Cisco WS-C6506 Software Manual

Catalyst 6500 series switch

Catalyst 6500 Series Switch
Software Configuration Guide
Software Release 8.7
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-8978-04

Summary of Contents for Cisco WS-C6506

  • Page 2 OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
  • Page 3: Table Of Contents

    CHAPTER Catalyst Command-Line Interface ROM-Monitor Command-Line Interface Switch Command-Line Interface MSFC Command-Line Interface Cisco IOS Command Modes Cisco IOS Command-Line Interface 2-10 Configuring the Switch IP Address and Default Gateway CHAPTER...
  • Page 4 Contents Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching CHAPTER Understanding How Ethernet Works Switching Frames Between Segments Building the Address Table Understanding Port Negotiation Default Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Configuration Setting the Port Configuration Configuring Supervisor Engine 720 Ports Setting the Port Name...
  • Page 5 Contents Specifying a Custom 802.1Q EtherType Field 5-12 Returning a Custom 802.1Q EtherType Field to the Standard EtherType 5-13 Example VLAN Trunk Configurations 5-14 ISL Trunk Configuration Example 5-14 ISL Trunk Over EtherChannel Link Example 5-15 802.1Q Trunk Over EtherChannel Link Example 5-18 Load-Sharing VLAN Traffic Over Parallel Trunks Example 5-22...
  • Page 6 Contents Specifying the Channel Path Cost 6-18 Specifying the Channel VLAN Cost 6-18 Configuring Channel Load Balancing 6-18 Clearing the LACP Statistics 6-18 Displaying EtherChannel Traffic Utilization 6-19 Displaying the Outgoing Ports for a Specified Address or Layer 4 Port Number 6-19 Disabling an EtherChannel 6-19...
  • Page 7 Contents Default PVST+ Configuration 7-26 Setting the PVST+ Bridge ID Priority 7-27 Configuring the PVST+ Port Cost 7-28 Configuring the PVST+ Port Priority 7-29 Configuring the PVST+ Default Port Cost Mode 7-29 Configuring the PVST+ Port Cost for a VLAN 7-31 Configuring the PVST+ Port Priority for a VLAN 7-31...
  • Page 8 Contents Disabling Global Support for 802.1Q Tunneling Understanding How Layer 2 Protocol Tunneling Works Layer 2 Protocol Tunneling Configuration Guidelines Configuring Layer 2 Protocol Tunneling on the Switch Specifying a Layer 2 Protocol Configuring Layer 2 Protocol Tunneling on Trunk Ports Layer 2 Protocol Tunneling on Trunks Example Specifying Drop and Shutdown Thresholds on Layer 2 Protocol Tunneling Ports 8-10...
  • Page 9 Contents Disabling Loop Guard 9-20 Configuring VTP 10-1 CHAPTER Understanding How VTP Version 1 and Version 2 Work 10-1 Understanding the VTP Domain 10-2 Understanding VTP Modes 10-2 Understanding VTP Advertisements 10-3 Understanding VTP Version 2 10-3 Understanding VTP Pruning 10-4...
  • Page 10 Contents Configurable VLAN Parameters 11-3 Default VLAN Configuration 11-3 Configuring VLANs on the Switch 11-4 Normal-Range VLAN Configuration Guidelines 11-5 Creating Normal-Range VLANs 11-5 Modifying Normal-Range VLANs 11-6 Configuring Extended-Range VLANs on the Switch 11-6 Extended-Range VLAN Configuration Guidelines 11-6 Creating Extended-Range VLANs 11-7 Mapping VLANs to VLANs...
  • Page 11 Contents Creating or Modifying a Token Ring TrCRF VLAN 11-35 Configuring VLANs for the Firewall Services Module 11-37 Configuring InterVLAN Routing 12-1 CHAPTER Understanding How InterVLAN Routing Works 12-1 Configuring InterVLAN Routing on the MSFC 12-2 MSFC Routing Configuration Guidelines 12-2...
  • Page 12 Using Cisco IOS ACLs in your Network 15-9 Hardware and Software Handling of Cisco IOS ACLs with PFC 15-10 Hardware and Software Handling of Cisco IOS ACLs with PFC2 and PFC3A/PFC3B/PFC3BXL 15-13 Using VACLs with Cisco IOS ACLs 15-17 Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface Guidelines...
  • Page 13 Contents Dynamic ARP Inspection 15-39 Configuring ACLs on Private VLANs 15-43 Capturing Traffic Flows 15-43 Unsupported Features 15-44 Configuring VACLs 15-44 VACL Configuration Guidelines 15-45 VACL Configuration Summary 15-46 Configuring VACLs from the CLI 15-46 Configuring MAC-Based ACL Lookups for All Packet Types 15-61 Overview of MAC-Based ACLs 15-61...
  • Page 14 Contents Downloadable ACLs 15-116 Configuring a Downloaded ACL for dot1x 15-117 Configuring a Downloaded ACL for Dot1x for an IP Phone 15-119 Creating a Placeholder for a Downloaded ACL 15-120 Creating a Placeholder for an IP Phone 15-121 Displaying Downloaded ACL Information 15-121 Configuring NDE 16-1...
  • Page 15 Contents Enabling GVRP Globally 17-3 Enabling GVRP on Individual 802.1Q Trunk Ports 17-3 Enabling GVRP Dynamic VLAN Creation 17-4 Configuring GVRP Registration 17-5 Configuring GVRP VLAN Declarations from Blocking Ports 17-6 Setting the GARP Timers 17-7 Displaying GVRP Statistics 17-8 Clearing GVRP Statistics 17-8 Disabling GVRP on Individual 802.1Q Trunk Ports...
  • Page 16 Contents Configuring VMPS 19-5 Configuring Dynamic Ports on VMPS Clients 19-5 Administering and Monitoring VMPS 19-6 Configuring Static VLAN Port Membership 19-7 Backing up the VMPS Configuration File 19-8 Troubleshooting VMPS and Dynamic Port VLAN Membership 19-9 Troubleshooting VMPS 19-9 Troubleshooting Dynamic Port VLAN Membership 19-10 Dynamic Port VLAN Membership with VMPS Configuration Examples...
  • Page 17 Contents Using IP Traceroute 20-18 Understanding How IP Traceroute Works 20-18 Executing IP Traceroute 20-19 Using System Warnings on Port Counters 20-19 Executing System Warnings on Port Counters 20-20 Executing Hardware Level Warnings on Port Counters 20-23 Executing Spanning-Tree Warnings on Port Counters 20-23 Configuring Packet-Buffer Error Handling 20-24...
  • Page 18 Creating a Login Banner on the Switch 22-4 Configuring a Login Banner 22-5 Clearing a Login Banner 22-5 Displaying or Suppressing the “Cisco Systems Console” Telnet Login Banner on the Switch 22-5 Defining Command Aliases on the Switch 22-6 Defining IP Aliases on the Switch 22-7...
  • Page 19 Contents Generating a System Status Report 22-17 Using System Dump Files 22-17 Using System Crash-Info Files 22-19 Logging System Information to a TFTP or rcp Server 22-20 Enabling System Information Logging 22-20 Specifying show Commands for System Information Logging 22-21 Specifying How Often System Information Logging Occurs 22-22 Specifying the Filename and Server for System Information Logging...
  • Page 20 Contents Verifying CEF NSF 24-7 Configuring BGP NSF 24-8 Verifying BGP NSF 24-8 Configuring OSPF NSF 24-9 Verifying OSPF NSF 24-10 Configuring IS-IS NSF 24-10 Verifying IS-IS NSF 24-11 Displaying Redundancy-Related Information 24-13 Performing an MSFC Switchover 24-13 Performing an MSFC Software Reload 24-13 Using Redundancy-Related Debug Commands 24-13...
  • Page 21 Contents Working With the Flash File System 26-1 CHAPTER Understanding How the Flash File System Works 26-1 Working with the Flash File System on the Switch 26-2 Setting the Default Flash Device 26-2 Setting the Text File Configuration Mode 26-2 Setting the Text File Configuration Mode to Auto-Save 26-3...
  • Page 22 Contents Preparing to Download an Image Using SCP 27-23 Downloading the Crypto Images Using SCP 27-23 Example SCP Download Procedure 27-24 Uploading the Crypto Images to an SCP Server 27-25 Preparing to Upload an Image to an SCP Server 27-25 Uploading the Crypto Images to an SCP Server 27-26 Downloading the Crypto Images Using SFTP...
  • Page 23 Contents System Log Message Format 29-3 Default System Message Logging Configuration 29-4 Configuring the System Message Logging on the Switch 29-5 Enabling and Disabling the Session Logging Settings 29-5 Setting the System Message Logging Levels 29-6 Enabling and Disabling the Logging Time-Stamp Enable State 29-7 Setting the Logging Buffer Size 29-7...
  • Page 24 Contents Default UDLD Configuration 32-2 Configuring UDLD on the Switch 32-3 Enabling UDLD Globally 32-3 Enabling UDLD on Individual Ports 32-3 Disabling UDLD on Individual Ports 32-4 Disabling UDLD Globally 32-4 Specifying the UDLD Message Interval 32-4 Enabling UDLD Aggressive Mode 32-5 Displaying the UDLD Configuration 32-5...
  • Page 25 Contents Setting the Time Zone 34-5 Enabling the Daylight Saving Time Adjustment 34-6 Disabling the Daylight Saving Time Adjustment 34-7 Clearing the Time Zone 34-7 Clearing NTP Servers 34-8 Disabling NTP 34-8 Configuring Broadcast Suppression 35-1 CHAPTER Understanding How Broadcast Suppression Works 35-1 Configuring Broadcast Suppression on the Switch...
  • Page 26 Contents Enabling Port Security 38-4 Setting the Maximum Number of Secure MAC Addresses 38-5 Automatically Configuring Dynamically Learned MAC Addresses 38-6 Setting the Port Security Age Time 38-7 Setting the Port Security Aging Type 38-8 Clearing the MAC Addresses 38-8 Configuring Unicast Flood Blocking on the Secure Ports 38-9 Specifying the Security Violation Action...
  • Page 27 Contents Configuring Kerberos Authentication 39-33 Authentication Example 39-43 Understanding How Authorization Works 39-44 Authorization Overview 39-44 Authorization Events 39-45 TACACS+ Primary Options and Fallback Options 39-45 TACACS+ Command Authorization 39-45 RADIUS Authorization 39-46 Configuring Authorization on the Switch 39-46 TACACS+ Authorization Default Configuration 39-46 TACACS+ Authorization Configuration Guidelines 39-47...
  • Page 28 Contents Understanding How 802.1X Authentication with Port Security Works 40-10 Understanding How 802.1X Authentication with ARP Traffic Inspection Works 40-11 Default Authentication Configuration 40-11 Authentication Configuration Guidelines 40-12 Configuring 802.1X Authentication on the Switch 40-13 Enabling 802.1X Authentication Globally 40-14 Disabling 802.1X Authentication Globally 40-14 Enabling 802.1X Authentication for Individual Ports...
  • Page 29 Configuring Agentless Hosts for NAC Auditing with MAB 41-14 NAC Agentless Hosts Auditing Overview 41-14 Configuring the Switch 41-14 Configuring the Cisco Secure ACS Server 41-15 Installing and Configuring the NAC Audit Server 41-16 Displaying the Agentless Host Posture Tokens 41-16...
  • Page 30 Contents Multiple Hosts Per Port 42-6 High Availability 42-6 Host State 42-6 Interaction with Other Features 42-7 Default Web-Based Proxy Authentication Configuration 42-8 Web-Based Authentication Guidelines and Restrictions 42-8 Configuring Web-Based Proxy Authentication 42-9 Enabling or Disabling Web-Based Proxy Authentication Globally 42-10 Enabling or Disabling Web-Based Proxy Authentication on a Port 42-10...
  • Page 31 Contents LAN Port IP Enhancements in Software Release 8.6(1) and Later Releases 44-32 Configuring Network Admission Control with LAN Port 802.1X 44-34 Understanding How Network Admission Control with LAN Port 802.1X Works 44-34 LAN Port 802.1X Enhancements in Software Release 8.6(1) and Later Releases 44-36 Configuring Unicast Flood Blocking 45-1...
  • Page 32 Contents SNMPv1 and SNMPv2c Default Configuration 47-11 Configuring SNMPv1 and SNMPv2c from an NMS 47-11 Configuring SNMPv1 and SNMPv2c from the CLI 47-11 SNMPv1 and SNMPv2c Enhancements in Software Release 7.5(1) 47-12 Setting Multiple SNMP Community Strings 47-13 Clearing the SNMP Community Strings 47-14 Specifying the Access Numbers for Hosts 47-14...
  • Page 33 Contents Configuring RSPAN on the Switch 49-10 RSPAN Hardware Requirements 49-10 Understanding How RSPAN Works 49-10 RSPAN Configuration Guidelines 49-11 Configuring RSPAN 49-12 RSPAN Configuration Examples 49-15 Configuring the Mini Protocol Analyzer on the Switch 49-19 Mini Protocol Analyzer Hardware Requirements 49-19 Understanding How the Mini Protocol Analyzer Works 49-19...
  • Page 34 Contents Enabling IGMP Version 3 Fast-Block Processing 51-15 Enabling IGMP Rate Limiting 51-15 Enabling the IGMP Querier 51-16 Displaying Multicast Router Information 51-17 Displaying Multicast Group Information 51-18 Displaying IGMP Snooping Statistics 51-18 Disabling IGMP Fast-Leave Processing 51-19 Disabling IGMP Snooping 51-19 Configuring GMRP on the Switch 51-20...
  • Page 35 Contents Configuring QoS 52-1 CHAPTER Understanding How QoS Works 52-1 QoS Terminology 52-2 Flowcharts 52-3 QoS Feature Set Summary 52-10 Ethernet Ingress Port Marking, Scheduling, Congestion Avoidance, and Classification 52-12 Classification, Marking, and Policing with a Layer 3 Switching Engine 52-15 Classification and Marking on a Supervisor Engine 1 with a Layer 2 Switching Engine 52-28...
  • Page 36 Understanding How Automatic QoS Works 53-1 QoS Overview 53-2 Typical CoS and DSCP Values for Voice and Video Networks 53-2 QoS Scenario—Cisco IP Phone 53-3 QoS Scenario—Cisco SoftPhone 53-3 Using the Automatic QoS Macro on the Switch 53-3 Automatic QoS Overview...
  • Page 37 Configuring the Auxiliary VLANs on Catalyst LAN Switches 55-20 Configuring the Access Gateways 55-23 Displaying the Active Call Information 55-29 Configuring QoS in the Cisco IP Phone 7960 55-31 Configuring a Trusted Boundary to Ensure Port Security 55-33 Using SmartPorts 55-38...
  • Page 38 Contents Configuring the MSFC Cisco IOS Features 56-1 CHAPTER IP-in-IP Tunneling 56-1 IP-in-IP Configuration Guidelines 56-2 WCCP 56-2 Acronyms APPENDIX Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7...
  • Page 39: Chapter 1 Product Overview

    Preface Revised: OL-8978-04 This preface describes who should read the Catalyst 6500 Series Switch Software Configuration Guide, how it is organized, and its document conventions. Audience This publication is for experienced network administrators who are responsible for configuring and maintaining Catalyst 6500 series switches. Organization Note: This publication includes the information that previously was in the Catalyst 6000 Family Multilayer...
  • Page 40: Chapter 10 Configuring VTP

    Configuring InterVLAN Routing Describes how to configure interVLAN routing on the MSFC. Chapter 13 Configuring CEF for PFC2 and PFC3A Describes how to configure Cisco Express Forwarding for Policy Feature Card 2 (CEF for PFC2). Chapter 14 Configuring MLS Describes how to configure Multilayer Switching (MLS).
  • Page 41: Appendix A Acronyms

    Describes how to configure a Voice-over-IP (VoIP) network. Chapter 56 Configuring the MSFC Cisco IOS Features Describes how Cisco IOS features that are used with the Catalyst operating system provide feature functionality and parity between these operating systems. Appendix A Acronyms Lists the acronyms used in this publication.
  • Page 42: Related Documentation

    Release Notes for Catalyst 6500 Series Switch Software Release 7.x
    • Cisco IOS Configuration Guides and Command References—Use these publications to help you configure the Cisco IOS software that runs on the MSFC, MSM, and ATM modules.
    For information about MIBs, refer to this URL:
    • ...
  • Page 43: Obtaining Documentation And Submitting A Service Request

    Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 45: Product Overview

    Note: This publication includes the information that previously was in the Catalyst 6000 Family Multilayer Switch Feature Card (12.x) and Policy Feature Card Configuration Guide. For the complete descriptions of all Cisco IOS commands that are used in this publication, refer to the Catalyst 6500 Series Switch Cisco IOS Command Reference at this URL: http://www.cisco.com/en/US/products/hw/switches/ps708/prod_command_reference_list.html...
  • Page 47: Catalyst Command-Line Interface

    For descriptions of all switch and ROM monitor commands, refer to the Catalyst 6500 Series Switch Command Reference publication. Note: For a description of the ATM Cisco IOS CLI and commands, refer to the ATM Software Configuration Guide and Command Reference—Catalyst 5000 Family and 6000 Family Switches publication.
  • Page 48: Switch Command-Line Interface

    Chapter 2 Command-Line Interfaces Catalyst Command-Line Interface To access the ROM monitor through a terminal server, you can escape to the Telnet prompt and enter the send break command for your terminal emulation program to break into ROM-monitor mode. Once you are in ROM-monitor mode, the prompt changes to rommon>. Use the ? command to see the available ROM-monitor commands.
  • Page 49 Chapter 2 Command-Line Interfaces Catalyst Command-Line Interface After accessing the switch through the console port, you see this display: Cisco Systems Console Enter password: Console> Accessing the CLI through Telnet Before you can open a Telnet session to the switch, you must first set the IP address for the switch. For information about setting the IP address, see the “Assigning the In-Band (sc0 and sc1) Interface IP...
  • Page 50 Note: If no module number is specified, the console will switch to the MSFC on the active supervisor engine. Note: To access the Cisco IOS CLI on the standby MSFC, connect to the console port of the standby supervisor engine.
  • Page 51 Chapter 2 Command-Line Interfaces Catalyst Command-Line Interface Working With the Command-Line Interface These sections describe how to work with the switch CLI:
    • Switch CLI Command Modes, page 2-5
    • Designating Modules, Ports, and VLANs on the Command Line, page 2-5
    • ...
  • Page 52 Chapter 2 Command-Line Interfaces Catalyst Command-Line Interface Table 2-1 Designating Ports and Port Ranges (Example: Function)
    • Specifies port 1 on module 2.
    • 3/4-8: Specifies ports 4, 5, 6, 7, and 8 on module 3.
    • 5/2,5/4,6/10: Specifies ports 2 and 4 on module 5 and port 10 on module 6.
    • Specifies ports 1 and 2 on module 3 and port 8 on module 4.
  • Page 53 Chapter 2 Command-Line Interfaces Catalyst Command-Line Interface Table 2-3 Command-Line Editing Keyboard Shortcuts (Keystroke: Function)
    • Ctrl-A: Jumps to the first character of the command line.
    • Ctrl-B or the left arrow key: Moves the cursor back one character.
    • Ctrl-C: Escapes and terminates prompts and tasks.
    • Ctrl-D: Deletes the character at the cursor.
  • Page 54: MSFC Command-Line Interface

    To get a list of the commands in a given mode, type a question mark (?) at the system prompt. For more information, see the “Getting a List of Cisco IOS Commands and Syntax”...
  • Page 55 The Cisco IOS command interpreter, called the EXEC, interprets and executes the commands that you enter. You can abbreviate commands and keywords by entering just enough characters to make the command unique from other commands. For example, you can abbreviate the show command to sh and the configure terminal command to config t.
  • Page 56: Cisco IOS Command-Line Interface

    Press Ctrl-Z in any mode to return to privileged EXEC mode. Enter exit to return to the previous mode. Cisco IOS Command-Line Interface These sections describe basic Cisco IOS configuration tasks that you need to understand before you configure routing:
    • Accessing Cisco IOS Configuration Mode, page 2-10
    • ...
  • Page 57 (Refer to the appropriate configuration tasks later in this chapter.) routing. Step 5 Exit configuration mode: Router(config)# Ctrl-Z. Viewing and Saving the Cisco IOS Configuration To view and save the configuration after you make changes, perform this task (Task: Command): Step 1...
  • Page 59: Understanding How The Switch Management Interfaces Work

    The in-band (sc0 and sc1) management interfaces are connected to the switching fabric and participate in all of the functions of a normal switch port, such as spanning tree, Cisco Discovery Protocol (CDP), VLAN membership, and so forth. The out-of-band management interface (sl0) is not connected to the switching fabric and does not participate in any of these functions.
  • Page 60: Understanding How Automatic IP Configuration Works

    Chapter 3 Configuring the Switch IP Address and Default Gateway Understanding How Automatic IP Configuration Works When you configure the IP address, subnet mask, broadcast address, and VLAN membership of the sc0 and sc1 interfaces, you can access the switch through Telnet or Simple Network Management Protocol (SNMP).
  • Page 61: Understanding DHCP

    Chapter 3 Configuring the Switch IP Address and Default Gateway Understanding How Automatic IP Configuration Works Understanding DHCP There are three methods for obtaining an IP address from the DHCP server: • Manual allocation—The network administrator maps the switch MAC address to an IP address at the DHCP server.
  • Page 62: Understanding BOOTP and RARP

    Two Multilayer Switch Feature Card (MSFC) images are provided on the MSFC bootflash: a boot loader image and a system image. The boot loader image is a limited function system image that has network interface code and end-host protocol code. The system image is the main Cisco IOS software image with full multiprotocol routing support.
  • Page 63: Booting From A Melody Compact Flash Adapter Card

    Chapter 3 Configuring the Switch IP Address and Default Gateway Booting from a Melody Compact Flash Adapter Card Note: Before you use a system image that is stored on the supervisor engine Flash PC card, set the BOOTLDR environment variable. In privileged mode, enter the boot bootldr bootflash:boot_loader_image command.
  • Page 64: Default Ip Address And Default Gateway Configuration

    Chapter 3 Configuring the Switch IP Address and Default Gateway Default IP Address and Default Gateway Configuration
    • Standby and active supervisor engines must have the same file system. If the standby supervisor engine has a different file system, it is moved into ROMMON with syslog and nvlog messages when it becomes active.
  • Page 65: Assigning the In-Band (sc0 and sc1) Interface IP Address

    Chapter 3 Configuring the Switch IP Address and Default Gateway Assigning the In-Band (sc0 and sc1) Interface IP Address Assigning the In-Band (sc0 and sc1) Interface IP Address Before you can use Telnet to access the switch or use SNMP to manage the switch, you must assign an IP address to one of the in-band (sc0 or sc1) logical interfaces.
  • Page 66: Configuring The Default Gateways

    Chapter 3 Configuring the Switch IP Address and Default Gateway Configuring the Default Gateways vlan 0 inet 0.0.0.0 netmask 0.0.0.0 broadcast 0.0.0.0 Console> (enable) Configuring the Default Gateways The supervisor engine sends IP packets that are destined for other IP subnets to the default gateway (typically, a router interface in the same network or subnet as the switch IP address).
  • Page 67: Configuring the SLIP (sl0) Interface on the Console Port

    Chapter 3 Configuring the Switch IP Address and Default Gateway Configuring the SLIP (sl0) Interface on the Console Port Console> (enable) set ip route default 10.1.1.10 Route added. Console> (enable) set ip route default 10.1.1.20 Route added. Console> (enable) set ip route default 10.1.1.1 primary Route added.
  • Page 68: Using BOOTP, DHCP, or RARP to Obtain an IP Address

    This example shows how to configure SLIP on the console port and verify the configuration: sparc20% telnet 172.20.52.38 Trying 172.20.52.38 ... Connected to 172.20.52.38. Escape character is '^]'. Cisco Systems, Inc. Console Enter password: Console> enable Enter password: Console> (enable) set interface sl0 10.1.1.1 10.1.1.2 Interface sl0 slip and destination address set.
  • Page 69: Renewing and Releasing a DHCP-Assigned IP Address

    Chapter 3 Configuring the Switch IP Address and Default Gateway Renewing and Releasing a DHCP-Assigned IP Address (Task: Command)
    • Step 5 Reset the switch. The switch broadcasts DHCP and RARP requests only when the switch boots: reset system
    • Step 6 When the switch reboots, confirm that the sc0 interface IP address, subnet mask, and broadcast... : show interface
  • Page 70 Chapter 3 Configuring the Switch IP Address and Default Gateway Renewing and Releasing a DHCP-Assigned IP Address <...output truncated...> This example shows how to release the lease on a DHCP-assigned IP address: Console> (enable) set interface sc0 dhcp release Releasing IP address... Console>...
  • Page 71: Chapter 4 Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, And 10-Gigabit Ethernet Switching

    CHAPTER Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching This chapter describes how to use the command-line interface (CLI) to configure Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet switching on the Catalyst 6500 series switches. The configuration tasks in this chapter apply to Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet switching modules, as well as to the uplink ports on the supervisor engine.
  • Page 72: Switching Frames Between Segments

    Chapter 4 Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching Understanding How Ethernet Works These sections describe Ethernet:
    • Switching Frames Between Segments, page 4-2
    • Building the Address Table, page 4-2
    • Understanding Port Negotiation, page 4-2
    Switching Frames Between Segments Each Ethernet port on a Catalyst 6500 series switch can connect to a single workstation or server or to a hub through which workstations or servers connect to the network.
  • Page 73: Default Ethernet, Fast Ethernet, Gigabit Ethernet, And 10-Gigabit Ethernet Configuration

    Chapter 4 Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching Default Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Configuration Note: Port negotiation does not involve negotiating port speed. You cannot disable port negotiation with the set port speed command. Port negotiation exchanges flow-control parameters, remote fault information, and duplex information.
  • Page 74: Setting The Port Configuration

    Chapter 4 Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching Setting the Port Configuration Table 4-2 Ethernet Default Configuration (continued) (Feature: Default Value) Duplex mode:
    • Half duplex for 10-Mbps Ethernet ports
    • Autonegotiate speed and duplex for 10/100-Mbps Fast Ethernet
    • ...
  • Page 75: Configuring Supervisor Engine 720 Ports

    Supervisor Engine 720, port 1 has a small form-factor pluggable (SFP) connector and no unique configuration options. Note: Cisco WS-X6408A-GBIC, which is an 8-port Gigabit Ethernet interface module for the Catalyst 6500 Series switches, is supported on Supervisor Engine 720.
  • Page 76: Setting The Port Speed

    Chapter 4 Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching Setting the Port Configuration Console> (enable) show port 1 Port Name Status Vlan Duplex Speed Type ----- ------------------ ---------- ---------- ------ ----- ------------ Router Connection connected trunk full 1000 1000BaseSX Server Link connected...
  • Page 77: Enabling or Disabling Auto-MDI/MDIX

    Chapter 4 Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching Setting the Port Configuration Note: If the port speed is set to auto on a 10/100-Mbps Ethernet port, both speed and duplex are autonegotiated. You cannot change the duplex mode of autonegotiation ports. To set the duplex mode of a port, perform this task in privileged mode (Task: Command)...
  • Page 78: Configuring IEEE 802.3x Flow Control

    Chapter 4 Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching Setting the Port Configuration With software release 8.3(1) and later releases, the set port auto-mdix mod/port {enable | disable} command is introduced to disable auto-MDI/MDIX on all the modules that currently have this feature enabled by default.
  • Page 79: Enabling And Disabling Port Negotiation

    Chapter 4 Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching Setting the Port Configuration Console> (enable) set port flowcontrol 3/1 receive on Port 3/1 will require far end to send flow control Console> (enable) show port flowcontrol Port Send-Flowcontrol Receive-Flowcntl RxPause...
  • Page 80: Setting The Port Debounce Timer

    Chapter 4 Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching Setting the Port Configuration When you enter the clear config all command or in the event of a configuration loss, all ports collapse into VLAN 1. This situation might cause a security and network instability problem. Entering the set default portstatus command puts all ports into a disable state and blocks the traffic flowing through the ports during a configuration loss.
  • Page 81: Modifying The Port Debounce Timer Setting

    Chapter 4 Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching Setting the Port Configuration Table 4-4 Port Debounce Timer Delay Time (continued) (Port Type: Debounce Timer Disabled / Debounce Timer Enabled)
    • Fiber Gigabit Ethernet ports: 10 milliseconds / 100 milliseconds
    • 10-Gigabit Ethernet ports: 10 milliseconds / 100 milliseconds
    ...
  • Page 82: Configuring a Timeout Period for Ports in errdisable State

    Chapter 4 Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching Setting the Port Configuration This example shows how to modify the port debounce timer setting on port 2/1: Console> (enable) set port debounce 2/1 delay 500 Debounce time for port 2/1 set to 500 ms. Warning:Enabling port debounce causes Link Up/Down detections to be delayed.
  • Page 83 Chapter 4 Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching Setting the Port Configuration
    • UDLD
    • Other (reasons other than the above)
    • All (apply errdisable timeout for all of the above reasons)
    You can enable or disable errdisable timeout for each of the above listed reasons. If you specify “other,” all ports that are errdisabled by causes other than the reasons listed are enabled for errdisable timeout.
  • Page 84: Configuring Automatic Module Shutdown

    Chapter 4 Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching Setting the Port Configuration This example shows how to display the errdisable timeout configuration: Console> (enable) show errdisable-timeout ErrDisable Reason Timeout Status --------------------------------------- -------------- arp-inspection enable bcast-suppression enable bpdu-guard enable cam-monitor...
  • Page 85 Chapter 4 Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching Setting the Port Configuration When the frequency threshold is reached and occurs within the defined period, the Ethernet module automatically shuts down and this sample syslog message is displayed: %SYS-5-MOD_AUTOSHUT: Module 2 shutdown automatically, reset 4 times in last 5 minutes due to inband failure When the frequency threshold is reached and occurs outside the defined period, the module does not...
  • Page 86: Configuring Port Error Detection

    This example shows how to enable an automatic module shutdown on a module:
    Console> (enable) set module autoshut enable 2
    This example shows how to disable an automatic module shutdown on a module:
    Console>...
  • Page 87: Configuring Redundant Flex Links

    This example shows how to enable RXCRC port error detection on port 3/1:
    Console> (enable) set port errordetection 3/1 rxcrc enable
    Port(s) 3/1 set to errordetection rxcrc enable.
    Console>...
  • Page 88

    • Redundant flex links are for simple access topologies (two uplinks from a leaf node). You need to make sure that there is a loop-free path from the wiring closet to the access network. Unlike STP, the flex-link port is not designed to detect loops.
  • Page 89: Configuring Jumbo Frames

    This example shows how to clear port 3/48 as the flex-link active port and port 3/47 as the flex-link backup (peer) port:
    Console> (enable) clear port flexlink 3/48 peer 3/47
    Port 3/48 and 3/47 flexlink pair cleared
    Console>...
  • Page 90

    • The Multilayer Switching Feature Card 2 (MSFC2) supports jumbo frame routing with Cisco IOS Release 12.1(2)E and later releases.
    • The Multilayer Switching Feature Card (MSFC) and the Multilayer Switch Module (MSM) do not...
  • Page 91: Checking Connectivity

    To configure the MTU value, perform this task:
    Step 1  Access VLAN interface configuration mode.  Command: Router(config)# interface vlan vlan_ID
    Step 2  Set the MTU size. The valid values are from 64 to 17952 bytes.  Command: Router(config-if)# mtu mtu_size
    Step 3...
  • Page 93: Understanding How Vlan Trunks Work

    Trunks carry the traffic of multiple VLANs over a single link and allow you to extend VLANs across an entire network. Two trunking encapsulations are available on all Ethernet ports:
    • Inter-Switch Link (ISL)—ISL is a Cisco-proprietary trunking encapsulation
    • IEEE 802.1Q—802.1Q is an industry-standard trunking encapsulation
    •...
  • Page 94: Trunking Modes And Encapsulation Type

    Note: For a complete list of modules that do not support ISL encapsulation, refer to the Catalyst 6500 Series Release Notes at this URL: http://www.cisco.com/en/US/products/hw/switches/ps708/prod_release_notes_list.html
    Table 5-1 lists the trunking modes that are used with the set trunk command and describes how they function on Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet ports.
  • Page 95

    Chapter 5 Configuring Ethernet VLAN Trunks: Understanding How VLAN Trunks Work
    Table 5-2 Ethernet Trunk Encapsulation Types
    Encapsulation | Function
    isl | Specifies ISL encapsulation on the trunk link.
    dot1q | Specifies 802.1Q encapsulation on the trunk link.
    negotiate | Specifies that the port negotiate with the neighboring port to become an ISL (preferred) or 802.1Q trunk, depending on the configuration and capabilities of the neighboring port.
  • Page 96: 802.1Q Trunk Configuration Guidelines And Restrictions

    When manually enabling trunking on a link to a Cisco router, enter the nonegotiate keyword to cause the port to become a trunk but not generate DTP frames.
  • Page 97: Default Trunk Configuration

    Common Spanning Tree (CST). When you connect a Cisco switch to a non-Cisco switch, the CST is always on VLAN 1. The Cisco switch sends an untagged IEEE BPDU (01-80-C2-00-00-00) on VLAN 1 for the CST. On the native...
  • Page 98: Configuring An Isl Trunk

    Chapter 5 Configuring Ethernet VLAN Trunks: Configuring a Trunk Link
    • Defining the Allowed VLANs on a Trunk, page 5-8
    • Disabling a Trunk Port, page 5-9
    • Disabling VLAN 1 on Trunks, page 5-10
    • Enabling 802.1Q Tagging of Native VLAN Traffic, page 5-11
    •...
  • Page 99: Configuring An 802.1Q Trunk

    Console> (enable) show trunk 1/2
    Port     Mode        Encapsulation Status       Native vlan
    -------- ----------- ------------- ------------ -----------
             desirable                 trunking
    Port     Vlans allowed on trunk
    -------- ---------------------------------------------------------------------
             1-1005, 1025-4094
    Port     Vlans allowed and active in management domain
    -------- ---------------------------------------------------------------------
             1,521-524...
  • Page 100: Configuring An Isl/802.1Q Negotiating Trunk Port

    Configuring an ISL/802.1Q Negotiating Trunk Port
    To configure a trunk port to negotiate the trunk encapsulation type (either ISL or 802.1Q), perform this task in privileged mode:
    Step 1  Configure a port to negotiate the trunk encapsulation type.  Command: set trunk mod/port [on | off | desirable | auto |...
  • Page 101: Disabling A Trunk Port

    In software releases prior to software release 8.3(1), to define the allowed VLANs list for a trunk port, perform this task in privileged mode:
    Step 1  Remove VLANs from the allowed VLANs list for a trunk.  Command: clear trunk mod/port vlans
  • Page 102: Disabling Vlan 1 On Trunks

    Cisco Discovery Protocol (CDP), VTP, Port Aggregation Protocol (PAgP), and DTP. When a trunk port with VLAN 1 disabled becomes a nontrunk port, it is added to the native VLAN. If the native VLAN is VLAN 1, the port is enabled and added to VLAN 1.
  • Page 103: Enabling 802.1Q Tagging Of Native Vlan Traffic

    Enabling 802.1Q Tagging of Native VLAN Traffic
    The set dot1q-all-tagged enable command is a global command that configures a switch to forward all frames from 802.1Q trunks with 802.1Q tagging in the native VLAN, and admit only 802.1Q tagged frames on 802.1Q trunks, dropping any untagged traffic, including untagged traffic in the native VLAN.
  • Page 104: Specifying A Custom 802.1Q Ethertype Field

    To disable the forwarding of 802.1Q tagged frames on specific ports, perform this task in privileged mode:
    Step 1  Enable or disable the forwarding of 802.1Q tagged frames on specific ports or on all ports.  Command: set port dot1q-all-tagged mod/port enable |
  • Page 105: Returning A Custom 802.1Q Ethertype Field To The Standard Ethertype

    Additionally, you should configure the custom EtherType value the same on both ends of a link. By specifying a custom EtherType field, your network can support Cisco and non-Cisco switches that do not use the standard 0x8100 EtherType to identify 802.1Q-tagged frames. When you specify a custom EtherType field, you can identify 802.1Q tagged frames and switch the frames to a specified VLAN.
  • Page 106: Example Vlan Trunk Configurations

    Chapter 5 Configuring Ethernet VLAN Trunks: Example VLAN Trunk Configurations
    This example shows how to return the 802.1Q EtherType field to the standard EtherType field (0x8100) on port 2/1 and verify the configuration:
    Console> (enable) set port dot1q-ethertype 2/1 default
    All the group ports 2/1-2 associated with port 2/1 will be modified.
  • Page 107: Isl Trunk Over Etherchannel Link Example

    Step 2  Check the configuration by entering the show trunk command. The Status field in the screen output indicates that port 1/1 is trunking.
    Switch1> (enable) show trunk 1/1
    Port     Mode        Encapsulation Status...
  • Page 108

    Figure 5-1 ISL Trunk Over Fast EtherChannel Link (Switch A and Switch B joined by a Fast EtherChannel ISL trunk link)
    To configure the switches to form a two-port EtherChannel bundle and then configure the EtherChannel bundle as an ISL trunk link, perform these steps:
    Step 1  Confirm the channeling and trunking status of the switches by entering the show port channel and show...
  • Page 109

    mode status device port
    ----- ---------- --------- ----------- ------------------------- ----------
    connected auto channel WS-C5500 069003103(Sw
    connected auto channel WS-C5500 069003103(Sw
    ----- ---------- --------- ----------- ------------------------- ----------
    Switch_B> (enable)
    Step 4  Configure one of the ports in the EtherChannel bundle to negotiate an ISL trunk by entering the set trunk command.
  • Page 110: 802.1Q Trunk Over Etherchannel Link Example

             1-1005, 1025-4094
    Port     Vlans allowed and active in management domain
    -------- ---------------------------------------------------------------------
             1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
             1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
    Port     Vlans in spanning tree forwarding state and not pruned
    -------- ---------------------------------------------------------------------
             1-5,10,20,50,152,200,300,400,500,521-524,570,801,850,917,999
             1-5,10,20,50,152,200,300,400,500,521-524,570,801,850,917,999
    Switch_B> (enable)
    802.1Q Trunk Over EtherChannel Link Example
    This example shows how to configure an 802.1Q trunk over an EtherChannel link between two switches.
  • Page 111

    Switch_A> (enable) show trunk
    No ports trunking.
    Switch_A> (enable)
    Switch_B> (enable) show port channel
    No ports channelling
    Switch_B> (enable) show trunk
    No ports trunking.
    Switch_B> (enable)
    Step 3  Configure the ports on Switch A to negotiate an EtherChannel bundle with the neighboring switch by entering the set port channel command.
  • Page 112

    connected auto channel WS-C4003 JAB023806(Sw
    connected auto channel WS-C4003 JAB023806(Sw
    ----- ---------- --------- ----------- ------------------------- ----------
    Switch_B> (enable)
    Step 5  Configure one of the ports in the EtherChannel bundle to negotiate an 802.1Q trunk by entering the set trunk command.
  • Page 113

    Step 6  After the 802.1Q trunk link is negotiated, verify the configuration by entering the show trunk command.
    Switch_A> (enable) show trunk
    Port     Mode        Encapsulation Status       Native vlan
    -------- ----------- ------------- ------------ -----------...
  • Page 114: Load-Sharing Vlan Traffic Over Parallel Trunks Example

    Load-Sharing VLAN Traffic Over Parallel Trunks Example
    Using spanning-tree port-VLAN priorities, you can load-share VLAN traffic over parallel trunk ports so that traffic from some VLANs travels over one trunk, while traffic from other VLANs travels over the other trunk.
  • Page 115

    Switch_1> (enable) set vlan 50
    Vlan 50 configuration successful
    Switch_1> (enable) set vlan 60
    Vlan 60 configuration successful
    Switch_1> (enable)
    Step 3  Verify the VTP and VLAN configuration on Switch 1 by entering the show vtp domain and show vlan commands.
  • Page 116

    Port     Vlans allowed on trunk
    -------- ---------------------------------------------------------------------
             1-1005, 1025-4094
             1-1005, 1025-4094
    Port     Vlans allowed and active in management domain
    -------- ---------------------------------------------------------------------
             1,10,20,30,40,50,60
             1,10,20,30,40,50,60
    Port     Vlans in spanning tree forwarding state and not pruned
    -------- ---------------------------------------------------------------------
    Switch_1>...
  • Page 117

    Switch_1> (enable) show spantree 1/2
    Port      Vlan Port-State    Cost  Priority Fast-Start Group-method
    --------- ---- ------------- ----- -------- ---------- ------------
                   blocking                     disabled
                   blocking                     disabled
                   blocking                     disabled
                   blocking                     disabled
                   blocking                     disabled
                   blocking                     disabled
                   blocking                     disabled...
  • Page 118

    Step 11  On Switch 2, change the port-VLAN priority for the Group 1 VLANs on Trunk 1 (port 1/1) to the same value that you configured for those VLANs on Switch 1 by entering the set spantree portvlanpri command.
  • Page 119

    Switch_1> (enable) show spantree 1/2
    Port      Vlan Port-State    Cost  Priority Fast-Start Group-method
    --------- ---- ------------- ----- -------- ---------- ------------
                   blocking                     disabled
                   blocking                     disabled
                   blocking                     disabled
                   blocking                     disabled
                   forwarding                   disabled
                   forwarding                   disabled
                   forwarding                   disabled...
  • Page 120

    Switch_1> (enable) show spantree 1/2
    Port      Vlan Port-State    Cost  Priority Fast-Start Group-method
    --------- ---- ------------- ----- -------- ---------- ------------
                   learning                     disabled
                   learning                     disabled
                   learning                     disabled
                   learning                     disabled
                   forwarding                   disabled
                   forwarding                   disabled
                   forwarding                   disabled...
  • Page 121: Configuring Etherchannel

    Chapter 6 Configuring EtherChannel
    This chapter describes how to use the command-line interface (CLI) to configure EtherChannel on the Catalyst 6500 series switches. The configuration tasks in this chapter apply to Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet switching modules and the uplink ports on the supervisor engine.
  • Page 122: Understanding How Etherchannel Works

    EtherChannel frame distribution is based on a Cisco-proprietary hashing algorithm. The algorithm is deterministic; given the same addresses and session information, you always hash to the same port in the channel, preventing out-of-order packet delivery.
  • Page 123: Port Aggregation Control Protocol And Link Aggregation Control Protocol

    PAgP is a Cisco-proprietary protocol that can be run only on Cisco switches and those switches that are released by licensed vendors. LACP, which is defined in IEEE 802.3ad, allows Cisco switches to manage Ethernet channeling with devices that conform to the...
  • Page 124: Vlan And Trunk Configuration Guidelines

    Chapter 6 Configuring EtherChannel: EtherChannel Configuration Guidelines
    • You can change the protocol at any time, but this change causes all existing EtherChannels to reset to the default channel mode for the new protocol.
    • Configure all ports in an EtherChannel to operate at the same speed and duplex mode (full duplex...
  • Page 125: Understanding How The Port Aggregation Protocol Works

    • An EtherChannel does not form if protocol filtering is set differently on the ports.
    • Cisco Discovery Protocol (CDP) runs on the physical port even after the port is added to a channel.
    • VLAN Trunking Protocol (VTP) and Dual Ring Protocol (DRiP) run on the channel.
  • Page 126: Pagp Modes

    Chapter 6 Configuring EtherChannel: Understanding How the Port Aggregation Protocol Works
    PAgP Modes
    PAgP facilitates the automatic creation of EtherChannels by exchanging packets between Ethernet ports. PAgP packets are exchanged only between ports in auto and desirable modes. Ports that are configured in on or off mode do not exchange PAgP packets.
  • Page 127: Pagp Administrative Groups

    Chapter 6 Configuring EtherChannel: Configuring an EtherChannel Using PAgP
    PAgP Administrative Groups
    Configuring an EtherChannel creates an administrative group, which is designated by an integer between 1 and 1024, to which the EtherChannel belongs. When an administrative group is created, you can assign an administrative group number or let the next available administrative group number be assigned automatically.
  • Page 128: Configuring An Etherchannel

    To specify the EtherChannel protocol, perform this task in privileged mode:
    Task: Specify the EtherChannel protocol.  Command: set channelprotocol [pagp | lacp] mod
    This example shows how to specify the PAgP protocol for module 3:
    Console>...
  • Page 129: Setting The Etherchannel Port Path Cost

    Setting the EtherChannel Port Path Cost
    Note: You accomplish this task using a global command that configures both LACP and PAgP.
    The channel path cost is achieved by adjusting the port costs of each port belonging to the channel. If you do not specify the cost, it is updated based on the current port costs of the channeling ports.
  • Page 130

    The EtherChannel VLAN cost feature provides load balancing of VLAN traffic across multiple channels that are configured with trunking. You enter the set spantree channelvlancost command to set the initial spanning-tree costs for all VLANs in the channel.
  • Page 131: Configuring Etherchannel Load Balancing

    Console> (enable) set spantree channelvlancost 856 10
    Port(s) 3/47-48 vlan cost are updated to 16.
    Channel 856 vlancost is set to 10.
    Console> (enable) set spantree portvlancost 3/47 cost 16 1-1005
    Port 3/47 VLANs 1025-4094 have path cost 19.
  • Page 132: Displaying The Outgoing Ports For A Specified Address Or Layer 4 Port Number

    This example shows how to display traffic utilization on EtherChannel ports:
    Console> (enable) show channel traffic
    ChanId Port  Rx-Ucst Tx-Ucst Rx-Mcst Tx-Mcst Rx-Bcst Tx-Bcst
    ------ ----- ------- ------- ------- ------- ------- -------
           2/16  0.00%   0.00%...
  • Page 133: Understanding How The Link Aggregation Control Protocol Works

    Chapter 6 Configuring EtherChannel: Understanding How the Link Aggregation Control Protocol Works
    Use the information in these sections if you are configuring EtherChannel using LACP.
    Note: If you are using PAgP, see the “Understanding How the Port Aggregation Protocol Works”...
  • Page 134

    You must assign a port priority that can be specified automatically or through the CLI (see the “Specifying the Port Priority” section on page 6-16) to each port in the switch. The port priority is used with the port number to form the port identifier.
  • Page 135: Configuring An Etherchannel Using Lacp

    Chapter 6 Configuring EtherChannel: Configuring an EtherChannel Using LACP
    These sections describe how to configure EtherChannel using LACP:
    • Specifying the EtherChannel Protocol, page 6-15
    • Specifying the System Priority, page 6-16
    • Specifying the Port Priority, page 6-16
    •...
  • Page 136: Specifying The System Priority

    Specifying the System Priority
    Note: Although this command is a global option, the command applies only to modules on which LACP is enabled; it is ignored on modules running PAgP.
    The system priority value must be a number in the range of 1–65535, where higher numbers represent lower priority.
  • Page 137

    You can specify an administrative key value for a set of ports, or the system automatically selects a value if you do not specify the admin_key parameter. In both cases, the admin_key value can range from 1–1024.
  • Page 138: Changing The Channel Mode

    Changing the Channel Mode
    You can change the channel mode for a set of ports that were previously assigned the same administrative key (see the “Specifying an Administrative Key Value” section on page 6-16).
  • Page 139: Displaying Etherchannel Traffic Utilization

    Displaying EtherChannel Traffic Utilization
    To display the traffic utilization on the EtherChannel ports, perform this task:
    Task: Display traffic utilization on the EtherChannel ports.  Command: show lacp-channel traffic
    This example shows how to display traffic utilization on the EtherChannel ports:
    Console>...
  • Page 140: Displaying The Spanning-Tree Information For Etherchannels

    Chapter 6 Configuring EtherChannel: Clearing and Restoring the EtherChannel Counters
    Displaying the Spanning-Tree Information for EtherChannels
    You can display the channel ID and the truncated port list for all ports that are channeling. The ports that are not channeling are identified by their port number. To display the spanning-tree information for EtherChannels, perform this task:
    Task  Command...
  • Page 141: Restoring The Etherchannel Counters

    These examples show the various methods of clearing the EtherChannel counters:
    Console> (enable) show channel traffic
    ChanId Port  Rx-Ucst Tx-Ucst Rx-Mcst Tx-Mcst Rx-Bcst Tx-Bcst
    ------ ----- ------- ------- ------- ------- ------- -------
                 0.00%   0.00%   9.09%...
  • Page 142

    Console> (enable) show channel traffic 769
    ChanId Port  Rx-Ucst Tx-Ucst Rx-Mcst Tx-Mcst Rx-Bcst Tx-Bcst
    ------ ----- ------- ------- ------- ------- ------- -------
                 0.00%   0.00%   7.69%   92.30%  0.00%   0.00%
                 0.00%   0.00%   92.31%  7.70%   0.00%...
  • Page 143: Configuring Spanning Tree

    Configuring Spanning Tree This chapter describes the IEEE 802.1D bridge Spanning Tree Protocol (STP) and how to use and configure Cisco’s proprietary spanning-tree protocols, Per VLAN Spanning Tree + (PVST+) and Multi-Instance Spanning Tree Protocol (MISTP), on the Catalyst 6500 series switches.
  • Page 144: Understanding How Spanning Tree Protocols Work

    Chapter 7 Configuring Spanning Tree: Understanding How Spanning Tree Protocols Work
    This section describes the specific functions that are common to all spanning-tree protocols. Cisco’s proprietary spanning-tree protocols, PVST+ and MISTP, are based on IEEE 802.1D STP. (See the “Understanding How PVST+ and MISTP Modes Work”...
  • Page 145: Understanding How A Topology Is Created

    Understanding How a Topology Is Created
    All switches in an extended LAN participating in a spanning tree gather information about other switches in the network through an exchange of data messages that are known as bridge protocol data units (BPDUs).
  • Page 146: Understanding How Bridge Protocol Data Units Work

    For example, assume that a port on Switch B is a fiber-optic link. Also, another port on Switch B (an unshielded twisted-pair [UTP] link) is the root port. Network traffic might be more efficient over the high-speed fiber-optic link.
  • Page 147

    Calculating the Port Cost Using the Short Method
    The IEEE 802.1D specification assigns 16-bit (short) default port cost values to each port that is based on bandwidth. You can also manually assign port costs between 1–65535. The 16-bit values are only used for the ports that have not been specifically configured for port cost.
  • Page 148: Spanning-Tree Port States

    LAN before they can start forwarding frames. Also, they must allow the frame lifetime to expire for frames that have been forwarded using the old topology.
    Note: With Cisco IOS Release 12.1(1)E or later releases on the Multilayer Switch Feature Card (MSFC), the...
  • Page 149: Blocking State

    Figure 7-2 STP Port States (boot-up initialization, blocking state, listening state, learning state, forwarding state, disabled state)
    You can modify each port state by using management software, for example, VLAN Trunking Protocol (VTP).
  • Page 150: Listening State

    Figure 7-3 Port 2 in Blocking State (figure labels: segment, Port 1, forwarding frames, filtering database, frame forwarding, system module, station addresses, BPDUs, network management frames, data frames)...
  • Page 151

    Figure 7-4 Port 2 in Listening State (figure labels: all segment frames, Port 1, forwarding frames, filtering database, frame forwarding, system module, station addresses, BPDUs, network management frames, data...
  • Page 152: Learning State

    Learning State
    A port in the learning state prepares to participate in frame forwarding. The port enters the learning state from the listening state. Figure 7-5 shows a port in the learning state. A port in the learning state performs as follows:
    • Discards frames that are received from the attached segment.
  • Page 153: Forwarding State

    Forwarding State
    A port in the forwarding state forwards frames, as shown in Figure 7-6. The port enters the forwarding state from the learning state.
    Figure 7-6 Port 2 in Forwarding State (figure labels: all segment frames, forwarding frames)...
  • Page 154: Understanding How Pvst+ And Mistp Modes Work

    Chapter 7 Configuring Spanning Tree: Understanding How PVST+ and MISTP Modes Work
    Disabled State
    A port in the disabled state does not participate in frame forwarding or STP, as shown in Figure 7-7. A port in the disabled state is virtually nonoperational.
    Figure 7-7 Port 2 in Disabled State (figure labels: all segment...
  • Page 155: Pvst+ Mode

    An overview of each mode is provided in this section. Each mode is described in detail in these sections:
    • Configuring PVST+ on the Switch, page 7-26
    • Configuring MISTP-PVST+ or MISTP on the Switch, page 7-34
    •...
  • Page 156: Mistp-Pvst+ Mode

    Chapter 7 Configuring Spanning Tree: Understanding How Bridge Identifiers Work
    Each MISTP instance root switch propagates the information that is associated with it to all other switches in the network. This process maintains the network topology because it ensures that each switch has the same information about the network.
  • Page 157: Mac Address Reduction

    MAC Address Reduction
    For Catalyst 6500 series switches that support 4096 VLANs, MAC address reduction allows up to 4096 VLANs running under PVST+ or 16 MISTP instances to have unique identifiers without increasing the number of MAC addresses that are required on the switch.
  • Page 158: Understanding How Multiple Spanning Tree Works

    If another bridge in the same spanning-tree domain does not run the MAC address reduction feature, it could claim and win root bridge ownership because of the finer granularity in the selection of its bridge
    Note: MAC address reduction is enabled by default on Cisco switches that have 64 MAC addresses (to find the number of MAC addresses supported on a switch, refer to the Catalyst 6500 Series Switch Release Notes for Software Release 8.x publication).
  • Page 159

    Chapter 7 Configuring Spanning Tree: Understanding How Multiple Spanning Tree Works
    A bridge running MST provides interoperability with single spanning-tree bridges as follows:
    • MST bridges run a variant of STP (IST) that augments the Common Spanning Tree (CST) information with internal information about the MST region.
  • Page 160: Rapid Spanning Tree Protocol

    These sections describe MST:
    • Rapid Spanning Tree Protocol, page 7-18
    • MST-to-SST Interoperability, page 7-19
    • Common Spanning Tree, page 7-21
    • MST Instances, page 7-21
    • MST Configuration, page 7-21
    •...
  • Page 161: Mst-To-Sst Interoperability

    • Backup—A backup for the path that is provided by a designated port toward the leaves of the spanning tree. Backup ports can exist only where two ports are connected together in a loopback by a point-to-point link or bridge with two or more connections to a shared LAN segment.
  • Page 162

    Figure 7-10 Network with Interconnected SST and MST Regions (legend: F/f = Forwarding, B/b = Blocking, R = Root Bridge, Region, Root port)
    To the spanning-tree protocol running in the SST region, an MST region appears as a single SST or pseudobridge.
  • Page 163: Common Spanning Tree

    Common Spanning Tree
    CST (802.1Q) is a single spanning tree for all the VLANs. In a Catalyst 6500 series switch running PVST+, the VLAN 1 spanning tree corresponds to CST. In a Catalyst 6500 series switch running MST, IST (instance 0) corresponds to CST.
  • Page 164: Mst Region

    MST Region
    Interconnected bridges that have the same MST configuration are referred to as an MST region. There is no limit on the number of MST regions in the network. To form an MST region, bridges can be either of the following:
    • An MST bridge that is the only member of the MST region.
  • Page 165: Message Age And Hop Count

    Edge Ports
    A port that is connected to a nonbridging device (for example, a host or a router) is an edge port. A port that connects to a hub is also an edge port if the hub or any LAN that is connected by it does not have a bridge.
  • Page 166: Mst-To-Pvst+ Interoperability

    Chapter 7 Configuring Spanning Tree: Understanding How BPDU Skewing Works
    MST-to-PVST+ Interoperability
    These guidelines apply in a topology where you configure MST switches (all in the same region) to interact with PVST+ switches that have VLANs 1–100 set up to span throughout the network:
    • Configure the root for all VLANs inside the MST region.
  • Page 167: Understanding How Layer 2 Pdu Rate Limiting Works

    Chapter 7 Configuring Spanning Tree: Understanding How Layer 2 PDU Rate Limiting Works
    The root switch advertises its presence by sending out BPDUs for the configured hello time interval. The nonroot switches receive and process one BPDU during each configured time period. A VLAN may not receive the BPDU as scheduled.
  • Page 168: Configuring Pvst+ On The Switch

    Configuring PVST+ on the Switch: These sections describe how to configure PVST+ on Ethernet VLANs: • Default PVST+ Configuration, page 7-26 • Setting the PVST+ Bridge ID Priority, page 7-27 • Configuring the PVST+ Port Cost, page 7-28 ...
  • Page 169: Setting The Pvst+ Bridge Id Priority

    Setting the PVST+ Bridge ID Priority: The bridge ID priority is the priority of a VLAN when the switch is in PVST+ mode. When the switch is in PVST+ mode without MAC address reduction enabled, you can enter a bridge priority value from 0 to 65535.
  • Page 170: Configuring The Pvst+ Port Cost

    [show spantree output excerpt: Designated Root 00-60-70-4c-70-00; Designated Root Priority 16384; Root Max Age 14 sec; Hello Time 2 sec; Forward Delay 10 sec; Bridge ID MAC ADDR 00-d0-00-4c-18-00; Bridge ID Priority 32769 (bridge priority: 32768, sys ID ext: 1)]
  • Page 171: Configuring The Pvst+ Port Priority

    Configuring the PVST+ Port Priority: You can configure the port priority of switch ports in PVST+ mode. The port with the lowest priority value forwards frames for all VLANs. The possible port priority value is a multiple of 16 from 0–240. The default is 32.
  • Page 172 The long mode has these parameters: • Portcost • Portvlancost (trunk ports only) • When UplinkFast is enabled, the actual cost is incremented by 10,000,000 • EtherChannel computes the cost of a bundle using the formula, ...
  • Page 173: Configuring The Pvst+ Port Cost For A Vlan

    Configuring the PVST+ Port Cost for a VLAN: You can configure the port cost for a port on a per-VLAN basis. Ports with a lower port cost in the VLAN are more likely to be chosen to forward frames.
  • Page 174: Disabling The Pvst+ Mode On A Vlan

    Console> (enable) show config all [excerpt: set spantree portcost 2/12,2/15 19; set spantree portcost 2/1-2,2/4-11,2/13-14,2/16-48 100; set spantree portcost 2/3 12; set spantree portpri 2/1-48 32; set spantree portvlanpri 2/1 0; set spantree portvlanpri 2/2 0; set spantree portvlanpri 2/48 0; set spantree portvlancost 2/1 cost 99...]
  • Page 175: Configuring Rapid-Pvst+ On The Switch

    Configuring Rapid-PVST+ on the Switch: Rapid-PVST+ is the default spanning tree protocol that is used on all Ethernet, Fast Ethernet, and Gigabit Ethernet port-based VLANs on Catalyst 6500 series switches. To configure Rapid-PVST+, you also need to configure PVST+ on your switch.
  • Page 176: Configuring Mistp-Pvst+ Or Mistp On The Switch

    [show spantree output excerpt: a series of ports in the listening state, role DESG, cost 20000 ...]
  • Page 177: Default Mistp And Mistp-Pvst+ Configuration

    • Mapping VLANs to an MISTP Instance, page 7-41 • Disabling MISTP-PVST+ or MISTP, page 7-44. Default MISTP and MISTP-PVST+ Configuration: Table 7-5 shows the default MISTP and MISTP-PVST+ configuration. Table 7-5 MISTP and MISTP-PVST+ Default Configuration (columns: Feature, ...)
  • Page 178 Caution: If you are working from a Telnet connection to your switch, the first time that you enable MISTP-PVST+ or MISTP mode, you must do so from the switch console; do not use a Telnet connection through the data port or you will lose your connection to the switch.
  • Page 179: Configuring An Mistp Instance

    [show spantree output excerpt: bridge address 00-50-3e-78-70-00 repeated for several entries] Configuring an MISTP Instance: These sections describe how to configure MISTP instances: • Configuring the MISTP Bridge ID Priority, page 7-37 • Configuring the MISTP Port Cost, page 7-38 • Configuring the MISTP Port Priority, page 7-39 ...
  • Pages 180–182 [show spantree output excerpts; columns: Port, Inst, Port-State, Cost, Prio, Portfast, Channel_id; rows such as "forwarding 20000 32 disabled 0", "forwarding 200000 32 disabled 0", "3/25 forwarding 200000 32 disabled 0", "3/26 forwarding 200000 ..."]
  • Page 183: Enabling An Mistp Instance

    This example shows how to configure the port instance priority on an MISTP instance and verify the configuration: Console> (enable) set spantree portinstancepri 1/1 16 2 / Port 1/1 MISTP Instances 2 using portpri 16. / Port 1/1 mistp-instance 1,3-16 using portpri 32.
  • Page 184 Follow these guidelines when mapping VLANs to an MISTP instance: • You can map only Ethernet VLANs to MISTP instances. • At least one VLAN in the instance must have an active port in order for MISTP-PVST+ or MISTP ...
  • Page 185 ... entry is printed or when all the entries are associated with the same instance, the VLAN is mapped to that instance. If two or more entries in the list are associated with different MISTP instances, the VLAN is in conflict.
  • Page 186: Disabling Mistp-Pvst+ Or Mistp

    Unmapping VLANs from an MISTP Instance: The none keyword is used to unmap the specified VLANs from the MISTP instances to which they are currently mapped. When you unmap a VLAN from an MISTP instance, the resulting state of all the ports of the VLAN (if the VLAN exists) is blocking.
  • Page 187: Configuring A Primary Root Switch

    Configuring a Primary Root Switch: You can set a root switch on a VLAN when the switch is in PVST+ mode or on an MISTP instance when the switch is in MISTP mode. You enter the set spantree root command to reduce the bridge priority (the value that is associated with the switch) from the default (32768) to a lower value, which allows the switch to become the root switch.
  • Page 188: Configuring A Secondary Root Switch

    Configuring a Secondary Root Switch: You can set a secondary root switch on a VLAN when the switch is in PVST+ mode or on an MISTP instance when the switch is in MISTP mode. The set spantree root secondary command reduces the bridge priority to 16,384, making it the probable candidate to become the root switch if the primary root switch fails.
  • Page 189 When a link failure occurs in a bridged network, the network reconfiguration is not immediate. Reconfiguring the default parameters (specified by IEEE 802.1D) for the Hello Time, Forward Delay Timer, and Maximum Age Timer requires a 50-second delay. This reconfiguration time depends on the network diameter, which is the maximum number of bridges between any two end stations.
  • Page 190: Using Root Guard-Preventing Switches From Becoming Root

    Spantree 100 max aging time set to 36 seconds. / Console> (enable) / Console> (enable) set spantree root 1-10 dia 4 / VLANs 1-10 bridge priority set to 8192 / VLANs 1-10 bridge max aging time set to 14 seconds. / VLANs 1-10 bridge hello time set to 2 seconds.
  • Page 191: Configuring Spanning-Tree Timers On The Switch

    This example shows how to display spanning-tree BPDU statistics: Console> show spantree statistics bpdu [output columns: Transmitted, Received, Processed, Dropped; Total 52943073 52016589 52016422; Rate(/sec) ...]. This example shows how to clear spanning-tree BPDU statistics: Console>...
  • Page 192: Configuring The Hello Time

    Configuring the Hello Time: Enter the set spantree hello command to change the hello time for a VLAN, an MISTP instance, or on a per-port basis. The possible interval range is 1–10 seconds. To configure the spanning-tree bridge hello time for a VLAN or an MISTP instance, perform this task in privileged mode: Task / Command ...
  • Page 193: Configuring The Maximum Aging Time

    Console> (enable) set spantree fwddelay 16 mistp-instance 1 / Instance 1 forward delay set to 16 seconds. / Console> (enable). Configuring the Maximum Aging Time: Enter the set spantree maxage command to change the spanning-tree maximum aging time for a VLAN or an instance.
  • Page 194 [show spantree output tail: "32 disabled 0", "forwarding 32 enabled"] Console> (enable) set spantree mst config name cisco revision 1 / Edit Buffer modified. Use 'set spantree mst config commit' to apply the changes / Console> (enable) show spantree mst config / Current (NVRAM) MST Region Configuration:...
  • Page 195 [show spantree mst config output: Current (NVRAM) MST Region Configuration: 1 instance; Configuration Name: (empty); Revision: 0; Instance/VLANs table with the single mapping 1-4094. NEW MST Region Configuration (Not committed yet): 5 instances; Configuration Name: cisco; Revision: 1; Instance/VLANs table with mappings 1,11-20,51-4094 / 2-10 / 21-30 / 31-40 / 41-50. Edit buffer is locked by: Console (pid 143)] Console>...
  • Page 196 [show spantree mst output tail; columns ..., Prio, VLANs; row "0 forwarding DESG 20000 32 1"] Console> (enable) show spantree mst config / Current (NVRAM) MST Region Configuration: 5 instances; Configuration Name: cisco; Revision: 1; Instance/VLANs table with mappings 1,11-20,51-4094 / 2-10 / 21-30 / 31-40 / 41-50. Console>...
  • Page 197 Console> (enable) show spantree mst 3 [output: Spanning tree mode ...; Instance VLANs Mapped: 31-40; Designated Root 00-00-00-00-00-00; Designated Root Priority (root priority: 0, sys ID ext: 0); Designated Root Cost ...; Remaining Hops 0; Designated Root Port ...; Bridge ID MAC ADDR ...]
  • Page 198 Configuring the MST Port Priority: You can configure the port priority of ports. The port with the lowest priority value forwards the frames for all VLANs. The possible port priority value is a multiple of 16 from 0–240. The default is 32. If all the ports have the same priority value, the port with the lowest port number forwards the frames.
  • Page 199 [port instance cost table; columns: Cost, Instances; rows "5000 ...", "Default 200000 0-3,5-4094"] Console> (enable) set spantree portinstancecost 4/1 cost 6000 mst 4000 / Command successful. Modified port 4/1 configuration: [columns: Cost, Instances; rows "5000 ...", "6000 4000", "Default 200000 0-3,5-3999,4001-4094"]...
  • Page 200: Mapping And Unmapping Vlans To An Mst Instance

    [show spantree mst output excerpt: Hello: 4, (Local port hello:4); columns: Inst, State, Role, Cost, Prio, VLANs; rows "0 forwarding DESG 200000 32 None", "2 forwarding DESG 200000 16 1", "200 forwarding DESG 200000 ..."]
  • Page 201: Configuring Bpdu Skewing On The Switch

    Console> (enable) show spantree mst config [output: Current (NVRAM) MST Region Configuration: 3 instances; Configuration Name: arthur; Revision: 23703; Instance/VLANs table with mappings 1,31-4094 / 2-20 / 21-30. NEW MST Region Configuration (Not committed yet): 4 instances; Configuration Name: arthur; Revision: 23703 ...]
  • Page 202 Task / Command: Step 1 Configure BPDU skewing: set spantree bpdu-skewing [enable | disable]. Step 2 Verify the configuration: show spantree bpdu-skewing vlan [mod/port]; show spantree bpdu-skewing mistp-instance [instance] [mod/port]. This example shows how to configure BPDU skewing and display the skewing statistics: Console>...
  • Page 203: Configuring Layer 2 Pdu Rate Limiting On The Switch

    • Enable, disable, or set rate limiting for the spanning-tree BPDUs—IEEE and PVST/Shared Spanning Tree Protocol (SSTP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), UniDirectional Link Detection (UDLD), VLAN Trunking Protocol (VTP), Link Aggregation Control Protocol (LACP), and Port Aggregation Protocol (PAgP)—globally on the switch.
  • Page 204 • CDP/DTP/UDLD/LACP/PAgP/VTP—destination MAC address 01-00-0C-CC-CC-CC. Note: Rate limiting Layer 2 protocols works as follows: 1) Frames are classified as Layer 2 control frames by the destination MAC address (listed above). 2) The software allocates an LTL index for these frames. 3) The LTL index is submitted to the forwarding engine for (aggregate) rate limiting of all the associated frames.
  • Page 205 This example shows how to display the Layer 2 rate-limiter administrative and operational status information: Console> show rate-limit config [output columns: Rate Limiter Type, Admin Status, Oper Status; rows: l2pdu ..., l2protocol-tunnel ...]
  • Page 206 Chapter 7 Configuring Spanning Tree Configuring Layer 2 PDU Rate Limiting on the Switch Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 7-64 OL-8978-04...
  • Page 207: Understanding How 802.1Q Tunneling Works

    Chapter 8: Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling. This chapter describes how to configure IEEE 802.1Q tunneling and Layer 2 protocol tunneling on the Catalyst 6500 series switches. This chapter consists of these sections: • Understanding How 802.1Q Tunneling Works, page 8-1 ...
  • Page 208: 802.1Q Tunneling Configuration Guidelines

    Chapter 8 Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling, 802.1Q Tunneling Configuration Guidelines: When a tunnel port receives the tagged customer traffic from an 802.1Q trunk port, it does not strip the received 802.1Q tag from the frame header; instead, the tunnel port leaves the 802.1Q tag intact, adds a 2-byte EtherType field (0x8100) and a 2-byte length field, and puts the received customer traffic into the VLAN to which the tunnel port is assigned.
  • Page 209 • On an asymmetrical link, the Cisco Discovery Protocol (CDP) reports a native VLAN mismatch if the VLAN of the tunnel port does not match the native VLAN of the 802.1Q trunk. The 802.1Q tunnel feature does not require that the VLANs match. Ignore the messages if your configuration requires nonmatching VLANs.
  • Page 210: Configuring 802.1Q Tunneling On The Switch

    Configuring 802.1Q Tunneling on the Switch: These sections describe how to configure 802.1Q tunneling: • Configuring 802.1Q Tunnel Ports, page 8-4 • Clearing 802.1Q Tunnel Ports, page 8-4 ...
  • Page 211: Disabling Global Support For 802.1Q Tunneling

    This example shows how to clear tunneling on port 4/1 and verify the configuration: Console> (enable) set port dot1qtunnel 4/1 disable / Dot1q tunnel feature disabled on port 4/1. / Console>...
  • Page 212: Understanding How Layer 2 Protocol Tunneling Works

    MAC address of the PDUs that are received on a tunneled port with the Cisco proprietary multicast address (01-00-0c-cd-cd-d0). The PDU is then flooded to the native VLAN of the tunneled port. If you enable Layer 2 protocol tunneling on a port, the PDUs of an enabled protocol are not sent out.
  • Page 213: Layer 2 Protocol Tunneling Configuration Guidelines

    Layer 2 Protocol Tunneling Configuration Guidelines: This section provides the guidelines for configuring protocol tunneling in your network: • The protocol tunneling functions independently from 802.1Q tunneling. ...
  • Page 214: Configuring Layer 2 Protocol Tunneling On Trunk Ports

    This example shows how to specify a Layer 2 protocol on a port and verify the configuration. Note: You can specify more than one protocol type at a time. In the CLI, separate protocol types with a space. Console>...
  • Page 215: Layer 2 Protocol Tunneling On Trunks Example

    Another example is when a customer wants to tunnel CDP and VTP packets. The CDP/VTP packets are received by a Catalyst 6500 series switch from a third-party switch that is tunneled from other Cisco switches. If the service provider wants to support multiple customers, the service provider must tunnel CDP and VTP packets on a VLAN other than VLAN 1 because Catalyst 6500 series switches use VLAN 1 for transmitting CDP and VTP packets.
  • Page 216: Specifying Drop And Shutdown Thresholds On Layer 2 Protocol Tunneling Ports

    Figure 8-2 Layer 2 Protocol Tunneling on Trunks Network Example (figure legend: Layer 2 protocol tunneling trunk port; Layer 2 protocol tunneling access port with 802.1Q tunneling, on which received packets must be double tagged)
  • Page 217 Note: After reaching the shutdown threshold factor, the port or range of ports goes into the errdisable state and is restored after the errdisable timeout interval. The shutdown threshold factor should exceed the drop threshold factor.
  • Page 218: Specifying Cos On Layer 2 Protocol Tunneling Ports

    Console> (enable) show port l2protocol-tunnel 3/1 [output columns: Port, Tunnel Protocol(s), Drop Threshold, Shutdown Threshold; row for the port shows "None"; followed by per-port Drop/Shutdown counter columns ...]
  • Page 219: Clearing Layer 2 Protocol Tunneling Statistics

    Clearing Layer 2 Protocol Tunneling Statistics: To clear the Layer 2 protocol tunneling statistics on a port or on all the tunneling ports, perform this task in privileged mode: Task / Command ...
  • Page 221 Chapter 9: Configuring Spanning-Tree PortFast, UplinkFast, BackboneFast, and Loop Guard. This chapter describes how to configure the spanning-tree PortFast, UplinkFast, BackboneFast, and loop guard features on the Catalyst 6500 series switches. Note: For information on configuring the Spanning Tree Protocol (STP), see Chapter 7, “Configuring Spanning Tree.”...
  • Page 222: Understanding How Portfast Works

    Chapter 9 Configuring Spanning-Tree PortFast, UplinkFast, BackboneFast, and Loop Guard, Understanding How PortFast Works: Spanning-tree PortFast causes a switch or trunk port to enter the spanning-tree forwarding state immediately, bypassing the listening and learning states. You can use PortFast on switch or trunk ports that are connected to a single workstation, switch, or server to allow those devices to connect to the network immediately, instead of waiting for the port to transition from the listening and learning states to the forwarding state.
  • Page 223: Understanding How Portfast Bpdu Filtering Works

    Understanding How PortFast BPDU Filtering Works: BPDU filtering allows you to avoid transmitting BPDUs on a port that is connected to an end system. When you enable BPDU filtering on the switch, spanning tree places that port in the forwarding state immediately, instead of going through the listening, learning, and forwarding states.
  • Page 224: Understanding How Backbonefast Works

    Figure 9-1 UplinkFast Example Before Direct Link Failure (figure shows Switch A, Switch B (Root), Switch C, and the blocked port on Switch C). If Switch C detects a link failure on the currently active link L2 (a direct link failure), UplinkFast unblocks the blocked port on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure...
  • Page 225 If the switch has alternate paths to the root bridge, it uses these alternate paths to transmit a new kind of PDU called the Root Link Query PDU out all alternate paths to the root bridge. If the switch determines that it still has an alternate path to the root, it causes the maximum aging time on the ports on which it received the inferior BPDU to expire.
  • Page 226: Understanding How Loop Guard Works

    If a new switch is introduced into a shared-medium topology, BackboneFast is not activated. Figure 9-5 shows a shared-medium topology in which a new switch is added. The new switch begins sending inferior BPDUs that say it is the root switch.
  • Page 227 Figure 9-6 Triangle Switch Configuration with Loop Guard (figure legend: designated port, root port, alternate port). Figure 9-6 illustrates the following configuration: • Switches A and B are distribution switches. ...
  • Page 228: Configuring Portfast On The Switch

    • If your network has a type-inconsistent port or a PVID-inconsistent port, all BPDUs are dropped until the misconfiguration is corrected. The port transitions out of the inconsistent state after the message age expires.
  • Page 229: Enabling Spanning-Tree Portfast On A Trunk Port

    To enable PortFast on a switch port, perform this task in privileged mode: Task / Command: Step 1 Enable PortFast on a switch port that is connected to a single workstation, switch, or server: set spantree portfast mod_num/port_num enable.
  • Page 230: Disabling Portfast

    This example shows how to enable PortFast on port 1 of module 4 of a trunk port, bring the trunk port to a forwarding state, and verify the configuration (the PortFast status is shown in the “Fast-Start” column): Console>...
  • Page 231: Resetting Portfast

    Resetting PortFast: To reset PortFast on a switch or trunk port to its default settings, perform this task in privileged mode: Task / Command: Step 1 Reset PortFast to its default settings on a switch ... set spantree portfast mod_num/port_num...
  • Page 232: Disabling Portfast Bpdu Guard

    This example shows how to enable PortFast BPDU guard on the switch and verify the configuration in the Per VLAN Spanning Tree + (PVST+) mode. Note: For additional PVST+ information, see Chapter 7, “Configuring Spanning Tree.”...
  • Page 233: Configuring Portfast Bpdu Filtering On The Switch

    This example shows how to disable PortFast BPDU guard on the switch and verify the configuration: Console> (enable) set spantree portfast bpdu-guard disable / Spantree portfast bpdu-guard disabled on this switch.
  • Page 234: Enabling Portfast Bpdu Filtering

    Enabling PortFast BPDU Filtering: To enable PortFast BPDU filtering on a nontrunking port, perform this task in privileged mode: Task / Command: Step 1 Set the BPDU filter state on the port.
  • Page 235: Disabling Portfast Bpdu Filtering

    Disabling PortFast BPDU Filtering: To disable PortFast BPDU filtering on the switch, perform this task in privileged mode: Task / Command: Step 1 Disable PortFast BPDU filtering on the switch: set spantree portfast bpdu-filter disable. Step 2 Verify the PortFast BPDU filter setting.
  • Page 236: Enabling Uplinkfast

    Enabling UplinkFast: The set spantree uplinkfast enable command increases the path cost of all ports on the switch, making it unlikely that the switch will become the root switch. The station_update_rate value represents the number of multicast packets that are transmitted per 100 milliseconds (the default is 15 packets per millisecond).
  • Page 237: Disabling Uplinkfast

    With MISTP mode enabled, this example shows the output when you enable UplinkFast: Console> (enable) set spantree uplinkfast enable / Instances 1-16 bridge priority set to 49152. / The port cost and portinstancecost of all ports set to above 10000000.
  • Page 238: Configuring Backbonefast On The Switch

    Configuring BackboneFast on the Switch: These sections describe how to configure BackboneFast: • Enabling BackboneFast, page 9-18 • Displaying BackboneFast Statistics, page 9-18 • Disabling BackboneFast, page 9-19 ...
  • Page 239: Disabling Backbonefast

    [spanning-tree summary output excerpt; columns: Vlan, Blocking, Listening, Learning, Forwarding, STP Active; per-VLAN rows, a Total row, and BackboneFast statistics ...]
  • Page 240: Disabling Loop Guard

    This example shows how to enable loop guard: Console> (enable) set spantree guard loop 5/1 / Rootguard is enabled on port 5/1, enabling loopguard will disable rootguard on this port. / Do you want to continue (y/n) [n]? y / Loopguard on port 5/1 is enabled.
  • Page 241 Chapter 10: Configuring VTP. This chapter describes how to configure the VLAN Trunking Protocol (VTP) on the Catalyst 6500 series switches. Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 242: Configuring Vtp

    Chapter 10 Configuring VTP, Understanding How VTP Version 1 and Version 2 Work: These sections describe how VTP works: • Understanding the VTP Domain, page 10-2 • Understanding VTP Modes, page 10-2 • Understanding VTP Advertisements, page 10-3 • Understanding VTP Version 2, page 10-3 ...
  • Page 243: Understanding Vtp Advertisements

    • Transparent—VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements.
  • Page 244: Understanding Vtp Pruning

    • Consistency Checks—In VTP version 2, VLAN consistency checks (such as VLAN names and values) are performed only when you enter new information through the CLI or SNMP. Consistency checks are not performed when new information is obtained from a VTP message, or when information is read from NVRAM.
  • Page 245: Default Vtp Version 1 And Version 2 Configuration

    Figure 10-2 shows the same switched network with VTP pruning enabled. The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on the links indicated (port 5 on Switch 2 and port 4 on Switch 4).
  • Page 246: Configuring Vtp Version 1 And Version 2

    • All switches in a VTP domain must run the same VTP version. • You must configure a password on each switch in the management domain when you are in secure ...
  • Page 247: Configuring a VTP Client

    Chapter 10 Configuring VTP Configuring VTP Version 1 and Version 2
    Step 1  Define the VTP domain name: set vtp domain name
    Step 2  Place the switch in VTP server mode: set vtp mode server
    Step 3  (Optional) Set a password for the VTP domain: set vtp passwd passwd
    Step 4  Verify the VTP configuration.
  • Page 248: Configuring VTP (VTP Transparent Mode)

    Chapter 10 Configuring VTP Configuring VTP Version 1 and Version 2
    VLAN           Client
    Pruning            : disabled
    VLANs prune eligible: 2-1000
    Console> (enable)
    Configuring VTP (VTP Transparent Mode) When you configure the switch as VTP transparent, you disable VTP on the switch. A VTP transparent switch does not send VTP updates and does not act on VTP updates that are received from other switches.
  • Page 249: Enabling VTP Version 2

    Chapter 10 Configuring VTP Configuring VTP Version 1 and Version 2
    Step 1  Disable VTP using the off mode: set vtp mode off
    Step 2  Verify the VTP configuration: show vtp domain
    This example shows how to disable VTP using the off mode: Console> ...
  • Page 250: Disabling VTP Version 2

    Chapter 10 Configuring VTP Configuring VTP Version 1 and Version 2
    Version : running VTP2 (VTP3 capable)
    Domain Name : Lab_Network
    Password : configured (hidden)
    Notifications: disabled
    Updater ID: 172.20.52.19
    Feature        Mode           Revision
    -------------- -------------- -----------
    VLAN
    Pruning            : disabled
    VLANs prune eligible: 2-1000
    Console> ...
  • Page 251: Show Trunk

    Chapter 10 Configuring VTP Configuring VTP Version 1 and Version 2
    Step 4  Verify the VTP pruning configuration: show vtp domain
    Step 5  Verify that the appropriate VLANs are being pruned on trunk ports: show trunk
    This example shows how to enable VTP pruning in the management domain and how to make VLANs 2–99, 250–255, and 501–1000 pruning eligible on the particular device: Console> ...
  • Page 252: Disabling VTP Pruning

    Chapter 10 Configuring VTP Understanding How VTP Version 3 Works Disabling VTP Pruning To disable VTP pruning, perform this task in privileged mode:
    Step 1  Disable VTP pruning in the management domain: set vtp pruning disable
    Step 2  Verify that VTP pruning is disabled.
  • Page 253: VTP Version 3 Authentication

    Chapter 10 Configuring VTP Understanding How VTP Version 3 Works
    • Support for extended VLANs.
    • Support for the creation and advertising of private VLANs.
    • Support for VLAN instances and MST mapping propagation instances.
    • Improved server authentication.
    • Protection from the “wrong” database accidentally being inserted into a VTP domain.
    • ...
  • Page 254: VTP Version 3 Per-Port Configuration

    Chapter 10 Configuring VTP Understanding How VTP Version 3 Works
    – If you try to configure the switch as a primary server, you are prompted for the password. If your password matches the secret password, the switch becomes a primary server allowing you to configure the domain.
  • Page 255 In Figure 10-4, the Cisco VTP domain is partitioned between switches accepting server X or server Y as a primary server. The switches that are from different partitions do not exchange database information even though they are part of the same domain. If server X changes the VTP configuration, only the left partition of the network accepts it.
  • Page 256 Chapter 10 Configuring VTP Understanding How VTP Version 3 Works Figure 10-4 VTP Version 3: Partitioned VTP Domain (domain Cisco split into one partition following Primary Server X and another following Primary Server Y) Partitions exist because of discrepancies in the domain configuration that cannot automatically be resolved by VTP.
  • Page 257: VTP Version 3 Modes

    Chapter 10 Configuring VTP Understanding How VTP Version 3 Works Figure 10-5 VTP Version 3: Reconfiguring a Partitioned VTP Domain (one VTP instance with partitions W, X, Y and Z) Initiating a takeover is a critical operation due to the following reasons:
    • ...
  • Page 258: Client Mode

    Chapter 10 Configuring VTP Understanding How VTP Version 3 Works Switches running VTP version 3 have the following common characteristics:
    • They accept only VTP packets from the same VTP domain.
    • If they do not have a primary server, they accept the primary server that is associated with the first ...
  • Page 259: VTP Version 3 Databases

    Chapter 10 Configuring VTP Understanding How VTP Version 3 Works Primary Server The primary server can initiate or change the VTP configuration. To reach the primary server state, you must issue a successful takeover from the switch. The takeover is propagated to the entire domain. All other potential primary servers in the domain resign to secondary server mode to ensure that there is only one primary server in the VTP domain.
  • Page 260 Chapter 10 Configuring VTP Understanding How VTP Version 3 Works
    • When you move from VTP version 1 to VTP version 3, the VLAN database and MST database are not deleted but they are marked invalid because they have been generated by a VTP version 1 server, not by a VTP version 3 primary server.
  • Page 261: Default VTP Version 3 Configuration

    Chapter 10 Configuring VTP Default VTP Version 3 Configuration Note: You should configure VTP version 1 and VTP version 2 switches as clients to allow them to work properly with VTP version 3. See the “Limitations” section on page 10-21 for more information.
  • Page 262: Configuring VTP Version 3

    Chapter 10 Configuring VTP Configuring VTP Version 3 Table 10-2 VTP Version 3 Default Configuration
    Feature                       Default Value
    VTP domain name               Null
    VTP mode                      Server
    VTP version 3 enable state    Version 1 is enabled
    VTP password                  None
    VTP pruning                   Disabled
    With these defaults (server mode, no password, null domain name) a freshly installed switch joins the first VTP domain it hears on a trunk and accepts unauthenticated updates from it, which is why the configuration tasks set the domain name and password before anything else.
    Configuring VTP Version 3 These sections describe how to configure VTP version 3: Enabling VTP Version 3, page 10-22 ...
  • Page 263: Changing VTP Version 3 Modes

    Chapter 10 Configuring VTP Configuring VTP Version 3
    Version : running VTP3
    Domain Name : ENG
    Password : configured
    Notifications: disabled
    Switch ID : 00d0.004c.1800
    Feature        Mode           Revision   Primary ID     Primary Description
    -------------- -------------- ---------- -------------- ----------------------
    VLAN           Server                    0000.0000.0000
                   Transparent
    UNKNOWN        Transparent
    ...
  • Page 264 Chapter 10 Configuring VTP Configuring VTP Version 3
    VTP3 domain map1 modified
    Console> (enable) show vtp domain
    Version : running VTP3
    Domain Name : ENG
    Password : configured
    Notifications: disabled
    Switch ID : 00d0.004c.1800
    Feature        Mode           Revision   Primary ID     Primary Description
    -------------- -------------- ---------- -------------- ----------------------
    VLAN           Server ...
  • Page 265 Chapter 10 Configuring VTP Configuring VTP Version 3
    Feature        Mode           Revision   Primary ID     Primary Description
    -------------- -------------- ---------- -------------- ----------------------
    VLAN           Client                    0000.0000.0000
                   Server                    0000.0000.0000
    UNKNOWN        Transparent
    Pruning            : disabled
    VLANs prune eligible: 2-1000
    Console> (enable)
    Configuring VTP Version 3 Transparent Mode When you configure the switch as VTP transparent, you disable VTP on the switch.
  • Page 266: Configuring VTP Version 3 Passwords

    Chapter 10 Configuring VTP Configuring VTP Version 3
    Step 1  Disable VTP using the off mode: set vtp mode off
    Step 2  Verify the VTP configuration: show vtp domain
    This example shows how to disable VTP using the off mode: Console> ...
  • Page 267: Configuring a VTP Version 3 Takeover

    Chapter 10 Configuring VTP Configuring VTP Version 3 This example shows how to configure a VTP password and verify the configuration:
    Console> (enable) set vtp passwd toto
    Generating the secret associated to the password.
    VTP3 domain server modified
    Console> (enable) show config
    set vtp passwd toto
    Console> ...
    Note that show config echoes the password in clear text, so saved and displayed configurations must be handled as sensitive material.
  • Page 268: Disabling VTP Version 3 on a Per-Port Basis

    Chapter 10 Configuring VTP Configuring VTP Version 3 If you do not specify the force keyword, the switch tries to discover some conflicting servers in the domain. Conflicting servers follow a different primary server than the one in the configuration of the local switch.
  • Page 269: VTP Version 3 Show Commands

    Chapter 10 Configuring VTP Configuring VTP Version 3 Use the set port vtp mod/port {enable | disable} command to enable or disable all VTP interaction on a per-port basis. This capability might be used on trunks leading to nontrusted hosts. When a port is disabled, no VTP packets are sent on the port, and any VTP packets that are received on the port are dropped.
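A check a practitioner would run over the show vtp domain output shown on pages 250 and 263, combined with the per-port disable described just above. This is an added example, not code from the Cisco guide: it parses the dump, flags server or client mode without a domain password, a VTP version below 3 (no primary server, so the highest configuration revision in the domain wins) and a null domain name, and emits the CatOS commands that close the gaps. The two dumps are constructed in the guide's column layout; the exact spacing, the "not configured" wording for a missing password, the trunk ports 3/1 and 3/2 and the password placeholder are assumptions.

```python
"""Audit a Catalyst OS `show vtp domain` dump (added example, not Cisco code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed: a VTP version 2 server that still has no domain password.
SHOW_VTP_V2 = """\
Version : running VTP2 (VTP3 capable)
Domain Name : Lab_Network          Password : not configured
Notifications: disabled            Updater ID: 172.20.52.19

Feature        Mode           Revision
-------------- -------------- -----------
VLAN           Server         5

Pruning            : disabled
VLANs prune eligible: 2-1000
"""

# Constructed: a VTP version 3 primary server with a password set.
SHOW_VTP_V3 = """\
Version : running VTP3
Domain Name : ENG                   Password : configured
Notifications: disabled             Switch ID : 00d0.004c.1800

Feature        Mode           Revision   Primary ID     Primary Description
-------------- -------------- ---------- -------------- ----------------------
VLAN           Server         3          00d0.004c.1800 switch1
MST            Transparent
UNKNOWN        Transparent

Pruning            : disabled
VLANs prune eligible: 2-1000
"""


@dataclass
class VtpState:
    version: int
    domain: str
    password_set: bool
    vlan_mode: str        # server, client, transparent or off (lower-case)
    switch_id: str = ""   # VTP version 3 only
    primary_id: str = ""  # VTP version 3 only


def parse_show_vtp_domain(text: str) -> VtpState:
    """Pull the fields the audit needs out of the dump."""
    version = int(re.search(r"running VTP(\d)", text).group(1))
    dom = re.search(r"Domain Name\s*:(.*?)(?:Password|$)", text, re.M)
    domain = dom.group(1).strip() if dom else ""
    pw = re.search(r"Password\s*:\s*(\S+)", text)
    password_set = bool(pw) and pw.group(1).lower() == "configured"
    mode, primary = "unknown", ""
    for line in text.splitlines():
        cols = line.split()
        if cols and cols[0] == "VLAN":        # the VLAN feature row of the table
            mode = cols[1].lower()
            if len(cols) >= 4:                # version 3 adds the Primary ID column
                primary = cols[3]
    sw = re.search(r"Switch ID\s*:\s*(\S+)", text)
    return VtpState(version, domain, password_set, mode,
                    sw.group(1) if sw else "", primary)


def audit(state: VtpState) -> list[str]:
    """Findings, most severe first."""
    findings = []
    participating = state.vlan_mode in ("server", "client")
    if participating and not state.password_set:
        findings.append(f"HIGH: VTP {state.vlan_mode} mode with no domain password; "
                        f"any neighbour claiming domain '{state.domain}' can change VLANs")
    if participating and state.version < 3:
        findings.append(f"MEDIUM: VTP version {state.version} has no primary server; "
                        "the highest configuration revision wins, whoever sends it")
    if participating and not state.domain:
        findings.append("MEDIUM: null domain name; the switch adopts the first "
                        "domain name it hears on a trunk")
    if (state.version == 3 and state.vlan_mode == "server"
            and state.primary_id and state.primary_id == state.switch_id):
        findings.append("INFO: this switch is the VTP version 3 primary server; "
                        "edits here propagate to the whole domain")
    return findings


def hardening_commands(state: VtpState, untrusted_trunks=(),
                       password="replace-me") -> list[str]:
    """CatOS commands that close the findings (the password value is a placeholder)."""
    cmds = []
    if state.vlan_mode in ("server", "client") and not state.password_set:
        cmds.append(f"set vtp passwd {password}")
    if state.version >= 3:   # per-port VTP disable exists with VTP version 3 (page 269)
        cmds.extend(f"set port vtp {port} disable" for port in untrusted_trunks)
    return cmds


if __name__ == "__main__":
    for dump in (SHOW_VTP_V2, SHOW_VTP_V3):
        state = parse_show_vtp_domain(dump)
        print(state, *audit(state), *hardening_commands(state, ["3/1", "3/2"]), sep="\n")
```

The per-port commands are only emitted for VTP version 3, because that is where the guide documents set port vtp; on a version 1 or 2 switch the equivalent protection is to take the switch out of the domain with set vtp mode transparent.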
  • Page 270 Chapter 10 Configuring VTP Configuring VTP Version 3 Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 10-30 OL-8978-04...
  • Page 271: Configuring VLANs

    CHAPTER Configuring VLANs This chapter describes how to configure VLANs for the Catalyst 6500 series switches. Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 272: VLAN Ranges

    Figure (VLANs as Logically Defined Networks): Engineering, Marketing and Accounting VLANs spread across Floors 1, 2 and 3, with a Cisco router attached over Fast Ethernet. VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN. The traffic between the VLANs must be routed. Port VLAN membership on the switch is assigned manually on a port-by-port basis.
  • Page 273: Configurable VLAN Parameters

    Chapter 11 Configuring VLANs Understanding How VLANs Work
    • Extended-range VLANs: 1025–4094
    Note: With VTP version 3, you can manage VLANs 1006–4094. These VLANs are propagated with VTP version 3.
    Configurable VLAN Parameters Whenever you create or modify VLANs 2–1005, you can set the parameters as follows (Ethernet VLANs 1 and 1025–4094 can use the defaults only):
  • Page 274: Configuring VLANs on the Switch

    Chapter 11 Configuring VLANs Configuring VLANs on the Switch Table 11-1 VLAN Default Configuration
    Feature                  Default Value
    Native (default) VLAN    VLAN 1
    Port VLAN assignments    All ports assigned to VLAN 1; Token Ring ports assigned to VLAN 1003 (trcrf-default)
    VLAN state               Active
    MTU size                 1500 bytes
    ...
  • Page 275: Normal-Range VLAN Configuration Guidelines

    Chapter 11 Configuring VLANs Configuring VLANs on the Switch Normal-Range VLAN Configuration Guidelines This section describes the guidelines for creating and modifying the user VLANs in your network: • The default VLAN type is Ethernet; if you do not specify a VLAN type, the VLAN will be an Ethernet VLAN.
  • Page 276: Modifying Normal-Range VLANs

    Chapter 11 Configuring VLANs Configuring Extended-Range VLANs on the Switch
    VLAN Type  SAID    MTU   Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
    ---- ----- ------- ----- ------ ------ ------ --- -------- ------ ------
         enet  100500  1500
         enet  100501  1500
         enet  100502  1500
         enet  100503  1500
    ...
  • Page 277: Creating Extended-Range VLANs

    VLAN 1006. If you use these devices, you must allow the required number of VLANs for them. If not enough VLANs are available for the FlexWAN module, some ports may not work. Note: Refer to the Catalyst 6500 Series and Cisco 7600 Series Router FlexWAN Module Installation and Configuration Note for more information.
  • Page 278: Mapping VLANs to VLANs

    ISL trunks now support the entire VLAN range (1 to 4094). You can map the VLANs from the 802.1Q trunks that are connected to the VLANs on the non-Cisco devices to the ISL trunks that are connected to the other VLANs on the Catalyst 6500 series switches.
  • Page 279: Mapping 802.1Q VLANs to ISL VLANs

    Mapping VLANs to VLANs Mapping 802.1Q VLANs to ISL VLANs Your network might have non-Cisco devices that are connected to the Catalyst 6500 series switches through the 802.1Q trunks. The valid range of the user-configured Inter-Switch Link (ISL) VLANs is 1–1000 (and 1002–1005) and 1025–4094.
  • Page 280: Deleting 802.1Q-to-ISL VLAN Mappings

    Chapter 11 Configuring VLANs Allocating Internal VLANs
    Console> (enable) set vlan mapping dot1q 4000 isl 400
    Vlan mapping successful
    Console> (enable) show vlan mapping
    802.1q vlan ISL vlan Effective
    ------------------------------------------
    2000                 true
    3000                 true
    4000        400      true
    Console> (enable)
    Deleting 802.1Q-to-ISL VLAN Mappings To delete an 802.1Q-to-ISL VLAN mapping, perform this task in privileged mode: Task Command ...
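Range checks and mapping validation for the 802.1Q-to-ISL mapping shown above and for the VLAN ranges on page 273, added here as an example and not code from the Cisco guide. The ranges follow the guide (normal 1–1005, reserved 1006–1024, extended 1025–4094; user-configurable ISL VLANs 1–1000, 1002–1005 and 1025–4094; at most eight global VLAN mappings per page 285); the one-to-one rule for mapping targets is this script's own sanity check. The sample show vlan mapping output is constructed in the guide's column layout; the ISL values 200 and 300 are made up.

```python
"""VLAN range classification and 802.1Q-to-ISL mapping validation
(added example, not Cisco code)."""
from __future__ import annotations

NORMAL = range(1, 1006)         # 1-1005: carried by VTP version 1 and 2
RESERVED = range(1006, 1025)    # 1006-1024: not user-configurable
EXTENDED = range(1025, 4095)    # 1025-4094
ISL_USER = (range(1, 1001), range(1002, 1006), range(1025, 4095))  # page 279
MAX_GLOBAL_MAPPINGS = 8         # page 285

# Constructed `show vlan mapping` output (ISL values 200/300 are made up).
SHOW_VLAN_MAPPING = """\
802.1q vlan ISL vlan Effective
------------------------------------------
2000        200      true
3000        300      true
4000        400      true
"""


def classify_vlan(vid: int) -> str:
    if vid in NORMAL:
        return "normal"
    if vid in RESERVED:
        return "reserved"
    if vid in EXTENDED:
        return "extended"
    raise ValueError(f"VLAN {vid} is outside 1-4094")


def vtp_can_manage(vid: int, vtp_version: int) -> bool:
    """VTP versions 1 and 2 carry VLANs 1-1005; version 3 also manages
    1006-4094 (page 273)."""
    return vid in NORMAL or (vtp_version == 3 and 1006 <= vid <= 4094)


def validate_mappings(mappings: dict[int, int]) -> list[str]:
    """mappings: 802.1Q VLAN -> ISL VLAN. Returns the problems found."""
    problems = []
    if len(mappings) > MAX_GLOBAL_MAPPINGS:
        problems.append(f"{len(mappings)} mappings exceed the limit of {MAX_GLOBAL_MAPPINGS}")
    targets: dict[int, int] = {}
    for dot1q, isl in mappings.items():
        if not 1 <= dot1q <= 4094:
            problems.append(f"802.1Q VLAN {dot1q} is outside 1-4094")
        if not any(isl in r for r in ISL_USER):
            problems.append(f"ISL VLAN {isl} is not user-configurable "
                            "(allowed: 1-1000, 1002-1005, 1025-4094)")
        if isl in targets:   # one-to-one check, this script's own rule
            problems.append(f"ISL VLAN {isl} is already the target of 802.1Q VLAN {targets[isl]}")
        targets[isl] = dot1q
    return problems


def mapping_commands(mappings: dict[int, int]) -> list[str]:
    """The CatOS commands for a validated mapping set (page 280 syntax)."""
    return [f"set vlan mapping dot1q {q} isl {i}" for q, i in sorted(mappings.items())]


def parse_show_vlan_mapping(text: str) -> dict[int, tuple[int, bool]]:
    """802.1Q VLAN -> (ISL VLAN, effective) from `show vlan mapping` output."""
    rows = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 3 and cols[0].isdigit() and cols[1].isdigit():
            rows[int(cols[0])] = (int(cols[1]), cols[2].lower() == "true")
    return rows


if __name__ == "__main__":
    wanted = {2000: 200, 3000: 300, 4000: 400}
    print(validate_mappings(wanted) or mapping_commands(wanted))
    print(parse_show_vlan_mapping(SHOW_VLAN_MAPPING))
```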
  • Page 281 Chapter 11 Configuring VLANs Assigning Switch Ports to a VLAN Note: Make sure that you assign the switch ports to a VLAN of the proper type. For example, assign the Ethernet, Fast Ethernet, and Gigabit Ethernet ports to the Ethernet-type VLANs. To assign one or more switch ports to a VLAN, perform this task in privileged mode: Task Command ...
  • Page 282: Enabling or Disabling VLAN Port-Provisioning Verification

    Chapter 11 Configuring VLANs Enabling or Disabling VLAN Port-Provisioning Verification Enabling or Disabling VLAN Port-Provisioning Verification When VLAN port-provisioning verification is enabled, you must specify the VLAN name in addition to the VLAN number when assigning the switch ports to the VLANs. Because you are required to specify both the VLAN name and the VLAN number, this verification feature helps to ensure that the ports are not inadvertently placed in the wrong VLAN.
  • Page 283: Deleting a VLAN

    Chapter 11 Configuring VLANs Deleting a VLAN This example shows how to add port 3/17 to VLAN 150 with VLAN port-provisioning verification enabled:
    Console> (enable) set vlan 150 name Eng
    VTP advertisements transmitting temporarily stopped, and will resume after the command finishes.
    Vlan 150 configuration successful
    Console> ...
  • Page 284: Configuring VLAN Mappings on a Per-Port or Per-ASIC Basis

    Chapter 11 Configuring VLANs Configuring VLAN Mappings on a Per-Port or Per-ASIC Basis Configuring VLAN Mappings on a Per-Port or Per-ASIC Basis These sections describe how to configure VLAN mapping on a per-port or per-ASIC basis:
    • Understanding VLAN Mapping, page 11-14
    • ...
  • Page 285 Chapter 11 Configuring VLANs Configuring VLAN Mappings on a Per-Port or Per-ASIC Basis Global VLAN mapping supports a maximum of eight VLANs. If VLAN X is mapped to VLAN Y, VLAN Y is mapped to a discarded VLAN internally. Per-port/per-ASIC VLAN mapping does not work that way.
  • Page 286 Chapter 11 Configuring VLANs Configuring VLAN Mappings on a Per-Port or Per-ASIC Basis Before designing your spanning-tree topology, you should take into account the way in which VLANs are merged. You should clear the source VLAN from the port on which VLAN mapping is enabled and clear the translated VLAN from the neighboring end.
  • Page 287: Enabling or Disabling VLAN Mapping on an Individual Port

    Chapter 11 Configuring VLANs Configuring VLAN Mappings on a Per-Port or Per-ASIC Basis 4. WS-X6748-SFP does not have per-ASIC VLAN mapping. VLAN mapping is per-two ASICs: Ports 1 through 24 and ports 25 through 48 (instead of only 12 ports per ASIC). 5.
  • Page 288: Clearing the VLAN Mapping

    Chapter 11 Configuring VLANs Configuring VLAN Mappings on a Per-Port or Per-ASIC Basis To configure VLAN mapping on an individual port, perform this task in privileged mode:
    Step 1  Enable the port VLAN mapping: set port vlan-mapping mod/port {enable | disable}
    Step 2  Configure VLAN mapping on an individual port.
  • Page 289: Displaying the VLAN Mapping Information

    Chapter 11 Configuring VLANs Configuring Private VLANs on the Switch To clear VLAN mapping, perform this task in privileged mode:
    Clear VLAN mapping: clear port vlan-mapping mod/port all
                        clear port vlan-mapping mod/port [source-vlan-id]
                        clear port vlan-mapping all
    This example shows how to clear the VLAN mapping from port 7/1:
    Console>(enable) clear port vlan-mapping 7/1 2002
    VLAN mapping for VLAN 2002 removed from port 7/1-12.
    Note the response: the command names port 7/1, but the mapping is removed from ports 7/1-12, the whole ASIC group, so clearing a mapping on one port changes every port that shares its ASIC.
  • Page 290: Understanding How Private VLANs Work

    Chapter 11 Configuring VLANs Configuring Private VLANs on the Switch Understanding How Private VLANs Work The private VLANs provide the Layer-2 isolation between the ports within the same private VLAN on the Catalyst 6500 series switches. The ports that belong to a private VLAN are associated with a common set of supporting VLANs that are used to create the private VLAN structure.
  • Page 291: Private VLAN Configuration Guidelines

    Chapter 11 Configuring VLANs Configuring Private VLANs on the Switch To create a private VLAN, you assign two or more normal VLANs in the normal VLAN range: one VLAN is designated as a primary VLAN, and a second VLAN is designated as either an isolated, community, or two-way community VLAN.
  • Page 292 Chapter 11 Configuring VLANs Configuring Private VLANs on the Switch
    • You have the option of using the private VLAN communities, but you need to designate a community VLAN for each community.
    • Bind the isolated and/or community VLAN(s) to the primary VLAN and assign the isolated or ...
  • Page 293 Chapter 11 Configuring VLANs Configuring Private VLANs on the Switch Table 11-3 Modules with Ports Listed by ASIC Groups
    Module Number          Description                                          Ports by ASIC
    WS-X6224-100FX-MT      24-port 100BASE-FX multimode, MT-RJ                  Ports 1–12; Ports 13–24
    WS-X6324-100FX-SM,     24-port 100BASE-FX single mode or multimode, MT-RJ   Ports 1–12; Ports 13–24
    WS-X6324-100FX-MM
    ...
  • Page 294 VLAN in order to be applied to all outgoing traffic from the MSFC. • If you map a Cisco IOS ACL to a primary VLAN, the Cisco IOS ACL automatically maps to the associated isolated and community VLANs. You cannot map the Cisco IOS ACLs to an isolated or community VLAN.
  • Page 295: Creating a Primary Private VLAN

    Chapter 11 Configuring VLANs Configuring Private VLANs on the Switch Creating a Primary Private VLAN To create a primary private VLAN, perform this task in privileged mode:
    Step 1  Create the primary private VLAN: set vlan vlan pvlan-type primary
    Step 2  Set the isolated, community, or two-way community VLAN: set vlan vlan pvlan-type {isolated | community ...
  • Page 296 Chapter 11 Configuring VLANs Configuring Private VLANs on the Switch This example shows how to specify VLAN 901 as the isolated VLAN and VLANs 902 and 903 as community VLANs:
    Console> (enable) set vlan 901 pvlan-type isolated
    Vlan 901 configuration successful
    Console> ...
  • Page 297: Viewing the Port Capability of a Private VLAN Port

    Chapter 11 Configuring VLANs Configuring Private VLANs on the Switch
    Console> (enable) show vlan 902
    VLAN Name                             Status    IfIndex Mod/Ports, Vlans
    ---- -------------------------------- --------- ------- ------------------------
         VLAN0007                         active            4/4-6
    VLAN Type  SAID    MTU   Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
    ---- ----- ------- ----- ------ ------ ------ --- -------- ------ ------
         enet  100010  1500
    ...
  • Page 298: Deleting a Private VLAN

    Chapter 11 Configuring VLANs Configuring Private VLANs on the Switch
    Console> (enable) show pvlan capability 3/1
    Port 3/1 cannot be made a private vlan port due to:
    ------------------------------------------------------
    Promiscuous ports cannot be made private vlan ports.
    Console> (enable) show pvlan capability 5/1
    Ports 5/1 - 5/12 are in the same ASIC range as port 5/1.
    ...
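A model of the isolation rules that the private VLAN sections above describe (pages 290 to 296), the "Promiscuous ports cannot be made private vlan ports" rule reported by show pvlan capability, and the effect of deleting a secondary VLAN from page 299. This is an added example, not code from the Cisco guide. VLAN numbers follow the guide's example (901 isolated, 902 and 903 community); the primary VLAN 900, the port numbers and the promiscuous uplink 5/1 are constructed. Two-way community VLANs are treated like community VLANs for the forwarding decision, which is an assumption; the per-ASIC grouping from Table 11-3 is not modelled.

```python
"""Private VLAN forwarding model (added example, not Cisco code)."""
from __future__ import annotations

from dataclasses import dataclass, field

ISOLATED, COMMUNITY, TWO_WAY_COMMUNITY = "isolated", "community", "two-way community"


@dataclass
class PrivateVlan:
    primary: int
    secondaries: dict[int, str] = field(default_factory=dict)       # VID -> type
    secondary_ports: dict[str, int] = field(default_factory=dict)   # port -> VID
    promiscuous: dict[str, set[int]] = field(default_factory=dict)  # port -> mapped VIDs
    inactive: set[str] = field(default_factory=set)

    def bind(self, vid: int, kind: str) -> None:
        """set vlan <vid> pvlan-type <kind>, bound to this primary VLAN."""
        if kind not in (ISOLATED, COMMUNITY, TWO_WAY_COMMUNITY):
            raise ValueError(f"unknown private VLAN type {kind!r}")
        self.secondaries[vid] = kind

    def add_port(self, port: str, vid: int) -> None:
        """Make `port` an isolated or community port in secondary VLAN `vid`."""
        if vid not in self.secondaries:
            raise ValueError(f"VLAN {vid} is not bound to primary {self.primary}")
        if port in self.promiscuous:   # wording from `show pvlan capability` (page 298)
            raise ValueError("Promiscuous ports cannot be made private vlan ports")
        self.secondary_ports[port] = vid

    def add_promiscuous(self, port: str, *vids: int) -> None:
        """set pvlan mapping <primary> <vid> <port>: the promiscuous port reaches `vids`."""
        if port in self.secondary_ports:
            raise ValueError(f"{port} is already a private VLAN port")
        for vid in vids:
            if vid not in self.secondaries:
                raise ValueError(f"VLAN {vid} is not bound to primary {self.primary}")
        self.promiscuous.setdefault(port, set()).update(vids)

    def delete_secondary(self, vid: int) -> None:
        """Page 299: the binding breaks, member ports go inactive and the
        promiscuous mappings to the VLAN are removed."""
        del self.secondaries[vid]
        self.inactive.update(p for p, v in self.secondary_ports.items() if v == vid)
        for mapped in self.promiscuous.values():
            mapped.discard(vid)

    def can_forward(self, src: str, dst: str) -> bool:
        """May a frame that enters on `src` leave on `dst` at Layer 2?"""
        for port in (src, dst):
            if port not in self.secondary_ports and port not in self.promiscuous:
                raise ValueError(f"{port} is not in private VLAN {self.primary}")
        if src == dst or src in self.inactive or dst in self.inactive:
            return False
        s_prom, d_prom = src in self.promiscuous, dst in self.promiscuous
        if s_prom and d_prom:          # both on the primary VLAN
            return True
        if s_prom or d_prom:           # promiscuous <-> secondary needs a mapping
            prom, sec = (src, dst) if s_prom else (dst, src)
            return self.secondary_ports[sec] in self.promiscuous[prom]
        s_vid, d_vid = self.secondary_ports[src], self.secondary_ports[dst]
        if self.secondaries[s_vid] == ISOLATED:   # isolated ports see only promiscuous ports
            return False
        return s_vid == d_vid          # community ports talk within their own community


def demo() -> PrivateVlan:
    """Primary 900 with isolated 901 and communities 902/903 (ports constructed)."""
    pv = PrivateVlan(primary=900)
    pv.bind(901, ISOLATED)
    pv.bind(902, COMMUNITY)
    pv.bind(903, COMMUNITY)
    for port in ("3/1", "3/2"):
        pv.add_port(port, 901)
    for port in ("4/4", "4/5"):
        pv.add_port(port, 902)
    pv.add_port("4/6", 903)
    pv.add_promiscuous("5/1", 901, 902, 903)   # e.g. the uplink to the default gateway
    return pv


if __name__ == "__main__":
    pv = demo()
    for pair in (("3/1", "3/2"), ("3/1", "5/1"), ("4/4", "4/5"), ("4/4", "4/6")):
        print(pair, pv.can_forward(*pair))
```

The model makes the two operational consequences explicit: an isolated port cannot reach another isolated port even in the same isolated VLAN, and deleting a community VLAN silently takes its ports out of service and drops the promiscuous mappings, so the hosts behind them lose their gateway until the VLAN is re-created and re-bound.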
  • Page 299: Deleting an Isolated, Community, or Two-Way Community VLAN

    Chapter 11 Configuring VLANs Configuring Private VLANs on the Switch Deleting an Isolated, Community, or Two-Way Community VLAN If you delete an isolated, community, or two-way community VLAN, the binding with the primary VLAN is broken, any isolated, community, or two-way community ports that are associated to the VLAN become inactive, and any related mappings on the promiscuous port(s) are deleted.
  • Page 300: Private VLAN Support on the MSFC

    Chapter 11 Configuring VLANs Configuring FDDI VLANs on the Switch Private VLAN Support on the MSFC These items describe the private VLAN support on the MSFC:
    • Enter the show pvlan command to display information about the private VLANs. The show pvlan command displays information about the private VLANs only when the primary private VLAN is ...
    • Entering the set pvlan mapping or the clear pvlan mapping command on the supervisor engine ...
  • Page 301: Configuring Token Ring VLANs on the Switch

    Chapter 11 Configuring VLANs Configuring Token Ring VLANs on the Switch To modify the VLAN parameters on an existing FDDI VLAN, perform this task in privileged mode:
    Step 1  Modify an existing FDDI or FDDI NET-type VLAN: set vlan vlan [name name] [state {active | ...
  • Page 302: Understanding How Token Ring TrCRF VLANs Work

    Chapter 11 Configuring VLANs Configuring Token Ring VLANs on the Switch For source routing, the switch appears as a single bridge between the logical rings. The TrBRF can function as a source-route bridge (SRB) or as a source-route transparent (SRT) bridge running either the IBM or IEEE STP.
  • Page 303 Chapter 11 Configuring VLANs Configuring Token Ring VLANs on the Switch Note: By default, the Token Ring ports are associated with the default TrCRF (VLAN 1003, trcrf-default), which has the default TrBRF (VLAN 1005, trbrf-default) as its parent. In this configuration, a distributed TrCRF is possible (see Figure 11-5), and the traffic is passed between the default TrCRFs that are located ...
  • Page 304: Token Ring VLAN Configuration Guidelines

    Chapter 11 Configuring VLANs Configuring Token Ring VLANs on the Switch Token Ring VLAN Configuration Guidelines This section describes the guidelines for creating or modifying the Token Ring VLANs: • For the Token Ring VLANs, the default TrBRF (VLAN 1005) can only be the parent of the default TrCRF (VLAN 1003).
  • Page 305: Creating or Modifying a Token Ring TrCRF VLAN

    Chapter 11 Configuring VLANs Configuring Token Ring VLANs on the Switch Creating or Modifying a Token Ring TrCRF VLAN Note You must enable VTP version 2 before you create the Token Ring VLANs. For information on enabling VTP version 2, see Chapter 10, “Configuring VTP.”...
  • Page 306 Chapter 11 Configuring VLANs Configuring Token Ring VLANs on the Switch Caution: If the backup TrCRF port is attached to a Token Ring multistation access unit (MSAU), it does not provide a backup path unless the ring speed and port mode are set by another device. We recommend that you configure the ring speed and port mode for the backup TrCRF.
  • Page 307: Configuring VLANs for the Firewall Services Module

    Vlan 3 declared secure for firewall module 5
    Console> (enable)
    Note: For detailed Firewall Services Module configuration information, refer to the Firewall Services Module documentation at this URL: http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html
  • Page 309: Configuring InterVLAN Routing

    CHAPTER Configuring InterVLAN Routing This chapter describes how to configure the Multilayer Switch Feature Card (MSFC) for interVLAN routing on the Catalyst 6500 series switches. Note: For complete syntax and usage for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 310: Configuring InterVLAN Routing on the MSFC

    Configuring InterVLAN Routing on the MSFC Note This section is for users who are familiar with Cisco IOS software and have some experience configuring Cisco IOS routing. If you are not familiar with configuring Cisco routing, refer to the Cisco IOS documentation on Cisco.com.
  • Page 311: Configuring IP InterVLAN Routing on the MSFC

    Chapter 12 Configuring InterVLAN Routing Configuring InterVLAN Routing on the MSFC Configuring IP InterVLAN Routing on the MSFC To configure interVLAN routing for IP, perform this task:
    Step 1  (Optional) Enable IP routing on the router: Router(config)# ip routing
    Step 2  (Optional) Specify an IP routing protocol: Router(config)# router ip_routing_protocol
    ...
  • Page 312: Configuring AppleTalk InterVLAN Routing on the MSFC

    Chapter 12 Configuring InterVLAN Routing Configuring InterVLAN Routing on the MSFC To configure interVLAN routing for Internetwork Packet Exchange (IPX), perform this task:
    Step 1  (Optional) Enable IPX routing on the router: Router(config)# ipx routing
    Step 2  (Optional) Specify an IPX routing protocol: Router(config)# ipx router ipx_routing_protocol
    Step 3  Specify a VLAN interface on the MSFC.
  • Page 313: Configuring MSFC Features

    Follow these guidelines when using this feature:
    • WCCP Layer 2 redirection sets the IP flow mask to full-flow mode.
    • You can configure the Cisco Cache Engine software release 2.2 or later releases to use WCCP Layer 2 redirection.
  • Page 314 Layer 2 redirection. Entering the show mls entries command on the supervisor engine displays the other packets in the Layer 2 redirected flows. Configure the Cisco IOS WCCP as described in the Cisco IOS Configuration Fundamentals Configuration Guide at this URL: http://www.cisco.com/en/US/docs/ios/12_1/configfun/configuration/guide/fcd305.html...
  • Page 315 Chapter 12 Configuring InterVLAN Routing Configuring InterVLAN Routing on the MSFC Autostate exclude mode affects all VLANs to which the port belongs and is supported on Ethernet, Fast Ethernet, and Gigabit Ethernet ports only. Note: You cannot configure both autostate exclude mode and autostate track mode on the same port. Autostate Track Mode You can use autostate track mode to track key VLAN or port connections to the MSFC.
  • Page 316 Chapter 12 Configuring InterVLAN Routing Configuring InterVLAN Routing on the MSFC Configuring Autostate Track Mode To configure autostate track mode, perform one of these tasks in privileged mode:
    Configure autostate to track the specified VLANs: set msfcautostate track [disable | enable vlan_list]
    Configure autostate to track the specified ports.
  • Page 317 Chapter 12 Configuring InterVLAN Routing Configuring InterVLAN Routing on the MSFC To check which MSM interfaces are currently autostated, perform this task in enabled mode from the MSM prompt:
    Check which MSM interfaces are currently autostated: show autostate entries
  • Page 319: Configuring CEF for PFC2 and PFC3A

    CHAPTER Configuring CEF for PFC2 and PFC3A This chapter describes how to configure Cisco Express Forwarding (CEF) for Policy Feature Card 2 (PFC2) and PFC3A on the Catalyst 6500 series switches. CEF for PFC2 provides IP and Internetwork Packet Exchange (IPX) unicast Layer 3 switching and IP multicast Layer 3 switching for Supervisor Engine 2, PFC2, and Multilayer Switch Feature Card 2 (MSFC2).
  • Page 320: Understanding How Layer 3 Switching Works

    Chapter 13 Configuring CEF for PFC2 and PFC3A Understanding How Layer 3 Switching Works Understanding How Layer 3 Switching Works These sections describe Layer 3 switching with PFC2:
    • Layer 3 Switching Overview, page 13-2
    • Understanding Layer 3-Switched Packet Rewrite, page 13-2
    • ...
  • Page 321 Chapter 13 Configuring CEF for PFC2 and PFC3A Understanding How Layer 3 Switching Works The packet rewrite alters these five fields:
    • Layer 2 (MAC) destination address
    • Layer 2 (MAC) source address
    • Layer 3 IP Time to Live (TTL) or IPX Transport Control
    • ...
  • Page 322 Chapter 13 Configuring CEF for PFC2 and PFC3A Understanding How Layer 3 Switching Works Understanding IPX Unicast Rewrite Received IPX packets are (conceptually) formatted as follows: Layer 2 frame header (Destination, Source); Layer 3 IPX header (Checksum/Length/..., Destination Net/Node/..., Source Net/Node/...); Data; FCS ...
  • Page 323: Understanding CEF for PFC2/PFC3A

    CEF for PFC2/PFC3A Overview Supervisor Engine 2, PFC2, and MSFC2 provide Layer 3 switching with CEF for PFC2. CEF for PFC2 is permanently enabled on Supervisor Engine 2. Cisco IOS CEF is permanently enabled on MSFC2 in support of CEF for PFC2.
  • Page 324 Chapter 13 Configuring CEF for PFC2 and PFC3A Understanding How Layer 3 Switching Works Understanding the Forwarding Decisions CEF for PFC2/PFC3A provides Layer 3 switching that is based on the following:
    • Entries in the ACL ternary content addressable memory (TCAM) for policy-based routing decisions
    • ...
  • Page 325 Chapter 13 Configuring CEF for PFC2 and PFC3A Understanding How Layer 3 Switching Works
    • Next-hop mask
    • Next-hop load-sharing weight
    Console> (enable) show mls entry cef
    Mod FIB-Type  Destination-IP  Destination-Mask NextHop-IP      Weight
    --- --------- --------------- ---------------- --------------- ------
    15  receive   0.0.0.0         255.255.255.255
    15  receive   ...
  • Page 326 Chapter 13 Configuring CEF for PFC2 and PFC3A Understanding How Layer 3 Switching Works Table 13-1 lists the adjacency types. Table 13-1 Adjacency Types
    connect   Entry type that contains complete rewrite information
    punt      Entry to send traffic to MSFC2/MSFC3
    no r/w    Entry to send traffic to MSFC2/MSFC3 when rewrite information is incomplete
    frc drp   ...
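The forwarding decision and the five-field rewrite described on pages 321 and 326, worked in software as an added example that is not code from the Cisco guide: a longest-prefix-match FIB whose entries carry a FIB type and an adjacency type from Table 13-1, and a rewrite that replaces the destination and source MAC addresses, decrements the TTL, recomputes the IP header checksum and regenerates the FCS. The subnets follow Figure 13-1 (Sales 171.59.1.0, Engineering 171.59.2.0, Marketing 171.59.3.0); the MAC addresses, host addresses, VLAN numbers and the extra FIB entries (receive, force-drop and default) are constructed, and punting packets whose TTL would expire to the MSFC is an assumption about the hardware path rather than something the page states.

```python
"""CEF for PFC2/PFC3A forwarding decision and packet rewrite, modelled in
software (added example, not Cisco code)."""
from __future__ import annotations

import ipaddress
import struct
import zlib
from dataclasses import dataclass

ROUTER_MAC = bytes.fromhex("00d000dd0001")   # MSFC MAC ("Dd" in Figure 13-2), constructed
HOST_A_MAC = bytes.fromhex("0000aa000001")   # Host A on the Sales VLAN, constructed
HOST_B_MAC = bytes.fromhex("0000bb000001")   # Host B on the Marketing VLAN, constructed


@dataclass
class Adjacency:
    kind: str               # connect, punt, no r/w, frc drp (Table 13-1)
    dst_mac: bytes = b""    # next-hop MAC, meaningful only for "connect"
    src_mac: bytes = b""    # router MAC written as the new source
    vlan: int = 0           # egress VLAN


class Fib:
    """Longest-prefix-match table modelling the rows of `show mls entry cef`."""

    def __init__(self) -> None:
        self.entries: list[tuple[ipaddress.IPv4Network, str, Adjacency]] = []

    def add(self, prefix: str, adjacency: Adjacency, fib_type: str = "resolved") -> None:
        self.entries.append((ipaddress.ip_network(prefix), fib_type, adjacency))

    def lookup(self, dst):
        dst, best = ipaddress.ip_address(dst), None
        for net, fib_type, adj in self.entries:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, fib_type, adj)
        return best


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum; over a complete header it yields 0 when valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32, least-significant byte first on the wire."""
    return struct.pack("<I", zlib.crc32(body))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl=64, payload=b"\0" * 8) -> bytes:
    """Ethernet II + IPv4/UDP-ish frame as a host would send it to its gateway."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 17, 0,
                      ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    body = dst_mac + src_mac + b"\x08\x00" + hdr + payload
    return body + fcs(body)


def decode(frame: bytes) -> dict:
    eth, ip = frame[:14], frame[14:34]
    return {"dst_mac": eth[:6], "src_mac": eth[6:12], "ttl": ip[8],
            "dst_ip": str(ipaddress.ip_address(ip[16:20])),
            "ip_checksum_ok": ip_checksum(ip) == 0,
            "fcs_ok": fcs(frame[:-4]) == frame[-4:]}


def layer3_switch(frame: bytes, fib: Fib):
    """Return ("forwarded", rewritten_frame) or ("punt" | "drop", reason)."""
    if fcs(frame[:-4]) != frame[-4:]:
        return "drop", "bad FCS"
    eth, ip, payload = frame[:14], frame[14:34], frame[34:-4]
    hit = fib.lookup(ipaddress.ip_address(ip[16:20]))
    if hit is None:
        return "punt", "no FIB entry"
    _net, fib_type, adj = hit
    if fib_type == "receive":                  # addressed to the router itself
        return "punt", "receive entry"
    if adj.kind == "frc drp":
        return "drop", adj.kind
    if adj.kind != "connect":                  # punt / no r/w: the MSFC handles it
        return "punt", adj.kind
    if ip[8] <= 1:                             # TTL would expire (assumption: punted for ICMP)
        return "punt", "TTL expired"
    # The five rewritten fields: dst MAC, src MAC, TTL, IP checksum, FCS.
    new_ip = ip[:8] + bytes([ip[8] - 1]) + ip[9:10] + b"\0\0" + ip[12:]
    new_ip = new_ip[:10] + struct.pack("!H", ip_checksum(new_ip)) + new_ip[12:]
    body = adj.dst_mac + adj.src_mac + eth[12:] + new_ip + payload
    return "forwarded", body + fcs(body)


def demo_fib() -> Fib:
    """Constructed FIB for the Figure 13-1 subnets."""
    fib = Fib()
    fib.add("171.59.1.1/32", Adjacency("punt"), fib_type="receive")          # Sales interface
    fib.add("171.59.3.20/32", Adjacency("connect", HOST_B_MAC, ROUTER_MAC, 30))  # Host B, ARP known
    for subnet in ("171.59.1.0/24", "171.59.2.0/24", "171.59.3.0/24"):
        fib.add(subnet, Adjacency("no r/w"))   # connected, but no host rewrite yet
    fib.add("10.0.0.0/8", Adjacency("frc drp"))
    fib.add("0.0.0.0/0", Adjacency("punt"))    # default: let the MSFC route it
    return fib
```

The order of checks mirrors what the page says about the adjacency types: a receive entry or a non-connect adjacency leaves the hardware path before any rewrite happens, and only a connect adjacency produces the new frame. Comparing decode() of the input and output shows exactly the five fields the page lists changing and nothing else.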
  • Page 327 Chapter 13 Configuring CEF for PFC2 and PFC3A Understanding How Layer 3 Switching Works Partially and Completely Switched Multicast Flows Some flows might be partially Layer 3 switched instead of completely Layer 3 switched in these situations:
    • MSFC2/MSFC3 is configured as a member of the IP multicast group (using the ip igmp join-group ...
  • Page 328 Chapter 13 Configuring CEF for PFC2 and PFC3A Understanding How Layer 3 Switching Works CEF for PFC2/PFC3A Examples Figure 13-1 shows a simple IP CEF network topology. In this example, Host A is on the Sales VLAN (IP subnet 171.59.1.0), Host B is on the Marketing VLAN (IP subnet 171.59.3.0), and Host C is on the Engineering VLAN (IP subnet 171.59.2.0).
  • Page 329: Understanding the NetFlow Statistics

    Chapter 13 Configuring CEF for PFC2 and PFC3A Understanding How Layer 3 Switching Works Figure 13-2 IPX CEF Example Topology
    Source IPX Address  Destination IPX Address  Rewrite Src/Dst MAC Address  Destination VLAN
    01.Aa               03.Bb                    Dd:Bb                        Marketing
    01.Aa               02.Cc                    Dd:Cc                        Engineering
    02.Cc               01.Aa                    Dd:Aa                        ...
  • Page 330: Default CEF for PFC2/PFC3A Configuration

    Chapter 13 Configuring CEF for PFC2 and PFC3A Default CEF for PFC2/PFC3A Configuration NetFlow statistics support unicast and multicast flows as follows:
    • A unicast flow can be any of the following:
      – Destination only: All traffic to a particular IP destination
      – ...
  • Page 331: CEF for PFC2/PFC3A Configuration Guidelines and Restrictions

    Chapter 13 Configuring CEF for PFC2 and PFC3A CEF for PFC2/PFC3A Configuration Guidelines and Restrictions Table 13-2 Default CEF for PFC2/PFC3A Configuration
    Feature                              Default Value
    CEF for PFC2 enable state            Enabled (cannot be disabled)
    CEF enable state on MSFC2/MSFC3      Enabled (cannot be disabled)
    Multicast services (IGMP snooping)   Enabled
    Multicast services (GMRP)            ...
  • Page 332: Configuring CEF for PFC2/PFC3A on the Switch

    Chapter 13 Configuring CEF for PFC2 and PFC3A Configuring CEF for PFC2/PFC3A on the Switch Note: When the ingress encapsulation for IPX traffic is SAP1, CEF for PFC2 provides Layer 3 switching only when the egress encapsulation is also SAP1. MSFC2 routes IPX SAP1 traffic that requires an encapsulation change.
  • Page 333: Displaying the Layer 3-Switching Entries on the Supervisor Engine

    Chapter 13 Configuring CEF for PFC2 and PFC3A Configuring CEF for PFC2/PFC3A on the Switch Displaying the Layer 3-Switching Entries on the Supervisor Engine CEF for PFC2/PFC3A is permanently enabled on Supervisor Engine 2 with PFC2 and MSFC2 and on Supervisor Engine 720 with PFC3A and MSFC3.
  • Page 334: Configuring CEF on MSFC2/MSFC3

    Note: The ip load-sharing per-packet, ip cef accounting per-prefix, and ip cef accounting non-recursive Cisco IOS CEF commands on MSFC2/MSFC3 apply only to traffic that is switched by CEF on MSFC2/MSFC3. The commands do not affect traffic that is switched by CEF for PFC2/PFC3A on the supervisor engine.
  • Page 335 Follow these guidelines when specifying the maximum number of routes that can be programmed in the FIB TCAM: • Routes that exceed the specified number of routes are not installed in the hardware. • Packets that take...
  • Page 336: Configuring IP Multicast on MSFC2/MSFC3

    Enabling IP MMLS on MSFC2/MSFC3 Interfaces, page 13-20 This section describes how to enable IP multicast routing on MSFC2/MSFC3. Note: For more detailed IP multicast configuration information, refer to the “IP Multicast” section of the Cisco IOS IP and IP Routing Configuration Guide at this URL: http://www.cisco.com/en/US/docs/ios/12_1/iproute/configuration/guide/ip_c.html...
  • Page 337 To enable IP multicast routing globally on MSFC2/MSFC3, perform this task in global configuration mode: Task: Enable IP multicast routing globally. Command: Router(config)# ip multicast-routing This example shows how to enable IP multicast routing globally: Router(config)# ip multicast-routing Router(config)#...
  • Page 338: Displaying IP Multicast Information

    To configure the IP MMLS threshold, perform this task: Task: Configure the IP MMLS threshold. Command: Router(config)# [no] mls ip multicast threshold ppsec This example shows how to configure the IP MMLS threshold to 10 packets per second: Router(config)# mls ip multicast threshold 10 Router(config)# Use the no keyword to deconfigure the threshold.
  • Page 339 Displaying IP Multicast Information on MSFC2/MSFC3 These sections describe displaying IP multicast information on MSFC2/MSFC3: • Displaying IP MMLS Interface Information, page 13-21 • Displaying the IP Multicast Routing Table, page 13-21...
  • Page 340 This example shows how to display the IP multicast routing table: Router# show ip mroute 239.252.1.1 IP Multicast Routing Table Flags:D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT M - MSDP created entry, X - Proxy Join Timer Running A - Advertised via MSDP...
  • Page 341 MLS Multicast statistics: Flow install Ack:9 Flow install Nack:0 Flow update Ack:2 Flow update Nack:0 Flow delete Ack:0 Complete flow install Ack:10 Complete flow install Nack:0 Complete flow delete Ack:1 Input VLAN delete Ack:4 Output VLAN delete Ack:0...
  • Page 342 Using the Debug Commands Table 13-3 describes the IP MMLS-related debug troubleshooting commands. Table 13-3 IP MMLS Debug Commands (Command: Description): [no] debug mls ip multicast group group_id group_mask: Configures filtering that applies to all other multicast debugging commands.
  • Page 343 Displaying the IP Multicast Statistics The show mls multicast statistics command displays the IP multicast statistics. To display the IP multicast statistics, perform this task: Task: Display the IP multicast statistics.
  • Page 344 Clearing the IP Multicast Statistics The clear mls multicast statistics command clears the IP multicast statistics. To clear the IP multicast statistics, perform this task in privileged mode: Task: Clear the IP multicast statistics.
  • Page 345: Configuring the NetFlow Statistics on the Switch

    This example shows how to display the IP multicast entries for a specific MSFC2/MSFC3: Console> (enable) show mls multicast entry 15 Router IP Dest IP Source IP Pkts Bytes...
  • Page 346: Specifying NetFlow Table Entry Creation on a Per-Interface Basis

    Note: This feature requires PFC3B, PFC3BXL or later. With software release 8.4(1) and later releases, you can create the NetFlow table entries on a per-interface basis.
  • Page 347: Specifying the NetFlow Table Entry Aging-Time Value

    The entry aging time for each protocol (IP and IPX) applies to all the protocol-specific NetFlow table entries. Any entry that has not been used for agingtime seconds is aged out. The default is 16 seconds. For normal aging time, you can specify the aging time in the range of 1–1092 seconds in 8-second increments.
  • Page 348: Specifying the NetFlow Table IP Entry Fast Aging Time and Packet Threshold Values

    Note: The IPX entries do not use fast aging. To increase the utilization of the NetFlow table, enable IP entry fast aging time. The IP entry fast aging time applies to the NetFlow table entries that have no more than pkt_threshold packets that are routed within fastagingtime seconds after they are created.
  • Page 349: Setting the Minimum Statistics Flow Mask

    You can set the minimum granularity of the flow mask for the NetFlow table. The actual flow mask will be at least of the granularity that is specified by this command.
  • Page 350 To display a summary of the NetFlow table entries and statistics, perform this task in privileged mode: Task: Display all the NetFlow table entries and statistics. Command: show mls
  • Page 351 The show mls statistics entry command can display all statistics or the statistics for the specific NetFlow table entries. Specify the destination address, source address, and for IP, the protocol, and source and destination ports to see the statistics for a specific NetFlow table entry.
  • Page 352: Clearing the NetFlow IP and IPX Statistics

    This example shows how to display the statistics for a specified number of NetFlows with the maximum network usage: Console> show mls statistics entry ip top-talkers 2 Last Used Destination IP...
  • Page 353 The flow keyword specifies the following additional flow information: • Protocol family (protocol)—Specify tcp, udp, icmp, or a decimal number for other protocol families. A value of zero (0) for protocol is treated as a wildcard (unspecified options are treated as wildcards).
  • Page 354: Displaying the NetFlow Statistics Debug Information

    Clearing the NetFlow Statistics Totals The clear mls statistics command clears the following NetFlow statistics: • Total packets that are switched (IP and IPX) • Total packets that are exported (for NDE)...
  • Page 355 With software release 7.2(2) and later releases, you can configure MSFC2 to handle the IP-directed broadcasts in the hardware using PFC2. Note: Cisco IOS Release 12.1(11b)E is required on MSFC2. This example shows how to enable the IP-directed broadcasts: Router(config-if)# mls ip directed-broadcast ?
  • Page 357: Chapter 14 Configuring MLS

    (CEF for PFC3). See Chapter 13, “Configuring CEF for PFC2 and PFC3A,” for more information. Note: Supervisor Engine 2, PFC2, and MSFC2 provide Layer 3 switching with Cisco Express Forwarding for PFC2 (CEF for PFC2). See Chapter 13, “Configuring CEF for PFC2 and PFC3A,”...
  • Page 358: Understanding Layer 3-Switched Packet Rewrite

    Chapter 14 Configuring MLS Understanding How Layer 3 Switching Works Layer 3 switching on Catalyst 6500 series switches provides traffic statistics that you can use to identify traffic characteristics for administration, planning, and troubleshooting. Layer 3 switching uses NetFlow Data Export (NDE) to export flow statistics (for more information about NDE, see Chapter 16, “Configuring NDE”)
  • Page 359 Understanding IP Unicast Rewrite Received IP unicast packets are (conceptually) formatted as follows: Layer 2 frame header (Destination, Source): MSFC MAC, Source A MAC; Layer 3 IP header (Destination, Source, TTL, Checksum): Destination B IP, Source A IP...; Data; FCS
  • Page 360: Understanding MLS

    After the switch rewrites an IP multicast packet, it is (conceptually) formatted as follows: Layer 2 frame header (Destination, Source): Group G1 MAC, MSFC MAC; Layer 3 IP header (Destination, Source, Checksum): Group G1 IP, Source A IP...; Data; FCS
  • Page 361 IP multicast group. The PFC uses this list to identify the VLANs on which traffic to a given multicast flow should be replicated. These Cisco IOS commands affect the multicast MLS cache entries on the switch: • Using the clear ip mroute command to clear the multicast routing table on the MSFC clears all...
  • Page 362 MLS Cache Aging The state and identity of flows are maintained while the packet traffic is active; when the traffic for a flow ceases, the entry ages out. You can configure the aging time for the MLS entries that are kept in the MLS cache.
  • Page 363 Flow Mask Modes—Software Release 8.5(1) and Later Releases With software release 8.5(1) and later releases, the multiple flow mask feature is supported on Supervisor Engine 720. This feature results in some changes to the NetFlow Data Export (NDE) functionality.
  • Page 364 Because multiple flow masks can now coexist on the switch, the show mls statistics entry command displays only the relevant fields per flow. Depending on the flow mask that is used to create a particular flow, the relevant fields are zeroed out.
  • Page 365 This example shows the output when NAT is configured on the MSFC: Console> show mls flowmask The MSFC features are using NotVlanFullFlow and VlanFullFlowOnly flow mask on vlan(s) 10-11,50-51,90-91. Netflow Data Export is disabled NDE Flowmask is configured to at least the Null flowmask Console>...
  • Page 366 This example shows how the show mls entry command output appears in source-destination-ip mode: Console> (enable) show mls entry ip short Destination-IP Source-IP Prot DstPrt SrcPrt Destination-Mac Vlan --------------- --------------- ----- ------ ------ ----------------- ---- ESrc EDst SPort DPort Stat-Pkts Stat-Byte Uptime ---- ---- ----- ----- --------- ------------ -------- --------...
  • Page 367 The PFC prevents multicast traffic in flows that are completely Layer 3 switched from reaching the MSFC, reducing the load on the MSFC. The show ip mroute and show mls ip multicast commands identify completely Layer 3-switched flows with the text string “RPF-MFD.”...
  • Page 368: Default MLS Configuration

    When Host A initiates a file transfer to Host B, an IPX MLS entry for this flow is created (this entry is the first item in the table shown in Figure 14-1). The PFC stores the MAC addresses of the MSFC and Host B in the IPX MLS entry when the MSFC forwards the first packet from Host A through the switch to Host B.
  • Page 369: Configuration Guidelines and Restrictions

    Table 14-2 shows the default IP MMLS switch configuration. Table 14-2 Default IP MMLS Supervisor Engine Configuration (Feature: Default Value): Multicast services (IGMP snooping or GMRP): Disabled; IP MMLS: Enabled. Table 14-3 shows the default IP MMLS MSFC configuration.
  • Page 370: IP MMLS

    Maximum Transmission Unit Size The default maximum transmission unit (MTU) for IP MLS is 1500. To change the MTU on an IP MLS-enabled interface, enter the ip mtu mtu command. Restrictions on Using IP Routing Commands with IP MLS Enabled Enabling certain IP processes on an interface will affect IP MLS on the interface.
  • Page 371: IPX MLS

    • IPX MLS and Maximum Transmission Unit Size, page 14-16 IPX MLS Interaction with Other Features Other Cisco IOS software features affect IPX MLS as follows: • IPX accounting—IPX accounting cannot be enabled on an IPX MLS-enabled interface. • IPX EIGRP—To support MLS on EIGRP interfaces, you must set the Transport Control (TC)...
  • Page 372: Configuring MLS

    IPX MLS and Maximum Transmission Unit Size In IPX, the two end points of communication negotiate the maximum transmission unit (MTU) to be used. The MTU size is limited by the media type. Configuring MLS These sections describe how to configure MLS: • Configuring Unicast MLS on the MSFC, page 14-16...
  • Page 373: Configuring MLS

    This example shows how to disable IP MLS on an MSFC interface: Router(config)# interface vlan 100 Router(config-if)# no mls ip Router(config-if)# This example shows how to disable IPX MLS on an MSFC interface: Router(config)# interface vlan 100 Router(config-if)# no mls ipx Router(config-if)# Unicast MLS is enabled by default;...
  • Page 374 Using Debug Commands on the MSFC Table 14-6 describes the MLS-related debug commands that you can use to troubleshoot the MLS problems on the MSFC. Table 14-6 MLS Debug Commands (Command: Description): [no] debug l3-mgr events: Displays the Layer 3 manager-related events.
  • Page 375: Configuring MLS on Supervisor Engine 1

    MLS is enabled by default on Catalyst 6500 series switches. You only need to configure Supervisor Engine 1 in these circumstances: • You want to change the MLS aging time...
  • Page 376 Note: We recommend that you keep the size of the MLS cache below 32,000 entries. If the number of MLS entries exceeds 32,000, some flows are sent to the MSFC. To keep the size of the MLS cache down, for IP, enable IP MLS fast aging as described in the “Specifying IP MLS Long-Duration Aging Time, Fast Aging Time, and Packet Threshold Values”...
  • Page 377 To keep the MLS cache size below 32,000 entries, enable IP MLS fast aging time. The IP MLS fast aging time applies to the MLS entries that have no more than pkt_threshold packets that are switched within fastagingtime seconds after they are created.
  • Page 378 Caution: The set mls flow destination-source command purges all the existing shortcuts in the MLS cache and affects the number of the active shortcuts on the PFC. Exercise care when using this command. To set the minimum IP MLS flow mask, perform this task in privileged mode: Task: Set the minimum IP MLS flow mask.
  • Page 379 This example shows how to display the CAM entries for a specified VLAN: Console> show cam msfc 192 VLAN Destination MAC Destination-Ports or VCs Xtag Status ---- ------------------ ------------------------------ ---- ------ 00-00-0c-07-ac-c0R 00-e0-f9-d1-2c-00R Console> Displaying MLS Information The show mls command displays protocol-specific MLS information and MSFC-specific information.
  • Page 380: Displaying IP MLS Cache Entries

    This example shows how to display IPX MLS information: Console> (enable) show mls ipx IPX Multilayer switching aging time = 256 seconds IPX flow mask is Destination flow IPX max hop is 15 Active IPX MLS entries = 356 IPX MSFC ID Module XTAG MAC Vlans...
  • Page 381 Displaying All MLS Entries To display all the MLS entries (IP and IPX), perform this task in privileged mode: Task: Display all the MLS entries. Command: show mls entry [short | long] This example shows how to display all the MLS entries (IP and IPX): Console>...
  • Page 382 This example shows how to display the MLS entries for a specific destination IP address: Console> (enable) show mls entry ip destination 172.20.22.14/24 Destination-IP Source-IP Prot DstPrt SrcPrt Destination-Mac Vlan EDst ESrc DPort SPort Stat-Pkts Stat-Bytes Uptime...
  • Page 383 Displaying MLS Entries for a Specific IP Flow The show mls entry ip flow command displays the MLS entries for a specific IP flow. The protocol argument can be tcp, udp, icmp, or a decimal number for other protocol families. The src_port and dst_port arguments specify the protocol ports if the protocol is TCP or User Datagram Protocol (UDP).
  • Page 384 11.0000.0000.0010 00-00-00-00-00-10 11 ARPA ARPA 3/11 7875 362250 00:15:52 00:00:00 11.0000.0000.8310 00-00-00-00-83-10 11 ARPA ARPA 3937 181102 00:15:52 00:00:00 10.0000.0000.0109 00-00-00-00-01-09 10 ARPA ARPA 3/10 96364 4432744 00:15:52 00:00:00 11.0000.0000.4F10 00-00-00-00-4f-10 11 ARPA ARPA 7877 362342 00:15:53 00:00:00...
  • Page 385 Clearing MLS Cache Entries The clear mls entry command removes specific MLS cache entries. The all keyword clears all the MLS entries. The destination and source keywords specify the source and destination IP addresses. The destination and source ip_addr_spec can be a full IP address or a subnet address in the format ip_subnet_addr, ip_addr/subnet_mask, or ip_addr/subnet_mask_bits.
  • Page 386 Displaying IP MLS Statistics by Protocol The show mls statistics protocol command displays the IP MLS statistics by protocol (such as Telnet, FTP, and WWW). The protocol keyword functions only if the flow mask mode is full flow. Enter the show mls command to see the current flow mask.
  • Page 387: Configuring IP MMLS

    Clearing MLS Statistics The clear mls statistics command clears the following statistics: • Total packets that are switched (IP and IPX) • Total packets that are exported (for NDE) To clear the IP MLS statistics, perform this task in privileged mode: Task: Clear the IP MLS statistics.
  • Page 388 This section describes how to enable IP multicast routing on the MSFC. Note: For more detailed IP multicast configuration information, refer to the “IP Multicast” section of the Cisco IOS IP and IP Routing Configuration Guide at this URL: http://www.cisco.com/en/US/docs/ios/12_1/iproute/configuration/guide/ip_c.html...
  • Page 389 Enabling IP PIM on MSFC Interfaces You must enable IP PIM on the MSFC interfaces before IP MMLS will function on those interfaces. To enable IP PIM on an interface, perform this task: Task: Enable IP PIM on an MSFC interface.
  • Page 390 To enable IP MMLS on an MSFC interface, perform this task: Task: Enable IP MMLS on an MSFC interface. Command: Router(config-if)# [no] mls ip multicast This example shows how to enable IP MMLS on an MSFC interface: Router(config-if)# mls ip multicast Router(config-if)# Use the no keyword to disable IP MMLS on an MSFC interface.
  • Page 391 Interface state:Interface, Next-Hop or VCD, State/Mode (*, 239.252.1.1), 04:04:59/00:02:59, RP 80.0.0.2, flags:SJ Incoming interface:Vlan800, RPF nbr 80.0.0.2 Outgoing interface list: Vlan10, Forward/Dense, 01:29:57/00:00:00, H (22.0.0.10, 239.252.1.1), 00:00:19/00:02:41, flags:JT Incoming interface:Vlan800, RPF nbr 80.0.0.2, RPF-MFD Outgoing interface list: Vlan10, Forward/Dense, 00:00:19/00:00:00, H Monitoring IP MMLS on the MSFC...
  • Page 392 Group delete Ack:0 Global delete sent:7 Global delete Ack:7 L2 entry not found error:0 Generic error :3 LTL entry not found error:0 MET entry not found error:0 L3 entry exists error :0 Hash collision error :0 L3 entry not found error:0 Complete flow exists error :0 This example shows how to display information on a specific IP MMLS entry on the MSFC:...
  • Page 393 Table 14-9 IP MMLS Debug Commands (Command: Description): [no] debug mls ip multicast group group_id group_mask: Configures filtering that applies to all the other multicast debugging commands. [no] debug mls ip multicast events: Displays the IP MMLS events. [no] debug mls ip multicast errors: Turns on the debug messages for the multicast MLS-related errors.
  • Page 394 Displaying IP MMLS Configuration Information The show mls multicast command displays the global IP MMLS configuration information and the state of the participating MSFCs. To display the global IP MMLS configuration information, perform this task: Task: Display the global IP MMLS configuration...
  • Page 395 Router IP Router Name Router MAC ------------------------------------------------------- 1.1.5.252 00-10-29-8d-88-01 Transmit: Delete Notifications: Acknowledgements: Flow Statistics: Receive: Open Connection Requests: Keep Alive Messages: Shortcut Messages: Shortcut Install TLV: Selective Delete TLV: Group Delete TLV: Update TLV: Input VLAN Delete TLV: Output VLAN Delete TLV: Global Delete TLV:...
  • Page 396 This example shows how to display all the IP MMLS entries: Console> (enable) show mls multicast entry all Router IP Dest IP Source IP Pkts Bytes InVlan OutVlans --------------- --------------- --------------- ---------- ----------- ------- -------- 1.1.5.252 224.1.1.1 1.1.11.1...
  • Page 397: Chapter 15 Configuring Access Control

    • Hardware Requirements, page 15-2 • Supported ACLs, page 15-3 • Applying Cisco IOS ACLs and VACLs on VLANs, page 15-7 • Using Cisco IOS ACLs in your Network, page 15-9 • Using VACLs with Cisco IOS ACLs, page 15-17...
  • Page 398: Understanding How ACLs Work

    The standard and extended Cisco IOS ACLs are used to classify the packets. The classified packets can be subject to a number of features such as access control (security), encryption, policy-based routing, and so on. The standard and extended Cisco IOS ACLs are configured only on the router interfaces and applied on the routed packets.
  • Page 399: Supported ACLs

    As an example, TCP intercept uses a global ACL that is applied on all outbound interfaces. One Cisco IOS ACL can be used with multiple features for a given interface, and one feature can use multiple ACLs. When a single ACL is used by multiple features, Cisco IOS software examines it multiple times.
  • Page 400: VACLs

    After the packets are routed and before they are forwarded out to the next hop, Cisco IOS software examines all ACLs that are associated with the outbound features configured on the egress interface for the following: • Outbound ACLs (standard, extended, and/or reflexive)...
  • Page 401 Chapter 15 Configuring Access Control Supported ACLs ACEs Supported in VACLs A VACL contains an ordered list of access control entries (ACEs). Each VACL can contain ACEs of only one type. Each ACE contains a number of fields that are matched against the contents of a packet. Each field can have an associated bit mask to indicate which bits are relevant.
  • Page 402 Handling Fragmented and Unfragmented Traffic TCP/UDP or any Layer 4 protocol traffic, when fragmented, loses the Layer 4 information (Layer 4 source/destination ports). This situation makes it difficult to enforce security that is based on the application.
  • Page 403: Applying Cisco IOS ACLs and VACLs on VLANs

    This section describes how to apply the Cisco IOS ACLs and VACLs to the VLAN for the bridged, routed, and multicast packets. These sections show how the ACLs and the VACLs are applied: • Bridged Packets, page 15-7...
  • Page 404: Routed Packets

    Figure 15-1 Applying ACLs on Bridged Packets (Host A in VLAN 10 and Host B in VLAN 10, attached to a Catalyst 6500 series switch with PFC; the VACL is applied to the bridged traffic) Routed Packets Figure 15-2 shows how the ACLs are applied on the routed/Layer 3-switched packets.
  • Page 405: Using Cisco IOS ACLs in Your Network

    Configuration Guide, Part 1. When a feature is configured on the router to process traffic (such as NAT), the Cisco IOS ACL that is associated with the feature determines the specific traffic that is bridged to the router instead of being switched in Layer 3.
  • Page 406: Hardware and Software Handling of Cisco IOS ACLs with PFC

    This section describes how Cisco IOS ACLs with the PFC are handled by the hardware and the software. For information on Cisco IOS ACLs with PFC2 and PFC3A/PFC3B/PFC3BXL, see the “Hardware and...
  • Page 407 • Bridge-Groups, page 15-12 Security Cisco IOS ACLs The IP and IPX security Cisco IOS ACLs with PFC are as follows: • The flows that match a “deny” statement in a security ACL are dropped by the hardware if “ip unreachables” is disabled. The flows matching a “permit” statement are switched in the hardware.
  • Page 408: Policy Routing

    CPU. Under heavy traffic conditions, this process could cause high CPU utilization. Note: The drop-suppress statistics for the ACL-based RPF check are not supported. Bridge-Groups Cisco IOS bridge-group ACLs are handled in the software.
  • Page 409: Hardware and Software Handling of Cisco IOS ACLs with PFC2 and PFC3A/PFC3B/PFC3BXL

    Note: The IPX Cisco IOS ACLs with the source host node number specified cannot be enforced on the switch in the hardware; the MSFC has to process the ACL in the software. This process significantly degrades the system performance.
  • Page 410 Rate limiting for Cisco IOS ACL logging limits the number of packets that are sent to the MSFC CPU for the bridged ACEs. An ACE is bridged when the result for the Cisco IOS ACL is a deny or permit with the log option specified.
  • Page 411 Step 2: Show the ACL logging status. Command: show acllog This example shows how to enable the ACL logging and specify a rate of 500 for Cisco IOS ACL logging rate limiting: Console> (enable) set acllog ratelimit 500 If the ACLs-LOG were already applied, the rate limit mechanism will be effective on system restart, or after a shut/no shut of the interface.
  • Page 412 The hardware support for TCP intercept on a PFC2 is as follows: Once you configure TCP intercept, all TCP SYN packets that match the ACEs with a permit clause in the TCP intercept ACL, and which are permitted by the security ACL, are sent to the software to apply the TCP intercept functionality.
  • Page 413: Using VACLs with Cisco IOS ACLs

    The Catalyst 6500 series switch hardware provides one lookup for the security ACLs for each direction (input and output); you must merge a Cisco IOS ACL and a VACL when they are configured on the same VLAN. Merging the Cisco IOS ACL with the VACL might significantly increase the number of ACEs.
  • Page 414 Note: To display the percentage of ACL storage that is being used, enter the show security acl resource-usage command. These sections provide the Cisco IOS ACL and VACL configuration guidelines and examples: • Using the Implicit Deny Action, page 15-18...
  • Page 415 The show aclmerge {bdd | algo} command has been reduced to show aclmerge algo. These examples show the merge results for the various Cisco IOS ACL and VACL configurations. One VACL and one Cisco IOS ACL are configured on the same VLAN.
  • Page 416 Example 1 This example shows that the VACL does not follow the recommended guidelines (in line 9, a deny action is defined instead of using the implicit deny action at the end of the ACL), and the resultant merge...
  • Page 417 deny ip any 0.0.0.255 255.255.255.0 permit tcp any range 0 65534 any range 0 65534 permit udp any range 0 65534 any range 0 65534 permit icmp any any...
  • Page 418 The show aclmerge {bdd | algo} command has been reduced to show aclmerge algo. Examples These examples show the merge results for the various Cisco IOS ACL and VACL configurations. One VACL and one Cisco IOS ACL are configured on the same VLAN. Example 1...
  • Page 419: Layer 4 Operations Configuration Guidelines

    Example 3 ******** VACL *********** deny ip 0.0.0.0 255.255.255.0 any deny ip 0.0.0.255 255.255.255.0 any deny ip any 0.0.0.0 255.255.255.0 permit ip any host 239.255.255.255 permit ip any host 255.255.255.255 deny ip any 0.0.0.255 255.255.255.0...
  • Page 420 ACE to be translated into more than one ACE. Note: If you have a Cisco IOS ACL and a VACL on the same VLAN interface, the recommended total number of Layer 4 operations is still nine or less.
  • Page 421: Using VACLs in Your Network

    • range uses 1 LOU • eq does not require a LOU For example, this ACL would use a single LOU to store two different operator/operand couples: ... Src gt 10 ..
  • Page 422: Wiring Closet Configuration

    In a wiring closet configuration, Catalyst 6500 series switches might not be equipped with the MSFCs (routers). In this configuration, the switch can still support a VACL and a QoS ACL. Suppose that Host X and Host Y are in different VLANs and are connected to wiring closet Switch A and Switch C (see Figure...
  • Page 423: Restricting the DHCP Response for a Specific Server

    To redirect the broadcast traffic to a specific server port, perform this task in privileged mode (TCP port 5000 is the intended server application port): Step 1: Redirect the broadcast packets. Command: set security acl ip SERVER redirect 4/1 tcp any host 255.255.255.255 eq 5000 Step 2...
  • Page 424: Denying Access To A Server On Another Vlan

    To restrict the DHCP responses for a specific server, perform this task in privileged mode (the target DHCP server IP address is 1.2.3.4): Task Command Step 1 Permit a DHCP response from host 1.2.3.4. set security acl ip SERVER permit udp host 1.2.3.4 any eq 68
  • Page 425: Restricting Arp Traffic

    To deny access to a server on another VLAN, perform this task in privileged mode: Task Command Step 1 Deny traffic from hosts in subnet 10.1.2.0/8. set security acl ip SERVER deny ip 10.1.2.0 0.0.0.255 host
  • Page 426: Inspecting Arp Traffic

    The ARP traffic is permitted on each VLAN by default. You can disallow the ARP traffic on a per-VLAN basis using the set security acl ip acl_name deny arp command. When you enter this command, the ARP traffic is disallowed on the VLAN to which the ACL is mapped.
  • Page 427 The above set of rules allows only 00-00-00-01-00-02 to be advertised as the MAC address for IP address 10.0.0.1. Similarly, MAC address 00-00-00-02-00-03 is bound to IP address 20.0.0.1. The ARP packets that advertise any other MAC addresses for 10.0.0.1 and 20.0.0.1 are dropped (achieved by the deny actions in lines 3 and 4).
  • Page 428 • This example shows you how to avoid a common configuration error. The following is a typical ARP traffic-inspection ACL: set security acl ip my_arp 1. permit arp 2. permit arp-inspection host 10.6.62.86 00-b0-c2-3b-db-fd ...
  • Page 429 • Displaying ARP Traffic-Inspection Statistics, page 15-36 • Clearing the ARP Traffic-Inspection Statistics, page 15-37 Configuring Rate Limiting for ARP Traffic Inspection • Configuring Rate Limiting on a Global Basis, page 15-37 ...
  • Page 430 This example shows how to permit the ARP packets that advertise a binding of IP address 172.20.52.19: Console> (enable) set security acl ip ACL2 permit arp-inspection host 172.20.52.19 any Operation successful. Console>...
  • Page 431 ACL 'ACL4' successfully committed. Dropping Packets Without Matching MAC Addresses To drop the packets where the source Ethernet MAC address (in the Ethernet header) is not the same as the source MAC address in the ARP header, perform this task in privileged mode. If you do not specify the drop keyword, the packet is not dropped but a syslog message is displayed.
  • Page 432 To drop the packets with invalid MAC or IP addresses, perform this task in privileged mode (if you do not specify the drop keyword, the packet is not dropped but a syslog message is displayed): Task Command Step 1...
  • Page 433 Clearing the ARP Traffic-Inspection Statistics To clear the ARP traffic-inspection statistics, perform this task in privileged mode: Task Command Clear the ARP traffic-inspection statistics. clear security acl arp-inspection statistics [acl_name] Without the optional argument, entering the command clears the ARP traffic-inspection global statistics counters and the ARP traffic-inspection statistics counters for all the ACLs.
  • Page 434 Console> (enable) show rate-limit Configured Rate Limiter Settings: Rate Limiter Type Status Rate (pps) Burst -------------------- ------ -------------- ----- VACL LOG 2500 ARP INSPECTION 1000 FIB RECEIVE FIB GLEAN L3 SEC FEATURES Console>...
  • Page 435: Dynamic Arp Inspection

    Configuring Logging for ARP Traffic Inspection To configure the logging option to log the ARP traffic-inspection packets that are dropped, perform this task in privileged mode: Task Command Log the ARP traffic-inspection packets that are dropped. set security acl ip acl_name deny
  • Page 436 Figure 15-8 Dynamic ARP Inspection Flow Chart (flow chart; decision nodes: packet received on trusted port?, ARP inspection enabled on VLAN?, Match-MAC enabled?, source and payload MAC match?, search DHCP binding entries; outcomes: packet forwarded, ARP packet redirected, drop)...
  • Page 437 When you create a security ACL, you need to be careful because the statically configured ARP inspection rules have a higher priority than the DAI checks of the DHCP bindings. Do not put a permit arp-inspection any any clause in the security ACL because it will prevent any checks from occurring.
  • Page 438 Note: To make sure DAI ports function properly, a permit arp-inspection any any ACE should be present in the PACL (ACL mapped to a DAI-enabled port). Note: For DAI to function with hosts that have static IP, make sure to add static DHCP-snooping binding entries on the port instead of a static ARP-inspection rule in the PACL (ACL mapped to a DAI-enabled port).
  • Page 439: Configuring Acls On Private Vlans

    VLANs. In software release 6.1(1) and later releases, ACLs can be applied as follows: • You can map VACLs to secondary VLANs or primary VLANs. • Cisco IOS ACLs that are mapped to a primary VLAN get mapped to the associated secondary VLANs. • You cannot map Cisco IOS ACLs to secondary VLANs. ...
  • Page 440: Unsupported Features

    Note: With Supervisor Engine 720 (PFC3A/PFC3B/PFC3BXL) and Supervisor Engine 32 (PFC3B/PFC3BXL), the IPX routing is done through the software and IPX Cisco IOS ACLs and IPX VACLs are not supported. You can match the IPX packets using the MAC VACLs. You can enter the ipx-arpa keyword to match the IPX ARPA frames.
  • Page 441: Vacl Configuration Guidelines

    • You must commit a VACL before you can map it to a VLAN. There are no default VACLs and no default VACL-to-VLAN mappings. • If no Cisco IOS ACL is configured to deny the traffic on a routed VLAN interface (input or output), and no VACL is configured, all traffic is permitted.
  • Page 442: Vacl Configuration Summary

    • Note these guidelines for using the redirect option: – The redirected packets can only go out a port that supports the VLAN that the traffic is in. – The redirect option only involves taking the packets and sending them out the redirect port; ...
  • Page 443 • Displaying a VACL-to-VLAN Mapping, page 15-54 • Clearing the Edit Buffer, page 15-55 • Removing ACEs from Security ACLs, page 15-55 • Clearing the Security ACL Map, page 15-56 • Displaying VACL Management Information, page 15-56 ...
  • Page 444 This example shows how to disable BDD: Console> (enable) set aclmerge bdd disable Bdd will be disabled on system restart. Console> (enable) This example shows how to display the current BDD status and whether BDD will be enabled or disabled at the next system restart: Console>...
  • Page 445 Note: Because the VACLs have an implicit deny feature at the end of the list, all other traffic is denied. This example shows how to create an ACE for IPACL1 to allow the traffic from all source addresses: Console>...
  • Page 446 Note: With Supervisor Engine 720 (PFC3A/PFC3B/PFC3BXL) and Supervisor Engine 32 (PFC3B/PFC3BXL), the IPX routing is done through the software and the IPX Cisco IOS ACLs and IPX VACLs are not supported. You can match the IPX packets using the MAC VACLs. You can enter the ipx-arpa keyword to match the IPX ARPA frames.
  • Page 447 This example shows how to create an ACE for IPXACL1 to block all traffic from source network 1234: Console> (enable) set security acl ipx IPXACL1 deny any 1234 IPXACL1 editbuffer modified. Use ‘commit’ command to apply changes. Console>...
  • Page 448 2. permit any 1 3. deny any any 1.A.3.4 4. redirect 4/1 any 3456 5. permit any any ACL IPXACL1 Status: Not Committed Console> (enable) This example shows how to commit the ACEs to NVRAM: Console>...
  • Page 449 This example shows how to display the contents of the edit buffer: Console> (enable) show security acl info MACACL1 editbuffer set security acl mac MACACL1 ----------------------------------------------------------------- 1. deny 8-2-3-4-7-A any 2. deny any A-B-C-D-1-2 3.
  • Page 450 Task Command Map a VACL to a VLAN. set security acl map acl_name vlans This example shows how to map IPACL1 to VLAN 10: Console> (enable) set security acl map IPACL1 10 ACL IPACL1 mapped to vlan 10 Console>...
  • Page 451 To display a VACL-to-VLAN mapping, perform this task in privileged mode: Task Command Display a VACL-to-VLAN mapping. show security acl map {acl_name | vlan | all} This example shows how to display the mappings of a specific VACL: Console>...
  • Page 452 This example shows how to remove the ACEs from all the ACLs: Console> (enable) clear security acl all All editbuffers modified. Use ‘commit’ command to apply changes. Console> (enable) This example shows how to remove a specific ACE from a specific ACL: Console>...
  • Page 453 This example shows how to display VACL management information: Console> (enable) show security acl resource-usage ACL resource usage: ACL storage (mask/value): 0.29%/0.10% ACL to switch interface mapping table: 0.39% ACL layer 4 port operators: 0.0% Console (enable) Capturing Traffic Flows on Specified Ports You can enter the capture keyword in the set security acl (ip, ipx, and mac) commands to specify that...
  • Page 454 To capture the traffic flows, perform these steps: Note: An IP VACL is used in this description; you can configure IPX and non-IP version 4/non-IPX VACLs using the same basic steps. Step 1 Enter the set security acl ip command to create a VACL and add the ACEs; include the capture keyword.
  • Page 455 This example shows that ports 1/1 and 2/1 were cleared: Console> (enable) show security acl capture-ports ACL Capture Ports:1/2,2/2 Console> (enable) Configuring VACL Logging Note: This feature is available only with Supervisor Engine 2 with PFC2, Supervisor Engine 720 with PFC3A/PFC3B/PFC3BXL, and Supervisor Engine 32 with PFC3B/PFC3BXL.
  • Page 456 Enter the set security acl ip acl_name deny log command to create an IP VACL and enable logging. Step 4 Enter the commit security acl acl_name command to commit the VACL to NVRAM. Step 5 Enter the set security acl map acl_name vlan command to map the VACL to a VLAN.
  • Page 457: Configuring Mac-Based Acl Lookups For All Packet Types

    This example shows how to display the flow information in the log table: Console> (enable) show security acl log flow ip any any Total matched entry number = 1 Entry No.
  • Page 458: Using Mac-Based Acl Lookups For All Packet Types

    Using MAC-Based ACL Lookups for All Packet Types PFC3B and PFC3BXL allow the ACL lookups on all packet types using the MAC ACL. This feature is useful for doing MAC-based matching on all packets regardless of whether the packet is IP version 4, IP version 6, IPX, MPLS, and so on.
  • Page 459: Configuration Guidelines

    Configuration Guidelines Use the following guidelines when configuring MAC-based ACL lookups: • This feature should be enabled on Layer 2 VLANs only. (This recommendation is for Metro customers.) • If you enable the feature on a Layer 3 VLAN, be aware of the following: ...
  • Page 460: Configuring And Storing Vacls And Qos Acls In Flash Memory

    Note: All Cisco IOS ACLs become inoperable when the set acl mac-packet-classify vlans command is used. Note: The EtherType has been extended to include an IP version 4 option to allow you to specifically target the IP version 4 packets using the MAC ACL lookup. If you select the IP version 4 option, you must ensure that the corresponding VLAN is enabled using the set acl mac-packet-classify vlans command.
  • Page 461: Automatically Moving The Vacl And Qos Acl Configuration To Flash Memory

    Note: Chapter 25, “Modifying the Switch Boot Configuration,” for additional information on using the commands that are described in this section. Automatically Moving the VACL and QoS ACL Configuration to Flash Memory Moving the VACL and QoS ACL configuration to flash memory is done automatically only during the system software upgrades and then only if there is not sufficient NVRAM for the upgrade.
  • Page 462 Step 3 Specify if the auto-config file should be used to overwrite the NVRAM configuration or be appended to what is currently in NVRAM. Console> (enable) set boot config-register auto-config append Configuration register is 0x12F ignore-config: disabled auto-config: recurring, append, sync disabled...
  • Page 463: Running With The Vacl And Qos Acl Configuration In Flash Memory

    Note: If you cannot write the configuration to flash memory, you must copy the configuration to a file, make additional room available in flash memory, and then try to write the VACL and QoS ACL configuration to flash memory.
  • Page 464: Interacting With High Availability

    VLAN. If the packet is Layer 3 forwarded and is permitted by the VACL, it is filtered by the Cisco IOS ACL on the same VLAN. The same process happens in reverse in the egress direction. However, there is currently no hardware support for the egress PACLs.
  • Page 465: Pacl Configuration Guidelines

    The PACLs have three modes of operation that are configurable on a per-port basis: • Port-based—The PACL overrides the existing VACL and Cisco IOS ACL. With this mode, the features such as context-based access control (CBAC) and network address translation (NAT) are not functional on the physical port.
  • Page 466 PACL Interaction with VACLs and Cisco IOS ACLs This section describes the guidelines for the PACL interaction with the VACLs and Cisco IOS ACLs: • The PACLs override both the VACLs and Cisco IOS ACLs when the port is configured in port-based ...
  • Page 467 You can map the VACLs to either the primary or the secondary private VLAN. In contrast, you can map only Cisco IOS ACLs to the primary VLANs. An ingress Cisco IOS ACL that is mapped to the primary VLAN gets mapped to all the corresponding secondary VLANs and not to the primary VLAN. An egress Cisco IOS ACL that is mapped to the primary VLAN gets mapped to the primary VLAN.
  • Page 468: Configuring Pacls From The Cli

    Config: Port ACL name Type ----- -------------------------------- ---- ipacl1 Runtime: Port ACL name Type ----- -------------------------------- ---- No ACL is mapped to port 3/1. dhcp-snooping: Port Trust Source-Guard Source-Guarded IP Addresses ----- ----------- ------------ --------------------------- untrusted...
  • Page 469 Specifying the PACL Mode The default PACL mode is VLAN based and keeps any existing VACL configurations active. To specify the PACL mode, perform this task in privileged mode: Task Command Specify the PACL mode. set port security-acl mod/ports..
  • Page 470 This example shows how to display PACL information for port 3/1: Console> (enable) show port security-acl 3/1 Port Interface Type Interface Type Interface Merge Status config runtime runtime ----- -------------- -------------- ---------------------- port-based port-based not applicable...
  • Page 471 Console> (enable) set port security-acl 3/1 vlan-based ACL interface is set to vlan-based mode for port(s) 3/1. Console> (enable) set security acl map ipacl1 3/1 Port 3/1 is set to vlan-based mode, config is saved in Nvram. Config will be applied when the port is set to port-based/merge mode.
  • Page 472: Pacl Configuration Examples

    This example shows how to display the ACL information for an EtherChannel: Console> (enable) show port channel 3/40 info security-acl Port ACL-Interface Type ----- ------------------ 3/37 port-based 3/38 port-based Port ACL name Type ----- -------------------------------- ------ 3/37 ipacl1...
  • Page 473 Example 2 This example shows a failure that occurs when changing the security ACL mode due to an ACL mapping error. In this example, the ACL is mapped only in NVRAM and not in the hardware. Console>...
  • Page 474 Example 3 This example shows a port that is configured in merge mode but the port has not been mapped to an ACL: Console> (enable) set port security-acl 3/1 merge ACL interface is set to merge mode for port(s) 3/1. Console>...
  • Page 475 Example 4 This example shows that a merge failure occurs when mapping an ACL to a port. In this case, the configuration is not saved. Console> (enable) set port security-acl 3/1 merge ACL interface is set to merge for port(s) 3/1.
  • Page 476 Example 6 This example shows that a syslog is generated for any ports that fail to merge with the VACL and these ports are temporarily placed in VLAN-based mode. The status of the merge is “merge disabled.” Console>...
  • Page 477: Configuring Acl Statistics

    Example 7 This example is a continuation from Example 6 and shows that you can recover from the failure state by either mapping or unmapping the VACL or PACL. This example shows that detaching the MAC PACL can release some TCAM resources, allowing the merge to succeed.
  • Page 478: Configuring Acl Statistics From The Cli

    Optimizing an ACL involves removing the redundant ACEs, merging the ACEs, and reordering the ACEs. Removing the redundant ACEs and merging the ACEs reduces the number of TCAM entries. Reordering the ACEs reduces the number of TCAM entries and the number of TCAM masks. The ACL statistics are derived from the counters of the ACEs that comprise the optimized ACL.
  • Page 479 Enabling ACL Statistics on a Per-ACL Basis Note: The ARP entry statistics collection is always enabled because the ARP ACE entry is added after the ACL merge and is always the first ACE in the TCAM list. Enter the set security acl statistics {acl_name | all} command to enable the aggregated ACL statistics on a per-ACL basis or for all ACLs.
  • Page 480 Enabling ACL Statistics on a Per-VLAN Basis Enter the set security acl map acl-name {vlan/mod_port} [statistics enable | disable] command to enable the ACL statistics on a per-VLAN basis. Note: In the per-VLAN mode, label sharing is disabled. For example, if you have an ACL that is mapped to 10 VLANs and you enable per-VLAN statistics on one of the VLANs, you will have nine VLANs sharing a label.
  • Page 481: Clearing Acl Statistics

    To enable the ACL statistics on a per-ACE basis, perform this task in privileged mode: Task Command Enable the ACL statistics on a per-ACE basis. set security acl ip/mac acl_name … [statistics] This example shows how to enable the ACL statistics on a per-ACE basis: Console>...
  • Page 482 Displaying ACL Statistics Information Use the commands described in this section to display information about the ACL statistics: • show security acl info acl_name [statistics [ace_index]] Displays the statistics for the specified ACL. The ace_index is the index in the ACL list (committed ACLs).
  • Page 483: Configuring The Compression And Reordering Of Acl Masks

    Disable - statistics are not enabled per ACL Enable - stats are enabled per ACL The number shows the VLANs where per-vlan stattistics are enabled Type VLANS (Statistics) -------------------------------- ---- ---------------- (2-3 Enable)
  • Page 484 Enabling a Test Run of the CRAM Feature Enter the set security acl cram testrun command to determine the ACL mask usage. Running this command is for informational purposes only; no software or hardware structures are modified and there is no disruption of traffic.
  • Page 485 To enable the automatic execution of the CRAM feature, perform this task in privileged mode: Task Command Enable the automatic execution of the CRAM feature. set security acl cram auto [nsec]
  • Page 486: Configuring Policy-Based Forwarding

    Configuring Policy-Based Forwarding Policy-based forwarding (PBF) is an extension of VACL redirection that is supported by the PFC2 and PFC3A/PFC3B/PFC3BXL. PBF is particularly beneficial in any flat Layer 2 network that is used for transparent bridging where a limited amount of inter-VLAN communication is required and in server farms or demilitarized zones (DMZs) where bridging devices (like server load-balancing appliances) are involved or where firewall load balancing is performed.
  • Page 487: Understanding How Pbf Works

    Understanding How PBF Works The PBF configuration involves these tasks: • Enabling PBF and specifying a MAC address for the PFC2 or PFC3A/PFC3B/PFC3BXL • Configuring the VACLs for PBF • Configuring the attached hosts for PBF ...
  • Page 488: Configuring Pbf From The Cli

    Configuring PBF from the CLI Note: In addition to the guidelines and configuration examples in this section, see the “Enhancements to PBF Configuration (Software Releases 7.5(1) and Later)” section on page 15-102 and the “Enhancements to the PBF Configuration (Software Releases 8.3(1) and Later)”...
  • Page 489 We recommend that you use the default MAC address that is provided by the MAC address PROM. When you specify your own MAC address using the set pbf mac command, if the MAC address is a duplicate of a MAC address that is already in use, some packets might get dropped.
  • Page 490 This example shows how to clear the PBF MAC address: Console> (enable) clear pbf PBF cleared. Console> (enable) Console> (enable) show pbf Pbf status Mac address ----------- ------------------ not set 00-00-00-00-00-00 Console> (enable) Specifying the PBF MAC Address on a VLAN Note: This PBF configuration step is required only on the Supervisor Engine 720 with...
  • Page 491 Note: You can configure a maximum of 256 adjacency table entries for a VLAN. The maximum number of adjacency table entries is 1023. Note: To enable jumbo frame forwarding using PBF, enter the mtu keyword in the set security acl adjacency command.
  • Page 492 ACL 'IPACL1' successfully committed. Console> (enable) set security acl map IPACL1 10 Mapping in progress. ACL IPACL1 successfully mapped to VLAN 10. Console> (enable) This example shows how to create the PBF VACL for VLAN 11 (see Figure 15-10): Console>...
  • Page 493 1. 10 00-00-00-00-00-0a Console> show pbf adjacency Index DstVlan DstMac SrcMac Name ------------------------------------------------------------------ 00-00-00-00-00-0a 00-00-00-00-00-0b ADJ1 00-00-00-00-00-0a 00-00-00-00-00-0b ADJ2 Console> show pbf statistics Index DstVlan DstMac SrcMac HitCount(hex) Name ------------------------------------------------------------------------- 00-00-00-00-00-0a 00-00-00-00-00-0b 0x00000000 ADJ1 00-00-00-00-00-0a...
  • Page 494 Rolling Back Adjacency Table Entries in the Edit Buffer You can clear the adjacency table entries in the edit buffer that were made prior to the last commit by using the rollback command. The adjacency table entries are rolled back to their state at the last commit. To roll back the adjacency table entries in the edit buffer, perform this task in privileged mode: Task Command...
  • Page 495 Sun Workstation When using PBF to enable forwarding between two VLANs with the Sun Workstation end hosts, note these limitations when configuring the hosts: PBF Limitations • PBF does not support ARP; you must set a static ARP entry on each Sun Workstation that participates in PBF.
  • Page 496: Pbf Configuration Example

    MS-Windows/NT/2000 Hosts You must set the static ARP entries on Windows-based PCs. For Windows-based PCs, you do not need to set up any dummy gateways for switching between the VLANs with PBF. This example shows how to configure the static ARP entries in Windows-based platforms: C:\>...
  • Page 497 set security acl ip ip1 permit arp set security acl ip ip1 redirect ip host 44.0.0.1 host 43.0.0.1 set security acl ip ip1 redirect ip host 44.0.0.2 host 43.0.0.2 set security acl ip ip1 redirect ip host 44.0.0.3 host 43.0.0.3 set security acl ip ip1 redirect ip host 44.0.0.4 host 43.0.0.4...
  • Page 498: Enhancements To Pbf Configuration (Software Releases 7.5(1) And Later)

    This example shows how to display the MAC addresses that were learned by the switch for port 6/9 on VLAN 2: Console> (enable) show cam dynamic 6/9 * = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry. X = Port Security Entry $ = Dot1x Security Entry VLAN Dest MAC/Route Des...
  • Page 499 • Displaying the PBF_MAP_ACL Information, page 15-104 • Clearing the PBF_MAP_ACL Configuration, page 15-105 PBF Configuration Enhancement Overview Note: The set command has changed in software release 8.3(1). For more information, see the “Enhancements to the PBF Configuration (Software Releases 8.3(1) and Later)”...
  • Page 500 Specifying a PBF_MAP_ACL Note: The ACL name that is used by the set pbf-map command is reserved for this command. When you enter the set security acl command, you cannot use any name that starts with PBF_MAP_ACL. The name that is used for the adjacency information is also reserved for the set pbf-map command.
  • Page 501: Enhancements To The Pbf Configuration (Software Releases 8.3(1) And Later)

    Clearing the PBF_MAP_ACL Configuration To clear the PBF_MAP_ACL configuration, perform this task in normal mode: Task Command Clear the PBF_MAP_ACL configuration. clear pbf-map all | vlan vlan | ip_addr_1 mac_1 vlan_1 ip_addr_2 mac_2 vlan_2 This example shows how to clear all the ACLs and adjacency information that were created by the set pbf-map command: Console>...
  • Page 502 These sections describe the PBF configuration enhancements: • PBF Usage Guidelines and Restrictions, page 15-106 • Setting and Committing Security ACLs and Adjacency Information, page 15-106 • clear Commands, page 15-108 • show Commands, page 15-109 ...
  • Page 503 An example is as follows: Console> (enable) set pbf client cl1 21.1.1.1 00-00-00-00-40-01 101 Commit operation successful. Console> (enable) set pbf gw gw1 21.0.0.128 255.0.0.0 00-a0-c9-81-e1-13 102 Commit operation successful. Console> (enable) set pbf-map cl1 gw1 .ccl1 editbuffer modified.
  • Page 504: Clear Commands

    clear Commands The clear pbf client command cannot be used to remove the last remaining PBF client without first removing the PBF map. To clear a single client or all clients from the list, perform this task in normal mode: Task Command...
  • Page 505: Show Commands

    show Commands To display all the PBF maps, perform this task in normal mode: Task Command Display all the PBF maps. show pbf-map This example shows how to display all the PBF maps: Console>...
  • Page 506: Enhancements To Pbf Configuration (Software Releases 8.6(1) And Later)

    Using the sc1 Interface as a Diagnostic Interface To temporarily place the sc1 interface in a PBF-client VLAN to test the connection between your switch and a customer’s switch or router, perform these steps: Step 1 Enter the clear pbf arp-inspection list_name command to remove the ARP-inspection ACL statement from the PBF-client VLAN in which the test is to be conducted.
  • Page 507 Configuring the PBF Before Software Release 8.6(1) To configure a PBF with a software release before release 8.6(1), follow these steps: Step 1 Configure the PBF MAC address for the PFC and enable PBF. Console>...
  • Page 508 Step 3 Configure one PBF gateway called GATEWAY-TEST. Console> (enable) set pbf gw GATEWAY-TEST 10.0.0.100 255.255.255.0 11-11-22-22-33-3 3 1 Commit operation successful. Console> (enable) The following PBF gateway has been created: Console> (enable) show pbf gw Name : GATEWAY-TEST : CLIENT-TEST,...
  • Page 509 Chapter 15 Configuring Access Control Configuring Policy-Based Forwarding Console> (enable) The PBF client is now mapped to the PBF gateway as follows: Console> (enable) show pbf client Name : CLIENT-TEST : GATEWAY-TEST, VLAN : 10 Clients Adjacency ------------------------------------------------- .c0000CLIENT-TEST 10.0.0.10 00-00-11-11-22-22 Console>...
  • Page 510 Chapter 15 Configuring Access Control Configuring Policy-Based Forwarding set security acl map .gGATEWAY-TEST 1 <SNIP> Unrelated configuration information cut out Console> (enable) Looking at the above configuration, it is not obvious that the following three commands were used to create the adjacency and security ACLs on the switch: •...
  • Page 511 Chapter 15 Configuring Access Control Configuring Policy-Based Forwarding Step 3 Configure one PBF gateway called GATEWAY-TEST. Console> (enable) set pbf gw GATEWAY-TEST 10.0.0.100 255.255.255.0 11-11-22-22-33-33 1 Commit operation successful. Console> (enable) show pbf gw Name : GATEWAY-TEST : No map VLAN Gateways Adjacency...
  • Page 512: Downloadable Acls

    Chapter 15 Configuring Access Control Downloadable ACLs Step 5 Display the PBF configuration commands. Console> (enable) show run <SNIP> Unrelated configuration information cut out #security ACLs clear security acl all #pbf set set pbf mac 00-0d-65-35-ed-83 #set pbf client set pbf client CLIENT-TEST 10.0.0.10 00-00-11-11-22-22 10 #set pbf gw set pbf gw GATEWAY-TEST 10.0.0.100 255.255.255.0 11-11-22-22-33-03 3 #set pbf-map...
  • Page 513: Configuring A Downloaded Acl For Dot1X

    Chapter 15 Configuring Access Control Downloadable ACLs Configuring a Downloaded ACL for dot1x To configure a downloaded ACL for dot1x without an IP phone, perform these steps: Step 1 Create a base ACL with an include dot1x keyword. Console> (enable) set security acl ip dacl1x permit arp-inspection any any dacl1x editbuffer modified.
  • Page 514 Chapter 15 Configuring Access Control Downloadable ACLs ----- ------------------ ------------------------ 5/35 Step 6 Authenticate the dot1x port and verify that the downloadable ACL is downloaded and the child ACL is generated. Check the authentication status. Console> (enable) show port dot1x 5/35 Port Auth-State BEnd-State Port-Control...
  • Page 515: Configuring A Downloaded Acl For Dot1X For An Ip Phone

    Chapter 15 Configuring Access Control Downloadable ACLs 7. deny ip host 9.6.6.104 67.104.129.189 255.255.0.0 8. include downloaded-acl dot1x • Display the show dot1x user all output: Console> (enable) show dot1x user all Username Mod/Port UserIP VLAN ---------------------- -------- ------ ------ host 5/35 9.6.6.104 Downloaded ACL...
  • Page 516: Creating A Placeholder For A Downloaded Acl

    Chapter 15 Configuring Access Control Downloadable ACLs dacl1x editbuffer modified. Use 'commit' command to apply changes. Console> (enable) set security acl ip dacl1x permit dhcp-snooping Successfully configured DHCP Snooping for ACL dacl1x. Use 'commit' command to save changes. Console> (enable) set security acl ip dacl1x include downloaded-acl dot1x Successfully configured placeholder download ACL dacl1x.
  • Page 517: Creating A Placeholder For An Ip Phone

    Chapter 15 Configuring Access Control Downloadable ACLs The feature variable can be one of the following: • dot1x • webauth • macauth-bypass This example shows how to create a placeholder for a downloaded ACL: Console> set security acl ip test include downloaded-acl dot1x Console>...
  • Page 518 Chapter 15 Configuring Access Control Downloadable ACLs To display detailed information about a downloaded ACL, perform this task in enable mode: Task Command Display detailed information about a show security acl downloaded-acl ACL name downloaded ACL. This example shows detailed information about a downloaded ACL: Console>...
  • Page 519 Chapter 15 Configuring Access Control Downloadable ACLs To display the IP phone information that has been detected on a port on which downloaded ACLs are present, perform this task in enable mode: Task Command Display the IP phone information on a show security acl downloaded-acl ipphone-map port.
  • Page 520 Chapter 15 Configuring Access Control Downloadable ACLs Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 15-124 OL-8978-04...
  • Page 521: Chapter 16 Configuring Nde

    Overview of NDE and Integrated Layer 3 Switching Management Catalyst 6500 series switches provide Layer 3 switching with Cisco Express Forwarding (CEF) for Supervisor Engine 2, Supervisor Engine 720, and Supervisor Engine 32. For Supervisor Engine 1 with the PFC, Layer 3 switching is provided with Multilayer Switching (MLS). You can use NDE to monitor all Layer 3-switched traffic through the Multilayer Switch Feature Card (MSFC).
  • Page 522: Traffic Statistics Data Collection

    An external data collector gathers the flow entries from the statistics cache of one or more switches or Cisco routers. The switch or router transmits the data to the flow collector by grouping the flow entries for the expired flows from its statistics cache into a User Datagram Protocol (UDP) datagram, which consists of a header and a series of flow entries.
  • Page 523: Using Nde Filters

    Chapter 16 Configuring NDE Understanding How NDE Works Using NDE Filters By default, all the expired flows are exported until you specify a filter. After specifying a filter, only the expired and purged flows matching the specified filter criteria are exported. The filter values are stored in NVRAM and are not cleared when NDE is disabled.
  • Page 524 Chapter 16 Configuring NDE Understanding How NDE Works • Supervisor Engine 32 and PFC3B/PFC3BXL—NDE versions 5 and 7 (Supervisor Engine 32 was initially supported in software release 8.4[1]). Depending on the current flow mask, some fields in the flow records might not have values. When the PFC exports the cached entries, the unsupported fields are filled with a zero (0).
  • Page 525 Chapter 16 Configuring NDE Understanding How NDE Works Table 16-2 NDE Version 5 Flow Record Format (continued) Flow masks: X=Populated Destination Bytes Content Description Destination Source Full Full VLAN 34–35 dstport Layer 4 destination port number or equivalent pad1 Unused (zero) byte tcp_flags Cumulative OR of TCP flags prot...
  • Page 526: Default Nde Configuration

    Chapter 16 Configuring NDE Default NDE Configuration Table 16-4 NDE Version 7 Flow Record Format (continued) Flow masks: X=Populated Destination Bytes Content Description Destination Source Full Full VLAN 14–15 output Egress interface SNMP ifIndex 16–19 dPkts Packets in the flow 20–23 dOctets Octets (bytes) in the flow...
  • Page 527: Configuring Nde On The Switch

    Chapter 16 Configuring NDE Configuring NDE on the Switch Configuring NDE on the Switch These sections describe how to configure NDE: • NDE Configuration Guidelines, page 16-7 • Specifying an NDE Collector, page 16-9 • Clearing an NDE Collector, page 16-10 ...
  • Page 528 Chapter 16 Configuring NDE Configuring NDE on the Switch • If there are protocols with fewer packets per flow running, reduce the MLS fast aging time. For information on how to change the MLS fast aging time, see the “Specifying IP MLS Long-Duration Aging Time, Fast Aging Time, and Packet Threshold Values”...
  • Page 529: Specifying An Nde Collector

    Chapter 16 Configuring NDE Configuring NDE on the Switch Specifying an NDE Collector Before enabling NDE for the first time, you must specify an NDE collector and UDP port to receive the exported statistics. The collector address and UDP port number are saved in NVRAM and are preserved if NDE is disabled and reenabled or if the switch is power cycled.
  • Page 530: Clearing An Nde Collector

    Refer to these publications for more information about configuring NetFlow on the MSFC: • http://www.cisco.com/en/US/docs/ios/12_1/switch/configuration/guide/switch_c.html • “NetFlow,” at this URL: http://www.cisco.com/en/US/docs/ios/12_1/switch/configuration/guide/xcdnfov.html • Cisco IOS Switching Services Command Reference, Release 12.1, at this URL: http://www.cisco.com/en/US/docs/ios/12_1/switch/command/reference/switch_r.html These sections describe how to configure NetFlow on the MSFC: •...
  • Page 531: Enabling Nde

    Chapter 16 Configuring NDE Configuring NDE on the Switch Enabling NetFlow To enable NetFlow, perform this task on each Layer 3 interface: Task Command Step 1 Select a VLAN interface to configure. Router(config)# interface vlan vlan_ID Step 2 Enable NetFlow. Router(config-if)# ip route-cache flow Configuring the MSFC NDE Source Interface To configure the interface that is used as the source of the NDE packets containing the statistics from...
  • Page 532: Enabling And Disabling Bridged-Flow Statistics On Vlans

    Chapter 16 Configuring NDE Configuring NDE on the Switch This example shows how to enable NDE on the switch: Console> (enable) set mls nde enable Netflow data export enabled. Netflow data export to port 9996 on 172.20.15.1 (Stargate) Console> (enable) If you attempt to enable NDE without first specifying a collector, you see this display: Console>...
  • Page 533: Specifying A Destination Host Filter

    Chapter 16 Configuring NDE Configuring NDE on the Switch Specifying a Destination Host Filter To specify a destination host filter, perform this task in privileged mode: Task Command Specify a destination host filter for an set mls nde flow destination [ip_addr_spec] NDE flow.
  • Page 534: Specifying A Source Host And Destination Tcp/Udp Port Filter

    Chapter 16 Configuring NDE Configuring NDE on the Switch This example shows how to specify a destination TCP/UDP port filter so that only the expired flows to destination port 23 are exported (the flow mask is set to full): Console> (enable) set mls nde flow dst-port 23 Netflow Data Export successfully set Destination port filter is 23 Filter type: include...
  • Page 535: Removing Protocols For Statistics Collection

    Chapter 16 Configuring NDE Configuring NDE on the Switch To specify the protocols for statistics collection, perform this task in privileged mode: Task Command Specify the protocols for statistics set mls statistics protocol protocol port collection. This example shows how to specify a protocol for statistics collection: Console>...
  • Page 536: Disabling Nde

    Chapter 16 Configuring NDE Configuring NDE on the Switch This example shows how to clear the NDE flow filter so that all the flows are exported: Console> (enable) clear mls nde flow Netflow data export filter cleared. Console> (enable) Disabling NDE Note With Supervisor Engine 1 and a PFC, if NDE is enabled and you disable MLS, you lose the statistics for existing cache entries because the statistics are not exported.
  • Page 537 Chapter 16 Configuring NDE Configuring NDE on the Switch This example shows how to display the NDE configuration on the switch: Console> (enable) show mls nde Netflow Data Export enabled Netflow Data Export configured for port 7772 on host 10.6.1.10 Secondary Data Export configured for port 7775 on host 10.6.1.10 Source filter is 171.69.194.140/255.255.255.0 Destination port filter is 23...
  • Page 539: Chapter 17 Configuring Gvrp

    C H A P T E R Configuring GVRP This chapter describes how to configure the Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP) on the Catalyst 6500 series switches. Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 540: Default Gvrp Configuration

    Chapter 17 Configuring GVRP Default GVRP Configuration Default GVRP Configuration Table 17-1 shows the default GVRP configuration. Table 17-1 GVRP Default Configuration Feature Default Value GVRP global enable state Disabled GVRP per-trunk enable state Disabled on all ports GVRP dynamic creation of VLANs Disabled GVRP registration mode normal, with VLAN 1 set to fixed, for all ports...
  • Page 541: Enabling Gvrp Globally

    Chapter 17 Configuring GVRP Configuring GVRP on the Switch Enabling GVRP Globally You must enable GVRP globally before any GVRP processing occurs on the switch. Enabling GVRP globally enables GVRP to perform the VLAN pruning on the 802.1Q trunk links. The pruning occurs only on the GVRP-enabled trunks.
  • Page 542: Enabling Gvrp Dynamic Vlan Creation

    Chapter 17 Configuring GVRP Configuring GVRP on the Switch To enable GVRP on the individual 802.1Q-capable ports, perform this task in privileged mode: Task Command Step 1 Enable GVRP on an individual 802.1Q-capable port. set port gvrp mod/port enable Step 2 Verify the configuration.
  • Page 543: Configuring Gvrp Registration

    Chapter 17 Configuring GVRP Configuring GVRP on the Switch Configuring GVRP Registration These sections describe how to configure GVRP registration modes on switch ports: • Configuring GVRP Normal Registration, page 17-5 • Configuring GVRP Fixed Registration, page 17-5 • Configuring GVRP Forbidden Registration, page 17-6 ...
  • Page 544: Configuring Gvrp Vlan Declarations From Blocking Ports

    Chapter 17 Configuring GVRP Configuring GVRP on the Switch Configuring GVRP Forbidden Registration Configuring an 802.1Q trunk port in forbidden registration mode deregisters all the VLANs (except VLAN 1) and prevents any further VLAN creation or registration on the trunk port. To configure GVRP forbidden registration on an 802.1Q trunk port, perform this task in privileged mode: Task Command...
  • Page 545: Setting The Garp Timers

    Chapter 17 Configuring GVRP Configuring GVRP on the Switch Setting the GARP Timers Note The set gvrp timer and show gvrp timer commands are aliases for the set garp timer and show garp timer commands. The aliases may be used if desired. Note Modifying the GARP timer values affects the behavior of all the GARP applications running on the switch, not just GVRP.
  • Page 546: Displaying Gvrp Statistics

    Chapter 17 Configuring GVRP Configuring GVRP on the Switch Displaying GVRP Statistics To display the GVRP statistics on the switch, perform this task: Task Command Display the GVRP statistics. show gvrp statistics [mod/port] This example shows how to display the GVRP statistics for port 1/1: Console>...
  • Page 547: Disabling Gvrp Globally

    Chapter 17 Configuring GVRP Configuring GVRP on the Switch This example shows how to disable GVRP on 802.1Q trunk port 1/1: Console> (enable) set gvrp disable 1/1 GVRP disabled on 1/1. Console> (enable) Disabling GVRP Globally To disable GVRP globally on the switch, perform this task in privileged mode: Task Command Disable GVRP on the switch.
  • Page 549: Configuring Mvrp

    C H A P T E R Configuring MVRP This chapter describes how to configure the IEEE 802.1ak Multiple VLAN Registration Protocol (MVRP) on the Catalyst 6500 series switches. Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 550: Default Mvrp Configuration

    Chapter 18 Configuring MVRP Default MVRP Configuration Default MVRP Configuration Table 18-1 shows the default MVRP configuration. Table 18-1 MVRP Default Configuration Feature Default Value MVRP global enable state Disabled MVRP per-trunk enable state Disabled on all ports MVRP dynamic creation of VLANs Disabled MVRP registration mode normal, with VLAN 1 set to fixed, for all ports...
  • Page 551: Configuring Mvrp On The Switch

    Chapter 18 Configuring MVRP Configuring MVRP on the Switch Configuring MVRP on the Switch These sections describe how to configure MVRP: • Enabling MVRP Globally, page 18-3 • Enabling MVRP on Individual Trunk Ports, page 18-4 • Enabling MVRP Dynamic VLAN Creation, page 18-5 ...
  • Page 552: Enabling Mvrp On Individual Trunk Ports

    Chapter 18 Configuring MVRP Configuring MVRP on the Switch Console> (enable) show mvrp configuration Global MVRP Configuration: MVRP Feature is currently enabled on the switch. MVRP dynamic VLAN creation is disabled. Port based MVRP Configuration: MVRP-Status Registration Applicant Port(s) ----------- ------------ --------- ------------ Enabled Normal Normal...
  • Page 553: Enabling Mvrp Dynamic Vlan Creation

    Chapter 18 Configuring MVRP Configuring MVRP on the Switch Enabling MVRP Dynamic VLAN Creation You can enable MVRP dynamic VLAN creation only if these conditions are met: • The switch is in VTP transparent or off mode. • The switch does not have any PVLAN configuration. ...
  • Page 554 Chapter 18 Configuring MVRP Configuring MVRP on the Switch This example shows how to configure normal registration on an 802.1ak trunk port: Console> (enable) set port mvrp 3/1 registration normal Registrar Administrative Control set to normal on port(s) 3/1. Console> (enable) Configuring MVRP Fixed Registration Configuring an 802.1ak trunk port in fixed registration mode ignores further MVRP requests and messages while retaining all existing registrations on the trunk port.
  • Page 555: Configuring Mvrp On Ports With Stp Blocking State

    Chapter 18 Configuring MVRP Configuring MVRP on the Switch Configuring MVRP on Ports with STP Blocking State To prevent Spanning Tree Protocol (STP) topology reconfiguration on a port that is connected to a device that does not support Per-VLAN STP+ (PVST+), configure the MVRP active applicant state on the port. The ports in the MVRP active applicant state send MVRP VLAN declarations when they are in the STP blocking state, which prevents the STP bridge protocol data units (BPDUs) from being pruned from the other port.
  • Page 556: Enabling The Periodic Timer

    Chapter 18 Configuring MVRP Configuring MVRP on the Switch To set the MVRP timer values, perform this task in privileged mode: Task Command Step 1 Set the MVRP timer values. set port mvrp mod/port timer {join | leave | leaveall} timer_value Step 2 Verify the configuration.
  • Page 557: Displaying Mvrp Statistics

    Chapter 18 Configuring MVRP Configuring MVRP on the Switch MVRP-Status Registration Applicant Port(s) ----------- ------------ --------- ------------ Enabled Normal Normal 3/1-10,3/14,3/24 Disabled Normal Normal 2/2-3,3/11-13,3/15-23,3/25-48 Disabled Fixed Normal MVRP Participants running on no ports. MVRP Timers(centiseconds): ------------------------- JoinTimer LvTimer LvAllTimer Port(s) --------- -------...
  • Page 558: Displaying Mvrp State Machines

    Chapter 18 Configuring MVRP Configuring MVRP on the Switch Displaying MVRP State Machines To display the MVRP state machines on the switch, perform this task: Task Command Display the MVRP states on the port. show mvrp machines [vlan/mod/port] This example shows how to display the MVRP state machines for port 3/14: Console>...
  • Page 559: Disabling Mvrp Globally

    Chapter 18 Configuring MVRP Configuring MVRP on the Switch Task Command Step 1 Disable MVRP on an individual trunk port. set port mvrp mod/port disable Step 2 Verify the configuration. show mvrp configuration This example shows how to disable MVRP on port 3/14: Console>...
  • Page 560: Clearing Mvrp Statistics

    Chapter 18 Configuring MVRP Configuring MVRP on the Switch This example shows how to clear all MVRP counters on the switch: Console> (enable) clear mvrp counters Warning:MVRP counters will be cleared. Do you want to continue (y/n) [y]? y MVRP counters cleared for all ports on the swtich. Console>...
  • Page 561: Configuring Dynamic Port Vlan Membership With Vmps

    C H A P T E R Configuring Dynamic Port VLAN Membership with VMPS This chapter describes how to configure dynamic port VLAN membership using the VLAN Management Policy Server (VMPS) on the Catalyst 6500 series switches. Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 562: Default Vmps And Dynamic Port Configuration

    Chapter 19 Configuring Dynamic Port VLAN Membership with VMPS Default VMPS and Dynamic Port Configuration If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group. If the VLAN is allowed on the port, the VLAN name is returned to the client. If the VLAN is not allowed on the port and VMPS is not in secure mode, the host receives an “access denied”...
  • Page 563: Dynamic Port Vlan Membership And Vmps Configuration Guidelines

    Chapter 19 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership and VMPS Configuration Guidelines Table 19-1 Default VMPS and Dynamic Port Configuration (continued) Feature Default Configuration VMPS Client VMPS domain server None VMPS reconfirm interval 60 minutes VMPS server retry count Dynamic ports No dynamic ports configured...
  • Page 564: Creating The Vmps Database

    Chapter 19 Configuring Dynamic Port VLAN Membership with VMPS Configuring VMPS and Dynamic Port VLAN Membership on the Switch Creating the VMPS Database To use VMPS, you must create a VMPS database and store it on a TFTP server. The VMPS parser is line based.
  • Page 565: Configuring Vmps

    Chapter 19 Configuring Dynamic Port VLAN Membership with VMPS Configuring VMPS and Dynamic Port VLAN Membership on the Switch Configuring VMPS When you enable VMPS, the switch downloads the VMPS database from the TFTP or rcp server and begins accepting VMPS requests. To configure VMPS, perform this task in privileged mode: Task Command...
  • Page 566: Administering And Monitoring Vmps

    Chapter 19 Configuring Dynamic Port VLAN Membership with VMPS Configuring VMPS and Dynamic Port VLAN Membership on the Switch This example shows how to specify the VMPS server, verify the VMPS server specification, assign the dynamic ports, and verify the configuration: Console>...
  • Page 567: Configuring Static Vlan Port Membership

    Chapter 19 Configuring Dynamic Port VLAN Membership with VMPS Configuring VMPS and Dynamic Port VLAN Membership on the Switch To clear the VMPS statistics, perform this task in privileged mode: Task Command Clear the VMPS statistics. clear vmps statistics To clear a VMPS server entry, perform this task in privileged mode: Task Command Clear a VMPS server entry.
  • Page 568: Backing Up The Vmps Configuration File

    Chapter 19 Configuring Dynamic Port VLAN Membership with VMPS Backing up the VMPS Configuration File This example shows how to return a port to static VLAN port membership: Console> (enable) set port membership 3/1 static Port 3/1 vlan assignment set to static. Console>...
  • Page 569: Troubleshooting Vmps And Dynamic Port Vlan Membership

    Chapter 19 Configuring Dynamic Port VLAN Membership with VMPS Troubleshooting VMPS and Dynamic Port VLAN Membership VMPS Client Status: --------------------- VMPS VQP Version: Reconfirm Interval: 60 min Server Retry Count: VMPS domain server: No dynamic ports configured. Console> Troubleshooting VMPS and Dynamic Port VLAN Membership These sections describe how to troubleshoot VMPS and dynamic port VLAN membership: • Troubleshooting VMPS, page 19-9 ...
  • Page 570: Troubleshooting Dynamic Port Vlan Membership

    Chapter 19 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership with VMPS Configuration Examples Troubleshooting Dynamic Port VLAN Membership A dynamic port might shut down under these circumstances: • VMPS is in secure mode and it is illegal for the host to connect to the port. The port shuts down to prevent the host from connecting to the network.
  • Page 571 Chapter 19 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership with VMPS Configuration Examples vmps-mac-addrs ! address <addr> vlan-name <vlan_name> address 0012.2233.4455 vlan-name hardware address 0000.6509.a080 vlan-name hardware address aabb.ccdd.eeff vlan-name Green address 1223.5678.9abc vlan-name ExecStaff address fedc.ba98.7654 vlan-name --NONE-- address fedc.ba23.1245 vlan-name Purple !Port Groups !vmps-port-group <group-name>...
  • Page 572: Dynamic Port Vlan Membership Configuration Example

    Chapter 19 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership with VMPS Configuration Examples Dynamic Port VLAN Membership Configuration Example Figure 19-1 shows a network with a VMPS server switch and VMPS client switches with dynamic ports. In this example, these assumptions apply: The VMPS server and the VMPS client are separate switches.
  • Page 573 Chapter 19 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership with VMPS Configuration Examples Figure 19-1 Dynamic Port VLAN Membership Configuration [figure; labels: TFTP server; Catalyst 6500 series switches; Primary VMPS Server 1, Switch 1; 172.20.22.7; 172.20.26.150; Client Switch 2; End station 1; 172.20.26.151; Catalyst 6000...]
  • Page 574: Dynamic Port Vlan Membership With Auxiliary Vlans

    As the auxiliary VLAN ID is manually configured, the VMPS server is queried for packets coming from the PC, not for the packets coming from the IP phone. • All the packets except the Cisco Discovery Protocol (CDP) packets from the IP phone are tagged ...
  • Page 575: Configuring Dynamic Port Vlan Membership With Auxiliary Vlans

    Chapter 19 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership with Auxiliary VLANs • When configuring the auxiliary VLAN ID with 802.1p or untagged frames, you need to configure the VMPS server with the IP phone’s MAC address (see the “Dynamic Port VLAN Membership with VMPS Configuration Examples”...
  • Page 577: Chapter 20 Checking Status And Connectivity

    C H A P T E R Checking Status and Connectivity This chapter describes how to check the status and connectivity on the Catalyst 6500 series switches. Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 578: Checking The Module Status

    Chapter 20 Checking Status and Connectivity Checking the Module Status Checking the Module Status Catalyst 6500 series switches are multimodule systems. You can see what modules are installed and the MAC address ranges and version numbers for each module using the show module [mod] command. Specify a particular module number to see detailed information on that module.
  • Page 579: Checking The Port Status

    Chapter 20 Checking Status and Connectivity Checking the Port Status Checking the Port Status You can see summary or detailed information on the switch ports using the show port [mod[/port]] command. To see summary information on all of the ports on the switch, enter the show port command with no arguments.
  • Page 580: Displaying The Port Mac Address

    Chapter 20 Checking Status and Connectivity Displaying the Port MAC Address This example shows how to see information on an individual port: Console> (enable) show port 1/1 Port Name Status Vlan Duplex Speed Type ----- ------------------ ---------- ---------- ------ ----- ------------ connected full 1000 1000BaseSX...
  • Page 581: Displaying The Duplicate Mac Entries In The Cam Table

    Chapter 20 Checking Status and Connectivity Displaying the Duplicate MAC Entries in the CAM Table This example shows how to display the MAC addresses of all ports on a module: Console> show port mac-address 4 Port Mac address ----- ---------------------- 00-50-54-bf-59-64 00-50-54-bf-59-65 00-50-54-bf-59-66...
  • Page 582: Displaying Port Capabilities

    Chapter 20 Checking Status and Connectivity Displaying Port Capabilities 00-d0-02-94-4f-ff 00-d0-02-83-eb-fc 00-d0-02-83-eb-ff & Total Matching CAM Entries Displayed = 3 ========================================================================= Displaying Port Capabilities You can display the capabilities of any port in a switch using the show port capabilities [[mod][/port]] command.
  • Page 583: Understanding How The Mac Utilization Load Interval Works

    Chapter 20 Checking Status and Connectivity Configuring the MAC Utilization Load Interval Understanding How the MAC Utilization Load Interval Works The show mac utilization command displays the packet rate, bit rate, and octet rate per port, per module, and per VLAN, based on the load interval. You can set the load interval to either 30 or 300 seconds. You can also clear the MAC utilization counters on a port, range of ports, or for all ports in a module.
  • Page 584 Chapter 20 Checking Status and Connectivity Configuring the MAC Utilization Load Interval 12/1 23658 189264 12/2 12/3 614539 921816483 7374531864 12/4 13/1 33960 50941147 407529176 13/2 33960 50941151 407529208 13/3 33960 50941190 407529520 Port Rcv-Packet-Rate Rcv-Octet-Rate Rcv-Bit-Rate ----- -------------------- -------------------- -------------------- 845671 108247607 865980856...
  • Page 585: Clearing Mac Utilization Counters

    Chapter 20 Checking Status and Connectivity Configuring the MAC Utilization Load Interval This example shows how to display MAC utilization statistics for a module: Console> (enable) show mac utilization 12 30 seconds input/output port rates: Port Xmit-Packet-Rate Xmit-Octet-Rate Xmit-Bit-Rate ----- -------------------- -------------------- -------------------- 12/1 396702 594010991...
  • Page 586: Checking The 10-Gigabit Ethernet Link Status

    Chapter 20 Checking Status and Connectivity Checking the 10-Gigabit Ethernet Link Status Checking the 10-Gigabit Ethernet Link Status Cable diagnostics allow you to activate the pseudorandom binary sequence (PRBS) test on the 10-Gigabit Ethernet links. Note The PRBS test is currently available on the 1-port 10GBASE-E serial 10-Gigabit Ethernet module (WS-X6502-10GE).
  • Page 587: Checking The Cable Status Using Tdr

    Chapter 20 Checking Status and Connectivity Checking the Cable Status Using TDR Console> (enable) This example shows how to display the PRBS counter values and the ports that are running the PRBS test: Console> (enable) show port prbs Port PRBS state Error Counters 6/1 start 30 7/1 stop - Console>...
  • Page 588: Using Telnet

    Chapter 20 Checking Status and Connectivity Using Telnet Port Speed Local pair Pair length Remote pair Pair status ----- ------ ----------- ------------------- ------------ ------------ 1000 Pair A +/- 3 meters Pair A Terminated Pair B +/- 3 meters Pair B Terminated Pair C +/- 3 meters...
  • Page 589 171.69.66.45 3DES SESSION_OPEN dove.cisco.com SSH server mode : V1 and V2 Console> (enable) The nbits value specifies the RSA key size. The valid key size range is from 512 to 2048 bits. For SSH version 2, the minimum recommended key size is 768 bits. A larger key size provides higher security but takes longer to generate.
  • Page 590: Monitoring User Sessions

    Chapter 20 Checking Status and Connectivity Monitoring User Sessions Monitoring User Sessions You can display the currently active user sessions on the switch using the show users command. The command output displays all the active console port and Telnet sessions on the switch. To display the active user sessions on the switch, perform this task in privileged mode: Task Command...
  • Page 591: Using Ping

    Chapter 20 Checking Status and Connectivity Using Ping This example shows how to disconnect an active console port session and an active Telnet session: Console> (enable) show users Session User Location -------- ---------------- ------------------------- console telnet jake jake-mac.bigcorp.com telnet tim-nt.bigcorp.com * telnet suzy suzy-pc.bigcorp.com...
  • Page 592: Executing Ping

    Using Ping
    Ping returns one of the following responses:
    • Normal response—The normal response (hostname is alive) occurs in 1 to 10 seconds depending on the network traffic.
    • Destination does not respond—If the host does not respond, a no answer message is returned.
    • Unknown host—If the host does not exist, an unknown host message is returned.
  • Page 593: Using Layer 2 Traceroute

    This section describes the guidelines for using the Layer 2 Traceroute utility:
    • The Layer 2 Traceroute utility works for unicast traffic only.
    • You must enable Cisco Discovery Protocol (CDP) on all of the Catalyst 5000 and 6500 series switches in the network. (See Chapter 31, “Configuring CDP”...
  • Page 594: Identifying A Layer 2 Path

    Chapter 20 Checking Status and Connectivity Using IP Traceroute Identifying a Layer 2 Path To identify a Layer 2 path, perform one of these tasks in privileged mode: Task Command (Optional) Trace a Layer 2 path using MAC l2trace {src-mac-addr} {dest-mac-addr} [vlan] [detail] addresses.
  • Page 595: Executing Ip Traceroute

    Chapter 20 Checking Status and Connectivity Using System Warnings on Port Counters To determine when a datagram reaches its destination, traceroute sets the UDP destination port in the datagram to a very large value that the destination host is unlikely to be using. When a host receives a datagram with an unrecognized port number, it sends an ICMP port unreachable error to the source.
  • Page 596: Executing System Warnings On Port Counters

    Using System Warnings on Port Counters
    Spanning-tree error information is provided for the following:
    • Ports that go from the blocking to the forwarding state
    • Bridge protocol data unit (BPDU) skewing that exceeds a fixed threshold
    •...
  • Page 597 Using System Warnings on Port Counters
    Console> (enable)
    Some sample syslog messages are as follows:
    2000 Jan 11 06:00:27 PST -07:00 %SYS-4-SYS_HITRFC: 62% traffic detected on switching bus
    2000 Feb 21 12:00:27 PST -07:00 %SYS-4-SYS_HITRFC: 65% traffic detected on switching bus
    Low Remaining Memory
    When memory allocation of clusters and buffers on the Catalyst 6500 series switch goes above a high watermark of 90 percent, a syslog message is generated.
  • Page 598 Using System Warnings on Port Counters
    Console> (enable)
    A sample syslog message is as follows:
    1999 Nov 23 16:32:21 PDT -07:00 %SYS-3-SYS_MEMERR: Out of range while freeing address 0xabcdefab
    NVRAM Logs
    Syslog errors are generated for each configuration-related NVRAM log event. These events may indicate configuration or hardware errors, or NVRAM configuration changes that were made without notifying users. The hardware-error NVRAM log is not syslogged.
  • Page 599: Executing Hardware Level Warnings On Port Counters

    Using System Warnings on Port Counters
    When you enter the show netstat udp/tcp command, each bad UDP/TCP checksum generates a message similar to the following:
    1999 Oct 31 23:59:59 PDT -07:00 %IP-3-UDP_BADCKSUM: UDP bad checksum
    1999 Oct 31 23:59:59 PDT -07:00 %IP-3-TCP_BADCKSUM: TCP bad checksum
    Executing Hardware Level Warnings on Port Counters
    You can poll selected error counters of each switch port every 30 minutes.
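The system warnings in this section all share the CatOS message shape `%FACILITY-SEVERITY-MNEMONIC: text`, which is what a collector should key on rather than on free text. Below is an added example, not code from the Cisco manual, that parses lines of that shape and applies a small alerting policy to them: severity 0 through 3 (errors) always alerts, and the severity 4 `SYS_HITRFC` bus-load warning alerts only above a threshold. The sample lines are the ones quoted in this chapter; the alert rules and the 80 percent threshold are assumptions made for the example.

```python
"""Parse CatOS-style syslog lines and decide which ones merit an alert.
Added example, not Cisco code. SAMPLE_LINES are quoted from the manual;
should_alert() and SWITCHING_BUS_ALERT_PCT are assumptions for this example."""
import re
from collections import Counter

# "1999 Oct 31 23:59:59 PDT -07:00 %IP-3-UDP_BADCKSUM: UDP bad checksum"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<tz>[A-Z]{3,4}) (?P<offset>[+-]\d{2}:\d{2}) "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

SWITCHING_BUS_ALERT_PCT = 80   # assumption: SYS_HITRFC below this is trend data, not an alert


def parse_catos_syslog(line: str):
    """Return a dict (ts, tz, offset, facility, severity:int, mnemonic, text) or None."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["severity"] = int(entry["severity"])
    return entry


def should_alert(entry) -> bool:
    """Severity 0-3 always alerts; SYS_HITRFC (severity 4) alerts only at high bus load."""
    if entry["severity"] <= 3:
        return True
    if entry["mnemonic"] == "SYS_HITRFC":
        m = re.match(r"(\d+)% traffic", entry["text"])
        return bool(m) and int(m.group(1)) >= SWITCHING_BUS_ALERT_PCT
    return False


def summarize(lines):
    """Count parsed messages per mnemonic and list the mnemonics that should alert."""
    counts = Counter()
    alerts = []
    for line in lines:
        entry = parse_catos_syslog(line)
        if entry is None:          # not a CatOS message, e.g. a console echo
            continue
        counts[entry["mnemonic"]] += 1
        if should_alert(entry):
            alerts.append(entry["mnemonic"])
    return counts, alerts


SAMPLE_LINES = [   # quoted from the manual, plus one non-syslog line
    "2000 Jan 11 06:00:27 PST -07:00 %SYS-4-SYS_HITRFC: 62% traffic detected on switching bus",
    "2000 Feb 21 12:00:27 PST -07:00 %SYS-4-SYS_HITRFC: 65% traffic detected on switching bus",
    "1999 Nov 23 16:32:21 PDT -07:00 %SYS-3-SYS_MEMERR: Out of range while freeing address 0xabcdefab",
    "1999 Oct 31 23:59:59 PDT -07:00 %IP-3-UDP_BADCKSUM: UDP bad checksum",
    "1999 Oct 31 23:59:59 PDT -07:00 %IP-3-TCP_BADCKSUM: TCP bad checksum",
    "Console> (enable) show netstat udp",
]

if __name__ == "__main__":
    counts, alerts = summarize(SAMPLE_LINES)
    for mnemonic, n in counts.most_common():
        print(f"{mnemonic:14s} {n}")
    print("alert on:", ", ".join(alerts))
```

A burst of `UDP_BADCKSUM`/`TCP_BADCKSUM` on the switch's own IP stack is worth correlating with whatever else saw the management network at that time: the message carries no source address, so the packet source has to come from a capture or a neighbouring device.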
  • Page 600: Configuring Packet-Buffer Error Handling

    Chapter 20 Checking Status and Connectivity Configuring Packet-Buffer Error Handling SNMP A matching SNMP trap generation for each of the syslog warnings using the existing clogMessageGenerated trap is sent every time that any syslog message is generated. Configuring Packet-Buffer Error Handling The set errordetection packet-buffer {errdisable | powercycle | supervisor {errdisable | shutdown}} command allows you to specify packet-buffer error handling as follows (the default is errdisable): errdisable—If you enter the errdisable keyword, the ports that experience the packet-buffer errors...
  • Page 601 Configuring EtherChannel/Link Error Handling
    Note: The link errors that are monitored are based on three counters: Inerrors, RXCRC (CRCAlignErrors), and TXCRC.
    If the errdisable timer for the link is enabled (using the set errdisable-timeout enable command), the errdisabled port is automatically reenabled after the timeout interval expires (the timeout interval is specified using the set errdisable-timeout interval {interval} command).
  • Page 602: Configuring Ieee 802.3Ah Ethernet Oam

    Chapter 20 Checking Status and Connectivity Configuring IEEE 802.3ah Ethernet OAM set errordetection link-errors sampling {sampling_count} • To minimize accidentally putting a port into the errdisable state due to a one-time event that is not a true system error condition, you can specify a sampling_count. The sampling_count determines the number of times that a port must reach the high or low threshold value before the port is placed in the errdisable state.
  • Page 603: Ethernet Oam Configuration Guidelines And Restrictions

    Configuring IEEE 802.3ah Ethernet OAM
    Note: OAM is a relatively slow protocol with low bandwidth requirements (the frame transmission rate is limited to a maximum of 10 frames per second), and it is not required for normal link operation. OAM frames, referred to as OAM protocol data units (OAMPDUs), use the slow protocol destination MAC address (0180.c200.0002), are intercepted by the MAC sublayer, and cannot propagate beyond a single hop within an Ethernet network.
  • Page 604 Chapter 20 Checking Status and Connectivity Configuring IEEE 802.3ah Ethernet OAM Clearing User-Configured Parameters for OAM Link Monitoring, page 20-34 • Clearing User-Configured Actions for OAM Critical Link Events, page 20-34 • Displaying Ethernet OAM-Related Information, page 20-35 • Displaying Ethernet OAM Neighbor Information, page 20-36 •...
  • Page 605 Chapter 20 Checking Status and Connectivity Configuring IEEE 802.3ah Ethernet OAM To specify the OAM port mode on the specified ports, perform this task in privileged mode: Task Command Specify the OAM port mode on the specified set port ethernet-oam mod/port mode {active | ports.
  • Page 606 Chapter 20 Checking Status and Connectivity Configuring IEEE 802.3ah Ethernet OAM To enable or disable the OAM remote loopback test on the specified ports, perform this task in privileged mode: Task Command Enable or disable the OAM remote loopback test set port ethernet-oam mod/port on the specified ports.
  • Page 607 Chapter 20 Checking Status and Connectivity Configuring IEEE 802.3ah Ethernet OAM Enabling or Disabling Ethernet OAM Link Monitoring You can use the commands in this section to enable or disable OAM link monitoring on the specified ports. The default is enabled. To enable or disable OAM link monitoring on the specified ports, perform this task in privileged mode: Task Command...
  • Page 608 Chapter 20 Checking Status and Connectivity Configuring IEEE 802.3ah Ethernet OAM Specifying the Low-Threshold Error Count and the Associated Action for Ethernet OAM Link Monitoring You can use the commands in this section to specify the OAM link monitoring low-threshold error count and the associated action on the specified ports.
  • Page 609 Chapter 20 Checking Status and Connectivity Configuring IEEE 802.3ah Ethernet OAM Specifying the Associated Action for OAM Critical Link Events You can use the commands in this section to specify the associated action for OAM critical link events (critical-event, dying-gasp, or link-fault) on the specified ports. The default is warning. If you specify the dying-gasp keyword, the errordisable option is not available.
  • Page 610 Chapter 20 Checking Status and Connectivity Configuring IEEE 802.3ah Ethernet OAM Successfully cleared OAM statistics on port(s) 2/1-2,3/1-48,8/1-8. Console> (enable) This example shows how to clear OAM statistics from a specific port: Console> (enable) clear port ethernet-oam 3/1 statistics Successfully cleared OAM statistics on port(s) 3/1. Console>...
  • Page 611 Chapter 20 Checking Status and Connectivity Configuring IEEE 802.3ah Ethernet OAM Displaying Ethernet OAM-Related Information To display the OAM configuration and status for all OAM ports or on the specified OAM ports, perform this task in normal mode: Task Command Display the OAM configuration and status for all show port ethernet-oam [mod | mod/port] OAM ports or on the specified OAM ports.
  • Page 612 Chapter 20 Checking Status and Connectivity Configuring IEEE 802.3ah Ethernet OAM Displaying Ethernet OAM Neighbor Information You can use the commands in this section to display OAM neighbor information. The neighbor is the connected OAM peer. To display OAM information for the specified neighbor or for all neighbors, perform this task in normal mode: Task Command...
  • Page 613 Chapter 20 Checking Status and Connectivity Configuring IEEE 802.3ah Ethernet OAM This example shows how to display information about the OAM remote loopback test for the current session: Console> (enable) show port ethernet-oam 1/2 remote-loopback current-session Port Loopback at OAM Rx OAM Tx ---- ----------- ---------- ---------- Remote...
  • Page 614: Configuring Metro Ethernet Connectivity Fault Management

    Chapter 20 Checking Status and Connectivity Configuring Metro Ethernet Connectivity Fault Management Displaying Ethernet OAM Statistics To display OAM statistics, perform this task in normal mode: Task Command Display OAM statistics. show port ethernet-oam [mod | mod/port] statistics This example shows how to display OAM statistics for port 1/2: Console>...
  • Page 615: Understanding How Metro Ethernet Connectivity Fault Management Works

    Chapter 20 Checking Status and Connectivity Configuring Metro Ethernet Connectivity Fault Management Understanding How Metro Ethernet Connectivity Fault Management Works Metro Ethernet connects multiple customer sites to form one virtual private network (VPN). A Metro Ethernet network consists of networks from multiple operators that are supported by one service provider.
  • Page 616: Maintenance Associations

    Chapter 20 Checking Status and Connectivity Configuring Metro Ethernet Connectivity Fault Management Figure 20-2 Ethernet CFM Maintenance Domain Edge Edge Bridge Bridge Edge Bridge Edge Edge Bridge Bridge Exterior ports Interior ports Often, three different organizations are involved in a Metro Ethernet service: customers, service providers, and operators.
  • Page 617 Chapter 20 Checking Status and Connectivity Configuring Metro Ethernet Connectivity Fault Management Table 20-3 Maintenance Point Classifications Maintenance Functions Maintenance Endpoint Intermediate Point Transparent Point Initiate CFM messages Respond to loopback and link trace messages Catalog continuity-check information received Forward CFM messages No Maintenance endpoints reside at the edge of a maintenance domain, while maintenance intermediate points are internal to the domain.
  • Page 618: Cfm Configuration Guidelines And Restrictions

    Chapter 20 Checking Status and Connectivity Configuring Metro Ethernet Connectivity Fault Management Figure 20-3 Maintenance Points and Maintenance Domains CFM Configuration Guidelines and Restrictions When configuring CFM, follow these guidelines: The CFM configuration is allowed only in text configuration mode. •...
  • Page 619 Configuring Metro Ethernet Connectivity Fault Management
    Scalability Data for Connectivity Fault Management and Alarm Indication Signal
    • On a Catalyst 6500 series switch with Supervisor Engine 720 that runs software release 8.7(3), when CFM or CFM with MVRP are enabled together on dot1q trunk ports with a 10 second CC interval, the switch supports the following:
      –...
  • Page 620: Configuring Metro Ethernet Cfm

    Configuring Metro Ethernet Connectivity Fault Management
    Note: On a Catalyst 6500 series switch that runs software release 8.7(3), when AIS detects a link fault condition, the configured number of AIS PDUs (default 5) is sent at a 1-second transmission interval for each affected VLAN on the failed trunk.
  • Page 621 Chapter 20 Checking Status and Connectivity Configuring Metro Ethernet Connectivity Fault Management Task Command Enable or disable Metro Ethernet CFM globally set ethernet-cfm {disable | enable} on a switch. This example shows how to enable Metro Ethernet CFM globally on a switch: Console>...
  • Page 622 Chapter 20 Checking Status and Connectivity Configuring Metro Ethernet Connectivity Fault Management Configuring CFM on a Port as a Maintenance Point To enable or disable CFM on a port and to configure a port as a Maintenance End Point (MEP) and Maintenance Intermediate Point (MIP) for a specific maintenance level and VLAN, perform this task in privileged mode: Task...
  • Page 623 Configuring Metro Ethernet Connectivity Fault Management
    Successfully enabled CC for level 4 for vlan(s) 100.
    Console> (enable)
    Configuring Ethernet CFM traceroute Protocol Parameters
    To enable or disable caching of Ethernet Connectivity Fault Management (CFM) data entered using traceroute messages, perform this task in privileged mode: Task Command...
  • Page 624 Configuring Metro Ethernet Connectivity Fault Management
    Note: For LTMs/LBMs to be successful with DOWN MEPs, you should configure the system CAM entry for that VLAN on the DOWN MEP port.
    Displaying Metro Ethernet CFM Domains
    To display all the configured CFM domains, perform this task in privileged mode: Task Command...
  • Page 625 Chapter 20 Checking Status and Connectivity Configuring Metro Ethernet Connectivity Fault Management ------------------------------------------------------------------------------------------ Vlan Domain Lvl MA MA-Name Loss Name Format Intv Thres Enable state ------------------------------------------------------------------------------------------ 2000 dom3 3 text vlan2000 10 sec TRUE TRUE 2001 dom3 3 text vlan2001 10 sec TRUE TRUE...
  • Page 626 Chapter 20 Checking Status and Connectivity Configuring Metro Ethernet Connectivity Fault Management Displaying the Metro Ethernet CFM Status To display the global CFM and AIS status, the maximum configured maintenance level, and CFM MAC addresses, perform this task in privileged mode: Task Command Display the global CFM and AIS status and the...
  • Page 627 Chapter 20 Checking Status and Connectivity Configuring Metro Ethernet Connectivity Fault Management 2006 2005 1406 2007 2006 1406 2008 2007 1406 2009 2008 1406 2010 2009 1405 2011 2010 1407 2012 2011 1406 2013 2012 1407 2014 2013 1405 Console> (enable) Displaying Metro Ethernet CFM Errors To display the CFM continuity check and AIS error conditions logged since the last reload, perform this task in privileged mode:...
  • Page 628 Chapter 20 Checking Status and Connectivity Configuring Metro Ethernet Connectivity Fault Management Traceroute to 00-50-3e-78-fb-fb on Domain dom3, Level 3, Vlan 2000 issued at Wed Aug 12 2009, 03:12:17 B = Intermediary Bridge ! = Target Destination * = Per hop Timeout -------------------------------------------------------------------------------- Ingress Ingr Action...
  • Page 629 Chapter 20 Checking Status and Connectivity Configuring Metro Ethernet Connectivity Fault Management This example shows how to clear the maintenance association, customerXYA in customerXYADomain: Console> (enable) clear ethernet-cfm maintenance-association ma-name-fmt text customerXYA domain customerXYADomain Maintenance Association customerXYA cleared from domain customerXYADomain. Console>...
  • Page 630: Configuring The Alarm Indication Signal

    Chapter 20 Checking Status and Connectivity Configuring the Alarm Indication Signal Successfully deleted entries for port(s) 3/14 vlan(s) 10. Console> (enable) Clearing the Ethernet CFM traceroute Database To clear the contents of the traceroute database, perform one of these tasks in privileged mode: Task Command Clear the CFM traceroute database information.
  • Page 631: Understanding How Cfm Works With 802.3Ah Link-Oam For Ais-Rdi

    Chapter 20 Checking Status and Connectivity Configuring the Alarm Indication Signal Understanding How CFM Works with 802.3ah Link-OAM for AIS-RDI The Ethernet Alarm Indication function (ETH-AIS) and the Ethernet Remote Defect Indication (ETH-RDI) are new functional extensions to Metro Ethernet Connectivity Fault Management (CFM). The ETH-AIS is a standard defined by ITU Y.1731 and the ETH-RDI is part of IEEE 802.1ag.
  • Page 632: Ethernet Remote Defect Indication

    Note: A Server MEP represents both the server layer termination function and the Server/Ethernet adaptation function. In the Cisco IOS software, the Link OAM and Interface/Line Protocol state act as Server MEPs.
    Timer Spread Design Logic and Guidelines:
    • The AIS transmission interval is hard coded to 1 second and can be changed to 1 minute...
  • Page 633: Configuring An Alarm Indication Signal

    Chapter 20 Checking Status and Connectivity Configuring the Alarm Indication Signal All the AIS attributes (level, interval, enable/disable, alarm suppression) relate to the MA. The MEP • inherits these attributes from the MA. You must create an MA so that you can set any of the AIS parameters.
  • Page 634 Chapter 20 Checking Status and Connectivity Configuring the Alarm Indication Signal Console> (enable) set ethernet-cfm ais disable Link-Status AIS feature is already disabled on the switch. Console> (enable) Configuring Continuity-Check Protocol AIS Parameters To configure the AIS attributes for all MEPs that belong to a specific MA or service, perform this task in privileged mode: Task Command...
  • Page 635 Chapter 20 Checking Status and Connectivity Configuring the Alarm Indication Signal This example shows how to configure the CFM AIS level globally on a switch: Console> (enable) set ethernet-cfm ais level 4 Link-Status AIS transmission level configured to 4 on the switch. Console>...
  • Page 636: Configuring The Ethernet Local Management Interface

    Chapter 20 Checking Status and Connectivity Configuring the Ethernet Local Management Interface Task Command Step 1 Display the CFM error conditions for show ethernet-cfm errors [level level] maintenance points that have a specific maintenance level. Step 1 Display the CFM error conditions for show ethernet-cfm errors [domain maintenance points and to specify the name of the domain_name]...
  • Page 637: Configuring Elmi

    Chapter 20 Checking Status and Connectivity Configuring the Ethernet Local Management Interface In a MEN, the EVC status is determined by the OAM protocol. In the Catalyst operating system, ELMI relies on CFM to provide an end-to-end status of the EVC across CFM domains (PE device) in MEN and updates the CE device through ELMI.
  • Page 638: Configuring Elmi On The Switch

    PE1, PE2, and PE3 switches have VLANs 10 and 250 (switch VLANs) configured as CFM VLANs. • • The ELMI protocol runs between the PE1 switch and CE1-Cisco Internet Switch and Router (ISR) 3845. The remote MEPs Continuity Check Database (CCDB) cataloging occurs on all 3 PE switches for •...
  • Page 639 Chapter 20 Checking Status and Connectivity Configuring the Ethernet Local Management Interface Configuring a UNI ID on an Individual Port, page 20-65 • Configuring UNI-TYPE on an Individual Port, page 20-65 • Configuring an EVC on an Individual Port, page 20-65 •...
  • Page 640 Chapter 20 Checking Status and Connectivity Configuring the Ethernet Local Management Interface These examples show how to configure various EVC parameters: Console>(enable) set ethernet-evc EVC1 uni-count 2 UNI count for EVC1 is configured as 2. Console> (enable) set ethernet-evc EVC1 domain ELMI ma-name-fmt text CFM1 Successfully create EVC EVC1 and CFM service name CFM1.
  • Page 641 Chapter 20 Checking Status and Connectivity Configuring the Ethernet Local Management Interface These examples show how to set the ELMI port: Console>(enable) set port ethernet-lmi 3/1 enable Ethernet LMI is enabled on port 3/1. Console>(enable) set port ethernet-lmi 3/1 t392 30 Ethernet LMI polling verification timer is set to 30 seconds for port 3/1.
  • Page 642 Chapter 20 Checking Status and Connectivity Configuring the Ethernet Local Management Interface This example shows how to set the Ethernet EVC ID as EVC1 for module 7, port 1: Console> (enable) set port ethernet-evc 7/1 EVC1 EVC1 is associated to port 7/1. Console>...
  • Page 643 Chapter 20 Checking Status and Connectivity Configuring the Ethernet Local Management Interface Task Command Display the CE-VLAN/EVC mapping. show port ethernet-evc mod/port {[detail] | evc-id [detail]} These examples show how to display the CE-VLAN/EVC mapping configured for module 7, port 1: Console>(enable) show port ethernet-evc 7/1 UNI Id: PE-CUSTA-PORT1 St EVC Id CE-Vlan...
  • Page 644 Configuring the Ethernet Local Management Interface
    E-LMI parameters for port 7/1
    Port Ethernet LMI: Enabled
    Operational Status: Disabled
    Mode: PE
    T391: NA
    T392: 15
    N391: NA
    N393: 4
    Console> (enable)
    Clearing an EVC
    To clear an EVC configured in the switch, perform this task in privileged mode: Task Command Clear an EVC configured in the switch.
  • Page 645: Configuring Mac Address Move Counters

    Configuring MAC Address Move Counters
    Clearing a UNI Configuration
    To clear the UNI configuration on the port, perform this task in privileged mode: Task Command Clear a UNI configuration on the port. clear port ethernet-evc mod/port [id | type]
    This example shows how to clear the UNI configuration on module 7, port 1: Console>...
  • Page 646: Mac Address Move Counter Configuration Guidelines And Restrictions

    Configuring MAC Address Move Counters
    MAC Address Move Counter Configuration Guidelines and Restrictions
    When configuring MAC address move counters, follow these configuration guidelines and restrictions:
    • Layer 2 ASICs learn any new MAC addresses and associate them with a port. Only dynamic CAM entries are learned.
  • Page 647: Executing Mac Address Move Counters

    Chapter 20 Checking Status and Connectivity Configuring MAC Address Move Counters Table 20-4 MAC Address Move Counter Syslog Generation (continued) Are MAC Address Move Counter Scenario Syslogs Generated? MAC address move counter entries have been cleared for a specified VLAN by entering the clear cam notification move counters vlan command, and one or more MAC address moves occurred after entries were cleared.
  • Page 648 Chapter 20 Checking Status and Connectivity Configuring MAC Address Move Counters MAC move counters are disabled Console> (enable) Displaying MAC Address Move Counter Statistics To display MAC address move counter statistics, perform this task in normal mode: Task Command Display MAC address move counter statistics. show cam notification move counters [vlan] This example shows how to display MAC address move counter statistics for all VLANs: Console>...
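The counters described in this section are the switch's own record of how often a dynamically learned address changed port within a VLAN, which is the signature of a loop, a duplicate address, or a station spoofing another's MAC. The following added example, not code from the Cisco manual, models that bookkeeping off-box so the same reasoning can be applied to learning events exported from any source: it keeps a per-VLAN, per-MAC move count, separates a one-time move (a host re-patched to a new port) from repeated flapping between ports, and mirrors the clear-per-VLAN operation. The learning events and the flapping threshold are constructed assumptions for the example.

```python
"""Track MAC address moves between ports per VLAN, the way the CatOS
'cam notification move counters' feature counts them. Added example, not Cisco
code. SAMPLE_EVENTS and FLAP_THRESHOLD are constructed/assumed for the example."""
from collections import defaultdict

FLAP_THRESHOLD = 3   # assumption: moves per (vlan, mac) before we call it flapping


class MacMoveTracker:
    def __init__(self):
        self._current = {}                 # (vlan, mac) -> port the address is currently on
        self.moves = defaultdict(int)      # (vlan, mac) -> number of port changes
        self._ports = defaultdict(set)     # (vlan, mac) -> every port it has been seen on

    def learn(self, vlan: int, mac: str, port: str) -> bool:
        """Record one dynamic learn. Return True when it is a move (port changed)."""
        key = (vlan, mac.lower())
        previous = self._current.get(key)
        self._current[key] = port
        self._ports[key].add(port)
        if previous is None or previous == port:
            return False           # first sighting, or a re-learn on the same port
        self.moves[key] += 1
        return True

    def move_count(self, vlan: int, mac: str) -> int:
        return self.moves.get((vlan, mac.lower()), 0)

    def flapping(self, vlan: int):
        """Addresses in `vlan` whose move count reached FLAP_THRESHOLD: (mac, count, ports)."""
        result = []
        for (v, mac), count in self.moves.items():
            if v == vlan and count >= FLAP_THRESHOLD:
                result.append((mac, count, sorted(self._ports[(v, mac)])))
        return sorted(result)

    def clear(self, vlan=None):
        """Mirror 'clear cam notification move counters {all | vlan}' (counters only;
        the current port association is kept, as the switch keeps its CAM entry)."""
        for key in [k for k in self.moves if vlan is None or k[0] == vlan]:
            del self.moves[key]
            self._ports.pop(key, None)


# Constructed learning events: (vlan, mac, port)
SAMPLE_EVENTS = [
    (10, "00-11-22-33-44-55", "3/1"),
    (10, "00-11-22-33-44-55", "3/2"),   # move 1
    (10, "00-11-22-33-44-55", "3/1"),   # move 2
    (10, "00-11-22-33-44-55", "3/2"),   # move 3: flapping between 3/1 and 3/2
    (10, "00-aa-bb-cc-dd-ee", "3/5"),
    (10, "00-aa-bb-cc-dd-ee", "3/7"),   # single move: a host re-patched once
    (20, "00-11-22-33-44-55", "4/1"),   # same MAC in another VLAN is tracked separately
]


def run_sample(events=SAMPLE_EVENTS):
    tracker = MacMoveTracker()
    for vlan, mac, port in events:
        tracker.learn(vlan, mac, port)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    for mac, count, ports in t.flapping(10):
        print(f"vlan 10: {mac} moved {count} times between {', '.join(ports)}")
```

The distinction the threshold draws matters for triage: one move is normal churn, while an address that keeps alternating between the same two ports is either a loop or two stations claiming one address, and the port list tells you where to look.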
  • Page 649: Digital Optical Monitoring

    Chapter 20 Checking Status and Connectivity Digital Optical Monitoring Clearing MAC Address Move Counter Statistics To clear MAC address move counter statistics, perform this task in privileged mode: Task Command Clear MAC address move counter statistics. clear cam notification move counters {all | vlan} This example shows how to clear MAC address move counter statistics for all VLANs: Console>...
  • Page 650 Chapter 20 Checking Status and Connectivity Digital Optical Monitoring Displaying General Port Transceiver Information To display general port transceiver information, perform this task in enabled mode: Task Command Display general port transceiver information. show port transceiver This example shows how to display general port transceiver information: Console>...
  • Page 651 Chapter 20 Checking Status and Connectivity Digital Optical Monitoring High Alarm High Warn Low Warn Low Alarm Current Threshold Threshold Threshold Threshold Port (milliamperes) (mA) (mA) (mA) (mA) ----- ----------------- -------------- -------------- ------------- -------------- 29.3 30.4 Optical High Alarm High Warn Low Warn Low Alarm Transmit Power Threshold...
  • Page 652 Chapter 20 Checking Status and Connectivity Digital Optical Monitoring This example shows how to display port transceiver information: Console> show port transceiver 2/1 sh port transceiver 5/1 Transceiver monitoring is enabled. Monitor interval is set to 1 minute ITU Channel not available (1550 nm) ## : high alarm, # : high warning, @ : low warning, @@ : low alarm.
  • Page 653: Setting Transceiver Monitoring And Thresholds

    Chapter 20 Checking Status and Connectivity Digital Optical Monitoring Setting Transceiver Monitoring and Thresholds The following sections describe how to set transceiver monitoring parameters and thresholds: • Enabling or Disabling Transceiver Monitoring, page 20-77 Setting the Transceiver Monitoring Interval, page 20-77 •...
  • Page 654 Chapter 20 Checking Status and Connectivity Digital Optical Monitoring Console> (enable) set port transceiver 3/1 temperature high-alarm threshold 750 Optical temperature high-alarm threshold is set to 75.0 celsius for port 3/1 This example shows how to set a transceiver temperature threshold including the severity: Console>...
  • Page 655: Chapter 21 Configuring Gold

    C H A P T E R
    Configuring GOLD
    This chapter describes how to configure generic online diagnostics (GOLD) on the Catalyst 6500 series switches.
    Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 656: Configuring Online Diagnostics

    Chapter 21 Configuring GOLD Configuring Online Diagnostics Online diagnostics are categorized as follows: Bootup—Bootup diagnostics run during bootup, module OIR, or switchover to a backup supervisor • engine. • On-demand—On-demand diagnostics run from the CLI. Schedule—Schedule diagnostics run at user-designated intervals or specified times when the switch •...
  • Page 657: Configuring On-Demand Online Diagnostics

    Chapter 21 Configuring GOLD
    Configuring Online Diagnostics
    Note: The bootup diagnostic level applies to the entire switch and cannot be configured on a per-module basis.
    To specify the bootup diagnostic level, perform this task in privileged mode: Task Command Step 1 Specify the bootup diagnostic level.
  • Page 658 Chapter 21 Configuring GOLD Configuring Online Diagnostics Use the diagnostic start command to start running specific test(s) based on the test IDs. The command accepts one test ID, a range of test IDs, a subgroup of tests, or all for all tests. The test ID for a particular test can be different from one module type to another module type or even from one software release to another software release.
  • Page 659 Configuring Online Diagnostics
    Note: Not all functional test groups are present for every module because the supported functional test groups vary depending on the module type. If you are not sure which functional test group to select, run all the packet switching tests that are run during bootup when the diagnostic level is set to “complete”...
  • Page 660 Chapter 21 Configuring GOLD Configuring Online Diagnostics Table 21-2 On-Demand Tests: Fabric-Enabled Modules Functional Test Group Individual Tests Per-port tests TestLoopback Multicast function TestL3VlanMet SPAN function TestIngressSpan TestEgressSpan Fabric Tests TestSynchedFabChannel Table 21-3 On-Demand Tests: Non-Fabric-Enabled Modules Functional Test Group Individual Tests Per-port tests TestLoopback...
  • Page 661 Chapter 21 Configuring GOLD Configuring Online Diagnostics Exhaustive memory tests exist for the supervisor engine and other modules. You should execute the memory tests on the supervisor engine only after the memory tests have been run on the other modules. This order is required because after running the supervisor engine memory tests, the system is in an unusable state and needs to be rebooted to return to a normal operating state.
  • Page 662: Configuring Online Diagnostic Health-Monitoring Tests

    Chapter 21 Configuring GOLD Configuring Online Diagnostics After running the test: • For supervisor engines—Reboot the switch but do not save the configuration while rebooting – because the configuration was changed during the test. – For other modules—Power cycle the modules. After the modules come online, reenable the health-monitor tests that were disabled.
  • Page 663: Scheduling Online Diagnostics

    Chapter 21 Configuring GOLD Configuring Online Diagnostics Console> (enable) This example shows how to enable test 18 on module 7: Console> (enable) set diagnostic monitor module 7 test 18 Module 7 test 18 diagnostic monitor enable. Console> (enable) This example shows how to enable syslog generation when a test fails: Console>...
  • Page 664: Specifying The Online Diagnostic Failure Response

    Chapter 21 Configuring GOLD Configuring Online Diagnostics Schedule #1: To be run daily 12:12 Test ID(s) to be executed: 1-2. Schedule #2: To be run daily 16:16 Test ID(s) to be executed: 3. Port(s) to be tested: 1. Console> (enable) Specifying the Online Diagnostic Failure Response You can specify the online diagnostic failure response for the supervisor engine.
  • Page 665: Displaying Online Diagnostic Tests And Test Results

    Chapter 21 Configuring GOLD Configuring Online Diagnostics Displaying Online Diagnostic Tests and Test Results You can display the online diagnostic tests that are configured for specific modules and check the results of the tests using the show commands. To display online diagnostic test information, perform these tasks in normal mode: Task Command Display the bootup diagnostic level.
  • Page 666 Chapter 21 Configuring GOLD Configuring Online Diagnostics Task Command Disable syslog generation that occurs when a test clear diagnostic monitor syslog fails. Clear online diagnostic scheduling information. clear diagnostic schedule module mod_num test {test-id | test-id-range | all} {[port {port_num | port_range | all}] | [device {device_num | device_range | all}]} This example shows how to clear the bootup online diagnostic level:...
  • Page 667: Chapter 22 Administering The Switch

    • Setting the System Clock on the Switch, page 22-4
    • Creating a Login Banner on the Switch, page 22-4
    • Displaying or Suppressing the “Cisco Systems Console” Telnet Login Banner on the Switch, page 22-5
    • Defining Command Aliases on the Switch, page 22-6
    •...
  • Page 668: Setting The System Name And System Prompt On The Switch

    Chapter 22 Administering the Switch Setting the System Name and System Prompt on the Switch Setting the System Name and System Prompt on the Switch The system name on the switch is a user-configurable string that is used to identify the device. The default configuration has no system name configured.
  • Page 669: Setting The System Contact And Location On The Switch

    Chapter 22 Administering the Switch Setting the System Contact and Location on the Switch This example shows how to configure the system name on the switch: Console> (enable) set system name Catalyst 6500 System name set. Catalyst 6500> (enable) Setting the Static System Prompt To set the static system prompt, perform this task in privileged mode: Task Command...
  • Page 670: Setting The System Clock On The Switch

    Chapter 22 Administering the Switch Setting the System Clock on the Switch This example shows how to set the system contact and location and verify the configuration: Catalyst 6500> (enable) set system contact sysadmin@corp.com System contact set. Catalyst 6500> (enable) set system location Sunnyvale CA System location set.
  • Page 671: Configuring A Login Banner

    Displaying or Suppressing the “Cisco Systems Console” Telnet Login Banner on the Switch To display or suppress the “Cisco Systems Console” Telnet login banner, perform this task in privileged mode: By default, the Cisco Systems Console Telnet login banner is enabled.
  • Page 672: Defining Command Aliases On The Switch

    Console> (enable) set banner telnet disable Cisco Systems Console banner will not be printed at telnet. Console> (enable) This example shows how to display the Cisco Systems Console Telnet login banner setting: Console> (enable) show banner MOTD banner: LCD config:...
  • Page 673: Defining Ip Aliases On The Switch

    Chapter 22 Administering the Switch Defining IP Aliases on the Switch show module 8 show port 8 Console> (enable) sm8 Mod Module-Name Ports Module-Type Model Serial-Num Status --- ------------------- ----- --------------------- --------- --------- ------- DS3 Dual PHY ATM WS-X5166 007243262 ok Mod MAC-Address(es) --- -------------------------------------- ------ ---------- ----------------- 00-60-2f-45-26-2f...
  • Page 674: Configuring Static Routes On The Switch

    Chapter 22 Administering the Switch Configuring Static Routes on the Switch Console> (enable) ping sparc sparc is alive Console> (enable) ping cat6509 cat6509 is alive Console> (enable) Configuring Static Routes on the Switch Note For information on configuring a default gateway (default route), see the “Configuring the Default Gateways”...
  • Page 675: Configuring Permanent And Static Arp Entries On The Switch

    Chapter 22 Administering the Switch Configuring Permanent and Static ARP Entries on the Switch To enable your Catalyst LAN switch to communicate with devices that do not respond to Address Resolution Protocol (ARP) requests, you can configure a static or permanent ARP entry that maps the IP addresses of those devices to their MAC addresses.
  • Page 676: Scheduling A System Reset On The Switch

    Chapter 22 Administering the Switch Scheduling a System Reset on the Switch To clear the ARP entries, perform this task in privileged mode: Task Command Step 1 Clear a dynamic, static, or permanent ARP entry. clear arp [dynamic | permanent | static] {ip_addr hw_addr} Step 2 Clear ARP entry for a single host...
  • Page 677: Scheduling A Reset Within A Specified Amount Of Time

    Chapter 22 Administering the Switch Scheduling a System Reset on the Switch Note The maximum scheduled reset time is 24 days. To schedule a reset at a specific time, perform this task in privileged mode: Task Command Step 1 Schedule the reset time at a specific time. reset [mindown] at {hh:mm} [mm/dd] [reason] Step 2 Verify the scheduled reset.
  • Page 678: Power Management

    Chapter 22 Administering the Switch Power Management Note The minimum downtime argument is valid only if the system has a standby supervisor engine. This example shows how to schedule a reset in a specified time: Console> (enable) reset in 5:20 Configuration update Reset scheduled in 5 hours 20 minutes.
  • Page 679 Chapter 22 Administering the Switch Power Management In a nonredundant configuration, the power that is available to the system is the combined power capability of both power supplies. The system powers up as many modules as the combined capacity allows. However, if one supply should fail and there is not enough power for all the previously powered up modules, the system powers down some modules.
  • Page 680: Using The Cli To Power Modules Up Or Down

    Chapter 22 Administering the Switch Environmental Monitoring Table 22-1 Effects of Power Supply Configuration Changes (continued) Configuration Change: Higher or lower wattage power supply is inserted. Effect: • System log and syslog messages are generated. • The system power is increased to the combined power capability of...
  • Page 681: Environmental Monitoring Using Cli Commands

    Chapter 22 Administering the Switch Environmental Monitoring Environmental monitoring of chassis components provides early warning indications of possible component failure to ensure safe and reliable system operation and avoid network interruptions. This section describes how to monitor these critical system components, enabling you to identify and rapidly correct the hardware-related problems in your system.
  • Page 682: Displaying System Status Information For Technical Support

    Chapter 22 Administering the Switch Displaying System Status Information for Technical Support Table 22-2 Environmental Monitoring for Supervisor Engine and Switching Modules (columns: Component, Alarm Type, LED Indication, Action) Component: Supervisor engine temperature sensor exceeds ...; Alarm Type: Major; LED Indication: STATUS LED red; Action: syslog message and SNMP trap generated.
  • Page 683: Generating A System Status Report

    The core dump and the stack dump generate reports that contain the status information about your switch. Send the images that are captured by the core dump or the stack dump to Cisco TAC for analysis. Enabling and Disabling the Core Dump A core dump produces a comprehensive report of images when your system fails due to a software error.
  • Page 684 Chapter 22 Administering the Switch Displaying System Status Information for Technical Support (4) Please make sure the above device has been installed, and ready to use Core-dump enabled Console> (enable) This example shows how to disable the core dump: Console> (enable) set system core-dump disable Core-dump disabled Console>...
  • Page 685: Using System Crash-Info Files

    Similar to the crash-dump file, the crash-info file is stored in the file system. You should look at the information in the crash-info file in addition to the core dump information. By examining both the crash-info file and core dump file, Cisco TAC can better analyze the error. Enabling and Disabling the Crash-Info File...
  • Page 686: Logging System Information To A Tftp Or Rcp Server

    Chapter 22 Administering the Switch Logging System Information to a TFTP or rcp Server Console> (enable) set system crashinfo enable Crashinfo enabled Specifying the Crash-Info Filename Enter the set system crash-info-file command to specify the crash-info filename. This command automatically checks the validity of the device name that you input. To specify the crash-info filename, perform this task in privileged mode: Task Command...
  • Page 687: Specifying Show Commands For System Information Logging

    Chapter 22 Administering the Switch Logging System Information to a TFTP or rcp Server This example shows how to enable system information logging and verify that it is enabled: Console> (enable) set system info-log enable Successfully enabled system information logging. Console>...
  • Page 688: Specifying How Often System Information Logging Occurs

    Chapter 22 Administering the Switch Logging System Information to a TFTP or rcp Server Specifying How Often System Information Logging Occurs You can specify the amount of time that elapses between the occurrences of system information logging. Specify the amount of time in minutes; the valid values are from 1 to 35000 minutes (25 days). By default, the amount of time between the logging occurrences is 1440 minutes (1 day).
  • Page 689: Clearing A Show Command From System Information Logging

    Chapter 22 Administering the Switch Logging System Information to a TFTP or rcp Server This example shows how to specify the filename and the server and verify the configuration: Console> (enable) set system info-log rcp hcavende 10.5.2.10 sysinfo Successfully set the system information logging file to rcp:sysinfo Console>...
  • Page 690: Disabling System Information Logging

    Chapter 22 Administering the Switch TCL Scripting This example shows how to clear the configuration of system information logging and restore the defaults: Console> (enable) clear config sysinfo-log Successfully cleared the system information logging configuration. Console> (enable) show system info-log System Logging Host File...
  • Page 691 Chapter 22 Administering the Switch TCL Scripting Table 22-3 lists the supported TCL commands. The commands with a t prefix (tformat, trename, tset, and tswitch) have been customized from the standard TCL command set to avoid conflicts with the Catalyst 6500 series switch software. The following two commands have been specifically added to the software: •...
  • Page 692: Entering Tcl Commands

    Chapter 22 Administering the Switch TCL Scripting Table 22-3 TCL Commands append array auto answer break case catch concat continue echo error eval expr foreach global incr info join lappend lindex linsert list llength lrange lreplace lsearch lsort proc puts regexp regsub return...
  • Page 693: Configuring Redundancy

    • Configuring Redundant Supervisor Engines on the Switch, page 23-4 • MSFC Redundancy, page 23-21 Note For information on configuring MSFC redundancy using Cisco nonstop forwarding (NSF) with stateful switchover (SSO), see Chapter 24, “Configuring NSF with SSO MSFC Redundancy.”...
  • Page 694: Understanding How Supervisor Engine Redundancy Works

    All administrative and network management functions, such as SNMP, command-line interface (CLI) console, Telnet, Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), and VLAN Trunking Protocol (VTP) are processed on the active supervisor engine.
  • Page 695 Chapter 23 Configuring Redundancy Understanding How Supervisor Engine Redundancy Works If you hot insert a second supervisor engine, the second module communicates with the active supervisor engine after completing its initial module-level diagnostics. Because the active supervisor engine is already switching traffic on the backplane, no switching-bus diagnostics are run for the second supervisor engine because running diagnostics can disrupt the normal traffic.
  • Page 696: Configuring Redundant Supervisor Engines On The Switch

    Chapter 23 Configuring Redundancy Configuring Redundant Supervisor Engines on the Switch These sections describe how to configure the redundant supervisor engines: • Synchronization Process Initiation, page 23-4 • Redundant Supervisor Engine Configuration Guidelines and Restrictions, page 23-5 •...
  • Page 697: Redundant Supervisor Engine Configuration Guidelines And Restrictions

    Chapter 23 Configuring Redundancy Configuring Redundant Supervisor Engines on the Switch Redundant Supervisor Engine Configuration Guidelines and Restrictions These conditions and events can cause the synchronization of the images between the redundant supervisor engines to fail or to produce unexpected results: • Downloading a new image to the active supervisor engine •...
  • Page 698: Forcing A Switchover To The Standby Supervisor Engine

    Chapter 23 Configuring Redundancy Configuring Redundant Supervisor Engines on the Switch This example shows how to check the status of the standby supervisor engine by entering the show module and show test commands: Console> (enable) show module 2 Mod Slot Ports Module-Type Model Status --- ---- ----- ------------------------- ------------------- --------...
  • Page 699 In addition, you can also force a switchover to the standby supervisor engine by setting the CISCO-STACK-MIB moduleAction variable to reset(2) on the active supervisor engine. When the switchover occurs, the system sends a standard SNMP warm-start trap to the configured trap receivers.
  • Page 700: High Availability

    Configuring Redundant Supervisor Engines on the Switch This example shows the console output on the standby supervisor engine when you force a switchover from the active to the standby supervisor engine: Cisco Systems Console Enter password: 12/07/1998,17:04:43:MLS-5:Multilayer switching is enabled...
  • Page 701 Chapter 23 Configuring Redundancy Configuring Redundant Supervisor Engines on the Switch High-Availability Overview For high availability, a system database is maintained on the active supervisor engine and the updates are sent to the standby supervisor engine for any change of data in the system database. The active supervisor engine communicates and updates the standby supervisor engine when any state changes occur, ensuring that the standby supervisor engine knows the current protocol state of the supported features.
  • Page 702 Supported Features Compatible Features Incompatible Features ASLB Dynamic VLAN COPS-DS GVRP COPS-PR GMRP Protocol filtering IGMP snooping EtherChannel RMON Cisco IOS ACLs RSVP SNMP PAgP Telnet sessions UplinkFast SPAN VTP pruning Trunking UDLD VACLs Port security 802.1x Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7...
  • Page 703 • High availability does not preserve the routing table entries on the active MSFC because high availability is not run on the Cisco IOS software. However, you can configure both MSFCs on the active and standby supervisor engines with the same configuration to preserve the routing table entries across the active and standby MSFCs.
  • Page 704 Chapter 23 Configuring Redundancy Configuring Redundant Supervisor Engines on the Switch • Supervisor Engine 2 – 6.1(3) and 6.1(4) – 6.2(2) and 6.2(3) – 6.3(2) and 6.3(3) Images that are compatible with all modules except Gigabit Ethernet switching modules are as follows: • Supervisor Engine 1...
  • Page 705 Chapter 23 Configuring Redundancy Configuring Redundant Supervisor Engines on the Switch This example shows how to enable high availability: Console> (enable) set system highavailability enable System high availability enabled. Console> (enable) This example shows how to disable high availability: Console> (enable) set system highavailability disable System high availability disabled.
  • Page 706 Chapter 23 Configuring Redundancy Configuring Redundant Supervisor Engines on the Switch – OFF (standby-supervisor-not-operational-yet): The standby supervisor engine is detected but is not operational (not online yet). – OFF (high-availability-not-operational-yet): The standby supervisor engine is operational (online), but high availability is not operational yet (when the system is booted from reset, it takes a few minutes before high availability is operational).
  • Page 707: Configuring Supervisor Engine Redundancy Using Nsf With Sso

    Console> (enable) Configuring Supervisor Engine Redundancy Using NSF with SSO Cisco NSF works with SSO to minimize the amount of time that a network is unavailable to its users following a switchover while continuing to forward the IP packets. For information about configuring NSF with SSO, refer to “Configuring Supervisor Engine Redundancy using NSF with SSO”...
  • Page 708 Chapter 23 Configuring Redundancy Configuring Redundant Supervisor Engines on the Switch Synchronizing the Run-Time Image with the Bootstring This section contains four examples in which the active supervisor engine run-time image is synchronized with the standby supervisor engine. Example 1: Run-time image not synchronized The configuration for example 1 is as follows: • The active supervisor engine configuration is as follows (if the image in the standby supervisor...
  • Page 709 Chapter 23 Configuring Redundancy Configuring Redundant Supervisor Engines on the Switch Example 3: File not copied, bootstring changed, standby supervisor engine reset The configuration for example 3 is as follows: • The active supervisor engine configuration is as follows: – Run-time image: bootflash:f1 –...
  • Page 710 Chapter 23 Configuring Redundancy Configuring Redundant Supervisor Engines on the Switch • The expected results are as follows: – The active supervisor engine run-time image is synchronized with the standby supervisor engine. – The active supervisor engine attempts to copy its f1 image to the standby supervisor engine. – Because there is not enough space on the standby supervisor engine bootflash, the redundant...
  • Page 711 Chapter 23 Configuring Redundancy Configuring Redundant Supervisor Engines on the Switch Example 2: File copied, bootflash modified, standby supervisor engine not reset The configuration for this example is as follows: • The active supervisor engine configuration is as follows: – Run-time image: bootflash:f1 –...
  • Page 712 Chapter 23 Configuring Redundancy Configuring Redundant Supervisor Engines on the Switch • The expected results are as follows: – The active supervisor engine f1 image is not copied to the standby supervisor engine. – The standby supervisor engine bootstring is modified to the following:...
  • Page 713: Msfc Redundancy

    • Single Router Mode Redundancy, page 23-43 • Manual-Mode MSFC Redundancy, page 23-49 Note For information on configuring MSFC redundancy using Cisco nonstop forwarding (NSF) with stateful switchover (SSO), see Chapter 24, “Configuring NSF with SSO MSFC Redundancy.” Note Single router mode redundancy is the only supported MSFC redundancy option for Supervisor Engine 720 and Supervisor Engine 32.
  • Page 714 – Same VLAN interfaces – Same Cisco IOS ACLs (footnotes 1, 2) • All interfaces must have the same administrative status 1. The dynamic and reflexive ACLs, which are based on actual data flow, may be programmed by either MSFC.
  • Page 715 Note PFC2: With PFC2, only the designated MSFC programs the forwarding information base (FIB), the adjacency table, Cisco IOS software, and policy routing ACLs on the active supervisor engine. If you configure static routes or policy routing, you must have the identical configuration on both MSFCs. If you have a static route on the nondesignated MSFC that is not on the designated MSFC, that route will not be programmed in the PFC2.
  • Page 716 Access Control List Configuration If you use the Cisco IOS access control lists (ACLs) on the MSFC, you must configure the ACLs on both MSFCs identically, globally, and at the interface level. Only the designated MSFC (the MSFC to come online first or the MSFC that has been online the longest) programs the PFC with ACL information.
  • Page 717 Chapter 23 Configuring Redundancy MSFC Redundancy To determine the status of the designated MSFC, enter the show fm features or the show redundancy command: Router-15# show redundancy Designated Router: 1 Non-designated Router:2 Redundancy Status: non-designated Config Sync AdminStatus : enabled Config Sync RuntimeStatus: enabled Router-16# show redundancy Designated Router: 1 Non-designated Router:2...
  • Page 718 Chapter 23 Configuring Redundancy MSFC Redundancy You can achieve further load sharing by using MSFC #2 in Switch S1 as the primary HSRP router for VLAN 12 and MSFC #2 as the primary HSRP router in Switch S2 for VLAN 23 (see Figure 23-3).
  • Page 719 Chapter 23 Configuring Redundancy MSFC Redundancy Note While the examples are specific to the PFC, the failover scenarios for the PFC2/MSFC2 would be similar for handling the ACLs and the CEF table entries. On a Supervisor Engine 2, the designated MSFC2 programs many of the ASICs on the PFC2 including building the CEF table.
  • Page 720 Chapter 23 Configuring Redundancy MSFC Redundancy Failure Case 3: Active Sup #1 Fails This sequence occurs when the active supervisor engine (Sup #1) fails: Because the Layer 3 state is maintained, the MLS entries of MSFC #1 gracefully age out of the Sup #2 Layer 3 cache while MSFC #2 takes temporary ownership of these MLS entries using its XTAG value.
  • Page 721 CAM address for the standby VLAN interface. Without the router CAM entry, no shortcuts are created. This problem is independent of any MSFC Cisco IOS release. (This problem is documented in caveat CSCdz17169.)
  • Page 722: Configuration Examples

    Chapter 23 Configuring Redundancy MSFC Redundancy This example shows how to configure an interface as part of HSRP group 100: Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# interface vlan100 Router(config-if)# standby 100 ip 172.20.100.10 Router(config-if)# standby 100 priority 110 Router(config-if)# standby 100 preempt Router(config-if)# standby 100 timers 5 15...
  • Page 723 Chapter 23 Configuring Redundancy MSFC Redundancy This example shows how to configure HSRP on the MSFC in Switch S1: Console> (enable) switch console 15 Trying Router-15... Connected to Router-15. Type ^C^C^C to switch back... Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z.
  • Page 724 Chapter 23 Configuring Redundancy MSFC Redundancy Figure 23-6 Single Chassis with Redundant Supervisor Engines and MSFCs (Switch S1, VLAN 10 and VLAN 21): Slot 1, Sup#1 (active)/MSFC#1: HSRP Active for VLAN 10 (priority 110), HSRP Standby for VLAN 21 (priority 109). Slot 2, Sup#2 (standby)/MSFC#2: HSRP Active for VLAN 21 (priority 110), HSRP Standby for VLAN 10 (priority 109). This example shows how to configure HSRP on the MSFC in Switch S1:...
  • Page 725 Chapter 23 Configuring Redundancy MSFC Redundancy Example 3: Double Chassis with Dual Supervisor Engines and MSFCs Figure 23-7 shows two Catalyst 6500 series switches (S1 and S2), each with a supervisor engine and MSFC in slot 1 (Sup #1/MSFC #1) and slot 2 (Sup #2/MSFC #2). Because there is no Layer-2 loop, HSRP is used for convergence and load sharing.
  • Page 726 Chapter 23 Configuring Redundancy MSFC Redundancy Router(config-if)# standby 21 preempt Router(config-if)# standby 21 timers 5 15 Router(config-if)# standby 21 authentication Secret Router(config-if)# ^Z Router# ^C^C^C This example shows how to configure HSRP on the MSFC in Switch S2: Console> (enable) switch console 15 Trying Router-15...
  • Page 727 Chapter 23 Configuring Redundancy MSFC Redundancy To determine the status of the designated MSFC, enter the show fm features or the show redundancy command: Router-15# show redundancy Designated Router: 1 Non-designated Router:2 Redundancy Status: non-designated Config Sync AdminStatus : enabled Config Sync RuntimeStatus: enabled Router-16# show redundancy Designated Router: 1 Non-designated Router:2...
  • Page 728 Chapter 23 Configuring Redundancy MSFC Redundancy alt Keyword Usage When you enable the Config Sync RuntimeStatus, the configuration mode on the nondesignated MSFC is disabled; only the EXEC mode is still available. The configuration of both MSFCs is made through the console or a Telnet session on the designated MSFC.
  • Page 729 Chapter 23 Configuring Redundancy MSFC Redundancy This example shows how to enable high-availability redundancy and configuration synchronization (Router-15 is the designated MSFC): Console>(enable) session 15 Trying Router-15... Connected to Router-15. Escape character is ’^]’. Router-15> enable Router-15# configure terminal Enter configuration commands, one per line. End with CNTL/Z.
  • Page 730 Chapter 23 Configuring Redundancy MSFC Redundancy The designated MSFC is configured first. This example shows a missing alternate configuration for the VLAN 1 interface: Router-16# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router-16(config)# redundancy Router-16(config-r)# high-availability Router-16(config-r-ha)# config-sync Alternate IP address missing for Vlan1 The alternate configuration is missing.
  • Page 731 Chapter 23 Configuring Redundancy MSFC Redundancy This message, which acknowledges that the high-availability redundancy is enabled and that the configuration mode is automatically exited, is displayed on the nondesignated MSFC: 00:18:57: %RUNCFGSYNC-6-SYNCEVENT: The High-Availability Redundancy Feature is enabled The config mode is no longer accessible Router-15# 00:19:41: %RUNCFGSYNC-6-SYNCEVENT: Non-Designated Router is now online...
  • Page 732 Chapter 23 Configuring Redundancy MSFC Redundancy line con 0 transport input none line vty 0 4 login transport input lat pad mop telnet rlogin udptn nasi <nondesignated MSFC> Router-15# show running-config Building configuration... Current configuration: version 12.1 service timestamps debug uptime service timestamps log uptime no service password-encryption hostname Router1 alt hostname Router2...
  • Page 733 Chapter 23 Configuring Redundancy MSFC Redundancy Scenario 2: Disabling Configuration Synchronization on the Designated MSFC In this scenario, the configuration synchronization is enabled. These examples show how to disable the configuration synchronization: Router-16# configure terminal Enter configuration commands, one per line. End with CNTL/Z.
  • Page 734 Chapter 23 Configuring Redundancy MSFC Redundancy A 1-minute timer will start, allowing the nondesignated MSFC to stabilize. When the timer expires, a snapshot of the current running configuration is sent to the nondesignated MSFC. This message is displayed before synchronizing the running configuration: 00:01:51: %RUNCFGSYNC-6-SYNCEVENT: Syncing Running Configuration to the Non-Designated Router Config Sync AdminStatus is Disabled...
  • Page 735: Single Router Mode Redundancy

    Note With Cisco IOS Release 12.1(11b)E and later releases, you can specify the transition time that the newly designated router waits before downloading the new Layer 3 switching information to the supervisor engine switch processor. For configuration details, see the “Specifying the Transition...
  • Page 736 This section describes the guidelines for configuring SRM redundancy: • Both the designated router and nondesignated router must run the same Cisco IOS image. • A Cisco IOS image must be present in the bootflash of both the designated router and nondesignated router.
  • Page 737 Chapter 23 Configuring Redundancy MSFC Redundancy • When using the authentication methods to control access to the switch, such as RADIUS or TACACS+, you must configure a fallback option to log in with a local username and password if you want to access the nondesignated router through the switch console or session commands. Chapter 39, “Configuring the Switch Access Using AAA”...
  • Page 738 Step 3 If you have a console connection, enter the switch console command to access the designated router. If connected through a Telnet session, enter the session mod command to access the designated router. Step 4 Copy the Cisco IOS Release 12.1(8a)E2 or later image to the bootflash of the designated router and nondesignated router.
  • Page 739 Specifying the Transition Time on the Newly Designated Active Router With Cisco IOS releases prior to Release 12.1(11b)E, the transition time was 120 seconds and was not configurable. Because of the differences in the routing convergence times, 120 seconds might not be long enough.
  • Page 740 Upgrading Images with Single Router Mode Enabled This section describes how to upgrade the Cisco IOS image on the active and standby MSFC when SRM is running. The new image name is c6msfc2-jsv-mz.9E. The standby MSFC cannot load an image using TFTP, but it can load an image from the supervisor engine Flash PC card (sup-slot0:).
  • Page 741: Manual-Mode Msfc Redundancy

    Chapter 23 Configuring Redundancy MSFC Redundancy Step 7 On the active MSFC, enter the write memory command to ensure that the standby MSFC startup configuration gets the boot information. Step 8 Enter the reload command to reload the standby MSFC. Step 9 Enter the show redundancy command on the active and standby MSFCs to ensure that both have the following configuration statement:...
  • Page 742: Hardware And Software Requirements

    Manual-mode MSFC redundancy requires the following software: • – Supervisor engine software release 6.1(3) or later releases and Cisco IOS Release 12.1(7)E or later releases – Supervisor engine software release 5.5.8 or later releases and Cisco IOS Release 12.1(7a)E1 or...
  • Page 743 Chapter 23 Configuring Redundancy MSFC Redundancy • To conserve the IP address space and reduce the overall Layer 3 complexity, ensure that configuration synchronization is disabled on both MSFCs and that all “alt” addresses are removed. If the alt addresses are used, the IP address space is not conserved and in cases where link-level peering is present (such as BGP), the Layer 3 complexity is increased.
  • Page 744 MSFC Redundancy Setting the MSFC Configuration Register For manual-mode MSFC redundancy, set the configuration registers as follows: Step 1 From Cisco IOS configuration mode on the active MSFC (MSFC-15), enter the config-register 0x2102 command. On the MSFC in ROM-monitor mode (MSFC-16), enter the config-register 0x0 command.
  • Page 745 Step 2 continually rebooting). You need to time the break so that it is issued after the system bootstrap message, but before the main Cisco IOS image is decompressed (see the two arrows in the following display output): System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE Copyright (c) 1998 by cisco Systems, Inc.
  • Page 746 2 > Step 10 Enter the reset command at the ROMMON prompt to boot the system. Step 11 Once the MSFC has booted, enter the config-register 0x2102 command from Cisco IOS configuration mode on the newly active MSFC’s console port.
  • Page 747: Configuring Nsf With Sso Msfc Redundancy

    C H A P T E R Configuring NSF with SSO MSFC Redundancy This chapter describes how to configure MSFC redundancy using Cisco nonstop forwarding (NSF) with stateful switchover (SSO) on the Catalyst 6500 series switches. Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series MSFC Cisco IOS Command Reference.
  • Page 748: Hardware And Software Requirements

    The Catalyst operating system that runs on the supervisor engine provides a Layer 2 high availability for redundant supervisor engines. Cisco IOS Release 12.2(18)SXF and later releases with NSF and SSO that run on the MSFC provide Layer 3 (and above) high availability for redundant MSFCs. MSFC SSO high-availability benefits are as follows: Reduced downtime.
  • Page 749: Rpr Overview

    Chapter 24 Configuring NSF with SSO MSFC Redundancy RPR Overview In NSF/SSO mode, one MSFC is active and the other MSFC is in a hot-standby mode. The hot-standby MSFC maintains a constant readiness state by receiving state information from the active MSFC. At any given moment, the standby MSFC may be called on by the supervisor engine to take over the responsibilities held by the active MSFC.
  • Page 750: Types Of Msfc Switchovers

    SRM CLI. The CLI is accepted when entered but it is not acted on in any way. The SRM CLI was kept in Cisco IOS Release 12.2(18)SXF and later software releases to assist you in migrating to NSF/SSO. However, the SRM CLI does not cause NVRAM updates. If you have SRM CLI in your configuration and you decide to modify the SRM configuration and enter the write mem command, the SRM CLI commands in the configuration are lost.
  • Page 751: Using The Cli To Configure Nsf/Sso

    Chapter 24 Configuring NSF with SSO MSFC Redundancy Using the CLI to Configure NSF/SSO • Standby supervisor engine/MSFC insertion—With NSF/SSO redundancy, you can hot swap the standby supervisor engine/MSFC for maintenance. When you hot insert the standby MSFC, the active MSFC detects the presence of the standby MSFC and starts to drive the standby MSFC state transition to hot-standby.
  • Page 752: Configuring Sso

    Chapter 24 Configuring NSF with SSO MSFC Redundancy Using the CLI to Configure NSF/SSO Configuring SSO SSO is the default mode. By default, even if you do not configure the system explicitly as SSO, the system comes up in SSO mode. However, we recommend that you explicitly configure SSO mode. The following task can also be used to configure RPR mode (use mode rpr instead of mode sso).
  • Page 753: Configuring Cef Nsf

    Chapter 24 Configuring NSF with SSO MSFC Redundancy Using the CLI to Configure NSF/SSO Configuring CEF NSF CEF NSF operates by default while the networking device is running in SSO mode. No configuration is necessary. Verifying CEF NSF To verify that CEF is NSF-capable, perform this task: Task Command Verify that CEF is NSF-capable.
  • Page 754: Configuring BGP NSF

    Configuring BGP NSF: Note: You must configure BGP graceful restart on all peer devices that participate in BGP NSF. To configure BGP for NSF, perform this task (repeat this procedure on each of the BGP NSF peer devices): Purpose Command...
  • Page 755: Configuring OSPF NSF

    Step 3: On the SSO device and the neighbor device, verify that the graceful restart function is shown as both advertised and received, and confirm the address families that have the graceful restart capability. Note: If no address families are listed, then BGP NSF also will not occur.
  • Page 756: Verifying OSPF NSF

    Verifying OSPF NSF: To verify OSPF NSF, you must check that the NSF function is configured on the SSO-enabled networking device. To verify OSPF NSF, follow these steps: Verify that “nsf”...
  • Page 757: Verifying IS-IS NSF

    <...Output Truncated...> Step 2: If the NSF configuration is set to cisco, enter the show isis nsf command to verify that NSF is enabled on the device. Using the Cisco configuration, the display output will be different on the active and redundant MSFCs (RPs).
  • Page 758 Local state:ACTIVE, Peer state:STANDBY HOT, Mode:SSO
    This example shows the sample output for the Cisco configuration on the standby RP. In this example, note the presence of “NSF restart enabled”:
    router# show isis nsf
    NSF enabled, mode 'cisco'...
  • Page 759: Displaying Redundancy-Related Information

    Displaying Redundancy-Related Information: Use the show redundancy [qualifier] command to display redundancy-related information. The supported qualifiers are as follows:
    Router# show redundancy ?
    clients    Redundancy Facility (RF) client list
    counters   Redundancy Facility (RF) operational counters
    events...
  • Page 760: Upgrading Software

    MSFC initializes and comes up in RPR mode. Additionally, any configuration changes that are not saved are lost. Note: This procedure requires that the Cisco IOS Release on both MSFCs supports RPR (at a minimum), and both MSFCs must be running the same software version.
  • Page 761: Upgrading to SSO from Single Router or Dual Router Modes

    DRM configurations need to be reconfigured for use with SSO. Cisco IOS software prior to Cisco IOS Release 12.2(18)SXF is either SRM and/or DRM capable but does not support upgrading to SSO. These software images cannot be upgraded using the fast software upgrade procedure.
  • Page 762 Another example of a mixed-mode upgrade scenario is when the SRM and/or DRM image is running on the active MSFC and the SSO-based image is running on the standby MSFC. In this mode, the active MSFC running the SRM and/or DRM image will boot completely, but the SSO-based image running on the standby MSFC will incorrectly determine that it is the active MSFC and will try to boot as the active MSFC.
  • Page 763: Chapter 25 Modifying the Switch Boot Configuration

    Chapter 25: Modifying the Switch Boot Configuration. This chapter describes how to modify the switch boot configuration on the Catalyst 6500 series switches, including the BOOT environment variable, the CONFIG_FILE environment variable, and the configuration register. Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 764: Understanding the Boot Process

    Understanding the Boot Process: The boot process involves two software images: ROM monitor and supervisor engine system code. When you power up or reset the switch, the ROM-monitor code is executed. Depending on the nonvolatile RAM (NVRAM) configuration, the switch either stays in ROM-monitor mode or loads the supervisor engine system code.
  • Page 765: Understanding the BOOT Environment Variable

    The lowest four bits (bits 3, 2, 1, and 0) of the 16-bit configuration register form the boot field. The default boot field value is 0x10F. The possible configuration register boot field settings are as follows: When the boot field equals 0000, the switch does not load a system image.
  • Page 766: Understanding the CONFIG_FILE Environment Variable

    Understanding the CONFIG_FILE Environment Variable: You can use the CONFIG_FILE environment variable to specify a list of configuration files (auto-config files) on the various devices to use to configure the switch at startup. You can specify the following functions: • Nonrecurring—When you add a list of configuration files to the CONFIG_FILE environment...
  • Page 767: Default Switch Boot Configuration

    Default Switch Boot Configuration: Table 25-1 shows the default switch boot configuration. Table 25-1 Default Switch Boot Configuration (Feature: Default Configuration): Configuration register value: 0x10f; Boot method: System boots from the image that is specified in the BOOT environment variable; ROM-monitor console port baud rate: 9600 baud...
  • Page 768: Setting the Boot Field in the Configuration Register

    Setting the Boot Field in the Configuration Register: You can determine the boot method that the switch will use at the next startup by setting the boot field in the configuration register. This command affects only the configuration register bits that control the boot field and leaves the remaining bits unaltered.
  • Page 769: Setting CONFIG_FILE Recurrence

    This example shows how to set the ROM-monitor console-port baud rate in the configuration register to 2400:
    Console> (enable) set boot config-register baud 2400
    Configuration register is 0x1800
    ignore-config: disabled
    auto-config: non-recurring
    console baud: 2400
    boot: the ROM monitor...
  • Page 770: Setting CONFIG_FILE Overwrite

    Setting CONFIG_FILE Overwrite: This command allows you to specify whether the auto-config file should be used to overwrite the NVRAM configuration or whether the file configuration should be appended to what is currently in NVRAM. Overwriting means that the NVRAM configuration will be cleared before executing the auto-config file;...
  • Page 771: Setting the Switch to Ignore the NVRAM Configuration

    The CONFIG_FILE variable from the active supervisor engine is made identical on the standby supervisor engine. Each auto-config file on the active supervisor engine is compared against each corresponding auto-config file on the standby supervisor engine. Two files are considered identical if their lengths and cyclic redundancy check (CRC) are the same.
  • Page 772: Setting the Configuration Register Value

    This example shows how to set the switch to ignore the NVRAM configuration at the next startup:
    Console> (enable) set boot config-register ignore-config enable
    Configuration register is 0x1860
    ignore-config: enabled
    auto-config: recurring
    console baud: 2400...
  • Page 773: Clearing the BOOT Environment Variable Settings

    This example shows how to set the BOOT environment variable:
    Console> (enable) set boot system flash bootflash:cat6000-sup.5-5-1.bin
    BOOT variable = bootflash:cat6000-sup.5-5-1.bin,1;
    Console> (enable) set boot system flash bootflash:cat6000-sup.4-5-2.bin
    BOOT variable = bootflash:cat6000-sup.5-1-1.bin,1;bootflash:cat6000-sup.4-5-2.
  • Page 774: Clearing the CONFIG_FILE Environment Variable Settings

    To set the CONFIG_FILE environment variable, perform this task in privileged mode: Task: Set the CONFIG_FILE environment variable. Command: set boot auto-config device:filename[;device:filename...] This example shows how to set the CONFIG_FILE environment variable: Console>...
  • Page 775 This example shows how to display the current configuration register, the BOOT environment variable, and the CONFIG_FILE environment variable settings:
    Console> (enable) show boot
    BOOT variable = bootflash:cat6000-sup.5-2-1.bin,1;
    CONFIG_FILE variable = bootflash:generic.cfg;bootflash:6509_1_noc.cfg
    Configuration register is 0x12f
    ignore-config: disabled...
  • Page 776 Chapter 25 Modifying the Switch Boot Configuration Displaying the Switch Boot Configuration Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 25-14 OL-8978-04...
  • Page 777: Working with the Flash File System

    Chapter 26: Working with the Flash File System. This chapter describes how to use the flash file system on the Catalyst 6500 series switches. Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 778: Working with the Flash File System on the Switch

    Working with the Flash File System on the Switch: These sections describe how to work with the flash file system: • Setting the Default Flash Device, page 26-2 ...
  • Page 779: Setting the Text File Configuration Mode to Auto-Save

    When operating in text file configuration mode, most user settings are not immediately saved to NVRAM; the configuration changes are only written to DRAM. You will need to enter the write memory command to store the configuration in nonvolatile storage.
  • Page 780 To set the text file configuration mode to auto-save, perform this task: Step 1: Task: Set the file configuration mode for the system to text. Command: set config mode text {nvram | device:file-id}
  • Page 781: Listing the Files on a Flash Device

    Listing the Files on a Flash Device: To list the files on a flash device, perform one of these tasks: Task: Display a list of files on a flash device. Command: dir [[m/]device:][filename] Task: Display a list of the deleted files on a flash device.
  • Page 782: Copying Files

    Copying Files: To copy a file, perform one of these tasks in privileged mode: Task: Copy a flash file to a TFTP server, rcp server, flash memory, another flash device, or to the running configuration. Command: copy file-id {tftp | rcp | flash | file-id | config}
  • Page 783 This example shows how to download a configuration file from a TFTP server for storage on a flash device:
    Console> (enable) copy tftp flash
    IP address or name of remote host []? 172.20.52.3
    Name of file to copy from []? dns-config.cfg
    Flash device [slot0]?...
  • Page 784: Deleting Files

    Deleting Files: Caution: If you enter the squeeze command on a flash device, you cannot restore the files that were deleted prior to the squeeze command. To delete the files on a flash device, perform this task in privileged mode: Task Command...
  • Page 785: Verifying a File Checksum

    Note: The Flash PC cards that are formatted on Supervisor Engine 1 or on a route-switch processor (RSP)-based Cisco 7500 series router are interchangeable if the router is running software at least at the same level as the supervisor engine. You cannot use the Flash PC cards that are formatted on a route processor (RP)-based Cisco 7000 series router without reformatting.
  • Page 786 In the format command syntax, use the device2 argument to specify the device that contains the monlib file to use. If you omit the entire device2 argument, the switch formats the device using the monlib file that is bundled with the software.
  • Page 787: Working with System Software Images

    Chapter 27: Working with System Software Images. This chapter describes how to work with system software image files on the Catalyst 6500 series switches. Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 788: Software Image Naming Conventions

    Software Image Naming Conventions: The software images on the Catalyst 6500 series switches use the following naming conventions (software release 7.3(1) images for a Supervisor Engine 2 are used in the examples): • 7.3(1) flash image (standard)—cat6000-sup2k8.7-3-1.bin ...
  • Page 789: Upgrading the Nonsupervisor Engine Module EPLD Images

    This example shows how to specify the automatic keyword for the EPLD upgrades:
    Console> (enable) set system supervisor-update automatic
    Down-rev supervisor EPLD's will be re-programmed next reset.
    Console> (enable)
    This example shows how to specify the force keyword for the EPLD upgrades: Console>...
  • Page 790 This example shows how to upgrade the EPLD image on the module in slot 5:
    Console> (enable) download epld aq_cr128_art.bin 5 force
    CCCCCC
    Device found requiring upgrade in slot 5.
    ########################################################
    W A R N I N G
    # Any disruptions to the module during programming may #...
  • Page 791: Comparing File Transfer Protocols

    Comparing File Transfer Protocols: Table 27-1 compares the supported file transfer protocols. Table 27-1 Comparison of File Transfer Protocols (columns shown: Requirement, TFTP, SFTP; rows: Username needed, Password needed, Can run as a client, Can run as a server, Secure authentication, Secure file transfer...)
  • Page 792: Specifying the FTP Username and Password

    Depending on the type of software image that you are downloading, one of the following occurs: • Supervisor engine software image—The image file is downloaded to the supervisor engine flash...
  • Page 793: Preparing to Download an Image Using FTP or TFTP

    Preparing to Download an Image Using FTP or TFTP: Before you begin downloading a software image using FTP or TFTP, do the following: • Verify that the workstation acting as the TFTP server is configured properly. When using TFTP on a Sun workstation, verify that the /etc/inetd.conf file contains this line: tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -p -s /tftpboot Verify that the /etc/services file contains this line:...
  • Page 794: Downloading the Switching Module Images Using FTP or TFTP

    To download a supervisor engine software image to the switch from an FTP or TFTP server, perform these steps: Step 1: Copy the software image file to the appropriate FTP or TFTP directory on the workstation. Step 2: Log into the switch through the console port or through a Telnet session.
  • Page 795: FTP and TFTP Download Procedures Example

    Step 4: If there are multiple modules of the type that is appropriate for the image but you only want to update a single module, enter the copy ftp m/bootflash: or copy tftp m/bootflash: command, where m is the number of the module to which to download the software image.
  • Page 796 This command will reset the system.
    Do you want to continue (y/n) [n]? y
    Console> (enable) 07/21/1998,13:51:39:SYS-5:System reset from Console//
    System Bootstrap, Version 4.2
    Copyright (c) 1994-1998 by cisco Systems, Inc.
    c6k_sup1 processor with 32768 Kbytes of main memory
    Autoboot executing command: "boot bootflash:cat6000-sup.5-2-1-CSX.bin"
    CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...
  • Page 797 This command will reset the system.
    Do you want to continue (y/n) [n]? y
    Console> (enable) 04/29/2003,13:51:39:SYS-5:System reset from Console//
    System Bootstrap, Version 4.2
    Copyright (c) 1994-1998 by cisco Systems, Inc.
    c6k_sup1 processor with 32768 Kbytes of main memory
    Autoboot executing command: "boot bootflash:cat6000-sup2k8.7-7-1.bin,1"
    CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...
  • Page 798 0x00000001 RIn Local Test Mode, Pinnacle Synch Retries: 2
    Running System Diagnostics from this Supervisor (Module 1)
    This may take up to 2 minutes..please wait
    Cisco Systems Console
    Enter password:
    07/21/1998,13:52:51:SYS-5:Module 1 is online
    07/21/1998,13:53:11:SYS-5:Module 4 is online
    07/21/1998,13:53:11:SYS-5:Module 5 is online
    07/21/1998,13:53:14:PAGP-5:Port 1/1 joined bridge port 1/1.
  • Page 799 Console> (enable) 07/21/1998,13:13:54:SYS-5:Module 4 is online
    Console> (enable) show version 4
    Mod Port Model Serial # Versions
    --- ---- ---------- --------- ----------------------------------------
    WS-X6101 003414855 Hw : 1.2 Fw : 1.3 Sw : 3.2(7)
    Console>...
  • Page 800: Uploading the System Software Images to an FTP or TFTP Server

    Console> (enable) show version 5
    Mod Port Model Serial # Versions
    --- ---- ---------- --------- ----------------------------------------
    WS-X6101 003414463 Hw : 1.2 Fw : 1.3 Sw : 3.2(6)
    Console>...
  • Page 801: Preparing to Upload an Image to an FTP or TFTP Server

    Preparing to Upload an Image to an FTP or TFTP Server: Before you attempt to upload a software image to an FTP or TFTP server, do the following: •...
  • Page 802: Downloading the System Software Images Using rcp

    This example shows how to upload the supervisor engine software image using TFTP:
    Console> (enable) copy flash tftp
    Flash device [bootflash]? slot0:
    Name of file to copy from []? cat6000-sup.5-4-1.bin
    IP address or name of remote host [172.20.52.3]? 172.20.52.10
    Name of file to copy to [cat6000-sup.5-4-1.bin]?
    CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...
  • Page 803: Downloading the Switching Module Images Using rcp

    Step 3: Download the software image from the rcp server by entering the copy rcp flash command. When prompted, enter the IP address or host name of the rcp server and the name of the file to download. On those platforms that support the flash file system, you are also prompted for the flash device to which to copy the file and the destination filename.
  • Page 804: Example rcp Download Procedures

    The switch downloads the image file, erases the flash memory on the appropriate modules, and reprograms the flash memory with the downloaded flash code. Note: All the modules in the switch remain operational while the image downloads. Reset the appropriate modules using the reset mod command.
  • Page 805 System Bootstrap, Version 4.2
    Copyright (c) 1994-1999 by cisco Systems, Inc.
    Presto processor with 32768 Kbytes of main memory
    Autoboot executing command: "boot bootflash:cat6000-sup.5-2-1-csx.bin"
    CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
    CCCCCCCCCCCCCCCCCCC...
  • Page 806 Single Module Image rcp Download Example: Note: For a procedure on downloading the software images to the intelligent modules, see the “Downloading the Switching Module Images Using rcp” section on page 27-17.
  • Page 807: Uploading the System Software Images to an rcp Server

    This example shows a complete rcp download procedure of an ATM software image to multiple ATM modules:
    Console> (enable) show version 4
    Mod Port Model Serial # Versions
    --- ---- ---------- --------- ----------------------------------------...
  • Page 808: Preparing to Upload an Image to an rcp Server

    Preparing to Upload an Image to an rcp Server: Before you attempt to upload a software image to an rcp server, do the following: • Verify that the workstation acting as the rcp server is configured properly. • Verify that the switch has a route to the rcp server.
  • Page 809: Preparing to Download an Image Using SCP

    These sections describe how to download the system software crypto images to the switch supervisor engine: • Preparing to Download an Image Using SCP, page 27-23 • Downloading the Crypto Images Using SCP, page 27-23 • Example SCP Download Procedure, page 27-24 ...
  • Page 810: Example SCP Download Procedure

    This command will reset the system.
    Do you want to continue (y/n) [n]? y
    Console> (enable) 11/25/2003,13:51:39:SYS-5:System reset from Console//
    System Bootstrap, Version 4.2
    Copyright (c) 1994-2003 by cisco Systems, Inc.
    Presto processor with 32768 Kbytes of main memory
    Autoboot executing command: "boot bootflash:cat6000-sup720cvk9.8-3-1.bin"
    CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...
  • Page 811: Uploading the Crypto Images to an SCP Server

    0x00000001 RIn Local Test Mode, Pinnacle Synch Retries: 2
    Running System Diagnostics from this Supervisor (Module 1)
    This may take up to 2 minutes..please wait
    Cisco Systems Console
    Enter password:
    11/25/2003,13:52:51:SYS-5:Module 1 is online
    11/25/2003,13:53:11:SYS-5:Module 4 is online
    11/25/2003,13:53:11:SYS-5:Module 5 is online
    11/25/2003,13:53:14:PAGP-5:Port 1/1 joined bridge port 1/1.
  • Page 812: Uploading the Crypto Images to an SCP Server

    Uploading the Crypto Images to an SCP Server: To upload a crypto image on a switch to an SCP server for storage, perform these steps: Step 1: Log into the switch through the console port or an SSH session.
  • Page 813: Uploading the Crypto Images to an SFTP Server

    Step 4: Enter the copy sftp destination command. When prompted, enter the IP address or hostname of the SFTP server and the name of the file to download. You are also prompted for the flash device to which to copy the file and the destination filename.
  • Page 814: Downloading the Software Images over a Serial Connection on the Console Port

    Copying a file to an SFTP server is similar. You will be asked for the destination host and pathname and the copy process will occur without additional confirmation. Console>...
  • Page 815: Downloading the Software Images Using Kermit (PC Procedure)

    Downloading the Software Images Using Kermit (PC Procedure): Note: This procedure applies to the PC serial downloads only. For information on performing a serial download on a UNIX workstation, see the “Downloading the Software Images Using Kermit (UNIX Procedure)”...
  • Page 816: Downloading the Software Images Using Kermit (UNIX Procedure)

    Downloading the Software Images Using Kermit (UNIX Procedure): Note: This procedure applies to the UNIX serial downloads only. For information on performing a serial download on a PC, see the “Downloading the Software Images Using Kermit (PC Procedure)”...
  • Page 817: Example Serial Software Image Download Procedures

    Note: If you enter the connect command more than 2 minutes after the Kermit> prompt reappears, you might see only a Console> prompt instead of the status information about erasing and programming flash code.
  • Page 818 Flash erase in progress ...
    Erase done
    Programming Flash:
    Flash Programming Complete
    The system needs to be reset to run the new image.
    Cisco Systems Console
    Enter password:
    Mon Apr 06, 1998, 14:35:08
    Console>
    UNIX Workstation Serial Download Procedure Example...
  • Page 819: Downloading a System Image Using Xmodem or Ymodem

    ? to see other options.
    Download OK
    Initializing Flash
    Programming Flash
    Base..Code..Length..Time..Done
    Cisco Systems Console
    Enter password:
    Mon Apr 06, 1998, 17:35:08
    Console>
    Downloading a System Image Using Xmodem or Ymodem: When you need a system image on the switch, but the switch does not have network access and you do...
  • Page 820 Step 1: Place a supervisor engine software image on the computer’s hard drive. You can download an image from Cisco.com (see the “Preface” section for details). Step 2: To download from a local computer, connect the console port (port mode switch in the in position) to a serial port on the computer using a null-modem cable.
  • Page 821: Verifying the Software Images

    Because a software image goes through a sequence of transfers before it is copied into the memory of the switch, the integrity of the image is at risk each time that it is downloaded from Cisco.com. The image size and checksum are automatically checked when the image is copied, but these types of checks do not ensure that the downloaded image has not been corrupted.
  • Page 823: Chapter 28 Working with Configuration Files

    Chapter 28: Working with Configuration Files. This chapter describes how to work with the switch configuration files on the Catalyst 6500 series switches. Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 824: Creating and Using Configuration File Guidelines

    Creating and Using Configuration File Guidelines: Creating configuration files can help you configure your switch. The configuration files can contain some or all the commands that are needed to configure one or more switches. For example, you might want to download the same configuration file to several switches that have the same hardware configuration so that they have identical module and port configurations.
  • Page 825: Downloading the Configuration Files to the Switch Using TFTP

    This example shows a configuration file that could be used to set the Domain Name System (DNS) configuration on multiple switches:
    begin
    #dns
    set ip dns server 172.16.10.70 primary
    set ip dns server 172.16.10.140
    set ip dns enable
    set ip dns domain corp.com...
  • Page 826 Configuring the Switch Using a File on a TFTP Server: To configure the switch using a configuration file that is downloaded from a TFTP server, perform these steps: Copy the configuration file to the appropriate TFTP directory on the workstation.
  • Page 827: Uploading the Configuration Files to a TFTP Server

    This example shows how to configure the switch using a configuration file that is stored on a flash device:
    Console> (enable) copy slot0:dns-config.cfg config
    Configure using slot0:dns-config.cfg (y/n) [n]? y
    Finished network download.
  • Page 828: Copying the Configuration Files Using SCP or rcp

    Uploading a Configuration File to a TFTP Server: To upload a configuration file from a switch to a TFTP server for storage, perform these steps: Step 1: Log into the switch through the console port or a Telnet session. Upload the switch configuration to the TFTP server with the copy config tftp command.
  • Page 829: Downloading the Configuration Files from an rcp or SCP Server

    SCP Overview: Secure Copy (SCP) provides a secure method for copying the crypto image files. SCP relies on Secure Shell (SSH) and allows you to copy a crypto file to and from the system through an encrypted channel.
  • Page 830: Uploading Configuration Files to an rcp or SCP Server

    This example shows how to configure a Catalyst 6500 series switch using a configuration file that is downloaded from a server:
    Console> (enable) copy rcp config
    IP address or name of remote host []? 172.20.52.3
    Name of file to copy from []? dns-config.cfg
    Configure using rcp:dns-config.cfg (y/n) [n]? y...
  • Page 831: Clearing the Configuration

    This example shows how to upload the running configuration on a Catalyst 6500 series switch to an rcp server for storage:
    Console> (enable) copy config rcp
    IP address or name of remote host []? 172.20.52.3
    Name of file to copy to []? cat6000_config.cfg
    Upload configuration to rcp:cat6000_config.cfg, (y/n) [n]? y...
  • Page 832: Comparing The Configuration Files

    Note: If you remove a module and replace it with a module of another type (for example, if you remove a 10/100 Ethernet module and insert a Gigabit Ethernet module), the module configuration is inconsistent. The output of the show module command indicates this problem.
  • Page 833: Creating The Configuration Checkpoint Files For Configuration Rollback

    Creating the Configuration Checkpoint Files for Configuration Rollback. You can roll back the current switch configuration file to a previously saved configuration file (also known as a “checkpoint” file) if the current file produces undesirable system results. This rollback feature provides a command to set multiple configuration “checkpoint”...
  • Page 834: Working With The Configuration Files On The Msfc

    To roll the current configuration file back to a previously created configuration checkpoint file, perform this task in privileged mode:
    Task: Roll the current configuration file back to a configuration checkpoint file.
    Command: set config rollback name
  • Page 835: Uploading The Configuration File To A Tftp Server

    Saving and retrieving the configuration file is not necessary if you are temporarily removing an MSFC that you are going to reinstall; the lithium batteries retain the configuration in memory. This procedure requires privileged-level access to the EXEC command interpreter, which usually requires a password.
  • Page 836: Uploading The Configuration File To The Supervisor Engine Flash Pc Card

    Step 7 Note that before the MSFC executes the copy process, it displays the instructions that you entered for confirmation. If the instructions are not correct, enter n (no) and press Return to abort the process. To accept the instructions, press Return or enter y (yes) and then press Return; the system begins the copy process.
  • Page 837 To download the currently running configuration from a remote host, perform these steps:
    Step 1 Check if the system prompt displays a pound sign (#) to indicate the privileged level of the EXEC command interpreter.
  • Page 838: Downloading The Configuration File From The Supervisor Engine Flash Pc Card

    Step 9 Enter the write term command to display the currently running configuration on the terminal. Review the display and ensure that the configuration information is complete and correct. If it is not, verify the filename and repeat the preceding steps to retrieve the correct file, or enter the configure command to add or modify the existing configuration.
  • Page 839 If you choose to create the profile files by editing a system-generated configuration file, most of the required notations will already be in the file. The keywords that are currently supported are ALL_MODULES, ALL_PORTS, ALL_MODULE_PORTS, and ALL_VLANS.
  • Page 840
    # vtp mode off, enable password and dummy domain (edit as needed)
    set vtp domain locked_down
    set vtp mode off
    set vtp passwd locked_down
    # default VLAN is "Quarantine" (edit as needed)
    set vlan 999 name Quarantine
    # Management VLAN is "Management"...
  • Page 841 Note that the following ACLs might not be up to date.
    ! Refer to www.iana.org/assignments/ipv4-address-space for a current list.
    ! Bogons
    set security acl ip Anti-spoofing deny ip 0.0.0.0 0.255.255.255 any log
    set security acl ip Anti-spoofing deny ip 1.0.0.0 0.255.255.255 any log...
  • Page 842
    set security acl ip Anti-spoofing deny ip 177.0.0.0 0.255.255.255 any log
    set security acl ip Anti-spoofing deny ip 178.0.0.0 0.255.255.255 any log
    set security acl ip Anti-spoofing deny ip 179.0.0.0 0.255.255.255 any log
    set security acl ip Anti-spoofing deny ip 180.0.0.0 0.255.255.255 any log
    set security acl ip Anti-spoofing deny ip 181.0.0.0 0.255.255.255 any log
    set security acl ip Anti-spoofing deny ip 182.0.0.0 0.255.255.255 any log...
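The profile's Anti-spoofing entries use wildcard masks (0.255.255.255 means "ignore the low 24 bits"), and each entry is matched in order against the packet's source address. The following Python is an added example, not code from the guide or from Cisco: it parses the entries quoted above from the page, shows the wildcard match, converts contiguous wildcards to CIDR for review, and evaluates a source address with first-match semantics. The page itself warns that this bogon list is dated, so the ranges are reproduced only as input; whether unmatched traffic is permitted depends on the rest of the ACL, which the page truncates, so the evaluator returns None rather than guessing.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# One VACL entry in the syntax used on the page:
#   set security acl ip <acl> <permit|deny> ip <source> <wildcard> any [log]
ACE_RE = re.compile(
    r"^set security acl ip (?P<acl>\S+) (?P<action>permit|deny) ip "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<wild>\d{1,3}(?:\.\d{1,3}){3}) any(?P<log> log)?\s*$"
)


class Ace(NamedTuple):
    acl: str
    action: str
    base: int       # source address as a 32-bit integer
    wildcard: int   # wildcard mask as a 32-bit integer (1 bits = don't care)
    log: bool


def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    return Ace(
        m["acl"], m["action"],
        int(ipaddress.IPv4Address(m["src"])),
        int(ipaddress.IPv4Address(m["wild"])),
        m["log"] is not None,
    )


def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """Wildcard semantics: compare only the bits where the wildcard has a 0."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def ace_to_cidr(ace: Ace) -> str:
    """Readable form for a contiguous wildcard (e.g. 0.255.255.255 -> /8)."""
    if (ace.wildcard + 1) & ace.wildcard:
        raise ValueError("non-contiguous wildcard has no single CIDR form")
    prefix = 32 - bin(ace.wildcard).count("1")
    return str(ipaddress.ip_network(f"{ipaddress.IPv4Address(ace.base)}/{prefix}", strict=False))


def evaluate(aces: List[Ace], src_ip: str) -> Optional[Tuple[str, bool]]:
    """First-match evaluation of the source address. Returns (action, logged), or
    None when no listed entry matches: the page truncates the rest of the ACL, so
    the fate of unmatched traffic is not decided here."""
    addr = int(ipaddress.IPv4Address(src_ip))
    for ace in aces:
        if wildcard_match(addr, ace.base, ace.wildcard):
            return ace.action, ace.log
    return None


# Entries quoted from the page (which notes the list may be out of date).
ANTI_SPOOFING_TEXT = """
set security acl ip Anti-spoofing deny ip 0.0.0.0 0.255.255.255 any log
set security acl ip Anti-spoofing deny ip 1.0.0.0 0.255.255.255 any log
set security acl ip Anti-spoofing deny ip 177.0.0.0 0.255.255.255 any log
set security acl ip Anti-spoofing deny ip 178.0.0.0 0.255.255.255 any log
set security acl ip Anti-spoofing deny ip 179.0.0.0 0.255.255.255 any log
set security acl ip Anti-spoofing deny ip 180.0.0.0 0.255.255.255 any log
set security acl ip Anti-spoofing deny ip 181.0.0.0 0.255.255.255 any log
set security acl ip Anti-spoofing deny ip 182.0.0.0 0.255.255.255 any log
"""
ANTI_SPOOFING = [parse_ace(line) for line in ANTI_SPOOFING_TEXT.strip().splitlines()]

if __name__ == "__main__":
    for ace in ANTI_SPOOFING:
        print(ace.action, ace_to_cidr(ace), "log" if ace.log else "")
    print(evaluate(ANTI_SPOOFING, "1.2.3.4"), evaluate(ANTI_SPOOFING, "172.20.52.3"))
```

Rendering each entry as CIDR is the quickest way to review a profile like this against the current IANA allocations before committing it to production VLANs.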
  • Page 843: Chapter 29 Configuring System Message Logging

    Chapter 29 Configuring System Message Logging. This chapter describes how to configure system message logging on the Catalyst 6500 series switches. Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 844 Table 29-1 System Message Log Facility Types (Facility Name: Definition)
    all: All facilities
    acl: ACL facility
    cdp: Cisco Discovery Protocol
    cops: Common Open Policy Server
    dtp: Dynamic Trunking Protocol
    dvlan: Dynamic VLAN
    earl: ...
  • Page 845: System Log Message Format

    Table 29-1 System Message Log Facility Types (continued)
    telnet: Terminal Emulation Protocol
    tftp: Trivial File Transfer Protocol
    udld: User Datagram Protocol
    vmps: VLAN Membership Policy Server
    vtp: VLAN Trunking Protocol
    Table 29-2 describes the severity levels that are supported by the system message logs.
  • Page 846: Default System Message Logging Configuration

    Default System Message Logging Configuration. This example shows some typical switch system messages (at system startup):
    1999 Apr 16 10:01:26 %MLS-5-MLSENABLED:IP Multilayer switching is enabled
    1999 Apr 16 10:01:26 %MLS-5-NDEDISABLED:Netflow Data Export disabled
    1999 Apr 16 10:01:26 %SYS-5-MOD_OK:Module 1 is online
    1999 Apr 16 10:01:47 %SYS-5-MOD_OK:Module 3 is online
    1999 Apr 16 10:01:42 %SYS-5-MOD_OK:Module 6 is online
    1999 Apr 16 10:02:27 %PAGP-5-PORTTOSTP:Port 3/1 joined bridge port 3/1...
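Each message above carries its facility and severity in the %FACILITY-SEVERITY-MNEMONIC field, which is what a syslog collector keys on when it filters by the logging level or counts events per facility. The Python below is an added example and not part of the guide: it parses lines in that format, keeps the messages at or above a chosen severity (lower number means more severe, matching the level numbering the guide uses elsewhere, e.g. notifications(5)), and tallies them per facility. The sample input reuses the startup lines quoted above plus two constructed lines (a severity-2 message with a made-up SECURITY facility and one non-message line) so the filter has something to reject.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Severity numbers as carried in %FACILITY-SEVERITY-MNEMONIC; 0 is most severe.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# "<yyyy Mon dd hh:mm:ss> %FACILITY-SEV-MNEMONIC:text", the shape shown on the page.
MESSAGE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):(?P<text>.*)$"
)


@dataclass(frozen=True)
class SwitchMessage:
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_message(line: str) -> Optional[SwitchMessage]:
    """Split one log line into its fields; None for lines that do not fit the format."""
    m = MESSAGE_RE.match(line.strip())
    if m is None:
        return None
    return SwitchMessage(m["ts"], m["facility"], int(m["severity"]),
                         m["mnemonic"], m["text"].strip())


def select_by_severity(lines: Iterable[str], level: int) -> List[SwitchMessage]:
    """Keep messages at severity `level` or more severe, like a logging level setting."""
    kept = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and msg.severity <= level:
            kept.append(msg)
    return kept


def count_by_facility(messages: Iterable[SwitchMessage]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for msg in messages:
        counts[msg.facility] = counts.get(msg.facility, 0) + 1
    return counts


# Sample input: startup messages quoted from the page, plus two constructed lines
# (a severity-2 message with a made-up facility, and a line that is not a message).
SAMPLE_LOG = [
    "1999 Apr 16 10:01:26 %MLS-5-MLSENABLED:IP Multilayer switching is enabled",
    "1999 Apr 16 10:01:26 %MLS-5-NDEDISABLED:Netflow Data Export disabled",
    "1999 Apr 16 10:01:26 %SYS-5-MOD_OK:Module 1 is online",
    "1999 Apr 16 10:02:27 %PAGP-5-PORTTOSTP:Port 3/1 joined bridge port 3/1",
    "1999 Apr 16 10:03:02 %SECURITY-2-SHUTDOWN:Port 5/3 shutdown (constructed sample line)",
    "--- not a system message ---",
]

if __name__ == "__main__":
    for msg in select_by_severity(SAMPLE_LOG, 3):
        print(msg.timestamp, msg.facility, msg.severity_name, msg.mnemonic, msg.text)
    print(count_by_facility(select_by_severity(SAMPLE_LOG, 7)))
```

Note that the switch timestamps are only as good as its clock: the startup lines above show seconds out of order, which is why the NTP chapter later in this guide matters for correlating switch messages with other log sources.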
  • Page 847: Configuring The System Message Logging On The Switch

    Configuring the System Message Logging on the Switch. These sections describe how to configure system message logging on the switch:
    • Enabling and Disabling the Session Logging Settings, page 29-5
    • ...
  • Page 848: Setting The System Message Logging Levels

    This example shows how to disable logging to the current and future console sessions:
    Console> (enable) set logging console disable
    System logging messages will not be sent to the console.
    Console>...
  • Page 849: Enabling And Disabling The Logging Time-Stamp Enable State

    Enabling and Disabling the Logging Time-Stamp Enable State. To enable or disable the logging time-stamp state, perform this task in privileged mode:
    Step 1 (Task) Enable or disable the logging time-stamp state.
  • Page 850: Configuring The Syslog Daemon On A Unix Syslog Server

    Configuring the syslog Daemon on a UNIX syslog Server. Before you can send the system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server.
  • Page 851: Displaying The Logging Configuration

    This example shows how to specify a syslog server, set the facility and severity levels, and enable logging to the server:
    Console> (enable) set logging server 10.10.10.100
    10.10.10.100 added to System logging server table.
  • Page 852 This example shows how to display the current system message logging configuration:
    Console> (enable) show logging
    Logging buffered size:           timestamp option: enabled
    Logging history size:            severity: notifications(5)
    Logging console: enabled...
  • Page 853: Displaying The System Messages

    Displaying the System Messages. Enter the show logging buffer command to display the messages in the switch logging buffer. If you do not specify number_of_messages, the default is to display the last 20 messages in the buffer (-20). To display the messages in the switch logging buffer, perform one of these tasks: Task Command...
  • Page 854: Specifying The System Syslog Dump Flash Device And Filename

    This example shows how to disable the system syslog dump:
    Console> (enable) set system syslog-dump disable
    Syslog-dump disabled
    Console> (enable)
    This example shows how to display the status of the system syslog dump:
    Console>...
  • Page 855: Configuring Callhome

    This example shows how to set the flash device and the filename:
    Console> (enable) set system syslog-file bootflash:sysmsgs1
    System syslog-file set.
    Console> (enable)
    This example shows how to restore the flash device and the filename to the default settings:
    Console>...
  • Page 856
    Console> (enable) set logging callhome from adminjoe@cisco.com
    From address of callhome messages is set to adminjoe@cisco.com
    Console> (enable)
    This example shows how to set the Reply to address to adminjane@cisco.com:
    Console> (enable) set logging callhome reply-to adminjane@cisco.com
    Reply-To address of callhome messages is set to adminjane@cisco.com
    Console>...
  • Page 857: Disabling Callhome

    ...CallHome messages. (Email or Epage Address) This example shows how to clear the destination address adminboss@cisco.com from the list of addresses that receive CallHome messages:
    Console> (enable) clear logging callhome destination adminboss@cisco.com
    Removed adminboss@cisco.com from the table of callhome destination addresses.
  • Page 858 To clear the “from” address, perform this task in privileged mode:
    Task: Clear the “from” address. Command: clear logging callhome from
    This example shows how to clear the “from” address:
    Console> (enable) clear logging callhome from
    Cleared the from address field of callhome messages.
  • Page 859: Configuring Dns

    Chapter 30 Configuring DNS. This chapter describes how to configure the Domain Name System (DNS) on the Catalyst 6500 series switches. Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 860: Dns Default Configuration

    DNS Default Configuration. Table 30-1 shows the default DNS configuration.
    Table 30-1 DNS Default Configuration (Feature: Default Value)
    DNS enable state: Disabled
    DNS default domain name: Null
    DNS servers: None specified
    Configuring DNS on the Switch. These sections describe how to configure DNS:
    • Setting Up and Enabling DNS, page 30-2
    • ...
  • Page 861: Clearing A Dns Server

    Console> (enable) show ip dns
    DNS is currently enabled.
    The default DNS domain name is: corp.com
    DNS name server                          status
    ---------------------------------------- -------
    dns_serv2
    dns_serv1                                primary
    dns_serv3
    Console> (enable)
    Clearing a DNS Server. To clear the DNS servers from the DNS server table, perform this task in privileged mode: Task Command...
  • Page 862: Disabling Dns

    Disabling DNS. To disable DNS, perform this task in privileged mode:
    Step 1 Disable DNS on the switch. Command: set ip dns disable
    Step 2 Verify the DNS configuration. Command: show ip dns [noalias]
    This example shows how to disable DNS on the switch:
    Console>...
  • Page 863: Configuring Cdp

    CDP is a media- and protocol-independent protocol that runs on all the Cisco-manufactured equipment including routers, bridges, access and communication servers, and switches. Using CDP, you can view information about all the Cisco devices that are directly attached to the switch. In addition, CDP detects the native VLAN and port duplex mismatches.
  • Page 864: Default Cdp Configuration

    Default CDP Configuration. Table 31-1 shows the default CDP configuration.
    Table 31-1 CDP Default Configuration (Feature: Default Value)
    CDP global enable state: Enabled
    CDP port enable state: Enabled on all ports
    CDP message interval: 60 seconds
    CDP holdtime: 180 seconds...
  • Page 865: Setting The Cdp Enable And Disable States On A Port

    Console> (enable) show cdp
    CDP              : disabled
    Message Interval : 60
    Hold Time        : 180
    Console> (enable)
    Setting the CDP Enable and Disable States on a Port. You can enable or disable CDP on a per-port basis. You must enable CDP globally before the switch will transmit CDP messages on any ports.
  • Page 866: Setting The Cdp Message Interval

    Console> (enable)
    Setting the CDP Message Interval. The CDP message interval specifies how often the switch transmits CDP messages to the directly connected Cisco devices. To set the default CDP message interval, perform this task in privileged mode: Task...
  • Page 867: Displaying Cdp Neighbor Information

    Task: Display information about the CDP neighbors. Command: show cdp neighbors [mod[/port]] [vlan | duplex | capabilities | detail]
    This example shows how to display the CDP neighbor information for the connected Cisco devices:
    Console> (enable) show cdp neighbors
    * - indicates vlan mismatch.
  • Page 868
    IP Address: 172.20.52.36
    Holdtime: 132 sec
    Capabilities: TRANSPARENT_BRIDGE SWITCH
    Version:
      WS-C2948 Software, Version McpSW: 5.1(57) NmpSW: 5.1(1)
      Copyright (c) 1995-1999 by Cisco Systems, Inc.
    Platform: WS-C2948
    Port-ID (Port on Neighbors's Device): 2/2
    VTP Management Domain: Lab_Network
    Native VLAN: 522
    Duplex: full
    Console>...
  • Page 869: Configuring Udld

    Chapter 32 Configuring UDLD. This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 6500 series switches. Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 870: Default Udld Configuration

    The switch periodically transmits the UDLD messages (packets) to the neighbor devices on the ports that have UDLD enabled. If the messages are echoed back to the sender within a specific time frame and they are lacking a specific acknowledgment (echo), the link is flagged as unidirectional and the port is shut down.
  • Page 871: Configuring Udld On The Switch

    Configuring UDLD on the Switch. These sections describe how to configure UDLD:
    • Enabling UDLD Globally, page 32-3
    • Enabling UDLD on Individual Ports, page 32-3
    • Disabling UDLD on Individual Ports, page 32-4
    • ...
  • Page 872: Disabling Udld On Individual Ports

    Disabling UDLD on Individual Ports. To disable UDLD on individual ports, perform this task in privileged mode:
    Step 1 Disable UDLD on a specific port. Command: set udld disable mod/port
    Step 2 Verify the configuration.
  • Page 873: Enabling Udld Aggressive Mode

    Software release 5.4(3) and later releases support UDLD aggressive mode. UDLD aggressive mode is disabled by default, and its use is recommended only for point-to-point links between Cisco switches running software release 5.4(3) or later. With UDLD aggressive mode enabled, when a port on a bidirectional link that has an established UDLD neighbor relationship stops receiving UDLD packets, UDLD tries to reestablish the connection with the neighbor.
  • Page 874 This example shows how to display the UDLD enable state:
    Console> (enable) show udld
    UDLD : enabled
    Message Interval : 15 seconds
    Console> (enable)
    To display the UDLD configuration for a module or port, perform this task in privileged mode: Task: Display the UDLD configuration for a module or...
  • Page 875: Chapter 33 Configuring Dhcp Snooping And Ip Source Guard

    Note: For complete syntax and usage information for the switch commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference and related publications at http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/command/reference/cmd_ref.ht
    Understanding How DHCP Snooping Works. DHCP snooping provides security against Denial-of-Service (DoS) attacks that are launched using DHCP messages by filtering the DHCP packets and by building and maintaining a DHCP-snooping binding table.
  • Page 876: Dhcp Snooping Configuration Guidelines

    The DHCP-snooping binding table contains the MAC address, IP address, lease time in seconds, and VLAN port information for the DHCP clients on the untrusted ports of a switch. The information that is contained in a DHCP-snooping binding table is removed from the binding table once its lease expires or DHCP snooping is disabled in the VLAN.
  • Page 877 Note: In software release 8.5(1) and later releases, you can enable DHCP snooping on the management VLANs sc0 and sc1. Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 33-3 OL-8978-04...
  • Page 878: Default Configuration For Dhcp Snooping

    These sections describe how to configure DHCP snooping:
    • Default Configuration for DHCP Snooping, page 33-4
    • Enabling DHCP Snooping, page 33-4
    • Enabling DHCP Snooping on a Private VLAN, page 33-5
    • ...
  • Page 879: Enabling Dhcp Snooping On A Private Vlan

    Step 3 Save the VACL. Command: commit security acl acl_name
    Step 4 Add an ACL to a VLAN. Command: set security acl map acl_name 10
    This example shows how to configure DHCP snooping on a VLAN:
    Console>...
  • Page 880: Enabling The Dhcp Snooping Mac-Address Matching Option

    To configure the host-tracking information option for DHCP snooping, perform this task in privileged mode:
    Step 1 Enable the DHCP-snooping host-tracking information option. Command: set dhcp-snooping information host-tracking enable
  • Page 881: Configuration Examples For Dhcp Snooping

    Configuration Examples for DHCP Snooping. These configuration examples show how to enable DHCP snooping. Example 1: Enabling DHCP Snooping. This example shows how to enable DHCP snooping for VLAN 10 with a DHCP server on port 1/2:
    Console>...
  • Page 882 Example 2: Enabling DHCP Snooping with an MSFC as a DHCP Relay Agent. This example shows how to configure the Multilayer Switch Feature Card (MSFC) as a relay agent with DHCP host tracking enabled.
  • Page 883 Enter the show command to display the security-acl mode:
    Console> (enable) show port security-acl 1/2
    Port  Interface Type  Interface Type  Interface Merge Status
          config          runtime         runtime
    ----- --------------  --------------  ----------------------
          port-based...
  • Page 884
    Config:
    Port  ACL name                          Type
    ----- --------------------------------  ----
          dhcp
    Runtime:
    Port  ACL name                          Type
    ----- --------------------------------  ----
          dhcp
    dhcp-snooping:
    Port  Trust        Source-Guard  Source-Guarded IP Addresses
    ----- -----------  ------------...
  • Page 885: Specifying The Dhcp-Snooping Binding Limit On A Per-Port Basis

    Specifying the DHCP-Snooping Binding Limit on a Per-Port Basis. Use the set port dhcp-snooping mod/port binding-limit count command to specify the DHCP-snooping binding limit on a per-port basis.
  • Page 886: Specifying The Dhcp-Snooping Ip Address-To-Mac Address Binding On A Per-Port Basis

    Specifying the DHCP-Snooping IP Address-to-MAC Address Binding on a Per-Port Basis. To specify the IP address-to-MAC address binding for the specified port, perform this task in privileged mode: Task Command...
  • Page 887: Displaying The Dhcp-Snooping Configuration And Statistics

    Table 33-2 show dhcp-snooping bindings Command Output (Field: Description)
    MAC Address: Client-hardware MAC address.
    IP Address: Client IP address assigned from the DHCP server.
    Lease (seconds): IP address lease time.
    VLAN: VLAN number of the client port.
  • Page 888
    Console> (enable) show port dhcp-snooping
    Port  Trust        Source-Guard  Source-Guarded IP Addresses
    ----- -----------  ------------  ---------------------------
          untrusted    disabled
          trusted      disabled
          untrusted    disabled
          untrusted    disabled
          untrusted    disabled
          untrusted    disabled
          untrusted    disabled
          untrusted    disabled...
  • Page 889: Storing Dhcp-Snooping Binding Entries To A Flash Device

    5/12 5/13 5/14 5/15 5/16 5/17 5/18 5/19 5/20 5/21 5/22 5/23 5/24 (remaining port rows of the preceding output)
    Console> (enable)
    Storing DHCP-Snooping Binding Entries to a Flash Device. The DHCP-snooping binding entries can be stored to a flash device so the bindings can be restored immediately after the switch is reset.
  • Page 890: Understanding How Ip Source Guard Works

    DHCP Snooping bindings storage file set to disk1:dhcp-bindings.
    Console> (enable)
    This example shows how to display the DHCP-snooping bindings-database configuration:
    Console> (enable) show dhcp-snooping config
    DHCP Snooping MAC address matching is enabled.
  • Page 891: Enabling Ip Source Guard On A Port

    Enabling IP Source Guard on a Port.
    • IP source guard cannot coexist with PACLs.
    • IP source guard is not supported on EtherChannel-enabled ports, and EtherChannel is not supported on IP source guard-enabled ports.
    • ...
  • Page 892: Displaying The Ip Source Guard Information

    ACL dhcp successfully mapped to port(s) 5/1.
    Console>
    Figure 33-3 shows the typical topology that is used when you configure IP source guard on an untrusted port.
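The DHCP snooping pages above describe a binding table keyed by MAC, IP, lease, VLAN and port, server replies accepted only from trusted ports, a per-port binding limit, removal of bindings on lease expiry or when snooping is disabled in the VLAN, the MAC address matching option, and IP source guard forwarding only traffic that matches a binding on the port. The Python below is an added example, not Cisco code and not the switch's implementation: a toy model of those rules, driven by a constructed scenario (VLAN 10 snooped, trusted server port 1/2 as in the page's Example 1, client port 5/1 with binding-limit 1 and IP source guard, a fake clock in seconds) so the decisions can be checked one by one. Port, MAC and address values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Binding:
    mac: str
    ip: str
    lease_seconds: int
    vlan: int
    port: str
    learned_at: int   # constructed clock in seconds, not wall-clock time

    def expired(self, now: int) -> bool:
        return now >= self.learned_at + self.lease_seconds


class DhcpSnoopingSwitch:
    """Toy model of the DHCP-snooping binding table and IP source guard checks."""

    def __init__(self) -> None:
        self.snooping_vlans: Set[int] = set()
        self.trusted_ports: Set[str] = set()
        self.source_guard_ports: Set[str] = set()
        self.binding_limits: Dict[str, int] = {}
        self.mac_matching = True          # "DHCP Snooping MAC address matching" option
        self.bindings: List[Binding] = []

    # --- configuration, mirroring the CLI tasks on the page ---
    def enable_snooping(self, vlan: int) -> None:
        self.snooping_vlans.add(vlan)

    def disable_snooping(self, vlan: int) -> None:
        # Bindings are removed when snooping is disabled in the VLAN.
        self.snooping_vlans.discard(vlan)
        self.bindings = [b for b in self.bindings if b.vlan != vlan]

    def trust_port(self, port: str) -> None:
        self.trusted_ports.add(port)

    def set_binding_limit(self, port: str, count: int) -> None:
        self.binding_limits[port] = count

    def enable_source_guard(self, port: str) -> None:
        self.source_guard_ports.add(port)

    # --- packet handling ---
    def accept_server_reply(self, port: str) -> bool:
        """DHCP server messages are accepted only from trusted ports; replies
        arriving on an untrusted port are filtered."""
        return port in self.trusted_ports

    def learn_binding(self, port: str, vlan: int, mac: str, ip: str,
                      lease_seconds: int, now: int) -> bool:
        """Record a client's binding after a completed exchange on an untrusted port."""
        if vlan not in self.snooping_vlans or port in self.trusted_ports:
            return False
        self.expire(now)
        on_port = [b for b in self.bindings if b.port == port]
        if port in self.binding_limits and len(on_port) >= self.binding_limits[port]:
            return False                   # per-port binding limit reached
        self.bindings.append(Binding(mac, ip, lease_seconds, vlan, port, now))
        return True

    def expire(self, now: int) -> int:
        """Drop bindings whose lease has run out; returns how many were removed."""
        before = len(self.bindings)
        self.bindings = [b for b in self.bindings if not b.expired(now)]
        return before - len(self.bindings)

    def source_guard_permits(self, port: str, src_ip: str, src_mac: str, now: int) -> bool:
        """IP source guard: on a guarded port only traffic matching a binding on that
        port (IP, plus MAC when MAC matching is enabled) is forwarded."""
        if port not in self.source_guard_ports:
            return True
        self.expire(now)
        for b in self.bindings:
            if b.port != port or b.ip != src_ip:
                continue
            if self.mac_matching and b.mac != src_mac:
                continue
            return True
        return False


def demo() -> Dict[str, bool]:
    """Constructed scenario; every value below is illustrative."""
    sw = DhcpSnoopingSwitch()
    sw.enable_snooping(10)
    sw.trust_port("1/2")
    sw.set_binding_limit("5/1", 1)
    sw.enable_source_guard("5/1")
    return {
        "rogue_server_on_untrusted": sw.accept_server_reply("5/3"),
        "real_server_on_trusted": sw.accept_server_reply("1/2"),
        "learned": sw.learn_binding("5/1", 10, "00-11-22-33-44-55", "10.1.10.20", 600, now=0),
        "second_binding_over_limit": sw.learn_binding("5/1", 10, "00-11-22-33-44-66", "10.1.10.21", 600, now=1),
        "legit_traffic": sw.source_guard_permits("5/1", "10.1.10.20", "00-11-22-33-44-55", now=10),
        "spoofed_ip": sw.source_guard_permits("5/1", "10.1.10.99", "00-11-22-33-44-55", now=10),
        "spoofed_mac": sw.source_guard_permits("5/1", "10.1.10.20", "00-de-ad-be-ef-00", now=10),
        "after_lease_expiry": sw.source_guard_permits("5/1", "10.1.10.20", "00-11-22-33-44-55", now=700),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} {decision}")
```

The last case is the operational caveat worth remembering from the page: a binding disappears with its lease, so a host that stops renewing loses its source-guard entry and its traffic is dropped until it obtains a new lease, which is also why the guide offers storing the bindings to flash across a reset.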
  • Page 893: Chapter 34 Configuring Ntp

    Chapter 34 Configuring NTP. This chapter describes how to configure the Network Time Protocol (NTP) on the Catalyst 6500 series switches. Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 894: Ntp Default Configuration

    Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that you obtain the time service for your network from the public NTP servers that are available on the IP Internet.
  • Page 895: Enabling Ntp In Broadcast-Client Mode

    • Clearing the Time Zone, page 34-7
    • Clearing NTP Servers, page 34-8
    • Disabling NTP, page 34-8
    Enabling NTP in Broadcast-Client Mode. Configure the switch in NTP broadcast-client mode if an NTP broadcast server, such as a router, regularly broadcasts time-of-day information on the network.
  • Page 896: Configuring Ntp In Client Mode

    Configuring NTP in Client Mode. Configure the switch in NTP client mode if you want the client switch to regularly send time-of-day requests to an NTP server. You can configure up to ten server addresses per client. To configure the switch in NTP client mode, perform this task in privileged mode: Task Command...
  • Page 897: Setting The Time Zone

    To configure authentication, perform this task in privileged mode:
    Step 1 Configure an authentication key pair for NTP and specify whether the key is trusted or untrusted. Command: set ntp key public_key [trusted | untrusted] md5 secret_key
    Step 2 Specify the IP address of the NTP server and the...
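The set ntp key command above configures a numeric key identifier, a shared MD5 secret, and whether the key is trusted; only a trusted key may authenticate a server's replies. The Python below is an added example and not the switch's implementation: it builds a minimal NTP header, attaches the standard NTP authenticator (key identifier plus MD5 over key and message, the keyed-digest construction of RFC 5905, which is an assumption about what "md5" denotes here since the page shows only the CLI), and verifies it on the receiving side, rejecting a tampered packet, a packet signed with an untrusted key, and an unknown key id. Key ids and secrets are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
MD5_MAC_LEN = 16


class NtpKeyStore:
    """Key table modelled on: set ntp key public_key [trusted | untrusted] md5 secret_key
    (public_key is the numeric identifier sent in the packet, secret_key the shared secret)."""

    def __init__(self) -> None:
        self._keys: Dict[int, Tuple[bytes, bool]] = {}

    def set_key(self, key_id: int, secret: str, trusted: bool) -> None:
        self._keys[key_id] = (secret.encode(), trusted)

    def secret(self, key_id: int) -> bytes:
        return self._keys[key_id][0]

    def is_trusted(self, key_id: int) -> bool:
        return key_id in self._keys and self._keys[key_id][1]


def ntp_header(mode: int = 4, stratum: int = 2, transmit_ts: int = 0) -> bytes:
    """Minimal 48-byte NTPv4 header (LI=0, VN=4) with only the transmit timestamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    # leap/version/mode, stratum, poll, precision, root delay, root dispersion, reference id
    fixed = struct.pack("!BBbbIII", li_vn_mode, stratum, 6, -20, 0, 0, 0)
    # reference, originate, receive and transmit timestamps (64 bits each)
    return fixed + struct.pack("!QQQQ", 0, 0, 0, transmit_ts)


def md5_mac(secret: bytes, header: bytes) -> bytes:
    """Keyed digest as in RFC 5905 for MD5: MD5(key || message)."""
    return hashlib.md5(secret + header).digest()


def sign(header: bytes, key_id: int, keys: NtpKeyStore) -> bytes:
    """Append key identifier and MAC, as a sender configured with that key would."""
    return header + struct.pack("!I", key_id) + md5_mac(keys.secret(key_id), header)


def verify(packet: bytes, keys: NtpKeyStore) -> bool:
    """Receiver check: authenticator present, key id known AND trusted, MAC correct."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + MD5_MAC_LEN:
        return False
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    mac = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    if not keys.is_trusted(key_id):
        return False
    expected = md5_mac(keys.secret(key_id), header)
    return hmac.compare_digest(expected, mac)   # constant-time comparison


def demo() -> Dict[str, bool]:
    keys = NtpKeyStore()
    keys.set_key(1, "example-secret-1", trusted=True)      # constructed secrets
    keys.set_key(2, "example-secret-2", trusted=False)
    header = ntp_header(transmit_ts=0x1234567800000000)
    good = sign(header, 1, keys)
    tampered = bytearray(good)
    tampered[47] ^= 0x01                                    # flip a bit in the transmit timestamp
    with_untrusted_key = sign(header, 2, keys)
    unknown_key = header + struct.pack("!I", 9) + md5_mac(b"guess", header)
    return {
        "trusted_key": verify(good, keys),
        "tampered": verify(bytes(tampered), keys),
        "untrusted_key": verify(with_untrusted_key, keys),
        "unknown_key": verify(unknown_key, keys),
        "no_authenticator": verify(header, keys),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} {'accepted' if ok else 'rejected'}")
```

The trusted/untrusted distinction is the point of Step 1: a key can be present for signing outgoing requests yet still not be accepted as proof that a reply is genuine, and MD5 is the only algorithm the page's command offers, so the secret's strength and distribution carry the whole scheme.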
  • Page 898: Enabling The Daylight Saving Time Adjustment

    This example shows how to set the time zone on the switch:
    Console> (enable) set timezone Pacific -8
    Timezone set to 'Pacific', offset from UTC is -8 hours
    Console> (enable)
    Enabling the Daylight Saving Time Adjustment. Following the U.S.
  • Page 899: Disabling The Daylight Saving Time Adjustment

    To enable the daylight saving time adjustment for a nonrecurring specific date, perform this task in privileged mode:
    Step 1 Enable the daylight saving time adjustment. Command: set summertime date month date year hh:mm month date year hh:mm offset
    Step 2 Verify the configuration.
  • Page 900: Clearing Ntp Servers

    Clearing NTP Servers. To clear an NTP server address from the NTP servers table on the switch, perform this task in privileged mode:
    Step 1 Specify the NTP server to clear. Command: clear ntp server [ip_addr | all]
    Step 2 Verify the NTP configuration.
  • Page 901: Chapter 35 Configuring Broadcast Suppression

    Chapter 35 Configuring Broadcast Suppression. This chapter describes how to configure broadcast suppression on the Catalyst 6500 series switches. Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 902 Figure 35-1 Broadcast Suppression (a plot of the total number of broadcast packets or bytes against time, with the threshold level marked). The broadcast suppression threshold numbers and the time interval make the broadcast suppression algorithm work with different levels of granularity. A higher threshold allows more broadcast packets to pass through.
  • Page 903: Configuring Broadcast Suppression On The Switch

    Configuring Broadcast Suppression on the Switch. These sections describe how to configure broadcast suppression on the Catalyst 6500 series switches:
    • Enabling Broadcast Suppression, page 35-3
    • Disabling Broadcast Suppression, page 35-5
    • ...
  • Page 904
    75.25 % 0 drop-packets 0 drop-packets
    .<snip>
    Console> (enable)
  • Page 905: Disabling Broadcast Suppression

    This example shows how to limit the multicast and broadcast traffic to 80 percent for port 1 on module 2 and verify the configuration:
    Console> (enable) set port broadcast 2/1 80% multicast enable
    Port 2/1 broadcast and multicast traffic limited to 80.00%.
  • Page 906 To enable the errdisable state on a port, perform this task in privileged mode:
    Step 1 Enable the errdisable state. Command: set port broadcast mod/port threshold% [violation {drop-packets | errdisable}] [multicast {enable | disable}] [unicast {enable | disable}]
    Step 2...
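Figure 35-1 and the command above describe the mechanism: per time interval, the suppressed traffic (broadcast, optionally multicast and unicast) is measured against a threshold expressed as a percentage of port bandwidth, and on a violation the port either drops the excess packets or goes into the errdisable state. The Python below is an added example and not the switch's algorithm: a toy per-port model that buckets a constructed frame stream into one-second intervals, computes the percentage, and applies whichever violation action is configured, so the difference between the two actions (excess dropped but the port stays up, versus the whole port shut down) is visible. Port names, speeds and traffic rates are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class BroadcastSuppressionPort:
    """Per-port broadcast suppression: per interval, the share of port bandwidth used
    by the suppressed frame kinds is compared with threshold_percent; the excess is
    dropped or, with violation="errdisable", the port is shut down."""
    name: str
    bandwidth_bps: int                 # port speed, e.g. 100_000_000 for Fast Ethernet
    threshold_percent: float
    violation: str = "drop-packets"    # or "errdisable", as in the page's command
    include_multicast: bool = False
    include_unicast: bool = False
    interval_seconds: float = 1.0
    errdisabled: bool = False
    dropped_packets: int = 0

    def _suppressed(self, kind: str) -> bool:
        return (kind == "broadcast"
                or (kind == "multicast" and self.include_multicast)
                or (kind == "unicast" and self.include_unicast))

    def run(self, frames: Iterable[Tuple[float, str, int]]) -> List[float]:
        """frames: (time_seconds, kind, length_bytes). Returns the per-interval
        percentage of bandwidth used by suppressed kinds; dropped_packets and
        errdisabled afterwards record what the port did about it."""
        per_interval: Dict[int, List[int]] = {}
        for t, kind, length in frames:
            if self._suppressed(kind):
                slot = int(t // self.interval_seconds)
                per_interval.setdefault(slot, []).append(length)
        capacity_bytes = self.bandwidth_bps / 8 * self.interval_seconds
        limit_bytes = capacity_bytes * self.threshold_percent / 100
        percentages = []
        for slot in sorted(per_interval):
            lengths = per_interval[slot]
            percentages.append(100 * sum(lengths) / capacity_bytes)
            if sum(lengths) <= limit_bytes or self.errdisabled:
                continue
            if self.violation == "errdisable":
                self.errdisabled = True        # port stays down until re-enabled
                continue
            # drop-packets: once the interval's budget is used up, the rest is dropped
            running = 0
            for length in lengths:
                running += length
                if running > limit_bytes:
                    self.dropped_packets += 1
        return percentages


def storm(seconds: int, frames_per_second: int, length: int = 1000) -> List[Tuple[float, str, int]]:
    """Constructed traffic: evenly spaced broadcast frames of a fixed length."""
    return [(s + i / frames_per_second, "broadcast", length)
            for s in range(seconds) for i in range(frames_per_second)]


def demo() -> Dict[str, object]:
    quiet = BroadcastSuppressionPort("2/1", 100_000_000, threshold_percent=80.0)
    quiet_pct = quiet.run(storm(2, 100))        # 100 kB/s on 12.5 MB/s: 0.8 %, no action
    dropper = BroadcastSuppressionPort("2/2", 10_000_000, threshold_percent=10.0)
    dropper_pct = dropper.run(storm(2, 500))    # 500 kB/s on 1.25 MB/s: 40 %, excess dropped
    shutter = BroadcastSuppressionPort("2/3", 10_000_000, threshold_percent=10.0,
                                       violation="errdisable")
    shutter.run(storm(2, 500))                  # same storm, port errdisabled instead
    return {
        "quiet_percent": quiet_pct, "quiet_dropped": quiet.dropped_packets,
        "quiet_errdisabled": quiet.errdisabled,
        "dropper_percent": dropper_pct, "dropper_dropped": dropper.dropped_packets,
        "shutter_errdisabled": shutter.errdisabled, "shutter_dropped": shutter.dropped_packets,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value}")
```

The model makes the trade-off in the page's note concrete: errdisable protects the rest of the switch at the cost of taking the offending port (and whatever legitimate host is behind it) offline, so it pairs with monitoring of the port state, while drop-packets keeps the port up and silently discards the surplus.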
  • Page 907: Chapter 36 Configuring Layer 3 Protocol Filtering

    Layer 3 protocol filtering is not performed on the trunk ports. Layer 2 protocols, such as Spanning Tree Protocol (STP) and Cisco Discovery Protocol (CDP), are not affected by Layer 3 protocol filtering. The dynamic ports and ports that have port security enabled are members of all protocol groups.
  • Page 908: Default Layer 3 Protocol Filtering Configuration

    For example, if a host that supports both IP and Internetwork Packet Exchange (IPX) is connected to a switch port that is configured as auto for IPX, but the host is transmitting only IP traffic, the port to which the host is connected does not forward any IPX flood traffic to the host.
  • Page 909: Enabling Layer 3 Protocol Filtering

    Enabling Layer 3 Protocol Filtering. Note: Protocol filtering is supported only on the Ethernet VLANs and on the nontrunking EtherChannel ports. The set protocolfilter command is not supported on the Network Analysis Module (NAM), the Supervisor Engine 720, or the Supervisor Engine 32.
  • Page 911: Chapter 37 Configuring The Ip Permit List

    Chapter 37 Configuring the IP Permit List. This chapter describes how to configure the IP permit list on the Catalyst 6500 series switches. Note: The functionality of the IP permit list can also be achieved with VLAN access control lists (VACLs). Because the VACLs are handled by the hardware (Policy Feature Card [PFC]), VACL processing is faster than IP permit list processing.
  • Page 912: Ip Permit List Default Configuration

    If you do not specify the mask for an IP permit list entry, or if you enter a host name instead of an IP address, the mask has an implicit value of all bits set to one (255.255.255.255 or 0xffffffff), which matches only the IP address of that host.
  • Page 913: Enabling The Ip Permit List

    This example shows how to add IP addresses to the IP permit list and verify the configuration:
    Console> (enable) set ip permit 172.16.0.0 255.255.0.0 telnet
    172.16.0.0 with mask 255.255.0.0 added to telnet permit list.
  • Page 914: Disabling The Ip Permit List

    Configuring the IP Permit List on the Switch: This example shows how to enable the IP permit list and verify the configuration: Console> (enable) set ip permit enable IP permit list enabled. Console> (enable) set snmp trap enable ippermit SNMP IP Permit traps enabled.
  • Page 915: Clearing An Ip Permit List Entry

    Clearing an IP Permit List Entry: You can clear an IP address from the SNMP permit list, the Telnet permit list, or both lists. If you do not specify which permit list to clear the IP address from, the IP address is deleted from both permit lists.
  • Page 917: Chapter 38 Configuring Port Security

    Chapter 38 Configuring Port Security. This chapter describes how to configure port security and how to limit the number of MAC addresses that are learned on the Catalyst 6500 series switches. Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 918: Understanding How Port Security Works

    Understanding How Port Security Works: You can use port security to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the MAC address of the station attempting to access the port is different from any of the MAC addresses that are specified for that port.
  • Page 919: Restricting The Traffic Based On The Host Mac Address

    Understanding How MAC-Address Monitoring Works. Note: If you configure a secure port in restrictive mode, and a station whose MAC address is already configured as a secure MAC address on another port on the switch is connected to that port, the port in restrictive mode shuts down instead of restricting the traffic from that station.
  • Page 920: Port Security Configuration Guidelines

    Port Security Configuration Guidelines: For information on configuring MAC-address monitoring, see the “Configuring MAC-Address Monitoring” section on page 38-14. This section describes the guidelines for configuring port security: • Do not enable port security on a SPAN destination port and vice versa. ...
  • Page 921: Setting The Maximum Number Of Secure Mac Addresses

    Configuring Port Security on the Switch: This example shows how to enable port security using the learned MAC address on a port and verify the configuration: Console> (enable) set port security 2/1 enable Port 2/1 security enabled. Console>...
  • Page 922: Automatically Configuring Dynamically Learned Mac Addresses

    Configuring Port Security on the Switch: In software releases 8.1 and 8.2, you can configure a single MAC address on access ports that are located in different VLANs, but you cannot configure port security on them. In software release 8.3(1) and later releases, which support port security on trunk ports, a single MAC address can be configured and secured on multiple ports that are in different VLANs.
  • Page 923: Setting The Port Security Age Time

    Configuring Port Security on the Switch: This example shows how to enable the automatic configuration of dynamically learned MAC addresses globally on the switch: Console> (enable) set port security auto-configure enable Automatic configuration of secure learnt addresses enabled. Console>...
  • Page 924: Setting The Port Security Aging Type

    Setting the Port Security Aging Type. Note: The set port security mod/port timer-type {absolute | inactivity} command is supported on the Supervisor Engine 720 and Supervisor Engine 32 only. In software release 8.2(1) and later releases, you can set the type of aging to be applied to the addresses that were learned dynamically on a per-port basis.
  • Page 925: Configuring Unicast Flood Blocking On The Secure Ports

    Configuring Port Security on the Switch: To clear all or a particular MAC address from the list of secure MAC addresses, perform this task in privileged mode. Task: Clear all or a particular MAC address from the list of secure MAC addresses. Command: clear port security mod/port all | mac_addr [all | ...
  • Page 926: Specifying The Security Violation Action

    Configuring Port Security on the Switch: This example shows how to configure the switch to disable unicast flood packets on a port and how to verify the configuration: Console> (enable) set port security 4/1 unicast-flood disable Port 4/1 security flood mode set to disable.
  • Page 927: Setting The Shutdown Timeout

    Setting the Shutdown Timeout: You can set the time that a port remains disabled in case of a security violation. By default, the port is shut down permanently. The valid range is from 1 to 1440 minutes. If the time is set to zero, the shutdown is disabled for this port.
  • Page 928: Restricting The Traffic Based On A Host Mac Address

    Restricting the Traffic Based on a Host MAC Address: To restrict the traffic for a specific MAC address, perform this task in privileged mode. Step 1 Task: Restrict the traffic destined to or originating from a specific MAC address. Command: set cam {static | permanent} filter unicast_mac
  • Page 929 This example shows how to display the port security configuration information and statistics: Console> (enable) show port security 4/1 * = Configured MAC Address Port Security Violation Shutdown-Time Age-Time Maximum-Addrs Trap IfIndex ----- -------- --------- ------------- -------- ------------- -------- ------- enabled...
  • Page 930: Configuring Mac-Address Monitoring

    Configuring MAC-Address Monitoring: This example shows how to display the port security statistics on the system: Console> (enable) show port security statistics system Auto-Configure Option: Enabled Module 2: Total ports: 24 Total secure ports: 0 Total MAC addresses: 24 Total global address space used (out of 4096): 0 Status: installed...
  • Page 931: Monitoring The Mac Addresses In The Cam Table

    Configuring MAC-Address Monitoring: To enable or disable MAC-address monitoring globally, perform this task in privileged mode. Task: Enable or disable MAC-address monitoring globally. Command: set cam monitor {disable | enable}. Note: Monitoring is enabled globally by default. This example shows how to disable and enable the global MAC-address monitoring configuration: Console>...
  • Page 932: Specifying The Polling Interval For Monitoring

    Specifying the Polling Interval for Monitoring: MAC-address monitoring is performed in software. If there are a large number of MAC addresses in the CAM table and a large number of configured interfaces (ports, VLANs, or port-VLANs), CPU usage might go up.
  • Page 933: Specifying The Upper Threshold For Mac-Address Monitoring

    Specifying the Upper Threshold for MAC-Address Monitoring: To specify the upper threshold for MAC-address monitoring, perform this task in privileged mode. Task: Specify the upper threshold for MAC-address monitoring and the action to be taken when the system exceeds this threshold. Command: set cam monitor high-threshold value [action {no-learn | shutdown | warning}] {mod/port | ...
  • Page 934: Displaying The Configuration For The Cam Monitor

    Configuring MAC-Address Monitoring: This example shows how to clear all CAM table monitoring and MAC-address monitoring configurations from all ports: Console> (enable) clear cam monitor all Cleared all cam monitor configuration Console> (enable) Displaying the Configuration for the CAM Monitor: To display the configuration for the CAM monitor, perform this task in privileged mode: Task Command...
  • Page 935: Configuring The Switch Access Using Aaa

    Chapter 39 Configuring the Switch Access Using AAA. This chapter describes how to configure authentication, authorization, and accounting (AAA) to monitor and control access to the command-line interface (CLI) on the Catalyst 6500 series switches. Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 936: Understanding How Authentication Works

    Understanding How Authentication Works: These sections describe how the different authentication methods work: • Authentication Overview, page 39-2 • Understanding How Login Authentication Works, page 39-2 • Understanding How Local Authentication Works, page 39-3 ...
  • Page 937: Understanding How Local Authentication Works

    Understanding How Authentication Works: If you are locked out at the console, the console does not allow you to log in during the lockout time. If you are locked out from a Telnet session, the connection closes when the time limit is reached. The switch closes any subsequent access from that station during the lockout time and provides an appropriate notice.
  • Page 938: Understanding How Tacacs+ Authentication Works

    Understanding How TACACS+ Authentication Works: TACACS+ controls access to network devices by exchanging Network Access Server (NAS) information between a network device and a centralized database to determine the identity of a user or an entity.
  • Page 939: Understanding How Radius Authentication Works

    Understanding How RADIUS Authentication Works: RADIUS is a client-server authentication and authorization access protocol that is used by the NAS to authenticate users attempting to connect to a network device. The NAS functions as a client, passing user information to one or more RADIUS servers.
  • Page 940 Table 39-1 defines the Kerberos terms. Table 39-1 Kerberos Terminology (Term: Definition). Kerberized: Applications and services that have been modified to support the Kerberos credential infrastructure. Kerberos credential: Authentication tickets, such as ticket granting tickets (TGTs), and service credentials.
  • Page 941 Using a Kerberized Login Procedure: You can use a Kerberized Telnet session if you are logging in through the in-band management port. When the Telnet client and services have been Kerberized, you follow this process when attempting to access the switch through Telnet: The Telnet client asks you for the username and issues a request for a TGT to the KDC on the Kerberos server.
  • Page 942 Figure 39-1 Kerberized Telnet Connection
  • Page 943: Configuring Authentication On The Switch

    Using a Non-Kerberized Login Procedure: If you use a non-Kerberized login procedure to log in to the switch, the switch performs the authentication to the KDC on behalf of the login client. However, the user password is then transferred in clear text from the login client to the switch.
  • Page 944: Authentication Default Configuration

    Configuring Authentication on the Switch: • Configuring TACACS+ Authentication, page 39-19 • Configuring RADIUS Authentication, page 39-25 • Configuring Kerberos Authentication, page 39-33 • Authentication Example, page 39-43. Authentication Default Configuration: Table 39-2 shows the default authentication configuration.
  • Page 945: Authentication Configuration Guidelines

    Authentication Configuration Guidelines: This section describes the guidelines for configuring authentication on the switch: • Authentication configuration applies to both console and Telnet connection attempts unless you use the console and telnet keywords to specify the authentication methods to use for each connection type individually.
  • Page 946 This example shows how to limit login attempts to 5, set the lockout time for both console and Telnet connections to 50 seconds, and verify the configuration: Console>...
  • Page 947: Configuring Local Authentication

    Console> (enable) show authentication Login Authentication: Console Session Telnet Session Http Session --------------------- ---------------- ---------------- ---------------- tacacs disabled disabled disabled radius disabled disabled disabled kerberos disabled disabled disabled local enabled(primary)
  • Page 948 This example shows how to enable local login, enable authentication for both console and Telnet connections, and verify the configuration: Console> (enable) set authentication login local enable local login authentication set to enable for console and telnet session.
  • Page 949 Setting the Enable Password: The login password controls access to the user mode CLI. Passwords are case sensitive, contain up to 19 characters, and can use any printable character including a space. Passwords that were set in releases prior to software release 5.4 remain non-case sensitive.
  • Page 950: Recovering A Lost Password

    Note: You must have either RADIUS or TACACS+ authentication enabled before you disable local authentication. This example shows how to disable local login authentication, enable authentication for both console and Telnet connections, and verify the configuration: Console>...
  • Page 951: Configuring Local User Authentication

    Configuring Local User Authentication: These sections describe how to configure local user authentication on the switch: • Creating a Local User Account, page 39-17 • Enabling Local User Authentication, page 39-17 ...
  • Page 952: Show Authentication

    kerberos disabled disabled disabled local enabled(primary) enabled(primary) enabled(primary) attempt limit lockout timeout (sec) disabled disabled Enable Authentication: Console Session Telnet Session Http Session ---------------------- ----------------- ---------------- ---------------- tacacs disabled disabled...
  • Page 953: Configuring Tacacs+ Authentication

    Deleting a Local User Account: To delete a local user account on the switch, perform this task in privileged mode. Step 1 Task: Delete a local user account. Command: clear localuser picard. Step 2 Task: Verify that the local user account has been deleted.
  • Page 954 To specify one or more TACACS+ servers, perform this task in privileged mode. Step 1 Task: Specify the IP address of one or more TACACS+ servers. Command: set tacacs server ip_addr [primary]
  • Page 955 To enable TACACS+ authentication, perform this task in privileged mode. Step 1 Task: Enable TACACS+ authentication for normal login mode. Command: set authentication login tacacs enable [all | ...
  • Page 956 This example shows how to specify a TACACS+ key and verify the configuration: Console> (enable) set tacacs key Secret_TACACS_key The tacacs key has been set to Secret_TACACS_key. Console>...
  • Page 957 This example shows how to specify the number of login attempts and verify the configuration: Console> (enable) set tacacs attempts 5 Tacacs number of attempts set to 5. Console>...
  • Page 958 This example shows how to disable TACACS+ directed request: Console> (enable) set tacacs directedrequest disable Tacacs direct request has been disabled. Console> (enable) Clearing TACACS+ Servers: To clear one or more TACACS+ servers, perform this task in privileged mode: Task Command Step 1...
  • Page 959: Configuring Radius Authentication

    Disabling TACACS+ Authentication: When local authentication is disabled and only TACACS+ authentication is enabled, disabling TACACS+ authentication automatically reenables local authentication. To disable TACACS+ authentication, perform this task in privileged mode: Task Command Step 1...
  • Page 960: Specifying Radius Servers

    Configuring Authentication on the Switch: • Clearing RADIUS Servers, page 39-32 • Clearing the RADIUS Key, page 39-32 • Disabling RADIUS Authentication, page 39-33. Specifying RADIUS Servers: To specify one or more RADIUS servers, perform this task in privileged mode: Task Command Step 1...
  • Page 961 To specify a RADIUS key, perform this task in privileged mode. Step 1 Task: Specify the RADIUS key that is used to encrypt packets that are sent to the RADIUS server. Command: set radius key key
  • Page 962 To set up the RADIUS username and enable RADIUS authentication, perform this task in privileged mode. Step 1 Task: Enable RADIUS authentication for normal login mode. Command: set authentication login radius enable [all | console | http | ...
  • Page 963 Specifying the RADIUS Timeout Interval: You can specify the timeout interval between retransmissions to the RADIUS server. The default timeout is 5 seconds. To specify the RADIUS timeout interval, perform this task in privileged mode: Task Command Step 1...
  • Page 964 This example shows how to specify the RADIUS retransmit count and verify the configuration: Console> (enable) set radius retransmit 4 Radius retransmit count set to 4. Console> (enable) show radius Login Authentication: Console Session Telnet Session...
  • Page 965 Enable Authentication: Console Session Telnet Session ---------------------- ----------------- ---------------- tacacs disabled disabled radius enabled(primary) enabled(primary) local enabled enabled Radius Deadtime: 5 minutes Radius Key: Secret_RADIUS_key Radius Retransmit: Radius Timeout: 10 seconds Radius-Server...
  • Page 966 Clearing RADIUS Servers: To clear one or more RADIUS servers, perform this task in privileged mode. Step 1 Task: Specify the IP address of the RADIUS server to clear from the configuration. Command: clear radius server [ip_addr | all]
  • Page 967: Configuring Kerberos Authentication

    Radius Deadtime: 0 minutes Radius Key: Radius Retransmit: Radius Timeout: 5 seconds Radius-Server Status Auth-port ----------------------------- ------- ------------ 172.20.52.3 primary 1812 Console> (enable) Disabling RADIUS Authentication: When local authentication is disabled and only RADIUS authentication is enabled, disabling RADIUS authentication automatically reenables local authentication.
  • Page 968 Step 1 KDC will use. In the following example, a database called CISCO.EDU is created: /usr/local/sbin/kdb5_util create -r CISCO.EDU -s Step 2 Add the switch to the database. The following example adds a switch called Cat6509 to the CISCO.EDU database: ank host/Cat6509.cisco.edu@CISCO.EDU...
  • Page 969: Verify The Configuration

    Enabling Kerberos: To enable Kerberos authentication, perform this task in privileged mode. Step 1 Task: Specify Kerberos as the authentication method. Command: set authentication login kerberos enable [all | console | http | telnet] [primary]. Step 2 Task: Verify the configuration.
  • Page 970 This example shows how to define a local realm and verify the configuration: kerberos> (enable) set kerberos local-realm CISCO.COM Kerberos local realm for this switch set to CISCO.COM. kerberos> (enable) show kerberos Kerberos Local Realm:CISCO.COM Kerberos server entries: Realm:CISCO.COM,...
  • Page 971 This example shows how to specify which Kerberos server will serve as the KDC for the specified Kerberos realm and clear the entry: kerberos> (enable) set kerberos server CISCO.COM 187.0.2.1 750 Kerberos Realm-Server-Port entry set to:CISCO.COM - 187.0.2.1 - 750 kerberos> (enable) Console> (enable) clear kerberos server CISCO.COM 187.0.2.1 750 Kerberos Realm-Server-Port entry CISCO.COM-187.0.2.1-750...
  • Page 972 This example shows how to retrieve an SRVTAB file from the KDC, enter an SRVTAB directly into the switch, and verify the configuration: kerberos> (enable) set kerberos srvtab remote 187.20.32.10 /users/jdoe/krb5/ninerskeytab kerberos> (enable) kerberos> (enable) set kerberos srvtab entry host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0 Kerberos SRVTAB entry set to Principal:host/niners.cisco.com@CISCO.COM...
  • Page 973 Kerberos Pre Authentication Method set to None Kerberos config key: Kerberos SRVTAB Entries Srvtab Entry 1:host/aspen-niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?91:107:423=:;9 kerberos> (enable) This example shows how to configure the switch so that Kerberos clients are mandatory for users to authenticate to other network services: Console>...
  • Page 974 Chapter 39 Configuring the Switch Access Using AAA Configuring Authentication on the Switch Disabling Credentials Forwarding To disable the credentials forwarding, perform this task in privileged mode: Task Command Disable the credentials forwarding configuration. clear kerberos credentials forward This example shows how to disable the credentials forwarding and verify the change: Console>...
  • Page 975 Kerberos Credentials Forwarding Disabled Kerberos Pre Authentication Method set to Encrypted Unix Time Stamp Kerberos config key:abcd Kerberos SRVTAB Entries Srvtab Entry 1:host/aspen-niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 12151><88?=>>3>11 kerberos> (enable) To clear the DES key, perform this task in privileged mode: Task Command Clear a DES key from the switch.
  • Page 976 Kerberos Pre Authentication Method set to None Kerberos config key: Kerberos SRVTAB Entries Srvtab Entry 1:host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0 Srvtab Entry 2:host/niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?58:127:223=:;9 kerberos> (enable) To display the Kerberos credentials, perform this task in privileged mode:...
  • Page 977: Authentication Example

    To clear all the Kerberos credentials, perform this task in privileged mode. Task: Clear all the credentials. Command: clear kerberos creds. This example shows how to clear all the Kerberos credentials from the switch: Console>...
  • Page 978: Understanding How Authorization Works

    Understanding How Authorization Works: Console> (enable) set tacacs server 172.20.52.10 172.20.52.10 added to TACACS server table as primary server. Console> (enable) set tacacs key tintin_et_milou The tacacs key has been set to tintin_et_milou. Console>...
  • Page 979: Authorization Events

    Authorization Events: You can enable authorization for the following: • Commands—When you enable authorization for commands, the user must supply a valid username and password pair to execute certain commands. You can require authorization for all commands or for configuration (enable mode) commands only.
  • Page 980: Radius Authorization

    Configuring Authorization on the Switch: • squeeze • switch • undelete. The following TACACS+ authorization process occurs for every command that you enter: • If you have disabled the command authorization feature, the TACACS+ server will allow you to ...
  • Page 981: Tacacs+ Authorization Configuration Guidelines

    TACACS+ Authorization Configuration Guidelines: This section describes the guidelines for configuring TACACS+ authorization on the switch: • TACACS+ authorization is disabled by default. • Authorization configuration applies to console connections, Telnet connections, or both types of ...
  • Page 982 This example shows how to enable TACACS+ EXEC mode authorization for both console and Telnet connections. Authorization is configured with the tacacs+ option. The fallback option is deny. Console>...
  • Page 983 Disabling TACACS+ Authorization: To disable TACACS+ authorization on the switch, perform this task in privileged mode. Step 1 Task: Disable authorization for normal mode. Enter the console or telnet keyword if you want to disable ... Command: set authorization exec disable [console | telnet | both]
  • Page 984: Configuring Radius Authorization

    Configuring Authorization on the Switch: This example shows how to verify the configuration: Console> (enable) show authorization Telnet: ------- Primary Fallback ------- -------- exec: tacacs+ deny enable: tacacs+ deny commands: config: tacacs+ deny all: Console:...
  • Page 985: Authorization Example

    Authorization Example: Figure 39-4 shows a simple network topology using TACACS+. When Workstation A initiates a command on the switch, the switch registers a request with the TACACS+ daemon.
  • Page 986: Understanding How Accounting Works

    Understanding How Accounting Works: These sections describe how the different accounting methods work: • Accounting Overview, page 39-52 • Accounting Events, page 39-52 • Specifying When to Create Accounting Records, page 39-53 ...
  • Page 987: Specifying When To Create Accounting Records

    Understanding How Accounting Works: • System accounting—Provides information on system events that are not related to users (includes system reset, system boot, and user configuration of accounting). • Command accounting—Sends a record for each command that is issued by the user. This feature ...
  • Page 988: Updating The Server

    Understanding How Accounting Works: This example shows how to specify a RADIUS server and verify the configuration: Console> (enable) set radius server 172.20.52.3 172.20.52.3 with auth-port 1812 added to radius server table as primary server. Console>...
  • Page 989: Configuring Accounting On The Switch

    Configuring Accounting on the Switch: These sections describe how to configure accounting for both TACACS+ and RADIUS: • Accounting Default Configuration, page 39-55 • Accounting Configuration Guidelines, page 39-55 ...
  • Page 990 Enabling Accounting: To enable accounting on the switch, perform this task in privileged mode. Step 1 Task: Enable accounting for connection events. Command: set accounting connect enable {start-stop | stop-only} {tacacs+ | radius}. Step 2 Task: Enable accounting for EXEC mode.
  • Page 991 This example shows how to verify the configuration: Console> (enable) show accounting Event Method Mode ----- ------- ---- exec: tacacs+ stop-only connect: tacacs+ stop-only system: tacacs+ stop-only commands: config: all:...
  • Page 992: Accounting Example

    Configuring Accounting on the Switch: This example shows how to disable suppression of unknown users: Console> (enable) set accounting suppress null-username disable Accounting will be not be suppressed for user with no username. Console>...
  • Page 993 Figure 39-5 TACACS+ Example Network Topology (TACACS+ server 172.20.52.10; Switch; console port connection; Terminal; Workstation A). In this example, TACACS+ accounting is enabled for connection, EXEC, system, and all command accounting: Console>...
  • Page 995 Chapter 40 Configuring 802.1X Authentication. This chapter describes how to configure IEEE 802.1X authentication on the Catalyst 6500 series switches. Note: For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
  • Page 996: Understanding How 802.1X Authentication Works

    Understanding How 802.1X Authentication Works: • Configuring 802.1X Authentication on the Switch, page 40-13. 802.1X defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. 802.1X controls network access by creating two distinct virtual access points at each port.
  • Page 997: Authentication Initiation And Message Exchange

    In this release, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 998: Ports In Authorized And Unauthorized States

    Understanding How 802.1X Authentication Works: When the host supplies its identity, the switch acts as the intermediary, passing EAP frames between the host and the authentication server until authentication succeeds or fails. If the authentication succeeds, the switch port becomes authorized.
  • Page 999 You control the port authorization state by using the set port dot1x mod/port port-control command and these keywords: • force-authorized—Disables 802.1X authentication and causes the port to transition to the authorized state without any authentication exchange required.
  • Page 1000: Authentication Server

    Table 40-1 802.1X Terminology (continued) (Term: Definition). Flow control only on incoming frames in an unauthorized switch port. Port: Single point of attachment to the LAN infrastructure (for example, MAC bridge ports). Port access entity: Protocol object that is associated with a specific system port.

This manual is also suitable for: Catalyst 6506, Catalyst 6509, Catalyst 6513