Cisco WS-X6066-SLB-APC - Content Switching Module Software Manual


Catalyst 6000 series software configuration guide

Catalyst 6000 Family
Software Configuration Guide
Software Releases 6.3 and 6.4
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7813315=
Text Part Number: 78-13315-02


Summary of Contents for Cisco WS-X6066-SLB-APC - Content Switching Module

  • Page 1 Catalyst 6000 Family Software Configuration Guide Software Releases 6.3 and 6.4 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7813315= Text Part Number: 78-13315-02...
  • Page 2 OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
  • Page 3: Table Of Contents

    Catalyst Command-Line Interface ROM-Monitor Command-Line Interface Switch Command-Line Interface MSFC Command-Line Interface Cisco IOS Command Modes Cisco IOS Command-Line Interface Configuring the Switch IP Address and Default Gateway C H A P T E R Understanding the Switch Management Interfaces...
  • Page 4 Contents Default IP Address and Default Gateway Configuration Assigning the In-Band (sc0) Interface IP Address Configuring Default Gateways Configuring the SLIP (sl0) Interface on the Console Port Using BOOTP, DHCP, or RARP to Obtain an IP Address Renewing and Releasing a DHCP-Assigned IP Address Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching C H A P T E R Understanding How Ethernet Works...
  • Page 5 Contents ISL Trunk Configuration Example ISL Trunk Over EtherChannel Link Example 802.1Q Trunk Over EtherChannel Link Example Load-Sharing VLAN Traffic Over Parallel Trunks Example Disabling VLAN 1 on Trunks Disabling VLAN 1 on a Trunk Link Configuring EtherChannel C H A P T E R Understanding How EtherChannel Works Understanding Administrative Groups Understanding EtherChannel IDs...
  • Page 6 Contents Calculating and Assigning Port Costs Spanning Tree Port States Understanding PVST+ and MISTP Modes PVST+ Mode MISTP Mode MISTP-PVST+ Mode Bridge Identifiers MAC Address Allocation MAC Address Reduction Using PVST+ Default PVST+ Configuration Setting the PVST+ Bridge ID Priority Configuring the PVST+ Port Cost Configuring the PVST+ Port Priority Configuring the PVST+ Default Port Cost Mode...
  • Page 7 Contents Understanding How PortFast BPDU Guard Works Understanding How PortFast BPDU Filter Works Understanding How UplinkFast Works Understanding How BackboneFast Works Understanding How Loop Guard Works Configuring PortFast Enabling PortFast Disabling PortFast Configuring PortFast BPDU Guard Enabling PortFast BPDU Guard Disabling PortFast BPDU Guard Configuring PortFast BPDU Filter Enabling PortFast BPDU Filter...
  • Page 8 Contents Enabling VTP Version 2 Disabling VTP Version 2 Enabling VTP Pruning Disabling VTP Pruning Displaying VTP Configuring VLANs C H A P T E R Understanding How VLANs Work VLAN Ranges Configurable VLAN Parameters Default VLAN Configuration Configuring Normal-Range VLANs Normal-Range VLAN Configuration Guidelines Creating Normal-Range VLANs Modifying Normal-Range VLANs...
  • Page 9 Contents Creating or Modifying a Token Ring TrBRF VLAN Creating or Modifying a Token Ring TrCRF VLAN Configuring InterVLAN Routing C H A P T E R Understanding How InterVLAN Routing Works Configuring InterVLAN Routing on the MSFC MSFC Routing Configuration Guidelines Configuring IP InterVLAN Routing on the MSFC Configuring IPX InterVLAN Routing on the MSFC Configuring AppleTalk InterVLAN Routing on the MSFC...
  • Page 10 Contents Default MLS Configuration Configuration Guidelines and Restrictions IP MLS IP MMLS IPX MLS Configuring MLS Configuring Unicast MLS on the MSFC Configuring MLS on Supervisor Engine 1 Configuring IP MMLS Configuring NDE C H A P T E R Understanding How NDE Works Overview of NDE and Integrated Layer 3 Switching Management Traffic Statistics Data Collection...
  • Page 11 Hardware and Software Handling of Cisco IOS ACLs with PFC2 Using VACLs with Cisco IOS ACLs Guidelines for Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface Guidelines for Using Layer 4 Operations Using VACLs in your Network...
  • Page 12 Contents Displaying PBF Information Clearing Entries in PBF VACLs Rolling Back Adjacency Table Entries in the Edit Buffer Configuring Hosts for PBF Policy-Based Forwarding Configuration Example Configuring GVRP C H A P T E R Understanding How GVRP Works Default GVRP Configuration GVRP Configuration Guidelines Configuring GVRP Enabling GVRP Globally...
  • Page 13 Contents Dynamic Port VLAN Membership with Auxiliary VLANs Configuration Guidelines Configuring Dynamic Port VLAN Membership with Auxiliary VLANs Checking Port Status and Connectivity C H A P T E R Checking Module Status Checking Port Status Checking Port Capabilities Using Telnet Using Secure Shell Encryption for Telnet Sessions Monitoring User Sessions Using Ping...
  • Page 14 Contents Enabling or Disabling Power Redundancy Using the CLI to Power Modules Up or Down Determining System Power Requirements Environmental Monitoring Environmental Monitoring Using CLI Commands LED Indications Displaying System Status Information for Technical Support Generating a System Status Report Using System Dump Files Configuring Switch Access Using AAA C H A P T E R...
  • Page 15 Contents Configuring RADIUS Authorization Authorization Example Understanding How Accounting Works Accounting Overview Accounting Events Specifying When to Create Accounting Records Specifying RADIUS Servers Updating the Server Suppressing Accounting Configuring Accounting Accounting Default Configuration Accounting Configuration Guidelines Configuring Accounting Accounting Example Configuring Redundancy C H A P T E R Understanding How Supervisor Engine Redundancy Works...
  • Page 16 Contents Setting the Boot Field in the Configuration Register Setting the ROM-Monitor Console-Port Baud Rate Setting CONFIG_FILE Recurrence Setting CONFIG_FILE Overwrite Setting CONFIG_FILE Synchronization Setting the Switch to Ignore the NVRAM Configuration Setting the Configuration Register Value Setting the BOOT Environment Variable Setting the BOOT Environment Variable Clearing the BOOT Environment Variable Settings Setting the CONFIG_FILE Environment Variable...
  • Page 17 Contents Downloading System Software Images Using rcp Preparing to Download an Image Using rcp Downloading Supervisor Engine Images Using rcp Downloading Switching Module Images Using rcp Example rcp Download Procedures Uploading System Software Images to an rcp Server Preparing to Upload an Image to an rcp Server Uploading Software Images to an rcp Server Downloading Software Images Over a Serial Connection on the Console Port Preparing to Download an Image Using Kermit...
  • Page 18 Contents Enabling and Disabling the Logging Time Stamp Enable State Setting the Logging Buffer Size Configuring the syslog Daemon on a UNIX syslog Server Configuring syslog Servers Displaying the Logging Configuration Displaying System Messages Configuring DNS C H A P T E R Understanding How DNS Works DNS Default Configuration Configuring DNS...
  • Page 19 Contents Configuring NTP C H A P T E R Understanding How NTP Works NTP Default Configuration Configuring NTP Enabling NTP in Broadcast-Client Mode Configuring NTP in Client Mode Configuring Authentication in Client Mode Setting the Time Zone Enabling the Daylight Saving Time Adjustment Disabling the Daylight Saving Time Adjustment Clearing the Time Zone Clearing NTP Servers...
  • Page 20 Contents Allowing Traffic Based on the Host MAC Address Restricting Traffic Based on the Host MAC Address Port Security Configuration Guidelines Configuring Port Security Enabling Port Security Setting the Maximum Number of Secure MAC Addresses Setting the Port Security Age Time Clearing MAC Addresses Specifying the Security Violation Action Setting the Shutdown Timeout...
  • Page 21 Contents Viewing RMON Data Supported RMON and RMON2 MIB Objects Configuring SPAN and RSPAN C H A P T E R Understanding How SPAN and RSPAN Works SPAN Session Destination Port Source Port Ingress SPAN Egress SPAN VSPAN Trunk VLAN Filtering SPAN Traffic SPAN and RSPAN Session Limits Configuring SPAN...
  • Page 22 Contents Understanding How RGMP Works Suppressing Multicast Traffic Nonreverse Path Forwarding Multicast Fast Drop Enabling Installation of Directly Connected Subnets Configuring IGMP Snooping Default IGMP Snooping Configuration Enabling IGMP Snooping Specifying IGMP Snooping Mode Enabling IGMP Rate Limiting Enabling IGMP Fast-Leave Processing Displaying Multicast Router Information Displaying Multicast Group Information Displaying IGMP Snooping Statistics...
  • Page 23 Contents Configuring QoS C H A P T E R Understanding How QoS Works Definitions Flowcharts QoS Feature Set Summary Ethernet Ingress Port Marking, Scheduling, Congestion Avoidance, and Classification Classification, Marking, and Policing with a Layer 3 Switching Engine Classification and Marking with a Layer 2 Switching Engine Ethernet Egress Port Scheduling, Congestion Avoidance, and Marking QoS Statistics Data Export QoS Default Configuration...
  • Page 24 Configuring a VoIP Network C H A P T E R Hardware and Software Requirements Understanding How a VoIP Network Works Cisco IP Phone 7960 Cisco CallManager Access Gateways Catalyst 6000 Family Software Configuration Guide, Releases 6.3 and 6.4 78-13315-02...
  • Page 25 Configuring Per-Port Power Management Configuring Auxiliary VLANs on Catalyst LAN Switches Configuring the Access Gateways Displaying Active Call Information Configuring QoS in the Cisco IP Phone 7960 I N D E X Catalyst 6000 Family Software Configuration Guide, Releases 6.3 and 6.4 78-13315-02...
  • Page 26 Contents Catalyst 6000 Family Software Configuration Guide, Releases 6.3 and 6.4 78-13315-02...
  • Page 27: Preface

    Preface This preface describes who should read the Catalyst 6000 Family Software Configuration Guide, how it is organized, and its document conventions. Audience This publication is for experienced network administrators who are responsible for configuring and maintaining Catalyst 6000 family switches. Organization This publication includes the information that previously was in the Catalyst 6000 Family Multilayer Note...
  • Page 28 Configuring InterVLAN Routing Describes how to configure interVLAN routing on the MSFC. Chapter 13 Configuring CEF for PFC2 Describes how to configure Cisco Express Forwarding for Policy Feature Card 2 (CEF for PFC2). Chapter 14 Configuring MLS Describes how to configure Multilayer Switching (MLS).
  • Page 29: Related Documentation

    • Release Notes for Catalyst 6000 Family Software Release 6.x • Cisco IOS Configuration Guides and Command References—Use these publications to help you configure the Cisco IOS software that runs on the MSFC, MSM, and ATM modules. • For information about MIBs, refer to http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4...
  • Page 30: Conventions

    Preface Conventions Conventions Note Throughout this publication, except where noted, the term supervisor engine is used to refer to both Supervisor Engine 1 and Supervisor Engine 2. This publication uses the following conventions: Convention Description boldface font Commands, command options, and keywords are in boldface.
  • Page 31: Obtaining Documentation

    Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems. Cisco.com You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com/univercd/home/home.htm You can access the Cisco website at this URL: http://www.cisco.com...
  • Page 32: Documentation Feedback

    The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The avenue of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.
  • Page 33 No workaround is available. Cisco TAC Website You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this URL: http://www.cisco.com/tac...
  • Page 34: Obtaining Additional Publications And Information

    Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL: http://www.ciscopress.com Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest...
  • Page 35: Chapter 1 Product Overview

    Chapter 1 Product Overview The Catalyst 6000 family switches support the following configurations: • Supervisor Engine 2, Policy Feature Card 2 (PFC2), and Multilayer Switch Feature Card 2 (MSFC2) • Supervisor Engine 2 and PFC2 • Supervisor Engine 1, PFC, and MSFC or MSFC2...
  • Page 36 Chapter 1 Product Overview Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4 78-13315-02...
  • Page 37: Command-Line Interfaces

    Catalyst 6000 Family Command Reference publication. Note For a description of the ATM Cisco IOS CLI and commands, refer to the ATM Software Configuration Guide and Command Reference—Catalyst 5000 Family and 6000 Family Switches publication. For a description of the Multilayer Switch Module (MSM) IOS CLI and commands, refer to the Multilayer Switch Module Installation and Configuration Note.
  • Page 38: Switch Command-Line Interface

    Chapter 2 Command-Line Interfaces Catalyst Command-Line Interface To access the ROM monitor through a terminal server, you can escape to the Telnet prompt and enter the send break command for your terminal emulation program to break into ROM-monitor mode. Once you are in ROM-monitor mode, the prompt changes to rommon>. Use the ? command to see the available ROM-monitor commands.
  • Page 39 Chapter 2 Command-Line Interfaces Catalyst Command-Line Interface After accessing the switch through the console port, you see this display: Cisco Systems Console Enter password: Console> Accessing the CLI through Telnet Before you can open a Telnet session to the switch, you must first set the IP address for the switch. For information about setting the IP address, see the “Assigning the In-Band (sc0) Interface IP Address”...
  • Page 40 1) or 16 (if the MSFC is installed on the supervisor engine in slot 2). If no module number is specified, the console will switch to the MSFC on the active supervisor engine. To access the Cisco IOS CLI on the standby MSFC, connect to the console port of the standby Note supervisor engine.
  • Page 41 Chapter 2 Command-Line Interfaces Catalyst Command-Line Interface Working With the Command-Line Interface These sections describe how to work with the switch CLI: Switch CLI Command Modes, page 2-5 • Designating Modules, Ports, and VLANs on the Command Line, page 2-5 •...
  • Page 42 Chapter 2 Command-Line Interfaces Catalyst Command-Line Interface Table 2-1 Designating Ports and Port Ranges (continued) Example Function Specifies ports 2 and 4 on module 5 and port 10 on module 6 5/2,5/4,6/10 Specifies ports 1 and 2 on module 3 and port 8 on module 4 3/1-2,4/8 VLANs are identified using the VLAN ID, a single number associated with the VLAN.
  • Page 43 Chapter 2 Command-Line Interfaces Catalyst Command-Line Interface Table 2-3 Command-Line Editing Keyboard Shortcuts (continued) Keystroke Function Ctrl-D Deletes the character at the cursor. Ctrl-E Jumps to the end of the current command line. Ctrl-F or the right arrow key Moves the cursor forward one character. Ctrl-K Deletes from the cursor to the end of the command line.
  • Page 44: MSFC Command-Line Interface

    Cisco IOS Command Modes The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. To get a list of the commands in a given mode, type a question mark (?) at the system prompt.
  • Page 45 The Cisco IOS command interpreter, called the EXEC, interprets and executes the commands you enter. You can abbreviate commands and keywords by entering just enough characters to make the command unique from other commands. For example, you can abbreviate the show command to sh and the configure terminal command to config t.
  • Page 46: Cisco IOS Command-Line Interface

    Press Ctrl-Z in any mode to immediately return to privileged EXEC mode. Enter exit to return to the previous mode. Cisco IOS Command-Line Interface These sections describe basic Cisco IOS configuration tasks you need to understand before you configure routing: • Accessing Cisco IOS Configuration Mode, page 2-10...
  • Page 47 (Refer to the appropriate configuration tasks later in this chapter.) routing. Step 5 Exit configuration mode. Router(config)# Ctrl-Z Viewing and Saving the Cisco IOS Configuration To view and save the configuration after you make changes, perform this task: Task Command Step 1...
  • Page 48 Chapter 2 Command-Line Interfaces MSFC Command-Line Interface Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4 2-12 78-13315-02...
  • Page 49: Understanding The Switch Management Interfaces

    The in-band (sc0) management interface is connected to the switching fabric and participates in all of the functions of a normal switch port, such as spanning tree, Cisco Discovery Protocol (CDP), VLAN membership, and so forth. The out-of-band management interface (sl0) is not connected to the switching fabric and does not participate in any of these functions.
  • Page 50: Understanding Automatic IP Configuration

    Chapter 3 Configuring the Switch IP Address and Default Gateway Understanding Automatic IP Configuration When you configure the IP address, subnet mask, broadcast address, and VLAN membership of the sc0 interface, you can access the switch through Telnet or Simple Network Management Protocol (SNMP). When you configure the SLIP (sl0) interface, you can open a point-to-point connection to the switch through the console port from a workstation.
  • Page 51: Understanding How BOOTP and RARP Work

    Chapter 3 Configuring the Switch IP Address and Default Gateway Understanding Automatic IP Configuration In addition to the sc0 interface IP address, the switch can obtain the subnet mask, broadcast address, and default gateway address. DHCP-learned values are not used if user-configured values are present. The switch broadcasts a DHCPDISCOVER message one to ten seconds after all of the switch ports are online.
  • Page 52: Preparing to Configure the IP Address and Default Gateway

    Two Multilayer Switch Feature Card (MSFC) images are provided on the MSFC bootflash: a boot loader image and a system image. The boot loader image is a limited function system image that has network interface code and end-host protocol code. The system image is the main Cisco IOS software image with full multiprotocol routing support.
  • Page 53: Default IP Address and Default Gateway Configuration

    Chapter 3 Configuring the Switch IP Address and Default Gateway Default IP Address and Default Gateway Configuration Note To boot a system image stored on the supervisor engine Flash PC card, at least one VLAN interface must be configured and active. By following this recommendation, there is really no need to store new system images on the bootflash.
  • Page 54: Configuring Default Gateways

    Chapter 3 Configuring the Switch IP Address and Default Gateway Configuring Default Gateways This example shows how to assign an IP address, specify the number of subnet bits, and specify the VLAN assignment for the in-band (sc0) interface: Console> (enable) set interface sc0 172.20.52.124/29 Interface sc0 IP address and netmask set.
  • Page 55: Configuring the SLIP (sl0) Interface on the Console Port

    Chapter 3 Configuring the Switch IP Address and Default Gateway Configuring the SLIP (sl0) Interface on the Console Port To remove default gateway entries, perform one of these tasks in privileged mode: Task Command Clear an individual default gateway entry. clear ip route default gateway Clear all default gateways and static routes.
  • Page 56 This example shows how to configure SLIP on the console port and verify the configuration: sparc20% telnet 172.20.52.38 Trying 172.20.52.38 ... Connected to 172.20.52.38. Escape character is '^]'. Cisco Systems, Inc. Console Enter password: Console> enable Enter password: Console> (enable) set interface sl0 10.1.1.1 10.1.1.2 Interface sl0 slip and destination address set.
  • Page 57: Using BOOTP, DHCP, or RARP to Obtain an IP Address

    Chapter 3 Configuring the Switch IP Address and Default Gateway Using BOOTP, DHCP, or RARP to Obtain an IP Address Using BOOTP, DHCP, or RARP to Obtain an IP Address Note For complete information on how the switch uses BOOTP, DHCP, or RARP to obtain its IP configuration, see the “Understanding Automatic IP Configuration”...
  • Page 58: Renewing and Releasing a DHCP-Assigned IP Address

    Chapter 3 Configuring the Switch IP Address and Default Gateway Renewing and Releasing a DHCP-Assigned IP Address Console> (enable) show interface sl0: flags=51<UP,POINTOPOINT,RUNNING> slip 0.0.0.0 dest 0.0.0.0 sc0: flags=63<UP,BROADCAST,RUNNING> vlan 1 inet 172.20.25.244 netmask 255.255.255.0 broadcast 172.20.25.255 dhcp server: 172.20.25.254 Console>...
  • Page 59: Chapter 4 Configuring Ethernet, Fast Ethernet, And Gigabit Ethernet Switching

    C H A P T E R Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching This chapter describes how to use the command-line interface (CLI) to configure Ethernet, Fast Ethernet, and Gigabit Ethernet switching on the Catalyst 6000 family switches. The configuration tasks in this chapter apply to Ethernet, Fast Ethernet, and Gigabit Ethernet switching modules, as well as to the uplink ports on the supervisor engine.
  • Page 60: Switching Frames Between Segments

    Chapter 4 Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching Understanding How Ethernet Works These sections describe Ethernet: • Switching Frames Between Segments, page 4-2 • Building the Address Table, page 4-2 • Understanding How Port Negotiation Works, page 4-2 Switching Frames Between Segments Each Ethernet port on a Catalyst 6000 family switch can connect to a single workstation or server, or to a hub through which workstations or servers connect to the network.
  • Page 61: Default Ethernet, Fast Ethernet, And Gigabit Ethernet Configuration

    Chapter 4 Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching Default Ethernet, Fast Ethernet, and Gigabit Ethernet Configuration Table 4-1 shows the four possible port negotiation configurations and the resulting link status for each configuration. Table 4-1 Port Negotiation Configuration and Possible Link Status Port Negotiation State Link Status Near End...
  • Page 62: Setting The Port Configuration

    Chapter 4 Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching Setting the Port Configuration Setting the Port Configuration These sections describe how to configure Ethernet, Fast Ethernet, and Gigabit Ethernet switching on the Catalyst 6000 family switches: • Setting the Port Name, page 4-4...
  • Page 63: Setting The Port Speed

    Chapter 4 Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching Setting the Port Configuration Setting the Port Speed You can configure the port speed on 10/100-Mbps Ethernet switching modules. Use the auto keyword to autonegotiate the port’s speed and duplex mode with the neighboring port. Note If the port speed is set to auto on a 10/100-Mbps Ethernet port, both speed and duplex are autonegotiated.
  • Page 64: Configuring IEEE 802.3x Flow Control

    Chapter 4 Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching Setting the Port Configuration This example shows how to set the duplex mode to half duplex on port 2/1: Console> (enable) set port duplex 2/1 half Port 2/1 set to half-duplex. Console>...
  • Page 65: Enabling And Disabling Port Negotiation

    Chapter 4 Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching Setting the Port Configuration Console> (enable) show port flowcontrol Port Send-Flowcontrol Receive-Flowcntl RxPause TxPause Admin Oper Admin Oper ----- ---------------- ---------------- ------- ------- disagree disagree desired on desired off Console> (enable) Enabling and Disabling Port Negotiation To enable port negotiation, perform this task in privileged mode: Task...
  • Page 66: Setting The Port Debounce Timer

    Chapter 4 Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching Setting the Port Configuration When you enter the clear config all command or in the event of a configuration loss, all ports collapse into VLAN 1. This might cause a security and network instability problem. Entering the set default portstatus command puts all ports into a disable state and blocks the traffic flowing through the ports during a configuration loss.
  • Page 67: Configuring A Timeout Period For Ports In Errdisable State

    Chapter 4 Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching Setting the Port Configuration Table 4-4 lists the time delay that occurs before the switch notifies the main processor of a link change before and after the switch enables the debounce timer. Table 4-4 Port Debounce Timer Delay Time Port Type...
  • Page 68 Chapter 4 Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching Setting the Port Configuration A port enters errdisable state for the following reasons (these reasons appear as configuration options with the set errdisable-timeout enable command): • Channel misconfiguration • Duplex mismatch...
  • Page 69: Configuring The Jumbo Frame Feature

    Chapter 4 Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching Setting the Port Configuration Configuring the Jumbo Frame Feature These sections describe the jumbo frame feature: • Configuring the Jumbo Frame Feature on the Supervisor Engine, page 4-11 • Configuring the Jumbo Frame Feature on MSFC2, page 4-12...
  • Page 70 Chapter 4 Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching Setting the Port Configuration To enable the jumbo frames feature on an Ethernet port, perform this task in privileged mode: Task Command Step 1 Enable jumbo frames. set port jumbo mod/port enable Step 2 Verify the port configuration.
  • Page 71: Checking Connectivity

    Chapter 4 Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching Setting the Port Configuration This example shows how to set the MTU size on a VLAN interface and verify the configuration: Router(config)# interface vlan 111 Router(config-if)# mtu 9216 Router(config-if)# end Router# show interface vlan 111 <...Output Truncated...>...
  • Page 72 Chapter 4 Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching Setting the Port Configuration Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4 4-14 78-13315-02...
  • Page 73: Understanding How VLAN Trunks Work

    Trunks carry the traffic of multiple VLANs over a single link and allow you to extend VLANs across an entire network. Two trunking encapsulations are available on all Ethernet ports: • Inter-Switch Link (ISL)—ISL is a Cisco-proprietary trunking encapsulation • IEEE 802.1Q—802.1Q is an industry-standard trunking encapsulation...
  • Page 74: Trunking Modes And Encapsulation Types

    Chapter 5 Configuring Ethernet VLAN Trunks Understanding How VLAN Trunks Work You can configure a trunk on a single Ethernet port or on an EtherChannel bundle. For more information about EtherChannel, see Chapter 6, “Configuring EtherChannel.” Ethernet trunk ports support five different trunking modes (see Table 5-1).
  • Page 75 Chapter 5 Configuring Ethernet VLAN Trunks Understanding How VLAN Trunks Work Table 5-3 Results of Possible Fast Ethernet and Gigabit Ethernet Trunk Configurations Local Port Trunk Mode and Trunk Encapsulation Neighbor Port Trunk Mode and Trunk isl or desirable auto desirable auto desirable...
  • Page 76: 802.1Q Trunk Restrictions

    When manually enabling trunking on a link to a Cisco router, use the nonegotiate keyword to cause the port to become a trunk but not generate DTP frames.
  • Page 77: Default Trunk Configuration

    Chapter 5 Configuring Ethernet VLAN Trunks Default Trunk Configuration Default Trunk Configuration Table 5-4 shows the default Ethernet trunk configuration. Table 5-4 Default Ethernet Trunk Configuration Feature Default Configuration Trunk mode auto Trunk encapsulation negotiate Allowed VLAN range VLANs 1–1005, 1025-4094 Configuring a Trunk Link These sections describe how to configure a trunk link on Ethernet ports and how to define the allowed VLAN range on a trunk:...
  • Page 78: Configuring An 802.1Q Trunk

    Chapter 5 Configuring Ethernet VLAN Trunks Configuring a Trunk Link Port Vlans allowed and active in management domain -------- --------------------------------------------------------------------- 1,521-524 Port Vlans in spanning tree forwarding state and not pruned -------- --------------------------------------------------------------------- Console> (enable) This example shows how to place a port in desirable mode and how to verify the trunk configuration. This example assumes that the neighboring port is in auto mode: Console>...
  • Page 79: Configuring an ISL/802.1Q Negotiating Trunk Port

    Chapter 5 Configuring Ethernet VLAN Trunks Configuring a Trunk Link Port Vlans allowed and active in management domain -------- --------------------------------------------------------------------- 1,5,10-32,101-120,150,200,250,300,400,500,600,700,800,900,1000 Port Vlans in spanning tree forwarding state and not pruned -------- --------------------------------------------------------------------- 5,10-32,101-120,150,200,250,300,400,500,600,700,800,900,1000 Console> (enable) Configuring an ISL/802.1Q Negotiating Trunk Port To configure a trunk port to negotiate the trunk encapsulation type (either ISL or 802.1Q), perform this task in privileged mode: Task...
  • Page 80: Disabling A Trunk Port

    Chapter 5 Configuring Ethernet VLAN Trunks Configuring a Trunk Link Note When you first configure a port as a trunk, entering the set trunk command always adds all VLANs to the allowed VLAN list for the trunk, even if you specify a VLAN range (any specified VLAN range is ignored).
  • Page 81: Example VLAN Trunk Configurations

    Chapter 5 Configuring Ethernet VLAN Trunks Example VLAN Trunk Configurations To return a port to the default trunk type and mode for that port type, perform this task in privileged mode: Task Command Step 1 Return the port to the default trunking type and mode for that port type. clear trunk mod/port
  • Page 82: Isl Trunk Over Etherchannel Link Example

    Chapter 5 Configuring Ethernet VLAN Trunks Example VLAN Trunk Configurations Port Vlans in spanning tree forwarding state and not pruned -------- --------------------------------------------------------------------- Switch1> (enable) Step 3 Define the allowed VLAN list for the trunk by entering the clear trunk command to remove the VLANs that should not pass traffic over the trunk link.
  • Page 83 Chapter 5 Configuring Ethernet VLAN Trunks Example VLAN Trunk Configurations Step 1 Confirm the channeling and trunking status of the switches by entering the show port channel and show trunk commands. Switch_A> (enable) show port channel No ports channelling Switch_A> (enable) show trunk No ports trunking.
  • Page 84 Chapter 5 Configuring Ethernet VLAN Trunks Example VLAN Trunk Configurations Switch_A> (enable) set trunk 1/1 desirable isl Port(s) 1/1-2 trunk mode set to desirable. Port(s) 1/1-2 trunk type set to isl. Switch_A> (enable) %DTP-5-TRUNKPORTON:Port 1/1 has become isl trunk %DTP-5-TRUNKPORTON:Port 1/2 has become isl trunk %PAGP-5-PORTFROMSTP:Port 1/1 left bridge port 1/1-2 %PAGP-5-PORTFROMSTP:Port 1/2 left bridge port 1/1-2 %PAGP-5-PORTTOSTP:Port 1/1 joined bridge port 1/1-2...
  • Page 85: 802.1Q Trunk Over Etherchannel Link Example

    Chapter 5 Configuring Ethernet VLAN Trunks Example VLAN Trunk Configurations 802.1Q Trunk Over EtherChannel Link Example This example shows how to configure an 802.1Q trunk over an EtherChannel link between two switches. Figure 5-2 shows two switches connected through four 1000BASE-SX Gigabit Ethernet ports. Figure 5-2 802.1Q Trunk Over EtherChannel Link Switch A...
  • Page 86 Chapter 5 Configuring Ethernet VLAN Trunks Example VLAN Trunk Configurations Switch_A> (enable) set port channel 2/3-6 desirable Port(s) 2/3-6 channel mode set to desirable. Switch_A> (enable) %PAGP-5-PORTFROMSTP:Port 2/3 left bridge port 2/3 %PAGP-5-PORTFROMSTP:Port 2/4 left bridge port 2/4 %PAGP-5-PORTFROMSTP:Port 2/5 left bridge port 2/5 %PAGP-5-PORTFROMSTP:Port 2/6 left bridge port 2/6 %PAGP-5-PORTFROMSTP:Port 2/4 left bridge port 2/4 %PAGP-5-PORTFROMSTP:Port 2/5 left bridge port 2/5...
  • Page 87 Chapter 5 Configuring Ethernet VLAN Trunks Example VLAN Trunk Configurations %DTP-5-TRUNKPORTON:Port 2/4 has become dot1q trunk %PAGP-5-PORTFROMSTP:Port 2/3 left bridge port 2/3-6 %DTP-5-TRUNKPORTON:Port 2/5 has become dot1q trunk %PAGP-5-PORTFROMSTP:Port 2/4 left bridge port 2/3-6 %PAGP-5-PORTFROMSTP:Port 2/5 left bridge port 2/3-6 %DTP-5-TRUNKPORTON:Port 2/6 has become dot1q trunk %PAGP-5-PORTFROMSTP:Port 2/6 left bridge port 2/3-6 %PAGP-5-PORTFROMSTP:Port 2/3 left bridge port 2/3...
  • Page 88: Load-Sharing Vlan Traffic Over Parallel Trunks Example

    Chapter 5 Configuring Ethernet VLAN Trunks Example VLAN Trunk Configurations Switch_B> (enable) show trunk Port Mode Encapsulation Status Native vlan -------- ----------- ------------- ------------ ----------- auto dot1q trunking auto dot1q trunking auto dot1q trunking auto dot1q trunking Port Vlans allowed on trunk -------- --------------------------------------------------------------------- 1-1005, 1025-4094...
  • Page 89 Chapter 5 Configuring Ethernet VLAN Trunks Example VLAN Trunk Configurations Figure 5-3 Parallel Trunk Configuration Before Configuring VLAN-Traffic Load Sharing (figure: Switch 1 and Switch 2 connected by Trunk 1, carrying VLANs 10, 20, 30, 40, 50, and 60 at port-VLAN priority 32, forwarding, and by Trunk 2, carrying VLANs 10, 20, 30, 40, 50, and 60 at port-VLAN priority 32, blocking). By default, the port-VLAN priority for both trunks is equal (a value of 32).
  • Page 90 Chapter 5 Configuring Ethernet VLAN Trunks Example VLAN Trunk Configurations Switch_1> (enable) show vtp domain Domain Name Domain Index VTP Version Local Mode Password -------------------------------- ------------ ----------- ----------- ---------- BigCorp server Vlan-count Max-vlan-storage Config Revision Notifications ---------- ---------------- --------------- ------------- 1023 disabled Last Updater...
  • Page 91 Chapter 5 Configuring Ethernet VLAN Trunks Example VLAN Trunk Configurations Port Vlans in spanning tree forwarding state and not pruned -------- --------------------------------------------------------------------- Switch_1> (enable) Note that when the trunk links come up, VTP passes the VTP and VLAN configuration to Switch 2. Step 6 Verify that Switch 2 has learned the VLAN configuration by entering the show vlan command on Switch 2.
  • Page 92 Chapter 5 Configuring Ethernet VLAN Trunks Example VLAN Trunk Configurations Step 8 Divide the configured VLANs into two groups. You might want traffic from half of the VLANs to go over one trunk link and half over the other, or if one VLAN has heavier traffic than the others, you can forward traffic from that VLAN over one trunk and traffic from the other VLANs over the other trunk link.
  • Page 93 Chapter 5 Configuring Ethernet VLAN Trunks Example VLAN Trunk Configurations Step 12 On Switch 2, change the port-VLAN priority for the Group 2 VLANs on Trunk 2 (port 1/2) to the same value you configured for those VLANs on Switch 1 by entering the set spantree portvlanpri command. Switch_2>...
  • Page 94 Chapter 5 Configuring Ethernet VLAN Trunks Example VLAN Trunk Configurations Figure 5-4 Parallel Trunk Configuration After Configuring VLAN-Traffic Load Sharing (figure: Switch 1 and Switch 2; Trunk 2 carries VLANs 10, 20, and 30 at port-VLAN priority 32, blocking, and VLANs 40, 50, and 60 at port-VLAN priority 1, forwarding; Trunk 1...)
  • Page 95: Disabling Vlan 1 On Trunks

    Cisco Discovery Protocol (CDP), VTP, Port Aggregation Protocol (PAgP), and DTP. When a trunk port with VLAN 1 disabled becomes a nontrunk port, it is added to the native VLAN. If the native VLAN is VLAN 1, the port is enabled and added to VLAN 1.
  • Page 96 Chapter 5 Configuring Ethernet VLAN Trunks Disabling VLAN 1 on Trunks Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4 5-24 78-13315-02...
  • Page 97: Chapter 6 Configuring Etherchannel

    CHAPTER 6 Configuring EtherChannel This chapter describes how to use the command-line interface (CLI) to configure EtherChannel on the Catalyst 6000 family switches. The configuration tasks in this chapter apply to Ethernet, Fast Ethernet, and Gigabit Ethernet switching modules, as well as to the uplink ports on the supervisor engine. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 98: Understanding Administrative Groups

    Chapter 6 Configuring EtherChannel Understanding How EtherChannel Works Note: The network device to which a Catalyst 6000 family switch is connected may impose its own limits on the number of ports in an EtherChannel. If a segment within an EtherChannel fails, traffic previously carried over the failed link switches to the remaining segments within the EtherChannel.
  • Page 99: Understanding Frame Distribution

    Chapter 6 Configuring EtherChannel Understanding How EtherChannel Works Table 6-1 describes EtherChannel modes. Table 6-1 EtherChannel Modes: on: Mode that forces the port to channel without PAgP. With the on mode, a usable EtherChannel exists only when a port group in on mode is connected to another port group in on mode.
  • Page 100: Etherchannel Configuration Guidelines

    Chapter 6 Configuring EtherChannel EtherChannel Configuration Guidelines When configurable, EtherChannel frame distribution can use MAC addresses, IP addresses, and Layer 4 port numbers. You can specify either source or destination address or both source and destination addresses and Layer 4 port numbers. The mode you select applies to all EtherChannels configured on the switch.
  • Page 101: Configuring An Etherchannel

    Chapter 6 Configuring EtherChannel Configuring EtherChannel Configuring EtherChannel These sections describe how to configure EtherChannel: • Configuring an EtherChannel, page 6-5 • Setting the EtherChannel Port Mode, page 6-5 • Setting the EtherChannel Port Path Cost, page 6-6 • Setting the EtherChannel VLAN Cost, page 6-6 •...
  • Page 102: Setting The Etherchannel Port Path Cost

    Chapter 6 Configuring EtherChannel Configuring EtherChannel Setting the EtherChannel Port Path Cost To set the EtherChannel port path cost, perform this task in privileged mode: Step 1 Use the administrative group number to display the EtherChannel ID. Command: show channel group admin_group
  • Page 103 Chapter 6 Configuring EtherChannel Configuring EtherChannel The set channel vlancost command creates a “set spantree portvlancost” entry to the configuration file for each port in the channel. Once you have entered the set channel vlancost command, you must enter the set spantree portvlancost command for at least one port in the channel, specifying the VLAN or VLANs that you want associated with each port.
  • Page 104: Configuring Etherchannel Frame Distribution

    Chapter 6 Configuring EtherChannel Configuring EtherChannel Configuring EtherChannel Frame Distribution To configure EtherChannel frame distribution, perform this task in privileged mode: Task: Configure EtherChannel frame distribution. Command: set port channel all distribution {ip | mac} [source | destination | both] or set port channel all distribution {session} [both] Note: The set port channel all distribution session command option is supported on Supervisor Engine 2...
  • Page 105: Disabling An Etherchannel

    Chapter 6 Configuring EtherChannel Configuring EtherChannel This example shows how to display the outgoing port for the specified source and destination IP addresses: Console> (enable) show channel hash 808 172.20.32.10 172.20.32.66 Selected channel port:2/17 Console> (enable) Disabling an EtherChannel To disable an EtherChannel, perform this task in privileged mode: Task Command Disable an EtherChannel.
  • Page 107: Chapter 7 Configuring Ieee 802.1Q Tunneling

    CHAPTER 7 Configuring IEEE 802.1Q Tunneling This chapter describes how to configure IEEE 802.1Q tunneling on the Catalyst 6000 family switches. This chapter consists of these sections: • Understanding How 802.1Q Tunneling Works, page 7-1 • 802.1Q Tunneling Configuration Guidelines, page 7-2 •...
  • Page 108: 802.1Q Tunneling Configuration Guidelines

    Configure the 802.1Q trunk port on an asymmetrical link with the nonegotiate dot1q trunking keywords. • On an asymmetrical link, the Cisco Discovery Protocol (CDP) reports a native VLAN mismatch if the VLAN of the tunnel port does not match the native VLAN of the 802.1Q trunk. The 802.1Q tunnel feature does not require that the VLANs match.
  • Page 109: Configuring Support For 802.1Q Tunneling

    Chapter 7 Configuring IEEE 802.1Q Tunneling Configuring Support for 802.1Q Tunneling • VLAN Trunk Protocol (VTP) does not work between the following devices: – Devices connected by an asymmetrical link – Devices communicating through a tunnel Note: To configure an EtherChannel as an asymmetrical link, all ports in the EtherChannel must have the same tunneling configuration.
  • Page 110: Configuring 802.1Q Tunnel Ports

    Chapter 7 Configuring IEEE 802.1Q Tunneling Configuring Support for 802.1Q Tunneling This example shows how to configure tunneling on the switch and verify the configuration: Console> (enable) set dot1q-all-tagged enable Dot1q tagging is enabled Console> (enable) show dot1q-all-tagged Dot1q all tagged mode enabled Console>...
  • Page 111 Chapter 7 Configuring IEEE 802.1Q Tunneling Configuring Support for 802.1Q Tunneling To remove global support for 802.1Q tunneling on the switch, perform this task in privileged mode: Step 1 Remove tunneling support on the switch. Command: set dot1q-all-tagged disable [all] Step 2 Verify the configuration.
  • Page 113 Catalyst 6000 Family Command Reference publication. Understanding How Spanning Tree Protocols Work This section describes the specific functions that are common to all spanning tree protocols. Cisco’s proprietary spanning tree protocols, PVST+ and MISTP, are based on IEEE 802.1D STP. (See the “Understanding PVST+ and MISTP Modes”...
  • Page 114: Understanding How Spanning Tree Protocols Work

    Chapter 8 Configuring Spanning Tree Understanding How Spanning Tree Protocols Work The Spanning Tree Protocol (STP) uses a distributed algorithm that selects one bridge of a redundantly connected network as the root of a spanning tree connected active topology. STP assigns roles to each port depending on what the port’s function is in the active topology.
  • Page 115: Understanding How A Switch Becomes The Root Switch

    Chapter 8 Configuring Spanning Tree Understanding How Spanning Tree Protocols Work In a switched network, the root switch is the logical center of the spanning tree topology. A spanning tree protocol uses BPDUs to elect the root switch and root port for the switched network, as well as the root port and designated port for each switched segment.
  • Page 116: Calculating And Assigning Port Costs

    Chapter 8 Configuring Spanning Tree Understanding How Spanning Tree Protocols Work The switch sends configuration BPDUs to communicate and compute the spanning tree topology. A MAC frame conveying a BPDU carries the switch group address in the destination address field. All switches connected to the LAN on which the frame is transmitted receive the BPDU.
  • Page 117: Spanning Tree Port States

    Chapter 8 Configuring Spanning Tree Understanding How Spanning Tree Protocols Work Calculating the Port Cost Using the Long Method 802.1t assigns 32-bit (long) default port cost values to each port using a formula that is based on the bandwidth of the port. You can also manually assign port costs between 1 and 200,000,000. The formula for obtaining default 32-bit port costs is to divide the bandwidth of the port by 200,000,000.
  • Page 118 Chapter 8 Configuring Spanning Tree Understanding How Spanning Tree Protocols Work At any given time, each port on a switch using a spanning tree protocol is in one of these states: • Blocking • Listening • Learning • Forwarding • Disabled •...
  • Page 119: Blocking State

    Chapter 8 Configuring Spanning Tree Understanding How Spanning Tree Protocols Work Blocking State A port in the blocking state does not participate in frame forwarding (see Figure 8-3). After initialization, a BPDU is sent to each port in the switch. A switch initially assumes it is the root until it exchanges BPDUs with other switches.
  • Page 120: Learning State

    Chapter 8 Configuring Spanning Tree Understanding How Spanning Tree Protocols Work Figure 8-4 Port 2 in Listening State (figure showing Port 1, Port 2, the filtering database, the system module, and the flows of segment frames, BPDUs, data frames, and network management frames between them)...
  • Page 121 Chapter 8 Configuring Spanning Tree Understanding How Spanning Tree Protocols Work • Receives, processes, and transmits BPDUs received from the system module. • Receives and responds to network management messages. Figure 8-5 Port 2 in Learning State (figure with the same layout as Figure 8-4, with Port 2 in the learning state)...
  • Page 122: Forwarding State

    Chapter 8 Configuring Spanning Tree Understanding How Spanning Tree Protocols Work Forwarding State A port in the forwarding state forwards frames, as shown in Figure 8-6. The port enters the forwarding state from the learning state. Figure 8-6 Port 2 in Forwarding State (figure with the same layout as Figure 8-4, with Port 2 in the forwarding state)...
  • Page 123: Understanding Pvst+ And Mistp Modes

    Chapter 8 Configuring Spanning Tree Understanding PVST+ and MISTP Modes Disabled State A port in the disabled state does not participate in frame forwarding or STP, as shown in Figure 8-7. A port in the disabled state is virtually nonoperational. Figure 8-7 Port 2 in Disabled State (figure with the same layout as Figure 8-4, with Port 2 in the disabled state)...
  • Page 124: Pvst+ Mode

    Chapter 8 Configuring Spanning Tree Understanding PVST+ and MISTP Modes An overview of each mode is provided in this section. Each mode is described in detail in these sections: • Using PVST+, page 8-15 • Using MISTP-PVST+ or MISTP, page 8-22 •...
  • Page 125: Mistp-Pvst+ Mode

    Chapter 8 Configuring Spanning Tree Bridge Identifiers MISTP-PVST+ Mode MISTP-PVST+ is a transition spanning tree mode that allows you to use the MISTP functionality on Catalyst 6000 family switches while continuing to communicate with Catalyst 5000 and 6000 switches in your network that use PVST+. A switch using PVST+ mode that is connected to a switch using MISTP mode cannot see the BPDUs of the other switch, a condition that can cause loops in the network.
  • Page 126 ID. Note: The MAC address reduction feature is enabled by default on Cisco switches that have 64 MAC addresses (Cisco 7606, CISCO7603, WS-C6503, and WS-C6513).
  • Page 127: Using Pvst+

    Chapter 8 Configuring Spanning Tree Using PVST+ Using PVST+ PVST+ is the default spanning tree mode for Catalyst 6000 family switches. These sections describe how to configure PVST+ on Ethernet VLANs: • Default PVST+ Configuration, page 8-15 • Setting the PVST+ Bridge ID Priority, page 8-16 •...
  • Page 128: Setting The Pvst+ Bridge Id Priority

    Chapter 8 Configuring Spanning Tree Using PVST+ Setting the PVST+ Bridge ID Priority The bridge ID priority is the priority of a VLAN when the switch is in PVST+ mode. When the switch is in PVST+ mode without MAC address reduction enabled, you can enter a bridge priority value between 0 and 65535.
  • Page 129: Configuring The Pvst+ Port Cost

    Chapter 8 Configuring Spanning Tree Using PVST+ Designated Root 00-60-70-4c-70-00 Designated Root Priority 16384 Designated Root Cost Designated Root Port Root Max Age 14 sec Hello Time 2 sec Forward Delay 10 sec Bridge ID MAC ADDR 00-d0-00-4c-18-00 Bridge ID Priority 32769 (bridge priority: 32768, sys ID ext: 1) Bridge Max Age 20 sec Hello Time 2 sec...
  • Page 130: Configuring The Pvst+ Port Priority

    Chapter 8 Configuring Spanning Tree Using PVST+ not-connected 32 disabled Configuring the PVST+ Port Priority You can configure the port priority of switch ports in PVST+ mode. The port with the lowest priority value forwards frames for all VLANs. The possible port priority value is 0–63. The default is 32. If all ports have the same priority value, the port with the lowest port number forwards frames.
  • Page 131: Configuring The Pvst+ Port Cost For A Vlan

    Chapter 8 Configuring Spanning Tree Using PVST+ EtherChannel computes the cost of a bundle using the formula, – AVERAGE_COST/NUM_PORT The default port cost mode is set to short in PVST+ mode. For port speeds of 10 Gb and greater, the default port cost mode must be set to long.
  • Page 132: Configuring The Pvst+ Port Priority For A Vlan

    Chapter 8 Configuring Spanning Tree Using PVST+ Configuring the PVST+ Port Priority for a VLAN When the switch is in PVST+ mode, you can set the port priority for a trunking port in a VLAN. The port with the lowest priority value for a specific VLAN forwards frames for that VLAN. The possible port priority range is 0–63.
  • Page 133 Chapter 8 Configuring Spanning Tree Using PVST+ Caution: Do not disable spanning tree on a VLAN unless all switches or routers in the VLAN have spanning tree disabled. You cannot disable spanning tree on some switches or routers in a VLAN and leave spanning tree enabled on other switches or routers in the VLAN.
  • Page 134: Using Mistp-Pvst+ Or Mistp

    Chapter 8 Configuring Spanning Tree Using MISTP-PVST+ or MISTP To disable PVST+, perform this task in privileged mode: Task: Disable PVST+ mode on a VLAN. Command: set spantree disable vlans [all] This example shows how to disable PVST+ on a VLAN: Console>...
  • Page 135: Default Mistp And Mistp-Pvst+ Configuration

    Chapter 8 Configuring Spanning Tree Using MISTP-PVST+ or MISTP Default MISTP and MISTP-PVST+ Configuration Table 8-4 shows the default MISTP and MISTP-PVST+ configuration. Table 8-4 MISTP and MISTP-PVST+ Default Configuration: Enable state: Disabled until a VLAN is mapped to an MISTP instance; MAC address reduction: Disabled; Bridge priority:...
  • Page 136 Chapter 8 Configuring Spanning Tree Using MISTP-PVST+ or MISTP To change from PVST+ to MISTP-PVST+ or MISTP, perform this task in privileged mode: Task: Set a spanning tree mode. Command: set spantree mode {mistp | pvst+ | mistp-pvst+} This example shows how to set a switch to MISTP-PVST+ mode: Console>...
  • Page 137: Configuring An Mistp Instance

    Chapter 8 Configuring Spanning Tree Using MISTP-PVST+ or MISTP Configuring an MISTP Instance These sections describe how to configure MISTP instances: • Configuring the MISTP Bridge ID Priority, page 8-25 • Configuring the MISTP Port Cost, page 8-26 • Configuring the MISTP Port Priority, page 8-26 •...
  • Page 138 Chapter 8 Configuring Spanning Tree Using MISTP-PVST+ or MISTP Configuring the MISTP Port Cost You can configure the port cost of switch ports. The ports with lower port costs are more likely to be chosen to forward frames. Assign lower numbers to ports that are attached to faster media (such as full duplex) and higher numbers to ports that are attached to slower media.
  • Page 139 Chapter 8 Configuring Spanning Tree Using MISTP-PVST+ or MISTP This example shows how to configure the port priority and verify the configuration: Console> (enable) set spantree portpri 2/12 40 Bridge port 2/12 port priority set to 40. Console> (enable) show spantree mistp-instance 1 Instance 1 Spanning tree mode MISTP-PVST+...
  • Page 140: Enabling An Mistp Instance

    Chapter 8 Configuring Spanning Tree Using MISTP-PVST+ or MISTP To configure the port instance priority on an MISTP instance, perform this task in privileged mode: Task: Configure the port instance priority on an MISTP instance. Command: set spantree portinstancepri {mod/port} priority [instances] This example shows how to configure the port instance priority on an MISTP instance and verify the configuration:...
  • Page 141: Mapping Vlans To An Mistp Instance

    Chapter 8 Configuring Spanning Tree Using MISTP-PVST+ or MISTP Mapping VLANs to an MISTP Instance When you are using MISTP-PVST+ or MISTP on a switch, you must map at least one VLAN to an MISTP instance in order for MISTP-PVST+ or MISTP to be active. These sections describe how to configure MISTP instances: • Determining MISTP Instances—VLAN Mapping Conflicts, page 8-30 •...
  • Page 142 Chapter 8 Configuring Spanning Tree Using MISTP-PVST+ or MISTP 2/12 forwarding 22222222 40 disabled 0 Determining MISTP Instances—VLAN Mapping Conflicts A VLAN can only be mapped to one MISTP instance. If you attempt to map a VLAN to more than one instance, all of its ports are set to blocking mode.
  • Page 143: Disabling Mistp-Pvst+ Or Mistp

    Chapter 8 Configuring Spanning Tree Configuring a Root Switch Disabling MISTP-PVST+ or MISTP When the switch is in MISTP mode, you disable spanning tree on an instance, not for the whole switch. When you disable spanning tree on an MISTP instance, the instance still exists on the switch, all of the VLANs mapped to it have all of their ports forwarding, and the instance BPDUs are flooded.
  • Page 144: Configuring A Secondary Root Switch

    Chapter 8 Configuring Spanning Tree Configuring a Root Switch Task: Configure a switch as the primary root switch. Command: set spantree root [vlans] [dia network_diameter] [hello hello_time] This example shows how to configure the primary root switch for VLANs 1–10: Console>...
  • Page 145: Configuring A Root Switch To Improve Convergence

    Chapter 8 Configuring Spanning Tree Configuring a Root Switch To configure a switch as the secondary root switch for an instance, perform this task in privileged mode: Task: Configure a switch as the secondary root switch for an instance. Command: set spantree root [secondary] mistp-instance
  • Page 146: Using Root Guard-Preventing Switches From Becoming Root

    Chapter 8 Configuring Spanning Tree Configuring a Root Switch learning before reaching the forwarding state. For information about PortFast, see the “Understanding How PortFast Works” section on page 9-2 in Chapter 9, “Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard.” To configure the spanning tree parameters to improve convergence, perform this task in privileged mode: Task...
  • Page 147: Configuring Spanning Tree Timers

    Chapter 8 Configuring Spanning Tree Configuring Spanning Tree Timers To prevent switches from becoming root, perform this task in privileged mode: Step 1 Enable root guard on a port. Command: set spantree guard {root | none} mod/port Step 2 Verify that root guard is enabled.
  • Page 148: Configuring The Forward Delay Time

    Chapter 8 Configuring Spanning Tree Configuring Spanning Tree Timers To configure the spanning tree bridge hello time for a VLAN or an MISTP instance, perform this task in privileged mode: Step 1 Configure the hello time for a VLAN or an MISTP instance. Command: set spantree hello interval [vlan] mistp-instance
  • Page 149: Understanding How Bpdu Skewing Works

    Chapter 8 Configuring Spanning Tree Understanding How BPDU Skewing Works To configure the spanning tree maximum aging time for a VLAN or an instance, perform this task in privileged mode: Step 1 Configure the maximum aging time for a VLAN or an MISTP instance. Command: set spantree maxage agingtime [vlans]
  • Page 150: Configuring Bpdu Skewing

    Chapter 8 Configuring Spanning Tree Configuring BPDU Skewing Configuring BPDU Skewing Commands that support the spanning tree BPDU skewing feature perform these functions: • Allow you to enable or disable BPDU skewing. The default is disabled. • Modify the show spantree summary output to show if the skew detection is enabled and for which...
  • Page 151 Chapter 8 Configuring Spanning Tree Configuring BPDU Skewing This example shows how to configure BPDU skewing for VLAN 1 on module 8, port 2 and view the skewing statistics: Console> (enable) show spantree bpdu-skewing 1 8/4 Bpdu skewing statistics for vlan 1 Port Last Skew ms Worst Skew ms...
  • Page 153 CHAPTER 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard This chapter describes how to configure the spanning tree PortFast, UplinkFast, BackboneFast, and loop guard features on the Catalyst 6000 family switches. Note: For information on configuring the Spanning Tree Protocol (STP), see Chapter 8, “Configuring Spanning Tree.”...
  • Page 154: Understanding How Portfast Works

    Chapter 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard Understanding How PortFast Works Understanding How PortFast Works PortFast causes a spanning tree port to immediately enter the forwarding state, bypassing the listening and learning states. You can use PortFast on switch ports connected to a single workstation or server to allow those devices to connect to the network immediately, rather than waiting for spanning tree to converge.
  • Page 155: Understanding How Uplinkfast Works

    Chapter 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard Understanding How UplinkFast Works Understanding How UplinkFast Works UplinkFast provides fast convergence after a spanning tree topology change and achieves load balancing between redundant links using uplink groups. An uplink group is a set of ports (per VLAN), only one of which is forwarding at any given time.
  • Page 156: Understanding How Backbonefast Works

    Chapter 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard Understanding How BackboneFast Works Understanding How BackboneFast Works BackboneFast is initiated when a root port or blocked port on a switch receives inferior BPDUs from its designated bridge. An inferior BPDU identifies one switch as both the root bridge and the designated bridge.
  • Page 157: Understanding How Loop Guard Works

    Chapter 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard Understanding How Loop Guard Works Figure 9-4 BackboneFast Example After Indirect Link Failure (figure: Switch A, Switch B (Root), and Switch C; after the link failure, BackboneFast transitions the port through the listening and learning states to the forwarding state). If a new switch is introduced into a shared-medium topology, BackboneFast is not activated.
  • Page 158 Chapter 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard Understanding How Loop Guard Works You can enable loop guard on a per-port basis. When you enable loop guard, it is automatically applied to all of the active instances or VLANs to which that port belongs. When you disable loop guard, it is disabled for the specified ports.
  • Page 159: Configuring Portfast

    Chapter 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard Configuring PortFast • Root guard forces a port to be always designated as the root port. Loop guard is effective only if the port is a root port or an alternate port. You cannot enable loop guard and root guard on a port at the same time.
  • Page 160: Enabling Portfast

    Chapter 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard Configuring PortFast Enabling PortFast Caution: Use PortFast only when you connect a single end station to a switch port; otherwise, you might create a network loop. To enable PortFast on a switch port, perform this task in privileged mode: Task Command Step 1...
  • Page 161: Configuring Portfast Bpdu Guard

    Chapter 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard Configuring PortFast BPDU Guard Configuring PortFast BPDU Guard These sections describe how to configure PortFast BPDU guard on the switch: • Enabling PortFast BPDU Guard, page 9-9 • Disabling PortFast BPDU Guard, page 9-10 •...
  • Page 162: Disabling Portfast Bpdu Guard

    Chapter 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard Configuring PortFast BPDU Guard 1003 1005 Blocking Listening Learning Forwarding STP Active ----- -------- --------- -------- ---------- ---------- Total Console> (enable) Disabling PortFast BPDU Guard To disable PortFast BPDU guard on the switch, perform this task in privileged mode: Task Command Step 1...
  • Page 163: Configuring Portfast Bpdu Filter

    Chapter 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard Configuring PortFast BPDU Filter 1003 1005 Blocking Listening Learning Forwarding STP Active ----- -------- --------- -------- ---------- ---------- Total Console> (enable) Configuring PortFast BPDU Filter These sections describe how to configure PortFast BPDU filter on the switch: • Enabling PortFast BPDU Filter, page 9-11 •...
  • Page 164: Disabling Portfast Bpdu Filter

    Chapter 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard Configuring PortFast BPDU Filter Vlan Blocking Listening Learning Forwarding STP Active ----- -------- --------- -------- ---------- ---------- 1003 1005 Blocking Listening Learning Forwarding STP Active ----- -------- --------- -------- ---------- ---------- Total Console>...
  • Page 165: Configuring Uplinkfast

    Chapter 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard Configuring UplinkFast 1003 1005 Blocking Listening Learning Forwarding STP Active ----- -------- --------- -------- ---------- ---------- Total Console> (enable) Configuring UplinkFast You can configure UplinkFast for PVST+ or for Multi-Instance Spanning Tree Protocol (MISTP). The command is the same but the output may be slightly different.
  • Page 166: Disabling Uplinkfast

    Chapter 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard Configuring UplinkFast Console> (enable) show spantree uplinkfast 1 100 521-524 Station update rate set to 15 packets/100ms. uplinkfast all-protocols field set to off. VLAN port list ----------------------------------------------- 1/1(fwd),1/2 1/2(fwd) 1/1(fwd),1/2 1/1(fwd),1/2 1/1(fwd),1/2...
  • Page 167: Configuring Backbonefast

    Chapter 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard Configuring BackboneFast To disable UplinkFast on the switch, perform this task in privileged mode: Task Command Step 1 Disable UplinkFast on the switch. set spantree uplinkfast disable Step 2 Verify that UplinkFast is disabled.
  • Page 168: Displaying Backbonefast Statistics

    Chapter 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard Configuring BackboneFast This example shows how to enable BackboneFast on the switch and how to verify the configuration: Console> (enable) set spantree backbonefast enable Backbonefast enabled for all VLANs Console>...
  • Page 169: Configuring Loop Guard

    Chapter 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard Configuring Loop Guard Configuring Loop Guard These sections describe how to configure loop guard: • Enabling Loop Guard, page 9-17 • Disabling Loop Guard, page 9-17 Enabling Loop Guard Use the set spantree guard command to enable or disable the spanning tree loop guard feature on a per-port basis.
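The BPDU guard and BPDU filter procedures above only show the `set spantree portfast bpdu-guard` and `bpdu-filter` steps; what a practitioner usually wants to see is the decision the switch makes when a BPDU actually arrives on an access port. The following is an added example, not code from the Cisco guide: it decodes an IEEE 802.1D configuration BPDU from raw bytes and applies the PortFast guard/filter policy, flagging a BPDU that advertises a better root than the current one (the root-takeover case that BPDU guard on host ports is meant to stop). Port names, MAC addresses and the sample BPDUs are constructed for the demo.

```python
"""Added example (not from the Cisco guide): decode 802.1D configuration BPDUs
and apply the PortFast BPDU guard / BPDU filter decision described in Chapter 9.
Port names, MAC addresses and the sample frames are constructed for the demo."""
import struct
from dataclasses import dataclass

# IEEE 802.1D configuration BPDU: the 35 bytes that follow the LLC header.
# protocol id, version, type, flags, root id, root path cost, bridge id,
# port id, message age, max age, hello time, forward delay
_BPDU_FMT = ">HBBB8sI8sHHHHH"
_BPDU_LEN = struct.calcsize(_BPDU_FMT)  # 35


def parse_bridge_id(raw: bytes) -> tuple:
    """Bridge ID = 2-byte priority + 6-byte MAC; the numerically lowest wins root."""
    priority = struct.unpack(">H", raw[:2])[0]
    mac = ":".join(f"{b:02x}" for b in raw[2:8])
    return priority, mac


def parse_bpdu(body: bytes) -> dict:
    """Decode a configuration BPDU, rejecting anything that is not one."""
    if len(body) < _BPDU_LEN:
        raise ValueError(f"BPDU too short: {len(body)} bytes")
    (proto, version, btype, flags, root, cost, bridge, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack(_BPDU_FMT, body[:_BPDU_LEN])
    if proto != 0 or btype != 0:
        raise ValueError("not an 802.1D configuration BPDU")
    return {
        "version": version,
        "topology_change": bool(flags & 0x01),
        "root": parse_bridge_id(root),
        "root_path_cost": cost,
        "bridge": parse_bridge_id(bridge),
        "port_id": port_id,
        # timer fields are carried in units of 1/256 second
        "message_age": msg_age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd_delay / 256,
    }


def build_bpdu(root_prio: int, root_mac: str, bridge_prio: int, bridge_mac: str,
               cost: int = 0, port_id: int = 0x8001) -> bytes:
    """Encode a configuration BPDU; used here only to construct sample input."""
    def bridge_id(prio, mac):
        return struct.pack(">H", prio) + bytes.fromhex(mac.replace(":", ""))
    return struct.pack(_BPDU_FMT, 0, 0, 0, 0, bridge_id(root_prio, root_mac), cost,
                       bridge_id(bridge_prio, bridge_mac), port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)   # default 802.1D timers


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpdu_guard: bool = False
    bpdu_filter: bool = False
    errdisabled: bool = False


def receive_bpdu(port: Port, body: bytes, current_root: tuple) -> str:
    """What the switch does with a BPDU that arrives on `port`.

    PortFast + BPDU guard: the port is put into errdisable. PortFast + BPDU
    filter: the BPDU is dropped silently. Otherwise the BPDU is processed, and
    one advertising a better root than the current root is flagged, since that
    is how a rogue device on an access port takes over as root bridge.
    """
    if port.errdisabled:
        return "ignored: port is errdisabled"
    if port.portfast and port.bpdu_filter:
        return "dropped: PortFast BPDU filter"
    bpdu = parse_bpdu(body)
    if port.portfast and port.bpdu_guard:
        port.errdisabled = True
        return f"errdisable: BPDU from {bpdu['bridge'][1]} on PortFast port {port.name}"
    if bpdu["root"] < current_root:
        return f"superior BPDU: {bpdu['root']} claims root on {port.name}"
    return "accepted"


# Constructed sample data: the real root (priority 32768) and a host-facing port
# that suddenly advertises itself as root with priority 0.
LEGIT_ROOT = (32768, "00:00:0c:12:34:56")
ROGUE_BPDU = build_bpdu(0, "00:00:0c:aa:bb:cc", 0, "00:00:0c:aa:bb:cc")
ROOT_BPDU = build_bpdu(32768, "00:00:0c:12:34:56", 32768, "00:00:0c:12:34:56")

if __name__ == "__main__":
    access = Port("3/1", portfast=True, bpdu_guard=True)
    uplink = Port("1/1")
    print(receive_bpdu(access, ROGUE_BPDU, LEGIT_ROOT))   # errdisable
    print(receive_bpdu(uplink, ROGUE_BPDU, LEGIT_ROOT))   # superior BPDU
    print(receive_bpdu(uplink, ROOT_BPDU, LEGIT_ROOT))    # accepted
```

The uplink case is the one to watch: without BPDU guard the rogue BPDU is merely "superior" and the switch would re-elect root, so the guard belongs on every PortFast host port, and the errdisable event is worth alerting on.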
  • Page 171: Configuring Vtp

    C H A P T E R Configuring VTP This chapter describes how to configure the VLAN Trunking Protocol (VTP) on the Catalyst 6000 family switches. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 172: Understanding The Vtp Domain

    Chapter 10 Configuring VTP Understanding How VTP Works Understanding the VTP Domain A VTP domain (also called a VLAN management domain) is made up of one or more interconnected switches that share the same VTP domain name. A switch can be configured to be in one and only one VTP domain.
  • Page 173: Understanding Vtp Version

    Chapter 10 Configuring VTP Understanding How VTP Works • VTP domain name • VTP configuration revision number • VLAN configuration, including the maximum transmission unit (MTU) size for each VLAN • Frame format Understanding VTP Version 2 If you use VTP in your network, you must decide whether to use VTP version 1 or version 2. If you are using VTP in a Token Ring environment, you must use version 2.
  • Page 174 Chapter 10 Configuring VTP Understanding How VTP Works Figure 10-1 shows a switched network without VTP pruning enabled. Port 1 on Switch 1 and port 2 on Switch 4 are assigned to the Red VLAN. A broadcast is sent from the host connected to Switch 1. Switch 1 floods the broadcast and every switch in the network receives it, even though Switches 3, 5, and 6 have no ports in the Red VLAN.
  • Page 175: Default Vtp Configuration

    Chapter 10 Configuring VTP Default VTP Configuration Default VTP Configuration Table 10-1 shows the default VTP configuration. Table 10-1 VTP Default Configuration (Feature: Default Value) VTP domain name: Null; VTP mode: Server; VTP version 2 enable state: Version 2 is disabled; VTP password: None; VTP pruning...
  • Page 176: Configuring A Vtp Server

    Chapter 10 Configuring VTP Configuring VTP Configuring VTP These sections describe how to configure VTP: • Configuring a VTP Server, page 10-6 • Configuring a VTP Client, page 10-6 • Disabling VTP (VTP Transparent Mode), page 10-7 • Enabling VTP Version 2, page 10-8 •...
  • Page 177: Disabling Vtp (Vtp Transparent Mode)

    Chapter 10 Configuring VTP Configuring VTP To configure the switch as a VTP client, perform this task in privileged mode: Step 1 Define the VTP domain name: set vtp domain name. Step 2 Place the switch in VTP client mode: set vtp mode client. Step 3 Verify the VTP configuration.
  • Page 178: Enabling Vtp Version 2

    Chapter 10 Configuring VTP Configuring VTP This example shows how to configure the switch as VTP transparent and verify the configuration: Console> (enable) set vtp mode transparent VTP domain Lab_Net modified Console> (enable) show vtp domain Domain Name Domain Index VTP Version Local Mode Password -------------------------------- ------------ ----------- ----------- ---------- Lab_Net...
  • Page 179: Disabling Vtp Version 2

    Chapter 10 Configuring VTP Configuring VTP Disabling VTP Version 2 To disable VTP version 2, perform this task in privileged mode: Task Command Step 1 Disable VTP version 2. set vtp v2 disable Step 2 Verify that VTP version 2 is disabled. show vtp domain This example shows how to disable VTP version 2: Console>...
  • Page 180: Disabling Vtp Pruning

    Chapter 10 Configuring VTP Configuring VTP Console> (enable) show vtp domain Domain Name Domain Index VTP Version Local Mode Password -------------------------------- ------------ ----------- ----------- ---------- Lab_Network server Vlan-count Max-vlan-storage Config Revision Notifications ---------- ---------------- --------------- ------------- 1023 disabled Last Updater V2 Mode Pruning PruneEligible on Vlans...
  • Page 181 Chapter 10 Configuring VTP Configuring VTP This example shows how to display VTP statistics on the switch: Console> (enable) show vtp statistics VTP statistics: summary advts received 4690 subset advts received request advts received summary advts transmitted 4397 subset advts transmitted request advts transmitted No of config revision errors No of config digest errors...
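The VTP chapter above lists the defaults (null domain, server mode, no password) and the statistics counters for configuration revision and digest errors, but not what a received advertisement does to the switch. The following is an added example, not code from the Cisco guide: it decodes a VTP summary advertisement (the published 72-byte layout: version, code, followers, domain-name length, domain name, configuration revision, updater identity, update timestamp, MD5 digest) and works out the effect on a switch in each VTP mode. The `Lab_Net` domain name is the chapter's own; the IP addresses, revision numbers and the `expected_digest` argument (a stand-in for the digest the switch recomputes from the received VLAN data and its password) are constructed for the demo, and the class and function names are this example's own.

```python
"""Added example (not from the Cisco guide): decode VTP summary advertisements and
work out what one would do to a switch in each VTP mode. The 72-byte layout is the
published VTP version 1/2 summary advertisement; IP addresses, revision numbers and
the expected-digest argument are constructed for this demo."""
import struct
from dataclasses import dataclass

# version, code (1 = summary), followers, domain-name length, 32-byte zero-padded
# domain name, configuration revision, updater identity (IPv4), 12-byte update
# timestamp, 16-byte MD5 digest over the VLAN database and the VTP password
_SUMMARY_FMT = ">BBBB32sI4s12s16s"
_SUMMARY_LEN = struct.calcsize(_SUMMARY_FMT)  # 72


@dataclass(frozen=True)
class VtpSummary:
    version: int
    followers: int
    domain: str
    revision: int
    updater: str
    timestamp: str
    digest: bytes


def parse_summary(payload: bytes) -> VtpSummary:
    if len(payload) < _SUMMARY_LEN:
        raise ValueError(f"summary advertisement too short: {len(payload)} bytes")
    (version, code, followers, dlen, name, revision,
     updater, ts, digest) = struct.unpack(_SUMMARY_FMT, payload[:_SUMMARY_LEN])
    if code != 1:
        raise ValueError(f"VTP code {code} is not a summary advertisement")
    if dlen > 32:
        raise ValueError("domain name length exceeds the 32-byte field")
    return VtpSummary(version, followers, name[:dlen].decode("ascii"), revision,
                      ".".join(str(b) for b in updater), ts.decode("ascii", "replace"), digest)


def build_summary(version: int, domain: str, revision: int, updater: str,
                  digest: bytes = b"\x00" * 16, followers: int = 0,
                  timestamp: str = "930301000000") -> bytes:
    """Encode a summary advertisement; used here only to construct sample input."""
    name = domain.encode("ascii")
    return struct.pack(_SUMMARY_FMT, version, 1, followers, len(name), name.ljust(32, b"\x00"),
                       revision, bytes(int(o) for o in updater.split(".")),
                       timestamp.encode("ascii"), digest)


@dataclass
class LocalVtp:
    domain: str          # "" is the null domain, the Table 10-1 default
    mode: str            # server | client | transparent
    revision: int
    password_set: bool


def evaluate(local: LocalVtp, adv: VtpSummary, expected_digest: bytes = None) -> str:
    """Effect of `adv` on `local`. `expected_digest` stands in for the digest the
    switch recomputes from the received VLAN data and its own password (simplification)."""
    if local.mode == "transparent":
        return "forwarded only: transparent switches keep their own VLAN database"
    if local.domain == "":
        return f"ADOPT DOMAIN: a null-domain switch joins '{adv.domain}' from the first advertisement it hears"
    if adv.domain != local.domain:
        return "ignored: different VTP domain"
    if local.password_set and adv.digest != expected_digest:
        return "rejected: config digest error (VTP password mismatch)"
    if adv.revision > local.revision:
        note = "" if local.password_set else " (no VTP password, so any device on a trunk can do this)"
        return (f"OVERWRITE: revision {adv.revision} > local {local.revision}; "
                f"the VLAN database is replaced by the subset advertisements that follow{note}")
    if adv.revision == local.revision:
        return "in sync"
    return "ignored: stale revision"


# Constructed sample: a switch that sat in another lab comes back with a higher revision.
STALE_SWITCH_ADV = build_summary(2, "Lab_Net", 57, "10.1.1.9")

if __name__ == "__main__":
    adv = parse_summary(STALE_SWITCH_ADV)
    for mode in ("server", "client", "transparent"):
        print(mode, "->", evaluate(LocalVtp("Lab_Net", mode, 12, False), adv))
```

The "OVERWRITE" path is why the transparent-mode procedure and the VTP password matter: a server or client with the default null domain and no password will adopt the first domain it hears and then accept any higher configuration revision, deleting VLANs (and silently killing their ports) across the domain.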
  • Page 183: Configuring Vlans

    C H A P T E R Configuring VLANs This chapter describes how to configure VLANs for the Catalyst 6000 family switches. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication. This chapter consists of these sections: • Understanding How VLANs Work, page 11-1 •...
  • Page 184: Understanding How Vlans Work

    Figure 11-1 VLANs as Logically Defined Networks Engineering Marketing Accounting VLAN VLAN VLAN Cisco router Floor 3 Fast Ethernet Floor 2 Floor 1 VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
  • Page 185: Configurable Vlan Parameters

    VLAN ranges (VLAN number: range: usage): 0, 4095: Reserved range: For system use only. You cannot see or use these VLANs. 1: Normal range: Cisco default. You can use this VLAN but you cannot delete it. 2–1000: Normal range: Used for Ethernet VLANs; you can create, use, and delete these VLANs.
  • Page 186: Default Vlan Configuration

    Chapter 11 Configuring VLANs Understanding How VLANs Work • Maximum transmission unit (MTU) for the VLAN • Ring number for FDDI and TrCRF VLANs • Bridge identification number for TrBRF VLANs • Parent VLAN number for TrCRF VLANs • STP type for TrCRF VLANs: IEEE, IBM, or auto •...
  • Page 187: Configuring Normal-Range Vlans

    Chapter 11 Configuring VLANs Configuring Normal-Range VLANs Table 11-2 VLAN Default Configuration (continued) (Feature: Default Value) TrCRF bridge mode: ...; Remote switched port analyzer (RSPAN): Disabled. Configuring Normal-Range VLANs These sections explain how to configure normal-range VLANs 2–1000: • Normal-Range VLAN Configuration Guidelines, page 11-5 •...
  • Page 188: Modifying Normal-Range Vlans

    Chapter 11 Configuring VLANs Configuring Extended-Range VLANs This example shows how to create normal-range VLANs and verify the configuration when the switch is in Per VLAN Spanning Tree + (PVST+) mode: Console> (enable) set vlan 500-520 Vlan 500 configuration successful Vlan 501 configuration successful Vlan 502 configuration successful Vlan 503 configuration successful...
  • Page 189: Extended-Range Vlan Configuration Guidelines

    Chapter 11 Configuring VLANs Configuring Extended-Range VLANs Extended-Range VLAN Configuration Guidelines Follow these guidelines to create extended-range VLANs 1025–4094: • You can only create Ethernet-type VLANs in the extended range. • You must enable MAC address reduction in order to use extended-range VLANs. •...
  • Page 190: Mapping Vlans To Vlans

    If the list of VLANs does not match in both the switches, packet loss might occur. • From non-Cisco devices in your network using VLANs 1006–1024 to nonreserved VLANs on the Catalyst 6000 family switches. • From VLANs on non-Cisco devices on 802.1Q trunks to ISL trunks on the Catalyst 6000 family switches. Note: If you use method 1, you can use extended-range VLANs (1025–4094) on the switch;...
  • Page 191: Mapping Reserved Vlans To Nonreserved Vlans

    Mapping Reserved VLANs to Nonreserved VLANs You can map reserved-range VLANs to any nonreserved VLANs that are not in use. Nonreserved VLANs are any VLANs that are not reserved by Cisco; this includes normal-range and extended-range VLANs. Note: If you have dot1q-to-isl VLAN mappings from a previous Catalyst 6000 family switch software release, you cannot use the mapped VLANs to map reserved VLANs to nonreserved VLANs.
  • Page 192: Deleting Reserved-To-Nonreserved Vlan Mappings

    Mapping 802.1Q VLANs to ISL VLANs Your network might have non-Cisco devices connected to the Catalyst 6000 family switches through 802.1Q trunks or traffic from a non-Cisco switch that has VLANs in the Catalyst 6000 family reserved range, 1002–1024. The valid range of user-configured Inter-Switch Link (ISL) VLANs is 1–1000. The valid range of VLANs specified in the IEEE 802.1Q standard is 0–4095.
  • Page 193: Deleting 802.1Q-To-Isl Vlan Mappings

    Chapter 11 Configuring VLANs Mapping VLANs to VLANs • When you map an 802.1Q VLAN to an ISL VLAN, traffic on the 802.1Q VLAN corresponding to the mapped ISL VLAN is blocked. For example, if you map 802.1Q VLAN 2000 to ISL VLAN 200, traffic on 802.1Q VLAN 200 is blocked.
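The VLAN ranges and the two mapping methods above (reserved-to-nonreserved and 802.1Q-to-ISL) interact in ways that are easy to get wrong on a live trunk, in particular the rule that mapping 802.1Q VLAN 2000 to ISL VLAN 200 blocks 802.1Q VLAN 200. The following is an added example, not code from the Cisco guide: a small model of the ranges and mapping rules from this chapter that can be used to check a proposed mapping before it is typed into the switch. The ranges and rules are the chapter's; the treatment of VLAN 1001 (not listed in any range on this page, so treated as unusable) is an assumption, and the class and method names are this example's own.

```python
"""Added example (not from the Cisco guide): model of the Catalyst 6000 VLAN ranges and
the reserved-to-nonreserved and 802.1Q-to-ISL mapping rules from Chapter 11."""
from dataclasses import dataclass, field

SYSTEM = {0, 4095}                      # reserved for system use; not visible or usable
NORMAL = range(1, 1001)                 # 1 is the Cisco default (cannot be deleted); 2-1000 user VLANs
RESERVED = range(1002, 1025)            # Catalyst 6000 reserved range
MAPPABLE_RESERVED = range(1006, 1025)   # the reserved VLANs non-Cisco devices may be using
EXTENDED = range(1025, 4095)            # Ethernet only; requires MAC address reduction


def classify(vlan: int) -> str:
    if vlan in SYSTEM:
        return "system"
    if vlan in NORMAL:
        return "normal"
    if vlan in RESERVED:
        return "reserved"
    if vlan in EXTENDED:
        return "extended"
    if vlan == 1001:
        return "unusable"   # assumption: 1001 is in none of the ranges the chapter lists
    raise ValueError(f"VLAN {vlan} is outside 0-4095")


@dataclass
class VlanDatabase:
    mac_address_reduction: bool = False
    vlans: set = field(default_factory=lambda: {1})
    reserved_map: dict = field(default_factory=dict)   # reserved VLAN -> nonreserved VLAN
    dot1q_to_isl: dict = field(default_factory=dict)   # 802.1Q VLAN -> ISL VLAN (1-1000)

    def _in_use(self, vlan: int) -> bool:
        return (vlan in self.vlans or vlan in self.reserved_map.values()
                or vlan in self.dot1q_to_isl or vlan in self.dot1q_to_isl.values())

    def create(self, vlan: int) -> None:
        kind = classify(vlan)
        if kind not in ("normal", "extended"):
            raise ValueError(f"VLAN {vlan} is {kind} and cannot be created")
        if kind == "extended" and not self.mac_address_reduction:
            raise ValueError("extended-range VLANs require MAC address reduction")
        if vlan in self.reserved_map.values():
            raise ValueError(f"VLAN {vlan} is already the target of a reserved-VLAN mapping")
        self.vlans.add(vlan)

    def map_reserved(self, reserved: int, target: int) -> None:
        """Map a reserved-range VLAN to an unused normal- or extended-range VLAN."""
        if reserved not in MAPPABLE_RESERVED:
            raise ValueError(f"VLAN {reserved} is not a mappable reserved VLAN (1006-1024)")
        if classify(target) not in ("normal", "extended"):
            raise ValueError(f"target VLAN {target} is not a nonreserved VLAN")
        if self._in_use(target):
            raise ValueError(f"target VLAN {target} is in use or part of another mapping")
        self.reserved_map[reserved] = target

    def map_dot1q_to_isl(self, dot1q: int, isl: int) -> None:
        """Map an 802.1Q VLAN (0-4095) from a non-Cisco device to an ISL VLAN (1-1000)."""
        if not 0 <= dot1q <= 4095:
            raise ValueError("802.1Q VLAN IDs are 0-4095")
        if isl not in NORMAL:
            raise ValueError("ISL VLANs are 1-1000")
        if dot1q in self.dot1q_to_isl or isl in self.dot1q_to_isl.values():
            raise ValueError("VLAN already has a mapping")
        if isl in self.reserved_map.values():
            raise ValueError(f"ISL VLAN {isl} is already used by a reserved-VLAN mapping")
        self.dot1q_to_isl[dot1q] = isl

    def dot1q_ingress(self, tag: int) -> tuple:
        """Where a frame tagged `tag` on an 802.1Q trunk ends up: (action, internal VLAN)."""
        if tag in self.dot1q_to_isl:
            return "forward", self.dot1q_to_isl[tag]
        if tag in self.dot1q_to_isl.values():
            # the internal VLAN number is taken by the mapping, so the same-numbered
            # 802.1Q VLAN is blocked (802.1Q 2000 -> ISL 200 blocks 802.1Q 200)
            return "blocked", None
        if tag in self.reserved_map:
            return "forward", self.reserved_map[tag]
        if classify(tag) in ("system", "reserved", "unusable"):
            return "blocked", None
        if tag in self.vlans:
            return "forward", tag
        return "dropped", None   # no such VLAN on this switch


if __name__ == "__main__":
    db = VlanDatabase()
    db.create(200)
    db.map_dot1q_to_isl(2000, 200)
    for tag in (2000, 200, 1010):
        print(tag, "->", db.dot1q_ingress(tag))
```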
  • Page 194: Assigning Switch Ports To A Vlan

    Chapter 11 Configuring VLANs Assigning Switch Ports to a VLAN Assigning Switch Ports to a VLAN A VLAN created in a management domain remains unused until you assign one or more switch ports to the VLAN. You can create a new VLAN and then specify the module and ports later, or you can create the VLAN and specify the module and ports in a single step.
  • Page 195: Deleting A Vlan

    Chapter 11 Configuring VLANs Deleting a VLAN Deleting a VLAN Follow these guidelines for deleting VLANs: • When you delete a normal-range Ethernet VLAN in VTP server mode, the VLAN is removed from all switches in the VTP domain. • When you delete a normal-range VLAN in VTP transparent mode, the VLAN is deleted only on the...
  • Page 196: Configuring Private Vlans

    Chapter 11 Configuring VLANs Configuring Private VLANs Understanding How Private VLANs Work Private VLANs provide Layer-2 isolation between ports within the same private VLAN on the Catalyst 6000 family switches. Ports belonging to a private VLAN are associated with a common set of supporting VLANs that are used to create the private VLAN structure.
  • Page 197: Private Vlan Configuration Guidelines

    Chapter 11 Configuring VLANs Configuring Private VLANs In an Ethernet-switched environment, you can assign an individual VLAN and associated IP subnet to each individual or common group of stations. The servers only require the ability to communicate with a default gateway to gain access to end points outside the VLAN itself. By incorporating these stations, regardless of ownership, into one private VLAN, you can do the following: Designate the server ports as isolated to prevent any interserver communication at Layer 2.
  • Page 198 Chapter 11 Configuring VLANs Configuring Private VLANs • After you configure a private VLAN, you cannot change the VTP mode to client or server mode, because VTP does not support private VLAN types and mapping propagation. • You can configure VLANs as primary, isolated, or community only if no access ports are currently assigned to the VLAN.
  • Page 199 Chapter 11 Configuring VLANs Configuring Private VLANs Table 11-3 Modules with Ports Listed by ASIC Groups (continued) (Module Number: Description: Ports by ASIC) WS-X6348-RJ-45: 48-port 10/100TX RJ-45: Ports 1–12, Ports 13–24, Ports 25–36, Ports 37–48; WS-X6024-10FL-MT: 24-port 10BASE-FL MT-RJ: Ports 1–12, Ports 13–24. • Isolated and community ports should run BPDU guard features to prevent spanning tree loops due...
  • Page 200: Creating A Primary Private Vlan

    VLAN in order to be applied to all outgoing traffic from the MSFC. • If you map a Cisco IOS ACL to a primary VLAN, the Cisco IOS ACL automatically maps to the associated isolated and community VLANs. You cannot map Cisco IOS ACLs to an isolated or community VLAN.
  • Page 201 Chapter 11 Configuring VLANs Configuring Private VLANs Note: You can bind the isolated, community, or two-way community port(s) and associated isolated, community, or two-way community VLANs to the private VLAN using the set pvlan primary_vlan {isolated_vlan | community_vlan | twoway_community_vlan} mod/port command. Note: Ports do not have to be on the same switch as long as the switches are trunk connected and the private VLAN has not been removed from the trunk.
  • Page 202 Chapter 11 Configuring VLANs Configuring Private VLANs This example shows how to bind VLAN 903 to primary VLAN 7 and assign ports 4/7 through 4/9 as the community ports: Console> (enable) set pvlan 7 903 Successfully set association between 7 and 903. Console>...
  • Page 203: Viewing The Port Capability Of A Private Vlan Port

    Chapter 11 Configuring VLANs Configuring Private VLANs Console> (enable) show pvlan mapping Port Primary Secondary ----- -------- ---------- 901-903 Console> (enable) show port Port Name Status Vlan Duplex Speed Type ----- ------------------ ---------- ---------- ------ ----- ------------ ...truncated output... notconnect 7,901 half 100 100BaseFX MM notconnect 7,902...
  • Page 204: Deleting A Private Vlan

    Chapter 11 Configuring VLANs Configuring Private VLANs
    Console> (enable) show pvlan capability 5/3
    Ports 5/1 - 5/12 are in the same ASIC range as port 5/3.
    Port 5/3 cannot be made a private vlan port due to:
    ------------------------------------------------------
    Conflict with Promiscuous port(s) : 5/2
    Conflict with Trunking port(s) : 5/1
    Console>...
  • Page 205: Deleting A Private Vlan Mapping

    Chapter 11 Configuring VLANs Configuring Private VLANs Deleting a Private VLAN Mapping If you delete the private VLAN mapping, the connectivity breaks between the isolated, community, or two-way community ports and the promiscuous port. If you delete all the mappings on a promiscuous port, the promiscuous port becomes inactive.
  • Page 206: Configuring Fddi Vlans

    Chapter 11 Configuring VLANs Configuring FDDI VLANs You can add or remove private VLAN ARP entries manually as follows:
    obelix-rp(config)# no arp 11.1.3.30
    IP ARP:Deleting Sticky ARP entry 11.1.3.30
    obelix-rp(config)# arp 11.1.3.30 0000.5403.2356 arpa
    IP ARP:Overwriting Sticky ARP entry 11.1.3.30, hw:00d0.bb09.266e by hw:0000.5403.2356
    Some commands clear and recreate private VLAN mapping as follows: •...
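The private VLAN pages above define the port roles (promiscuous, isolated, community), the rule that a VLAN's type can only be changed while no access ports sit in it, and the ASIC-group restriction behind `show pvlan capability` (a port cannot become a private VLAN port if a promiscuous or trunking port shares its ASIC group). The following is an added example, not code from the Cisco guide: a model of those rules that answers the two questions a reviewer asks of a private VLAN design, whether the layout is even configurable on the module, and which port pairs can reach each other at Layer 2. VLAN and port numbers reuse the chapter's examples (primary 7, secondaries 901 and 903, ports 4/7 to 4/9 and 5/1 to 5/3) and the 12-port ASIC groups are from Table 11-3; the class and method names are this example's own.

```python
"""Added example (not from the Cisco guide): model of private VLAN port roles and of
the ASIC-group restriction behind `show pvlan capability` from Chapter 11."""
from dataclasses import dataclass, field

ASIC_GROUP_SIZE = 12   # WS-X6348-RJ-45 and WS-X6024-10FL-MT group ports 1-12, 13-24, ... per ASIC


def asic_group(port: str) -> tuple:
    """'5/3' -> (5, 0): the group shared by ports 5/1 through 5/12."""
    mod, num = (int(x) for x in port.split("/"))
    return mod, (num - 1) // ASIC_GROUP_SIZE


@dataclass
class Switch:
    # port -> (role, vlan): role is access, trunk, promiscuous, isolated or community
    ports: dict = field(default_factory=dict)
    vlan_types: dict = field(default_factory=dict)     # vlan -> primary | isolated | community
    associations: dict = field(default_factory=dict)   # secondary -> primary (set pvlan primary secondary)
    mappings: dict = field(default_factory=dict)       # promiscuous port -> secondaries (set pvlan mapping)

    def set_vlan_type(self, vlan: int, kind: str) -> None:
        """Make a VLAN primary/isolated/community; refused while access ports sit in it."""
        if kind not in ("primary", "isolated", "community"):
            raise ValueError(kind)
        if any(role == "access" and v == vlan for role, v in self.ports.values()):
            raise ValueError(f"VLAN {vlan} still has access ports assigned")
        self.vlan_types[vlan] = kind

    def associate(self, primary: int, secondary: int) -> None:
        if self.vlan_types.get(primary) != "primary":
            raise ValueError(f"VLAN {primary} is not a primary VLAN")
        if self.vlan_types.get(secondary) not in ("isolated", "community"):
            raise ValueError(f"VLAN {secondary} is not an isolated or community VLAN")
        self.associations[secondary] = primary

    def pvlan_capability(self, port: str) -> dict:
        """show pvlan capability: promiscuous and trunking ports in the same ASIC group."""
        group = asic_group(port)
        conflicts = {"promiscuous": [], "trunking": []}
        for other, (role, _) in self.ports.items():
            if other != port and asic_group(other) == group:
                if role == "promiscuous":
                    conflicts["promiscuous"].append(other)
                elif role == "trunk":
                    conflicts["trunking"].append(other)
        return conflicts

    def set_pvlan_port(self, secondary: int, port: str) -> None:
        """set pvlan <primary> <secondary> <mod/port>: make `port` an isolated/community port."""
        if secondary not in self.associations:
            raise ValueError(f"VLAN {secondary} is not bound to a primary VLAN")
        conflicts = self.pvlan_capability(port)
        if conflicts["promiscuous"] or conflicts["trunking"]:
            raise ValueError(f"{port} cannot be made a private vlan port due to: {conflicts}")
        self.ports[port] = (self.vlan_types[secondary], secondary)

    def set_promiscuous(self, port: str, primary: int, secondaries) -> None:
        """set pvlan mapping <primary> <secondaries> <mod/port>."""
        bad = [s for s in secondaries if self.associations.get(s) != primary]
        if bad:
            raise ValueError(f"secondaries {bad} are not bound to primary {primary}")
        self.ports[port] = ("promiscuous", primary)
        self.mappings[port] = set(secondaries)

    def can_talk(self, a: str, b: str) -> bool:
        """Layer 2 reachability between two private VLAN ports."""
        role_a, vlan_a = self.ports[a]
        role_b, vlan_b = self.ports[b]
        if role_a in ("access", "trunk") or role_b in ("access", "trunk"):
            raise ValueError("not a private VLAN port")
        if role_a == "promiscuous" and role_b == "promiscuous":
            return vlan_a == vlan_b
        if role_a == "promiscuous":
            return vlan_b in self.mappings[a]
        if role_b == "promiscuous":
            return vlan_a in self.mappings[b]
        # community ports reach their own community; isolated ports reach nothing else
        return role_a == "community" and vlan_a == vlan_b


if __name__ == "__main__":
    sw = Switch()
    sw.ports["5/1"] = ("trunk", None)
    for vlan, kind in ((7, "primary"), (901, "isolated"), (903, "community")):
        sw.set_vlan_type(vlan, kind)
    sw.associate(7, 901)
    sw.associate(7, 903)
    sw.set_promiscuous("5/2", 7, [901, 903])
    print(sw.pvlan_capability("5/3"))   # conflicts with 5/2 (promiscuous) and 5/1 (trunk)
```

Note that the isolation modelled here is Layer 2 only: the chapter's own sticky ARP and ACL notes exist because traffic between isolated ports can still be relayed by the MSFC once it reaches the promiscuous port, so a VLAN ACL or the MSFC's ACL on the primary VLAN is still needed for full separation.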
  • Page 207: Configuring Token Ring Vlans

    Chapter 11 Configuring VLANs Configuring Token Ring VLANs Note: Catalyst 6000 family switches do not support ISL-encapsulated Token Ring frames. Understanding Token Ring TrBRF VLANs Token Ring Bridge Relay Function (TrBRF) VLANs interconnect multiple Token Ring Concentrator Relay Function (TrCRF) VLANs in a switched Token Ring network (see Figure 11-2).
  • Page 208 Chapter 11 Configuring VLANs Configuring Token Ring VLANs Typically, TrCRFs are undistributed, which means each TrCRF is limited to the ports on a single switch. Multiple undistributed TrCRFs on the same or separate switches can be associated with a single parent TrBRF (see Figure 11-3).
  • Page 209: Token Ring Vlan Configuration Guidelines

    Chapter 11 Configuring VLANs Configuring Token Ring VLANs If the ISL connection between the switches fails, the port in the backup TrCRF on each affected switch automatically becomes active, rerouting traffic between the undistributed TrCRFs through the backup TrCRF. When the ISL connection is reestablished, all but one port in the backup TrCRF is disabled. Figure 11-5 illustrates the backup TrCRF.
  • Page 210: Creating Or Modifying A Token Ring Trcrf Vlan

    Chapter 11 Configuring VLANs Configuring Token Ring VLANs This example shows how to create a new Token Ring TrBRF VLAN and verify the configuration: Console> (enable) set vlan 999 name TrBRF_999 type trbrf bridge a Vlan 999 configuration successful Console> (enable) show vlan 999 VLAN Name Status IfIndex Mod/Ports, Vlans...
  • Page 211 Chapter 11 Configuring VLANs Configuring Token Ring VLANs This example shows how to create a Token Ring TrCRF VLAN and verify the configuration: Console> (enable) set vlan 998 name TrCRF_998 type trcrf decring 10 parent 999 Vlan 998 configuration successful Console>...
  • Page 212 Chapter 11 Configuring VLANs Configuring Token Ring VLANs This example shows how to limit All-Routes Explorer frames and Spanning Tree Explorer frames to ten hops and how to verify the configuration: Console> (enable) set vlan 998 aremaxhop 10 stemaxhop 10 Vlan 998 configuration successful Console>...
  • Page 213: Chapter 12 Configuring Intervlan Routing

    C H A P T E R Configuring InterVLAN Routing This chapter describes how to configure the Multilayer Switch Feature Card (MSFC) for interVLAN routing on the Catalyst 6000 family switches. Note: For complete syntax and usage for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 214: Configuring Intervlan Routing On The Msfc

    Host C. Configuring InterVLAN Routing on the MSFC Note: This section is for users who are familiar with Cisco IOS software and have some experience configuring Cisco IOS routing. If you are not familiar with configuring Cisco routing, refer to the Cisco IOS documentation on Cisco.com.
  • Page 215: Configuring Ip Intervlan Routing On The Msfc

    Chapter 12 Configuring InterVLAN Routing Configuring InterVLAN Routing on the MSFC Configuring IP InterVLAN Routing on the MSFC To configure interVLAN routing for IP, perform this task: Step 1 (Optional) Enable IP routing on the router: Router(config)# ip routing. Step 2 (Optional) Specify an IP routing protocol: Router(config)# router ip_routing_protocol...
  • Page 216: Configuring Appletalk Intervlan Routing On The Msfc

    Chapter 12 Configuring InterVLAN Routing Configuring InterVLAN Routing on the MSFC This example shows how to enable IPX routing on the MSFC, create a VLAN interface, and assign the interface an IPX network address: Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z.
  • Page 217 Follow these guidelines when using this feature: • WCCP Layer 2 redirection feature sets the IP flow mask to full-flow mode. • You can configure the Cisco Cache Engine software release 2.2 or later releases to use WCCP Layer 2 redirection.
  • Page 218 Chapter 12 Configuring InterVLAN Routing Configuring InterVLAN Routing on the MSFC • When the first external port on the VLAN is brought back up, all Layer 3 interfaces on that VLAN that were previously shut down are brought up. This message is reported to the console for each Layer 3 interface: %AUTOSTATE-6-BRING_UP The Catalyst 6000 family switch does not have knowledge of, or control over, the MSM or MSFC...
  • Page 219 Chapter 12 Configuring InterVLAN Routing Configuring InterVLAN Routing on the MSFC To check which MSM interfaces are currently auto stated, perform this task in enabled mode: Task Command Check which MSM interfaces are currently auto show autostate entries stated. This example shows how to check which MSM interfaces are currently auto stated (shutdown or brought up through auto state): Router# show autostate entries Port-channel1.5...
  • Page 221: Chapter 13 Configuring Cef For Pfc2

    C H A P T E R Configuring CEF for PFC2 This chapter describes how to configure Cisco Express Forwarding (CEF) for Policy Feature Card 2 (PFC2). CEF for PFC2 provides IP and Internetwork Packet Exchange (IPX) unicast Layer 3 switching and IP multicast Layer 3 switching for Supervisor Engine 2, PFC2, and Multilayer Switch Feature Card 2 (MSFC2).
  • Page 222: Layer 3 Switching Overview

    Chapter 13 Configuring CEF for PFC2 Understanding How Layer 3 Switching Works Layer 3 Switching Overview Layer 3 switching allows the switch, instead of a router, to forward IP and IPX unicast traffic and IP multicast traffic between VLANs. Layer 3 switching is implemented in hardware and provides wire-speed interVLAN forwarding on the switch, rather than on the MSFC2.
  • Page 223 Chapter 13 Configuring CEF for PFC2 Understanding How Layer 3 Switching Works In IP unicast and IP multicast traffic, the switch decrements the Layer 3 TTL value by 1 and recomputes the Layer 3 packet checksum. In IPX traffic, the switch increments the Layer 3 Transport Control value by 1 and recomputes the Layer 3 packet checksum.
  • Page 224: Understanding Cef For Pfc2

    CEF for PFC2 Overview Supervisor Engine 2, PFC2, and MSFC2 provide Layer 3 switching with CEF for PFC2. CEF for PFC2 is permanently enabled on Supervisor Engine 2. Cisco IOS CEF is permanently enabled on the MSFC2 in support of CEF for PFC2.
  • Page 225 Chapter 13 Configuring CEF for PFC2 Understanding How Layer 3 Switching Works Note: Access control lists (ACLs) and policy-based routing can cause CEF for PFC2 to ignore the FIB when making a forwarding decision (see the “Understanding Forwarding Decisions” section on page 13-5).
  • Page 226 Chapter 13 Configuring CEF for PFC2 Understanding How Layer 3 Switching Works Note: Because the FIB mirrors the unicast and multicast routing tables on the MSFC2, any commands on the MSFC2 that change the unicast or multicast routing tables affect the FIB. Forwarding entries cannot be cleared from the Supervisor Engine 2 command-line interface (CLI).
  • Page 227 Chapter 13 Configuring CEF for PFC2 Understanding How Layer 3 Switching Works Partially and Completely Switched Multicast Flows Some flows might be partially Layer 3 switched instead of completely Layer 3 switched in these situations: • The MSFC is configured as a member of the IP multicast group (using the ip igmp join-group...
  • Page 228 Chapter 13 Configuring CEF for PFC2 Understanding How Layer 3 Switching Works Figure 13-1 IP CEF Example Topology (Source IP Address: Destination IP Address: Rewrite Src/Dst MAC Address: Destination VLAN) 171.59.1.2: 171.59.3.1: Dd:Bb: Marketing; 171.59.1.2: 171.59.2.2: Dd:Cc: Engineering; 171.59.2.2: 171.59.1.2: Dd:Aa: Sales. MAC = Bb...
  • Page 229: Understanding Netflow Statistics

    Chapter 13 Configuring CEF for PFC2 Understanding How Layer 3 Switching Works Figure 13-2 IPX CEF Example Topology (Source IPX Address: Destination IPX Address: Rewrite Src/Dst MAC Address: Destination VLAN) 01.Aa: 03.Bb: Dd:Bb: Marketing; 01.Aa: 02.Cc: Dd:Cc: Engineering; 02.Cc: 01.Aa: Dd:Aa: Sales. MAC = Bb...
  • Page 230: Default Cef For Pfc2 Configuration

    Chapter 13 Configuring CEF for PFC2 Default CEF for PFC2 Configuration NetFlow statistics supports unicast and multicast flows: A unicast flow can be any of the following: • Destination only: all traffic to a particular destination • Destination-source: all traffic from a particular source to a particular destination •...
  • Page 231: Cef For Pfc2 Configuration Guidelines And Restrictions

    Chapter 13 Configuring CEF for PFC2 CEF for PFC2 Configuration Guidelines and Restrictions Table 13-2 Default CEF for PFC2 Configuration (continued) (Feature: Default Value) Multicast services (IGMP snooping or GMRP): Disabled; Multicast routing on MSFC2: Disabled globally; PIM routing on MSFC2: Disabled on all interfaces; IP MMLS Threshold: Unconfigured, no default value...
  • Page 232: Configuring Cef For Pfc2

    Chapter 13 Configuring CEF for PFC2 Configuring CEF for PFC2 Note: Groups in the 224.0.0.* range are reserved for routing control packets and must be flooded to all forwarding ports of the VLAN. These addresses map to the multicast MAC address range 01-00-5E-00-00-xx, where xx is in the range 0–0xFF.
  • Page 233 Chapter 13 Configuring CEF for PFC2 Configuring CEF for PFC2 This example shows how to display the Layer 3-switching entries: Console> (enable) show mls entry Mod FIB-Type Destination-IP Destination-Mask NextHop-IP Weight --- --------- --------------- ---------------- --------------- ------ 15 receive 0.0.0.0 255.255.255.255 15 receive 255.255.255.255 255.255.255.255...
  • Page 234: Configuring Cef On The Msfc2

    Note: This section describes how to enable IP multicast routing on the MSFC2. For more detailed IP multicast configuration information, refer to the “IP Multicast” section of the Cisco IOS IP and IP Routing Configuration Guide at http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt3/index.htm Enabling IP Multicast Routing Globally You must enable IP multicast routing globally on the MSFC2 before you can enable PIM on MSFC interfaces.
  • Page 235 Chapter 13 Configuring CEF for PFC2 Configuring CEF for PFC2 Enabling IP PIM on an MSFC2 Interface You must enable PIM on MSFC2 interfaces before IP multicast will function on those interfaces. To enable IP PIM on an MSFC2 interface, perform this task in interface configuration mode: Task Command Enable IP PIM on an MSFC2...
  • Page 236: Displaying Ip Multicast Information

    Chapter 13 Configuring CEF for PFC2 Configuring CEF for PFC2 To enable IP MMLS on an MSFC interface, perform this task: Task Command Enable IP MMLS on an MSFC interface. Router(config-if)# [no] mls ip multicast This example shows how to enable IP MMLS on an MSFC interface: Router(config-if)# mls ip multicast Router(config-if)# Use the no keyword to disable IP MMLS on an MSFC interface.
  • Page 237 Chapter 13 Configuring CEF for PFC2 Configuring CEF for PFC2 Displaying the IP Multicast Routing Table The show ip mroute command displays the IP multicast routing table on the MSFC2. To display the IP multicast routing table, perform this task: Task Command Display the IP multicast routing table.
  • Page 238 Chapter 13 Configuring CEF for PFC2 Configuring CEF for PFC2 This example shows how to display IP MMLS statistics on the MSFC: Router# show mls ip multicast statistics MLS Multicast configuration and state: Router Mac:0050.0f2d.9bfd, Router IP:1.12.123.234 MLS multicast operating state:ACTIVE Maximum number of allowed outstanding messages:1 Maximum size reached from feQ:1...
  • Page 239 Chapter 13 Configuring CEF for PFC2 Configuring CEF for PFC2 (1.1.11.1, 224.1.1.1) Incoming interface: Vlan11, Packets switched: 62430 Hardware switched outgoing interfaces: Vlan20 Vlan9 RFD-MFD installed: Vlan11 (1.1.11.3, 224.1.1.1) Incoming interface: Vlan11, Packets switched: 62430 Hardware switched outgoing interfaces: Vlan20 Vlan9 RFD-MFD installed: Vlan11 Total hardware switched installed: 6 Router#...
  • Page 240 Chapter 13 Configuring CEF for PFC2 Configuring CEF for PFC2 Table 13-4 SCP Debug Commands (continued) (Command: Description) [no] debug scp timeouts: Reports timeouts. [no] debug scp all: Turns on all SCP debugging messages. Displaying IP Multicast Information on the Supervisor Engine These sections describe how to display IP multicast information: • Displaying IP Multicast Statistics, page 13-20 •...
  • Page 241 Chapter 13 Configuring CEF for PFC2 Configuring CEF for PFC2 Receive: Open Connection Requests: Keep Alive Messages: Shortcut Messages: Shortcut Install TLV: Selective Delete TLV: Group Delete TLV: Update TLV: Input VLAN Delete TLV: Output VLAN Delete TLV: Global Delete TLV: MFD Install TLV: MFD Delete TLV: Console (enable)
  • Page 242: Configuring Netflow Statistics

    Chapter 13 Configuring CEF for PFC2 Configuring NetFlow Statistics 1.1.9.254 224.1.1.1 1.1.13.1 472770 82261980 1.1.5.252 224.1.1.1 1.1.12.1 15840 2756160 1.1.9.254 224.1.1.1 1.1.11.3 473667 82418058 Total Entries: 10 Console> (enable) This example shows how to display IP multicast entries for a specific MSFC2: Console>...
  • Page 243: Specifying The Netflow Table Entry Aging-Time Value

    Chapter 13 Configuring CEF for PFC2 Configuring NetFlow Statistics Specifying the NetFlow Table Entry Aging-Time Value The entry aging time for each protocol (IP and IPX) applies to all protocol-specific NetFlow table entries. Any entry that has not been used for agingtime seconds is aged out. The default is 256 seconds. You can specify the aging time in the range of 8 to 2032 seconds in 8-second increments.
  • Page 244: Specifying Netflow Table Ip Entry Fast Aging Time And Packet Threshold Values

    Chapter 13 Configuring CEF for PFC2 Configuring NetFlow Statistics Specifying NetFlow Table IP Entry Fast Aging Time and Packet Threshold Values IPX entries do not use fast aging. Note To minimize the size of the NetFlow table, enable IP entry fast aging time. The IP entry fast aging time applies to NetFlow table entries that have no more than pkt_threshold packets routed within fastagingtime seconds after they are created.
  • Page 245: Excluding Ip Protocol Entries From The Netflow Table

    Chapter 13 Configuring CEF for PFC2 Configuring NetFlow Statistics To set the minimum NetFlow statistics flow mask, perform this task in privileged mode: Task Command Set the minimum statistics flow mask. set mls flow {destination | destination-source | full} This example shows how to set the minimum statistics flow mask to destination-source-ip: Console>...
  • Page 246: Clearing Netflow Ip And Ipx Statistics

    Chapter 13 Configuring CEF for PFC2 Configuring NetFlow Statistics IP statistics flows aging time = 256 seconds IP statistics flows fast aging time = 0 seconds, packet threshold = 0 IP Current flow mask is Full flow Netflow Data Export version:7 Netflow Data Export disabled Netflow Data Export port/host is not configured.
  • Page 247 Chapter 13 Configuring CEF for PFC2 Configuring NetFlow Statistics Clearing All NetFlow Statistics To clear all NetFlow IP and IPX statistics, perform this task in privileged mode: Task Command Clear all NetFlow statistics. clear mls statistics entry all This example shows how to clear all NetFlow statistics: Console>...
  • Page 248: Displaying Netflow Statistics Debug Information

    Chapter 13 Configuring CEF for PFC2 Configuring NetFlow Statistics Clearing NetFlow IPX Statistics The clear mls statistics entry ipx command clears NetFlow IPX statistics. Use the all keyword to clear all NetFlow IPX statistics. The destination and source keywords specify the source and destination IPX addresses.
  • Page 249: Chapter 14 Configuring Mls

    • Configuring MLS, page 14-14 Note: Supervisor Engine 2, PFC2, and MSFC2 provide Layer 3 switching with Cisco Express Forwarding for PFC2 (CEF for PFC2). See Chapter 13, “Configuring CEF for PFC2,” for more information. Understanding How Layer 3 Switching Works Layer 3 switching allows the switch, instead of a router, to forward IP and IPX unicast traffic and IP multicast traffic between VLANs.
  • Page 250: Understanding Layer 3-Switched Packet Rewrite

    Chapter 14 Configuring MLS Understanding How Layer 3 Switching Works These sections describe Layer 3 switching and MLS on the Catalyst 6000 family switches: • Understanding Layer 3-Switched Packet Rewrite, page 14-2 • Understanding MLS, page 14-4 Understanding Layer 3-Switched Packet Rewrite When a packet is Layer 3 switched from a source in one VLAN to a destination in another VLAN, the switch performs a packet rewrite at the egress port based on information learned from the MSFC so that the packets appear to have been routed by the MSFC.
  • Page 251 Chapter 14 Configuring MLS Understanding How Layer 3 Switching Works After the switch rewrites an IP unicast packet, it is (conceptually) formatted as follows: Layer 2 Frame Header (Destination: Destination B MAC; Source: MSFC MAC), Layer 3 IP Header (Destination: Destination B IP; Source: Source A IP; TTL: n-1; Checksum: calculation2), Data, FCS. Understanding IPX Unicast Rewrite...
  • Page 252: Understanding Mls

    Chapter 14 Configuring MLS Understanding How Layer 3 Switching Works Understanding MLS Note: Supervisor Engine 1, PFC, and MSFC or MSFC2 can only do MLS internally with the MSFC or MSFC2 in the same chassis; an external MLS-RP cannot be used in place of the internal MLS-RP. Supervisor Engine 1, PFC, and MSFC or MSFC2 provide Layer 3 switching with MLS.
  • Page 253 Chapter 14 Configuring MLS Understanding How Layer 3 Switching Works Understanding the MLS Cache These sections describe the MLS cache: • MLS Cache, page 14-5 • Unicast Traffic, page 14-5 • Multicast Traffic, page 14-5 • MLS Cache Aging, page 14-5 •...
  • Page 254 Chapter 14 Configuring MLS Understanding How Layer 3 Switching Works MLS Cache Size The maximum MLS cache size is 128K entries. The MLS cache is shared by all MLS processes on the switch (IP MLS, IP MMLS, and IPX MLS). An MLS cache larger than 32K entries increases the probability that a flow will not be Layer 3 switched, but will instead be forwarded to the MSFC.
  • Page 255 Chapter 14 Configuring MLS Understanding How Layer 3 Switching Works Flow Mask Mode and show mls entry Command Output With the destination-ip flow mask, the source IP, protocol, and source and destination port fields show the details of the last packet that was Layer 3 switched using the MLS cache entry. This example shows how the show mls entry command output appears in destination-ip mode: Console>...
  • Page 256 Chapter 14 Configuring MLS Understanding How Layer 3 Switching Works Partially and Completely Switched Multicast Flows Some flows might be partially Layer 3 switched instead of completely Layer 3 switched in these situations: • The MSFC is configured as a member of the IP multicast group (using the ip igmp join-group...
  • Page 257 Chapter 14 Configuring MLS Understanding How Layer 3 Switching Works Figure 14-1 IP MLS Example Topology
    Source IP Address  Destination IP Address  Rewrite Src/Dst MAC Address  Destination VLAN  Application
    171.59.1.2         171.59.3.1              Dd:Bb                        Marketing
    171.59.1.2         171.59.2.2              Dd:Cc                        Engineering       HTTP
    171.59.2.2         171.59.1.2              Dd:Aa                        Sales             HTTP
    ...
  • Page 258: Default Mls Configuration

    Chapter 14 Configuring MLS Default MLS Configuration Figure 14-2 IPX MLS Example Topology
    Source IPX Address  Destination IPX Address  Rewrite Src/Dst MAC Address  Destination VLAN
    01.Aa               03.Bb                    Dd:Bb                        Marketing
    01.Aa               02.Cc                    Dd:Cc                        Engineering
    02.Cc               01.Aa                    Dd:Aa                        Sales
    (figure labels: MAC = Bb, MAC = Dd, MSFC, Host B...)
  • Page 259: Configuration Guidelines And Restrictions

    Chapter 14 Configuring MLS Configuration Guidelines and Restrictions Table 14-3 shows the default IP MMLS MSFC configuration. Table 14-3 Default IP MMLS MSFC Configuration
    Feature            Default Value
    Multicast routing  Disabled globally
    IP PIM routing     Disabled on all interfaces
    IP MMLS Threshold  Unconfigured—no default value
    IP MMLS            Enabled when multicast routing is enabled and IP...
  • Page 260: Ip Mmls

    Chapter 14 Configuring MLS Configuration Guidelines and Restrictions Restrictions on Using IP Routing Commands with IP MLS Enabled Enabling certain IP processes on an interface will affect IP MLS on the interface. Table 14-5 shows the affected commands and the resulting behavior. Table 14-5 IP Routing Command Restrictions Command Behavior...
  • Page 261: Ipx Mls

    Chapter 14 Configuring MLS Configuration Guidelines and Restrictions IP MMLS MSFC Configuration Restrictions IP MMLS does not perform multilayer switching for an IP multicast flow in the following situations: • For IP multicast groups that fall into these ranges (where * is in the range 0–255):...
  • Page 262: Configuring Mls

    Chapter 14 Configuring MLS Configuring MLS IPX MLS and Maximum Transmission Unit Size In IPX, the two end points of communication negotiate the maximum transmission unit (MTU) to be used. The MTU size is limited by the media type. Configuring MLS These sections describe how to configure MLS: • Configuring Unicast MLS on the MSFC, page 14-14...
  • Page 263 Chapter 14 Configuring MLS Configuring MLS This example shows how to disable IP MLS on an MSFC interface: Router(config)# interface vlan 100 Router(config-if)# no mls ip Router(config-if)# This example shows how to disable IPX MLS on an MSFC interface: Router(config)# interface vlan 100 Router(config-if)# no mls ipx Router(config-if)# Unicast MLS is enabled by default;...
  • Page 264 Chapter 14 Configuring MLS Configuring MLS Using Debug Commands on the MSFC Table 14-6 describes MLS-related debug commands that you can use to troubleshoot MLS problems on the MSFC. Table 14-6 MLS Debug Commands
    Command                     Description
    [no] debug l3-mgr events    Displays Layer 3 manager-related events.
  • Page 265: Configuring Mls On Supervisor Engine 1

    Chapter 14 Configuring MLS Configuring MLS Configuring MLS on Supervisor Engine 1 MLS is enabled by default on Catalyst 6000 family switches. You only need to configure Supervisor Engine 1 in these circumstances: • You want to change the MLS aging time •...
  • Page 266 Chapter 14 Configuring MLS Configuring MLS Note: We recommend that you keep the size of the MLS cache below 32K entries. If the number of MLS entries exceeds 32K, some flows are sent to the MSFC. To help keep the size of the MLS cache down, for IP, enable IP MLS fast aging, as described in the “Specifying IP MLS Fast Aging Time and Packet Threshold Values”...
  • Page 267 Chapter 14 Configuring MLS Configuring MLS To keep the MLS cache size below 32K entries, enable IP MLS fast aging time. The IP MLS fast aging time applies to MLS entries that have no more than pkt_threshold packets switched within fastagingtime seconds after they are created.
  • Page 268 Chapter 14 Configuring MLS Configuring MLS This example shows how to set the minimum IP MLS flow mask to destination-source-ip: Console> (enable) set mls flow destination-source Configured IP flow mask is set to destination-source flow. Console> (enable) Displaying CAM Entries on the Supervisor Engine The show cam command displays the content-addressable memory (CAM) entries associated with a specific MAC address.
  • Page 269 Chapter 14 Configuring MLS Configuring MLS Displaying MLS Information The show mls command displays protocol-specific MLS information and MSFC-specific information. To display protocol-specific MLS information and MSFC-specific information, perform this task: Task: Display general IP or IPX MLS information and MSFC-specific information for all MSFCs. Command: show mls {ip | ipx} [mod
  • Page 270 Chapter 14 Configuring MLS Configuring MLS 22.1.0.58 00-10-07-38-22-22 2,3,4,5,6, 7,8,9,10,11, 12,13,14,15,16, 17,18,19,20 00-d0-d3-33-17-8c 25 00-10-07-38-22-22 26,66,77,88,99, 00-d0-d3-33-17-8c 112 Console> (enable) Displaying IP MLS Cache Entries These sections describe how to display MLS cache entries on Supervisor Engine 1: • Displaying All MLS Entries, page 14-22...
  • Page 271 Chapter 14 Configuring MLS Configuring MLS Destination-IPX Source-IPX-net Destination-Mac Vlan Port Stat-Pkts Stat-Bytes ------------------------- -------------- ----------------- ---- ----- --------- ----------- BABE.0000.0000.0001 00-a0-c9-0a-89-1d 211 13/37 30230 1510775 201.00A0.2451.7423 00-a0-24-51-74-23 201 14/33 30256 31795084 501.0000.3100.0501 31-00-05-01-00-00 501 9/37 12121 323232 401.0000.0000.0401 00-00-04-01-00-00 401 4633 38676 Total IPX entries: 4...
  • Page 272 Chapter 14 Configuring MLS Configuring MLS Displaying Entries for a Specific IP Source Address To display MLS entries for a specific source IP address, perform this task in privileged mode: Task: Display MLS entries for the specified source IP address. Command: show mls entry ip source [ip_addr]
  • Page 273 Chapter 14 Configuring MLS Configuring MLS Displaying IPX MLS Entries for a Specific MSFC To display IPX MLS entries for a specific MSFC, perform this task in privileged mode: Task: Display IPX MLS entries for a specific MSFC. Command: show mls entry ipx mod
  • Page 274 Chapter 14 Configuring MLS Configuring MLS Clearing MLS Cache Entries The clear mls entry command removes specific MLS cache entries. The all keyword clears all MLS entries. The destination and source keywords specify the source and destination IP addresses. The destination and source ip_addr_spec can be a full IP address or a subnet address in the format ip_subnet_addr, ip_addr/subnet_mask, or ip_addr/subnet_mask_bits.
  • Page 275 Chapter 14 Configuring MLS Configuring MLS Displaying IP MLS Statistics by Protocol The show mls statistics protocol command displays IP MLS statistics by protocol (such as Telnet, FTP, and WWW). The protocol keyword functions only if the flow mask mode is full flow. Enter the show mls command to see the current flow mask.
  • Page 276: Configuring Ip Mmls

    Chapter 14 Configuring MLS Configuring MLS Clearing MLS Statistics The clear mls statistics command clears the following statistics: • Total packets switched (IP and IPX) • Total packets exported (for NDE) To clear IP MLS statistics, perform this task in privileged mode: Task: Clear IP MLS statistics.
  • Page 277 Series, 2926 Series Switches for Catalyst 5000 family switch MLS configuration procedures. This section describes how to enable IP multicast routing on the MSFC. Note: For more detailed IP multicast configuration information, refer to the “IP Multicast” section of the Cisco IOS IP and IP Routing Configuration Guide at http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt3/index.htm...
  • Page 278 Chapter 14 Configuring MLS Configuring MLS This example shows how to enable IP PIM on an interface using the default mode (sparse-dense-mode): Router(config-if)# ip pim Router(config-if)# This example shows how to enable IP PIM sparse mode on an interface: Router(config-if)# ip pim sparse-mode Router(config-if)# Configuring the IP MMLS Global Threshold You can configure a global multicast rate threshold, specified in packets per second, below which all...
  • Page 279 Chapter 14 Configuring MLS Configuring MLS Displaying IP MMLS Interface Information The show ip pim interface count command displays the IP MMLS enable state on MSFC IP PIM interfaces and the number of packets received and sent on the interface. The show ip interface command displays the IP MMLS enable state on an MSFC interface.
  • Page 280 Chapter 14 Configuring MLS Configuring MLS Monitoring IP MMLS on the MSFC The show mls ip multicast command displays detailed information about IP MMLS. To display detailed IP MMLS information on the MSFC, perform one of these tasks: Task: Display IP MMLS group information.
  • Page 281 Chapter 14 Configuring MLS Configuring MLS This example shows how to display information on a specific IP MMLS entry on the MSFC: Router# show mls ip multicast 224.1.1.1 Multicast hardware switched flows: (1.1.13.1, 224.1.1.1) Incoming interface: Vlan13, Packets switched: 61590 Hardware switched outgoing interfaces: Vlan20 Vlan9 RFD-MFD installed: Vlan13 (1.1.9.3, 224.1.1.1) Incoming interface: Vlan9, Packets switched: 0...
  • Page 282 Chapter 14 Configuring MLS Configuring MLS Using Debug Commands on the SCP Table 14-10 describes the Serial Control Protocol (SCP)-related debug commands to troubleshoot the SCP that runs over the Ethernet out-of-band channel (EOBC). Table 14-10 SCP Debug Commands
    Command               Description
    [no] debug scp async  Displays trace for asynchronous data in and out of the SCP...
  • Page 283 Chapter 14 Configuring MLS Configuring MLS This example shows how to display global IP MMLS configuration information: Console> (enable) show mls multicast Admin Status: Enabled Operational Status: Active Configured flow mask is {Destination-source-vlan flow} Active Entries = 10 Router include list : 1.1.9.254 (Active) 1.1.5.252 (Active) Console>...
  • Page 284 Chapter 14 Configuring MLS Configuring MLS Receive: Open Connection Requests: Keep Alive Messages: Shortcut Messages: Shortcut Install TLV: Selective Delete TLV: Group Delete TLV: Update TLV: Input VLAN Delete TLV: Output VLAN Delete TLV: Global Delete TLV: MFD Install TLV: MFD Delete TLV: Console (enable) Clearing IP MMLS Statistics...
  • Page 285 Chapter 14 Configuring MLS Configuring MLS 1.1.9.254 224.1.1.1 1.1.13.1 472770 82261980 1.1.5.252 224.1.1.1 1.1.12.1 15840 2756160 1.1.9.254 224.1.1.1 1.1.11.3 473667 82418058 Total Entries: 10 Console> (enable) This example shows how to display IP MMLS entries for a specific MSFC: Console> (enable) show mls multicast entry 15 Router IP Dest IP Source IP...
  • Page 287: Chapter 15 Configuring Nde

    Overview of NDE and Integrated Layer 3 Switching Management Catalyst 6000 family switches provide Layer 3 switching with Cisco Express Forwarding for Policy Feature Card 2 (CEF for PFC2) or with Multilayer Switching (MLS). You can use NDE to monitor all Layer 3-switched traffic through the Multilayer Switch Feature Card (MSFC).
  • Page 288: Traffic Statistics Data Collection

    NetSys, or NetFlow Analyzer. Traffic Statistics Data Collection An external data collector gathers flow entries from the statistics cache of one or more switches or Cisco routers. The switch or router transmits data to the flow collector by grouping flow entries for expired flows from its statistics cache into a User Datagram Protocol (UDP) datagram, which consists of a header and a series of flow entries.
  • Page 289: Using Nde Filters

    Chapter 15 Configuring NDE Default NDE Configuration Using NDE Filters By default, all expired flows are exported until you specify a filter. After specifying a filter, only expired and purged flows matching the specified filter criteria are exported. Filter values are stored in NVRAM and are not cleared when NDE is disabled.
  • Page 290: Usage Guidelines

    Chapter 15 Configuring NDE Configuring NDE • Clearing the NDE Flow Filter, page 15-9 • Disabling NDE, page 15-9 • Removing the NDE IP Address, page 15-9 • Displaying the NDE Configuration, page 15-10 Usage Guidelines If too many entries are added to the NetFlow table, follow these guidelines: Reduce the MLS aging time.
  • Page 291: Specifying An Nde Destination Address On The Msfc

    Chapter 15 Configuring NDE Configuring NDE This example shows how to specify an NDE collector: Console> (enable) set mls nde Stargate 9996 Netflow data export not enabled. Netflow data export to port 9996 on 172.20.15.1(Stargate) Console> (enable) Specifying an NDE Destination Address on the MSFC To monitor data and statistics about Layer 3 traffic that is switched in software by the MSFC, you must specify the NDE collector and UDP port on the MSFC by entering the ip flow-export destination command on the MSFC.
  • Page 292: Enabling Nde

    Chapter 15 Configuring NDE Configuring NDE Enabling NDE To enable NDE, perform this task in privileged mode: Task Command Enable NDE on the switch. set mls nde enable This example shows how to enable NDE on the switch: Console> (enable) set mls nde enable Netflow data export enabled.
  • Page 293: Specifying A Destination Tcp/Udp Port Filter

    Chapter 15 Configuring NDE Configuring NDE This example shows how to specify a destination and source subnet filter so that only expired flows to subnet 171.69.194.0 from subnet 171.69.173.0 are exported (assuming the flow mask is set to source-destination-ip): Console> (enable) set mls nde flow destination 171.69.194.140/24 source 171.69.173.5/24 Netflow Data Export successfully set Source filter is 171.69.173.0/24 Destination filter is 171.69.194.0/24...
  • Page 294: Specifying A Protocol Filter

    Chapter 15 Configuring NDE Configuring NDE Specifying a Protocol Filter To specify a protocol filter, perform this task in privileged mode: Task: Specify a protocol filter for an NDE flow. Command: set mls nde flow protocol protocol This example shows how to specify a protocol filter so that only expired flows from protocol 17 are exported: Console>...
  • Page 295: Clearing The Nde Flow Filter

    Chapter 15 Configuring NDE Configuring NDE This example shows how to remove a protocol for statistics collection: Console> (enable) clear mls statistics protocol 17 1934 Protocol 17 port 1934 cleared from protocol statistics list. Console> (enable) Clearing the NDE Flow Filter To clear the NDE flow filter and reset the filter to the default (all flows exported), perform this task in privileged mode: Task...
  • Page 296: Displaying The Nde Configuration

    Chapter 15 Configuring NDE Configuring NDE This example shows how to remove the NDE IP addresses from the MSFC: Router(config)# no mls nde-address 170.170.2.1 Router(config)# Displaying the NDE Configuration To display the NDE configuration on the switch, perform this task in privileged mode: Task: Display the NDE configuration on the...
  • Page 297: Chapter 16 Configuring Access Control

    • Understanding How ACLs Work, page 16-1 • Hardware Requirements, page 16-2 • Supported ACLs, page 16-2 • Applying Cisco IOS ACLs and VACLs on VLANs, page 16-7 • Using Cisco IOS ACLs in your Network, page 16-9 • Using VACLs with Cisco IOS ACLs, page 16-15 •...
  • Page 298: Hardware Requirements

    Cisco IOS ACLs provide access control for routed traffic between VLANs, and VLAN ACLs (VACLs) provide access control for all packets. Standard and extended Cisco IOS ACLs are used to classify packets. Classified packets can be subject to a number of features such as access control (security), encryption, policy-based routing, and so on.
  • Page 299: Cisco Ios Acls

    As an example, TCP intercept uses a global ACL that is applied on all interfaces for outbound direction. One Cisco IOS ACL can be used with multiple features for a given interface, and one feature can use multiple ACLs. When a single ACL is used by multiple features, Cisco IOS software examines it multiple times.
  • Page 300 Chapter 16 Configuring Access Control Supported ACLs You can configure VACLs on Layer 3 addresses for IP and IPX. All other protocols are access controlled through MAC addresses and Ethertype using MAC VACLs. Caution: IP traffic and IPX traffic are not access controlled by MAC VACLs. All other traffic types (AppleTalk, DECnet, and so on) are classified as MAC traffic and MAC VACLs are used to access control this traffic.
  • Page 301 Chapter 16 Configuring Access Control Supported ACLs Table 16-1 ACE Types and Parameters (continued) ACE Type TCP or UDP ICMP Other IP Ethernet Layer 2 Ethertype parameters Ethernet source address Ethernet destination address 1. IP ACEs. 2. For Ethernet packets that are not IP version 4 or IPX. Handling Fragmented and Unfragmented Traffic TCP/UDP or any Layer 4 protocol traffic, when fragmented, loses the Layer 4 information (Layer 4 source/destination ports).
  • Page 302 Chapter 16 Configuring Access Control Supported ACLs In this example, 10.1.1.2 is configured to serve HTTP connections. If you do not use a fragment ACE, all the fragments for TCP traffic are permitted as the permit tcp any any fragments ACE is added automatically at the top of the ACL as follows: permit tcp any any fragments permit tcp any host 10.1.1.2 eq www...
  • Page 303: Applying Cisco Ios Acls And Vacls On Vlans

    Applying Cisco IOS ACLs and VACLs on VLANs Applying Cisco IOS ACLs and VACLs on VLANs This section describes how to apply Cisco IOS ACLs and VACLs to the VLAN for bridged packets, routed packets, and multicast packets. These sections show how ACLs and VACLs are applied: • Bridged Packets, page 16-7...
  • Page 304: Multicast Packets

    Chapter 16 Configuring Access Control Applying Cisco IOS ACLs and VACLs on VLANs Figure 16-2 Applying ACLs on Routed Packets (figure labels: Input IOS ACL, Output IOS ACL, MSFC, VACL on bridged traffic, routed traffic, Catalyst 6500 series switches with MSFC, Host B...)
  • Page 305: Using Cisco Ios Acls In Your Network

    Network Protocols Configuration Guide, Part 1. When a feature is configured on the router to process traffic (such as NAT), the Cisco IOS ACL associated with the feature determines the specific traffic that is bridged to the router instead of being Layer 3 switched.
  • Page 306: Hardware And Software Handling Of Cisco Ios Acls With Pfc

    When you enter the show ip access-list command, the match count displayed does not account for packets access controlled in the hardware. Note: IPX Cisco IOS ACLs with the source host node number specified cannot be enforced on the switch in the hardware;...
  • Page 307 Bridge-Groups, page 16-12 • Security Cisco IOS ACLs The IP and IPX security Cisco IOS ACLs with PFC are as follows: • The flows that match a “deny” statement in a security ACL are dropped by the hardware if “ip unreachables” is disabled. • The flows matching a “permit” statement are switched in the hardware.
  • Page 308: Hardware And Software Handling Of Cisco Ios Acls With Pfc2

    Cisco IOS bridge-group ACLs are handled in the software. Hardware and Software Handling of Cisco IOS ACLs with PFC2 This section describes hardware and software handling of Cisco IOS ACLs with the PFC2. Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4...
  • Page 309 Note: packets access controlled in the hardware. Note: IPX Cisco IOS ACLs with the source host node number specified cannot be enforced on the switch in the hardware; the MSFC has to process the ACL in the software. This process significantly degrades system performance.
  • Page 310 Chapter 16 Configuring Access Control Using Cisco IOS ACLs in your Network Reflexive ACLs ICMP packets are handled in the software. For TCP/UDP flows, once the flow is established, they are handled in hardware. Note that when reflexive ACLs are applied, the flow mask is changed to VLAN-full flow.
  • Page 311: Using Vacls With Cisco Ios Acls

    To access control both bridged and routed traffic, you can use VACLs only or a combination of Cisco IOS ACLs and VACLs. You can define Cisco IOS ACLs on both input and output routed-VLAN interfaces, and you can define a VACL to access control the bridged traffic.
  • Page 312: Guidelines For Configuring Cisco Ios Acls And Vacls On The Same Vlan Interface

    The Catalyst 6000 family switch hardware provides one lookup for security ACLs for each direction (input and output); you must merge a Cisco IOS ACL and a VACL when they are configured on the same VLAN. Merging the Cisco IOS ACL with the VACL might significantly increase the number of ACEs.
  • Page 313 If Layer 4 port information was specified, the upper limit could be higher. Examples These examples show the merge results for various Cisco IOS ACL and VACL configurations. Note that in these examples, one VACL and one Cisco IOS ACL are configured on the same VLAN.
  • Page 314 Chapter 16 Configuring Access Control Using VACLs with Cisco IOS ACLs ******** IOS ACL ************ deny ip any host 239.255.255.255 permit ip any any ******** MERGE ********** has 91 entries Example 2 Example 1, if you follow the guidelines and remove line 9 and modify lines 11 and 12, you get the...
  • Page 315 4 entries Example 6 This example shows that applying the merging guidelines on a large Cisco IOS ACL (no Layer 4 port information is specified on the Cisco IOS ACL), produces a merge result of 801 entries: ******** VACL ********** 1 redirect 4/25 tcp host 192.168.1.67 255.255.255.255 0.0.0.0...
  • Page 316: Guidelines For Using Layer 4 Operations

    ACE. Note: If you have a Cisco IOS ACL and a VACL on the same VLAN interface, the recommended total number of Layer 4 operations is still nine or less. Use the following two guidelines to determine Layer 4 operation usage: Layer 4 operations are considered different if the operator or the operand differ.
  • Page 317 Chapter 16 Configuring Access Control Using VACLs with Cisco IOS ACLs Note: There is no limit to the use of “eq” operators as the “eq” operator does not use a logical operator unit (LOU) or a Layer 4 operation bit. See the “Determining Logical Operation Unit Usage”...
  • Page 318: Using Vacls In Your Network

    Chapter 16 Configuring Access Control Using VACLs in your Network An explanation of the LOU usage follows: • LOU 1 stores “gt 10” and “lt 9” • LOU 2 stores “gt 11” and “neq 6” • LOU 3 stores “gt 20” (with space for one more) •...
  • Page 319: Redirecting Broadcast Traffic To A Specific Server Port

    Chapter 16 Configuring Access Control Using VACLs in your Network Figure 16-4 Wiring Closet Configuration (figure labels: Catalyst 6500 series switches with MSFC; Switch A with PFC only; Switch C with PFC only; VACL: deny http from X to Y; http is dropped at entry point; Host X; Host Y...)
  • Page 320: Restricting The Dhcp Response For A Specific Server

    Chapter 16 Configuring Access Control Using VACLs in your Network Figure 16-5 Redirecting Broadcast Traffic to a Specific Server Port (figure labels: Target server; VACL; Catalyst 6500 series switches with PFC; Host A; Host B; Host C; VLAN 10; Application broadcast packet) Restricting the DHCP Response for a Specific Server When Dynamic Host Configuration Protocol (DHCP) requests are broadcast, they reach every DHCP server in the VLAN and multiple responses are returned.
  • Page 321: Denying Access To A Server On Another Vlan

    Chapter 16 Configuring Access Control Using VACLs in your Network Figure 16-6 shows that only the target server returns a DHCP response from the DHCP request. Figure 16-6 Redirect DHCP Response for a Specific Server (figure labels: Target server 1.2.3.4; VACL; Catalyst 6500 series switches with PFC; Host A; Host B...)
  • Page 322: Restricting Arp Traffic

    VLANs. In software release 6.1(1) and later releases, ACLs can be applied as follows: • You can map VACLs to secondary VLANs or primary VLANs. • Cisco IOS ACLs that are mapped to a primary VLAN get mapped to the associated secondary VLANs.
  • Page 323: Capturing Traffic Flows

    Catalyst 6000 family switches. • Non-IP version 4/non-IPX Cisco IOS ACLs—The following types of Cisco IOS security ACLs cannot be enforced on the switch in the hardware; the MSFC has to process the ACL in the software and this significantly degrades system performance: Bridge-group ACLs –...
  • Page 324: Configuring Vacls

    • Note that a VACL has to be committed before you can map it to a VLAN. There are no default VACLs and no default VACL-to-VLAN mappings. • Note that if there is no Cisco IOS ACL configured to deny traffic on a routed VLAN interface (input or output), and no VACL configured, all traffic is permitted.
  • Page 325: Vacl Configuration Summary

    Chapter 16 Configuring Access Control Configuring VACLs • Follow these guidelines for using the redirect option: – Note that redirected packets can only go out a port that supports the VLAN that the traffic is in. – Note that the redirect option only involves taking packets and sending them out the redirect...
  • Page 326 Chapter 16 Configuring Access Control Configuring VACLs • Clearing the Edit Buffer, page 16-37 • Removing ACEs from Security ACLs, page 16-37 • Clearing the Security ACL Map, page 16-37 • Displaying VACL Management Information, page 16-38 • Capturing Traffic Flows on Specified Ports, page 16-38 •...
  • Page 327 Chapter 16 Configuring Access Control Configuring VACLs This example shows how to commit the ACEs to NVRAM: Console> (enable) commit security acl all ACL commit in progress. ACL IPACL1 is committed to hardware. Console> (enable) For more information about the commit security acl all command, see the “Committing ACLs”...
  • Page 328 Chapter 16 Configuring Access Control Configuring VACLs ACL IPACL2 is committed to hardware. Console> (enable) Note: For more information about the commit security acl all command, see the “Committing ACLs” section on page 16-35. Enter the show security acl info IPACL2 command to verify that the changes were committed. If this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.
  • Page 329 Chapter 16 Configuring Access Control Configuring VACLs This example shows how to commit the ACEs to NVRAM: Console> (enable) commit security acl all ACL commit in progress. ACL IPXACL1 is committed to hardware. Console> (enable) Enter the show security acl info IPXACL1 command to verify that the changes were committed. If this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.
  • Page 330 Chapter 16 Configuring Access Control Configuring VACLs Creating a Non-IP Version 4/Non-IPX VACL (MAC VACL) and Adding ACEs Caution: IP traffic and IPX traffic are not access controlled by MAC VACLs. All other traffic types (AppleTalk, DECnet, and so on) are classified as MAC traffic and MAC VACLs are used to access control this traffic.
  • Page 331 Chapter 16 Configuring Access Control Configuring VACLs Note: For more information about the commit security acl all command, see the “Committing ACLs” section on page 16-35. Enter the show security acl info MACACL1 command to verify that the changes were committed. If this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.
  • Page 332 Chapter 16 Configuring Access Control Configuring VACLs Showing the Contents of a VACL You can display the contents of a VACL with the show security acl info command. To show the contents of a VACL, perform this task in privileged mode: Task: Show the contents of a VACL.
  • Page 333 Chapter 16 Configuring Access Control Configuring VACLs Clearing the Edit Buffer You can clear changes made to the ACL edit buffer since its last save with the rollback command. The ACL is rolled back to its state at the last commit command. To clear the ACL edit buffer, perform this task in privileged mode: Task Command...
  • Page 334 Chapter 16 Configuring Access Control Configuring VACLs This example shows how to clear all VACL-to-VLAN mappings: Console> (enable) clear security acl map all Map deletion in progress. Successfully cleared mapping between ACL ip1 and VLAN 10. Successfully cleared mapping between ACL ipx1 and VLAN 10..
  • Page 335 Chapter 16 Configuring Access Control Configuring VACLs • You can specify any number of switch ports as capture ports. Capture ports are added to a capture port list and the configuration is saved in NVRAM. • Only permit traffic is captured. If a packet is dropped due to an ACL, the packet cannot be captured. Capture ports do not transmit out all captured traffic.
  • Page 336 Chapter 16 Configuring Access Control Configuring VACLs This example shows how to map my_cap to VLAN 10: Console> (enable) set security acl map my_cap 10 Mapping in progress. VLAN 10 successfully mapped to ACL my_cap. The old mapping with ACL captest was replaced with the new one. Console>...
  • Page 337 Chapter 16 Configuring Access Control Configuring VACLs To enable VACL logging, perform these steps: Step 1 Enter the set logging level acl severity command to set the logging level to 6 (information) or 7 (debugging). Step 2 (Optional) Enter the set security acl log maxflow max_number to allocate a new log table based on the maximum flow pattern number to store logged packet information.
  • Page 338: Configuring And Storing Vacls And Qos Acls In Flash Memory

    Chapter 16 Configuring Access Control Configuring and Storing VACLs and QoS ACLs in Flash Memory This example shows how to create an ACE for my_cap and specify that denied traffic be logged: Console> (enable) set security acl ip my_cap deny ip host 21.0.0.1 log my_cap editbuffer modified.
  • Page 339: Automatically Moving The Vacl And Qos Acl Configuration To Flash Memory

    Chapter 16 Configuring Access Control Configuring and Storing VACLs and QoS ACLs in Flash Memory This section describes the following tasks: • Automatically Moving the VACL and QoS ACL Configuration to Flash Memory, page 16-43 • Manually Moving the VACL and QoS ACL Configuration to Flash Memory, page 16-44...
  • Page 340: Manually Moving The Vacl And Qos Acl Configuration To Flash Memory

    Chapter 16 Configuring Access Control Configuring and Storing VACLs and QoS ACLs in Flash Memory Manually Moving the VACL and QoS ACL Configuration to Flash Memory If your VACL and QoS ACL configuration requires more memory than the 512-KB NVRAM provides, you can manually move the VACL and QoS ACL configuration to Flash memory as follows: Specify the VACL and QoS ACL auto-config file to use to configure the switch at startup.
  • Page 341: Running With The Vacl And Qos Acl Configuration In Flash Memory

    Chapter 16 Configuring Access Control Configuring and Storing VACLs and QoS ACLs in Flash Memory Note VACL and QoS ACL mapping commands (set qos acl map and set security acl map) are also stored in the auto-config file. If the VACL and QoS ACL configuration is in Flash memory and you use the mapping commands, you need to enter the copy command to save the configuration to Flash memory.
  • Page 342: Moving The Vacl And Qos Acl Configuration Back To Nvram

    Chapter 16 Configuring Access Control Configuring Policy-Based Forwarding Moving the VACL and QoS ACL Configuration Back to NVRAM This example shows how to move the VACL and QoS ACL configuration back to NVRAM: Console> (enable) set config acl nvram ACL configuration copied to NVRAM. Console>...
  • Page 343: Understanding How Policy-Based Forwarding Works

    Chapter 16 Configuring Access Control Understanding How Policy-Based Forwarding Works PBF is described in these sections: • Understanding How Policy-Based Forwarding Works, page 16-47 • Hardware and Software Requirements, page 16-47 • Configuring Policy-Based Forwarding, page 16-48 • Policy-Based Forwarding Configuration Example, page 16-55...
  • Page 344: Configuring Policy-Based Forwarding

    Chapter 16 Configuring Access Control Configuring Policy-Based Forwarding Configuring Policy-Based Forwarding This section provides guidelines and configuration examples for PBF. The configuration examples use the example configuration shown in Figure 16-8. The Catalyst 6000 family switch redirects all the traffic coming from Host A on VLAN 10 to Host B on VLAN 11, and redirects traffic from Host B to Host A.
  • Page 345 Chapter 16 Configuring Access Control Configuring Policy-Based Forwarding To display PBF status and MAC address, perform this task in privileged mode: Task Command Display PBF status and MAC address. show pbf To enable PBF, perform one of these tasks in privileged mode: Task Command Enable PBF with a default MAC address.
  • Page 346: Configuring Vacls For Pbf

    Chapter 16 Configuring Access Control Configuring Policy-Based Forwarding This example shows how to clear the PBF MAC address: Console> (enable) clear pbf PBF cleared. Console> (enable) Console> (enable) show pbf Pbf status Mac address ----------- ------------------ not set 00-00-00-00-00-00 Console> (enable) Configuring VACLs for PBF Note Enter the set security acl adjacency command to specify the rewrite information in the adjacency table...
  • Page 347 Chapter 16 Configuring Access Control Configuring Policy-Based Forwarding To specify an adjacency table entry for the PFC2, perform this task in privileged mode: Task Command Specify an adjacency table entry for the PFC2. set security acl adjacency adjacency_name dest_vlan dest_mac [[source_mac] | [source_mac mtu mtu_size] | [ mtu mtu_size]] This example shows how to specify the adjacency table entry: Console>...
  • Page 348: Displaying Pbf Information

    Chapter 16 Configuring Access Control Configuring Policy-Based Forwarding Displaying PBF Information This section describes how to display PBF-related information. To display adjacency table entries, perform these tasks in normal mode: Task Command Display adjacency table entries. show security acl info [acl_name | adjacency | all] [editbuffer [editbuffer_index]] Display PBF adjacency information for all show pbf adjacency [adj name]...
  • Page 349: Rolling Back Adjacency Table Entries In The Edit Buffer

    Chapter 16 Configuring Access Control Configuring Policy-Based Forwarding Clear the adjacency table entry. Commit the adjacency table entry. To clear a PBF adjacency table entry, perform this task in privileged mode: Task Command Clear a PBF adjacency table entry. clear security acl adjacency adj name This example shows how to clear a PBF adjacency table entry: Console>...
  • Page 350 Chapter 16 Configuring Access Control Configuring Policy-Based Forwarding Note When a router is not present in the network, you need to specify static ARP entries on participating hosts. The host’s ARP table maps the IP address of the host device to the MAC address of the PFC2. The IP addresses in the following examples are the IP addresses used in Figure 16-8.
  • Page 351: Policy-Based Forwarding Configuration Example

    Chapter 16 Configuring Access Control Configuring Policy-Based Forwarding You need to set only one dummy ARP entry for PBF-related traffic and the host routes for each destination host. If the number of hosts increases, you need to set the host route entries for each destination host. You can set up a startup file in /etc/rc2.d which has host route entries for each of the destination hosts.
  • Page 352 Chapter 16 Configuring Access Control Configuring Policy-Based Forwarding Figure 16-9 Policy-Based Forwarding Configuration Example (figure: Catalyst 6500 series switches; PFC2 MAC address 00-11-22-33-44-55; port 6/17; VLAN 1 hosts: IP 44.0.0.1 - 44.0.0.17, MAC 00-20-20-20-20-20 - 00:20:20:20:20:2f; VLAN 2 hosts: IP 43.0.0.1 - 43.0.0.17, MAC 00-0a-0a-0a-0a-0a - ...)
  • Page 353 Chapter 16 Configuring Access Control Configuring Policy-Based Forwarding This example shows how to display MAC addresses learned by the switch for port 6/17 on VLAN 1: Console> (enable) show cam dynamic 6/17 * = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry. X = Port Security Entry $ = Dot1x Security Entry VLAN Dest MAC/Route Des...
  • Page 354 Chapter 16 Configuring Access Control Configuring Policy-Based Forwarding This example shows how to display the PBF status and the PFC2 MAC address: Console> (enable) show pbf Pbf status Mac address ----------- ------------------ 00-11-22-33-44-55 This example shows how to display the PBF statistics: Console>...
  • Page 355: Chapter 17 Configuring Gvrp

    CHAPTER Configuring GVRP This chapter describes how to configure the Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP) on the Catalyst 6000 family switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 356: Default Gvrp Configuration

    Chapter 17 Configuring GVRP Default GVRP Configuration Default GVRP Configuration Table 17-1 shows the default GVRP configuration. Table 17-1 GVRP Default Configuration (Feature: Default Value) GVRP global enable state: Disabled; GVRP per-trunk enable state: Disabled on all ports; GVRP dynamic creation of VLANs: Disabled; GVRP registration mode: normal, with VLAN 1 set to fixed, for all ports...
  • Page 357: Enabling Gvrp Globally

    Chapter 17 Configuring GVRP Configuring GVRP Enabling GVRP Globally You must enable GVRP globally before any GVRP processing occurs on the switch. Enabling GVRP globally enables GVRP to perform VLAN pruning on 802.1Q trunk links. Pruning occurs only on GVRP-enabled trunks. For information on setting the per-trunk port GVRP enable state, see the “Enabling GVRP on Individual 802.1Q Trunk Ports”...
  • Page 358: Enabling Gvrp Dynamic Vlan Creation

    Chapter 17 Configuring GVRP Configuring GVRP To enable GVRP on individual 802.1Q-capable ports, perform this task in privileged mode: Task Command Step 1 Enable GVRP on an individual 802.1Q-capable port. set port gvrp mod/port enable Step 2 Verify the configuration. show gvrp configuration This example shows how to enable GVRP on 802.1Q-capable port 1/1: Console>...
  • Page 359: Configuring Gvrp Registration

    Chapter 17 Configuring GVRP Configuring GVRP Configuring GVRP Registration These sections describe how to configure GVRP registration modes on switch ports: • Configuring GVRP Normal Registration, page 17-5 • Configuring GVRP Fixed Registration, page 17-5 • Configuring GVRP Forbidden Registration, page 17-6...
  • Page 360: Configuring Gvrp Vlan Declarations From Blocking Ports

    Chapter 17 Configuring GVRP Configuring GVRP Configuring GVRP Forbidden Registration Configuring an 802.1Q trunk port in forbidden registration mode deregisters all VLANs (except VLAN 1) and prevents any further VLAN creation or registration on the trunk port. To configure GVRP forbidden registration on an 802.1Q trunk port, perform this task in privileged mode: Task Command Step 1...
  • Page 361: Setting The Garp Timers

    Chapter 17 Configuring GVRP Configuring GVRP Setting the GARP Timers Note The commands set gvrp timer and show gvrp timer are aliases for set garp timer and show garp timer. The aliases may be used if desired. Note Modifying the GARP timer values affects the behavior of all GARP applications running on the switch, not just GVRP.
  • Page 362: Displaying Gvrp Statistics

    Chapter 17 Configuring GVRP Configuring GVRP Displaying GVRP Statistics To display GVRP statistics on the switch, perform this task: Task Command Display GVRP statistics. show gvrp statistics [mod/port] This example shows how to display GVRP statistics for port 1/1: Console> (enable) show gvrp statistics 1/1 Join Empty Received: Join In Received: Empty Received:...
  • Page 363: Disabling Gvrp Globally

    Chapter 17 Configuring GVRP Configuring GVRP This example shows how to disable GVRP on 802.1Q trunk port 1/1: Console> (enable) set gvrp disable 1/1 GVRP disabled on 1/1. Console> (enable) Disabling GVRP Globally To disable GVRP globally on the switch, perform this task in privileged mode: Task Command Disable GVRP on the switch.
  • Page 364 Chapter 17 Configuring GVRP Configuring GVRP Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4 17-10 78-13315-02...
  • Page 365: Chapter 18 Configuring Dynamic Port Vlan Membership With Vmps

    CHAPTER Configuring Dynamic Port VLAN Membership with VMPS This chapter describes how to configure dynamic port VLAN membership using the VLAN Management Policy Server (VMPS). Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 366: Default Vmps And Dynamic Port Configuration

    Chapter 18 Configuring Dynamic Port VLAN Membership with VMPS Default VMPS and Dynamic Port Configuration If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group. If the VLAN is allowed on the port, the VLAN name is returned to the client. If the VLAN is not allowed on the port and VMPS is not in secure mode, the host receives an “access denied”...
  • Page 367: Dynamic Port Vlan Membership And Vmps Configuration Guidelines

    Chapter 18 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership and VMPS Configuration Guidelines Table 18-1 Default VMPS and Dynamic Port Configuration (continued) (Feature: Default Configuration) VMPS Client: VMPS domain server: None; VMPS reconfirm interval: 60 minutes; VMPS server retry count; Dynamic ports: No dynamic ports configured...
  • Page 368: Creating The Vmps Database

    Chapter 18 Configuring Dynamic Port VLAN Membership with VMPS Configuring VMPS and Dynamic Port VLAN Membership Creating the VMPS Database To use VMPS, you first must create a VMPS database and store it on a TFTP server. The VMPS parser is line based.
  • Page 369: Configuring Vmps

    Chapter 18 Configuring Dynamic Port VLAN Membership with VMPS Configuring VMPS and Dynamic Port VLAN Membership Configuring VMPS When you enable VMPS, the switch downloads the VMPS database from the TFTP or rcp server and begins accepting VMPS requests. To configure VMPS, perform this task in privileged mode: Task Command Step 1...
  • Page 370: Administering And Monitoring Vmps

    Chapter 18 Configuring Dynamic Port VLAN Membership with VMPS Configuring VMPS and Dynamic Port VLAN Membership This example shows how to specify the VMPS server, verify the VMPS server specification, assign dynamic ports, and verify the configuration: Console> (enable) show vmps server VMPS domain server VMPS Status --------------------------------------- 192.0.0.6...
  • Page 371: Configuring Static Vlan Port Membership

    Chapter 18 Configuring Dynamic Port VLAN Membership with VMPS Configuring VMPS and Dynamic Port VLAN Membership To clear VMPS statistics, perform this task in privileged mode: Task Command Clear VMPS statistics. clear vmps statistics To clear a VMPS server entry, perform this task in privileged mode: Task Command Clear a VMPS server entry.
  • Page 372: Troubleshooting Vmps And Dynamic Port Vlan Membership

    Chapter 18 Configuring Dynamic Port VLAN Membership with VMPS Troubleshooting VMPS and Dynamic Port VLAN Membership This example shows how to return a port to static VLAN port membership: Console> (enable) set port membership 3/1 static Port 3/1 vlan assignment set to static. Console>...
  • Page 373: Dynamic Port Vlan Membership With Vmps Configuration Examples

    Chapter 18 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership with VMPS Configuration Examples Dynamic Port VLAN Membership with VMPS Configuration Examples These sections show examples of how to configure VMPS and dynamic ports: • VMPS Database Configuration File Example, page 18-9...
  • Page 374: Dynamic Port Vlan Membership Configuration Example

    Chapter 18 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership with VMPS Configuration Examples !Port Groups !vmps-port-group <group-name> ! device <device-id> { port <port-name> | all-ports } vmps-port-group WiringCloset1 device 198.92.30.32 port 3/2 device 172.20.26.141 port 2/8 vmps-port-group “Executive Row”...
  • Page 375 Chapter 18 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership with VMPS Configuration Examples Figure 18-1 Dynamic Port VLAN Membership Configuration (figure: TFTP server 172.20.22.7; Catalyst 6500 series switches; Switch 1, primary VMPS server, 172.20.26.150; Switch 2, client, 172.20.26.151; End station 1; Catalyst 6000...)
  • Page 376: Dynamic Port Vlan Membership With Auxiliary Vlans

    Chapter 18 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership with Auxiliary VLANs Use this procedure to configure VMPS and dynamic ports: Step 1 Configure Switch 1 as the primary VMPS server. Configure the IP address of the TFTP server on which the ASCII file resides: Console>...
  • Page 377: Configuration Guidelines

    • VLAN ID is manually configured, the VMPS server is queried for packets coming from the PC, not for packets coming from the IP phone. • All packets except Cisco Discovery Protocol (CDP) packets from the IP phone are tagged with the...
  • Page 378 Chapter 18 Configuring Dynamic Port VLAN Membership with VMPS Dynamic Port VLAN Membership with Auxiliary VLANs Console> (enable) set port auxiliaryvlan 5/9 dot1p Port 5/9 allows the connected device send and receive packets with 802.1p priority. Console> (enable) This example shows how to specify port 5/9 as a dynamic port: Console>...
  • Page 379: Chapter 19 Checking Port Status And Connectivity

    CHAPTER Checking Port Status and Connectivity This chapter describes how to check switch port status and connectivity on the Catalyst 6000 family switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 380: Checking Port Status

    Chapter 19 Checking Port Status and Connectivity Checking Port Status Console> (enable) show module Mod Slot Ports Module-Type Model Status --- ---- ----- ------------------------- ------------------- -------- 1000BaseX Supervisor WS-X6K-SUP1-2GE 100BaseFX MM Ethernet WS-X6224-100FX-MT 1000BaseX Ethernet WS-X6408-GBIC 10/100BaseTX (Telco) WS-X6248-TEL 10/100BaseTX (RJ-45) WS-X6248-RJ-45 Mod Module-Name Serial-Num...
  • Page 381 Chapter 19 Checking Port Status and Connectivity Checking Port Status This example shows how to see information on the ports on a specific module only: Console> (enable) show port 1 Port Name Status Vlan Duplex Speed Type ----- ------------------ ---------- ---------- ------ ----- ------------ connected full 1000 1000BaseSX...
  • Page 382: Checking Port Capabilities

    Chapter 19 Checking Port Status and Connectivity Checking Port Capabilities Port Status Channel Admin Ch Neighbor Neighbor Mode Group Id Device Port ----- ---------- --------- ----- ----- ----------------------------------- ----- connected auto Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize ----- ---------- ---------- ---------- ---------- --------- Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts...
  • Page 383: Using Secure Shell Encryption For Telnet Sessions

    Chapter 19 Checking Port Status and Connectivity Using Secure Shell Encryption for Telnet Sessions To Telnet to another device on the network from the switch, perform this task in privileged mode: Task Command Open a Telnet session with a remote host. telnet host [port] This example shows how to Telnet from the switch to a remote host: Console>...
  • Page 384: Monitoring User Sessions

    Chapter 19 Checking Port Status and Connectivity Monitoring User Sessions The nbits value specifies the RSA key size. The valid key size range is 512 to 2048 bits. A key size with a larger number provides higher security but takes longer to generate. You can enter the optional force keyword to regenerate the keys and suppress the warning prompt of overwriting existing keys.
  • Page 385: Using Ping

    Chapter 19 Checking Port Status and Connectivity Using Ping This example shows how to disconnect an active console port session and an active Telnet session: Console> (enable) show users Session User Location -------- ---------------- ------------------------- console telnet jake jake-mac.bigcorp.com telnet tim-nt.bigcorp.com * telnet suzy...
  • Page 386: Executing Ping

    Chapter 19 Checking Port Status and Connectivity Using Ping Ping returns one of the following responses: • Normal response—The normal response (hostname is alive) occurs in 1 to 10 seconds, depending on network traffic. • Destination does not respond—If the host does not respond, a no answer message is returned. •...
  • Page 387: Using Layer 2 Traceroute

    Chapter 19 Checking Port Status and Connectivity Using Layer 2 Traceroute This example shows how to enter a ping command in privileged mode specifying the number of packets, the packet size, and the timeout period: Console> (enable) ping Target IP Address []: 12.20.5.19 Number of Packets [5]: 10 Datagram Size [56]: 100 Timeout in seconds [2]: 10...
  • Page 388: Identifying A Layer 2 Path

    Chapter 19 Checking Port Status and Connectivity Using IP Traceroute Identifying a Layer 2 Path To identify a Layer 2 path, perform one of these tasks in privileged mode: Task Command (Optional) Trace a Layer 2 path using MAC addresses. l2trace {src-mac-addr} {dest-mac-addr} [vlan] [detail]
  • Page 389: Executing Ip Traceroute

    Chapter 19 Checking Port Status and Connectivity Using IP Traceroute To determine when a datagram reaches its destination, traceroute sets the UDP destination port in the datagram to a very large value which the destination host is unlikely to be using. When a host receives a datagram with an unrecognized port number, it sends an ICMP port unreachable error to the source.
  • Page 391: Chapter 20 Administering The Switch

    CHAPTER Administering the Switch This chapter describes how to perform various administrative tasks on the Catalyst 6000 family switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 392: Setting The Static System Name And Prompt

    Chapter 20 Administering the Switch Setting the System Name and System Prompt If the DNS lookup is successful, the DNS host name of the switch is configured as the system name of the switch and is saved in NVRAM (the domain name is removed). If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt (a greater-than symbol [>] is appended).
  • Page 393: Setting The System Contact And Location

    Chapter 20 Administering the Switch Setting the System Contact and Location Setting the Static System Prompt To set the static system prompt, perform this task in privileged mode: Task Command Set the static system prompt. set prompt prompt_string This example shows how to set the static system prompt on the switch: Console>...
  • Page 394: Setting The System Clock

    Chapter 20 Administering the Switch Setting the System Clock PS1-Type PS2-Type Modem Baud Traffic Peak Peak-Time ---------- ---------- ------- ----- ------- ---- ------------------------- other none disable 9600 0% Tue Jun 23 1998, 16:51:36 System Name System Location System Contact ------------------------ ------------------------ ------------------------ Catalyst 6000 Sunnyvale CA sysadmin@corp.com...
  • Page 395: Configuring A Login Banner

    Chapter 20 Administering the Switch Defining Command Aliases Configuring a Login Banner To configure a login banner, perform this task in privileged mode: Task Command Step 1 Enter the message of the day. set banner motd c message_of_the_day c Step 2 Display the login banner by logging out and logging back into the switch.
  • Page 396: Defining Ip Aliases

    Chapter 20 Administering the Switch Defining IP Aliases This example shows how to define two command aliases, sm8 and sp8. sm8 issues the show module 8 command, and sp8 issues the show port 8 command. This example also shows how to verify the currently defined command aliases and what happens when you enter the command aliases at the command line: Console>...
  • Page 397: Configuring Static Routes

    Chapter 20 Administering the Switch Configuring Static Routes This example shows how to define two IP aliases, sparc and cat6509. sparc refers to IP address 172.20.52.3, and cat6509 refers to IP address 172.20.52.71. This example also shows how to verify the currently defined IP aliases and what happens when you use the IP aliases with the ping command: Console>...
  • Page 398: Configuring Permanent And Static Arp Entries

    Chapter 20 Administering the Switch Configuring Permanent and Static ARP Entries The primary gateway: 172.20.52.121 Destination Gateway RouteMask Flags Interface --------------- --------------- ---------- ----- -------- --------- 172.16.16.0 172.20.52.127 0xfffff000 default 172.20.52.121 172.20.52.120 172.20.52.124 0xfffffff8 default default 0xff000000 Console> (enable) Configuring Permanent and Static ARP Entries To enable your Catalyst LAN switch to communicate with devices that do not respond to Address Resolution Protocol (ARP) requests, you can configure a static or permanent ARP entry that maps the IP addresses of those devices to their MAC addresses.
  • Page 399: Scheduling A System Reset

    Chapter 20 Administering the Switch Scheduling a System Reset This example shows how to display the ARP cache: Console> (enable) show arp ARP Aging time = 300 sec + - Permanent Arp Entries * - Static Arp Entries + 10.1.1.1 at 00-80-1c-93-80-60 on vlan 1 172.20.52.1 at 00-60-5c-86-5b-28 port 8/1 on vlan 1 * 20.1.1.1 at 00-80-1c-93-80-40 port...
  • Page 400: Scheduling A Reset At A Specific Time

    Chapter 20 Administering the Switch Scheduling a System Reset Scheduling a Reset at a Specific Time You can specify an absolute time and date at which the reset should take place with the reset at command. Entering the month and day argument with this command is optional. If you do not specify the month and day, the reset will take place on the current day if the time specified is later than the current time.
  • Page 401: Power Management

    Chapter 20 Administering the Switch Power Management To schedule a reset within a specified time, perform this task in privileged mode: Task Command Step 1 Schedule the reset within a specific amount of time. reset [mindown] in [hh] {mm} [reason] Step 2 Verify the scheduled reset.
  • Page 402 Chapter 20 Administering the Switch Power Management turn on two power supplies of equal wattage, each concurrently provides approximately half of the required power to the system. Load sharing and redundancy are enabled automatically; no software configuration is required. With redundancy enabled, if you power up the system with two power supplies of unequal wattage, both power supplies come online but a syslog message displays that the lower wattage power supply will be disabled.
  • Page 403: Using The Cli To Power Modules Up Or Down

    Chapter 20 Administering the Switch Power Management Table 20-1 Effects of Power Supply Configuration Changes (continued) Configuration Change: Lower wattage power supply is inserted with ... Effect: • System log and syslog messages are generated. • The system disables the lower wattage power supply; the higher...
  • Page 404: Determining System Power Requirements

    Chapter 20 Administering the Switch Power Management Determining System Power Requirements This section describes how to determine the system power requirements for 6-, 9-, and 13-slot chassis. Use Table 20-2 to determine the exact power requirements for your configuration. Note Enter the show environment power command to display current system power usage. Table 20-2 Module Power Requirements Module Power Requirement...
  • Page 405 ... 1.98A; 24-Port FXS Analog Interface: WS-X6624-FXS: 1.54A; Cisco IP Phone 7960 (when plugged into the WS-X6348-RJ-45 and WS-X6648-PWR modules): 0.167A (default), 0.120A (after bootup, initialization). The total power available with the 4000W power supply is 95.70A. The total power available with the 2500W power supply is 55.50A.
  • Page 406: Environmental Monitoring

    Chapter 20 Administering the Switch Environmental Monitoring Environmental Monitoring Environmental monitoring of chassis components provides early warning indications of possible component failure to ensure safe and reliable system operation and avoid network interruptions. This section describes how to monitor these critical system components, enabling you to identify and rapidly correct hardware-related problems in your system.
  • Page 407: Displaying System Status Information For Technical Support

    Chapter 20 Administering the Switch Displaying System Status Information for Technical Support Table 20-3 Environmental Monitoring for Supervisor Engine and Switching Modules (Component; Alarm Type; LED Indication; Action) Supervisor engine temperature sensor exceeds ...; Major; STATUS LED red; syslog message and SNMP trap generated.
  • Page 408: Generating A System Status Report

    This report contains system memory content, including text, code, and stack segments. The core image is produced in Cisco core file format and is stored in the file system. By examining the core dump file, TAC can analyze the error condition of a terminated process.
  • Page 409 Chapter 20 Administering the Switch Displaying System Status Information for Technical Support This example shows how to enable the core dump feature: Console> (enable) set system core-dump enable (1) In the event of a system crash, this feature will cause a core file to be written out. (2) Core file generation may take up to 20 minutes.
  • Page 410 Chapter 20 Administering the Switch Displaying System Status Information for Technical Support The following is an example of an image stack that may display after you enter the show log command: Breakpoint Exception occurred. Software version = 6.2(0.83) Process ID #52, Name = Console EPC: 807523F4 Stack content:...
  • Page 411: Chapter 21 Configuring Switch Access Using Aaa

    CHAPTER Configuring Switch Access Using AAA This chapter describes how to configure authentication, authorization, and accounting (AAA) to monitor and control access to the command-line interface (CLI) on the Catalyst 6000 family switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 412: Authentication Overview

    Chapter 21 Configuring Switch Access Using AAA Understanding How Authentication Works Authentication Overview You can configure any combination of these authentication methods to control access to the switch: • Login authentication • Local authentication • RADIUS authentication • TACACS+ authentication • Kerberos authentication...
  • Page 413: Understanding How Tacacs+ Authentication Works

    Chapter 21 Configuring Switch Access Using AAA Understanding How Authentication Works Understanding How TACACS+ Authentication Works TACACS+ controls access to network devices by exchanging Network Access Server (NAS) information between a network device and a centralized database to determine the identity of a user or an entity.
  • Page 414: Understanding How Radius Authentication Works

    Chapter 21 Configuring Switch Access Using AAA Understanding How Authentication Works Understanding How RADIUS Authentication Works RADIUS is a client-server authentication and authorization access protocol used by the NAS to authenticate users attempting to connect to a network device. The NAS functions as a client, passing user information to one or more RADIUS servers.
  • Page 415 Chapter 21 Configuring Switch Access Using AAA Understanding How Authentication Works Table 21-1 defines the terms used in Kerberos. Table 21-1 Kerberos Terminology Term Definition Kerberized Applications and services that have been modified to support the Kerberos credential infrastructure. Kerberos credential General term referring to authentication tickets, such as ticket granting tickets (TGTs) and service credentials.
  • Page 416 Chapter 21 Configuring Switch Access Using AAA Understanding How Authentication Works Using Kerberized Login Procedure You can use a Kerberized Telnet session if you are logging in through the in-band management port. When the Telnet client and services have been Kerberized, you will follow this process when attempting to Telnet to the switch: The Telnet client asks the user for the username and issues a request for a TGT to the KDC on the Kerberos server.
  • Page 417: Understanding How 802.1X Authentication Works

    Chapter 21 Configuring Switch Access Using AAA Understanding How Authentication Works Using a Non-Kerberized Login Procedure If you use a non-Kerberized login procedure to log in to the switch, the switch takes care of authentication to the KDC on behalf of the login client. However, the user password is now transferred in clear text from the login client to the switch.
  • Page 418 Chapter 21 Configuring Switch Access Using AAA Understanding How Authentication Works 802.1x controls network access by creating two distinct virtual access points at each port. One access point is an uncontrolled port; the other is a controlled port. All traffic through the single port is available to both access points.
  • Page 419: Configuring Authentication

    Chapter 21 Configuring Switch Access Using AAA Configuring Authentication
    Traffic Control: You can restrict traffic in both directions or just incoming traffic.
    Authentication Server: The frames exchanged between the authenticator and the authentication server depend on the authentication mechanism, so they are not defined by the 802.1x standard. You can use other protocols, but we recommend RADIUS for authentication, particularly when the authentication server is located remotely, because RADIUS already defines how to carry EAP frames end to end (the EAP-Message attribute of RFC 2869), so the switch never has to interpret the EAP method itself.
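The two virtual access points described above can be made concrete in code. The following is an added example, not code from the Catalyst manual or from Cisco: it models a port in `auto` mode, shows that only EAPOL frames (EtherType 0x888E) ever reach the authenticator PAE through the uncontrolled access point while everything else is dropped until the supplicant is authorized, and decodes the EAPOL and EAP headers the switch has to parse before it can forward anything to RADIUS. All MAC addresses and frames are constructed test data.

```python
"""802.1x port model plus EAPOL/EAP decoding (added example, constructed frames)."""
import struct
from dataclasses import dataclass

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1x PAE group MAC address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}


@dataclass
class Port:
    port_control: str = "auto"   # force-authorized | auto | force-unauthorized
    authorized: bool = False     # outcome of the last authentication (auto mode only)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def build_eapol(src: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """EAPOL v1 frame to the PAE group address: version, type, body length, body."""
    return build_frame(PAE_GROUP_ADDR, src, ETHERTYPE_EAPOL,
                       struct.pack("!BBH", 1, eapol_type, len(body)) + body)


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code, identifier, length; Request/Response also carry a type byte."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def forward_decision(port: Port, frame: bytes) -> str:
    """Which access point, if any, a received frame reaches on this port."""
    if len(frame) < 14:
        return "drop"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_EAPOL:
        return "uncontrolled"        # EAPOL always reaches the authenticator PAE
    if port.port_control == "force-authorized":
        return "controlled"
    if port.port_control == "auto" and port.authorized:
        return "controlled"
    return "drop"                    # unauthorized: no user traffic passes


def parse_eapol(frame: bytes) -> dict:
    """Decode the EAPOL header and, for EAP-Packet, the EAP header it carries."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated EAPOL body")
    info = {"version": version, "type": EAPOL_TYPES.get(eapol_type, eapol_type)}
    if eapol_type == 0:
        if body_len < 4:
            raise ValueError("EAP header too short")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > body_len:
            raise ValueError("bad EAP length")
        info.update(code=EAP_CODES.get(code, code), id=ident)
        if code in (1, 2):           # Request/Response carry a type and type data
            if eap_len < 5:
                raise ValueError("Request/Response without type")
            info["eap_type"] = EAP_TYPES.get(body[4], body[4])
            info["data"] = body[5:eap_len]
    return info


if __name__ == "__main__":
    sup = bytes.fromhex("001122334455")            # constructed supplicant MAC
    port = Port()
    ip_frame = build_frame(PAE_GROUP_ADDR, sup, 0x0800, b"\x45" + b"\x00" * 19)
    print("IPv4 on unauthorized port:", forward_decision(port, ip_frame))
    start = build_eapol(sup, 1)
    print("EAPOL-Start:", forward_decision(port, start), parse_eapol(start))
    ident = build_eapol(sup, 0, build_eap(2, 1, 1, b"jdoe"))
    print("EAP-Response/Identity:", parse_eapol(ident))
```

The length checks in `parse_eapol` matter in practice: the EAP length is carried twice (EAPOL body length and EAP length), and a decoder that trusts either without cross-checking can be made to read past the frame.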
  • Page 420: Authentication Default Configuration

    Chapter 21 Configuring Switch Access Using AAA Configuring Authentication Authentication Default Configuration Table 21-3 shows the default authentication configuration. Table 21-3 Authentication Default Configuration
    Feature: Default Value
    Login authentication (console and Telnet): Enabled
    Local authentication (console and Telnet): Enabled
    TACACS+ login authentication (console and Telnet): Disabled
    TACACS+ enable authentication (console and Telnet): Disabled...
  • Page 421: Authentication Configuration Guidelines

    Chapter 21 Configuring Switch Access Using AAA Configuring Authentication Table 21-3 Authentication Default Configuration (continued)
    802.1x back-end authenticator to authentication server retransmission time: 30 seconds
    802.1x number of frames retransmitted from back-end authenticator to supplicant:
    802.1x automatic supplicant reauthentication time: 3600 seconds
    802.1x automatic authenticator reauthentication of supplicant: Disabled...
  • Page 422: Configuring Login Authentication

    Chapter 21 Configuring Switch Access Using AAA Configuring Authentication Configuring Login Authentication These sections describe how to configure login authentication on the switch:
    • Setting Authentication Login Attempts on the Switch, page 21-12
    • Setting Authentication Login Attempts for the Privileged Mode, page 21-13...
  • Page 423: Configuring Local Authentication

    Chapter 21 Configuring Switch Access Using AAA Configuring Authentication Setting Authentication Login Attempts for the Privileged Mode To set up login authentication for privileged mode, perform this task in privileged mode:
    Step 1: Enable the login attempt limits for privileged mode. Command: set authentication enable attempt {count}
  • Page 424 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication Enabling Local Authentication Local login and enable authentication are enabled for both console and Telnet connections by default. Note You do not need to perform this task unless you want to modify the default configuration or you have disabled local authentication.
  • Page 425 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication To set the login password for local authentication, perform this task in privileged mode:
    Task: Set the login password for access. Enter your old password (press Return on a switch with no password configured), enter your new password, and reenter your new password. Command: set password
  • Page 426 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication To disable local authentication on the switch, perform this task in privileged mode:
    Step 1: Disable local login authentication on the switch. Enter the console or telnet keyword if you want to disable local authentication only for console port... Command: set authentication login local disable [all | console | http | telnet]
  • Page 427: Configuring Tacacs+ Authentication

    Chapter 21 Configuring Switch Access Using AAA Configuring Authentication
    Step 3: At the “Enter Password” prompt, press Return. The login password is null for 30 seconds after boot when you are connected to the console port, which is why physical access to the console port must be controlled: anyone who can reboot the switch and reach the console in that window gets in without a password.
    Step 4: Enter privileged mode using the enable command. At the “Enter Password”...
  • Page 428 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication
    Console> (enable) show tacacs
    Login Authentication:    Console Session    Telnet Session
    tacacs                   disabled           disabled
    radius                   disabled           disabled
    local                    enabled(primary)   enabled(primary)
    Enable Authentication:   Console Session    Telnet Session
    tacacs                   disabled           disabled...
  • Page 429 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication
    Console> (enable) set authentication enable tacacs enable
    tacacs enable authentication set to enable for console and telnet session.
    Console> (enable) show authentication
    Login Authentication:    Console Session    Telnet Session
    tacacs                   enabled(primary)   enabled(primary)
  • Page 430 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication To specify the TACACS+ timeout interval, perform this task in privileged mode: Task Command Step 1 Specify the TACACS+ timeout interval. set tacacs timeout seconds Step 2 Verify the TACACS+ configuration. show tacacs This example shows how to specify the server timeout interval and verify the configuration: Console>...
  • Page 431 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication Enabling TACACS+ Directed Request When you enable TACACS+ directed request, you can optionally specify the host name of a configured TACACS+ server to direct the TACACS+ authentication request to that particular TACACS+ server. Authentication will fail if the server that the switch contacts does not have an account for the user that is attempting to log in.
  • Page 432 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication Clearing TACACS+ Servers To clear one or more TACACS+ servers, perform this task in privileged mode:
    Step 1: Specify the IP address of the TACACS+ server to clear from the configuration. Command: clear tacacs server [ip_addr | all]
  • Page 433: Configuring Radius Authentication

    Chapter 21 Configuring Switch Access Using AAA Configuring Authentication Disabling TACACS+ Authentication When local authentication is disabled and only TACACS+ authentication is enabled, if you disable TACACS+ authentication, local authentication is reenabled automatically. To disable TACACS+ authentication, perform this task in privileged mode: Task Command Step 1...
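What the TACACS+ key configured with `set tacacs key` actually does on the wire is worth seeing once. The following is an added example, not code from the Catalyst manual or from Cisco: it implements the TACACS+ body obfuscation of RFC 8907 section 4.5 (an XOR against an MD5-derived pseudo-pad keyed on the session ID, the shared key, the version byte and the sequence number), builds an authentication START packet for an ASCII login, and shows that decoding with the wrong key silently yields garbage rather than an error. The session ID, user, port and address are constructed; the key reproduces the sample value the manual uses later in this chapter.

```python
"""TACACS+ body obfuscation, RFC 8907 section 4.5 (added example, constructed values)."""
import hashlib
import struct

TAC_PLUS_MAJOR_MINOR = 0xC0          # major version 12, minor version 0
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 1, 2, 3
FLAG_UNENCRYPTED = 0x01              # body in clear; lab use only
HEADER = struct.Struct("!BBBB4sI")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_n-1)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: bytes, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; applying it twice restores the clear body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, priv_lvl: int = 1) -> bytes:
    """Authentication START for an ASCII login: action LOGIN=1, type ASCII=1, service LOGIN=1."""
    data = b""
    return (struct.pack("!BBBBBBBB", 1, priv_lvl, 1, 1,
                        len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)


def build_packet(ptype: int, seq_no: int, session_id: bytes, key, body: bytes) -> bytes:
    """key=None sends the body in clear with the UNENCRYPTED flag set."""
    if key is None:
        flags, wire_body = FLAG_UNENCRYPTED, body
    else:
        flags, wire_body = 0, obfuscate(body, session_id, key, TAC_PLUS_MAJOR_MINOR, seq_no)
    return HEADER.pack(TAC_PLUS_MAJOR_MINOR, ptype, seq_no, flags,
                       session_id, len(wire_body)) + wire_body


def parse_packet(packet: bytes, key) -> dict:
    """Return header fields and the clear body.  A wrong key does not raise: the body
    decodes to garbage, which the caller has to detect from the length fields."""
    if len(packet) < HEADER.size:
        raise ValueError("short TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    wire_body = packet[HEADER.size:HEADER.size + length]
    if len(wire_body) != length:
        raise ValueError("body length mismatch")
    if flags & FLAG_UNENCRYPTED:
        body = wire_body
    elif key is None:
        raise ValueError("obfuscated body but no key configured")
    else:
        body = obfuscate(wire_body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def start_body_is_consistent(body: bytes) -> bool:
    """Sanity check that a START body decoded with the right key: the four length
    bytes must add up to the rest of the body."""
    if len(body) < 8:
        return False
    user_len, port_len, rem_len, data_len = body[4:8]
    return len(body) == 8 + user_len + port_len + rem_len + data_len


if __name__ == "__main__":
    session = bytes.fromhex("1a2b3c4d")          # constructed session ID
    key = b"tintin_et_milou"                     # sample key from the manual's example
    body = authen_start_body(b"jdoe", b"tty0", b"10.1.1.50")
    pkt = build_packet(TYPE_AUTHEN, 1, session, key, body)
    print("wire body:", pkt[HEADER.size:].hex())
    print("right key consistent:", start_body_is_consistent(parse_packet(pkt, key)["body"]))
    print("wrong key consistent:", start_body_is_consistent(parse_packet(pkt, b"wrong-key")["body"]))
```

Two practical consequences follow from the construction. The pad depends only on the key and four header bytes, so an observer who learns the key (from a configuration backup, for example) can decode every captured session, and the header, which carries the session ID and the sequence number, is never protected at all. This is obfuscation, not authenticated encryption; TACACS+ should run over a management network that is itself protected.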
  • Page 434 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication
    • Clearing the RADIUS Key, page 21-29
    • Disabling RADIUS Authentication, page 21-30
    Specifying RADIUS Servers To specify one or more RADIUS servers, perform this task in privileged mode:
    Step 1: Specify the IP address of up to three RADIUS servers. Command: set radius server ip_addr [auth-port port]...
  • Page 435 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication To specify the RADIUS key, perform this task in privileged mode:
    Step 1: Specify the RADIUS shared key. Command: set radius key key. The key does not encrypt RADIUS packets as a whole: it hides only the User-Password attribute and lets the switch authenticate the server's replies. Usernames, NAS addresses and all other attributes cross the network in the clear.
    Step 2: Verify the RADIUS configuration.
  • Page 436 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication To set up the RADIUS username and enable RADIUS authentication, perform this task in privileged mode:
    Step 1: Enable RADIUS authentication for normal login mode. Command: set authentication login radius enable [all |...
  • Page 437 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication Specifying the RADIUS Timeout Interval You can specify the timeout interval between retransmissions to the RADIUS server. The default timeout is 5 seconds. To specify the RADIUS timeout interval, perform this task in privileged mode: Task Command Step 1...
  • Page 438 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication
    Login Authentication:    Console Session    Telnet Session
    tacacs                   disabled           disabled
    radius                   enabled(primary)   enabled(primary)
    local                    enabled            enabled
    Enable Authentication:   Console Session    Telnet Session
    tacacs                   disabled           disabled
    radius                   enabled(primary)   enabled(primary)
    local...
  • Page 439 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication
    Radius Deadtime:    5 minutes
    Radius Key:         Secret_RADIUS_key
    Radius Retransmit:
    Radius Timeout:     10 seconds
    Radius-Server      Status    Auth-port
    172.20.52.3        primary   1812
    172.20.52.2                  1812
    Console> (enable)
    Note that show radius prints the shared key in clear text, so captured console sessions and configuration backups must be treated as secrets.
    Clearing RADIUS Servers To clear one or more RADIUS servers, perform this task in privileged mode: Task Command Step 1...
  • Page 440 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication
    Enable Authentication:   Console Session    Telnet Session
    tacacs                   disabled           disabled
    radius                   disabled           disabled
    local                    enabled(primary)   enabled(primary)
    Radius Deadtime:    0 minutes
    Radius Key:
    Radius Retransmit:
    Radius Timeout:     5 seconds
    Radius-Server      Status    Auth-port...
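The RADIUS key section above says the key "encrypts" packets; what it really does is narrower, and the following added example (not code from the Catalyst manual or from Cisco) shows exactly how much. It builds an Access-Request with the User-Password hiding of RFC 2865 section 5.2, recovers the password again with the shared secret (which is what any observer holding the secret can do with a capture), and verifies the Response Authenticator that stops a third party from turning an Access-Reject into an Access-Accept. The secret reproduces the manual's sample value; the username, password, NAS address and Request Authenticator are constructed.

```python
"""RADIUS Access-Request: User-Password hiding and Response Authenticator (added example)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
HDR = struct.Struct("!BBH16s")           # code, identifier, length, authenticator


def attr(atype: int, value: bytes) -> bytes:
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(data: bytes) -> dict:
    out, pos = {}, 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        out[atype] = data[pos + 2:pos + alen]
        pos += alen
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """c1 = p1 xor MD5(S + RA); cN = pN xor MD5(S + c(N-1)); password NUL-padded to 16."""
    if len(password) > 128:
        raise ValueError("password too long")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: all a passive observer with the secret needs."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, user, password, nas_ip, nas_port, request_auth=None):
    ra = request_auth or os.urandom(16)     # must be unpredictable and unique per request
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, ra))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return HDR.pack(ACCESS_REQUEST, ident, HDR.size + len(attrs), ra) + attrs


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(HDR.pack(code, ident, HDR.size + len(attrs), request_auth)
                       + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b"") -> bytes:
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HDR.pack(code, ident, HDR.size + len(attrs), auth) + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS must check this before trusting an Accept; without the secret the reply
    can be neither forged nor modified (within MD5's limits)."""
    if len(response) < HDR.size:
        return False
    code, ident, length, auth = HDR.unpack_from(response)
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, response[HDR.size:], request_auth, secret)
    return hmac.compare_digest(auth, expected)
```

The security of both mechanisms rests entirely on the secret and on the Request Authenticator being unpredictable: a weak secret can be brute-forced offline from one captured Access-Request and its hidden password, and a repeated Request Authenticator leaks the XOR of two passwords.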
  • Page 441: Configuring Kerberos Authentication

    Step 1 will use. In the following example, a database called CISCO.EDU is created:
    /usr/local/sbin/kdb5_util create -r CISCO.EDU -s
    Step 2: Add the switch to the database. The following example adds a switch called Cat6509 to the CISCO.EDU database:
    ank host/Cat6509.cisco.edu@CISCO.EDU...
  • Page 442 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication
    Step 7: Start the KDC server as follows:
    /usr/local/sbin/krb5kdc
    /usr/local/sbin/kadmind
    Enabling Kerberos To enable Kerberos authentication, perform this task in privileged mode:
    Step 1: Specify Kerberos as the authentication method. Command: set authentication login kerberos enable [all | console | http | telnet] [primary]
    Step 2...
  • Page 443 This example shows how to define a local realm and how to verify the configuration: kerberos> (enable) set kerberos local-realm CISCO.COM Kerberos local realm for this switch set to CISCO.COM. kerberos> (enable) show kerberos Kerberos Local Realm:CISCO.COM Kerberos server entries: Realm:CISCO.COM,...
  • Page 444 This example shows how to specify which Kerberos server will serve as the KDC for the specified Kerberos realm and how to clear the entry: kerberos> (enable) set kerberos server CISCO.COM 187.0.2.1 750 Kerberos Realm-Server-Port entry set to:CISCO.COM - 187.0.2.1 - 750 kerberos> (enable) Console> (enable) clear kerberos server CISCO.COM 187.0.2.1 750 Kerberos Realm-Server-Port entry CISCO.COM-187.0.2.1-750...
  • Page 445 This example shows how to retrieve an SRVTAB file from the KDC, enter an SRVTAB directly into the switch, and verify the configuration: kerberos> (enable) set kerberos srvtab remote 187.20.32.10 /users/jdoe/krb5/ninerskeytab kerberos> (enable) kerberos> (enable) set kerberos srvtab entry host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0 Kerberos SRVTAB entry set to Principal:host/niners.cisco.com@CISCO.COM...
  • Page 446 Kerberos Pre Authentication Method set to None Kerberos config key: Kerberos SRVTAB Entries Srvtab Entry 1:host/aspen-niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?91:107:423=:;9 kerberos> (enable) This example shows how to configure the switch so that Kerberos clients are mandatory for users to authenticate to other network services: Console>...
  • Page 447 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication Disabling Credentials Forwarding To clear the credentials forwarding configuration, perform this task in privileged mode: Task Command Clear the credentials forwarding configuration. clear kerberos credentials forward This example shows how to clear the credentials forwarding configuration and verify the change: Console>...
  • Page 448 Kerberos Credentials Forwarding Disabled Kerberos Pre Authentication Method set to Encrypted Unix Time Stamp Kerberos config key:abcd Kerberos SRVTAB Entries Srvtab Entry 1:host/aspen-niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 12151><88?=>>3>11 kerberos> (enable) To clear the DES key, perform this task in privileged mode: Task Command Clear a DES key from the switch.
  • Page 449 Kerberos Pre Authentication Method set to None Kerberos config key: Kerberos SRVTAB Entries Srvtab Entry 1:host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0 Srvtab Entry 2:host/niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?58:127:223=:;9 kerberos> (enable) To display the Kerberos credentials, perform this task in privileged mode:...
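The SRVTAB the switch retrieves with `set kerberos srvtab remote` and the entries it prints afterwards (principal, timestamp, key version, key type, key length, key) are the contents of a Kerberos keytab. The following is an added example, not code from the Catalyst manual, from Cisco or from MIT Kerberos: it writes and parses the MIT keytab file format (version 0x0502), skips deleted records, and flags single-DES keys, which the `des-cbc-crc` entries in this chapter are. The principal names and timestamps reproduce values shown in the manual's output; the key bytes are constructed, not real keys.

```python
"""MIT Kerberos keytab (SRVTAB) reader and writer, format 0x0502 (added example)."""
import struct

KEYTAB_MAGIC = b"\x05\x02"
NT_PRINCIPAL = 1
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack("!H", len(data)) + data


def keytab_entry(principal: str, enctype: int, key: bytes, kvno: int, timestamp: int) -> bytes:
    """One record: int32 size, component count, realm, components, name type,
    timestamp, 8-bit kvno, keyblock (enctype + counted key), 32-bit kvno."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack("!H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack("!IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack("!H", enctype) + _counted(key)
    body += struct.pack("!I", kvno)
    return struct.pack("!i", len(body)) + body


def write_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(entries)


def parse_keytab(data: bytes) -> list:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []

    def read(fmt):
        nonlocal pos
        values = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return values

    def read_counted() -> bytes:
        nonlocal pos
        (n,) = read("!H")
        value = data[pos:pos + n]
        if len(value) != n:
            raise ValueError("truncated keytab")
        pos += n
        return value

    while pos + 4 <= len(data):
        (size,) = read("!i")
        if size < 0:                       # negative size marks a deleted record (hole)
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = read("!H")
        realm = read_counted().decode()
        components = [read_counted().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = read("!IIB")
        (enctype,) = read("!H")
        key = read_counted()
        kvno = read("!I")[0] if end - pos >= 4 else vno8   # 32-bit kvno is optional
        pos = end
        entries.append({"principal": "/".join(components) + "@" + realm,
                        "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, enctype),
                        "key_len": len(key), "key": key})
    return entries


def weak_enctypes(entries) -> list:
    """Principals keyed with single DES, which is brute-forceable today."""
    return [e["principal"] for e in entries
            if e["enctype"] in ("des-cbc-crc", "des-cbc-md5")]
```

The file holds the long-term key of `host/<switch>@REALM`, the same key the KDC uses to encrypt service tickets for the switch, so whoever reads it can impersonate the switch's Kerberized service. Fetching it over TFTP, as the `set kerberos srvtab remote` step does, exposes that key to anyone on the path; the alternative the manual offers, `set kerberos srvtab entry` typed on a console, at least keeps it off the network.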
  • Page 450: Configuring 802.1X Authentication

    Chapter 21 Configuring Switch Access Using AAA Configuring Authentication To clear all Kerberos credentials, perform this task in privileged mode: Task Command Clear all credentials. clear kerberos creds This example shows how to clear all Kerberos credentials from the switch: Console>...
  • Page 451 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication This example shows how to globally enable 802.1x authentication: Console> (enable) set dot1x system-auth-control enable dot1x system-auth-control enabled. Disabling 802.1x Globally When 802.1x authentication is enabled for the entire system, you can disable it globally. When 802.1x authentication is disabled globally, it is no longer available at any port, even ports that were previously configured for it.
  • Page 452 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication
    Console> (enable) show port dot1x 4/1
    Port   Auth-State    BEnd-State   Port-Control   Port-Status
           connecting    finished     auto           unauthorized
    Port   Multiple-Host   Re-authentication
           disabled        disabled
    Setting and Enabling Automatic Reauthentication of the Supplicant You can specify how often 802.1x authentication reauthenticates the supplicant if you do so before you enable automatic 802.1x supplicant reauthentication.
  • Page 453 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication To manually reauthenticate a supplicant connected to a specific port, perform this task in privileged mode: Task Command Manually reauthenticate the supplicant connected set port dot1x mod/port re-authenticate to a specific port. This example shows how to manually reauthenticate the supplicant connected to port 1 on module 4: Console>...
  • Page 454 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication To set the value for the quiet period, perform this task in privileged mode: Task Command Set the quiet-period value. set dot1x quiet-period seconds This example shows how to set the quiet period to 45 seconds: Console>...
  • Page 455 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication Setting the Back-End Authenticator-to-Authentication-Server Retransmission Time for Transport Layer Packets The authentication server notifies the back-end authenticator each time it receives a transport layer packet. When the back-end authenticator does not receive a notification after sending a packet, the back-end authenticator waits a set period of time, and then retransmits the packet.
  • Page 456 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication To reset the 802.1x configuration parameters to the default values, perform this task in privileged mode:
    Step 1: Reset the 802.1x configuration parameters to the default values and globally disable 802.1x. Command: clear dot1x config
    Step 2: Verify the 802.1x configuration.
  • Page 457 Chapter 21 Configuring Switch Access Using AAA Configuring Authentication To display the values for all the parameters associated with the authenticator PAE and back-end authenticator on a specific port on a specific module, perform this task in normal mode:
    Task: Display the values for all configurable and current... Command: show port dot1x mod/port
  • Page 458: Authentication Example

    Chapter 21 Configuring Switch Access Using AAA Authentication Example This example shows how to display the global 802.1x parameters:
    Console> (enable) show dot1x
    PAE Capability          Authenticator Only
    Protocol Version
    system-auth-control     enabled
    max-req
    quiet-period            60 seconds
    re-authperiod           3600 seconds
    server-timeout          30 seconds
    supp-timeout            30 seconds
    tx-period...
  • Page 459: Understanding How Authorization Works

    Chapter 21 Configuring Switch Access Using AAA Understanding How Authorization Works Console> (enable) set tacacs key tintin_et_milou The tacacs key has been set to tintin_et_milou. Console> (enable) set authentication login tacacs enable telnet tacacs login authentication set to enable for telnet session. Console>...
  • Page 460: Tacacs+ Primary Options And Fallback Options

    Chapter 21 Configuring Switch Access Using AAA Understanding How Authorization Works
    • EXEC mode (normal login): When the authorization feature is enabled for EXEC mode, the user must supply a valid username and password pair to gain access to EXEC mode. Authorization is required only if you have enabled the authorization feature.
  • Page 461: Radius Authorization

    Chapter 21 Configuring Switch Access Using AAA Configuring Authorization
    • If you have enabled authorization for configuration commands only, the switch verifies that the argument string matches one of the commands listed above. If there is no match, the switch completes the command without sending an authorization request; only the listed configuration commands are ever referred to the server.
  • Page 462: Configuring Tacacs+ Authorization

    Chapter 21 Configuring Switch Access Using AAA Configuring Authorization
    • You must specify the mode, option, fallback option, and connection type when enabling authorization.
    • Configure RADIUS and TACACS+ servers before enabling authorization. See the “Specifying TACACS+ Servers” section on page 21-17 or the “Specifying RADIUS Servers”...
  • Page 463 Chapter 21 Configuring Switch Access Using AAA Configuring Authorization This example shows how to enable TACACS+ enable mode authorization for console and Telnet connections. Authorization is configured with the tacacs+ option. The fallback option is deny: Console> (enable) set authorization enable enable tacacs+ deny both Successfully enabled enable authorization.
  • Page 464 Chapter 21 Configuring Switch Access Using AAA Configuring Authorization
    Step 3: Disable authorization of configuration commands. Enter the console or telnet keyword if you want to disable authorization only for console port or Telnet connection attempts. Command: set authorization commands disable [console | telnet | both]
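The interaction between the option and the fallback option in `set authorization` (for example `tacacs+ deny` in the enable-mode example above) is easy to get wrong, and the wrong choice turns an unreachable server into an open door. The following is an added example, not code from the Catalyst manual or from Cisco: it models the decision as a function that consults the primary option first, uses the fallback only when no TACACS+ server can be reached (never when a server answers with a denial), and applies the "configuration commands only" rule from the guidelines above. The option names `tacacs+` and `deny` come from the manual's examples; `if-authenticated` and `none` are assumed to be the remaining CatOS option keywords. The list of configuration commands the switch actually checks is not reproduced on this page, so `CONFIG_COMMAND_PREFIXES` is a constructed stand-in, and the server is a stub.

```python
"""Authorization with a primary option and a fallback option (added example, stub server)."""
from typing import Callable, Tuple

CONFIG_COMMAND_PREFIXES = ("set", "clear")      # constructed stand-in for the manual's list


class ServerUnreachable(Exception):
    """No TACACS+ server answered within the timeout."""


def authorize(scope: str, command: str, user: str, authenticated: bool,
              primary: str, fallback: str,
              server: Callable[[str, str, str], bool]) -> Tuple[str, str]:
    """Return ('permit' | 'deny', reason).  scope is one of
    'exec', 'enable', 'commands config', 'commands all'."""
    if scope == "commands config" and command.split()[0] not in CONFIG_COMMAND_PREFIXES:
        return "permit", "not a configuration command; no authorization request made"
    for option, stage in ((primary, "primary"), (fallback, "fallback")):
        if option == "none":
            return "permit", f"{stage} option 'none': authorization disabled"
        if option == "if-authenticated":
            verdict = "permit" if authenticated else "deny"
            return verdict, f"{stage} option 'if-authenticated'"
        if option == "deny":
            return "deny", f"{stage} option 'deny': fail closed"
        if option == "tacacs+":
            try:
                allowed = server(user, scope, command)
            except ServerUnreachable:
                continue                         # only now does the fallback apply
            return ("permit" if allowed else "deny"), f"{stage} tacacs+ server answered"
        raise ValueError(f"unknown option {option!r}")
    return "deny", "no server reachable and no fallback could decide: fail closed"


def make_server(policy: dict, reachable: bool = True) -> Callable[[str, str, str], bool]:
    """Stub TACACS+ server.  policy maps (user, scope) to the set of permitted command
    prefixes; '*' permits every command for that scope."""
    def answer(user: str, scope: str, command: str) -> bool:
        if not reachable:
            raise ServerUnreachable
        allowed = policy.get((user, scope), set())
        return "*" in allowed or command.split()[0] in allowed
    return answer


if __name__ == "__main__":
    policy = {("jdoe", "enable"): {"*"}, ("jdoe", "commands config"): {"set"}}
    up = make_server(policy)
    down = make_server(policy, reachable=False)
    # set authorization enable enable tacacs+ deny both
    print(authorize("enable", "enable", "jdoe", True, "tacacs+", "deny", up))
    print(authorize("enable", "enable", "jdoe", True, "tacacs+", "deny", down))
    # the same primary option with fallback 'none' fails open when the server is down
    print(authorize("enable", "enable", "jdoe", True, "tacacs+", "none", down))
```

The case to look at is the second call: with `deny` as the fallback, a dead server means nobody reaches enable mode over Telnet, which is the safe failure for a switch that also keeps local console authentication. A fallback of `none` gives everyone who authenticated full privileged access for as long as the server is down.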
  • Page 465: Configuring Radius Authorization

    Chapter 21 Configuring Switch Access Using AAA Authorization Example Configuring RADIUS Authorization These sections describe how to configure RADIUS authorization on the switch:
    • Enabling RADIUS Authorization, page 21-55
    • Disabling RADIUS Authorization, page 21-55
    Enabling RADIUS Authorization To enable RADIUS authorization and authentication on the switch, perform this task in privileged mode: Enter the set authentication login radius enable command in privileged mode.
  • Page 466: Understanding How Accounting Works

    Chapter 21 Configuring Switch Access Using AAA Understanding How Accounting Works In this example, TACACS+ authorization is enabled for enable mode access to the switch for both Telnet and console connections, authorizing configuration commands: Console> (enable) set authorization enable enable tacacs+ deny both Successfully enabled enable authorization.
  • Page 467: Accounting Events

    Chapter 21 Configuring Switch Access Using AAA Understanding How Accounting Works TACACS+ accounting operates in a client-server model over TCP (RADIUS accounting, by contrast, runs over UDP). The NAS acts as the client and the accounting server acts as the daemon. The NAS sends accounting information to the server.
  • Page 468: Specifying Radius Servers

    Chapter 21 Configuring Switch Access Using AAA Understanding How Accounting Works
    Note: Stop records include complete information of the event (when the event started, its duration, and traffic statistics). However, you might want redundancy and, therefore, may monitor both start and stop records of events occurring on the NAS.
    Specifying RADIUS Servers To specify one or more RADIUS servers, perform this task in privileged mode: Task...
  • Page 469: Updating The Server

    Chapter 21 Configuring Switch Access Using AAA Configuring Accounting Updating the Server You can configure the switch to send accounting information to the TACACS+ server. There are two options: • Newinfo—Sends accounting information to the server only when new accounting information becomes available.
  • Page 470: Accounting Configuration Guidelines

    Chapter 21 Configuring Switch Access Using AAA Configuring Accounting Accounting Configuration Guidelines Follow these guidelines when configuring accounting on the switch:
    • Configure RADIUS and TACACS+ servers before enabling accounting. See the “Specifying TACACS+ Servers” section on page 21-17 or the “Specifying RADIUS Servers”...
  • Page 471 Chapter 21 Configuring Switch Access Using AAA Configuring Accounting
    Console> (enable) set accounting exec enable stop-only tacacs+
    Accounting set to enable for exec events in stop-only mode.
    Console> (enable)
    Console> (enable) set accounting system enable stop-only tacacs+
    Accounting set to enable for system events in stop-only mode.
    Console>...
  • Page 472 Chapter 21 Configuring Switch Access Using AAA Configuring Accounting
    Step 4: Disable accounting of configuration commands. Command: set accounting commands disable
    Step 5: Disable suppression of information for unknown users. Command: set accounting suppress null-username disable
    Step 6: Verify the accounting configuration. Command: show accounting
    This example shows how to disable stop-only accounting: Console>...
  • Page 473: Accounting Example

    Chapter 21 Configuring Switch Access Using AAA Accounting Example Accounting Example Figure 21-5 shows a simple network topology using TACACS+. When Workstation A initiates an accountable event on the switch, the switch gathers the event information and forwards it to the server at the conclusion of the event.
  • Page 474 Chapter 21 Configuring Switch Access Using AAA Accounting Example
    Accounting information:
    Active Accounted actions on tty0, User (null) Priv 0
    Active Accounted actions on tty288091924, User (null) Priv 0
    Overall Accounting Traffic:   Starts   Stops   Active
    Exec
    Connect
    Command
    System...
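The start-only versus stop-only distinction from the accounting overview, and the `stop-only` records configured in the example above, are shown below for the RADIUS variant of accounting, whose packets are fully specified by RFC 2866. This is an added example, not code from the Catalyst manual or from Cisco: it emits the Start and Stop records for one EXEC session in either mode, computes the Request Authenticator (MD5 over the packet with a zeroed authenticator field, followed by the secret), and performs the server-side check that rejects forged or altered records. The secret reproduces the manual's sample key; session values are constructed.

```python
"""RADIUS accounting records (RFC 2866), start-stop and stop-only modes (added example)."""
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, NAS_IP_ADDRESS, NAS_PORT = 1, 4, 5
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 40, 44, 46, 49
START, STOP = 1, 2
HDR = struct.Struct("!BBH16s")       # code, identifier, length, authenticator


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(data: bytes) -> dict:
    out, pos = {}, 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        out[atype] = data[pos + 2:pos + alen]
        pos += alen
    return out


def accounting_request(ident: int, secret: bytes, attrs: bytes) -> bytes:
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    length = HDR.size + len(attrs)
    auth = hashlib.md5(HDR.pack(ACCOUNTING_REQUEST, ident, length, bytes(16)) + attrs + secret).digest()
    return HDR.pack(ACCOUNTING_REQUEST, ident, length, auth) + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute over the packet with the authenticator zeroed."""
    if len(packet) < HDR.size:
        return False
    code, ident, length, auth = HDR.unpack_from(packet)
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    attrs = packet[HDR.size:]
    expected = hashlib.md5(HDR.pack(code, ident, length, bytes(16)) + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def session_records(mode: str, secret: bytes, user: bytes, session_id: bytes, nas_ip: str,
                    nas_port: int, seconds: int, cause: int, first_id: int = 1) -> list:
    """Records the NAS sends for one EXEC session under 'start-stop' or 'stop-only'."""
    common = (attr(USER_NAME, user) + attr(ACCT_SESSION_ID, session_id)
              + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
              + attr(NAS_PORT, struct.pack("!I", nas_port)))
    records = []
    if mode == "start-stop":
        start = attr(ACCT_STATUS_TYPE, struct.pack("!I", START)) + common
        records.append(accounting_request(first_id, secret, start))
    elif mode != "stop-only":
        raise ValueError("mode must be 'start-stop' or 'stop-only'")
    stop = (attr(ACCT_STATUS_TYPE, struct.pack("!I", STOP)) + common
            + attr(ACCT_SESSION_TIME, struct.pack("!I", seconds))
            + attr(ACCT_TERMINATE_CAUSE, struct.pack("!I", cause)))
    records.append(accounting_request(first_id + len(records), secret, stop))
    return records


def status_type(packet: bytes) -> int:
    """Acct-Status-Type of a record: START (1) or STOP (2)."""
    return struct.unpack("!I", parse_attrs(packet[HDR.size:])[ACCT_STATUS_TYPE])[0]
```

The point the manual's note makes about redundancy has a security side too: with `stop-only`, a session whose Stop record never arrives (host crashed, packet dropped, or deliberately suppressed) leaves no trace at all, whereas `start-stop` at least records that the session began. The Request Authenticator makes a record tamper-evident to anyone holding the secret, but, like the rest of RADIUS, it is not encrypted.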
  • Page 475: Chapter 22 Configuring Redundancy

    C H A P T E R Configuring Redundancy This chapter describes how to configure redundant supervisor engines and how to configure redundancy on Multilayer Switch Feature Cards (MSFCs) on the Catalyst 6000 family switches. This chapter consists of these sections: Understanding How Supervisor Engine Redundancy Works, page 22-2 •...
  • Page 476: Understanding How Supervisor Engine Redundancy Works

    All administrative and network management functions, such as SNMP, command-line interface (CLI) console, Telnet, Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), and VLAN Trunk Protocol (VTP) are processed on the active supervisor engine.
  • Page 477: Configuring Redundant Supervisor Engines

    Chapter 22 Configuring Redundancy Configuring Redundant Supervisor Engines The supervisor engines can have different runtime and boot images. If the boot image and the runtime image are the same, and you change the BOOT environment variable or overwrite or destroy the current boot image on the Flash device that was used to boot the system, the runtime and boot images will differ.
  • Page 478: Synchronization Process Initiation

    Chapter 22 Configuring Redundancy Configuring Redundant Supervisor Engines Synchronization Process Initiation These conditions initiate the synchronization of the runtime and boot images on the active and standby supervisor engines: • Time stamp mismatch between the runtime images on the active and standby supervisor engines—The active supervisor engine synchronizes its runtime image with the standby supervisor engine if the time stamps of their respective runtime images differ when the system is booted or reset.
  • Page 479: Verifying Standby Supervisor Engine Status

    Chapter 22 Configuring Redundancy Configuring Redundant Supervisor Engines Unable to find the current runtime image • If the active supervisor engine is unable to find the current runtime image on any of the Flash devices, it signals an error condition. In this case, if the standby supervisor engine is inserted or reset, Flash synchronization does not occur.
  • Page 480: Forcing A Switchover To The Standby Supervisor Engine

    In addition, you can force a switchover to the standby supervisor engine by setting the CISCO-STACK-MIB moduleAction variable to reset(2) on the active supervisor engine. Because any SNMP manager that knows the read-write community string can trigger this reset, restrict SNMP write access (community strings and the addresses allowed to use them) accordingly. When the switchover occurs, the system sends a standard SNMP warm-start trap to the configured trap receivers.
  • Page 481 Chapter 22 Configuring Redundancy Configuring Redundant Supervisor Engines
    Copyright (c) 1994-1997 by cisco Systems, Inc.
    Presto processor with 32768 Kbytes of main memory
    Autoboot executing command: "boot bootflash:cat6000-sup.5-4-1a.bin"
    CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
    Uncompressing file: ###########################################################
    System Power On Diagnostics
    NVRAM Size ....512KB
    ID Prom Test ....Passed...
  • Page 482: High Availability

    Chapter 22 Configuring Redundancy Configuring Redundant Supervisor Engines High Availability High availability allows you to minimize the switchover time from the active supervisor engine to the standby supervisor engine if the active supervisor engine fails. Prior to this feature, fast switchover ensured that a switchover to the standby supervisor engine happened quickly.
  • Page 483 Chapter 22 Configuring Redundancy Configuring Redundant Supervisor Engines If you change high availability from disabled to enabled, synchronization from the active to standby supervisor engine is started (provided the standby supervisor engine is present and its image version is compatible). NVRAM synchronization occurs irrespective of high availability being enabled or disabled (provided there are compatible NVRAM versions on the two supervisor engines).
  • Page 484 Chapter 22 Configuring Redundancy Configuring Redundant Supervisor Engines Table 22-1 High Availability Feature Support Supported Features Compatible Features Incompatible Features ASLB Dynamic VLAN COPS-DS GVRP COPS-PR GMRP Port security IGMP snooping Protocol filtering EtherChannel RMON IOS ACLs RSVP SNMP PAgP Telnet sessions UplinkFast SPAN...
  • Page 485 Chapter 22 Configuring Redundancy Configuring Redundant Supervisor Engines
    Note: When you install two supervisor engines, the first supervisor engine to come online becomes the active module; the second supervisor engine goes into standby mode. If two supervisor engines are installed in your system, at power up the supervisor engine in slot 1 becomes active, and the supervisor engine in slot 2 enters standby mode.
  • Page 486 Chapter 22 Configuring Redundancy Configuring Redundant Supervisor Engines This example shows how to disable high-availability versioning: Console> (enable) set system highavailability versioning disable Image versioning disabled. Console> (enable) Showing High-Availability Settings and Operational Status The show system highavailability command displays the following: High-availability setting (enabled or disabled) •...
  • Page 487 Chapter 22 Configuring Redundancy Configuring Redundant Supervisor Engines This example shows how to enable high availability: Console> (enable) set system highavailability enable System high availability enabled. Console> (enable) Console> (enable) show system highavailability Highavailability: enabled Highavailability versioning: disabled Highavailability Operational-status: ON Console>...
  • Page 488: Supervisor Engine Synchronization Examples

    Trivial File Transfer Protocol (TFTP) boot retries that are attempted. However, the supervisor engine does not support TFTP booting. The number is included in these examples to be consistent with Cisco IOS conventions. These examples are not intended to cover every possible condition.
  • Page 489 Chapter 22 Configuring Redundancy Configuring Redundant Supervisor Engines The standby supervisor engine configuration is as follows:
    • Runtime image: bootflash:f2
    • Boot string: bootflash:f2,1
    • Bootflash:
    • The time stamp for f1 on the active supervisor engine is not the same as f2 on the standby supervisor...
  • Page 490 Chapter 22 Configuring Redundancy Configuring Redundant Supervisor Engines The standby supervisor engine configuration is as follows:
    • Runtime image: bootflash:f2
    • Boot string: bootflash:f2,1;
    • Bootflash (less than 1 MB left on device): f2, f3, f4
    • The time stamp for f1 on the active supervisor engine is not the same as f2 on the standby supervisor...
  • Page 491 Chapter 22 Configuring Redundancy Configuring Redundant Supervisor Engines
    – The active supervisor engine f1 image is not copied to the standby supervisor engine.
    – The standby supervisor engine bootstring is not modified.
    – The standby supervisor engine is not reset.
    Example 2: File copied, bootflash modified, standby supervisor engine not reset. The configuration for this example is as follows: The active supervisor engine configuration is as follows:...
  • Page 492: Msfc Redundancy

    Chapter 22 Configuring Redundancy MSFC Redundancy The expected results are as follows:
    – The active supervisor engine f1 image is not copied to the standby supervisor engine.
    – The standby supervisor engine bootstring is modified to the following: bootflash:f2,1;bootflash:f1,1;
    – The standby supervisor engine is not reset.
  • Page 493: Dual Msfc Redundancy

    • Two chassis with a supervisor engine in each: You must have at least one supervisor engine in each chassis. Each supervisor engine must be equipped with a PFC and an MSFC.
    Note: Each MSFC must be running the same release of Cisco IOS software.
    Layer 3 Redundancy for a Single Chassis In a single Catalyst 6000 family chassis, you can have redundant supervisor engines, each with an MSFC.
  • Page 494 Note (PFC2): With PFC2, only the designated MSFC programs the forwarding information base (FIB), the adjacency table, Cisco IOS software, and policy routing ACLs on the active supervisor engine. If you configure static routes or policy routing, you must have the identical configuration on both MSFCs.
  • Page 495 Chapter 22 Configuring Redundancy MSFC Redundancy Both MSFCs are operational from a routing protocol peering perspective. For example, if you have two MSFCs in a single Catalyst 6000 family switch chassis, each configured with interface VLAN 10 and VLAN 21, the MSFCs are peered to each other over these VLANs. Combined with a dual chassis and dual MSFC design for the same VLANs, each MSFC has 6 peers: its peer in the same chassis as well as the 2 MSFCs in the second chassis (3 in VLAN 10 and 3 in VLAN 21).
  • Page 496 VLAN 10; therefore, each MSFC has different IP addresses and HSRP priorities. Access Control List Configuration If you use Cisco IOS access control lists (ACLs) on the MSFC, you must configure the ACLs on both MSFCs identically, globally, and at the interface level. Only the designated MSFC (the MSFC to come online first, or the MSFC that has been online the longest) programs the PFC with ACL information.
  • Page 497 Chapter 22 Configuring Redundancy MSFC Redundancy (Sup #2/MSFC #2). Sup #1 is active and Sup #2 is in standby mode in both switches. High availability is enabled on the supervisor engines. The supervisor engines automatically perform image and configuration synchronization; you must manually synchronize the images and configurations on the MSFCs.
  • Page 498 Chapter 22 Configuring Redundancy MSFC Redundancy Figure 22-3 Dual MSFC Operational Model for Redundancy and Load Sharing—VLANs 10, 12, 21, and 23 (figure: Switch S1 and Switch S2 connected by Trunk 1 (VLAN 10/21) and Trunk 2 (VLAN 12/23); Sup#1/MSFC#1 in slot 1 of each switch; HSRP active for VLAN 10 at priority 110, HSRP standby for VLAN 10 at priority 108...)
  • Page 499 Chapter 22 Configuring Redundancy MSFC Redundancy Note: While the examples are specific to the PFC, the failover scenarios for the PFC2/MSFC2 would be similar for handling ACLs and CEF table entries. On a Supervisor Engine 2, the designated MSFC2 programs many of the ASICs on the PFC2 including building the CEF table. In a designated MSFC2 HSRP failover to the nondesignated MSFC2, the PFC2 continues to function with the CEF table programmed by the previously designated MSFC2.
  • Page 500 Chapter 22 Configuring Redundancy MSFC Redundancy Failure Case 3: Active Sup #1 Fails This sequence occurs when the active supervisor engine (Sup #1) fails: Because the Layer 3 state is maintained, MLS entries of MSFC #1 gracefully age out of the Sup #2 Layer 3 cache while MSFC #2 takes temporary ownership of these MLS entries using its XTAG value.
  • Page 501 CAM entry, no shortcuts are created. This problem is independent of any MSFC Cisco IOS release. (This problem is documented in caveat CSCdz17169.) To configure HSRP on an MSFC VLAN interface, perform this task in interface configuration mode:...
  • Page 502: Configuration Examples

    Chapter 22 Configuring Redundancy MSFC Redundancy Configuration Examples This section describes three configuration options for achieving redundancy:
    • Example 1—Two Chassis with One Supervisor Engine and One MSFC Each, page 22-28
    • Example 2—Single Chassis with Dual Supervisor Engines and MSFCs, page 22-29
    •...
  • Page 503 Chapter 22 Configuring Redundancy MSFC Redundancy
        Router(config-if)# standby 21 priority 109
        Router(config-if)# standby 21 preempt
        Router(config-if)# standby 21 timers 5 15
        Router(config-if)# standby 21 authentication Secret
        Router(config-if)# ^Z
        Router# ^C^C^C
    This example shows how to configure HSRP on the MSFC in Switch S2: Console>...
  • Page 504 Chapter 22 Configuring Redundancy MSFC Redundancy
        Router(config-if)# standby 10 priority 110
        Router(config-if)# standby 10 preempt
        Router(config-if)# standby 10 timers 5 15
        Router(config-if)# standby 10 authentication Secret
        Router(config-if)# interface vlan21
        Router(config-if)# standby 21 ip 192.20.100.21
        Router(config-if)# standby 21 priority 109
        Router(config-if)# standby 21 preempt
        Router(config-if)# standby 21 timers 5 15
        Router(config-if)# standby 21 authentication Secret
        Router(config-if)# ^Z...
  • Page 505 Chapter 22 Configuring Redundancy MSFC Redundancy This example shows how to configure HSRP on the MSFC in Switch S1:
        Console> (enable) switch console 15
        Trying Router-15...
        Connected to Router-15.
        Type ^C^C^C to switch back...
        Router# configure terminal
        Enter configuration commands, one per line. End with CNTL/Z.
  • Page 506 Chapter 22 Configuring Redundancy MSFC Redundancy
        Router(config-if)# ^Z
        Router# ^C^C^C
        Console> (enable) switch console 16
        Trying Router-16...
        Connected to Router-16.
        Type ^C^C^C to switch back...
        Router# configure terminal
        Enter configuration commands, one per line. End with CNTL/Z.
        Router(config)# interface vlan10
        Router(config-if)# standby 10 ip 172.20.100.10
        Router(config-if)# standby 10 priority 107
        Router(config-if)# standby 10 preempt...
  • Page 507 Chapter 22 Configuring Redundancy MSFC Redundancy When you enable high-availability redundancy, every configuration command executed on the designated MSFC is sent to the nondesignated MSFC. Also, the running configuration synchronization is updated when you enter the copy source running-config command on the designated MSFC. These sections provide information about MSFC configuration synchronization: •...
  • Page 508 Chapter 22 Configuring Redundancy MSFC Redundancy Table 22-3 Interface and Global Configuration Commands Containing the alt Keyword
    Interface Configuration Commands:
        • [no] standby [group_number] ip [ip_address [secondary]] alt [no] standby [group_number] ip ...
    Global Configuration Commands:
        • [no] hostname hostname alt hostname hostname
        •...
  • Page 509 Chapter 22 Configuring Redundancy MSFC Redundancy In this example, Router-16 is the nondesignated MSFC; high-availability redundancy and configuration synchronization are enabled:
        Console>(enable) session 16
        Trying Router-16...
        Connected to Router-16.
        Escape character is '^]'.
        Router-16> enable
        Router-16# configure terminal
        Config mode is disabled on non-designated Router, please configure from designated Router
    High-Availability Redundancy Configuration Examples This section discusses different scenarios for enabling high availability and configuration synchronization:...
  • Page 510 Chapter 22 Configuring Redundancy MSFC Redundancy This example shows how to specify the alternate configuration for VLAN 1:
        Router-16(config)# interface vlan 1
        Router-16(config-if)# ip address 70.0.70.4 255.255.0.0 alt ip address 70.0.70.5 255.255.0.0
        Router-16(config-if)# exit
    This example shows that high-availability redundancy is accepted:
        Router-16(config)# redundancy
        Router-16(config-r)# high-availability
        Router-16(config-r-ha)# config-sync...
  • Page 511 Chapter 22 Configuring Redundancy MSFC Redundancy These examples show that the designated MSFC and nondesignated MSFC have the same running configuration after synchronization:
        <designated MSFC>
        Router-16# show running-config
        Building configuration...
        Current configuration:
        version 12.1
        service timestamps debug uptime
        service timestamps log uptime
        no service password-encryption
        hostname Router-15 alt hostname Router-16
        boot bootldr bootflash:c6msfc-boot-mz.120-7.XE1...
  • Page 512 Chapter 22 Configuring Redundancy MSFC Redundancy
        hostname Router1 alt hostname Router2
        boot bootldr bootflash:c6msfc-boot-mz.120-7.XE1
        ip subnet-zero
        ip cef
        redundancy
         high-availability
          config-sync
        cns event-service server
        interface Vlan1
         ip address 70.0.70.4 255.255.0.0 alt ip address 70.0.70.5 255.255.0.0
        interface Vlan10
         ip address 192.10.10.1 255.255.255.0 alt ip address 192.10.10.2 255.255.255.0
         no ip redirects
         shutdown
         standby ip 192.20.20.1 alt standby ip 192.20.20.1...
  • Page 513 Chapter 22 Configuring Redundancy MSFC Redundancy Scenario 3: Designated MSFC Comes Up In this scenario, Config Sync AdminStatus is enabled. The designated MSFC validates the alternate configuration, allowing configuration synchronization to occur when the nondesignated MSFC comes up. Because the nondesignated MSFC is not up yet, Config Sync RuntimeStatus is disabled, and there is no configuration synchronization.
  • Page 514 Chapter 22 Configuring Redundancy MSFC Redundancy Router-15(config-r-ha)# 00:03:47: %SYS-5-CONFIG_I: Configured from console by console 00:03:47: %RUNCFGSYNC-6-SYNCEVENT: The High-Availability Redundancy Feature is enabled The config mode is no longer accessible 00:00:51: %RUNCFGSYNC-6-SYNCEVENT: Non-Designated Router is now online Running Configuration Synchronization will begin in 1 minute A one-minute timer will start, allowing the nondesignated MSFC to stabilize.
  • Page 515: Single Router Mode Redundancy

    – Supervisor Engine 1 with PFC and MSFC or MSFC2 Note: Cisco IOS Release 12.1(8a)E4 provides initial support for single router mode (SRM) redundancy with Supervisor Engine 1 and MSFC. When using Supervisor Engine 1 with the MSFC or MSFC2 for SRM redundancy, be aware that failover to the second MSFC is not stateful for multicast MLS.
  • Page 516
    • SRM redundancy requires that both the designated router and nondesignated router run the same Cisco IOS image.
    • SRM redundancy requires that a Cisco IOS image is present in the bootflash of both the designated router and nondesignated router.
  • Page 517 Chapter 22 Configuring Redundancy MSFC Redundancy Step 4 Copy the Cisco IOS Release 12.1(8a)E2 or later image to the bootflash of the designated router and nondesignated router. Step 5 Set the boot image and configuration register on the designated router and nondesignated router to boot...
  • Page 518 Upgrading Images with Single Router Mode Enabled This section describes how to upgrade the Cisco IOS image on the active and standby MSFC when SRM is running. The new image name is c6msfc2-jsv-mz.9E. The standby MSFC cannot load an image using TFTP, but it can load an image from the supervisor engine Flash PC card (sup-slot0:).
  • Page 519: Manual-Mode Msfc Redundancy

    Note: Manual-mode MSFC redundancy will be supported until December, 2002, due to the release of supervisor engine software release 6.3(1), which contains the feature SRM. Cisco recommends using SRM rather than manual-mode MSFC redundancy to attain automatic Layer-3 failover capabilities in addition to unlimited support of the feature.
  • Page 520 – Supervisor engine software release 5.5.8 or later releases and MSFC IOS Release 12.1(7a)E1 or later releases Note: Each MSFC must be running the same release of Cisco IOS software. Guidelines for Configuring Manual-Mode MSFC Redundancy Follow these guidelines to configure manual-mode MSFC redundancy:
    • Because the MSFC switchover is manual, we recommend that you have this feature only in...
  • Page 521 For manual-mode MSFC redundancy, set the configuration registers as follows: Step 1 From Cisco IOS configuration mode on the active MSFC (MSFC-15), perform the following:
        Router(config)# config-register 0x2102
        Router(config)#
    Step 2 From Cisco IOS configuration mode on the MSFC in ROM-monitor mode (MSFC-16), perform the following:
        Router(config)# config-register 0x0
        Router(config)#...
  • Page 522 Step 2 is continually rebooting). You need to time the break so that it is issued after the system bootstrap message, but before the main Cisco IOS image is decompressed (see the two arrows in the following display output):
        System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE
        Copyright (c) 1998 by cisco Systems, Inc.
  • Page 523 Chapter 22 Configuring Redundancy MSFC Redundancy
        ### [OK]
    Step 3 At the ROMMON prompt, enter the confreg command: Enter y at the “do you wish to change the configuration? y/n [n]:” prompt. Press Enter to accept the default for all questions until you reach this prompt: “change the boot characteristics? y/n [n]:”...
  • Page 524 Chapter 22 Configuring Redundancy MSFC Redundancy Step 12 Enter ^C^C^C to return to the supervisor engine prompt.
  • Page 525: Chapter 23 Modifying The Switch Boot Configuration

    CHAPTER Modifying the Switch Boot Configuration This chapter describes how to modify the switch boot configuration on the Catalyst 6000 family switches, including the BOOT environment variable, the CONFIG_FILE environment variable, and the configuration register. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 526: Understanding The Rom Monitor

    Chapter 23 Modifying the Switch Boot Configuration Understanding How the Switch Boot Configuration Works Two user-configurable parameters determine how the switch boots: the configuration register and the BOOT environment variable. The configuration register is described in the “Understanding the Configuration Register” section on page 23-2.
  • Page 527: Understanding The Boot Environment Variable

    Chapter 23 Modifying the Switch Boot Configuration Understanding How the Switch Boot Configuration Works
    • When the boot field equals a value between 0010 and 1111, the switch loads the system image specified by boot system commands in the NVRAM configuration. It attempts to boot the image in the order in which you entered the boot system commands.
  • Page 528: Default Switch Boot Configuration

    Chapter 23 Modifying the Switch Boot Configuration Default Switch Boot Configuration
    • Recurring—When you add a list of configuration files to the CONFIG_FILE environment variable, the list is stored indefinitely in NVRAM. Each time the switch is restarted, the system erases the configuration in NVRAM and configures the switch using the configuration files specified.
  • Page 529: Setting The Configuration Register

    Chapter 23 Modifying the Switch Boot Configuration Setting the Configuration Register Table 23-1 Default Switch Boot Configuration (continued)
    Feature: Default Configuration
        ignore-config parameter: Disabled
        BOOT environment variable: Empty
        CONFIG_FILE environment variable: slot0:switch.cfg
        CONFIG_FILE recurrence configuration register parameter: Nonrecurring
        CONFIG_FILE overwrite configuration register parameter: Overwrite
        CONFIG_FILE synchronization configuration...
  • Page 530: Setting The Rom-Monitor Console-Port Baud Rate

    Chapter 23 Modifying the Switch Boot Configuration Setting the Configuration Register To set the configuration register boot field, perform this task in privileged mode:
        Task: Set the boot field in the configuration register.
        Command: set boot config-register boot {rommon | bootflash | system} [mod]
    This example shows how to set the boot field in the configuration register: Console>...
  • Page 531: Setting Config_File Recurrence

    Chapter 23 Modifying the Switch Boot Configuration Setting the Configuration Register Setting CONFIG_FILE Recurrence By default, when you set the CONFIG_FILE environment variable, the list of configuration files to use at startup is retained only until the next time the switch is restarted. You can cause the system software to retain the CONFIG_FILE environment variable settings indefinitely so that each time the switch is restarted, the specified configuration files are used to configure the switch.
  • Page 532: Setting Config_File Synchronization

    Chapter 23 Modifying the Switch Boot Configuration Setting the Configuration Register To specify if the auto-config file should be used to overwrite the NVRAM configuration or if the file configuration should be appended to what is currently in NVRAM, perform this task in privileged mode: Task Command Specify if the auto-config file should be used to...
  • Page 533: Setting The Switch To Ignore The Nvram Configuration

    Chapter 23 Modifying the Switch Boot Configuration Setting the Configuration Register To enable or disable synchronization, perform this task in privileged mode:
        Task: Specify if synchronization should be enabled or disabled.
        Command: set boot config-register auto-config sync {enable | disable}
    This example shows how to enable synchronization: Console>...
  • Page 534: Setting The Configuration Register Value

    Chapter 23 Modifying the Switch Boot Configuration Setting the BOOT Environment Variable Setting the Configuration Register Value To set the configuration register value, perform this task in privileged mode:
        Task: Set the configuration register.
        Command: set boot config-register 0xvalue [mod]
    This example shows how to set the configuration register value to 0x90f: Console>...
  • Page 535: Clearing The Boot Environment Variable Settings

    Chapter 23 Modifying the Switch Boot Configuration Setting the CONFIG_FILE Environment Variable Clearing the BOOT Environment Variable Settings To clear entries from the BOOT environment variable, perform one of these tasks in privileged mode:
        Task: Clear a specific image from the BOOT environment variable.
        Command: clear boot system flash device:[filename] [mod]
  • Page 536: Clearing The Config_File Environment Variable Settings

    Chapter 23 Modifying the Switch Boot Configuration Displaying the Switch Boot Configuration This example shows how to set the CONFIG_FILE environment variable:
        Console> (enable) set boot auto-config bootflash:generic.cfg;bootflash:6509_1_noc.cfg
        CONFIG_FILE variable = bootflash:generic.cfg;bootflash:6509_1_noc.cfg
        WARNING: nvram configuration may be lost during next bootup, and re-configured using the file(s) specified.
  • Page 537: Chapter 24 Working With The Flash File System

    CHAPTER Working With the Flash File System This chapter describes how to use the Flash file system on the Catalyst 6000 family switches. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 538: Setting The Default Flash Device

    Chapter 24 Working With the Flash File System Working with the Flash File System Setting the Default Flash Device When you set the default Flash device for the switch, the default device is assumed when you enter a Flash file system command without specifying the Flash device. To set the default Flash device, perform this task: Task Command...
  • Page 539: Listing The Files On A Flash Device

    Chapter 24 Working With the Flash File System Working with the Flash File System This example shows how to configure the system to save its configuration as a text file in NVRAM, verify the configuration mode, and display the current runtime configuration: Console>...
  • Page 540: Copying Files

    Chapter 24 Working With the Flash File System Working with the Flash File System This example shows how to list the files on the default Flash device:
        Console> (enable) dir
        -#- -length- -----date/time------ name
          1  3134688 Mar 15 1999 08:27:01 cat6000-sup.5-2-1-CSX.bin
          2  3231989 Jan 24 1999 12:04:40 cat6000-sup.5-1-1-CSX.bin
          3      135 Feb 17 1999 11:30:05 dns_config.cfg
        1213952 bytes available (6388224 bytes used)
  • Page 541 Chapter 24 Working With the Flash File System Working with the Flash File System This example shows how to copy a file from the default Flash device to another Flash device:
        Console> (enable) copy cat6000-sup.5-2-1-CSX.bin slot0:
        13174216 bytes available on device slot0, proceed (y/n) [n]? y
        CCCC...
  • Page 542: Deleting Files

    Chapter 24 Working With the Flash File System Working with the Flash File System This example shows how to upload a configuration file on a Flash device to a TFTP server:
        Console> (enable) copy slot0:6000_config.cfg tftp
        IP address or name of remote host []? 172.20.52.3
        Name of file to copy to [6000_config.cfg]?
        File has been copied successfully.
  • Page 543: Restoring Deleted Files

    Chapter 24 Working With the Flash File System Working with the Flash File System Restoring Deleted Files You must specify the index number of a deleted file to identify the file to undelete. The index number for each file appears in the first column of the dir command output. A file cannot be undeleted if a valid file with the same name already exists.
  • Page 544: Formatting A Flash Device

    Flash PC cards formatted on Supervisor Engine 1 or on a route-switch processor (RSP)-based Cisco 7500 series router are interchangeable if the router is running software at least at the same level as the supervisor engine. You cannot use Flash PC cards formatted on a route processor (RP)-based Cisco 7000 series router without reformatting.
  • Page 545: Chapter 25 Working With System Software Images

    CHAPTER Working with System Software Images This chapter describes how to work with system software image files on the Catalyst 6000 family switches. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 546: Downloading Software Images To The Switch With Tftp

    Chapter 25 Working with System Software Images Downloading Software Images to the Switch With TFTP Downloading Software Images to the Switch With TFTP These sections describe how to download system software images to the switch supervisor engine and to intelligent modules:
    • Understanding How TFTP Software Image Downloads Work, page 25-2
    •...
  • Page 547: Downloading Supervisor Engine Images Using Tftp

    Chapter 25 Working with System Software Images Downloading Software Images to the Switch With TFTP Note: You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot command (on SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x).
  • Page 548: Downloading Switching Module Images Using Tftp

    Chapter 25 Working with System Software Images Downloading Software Images to the Switch With TFTP Step 6 When the switch reboots, enter the show version command to check the version of the code on the switch. Note: For examples that show complete TFTP download procedures for the various supervisor engine and switch types, see the “TFTP Download Procedures Example”...
  • Page 549: Tftp Download Procedures Example

    This command will reset the system. Do you want to continue (y/n) [n]? y
        Console> (enable) 07/21/1998,13:51:39:SYS-5:System reset from Console//
        System Bootstrap, Version 4.2
        Copyright (c) 1994-1998 by cisco Systems, Inc.
        c6k_sup1 processor with 32768 Kbytes of main memory
        Autoboot executing command: "boot bootflash:cat6000-sup.5-2-1-CSX.bin"
        CCCC...
  • Page 550 0x00000001 RIn Local Test Mode, Pinnacle Synch Retries: 2
        Running System Diagnostics from this Supervisor (Module 1)
        This may take up to 2 minutes...please wait
        Cisco Systems Console
        Enter password:
        07/21/1998,13:52:51:SYS-5:Module 1 is online
        07/21/1998,13:53:11:SYS-5:Module 4 is online
        07/21/1998,13:53:11:SYS-5:Module 5 is online
        07/21/1998,13:53:14:PAGP-5:Port 1/1 joined bridge port 1/1.
  • Page 551 Chapter 25 Working with System Software Images Downloading Software Images to the Switch With TFTP Do you wish to continue download flash (y/n) [n]? y Download done for module 4, please wait for it to come online File has been copied successfully. Console>...
  • Page 552: Uploading System Software Images To A Tftp Server

    Chapter 25 Working with System Software Images Uploading System Software Images to a TFTP Server
        Console> (enable) show version 5
        Mod Port Model      Serial #  Versions
        --- ---- ---------- --------- ----------------------------------------
        5        WS-X6101   003414463 Hw : 1.2
                                      Fw : 1.3
                                      Sw : 3.2(7)
        Console>...
  • Page 553: Downloading System Software Images Using Rcp

    Chapter 25 Working with System Software Images Downloading System Software Images Using rcp Uploading Software Images to a TFTP Server To upload a software image on a switch to a TFTP server for storage, perform these steps: Step 1 Log into the switch through the console port or a Telnet session. Step 2 Upload the software image to the TFTP server with the copy flash tftp command.
  • Page 554: Downloading Supervisor Engine Images Using Rcp

    Chapter 25 Working with System Software Images Downloading System Software Images Using rcp
    • If you are accessing the switch through the console or a Telnet session without a valid username, make sure that the current rcp username is the one you want to use for the rcp download. You can enter the show users command to view the current valid username.
  • Page 555: Example Rcp Download Procedures

    Chapter 25 Working with System Software Images Downloading System Software Images Using rcp Step 3 Enter the command appropriate for your switch and supervisor engine to download the software image from the rcp server:
    • If there is only one module of the type appropriate for the image, or if there are multiple modules of the same type and you want to update the image on all of them, enter the copy rcp flash command.
  • Page 556 This command will reset the system. Do you want to continue (y/n) [n]? y
        Console> (enable) 09/2/1999,13:51:39:SYS-5:System reset from Console//
        System Bootstrap, Version 4.2
        Copyright (c) 1994-1999 by cisco Systems, Inc.
        Presto processor with 32768 Kbytes of main memory
        Autoboot executing command: "boot bootflash:cat6000-sup.5-2-1-csx.bin"
        CCCC...
  • Page 557 Chapter 25 Working with System Software Images Downloading System Software Images Using rcp
        Enter password:
        09/2/1999,13:52:51:SYS-5:Module 1 is online
        09/2/1999,13:53:11:SYS-5:Module 4 is online
        09/2/1999,13:53:11:SYS-5:Module 5 is online
        09/2/1999,13:53:14:PAGP-5:Port 1/1 joined bridge port 1/1.
        09/2/1999,13:53:14:PAGP-5:Port 1/2 joined bridge port 1/2.
        09/2/1999,13:53:40:SYS-5:Module 2 is online
        09/2/1999,13:53:45:SYS-5:Module 3 is online
        Console>...
  • Page 558: Uploading System Software Images To An Rcp Server

    Chapter 25 Working with System Software Images Uploading System Software Images to an rcp Server This example shows a complete rcp download procedure of an ATM software image to multiple ATM modules:
        Console> (enable) show version 4
        Mod Port Model      Serial #  Versions
        --- ---- ---------- --------- ----------------------------------------...
  • Page 559: Preparing To Upload An Image To An Rcp Server

    Chapter 25 Working with System Software Images Downloading Software Images Over a Serial Connection on the Console Port Preparing to Upload an Image to an rcp Server Before you attempt to upload a software image to an rcp server, do the following: Ensure that the workstation acting as the rcp server is configured properly.
  • Page 560: Preparing To Download An Image Using Kermit

    Chapter 25 Working with System Software Images Downloading Software Images Over a Serial Connection on the Console Port Preparing to Download an Image Using Kermit Before you begin a serial download of a software image using Kermit, make sure of the following:
    • On a UNIX workstation, make sure your shell window is local (not an rlogin window to a different...
  • Page 561: Downloading Software Images Using Kermit (Unix Procedure)

    Chapter 25 Working with System Software Images Downloading Software Images Over a Serial Connection on the Console Port Step 6 When prompted, confirm the download. Step 7 Enter the escape sequence Ctrl-]-c by holding down the Ctrl key while you press ], and then press c. At the Kermit>...
  • Page 562: Example Serial Software Image Download Procedures

    Chapter 25 Working with System Software Images Downloading Software Images Over a Serial Connection on the Console Port Step 3 At the C-Kermit> prompt, enter the connect command to connect to the switch. If your line and speed are set correctly, the switch Console> prompt appears. Step 4 Enter the enable command to enter privileged mode.
  • Page 563 Flash erase in progress ... Erase done Programming Flash: Flash Programming Complete The system needs to be reset to run the new image. Cisco Systems Console Enter password: Mon Apr 06, 1998, 14:35:08 Console>
  • Page 564 Type the escape character followed by C to get back, or followed by ? to see other options. Download OK Initializing Flash Programming Flash Base..Code..Length..Time..Done Cisco Systems Console Enter password: Mon Apr 06, 1998, 17:35:08 Console>
  • Page 565: Downloading A System Image Using Xmodem Or Ymodem

    Step 1 Place a supervisor engine software image on the computer’s hard drive. You can download an image from Cisco.com. Step 2 To download from a local computer, connect the console port (port mode switch in the in position) to a serial port on the computer, using a null-modem cable.
  • Page 566 Chapter 25 Working with System Software Images Downloading a System Image Using Xmodem or Ymodem Note: If you are transferring from a local computer, you may need to configure the terminal emulation program to ignore RTS/DTR signals. Step 3 To download from a remote computer: Connect a modem to the console port and to the telephone network.
  • Page 567: Chapter 26 Working With Configuration Files

    CHAPTER Working with Configuration Files This chapter describes how to work with switch configuration files on the Catalyst 6000 family switches. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 568: Creating A Configuration File

    Chapter 26 Working with Configuration Files Working with Configuration Files on the Switch Use the following guidelines when creating a configuration file:
    • We recommend that you connect through the console port when using configuration files to configure the switch. If you configure the switch from a Telnet session, IP addresses are not changed, and ports and modules are not disabled.
  • Page 569: Downloading Configuration Files To The Switch Using Tftp

    Chapter 26 Working with Configuration Files Working with Configuration Files on the Switch Downloading Configuration Files to the Switch Using TFTP You can configure the switch using configuration files you create or download from another switch. In addition, you can store configuration files on Flash devices on hardware that supports the Flash file system, and you can configure the switch using a configuration stored on a Flash device.
  • Page 570 Chapter 26 Working with Configuration Files Working with Configuration Files on the Switch This example shows how to configure the switch using a configuration file downloaded from a TFTP server:
        Console> (enable) copy tftp config
        IP address or name of remote host []? 172.20.52.3
        Name of file to copy from []? dns-config.cfg
        Configure using tftp:dns-config.cfg (y/n) [n]? y
        Finished network download.
  • Page 571: Uploading Configuration Files To A Tftp Server

    Chapter 26 Working with Configuration Files Working with Configuration Files on the Switch Uploading Configuration Files to a TFTP Server These sections describe how to upload the running configuration or a configuration file stored on a Flash device to a TFTP server: •...
  • Page 572: Copying Configuration Files Using Rcp

    Chapter 26 Working with Configuration Files Working with Configuration Files on the Switch This example shows how to upload the running configuration to a TFTP server for storage:
        Console> (enable) copy config tftp
        IP address or name of remote host []? 172.20.52.3
        Name of file to copy to []? cat6000_config.cfg
        Upload configuration to tftp:cat6000_config.cfg, (y/n) [n]? y
        ..
  • Page 573: Uploading Configuration Files To An Rcp Server

    Chapter 26 Working with Configuration Files Working with Configuration Files on the Switch
    • If you are accessing the switch through the console or a Telnet session without a valid username, make sure that the current rcp username is the one you want to use for the rcp download. You can enter the show users command to view the current valid username.
  • Page 574: Clearing The Configuration

    Chapter 26 Working with Configuration Files Working with Configuration Files on the Switch Preparing to Upload a Configuration File to an rcp Server Before you attempt to upload a configuration file to an rcp server, do the following:
    • Ensure that the workstation acting as the rcp server is configured properly.
    •...
  • Page 575: Working With Configuration Files On The Msfc

    Chapter 26 Working with Configuration Files Working with Configuration Files on the MSFC This example shows how to clear the configuration for the entire switch:
        Console> (enable) clear config all
        This command will clear all configuration in NVRAM.
        This command will cause ifIndex to be reassigned on the next system startup.
        Do you want to continue (y/n) [n]? y
        ..
  • Page 576: Uploading the Configuration File to a TFTP Server

    If you replace the MSFC, you need to replace the entire configuration. If you upload (copy) the configuration file to a remote server before removing the MSFC, you can retrieve it later and write it into NVRAM on the new MSFC.
  • Page 577: Uploading the Configuration File to the Supervisor Engine Flash PC Card

    If you are unable to copy the configuration to a remote host successfully, contact your network administrator or see http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for instructions on contacting the technical assistance center. ...
  • Page 578 If you are unable to retrieve the configuration, contact your network administrator or see http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for instructions on contacting the technical assistance center. Step 9 Enter the write term command to display the currently running configuration on the terminal. Review the display and ensure that the configuration information is complete and correct.
  • Page 579: Downloading the Configuration File from the Supervisor Engine Flash PC Card

    Step 10 When you have verified that the currently running configuration is correct, enter the copy running-config startup-config command to save the retrieved configuration in NVRAM. Otherwise, you will lose the new configuration if you restart the system. This completes the procedure for downloading (retrieving) the configuration file.
  • Page 580 Chapter 26 Working with Configuration Files Working with Configuration Files on the MSFC Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4 26-14 78-13315-02...
  • Page 581: Chapter 27 Configuring System Message Logging

    Configuring System Message Logging. This chapter describes how to configure system message logging on the Catalyst 6000 family switches. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 582 Table 27-1 describes the facility types supported by the system message logs. Table 27-1 System Message Log Facility Types Facility Name Definition All facilities ACL facility Cisco Discovery Protocol cops Common Open Policy Server Dynamic Trunking Protocol dvlan Dynamic VLAN earl...
  • Page 583: System Log Message Format

    Table 27-1 System Message Log Facility Types (continued) Facility Name Definition telnet Terminal Emulation Protocol tftp Trivial File Transfer Protocol udld User Datagram Protocol vmps VLAN Membership Policy Server VLAN Trunking Protocol Table 27-2 describes the severity levels supported by the system message logs.
  • Page 584: Default System Message Logging Configuration

    This example shows typical switch system messages (at system startup):
    1999 Apr 16 10:01:26 %MLS-5-MLSENABLED:IP Multilayer switching is enabled
    1999 Apr 16 10:01:26 %MLS-5-NDEDISABLED:Netflow Data Export disabled
    1999 Apr 16 10:01:26 %SYS-5-MOD_OK:Module 1 is online
    1999 Apr 16 10:01:47 %SYS-5-MOD_OK:Module 3 is online
    1999 Apr 16 10:01:42 %SYS-5-MOD_OK:Module 6 is online
    1999 Apr 16 10:02:27 %PAGP-5-PORTTOSTP:Port 3/1 joined bridge port 3/1
    ...
  • Page 585: Enabling and Disabling Session Logging Settings

    • Configuring syslog Servers, page 27-7 • Displaying the Logging Configuration, page 27-9 • Displaying System Messages, page 27-10. Enabling and Disabling Session Logging Settings: By default, system logging messages are sent to console and Telnet sessions based on the default logging facility and severity values.
  • Page 586: Setting the System Message Logging Levels

    You can set the severity level for each logging facility using the set logging level command. Enter the all keyword to specify all facilities. Enter the default keyword to make the specified severity level the default for the specified facilities.
  • Page 587: Configuring the syslog Daemon on a UNIX syslog Server

    This example shows how to set the logging buffer size to 200 messages:
    Console> (enable) set logging buffer 200
    System logging buffer size set to <200>
    Console> (enable)
    Configuring the syslog Daemon on a UNIX syslog Server: Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server.
  • Page 588 Step 3 Enable system message logging to configured syslog servers: set logging server enable. Step 4 Verify the configuration: show logging [noalias]. You can configure a maximum of three syslog servers. This example shows how to specify a syslog server, set the facility and severity levels, and enable logging to the server: Console>...
  • Page 589: Displaying the Logging Configuration

    Enter the show logging command to display the current system message logging configuration. Enter the noalias keyword to display the IP addresses instead of the host names of the configured syslog servers.
  • Page 590: Displaying System Messages

    0(emergencies) 1(alerts) 2(critical) 3(errors) 4(warnings) 5(notifications) 6(information) 7(debugging)
    Console> (enable)
    Displaying System Messages: Enter the show logging buffer command to display the messages in the switch logging buffer. If you do not specify number_of_messages, the default is to display the last 20 messages in the buffer (-20).
  • Page 591: Chapter 28 Configuring DNS

    Configuring DNS. This chapter describes how to configure the Domain Name System (DNS) on the Catalyst 6000 family switches. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 592: Configuring DNS

    These sections describe how to configure DNS: • Setting Up and Enabling DNS, page 28-2 • Clearing a DNS Server, page 28-3 • Clearing the DNS Domain Name, page 28-3 • Disabling DNS, page 28-3 ...
  • Page 593: Clearing a DNS Server

    To clear DNS servers from the DNS server table, perform this task in privileged mode: Step 1 Remove one or all of the DNS servers from the table: clear ip dns server [ip_addr | all].
  • Page 595: Configuring CDP

    CDP is a media- and protocol-independent protocol that runs on all Cisco-manufactured equipment including routers, bridges, access and communication servers, and switches. Using CDP, you can view information about all the Cisco devices directly attached to the switch. In addition, CDP detects native VLAN and port duplex mismatches.
  • Page 596: Default CDP Configuration

    Table 29-1 shows the default CDP configuration.
    Table 29-1 CDP Default Configuration
    Feature: Default Value
    CDP global enable state: Enabled
    CDP port enable state: Enabled on all ports
    CDP message interval: 60 seconds
    CDP holdtime: 180 seconds
    ...
  • Page 597: Setting the CDP Enable and Disable States on a Port

    You can enable or disable CDP on a per-port basis. You must enable CDP globally before the switch will transmit CDP messages on any ports. To set the CDP enable state on a per-port basis, perform this task in privileged mode: ...
  • Page 598: Setting the CDP Message Interval

    The CDP message interval specifies how often the switch will transmit CDP messages to directly connected Cisco devices. To set the default CDP message interval, perform this task in privileged mode: Step 1 Set the default CDP message interval.
  • Page 599: Displaying CDP Neighbor Information

    To display information about directly connected Cisco devices, enter the show cdp neighbors command. Enter the vlan keyword to display the native VLAN for the connected ports. Enter the duplex keyword to display the duplex mode for the connected ports. Enter the capabilities keyword to display the device capability codes for the connected device.
  • Page 600 Version: WS-C2948 Software, Version McpSW: 5.1(57) NmpSW: 5.1(1) Copyright (c) 1995-1999 by Cisco Systems, Inc. Platform: WS-C2948 Port-ID (Port on Neighbors's Device): 2/2 VTP Management Domain: Lab_Network Native VLAN: 522 Duplex: full Console> (enable) ...
  • Page 601: Chapter 30 Configuring UDLD

    Configuring UDLD. This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 6000 family switches. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 602: Default UDLD Configuration

    The switch periodically transmits UDLD messages (packets) to neighbor devices on ports with UDLD enabled. If the messages are echoed back to the sender within a specific time frame and they are lacking a specific acknowledgment (echo), the link is flagged as unidirectional and the port is shut down.
  • Page 603: Configuring UDLD

    These sections describe how to configure UDLD: • Enabling UDLD Globally, page 30-3 • Enabling UDLD on Individual Ports, page 30-3 • Disabling UDLD on Individual Ports, page 30-4 • Disabling UDLD Globally, page 30-4 ...
  • Page 604: Disabling UDLD on Individual Ports

    To disable UDLD on individual ports, perform this task in privileged mode: Step 1 Disable UDLD on a specific port: set udld disable mod/port. Step 2 Verify the configuration: show udld port [mod[/port]]. This example shows how to disable UDLD on port 4/1: Console>...
  • Page 605: Enabling UDLD Aggressive Mode

    Software release 5.4(3) and later releases have UDLD aggressive mode. UDLD aggressive mode is disabled by default and its use is recommended only for point-to-point links between Cisco switches running software release 5.4(3) or later releases. With UDLD aggressive mode enabled, when a port on a bidirectional link which has a UDLD neighbor relationship established stops receiving UDLD packets, UDLD tries to reestablish the connection with the neighbor.
  • Page 606 This example shows how to display the UDLD enable state: Console> (enable) show udld UDLD : enabled Message Interval : 15 seconds Console> (enable) To display UDLD configuration for a module or port, perform this task in privileged mode: Display the UDLD configuration for a module or...
  • Page 607: Chapter 31 Configuring NTP

    Configuring NTP. This chapter describes how to configure the Network Time Protocol (NTP) on the Catalyst 6000 family switches. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 608: NTP Default Configuration

    Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that you obtain the time service for your network from the public NTP servers available in the IP Internet.
  • Page 609: Enabling NTP in Broadcast-Client Mode

    • Clearing NTP Servers, page 31-7 • Disabling NTP, page 31-8. Enabling NTP in Broadcast-Client Mode: Configure the switch in NTP broadcast-client mode if an NTP broadcast server, such as a router, regularly broadcasts time-of-day information on the network. To compensate for any server-to-client packet latency, you can specify an NTP broadcast delay (a time adjustment factor for the receiving of broadcast packets by the switch).
  • Page 610: Configuring Authentication in Client Mode

    This example shows how to configure the NTP server address, enable NTP client mode on the switch, and verify the configuration:
    Console> (enable) set ntp server 172.20.52.65
    NTP server 172.20.52.65 added.
    Console> (enable) set ntp client enable
    NTP Client mode enabled
    Console>...
  • Page 611: Setting the Time Zone

    This example shows how to configure the NTP server address, enable NTP client and authentication modes on the switch, and verify the configuration:
    Console> (enable) set ntp server 172.20.52.65 key 879
    NTP server 172.20.52.65 with key 879 added.
    Console>...
  • Page 612 To enable the daylight saving time clock adjustment following the U.S. rules, perform this task in privileged mode: Step 1 Enable the daylight saving time clock adjustment: set summertime enable [zone_name]; set summertime recurring. Step 2 Verify the configuration.
  • Page 613: Disabling the Daylight Saving Time Adjustment

    This example shows how to set the nonrecurring daylight saving time clock adjustment on April 30, 1999 at 11:32, ending on February 1, 2003 at 12:02 a.m., with an offset of 50 minutes:
    Console> (enable) set summertime date apr 13 2000 4:30 jan 21 2002 5:30 1440
    Summertime is disabled and set to ''
    Start : Thu Apr 13 2000, 04:30:00
    : Mon Jan 21 2002, 05:30:00...
  • Page 614: Disabling NTP

    This example shows how to clear an NTP server address from the NTP server table:
    Console> (enable) clear ntp server 172.16.64.10
    NTP server 172.16.64.10 removed.
    Console> (enable)
    Disabling NTP: To disable NTP broadcast-client mode on the switch, perform this task in privileged mode: Step 1...
  • Page 615: Chapter 32 Configuring Broadcast Suppression

    Configuring Broadcast Suppression. This chapter describes how to configure broadcast suppression on the Catalyst 6000 family switches. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 616: Configuring Broadcast Suppression

    [Figure 32-1 Broadcast Suppression: a plot of the total number of broadcast packets or bytes against time, with the threshold drawn as a horizontal line.] The broadcast suppression threshold numbers and the time interval make the broadcast suppression algorithm work with different levels of granularity. A higher threshold allows more broadcast packets to pass through.
  • Page 617: Enabling Broadcast Suppression

    To enable broadcast suppression for one or more ports, perform this task in privileged mode: Step 1 Configure the broadcast suppression threshold for one or more ports as a percentage of total bandwidth: set port broadcast mod/port threshold% [multicast {enable | disable}] [unicast {enable | ...
  • Page 618: Disabling Broadcast Suppression

    To disable broadcast suppression on one or more ports, perform this task in privileged mode: Disable broadcast suppression on one or more ports: clear port broadcast mod/port. This example shows how to disable broadcast suppression on one or more ports: Console>...
  • Page 619: Configuring Layer 3 Protocol Filtering

    Layer 3 protocol filtering is not performed on trunk ports. Layer 2 protocols, such as Spanning Tree Protocol (STP) and Cisco Discovery Protocol (CDP), are not affected by Layer 3 protocol filtering. Dynamic ports and ports that have port security enabled are members of all protocol groups.
  • Page 620: Default Layer 3 Protocol Filtering Configuration

    For example, if a host that supports both IP and Internetwork Packet Exchange (IPX) is connected to a switch port configured as auto for IPX, but the host is transmitting only IP traffic, the port to which the host is connected will not forward any IPX flood traffic to the host.
  • Page 621: Enabling Layer 3 Protocol Filtering

    To configure Layer 3 protocol filtering on Ethernet ports, perform this task in privileged mode: Step 1 Enable Layer 3 protocol filtering on the switch: set protocolfilter enable. Step 2 Set the protocol membership of the desired ports.
  • Page 623: Chapter 34 Configuring the IP Permit List

    Configuring the IP Permit List. This chapter describes how to configure the IP permit list on the Catalyst 6000 family switches. The functionality of the IP permit list can also be achieved with VLAN access control lists (VACLs). Note: Because VACLs are handled by hardware (Policy Feature Card [PFC]), VACL processing is considerably faster than IP permit list processing.
  • Page 624: IP Permit List Default Configuration

    If you do not specify the mask for an IP permit list entry, or if you enter a host name instead of an IP address, the mask has an implicit value of all bits set to one (255.255.255.255 or 0xffffffff), which matches only the IP address of that host.
  • Page 625: Enabling the IP Permit List

    This example shows how to add IP addresses to the IP permit list and verify the configuration:
    Console> (enable) set ip permit 172.16.0.0 255.255.0.0 telnet
    172.16.0.0 with mask 255.255.0.0 added to telnet permit list.
    Console>...
  • Page 626: Disabling the IP Permit List

    Console> (enable) show ip permit
    Telnet permit list feature enabled.
    Snmp permit list feature disabled.
    Permit List       Mask              Access-Type
    ----------------  ----------------  ---------------
    172.16.0.0        255.255.0.0       telnet
    172.20.52.3                         snmp telnet
    172.20.52.32      255.255.255.224   snmp
    ...
  • Page 627 To clear an IP permit list entry, perform this task in privileged mode: Step 1 Disable the IP permit list: set ip permit disable [telnet | snmp | ssh]. Step 2 Specify the IP address to remove from the IP ... : clear ip permit {ip_address [mask] | all} [telnet |...
  • Page 629: Chapter 35 Configuring Port Security

    Configuring Port Security. This chapter describes how to configure port security on the Catalyst 6000 family switches. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 630: Restricting Traffic Based on the Host MAC Address

    After you allocate the maximum number of MAC addresses on a port, you can either specify the secure MAC address for the port manually or you can have the port dynamically configure the MAC address of the connected devices.
  • Page 631: Port Security Configuration Guidelines

    Follow these guidelines when configuring port security: • You cannot configure port security on a trunk port. • You cannot enable port security on a SPAN destination port and vice versa. ...
  • Page 632: Setting the Maximum Number of Secure MAC Addresses

    Port   Security  Secure-Src-Addr    Last-Src-Addr      Shutdown  Trap      IfIndex
    -----  --------  -----------------  -----------------  --------  --------  -------
           enabled   00-90-2b-03-34-08  00-90-2b-03-34-08  No        disabled  1081
    Port   Broadcast-Limit  Broadcast-Drop
    -----  ---------------  --------------
    Port   Align-Err  FCS-Err  Xmit-Err  Rcv-Err  UnderSize
    -----  ---------  -------  --------  -------  ---------
    Port   Single-Col  Multi-Coll  Late-Coll...
  • Page 633: Setting the Port Security Age Time

    This example shows how to reduce the number of MAC addresses and the list that displays the cleared MAC addresses:
    Console> (enable) set port security 7/7 maximum 18
    Maximum number of secure addresses set to 18 for port 7/7
    00-11-22-33-44-55 cleared from secure address list for port 7/7
    00-11-22-33-44-66 cleared from secure address list for port 7/7
    Console>...
  • Page 634: Specifying The Security Violation Action

    This example shows how to clear all MAC addresses from ports 7/5-7:
    Console> (enable) clear port security 7/5-7 all
    All addresses cleared from secure address list for ports 7/5-7
    Console> (enable)
    Specifying the Security Violation Action: You can set the port for the following two modes to handle a security violation: ...
  • Page 635: Disabling Port Security

    This example shows how to set the shutdown timeout to 600 minutes on port 7/7:
    Console> (enable) set port security 7/7 shutdown 600
    Secure address shutdown time set to 600 minutes for port 7/7.
    Console>...
  • Page 636: Displaying Port Security

    This example shows how to display the static CAM entries:
    Console> show cam static
    VLAN  Dest MAC/Route Des  [CoS]  Destination Ports or VCs / [Protocol Type]
    ----  ------------------  -----  -------------------------------------------
          04-04-05-06-07-08          FILTER
    Displaying Port Security: The show port security command displays the following information: ...
  • Page 637 This example shows how to display port security statistics on a module: Console> (enable) show port security statistics 7 Port Total-Addrs Maximum-Addrs ----- ----------- ------------- 7/10 7/11 7/12 7/13 7/14 7/15 7/16 7/17 7/18 7/19...
  • Page 639: Chapter 36 Configuring SNMP

    Configuring SNMP. This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the Catalyst 6000 family switches. This chapter consists of these sections: • SNMP Terminology, page 36-1 • Understanding SNMP, page 36-3 ...
  • Page 640 HMAC MD5 or SHA algorithms and encrypts the packet using the CBC-DES (DES-56) algorithm. security model The security strategy used by the SNMP agent. Currently, Cisco IOS supports three security models: SNMPv1, SNMPv2c, and SNMPv3. Simple Network Management...
  • Page 641: Understanding SNMP

    Table 36-1 SNMP Terminology (continued). SNMP engine: A copy of SNMP that can reside on the local or remote device. SNMP entity: Unlike SNMPv1 and SNMPv2c, in SNMPv3 the terms SNMP Agents and SNMP Managers are no longer used. These concepts have been combined and called an SNMP entity.
  • Page 642: Security Models and Levels

    A security model is an authentication strategy that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet.
  • Page 643: SNMP ifIndex Persistence Feature

    The SNMP ifIndex persistence feature is always enabled. With the ifIndex persistence feature, the ifIndex value of the port and VLAN is always retained and used after the following occurrences: ...
  • Page 644: Using CiscoWorks2000

    CiscoWorks2000 is a family of Web-based and management platform-independent products for managing Cisco enterprise networks and devices. CiscoWorks2000 includes Resource Manager Essentials and CWSI Campus, which allow you to deploy, configure, monitor, manage, and troubleshoot a switched internetwork. For more information, refer to the following publications: • Getting Started With Resource Manager Essentials ...
  • Page 645: Understanding SNMPv3

    SNMPv3 contains all the functionality of SNMPv1 and SNMPv2c, but SNMPv3 has significant enhancements to administration and security. SNMPv3 is an interoperable standards-based protocol and provides secure access to devices by authenticating and encrypting packets over the network. The security features provided in SNMPv3 are as follows: • Message integrity—Collects data securely without being tampered with or corrupted ...
  • Page 646 [Figure 36-1 SNMP Entity for Traditional SNMP Agents: the SNMP entity contains an SNMP engine made up of a dispatcher (transport mapping, message dispatcher), a message processing subsystem (v1 MP, v2c MP, other), a security subsystem (user-based security model, other), and an access control subsystem (view-based access control model, other).]
  • Page 647: Applications

    Each incoming message is passed to the security subsystem from the message processing subsystem. If required, the security subsystem checks the authentication code and performs decryption. The processed message is returned to the message processing subsystem. An implementation of the security subsystem may support one or more distinct security models.
  • Page 648: Configuring SNMPv1 and SNMPv2c

    This section provides basic SNMPv1 and SNMPv2c configuration information. For detailed information on the SNMP commands supported by the Catalyst 6000 family switches, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 649: Configuring SNMPv3

    Console> (enable) set snmp trap 172.16.10.20 read-write-all
    SNMP trap receiver added.
    Console> (enable) set snmp trap enable all
    All SNMP traps enabled.
    Console> (enable) show snmp
    RMON: Disabled
    Extended RMON: Extended RMON module is not present
    Traps Enabled: Port,Module,Chassis,Bridge,Repeater,Vtp,Auth,ippermit,Vmps,config,entity,stpx
    Port Traps Enabled: 1/1-2,4/1-48,5/1...
  • Page 650: Configuring SNMPv3 from the CLI

    To configure SNMPv3 from the command-line interface (CLI), perform this task in privileged mode: Step 1 Set the SNMP-Server EngineID name for the local SNMP engine: set snmp engineid engineid. Step 2 Configure the MIB views.
  • Page 651 This example shows how to set the access rights for a group called guestgroup to SNMPv3 authentication read mode: Console> (enable) set snmp access guestgroup security-model v3 authentication read interfacesMibView Snmp access group was set to guestgroup version v3 level authentication, readview interfacesMibView, context match:exact, nonvolatile.
  • Page 652 This example shows how to verify the SNMPv3 setup for guestuser1 from a workstation: workstation% getnext -v3 10.6.4.201 guestuser1 ifDescr.0 Enter Authentication password :guestuser1password Enter Privacy password :privacypasswd1 ifDescr.1 = sc0 This example shows how to verify the SNMPv3 setup for guestgroup in the snmpEngineID MIB from a workstation: workstation% getnext -v3 10.6.4.201 guestuser1 snmpEngineID Enter Authentication password :guestuser1pasword...
  • Page 653: Chapter 37 Configuring RMON

    Configuring RMON. This chapter describes how to configure RMON on the Catalyst 6000 family switches. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication. This chapter consists of these sections: • Understanding How RMON Works, page 37-1 ...
  • Page 654: Enabling RMON

    The embedded RMON agent allows the switch to monitor network traffic from all ports simultaneously at Layer 2 without requiring a dedicated monitoring probe or network analyzer. For more information on RMON, visit: http://www.cisco.com/en/US/docs/internetworking/technology/handbook/RMON.html Enabling RMON RMON is disabled by default.
  • Page 655 Supported RMON and RMON2 MIB Objects. Table 37-1 Supervisor Engine RMON and RMON2 Support, Object Identifier (OID) and Description, Source: ...mib-2(1).rmon(16).statistics(1).etherStatsTable(1), RFC 1757 (RMON-MIB), counters for packets, octets, broadcasts, errors, etc. ...mib-2(1).rmon(16).history(2).historyControlTable(1), RFC 1757 (RMON-MIB). ...mib-2(1).rmon(16).history(2).etherHistoryTable(2), RFC 1757 (RMON-MIB), periodically samples and saves statistics group counters for later retrieval.
  • Page 657: Chapter 38 Configuring SPAN and RSPAN

    Configuring SPAN and RSPAN. This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 6000 family switches. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 658: SPAN Session

    A SPAN session is an association of a destination port with a set of source ports, configured with parameters that specify the monitored network traffic. You can configure multiple SPAN sessions in a switched network.
  • Page 659: Ingress Span

    The destination port, if it belongs to any of the administrative source VLANs, is excluded from the operational source. You can configure a port as a source port in multiple active SPAN sessions, but you cannot configure an active source port as a destination port for any SPAN session.
  • Page 660: Trunk Vlan Filtering

    Trunk VLAN Filtering
    Trunk VLAN filtering is analysis of network traffic on a selected set of VLANs on trunk source ports. You can combine trunk VLAN filtering with other source ports that belong to any of the selected VLANs, and you can also use trunk VLAN filtering for RSPAN.
  • Page 661: Configuring Span

    Configuring SPAN
    These sections describe how to configure SPAN:
    • SPAN Hardware Requirements, page 38-5
    • Understanding How SPAN Works, page 38-5
    • SPAN Configuration Guidelines, page 38-6
    • Configuring SPAN from the CLI, page 38-7
    ...
  • Page 662: Span Configuration Guidelines

    SPAN Configuration Guidelines
    Follow these guidelines when configuring SPAN:
    • Use a network analyzer to monitor ports.
    • For SPAN source ports, SPAN is not supported with ATM ports; it works with Ethernet ...
  • Page 663: Configuring Span From The Cli

    Configuring SPAN from the CLI
    To configure SPAN, you specify the source, the destination port, the direction of the traffic through the source that you want to mirror to the destination port, and whether or not the destination port can receive packets.
  • Page 664: Configuring Rspan

    Destination      : Port 2/12
    Admin Source     : VLAN 522
    Oper Source      : Port 2/1-2
    Direction        : transmit
    Incoming Packets : enabled
    Learning         : enabled
    Multicast        : enabled
    Filter           :
    Console> (enable)
    This example shows how to set port 3/2 as the SPAN source and port 2/2 as the SPAN destination:
    Console> ...
  • Page 665: Rspan Hardware Requirements

    – For destination or intermediate switches: any Cisco switch supporting the RSPAN VLAN
    • No third-party switches, and no Cisco switches that do not support RSPAN, can be placed in the end-to-end path for RSPAN traffic.
    Understanding How RSPAN Works
    See the “Understanding How SPAN and RSPAN Works” section on page 38-1...
  • Page 666: Rspan Configuration Guidelines

    Figure 38-2 RSPAN Configuration (figure: the probe hangs off the destination switch, Switch D, in the data center; the intermediate switch, Switch C, at the distribution layer connects over Layer 2 trunks to the source switches, Switch A and Switch B, at the access layer, with source ports B1 and B2)
    RSPAN Configuration Guidelines
    Follow these guidelines when configuring RSPAN: ...
  • Page 667: Configuring Rspan

    • Each Catalyst 6000 family switch can source a maximum of one RSPAN session (ingress, egress, or both).
    • When you configure a remote ingress or bidirectional SPAN session in a source switch, the limit for local ingress or bidirectional SPAN sessions is reduced to one.
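    A mirror destination is a tap on every monitored VLAN, so the rules quoted on page 659 and here (the operational source is the administrative source with the destination port removed; a port may be a source in several active sessions but an active source may never be a destination; a switch sources at most one RSPAN session) are worth checking mechanically before a session definition is trusted. The Python below is an added example, not code from the guide: the session list and VLAN membership table are constructed here to reproduce the show span output on page 664 (admin source VLAN 522, destination port 2/12, operational source 2/1-2), and the checker implements only the rules quoted above.

```python
from collections import namedtuple

# One session as the CLI describes it.  kind is "span" (local destination port) or
# "rspan" (the copy goes into the RSPAN VLAN and across trunks, so dest_port is None).
Session = namedtuple("Session", "name kind src_ports src_vlans dest_port")


def operational_source(session, vlan_members):
    """Page 659: every port of an administrative source VLAN joins the operational
    source, and the destination port is excluded if it belongs to one of those VLANs."""
    ports = set(session.src_ports)
    for vlan in session.src_vlans:
        ports.update(vlan_members.get(vlan, ()))
    ports.discard(session.dest_port)
    return frozenset(ports)


def check_sessions(sessions, vlan_members):
    """Return the list of rule violations; an empty list means the set is consistent.
    A port may be a source in several sessions (nothing to check), but an active
    source may not be any session's destination, and a switch may source at most
    one RSPAN session (page 667)."""
    oper = {s.name: operational_source(s, vlan_members) for s in sessions}
    active_sources = set().union(*oper.values())
    problems = []
    for s in sessions:
        if s.kind == "span" and s.dest_port in active_sources:
            problems.append("%s: destination %s is an active SPAN source port"
                            % (s.name, s.dest_port))
    rspan_sources = [s.name for s in sessions if s.kind == "rspan"]
    if len(rspan_sources) > 1:
        problems.append("switch would source %d RSPAN sessions (%s); the limit is one"
                        % (len(rspan_sources), ", ".join(rspan_sources)))
    return problems


# Constructed VLAN membership table matching the show span output on page 664:
# admin source VLAN 522, destination port 2/12, operational source 2/1-2.
VLAN_MEMBERS = {522: ["2/1", "2/2", "2/12"]}

SESSIONS = [
    Session("monitor-522", "span", (), (522,), "2/12"),
    # destination 2/2 is already an active source of monitor-522, so this is rejected
    Session("tap-3-2", "span", ("3/2",), (), "2/2"),
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s.name, "operational source:", sorted(operational_source(s, VLAN_MEMBERS)))
    for problem in check_sessions(SESSIONS, VLAN_MEMBERS):
        print("violation:", problem)
```

    The first session reproduces the page 664 output (2/12 is dropped from its own VLAN source), the second is rejected because 2/2 is already being mirrored; the same checker also flags a second RSPAN source session on one switch.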
  • Page 668
    VLAN DynCreated RSPAN
    ---- ---------- --------
         static     disabled
         static     disabled
         static     disabled
         static     disabled
         static     enabled
    Console> (enable)
    To configure RSPAN source ports, perform this task in privileged mode:
    Task                                   Command
    Step 1  Configure RSPAN source ports.  ...
  • Page 669
    To configure RSPAN destination ports, perform this task in privileged mode:
    Task                                                                            Command
    Step 1  Configure RSPAN destination ports. Use this command on each of the     set rspan destination {mod/port} {rspan_vlan} [inpkts {enable | disable}] [learning {enable | ...
            destination switches participating in RSPAN.
  • Page 670: Rspan Configuration Examples

    RSPAN Configuration Examples
    These sections describe how to configure RSPAN:
    • Configuring a Single RSPAN Session, page 38-14
    • Modifying an Active RSPAN Session, page 38-15
    • Adding RSPAN Source Ports in Intermediate Switches, page 38-15
    ...
  • Page 671
    Modifying an Active RSPAN Session
    This example shows how to modify an active RSPAN session. Use Figure 38-3 for reference; see Table 38-3 for the commands needed to disable an RSPAN session and to add or remove source ports from an RSPAN session.
  • Page 672
    Configuring Multiple RSPAN Sessions
    This example shows how to configure multiple RSPAN sessions. Figure 38-5 shows an RSPAN configuration; see Table 38-5 for the configuration commands for this RSPAN session. This is a typical scenario in which the monitoring probes are placed in the data center and the source ports in the access switches (other ports in any of the switches can also be configured for RSPAN).
  • Page 673
    Adding Multiple Network Analyzers to an RSPAN Session
    You can attach multiple network analyzers (probes) to the same RSPAN session. For example, in Figure 38-6, you can add probe 3 in Switch B to monitor RSPAN VLAN 901 using the set rspan destination 1/2 901 command.
  • Page 675: Chapter 39 Using Switch Topn Reports

    Chapter 39: Using Switch TopN Reports
    This chapter describes how to use the Switch TopN Reports utility on the Catalyst 6000 family switches.
    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 676: Running Switch Topn Reports Without The Background Option

    Chapter 39 Using Switch TopN Reports, Understanding How the Switch TopN Reports Utility Works
    The Switch TopN Reports utility collects the following data for each physical port:
    • Port utilization (util)
    • Number of in/out bytes (bytes)
    • Number of in/out packets (pkts)
    ...
  • Page 677: Running And Viewing Switch Topn Reports

    Running and Viewing Switch TopN Reports
    You can terminate a Switch TopN process invoked with the background option only by entering the clear top [report_num] command. Pressing Ctrl-C does not terminate the process. Completed reports remain available for viewing until you remove them using the clear top {all | report_num} command.
  • Page 678
    This example shows how to run the Switch TopN Reports utility in the foreground:
    Console> (enable) show top 5 pkts
    Start Time: 06/16/1998,17:26:38
    End Time:   06/16/1998,17:27:09
    PortType:
    Metric:     pkts (Tx + Rx)
    Port  Band-  Uti  Bytes ...
  • Page 679
    Note: The clear top all command does not clear pending reports. Only the reports that have completed are cleared.
    This example shows how to remove a specific report and how to remove all stored reports:
    Console> ...
  • Page 681: Chapter 40 Configuring Multicast Services

    Chapter 40: Configuring Multicast Services
    This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping, GARP Multicast Registration Protocol (GMRP), and Router-Port Group Management Protocol (RGMP) on the Catalyst 6000 family switches.
    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 682: Multicasting And Multicast Services Overview

    Note: You can run IGMP snooping on any Catalyst 6000 family supervisor engine model (Supervisor Engine 1, Supervisor Engine 1A, and Supervisor Engine 2). A PFC is not required to enable IGMP snooping.
    Cisco Group Management Protocol (CGMP) is not supported on the Catalyst 6000 family switches, although CGMP server is supported on the MSFC.
  • Page 683 Chapter 40 Configuring Multicast Services, Understanding How Multicasting Works
    Joining a Multicast Group
    When a host wants to join an IP multicast group, it sends an IGMP join (also known as a join message) specifying the IP multicast group it wants to join (for example, group 224.1.2.3). The switch hardware recognizes that the packet is an IGMP report and redirects it to the switch CPU.
  • Page 684: Understanding How Gmrp Works

    IEEE. For detailed protocol operational information, refer to 802.1p. GMRP software components run on both the switch and on the host. (Cisco is not a source for GMRP host software.) On the host, in an IP multicast environment, you must use IGMP with GMRP; the host GMRP software spawns Layer 2 GMRP versions of the host’s Layer 3 IGMP control packets.
  • Page 685: Understanding How Rgmp Works

    Understanding How RGMP Works
    Without RGMP, all multicast routers receive all multicast data traffic entering the switch. With RGMP, a multicast router can request not to receive multicast traffic if that router has no downstream receivers for the multicast traffic.
  • Page 686: Enabling Installation Of Directly Connected Subnets

    Non-RPF multicast fast drop (MFD) rate limits packets that fail the RPF check (non-RPF packets) and drops the majority of the non-RPF packets in hardware. According to the multicast protocol specification, the router needs to see non-RPF packets for the PIM assert mechanism to work, so not all non-RPF packets can be dropped in hardware.
  • Page 687: Default Igmp Snooping Configuration

    • Disabling IGMP Fast-Leave Processing, page 40-12
    • Disabling IGMP Snooping, page 40-12
    Default IGMP Snooping Configuration
    Table 40-2 shows the default IGMP snooping configuration.
    Note: IGMP snooping is enabled by default in supervisor engine software release 5.5(9) and later releases and in 6.3(1) and later releases.
  • Page 688: Specifying Igmp Snooping Mode

    Specifying IGMP Snooping Mode
    IGMP snooping runs in either IGMP-only mode or IGMP-CGMP mode. The switch dynamically chooses either IGMP-only or IGMP-CGMP mode, depending on the traffic present on the network. IGMP-only mode is used in networks with no CGMP devices. IGMP-CGMP mode is used in networks with both IGMP and CGMP devices.
  • Page 689: Enabling Igmp Fast-Leave Processing

    This example shows how to enable IGMP rate limiting:
    Console> (enable) set igmp ratelimit enable
    IGMP Ratelimiting enabled
    Console> (enable)
    This example shows how to set the IGMP rate limit for MOSPF2 to 550 packets per every 30 seconds:
    Console> ...
  • Page 690: Displaying Multicast Group Information

    To display the dynamically learned multicast router information, perform these tasks in privileged mode:
    Task                                                                            Command
    Display information on dynamically learned and manually configured             show multicast router [mod/port] [vlan_id]
    multicast router ports.
    Display information only on those multicast router ports learned               show multicast router igmp [mod/port] ...
    dynamically using IGMP ...
  • Page 691: Displaying Igmp Snooping Statistics

    Task                                                                            Command
    Display the total number of multicast addresses (groups) in each VLAN.          show multicast group count [vlan_id]
    Display the total number of multicast addresses (groups) in each VLAN          show multicast group count igmp [vlan_id]
    that were learned dynamically through IGMP.
  • Page 692: Disabling Igmp Fast-Leave Processing

    Disabling IGMP Fast-Leave Processing
    To disable IGMP fast-leave processing, perform this task in privileged mode:
    Task                                                   Command
    Disable IGMP fast-leave processing on the switch.      set igmp fastleave disable
    This example shows how to disable IGMP fast-leave processing on the switch:
    Console> ...
  • Page 693: Gmrp Software Requirements

    Note: For an overview of GMRP operation, see the “Understanding How GMRP Works” section on page 40-4.
    GMRP Software Requirements
    GMRP requires supervisor engine software release 5.2 or later releases.
    Default GMRP Configuration
    Table 40-3 shows the default GMRP configuration.
  • Page 694: Enabling Gmrp On Individual Switch Ports

    Port based GMRP Configuration:
    Port                       GMRP Status  Registration  ForwardAll
    -------------------------  -----------  ------------  ----------
    1/1-2,3/1,6/1-48,7/1-24    Enabled      Normal        Disabled
    Console> (enable)
    Enabling GMRP on Individual Switch Ports
    Note: You can change the per-port GMRP configuration regardless of whether GMRP is enabled globally. However, GMRP will not function on any ports until you enable it globally.
  • Page 695: Enabling Gmrp Forward-All Option

    Task                                                   Command
    Step 1  Disable GMRP on individual switch ports.       set port gmrp disable mod/port
    Step 2  Verify the configuration.                      show gmrp configuration
    This example shows how to disable GMRP on ports 6/10–14 and verify the configuration:
    Console> ...
  • Page 696: Configuring Gmrp Registration

    This example shows how to disable the GMRP forward-all option on port 1/1:
    Console> (enable) set gmrp fwdall disable 1/1
    GMRP Forward All groups option disabled on port 1/1.
    Console> (enable)
    Configuring GMRP Registration
    These sections describe how to configure GMRP registration modes on switch ports:
    • ...
  • Page 697: Setting The Garp Timers

    Console> (enable) set gmrp registration fixed 2/10
    GMRP Registration is set fixed on port 2/10.
    Console> (enable) show gmrp configuration
    Global GMRP Configuration:
    GMRP Feature is currently enabled on this switch.
    GMRP Timers (milliseconds):
    Join     = 200
    Leave    = 600
    LeaveAll = 10000
    ...
  • Page 698
    Note: Modifying the GARP timer values affects the behavior of all GARP applications running on the switch, not just GMRP. (For example, GVRP uses the same timers.)
    Note: The only ports that send out GMRP LeaveAll messages are the ports that have previously received GMRP joins.
  • Page 699: Displaying Gmrp Statistics

    Displaying GMRP Statistics
    To display GMRP statistics on the switch, perform this task in privileged mode:
    Task                          Command
    Display GMRP statistics.      show gmrp statistics [vlan_id]
    This example shows how to display GMRP statistics for VLAN 23:
    Console> ...
  • Page 700: Configuring Multicast Router Ports And Group Entries

    This example shows how to disable GMRP globally on the switch:
    Console> (enable) set gmrp disable
    GMRP disabled.
    Console> (enable)
    Configuring Multicast Router Ports and Group Entries
    These sections describe how to specify multicast router ports manually and configure multicast group entries:
    • Specifying Multicast Router Ports, page 40-20
    ...
  • Page 701: Configuring Multicast Groups

    Configuring Multicast Groups
    To configure a multicast group manually, perform this task in privileged mode:
    Note: With software release 6.3(2) and later releases, the maximum number of Layer 2 multicast entries is 15488.
  • Page 702: Clearing Multicast Group Entries

    Clearing Multicast Group Entries
    To clear manually configured multicast group entries, perform this task in privileged mode:
    Task                                                   Command
    Clear a multicast group entry from the CAM table.      clear cam mac_addr [vlan]
    This example shows how to clear a multicast group entry from the CAM table:
    Console> ...
  • Page 703
    Task             Command
    Enable RGMP.     set rgmp enable
    Disable RGMP.    set rgmp disable
    This example shows how to enable RGMP:
    Console> (enable) set rgmp enable
    RGMP enabled.
    Console> (enable)
    This example shows how to disable RGMP:
    Console> ...
  • Page 704
    Task                                                   Command
    Display the RGMP statistics for a specified VLAN.      show rgmp statistics [vlan]
    This example shows how to display RGMP statistics:
    Console> (enable) show rgmp statistics 23
    RGMP enabled
    RGMP Statistics for vlan <23>:
    Receive:
      Valid pkts:20
      Hellos:10
    ...
  • Page 705: Configuring Rgmp On The Msfc

    Clearing RGMP Statistics
    This command clears stored RGMP statistics. To clear RGMP statistics, perform this task in privileged mode:
    Task                       Command
    Clear RGMP statistics.     clear rgmp statistics
    This example shows how to clear RGMP statistics:
    Console> ...
  • Page 706
    Displaying Multicast Protocol Status
    This example shows how to display the multicast protocol status:
    Console> (enable) show multicast protocols status
    IGMP disabled
    IGMP fastleave enabled
    RGMP enabled
    GMRP disabled
  • Page 707: Chapter 41 Configuring Qos

    Chapter 41: Configuring QoS
    This chapter describes how to configure quality of service (QoS) on the Catalyst 6000 family switches and includes the configuration information required to support Common Open Policy Service (COPS) and Resource ReSerVation Protocol (RSVP).
    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 708: Definitions

    Chapter 41 Configuring QoS, Understanding How QoS Works
    QoS sets Layer 2 and Layer 3 values in network traffic to a configured value or to a value based on received Layer 2 or Layer 3 values. IP traffic retains the Layer 3 value when it leaves the switch.
    These sections describe QoS:
    • ...
  • Page 709: Flowcharts

    • Scheduling is the assignment of traffic to a queue. QoS assigns traffic based on CoS values.
    • Congestion avoidance is the process by which QoS reserves ingress and egress port capacity for ...
  • Page 710
    Figure 41-2 Ethernet Ingress Port Classification, Marking, Scheduling, and Congestion Avoidance (flowchart: a frame enters the switch; the decisions “Port set to untrusted?” and “ISL or 802.1Q?” select what is applied to the frame before it reaches the switching engine)
  • Page 711
    Figure 41-3 Layer 3 Switching Engine Classification, Marking, and Policing (flowchart: from the ingress port or VLAN, the Layer 3 switching engine (PFC) applies the ACL(s); the decisions “Trust received DSCP?”, “Use received DSCP?” and “Match?” lead to the “Set DSCP” action)
  • Page 712
    Figure 41-4 Layer 2 Switching Engine Classification and Marking (flowchart: from the ingress port, the Layer 2 switching engine matches the destination MAC address/VLAN pair against the entries from the set qos mac-cos command and applies the configured CoS before the egress port)
    Figure 41-5 Multilayer Switch Feature Card Marking (MSFC and MSFC2) (flowchart: marking of traffic arriving from the PFC)
  • Page 713
    Figure 41-6 Ethernet Egress Port Scheduling, Congestion Avoidance, and Marking (flowchart: from the switching engine or MSFC into a 2q2t port with tail-drop thresholds; the high-priority standard queue is 100% available for CoS 6 and 7; for IP traffic the ToS byte is written into the packet)
  • Page 714: Qos Feature Set Summary

    Figure 41-7 Single-Port ATM OC-12 Switching Module Marking (flowchart: from the switching engine or MSFC; for IP traffic from the PFC, the ToS byte is written into the packet before the cell is transmitted)
    QoS Feature Set Summary
    The QoS feature set on your switch is determined by the switching engine on the supervisor engine.
  • Page 715
    Ethernet Ingress Port Features
    With any switching engine, QoS supports classification, marking, scheduling, and congestion avoidance using Layer 2 CoS values at Ethernet ingress ports. Classification, marking, scheduling, and congestion avoidance at Ethernet ingress ports do not use or set Layer 3 IP precedence or DSCP values. With a Layer 3 switching engine, you can configure Ethernet ingress port trust states that can be used by the switching engine to set Layer 3 IP precedence or DSCP values and the Layer 2 CoS value.
  • Page 716: Ethernet Ingress Port Marking, Scheduling, Congestion Avoidance, And Classification

    Ethernet Ingress Port Marking, Scheduling, Congestion Avoidance, and Classification
    These sections describe Ethernet ingress port marking, scheduling, congestion avoidance, and classification:
    • Overview, page 41-10
    • Marking at Untrusted Ports, page 41-11
    • Marking at Trusted Ports, page 41-11
    ...
  • Page 717
    Marking at Untrusted Ports
    QoS marks all frames received through untrusted ports with the port CoS value (the default is zero). QoS does not implement ingress port congestion avoidance on untrusted ports: the traffic goes directly to the switching engine.
  • Page 718
    1q4t ports have this default drop-threshold configuration:
    • Using receive-queue drop threshold 1, the switch drops incoming frames with CoS 0 or 1 when the receive-queue buffer is 50 percent or more full.
    • Using receive-queue drop threshold 2, the switch drops incoming frames with CoS 2 or 3 when the ...
  • Page 719
    Figure 41-8 Receive Queue Drop Thresholds (figure: drop threshold 4 at 100% of the buffer, reserved for CoS 6 and 7; drop threshold 3 at 80%, reserved for CoS 4 and higher; drop threshold 2 at 60%, reserved for CoS 2 and higher; drop threshold 1 at 50%, available for ...)
  • Page 720: Classification, Marking, And Policing With A Layer 3 Switching Engine

    Table 41-1 Marking Based on Per-Port Classification
    Port Keyword    ACE Keyword    Marking Rule
    untrusted       dscp           Set internal and egress DSCP as specified in the ACE.
    trust-ipprec    dscp           For IP traffic, set internal and egress DSCP from the received Layer 3 IP precedence value. ...
  • Page 721
    Internal DSCP Values
    These sections describe the internal DSCP values:
    • Internal DSCP Sources, page 41-15
    • Egress DSCP and CoS Sources, page 41-15
    Internal DSCP Sources
    During processing, the priority of all traffic (including non-IP traffic) is represented with an internal DSCP value.
  • Page 722
    Table 41-2 Supported Ethertype Field Values
    ACL Type   Ethertype Field Value               Protocol
    IP         0x0800                              IP
    IPX        0x8137 and 0x8138                   IPX
    MAC        0x0600 and 0x0601                   XNS
    MAC        0x0BAD and 0x0BAF                   Banyan VINES
    MAC        0x6000-0x6009 and 0x8038-0x8042     DECnet
    MAC        0x809b and 0x80f3                   AppleTalk
    1. ...
  • Page 723
    – Critical (IP precedence 5)
    – Flash-override (IP precedence 4)
    – Flash (IP precedence 3)
    – Immediate (IP precedence 2)
    – Priority (IP precedence 1)
    – Routine (IP precedence 0)
    Note: IP ACEs that do not include a DSCP or IP precedence value parameter match all DSCP or IP precedence values.
  • Page 724
    IP ACE Layer 4 UDP Classification Criteria
    You can create User Datagram Protocol (UDP) ACEs that match traffic for specific UDP source and/or destination ports by including UDP port parameters (for more information, see the “IP ACEs for UDP Traffic” ...
  • Page 725
    Keyword               Type  Code    Keyword              Type  Code
    information-request                 time-exceeded              —(1)
    mask-reply                          timestamp-reply
    mask-request                        timestamp-request
    mobile-redirect                     traceroute
    net-redirect                        ttl-exceeded
    net-tos-redirect                    unreachable                —(1)
    1. Matches all code values
    Note: ICMP ACEs with only a Layer 4 ICMP type parameter match all code values for that type value. ICMP ACEs that do not include any Layer 4 ICMP type and code parameters match all ICMP traffic.
  • Page 726
    MAC ACE Layer 2 Classification Criteria
    You can create MAC ACEs that match specific Ethernet traffic by including these Layer 2 parameters (for more information, see the “Creating or Modifying Named MAC ACLs” section on page 41-43):
    • Ethernet source and destination addresses and masks, entered as specific values or with the any ...
  • Page 727
    Marking Rules
    Note: Marking is not supported for IPX or MAC traffic with a PFC2.
    Marking rules specify how QoS marks traffic when the traffic matches the filtering parameters in an ACE (see the “ACE Name, Marking Rule, Policing, and Filtering Syntax” ...
  • Page 728
    Policing Rules
    You can create named policing rules that specify bandwidth utilization limits, which you can apply to traffic by including the policing rule name in an ACE (for more information, see the “Creating Policing Rules” ...
  • Page 729
    For example, you could create a microflow policing rule named “group_individual” with bandwidth limits suitable for individuals in a group, and you could create an aggregate policing rule named “group_all” with bandwidth limits suitable for the group as a whole. You could include both policing rules in ACEs that match the group’s traffic.
  • Page 730: Classification And Marking With A Layer 2 Switching Engine

    On ports configured for VLAN-based QoS, you can attach named ACLs to the port’s VLAN; or, for a trunk, you can attach named ACLs to any VLANs allowed on the trunk, as follows:
    • ...
  • Page 731
    Overview
    QoS schedules traffic through the transmit queues based on CoS values and uses CoS-value-based transmit-queue drop thresholds to avoid congestion in traffic transmitted from Ethernet ports.
    Note: Ethernet egress port scheduling and congestion avoidance use Layer 2 CoS values. Ethernet egress port marking writes Layer 2 CoS values and, for IP traffic, the Layer 3 ToS byte.
  • Page 732
    2q2t Ports
    For 2q2t ports, each transmit queue has two drop thresholds that function as follows:
    • Frames with CoS 0, 1, 2, or 3 go to the low-priority transmit queue (queue 1): ...
  • Page 733: Qos Statistics Data Export

    • Frames with CoS 6 or 7 go to the high-priority standard transmit queue (queue 3).
    Note: You can configure each standard transmit queue to use both a tail-drop and a WRED-drop threshold by mapping a CoS value to a queue or to a queue and a threshold. The switch uses tail-drop thresholds for traffic carrying CoS values mapped only to a queue.
  • Page 734: Qos Default Configuration

    QoS Default Configuration
    Table 41-3 shows the QoS default configuration.
    Table 41-3 QoS Default Configuration
    Feature               Default Value
    QoS enable state      Disabled
                          Note: With QoS enabled and all other QoS parameters at default values, QoS sets Layer 3 DSCP to zero and Layer 2 CoS to zero in all traffic transmitted from the switch.
  • Page 735
    Table 41-3 QoS Default Configuration (continued)
    Feature                                             Default Value
    With QoS enabled
      Runtime—Port based or VLAN based                  Port based
      Config—Port based or VLAN based                   Port based
    Port trust state                                    Untrusted
    Receive-queue tail-drop threshold percentages       • Threshold 1: 50% ...
  • Page 736: Configuring Qos

    Table 41-3 QoS Default Configuration (continued)
    Feature                                   Default Value
    CoS value/drop-threshold mapping          1q4t/2q2t and 1p1q4t/1p2q2t ports:
                                              – Receive queue 1/drop threshold 1 and transmit queue 1/drop threshold 1: CoS 0 and 1
                                              – Receive queue 1/drop threshold 2 and ...
  • Page 737: Enabling Qos

    • Creating or Modifying ACLs, page 41-37
    • Attaching ACLs to Interfaces, page 41-46
    • Detaching ACLs from Interfaces, page 41-46
    • Mapping a CoS Value to a Host Destination MAC Address/VLAN Pair, page 41-47
    ...
  • Page 738: Enabling Port-Based Or Vlan-Based Qos

    Enabling Port-Based or VLAN-Based QoS
    Note: The commands in this section are not supported with a Layer 2 Switching Engine.
    By default, QoS uses ACLs attached to ports. On a per-port basis, you can configure QoS to use ACLs attached to a VLAN.
  • Page 739: Configuring The Cos Value For A Port

    This example shows how to configure port 1/1 with the trust-cos keyword:
    Console> (enable) set port qos 1/1 trust trust-cos
    Port 1/1 qos set to trust-cos
    Console> (enable)
    Note: Only ISL or 802.1Q frames carry CoS values. Configure ports with the trust-cos keyword only when the received traffic consists of ISL or 802.1Q frames carrying CoS values that you know to be consistent with network policy, or to trust a configured port CoS value.
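    The marking rule on page 717 (an untrusted port overwrites the received CoS with the port CoS and skips ingress congestion avoidance), the 1q4t thresholds on pages 718 and 719, and the note above together explain why trust-cos is a policy decision: on a trust-cos port a host that tags its own frames CoS 7 is never tail-dropped at ingress, while CoS 0 traffic is dropped once the receive buffer is 50 percent full. The Python below models that ingress path. It is an added example, not code from the guide; the threshold percentages and the CoS-to-threshold map are the guide's defaults (Table 41-3), the frames are constructed, and the treatment of an untagged frame on a trust-cos port as receiving the port CoS is an assumption stated in the code.

```python
# Default 1q4t receive-queue tail-drop thresholds (Table 41-3, page 718): a frame
# mapped to threshold N is dropped once the receive buffer is at least this full.
RX_THRESHOLD_PCT = {1: 50, 2: 60, 3: 80, 4: 100}
# Default CoS -> receive-queue drop-threshold mapping (Table 41-3, page 736).
COS_TO_THRESHOLD = {0: 1, 1: 1, 2: 2, 3: 2, 4: 3, 5: 3, 6: 4, 7: 4}


def ingress_cos(frame_cos, tagged, port_trust, port_cos=0):
    """CoS the switch carries for a frame after port marking.
    untrusted: every frame gets the port CoS (default 0), whatever it carried.
    trust-cos: ISL/802.1Q frames keep their CoS.  An untagged frame has no CoS
    field, so it gets the port CoS (assumption: the guide only says untagged
    frames carry no CoS)."""
    if port_trust == "untrusted" or not tagged:
        return port_cos
    if port_trust == "trust-cos":
        return frame_cos
    raise ValueError("trust state not modelled in this example: %r" % port_trust)


def rx_dropped(cos, buffer_fill_pct, port_trust):
    """Tail-drop decision at a 1q4t receive queue.  Untrusted ports skip ingress
    congestion avoidance entirely and hand the frame to the switching engine."""
    if port_trust == "untrusted":
        return False
    return buffer_fill_pct >= RX_THRESHOLD_PCT[COS_TO_THRESHOLD[cos]]


def admit(frames, port_trust, buffer_fill_pct, port_cos=0):
    """Run (cos, tagged) frames through marking and then congestion avoidance.
    Returns [(carried_cos, dropped), ...] in input order."""
    result = []
    for frame_cos, tagged in frames:
        cos = ingress_cos(frame_cos, tagged, port_trust, port_cos)
        result.append((cos, rx_dropped(cos, buffer_fill_pct, port_trust)))
    return result


# Constructed sample: a host tags everything CoS 7 hoping to jump the queue,
# mixed with an untagged frame and a CoS 3 frame from well-behaved hosts.
SAMPLE = [(7, True), (7, True), (0, False), (3, True)]

if __name__ == "__main__":
    print("untrusted port, buffer 90% full:", admit(SAMPLE, "untrusted", 90))
    print("trust-cos port, buffer 90% full:", admit(SAMPLE, "trust-cos", 90))
```

    On the untrusted port every frame leaves as CoS 0 and none is dropped at ingress; on the trust-cos port the self-tagged CoS 7 frames survive a 90 percent full buffer while the CoS 0 and CoS 3 frames are dropped, which is the behaviour the note warns about when the tagging host is not under your control.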
  • Page 740: Creating Policing Rules

    Creating Policing Rules
    Note: The commands in this section are not supported with a Layer 2 Switching Engine.
    To create a policing rule, perform this task in privileged mode:
    Task                                 Command
    Step 1  Create a policing rule.      set qos policer microflow microflow_name {rate rate} {burst burst} {drop | policed-dscp}
                                         With PFC or PFC2: ...
  • Page 741
    Note: The burst parameter sets the token bucket size. To sustain a specific rate, set the token bucket size with the burst parameter to at least the rate divided by 4000, because tokens are removed from the bucket every 1/4000th of a second (0.25 ms), so the bucket must hold at least one interval's worth of the rate to sustain it.
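    As an added example (not code from the guide) of the sizing rule in this note, the Python below runs a fluid token-bucket model of a single-rate policer that is serviced every 1/4000 s and capped at the burst, and reports the in-profile rate. It treats traffic as a continuous stream rather than discrete packets, which is an assumption, and the rate and burst values are constructed. With burst = rate/4000 the policer passes exactly the configured rate; with a smaller burst the sustained rate collapses to burst × 4000; and with a large burst a source that has been idle gets the whole bucket on top of the rate when it starts flooding, which is the trade-off to weigh when the policer is meant to contain an abusive host rather than shape a cooperative one.

```python
TICKS_PER_SECOND = 4000  # the policer services the bucket every 1/4000 s (0.25 ms)


def min_burst_kb(rate_kbps):
    """Smallest burst (bucket size in kb) that sustains rate_kbps: rate / 4000,
    i.e. one 0.25 ms interval's worth of tokens."""
    return rate_kbps / TICKS_PER_SECOND


def simulate_policer(rate_kbps, burst_kb, offered_kbps, seconds=1.0):
    """Fluid model of a single-rate token bucket (assumption: traffic is a continuous
    stream, not discrete packets).  Every tick the bucket gains rate/4000 worth of
    tokens, capped at the burst; whatever the offered traffic can pay for is in
    profile, the rest is out of profile (dropped, or marked down with policed-dscp).
    Returns the in-profile rate in kbps over the run."""
    refill_bits = rate_kbps * 1000 / TICKS_PER_SECOND
    offered_bits = offered_kbps * 1000 / TICKS_PER_SECOND
    capacity = burst_kb * 1000
    tokens = capacity              # a bucket starts full: an idle source earns a free burst
    in_profile = 0.0
    for _ in range(int(seconds * TICKS_PER_SECOND)):
        tokens = min(capacity, tokens + refill_bits)   # refill beyond the burst is lost
        sent = min(offered_bits, tokens)
        tokens -= sent
        in_profile += sent
    return in_profile / seconds / 1000


if __name__ == "__main__":
    rate = 1000                    # kbps, constructed
    print("minimum burst for %d kbps: %.3f kb" % (rate, min_burst_kb(rate)))
    print("burst = rate/4000, offered 2000 kbps ->", simulate_policer(rate, 0.25, 2000), "kbps")
    print("burst = half of that               ->", simulate_policer(rate, 0.125, 2000), "kbps")
    print("burst = 100 kb, 1 s flood          ->", simulate_policer(rate, 100, 2000), "kbps")
```

    The third case is the one to note when the policer is a security control: 100 kb of burst on a 1000 kbps rate lets a fresh flood push almost 1100 kbps through in its first second, because the bucket was full when the flood started.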
  • Page 742: Deleting Policing Rules

    Console> (enable) show qos policer config aggregate test2
    QoS aggregate policers:
    Aggregate name   Normal rate (kbps)   Burst size (kb)   Normal action
    ---------------  -------------------  ----------------  -------------
    test2                                                   policed-dscp
    Excess rate (kbps)   Burst size (kb)   Excess action
    -------------------  ----------------  ---------------
    ...
  • Page 743: Creating Or Modifying Acls

    Creating or Modifying ACLs
    Note: The commands in this section are not supported with a Layer 2 Switching Engine.
    These sections describe ACL creation and modification:
    • ACL Names, page 41-37
    • ACE Name, Marking Rule, Policing, and Filtering Syntax, page 41-37
    ...
  • Page 744 Chapter 41 Configuring QoS Configuring QoS Named IP ACLs These sections describe creating or modifying IP ACLs: Source and Destination IP Addresses and Masks, page 41-38 • Port Operator Parameters, page 41-38 • Precedence Parameter Options, page 41-38 • • IP ACEs for TCP Traffic, page 41-39 •...
  • Page 745 IP ACEs for TCP Traffic To create or modify an IP ACE for TCP traffic, perform this task in privileged mode: Task Command Step 1 Create or modify an IP ACE for TCP traffic. set qos acl ip {acl_name} {{dscp dscp} | trust-cos | trust-ipprec | trust-dscp} [microflow microflow_name] [aggregate...
  • Page 746 IP ACEs for ICMP Traffic To create or modify an IP ACE for ICMP traffic, perform this task in privileged mode: Task Command Step 1 Create or modify an IP ACE for ICMP traffic. set qos acl ip acl_name {dscp dscp | trust-cos | trust-ipprec | trust-dscp} [microflow microflow_name] [aggregate aggregate_name]...
  • Page 747 For igmp_type parameter keyword options, see the “IP ACE Layer 4 IGMP Classification Criteria” section on page 41-19. This example shows how to create an IP ACE for IGMP protocol independent multicast (PIM) traffic: Console>...
  • Page 748 This example shows how to create an IP ACE: Console> (enable) set qos acl ip my_IPacl trust-ipprec microflow my-micro aggregate my-agg my_IPacl editbuffer modified. Use ‘commit’ command to apply changes. Console> (enable) Modifying the Default IP ACL To modify the default IP ACL, perform this task in privileged mode: Task Command...
  • Page 749 If you specify an IPX destination network, IPX ACEs support the following optional parameters: • An IPX destination network mask, entered as up to 8 hexadecimal digits in the range 1 to FFFFFFFE (-1 matches any network number). Use one bits, which need not be contiguous, where you want wildcards.
  • Page 750 Creating or Modifying the Default IPX and MAC ACLs To create or modify the default IPX or MAC ACL, perform this task in privileged mode: Task Command Step 1 Modify the default IPX or MAC ACL. With PFC: set qos acl default-action {ipx | mac} {dscp dscp | trust-cos} [aggregate aggregate_name]...
  • Page 751 This example shows how to revert to the default values for the default IP ACL: Console> (enable) clear qos acl default-action ip Hardware programming in progress... QoS default-action for IP ACL is restored to default setting. Console>...
  • Page 752: Attaching Acls To Interfaces

    Attaching ACLs to Interfaces Note The commands in this section are not supported with a Layer 2 Switching Engine. You can attach one ACL of each type to each VLAN and to each port configured for port-based QoS. You cannot attach ACLs to a port configured for VLAN-based QoS (for more information, see the “Enabling Port-Based or VLAN-Based QoS”...
  • Page 753: Mapping A Cos Value To A Host Destination Mac Address/Vlan Pair

    This example shows how to detach an ACL named my_acl from port 2/1: Console> (enable) clear qos acl map my_acl 2/1 Hardware programming in progress... ACL my_acl is detached from port 2/1. Console> (enable) This example shows how to detach an ACL named my_acl from VLAN 4: Console>...
  • Page 754: Enabling Or Disabling Microflow Policing Of Bridged Traffic

    This example shows how to delete all CoS assignments to destination MAC addresses and VLANs: Console> (enable) clear qos mac-cos all All CoS to Mac/Vlan entries are cleared. Console> (enable) Enabling or Disabling Microflow Policing of Bridged Traffic Note The commands in this section are not supported with a Layer 2 Switching Engine.
  • Page 755: Configuring 2Q2T Port Standard Transmit-Queue Tail-Drop Thresholds

    QoS maintains separate configurations for 1q4t ports and 1p1q4t ports. With either keyword, this command configures only the standard queue. Specify queue 1 for both port types (the threshold in the strict-priority queue is not separately configurable; it uses threshold 4 as specified for queue 1). The thresholds are all specified as percentages ranging from 1 to 100.
  • Page 756: Allocating Bandwidth Between Standard Transmit Queues

    To configure the standard transmit-queue WRED-drop thresholds on all ports of each type, perform this task in privileged mode: Task Command Configure the standard transmit-queue WRED-drop thresholds on all ports of a given type. set qos wred 1p2q2t [tx] queue q# [thr1Lo:]thr1Hi [thr2Lo:]thr2Hi
  • Page 757: Configuring The Receive-Queue Size Ratio

    This example shows how to allocate bandwidth for the 2q2t ports: Console> (enable) set qos wrr 2q2t 30 70 QoS wrr ratio is set successfully. Console> (enable) Configuring the Receive-Queue Size Ratio For 1p1q0t ports, estimate the mix of standard-priority and strict-priority traffic on your network (for example, 85 percent standard-priority traffic and 15 percent strict-priority traffic).
  • Page 758: Mapping Cos Values To Drop Thresholds

    Mapping CoS Values to Drop Thresholds This command associates CoS values with receive- and transmit-queue drop thresholds. QoS maintains separate configurations for each port type. These sections describe mapping CoS values to drop thresholds: •...
  • Page 759 Queue 1 is the standard queue. Queue 2 is the strict-priority queue. Threshold numbers range from 1 for low priority to 4 for high priority. This example shows how to associate the CoS value 5 to strict-priority receive-queue 2/threshold 1: Console>...
  • Page 760 1p3q1t Transmit Queues With 1p3q1t transmit queues, you can associate a CoS value with either the nonconfigurable tail-drop threshold or the configurable WRED-drop threshold: • To associate a CoS value with the tail-drop threshold, map the CoS value to the queue. •...
  • Page 761: Configuring Dscp Value Maps

    Configuring DSCP Value Maps Note The commands in this section are not supported with a Layer 2 Switching Engine. These sections describe how DSCP values are mapped to other values: • Mapping Received CoS Values to Internal DSCP Values, page 41-55 •...
  • Page 762 Mapping Received IP Precedence Values to Internal DSCP Values To map received IP precedence values to the internal DSCP value (see the “Internal DSCP Values” section on page 41-15), perform this task in privileged mode: Task Command Step 1...
  • Page 763 Enter up to 64 internal DSCP value list/egress CoS value pairs. This example shows how to map internal DSCP values to egress CoS values: Console> (enable) set qos dscp-cos-map 20-25:7 33-38:3 QoS dscp-cos-map set successfully. Console>...
  • Page 764: Displaying Qos Information

    Note Configure marked-down DSCP values that map to CoS values consistent with the markdown penalty (see the “Mapping Internal DSCP Values to Egress CoS Values” section on page 41-56). To revert to default DSCP markdown value mapping, perform this task in privileged mode: Task Command Step 1...
  • Page 765: Displaying Qos Statistics

    (show qos info output, continued and truncated) Rx drop thresholds: 50% 60% 80% 100%. Tx drop thresholds: Queue # / Thresholds - percentage (abs values): 40% 100%; 40% 100%. Tx WRED thresholds: WRED feature is not supported for this port_type. Queue Sizes: Queue # / Sizes - percentage (abs values)...
  • Page 766: Reverting To Qos Defaults

    Reverting to QoS Defaults Note Reverting to defaults disables QoS, because QoS is disabled by default. To revert to QoS defaults, perform this task in privileged mode: Task Command Revert to QoS defaults. clear qos config This example shows how to revert to QoS defaults: Console>...
  • Page 767 • Enabling Use of Locally Configured QoS Policy, page 41-62 • Assigning Port Roles, page 41-63 • Removing Roles from Port ASICs, page 41-63 • Deleting Roles, page 41-64 • Configuring Policy Decision Point Servers, page 41-64 •...
  • Page 768 This example shows how to select COPS as the QoS policy source: Console> (enable) set qos policy-source cops QoS policy source for the switch set to COPS. Console> (enable) show qos policy-source QoS policy source for the switch set to COPS. Console>...
  • Page 769 This example shows how to enable use of locally configured QoS policy: Console> (enable) set port qos 1/1 policy-source local QoS policy source set to local on port(s) 1/1-2. Console> (enable) Assigning Port Roles COPS does not configure ports using slot number and port number parameters.
  • Page 770 Deleting Roles To delete a role (which removes it from all ports), perform this task in privileged mode: Task Command Step 1 Delete a role. clear cops {all-roles | roles role1 [role2] ...} Step 2 Verify the roles for the port.
  • Page 771 This example shows how to delete PDP server configuration: Console> (enable) clear cops server all All COPS diff-serv servers cleared. All COPS rsvp servers cleared. Console> (enable) Configuring the COPS Domain Name PDP servers use a COPS domain name to communicate with policy enforcement point (PEP) devices such as switches.
  • Page 772: Configuring Rsvp Support

    Enter the parameters as a number of seconds in the range 0 to 65535. The value of the initial parameter plus the value of the increment parameter must not exceed the value of the maximum parameter. This example shows how to configure the parameters COPS uses to communicate with the PDP server: Console>...
  • Page 773 Disabling RSVP Support To disable RSVP support, perform this task in privileged mode: Task Command Step 1 Disable RSVP support on the switch. set qos rsvp {enable | disable} Step 2 Verify the configuration. show qos rsvp info This example shows how to disable RSVP support: Console>...
  • Page 774 This example shows how to disable the participation of port 2/1 in the election of the DSBM: Console> (enable) set port rsvp 2/1 dsbm-election disable DSBM disabled for port 2/1. Console> (enable) Configuring Policy Decision Point Servers Note COPS and RSVP can use the same PDP server.
  • Page 775 Configuring RSVP Policy Timeout When the switch is the DSBM and communication with the PDP server is lost, the switch continues to function as the DSBM, using cached values, for the period specified by the timeout value; the behavior for new or modified RSVP path messages is determined by the RSVP local policy setting.
  • Page 776: Configuring Qos Statistics Data Export

    Configuring QoS Statistics Data Export These sections describe how to configure the QoS statistics data export feature: • Enabling QoS Statistics Data Export Globally, page 41-70 • Enabling Per-Port QoS Statistics Data Export, page 41-71 •...
  • Page 777 Enabling Per-Port QoS Statistics Data Export To enable QoS statistics data export on a per-port basis, perform this task in privileged mode: Task Command Step 1 Enable QoS statistics data export per port. set qos statistics export port mod/port enable | disable Step 2 Verify the configuration.
  • Page 778 Enabling Per-Aggregate Policer QoS Statistics Data Export To enable QoS statistics data export on a per-aggregate policer basis, perform this task in privileged mode: Task Command Step 1 Enable QoS statistics data export per aggregate policer. set qos statistics export enable | disable
  • Page 779 Setting the QoS Statistics Data Export Time Interval The default interval at which QoS statistics are exported is 30 seconds. To set the time interval for the QoS statistics data export, perform this task in privileged mode: Task Command Step 1...
  • Page 780 (show qos statistics export info output, continued) Export time interval: 500 Export destination: Stargate, UDP port 9996 Port / Export: disabled, disabled, disabled, disabled, enabled, disabled <output truncated> Aggregate name / Export: ipagg_3 enabled Console> (enable) Displaying QoS Statistics Information To display the QoS statistics per-aggregate policer packet and byte rates, perform this task in privileged mode: Task...
  • Page 781: Chapter 42 Configuring Aslb

    C H A P T E R Configuring ASLB This chapter describes how to configure accelerated server load balancing (ASLB) on the Catalyst 6000 family switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 782: Understanding How Aslb Works

    • Other Cisco routers can also be used as participating routers for ASLB. Understanding How ASLB Works Note Refer to the Cisco LocalDirector Installation and Configuration Guide, Version 3.2, for an overview on load balancing TCP/IP traffic. These sections describe ASLB: •...
  • Page 783: Layer 3 Operations For Aslb

    Chapter 42 Configuring ASLB Understanding How ASLB Works Figure 42-1 ASLB Functional Description (figure labels: Server pool, Catalyst 6500 series switches, Clients, VLAN 10, VLAN 20, LocalDirector) Layer 3 Operations for ASLB You can specify up to 1024 server virtual-IP addresses and TCP port pairs for acceleration by the switch. All traffic for the virtual-IP/port pairs specified is accelerated except for the SYN, FIN, RST, and fragment packets with a non-zero offset.
  • Page 784: Client-To-Server Data Forwarding

    Client-to-Server Data Forwarding Figure 42-2 shows how data is forwarded from the router to the servers. Table 42-2 lists the sequence of events, and Table 42-3 lists the Layer 3 table entries. These sections describe the client-to-server data-forwarding paths: •...
  • Page 785 Figure 42-2 Client to Server ASLB Packet Flow (figure labels: Server pool, Catalyst 6500 series switches, Path 1, Path 2, Path 3, Clients, VLAN 10, VLAN 20, LocalDirector) Table 42-2 Client to Server ASLB Packet Flow (columns: Path, Destination MAC, Source...)
  • Page 786: Server-To-Client Data Forwarding

    Server-to-Client Data Forwarding Figure 42-3 shows how data is forwarded from the servers to the clients. Table 42-4 lists the sequence of events, and Table 42-5 lists the Layer 3 table entries. The traffic from the servers to the router or client devices works in the same manner, but in the reverse direction, as the data forwarding described in the “Client-to-Server Data Forwarding”...
  • Page 787: Cabling Guidelines

    To implement these tasks, follow the guidelines and use the detailed configuration procedures in the sections that follow. Configuring the LocalDirector Interfaces Refer to the Cisco LocalDirector Installation and Configuration Guide, Version 3.2, for detailed information on configuring the LocalDirector interfaces for ASLB. Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4...
  • Page 788: Aslb Configuration Guidelines

    Chapter 42 Configuring ASLB Configuring ASLB ASLB Configuration Guidelines This section lists the usage guidelines and restrictions for configuring ASLB: • Routers, page 42-8 • Servers, page 42-8 • IP Addresses, page 42-9 • Supervisor Engine, page 42-9 • Backup LocalDirector Configuration (Optional), page 42-9 •...
  • Page 789 IP Addresses Follow these IP address configuration guidelines: Note You can specify an IP address for the virtual-IP address other than server IP network addresses. • Ensure that the LocalDirectors and servers are on the same subnet to allow the LocalDirector to ARP...
  • Page 790 MSFC and Multilayer Switching Follow these Multilayer Switch Feature Card (MSFC) and Multilayer Switching (MLS) configuration guidelines: • With supervisor engine software release 5.4(1)CSX or later releases, an MSFC can be the participating router for ASLB. Traffic is Layer 3 switched when an MSFC routes traffic from clients.
  • Page 791: Configuring Aslb From The Cli

    Configuring ASLB from the CLI This section describes how to configure ASLB using the Catalyst 6000 family switch lda command set and includes the following descriptions: • Configuring the Switch Ports Connected to the LocalDirector, page 42-11 •...
  • Page 792 This example shows how to enable ASLB on the switch: Console> (enable) set lda enable Successfully enabled Local Director Accelerator. Console> (enable) This example shows how to disable ASLB on the switch: Console> (enable) set lda disable Successfully disabled Local Director Accelerator.
  • Page 793 This example shows how to specify MAC addresses for participating routers: Console> (enable) set lda mac router 00-23-45-67-ee-7f Successfully set mac address. Use commit lda command to save settings to hardware. Console> (enable) Specifying a MAC Address for the LocalDirector To specify a MAC address for the LocalDirector, perform this task in privileged mode: Task Command...
  • Page 794 Specifying the Server VLAN and the LocalDirector Port on the VLAN Note After entering the set lda server command, if you change the switch port(s) that the LocalDirector is connected to, you must enter the set lda server command again to specify the new configuration. Note Specifying a backup LocalDirector port is optional unless you are setting up a failover configuration of LocalDirectors.
  • Page 795 To commit your ASLB configuration settings, perform this task in privileged mode: Task Command Commit your ASLB configuration settings. commit lda This example shows how to commit the ASLB configuration settings: Console> (enable) commit lda Commit operation in progress...
  • Page 796 If the configuration is then modified and the changes are not committed, entering the show lda command again indicates that the configuration has been modified since the last commit, but the new modifications are not shown; only the committed settings are displayed.
  • Page 797 Displaying the ASLB MLS Statistics To display the ASLB MLS statistics, perform this task in privileged mode: Task Command Display ASLB MLS entry statistics. show lda mls statistics entry show lda mls statistics count show lda mls statistics entry [destination ip_addr_spec] [source ip_addr_spec] [protocol protocol] [src-port port] [dst-port port]...
  • Page 798 Clearing the ASLB Configuration Caution If you do not enter any keywords with the clear lda command, the entire ASLB configuration is removed from the hardware and NVRAM along with the MLS entries. If you do not enter any keywords with the clear lda mls command, all MLS entries are cleared.
  • Page 799: Aslb Configuration Example

    Chapter 42 Configuring ASLB ASLB Configuration Example ASLB Configuration Example This section provides an example of a typical ASLB network configuration. Figure 42-4 shows the example network; the configuration specifications are as follows: • The virtual-IP address is 192.255.201.55. • The router interface MAC address is 00-d0-bc-e9-fb-47 and its IP address is 192.255.201.1. •...
  • Page 800 Local Director Flow: 192.255.201.55/www (TCP port 80) Local Director Flow: 192.255.201.55/ (TCP port 8001) Local Director Flow: 192.255.201.55/ftp (TCP port 21) Router MAC: 00-d0-bc-e9-fb-47 LD MAC: 00-e0-b6-00-4b-04 LD Router Side: Router and LD are on VLAN 7; LD is connected to switch port 5/7 on VLAN 7. LD Server Side: ...
  • Page 801: Aslb Redundant Configuration Example

    Chapter 42 Configuring ASLB ASLB Redundant Configuration Example fixed-ttl 60 igmp 224.0.1.2 port 1637 redirection 192.255.201.55:8001:0:tcp dispatched assisted wildcard-ttl 60 fixed-ttl 60 igmp 224.0.1.2 port 1637 redirection 192.255.201.55:21:0:tcp dispatched assisted wildcard-ttl 60 fixed-ttl 60 igmp 224.0.1.2 port 1637 real 192.255.201.5:80:0:tcp is real 192.255.201.3:80:0:tcp is real 192.255.201.4:80:0:tcp is real 192.255.201.6:80:0:tcp is...
  • Page 802: Ip Addresses

    Figure 42-5 ASLB Redundant Configuration Example (figure labels: LocalDirector 1, VLAN 9, VLAN 5, Catalyst 6500 series switches 1, Router 1, port 3/41, Clients, port 3/23, Servers, VLAN 5 & 9 (ISL trunk), Catalyst 6500, Router 2...)
  • Page 803: Mac Addresses

    MAC Addresses The MAC addresses are as follows: • HSRP MAC address for network 7: 00-00-0c-07-ac-00 • HSRP MAC address for network 5: 00-00-0c-07-ac-01 • Router 1, f2 MAC address: 00-d0-79-7b-20-88 • Router 2, f2 MAC address: 00-d0-79-7b-18-88 •...
  • Page 804: Router 2 Configuration

    (Router 1 configuration, continued) full-duplex standby 1 ip 7.0.0.1 standby 1 track FastEthernet2 interface FastEthernet2 ip address 5.0.0.100 255.0.0.0 no ip redirects no ip directed-broadcast no ip route-cache distributed no keepalive full-duplex standby priority 250 standby 2 ip 5.0.0.2 standby 2 track FastEthernet1 ip route 13.13.13.13 255.255.255.255 5.0.0.1 Router 2 Configuration...
  • Page 805: Troubleshooting The Aslb Configuration

    Chapter 42 Configuring ASLB Troubleshooting the ASLB Configuration redirection 13.13.13.13:80:0:tcp dispatched assisted redirection 13.13.13.13:23:0:tcp dispatched assisted real 5.100.100.100:80:0:tcp is real 5.100.100.100:23:0:tcp is bind 13.13.13.13:80:0:tcp 5.100.100.100:80:0:tcp bind 13.13.13.13:23:0:tcp 5.100.100.100:23:0:tcp Troubleshooting the ASLB Configuration Table 42-6 lists the possible problem symptoms and recommended actions to troubleshoot the ASLB configuration.
  • Page 806 Table 42-6 Troubleshooting the ASLB Configuration (continued) Symptom: LocalDirector set commands did not take effect. Recommended Action: The set lda commands will not take effect until you enter the commit lda command. You can verify which set lda commands are in effect by entering the show lda commit command.
  • Page 807: Chapter 43 Configuring The Switch Fabric Modules

    C H A P T E R Configuring the Switch Fabric Modules This chapter describes how to configure the Switch Fabric Module (WS-C6500-SFM) and Switch Fabric Module 2 (WS-X6500-SFM 2) for the Catalyst 6500 series switches. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.
  • Page 808: Configuring And Monitoring The Switch Fabric Module

    Chapter 43 Configuring the Switch Fabric Modules Configuring and Monitoring the Switch Fabric Module When you install two Switch Fabric Modules at the same time in a 6- or 9-slot chassis, the primary module is in slot 5 and the backup is in slot 6. If you reset the module in slot 5, the module in slot 6 becomes active.
  • Page 809: Configuring A Fallback Option

    These sections describe how to configure the Switch Fabric Module: • Configuring a Fallback Option, page 43-3 • Configuring the Switching Mode, page 43-3 • Switch Fabric Redundancy, page 43-4 •...
  • Page 810: Switch Fabric Redundancy

    To configure the switch to use compact mode if you have only fabric-enabled modules installed, perform this task: Task Command Configure the switch to use compact mode. set system switchmode allow truncated This example shows how to configure the switch to use compact mode: Console>...
  • Page 811 (show module output, truncated) Switch Fabric Module WS-C6500-SFM; columns Mod, Module-Name, Serial-Num; Mod, MAC-Address(es), Hw, Fw, Sw...
  • Page 812 (show fabric channel output, truncated) Fabric channel slots 0 through 9 listed as unused...
  • Page 813 Displaying the Backplane Traffic and Fabric Channel Input and Output To display the backplane traffic and fabric channel input and output, perform either of these tasks: Task Command Display system status including the backplane...
  • Page 814: Configuring The Lcd Banner

    Console> (enable) This example shows how to display backplane traffic and fabric channel input and output: Console> (enable) show traffic Threshold:100% Backplane-Traffic / Peak / Peak-Time: 0% Thu Jul 27 2000, 14:03:27 Fab Chan / Input / Output...
  • Page 815 • Multilayer Switch Feature Card (MSFC) version on active and standby supervisor engine • System contact After the LCD banner content is modified, this information is sent to the Switch Fabric Modules installed in the chassis and displayed in the LCDs.
  • Page 816
  • Page 817: Chapter 44 Configuring A Voip Network

    This chapter describes how to configure a Voice-over-IP (VoIP) network on the Catalyst 6000 family switches. Note While this chapter introduces a number of Cisco networking products related to VoIP, the primary focus of the chapter is to provide configuration information for integrating Catalyst 6000 family products into your VoIP network.
  • Page 818: Understanding How A Voip Network Works

    * Catalyst 4000, 5000, and 6000 10/100 modules Cisco IP Phone 7960 The Cisco IP Phone 7960 provides connectivity to the IP PBX system. The IP phone has two RJ-45 jacks for connecting to external devices, a LAN-to-phone jack and a PC-to-phone jack. The jacks use either Category 3 or Category 5 unshielded twisted-pair (UTP) cable.
  • Page 819 Cisco IP Phone 7960 and PCs to the Catalyst 6000 family switch. Figure 44-2 Connecting the Cisco IP Phone 7960 to the Catalyst 6000 Family Switch Example 1—Single Cisco IP Phone 7960 Example 1 shows one IP phone connected to the 10/100 port on the Catalyst 6000 family switch. The PC-to-phone jack on the phone is not used.
  • Page 820: Cisco Callmanager

    Each Cisco CallManager manages the devices within its zone and exchanges information with the Cisco CallManager in charge of another zone to make calls possible across multiple zones. Additionally, Cisco CallManager can work with existing PBX systems to route a call over the Public Switched Telephone Network (PSTN).
  • Page 821 Analog Trunk Gateway Cisco access analog trunk gateways allow the IP PBX to connect to the PSTN or PBX. The gateway supports up to eight trunks to the PSTN and appears like a phone to the trunk lines coming from the PSTN.
  • Page 822 The Catalyst 6000 family 8-port T1/E1 PSTN interface module is a high-density, eight port, T1/E1 VoIP module that can support both digital T1/E1 connectivity to the PSTN or transcoding and conferencing. The module requires an IP address, is registered with Cisco CallManager in its domain, and is managed by Cisco CallManager.
  • Page 823: How A Call Is Made

    Cisco CallManager through the control channel. If a call is made to a number outside of the IP PBX network, Cisco CallManager routes the call to an analog or digital trunk gateway which in turn routes it to the PSTN.
  • Page 824: Understanding How Vlans Work

    Note Figure 44-3 shows how a Cisco IP Phone 7960 can be connected to a Catalyst 6000 family switch. Figure 44-3 Switch-to-Phone Connections When the IP phone connects to a 10/100 port on the Catalyst 6000 family switch, the access port (PC-to-phone jack) of the IP phone can be used to connect a PC.
  • Page 825: Configuring Voip On A Switch

    • Configuring QoS in the Cisco IP Phone 7960, page 44-29 Note You must enable Cisco Discovery Protocol (CDP) on the Catalyst 6000 family switch port connected to the IP phone in order to communicate information such as auxiliary VLAN ID, per-port power management details, and quality of service (QoS) configuration information.
  • Page 826: Configuring Per-Port Power Management

    Chapter 44 Configuring a VoIP Network Configuring VoIP on a Switch Table 44-3 Voice-Related CLI Command Module and Platform Support (continued) (columns: CLI Commands, WS-X6348-RJ45V, WS-X6608-T1/E1, WS-X6624-FXS) Voice-related commands: set port auxiliaryvlan, show port auxiliaryvlan, set port voice interface, show port voice interface, show port voice, show port voice fdl, show port voice active...
  • Page 827 This section describes the following: • Using show Commands to Display Module Type and Version Information, page 44-11 • Power Management Modes, page 44-12 • Phone Detection Summary, page 44-14 •...
  • Page 828 (show module output, truncated) Mod, MAC-Address(es), Hw, Fw, Sw; Mod, Sub-Type, Sub-Model, Sub-Serial, Sub-Hw: L3 Switching Engine WS-F6K-PFC ... 1.0...
  • Page 829 IP Phones may have different power requirements. The supervisor engine initially allocates the configured default of 7W (167 mA at 42V) to the Cisco IP Phone. When the correct amount of power is determined from the CDP messaging with the Cisco IP Phone, the supervisor engine reduces or increases the allocated power.
  • Page 830 Chapter 44 Configuring a VoIP Network Configuring VoIP on a Switch Powering Off the Phone The supervisor engine can turn off power to a specific port by sending a message to the switching module. That power is then added back to the available system power. This situation occurs only when you power off the phone through the CLI or SNMP.
  • Page 831 Figure 44-4 Power Detection Summary
    (Figure: Catalyst switch, switching module, Cisco phone. The 10/100 module discovers the Cisco phone; the supervisor engine discovers the Cisco or third-party phone through CDP and/or IEEE.)
  • Page 832 Error Detection and Handling
    This section describes how the Catalyst 6000 family switch handles fault detection and errors related to per-port power management. These sections discuss fault detection and power-management error scenarios:
    • Device is Powered but Link is Not Up, page 44-16
    • ...
  • Page 833 For modules that are already powered on, but have devices connected that are power denied, the supervisor engine attempts to power on the devices starting with the lowest numbered slot to the highest numbered slot, and from the lowest port number to the highest port number, one module at a time.
  • Page 834 Console> (enable)
    The Operational (Oper) status field descriptions in the display are as follows:
    • on—Power is supplied by the port.
    • off—Power is not supplied by the port.
    • denied—The system does not have enough available power for the port.
  • Page 835: Configuring Auxiliary VLANs on Catalyst LAN Switches

    • Verifying Auxiliary VLAN Configuration, page 44-21
    Understanding Auxiliary VLANs
    You can configure switch ports to send CDP packets that instruct an attached Cisco IP Phone 7960 to transmit voice traffic to the switch in these frame types:
    • 802.1Q frames carrying the auxiliary VLAN ID and Layer 2 CoS set to 5 (the switch port drops all 802.1Q frames except those carrying the auxiliary VLAN ID).
  • Page 836 Auxiliary VLAN Configuration Guidelines
    Follow these guidelines when configuring auxiliary VLANs:
    • An auxiliary VLAN port is operationally a trunk, even though it is not treated like a “normal” trunk
    • ...
  • Page 837: Configuring the Access Gateways

    The default setting is none. Table 44-4 lists the set port auxiliaryvlan command keywords and their descriptions.
    Table 44-4 Keyword Descriptions
    Keyword | Action of the Phone
    dot1p | Specify that the phone send packets with 802.1p priority 5.
    untagged | Specify that the phone send untagged packets.
  • Page 838 Console> (enable) set port voice interface 7/1 dhcp enable
    Port 7/1 DHCP enabled.
    Console> (enable) set port voice interface 7/3 dhcp disable 171.68.111.41/24 tftp 173.32.43.11 dns 172.20.34.204 cisco.com
    Port 7/3 dhcp disabled.
    System DNS configurations applied.
    Console> (enable) set port voice interface 7/4-6 dhcp enable vlan 3
    Vlan 3 configuration successful
    Ports 7/4-6 DHCP enabled.
  • Page 839 Displaying FDL Statistics
    Note: FDL is a link management protocol used to help diagnose problems and gather statistics.
    To display Facilities Data Link (FDL) statistics for the specified ports, perform this task in privileged mode:
    Task: ... Command: ...
  • Page 840 00-10-7b-00-0a-5e (Port host processor not online)
    enable 00-10-7b-00-0a-5f (Port host processor not online)
    Port Call-Manager(s) DHCP-Server TFTP-Sever Gateway
    -------- ----------------- --------------- --------------- ---------------
    172.20.34.207* 172.20.34.207 172.20.34.207 callm.cisco.com 172.20.34.207 172.20.34.207 172.20.34.207 172.20.34.20 172.20.34.207 172.20.34.207 172.20.34.207 172.20.34.207 172.20.34.207 172.20.34.207 172.20.34.207 172.20.34.207 172.20.34.207...
  • Page 841 Port DNS-Server(s) Domain
    -------- --------------- -------------------------------------------------
    172.20.34.207 cisco.com 172.20.34.207* int.cisco.com 171.69.45.34 172.78.111.132 172.20.34.207 172.20.34.207 172.20.34.207 172.20.34.207 (Port host processor not online) (Port host processor not online)
    Port CallManagerState DSP-Type...
  • Page 842 enable 00-10-7b-00-12-0b 10.6.15.168 255.255.255.0
    enable 00-10-7b-00-12-0c 10.6.15.169 255.255.255.0
    enable 00-10-7b-00-12-0d 10.6.15.170 255.255.255.0
    enable 00-10-7b-00-12-0e 10.6.15.171 255.255.255.0
    enable 00-10-7b-00-12-0f 10.6.15.172 255.255.255.0
    Port Call-Manager(s) DHCP-Server TFTP-Server Gateway
    -------- ----------------- --------------- --------------- ---------------
    10.6.15.155 10.6.15.155 10.6.15.155...
  • Page 843: Displaying Active Call Information

    Gateway
    -------- ----------------- --------------- --------------- ---------------
    3/1-24 172.20.34.207 172.20.34.207 172.20.34.207
    Port DNS-Server(s) Domain
    -------- ----------------- -------------------------------------------------
    3/1-24 172.20.34.207* cisco.com 172.34.23.111
    Port CallManagerState DSP-Type
    -------- ---------------- --------
    3/1-24 registered C549
    Port ToneLocal Impedance InputGain(dB) OutputAtten(dB)
    -------- ------------- --------- ------------- ---------------
    3/1-24...
  • Page 844 To display active call information, perform this task in normal mode:
    Task: Display active call information. Command: show port voice active [mod/port] [all | call | conference | transcode] [ipaddr]
    Entering the show port voice active command without any parameters shows all the calls in the system (regular calls, conference calls, and transcoding calls).
  • Page 845 Configuring QoS in the Cisco IP Phone 7960
    These sections describe QoS in the Cisco IP Phone 7960:
    • Understanding How QoS Works in the Cisco IP Phone 7960, page 44-30
    • Configuring QoS in the Cisco IP Phone 7960, page 44-30
    • ...
  • Page 846: Configuring QoS in the Cisco IP Phone 7960

    Understanding How QoS Works in the Cisco IP Phone 7960
    Note: The Cisco IP Phone 7960 always sets Layer 3 IP precedence and Layer 2 CoS to 5 in voice traffic generated by the phone. The Layer 3 IP precedence and Layer 2 CoS values in voice traffic generated by the phone are not configurable.
  • Page 847 Setting the Phone Access Port Trust Mode
    To set the phone access port trust mode, perform this task in privileged mode:
    Task: Set the phone access port trust mode. Command: set port qos mod/ports...trust-ext {trusted | untrusted}
    This example shows how to set the phone access port to the trusted mode:...
  • Page 848 Chapter 44 Configuring a VoIP Network Configuring VoIP on a Switch Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4 44-32 78-13315-02...
  • Page 849: Index
