Mod FIB Type Dest IPX net NextHop IPX Weight 15 connected 21 15 connected 44 15 connected 42 15 resolved 450 42 0050 3EA9 ABFD 1 15 resolved 480 42 0050 3EA9 ABFD 1 15 wildcard 0 Destination IP Source IP Prot DstPrt SrcPrt Destinati...

Page 234: ...4 Enabling IP PIM on an MSFC2 Interface page 13 15 Configuring the IP MMLS Global Threshold page 13 15 Enabling IP MMLS on MSFC Interfaces page 13 15 Note This section describes how to enable IP multicast routing on the MSFC2 For more detailed IP multicast configuration information refer to the IP Multicast section of the Cisco IOS IP and IP Routing Configuration Guide at http www cisco com univer...

Page 235: ...ticast flows such as join requests Note This command does not affect flows that are already being routed To apply the threshold to existing routes clear the route and let it reestablish To configure the IP MMLS threshold perform this task This example shows how to configure the IP MMLS threshold to 10 packets per second Router config mls ip multicast threshold 10 Router config Use the no keyword t...

Page 236: ...ying IP multicast information on the MSFC2 Displaying IP MMLS Interface Information page 13 16 Displaying the IP Multicast Routing Table page 13 17 Displaying IP Multicast Details page 13 17 Using Debug Commands page 13 19 Using Debug Commands on the SCP page 13 19 Displaying IP MMLS Interface Information The show ip pim interface count command displays the IP MMLS enable state on MSFC IP PIM inte...

Page 237: ... 80 0 0 2 Outgoing interface list Vlan10 Forward Dense 01 29 57 00 00 00 H 22 0 0 10 239 252 1 1 00 00 19 00 02 41 flags JT Incoming interface Vlan800 RPF nbr 80 0 0 2 RPF MFD Outgoing interface list Vlan10 Forward Dense 00 00 19 00 00 00 H Displaying IP Multicast Details The show mls ip multicast command displays detailed information about IP MMLS To display detailed MMLS information on the MSFC ...

Page 238: ...elete Ack 1 Input VLAN delete Ack 4 Output VLAN delete Ack 0 Group delete sent 0 Group delete Ack 0 Global delete sent 7 Global delete Ack 7 L2 entry not found error 0 Generic error 3 LTL entry not found error 0 MET entry not found error 0 L3 entry exists error 0 Hash collision error 0 L3 entry not found error 0 Complete flow exists error 0 This example shows how to display information on a specif...

Page 239: ...otocol SCP related debug commands to troubleshoot the SCP that runs over the Ethernet out of band channel EOBC Table 13 3 IP MMLS Debug Commands Command Description no debug mls ip multicast group group_id group_mask Configures filtering that applies to all other multicast debugging commands no debug mls ip multicast events Displays IP MMLS events no debug mls ip multicast errors Turns on debug me...

Page 240: ...tics for the MSFC2 Console enable show mls multicast statistics Router IP Router Name Router MAC 1 1 9 254 00 50 0f 06 3c a0 Transmit Delete Notifications 23 Acknowledgements 92 Flow Statistics 56 Receive Open Connection Requests 1 Keep Alive Messages 72 Shortcut Messages 19 Shortcut Install TLV 8 Selective Delete TLV 4 Group Delete TLV 0 Update TLV 3 Input VLAN Delete TLV 0 Output VLAN Delete TLV...

Page 241: ...ticast entry command displays a variety of information about the multicast flows being handled by the PFC You can display entries based on any combination of the participating MSFC2 the VLAN the multicast group address or the multicast traffic source To display information about IP multicast entries perform this task in privileged mode This example shows how to display all IP multicast entries Con...

Page 242: ...3 short Router IP Dest IP Source IP InVlan Pkts Bytes OutVlans 171 69 2 1 226 0 1 3 172 2 3 8 20 171 23512 10 201 22 45 171 69 2 1 226 0 1 3 172 3 4 9 12 25 3120 8 20 Total Entries 2 Console enable This example shows how to display IP multicast entries for a specific MSFC2 and a specific multicast source address Console enable show mls multicast entry 15 source 1 1 11 1 short Router IP Dest IP Sou...

Page 243: ... this task in privileged mode This example shows how to specify the entry aging time Console enable set mls agingtime 512 Multilayer switching agingtime IP and IPX set to 512 Console enable To specify the IP entry aging time perform this task in privileged mode This example shows how to specify the IP entry aging time Console enable set mls agingtime ip 512 Multilayer switching aging time IP set t...

Page 244: ...packets If you need to enable IP entry fast aging time initially set the value to 128 seconds If the NetFlow table remains full decrease the setting If the NetFlow table continues to remain full decrease the normal IP entry aging time Typical values for fastagingtime and pkt_threshold are 32 seconds and 0 packets no packets switched within 32 seconds after the entry is created To specify the IP en...

Page 245: ...to exclude Telnet traffic from the NetFlow table Console enable set mls exclude protocol tcp telnet NetFlow table will not create entries for TCP packets with protocol port 23 Note MLS exclusion only works in full flow mode Console enable Displaying NetFlow Statistics Note To display the forwarding decision entries enter the show mls entry cef command see the Displaying Layer 3 Switching Entries o...

Page 246: ...options are treated as wildcards If the protocol specified is not TCP or UDP set the src_port and dst_prt to 0 or no NetFlow statistics will display To display statistics for NetFlow table entries perform this task in privileged mode This example shows how to display NetFlow statistics for a particular NetFlow table entry Console show mls statistics entry ip destination 172 20 22 14 Last Used Dest...

Page 247: ...cified options are treated as wildcards TCP or UDP source and destination port numbers src_port and dst_port If the protocol you specify is TCP or UDP specify the source and destination TCP or UDP port numbers A value of zero 0 for src_port or dst_port is treated as a wildcard unspecified options are treated as wildcards For other protocols set the src_port and dst_port to 0 or no entries will cle...

Page 248: ...ts switched IP and IPX Total packets exported for NDE To clear NetFlow statistic totals perform this task in privileged mode This example shows how to clear NetFlow statistics totals Console enable clear mls statistics All mls statistics cleared Console enable Displaying NetFlow Statistics Debug Information The show mls debug command displays NetFlow statistics debug information that you can send ...

Page 249: ...g with Cisco Express Forwarding for PFC2 CEF for PFC2 See Chapter 13 Configuring CEF for PFC2 for more information Understanding How Layer 3 Switching Works Layer 3 switching allows the switch instead of a router to forward IP and IPX unicast traffic and IP multicast traffic between VLANs Layer 3 switching is implemented in hardware and provides wire speed interVLAN forwarding on the switch rather...

Page 250: ... MSFC to be routed to Destination B the switch recognizes that the packet was sent to the Layer 2 MAC address of the MSFC To perform Layer 3 switching the switch rewrites the Layer 2 frame header changing the Layer 2 destination address to the Layer 2 address of Destination B and the Layer 2 source address to the Layer 2 address of the MSFC The Layer 3 addresses remain the same In IP unicast and I...

Page 251: ...TL Checksum Destination B MAC MSFC MAC Destination B IP Source A IP n 1 calculation2 Layer 2 Frame Header Layer 3 IPX Header Data FCS Destination Source Checksum IPX Length Transport Control Destination Net Node Socket Source Net Node Socket MSFC MAC Source A MAC n Destination B IPX Source A IPX Layer 2 Frame Header Layer 3 IPX Header Data FCS Destination Source Checksum IPX Length Transport Contr...

Page 252: ...nversations or flows between users or applications MLS supports unicast and multicast flows A unicast flow can be any of the following All traffic to a particular destination All traffic from a particular source to a particular destination All traffic from a particular source to a particular destination that shares the same protocol and transport layer information A multicast flow is all traffic w...

Page 253: ... the MLS cache using information learned from the MSFC Whenever the MSFC receives traffic for a new multicast flow it updates its multicast routing table and forwards the new information to the PFC In addition if an entry in the multicast routing table ages out the MSFC deletes the entry and forwards the updated information to the PFC For each multicast flow cache entry the PFC maintains a list of...

Page 254: ...me fields in the flow record might not have values Unsupported fields are filled with a zero 0 The MLS flow masks are as follows destination ip The least specific flow mask The PFC maintains one MLS entry for each Layer 3 destination address All flows to a given Layer 3 destination address use this MLS entry destination ipx The only flow mask mode for IPX MLS is destination mode The PFC maintains ...

Page 255: ...e port and destination port fields display the details of the last packet that was Layer 3 switched using the MLS cache entry This example shows how the show mls entry command output appears in source destination ip mode Console enable show mls entry ip short Destination IP Source IP Prot DstPrt SrcPrt Destination Mac Vlan ESrc EDst SPort DPort Stat Pkts Stat Byte Uptime Age 171 69 200 234 171 69 ...

Page 256: ...nd is software switched for any interface that is not Layer 3 switched The PFC prevents multicast traffic in flows that are completely Layer 3 switched from reaching the MSFC reducing the load on the MSFC The show ip mroute and show mls ip multicast commands identify completely Layer 3 switched flows with the text string RPF MFD Multicast Fast Drop MFD indicates that from the perspective of the MS...

Page 257: ...wards the first packet from Host A through the switch to Host B The PFC uses this information to rewrite subsequent packets from Host A to Host B Similarly a separate IPX MLS entry is created in the MLS cache for the traffic from Host A to Host C and for the traffic from Host C to Host A The destination VLAN is stored as part of each IPX MLS entry so that the correct VLAN identifier is used when e...

Page 258: ...Marketing Engineering Sales Destination IPX Address Rewrite Src Dst MAC Address Destination VLAN MSFC Net 1 Sales 01 MAC Aa MAC Dd MAC Bb MAC Cc Net 3 Marketing 03 Net 2 Engineering 02 Aa Dd 01 Aa 02 Cc Data Dd Cc 25482 Host A Host B Host C Table 14 1 Default IP MLS Configuration Feature Default Value IP MLS enable state Enabled IP MLS aging time 256 seconds IP MLS fast aging time 0 seconds no fas...

Page 259: ...s Maximum Transmission Unit Size page 14 11 Restrictions on Using IP Routing Commands with IP MLS Enabled page 14 12 Maximum Transmission Unit Size The default maximum transmission unit MTU for IP MLS is 1500 To change the MTU on an IP MLS enabled interface enter the ip mtu mtu command Table 14 3 Default IP MMLS MSFC Configuration Feature Default Value Multicast routing Disabled globally IP PIM ro...

Page 260: ...er to use IP MMLS IP multicast flows are not multilayer switched if there is no entry in the Layer 2 multicast forwarding table for example if no Layer 2 multicast services are enabled or the forwarding table is full Enter the show multicast group command to check for a Layer 2 entry for a particular IP multicast destination If a Layer 2 entry is cleared the corresponding Layer 3 flow information ...

Page 261: ...ce or group is running IP PIM sparse mode If the shortest path tree SPT bit for the flow is cleared when running IP PIM sparse mode for the interface or group For fragmented IP packets and packets with IP options However packets in the flow that are not fragmented or that do not specify IP options are multilayer switched For source traffic received on tunnel interfaces such as MBONE traffic For an...

Page 262: ...ommands on the SCP page 14 16 For information on configuring routing on the MSFC see Chapter 12 Configuring InterVLAN Routing For information on configuring unicast Layer 3 switching on Supervisor Engine 1 see the Configuring MLS on Supervisor Engine 1 section on page 14 17 Note The MSFC can be specified as the MLS route processor MLS RP for Catalyst 5000 family switches using MLS Refer to the Lay...

Page 263: ...g interface vlan 100 Router config if mls ip Router config if This example shows how to enable IPX MLS on an MSFC interface Router config interface vlan 100 Router config if mls ipx Router config if Displaying MLS Information on the MSFC The show mls status command displays MLS details To display MLS information on the MSFC perform this task This example shows how to display MLS status on the MSFC...

Page 264: ...ugtrace of ip global purge events no debug l3 mgr all Turns on all Layer 3 manager debugging messages Table 14 7 MLS Debug Commands External Router Function Command Description no debug mls ip Turns on IP related events for MLS including route purging and changes of access lists and flow masks no debug mls ipx Turns on IPX related events for MLS including route purging and changes of access lists ...

Page 265: ...n page 14 28 For information on configuring VLANs on the switch see Chapter 11 Configuring VLANs For information on configuring MLS on the MSFC see the Configuring Unicast MLS on the MSFC section on page 14 14 Note When you disable IP or IPX MLS on the MSFC IP or IPX MLS is automatically disabled on Supervisor Engine 1 All existing protocol specific MLS cache entries are purged To disable MLS on t...

Page 266: ...vileged mode This example shows how to specify the IP MLS aging time Console enable set mls agingtime ip 512 Multilayer switching aging time IP set to 512 Console enable To specify the IPX MLS aging time perform this task in privileged mode This example shows how to specify the IPX MLS aging time Console enable set mls agingtime ipx 512 Multilayer switching aging time IPX set to 512 Console enable...

Page 267: ... within 32 seconds after the entry is created To specify the IP MLS fast aging time and packet threshold perform this task in privileged mode This example shows how to set the IP MLS fast aging time to 32 seconds with a packet threshold of 0 packets Console enable set mls agingtime fast 32 0 Multilayer switching fast aging time set to 32 seconds for entries with no more than 0 packets switched Con...

Page 268: ...splay CAM entries perform this task This example shows how to display the CAM entries Console show cam msfc VLAN Destination MAC Destination Ports or VCs Xtag Status 194 00 e0 f9 d1 2c 00R 7 1 2 H 193 00 00 0c 07 ac c1R 7 1 2 H 193 00 00 0c 07 ac 5dR 7 1 2 H 202 00 00 0c 07 ac caR 7 1 2 H 204 00 e0 f9 d1 2c 00R 7 1 2 H 195 00 e0 f9 d1 2c 00R 7 1 2 H 192 00 00 0c 07 ac c0R 7 1 2 H 192 00 e0 f9 d1 2...

Page 269: ...Netflow Data Export version 8 Netflow Data Export disabled Netflow Data Export port host is not configured Total packets exported 0 MSFC ID Module XTAG MAC Vlans 52 0 03 15 1 01 10 29 8a 0c 00 1 10 123 434 121 222 666 959 Console enable This example shows how to display IPX MLS information Console enable show mls ipx IPX Multilayer switching aging time 256 seconds IPX flow mask is Destination flow...

Page 270: ...entries see the Flow Mask Mode and show mls entry Command Output section on page 14 7 Displaying All MLS Entries To display all MLS entries IP and IPX perform this task in privileged mode This example shows how to display all MLS entries IP and IPX Console enable show mls entry short Destination IP Source IP Prot DstPrt SrcPrt Destination Mac Vlan ESrc EDst SPort DPort Stat Pkts Stat Bytes Created...

Page 271: ...on IP Source IP Prot DstPrt SrcPrt Destination Mac Vlan EDst ESrc DPort SPort Stat Pkts Stat Bytes Uptime Age MSFC 172 20 25 1 Module 15 172 20 22 14 00 60 70 6c fc 22 4 ARPA ARPA 5 39 5 40 115 5290 00 12 20 00 00 04 MSFC 172 20 27 1 Module 16 Total entries 1 Console enable Displaying IPX MLS Entries for a Specific IPX Destination Address To display IPX MLS entries for a specific destination IPX a...

Page 272: ...cp udp icmp or a decimal number for other protocol families The src_port and dst_port arguments specify the protocol ports if the protocol is TCP or User Datagram Protocol UDP A value of zero 0 for src_port dst_port or protocol is treated as a wildcard and all entries are displayed unspecified options are treated as wildcards If the protocol selected is not TCP or UDP set the src_port and dst_prt ...

Page 273: ...RPA ARPA 3937 181102 00 15 52 00 00 00 10 0000 0000 0109 00 00 00 00 01 09 10 ARPA ARPA 3 10 96364 4432744 00 15 52 00 00 00 11 0000 0000 4F10 00 00 00 00 4f 10 11 ARPA ARPA 7877 362342 00 15 53 00 00 00 11 0000 0000 CC10 00 00 00 00 cc 10 11 ARPA ARPA 3938 181148 00 15 53 00 00 00 11 0000 0000 5610 00 00 00 00 56 10 11 ARPA ARPA 7879 362434 00 15 53 00 00 00 11 0000 0000 D510 00 00 00 00 d5 10 11...

Page 274: ...and entries for all source or destination ports are cleared unspecified options are treated as wildcards For other protocols set the src_port and dst_port to 0 or no entries will clear To clear an MLS entry perform this task in privileged mode This example shows how to clear MLS entries with destination IP address 172 20 26 22 Console enable clear mls entry ip destination 172 20 26 22 MLS IP entry...

Page 275: ...for MLS cache entries Specify the destination IP address source IP address protocol and source and destination ports to see specific MLS cache entries A value of zero 0 for src_port or dst_port is treated as a wildcard and all statistics are displayed unspecified options are treated as wildcards If the protocol specified is not TCP or UDP set the src_port and dst_prt to 0 or no statistics will dis...

Page 276: ...lay MLS debug information perform this task Note The show tech support command displays supervisor engine system information Use application specific commands to get more information about particular applications Configuring IP MMLS These sections describe how to configure IP MMLS Configuring IP MMLS on the MSFC page 14 28 Displaying Global IP MMLS Information on the Supervisor Engine page 14 34 C...

Page 277: ...cast routing on the MSFC For more detailed IP multicast configuration information refer to the IP Multicast section of the Cisco IOS IP and IP Routing Configuration Guide at http www cisco com univercd cc td doc product software ios121 121cgcr ip_c ipcprt3 index htm Enabling IP Multicast Routing Globally You must enable IP multicast routing globally on the MSFC before you can enable IP MMLS on MSF...

Page 278: ...d perform this task This example shows how to configure the IP MMLS threshold to 10 packets per second Router config mls ip multicast threshold 10 Router config Use the no keyword to deconfigure the threshold Enabling IP MMLS on MSFC Interfaces IP MMLS is enabled by default on the MSFC interface when you enable IP PIM on the interface Perform this task only if you disabled IP MMLS on the interface...

Page 279: ...1 1 Router show ip mroute 239 252 1 1 IP Multicast Routing Table Flags D Dense S Sparse C Connected L Local P Pruned R RP bit set F Register flag T SPT bit set J Join SPT M MSDP created entry X Proxy Join Timer Running A Advertised via MSDP Outgoing interface flags H Hardware switched Timers Uptime Expires Interface state Interface Next Hop or VCD State Mode 239 252 1 1 04 04 59 00 02 59 RP 80 0 0...

Page 280: ...48 MLS Multicast statistics Flow install Ack 9 Flow install Nack 0 Flow update Ack 2 Flow update Nack 0 Flow delete Ack 0 Complete flow install Ack 10 Complete flow install Nack 0 Complete flow delete Ack 1 Input VLAN delete Ack 4 Output VLAN delete Ack 0 Group delete sent 0 Group delete Ack 0 Global delete sent 7 Global delete Ack 7 L2 entry not found error 0 Generic error 3 LTL entry not found e...

Page 281: ...1 1 Incoming interface Vlan11 Packets switched 62430 Hardware switched outgoing interfaces Vlan20 Vlan9 RFD MFD installed Vlan11 Total hardware switched installed 6 Router This example shows how to display a summary of IP MMLS information on the MSFC Router show mls ip multicast summary 7 MMLS entries using 560 bytes of memory Number of partial hardware switched flows 2 Number of complete hardware...

Page 282: ...d on Supervisor Engine 1 and cannot be disabled Note To configure IP MMLS on the MSFC see the Configuring IP MMLS on the MSFC section on page 14 28 Displaying IP MMLS Configuration Information The show mls multicast command displays global IP MMLS configuration information and the state of participating MSFCs To display global IP MMLS configuration information perform this task Table 14 10 SCP Deb...

Page 283: ...tics for multicast MSFCs perform this task This example shows how to display IP MMLS statistics for multicast MSFCs Console enable show mls multicast statistics Router IP Router Name Router MAC 1 1 9 254 00 50 0f 06 3c a0 Transmit Delete Notifications 23 Acknowledgements 92 Flow Statistics 56 Receive Open Connection Requests 1 Keep Alive Messages 72 Shortcut Messages 19 Shortcut Install TLV 8 Sele...

Page 284: ...multicast entry command displays a variety of information about the multicast flows being handled by the PFC You can display entries based on any combination of the participating MSFC the VLAN the multicast group address or the multicast traffic source To display information about IP MMLS entries perform this task in privileged mode This example shows how to display all IP MMLS entries Console ena...

Page 285: ...840 2756160 20 1 1 5 252 224 1 1 1 1 1 12 1 15840 2756160 20 Total Entries 5 Console enable This example shows how to display IP MMLS entries for a specific multicast group address Console enable show mls multicast entry group 226 0 1 3 short Router IP Dest IP Source IP InVlan Pkts Bytes OutVlans 171 69 2 1 226 0 1 3 172 2 3 8 20 171 23512 10 201 22 45 171 69 2 1 226 0 1 3 172 3 4 9 12 25 3120 8 2...

Page 286: ...14 38 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 14 Configuring MLS Configuring MLS ...

Page 287: ...scribe how NDE works Overview of NDE and Integrated Layer 3 Switching Management page 15 1 Traffic Statistics Data Collection page 15 2 Using NDE Filters page 15 3 Overview of NDE and Integrated Layer 3 Switching Management Catalyst 6000 family switches provide Layer 3 switching with Cisco Express Forwarding for Policy Feature Card 2 CEF for PFC2 or with Multilayer Switching MLS You can use NDE to...

Page 288: ... as the Cisco SwitchProbe and NetFlow FlowCollector gather and classify flows This flow information is then aggregated and fed to applications such as TrafficDirector NetSys or NetFlow Analyzer Traffic Statistics Data Collection An external data collector gathers flow entries from the statistics cache of one or more switches or Cisco routers The switch or router transmits data to the flow collecto...

Page 289: ...9 1 2 15 32 source 10 1 2 15 32 Netflow data export destination filter set to 9 1 2 15 32 Netflow data export source filter set to 10 1 2 15 32 Console enable Default NDE Configuration Table 15 1 shows the default NDE configuration Configuring NDE These sections describe how to configure NDE Usage Guidelines page 15 4 Specifying an NDE Collector page 15 4 Specifying an NDE Destination Address on t...

Page 290: ... need to decrease the MLS aging time because a full flow mask increases the number of flows per second For information on setting the flow mask see the Setting the Minimum IP MLS Flow Mask section on page 14 19 in Chapter 14 Configuring MLS Exclude entries with fewer packets per flow Some query protocols like Domain Name System DNS generate fewer packets per flow and can be excluded from the NetFl...

Page 291: ... on the MSFC The MSFC and the PFC use the NDE source address when sending statistics to the data collection application You configure the source address on the MSFC so the data collection application can aggregate export data from both the MSFC and the PFC for the same flow by entering the ip flow export source vlan command on the MSFC Note The ip flow export source vlan command is optional If you...

Page 292: ...Host Filter To specify a destination host filter perform this task in privileged mode This example shows how to specify a destination host filter so that only expired flows to host 171 69 194 140 are exported Console enable set mls nde flow destination 171 69 194 140 Netflow Data Export successfully set Destination filter is 171 69 194 140 255 255 255 255 Filter type include Console enable Specify...

Page 293: ...ted assuming the flow mask is set to ip flow Console enable set mls nde flow dst_port 23 Netflow Data Export successfully set Destination port filter is 23 Filter type include Console enable Specifying a Source Host and Destination TCP UDP Port Filter To specify a source host and destination TCP UDP port filter perform this task in privileged mode This example shows how to specify a source host an...

Page 294: ...tocols for statistics collection perform this task in privileged mode This example shows how to specify a protocol for statistics collection Console enable set mls statistics protocol 17 1934 Protocol 17 port 1934 is added to protocol statistics list Console enable Removing Protocols for Statistics Collection You can enter the clear mls statistics protocol protocol port all command to specify up t...

Page 295: ...le enable clear mls nde flow Netflow data export filter cleared Console enable Disabling NDE Note With Supervisor Engine 1 and a PFC if NDE is enabled and you disable MLS you lose the statistics for existing cache entries they are not exported To disable NDE on the switch perform this task in privileged mode This example shows how to disable NDE on the switch Console enable set mls nde disable Net...

Page 296: ... Configuration To display the NDE configuration on the switch perform this task in privileged mode This example shows how to display the NDE configuration on the switch Console enable show mls nde Netflow Data Export enabled Netflow Data Export configured for port 1098 on host 172 20 15 1 Source filter is 171 69 194 140 255 255 255 0 Destination port filter is 23 Total packets exported 26784 Conso...

Page 297: ...on VLANs page 16 7 Using Cisco IOS ACLs in your Network page 16 9 Using VACLs with Cisco IOS ACLs page 16 15 Using VACLs in your Network page 16 22 Unsupported Features page 16 27 Configuring VACLs page 16 28 Configuring and Storing VACLs and QoS ACLs in Flash Memory page 16 42 Configuring Policy Based Forwarding page 16 48 Note Except where specifically differentiated the information and procedur...

Page 298: ...ovide access control based on Layer 3 addresses for IP and IPX protocols Unsupported protocols are access controlled through MAC addresses A VACL is applied to all packets bridged and routed and can be configured on any VLAN interface Once a VACL is configured on a VLAN all packets routed or bridged entering the VLAN are checked against the VACL Packets can either enter the VLAN through a switch p...

Page 299: ...at are configured on a given interface and a direction As packets enter the router on a given interface Cisco IOS software examines ACLs that are associated with all inbound features that are configured on that interface for the following Inbound access control ACLs standard extended and or reflexive Encryption ACLs not supported on the MSFC Policy routing ACLs Network Address Translation NAT for ...

Page 300: ...n contain ACEs of only one type Each ACE contains a number of fields that are matched against the contents of a packet Each field can have an associated bit mask to indicate which bits are relevant An action is associated with each ACE that describes what the system should do with the packet when a match occurs The action is feature dependent Catalyst 6000 family switches support three types of AC...

Page 301: ...s are fragmented the first fragment hits this entry and is permitted fragments that have an offset other than 0 are also permitted as a default result for fragments permit tcp host 1 1 1 1 eq 68 host 2 2 2 2 eq 34 This example shows that the fragment that has offset 0 of the traffic from 1 1 1 1 port 68 going to 2 2 2 2 port 34 is denied The fragments that have an offset other than 0 are permitted...

Page 302: ...tall the global permit TCP or UDP fragments statement When you specify the fragment keyword for at least one ACE the software implicitly installs ACEs to permit flows to a specific IP address or subnet that you specify In this ACL example the deny tcp any host 10 1 1 2 fragment entry stops fragmented traffic going to all TCP ports on host 10 1 1 2 Later in the ACL the permit udp any host 10 1 1 2 ...

Page 303: ...Packets page 16 7 Routed Packets page 16 7 Multicast Packets page 16 8 Bridged Packets Figure 16 1 shows how an ACL is applied on bridged packets For bridged packets only Layer 2 ACLs are applied to the input VLAN Figure 16 1 Applying ACLs on Bridged Packets Routed Packets Figure 16 2 shows how ACLs are applied on routed Layer 3 switched packets For routed Layer 3 switched packets the ACLs are app...

Page 304: ... that need multicast expansion For packets that need multicast expansion the ACLs are applied in the following order 1 Packets that need multicast expansion a VACL for input VLAN b Input Cisco IOS ACL 2 Packets after multicast expansion a Output Cisco IOS ACL b VACL for output VLAN 3 Packets originating from router a VACL for output VLAN Catalyst 6500 series switches with MSFC Host B VLAN 20 Host ...

Page 305: ...ng IP Services chapter in the Network Protocols Configuration Guide Part 1 When a feature is configured on the router to process traffic such as NAT the Cisco IOS ACL associated with the feature determines the specific traffic that is bridged to the router instead of being Layer 3 switched The router then applies the feature and routes the packet normally Note that there are some exceptions to thi...

Page 306: ...e Handling of Cisco IOS ACLs with PFC2 page 16 12 Hardware and Software Handling of Cisco IOS ACLs with PFC This section describes hardware and software handling of Cisco IOS ACLs with the PFC Note For information on Cisco IOS ACLs with PFC2 see the Hardware and Software Handling of Cisco IOS ACLs with PFC2 section on page 16 12 ACL feature processing requires forwarding of some flows by the softw...

Page 307: ...in the software IPX extended input and output ACLs are supported in the hardware when the ACL parameters are IPX source network destination network destination node and or protocol type ACL flows requiring logging are handled in the software without impacting non log flow forwarding in the hardware Reflexive ACLs Up to 512 simultaneous reflexive sessions are supported in the hardware Note that whe...

Page 308: ...cy routing is applied in the hardware for all interfaces regardless of which interface was configured for policy routing WCCP HTTP requests subject to Web Cache Coordination Protocol WCCP redirection are handled in the software HTTP replies from the server and the Cache Engine are handled in the hardware NAT NAT required flows are handled in the software without impacting non NAT flow forwarding i...

Page 309: ...PF Check page 16 15 Bridge Groups page 16 15 Security Cisco IOS ACLs The IP and IPX security Cisco IOS ACLs with PFC2 are as follows If either the ip unreachables or ip redirect options are enabled most of the packets of the flows that match a deny statement in an ACL are dropped by the hardware only a few packets are processed in software in order for the router to send the appropriate ICMP unrea...

Page 310: ...which are permitted by the security ACL are sent to the software to apply the TCP intercept functionality This process occurs even if the security ACL does not have the SYN flag specified 2 If a connection is established successfully the following applies a If the TCP intercept is using intercept mode with timeout all traffic belonging to the given connection flow is handled in the software b For ...

Page 311: ... control both bridged and routed traffic you can use VACLs only or a combination of Cisco IOS ACLs and VACLs You can define Cisco IOS ACLs on both input and output routed VLAN interfaces and you can define a VACL to access control the bridged traffic If a flow matches a VACL deny or redirect clause in the ACL irrespective of the IOS ACL configuration the flow is denied or redirected The following ...

Page 312: ... Action page 16 16 Grouping Actions Together page 16 16 Limiting the Number of Actions page 16 16 Avoiding Layer 4 Port Information page 16 17 Estimating Merge Results page 16 17 Examples page 16 17 Using the Implicit Deny Action If possible use the implicit deny action at the end of an ACL deny any any and define ACEs to permit only allowed traffic You can achieve this same effect by defining all...

Page 313: ...uring ACLs you can get a rough estimate of the merge results for ACLs The following example uses ACL A ACL B and ACL C If ACL C is the result of merging ACL A and ACL B and you know the size of ACL A and ACL B you can estimate the upper limit of the size of ACL C when no Layer 4 port information has been specified on ACL A and ACL B as follows size of ACL C size of ACL A x size of ACL B x 2 If Lay...

Page 314: ...mit tcp any eq domain host 194 72 6 51 neq ftp 12 permit tcp any host 194 72 6 51 gt 1023 13 permit ip any host 1 1 1 1 IOS ACL 1 deny ip any host 239 255 255 255 2 permit ip any any MERGE has 78 entries Example 3 This example shows the VACL does not follow the recommended guidelines and the resultant merge significantly increases the number of ACEs VACL 1 deny ip 0 0 0 0 255 255 255 0 any 2 deny ...

Page 315: ... any lt 30 7 permit ip any any IOS ACL 1 permit ip 147 150 213 64 0 0 0 31 194 72 6 64 0 0 0 15 2 permit ip 147 150 213 64 0 0 0 31 194 72 6 160 0 0 0 15 3 permit ip 147 150 213 64 0 0 0 31 host 194 72 6 205 4 permit ip 147 151 77 0 0 0 0 255 194 72 6 64 0 0 0 15 5 permit ip 147 151 77 0 0 0 0 255 194 72 6 160 0 0 0 15 6 permit ip 147 151 77 0 0 0 0 255 194 72 6 208 0 0 0 15 7 permit ip 147 151 77...

Page 316: ...ns provide guidelines for specifying Layer 4 port operations Determining Layer 4 Operation Usage page 16 20 Determining Logical Operation Unit Usage page 16 21 Determining Layer 4 Operation Usage The switch hardware allows you to specify these types of operations gt greater than lt less than neq not equal eq equal range inclusive range We recommend that you do not specify more than nine different ...

Page 317: ... operations resource usage using the show security acl resource usage command Determining Logical Operation Unit Usage LOUs are registers that store operator operand couples All ACLs use LOUs There can be up to 32 LOUs each LOU can store two different operator operand couples with the exception of the range operator LOU usage per Layer 4 operation is as follows gt uses 1 2 LOU lt uses 1 2 LOU neq ...

Page 318: ...er VLAN page 16 25 Restricting ARP Traffic page 16 26 Configuring ACLs on Private VLANs page 16 26 Capturing Traffic Flows page 16 27 Wiring Closet Configuration In a wiring closet configuration Catalyst 6000 family switches might not be equipped with MSFCs routers In this configuration the switch can still support a VACL and a QoS ACL Suppose Host X and Host Y are in different VLANs and are conne...

Page 319: ...direct broadcast traffic to a specific server port perform this task in privileged mode TCP port 5000 is the intended server application port Note You could apply the same concept to direct broadcast traffic to a multicast destination by redirecting the traffic to a group of ports see Figure 16 5 Catalyst 6500 series switches with MSFC Switch A with PFC only Switch C with PFC only VACL deny http f...

Page 320: ...er and drop the other responses To restrict DHCP responses for a specific server perform this task in privileged mode the target DHCP server IP address is 1 2 3 4 Catalyst 6500 series switches with PFC Target server Host B Host A Host C VLAN 10 Application broadcast packet 26960 4 1 VACL Task Command Step 1 Permit a DHCP response from host 1 2 3 4 set security acl ip SERVER permit udp host 1 2 3 4...

Page 321: ...nd 10 1 1 8 in VLAN 10 should not have access To deny access to a server on another VLAN perform this task in privileged mode Catalyst 6500 series switches with PFC Target server Host B Host A Host C VLAN 10 DHCP response packets 26962 VACL 1 2 3 4 Task Command Step 1 Deny traffic from hosts in subnet 10 1 2 0 8 set security acl ip SERVER deny ip 10 1 2 0 0 0 0 255 host 10 1 1 100 Step 2 Deny traf...

Page 322: ... VLAN into sub VLANs secondary VLANs that can be either community VLANs or isolated VLANs In releases prior to software release 6 1 1 you could configure ACLs on a primary VLAN only and the ACL would then be applied to all the secondary VLANs In software release 6 1 1 and later releases ACLs can be applied as follows You can map VACLs to secondary VLANs or primary VLANs Cisco IOS ACLs that are map...

Page 323: ...ection lists ACL related features that are not supported or have limited support on the Catalyst 6000 family switches Non IP version 4 non IPX Cisco IOS ACLs The following types of Cisco IOS security ACLs cannot be enforced on the switch in the hardware the MSFC has to process the ACL in the software and this significantly degrades system performance Bridge group ACLs IP accounting Inbound and out...

Page 324: ...es See the Unsupported Features section on page 16 27 Note that a VACL has to be committed before you can map it to a VLAN There are no default VACLs and no default VACL to VLAN mappings Note that if there is no Cisco IOS ACL configured to deny traffic on a routed VLAN interface input or output and no VACL configured all traffic is permitted Note that the order of ACEs in an ACL is important A pac...

Page 325: ...e port VACL Configuration Summary To create a VACL and map it to a VLAN perform these steps Step 1 Enter the set security acl ip command to create a VACL and add ACEs Step 2 Enter the commit command to commit the VACL and its associated ACEs to NVRAM Step 3 Enter the set security acl map command to map the VACL to a VLAN Note An IP VACL is used in this description you can configure IPX and non IP ...

Page 326: ...ACL1 to allow traffic from all source addresses Console enable set security acl ip IPACL1 permit any IPACL1 editbuffer modified Use commit command to apply changes Console enable This example shows how to create an ACE for IPACL1 to block traffic from source address 171 3 8 2 Console enable set security acl ip IPACL1 deny host 171 3 8 2 IPACL1 editbuffer modified Use commit command to apply change...

Page 327: ... editbuffer modified Use commit command to apply changes Console enable This example shows how to create an ACE for IPACL2 to redirect IP traffic to port 3 1 from source address 1 2 3 4 with the destination address of 255 255 255 255 Note that host can be used as an abbreviation for a source and source wildcard of 0 0 0 0 This ACE also specifies the following precedence IP precedence values that r...

Page 328: ...reate an ACE for IPXACL1 to block all traffic with destination address 1 A 3 4 Console enable set security acl ipx IPXACL1 deny any any 1 A 3 4 IPXACL1 editbuffer modified Use commit command to apply changes Console enable This example shows how to create an ACE for IPXACL1 to redirect broadcast traffic to port 4 1 from source network 3456 Console enable set security acl ipx IPXACL1 redirect 4 1 a...

Page 329: ...ample shows how to create an ACE for IPXACL1 to allow traffic from all source addresses Console enable set security acl ipx IPXACL1 permit any any IPXACL1 editbuffer modified Use commit command to apply changes Console enable This example shows how to display the contents of the edit buffer Console enable show security acl info IPXACL1 editbuffer set security acl ipx IPXACL1 1 deny any 1234 2 perm...

Page 330: ... mac MACACL1 deny any host A B C D 1 2 MACACL1 editbuffer modified Use commit command to apply changes Console enable This example shows how to create an ACE for MACACL1 to allow traffic from all sources Console enable set security acl mac MACACL1 permit any any MACACL1 editbuffer modified Use commit command to apply changes Console enable This example shows how to display the contents of the edit...

Page 331: ...e shows how to commit a specific security ACL to NVRAM Console enable commit security acl IPACL2 ACL commit in progress ACL IPACL2 is committed to hardware Console enable Mapping a VACL to a VLAN You can map a VACL to a VLAN with the set security acl map command Note that there is no default ACL to VLAN mapping all VACLs need to be mapped to a VLAN To map a VACL to a VLAN perform this task in priv...

Page 332: ...uffer set security acl ip IPACL1 1 deny A 2 deny ip B any 3 deny C 4 deny D 5 permit any Console enable Showing VACL to VLAN Mapping You can display VACL to VLAN mapping for a specified ACL or VLAN with the show security acl map command To show VACL to VLAN mapping perform this task in privileged mode This example shows how to show the mappings of a specific VACL Console enable show security acl m...

Page 333: ...om a security ACL perform this task in privileged mode This example shows how to remove ACEs from all the ACLs Console enable clear security acl all All editbuffers modified Use commit command to apply changes Console enable This example shows how to remove a specific ACE from a specific ACL Console enable clear security acl IPACL1 2 IPACL1 editbuffer modified Use commit command to apply changes C...

Page 334: ...nformation Console enable show security acl resource usage ACL resource usage ACL storage mask value 0 29 0 10 ACL to switch interface mapping table 0 39 ACL layer 4 port operators 0 0 Console enable Capturing Traffic Flows on Specified Ports You can use the capture option in the set security acl ip ipx and mac commands to specify that packets that match the specified flows are captured and transm...

Page 335: ...he VACL If you want to capture traffic from one VLAN going to many VLANs the capture port has to be a trunk carrying all output VLANs For bridged traffic because all the traffic remains in the same VLAN ensure that the capture port is in the same VLAN as the bridged traffic To capture traffic you can configure one ACL and map it to a group of VLANs or you can configure a number of ACLs and map eac...

Page 336: ...ture Ports 1 2 2 2 Console enable Configuring VACL Logging Note This feature is only available with Supervisor Engine 2 with Layer 3 Switching Engine II PFC2 You can log messages about denied packets for the standard IP access list by entering the log keyword for deny VACLs That is any packet that matches the access list will cause an informational logging message about the packet to be sent to th...

Page 337: ...figuration is over the range the command is discarded and the range is displayed on the console Valid values are from 500 to 5000 the default value is 2500 Note If the redirect rate is over the pps range the command is dropped and the range is displayed on the console Messages are not logged for these packets Step 4 Enter the set security acl ip acl_name deny log command to create an IP VACL and e...

Page 338: ...00 Jul 19 01 25 06 ACL 6 VACLLOG VLAN 1 Port 2 2 denied ip tcp 21 0 0 1 2000 255 255 255 255 3000 1 packets This example shows how to display the flow information in the log table Console enable show security acl log flow ip any any Total matched entry number 1 Entry No 1 IP Packet Vlan Number 1 Mod Port Number 2 1 Source IP address 21 0 0 1 Destination IP address 255 255 255 255 TCP Source port 2...

Page 339: ...d from NVRAM and the ACL configuration is automatically moved to Flash memory When this occurs these syslog messages display 1999 Sep 01 17 00 00 SYS 1 CFG_FLASH ACL configuration moved to bootflash switchapp cfg 1999 Sep 01 17 00 00 SYS 1 CFG_ACL_DEALLOC NVRAM full Qos Security ACL configuration deleted from NVRAM The VACL and QoS ACL configuration has now been successfully moved to Flash memory ...

Page 340: ...VRAM configuration or be appended to what is currently in NVRAM Console enable set boot config register auto config append Configuration register is 0x12F ignore config disabled auto config recurring append sync disabled console baud 9600 boot image specified by the boot system commands Console enable Step 4 Specify if synchronization should be enabled or disabled With synchronization enabled the ...

Page 341: ...uration to revert to the default Note If you cannot write the configuration to Flash memory you must copy the configuration to a file make additional room available in Flash memory and then try to write the VACL and QoS ACL configuration to Flash memory At system startup if the VACL and QoS ACL configuration location is set to Flash memory but either the CONFIG_FILE variable is not set or none of ...

Page 342: ...ter a supervisor engine switchover the VACL and QoS ACL configuration on the standby supervisor engine is consistent with what was on the active supervisor engine just as in the case where the VACL and QoS ACL configuration is saved in NVRAM The only difference is that the data is stored in DRAM but the functional behavior of a switchover does not change Configuring Policy Based Forwarding The pol...

Page 343: ... VACLs on both VLANs that participate in PBF When the packet from the source VLAN comes into the PFC2 it hits the PBF VACL Based on the information provided in the adjacency table the packet header is rewritten destination VLAN and source and destination MAC addresses and the packet is forwarded to the destination VLAN The packets are forwarded between VLANs only if they hit the VACL entries that ...

Page 344: ...ck Adjacency Table Entries in the Edit Buffer page 16 53 Configuring Hosts for PBF page 16 53 Figure 16 8 Policy Based Forwarding Enabling PBF and Specifying a MAC Address for the PFC2 Note The MAC address can be a default or user specified MAC address The default MAC address is taken from a MAC address PROM on the Catalyst 6000 family switch chassis When specifying a MAC address using the set pbf...

Page 345: ... PBF committed successfully Operation successful Console enable Console enable show pbf Pbf status Mac address ok 00 01 64 61 39 c2 Console enable This example shows how to enable PBF with a specific MAC address Console enable set pbf mac 00 11 11 11 11 11 PBF committed successfully Operation successful Console enable Console enable show pbf Pbf status Mac address ok 00 11 11 11 11 11 Console enab...

Page 346: ...s the system defaults to the PBF MAC address Note You can configure a maximum of 256 adjacency table entries for a VLAN The maximum number of adjacency table entries is 1023 Note To enable jumbo frame forwarding using PBF enter the mtu keyword in the set security acl adjacency command The order of entries in a PBF VACL is important The adjacency table entry has to be defined in the VACL before the...

Page 347: ... successfully committed Console enable commit security acl IPACL1 ACL commit in progress ACL IPACL1 successfully committed Console enable set security acl map IPACL1 10 Mapping in progress ACL IPACL1 successfully mapped to VLAN 10 Console enable This example shows how to create the PBF VACL for VLAN 11 see Figure 16 8 Console enable set security acl adjacency ADJ2 10 00 00 00 00 00 0A ADJ2 editbuf...

Page 348: ...0 00 0a 00 00 00 00 00 0b 0x00000000 ADJ1 2 10 00 00 00 00 00 0a 00 00 00 00 00 0b 0x00000000 ADJ2 Console show pbf map Adjacency ACL ADJ1 IPACL1 ADJ2 IPACL2 Console enable Clearing Entries in PBF VACLs The adjacency table entry cannot be cleared before the redirect ACE You should clear the redirect ACE and the adjacency table entry in PBF VACLs in the following order 1 Clear the redirect ACE 2 Co...

Page 349: ...e Adjacency committed successfully Commit operation in progress Console enable Rolling Back Adjacency Table Entries in the Edit Buffer You can clear adjacency table entries in the edit buffer that were made prior to the last commit by using the rollback command The adjacency table entries are rolled back to their state at the last commit To roll back the adjacency table entries in the edit buffer ...

Page 350: ...ach Sun Workstation that participates in PBF Each static ARP entry must point to the PBF MAC address that is mapped to the destination host You must also configure the Sun Workstation to have a gateway If the Sun Workstation needs to communicate to a different network you must define the host routes for all networks that go through PBF and if required you must define a default gateway For example ...

Page 351: ... of the startup scripts You can create the file in a directory that has full permissions for the root superuser set a soft link pointing to that file in etc rc2 d or create the file in the etc rc2 d directory itself MS Windows NT 2000 Hosts Similar to Sun Workstations setup you must also set static ARP entries on Windows based PCs For Windows based PCs you do not need to set up any dummy gateways ...

Page 352: ... 20 23 ip1 set security acl ip ip1 permit arp set security acl ip ip1 redirect a_1 ip host 44 0 0 1 host 43 0 0 1 set security acl ip ip1 redirect a_2 ip host 44 0 0 2 host 43 0 0 2 set security acl ip ip1 redirect a_3 ip host 44 0 0 3 host 43 0 0 3 set security acl ip ip1 redirect a_4 ip host 44 0 0 4 host 43 0 0 4 set security acl ip ip1 permit ip any any ip2 set security acl ip ip2 permit arp s...

Page 353: ...0 20 28 6 17 ALL 1 00 20 20 20 20 2f 6 17 ALL 1 00 20 20 20 20 2e 6 17 ALL 1 00 20 20 20 20 2d 6 17 ALL 1 00 20 20 20 20 2c 6 17 ALL Total Matching CAM Entries Displayed for 6 17 16 for port 6 9 vlan 2 This example shows how to display MAC addresses learned by the switch for port 6 9 on VLAN 2 Console enable show cam dynamic 6 9 Static Entry Permanent Entry System Entry R Router Entry X Port Secur...

Page 354: ... the PBF statistics Console enable show pbf statistics Index DstVlan DstMac SrcMac HitCount hex Name 1 2 00 0a 0a 0a 0a 0a 00 11 22 33 44 55 0x00026d7c a_1 2 2 00 0a 0a 0a 0a 0b 00 11 22 33 44 55 0x00026d83 a_2 3 2 00 0a 0a 0a 0a 0c 00 11 22 33 44 55 0x00026d89 a_3 4 2 00 0a 0a 0a 0a 0d 00 11 22 33 44 55 0x00026d90 a_4 5 1 00 20 20 20 20 20 00 11 22 33 44 55 0x000260e3 b_1 6 1 00 20 20 20 20 21 00...

Page 355: ...tanding How GVRP Works page 17 1 Default GVRP Configuration page 17 2 GVRP Configuration Guidelines page 17 2 Configuring GVRP page 17 2 Note GVRP requires supervisor engine software release 5 2 or later releases Understanding How GVRP Works GVRP is a GARP application that provides IEEE 802 1Q compliant VLAN pruning and dynamic VLAN creation on 802 1Q trunk ports With GVRP the switch can exchange ...

Page 356: ...configure GVRP Enabling GVRP Globally page 17 3 Enabling GVRP on Individual 802 1Q Trunk Ports page 17 3 Enabling GVRP Dynamic VLAN Creation page 17 4 Configuring GVRP Registration page 17 5 Configuring GVRP VLAN Declarations from Blocking Ports page 17 6 Setting the GARP Timers page 17 7 Displaying GVRP Statistics page 17 8 Clearing GVRP Statistics page 17 8 Disabling GVRP on Individual 802 1Q Tr...

Page 357: ... VLAN creation is disabled GVRP Timers milliseconds Join 200 Leave 600 LeaveAll 10000 Port based GVRP Configuration Port GVRP Status Registration 2 1 2 3 1 8 7 1 24 8 1 24 Enabled Normal GVRP Participants running on 3 7 8 Console Enabling GVRP on Individual 802 1Q Trunk Ports Note You can change the per trunk GVRP configuration regardless of whether GVRP is enabled globally However GVRP will not f...

Page 358: ...GVRP on a trunk port running GVRP If any port on the switch becomes an Inter Switch Link ISL trunk either by CLI configuration or negotiated using DTP while dynamic VLAN creation is enabled dynamic VLAN creation is disabled automatically until the conditions for enabling dynamic VLAN creation are restored Note VLANs can only be created dynamically on 802 1Q trunks in the normal registration mode N...

Page 359: ...trunk port Console enable set gvrp registration normal 1 1 Registrar Administrative Control set to normal on port 1 1 Console enable Configuring GVRP Fixed Registration Configuring an 802 1Q trunk port in fixed registration mode allows manual creation and registration of VLANs prevents VLAN deregistration and registers all VLANs known on other ports on the trunk port To configure GVRP fixed regist...

Page 360: ...the port Ports in the GVRP active applicant state send GVRP VLAN declarations when they are in the STP blocking state which prevents the STP bridge protocol data units BPDUs from being pruned from the other port Note Configuring fixed registration on the other device s port also prevents undesirable STP topology reconfiguration To configure an 802 1Q trunk port to send VLAN declarations when in th...

Page 361: ...d you attempt to configure the join timer to 350 ms an error is returned Set the leave timer to at least 1050 ms and then set the join timer to 350 ms Caution Set the same GARP timer values on all Layer 2 connected devices If the GARP timers are set differently on Layer 2 connected devices GARP applications for example GMRP and GVRP do not operate successfully To set the GARP timer values perform ...

Page 362: ...ed 0 Leave All Transmitted 41 VTP Message Received 0 Console enable Clearing GVRP Statistics To clear all GVRP statistics on the switch perform this task in privileged mode This example shows how to clear all GVRP statistics on the switch Console enable clear gvrp statistics all GVRP Statistics cleared for all ports Console enable Disabling GVRP on Individual 802 1Q Trunk Ports To disable GVRP on ...

Page 363: ...n 802 1Q trunk port 1 1 Console enable set gvrp disable 1 1 GVRP disabled on 1 1 Console enable Disabling GVRP Globally To disable GVRP globally on the switch perform this task in privileged mode This example shows how to disable GVRP globally on the switch Console enable set gvrp disable GVRP disabled Console enable Task Command Disable GVRP on the switch set gvrp disable ...

Page 364: ...17 10 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 17 Configuring GVRP Configuring GVRP ...

Page 365: ...embership with VMPS Configuration Examples page 18 9 Dynamic Port VLAN Membership with Auxiliary VLANs page 18 12 Understanding How VMPS Works With VMPS you can assign switch ports to VLANs dynamically based on the source Media Access Control MAC address of the device connected to the port When you move a host from a port on one switch in the network to a port on another switch in the network the ...

Page 366: ...VMPS sends an access denied or port shutdown response A dynamic port can belong to only one native VLAN in software releases prior to release 6 2 1 with software release 6 2 1 a port can belong to a native VLAN and an auxiliary VLAN See the Dynamic Port VLAN Membership with Auxiliary VLANs section on page 18 12 for complete details When the link comes up a dynamic port is isolated from its static ...

Page 367: ... host on the dynamic port after a certain period Static secure ports cannot become dynamic ports You must turn off security on the static secure port before it can become dynamic Static ports that are trunking cannot become dynamic ports You must turn off trunking on the trunk port before changing it from static to dynamic Note The VTP management domain and the management VLAN of VMPS clients and ...

Page 368: ...connected host is not defined in the database Define the MAC address to VLAN name mappings Enter the MAC address of each host and the VLAN to which each should belong Use the NONE keyword as the VLAN name to deny the specified host network connectivity A port is identified by the IP address of the switch and the module port number of the port in the form mod port Define port groups A port group is...

Page 369: ... to continue y n n y Vlan Membership Policy Server disabled Console enable Configuring Dynamic Ports on VMPS Clients To configure dynamic ports on VMPS client switches perform this task in privileged mode Task Command Step 1 Specify the download method set vmps downloadmethod rcp tftp username Step 2 Configure the IP address of the TFTP or rcp server on which the ASCII text VMPS database configura...

Page 370: ...namic Console show port Port Name Status Vlan Level Duplex Speed Type 1 1 connect dyn 3 normal full 100 100 BASE TX 1 2 connect trunk normal half 100 100 BASE TX 2 1 connect trunk normal full 155 OC3 MMF ATM 3 1 connect dyn 5 normal half 10 10 BASE T 3 2 connect dyn 5 normal half 10 10 BASE T 3 3 connect dyn 5 normal half 10 10 BASE T Console enable Note The show port command displays dyn under th...

Page 371: ...ged database configuration file or retry after a failed download attempt perform this task in privileged mode Configuring Static VLAN Port Membership To return a port to static VLAN port membership perform this task in privileged mode Task Command Clear VMPS statistics clear vmps statistics Task Command Clear a VMPS server entry clear vmps server ip_addr Task Command Step 1 Reconfirm dynamic port ...

Page 372: ... information on VMPS parsing errors set the syslog level for VMPS to 3 using the set logging level vmps 3 command Troubleshooting Dynamic Port VLAN Membership A dynamic port might shut down under these circumstances VMPS is in secure mode and it is illegal for the host to connect to the port The port shuts down to prevent the host from connecting to the network More than 50 active hosts reside on ...

Page 373: ...e security mode is open The default is used for the fallback VLAN MAC address to VLAN name mappings The MAC address of each host and the VLAN to which each host belongs is defined Port groups are defined VLAN groups are defined VLAN port policies are defined for the ports associated with restricted VLANs VMPS File Format version 1 1 Always begin the configuration file with the word VMPS vmps domai...

Page 374: ...ies vmps port policies vlan name vlan_name vlan group group name port group group name device device id port port name vmps port policies vlan group Engineering port group WiringCloset1 vmps port policies vlan name Green device 198 92 30 32 port 4 8 vmps port policies vlan name Purple device 198 4 254 22 port 1 2 port group Executive Row Dynamic Port VLAN Membership Configuration Example Figure 18...

Page 375: ... Primary VMPS Server 1 Secondary VMPS Server 2 Secondary VMPS Server 3 Catalyst 6500 series switches Catalyst 6000 172 20 26 150 172 20 26 151 Catalyst 6500 series switches 172 20 26 152 Ethernet segment 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 172 20 26 157 172 20 26 158 172 20 26 159 Client Client End station 2 End station 1 TFTP server 3 1 Switch 10 Switch 9 Switch 8 Switch 7 Swi...

Page 376: ...e set vmps server 172 20 26 159 c Verify the VMPS server addresses Console enable show vmps server Step 3 Configure port 3 1 on Switch 2 as dynamic Console enable set port membership 3 1 dynamic Step 4 Connect End Station 2 on port 3 1 When End Station 2 sends a packet Switch 2 sends a query to the primary VMPS server Switch 1 Switch 1 responds with the VLAN to assign to port 3 1 Because spanning ...

Page 377: ...AN ID is dynamic for the PC connected to the access port of the IP phone Configuration of the auxiliary VLAN ID is not dynamic you need to configure it manually As the auxiliary VLAN ID is manually configured the VMPS server is queried for packets coming from the PC not for packets coming from the IP phone All packets except Cisco Discovery Protocol CDP packets from the IP phone are tagged with th...

Page 378: ...Console enable This example shows how to specify port 5 9 as a dynamic port Console enable set port membership 5 9 dynamic Warning Auxiliary Vlan set to dot1p untagged on dynamic port VMPS will be queried for IP phones Port 5 9 vlan assignment set to dynamic Spantree port fast start option enabled for ports 5 9 Console enable This example shows that the auxiliary VLAN ID specified cannot be the sa...

Page 379: ...ge 19 2 Checking Port Capabilities page 19 4 Using Telnet page 19 4 Using Secure Shell Encryption for Telnet Sessions page 19 5 Monitoring User Sessions page 19 6 Using Ping page 19 7 Using Layer 2 Traceroute page 19 9 Using IP Traceroute page 19 10 Checking Module Status Catalyst 6000 family switches are multimodule systems You can see what modules are installed as well as the MAC address ranges ...

Page 380: ... 5 2 1 CSX 5 00 50 f0 ac 30 54 to 00 50 f0 ac 30 83 1 0 4 2 0 24 V 5 2 1 CSX Mod Sub Type Sub Model Sub Serial Sub Hw 1 L2 Switching Engine I WS F6020 SAD03040312 1 0 Console enable This example shows how to check module status on a specific module Console enable show module 4 Mod Slot Ports Module Type Model Status 4 4 48 10 100BaseTX Telco WS X6248 TEL ok Mod Module Name Serial Num 4 SAD03140787...

Page 381: ... 1 desired off off off 0 0 1 2 desired off off off 0 0 Port Status Channel Admin Ch Neighbor Neighbor Mode Group Id Device Port 1 1 connected auto 65 0 1 2 notconnect auto 65 0 Port Align Err FCS Err Xmit Err Rcv Err UnderSize 1 1 0 0 0 0 0 1 2 0 0 0 0 0 Port Single Col Multi Coll Late Coll Excess Col Carri Sen Runts Giants 1 1 0 0 0 0 0 0 0 1 2 0 0 0 0 0 0 0 Last Time Cleared Tue Jun 8 1999 10 01...

Page 382: ... example shows you how to display the port capabilities for switch ports Console enable show port capabilities 1 1 Model WS X6K SUP1A 2GE Port 1 1 Type No Connector Speed 1000 Duplex full Trunk encap type 802 1Q ISL Trunk mode on off desirable auto nonegotiate Channel yes Broadcast suppression percentage 0 100 Flow control receive off on desired send off on desired Security yes Membership static d...

Page 383: ...ovides security for Telnet sessions to the switch Secure Shell encryption is supported for remote logins to the switch only Telnet sessions initiated from the switch cannot be encrypted To use this feature you must install the application on the client accessing the switch and you must configure Secure Shell encryption on the switch The current implementation of Secure Shell encryption supports SS...

Page 384: ...hentication is enabled for console and Telnet sessions the asterisk indicates the current session Console enable show users Session User Location console telnet sam pc bigcorp com telnet jake mac bigcorp com Console enable This example shows the output of the show users command when TACACS authentication is enabled for console and Telnet sessions Console enable show users Session User Location con...

Page 385: ...ibe how to use IP ping Understanding How Ping Works page 19 7 Executing Ping page 19 8 Understanding How Ping Works You can use IP ping to test connectivity to remote hosts If you attempt to ping a host in a different IP subnetwork you must define a static route to the network or configure a router to route between those subnets The ping command is configurable from normal executive and privileged...

Page 386: ...tasks in normal or privileged mode This example shows how to ping a remote host from normal executive mode Console ping labsparc labsparc is alive Console ping 72 16 10 3 12 16 10 3 is alive Console This example shows how to ping a remote host using the ping s option Console ping s 12 20 5 3 800 10 PING 12 20 2 3 800 data bytes 808 bytes from 12 20 2 3 icmp_seq 0 time 2 ms 808 bytes from 12 20 2 3...

Page 387: ...er 2 Path page 19 10 Layer 2 Traceroute Usage Guidelines Follow these guidelines for using the Layer 2 Traceroute utility The Layer 2 Traceroute utility works for unicast traffic only You must enable CDP on all of the Catalyst 5000 and 6000 family switches in the network See Chapter 29 Configuring CDP for information about enabling CDP If any devices in the path are transparent to CDP l2trace will...

Page 388: ...The command output displays all network layer Layer 3 devices such as routers that the traffic passes through on the way to the destination These sections describe how to use IP Traceroute Understanding How IP Traceroute Works page 19 10 Executing IP Traceroute page 19 11 Understanding How IP Traceroute Works The traceroute command uses the Time To Live TTL field in the IP header to cause routers ...

Page 389: ...Executing IP Traceroute To trace the path that packets take through the network perform this task in privileged mode This example shows how to use the traceroute command Console enable traceroute 10 1 1 100 traceroute to 10 1 1 100 10 1 1 100 30 hops max 40 byte packets 1 10 1 1 1 10 1 1 1 1 ms 2 ms 1 ms 2 10 1 1 100 10 1 1 100 2 ms 2 ms 2 ms Console enable This example shows how to perform a trac...

Page 390: ...19 12 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 19 Checking Port Status and Connectivity Using IP Traceroute ...

Page 391: ... Aliases page 20 5 Defining IP Aliases page 20 6 Configuring Static Routes page 20 7 Configuring Permanent and Static ARP Entries page 20 8 Scheduling a System Reset page 20 9 Power Management page 20 11 Environmental Monitoring page 20 16 Displaying System Status Information for Technical Support page 20 17 Setting the System Name and System Prompt The system name on the switch is a user configur...

Page 392: ...ace using the command line interface CLI or Simple Network Management Protocol SNMP You configure a route using the set ip route command You clear the system name using the set system name command You enable DNS or specify DNS servers If the system name is user configured no DNS lookup is performed Setting the Static System Name and Prompt These sections describe how to set the static system name ...

Page 393: ...system contact and location to help you with resource management tasks To set the system contact and location perform this task in privileged mode This example shows how to set the system contact and location and verify the configuration Catalyst 6000 enable set system contact sysadmin corp com System contact set Catalyst 6000 enable set system location Sunnyvale CA System location set Catalyst 60...

Page 394: ...stem clock and display the current date and time Console enable set time Mon 06 15 98 12 30 00 Mon Jun 15 1998 12 30 00 Console enable show time Mon Jun 15 1998 12 30 02 Console enable Creating a Login Banner You can create a single or multiline message banner that appears on the screen when someone logs in to the switch The first character following the motd keyword is used to delimit the beginni...

Page 395: ... enable Defining Command Aliases You can use the set alias command to define command aliases shorthand versions of commands for frequently used or long and complex commands Command aliases can save you time and can help prevent typing errors when you are configuring or monitoring the switch The name argument defines the command alias The command and parameter arguments define the command to enter ...

Page 396: ...166 007243262 ok Mod MAC Address es Hw Fw Sw 8 00 60 2f 45 26 2f 2 0 1 3 51 1 103 Console enable sp8 Port Name Status Vlan Level Duplex Speed Type 8 1 notconnect trunk normal full 45 DS3 ATM 8 2 notconnect trunk normal full 45 DS3 ATM Port ifIndex 8 1 285 8 2 286 Use session command to see ATM counters Last Time Cleared Thu Sep 10 1998 16 56 08 Console enable Defining IP Aliases You can use the se...

Page 397: ...etwork address the IP address of the next hop router and the metric hop count for the route The destination IP network address can be variably subnetted to support Classless Interdomain Routing CIDR You can specify the subnet mask netmask for a destination network using the number of subnet bits or using the subnet mask in dotted decimal format If no subnet mask is specified the default classful m...

Page 398: ... set arp permanent command the ARP entry is retained even after a system reset Because most hosts support dynamic resolution you usually do not need to specify static or permanent ARP cache entries When a device does not respond to ARP requests you can configure an ARP entry to be statically or permanently entered into the ARP cache so that those devices can still be reached To configure a static ...

Page 399: ...port 8 1 on vlan 1 Console enable Scheduling a System Reset These sections describe how to schedule a system reset Scheduling a Reset at a Specific Time page 20 10 Scheduling a Reset Within a Specified Amount of Time page 20 10 You can use the schedule reset command to schedule a system to reset at a future time This feature allows you to upgrade software during business hours and schedule the sys...

Page 400: ...w to schedule a reset at a specific time and include a reason for the reset Console enable reset at 23 00 8 18 Software upgrade to 5 3 1 Reset scheduled at 23 00 00 Wed Aug 18 1999 Reset reason Software upgrade to 5 3 1 Proceed with scheduled reset y n n y Reset scheduled for 23 00 00 Wed Aug 18 1999 in 0 day 8 hours 39 minutes Console enable This example shows how to schedule a reset with a minim...

Page 401: ...mily switches allow you to mix AC input and DC input power supplies in the same chassis For detailed information on supported power supply configurations for each chassis refer to the Catalyst 6000 Family Installation Guide Catalyst 6000 family modules have different power requirements and depending upon the wattage of the power supply certain switch configurations might require more power than a ...

Page 402: ...undant to a redundant configuration both power supplies are initially enabled and if they are of the same wattage remain enabled If they are of different wattage a syslog message displays and the lower wattage supply is disabled Table 20 1 describes how the system responds to changes in the power supply configuration Table 20 1 Effects of Power Supply Configuration Changes Configuration Change Eff...

Page 403: ...m log and syslog messages are generated If the power supplies are of equal wattage there is no change in the module status because the power capability is unchanged If the power supplies are of unequal wattage and the lower wattage supply is removed there is no change in the module status If the power supplies are of unequal wattage and the higher wattage supply is removed and if there is not enou...

Page 404: ...ower Requirements Module Power Requirement Supervisor Engine 1 WS X6K SUP1A 2GE WS X6K SUP1 2GE 1 70A 1 70A Supervisor Engine 1 with PFC WS X6K SUP1A PFC 2 50A Supervisor Engine 1 with PFC and MSFC WS X6K SUP1A MSFC 3 30A Supervisor Engine 1 with PFC and MSFC2 WS X6K S1A MSFC2 2 90A Supervisor Engine 2 with PFC2 WS X6K S2 PFC2 3 06A Supervisor Engine 2 with PFC2 and MSFC2 WS X6K S2 MSFC2 3 46A MSF...

Page 405: ...M 8OC3 POS MM SI SL OSM 16OC3 POS MM SI SL OSM 10C48 POS SS SI SL OSM 4GE WAN GBIC 3 36A 4 78A 3 57A 5 09A 4 25A 3 59 Server load balancing WS X6066 SLB APG 3 00A 8 Port T1 E1 PSTN Interface WS X6608 T1 WS X6608 E1 1 98A 1 98A 24 Port FXS Analog Interface WS X6624 FXS 1 54A Cisco IP Phone 7960 when plugged into the WS X6348 RJ 45 and WS X6648 PWR modules 0 167A default 0 120A after bootup initiali...

Page 406: ...tus field Enter the show environment temperature all power command to display system status information Keyword descriptions follow temperature Optional Displays temperature information all Optional Displays environmental status for example power supply fan status and temperature information and information about the power available to the system power Optional Displays environmental power informa...

Page 407: ...the SYSTEM LED is red also syslog message and SNMP trap generated If redundancy system switches to redundant supervisor engine and the active supervisor engine shuts down If there is no redundancy and the overtemperature condition is not corrected the system shuts down after 5 minutes Supervisor engine temperature sensor exceeds minor threshold Minor STATUS LED orange syslog message and SNMP trap ...

Page 408: ... txt on 172 20 32 10 y n n y Finished network upload 67784 bytes Console enable Using System Dump Files The core dump and the stack dump features generate reports that contain status information about your switch Send images captured by the core dump or the stack dump to the Cisco TAC for analysis Enabling and Disabling the Core Dump A core dump produces a comprehensive report of images when your ...

Page 409: ...he system DRAM Make sure that you have enough memory available to store the core dump file Specifying the Core Image Filename Enter the set system core file command to specify the core image filename The default filename is slot0 crash hz This command automatically checks the validity of the device name that you input To specify the core image filename perform this task in privileged mode This exa...

Page 410: ...8 sp 80 00000002 000009E4 80110160 80110088 sp 90 82040670 80A71EB4 81F1E9F8 00000004 sp A0 00000000 81F25EAC 81FF5750 00000000 sp B0 00000000 00000000 81F1E314 800840BC sp C0 0000000B 80084EB0 00000001 8073A358 sp D0 00000003 0000000D 00000000 0000000A sp E0 00000020 00000000 800831B4 0000001A sp F0 00000000 00000000 00000000 000D84F0 Register content Status 3401FC23 Cause 00000024 AT 81640000 V0...

Page 411: ...iguring Authentication page 21 9 Authentication Example page 21 48 Understanding How Authorization Works page 21 49 Configuring Authorization page 21 51 Authorization Example page 21 55 Understanding How Accounting Works page 21 56 Configuring Accounting page 21 59 Accounting Example page 21 63 Understanding How Authentication Works These sections describe how the different authentication methods ...

Page 412: ...three the default to ten tries When a user reaches the set limit without successfully logging in SNMP traps and syslog messages are generated and the lockout restriction occurs Setting the login authentication to zero 0 disables the login limit checking If a user attempts to log in to privileged mode and fails the system disables execution of the enable command for the lockout period The lockout t...

Page 413: ...g functions These services while all part of TACACS are independent of one another so a given TACACS configuration can use any or all of the three services When the TACACS server receives the packet it does the following Authenticates the user information and notifies the client that authentication has either passed or failed Notifies the client that authentication will continue and that the clien...

Page 414: ...P ports of the RADIUS servers Specify the RADIUS key used to encrypt RADIUS packets Specify the RADIUS server timeout interval Specify the RADIUS retransmit count Specify the RADIUS server deadtime interval RADIUS authentication is disabled by default You can enable RADIUS authentication and other authentication methods at the same time You can specify which method to use first using the primary k...

Page 415: ...ros principal The Kerberos principal is who you are or what a service is according to the Kerberos server Also known as a Kerberos identity Kerberos realm A domain consisting of users hosts and network services that are registered to a Kerberos server The Kerberos server is trusted to verify the identity of a user or network service to another user or network service Kerberos realms must always be...

Page 416: ...ontains the user s identity and a message saying that it wants to Telnet to the switch This request is encrypted using the TGT 4 When the KDC successfully decrypts the service credential request with the TGT that it issued to the client it builds a service to the switch The service credential has the client s identity and the identity of the desired Telnet server The KDC then encrypts the credenti...

Page 417: ...ration time 4 The switch tries to decrypt the TGT with the password that you entered If the decryption is successful you are authenticated to the switch 5 If you want to access other network services the KDC must be contacted directly for authentication To obtain the TGT you can run the program kinit the client software provided with the Kerberos package Figure 21 2 shows the non Kerberized login ...

Page 418: ... server and authorizes the supplicant when instructed to do so by the authentication server Authentication server Entity that provides the authentication service for the authenticator PAE It checks the credentials of the supplicant PAE and then notifies its client the authenticator PAE whether the supplicant PAE is authorized to access the LAN switch services Authorized state Status of the port af...

Page 419: ...e hosts on a specific port Enable or disable system authentication control Specify quiet time interval Specify the authenticator to supplicant retransmission time interval Specify the back end authenticator to supplicant retransmission time interval Specify the back end authenticator to authentication server retransmission time interval Specify the number of frames retransmitted from the back end ...

Page 420: ...ntication console and Telnet Disabled RADIUS server IP address None specified RADIUS server UDP auth port Port 1812 RADIUS key None specified RADIUS server timeout 5 seconds RADIUS server deadtime 0 servers not marked dead RADIUS retransmit attempts 2 times Kerberos login authentication console and Telnet Disabled Kerberos enable authentication console and Telnet Disabled Kerberos server IP addres...

Page 421: ...server You cannot enable 802 1x on a secure port until you turn off the security feature on that port You cannot enable security on an 802 1x port 802 1x is only supported on Ethernet ports You cannot enable 802 1x on a trunk port until you turn off the trunking feature on that port You cannot enable trunking on an 802 1x port You cannot enable 802 1x on a dynamic port until you turn off the DVLAN...

Page 422: ...w authentication Login Authentication Console Session Telnet Session Http Session tacacs disabled disabled disabled radius disabled disabled disabled kerberos disabled disabled disabled local enabled primary enabled primary enabled primary attempt limit 5 5 lockout timeout sec 50 50 Enable Authentication Console Session Telnet Session Http Session tacacs disabled disabled disabled radius disabled ...

Page 423: ...t 5 5 lockout timeout sec 50 50 Enable Authentication Console Session Telnet Session Http Session tacacs disabled disabled disabled radius disabled disabled disabled kerberos disabled disabled disabled local enabled primary enabled primary enabled primary attempt limit 5 5 lockout timeout sec 50 50 Console enable Configuring Local Authentication These sections describe how to configure local authe...

Page 424: ...radius disabled disabled kerberos disabled disabled local enabled primary enabled primary Enable Authentication Console Session Telnet Session tacacs disabled disabled radius disabled disabled kerberos disabled disabled local enabled primary enabled primary Console enable Setting the Login Password The login password controls access to the user mode CLI Passwords are case sensitive contain up to 1...

Page 425: ...set the enable password for local authentication perform this task in privileged mode This example shows how to set the enable password on the switch Console enable set enablepass Enter old password old_password Enter new password new_password Retype new password new_password Password changed Console enable Disabling Local Authentication Caution Make sure that RADIUS or TACACS authentication is co...

Page 426: ...us enabled primary enabled primary kerberos disabled disabled local disabled disabled Console enable Recovering a Lost Password Use the following procedure to recover a lost local authentication password You must complete Steps 3 through 7 within 30 seconds of a power cycle or the recovery will fail If you lost both the login and enable passwords repeat the process for each password To recover a l...

Page 427: ...ecifying the TACACS Login Attempts page 21 20 Enabling TACACS Directed Request page 21 21 Disabling TACACS Directed Request page 21 21 Clearing TACACS Servers page 21 22 Clearing the TACACS Key page 21 22 Disabling TACACS Authentication page 21 23 Specifying TACACS Servers Specify one or more TACACS servers before you enable TACACS authentication on the switch The first server you specify is the p...

Page 428: ... If desired you can use the console and telnet keywords to specify that TACACS authentication be used only on console or Telnet connections If you are using both RADIUS and TACACS you can use the primary keyword to force the switch to try TACACS authentication first To enable TACACS authentication perform this task in privileged mode This example shows how to enable TACACS authentication for conso...

Page 429: ...ote If you configure a TACACS key on the client make sure you configure an identical key on the TACACS server To specify the TACACS key perform this task in privileged mode This example shows how to specify the TACACS key and verify the configuration Console enable set tacacs key Secret_TACACS_key The tacacs key has been set to Secret_TACACS_key Console enable show tacacs Tacacs key Secret_TACACS_...

Page 430: ... the TACACS Login Attempts You can specify the number of failed login attempts allowed To specify the number of login attempts allowed perform this task in privileged mode This example shows how to specify the number of login attempts and verify the configuration Console enable set tacacs attempts 5 Tacacs number of attempts set to 5 Console enable show tacacs Tacacs key Secret_TACACS_key Tacacs l...

Page 431: ...onsole enable set tacacs directedrequest enable Tacacs direct request has been enabled Console enable show tacacs Tacacs key Secret_TACACS_key Tacacs login attempts 5 Tacacs timeout 30 seconds Tacacs direct request enabled Tacacs Server Status 172 20 52 3 172 20 52 2 primary 172 20 52 10 Console enable Disabling TACACS Directed Request To disable TACACS directed request perform this task in privil...

Page 432: ...servers from the configuration Console enable clear tacacs server all All TACACS servers cleared Console enable Clearing the TACACS Key To clear the TACACS key perform this task in privileged mode This example shows how to clear the TACACS key Console enable clear tacacs key TACACS server key cleared Console enable Task Command Step 1 Specify the IP address of the TACACS server to clear from the c...

Page 433: ...bled local enabled primary enabled primary Enable Authentication Console Session Telnet Session tacacs disabled disabled radius disabled disabled local enabled primary enabled primary Console enable Configuring RADIUS Authentication These sections describe how to configure RADIUS authentication on the switch Specifying RADIUS Servers page 21 24 Specifying the RADIUS Key page 21 24 Enabling RADIUS ...

Page 434: ...ession tacacs disabled disabled radius disabled disabled local enabled primary enabled primary Radius Deadtime 0 minutes Radius Key Radius Retransmit 2 Radius Timeout 5 seconds Radius Server Status Auth port 172 20 52 3 primary 1812 Console enable Specifying the RADIUS Key Note If you specify a RADIUS key on the client make sure you specify an identical key on the RADIUS server The RADIUS key is u...

Page 435: ...l enabled enabled Radius Deadtime 0 minutes Radius Key Secret_RADIUS_key Radius Retransmit 2 Radius Timeout 5 seconds Radius Server Status Auth port 172 20 52 3 primary 1812 Console enable Enabling RADIUS Authentication Note Specify at least one RADIUS server before enabling RADIUS authentication on the switch For information on specifying a RADIUS server see the Specifying RADIUS Servers section ...

Page 436: ...nsole enable set authentication login radius enable radius login authentication set to enable for console and telnet session Console enable set authentication enable radius enable radius enable authentication set to enable for console and telnet session Console enable show authentication Login Authentication Console Session Telnet Session tacacs disabled disabled radius enabled primary enabled pri...

Page 437: ... radius enabled primary enabled primary local enabled enabled Radius Deadtime 0 minutes Radius Key Secret_RADIUS_key Radius Retransmit 2 Radius Timeout 10 seconds Radius Server Status Auth port 172 20 52 3 primary 1812 Console enable Specifying the RADIUS Retransmit Count You can specify the number of times the switch will attempt to contact a RADIUS server before the next configured server is tri...

Page 438: ...eadtime interval such as other users attempting to log in to the switch are not sent to a RADIUS server marked dead Configuring a deadtime speeds up the authentication process by eliminating timeouts and retransmissions to the dead RADIUS server If you configure only one RADIUS server or if all of the configured servers are marked dead the deadtime is ignored because there are no alternate servers...

Page 439: ...rvers from the configuration Console enable clear radius server all All radius servers cleared from radius server table Console enable Clearing the RADIUS Key To clear the RADIUS key perform this task in privileged mode This example shows how to clear the RADIUS key and verify the configuration Console enable clear radius key Radius key cleared Console enable show radius Login Authentication Conso...

Page 440: ...shows how to disable RADIUS authentication Console enable set authentication login radius disable radius login authentication set to disable for console and telnet session Console enable set authentication enable radius disable radius enable authentication set to disable for console and telnet session Console enable show authentication Login Authentication Console Session Telnet Session tacacs dis...

Page 441: ...Kerberos as an authentication method on the switch you need to configure the Kerberos server You will need to create a database for the KDC and add the switch to the database Note Kerberos authentication requires that NTP is enabled Additionally we recommend that you enable DNS To configure the Kerberos server perform this procedure Step 1 Before you can enter the switch in the Kerberos server s k...

Page 442: ...entication Console Session Telnet Session tacacs disabled disabled radius disabled disabled kerberos disabled enabled primary local enabled primary enabled kerberos enable This example shows how to enable Kerberos as the login authentication method for the console and verify the configuration kerberos enable set authentication login kerberos enable console kerberos login authentication set to enab...

Page 443: ...os server entries Realm CISCO COM Server 187 0 2 1 Port 750 Kerberos Domain Realm entries Domain cisco com Realm CISCO COM Kerberos Clients NOT Mandatory Kerberos Credentials Forwarding Enabled Kerberos Pre Authentication Method set to None Kerberos config key Kerberos SRVTAB Entries Srvtab Entry 1 host niners cisco com CISCO COM 0 932423923 1 1 8 01 8 00 50 0 0 0 kerberos enable Specifying a Kerb...

Page 444: ...e enable Copying SRVTAB Files To make it possible for remote users to authenticate to the switch using Kerberos credentials the switch must share a key with the KDC To allow this configuration you must give the switch a copy of the file stored in the KDC that contains the key These files are called SRVTAB files on the switch and KEYTAB files on the servers The most secure method to copy SRVTAB fil...

Page 445: ... COM Kerberos server entries Realm CISCO COM Server 187 0 2 1 Port 750 Realm CISCO COM Server 187 20 2 1 Port 750 Kerberos Domain Realm entries Domain cisco com Realm CISCO COM Kerberos Clients NOT Mandatory Kerberos Credentials Forwarding Enabled Kerberos Pre Authentication Method set to None Kerberos config key Kerberos SRVTAB Entries Srvtab Entry 1 host niners cisco com CISCO COM 0 932423923 1 ...

Page 446: ...rk service For example Telnet prompts for a password To configure clients to forward user credentials as they connect to other hosts in the Kerberos realm perform this task in privileged mode This example shows how to configure clients to forward user credentials and verify the configuration kerberos enable set kerberos credentials forward Kerberos credentials forwarding enabled kerberos enable sh...

Page 447: ...eros clients mandatory configuration perform this task in privileged mode This example shows how to clear the clients mandatory configuration and verify the change Console enable clear kerberos clients mandatory Kerberos clients mandatory cleared Console enable show kerberos Kerberos Local Realm not configured Kerberos server entries Kerberos Domain Realm entries Kerberos Clients NOT Mandatory Ker...

Page 448: ...ealm CISCO COM Kerberos Clients Mandatory Kerberos Credentials Forwarding Disabled Kerberos Pre Authentication Method set to Encrypted Unix Time Stamp Kerberos config key abcd Kerberos SRVTAB Entries Srvtab Entry 1 host aspen niners cisco edu CISCO EDU 0 933974942 1 1 8 12151 88 3 11 kerberos enable To clear the DES key perform this task in privileged mode This example shows how to clear the DES k...

Page 449: ...ISCO COM Kerberos server entries Realm CISCO COM Server 187 0 2 1 Port 750 Realm CISCO COM Server 187 20 2 1 Port 750 Kerberos Domain Realm entries Domain cisco com Realm CISCO COM Kerberos Clients NOT Mandatory Kerberos Credentials Forwarding Enabled Kerberos Pre Authentication Method set to None Kerberos config key Kerberos SRVTAB Entries Srvtab Entry 1 host niners cisco com CISCO COM 0 93242392...

Page 450: ...for EAP Request Identity Frames page 21 44 Setting the Back End Authenticator to Supplicant Retransmission Time for EAP Request Frames page 21 44 Setting theBack End Authenticator to Authentication Server Retransmission Time for Transport Layer Packets page 21 45 Setting the Back End Authenticator to Supplicant Frame Retransmission Number page 21 45 Resetting the 802 1x Configuration Parameters to...

Page 451: ...orts To globally enable 802 1x authentication see the Enabling 802 1x Globally section on page 21 40 Note You must specify at least one RADIUS server before you can enable 802 1x authentication on the switch For information on specifying a RADIUS server see the Specifying RADIUS Servers section on page 21 24 To enable and initialize 802 1x authentication for access to the switch perform this task ...

Page 452: ...t how often 802 1x authentication reauthenticates the supplicant and enable automatic 802 1x reauthentication perform this task in privileged mode This example shows how to set automatic reauthentication to 7200 seconds enable 802 1x reauthentication and verify the configuration Console enable set dot1x re authperiod 7200 dot1x re authperiod set to 7200 seconds Console enable set port dot1x re aut...

Page 453: ...form this task in privileged mode This example shows how to enable access for multiple hosts on port 1 on module 4 Console enable set port dot1x 4 1 multiple host enable Port 4 1 multiple hosts allowed Disabling Multiple Hosts You can disable multiple user access on any port where it is enabled To disable multiple user access on a specific port perform this task in privileged mode This example sho...

Page 454: ...uest identity frame to 15 seconds Console enable set dot1x tx period 15 dot1x tx period set to 15 seconds Setting the Back End Authenticator to Supplicant Retransmission Time for EAP Request Frames The supplicant notifies the back end authenticator that it received the EAP request frame When the back end authenticator does not receive this notification the back end authenticator waits a set period...

Page 455: ...x server timeout set to 15 seconds Setting the Back End Authenticator to Supplicant Frame Retransmission Number The authentication server notifies the back end authenticator each time it receives a specific number of frames When the back end authenticator does not receive this notification after sending the frames the back end authenticator waits a set period of time and then retransmits the frame...

Page 456: ...t period 60 seconds re authperiod 3600 seconds server timeout 30 seconds supp timeout 30 seconds tx period 30 seconds Using the show Commands You can use these show commands to access information about 802 1x authentication and its configuration show port dot1x help show port dot1x show port dot1x statistics show dot1x To display the usage options for the show port dot1x command perform this task ...

Page 457: ...dule perform this task in normal mode This example shows how to display the statistics for the different types of EAP frames transmitted and received by the authenticator on port 1 on module 4 Console enable show port dot1x statistics 4 1 Port Tx_Req Id Tx_Req Tx_Total Rx_Start Rx_Logoff Rx_Resp Id Rx_Resp 4 1 97 0 97 0 0 0 0 Port Rx_Invalid Rx_Len_Err Rx_Total Last_Rx_Frm_Ver Last_Rx_Frm_Src_Mac ...

Page 458: ...en Workstation A attempts to connect to the switch the user is challenged for a TACACS username and password However only local authentication is enabled for both login and enable access on the console port Any user with access to the directly connected terminal can access the switch using the login and enable passwords Figure 21 3 TACACS Example Network Topology This example shows how to configur...

Page 459: ...ribe how authorization works Authorization Overview page 21 49 Authorization Events page 21 49 TACACS Primary Options and Fallback Options page 21 50 TACACS Command Authorization page 21 50 RADIUS Authorization page 21 51 Authorization Overview Catalyst 6000 family switches support TACACS and RADIUS authorization Authorization limits access to specified users using a dynamically applied access lis...

Page 460: ...s Available options and fallback options include the following tacacs If you have been authenticated and there is no response from the TACACS server then authorization will succeed immediately deny Deny is strictly a fallback option Authorization will fail if the TACACS server fails to respond This is the default behavior if authenticated If you have been authenticated and there is no response fro...

Page 461: ... you and then logs you in to the EXEC mode If you have Administrative Shell 6 Service Type access the NAS authenticates you and then logs you in to the privileged mode Configuring Authorization These sections describe how to configure authorization TACACS Authorization Default Configuration page 21 51 TACACS Authorization Configuration Guidelines page 21 51 Configuring TACACS Authorization page 21...

Page 462: ...Authorization is configured with the tacacs option The fallback option is deny Console enable set authorization exec enable tacacs deny both Successfully enabled enable authorization Console Task Command Step 1 Enable authorization for normal mode Enter the console or telnet keyword if you want to enable authorization only for console port or Telnet connection attempts Enter the both keyword to en...

Page 463: ...uration Console enable show authorization Telnet Primary Fallback exec tacacs deny enable tacacs deny commands config tacacs deny all Console Primary Fallback exec tacacs deny enable tacacs deny commands config tacacs deny all Console enable Disabling TACACS Authorization To disable TACACS authorization on the switch perform this task in privileged mode Task Command Step 1 Disable authorization fo...

Page 464: ...nd authorization for both console and Telnet connections and how to verify the configuration Console enable set authorization commands disable both Successfully disabled commands authorization Console enable This example shows how to verify the configuration Console enable show authorization Telnet Primary Fallback exec tacacs deny enable tacacs deny commands config tacacs deny all Console Primary...

Page 465: ...user to Admistrative that is a value of 6 in the RADIUS server to launch the user into enable mode in the RADIUS server If the service type is set for anything other than 6 administrative for example 1 login 7 shell or 2 framed you will be at the switch EXEC prompt not the enable prompt Disabling RADIUS Authorization Enter the set authentication login radius disable command in privileged mode to d...

Page 466: ...onfig tacacs deny all Console enable Understanding How Accounting Works These sections describe how the different accounting methods work Accounting Overview page 21 56 Accounting Events page 21 57 Specifying When to Create Accounting Records page 21 57 Specifying RADIUS Servers page 21 58 Updating the Server page 21 59 Suppressing Accounting page 21 59 Accounting Overview You can configure these ...

Page 467: ...n Note If you get a connection immediately upon login and then your connection terminates the EXEC and connect events overlap and have almost identical start and stop times System accounting Provides information on system events not related to users includes system reset system boot and user configuration of accounting Command accounting Sends a record for each command issued by the user This perm...

Page 468: ...72 20 52 3 with auth port 1812 added to radius server table as primary server Console enable show radius Login Authentication Console Session Telnet Session tacacs disabled disabled radius disabled disabled local enabled primary enabled primary Enable Authentication Console Session Telnet Session tacacs disabled disabled radius disabled disabled local enabled primary enabled primary Radius Deadtim...

Page 469: ...from 1 to 71 582 minutes Suppressing Accounting You can configure the system to suppress accounting when an unknown user with no username accesses the switch by using the set accounting suppress null username enable command Note RADIUS and TACACS accounting are the same except that RADIUS does not do command accounting periodic updates or allow null username suppression Configuring Accounting Thes...

Page 470: ...be how to configure RADIUS and TACACS accounting on the switch Enabling Accounting page 21 60 Disabling Accounting page 21 61 Enabling Accounting To enable accounting on the switch perform this task in privileged mode This example shows how to enable stop only TACACS accounting events Console enable set accounting connect enable stop only tacacs Accounting set to enable for connect events in stop ...

Page 471: ...y update the server Console enable set accounting update periodic 120 Accounting updates will be periodic at 120 minute intervals Console enable This example shows how to verify the configuration Console enable show accounting Event Method Mode exec tacacs stop only connect tacacs stop only system tacacs stop only commands config all tacacs stop only TACACS Suppress for no username enabled Update ...

Page 472: ...ession of unknown users Console enable set accounting suppress null username disable Accounting will be not be suppressed for user with no username Console enable This example shows how to verify the configuration Console enable show accounting Event Method Mode exec connect system commands config all TACACS Suppress for no username disabled Update Frequency new info Accounting information Active ...

Page 473: ...nection exec system and all command accounting Console enable set accounting connect enable stop only tacacs Accounting set to enable for connect events in stop only mode Console enable set accounting exec enable stop only tacacs Accounting set to enable for exec events in stop only mode Console enable set accounting commands enable all stop only tacacs Accounting set to enable for commands all ev...

Page 474: ... Configuring Switch Access Using AAA Accounting Example Accounting information Active Accounted actions on tty0 User null Priv 0 Active Accounted actions on tty288091924 User null Priv 0 Overall Accounting Traffic Starts Stops Active Exec 0 0 0 Connect 0 0 0 Command 0 0 0 System 1 0 0 Console enable ...

Page 475: ...al configurations See the MSFC Redundancy section on page 22 18 for detailed information We do not support configurations where the MSFCs are not configured identically Note Except where specifically differentiated the information and procedures in this chapter apply to both Supervisor Engine 2 with Layer 3 Switching Engine II Policy Feature Card 2 or PFC2 and Supervisor Engine 1 with Layer 3 Swit...

Page 476: ...nd the supervisor engine in slot 2 enters standby mode If the software versions of the two supervisor engines are different or if the NVRAM configuration of the two supervisor engines is different the active supervisor engine automatically downloads its software image and configuration to the standby supervisor engine If the background diagnostics on the active supervisor engine detect a major pro...

Page 477: ... term PCMCIA card Because you can store multiple boot images you must specify the name of the boot file image and the location of the image file in the Flash file system in order to boot and synchronize properly For information about how to specify the name and location of the boot image see Chapter 23 Modifying the Switch Boot Configuration In the synchronization process the active supervisor eng...

Page 478: ...ion parameter Flash PC cards with same boot image filename If you change the Flash device on either the active or standby supervisor engine and the new Flash device contains a boot image that has the same name but a different time stamp as the boot image from the previous Flash device the Flash file management module initiates synchronization Current runtime image deleted If you delete the current...

Page 479: ...e boot file configuration Verifying Standby Supervisor Engine Status You can verify the status of the standby supervisor engine using a number of CLI commands Note The show module output provides information about installed daughter cards The show test command provides information about onboard application specific integrated circuits ASICs To verify the status of the standby supervisor engine per...

Page 480: ... the active supervisor engine disconnects any open Telnet sessions To force a switchover to the standby supervisor engine perform this task in privileged mode In addition you can also force a switchover to the standby supervisor engine by setting the CISCO STACK MIB moduleAction variable to reset 2 on the active supervisor engine When the switchover occurs the system sends a standard SNMP warm sta...

Page 481: ... successful for Altera 10K50 SRAM EPLD This module is now in standby mode Console is disabled for standby supervisor This example shows the console output on the standby supervisor engine when you force a switchover from the active to the standby supervisor engine Cisco Systems Console Enter password 12 07 1998 17 04 43 MLS 5 Multilayer switching is enabled 12 07 1998 17 04 43 MLS 5 Netflow Data E...

Page 482: ...gine for any change of data in the system database The active supervisor engine communicates and updates the standby supervisor engine when any state changes occur ensuring that the standby supervisor engine knows the current protocol state of supported features The standby supervisor engine knows the current protocol states for all modules ports and VLANs the protocols can initialize with this st...

Page 483: ...the global synchronization to complete High Availability Supported Features Note MLS flows are preserved from the active supervisor engine to the standby supervisor engine Note High availability does not preserve routing table entries on the active MSFC because high availability is not run on the MSFC IOS software However you can configure both MSFCs on the active and standby supervisor engines wi...

Page 484: ...nabled high availability is fully supported with the active and standby supervisor engines running different images as long as the images are compatible The only fully compatible images are as follows 5 5 3 and 5 5 4 6 1 3 and 6 1 4 Images that are compatible with all modules except Gigabit Ethernet switching modules are as follows 5 4 3 and 5 4 4 5 5 3 and 5 5 5 5 5 4 and 5 5 5 Images that are co...

Page 485: ... for high availability and versioning Enabling or Disabling High Availability High availability is disabled by default To enable or disable high availability perform this task in privileged mode This example shows how to enable high availability Console enable set system highavailability enable System high availability enabled Console enable This example shows how to disable high availability Cons...

Page 486: ... supervisor engine because of the version incompatibility OFF standby supervisor image nvram only compat The standby supervisor engine is running a different image than the active supervisor engine versioning option in NVRAM is enabled and the image is only NVRAM compatible that is a configuration change in NVRAM on the active supervisor engine is propagated to the standby supervisor engine Howeve...

Page 487: ...y versioning Console enable set system highavailability enable System high availability enabled Console enable Step 2 Download the new image to the active supervisor engine bootflash Console enable copy tftp image2 bin bootflash IP address or name of remote host 172 20 52 3 8763532 bytes available on device bootflash proceed y n n y display text truncated Console enable Step 3 Copy the new image t...

Page 488: ...Synchronizing the Runtime Image with the Bootstring This section contains four examples in which the active supervisor engine runtime image is synchronized with the standby supervisor engine Example 1 Runtime image not synchronized The configuration for example 1 is as follows The active supervisor engine configuration is as follows if the image in the standby supervisor engine is identical to the...

Page 489: ...eset The configuration for example 3 is as follows The active supervisor engine configuration is as follows Runtime image bootflash f1 Boot string bootflash f1 1 Bootflash f1 The standby supervisor engine configuration is as follows Runtime image bootflash f2 Boot string bootflash f2 1 Bootflash f1 f2 The time stamp for f1 on the active supervisor engine is the same as f1 on the standby supervisor...

Page 490: ...e standby supervisor engine and renames it RTSYNC_f1 The standby supervisor engine bootflash is modified to the following f3 f4 RTSYNC_f1 The standby supervisor engine boot string is modified to the following RTSYNC_f1 1 f2 1 The standby supervisor engine is reset Synchronizing the Boot Images on the Active and Standby Supervisor Engines This section contains four examples in which the bootstrings...

Page 491: ...ootstring to the following f2 1 The expected results are as follows The active supervisor engine copies its f2 image to the standby supervisor engine and renames it BTSYNC_f2 The standby supervisor engine bootflash is modified to the following f1 BTSYNC_f2 The standby supervisor engine bootstring is modified to the following bootflash BTSYNC_f2 1 f1 1 The standby supervisor engine is not reset Exa...

Page 492: ...e stamp for f1 on the active supervisor engine is the same as f1 on the standby supervisor engine The time stamp for f0 is older than f1 and the time stamp for f1 is older than f3 The active supervisor engine bootstring is modified to the following bootflash f2 1 bootflash f1 1 The expected results are as follows The active supervisor engine attempts to copy its f2 image to the standby supervisor ...

Page 493: ...ons Supervisor Engine 1 with Policy Feature Card PFC and MSFC or MSFC2 both supervisor engines must have the same type of MSFC Supervisor Engine 2 with PFC2 and MSFC2 Two chassis with a supervisor engine in each You must have at least one supervisor engine in each chassis Each supervisor engine must be equipped with a PFC and an MSFC Note Each MSFC must be running the same release of Cisco IOS sof...

Page 494: ...ne switches the packets Note PFC2 With PFC2 only the designated MSFC programs the forwarding information base FIB the adjacency table Cisco IOS software and policy routing ACLs on the active supervisor engine If you configure static routes or policy routing you must have the identical configuration on both MSFCs If you have a static route on the nondesignated MSFC that is not on the designated MSF...

Page 495: ...ayer 2 and Layer 3 functions roll over to the redundant supervisor engine and MSFC combination Layer 3 redundancy and load sharing for the two MSFCs If one MSFC fails the other MSFC takes over almost immediately using HSRP without any Layer 2 disruption the active supervisor engine continues to forward Layer 2 traffic The Layer 3 entries programmed by the failed MSFC on the active supervisor engin...

Page 496: ...ply the ACLs to the same VLAN interfaces on both MSFCs Note Dynamic and reflexive ACLs which are based on actual data flow may be programmed by either MSFC Note PFC For detailed information on hardware and software handling of IOS ACLs with the PFC see the Hardware and Software Handling of Cisco IOS ACLs with PFC section on page 16 10 Note PFC2 For detailed information on hardware and software han...

Page 497: ...21 odd numbered VLANs Configure MSFC 1 in Switch S2 as the primary HSRP router priority 110 and configure MSFC 2 as the standby router priority 109 Load sharing is achieved by having the even numbered VLANs routed by Switch S1 and the odd numbered VLANs by Switch S2 In a complete switch failure the remaining switch would service both even and odd VLANs You can achieve further load sharing by using...

Page 498: ...es HSRP is used for unicast traffic first hop redundancy for traffic received through another router attached to VLAN 10 for example the actual MAC address of Sup 1 MSFC 1 is used Understanding Failure Scenarios The five examples in this section describe possible failure scenarios within a single chassis with dual supervisor engines and dual MSFCs see Figure 22 4 when you enable high availability ...

Page 499: ...1 Fails This sequence occurs when the designated MSFC 1 fails 1 MLS entries for MSFC 1 gracefully age out of the Sup 1 Layer 3 cache while MSFC 2 takes temporary ownership of these MLS entries using its XTAG value 2 MLS entries for MSFC 2 are not affected 3 MSFC 2 removes all dynamic and reflexive ACLs programmed in hardware by MSFC 1 4 MSFC 2 reprograms the static ACLs in the Sup 1 ACL ASIC becau...

Page 500: ...y failed supervisor engine Sup 2 comes online 1 Sup 1 continues to be the active supervisor engine 2 Sup 2 synchronizes its image and configuration with Sup 1 unless high availability versioning is enabled 3 MSFC 2 on Sup 2 comes up If the HSRP preempt for VLAN 21 is configured then MSFC 2 becomes HSRP active The MLS entries for MSFC 1 are purged and then relearned via MSFC 2 4 MSFC 1 remains the ...

Page 501: ...pt Router config if standby 100 timers 5 15 Router config if standby 100 authentication Secret Router config if Z Router Task Command Step 1 Enable HSRP and specify the HSRP IP address If you do not specify a group_number group 0 is used To assist in troubleshooting configure the group number to match the VLAN number Router config if standby group_number ip ip_address Step 2 Specify the priority f...

Page 502: ...edundancy Status designated Config Sync AdminStatus enabled Config sync RuntimeStatus enabled Example 1 Two Chassis with One Supervisor Engine and One MSFC Each In the example in Figure 22 5 high availability cannot be configured on the supervisor engines but HSRP can be configured on the MSFCs Figure 22 5 Two Chassis with One Supervisor Engine and One MSFC Each This example shows how to configure...

Page 503: ...face vlan21 Router config if standby 21 ip 192 20 100 21 Router config if standby 21 priority 110 Router config if standby 21 preempt Router config if standby 21 timers 5 15 Router config if standby 21 authentication Secret Router config if Z Router C C C Example 2 Single Chassis with Dual Supervisor Engines and MSFCs In the example in Figure 22 6 high availability is configured on the supervisor ...

Page 504: ...nfig if standby 10 authentication Secret Router config if interface vlan21 Router config if standby 21 ip 192 20 100 21 Router config if standby 21 priority 110 Router config if standby 21 preempt Router config if standby 21 timers 5 15 Router config if standby 21 authentication Secret Router config if Z Router C C C Example 3 Double Chassis with Dual Supervisor Engines and MSFCs Figure 22 7 shows...

Page 505: ...e End with CNTL Z Router config interface vlan10 Router config if standby 10 ip 172 20 100 10 Router config if standby 10 priority 109 Router config if standby 10 preempt Router config if standby 10 timers 5 15 Router config if standby 10 authentication Secret Router config if interface vlan21 Router config if standby 21 ip 192 20 100 21 Router config if standby 21 priority 107 Router config if st...

Page 506: ...he designated MSFC the MSFC to come online first or the MSFC that has been online the longest and the nondesignated MSFC High availability redundancy is disabled by default Caution Configuration synchronization is only supported for IP and IPX configurations Before enabling synchronization you must ensure that both MSFCs have identical configurations for all protocols If you are using AppleTalk DE...

Page 507: ... keyword is available and required see the alt Keyword Usage section on page 22 33 for more information on the alt keyword The running and startup configurations are synchronized When the Config Sync RuntimeStatus is in disabled mode the following occurs Configuration mode is available on the CLI of both MSFCs The alt keyword is available but optional The running and startup configurations are not...

Page 508: ...lability redundancy the configuration mode is disabled on the nondesignated MSFC only the EXEC mode is available Table 22 3 Interface and Global Configuration Commands Containing the alt Keyword Interface Configuration Commands Global Configuration Commands no standby group_number ip ip_address secondary alt no standby group_number ip ip_address secondary no standby group_number priority priority ...

Page 509: ...nterfaces are checked first If an IP address is specified for the designated MSFC but not specified for the nondesignated MSFC a message is displayed indicating the first interface for which the alternate IP address was not specified After checking IP addresses the HSRP addresses are checked if an HSRP address is specified for the designated MSFC but not specified for the nondesignated MSFC a mess...

Page 510: ... nondesignated MSFC Router 151 config redundancy Router 15 config r high availability Router 15 config r ha config sync Router 15 config r ha end Router 15 00 03 31 SYS 5 CONFIG_I Configured from console by console Note When you enable high availability redundancy the configuration mode is disabled on the console of the nondesignated MSFC only the EXEC mode is available The following message ackno...

Page 511: ...z 120 7 XE1 ip subnet zero ip cef redundancy high availability config sync cns event service server interface Vlan1 ip address 70 0 70 4 255 255 0 0 alt ip address 70 0 70 5 255 255 0 0 interface Vlan10 ip address 192 10 10 1 255 255 255 0 alt ip address 192 10 10 2 255 255 255 0 no ip redirects shutdown standby ip 192 20 20 1 alt standby ip 192 20 20 1 ip classless ip route 223 255 254 0 255 255 ...

Page 512: ...100 0 no ip http server line con 0 transport input none line vty 0 4 login transport input lat pad mop telnet rlogin udptn nasi end Scenario 2 Disabling Configuration Synchronization on the Designated MSFC In this scenario configuration synchronization is enabled These examples show how to disable configuration synchronization Router 16 configure terminal Enter configuration commands one per line ...

Page 513: ...ig Sync RuntimeStatus The following message is displayed on the nondesignated MSFC 00 00 07 RUNCFGSYNC 6 SYNCEVENT The High Availability Redundancy Feature is enabled The config mode is no longer accessible 00 00 51 RUNCFGSYNC 6 SYNCEVENT Non Designated Router is now online Running Configuration Synchronization will begin in 1 minute A one minute timer will start allowing the nondesignated MSFC to...

Page 514: ...iguration 00 01 51 RUNCFGSYNC 6 SYNCEVENT Syncing Running Configuration to the Non Designated Router These examples show that Config Sync AdminStatus and RuntimeStatus are enabled on the designated and nondesignated MSFCs Router 15 show redundancy Designated Router 1 Non designated Router 2 Redundancy Status non designated Config Sync AdminStatus enabled Config Sync RuntimeStatus enabled Router 16...

Page 515: ...ter and the designated router but all nondesignated router interfaces are in a line down state they do not send or receive updates from the network When the designated router fails the nondesignated router changes its state from a nondesignated router to a designated router and its interface state changes to link up It builds up its routing table while the existing supervisor engine switch process...

Page 516: ...n configuring the fallback option Configuring Single Router Mode Redundancy To configure SRM redundancy perform these steps Caution Before going from dual router mode to SRM redundancy we recommend that you use the copy running config command on the MSFCs to save the non SRM configuration to bootflash When going to SRM redundancy the alternative configuration the configuration following the alt ke...

Page 517: ...nfiguration mode on both designated and nondesignated routers Step 8 Enable SRM on the designated router first and then enable SRM on the nondesignated router as follows Router config redundancy Router config r high availability Router config r ha single router mode Step 9 Enter the write memory command on the designated router to ensure that the nondesignated router s start up configuration has S...

Page 518: ...py the new image from the supervisor engine Flash PC card to the MSFC bootflash as follows copy sup slot0 c6msfc2 jsv mz 9E bootflash c6msfc2 jsv mz 9E Step 4 Access the standby MSFC by entering the switch supervisor command and then the switch console command on the active supervisor engine Note The standby MSFC does not appear in the show module command display that is issued from the active sup...

Page 519: ...ted router Step 3 Enter the show startup config command on the designated and nondesignated routers to ensure that single router mode is not in the startup configuration Step 4 Enter the reload command to reload the designated router and nondesignated router SRM is now disabled on the designated router and nondesignated router Manual Mode MSFC Redundancy Note Manual mode MSFC redundancy will be su...

Page 520: ...e either HSRP is used or some form of gateway discovery is implemented on hosts Ensure that the configuration register on the active MSFC MSFC 15 is set to 0x2102 and that the configuration register on the MSFC in ROM monitor mode MSFC 16 is set to 0x0 This setting prevents both MSFCs from becoming active at the same time and allows the active MSFC to come online after a reset See the Setting the ...

Page 521: ... requires that the MSFC be manually booted each time the switch is reset To manually boot the MSFC perform these steps Step 1 Enter the switch console command to gain access to the MSFC ROMMON prompt Step 2 Enter the boot bootflash image command Step 3 Once the MSFC has booted enter C C C at the Router prompt to return to the supervisor engine prompt Now you may enter the session command to access...

Page 522: ...s Step 1 Enter the switch console command Step 2 From the ROMMON prompt enter the boot bootflash image command Step 3 After the standby MSFC has booted from Cisco IOS configuration mode enter the config register 0x2102 command to ensure the MSFC will boot when the switch is reset Option 2 If You Have Remote Access Only to the Switch If you only have remote access to the switch use this option From...

Page 523: ...rrently Step 5 Enter C C C to return to the supervisor engine prompt Step 6 Ensure that high availability has synchronized the supervisor engine state by entering the show system highavailability command and verifying that high availability Operational status is ON Step 7 Enter the switch supervisor command Step 8 Enter the switch console command Step 9 From the standby MSFC s ROMMON prompt perfor...

Page 524: ...22 50 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 22 Configuring Redundancy MSFC Redundancy Step 12 Enter C C C to return to the supervisor engine prompt ...

Page 525: ...ration Register page 23 5 Setting the BOOT Environment Variable page 23 10 Setting the CONFIG_FILE Environment Variable page 23 11 Displaying the Switch Boot Configuration page 23 12 Understanding How the Switch Boot Configuration Works These sections describe how the boot configuration works Understanding the Boot Process page 23 1 Understanding the ROM Monitor page 23 2 Understanding the Configu...

Page 526: ...system regardless of whether the configuration register setting has the Break key disabled The following functionality is built into the ROM monitor Power on confidence test Hardware initialization Boot capability allows manual boot and autoboot Debug utility and crash analysis Monitor call interface EMT calls the ROM monitor provides information and some functionality to the running system images...

Page 527: ...able The BOOT environment variable specifies a list of image files on various devices from which the switch can boot at startup You can add several images to the BOOT environment variable to provide a fail safe boot configuration If the first file fails to boot the switch subsequent images specified in the BOOT environment variable are tried until the switch boots or there are no additional images...

Page 528: ...isables synchronization For information on specifying synchronization see the Setting CONFIG_FILE Synchronization section on page 23 8 Tip Remember that you can alter the CONFIG_FILE environment variable or change its other properties by commands in the configuration files used to configure the switch at startup You can add multiple configuration files to the CONFIG_FILE environment variable The s...

Page 529: ...the switch will use at the next startup by setting the boot field in the configuration register This command affects only the configuration register bits that control the boot field and leaves the remaining bits unaltered The following boot methods are supported ROM monitor Enter the rommon keyword to force the switch to remain in ROM monitor mode at startup Bootflash Enter the bootflash keyword t...

Page 530: ...figuration register bits that control the baud rate and leaves the remaining bits unaltered Note The baud rate specified in the configuration register is used by the ROM monitor only and is different from the baud rate specified by the set system baud command To set the ROM monitor console port baud rate in the configuration register perform this task in privileged mode This example shows how to s...

Page 531: ...he current configuration in NVRAM is erased at the next restart and the switch is configured using the specified configuration files The NVRAM configuration is retained after subsequent restarts unless you again set the CONFIG_FILE variable To set the switch to retain the current CONFIG_FILE environment variable indefinitely perform this task in privileged mode This example shows how to set the sw...

Page 532: ... s to synchronize automatically to the standby supervisor engine The file s are kept consistent with what is on the active supervisor engine The default is disabled These events can trigger a synchronization check and a synchronization if necessary Changing the auto config file s on either supervisor engine if the file is deleted on the active supervisor engine it is also deleted on the standby su...

Page 533: ...e the configuration information stored in NVRAM the next time the switch is restarted This command affects only the configuration register bits that control whether the switch ignores the NVRAM configuration and leaves the remaining bits unaltered This command affects the next system restart only Caution Enabling the ignore config parameter is the same as entering the clear config all command that...

Page 534: ...witch These sections describe how to modify the BOOT environment variable Setting the BOOT Environment Variable page 23 10 Clearing the BOOT Environment Variable Settings page 23 11 Setting the BOOT Environment Variable To set the BOOT environment variable perform this task in privileged mode This example shows how to set the BOOT environment variable Console enable set boot system flash bootflash...

Page 535: ...ONFIG_FILE environment variable Setting the CONFIG_FILE Environment Variable page 23 11 Clearing the CONFIG_FILE Environment Variable Settings page 23 12 Setting the CONFIG_FILE Environment Variable You can specify multiple configuration files with the set boot auto config command by separating them with a semicolon You must specify both the device name and the filename for each configuration file...

Page 536: ...ble Console enable clear boot auto config CONFIG_FILE variable Console enable Displaying the Switch Boot Configuration To display the current configuration register the BOOT environment variable and the CONFIG_FILE environment variable settings perform this task This example shows how to display the current configuration register the BOOT environment variable and the CONFIG_FILE environment variab...

Page 537: ...sh File System Works The Flash file system on a Catalyst 6000 family supervisor engine provides a number of useful commands to help you manage software image and configuration files The Flash file system on the supervisor engine consists of two Flash devices on which you can store files bootflash onboard Flash memory slot0 Flash PC card in the PCMCIA slot Working with the Flash File System These s...

Page 538: ...y uses less NVRAM or Flash memory space than binary configuration mode Because the text file in most cases requires less space NVRAM is a good place to store the file If the text file exceeds NVRAM space it can also be saved to Flash memory When operating in text file configuration mode most user settings are not immediately saved to NVRAM configuration changes are only written to DRAM You will ne...

Page 539: ...EFAULT and NON DEFAULT CONFIGURATION time Wed Jul 18 2001 06 51 56 version 6 3 0 74 set password 2 FMFQ HfZR5DUszVHIRhrz4h6V70 set enablepass 2 FMFQ HfZR5DUszVHIRhrz4h6V70 set prompt Console set length 24 default set logout 20 set config mode text nvram set banner motd C C set banner lcd C C test set test diaglevel complete errordetection set errordetection inband disable set errordetection memory...

Page 540: ...mple shows how to list the deleted files on the default Flash device Console enable dir deleted ED type crc seek nlen length date time name 1 D ffffffff 81a027ca 41bdc 22 7004 Apr 01 1998 15 27 45 5002 config 4 1 98 cfg 2 D ffffffff ccce97a3 43644 23 6630 Apr 01 1998 15 36 47 5002 default config cfg 3 D ffffffff 81a027ca 45220 15 7004 Apr 19 1998 10 05 59 5002_config cfg 1213952 bytes available 63...

Page 541: ...a TFTP server to the running configuration Console enable copy tftp config IP address or name of remote host 172 20 52 3 Name of file to copy from dns_config cfg Configure using tftp dns_config cfg y n n y Finished network download 135 bytes set ip dns server 172 16 10 70 primary 172 16 10 70 added to DNS server table as primary server set ip dns server 172 16 10 140 172 16 10 140 added to DNS ser...

Page 542: ...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCC File has been copied successfully Console enable Deleting Files Caution If you enter the squeeze command on a Flash device you cannot restore files deleted prior to the squeeze command To delete files on a Flash device perform this task in privileged mode This example shows how to delete a file from a Flash device ...

Page 543: ...ig cfg 1213952 bytes available 6388224 bytes used Console enable undelete 6 Console enable dir length date time name 4 3134688 Apr 27 1998 08 27 01 cat6000 sup 5 2 1 bin 5 3231989 Jun 24 1998 12 04 40 cat6000 sup 5 2 1 bin 6 135 Jul 17 1998 11 30 05 dns_config cfg 1213952 bytes available 6388224 bytes used Console enable Verifying a File Checksum To verify the checksum of a file on a Flash device ...

Page 544: ...vice using the monlib file that is bundled with the software If you omit just the device name device2 from the device2 monlib filename argument the switch formats the device using the named monlib file from the default Flash device If you omit the monlib filename from the device2 monlib filename argument the switch formats the device using the monlib file from device2 If you specify the entire dev...

Page 545: ...ware Images Using rcp page 25 9 Uploading System Software Images to an rcp Server page 25 14 Downloading Software Images Over a Serial Connection on the Console Port page 25 15 Downloading a System Image Using Xmodem or Ymodem page 25 21 Software Image Naming Conventions The software images on the Catalyst 6000 family switches use the following naming conventions software release 6 1 3 is used in ...

Page 546: ... The image file is downloaded to the supervisor engine Flash memory You can store multiple image files on the Flash memory system devices such as boot Flash and Flash PC cards Intelligent module software images If you specified a module number the image file is downloaded to the specified module only provided the image file is designed for the specified module type If you do not specify a module n...

Page 547: ...TP server to the Flash memory on the standby supervisor engine When you download the image to the active supervisor engine the standby supervisor engine synchronizes automatically with the new image In addition you cannot copy an image from the standby supervisor engine to the active supervisor engine To download a supervisor engine software image to the switch from a TFTP server perform these ste...

Page 548: ...er the name of the file to download the Flash device to which to copy the file and the destination filename Step 4 If there are multiple modules of the type appropriate for the image but you only want to update a single module enter the copy tftp m bootflash command where m is the number of the module to which to download the software image Note If you do not specify a module number the switch exa...

Page 549: ...72 20 52 3 Name of file to copy from cat6000 sup 5 2 1 CSX bin Flash device bootflash Name of file to copy to cat6000 sup 5 2 1 CSX bin 4369664 bytes available on device bootflash proceed y n n y CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCC File has been copied successfully Console enable set boot system flash bootflash cat6000 sup 5 2 1 CSX ...

Page 550: ...e 07 21 1998 13 53 11 SYS 5 Module 5 is online 07 21 1998 13 53 14 PAGP 5 Port 1 1 joined bridge port 1 1 07 21 1998 13 53 14 PAGP 5 Port 1 2 joined bridge port 1 2 07 21 1998 13 53 40 SYS 5 Module 2 is online 07 21 1998 13 53 45 SYS 5 Module 3 is online Console Single Module Image TFTP Download Example Note For a step by step procedure for downloading software images to intelligent modules see th...

Page 551: ... software image to multiple ATM modules Console enable show version 4 Mod Port Model Serial Versions 4 1 WS X6101 003414855 Hw 1 2 Fw 1 3 Sw 3 2 6 Console enable show version 5 Mod Port Model Serial Versions 5 1 WS X6101 003414463 Hw 1 2 Fw 1 3 Sw 3 2 6 Console enable copy tftp flash IP address or name of remote host 172 20 52 3 Name of file to copy from cat6000 atm 3 2 7 bin Download image tftp c...

Page 552: ... contains this line tftp dgram udp wait root usr etc in tftpd in tftpd p s tftpboot Make sure that the etc services file contains this line tftp 69 udp Note You must restart the inetd daemon after modifying the etc inetd conf and etc services files To restart the daemon either stop the inetd process and restart it or enter a fastboot command on the SunOS 4 x or a reboot command on Solaris 2 x or S...

Page 553: ...copy from cat6000 sup 5 4 1 bin IP address or name of remote host 172 20 52 3 172 20 52 10 Name of file to copy to cat6000 sup 5 4 1 bin CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC File has been copied successfully Console enable Downloading System Software Images Using rcp These sections describe how to download system sof...

Page 554: ...onnects when you reset the switch to run the new software Step 3 Download the software image from the rcp server by entering the copy rcp flash command When prompted enter the IP address or host name of the rcp server and the name of the file to download On those platforms that support the Flash file system you are also prompted for the Flash device to which to copy the file and the destination fi...

Page 555: ...age is then downloaded to all the modules of that type The switch downloads the image file erases the Flash memory on the appropriate modules and reprograms the Flash memory with the downloaded Flash code Note All modules in the switch remain operational while the image downloads Step 4 Reset the appropriate modules using the reset mod command If you are connected through Telnet your Telnet sessio...

Page 556: ...09 2 1999 13 51 39 SYS 5 System reset from Console System Bootstrap Version 4 2 Copyright c 1994 1999 by cisco Systems Inc Presto processor with 32768 Kbytes of main memory Autoboot executing command boot bootflash cat6000 sup 5 2 1 csx bin CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCC Uncompressing file System Power On Diagnostics DRAM Size 3...

Page 557: ...ws a complete rcp download procedure of an ATM software image to a single ATM module Console enable show version 4 Mod Port Model Serial Versions 4 1 WS X6101 003414855 Hw 1 2 Fw 1 3 Sw 3 2 6 Console enable copy rcp 4 flash IP address or name of remote host 172 20 52 3 Name of file to copy from cat6000 atm 3 2 7 bin Download image rcp cat6000 atm 3 2 7 bin to Module 4 FLASH y n n y This command wi...

Page 558: ...will reset Download Module s you selected Do you wish to continue download flash y n n y Download done for module 4 please wait for it to come online Download done for module 5 please wait for it to come online File has been copied successfully Console enable 09 2 1999 12 25 10 SYS 5 Module 4 is online 09 2 1999 12 25 10 SYS 5 Module 5 is online Console enable show version 4 Mod Port Model Serial ...

Page 559: ...sing the copy flash rcp command When prompted specify the rcp server address and destination filename On platforms that support the Flash file systems you are first prompted for the Flash device and source filename If desired you can use the copy file id rcp command on these platforms The software image is uploaded to the rcp server This example shows how to upload the supervisor engine software i...

Page 560: ...rmit is using the proper serial port On a PC specify the serial port using the set port comx command where x is the PC serial port number 1 through 8 that you connected to the switch On a UNIX workstation specify the serial port using the set port dev ttyx command where x is the serial port a or b that you connected to the switch Downloading Software Images Using Kermit PC Procedure Note This proc...

Page 561: ...ing and programming Flash code Step 10 Reset the switch using the reset system command Step 11 When the switch reboots enter the show version mod command to check the version of the code on the switch Note For an example that shows a complete serial download procedure using Kermit on a PC see the PC Serial Download Procedure Example section on page 25 19 Downloading Software Images Using Kermit UN...

Page 562: ... of the transaction The switch downloads the image file erases the Flash memory on the supervisor engine or the appropriate module and reprograms the Flash memory with the downloaded Flash code Note The switch remains operational while the image downloads Step 9 Press Return to return to the C Kermit prompt When the Kermit prompt reappears enter the connect command to return to the switch Console ...

Page 563: ...it send command from there Send Filename CONTROL c to return to Local Machine Kermit send c6509_xx bin File name c6509_xx bin KBytes transferred xxxx Percent transferred 100 Sending Complete Number of Packets xxxx Number of retries None Last error None Last warning None Kermit connect Finished network download 1136844 bytes Flash erase in progress Erase done Programming Flash Flash Programming Com...

Page 564: ... Kermit connect Connecting thru dev ttya speed 9600 The escape character is CTRL 28 Type the escape character followed by C to get back or followed by to see other options Console enable Console enable download serial c5009_xx bin Download CBI image via console port y n n y Waiting for DOWNLOAD Return to your local Machine by typing its escape sequence Issue Kermit send command from there Send Fil...

Page 565: ...Line Interfaces chapter for more information about the ROM monitor The computer from which you transfer the supervisor engine software image must be running terminal emulation software that supports the Xmodem or Ymodem protocol The following procedure shows a file transfer using the Xmodem protocol To use the Ymodem protocol include the y option with the xmodem command Caution A modem connection ...

Page 566: ... engine modem from the remote computer Step 4 Enter the xmodem command at the ROM monitor prompt in the terminal emulation window rommon xmodem s 38400 c Step 5 Start an Xmodem or Ymodem send operation with the computer s terminal emulation software The computer downloads the system image to the supervisor engine See your terminal emulation software application manual for instructions on how to ex...

Page 567: ...e 26 1 Creating a Configuration File page 26 2 Downloading Configuration Files to the Switch Using TFTP page 26 3 Uploading Configuration Files to a TFTP Server page 26 5 Copying Configuration Files Using rcp page 26 6 Downloading Configuration Files from an rcp Server page 26 6 Uploading Configuration Files to an rcp Server page 26 7 Clearing the Configuration page 26 8 Note For more information ...

Page 568: ... a session the switch prompts you for confirmation The blank line acts as a carriage return which indicates a negative response to the prompt and retains the Telnet session Include a blank line after each occurrence of these commands in a configuration file set interface sc0 ip_addr netmask set interface sc0 disable set module disable mod set port disable mod port Creating a Configuration File Whe...

Page 569: ...contains this line tftp 69 udp Note You must restart the inetd daemon after modifying the etc inetd conf and etc services files To restart the daemon either stop the inetd process and restart it or enter a fastboot command on the SunOS 4 x or a reboot command on Solaris 2 x or SunOS 5 x Refer to the documentation for your workstation for more information about the TFTP daemon Ensure that the switc...

Page 570: ...o configure a switch using a configuration file stored on a Flash device in the Flash file system perform these steps Step 1 Log into the switch through the console port or a Telnet session Step 2 Locate the configuration file using the cd and dir commands for more information see Chapter 24 Working With the Flash File System Step 3 Configure the switch using the configuration file stored on the F...

Page 571: ...estart it or enter a fastboot command on the SunOS 4 x or a reboot command on Solaris 2 x or SunOS 5 x Refer to the documentation for your workstation for more information about the TFTP daemon Ensure that the switch has a route to the TFTP server The switch and the TFTP server must be in the same subnetwork if you do not have a router to route traffic between subnets Check connectivity to the TFT...

Page 572: ...he remote system To copy files using rcp you do not need to create a server for file distribution as you do with TFTP You need only to have access to a server that supports the remote shell rsh Most UNIX systems support rsh Because you are copying a file from one place to another you must have read permission on the source file and write permission on the destination file If the destination file d...

Page 573: ... a Telnet session Step 3 Configure the switch using the configuration file downloaded from the rcp server using the copy rcp config command Specify the IP address or host name of the rcp server and the name of the file to download The configuration file downloads and the commands are executed as the file is parsed line by line This example shows how to configure a Catalyst 6000 family switch using...

Page 574: ...ns on the file should be user write Uploading a Configuration File to an rcp Server To upload a configuration file from a switch to an rcp server for storage perform these steps Step 1 Log into the switch through the console port or a Telnet session Step 2 Upload the switch configuration to the rcp server using the copy config rcp command Specify the IP address or host name of the rcp server and t...

Page 575: ...king with Configuration Files on the MSFC These sections describe how to work with configuration files on the Multilayer Switch Feature Card MSFC Uploading the Configuration File to a TFTP Server page 26 10 Uploading the Configuration File to the Supervisor Engine Flash PC Card page 26 11 Downloading the Configuration File from a Remote Host page 26 11 Downloading the Configuration File from the S...

Page 576: ...ends a copy of the currently running configuration to the remote host The system default is to store the configuration in a file called by the name of the MSFC with confg appended You can either accept the default filename by pressing Return at the prompt or enter a different name before pressing Return To upload copy the currently running configuration to a remote host perform these steps Step 1 ...

Page 577: ...isplay indicates that the process failed with the series of as shown in the following example Writing Router confg your configuration was not saved Repeat the preceding steps or select a different remote file server and repeat the preceding steps If you are unable to copy the configuration to a remote host successfully contact your network administrator or see http www cisco com en US support tsd_...

Page 578: ...g Step 7 Note that before the system reboots with the new configuration it displays the instructions you entered for confirmation If the instructions are not correct enter n no and then press Return to cancel the process To accept the instructions press Return or y and then Return Configure using router confg from 1 1 1 1 confirm Booting router confg from 1 1 1 1 OK 874 16000 bytes While the MSFC ...

Page 579: ...start the system This completes the procedure for downloading retrieving the configuration file Downloading the Configuration File from the Supervisor Engine Flash PC Card To download the configuration file from the supervisor engine Flash PC card in PCMCIA slot 0 perform this task Task Command Step 1 At the EXEC prompt enter enable mode Router enable Step 2 Copy the stored running configuration f...

Page 580: ...26 14 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 26 Working with Configuration Files Working with Configuration Files on the MSFC ...

Page 581: ...sage logging software can save messages in a log file or direct the messages to other devices The system message logging facility has these features Provides you with logging information for monitoring and troubleshooting Allows you to select the types of logging information captured Allows you to select the destination of captured logging information By default the switch logs normal but signific...

Page 582: ... All facilities acl ACL facility cdp Cisco Discovery Protocol cops Common Open Policy Server dtp Dynamic Trunking Protocol dvlan Dynamic VLAN earl Enhanced Address Recognition Logic filesys File System gvrp GARP VLAN Registration Protocol ip Internet Protocol kernel Kernel ld ASLB facility mcast Multicast mgmt Management mls Multilayer Switching pagp Port Aggregation Protocol protfilt Protocol Fil...

Page 583: ...ity Types continued Facility Name Definition Table 27 2 Severity Level Definitions Severity Level Description 0 emergencies System unusable 1 alerts Immediate action required 2 critical Critical condition 3 errors Error conditions 4 warnings Warning conditions 5 notifications Normal bug significant condition 6 informational Informational messages 7 debugging Debugging messages Table 27 3 System Lo...

Page 584: ...efault system message logging configuration Configuring System Message Logging These sections describe how to configure system message logging on the switch Enabling and Disabling Session Logging Settings page 27 5 Setting the System Message Logging Levels page 27 6 Enabling and Disabling the Logging Time Stamp Enable State page 27 6 Setting the Logging Buffer Size page 27 6 Configuring the syslog...

Page 585: ... If you enter the set logging session command while connected through the console port the command has the same effect as entering the set logging console command However if you enter the set logging console command while connected through a Telnet session the default console logging enable state is changed To enable or disable the logging state for console sessions perform this task in privileged...

Page 586: ...logging severity level to 3 for the cdp facility Console enable set logging level cdp 3 default System logging facility cdp set to severity 3 errors Console enable Enabling and Disabling the Logging Time Stamp Enable State To enable or disable the logging time stamp perform this task in privileged mode This example shows how to enable the time stamp display on system logging messages Console enabl...

Page 587: ...he UNIX logging facility used The messages from the switch are generated by user processes The debug keyword specifies the severity level of the condition being logged You can set UNIX systems to receive all messages from the switch Step 2 Create the log file by entering these commands at the UNIX shell prompt touch var log myfile log chmod 666 var log myfile log Step 3 Make sure that the syslog d...

Page 588: ...ver table perform this task in privileged mode This example shows how to delete a syslog server from the syslog server table Console enable clear logging server 10 10 10 100 System logging server 10 10 10 100 removed from system logging server table Console enable To disable logging to the syslog server perform this task in privileged mode This example shows how to disable logging to syslog server...

Page 589: ...e current system message logging configuration Console enable show logging Logging buffered size 500 timestamp option enabled Logging history size 1 Logging console enabled Logging server disabled server facility LOCAL7 server severity warnings 4 Current Logging Session enabled Facility Default Severity Current Session Sever acl 5 5 cdp 4 4 cops 3 3 dtp 5 5 dvlan 2 2 earl 2 2 filesys 2 2 gvrp 2 2 ...

Page 590: ...999 Apr 16 08 40 11 SYS 5 MOD_OK Module 1 is online 1999 Apr 16 08 40 14 SYS 5 MOD_OK Module 3 is online 1999 Apr 16 08 40 14 SYS 5 MOD_OK Module 2 is online 1999 Apr 16 08 41 15 PAGP 5 PORTTOSTP Port 2 1 joined bridge port 2 1 1999 Apr 16 08 41 15 PAGP 5 PORTTOSTP Port 2 2 joined bridge port 2 2 This example shows how to display the last five messages in the buffer Console enable show logging buf...

Page 591: ...names to IP addresses through the DNS protocol from a DNS server When you configure DNS on the switch you can substitute the host name for the IP address with all IP commands such as ping telnet upload and download To use DNS you must have a DNS name server present on your network You can specify a primary DNS name server on the switch as well as two backup servers The first server specified is th...

Page 592: ...S server table as primary server Console enable set ip dns server 10 2 24 54 primary 10 2 24 54 added to DNS server table as primary server Console enable set ip dns server 10 12 12 24 10 12 12 24 added to DNS server table as backup server Console enable set ip dns domain corp com Default DNS domain name set to corp com Console enable set ip dns enable DNS is enabled Console enable show ip dns DNS...

Page 593: ...r the default DNS domain name perform this task in privileged mode This example shows how to clear the default DNS domain name Console enable clear ip dns domain Default DNS domain name cleared Console enable Disabling DNS To disable DNS perform this task in privileged mode This example shows how to disable DNS on the switch Console enable set ip dns disable DNS is disabled Console enable Task Com...

Page 594: ...28 4 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 28 Configuring DNS Configuring DNS ...

Page 595: ... equipment including routers bridges access and communication servers and switches Using CDP you can view information about all the Cisco devices directly attached to the switch In addition CDP detects native VLAN and port duplex mismatches Network management applications can retrieve the device type and SNMP agent address of neighboring Cisco devices using CDP This enables applications to send SN...

Page 596: ...le state perform this task in privileged mode This example shows how to enable CDP globally and verify the configuration Console enable set cdp enable CDP enabled globally Console enable show cdp CDP enabled Message Interval 60 Hold Time 180 Console enable This example shows how to disable CDP globally and verify the configuration Console enable set cdp disable CDP disabled globally Console enable...

Page 597: ...nabled Message Interval 60 Hold Time 180 Port CDP Status 3 1 enabled 3 2 enabled 3 3 disabled 3 4 disabled 3 5 disabled 3 6 disabled 3 7 enabled 3 8 enabled 3 9 enabled 3 10 enabled 3 11 enabled 3 12 enabled Console enable This example shows how to disable CDP on ports 3 1 6 and verify the configuration Console enable set cdp disable 3 1 6 CDP disabled on ports 3 1 6 Console enable show cdp port 3...

Page 598: ...ting the CDP Holdtime The CDP holdtime specifies how much time can pass between CDP messages from neighboring devices before the device is no longer considered connected and the neighboring entry is aged out To set the default CDP holdtime perform this task in privileged mode This example shows how to set the default CDP holdtime to 225 seconds and verify the configuration Console enable set cdp h...

Page 599: ...p neighbors indicates vlan mismatch indicates duplex mismatch Port Device ID Port ID Platform 2 3 JAB023807H1 2948 2 2 WS C2948 3 1 JAB023806JR 4003 2 1 WS C4003 3 2 JAB023806JR 4003 2 2 WS C4003 3 5 JAB023806JR 4003 2 5 WS C4003 3 6 JAB023806JR 4003 2 6 WS C4003 Console enable This example shows how to display the native VLAN for each port connected on the neighboring device there is a native VLA...

Page 600: ...15 02 Chapter 29 Configuring CDP Configuring CDP Version WS C2948 Software Version McpSW 5 1 57 NmpSW 5 1 1 Copyright c 1995 1999 by Cisco Systems Inc Platform WS C2948 Port ID Port on Neighbors s Device 2 2 VTP Management Domain Lab_Network Native VLAN 522 Duplex full Console enable ...

Page 601: ... that works with the Layer 1 mechanisms to determine the physical status of a link At Layer 1 autonegotiation takes care of physical signaling and fault detection UDLD performs tasks that autonegotiation cannot perform such as detecting the identities of neighbors and shutting down misconnected ports When you enable both autonegotiation and UDLD Layer 1 and Layer 2 detections work together to prev...

Page 602: ...erval UDLD reacts much faster to link failures Note By default UDLD is locally disabled on copper ports to avoid sending unnecessary control traffic on this type of media since it is often used for access ports Figure 30 1 shows an example of a unidirectional link condition Each switch can send packets to a neighbor switch but is not able to receive packets from the same switch that it is sending ...

Page 603: ...ble UDLD globally and verify the configuration Console enable set udld enable UDLD enabled globally Console enable show udld UDLD enabled Console enable Enabling UDLD on Individual Ports To enable UDLD on individual ports perform this task in privileged mode This example shows how to enable UDLD on port 4 1 and verify the configuration Console enable set udld enable 4 1 UDLD enabled on port 4 1 Co...

Page 604: ...le Specifying the UDLD Message Interval To specify the UDLD message interval perform this task in privileged mode This example shows how to specify the UDLD message interval on the switch Console enable set udld interval 20 UDLD message interval set to 20 seconds Console enable This example shows how to verify the message interval on the switch Console enable show udld UDLD enabled Message Interva...

Page 605: ...l benefits in the following cases One side of a link has a port stuck both Tx and Rx One side of a link remains up while the other side of the link has gone down In these cases UDLD aggressive mode errdisables one of the ports on the link and stops the blackholing of traffic Even with aggressive mode disabled there would have been no risk for a broadcast storm due to a spanning tree loop in this s...

Page 606: ...directional Console enable Table 30 2 describes the fields in the show udld command output Task Command Display the UDLD configuration for a module or port show udld port mod mod port Table 30 2 show udld Command Output Fields Field Description UDLD Status of whether UDLD is enabled or disabled Message Interval Message interval in seconds Port Module and port number s Admin Status Status of whethe...

Page 607: ... same as Greenwich Mean Time An NTP network usually gets its time from an authoritative time source such as a radio clock or an atomic clock attached to a time server NTP distributes this time across the network NTP is extremely efficient no more than one packet per minute is necessary to synchronize two machines to within a millisecond of one another NTP uses a stratum to describe how many NTP ho...

Page 608: ...Internet Cisco s NTP implementation allows a machine to be configured so that it acts as though it is synchronized using NTP when in fact it has determined the time using other means Other machines then synchronize to that machine using NTP A number of manufacturers include NTP software for their host systems and a publicly available version for systems running UNIX and its various derivatives is ...

Page 609: ...abled Console enable set ntp broadcastdelay 4000 NTP Broadcast delay set to 4000 microseconds Console enable show ntp Current time Tue Jun 23 1998 20 25 43 Timezone offset from UTC is 0 hours Summertime disabled Last NTP update Broadcast client mode enabled Broadcast delay 4000 microseconds Client mode disabled NTP Server Console enable Configuring NTP in Client Mode Configure the switch in NTP cl...

Page 610: ...n feature is documented in RFC 1305 You can configure up to ten authentication keys per client Each authentication key is actually a pair of two keys A public key number A 32 bit integer that can range from 1 to 4294967295 A secret key string An arbitrary string of 32 characters including all printable characters and spaces To authenticate the message the client authentication key must match that ...

Page 611: ... Number Mode Key String Console enable Setting the Time Zone You can specify a time zone for the switch to display the time in that time zone You must enable NTP before you set the time zone If NTP is not enabled this command has no effect If you enable NTP and do not specify a time zone UTC is shown by default To set the time zone perform this task in privileged mode This example shows how to set...

Page 612: ... 30 minute offset forward in February and back in August Console enable set summertime recurring 3 mon feb 3 00 2 saturday aug 15 00 30 Summer time is disabled and set to start Sun Feb 13 2000 03 00 00 end Sat Aug 26 2000 14 00 00 Offset 30 minutes Recurring yes starting at 3 00am Sunday of the third week of February and ending 14 00pm Saturday of the fourth week of August Console enable To enable...

Page 613: ...able the daylight saving time adjustment Console enable set summertime disable Arizona Summertime is disabled and set to Arizona Console enable Clearing the Time Zone To clear the time zone settings and return the time zone to Coordinated Universal Time UTC perform this task in privileged mode This example shows how to clear the time zone settings Console enable clear timezone Timezone name and of...

Page 614: ...ws how to disable NTP client mode on the switch Console enable set ntp broadcastclient disable NTP Broadcast Client mode disabled Console enable To disable NTP client mode on the switch perform this task in privileged mode This example shows how to disable NTP client mode on the switch Console enable set ntp client disable NTP Client mode disabled Console enable Task Command Step 1 Disable NTP bro...

Page 615: ...rm on one of the ports A LAN broadcast storm occurs when broadcast or multicast packets flood the LAN creating excessive traffic and degrading network performance Errors in the protocol stack implementation or in the network configuration can cause a broadcast storm Broadcast suppression uses filtering that measures broadcast activity on a LAN over a one second time period and compares the measure...

Page 616: ... implementation factor is setting the percentage of total available bandwidth that can be used by broadcast traffic A threshold value of 100 percent means that no limit is placed on broadcast traffic Using the set port broadcast command you can set up the broadcast suppression threshold value Because packets do not arrive at uniform intervals the one second time interval during which broadcast act...

Page 617: ...ast 3 1 6 75 25 Port s 3 1 24 broadcast traffic limited to 75 25 Console enable show port broadcast 3 Port Broadcast Limit Broadcast Drop 3 1 75 25 3 2 75 25 3 3 75 25 3 4 75 25 3 5 75 25 3 6 75 25 3 7 0 3 8 0 3 90 3 10 0 3 110 3 120 This example shows how to limit the multicast and broadcast traffic to 80 percent for port 2 on module 1 and verify the configuration Console enable set port broadcas...

Page 618: ... Broadcast Suppression To disable broadcast suppression on one or more ports perform this task in privileged mode This example shows how to disable broadcast suppression on one or more ports Console enable clear port broadcast 3 1 Port 3 1 8 broadcast traffic unlimited Console enable Task Command Disable broadcast suppression on one or more ports clear port broadcast mod port ...

Page 619: ...VLAN membership Layer 3 protocol filtering is supported only on nontrunking Ethernet Fast Ethernet and Gigabit Ethernet ports Trunking ports are always members of all protocol groups To avoid compatibility issues with other networking devices Layer 3 protocol filtering is not performed on trunk ports Layer 2 protocols such as Spanning Tree Protocol STP and Cisco Discovery Protocol CDP are not affe...

Page 620: ...or IP if there is a directly connected end station out the port The default port configuration for IPX and Group is auto With Layer 3 protocol filtering enabled ports are identified on a protocol basis A port can be a member of one or more of the protocol groups Flood traffic for each protocol group is forwarded out a port only if that port belongs to the appropriate protocol group Packets are cla...

Page 621: ... 7 1 4 group auto Group protocol set to auto mode on ports 7 1 4 Console enable show port protocol 7 1 4 Port Vlan IP IP Hosts IPX IPX Hosts Group Group Hosts 7 1 4 on 1 off 0 auto off 0 7 2 5 on 1 off 0 auto on 1 7 3 2 on 1 off 0 auto off 0 7 4 4 on 1 off 0 auto on 1 Console enable Disabling Layer 3 Protocol Filtering To disable Layer 3 protocol filtering perform this task in privileged mode This...

Page 622: ...33 4 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 33 Configuring Layer 3 Protocol Filtering Configuring Layer 3 Protocol Filtering ...

Page 623: ...ally when you enable the IP permit list Outbound Telnet TFTP and other IP based services are unaffected by the IP permit list Telnet attempts from unauthorized source IP addresses are denied a connection SNMP requests from unauthorized IP addresses receive no response the request times out If you want to log unauthorized access attempts to the console or a syslog server you must change the logging...

Page 624: ... the IP permit list the system displays the address after the mask is applied IP Permit List Default Configuration Table 34 1 shows the default IP permit list configuration Configuring the IP Permit List These sections describe how to configure the IP permit list Adding IP Addresses to the IP Permit List page 34 2 Enabling the IP Permit List page 34 3 Disabling the IP Permit List page 34 4 Clearin...

Page 625: ...sts If you do not specify a permit list both the SNMP and Telnet permit lists are enabled Caution Before enabling the IP permit list make sure you add the IP address of your workstation or network management system to the permit list especially when configuring through SNMP Failure to do so could result in your connection being dropped by the switch you are configuring We recommend that you disabl...

Page 626: ...e private read write all secret Trap Rec Address Trap Rec Community Console enable Disabling the IP Permit List To disable the IP permit list on the switch perform this task in privileged mode This example shows how to disable the IP permit list Console enable set ip permit disable IP permit list disabled Console enable Clearing an IP Permit List Entry An IP address can be cleared from the SNMP pe...

Page 627: ...eared from IP permit list Console enable clear ip permit 172 160 161 0 255 255 192 0 snmp 172 160 128 0 with mask 255 255 192 0 cleared from snmp permit list Console enable clear ip permit 172 100 101 102 telnet 172 100 101 102 cleared from telnet permit list Console enable clear ip permit all IP permit list cleared Console enable Task Command Step 1 Disable the IP permit list set ip permit disabl...

Page 628: ...34 6 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 34 Configuring the IP Permit List Configuring the IP Permit List ...

Page 629: ... port Alternatively you can use port security to filter traffic destined to or received from a specific host based on the host MAC address This section describes the following traffic filtering methods Allowing Traffic Based on the Host MAC Address page 35 1 Restricting Traffic Based on the Host MAC Address page 35 2 Allowing Traffic Based on the Host MAC Address The total number of MAC addresses ...

Page 630: ...ss on another port on the switch the port in restrictive mode shuts down instead of restricting traffic from that station For example if you configure MAC 1 as the secure MAC address on port 2 1 and MAC 2 as the secure MAC address on port 2 2 and then connect the station with MAC 1 to port 2 2 when port 2 2 is configured for restrictive mode port 2 2 shuts down instead of restricting traffic from ...

Page 631: ... Age Time page 35 5 Clearing MAC Addresses page 35 5 Specifying the Security Violation Action page 35 6 Setting the Shutdown Timeout page 35 6 Disabling Port Security page 35 7 Restricting Traffic Based on a Host MAC Address page 35 7 Displaying Port Security page 35 8 Enabling Port Security To enable port security perform this task in privileged mode This example shows how to enable port security...

Page 632: ...Setting the Maximum Number of Secure MAC Addresses You can set the number of MAC addresses to secure on a port By default at least one MAC address per port can be secured In addition to this default a global resource of up to 1024 MAC addresses is available to be shared by the ports This means that if the entire global resource of 1024 MAC addresses is used on some ports you can still enable port ...

Page 633: ...et the age time on a port perform this task in privileged mode This example shows how to set the age time on port 7 7 Console enable set port security 7 7 age 600 Secure address age time set to 600 minutes for port 7 7 Console enable Clearing MAC Addresses Enter the clear port security command to clear MAC addresses from a list of secure addresses on a port Note If the clear command is executed on...

Page 634: ...d Console enable Note If you restrict the number of secure MAC addresses on a port to one and additional hosts attempt to connect to that port port security blocks these additional hosts from connecting to that port and to any other port in the same VLAN for the duration of the VLAN aging time By default the VLAN aging time is five minutes If a host is blocked from joining a port in the same VLAN ...

Page 635: ... Src Addr Age Left Last Src Addr Shutdown Time Left 3 24 1 00 e0 4f ac b4 00 Console enable Restricting Traffic Based on a Host MAC Address To restrict incoming or outgoing traffic for a specific MAC address perform this task in privileged mode This example shows how to create a filter that restricts traffic for a specific MAC address Console enable set cam static filter 00 02 03 04 05 06 1 Filter...

Page 636: ...ay port security configuration information and statistics perform this task in privileged mode This example shows how to display port security configuration information and statistics Console enable show port security 3 24 Port Security Violation Shutdown Time Age Time Max Addr Trap IfIndex 3 24 enabled shutdown 300 60 10 disabled 921 Port Num Addr Secure Src Addr Age Left Last Src Addr Shutdown T...

Page 637: ...7 22 0 1 7 23 0 1 7 24 0 1 Module 7 Total ports 24 Total MAC address es 223 Total global address space used out of 1024 199 Status installed Console enable This example shows how to display port security statistics on the system Console enable show port security statistics system Module 1 Total ports 2 Total MAC address es 2 Total global address space used out of 1024 0 Status installed Module 3 M...

Page 638: ...35 10 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 35 Configuring Port Security Configuring Port Security ...

Page 639: ...rence publication SNMP Terminology Table 36 1 lists the terms used in SNMP technology Table 36 1 SNMP Terminology Term Definition authentication The process of ensuring message integrity and protection against message replays including both data integrity and data origin authentication authoritative SNMP engine One of the SNMP copies involved in network communication is designated the allowed SNMP...

Page 640: ... sent to each user in the group privacy An encrypted state of the contents of an SNMP packet in this state the contents are prevented from being disclosed on a network Encryption is performed with an algorithm called CBC DES DES 56 read view A view name not to exceed 64 characters for each group the view name defines the list of object identifiers OIDs that can be read by users belonging to the gr...

Page 641: ... significant enhancements to administration and security See the Understanding SNMPv3 section on page 36 7 for more information on SNMPv3 SNMP engine A copy of SNMP that can reside on the local or remote device SNMP entity Unlike SNMPv1 and SNMPv2c in SNMPv3 the terms SNMP Agents and SNMP Managers are no longer used These concepts have been combined and called an SNMP entity An SNMP entity is made...

Page 642: ... user belongs to a group A group defines the access policy for a set of users SNMP objects access an access policy for reading writing and creating A group determines the list of notifications its users can receive A group also defines the security model and security level for its users Table 36 2 SNMP Security Levels Model Level Authentication Encryption What Happens v1 noAuthNoPriv Community Str...

Page 643: ...emote Monitoring RMON MIBs which run on managed devices SNMP network management applications such as CiscoWorks2000 which communicate with agents to get statistics and alerts from the managed devices See the Using CiscoWorks2000 section on page 36 6 for more information on CiscoWorks2000 Note An SNMP management application together with the computer it runs on is called a Network ManagementSystem ...

Page 644: ...ures When power supply errors occur SNMP community strings SNMP community strings authenticate access to MIB objects and function as embedded passwords Read only Gives read access to all objects in the MIB except the community strings but does not allow write access Read write Gives read and write access to all objects in the MIB but does not allow access to the community strings Read write all Gi...

Page 645: ... a packet to prevent it from being seen by an unauthorized source SNMP Entity Unlike SNMPv1 and SNMPv2c in SNMPv3 the concept of SNMP Agents and SNMP Managers no longer apply These concepts have been combined into an SNMP entity An SNMP entity consists of an SNMP engine and SNMP applications An SNMP engine consists of the following four components Dispatcher Message processing subsystem Security s...

Page 646: ...pporting a different version of SNMP Security Subsystem The security subsystem authenticates and encrypts messages Each outgoing message is passed to the security subsystem from the message processing subsystem Depending on the services required the security subsystem may encrypt the enclosed PDU and some fields in the message header In addition the security subsystem may generate an authenticatio...

Page 647: ... protocols and CBC DES as the privacy protocol SNMPv1 and SNMPv2c security models provide only community names for authentication and no privacy Access Control Subsystem The responsibility of the access control subsystem is to determine whether access to a managed object should be allowed One access control model the view based access control model VACM currently has been defined With VACM you can...

Page 648: ... SNMP from the command line interface CLI perform this task in privileged mode This example shows how to define community strings assign a trap receiver and specify which traps to send to the trap receiver Console enable set snmp community read only Everyone SNMP read only community string set to Everyone Console enable set snmp community read write Administrators SNMP read write community string ...

Page 649: ...all Console enable Note To disable access for an SNMP community set the community string for that community to the null string do not enter a value for the community string Configuring SNMPv3 This section provides basic SNMPv3 configuration information For detailed information on the SNMP commands supported by the Catalyst 6000 family switches refer to the Catalyst 6000 Family Command Reference pu...

Page 650: ...ytag trap inform volatile nonvolatile Step 5 Set the snmpTargetAddrEntry in the target address table set snmp targetaddr hex addrname param hex paramsname ipaddr udpport port timeout value retries value volatile nonvolatile taglist hex tag hex tag Step 6 Set the SNMP parameters used to generate a message to a target set snmp targetparams hex paramsname user hex username security model v3 message p...

Page 651: ...r1 security model v3 message processing v3 authentication Snmp target params was set to p1 v3 authentication message processing v3 user guestuser1 nonvolatile Console enable set snmp targetparams p2 user guestuser2 security model v3 message processing v3 privacy Snmp target params was set to p2 v3 privacy message processing v3 user guestuser2 nonvolatile These examples show how to configure guestu...

Page 652: ...e 1 3 6 1 6 3 10 2 1 included nonvolatile Console enable set snmp access guestgroup security model v3 authentication read snmpEngineMibView Snmp access group was set to guestgroup version v3 level authentication readview snmpEngineMibView nonvolatile This example shows how to verify the SNMPv3 access for guestuser1 from a workstation workstation getnext v3 10 6 4 201 guestuser1 snmpEngineID Enter ...

Page 653: ...ystems to exchange network monitoring data The supervisor engine software provides embedded support for these components of the RMON specification see the Supported RMON and RMON2 MIB Objects section on page 37 2 for details The following RMON groups are defined in RFC 1757 Statistics RMON group 1 for Ethernet Fast Ethernet Fast EtherChannel and Gigabit Ethernet switch ports uses 140 bytes of supe...

Page 654: ...led Extended RMON Extended RMON module is not present Traps Enabled Port Module Chassis Bridge Repeater Vtp Auth ippermit Vmps config entity stpx Port Traps Enabled 1 1 2 4 1 48 5 1 Community Access Community String read only Everyone read write Administrators read write all Root Trap Rec Address Trap Rec Community 172 16 10 10 read write 172 16 10 20 read write all Console enable Viewing RMON Dat...

Page 655: ...2 etherHistoryTable 2 RFC 1757 RMON MIB RFC 1757 RMON MIB Periodically samples and saves statistics group counters for later retrieval mib 2 1 rmon 16 alarm 3 RFC 1757 RMON MIB A threshold that can be set on critical RMON variables for network management mib 2 1 rmon 16 event 9 RFC 1757 RMON MIB Generates SNMP traps when an Alarms group threshold is exceeded and logs the events mib 2 1 rmon 16 usr...

Page 656: ...37 4 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 37 Configuring RMON Supported RMON and RMON2 MIB Objects ...

Page 657: ... these sections Understanding How SPAN and RSPAN Works page 38 1 SPAN and RSPAN Session Limits page 38 4 Configuring SPAN page 38 5 Configuring RSPAN page 38 8 Note To configure SPAN or RSPAN from a network management station NMS refer to the NMS documentation see the Using CiscoWorks2000 section on page 36 6 Understanding How SPAN and RSPAN Works These sections describe the concepts and terminolo...

Page 658: ... SPAN from the CLI section on page 38 7 for information on how to prevent loops in your network topology Only one destination port is allowed per SPAN session and the same port cannot be a destination port for multiple SPAN sessions A switch port configured as a destination port cannot be configured as a source port EtherChannel ports cannot be SPAN destination ports If the trunking mode of a SPAN...

Page 659: ...AN as ingress SPAN egress SPAN or both All the ports in the source VLANs become operational source ports for the VSPAN session The destination port if it belongs to any of the administrative source VLANs is excluded from the operational source If you add or remove ports from the administrative source VLANs the operational sources are modified accordingly Use the following guidelines for VSPAN sess...

Page 660: ...BPDU packets or Layer 2 protocol packets such as CDP DTP and VTP Multicast packet monitoring is enabled by default In some SPAN configurations multiple copies of the same source packet are sent to the SPAN destination port For example a bidirectional both ingress and egress SPAN session is configured for sources a1 and a2 to a destination port d1 If a packet enters the switch through a1 and gets s...

Page 661: ...ON probe SPAN mirrors traffic from one or more source ports on any VLAN from one or more VLANs or from the sc0 console interface to a destination port for analysis see Figure 38 1 In Figure 38 1 all traffic on Ethernet port 5 the source port is mirrored to Ethernet port 10 A network analyzer on Ethernet port 10 receives all network traffic from Ethernet port 5 without being physically attached to ...

Page 662: ...nabled by default Use the inpkts keyword with the learning option to enable or disable learning for a specific port You can specify a Multilayer Switch Module MSM port as the SPAN source port However you cannot specify an MSM port as the SPAN destination port When you configure multiple SPAN sessions the destination module number port number must be known to index the particular SPAN session If an...

Page 663: ...hows how to configure SPAN so that both transmit and receive traffic from port 1 1 the SPAN source is mirrored on port 2 1 the SPAN destination Console enable set span 1 1 2 1 Destination Port 2 1 Admin Source Port 1 1 Oper Source Port 1 1 Direction transmit receive Incoming Packets disabled Learning enabled Multicast enabled Filter This example shows how to set VLAN 522 as the SPAN source and por...

Page 664: ... Port 2 2 Admin Source port 3 2 Oper Source Port 3 2 Direction transmit Incoming Packets disabled Learning enabled Multicast enabled Filter Console enable To disable SPAN perform this task in privileged mode This example shows how to disable SPAN on the switch Console enable set span disable 2 1 This command will disable your span session Do you want to continue y n n y Disabled port 2 1 to monito...

Page 665: ...w SPAN and RSPAN Works section on page 38 1 for concepts and terminology that apply to both SPAN and RSPAN configuration RSPAN has all the features of SPAN see the Understanding How SPAN Works section on page 38 5 plus support for source ports and destination ports distributed across multiple switches allowing remote monitoring of multiple switches across your network see Figure 38 2 The traffic f...

Page 666: ...RSPAN configuration you can distribute the source ports and the destination port across multiple switches For RSPAN trunking is required if you have a source switch with all source ports in one VLAN VLAN 2 for example and it is connected to the destination switch through an uplink port that is also in VLAN 2 With RSPAN the traffic is forwarded to remote switches in the RSPAN VLAN The RSPAN VLAN is...

Page 667: ...flooding of RSPAN traffic across the network If you enable GARP VLAN Registration Protocol GVRP and GVRP requests conflict with existing RSPAN VLANs you might observe unwanted traffic might in the respective RSPAN sessions You can use RSPAN VLANs in Inter Switch Link ISL to dot1q mapping However ensure that the special properties of RSPAN VLANs are supported in all the switches to avoid unwanted t...

Page 668: ...ileged mode This example shows how to specify VLAN 200 as a source VLAN for RSPAN VLAN 500 selecting the rx option makes all the ports in the VLAN ingress ports Console enable set rspan source 200 500 rx Rspan Type Source Destination Rspan Vlan 500 Admin Source VLAN 200 Oper Source None Direction receive Incoming Packets Learning Multicast enabled Filter Console enable Task Command Step 1 Configur...

Page 669: ...vlan number Console enable set rspan disable source 903 Disabled monitoring of all source s on the switch for rspan_vlan 903 Console enable This example shows how to disable all enabled destination sessions Console enable set rspan disable destination all This command will disable all remote span destination session s Do you want to continue y n n y Disabled monitoring of remote span traffic for a...

Page 670: ... VLAN 901 for this session on all the switches using the set vlan vlan rspan command With VTP enabled in the network you can create the RSPAN VLAN in one switch and VTP propagates it to the other switches in the VTP domain Note that in the configuration example shown in Table 38 2 the RSPAN session may be disabled in Switch A or B or both without modifying the configuration in Switch C or Switch D...

Page 671: ...s in Intermediate Switch Table 38 3 Making Modifications to an Active RSPAN Session Switch Action RSPAN CLI Commands A source Disable the RSPAN session set rspan disable source 901 B source Remove source port 3 2 from RSPAN session set rspan source 3 1 3 3 901 B source Add back source port 3 2 to RSPAN session set rspan source 3 1 3 901 Table 38 4 Adding RSPAN Source Ports in Intermediate Switch S...

Page 672: ...of the respective trunks for the RSPAN VLAN s You need to configure the RSPAN VLANs in each of the switches for the respective RSPAN sessions With VTP enabled in the network you can create the RSPAN VLAN in one switch and VTP propagates it to the other switches in that VTP domain With VTP disabled create the RSPAN VLANs in each switch Figure 38 5 Configuring Multiple RSPAN Sessions Table 38 5 Conf...

Page 673: ...u can add probe 3 in Switch B to monitor RSPAN VLAN 901 using the set rspan destination 1 2 901 command Similarly you could add source ports to Switch C Figure 38 6 Adding Multiple Probes to an RSPAN Session 1 1 1 2 2 1 2 2 3 1 1 2 1 1 3 1 3 2 3 3 3 2 3 3 1 2 2 1 2 2 1 1 1 2 4 1 4 2 1 1 1 2 4 3 Switch D 3 1 3 2 1 2 1 1 Switch B Switch C Switch A Switch F Switch E Probe 2 Probe 1 Destination switch...

Page 674: ...38 18 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 38 Configuring SPAN and RSPAN Configuring RSPAN ...

Page 675: ...These sections describe how the Switch TopN Reports utility works TopN Reports Overview page 39 1 Running Switch TopN Reports without the Background Option page 39 2 Running Switch TopN Reports with the Background Option page 39 2 TopN Reports Overview The Switch TopN Reports utility allows you to collect and analyze data for each physical port on a switch Note The Switch TopN Reports utility cann...

Page 676: ...een and you cannot enter other commands while the report is being generated You can terminate the Switch TopN process before it finishes by pressing Ctrl C from the same console or Telnet session or by opening a separate console or Telnet session and entering the clear top report_num command After the Switch TopN Reports utility finishes processing the data it displays the output on the screen imm...

Page 677: ...able all active Switch TopN processes and all available Switch TopN reports for the switch are displayed All Switch TopN processes both with and without the background option are shown in the list This example shows how to run the Switch TopN Reports utility with the background option Console enable show top 5 pkts background Console enable 06 16 1998 17 21 08 MGMT 5 TopN report 4 started by Conso...

Page 678: ...ecific report and how to display all stored and pending reports Console enable show top report 5 Start Time 06 16 1998 17 29 40 End Time 06 16 1998 17 30 11 PortType all Metric overflow Port Band Uti Bytes Pkts Bcst Mcst Error Over width Tx Rx Tx Rx Tx Rx Tx Rx Rx flow 1 1 100 0 7880 83 0 83 0 0 2 12 100 0 0 0 0 0 0 0 2 11 100 0 0 0 0 0 0 0 2 10 100 0 0 0 0 0 0 0 2 9 100 0 0 0 0 0 0 0 Console enab...

Page 679: ... This example shows how to remove a specific report and how to remove all stored reports Console enable clear top 4 Console enable 06 16 1998 17 36 45 MGMT 5 TopN report 4 killed by Console Console enable clear top all 06 16 1998 17 36 52 MGMT 5 TopN report 1 killed by Console 06 16 1998 17 36 52 MGMT 5 TopN report 2 killed by Console Console enable 06 16 1998 17 36 52 MGMT 5 TopN report 3 killed ...

Page 680: ...39 6 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 39 Using Switch TopN Reports Running and Viewing Switch TopN Reports ...

Page 681: ...these sections Understanding How Multicasting Works page 40 1 Configuring IGMP Snooping page 40 6 Configuring GMRP page 40 12 Configuring Multicast Router Ports and Group Entries page 40 20 Configuring RGMP page 40 22 Displaying Multicast Protocol Status page 40 25 Understanding How Multicasting Works These sections describe how multicasting works on the Catalyst 6000 family switches Multicasting ...

Page 682: ... Cisco Group Management Protocol CGMP is not supported on the Catalyst 6000 family switches although CGMP server is supported on the MSFC To support CGMP client devices configure the MSFC as a CGMP server IGMP snooping manages multicast traffic at Layer 2 on the Catalyst 6000 family switches by allowing directed switching of IP multicast traffic Switches can use IGMP snooping to configure Layer 2 ...

Page 683: ...h an IGMP join for each group in which they are interested The switch intercepts these IGMP joins and only the first join per VLAN and per IP multicast group is forwarded on the multicast router ports Subsequent reports for the same VLAN and group are suppressed not sent to the router Note If there are CGMP switches in the network join and leave suppression does not occur In a network that has bot...

Page 684: ...MRP software components run on both the switch and on the host Cisco is not a source for GMRP host software On the host in an IP multicast environment you must use IGMP with GMRP the host GMRP software spawns Layer 2 GMRP versions of the host s Layer 3 IGMP control packets The switch receives both the Layer 2 GMRP and the Layer 3 IGMP traffic from the host The switch forwards the Layer 3 IGMP cont...

Page 685: ...le 40 1 provides a summary of the RGMP packet types Suppressing Multicast Traffic On Gigabit Ethernet ports you can limit the amount of bandwidth to be used for multicast traffic Use the set port broadcast command to specify a percentage of the total bandwidth to be used for multicast traffic on Gigabit Ethernet ports Nonreverse Path Forwarding Multicast Fast Drop In a redundant configuration wher...

Page 686: ...mask 224 4 entries installed in the hardware FIB allow both G flows to remain completely hardware switched flows and new directly connected sources to be learned correctly Installation of directly connected subnets is enabled globally by default One subnet mask 224 4 is installed per PIM enabled interface Use the show mls ip multicast connected command to view such FIB entries To enable installati...

Page 687: ... shows how to enable IGMP snooping and verify the configuration Console enable set igmp enable IGMP Snooping is enabled Console enable show igmp statistics IGMP enabled IGMP statistics for vlan 1 Total valid pkts rcvd 18951 Total invalid pkts recvd 0 General Queries recvd 377 Group Specific Queries recvd 0 MAC Based General Queries recvd 0 Leaves recvd 14 Reports recvd 16741 Queries Xmitted 0 GS Q...

Page 688: ...the default rate limit is 100 packets per 30 seconds for all packet types Valid rate limit values are from 1 to 65535 packets per 30 seconds Note If IGMP rate limiting and multicast are enabled multicast router ports might age out sporadically because the rate of the multicast control packets such as PIMv2 hellos or IGMP general queries exceeds the IGMP rate limit watermarks that were configured T...

Page 689: ...ng and verify the configuration Console enable set igmp fastleave enable IGMP fastleave set to enable Console enable show igmp statistics IGMP enabled IGMP fastleave enabled IGMP statistics for vlan 1 Total valid pkts rcvd 18951 Total invalid pkts recvd 0 General Queries recvd 377 Group Specific Queries recvd 0 MAC Based General Queries recvd 0 Leaves recvd 14 Reports recvd 16741 Other Pkts recvd ...

Page 690: ...ulticast router ports that were learned dynamically through IGMP Console enable show multicast router igmp IGMP enabled Port Vlan 1 1 1 2 1 2 99 255 Total Number of Entries 2 Configured Console enable Displaying Multicast Group Information To display information about multicast groups perform these tasks in privileged mode Task Command Display information on dynamically learned and manually config...

Page 691: ...e shows how to display IGMP snooping statistics Console enable show igmp statistics IGMP enabled IGMP statistics for vlan 1 Total valid pkts rcvd 18951 Total invalid pkts recvd 0 General Queries recvd 377 Group Specific Queries recvd 0 MAC Based General Queries recvd 0 Leaves recvd 14 Reports recvd 16741 Queries Xmitted 0 GS Queries Xmitted 16 Reports Xmitted 0 Leaves Xmitted 0 Failures to add GDA...

Page 692: ...eature for IP multicast disabled Console enable Configuring GMRP These sections describe how to configure the GARP Multicast Registration Protocol GMRP GMRP Software Requirements page 40 13 Default GMRP Configuration page 40 13 Enabling GMRP Globally page 40 13 Enabling GMRP on Individual Switch Ports page 40 14 Disabling GMRP on Individual Switch Ports page 40 14 Enabling GMRP Forward All Option ...

Page 693: ...rm this task in privileged mode This example shows how to enable GMRP globally and verify the configuration Console enable set gmrp enable GMRP enabled Console enable show gmrp configuration Global GMRP Configuration GMRP Feature is currently enabled on this switch GMRP Timers milliseconds Join 200 Leave 600 LeaveAll 10000 Table 40 3 GMRP Default Configuration Feature Default Value GMRP enable sta...

Page 694: ...e enable set port gmrp enable 6 12 GMRP enabled on port 6 12 Console enable show gmrp configuration Global GMRP Configuration GMRP Feature is currently enabled on this switch GMRP Timers milliseconds Join 200 Leave 600 LeaveAll 10000 Port based GMRP Configuration Port GMRP Status Registration ForwardAll 1 1 2 3 1 6 1 9 6 12 6 15 48 7 1 24 Enabled Normal Disabled 6 10 11 6 13 14 Disabled Normal Dis...

Page 695: ...nable the forward all option on any port connected to a router that needs to receive any multicasts routers do not support GMRP and so cannot send GMRP join mesages The forward all option can also be used to forward all registered multicast traffic to a port with a network analyzer or probe attached To enable the GMRP forward all option on a switch port perform this task in privileged mode This ex...

Page 696: ... to set normal registration on port 2 10 Console enable set gmrp registration normal 2 10 GMRP Registration is set normal on port 2 10 Console enable Setting Fixed Registration When you configure a port in fixed registration mode all the multicast groups currently registered on all ports are registered on the port but the port ignores any subsequent registrations or deregistrations on other ports ...

Page 697: ...on the port To set forbidden registration on a port perform this task in privileged mode This example shows how to set forbidden registration on port 2 10 and verify the configuration Console enable set gmrp registration forbidden 2 10 GMRP Registration is set forbidden on port 2 10 Console enable show gmrp configuration Global GMRP Configuration GMRP Feature is currently enabled on this switch GM...

Page 698: ...er value that does not adhere to these rules an error is returned For example if you set the leave timer to 600 ms and you attempt to configure the join timer to 350 ms an error is returned Set the leave timer to at least 1050 ms and then set the join timer to 350 ms Caution Set the same GARP timer values on all Layer 2 connected devices If the GARP timers are set differently on the Layer 2 connec...

Page 699: ...00 Join Empties 200 Join INs 150 Leaves 45 Leave Alls 200 Empties 5 Fwd Alls 0 Fwd Unregistered 0 Total valid GMRP Packets Received 0 Total GMRP packets dropped 0 Total GMRP Registrations Failed 0 Console Clearing GMRP Statistics To clear all GMRP statistics on the switch perform this task in privileged mode This example shows how to clear the GMRP statistics for all VLANs Console enable clear gmr...

Page 700: ...st Router Ports When you enable IGMP snooping the switch automatically learns to which ports a multicast router is connected However if desired you can manually specify multicast router ports To specify multicast router ports manually perform this task in privileged mode This example shows how to specify a multicast router port manually and verify the configuration the asterisk next to the multica...

Page 701: ...cam static 01 33 44 55 66 77 2 6 12 Static multicast entry added to CAM table Console enable show multicast group IGMP disabled VLAN Dest MAC Route Des Destination Ports or VCs Protocol Type 1 01 00 11 22 33 44 2 6 12 1 01 11 22 33 44 55 2 6 12 1 01 22 33 44 55 66 2 6 12 1 01 33 44 55 66 77 2 6 12 Total Number of Entries 4 Console enable Clearing Multicast Router Ports To clear manually configured...

Page 702: ... page 40 22 Configuring RGMP on the MSFC page 40 25 Configuring RGMP on the Supervisor Engine These sections describe the commands for configuring RGMP Default RGMP Configuration page 40 22 Enabling and Disabling RGMP page 40 22 Displaying RGMP Group Information page 40 23 Displaying RGMP VLAN Statistics page 40 23 Displaying Ports Connected to RGMP Capable Routers page 40 24 Clearing RGMP Statist...

Page 703: ...ormation perform these tasks in privileged mode This example shows how to display RGMP group information Console enable show rgmp group VlanDest MAC Route DesRGMP Joined Router Ports 101 00 5e 00 01 285 1 5 15 101 00 5e 01 01 015 1 201 00 5e 27 23 70 3 1 5 1 Total Number of Entries 3 Configured Console enable Console enable show rgmp group count 1 Total Number of Entries 2 Displaying RGMP VLAN Sta...

Page 704: ...laying Ports Connected to RGMP Capable Routers This command displays detected RGMP capable router ports A in front of the port indicates that it is an RGMP capable router To display RGMP capable router ports perform this task in privileged mode This example shows how to display ports connected to RGMP capable routers Console enable show multicast router Port Vlan 5 1 1 5 14 2 5 15 1 Total Number o...

Page 705: ... To configure RGMP on a VLAN interface on the MSFC perform this task You can use the debug ip rgmp command to monitor RGMP on the MSFC Displaying Multicast Protocol Status This command displays the status enabled or disabled of the Layer 2 multicast protocols on the switch To display the multicast protocol status perform this task in privileged mode Task Command Clear RGMP statistics clear rgmp st...

Page 706: ...nd 6 4 78 13315 02 Chapter 40 Configuring Multicast Services Displaying Multicast Protocol Status This example shows how to display the multicast protocol status Console enable show multicast protocols status IGMP disabled IGMP fastleave enabled RGMP enabled GMRP disabled ...

Page 707: ...w QoS Works page 41 1 QoS Default Configuration page 41 28 Configuring QoS page 41 30 Understanding How QoS Works Note Throughout this publication and all Catalyst 6500 series documents the term QoS refers to the QoS feature as implemented on the Catalyst 6500 series Supervisor Engine 1 and Supervisor Engine 2 provide policing only for ingress traffic Typically networks operate on a best effort de...

Page 708: ... three least significant bits Layer 2 802 1Q frame headers have a 2 byte Tag Control Information field that carries the CoS value in the three most significant bits which are called the User Priority bits Other frame types cannot carry CoS values Note On ports configured as ISL trunks all traffic is in ISL frames On ports configured as 802 1Q trunks all traffic is in 802 1Q frames except for traff...

Page 709: ... Switching Engine II Policy Feature Card 2 or PFC2 Supervisor Engine 1 with Layer 3 Switching Engine WS F6K PFC Policy Feature Card or PFC Flowcharts Figure 41 1 shows how traffic flows through the QoS features Figure 41 2 through Figure 41 7 show more details of the traffic flow through QoS features Figure 41 1 Traffic Flow Through QoS Features Note Traffic that is Layer 3 switched does not go th...

Page 710: ...ds 100 for CoS 6 and 7 80 for CoS 4 and 5 60 for CoS 2 and 3 50 for CoS 0 and 1 Strict priority queue 100 for CoS 5 Standard queue 100 for CoS 6 and 7 80 for CoS 4 60 for CoS 2 and 3 50 for CoS 0 and 1 Apply port CoS No No Yes Port set to trust ipprec Port set to trust dscp No No Port is set to trust cos To switching engine Apply port CoS Default values shown Ethernet ingress port classification m...

Page 711: ...P precedence 2 Set DSCP from received IP precedence No No Yes Yes Markdown 3 Set DSCP from received or port CoS Use DSCP from ACE 4 Set DSCP to marked down value Use default ACL To egress interface Yes No No Match ACE in ACL Yes Yes Yes Yes 25041 L3 Switching Engine PFC classification marking and policing 1 Traffic is from an untrusted port 1 Trust received or port CoS Use received DSCP 2 Specifie...

Page 712: ...1 5 Multilayer Switch Feature Card Marking MSFC and MSFC2 Yes From Ingress port To Egress port Match Destination MAC Address VLAN Apply configured CoS No From SET QOS MAC COS command L2 Switching Engine Classification and Marking 25031 27107 To egress port IP traffic from PFC Write ToS byte into packet No Yes Multilayer Switch Feature Card MSFC marking From PFC Route traffic CoS 0 for all traffic ...

Page 713: ...Q IP traffic from PFC Write ToS byte into packet No No Yes Yes Ethernet egress port scheduling congestion avoidance and marking Transmit frame From switching engine or MSFC 1p2q2t port Strict priority queue 100 for CoS 5 High priority standard queue WRED drop thresholds 70 100 for CoS 6 and 7 40 70 for CoS 4 Low priority standard queue WRED drop thresholds 70 100 for CoS 2 and 3 40 70 for CoS 0 an...

Page 714: ...2GE or WS X6K SUP1 2GE with one of the following Layer 3 Switching Engine WS F6K PFC Policy Feature Card or PFC Layer 2 Switching Engine II WS F6020A Layer 2 Switching Engine I WS F6020 The Layer 3 Switching Engine WS F6K PFC and Layer 3 Switching Engine II support similar feature sets The two Layer 2 switching engines support the same QoS feature set These sections describe the QoS feature sets E...

Page 715: ...ne section on page 41 14 During processing a Layer 3 switching engine associates a DSCP value with all traffic including non IP traffic for more information see the Internal DSCP Values section on page 41 15 Layer 2 Switching Engine Features With a Layer 2 Switching Engine QoS can classify traffic using Layer 2 destination MAC addresses VLANs and marking using Layer 2 CoS values Classification and...

Page 716: ...rust cos Note 1q4t ports except Gigabit Ethernet do not support the trust ipprec and trust dscp port keywords You must configure a trust ipprec or trust dscp ACL that matches the ingress traffic to apply the trust ipprec or trust dscp trust state On 1q4t ports except Gigabit Ethernet the trust cos port keyword displays an error message activates receive queue drop thresholds and as indicated by th...

Page 717: ... configured with the trust cos keyword for more information see the Configuring the Trust State of a Port section on page 41 32 Receive Queues Enter a show port capabilities command to see the queue structure of a port The command displays one of the following rx 1p1q4t one strict priority queue and one standard queue with four thresholds rx 1q4t one standard queue with four thresholds rx 1p1q0t o...

Page 718: ...itch drops incoming frames with CoS 2 or 3 when the receive queue buffer is 60 percent or more full Using standard receive queue drop threshold 3 the switch drops incoming frames with CoS 4 when the receive queue buffer is 80 percent or more full Using standard receive queue drop threshold 4 the switch drops incoming frames with CoS 6 or 7 when the receive queue buffer is 100 percent full Frames w...

Page 719: ... ACEs that classify traffic on a per packet basis for IP and IPX traffic see the Named IP ACLs section on page 41 38 and the Creating or Modifying Named IPX ACLs section on page 41 42 or on a per frame basis for other traffic see the Creating or Modifying Named MAC ACLs section on page 41 43 regardless of the port configuration see the Marking Rules section on page 41 21 To mark traffic in respons...

Page 720: ...Switching Engine CoS and ToS Values page 41 24 Note Classification with a Layer 3 switching engine uses Layer 2 3 and 4 values Marking with a Layer 3 switching engine uses Layer 2 CoS values and Layer 3 IP precedence or DSCP values Table 41 1 Marking Based on Per Port Classification Port Keyword ACE Keyword Marking Rule untrusted dscp Set internal and egress DSCP as specified in the ACE trust ippr...

Page 721: ...ue from CoS or IP precedence which are 3 bit values see the Mapping Received CoS Values to Internal DSCP Values section on page 41 55 or the Mapping Received IP Precedence Values to Internal DSCP Values section on page 41 56 Egress DSCP and CoS Sources For egress IP traffic QoS creates a ToS byte from the internal DSCP value which you can set equal to an IP precedence value and sends it to the egr...

Page 722: ... Classification Criteria page 41 18 IP ACE Layer 4 IGMP Classification Criteria page 41 19 IPX ACE Classification Criteria page 41 19 MAC ACE Layer 2 Classification Criteria page 41 20 IP ACE Layer 3 Classification Criteria You can create IP ACEs that match traffic with specific Layer 3 values by including these Layer 3 parameters see the Named IP ACLs section on page 41 38 IP source address and m...

Page 723: ...grp 9 icmp 1 igmp 2 igrp 9 ip 0 ipinip 4 nos 94 ospf 89 pcp 108 pim 103 tcp 6 or udp 17 Note IP ACEs that do not include a Layer 4 protocol parameter or that include the ip keyword match all IP traffic IP ACE Layer 4 TCP Classification Criteria You can create Transmission Control Protocol TCP ACEs that match traffic for specific TCP ports by including TCP source and or destination port parameters ...

Page 724: ...es and codes numerically 0 255 or with these keywords Keyword Port Keyword Port Keyword Port Keyword Port biff 512 echo 7 rip 520 talk 517 bootpc 68 mobile ip 434 snmp 161 tftp 69 bootps 67 nameserver 42 snmptrap 162 time 37 discard 9 netbios dgm 138 sunrpc 111 who 513 dns 53 netbios ns 137 syslog 514 xdmcp 177 dnsix 195 ntp 123 tacacs 49 Keyword Type Code Keyword Type Code administratively prohib...

Page 725: ...lds Note IGMP ACEs that do not include a Layer 4 IGMP type parameter match all IGMP traffic IPX ACE Classification Criteria You can create IPX ACEs that match specific IPX traffic by including these parameters for more information see the Creating or Modifying Named IPX ACLs section on page 41 42 IPX source network 1 matches any network number Protocol which can be specified numerically 0 255 or w...

Page 726: ...8039 or dec dsm 0x8040 or dec netbios 0x8041 or dec msdos 0x8042 no keyword 0x0BAD no keyword 0x0baf or banyan vines echo 0x0600 or xerox ns idp QoS MAC ACLs that do not include an ethertype parameter match traffic with any value in the ethertype field which allows MAC level QoS to be applied to any traffic except IP and IPX Default ACLs There are three default ACLs one each for IP and with a Laye...

Page 727: ...configured on the port default is zero dscp all ACLs except IPX and MAC with a PFC2 Instructs QoS to mark traffic as indicated by the port trust keywords In IP traffic from ingress ports configured with the trust dscp port keyword the dscp ACE keyword instructs QoS to set the internal and egress DSCP values from the received DSCP values In non IP traffic QoS sets the DSCP from the received or port...

Page 728: ...own occurs the marked down DSCP values are equal to the received DSCP values To enable markdown configure the table appropriately for your network You give each policing rule a unique name when you create it and then use the name to include the policing rule in an ACE The same policing rule can be used in multiple ACEs You can create these policing rules Microflow QoS applies the bandwidth limit s...

Page 729: ...ly microflow policing rules to Multilayer Switching MLS candidate frames MSFC2 does not use candidate and enabler frames To avoid inconsistent results all ACEs that include the same aggregate policing rule must use the same ACE keyword trust dscp trust ipprec trust cos or dscp If the ACE uses the dscp keyword all traffic that matches the ACE must come through ports configured with the same port ke...

Page 730: ...t based QoS traffic in all VLANs received through the port is compared to any named ACLs attached to the port If you do not attach any named ACLs to the port or if the traffic does not match an ACE in a named ACL QoS compares the traffic received through the port to the default ACLs Final Layer 3 Switching Engine CoS and ToS Values With a Layer 3 switching engine QoS associates CoS and ToS values ...

Page 731: ...imum of 80 percent of the total transmit queue size to the low priority standard queue and a minimum of 20 percent to the high priority standard queue On 1p2q2t and 1p3q1t ports the switch services traffic in the strict priority queue before servicing the standard queues When the switch is servicing a standard queue after transmitting a packet it checks for traffic in the strict priority queue If ...

Page 732: ...nsmit queues each have two drop thresholds that function as follows Frames with CoS 0 1 2 or 3 go to the low priority standard transmit queue queue 1 Using standard transmit queue 1 drop threshold 1 the switch drops frames with CoS 0 or 1 when the low priority transmit queue buffer is 80 percent full Using standard transmit queue 1 drop threshold 2 the switch drops frames with CoS 2 or 3 when the ...

Page 733: ...witching Engine CoS and ToS Values section on page 41 24 QoS Statistics Data Export The QoS statistics data export feature generates per port and per aggregate policer utilization information and forwards this information in UDP packets to traffic monitoring planning or accounting applications You can enable QoS statistics data export on a per port or on a per aggregate policer basis The statistic...

Page 734: ...32 CoS 5 DSCP 40 CoS 6 DSCP 48 CoS 7 DSCP 56 IP precedence to internal DSCP map internal DSCP set from IP precedence values IP precedence 0 DSCP 0 IP precedence 1 DSCP 8 IP precedence 2 DSCP 16 IP precedence 3 DSCP 24 IP precedence 4 DSCP 32 IP precedence 5 DSCP 40 IP precedence 6 DSCP 48 IP precedence 7 DSCP 56 Internal DSCP to egress CoS map egress CoS set from internal DSCP values DSCP 0 7 CoS ...

Page 735: ...gh priority queue threshold 2 100 1p2q2t transmit queue WRED drop threshold percentages Low priority queue threshold 1 Low WRED drop threshold 40 High WRED drop threshold 70 Low priority queue threshold 2 Low WRED drop threshold 70 High WRED drop threshold 100 High priority queue threshold 1 Low WRED drop threshold 40 High WRED drop threshold 70 High priority queue threshold 2 Low WRED drop thresh...

Page 736: ...and transmit queue 2 drop threshold 2 CoS 6 and 7 1p1q0t 1p3q1t ports Receive queue 1 standard tail drop threshold CoS 0 1 2 3 4 6 and 7 Receive queue 2 priority CoS 5 With QoS disabled Runtime Port based or VLAN based VLAN based Config Port based or VLAN based Port based Port trust state trust cos Layer 2 switching engine trust dscp Layer 3 switching engine Receive queue drop threshold percentage...

Page 737: ...Thresholds page 41 52 Configuring DSCP Value Maps page 41 55 Displaying QoS Information page 41 58 Displaying QoS Statistics page 41 59 Reverting to QoS Defaults page 41 60 Disabling QoS page 41 60 Configuring COPS Support page 41 60 Configuring RSVP Support page 41 66 Configuring QoS Statistics Data Export page 41 70 Note Some QoS show commands support the config and runtime keywords Use the runt...

Page 738: ...ernet Ingress Port Marking Scheduling Congestion Avoidance and Classification section on page 41 10 By default all ports are untrusted To configure the trust state of a port perform this task in privileged mode Note the following syntax guidelines whenconfiguring the trust state of a port The trust ipprec and trust dscp keywords are supported only with a Layer 3 switching engine 1q4t ports except ...

Page 739: ...d through the port To use the CoS value applied with the set port qos cos command configure a trust CoS ACL that matches the ingress traffic or for a port that receives no tagged traffic configure the port to trust CoS Unmarked frames from ports configured as trusted and all frames from ports configured as untrusted are assigned the CoS value specified with this command To configure the CoS value ...

Page 740: ...ty for rate values Within each range QoS programs the hardware with rate values that are multiples of the granularity values The valid values for the burst parameter are 1 Kb entered as 1 to 32 Mb entered as 32000 Task Command Step 1 Create a policing rule set qos policer microflow microflow_name rate rate burst burst drop policed dscp With PFC or PFC2 set qos policer aggregate aggregate_name rate...

Page 741: ... page 41 57 This example shows how to create a microflow policing rule with a 1 Mbps rate limit and a 10 Mb burst limit that marks down out of profile traffic Console enable set qos policer microflow my micro rate 1000 burst 10000 policed dscp Hardware programming in progress QoS policer for microflow my micro created successfully Console enable For PFC2 this example shows how to create an aggrega...

Page 742: ...e test3 rate 64 policed dscp erate 128 drop burst 96 QoS policer for aggregate test3 created successfully Console enable show qos policer config aggregate test3 QoS aggregate policers Aggregate name Normal rate kbps Burst size kb Normal action test3 64 96 policed dscp Excess rate kbps Burst size kb Excess action 128 96 drop ACL attached Console enable Deleting Policing Rules Note You can only dele...

Page 743: ...r ACL names must start with an alphabetic character and must be unique across all QoS ACLs of all types You cannot use keywords from any command as an ACL name ACE Name Marking Rule Policing and Filtering Syntax ACE command syntax is organized as follows ACL_command ACL_type_and_name marking_rule policing_rule filtering For example in an IP ACE the command syntax is as follows set qos acl ip acl_n...

Page 744: ...spec and dest_ip_spec parameters in the following sections in the form ip_address mask The mask is mandatory Use one bits which need not be contiguous where you want wildcards Use any of the following formats for the address and mask Four part dotted decimal 32 bit values The keyword any as an abbreviation for a wildcard address and wildcard mask of 0 0 0 0 255 255 255 255 The abbreviation host ip...

Page 745: ...hows how to create an IP ACE for UDP traffic Console enable set qos acl ip my_IPacl trust ipprec microflow my micro aggregate my agg udp any any my_IPacl editbuffer modified Use commit command to apply changes Console enable Task Command Step 1 Create or modify an IP ACE for TCP traffic set qos acl ip acl_name dscp dscp trust cos trust ipprec trust dscp microflow microflow_name aggregate aggregate...

Page 746: ...abled To create or modify an IP ACE for IGMP traffic perform this task in privileged mode Task Command Step 1 Create or modify an IP ACE for ICMP traffic set qos acl ip acl_name dscp dscp trust cos trust ipprec trust dscp microflow microflow_name aggregate aggregate_name icmp src_ip_spec dest_ip_spec icmp_type icmp_code icmp_message precedence precedence dscp field dscp before editbuffer_index mod...

Page 747: ... for IPINIP traffic Console enable set qos acl ip my_IPacl trust ipprec microflow my micro aggregate my agg ipinip any any my_IPacl editbuffer modified Use commit command to apply changes Console enable IP ACEs for Any IP Traffic To create or modify an IP ACE that matches all IP traffic perform this task in privileged mode Task Command Step 1 Create or modify an IP ACE set qos acl ip acl_name dscp...

Page 748: ...n be specified numerically 0 255 or with these keywords any ncp 17 netbios 20 rip 1 sap 4 or spx 5 The src_net and dest_net parameters are IPX network numbers entered as up to 8 hexadecimal digits in the range 1 to FFFFFFFE 1 matches any network number You do not need to enter leading zeros Task Command Step 1 Modify the default IP ACL set qos acl default action ip dscp dscp trust cos trust ipprec...

Page 749: ..._spec parameters as a MAC address and a mask Each parameter is 12 hexadecimal digits 48 bits formatted as dash separated pairs Use one bits which need not be contiguous where you want wildcards Use the any keyword for a MAC address and mask of 0 0 0 0 0 0 ff ff ff ff ff ff Use the host keyword with a MAC address to specify an all zero mask mac_address 0 0 0 0 0 0 Enter the ethertype parameter as 4...

Page 750: ...cmp_acl Console enable clear qos acl icmp_acl 1 ACL icmp_acl ACE 1 is deleted icmp_acl editbuffer modified Use commit command to apply changes Console enable Reverting to Default Values in Default ACLs To revert to the default values for a default ACL perform this task in privileged mode Task Command Step 1 Modify the default IPX or MAC ACL With PFC set qos acl default action ipx mac dscp dscp tru...

Page 751: ... When you create change or delete a named ACL the changes exist temporarily in an edit buffer in memory To commit the ACL so that it can be used perform this task in privileged mode This example shows how to commit an ACL named my_acl Console enable commit qos acl my_acl Hardware programming in progress ACL my_acl is committed to hardware Console enable Note When you commit an ACL that has already...

Page 752: ...CL named my_acl to port 2 1 Console enable set qos acl map my_acl 2 1 Hardware programming in progress ACL my_acl is attached to port 2 1 Console enable This example shows how to attach an ACL named my_acl to VLAN 4 Console enable set qos acl map my_acl 4 Hardware programming in progress ACL my_acl is attached to vlan 4 Console enable Note The default ACLs do not need to be attached to any interfa...

Page 753: ...ed for a particular host destination MAC address and VLAN number value pair perform this task in privileged mode This example shows how to map CoS 2 to a destination MAC address and VLAN 525 Console enable set qos mac cos 00 40 0b 30 03 48 525 2 CoS 2 is assigned to 00 40 0b 30 03 48 vlan 525 Console enable Deleting a CoS Value to a Host Destination MAC Address VLAN Pair Note QoS only supports thi...

Page 754: ...tion see the Policing Rules section on page 41 22 This example shows how to enable microflow policing of traffic in VLANs 1 through 20 Console enable set qos bridged microflow policing enable 1 20 QoS microflow policing is enabled for bridged packets on vlans 1 20 Console enable Configuring Standard Receive Queue Tail Drop Thresholds To configure the standard receive queue tail drop thresholds on ...

Page 755: ... standard transmit queue tail drop thresholds on all 2q2t ports perform this task in privileged mode Queue number 1 is the low priority transmit queue and queue number 2 is high priority In each queue the low priority threshold number is 1 and the high priority threshold number is 2 The thresholds are all specified as percentages ranging from 1 to 100 A value of 10 indicates a threshold when the b...

Page 756: ...s the queue fills The default low WRED threshold is zero all traffic has some chance of being dropped This example shows how to configure the low priority transmit queue WRED drop thresholds Console enable set qos wred 1p2q2t queue 1 40 70 70 100 WRED thresholds for queue 1 set to 40 70 and 70 100 on all WRED capable 1p2q2t ports Console enable Note The threshold in the strict priority queue is no...

Page 757: ...io is set successfully Console enable Configuring the Transmit Queue Size Ratio Estimate the mix of traffic of various priorities on your network for example 75 percent low priority traffic 15 percent high priority traffic and 10 percent strict priority traffic Specify queue ratios with the estimated percentages which must range from 1 to 99 and together add up to 100 To configure the transmit que...

Page 758: ...smit queue 2 standard high priority threshold 1 Receive queue 1 standard threshold 4 transmit queue 2 standard high priority threshold 2 Use the transmit queue and transmit queue drop threshold values in this command This example shows how to associate the CoS values 0 and 1 to both standard receive queue 1 threshold 1 and standard transmit queue 1 threshold 1 Console enable set qos map 2q2t tx 1 ...

Page 759: ...ue 3 drop threshold 1 Console enable set qos map 1p2q2t tx 3 1 cos 5 Qos tx strict queue and threshold mapped to cos successfully Console enable Associating 1p1q0t 1p3q1t Ports On 1p1q0t 1p3q1t ports you configure the receive queues and the transmit queues separately 1p1q0t Receive Queues To associate CoS values to a 1p1q0t receive queue perform this task in privileged mode Queue 1 is the standard...

Page 760: ...t the threshold number or enter 0 The WRED drop threshold number is 1 This example shows how to associate the CoS value 0 to transmit queue 1 drop threshold 1 Console enable set qos map 1p3q1t tx 1 1 cos 0 Qos tx strict queue and threshold mapped to cos successfully Console enable Reverting to CoS Map Defaults To revert to default CoS value drop threshold mapping perform this task in privileged mo...

Page 761: ... 8 DSCP values to which QoS maps received CoS values 0 through 7 This example shows how to map received CoS values to internal DSCP values Console enable set qos cos dscp map 20 30 1 43 63 12 13 8 QoS cos dscp map set successfully Console enable To revert to default CoS to DSCP value mapping perform this task in privileged mode This example shows how to revert to CoS DSCP map defaults Console enab...

Page 762: ...ble Mapping Internal DSCP Values to Egress CoS Values To map internal DSCP values to the egress CoS values used for egress port scheduling and congestion avoidance perform this task in privileged mode For more information see the Internal DSCP Values section on page 41 15 and the Ethernet Egress Port Scheduling Congestion Avoidance and Marking section on page 41 24 Task Command Step 1 Map received...

Page 763: ...airs This example shows how to map DSCP markdown values Console enable set qos policed dscp map 20 25 7 33 38 3 QoS dscp dscp map set successfully Console enable This example shows how to map DSCP markdown values for packets exceeding the excess rate Console enable set qos policed dscp map 33 30 QoS normal rate policed dscp map set successfully Console enable set qos policed dscp map excess rate 3...

Page 764: ...playing QoS Information To display QoS information perform this task This example shows how to display the QoS runtime information for port 2 1 Console show qos info config 2 1 QoS setting in NVRAM QoS is enabled Port 2 1 has 2 transmit queue with 2 drop thresholds 2q2t Port 2 1 has 1 receive queue with 4 drop thresholds 1q4t Interface type vlan based ACL attached The qos trust type is set to untr...

Page 765: ...e s 2 Threshold s Q Threshold Packets dropped 1 1 0 pkts 2 0 pkts 2 1 0 pkts 2 0 pkts On Receive Port 2 1 has 1 Queue s 4 Threshold s Q Threshold Packets dropped 1 1 0 pkts 2 0 pkts 3 0 pkts 4 0 pkts This example shows how to display QoS Layer 3 statistics Console enable show qos statistics l3stats QoS Layer 3 Statistics show statistics since last read Packets dropped due to policing 0 IP packets ...

Page 766: ...able Disabling QoS To disable QoS perform this task in privileged mode This example shows how to disable QoS Console enable set qos disable QoS is disabled Console enable Configuring COPS Support Note The commands in this section are not supported with a Layer 2 Switching Engine Note COPS can configure QoS only for IP traffic Use the CLI or SNMP to configure QoS for all other traffic These section...

Page 767: ...s on the same port ASIC The port ASICs on Gigabit Ethernet switching modules control up to 4 ports each 1 4 5 8 9 12 and 13 16 There is a port ASIC on 10 Mbps 10 100 Mbps and 100 Mbps Ethernet switching modules that controls all ports On 10 Mbps 10 100 Mbps and 100 Mbps Ethernet switching modules there is another set of port ASICs that control 12 ports each 1 12 13 24 25 36 and 37 48 but COPS cann...

Page 768: ... Configured QoS Policy To select locally configured QoS policy perform this task in privileged mode This example shows how to select locally configured QoS policy Console enable set qos policy source local QoS policy source for the switch set to local Console enable show qos policy source QoS policy source for the switch set to local Console enable Enabling Use of Locally Configured QoS Policy Whe...

Page 769: ...and may consist of a z A Z 0 9 the dash character the underscore character _ and the period character Role names cannot start with the underscore character The first assignment of a new role to a port creates the role To assign roles to a port ASIC perform this task in privileged mode This example shows how to assign two new roles to the ASIC controlling port 2 1 Console enable set port cops 2 1 r...

Page 770: ...he port variable is the PDP server TCP port number Use the diff serv keyword to set the address only for COPS This example shows how to configure a PDP server Console enable set cops server my_server1 primary my_server1 added to the COPS diff serv server table as primary server my_server1 added to the COPS rsvp server table as primary server Console enable Deleting PDP Server Configuration To dele...

Page 771: ...t to my_domain Console enable Deleting the COPS Domain Name To delete the COPS domain name perform this task in privileged mode This example shows how to delete the COPS domain name Console enable clear cops domain name Domain name cleared Console enable Configuring the COPS Communications Parameters To configure the parameters COPS uses to communicate with the PDP server perform this task in priv...

Page 772: ...ge 41 66 Disabling RSVP Support page 41 67 Enabling Participation in the DSBM Election page 41 67 Disabling Participation in the DSBM Election page 41 67 Configuring Policy Decision Point Servers page 41 68 Deleting PDP Server Configuration page 41 68 Configuring RSVP Policy Timeout page 41 69 Configuring RSVP Use of Local Policy page 41 69 Note Throughout this publication and all Catalyst 6000 fa...

Page 773: ...the participation of a port in the election of the DSBM perform this task in privileged mode The range for the priority parameter is 128 to 255 This example shows how to enable the participation of ports 2 1 and 3 2 in the election of the DSBM Console enable set port rsvp 2 1 3 2 dsbm election enable 232 DSBM enabled and priority set to 232 for ports 2 1 3 2 Console enable Disabling Participation ...

Page 774: ...ver TCP port number Use the rsvp keyword to set the address only for RSVP This example shows how to configure a PDP server Console enable set cops server my_server1 primary rsvp my_server1 added to the COPS rsvp server table as primary server Console enable Deleting PDP Server Configuration To delete PDP server configuration perform this task in privileged mode Use the rsvp keyword to delete only ...

Page 775: ... timeout 45 RSVP database policy timeout set to 45 minutes Console enable Configuring RSVP Use of Local Policy To configure how RSVP operates after communication with the PDP is lost perform this task in privileged mode The forward keyword sets the local policy to forward all new or modified RSVP path messages The reject keyword sets the local policy to reject all new or modified RSVP path message...

Page 776: ...st configure the feature globally To enable QoS statistics data export globally perform this task in privileged mode This example shows how to enable QoS statistics data export globally and verify the configuration Console enable set qos statistics export enable Export is enabled Export destination 172 20 52 3 SYSLOG facility LOG_LOCAL6 176 severity LOG_DE BUG 7 Aggregate policer export is not sup...

Page 777: ...nable show qos statistics export info Statistics export status and configuration information Export status enabled Export time interval 300 Export destination 172 20 52 3 SYSLOG facility LOG_LOCAL6 176 severity LOG_DE BUG 7 Port Export 1 1 disabled 1 2 disabled 3 1 disabled 3 2 disabled 5 1 enabled 5 2 disabled output truncated Console enable When enabled on a port QoS statistics data export conta...

Page 778: ... enable show qos statistics export info Statistics export status and configuration information Export status enabled Export time interval 300 Export destination 172 20 52 3 SYSLOG facility LOG_LOCAL6 176 severity LOG_DE BUG 7 Port Export 1 1 disabled 1 2 disabled 3 1 disabled 3 2 disabled 5 1 enabled 5 2 disabled output truncated Aggregate name Export ipagg_3 enabled Console enable When enabled fo...

Page 779: ...cated Aggregate name Export ipagg_3 enabled Console enable Configuring QoS Statistics Data Export Destination Host and UDP Port To configure the QoS statistics data export destination host and UDP port number perform this task in privileged mode This example shows how to configure the QoS statistics data export destination host and UDP port number and verify the configuration Console enable set qo...

Page 780: ...laying QoS Statistics Information To display the QoS statistics per aggregate policer packet and byte rates perform this task in privileged mode This example shows how to display the QoS statistics per aggregate policer packet and byte rates Console show qos statistics aggregate policer QoS aggregate policer statistics Aggregate Policer Packet Count Packets exceed Packets exceed normal rate excess...

Page 781: ...ot supported on Supervisor Engine 2 with Layer 3 Switching Engine II PFC2 This chapter consists of these sections Hardware and Software Requirements page 42 1 Understanding How ASLB Works page 42 2 Cabling Guidelines page 42 7 Configuring ASLB page 42 7 ASLB Configuration Example page 42 19 ASLB Redundant Configuration Example page 42 21 Troubleshooting the ASLB Configuration page 42 25 Hardware a...

Page 782: ...r Other Cisco routers can also be used as participating routers for ASLB Understanding How ASLB Works Note Refer to the Cisco LocalDirector Installation and Configuration Guide Version 3 2 for an overview on load balancing TCP IP traffic These sections describe ASLB Layer 3 Operations for ASLB page 42 3 Layer 2 Operations for ASLB page 42 3 Client to Server Data Forwarding page 42 4 Server to Clie...

Page 783: ...ndex and the server VLAN has entries for the router MAC addresses associated with port indexes In these port indexes the ports appear as 0 0 Display system CAM entries by entering the show cam system command Table 42 1 shows the entries in the CAM table the ASLB configuration is shown in Figure 42 1 The first entry identifies the MAC address of the LocalDirector on VLAN 10 The CAM table shows that...

Page 784: ...s its standard load balancing decision and forwards the frame to port PB The LocalDirector changes the destination MAC address to that of the appropriate server When this frame enters the switch it is considered an enabler frame The switch hardware does a lookup in the Layer 3 table and searches for the entry created by the previous candidate packet the packet forwarded through the LocalDirector I...

Page 785: ...3 table 2 20 Server MAC4 4 MAC address of the server that the LocalDirector selected Router MAC1 VIP CIP Enabler frame 3 N 10 LocalDirector MAC1 Router MAC VIP CIP Full ASLB MLS entry created N 1 10 LocalDirector MAC1 Router MAC VIP CIP FIN RST Path 1 redirect N 2 20 Server MAC Router MAC1 VIP CIP FIN RST Path 2 Table 42 3 Client to Server ASLB Layer 3 Table Entries IP Destination Address IP Sourc...

Page 786: ...irection the source MAC address of the packet was unmodified Figure 42 3 Server to Client ASLB Packet Flow Table 42 4 Server to Client ASLB Packet Flow Path Number VLAN MAC Destination Address MAC Source Address IP Destination Address IP Source Address Flags Action 1 20 Router MAC1 1 This MAC address has an Xtag value of 14 in the Layer 2 table for this packet s VLAN Server MAC2 2 MAC address of t...

Page 787: ...erfaces See the Configuring ASLB from the CLI section on page 42 11 to configure the switch Configuring ASLB This section lists the tasks necessary to configure ASLB Configuring the LocalDirector Interfaces page 42 7 ASLB Configuration Guidelines page 42 8 To implement these tasks follow the guidelines and use the detailed configuration procedures in the sections that follow Configuring the LocalD...

Page 788: ...using the set lda mac router command When ASLB is configured a VACL is created to redirect TCP traffic on the two VLANs that the LocalDirector is connected to no security IOS ACLs or VACLs can be configured on these VLANs Servers Follow these server configuration guidelines The servers must be either directly attached to the switch or within the same bridging domain as the LocalDirector port in th...

Page 789: ...n need to follow RFC 1918 for privacy use the following as a guideline the virtual IP address in this example is 171 1 1 200 Supervisor Engine Follow these supervisor engine configuration guidelines Up to 32 router MAC addresses are supported Up to 1024 virtual IP TCP port pairs are supported Backup LocalDirector Configuration Optional Connect the ports on the backup LocalDirector to the switch an...

Page 790: ...u cannot use ASLB if you enable NDE VLANs Follow these VLAN configuration guidelines When you configure ASLB a VACL is created to redirect TCP traffic on the two VLANs to which the LocalDirector is connected router VLAN and server VLAN You cannot configure any security IOS access control lists ACLs or VLAN access control lists VACLs on these VLANs Dedicate the router VLAN and server VLAN for ASLB ...

Page 791: ...page 42 16 Displaying the ASLB MLS Statistics page 42 17 Clearing the ASLB Configuration page 42 18 Configuring the Switch Ports Connected to the LocalDirector To configure the 10 100 Ethernet switch ports connected to the LocalDirector perform these steps Step 1 Enter the set vlan vlan_num mod_ports command to add the switch ports to the correct VLANs router VLAN and server VLAN Step 2 Note that ...

Page 792: ...er the clear lda vip command Note You can use a zero 0 as a wildcard don t care digit for the destination_tcp_port To specify server virtual IP addresses and TCP ports for acceleration perform this task in privileged mode This example shows how to specify a server virtual IP address and TCP port for acceleration Console enable set lda vip 10 0 0 8 8 Successfully set server virtual ip and port info...

Page 793: ...t the LocalDirector is connected to you must enter the set lda router command again to specify the new configuration Note Specifying a backup LocalDirector port is optional unless you are setting up a failover configuration of LocalDirectors If you are setting up a failover configuration you must specify the ports for the backup LocalDirector If this is not done failover will not work because the ...

Page 794: ...nable set lda server 105 4 40 Successfully set server vlan and LD port Use commit lda command to save settings to hardware Console enable Configuring UDP Aging To configure User Datagram Protocol UDP aging perform this task in privileged mode You can set aging from 1 to 2024000 milliseconds ms Enter a value of zero to disable UDP aging This example shows how to configure UDP aging to 500 ms Consol...

Page 795: ...ation settings To display committed or uncommitted ASLB configuration settings perform this task in privileged mode This example shows how to display committed ASLB configuration settings Console enable show lda committed Status Committed Virtual IP addresses Local Director Flow 10 0 0 8 TCP port 8 Router MAC 00 23 45 67 ee 7f LD MAC 00 11 22 33 55 66 LD Router Side Router and LD are on VLAN 110 L...

Page 796: ...all ASLB MLS entries in short format Console enable show lda mls entry short Destination IP Source IP Prot DstPrt SrcPrt Destination Mac Vlan EDst ESrc DPort SPort Stat Pkts Stat Bytes Uptime Age 10 0 0 8 172 20 20 10 TCP 8 64 00 33 66 99 22 44 105 ARPA ARPA 4 25 0 0 00 00 02 00 00 05 10 0 0 8 172 20 20 11 TCP 8 64 00 33 66 99 22 44 105 ARPA ARPA 4 25 0 0 00 00 05 00 00 08 Console enable This exam...

Page 797: ... Console enable This example shows how to display the number of ASLB active MLS entries Console enable show lda mls statistics count LDA active shortcuts 20 Console enable This example shows how to display the statistics for a specific destination IP address Console enable show lda mls statistics entry destination 172 20 22 14 Last Used Last Used Destination IP Source IP Prot DstPrt SrcPrt Stat Pk...

Page 798: ...ar lda mls destination 172 20 26 22 MLS IP entry cleared Console enable This example shows how to delete a virtual IP address and port pair 10 0 0 8 port 8 Console enable clear lda vip 10 0 0 8 8 Successfully deleted vip port pairs Console enable This example shows how to clear all ASLB router MAC addresses Console enable clear lda mac all Successfully cleared Router MAC address Console enable Thi...

Page 799: ...sts for the virtual IP address 192 255 201 55 The example in Figure 42 4 shows how to do the following Load balance HTTP connections in a round robin fashion among servers 192 255 201 3 through 192 255 201 10 Forward connections to port 8001 to server 192 255 201 11 Load balance FTP connections to servers 192 255 201 3 through 192 255 201 8 in a leastconns fashion which is the default for the Loca...

Page 800: ...syslog output 20 3 no syslog console hostname LD430 no shutdown ethernet 0 no shutdown ethernet 1 shutdown ethernet 2 shutdown ethernet 3 interface ethernet 0 100full interface ethernet 1 100full interface ethernet 2 auto interface ethernet 3 auto mtu 0 1500 mtu 1 1500 mtu 2 1500 mtu 3 1500 no multiring all no secure 0 no secure 1 no secure 2 no secure 3 ping allow 0 ping allow 1 no ping allow 2 n...

Page 801: ...80 0 tcp bind 192 255 201 55 80 0 tcp 192 255 201 7 80 0 tcp bind 192 255 201 55 80 0 tcp 192 255 201 8 80 0 tcp bind 192 255 201 55 80 0 tcp 192 255 201 9 80 0 tcp bind 192 255 201 55 80 0 tcp 192 255 201 10 80 0 tcp bind 192 255 201 55 8001 0 tcp 192 255 201 11 8001 0 tcp bind 192 255 201 55 21 0 tcp 192 255 201 3 21 0 tcp bind 192 255 201 55 21 0 tcp 192 255 201 4 21 0 tcp bind 192 255 201 55 2...

Page 802: ...address 7 0 0 1 for network 7 Router 1 f2 IP address 5 0 0 100 network 5 Router 2 f2 IP address 5 0 0 101 network 5 HSRP IP address 5 0 0 2 for network 5 LocalDirector IP address 5 0 0 1 Server IP address 5 100 100 100 VIP address for servers 13 13 13 13 LocalDirector 1 LocalDirector 2 Clients Router 2 Router 1 VLAN 9 VLAN 9 VLAN 9 VLAN 5 VLAN 5 9 ISL trunk VLAN 5 VLAN 5 VLAN 9 VLAN 5 3 41 3 42 3 ...

Page 803: ... lda mac router 00 00 0c 07 ac 01 set lda mac router 00 d0 79 7b 20 88 set lda mac router 00 d0 79 7b 18 88 set lda mac ld 00 e0 b6 00 47 ec set lda router 9 3 7 3 23 set lda server 5 3 8 3 23 commit lda Catalyst 6000 Family Switch 2 Configuration The switch 2 configuration is as follows set trunk 3 23 on isl 1 5 9 set lda enable clear lda vip all set lda vip 13 13 13 13 80 13 13 13 13 23 clear ld...

Page 804: ...o ip route cache distributed load interval 30 no keepalive full duplex standby 1 ip 7 0 0 1 standby 1 track FastEthernet2 interface FastEthernet2 ip address 5 0 0 101 255 0 0 0 no ip redirects no ip directed broadcast no ip route cache distributed no keepalive full duplex standby priority 250 standby 2 ip 5 0 0 2 standby 2 track FastEthernet1 ip route 13 13 13 13 255 255 255 255 5 0 0 1 LocalDirec...

Page 805: ...he supervisor engine set lda vip command and the LocalDirector Ensure that the LocalDirector is in the dispatched assisted mode Ensure that you configured the IP addresses of the routers LocalDirector and servers following the guidelines in the IP Addresses section on page 42 9 Ensure that the router knows how to reach the LocalDirector when traffic goes to the virtual IP address if the virtual IP...

Page 806: ...not committed or determine what changes will occur if the current set lda commands are committed by entering the show lda uncommitted command You see collisions or port disabled on the Catalyst 6000 port Ensure that the port speed and duplex settings are compatible on both ends of the link between the LocalDirector and the switch For example if port 3 7 on the switch is connected to interface ethe...

Page 807: ... Engine 2 in the Catalyst 6500 series switch The Switch Fabric Module creates a dedicated connection between fabric enabled modules and provides uninterrupted transmission of frames between these modules The Switch Fabric Module also provides fabric enabled modules with a direct connection to the Catalyst 6500 32 Gbps forwarding bus You can use the set system crossbar fallback bus mode none comman...

Page 808: ...bric enabled module the data goes through the switch fabric channel and the data bus The Switch Fabric Module does not get involved when traffic is forwarded between nonfabric enabled modules Compact mode A compact version of the DBus header is forwarded over the switch fabric channel delivering the best possible switching rate Nonfabric enabled modules do not support the compact mode and generate...

Page 809: ...ion to bus mode Console enable set system crossbar fallback bus mode System crossbar fallback set to bus mode Console enable Configuring the Switching Mode To improve performance you can manually specify which switching mode the system uses If you have one or more nonfabric enabled modules installed in the chassis configure the switch to use flow through mode If you have only fabric enabled module...

Page 810: ...ric Module This section describes how to monitor the Switch Fabric Module Displaying the Module Information page 43 4 Displaying the Fabric Channel Counters page 43 5 Displaying the Fabric Channel Switching Mode and Channel Status page 43 5 Displaying the Fabric Channel Utilization page 43 6 Displaying the Backplane Traffic and Fabric Channel Input and Output page 43 7 Displaying Switching Mode Co...

Page 811: ...aying the Fabric Channel Counters To display the fabric channel counters perform this task in privileged mode This example shows how to display the fabric channel counters Console show fabric channel counters 5 Channel 0 counters 0 rxTotalPkts 0 1 txTotalPkts 0 2 rxGoodPkts 0 3 rxErrors 0 4 txErrors 0 5 txDropped 0 Displaying the Fabric Channel Switching Mode and Channel Status To display the fabr...

Page 812: ... 16 16 n a unused 5 18 17 17 n a unused In the show fabric channel switchmode command output the Switch Mode field displays one of the following modes Flow through mode Truncated mode Compact mode Note See the Understanding How the Switch Fabric Module Works section on page 43 1 for definitions for the different modes Displaying the Fabric Channel Utilization To display the fabric channel utilizat...

Page 813: ...ric channel input and output Console enable show system PS1 Status PS2 Status ok none Fan Status Temp Alarm Sys Status Uptime d h m s Logout ok off ok 0 00 02 52 20 min PS1 Type PS2 Type WS CAC 1000W none Modem Baud Backplane Traffic Peak Peak Time disable 9600 0 0 Thu Jul 27 2000 14 03 27 PS1 Capacity 852 60 Watts 20 30 Amps 42V System Name System Location System Contact CC Fab Chan Input Output ...

Page 814: ...2 0 0 3 0 0 4 0 0 14 0 0 15 0 0 16 0 0 17 0 0 Console enable Displaying Switching Mode Configuration To display the switching mode configuration perform this task in privileged mode This example shows how to display the switching mode configuration Console enable show system switchmode Switchmode allow truncated Switchmode threshold 2 Console enable Configuring the LCD Banner You can modify the LC...

Page 815: ...ontent is modified this information is sent to the Switch Fabric Modules installed in the chassis and displayed in the LCDs To modify the LCD banner content perform this task in privileged mode This example shows how to modify the LCD banner for the Switch Fabric Module Console enable set banner lcd HelloWorld LCD banner set Console enable show banner MOTD banner LCD config Hello World Task Comman...

Page 816: ...43 10 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 43 Configuring the Switch Fabric Modules Configuring and Monitoring the Switch Fabric Module ...

Page 817: ...work Note For complete syntax and usage information for the commands used in this chapter refer to the Catalyst 6000 Family Command Reference publication This chapter consists of these sections Hardware and Software Requirements page 44 1 Understanding How a VoIP Network Works page 44 2 Understanding How VLANs Work page 44 8 Configuring VoIP on a Switch page 44 9 Hardware and Software Requirements...

Page 818: ...s two RJ 45 jacks for connecting to external devices a LAN to phone jack and a PC to phone jack The jacks use either Category 3 or Category 5 unshielded twisted pair UTP cable The LAN to phone jack is used to connect the phone to the LAN using a crossover cable a workstation or a PC can be connected to the PC to phone jack using a straight through cable The IP phone is Dynamic Host Configuration P...

Page 819: ...and PCs to the Catalyst 6000 family switch Figure 44 2 Connecting the Cisco IP Phone 7960 to the Catalyst 6000 Family Switch Example 1 Single Cisco IP Phone 7960 Example 1 shows one IP phone connected to the 10 100 port on the Catalyst 6000 family switch The PC to phone jack on the phone is not used The phone can be powered through either the 10 100 port or wall powered Example 2 Single PC Example...

Page 820: ...s the devices within its zone and exchanges information with the Cisco CallManager in charge of another zone to make calls possible across multiple zones Additionally Cisco CallManager can work with existing PBX systems to route a call over the Public Switched Telephone Network PSTN Note For information on configuring Cisco CallManager to work with the IP devices described in this chapter refer to...

Page 821: ...t is not connected to POTS end devices such as POTS phones or fax machines The analog trunk gateway requires an IP address is registered with Cisco CallManager in its domain and is managed by Cisco CallManager To configure the analog trunk gateways refer to the documentation that shipped with the gateway Table 44 1 24 Port FXS Analog Interface Module Features Digital Signal Processing Per Port G 7...

Page 822: ...face Module Features Digital Signal Processing Per T1 E1 Port G 711 to G 723 and G 729a transcoding maximum of 8 x 32 channels of transcoding Conference bridging meet me and ad hoc conference modes maximum of 8 x 16 channels of conferencing Comfort noise generation Fax passthrough Silence suppression voice activity detection Line echo cancellation Common channel signaling For T1 23 DS0 channels fo...

Page 823: ...Cisco CallManager always maintains a table mapping the phone MAC address and phone number Each time a phone registers the table is updated with the new IP address During registration Cisco CallManager downloads the key pad template and the feature capability for the phone It tells the phone which run time image it should use The phone then goes to the TFTP server to get its run time image Each pho...

Page 824: ...h to Phone Connections When the IP phone connects to a 10 100 port on the Catalyst 6000 family switch the access port PC to phone jack of the IP phone can be used to connect a PC Packets to and from the PC and to and from the phone share the same physical link to the switch and the same port of the switch Various configurations of connecting the phone and the PC are possible see the Cisco IP Phone...

Page 825: ...scribes the command line interface CLI commands and the procedures used to configure the Catalyst 6000 family switch for VoIP operation Voice Related CLI Commands page 44 9 Configuring Per Port Power Management page 44 10 Configuring Auxiliary VLANs on Catalyst LAN Switches page 44 19 Configuring the Access Gateways page 44 21 Displaying Active Call Information page 44 27 Configuring QoS in the Ci...

Page 826: ...wer can be applied on an individual port basis Only one IP phone can be powered per port the phone must be connected directly to the switch port If a second phone is daisy chained off the phone connected to the switch port the second phone cannot be powered by the switch Voice related commands set port auxiliaryvlan X X show port auxiliaryvlan X X set port voice interface X X show port voice inter...

Page 827: ...en you enter the show module command the WS X6348 modules both display as WS X6348 RJ 45 in the Model field To determine if the module has a voice daughter card installed look at the Sub field For example in the following display the 10 100BASE TX module in slot 8 does not have a voice daughter card while the module in slot 9 does have a voice daughter card To display module status and information...

Page 828: ...2GE SAD04450LF1 Hw 1 1 Fw 6 1 2 Fw1 6 1 3 Sw 6 3 0 62 PAN Sw1 6 3 0 62 PAN WS F6K PFC2 SAD04440HVU Hw 1 0 Console Power Management Modes Each port is configured through the CLI SNMP or a configuration file to be in one of the following modes configured through the set port inlinepower CLI command Auto The supervisor engine directs the switching module to power up the port only if the switching mod...

Page 829: ...p within 4 seconds the supervisor engine instructs the switching module to turn power off The entire cycle is repeated and the switching module performs discovery and reports to the supervisor engine if a device is present on the port Power Requirements IP Phones may have different power requirements The supervisor engine initially allocates the configured default of 7W 167 mA at 42V to the Cisco ...

Page 830: ...evice could be damaged We recommend that you wait at least 10 seconds between unplugging a device and plugging in a new device High Availability Support To support high availability during a failover from the active supervisor engine to the standby supervisor engine the per port power management and phone status information is synchronized between the active and standby supervisor engines The info...

Page 831: ...e will not discover the phone because CDP is not supported However the supervisor engine detects the phone and powers it up without CDP or third party phone Phone is inserted but has not booted Network Cisco phone Wall power Supervisor engine discovers the phone through CDP and or IEEE or third party phone device with CDP 10 100 module 10 100 module 10 100 module 10 100 module 10 100 module discov...

Page 832: ...to Provide Inline Power to the Device The switching module detects if there is a problem providing inline power to the device and reports this problem to the supervisor engine This syslog message is displayed 1999 Jul 14 10 05 58 SYS 5 PORT_INLINEPWRFLTY Port 4 7 reporting inline power as faulty Not Enough Available Power to Power the Device The supervisor engine tracks the available power left in...

Page 833: ...lt power allocation for a port perform this task in privileged mode This example shows how to set the default power allocation for a port Console enable set inlinepower defaultallocation 9500 Default inline power allocation set to 9500 mWatt per applicable port Console enable Displaying the Power Status for Modules and Individual Ports To display the power status for modules and individual ports p...

Page 834: ... enable show environment power 5 Feature not supported on module 5 Console enable show environment power 9 Module 9 Default Inline Power allocation per port 9 500 Watts 0 22 Amps 42V Total inline power drawn by module 9 0 Watt Slot power Requirement Usage Slot Card Type PowerRequested PowerAllocated CardStatus Watts A 42V Watts A 42V 9 WS X6348 123 06 2 93 123 06 2 93 ok Default Inline Power alloc...

Page 835: ...e ports on the module are inline powered Configuring Auxiliary VLANs on Catalyst LAN Switches These sections describe how to configure auxiliary VLANs Understanding Auxiliary VLANs page 44 19 Auxiliary VLAN Configuration Guidelines page 44 20 Configuring Auxiliary VLANs page 44 20 Verifying Auxiliary VLAN Configuration page 44 21 Understanding Auxiliary VLANs You can configure switch ports to send...

Page 836: ...s because traffic between devices in the same subnet is not routed routing would eliminate the frame type difference You cannot use switch commands to configure the frame type used by traffic received from a device attached to the phone s access port With software release 6 2 1 and later releases dynamic ports can belong to two VLANs a native VLAN and an auxiliary VLAN See Chapter 18 Configuring D...

Page 837: ...terface module Digital trunk gateway 8 port T1 E1 PSTN interface module Configuring Port Voice Interface If DHCP is enabled for a port the port obtains all other configuration information from the TFTP server When disabling DHCP on a port you must specify some mandatory parameters as follows If you do not specify DNS parameters the software uses the system DNS configuration on the supervisor engin...

Page 838: ...led Console enable Displaying Port Voice Interface To display the port voice interface configuration perform this task in privileged mode This example shows how to display the port voice interface configuration this display is from the 24 port FXS analog interface module Console show port voice interface 5 Port DHCP MAC Address IP Address Subnet Mask 5 1 24 disable 00 10 7b 00 13 ea 10 6 15 158 25...

Page 839: ...rt FailedSignalState FailedSignalSecond Last 15 Last 24h Last 15 Last 24h 7 1 37 38 39 40 7 2 37 38 39 40 7 3 37 38 39 40 Port LES BES LCV Last 15 Last 24h Last 15 Last 24h Last 15 Last 24h 7 1 41 48 49 50 53 54 7 2 41 48 49 50 53 54 7 3 41 48 49 50 53 54 Console enable Table 44 5 describes the possible fields depending on the port type queried in the show port voice fdl command output Task Comman...

Page 840: ...sable 1 full 1 544 T1 7 4 connected 11 full 1 544 T1 7 5 connected 123 full 1 544 T1 7 6 connected 1 full 1 544 T1 7 7 faulty 2 full 1 544 T1 7 8 faulty 2 full 1 544 T1 Port DHCP MAC Address IP Address Subnet Mask 7 1 enable 00 10 7b 00 0a 58 172 20 34 68 255 255 255 0 7 2 enable 00 10 7b 00 0a 59 172 20 34 70 255 255 255 0 7 3 enable 00 10 7b 00 0a 5a 172 20 34 64 255 255 255 0 7 4 enable 00 10 7...

Page 841: ...abled disabled 7 5 enabled disabled 7 6 disabled enabled 7 7 Port host processor not online 7 8 Port host processor not online Primary Console 8 Port T1 E1 PSTN Interface Module Configured for Trancoding Conferencing MTP media termination point and Conf Bridge conference bridge are types of ports Transcoding applies to a call on an MTP port In this example a transcoding port shows as MTP and a con...

Page 842: ... 15 155 10 6 15 155 10 6 15 155 7 7 10 6 15 155 10 6 15 155 10 6 15 155 7 8 10 6 15 155 10 6 15 155 10 6 15 155 Port DNS Server s Domain 7 1 7 2 7 3 7 4 7 5 7 6 7 7 7 8 Port CallManagerState DSP Type 7 1 registered C549 7 2 registered C549 7 3 registered C549 7 4 registered C549 7 5 registered C549 7 6 registered C549 7 7 registered C549 7 8 registered C549 Port NoiseRegen NonLinearProcessing 7 1 ...

Page 843: ...ll 64k FXS 3 24 onhook 1 full 64k FXS Port DHCP MAC Address IP Address Subnet Mask 3 1 24 enable 00 10 7b 00 13 e4 172 20 34 50 255 255 255 0 Port Call Manager s DHCP Server TFTP Sever Gateway 3 1 24 172 20 34 207 172 20 34 207 172 20 34 207 Port DNS Server s Domain 3 1 24 172 20 34 207 cisco com 172 34 23 111 Port CallManagerState DSP Type 3 1 24 registered C549 Port ToneLocal Impedance InputGain...

Page 844: ...e show port voice active Port Type Total Conference ID Party ID IP Address Transcoding ID 3 1 call 1 199 22 25 254 3 2 call 1 172 225 25 54 4 5 call 3 165 34 234 111 172 32 34 12 198 96 23 111 3 8 conferencing 2 1 1 255 255 255 241 2 173 23 13 42 3 198 97 123 98 5 182 34 54 26 2 1 199 22 25 25 3 182 34 54 2 6 121 43 23 43 3 2 call 1 172 225 25 54 3 8 transcoding 1 1 1 255 255 255 241 2 183 32 43 3...

Page 845: ...472377 Transmit packets 94540 Channel 3 display text omitted Console This example shows how to display a specific call at a specified IP address Console show port voice active 3 2 171 69 67 91 Remote IP address 171 69 67 91 Remote UDP port 125 Call state Ringing Codec Type G 711 Coder Type Rate 35243 Tx duration 438543 sec Voice Tx duration 34534 sec ACOM Level Current 123213 ERL Level 123 dB Fax ...

Page 846: ... the access port is marked with a configured Layer 2 CoS value The default Layer 2 CoS value is 0 Untrusted mode is the default when the phone is connected to a Cisco LAN switch Trusted mode means that all traffic received through the access port passes through the phone switch unchanged Trusted mode is the default when the phone is not connected to a Cisco LAN switch Traffic in frame types other ...

Page 847: ...nable Setting the Phone Access Port CoS Value To set the phone access port CoS value perform this task in privileged mode This example shows how to set the Layer 2 CoS value used by a phone access port in untrusted mode Console enable set port qos 2 1 cos ext 3 Port 2 1 qos cos ext set to 3 Console enable Verifying the Phone Access Port QoS Configuration To verify QoS configuration information per...

Page 848: ...44 32 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 Chapter 44 Configuring a VoIP Network Configuring VoIP on a Switch ...

Page 849: ...41 initializing 41 manual reauthentication 42 overview 7 returning to default values 45 setting automatic reauthentication 42 setting idle time 43 setting reauthentication manually 42 setting retransmission number 45 supplicant automatic reauthentication 42 manual reauthentication 42 transport layer packets setting retransmission time 45 8 port T1 E1 PSTN interface module configuring 25 descriptio...

Page 850: ...6 aliases creating for commands 5 IP creating 6 designating 6 AppleTalk configuring interVLAN routing 4 ARP configuring permanent and static entries 8 restricting ARP traffic using VACLs 26 ASLB cabling guidelines 7 configuration examples 19 configuring ASLB on the switch 7 configuring the LocalDirector interfaces 7 data forwarding 4 hardware and software requirements 1 Layer 2 operation 3 Layer 3...

Page 851: ... value 10 ignoring NVRAM 9 booting the MSFC for the first time 4 BOOTP and in band sc0 interface 9 Bootstrap Protocol See BOOTP BPDU skewing 38 overview 37 BPDU guard disabling 10 12 enabling 9 11 note 9 BPDU overview 2 Break key note 1 bridge ID and MAC addresses 13 bridge ID priority PVST 16 bridge protocol data units See BPDUs broadcast suppression 1 disabling 4 enabling 3 suppressing multicast...

Page 852: ...co IP Phone 7960 2 Cisco VG200 7 classless interdomain routing See CIDR clear boot system flash command 11 clearing the configuration 8 clearing VLAN mappings See VLANs clear mls entry command 27 26 clear mls entry ipx command 26 clear mls statistics command 28 CLI backing out one level 9 configuration mode 8 console configuration mode 9 getting list of commands 9 global configuration mode 9 inter...

Page 853: ... ignoring NVRAM at boot 9 overview 2 ROM monitor console port baud rate 6 setting 10 congestion avoidance See QoS congestion avoidance console configuration mode 9 console port accessing MSFC 4 downloading software images example PC download 19 example UNIX download 20 PC procedure 16 preparation 16 UNIX procedure 17 ROM monitor baud rate 6 SLIP and 7 system message logging settings 5 user session...

Page 854: ... default configuration 1 disabling 3 domain name clearing 3 setting 2 enabling 2 overview 1 server clearing 3 specifying 2 setting up 2 system name and 1 system prompt and 1 documentation related 29 document organization 27 domain name clearing 3 setting 2 Domain Name System See DNS dot1x disabling multiple hosts 43 EAP request frames setting retransmit time 44 enabling automatic reauthentication ...

Page 855: ... MSFC interfaces 14 enabling IP MMLS on MSFC interfaces 15 30 encapsulation type descriptions trunks table 2 environmental monitoring LED indications 16 SNMP traps 16 supervisor engine and switching modules 16 syslog messages 16 using CLI commands 16 environment variables See BOOT environment variables errdisable timeout configuring 9 error messages system message logging syslog 1 VMPS table 8 Eth...

Page 856: ...ash file system checksum 7 files copying 4 deleting 6 listing 3 restoring 7 setting default 2 formatting device 8 overview 1 setting configuration modes 2 Flash memory storing ACLs 42 Flash PC cards formatting 8 Flash synchronization examples 14 overview 3 flowcharts QoS 3 flow control 6 configuring 6 keywords table 6 flow masks CEF 10 destination ip 10 destination ipx 10 full flow 10 source desti...

Page 857: ...rmal 16 statistics clearing 19 viewing 19 timers 17 GVRP configuration guidelines 2 declarations from blocking ports 6 default configuration 2 disabling globally 9 on 802 1Q ports 8 enabling dynamic VLAN creation 4 globally 3 on 802 1Q ports 3 registration fixed 5 forbidden 6 normal 5 setting GARP timers 7 statistics clearing 8 viewing 8 timers 7 H high availability configuring 11 downloading diff...

Page 858: ...ew 1 4 RARP and 9 VLAN assignment 2 inferior BPDU BackboneFast and 4 interface configuration mode 9 interfaces in band sc0 4 5 2 SLIP sl0 4 7 Internet Group Management Protocol See IGMP interVLAN routing AppleTalk configuring 4 IP configuring 3 IPX configuring 3 overview 1 IOS bringing up interface 11 viewing and saving configuration 11 IOS ACLs 3 common uses for 9 features supported in PFC 10 sup...

Page 859: ... group information 10 groups clearing 22 configuring 10 21 joining 3 IGMP fast leave processing 12 IGMP snooping and 6 IGMP statistics 11 overview 1 router clearing ports 21 specifying port for 20 router information 10 router ports clearing 21 router ports and 20 routing table 17 31 IP permit list addresses adding 2 caution 4 clearing entries 4 default configuration 2 disabling 4 enabling 3 overvi...

Page 860: ...g table IP MMLS and 4 Layer 2 traceroute utility 9 Layer 3 switched packet rewrite CEF 2 MLS 2 Layer 3 switching CEF 2 MLS 1 Layer 4 port operations ACLs 20 leave processing IGMP disabling 12 enabling 9 load sharing on trunks 16 local authentication configuration guidelines 11 default configuration 10 disabling 15 enable password setting 15 enabling 14 login password setting 14 overview 2 password...

Page 861: ...splaying by IP source address 24 displaying by IPX destination address 23 displaying by specific flow 24 entries clearing 26 entries displaying IP multicast 36 entries displaying IP unicast 22 overview 5 size note 18 CAM entries displaying 20 clearing cache entries 26 statistics 28 configuration guidelines MTU 11 routing commands with IP MLS 12 configuration guidelines for IP MMLS MSFC 13 switches...

Page 862: ... threshold values for IP 19 restrictions 12 restrictions for IP MMLS MSFC 13 restrictions for IP MMLS switches 12 route processor note 29 routers enabling globally 14 multicast routing table displaying 17 PIM enabling 15 routing command restrictions 12 setting minimum flow mask 19 specifying aging time 17 specifying fast aging time 19 statistics clearing 28 displaying by protocol 27 displaying for...

Page 863: ...console command and 4 MSFC2 Catalyst 5000 support 1 configuring IP multicast 14 unicast Layer 3 switching 14 enabling IP multicast routing 14 multicast routing table displaying 17 PIM enabling on MSFC2 VLAN interfaces 15 MTU IP MLS and 11 IPX MLS and 14 multicast groups leaving 3 See IP multicast multicast suppression 2 5 Multilayer Switch Feature Card See MSFC or MSFC2 Multilayer Switching See ML...

Page 864: ...ring 3 disabling 8 client mode configuring 3 disabling 8 daylight saving time adjustment disabling 7 enabling 5 default configuration 2 disabling 8 overview 1 server clearing 7 specifying 3 time zone clearing 7 setting 5 NVRAM caution 9 ignoring content at boot 9 setting configuration modes 2 O out of profile See QoS out of profile P packet rewrite CEF 2 MLS and 2 packets bridged 7 multicast 8 rou...

Page 865: ... clearing 26 statistics specifying aging time 23 statistics aging time 23 table displaying entries 25 QoS policing rule 22 statistics 9 displaying for NetFlow table entries 26 phones Cisco IP Phone 7960 2 PIM 5 PIM IP MMLS and 29 PIM IP multicast and 15 ping command 13 executing 8 overview 7 testing connectivity 13 policy based forwarding see PBF policy decision point servers See COPS or RSVP PDP ...

Page 866: ...violation action specifying 6 shutdown time specifying 6 port status checking 2 power management determining system power requirements nine slot chassis 14 enabling disabling redundancy 11 overview 11 powering modules up or down 13 voice 15 10 private VLANs 13 community VLAN 14 configuration guidelines 15 configuring ACLs 26 creating 18 delete mapping 23 deleting 22 deleting isolated community or ...

Page 867: ...tions 18 QoS ACL 15 attaching 23 46 committing 45 creating 37 default 20 default IP 42 default IPX creating 44 default MAC creating 44 deleting named 44 detaching 46 discarding uncommitted 45 IP named 38 marking rules 21 modifying 37 named 16 names 37 policing rules 22 policing rules creating 34 policing rules deleting 36 reverting to default values 44 storing in Flash memory 42 QoS classification...

Page 868: ... set summary 8 QoS filtering 37 QoS final Layer 3 Switching Engine CoS and ToS values 24 QoS flowcharts 3 QoS internal DSCP values 15 QoS IP phone configuring 29 QoS IPX ACE 19 QoS labels definition 2 QoS Layer 2 Switching Engine classification and marking 6 24 feature summary 9 QoS Layer 3 Switching Engine classification marking and policing 5 14 feature summary 9 QoS MAC ACE Layer 2 20 QoS mappi...

Page 869: ...ed or port based 23 32 QoS WRED drop thresholds 49 R RADIUS accounting configuration guidelines 60 creating records 57 disabling 61 enabling 60 events 57 example configuration 63 overview 56 servers specifying 58 suppressing 59 updating the server 59 RADIUS authentication configuration guidelines 11 deadtime setting 28 default configuration 10 disabling 30 enabling 25 key clearing 29 key specifyin...

Page 870: ...ket types 5 RGMP capable router ports 24 RGMP related router commands 25 RGMP statistics displaying 23 statistics clearing 25 VLAN statistics displaying 23 RMON 1 enabling 2 overview 1 supported MIB objects 2 viewing data 2 ROM monitor BOOT environment variable and 3 boot process and 2 CLI 1 configuration register and 2 console port baud rate 6 root guard disabling 34 enabling 34 root switch impro...

Page 871: ...ommand 13 set power redundancy enable disable command 11 set spantree portcost command 17 26 set spantree portpri command 18 set spantree portvlancost command 19 set spantree priority command 16 25 shortcuts Layer 3 See MLS short keyword note 7 show cam command 20 show mls command 12 21 show mls debug command 28 show mls entry command 25 7 22 show mls entry ip destination command 23 show mls entry...

Page 872: ...visor 5 11 overview 2 preparation 2 9 supervisor 3 10 switching module 4 10 uploading preparation 8 15 rcp server 15 supervisor 9 15 supervisor engine 9 source destination ip flow mask 10 6 source destination vlan flow mask 10 6 SPAN caution 7 configuration guidelines 6 configuring from CLI 7 destination port 2 disabling 8 13 egress 3 hardware requirements 5 ingress 3 NMS and 1 overview 5 session ...

Page 873: ...r baud rate setting 6 setting 10 configuring 1 console port ROM monitor baud rate 6 SLIP and 7 default boot configuration 4 default configuration 5 default gateways 6 downloading software images 3 10 Flash file system See Flash file system IP address setting 5 management interfaces overview 1 sc0 in band configuring 5 sl0 SLIP configuring 7 preparing to configure 4 redundant configuration guidelin...

Page 874: ...tion 2 foreground execution 2 metric values table 2 overview 1 running 3 viewing 3 syslog buffer size setting 6 configuration displaying 9 configuring 4 daemon configuring 7 default configuration 4 logging levels setting 6 message format 3 message log displaying 10 overview 1 session settings setting 5 timestamp changing enable state 6 system clock setting 4 system contact setting 3 system image s...

Page 875: ... configuration guidelines 11 51 default configuration 10 51 directed request enabling and disabling 17 21 disabling 23 53 enabling 18 52 example configuration 48 55 key clearing 22 key specifying 19 login attempts allowed 20 overview 3 49 primary options and fallback options 50 servers clearing 22 servers specifying 17 timeout interval 19 TACACS authorization overview 49 TCP intercept with PFC 11 ...

Page 876: ...queues See QoS transmit queues TrBRF See VLANS Token Ring TrCRF See VLANS Token Ring Trivial File Transfer Protocol See TFTP troubleshooting system message logging and 1 VMPS 8 trunks 802 1Q configuring 6 negotiating 7 restrictions 4 allowed VLANs 7 autonegotiation 2 configuring 802 1Q trunk 6 ISL 802 1Q negotiating trunk port 7 ISL trunk 5 default configuration 5 defining allowed VLANs 7 disablin...

Page 877: ...XEC mode 9 user sessions disconnecting 6 monitoring 6 V VACLs 3 ACEs overview 4 applying on bridged packets 7 multicast packets 8 routed packets 7 capturing traffic flows 38 common uses for 22 configuration figure 23 guidelines 28 summary 29 configuration guidelines 28 configuring 28 configuring for policy based forwarding 46 configuring on private VLANs 26 denying access to a server on another VL...

Page 878: ... 9 mapping VLANs to VLANs 9 MISTP VLAN conflicts See MISTP native 802 1Q and 4 normal range 2 5 private See private VLANs protocol filtering and 1 reserved range 2 sc0 in band interface assignment 2 Token Ring 24 trunks See trunks VTP domain and 1 VLAN Trunk Protocol See VTP VLSM static routes and 7 VMPS administering 6 configuring 5 database creating 4 downloading 7 example configuration file 9 d...

Page 879: ...advertisements 2 caution 5 client configuring 6 configuration guidelines 5 configuring client 6 server 6 default configuration 5 disabling 7 domains 2 modes client 2 server 2 transparent 2 monitoring 10 overview 1 pruning configuring 9 disabling 10 figure 4 overview 3 server configuring 6 statistics 10 transparent mode configuring 7 version 2 disabling 9 enabling 8 overview 3 VLANs and 1 VTP pruni...

Page 880: ...Index IN 32 Catalyst 6000 Family Software Configuration Guide Releases 6 3 and 6 4 78 13315 02 ...

Reviews:

No comments

Related manuals for WS-X6148-FE-SFP= - Classic Interface Module Switch

H3C s5800 series Quick Start Manual preview
s5800 series
Brand: H3C Pages: 33
H3C S5500-SI Series Operation Manual preview
S5500-SI Series
Brand: H3C Pages: 1217
3Com MSR 50 Series Configuration Manual preview
MSR 50 Series
Brand: 3Com Pages: 2443
H3C SR6600 Series Installation Manual preview
SR6600 Series
Brand: H3C Pages: 3
H3C SR6616 Installation, Quick Start preview
SR6616
Brand: H3C Pages: 4
ICP DAS USA ZT-2510 Series Quick Start Manual preview
ZT-2510 Series
Brand: ICP DAS USA Pages: 8
Clavister NetWall W20A Getting Started Manual preview
NetWall W20A
Brand: Clavister Pages: 89
Allied Telesis AT-9424Ts/XP AC Datasheet preview
AT-9424Ts/XP AC
Brand: Allied Telesis Pages: 3
KEMP Technologies LoadMaster 1500 Installation And Configuration Manual preview
LoadMaster 1500
Brand: KEMP Technologies Pages: 71
Winext GW5000A Manual preview
GW5000A
Brand: Winext Pages: 37
Renesas Compact Emulator M30620T-CPE User Manual preview
Compact Emulator M30620T-CPE
Brand: Renesas Pages: 52
Dazzle Hollywood DV-Bridge User Manual preview
Hollywood DV-Bridge
Brand: Dazzle Pages: 63
Roland Super Sound Set SR-JV80-07 Owner'S Manual preview
Super Sound Set SR-JV80-07
Brand: Roland Pages: 8
Schrack Technik HSERG245GS Instruction Sheet preview
HSERG245GS
Brand: Schrack Technik Pages: 2
ProCurve J8454A Quick Start Manual preview
J8454A
Brand: ProCurve Pages: 2
EK EK-Quantum Momentum ROG Rampage VI Encore User Manual preview
EK-Quantum Momentum ROG Rampage VI Encore
Brand: EK Pages: 11
StarTech.com ST1000SMPEX Instruction Manual preview
ST1000SMPEX
Brand: StarTech.com Pages: 9
Nakayo NYC-16VDSL-B Instruction & Installation Manual preview
NYC-16VDSL-B
Brand: Nakayo Pages: 119

Brands by name

Popular brands

Load more brands