Cisco IOS Software Configuration Guide

Cisco IOS Software Configuration GuideRelease 12.2(33)SXH and Later Releases

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

Text Part Number: OL-13013-06

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Cisco IOS Software Configuration Guide, Release 12.2SX 20072009, Cisco Systems, Inc. All rights reserved.

CONTENTSPrefacexxxix xxxix xxxix

Audience Conventions

Related Documentationxxxix

Obtaining Documentation, Obtaining Support, and Security Guidelines1

xl

CHAPTER

Product Overview

1-1

Supported Hardware and Software 1-1 Understanding Supervisor Engine 720-10GE Memory Devices and Ports Understanding Supervisor Engine 720 Memory Devices and Ports 1-2 Understanding Supervisor Engine 32 Memory Devices and Ports 1-4 Understanding ME6500 Flash Memory Devices and Ports 1-5 User Interfaces1-5 1-6

1-1

Software Features Supported in Hardware by the PFC and DFC1

PART

Configuration Fundamentals2

CHAPTER

Command-Line Interfaces

2-1

Accessing the CLI 2-2 Accessing the CLI through the EIA/TIA-232 Console Interface Accessing the CLI through Telnet 2-2 Performing Command Line Processing Performing History Substitution Cisco IOS Command Modes Securing the CLI2-6 2-7 2-4 2-5 2-4 2-3

2-2

Displaying a List of Cisco IOS Commands and Syntax ROM-Monitor Command-Line Interface3

CHAPTER

Configuring Smart Port Macros

3-1

Understanding Smart Port Macros 3-1 Understanding Cisco-Provided Smart Port Macros 3-1 Understanding User-Created Smart Port Macros 3-2 Configuring Smart Port Macros3-2

Cisco IOS Software Configuration Guide, Release 12.2SX OL-13013-06

iii

Contents

Smart Port Macro Default Configuration 3-2 Smart Port Macro Configuration Guidelines 3-3 Applying the Cisco-Provided Smart Port Macros 3-4 Configuring User-Created Smart Port Macros 3-13 Displaying Smart Port Macros43-16

CHAPTER

Configuring Virtual Switching Systems Understanding Virtual Switching Systems VSS Overview 4-2 VSS Redundancy 4-11 Multichassis EtherChannels 4-14 Packet Handling 4-16 System Monitoring 4-20 Dual-Active Detection 4-22 VSS Initialization 4-25

4-1 4-1

VSS Configuration Guidelines and Restrictions 4-29 General VSS Restrictions and Guidelines 4-29 VSL Restrictions and Guidelines 4-29 Multichassis EtherChannel Restrictions and Guidelines 4-29 Dual-Active Detection Restrictions and Guidelines 4-30 Service Module Restrictions and Guidelines 4-30 Configuring a VSS 4-30 Converting to a VSS 4-31 Displaying VSS Information 4-37 Converting a VSS to Standalone Chassis 4-37 Configuring VSS Parameters 4-39 Configuring Multichassis EtherChannels 4-45 Configuring Dual-Active Detection 4-46 Configuring Service Modules in a VSS 4-52 Viewing Chassis Status and Module Information in a VSS Upgrading a VSS 4-55 Performing a Fast Software Upgrade of a VSS 4-55 Performing an Enhanced Fast Software Upgrade of a VSS2

4-54

4-56

PART

High Availability5

CHAPTER

Performing an Enhanced Fast Software Upgrade eFSU Overview 5-1 eFSU Operation 5-2Cisco IOS Software Configuration Guide, Release 12.2SX

5-1

iv

OL-13013-06

Contents

Outage Time and Support Considerations Reserving Module Memory 5-3 Error Handling for eFSU Preload 5-4 eFSU Guidelines and Limitations5-4

5-3

Performing an Enhanced Fast Software Upgrade 5-5 Software Upgrade Process Summary For a Switch 5-5 Preparing for the Upgrade 5-6 Copying the New Software Image 5-8 Loading the New Software onto the Standby Supervisor Engine 5-8 Displaying the Maximum Outage Time for Installed Modules (Optional) 5-10 Forcing a Switchover from Active to Standby 5-10 Accepting the New Software Version and Stopping the Rollback Process (Optional) Committing the New Software to the Standby 5-12 Verifying the Software Installation 5-12 Aborting the Upgrade Process 5-13 Performing an eFSU Upgrade on an Installed Modular Image 5-14 Upgrading an Installed Modular Image 5-14 Example an eFSU Upgrade on an Installed Modular Image 5-15 Upgrading a Non-eFSU Image to an eFSU Image65-16

5-11

CHAPTER

Configuring NSF with SSO Supervisor Engine Redundancy

6-1

Understanding NSF with SSO Supervisor Engine Redundancy 6-1 NSF with SSO Supervisor Engine Redundancy Overview 6-2 SSO Operation 6-2 NSF Operation 6-3 Cisco Express Forwarding 6-3 Multicast MLS NSF with SSO 6-4 Routing Protocols 6-4 NSF Benefits and Restrictions 6-8 Supervisor Engine Configuration Synchronization 6-9 Supervisor Engine Redundancy Guidelines and Restrictions 6-9 Redundancy Configuration Guidelines and Restrictions 6-9 Hardware Configuration Guidelines and Restrictions 6-10 Configuration Mode Restrictions 6-11 NSF Configuration Tasks 6-11 Configuring SSO 6-11 Verifying the Redundancy States 6-12 Configuring Multicast MLS NSF with SSO Verifying Multicast NSF with SSO 6-13

6-13


v

Contents

Configuring CEF NSF 6-13 Verifying CEF NSF 6-14 Configuring BGP NSF 6-14 Verifying BGP NSF 6-14 Configuring OSPF NSF 6-15 Verifying OSPF NSF 6-16 Configuring IS-IS NSF 6-17 Verifying IS-IS NSF 6-17 Configuring EIGRP NSF 6-19 Verifying EIGRP NSF 6-19 Synchronizing the Supervisor Engine Configurations Copying Files to the Redundant Supervisor Engine76-20

6-20

CHAPTER

Configuring RPR Supervisor Engine Redundancy

7-1

Understanding RPR 7-1 Supervisor Engine Redundancy Overview 7-2 RPR Operation 7-2 Supervisor Engine Configuration Synchronization

7-3

Supervisor Engine Redundancy Guidelines and Restrictions 7-3 Redundancy Guidelines and Restrictions 7-3 Hardware Configuration Guidelines and Restrictions 7-3 Configuration Mode Restrictions 7-4 Configuring Supervisor Engine Redundancy 7-4 Configuring Redundancy 7-4 Synchronizing the Supervisor Engine Configurations Displaying the Redundancy States 7-5 Performing a Fast Software Upgrade Copying Files to the RP37-7 7-6

7-5

PART

Interface and Hardware Components8

CHAPTER

Configuring and Monitoring the Switch Fabric Functionality Understanding the Switch Fabric Functionality 8-1 Switch Fabric Functionality Overview 8-2 Forwarding Decisions for Layer 3-Switched Traffic Switching Modes 8-2 Configuring the Switch Fabric Functionality Monitoring the Switch Fabric Functionality8-3 8-4

8-1

8-2

Cisco IOS Software Configuration Guide, Release 12.2SX

vi

OL-13013-06

Contents

Displaying the Switch Fabric Redundancy Status 8-4 Displaying Fabric Channel Switching Modes 8-4 Displaying the Fabric Status 8-5 Displaying the Fabric Utilization 8-5 Displaying Fabric Errors 8-69

CHAPTER

Configuring Interfaces

9-1 9-2

Understanding Interface Configuration Using the Interface Command9-2 9-4

Configuring a Range of Interfaces

Defining and Using Interface-Range Macros

9-6

Configuring Optional Interface Features 9-6 Configuring Ethernet Interface Speed and Duplex Mode Configuring Jumbo Frame Support 9-10 Configuring IEEE 802.3x Flow Control 9-13 Configuring the Port Debounce Timer 9-15 Adding a Description for an Interface 9-16 Understanding Online Insertion and Removal Monitoring and Maintaining Interfaces 9-17 Monitoring Interface Status 9-17 Clearing Counters on an Interface 9-18 Resetting an Interface 9-18 Shutting Down and Restarting an Interface Checking the Cable Status Using the TDR109-19 9-16

9-7

9-19

CHAPTER

Configuring UDLD

10-1

Understanding UDLD 10-1 UDLD Overview 10-2 UDLD Aggressive Mode Fast UDLD 10-4 Default UDLD Configuration

10-3

10-4

Configuring UDLD 10-5 Enabling UDLD Globally 10-5 Enabling UDLD on LAN Ports 10-5 Disabling UDLD on Fiber-Optic LAN Ports 10-6 Configuring the Global UDLD Probe Message Interval Configuring Fast UDLD 10-6 Resetting Disabled LAN Interfaces 10-7

10-6


vii

Contents

CHAPTER

11

Power Management and Environmental Monitoring Understanding Power Management 11-1 Enabling or Disabling Power Redundancy 11-2 Powering Modules Off and On 11-3 Viewing System Power Status 11-4 Power Cycling Modules 11-5 Determining System Power Requirements 11-5 Determining System Hardware Capacity 11-5 Determining Sensor Temperature Threshold 11-9

11-1

Understanding Environmental Monitoring 11-10 Overview 11-10 Monitoring System Environmental Status 11-10 Understanding LED Environmental Indications 11-1212

CHAPTER

Configuring EnergyWise

12-1

CHAPTER

13

Configuring Onboard Failure Logging Understanding OBFL 13-1 Overview of OBFL 13-2 Data Collected by OBFL 13-2 Restrictions for OBFL Enabling OBFL13-9 13-9

13-1

Configuration Examples for OBFL 13-10 Enabling OBFL Message Logging: Example 13-10 OBFL Message Log: Example 13-10 OBFL Component Uptime Report: Example 13-10 OBFL Report for a Specific Time: Example 13-1114

CHAPTER

Configuring Online Diagnostics

14-1 14-1

Understanding Online Diagnostics

Configuring Online Diagnostics 14-2 Setting Bootup Online Diagnostics Level 14-2 Configuring On-Demand Online Diagnostics 14-3 Scheduling Online Diagnostics 14-4 Configuring Health-Monitoring Diagnostics 14-5 Running Online Diagnostic Tests 14-5 Starting and Stopping Online Diagnostic Tests Running All Online Diagnostic Tests 14-714-6


viii

OL-13013-06

Contents

Displaying Online Diagnostic Tests and Test Results Performing Memory Tests1514-12

14-7

CHAPTER

Configuring Cisco IP Phone Support

15-1

Understanding Cisco IP Phone Support 15-1 Cisco IP Phone Connections 15-2 Cisco IP Phone Voice Traffic 15-2 Cisco IP Phone Data Traffic 15-3 IP Phone Power Configurations 15-3 Other Cisco IP Phone Features 15-6 Default Cisco IP Phone Support Configuration Configuring Cisco IP Phone Support 15-7 Configuring Voice Traffic Support 15-8 Configuring Data Traffic Support 15-9 Configuring Inline Power Support 15-10215-6 15-7

Cisco IP Phone Support Configuration Guidelines and Restrictions

PART

LAN Switching16

CHAPTER

Configuring LAN Ports for Layer 2 Switching Understanding Layer 2 Switching 16-1 Understanding Layer 2 Ethernet Switching Understanding VLAN Trunks 16-3 Layer 2 LAN Port Modes 16-4 Default Layer 2 LAN Interface Configuration

16-1

16-1

16-5 16-5

Layer 2 LAN Interface Configuration Guidelines and Restrictions

Configuring LAN Interfaces for Layer 2 Switching 16-6 Configuring a LAN Port for Layer 2 Switching 16-7 Enabling Out-of-Band MAC Address Table Synchronization 16-8 Configuring MAC Address Table Notification 16-8 Configuring a Layer 2 Switching Port as a Trunk 16-10 Configuring a LAN Interface as a Layer 2 Access Port 16-16 Configuring an IEEE 802.1Q Custom EtherType Field Value 16-1817

CHAPTER

Configuring Flex Links

17-1 17-1

Understanding Flex Links

Configuring Flex Links 17-2 Flex Links Default Configuration

17-2


ix

Contents

Flex Links Configuration Guidelines and Restrictions Configuring Flex Links 17-3 Monitoring Flex Links1817-4

17-2

CHAPTER

Configuring EtherChannels

18-1

Understanding EtherChannels 18-1 EtherChannel Feature Overview 18-2 Understanding EtherChannel Configuration 18-2 Understanding LACP 1:1 Redundancy 18-5 Understanding Port Channel Interfaces 18-5 Understanding Load Balancing 18-5 EtherChannel Feature Configuration Guidelines and Restrictions18-6

Configuring EtherChannels 18-7 Configuring Port Channel Logical Interfaces for Layer 3 EtherChannels 18-7 Configuring Channel Groups 18-8 Configuring the LACP System Priority and System ID 18-11 Configuring EtherChannel Load Balancing 18-11 Configuring EtherChannel Hash-Distribution Algorithm 18-12 Configuring the EtherChannel Min-Links Feature 18-13 Configuring LACP 1:1 Redundancy 18-14 Configuring Auto Interleaved Port Priority For LACP Port Channels 18-1519

CHAPTER

Configuring mLACP for Server Access

19-1

Understanding mLACP for Server Access 19-1 Overview of mLACP for Server Access 19-2 Understanding mLACP Operation 19-2 Failure Protection Scenarios 19-6 mLACP Failover 19-6 mLACP for Server Access Guidelines and Restrictions19-9

Configuring mLACP for Server Access 19-10 Summary of mLACP PoA Configuration Values 19-11 Configuring mLACP Global Options 19-11 Configuring the Interchassis Communication Channel 19-12 Configuring Interchassis Redundancy Groups 19-13 Forcing a PoA Failover 19-18 Troubleshooting mLACP 19-18 Verifying an Active PoA 19-18 Verifying a Standby PoA 19-22


x

OL-13013-06

Contents

CHAPTER

20

Configuring IEEE 802.1ak MVRP and MRP

20-1

Understanding IEEE 802.1ak MVRP and MRP 20-1 Overview 20-1 Dynamic VLAN Creation 20-3 MVRP Interoperability with VTP 20-3 MVRP Interoperation with Non-Cisco Devices 20-5 MVRP Interoperability with Other Software Features and Protocols IEEE 802.1ak MVRP and MRP Guidelines and Restrictions Configuring IEEE 802.1ak MVRP and MRP 20-8 Enabling MVRP 20-8 Enabling Automatic Detection of MAC Addresses Enabling MVRP Dynamic VLAN Creation 20-9 Changing the MVRP Registrar State 20-9 Troubleshooting the MVRP Configuration20-10 20-7

20-5

20-8

Configuration Examples for IEEE 802.1ak MVRP and MRP 20-11 Enabling MVRP 20-11 Enabling MVRP Automatic Detection of MAC Addresses 20-11 Enabling Dynamic VLAN Creation 20-11 Changing the MVRP Registrar State 20-1121

CHAPTER

Configuring VTP

21-1

Understanding VTP 21-1 Understanding the VTP Domain 21-2 Understanding VTP Modes 21-3 Understanding VTP Advertisements 21-3 Understanding VTP Authentication 21-4 Understanding VTP Version 2 21-4 Understanding VTP Version 3 21-5 Understanding VTP Pruning 21-6 VLAN Interaction 21-8 Interaction Between VTP Version 3 and VTP Version 2 Devices Interaction Between VTP Version 3 and VTP Version 1 Devices VTP Default Configuration21-8 21-9 21-8 21-8

VTP Configuration Guidelines and Restrictions

Configuring VTP 21-10 Configuring VTP Global Parameters 21-10 Configuring the VTP Mode 21-15 Configuring VTP Mode on a Per-Port Basis 21-17


xi

Contents

Displaying VTP Statistics22

21-18

CHAPTER

Configuring VLANs

22-1

Understanding VLANs 22-1 VLAN Overview 22-2 VLAN Ranges 22-2 VLAN Configuration Guidelines and Restrictions22-3

Configuring VLANs 22-3 Configurable VLAN Parameters 22-4 Ethernet VLAN Default Parameters 22-4 VLAN Locking 22-4 Creating or Modifying an Ethernet VLAN 22-5 Assigning a Layer 2 LAN Interface to a VLAN 22-6 Configuring the Internal VLAN Allocation Policy 22-7 Configuring VLAN Translation 22-7 Mapping 802.1Q VLANs to ISL VLANs 22-10 Saving VLAN Information 22-1123

CHAPTER

Configuring Private VLANs

23-1

Understanding Private VLANs 23-1 Private VLAN Domains 23-2 Private VLAN Ports 23-3 Primary, Isolated, and Community VLANs 23-3 Private VLAN Port Isolation 23-4 IP Addressing Scheme with Private VLANs 23-4 Private VLANs Across Multiple Switches 23-5 Private VLAN Interaction with Other Features 23-5 Private VLAN Configuration Guidelines and Restrictions Secondary and Primary VLAN Configuration 23-7 Private VLAN Port Configuration 23-9 Limitations with Other Features 23-923-6

Configuring Private VLANs 23-11 Configuring a VLAN as a Private VLAN 23-11 Associating Secondary VLANs with a Primary VLAN 23-12 Mapping Secondary VLANs to the Layer 3 VLAN Interface of a Primary VLAN Configuring a Layer 2 Interface as a Private VLAN Host Port 23-15 Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port 23-16 Monitoring Private VLANs23-17

23-13


xii

OL-13013-06

Contents

CHAPTER

24

Configuring Private Hosts

24-1

Understanding Private Hosts 24-1 Isolating Hosts in a VLAN 24-2 Restricting Traffic Flow (Using Private Hosts Port Mode and PACLs) Port ACLs 24-5 Configuration Guidelines and Limitations 24-5 ACL Guidelines 24-6 VLANs on the Trunk Port 24-6 Interaction with Other Features 24-6 Spoofing Protection 24-7 Multicast Operation 24-7 Configuring Private Hosts 24-7 Configuration Summary 24-8 Detailed Configuration Steps 24-9 Configuration Examples 24-1025

24-3

CHAPTER

Configuring IEEE 802.1Q Tunneling Understanding 802.1Q Tunneling

25-1 25-1 25-3

802.1Q Tunneling Configuration Guidelines and Restrictions Configuring 802.1Q Tunneling 25-6 Configuring 802.1Q Tunnel Ports 25-6 Configuring the Switch to Tag Native VLAN Traffic26

25-7

CHAPTER

Configuring Layer 2 Protocol Tunneling Understanding Layer 2 Protocol Tunneling

26-1 26-1 26-2

Configuring Support for Layer 2 Protocol Tunneling27

CHAPTER

Configuring STP and MST

27-1

Understanding STP 27-1 STP Overview 27-2 Understanding the Bridge ID 27-2 Understanding Bridge Protocol Data Units 27-3 Election of the Root Bridge 27-4 STP Protocol Timers 27-4 Creating the Spanning Tree Topology 27-5 STP Port States 27-5 STP and IEEE 802.1Q Trunks 27-12 Understanding IEEE 802.1w RSTP27-13


xiii

Contents

Port Roles and the Active Topology 27-13 Rapid Convergence 27-14 Synchronization of Port Roles 27-15 Bridge Protocol Data Unit Format and Processing Topology Changes 27-17 Rapid-PVST 27-18 Understanding MST 27-18 MST Overview 27-19 MST Regions 27-19 IST, CIST, and CST 27-20 Hop Count 27-23 Boundary Ports 27-23 Standard-Compliant MST Implementation 27-24 Interoperability with IEEE 802.1D-1998 STP 27-26

27-16

Configuring STP 27-26 Default STP Configuration 27-27 Enabling STP 27-28 Enabling the Extended System ID 27-29 Configuring the Root Bridge 27-30 Configuring a Secondary Root Bridge 27-31 Configuring STP Port Priority 27-32 Configuring STP Port Cost 27-33 Configuring the Bridge Priority of a VLAN 27-35 Configuring the Hello Time 27-36 Configuring the Forward-Delay Time for a VLAN 27-36 Configuring the Maximum Aging Time for a VLAN 27-37 Enabling Rapid-PVST 27-37 Configuring MST 27-38 Default MST Configuration 27-39 MST Configuration Guidelines and Restrictions 27-39 Specifying the MST Region Configuration and Enabling MST Configuring the Root Bridge 27-41 Configuring a Secondary Root Bridge 27-43 Configuring Port Priority 27-43 Configuring Path Cost 27-44 Configuring the Switch Priority 27-45 Configuring the Hello Time 27-46 Configuring the Forwarding-Delay Time 27-47 Configuring the Transmit Hold Count 27-47

27-40


xiv

OL-13013-06

Contents

Configuring the Maximum-Aging Time 27-48 Configuring the Maximum-Hop Count 27-48 Specifying the Link Type to Ensure Rapid Transitions Designating the Neighbor Type 27-49 Restarting the Protocol Migration Process 27-50 Displaying the MST Configuration and Status2827-50

27-48

CHAPTER

Configuring Optional STP Features

28-1

Understanding the Optional STP Features 28-1 Understanding STP Port Types 28-2 Understanding PortFast 28-2 Understanding Bridge Assurance 28-3 Understanding BPDU Guard 28-5 Understanding PortFast BPDU Filtering 28-5 Understanding UplinkFast 28-6 Understanding BackboneFast 28-7 Understanding EtherChannel Guard 28-9 Understanding Root Guard 28-10 Understanding Loop Guard 28-10 Understanding PVST Simulation 28-11 Configuring the Optional STP Features 28-12 Enabling PortFast 28-12 Enabling Bridge Assurance 28-14 Enabling PortFast BPDU Filtering 28-15 Enabling BPDU Guard 28-16 Enabling UplinkFast 28-18 Enabling BackboneFast 28-19 Enabling EtherChannel Guard 28-20 Enabling Root Guard 28-20 Enabling Loop Guard 28-21 Configuring PVST Simulation 28-22 Verifying the Optional STP Features 28-23 Using the show spanning-tree Commands 28-23 Examples in Release 12.2(33)SXI and Later Releases 28-23 Examples in Releases Earlier Than Release 12.2(33)SXI 28-263

PART

IP Routing Protocols


xv

Contents

CHAPTER

29

Configuring Layer 3 Interfaces

29-1 29-2

Layer 3 Interface Configuration Guidelines and Restrictions Configuring Subinterfaces on Layer 3 Interfaces Configuring IPv4 Routing and Addresses29-4 29-7 29-2

Configuring IPX Routing and Network Numbers Configuring Other Protocols on Layer 3 Interfaces30

Configuring AppleTalk Routing, Cable Ranges, and Zones29-9

29-8

CHAPTER

Configuring UDE and UDLR

30-1

Understanding UDE and UDLR 30-1 UDE and UDLR Overview 30-1 Supported Hardware 30-2 Understanding UDE 30-2 Understanding UDLR 30-3 Configuring UDE and UDLR 30-3 Configuring UDE 30-3 Configuring UDLR 30-64

PART

Multiprotocol Label Switching31

CHAPTER

Configuring Multiprotocol Label Switching

31-1

MPLS 31-1 Understanding MPLS 31-2 Hardware-Supported MPLS Functions 31-4 Supported Cisco IOS Features 31-5 MPLS Guidelines and Restrictions 31-7 Supported MPLS Commands 31-7 Configuring MPLS 31-8 MPLS Per-Label Load Balancing 31-8 MPLS Configuration Examples 31-8 DE/CLP and EXP Mapping on FR/ATMoMPLS VC Match on ATM CLP Bit 31-10 Set on ATM CLP Bit 31-12 VPN Switching 31-13 VPN Switching Operation 31-13 MPLS VPN Guidelines and Restrictions 31-14 MPLS VPN Supported Commands 31-14 Configuring MPLS VPN 31-15Cisco IOS Software Configuration Guide, Release 12.2SX

31-10

xvi

OL-13013-06

Contents

MPLS VPN Sample Configuration

31-15

Any Transport over MPLS 31-17 AToM Load Balancing 31-17 Understanding EoMPLS 31-17 EoMPLS Guidelines and Restrictions 31-18 Configuring EoMPLS 31-19 Configuring MUX-UNI Support on LAN Cards5

31-26

PART

IP Switching32

CHAPTER

Configuring IP Unicast Layer 3 Switching

32-1

Understanding Layer 3 Switching 32-2 Understanding Hardware Layer 3 Switching 32-2 Understanding Layer 3-Switched Packet Rewrite 32-2 Default Hardware Layer 3 Switching Configuration Configuration Guidelines and Restrictions Configuring Hardware Layer 3 Switching32-4 32-5 32-6 32-4

Displaying Hardware Layer 3 Switching Statistics6

PART

IPv633

CHAPTER

Configuring IPv6 Multicast PFC3 and DFC3 Layer 3 Switching Features that Support IPv6 Multicast33-1 33-2 33-3 33-3

33-1

IPv6 Multicast Guidelines and Restrictions New or Changed IPv6 Multicast Commands Configuring IPv6 Multicast Layer 3 Switching

Using show Commands to Verify IPv6 Multicast Layer 3 Switching 33-3 Verifying MFIB Clients 33-4 Displaying the Switching Capability 33-4 Verifying the (S,G) Forwarding Capability 33-5 Verifying the (*,G) Forwarding Capability 33-5 Verifying the Subnet Entry Support Status 33-5 Verifying the Current Replication Mode 33-5 Displaying the Replication Mode Auto-Detection Status 33-5 Displaying the Replication Mode Capabilities 33-5 Displaying Subnet Entries 33-6 Displaying the IPv6 Multicast Summary 33-6 Displaying the NetFlow Hardware Forwarding Count 33-6Cisco IOS Software Configuration Guide, Release 12.2SX OL-13013-06

xvii

Contents

Displaying the FIB Hardware Bridging and Drop Counts 33-7 Displaying the Shared and Well-Known Hardware Adjacency Counters34

33-7

CHAPTER

Configuring MLD Snooping for IPv6 Multicast Traffic Understanding MLD Snooping 34-2 MLD Snooping Overview 34-2 MLD Messages 34-3 Source-Based Filtering 34-3 Explicit Host Tracking 34-3 MLD Snooping Proxy Reporting 34-4 Joining an IPv6 Multicast Group 34-4 Leaving a Multicast Group 34-6 Understanding the MLD Snooping Querier Default MLD Snooping Configuration34-8

34-1

34-7

MLD Snooping Configuration Guidelines and Restrictions Enabling the MLD Snooping Querier34-9

34-8 34-9

MLD Snooping Querier Configuration Guidelines and Restrictions Configuring MLD Snooping 34-10 Enabling MLD Snooping 34-10 Configuring a Static Connection to a Multicast Receiver Configuring a Multicast Router Port Statically 34-11 Configuring the MLD Snooping Query Interval 34-12 Enabling Fast-Leave Processing 34-12 Enabling SSM Safe Reporting 34-13 Configuring Explicit Host Tracking 34-13 Configuring Report Suppression 34-14 Displaying MLD Snooping Information 34-147

34-11

PART

IP Multicast35

CHAPTER

Configuring IPv4 Multicast Layer 3 Switching

35-1

Understanding IPv4 Multicast Layer 3 Switching 35-1 IPv4 Multicast Layer 3 Switching Overview 35-2 Multicast Layer 3 Switching Cache 35-2 Layer 3-Switched Multicast Packet Rewrite 35-3 Partially and Completely Switched Flows 35-4 Non-RPF Traffic Processing 35-5 Multicast Boundary 35-8


xviii

OL-13013-06

Contents

Understanding IPv4 Bidirectional PIM

35-9 35-9 35-10

Default IPv4 Multicast Layer 3 Switching Configuration

IPv4 Multicast Layer 3 Switching Configuration Guidelines and Restrictions Restrictions 35-10 Unsupported Features 35-10 Configuring IPv4 Multicast Layer 3 Switching 35-11 Source-Specific Multicast with IGMPv3, IGMP v3lite, and URD 35-11 Enabling IPv4 Multicast Routing Globally 35-11 Enabling IPv4 PIM on Layer 3 Interfaces 35-12 Enabling IP Multicast Layer 3 Switching Globally 35-12 Enabling IP Multicast Layer 3 Switching on Layer 3 Interfaces 35-13 Configuring the Replication Mode 35-13 Enabling Local Egress Replication 35-15 Configuring the Layer 3 Switching Global Threshold 35-16 Enabling Installation of Directly Connected Subnets 35-17 Specifying the Flow Statistics Message Interval 35-17 Enabling Shortcut-Consistency Checking 35-17 Configuring ACL-Based Filtering of RPF Failures 35-18 Displaying RPF Failure Rate-Limiting Information 35-18 Configuring Multicast Boundary 35-19 Displaying IPv4 Multicast Layer 3 Hardware Switching Summary 35-19 Displaying the IPv4 Multicast Routing Table 35-22 Displaying IPv4 Multicast Layer 3 Switching Statistics 35-23 Configuring IPv4 Bidirectional PIM 35-24 Enabling IPv4 Bidirectional PIM Globally 35-24 Configuring the Rendezvous Point for IPv4 Bidirectional PIM Groups Setting the IPv4 Bidirectional PIM Scan Interval 35-25 Displaying IPv4 Bidirectional PIM Information 35-26 Using IPv4 Debug Commands 35-28 Clearing IPv4 Multicast Layer 3 Switching Statistics 35-28 Redundancy for Multicast Traffic 35-2936

35-25

CHAPTER

Configuring IGMP Snooping and MVR for IPv4 Multicast Traffic Understanding IGMP Snooping 36-2 IGMP Snooping Overview 36-2 Joining a Multicast Group 36-2 Leaving a Multicast Group 36-4 Understanding the IGMP Snooping Querier 36-5 Understanding IGMP Version 3 Support 36-5

36-1


xix

Contents

Default IGMP Snooping Configuration

36-7 36-8 36-8

IGMP Snooping Configuration Guidelines and Restrictions Enabling the IGMP Snooping Querier36-9

IGMP Snooping Querier Configuration Guidelines and Restrictions Configuring IGMP Snooping 36-9 Enabling IGMP Snooping 36-10 Configuring a Static Connection to a Multicast Receiver Configuring a Multicast Router Port Statically 36-11 Configuring the IGMP Snooping Query Interval 36-11 Enabling IGMP Fast-Leave Processing 36-12 Configuring Source-Specific Multicast Mapping 36-12 CGMP Automatic Detection 36-13 Configuring IGMPv3 Explicit Host Tracking 36-13 Displaying IGMP Snooping Information 36-14 Understanding MVR 36-16 Using MVR in a Multicast Television Application Configuring MVR 36-19 Default MVR Configuration 36-19 MVR Configuration Guidelines and Limitations Configuring MVR Global Parameters 36-20 Configuring MVR Interfaces 36-21 Displaying MVR Information Clearing MVR Counters3736-23 36-24 36-17

36-11

36-20

CHAPTER

Configuring IPv4 IGMP Filtering and Router Guard Understanding IGMP Filtering 37-1 IGMP Filtering Overview 37-2 IGMP Filters 37-2 IGMP Filter Precedence 37-4 Filter Hierarchy Example 37-4 Displaying IGMP Filtering 37-5 Clearing IGMP Filtering Statistics

37-1

37-7

Understanding Router Guard 37-7 Router Guard Overview 37-8 Configuring Router Guard 37-8 Displaying Router Guard Configurations 37-9 Displaying Router Guard Interfaces 37-10 Clearing Router Guard Statistics 37-11


xx

OL-13013-06

Contents

CHAPTER

38

Configuring PIM Snooping

38-1 38-1 38-4 38-4

Understanding PIM Snooping

Default PIM Snooping Configuration

PIM Snooping Configuration Guidelines and Restrictions Configuring PIM Snooping 38-5 Enabling PIM Snooping Globally 38-5 Enabling PIM Snooping in a VLAN 38-5 Disabling PIM Snooping Designated-Router Flooding39

38-6

CHAPTER

Configuring IPv4 Multicast VPN Support

39-1

Understanding MVPN 39-1 MVPN Overview 39-2 Multicast Routing and Forwarding and Multicast Domains Multicast Distribution Trees 39-2 Multicast Tunnel Interfaces 39-5 PE Router Routing Table Support for MVPN 39-6 Multicast Distributed Switching Support 39-6 Hardware-Assisted IPv4 Multicast 39-6 MVPN Configuration Guidelines and Restrictions39-7

39-2

Configuring MVPN 39-8 Forcing Ingress Multicast Replication Mode (Optional) 39-8 Configuring a Multicast VPN Routing and Forwarding Instance Configuring Multicast VRF Routing 39-15 Configuring Interfaces for Multicast Routing to Support MVPN Sample Configurations for MVPN 39-21 MVPN Configuration with Default MDTs Only 39-21 MVPN Configuration with Default and Data MDTs 39-238

39-9

39-19

PART

Quality of Service40

CHAPTER

Configuring PFC QoS

40-1

Understanding PFC QoS 40-2 Port Types Supported by PFC QoS 40-2 Overview 40-2 Component Overview 40-5 Understanding Classification and Marking 40-14 Policers 40-17 Understanding Port-Based Queue Types 40-20


xxi

Contents

PFC QoS Default Configuration 40-27 PFC QoS Global Settings 40-27 Default Values with PFC QoS Enabled 40-28 Default Values with PFC QoS Disabled 40-50 PFC QoS Configuration Guidelines and Restrictions 40-50 General Guidelines 40-51 Class Map Command Restrictions 40-54 Policy Map Command Restrictions 40-54 Policy Map Class Command Restrictions 40-54 Supported Granularity for CIR and PIR Rate Values 40-54 Supported Granularity for CIR and PIR Token Bucket Sizes 40-55 IP Precedence and DSCP Values 40-56 Configuring PFC QoS 40-56 Enabling PFC QoS Globally 40-57 Enabling Ignore Port Trust 40-58 Configuring DSCP Transparency 40-59 Enabling Queueing-Only Mode 40-59 Enabling Microflow Policing of Bridged Traffic 40-60 Enabling VLAN-Based PFC QoS on Layer 2 LAN Ports 40-61 Enabling Egress ACL Support for Remarked DSCP 40-61 Creating Named Aggregate Policers 40-62 Configuring a PFC QoS Policy 40-65 Configuring Egress DSCP Mutation 40-82 Configuring Ingress CoS Mutation on IEEE 802.1Q Tunnel Ports 40-84 Configuring DSCP Value Maps 40-86 Configuring the Trust State of Ethernet LAN Ports 40-90 Configuring Trusted Boundary with Cisco Device Verification 40-91 Configuring the Ingress LAN Port CoS Value 40-92 Configuring Standard-Queue Drop Threshold Percentages 40-93 Mapping QoS Labels to Queues and Drop Thresholds 40-98 Allocating Bandwidth Between Standard Transmit Queues 40-107 Setting the Receive-Queue Size Ratio 40-109 Configuring the Transmit-Queue Size Ratio 40-110 Common QoS Scenarios 40-111 Sample Network Design Overview 40-111 Classifying Traffic from PCs and IP Phones in the Access Layer 40-112 Accepting the Traffic Priority Value on Interswitch Links 40-115 Prioritizing Traffic on Interswitch Links 40-116 Using Policers to Limit the Amount of Traffic from a PC 40-119


xxii

OL-13013-06

Contents

PFC QoS Glossary41

40-120

CHAPTER

Using AutoQoS

41-1

Understanding AutoQoS 41-1 AutoQoS Support for a Cisco IP Phone 41-2 AutoQoS Support for Cisco IP Communicator 41-2 AutoQoS Support for Marked Traffic 41-2 Using AutoQoS 41-3 AutoQoS Configuration Guidelines and Restrictions Configuring AutoQoS 41-44241-3

CHAPTER

Configuring MPLS QoS Terminology42-2

42-1

MPLS QoS Features 42-3 MPLS Experimental Field 42-3 Trust 42-3 Classification 42-3 Policing and Marking 42-4 Preserving IP ToS 42-4 EXP Mutation 42-4 MPLS DiffServ Tunneling Modes

42-4

MPLS QoS Overview 42-4 Specifying the QoS in the IP Precedence Field

42-5

MPLS QoS 42-5 LERs at the Input Edge of an MPLS Network 42-6 LSRs in the Core of an MPLS Network 42-6 LERs at the Output Edge of an MPLS Network 42-7 Understanding MPLS QoS 42-7 LERs at the EoMPLS Edge 42-8 LERs at the IP Edge (MPLS, MPLS VPN) LSRs at the MPLS Core 42-13 MPLS QoS Default Configuration MPLS QoS Commands42-16 42-17 42-15

42-9

MPLS QoS Restrictions and Guidelines

Configuring MPLS QoS 42-17 Enabling QoS Globally 42-18 Enabling Queueing-Only Mode 42-19 Configuring a Class Map to Classify MPLS Packets

42-20


xxiii

Contents

Configuring the MPLS Packet Trust State on Ingress Ports Configuring a Policy Map 42-22 Displaying a Policy Map 42-27 Configuring MPLS QoS Egress EXP Mutation 42-28 Configuring EXP Value Maps 42-29 MPLS DiffServ Tunneling Modes 42-30 Short Pipe Mode 42-31 Uniform Mode 42-32 MPLS DiffServ Tunneling Restrictions and Usage Guidelines

42-22

42-34

Configuring Short Pipe Mode 42-34 Ingress PE RouterCustomer Facing Interface 42-34 Configuring Ingress PE RouterP Facing Interface 42-35 Configuring the P RouterOutput Interface 42-37 Configuring the Egress PE RouterCustomer Facing Interface

42-38

Configuring Uniform Mode 42-39 Configuring the Ingress PE RouterCustomer Facing Interface 42-39 Configuring the Ingress PE RouterP Facing Interface 42-40 Configuring the Egress PE RouterCustomer Facing Interface 42-4143

CHAPTER

Configuring PFC QoS Statistics Data Export Understanding PFC QoS Statistics Data Export Configuring PFC QoS Statistics Data Export

43-1 43-1 43-2

PFC QoS Statistics Data Export Default Configuration43-2

PART

9

Security44

CHAPTER

Configuring Network Security Configuring TCP Intercept

44-1 44-2

Configuring MAC Address-Based Traffic Blocking44-2

Configuring Unicast Reverse Path Forwarding Check 44-2 Understanding PFC3 Unicast RPF Check Support 44-2 Unicast RPF Check Guidelines and Restrictions 44-3 Configuring Unicast RPF Check 44-445

CHAPTER

Using AutoSecure

45-1

Understanding AutoSecure 45-1 Benefits of AutoSecure 45-2 Securing the Management PlaneCisco IOS Software Configuration Guide, Release 12.2SX

45-2

xxiv

OL-13013-06

Contents

Securing the Forwarding Plane 45-5 AutoSecure Guidelines and Restrictions Configuring AutoSecure 45-6 Using the AutoSecure Command 45-7 Configuring Additional Security 45-8 Verifying AutoSecure 45-8 AutoSecure Configuration Example4645-9

45-6

CHAPTER

Understanding Cisco IOS ACL Support ACL Support in Hardware and Software Policy-Based ACLs 46-3 Understanding PBACLs 46-3 PBACL Guidelines and Restrictions Configuring PBACL 46-4 Configuring IPv6 Address Compression Optimized ACL Logging 46-8 Understanding OAL 46-8 OAL Guidelines and Restrictions Configuring OAL 46-8

46-1 46-1 46-3

Cisco IOS ACL Configuration Guidelines and Restrictions

46-4

46-6

46-8

Guidelines and Restrictions for Using Layer 4 Operators in ACLs Determining Layer 4 Operation Usage 46-10 Determining Logical Operation Unit Usage 46-1147

46-10

CHAPTER

Configuring Cisco TrustSec 47-1 Hardware Supported 47-3 Configuring Port ACLs and VLAN ACLs Understanding ACLs 48-1 Understanding ACLs 48-2 Understanding VACLs 48-2 Understanding Port ACLs 48-3 PACL and VACL Interactions 48-4 Configuring PACLs 48-7 PACL Configuration Guidelines 48-8 Configuring IP and MAC ACLs on a Layer 2 Interface 48-8 Configuring Access-group Mode on Layer 2 Interface 48-9 Applying ACLs to a Layer 2 Interface 48-948-1

CHAPTER

48


xxv

Contents

Applying ACLs to a Port Channel 48-10 Displaying an ACL Configuration on a Layer 2 Interface

48-10

Configuring VACLs 48-11 VACL Configuration Guidelines 48-11 Defining a VLAN Access Map 48-13 Configuring a Match Clause in a VLAN Access Map Sequence 48-13 Configuring an Action Clause in a VLAN Access Map Sequence 48-14 Applying a VLAN Access Map 48-15 Verifying VLAN Access Map Configuration 48-15 VLAN Access Map Configuration and Verification Examples 48-15 Configuring a Capture Port 48-16 Configuring MAC PBF 48-17 Configuring VACL Logging4948-19

CHAPTER

Configuring Denial of Service Protection Understanding DoS Protection49-2

49-1

DoS Protection Default Configuration

49-13 49-14

DoS Protection Configuration Guidelines and Restrictions Monitoring Packet Drop Statistics 49-15 Displaying Rate-Limiter Information 49-17 Configuring Sticky ARP5049-18

CHAPTER

Configuring Control Plane Policing Understanding Control Plane Policing CoPP Default Configuration Configuring CoPP Monitoring CoPP50-3 50-4 50-2

50-1 50-1

CoPP Configuration Guidelines and Restrictions

50-2

Defining Traffic Classification 50-5 Traffic Classification Overview 50-6 Traffic Classification Guidelines 50-7 Sample Basic ACLs for CoPP Traffic Classification51

50-7

CHAPTER

Configuring DHCP Snooping

51-1

Understanding DHCP Snooping 51-1 Overview of DHCP Snooping 51-2 Trusted and Untrusted Sources 51-2 DHCP Snooping Binding Database 51-3Cisco IOS Software Configuration Guide, Release 12.2SX

xxvi

OL-13013-06

Contents

Packet Validation 51-3 DHCP Snooping Option-82 Data Insertion 51-3 Overview of the DHCP Snooping Database Agent Default Configuration for DHCP Snooping51-6

51-5

DHCP Snooping Configuration Restrictions and Guidelines DHCP Snooping Configuration Restrictions 51-7 DHCP Snooping Configuration Guidelines 51-7 Minimum DHCP Snooping Configuration 51-8

51-7

Configuring DHCP Snooping 51-9 Enabling DHCP Snooping Globally 51-9 Enabling DHCP Option-82 Data Insertion 51-10 Enabling the DHCP Option-82 on Untrusted Port Feature 51-10 Enabling DHCP Snooping MAC Address Verification 51-11 Enabling DHCP Snooping on VLANs 51-11 Configuring the DHCP Trust State on Layer 2 LAN Interfaces 51-12 Configuring Spurious DHCP Server Detection 51-13 Configuring DHCP Snooping Rate Limiting on Layer 2 LAN Interfaces Configuring the DHCP Snooping Database Agent 51-14 Configuration Examples for the Database Agent 51-14 Displaying a Binding Table 51-1852

51-13

CHAPTER

Configuring IP Source Guard

52-1

Overview of IP Source Guard 52-1 IP Source Guard Interaction with VLAN-Based Features Channel Ports 52-2 Trunk Ports 52-2 Layer 2 and Layer 3 Port Conversion 52-2 IP Source Guard and Voice VLAN 52-2 IP Source Guard and Web-Based Authentication 52-2 IP Source Guard Restrictions 52-3 Configuring IP Source Guard on the Switch Displaying IP Source Guard Information Displaying IP Source Binding Information5352-3 52-4 52-6

52-2

CHAPTER

Configuring Dynamic ARP Inspection

53-1

Understanding DAI 53-1 Understanding ARP 53-2 Understanding ARP Spoofing Attacks 53-2 Understanding DAI and ARP Spoofing Attacks

53-2


xxvii

Contents

Interface Trust States and Network Security 53-3 Rate Limiting of ARP Packets 53-4 Relative Priority of ARP ACLs and DHCP Snooping Entries Logging of Dropped Packets 53-5 Default DAI Configuration53-5 53-6

53-4

DAI Configuration Guidelines and Restrictions

Configuring DAI 53-6 Enabling DAI on VLANs 53-7 Configuring the DAI Interface Trust State 53-8 Applying ARP ACLs for DAI Filtering 53-8 Configuring ARP Packet Rate Limiting 53-9 Enabling DAI Error-Disabled Recovery 53-10 Enabling Additional Validation 53-11 Configuring DAI Logging 53-12 Displaying DAI Information 53-14 DAI Configuration Samples 53-15 Sample One: Two Switches Support DAI 53-16 Sample Two: One Switch Supports DAI 53-2054

CHAPTER

Configuring Traffic Storm Control

54-1 54-1 54-3 54-3

Understanding Traffic Storm Control

Default Traffic Storm Control Configuration Configuration Guidelines and Restrictions

Configuring Traffic Storm Control 54-4 Enabling Traffic Storm Control 54-4 Configuring the Traffic Storm Control Shutdown Mode Configuring Traffic Storm Control SNMP Traps 54-6 Displaying Traffic Storm Control Settings5554-7

54-6

CHAPTER

Configuring Unknown Unicast and Multicast Flood Control Understanding Unknown Traffic Flood Control Configuring UUFB or UMFB Configuring UUFRL55-2 55-2 55-1

55-1

CHAPTER

56

Configuring Network Admission Control Understanding NAC 56-1 NAC Overview 56-2 NAC Device Roles 56-3

56-1


xxviii

OL-13013-06

Contents

AAA Down Policy 56-4 NAC IP Validation 56-4 NAC and Switchover 56-12 Configuring NAC 56-12 Default NAC Configuration 56-12 NAC IP Guidelines, Limitations, and Restrictions Configuring NAC IP Validation 56-14 Configuring EAPoUDP 56-18 Configuring Identity Profiles and Policies 56-18 Configuring NAC High Availability 56-19 Configuring a NAC AAA Down Policy 56-20 Monitoring and Maintaining NAC 56-23 Clearing Table Entries 56-23 Displaying NAC Information 56-2357

56-12

CHAPTER

Configuring IEEE 802.1X Port-Based Authentication

57-1

Understanding 802.1X Port-Based Authentication 57-1 Understanding 802.1X Device Roles 57-2 Understanding the Port-based Authentication Process 57-3 Authentication Initiation and Message Exchange 57-6 Ports in Authorized and Unauthorized States 57-8 802.1X Host Modes 57-9 Using 802.1X Authentication with DHCP Snooping 57-11 Understanding 802.1X Accounting 57-12 Using 802.1X Authentication with VLAN Assignment 57-13 Using Multiple VLANs and VLAN User Distribution with VLAN Assignment 57-14 Using 802.1X Authentication with Guest VLAN 57-15 Using 802.1X Authentication with Restricted VLAN 57-16 Using 802.1X Authentication with Inaccessible Authentication Bypass 57-17 Using 802.1X Authentication with Voice VLAN Ports 57-18 Using 802.1X Authentication with Port Security 57-19 Using 802.1X Authentication with ACL Assignments and Redirect URLs 57-19 Using 802.1X Authentication with Port Descriptors 57-22 Using 802.1X Authentication with MAC Authentication Bypass 57-22 Using Network Admission Control Layer 2 IEEE 802.1X Validation 57-23 Using RADIUS Change of Authorization 57-24 Using 802.1X Authentication with Wake-on-LAN 57-25 Understanding MAC Move 57-25 Understanding MAC Replace 57-26


xxix

Contents

Understanding 802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT) 57-26 802.1X Authentication Feature Configuration Guidelines 57-28 802.1X Authentication 57-28 802.1X Host Mode 57-29 VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass MAC Authentication Bypass 57-31 Web-Based Authentication 57-32 Configuring 802.1X Port-Based Authentication 57-32 Default 802.1X Port-Based Authentication Configuration 57-33 Enabling 802.1X Authentication 57-34 Configuring Switch-to-RADIUS-Server Communication 57-36 Configuring 802.1X Authenticator Host Mode 57-37 Enabling Fallback Authentication 57-39 Enabling Periodic Reauthentication 57-41 Manually Reauthenticating the Client Connected to a Port 57-42 Initializing Authentication for the Client Connected to a Port 57-42 Removing 802.1X Client Information 57-43 Clearing Authentication Sessions 57-43 Changing 802.1X Timeouts 57-43 Setting the Switch-to-Client Frame Retransmission Number 57-45 Setting the Reauthentication Number 57-46 Configuring IEEE 802.1X Accounting 57-46 Configuring VLAN User Distribution 57-47 Configuring a Guest VLAN 57-48 Configuring a Restricted VLAN 57-49 Configuring the Inaccessible Authentication Bypass Feature 57-51 Configuring MAC Authentication Bypass 57-54 Configuring NAC Layer 2 IEEE 802.1X Validation 57-55 Configuring NAC Agentless Audit Support 57-56 Configuring the Switch for DACLs or Redirect URLs 57-57 Configuring a Port to Ignore CoA Commands 57-58 Configuring 802.1X Authentication with WoL 57-58 Disabling 802.1X Authentication on the Port 57-59 Resetting the 802.1X Configuration to the Default Values 57-59 Configuring an Authenticator and a Supplicant Switch with NEAT 57-60 Displaying Authentication Status and Information 57-61 Displaying 802.1X Status 57-62 Displaying Authentication Methods and Status 57-63 Displaying MAC Authentication Bypass Status 57-66Cisco IOS Software Configuration Guide, Release 12.2SX

57-30

xxx

OL-13013-06

Contents

Enabling MAC Move 57-67 Enabling MAC Replace 57-6758

CHAPTER

Configuring Web-Based Authentication

58-1

Understanding Web-Based Authentication 58-1 Device Roles 58-2 Host Detection 58-3 Session Creation 58-3 Authentication Process 58-3 AAA Fail Policy 58-4 Customization of the Authentication Proxy Web Pages 58-4 Web-based Authentication Interactions with Other Features 58-5 Configuring Web-Based Authentication 58-6 Default Web-Based Authentication Configuration 58-7 Web-based Authentication Configuration Guidelines and Restrictions Web-based Authentication Configuration Task List 58-8 Configuring the Authentication Rule and Interfaces 58-8 Configuring AAA Authentication 58-9 Configuring Switch-to-RADIUS-Server Communication 58-9 Configuring the HTTP Server 58-11 Configuring an AAA Fail Policy 58-13 Configuring the Web-based Authentication Parameters 58-14 Removing Web-based Authentication Cache Entries 58-15 Displaying Web-Based Authentication Status5958-15

58-7

CHAPTER

Configuring Port Security

59-1

Understanding Port Security 59-1 Port Security with Dynamically Learned and Static MAC Addresses Port Security with Sticky MAC Addresses 59-2 Port Security with IP Phones 59-3 Default Port Security Configuration59-3 59-3

59-2

Port Security Guidelines and Restrictions

Configuring Port Security 59-5 Enabling Port Security 59-5 Configuring the Port Security Violation Mode on a Port 59-6 Configuring the Port Security Rate Limiter 59-7 Configuring the Maximum Number of Secure MAC Addresses on a Port Enabling Port Security with Sticky MAC Addresses on a Port 59-9 Configuring a Static Secure MAC Address on a Port 59-10

59-9


xxxi

Contents

Configuring Secure MAC Address Aging on a Port Displaying Port Security Settings1059-12

59-11

PART

NetFlow60

CHAPTER

Configuring NetFlow

60-1 60-1 60-2 60-2 60-4 60-4 60-5 60-6

Understanding NetFlow NetFlow Overview NetFlow on the PFC NetFlow on the RP NetFlow Features

Default NetFlow Configuration

NetFlow Configuration Guidelines and Restrictions Configuring NetFlow 60-6 Configuring NetFlow on the PFC 60-7 Configuring NetFlow Features 60-1061

CHAPTER

Configuring NDE

61-1

Understanding NDE 61-2 NDE Overview 61-2 NDE on the RP 61-2 NDE on the PFC 61-2 Default NDE Configuration61-10 61-10

NDE Configuration Guidelines and Restrictions

Configuring NDE 61-10 Configuring NDE on the PFC 61-11 Configuring NDE on the RP 61-13 Enabling NDE for Ingress-Bridged IP Traffic 61-14 Displaying the NDE Address and Port Configuration Configuring NDE Flow Filters 61-16 Displaying the NDE Configuration 61-1711

61-15

PART

Network Management62

CHAPTER

Configuring Call Home

62-1 62-2 62-3

Understanding Call Home Obtaining Smart Call Home Default Settings62-3


xxxii

OL-13013-06

Contents

Configuring Call Home 62-3 Configuration Overview 62-4 Configuring Customer Contact Information 62-4 Configuring Destination Profiles 62-5 Subscribing to Alert Groups 62-13 Enabling Call Home 62-16 Testing Call Home Communications 62-16 Configuring and Enabling Smart Call Home 62-19 Configuring the Smart Call Home Service 62-20 Enabling the Smart Call Home Service 62-20 Declare and Authenticate a CA Trustpoint 62-21 Start Smart Call Home Registration 62-22 Displaying Call Home Configuration Information Alert Group Trigger Events and Commands62-26 62-23

Message Contents 62-33 Sample Syslog Alert Notification in Long-Text Format 62-37 Sample Syslog Alert Notification in XML Format 62-3763

CHAPTER

Using the System Event Archive

63-1 63-1

Understanding the System Event Archive Displaying the SEA Logging System Copying the SEA To Another Device6463-2 63-3

CHAPTER

Backplane Traffic Monitoring Default Configuration64-2

64-1 64-1

Understanding Traffic Monitoring

Configuration Guidelines and Restrictions Configuring Backplane Traffic Monitoring65

64-2 64-2

CHAPTER

Configuring Local SPAN, RSPAN, and ERSPAN

65-1

Understanding Local SPAN, RSPAN, and ERSPAN 65-1 Local SPAN, RSPAN, and ERSPAN Overview 65-2 Local SPAN, RSPAN, and ERSPAN Sources 65-5 Local SPAN, RSPAN, and ERSPAN Destinations 65-7 Local SPAN, RSPAN, and ERSPAN Configuration Guidelines and Restrictions General Guidelines and Restrictions 65-8 Feature Incompatibilities 65-8 Local SPAN, RSPAN, and ERSPAN Session Limits 65-1065-7


xxxiii

Contents

Local SPAN, RSPAN, and ERSPAN Interface Limits 65-10 Local SPAN, RSPAN, and ERSPAN Guidelines and Restrictions 65-10 VSPAN Guidelines and Restrictions 65-11 RSPAN Guidelines and Restrictions 65-12 ERSPAN Guidelines and Restrictions 65-13 Distributed Egress SPAN Mode Guidelines and Restrictions 65-14 Configuring Local SPAN, RSPAN, and ERSPAN 65-14 Local SPAN, RSPAN, and ERSPAN Default Configuration 65-15 Configuring a Destination as an Unconditional Trunk (Optional) 65-15 Configuring Destination Trunk VLAN Filtering (Optional) 65-16 Configuring Destination Port Permit Lists (Optional) 65-17 Configuring the Egress SPAN Mode (Optional) 65-18 Configuring Local SPAN 65-19 Configuring RSPAN 65-23 Configuring ERSPAN 65-29 Configuring Source VLAN Filtering in Global Configuration Mode 65-33 Verifying the Configuration 65-34 Configuration Examples 65-3466

CHAPTER

Configuring SNMP IfIndex Persistence Understanding SNMP IfIndex Persistence

66-1 66-1

Configuring SNMP IfIndex Persistence 66-2 Enabling SNMP IfIndex Persistence Globally 66-2 Disabling SNMP IfIndex Persistence Globally 66-2 Enabling and Disabling SNMP IfIndex Persistence on Specific Interfaces 66-3 Clearing SNMP IfIndex Persistence Configuration from a Specific Interface 66-367

CHAPTER

Using Top-N Reports

67-1

Understanding Top-N Reports 67-1 Top-N Reports Overview 67-1 Understanding Top-N Reports Operation Using Top-N Reports 67-2 Enabling Top-N Reports Creation Displaying Top-N Reports 67-3 Clearing Top-N Reports 67-46867-3

67-2

CHAPTER

Using the Layer 2 Traceroute Utility Usage Guidelines68-2

68-1 68-1

Understanding the Layer 2 Traceroute Utility


xxxiv

OL-13013-06

Contents

Using the Layer 2 Traceroute Utility69

68-3

CHAPTER

Using the Mini Protocol Analyzer

69-1 69-1

Understanding How the Mini Protocol Analyzer Works Configuring the Mini Protocol Analyzer 69-2 Filtering the Packets to be Captured 69-3 Starting and Stopping a Capture69-4 69-6

Displaying and Exporting the Capture Buffer

Mini Protocol Analyzer Configuration, Operation, and Display Examples General Configuration Examples 69-7 Filtering Configuration Examples 69-8 Operation Examples 69-9 Display Examples 69-912

69-7

PART

AppendixesA

APPENDIX

Online Diagnostic Tests

A-1

Global Health-Monitoring Tests A-2 TestEARLInternalTables A-2 TestSPRPInbandPing A-3 TestScratchRegister A-3 TestMacNotification A-4 TestErrorCounterMonitor A-4 TestLtlFpoeMemoryConsistency A-5 TestMgmtPortsLoopback A-5 TestDataPortLoopback A-6 Per-Port Tests A-6 TestNonDisruptiveLoopback A-7 TestLoopback A-7 TestActiveToStandbyLoopback A-8 TestUnusedPortLoopback A-8 TestTransceiverIntegrity A-9 TestNetflowInlineRewrite A-9 TestPortTxMonitoring A-10 TestSnrMonitoring A-10 TestDCPLoopback A-11 TestCCPLoopback A-11 TestNPLoopback A-12 TestMediaLoopback A-13Cisco IOS Software Configuration Guide, Release 12.2SX OL-13013-06

xxxv

Contents

PFC Layer 2 Forwarding Engine Tests A-13 TestNewIndexLearn A-13 TestDontConditionalLearn A-14 TestBadBpduTrap A-14 TestMatchCapture A-15 TestStaticEntry A-15 DFC Layer 2 Forwarding Engine Tests A-16 TestDontLearn A-16 TestNewLearn A-16 TestIndexLearn A-17 TestConditionalLearn A-18 TestTrap A-18 TestBadBpdu A-19 TestProtocolMatchChannel A-19 TestCapture A-20 TestStaticEntry A-20 PFC Layer 3 Forwarding Engine Tests TestFibDevices A-21 TestIPv4FibShortcut A-22 TestIPv6FibShortcut A-22 TestMPLSFibShortcut A-23 TestNATFibShortcut A-23 TestL3Capture2 A-24 TestAclPermit A-24 TestAclDeny A-25 TestNetflowShortcut A-25 TestQoS A-26 DFC Layer 3 Forwarding Engine Tests TestFibDevices A-26 TestIPv4FibShortcut A-27 TestIPv6FibShortcut A-28 TestMPLSFibShortcut A-28 TestNATFibShortcut A-29 TestL3Capture2 A-29 TestAclPermit A-30 TestAclDeny A-30 TestQoS A-31 TestNetflowShortcut A-31 TestAclFpgaMonitor A-32A-21

A-26


xxxvi

OL-13013-06

Contents

Replication Engine Tests A-32 TestL3VlanMet A-32 TestIngressSpan A-33 TestEgressSpan A-33 Fabric Tests A-34 TestFabricSnakeForward A-34 TestFabricSnakeBackward A-34 TestSynchedFabChannel A-35 TestFabricCh0Health A-36 TestFabricCh1Health A-36 Exhaustive Memory Tests A-36 TestFibTcamSSRAM A-37 TestAsicMemory A-37 TestAclQosTcam A-38 TestNetflowTcam A-38 TestQoSTcam A-39 IPSEC Services Modules Tests A-39 TestIPSecClearPkt A-39 TestHapiEchoPkt A-40 TestIPSecEncryptDecryptPkt A-40 Stress Tests A-41 TestTrafficStress A-41 TestEobcStressPing A-41 TestMicroburst A-42 Critical Recovery Tests A-42 TestL3HealthMonitoring A-42 TestTxPathMonitoring A-43 TestSynchedFabChannel A-43 General Tests A-44 ScheduleSwitchover A-44 TestFirmwareDiagStatus A-44 TestCFRW A-45B

APPENDIX

Acronyms

B-1

INDEX


xxxvii

Contents


xxxviii

OL-13013-06

PrefaceThis preface describes who should read the Cisco IOS Software Configuration Guide, Release 12.2SX , and its document conventions.

AudienceThis guide is for experienced network administrators who are responsible for configuring and maintaining the switches supported in Cisco IOS Release 12.2SX.

Related DocumentationThe following publications are available for Cisco IOS Release 12.2SX:

Catalyst 6500 Series Switch Installation Guide Catalyst 6500 Series Switch Module Installation Guide Cisco IOS Master Command List, Release 12.2SX Catalyst 6500 Series Switch Cisco IOS System Message Guide, Release 12.2SX Release Notes for Cisco IOS Release 12.2SX Cisco IOS Configuration Guides and Command References: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html For information about MIBs, go to this URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

ConventionsThis document uses the following conventions: Convention boldface font italic font Description Commands, command options, and keywords are in boldface. Arguments for which you supply values are in italics.


xxxix

Preface

Convention [ ] {x|y|z} [x|y|z] stringscreen

Description Elements in square brackets are optional. Alternative keywords are grouped in braces and separated by vertical bars. Optional alternative keywords are grouped in brackets and separated by vertical bars. A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.

font

Terminal sessions and information the system displays are in screen font. Information you must enter is in boldface screen font. Arguments for which you supply values are in italic screen font.This pointer highlights an important line of text in an example.

boldface screen

fontitalic screen

font

^

The symbol ^ represents the key labeled Controlfor example, the key combination ^D in a screen display means hold down the Control key while you press the D key. Nonprinting characters, such as passwords are in angle brackets.

< >

Notes use the following conventions:

Note

Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication. Cautions use the following conventions:

Caution

Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Obtaining Documentation, Obtaining Support, and Security GuidelinesFor information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly Whats New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Tip

For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html


xl

OL-13013-06

C H A P T E R

1

Product OverviewThis chapter consists of these sections:

Supported Hardware and Software, page 1-1 User Interfaces, page 1-5 Software Features Supported in Hardware by the PFC and DFC, page 1-6

Tip


Supported Hardware and SoftwareFor complete information about the chassis, modules, and software features supported by Cisco IOS Release 12.2SX, see the Release Notes for Cisco IOS Release 12.2SX: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html These sections describe the ports and flash memory devices on the supervisor engines:

Understanding Supervisor Engine 720-10GE Memory Devices and Ports, page 1-1 Understanding Supervisor Engine 720 Memory Devices and Ports, page 1-2 Understanding Supervisor Engine 32 Memory Devices and Ports, page 1-4 Understanding ME6500 Flash Memory Devices and Ports, page 1-5

Understanding Supervisor Engine 720-10GE Memory Devices and PortsThese sections describe the Supervisor Engine 720-10GE memory devices and ports:

Supervisor Engine 720-10GE Flash Memory Devices, page 1-2 Supervisor Engine 720-10GE Ports, page 1-2


1-1

Chapter 1 Supported Hardware and Software

Product Overview

Supervisor Engine 720-10GE Flash Memory DevicesThe Supervisor Engine 720-10GE has these flash memory devices:

disk0: (active) and slavedisk0: (standby): External CompactFlash Type II slots For CompactFlash Type II flash PC cards sold by Cisco Systems, Inc.

sup-bootdisk: (active) and slavesup-bootdisk: (standby): Switch processor (SP) 1-GB internal CompactFlash flash memory From SP ROMMON, it is bootdisk: Not accessible from route processor (RP) ROMMON

bootflash: (active) and slave-bootflash: (standby): RP 64-MB internal flash memory Not accessible from SP ROMMON

Supervisor Engine 720-10GE PortsThe Supervisor Engine 720-10GE has these ports:

Console portEIA/TIA-232 (RS-232) port Ports 1 and 2 Gigabit Ethernet SFP (fiber or 10/100/1000 Mbps RJ-45) Fast Ethernet SFP

Port 310/100/1000 Mbps RJ-45 Ports 4 and 510-Gigabit Ethernet X2

Note

The 1-Gigabit Ethernet ports and the 10-Gigabit Ethernet ports have the same QoS port architecture (2q4t/1p3q4t) unless you disable the 1-Gigabit Ethernet ports with the mls qos 10g-only global configuration command. With the 1-Gigabit Ethernet ports disabled, the QoS port architecture of the 10-Gigabit Ethernet ports is 8q4t/1p7q4t. See the Configuring Optional Interface Features section on page 9-6 for information about configuring the ports.

Understanding Supervisor Engine 720 Memory Devices and PortsThese sections describe the Supervisor Engine 720 memory devices and ports:

Supervisor Engine 720 Flash Memory Devices, page 1-3 Configuring Supervisor Engine 720 Ports, page 1-3


1-2

OL-13013-06

Chapter 1

Product Overview Supported Hardware and Software

Supervisor Engine 720 Flash Memory DevicesThe Supervisor Engine 720 has these flash memory devices:

disk0: and disk1: (active) and slavedisk0: and slavedisk1: (standby): External CompactFlash Type II slots For CompactFlash Type II flash PC cards sold by Cisco Systems, Inc.

sup-bootflash: (active) and slavesup-bootflash: (standby): Switch processor (SP) 64-MB internal flash memory From SP ROMMON, it is bootflash: Not accessible from route processor (RP) ROMMON

With WS-CF-UPG=, sup-bootdisk: (active) and slavesup-bootflash: (standby): SP 512-MB internal CompactFlash flash memory From SP ROMMON, it is bootdisk: Not accessible from RP ROMMON See this publication for more information:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_1727 7.html


Configuring Supervisor Engine 720 PortsThe Supervisor Engine 720 has these ports:

Port 1Small form-factor pluggable (SFP); no unique configuration options. Port 2 RJ-45 connector and an SFP connector (default). To use the RJ-45 connector, you must change the configuration. To configure port 2 on a Supervisor Engine 720 to use either the RJ-45 connector or the SFP connector, perform this task:

CommandStep 1 Step 2Router(config)# interface gigabitethernet slot/2 Router(config-if)# media-type {rj45 | sfp}

Purpose Selects the Ethernet port to be configured. Selects the connector to use.

This example shows how to configure port 2 on a Supervisor Engine 720 in slot 5 to use the RJ-45 connector:Router(config)# interface gigabitethernet 5/2 Router(config-if)# media-type rj45

See the Configuring Optional Interface Features section on page 9-6 for more information about configuring the ports.


1-3

Chapter 1 Supported Hardware and Software

Product Overview

Understanding Supervisor Engine 32 Memory Devices and PortsThese sections describe the Supervisor Engine 32 memory devices and ports:

Supervisor Engine 32 Flash Memory Devices, page 1-4 Supervisor Engine 32 Ports, page 1-4

Note

Supervisor Engine 32 does not support switch fabric connectivity.

Supervisor Engine 32 Flash Memory DevicesThe Supervisor Engine 32 has these flash memory devices:

disk0: (active) and slavedisk0: (standby): External CompactFlash Type II slots For CompactFlash Type II flash PC cards sold by Cisco Systems, Inc.

sup-bootdisk: (active) and slavesup-bootflash: (standby): Switch processor (SP) 256-MB internal CompactFlash flash memory From SP ROMMON, it is bootdisk: Not accessible from route processor (RP) ROMMON


Supervisor Engine 32 PortsThe Supervisor Engine 32 has these ports:

Console portEIA/TIA-232 (RS-232) port Two Universal Serial Bus (USB) 2.0 portsNot currently enabled WS-SUP32-GE-3B: Ports 1 through 8Small form-factor pluggable (SFP) Port 910/100/1000 Mbps RJ-45

WS-SUP32-10GE: Ports 1 and 210-Gigabit Ethernet XENPAK Port 310/100/1000 Mbps RJ-45

See the Configuring Optional Interface Features section on page 9-6 for information about configuring the ports.


1-4

OL-13013-06

Chapter 1

Product Overview User Interfaces

Understanding ME6500 Flash Memory Devices and PortsThese sections describe the Cisco ME6500 series Ethernet switch memory devices and ports:

ME6500 Flash Memory Devices, page 1-5 ME6500 Ports, page 1-5

ME6500 Flash Memory DevicesThe ME6500 has these flash memory devices:

disk0: One external CompactFlash Type II slot Supports CompactFlash Type II flash PC cards

sup-bootflash: Switch processor (SP) 128 MB internal CompactFlash flash memory From SP ROMMON, it is bootflash: Not accessible from route processor (RP) ROMMON

bootflash: RP 64-MB internal flash memory Not accessible from SP ROMMON

ME6500 PortsThe ME6500 has these ports:

ME-C6524GS-8S and ME-C6524GT-8S Ports 2532: Gigabit Ethernet SFP Requires Gigabit Ethernet SFPs

ME-C6524GS-8S Ports 124: Gigabit Ethernet SFP Requires Gigabit Ethernet SFPs

ME-C6524GT-8SPorts 124: 10/100/1000 Mbps RJ-45 Ethernet ports

User InterfacesRelease 12.2SX supports configuration using the following interfaces:

CLISee Chapter 2, Command-Line Interfaces. SNMPSee the Release 12.2 IOS Configuration Fundamentals Configuration Guide and Command Reference at this URL: http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/ffun_c.html


1-5

Chapter 1 Software Features Supported in Hardware by the PFC and DFC

Product Overview

Cisco IOS web browser interfaceSee Using the Cisco Web Browser in the IOS Configuration Fundamentals Configuration Guide at this URL: http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf005.html

Software Features Supported in Hardware by the PFC and DFCThe PFC3 and DFC3 provide hardware support for these Cisco IOS software features:

Access Control Lists (ACLs) for Layer 3 ports and VLAN interfaces: Permit and deny actions of input and output standard and extended ACLs

Note

Flows that require ACL logging are processed in software on the route processor (RP).

Except on MPLS interfaces, reflexive ACL flows after the first packet in a session is processed

in software on the RP Dynamic ACL flows

Note

Idle timeout is processed in software on the RP.

For more information about PFC and DFC support for ACLs, see Chapter 46, Understanding Cisco IOS ACL Support. For complete information about configuring ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2, Traffic Filtering and Firewalls, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfacls.html

Bidirectional Protocol Independent Multicast (PIM) in hardwareSee Understanding IPv4 Bidirectional PIM section on page 35-9. IPv4 Multicast over point-to-point generic route encapsulation (GRE) TunnelsSee the publication at this URL: http://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.html Multiple-path Unicast Reverse Path Forwarding (RPF) CheckTo configure Unicast RPF Check, see the Configuring Unicast Reverse Path Forwarding Check section on page 44-2. Except on MPLS interfaces, Network Address Translation (NAT) for IPv4 unicast and multicast traffic. Note the following information about hardware-assisted NAT: NAT of UDP traffic is not supported in PFC3A mode. The PFC3 does not support NAT of multicast traffic. The PFC3 does not support NAT configured with a route-map that specifies length. When you configure NAT and NDE on an interface, the PFC3 sends all traffic in fragmented

packets to the RP to be processed in software. (CSCdz51590) To configure NAT, see the Cisco IOS IP Configuration Guide, Release 12.2, IP Addressing and Services, Configuring IP Addressing, Configuring Network Address Translation, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfipadr.html


1-6

OL-13013-06

Chapter 1

Product Overview Software Features Supported in Hardware by the PFC and DFC

To prevent a significant volume of NAT traffic from being sent to the RP, due to either a DoS attack or a misconfiguration, enter the mls rate-limit unicast acl {ingress | egress} command described at this URL: http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_m2.html#mls_rate-limit_u nicast_acl (CSCea23296)

NetFlow AggregationSee this URL: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/netfl ow.html#NetFlow_Aggregation

Policy-based routing (PBR) for route-map sequences that use the match ip address, set ip next-hop, and ip default next-hop PBR keywords. To configure PBR, see the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2, Classification, Configuring Policy-Based Routing, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_C onfiguration_Guide_Chapter.html

Note

If the RP address falls within the range of a PBR ACL, traffic addressed to the RP is policy routed in hardware instead of being forwarded to the RP. To prevent policy routing of traffic addressed to the RP, configure PBR ACLs to deny traffic addressed to the RP.

Except on MPLS interfaces, TCP interceptTo configure TCP intercept, see the Configuring TCP Intercept section on page 44-2.

Note

The PFC3 does not provide hardware acceleration for tunnels configured with the tunnel key command.

GRE Tunneling and IP in IP TunnelingThe PFC3 and DFC3s support the following tunnel commands: tunnel destination tunnel mode gre tunnel mode ipip tunnel source tunnel ttl tunnel tos

Other supported types of tunneling run in software on the RP. The tunnel ttl command (default 255) sets the TTL of encapsulated packets. The tunnel tos command, if present, sets the ToS byte of a packet when it is encapsulated. If the tunnel tos command is not present and QoS is not enabled, the ToS byte of a packet sets the ToS byte of the packet when it is encapsulated. If the tunnel tos command is not present and QoS is enabled, the ToS byte of a packet as modified by PFC QoS sets the ToS byte of the packet when it is encapsulated. To configure GRE Tunneling and IP in IP Tunneling, see these publications: http://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.html http://www.cisco.com/en/US/docs/ios/12_2/interface/command/reference/irfshoip.html


1-7

Chapter 1 Software Features Supported in Hardware by the PFC and DFC

Product Overview

To configure the tunnel tos and tunnel ttl commands, see this publication for more information: http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_tos.html Note the following information about tunnels: Each hardware-assisted tunnel must have a unique source. Hardware-assisted tunnels cannot

share a source even if the destinations are different. Use secondary addresses on loopback interfaces or create multiple loopback interfaces. Failure to use unique source addresses may result in control plane failures when software path congestion occurs. (CSCdy72539) Each tunnel interface uses one internal VLAN. Each tunnel interface uses one additional router MAC address entry per router MAC address. The PFC3A does not support any PFC QoS features on tunnel interfaces. Other PFC versions support PFC QoS features on tunnel interfaces. The RP supports tunnels configured with egress features on the tunnel interface. Examples of

egress features are output Cisco IOS ACLs, NAT (for inside to outside translation), TCP intercept, and encryption.

VLAN ACLs (VACLs)To configure VACLs, see Chapter 48, Configuring Port ACLs and VLAN ACLs.


1-8

OL-13013-06

PA R T

1

Configuration Fundamentals

C H A P T E R

2

Command-Line InterfacesThis chapter describes the command-line interfaces (CLIs) you use to configure the switches supported by Cisco IOS Release 12.2SX.

Note

For complete syntax and usage information for the commands used in this chapter, see these publications:

The Cisco IOS Master Command List, Release 12.2SX, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html The Release 12.2 publications at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuratio n_guides_list.html

Tip


This chapter consists of these sections:

Accessing the CLI, page 2-2 Performing Command Line Processing, page 2-3 Performing History Substitution, page 2-4 Cisco IOS Command Modes, page 2-4 Displaying a List of Cisco IOS Commands and Syntax, page 2-5 Securing the CLI, page 2-6 ROM-Monitor Command-Line Interface, page 2-7


2-1

Chapter 2 Accessing the CLI


Accessing the CLIThese sections describe accessing the CLI:

Accessing the CLI through the EIA/TIA-232 Console Interface, page 2-2 Accessing the CLI through Telnet, page 2-2

Accessing the CLI through the EIA/TIA-232 Console InterfaceNote

EIA/TIA-232 was known as recommended standard 232 (RS-232) before its acceptance as a standard by the Electronic Industries Alliance (EIA) and Telecommunications Industry Association (TIA). Perform initial configuration over a connection to the EIA/TIA-232 console interface. See the Catalyst 6500 Series Switch Module Installation Guide for console interface cable connection procedures. To make a console connection, perform this task:

CommandStep 1 Step 2 Step 3 Step 4

Purpose Brings up the prompt. Initiates enable mode enable. Completes enable mode enable. Exits the session when finished. After making a console connection, you see this display:Press Return for Console prompt Router> enable Password: Router#

Press Return.Router> enable Password: password Router# Router# quit

Accessing the CLI through TelnetNote

Before you can make a Telnet connection to the switch, you must configure an IP address (see the Configuring IPv4 Routing and Addresses section on page 29-4). The switch supports up to eight simultaneous Telnet sessions. Telnet sessions disconnect automatically after remaining idle for the period specified with the exec-timeout command. To make a Telnet connection to the switch, perform this task:


2-2

OL-13013-06

Chapter 2

Command-Line Interfaces Performing Command Line Processing

CommandStep 1 Step 2telnet {hostname | ip_addr}

Purpose Makes a Telnet connection from the remote host to the switch you want to access. Initiates authentication.Note

Password: password Router#

If no password has been configured, press Return.

Step 3 Step 4 Step 5

Router> enable Password: password Router# Router# quit

Initiates enable mode enable. Completes enable mode enable. Exits the session when finished.

This example shows how to open a Telnet session to the switch:unix_host% telnet Router_1 Trying 172.20.52.40... Connected to 172.20.52.40. Escape character is '^]'. User Access Verification Password: Router_1> enable Password: Router_1#

Performing Command Line ProcessingCommands are not case sensitive. You can abbreviate commands and parameters if the abbreviations contain enough letters to be different from any other currently available commands or parameters. You can scroll through the last 20 commands stored in the history buffer, and enter or edit the command at the prompt. Table 2-1 lists the keyboard shortcuts for entering and editing commands.Table 2-1 Keyboard Shortcuts

Keystrokes Press Ctrl-B or press the left arrow key1 Press Ctrl-F or press the right arrow key1 Press Ctrl-A Press Ctrl-E Press Esc B Press Esc F

Purpose Moves the cursor back one character. Moves the cursor forward one character. Moves the cursor to the beginning of the command line. Moves the cursor to the end of the command line. Moves the cursor back one word. Moves the cursor forward one word.

1. The arrow keys function only on ANSI-compatible terminals such as VT100s.


2-3

Chapter 2 Performing History Substitution


Performing History SubstitutionThe history buffer stores the last 20 commands you entered. History substitution allows you to access these commands without retyping them, by using special abbreviated commands. Table 2-2 lists the history substitution commands.Table 2-2 History Substitution Commands

Command Ctrl-P or the up arrow key.1

Purpose Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands. Returns to more recent commands in the history buffer after recalling commands with Ctrl-P or the up arrow key. Repeat the key sequence to recall successively more recent commands. While in EXEC mode, lists the last several commands you have just entered.

Ctrl-N or the down arrow key.1

Router# show history

1. The arrow keys function only on ANSI-compatible terminals such as VT100s.

Cisco IOS Command ModesNote

For complete information about Cisco IOS command modes, see the Cisco IOS Configuration Fundamentals Configuration Guide at this URL: http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/ffun_c.html

The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. To get a list of the commands in a given mode, type a question mark (?) at the system prompt. See the Displaying a List of Cisco IOS Commands and Syntax section on page 2-5. When you start a session on the switch, you begin in user mode, often called user EXEC mode. Only a limited subset of the commands are available in EXEC mode. To have access to all commands, you must enter privileged EXEC mode. Normally, you must type in a password to access privileged EXEC mode. From privileged EXEC mode, you can type in any EXEC command or access global configuration mode. The configuration modes allow you to make changes to the running configuration. If you later save the configuration, these commands are stored across reboots. You must start at global configuration mode. From global configuration mode, you can enter interface configuration mode, subinterface configuration mode, and a variety of protocol-specific modes.

Note

With Release 12.1(11b)E and later, when you are in configuration mode you can enter EXEC mode-level commands by entering the do keyword before the EXEC mode-level command.


2-4

OL-13013-06

Chapter 2

Command-Line Interfaces Displaying a List of Cisco IOS Commands and Syntax

ROM-monitor mode is a separate mode used when the switch cannot boot properly. For example, the switch might enter ROM-monitor mode if it does not find a valid system image when it is booting, or if its configuration file is corrupted at startup. See the ROM-Monitor Command-Line Interface section on page 2-7. Table 2-3 lists and describes frequently used Cisco IOS modes.Table 2-3 Frequently Used Cisco IOS Command Modes

Mode User EXEC

Description of Use

How to Access

PromptRouter>

Connect to remote devices, change Log in. terminal settings on a temporary basis, perform basic tests, and display system information. From the user EXEC mode, enter the enable command and the enable password.

Privileged EXEC (enable) Set operating parameters. The privileged command set includes the commands in user EXEC mode, as well as the configure command. Use this command to access the other command modes. Global configuration Configure features that affect the system as a whole. Many features are enabled for a particular interface. Interface commands enable or modify the operation of an interface. From the directly connected console or the virtual terminal used with Telnet, use this configuration mode to configure the console interface.

Router#

From the privileged EXEC mode, enter the configure terminal command. From global configuration mode, enter the interface type slot/port command.

Router(config)#

Interface configuration

Router(config-if)#

Console configuration

From global configuration mode, Router(config-line)# enter the line console 0 command.

The Cisco IOS command interpreter, called the EXEC, interprets and executes the commands you enter. You can abbreviate commands and keywords by entering just enough characters to make the command unique from other commands. For example, you can abbreviate the show command to sh and the configure terminal command to config t. When you type exit, the switch backs out one level. To exit configuration mode completely and return to privileged EXEC mode, press Ctrl-Z.

Displaying a List of Cisco IOS Commands and SyntaxIn any command mode, you can display a list of available commands by entering a question mark (?).Router> ?

To display a list of commands that begin with a particular character sequence, type in those characters followed by the question mark (?). Do not include a space. This form of help is called word help because it completes a word for you.Router# co?


2-5

Chapter 2 Securing the CLI


collect

configure

connect

copy

To display keywords or arguments, enter a question mark in place of a keyword or argument. Include a space before the question mark. This form of help is called command syntax help because it reminds you which keywords or arguments are applicable based on the command, keywords, and arguments you have already entered. For example:Router# configure ? memory network overwrite-network terminal Configure Configure Overwrite Configure from NV memory from a TFTP network host NV memory from TFTP network host from the terminal

To redisplay a command you previously entered, press the up arrow key or Ctrl-P. You can continue to press the up arrow key to see the last 20 commands you entered.

Tip

If you are having trouble entering a command, check the system prompt, and enter the question mark (?) for a list of available commands. You might be in the wrong command mode or using incorrect syntax. Enter exit to return to the previous mode. Press Ctrl-Z or enter the end command in any mode to immediately return to privileged EXEC mode.

Securing the CLISecuring access to the CLI prevents unauthorized users from viewing configuration settings or making configuration changes that can disrupt the stability of your network or compromise your network security. You can create a strong and flexible security scheme for your switch by configuring one or more of these security features:

Protecting access to privileged EXEC commands At a minimum, you should configure separate passwords for the user EXEC and privileged EXEC (enable) IOS command modes. You can further increase the level of security by configuring username and password pairs to limit access to CLI sessions to specific users. For more information, see Configuring Security with Passwords, Privilege Levels, and Login Usernames for CLI Sessions on Networking Devices at this URL: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_sec_4cli.html Controlling switch access with RADIUS, TACACS+, or Kerberos For a centralized and scalable security scheme, you can require users to be authenticated and authorized by an external security server running either Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access-Control System Plus (TACACS+), or Kerberos. For more information about RADIUS, see Configuring RADIUS at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrad.html For more information about TACACS+, see Configuring TACACS+ at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scftplus.html For more information about Kerberos, see Configuring Kerberos at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfkerb.html


2-6

OL-13013-06

Chapter 2

Command-Line Interfaces ROM-Monitor Command-Line Interface

Configuring a secure connection with SSH or HTTPS To prevent eavesd

Documents

Cisco IOS Software Configuration Guide