Catalyst 6000 Family Software Configuration Guide

Software Releases 6.3 and 6.4

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 526-4100

Customer Order Number: DOC-7813315= Text Part Number: 78-13315-02

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
CCIP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0208R)

Catalyst 6000 Family Software Configuration Guide
Copyright © 1999-2003, Cisco Systems, Inc. All rights reserved.

Contents

Preface  xxvii
    Audience  xxvii
    Organization  xxvii
    Conventions  xxix
    Related Documentation  xxx
    Obtaining Documentation  xxxi
    World Wide Web  xxxi
    Documentation CD-ROM  xxxi
    Ordering Documentation  xxxi
    Documentation Feedback  xxxi
    Obtaining Technical Assistance  xxxii
    Cisco.com  xxxii
    Technical Assistance Center  xxxii

CHAPTER 1  Product Overview  1-1

CHAPTER 2  Command-Line Interfaces  2-1
    Catalyst Command-Line Interface  2-1
    ROM-Monitor Command-Line Interface  2-1
    Switch Command-Line Interface  2-2
    MSFC Command-Line Interface  2-8
    Cisco IOS Command Modes  2-8
    Cisco IOS Command-Line Interface  2-10

CHAPTER 3  Configuring the Switch IP Address and Default Gateway  3-1
    Understanding the Switch Management Interfaces  3-1
    Understanding Automatic IP Configuration  3-2
    Automatic IP Configuration Overview  3-2
    Understanding How DHCP Works  3-2
    Understanding How BOOTP and RARP Work  3-3
    Booting the MSFC for the First Time  3-4
    Preparing to Configure the IP Address and Default Gateway  3-4
    Default IP Address and Default Gateway Configuration  3-5

    Assigning the In-Band (sc0) Interface IP Address  3-5
    Configuring Default Gateways  3-6
    Configuring the SLIP (sl0) Interface on the Console Port  3-7
    Using BOOTP, DHCP, or RARP to Obtain an IP Address  3-9
    Renewing and Releasing a DHCP-Assigned IP Address  3-10

CHAPTER 4  Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching  4-1
    Understanding How Ethernet Works  4-1
    Switching Frames Between Segments  4-2
    Building the Address Table  4-2
    Understanding How Port Negotiation Works  4-2
    Default Ethernet, Fast Ethernet, and Gigabit Ethernet Configuration  4-3
    Setting the Port Configuration  4-4
    Setting the Port Name  4-4
    Setting the Port Speed  4-5
    Setting the Port Duplex Mode  4-5
    Configuring IEEE 802.3Z Flow Control  4-6
    Enabling and Disabling Port Negotiation  4-7
    Changing the Default Port Enable State  4-7
    Setting the Port Debounce Timer  4-8
    Configuring a Timeout Period for Ports in errdisable State  4-9
    Configuring the Jumbo Frame Feature  4-11
    Checking Connectivity  4-13

CHAPTER 5  Configuring Ethernet VLAN Trunks  5-1
    Understanding How VLAN Trunks Work  5-1
    Trunking Overview  5-1
    Trunking Modes and Encapsulation Types  5-2
    802.1Q Trunk Restrictions  5-4
    Default Trunk Configuration  5-5
    Configuring a Trunk Link  5-5
    Configuring an ISL Trunk  5-5
    Configuring an 802.1Q Trunk  5-6
    Configuring an ISL/802.1Q Negotiating Trunk Port  5-7
    Defining the Allowed VLANs on a Trunk  5-7
    Disabling a Trunk Port  5-8

    Example VLAN Trunk Configurations  5-9
    ISL Trunk Configuration Example  5-9
    ISL Trunk Over EtherChannel Link Example  5-10
    802.1Q Trunk Over EtherChannel Link Example  5-13
    Load-Sharing VLAN Traffic Over Parallel Trunks Example  5-16
    Disabling VLAN 1 on Trunks  5-23
    Disabling VLAN 1 on a Trunk Link  5-23

CHAPTER 6  Configuring EtherChannel  6-1
    Understanding How EtherChannel Works  6-1
    Understanding Administrative Groups  6-2
    Understanding EtherChannel IDs  6-2
    Understanding Port Aggregation Protocol  6-2
    Understanding Frame Distribution  6-3
    EtherChannel Configuration Guidelines  6-4
    Configuring EtherChannel  6-5
    Configuring an EtherChannel  6-5
    Setting the EtherChannel Port Mode  6-5
    Setting the EtherChannel Port Path Cost  6-6
    Setting the EtherChannel VLAN Cost  6-6
    Configuring EtherChannel Frame Distribution  6-8
    Displaying EtherChannel Traffic Utilization  6-8
    Displaying Outgoing Ports for a Specified Address or Layer 4 Port Number  6-8
    Disabling an EtherChannel  6-9

CHAPTER 7  Configuring IEEE 802.1Q Tunneling  7-1
    Understanding How 802.1Q Tunneling Works  7-1
    802.1Q Tunneling Configuration Guidelines  7-2
    Configuring Support for 802.1Q Tunneling  7-3
    Configuring the Switch to Support 802.1Q Tunneling  7-3
    Configuring 802.1Q Tunnel Ports  7-4
    Clearing 802.1Q Tunnel Ports  7-4
    Removing Global Support for 802.1Q Tunneling  7-4

CHAPTER 8  Configuring Spanning Tree  8-1
    Understanding How Spanning Tree Protocols Work  8-1
    Understanding How a Topology is Created  8-2
    Understanding How a Switch Becomes the Root Switch  8-3

    Understanding How Bridge Protocol Data Units Work  8-3
    Spanning Tree Port States  8-4
    Understanding PVST+ and MISTP Modes  8-10
    PVST+ Mode  8-11
    MISTP Mode  8-11
    MISTP-PVST+ Mode  8-12
    Bridge Identifiers  8-12
    MAC Address Allocation  8-12
    MAC Address Reduction  8-12
    Using PVST+  8-14
    Default PVST+ Configuration  8-14
    Setting the PVST+ Bridge ID Priority  8-15
    Configuring the PVST+ Port Cost  8-16
    Configuring the PVST+ Port Priority  8-17
    Configuring the PVST+ Default Port Cost Mode  8-17
    Configuring the PVST+ Port Cost for a VLAN  8-18
    Configuring the PVST+ Port Priority for a VLAN  8-18
    Disabling the PVST+ Mode on a VLAN  8-19
    Using MISTP-PVST+ or MISTP  8-20
    Default MISTP and MISTP-PVST+ Configuration  8-21
    Setting MISTP-PVST+ Mode or MISTP Mode  8-21
    Configuring an MISTP Instance  8-23
    Enabling an MISTP Instance  8-26
    Mapping VLANs to an MISTP Instance  8-27
    Disabling MISTP-PVST+ or MISTP  8-29
    Configuring a Root Switch  8-29
    Configuring a Primary Root Switch  8-29
    Configuring a Secondary Root Switch  8-30
    Configuring a Root Switch to Improve Convergence  8-31
    Using Root Guard—Preventing Switches from Becoming Root  8-32
    Configuring Spanning Tree Timers  8-33
    Configuring the Hello Time  8-33
    Configuring the Forward Delay Time  8-34
    Configuring the Maximum Aging Time  8-34
    Understanding How BPDU Skewing Works  8-35
    Configuring BPDU Skewing  8-36

CHAPTER 9  Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard  9-1
    Understanding How PortFast Works  9-2
    Understanding How PortFast BPDU Guard Works  9-2
    Understanding How PortFast BPDU Filter Works  9-2
    Understanding How UplinkFast Works  9-2
    Understanding How BackboneFast Works  9-4
    Understanding How Loop Guard Works  9-5
    Configuring PortFast  9-7
    Enabling PortFast  9-8
    Disabling PortFast  9-8
    Configuring PortFast BPDU Guard  9-9
    Enabling PortFast BPDU Guard  9-9
    Disabling PortFast BPDU Guard  9-10
    Configuring PortFast BPDU Filter  9-11
    Enabling PortFast BPDU Filter  9-11
    Disabling PortFast BPDU Filter  9-12
    Configuring UplinkFast  9-13
    Enabling UplinkFast  9-13
    Disabling UplinkFast  9-14
    Configuring BackboneFast  9-15
    Enabling BackboneFast  9-15
    Displaying BackboneFast Statistics  9-16
    Disabling BackboneFast  9-16
    Configuring Loop Guard  9-17
    Enabling Loop Guard  9-17
    Disabling Loop Guard  9-17

CHAPTER 10  Configuring VTP  10-1
    Understanding How VTP Works  10-1
    Understanding the VTP Domain  10-2
    Understanding VTP Modes  10-2
    Understanding VTP Advertisements  10-2
    Understanding VTP Version 2  10-3
    Understanding VTP Pruning  10-3
    Default VTP Configuration  10-5
    VTP Configuration Guidelines  10-5

    Configuring VTP  10-6
    Configuring a VTP Server  10-6
    Configuring a VTP Client  10-6
    Disabling VTP (VTP Transparent Mode)  10-7
    Enabling VTP Version 2  10-8
    Disabling VTP Version 2  10-9
    Enabling VTP Pruning  10-9
    Disabling VTP Pruning  10-10
    Displaying VTP  10-10

CHAPTER 11  Configuring VLANs  11-1
    Understanding How VLANs Work  11-1
    VLAN Ranges  11-2
    Configurable VLAN Parameters  11-3
    Default VLAN Configuration  11-4
    Configuring Normal-Range VLANs  11-5
    Normal-Range VLAN Configuration Guidelines  11-5
    Creating Normal-Range VLANs  11-5
    Modifying Normal-Range VLANs  11-6
    Configuring Extended-Range VLANs  11-6
    Extended-Range VLAN Configuration Guidelines  11-7
    Creating Extended-Range VLANs  11-7
    Mapping VLANs to VLANs  11-8
    Mapping Reserved VLANs to Nonreserved VLANs  11-9
    Deleting Reserved-to-Nonreserved VLAN Mappings  11-10
    Mapping 802.1Q VLANs to ISL VLANs  11-10
    Deleting 802.1Q-to-ISL VLAN Mappings  11-11
    Assigning Switch Ports to a VLAN  11-12
    Deleting a VLAN  11-13
    Configuring Private VLANs  11-13
    Understanding How Private VLANs Work  11-14
    Private VLAN Configuration Guidelines  11-15
    Creating a Primary Private VLAN  11-18
    Viewing the Port Capability of a Private VLAN Port  11-21
    Deleting a Private VLAN  11-22
    Deleting an Isolated, Community, or Two-Way Community VLAN  11-22
    Deleting a Private VLAN Mapping  11-23
    Private VLAN Support on the MSFC  11-23

    Configuring FDDI VLANs  11-24
    Configuring Token Ring VLANs  11-24
    Understanding Token Ring TrBRF VLANs  11-25
    Understanding Token Ring TrCRF VLANs  11-25
    Token Ring VLAN Configuration Guidelines  11-27
    Creating or Modifying a Token Ring TrBRF VLAN  11-27
    Creating or Modifying a Token Ring TrCRF VLAN  11-28

CHAPTER 12  Configuring InterVLAN Routing  12-1
    Understanding How InterVLAN Routing Works  12-1
    Configuring InterVLAN Routing on the MSFC  12-2
    MSFC Routing Configuration Guidelines  12-2
    Configuring IP InterVLAN Routing on the MSFC  12-3
    Configuring IPX InterVLAN Routing on the MSFC  12-3
    Configuring AppleTalk InterVLAN Routing on the MSFC  12-4
    Configuring MSFC Features  12-4

CHAPTER 13  Configuring CEF for PFC2  13-1
    Understanding How Layer 3 Switching Works  13-1
    Layer 3 Switching Overview  13-2
    Understanding Layer 3-Switched Packet Rewrite  13-2
    Understanding CEF for PFC2  13-4
    Understanding NetFlow Statistics  13-9
    Default CEF for PFC2 Configuration  13-10
    CEF for PFC2 Configuration Guidelines and Restrictions  13-11
    Configuring CEF for PFC2  13-12
    Displaying Layer 3-Switching Entries on the Supervisor Engine  13-12
    Configuring CEF on the MSFC2  13-14
    Configuring IP Multicast on the MSFC2  13-14
    Displaying IP Multicast Information  13-16
    Configuring NetFlow Statistics  13-22
    Specifying the NetFlow Table Entry Aging-Time Value  13-23
    Specifying NetFlow Table IP Entry Fast Aging Time and Packet Threshold Values  13-24
    Setting the Minimum Statistics Flow Mask  13-24
    Excluding IP Protocol Entries from the NetFlow Table  13-25
    Displaying NetFlow Statistics  13-25
    Clearing NetFlow IP and IPX Statistics  13-26
    Displaying NetFlow Statistics Debug Information  13-28

CHAPTER 14  Configuring MLS  14-1
    Understanding How Layer 3 Switching Works  14-1
    Understanding Layer 3-Switched Packet Rewrite  14-2
    Understanding MLS  14-4
    Default MLS Configuration  14-10
    Configuration Guidelines and Restrictions  14-11
    IP MLS  14-11
    IP MMLS  14-12
    IPX MLS  14-13
    Configuring MLS  14-14
    Configuring Unicast MLS on the MSFC  14-14
    Configuring MLS on Supervisor Engine 1  14-17
    Configuring IP MMLS  14-28

CHAPTER 15  Configuring NDE  15-1
    Understanding How NDE Works  15-1
    Overview of NDE and Integrated Layer 3 Switching Management  15-1
    Traffic Statistics Data Collection  15-2
    Using NDE Filters  15-3
    Default NDE Configuration  15-3
    Configuring NDE  15-3
    Usage Guidelines  15-4
    Specifying an NDE Collector  15-4
    Specifying an NDE Destination Address on the MSFC  15-5
    Specifying an NDE Source Address on the MSFC  15-5
    Enabling NDE  15-6
    Specifying a Destination Host Filter  15-6
    Specifying a Destination and Source Subnet Filter  15-6
    Specifying a Destination TCP/UDP Port Filter  15-7
    Specifying a Source Host and Destination TCP/UDP Port Filter  15-7
    Specifying a Protocol Filter  15-8
    Specifying Protocols for Statistics Collection  15-8
    Removing Protocols for Statistics Collection  15-8
    Clearing the NDE Flow Filter  15-9
    Disabling NDE  15-9
    Removing the NDE IP Address  15-9
    Displaying the NDE Configuration  15-10

CHAPTER 16  Configuring Access Control  16-1
    Hardware Requirements  16-1
    Understanding How ACLs Work  16-2
    Supported ACLs  16-2
    QoS ACLs  16-2
    Cisco IOS ACLs  16-3
    VACLs  16-3
    Applying Cisco IOS ACLs and VACLs on VLANs  16-7
    Bridged Packets  16-7
    Routed Packets  16-7
    Multicast Packets  16-8
    Using Cisco IOS ACLs in your Network  16-9
    Hardware and Software Handling of Cisco IOS ACLs with PFC  16-10
    Hardware and Software Handling of Cisco IOS ACLs with PFC2  16-12
    Using VACLs with Cisco IOS ACLs  16-15
    Guidelines for Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface  16-16
    Guidelines for Using Layer 4 Operations  16-20
    Using VACLs in your Network  16-22
    Wiring Closet Configuration  16-22
    Redirecting Broadcast Traffic to a Specific Server Port  16-23
    Restricting the DHCP Response for a Specific Server  16-24
    Denying Access to a Server on Another VLAN  16-25
    Restricting ARP Traffic  16-26
    Configuring ACLs on Private VLANs  16-26
    Capturing Traffic Flows  16-27
    Unsupported Features  16-27
    Configuring VACLs  16-28
    VACL Configuration Guidelines  16-28
    VACL Configuration Summary  16-29
    Configuring VACLs From the CLI  16-29
    Configuring and Storing VACLs and QoS ACLs in Flash Memory  16-42
    Automatically Moving the VACL and QoS ACL Configuration to Flash Memory  16-43
    Manually Moving the VACL and QoS ACL Configuration to Flash Memory  16-44
    Running with the VACL and QoS ACL Configuration in Flash Memory  16-45
    Moving the VACL and QoS ACL Configuration Back to NVRAM  16-46
    Redundancy Synchronization Support  16-46
    Interacting with High Availability  16-46

    Configuring Policy-Based Forwarding  16-46
    Hardware and Software Requirements  16-47
    Understanding How Policy-Based Forwarding Works  16-47
    Configuring Policy-Based Forwarding  16-48
    Enabling PBF and Specifying a MAC Address for the PFC2  16-48
    Configuring VACLs for PBF  16-50
    Displaying PBF Information  16-52
    Clearing Entries in PBF VACLs  16-52
    Rolling Back Adjacency Table Entries in the Edit Buffer  16-53
    Configuring Hosts for PBF  16-53
    Policy-Based Forwarding Configuration Example  16-55

CHAPTER 17  Configuring GVRP  17-1
    Understanding How GVRP Works  17-1
    Default GVRP Configuration  17-2
    GVRP Configuration Guidelines  17-2
    Configuring GVRP  17-2
    Enabling GVRP Globally  17-3
    Enabling GVRP on Individual 802.1Q Trunk Ports  17-3
    Enabling GVRP Dynamic VLAN Creation  17-4
    Configuring GVRP Registration  17-5
    Configuring GVRP VLAN Declarations from Blocking Ports  17-6
    Setting the GARP Timers  17-7
    Displaying GVRP Statistics  17-8
    Clearing GVRP Statistics  17-8
    Disabling GVRP on Individual 802.1Q Trunk Ports  17-8
    Disabling GVRP Globally  17-9

CHAPTER 18  Configuring Dynamic Port VLAN Membership with VMPS  18-1
    Understanding How VMPS Works  18-1
    Default VMPS and Dynamic Port Configuration  18-2
    Dynamic Port VLAN Membership and VMPS Configuration Guidelines  18-3
    Configuring VMPS and Dynamic Port VLAN Membership  18-3
    Creating the VMPS Database  18-4
    Configuring VMPS  18-5
    Configuring Dynamic Ports on VMPS Clients  18-5
    Administering and Monitoring VMPS  18-6
    Configuring Static VLAN Port Membership  18-7

    Troubleshooting VMPS and Dynamic Port VLAN Membership  18-8
    Troubleshooting VMPS  18-8
    Troubleshooting Dynamic Port VLAN Membership  18-8
    Dynamic Port VLAN Membership with VMPS Configuration Examples  18-9
    VMPS Database Configuration File Example  18-9
    Dynamic Port VLAN Membership Configuration Example  18-10
    Dynamic Port VLAN Membership with Auxiliary VLANs  18-12
    Configuration Guidelines  18-13
    Configuring Dynamic Port VLAN Membership with Auxiliary VLANs  18-13

CHAPTER 19  Checking Port Status and Connectivity  19-1
    Checking Module Status  19-1
    Checking Port Status  19-2
    Checking Port Capabilities  19-4
    Using Telnet  19-4
    Using Secure Shell Encryption for Telnet Sessions  19-5
    Monitoring User Sessions  19-6
    Using Ping  19-7
    Understanding How Ping Works  19-7
    Executing Ping  19-8
    Using Layer 2 Traceroute  19-9
    Layer 2 Traceroute Usage Guidelines  19-9
    Identifying a Layer 2 Path  19-10
    Using IP Traceroute  19-10
    Understanding How IP Traceroute Works  19-10
    Executing IP Traceroute  19-11

CHAPTER 20  Administering the Switch  20-1
    Setting the System Name and System Prompt  20-1
    Setting the Static System Name and Prompt  20-2
    Setting the System Contact and Location  20-3
    Setting the System Clock  20-4
    Creating a Login Banner  20-4
    Configuring a Login Banner  20-5
    Clearing the Login Banner  20-5
    Defining Command Aliases  20-5
    Defining IP Aliases  20-6

    Configuring Static Routes  20-7
    Configuring Permanent and Static ARP Entries  20-8
    Scheduling a System Reset  20-9
    Scheduling a Reset at a Specific Time  20-10
    Scheduling a Reset Within a Specified Amount of Time  20-10
    Power Management  20-11
    Enabling or Disabling Power Redundancy  20-11
    Using the CLI to Power Modules Up or Down  20-13
    Determining System Power Requirements  20-14
    Environmental Monitoring  20-16
    Environmental Monitoring Using CLI Commands  20-16
    LED Indications  20-16
    Displaying System Status Information for Technical Support  20-17
    Generating a System Status Report  20-18
    Using System Dump Files  20-18

CHAPTER 21  Configuring Switch Access Using AAA  21-1
    Understanding How Authentication Works  21-1
    Authentication Overview  21-2
    Understanding How Login Authentication Works  21-2
    Understanding How Local Authentication Works  21-2
    Understanding How TACACS+ Authentication Works  21-3
    Understanding How RADIUS Authentication Works  21-4
    Understanding How Kerberos Authentication Works  21-4
    Understanding How 802.1x Authentication Works  21-7
    Configuring Authentication  21-9
    Authentication Default Configuration  21-10
    Authentication Configuration Guidelines  21-11
    Configuring Login Authentication  21-12
    Configuring Local Authentication  21-13
    Configuring TACACS+ Authentication  21-17
    Configuring RADIUS Authentication  21-23
    Configuring Kerberos Authentication  21-31
    Configuring 802.1x Authentication  21-40
    Authentication Example  21-48
    Understanding How Authorization Works  21-49
    Authorization Overview  21-49
    Authorization Events  21-49
    TACACS+ Primary Options and Fallback Options  21-50

    TACACS+ Command Authorization  21-50
    RADIUS Authorization  21-51
    Configuring Authorization  21-51
    TACACS+ Authorization Default Configuration  21-51
    TACACS+ Authorization Configuration Guidelines  21-51
    Configuring TACACS+ Authorization  21-52
    Configuring RADIUS Authorization  21-55
    Authorization Example  21-55
    Understanding How Accounting Works  21-56
    Accounting Overview  21-56
    Accounting Events  21-57
    Specifying When to Create Accounting Records  21-57
    Specifying RADIUS Servers  21-58
    Updating the Server  21-59
    Suppressing Accounting  21-59
    Configuring Accounting  21-59
    Accounting Default Configuration  21-59
    Accounting Configuration Guidelines  21-60
    Configuring Accounting  21-60
    Accounting Example  21-63

CHAPTER 22  Configuring Redundancy  22-1
    Understanding How Supervisor Engine Redundancy Works  22-2
    Configuring Redundant Supervisor Engines  22-3
    Synchronization Process Initiation  22-4
    Redundant Supervisor Engine Configuration Guidelines and Restrictions  22-4
    Verifying Standby Supervisor Engine Status  22-5
    Forcing a Switchover to the Standby Supervisor Engine  22-6
    High Availability  22-8
    Supervisor Engine Synchronization Examples  22-14
    MSFC Redundancy  22-18
    Dual MSFC Redundancy  22-19
    Single Router Mode Redundancy  22-41
    Manual-Mode MSFC Redundancy  22-45

CHAPTER 23  Modifying the Switch Boot Configuration  23-1
    Understanding How the Switch Boot Configuration Works  23-1
    Understanding the Boot Process  23-1
    Understanding the ROM Monitor  23-2
    Understanding the Configuration Register  23-2
    Understanding the BOOT Environment Variable  23-3
    Understanding the CONFIG_FILE Environment Variable  23-3
    Default Switch Boot Configuration  23-4
    Setting the Configuration Register  23-5
    Setting the Boot Field in the Configuration Register  23-5
    Setting the ROM-Monitor Console-Port Baud Rate  23-6
    Setting CONFIG_FILE Recurrence  23-7
    Setting CONFIG_FILE Overwrite  23-7
    Setting CONFIG_FILE Synchronization  23-8
    Setting the Switch to Ignore the NVRAM Configuration  23-9
    Setting the Configuration Register Value  23-10
    Setting the BOOT Environment Variable  23-10
    Setting the BOOT Environment Variable  23-10
    Clearing the BOOT Environment Variable Settings  23-11
    Setting the CONFIG_FILE Environment Variable  23-11
    Setting the CONFIG_FILE Environment Variable  23-11
    Clearing the CONFIG_FILE Environment Variable Settings  23-12
    Displaying the Switch Boot Configuration  23-12

CHAPTER 24  Working With the Flash File System  24-1
    Understanding How the Flash File System Works  24-1
    Working with the Flash File System  24-1
    Setting the Default Flash Device  24-2
    Setting the Text File Configuration Mode  24-2
    Listing the Files on a Flash Device  24-3
    Copying Files  24-4
    Deleting Files  24-6
    Restoring Deleted Files  24-7
    Verifying a File Checksum  24-7
    Formatting a Flash Device  24-8

CHAPTER 25  Working with System Software Images  25-1
    Software Image Naming Conventions  25-1
    Downloading Software Images to the Switch With TFTP  25-2
    Understanding How TFTP Software Image Downloads Work  25-2
    Preparing to Download an Image Using TFTP  25-2
    Downloading Supervisor Engine Images Using TFTP  25-3
    Downloading Switching Module Images Using TFTP  25-4
    TFTP Download Procedures Example  25-5
    Uploading System Software Images to a TFTP Server  25-8
    Preparing to Upload an Image to a TFTP Server  25-8
    Uploading Software Images to a TFTP Server  25-9
    Downloading System Software Images Using rcp  25-9
    Preparing to Download an Image Using rcp  25-9
    Downloading Supervisor Engine Images Using rcp  25-10
    Downloading Switching Module Images Using rcp  25-10
    Example rcp Download Procedures  25-11
    Uploading System Software Images to an rcp Server  25-14
    Preparing to Upload an Image to an rcp Server  25-15
    Uploading Software Images to an rcp Server  25-15
    Downloading Software Images Over a Serial Connection on the Console Port  25-15
    Preparing to Download an Image Using Kermit  25-16
    Downloading Software Images Using Kermit (PC Procedure)  25-16
    Downloading Software Images Using Kermit (UNIX Procedure)  25-17
    Example Serial Software Image Download Procedures  25-18
    Downloading a System Image Using Xmodem or Ymodem  25-21

CHAPTER 26  Working with Configuration Files  26-1
    Working with Configuration Files on the Switch  26-1
    Creating and Using Configuration File Guidelines  26-1
    Creating a Configuration File  26-2
    Downloading Configuration Files to the Switch Using TFTP  26-3
    Uploading Configuration Files to a TFTP Server  26-5
    Copying Configuration Files Using rcp  26-6
    Downloading Configuration Files from an rcp Server  26-6
    Uploading Configuration Files to an rcp Server  26-7
    Clearing the Configuration  26-8
Contents Working with Configuration Files on the MSFC 26-9 Uploading the Configuration File to a TFTP Server 26-10 Uploading the Configuration File to the Supervisor Engine Flash PC Card 26-11 Downloading the Configuration File from a Remote Host 26-11 Downloading the Configuration File from the Supervisor Engine Flash PC Card 26-13 27 CHAPTER Configuring System Message Logging System Log Message Format 27-3 27-1 27-1 Understanding How System Message Logging Works Default System Message Logging Configuration 27-4 Configuring System Message Logging 27-4 Enabling and Disabling Session Logging Settings 27-5 Setting the System Message Logging Levels 27-6 Enabling and Disabling the Logging Time Stamp Enable State 27-6 Setting the Logging Buffer Size 27-6 Configuring the syslog Daemon on a UNIX syslog Server 27-7 Configuring syslog Servers 27-7 Displaying the Logging Configuration 27-9 Displaying System Messages 27-10 28 CHAPTER Configuring DNS 28-1 28-1 Understanding How DNS Works DNS Default Configuration 28-1 Configuring DNS 28-2 Setting Up and Enabling DNS 28-2 Clearing a DNS Server 28-3 Clearing the DNS Domain Name 28-3 Disabling DNS 28-3 29 CHAPTER Configuring CDP 29-1 29-1 Understanding How CDP Works Default CDP Configuration 29-2 Configuring CDP 29-2 Setting the CDP Global Enable and Disable States 29-2 Setting the CDP Enable and Disable States on a Port 29-3 Setting the CDP Message Interval 29-4 Setting the CDP Holdtime 29-4 Displaying CDP Neighbor Information 29-5 Catalyst 6000 Family Software Configuration Guide.3 and 6. Releases 6.4 xviii 78-13315-02 .

4 78-13315-02 xix .3 and 6. Releases 6.Contents CHAPTER 30 Configuring UDLD 30-1 30-1 Understanding How UDLD Works Default UDLD Configuration 30-2 Configuring UDLD 30-3 Enabling UDLD Globally 30-3 Enabling UDLD on Individual Ports 30-3 Disabling UDLD on Individual Ports 30-4 Disabling UDLD Globally 30-4 Specifying the UDLD Message Interval 30-4 Enabling UDLD Aggressive Mode 30-5 Displaying the UDLD Configuration 30-5 31 CHAPTER Configuring NTP 31-1 31-1 Understanding How NTP Works NTP Default Configuration 31-2 Configuring NTP 31-2 Enabling NTP in Broadcast-Client Mode 31-3 Configuring NTP in Client Mode 31-3 Configuring Authentication in Client Mode 31-4 Setting the Time Zone 31-5 Enabling the Daylight Saving Time Adjustment 31-5 Disabling the Daylight Saving Time Adjustment 31-7 Clearing the Time Zone 31-7 Clearing NTP Servers 31-7 Disabling NTP 31-8 32 CHAPTER Configuring Broadcast Suppression 32-1 32-1 Understanding How Broadcast Suppression Works Configuring Broadcast Suppression 32-2 Enabling Broadcast Suppression 32-3 Disabling Broadcast Suppression 32-4 33 CHAPTER Configuring Layer 3 Protocol Filtering 33-1 33-1 Understanding How Layer 3 Protocol Filtering Works Default Layer 3 Protocol Filtering Configuration Configuring Layer 3 Protocol Filtering 33-2 Enabling Layer 3 Protocol Filtering 33-3 Disabling Layer 3 Protocol Filtering 33-3 33-2 Catalyst 6000 Family Software Configuration Guide.

Contents CHAPTER 34 Configuring the IP Permit List 34-1 34-1 Understanding How the IP Permit List Works IP Permit List Default Configuration 34-2 Configuring the IP Permit List 34-2 Adding IP Addresses to the IP Permit List Enabling the IP Permit List 34-3 Disabling the IP Permit List 34-4 Clearing an IP Permit List Entry 34-4 35 34-2 CHAPTER Configuring Port Security 35-1 Understanding How Port Security Works 35-1 Allowing Traffic Based on the Host MAC Address 35-1 Restricting Traffic Based on the Host MAC Address 35-2 Port Security Configuration Guidelines 35-3 Configuring Port Security 35-3 Enabling Port Security 35-3 Setting the Maximum Number of Secure MAC Addresses Setting the Port Security Age Time 35-5 Clearing MAC Addresses 35-5 Specifying the Security Violation Action 35-6 Setting the Shutdown Timeout 35-6 Disabling Port Security 35-7 Restricting Traffic Based on a Host MAC Address 35-7 Displaying Port Security 35-8 36 35-4 CHAPTER Configuring SNMP SNMP Terminology 36-1 36-1 Understanding SNMP 36-3 Security Models and Levels 36-4 SNMP ifindex Persistence Feature 36-5 36-5 Understanding How SNMPv1 and SNMPv2c Works Using Managed Devices 36-5 Using SNMP Agents and MIBs 36-5 Using CiscoWorks2000 36-6 Understanding SNMPv3 SNMP Entity 36-7 Applications 36-9 36-7 Catalyst 6000 Family Software Configuration Guide.4 xx 78-13315-02 .3 and 6. Releases 6.

Contents Configuring SNMPv1 and SNMPv2c 36-10 SNMPv1 and SNMPv2c Default Configuration 36-10 Configuring SNMPv1 and SNMPv2c from an NMS 36-10 Configuring SNMPv1 and SNMPv2c from the CLI 36-10 Configuring SNMPv3 36-11 SNMPv3 Default Configuration 36-11 Configuring SNMPv3 from an NMS 36-11 Configuring SNMPv3 from the CLI 36-12 37 CHAPTER Configuring RMON Enabling RMON 37-1 37-1 Understanding How RMON Works 37-2 37-2 Viewing RMON Data Supported RMON and RMON2 MIB Objects 38 37-2 CHAPTER Configuring SPAN and RSPAN 38-1 38-1 Understanding How SPAN and RSPAN Works SPAN Session 38-2 Destination Port 38-2 Source Port 38-2 Ingress SPAN 38-3 Egress SPAN 38-3 VSPAN 38-3 Trunk VLAN Filtering 38-4 SPAN Traffic 38-4 SPAN and RSPAN Session Limits 38-4 Configuring SPAN 38-5 SPAN Hardware Requirements 38-5 Understanding How SPAN Works 38-5 SPAN Configuration Guidelines 38-6 Configuring SPAN from the CLI 38-6 Configuring RSPAN 38-8 RSPAN Hardware Requirements 38-8 Understanding How RSPAN Works 38-9 RSPAN Configuration Guidelines 38-9 Configuring RSPAN 38-10 RSPAN Configuration Examples 38-13 Catalyst 6000 Family Software Configuration Guide.3 and 6. Releases 6.4 78-13315-02 xxi .

CHAPTER 39  Using Switch TopN Reports  39-1
    Understanding How the Switch TopN Reports Utility Works  39-1
        TopN Reports Overview  39-1
        Running Switch TopN Reports without the Background Option  39-2
        Running Switch TopN Reports with the Background Option  39-2
    Running and Viewing Switch TopN Reports  39-3

CHAPTER 40  Configuring Multicast Services  40-1
    Understanding How Multicasting Works  40-1
        Multicasting and Multicast Services Overview  40-2
        Understanding How IGMP Snooping Works  40-2
        Understanding How GMRP Works  40-4
        Understanding How RGMP Works  40-5
        Suppressing Multicast Traffic  40-5
        Nonreverse Path Forwarding Multicast Fast Drop  40-5
        Enabling Installation of Directly Connected Subnets  40-6
    Configuring IGMP Snooping  40-6
        Default IGMP Snooping Configuration  40-7
        Enabling IGMP Snooping  40-7
        Enabling IGMP Fast-Leave Processing  40-8
        Displaying Multicast Router Information  40-8
        Displaying Multicast Group Information  40-9
        Displaying IGMP Snooping Statistics  40-10
        Disabling IGMP Fast-Leave Processing  40-10
        Disabling IGMP Snooping  40-11
    Configuring GMRP  40-11
        GMRP Software Requirements  40-11
        Default GMRP Configuration  40-11
        Enabling GMRP Globally  40-12
        Enabling GMRP on Individual Switch Ports  40-12
        Disabling GMRP on Individual Switch Ports  40-13
        Enabling GMRP Forward-All Option  40-14
        Disabling GMRP Forward-All Option  40-14
        Configuring GMRP Registration  40-14
        Setting the GARP Timers  40-16
        Displaying GMRP Statistics  40-17
        Clearing GMRP Statistics  40-18
        Disabling GMRP Globally on the Switch  40-18

    Configuring Multicast Router Ports and Group Entries  40-18
        Specifying Multicast Router Ports  40-19
        Configuring Multicast Groups  40-19
        Clearing Multicast Router Ports  40-20
        Clearing Multicast Group Entries  40-20
    Configuring RGMP  40-21
        Configuring RGMP on the Supervisor Engine  40-21
        Configuring RGMP on the MSFC  40-24
    Displaying Multicast Protocol Status  40-24

CHAPTER 41  Configuring QoS  41-1
    Understanding How QoS Works  41-1
        Definitions  41-2
        Flowcharts  41-3
        QoS Feature Set Summary  41-8
        Ethernet Ingress Port Marking, Scheduling, Congestion Avoidance, and Classification  41-10
        Classification, Marking, and Policing with a Layer 3 Switching Engine  41-14
        Classification and Marking with a Layer 2 Switching Engine  41-24
        Ethernet Egress Port Scheduling, Congestion Avoidance, and Marking  41-24
        QoS Statistics Data Export  41-27
        QoS Default Configuration  41-28
    Configuring QoS  41-30
        Enabling QoS  41-31
        Enabling Port-Based or VLAN-Based QoS  41-32
        Configuring the Trust State of a Port  41-32
        Configuring the CoS Value for a Port  41-33
        Creating Policing Rules  41-34
        Deleting Policing Rules  41-36
        Creating or Modifying ACLs  41-37
        Attaching ACLs to Interfaces  41-46
        Detaching ACLs from Interfaces  41-46
        Mapping a CoS Value to a Host Destination MAC Address/VLAN Pair  41-47
        Deleting a CoS Value to a Host Destination MAC Address/VLAN Pair  41-47
        Enabling or Disabling Microflow Policing of Bridged Traffic  41-48
        Configuring Standard Receive-Queue Tail-Drop Thresholds  41-48
        Configuring 2q2t Port Standard Transmit-Queue Tail-Drop Thresholds  41-49
        Configuring Standard Transmit-Queue WRED-Drop Thresholds  41-49
        Allocating Bandwidth Between Standard Transmit Queues  41-50
        Configuring the Receive-Queue Size Ratio  41-51

        Configuring the Transmit-Queue Size Ratio  41-51
        Mapping CoS Values to Drop Thresholds  41-52
        Configuring DSCP Value Maps  41-55
        Displaying QoS Information  41-58
        Displaying QoS Statistics  41-59
        Reverting to QoS Defaults  41-60
        Disabling QoS  41-60
        Configuring COPS Support  41-60
        Configuring RSVP Support  41-66
        Configuring QoS Statistics Data Export  41-70

CHAPTER 42  Configuring ASLB  42-1
    Hardware and Software Requirements  42-1
    Understanding How ASLB Works  42-2
        Layer 3 Operations for ASLB  42-3
        Layer 2 Operations for ASLB  42-3
        Client-to-Server Data Forwarding  42-4
        Server-to-Client Data Forwarding  42-6
        Cabling Guidelines  42-7
    Configuring ASLB  42-7
        Configuring the LocalDirector Interfaces  42-7
        ASLB Configuration Guidelines  42-8
        Configuring ASLB from the CLI  42-11
        ASLB Configuration Example  42-19
    ASLB Redundant Configuration Example  42-21
        IP Addresses  42-22
        MAC Addresses  42-23
        Catalyst 6000 Family Switch 1 Configuration  42-23
        Catalyst 6000 Family Switch 2 Configuration  42-23
        Router 1 Configuration  42-23
        Router 2 Configuration  42-24
        LocalDirector Configuration  42-24
    Troubleshooting the ASLB Configuration  42-25

CHAPTER 43  Configuring the Switch Fabric Modules  43-1
    Understanding How the Switch Fabric Module Works  43-1
    Configuring and Monitoring the Switch Fabric Module  43-2

        Configuring a Fallback Option  43-3
        Configuring the Switching Mode  43-3
        Switch Fabric Redundancy  43-4
        Monitoring the Switch Fabric Module  43-4
        Configuring the LCD Banner  43-8

CHAPTER 44  Configuring a VoIP Network  44-1
    Hardware and Software Requirements  44-1
    Understanding How a VoIP Network Works  44-2
        Cisco IP Phone 7960  44-2
        Cisco CallManager  44-4
        Access Gateways  44-4
        How a Call Is Made  44-7
        Understanding How VLANs Work  44-8
    Configuring VoIP on a Switch  44-9
        Voice-Related CLI Commands  44-9
        Configuring Per-Port Power Management  44-10
        Configuring Auxiliary VLANs on Catalyst LAN Switches  44-19
        Configuring the Access Gateways  44-21
        Displaying Active Call Information  44-27
        Configuring QoS in the Cisco IP Phone 7960  44-29

INDEX


Preface

This preface describes who should read the Catalyst 6000 Family Software Configuration Guide, how it is organized, and its document conventions.

Note  This publication includes the information that previously was in the Catalyst 6000 Family Multilayer Switch Feature Card (12.x) and Policy Feature Card Configuration Guide.

Audience

This publication is for experienced network administrators who are responsible for configuring and maintaining Catalyst 6000 family switches.

Organization

This publication is organized as follows:

Chapter 1   Product Overview
            Presents an overview of the Catalyst 6000 family switches.
Chapter 2   Command-Line Interfaces
            Describes how to use the command-line interface (CLI).
Chapter 3   Configuring the Switch IP Address and Default Gateway
            Describes how to perform a baseline configuration of the switch.
Chapter 4   Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching
            Describes how to configure Ethernet, Fast Ethernet, and Gigabit Ethernet switching.
Chapter 5   Configuring Ethernet VLAN Trunks
            Describes how to configure Inter-Switch Link (ISL) and IEEE 802.1Q VLAN trunks on Fast Ethernet and Gigabit Ethernet ports.
Chapter 6   Configuring EtherChannel
            Describes how to configure Fast EtherChannel and Gigabit EtherChannel port bundles.
Chapter 7   Configuring IEEE 802.1Q Tunneling
            Describes how to configure 802.1Q tunneling.
Chapter 8   Configuring Spanning Tree
            Describes how to configure the Spanning Tree Protocol and explains how spanning tree works.

Chapter 9   Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard
            Describes how to configure the spanning tree PortFast, UplinkFast, and BackboneFast features.
Chapter 10  Configuring VTP
            Describes how to configure VLAN Trunk Protocol (VTP) on the switch.
Chapter 11  Configuring VLANs
            Describes how to configure VLANs on the switch.
Chapter 12  Configuring InterVLAN Routing
            Describes how to configure interVLAN routing on the MSFC.
Chapter 13  Configuring CEF for PFC2
            Describes how to configure Cisco Express Forwarding for Policy Feature Card 2 (CEF for PFC2).
Chapter 14  Configuring MLS
            Describes how to configure Multilayer Switching (MLS).
Chapter 15  Configuring NDE
            Describes how to configure NetFlow Data Export (NDE).
Chapter 16  Configuring Access Control
            Describes how to configure access control lists (ACLs).
Chapter 17  Configuring GVRP
            Describes how to configure GARP VLAN Registration Protocol (GVRP) on the switch.
Chapter 18  Configuring Dynamic Port VLAN Membership with VMPS
            Describes how to configure dynamic port VLAN membership on the switch using the VLAN Management Policy Server (VMPS).
Chapter 19  Checking Port Status and Connectivity
            Describes how to display information about modules and switch ports and how to check connectivity using ping, Telnet, and IP traceroute.
Chapter 20  Administering the Switch
            Describes how to set the system name, create a login banner, and perform other administrative tasks on the switch.
Chapter 21  Configuring Switch Access Using AAA
            Describes how to configure authentication, authorization, and accounting (AAA) to monitor and control access to the CLI.
Chapter 22  Configuring Redundancy
            Describes how to install and configure redundant supervisor engines and MSFCs in the Catalyst 6000 family switches.
Chapter 23  Modifying the Switch Boot Configuration
            Describes how to modify the switch boot configuration, including the BOOT environment variable and the configuration register.
Chapter 24  Working With the Flash File System
            Describes how to work with the Flash file system.
Chapter 25  Working with System Software Images
            Describes how to download and upload system software images.
Chapter 26  Working with Configuration Files
            Describes how to create, download, and upload switch configuration files.
Chapter 27  Configuring System Message Logging
            Describes how to configure system message logging (syslog).
Chapter 28  Configuring DNS
            Describes how to configure Domain Name System (DNS).
Chapter 29  Configuring CDP
            Describes how to configure Cisco Discovery Protocol (CDP).
Chapter 30  Configuring UDLD
            Describes how to configure the UniDirectional Link Detection (UDLD) protocol.
Chapter 31  Configuring NTP
            Describes how to configure Network Time Protocol (NTP).
Chapter 32  Configuring Broadcast Suppression
            Describes how to configure hardware and software broadcast suppression.
Chapter 33  Configuring Layer 3 Protocol Filtering
            Describes how to configure protocol filtering on Ethernet, Fast Ethernet, and Gigabit Ethernet ports.
Chapter 34  Configuring the IP Permit List
            Describes how to configure the IP permit list.

Chapter 35  Configuring Port Security
            Describes how to configure secure port filtering.
Chapter 36  Configuring SNMP
            Describes how to configure SNMP.
Chapter 37  Configuring RMON
            Describes how to configure Remote Monitoring (RMON).
Chapter 38  Configuring SPAN and RSPAN
            Describes how to configure the Switch Port Analyzer (SPAN) and Remote SPAN (RSPAN).
Chapter 39  Using Switch TopN Reports
            Describes how to generate switch TopN reports.
Chapter 40  Configuring Multicast Services
            Describes how to configure Internet Group Management Protocol (IGMP) snooping, GARP Multicast Registration Protocol (GMRP), and Router Group Management Protocol (RGMP).
Chapter 41  Configuring QoS
            Describes how to configure Quality of Service (QoS).
Chapter 42  Configuring ASLB
            Describes how to configure accelerated server load balancing (ASLB).
Chapter 43  Configuring the Switch Fabric Modules
            Describes how to configure the Switch Fabric Module.
Chapter 44  Configuring a VoIP Network
            Describes how to configure a Voice-over-IP (VoIP) network.

Related Documentation

The following publications are available for the Catalyst 6000 family switches:
• Catalyst 6000 Family Module Installation Guide
• Catalyst 6000 Family Command Reference
• ATM Software Configuration and Command Reference—Catalyst 5000 Family and Catalyst 6000 Family Switches
• System Message Guide—Catalyst 6000 Family, Catalyst 5000 Family, Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G
• Release Notes for Catalyst 6000 Family Software Release 6.x
• Cisco IOS Configuration Guides and Command References—Use these publications to help you configure the Cisco IOS software that runs on the MSFC, MSM, and ATM modules.
• For information about MIBs, refer to http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Conventions

Note  Throughout this publication, except where noted, the term supervisor engine is used to refer to both Supervisor Engine 1 and Supervisor Engine 2.

This publication uses the following conventions:

Convention              Description
boldface font           Commands, command options, and keywords are in boldface.
italic font             Arguments for which you supply values are in italics.
[ ]                     Elements in square brackets are optional.
{x | y | z}             Alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z]             Optional alternative keywords are grouped in brackets and separated by vertical bars.
string                  A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
screen font             Terminal sessions and information the system displays are in screen font.
boldface screen font    Information you must enter is in boldface screen font.
italic screen font      Arguments for which you supply values are in italic screen font.
(pointer)               This pointer highlights an important line of text in an example.
^                       The symbol ^ represents the key labeled Control. For example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
< >                     Nonprinting characters, such as passwords, are in angle brackets.

Notes use the following conventions:

Note  Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.

Cautions use the following conventions:

Caution  Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:
http://www.cisco.com

International Cisco web sites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Registered Cisco.com users can order the Documentation CD-ROM (product number DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription

Ordering Documentation

You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
  http://www.cisco.com/en/US/partner/ordering/index.shtml
• Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number DOC-CONDOCCD=) through the online Subscription Store:
  http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

com Cisco. click Feedback at the top of the page. Cisco.com. You can e-mail your comments to bug-doc@cisco. On the Cisco Documentation home page. technology. you can self-register on Cisco. CA 95134-9883 We appreciate your comments. as a starting point for all technical assistance. and sample configurations from the Cisco TAC website. Customers and partners can obtain online documentation.com offers a suite of interactive. or solution. troubleshooting tips. when applicable. training. which includes the Cisco Technical Assistance Center (TAC) Website.com at this URL: http://www. Obtaining Technical Assistance Cisco provides Cisco. networking solutions.com registered users have complete access to the technical support resources on the Cisco TAC website. networked services that let you access Cisco information.Preface Obtaining Technical Assistance Documentation Feedback You can submit comments electronically on Cisco.4 xxxii 78-13315-02 . and resources at any time. Cisco.cisco. services. The avenue of support that you choose depends on the priority of the problem and the conditions stated in service contracts. Two levels of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. Cisco. from anywhere in the world. You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address: Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose.3 and 6.com Technical Assistance Center The Cisco TAC is available to all customers who need technical assistance with a Cisco product.com provides a broad range of features and services to help you with these tasks: • • • • • Streamline business processes and improve productivity Resolve technical issues with online support Download and test software packages Order Cisco learning materials and merchandise Register for online skill assessment. programs.com. 
Catalyst 6000 Family Software Configuration Guide—Releases 6.com. and certification programs To obtain customized information and service. including TAC tools and utilities.

We categorize Cisco TAC inquiries according to urgency:
• Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
• Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
• Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
• Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

Cisco TAC Website

You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this URL:
http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
http://tools.cisco.com/RPF/register/register.do

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:
http://www.cisco.com/en/US/support/index.html

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.

ciscopress. technologies.com/prod/tree. Internetworking Technology Handbook.com/en/US/products/products_catalog_links_launch. and network solutions is available from various online and printed sources. development. • The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as ordering and customer support services.com/en/US/learning/le31/learning_recommended_training_list.4 xxxiv 78-13315-02 . go to Cisco Press online at this URL: http://www. Access the Cisco Product Catalog at this URL: http://www.cisco. You can access Packet magazine at this URL: http://www.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.cisco.cisco. Internetworking Troubleshooting Guide. You can access iQ Magazine at this URL: http://business. with current offerings in network training listed at this URL: http://www.html • Training—Cisco offers world-class networking training.3 and 6.Preface Obtaining Additional Publications and Information Obtaining Additional Publications and Information Information about Cisco products.html • Cisco Press publishes a wide range of networking publications. For current Cisco Press titles and other information.com/en/US/about/ac123/ac114/about_cisco_packet_magazine. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary.cisco.html Catalyst 6000 Family Software Configuration Guide—Releases 6.com • Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest information about the field of networking.html • Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design.taf%3fasset_id=44699&public_view=true&kbns=1. and the Internetworking Design Guide.html • iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers with the latest information about the networking industry. 
You can access the Internet Protocol Journal at this URL: http://www. and operation of public and private internets and intranets.cisco.

CHAPTER 1  Product Overview

The Catalyst 6000 family switches support the following configurations:
• Supervisor Engine 2, Policy Feature Card 2 (PFC2), and Multilayer Switch Feature Card 2 (MSFC2)
• Supervisor Engine 2 and PFC2
• Supervisor Engine 1, PFC, and MSFC or MSFC2
• Supervisor Engine 1 and PFC
• Supervisor Engine 1

Note  The Switch Fabric Module is supported only in Catalyst 6500 series switches.

Note  This publication includes the information that previously was in the Catalyst 6000 Family Multilayer Switch Feature Card (12.x) and Policy Feature Card Configuration Guide.

Refer to the Release Notes for Catalyst 6000 Family Software Release 6.x publication for complete information about the chassis, modules, software features, protocols, and MIBs supported by the Catalyst 6000 family switches.


CHAPTER 2  Command-Line Interfaces

This chapter describes the command-line interface (CLI) you use to configure the Catalyst 6000 family switches and Ethernet modules. For descriptions of all switch and ROM monitor commands, refer to the Catalyst 6000 Family Command Reference publication.

Note  For a description of the ATM Cisco IOS CLI and commands, refer to the ATM Software Configuration Guide and Command Reference—Catalyst 5000 Family and 6000 Family Switches publication. For a description of the Multilayer Switch Module (MSM) IOS CLI and commands, refer to the Multilayer Switch Module Installation and Configuration Note.

This chapter consists of these sections:
• Catalyst Command-Line Interface, page 2-i
• MSFC Command-Line Interface, page 2-viii

Catalyst Command-Line Interface

These sections describe the Catalyst CLI:
• ROM-Monitor Command-Line Interface, page 2-i
• Switch Command-Line Interface, page 2-ii

ROM-Monitor Command-Line Interface

The ROM monitor is a ROM-based program that executes upon platform power-up, reset, or when a fatal exception occurs. The system enters ROM-monitor mode if the switch does not find a valid system image, if the NVRAM configuration is corrupted, or if the configuration register is set to enter ROM-monitor mode. From the ROM-monitor mode, you can load a system image manually from Flash memory, from a network server file, or from bootflash. You can enter ROM-monitor mode by restarting the switch and pressing the Break key during the first 60 seconds of startup.

Note  The Break key is always enabled for 60 seconds after rebooting the system, regardless of whether the Break key is configured to be off by configuration register settings.

To access the ROM monitor through a terminal server, you can escape to the Telnet prompt and enter the send break command for your terminal emulation program to break into ROM-monitor mode. Once you are in ROM-monitor mode, the prompt changes to rommon>. Use the ? command to see the available ROM-monitor commands.

Switch Command-Line Interface

The switch CLI is a basic command-line interpreter, similar to the UNIX C shell. These sections describe how to use the switch CLI:
• Accessing the Switch CLI, page 2-ii
• Accessing the MSFC from the Switch, page 2-iii
• Working With the Command-Line Interface, page 2-v

Accessing the Switch CLI

You can access the CLI through the supervisor engine console port or through a Telnet session. These sections describe how to access the switch CLI:
• Accessing the CLI through the Console Port, page 2-ii
• Accessing the CLI through Telnet, page 2-iii

Accessing the CLI through the Console Port

To access the switch CLI through the console port, you must connect a console terminal to the console port through an EIA/TIA-232 (RS-232) cable.

Note  For complete information on how to connect to the supervisor engine console port, refer to the hardware documentation for your switch.

To access the switch through the console port, perform this task:

Step    Task                                                                      Command
Step 1  Initiate a connection from the terminal to the switch console prompt     —
        and press Return. The Console> prompt appears, indicating that you have
        accessed the CLI in normal mode.
Step 2  At the prompt, enter the system password.                                 —
Step 3  If necessary, enter privileged mode (you must enter privileged mode to    enable
        change the switch configuration).
Step 4  Enter the necessary commands to complete the desired tasks.               —
Step 5  When finished, exit the session.                                          exit

After accessing the switch through the console port, you see this display:

    Cisco Systems Console
    Enter password:
    Console>

Accessing the CLI through Telnet

Before you can open a Telnet session to the switch, you must first set the IP address for the switch. For information about setting the IP address, see the “Assigning the In-Band (sc0) Interface IP Address” section on page 3-5. Up to eight simultaneous Telnet sessions are supported. Telnet sessions disconnect automatically after remaining idle for a set time period.

To access the switch CLI from a remote host using Telnet, perform this task:

Step    Task                                                                      Command
Step 1  From the remote host, enter the telnet command and the name or IP         telnet {hostname | ip_addr}
        address of the switch you want to access.
Step 2  At the prompt, enter the password for the CLI. If no password has been    —
        configured, press Return.
Step 3  Enter the necessary commands to complete your desired tasks.              —
Step 4  When finished, exit the Telnet session.                                   exit

This example shows how to open a Telnet session to the switch:

    unix_host% telnet Catalyst_1
    Trying 172.16.10.10...
    Connected to Catalyst_1.
    Escape character is '^]'.

    Cisco Systems Console
    Enter password:
    Catalyst_1>

Accessing the MSFC from the Switch

These sections describe how to access the Multilayer Switch Feature Card (MSFC) from a directly connected console port or from a Telnet session:
• Accessing the MSFC from the Console Port, page 2-iv
• Accessing the MSFC from a Telnet Session, page 2-iv

See the “MSFC Command-Line Interface” section on page 2-viii.

Accessing the MSFC from the Console Port

You can enter the switch console command to access the MSFC from the switch CLI directly connected to the supervisor engine console port. To exit from the MSFC CLI and return to the switch CLI, enter ^C^C^C at the Router> prompt.

Note  The supervisor engine software sees the MSFC as module 15 (when installed on a supervisor engine in slot 1) or module 16 (when installed on a supervisor engine in slot 2).

Note  To access the Cisco IOS CLI on the standby MSFC, connect to the console port of the standby supervisor engine.

To access the MSFC from the switch CLI, perform this task:

Task                                      Command
Access the MSFC from the switch CLI.      switch console [mod] (1)

1. The mod keyword specifies the module number of the MSFC, either 15 (if the MSFC is installed on the supervisor engine in slot 1) or 16 (if the MSFC is installed on the supervisor engine in slot 2). If no module number is specified, the console will switch to the MSFC on the active supervisor engine.

This example shows how to access the active MSFC from the switch CLI from the active supervisor engine, and how to exit the MSFC CLI and return to the switch CLI:

    Console> (enable) switch console 15
    Trying Router-15...
    Connected to Router-15.
    Type ^C^C^C to switch back...
    Router> ^C^C^C
    Console> (enable)

Accessing the MSFC from a Telnet Session

You can enter the session mod command to access the MSFC from the switch CLI using a Telnet session. To exit from the MSFC CLI back to the switch CLI, enter the exit command at the Router> prompt.

This example shows how to access the MSFC from the switch CLI, and how to exit the MSFC CLI and return to the switch CLI:

    Console> (enable) session 15
    Router> exit
    Console> (enable)

Working With the Command-Line Interface

These sections describe how to work with the switch CLI:
• Switch CLI Command Modes, page 2-v
• Designating Modules, Ports, and VLANs on the Command Line, page 2-v
• Designating MAC Addresses, IP Addresses, and IP Aliases, page 2-vi
• Command Line Editing, page 2-vi
• History Substitution, page 2-vii
• Accessing Command Help, page 2-viii

Switch CLI Command Modes

The switch CLI supports two modes of operation: normal and privileged. Both modes are password protected. Enter normal-mode commands for everyday system monitoring. Enter privileged-mode commands to configure the system and perform basic troubleshooting.

After you log in, the system enters normal mode automatically, which gives you access to normal-mode commands only. You can access privileged mode by entering the enable command followed by the privileged-mode password. To return to normal mode, enter the disable command at the prompt.

This example shows how to enter privileged mode:

    Console> enable
    Enter Password: <password>
    Console> (enable)

Designating Modules, Ports, and VLANs on the Command Line

Switch commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to be distinguished from any other currently available commands or parameters.

Catalyst 6000 family switches are multimodule systems. Commands you enter from the CLI might apply to the entire system or to a specific module, port, or VLAN. Modules, ports, and VLANs are numbered starting with 1. The supervisor engine is module 1, residing in slot 1. If your switch has a redundant supervisor engine, the supervisor engines reside in slots 1 and 2. Port 1 is always the left-most port.

To designate a specific module, use the module number. To designate a specific port on a specific module, the command syntax is mod/port. For example, 3/1 denotes module 3, port 1. In some commands, such as set trunk and set port channel, you can enter lists of ports. To specify a range of ports, use a comma-separated list (do not insert spaces) to specify individual ports or a hyphen (-) between the port numbers to specify a range of ports. Hyphens take precedence over commas. Table 2-1 shows examples of how to designate ports and port ranges.

Table 2-1  Designating Ports and Port Ranges

Example     Function
2/1         Specifies port 1 on module 2
3/4-8       Specifies ports 4, 5, 6, 7, and 8 on module 3

Table 2-1   Designating Ports and Port Ranges (continued)

Example      Function
5/2,4,6/10   Specifies ports 2 and 4 on module 5 and port 10 on module 6
3/1-2,4/8    Specifies ports 1 and 2 on module 3 and port 8 on module 4

VLANs are identified using the VLAN ID, a single number associated with the VLAN. To specify a list of VLANs, use a comma-separated list (do not insert spaces) to specify individual VLANs or a hyphen (-) between the VLAN numbers to specify a range of VLANs. Table 2-2 shows examples of how to designate VLANs and VLAN ranges.

Table 2-2   Designating VLANs and VLAN Ranges

Example      Function
10           Specifies VLAN 10
5,10,15      Specifies VLANs 5, 10, and 15
10-50,500    Specifies VLANs 10 through 50, inclusive, and VLAN 500

Designating MAC Addresses, IP Addresses, and IP Aliases

Some commands require a MAC address, IP address, or IP alias, which must be designated in a standard format. The MAC address format must be six hexadecimal numbers separated by hyphens, as shown in the following example:

00-00-0c-24-d2-fe

The IP address format is 32 bits, written as 4 octets separated by periods (dotted decimal format) that are made up of a network section, an optional subnet section, and a host section, as shown in the following example:

126.2.54.1

If you have configured IP aliases on the switch, you can use IP aliases in place of the dotted decimal IP address. This is true for most commands that use an IP address, except for commands that define the IP address or IP alias. For information on using IP aliases, see the “Defining IP Aliases” section on page 20-6.

If DNS is configured on the switch, you can use DNS host names in place of IP addresses. For information on configuring DNS, see Chapter 28, “Configuring DNS.”

Command Line Editing

You can scroll through the last 20 commands stored in the history buffer, and enter or edit the command at the prompt. Table 2-3 lists the keyboard shortcuts to use when entering and editing switch commands.

Table 2-3   Command-Line Editing Keyboard Shortcuts

Keystroke                        Function
Ctrl-A                           Jumps to the first character of the command line.
Ctrl-B or the left arrow key 1   Moves the cursor back one character.
Ctrl-C                           Escapes and terminates prompts and tasks.

Table 2-3   Command-Line Editing Keyboard Shortcuts (continued)

Keystroke                        Function
Ctrl-D                           Deletes the character at the cursor.
Ctrl-E                           Jumps to the end of the current command line.
Ctrl-F or the right arrow key 1  Moves the cursor forward one character.
Ctrl-K                           Deletes from the cursor to the end of the command line.
Ctrl-L, Ctrl-R                   Repeats current command line on a new line.
Ctrl-N or the down arrow key 1   Enters next command line in the history buffer.
Ctrl-P or the up arrow key 1     Enters previous command line in the history buffer.
Ctrl-U, Ctrl-X                   Deletes from the cursor to the beginning of the command line.
Ctrl-W                           Deletes last word typed.
Esc B                            Moves the cursor back one word.
Esc D                            Deletes from the cursor to the end of the word.
Esc F                            Moves the cursor forward one word.
Delete key or Backspace key      Erases mistake when entering a command; reenter command after using this key.

1. The arrow keys function only on ANSI-compatible terminals such as VT100s.

History Substitution

The history buffer stores the last 20 commands you entered during a terminal session. History substitution allows you to access these commands without retyping them, by using special abbreviated commands. Table 2-4 lists the history substitution commands.

Table 2-4   History Substitution Commands

Command      Function
Repeating recent commands:
!!           Repeat the most recent command.
!-nn         Repeat the nnth most recent command.
!n           Repeat command n.
!aaa         Repeat the command beginning with string aaa.
!?aaa        Repeat the command containing the string aaa.
To modify and repeat the most recent command:
^aaa^bbb     Replace the string aaa with the string bbb in the most recent command.
To add a string to the end of a previous command and repeat it:
!!aaa        Add string aaa to the end of the most recent command.
!n aaa       Add string aaa to the end of command n.
!aaa bbb     Add string bbb to the end of the command beginning with string aaa.
!?aaa bbb    Add string bbb to the end of the command containing the string aaa.
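The port and VLAN designation syntax of Tables 2-1 and 2-2 (comma lists, hyphen ranges, a module prefix that carries across commas) is small enough to implement exactly; the parser below is an added example, not code from the guide, and the MAX_* bounds it validates against are assumptions.

```python
"""Parser for the port and VLAN designations used on the Catalyst switch CLI.

Added example, not code from the configuration guide.  It implements the
rules stated for Tables 2-1 and 2-2: items are comma separated with no
spaces, a hyphen gives an inclusive range, a "mod/" prefix stays in effect
for the following items until a new "mod/" appears ("5/2,4,6/10"), and a
hyphen binds tighter than a comma ("3/1-2,4/8" is 3/1, 3/2 and 4/8).
The numeric bounds are assumptions used only for validation."""

import re
from typing import List, Optional, Tuple

MAX_MODULE = 16    # assumption: bound for validation only
MAX_PORT = 48      # assumption: bound for validation only
MAX_VLAN = 1005    # assumption: bound for validation only

_RANGE = re.compile(r"(\d+)(?:-(\d+))?")


def _expand(item: str, low: int, high: int) -> List[int]:
    """Expand "n" or "a-b" into the inclusive list of integers it denotes."""
    m = _RANGE.fullmatch(item)
    if m is None:
        raise ValueError(f"malformed element {item!r}")
    first = int(m.group(1))
    last = int(m.group(2)) if m.group(2) else first
    if first > last:
        raise ValueError(f"range {item!r} runs backwards")
    if first < low or last > high:
        raise ValueError(f"{item!r} is outside {low}-{high}")
    return list(range(first, last + 1))


def parse_vlans(spec: str) -> List[int]:
    """"10", "5,10,15" or "10-50,500" -> list of VLAN IDs (Table 2-2)."""
    if " " in spec:
        raise ValueError("spaces are not allowed in a VLAN list")
    vlans: List[int] = []
    for item in spec.split(","):
        vlans.extend(_expand(item, 1, MAX_VLAN))
    return vlans


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """"2/1", "3/4-8", "5/2,4,6/10" -> list of (module, port) (Table 2-1)."""
    if " " in spec:
        raise ValueError("spaces are not allowed in a port list")
    ports: List[Tuple[int, int]] = []
    module: Optional[int] = None
    for item in spec.split(","):
        if "/" in item:
            # A new "mod/" prefix rebinds the module for this and later items.
            mod_text, item = item.split("/", 1)
            if not mod_text.isdigit() or not 1 <= int(mod_text) <= MAX_MODULE:
                raise ValueError(f"bad module number {mod_text!r}")
            module = int(mod_text)
        if module is None:
            raise ValueError("a port list must begin with mod/port")
        for port in _expand(item, 1, MAX_PORT):
            ports.append((module, port))
    return ports
```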
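The history substitution rules of Table 2-4 can be modelled as a small state machine over the 20-entry history buffer; the class below is an added example, not the switch's code, and the absolute numbering it keeps across buffer wrap-around is an assumption the guide does not specify.

```python
"""A model of the history substitution rules in Table 2-4.

Added example, not code from the guide.  HistoryBuffer keeps the last 20
commands, numbered in the order they were entered, and expand() turns a line
such as "!!", "!-2", "!7", "!sh", "!?vlan", "^aaa^bbb", "!!aaa" or "!n aaa"
into the command it stands for, recording that command as the newest entry.
How the real switch numbers entries once the buffer wraps is not stated in
the guide; the absolute numbering here is an assumption."""

import re
from collections import deque
from typing import Deque, Tuple

HISTORY_SIZE = 20


class HistoryBuffer:
    def __init__(self) -> None:
        self._entries: Deque[Tuple[int, str]] = deque(maxlen=HISTORY_SIZE)
        self._next_number = 1

    def record(self, command: str) -> None:
        """Append a command; the oldest entry drops off after 20."""
        self._entries.append((self._next_number, command))
        self._next_number += 1

    def most_recent(self) -> str:                      # !!
        if not self._entries:
            raise LookupError("history buffer is empty")
        return self._entries[-1][1]

    def nth_most_recent(self, nn: int) -> str:         # !-nn
        if not 1 <= nn <= len(self._entries):
            raise LookupError(f"!-{nn}: event not found")
        return self._entries[-nn][1]

    def by_number(self, n: int) -> str:                # !n
        for number, command in self._entries:
            if number == n:
                return command
        raise LookupError(f"!{n}: event not found")

    def by_prefix(self, aaa: str) -> str:              # !aaa
        for _, command in reversed(self._entries):
            if command.startswith(aaa):
                return command
        raise LookupError(f"!{aaa}: event not found")

    def by_substring(self, aaa: str) -> str:           # !?aaa
        for _, command in reversed(self._entries):
            if aaa in command:
                return command
        raise LookupError(f"!?{aaa}: event not found")

    def _lookup(self, designator: str) -> str:
        body = designator[1:]
        if designator == "!!":
            return self.most_recent()
        if body.startswith("?"):
            return self.by_substring(body[1:])
        if re.fullmatch(r"-\d+", body):
            return self.nth_most_recent(int(body[1:]))
        if body.isdigit():
            return self.by_number(int(body))
        if body:
            return self.by_prefix(body)
        raise ValueError("empty history designator")

    def expand(self, line: str) -> str:
        """Return the command `line` stands for and record it in the buffer."""
        if line.startswith("^"):
            # ^aaa^bbb: replace the first aaa in the most recent command.
            m = re.fullmatch(r"\^([^^]+)\^([^^]*)\^?", line)
            if m is None:
                raise ValueError(f"malformed substitution {line!r}")
            aaa, bbb = m.groups()
            base = self.most_recent()
            if aaa not in base:
                raise LookupError(f"modifier failed: {aaa!r} not in {base!r}")
            command = base.replace(aaa, bbb, 1)
        elif line.startswith("!"):
            # "!!aaa" appends aaa directly; "!n aaa", "!aaa bbb" and
            # "!?aaa bbb" append everything after the first space.
            if line.startswith("!!"):
                designator, rest = "!!", line[2:]
            else:
                designator, sep, tail = line.partition(" ")
                rest = sep + tail
            command = self._lookup(designator) + rest
        else:
            command = line
        self.record(command)
        return command
```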

Accessing Command Help

Enter help or ? in normal or privileged mode to see the commands available in those modes. Additionally, entering help or ? after a command provides additional information, such as a command usage description. On selected commands, appending help or ? to a command category displays a list of commands in that category. Command usage, the help menu, and when appropriate, parameter ranges are provided if you enter a command using the wrong number of arguments or inappropriate arguments.

MSFC Command-Line Interface

These sections describe the MSFC CLI:
• Cisco IOS Command Modes, page 2-viii
• Cisco IOS Command-Line Interface, page 2-x

Note   In addition to the methods described in the “Accessing the MSFC from the Switch” section on page 2-iii, you can configure IOS to support direct Telnet access to the MSFC. Refer to “Configuring Authentication” in the Cisco IOS Security Configuration Guide: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt1/scdathen.htm

Cisco IOS Command Modes

The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. To get a list of the commands in a given mode, type a question mark (?) at the system prompt. For more information, see the “Getting a List of IOS Commands and Syntax” section on page 2-ix.

When you start a session on the switch, you begin in user mode, often called user EXEC mode. Only a limited subset of the commands are available in EXEC mode. To have access to all commands, you must enter privileged EXEC mode. Normally, you must type in a password to access privileged EXEC mode. From privileged EXEC mode, you can type in any EXEC command or access global configuration mode. Most of the EXEC commands are one-time commands, such as show commands, which show the current configuration status, and clear commands, which clear counters or interfaces. The EXEC commands are not saved across reboots of the switch.

The configuration modes allow you to make changes to the running configuration. If you later save the configuration, these commands are stored across switch reboots. You must start at global configuration mode. From global configuration mode, you can enter interface configuration mode, subinterface configuration mode, and a variety of protocol-specific modes.

ROM monitor mode is a separate mode used when the switch cannot boot properly. For example, the switch might enter ROM monitor mode if it does not find a valid system image when it is booting, or if its configuration file is corrupted at startup. For more information, see the “ROM-Monitor Command-Line Interface” section on page 2-i.

Table 2-5 lists and describes the most commonly used Cisco IOS modes.

Table 2-5   Frequently Used IOS Command Modes

Mode                        Description of Use                                                                 How to Access                                                          Prompt
User EXEC                   Connect to remote devices, change terminal settings on a temporary basis,          Log in.                                                                Router>
                            perform basic tests, and display system information.
Privileged EXEC (enable)    Set operating parameters. The privileged command set includes the commands in      From the user EXEC mode, enter the enable command and the enable       Router#
                            user EXEC mode as well as the configure command. Use this command to access        password.
                            the other command modes.
Global configuration        Configure features that affect the system as a whole.                              From the privileged EXEC mode, enter the configure terminal command.   Router(config)#
Interface configuration     Many features are enabled for a particular interface. Interface commands enable    From global configuration mode, enter the interface type location      Router(config-if)#
                            or modify the operation of a Gigabit Ethernet or Fast Ethernet interface.          command.
Console configuration       From the directly connected console or the virtual terminal used with Telnet,      From global configuration mode, enter the line console 0 command.      Router(config-line)#
                            use this configuration mode to configure the console interface.

The Cisco IOS command interpreter, called the EXEC, interprets and executes the commands you enter. You can abbreviate commands and keywords by entering just enough characters to make the command unique from other commands. For example, you can abbreviate the show command to sh and the configure terminal command to config t.

When you type exit, the switch backs out one level. To exit configuration mode completely and return to privileged EXEC mode, press Ctrl-Z.

Getting a List of IOS Commands and Syntax

In any command mode, you can get a list of available commands by entering a question mark (?).

Router> ?

To obtain a list of commands that begin with a particular character sequence, type in those characters followed by the question mark (?). Do not include a space. This form of help is called word help, because it completes a word for you.

Router# co?
configure

To list keywords or arguments, enter a question mark in place of a keyword or argument. Include a space before the question mark. This form of help is called command syntax help, because it reminds you which keywords or arguments are applicable based on the command, keywords, and arguments you have already entered.

Router# configure ?
  memory             Configure from NV memory
  network            Configure from a TFTP network host
  overwrite-network  Overwrite NV memory from TFTP network host
  terminal           Configure from the terminal

To redisplay a command you previously entered, press the up-arrow key or Ctrl-P. You can continue to press the up-arrow key to see the last 20 commands you entered.

Tip   If you are having trouble entering a command, check the system prompt, and enter the question mark (?) for a list of available commands. You might be in the wrong command mode or using incorrect syntax.

Press Ctrl-Z in any mode to immediately return to privileged EXEC mode. Enter exit to return to the previous mode.

Cisco IOS Command-Line Interface

These sections describe basic Cisco IOS configuration tasks you need to understand before you configure routing:
• Accessing Cisco IOS Configuration Mode, page 2-x
• Viewing and Saving the Cisco IOS Configuration, page 2-xi
• Bringing Up an MSFC Interface, page 2-xi

Accessing Cisco IOS Configuration Mode

To access the Cisco IOS configuration mode, perform this task:

Note   Enter the switch console command to access the MSFC from the switch CLI when directly connected to the supervisor engine console port. To access the MSFC from a Telnet session, see the “Accessing the MSFC from a Telnet Session” section on page 2-iv.

        Task                                                              Command
Step 1  If you are in the switch CLI, enter the MSFC CLI.                 Console> switch console [mod]
Step 2  At the EXEC prompt, enter enable mode.                            Router> enable
Step 3  At the privileged EXEC prompt, enter global configuration mode.   Router# configure terminal

        Task                                                              Command
Step 4  Enter the commands to configure routing. (Refer to the            Router(config)#
        appropriate configuration tasks later in this chapter.)
Step 5  Exit configuration mode.                                          Ctrl-Z

Viewing and Saving the Cisco IOS Configuration

To view and save the configuration after you make changes, perform this task:

        Task                                                              Command
Step 1  View the current operating configuration at the privileged        Router# show running-config
        EXEC prompt.
Step 2  View the configuration in NVRAM.                                  Router# show startup-config
Step 3  Save the current configuration to NVRAM.                          Router# copy running-config startup-config

Bringing Up an MSFC Interface

In some cases, an MSFC interface might be administratively shut down. You can check the status of an interface using the show interface command.

Note   In a redundant supervisor engine setup, if an interface on one MSFC is shut down, the matching VLAN interface on the redundant MSFC will stop forwarding packets. Therefore, you should manually shut down the matching interface on the redundant MSFC.

To bring up an MSFC interface that is administratively shut down, perform this task in privileged mode:

        Task                                                              Command
Step 1  Specify the interface to bring up.                                Router(config)# interface interface_type interface_num
Step 2  Bring the interface up.                                           Router(config-if)# no shutdown
Step 3  Exit configuration mode.                                          Router(config-if)# Ctrl-Z


CHAPTER 3   Configuring the Switch IP Address and Default Gateway

This chapter describes how to configure the IP address, subnet mask, and default gateway on the Catalyst 6000 family switches.

Note   For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:
• Understanding the Switch Management Interfaces, page 3-i
• Understanding Automatic IP Configuration, page 3-ii
• Preparing to Configure the IP Address and Default Gateway, page 3-iv
• Booting the MSFC for the First Time, page 3-iv
• Default IP Address and Default Gateway Configuration, page 3-v
• Assigning the In-Band (sc0) Interface IP Address, page 3-v
• Configuring Default Gateways, page 3-vi
• Configuring the SLIP (sl0) Interface on the Console Port, page 3-vii
• Using BOOTP, DHCP, or RARP to Obtain an IP Address, page 3-ix
• Renewing and Releasing a DHCP-Assigned IP Address, page 3-x

Understanding the Switch Management Interfaces

Catalyst 6000 family switches have two configurable IP management interfaces, the in-band (sc0) interface and the Serial Line Internet Protocol (SLIP) (sl0) interface. The in-band (sc0) management interface is connected to the switching fabric and participates in all of the functions of a normal switch port, such as spanning tree, Cisco Discovery Protocol (CDP), VLAN membership, and so forth. The out-of-band management interface (sl0) is not connected to the switching fabric and does not participate in any of these functions.

When you configure the IP address, subnet mask, broadcast address, and VLAN membership of the sc0 interface, you can access the switch through Telnet or Simple Network Management Protocol (SNMP). When you configure the SLIP (sl0) interface, you can open a point-to-point connection to the switch through the console port from a workstation.

The switch IP routing table is used to forward traffic originating on the switch only, not for forwarding traffic sent by devices connected to the switch. All IP traffic generated by the switch itself (for example, a Telnet session opened from the switch to a host) is forwarded according to the entries in the switch IP routing table. For intersubnetwork communication to occur, you must configure at least one default gateway for the sc0 interface.

Understanding Automatic IP Configuration

These sections describe how the switch can obtain its IP configuration automatically:
• Automatic IP Configuration Overview, page 3-ii
• Understanding How DHCP Works, page 3-ii
• Understanding How BOOTP and RARP Work, page 3-iii

Automatic IP Configuration Overview

The switch can obtain its IP configuration automatically using one of the following protocols:
• Bootstrap Protocol (BOOTP)
• Dynamic Host Configuration Protocol (DHCP)
• Reverse Address Resolution Protocol (RARP)

The switch makes BOOTP, DHCP, and RARP requests only if the sc0 interface IP address is set to 0.0.0.0 when the switch boots up. This address is the default for a new switch or a switch whose configuration file has been cleared using the clear config all command. BOOTP, DHCP, and RARP requests are only broadcast out the sc0 interface.

Note   If the CONFIG_FILE environment variable is set, all configuration files are processed before the switch determines whether to broadcast BOOTP, DHCP, and RARP requests. For more information about the CONFIG_FILE environment variable, see Chapter 23, “Modifying the Switch Boot Configuration.”

Understanding How DHCP Works

There are three methods for obtaining an IP address from the DHCP server:
• Manual allocation—The network administrator maps the switch MAC address to an IP address at the DHCP server.
• Automatic allocation—The switch obtains an IP address when it first contacts the DHCP server. The address is permanently assigned to the switch.
• Dynamic allocation—The switch obtains a “leased” IP address for a specified period of time. The IP address is revoked at the end of this period, and the switch surrenders the address. The switch must request another IP address.

In addition to the sc0 interface IP address, the switch can obtain the subnet mask, broadcast address, and default gateway address. DHCP-learned values are not used if user-configured values are present.

At bootup, the switch broadcasts a DHCPDISCOVER message one to ten seconds after all of the switch ports are online. The switch always requests an infinite lease time in the DHCPDISCOVER message. If the DHCP server assigns a finite lease instead, the switch attempts to renew the lease on the IP address; if no reply is received, the switch retains the current IP address.

If a DHCP or Bootstrap Protocol (BOOTP) server responds to the request, the switch takes appropriate action. If a DHCPOFFER message is received from a DHCP server, the switch processes all supported options contained in the message. Table 3-1 shows the supported DHCP options. Other options specified in the DHCPOFFER message are ignored. If a BOOTP response is received from a BOOTP server, the switch sets the in-band (sc0) interface IP address to the address specified in the BOOTP response.

If no DHCPOFFER message or BOOTP response is received in reply, the switch rebroadcasts the request using an exponential backoff algorithm (the amount of time between requests increases exponentially). If no response is received after ten minutes, the sc0 interface IP address remains set to 0.0.0.0 (provided that BOOTP and RARP requests fail as well).

If you reset or power cycle a switch with a DHCP- or BOOTP-obtained IP address, the information learned from DHCP or BOOTP is retained.

Table 3-1   Supported DHCP Options

Code   Option
1      Subnet mask
2      Time offset
3      Router
6      Domain name server
12     Host name
15     Domain name
28     Broadcast address
33     Static route
42     NTP servers
51     IP address lease time
52     Option overload
61     Client-identifier
66     TFTP server name

Understanding How BOOTP and RARP Work

With BOOTP and RARP, you map the switch MAC address to an IP address on the BOOTP or RARP server. The switch retrieves its IP address from the server automatically when it boots up. The switch broadcasts 10 BOOTP and RARP requests after all of the switch ports are online. If a response is received, the switch sets the in-band (sc0) interface IP address to the address specified in the response. If no reply is received,

the sc0 interface IP address remains set to 0.0.0.0 (provided that DHCP requests fail as well). If you reset or power cycle a switch with a BOOTP- or RARP-obtained IP address, the information learned from BOOTP or RARP is retained.

Preparing to Configure the IP Address and Default Gateway

Before you configure the switch IP address and default gateway, obtain the following information, as appropriate:
• IP address for the switch (sc0 interface only)
• Subnet mask/number of subnet bits (sc0 interface only)
• (Optional) Broadcast address (sc0 interface only)
• VLAN membership (sc0 interface only)
• SLIP and SLIP destination addresses (sl0 interface only)
• Interface connection type
  – In-band (sc0) interface: Configure this interface when assigning an IP address, subnet mask, and VLAN to the in-band management interface on the switch.
  – SLIP (sl0) interface: Configure this interface when setting up a point-to-point SLIP connection between a terminal and the switch.

Booting the MSFC for the First Time

Two Multilayer Switch Feature Card (MSFC) images are provided on the MSFC bootflash: a boot loader image and a system image. The boot loader image is a limited function system image that has network interface code and end-host protocol code. The system image is the main Cisco IOS software image with full multiprotocol routing support.

As shipped, the MSFC is configured to boot the boot loader image first, which then boots the system image from the bootflash. The boot loader image must stay on the MSFC bootflash; this image must always remain as the first image on the MSFC bootflash as it is always used as the first image to boot.

Caution   Do not erase the boot loader image.

However, if a Flash PC card is available on the supervisor engine, we recommend that you store all new system images (upgrades) on the supervisor engine Flash PC card instead of the bootflash on the MSFC. To store the system image on the supervisor Flash PC card, you need to change the configuration on the MSFC to boot the MSFC from the appropriate image on the Flash PC card by adding the following command to the MSFC configuration:

boot sup-slot0:system_image

In the above example, system_image is the name of the desired image on the supervisor Flash PC card.

Note   Before you can use a system image stored on the supervisor engine Flash PC card, you must set the BOOTLDR environment variable. In privileged mode, enter the boot bootldr bootflash:boot_loader_image command.
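The DHCPOFFER handling described in the "Understanding How DHCP Works" section above reduces to two rules worth checking on any management plane: act only on the option codes in Table 3-1, and never let a DHCP-learned value displace a user-configured one. The block below is an added example of that processing, not Cisco's code; the offer bytes are constructed here and the setting names are my own.

```python
"""DHCPOFFER option handling as the guide describes it for the sc0 interface:
only the option codes in Table 3-1 are acted on, any other option is ignored,
and a DHCP-learned value is never used where a user-configured value exists.

Added example, not Cisco code.  The offer is constructed here in the standard
DHCP option layout (code, length, value; 0 = pad, 255 = end); the setting
names are my own."""

import ipaddress
import struct
from typing import Any, Dict, List, Tuple

# Table 3-1: the option codes the switch processes, keyed to a setting name.
SUPPORTED = {
    1: "subnet_mask", 2: "time_offset", 3: "routers", 6: "dns_servers",
    12: "host_name", 15: "domain_name", 28: "broadcast", 33: "static_routes",
    42: "ntp_servers", 51: "lease_time", 52: "option_overload",
    61: "client_id", 66: "tftp_server",
}


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Split the options field into {code: value}; a repeated code keeps the
    last value.  A truncated header or value is rejected rather than guessed."""
    options: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:                       # pad byte
            i += 1
            continue
        if code == 255:                     # end marker
            break
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: missing length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: value truncated")
        options[code] = value
        i += 2 + length
    return options


def _addresses(raw: bytes) -> List[str]:
    if not raw or len(raw) % 4:
        raise ValueError("address field length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def decode(code: int, raw: bytes) -> Any:
    """Decode a supported option value into a Python value."""
    if code in (1, 28):                     # exactly one address
        if len(raw) != 4:
            raise ValueError(f"option {code}: expected 4 bytes")
        return _addresses(raw)[0]
    if code in (3, 6, 42):                  # one or more addresses
        return _addresses(raw)
    if code == 51:                          # seconds; 0xffffffff = infinite
        return struct.unpack("!I", raw)[0]
    if code == 2:                           # signed seconds from UTC
        return struct.unpack("!i", raw)[0]
    if code in (12, 15, 66):
        return raw.decode("ascii")
    return raw                              # static routes, overload, client id: raw


def apply_offer(options: bytes, user_config: Dict[str, Any]) -> Tuple[Dict[str, Any], List[int]]:
    """Merge offer options into the sc0 settings.  Returns the effective
    settings and the option codes that were ignored."""
    effective = dict(user_config)
    ignored: List[int] = []
    for code, raw in parse_options(options).items():
        name = SUPPORTED.get(code)
        if name is None:
            ignored.append(code)            # not in Table 3-1: ignored
        elif name not in user_config:       # user-configured values win
            effective[name] = decode(code, raw)
    return effective, ignored


def _opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


def _ip(text: str) -> bytes:
    return ipaddress.IPv4Address(text).packed


# Constructed offer, loosely modelled on the guide's DHCP example output; the
# lease is the infinite lease the switch asks for in its DHCPDISCOVER.
OFFER_OPTIONS = (
    _opt(1, _ip("255.255.255.0"))
    + _opt(3, _ip("172.20.25.1"))
    + _opt(6, _ip("172.16.25.32") + _ip("172.16.30.32"))
    + _opt(42, _ip("172.16.25.253"))
    + _opt(51, struct.pack("!I", 0xFFFFFFFF))
    + _opt(15, b"example.test")
    + b"\x00"                               # pad
    + _opt(43, b"\x01\x02\x03")             # vendor-specific: unsupported
    + b"\xff"                               # end
)
```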

Note   To boot a system image stored on the supervisor engine Flash PC card, at least one VLAN interface must be configured and active.

By following this recommendation, there is really no need to store new system images on the bootflash. If desired, you can update the system image on the bootflash from an image on the supervisor engine Flash PC card by entering these commands:

delete bootflash:old_system_image
squeeze bootflash:
copy sup-slot0:new_system_image bootflash:

Default IP Address and Default Gateway Configuration

Table 3-2 shows the default IP address and default gateway configuration.

Table 3-2   Switch IP Address and Default Gateway Default Configuration

Feature                   Default Value
In-band (sc0) interface   • IP address, subnet mask, and broadcast address set to 0.0.0.0
                          • Assigned to VLAN 1
Default gateway address   Set to 0.0.0.0 with a metric of 0
SLIP (sl0) interface 1    • IP address and SLIP destination address set to 0.0.0.0
                          • SLIP for the console port is not active (set to detach)

1. SLIP=Serial Line Internet Protocol

Assigning the In-Band (sc0) Interface IP Address

Before you can Telnet to the switch or use SNMP to manage the switch, you must assign an IP address to the in-band (sc0) logical interface. To set the IP address and VLAN membership of the in-band (sc0) management interface, perform this task in privileged mode:

        Task                                                              Command
Step 1  Assign an IP address, subnet mask (or number of subnet bits),     set interface sc0 [ip_addr[/netmask] [broadcast]]
        and (optional) broadcast address to the in-band (sc0) interface.
Step 2  Assign the in-band interface to the proper VLAN (make sure the    set interface sc0 [vlan]
        VLAN is associated with the network to which the IP address
        belongs).
Step 3  If necessary, bring the interface up.                             set interface sc0 up
Step 4  Verify the interface configuration.                               show interface

You can specify the subnet mask (netmask) using the number of subnet bits or using the subnet mask in dotted decimal format.

This example shows how to assign an IP address, specify the subnet mask in dotted decimal format, and specify the VLAN assignment for the in-band (sc0) interface:

Console> (enable) set interface sc0 5 172.20.52.124/255.255.255.248
Interface sc0 vlan set, IP address and netmask set.
Console> (enable)

This example shows how to specify the VLAN assignment, assign an IP address, specify the number of subnet bits, and verify the configuration:

Console> (enable) set interface sc0 5
Interface sc0 vlan set.
Console> (enable) set interface sc0 172.20.52.124/29
Interface sc0 IP address and netmask set.
Console> (enable) show interface
sl0: flags=51<UP,POINTOPOINT,RUNNING>
        slip 0.0.0.0 dest 0.0.0.0
sc0: flags=63<UP,BROADCAST,RUNNING>
        vlan 5 inet 172.20.52.124 netmask 255.255.255.248 broadcast 172.20.52.127
Console> (enable)

Configuring Default Gateways

The supervisor engine sends IP packets destined for other IP subnets to the default gateway (typically, a router interface in the same network or subnet as the switch IP address). The switch does not use the IP routing table to forward traffic from connected devices; the switch forwards only IP traffic generated by the switch itself (for example, Telnet, TFTP, and ping).

You can define up to three default IP gateways. Use the primary keyword to make a gateway the primary gateway. If you do not specify a primary default gateway, the first gateway configured is the primary gateway. If more than one gateway is designated as primary, the last primary gateway configured is the primary default gateway.

The switch sends all off-network IP traffic to the primary default gateway. If connectivity to the primary gateway is lost, the switch attempts to use the backup gateways in the order they were configured. The switch sends periodic ping messages to determine whether each default gateway is up or down. If connectivity to the primary gateway is restored, the switch resumes sending traffic to the primary gateway.

Note   In some cases, you might want to configure static IP routes in addition to default gateways. For information on configuring static routes, see the “Configuring Static Routes” section on page 20-7.

To configure one or more default gateways, perform this task in privileged mode:

        Task                                                              Command
Step 1  Configure a default IP gateway address for the switch.            set ip route default gateway [metric] [primary]
Step 2  (Optional) Configure additional default gateways for the switch.  set ip route default gateway [metric] [primary]
Step 3  Verify that the default gateways appear correctly in the IP       show ip route
        routing table.

To remove default gateway entries, perform one of these tasks in privileged mode:

Task                                            Command
Clear an individual default gateway entry.      clear ip route default gateway
Clear all default gateways and static routes.   clear ip route all

This example shows how to configure three default gateways on the switch and how to verify the default gateway configuration:

Console> (enable) set ip route default 10.1.1.10
Route added.
Console> (enable) set ip route default 10.1.1.1 primary
Route added.
Console> (enable) set ip route default 10.1.1.20
Route added.
Console> (enable) show ip route
Fragmentation   Redirect   Unreachable
-------------   --------   -----------
enabled         enabled    enabled

The primary gateway: 10.1.1.1
Destination      Gateway          RouteMask    Flags   Use       Interface
---------------  ---------------  ----------   -----   --------  ---------
default          10.1.1.1         0x0          UG      6         sc0
default          10.1.1.20        0x0          G       0         sc0
default          10.1.1.10        0x0          G       0         sc0
10.0.0.0         10.1.1.100       0xff000000   U       75        sc0
default          default          0xff000000   UH      0         sl0
Console> (enable)

Configuring the SLIP (sl0) Interface on the Console Port

Use the SLIP (sl0) interface for point-to-point SLIP connections between the switch and an IP host. When the SLIP connection is enabled and SLIP is attached on the console port, an EIA/TIA-232 terminal cannot connect through the console port.

Caution   You must use the console port for the SLIP connection. If you are connected to the switch CLI through the console port and you enter the slip attach command, you will lose the console port connection. Use Telnet to access the switch, enter privileged mode, and enter the slip detach command to restore the console port connection.

To enable and attach SLIP on the console port, perform this task:

        Task                                                              Command
Step 1  Access the switch from a remote host with Telnet.                 telnet {host_name | ip_addr}
Step 2  Enter privileged mode on the switch.                              enable
Step 3  Set the console port SLIP address and the destination address     set interface sl0 slip_addr dest_addr
        of the attached host.
Step 4  Verify the SLIP interface configuration.                          show interface
Step 5  Enable SLIP for the console port.                                 slip attach

This example shows how to configure SLIP on the console port and verify the configuration:

sparc20% telnet 172.20.52.38
Trying 172.20.52.38 ...
Connected to 172.20.52.38.
Escape character is '^]'.

Cisco Systems, Inc. Console

Enter password:
Console> enable
Enter password:
Console> (enable) set interface sl0 10.1.1.1 10.1.1.2
Interface sl0 slip and destination address set.
Console> (enable) show interface
sl0: flags=51<UP,POINTOPOINT,RUNNING>
        slip 10.1.1.1 dest 10.1.1.2
sc0: flags=63<UP,BROADCAST,RUNNING>
        vlan 522 inet 172.20.52.38 netmask 255.255.255.240 broadcast 172.20.52.47
Console> (enable) slip attach
Console Port now running SLIP.
Console> (enable)

To disable SLIP on the console port, perform this task:

        Task                                                              Command
Step 1  Access the switch from a remote host with Telnet.                 telnet {host_name | ip_addr}
Step 2  Enter privileged mode on the switch.                              enable
Step 3  Disable SLIP for the console port.                                slip detach

This example shows how to disable SLIP on the console port:

Console> (enable) slip detach
SLIP detached on Console port.
Console> (enable)

Using BOOTP, DHCP, or RARP to Obtain an IP Address

Note   For complete information on how the switch uses BOOTP, DHCP, or RARP to obtain its IP configuration, see the “Underst
anding Automatic IP Configuration” section on page 3-ii.

The switch broadcasts DHCP and RARP requests only when the switch boots up. To use BOOTP, DHCP, or RARP to obtain an IP address for the switch, perform this task:

        Task                                                              Command
Step 1  Make sure that there is a DHCP, BOOTP, or RARP server on the      —
        network.
Step 2  Obtain the last address in the MAC address range for module 1     show module
        (the supervisor engine). This address is displayed under the
        MAC-Address(es) heading. (With DHCP, this step is necessary
        only if using the manual allocation method.)
Step 3  Add an entry for each switch in the DHCP, BOOTP, or RARP server   —
        configuration, mapping the MAC address of the switch to the IP
        configuration information for the switch. (With DHCP, this step
        is necessary only if using the manual or automatic allocation
        methods.)
Step 4  Set the sc0 interface IP address to 0.0.0.0.                      set interface sc0 0.0.0.0
Step 5  Reset the switch.                                                 reset system
Step 6  When the switch reboots, confirm that the sc0 interface IP        show interface
        address, subnet mask, and broadcast address are set correctly.
Step 7  For DHCP, confirm that other options (such as the default         show ip route
        gateway address) are set correctly.

This example shows the switch broadcasting a DHCP request, receiving a DHCP offer, and configuring the IP address and other IP parameters according to the contents of the DHCP offer:

Console> (enable)
Sending RARP request with address 00:90:0c:5a:8f:ff
Sending DHCP packet with address: 00:90:0c:5a:8f:ff
dhcpoffer
Sending DHCP packet with address: 00:90:0c:5a:8f:ff
Timezone set to '', offset from UTC is 7 hours 58 minutes
Timezone set to '', offset from UTC is 7 hours 58 minutes
172.16.25.32 added to DNS server table as primary server.
172.16.30.32 added to DNS server table as backup server.
172.16.31.32 added to DNS server table as backup server.
NTP server 172.16.25.253 added
NTP server 172.16.25.252 added
%MGMT-5-DHCP_S:Assigned IP address 172.20.25.244 from DHCP Server 172.16.25.254
Console>

Console> (enable) show interface
sl0: flags=51<UP,POINTOPOINT,RUNNING>
        slip 0.0.0.0 dest 0.0.0.0
sc0: flags=63<UP,BROADCAST,RUNNING>
        vlan 1 inet 172.20.25.244 netmask 255.255.255.0 broadcast 172.20.25.255
        dhcp server: 172.20.25.254
Console> (enable)

Renewing and Releasing a DHCP-Assigned IP Address

If you are using DHCP for IP address assignment, you can perform either of these DHCP-related tasks:
• Renew the lease on a DHCP-assigned IP address
• Release the lease on a DHCP-assigned IP address

To renew or release a DHCP-assigned IP address on the in-band (sc0) management interface, perform one of these tasks in privileged mode:

Task                                                   Command
Renew the lease on a DHCP-assigned IP address.         set interface sc0 dhcp renew
Release the lease on a DHCP-assigned IP address.       set interface sc0 dhcp release

This example shows how to renew the lease on a DHCP-assigned IP address:

Console> (enable) set interface sc0 dhcp renew
Renewing IP address...
Console> (enable) Sending DHCP packet with address: 00:90:0c:5a:8f:ff
<...output truncated...>
Console> (enable)

This example shows how to release the lease on a DHCP-assigned IP address:

Console> (enable) set interface sc0 dhcp release
Releasing IP address...
Console> (enable) Sending DHCP packet with address: 00:90:0c:5a:8f:ff
Done
Console> (enable)

C H A P T E R 4 Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching

This chapter describes how to use the command-line interface (CLI) to configure Ethernet, Fast Ethernet, and Gigabit Ethernet switching on the Catalyst 6000 family switches. The configuration tasks in this chapter apply to Ethernet, Fast Ethernet, and Gigabit Ethernet switching modules, as well as to the uplink ports on the supervisor engine.

Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:
• Understanding How Ethernet Works, page 4-i
• Default Ethernet, Fast Ethernet, and Gigabit Ethernet Configuration, page 4-iii
• Setting the Port Configuration, page 4-iv

Understanding How Ethernet Works

Catalyst 6000 family switches support simultaneous, parallel connections between Ethernet segments. Switched connections between Ethernet segments last only for the duration of the packet. New connections can be made between different segments for the next packet.

Catalyst 6000 family switches solve congestion problems caused by high-bandwidth devices and a large number of users by assigning each device (for example, a server) to its own 10-, 100-, or 1000-Mbps segment. Because each Ethernet port on the switch represents a separate Ethernet segment, servers in a properly configured switched environment achieve full access to the bandwidth.

Because collisions are a major bottleneck in Ethernet networks, an effective solution is full-duplex communication. Normally, Ethernet operates in half-duplex mode, which means that stations can either receive or transmit. In full-duplex mode, which is an option for any 10- or 100-Mbps port on a Catalyst 6000 family switch (Gigabit Ethernet ports are always full duplex), two stations can transmit and receive at the same time. When packets can flow in both directions simultaneously, effective Ethernet bandwidth doubles to 20 Mbps for 10-Mbps ports and to 200 Mbps for Fast Ethernet ports. Gigabit Ethernet ports on Catalyst 6000 family switches are full duplex only (2-Gbps effective bandwidth).

These sections describe Ethernet:
• Switching Frames Between Segments, page 4-ii
• Building the Address Table, page 4-ii
• Understanding How Port Negotiation Works, page 4-ii

Switching Frames Between Segments

Each Ethernet port on a Catalyst 6000 family switch can connect to a single workstation or server, or to a hub through which workstations or servers connect to the network.

Ports on a typical Ethernet hub all connect to a common backplane within the hub, and the bandwidth of the network is shared by all devices attached to the hub. If two stations establish a session that uses a significant level of bandwidth, the network performance of all other stations attached to the hub is degraded.

To reduce degradation, the switch treats each port as an individual segment. When stations on different ports need to communicate, the switch forwards frames from one port to the other at wire speed to ensure that each session receives full bandwidth.

Building the Address Table

Catalyst 6000 family switches build the address table by using the source address of the frames received. When a frame enters the switch, it associates the MAC address of the sending station with the port on which it was received.

To switch frames between ports efficiently, the switch maintains an address table. When the switch receives a frame for a destination address not listed in its address table, it floods the frame to all ports of the same VLAN except the port that received the frame. When the destination station replies, the switch adds its relevant source address and port ID to the address table. The switch then forwards subsequent frames to a single port without flooding to all ports.

The switch uses an aging mechanism, defined by a configurable aging timer, so if an address remains inactive for a specified number of seconds, it is removed from the address table. The address table can store at least 32K address entries without flooding any entries.

Understanding How Port Negotiation Works

Note Port negotiation does not involve negotiating port speed.

Port negotiation exchanges flow-control parameters, remote fault information, and duplex information. Port negotiation is enabled by default. The ports on both ends of a link must have the same setting. The link will not come up if the ports at each end of the link are set inconsistently (port negotiation enabled on one port and disabled on the other).

Configure port negotiation with the set port negotiation command. You cannot disable port negotiation with the set port speed command.

Table 4-1 shows the four possible port negotiation configurations and the resulting link status for each configuration.

Table 4-1 Port Negotiation Configuration and Possible Link Status

Port Negotiation State            Link Status
Near End (1)   Far End (2)        Near End   Far End
Off            Off                Up         Up
On             On                 Up         Up
Off            On                 Up         Down
On             Off                Down       Up

1. Near End refers to the local port.
2. Far End refers to the port at the other end of the link.

Default Ethernet, Fast Ethernet, and Gigabit Ethernet Configuration

Table 4-2 shows the Ethernet, Fast Ethernet, and Gigabit Ethernet default configuration.

Table 4-2 Ethernet Default Configuration

Feature                          Default Value
Port enable state                All ports are enabled
Port name                        None
Duplex mode                      • Half duplex for 10-Mbps Ethernet ports
                                 • Autonegotiate speed and duplex for 10/100-Mbps Fast Ethernet ports
                                 • Autonegotiate duplex for 100-Mbps Fast Ethernet ports
                                 • Full duplex for 1000-Mbps Gigabit Ethernet ports
Flow control (Gigabit Ethernet)  Flow control set to off for receive (Rx) and desired for transmit (Tx)
Flow control (other Ethernet)    Flow control set to off for receive (Rx), transmit (Tx) not supported
Spanning Tree Protocol (STP)     Enabled for VLAN 1
Native VLAN                      VLAN 1
Port VLAN cost                   • Port VLAN cost of 100 for 10-Mbps Ethernet ports
                                 • Port VLAN cost of 19 for 10/100-Mbps Fast Ethernet ports
                                 • Port VLAN cost of 19 for 100-Mbps Fast Ethernet ports
                                 • Port VLAN cost of 4 for 1000-Mbps Gigabit Ethernet ports
EtherChannel                     Disabled on all Ethernet ports
Jumbo frames                     Disabled on all Ethernet ports

Setting the Port Configuration

These sections describe how to configure Ethernet, Fast Ethernet, and Gigabit Ethernet switching on the Catalyst 6000 family switches:
• Setting the Port Name, page 4-iv
• Setting the Port Speed, page 4-v
• Setting the Port Duplex Mode, page 4-v
• Configuring IEEE 802.3Z Flow Control, page 4-vi
• Enabling and Disabling Port Negotiation, page 4-vii
• Changing the Default Port Enable State, page 4-vii
• Setting the Port Debounce Timer, page 4-viii
• Configuring a Timeout Period for Ports in errdisable State, page 4-ix
• Configuring the Jumbo Frame Feature, page 4-xi
• Checking Connectivity, page 4-xiii

Setting the Port Name

You can set port names on Ethernet, Fast Ethernet, and Gigabit Ethernet switching modules to facilitate switch administration.

To set the port name, perform this task in privileged mode:

Task                                          Command
Step 1  Set a port name.                      set port name mod/port [name_string]
Step 2  Verify the port name is configured.   show port [mod[/port]]

This example shows how to set the name for ports 1/1 and 1/2 and how to verify that the port names are configured correctly:

Console> (enable) set port name 1/1 Router Connection
Port 1/1 name set.
Console> (enable) set port name 1/2 Server Link
Port 1/2 name set.
Console> (enable) show port 1
Port  Name               Status     Vlan       Duplex Speed Type
----- ------------------ ---------- ---------- ------ ----- ------------
 1/1  Router Connection  connected  trunk      full   1000  1000BaseSX
 1/2  Server Link        connected  trunk      full   1000  1000BaseSX
<...output truncated...>
Last-Time-Cleared
--------------------------
Wed Jun 16 1999, 16:25:57
Console> (enable)

Setting the Port Speed

You can configure the port speed on 10/100-Mbps Ethernet switching modules. Use the auto keyword to autonegotiate the port’s speed and duplex mode with the neighboring port.

Note If the port speed is set to auto on a 10/100-Mbps Ethernet port, both speed and duplex are autonegotiated.

To set the port speed for a 10/100-Mbps port, perform this task in privileged mode:

Task                                                              Command
Step 1  Set the port speed of a 10/100-Mbps Fast Ethernet port.   set port speed mod/port {10 | 100 | auto}
Step 2  Verify that the speed of the port is configured correctly. show port [mod[/port]]

This example shows how to set the port speed to 100 Mbps on port 2/2:

Console> (enable) set port speed 2/2 100
Port 2/2 speed set to 100 Mbps.
Console> (enable)

This example shows how to make port 2/1 autonegotiate speed and duplex with the neighboring port:

Console> (enable) set port speed 2/1 auto
Port 2/1 speed set to auto-sensing mode.
Console> (enable)

Setting the Port Duplex Mode

You can set the port duplex mode to full or half duplex for Ethernet and Fast Ethernet ports.

Note If the port speed is set to auto on a 10/100-Mbps Ethernet port, both speed and duplex are autonegotiated. You cannot change the duplex mode of autonegotiation ports.

Note Gigabit Ethernet is full duplex only. You cannot change the duplex mode on Gigabit Ethernet ports.

To set the duplex mode of a port, perform this task in privileged mode:

Task                                                                    Command
Step 1  Set the duplex mode of a port.                                  set port duplex mod/port {full | half}
Step 2  Verify that the duplex mode of the port is configured correctly. show port [mod[/port]]

This example shows how to set the duplex mode to half duplex on port 2/1:

Console> (enable) set port duplex 2/1 half
Port 2/1 set to half-duplex.
Console> (enable)

Configuring IEEE 802.3Z Flow Control

Gigabit Ethernet ports on the Catalyst 6000 family switches use flow control to inhibit the transmission of packets to the port for a period of time; other Ethernet ports use flow control to respond to flow-control requests.

If a Gigabit Ethernet port receive buffer becomes full, the port transmits a “pause” packet that tells remote ports to delay sending more packets for a specified period of time. All Ethernet ports (1000 Mbps, 100 Mbps, and 10 Mbps) can receive and act upon “pause” packets from other devices.

Enter the set port flowcontrol command to configure flow control on ports. Table 4-3 lists the set port flowcontrol command keywords and describes their functions.

Table 4-3 Ethernet Flow Control Keyword Functions

Keywords          Function
receive on        The port uses flow control dictated by the neighboring port.
receive desired   The port uses flow control if the neighboring port uses it and does not use flow control if the neighboring port does not use it.
receive off       The port does not use flow control, regardless of whether flow control is requested by the neighboring port.
send on (1)       The port sends flow-control frames to the neighboring port.
send desired (1)  The port sends flow-control frames to the port if the neighboring port asks to use flow control.
send off (1)      The port does not send flow-control frames to the neighboring port.

1. Supported only on Gigabit Ethernet ports.

To configure flow control, perform this task in privileged mode:

Task                                        Command
Step 1  Set the flow-control parameters.    set port flowcontrol mod/port {receive | send} {off | on | desired}
Step 2  Verify the flow-control configuration. show port flowcontrol

This example shows how to turn transmit and receive flow control on and how to verify the flow-control configuration:

Console> (enable) set port flowcontrol 3/1 send on
Port 3/1 will send flowcontrol to far end.
Console> (enable) set port flowcontrol 3/1 receive on
Port 3/1 will require far end to send flow control.

Console> (enable) show port flowcontrol
Port  Send-Flowcontrol    Receive-Flowcntl    RxPause  TxPause
      Admin    Oper       Admin    Oper
----- -------- ---------- -------- ---------- -------- --------
 3/1  on       disagree   on       disagree   0        0
 3/2  off      off        off      off        0        0
 3/3  desired  on         desired  off        10       10
Console> (enable)

Enabling and Disabling Port Negotiation

To enable port negotiation, perform this task in privileged mode:

Task                                              Command
Step 1  Enable port negotiation.                  set port negotiation mod/port enable
Step 2  Verify the port negotiation configuration. show port negotiation [mod/port]

This example shows how to enable port negotiation and verify the configuration:

Console> (enable) set port negotiation 2/1 enable
Port 2/1 negotiation enabled
Console> (enable) show port negotiation 2/1
Port  Link Negotiation
----- ----------------
 2/1  enabled
Console> (enable)

To disable port negotiation, perform this task in privileged mode:

Task                                              Command
Step 1  Disable port negotiation.                 set port negotiation mod/port disable
Step 2  Verify the port negotiation configuration. show port negotiation [mod/port]

This example shows how to disable port negotiation and verify the configuration:

Console> (enable) set port negotiation 2/1 disable
Port 2/1 negotiation disabled
Console> (enable) show port negotiation 2/1
Port  Link Negotiation
----- ----------------
 2/1  disabled
Console> (enable)

Changing the Default Port Enable State

Note Changing the default port enable state applies to all port types, not just Ethernet.

Note This feature is not supported on systems that do not have a chassis ID PROM.

When you enter the clear config all command or in the event of a configuration loss, all ports collapse into VLAN 1. This might cause a security and network instability problem. Entering the set default portstatus command puts all ports into a disable state and blocks the traffic flowing through the ports during a configuration loss. You can then manually configure the ports back to the enable state.

The default port status configuration is stored on the chassis. This means it is tied to a chassis and not the supervisor engine. The clear config all command uses this setting to determine whether ports should be enabled or disabled when returning to default configuration. The clear config all command does not change the default port status setting on the chassis. The output of the show config command shows the current default port status configuration.

To change the port enable state, perform this task in privileged mode:

Task                                   Command
Step 1  Change the port enable state.  set default portstatus {enable | disable}
Step 2  Display the port enable state. show default

This example shows how to change the default port enable state from enabled to disabled:

Console> (enable) set default portstatus disable
Default port status set to disable.
Console> (enable)

This example shows how to display the port enable state:

Console> (enable) show default
portstatus: disable
Console> (enable)

Setting the Port Debounce Timer

You can set the port debounce timer on a per-port basis for Ethernet, Fast Ethernet, and Gigabit Ethernet ports. When you set the port debounce timer, the switch delays notifying the main processor of a link change, which can decrease traffic loss due to a network outage.

Caution Enabling the port debounce timer causes link up and link down detections to be delayed, resulting in loss of data traffic during the debouncing period. This situation might affect the convergence and reconvergence of various Layer 2 and Layer 3 protocols.

Table 4-4 lists the time delay that occurs before the switch notifies the main processor of a link change, before and after the debounce timer is enabled.

Table 4-4 Port Debounce Timer Delay Time

Port Type                 Debounce Timer Disabled   Debounce Timer Enabled
10BASE-FL ports           300 milliseconds          3100 milliseconds
10/100BASE-TX ports       300 milliseconds          3100 milliseconds
100BASE-FX ports          300 milliseconds          3100 milliseconds
10/100/1000BASE-TX ports  300 milliseconds          3100 milliseconds
1000BASE-TX ports         300 milliseconds          3100 milliseconds
1000BASE-FX ports         10 milliseconds           100 milliseconds

To set the debounce timer on a port, perform this task in privileged mode:

Task                                                                  Command
Step 1  Enable the debounce timer for a port.                         set port debounce mod_num/port_num {enable | disable}
Step 2  Verify that the debounce timer of the port is configured correctly. show port debounce [mod | mod_num/port_num]

This example shows how to enable the debounce timer on port 2/1:

Console> (enable) set port debounce 2/1 enable
Link debounce enabled on port 2/1
Console> (enable)

This example shows how to display the per-port debounce timer settings:

Console> (enable) show port debounce
Port   Link debounce
-----  -------------
 2/1   enable
 2/2   disable
Console> (enable)

Configuring a Timeout Period for Ports in errdisable State

A port is in errdisable state if it is enabled in NVRAM, but is disabled at runtime by any process. For example, if UniDirectional Link Detection (UDLD) detects a unidirectional link, the port shuts down at runtime. However, because the NVRAM configuration for the port is enabled (you have not disabled the port), the port status is shown as errdisable. Once a port is in the errdisable state, you have to reenable it manually. The errdisable timeout feature allows you to configure a timeout period for ports in errdisable state; the ports are reenabled automatically, eliminating the need to reenable all the errdisabled ports manually.

A port enters errdisable state for the following reasons (these reasons appear as configuration options with the set errdisable-timeout enable command):
• Channel misconfiguration
• Duplex mismatch
• BPDU port-guard
• UDLD
• Other (reasons other than the above)
• All (apply errdisable timeout to all reasons)

You can enable or disable errdisable timeout for each of the above listed reasons. The ports in errdisable state for reasons other than the first four reasons are considered “other.” If you specify “other,” all ports errdisabled by causes other than the first four reasons are enabled for errdisable timeout. If you specify “all,” all ports errdisabled for any reason are enabled for errdisable timeout.

The errdisable feature is disabled by default. The default interval for enabling a port is 300 seconds. The allowable interval range is 30 to 86400 seconds (30 seconds to 24 hours).

This example shows how to enable errdisable timeout for BPDU guard causes:

Console> (enable) set errdisable-timeout enable bpdu-guard
Successfully enabled errdisable-timeout for bpdu-guard.
Console> (enable)

This example shows how to enable errdisable timeout for all causes:

Console> (enable) set errdisable-timeout enable all
Successfully enabled errdisable-timeout for all.
Console> (enable)

This example shows how to set the errdisable timeout interval to 450 seconds:

Console> (enable) set errdisable-timeout interval 450
Successfully set errdisable timeout to 450 seconds.
Console> (enable)

This example shows how to display the errdisable timeout configuration:

Console> (enable) show errdisable-timeout
ErrDisable Reason    Timeout Status
-------------------  --------------
bpdu-guard           Enable
channel-misconfig    Disable
duplex-mismatch      Enable
udld                 Enable
other                Disable

Interval: 300 seconds

Ports that will be enabled at the next timeout:

Port   ErrDisable Reason
-----  -----------------
 3/1   udld
 3/8   bpdu-guard
 6/5   udld
 7/24  duplex-mismatch
Console> (enable)

Configuring the Jumbo Frame Feature

These sections describe the jumbo frame feature:
• Configuring the Jumbo Frame Feature on the Supervisor Engine, page 4-xi
• Configuring the Jumbo Frame Feature on MSFC2, page 4-xii

Configuring the Jumbo Frame Feature on the Supervisor Engine

When you enable the jumbo frame feature on a port, the port can switch large (or jumbo) frames. This feature is useful in optimizing server-to-server performance. The default maximum transmission unit (MTU) frame size is 1548 bytes for all Ethernet ports. By enabling the jumbo frame feature on a port, the MTU size is increased to 9216 bytes.

Note Occasionally, you might see a “Jumbo frames inconsistent state” message for a port or multiple ports after entering the show port jumbo command. If this occurs, enter the set port jumbo command to reenable the ports.

To enable the jumbo frame feature on a per-port basis, follow these guidelines:

• The jumbo frames feature is supported on the following:
  – Ethernet ports

    Note The following modules only support a maximum of 8092 bytes: WS-X6148-RJ-45V, WS-X6148-RJ21V, WS-X6248-RJ-45, WS-X6248-TEL, WS-X6248A-RJ-45, WS-X6248A-TEL, WS-X6348-RJ-45, WS-X6348-RJ45V, WS-X6348-RJ-21, and WS-X6348-RJ21V. The WS-X6548-RJ-21 and WS-X6548-RJ-45 modules use different hardware at the PHY level and support the full jumbo frame default value of 9216 bytes.

    Note The WS-X6516-GE-TX (10/100/1000) module only supports a maximum of 8092 bytes at the 100 Mbps speed. At 10 Mbps and 1000 Mbps the module supports the jumbo frame default of 9216 bytes.

  – Trunk ports
  – EtherChannels
• Jumbo frames are supported on all Optical Services Modules (OSMs).
• Jumbo frames are not supported on ATM modules (WS-X6101-OC12-SMF/MMF).
• The Multilayer Switching Feature Card (MSFC) and Multilayer Switch Module (MSM) do not support jumbo frame routing; if jumbo frames are sent to these routers, router performance is significantly degraded.
• The Multilayer Switching Feature Card 2 (MSFC2) supports routing of jumbo frames.
• The Gigabit Switch Router (GSR) supports routing of jumbo frames.

To enable the jumbo frames feature on an Ethernet port, perform this task in privileged mode:

Task                                   Command
Step 1  Enable jumbo frames.           set port jumbo mod/port enable
Step 2  Verify the port configuration. show port jumbo

This example shows how to enable the jumbo frames feature on a port and verify the configuration:

Console> (enable) set port jumbo 2/1 enable
Jumbo frames enabled on port 2/1
Console> (enable) show port jumbo
Jumbo frames MTU size is 9216 bytes
Jumbo frames enabled on port(s) 2/1

To disable the jumbo frames feature on an Ethernet port, perform this task in privileged mode:

Task                                   Command
Step 1  Disable jumbo frames.          set port jumbo mod/port disable
Step 2  Verify the port configuration. show port jumbo

This example shows how to disable the jumbo frames feature on a port:

Console> (enable) set port jumbo 2/1 disable
Jumbo frames disabled on port 2/1
Console> (enable)

Configuring the Jumbo Frame Feature on MSFC2

With an MSFC2, you can configure the MTU size on VLAN interfaces to support routing of jumbo frames. The jumbo frame feature supports only a single larger-than-default MTU size on the switch. Configuring a VLAN interface with an MTU size greater than the default automatically configures all other VLAN interfaces that have an MTU size greater than the default to the newly configured size. VLAN interfaces that have not been changed from the default are not affected.

To configure the MTU value, perform this task:

Task                                               Command
Step 1  Access VLAN interface configuration mode.  Router(config)# interface vlan vlan_ID
Step 2  Set the MTU size. (1)                      Router(config-if)# mtu mtu_size
Step 3  Verify the configuration.                  Router# show interface vlan 111

1. Valid values are from 64 to 17952 bytes. Set the MTU size no larger than 9216, which is the size supported by the supervisor engine.

This example shows how to set the MTU size on a VLAN interface and verify the configuration:

Router(config)# interface vlan 111
Router(config-if)# mtu 9216
Router(config-if)# end
Router# show interface vlan 111
<...Output Truncated...>
MTU 9216 bytes, BW 1000000 Kbit, DLY 10 usec,
<...Output Truncated...>
Router#

Checking Connectivity

Use the ping and traceroute commands to test connectivity. To check connectivity out a port, perform this task in privileged mode:

Task                                                                        Command
Step 1  Ping a remote host that is located out the port you want to test.  ping [-s] host [packet_size] [packet_count]
Step 2  Trace the hop-by-hop route of packets from the switch to a remote  traceroute host
        host located out the port you want to test.
Step 3  If the host is unresponsive, check the IP address and default      show interface
        gateway configured on the switch.                                  show ip route

This example shows how to ping a remote host and how to trace the hop-by-hop path of packets through the network using traceroute:

Console> (enable) ping somehost
somehost is alive
Console> (enable) traceroute somehost
traceroute to somehost.company.com (10.1.2.3), 30 hops max, 40 byte packets
 1  engineering-1.company.com (173.31.192.206)  2 ms  1 ms  1 ms
 2  engineering-2.company.com (173.31.196.204)  2 ms  3 ms  2 ms
 3  gateway_a.company.com (173.16.1.201)  6 ms  3 ms  3 ms
 4  somehost.company.com (10.1.2.3)  3 ms  *  2 ms
Console> (enable)


C H A P T E R 5 Configuring Ethernet VLAN Trunks

This chapter describes how to configure Ethernet VLAN trunks on the Catalyst 6000 family switches.

Note For complete information on configuring VLANs, see Chapter 11, “Configuring VLANs.”

Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:
• Understanding How VLAN Trunks Work, page 5-i
• Default Trunk Configuration, page 5-v
• Configuring a Trunk Link, page 5-v
• Example VLAN Trunk Configurations, page 5-ix
• Disabling VLAN 1 on Trunks, page 5-xxiv

Understanding How VLAN Trunks Work

These sections describe how VLAN trunks work on the Catalyst 6000 family switches:
• Trunking Overview, page 5-i
• Trunking Modes and Encapsulation Types, page 5-ii
• 802.1Q Trunk Restrictions, page 5-iv

Trunking Overview

A trunk is a point-to-point link between one or more Ethernet switch ports and another networking device such as a router or a switch. Trunks carry the traffic of multiple VLANs over a single link and allow you to extend VLANs across an entire network.

Two trunking encapsulations are available on all Ethernet ports:
• Inter-Switch Link (ISL)—ISL is a Cisco-proprietary trunking encapsulation
• IEEE 802.1Q—802.1Q is an industry-standard trunking encapsulation

You can configure a trunk on a single Ethernet port or on an EtherChannel bundle. For more information about EtherChannel, see Chapter 6, “Configuring EtherChannel.”

Ethernet trunk ports support five different trunking modes (see Table 5-1). In addition, you can specify whether the trunk will use ISL encapsulation, 802.1Q encapsulation, or whether the encapsulation type will be autonegotiated.

Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP). DTP supports autonegotiation of both ISL and 802.1Q trunks.

Trunking Modes and Encapsulation Types

Table 5-1 lists the trunking modes used with the set trunk command and describes how they function on Fast Ethernet and Gigabit Ethernet ports.

Table 5-1 Ethernet Trunking Modes

Mode         Function
on           Puts the port into permanent trunking mode and negotiates to convert the link into a trunk link. The port becomes a trunk port even if the neighboring port does not agree to the change.
off          Puts the port into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The port becomes a nontrunk port even if the neighboring port does not agree to the change.
desirable    Makes the port actively attempt to convert the link to a trunk link. The port becomes a trunk port if the neighboring port is set to on, desirable, or auto mode.
auto         Makes the port willing to convert the link to a trunk link. The port becomes a trunk port if the neighboring port is set to on or desirable mode. This is the default mode for all Ethernet ports.
nonegotiate  Puts the port into permanent trunking mode but prevents the port from generating DTP frames. You must configure the neighboring port manually as a trunk port to establish a trunk link.

Table 5-2 lists the encapsulation types used with the set trunk command and describes how they function on Ethernet ports.

Table 5-2 Ethernet Trunk Encapsulation Types

Encapsulation  Function
isl            Specifies ISL encapsulation on the trunk link.
dot1q          Specifies 802.1Q encapsulation on the trunk link.
negotiate      Specifies that the port negotiate with the neighboring port to become an ISL (preferred) or 802.1Q trunk, depending on the configuration and capabilities of the neighboring port.

You can use the show port capabilities command to determine which encapsulation types a particular port supports.

Note For trunking to be autonegotiated, the ports must be in the same VLAN Trunking Protocol (VTP) domain. However, you can use the on or nonegotiate mode to force a port to become a trunk, even if it is in a different domain. For more information on VTP domains, see Chapter 10, “Configuring VTP.”

The trunking mode, the trunk encapsulation type, and the hardware capabilities of the two connected ports determine whether a trunk link comes up and the type of trunk the link becomes. Table 5-3 shows the result of the possible trunking configurations.

Table 5-3  Results of Possible Fast Ethernet and Gigabit Ethernet Trunk Configurations

Each cell shows the result for the local port / the neighbor port. Abbreviations: "non" = nontrunk, "ISL" = ISL trunk, "1Q" = 802.1Q trunk, "des" = desirable, "neg" = negotiate. The "off" row and column apply to either isl or dot1q encapsulation.

Neighbor port        Local port trunk mode and trunk encapsulation
mode and encap.      off        on isl     des isl    auto isl   on dot1q   des dot1q  auto dot1q des neg    auto neg
-------------------  ---------  ---------  ---------  ---------  ---------  ---------  ---------  ---------  ---------
off                  non/non    ISL/non    non/non    non/non    1Q/non     non/non    non/non    non/non    non/non
on isl               non/ISL    ISL/ISL    ISL/ISL    ISL/ISL    1Q/ISL(1)  non/ISL    non/ISL    ISL/ISL    ISL/ISL
des isl              non/non    ISL/ISL    ISL/ISL    ISL/ISL    1Q/non     non/non    non/non    ISL/ISL    ISL/ISL
auto isl             non/non    ISL/ISL    ISL/ISL    non/non    1Q/non     non/non    non/non    ISL/ISL    non/non
on dot1q             non/1Q     ISL/1Q(1)  non/1Q     non/1Q     1Q/1Q      1Q/1Q      1Q/1Q      1Q/1Q      1Q/1Q
des dot1q            non/non    ISL/non    non/non    non/non    1Q/1Q      1Q/1Q      1Q/1Q      1Q/1Q      1Q/1Q
auto dot1q           non/non    ISL/non    non/non    non/non    1Q/1Q      1Q/1Q      non/non    1Q/1Q      non/non
des neg              non/non    ISL/ISL    ISL/ISL    ISL/ISL    1Q/1Q      1Q/1Q      1Q/1Q      ISL/ISL    ISL/ISL
auto neg             non/non    ISL/ISL    ISL/ISL    non/non    1Q/1Q      1Q/1Q      non/non    ISL/ISL    non/non

1. Using this configuration can result in spanning tree loops and is not recommended.
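The rules behind Table 5-3 reduce to a few lines, and the factory default is the case worth checking: a port left at auto/negotiate (Table 5-4) stays a nontrunk only while its neighbor is equally passive, and becomes an ISL trunk carrying every VLAN the moment the device on the other end sends DTP in desirable or on mode. The Python below is an added example, not Cisco code or CatOS output. It encodes the mode and encapsulation rules of Tables 5-1 and 5-2 as a function, transcribes Table 5-3, and checks that the function reproduces every cell. How nonegotiate behaves is an assumption taken from its description in Table 5-1 (it is not a row or column of Table 5-3).

```python
"""Model of the DTP outcomes in Table 5-3 (added example, not Cisco code)."""

NONTRUNK, ISL, DOT1Q = "Nontrunk", "ISL trunk", "1Q trunk"
MODES = ("on", "off", "desirable", "auto", "nonegotiate")
ENCAPS = ("isl", "dot1q", "negotiate")


def _resolve_encap(mine, peer):
    """Encapsulation two negotiating ports settle on, or None if they cannot.
    Both set to negotiate gives ISL, the preferred type (Table 5-2)."""
    if mine == "negotiate" and peer == "negotiate":
        return "isl"
    if mine == "negotiate":
        return peer
    if peer == "negotiate":
        return mine
    return mine if mine == peer else None


def port_state(my_mode, my_encap, peer_mode, peer_encap):
    """State one end of the link ends up in, given both ends' set trunk settings."""
    for value, allowed in ((my_mode, MODES), (peer_mode, MODES),
                           (my_encap, ENCAPS), (peer_encap, ENCAPS)):
        if value not in allowed:
            raise ValueError("unknown trunk setting %r" % (value,))
    if my_mode == "off":
        return NONTRUNK                  # permanent nontrunking (Table 5-1)
    if my_mode in ("on", "nonegotiate"):
        # Permanent trunking mode: this end trunks whatever the neighbor does.
        # Assumption: a fixed encapsulation is required here; Table 5-3 has no
        # 'on negotiate' column and nonegotiate sends nothing to negotiate with.
        if my_encap == "negotiate":
            raise ValueError("on/nonegotiate needs isl or dot1q in this model")
        return ISL if my_encap == "isl" else DOT1Q
    # desirable or auto: this end trunks only if DTP with the neighbor succeeds
    if peer_mode in ("off", "nonegotiate"):
        return NONTRUNK                  # off refuses; nonegotiate sends no DTP
    if my_mode == "auto" and peer_mode == "auto":
        return NONTRUNK                  # nobody initiates: the default on both ends
    encap = _resolve_encap(my_encap, peer_encap)
    if encap is None:
        return NONTRUNK                  # fixed isl against fixed dot1q
    return ISL if encap == "isl" else DOT1Q


def negotiate(local, neighbor):
    """(mode, encap) for each end -> (local state, neighbor state)."""
    return (port_state(*local, *neighbor), port_state(*neighbor, *local))


# Table 5-3 transcribed. COLUMNS are the local port settings in table order;
# each row is one neighbor setting with the local results and then the
# neighbor results as strings of N (nontrunk), I (ISL trunk), Q (1Q trunk).
COLUMNS = (("off", "isl"), ("on", "isl"), ("desirable", "isl"), ("auto", "isl"),
           ("on", "dot1q"), ("desirable", "dot1q"), ("auto", "dot1q"),
           ("desirable", "negotiate"), ("auto", "negotiate"))
TABLE_5_3 = {
    ("off", "isl"):             ("NINNQNNNN", "NNNNNNNNN"),
    ("on", "isl"):              ("NIIIQNNII", "IIIIIIIII"),
    ("desirable", "isl"):       ("NIIIQNNII", "NIIINNNII"),
    ("auto", "isl"):            ("NIINQNNIN", "NIINNNNIN"),
    ("on", "dot1q"):            ("NINNQQQQQ", "QQQQQQQQQ"),
    ("desirable", "dot1q"):     ("NINNQQQQQ", "NNNNQQQQQ"),
    ("auto", "dot1q"):          ("NINNQQNQN", "NNNNQQNQN"),
    ("desirable", "negotiate"): ("NIIIQQQII", "NIIIQQQII"),
    ("auto", "negotiate"):      ("NIINQQNIN", "NIINQQNIN"),
}
_CODE = {"N": NONTRUNK, "I": ISL, "Q": DOT1Q}


def mismatches_against_table():
    """Cells where the model and Table 5-3 disagree; an empty list means none."""
    bad = []
    for neighbor, (local_row, neighbor_row) in TABLE_5_3.items():
        for local, lc, nc in zip(COLUMNS, local_row, neighbor_row):
            want = (_CODE[lc], _CODE[nc])
            got = negotiate(local, neighbor)
            if got != want:
                bad.append((local, neighbor, got, want))
    return bad


def one_sided_trunks():
    """Settings where the two ends disagree (one trunks, or the types differ):
    the footnote-1 cases plus every 'on' port whose neighbor does not follow."""
    return [(local, neighbor) + negotiate(local, neighbor)
            for local in COLUMNS for neighbor in TABLE_5_3
            if negotiate(local, neighbor)[0] != negotiate(local, neighbor)[1]]


if __name__ == "__main__":
    print("model matches Table 5-3:", not mismatches_against_table())
    print("default on both ends:", negotiate(("auto", "negotiate"), ("auto", "negotiate")))
    print("default facing 'desirable':", negotiate(("auto", "negotiate"), ("desirable", "negotiate")))
    for row in one_sided_trunks():
        print("one-sided:", row)
```

The one_sided_trunks() list is the set of configurations a practitioner should not accept on a production link: every entry is either a footnote-1 mismatch or an on-mode port trunking toward a neighbor that is not trunking back.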

Note  DTP is a point-to-point protocol. However, some internetworking devices might forward DTP frames improperly. To avoid this problem, ensure that trunking is turned off on ports connected to non-switch devices if you do not intend to trunk across those links. When manually enabling trunking on a link to a Cisco router, use the nonegotiate keyword to cause the port to become a trunk but not generate DTP frames.

802.1Q Trunk Restrictions

802.1Q trunks impose some limitations on the trunking strategy for a network. Note these restrictions when using 802.1Q trunks:

• When connecting Cisco switches through an 802.1Q trunk, make sure the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk is different from the native VLAN on the other end, spanning tree loops might result.

• Disabling spanning tree on the native VLAN of an 802.1Q trunk without disabling spanning tree on every VLAN in the network can cause spanning tree loops. We recommend that you leave spanning tree enabled on the native VLAN of an 802.1Q trunk. If this is not possible, disable spanning tree on every VLAN in the network. Make sure your network is free of physical loops before disabling spanning tree.

• When you connect two Cisco switches through 802.1Q trunks, the switches exchange spanning tree BPDUs on each VLAN allowed on the trunks. The BPDUs on the native VLAN of the trunk are sent untagged to the reserved IEEE 802.1D spanning tree multicast MAC address (01-80-C2-00-00-00). The BPDUs on all other VLANs on the trunk are sent tagged to the reserved Cisco Shared Spanning Tree (SSTP) multicast MAC address (01-00-0C-CC-CC-CD).

• Non-Cisco 802.1Q switches maintain only a single instance of spanning tree (the Mono Spanning Tree, or MST) that defines the spanning-tree topology for all VLANs. When you connect a Cisco switch to a non-Cisco switch through an 802.1Q trunk, the MST of the non-Cisco switch and the native VLAN spanning tree of the Cisco switch combine to form a single spanning-tree topology known as the Common Spanning Tree (CST).

• When you connect a Cisco switch to a non-Cisco switch, the CST is always on VLAN 1. The Cisco switch sends an untagged IEEE BPDU (01-80-C2-00-00-00) on VLAN 1 for the CST. On the native VLAN, the Cisco switch also sends an untagged Cisco SSTP BPDU (01-00-0C-CC-CC-CD), which the non-Cisco switch forwards but does not act on (the IEEE BPDU is not forwarded on the native VLAN).

• Because Cisco switches transmit BPDUs to the SSTP multicast MAC address on VLANs other than the native VLAN of the trunk, non-Cisco switches do not recognize these frames as BPDUs and flood them on all ports in the corresponding VLAN. Other Cisco switches connected to the non-Cisco 802.1Q cloud receive these flooded BPDUs. This allows Cisco switches to maintain a per-VLAN spanning tree topology across a cloud of non-Cisco 802.1Q switches. The non-Cisco 802.1Q cloud separating the Cisco switches is treated as a single broadcast segment between all switches connected to the non-Cisco 802.1Q cloud through 802.1Q trunks.

• Make certain that the native VLAN is the same on ALL of the 802.1Q trunks connecting the Cisco switches to the non-Cisco 802.1Q cloud.

• If you are connecting multiple Cisco switches to a non-Cisco 802.1Q cloud, all of the connections MUST be through 802.1Q trunks. You CANNOT connect Cisco switches to a non-Cisco 802.1Q cloud through ISL trunks or through access ports. Doing so causes the switch to place the ISL trunk port or access port into the spanning tree "port inconsistent" state, and no traffic passes through the port.
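Two of the rules above can be checked from show trunk output instead of by inspection: the native VLAN must match on both ends of every 802.1Q trunk, and ports that face non-switch devices should have trunking turned off rather than left in a DTP-negotiating mode. The Python below is an added example, not Cisco code. The two show trunk captures, the cabling map LINKS and the EDGE_PORTS list are constructed for the example (a real audit would take the last two from inventory); the parser reads only the first block of show trunk (Port, Mode, Encapsulation, Status, Native vlan) and assumes that layout.

```python
"""Audit CatOS 'show trunk' output against two 802.1Q trunk restrictions.

Added example, not Cisco code. Parses the first block of 'show trunk'
(Port, Mode, Encapsulation, Status, Native vlan) and reports
  * links whose two ends are 802.1Q trunks with different native VLANs, and
  * ports facing non-switch devices that are still in a DTP-negotiating mode.
SWITCH_A, SWITCH_B, LINKS and EDGE_PORTS are constructed for the example.
"""
import re

# One row of the mode/status block. Allowed-VLAN rows have two fields and do
# not match; header and separator lines do not start with mod/port.
_ROW = re.compile(r"^\s*(\d+/\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_show_trunk(text):
    """Return {port: {"mode", "encap", "status", "native"}} for each port listed."""
    trunks = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            port, mode, encap, status, native = m.groups()
            trunks[port] = {"mode": mode, "encap": encap,
                            "status": status, "native": int(native)}
    return trunks


def native_vlan_mismatches(local, remote, links):
    """links: [(local_port, remote_port)] cables between the two switches.
    Returns (local_port, remote_port, local_native, remote_native) for every
    link on which both ends are 802.1Q trunks whose native VLANs differ."""
    found = []
    for lp, rp in links:
        a, b = local.get(lp), remote.get(rp)
        if a is None or b is None:
            continue
        both_trunking = a["status"] == "trunking" and b["status"] == "trunking"
        # a negotiated encapsulation is shown as n-dot1q, so compare the suffix
        both_dot1q = a["encap"].endswith("dot1q") and b["encap"].endswith("dot1q")
        if both_trunking and both_dot1q and a["native"] != b["native"]:
            found.append((lp, rp, a["native"], b["native"]))
    return found


def dtp_on_edge_ports(trunks, edge_ports):
    """Ports that face non-switch devices but still negotiate trunks.
    auto and desirable both answer DTP; the chapter's remedy is set trunk off."""
    return sorted(p for p in edge_ports
                  if p in trunks and trunks[p]["mode"] in ("auto", "desirable"))


# Constructed captures; the column layout follows the chapter's show trunk output.
SWITCH_A = """\
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 1/1      desirable    n-isl          trunking      1
 1/2      desirable    dot1q          trunking      10
 3/7      auto         negotiate      not-trunking  1
 3/8      off          negotiate      not-trunking  1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 1/1      1-1005,1025-4094
 1/2      1-1005,1025-4094
"""
SWITCH_B = """\
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 2/1      auto         n-isl          trunking      1
 2/2      auto         dot1q          trunking      1
"""
LINKS = [("1/1", "2/1"), ("1/2", "2/2")]   # assumed cabling between A and B
EDGE_PORTS = ["3/7", "3/8"]                # assumed: these connect to hosts


def audit():
    a, b = parse_show_trunk(SWITCH_A), parse_show_trunk(SWITCH_B)
    return {"native_mismatch": native_vlan_mismatches(a, b, LINKS),
            "dtp_on_edge": dtp_on_edge_ports(a, EDGE_PORTS)}


if __name__ == "__main__":
    for finding, items in audit().items():
        print(finding, items)
```

In the constructed data the link 1/2 to 2/2 is flagged because its native VLANs are 10 and 1, and port 3/7 is flagged because it is still in the default auto mode while 3/8, set to off, is not.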

Default Trunk Configuration

Table 5-4 shows the default Ethernet trunk configuration.

Table 5-4  Default Ethernet Trunk Configuration

Feature              Default Configuration
Trunk mode           auto
Trunk encapsulation  negotiate
Allowed VLAN range   VLANs 1–1005, 1025–4094

With this default a port does not initiate trunking, but it accepts it: the port becomes a trunk as soon as the neighboring port is set to on or desirable (see Table 5-3). Set the mode to off on ports that must never carry a trunk.

Configuring a Trunk Link

These sections describe how to configure a trunk link on Ethernet ports and how to define the allowed VLAN range on a trunk:

• Configuring an ISL Trunk
• Configuring an 802.1Q Trunk
• Configuring an ISL/802.1Q Negotiating Trunk Port
• Defining the Allowed VLANs on a Trunk
• Disabling a Trunk Port

Configuring an ISL Trunk

To configure an ISL trunk, perform this task in privileged mode:

Task                                        Command
Step 1  Configure an ISL trunk.             set trunk mod/port [on | desirable | auto | nonegotiate] isl
Step 2  Verify the trunking configuration.  show trunk [mod/port]

This example shows how to configure a port as a trunk and how to verify the trunk configuration. This example assumes that the neighboring port is in auto mode:

Console> (enable) set trunk 1/1 on
Port(s) 1/1 trunk mode set to on.
Console> (enable) 06/16/1998,22:16:39:DTP-5:Port 1/1 has become isl trunk
06/16/1998,22:16:40:PAGP-5:Port 1/1 left bridge port 1/1.
06/16/1998,22:16:40:PAGP-5:Port 1/1 joined bridge port 1/1.

Console> (enable) show trunk
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 1/1      on           isl            trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 1/1      1-1005,1025-4094

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 1/1      1,521-524

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 1/1
Console> (enable)

This example shows how to place a port in desirable mode and how to verify the trunk configuration. This example assumes that the neighboring port is in auto mode:

Console> (enable) set trunk 1/2 desirable
Port(s) 1/2 trunk mode set to desirable.
Console> (enable) 06/16/1998,22:20:16:DTP-5:Port 1/2 has become isl trunk
06/16/1998,22:20:16:PAGP-5:Port 1/2 left bridge port 1/2.
06/16/1998,22:20:16:PAGP-5:Port 1/2 joined bridge port 1/2.

Console> (enable) show trunk 1/2
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 1/2      desirable    isl            trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 1/2      1-1005,1025-4094

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 1/2      1,521-524

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 1/2
Console> (enable)

Configuring an 802.1Q Trunk

To configure an 802.1Q trunk, perform this task in privileged mode:

Task                                        Command
Step 1  Configure an 802.1Q trunk.          set trunk mod/port [on | desirable | auto | nonegotiate] dot1q
Step 2  Verify the trunking configuration.  show trunk [mod/port]

This example shows how to configure an 802.1Q trunk and how to verify the trunk configuration:

Console> (enable) set trunk 2/9 desirable dot1q
Port(s) 2/9 trunk mode set to desirable.
Port(s) 2/9 trunk type set to dot1q.
Console> (enable) 07/02/1998,18:22:25:DTP-5:Port 2/9 has become dot1q trunk

Console> (enable) show trunk
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 2/9      desirable    dot1q          trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 2/9      1-1005,1025-4094

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 2/9      1,5,10-32,55,101-120,150,200,250,300,400,500,600,700,800,900,998-1000

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 2/9      5,10-32,101-120,150,200,250,300,400,500,600,700,800,900,998-1000
Console> (enable)

Configuring an ISL/802.1Q Negotiating Trunk Port

To configure a trunk port to negotiate the trunk encapsulation type (either ISL or 802.1Q), perform this task in privileged mode:

Task                                                                 Command
Step 1  Configure a port to negotiate the trunk encapsulation type.  set trunk mod/port [on | desirable | auto | nonegotiate] negotiate
Step 2  Verify the trunking configuration.                           show trunk [mod/port]

This example shows how to configure a port to negotiate the encapsulation type and how to verify the trunk configuration. This example assumes that the neighboring port is in auto mode with encapsulation set to isl or negotiate. The n-isl value in the Encapsulation field indicates that ISL was the negotiated result rather than a fixed setting:

Console> (enable) set trunk 4/11 desirable negotiate
Port(s) 4/11 trunk mode set to desirable.
Port(s) 4/11 trunk type set to negotiate.
Console> (enable) show trunk 4/11
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 4/11     desirable    n-isl          trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 4/11     1-1005,1025-4094

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 4/11     1,5,10-32,55,101-120,150,200,250,300,400,500,600,700,800,900,1000

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 4/11     1,5,10-32,101-120,150,200,250,300,400,500,600,700,800,900,1000
Console> (enable)

Defining the Allowed VLANs on a Trunk

When you configure a trunk port, all VLANs are added to the allowed VLANs list for that trunk. However, you can remove VLANs from the allowed list to prevent traffic for those VLANs from passing over the trunk. To modify the allowed VLANs list, use a combination of the clear trunk and set trunk commands to specify the allowed VLANs. A trunk left with the default list carries every VLAN in the domain, including VLANs the far end has no need to see; pruning the list is the control this chapter gives you over which VLANs a trunk carries.

Note  When you first configure a port as a trunk, entering the set trunk command always adds all VLANs to the allowed VLAN list for the trunk, even if you specify a VLAN range (any specified VLAN range is ignored).

To define the allowed VLAN list for a trunk port, perform this task in privileged mode:

Task                                                                      Command
Step 1  Remove VLANs from the allowed VLANs list for a trunk.             clear trunk mod/port vlans
Step 2  (Optional) Add specific VLANs to the allowed VLANs list for a trunk.  set trunk mod/port vlans
Step 3  Verify the allowed VLAN list for the trunk.                       show trunk [mod/port]

This example shows how to define the allowed VLANs list to allow VLANs 1–100, VLANs 500–1005, and VLAN 2500 on trunk port 1/1 and how to verify the allowed VLAN list for the trunk:

Console> (enable) clear trunk 1/1 101-499
Removing Vlan(s) 101-499 from allowed list.
Port 1/1 allowed vlans modified to 1-100,500-1005.
Console> (enable) set trunk 1/1 2500
Adding vlans 2500 to allowed list.
Port(s) 1/1 allowed vlans modified to 1-100,500-1005,2500.
Console> (enable) show trunk 1/1
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 1/1      desirable    isl            trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 1/1      1-100,500-1005,2500

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 1/1      1,521-524

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 1/1      1,521-524
Console> (enable)
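The clear trunk and set trunk commands operate on a set of VLAN numbers that the switch prints back as collapsed ranges. The Python below is an added example, not Cisco code, that models that arithmetic: the first set trunk allows everything whatever range is typed (the note above), clear trunk subtracts a range, a later set trunk adds one, and a helper reports whether a trunk still carries every VLAN, which is the state a trunk stays in until someone prunes it. The replays use the VLAN numbers from the chapter's sample outputs and start from the 1-1005 list those outputs show; the 1-1005,1025-4094 default from Table 5-4 is what an unpruned trunk gets in this release.

```python
"""Allowed-VLAN list arithmetic behind 'set trunk' and 'clear trunk'.

Added example, not Cisco code. Models the rules the chapter states: the
first set trunk on a port allows every VLAN whatever range is typed, clear
trunk subtracts a range, a later set trunk with a range adds one, and show
trunk prints the result as collapsed ranges. Starting lists and ranges come
from the chapter's sample outputs; nothing here talks to a switch.
"""

DEFAULT_ALLOWED = "1-1005,1025-4094"   # Table 5-4 default for releases 6.3/6.4
MAX_VLAN = 4094


def parse_vlan_list(spec):
    """'1-100,500-1005,2500' -> {1, ..., 100, 500, ..., 1005, 2500}."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= MAX_VLAN:
            raise ValueError("bad VLAN range %r" % part)
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Inverse of parse_vlan_list: consecutive VLANs collapse to lo-hi."""
    runs = []
    for v in sorted(vlans):
        if runs and v == runs[-1][1] + 1:
            runs[-1][1] = v
        else:
            runs.append([v, v])
    return ",".join(str(lo) if lo == hi else "%d-%d" % (lo, hi) for lo, hi in runs)


class TrunkAllowedList:
    """Allowed-VLAN list of one trunk port, driven by the chapter's commands."""

    def __init__(self, current=None):
        # None means the port is not a trunk yet, so no list exists
        self.vlans = parse_vlan_list(current) if current else None

    def set_trunk(self, vlan_spec=None):
        """set trunk mod/port [vlans]: on a port that is not yet a trunk the
        range is ignored and every VLAN is allowed (note in the chapter)."""
        if self.vlans is None:
            self.vlans = parse_vlan_list(DEFAULT_ALLOWED)
        elif vlan_spec:
            self.vlans |= parse_vlan_list(vlan_spec)
        return format_vlan_list(self.vlans)

    def clear_trunk(self, vlan_spec):
        """clear trunk mod/port vlans: remove the range from the list."""
        if self.vlans is None:
            raise ValueError("port is not a trunk")
        self.vlans -= parse_vlan_list(vlan_spec)
        return format_vlan_list(self.vlans)

    def carries_everything(self):
        """True while nothing has been pruned: the trunk still carries all VLANs."""
        return self.vlans == parse_vlan_list(DEFAULT_ALLOWED)


def replay_chapter_examples():
    """The two sequences shown in the chapter, from the 1-1005 list they start
    with. Returns the three lists the switch printed back."""
    p = TrunkAllowedList("1-1005")
    after_clear = p.clear_trunk("101-499")      # -> 1-100,500-1005
    after_add = p.set_trunk("2500")             # -> 1-100,500-1005,2500
    q = TrunkAllowedList("1-1005")
    q.clear_trunk("2-519")                      # -> 1,520-1005
    after_second = q.clear_trunk("531-1005")    # -> 1,520-530
    return after_clear, after_add, after_second


if __name__ == "__main__":
    print(replay_chapter_examples())
    t = TrunkAllowedList()
    print(t.set_trunk("520-530"), t.carries_everything())   # range ignored, True
```

The last two lines of the main block show the trap the note describes: set trunk with a range on a port that is not yet a trunk leaves the full default list in place, so the pruning has to be done with clear trunk afterwards.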
Disabling a Trunk Port

To turn off trunking on a port, perform this task in privileged mode:

Task                                        Command
Step 1  Turn off trunking on a port.        set trunk mod/port off
Step 2  Verify the trunking configuration.  show trunk [mod/port]

Setting the mode to off also stops the port from agreeing to a trunk requested by the neighbor (see Table 5-1), which makes it the setting to use on ports that connect to end stations or other non-switch devices.

To return a port to the default trunk type and mode for that port type, perform this task in privileged mode:

Task                                                                               Command
Step 1  Return the port to the default trunking type and mode for that port type.  clear trunk mod/port
Step 2  Verify the trunking configuration.                                         show trunk [mod/port]

Example VLAN Trunk Configurations

This section contains example VLAN trunk configurations:

• ISL Trunk Configuration Example
• ISL Trunk Over EtherChannel Link Example
• 802.1Q Trunk Over EtherChannel Link Example
• Load-Sharing VLAN Traffic Over Parallel Trunks Example

ISL Trunk Configuration Example

This example shows how to configure an ISL trunk between two switches and how to limit the allowed VLANs on the trunk to VLAN 1 and VLANs 520–530.

In this example, port 1/1 on Switch 1 is connected to a Fast Ethernet port on another switch. Both ports are in their default state, with the trunk mode set to auto (for more information, see the "Default Trunk Configuration" section).

Step 1  Configure port 1/1 on Switch 1 as an ISL trunk port by entering the set trunk command. By specifying the desirable keyword, the trunk is automatically negotiated with the neighboring port (port 1/2 on Switch 2). ISL encapsulation is assumed based on the hardware type.

Switch1> (enable) set trunk 1/1 desirable
Port(s) 1/1 trunk mode set to desirable.
Switch1> (enable) 06/18/1998,12:20:23:DTP-5:Port 1/1 has become isl trunk
06/18/1998,12:20:23:PAGP-5:Port 1/1 left bridge port 1/1.
06/18/1998,12:20:23:PAGP-5:Port 1/1 joined bridge port 1/1.

Step 2  Check the configuration by entering the show trunk command. The Status field in the screen output indicates that port 1/1 is trunking.

Switch1> (enable) show trunk 1/1
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 1/1      desirable    isl            trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 1/1      1-1005,1025-4094

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 1/1      1,521-524

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 1/1      1,521-524
Switch1> (enable)

Step 3  Define the allowed VLAN list for the trunk by entering the clear trunk command to remove the VLANs that should not pass traffic over the trunk link.

Switch1> (enable) clear trunk 1/1 2-519
Removing Vlan(s) 2-519 from allowed list.
Port 1/1 allowed vlans modified to 1,520-1005.
Switch1> (enable) clear trunk 1/1 531-1005
Removing Vlan(s) 531-1005 from allowed list.
Port 1/1 allowed vlans modified to 1,520-530.
Switch1> (enable) show trunk 1/1
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 1/1      desirable    isl            trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 1/1      1,520-530

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 1/1      1,521-524

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 1/1      1,521-524
Switch1> (enable)

Step 4  Verify connectivity across the trunk by entering the ping command.

Switch1> (enable) ping switch2
switch2 is alive
Switch1> (enable)

ISL Trunk Over EtherChannel Link Example

This example shows how to configure an ISL trunk over an EtherChannel link between two switches. Figure 5-1 shows two switches connected through two 100BASE-TX Fast Ethernet ports.

Figure 5-1  ISL Trunk Over Fast EtherChannel Link

Switch A, ports 1/1 and 1/2  <---- Fast EtherChannel ISL trunk link ---->  ports 3/1 and 3/2, Switch B

This example shows how to configure the switches to form a two-port EtherChannel bundle and then configure the EtherChannel bundle as an ISL trunk link.

Step 1  Confirm the channeling and trunking status of the switches by entering the show port channel and show trunk commands.

Switch_A> (enable) show port channel
No ports channelling
Switch_A> (enable) show trunk
No ports trunking.
Switch_A> (enable)

Switch_B> (enable) show port channel
No ports channelling
Switch_B> (enable) show trunk
No ports trunking.
Switch_B> (enable)

Step 2  Configure the ports on Switch A to negotiate an EtherChannel bundle with the neighboring switch by entering the set port channel command. This example assumes that the neighboring ports on Switch B are in EtherChannel auto mode. The system logging messages provide information about the formation of the EtherChannel bundle.

Switch_A> (enable) set port channel 1/1-2 desirable
Port(s) 1/1-2 channel mode set to desirable.
Switch_A> (enable)
%PAGP-5-PORTFROMSTP:Port 1/1 left bridge port 1/1
%PAGP-5-PORTFROMSTP:Port 1/2 left bridge port 1/2
%PAGP-5-PORTFROMSTP:Port 1/2 left bridge port 1/2
%PAGP-5-PORTTOSTP:Port 1/1 joined bridge port 1/1-2
%PAGP-5-PORTTOSTP:Port 1/2 joined bridge port 1/1-2

Switch_B> (enable)
%PAGP-5-PORTFROMSTP:Port 3/1 left bridge port 3/1
%PAGP-5-PORTFROMSTP:Port 3/2 left bridge port 3/2
%PAGP-5-PORTFROMSTP:Port 3/2 left bridge port 3/2
%PAGP-5-PORTTOSTP:Port 3/1 joined bridge port 3/1-2
%PAGP-5-PORTTOSTP:Port 3/2 joined bridge port 3/1-2

Step 3  After the EtherChannel bundle is negotiated, verify the configuration by entering the show port channel command.

Switch_A> (enable) show port channel
Port  Status     Channel    Channel     Neighbor                  Neighbor
                 mode       status      device                    port
----- ---------- ---------- ----------- ------------------------- ----------
 1/1  connected  desirable  channel     WS-C5000 009979082(Sw     3/1
 1/2  connected  desirable  channel     WS-C5000 009979082(Sw     3/2
----- ---------- ---------- ----------- ------------------------- ----------
Switch_A> (enable)

Switch_B> (enable) show port channel
Port  Status     Channel    Channel     Neighbor                  Neighbor
                 mode       status      device                    port
----- ---------- ---------- ----------- ------------------------- ----------
 3/1  connected  auto       channel     WS-C5500 069003103(Sw     1/1
 3/2  connected  auto       channel     WS-C5500 069003103(Sw     1/2
----- ---------- ---------- ----------- ------------------------- ----------
Switch_B> (enable)

Step 4  Configure one of the ports in the EtherChannel bundle to negotiate an ISL trunk by entering the set trunk command. The configuration is applied to all of the ports in the bundle. This example assumes that the neighboring ports on Switch B are configured to use isl or negotiate encapsulation and are in auto trunk mode. The system logging messages provide information about the formation of the ISL trunk.

Switch_A> (enable) set trunk 1/1 desirable isl
Port(s) 1/1-2 trunk mode set to desirable.
Port(s) 1/1-2 trunk type set to isl.
Switch_A> (enable)
%DTP-5-TRUNKPORTON:Port 1/1 has become isl trunk
%DTP-5-TRUNKPORTON:Port 1/2 has become isl trunk
%PAGP-5-PORTFROMSTP:Port 1/1 left bridge port 1/1-2
%PAGP-5-PORTFROMSTP:Port 1/2 left bridge port 1/1-2
%PAGP-5-PORTTOSTP:Port 1/1 joined bridge port 1/1-2
%PAGP-5-PORTTOSTP:Port 1/2 joined bridge port 1/1-2

Switch_B> (enable)
%DTP-5-TRUNKPORTON:Port 3/1 has become isl trunk
%DTP-5-TRUNKPORTON:Port 3/2 has become isl trunk
%PAGP-5-PORTFROMSTP:Port 3/1 left bridge port 3/1-2
%PAGP-5-PORTFROMSTP:Port 3/2 left bridge port 3/1-2
%PAGP-5-PORTTOSTP:Port 3/1 joined bridge port 3/1-2
%PAGP-5-PORTTOSTP:Port 3/2 joined bridge port 3/1-2

Step 5  After the ISL trunk link is negotiated, verify the configuration by entering the show trunk command.

Switch_A> (enable) show trunk
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 1/1      desirable    isl            trunking      1
 1/2      desirable    isl            trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 1/1      1-1005,1025-4094
 1/2      1-1005,1025-4094

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 1/1      1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
 1/2      1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 1/1      1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
 1/2      1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
Switch_A> (enable)

Switch_B> (enable) show trunk
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 3/1      auto         isl            trunking      1
 3/2      auto         isl            trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 3/1      1-1005,1025-4094
 3/2      1-1005,1025-4094

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 3/1      1-5,10,20,50,152,200,300,400,500,521-524,570,801,850,917,999
 3/2      1-5,10,20,50,152,200,300,400,500,521-524,570,801,850,917,999

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 3/1      1-5,10,20,50,152,200,300,400,500,521-524,570,801,850,917,999
 3/2      1-5,10,20,50,152,200,300,400,500,521-524,570,801,850,917,999
Switch_B> (enable)

802.1Q Trunk Over EtherChannel Link Example

This example shows how to configure an 802.1Q trunk over an EtherChannel link between two switches. Figure 5-2 shows two switches connected through four 1000BASE-SX Gigabit Ethernet ports.

Figure 5-2  802.1Q Trunk Over EtherChannel Link

Switch A, ports 2/3, 2/4, 2/5 and 2/6  <---- Gigabit EtherChannel, IEEE 802.1Q trunk link ---->  ports 3/3, 3/4, 3/5 and 3/6, Switch B

This example shows how to configure the switches to form a four-port EtherChannel bundle and then configure the EtherChannel bundle as an 802.1Q trunk link.

Step 1  Make sure all ports on both Switch A and Switch B are assigned to the same VLAN by entering the set vlan command. In this example, all ports are configured as members of VLAN 1. This VLAN is used as the 802.1Q native VLAN for the trunk.

Switch_A> (enable) set vlan 1 2/3-6
VLAN  Mod/Ports
----  -----------------------
1     2/1-6
Switch_A> (enable)

Switch_B> (enable) set vlan 1 3/3-6
VLAN  Mod/Ports
----  -----------------------
1     3/1-6
Switch_B> (enable)

Step 2  Confirm the channeling and trunking status of the switches by entering the show port channel and show trunk commands.

Switch_A> (enable) show port channel
No ports channelling
Switch_A> (enable) show trunk
No ports trunking.
Switch_A> (enable)

Switch_B> (enable) show port channel
No ports channelling
Switch_B> (enable) show trunk
No ports trunking.
Switch_B> (enable)

Step 3  Configure the ports on Switch A to negotiate an EtherChannel bundle with the neighboring switch by entering the set port channel command. This example assumes that the neighboring ports on Switch B are in EtherChannel auto mode. The system logging messages provide information about the formation of the EtherChannel bundle.

Switch_A> (enable) set port channel 2/3-6 desirable
Port(s) 2/3-6 channel mode set to desirable.
Switch_A> (enable)
%PAGP-5-PORTFROMSTP:Port 2/3 left bridge port 2/3
%PAGP-5-PORTFROMSTP:Port 2/4 left bridge port 2/4
%PAGP-5-PORTFROMSTP:Port 2/5 left bridge port 2/5
%PAGP-5-PORTFROMSTP:Port 2/6 left bridge port 2/6
%PAGP-5-PORTFROMSTP:Port 2/4 left bridge port 2/4
%PAGP-5-PORTFROMSTP:Port 2/5 left bridge port 2/5
%PAGP-5-PORTFROMSTP:Port 2/6 left bridge port 2/6
%PAGP-5-PORTFROMSTP:Port 2/3 left bridge port 2/3
%PAGP-5-PORTTOSTP:Port 2/3 joined bridge port 2/3-6
%PAGP-5-PORTTOSTP:Port 2/4 joined bridge port 2/3-6
%PAGP-5-PORTTOSTP:Port 2/5 joined bridge port 2/3-6
%PAGP-5-PORTTOSTP:Port 2/6 joined bridge port 2/3-6

Switch_B> (enable)
%PAGP-5-PORTFROMSTP:Port 3/3 left bridge port 3/3
%PAGP-5-PORTFROMSTP:Port 3/4 left bridge port 3/4
%PAGP-5-PORTFROMSTP:Port 3/5 left bridge port 3/5
%PAGP-5-PORTFROMSTP:Port 3/6 left bridge port 3/6
%PAGP-5-PORTFROMSTP:Port 3/4 left bridge port 3/4
%PAGP-5-PORTFROMSTP:Port 3/5 left bridge port 3/5
%PAGP-5-PORTFROMSTP:Port 3/6 left bridge port 3/6
%PAGP-5-PORTFROMSTP:Port 3/3 left bridge port 3/3
%PAGP-5-PORTTOSTP:Port 3/3 joined bridge port 3/3-6
%PAGP-5-PORTTOSTP:Port 3/4 joined bridge port 3/3-6
%PAGP-5-PORTTOSTP:Port 3/5 joined bridge port 3/3-6
%PAGP-5-PORTTOSTP:Port 3/6 joined bridge port 3/3-6

Step 4  After the EtherChannel bundle is negotiated, verify the configuration by entering the show port channel command.

Switch_A> (enable) show port channel
Port  Status     Channel    Channel     Neighbor                  Neighbor
                 mode       status      device                    port
----- ---------- ---------- ----------- ------------------------- ----------
 2/3  connected  desirable  channel     WS-C4003 JAB023806(Sw     3/3
 2/4  connected  desirable  channel     WS-C4003 JAB023806(Sw     3/4
 2/5  connected  desirable  channel     WS-C4003 JAB023806(Sw     3/5
 2/6  connected  desirable  channel     WS-C4003 JAB023806(Sw     3/6
----- ---------- ---------- ----------- ------------------------- ----------
Switch_A> (enable)

Switch_B> (enable) show port channel
Port  Status     Channel    Channel     Neighbor                  Neighbor
                 mode       status      device                    port
----- ---------- ---------- ----------- ------------------------- ----------
 3/3  connected  auto       channel     WS-C4003 JAB023806(Sw     2/3
 3/4  connected  auto       channel     WS-C4003 JAB023806(Sw     2/4
 3/5  connected  auto       channel     WS-C4003 JAB023806(Sw     2/5
 3/6  connected  auto       channel     WS-C4003 JAB023806(Sw     2/6
----- ---------- ---------- ----------- ------------------------- ----------
Switch_B> (enable)

Step 5  Configure one of the ports in the EtherChannel bundle to negotiate an 802.1Q trunk by entering the set trunk command. The configuration is applied to all of the ports in the bundle. This example assumes that the neighboring ports on Switch B are configured to use dot1q or negotiate encapsulation and are in auto trunk mode. The system logging messages provide information about the formation of the 802.1Q trunk.

Switch_A> (enable) set trunk 2/3 desirable dot1q
Port(s) 2/3-6 trunk mode set to desirable.
Port(s) 2/3-6 trunk type set to dot1q.
Switch_A> (enable)
%DTP-5-TRUNKPORTON:Port 2/3 has become dot1q trunk

%DTP-5-TRUNKPORTON:Port 2/4 has become dot1q trunk
%PAGP-5-PORTFROMSTP:Port 2/3 left bridge port 2/3-6
%DTP-5-TRUNKPORTON:Port 2/5 has become dot1q trunk
%PAGP-5-PORTFROMSTP:Port 2/4 left bridge port 2/3-6
%PAGP-5-PORTFROMSTP:Port 2/5 left bridge port 2/3-6
%DTP-5-TRUNKPORTON:Port 2/6 has become dot1q trunk
%PAGP-5-PORTFROMSTP:Port 2/6 left bridge port 2/3-6
%PAGP-5-PORTFROMSTP:Port 2/3 left bridge port 2/3
%PAGP-5-PORTTOSTP:Port 2/3 joined bridge port 2/3-6
%PAGP-5-PORTTOSTP:Port 2/4 joined bridge port 2/3-6
%PAGP-5-PORTTOSTP:Port 2/5 joined bridge port 2/3-6
%PAGP-5-PORTTOSTP:Port 2/6 joined bridge port 2/3-6

Switch_B> (enable)
%DTP-5-TRUNKPORTON:Port 3/3 has become dot1q trunk
%DTP-5-TRUNKPORTON:Port 3/4 has become dot1q trunk
%PAGP-5-PORTFROMSTP:Port 3/3 left bridge port 3/3-6
%PAGP-5-PORTFROMSTP:Port 3/4 left bridge port 3/3-6
%PAGP-5-PORTFROMSTP:Port 3/5 left bridge port 3/3-6
%PAGP-5-PORTFROMSTP:Port 3/6 left bridge port 3/3-6
%DTP-5-TRUNKPORTON:Port 3/5 has become dot1q trunk
%DTP-5-TRUNKPORTON:Port 3/6 has become dot1q trunk
%PAGP-5-PORTFROMSTP:Port 3/5 left bridge port 3/3-6
%PAGP-5-PORTFROMSTP:Port 3/6 left bridge port 3/3-6
%PAGP-5-PORTTOSTP:Port 3/3 joined bridge port 3/3-6
%PAGP-5-PORTTOSTP:Port 3/4 joined bridge port 3/3-6
%PAGP-5-PORTTOSTP:Port 3/5 joined bridge port 3/3-6
%PAGP-5-PORTTOSTP:Port 3/6 joined bridge port 3/3-6

Step 6  After the 802.1Q trunk link is negotiated, verify the configuration by entering the show trunk command.

Switch_A> (enable) show trunk
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 2/3      desirable    dot1q          trunking      1
 2/4      desirable    dot1q          trunking      1
 2/5      desirable    dot1q          trunking      1
 2/6      desirable    dot1q          trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 2/3      1-1005,1025-4094
 2/4      1-1005,1025-4094
 2/5      1-1005,1025-4094
 2/6      1-1005,1025-4094

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 2/3      1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
 2/4      1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
 2/5      1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
 2/6      1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 2/3
 2/4
 2/5
 2/6
Switch_A> (enable)

Switch_B> (enable) show trunk
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 3/3      auto         dot1q          trunking      1
 3/4      auto         dot1q          trunking      1
 3/5      auto         dot1q          trunking      1
 3/6      auto         dot1q          trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 3/3      1-1005,1025-4094
 3/4      1-1005,1025-4094
 3/5      1-1005,1025-4094
 3/6      1-1005,1025-4094

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 3/3      1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
 3/4      1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
 3/5      1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
 3/6      1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 3/3      1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
 3/4      1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
 3/5      1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
 3/6      1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
Switch_B> (enable)

Load-Sharing VLAN Traffic Over Parallel Trunks Example

Using spanning tree port-VLAN priorities, you can load-share VLAN traffic over parallel trunk ports so that traffic from some VLANs travels over one trunk, while traffic from other VLANs travels over the other trunk. This configuration allows traffic to be carried over both trunks simultaneously (instead of keeping one trunk in blocking mode), which reduces the total traffic carried over each trunk while still maintaining a fault-tolerant configuration.

Figure 5-3 shows a parallel trunk configuration between two switches, using the Fast Ethernet uplink ports on the supervisor engine.

Figure 5-3 Parallel Trunk Configuration Before Configuring VLAN-Traffic Load Sharing

[Figure: Switch 1 port 1/1 connects to Switch 2 port 1/1 (Trunk 1) and Switch 1 port 1/2 connects to Switch 2 port 1/2 (Trunk 2). Trunk 1: VLANs 10, 20, 30, 40, 50, and 60, port-VLAN priority 32 (forwarding). Trunk 2: VLANs 10, 20, 30, 40, 50, and 60, port-VLAN priority 32 (blocking).]

By default, the port-VLAN priority for both trunks is equal (a value of 32). STP blocks port 1/2 (Trunk 2) for each VLAN on Switch 1 to prevent forwarding loops. Trunk 2 is not used to forward traffic unless Trunk 1 fails. This example shows how to configure the switches so that traffic from multiple VLANs is load balanced over the parallel trunks.

Step 1 Configure a VTP domain on both Switch 1 and Switch 2 by entering the set vtp command so that the VLAN information configured on Switch 1 is learned by Switch 2. Make sure Switch 1 is a VTP server. You can configure Switch 2 as a VTP client or as a VTP server.

Switch_1> (enable) set vtp domain BigCorp mode server
VTP domain BigCorp modified
Switch_1> (enable)

Switch_2> (enable) set vtp domain BigCorp mode server
VTP domain BigCorp modified
Switch_2> (enable)

Step 2 Create the VLANs on Switch 1 by entering the set vlan command. In this example, you see VLANs 10, 20, 30, 40, 50, and 60.

Switch_1> (enable) set vlan 10
Vlan 10 configuration successful
Switch_1> (enable) set vlan 20
Vlan 20 configuration successful
Switch_1> (enable) set vlan 30
Vlan 30 configuration successful
Switch_1> (enable) set vlan 40
Vlan 40 configuration successful
Switch_1> (enable) set vlan 50
Vlan 50 configuration successful
Switch_1> (enable) set vlan 60
Vlan 60 configuration successful
Switch_1> (enable)

Step 3 Verify the VTP and VLAN configuration on Switch 1 by entering the show vtp domain and show vlan commands.

Switch_1> (enable) show vtp domain
Domain Name                      Domain Index VTP Version Local Mode Password
-------------------------------- ------------ ----------- ---------- ----------
BigCorp                          1            2           server

Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
11         1023             13              disabled

Last Updater    V2 Mode  Pruning  PruneEligible on Vlans
--------------- -------- -------- -------------------------
172.20.52.10    disabled enabled  2-1000
Switch_1> (enable) show vlan
VLAN Name                             Status    Mod/Ports, Vlans
---- -------------------------------- --------- ----------------------------
1    default                          active    1/1-2
                                                2/1-12
                                                5/1-2
10   VLAN0010                         active
20   VLAN0020                         active
30   VLAN0030                         active
40   VLAN0040                         active
50   VLAN0050                         active
60   VLAN0060                         active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
.
.
.
Switch_1> (enable)

Step 4 Configure the supervisor engine uplinks on Switch 1 as ISL trunk ports by entering the set trunk command. Specifying the desirable mode on the Switch 1 ports causes the ports on Switch 2 to negotiate to become trunk links (assuming that the Switch 2 uplinks are in the default auto mode).

Switch_1> (enable) set trunk 1/1 desirable
Port(s) 1/1 trunk mode set to desirable.
Switch_1> (enable) 04/21/1998,03:05:05:DISL-5:Port 1/1 has become isl trunk
Switch_1> (enable) set trunk 1/2 desirable
Port(s) 1/2 trunk mode set to desirable.
Switch_1> (enable) 04/21/1998,03:05:13:DISL-5:Port 1/2 has become isl trunk

Step 5 Verify that the trunk links are up by entering the show trunk command.

Switch_1> (enable) show trunk 1
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 1/1      desirable    isl            trunking      1
 1/2      desirable    isl            trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 1/1      1-1005,1025-4094
 1/2      1-1005,1025-4094

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 1/1      1,10,20,30,40,50,60
 1/2      1,10,20,30,40,50,60

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 1/1
 1/2
Switch_1> (enable)

Step 6 Note that when the trunk links come up, VTP passes the VTP and VLAN configuration to Switch 2. Verify that Switch 2 has learned the VLAN configuration by entering the show vlan command on Switch 2.

Switch_2> (enable) show vlan
VLAN Name                             Status    Mod/Ports, Vlans
---- -------------------------------- --------- ----------------------------
1    default                          active
10   VLAN0010                         active
20   VLAN0020                         active
30   VLAN0030                         active
40   VLAN0040                         active
50   VLAN0050                         active
60   VLAN0060                         active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
<...output truncated...>
Switch_2> (enable)

Step 7 Note that spanning tree takes one to two minutes to converge. After the network stabilizes, check the spanning tree state of each trunk port on Switch 1 by entering the show spantree command. Trunk 1 is forwarding for all VLANs. Trunk 2 is blocking for all VLANs. On Switch 2, both trunks are forwarding for all VLANs, but no traffic passes over Trunk 2 because port 1/2 on Switch 1 is blocking.

Switch_1> (enable) show spantree 1/1
Port      Vlan  Port-State     Cost  Priority  Fast-Start  Group-method
--------  ----  -------------  ----  --------  ----------  ------------
 1/1         1  forwarding       19        32  disabled
 1/1        10  forwarding       19        32  disabled
 1/1        20  forwarding       19        32  disabled
 1/1        30  forwarding       19        32  disabled
 1/1        40  forwarding       19        32  disabled
 1/1        50  forwarding       19        32  disabled
 1/1        60  forwarding       19        32  disabled
 1/1      1003  not-connected    19        32  disabled
 1/1      1005  not-connected    19         4  disabled
Switch_1> (enable) show spantree 1/2
Port      Vlan  Port-State     Cost  Priority  Fast-Start  Group-method
--------  ----  -------------  ----  --------  ----------  ------------
 1/2         1  blocking         19        32  disabled
 1/2        10  blocking         19        32  disabled
 1/2        20  blocking         19        32  disabled
 1/2        30  blocking         19        32  disabled
 1/2        40  blocking         19        32  disabled
 1/2        50  blocking         19        32  disabled
 1/2        60  blocking         19        32  disabled
 1/2      1003  not-connected    19        32  disabled
 1/2      1005  not-connected    19         4  disabled
Switch_1> (enable)

Step 8 Divide the configured VLANs into two groups. You might want traffic from half of the VLANs to go over one trunk link and half over the other, or, if one VLAN has heavier traffic than the others, you can forward traffic from that VLAN over one trunk and traffic from the other VLANs over the other trunk link.

Note In the following steps, VLANs 10, 20, and 30 (Group 1) are forwarded over Trunk 1, and VLANs 40, 50, and 60 (Group 2) are forwarded over Trunk 2.

Step 9 On Switch 1, change the port-VLAN priority for the Group 1 VLANs on Trunk 1 (port 1/1) to an integer value lower than the default of 32 by entering the set spantree portvlanpri command.

Switch_1> (enable) set spantree portvlanpri 1/1 1 10
Port 1/1 vlans 1-9,11-1004 using portpri 32.
Port 1/1 vlans 10 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_1> (enable) set spantree portvlanpri 1/1 1 20
Port 1/1 vlans 1-9,11-19,21-1004 using portpri 32.
Port 1/1 vlans 10,20 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_1> (enable) set spantree portvlanpri 1/1 1 30
Port 1/1 vlans 1-9,11-19,21-29,31-1004 using portpri 32.
Port 1/1 vlans 10,20,30 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_1> (enable)

Step 10 On Switch 1, change the port-VLAN priority for the Group 2 VLANs on Trunk 2 (port 1/2) to an integer value lower than the default of 32 by entering the set spantree portvlanpri command.

Switch_1> (enable) set spantree portvlanpri 1/2 1 40
Port 1/2 vlans 1-39,41-1004 using portpri 32.
Port 1/2 vlans 40 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_1> (enable) set spantree portvlanpri 1/2 1 50
Port 1/2 vlans 1-39,41-49,51-1004 using portpri 32.
Port 1/2 vlans 40,50 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_1> (enable) set spantree portvlanpri 1/2 1 60
Port 1/2 vlans 1-39,41-49,51-59,61-1004 using portpri 32.
Port 1/2 vlans 40,50,60 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_1> (enable)

Caution The port-VLAN priority for each VLAN must be equal on both ends of the link.

Step 11 On Switch 2, change the port-VLAN priority for the Group 1 VLANs on Trunk 1 (port 1/1) to the same value you configured for those VLANs on Switch 1 by entering the set spantree portvlanpri command.

Switch_2> (enable) set spantree portvlanpri 1/1 1 10
Port 1/1 vlans 1-9,11-1004 using portpri 32.
Port 1/1 vlans 10 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_2> (enable) set spantree portvlanpri 1/1 1 20
Port 1/1 vlans 1-9,11-19,21-1004 using portpri 32.
Port 1/1 vlans 10,20 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_2> (enable) set spantree portvlanpri 1/1 1 30
Port 1/1 vlans 1-9,11-19,21-29,31-1004 using portpri 32.
Port 1/1 vlans 10,20,30 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_2> (enable)

Step 12 On Switch 2, change the port-VLAN priority for the Group 2 VLANs on Trunk 2 (port 1/2) to the same value you configured for those VLANs on Switch 1 by entering the set spantree portvlanpri command.

Switch_2> (enable) set spantree portvlanpri 1/2 1 40
Port 1/2 vlans 1-39,41-1004 using portpri 32.
Port 1/2 vlans 40 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_2> (enable) set spantree portvlanpri 1/2 1 50
Port 1/2 vlans 1-39,41-49,51-1004 using portpri 32.
Port 1/2 vlans 40,50 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_2> (enable) set spantree portvlanpri 1/2 1 60
Port 1/2 vlans 1-39,41-49,51-59,61-1004 using portpri 32.
Port 1/2 vlans 40,50,60 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_2> (enable)

Note When you have configured the port-VLAN priorities on both ends of the link, the spanning tree converges to use the new configuration.

Step 13 Check the spanning tree port states on Switch 1 by entering the show spantree command. The Group 1 VLANs should forward on Trunk 1 and block on Trunk 2. The Group 2 VLANs should block on Trunk 1 and forward on Trunk 2.

Switch_1> (enable) show spantree 1/1
Port      Vlan  Port-State     Cost  Priority  Fast-Start  Group-method
--------  ----  -------------  ----  --------  ----------  ------------
 1/1         1  forwarding       19        32  disabled
 1/1        10  forwarding       19         1  disabled
 1/1        20  forwarding       19         1  disabled
 1/1        30  forwarding       19         1  disabled
 1/1        40  blocking         19        32  disabled
 1/1        50  blocking         19        32  disabled
 1/1        60  blocking         19        32  disabled
 1/1      1003  not-connected    19        32  disabled
 1/1      1005  not-connected    19         4  disabled
Switch_1> (enable) show spantree 1/2
Port      Vlan  Port-State     Cost  Priority  Fast-Start  Group-method
--------  ----  -------------  ----  --------  ----------  ------------
 1/2         1  blocking         19        32  disabled
 1/2        10  blocking         19        32  disabled
 1/2        20  blocking         19        32  disabled
 1/2        30  blocking         19        32  disabled
 1/2        40  forwarding       19         1  disabled
 1/2        50  forwarding       19         1  disabled
 1/2        60  forwarding       19         1  disabled
 1/2      1003  not-connected    19        32  disabled
 1/2      1005  not-connected    19         4  disabled
Switch_1> (enable)

Figure 5-4 shows the network after you configure VLAN traffic load sharing.

Figure 5-4 Parallel Trunk Configuration After Configuring VLAN-Traffic Load Sharing

[Figure: Switch 1 port 1/1 connects to Switch 2 port 1/1 (Trunk 1) and Switch 1 port 1/2 connects to Switch 2 port 1/2 (Trunk 2). Trunk 1: VLANs 10, 20, and 30 at port-VLAN priority 1 (forwarding); VLANs 40, 50, and 60 at port-VLAN priority 32 (blocking). Trunk 2: VLANs 10, 20, and 30 at port-VLAN priority 32 (blocking); VLANs 40, 50, and 60 at port-VLAN priority 1 (forwarding).]

Figure 5-4 shows that both trunks are utilized when the network is operating normally. If one trunk link fails, the other trunk link acts as an alternate forwarding path for the traffic previously traveling over the failed link. If Trunk 1 fails in the network shown in Figure 5-4, STP reconverges to use Trunk 2 to forward traffic from all the VLANs, as shown in this example:

Switch_1> (enable) 04/21/1998,03:15:40:DISL-5:Port 1/1 has become non-trunk
Switch_1> (enable) show spantree 1/1
Port      Vlan  Port-State     Cost  Priority  Fast-Start  Group-method
--------  ----  -------------  ----  --------  ----------  ------------
 1/1         1  not-connected    19        32  disabled
Switch_1> (enable) show spantree 1/2
Port      Vlan  Port-State     Cost  Priority  Fast-Start  Group-method
--------  ----  -------------  ----  --------  ----------  ------------
 1/2         1  learning         19        32  disabled
 1/2        10  learning         19        32  disabled
 1/2        20  learning         19        32  disabled
 1/2        30  learning         19        32  disabled
 1/2        40  forwarding       19         1  disabled
 1/2        50  forwarding       19         1  disabled
 1/2        60  forwarding       19         1  disabled
 1/2      1003  not-connected    19        32  disabled
 1/2      1005  not-connected    19         4  disabled
Switch_1> (enable) show spantree 1/2
Port      Vlan  Port-State     Cost  Priority  Fast-Start  Group-method
--------  ----  -------------  ----  --------  ----------  ------------
 1/2         1  forwarding       19        32  disabled
 1/2        10  forwarding       19        32  disabled
 1/2        20  forwarding       19        32  disabled
 1/2        30  forwarding       19        32  disabled
 1/2        40  forwarding       19         1  disabled
 1/2        50  forwarding       19         1  disabled
 1/2        60  forwarding       19         1  disabled
 1/2      1003  not-connected    19        32  disabled
 1/2      1005  not-connected    19         4  disabled
Switch_1> (enable)
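The checks in Step 13 and the Caution after Step 10 (equal port-VLAN priority on both ends) can be run against saved show spantree output rather than read by eye. The following Python script is an added example and is not part of the Cisco guide; its sample displays are constructed to match the ones above, with one deliberate fault on Switch 2 (VLAN 30 left at the default priority of 32, as if the third command of Step 11 had been skipped).

```python
import re

GROUP_1 = (10, 20, 30)   # intended to forward over Trunk 1 (port 1/1)
GROUP_2 = (40, 50, 60)   # intended to forward over Trunk 2 (port 1/2)

# Constructed sample displays modelled on "show spantree 1/1" and
# "show spantree 1/2" from Step 13; not captured from a real switch.
SWITCH_1 = {
    "1/1": """\
Port      Vlan  Port-State     Cost  Priority  Fast-Start  Group-method
--------  ----  -------------  ----  --------  ----------  ------------
 1/1         1  forwarding       19        32  disabled
 1/1        10  forwarding       19         1  disabled
 1/1        20  forwarding       19         1  disabled
 1/1        30  forwarding       19         1  disabled
 1/1        40  blocking         19        32  disabled
 1/1        50  blocking         19        32  disabled
 1/1        60  blocking         19        32  disabled
 1/1      1003  not-connected    19        32  disabled
 1/1      1005  not-connected    19         4  disabled
""",
    "1/2": """\
Port      Vlan  Port-State     Cost  Priority  Fast-Start  Group-method
--------  ----  -------------  ----  --------  ----------  ------------
 1/2         1  blocking         19        32  disabled
 1/2        10  blocking         19        32  disabled
 1/2        20  blocking         19        32  disabled
 1/2        30  blocking         19        32  disabled
 1/2        40  forwarding       19         1  disabled
 1/2        50  forwarding       19         1  disabled
 1/2        60  forwarding       19         1  disabled
 1/2      1003  not-connected    19        32  disabled
 1/2      1005  not-connected    19         4  disabled
""",
}

# Constructed Switch 2 view of port 1/1: VLAN 30 still has priority 32,
# so the two ends of Trunk 1 disagree for that VLAN.
SWITCH_2_PORT_1_1 = """\
Port      Vlan  Port-State     Cost  Priority  Fast-Start  Group-method
--------  ----  -------------  ----  --------  ----------  ------------
 1/1         1  forwarding       19        32  disabled
 1/1        10  forwarding       19         1  disabled
 1/1        20  forwarding       19         1  disabled
 1/1        30  forwarding       19        32  disabled
 1/1        40  forwarding       19        32  disabled
 1/1        50  forwarding       19        32  disabled
 1/1        60  forwarding       19        32  disabled
 1/1      1003  not-connected    19        32  disabled
 1/1      1005  not-connected    19         4  disabled
"""

# port, vlan, port-state, cost, priority, fast-start
ROW = re.compile(r"^\s*\d+/\d+\s+(\d+)\s+(\S+)\s+\d+\s+(\d+)\s+\S+")


def parse_spantree(text):
    """Map each VLAN in one show spantree display to (port_state, priority)."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return rows


def state(rows, vlan):
    return rows.get(vlan, ("missing", None))[0]


def check_load_sharing(trunk1, trunk2, group1=GROUP_1, group2=GROUP_2):
    """Problems with the Step 13 expectation: group 1 forwards on trunk 1 and
    blocks on trunk 2, group 2 the reverse. An empty list means as intended."""
    problems = []
    for vlan in group1:
        if state(trunk1, vlan) != "forwarding" or state(trunk2, vlan) != "blocking":
            problems.append(f"VLAN {vlan}: 1/1={state(trunk1, vlan)} 1/2={state(trunk2, vlan)}")
    for vlan in group2:
        if state(trunk2, vlan) != "forwarding" or state(trunk1, vlan) != "blocking":
            problems.append(f"VLAN {vlan}: 1/1={state(trunk1, vlan)} 1/2={state(trunk2, vlan)}")
    return problems


def priority_mismatches(end_a, end_b):
    """VLANs whose port-VLAN priority differs between the two ends of one link;
    the Caution requires the priority for each VLAN to be equal on both ends."""
    vlans = set(end_a) | set(end_b)
    return sorted(v for v in vlans
                  if end_a.get(v, (None, None))[1] != end_b.get(v, (None, None))[1])


if __name__ == "__main__":
    t1, t2 = parse_spantree(SWITCH_1["1/1"]), parse_spantree(SWITCH_1["1/2"])
    print("Switch 1 load-sharing problems:", check_load_sharing(t1, t2))
    print("Trunk 1 priority mismatches:",
          priority_mismatches(t1, parse_spantree(SWITCH_2_PORT_1_1)))
```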

Disabling VLAN 1 on Trunks

On the Catalyst 6000 family switches, VLAN 1 is enabled by default to allow control protocols to transmit and receive packets across the network topology. However, when VLAN 1 is enabled on trunk links in a large complex network, the impact of broadcast storms increases. Because spanning tree applies to the entire network, spanning tree loops might increase when you enable VLAN 1 on all trunk links. To prevent this scenario, you can disable VLAN 1 on trunk interfaces.

When you disable VLAN 1 on a trunk interface, no user traffic is transmitted and received across that trunk interface, but the supervisor engine continues to transmit and receive packets from control protocols such as Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), VTP, and DTP.

When a trunk port with VLAN 1 disabled becomes a nontrunk port, it is added to the native VLAN. If the native VLAN is VLAN 1, the port is enabled and added to VLAN 1.

Disabling VLAN 1 on a Trunk Link

To disable VLAN 1 on a trunk interface, perform this task in privileged mode:

Task                                                    Command
Step 1  Disable VLAN 1 on the trunk interface.          clear trunk mod/port [vlan-range]
Step 2  Verify the allowed VLAN list for the trunk.     show trunk [mod/port]

This example shows how to disable VLAN 1 on a trunk link and verify the configuration:

Console> (enable) clear trunk 8/1 1
Removing Vlan(s) 1 from allowed list.
Port 8/1 allowed vlans modified to 2-1005.
Console> (enable) show trunk 8/1
Port      Mode         Encapsulation  Status
--------  -----------  -------------  ------------
 8/1      on           isl            trunking

Port      Native vlan
--------  -----------
 8/1      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 8/1      2-1005,1025-4094

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 8/1      2-6,10,20,50,100,152,200,300,400,500,521,524,570,776,801-802,850,917,999,1003,1005

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 8/1      2-6,10,20,50,100,152,200,300,400,500,521,524,570,776,801-802,850,917,999,1003,1005
Console> (enable) show config
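The Step 2 verification can be applied to every trunk at once by parsing saved show trunk output. The following Python function is an added example, not from the Cisco guide; its sample display is constructed, with port 8/1 as shown above after clear trunk 8/1 1 and a second port 8/2 that was never cleared, so the audit reports 8/2.

```python
import re

# Constructed "show trunk" display (not captured from a real switch) in the
# layout of the example above: 8/1 with VLAN 1 removed, 8/2 still allowing it.
SHOW_TRUNK = """\
Port      Mode         Encapsulation  Status
--------  -----------  -------------  ------------
 8/1      on           isl            trunking
 8/2      desirable    dot1q          trunking

Port      Native vlan
--------  -----------
 8/1      1
 8/2      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 8/1      2-1005,1025-4094
 8/2      1-1005,1025-4094

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 8/1      2-6,10,20,50,100
 8/2      1-6,10,20,50,100
"""

ROW = re.compile(r"^\s*(\d+/\d+)\s+(\S+)")


def expand_vlan_list(spec):
    """Expand a CatOS VLAN list such as "2-6,10,1025-4094" into a set of IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def allowed_vlans_by_port(show_trunk_output):
    """Return {port: set of allowed VLANs} from the 'Vlans allowed on trunk'
    table of a show trunk display. The table ends at the next blank line."""
    result = {}
    in_table = False
    for line in show_trunk_output.splitlines():
        if line.startswith("Port") and "Vlans allowed on trunk" in line:
            in_table = True
            continue
        if not in_table:
            continue
        if not line.strip():
            break
        m = ROW.match(line)           # skips the dashed separator line
        if m:
            result[m.group(1)] = expand_vlan_list(m.group(2))
    return result


def trunks_allowing_vlan(show_trunk_output, vlan=1):
    """Trunk ports whose allowed list still contains the given VLAN."""
    return sorted(port for port, allowed in allowed_vlans_by_port(show_trunk_output).items()
                  if vlan in allowed)


if __name__ == "__main__":
    print("trunks still carrying VLAN 1:", trunks_allowing_vlan(SHOW_TRUNK))
```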


CHAPTER 6 Configuring EtherChannel

This chapter describes how to use the command-line interface (CLI) to configure EtherChannel on the Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:
• Understanding How EtherChannel Works, page 6-i
• EtherChannel Configuration Guidelines, page 6-iv
• Configuring EtherChannel, page 6-v

Note The commands in the following sections can be used on all Ethernet ports in the Catalyst 6000 family switches. The configuration tasks in this chapter apply to Ethernet, Fast Ethernet, and Gigabit Ethernet switching modules, as well as to the uplink ports on the supervisor engine.

Understanding How EtherChannel Works

EtherChannel bundles individual Ethernet links into a single logical link that provides bandwidth up to 1600 Mbps (Fast EtherChannel full duplex) or 16 Gbps (Gigabit EtherChannel) between a Catalyst 6000 family switch and another switch or host. All Ethernet ports on all modules, including those on a standby supervisor engine, support EtherChannel (maximum of eight compatibly configured ports) with no requirement that ports be contiguous or on the same module. All ports in each EtherChannel must be the same speed.

Note With software release 6.2(1) and earlier releases, the 6- and 9-slot Catalyst 6000 family switches support a maximum of 128 EtherChannels. With software release 6.2(2) and later releases, due to the port ID handling by the spanning tree feature, the maximum supported number of EtherChannels is 126 for a 6- or 9-slot chassis and 63 for a 13-slot chassis. Note that the 13-slot chassis was first supported in software release 6.2(2).

Note The network device to which a Catalyst 6000 family switch is connected may impose its own limits on the number of ports in an EtherChannel.

If a segment within an EtherChannel fails, traffic previously carried over the failed link switches to the remaining segments within the EtherChannel. A trap is sent upon a failure identifying the switch, the EtherChannel, and the failed link. Inbound broadcast and multicast packets on one segment in an EtherChannel are blocked from returning on any other segment of the EtherChannel.

These sections describe EtherChannel:
• Understanding Administrative Groups, page 6-ii
• Understanding EtherChannel IDs, page 6-ii
• Understanding Port Aggregation Protocol, page 6-ii
• Understanding Frame Distribution, page 6-iii

Understanding Administrative Groups

Configuring an EtherChannel creates an administrative group, designated by an integer between 1 and 1024. When an administrative group is created, you can assign an administrative group number or let the next available administrative group number be assigned automatically. An administrative group may contain a maximum of eight ports. Forming a channel without specifying an administrative group number creates a new automatically numbered administrative group.

Understanding EtherChannel IDs

Each EtherChannel is automatically assigned a unique EtherChannel ID. Use the show channel group admin_group command to display the EtherChannel ID.

Understanding Port Aggregation Protocol

The Port Aggregation Protocol (PAgP) facilitates the automatic creation of EtherChannels by exchanging packets between Ethernet ports. The protocol learns the capabilities of port groups dynamically and informs the other ports. After PAgP identifies correctly matched EtherChannel links, it groups the ports into an EtherChannel. The EtherChannel is then added to the spanning tree as a single bridge port.

You can configure EtherChannels as trunks. After a channel is formed, configuring any port in the channel as a trunk applies the configuration to all ports in the channel. Identically configured trunk ports can be configured as an EtherChannel.

EtherChannel includes four user-configurable modes: on, off, auto, and desirable. Only auto and desirable are PAgP modes. You can modify the auto and desirable modes with the silent and non-silent keywords. By default, ports are in auto silent mode.

PAgP packets are exchanged only between ports in auto and desirable modes. Ports configured in on or off mode do not exchange PAgP packets.

Table 6-1 describes EtherChannel modes.

Table 6-1 EtherChannel Modes

Mode        Description
on          Mode that forces the port to channel without PAgP. With the on mode, a usable EtherChannel exists only when a port group in on mode is connected to another port group in on mode.
off         Mode that prevents the port from channeling.
auto        (Default) PAgP mode that places a port into a passive negotiating state, in which the port responds to PAgP packets it receives but does not initiate PAgP packet negotiation.
desirable   PAgP mode that places a port into an active negotiating state, in which the port initiates negotiations with other ports by sending PAgP packets.
silent      (Default) Keyword that is used with the auto or desirable mode when no traffic is expected from the other device, to prevent the link from being reported to the Spanning Tree Protocol as down.
non-silent  Keyword that is used with the auto or desirable mode when traffic is expected from the other device.

Both the auto and desirable modes allow ports to negotiate with connected ports to determine if they can form an EtherChannel, based on criteria such as port speed, trunking state, and VLAN numbers.

Ports can form an EtherChannel when they are in different PAgP modes as long as the modes are compatible:
• A port in desirable mode can form an EtherChannel successfully with another port that is in desirable or auto mode.
• A port in auto mode can form an EtherChannel with another port in desirable mode.
• A port in auto mode cannot form an EtherChannel with another port that is also in auto mode, because neither port will initiate negotiation.

Understanding Frame Distribution

EtherChannel distributes frames across the links in a channel by reducing part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel.

Enter the show module command for the supervisor engine to determine if EtherChannel frame distribution is configurable on your switch:
• If the display shows the “Sub-Type” to be “L2 Switching Engine I WS-F6020,” then EtherChannel frame distribution is not configurable on your switch; it uses source and destination Media Access Control (MAC) addresses.
• EtherChannel frame distribution is configurable with all other switching engines. The default is to use source and destination IP addresses.
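The effect of the field choice on distribution can be shown with a small simulation. The following Python script is an added example, not from the Cisco guide: the switch's actual reduction of the address bits is not published here, so the XOR fold of the low-order byte is an assumption used only to illustrate why a field that varies across frames spreads them over the links, while a constant destination MAC pins them all to one.

```python
from collections import Counter
import ipaddress

# Which header fields each frame-distribution option feeds into the reduction.
POLICIES = {
    "dst-mac":      lambda f: (f["dst_mac"],),
    "src-dst-mac":  lambda f: (f["src_mac"], f["dst_mac"]),
    "src-dst-ip":   lambda f: (f["src_ip"], f["dst_ip"]),
    "src-dst-port": lambda f: (f["src_port"], f["dst_port"]),
}


def select_link(fields, link_count):
    """Reduce the chosen fields to a link index by XOR-folding the low-order
    byte of each. Illustrative only (an assumption), not the switch's algorithm."""
    acc = 0
    for value in fields:
        acc ^= value & 0xFF
    return acc % link_count


def ip_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def make_frames(host_count=16):
    """Constructed traffic: host_count clients, each with its own MAC and IP,
    all talking to one server, i.e. the 'single MAC address' case in the text."""
    server_mac, server_ip = 0x00000C000001, ip_int("10.1.2.50")
    return [
        {"src_mac": 0x00000C001000 + i, "dst_mac": server_mac,
         "src_ip": ip_int(f"10.1.1.{11 + i}"), "dst_ip": server_ip,
         "src_port": 40000 + 7 * i, "dst_port": 443}
        for i in range(host_count)
    ]


def distribution(frames, policy, link_count=4):
    """Number of frames landing on each link index under the given policy."""
    counts = Counter(select_link(POLICIES[policy](f), link_count) for f in frames)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    frames = make_frames()
    for policy in POLICIES:
        print(f"{policy:13} -> {distribution(frames, policy)}")
```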

When configurable, EtherChannel frame distribution can use MAC addresses, IP addresses, and Layer 4 port numbers. You can specify either source or destination address or both source and destination addresses and Layer 4 port numbers. The mode you select applies to all EtherChannels configured on the switch.

Use the option that provides the greatest variety in your configuration. For example, if the traffic on a channel is going to a single MAC address only, using source addresses or IP addresses or Layer 4 port numbers as the basis for frame distribution may provide better frame distribution than selecting MAC addresses as the basis.

EtherChannel Configuration Guidelines

If improperly configured, some EtherChannel ports are disabled automatically to avoid network loops and other problems. Follow these guidelines to avoid configuration problems:
• Assign all ports in an EtherChannel to the same VLAN, or configure them as trunk ports.
• If you configure the EtherChannel as a trunk, configure the same trunk mode on all the ports in the EtherChannel. Configuring ports in an EtherChannel in different trunk modes can have unexpected results.
• An EtherChannel supports the same allowed range of VLANs on all the ports in a trunking EtherChannel. If the allowed range of VLANs is not the same for a port list, the ports do not form an EtherChannel even when set to the auto or desirable mode with the set port channel command.
• Ports with different port path costs, set by the set spantree portcost command, can form an EtherChannel as long as they are otherwise compatibly configured. Setting different port path costs does not, by itself, make ports incomp
atible for the formation of an EtherChannel.
• An EtherChannel will not form if one of the ports is a SPAN destination port.
• An EtherChannel will not form with ports where the port security feature is enabled. You cannot enable the port security feature for ports in an EtherChannel.
• Do not configure the ports in an EtherChannel as dynamic VLAN ports. Doing so can adversely affect switch performance.
• An EtherChannel will not form if protocol filtering is set differently on the ports.
• An EtherChannel will not form with ports that have different GARP VLAN Registration Protocol (GVRP), GARP Multicast Registration Protocol (GMRP), and quality of service (QoS) configurations.
• Configure all ports in an EtherChannel to operate at the same speed and duplex mode.
• Enable all ports in an EtherChannel. If you disable a port in an EtherChannel, it is treated as a link failure and its traffic is transferred to one of the remaining ports in the EtherChannel.
• With software release 6.3(1) and later releases, an EtherChannel is preserved even if it contains only one port. In software releases prior to 6.3(1), traffic was disrupted when you removed a 1-port channel from spanning tree and then added it to spanning tree as an individual port.
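The guidelines above and the mode compatibility rules from Table 6-1 can be turned into a pre-change check that runs over a description of the candidate ports before anyone types set port channel. The following Python script is an added example, not from the Cisco guide; the PortConfig field names are this example's own, not CatOS keywords, and the sample port set is constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PortConfig:
    """Per-port settings the guidelines compare (names are this example's own)."""
    name: str
    channel_mode: str = "auto"          # on, off, auto, desirable
    speed_mbps: int = 100
    duplex: str = "full"
    trunk: bool = False
    trunk_mode: str = "off"
    allowed_vlans: str = "1-1005,1025-4094"
    vlan: int = 1                       # access VLAN when not trunking
    dynamic_vlan: bool = False
    port_security: bool = False
    span_destination: bool = False
    protocol_filter: str = "off"
    gvrp: bool = False
    gmrp: bool = False
    qos_policy: str = "default"


def pagp_modes_compatible(local, peer):
    """Table 6-1 and the list after it: off never channels, on pairs only with
    on, and an auto/desirable pair needs at least one desirable side."""
    if "off" in (local, peer):
        return False
    if "on" in (local, peer):
        return local == peer
    return "desirable" in (local, peer)


def channel_incompatibilities(ports):
    """Guideline violations that would keep these ports from forming one
    EtherChannel. An empty list means they are compatibly configured."""
    problems = []
    if not 2 <= len(ports) <= 8:
        problems.append(f"{len(ports)} ports: a channel holds 2 to 8 ports")
    ref = ports[0]
    for p in ports:
        if p.span_destination:
            problems.append(f"{p.name} is a SPAN destination port")
        if p.port_security:
            problems.append(f"{p.name} has port security enabled")
        if p.dynamic_vlan:
            problems.append(f"{p.name} is a dynamic VLAN port")
    for p in ports[1:]:
        if (p.speed_mbps, p.duplex) != (ref.speed_mbps, ref.duplex):
            problems.append(f"{p.name}: speed/duplex differs from {ref.name}")
        if p.trunk != ref.trunk:
            problems.append(f"{p.name}: trunking state differs from {ref.name}")
        elif p.trunk and p.trunk_mode != ref.trunk_mode:
            problems.append(f"{p.name}: trunk mode differs from {ref.name}")
        elif p.trunk and p.allowed_vlans != ref.allowed_vlans:
            problems.append(f"{p.name}: allowed VLAN range differs from {ref.name}")
        elif not p.trunk and p.vlan != ref.vlan:
            problems.append(f"{p.name}: VLAN differs from {ref.name}")
        if p.protocol_filter != ref.protocol_filter:
            problems.append(f"{p.name}: protocol filtering differs from {ref.name}")
        if (p.gvrp, p.gmrp, p.qos_policy) != (ref.gvrp, ref.gmrp, ref.qos_policy):
            problems.append(f"{p.name}: GVRP/GMRP/QoS configuration differs from {ref.name}")
    return problems


# Constructed: a seven-port group 2/2-8, all dot1q trunks in desirable mode.
GOOD_PORTS = [PortConfig(f"2/{n}", channel_mode="desirable", trunk=True,
                         trunk_mode="desirable") for n in range(2, 9)]

# The same group with two guideline violations introduced on purpose.
BAD_PORTS = [
    replace(p, port_security=True) if p.name == "2/5"
    else replace(p, allowed_vlans="1-1005") if p.name == "2/6"
    else p
    for p in GOOD_PORTS
]

if __name__ == "__main__":
    print("good set:", channel_incompatibilities(GOOD_PORTS))
    print("bad set:", channel_incompatibilities(BAD_PORTS))
    print("desirable<->auto:", pagp_modes_compatible("desirable", "auto"))
```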

Configuring EtherChannel

These sections describe how to configure EtherChannel:
• Configuring an EtherChannel, page 6-v
• Setting the EtherChannel Port Mode, page 6-v
• Setting the EtherChannel Port Path Cost, page 6-vi
• Setting the EtherChannel VLAN Cost, page 6-vi
• Configuring EtherChannel Frame Distribution, page 6-viii
• Displaying EtherChannel Traffic Utilization, page 6-viii
• Displaying Outgoing Ports for a Specified Address or Layer 4 Port Number, page 6-viii
• Disabling an EtherChannel, page 6-ix

Configuring an EtherChannel

To configure EtherChannel on a group of Ethernet ports, perform this task in privileged mode:

Task                                                Command
Configure the EtherChannel on the desired ports.    set port channel mod/ports... [admin_group]
                                                    set port channel mod/port mode {on | off | desirable | auto} [silent | non-silent]

This example shows how to configure a seven-port EtherChannel in a new administrative group:

Console> (enable) set port channel 2/2-8 mode desirable
Ports 2/2-8 left admin_group 1.
Ports 2/2-8 joined admin_group 2.
Console> (enable)

Setting the EtherChannel Port Mode

To set a port’s EtherChannel mode, perform this task in privileged mode:

Task                                Command
Set a port’s EtherChannel mode.     set port channel mod/port mode {on | off | desirable | auto} [silent | non-silent]

This example shows how to set port 2/1 to auto mode:

Console> (enable) set port channel 2/1 mode auto
Ports 2/1 channel mode set to auto.
Console> (enable)

Setting the EtherChannel Port Path Cost

To set the EtherChannel port path cost, perform this task in privileged mode:

Task                                                                      Command
Step 1  Use the administrative group number to display the EtherChannel ID.   show channel group admin_group
Step 2  Use the EtherChannel ID to set the EtherChannel port path cost.       set channel cost {channel_id | all} cost

This example shows how to set the EtherChannel port path cost for channel ID 768:

Console> (enable) show channel group 20
Admin  Port   Status      Channel    Channel
group                     Mode       id
-----  -----  ----------  ---------  -------
20     1/1    notconnect  on         768
20     1/2    connected   on         768

Admin  Port   Device-ID                      Port-ID   Platform
group
-----  -----  -----------------------------  --------  ----------
20     1/1
20     1/2    066510644(cat26-lnf(NET25))    2/1       WS-C6009
Console> (enable)
Console> (enable) set channel cost 768 12
Port(s) 1/1,1/2 port path cost are updated to 31.
Channel 768 cost is set to 12.
Warning:channel cost may not be applicable if channel is broken.
Console> (enable)

Note When you enter the set channel cost command, it does not appear in the configuration file. The command causes a “set spantree portcost” entry to be created for each port in the channel. See the “Configuring the PVST+ Port Cost” section in Chapter 8, “Configuring Spanning Tree,” for information on using the set spantree portcost command.

Setting the EtherChannel VLAN Cost

The EtherChannel VLAN cost feature provides load balancing of VLAN traffic across multiple channels configured with trunking. You enter the set channel vlancost command to set the initial spanning tree costs for all VLANs in the channel. The set channel vlancost command provides an alternate cost for some of the VLANs in the channel (assuming you are trunking across the channel). This command allows you to have up to two different spanning tree costs assigned per channel; some VLANs in the channel can have the “vlancost” while the remaining VLANs in the channel have the “cost.”

The set channel vlancost command creates a “set spantree portvlancost” entry in the configuration file for each port in the channel. Once you have entered the set channel vlancost command, you must enter the set spantree portvlancost command for at least one port in the channel, specifying the VLAN or VLANs that you want associated with each port.

To set the EtherChannel VLAN cost, perform this task in privileged mode:

        Task                                                              Command
Step 1  Use the administrative group number to display the EtherChannel ID.    show channel group admin_group
Step 2  Use the EtherChannel ID to set the EtherChannel VLAN cost.             set channel vlancost channel_id cost
Step 3  Configure the port cost for the desired VLANs on each port.            set spantree portvlancost {mod/port} [cost cost] [vlan_list]

This example shows how to set the EtherChannel VLAN cost for channel ID 856:

Console> (enable) show channel group 22
Admin Port  Status      Channel                         Channel
group                   Mode                            id
----- ----- ----------- ------------------------------- -------
22    1/1   notconnect  on                              856
22    1/2   connected   on                              856

Admin Port  Device-ID                     Port-ID   Platform
group
----- ----- ----------------------------- --------- ---------
22    1/1
22    1/2   066510644(cat26-lnf(NET25))   2/1       WS-C6009
Console> (enable)
Console> (enable) set channel vlancost 856 10
Port(s) 3/47-48 vlan cost are updated to 16.
Channel 856 vlancost is set to 10.
Console> (enable)

The following examples show what occurs when each command is entered:

Console> (enable) set channel vlancost 856 10
Port(s) 3/47-48 vlan cost are updated to 16.
Channel 856 vlancost is set to 10.
Console> (enable)

The following commands are added to the configuration file:
• set spantree portvlancost 3/47 cost 16
• set spantree portvlancost 3/48 cost 16

Now you have to add the desired VLANs to the above created commands by entering the following:

Console> (enable) set spantree portvlancost 3/47 cost 16 1-1005
Port 3/47 VLANs 1-1005 have path cost 16.
Port 3/47 VLANs 1025-4094 have path cost 19.
Console> (enable) set spantree portvlancost 3/48 cost 16 1-1005
Port 3/48 VLANs 1-1005 have path cost 16.
Port 3/48 VLANs 1025-4094 have path cost 19.
Console> (enable)

Configuring EtherChannel Frame Distribution

To configure EtherChannel frame distribution, perform this task in privileged mode:

Task                                          Command
Configure EtherChannel frame distribution.    set port channel all distribution {ip | mac} [source | destination | both]
                                              set port channel all distribution {session} [both]

Note The set port channel all distribution session command option is supported on Supervisor Engine 2 only.

This example shows how to configure EtherChannel to use MAC source addresses:

Console> (enable) set port channel all distribution mac source
Channel distribution is set to mac source.
Console> (enable)

Displaying EtherChannel Traffic Utilization

To display the traffic utilization on the EtherChannel ports, perform this task in privileged mode:

Task                            Command
Display traffic utilization.    show channel traffic

This example shows how to display traffic utilization on EtherChannel ports:

Console> (enable) show channel traffic
ChanId Port  Rx-Ucst Tx-Ucst Rx-Mcst Tx-Mcst Rx-Bcst Tx-Bcst
------ ----- ------- ------- ------- ------- ------- -------
   808 2/16    0.00%   0.00%  50.00%  75.00%   0.00%   0.00%
   808 2/17    0.00%   0.00%  50.00%  25.00%   0.00%   0.00%
   816 2/31    0.00%   0.00%  25.25%  50.50%   0.00%   0.00%
   816 2/32    0.00%   0.00%  74.75%  49.50%   0.00%   0.00%
Console> (enable)

Displaying Outgoing Ports for a Specified Address or Layer 4 Port Number

To display the outgoing port used in an EtherChannel for a specific address or Layer 4 port number, perform this task in privileged mode:

Task                                                                     Command
Display the outgoing port for a specified address or Layer 4 port number.    show channel hash channel_id src_ip_addr [dest_ip_addr] | dest_ip_address | src_mac_addr [dest_mac_addr] | dest_mac_addr | src_port dest_port

This example shows how to display the outgoing port for the specified source and destination IP addresses:

Console> (enable) show channel hash 808 172.20.32.10 172.20.32.66
Selected channel port:2/17
Console> (enable)

Disabling an EtherChannel

To disable an EtherChannel, perform this task in privileged mode:

Task                         Command
Disable an EtherChannel.     set port channel mod/port mode off

This example shows how to disable an EtherChannel:

Console> (enable) set port channel 2/2-8 mode off
Ports 2/2-8 channel mode set to off.
Console> (enable)
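The show channel traffic display above is the operator's view of how the chosen frame-distribution key is actually spreading load. The following Python script is an added example, not part of the Cisco guide: it parses that display (the sample text is constructed to match the column layout, with made-up percentages, not the guide's figures) and flags any member port that carries nearly all of a channel's traffic in some column, which is what a poorly chosen distribution key (for example, source MAC only, with little address variety) looks like when it is pinning a flow class to one link. The 90 percent threshold is an assumption of this example.

```python
import re

# Constructed sample of "show channel traffic" output: same column layout as the switch display,
# percentages invented for this example (channel 816 has unicast pinned to one member each way).
SAMPLE_OUTPUT = """\
ChanId Port  Rx-Ucst Tx-Ucst Rx-Mcst Tx-Mcst Rx-Bcst Tx-Bcst
------ ----- ------- ------- ------- ------- ------- -------
   808 2/16    0.00%   0.00%  50.00%  75.00%   0.00%   0.00%
   808 2/17    0.00%   0.00%  50.00%  25.00%   0.00%   0.00%
   816 2/31   98.50%   1.00%  25.25%  50.50%   0.00%   0.00%
   816 2/32    1.50%  99.00%  74.75%  49.50%   0.00%   0.00%
"""

COLUMNS = ("rx_ucst", "tx_ucst", "rx_mcst", "tx_mcst", "rx_bcst", "tx_bcst")
# One data row: channel id, mod/port, then exactly six percentage fields.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+/\d+)\s+((?:\d+\.\d+%\s*){6})$")


def parse_channel_traffic(text):
    """Return {channel_id: {port: {column: percent}}} from show channel traffic output.
    Header, separator rule and prompt lines do not match ROW_RE and are skipped."""
    channels = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        chan, port, fields = int(m.group(1)), m.group(2), m.group(3).split()
        values = {col: float(p.rstrip("%")) for col, p in zip(COLUMNS, fields)}
        channels.setdefault(chan, {})[port] = values
    return channels


def find_imbalance(channels, threshold=90.0):
    """List (channel, column, port, percent) for every member port that carries more than
    `threshold` percent of its channel's traffic in a column; ordered by channel, column, port."""
    findings = []
    for chan, ports in sorted(channels.items()):
        for col in COLUMNS:
            for port, values in sorted(ports.items()):
                if values[col] > threshold:
                    findings.append((chan, col, port, values[col]))
    return findings


if __name__ == "__main__":
    for chan, col, port, pct in find_imbalance(parse_channel_traffic(SAMPLE_OUTPUT)):
        print(f"channel {chan}: port {port} carries {pct:.2f}% of {col}")
```

Run it against the text captured from a real show channel traffic session; a hit on the unicast columns usually means revisiting the set port channel all distribution setting rather than the links themselves.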


Chapter 7  Configuring IEEE 802.1Q Tunneling

This chapter describes how to configure IEEE 802.1Q tunneling on the Catalyst 6000 family switches.

This chapter consists of these sections:
• Understanding How 802.1Q Tunneling Works, page 7-i
• 802.1Q Tunneling Configuration Guidelines, page 7-ii
• Configuring Support for 802.1Q Tunneling, page 7-iii

Understanding How 802.1Q Tunneling Works

802.1Q tunneling enables service providers to use a single VLAN to support customers who have multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated. To keep customer traffic segregated, each customer requires a separate VLAN, but that one VLAN supports all of the customer’s VLANs.

A port configured to support 802.1Q tunneling is called a tunnel port. When you configure tunneling, you assign a tunnel port to a VLAN that you dedicate to tunneling. A VLAN carrying tunnel traffic is an 802.1Q tunnel. The tunnel ports in the VLAN are the tunnel’s ingress and egress points. The tunnel can cross other network links and other network devices before reaching the egress tunnel port. The tunnel ports do not have to be on the same network device. A tunnel can have as many tunnel ports as required to support the customer devices that need to communicate through the tunnel.

With 802.1Q tunneling, tagged traffic comes from an 802.1Q trunk port on a customer device and enters the switch through a tunnel port. The link between the 802.1Q trunk port on a customer device and the tunnel port is called an asymmetrical link because one end is configured as an 802.1Q trunk port and the other end is configured as a tunnel port.

When a tunnel port receives tagged customer traffic from an 802.1Q trunk port, it does not strip the received 802.1Q tag from the frame header; instead, the tunnel port leaves the 802.1Q tag intact, adds a 1-byte Ethertype field (0x8100) and a 1-byte length field, and puts the received customer traffic into the VLAN to which the tunnel port is assigned. This Ethertype 0x8100 traffic, with the received 802.1Q tag intact, is called tunnel traffic.

An egress tunnel port strips the 1-byte Ethertype field (0x8100) and the 1-byte length field and transmits the traffic with the 802.1Q tag still intact to an 802.1Q trunk port on a customer device. The 802.1Q trunk port on the customer device strips the 802.1Q tag and puts the traffic into the appropriate customer VLAN.

802.1Q Tunneling Configuration Guidelines

Follow these guidelines when configuring 802.1Q tunneling in your network:
• Use asymmetrical links to put traffic into a tunnel or to remove traffic from a tunnel.
• Configure tunnel ports only to form an asymmetrical link.
• Dedicate one VLAN for each tunnel.
• Assign only tunnel ports to VLANs used for tunneling.
• Trunks require no special configuration to carry tunnel VLANs.
• We recommend that you use ISL trunks to carry tunnel traffic between devices that do not have tunnel ports. Because of the 802.1Q native VLAN feature, using 802.1Q trunks requires that you be very careful when you configure tunneling: a mistake might direct tunnel traffic to a non-tunnel port.
• Jumbo frames can be tunneled as long as the jumbo frame length combined with the 802.1Q tag does not exceed the maximum frame size.
• Because tunnel traffic retains the 802.1Q tag within the switch, the Layer 2 frame header length imposes the following restrictions:
  – The Layer 3 packet within the Layer 2 frame cannot be identified.
  – Layer 3 and higher parameters are not identifiable in tunnel traffic (for example, Layer 3 destination and source addresses).
  – Tunnel traffic cannot be routed.
  – The switch can provide only MAC-layer QoS for tunnel traffic.
  – QoS cannot detect the received CoS value in the 802.1Q 2-byte Tag Control Information field.
  – The switch can filter tunnel traffic using only Layer 2 parameters (VLANs and source and destination MAC addresses).
• Asymmetrical links do not support the Dynamic Trunking Protocol (DTP), because only one port on the link is a trunk. Configure the 802.1Q trunk port on an asymmetrical link with the nonegotiate dot1q trunking keywords.
• On an asymmetrical link, the Cisco Discovery Protocol (CDP) reports a native VLAN mismatch if the VLAN of the tunnel port does not match the native VLAN of the 802.1Q trunk. The 802.1Q tunnel feature does not require that the VLANs match. Ignore the messages if your configuration requires nonmatching VLANs.
• Because traffic in the native VLAN is untagged, ensure that the native VLAN of the 802.1Q trunk port in an asymmetrical link carries no traffic. You must enter the global set dot1q-all-tagged enable command to ensure that egress traffic in the native VLAN is tagged with 802.1Q tags.
• The 802.1Q tunneling feature cannot be configured on ports configured to support:
  – Private VLANs
  – Voice over IP (Cisco IP Phone 7960)
• The following Layer 2 protocols work between devices connected by an asymmetrical link:
  – CDP
  – UniDirectional Link Detection (UDLD)
  – Port Aggregation Protocol (PAgP)
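The frame handling described in “Understanding How 802.1Q Tunneling Works” and the native VLAN guideline above are easier to follow on bytes. The Python model below is an added example, not code from the Cisco guide: it builds a customer frame carrying an 802.1Q tag, has the ingress tunnel port push the tunnel VLAN over it (modelled here as a standard 4-byte 802.1Q tag, TPID 0x8100 plus Tag Control Information, an assumption of this example), and has the egress tunnel port strip only that outer tag. trunk_transmit then models a provider 802.1Q trunk that sends native-VLAN frames untagged unless the switch is in all-tagged mode, and vlan_seen_by_trunk shows the consequence the guideline guards against: with the outer tag gone, the next switch classifies the frame by the customer’s inner tag instead of the tunnel VLAN. The MAC addresses, VLAN numbers and payload are constructed.

```python
import struct

DOT1Q_TPID = 0x8100   # Ethertype value that introduces an 802.1Q tag


def build_frame(dst, src, vlan_id, pcp, ethertype, payload):
    """Build a single-tagged Ethernet frame: dst MAC, src MAC, 802.1Q tag, inner Ethertype, payload."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)          # Tag Control Information: PCP(3) CFI(1) VID(12)
    return dst + src + struct.pack("!HH", DOT1Q_TPID, tci) + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return ([(pcp, vid), ...] for each stacked 0x8100 tag after the MACs, inner Ethertype)."""
    offset, tags = 12, []
    while offset + 4 <= len(frame) and struct.unpack_from("!H", frame, offset)[0] == DOT1Q_TPID:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append((tci >> 13, tci & 0x0FFF))
        offset += 4
    return tags, struct.unpack_from("!H", frame, offset)[0]


def tunnel_ingress(frame, tunnel_vlan):
    """Tunnel port ingress: leave the customer tag intact and push an outer tag for the tunnel VLAN.
    The outer CoS is 0: the switch cannot read the CoS inside the customer tag (see the guidelines)."""
    outer = struct.pack("!HH", DOT1Q_TPID, tunnel_vlan & 0x0FFF)
    return frame[:12] + outer + frame[12:]


def tunnel_egress(frame):
    """Tunnel port egress: strip only the outer tag; the customer's own tag is delivered intact."""
    tags, _ = parse_tags(frame)
    if len(tags) < 2:
        raise ValueError("not tunnel traffic: no outer tag stacked over a customer tag")
    return frame[:12] + frame[16:]


def trunk_transmit(frame, native_vlan, all_tagged):
    """Provider 802.1Q trunk egress. With dot1q-all-tagged disabled a frame whose outer VID is the
    trunk's native VLAN goes out untagged (outer tag removed); with it enabled every frame stays tagged."""
    tags, _ = parse_tags(frame)
    if tags and tags[0][1] == native_vlan and not all_tagged:
        return frame[:12] + frame[16:]
    return frame


def vlan_seen_by_trunk(frame, native_vlan):
    """VLAN the receiving trunk assigns to a frame: the first tag's VID, or the native VLAN if untagged."""
    tags, _ = parse_tags(frame)
    return tags[0][1] if tags else native_vlan


# Constructed sample: a customer frame in customer VLAN 100 with CoS 5 carrying an IPv4 payload.
CUSTOMER_FRAME = build_frame(bytes.fromhex("020000000002"), bytes.fromhex("020000000001"),
                             vlan_id=100, pcp=5, ethertype=0x0800, payload=b"\x45" + bytes(19))
TUNNEL_VLAN = 20   # provider VLAN dedicated to this customer's tunnel


if __name__ == "__main__":
    tunneled = tunnel_ingress(CUSTOMER_FRAME, TUNNEL_VLAN)
    print("inside the tunnel:", parse_tags(tunneled))                    # ([(0, 20), (5, 100)], 2048)
    print("after tunnel egress:", parse_tags(tunnel_egress(tunneled)))  # ([(5, 100)], 2048)
    # Tunnel VLAN equals the trunk's native VLAN and all-tagged mode is off: the outer tag is lost.
    leaked = trunk_transmit(tunneled, native_vlan=TUNNEL_VLAN, all_tagged=False)
    print("next switch classifies it as VLAN", vlan_seen_by_trunk(leaked, TUNNEL_VLAN))   # 100
```

The last three lines are the whole argument for set dot1q-all-tagged enable and for keeping the native VLAN of the asymmetrical link empty: once the provider tag is gone, the only tag left is the customer’s, and a downstream trunk will treat that customer VLAN number as one of the provider’s own.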

• Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP) works between devices communicating through a tunnel, but does not work between devices connected by an asymmetrical link.
• VLAN Trunk Protocol (VTP) does not work between the following devices:
  – Devices connected by an asymmetrical link
  – Devices communicating through a tunnel

Note To configure an EtherChannel as an asymmetrical link, all ports in the EtherChannel must have the same tunneling configuration. Since the Layer 3 packet within the Layer 2 frame cannot be identified, configure the EtherChannel to use MAC-address-based frame distribution.

• An interconnected network may have redundant paths to the same edge switch in an ISP. An interconnected network cannot have redundant paths to two different edge switches in an ISP.
• The ISP infrastructure must use either PVST+ or MISTP-PVST+, but the customer network must use Per VLAN Spanning Tree + (PVST+) and cannot be configured for Multi-Instance Spanning Tree Protocol (MISTP).

Configuring Support for 802.1Q Tunneling

These sections describe 802.1Q tunneling configuration:
• Configuring the Switch to Support 802.1Q Tunneling, page 7-iii
• Configuring 802.1Q Tunnel Ports, page 7-iv
• Clearing 802.1Q Tunnel Ports, page 7-iv
• Removing Global Support for 802.1Q Tunneling, page 7-v

Caution Ensure that only the appropriate tunnel ports are in any VLAN used for tunneling and that one VLAN is used for each tunnel. Incorrect assignment of tunnel ports to VLANs can forward traffic inappropriately.

Configuring the Switch to Support 802.1Q Tunneling

The set dot1q-all-tagged enable command is a global command that configures a switch to forward all frames from 802.1Q trunks with 802.1Q tagging, including traffic in the native VLAN, and to admit only 802.1Q tagged frames on 802.1Q trunks, dropping any untagged traffic. You can enter this command on any switch that needs to support 802.1Q tunneling.

To configure the switch to support 802.1Q tunneling, perform this task in privileged mode:

        Task                                          Command
Step 1  Configure tunneling support on the switch.    set dot1q-all-tagged enable [all]
Step 2  Verify the configuration.                     show dot1q-all-tagged

This example shows how to configure tunneling on the switch and verify the configuration:

Console> (enable) set dot1q-all-tagged enable
Dot1q tagging is enabled
Console> (enable) show dot1q-all-tagged
Dot1q all tagged mode enabled
Console> (enable)

Configuring 802.1Q Tunnel Ports

To configure 802.1Q tunneling on a port, perform this task in privileged mode:

        Task                              Command
Step 1  Configure tunneling on a port.    set port dot1qtunnel {mod/port} access
Step 2  Verify the configuration.         show port dot1qtunnel [mod[/port]]

This example shows how to configure tunneling on port 4/1 and verify the configuration:

Console> (enable) set port dot1qtunnel 4/1 access
Dot1q tunnel feature set to access mode on port 4/1.
Port 4/1 trunk mode set to off.
Console> (enable) show port dot1qtunnel 4/1
Port  Dot1q tunnel mode
----- -----------------
 4/1  access

Clearing 802.1Q Tunnel Ports

You do not need to enter the set dot1q-all-tagged disable command to clear 802.1Q tunneling support from a port. The set port dot1qtunnel disable command is the only command required to clear the feature from the port.

To clear 802.1Q tunneling on a port, perform this task in privileged mode:

        Task                            Command
Step 1  Clear tunneling from a port.    set port dot1qtunnel {mod/port} disable
Step 2  Verify the configuration.       show port dot1qtunnel [mod[/port]]

This example shows how to clear tunneling on port 4/1 and verify the configuration:

Console> (enable) set port dot1qtunnel 4/1 disable
Dot1q tunnel feature disabled on port 4/1.
Console> (enable) show port dot1qtunnel 4/1
Port  Dot1q tunnel mode
----- -----------------
 4/1  disabled

Removing Global Support for 802.1Q Tunneling

To remove global support for 802.1Q tunneling on the switch, perform this task in privileged mode:

        Task                                       Command
Step 1  Remove tunneling support on the switch.    set dot1q-all-tagged disable [all]
Step 2  Verify the configuration.                  show dot1q-all-tagged

This example shows how to remove tunneling support on the switch and verify the configuration:

Console> (enable) set dot1q-all-tagged disable
Dot1q tagging is disabled
Console> (enable) show dot1q-all-tagged
Dot1q all tagged mode disabled
Console> (enable)


Chapter 8  Configuring Spanning Tree

This chapter describes the IEEE 802.1D bridge Spanning Tree Protocol (STP) and how to use and configure Cisco’s proprietary spanning tree protocols, Per VLAN Spanning Tree + (PVST+) and Multi-Instance Spanning Tree Protocol (MISTP), on the Catalyst 6000 family switches.

Note For information on configuring the spanning tree PortFast, UplinkFast, and BackboneFast features, see Chapter 9, “Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard.”

This chapter consists of these sections:
• Understanding How Spanning Tree Protocols Work, page 8-i
• Understanding PVST+ and MISTP Modes, page 8-xi
• Bridge Identifiers, page 8-xiii
• Using PVST+, page 8-xv
• Using MISTP-PVST+ or MISTP, page 8-xxii
• Configuring a Root Switch, page 8-xxxi
• Configuring Spanning Tree Timers, page 8-xxxv
• Understanding How BPDU Skewing Works, page 8-xxxvii
• Configuring BPDU Skewing, page 8-xxxviii

Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

Understanding How Spanning Tree Protocols Work

This section describes the specific functions that are common to all spanning tree protocols. Cisco’s proprietary spanning tree protocols, PVST+ and MISTP, are based on IEEE 802.1D STP. (See the “Understanding PVST+ and MISTP Modes” section on page 8-xi for information about PVST+ and MISTP.) The 802.1D STP is a Layer 2 management protocol that provides path redundancy in a network while preventing undesirable loops. All spanning tree protocols use an algorithm that calculates the best loop-free path through the network.

The Spanning Tree Protocol (STP) uses a distributed algorithm that selects one bridge of a redundantly connected network as the root of a spanning tree connected active topology. STP assigns roles to each port depending on what the port’s function is in the active topology. Port roles are as follows:
• Root—A unique forwarding port elected for the spanning tree topology
• Designated—A forwarding port elected for every switched LAN segment
• Alternate—A blocked port providing an alternate path to the root port in the spanning tree
• Backup—A blocked port in a loopback configuration

Switches that have ports with these assigned roles are called root or designated switches.

Spanning tree algorithms provide path redundancy by defining a tree that spans all of the switches in an extended network and then forcing certain redundant data paths into a standby (blocked) state. If one network segment becomes unreachable, or if spanning tree costs change, the spanning tree algorithm reconfigures the spanning tree topology and reestablishes the link by activating the standby path.

Spanning tree operation is transparent to end stations, which do not detect whether they are connected to a single LAN segment or a switched LAN of multiple segments.

These sections describe the STP:
• Understanding How a Topology is Created, page 8-ii
• Understanding How a Switch Becomes the Root Switch, page 8-iii
• Understanding How Bridge Protocol Data Units Work, page 8-iii
• Calculating and Assigning Port Costs, page 8-iv
• Spanning Tree Port States, page 8-v

Understanding How a Topology is Created

All switches in an extended LAN participating in a spanning tree gather information about other switches in the network through an exchange of data messages known as bridge protocol data units (BPDUs). This exchange of messages results in the following actions:
• A unique root switch is elected for the spanning tree network topology
• A designated switch is elected for every switched LAN segment
• Any loops in the switched network are eliminated by placing redundant switch ports in a backup state

The topology of an active switched network is determined by the following:
• The unique switch identifier (Media Access Control [MAC] address of the switch) associated with each switch
• The path cost to the root associated with each switch port
• The port identifier (MAC address of the port) associated with each switch port

In Ethernet networks, only one active path may exist between any two stations. Multiple active paths between stations can cause loops in the network. When loops occur, some switches recognize stations on both sides of the switch. This situation causes the forwarding algorithm to malfunction, allowing duplicate frames to be forwarded.

All paths that are not needed to reach the root switch from anywhere in the switched network are placed in STP-blocked mode. At regular intervals, the switches in the network send and receive spanning tree packets that they use to identify the path. For more information, see the “Understanding How a Switch Becomes the Root Switch” section on page 8-iii.

In a switched network, the root switch is the logical center of the spanning tree topology. A spanning tree protocol uses BPDUs to elect the root switch and root port for the switched network, as well as the root port and designated port for each switched segment.

Figure 8-1  Configuring a Loop-Free Topology (figure not reproduced; switches A, B, C, D with RP = Root Port, DP = Designated Port)

Understanding How a Switch Becomes the Root Switch

If all switches are enabled with default settings, the switch with the lowest MAC address in the network becomes the root switch. In Figure 8-1, Switch A is the root switch because it has the lowest MAC address. However, due to traffic patterns, number of forwarding ports, or line types, Switch A might not be the ideal root switch. A switch can be forced to become the root switch by increasing the priority (that is, lowering the numerical priority number) on the preferred switch. This action causes the spanning tree to recalculate the topology and make the selected switch the root switch.

When the spanning tree topology is based on default parameters, the path between source and destination stations in a switched network might not be ideal. For example, connecting higher-speed links to a port that has a higher number than the current root port can cause a root-port change. The goal is to make the fastest link the root port.

You can change the priority of a port to make it the root port. For example, assume that a port on Switch B is a fiber-optic link. Also, another port on Switch B (an unshielded twisted-pair [UTP] link) is the root port. Network traffic might be more efficient over the high-speed fiber-optic link. By changing the Port Priority parameter for the UTP port to a higher priority (lower numerical value) than the fiber-optic port, the UTP port becomes the root port. You could also accomplish this scenario by changing the Port Cost parameter for the UTP port to a lower value than that of the fiber-optic port.

Understanding How Bridge Protocol Data Units Work

BPDUs contain configuration information about the transmitting switch and its ports, including switch and port MAC addresses, switch priority, port priority, and port cost. Each configuration BPDU contains this information:
• The unique identifier of the switch that the transmitting switch believes to be the root switch
• The cost of the path to the root from the transmitting port
• The identifier of the transmitting port

The switch sends configuration BPDUs to communicate and compute the spanning tree topology. A MAC frame conveying a BPDU sends the switch group address to the destination address field. All switches connected to the LAN on which the frame is transmitted receive the BPDU. BPDUs are not directly forwarded by the switch, but the receiving switch uses the information in the frame to calculate a BPDU and, if the topology changes, initiates a BPDU transmission.

A BPDU exchange results in the following:
• One switch is elected as the root switch.
• The shortest distance to the root switch is calculated for each switch.
• A designated switch is selected. This is the switch that is closest to the root switch through which frames will be forwarded to the root.
• A port for each switch is selected. This is the port that provides the best path from the switch to the root switch.
• Ports included in the STP are selected.

Calculating and Assigning Port Costs

By calculating and assigning the port cost of the switch ports, you can ensure that the shortest (lowest cost) distance to the root switch is used to transmit data. You can calculate and assign lower path cost values (port costs) to higher bandwidth ports by using either the short method (which is the default) or the long method.

Two methods are available for calculating the default port cost: the short method and the long method. The short method uses a 16-bit format that yields values from 1 to 65535. The long method uses a 32-bit format that yields values in the range of 1 to 200,000,000. The short method is used to calculate the port cost unless you specify that the long method be used. You can specify the calculation method using the CLI. For steps for setting the default cost mode, see the “Configuring the PVST+ Default Port Cost Mode” section on page 8-xviii.

Note You should configure all switches in your network to use the same method for calculating port cost.

Calculating the Port Cost Using the Short Method

The IEEE 802.1D specification assigns 16-bit (short) default port cost values to each port based on bandwidth. The 16-bit values are only used for ports that have not been specifically configured for port cost. You can also manually assign port costs between 1 and 65535. Table 8-1 shows the default port cost values that are assigned by the switch for each type of port when you use the short method to calculate the port cost.

Table 8-1  Default Port Cost Values Using the Short Method

Port Speed    Default Cost Value    Default Range
10 Mbps       100                   1 to 65535
100 Mbps      19                    1 to 65535
1 Gbps        4                     1 to 65535
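The BPDU exchange and the port costs above decide which port becomes a switch’s root port, and the earlier example of making a UTP port the root port by lowering its Port Cost is a direct consequence. The Python below is an added example, not code from the Cisco guide. default_port_cost returns the Table 8-1 short-method values and, for the long method, 20,000,000 divided by the speed in Mbps clamped to the 32-bit range; that formulation is this example’s own and reproduces the recommended values in Table 8-2 of the next section. The Bpdu class holds the three fields the section lists plus the sender’s bridge ID, ordered as 802.1D compares them (root ID, then root path cost, then sender bridge ID, then port ID; this ordering is standard 802.1D behaviour that the section implies rather than states). choose_root_port adds each port’s own cost to the advertised root path cost and picks the best, or declares the switch itself root when nobody advertises a lower bridge ID. Bridge IDs and port names are constructed.

```python
from dataclasses import dataclass

# Table 8-1 short-method defaults, keyed by port speed in Mbps.
SHORT_DEFAULT_COST = {10: 100, 100: 19, 1000: 4}


def default_port_cost(bandwidth_mbps, method="short"):
    """Default spanning tree port cost for a port of the given speed.
    short: the 16-bit Table 8-1 values. long: 20,000,000 / speed in Mbps, clamped to 1..200,000,000
    (this example's formulation of the 32-bit method; it reproduces the Table 8-2 recommended values)."""
    if method == "short":
        return SHORT_DEFAULT_COST[bandwidth_mbps]
    if method == "long":
        return max(1, min(200_000_000, round(20_000_000 / bandwidth_mbps)))
    raise ValueError(f"unknown method {method!r}")


@dataclass(frozen=True, order=True)
class Bpdu:
    """Configuration BPDU fields in 802.1D comparison order, so that 'better BPDU' == 'smaller BPDU'."""
    root_id: tuple          # (bridge priority, bridge MAC) the sender believes to be the root
    root_path_cost: int     # cost of the path to the root from the transmitting port
    sender_id: tuple        # (bridge priority, bridge MAC) of the transmitting switch
    port_id: int            # identifier of the transmitting port


def choose_root_port(my_id, received):
    """received maps port name -> (Bpdu heard on that port, that port's own cost).
    Returns (root_id, this switch's root path cost, root port); root port is None when this switch is root."""
    candidates = sorted(
        (Bpdu(b.root_id, b.root_path_cost + cost, b.sender_id, b.port_id), port)
        for port, (b, cost) in received.items()
    )
    if not candidates or candidates[0][0].root_id >= my_id:
        return my_id, 0, None          # no neighbour advertises a lower bridge ID: we are the root
    best, port = candidates[0]
    return best.root_id, best.root_path_cost, port


# Constructed bridge IDs: default priority 32768, so the lowest MAC wins the root election.
ROOT = (32768, "00-00-0a-00-00-01")
SWITCH_B = (32768, "00-00-0b-00-00-01")
ME = (32768, "00-00-0c-00-00-01")

if __name__ == "__main__":
    heard = {
        "3/1": (Bpdu(ROOT, 0, ROOT, 1), default_port_cost(100)),        # 100 Mbps link straight to the root
        "3/2": (Bpdu(ROOT, 4, SWITCH_B, 2), default_port_cost(1000)),   # 1 Gbps link via Switch B
    }
    print("default costs:", choose_root_port(ME, heard))                # (ROOT, 8, '3/2')
    heard["3/1"] = (Bpdu(ROOT, 0, ROOT, 1), 1)                          # operator lowers the port cost on 3/1
    print("after set spantree portcost 3/1 1:", choose_root_port(ME, heard))   # (ROOT, 1, '3/1')
```

The two printed lines show the section’s point in numbers: with default short-method costs the slower 100 Mbps direct link loses (19 versus 4 + 4 = 8), and lowering that port’s cost is enough to move the root port without touching the root switch.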

Calculating the Port Cost Using the Long Method

802.1t assigns 32-bit (long) default port cost values to each port using a formula that is based on the bandwidth of the port. The formula for obtaining default 32-bit port costs is to divide the bandwidth of the port by 200,000,000,000. You can also manually assign port costs between 1 and 200,000,000. Table 8-2 shows the default port cost values that are assigned by the switch and the recommended cost values and ranges for each type of port when you use the long method to calculate port cost.

Table 8-2  Default Port Cost Values Using the Long Method

Port Speed    Recommended Value    Recommended Range           Available Range
≤100 kbps     200000000            20000000 to 200000000       1 to 200000000
1 Mbps        20000000             2000000 to 200000000        1 to 200000000
10 Mbps       2000000              200000 to 20000000          1 to 200000000
100 Mbps      200000               20000 to 2000000            1 to 200000000
1 Gbps        20000                2000 to 200000              1 to 200000000
10 Gbps       2000                 200 to 20000                1 to 200000000

Calculating the Port Cost for Aggregate Links

• As individual links are added or removed from an aggregate link (port bundle), the bandwidth of the aggregate link increases or decreases. These changes in bandwidth lead to recalculation of the default port cost for the aggregated port. Changes to the default port cost or changes resulting from links that autonegotiate their bandwidth could lead to recalculation of the spanning tree topology, which may not be desirable, especially if the added or removed link is of little consequence to the bandwidth of the aggregate link (for example, if a 10-Mbps link were removed from a 10-Gbps aggregate link). Because of the limitations presented by automatically recalculating the topology, 802.1t states that changes in bandwidth will not result in changes to the cost of the port concerned. The aggregated port will therefore use the same port cost parameters as a stand-alone port.

Spanning Tree Port States

Topology changes can take place in a switched network due to a link coming up or a link going down (failing). When a switch port transitions directly from nonparticipation in the topology to the forwarding state, it can create temporary data loops. Ports must wait for new topology information to propagate through the switches in the LAN before they can start forwarding frames. Also, they must allow the frame lifetime to expire for frames that have been forwarded using the old topology.

Note With IOS Release 12.1(1)E or later releases on the Multilayer Switch Feature Card (MSFC), the Address Resolution Protocol (ARP) on the STP Topology Change Notification feature ensures that excessive flooding does not occur when the MSFC receives a topology change notification (TCN) from the supervisor engine. This feature works with supervisor engine software release 5.4(2) or later releases. The feature causes the MSFC to send ARP requests for all the ARP entries belonging to the VLAN interface where the TCN is received. When the ARP replies come back, the Policy Feature Card (PFC) learns the MAC entries, which were lost as a result of the topology change. Learning the entries immediately following a topology change prevents excessive flooding later. There is no configuration required on the MSFC.

At any given time, each port on a switch using a spanning tree protocol is in one of these states:
• Blocking
• Listening
• Learning
• Forwarding
• Disabled

A port moves through these states as follows:
• From initialization to blocking
• From blocking to listening or to disabled
• From listening to learning or to disabled
• From learning to forwarding or to disabled
• From forwarding to disabled

Figure 8-2 illustrates how a port moves through the states.

Figure 8-2  STP Port States (figure not reproduced; boot-up initialization leads to the blocking state, then listening, learning and forwarding, with the disabled state reachable from each)

You can modify each port state by using management software, for example, VLAN Trunking Protocol (VTP). When you enable spanning tree, every switch in the network goes through the blocking state and the transitory states of listening and learning at power up. If properly configured, each port stabilizes into the forwarding or blocking state.

When the spanning tree algorithm places a port in the forwarding state, the following occurs:
• The port is put into the listening state while it waits for protocol information that suggests it should go to the blocking state.
• The port waits for the expiration of a protocol timer that moves the port to the learning state.
• In the learning state, the port continues to block frame forwarding as it learns station location information for the forwarding database.
• The expiration of a protocol timer moves the port to the forwarding state, where both learning and forwarding are enabled.

Blocking State

A port in the blocking state does not participate in frame forwarding (see Figure 8-3). After initialization, a BPDU is sent to each port in the switch. A switch initially assumes it is the root until it exchanges BPDUs with other switches. This exchange establishes which switch in the network is really the root. If only one switch resides in the network, no exchange occurs, the forward delay timer expires, and the ports move to the listening state. A switch always enters the blocking state following switch initialization.

Figure 8-3  Port 2 in Blocking State (figure not reproduced; Port 1 forwarding and Port 2 blocking, with the filtering database, system module, station addresses, BPDUs, and network management and data frames)

A port in the blocking state performs as follows:
• Discards frames received from the attached segment.
• Discards frames switched from another port for forwarding.
• Does not incorporate station location into its address database. (There is no learning on a blocking port, so there is no address database update.)
• Receives BPDUs and directs them to the system module.
• Does not transmit BPDUs received from the system module.
• Receives and responds to network management messages.

Listening State

The listening state is the first transitional state a port enters after the blocking state. The port enters this state when the spanning tree determines that the port should participate in frame forwarding. Learning is disabled in the listening state. Figure 8-4 shows a port in the listening state.

Figure 8-4 Port 2 in Listening State (figure: Port 1 forwarding, Port 2 listening; all segment frames, station addresses, filtering database, system module, BPDU and network management frames, data frames)

A port in the listening state performs as follows:
• Discards frames received from the attached segment.
• Discards frames switched from another port for forwarding.
• Does not incorporate station location into its address database. (There is no learning at this point, so there is no address database update.)
• Receives BPDUs and directs them to the system module.
• Processes BPDUs received from the system module.
• Receives and responds to network management messages.

Learning State

A port in the learning state prepares to participate in frame forwarding. The port enters the learning state from the listening state. Figure 5 shows a port in the learning state.

A port in the learning state performs as follows:
• Discards frames received from the attached segment.
• Discards frames switched from another port for forwarding.
• Incorporates station location into its address database.
• Receives BPDUs and directs them to the system module.
• Receives, processes, and transmits BPDUs received from the system module.
• Receives and responds to network management messages.

Figure 8-5 Port 2 in Learning State (figure: Port 1 forwarding, Port 2 learning; all segment frames, station addresses, filtering database, system module, BPDU and network management frames, data frames)

Forwarding State

A port in the forwarding state forwards frames, as shown in Figure 6. The port enters the forwarding state from the learning state.

Figure 8-6 Port 2 in Forwarding State (figure: Port 1 forwarding, Port 2 forwarding; all segment frames, station addresses, filtering database, system module, BPDUs, network management and data frames)

A port in the forwarding state performs as follows:
• Forwards frames received from the attached segment.
• Forwards frames switched from another port for forwarding.
• Incorporates station location information into its address database.
• Receives BPDUs and directs them to the system module.
• Processes BPDUs received from the system module.
• Receives and responds to network management messages.

Caution Use spanning tree PortFast mode only on ports directly connected to individual workstations to allow these ports to come up and go directly to the forwarding state, instead of having to go through the entire spanning tree initialization process. To prevent illegal topologies, enable spanning tree on ports connected to switches or other devices that forward messages. For more information about PortFast, see Chapter 9, “Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard.”

Disabled State

A port in the disabled state does not participate in frame forwarding or STP, as shown in Figure 7. A port in the disabled state is virtually nonoperational.

Figure 8-7 Port 2 in Disabled State (figure: Port 1 forwarding, Port 2 disabled; all segment frames, station addresses, filtering database, system module, network management frames, data frames)

A disabled port performs as follows:
• Discards frames received from the attached segment.
• Discards frames switched from another port for forwarding.
• Does not incorporate station location into its address database. (There is no learning, so there is no address database update.)
• Receives BPDUs but does not direct them to the system module.
• Does not receive BPDUs for transmission from the system module.
• Receives and responds to network management messages.

Understanding PVST+ and MISTP Modes

Catalyst 6000 family switches provide two proprietary spanning tree modes based on the IEEE 802.1D standard and one mode that is a combination of the two modes:
• Per VLAN Spanning Tree (PVST+)
• Multi-Instance Spanning Tree Protocol (MISTP)
• MISTP-PVST+ (combination mode)

An overview of each mode is provided in this section. Each mode is described in detail in these sections:
• Using PVST+, page 8-xv
• Using MISTP-PVST+ or MISTP, page 8-xxii

Caution If your network currently uses PVST+ and you plan to use MISTP on any switch, you must first enable MISTP-PVST+ on the switch and configure an MISTP instance to avoid causing loops in the network.

PVST+ Mode

PVST+ is the default spanning tree protocol used on all Ethernet, Fast Ethernet, and Gigabit Ethernet port-based VLANs on Catalyst 6000 family switches. PVST+ runs on each VLAN on the switch, ensuring that each VLAN has a loop-free path through the network. PVST+ provides Layer 2 load balancing for the VLAN on which it runs. Each PVST+ instance on a VLAN has a single root switch. This root switch propagates the spanning tree information associated with that VLAN to all other switches in the network. This process maintains the network topology because it ensures that each switch has the same information about the network.

MISTP Mode

MISTP is an optional spanning tree protocol that runs on Catalyst 6000 family switches. MISTP allows you to group multiple VLANs under a single instance of spanning tree (an MISTP instance). MISTP combines the Layer 2 load-balancing benefits of PVST+ with the lower CPU load of IEEE 802.1Q. MISTP uses one BPDU for each MISTP instance, rather than one for each VLAN, as in PVST+. Because there are fewer BPDUs in an MISTP network, MISTP networks converge faster with less overhead. MISTP discards PVST+ BPDUs.

An MISTP instance is a virtual logical topology defined by a set of bridge and port parameters. When you map VLANs to an MISTP instance, this virtual logical topology becomes a physical topology. Each MISTP instance has its own root switch and a different set of forwarding links, that is, different bridge and port parameters. Each MISTP instance root switch propagates the information associated with it to all other switches in the network. This process ensures that the network topology is maintained because each switch has the same knowledge about the network.

An MISTP instance can have any number of VLANs mapped to it, but a VLAN can be mapped only to a single MISTP instance. You can easily move a VLAN (or VLANs) in an MISTP topology to another MISTP instance if it has converged. (However, if ports are added at the same time the VLAN is moved, convergence time is required.) MISTP builds MISTP instances by exchanging MISTP BPDUs with peer entities in the network. You can create different logical topologies using the VLANs on your network to ensure that all the links are used and no link is oversubscribed.

MISTP-PVST+ Mode

MISTP-PVST+ is a transition spanning tree mode that allows you to use the MISTP functionality on Catalyst 6000 family switches while continuing to communicate with Catalyst 5000 and 6000 switches in your network that use PVST+. A switch using PVST+ mode that is connected to a switch using MISTP mode cannot see the BPDUs of the other switch, a condition that can cause loops in the network. MISTP-PVST+ allows interoperability between PVST+ and pure MISTP because it sees the BPDUs of both modes. To convert your network to MISTP, use MISTP-PVST+ to transition the network from PVST+ to MISTP. Because MISTP-PVST+ conforms to the limits of PVST+, you cannot configure more VLAN ports on your MISTP-PVST+ switches than on your PVST+ switches.

Bridge Identifiers

These sections explain how MAC addresses are used in PVST+ and MISTP as unique bridge identifiers:
• MAC Address Allocation, page 8-xiii
• MAC Address Reduction, page 8-xiii

MAC Address Allocation

Catalyst 6000 family switches have a pool of 1024 MAC addresses that can be used as bridge identifiers for VLANs running under PVST+ or for MISTP instances. You can use the show module command to view the MAC address range.

MAC addresses are allocated sequentially, with the first MAC address in the range assigned to VLAN 1, the second MAC address in the range assigned to VLAN 2, and so forth. The last MAC address in the range is assigned to the supervisor engine in-band (sc0) management interface.

For example, if the MAC address range is 00-e0-1e-9b-2e-00 to 00-e0-1e-9b-31-ff, the VLAN 1 bridge ID is 00-e0-1e-9b-2e-00, the VLAN 2 bridge ID is 00-e0-1e-9b-2e-01, the VLAN 3 bridge ID is 00-e0-1e-9b-2e-02, and so on. The in-band (sc0) interface MAC address is 00-e0-1e-9b-31-ff.

MAC Address Reduction

For Catalyst family switches that support 4096 VLANs, MAC address reduction allows up to 4096 VLANs running under PVST+ or 16 MISTP instances to have unique identifiers without increasing the number of MAC addresses required on the switch. MAC address reduction reduces the number of MAC addresses required by the STP from one per VLAN or MISTP instance to one per switch.

Because VLANs running under PVST+ and MISTP instances running under MISTP-PVST+ or MISTP are considered logical bridges, each bridge must have its own unique identifier in the network. When you enable MAC address reduction, the bridge identifier stored in the spanning tree BPDU contains an additional field called the system ID extension. Combined with the bridge priority, the system ID extension functions as the unique identifier for a VLAN or an MISTP instance. The system ID extension is always the number of the VLAN or the MISTP instance. For example, the system ID extension for VLAN 100 is 100, and the system ID extension for MISTP instance 2 is 2.

Figure 8 shows the bridge identifier when you do not enable MAC address reduction. The bridge identifier consists of the bridge priority and the MAC address.

Figure 8-8 Bridge Identifier without MAC Address Reduction (figure: Bridge Priority, 2 bytes; MAC Address, 6 bytes)

Figure 9 shows the bridge identifier when you enable MAC address reduction. The bridge identifier consists of the bridge priority, the system ID extension, and the MAC address. The bridge priority and the system ID extension combined are known as the bridge ID priority. The bridge ID priority is the unique identifier for the VLAN or the MISTP instance.

Figure 8-9 Bridge Identifier with MAC Address Reduction Enabled (figure: Bridge ID Priority made up of Bridge Priority, 4 bits, and System ID Ext., 12 bits; MAC Address, 6 bytes)

When you enter a show spantree command, you can see the bridge ID priority for a VLAN in PVST+ or for an MISTP instance in MISTP or MISTP-PVST+ mode. This example shows the bridge ID priority for VLAN 1 when you enable MAC address reduction in PVST+ mode. The unique identifier for this VLAN is 32769.

Console> (enable) show spantree 1
VLAN 1
Spanning tree mode          PVST+
Spanning tree type          ieee
.
.
.
Bridge ID MAC ADDR          00-d0-00-4c-18-00
Bridge ID Priority          32769 (bridge priority: 32768, sys ID ext: 1)
Bridge Max Age 20 sec   Hello Time 2 sec   Forward Delay 15 sec

If you have a Catalyst switch in your network with MAC address reduction enabled, you should also enable MAC address reduction on all other Layer-2 connected switches to avoid undesirable root election and spanning tree topology issues.

With MAC address reduction enabled, a switch bridge ID (used by the spanning-tree algorithm to determine the identity of the root bridge, the lowest being preferred) can only be specified as a multiple of 4096. When MAC address reduction is enabled, the root bridge priority becomes a multiple of 4096 plus the VLAN ID. Only the following values are possible: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. Therefore, if another bridge in the same spanning-tree domain does not run the MAC address reduction feature, it could claim and win root bridge ownership because of the finer granularity in the selection of its bridge ID.

Note The MAC address reduction feature is enabled by default on Cisco switches that have 64 MAC addresses (Cisco 7606, CISCO7603, WS-C6503, and WS-C6513).
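The MAC Address Allocation and MAC Address Reduction sections above, worked through as an added Python example that is not code from the Cisco guide. It allocates per-VLAN bridge MAC addresses sequentially from the chapter's sample range (00-e0-1e-9b-2e-00, 1024 addresses, last one to sc0), builds the bridge ID priority as the 4-bit bridge priority plus the 12-bit system ID extension, and compares complete 8-byte bridge identifiers the way root election does (lowest wins). The election scenario at the end is constructed to show the caveat stated above: a bridge without MAC address reduction can pick a priority between the multiples of 4096 and beat a reduced bridge whose priority field has the VLAN ID added. The switch names and the second MAC address are constructed samples.

```python
# Added example, not code from the Cisco guide: bridge MAC allocation, the
# bridge ID priority with MAC address reduction, and root-bridge comparison.

MAC_RANGE_START = "00-e0-1e-9b-2e-00"   # sample range start from the chapter
POOL_SIZE = 1024                        # one pool of 1024 addresses per switch
VALID_REDUCED_PRIORITIES = [i * 4096 for i in range(16)]   # 0 .. 61440


def mac_to_int(mac):
    return int(mac.replace("-", ""), 16)


def int_to_mac(value):
    return "-".join(f"{(value >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def vlan_bridge_mac(vlan, start=MAC_RANGE_START):
    """Without MAC address reduction, VLAN n takes the n-th address of the pool."""
    if not 1 <= vlan < POOL_SIZE:          # the last address belongs to sc0
        raise ValueError(f"VLAN {vlan} has no address in the pool")
    return int_to_mac(mac_to_int(start) + vlan - 1)


def sc0_mac(start=MAC_RANGE_START):
    """The supervisor in-band (sc0) interface takes the last address of the pool."""
    return int_to_mac(mac_to_int(start) + POOL_SIZE - 1)


def is_valid_reduced_priority(bridge_priority):
    """With MAC address reduction, only multiples of 4096 fit in the 4-bit field."""
    return bridge_priority in VALID_REDUCED_PRIORITIES


def bridge_id_priority(bridge_priority, sys_id_ext):
    """Bridge ID priority = 4-bit bridge priority + 12-bit system ID extension
    (the VLAN number or MISTP instance number)."""
    if not is_valid_reduced_priority(bridge_priority):
        raise ValueError("bridge priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= sys_id_ext < 4096:
        raise ValueError("system ID extension must fit in 12 bits")
    return bridge_priority + sys_id_ext


def priority_parts(bridge_id_priority_value):
    """Split a bridge ID priority back into (bridge priority, system ID extension),
    as show spantree prints it: 32769 -> (32768, 1)."""
    return (bridge_id_priority_value & 0xF000, bridge_id_priority_value & 0x0FFF)


def bridge_id(priority_field, mac):
    """8-byte bridge identifier carried in the BPDU: 2-byte priority field
    followed by the 6-byte MAC address. Lower is better in root election."""
    return (priority_field << 48) | mac_to_int(mac)


def elect_root(bridges):
    """bridges: list of (name, priority_field, mac). Returns the name of the
    bridge with the numerically lowest bridge identifier."""
    return min(bridges, key=lambda b: bridge_id(b[1], b[2]))[0]


if __name__ == "__main__":
    for vlan in (1, 2, 3, 100):
        print(f"VLAN {vlan:>3} bridge MAC {vlan_bridge_mac(vlan)}")
    print("sc0", sc0_mac())
    print("VLAN 1 with reduction:", bridge_id_priority(32768, 1))
    # Constructed scenario: the legacy bridge chooses 32768 without reduction and
    # wins against a reduced bridge advertising 32769 for VLAN 1, although the
    # reduced bridge has the lower MAC address.
    contest = [("reduced-sw", bridge_id_priority(32768, 1), "00-d0-00-4c-18-00"),
               ("legacy-sw", 32768, "00-e0-1e-9b-2e-00")]
    print("root:", elect_root(contest))
```

The `elect_root` result is the practical reason behind the recommendation above to enable MAC address reduction on every Layer 2 adjacent switch: once one bridge advertises priority plus VLAN ID, any neighbour that can still choose a plain 32768 (or any value that is not a multiple of 4096) sorts ahead of it regardless of MAC address.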

Using PVST+

PVST+ is the default spanning tree mode for Catalyst 6000 family switches. These sections describe how to configure PVST+ on Ethernet VLANs:
• Default PVST+ Configuration, page 8-xv
• Setting the PVST+ Bridge ID Priority, page 8-xvi
• Configuring the PVST+ Port Cost, page 8-xvii
• Configuring the PVST+ Port Priority, page 8-xviii
• Configuring the PVST+ Default Port Cost Mode, page 8-xviii
• Configuring the PVST+ Port Cost for a VLAN, page 8-xix
• Configuring the PVST+ Port Priority for a VLAN, page 8-xx
• Disabling the PVST+ Mode on a VLAN, page 8-xx

Default PVST+ Configuration

Table 3 shows the default PVST+ configuration.

Table 8-3 PVST+ Default Configuration

Feature                          Default Value
-------------------------------  ------------------------------------------------------------------
VLAN 1                           All ports assigned to VLAN 1
Enable state                     PVST+ enabled for all VLANs
MAC address reduction            Disabled
Bridge priority                  32768
Bridge ID priority               32769 (bridge priority plus system ID extension of VLAN 1)
Port priority                    32
Port cost                        Gigabit Ethernet: 4
                                 Fast Ethernet: 19 (1)
                                 FDDI/CDDI: 10
                                 Ethernet: 100 (2)
Default spantree port cost mode  Short (802.1D)
Port VLAN priority               Same as port priority but configurable on a per-VLAN basis in PVST+
Port VLAN cost                   Same as port cost but configurable on a per-VLAN basis in PVST+
Maximum aging time               20 seconds
Hello time                       2 seconds
Forward delay time               15 seconds

1. If 10/100 Mbps ports autonegotiate or are hard set to 100 Mbps, the port cost is 19.
2. If 10/100 Mbps ports autonegotiate or are hard set to 10 Mbps, the port cost is 100.

Setting the PVST+ Bridge ID Priority

The bridge ID priority is the priority of a VLAN when the switch is in PVST+ mode. When the switch is in PVST+ mode without MAC address reduction enabled, you can enter a bridge priority value between 0–65535. When the switch is in PVST+ mode with MAC address reduction enabled, you can enter one of 16 bridge priority values: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, or 61440. The bridge priority is combined with the system ID extension (that is, the ID of the VLAN) to create the bridge ID priority for the VLAN. The bridge priority value you enter also becomes the VLAN bridge ID priority for that VLAN.

To set the spanning tree bridge priority for a VLAN, perform this task in privileged mode:

Step 1  Set the PVST+ bridge ID priority for a VLAN.   set spantree priority bridge_ID_priority [vlan]
Step 2  Verify the bridge ID priority.                 show spantree [vlan] [active]

This example shows how to set the PVST+ bridge ID priority when MAC address reduction is not enabled (default):

Console> (enable) set spantree priority 30000 1
Spantree 1 bridge priority set to 30000.
Console> (enable) show spantree 1
VLAN 1
Spanning tree mode          PVST+
Spanning tree type          ieee
Spanning tree enabled

Designated Root             00-60-70-4c-70-00
Designated Root Priority    16384
Designated Root Cost        19
Designated Root Port        2/3
Root Max Age 14 sec   Hello Time 2 sec   Forward Delay 10 sec

Bridge ID MAC ADDR          00-d0-00-4c-18-00
Bridge ID Priority          30000
Bridge Max Age 20 sec   Hello Time 2 sec   Forward Delay 15 sec

Port                     Vlan Port-State    Cost  Prio Portfast Channel_id
------------------------ ---- ------------- ----- ---- -------- ----------
1/1                      1    not-connected     4   32 disabled 0
1/2                      1    not-connected     4   32 disabled 0
2/1                      1    not-connected   100   32 disabled 0
2/2                      1    not-connected   100   32 disabled 0

This example shows how to set the PVST+ bridge ID priority when MAC reduction is enabled:

Console> (enable) set spantree priority 32768 1
Spantree 1 bridge ID priority set to 32769 (bridge priority: 32768 + sys ID extension: 1)
Console> (enable) show spantree 1/1 1
VLAN 1
Spanning tree mode          PVST+
Spanning tree type          ieee
Spanning tree enabled

Designated Root             00-60-70-4c-70-00
Designated Root Priority    16384
Designated Root Cost        19
Designated Root Port        2/3
Root Max Age 14 sec   Hello Time 2 sec   Forward Delay 10 sec

Bridge ID MAC ADDR          00-d0-00-4c-18-00
Bridge ID Priority          32769 (bridge priority: 32768, sys ID ext: 1)
Bridge Max Age 20 sec   Hello Time 2 sec   Forward Delay 15 sec

Port                     Vlan Port-State    Cost  Prio Portfast Channel_id
------------------------ ---- ------------- ----- ---- -------- ----------
1/1                      1    not-connected     4   32 disabled 0
1/2                      1    not-connected     4   32 disabled 0
2/1                      1    not-connected   100   32 disabled 0
2/2                      1    not-connected   100   32 disabled 0

Configuring the PVST+ Port Cost

You can configure the port cost of switch ports. The ports with lower port costs are more likely to be chosen to forward frames. Assign lower numbers to ports that are attached to faster media (such as full duplex) and higher numbers to ports that are attached to slower media. The possible cost is from 1 to 65535 when using the short method for calculating port cost and from 1 to 200000000 when using the long method. The default cost differs for different media. For information about calculating port cost, see the “Calculating and Assigning Port Costs” section on page 8-4.

Note When you enter the set channel cost command, it does not appear in the configuration file. The command causes a “set spantree portcost” entry to be created for each port in the channel. See the “Setting the EtherChannel Port Path Cost” section in Chapter 6, “Configuring EtherChannel,” for information on using the set channel cost command.

To configure the PVST+ port cost for a port, perform this task in privileged mode:

Step 1  Configure the PVST+ port cost for a switch port.   set spantree portcost {mod/port} cost
Step 2  Verify the port cost setting.                       show spantree mod/port

This example shows how to configure the PVST+ port cost on a port and verify the configuration:

Console> (enable) set spantree portcost 2/3 12
Spantree port 2/3 path cost set to 12.
Console> (enable) show spantree 2/3
VLAN 1
.
.
.
Port                     Vlan Port-State    Cost  Prio Portfast Channel_id
------------------------ ---- ------------- ----- ---- -------- ----------
1/1                      1    not-connected     4   32 disabled 0
1/2                      1    not-connected     4   32 disabled 0
2/1                      1    not-connected   100   32 disabled 0
2/2                      1    not-connected   100   32 disabled 0
2/3                      1    forwarding       12   32 disabled 0
2/4                      1    not-connected   100   32 disabled 0

Configuring the PVST+ Port Priority

You can configure the port priority of switch ports in PVST+ mode. The port with the lowest priority value forwards frames for all VLANs. If all ports have the same priority value, the port with the lowest port number forwards frames. The possible port priority value is 0–63. The default is 32.

To configure the PVST+ port priority for a port, perform this task in privileged mode:

Step 1  Configure the PVST+ port priority for a switch port.   set spantree portpri mod/port priority
Step 2  Verify the port priority setting.                       show spantree mod/port

This example shows how to configure the PVST+ port priority for a port:

Console> (enable) set spantree portpri 2/3 16
Bridge port 2/3 port priority set to 16.
Console> (enable) show spantree 2/3
VLAN 1
.
.
.
Port                     Vlan Port-State    Cost  Prio Portfast Channel_id
------------------------ ---- ------------- ----- ---- -------- ----------
1/1                      1    not-connected     4   32 disabled 0
1/2                      1    not-connected     4   32 disabled 0
2/1                      1    not-connected   100   32 disabled 0
2/2                      1    not-connected   100   32 disabled 0
2/3                      1    forwarding       19   16 disabled 0
2/4                      1    not-connected   100   32 disabled 0

Configuring the PVST+ Default Port Cost Mode

If any switch in your network is using a port speed of 10 Gb or over and the network is using PVST+ spanning tree mode, all switches in the network must have the same path cost defaults. You can enter the set spantree defaultcostmode command to force all VLANs associated with all the ports to have the same port cost default set. Two default port cost modes are available: short and long.

• The short mode has these parameters:
  – Portcost
  – Portvlancost (trunk ports only)
  – When uplinkfast is enabled, the actual cost is incremented by 3000
• The long mode has these parameters:
  – Portcost
  – Portvlancost (trunk ports only)
  – When uplinkfast is enabled, the actual cost is incremented by 10,000,000
  – EtherChannel computes the cost of a bundle using the formula AVERAGE_COST/NUM_PORT

The default port cost mode is set to short in PVST+ mode. For port speeds of 10 Gb and greater, the default port cost mode must be set to long.

To configure the PVST+ default port cost mode, perform this task in privileged mode:

Task: Configure the PVST+ default port cost mode.   Command: set spantree defaultcostmode {short | long}

This example shows how to configure the PVST+ default port cost mode:

Console> (enable) set spantree defaultcostmode long
Portcost and portvlancost set to use long format default values.
Console> (enable)

Configuring the PVST+ Port Cost for a VLAN

You can configure the port cost of switch ports. The ports with lower port costs are more likely to be chosen to forward frames. Assign lower numbers to ports that are attached to faster media (such as full duplex) and higher numbers to ports that are attached to slower media. The possible cost is from 1 to 65535 when using the short method for calculating port cost and from 1 to 200000000 when using the long method. The default cost differs for different media. This parameter applies to trunking ports only. For information about calculating port cost, see the “Calculating and Assigning Port Costs” section on page 8-4.

Note When you use the set channel cost command, it does not appear in the configuration file. The command causes a “set spantree portcost” entry to be created for each port in the channel. See the “Setting the EtherChannel Port Path Cost” section in Chapter 6, “Configuring EtherChannel,” for information on using the set channel cost command.

To configure the PVST+ port VLAN cost for a port, perform this task in privileged mode:

Task: Configure the PVST+ port cost for a VLAN on a port.   Command: set spantree portvlancost {mod/port} [cost cost] [vlan_list]

This example shows how to configure the PVST+ port VLAN cost on port 2/3 for VLANs 1 through 5:

Console> (enable) set spantree portvlancost 2/3 cost 20000 1-5
Port 2/3 VLANs 1-5,12 have path cost 20000.
Port 2/3 VLANs 6-11,13-1005,1025-4094 have path cost 12.
Console> (enable)
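The port cost, port priority, default port cost mode, and port VLAN cost sections above, pulled together in an added Python example that is not code from the Cisco guide. It holds the short-mode default costs from Table 8-3, the UplinkFast increments and cost ranges for both modes, the EtherChannel bundle formula AVERAGE_COST/NUM_PORT, and the selection rule the chapter states for otherwise equivalent ports (lowest cost, then lowest priority, then lowest port number), with per-VLAN overrides as set spantree portvlancost and set spantree portvlanpri provide on trunk ports; the per-VLAN priority part goes slightly beyond this section and matches the rule given for port VLAN priority in the section that follows. The chapter does not tabulate long-mode default costs; the values used here are an assumption taken from the show spantree output in the MISTP bridge priority example later in the chapter (20000, 200000, 2000000). The port names and cost values in the main block are constructed samples.

```python
# Added example, not code from the Cisco guide: default costs per mode, the
# UplinkFast increment, EtherChannel bundle cost, and per-VLAN port selection.

SHORT_DEFAULT_COST = {"gigabit": 4, "fast": 19, "fddi": 10, "ethernet": 100}  # Table 8-3
# Assumption: long-mode defaults inferred from the chapter's MISTP show output.
LONG_DEFAULT_COST = {"gigabit": 20000, "fast": 200000, "ethernet": 2000000}
UPLINKFAST_INCREMENT = {"short": 3000, "long": 10_000_000}
COST_RANGE = {"short": (1, 65535), "long": (1, 200_000_000)}


def default_port_cost(media, mode="short"):
    """Default cost of a port for its media type in the given default cost mode."""
    table = SHORT_DEFAULT_COST if mode == "short" else LONG_DEFAULT_COST
    return table[media]


def effective_cost(cost, mode="short", uplinkfast=False):
    """Validate a configured cost against the mode's range and apply the
    UplinkFast increment the chapter lists for that mode."""
    low, high = COST_RANGE[mode]
    if not low <= cost <= high:
        raise ValueError(f"cost {cost} outside {mode}-mode range {low}-{high}")
    return cost + (UPLINKFAST_INCREMENT[mode] if uplinkfast else 0)


def etherchannel_cost(member_costs):
    """Long-mode bundle cost using the chapter's formula AVERAGE_COST/NUM_PORT."""
    n = len(member_costs)
    return (sum(member_costs) / n) / n


class Port:
    """A switch port with a global cost and priority plus per-VLAN overrides."""

    def __init__(self, name, cost, priority=32):
        mod, num = name.split("/")
        self.name = name
        self.order = (int(mod), int(num))   # "2/3" -> (2, 3): lowest port number wins ties
        self.cost = cost
        self.priority = priority
        self.vlan_cost = {}                 # set spantree portvlancost
        self.vlan_priority = {}             # set spantree portvlanpri

    def set_vlan_cost(self, vlans, cost):
        for vlan in vlans:
            self.vlan_cost[vlan] = cost

    def set_vlan_priority(self, vlans, priority):
        if not 0 <= priority <= 63:
            raise ValueError("port priority must be 0-63")
        if priority >= self.priority:
            raise ValueError("port VLAN priority must be lower than the port priority")
        for vlan in vlans:
            self.vlan_priority[vlan] = priority

    def cost_for(self, vlan):
        return self.vlan_cost.get(vlan, self.cost)

    def priority_for(self, vlan):
        return self.vlan_priority.get(vlan, self.priority)


def choose_port(ports, vlan):
    """Name of the port that forwards for `vlan` among otherwise equivalent
    candidates: lowest cost, then lowest priority, then lowest port number."""
    best = min(ports, key=lambda p: (p.cost_for(vlan), p.priority_for(vlan), p.order))
    return best.name


if __name__ == "__main__":
    # Constructed sample: two Fast Ethernet trunks with the chapter's defaults.
    p3 = Port("2/3", default_port_cost("fast"))
    p4 = Port("2/4", default_port_cost("fast"))
    print("VLAN 1 default:", choose_port([p3, p4], 1))          # tie -> 2/3
    p4.set_vlan_priority([6], 16)                               # portvlanpri 2/4 16 6
    print("VLAN 6 after portvlanpri:", choose_port([p3, p4], 6))  # 2/4
    p3.set_vlan_cost(range(1, 6), 20000)                        # portvlancost 2/3 cost 20000 1-5
    print("VLAN 1 after portvlancost:", choose_port([p3, p4], 1))  # 2/4
    print("FE cost with UplinkFast, short mode:", effective_cost(19, uplinkfast=True))
    print("2-port long-mode bundle:", etherchannel_cost([200000, 200000]))
```

Note that a short-mode cost such as 100000 is rejected by `effective_cost` while the same number is valid in long mode; that is the mismatch the chapter warns about when switches in one PVST+ network run different default cost modes.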

Configuring the PVST+ Port Priority for a VLAN

When the switch is in PVST+ mode, you can set the port priority for a trunking port in a VLAN. The port with the lowest priority value for a specific VLAN forwards frames for that VLAN. If all ports have the same priority value for a particular VLAN, the port with the lowest port number forwards frames for that VLAN. The possible port priority range is 0–63. The default is 32. The port VLAN priority value must be lower than the port priority value. This parameter applies to trunking ports only.

To configure the port VLAN priority for a port, perform this task in privileged mode:

Step 1  Configure the PVST+ port priority for a VLAN on a port.   set spantree portvlanpri mod/port priority [vlans]
Step 2  Verify the port VLAN priority.                             show config all

This example shows how to configure the port priority for VLAN 6 on port 2/3:

Console> (enable) set spantree portvlanpri 2/3 16 6
Port 2/3 vlans 1-5,7-800,802-1004,1006-4094 using portpri 32.
Port 2/3 vlans 6 using portpri 16.
Port 2/3 vlans 801,1005 using portpri 4.
Console> (enable) show config all
.
.
.
set spantree portcost 2/12,2/15 19
set spantree portcost 2/1-2,2/4-11,2/13-14,2/16-48 100
set spantree portcost 2/3 12
set spantree portpri 2/1-48 32
set spantree portvlanpri 2/1 0
set spantree portvlanpri 2/2 0
.
.
.
set spantree portvlanpri 2/48 0
set spantree portvlancost 2/1 cost 99
set spantree portvlancost 2/2 cost 99
set spantree portvlancost 2/3 cost 20000 1-5,12
.
.
.

Disabling the PVST+ Mode on a VLAN

When the switch is in PVST+ mode, you can disable spanning-tree on individual VLANs or all VLANs. When you disable spanning tree on a VLAN, the switch does not participate in spanning-tree and any BPDUs received in that VLAN are flooded on all ports.

Caution We do not recommend disabling spanning tree, even in a topology that is free of physical loops. Spanning tree serves as a safeguard against misconfigurations and cabling errors. Do not disable spanning tree in a VLAN without ensuring that there are no physical loops present in the VLAN.

Caution Do not disable spanning tree on a VLAN unless all switches or routers in the VLAN have spanning tree disabled. You cannot disable spanning tree on some switches or routers in a VLAN and leave spanning tree enabled on other switches or routers in the VLAN. If spanning tree remains enabled on the switches and routers, they will have incomplete information about the physical topology of the network, which may cause unexpected results.

To disable PVST+, perform this task in privileged mode:

Task: Disable PVST+ mode on a VLAN.   Command: set spantree disable vlans [all]

This example shows how to disable PVST+ on a VLAN:

Console> (enable) set spantree disable 4
Spantree 4 disabled.
Console> (enable)

Using MISTP-PVST+ or MISTP

The default spanning tree mode on the Catalyst 6000 family switches is PVST+. If you want to use MISTP mode in your network, we recommend you carefully follow the procedures described in the following sections in order to avoid losing connectivity in your network.

To use MISTP mode, you first enable an MISTP instance, then map at least one VLAN to the instance. You must have at least one forwarding port in the VLAN in order for the MISTP instance to be active.

If you are changing a switch from PVST+ mode to MISTP mode and you have other switches in the network that are using PVST+, you must first enable MISTP-PVST+ mode on each switch on which you intend to use MISTP so that PVST+ BPDUs can flow through the switches while you configure them. When all switches in the network are configured in MISTP-PVST+, you can then enable MISTP on all of the switches.

Note We recommend that if you use MISTP mode, you should configure all of your Catalyst 6000 family switches to run MISTP.

Note Map VLANs to MISTP instances on Catalyst 6000 family switches that are either in VTP server mode or transparent mode only. You cannot map VLANs to MISTP instances on switches that are in VTP client mode.

When you change the spanning tree mode, the current mode stops; all of the configuration parameters are preserved for the previous mode; however, information about the port states is lost. The information collected at runtime is used to build the port database for the new mode, and the new spanning tree mode restarts the computation of the active topology. If you return to the previous mode, the configuration is still there.

These sections describe how to use MISTP-PVST+ or MISTP:
• Default MISTP and MISTP-PVST+ Configuration, page 8-xxiii
• Setting MISTP-PVST+ Mode or MISTP Mode, page 8-xxiii
• Configuring an MISTP Instance, page 8-xxv
• Mapping VLANs to an MISTP Instance, page 8-xxix
• Disabling MISTP-PVST+ or MISTP, page 8-xxxi

Default MISTP and MISTP-PVST+ Configuration

Table 4 shows the default MISTP and MISTP-PVST+ configuration.

Table 8-4 MISTP and MISTP-PVST+ Default Configuration

Feature                 Default Value
----------------------  ----------------------------------------------------------------------
Enable state            Disabled until a VLAN is mapped to an MISTP instance
MAC address reduction   Disabled
Bridge priority         32768
Bridge ID priority      32769 (bridge priority plus the system ID extension of MISTP instance 1)
Port priority           32 (global)
Port cost               Gigabit Ethernet: 4
                        Fast Ethernet: 19 (1)
                        FDDI/CDDI: 10
                        Ethernet: 100 (2)
Default port cost mode  Short (802.1D)
Port VLAN priority      Same as port priority but configurable on a per-VLAN basis in PVST+
Port VLAN cost          Same as port cost but configurable on a per-VLAN basis in PVST+
Maximum aging time      20 seconds
Hello time              2 seconds
Forward delay time      15 seconds

1. If 10/100 Mbps ports autonegotiate or are hard set to 100 Mbps, the port cost is 19.
2. If 10/100 Mbps ports autonegotiate or are hard set to 10 Mbps, the port cost is 100.

Setting MISTP-PVST+ Mode or MISTP Mode

If you enable MISTP in a PVST+ network, you must be careful to avoid bringing down the network. This section explains how to enable MISTP or MISTP-PVST+ on your network.

Caution If you have more than 6000 VLAN ports configured on your switch, changing from MISTP to either PVST+ or MISTP-PVST+ mode could bring down your network. Reduce the number of configured VLAN ports on your switch to no more than 6000 to avoid losing connectivity.

Caution If you are working from a Telnet connection to your switch, the first time you enable MISTP-PVST+ or MISTP mode, you must do so from the switch console; do not use a Telnet connection through the data port or you will lose your connection to the switch. After you map a VLAN to an MISTP instance, you can Telnet to the switch.

To change from PVST+ to MISTP-PVST+ or MISTP, perform this task in privileged mode:

Task: Set a spanning tree mode.   Command: set spantree mode {mistp | pvst+ | mistp-pvst+}

This example shows how to set a switch to MISTP-PVST+ mode:

Console> (enable) set spantree mode mistp-pvst+
PVST+ database cleaned up.
Spantree mode set to MISTP-PVST+.
Console> (enable)

You can display VLAN-to-MISTP instance mapping information propagated from the root switch at runtime. This display is available only in the MISTP or MISTP-PVST+ mode. When in the PVST+ mode, use the optional keyword config to display the list of mappings configured on the local switch.

Note MAC addresses are not displayed when you specify the keyword config.

To display spanning tree mapping, perform this task in privileged mode:

Step 1  Set the spanning tree mode to MISTP.   set spantree mode mistp
Step 2  Show the spanning tree mapping.        show spantree mapping [config]

This example shows how to display the spanning tree VLAN instance mapping in MISTP mode:

Console> (enable) set spantree mode mistp
PVST+ database cleaned up.
Spantree mode set to MISTP.
Warning!! There are no VLANs mapped to any MISTP instance.
Console> (enable) show spantree mapping
Inst  Root Mac           Vlans
----  -----------------  --------------------------
1     00-50-3e-78-70-00  1
2     00-50-3e-78-70-00  -
3     00-50-3e-78-70-00  -
4     00-50-3e-78-70-00  -
5     00-50-3e-78-70-00  -
6     00-50-3e-78-70-00  -
7     00-50-3e-78-70-00  -
8     00-50-3e-78-70-00  -
9     00-50-3e-78-70-00  -
10    00-50-3e-78-70-00  -
11    00-50-3e-78-70-00  -
12    00-50-3e-78-70-00  -
13    00-50-3e-78-70-00  -
14    00-50-3e-78-70-00  -
15    00-50-3e-78-70-00  -
16    00-50-3e-78-70-00  -

Configuring an MISTP Instance

These sections describe how to configure MISTP instances:
• Configuring the MISTP Bridge ID Priority, page 8-xxv
• Configuring the MISTP Port Cost, page 8-xxvi
• Configuring the MISTP Port Priority, page 8-xxvi
• Configuring the MISTP Port Instance Cost, page 8-xxvii
• Configuring the MISTP Port Instance Priority, page 8-xxvii

Configuring the MISTP Bridge ID Priority

You can set the bridge ID priority for an MISTP instance when the switch is in MISTP or MISTP-PVST+ mode. The bridge priority value is combined with the system ID extension (the ID of the MISTP instance) to create the bridge ID priority. You can set 16 possible bridge priority values: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440.

To configure the bridge ID priority for an MISTP instance, perform this task in privileged mode:

Task / Command
Step 1 Configure the bridge ID priority for an MISTP instance. / set spantree priority bridge_ID_priority [mistp-instance instance]
Step 2 Verify the bridge ID priority. / show spantree mistp-instance instance [mod/port] active

This example shows how to configure the bridge ID priority for an MISTP instance:

Console> (enable) set spantree priority 8192 mistp-instance 1
Spantree 1 bridge ID priority set to 8193 (bridge priority: 8192 + sys ID extension: 1)
Console> (enable) show spantree mistp-instance 1
VLAN 1
Spanning tree mode          MISTP
Spanning tree type          ieee
Spanning tree enabled
VLAN mapped to MISTP Instance: 1

Bridge ID MAC ADDR          00-d0-00-4c-18-00
Bridge ID Priority          8193 (bridge priority: 8192, sys ID ext: 1)
Bridge Max Age 20 sec       Hello Time 2 sec    Forward Delay 15 sec

Port                     Vlan Port-State    Cost      Prio Portfast Channel_id
------------------------ ---- ------------- --------- ---- -------- ----------
1/1                      1    not-connected 20000     32   disabled 0
1/2                      1    not-connected 20000     32   disabled 0
2/1                      1    not-connected 2000000   32   disabled 0
2/2                      1    not-connected 2000000   32   disabled 0
2/3                      1    forwarding    200000    32   disabled 0
Console> (enable)
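The arithmetic behind the output above, as an added example (not Cisco code): the configured bridge priority must be one of the 16 multiples of 4096, the switch adds the MISTP instance number as the system ID extension, and root election compares the resulting bridge ID priority first and the bridge MAC address only on a tie. The switch names and MAC addresses in EXAMPLE_FABRIC are constructed; the 8192 and 16384 values are the ones the set spantree root and set spantree root secondary commands assign.

```python
"""MISTP bridge ID priority composition and root election (added example)."""
from typing import List, Optional, Tuple

VALID_BRIDGE_PRIORITIES = tuple(i * 4096 for i in range(16))  # 0 ... 61440
MAX_MISTP_INSTANCES = 16
PRIMARY_ROOT_PRIORITY = 8192      # value assigned by 'set spantree root'
SECONDARY_ROOT_PRIORITY = 16384   # value assigned by 'set spantree root secondary'

# (switch name, configured bridge priority, bridge MAC) -- constructed sample data
Switch = Tuple[str, int, str]
EXAMPLE_FABRIC: List[Switch] = [
    ("core-a", 32768, "00-d0-00-4c-18-00"),
    ("core-b", 32768, "00-30-a3-4a-0c-00"),
    ("access-1", 32768, "00-50-3e-78-70-00"),
]


def bridge_id_priority(bridge_priority: int, instance: int) -> int:
    """Combine the configured priority with the system ID extension (instance)."""
    if bridge_priority not in VALID_BRIDGE_PRIORITIES:
        raise ValueError(f"bridge priority must be a multiple of 4096 in 0..61440, got {bridge_priority}")
    if not 1 <= instance <= MAX_MISTP_INSTANCES:
        raise ValueError(f"MISTP instance must be 1..{MAX_MISTP_INSTANCES}, got {instance}")
    return bridge_priority + instance


def format_priority(bridge_priority: int, instance: int) -> str:
    """Render the value the way 'show spantree mistp-instance' prints it."""
    return (f"{bridge_id_priority(bridge_priority, instance)} "
            f"(bridge priority: {bridge_priority}, sys ID ext: {instance})")


def mac_to_int(mac: str) -> int:
    """'00-d0-00-4c-18-00' -> integer, so MACs compare numerically."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def elect_root(instance: int, switches: List[Switch]) -> str:
    """Name of the switch that becomes root for this instance.

    Lowest bridge ID priority wins; equal priorities fall back to the lowest
    MAC address, which is why leaving every switch at the default 32768 lets
    whichever switch happens to have the lowest MAC become root.
    """
    def key(s: Switch):
        _, prio, mac = s
        return (bridge_id_priority(prio, instance), mac_to_int(mac))
    return min(switches, key=key)[0]


def priority_to_win_root(instance: int, others: List[Switch]) -> Optional[int]:
    """Highest valid bridge priority that still beats every other switch.

    Tries 8192 first (the 'set spantree root' default); if another switch is
    already at 8192 or below, steps down to the next multiple of 4096 that
    wins. Returns None when no valid value is low enough (another switch is
    already at priority 0, so only its MAC could decide).
    """
    best_other = min(bridge_id_priority(p, instance) for _, p, _ in others)
    for candidate in (PRIMARY_ROOT_PRIORITY, *sorted(VALID_BRIDGE_PRIORITIES, reverse=True)):
        if bridge_id_priority(candidate, instance) < best_other:
            return candidate
    return None


if __name__ == "__main__":
    print("default root:", elect_root(1, EXAMPLE_FABRIC))
    print("core-a needs priority:", priority_to_win_root(1, EXAMPLE_FABRIC[1:]))
    print(format_priority(8192, 1))
```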

Configuring the MISTP Port Cost

You can configure the port cost of switch ports. The possible cost is from 1 to 65535 when using the short method for calculating port cost and from 1 to 200000000 when using the long method. The ports with lower port costs are more likely to be chosen to forward frames. Assign lower numbers to ports that are attached to faster media (such as full duplex) and higher numbers to ports that are attached to slower media. The default cost differs for different media. For information about calculating port cost, see the “Calculating and Assigning Port Costs” section on page 8-4.

To configure the port cost for a port, perform this task in privileged mode:

Task / Command
Step 1 Configure the MISTP port cost for a switch port. / set spantree portcost mod/port cost
Step 2 Verify the port cost setting. / show spantree mistp-instance instance [mod/port] active

This example shows how to configure the port cost on a MISTP instance and verify the configuration:

Console> (enable) set spantree portcost 2/12 22222222
Spantree port 2/12 path cost set to 22222222.
Console> (enable) show spantree mistp-instance active
Instance 1
Spanning tree mode          MISTP-PVST+
Spanning tree type          ieee
Spanning tree instance      enabled

Designated Root             00-d0-00-4c-18-00
Designated Root Priority    32769 (root priority: 32768, sys ID ext: 1)
Designated Root Cost        0
Designated Root Port        none
VLANs mapped:               6
Root Max Age 20 sec         Hello Time 2 sec    Forward Delay 15 sec

Bridge ID MAC ADDR          00-d0-00-4c-18-00
Bridge ID Priority          32769 (bridge priority: 32768, sys ID ext: 1)
VLANs mapped:               6
Bridge Max Age 20 sec       Hello Time 2 sec    Forward Delay 15 sec

Port                     Inst Port-State    Cost      Prio Portfast Channel_id
------------------------ ---- ------------- --------- ---- -------- ----------
2/12                     1    forwarding    22222222  40   disabled 0
Console> (enable)

Configuring the MISTP Port Priority

You can configure the port priority of ports. The port with the lowest priority value forwards frames for all VLANs. If all ports have the same priority value, the port with the lowest port number forwards frames. The possible port priority value is 0–63; the default is 32.

To configure the port priority for a port, perform this task in privileged mode:

Task / Command
Step 1 Configure the MISTP port priority for a port. / set spantree portpri mod/port priority [instance]
Step 2 Verify the port priority setting. / show spantree mistp-instance instance [mod/port] active

This example shows how to configure the port priority and verify the configuration:

Console> (enable) set spantree portpri 2/12 40
Bridge port 2/12 port priority set to 40.
Console> (enable) show spantree mistp-instance 1
Instance 1
Spanning tree mode          MISTP-PVST+
Spanning tree type          ieee
Spanning tree instance      enabled

Designated Root             00-d0-00-4c-18-00
Designated Root Priority    32769 (root priority: 32768, sys ID ext: 1)
Designated Root Cost        0
Designated Root Port        none
VLANs mapped:               6
Root Max Age 20 sec         Hello Time 2 sec    Forward Delay 15 sec

Bridge ID MAC ADDR          00-d0-00-4c-18-00
Bridge ID Priority          32769 (bridge priority: 32768, sys ID ext: 1)
VLANs mapped:               6
Bridge Max Age 20 sec       Hello Time 2 sec    Forward Delay 15 sec

Port                     Inst Port-State    Cost      Prio Portfast Channel_id
------------------------ ---- ------------- --------- ---- -------- ----------
2/12                     1    forwarding    22222222  40   disabled 0
Console> (enable)

Configuring the MISTP Port Instance Cost

You can configure the port instance cost for an instance of MISTP or MISTP-PVST+. The possible value for port instance cost is 1–268435456. Ports with a lower instance cost are more likely to be chosen to forward frames. You should assign lower numbers to ports attached to faster media (such as full duplex) and higher numbers to ports attached to slower media. The default cost differs for different media.

To configure the port instance cost for a port, perform this task in privileged mode:

Task / Command
Configure the MISTP port instance cost on a port. / set spantree portinstancecost {mod/port} [cost cost] [instances]

This example shows how to configure the MISTP port instance cost on a port:

Console> (enable) set spantree portinstancecost 2/12 cost 110110 2
Port 2/12 instances 1,3-16 have path cost 22222222.
Port 2/12 instances 2 have path cost 110110.
Console> (enable)

Configuring the MISTP Port Instance Priority

You can set the port priority for an instance of MISTP. The port with the lowest priority value for a specific MISTP instance forwards frames for that instance. If all ports have the same priority value for an MISTP instance, the port with the lowest port number forwards frames for that instance. The possible port instance priority range is 0–63.

To configure the port instance priority on an MISTP instance, perform this task in privileged mode:

Task / Command
Configure the port instance priority on an MISTP instance. / set spantree portinstancepri {mod/port} priority [instances]

This example shows how to configure the port instance priority on an MISTP instance and verify the configuration:

Console> (enable) set spantree portinstancepri 2/12 10 2
Port 2/12 instances 2 using portpri 10.
Port 2/12 mistp-instance 1,3-16 using portpri 40.
Console> (enable)

Enabling an MISTP Instance

You can enable up to 16 MISTP instances. Each MISTP instance defines a unique spanning tree topology. MISTP instance 1, the default instance, is enabled by default; however, you must map a VLAN to it in order for it to be active. You can enable a single MISTP instance, a range of instances, or all instances at once using the all keyword.

Note The software does not display the status of an MISTP instance until it has a VLAN with an active port mapped to it.

To enable an MISTP instance, perform this task in privileged mode:

Task / Command
Step 1 Enable an MISTP instance. / set spantree enable mistp-instance instance [all]
Step 2 Verify the instance is enabled. / show spantree mistp-instance [instance] [active] mod/port

Note Enter the active keyword to display active ports only.

This example shows how to enable an MISTP instance:

Console> (enable) set spantree enable mistp-instance 2
Spantree 2 enabled.
Console> (enable) show spantree mistp-instance 2
Instance 2
Spanning tree mode          MISTP
Spanning tree type          ieee
Spanning tree instance      enabled
.
.
.

Mapping VLANs to an MISTP Instance

When you are using MISTP-PVST+ or MISTP on a switch, you must map at least one VLAN to an MISTP instance in order for MISTP-PVST+ or MISTP to be active.

• You can only map Ethernet VLANs to MISTP instances.
• You can map as many Ethernet VLANs as you wish to an MISTP instance.
• You cannot map a VLAN to more than one MISTP instance.
• At least one VLAN in the instance must have an active port in order for MISTP-PVST+ or MISTP to be active.

Note See Chapter 11, “Configuring VLANs” for details on using and configuring VLANs.

Note To use VLANs 1025–4094, you must enable MAC address reduction. See the “Creating Extended-Range VLANs” section on page 11-7 in Chapter 11, “Configuring VLANs” for details on using extended-range VLANs.

These sections describe how to configure MISTP instances:
• Determining MISTP Instances—VLAN Mapping Conflicts, page 8-xxx
• Unmapping VLANs from an MISTP Instance, page 8-xxx

To map a VLAN to an MISTP instance, perform this task in privileged mode:

Task / Command
Step 1 Map a VLAN to an MISTP instance. / set vlan vlan mistp-instance instance
Step 2 Verify the VLAN is mapped. / show spantree mistp-instance [instance] [active] mod/port

This example shows how to map a VLAN to MISTP instance 1 and verify the mapping:

Console> (enable) set vlan 6 mistp-instance 1
Vlan 6 configuration successful
Console> (enable) show spantree mistp-instance 1
Instance 1
Spanning tree mode          MISTP-PVST+
Spanning tree type          ieee
Spanning tree instance      enabled

Designated Root             00-d0-00-4c-18-00
Designated Root Priority    49153 (root priority: 49152, sys ID ext: 1)
Designated Root Cost        0
Designated Root Port        none
VLANs mapped:               6
Root Max Age 20 sec         Hello Time 2 sec    Forward Delay 15 sec

Bridge ID MAC ADDR          00-d0-00-4c-18-00
Bridge ID Priority          49153 (bridge priority: 49152, sys ID ext: 1)
VLANs mapped:               6
Bridge Max Age 20 sec       Hello Time 2 sec    Forward Delay 15 sec

Port                     Inst Port-State    Cost      Prio Portfast Channel_id
------------------------ ---- ------------- --------- ---- -------- ----------
2/12                     1    forwarding    22222222  40   disabled 0

Determining MISTP Instances—VLAN Mapping Conflicts

A VLAN can only be mapped to one MISTP instance. If you attempt to map a VLAN to more than one instance, the VLAN is in conflict. When you unmap a VLAN from an MISTP instance, or if the VLAN is in conflict between instances, the resulting state of all the ports of the VLAN (if the VLAN exists) is blocking. You can use the show spantree conflicts command to determine to which MISTP instances you have attempted to map the VLAN.

To determine VLAN mapping conflicts, perform this task in privileged mode:

Task / Command
Determine VLAN mapping conflicts. / show spantree conflicts vlan

This command prints a list of the MISTP instances associated with the VLAN, the MAC addresses of the root switches that are sending the BPDUs containing the VLAN mapping information, and the timers associated with the mapping of a VLAN to an MISTP instance. When only one entry is printed or when all the entries are associated to the same instance, the VLAN is mapped to that instance. If two or more entries in the list are associated with different MISTP instances, the VLAN is in conflict. To clear up the conflict, you must manually remove the incorrect mapping(s) from the root switch. The remaining entry on the list becomes the official mapping.

This example shows there is an attempt to map VLAN 2 to MISTP instance 1 and to MISTP instance 3 on two different switches as seen from a third switch in the topology:

Console> (enable) show spantree conflicts 2
Inst MAC               Delay    Time left
---- ----------------- -------- ---------
1    00-30-a3-4a-0c-00 inactive 20
3    00-30-f1-e5-00-01 inactive 10

The Delay timer shows the time in seconds remaining before the VLAN joins the instance. The field displays inactive if the VLAN is already mapped to an instance (the timer has expired). Entries pertaining to the root switch show inactive on the root switch itself. The Time Left timer shows the time in seconds left before the entry expires and is removed from the table. The timer is restarted every time an incoming BPDU confirms the mapping.

Unmapping VLANs from an MISTP Instance

The keyword none is used to unmap the specified VLANs from the MISTP instances to which they are currently mapped. When a VLAN is unmapped, all of its ports are set to blocking mode.

To unmap a VLAN or all VLANs from an MISTP instance, perform this task in privileged mode:

Task / Command
Unmap a VLAN from an MISTP instance. / set vlan vlan mistp-instance none

This example shows how to unmap a VLAN from an MISTP instance:

Console> (enable) set vlan 6 mistp-instance none
Vlan 6 configuration successful
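The conflict rule stated above, applied to the show spantree conflicts output, as an added example (not Cisco code): one entry, or several entries for the same instance, means the VLAN is mapped; entries for different instances mean a conflict, and the root switch MACs of the extra entries tell you where the wrong mapping has to be removed. The sample text is the page's own example output; the helper names are this example's own.

```python
"""Interpret 'show spantree conflicts <vlan>' output (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches one table row: "1    00-30-a3-4a-0c-00 inactive 20"
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(inactive|\d+)\s+(\d+)\s*$"
)

# Sample output copied from the page's example (constructed test input)
SAMPLE_CONFLICT = """Console> (enable) show spantree conflicts 2
Inst MAC               Delay    Time left
---- ----------------- -------- ---------
1    00-30-a3-4a-0c-00 inactive 20
3    00-30-f1-e5-00-01 inactive 10
"""


@dataclass
class ConflictEntry:
    instance: int
    root_mac: str           # root switch whose BPDUs carry this mapping
    delay: Optional[int]    # seconds until the VLAN joins; None when "inactive"
    time_left: int          # seconds until the entry ages out of the table


def parse_conflicts(output: str) -> List[ConflictEntry]:
    """Extract the table rows; headers, dashes and the prompt are skipped."""
    entries = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        inst, mac, delay, left = m.groups()
        entries.append(ConflictEntry(
            instance=int(inst),
            root_mac=mac.lower(),
            delay=None if delay.lower() == "inactive" else int(delay),
            time_left=int(left),
        ))
    return entries


def mapping_status(entries: List[ConflictEntry]) -> Tuple[str, object]:
    """('unmapped', None), ('mapped', instance) or ('conflict', [instances])."""
    instances = sorted({e.instance for e in entries})
    if not instances:
        return ("unmapped", None)
    if len(instances) == 1:
        return ("mapped", instances[0])
    return ("conflict", instances)


def offending_roots(entries: List[ConflictEntry], keep_instance: int) -> List[str]:
    """Root switch MACs advertising a mapping other than the intended instance.

    These are the switches on which the incorrect mapping must be removed
    (set vlan <vlan> mistp-instance none, or the correct instance); until
    then every port of the VLAN stays blocking.
    """
    return sorted(e.root_mac for e in entries if e.instance != keep_instance)


def next_to_expire(entries: List[ConflictEntry]) -> Optional[ConflictEntry]:
    """Entry that will age out first if no BPDU refreshes it."""
    return min(entries, key=lambda e: e.time_left) if entries else None


if __name__ == "__main__":
    rows = parse_conflicts(SAMPLE_CONFLICT)
    print(mapping_status(rows))                 # ('conflict', [1, 3])
    print(offending_roots(rows, keep_instance=1))
```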

Disabling MISTP-PVST+ or MISTP

When the switch is in MISTP mode, you disable spanning tree on an instance, not for the whole switch. When you disable spanning tree on an MISTP instance, the instance still exists on the switch, all of the VLANs mapped to it have all of their ports forwarding, and the instance BPDUs are flooded.

To disable an MISTP instance, perform this task in privileged mode:

Task / Command
Disable an MISTP instance. / set spantree disable mistp-instance instance [all]

This example shows how to disable an MISTP instance:

Console> (enable) set spantree disable mistp-instance 2
MI-STP instance 2 disabled.

Configuring a Root Switch

These sections explain how to configure a root switch:
• Configuring a Primary Root Switch, page 8-xxxi
• Configuring a Secondary Root Switch, page 8-xxxii
• Configuring a Root Switch to Improve Convergence, page 8-xxxiii
• Using Root Guard—Preventing Switches from Becoming Root, page 8-xxxiv

Configuring a Primary Root Switch

You can set a root switch on a VLAN when the switch is in PVST+ mode or on an MISTP instance when the switch is in MISTP mode. You enter the set spantree root command to reduce the bridge priority (the value associated with the switch) from the default (32768) to a lower value, which allows the switch to become the root switch. When you specify a switch as the primary root, the default bridge priority is modified so that it becomes the root for the specified VLANs. Set the bridge priority to 8192. If this setting does not result in the switch becoming a root, modify the bridge priority to be 1 less or the same as the bridge priority of the current root switch. If reducing the bridge priority as low as 1 still does not make the switch the root switch, the system displays a message. Because different VLANs could potentially have different root switches, the bridge VLAN-priority chosen makes this switch the root for all the VLANs specified.

Caution Enter the set spantree root command on backbone switches or distribution switches only, not on access switches.

To configure a switch as the primary root switch, perform this task in privileged mode:

Task / Command
Configure a switch as the primary root switch. / set spantree root [vlans] [dia network_diameter] [hello hello_time]

This example shows how to configure the primary root switch for VLANs 1–10:

Console> (enable) set spantree root 1-10 dia 4
VLANs 1-10 bridge priority set to 8192
VLANs 1-10 bridge max aging time set to 14 seconds.
VLANs 1-10 bridge hello time set to 2 seconds.
VLANs 1-10 bridge forward delay set to 9 seconds.
Switch is now the root switch for active VLANs 1-6.
Console> (enable)

To configure a switch as the primary root switch for an instance, perform this task in privileged mode:

Task / Command
Configure a switch as the primary root switch for an instance. / set spantree root mistp-instance instance [dia network_diameter] [hello hello_time]

This example shows how to configure the primary root switch for an instance:

Console> (enable) set spantree root mistp-instance 2-4 dia 4
Instances 2-4 bridge priority set to 8192
Instances 2-4 bridge max aging time set to 14 seconds.
Instances 2-4 bridge hello time set to 2 seconds.
Instances 2-4 bridge forward delay set to 9 seconds.
Switch is now the root switch for active Instances 1-6.
Console> (enable)

Configuring a Secondary Root Switch

You can set a secondary root switch on a VLAN when the switch is in PVST+ mode or on an MISTP instance when the switch is in MISTP mode. The set spantree root secondary command reduces the bridge priority to 16,384, making it the probable candidate to become the root switch if the primary root switch fails. You can run this command on more than one switch to create multiple backup switches in case the primary root switch fails.

To configure a switch as the secondary root switch, perform this task in privileged mode:

Task / Command
Configure a switch as the secondary root switch. / set spantree root [secondary] vlans [dia network_diameter] [hello hello_time]

This example shows how to configure the secondary root switch for VLANs 22 and 24:

Console> (enable) set spantree root secondary 22,24 dia 5 hello 1
VLANs 22,24 bridge priority set to 16384.
VLANs 22,24 bridge max aging time set to 10 seconds.
VLANs 22,24 bridge hello time set to 1 second.
VLANs 22,24 bridge forward delay set to 7 seconds.
Console> (enable)

To configure a switch as the secondary root switch for an instance, perform this task in privileged mode:

Task / Command
Configure a switch as the secondary root switch for an instance. / set spantree root [secondary] mistp-instance instance [dia network_diameter] [hello hello_time]

This example shows how to configure the secondary root for an instance:

Console> (enable) set spantree root secondary mistp-instance 2-4 dia 4
Instances 2-4 bridge priority set to 8192
Instances 2-4 bridge max aging time set to 14 seconds.
Instances 2-4 bridge hello time set to 2 seconds.
Instances 2-4 bridge forward delay set to 9 seconds.
Switch is now the root switch for active Instances 1-6.
Console> (enable)

Configuring a Root Switch to Improve Convergence

By lowering the values for the Hello Time, Forward Delay Timer, and Maximum Age Timer parameters on the root switch, you can reduce the convergence time. When a link failure occurs in a bridged network, the network reconfiguration is not immediate. Reconfiguring the default parameters (specified by IEEE 802.1D) for the Hello Time, Forward Delay Timer, and Maximum Age Timer requires a 50-second delay. This reconfiguration time depends on the network diameter, which is the maximum number of bridges between any two end stations. In a network with links of 10 Mbps or faster, the network diameter can reach the maximum value of 7. To speed up convergence, use nondefault parameter values permitted by the 802.1D standard. See Table 8-5 for the nondefault parameters for a reconvergence of 14 seconds. For information on configuring these timers, see the “Configuring Spanning Tree Timers” section on page 8-xxxv.

Table 8-5 Nondefault Parameters

Parameter / Time
Network Diameter (dia) / 2
Hello Time / 2 seconds
Forward Delay Timer / 4 seconds
Maximum Age Timer / 6 seconds

Note Reducing the timer parameter values is possible only if your network has LAN links of 10 Mbps or faster. With WAN connections, you cannot reduce the parameters.

Note You can set switch ports in PortFast mode for improved convergence. PortFast mode affects only the transition from disable (link down) to enable (link up) by moving the port immediately to the forwarding state. If a port in the PortFast mode begins blocking, it then goes through listening and learning before reaching the forwarding state. For information about PortFast, see the “Understanding How PortFast Works” section on page 9-2 in Chapter 9, “Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard.”

To configure the spanning tree parameters to improve convergence, perform this task in privileged mode:

Task / Command
Step 1 Configure the hello time for a VLAN or an MISTP instance. / set spantree hello interval [vlan] mistp-instance [instances]
Step 2 Verify the configuration. / show spantree [vlan | mistp-instance instances]
Step 3 Configure the forward delay time for a VLAN or an MISTP instance. / set spantree fwddelay delay [vlan] mistp-instance [instances]
Step 4 Verify the configuration. / show spantree [mod/port] mistp-instance [instances] [active]
Step 5 Configure the maximum aging time for a VLAN or an MISTP instance. / set spantree maxage agingtime [vlans] mistp-instance instances
Step 6 Verify the configuration. / show spantree [mod/port] mistp-instance [instances] [active]

This example shows how to configure the spanning tree Hello Time, Forward Delay Timer, and Maximum Age Timer to 2, 4, and 6 seconds respectively:

Console> (enable) set spantree hello 2 100
Spantree 100 hello time set to 7 seconds.
Console> (enable)
Console> (enable) set spantree fwddelay 4 100
Spantree 100 forward delay set to 21 seconds.
Console> (enable)
Console> (enable) set spantree maxage 6 100
Spantree 100 max aging time set to 36 seconds.
Console> (enable)
Console> (enable) set spantree root 1-10 dia 4
VLANs 1-10 bridge priority set to 8192
VLANs 1-10 bridge max aging time set to 14 seconds.
VLANs 1-10 bridge hello time set to 2 seconds.
VLANs 1-10 bridge forward delay set to 9 seconds.
Switch is now the root switch for active VLANs 1-6.
Console> (enable)

Using Root Guard—Preventing Switches from Becoming Root

You may want to prevent switches from becoming the root switch. The root guard feature forces a port to become a designated port so that no switch on the other end of the link can become a root switch. If a port goes into the root-inconsistent state, it automatically goes into the listening state. When you enable root guard on a per-port basis, it is automatically applied to all of the active VLANs to which that port belongs. When you disable root guard, it is disabled for the specified port(s).

To prevent switches from becoming root, perform this task in privileged mode:

Task / Command
Step 1 Enable root guard on a port. / set spantree guard {root | none} mod/port
Step 2 Verify that root guard is enabled. / show spantree guard {mod/port | vlan} {mistp-instance instance | mod/port}

Configuring Spanning Tree Timers

Spanning tree timers affect the spanning tree performance. Table 8-6 describes the switch variables that affect spanning tree performance.

Table 8-6 Spanning Tree Timers

Variable / Description / Default
Hello Time / Determines how often the switch broadcasts its hello message to other switches. / 2 seconds
Maximum Age Timer / Measures the age of the received protocol information recorded for a port and ensures that this information is discarded when its age limit exceeds the value of the maximum age parameter recorded by the switch. The timeout value is the maximum age parameter of the switches. / 20 seconds
Forward Delay Timer / Monitors the time spent by a port in the learning and listening states. The timeout value is the forward delay parameter of the switches. / 15 seconds

You can configure the spanning tree timers for a VLAN in PVST+ or an MISTP instance in MISTP mode. If you do not specify a VLAN when the switch is in PVST+ mode, VLAN 1 is assumed; if you do not specify an MISTP instance when the switch is in MISTP mode, MISTP instance 1 is assumed.

Caution Exercise care using these commands. For most situations, we recommend that you use the set spantree root and set spantree root secondary commands to modify the spanning tree performance parameters.

These sections describe how to configure spanning tree timers:
• Configuring the Hello Time, page 8-xxxv
• Configuring the Forward Delay Time, page 8-xxxvi
• Configuring the Maximum Aging Time, page 8-xxxvi

Configuring the Hello Time

Enter the set spantree hello command to change the hello time for a VLAN or for an MISTP instance. The possible range of interval is 1 to 10 seconds.

To configure the spanning tree bridge hello time for a VLAN or an MISTP instance, perform this task in privileged mode:

Task / Command
Step 1 Configure the hello time for a VLAN or an MISTP instance. / set spantree hello interval [vlan] mistp-instance [instances]
Step 2 Verify the configuration. / show spantree [vlan | mistp-instance instances]

This example shows how to configure the spanning tree hello time for VLAN 100 to 7 seconds:

Console> (enable) set spantree hello 7 100
Spantree 100 hello time set to 7 seconds.
Console> (enable)

This example shows how to configure the spanning tree hello time for an instance to 3 seconds:

Console> (enable) set spantree hello 3 mistp-instance 1
Spantree 1 hello time set to 3 seconds.
Console> (enable)

Configuring the Forward Delay Time

Enter the set spantree fwddelay command to configure the spanning tree forward delay time for a VLAN. The possible range of delay is 4 to 30 seconds.

To configure the spanning tree forward delay time for a VLAN, perform this task in privileged mode:

Task / Command
Step 1 Configure the forward delay time for a VLAN or an MISTP instance. / set spantree fwddelay delay [vlan] mistp-instance [instances]
Step 2 Verify the configuration. / show spantree [mod/port] mistp-instance [instances] [active]

This example shows how to configure the spanning tree forward delay time for VLAN 100 to 21 seconds:

Console> (enable) set spantree fwddelay 21 100
Spantree 100 forward delay set to 21 seconds.
Console> (enable)

This example shows how to set the bridge forward delay for an instance to 16 seconds:

Console> (enable) set spantree fwddelay 16 mistp-instance 1
Instance 1 forward delay set to 16 seconds.
Console> (enable)

Configuring the Maximum Aging Time

Enter the set spantree maxage command to change the spanning tree maximum aging time for a VLAN or an instance. The possible range of agingtime is 6 to 40 seconds.

To configure the spanning tree maximum aging time for a VLAN or an instance, perform this task in privileged mode:

Task / Command
Step 1 Configure the maximum aging time for a VLAN or an MISTP instance. / set spantree maxage agingtime [vlans] mistp-instance instances
Step 2 Verify the configuration. / show spantree [mod/port] mistp-instance [instances] [active]

This example shows how to configure the spanning tree maximum aging time for VLAN 100 to 36 seconds:

Console> (enable) set spantree maxage 36 100
Spantree 100 max aging time set to 36 seconds.
Console> (enable)

This example shows how to set the maximum aging time for an instance to 25 seconds:

Console> (enable) set spantree maxage 25 mistp-instance 1
Instance 1 max aging time set to 25 seconds.
Console> (enable)

Understanding How BPDU Skewing Works

BPDU skewing is the difference between when the BPDUs are expected to be received and the time BPDUs are actually received. This feature applies to both PVST+ and MISTP. In MISTP, the skew detection is on a per-instance basis.

Spanning tree detects topology changes. The root switch advertises its presence by sending out BPDUs for the configured Hello time interval. The nonroot switches receive and process one BPDU during each configured time period. Spanning tree uses the Hello Time (see the “Configuring the Hello Time” section on page 8-xxxv) to detect when a connection to the root switch exists through a port and when that connection is lost. If the BPDU is not received on a VLAN at the configured time interval, the BPDU is skewed. The skew causes BPDUs to reflood the network to keep the spanning tree topology database current. BPDU skewing detects BPDUs that are not processed in a regular time frame on the nonroot switches in the network.

Skewing occurs when the following occurs:
• Spanning tree timers lapse.
• Expected BPDUs are not received.
• A VLAN does not receive the BPDU as scheduled.

If BPDU skewing occurs, a syslog message is displayed. The syslog applies to both PVST+ and MISTP. The number of syslog messages that are generated may impact the convergence of the network and the CPU utilization of the switch. New syslog messages are not generated as individual messages for every VLAN because the higher the number of syslog messages that are reported, the slower the switching process will be. To reduce the impact on the switch, the syslog messages are as follows:
• Generated at 50 percent of the maximum age time (see the “Configuring the Maximum Aging Time” section on page 8-xxxvi)
• Rate limited at one for every 60 seconds

Configuring BPDU Skewing

Commands that support the spanning tree BPDU skewing feature perform these functions:
• Allow you to enable or disable BPDU skewing. The default is disabled.
• Provide a display of the VLAN or PVST+ or MISTP instance and the port affected by the skew including this information:
  – The last skew duration (in absolute time)
  – The worst skew duration (in absolute time)
  – The date and time of the worst duration
• Modify the show spantree summary output to show if the skew detection is enabled and for which VLANs or PVST+ or MISTP instances the skew was detected.

To change how spanning tree performs BPDU skewing statistics gathering, enter the set spantree bpdu-skewing command. The bpdu-skewing command is disabled by default.

To configure the BPDU skewing statistics gathering for a VLAN, perform this task in privileged mode:

Task / Command
Step 1 Configure BPDU skewing. / set spantree bpdu-skewing [enable | disable]
Step 2 Verify the configuration. / show spantree bpdu-skewing vlan [mod/port]
                                   show spantree bpdu-skewing mistp-instance [instance] [mod/port]

This example shows how to configure BPDU skewing and view the skewing statistics:

Console> (enable) set spantree bpdu-skewing
Usage:set spantree bpdu-skewing <enable|disable>
Console> (enable) set spantree bpdu-skewing enable
Spantree bpdu-skewing enabled on this switch.
Console> (enable)
Console> (enable) show spantree bpdu-skewing 1
Bpdu skewing statistics for vlan 1
Port  Last Skew ms  Worst Skew ms  Worst Skew Time
----- ------------- -------------- -------------------------
8/2   5869          108370         Tue Nov 21 2000, 06:25:59
8/4   4050          113198         Tue Nov 21 2000, 06:26:04
8/6   113363        113363         Tue Nov 21 2000, 06:26:05
8/8   4111          113441         Tue Nov 21 2000, 06:26:05
8/10  113522        113522         Tue Nov 21 2000, 06:26:05
8/12  4111          113600         Tue Nov 21 2000, 06:26:05
8/14  113678        113678         Tue Nov 21 2000, 06:26:05
8/16  4111          113755         Tue Nov 21 2000, 06:26:05
8/18  113833        113833         Tue Nov 21 2000, 06:26:05
8/20  4111          113913         Tue Nov 21 2000, 06:26:05
8/22  113917        113917         Tue Nov 21 2000, 06:26:05
8/24  4110          113922         Tue Nov 21 2000, 06:26:05
8/26  113926        113926         Tue Nov 21 2000, 06:26:05
8/28  4111          113931         Tue Nov 21 2000, 06:26:05
Console> (enable)

This example shows how to configure BPDU skewing for VLAN 1 on module 8, port 2 and view the skewing statistics:

Console> (enable) show spantree bpdu-skewing 1 8/4
Bpdu skewing statistics for vlan 1
Port   Last Skew ms  Worst Skew ms  Worst Skew Time
-----  ------------  -------------  -------------------------
8/4    5869          108370         Tue Nov 21 2000, 06:25:59

You will receive a similar output when MISTP is running.

The show spantree summary command displays if BPDU skew detection is enabled and also lists the VLANs or instances affected in the skew. This example shows the output when using the show spantree summary command:

Console> (enable) show spantree summary
Root switch for vlans: 1
BPDU skewing detection enabled for the bridge
BPDU skewed for vlans: 1
Portfast bpdu-guard disabled for bridge.
Portfast bpdu-filter disabled for bridge.
Uplinkfast disabled for bridge.
Backbonefast disabled for bridge.
Summary of connected spanning tree ports by vlan
VLAN   Blocking  Listening  Learning  Forwarding  STP Active
-----  --------  ---------  --------  ----------  ----------
1      6         4          2         0           12

       Blocking  Listening  Learning  Forwarding  STP Active
-----  --------  ---------  --------  ----------  ----------
Total  6         4          2         0           12
Console> (enable)
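The skew statistics and the rate-limited syslog behaviour described above, as an added example that is not Cisco's code: a per-VLAN tracker keeps the last skew, the worst skew and the time of the worst skew for each port, and emits a message only once the skew reaches 50 percent of the max age and at most once every 60 seconds. It assumes a 20-second max age and a 2-second hello time (802.1D defaults) and feeds in a constructed series of BPDU arrival times on port 8/2.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed values: 20 s is the 802.1D default max age (set spantree maxage),
# 2 s the default hello time. The 50 percent threshold and the one-message-
# per-60-seconds rate limit are the behaviour the section describes.
MAX_AGE_S = 20.0
HELLO_TIME_S = 2.0
SKEW_ALERT_FRACTION = 0.5
SYSLOG_INTERVAL_S = 60.0


@dataclass
class PortSkew:
    """One row of 'show spantree bpdu-skewing': last, worst, time of worst."""
    last_skew_ms: int = 0
    worst_skew_ms: int = 0
    worst_skew_time: Optional[datetime] = None


@dataclass
class SkewTracker:
    """Per-VLAN skew statistics plus the rate-limited syslog emitter."""
    vlan: int
    max_age_s: float = MAX_AGE_S
    hello_time_s: float = HELLO_TIME_S
    ports: Dict[str, PortSkew] = field(default_factory=dict)
    last_rx: Dict[str, datetime] = field(default_factory=dict)
    syslog: List[str] = field(default_factory=list)
    last_syslog_at: Optional[datetime] = None

    def bpdu_received(self, port: str, at: datetime) -> int:
        """Record a BPDU arrival on port and return its skew in milliseconds.

        Skew is actual arrival minus expected arrival, the expected arrival
        being one hello time after the previous BPDU on the same port. The
        first BPDU on a port only sets the baseline. Early arrivals are not
        skew, so negative values are clamped to 0.
        """
        row = self.ports.setdefault(port, PortSkew())
        prev = self.last_rx.get(port)
        self.last_rx[port] = at
        if prev is None:
            return 0
        expected = prev + timedelta(seconds=self.hello_time_s)
        skew_ms = max(0, round((at - expected).total_seconds() * 1000))
        row.last_skew_ms = skew_ms
        if skew_ms > row.worst_skew_ms:
            row.worst_skew_ms = skew_ms
            row.worst_skew_time = at
        self._maybe_syslog(port, skew_ms, at)
        return skew_ms

    def _maybe_syslog(self, port: str, skew_ms: int, at: datetime) -> None:
        """Emit a message once skew reaches 50 percent of max age, at most
        one message per 60 seconds; the statistics row updates regardless."""
        threshold_ms = self.max_age_s * SKEW_ALERT_FRACTION * 1000
        if skew_ms < threshold_ms:
            return
        if (self.last_syslog_at is not None
                and (at - self.last_syslog_at).total_seconds() < SYSLOG_INTERVAL_S):
            return  # rate limited
        self.last_syslog_at = at
        # Constructed message text; not the switch's real syslog format.
        self.syslog.append(f"{at:%b %d %H:%M:%S} BPDU skew on vlan {self.vlan} "
                           f"port {port}: {skew_ms} ms (threshold {int(threshold_ms)} ms)")

    def report(self) -> List[str]:
        """Render the rows in the layout of 'show spantree bpdu-skewing <vlan>'."""
        lines = [f"Bpdu skewing statistics for vlan {self.vlan}",
                 "Port   Last Skew ms  Worst Skew ms  Worst Skew Time"]
        for port in sorted(self.ports, key=lambda p: tuple(map(int, p.split("/")))):
            row = self.ports[port]
            when = (row.worst_skew_time.strftime("%a %b %d %Y, %H:%M:%S")
                    if row.worst_skew_time else "-")
            lines.append(f"{port:<6} {row.last_skew_ms:<13} {row.worst_skew_ms:<14} {when}")
        return lines


# Constructed sample: BPDU arrival offsets (ms) on port 8/2 of VLAN 1, chosen
# so the first real skew matches the 5869 ms "last skew" shown above.
SAMPLE_ARRIVALS_MS = [0, 2000, 9869, 120239, 142239, 159239, 191239]


def sample_run() -> Tuple[SkewTracker, List[int]]:
    """Feed the constructed arrivals to a tracker; return it and the skews."""
    t0 = datetime(2000, 11, 21, 6, 25, 0)
    tracker = SkewTracker(vlan=1)
    skews = [tracker.bpdu_received("8/2", t0 + timedelta(milliseconds=ms))
             for ms in SAMPLE_ARRIVALS_MS]
    return tracker, skews
```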


C H A P T E R 9

Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard

This chapter describes how to configure the spanning tree PortFast, UplinkFast, BackboneFast, and loop guard features on the Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

Note For information on configuring the Spanning Tree Protocol (STP), see Chapter 8, "Configuring Spanning Tree."

This chapter consists of these sections:
• Understanding How PortFast Works, page 9-ii
• Understanding How PortFast BPDU Guard Works, page 9-ii
• Understanding How PortFast BPDU Filter Works, page 9-ii
• Understanding How UplinkFast Works, page 9-ii
• Understanding How BackboneFast Works, page 9-iv
• Understanding How Loop Guard Works, page 9-v
• Configuring PortFast, page 9-vii
• Configuring PortFast BPDU Guard, page 9-ix
• Configuring PortFast BPDU Filter, page 9-xi
• Configuring UplinkFast, page 9-xiii
• Configuring BackboneFast, page 9-xv
• Configuring Loop Guard, page 9-xvii

Understanding How PortFast Works

PortFast causes a spanning tree port to immediately enter the forwarding state, bypassing the listening and learning states. You can use PortFast on switch ports connected to a single workstation or server to allow those devices to connect to the network immediately, rather than waiting for spanning tree to converge.

Caution Use PortFast only when connecting a single end station to a switch port. Otherwise, you might create a network loop.

To prevent loops in a network, you can enable PortFast on nontrunking access ports only because these ports typically do not transmit or receive bridge protocol data units (BPDUs). The most secure implementation of PortFast occurs when you enable it on ports that connect end stations to switches. If you enable PortFast on nontrunking ports that connect two switches, spanning tree loops can occur if BPDUs are being transmitted and received on those ports.

Understanding How PortFast BPDU Guard Works

PortFast BPDU guard prevents spanning tree loops by moving a nontrunking port into the errdisable state when a BPDU is received on that port. When you enable BPDU guard on the switch, spanning tree applies the PortFast BPDU guard feature to all PortFast-configured interfaces. In a valid configuration, PortFast-configured interfaces do not receive BPDUs. In an invalid configuration, a BPDU is received by a PortFast-configured interface. BPDU guard can prevent invalid configurations, such as a connection of an unauthorized device, because you must manually put the interface back in service.

Note When enabled on the switch, spanning tree shuts down PortFast-configured interfaces that receive BPDUs, rather than putting them into the spanning tree blocking state. This feature is on a per-switch basis.

Understanding How PortFast BPDU Filter Works

BPDU filtering provides a method for you to avoid transmitting BPDUs on a PortFast-enabled port. Spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled or not. PortFast BPDU filtering is enabled globally but applies to PortFast-enabled ports only; after BPDU filtering is enabled, it applies to all PortFast-enabled ports. The PortFast BPDU filter allows access ports to move directly to the forwarding state as soon as end hosts are connected, and because no BPDUs are sent on ports connected to an end system, it helps save CPU time.

Understanding How UplinkFast Works

UplinkFast provides fast convergence after a spanning tree topology change and achieves load balancing between redundant links using uplink groups. An uplink group is a set of ports (per VLAN), only one of which is forwarding at any given time. Specifically, an uplink group consists of the root port (which is forwarding) and a set of blocked ports. The blocked ports do not include self-looping ports. The uplink group provides an alternate path in case the currently forwarding link fails.

Note UplinkFast is most useful in wiring-closet switches. This feature may not be useful for other types of applications.

Figure 9-1 shows an example topology with no link failures. Switch A, the root switch, is connected directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that is connected directly to Switch B is in blocking state.

Figure 9-1 UplinkFast Example Before Direct Link Failure
[Figure: Switch A (Root) connected to Switch B over L1 and to Switch C over L2; L3 connects Switch B and Switch C, with the blocked port on Switch C]

If Switch C detects a link failure on the currently active link L2 (a direct link failure), UplinkFast unblocks the blocked port on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure 9-2. This switchover takes approximately 1 to 5 seconds.

Figure 9-2 UplinkFast Example After Direct Link Failure
[Figure: same topology with a link failure on L2; UplinkFast transitions the port on L3 directly to the forwarding state]

Understanding How BackboneFast Works

BackboneFast is initiated when a root port or blocked port on a switch receives inferior BPDUs from its designated bridge. An inferior BPDU identifies one switch as both the root bridge and the designated bridge. When a switch receives an inferior BPDU, it indicates that a link to which the switch is not directly connected (an indirect link) has failed (that is, the designated bridge has lost its connection to the root bridge). Under normal spanning tree rules, the switch ignores inferior BPDUs for the configured maximum aging time, as specified by the agingtime variable of the set spantree maxage command.

The switch tries to determine if it has an alternate path to the root bridge. If the inferior BPDU arrives on a blocked port, the root port and other blocked ports on the switch become alternate paths to the root bridge. (Self-looped ports are not considered alternate paths to the root bridge.) If the inferior BPDU arrives on the root port, all blocked ports become alternate paths to the root bridge. If the inferior BPDU arrives on the root port and there are no blocked ports, the switch assumes that it has lost connectivity to the root bridge, causes the maximum aging time on the root to expire, and becomes the root switch according to normal spanning tree rules.

If the switch has alternate paths to the root bridge, it uses these alternate paths to transmit a new kind of PDU called the Root Link Query PDU out all alternate paths to the root bridge. If the switch determines that it still has an alternate path to the root, it causes the maximum aging time on the ports on which it received the inferior BPDU to expire. If all the alternate paths to the root bridge indicate that the switch has lost connectivity to the root bridge, the switch causes the maximum aging times on the ports on which it received an inferior BPDU to expire. If one or more alternate paths can still connect to the root bridge, the switch makes all ports on which it received an inferior BPDU its designated ports and moves them out of the blocking state (if they were in the blocking state), through the listening and learning states, and into the forwarding state.

Figure 9-3 shows an example topology with no link failures. Switch A, the root switch, connects directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that connects directly to Switch B is in the blocking state.

Figure 9-3 Backbone Fast Example Before Indirect Link Failure
[Figure: Switch A (Root) connected to Switch B over L1 and to Switch C over L2; L3 connects Switch B and Switch C, with the blocked port on Switch C]

If link L1 fails, Switch C detects this failure as an indirect failure, since it is not connected directly to link L1. Switch B no longer has a path to the root switch. BackboneFast allows the blocked port on Switch C to move immediately to the listening state without waiting for the maximum aging time for the port to expire. BackboneFast then transitions the port on Switch C to the forwarding state, providing a path from Switch B to Switch A. This switchover takes approximately 30 seconds. Figure 9-4 shows how BackboneFast reconfigures the topology to account for the failure of link L1.

Figure 9-4 BackboneFast Example After Indirect Link Failure
[Figure: Switch A (Root), Switch B and Switch C with a link failure on L1; BackboneFast transitions the port on L3 through the listening and learning states to the forwarding state]

If a new switch is introduced into a shared-medium topology, BackboneFast is not activated. Figure 9-5 shows a shared-medium topology in which a new switch is added. The new switch begins sending inferior BPDUs that say it is the root switch. However, the other switches ignore these inferior BPDUs and the new switch learns that Switch B is the designated bridge to Switch A, the root switch.

Figure 9-5 Adding a Switch in a Shared-Medium Topology
[Figure: Switch A (Root), Switch B (Designated Bridge), Switch C with a blocked port, and the added switch on the shared medium]

Understanding How Loop Guard Works

Unidirectional link failures may cause a root port or alternate port to become designated as root if BPDUs are absent. Some software failures may introduce temporary loops in the network. Loop guard isolates the failure and lets spanning tree converge to a stable topology without the failed link or bridge.

The loop guard feature checks if a root port or an alternate root port receives BPDUs. If the port is not receiving BPDUs, the loop guard feature puts the port into an inconsistent state until it starts receiving BPDUs again.

You can enable loop guard on a per-port basis. When you enable loop guard, it is automatically applied to all of the active instances or VLANs to which that port belongs. When you disable loop guard, it is disabled for the specified ports. Disabling loop guard moves all loop-inconsistent ports to the listening state.

If you enable loop guard on a channel and the first link becomes unidirectional, loop guard blocks the entire channel until the affected port is removed from the channel. Figure 9-6 shows loop guard in a triangle switch configuration.

Figure 9-6 Triangle Switch Configuration with Loop Guard
[Figure: Switches A, B, and C connected in a triangle on ports 3/1 and 3/2 of each switch; legend: Designated port, Root port, Alternate port]

Figure 9-6 illustrates the following configuration:
• Switches A and B are distribution switches.
• Switch C is an access switch.
• Loop guard is enabled on ports 3/1 and 3/2 on Switches A, B, and C.

Use loop guard only in topologies where there are blocked ports. Topologies that have no blocked ports, which are loop free, do not need to enable this feature. Enabling loop guard on a root switch has no effect but provides protection when a root switch becomes a nonroot switch.

Note We recommend that you enable loop guard on root ports and alternate root ports on access switches.

Follow these guidelines when using loop guard:
• Do not enable loop guard on ports that are connected to a shared link.
• You cannot enable loop guard on PortFast-enabled or dynamic VLAN ports.
• You cannot enable PortFast on loop guard-enabled ports.
• You cannot enable loop guard if root guard is enabled.

Loop guard interacts with other features as follows:
• Loop guard does not affect the functionality of UplinkFast or BackboneFast.

• Root guard forces a port to be always designated as the root port. Loop guard is effective only if the port is a root port or an alternate port. You cannot enable loop guard and root guard on a port at the same time.
• PortFast transitions a port into a forwarding state immediately when a link is established. Because a PortFast-enabled port will not be a root port or alternate port, loop guard and PortFast cannot be configured on the same port.
• Assigning dynamic VLAN membership for the port requires that the port is PortFast enabled. You cannot configure a loop guard-enabled port with dynamic VLAN membership.
• Loop guard uses the ports known to spanning tree. Loop guard can take advantage of logical ports provided by the Port Aggregation Protocol (PAgP). However, to form a channel, all the physical ports grouped in the channel must have compatible configurations. PAgP enforces uniform configurations of root guard or loop guard on all the physical ports to form a channel. These caveats apply to loop guard:
  – Spanning tree always chooses the first operational port in the channel to send the BPDUs. If that link becomes unidirectional, loop guard blocks the channel, even if other links in the channel are functioning properly.
  – If a set of ports that are already blocked by loop guard are grouped together to form a channel, spanning tree loses all the state information for those ports and the new channel port may obtain the forwarding state with a designated role.
  – If a channel is blocked by loop guard and the channel breaks, spanning tree loses all the state information. The individual physical ports may obtain the forwarding state with the designated role, even if one or more of the links that formed the channel are unidirectional.

Note You can enable UniDirectional Link Detection (UDLD) to help isolate the link failure. A loop may occur until UDLD detects the failure, but loop guard will not be able to detect it.

• Loop guard has no effect on a disabled spanning tree instance or a VLAN.
• Loop guard ignores the message age expiration on type-inconsistent ports and PVID-inconsistent ports. If your network has a type-inconsistent port or a PVID-inconsistent port, all BPDUs are dropped until the misconfiguration is corrected. The port transitions out of the inconsistent state after the message age expires. If the port is already blocked by loop guard, misconfigured BPDUs received on the port make loop guard recover, but the port is moved into the type-inconsistent state or PVID-inconsistent state.
• In high-availability switch configurations, if a port is put into the blocked state by loop guard, it remains blocked even after switchover to the redundant supervisor engine. The newly activated supervisor engine recovers the port only after receiving a BPDU on that port.

Configuring PortFast

These sections describe how to configure PortFast on the switch:
• Enabling PortFast, page 9-viii
• Disabling PortFast, page 9-viii

Enabling PortFast

Caution Use PortFast only when you connect a single end station to a switch port; otherwise, you might create a network loop.

To enable PortFast on a switch port, perform this task in privileged mode:

Task                                                                      Command
Step 1  Enable PortFast on a switch port connected to a single            set spantree portfast mod/port enable
        workstation or server.
Step 2  Verify the PortFast setting.                                      show spantree mod/port

This example shows how to enable PortFast on a port and verify the configuration (the PortFast status is shown in the "Fast-Start" column):

Console> (enable) set spantree portfast 4/1 enable
Warning: Spantree port fast start should only be enabled on ports connected
to a single host. Connecting hubs, concentrators, switches, bridges, etc. to
a fast start port can cause temporary spanning tree loops. Use with caution.

Spantree port 4/1 fast start enabled.
Console> (enable) show spantree 4/1
Port      Vlan  Port-State     Cost  Priority  Fast-Start  Group-method
--------  ----  -------------  ----  --------  ----------  ------------
4/1       1     blocking       19    20        enabled
4/1       100   forwarding     10    20        enabled
4/1       521   blocking       19    20        enabled
4/1       522   blocking       19    20        enabled
4/1       523   blocking       19    20        enabled
4/1       524   blocking       19    20        enabled
4/1       1003  not-connected  19    20        enabled
4/1       1005  not-connected  19    4         enabled
Console> (enable)

Disabling PortFast

To disable PortFast on a switch port, perform this task in privileged mode:

Task                                        Command
Step 1  Disable PortFast on a switch port.  set spantree portfast mod/port disable
Step 2  Verify the PortFast setting.        show spantree mod/port

This example shows how to disable PortFast on a port:

Console> (enable) set spantree portfast 4/1 disable
Spantree port 4/1 fast start disabled.
Console> (enable)
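An added audit script, not part of this guide or of CatOS: it reads the "Fast-Start" column of show spantree mod/port output together with the bridge-level bpdu-guard and bpdu-filter lines of show spantree summary, and flags PortFast ports that are not protected by BPDU guard, or whose BPDUs are being suppressed by BPDU filter. The two captures are constructed samples in the layout shown on this page; the severity labels and the Finding type are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample output in the layout of the 'show spantree summary' and
# 'show spantree mod/port' examples on this page (not a real capture).
SUMMARY_SAMPLE = """\
Root switch for vlans: none.
Portfast bpdu-guard disabled for bridge.
Portfast bpdu-filter enabled for bridge.
Uplinkfast disabled for bridge.
Backbonefast disabled for bridge.
"""

PORT_SAMPLE = """\
Port      Vlan  Port-State     Cost  Priority  Fast-Start  Group-method
--------  ----  -------------  ----  --------  ----------  ------------
4/1       1     blocking       19    20        enabled
4/1       100   forwarding     10    20        enabled
4/2       1     forwarding     19    20        disabled
4/2       100   forwarding     10    20        disabled
4/3       1     forwarding     19    20        enabled
4/3       100   forwarding     10    20        enabled
"""

BRIDGE_FLAG = re.compile(
    r"^Portfast (bpdu-guard|bpdu-filter) (enabled|disabled) for bridge\.$")
# port, vlan, state, cost, priority, then the Fast-Start column
PORT_ROW = re.compile(
    r"^(\d+/\d+)\s+(\d+)\s+(\S+)\s+\d+\s+\d+\s+(enabled|disabled)\b")


@dataclass
class Finding:
    severity: str
    message: str


def parse_bridge_flags(text: str) -> Dict[str, bool]:
    """Return {'bpdu-guard': bool, 'bpdu-filter': bool} from show spantree summary."""
    flags: Dict[str, bool] = {}
    for line in text.splitlines():
        m = BRIDGE_FLAG.match(line.strip())
        if m:
            flags[m.group(1)] = m.group(2) == "enabled"
    return flags


def parse_portfast_ports(text: str) -> Dict[str, bool]:
    """Map port -> True if the Fast-Start column is enabled on any of its rows."""
    ports: Dict[str, bool] = {}
    for line in text.splitlines():
        m = PORT_ROW.match(line.strip())
        if m:
            port = m.group(1)
            ports[port] = ports.get(port, False) or m.group(4) == "enabled"
    return ports


def audit(summary_text: str, port_text: str) -> List[Finding]:
    """Flag PortFast ports left without the protections this chapter describes."""
    flags = parse_bridge_flags(summary_text)
    portfast = [p for p, on in parse_portfast_ports(port_text).items() if on]
    findings: List[Finding] = []
    if not portfast:
        return findings  # nothing to protect
    plist = ", ".join(portfast)
    if not flags.get("bpdu-guard", False):
        findings.append(Finding(
            "high",
            f"PortFast is enabled on {plist} but BPDU guard is disabled for the "
            "bridge: a BPDU received on these ports is processed instead of "
            "errdisabling the port, so a second switch plugged in there can "
            "form a loop"))
    if flags.get("bpdu-filter", False):
        findings.append(Finding(
            "medium",
            f"PortFast BPDU filter is enabled: the switch sends no BPDUs on "
            f"{plist}; confirm only single end stations are attached there"))
    return findings
```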

Configuring PortFast BPDU Guard

These sections describe how to configure PortFast BPDU guard on the switch:
• Enabling PortFast BPDU Guard, page 9-ix
• Disabling PortFast BPDU Guard, page 9-x

Enabling PortFast BPDU Guard

Note Although the PortFast feature is configured on an individual port, the PortFast BPDU guard option is configured globally. When you disable PortFast on a port, PortFast BPDU guard becomes inactive.

To enable PortFast BPDU guard on a nontrunking switch port, perform this task in privileged mode:

Task                                              Command
Step 1  Enable PortFast BPDU guard on the switch. set spantree portfast bpdu-guard enable
Step 2  Verify the PortFast BPDU guard setting.   show spantree summary

This example shows how to enable PortFast BPDU guard on the switch and verify the configuration in the Per VLAN Spanning Tree + (PVST+) mode:

Note For additional PVST+ information, see Chapter 8, "Configuring Spanning Tree."

Console> (enable) set spantree portfast bpdu-guard enable
Spantree portfast bpdu-guard enabled on this switch.
Console> (enable) show spantree summary
Root switch for vlans: none.
Portfast bpdu-guard enabled for bridge.
Uplinkfast disabled for bridge.
Backbonefast disabled for bridge.
Vlan   Blocking  Listening  Learning  Forwarding  STP Active
-----  --------  ---------  --------  ----------  ----------
1      0         0          0         4           4
2      0         0          0         4           4
3      0         0          0         4           4
4      0         0          0         4           4
5      0         0          0         4           4
6      0         0          0         4           4
10     0         0          0         4           4
20     0         0          0         4           4
50     0         0          0         4           4
100    0         0          0         4           4
152    0         0          0         4           4
200    0         0          0         5           5
300    0         0          0         4           4
400    0         0          0         4           4
500    0         0          0         4           4
521    0         0          0         4           4
524    0         0          0         4           4
570    0         0          0         4           4
801    0         0          0         0           0

802    0         0          0         0           0
850    0         0          0         4           4
917    0         0          0         4           4
999    0         0          0         4           4
1003   0         0          0         0           0
1005   0         0          0         0           0

       Blocking  Listening  Learning  Forwarding  STP Active
-----  --------  ---------  --------  ----------  ----------
Total  0         0          0         85          85
Console> (enable)

Disabling PortFast BPDU Guard

To disable PortFast BPDU guard on the switch, perform this task in privileged mode:

Task                                               Command
Step 1  Disable PortFast BPDU guard on the switch. set spantree portfast bpdu-guard disable
Step 2  Verify the PortFast BPDU guard setting.    show spantree

This example shows how to disable PortFast BPDU guard on the switch and verify the configuration:

Console> (enable) set spantree portfast bpdu-guard disable
Spantree portfast bpdu-guard disabled on this switch.
Console> (enable) show spantree summary
Summary of connected spanning tree ports by vlan
Portfast bpdu-guard disabled for bridge.
Uplinkfast disabled for bridge.
Backbonefast disabled for bridge.
Vlan   Blocking  Listening  Learning  Forwarding  STP Active
-----  --------  ---------  --------  ----------  ----------
1      0         0          0         4           4
2      0         0          0         4           4
3      0         0          0         4           4
4      0         0          0         4           4
5      0         0          0         4           4
6      0         0          0         4           4
10     0         0          0         4           4
20     0         0          0         4           4
50     0         0          0         4           4
100    0         0          0         4           4
152    0         0          0         4           4
200    0         0          0         5           5
300    0         0          0         4           4
400    0         0          0         4           4
500    0         0          0         4           4
521    0         0          0         4           4
524    0         0          0         4           4
570    0         0          0         4           4
801    0         0          0         0           0
802    0         0          0         0           0
850    0         0          0         4           4
917    0         0          0         4           4
999    0         0          0         4           4

1003   0         0          0         0           0
1005   0         0          0         0           0

       Blocking  Listening  Learning  Forwarding  STP Active
-----  --------  ---------  --------  ----------  ----------
Total  0         0          0         85          85
Console> (enable)

Configuring PortFast BPDU Filter

These sections describe how to configure PortFast BPDU filter on the switch:
• Enabling PortFast BPDU Filter, page 9-xi
• Disabling PortFast BPDU Filter, page 9-xii

Enabling PortFast BPDU Filter

To enable PortFast BPDU filtering on a nontrunking port, perform this task in privileged mode:

Task                                                 Command
Step 1  Enable PortFast BPDU filtering on the port.  set spantree portfast bpdu-filter enable
Step 2  Verify the PortFast BPDU filter setting.     show spantree summary
                                                     show spantree portfast

This example shows how to enable PortFast BPDU filtering on the port and verify the configuration in PVST+ mode:

Note For PVST+ information, see Chapter 8, "Configuring Spanning Tree."

Console> (enable) set spantree portfast bpdu-filter enable
Usage: set spantree portfast <mod/port> <enable|disable>
       set spantree portfast bpdu-guard <enable|disable>
       set spantree portfast bpdu-filter <enable|disable>
Spantree portfast bpdu-filter enabled on this switch.
Console> (enable) show spantree portfast
Portfast BPDU guard is disabled.
Portfast BPDU filter is disabled.
Console> (enable) show spantree summary
Root switch for vlans: none.
Portfast bpdu-filter enabled for bridge.
Uplinkfast disabled for bridge.
Backbonefast disabled for bridge.

Vlan   Blocking  Listening  Learning  Forwarding  STP Active
-----  --------  ---------  --------  ----------  ----------
1      0         0          0         4           4
2      0         0          0         4           4
3      0         0          0         4           4
4      0         0          0         4           4
5      0         0          0         4           4
6      0         0          0         4           4
.
.
.
850    0         0          0         4           4
917    0         0          0         4           4
999    0         0          0         4           4
1003   0         0          0         0           0
1005   0         0          0         0           0

       Blocking  Listening  Learning  Forwarding  STP Active
-----  --------  ---------  --------  ----------  ----------
Total  0         0          0         85          85
Console> (enable)

Disabling PortFast BPDU Filter

To disable PortFast BPDU filtering on the switch, perform this task in privileged mode:

Task                                                    Command
Step 1  Disable PortFast BPDU filtering on the switch.  set spantree portfast bpdu-filter disable
Step 2  Verify the PortFast BPDU filter setting.        show spantree
                                                        show portfast

This example shows how to disable PortFast BPDU filtering on the switch and verify the configuration:

Console> (enable) set spantree portfast bpdu-filter disable
Spantree portfast bpdu-filter disabled on this switch.
Console> (enable) show spantree summary
Summary of connected spanning tree ports by vlan
Portfast bpdu-filter disabled for bridge.
Uplinkfast disabled for bridge.
Backbonefast disabled for bridge.
Vlan   Blocking  Listening  Learning  Forwarding  STP Active
-----  --------  ---------  --------  ----------  ----------
1      0         0          0         4           4
2      0         0          0         4           4
3      0         0          0         4           4
4      0         0          0         4           4
5      0         0          0         4           4
6      0         0          0         4           4
10     0         0          0         4           4
.
.
.
802    0         0          0         0           0
850    0         0          0         4           4
917    0         0          0         4           4
999    0         0          0         4           4

1003   0         0          0         0           0
1005   0         0          0         0           0

       Blocking  Listening  Learning  Forwarding  STP Active
-----  --------  ---------  --------  ----------  ----------
Total  0         0          0         85          85
Console> (enable)

Configuring UplinkFast

You can configure UplinkFast for PVST+ or for Multi-Instance Spanning Tree Protocol (MISTP). The command is the same but the output may be slightly different.

Note For additional MISTP information, see Chapter 8, "Configuring Spanning Tree."

These sections describe how to configure UplinkFast on the switch:
• Enabling UplinkFast, page 9-xiii
• Disabling UplinkFast, page 9-xiv

Enabling UplinkFast

The set spantree uplinkfast enable command increases the path cost of all ports on the switch, making it unlikely that the switch will become the root switch. The station_update_rate value represents the number of multicast packets transmitted per 100 milliseconds (the default is 15 packets per millisecond).

Note When you enable the set spantree uplinkfast command, it affects all VLANs on the switch. You cannot configure UplinkFast on an individual VLAN.

To enable UplinkFast on the switch, perform this task in privileged mode:

Task                                         Command
Step 1  Enable UplinkFast on the switch.     set spantree uplinkfast enable [rate station_update_rate] [all-protocols off | on]
Step 2  Verify that UplinkFast is enabled.   show spantree uplinkfast [{mistp-instance [instances]} | vlans]

With PVST+ mode enabled, this example shows how to enable UplinkFast with a station-update rate of 40 packets per 100 milliseconds and how to verify that UplinkFast is enabled:

Console> (enable) set spantree uplinkfast enable
VLANs 1-4094 bridge priority set to 49152.
The port cost and portvlancost of all ports set to above 3000.
Station update rate set to 15 packets/100ms.
uplinkfast all-protocols field set to off.
uplinkfast enabled for bridge.

Console> (enable) show spantree uplinkfast 1 100 521-524
Station update rate set to 15 packets/100ms.
uplinkfast all-protocols field set to off.
VLAN  port list
-----------------------------------------------
1     1/1(fwd),1/2
100   1/2(fwd)
521   1/1(fwd),1/2
522   1/1(fwd),1/2
523   1/1(fwd),1/2
524   1/1(fwd),1/2
Console> (enable)

This example shows how to display the UplinkFast feature settings for all VLANs:

Console> show spantree uplinkfast
Station update rate set to 15 packets/100ms.
uplinkfast all-protocols field set to off.
VLAN    port list
-----------------------------------------------
1-20    1/1(fwd), 1/6-1/8, 1/10-1/12
21-50   1/9(fwd), 1/2-1/5
51-100  2/1(fwd), 2/12
Console>

With MISTP mode enabled, this example shows the output when you enable UplinkFast:

Console> (enable) set spantree uplinkfast enable
Instances 1-16 bridge priority set to 49152.
The port cost and portinstancecost of all ports set to above 10000000.
Station update rate set to 15 packets/100ms.
uplinkfast all-protocols field set to off.
uplinkfast enabled for bridge.
Console> (enable)

This example shows how to display the UplinkFast feature settings for a specific instance:

Console> show spantree uplinkfast mistp-instance 1
Station update rate set to 15 packets/100ms.
uplinkfast all-protocols field set to off.
Inst  port list
-----------------------------------------------
1     4/1(fwd)
Console>

Disabling UplinkFast

The set spantree uplinkfast disable command disables UplinkFast on the switch, but the switch priority and port cost values are not reset to the factory defaults.

Note When you enter the set spantree uplinkfast disable command, it affects all VLANs on the switch. You cannot disable UplinkFast on an individual VLAN.

To disable UplinkFast on the switch, perform this task in privileged mode:

Task                                          Command
Step 1  Disable UplinkFast on the switch.     set spantree uplinkfast disable
Step 2  Verify that UplinkFast is disabled.   show spantree uplinkfast

With PVST+ mode enabled, this example shows how to disable UplinkFast on the switch and verify the configuration:

Console> (enable) set spantree uplinkfast disable
Uplinkfast disabled for switch.
Use clear spantree uplinkfast to return stp parameters to default.
Console> (enable) show spantree uplinkfast
Station update rate set to 15 packets/100ms.
uplinkfast all-protocols field set to off.
VLAN  port list
-----------------------------------------------
1     1/1(fwd),1/2
100   1/2(fwd)
521   1/1(fwd),1/2
522   1/1(fwd),1/2
523   1/1(fwd),1/2
524   1/1(fwd),1/2
Console> (enable)

Configuring BackboneFast

These sections describe how to configure BackboneFast:
• Enabling BackboneFast, page 9-xv
• Displaying BackboneFast Statistics, page 9-xvi
• Disabling BackboneFast, page 9-xvi

Enabling BackboneFast

Note For BackboneFast to work, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs. This feature is supported for use with third-party switches.

To enable BackboneFast on the switch, perform this task in privileged mode:

Task                                            Command
Step 1  Enable BackboneFast on the switch.      set spantree backbonefast enable
Step 2  Verify that BackboneFast is enabled.    show spantree backbonefast

This example shows how to enable BackboneFast on the switch and how to verify the configuration:

Console> (enable) set spantree backbonefast enable
Backbonefast enabled for all VLANs
Console> (enable) show spantree backbonefast
Backbonefast is enabled.
Console> (enable)

Displaying BackboneFast Statistics

To display BackboneFast statistics, perform this task in privileged mode:

Task                                 Command
Display BackboneFast statistics.     show spantree summary

This example shows how to display BackboneFast statistics:

Console> (enable) show spantree summary
Summary of connected spanning tree ports by vlan
Uplinkfast disabled for bridge.
Backbonefast enabled for bridge.
Vlan   Blocking  Listening  Learning  Forwarding  STP Active
-----  --------  ---------  --------  ----------  ----------
1      0         0          0         1           1

       Blocking  Listening  Learning  Forwarding  STP Active
-----  --------  ---------  --------  ----------  ----------
Total  0         0          0         1           1

BackboneFast statistics
-----------------------
Number of inferior BPDUs received (all VLANs)     : 0
Number of RLQ req PDUs received (all VLANs)       : 0
Number of RLQ res PDUs received (all VLANs)       : 0
Number of RLQ req PDUs transmitted (all VLANs)    : 0
Number of RLQ res PDUs transmitted (all VLANs)    : 0
Console> (enable)

Disabling BackboneFast

To disable BackboneFast on the switch, perform this task in privileged mode:

Task                                             Command
Step 1  Disable BackboneFast on the switch.      set spantree backbonefast disable
Step 2  Verify that BackboneFast is disabled.    show spantree backbonefast

This example shows how to disable BackboneFast on the switch and how to verify the configuration:

Console> (enable) set spantree backbonefast disable
Backbonefast enabled for all VLANs
Console> (enable) show spantree backbonefast
Backbonefast is disable.
Console> (enable)
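The inferior-BPDU handling described in "Understanding How BackboneFast Works", modelled as an added example that is not Cisco's code: a switch decides which ports count as alternate paths, sends Root Link Query PDUs over them, and either makes the inferior-BPDU port designated and forwarding, ages it out, or declares itself root; the counters mirror the BackboneFast statistics above. It assumes the 802.1D defaults of 20 s max age and 15 s forward delay for the convergence estimate, and the function passed as root_reachable_via stands in for the RLQ replies.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumed 802.1D defaults: max age 20 s (set spantree maxage) and forward
# delay 15 s, which the listening and learning states each consume once.
MAX_AGE_S = 20
FORWARD_DELAY_S = 15


@dataclass
class Port:
    name: str
    role: str                  # "root", "blocked" or "designated"
    self_looped: bool = False  # self-looped ports are never alternate paths
    state: str = "blocking"


@dataclass
class BackboneFastSwitch:
    """One switch's BackboneFast reaction to an inferior BPDU."""
    ports: Dict[str, Port]
    stats: Dict[str, int] = field(default_factory=lambda: {
        "inferior_bpdus_received": 0,
        "rlq_req_transmitted": 0,
        "rlq_res_received": 0})
    log: List[str] = field(default_factory=list)

    def alternate_paths(self, arrival: Port) -> List[Port]:
        """Alternate paths to the root for an inferior BPDU on `arrival`.

        Arrival on a blocked port: the root port plus the other blocked ports.
        Arrival on the root port: all blocked ports. Self-looped ports excluded.
        """
        alts = []
        for p in self.ports.values():
            if p is arrival or p.self_looped:
                continue
            if p.role == "blocked" or (p.role == "root" and arrival.role == "blocked"):
                alts.append(p)
        return alts

    def inferior_bpdu(self, port_name: str,
                      root_reachable_via: Callable[[str], bool]) -> str:
        """Process an inferior BPDU received on port_name.

        root_reachable_via(port) stands in for the Root Link Query response
        that comes back on an alternate port: True if the neighbour on that
        port still reaches the root bridge.
        """
        port = self.ports[port_name]
        self.stats["inferior_bpdus_received"] += 1
        if port.role == "designated":
            self.log.append(f"{port_name}: not a root or blocked port, BackboneFast not triggered")
            return "ignored"
        alts = self.alternate_paths(port)
        if port.role == "root" and not alts:
            # No alternate path: assume the root is gone, age out the root
            # port and let normal spanning tree elect this switch as root.
            port.state = "aged-out"
            self.log.append(f"{port_name}: root port with no alternates, becoming root")
            return "became_root"
        self.stats["rlq_req_transmitted"] += len(alts)
        answers = {a.name: root_reachable_via(a.name) for a in alts}
        self.stats["rlq_res_received"] += len(answers)
        self.log.append(f"{port_name}: RLQ sent on {sorted(answers)}, replies {answers}")
        if any(answers.values()):
            # Still connected to the root through an alternate path: the
            # inferior-BPDU port becomes designated and goes forwarding via
            # listening and learning, skipping the max age wait.
            port.role, port.state = "designated", "forwarding"
            return "inferior_port_forwarding"
        # Every alternate path also lost the root: expire max age on the
        # inferior-BPDU port and let normal spanning tree reconverge.
        port.state = "aged-out"
        return "aged_out"

    @staticmethod
    def convergence_seconds(backbonefast: bool) -> int:
        """Seconds until forwarding after an indirect link failure under the
        assumed defaults: BackboneFast skips the max age wait."""
        listen_and_learn = 2 * FORWARD_DELAY_S
        return listen_and_learn if backbonefast else MAX_AGE_S + listen_and_learn


def switch_c_example() -> BackboneFastSwitch:
    """Switch C of Figure 9-3 (constructed): root port on L2 towards Switch A,
    blocked port on L3 towards Switch B, plus a self-looped port for contrast."""
    return BackboneFastSwitch({
        "L2": Port("L2", "root", state="forwarding"),
        "L3": Port("L3", "blocked"),
        "L4": Port("L4", "blocked", self_looped=True),
    })
```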

Configuring Loop Guard

These sections describe how to configure loop guard:
• Enabling Loop Guard, page 9-xvii
• Disabling Loop Guard, page 9-xvii

Enabling Loop Guard

Use the set spantree guard command to enable or disable the spanning tree loop guard feature on a per-port basis.

To enable loop guard on the switch, perform this task in privileged mode:

        Task                                    Command
Step 1  Enable loop guard on a port.            set spantree guard loop mod/port
Step 2  Verify that loop guard is enabled.      show spantree guard {mod/port | vlan} mistp-instance instance

This example shows how to enable loop guard:

Console> (enable) set spantree guard loop 5/1
Rootguard is enabled on port 5/1, enabling loopguard will disable rootguard on this port.
Do you want to continue (y/n) [n]? y
Loopguard on port 5/1 is enabled.
Console> (enable)

Disabling Loop Guard

To disable loop guard on the switch, perform this task in privileged mode:

        Task                                    Command
Step 1  Disable loop guard on a port.           set spantree guard none mod/port
Step 2  Verify that loop guard is disabled.     show spantree guard {mod/port | vlan} mistp-instance instance

This example shows how to disable loop guard:

Console> (enable) set spantree guard none 5/1
Rootguard is disabled on port 5/1, disabling loopguard will disable rootguard on this port.
Do you want to continue (y/n) [n]? y
Loopguard on port 5/1 is disabled.
Console> (enable)


CHAPTER 10 Configuring VTP

This chapter describes how to configure the VLAN Trunking Protocol (VTP) on the Catalyst 6000 family switches.

Note: For complete information on configuring VLANs, see Chapter 11, “Configuring VLANs.”

Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:
• Understanding How VTP Works, page 10-i
• Default VTP Configuration, page 10-v
• VTP Configuration Guidelines, page 10-v
• Configuring VTP, page 10-vi

Understanding How VTP Works

VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes misconfigurations and configuration inconsistencies that can result in a number of problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations. You can use VTP to manage VLANs 1 to 1005 in your network. (Note that VTP does not support VLANs 1025 to 4094.) With VTP, you can make configuration changes centrally on one switch and have those changes automatically communicated to all the other switches in the network.

These sections describe how VTP works:
• Understanding the VTP Domain, page 10-ii
• Understanding VTP Modes, page 10-ii
• Understanding VTP Advertisements, page 10-ii
• Understanding VTP Version 2, page 10-iii
• Understanding VTP Pruning, page 10-iii

Understanding the VTP Domain

A VTP domain (also called a VLAN management domain) is made up of one or more interconnected switches that share the same VTP domain name. A switch can be configured to be in one and only one VTP domain. You make global VLAN configuration changes for the domain using either the command-line interface (CLI) or Simple Network Management Protocol (SNMP).

By default, the switch is in VTP server mode and is in the no-management domain state until the switch receives an advertisement for a domain over a trunk link or you configure a management domain. You cannot create or modify VLANs on a VTP server until the management domain name is specified or learned.

If the switch receives a VTP advertisement over a trunk link, it inherits the management domain name and the VTP configuration revision number. The switch ignores advertisements with a different management domain name or an earlier configuration revision number.

If you configure the switch as VTP transparent, you can create and modify VLANs but the changes affect only the individual switch.

When you make a change to the VLAN configuration on a VTP server, the change is propagated to all switches in the VTP domain. VTP advertisements are transmitted out all trunk connections, including Inter-Switch Link (ISL), IEEE 802.1Q, IEEE 802.10, and ATM LAN Emulation (LANE).

VTP maps VLANs dynamically across multiple LAN types with unique names and internal index associations. Mapping eliminates excessive device administration required from network administrators.

Understanding VTP Modes

You can configure a switch to operate in any one of these VTP modes:
• Server—In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters (such as VTP version and VTP pruning) for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links. VTP server is the default mode.
• Client—VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.
• Transparent—VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, in VTP version 2, transparent switches do forward VTP advertisements that they receive out their trunk ports.

Understanding VTP Advertisements

Each switch in the VTP domain sends periodic advertisements out each trunk port to a reserved multicast address. VTP advertisements are received by neighboring switches, which update their VTP and VLAN configurations as necessary.

The following global configuration information is distributed in VTP advertisements:
• VLAN IDs (ISL and 802.1Q)
• Emulated LAN names (for ATM LANE)
• 802.10 SAID values (FDDI)

• VTP domain name
• VTP configuration revision number
• VLAN configuration, including the maximum transmission unit (MTU) size for each VLAN
• Frame format

Understanding VTP Version 2

If you use VTP in your network, you must decide whether to use VTP version 1 or version 2.

Note: If you are using VTP in a Token Ring environment, you must use version 2.

VTP version 2 supports the following features not supported in version 1:
• Token Ring support—VTP version 2 supports Token Ring LAN switching and VLANs (Token Ring Bridge Relay Function [TrBRF] and Token Ring Concentrator Relay Function [TrCRF]). For more information about Token Ring VLANs, see Chapter 11, “Configuring VLANs.”
• Unrecognized Type-Length-Value (TLV) Support—A VTP server or client propagates configuration changes to its other trunks, even for TLVs it is not able to parse. The unrecognized TLV is saved in NVRAM.
• Version-Dependent Transparent Mode—In VTP version 1, a VTP transparent switch inspects VTP messages for the domain name and version and forwards a message only if the version and domain name match. Since only one domain is supported in the supervisor engine software, VTP version 2 forwards VTP messages in transparent mode without checking the version.
• Consistency Checks—In VTP version 2, VLAN consistency checks (such as VLAN names and values) are performed only when you enter new information through the CLI or SNMP. Consistency checks are not performed when new information is obtained from a VTP message, or when information is read from NVRAM. If the digest on a received VTP message is correct, its information is accepted without consistency checks.

Understanding VTP Pruning

VTP pruning enhances network bandwidth use by reducing unnecessary flooded traffic, such as broadcast, multicast, unknown, and flooded unicast packets. VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices. By default, VTP pruning is disabled.

VTP pruning is supported in supervisor engine software release 5.1(1) and later releases. Make sure that all devices in the management domain support VTP pruning before enabling it.

Note: If you are using routers to route between emulated LANs, you should disable VTP pruning in the VTP management domain that contains the switches with ATM LANE modules installed (VTP pruning messages are sent over the ATM LANE module because it is a trunk). Another solution is to disable pruning for the LANE VLANs using the clear vtp pruneeligible command on all switches with ATM LANE modules.
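The acceptance rules the chapter states for a received advertisement (domain name must match, revision must be newer, digest must verify, then the VLAN table is taken over without consistency checks), as an added Python model that is not part of the original guide. The digest construction, the switch and VLAN names and the "constructed-secret" password are assumptions; the chapter does not describe how the real VTP digest is built, so a keyed HMAC stands in for it.

```python
"""Model of the acceptance rules a VTP server or client applies to a received
summary advertisement, as stated in this chapter: ignore a different domain
name, ignore an earlier configuration revision, and once the digest verifies,
take over the advertised VLAN configuration with no further consistency checks.

Added illustration, not Cisco code.  The digest construction is an
assumption: an HMAC over a canonical encoding, keyed with the management
domain password, stands in for the real VTP MD5 digest, which this chapter
does not describe.  All names and values are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def _encode(domain, revision, vlans):
    """Canonical bytes covered by the stand-in digest (constructed format)."""
    body = f"{domain}|{revision}|" + ";".join(
        f"{vid}:{name}:{mtu}" for vid, name, mtu in vlans)
    return body.encode()


def make_digest(password, domain, revision, vlans):
    """Stand-in for the VTP digest, keyed with the domain password."""
    return hmac.new(password.encode(), _encode(domain, revision, vlans),
                    hashlib.sha256).digest()


@dataclass(frozen=True)
class Advertisement:
    domain: str
    revision: int
    vlans: tuple        # ((vlan_id, name, mtu), ...)
    digest: bytes


@dataclass
class VtpSwitch:
    """The server/client state that decides whether an advertisement is applied."""
    domain: str
    password: str
    revision: int = 0
    vlans: dict = field(default_factory=dict)
    revision_errors: int = 0     # counters in the spirit of 'show vtp statistics'
    digest_errors: int = 0

    def receive(self, adv):
        if adv.domain != self.domain:
            return "ignored: different management domain"
        if adv.revision <= self.revision:
            # Earlier revision is ignored; counting an equal revision as an
            # error too is a modelling choice, not something the chapter states.
            self.revision_errors += 1
            return "ignored: earlier configuration revision"
        expected = make_digest(self.password, adv.domain, adv.revision, adv.vlans)
        if not hmac.compare_digest(expected, adv.digest):
            self.digest_errors += 1
            return "ignored: config digest error"
        # Digest correct: the advertised VLAN table replaces the local one
        # without consistency checks on names or values (version 2 behaviour).
        self.vlans = {vid: (name, mtu) for vid, name, mtu in adv.vlans}
        self.revision = adv.revision
        return "accepted"


def demo():
    """Feed one switch four constructed advertisements; return outcomes and state."""
    pw = "constructed-secret"
    sw = VtpSwitch(domain="Lab_Network", password=pw, revision=40,
                   vlans={1: ("default", 1500), 10: ("eng", 1500)})
    new = ((1, "default", 1500), (10, "eng", 1500), (20, "mkt", 1500))
    advs = [
        Advertisement("Other_Net", 41, new, make_digest(pw, "Other_Net", 41, new)),
        Advertisement("Lab_Network", 39, new, make_digest(pw, "Lab_Network", 39, new)),
        Advertisement("Lab_Network", 41, new, make_digest("wrong-pw", "Lab_Network", 41, new)),
        Advertisement("Lab_Network", 41, new, make_digest(pw, "Lab_Network", 41, new)),
    ]
    outcomes = [sw.receive(a) for a in advs]
    return outcomes, sw


if __name__ == "__main__":
    results, switch = demo()
    for r in results:
        print(r)
    print("revision", switch.revision, "vlans", sorted(switch.vlans))
```

Only the last advertisement changes the switch: a higher revision carried in the right domain with a digest that verifies under the shared password, which is why the guidelines require the same password on every switch in a secure-mode domain.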

Figure 10-1 shows a switched network without VTP pruning enabled. Port 1 on Switch 1 and port 2 on Switch 4 are assigned to the Red VLAN. A broadcast is sent from the host connected to Switch 1. Switch 1 floods the broadcast and every switch in the network receives it, even though Switches 3, 5, and 6 have no ports in the Red VLAN.

Figure 10-1 Flooding Traffic without VTP Pruning
[Figure: Switch 1 through Switch 6 interconnected by trunks; Port 1 on Switch 1 and Port 2 on Switch 4 are in the Red VLAN; the broadcast reaches every switch.]

Figure 10-2 shows the same switched network with VTP pruning enabled. The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on the links indicated (port 5 on Switch 2 and port 4 on Switch 4).

Figure 10-2 Flooding Traffic with VTP Pruning
[Figure: the same network; flooded Red VLAN traffic is pruned at Port 5 on Switch 2 and Port 4 on Switch 4.]

Enabling VTP pruning on a VTP server enables pruning for the entire management domain. VTP pruning takes effect several seconds after you enable it. By default, VLANs 2 through 1000 are pruning eligible. VTP pruning does not prune traffic from VLANs that are pruning ineligible. VLAN 1 is always pruning ineligible; traffic from VLAN 1 cannot be pruned.
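The behaviour of Figures 10-1 and 10-2, plus the two pruning rules stated here (VLAN 1 is never pruned; a VLAN made pruning ineligible is flooded everywhere) and the later note that transparent-mode devices send no VTP Join messages, as an added Python model that is not part of the original guide. The trunk topology, the VLAN id 100 for the "Red VLAN" and the per-switch port assignments are constructed to match the text (Switches 1 and 4 have Red ports, Switches 3, 5 and 6 do not); pruning eligibility is modelled as configured identically on every switch.

```python
"""Model of VTP pruning decisions on a tree of trunked switches.

Added illustration, not Cisco code.  Each VTP switch tells a trunk neighbour
which VLANs have active ports on it or anywhere behind it (the role of a VTP
Join message); the neighbour floods a VLAN onto that trunk only if the VLAN
is in that Join set or is pruning ineligible (VLAN 1 always is).  A switch in
transparent mode sends no Join at all.  Topology and VLAN ids are constructed.
"""
from collections import defaultdict

RED = 100   # constructed VLAN id standing for the "Red VLAN" of the figures


class PrunedNetwork:
    def __init__(self, trunks, access_vlans, pruning, ineligible=(1,), transparent=()):
        self.adj = defaultdict(set)             # trunk links (must form a tree)
        for a, b in trunks:
            self.adj[a].add(b)
            self.adj[b].add(a)
        self.access = access_vlans              # switch -> VLANs with access ports
        self.pruning = pruning                  # set vtp pruning enable / disable
        self.ineligible = set(ineligible)       # VLANs that are pruning ineligible
        self.transparent = set(transparent)     # switches in VTP transparent mode

    def join_set(self, sender, receiver):
        """VLANs `sender` asks `receiver` not to prune: those with ports on
        `sender` or on any switch behind it, away from `receiver`."""
        if sender in self.transparent:
            return set()                        # no Join sent by transparent mode
        vlans = set(self.access.get(sender, ()))
        for nxt in self.adj[sender] - {receiver}:
            vlans |= self.join_set(nxt, sender)
        return vlans

    def forwards(self, sw, neighbour, vlan):
        """Does `sw` flood `vlan` out the trunk towards `neighbour`?"""
        if not self.pruning or vlan in self.ineligible:
            return True
        return vlan in self.join_set(neighbour, sw)

    def flood(self, source, vlan):
        """Switches that receive a broadcast from a host on `source` in `vlan`."""
        reached, stack = {source}, [source]
        while stack:
            sw = stack.pop()
            for nb in self.adj[sw]:
                if nb not in reached and self.forwards(sw, nb, vlan):
                    reached.add(nb)
                    stack.append(nb)
        return sorted(reached)

    def cut_links(self, source, vlan):
        """Trunks on which the flooded traffic stops, as (switch, neighbour)."""
        reached = set(self.flood(source, vlan))
        return sorted((sw, nb) for sw in reached
                      for nb in self.adj[sw] if nb not in reached)


# Constructed topology: 1-2, 2-3, 2-4, 4-5, 5-6.  Red ports on Switches 1 and 4.
TRUNKS = [(1, 2), (2, 3), (2, 4), (4, 5), (5, 6)]
ACCESS = {1: {1, RED}, 2: {1}, 3: {1}, 4: {1, RED}, 5: {1}, 6: {1}}


def demo():
    no_prune = PrunedNetwork(TRUNKS, ACCESS, pruning=False)
    pruned = PrunedNetwork(TRUNKS, ACCESS, pruning=True)
    # Switch 4 in transparent mode sends no Join, so the Red VLAN it needs is
    # pruned upstream (the case the note on transparent-mode devices warns of)...
    transp = PrunedNetwork(TRUNKS, ACCESS, pruning=True, transparent={4})
    # ...until the Red VLAN is made pruning ineligible (clear vtp pruneeligible).
    fixed = PrunedNetwork(TRUNKS, ACCESS, pruning=True,
                          ineligible=(1, RED), transparent={4})
    return {
        "figure_10_1": no_prune.flood(1, RED),
        "figure_10_2": pruned.flood(1, RED),
        "figure_10_2_cuts": pruned.cut_links(1, RED),
        "vlan1_never_pruned": pruned.flood(1, 1),
        "transparent_sw4": transp.flood(1, RED),
        "transparent_sw4_ineligible": fixed.flood(1, RED),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```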

To make a VLAN pruning ineligible, enter the clear vtp pruneeligible command. To make a VLAN pruning eligible again, enter the set vtp pruneeligible command. You can set VLAN pruning eligibility regardless of whether VTP pruning is enabled or disabled for the domain. Pruning eligibility always applies to the local device only, not for the entire VTP domain.

Default VTP Configuration

Table 10-1 shows the default VTP configuration.

Table 10-1 VTP Default Configuration

Feature                         Default Value
VTP domain name                 Null
VTP mode                        Server
VTP version 2 enable state      Version 2 is disabled
VTP password                    None
VTP pruning                     Disabled

VTP Configuration Guidelines

Follow these guidelines when implementing VTP in your network:
• All switches in a VTP domain must run the same VTP version.
• You must configure a password on each switch in the management domain when in secure mode.

Caution: If you configure VTP in secure mode, the management domain will not function properly if you do not assign a management domain password to each switch in the domain.

• A VTP version 2-capable switch can operate in the same VTP domain as a switch running VTP version 1 provided VTP version 2 is disabled on the VTP version 2-capable switch (VTP version 2 is disabled by default).
• Do not enable VTP version 2 on a switch unless all of the switches in the same VTP domain are version 2 capable. When you enable VTP version 2 on a switch, all of the version 2-capable switches in the domain enable VTP version 2.
• In a Token Ring environment, you must enable VTP version 2 for Token Ring VLAN switching to function properly.
• Enabling or disabling VTP pruning on a VTP server enables or disables VTP pruning for the entire management domain.
• Making VLANs pruning eligible or pruning ineligible on a switch affects pruning eligibility for those VLANs on that device only (not on all switches in the VTP domain).

Configuring VTP

These sections describe how to configure VTP:
• Configuring a VTP Server, page 10-vi
• Configuring a VTP Client, page 10-vi
• Disabling VTP (VTP Transparent Mode), page 10-vii
• Enabling VTP Version 2, page 10-viii
• Disabling VTP Version 2, page 10-ix
• Enabling VTP Pruning, page 10-ix
• Disabling VTP Pruning, page 10-x
• Displaying VTP, page 10-x

Configuring a VTP Server

When a switch is in VTP server mode, you can change the VLAN configuration and have it propagate throughout the network.

To configure the switch as a VTP server, perform this task in privileged mode:

        Task                                            Command
Step 1  Define the VTP domain name.                     set vtp domain name
Step 2  Place the switch in VTP server mode.            set vtp mode server
Step 3  (Optional) Set a password for the VTP domain.   set vtp passwd passwd
Step 4  Verify the VTP configuration.                   show vtp domain

This example shows how to configure the switch as a VTP server and verify the configuration:

Console> (enable) set vtp domain Lab_Network
VTP domain Lab_Network modified
Console> (enable) set vtp mode server
VTP domain Lab_Network modified
Console> (enable) show vtp domain
Domain Name                      Domain Index VTP Version Local Mode  Password
-------------------------------- ------------ ----------- ----------- ----------
Lab_Network                      1            2           server

Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
10         1023             40              enabled

Last Updater    V2 Mode  Pruning  PruneEligible on Vlans
--------------- -------- -------- -------------------------
172.20.52.70    disabled disabled 2-1000
Console> (enable)

Configuring a VTP Client

When a switch is in VTP client mode, you cannot change the VLAN configuration on the switch. The client switch receives VTP updates from a VTP server in the management domain and modifies its configuration accordingly.

To configure the switch as a VTP client, perform this task in privileged mode:

        Task                                    Command
Step 1  Define the VTP domain name.             set vtp domain name
Step 2  Place the switch in VTP client mode.    set vtp mode client
Step 3  Verify the VTP configuration.           show vtp domain

This example shows how to configure the switch as a VTP client and verify the configuration:

Console> (enable) set vtp domain Lab_Network
VTP domain Lab_Network modified
Console> (enable) set vtp mode client
VTP domain Lab_Network modified
Console> (enable) show vtp domain
Domain Name                      Domain Index VTP Version Local Mode  Password
-------------------------------- ------------ ----------- ----------- ----------
Lab_Network                      1            2           client

Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
10         1023             40              enabled

Last Updater    V2 Mode  Pruning  PruneEligible on Vlans
--------------- -------- -------- -------------------------
172.20.52.70    disabled disabled 2-1000
Console> (enable)

Disabling VTP (VTP Transparent Mode)

When you configure the switch as VTP transparent, you disable VTP on the switch. A VTP transparent switch does not send VTP updates and does not act on VTP updates received from other switches. However, a VTP transparent switch running VTP version 2 does forward received VTP advertisements out all of its trunk links.

Note: Network devices in VTP transparent mode do not send VTP Join messages. On Catalyst 6000 family switches with trunk connections to network devices in VTP transparent mode, configure the VLANs that are used by the transparent-mode network devices or that need to be carried across trunks as pruning ineligible (use the clear vtp pruneeligible command).

To disable VTP on the switch, perform this task in privileged mode:

        Task                                                                    Command
Step 1  Disable VTP on the switch by configuring it for VTP transparent mode.   set vtp mode transparent
Step 2  Verify the VTP configuration.                                           show vtp domain

52.-----------. All devices in the management domain should be version2-capable before enabling.---------Lab_Net 1 2 Transparent Vlan-count Max-vlan-storage Config Revision Notifications ---------.---------Lab_Net 1 2 server Vlan-count Max-vlan-storage Config Revision Notifications ---------.20. Note In a Token Ring environment.--------------.----------.70 enabled disabled 2-1000 Console> (enable) Catalyst 6000 Family Software Configuration Guide—Releases 6.-------.----------. Caution VTP version 1 and VTP version 2 are not interoperable on switches in the same VTP domain. Verify that VTP version 2 is enabled.------------10 1023 1 enabled Last Updater V2 Mode Pruning PruneEligible on Vlans --------------.---------------.----------.-------. every VTP version 2-capable switch in the VTP domain will enable version 2 as well.3 and 6.-------.Chapter 10 Configuring VTP Configuring VTP This example shows how to configure the switch as VTP transparent and verify the configuration: Console> (enable) set vtp mode transparent VTP domain Lab_Net modified Console> (enable) show vtp domain Domain Name Domain Index VTP Version Local Mode Password -------------------------------.20. Do you want to continue (y/n) [n]? y VTP domain Lab_Net modified Console> (enable) show vtp domain Domain Name Domain Index VTP Version Local Mode Password -------------------------------.52.70 disabled disabled 2-1000 Console> (enable) Enabling VTP Version 2 VTP version 2 is disabled by default on VTP version 2-capable switches.-------.------------------------172.4 10-8 78-13315-02 .--------------.-----------. you must enable VTP version 2 for Token Ring VLAN switching to function properly. This example shows how to enable VTP version 2 and verify the configuration: Console> (enable) set vtp v2 enable This command will enable the version 2 function in the entire management domain.----------. 
Every switch in the VTP domain must use the same VTP version.------------10 1023 0 enabled Last Updater V2 Mode Pruning PruneEligible on Vlans --------------. To enable VTP version 2. When you enable VTP version 2 on a switch. Do not enable VTP version 2 unless every switch in the VTP domain supports version 2.------------------------172. perform this task in privileged mode: Task Command set vtp v2 enable show vtp domain Step 1 Step 2 Enable VTP version 2 on the switch.---------------.

Disabling VTP Version 2

To disable VTP version 2, perform this task in privileged mode:

        Task                                    Command
Step 1  Disable VTP version 2.                  set vtp v2 disable
Step 2  Verify that VTP version 2 is disabled.  show vtp domain

This example shows how to disable VTP version 2:

Console> (enable) set vtp v2 disable
This command will disable the version 2 function in the entire management domain.
Warning: trbrf & trcrf vlans will not work properly in this mode.
Do you want to continue (y/n) [n]? y
VTP domain Lab_Net modified
Console> (enable)

Enabling VTP Pruning

To enable VTP pruning, perform this task in privileged mode:

        Task                                                                    Command
Step 1  Enable VTP pruning in the management domain.                            set vtp pruning enable
Step 2  (Optional) Make specific VLANs pruning ineligible on the device.         clear vtp pruneeligible vlan_range
        (By default, VLANs 2–1000 are pruning eligible.)
Step 3  (Optional) Make specific VLANs pruning eligible on the device.           set vtp pruneeligible vlan_range
Step 4  Verify the VTP pruning configuration.                                   show vtp domain
Step 5  Verify that the appropriate VLANs are being pruned on trunk ports.      show trunk

This example shows how to enable VTP pruning in the management domain and how to make VLANs 2–99, 250–255, and 501–1000 pruning eligible on the particular device:

Console> (enable) set vtp pruning enable
This command will enable the pruning function in the entire management domain.
All devices in the management domain should be pruning-capable before enabling.
Do you want to continue (y/n) [n]? y
VTP domain Lab_Network modified
Console> (enable) clear vtp pruneeligible 100-500
Vlans 1,100-500,1001-1005 will not be pruned on this device.
VTP domain Lab_Network modified.
Console> (enable) set vtp pruneeligible 250-255
Vlans 2-99,250-255,501-1000 eligible for pruning on this device.
VTP domain Lab_Network modified.

Console> (enable) show vtp domain
Domain Name                      Domain Index VTP Version Local Mode  Password
-------------------------------- ------------ ----------- ----------- ----------
Lab_Network                      1            2           server

Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
8          1023             16              disabled

Last Updater    V2 Mode  Pruning  PruneEligible on Vlans
--------------- -------- -------- -------------------------
172.20.52.2     disabled enabled  2-99,250-255,501-1000
Console> (enable) show trunk
Port     Mode    Encapsulation Status     Native vlan
-------- ------- ------------- ---------- -----------
1/1      auto    isl           trunking   523

Port     Vlans allowed on trunk
-------- --------------------------------------------------------------------
1/1      1-1005

Port     Vlans allowed and active in management domain
-------- --------------------------------------------------------------------
1/1      1,522-524

Port     Vlans in spanning tree forwarding state and not pruned
-------- --------------------------------------------------------------------
1/1      1,522-524
Console> (enable)

Disabling VTP Pruning

To disable VTP pruning, perform this task in privileged mode:

        Task                                            Command
Step 1  Disable VTP pruning in the management domain.   set vtp pruning disable
Step 2  Verify that VTP pruning is disabled.            show vtp domain

This example shows how to disable VTP pruning in the management domain:

Console> (enable) set vtp pruning disable
This command will disable the pruning function in the entire management domain.
Do you want to continue (y/n) [n]? y
VTP domain Lab_Network modified
Console> (enable)

Displaying VTP

To display VTP activity, perform this task:

Task                                                                                            Command
Display VTP statistics for the switch, including VTP advertisements sent and received and       show vtp statistics
VTP errors.

This example shows how to display VTP statistics on the switch:

Console> (enable) show vtp statistics
VTP statistics:
summary advts received          4690
subset advts received           7
request advts received          0
summary advts transmitted       4397
subset advts transmitted        8
request advts transmitted       0
No of config revision errors    0
No of config digest errors      0

VTP pruning statistics:

Trunk    Join Trasmitted  Join Received  Summary advts received from
                                         non-pruning-capable device
-------- ---------------- -------------- ---------------------------
1/1      0                0              0
1/2      0                0              0
Console> (enable)


CHAPTER 11 Configuring VLANs

This chapter describes how to configure VLANs for the Catalyst 6000 family switches.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:
• Understanding How VLANs Work, page 11-i
• Configuring Normal-Range VLANs, page 11-v
• Configuring Extended-Range VLANs, page 11-vi
• Mapping VLANs to VLANs, page 11-viii
• Assigning Switch Ports to a VLAN, page 11-xii
• Deleting a VLAN, page 11-xiii
• Configuring Private VLANs, page 11-xiii
• Configuring Token Ring VLANs, page 11-xxiv
• Configuring FDDI VLANs, page 11-xxiv

Understanding How VLANs Work

A VLAN is a group of end stations with a common set of requirements, independent of their physical location. A VLAN has the same attributes as a physical LAN but allows you to group end stations even if they are not located physically on the same LAN segment.

VLANs allow you to group ports on a switch to limit unicast, multicast, and broadcast traffic flooding. Flooded traffic originating from a particular VLAN is only flooded out ports belonging to that VLAN.

Figure 11-1 shows an example of VLANs segmented into logically defined networks.

These sections describe VLANs:
• VLAN Ranges, page 11-ii
• Configurable VLAN Parameters, page 11-iii
• Default VLAN Configuration, page 11-iv

Figure 11-1 VLANs as Logically Defined Networks
[Figure: an Engineering VLAN, a Marketing VLAN, and an Accounting VLAN, each spanning Floor 1, Floor 2, and Floor 3 over Fast Ethernet, interconnected by a Cisco router.]

VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN. Traffic between VLANs must be routed. Port VLAN membership on the switch is assigned manually on a port-by-port basis. When you assign switch ports to VLANs using this method, it is known as port-based, or static, VLAN membership.

The in-band (sc0) interface of a switch can be assigned to any VLAN, so you can access another switch on the same VLAN directly without a router. Only one IP address at a time can be assigned to the in-band interface. If you change the IP address and assign the interface to a different VLAN, the previous IP address and VLAN assignment are overwritten.

VLAN Ranges

Catalyst 6000 family switches support 4096 VLANs in accordance with the IEEE 802.1Q standard. These VLANs are organized into several ranges; you use each range slightly differently. Some of these VLANs are propagated to other switches in the network when you use a management protocol, such as the VLAN Trunking Protocol (VTP). Other VLANs are not propagated and you must configure them on each applicable switch.

There are three ranges of VLANs:
• Normal-range VLANs: 1–1000
• Extended-range VLANs: 1025–4094
• Reserved-range VLANs: 0, 1002–1024, 4095

Table 11-1 describes the VLAN ranges.

Table 11-1 VLAN Ranges

VLANs      Range           Usage                                                                 Propagated by VTP (Y/N)
0, 4095    Reserved range  For system use only. You cannot see or use these VLANs.               N/A
1          Normal range    Cisco default. You can use this VLAN but you cannot delete it.         Yes
2–1000     Normal range    For Ethernet VLANs only. You can create, use, and delete these VLANs.  Yes
1001       Normal range    You cannot create or use this VLAN. May be available in the future.    Yes
1002–1005  Normal range    Cisco defaults for FDDI and Token Ring. You cannot delete these VLANs. Yes
1006–1009  Reserved range  Cisco defaults. You cannot see or use these VLANs but you can map       N/A
                           nonreserved VLANs to these reserved VLANs when necessary.
1010–1024  Reserved range  Not currently used but may be used for defaults in the future. You     N/A
                           can map nonreserved VLANs to these reserved VLANs when necessary.
1025–4094  Extended range  Used for Ethernet VLANs. You can create, use, and delete these VLANs,  No
                           with the following exception: FlexWAN modules and routed ports
                           automatically allocate a sequential block of internal VLANs starting
                           at VLAN 1025. If you use these devices, you must allow the required
                           number of VLANs for them.

Configurable VLAN Parameters

Whenever you create or modify VLANs 2–1005, you can set the parameters as follows:

Note: Ethernet VLANs 1 and 1025–4094 can use the defaults only.

• VLAN number
• VLAN name
• VLAN type: Ethernet, FDDI, FDDINET, Token Ring Bridge Relay Function (TrBRF), or Token Ring Concentrator Relay Function (TrCRF)
• VLAN state: active or suspended
• Multi-Instance Spanning Tree Protocol (MISTP) instance
• Private VLAN type: primary, isolated, community, two-way community, or none
• Security Association Identifier (SAID)

• Maximum transmission unit (MTU) for the VLAN
• Ring number for FDDI and TrCRF VLANs
• Bridge identification number for TrBRF VLANs
• Parent VLAN number for TrCRF VLANs
• STP type for TrCRF VLANs: IEEE, IBM, or auto
• VLAN to use when translating from one VLAN media type to another (VLANs 1–1005 only); requires a different VLAN number for each media type
• Source routing bridge mode for Token Ring VLANs: source-routing bridge (SRB) or source-routing transparent bridge (SRT)
• Backup for TrCRF VLAN
• Maximum hops for All-Routes Explorer frames (ARE) and Spanning Tree Explorer frames (STE) for Token Ring VLANs
• Remote Switched Port Analyzer (RSPAN)

Default VLAN Configuration

Table 11-2 shows the default VLAN configuration for the Catalyst 6000 family switches.

Table 11-2 VLAN Default Configuration

Feature                                               Default Value
Native (default) VLAN                                 VLAN 1
Port VLAN assignments                                 All ports assigned to VLAN 1; Token Ring ports assigned to VLAN 1003 (trcrf-default)
VLAN state                                            Active
MTU size                                              1500 bytes; 4472 bytes for Token Ring VLANs
SAID value                                            100,000 plus the VLAN number (for example, the SAID for VLAN 8 is 100008; the SAID for VLAN 4050 is 104050)
Pruning eligibility                                   VLANs 2–1000 are pruning eligible; VLANs 1025–4094 are not pruning eligible
MAC address reduction                                 Disabled
Spanning tree mode                                    PVST+
Default FDDI VLAN                                     VLAN 1002
Default FDDI NET VLAN                                 VLAN 1004
Default Token Ring TrBRF VLAN                         VLAN 1005 (trbrf-default) with bridge number 0F
Default Token Ring TrCRF VLAN                         VLAN 1003 (trcrf-default)
Spanning Tree Protocol (STP) version for TrBRF VLAN   IBM

Table 11-2 VLAN Default Configuration (continued)

Feature                                   Default Value
TrCRF bridge mode                         SRB
Remote switched port analyzer (RSPAN)     Disabled

Configuring Normal-Range VLANs

These sections explain how to configure normal-range VLANs 2–1000:
• Normal-Range VLAN Configuration Guidelines, page 11-v
• Creating Normal-Range VLANs, page 11-v
• Modifying Normal-Range VLANs, page 11-vi

Note: You cannot configure or modify normal-range VLAN 1.

Normal-Range VLAN Configuration Guidelines

Follow these guidelines when creating and modifying normal-range VLANs 2–1000 in your network:
• The default VLAN type is Ethernet; if you do not specify a VLAN type, the VLAN will be an Ethernet VLAN.
• VLAN names must be unique. If you create a range of VLANs, you cannot specify a name.
• If you wish to use VTP to maintain global VLAN configuration information on your network, configure VTP before you create any normal-range VLANs. See Chapter 10, “Configuring VTP” for configuring VTP. (You cannot use VTP to manage extended-range VLANs 1025–4094.)
• FlexWAN modules and routed ports automatically allocate a number of VLANs for their own use, starting at VLAN 1025. If you use these devices, you must allow for the number of VLANs required.

Creating Normal-Range VLANs

You can create one VLAN at a time or you can create a range of VLANs with a single command.

To create a normal-range VLAN, perform this task in privileged mode:

        Task                                    Command
Step 1  Create a normal-range Ethernet VLAN.    set vlan vlan [name name] [said said] [mtu mtu] [translation vlan]
Step 2  Verify the VLAN configuration.          show vlan [vlan]

This example shows how to create normal-range VLANs and verify the configuration when the switch is in Per VLAN Spanning Tree + (PVST+) mode:

Console> (enable) set vlan 500-520
Vlan 500 configuration successful
Vlan 501 configuration successful
Vlan 502 configuration successful
Vlan 503 configuration successful
.
.
.
Vlan 520 configuration successful
Console> (enable) show vlan 500-520
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
500                                   active    342
501                                   active    343
502                                   active    344
503                                   active    345
.
.
.
520                                   active    362

VLAN Type  SAID       MTU   Parent RingNo BrdgNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
500  enet  100500     1500                                     0      0
501  enet  100501     1500                                     0      0
502  enet  100502     1500                                     0      0
503  enet  100503     1500                                     0      0
.
.
.
520  enet  100520     1500                                     0      0

VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
Console> (enable)

Modifying Normal-Range VLANs

To modify the VLAN parameters on an existing normal-range VLAN, perform this task in privileged mode:

Step 1  Modify an existing normal-range VLAN.
        set vlan vlan [name name] [state {active | suspend}] [said said] [mtu mtu] [translation vlan]
Step 2  Verify the VLAN configuration.
        show vlan [vlan]

Configuring Extended-Range VLANs

These sections explain how to configure extended-range VLANs 1025–4094:
• Extended-Range VLAN Configuration Guidelines, page 11-vii
• Creating Extended-Range VLANs, page 11-vii

Extended-Range VLAN Configuration Guidelines

Follow these guidelines to create extended-range VLANs 1025–4094:
• You can only create Ethernet-type VLANs in the extended range.
• You must enable MAC address reduction in order to use extended-range VLANs.
• After you enable MAC address reduction, you cannot disable it as long as any extended-range VLANs exist.
• You cannot use VTP to manage these VLANs; they must be statically configured on each switch. You can only create and delete extended-range VLANs from the CLI or SNMP.
• You can configure private VLAN parameters and RSPAN for extended-range VLANs; however, all other parameters for extended-range VLANs use the system defaults only.
• The switch may allocate a block of VLANs from the extended range for internal purposes, for example, the switch may allocate VLANs for routed ports or FlexWAN modules. The block of VLANs is always allocated starting from VLAN 1025. You must use the highest VLANs first, because VLANs are never allocated from the user’s VLAN area. For example, use VLAN 4090, then VLAN 4089, and so forth.
• You cannot use extended-range VLANs if you have dot1q-to-isl mappings.

Note If you wish to use extended-range VLANs and you have existing 802.1Q-to-ISL mappings in your system, you must delete the mappings. See the “Deleting 802.1Q-to-ISL VLAN Mappings” section on page 11-xi for more information.

Caution FlexWAN modules and routed ports automatically allocate a sequential block of internal VLANs starting at VLAN 1025. If you use these devices, you must allow the required number of VLANs for them and must not use the lower-range VLANs starting with VLAN 1025. If not enough VLANs are available for the FlexWAN module, all of the VLANs required will not be allocated. If you have any VLANs within the range required by the FlexWAN module, some ports may not work.

Caution If you move a FlexWAN module from one slot to another on the same switch, it will allocate another block of VLANs without deleting the previous block. You should reboot the switch if you move the FlexWAN module.

Creating Extended-Range VLANs

To create extended-range VLANs, you must first enable MAC address reduction, which provides IDs for extended-range VLANs.

To enable MAC address reduction and create an Ethernet VLAN in the extended range, perform this task in privileged mode:

Step 1  Enable MAC address reduction.
        set spantree macreduction {enable | disable}
Step 2  Create a VLAN.
        set vlan vlan
Step 3  Verify the VLAN configuration.
        show vlan [vlan]

This example shows how to enable MAC address reduction and create an extended-range Ethernet VLAN:

Console> (enable) set spantree macreduction enable
MAC address reduction enabled
Console> (enable) set vlan 2000
Vlan 2000 configuration successful
Console> (enable) show vlan 2000
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
2000 VLAN2000                         active    61

VLAN Type  SAID       MTU   Parent RingNo BrdgNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
2000 enet  102000     1500                                     0      0

VLAN Inst DynCreated RSPAN
---- ---- ---------- --------
2000      static     disabled

VLAN AREHops STEHops Backup CRF 1q VLAN
---- ------- ------- ---------- -------
Console> (enable)

Mapping VLANs to VLANs

You can map VLANs to other VLANs on the Catalyst 6000 family switches in two ways:
1. From non-Cisco devices in your network using VLANs 1006–1024 to nonreserved VLANs on the Catalyst 6000 family switches.
2. From VLANs on non-Cisco devices on 802.1Q trunks to ISL trunks on the Catalyst 6000 family switches.

Note If you use method 1, you can use extended-range VLANs (1025–4094) on the switch; if you use method 2, you can retain mappings from a previous Catalyst 6000 family software release but you cannot use extended-range VLANs.

This section describes how to map VLANs to VLANs:
• Mapping Reserved VLANs to Nonreserved VLANs, page 11-ix
• Deleting Reserved-to-Nonreserved VLAN Mappings, page 11-x
• Mapping 802.1Q VLANs to ISL VLANs, page 11-x
• Deleting 802.1Q-to-ISL VLAN Mappings, page 11-xi

Mapping Reserved VLANs to Nonreserved VLANs

You can map reserved-range VLANs to any nonreserved VLANs that are not in use. Nonreserved VLANs are any VLANs that are not reserved by Cisco; this includes normal-range and extended-range VLANs.

These restrictions apply when mapping reserved VLANs to nonreserved VLANs:
• You can create up to eight reserved-to-nonreserved VLAN mappings on the switch.
• You can only map Ethernet VLANs to Ethernet VLANs.
• Reserved VLAN mappings are local to each switch. You must configure the VLAN mappings on all applicable switches in the network.

Note If you have dot1q-to-isl VLAN mappings from a previous Catalyst 6000 family switch software release, you cannot use the mapped VLANs to map reserved VLANs to nonreserved VLANs. However, you can clear the dot1q-to-isl mappings and then use those reserved VLANs.

To map a reserved VLAN to a nonreserved VLAN, perform this task in privileged mode:

Step 1  (Optional) If necessary, clear old dot1q-to-isl VLAN mappings.
        clear vlan mapping dot1q all
Step 2  Map a reserved VLAN to a nonreserved VLAN.
        set vlan mapping reserved {reserved_vlan} non-reserved {nonreserved_vlan}
Step 3  Verify the VLAN mapping.
        show vlan mapping

This example shows how to clear old VLAN mappings, map a reserved VLAN, and verify the mappings on the mapping table:

Console> (enable) clear vlan mapping dot1q all
All dot1q vlan mapping entries deleted
Console> (enable) set vlan mapping reserved 1020 non-reserved 4070
Vlan 1020 successfully mapped to 4070.
Console> (enable) show vlan mapping
Reserved vlan  Non-Reserved vlan  Effective
---------------------------------------------------
1008           63                 false
1010           4065               true
1011           4066               true
1020           4070               true

The Effective column in the mapping table indicates whether the mapping has taken effect (that is, true or false). Mappings that are marked true can be used by the system. Mappings marked false cannot be used by the system.

Note Reserved VLAN mappings are entered on the table in the order in which you map them. If you delete a mapping, the line where it existed will not display on the table; the next mapping you create will appear where the old one was deleted.

Deleting Reserved-to-Nonreserved VLAN Mappings

To clear the mappings for reserved-to-nonreserved VLAN mappings, you can delete the mappings one at a time or all at once. When you clear all entries from the mapping table at once, the table is completely cleared and the nonreserved VLANs still exist in the list of VLANs.

To delete reserved VLAN mappings, perform this task in privileged mode:

Step 1  Clear the reserved VLAN.
        clear vlan mapping reserved {reserved_vlan | all}
Step 2  Clear the nonreserved VLAN.
        clear vlan vlan
Step 3  Verify the mapping table entry has been cleared.
        show vlan mapping

This example shows how to clear a single mapping:

Console> (enable) clear vlan mapping reserved 1010
Vlan 1010 mapping entry deleted
Console> (enable)

This example shows how to clear all reserved VLAN mappings:

Console> (enable) clear vlan mapping reserved all
All reserved vlan mapping entries deleted
Console> (enable)

Mapping 802.1Q VLANs to ISL VLANs

Your network might have non-Cisco devices connected to the Catalyst 6000 family switches through 802.1Q trunks or traffic from a non-Cisco switch that has VLANs in the Catalyst 6000 family reserved range, 1002–1024. The valid range of user-configured Inter-Switch Link (ISL) VLANs is 1–1000. The valid range of VLANs specified in the IEEE 802.1Q standard is 0–4095. 802.1Q VLANs in the range 1–1000 are automatically mapped to the corresponding ISL VLAN. 802.1Q VLAN numbers greater than 1000 must be mapped to an ISL VLAN in order to be recognized and forwarded by Cisco switches.

In a network environment with non-Cisco devices connected to Cisco switches through 802.1Q trunks, you can map 802.1Q VLAN numbers greater than 1000 to ISL VLAN numbers.

These restrictions apply when mapping 802.1Q VLANs to ISL VLANs:
• If there are any extended-range VLANs present on the switch, you cannot map any new 802.1Q VLANs to ISL VLANs. Note that if you use any VLANs in the extended range (1025–4094) for dot1q mappings, you cannot use any of the extended-range VLANs for any other purpose.
• You can only map 802.1Q VLANs to Ethernet-type ISL VLANs.
• You can configure up to eight 802.1Q-to-ISL VLAN mappings on the switch.
• Do not enter the native VLAN of any 802.1Q trunk in the mapping table.

• When you map an 802.1Q VLAN to an ISL VLAN, traffic on the 802.1Q VLAN corresponding to the mapped ISL VLAN is blocked. For example, if you map 802.1Q VLAN 2000 to ISL VLAN 200, traffic on 802.1Q VLAN 200 is blocked.
• VLAN mappings are local to each switch. Make sure you configure the same VLAN mappings on all appropriate switches in the network.

To map an 802.1Q VLAN to an ISL VLAN, perform this task in privileged mode:

Step 1  Map an 802.1Q VLAN to an ISL Ethernet VLAN.
        set vlan mapping dot1q dot1q_vlan isl isl_vlan
        The valid range for dot1q_vlan is 1001–4095. The valid range for isl_vlan is 1–1000.
Step 2  Verify the VLAN mapping.
        show vlan mapping

This example shows how to map 802.1Q VLANs 2000, 3000, and 4000 to ISL VLANs 200, 300, and 400, and verify the configuration:

Console> (enable) set vlan mapping dot1q 2000 isl 200
802.1q vlan 2000 is existent in the mapping table
Console> (enable) set vlan mapping dot1q 3000 isl 300
Vlan mapping successful
Console> (enable) set vlan mapping dot1q 4000 isl 400
Vlan mapping successful
Console> (enable) show vlan mapping
802.1q vlan  ISL vlan  Effective
-----------------------------------------
2000         200       true
3000         300       true
4000         400       true
Console> (enable)

Deleting 802.1Q-to-ISL VLAN Mappings

To delete an 802.1Q-to-ISL VLAN mapping, perform this task in privileged mode:

Step 1  Delete an 802.1Q-to-ISL VLAN mapping.
        clear vlan mapping dot1q {dot1q_vlan | all}
Step 2  Verify the VLAN mapping.
        show vlan mapping

This example shows how to delete the VLAN mapping for 802.1Q VLAN 2000:

Console> (enable) clear vlan mapping dot1q 2000
Vlan 2000 mapping entry deleted
Console> (enable)

This example shows how to delete all 802.1Q-to-ISL VLAN mappings:

Console> (enable) clear vlan mapping dot1q all
All vlan mapping entries deleted
Console> (enable)
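The 802.1Q-to-ISL mapping restrictions above, modelled as an added Python example that is not Cisco code: the ranges, the eight-entry limit, the Ethernet-only rule, the extended-range conflict in both directions and the blocking of the 802.1Q VLAN that shares the mapped ISL VLAN's number all come from this section, while the VlanMappingTable class, its method names and the constructed show vlan mapping text are assumptions made here.

```python
from dataclasses import dataclass, field

MAX_MAPPINGS = 8                      # per-switch limit stated in the restrictions
ISL_RANGE = range(1, 1001)            # user-configured ISL VLANs 1-1000
EXTENDED_RANGE = range(1025, 4095)    # extended-range VLANs 1025-4094
DOT1Q_MAPPABLE = range(1001, 4096)    # dot1q_vlan argument of set vlan mapping dot1q


class MappingError(ValueError):
    """Raised where the switch would reject the command."""


@dataclass
class VlanMappingTable:
    """Constructed stand-in for one switch: its VLAN database plus the dot1q-to-ISL table."""
    vlan_types: dict                                   # vlan -> "enet", "fddi", ...
    native_vlans: set = field(default_factory=set)     # native VLANs of 802.1Q trunks
    dot1q_to_isl: dict = field(default_factory=dict)   # dot1q_vlan -> isl_vlan

    def has_extended_range_vlans(self):
        return any(v in EXTENDED_RANGE for v in self.vlan_types)

    def create_vlan(self, vlan, vlan_type="enet"):
        # "You cannot use extended-range VLANs if you have dot1q-to-isl mappings."
        if vlan in EXTENDED_RANGE and self.dot1q_to_isl:
            raise MappingError(f"VLAN {vlan}: delete dot1q-to-ISL mappings before using the extended range")
        self.vlan_types[vlan] = vlan_type

    def map_dot1q(self, dot1q_vlan, isl_vlan):
        """set vlan mapping dot1q dot1q_vlan isl isl_vlan, with the page's restrictions applied."""
        if dot1q_vlan not in DOT1Q_MAPPABLE:
            raise MappingError(f"dot1q_vlan {dot1q_vlan} is outside 1001-4095")
        if isl_vlan not in ISL_RANGE:
            raise MappingError(f"isl_vlan {isl_vlan} is outside 1-1000")
        if self.has_extended_range_vlans():
            raise MappingError("extended-range VLANs exist; no new dot1q-to-ISL mappings allowed")
        if self.vlan_types.get(isl_vlan) != "enet":
            raise MappingError(f"ISL VLAN {isl_vlan} is not an Ethernet-type VLAN")
        if dot1q_vlan in self.native_vlans:
            raise MappingError(f"VLAN {dot1q_vlan} is the native VLAN of an 802.1Q trunk")
        if dot1q_vlan in self.dot1q_to_isl:
            raise MappingError(f"802.1q vlan {dot1q_vlan} is existent in the mapping table")
        if len(self.dot1q_to_isl) >= MAX_MAPPINGS:
            raise MappingError("mapping table already holds eight entries")
        self.dot1q_to_isl[dot1q_vlan] = isl_vlan

    def clear_dot1q(self, dot1q_vlan=None):
        """clear vlan mapping dot1q {dot1q_vlan | all}; None clears the whole table."""
        if dot1q_vlan is None:
            self.dot1q_to_isl.clear()
        else:
            del self.dot1q_to_isl[dot1q_vlan]

    def blocked_dot1q_vlans(self):
        """802.1Q VLANs whose traffic is blocked: the numbers of the ISL VLANs that were mapped."""
        return sorted(set(self.dot1q_to_isl.values()))

    def ingress_isl_vlan(self, dot1q_vlan):
        """ISL VLAN a frame tagged dot1q_vlan on an 802.1Q trunk is forwarded in (None = dropped)."""
        if dot1q_vlan in self.blocked_dot1q_vlans():
            return None
        if dot1q_vlan in ISL_RANGE:
            return dot1q_vlan                       # 1-1000 map automatically
        return self.dot1q_to_isl.get(dot1q_vlan)    # above 1000 an explicit mapping is required


def parse_show_vlan_mapping(text):
    """Parse the 'show vlan mapping' table printed above into {dot1q_vlan: (isl_vlan, effective)}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            table[int(parts[0])] = (int(parts[1]), parts[2].lower() == "true")
    return table


# Constructed 'show vlan mapping' output in the format the page shows.
SAMPLE_SHOW_VLAN_MAPPING = """\
802.1q vlan  ISL vlan  Effective
-----------------------------------------
2000         200       true
3000         300       true
4000         400       true
"""
```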

Assigning Switch Ports to a VLAN

A VLAN created in a management domain remains unused until you assign one or more switch ports to the VLAN. You can create a new VLAN and then specify the module and ports later, or you can create the VLAN and specify the module and ports in a single step.

Note Make sure you assign switch ports to a VLAN of the proper type. For example, assign Ethernet, Fast Ethernet, and Gigabit Ethernet ports to Ethernet-type VLANs.

To assign one or more switch ports to a VLAN, perform this task in privileged mode:

Step 1  Assign one or more switch ports to a VLAN.
        set vlan vlan mod/port
Step 2  Verify the port VLAN membership.
        show vlan [vlan]
        show port [mod[/port]]

This example shows how to assign switch ports to a VLAN and verify the assignment:

Console> (enable) set vlan 560 4/10
VLAN 560 modified.
VLAN 1 modified.
VLAN  Mod/Ports
----  -----------------------
560   4/10
Console> (enable) show vlan 560
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
560  Engineering                      active    348     4/10

VLAN Type  SAID       MTU   Parent RingNo BrdgNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
560  enet  100560     1500                                     0      0

VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
Console> (enable) show port 4/10
Port  Name               Status     Vlan       Duplex Speed Type
----- ------------------ ---------- ---------- ------ ----- ------------
 4/10                    connected  560        a-half a-100 10/100BaseTX

Port  AuxiliaryVlan AuxVlan-Status
----- ------------- --------------
 4/10 none          none
<...output truncated...>
Last-Time-Cleared
--------------------------
Tue Jun 6 2000, 16:45:18
Console> (enable)

Deleting a VLAN

Follow these guidelines for deleting VLANs:
• When you delete a normal-range Ethernet VLAN in VTP server mode, the VLAN is removed from all switches in the VTP domain.
• When you delete a normal-range VLAN in VTP transparent mode, the VLAN is deleted only on the current switch.
• You can delete an extended-range VLAN only on the switch where it was created.
• To delete a Token Ring TrBRF VLAN, you must first reassign its child TrCRFs to another parent TrBRF, or delete the child TrCRFs.

Caution When you delete a VLAN, any ports assigned to that VLAN become inactive. Such ports remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN.

You can delete a single VLAN or a range of VLANs. To delete a VLAN on the switch, perform this task in privileged mode:

Task             Command
Delete a VLAN.   clear vlan vlan

This example shows how to delete a VLAN (in this case, the switch is a VTP server):

Console> (enable) clear vlan 500
This command will deactivate all ports on vlan(s) 500
Do you want to continue(y/n) [n]?y
Vlan 500 deleted
Console> (enable)

This command will deactivate all ports on vlan(s) 10
All ports on normal range vlan(s) 10 will be deactivated in the entire management domain.
Do you want to continue(y/n) [n]?

Configuring Private VLANs

These sections describe how private VLANs work:
• Understanding How Private VLANs Work, page 11-xiv
• Private VLAN Configuration Guidelines, page 11-xv
• Creating a Primary Private VLAN, page 11-xviii
• Viewing the Port Capability of a Private VLAN Port, page 11-xxi
• Deleting a Private VLAN, page 11-xxii
• Deleting a Private VLAN Mapping, page 11-xxii
• Deleting an Isolated, Community, or Two-Way Community VLAN, page 11-xxiii
• Private VLAN Support on the MSFC, page 11-xxiii

Understanding How Private VLANs Work

Private VLANs provide Layer-2 isolation between ports within the same private VLAN on the Catalyst 6000 family switches. There are three types of private VLAN ports: promiscuous, isolated, and community.
• A promiscuous port communicates with all other private VLAN ports and is the port you use to communicate with routers, LocalDirector, backup servers, and administrative workstations.
• An isolated port has complete Layer 2 separation from other ports within the same private VLAN with the exception of the promiscuous port. Privacy is granted at the Layer 2 level by blocking outgoing traffic to all isolated ports. Traffic received from an isolated port is forwarded to all promiscuous ports only.
• Community ports communicate among themselves and with their promiscuous ports. These ports are isolated at Layer 2 from all other ports in other communities or isolated ports within their private VLAN.

Ports belonging to a private VLAN are associated with a common set of supporting VLANs that are used to create the private VLAN structure. Within a private VLAN are four distinct classifications of VLANs: a single primary VLAN, a single isolated VLAN, and a series of community or two-way community VLANs. You must define each supporting VLAN within a private VLAN structure before you can configure the private VLAN:
• Primary VLAN—Conveys incoming traffic from the promiscuous port to all other promiscuous, isolated, community, and two-way community ports.
• Isolated VLAN—Used by isolated ports to communicate to the promiscuous ports. The traffic from an isolated port is blocked on all adjacent ports within its PVLAN and can only be received by its promiscuous ports. All isolated ports are assigned to an isolated VLAN where this hardware function occurs.
• Community VLAN—Unidirectional VLAN used by a group of community ports to communicate among themselves and transmit traffic to outside the PVLAN through the designated promiscuous port.
• Two-way community VLAN—Bidirectional VLAN used by a group of community ports to communicate among themselves and to and from community ports from and to the Multilayer Switch Feature Card (MSFC). Both outbound and inbound traffic can be carried on the same VLAN, allowing VLAN-based features such as VACLs to be applied in both directions on a per-community (per customer) basis.

Note With software release 6.2(1) and later releases, you can use two-way community VLANs to perform an inverse mapping from the primary VLAN to the secondary VLAN when the traffic crosses the boundary of a private VLAN through an MSFC promiscuous port.

To create a private VLAN, you assign two or more normal VLANs in the normal VLAN range: one VLAN is designated as a primary VLAN, and a second VLAN is designated as either an isolated, community, or two-way community VLAN. If you choose, you can then designate additional VLANs as separate isolated, community, or two-way community VLANs in this private VLAN. After designating the VLANs, you must bind them together and associate them to the promiscuous port. You can extend private VLANs across multiple Ethernet switches by trunking the primary, isolated, and any community or two-way community VLANs to other switches that support private VLANs.
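The Layer 2 forwarding rules between the three port types, written out as an added Python example that is not Cisco code: can_forward encodes the promiscuous, isolated and community behaviour described above, egress_vlan shows the promiscuous port's translation of a secondary VLAN back to the primary VLAN, and the port table reuses the VLAN and port numbers of this chapter's configuration example (primary 7, isolated 901, communities 902 and 903, promiscuous 3/1); the PvlanPort class and the port table itself are constructed here.

```python
from dataclasses import dataclass
from typing import Optional

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


@dataclass(frozen=True)
class PvlanPort:
    name: str                        # mod/port, for example "4/3"
    role: str                        # PROMISCUOUS, ISOLATED or COMMUNITY
    primary: int                     # primary VLAN of the private VLAN the port belongs to
    secondary: Optional[int] = None  # isolated or community VLAN; None for a promiscuous port

    def ingress_vlan(self):
        """VLAN that carries frames received on this port: the primary VLAN for a
        promiscuous port, the port's own isolated or community VLAN otherwise."""
        return self.primary if self.role == PROMISCUOUS else self.secondary


def can_forward(src, dst):
    """True if a frame received on src may be forwarded out dst at Layer 2."""
    if src.name == dst.name or src.primary != dst.primary:
        return False                           # not the same private VLAN
    if src.role == PROMISCUOUS or dst.role == PROMISCUOUS:
        return True                            # promiscuous reaches everything; everything reaches it
    if src.role == COMMUNITY and dst.role == COMMUNITY:
        return src.secondary == dst.secondary  # only within the same community VLAN
    return False                               # isolated to isolated, community to another community


def egress_vlan(src, dst):
    """VLAN the frame belongs to when it leaves dst, or None if it is not forwarded.
    The promiscuous port's automatic translation maps the secondary VLAN to the primary."""
    if not can_forward(src, dst):
        return None
    return dst.primary if dst.role == PROMISCUOUS else src.ingress_vlan()


def reachable_ports(src, ports):
    """Sorted names of the ports a frame from src can reach."""
    return sorted(p.name for p in ports if can_forward(src, p))


def reachability_matrix(ports):
    return {src.name: reachable_ports(src, ports) for src in ports}


# Constructed port table mirroring the configuration example later in this chapter.
PORTS = (
    PvlanPort("3/1", PROMISCUOUS, 7),
    PvlanPort("4/3", ISOLATED, 7, 901),
    PvlanPort("4/4", COMMUNITY, 7, 902),
    PvlanPort("4/5", COMMUNITY, 7, 902),
    PvlanPort("4/7", COMMUNITY, 7, 903),
)
```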

In an Ethernet-switched environment, you can assign an individual VLAN and associated IP subnet to each individual or common group of stations. The servers only require the ability to communicate with a default gateway to gain access to end points outside the VLAN itself. By incorporating these stations, regardless of ownership, into one private VLAN, you can do the following:
• Designate the server ports as isolated to prevent any interserver communication at Layer 2.
• Designate the ports to which the default gateway(s), backup server, or LocalDirector are attached as promiscuous to allow all stations to have access to these gateways.
• Reduce VLAN consumption. You only need to allocate one IP subnet to the entire group of stations because all stations reside in one common private VLAN.

You have the option of using private VLAN communities; you need to designate a community VLAN for each community. You have the option of designating one VLAN as an isolated VLAN, but you can only use one isolated VLAN.

With a nontrunk promiscuous port, you can connect a wide range of devices as “access points” to a private VLAN. For example, you can connect a nontrunk promiscuous port to the “server port” of a LocalDirector to remap a number of isolated or community VLANs to the server VLAN so that the LocalDirector can load balance the servers present in the isolated or community VLANs, or you can use a nontrunk promiscuous port to monitor and/or back up all the private VLAN servers from an administration workstation.

On an MSFC port or a nontrunk promiscuous port, you can remap as many isolated or community VLANs as desired; however, while a nontrunk promiscuous port can remap to only one primary VLAN, an MSFC port does not have this limitation. An MSFC port can only connect an MSFC router.

Private VLAN Configuration Guidelines

Follow these guidelines to configure private VLANs:

Note In this section, the term community VLAN is used for both unidirectional community VLANs and two-way community VLANs unless specifically differentiated.

• Designate one VLAN as the primary VLAN.
• Bind the isolated and/or community VLAN(s) to the primary VLAN and assign the isolated or community ports.
• Set the nontrunk ports or the MSFC ports as promiscuous ports.
• Set up the automatic VLAN translation that maps the isolated and community VLANs to the primary VLAN on the promiscuous port(s).

Note A two-way community VLAN can only be mapped on the MSFC promiscuous port (it cannot be mapped on nontrunk or other types of promiscuous ports).

• You will achieve these results:
  – Isolated/community VLAN spanning tree properties are set to those of the primary VLAN.
  – Access ports become host ports.
  – VLAN membership becomes static.
  – BPDU guard protection is activated.
• You must set VTP to transparent mode.

• After you configure a private VLAN, you cannot change the VTP mode to client or server mode, because VTP does not support private VLAN types and mapping propagation.
• Private VLANs can use VLANs 2 through 1000 and 1025 through 4096.
• You can configure VLANs as primary, isolated, or community only if no access ports are currently assigned to the VLAN. If you attempt such a configuration, a warning message displays and the command is rejected. Enter the show port command to verify that the VLAN has no access ports assigned to it.
• A primary VLAN can have one isolated VLAN and/or multiple communities associated with it.
• An isolated or community VLAN can have only one primary VLAN associated with it.
• If you delete either the primary or secondary VLAN, the ports associated with the VLAN become inactive.
• When configuring private VLANs, note the hardware and software interactions:
  – You cannot use the inband port, sc0, in a private VLAN.

  Note With software release 6.3(1) and later releases, the sc0 port can be configured as a private VLAN port; however, it cannot be configured as a promiscuous port.

  – You cannot set private VLAN ports to trunking mode, channeling, or have dynamic VLAN memberships, with the exception of MSFC ports that always have trunking activated.
  – You cannot set ports belonging to the same ASIC where one port is set to trunking mode or a SPAN destination and another is set to a promiscuous, isolated, or community port for the modules listed in Table 11-3.

Table 11-3 Modules with Ports Listed by ASIC Groups

Module Number       Description                      Ports by ASIC
WS-X6224-100FX-MT   24-port 100FX Multimode MT-RJ    Ports 1–12, Ports 13–24
WS-X6248-RJ-45      48-port 10/100TX RJ-45           Ports 1–12, Ports 13–24, Ports 25–36, Ports 37–48
WS-X6248-TEL        48-Port 10/100TX RJ-21           Ports 1–12, Ports 13–24, Ports 25–36, Ports 37–48

Table 11-3 Modules with Ports Listed by ASIC Groups (continued)

Module Number       Description                      Ports by ASIC
WS-X6348-RJ-45      48-port 10/100TX RJ-45           Ports 1–12, Ports 13–24, Ports 25–36, Ports 37–48
WS-X6024-10FL-MT    24-port 10BASE-FL MT-RJ          Ports 1–12, Ports 13–24

• Isolated and community ports should run BPDU guard features to prevent spanning tree loops due to misconfigurations. BPDU guard mode is system wide and is enabled after you add the first port to a private VLAN.
• Primary VLANs and associated isolated/community VLANs must have the same spanning tree configuration. These priorities and parameters automatically propagate from the primary VLAN to the isolated and community VLANs. This configuration maintains consistent spanning tree topologies between associated primary, isolated, and community VLANs and avoids possible loss of connectivity.
• If you enable MAC address reduction on a Catalyst 6000 series switch, any change to the configuration of a primary VLAN propagates to all corresponding isolated and community VLANs. Changes will be applied to the primary VLAN and will propagate to the isolated and community VLANs, and you cannot change the isolated or community VLANs.
• In networks with some switches using MAC address reduction, and others not using MAC address reduction, STP parameters do not necessarily propagate to ensure that the spanning tree topologies match. You should manually check the STP configuration to ensure that the primary, isolated, and community VLANs’ spanning tree topologies match.
• You should disable a root bridge with private VLANs and MAC address reduction, and configure the root bridge with any priority higher than the highest priority range used by any nonroot bridge. MAC address reduction allows only discrete levels and uses all intermediate values internally as a range. Be consistent with the ranges employed by the MAC address reduction feature regardless of whether it is enabled on the system.
• In a network where private VLANs are configured, if you enable MAC address reduction on some switches and disable it on others (mixed environment), you will have to use the default bridge priorities to make sure that the root bridge is common to the primary VLAN and to all its associated isolated and community VLANs. Otherwise, you might want to enable MAC address reduction on all the switches in your network to ensure that the STP topologies of the private VLANs match.
• You can create private VLANs that run in MISTP mode as follows:
  – If you disable MISTP.
  – If you enable MISTP, you can only configure the MISTP instance with the primary VLAN.
• You cannot use a remote SPAN VLAN (RSPAN) for a private VLAN.
• You cannot configure a destination SPAN port as a private VLAN port and vice versa.
• A source SPAN port can belong to a private VLAN.
• You can use VLAN-based SPAN (VSPAN) to span primary, isolated, and community VLANs together, or use SPAN on only one VLAN to separately monitor egress or ingress traffic.

• IGMP snooping and multicast shortcuts are not supported in private VLANs.
• You cannot enable EtherChannel on isolated, community, or promiscuous ports.
• You can apply different VACLs and quality of service (QoS) ACLs to primary, isolated, and community VLANs.
• If you map a Cisco IOS ACL to a primary VLAN, the Cisco IOS ACL automatically maps to the associated isolated and community VLANs. You cannot map Cisco IOS ACLs to an isolated or community VLAN. Output ACLs need to be configured on both the two-way community VLANs and the primary VLAN in order to be applied to all outgoing traffic from the MSFC.

Note For information on configuring ACLs, see the “Configuring ACLs on Private VLANs” section on page 16-26.

• You cannot use policy-based routing (PBR) on a private VLAN interface. You get an error message if you try to apply a policy to a private VLAN interface using the ip policy route-map route_map_name command.
• You cannot set a VLAN to a private VLAN if the VLAN has dynamic access control entries (ACEs) configured on it.
• You can stop Layer 3 switching on an isolated or community VLAN by destroying the binding of that VLAN with its primary VLAN. Deleting the corresponding mapping is not sufficient.

Creating a Primary Private VLAN

To create a primary private VLAN, perform this task in privileged mode:

Step 1  Create the primary private VLAN.
        set vlan vlan pvlan-type primary
Step 2  Set the isolated, community, or two-way community VLAN(s).
        set vlan vlan pvlan-type {isolated | community | twoway-community}
Step 3  Bind the isolated, community, or two-way community VLAN(s) to the primary VLAN.
        set pvlan primary_vlan {isolated_vlan | community_vlan | twoway_community_vlan}
Step 4  Associate the isolated, community, or two-way community port(s) to the primary private VLAN.
        set pvlan primary_vlan {isolated_vlan | community_vlan | twoway_community_vlan} [mod/ports | sc0]
Step 5  Map the isolated, community, or two-way community VLAN to the primary private VLAN on the promiscuous port.
        set pvlan mapping primary_vlan {isolated_vlan | community_vlan | twoway_community_vlan} mod/ports
Step 6  Verify the primary private VLAN configuration.
        show pvlan [vlan]
        show pvlan mapping

Note You can bind the isolated, community, or two-way community VLANs to the private VLAN using the set pvlan primary_vlan {isolated_vlan | community_vlan | twoway_community_vlan} mod/port command.

Note You must enter the set pvlan command everywhere a private VLAN needs to be created, which includes switches with isolated, community, or two-way community ports, switches with promiscuous ports, and all intermediate switches that need to carry the private VLANs on their trunks. On the edge switches that do not have any isolated, community, two-way community, or promiscuous ports (typically, access switches with no private ports), you do not need to create private VLANs and you can prune the private VLANs from the trunks for security reasons.

Note Ports do not have to be on the same switch as long as the switches are trunk connected and the private VLAN has not been removed from the trunk.

Note If you are using the MSFC for your promiscuous port in your private VLAN, use 15/1 as the MSFC mod/port number if the supervisor engine is in slot 1, or use 16/1 if the supervisor engine is in slot 2.

This example shows how to specify VLAN 7 as the primary VLAN:

Console> (enable) set vlan 7 pvlan-type primary
Vlan 7 configuration successful
Console> (enable)

This example shows how to specify VLAN 901 as the isolated VLAN and VLANs 902 and 903 as community VLANs:

Console> (enable) set vlan 901 pvlan-type isolated
Vlan 901 configuration successful
Console> (enable) set vlan 902 pvlan-type community
Vlan 902 configuration successful
Console> (enable) set vlan 903 pvlan-type community
Vlan 903 configuration successful
Console> (enable)

This example shows how to bind VLAN 901 to primary VLAN 7 and assign port 4/3 as the isolated port:

Console> (enable) set pvlan 7 901 4/3
Successfully set the following ports to Private Vlan 7,901: 4/3
Console> (enable)

This example shows how to bind VLAN 902 to primary VLAN 7 and assign ports 4/4 through 4/6 as the community ports:

Console> (enable) set pvlan 7 902 4/4-6
Successfully set the following ports to Private Vlan 7,902:4/4-6
Console> (enable)

--------.-------7 static disabled VLAN AREHops STEHops Backup CRF 1q VLAN ---.Chapter 11 Configuring Private VLANs Configuring VLANs This example shows how to bind VLAN 903 to primary VLAN 7 and assign ports 4/7 through 4/9 as the community ports: Console> (enable) set pvlan 7 903 Successfully set association between 7 and 903.------Primary Secondary Secondary-Type Ports ------.3 and 6.-----7 enet 100010 1500 0 0 VLAN DynCreated RSPAN ---.----.----------------.---------.---------. Vlans ---.------.----.---------.--------.903:4/7-9 Console> (enable) This example shows how to map the isolated/community VLAN to the primary VLAN on the promiscuous port.------.------.------.------.-----7 enet 100010 1500 0 0 VLAN DynCreated RSPAN ---.----------------7 901 Isolated 4/3 7 902 Community 4/4-6 7 903 Community 4/7-9 Console> (enable) show vlan 902 VLAN Name Status IfIndex Mod/Ports.----.-------------------------------. Vlans ---.----------------.---.-----.-----.-----.-------.4 11-20 78-13315-02 .-----.---------.--------.-----.---------. 3/1.-------. 
for each isolated or community VLAN: Console> (enable) set pvlan mapping 7 901 3/1 Successfully set mapping between 7 and 901 on 3/1 Console> (enable) set pvlan mapping 7 902 3/1 Successfully set mapping between 7 and 902 on 3/1 Console> (enable) set pvlan mapping 7 903 3/1 Successfully set mapping between 7 and 903 on 3/1 This example shows how to verify the private VLAN configuration: Console> (enable) show vlan 7 VLAN Name Status IfIndex Mod/Ports.-----.-----------------------7 VLAN0007 active 35 4/4-6 VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2 ---.----------------7 902 Isolated 4/4-6 Console> (enable) Primary Secondary ------.-----.-----.-----------------------902 VLAN0007 active 38 4/4-6 VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2 ---.-------------------------------.----.-------7 static disabled VLAN AREHops STEHops Backup CRF 1q VLAN ---.--------.---------.------.---.------Primary Secondary Secondary-Type Ports ------.--------7 901 7 902 7 903 show pvlan Secondary-Type -------------isolated community community Ports -----------4/3 4/4-6 4/7-9 Catalyst 6000 Family Software Configuration Guide—Releases 6. Console> (enable) set pvlan 7 903 4/7-9 Successfully set the following ports to Private Vlan 7.

Port 5/1 cannot be made a private vlan port due to: -----------------------------------------------------Trunking ports are not Private Vlan capable. Port 5/20 can be made a private vlan port.5/12 are in the same ASIC range as port 5/2. This example shows the port capability for several ports in the following configuration: Console> Console> Console> Console> (enable) (enable) (enable) (enable) set set set set pvlan pvlan pvlan trunk 10 20 mapping 10 20 3/1 mapping 10 20 5/2 5/1 desirable isl 1-1005.-----------isolated Console> (enable) show pvlan capability 3/1 Port 3/1 cannot be made a private vlan port due to: -----------------------------------------------------Promiscuous ports cannot be made private vlan ports.Chapter 11 Configuring VLANs Configuring Private VLANs Console> (enable) show pvlan mapping Port Primary Secondary ----.903 half 100 100BaseFX MM .---------. Conflict with Promiscuous port(s) : 5/2 Console> (enable) show pvlan capability 5/2 Ports 5/1 .---------. Console> (enable) show pvlan capability 5/1 Ports 5/1 .---------3/1 7 901-903 Console> (enable) show port Port Name Status Vlan Duplex Speed Type ----. 4/3 notconnect 7.-----------.5/24 are in the same ASIC range as port 5/20..----..3 and 6.902 half 100 100BaseFX MM 4/7 notconnect 7. Port 5/2 cannot be made a private vlan port due to: -----------------------------------------------------Promiscuous ports cannot be made private vlan ports.-----------------.903 half 100 100BaseFX MM 4/8 notconnect 7.. Conflict with Trunking port(s) : 5/1 Catalyst 6000 Family Software Configuration Guide—Releases 6.902 half 100 100BaseFX MM 4/5 notconnect 7. truncated output.1025-4094 Console> (enable) show pvlan capability 5/20 Ports 5/13 .-----..-------.901 half 100 100BaseFX MM 4/4 notconnect 7.--------10 20 show pvlan Secondary-Type Ports -------------. Console> (enable) Primary Secondary ------.truncated output.902 half 100 100BaseFX MM 4/6 notconnect 7... 
Viewing the Port Capability of a Private VLAN Port You can view the port capability of a port in a private VLAN using the show pvlan capability mod/port command..5/12 are in the same ASIC range as port 5/1.4 78-13315-02 11-21 .903 half 100 100BaseFX MM 4/9 notconnect 7..

Command clear vlan {isolated_vlan | community_vlan | twoway_community_vlan} This example shows how to delete the community VLAN 902: Console> (enable) clear vlan 902 This command will de-activate all ports on vlan 902 Do you want to continue(y/n) [n]?y Vlan 902 deleted Console> (enable) Catalyst 6000 Family Software Configuration Guide—Releases 6.Chapter 11 Configuring Private VLANs Configuring VLANs Console> (enable) show pvlan capability 5/3 Ports 5/1 . the binding with the primary VLAN is broken. all bindings to the primary VLAN are broken. To delete a private VLAN. or Two-Way Community VLAN If you delete an isolated. and any related mappings on the promiscuous port(s) are deleted. community. perform this task in privileged mode: Task Delete a primary VLAN.5/12 are in the same ASIC range as port 5/3. any isolated. If you delete a primary VLAN. community. and any related mappings on the promiscuous port(s) are deleted. Deleting a Private VLAN You can delete a private VLAN by deleting the primary VLAN. Command clear vlan primary_vlan This example shows how to delete primary VLAN 7: Console> (enable) clear vlan 7 This command will de-activate all ports on vlan 7 Do you want to continue(y/n) [n]?y Vlan 7 deleted Console> (enable) Deleting an Isolated. or two-way community ports associated to the VLAN become inactive. perform this task in privileged mode: Task Delete an isolated or community VLAN. Community. To delete a VLAN on the switch. all ports in the private VLAN become inactive. Port 5/3 cannot be made a private vlan port due to: -----------------------------------------------------Conflict with Promiscuous port(s) : 5/2 Conflict with Trunking port(s) : 5/1 Console> (enable) show pvlan capability 15/1 Port 15/1 cannot be made a private vlan port due to: -----------------------------------------------------Only ethernet ports can be added to private vlans.4 11-22 78-13315-02 . or two-way community VLAN.3 and 6.

On the supervisor engine. Connecting new equipment with the same IP address generates a message and the ARP entry is not created. clear pvlan mapping primary_vlan {isolated | community | twoway-community} {mod/ports} This example shows how to delete the mapping of VLANs 902 to 901. Primary 100. If you delete all the mappings on a promiscuous port. The show pvlan command displays information about private VLANs only when the primary private VLAN is up. you cannot create isolated or community VLANs using VLAN numbers for which interface vlan commands have been entered on the MSFC. ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries (we recommend that you display and verify private VLAN interface ARP entries). To delete a port mapping from a private VLAN. See the following for an example: %PV-6-PV_MSG:Created a private vlan mapping. Catalyst 6000 Family Software Configuration Guide—Releases 6. or two-way community VLAN to which it belongs is cleared. Entering a set pvlan mapping or a clear pvlan mapping command on the supervisor engine generates MSFC syslog messages. previously set on ports 3/2 through 3/5: Console> (enable) clear pvlan mapping 901 902 3/2-5 Successfully cleared mapping between 901 and 902 on 3/2-5 Console> (enable) Private VLAN Support on the MSFC These items describe private VLAN support on the MSFC: • • Enter the show pvlan command to display information about private VLANs. Because the private VLAN interface ARP entries do not age out. you must manually remove private VLAN interface ARP entries if a MAC address changes. All mappings from a non-MSFC promiscuous port are deleted. private VLAN interface sticky ARP entries do not age out. it displays “pvlan-” as its VLAN number in the show port output. Primary 200. A private VLAN port might be set to inactive for the following reasons: • • • The primary. Secondary 201 %PV-6-PV_MSG:Purged a private vlan mapping. the promiscuous port becomes inactive. 
Secondary 101 %PV-6-PV_MSG:Created a private vlan mapping. community. community. isolated. An error occurs during the configuration of a port to be a private VLAN port.Chapter 11 Configuring VLANs Configuring Private VLANs Deleting a Private VLAN Mapping If you delete the private VLAN mapping. For security reasons.4 78-13315-02 11-23 . the connectivity breaks between the isolated.3 and 6. Secondary 101 • • • • • Enter an interface vlan command to configure Layer 3 parameters only for primary private VLANs. perform this task in privileged mode: Task Command Delete the port mapping from the private VLAN. Primary 100. or two-way community ports and the promiscuous port. When a private VLAN port is set to inactive.


You can add or remove private VLAN ARP entries manually as follows:
obelix-rp(config)# no arp 11.1.3.30
IP ARP:Deleting Sticky ARP entry 11.1.3.30
obelix-rp(config)# arp 11.1.3.30 0000.5403.2356 arpa
IP ARP:Overwriting Sticky ARP entry 11.1.3.30, hw:00d0.bb09.266e by hw:0000.5403.2356

Some commands clear and recreate private VLAN mapping as follows:
obelix-rp(config)# xns routing
obelix-rp(config)#
%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 101
%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 102
%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 103
%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 101
%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 102
%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 103
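The forwarding rules that the set vlan pvlan-type, set pvlan, and set pvlan mapping commands in this section put in place can be checked against a small model. The following Python is an added example, not Cisco software or the switch's own forwarding logic. It encodes the configuration used in the examples above (primary VLAN 7, isolated VLAN 901 on port 4/3, community VLANs 902 and 903 on ports 4/4-6 and 4/7-9, promiscuous port 3/1 mapped to 901-903) and answers whether a frame entering one port may be forwarded out another, including the effect of clearing a mapping. Two-way community VLANs are treated like community VLANs for forwarding, which is an assumption, and port 4/10 in the usage block is a hypothetical second isolated port that is not in the page's configuration.

```python
"""Model of Catalyst private VLAN forwarding between port types.

Added example, not Cisco code. Port and VLAN numbers follow the examples in
this section; two-way community VLANs are assumed to forward like community
VLANs, and port 4/10 below is a hypothetical extra isolated port.
"""
from dataclasses import dataclass, field

ISOLATED = "isolated"
COMMUNITY = "community"
TWOWAY_COMMUNITY = "twoway_community"


def expand_ports(spec):
    """Expand CatOS port notation ("4/4-6", "3/1", "4/3,4/10") into "mod/port" strings."""
    result = []
    for chunk in spec.split(","):
        mod, ports = chunk.strip().split("/")
        if "-" in ports:
            lo, hi = (int(p) for p in ports.split("-"))
            result.extend(f"{mod}/{p}" for p in range(lo, hi + 1))
        else:
            result.append(f"{mod}/{int(ports)}")
    return result


@dataclass
class PrivateVlan:
    primary: int
    secondary_type: dict = field(default_factory=dict)  # secondary VLAN -> type
    port_vlan: dict = field(default_factory=dict)       # "mod/port" -> secondary VLAN
    promiscuous: dict = field(default_factory=dict)     # "mod/port" -> set of mapped secondaries

    def set_secondary(self, vlan, kind):
        """set vlan <vlan> pvlan-type {isolated | community | twoway_community}"""
        if kind not in (ISOLATED, COMMUNITY, TWOWAY_COMMUNITY):
            raise ValueError(f"unknown private VLAN type {kind!r}")
        self.secondary_type[vlan] = kind

    def bind_ports(self, secondary, ports):
        """set pvlan <primary> <secondary> <mod/ports>"""
        if secondary not in self.secondary_type:
            raise KeyError(f"VLAN {secondary} is not a secondary VLAN")
        for port in expand_ports(ports):
            self.port_vlan[port] = secondary

    def map_promiscuous(self, secondary, port):
        """set pvlan mapping <primary> <secondary> <mod/port>"""
        if secondary not in self.secondary_type:
            raise KeyError(f"VLAN {secondary} is not a secondary VLAN")
        self.promiscuous.setdefault(port, set()).add(secondary)

    def clear_mapping(self, secondary, port):
        """clear pvlan mapping <primary> <secondary> <mod/port>"""
        if port in self.promiscuous:
            self.promiscuous[port].discard(secondary)

    def inactive_ports(self):
        """A promiscuous port with no remaining mappings becomes inactive."""
        return {port for port, mapped in self.promiscuous.items() if not mapped}

    def can_forward(self, src, dst):
        """May a frame received on src be forwarded out dst within this private VLAN?"""
        inactive = self.inactive_ports()
        if src == dst or src in inactive or dst in inactive:
            return False
        if src in self.promiscuous:
            # Promiscuous ports reach each other and any secondary VLAN mapped to them.
            if dst in self.promiscuous:
                return True
            return self.port_vlan.get(dst) in self.promiscuous[src]
        if src not in self.port_vlan:
            return False
        sec = self.port_vlan[src]
        if dst in self.promiscuous:
            # A secondary port reaches a promiscuous port only if its VLAN is mapped there.
            return sec in self.promiscuous[dst]
        if self.port_vlan.get(dst) != sec:
            return False  # different secondary VLANs never talk directly
        # Same secondary VLAN: community ports talk to each other, isolated ports never do.
        return self.secondary_type[sec] != ISOLATED


def build_example():
    """The configuration from the examples in this section."""
    pv = PrivateVlan(primary=7)
    pv.set_secondary(901, ISOLATED)
    pv.set_secondary(902, COMMUNITY)
    pv.set_secondary(903, COMMUNITY)
    pv.bind_ports(901, "4/3")
    pv.bind_ports(902, "4/4-6")
    pv.bind_ports(903, "4/7-9")
    for secondary in (901, 902, 903):
        pv.map_promiscuous(secondary, "3/1")
    return pv


if __name__ == "__main__":
    pv = build_example()
    pv.bind_ports(901, "4/10")  # hypothetical second isolated port
    for src, dst in [("4/3", "3/1"), ("4/3", "4/4"), ("4/3", "4/10"), ("4/4", "4/5"), ("4/4", "4/7")]:
        print(f"{src} -> {dst}: {'forward' if pv.can_forward(src, dst) else 'drop'}")
```

The model makes the security property of the design explicit: every path between hosts in different secondary VLANs, or between two isolated ports, goes through the promiscuous port (the MSFC or an upstream router), which is where ACLs can be enforced; clearing the last mapping on 3/1 leaves the promiscuous port inactive, as the "Deleting a Private VLAN Mapping" text describes.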

Configuring FDDI VLANs
To create a new FDDI VLAN, perform this task in privileged mode:
Step 1  Task: Create a new FDDI or FDDI NET-type VLAN.  Command: set vlan vlan [name name] type {fddi | fddinet} [said said] [mtu mtu]
Step 2  Task: Verify the VLAN configuration.  Command: show vlan [vlan]

To modify the VLAN parameters on an existing FDDI VLAN, perform this task in privileged mode:
Step 1  Task: Modify an existing FDDI or FDDI NET-type VLAN.  Command: set vlan vlan [name name] [state {active | suspend}] [said said] [mtu mtu]
Step 2  Task: Verify the VLAN configuration.  Command: show vlan [vlan]

Configuring Token Ring VLANs
These sections describe the two Token Ring VLAN types that are supported on switches running VTP version 2:
• Understanding Token Ring TrBRF VLANs
• Understanding Token Ring TrCRF VLANs
• Token Ring VLAN Configuration Guidelines
• Creating or Modifying a Token Ring TrBRF VLAN
• Creating or Modifying a Token Ring TrCRF VLAN

You must use VTP version 2 to configure and manage Token Ring VLANs.


Note Catalyst 6000 family switches do not support ISL-encapsulated Token Ring frames.

Understanding Token Ring TrBRF VLANs
Token Ring Bridge Relay Function (TrBRF) VLANs interconnect multiple Token Ring Concentrator Relay Function (TrCRF) VLANs in a switched Token Ring network (see Figure 11-2). The TrBRF can be extended across a network of switches interconnected through trunk links. The connection between the TrCRF and the TrBRF is referred to as a logical port.

Figure 11-2 Interconnected Token Ring TrBRF and TrCRF VLANs
[Figure: a TrBRF operating as an SRB or SRT bridge interconnects several TrCRFs, each performing source-route switching (SRS) for its Token Rings (rings 001, 002 and 011).]

For source routing, the switch appears as a single bridge between the logical rings. The TrBRF can function as a source-route bridge (SRB) or as a source-route transparent (SRT) bridge running either the IBM or IEEE STP. If SRB is used, you can define duplicate MAC addresses on different logical rings. The Token Ring software runs an instance of STP for each TrBRF VLAN and each TrCRF VLAN. For TrCRF VLANs, STP removes loops in the logical ring. For TrBRF VLANs, STP interacts with external bridges to remove loops from the bridge topology, similar to STP operation on Ethernet VLANs.

Caution Certain parent TrBRF STP and TrCRF bridge mode configurations can place the logical ports (the connection between the TrBRF and the TrCRF) of the TrBRF in a blocked state. For more information, see the "Default VLAN Configuration" section.

To accommodate IBM System Network Architecture (SNA) traffic, you can use a combination of SRT and SRB modes. In a mixed mode, the TrBRF considers some ports (logical ports connected to TrCRFs) to operate in SRB mode while others operate in SRT mode.

Understanding Token Ring TrCRF VLANs
Token Ring Concentrator Relay Function (TrCRF) VLANs define port groups with the same logical ring number. You can configure two types of TrCRFs in your network: undistributed and backup.


Typically, TrCRFs are undistributed, which means each TrCRF is limited to the ports on a single switch. Multiple undistributed TrCRFs on the same or separate switches can be associated with a single parent TrBRF (see Figure 11-3). The parent TrBRF acts as a multiport bridge, forwarding traffic between the undistributed TrCRFs.

Note To pass data between rings located on separate switches, you can associate the rings to the same TrBRF and configure the TrBRF for SRB.

Figure 11-3 Undistributed TrCRFs
[Figure: Switch A and Switch B connected by an ISL trunk; TrBRF 3 is the parent of the undistributed TrCRFs 400, 350 and 200.]

Note By default, Token Ring ports are associated with the default TrCRF (VLAN 1003, trcrf-default), which has the default TrBRF (VLAN 1005, trbrf-default) as its parent. In this configuration, a distributed TrCRF is possible (see Figure 11-4), and traffic is passed between the default TrCRFs located on separate switches provided that the switches are connected through an ISL trunk.

Figure 11-4 Distributed TrCRF
[Figure: Switch A and Switch B connected by an ISL trunk; TrBRF 2 is the parent of TrCRF 300, which is distributed across both switches.]

Within a TrCRF, source-route switching forwards frames based on either MAC addresses or route descriptors. The entire VLAN can operate as a single ring, with frames switched between ports within a single TrCRF.

You can specify the maximum hop count for All-Routes and Spanning Tree Explorer frames for each TrCRF. This limits the maximum number of hops an explorer is allowed to traverse. If a port determines that the explorer frame it is receiving has traversed more than the number of hops specified, it does not forward the frame. The TrCRF determines the number of hops an explorer has traversed based on the number of bridge hops in the route information field.

A backup TrCRF enables you to configure an alternate route for traffic between undistributed TrCRFs located on separate switches that are connected by a TrBRF, in the event that the ISL connection between the switches fails. Only one backup TrCRF for a TrBRF is allowed, and only one port per switch can belong to a backup TrCRF.
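The explorer hop-count check described above can be made concrete. The following Python is an added example, not Cisco software: it parses an IEEE 802.5 routing information field (RIF) into its routing control bits and route descriptors, counts the bridge hops the frame has already traversed, and applies the per-TrCRF aremaxhop and stemaxhop limits. The RIF layout (a 2-byte routing control field followed by 2-byte route descriptors, each a 12-bit ring number and a 4-bit bridge number) is the standard source-routing format; the sample RIFs are constructed for the example, and the default limit of 7 matches the AREHops/STEHops values that show vlan reports for a new TrCRF later on this page.

```python
"""Parse a Token Ring routing information field and apply explorer hop limits.

Added example, not Cisco code. Sample RIFs are constructed here; ring and
bridge numbers are arbitrary.
"""
import struct

SPECIFIC = "specifically_routed"
ALL_ROUTES = "all_routes_explorer"
SPANNING_TREE = "spanning_tree_explorer"


def parse_rif(rif: bytes) -> dict:
    """Decode the routing control field and route descriptors of a RIF."""
    if len(rif) < 2 or len(rif) % 2:
        raise ValueError("RIF must be an even number of bytes, at least 2")
    rc = struct.unpack(">H", rif[:2])[0]
    broadcast = rc >> 13              # bits 15-13: broadcast indicators
    length = (rc >> 8) & 0x1F         # bits 12-8: RIF length in bytes
    direction = (rc >> 7) & 0x1       # bit 7: direction the descriptors are read
    largest_frame = (rc >> 4) & 0x7   # bits 6-4: largest frame code
    if length != len(rif):
        raise ValueError(f"RIF length field {length} does not match {len(rif)} bytes")
    if not broadcast & 0b100:
        kind = SPECIFIC            # 0xx: follows the listed route exactly
    elif not broadcast & 0b010:
        kind = ALL_ROUTES          # 10x: copied by every bridge onto every ring
    else:
        kind = SPANNING_TREE       # 11x: copied only along the spanning tree
    descriptors = [struct.unpack(">H", rif[i:i + 2])[0] for i in range(2, len(rif), 2)]
    route = [(rd >> 4, rd & 0xF) for rd in descriptors]   # (ring number, bridge number)
    return {"type": kind, "direction": direction, "largest_frame": largest_frame, "route": route}


def bridge_hops(route) -> int:
    """Bridges already traversed: each descriptor except the last names a bridge.

    The first bridge writes two descriptors (ring in + bridge, ring out + bridge 0);
    each later bridge fills in the trailing bridge number and appends its outgoing ring.
    """
    return max(len(route) - 1, 0)


def trcrf_forward(rif: bytes, aremaxhop: int = 7, stemaxhop: int = 7) -> bool:
    """Would a TrCRF port forward this frame under the configured explorer limits?"""
    info = parse_rif(rif)
    hops = bridge_hops(info["route"])
    if info["type"] == ALL_ROUTES:
        return hops <= aremaxhop
    if info["type"] == SPANNING_TREE:
        return hops <= stemaxhop
    return True   # specifically routed frames are not subject to the explorer limits


def build_rif(kind: str, route, largest_frame: int = 0x3) -> bytes:
    """Construct a RIF of the given type for the given (ring, bridge) route."""
    if len(route) > 14:
        raise ValueError("5-bit length field allows at most 14 route descriptors")
    indicator = {SPECIFIC: 0b000, ALL_ROUTES: 0b100, SPANNING_TREE: 0b110}[kind]
    length = 2 + 2 * len(route)
    rc = (indicator << 13) | (length << 8) | (largest_frame << 4)
    body = b"".join(struct.pack(">H", (ring << 4) | bridge) for ring, bridge in route)
    return struct.pack(">H", rc) + body


if __name__ == "__main__":
    # An all-routes explorer that has crossed one bridge (0xA) from ring 0x001 to 0x002.
    sample = build_rif(ALL_ROUTES, [(0x001, 0xA), (0x002, 0x0)])
    print(parse_rif(sample), "forward:", trcrf_forward(sample, aremaxhop=7))
```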


If the ISL connection between the switches fails, the port in the backup TrCRF on each affected switch automatically becomes active, rerouting traffic between the undistributed TrCRFs through the backup TrCRF. When the ISL connection is reestablished, all but one port in the backup TrCRF are disabled. Figure 11-5 illustrates the backup TrCRF.

Figure 11-5 Backup TrCRF
[Figure: Switch A and Switch B connected by an ISL trunk; TrBRF 1 is the parent of TrCRF 600 and TrCRF 601, with backup TrCRF 612 providing the alternate path between the switches.]

Token Ring VLAN Configuration Guidelines
When you create or modify Token Ring VLANs, take the following guidelines into consideration:
• For Token Ring VLANs, the default TrBRF (VLAN 1005) can only be the parent of the default TrCRF (VLAN 1003). You cannot specify the default TrBRF as the parent of a user-configured TrCRF.
• You must configure a TrBRF before you configure the TrCRF; that is, the parent TrBRF VLAN you specify for the TrCRF must already exist.
• In a Token Ring environment, the logical ports of the TrBRF (the connection between the TrBRF and the TrCRF) are placed in a blocked state if either of these conditions exists:
  – The TrBRF is running the IBM STP, and the TrCRF is in SRT mode.
  – The TrBRF is running the IEEE STP, and the TrCRF is in SRB mode.

Creating or Modifying a Token Ring TrBRF VLAN
You must enable VTP version 2 before you create Token Ring VLANs. For information on enabling VTP version 2, see Chapter 10, "Configuring VTP." You must specify a bridge number when you create a new TrBRF.

To create a new Token Ring TrBRF VLAN, perform this task in privileged mode:
Step 1  Task: Create a new Token Ring TrBRF-type VLAN.  Command: set vlan vlan [name name] type trbrf [said said] [mtu mtu] bridge bridge_number [stp {ieee | ibm}]
Step 2  Task: Verify the VLAN configuration.  Command: show vlan [vlan]


This example shows how to create a new Token Ring TrBRF VLAN and verify the configuration:
Console> (enable) set vlan 999 name TrBRF_999 type trbrf bridge a
Vlan 999 configuration successful
Console> (enable) show vlan 999
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
999  TrBRF_999                        active

VLAN Type  SAID       MTU   Parent RingNo BrdgNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
999  trbrf 100999     4472  -      -      0xa    ibm  -        0      0

VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
Console> (enable)

To modify the VLAN parameters on an existing Token Ring TrBRF VLAN, perform this task in privileged mode:
Step 1  Task: Modify an existing Token Ring TrBRF-type VLAN.  Command: set vlan vlan [name name] [state {active | suspend}] [said said] [mtu mtu] [bridge bridge_number] [stp {ieee | ibm}]
Step 2  Task: Verify the VLAN configuration.  Command: show vlan [vlan]

Creating or Modifying a Token Ring TrCRF VLAN
Note You must enable VTP version 2 before you create Token Ring VLANs. For information on enabling VTP version 2, see Chapter 10, "Configuring VTP."

To create a new Token Ring TrCRF VLAN, perform this task in privileged mode:
Step 1  Task: Create a new Token Ring TrCRF-type VLAN.  Command: set vlan vlan [name name] type trcrf [said said] [mtu mtu] {ring hex_ring_number | decring decimal_ring_number} parent vlan
Step 2  Task: Verify the VLAN configuration.  Command: show vlan [vlan]

Note You must specify a ring number (either in hexadecimal or in decimal) and a parent TrBRF VLAN when creating a new TrCRF.


This example shows how to create a Token Ring TrCRF VLAN and verify the configuration:
Console> (enable) set vlan 998 name TrCRF_998 type trcrf decring 10 parent 999
Vlan 998 configuration successful
Console> (enable) show vlan 998
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
998  TrCRF_998                        active    352

VLAN Type  SAID       MTU   Parent RingNo BrdgNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
998  trcrf 100998     4472  999    0xa    -      -    srb      0      0

VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
998  7       7       off
Console> (enable)

To modify the VLAN parameters on an existing Token Ring TrCRF VLAN, perform this task in privileged mode:
Step 1  Task: Modify an existing Token Ring TrCRF VLAN.  Command: set vlan vlan [name name] [state {active | suspend}] [said said] [mtu mtu] [ring hex_ring] [decring decimal_ring] [bridge bridge] [parent vlan]
Step 2  Task: Verify the VLAN configuration.  Command: show vlan [vlan]

To create a backup TrCRF, assign one port on each switch that the TrBRF traverses to the backup TrCRF. To configure a TrCRF VLAN as a backup TrCRF, perform this task in privileged mode:
Step 1  Task: Configure a TrCRF VLAN as a backup TrCRF.  Command: set vlan vlan backupcrf on
Step 2  Task: Verify the VLAN configuration.  Command: show vlan [vlan]

Caution If the backup TrCRF port is attached to a Token Ring multistation access unit (MSAU), it does not provide a backup path unless the ring speed and port mode are set by another device. We recommend that you configure the ring speed and port mode for the backup TrCRF.

To specify the maximum number of hops for All-Routes Explorer frames or Spanning Tree Explorer frames in the TrCRF, perform this task in privileged mode:
Step 1  Task: Specify the maximum number of hops for All-Routes Explorer frames in the TrCRF.  Command: set vlan vlan aremaxhop hopcount
Step 2  Task: Specify the maximum number of hops for Spanning Tree Explorer frames in the TrCRF.  Command: set vlan vlan stemaxhop hopcount
Step 3  Task: Verify the VLAN configuration.  Command: show vlan [vlan]


This example shows how to limit All-Routes Explorer frames and Spanning Tree Explorer frames to ten hops and how to verify the configuration:
Console> (enable) set vlan 998 aremaxhop 10 stemaxhop 10
Vlan 998 configuration successful
Console> (enable) show vlan 998
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
998  VLAN0998                         active    357

VLAN Type  SAID       MTU   Parent RingNo BrdgNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
998  trcrf 100998     4472  999    0xff   -      -    srb      0      0

VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
998  10      10      off
Console> (enable)


Chapter 12

Configuring InterVLAN Routing
This chapter describes how to configure the Multilayer Switch Feature Card (MSFC) for interVLAN routing on the Catalyst 6000 family switches.

Note For complete syntax and usage for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:
• Understanding How InterVLAN Routing Works
• Configuring InterVLAN Routing on the MSFC

Note Refer to the FlexWAN Module Port Adapter Installation and Configuration Notes for information about configuring routing on FlexWAN module interfaces.

Understanding How InterVLAN Routing Works
Network devices in different VLANs cannot communicate with one another without a router to forward traffic between the VLANs. In most network environments, VLANs are associated with individual networks or subnetworks. For example, in an IP network, each subnetwork is mapped to an individual VLAN. In an IPX network, each VLAN is mapped to an IPX network number. Configuring VLANs helps control the size of the broadcast domain and keeps local traffic local.

When an end station in one VLAN needs to communicate with an end station in another VLAN, interVLAN communication is required. This communication is provided by interVLAN routing. You configure one or more routers to route traffic to the appropriate destination VLAN. Figure 12-1 shows a basic interVLAN routing topology. Switch A is in VLAN 10 and Switch B is in VLAN 20. The router has an interface in each VLAN.


Figure 12-1 Basic InterVLAN Routing Topology
[Figure: Host A and Host B attach to Switch A in VLAN 10; Host C attaches to Switch B in VLAN 20; both switches connect to the router over ISL trunks.]

When Host A in VLAN 10 needs to communicate with Host B in VLAN 10, it sends a packet addressed to that host. Switch A forwards the packet directly to Host B, without sending it to the router. When Host A sends a packet to Host C in VLAN 20, Switch A forwards the packet to the router, which receives the traffic on the VLAN 10 interface. The router checks the routing table, determines the correct outgoing interface, and forwards the packet out the VLAN 20 interface to Switch B. Switch B receives the packet and forwards it to Host C.

Configuring InterVLAN Routing on the MSFC
Note This section is for users who are familiar with Cisco IOS software and have some experience configuring Cisco IOS routing. If you are not familiar with configuring Cisco routing, refer to the Cisco IOS documentation on Cisco.com.

These sections describe how to configure interVLAN routing on the MSFC:
• MSFC Routing Configuration Guidelines
• Configuring IP InterVLAN Routing on the MSFC
• Configuring IPX InterVLAN Routing on the MSFC
• Configuring AppleTalk InterVLAN Routing on the MSFC
• Configuring MSFC Features

MSFC Routing Configuration Guidelines
Configuring interVLAN routing on the MSFC consists of two main procedures:
1. Create and configure VLANs on the switch and assign VLAN membership to switch ports. For more information, see Chapter 11, "Configuring VLANs."
2. Create and configure VLAN interfaces for interVLAN routing on the MSFC. Configure a VLAN interface for each VLAN for which you want to route traffic.

VLAN interfaces on the MSFC are virtual interfaces. However, you configure them much as you do a physical router interface. The MSFC2 and MSFC support the same range of VLANs as the supervisor engine. The MSFC2 supports up to 1,000 VLAN interfaces; the MSFC supports up to 256 VLAN interfaces.


Configuring IP InterVLAN Routing on the MSFC
To configure interVLAN routing for IP, perform this task:
Step 1  Task: (Optional) Enable IP routing on the router (1).  Command: Router(config)# ip routing
Step 2  Task: (Optional) Specify an IP routing protocol (2).  Command: Router(config)# router ip_routing_protocol
Step 3  Task: Specify a VLAN interface on the MSFC.  Command: Router(config)# interface vlan-id
Step 4  Task: Assign an IP address to the VLAN.  Command: Router(config-if)# ip address n.n.n.n mask
Step 5  Task: Exit configuration mode.  Command: Router(config-if)# Ctrl-Z
1. This step is necessary if you have multiple routers in the network.
2. This step is necessary if you enabled IP routing in Step 1. This step might include other commands, such as using the network router configuration command to specify the networks to route. Refer to the documentation for your router platform for detailed information on configuring routing protocols.

This example shows how to enable IP routing on the MSFC, create a VLAN interface, and assign the interface an IP address:
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip routing
Router(config)# router rip
Router(config-router)# network 10.0.0.0
Router(config-router)# interface vlan 100
Router(config-if)# ip address 10.1.1.1 255.0.0.0
Router(config-if)# ^Z
Router#

Configuring IPX InterVLAN Routing on the MSFC
To configure interVLAN routing for Internetwork Packet Exchange (IPX), perform this task:
Step 1  Task: (Optional) Enable IPX routing on the router (1).  Command: Router(config)# ipx routing
Step 2  Task: (Optional) Specify an IPX routing protocol (2).  Command: Router(config)# ipx router ipx_routing_protocol
Step 3  Task: Specify a VLAN interface on the MSFC.  Command: Router(config)# interface vlan-id
Step 4  Task: Assign a network number to the VLAN (3).  Command: Router(config-if)# ipx network [network | unnumbered] encapsulation encapsulation-type
Step 5  Task: Exit configuration mode.  Command: Router(config-if)# Ctrl-Z
1. This step is necessary if you have multiple routers in the network.
2. This step is necessary if you enabled IPX routing in Step 1. This step might include other commands, such as using the network router configuration command to specify the networks to route. Refer to the documentation for your router platform for detailed information on configuring routing protocols.
3. This step enables IPX routing on the VLAN. When you enable IPX routing on the VLAN, you can also specify an encapsulation type.

This example shows how to enable IPX routing on the MSFC, create a VLAN interface, and assign the interface an IPX network address:
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ipx routing
Router(config)# ipx router rip
Router(config-ipx-router)# network all
Router(config-ipx-router)# interface vlan100
Router(config-if)# ipx network 100 encapsulation snap
Router(config-if)# ^Z
Router#

Configuring AppleTalk InterVLAN Routing on the MSFC
To configure interVLAN routing for AppleTalk, perform this task:
Step 1  Task: (Optional) Enable AppleTalk routing on the router (1).  Command: Router(config)# appletalk routing
Step 2  Task: Specify a VLAN interface on the MSFC.  Command: Router(config)# interface vlan-id
Step 3  Task: Assign a cable range to the VLAN.  Command: Router(config-if)# appletalk cable-range cable-range
Step 4  Task: Assign a zone name to the VLAN.  Command: Router(config-if)# appletalk zone zone-name
Step 5  Task: Exit configuration mode.  Command: Router(config-if)# Ctrl-Z
1. This step is necessary if you have multiple routers in the network.

This example shows how to enable AppleTalk routing on the MSFC, create a VLAN interface, and assign the interface an AppleTalk cable range and zone name:
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# appletalk routing
Router(config)# interface vlan100
Router(config-if)# appletalk cable-range 100-100
Router(config-if)# appletalk zone Engineering
Router(config-if)# ^Z
Router#

Configuring MSFC Features
These sections describe features implemented on the MSFC:
• Local Proxy ARP
• WCCP Layer 2 Redirection
• Auto State Feature


Local Proxy ARP
With Release 12.1(2)E or later releases, Local Proxy Address Resolution Protocol (ARP) allows the MSFC to respond to ARP requests for IP addresses within a subnet where normally no routing is required. With local proxy ARP enabled, the MSFC responds to all ARP requests for IP addresses within the subnet and forwards all traffic between hosts in the subnet. Use this feature only on subnets where hosts are intentionally prevented from communicating directly by the configuration on the switch to which they are connected; otherwise it simply inserts the router into traffic that would have been switched at Layer 2.

Local proxy ARP is disabled by default. Enter the ip local-proxy-arp interface configuration command to enable local proxy ARP on an interface. Enter the no ip local-proxy-arp interface configuration command to disable the feature. Internet Control Message Protocol (ICMP) redirects are disabled on interfaces where local proxy ARP is enabled.
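Two ARP behaviours on a private VLAN Layer 3 interface are described on this page: entries learned on the interface are sticky (they do not age out and are not replaced by a different MAC for the same address until an administrator removes them with no arp or overrides them with a static arp entry, as in the "Private VLAN Support on the MSFC" section), and with ip local-proxy-arp the router answers ARP requests for other hosts in its own subnet so that isolated hosts can reach each other only through it. The following Python models both; it is an added example, not Cisco IOS code. The interface names, the hosts on 11.1.3.0/24 and 10.0.0.0/24, and the MAC addresses are constructed for the example, and the conflict message is paraphrased from the "IP ARP:" console output shown earlier.

```python
"""Sticky ARP and local proxy ARP on a private VLAN Layer 3 interface.

Added example modelling the behaviour described in this chapter; not Cisco
code. Addresses and MACs are constructed; the conflict message is paraphrased.
"""
import ipaddress
from dataclasses import dataclass, field

ARP_TIMEOUT = 4 * 3600  # IOS default ARP age-out, in seconds, for ordinary interfaces


@dataclass
class ArpEntry:
    mac: str
    learned_at: float
    sticky: bool


@dataclass
class L3Interface:
    name: str
    network: ipaddress.IPv4Network
    own_ip: str
    own_mac: str
    private_vlan: bool = False      # 'interface vlan' on a primary private VLAN
    local_proxy_arp: bool = False   # 'ip local-proxy-arp' configured
    table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def learn(self, ip, mac, now):
        """Handle a received ARP reply for ip -> mac. Returns True if a new entry was created."""
        current = self.table.get(ip)
        if current is not None and current.sticky and current.mac != mac:
            # Sticky entries are never replaced by learned traffic: new equipment
            # claiming an address already in the table is logged and ignored.
            self.log.append(f"IP ARP:Sticky ARP entry {ip} hw:{current.mac} "
                            f"not updated to hw:{mac}")
            return False
        if current is not None and current.mac == mac:
            current.learned_at = now          # refresh an existing entry
            return False
        # Entries learned on a private VLAN interface are created sticky.
        self.table[ip] = ArpEntry(mac, now, sticky=self.private_vlan)
        return True

    def age(self, now):
        """Expire dynamic entries older than ARP_TIMEOUT; sticky entries never age out."""
        expired = [ip for ip, e in self.table.items()
                   if not e.sticky and now - e.learned_at >= ARP_TIMEOUT]
        for ip in expired:
            del self.table[ip]
        return expired

    def clear_arp(self, ip):
        """'no arp <ip>': the manual removal required when a host's MAC changes."""
        entry = self.table.pop(ip, None)
        if entry is not None and entry.sticky:
            self.log.append(f"IP ARP:Deleting Sticky ARP entry {ip}")
        return entry is not None

    def static_arp(self, ip, mac):
        """'arp <ip> <mac> arpa': install a static entry, overwriting a sticky one."""
        old = self.table.get(ip)
        if old is not None and old.sticky:
            self.log.append(f"IP ARP:Overwriting Sticky ARP entry {ip}, "
                            f"hw:{old.mac} by hw:{mac}")
        self.table[ip] = ArpEntry(mac, 0.0, sticky=True)   # static entries do not age

    def arp_reply_for(self, sender_ip, target_ip):
        """Decide how the router answers an ARP request heard on this interface.

        Returns the MAC to reply with, or None to stay silent.
        """
        sender = ipaddress.IPv4Address(sender_ip)
        target = ipaddress.IPv4Address(target_ip)
        if target_ip == self.own_ip:
            return self.own_mac
        # Local proxy ARP: answer for any other host in the interface's own subnet,
        # so hosts that the switch keeps apart reach each other only via the router.
        if self.local_proxy_arp and sender in self.network and target in self.network:
            return self.own_mac
        return None


def example_interface():
    """A primary private VLAN interface with local proxy ARP enabled."""
    return L3Interface("Vlan7", ipaddress.IPv4Network("11.1.3.0/24"),
                       own_ip="11.1.3.1", own_mac="00d0.bb09.266e",
                       private_vlan=True, local_proxy_arp=True)


if __name__ == "__main__":
    vlan7 = example_interface()
    vlan7.learn("11.1.3.30", "0000.5403.2356", now=0.0)
    vlan7.learn("11.1.3.30", "0000.0c12.3456", now=10.0)   # conflicting MAC: ignored
    vlan7.clear_arp("11.1.3.30")
    vlan7.static_arp("11.1.3.30", "0000.5403.2356")
    print("\n".join(vlan7.log))
    print("reply for 11.1.3.31:", vlan7.arp_reply_for("11.1.3.30", "11.1.3.31"))
```

Run against a plain interface (private_vlan=False, local_proxy_arp=False) the same class shows the ordinary behaviour for contrast: a later reply with a new MAC replaces the entry, entries age out after ARP_TIMEOUT, and requests for other hosts go unanswered.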

WCCP Layer 2 Redirection

Note
Supervisor Engine 1 with the Policy Feature Card (PFC) supports this feature with Release 12.1(2)E or later releases. Supervisor Engine 2 with PFC2 supports this feature with Release 12.1(3a)E or later releases.

Web Cache Communication Protocol (WCCP) Layer 2 redirection allows directly connected Cisco Cache Engines to use Layer 2 redirection, which is more efficient than Layer 3 redirection through generic routing encapsulation (GRE). You can configure a directly connected Cache Engine to negotiate use of WCCP Layer 2 redirection. WCCP Layer 2 redirection requires no configuration on the MSFC. Enter the show ip wccp web-cache detail command to display which redirection method is in use for each cache.

Follow these guidelines when using this feature:
• The WCCP Layer 2 redirection feature sets the IP flow mask to full-flow mode.
• You can configure Cisco Cache Engine software release 2.2 or later releases to use WCCP Layer 2 redirection.
• Layer 2 redirection takes place on the switch and is not visible to the MSFC. Entering the show ip wccp web-cache detail command on the MSFC displays statistics for only the first packet of a Layer 2 redirected flow, which indicates how many flows, rather than packets, are using Layer 2 redirection. Entering the show mls entries command on the supervisor engine displays the other packets in the Layer 2 redirected flows.

Configure the Cisco IOS WCCP as described in the Cisco IOS Configuration Fundamentals Configuration Guide at http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/fun_c/fcprt3/fcd305.htm

Auto State Feature
The auto state feature shuts down (or brings up) Layer 3 interfaces/subinterfaces on the MSFC and the Multilayer Switch Module (MSM) when the following port configuration changes occur on the switch:

• When the last external port on a VLAN goes down, all Layer 3 interfaces/subinterfaces on that VLAN shut down (are autostated) unless sc0 is on the VLAN or another router is in the chassis with an interface/subinterface in the VLAN. When a Layer 3 interface goes down, this message is reported to the console for each Layer 3 interface:
%AUTOSTATE-6-SHUT_DOWN


• When the first external port on the VLAN is brought back up, all Layer 3 interfaces on that VLAN that were previously shut down are brought up. This message is reported to the console for each Layer 3 interface:
%AUTOSTATE-6-BRING_UP

The Catalyst 6000 family switch does not have knowledge of, or control over, the MSM or MSFC configuration (just as the switch does not have knowledge of, or control over, external router configurations). The auto state feature will not work on MSM or MSFC interfaces if the MSM or MSFC is not properly configured. For example, consider this MSM trunk configuration:
interface GigabitEthernet0/0/0.200
 encap isl 200
 .
 .

In the example, the GigabitEthernet0/0/0.200 interface is not auto stated if any of these configuration errors are made:
• VLAN 200 is not configured on the switch.
• Trunking is not configured on the corresponding Gigabit Ethernet switch port.
• Trunking is configured but VLAN 200 is not an allowed VLAN on that trunk.

Displaying the Auto State Configuration
To display the current line protocol state determination for the MSM, perform this task in normal mode:

Task                                                                Command
Display the current line protocol state determination for the MSM.  show msmautostate mod

This example shows how to display the current line protocol state determination for the MSM:
Console> show msmautostate
MSM Auto port state: enabled
Console>

To display the line protocol state determination for the MSFC, perform this task in privileged mode:

Task                                                        Command
Display the line protocol state determination for the MSFC.  show msfcautostate

This example shows how to display the line protocol state determination for the MSFC:
Console> (enable) show msfcautostate
MSFC Auto port state: enabled
Console> (enable)


To check which MSM interfaces are currently auto stated, perform this task in enabled mode:

Task                                                  Command
Check which MSM interfaces are currently auto stated.  show autostate entries

This example shows how to check which MSM interfaces are currently auto stated (shutdown or brought up through auto state):
Router# show autostate entries
Port-channel1.5
Port-channel1.6
Port-channel1.4
Router#

Disabling the Auto State Feature
To disable the auto state feature if you have an MSM installed, perform this task in privileged mode:

Task                                                          Command
Disable the auto state feature if you have an MSM installed.  set msmautostate disable

The auto state feature is enabled by default. This example shows how to disable the auto state feature if you have an MSM installed:
Console> (enable) set msmautostate disable
MSM port auto state disabled.
Console> (enable)

To disable the line protocol state determination of the MSFC, perform this task in privileged mode:

Note
If you toggle (enable to disable and/or disable to enable) the msfcautostate command, you might have to use the shutdown and no shutdown commands to disable and then restart the VLAN and WAN interfaces on the MSFC to bring them back up. Unless there is a valid reason, the MSFC auto state feature should not be disabled.

Task                                                        Command
Disable the line protocol state determination of the MSFC.  set msfcautostate disable

This example shows how to disable the line protocol state determination of the MSFC:
Console> (enable) set msfcautostate disable
MSM port auto state disabled.
Console> (enable)


CHAPTER 13

Configuring CEF for PFC2
This chapter describes how to configure Cisco Express Forwarding (CEF) for Policy Feature Card 2 (PFC2). CEF for PFC2 provides IP and Internetwork Packet Exchange (IPX) unicast Layer 3 switching and IP multicast Layer 3 switching for Supervisor Engine 2, PFC2, and Multilayer Switch Feature Card 2 (MSFC2).

Note
For complete information on the syntax and usage information for the supervisor engine commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:
• Understanding How Layer 3 Switching Works, page 13-i
• Default CEF for PFC2 Configuration, page 13-x
• CEF for PFC2 Configuration Guidelines and Restrictions, page 13-xi
• Configuring CEF for PFC2, page 13-xii
• Configuring NetFlow Statistics, page 13-xxii

Note

Supervisor Engine 1 with the PFC1 and the MSFC or MSFC2 provide Layer 3 switching with Multilayer Switching (MLS). See Chapter 14, “Configuring MLS,” for more information.

Note

To configure the MSFC2 to support MLS on a Catalyst 5000 family switch, refer to the Layer 3 Switching Software Configuration Guide at http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_5_2/layer3/index.htm.

Understanding How Layer 3 Switching Works
These sections describe Layer 3 switching with PFC2:
• Layer 3 Switching Overview, page 13-ii
• Understanding Layer 3-Switched Packet Rewrite, page 13-ii
• Understanding CEF for PFC2, page 13-iv
• Understanding NetFlow Statistics, page 13-ix


Layer 3 Switching Overview
Layer 3 switching allows the switch, instead of a router, to forward IP and IPX unicast traffic and IP multicast traffic between VLANs. Layer 3 switching is implemented in hardware and provides wire-speed interVLAN forwarding on the switch, rather than on the MSFC2. Layer 3 switching requires minimal support from the MSFC2. The MSFC2 routes any traffic that cannot be Layer 3 switched.

Note
Layer 3 switching supports the routing protocols configured on the MSFC2. Layer 3 switching does not replace the routing protocols configured on the MSFC2.

Layer 3 switching uses Protocol Independent Multicast (PIM) for multicast route determination.

Layer 3 switching on Catalyst 6000 family switches provides flow statistics that you can use to identify traffic characteristics for administration, planning, and troubleshooting. Layer 3 switching uses NetFlow Data Export (NDE) to export flow statistics (for more information about NDE, see Chapter 15, “Configuring NDE”).

Note

Traffic is Layer 3 switched after being processed by the VLAN access control list (VACL) feature and the quality of service (QoS) feature.

Understanding Layer 3-Switched Packet Rewrite
When a packet is Layer 3 switched from a source in one VLAN to a destination in another VLAN, the switch performs a packet rewrite at the egress port based on information learned from the MSFC2 so that the packets appear to have been routed by the MSFC2.

Note
Rather than just forwarding IP multicast packets, the PFC2 replicates them as necessary on the appropriate VLANs.

Packet rewrite alters five fields:
• Layer 2 (MAC) destination address
• Layer 2 (MAC) source address
• Layer 3 IP Time to Live (TTL) or IPX Transport Control
• Layer 3 checksum
• Layer 2 (MAC) checksum (also called the frame checksum or FCS)

Note
Packets are rewritten with the encapsulation appropriate for the next-hop subnet.

If Source A and Destination B are on different VLANs and Source A sends a packet to the MSFC2 to be routed to Destination B, the switch recognizes that the packet was sent to the Layer 2 (MAC) address of the MSFC2. To perform Layer 3 switching, the switch rewrites the Layer 2 frame header, changing the Layer 2 destination address to the Layer 2 address of Destination B and the Layer 2 source address to the Layer 2 address of the MSFC2. The Layer 3 addresses remain the same.


In IP unicast and IP multicast traffic, the switch decrements the Layer 3 TTL value by 1 and recomputes the Layer 3 packet checksum. In IPX traffic, the switch increments the Layer 3 Transport Control value by 1 and recomputes the Layer 3 packet checksum. The switch recomputes the Layer 2 frame checksum and forwards (or for multicast packets, replicates as necessary) the rewritten packet to Destination B’s VLAN.

These sections describe how the packets are rewritten:
• Understanding IP Unicast Rewrite, page 13-iii
• Understanding IPX Unicast Rewrite, page 13-iii
• Understanding IP Multicast Rewrite, page 13-iv

Understanding IP Unicast Rewrite
Received IP unicast packets are (conceptually) formatted as follows:

Layer 2 Frame Header          Layer 3 IP Header                                        Data  FCS
Destination   Source          Destination       Source       TTL  Checksum
MSFC2 MAC     Source A MAC    Destination B IP  Source A IP  n    calculation1

After the switch rewrites an IP unicast packet, it is (conceptually) formatted as follows:

Layer 2 Frame Header              Layer 3 IP Header                                        Data  FCS
Destination        Source         Destination       Source       TTL  Checksum
Destination B MAC  MSFC2 MAC      Destination B IP  Source A IP  n-1  calculation2

Understanding IPX Unicast Rewrite
Received IPX packets are (conceptually) formatted as follows:

Layer 2 Frame Header          Layer 3 IPX Header                                                                          Data  FCS
Destination   Source          Checksum/IPX Length/Transport Control  Destination Net/Node/Socket  Source Net/Node/Socket
MSFC2 MAC     Source A MAC    n                                      Destination B IPX            Source A IPX

After the switch rewrites an IPX packet, it is (conceptually) formatted as follows:

Layer 2 Frame Header              Layer 3 IPX Header                                                                          Data  FCS
Destination        Source         Checksum/IPX Length/Transport Control  Destination Net/Node/Socket  Source Net/Node/Socket
Destination B MAC  MSFC2 MAC      n+1                                    Destination B IPX            Source A IPX
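The IP unicast rewrite above, carried out on real frame bytes, as an added example that is not Cisco's code: it rewrites the two MAC addresses, decrements the TTL, updates the IP header checksum incrementally (and checks that against a full recompute), recomputes the FCS, and leaves the Layer 3 addresses alone. It also handles the multicast case from the next section (the 01-00-5E group MAC stays as destination, 224.0.0.* is never Layer 3 switched). All MACs, IP addresses and payloads are constructed sample values; the "expiring TTL goes to the MSFC2" rule is this example's assumption.

```python
"""Layer 3-switched IP packet rewrite, following the five-field rewrite described above.

Added example (not Cisco code): it builds an Ethernet II/IPv4 frame addressed to the
MSFC2 MAC, applies the rewrite a PFC2 performs (Layer 2 destination, Layer 2 source,
TTL, IP header checksum, FCS) and leaves the Layer 3 addresses untouched.  Multicast
frames keep the 01-00-5E group MAC as destination.  All MAC and IP addresses and the
payload are constructed sample values.
"""
import struct
import zlib
from ipaddress import IPv4Address, ip_network
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETH_HDR = 14
RESERVED_GROUPS = ip_network("224.0.0.0/24")   # flooded in the VLAN, never Layer 3 switched

# Constructed sample MACs, named after the figure's Aa / Cc / Dd labels.
MAC_A = bytes.fromhex("02000000000a")      # Source A
MAC_C = bytes.fromhex("02000000000c")      # Destination B (next hop)
MAC_MSFC2 = bytes.fromhex("02000000000d")  # MSFC2 router MAC


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ttl_checksum_update(old_csum: int, old_ttl: int, new_ttl: int) -> int:
    """Incremental update (RFC 1624, HC' = ~(~HC + ~m + m')) for a TTL change.
    TTL is the high byte of its 16-bit word, so only old_ttl<<8 -> new_ttl<<8 differs."""
    total = ((~old_csum) & 0xFFFF) + ((~(old_ttl << 8)) & 0xFFFF) + (new_ttl << 8)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_fcs(frame: bytes) -> bytes:
    """Append the Ethernet FCS (CRC-32, least significant byte first)."""
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    return struct.unpack("<I", frame[-4:])[0] == (zlib.crc32(frame[:-4]) & 0xFFFFFFFF)


def group_mac(group) -> bytes:
    """IP multicast group -> 01-00-5E-xx-xx-xx MAC (low 23 bits of the group address)."""
    return bytes.fromhex("01005e") + (int(IPv4Address(group)) & 0x7FFFFF).to_bytes(3, "big")


def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl, payload) -> bytes:
    """Ethernet II + 20-byte IPv4 header (protocol 17, UDP) + payload + FCS."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 17, 0,
                      IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return with_fcs(dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + hdr + payload)


def l3_switch_rewrite(frame: bytes, msfc2_mac: bytes, next_hop_mac: bytes) -> Optional[bytes]:
    """Return the rewritten frame, or None when the PFC2 would not Layer 3 switch it
    (bad FCS or header checksum, not addressed to the router or group MAC, reserved group)."""
    if not fcs_ok(frame) or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    dst_mac = frame[0:6]
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    ip_hdr = frame[ETH_HDR:ETH_HDR + ihl]
    if ip_checksum(ip_hdr) != 0:
        return None
    ttl, old_csum = ip_hdr[8], struct.unpack("!H", ip_hdr[10:12])[0]
    dst_ip = IPv4Address(ip_hdr[16:20])
    if dst_ip.is_multicast:
        if dst_ip in RESERVED_GROUPS or dst_mac != group_mac(dst_ip):
            return None
        new_dst_mac = dst_mac                 # group MAC stays; only the source MAC changes
    elif dst_mac == msfc2_mac:
        new_dst_mac = next_hop_mac            # sent to the MAC of the MSFC2: route it
    else:
        return None                           # bridged at Layer 2, not Layer 3 switched
    if ttl <= 1:
        return None   # assumption: an expiring TTL is left to the MSFC2 (the page is silent)
    new_ttl = ttl - 1
    new_csum = ttl_checksum_update(old_csum, ttl, new_ttl)
    new_hdr = ip_hdr[:8] + bytes([new_ttl, ip_hdr[9]]) + struct.pack("!H", new_csum) + ip_hdr[12:]
    assert ip_checksum(new_hdr) == 0          # incremental update agrees with a full recompute
    l2 = new_dst_mac + msfc2_mac + struct.pack("!H", ETHERTYPE_IPV4)
    return with_fcs(l2 + new_hdr + frame[ETH_HDR + ihl:-4])
```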

Understanding IP Multicast Rewrite
Received IP multicast packets are (conceptually) formatted as follows:

Layer 2 Frame Header            Layer 3 IP Header                                   Data  FCS
Destination     Source          Destination   Source       TTL  Checksum
Group G1 MAC1   Source A MAC    Group G1 IP   Source A IP  n    calculation1

1. In this example, Destination B is a member of Group G1.

After the switch rewrites an IP multicast packet, it is (conceptually) formatted as follows:

Layer 2 Frame Header            Layer 3 IP Header                                   Data  FCS
Destination     Source          Destination   Source       TTL  Checksum
Group G1 MAC    MSFC2 MAC       Group G1 IP   Source A IP  n–1  calculation2

Understanding CEF for PFC2
These sections describe CEF for PFC2:
• CEF for PFC2 Overview, page 13-iv
• Understanding Forwarding Decisions, page 13-v
• Understanding the FIB, page 13-v
• Understanding the Adjacency Table, page 13-vi
• Partially and Completely Switched Multicast Flows, page 13-vii
• CEF for PFC2 Examples, page 13-vii

CEF for PFC2 Overview
Supervisor Engine 2, PFC2, and MSFC2 provide Layer 3 switching with CEF for PFC2. CEF for PFC2 works with CEF (for unicast traffic) and PIM (for multicast traffic) on the MSFC2 to support IP, IP multicast, and IPX traffic. CEF and PIM on the MSFC2 are enhanced to support CEF for PFC2. CEF for PFC2 is permanently enabled on Supervisor Engine 2. Cisco IOS CEF is permanently enabled on the MSFC2 in support of CEF for PFC2.

CEF for PFC2 provides Layer 3 switching for all packets that match a complete forwarding information base (FIB) entry (see the “Understanding the FIB” section on page 13-v). CEF for PFC2 sends all packets that match an incomplete FIB entry (one where the MAC address has not been resolved) to the MSFC2 to be routed until the MSFC2 resolves the MAC address. CEF for PFC2 generates flow statistics for Layer 3-switched traffic that can be displayed at the CLI or used for NDE.

Note
CEF for PFC2 sends bridge traffic that is addressed at Layer 2 to the MSFC2 to be processed.

Note
Access control lists (ACLs) and policy-based routing can cause CEF for PFC2 to ignore the FIB when making a forwarding decision (see the “Understanding Forwarding Decisions” section on page 13-v).

Understanding Forwarding Decisions
CEF for PFC2 provides Layer 3 switching based on:
• Entries in the ACL ternary content addressable memory (TCAM) for policy-based routing decisions
• Entries in the NetFlow table for TCP intercept and reflexive ACL forwarding decisions (see the “Understanding NetFlow Statistics” section on page 13-ix)
• Entries in the FIB and adjacency table for all other forwarding decisions

CEF for PFC2 makes a forwarding decision for each packet and sends the rewrite information for each packet to the egress port, where the rewrite occurs when the packet is transmitted from the switch.

Enter the show mls entry command to display information about the entries used to make forwarding decisions.

Understanding the FIB
The FIB resides in a separate TCAM. The FIB, the adjacency table, and the NetFlow table do not compete with any other features for storage space. The adjacency table is stored separately in DRAM. The NetFlow table is stored separately in DRAM. The FIB supports 256K entries, which includes 16K IP multicast entries. With reverse path forwarding (RPF) check enabled, the number of IP entries doubles.

The FIB is conceptually similar to a routing table. It maintains a mirror image of the forwarding information contained in the unicast and multicast routing tables on the MSFC2. When routing or topology changes occur in the network, the unicast and multicast routing tables on the MSFC2 are updated and those changes are reflected in the FIB. The FIB maintains next-hop address information based on the information in the routing tables on the MSFC2.

FIB lookup uses the following criteria:
• Destination IP address for IP unicast
• Destination IPX network for IPX unicast
• Source and destination IP address for IP unicast with RPF check
• Source and destination IP address for IP multicast with RPF check

Enter the show mls cef command to display a Layer 3 switching summary:
Console> (enable) show mls cef
Total L3 packets switched:  0
Total L3 octets switched:   0
Total route entries:        18
IP route entries:           15
IPX route entries:          3
IPM route entries:          0
IP load sharing entries:    0
IPX load sharing entries:   0
Forwarding entries:         4
Bridge entries:             12
Drop entries:               2

Note
Because the FIB mirrors the unicast and multicast routing tables on the MSFC2, any commands on the MSFC2 that change the unicast or multicast routing tables affect the FIB. Forwarding entries cannot be cleared from the Supervisor Engine 2 command-line interface (CLI).

In switches with redundant supervisor engines and MSFC2s, the designated MSFC2 supports the FIB on the active Supervisor Engine 2. The routing protocols on the nondesignated MSFC2 send information to the routing protocols on the designated MSFC2.

Enter the show mls entry cef command to display:
• Module number of the MSFC that is supporting the FIB
• FIB entry type (receive, resolved, connected, wildcard, drop, null, or default)
• Destination address (IP address or IPX network)
• Destination mask
• Next-hop address (IP address or IPX network)
• Next-hop mask
• Next-hop load-sharing weight

Understanding the Adjacency Table
For each FIB entry, CEF for PFC2 stores Layer 2 information from the designated MSFC2 for adjacent nodes in the adjacency table. Adjacent nodes are nodes that are directly connected at Layer 2. CEF for PFC2 supports 256K adjacency table entries.

To forward traffic, CEF for PFC2 selects a route from a FIB entry, which points to an adjacency entry, and uses the Layer 2 header for the adjacent node in the adjacency table entry to rewrite the packet during Layer 3 switching.

Table 13-1 lists the adjacency types.

Table 13-1 Adjacency Types
Adjacency Type       Description
connect              Entry type that contains complete rewrite information
punt                 Entry to send traffic to the MSFC2
no r/w               Entry to send traffic to the MSFC2 when rewrite information is incomplete
frc drp              Entry used to drop packets due to ARP throttling
drop, null, loopbk   Entries used to drop packets

Enter the show mls entry cef adjacency command to display:
• FIB information (see the “Understanding the FIB” section on page 13-v)
• Adjacency type (connect, punt, drop, null, loopbk, frc drp, no r/w)
• Next-hop MAC address
• Next-hop VLAN
• Next-hop encapsulation
• Number of packets transmitted to this adjacency from the associated FIB entry
• Number of bytes transmitted to this adjacency from the associated FIB entry
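How a FIB entry and its adjacency together decide the fate of a packet, as an added example that is not Cisco's code: longest-prefix lookup, then dispatch on the adjacency type from Table 13-1 (connect is switched in hardware and counted per adjacency, punt and no r/w go to the MSFC2, frc drp and drop are dropped), plus the transition from no r/w to connect once the MSFC2 resolves the next-hop MAC. The prefixes and MACs follow the Figure 13-1 topology; the VLAN numbers and the unresolved/throttled hosts are constructed.

```python
"""FIB lookup plus adjacency-type dispatch, modelled on the FIB and adjacency table above.

Added example (not Cisco code).  The FIB holds (prefix, FIB type, adjacency) entries and
is searched longest prefix first.  The matching entry's adjacency decides whether the
packet is Layer 3 switched in hardware (connect: complete rewrite information), punted
to the MSFC2 (punt, or no r/w while the next-hop MAC is unresolved) or dropped (drop,
frc drp).  Prefixes, VLAN numbers and MAC addresses are constructed sample values
borrowed from the Figure 13-1 topology.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Adjacency:
    kind: str                             # connect | punt | no r/w | drop | null | loopbk | frc drp
    next_hop_mac: Optional[bytes] = None  # present only for connect
    vlan: Optional[int] = None
    encap: str = "ARPA"


@dataclass(frozen=True)
class FibEntry:
    prefix: IPv4Network
    fib_type: str                         # receive | resolved | connected | wildcard | drop
    adjacency: Adjacency


class Pfc2Fib:
    """Longest-prefix-match FIB with per-adjacency packet/byte counters."""

    def __init__(self, entries: List[FibEntry]):
        self.entries = sorted(entries, key=lambda e: e.prefix.prefixlen, reverse=True)
        self.stats: Dict[str, Tuple[int, int]] = {}   # prefix -> (packets, bytes) via its adjacency

    def lookup(self, dst: str) -> Optional[FibEntry]:
        addr = IPv4Address(dst)
        for entry in self.entries:            # sorted longest prefix first, so first hit wins
            if addr in entry.prefix:
                return entry
        return None

    def forward(self, dst: str, size: int) -> Tuple[str, object]:
        """Return ("switch", rewrite info), ("punt", reason) or ("drop", reason)."""
        entry = self.lookup(dst)
        if entry is None:
            return ("drop", "no FIB entry")
        adj = entry.adjacency
        if adj.kind == "connect":
            pkts, octets = self.stats.get(str(entry.prefix), (0, 0))
            self.stats[str(entry.prefix)] = (pkts + 1, octets + size)
            return ("switch", {"mac": adj.next_hop_mac, "vlan": adj.vlan, "encap": adj.encap})
        if adj.kind in ("punt", "no r/w"):
            return ("punt", "%s entry, adjacency %s" % (entry.fib_type, adj.kind))
        return ("drop", "adjacency " + adj.kind)

    def resolve(self, prefix: str, mac: bytes, vlan: int) -> None:
        """The MSFC2 resolved a next hop: its 'no r/w' adjacency becomes 'connect'."""
        net = IPv4Network(prefix)
        for i, entry in enumerate(self.entries):
            if entry.prefix == net:
                self.entries[i] = FibEntry(net, "resolved", Adjacency("connect", mac, vlan))
                return
        raise KeyError(prefix)


# Constructed sample values (VLAN numbers are assumed; the page names the VLANs only).
MAC_A, MAC_B, MAC_C = (bytes.fromhex("02000000000" + x) for x in "abc")
VLAN_SALES, VLAN_ENGINEERING, VLAN_MARKETING = 10, 20, 30


def sample_fib() -> Pfc2Fib:
    """A FIB for the Figure 13-1 topology: Host C resolved, Host B not yet resolved."""
    return Pfc2Fib([
        FibEntry(IPv4Network("171.59.1.1/32"), "receive", Adjacency("punt")),      # MSFC2's own address
        FibEntry(IPv4Network("171.59.1.0/24"), "connected", Adjacency("punt")),    # connected subnet: ARP needed
        FibEntry(IPv4Network("171.59.2.0/24"), "connected", Adjacency("punt")),
        FibEntry(IPv4Network("171.59.3.0/24"), "connected", Adjacency("punt")),
        FibEntry(IPv4Network("171.59.1.2/32"), "resolved", Adjacency("connect", MAC_A, VLAN_SALES)),
        FibEntry(IPv4Network("171.59.2.2/32"), "resolved", Adjacency("connect", MAC_C, VLAN_ENGINEERING)),
        FibEntry(IPv4Network("171.59.3.2/32"), "resolved", Adjacency("no r/w")),   # MAC not yet resolved
        FibEntry(IPv4Network("171.59.3.9/32"), "resolved", Adjacency("frc drp")),  # ARP throttled
        FibEntry(IPv4Network("0.0.0.0/0"), "wildcard", Adjacency("drop")),         # no default route
    ])
```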

Partially and Completely Switched Multicast Flows
Some flows might be partially Layer 3 switched instead of completely Layer 3 switched in these situations:
• The MSFC is configured as a member of the IP multicast group (using the ip igmp join-group command) on the RPF interface of the multicast source.
• The MSFC is the first-hop router to the source in PIM sparse mode (in this case, the MSFC must send PIM-register messages to the rendezvous point).
• The multicast TTL threshold is configured on an egress interface for the flow.
• The multicast helper is configured on the RPF interface for the flow, and multicast to broadcast translation is required.
• Network address translation (NAT) is configured on an interface, and source address translation is required for the outgoing interface.
• Multicast tag switching is configured on an egress interface.

Note
CEF for PFC2 provides Layer 3 switching when the extended access list deny condition on the RPF interface specifies something other than the Layer 3 source, Layer 3 destination, or IP protocol (an example is the Layer 4 port numbers).

Note
All (*,G) flows are always partially Layer 3 switched.

For partially switched flows, all multicast traffic belonging to the flow reaches the MSFC and is software switched for any interface that is not Layer 3 switched. The PFC prevents multicast traffic in flows that are completely Layer 3 switched from reaching the MSFC, reducing the load on the MSFC.

For all completely Layer 3-switched flows, the PFC periodically sends multicast packet and byte count statistics to the MSFC, because the MSFC cannot record multicast statistics for completely switched flows, which it never sees. The MSFC uses the statistics to update the corresponding multicast routing table entries and reset the appropriate expiration timers.

The show ip mroute and show mls ip multicast commands identify completely Layer 3-switched flows with the text string RPF-MFD (Multicast Fast Drop [MFD] indicates that from the viewpoint of the MSFC, the multicast packet is dropped, because it is switched by the PFC).

CEF for PFC2 Examples
Figure 13-1 shows a simple IP CEF network topology. In this example, Host A is on the Sales VLAN (IP subnet 171.59.1.0), Host B is on the Marketing VLAN (IP subnet 171.59.3.0), and Host C is on the Engineering VLAN (IP subnet 171.59.2.0). When Host A initiates an HTTP file transfer to Host C, the PFC2 uses the information in the FIB and adjacency table to forward packets from Host A to Host C.

Figure 13-1 IP CEF Example Topology
[Figure: Host A (171.59.1.2, MAC Aa) on Subnet 1/Sales, Host B (171.59.3.2, MAC Bb) on Subnet 3/Marketing, and Host C (171.59.2.2, MAC Cc) on Subnet 2/Engineering, all attached to the switch with the MSFC (MAC Dd). The packet Data 171.59.1.2:171.59.2.2 arrives from Host A with MAC addresses Aa:Dd and leaves toward Host C with MAC addresses Dd:Cc. The figure's table has the columns Source IP Address, Destination IP Address, Rewrite Src/Dst MAC Address and Destination VLAN, with rows for destinations 171.59.3.2 (Dd:Bb, Marketing), 171.59.2.2 (Dd:Cc, Engineering) and 171.59.1.2 (Dd:Aa, Sales).]

Figure 13-2 shows a simple IPX CEF network topology. In this example, Host A is on the Sales VLAN (IPX address 01.Aa), Host B is on the Marketing VLAN (IPX address 03.Bb), and Host C is on the Engineering VLAN (IPX address 02.Cc). When Host A initiates a file transfer to Host C, the PFC2 uses the information in the FIB and adjacency table to forward packets from Host A to Host C.

Figure 13-2 IPX CEF Example Topology
[Figure: Host A (IPX 01.Aa, MAC Aa) on Net 1/Sales, Host B (IPX 03.Bb, MAC Bb) on Net 3/Marketing, and Host C (IPX 02.Cc, MAC Cc) on Net 2/Engineering, all attached to the switch with the MSFC (MAC Dd). The packet Data 01.Aa:02.Cc arrives from Host A with MAC addresses Aa:Dd and leaves toward Host C with MAC addresses Dd:Cc. The figure's table has the columns Source IPX Address, Destination IPX Address, Rewrite Src/Dst MAC Address and Destination VLAN, with rows for destinations 03.Bb (Dd:Bb, Marketing), 02.Cc (Dd:Cc, Engineering) and 01.Aa (Dd:Aa, Sales).]

Understanding NetFlow Statistics
These sections describe NetFlow statistics:
• NetFlow Statistics Overview, page 13-ix
• Flow Masks, page 13-x
• NetFlow Table Entry Aging, page 13-x

NetFlow Statistics Overview
CEF for PFC2 generates flow statistics for Layer 3-switched traffic, which are stored in the NetFlow table. NetFlow statistics can be displayed with show commands and are also available to NetFlow Data Export (NDE).

Note
A NetFlow table with more than 32K entries increases the probability that there will be insufficient room to store statistics. To reduce the number of entries in the NetFlow table, you can exclude specified IP protocols from the statistics (see the “Excluding IP Protocol Entries from the NetFlow Table” section on page 13-xxv).

NetFlow statistics supports unicast and multicast flows:
• A unicast flow can be any of the following:
  – Destination only: all traffic to a particular destination
  – Destination-source: all traffic from a particular source to a particular destination
  – Full-flow: all traffic from a particular source to a particular destination that shares the same protocol and transport-layer information
• A multicast flow is all traffic with the same protocol and transport-layer information from a particular source to the members of a particular destination multicast group.

Flow Masks
Flow masks determine how NetFlow table entries are created. CEF for PFC2 supports only one flow mask (the most specific one) for all statistics. If CEF for PFC2 detects different flow masks from different MSFCs for which it is performing Layer 3 switching, it changes its flow mask to the most specific flow mask detected. When the flow mask changes, the entire NetFlow table is purged.

When CEF for PFC2 exports cached entries, flow records are created based on the current flow mask. Depending on the current flow mask, some fields in the flow record might not have values. Unsupported fields are filled with a zero (0).

The statistics flow masks are as follows:
• destination-ip—The least-specific flow mask for IP
• destination-ipx—The only flow mask for IPX
• source-destination-ip—For IP
• source-destination-vlan—For IP multicast
• full flow—The most-specific flow mask

Enter the show mls statistics entry command to display the contents of the NetFlow table and the current flow mask. Use the keyword options to display information for specific traffic (refer to the Catalyst 6000 Family Command Reference publication for more information).

NetFlow Table Entry Aging
The state and identity of flows are maintained while packet traffic is active; when traffic for a flow ceases, the entry ages out. You can configure the aging time for NetFlow table entries kept in the NetFlow table. If an entry is not used for the specified period of time, the entry ages out and statistics for that flow can be exported to a flow collector application.

Default CEF for PFC2 Configuration
Table 13-2 shows the default CEF for PFC2 configuration.

Table 13-2 Default CEF for PFC2 Configuration
Feature                        Default Value
CEF for PFC2 enable state      Enabled (cannot be disabled)
CEF enable state on MSFC2      Enabled (cannot be disabled)

Table 13-2 Default CEF for PFC2 Configuration (continued)
Feature                                       Default Value
Multicast routing on MSFC2                    Disabled globally
PIM routing on MSFC2                          Disabled on all interfaces
IP MMLS Threshold                             Unconfigured—no default value
IP MMLS                                       Enabled when multicast routing is enabled and IP PIM is enabled on the interface
Multicast services (IGMP snooping or GMRP)    Disabled

CEF for PFC2 Configuration Guidelines and Restrictions
Follow these guidelines and restrictions when configuring CEF for PFC2:
• PFC2 supports a maximum of 16 unique Hot Standby Router Protocol (HSRP) group numbers. You can use the same HSRP group numbers in different VLANs. If you configure more than 16 HSRP groups, this restriction prevents use of the VLAN number as the HSRP group number.

Note
Identically numbered HSRP groups use the same virtual MAC address, which might cause errors if you configure bridging on the MSFC.

• Because of the restriction to 16 unique HSRP group numbers, CEF for PFC2 cannot support the standby use-bia HSRP command.
• CEF for PFC2 supports the following ingress and egress encapsulations:
  – For IP unicast: Ethernet V2.0 (ARPA), 802.3 with 802.2 with 1 byte control (SAP1), 802.3 with 802.2 and SNAP
  – For IP multicast: Ethernet V2.0 (ARPA)
  – For IPX: Ethernet V2.0 (ARPA), 802.3 (raw), 802.3 with 802.2 with 1 byte control (SAP1), SNAP

Note
When the ingress encapsulation for IPX traffic is SAP1, CEF for PFC2 provides Layer 3 switching only when the egress encapsulation is also SAP1. The MSFC2 routes IPX SAP1 traffic that requires an encapsulation change.

CEF for PFC2 does not provide Layer 3 switching for an IP multicast flow in the following cases:
• For IP multicast groups that fall into the range 224.0.0.* (where * is in the range 0–255), which is used by routing protocols. CEF for PFC2 supports 225.0.0.* through 239.0.0.* and 224.128.0.* through 239.128.0.*.

Note
Groups in the 224.0.0.* range are reserved for routing control packets and must be flooded to all forwarding ports of the VLAN. These addresses map to the multicast MAC address range 01-00-5E-00-00-xx, where xx is in the range 0–0xFF.

• For PIM auto-RP multicast groups (IP multicast group addresses 224.0.1.39 and 224.0.1.40).
• For fragmented IP packets and packets with IP options. However, packets in the flow that are not fragmented or that do not specify IP options are multilayer switched.
• For source traffic received on tunnel interfaces (such as MBONE traffic).
• For any RPF interface with multicast tag switching enabled.
• If the shortest-path tree (SPT) bit for the flow is cleared when running PIM sparse mode for the interface or group.

Note
In systems with redundant MSFC2s, the PIM interface configuration must be the same on both the active and the redundant MSFC2.

Configuring CEF for PFC2
These sections describe how to configure CEF for PFC2:
• Displaying Layer 3-Switching Entries on the Supervisor Engine, page 13-xii
• Configuring CEF on the MSFC2, page 13-xiv
• Configuring IP Multicast on the MSFC2, page 13-xiv
• Displaying IP Multicast Information, page 13-xvi

Note
For information on configuring routing on the MSFC2, see Chapter 12, “Configuring InterVLAN Routing.”

Displaying Layer 3-Switching Entries on the Supervisor Engine
CEF for PFC2 is permanently enabled on Supervisor Engine 2 with the PFC2 and the MSFC2. No configuration is required.

To display all the Layer 3-switching entries on the supervisor engine, perform this task:

Task                                      Command
Display Layer 3-switching information.    show mls entry [cef] | [netflow-route]

This example shows how to display the Layer 3-switching entries:
Console> (enable) show mls entry
[Tabular output not recoverable from the extraction. Columns shown: Mod, FIB-Type, Destination-IP, Destination-Mask, NextHop-IP, Weight, Destination-Mac, Vlan, EDst, Stat-Pkts; then Destination-IP, Source-IP, Prot, DstPrt, SrcPrt, Stat-Bytes, Uptime, Age, TcpDltSeq, TcpDltAck; then Mod, FIB-Type, Dest-IPX-net, NextHop-IPX, Weight.]
Console> (enable)

Enter the show mls entry cef command to display only the FIB entries. Enter the show mls entry netflow-route command to display only the entries from the TCP intercept feature and reflexive access control lists (ACLs).

page 13-xiv Enabling IP PIM on an MSFC2 Interface. Command Router(config)# ip multicast-routing This example shows how to enable IP multicast routing globally: Router(config)# ip multicast-routing Router(config)# Catalyst 6000 Family Software Configuration Guide—Releases 6. and ip cef accounting non-recursive IOS CEF commands on the MSFC2 apply only to traffic that is CEF-switched on the MSFC. No configuration is required to support CEF for PFC2. perform this task in global configuration mode: Task Enable IP multicast routing globally.htm Enabling IP Multicast Routing Globally You must enable IP multicast routing globally on the MSFC2 before you can enable PIM on MSFC interfaces. ip cef accounting per-prefix.4 13-14 78-13315-02 .Chapter 13 Configuring CEF for PFC2 Configuring CEF for PFC2 Configuring CEF on the MSFC2 CEF is permanently enabled on the MSFC2. refer to the “IP Multicast” section of the Cisco IOS IP and IP Routing Configuration Guide at http://www.3 and 6. Configuring IP Multicast on the MSFC2 These sections describe how to configure the MSFC2 for IP multicast: • • • • Enabling IP Multicast Routing Globally. page 13-xv Note This section describes how to enable IP multicast routing on the MSFC2.cisco. page 13-xv Configuring the IP MMLS Global Threshold. Note The ip load-sharing per-packet. To enable IP multicast routing globally on the MSFC2. For more detailed IP multicast configuration information. page 13-xv Enabling IP MMLS on MSFC Interfaces. The commands do not affect traffic that is switched by CEF for PFC2 on the supervisor engine.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt3/index.

To enable IP PIM on an MSFC2 interface. such as join requests. clear the route and let it reestablish. perform this task in interface configuration mode: Task Enable IP PIM on an MSFC2 interface. specified in packets per second.Chapter 13 Configuring CEF for PFC2 Configuring CEF for PFC2 Enabling IP PIM on an MSFC2 Interface You must enable PIM on MSFC2 interfaces before IP multicast will function on those interfaces. below which all multicast traffic is routed by the MSFC. Note This command does not affect flows that are already being routed.3 and 6. Note You must enable IP PIM on all participating MSFC interfaces before IP MMLS will function. perform this task: Task Configure the IP MMLS threshold. Command Router(config)# [no] mls ip multicast threshold ppsec This example shows how to configure the IP MMLS threshold to 10 packets per second: Router(config)# mls ip multicast threshold 10 Router(config)# Use the no keyword to deconfigure the threshold. Perform this task only if you disabled IP MMLS on the interface and you want to reenable it. Command Router(config-if)# ip pim {dense-mode | sparse-mode | sparse-dense-mode} This example shows how to enable PIM on an MSFC2 interface using the default mode (sparse-dense-mode): Router(config-if)# ip pim Router(config-if)# This example shows how to enable PIM sparse mode on an MSFC2 interface: Router(config-if)# ip pim sparse-mode Router(config-if)# Configuring the IP MMLS Global Threshold You can configure a global multicast rate threshold.4 78-13315-02 13-15 . This prevents creation of MLS entries for short-lived multicast flows. To apply the threshold to existing routes. For information on configuring IP PIM on MSFC interfaces. Catalyst 6000 Family Software Configuration Guide—Releases 6. Enabling IP MMLS on MSFC Interfaces IP MMLS is enabled by default on the MSFC interface when you enable IP PIM on the interface. see the “Enabling IP PIM on an MSFC2 Interface” section on page 13-xv. 
To configure the IP MMLS threshold.

page 13-xx Displaying IP Multicast Information on the MSFC2 These sections describe displaying IP multicast information on the MSFC2: • • • • • Displaying IP MMLS Interface Information. page 13-xix Displaying IP MMLS Interface Information The show ip pim interface count command displays the IP MMLS enable state on MSFC IP PIM interfaces and the number of packets received and sent on the interface.3 and 6. The show ip interface command displays the IP MMLS enable state on an MSFC interface. page 13-xvii Using Debug Commands. To display IP MMLS information for an IP PIM MSFC interface. page 13-xvi Displaying IP Multicast Information on the Supervisor Engine. Command Router(config-if)# [no] mls ip multicast This example shows how to enable IP MMLS on an MSFC interface: Router(config-if)# mls ip multicast Router(config-if)# Use the no keyword to disable IP MMLS on an MSFC interface. perform this task: Task Enable IP MMLS on an MSFC interface. Displaying IP Multicast Information These sections describe how to display IP multicast information: • • Displaying IP Multicast Information on the MSFC2. Command Router# show ip pim interface [type number] count Router# show ip interface Catalyst 6000 Family Software Configuration Guide—Releases 6. page 13-xvii Displaying IP Multicast Details. page 13-xvi Displaying the IP Multicast Routing Table.Chapter 13 Configuring CEF for PFC2 Configuring CEF for PFC2 To enable IP MMLS on an MSFC interface. Display the IP MMLS interface enable state. page 13-xix Using Debug Commands on the SCP.4 13-16 78-13315-02 . perform one of these tasks: Task Display IP MMLS interface information.

T . 00:00:19/00:02:41. To display the IP multicast routing table. H (22.Dense.1). 04:04:59/00:02:59. H Displaying IP Multicast Details The show mls ip multicast command displays detailed information about IP MMLS. L .252.0.252.2 Outgoing interface list: Vlan10. RP 80. 01:29:57/00:00:00.RP-bit set.1.Connected.1).0.1.2.0. Command Router# show mls ip multicast group group-address [interface type number | statistics] Router# show mls ip multicast interface type number [statistics | summary] Router# show mls ip multicast summary Router# show mls ip multicast statistics Router# show mls ip multicast source ip-address [interface type number | statistics] Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6. flags:JT Incoming interface:Vlan800. C .Local.Sparse. Forward/Dense.252.10. J .MSDP created entry. P . Command Router# show ip mroute [group[source]] | [summary] | [count] | [active kbps] This example shows how to display the IP multicast routing table: Router# show ip mroute 239. Forward/Dense. perform this task: Task Display the IP multicast routing table. RPF-MFD Outgoing interface list: Vlan10.4 78-13315-02 13-17 .Pruned R .Proxy Join Timer Running A . Display a summary of IP MMLS information.Hardware switched Timers:Uptime/Expires Interface state:Interface.Chapter 13 Configuring CEF for PFC2 Configuring CEF for PFC2 Displaying the IP Multicast Routing Table The show ip mroute command displays the IP multicast routing table on the MSFC2. 239. RPF nbr 80.Join SPT M . Display IP MMLS details for all interfaces. To display detailed MMLS information on the MSFC.0.0. Next-Hop or VCD. Display IP MMLS source information. RPF nbr 80.Register flag.SPT-bit set. 00:00:19/00:00:00. State/Mode (*.0. perform one of these tasks: Task Display IP MMLS group information. F .1. flags:SJ Incoming interface:Vlan800. 239.1 IP Multicast Routing Table Flags:D .0.2. X .Advertised via MSDP Outgoing interface flags:H . Display IP MMLS statistics. S .0.

3 and 6. 224.123.1.1. 224.9bfd. Packets switched: 61590 Hardware switched outgoing interfaces: Vlan20 Vlan9 RFD-MFD installed: Vlan13 (1.1. Router IP:1.1.1.3.12.9.12.1) Incoming interface: Vlan12.4 13-18 78-13315-02 .1.12.1.1.234 MLS multicast operating state:ACTIVE Maximum number of allowed outstanding messages:1 Maximum size reached from feQ:1 Feature Notification sent:5 Feature Notification Ack received:4 Unsolicited Feature Notification received:0 MSM sent:33 MSM ACK received:33 Delete notifications received:1 Flow Statistics messages received:248 MLS Multicast statistics: Flow install Ack:9 Flow install Nack:0 Flow update Ack:2 Flow update Nack:0 Flow delete Ack:0 Complete flow install Ack:10 Complete flow install Nack:0 Complete flow delete Ack:1 Input VLAN delete Ack:4 Output VLAN delete Ack:0 Group delete sent:0 Group delete Ack:0 Global delete sent:7 Global delete Ack:7 L2 entry not found error:0 Generic error :3 LTL entry not found error:0 MET entry not found error:0 L3 entry exists error :0 Hash collision error :0 L3 entry not found error:0 Complete flow exists error :0 This example shows how to display information on a specific IP MMLS entry on the MSFC: Router# show mls ip multicast 224.Chapter 13 Configuring CEF for PFC2 Configuring CEF for PFC2 This example shows how to display IP MMLS statistics on the MSFC: Router# show mls ip multicast statistics MLS Multicast configuration and state: Router Mac:0050. 224.1.1.3. Packets switched: 61980 Hardware switched outgoing interfaces: Vlan20 Vlan9 RFD-MFD installed: Vlan12 Catalyst 6000 Family Software Configuration Guide—Releases 6.1.1 Multicast hardware switched flows: (1.1. Packets switched: 62010 Hardware switched outgoing interfaces: Vlan20 Vlan9 RFD-MFD installed: Vlan12 (1.1.1) Incoming interface: Vlan9. Packets switched: 0 Hardware switched outgoing interfaces: Vlan20 RFD-MFD installed: Vlan9 (1.13.1.1) Incoming interface: Vlan12.1.0f2d.1) Incoming interface: Vlan13. 224.1.

Chapter 13 Configuring CEF for PFC2 Configuring CEF for PFC2 (1. Packets switched: 62430 Hardware switched outgoing interfaces: Vlan20 Vlan9 RFD-MFD installed: Vlan11 (1.3 and 6. Turns on all MDSS messages. Packets switched: 62430 Hardware switched outgoing interfaces: Vlan20 Vlan9 RFD-MFD installed: Vlan11 Total hardware switched installed: 6 Router# This example shows how to display a summary of IP MMLS information on the MSFC: Router# show mls ip multicast summary 7 MMLS entries using 560 bytes of memory Number of partial hardware-switched flows:2 Number of complete hardware-switched flows:5 Router# Using Debug Commands Table 3 describes IP MMLS-related debug troubleshooting commands.4 78-13315-02 13-19 . Catalyst 6000 Family Software Configuration Guide—Releases 6.1. Table 13-3 IP MMLS Debug Commands Command Description [no] debug mls ip multicast group group_id group_mask Configures filtering that applies to all other multicast debugging commands.1. 224.3.1.1. [no] debug mls ip multicast events [no] debug mls ip multicast errors [no] debug mls ip multicast messages [no] debug mls ip multicast all [no] debug mdss error [no] debug mdss events [no] debug mdss all 1. MDSS = Multicast Distributed Switching Services Displays IP MMLS events. Displays IP MMLS messages from/to the hardware switching engine. Displays packet data in and out of the SCP system. Table 13-4 SCP Debug Commands Command [no] debug scp async [no] debug scp data [no] debug scp errors [no] debug scp packets Description Displays trace for asynchronous data in and out of the SCP system.1) Incoming interface: Vlan11.11.1) Incoming interface: Vlan11. Displays errors and warnings in the SCP. 224. Turns on debug messages for multicast MLS-related errors. Turns on MDSS-related events.1. Using Debug Commands on the SCP Table 4 describes the Serial Control Protocol (SCP)-related debug commands to troubleshoot the SCP that runs over the Ethernet out-of-band channel (EOBC).1. Turns on MDSS1 error messages. 
Turns on all IP MMLS messages.1.11. Shows packet data trace.

9.252 ? 00-10-29-8d-88-01 Transmit: Delete Notifications: Acknowledgements: Flow Statistics: 22 75 22 Catalyst 6000 Family Software Configuration Guide—Releases 6.1. perform this task: Task Display IP multicast statistics. page 13-xxi Displaying IP Multicast Entries. page 13-xxi Displaying IP Multicast Statistics The show mls multicast statistics command displays IP multicast statistics. Displaying IP Multicast Information on the Supervisor Engine These sections describe how to display IP multicast information: • • • Displaying IP Multicast Statistics. Turns on all SCP debugging messages. page 13-xx Clearing IP Multicast Statistics.5.1. To display IP multicast statistics.4 13-20 78-13315-02 . Command show mls multicast statistics [ip_addr] This example shows how to display IP multicast statistics for the MSFC2: Console (enable) show mls multicast statistics Router IP Router Name Router MAC ------------------------------------------------------1.Chapter 13 Configuring CEF for PFC2 Configuring CEF for PFC2 Table 13-4 SCP Debug Commands (continued) Command [no] debug scp timeouts [no] debug scp all Description Reports timeouts.3 and 6.254 ? 00-50-0f-06-3c-a0 Transmit: Delete Notifications: Acknowledgements: Flow Statistics: 23 92 56 Receive: Open Connection Requests: 1 Keep Alive Messages: 72 Shortcut Messages: 19 Shortcut Install TLV: 8 Selective Delete TLV: 4 Group Delete TLV: 0 Update TLV: 3 Input VLAN Delete TLV: 0 Output VLAN Delete TLV: 0 Global Delete TLV: 0 MFD Install TLV: 7 MFD Delete TLV: 0 Router IP Router Name Router MAC ------------------------------------------------------1.

---------.13. Command clear mls multicast statistics This example shows how to clear IP multicast statistics: Console> (enable) clear mls multicast statistics All statistics for the MLS routers in include list are cleared.1.----------.1.1.1 224. the multicast group address.1 224.11.254 1.1.254 1.1 15870 473220 15759 473670 15810 473220 15840 2761380 82340280 2742066 82418580 2750940 82340280 2756160 20 12 20 11 20 12 20 Catalyst 6000 Family Software Configuration Guide—Releases 6.1. perform this task in privileged mode: Task Display information about IP multicast entries.1.254 1.1.1.-------1.1.5.1.252 224.11.1 1.1.------.5.3 1.1.12.3 1.1 1. Console> (enable) Displaying IP Multicast Entries The show mls multicast entry command displays a variety of information about the multicast flows being handled by the PFC.--------------.1.1.12.9.9.1.5.1.3 and 6. To display information about IP multicast entries.252 1.4 78-13315-02 13-21 .1.1.12. You can display entries based on any combination of the participating MSFC2.1.1 224.1 224.1 1.1 224.1.1.252 1.1.Chapter 13 Configuring CEF for PFC2 Configuring CEF for PFC2 Receive: Open Connection Requests: Keep Alive Messages: Shortcut Messages: Shortcut Install TLV: Selective Delete TLV: Group Delete TLV: Update TLV: Input VLAN Delete TLV: Output VLAN Delete TLV: Global Delete TLV: MFD Install TLV: MFD Delete TLV: Console (enable) 1 68 6 4 2 0 0 0 0 0 4 0 Clearing IP Multicast Statistics The clear mls multicast statistics command clears IP multicast statistics.252 1. To clear IP multicast statistics.--------------.11.1 224.1. or the multicast traffic source. Command show mls multicast entry [[[mod] [vlan vlan_id] [group ip_addr] [source ip_addr]] | [all]] This example shows how to display all IP multicast entries: Console> (enable) show mls multicast entry all Router IP Dest IP Source IP Pkts Bytes InVlan OutVlans --------------. the VLAN. perform this task in privileged mode: Task Clear IP multicast statistics.1.1.1 1.9.5.1.1.1.3 1.

1.20.0.1 short Router IP Dest IP Source IP Pkts Bytes InVlan OutVlans --------------.1.1.1 1.1 Total Entries: 5 Console> (enable) 1.1.1.1.2.6 1.1.3 and 6.25 172.-------1.------.49.9 12 25 3120 8.2.20 This example shows how to display IP multicast entries for a specific MSFC2 and a specific multicast source address: Console> (enable) show mls multicast entry 15 source 1.159 224.Chapter 13 Configuring NetFlow Statistics Configuring CEF for PFC2 1.1.1.3 472770 15840 473667 82261980 2756160 82418058 13 20 11 This example shows how to display IP multicast entries for a specific MSFC2: Console> (enable) show mls multicast entry 15 Router IP Dest IP Source IP Pkts Bytes InVlan OutVlans --------------. page 13-xxiii Specifying NetFlow Table IP Entry Fast Aging Time and Packet Threshold Values.1.22.1.--------172.5.---------.1 226. page 13-xxiv Setting the Minimum Statistics Flow Mask.1.2.1 1.9.1 1.20.1.1.1.2 99 65142 22 30.49.---------172.1.1 226.3 1.1.8 1.20.69.1 1.159 224.1 1.40.1.13.254 224.252 224.-----.1.1.69. page 13-xxvi Displaying NetFlow Statistics Debug Information. page 13-xxv Clearing NetFlow IP and IPX Statistics.3 1.252 224.---------.5.------------------------.19 Console> (enable) Configuring NetFlow Statistics These sections describe how to configure NetFlow statistics: • • • • • • • Specifying the NetFlow Table Entry Aging-Time Value.37 172.--------------.5.2 396 235620 22 13.8 20 171 23512 10.252 224.1.12.1.12.-----.1.5. page 13-xxviii Catalyst 6000 Family Software Configuration Guide—Releases 6.1 Total Entries: 10 Console> (enable) 1.1.3.4 13-22 78-13315-02 .--------.11.1.1.11.1.1.1.4.1.1. page 13-xxiv Excluding IP Protocol Entries from the NetFlow Table.0.5.1.1.--------------. 
page 13-xxv Displaying NetFlow Statistics.1 1.1.3 171.11.22.254 224.4 368 57776 40 23.22.49.252 224.1.--------------.--------------.1 1.1 1.13.1.1.1.1.1.1.9.----------.252 224.11.0.1.1.1.3 Total Entries: 2 Console> (enable) multicast entry group 226.252 224.201.1 1.5.71 1.1 15870 15759 15810 15840 15840 2761380 2742066 2750940 2756160 2756160 20 20 20 20 20 This example shows how to display IP multicast entries for a specific multicast group address: Console> (enable) show mls Router IP Dest IP -------------.159 224.45 172.1.1 1.12.----------171.3.3 short Source IP InVlan Pkts Bytes OutVlans -----------.

3 and 6. Command set mls agingtime [agingtime] This example shows how to specify the entry aging time: Console> (enable) set mls agingtime 512 Multilayer switching agingtime IP and IPX set to 512 Console> (enable) To specify the IP entry aging time. perform this task in privileged mode: Task Specify the IP entry aging time for the NetFlow table. perform this task in privileged mode: Task Command Specify the IPX entry aging time for the NetFlow set mls agingtime ipx [agingtime] table. Any aging-time value that is not a multiple of 8 seconds is adjusted to the closest multiple of 8 seconds. You can specify the aging time in the range of 8 to 2032 seconds in 8-second increments. Command set mls agingtime ip [agingtime] This example shows how to specify the IP entry aging time: Console> (enable) set mls agingtime ip 512 Multilayer switching aging time IP set to 512 Console> (enable) To specify the IPX entry aging time. The default is 256 seconds. a value of 65 is adjusted to 64 and a value of 127 is adjusted to 128. For example. To specify the entry aging time for both IP and IPX. perform this task in privileged mode: Task Specify the aging time for NetFlow table entries. Any entry that has not been used for agingtime seconds is aged out.Chapter 13 Configuring CEF for PFC2 Configuring NetFlow Statistics Specifying the NetFlow Table Entry Aging-Time Value The entry aging time for each protocol (IP and IPX) applies to all protocol-specific NetFlow table entries.4 78-13315-02 13-23 . This example shows how to specify the IPX entry aging time: Console> (enable) set mls agingtime ipx 512 Multilayer switching aging time IPX set to 512 Console> (enable) Catalyst 6000 Family Software Configuration Guide—Releases 6.

The default fastagingtime value is 0 (no fast aging). You can configure the fastagingtime value to 32. 96.Chapter 13 Configuring NetFlow Statistics Configuring CEF for PFC2 Specifying NetFlow Table IP Entry Fast Aging Time and Packet Threshold Values Note IPX entries do not use fast aging. Catalyst 6000 Family Software Configuration Guide—Releases 6. perform this task in privileged mode: Task Specify the IP entry fast aging time and packet threshold for a NetFlow table entry. Console> (enable) Setting the Minimum Statistics Flow Mask You can set the minimum granularity of the flow mask for the NetFlow table. If the NetFlow table continues to remain full. 64. decrease the normal IP entry aging time. initially set the value to 128 seconds. Any fastagingtime value that is not configured exactly as the indicated values is adjusted to the closest one. decrease the setting. The actual flow mask used will be at least of the granularity specified by this command. see the “Flow Masks” section on page 13-x. To specify the IP entry fast aging time and packet threshold. 31. the entry might never be used again after it is created. To minimize the size of the NetFlow table. If you need to enable IP entry fast aging time. 3. or 63 packets. 1. The IP entry fast aging time applies to NetFlow table entries that have no more than pkt_threshold packets routed within fastagingtime seconds after they are created. enable IP entry fast aging time. If the NetFlow table remains full. Note Entering a set mls flow command purges all existing entries in the NetFlow table. A typical NetFlow table entry that is removed is the entry for flows to and from a Domain Name Server (DNS) or TFTP server. 15.3 and 6.4 13-24 78-13315-02 . Detecting and aging out these entries saves space in the NetFlow table for other data traffic. or 128 seconds. For information on how the different flow masks work. 7. 
Typical values for fastagingtime and pkt_threshold are 32 seconds and 0 packets (no packets switched within 32 seconds after the entry is created). Command set mls agingtime fast [fastagingtime] [pkt_threshold] This example shows how to set the IP entry fast aging time to 32 seconds with a packet threshold of 0 packets: Console> (enable) set mls agingtime fast 32 0 Multilayer switching fast aging time set to 32 seconds for entries with no more than 0 packets switched. You can configure the pkt_threshold value to 0.

Console> (enable) Displaying NetFlow Statistics Note To display the forwarding decision entries. or www. perform this task in privileged mode: Task Display all NetFlow table entries and statistics. smtp.3 and 6. perform this task in privileged mode: Task Exclude IP protocols from the NetFlow table. enter the show mls entry cef command (see the “Displaying Layer 3-Switching Entries on the Supervisor Engine” section on page 13-xii. telnet. Command set mls exclude protocol {tcp | upd | both} port The port parameter can be a port number or a keyword: dns.Chapter 13 Configuring CEF for PFC2 Configuring NetFlow Statistics To set the minimum NetFlow statistics flow mask.) To display a summary of NetFlow table entries and statistics. To exclude IP protocols from the NetFlow table. x (X-Windows).4 78-13315-02 13-25 . perform this task in privileged mode: Task Set the minimum statistics flow mask. Note: MLS exclusion only works in full flow mode. This example shows how to exclude Telnet traffic from the NetFlow table: Console> (enable) set mls exclude protocol tcp telnet NetFlow table will not create entries for TCP packets with protocol port 23. Console> (enable) Excluding IP Protocol Entries from the NetFlow Table You can configure the NetFlow table to exclude specified IP protocols. ftp. Command set mls flow {destination | destination-source | full} This example shows how to set the minimum statistics flow mask to destination-source-ip: Console> (enable) set mls flow destination-source Configured IP flow mask is set to destination-source flow. Command show mls This example shows how to display all NetFlow table entries: Console> (enable) show mls show mls ======= Total packets switched = 2 Total bytes switched = 112 Total routes = 48 Catalyst 6000 Family Software Configuration Guide—Releases 6.

20.4 13-26 78-13315-02 . the protocol. page 13-xxviii Note The clear mls commands affect only statistics. If the protocol specified is not TCP or UDP.20. Specify the destination address.14 Last Used Destination IP Source IP Prot DstPrt SrcPrt Stat-Pkts Stat-Bytes --------------. source address.--------.25. and source and destination ports to see the statistics for a specific NetFlow table entry.-----.0.----------------------42 00-00-0c-07-ac-00 Console> The show mls statistics entry command can display all statistics or statistics for specific NetFlow table entries. perform this task in privileged mode: Task Display statistics for NetFlow table entries.14 172. Catalyst 6000 Family Software Configuration Guide—Releases 6. If you do not specify a NetFlow table entry. Command show mls statistics entry [ip | ipx | uptime] [destination ip_addr_spec] [source ip_addr_spec] [flow protocol src_port dst_port] This example shows how to display NetFlow statistics for a particular NetFlow table entry: Console> show mls statistics entry ip destination 172.--------------. page 13-xxvii Clearing NetFlow IP Statistics. set the src_port and dst_prt to 0 or no NetFlow statistics will display.3 and 6.20.----------MSFC 127. page 13-xxviii Clearing NetFlow Statistics Totals. page 13-xxvii Clearing NetFlow IPX Statistics. None of the clear mls commands affect forwarding entries or the NetFlow table entries that correspond to the forwarding entries. A value of zero (0) for src_port or dst_port is treated as a wildcard.0. Total packets exported = 0 IPX statistics flows aging time = 256 seconds IPX flow mask is Destination flow IPX max hop is 15 Module 15:Physical MAC-Address 00-50-3e-a9-ab-fc Vlan Virtual MAC-Address(es) ---.10 6 50648 80 3152 347854 Console> Clearing NetFlow IP and IPX Statistics These sections describe clearing NetFlow statistics: • • • • Clearing All NetFlow Statistics. and all NetFlow statistics are displayed (unspecified options are treated as wildcards).22. 
packet threshold = 0 IP Current flow mask is Full flow Netflow Data Export version:7 Netflow Data Export disabled Netflow Data Export port/host is not configured. all NetFlow statistics are shown.---.-----.22.12: 172. and for IP. To display statistics for NetFlow table entries.Chapter 13 Configuring NetFlow Statistics Configuring CEF for PFC2 IP statistics flows aging time = 256 seconds IP statistics flows fast aging time = 0 seconds.

22. perform this task in privileged mode: Task Clear all NetFlow statistics.26. and TCP destination port 23: Console> (enable) clear mls statistics entry destination 172. Use the all keyword to clear all NetFlow IP statistics. specify the source and destination TCP or UDP port numbers. For other protocols. A value of zero (0) for src_port or dst_port is treated as a wildcard (unspecified options are treated as wildcards). The destination and source keywords specify the source and destination IP addresses.22 MLS IP entry cleared Console> (enable) This example shows how to clear statistics for NetFlow table entries with destination IP address 172. The destination and source ip_addr_spec can be a full IP address or a subnet address in the format ip_subnet_addr. A value of zero (0) for protocol is treated as a wildcard (unspecified options are treated as wildcards).Chapter 13 Configuring CEF for PFC2 Configuring NetFlow Statistics Clearing All NetFlow Statistics To clear all NetFlow IP and IPX statistics. Console> (enable) Clearing NetFlow IP Statistics The clear mls statistics entry ip command clears NetFlow IP statistics. or no entries will clear.22 source 172.20.113 flow tcp 1652 23 MLS IP entry cleared Console> (enable) Catalyst 6000 Family Software Configuration Guide—Releases 6. The flow keyword specifies the following additional flow information: • Protocol family (protocol)—Specify tcp.4 78-13315-02 13-27 . perform this task in privileged mode: Task Clear statistics for a NetFlow table IP entry. set the src_port and dst_port to 0. TCP source port 1652.3 and 6. icmp.20. • To clear statistics for a NetFlow table IP entry.22: Console> (enable) clear mls statistics entry ip destination 172. Command clear mls statistics entry ip [destination ip_addr_spec] [source ip_addr_spec] [flow protocol src_port dst_port] [all] This example shows how to clear statistics for NetFlow table entries with destination IP address 172. ip_addr/subnet_mask.20. 
or ip_addr/subnet_mask_bits.20.113.26.20. TCP or UDP source and destination port numbers (src_port and dst_port)—If the protocol you specify is TCP or UDP.26. udp. or a decimal number for other protocol families.22. Command clear mls statistics entry all This example shows how to clear all NetFlow statistics: Console> (enable) clear mls statistics entry all All MLS IP and IPX entries cleared.

perform this task in privileged mode: Task Clear statistics for a NetFlow table IPX entry.0002. Command clear mls statistics entry ipx [destination ipx_addr_spec] [source ipx_addr_spec] [all] This example shows how to clear statistics for IPX MLS entries with destination IPX address 1. perform this task: Task Display NetFlow statistics debug information that you can send to your technical support representative.6000: Console> (enable) clear mls statistics entry ipx destination 1.6000 MLS IPX entry cleared.00e0. To display NetFlow statistics debug information. Command clear mls statistics This example shows how to clear NetFlow statistics totals: Console> (enable) clear mls statistics All mls statistics cleared.fefc. Use application-specific commands to get more information about particular applications. Command show mls debug Note The show tech-support command displays supervisor engine system information.00e0. Console> (enable) Clearing NetFlow Statistics Totals The clear mls statistics command clears the following NetFlow statistics: • • Total packets switched (IP and IPX) Total packets exported (for NDE) To clear NetFlow statistic totals. The destination and source keywords specify the source and destination IPX addresses. To clear statistics for a NetFlow table IPX entry. perform this task in privileged mode: Task Clear NetFlow statistics totals. Use the all keyword to clear all NetFlow IPX statistics.4 13-28 78-13315-02 . Catalyst 6000 Family Software Configuration Guide—Releases 6.0002.3 and 6.Chapter 13 Configuring NetFlow Statistics Configuring CEF for PFC2 Clearing NetFlow IPX Statistics The clear mls statistics entry ipx command clears NetFlow IPX statistics. Console> (enable) Displaying NetFlow Statistics Debug Information The show mls debug command displays NetFlow statistics debug information that you can send to your technical support representative for analysis if necessary.fefc.

Chapter 14  Configuring MLS

This chapter describes how to configure Multilayer Switching (MLS) for the Catalyst 6000 family switches.

Note Supervisor Engine 2, PFC2, and MSFC2 provide Layer 3 switching with Cisco Express Forwarding for PFC2 (CEF for PFC2). See Chapter 13, “Configuring CEF for PFC2,” for more information.

Note For complete information on the syntax and usage information for the supervisor engine commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:
• Understanding How Layer 3 Switching Works, page 14-i
• Default MLS Configuration, page 14-x
• Configuration Guidelines and Restrictions, page 14-xi
• Configuring MLS, page 14-xiv

Understanding How Layer 3 Switching Works

Layer 3 switching allows the switch, instead of a router, to forward IP and IPX unicast traffic and IP multicast traffic between VLANs. Layer 3 switching is implemented in hardware and provides wire-speed interVLAN forwarding on the switch, rather than on the MSFC. Layer 3 switching requires minimal support from the MSFC. The MSFC routes any traffic that cannot be Layer 3 switched.

Layer 3 switching on Catalyst 6000 family switches provides traffic statistics that you can use to identify traffic characteristics for administration, planning, and troubleshooting. Layer 3 switching uses NetFlow Data Export (NDE) to export flow statistics (for more information about NDE, see Chapter 15, “Configuring NDE”).

MLS provides IP and Internetwork Packet Exchange (IPX) unicast Layer 3 switching and IP multicast Layer 3 switching with Supervisor Engine 1, the Policy Feature Card (PFC), and the Multilayer Switch Feature Card (MSFC) or MSFC2. Layer 3 switching uses IP Protocol Independent Multicast (IP PIM) for multicast route determination.

Note Layer 3 switching supports the routing protocols configured on the MSFC. Layer 3 switching does not replace the routing protocols configured on the MSFC.

These sections describe Layer 3 switching and MLS on the Catalyst 6000 family switches:
• Understanding Layer 3-Switched Packet Rewrite, page 14-ii
• Understanding MLS, page 14-iv

Understanding Layer 3-Switched Packet Rewrite

When a packet is Layer 3 switched from a source in one VLAN to a destination in another VLAN, the switch performs a packet rewrite at the egress port based on information learned from the MSFC so that the packets appear to have been routed by the MSFC.

If Source A and Destination B are on different VLANs and Source A sends a packet to the MSFC to be routed to Destination B, the switch recognizes that the packet was sent to the Layer 2 (MAC) address of the MSFC. To perform Layer 3 switching, the switch rewrites the Layer 2 frame header, changing the Layer 2 destination address to the Layer 2 address of Destination B and the Layer 2 source address to the Layer 2 address of the MSFC. The Layer 3 addresses remain the same.

In IP unicast and IP multicast traffic, the switch decrements the Layer 3 Time to Live (TTL) value by 1 and recomputes the Layer 3 packet checksum. In IPX traffic, the switch increments the Layer 3 Transport Control value by 1 and recomputes the Layer 3 packet checksum. The switch recomputes the Layer 2 frame checksum and forwards (or for multicast packets, replicates as necessary) the rewritten packet to Destination B’s VLAN.

Note Rather than just forwarding multicast packets, the switch replicates them as necessary on the appropriate VLANs.

Packet rewrite alters five fields:
• Layer 2 (MAC) destination address
• Layer 2 (MAC) source address
• Layer 3 IP Time to Live (TTL) or IPX Transport Control
• Layer 3 checksum
• Layer 2 (MAC) checksum (also called the frame checksum or FCS)

These sections describe how the packets are rewritten:
• Understanding IP Unicast Rewrite, page 14-ii
• Understanding IPX Unicast Rewrite, page 14-iii
• Understanding IP Multicast Rewrite, page 14-iii

Understanding IP Unicast Rewrite

Received IP unicast packets are (conceptually) formatted as follows:

Layer 2 Frame Header
  Destination: MSFC MAC
  Source:      Source A MAC
Layer 3 IP Header
  Destination: Destination B IP
  Source:      Source A IP
  TTL:         n
  Checksum:    calculation1
Data
FCS

After the switch rewrites an IP unicast packet, it is (conceptually) formatted as follows:

Layer 2 Frame Header
  Destination: Destination B MAC
  Source:      MSFC MAC
Layer 3 IP Header
  Destination: Destination B IP
  Source:      Source A IP
  TTL:         n–1
  Checksum:    calculation2
Data
FCS

Understanding IPX Unicast Rewrite

Received IPX packets are (conceptually) formatted as follows:

Layer 2 Frame Header
  Destination: MSFC MAC
  Source:      Source A MAC
Layer 3 IPX Header
  Checksum/IPX Length/Transport Control: n
  Destination Net/Node/Socket:           Destination B IPX
  Source Net/Node/Socket:                Source A IPX
Data
FCS

After the switch rewrites an IPX packet, it is (conceptually) formatted as follows:

Layer 2 Frame Header
  Destination: Destination B MAC
  Source:      MSFC MAC
Layer 3 IPX Header
  Checksum/IPX Length/Transport Control: n+1
  Destination Net/Node/Socket:           Destination B IPX
  Source Net/Node/Socket:                Source A IPX
Data
FCS

Understanding IP Multicast Rewrite

Received IP multicast packets are (conceptually) formatted as follows:

Layer 2 Frame Header
  Destination: Group G1 MAC (1)
  Source:      Source A MAC
Layer 3 IP Header
  Destination: Group G1 IP
  Source:      Source A IP
  TTL:         n
  Checksum:    calculation1
Data
FCS

1. In this example, Destination B is a member of Group G1.

After the switch rewrites an IP multicast packet, it is (conceptually) formatted as follows:

Layer 2 Frame Header
  Destination: Group G1 MAC
  Source:      MSFC MAC
Layer 3 IP Header
  Destination: Group G1 IP
  Source:      Source A IP
  TTL:         n–1
  Checksum:    calculation2
Data
FCS
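The five-field rewrite described in these sections, carried out on constructed frames as an added Python example (this is not Cisco code and not part of the guide). The MAC addresses, IPX node numbers and payloads are constructed sample values; the IP addresses are those of Host A and Host C in the IP MLS example topology later in this chapter. The check that refuses a packet whose TTL would expire, and the IPX hop limit of 16, are assumptions about where such packets are left to the MSFC rather than rules stated here.

```python
"""Layer 3-switched packet rewrite, modelled in Python (added example, not Cisco code)."""
import struct
import zlib

ETHERTYPE_IP = 0x0800
ETHERTYPE_IPX = 0x8137            # Ethernet II encapsulation of IPX

# Constructed sample MAC addresses (not from the guide).
SRC_A_MAC = bytes.fromhex("00aa00000001")
MSFC_MAC = bytes.fromhex("00dd00000001")
DST_B_MAC = bytes.fromhex("00bb00000001")


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def fcs(body: bytes) -> bytes:
    """Ethernet frame check sequence: CRC-32 over the frame, least significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ip_frame(dst_mac, src_mac, src_ip, dst_ip, ttl, payload):
    """Ethernet II frame carrying a 20-byte IPv4 header (protocol 17, no options)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                                ttl, 17, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip)))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))          # calculation1
    body = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IP) + bytes(hdr) + payload
    return body + fcs(body)


def rewrite_ip_unicast(frame, dst_b_mac, msfc_mac):
    """Rewrite one IP unicast frame the way the PFC does for a cached flow."""
    body, old_fcs = frame[:-4], frame[-4:]
    if old_fcs != fcs(body):
        raise ValueError("FCS mismatch: frame is corrupt")
    if struct.unpack("!H", body[12:14])[0] != ETHERTYPE_IP:
        raise ValueError("not an IPv4 frame")
    ihl = (body[14] & 0x0F) * 4
    hdr = bytearray(body[14:14 + ihl])
    if ip_checksum(bytes(hdr)) != 0:
        raise ValueError("IP header checksum invalid")
    if hdr[8] <= 1:
        # Assumption: a packet whose TTL would expire is not Layer 3 switched
        # but left to the MSFC, which routes anything the PFC cannot.
        raise ValueError("TTL expired: hand the packet to the MSFC")
    hdr[8] -= 1                                                      # TTL n -> n-1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))          # calculation2
    # Layer 2 rewrite: destination = Destination B, source = MSFC; Layer 3 addresses untouched.
    new_body = dst_b_mac + msfc_mac + body[12:14] + bytes(hdr) + body[14 + ihl:]
    return new_body + fcs(new_body)                                  # new FCS


def build_ipx_frame(dst_mac, src_mac, src_addr, dst_addr, transport_control, payload):
    """Ethernet II frame carrying a 30-byte IPX header. Addresses are (net, node, socket)."""
    # Checksum 0xFFFF means "no checksum"; packet type 4 is PEP.
    hdr = struct.pack("!HHBB", 0xFFFF, 30 + len(payload), transport_control, 4)
    for net, node, socket in (dst_addr, src_addr):
        hdr += struct.pack("!I6sH", net, node, socket)
    body = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPX) + hdr + payload
    return body + fcs(body)


def rewrite_ipx(frame, dst_b_mac, msfc_mac, max_hops=16):
    """Rewrite one IPX frame: new MACs, Transport Control +1, new FCS."""
    body, old_fcs = frame[:-4], frame[-4:]
    if old_fcs != fcs(body):
        raise ValueError("FCS mismatch: frame is corrupt")
    if struct.unpack("!H", body[12:14])[0] != ETHERTYPE_IPX:
        raise ValueError("not an IPX frame")
    hdr = bytearray(body[14:44])
    if hdr[4] + 1 >= max_hops:
        # Assumption: the hop-count limit (default IPX maximum of 16) is enforced here.
        raise ValueError("IPX hop count exhausted: hand the packet to the MSFC")
    hdr[4] += 1                                                      # Transport Control n -> n+1
    # The IPX checksum field stays 0xFFFF (checksum not in use), so there is nothing to recompute.
    new_body = dst_b_mac + msfc_mac + body[12:14] + bytes(hdr) + body[44:]
    return new_body + fcs(new_body)
```

Both rewrite functions verify the incoming FCS and, for IP, the incoming header checksum before touching anything, so a corrupted frame is rejected rather than re-signed with a fresh FCS; only the two MAC fields, the TTL or Transport Control byte, the IP checksum and the FCS change, and the Layer 3 addresses and payload are carried through untouched.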

Understanding MLS

Note Supervisor Engine 1, PFC, and MSFC or MSFC2 provide Layer 3 switching with MLS. Supervisor Engine 1, PFC, and MSFC or MSFC2 can only do MLS internally with the MSFC or MSFC2 in the same chassis; an external MLS-RP cannot be used in place of the internal MLS-RP.

Layer 3 switching with MLS identifies flows on the switch after the first packet has been routed by the MSFC and transfers the process of forwarding the remaining traffic in the flow to the switch, which reduces the load on the MSFC.

Note The PFC uses the Layer 2 multicast forwarding table to identify the ports to which Layer 2 multicast traffic should be forwarded (if any). The multicast forwarding table entries are populated by whichever multicast constraint feature is enabled on the switch (IGMP snooping or Generic Attribute Registration Protocol [GARP] Multicast Registration Protocol [GMRP]). These entries map the destination multicast MAC address to the outgoing switch ports for a given VLAN.

These sections describe MLS:
• Understanding MLS Flows, page 14-iv
• Understanding the MLS Cache, page 14-v
• Understanding Flow Masks, page 14-vi
• Partially and Completely Switched Multicast Flows, page 14-viii
• MLS Examples, page 14-viii

Understanding MLS Flows

Layer 3 protocols, such as IP and IPX, are connectionless—they deliver every packet independently of every other packet. However, actual network traffic consists of many end-to-end conversations, or flows, between users or applications. For example, communication from a client to a server and from the server to the client are separate flows. Telnet traffic transferred from a particular source to a particular destination comprises a separate flow from File Transfer Protocol (FTP) packets between the same source and destination.

MLS supports unicast and multicast flows:
• A unicast flow can be any of the following:
  – All traffic to a particular destination
  – All traffic from a particular source to a particular destination
  – All traffic from a particular source to a particular destination that shares the same protocol and transport-layer information
• A multicast flow is all traffic with the same protocol and transport-layer information from a particular source to the members of a particular destination multicast group.

Understanding the MLS Cache

These sections describe the MLS cache:
• MLS Cache, page 14-v
• Unicast Traffic, page 14-v
• Multicast Traffic, page 14-v
• MLS Cache Aging, page 14-vi
• MLS Cache Size, page 14-vi

MLS Cache

The PFC maintains a Layer 3 switching table called the MLS cache for Layer 3-switched flows. The MLS cache maintains flow information for all active flows. The cache also includes entries for traffic statistics that are updated in tandem with the switching of packets. After the PFC creates an MLS cache entry, packets identified as belonging to an existing flow can be Layer 3 switched based on the cached information. In addition, when traffic for a flow ceases, the entry ages out and statistics for that flow can be exported to a flow collector application.

Unicast Traffic

For unicast traffic, the PFC creates an MLS cache entry for the initial routed packet of each unicast flow. Upon receipt of a routed packet that does not match any unicast flow currently in the MLS cache, the PFC creates a new MLS entry.

Multicast Traffic

For multicast traffic, the PFC populates the MLS cache using information learned from the MSFC. Whenever the MSFC receives traffic for a new multicast flow, it updates its multicast routing table and forwards the new information to the PFC. In addition, if an entry in the multicast routing table ages out, the MSFC deletes the entry and forwards the updated information to the PFC.

For each multicast flow cache entry, the PFC maintains a list of outgoing interfaces for the destination IP multicast group. The PFC uses this list to identify the VLANs on which traffic to a given multicast flow should be replicated.

These MSFC IOS commands affect the multicast MLS cache entries on the switch:
• Using the clear ip mroute command to clear the multicast routing table on the MSFC clears all multicast MLS cache entries on the PFC.
• Using the no ip multicast-routing command to disable IP multicast routing on the MSFC purges all multicast MLS cache entries on the PFC.

MLS Cache Aging

The state and identity of flows are maintained while packet traffic is active. If an entry is not used for the specified period of time, the entry ages out. You can configure the aging time for MLS entries kept in the MLS cache.

MLS Cache Size

The maximum MLS cache size is 128K entries. An MLS cache larger than 32K entries increases the probability that a flow will not be Layer 3 switched, but will instead be forwarded to the MSFC. The MLS cache is shared by all MLS processes on the switch (IP MLS, IP MMLS, and IPX MLS).

Understanding Flow Masks

The PFC uses flow masks to determine how MLS entries are created. These sections describe the flow mask modes:
• Flow Mask Modes, page 14-vi
• Flow Mask Mode and show mls entry Command Output, page 14-vii

Flow Mask Modes

The PFC supports only one flow mask (the most specific one) for all MSFCs that are Layer 3 switched by that PFC. If the PFC detects different flow masks from different MSFCs for which it is performing Layer 3 switching, it changes its flow mask to the most specific flow mask detected. When the PFC flow mask changes, the entire MLS cache is purged.

When the PFC exports cached entries, flow records are created based on the current flow mask. Depending on the current flow mask, some fields in the flow record might not have values. Unsupported fields are filled with a zero (0).

The MLS flow masks are as follows:
• destination-ip—The least-specific flow mask. The PFC maintains one MLS entry for each Layer 3 destination address. All flows to a given Layer 3 destination address use this MLS entry.
• source-destination-ip—The PFC maintains one MLS entry for each source and destination IP address pair. All flows between a given source and destination use this MLS entry regardless of the IP protocol ports.
• full flow—The most-specific flow mask. The PFC creates and maintains a separate MLS cache entry for each IP flow. A full flow entry includes the source IP address, destination IP address, protocol, and protocol ports.
• destination-ipx—The only flow mask mode for IPX MLS is destination mode. The PFC maintains one IPX MLS entry for each destination IPX address (network and node). All flows to a given destination IPX address use this IPX MLS entry.
• source-destination-vlan—For IP MMLS, the PFC maintains one MMLS cache entry for each {source IP, destination group IP, source VLAN}. The source VLAN is the multicast reverse path forwarding (RPF) interface for the multicast flow. The multicast source-destination-vlan flow mask differs from the IP unicast MLS source-destination-ip flow mask in that, for IP MMLS, the source VLAN is included as part of the entry.
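How the flow mask decides which packets share one MLS cache entry, as an added Python example (not Cisco code and not part of the guide). It derives the cache key a packet produces under each unicast flow mask described above, applies the rule that the PFC runs the most specific mask any of its MSFCs requests and purges the cache when the mask changes, and builds an export-style flow record with zeros in the fields the current mask does not carry. The packets are constructed samples that reuse the Host A, Host B and Host C addresses from the IP MLS example topology later in this chapter; the IPX node names are placeholders.

```python
"""MLS flow masks and cache keys (added example, not Cisco code)."""
from collections import namedtuple

# Unicast IP flow masks, least specific first; the index is the specificity order.
MASKS = ("destination-ip", "source-destination-ip", "full-flow")

IpPacket = namedtuple("IpPacket", "src dst proto sport dport")
IpxPacket = namedtuple("IpxPacket", "src_net src_node dst_net dst_node dst_socket")


def flow_key(pkt, mask):
    """Return the MLS cache key that pkt produces under the given flow mask."""
    if isinstance(pkt, IpxPacket):
        # IPX MLS has one mode only: one entry per destination network and node.
        return ("ipx", pkt.dst_net, pkt.dst_node)
    if mask == "destination-ip":
        return ("ip", pkt.dst)
    if mask == "source-destination-ip":
        return ("ip", pkt.dst, pkt.src)
    if mask == "full-flow":
        return ("ip", pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
    raise ValueError("unknown flow mask %r" % (mask,))


def most_specific(masks):
    """PFC rule: when its MSFCs ask for different masks, use the most specific one."""
    return max(masks, key=MASKS.index)


class MlsCache:
    def __init__(self, mask="destination-ip"):
        self.mask = mask
        self.entries = {}          # cache key -> {"pkts": n, "bytes": n}

    def set_flow_mask(self, mask):
        """A flow mask change purges the entire MLS cache."""
        if mask != self.mask:
            self.mask = mask
            self.entries.clear()

    def switch(self, pkt, length=64):
        """Account one packet; returns True when it is the first packet of a new flow
        (that packet is routed by the MSFC and creates the entry)."""
        key = flow_key(pkt, self.mask)
        created = key not in self.entries
        stats = self.entries.setdefault(key, {"pkts": 0, "bytes": 0})
        stats["pkts"] += 1
        stats["bytes"] += length
        return created

    def flow_record(self, key):
        """Export-style record for an IP entry; fields the mask does not carry are 0."""
        if key[0] != "ip":
            raise ValueError("flow records are built for IP entries only")
        fields = ("dst", "src", "proto", "dport", "sport")
        values = list(key[1:]) + [0] * (len(fields) - (len(key) - 1))
        return dict(zip(fields, values))


def entry_counts(packets, masks=MASKS):
    """Number of MLS entries the same traffic produces under each flow mask."""
    counts = {}
    for mask in masks:
        cache = MlsCache(mask)
        for pkt in packets:
            cache.switch(pkt)
        counts[mask] = len(cache.entries)
    return counts


# Constructed sample traffic (addresses from the IP MLS example topology).
SAMPLE = [
    IpPacket("171.59.1.2", "171.59.2.2", "tcp", 40001, 80),    # Host A -> Host C, HTTP
    IpPacket("171.59.1.2", "171.59.2.2", "tcp", 40002, 80),    # second HTTP connection
    IpPacket("171.59.1.2", "171.59.3.2", "tcp", 40003, 21),    # Host A -> Host B, FTP
    IpPacket("171.59.2.2", "171.59.1.2", "tcp", 80, 40001),    # Host C -> Host A, reply
    IpPacket("171.59.2.2", "171.59.3.2", "udp", 5000, 5000),   # Host C -> Host B
]

if __name__ == "__main__":
    print(entry_counts(SAMPLE))   # the same five packets: 3, 4 or 5 entries depending on the mask
```

The entry count under each mask is the point: the same five packets occupy three entries in destination-ip mode, four in source-destination-ip mode and five in full-flow mode, which is why the guide's 32K recommendation is much easier to exceed in full-flow mode.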

Flow Mask Mode and show mls entry Command Output

With the destination-ip flow mask, the source IP, protocol, source port, and destination port fields display the details of the last packet that was Layer 3 switched using the MLS cache entry. This example sh
ows how the show mls entry command output appears in destination-ip mode:

Console> (enable) show mls entry ip short
Destination-IP  Source-IP       Prot DstPrt SrcPrt Destination-Mac   Vlan
--------------- --------------- ---- ------ ------ ----------------- ----
171.69.1.234                                       00-60-70-6c-fc-22 4
171.69.1.133                                       00-60-70-6c-fc-23 2
ESrc EDst SPort DPort Stat-Pkts Stat-Byte Uptime   Age
---- ---- ----- ----- --------- --------- -------- --------
ARPA SNAP 5/8   11/1  3152      347854    09:01:19 09:08:20
SNAP ARPA 5/8   1/1   2345      123456    09:03:32 09:08:12
Total Entries: 2
* indicates TCP flow has ended
Console> (enable)

Note The short keyword exists for some show commands and displays the output by wrapping the text after 80 characters. The default is long (no text wrap).

With the source-destination-ip flow mask, the protocol, source port, and destination port fields show the details of the last packet that was Layer 3 switched using the MLS cache entry. This example shows how the show mls entry command output appears in source-destination-ip mode:

Console> (enable) show mls entry ip short
Destination-IP  Source-IP       Prot DstPrt SrcPrt Destination-Mac   Vlan
--------------- --------------- ---- ------ ------ ----------------- ----
171.69.1.234    171.69.192.41                      00-60-70-6c-fc-22 4
171.69.1.133    171.69.200.42                      00-60-70-6c-fc-23 2
ESrc EDst SPort DPort Stat-Pkts Stat-Byte Uptime   Age
---- ---- ----- ----- --------- --------- -------- --------
ARPA SNAP 5/8   11/1  3152      347854    09:01:19 09:08:20
SNAP ARPA 5/8   1/1   2345      123456    09:03:32 09:08:12
Total Entries: 2
* indicates TCP flow has ended
Console> (enable)

With the full-flow flow mask, details are shown for each flow, because a separate MLS entry is created for every IP flow. This example shows how the show mls entry command output appears in full flow mode:

Console> (enable) show mls entry ip short
Destination-IP  Source-IP       Prot DstPrt SrcPrt Destination-Mac   Vlan
--------------- --------------- ---- ------ ------ ----------------- ----
171.69.1.234    171.69.192.41   TCP* 6000   59181  00-60-70-6c-fc-22 4
171.69.1.133    171.69.200.42   UDP  2049   41636  00-60-70-6c-fc-23 2
ESrc EDst SPort DPort Stat-Pkts Stat-Byte Uptime   Age
---- ---- ----- ----- --------- --------- -------- --------
ARPA SNAP 5/8   11/1  3152      347854    09:01:19 09:08:20
SNAP ARPA 5/8   1/1   2345      123456    09:03:32 09:08:12
Total Entries: 2
* indicates TCP flow has ended
Console> (enable)

Partially and Completely Switched Multicast Flows

Some flows might be partially Layer 3 switched instead of completely Layer 3 switched in these situations:
• The MSFC is configured as a member of the IP multicast group (using the ip igmp join-group command) on the RPF interface of the multicast source.
• The MSFC is the first-hop router to the source in PIM sparse mode (in this case, the MSFC must send PIM-register messages to the rendezvous point).
• The multicast TTL threshold is configured on an egress interface for the flow.
• The multicast helper is configured on the RPF interface for the flow, and multicast to broadcast translation is required.
• Multicast tag switching is configured on an egress interface.
• Network address translation (NAT) is configured on an interface, and source address translation is required for the outgoing interface.
• The extended access list deny condition on the RPF interface specifies anything other than the Layer 3 source, Layer 3 destination, or IP protocol (an example is Layer 4 port numbers).

For partially switched flows, all multicast traffic belonging to the flow reaches the MSFC and is software switched for any interface that is not Layer 3 switched.

The PFC prevents multicast traffic in flows that are completely Layer 3 switched from reaching the MSFC, reducing the load on the MSFC. For all completely Layer 3-switched flows, the PFC periodically sends multicast packet and byte count statistics to the MSFC, because the MSFC cannot record multicast statistics for completely switched flows, which it never sees. The MSFC uses the statistics to update the corresponding multicast routing table entries and reset the appropriate expiration timers.

The show ip mroute and show mls ip multicast commands identify completely Layer 3-switched flows with the text string RPF-MFD (Multicast Fast Drop [MFD] indicates that from the perspective of the MSFC, the multicast packet is dropped, because it is switched by the PFC).

MLS Examples

Figure 1 shows a simple IP MLS network topology. In this example, Host A is on the Sales VLAN (IP subnet 171.59.1.0), Host B is on the Marketing VLAN (IP subnet 171.59.3.0), and Host C is on the Engineering VLAN (IP subnet 171.59.2.0).

When Host A initiates an HTTP file transfer to Host C, an MLS entry for this flow is created (this entry is the second item in the MLS cache shown in Figure 1). The PFC stores the MAC addresses of the MSFC and Host C in the MLS entry when the MSFC forwards the first packet from Host A through the switch to Host C. The PFC uses this information to rewrite subsequent packets from Host A to Host C.

Figure 14-1  IP MLS Example Topology

[Figure: Host A (MAC Aa) on Subnet 1/Sales, Host B (MAC Bb) on Subnet 3/Marketing, and Host C (MAC Cc) on Subnet 2/Engineering are connected through the switch to the MSFC (MAC Dd). A packet from Host A to Host C arrives as "Data 171.59.1.2 -> 171.59.2.2:2000, MAC Aa:Dd" and leaves rewritten as "Data 171.59.1.2 -> 171.59.2.2:2000, MAC Dd:Cc". The MLS cache shown in the figure holds these entries:]

Source IP Address  Destination IP Address  Application  Rewrite Src/Dst MAC Address  Destination VLAN
171.59.1.2         171.59.3.2              FTP          Dd:Bb                        Marketing
171.59.1.2         171.59.2.2              HTTP         Dd:Cc                        Engineering
171.59.2.2         171.59.1.2              HTTP         Dd:Aa                        Sales

Figure 2 shows a simple IPX MLS network topology. In this example, Host A is on the Sales VLAN (IPX address 01.Aa), Host B is on the Marketing VLAN (IPX address 03.Bb), and Host C is on the Engineering VLAN (IPX address 02.Cc).

When Host A initiates a file transfer to Host B, an IPX MLS entry for this flow is created (this entry is the first item in the table shown in Figure 1). The PFC stores the MAC addresses of the MSFC and Host B in the IPX MLS entry when the MSFC forwards the first packet from Host A through the switch to Host B. The PFC uses this information to rewrite subsequent packets from Host A to Host B. Similarly, a separate IPX MLS entry is created in the MLS cache for the traffic from Host A to Host C, and for the traffic from Host C to Host A. The destination VLAN is stored as part of each IPX MLS entry so that the correct VLAN identifier is used when encapsulating traffic on trunk links.

Figure 14-2  IPX MLS Example Topology

[Figure: Host A (MAC Aa) on Net 1/Sales, Host B (MAC Bb) on Net 3/Marketing, and Host C (MAC Cc) on Net 2/Engineering are connected through the switch to the MSFC (MAC Dd). A packet from Host A to Host C arrives as "Data 01.Aa:02.Cc, MAC Aa:Dd" and leaves rewritten as "Data 01.Aa:02.Cc, MAC Dd:Cc". The IPX MLS table shown in the figure holds these entries:]

Source IPX Address  Destination IPX Address  Rewrite Src/Dst MAC Address  Destination VLAN
01.Aa               03.Bb                    Dd:Bb                        Marketing
01.Aa               02.Cc                    Dd:Cc                        Engineering
02.Cc               01.Aa                    Dd:Aa                        Sales

Default MLS Configuration

Table 1 shows the default IP MLS configuration.

Table 14-1  Default IP MLS Configuration

Feature                                    Default Value
IP MLS enable state                        Enabled
IP MLS aging time                          256 seconds
IP MLS fast aging time                     0 seconds (no fast aging)
IP MLS fast aging-time packet threshold    0 packets

Table 2 shows the default IP MMLS switch configuration.

Table 14-2  Default IP MMLS Supervisor Engine Configuration

Feature                                    Default Value
IP MMLS                                    Enabled
Multicast services (IGMP snooping or GMRP) Disabled

Table 3 shows the default IP MMLS MSFC configuration.

Table 14-3  Default IP MMLS MSFC Configuration

Feature              Default Value
Multicast routing    Disabled globally
IP PIM routing       Disabled on all interfaces
IP MMLS Threshold    Unconfigured—no default value
IP MMLS              Enabled when multicast routing is enabled and IP PIM is enabled on the interface

Table 4 shows the default IPX MLS configuration.

Table 14-4  Default IPX MLS Configuration

Feature                 Default Value
IPX MLS enable state    Enabled
IPX MLS aging time      256 seconds

Configuration Guidelines and Restrictions

These sections describe configuration guidelines and restrictions:
• IP MLS, page 14-xi
• IP MMLS, page 14-xii
• IPX MLS, page 14-xiii

IP MLS

These sections describe IP MLS configuration guidelines:
• Maximum Transmission Unit Size, page 14-xi
• Restrictions on Using IP Routing Commands with IP MLS Enabled, page 14-xii

Maximum Transmission Unit Size

The default maximum transmission unit (MTU) for IP MLS is 1500. To change the MTU on an IP MLS-enabled interface, enter the ip mtu mtu command.

Restrictions on Using IP Routing Commands with IP MLS Enabled

Enabling certain IP processes on an interface will affect IP MLS on the interface. Table 5 shows the affected commands and the resulting behavior.

Table 14-5  IP Routing Command Restrictions

Command                                   Behavior
clear ip route                            Clears all MLS cache entries for all switches performing Layer 3 switching for this MSFC.
ip routing                                The no form purges all MLS cache entries and disables IP MLS on this MSFC.
ip security (all forms of this command)   Disables IP MLS on the interface.
ip tcp header-compression                 Disables IP MLS on the interface.
ip tcp compression-connections            Disables IP MLS on the interface.

IP MMLS

These sections describe IP MMLS configuration guidelines:
• IP MMLS Supervisor Engine Guidelines and Restrictions, page 14-xii
• IP MMLS MSFC Configuration Restrictions, page 14-xiii
• Unsupported IP MMLS Features, page 14-xiii

IP MMLS Supervisor Engine Guidelines and Restrictions

These guidelines and restrictions apply when configuring Supervisor Engine 1 for IP MMLS:
• Only ARPA rewrites are supported for IP multicast packets. Subnetwork Address Protocol (SNAP) rewrites are not supported.
• IP multicast flows are not multilayer switched if there is no entry in the Layer 2 multicast forwarding table (for example, if no Layer 2 multicast services are enabled or the forwarding table is full). Enter the show multicast group command to check for a Layer 2 entry for a particular IP multicast destination. If a Layer 2 entry is cleared, the corresponding Layer 3 flow information is purged.
• You must enable one of the multicast services (IGMP snooping or GMRP) on the switch in order to use IP MMLS.
• When using two MSFCs that have one or more interfaces in the same VLAN, the switch uses two reserved VLANs (VLANs 1012 and 1013) internally to forward multicast flows properly.
• The MSFC will not act as an external router for a Catalyst 5000 family switch that has Layer 3 switching hardware.

IP MMLS MSFC Configuration Restrictions

IP MMLS does not perform multilayer switching for an IP multicast flow in the following situations:
• For IP multicast groups that fall into these ranges (where * is in the range 0–255):
  – 224.0.0.* through 239.0.0.*
  – 224.128.0.* through 239.128.0.*

  Note Groups in the 224.0.0.* range are reserved for routing control packets and must be flooded to all forwarding ports of the VLAN. These addresses map to the multicast MAC address range 01-00-5E-00-00-xx, where xx is in the range 0–0xFF.

• For IP PIM auto-RP multicast groups (IP multicast group addresses 224.0.1.39 and 224.0.1.40).
• For flows that are forwarded on the multicast-shared tree (that is, {*,G} forwarding) when the interface or group is running IP PIM sparse mode.
• If the shortest-path tree (SPT) bit for the flow is cleared when running IP PIM sparse mode for the interface or group.
• For any RPF interface with multicast tag switching enabled.
• For source traffic received on tunnel interfaces (such as MBONE traffic).
• For fragmented IP packets and packets with IP options. However, packets in the flow that are not fragmented or that do not specify IP options are multilayer switched.

Note In systems with redundant MSFCs, the IP PIM interface configuration must be the same on both the active and redundant MSFCs.

Unsupported IP MMLS Features

If you enable IP MMLS, IP accounting for the interface will not reflect accurate values.

IPX MLS

These sections describe configuration guidelines that apply when configuring IPX MLS:
• IPX MLS Interaction with Other Features, page 14-xiii
• IPX MLS and Maximum Transmission Unit Size, page 14-xiv

IPX MLS Interaction with Other Features

Other IOS software features affect IPX MLS as follows:
• IPX accounting—IPX accounting cannot be enabled on an IPX MLS-enabled interface.
• IPX EIGRP—To support MLS on EIGRP interfaces you must set the Transport Control (TC) maximum to a value greater than the default (16). Enter the ipx maximum-hop tc_value global configuration command on the MSFC, with the tc_value greater than 16.
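Why the group ranges in the IP MMLS MSFC restrictions above all end up in the flooded MAC range 01-00-5E-00-00-xx, shown as an added Python example (not Cisco code and not part of the guide). The mapping it implements is the standard IPv4-group-to-Ethernet-MAC mapping from RFC 1112 (the low-order 23 bits of the group address under the fixed prefix 01-00-5E), which is why 32 group addresses share each MAC and why a group in x.0.0.* or x.128.0.* for any x from 224 to 239 collides with the routing-control range; the helpers that test a group against those ranges and against the two auto-RP groups are this example's own, not a command on the switch, and they cover only the address-based restrictions, not the PIM, tunnel, fragment or option conditions.

```python
"""IPv4 multicast group to Ethernet MAC mapping and the IP MMLS address exclusions
(added example, not Cisco code)."""
import ipaddress

# Auto-RP groups listed in the MSFC restrictions above.
AUTO_RP_GROUPS = {ipaddress.IPv4Address("224.0.1.39"), ipaddress.IPv4Address("224.0.1.40")}


def group_to_mac(group: str) -> str:
    """Ethernet multicast MAC for an IPv4 group: 01-00-5E plus the low 23 bits of the address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not a multicast group" % group)
    low23 = int(addr) & 0x7FFFFF          # the five bits after the leading 1110 are dropped
    octets = (0x01, 0x00, 0x5E, (low23 >> 16) & 0x7F, (low23 >> 8) & 0xFF, low23 & 0xFF)
    return "-".join("%02X" % o for o in octets)


def in_reserved_mac_range(group: str) -> bool:
    """True if the group maps to 01-00-5E-00-00-xx, the range the switch floods to all ports."""
    return group_to_mac(group).startswith("01-00-5E-00-00-")


def is_excluded_from_mmls(group: str) -> bool:
    """Address-based IP MMLS exclusions only: reserved MAC range or an auto-RP group."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not a multicast group" % group)
    return in_reserved_mac_range(group) or addr in AUTO_RP_GROUPS


def groups_sharing_mac(group: str):
    """All 32 group addresses that share a MAC with `group` (same low 23 bits)."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low23)) for i in range(32)]


if __name__ == "__main__":
    for g in ("224.0.0.1", "225.0.0.1", "239.128.0.1", "224.0.1.39", "239.1.1.1"):
        print(g, group_to_mac(g), "excluded" if is_excluded_from_mmls(g) else "switchable")
```

The practical consequence for a design review: an application group such as 230.0.0.17 looks harmless, but it shares its MAC with 224.0.0.17 and is therefore flooded and software switched like routing-control traffic; choosing groups outside x.0.0.* and x.128.0.* avoids that collision.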

IPX MLS and Maximum Transmission Unit Size

In IPX, the two end points of communication negotiate the maximum transmission unit (MTU) to be used. The MTU size is limited by the media type.

Configuring MLS

These sections describe how to configure MLS:
• Configuring Unicast MLS on the MSFC, page 14-xiv
• Configuring MLS on Supervisor Engine 1, page 14-xvii
• Configuring IP MMLS, page 14-xxviii

Note The MSFC can be specified as the MLS route processor (MLS-RP) for Catalyst 5000 family switches using MLS. Refer to the Layer 3 Switching Configuration Guide—Catalyst 5000 Family, 2926G Series, 2926 Series Switches, for MLS configuration procedures.

Configuring Unicast MLS on the MSFC

These sections describe how to configure MLS on the MSFC:
• Disabling and Enabling Unicast MLS on an MSFC Interface, page 14-xiv
• Displaying MLS Information on the MSFC, page 14-xv
• Using Debug Commands on the MSFC, page 14-xvi
• Using Debug Commands on the SCP, page 14-xvi

For information on configuring routing on the MSFC, see Chapter 12, “Configuring InterVLAN Routing.” For information on configuring unicast Layer 3 switching on Supervisor Engine 1, see the “Configuring MLS on Supervisor Engine 1” section on page 14-xvii.

Disabling and Enabling Unicast MLS on an MSFC Interface

Unicast MLS for IP and IPX is enabled globally by default, but can be disabled and enabled on a specified interface.

To disable unicast IP or IPX MLS on a specific MSFC interface, perform this task:

Task                                        Command
Specify an MSFC interface.                  Router(config)# interface vlan-id
Disable IP MLS on an MSFC interface.        Router(config-if)# no mls ip
Disable IPX MLS on an MSFC interface.       Router(config-if)# no mls ipx

This example shows how to disable IP MLS on an MSFC interface:

Router(config)# interface vlan 100
Router(config-if)# no mls ip
Router(config-if)#

This example shows how to disable IPX MLS on an MSFC interface:

Router(config)# interface vlan 100
Router(config-if)# no mls ipx
Router(config-if)#

Note Unicast MLS is enabled by default; you only need to enable (or reenable) it if you have previously disabled it.

To enable unicast IP or IPX MLS on a specific MSFC interface, perform this task:

Task                                        Command
Specify an MSFC interface.                  Router(config)# interface vlan-id
Enable IP MLS on an MSFC interface.         Router(config-if)# mls ip
Enable IPX MLS on an MSFC interface.        Router(config-if)# mls ipx

This example shows how to enable IP MLS on an MSFC interface:

Router(config)# interface vlan 100
Router(config-if)# mls ip
Router(config-if)#

This example shows how to enable IPX MLS on an MSFC interface:

Router(config)# interface vlan 100
Router(config-if)# mls ipx
Router(config-if)#

Displaying MLS Information on the MSFC

The show mls status command displays MLS details. To display MLS information on the MSFC, perform this task:

Task                    Command
Display MLS status.     show mls status

This example shows how to display MLS status on the MSFC:

Router# show mls status
MLS global configuration status:
global mls ip:                       enabled
global mls ipx:                      enabled
global mls ip multicast:             disabled
current ip flowmask for unicast:     destination only
current ipx flowmask for unicast:    destination only
Router#

Using Debug Commands on the MSFC

Table 6 describes MLS-related debug commands that you can use to troubleshoot MLS problems on the MSFC.

Table 14-6  MLS Debug Commands

Command                        Description
[no] debug l3-mgr events       Displays Layer 3 manager-related events.
[no] debug l3-mgr packets      Displays Layer 3 manager packets.
[no] debug l3-mgr global       Displays bugtrace of ip global purge events, including route purging and changes of access lists and flow masks.
[no] debug l3-mgr all          Turns on all Layer 3 manager debugging messages.

Table 7 describes MLS-related debug commands that you can use to troubleshoot MLS problems when using the MSFC as an external router for a Catalyst 5000 family switch.

Table 14-7  MLS Debug Commands—External Router Function

Command                        Description
[no] debug mls ip              Turns on IP-related events for MLS.
[no] debug mls ipx             Turns on IPX-related events for MLS.
[no] debug mls rp              Turns on route processor-related events, including route purging and changes of access lists and flow masks.
[no] debug mls locator         Identifies which switch is switching a particular flow by using MLS explorer packets.
[no] debug mls all             Turns on all MLS debugging events.

Using Debug Commands on the SCP

Table 8 describes the Serial Control Protocol (SCP)-related debug commands to troubleshoot the SCP that runs over the Ethernet out-of-band channel (EOBC).

Table 14-8  SCP Debug Commands

Command                        Description
[no] debug scp async           Displays trace for asynchronous data in and out of the SCP system.
[no] debug scp data            Displays packet data trace.
[no] debug scp errors          Displays errors and warnings in the SCP.
[no] debug scp packets         Displays packet data in and out of the SCP system.
[no] debug scp timeouts        Reports timeouts.
[no] debug scp all             Turns on all SCP debugging messages.

Configuring MLS on Supervisor Engine 1

MLS is enabled by default on Catalyst 6000 family switches. You only need to configure Supervisor Engine 1 in these circumstances:
• You want to change the MLS aging time
• You want to enable NDE

Note When you disable IP or IPX MLS on the MSFC, IP or IPX MLS is automatically disabled on Supervisor Engine 1. All existing protocol-specific MLS cache entries are purged.

Note If NDE is enabled and you disable MLS, you will lose the statistics for existing cache entries—they are not exported.

These sections describe how to configure MLS on Supervisor Engine 1:
• Specifying MLS Aging-Time Value, page 14-xvii
• Specifying IP MLS Fast Aging Time and Packet Threshold Values, page 14-xviii
• Setting the Minimum IP MLS Flow Mask, page 14-xix
• Displaying CAM Entries on the Supervisor Engine, page 14-xx
• Displaying MLS Information, page 14-xxi
• Displaying IP MLS Cache Entries, page 14-xxii
• Clearing MLS Cache Entries, page 14-xxvi
• Clearing IPX MLS Cache Entries, page 14-xxvi
• Displaying IP MLS Statistics, page 14-xxvi
• Clearing MLS Statistics, page 14-xxviii
• Displaying MLS Debug Information, page 14-xxviii

For information on configuring VLANs on the switch, see Chapter 11, “Configuring VLANs.” For information on configuring MLS on the MSFC, see the “Configuring Unicast MLS on the MSFC” section on page 14-xiv. To disable MLS on the MSFC, see the “Disabling and Enabling Unicast MLS on an MSFC Interface” section on page 14-xiv.

Specifying MLS Aging-Time Value

The MLS aging time for each protocol (IP and IPX) applies to all protocol-specific MLS cache entries. Any MLS entry that has not been used for agingtime seconds is aged out. The default is 256 seconds.

You can configure the aging time in the range of 8 to 2032 seconds in 8-second increments. Any aging-time value that is not a multiple of 8 seconds is adjusted to the closest multiple of 8 seconds. For example, a value of 65 is adjusted to 64 and a value of 127 is adjusted to 128.

Note We recommend that you keep the size of the MLS cache below 32K entries. If the number of MLS entries exceeds 32K, some flows are sent to the MSFC. To help keep the size of the MLS cache down, enable IP MLS fast aging, as described in the "Specifying IP MLS Fast Aging Time and Packet Threshold Values" section on page 14-xviii. IPX MLS only operates in destination-source and destination flow modes; therefore, the number of IPX MLS entries in the MLS table is low relative to IP MLS entries in full-flow mode for IP.

To specify the MLS aging time for both IP and IPX, perform this task in privileged mode:

Task                                                  Command
----------------------------------------------------  --------------------------------
Specify the MLS aging time for MLS cache entries.     set mls agingtime [agingtime]

This example shows how to specify the MLS aging time:

Console> (enable) set mls agingtime 512
Multilayer switching agingtime IP and IPX set to 512
Console> (enable)

To specify the IP MLS aging time, perform this task in privileged mode:

Task                                                  Command
----------------------------------------------------  --------------------------------
Specify the IP MLS aging time for an MLS cache entry. set mls agingtime ip [agingtime]

This example shows how to specify the IP MLS aging time:

Console> (enable) set mls agingtime ip 512
Multilayer switching aging time IP set to 512
Console> (enable)

To specify the IPX MLS aging time, perform this task in privileged mode:

Task                                                   Command
-----------------------------------------------------  ---------------------------------
Specify the IPX MLS aging time for an MLS cache entry. set mls agingtime ipx [agingtime]

This example shows how to specify the IPX MLS aging time:

Console> (enable) set mls agingtime ipx 512
Multilayer switching aging time IPX set to 512
Console> (enable)

Specifying IP MLS Fast Aging Time and Packet Threshold Values

Note IPX MLS does not use fast aging.

The IP MLS fast aging time applies to MLS entries that have no more than pkt_threshold packets switched within fastagingtime seconds after they are created. A typical cache entry that is removed is the entry for flows to and from a Domain Name Server (DNS) or TFTP server, where the entry might never be used again after it is created. Detecting and aging out these entries saves space in the MLS cache for other data traffic.

To keep the MLS cache size below 32K entries, enable IP MLS fast aging time. If you need to enable IP MLS fast aging time, initially set the value to 128 seconds. If the size of the MLS cache continues to grow over 32K entries, decrease the setting until the cache size stays below 32K. If the cache continues to grow over 32K entries, decrease the normal IP MLS aging time.

You can configure the fastagingtime value to 32, 64, 96, or 128 seconds. Any fastagingtime value that is not configured exactly as the indicated values is adjusted to the closest one. The default fastagingtime value is 0 (no fast aging). You can configure the pkt_threshold value to 0, 1, 3, 7, 15, 31, or 63 packets. Typical values for fastagingtime and pkt_threshold are 32 seconds and 0 packets (no packets switched within 32 seconds after the entry is created).

To specify the IP MLS fast aging time and packet threshold, perform this task in privileged mode:

Task                                                                         Command
---------------------------------------------------------------------------  ---------------------------------------------------------
Specify the IP MLS fast aging time and packet threshold for an MLS cache entry. set mls agingtime fast [fastagingtime] [pkt_threshold]

This example shows how to set the IP MLS fast aging time to 32 seconds with a packet threshold of 0 packets:

Console> (enable) set mls agingtime fast 32 0
Multilayer switching fast aging time set to 32 seconds for entries with no more than 0 packets switched.
Console> (enable)

Setting the Minimum IP MLS Flow Mask

You can set the minimum granularity of the flow mask for the MLS cache on the PFC. The actual flow mask used will be at least of the granularity specified by this command. For example, if you do not configure access lists on any MSFC, then the IP MLS flow mask on the PFC is destination-ip by default. However, you can force the PFC to use the source-destination-ip flow mask by setting the minimum IP MLS flow mask using the set mls flow destination-source command. For information on how the different flow masks work, see the "Understanding Flow Masks" section on page 14-vi.

Caution The set mls flow destination-source command purges all existing shortcuts in the MLS cache and affects the number of active shortcuts on the PFC. Exercise care when using this command.

To set the minimum IP MLS flow mask, perform this task in privileged mode:

Task                                  Command
------------------------------------  -----------------------------------------------------
Set the minimum IP MLS flow mask.     set mls flow {destination | destination-source | full}
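The value adjustments described in the aging-time sections above (rounding to a multiple of 8 seconds, snapping fastagingtime and pkt_threshold to their allowed values) and the guide's escalation procedure for a cache over 32K entries are easy to get wrong when typed in from memory. The following Python module is an added example, not code from the Cisco guide; it models those documented rules so a change can be reviewed for silent rounding before it is entered on the switch. The tie-break when a request sits exactly between two allowed values, and the choice to halve the normal aging time in the last escalation step, are assumptions of this example and are not specified by the guide.

```python
"""Pre-flight check for Catalyst 6000 MLS aging settings (added example, not
code from the Cisco guide).  It models the value adjustments the guide
describes for set mls agingtime and set mls agingtime fast, so a change can
be reviewed for silent rounding before it is typed into the switch, and it
walks the guide's escalation steps for a cache that has grown past 32K
entries."""

AGING_MIN, AGING_MAX, AGING_STEP = 8, 2032, 8       # seconds, per the guide
FAST_AGING_VALUES = (32, 64, 96, 128)               # seconds; 0 means no fast aging
PKT_THRESHOLDS = (0, 1, 3, 7, 15, 31, 63)           # packets
CACHE_LIMIT = 32 * 1024                             # guide: keep the cache below 32K entries


def _closest(value, allowed):
    """Pick the allowed value nearest to the request.  The guide says the value
    is 'adjusted to the closest one' but not how a tie is broken; taking the
    lower value on a tie is an assumption of this example."""
    return min(allowed, key=lambda a: (abs(a - value), a))


def normalize_agingtime(seconds):
    """Return the aging time the switch will keep: a multiple of 8 s in 8..2032 s.
    The guide's own examples are 65 -> 64 and 127 -> 128."""
    if not AGING_MIN <= seconds <= AGING_MAX:
        raise ValueError(f"agingtime {seconds} outside {AGING_MIN}..{AGING_MAX} s")
    return _closest(seconds, range(AGING_MIN, AGING_MAX + 1, AGING_STEP))


def normalize_fast_aging(seconds):
    """0 disables fast aging; anything else snaps to 32, 64, 96 or 128 s."""
    return 0 if seconds == 0 else _closest(seconds, FAST_AGING_VALUES)


def normalize_pkt_threshold(packets):
    """Snap to one of the documented packet thresholds."""
    return _closest(packets, PKT_THRESHOLDS)


def plan_aging_commands(ip=None, ipx=None, fast=None, pkt_threshold=0):
    """Build the CatOS commands and report every value that will be adjusted.
    Returns (commands, adjustments); each adjustment is (setting, requested, effective)."""
    commands, adjustments = [], []
    for proto, requested in (("ip", ip), ("ipx", ipx)):
        if requested is None:
            continue
        effective = normalize_agingtime(requested)
        if effective != requested:
            adjustments.append((f"{proto} agingtime", requested, effective))
        commands.append(f"set mls agingtime {proto} {effective}")
    if fast is not None:
        eff_fast = normalize_fast_aging(fast)
        eff_pkts = normalize_pkt_threshold(pkt_threshold)
        if eff_fast != fast:
            adjustments.append(("fast agingtime", fast, eff_fast))
        if eff_pkts != pkt_threshold:
            adjustments.append(("pkt_threshold", pkt_threshold, eff_pkts))
        commands.append(f"set mls agingtime fast {eff_fast} {eff_pkts}")
    return commands, adjustments


def next_tuning_step(cache_entries, fast_aging, ip_agingtime):
    """Follow the guide's order of operations for an oversized MLS cache: first
    enable fast aging at 128 s, then step fast aging down, and only then shorten
    the normal IP aging time.  Returns the next command to apply, or None when
    the cache is within the recommended size.  The guide does not say by how
    much to shorten the normal aging time; halving it (clamped to the 8 s
    minimum) is this example's assumption."""
    if cache_entries <= CACHE_LIMIT:
        return None
    if fast_aging == 0:
        return "set mls agingtime fast 128 0"
    lower = [v for v in FAST_AGING_VALUES if v < fast_aging]
    if lower:
        return f"set mls agingtime fast {max(lower)} 0"
    if ip_agingtime > AGING_MIN:
        return f"set mls agingtime ip {normalize_agingtime(max(ip_agingtime // 2, AGING_MIN))}"
    return None


if __name__ == "__main__":
    cmds, adj = plan_aging_commands(ip=65, fast=100, pkt_threshold=10)
    print("\n".join(cmds))
    for setting, requested, effective in adj:
        print(f"note: {setting} {requested} will be stored as {effective}")
```

Running the module prints the two commands for a request of 65 s normal aging, 100 s fast aging and a 10-packet threshold, together with the three values the switch would round (64 s, 96 s and 7 packets), which is exactly the drift a configuration audit would otherwise only discover by re-reading show mls output.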

This example shows how to set the minimum IP MLS flow mask to destination-source-ip:

Console> (enable) set mls flow destination-source
Configured IP flow mask is set to destination-source flow.
Console> (enable)

Displaying CAM Entries on the Supervisor Engine

The show cam command displays the content-addressable memory (CAM) entries associated with a specific MAC address. If the MAC address belongs to an MSFC, an "R" is appended to the MAC address. If a VLAN is not specified, entries for all VLANs are displayed. If you specify a VLAN number, only those CAM entries corresponding to that VLAN number are displayed.

To display CAM entries, perform this task:

Task                                  Command
------------------------------------  ----------------------
Display CAM entries by MAC address.   show cam msfc [vlan]

This example shows how to display the CAM entries:

Console> show cam msfc
VLAN  Destination MAC     Destination-Ports or VCs       Xtag  Status
----  ------------------  -----------------------------  ----  ------
194   00-e0-f9-d1-2c-00R  7/1                            2     H
193   00-00-0c-07-ac-c1R  7/1                            2     H
193   00-00-0c-07-ac-5dR  7/1                            2     H
202   00-00-0c-07-ac-caR  7/1                            2     H
204   00-e0-f9-d1-2c-00R  7/1                            2     H
195   00-e0-f9-d1-2c-00R  7/1                            2     H
192   00-00-0c-07-ac-c0R  7/1                            2     H
192   00-e0-f9-d1-2c-00R  7/1                            2     H
204   00-00-0c-07-ac-ccR  7/1                            2     H
202   00-e0-f9-d1-2c-00R  7/1                            2     H
194   00-00-0c-07-ac-5eR  7/1                            2     H
196   00-e0-f9-d1-2c-00R  7/1                            2     H
194   00-00-0c-07-ac-c2R  7/1                            2     H
193   00-e0-f9-d1-2c-00R  7/1                            2     H
Total Matching CAM Entries Displayed = 14
Console>

This example shows how to display the CAM entries for a specified VLAN:

Console> show cam msfc 192
VLAN  Destination MAC     Destination-Ports or VCs       Xtag  Status
----  ------------------  -----------------------------  ----  ------
192   00-00-0c-07-ac-c0R  7/1                            2     H
192   00-e0-f9-d1-2c-00R  7/1                            2     H
Console>

Displaying MLS Information

The show mls command displays protocol-specific MLS information and MSFC-specific information. To display protocol-specific MLS information and MSFC-specific information, perform this task:

Task                                                                                 Command
-----------------------------------------------------------------------------------  ---------------------------
Display general IP or IPX MLS information and MSFC-specific information for all MSFCs. show mls {ip | ipx} [mod] (1)

1. The mod keyword specifies the module number of the MSFC, either 15 (if the MSFC is installed on Supervisor Engine 1 in slot 1) or 16 (if the MSFC is installed on Supervisor Engine 1 in slot 2).

This example shows how to display IP MLS information and MSFC-specific information:

Console> (enable) show mls ip
Total Active MLS entries = 0
Total packets switched = 0
IP Multilayer switching enabled
IP Multilayer switching aging time = 256 seconds
IP Multilayer switching fast aging time = 0 seconds, packet threshold = 0
IP Flow mask: Full Flow
Configured flow mask is Destination flow
Active IP MLS entries = 0
Netflow Data Export version: 8
Netflow Data Export disabled
Netflow Data Export port/host is not configured
Total packets exported = 0

MSFC ID          Module  XTAG  MAC                Vlans
---------------  ------  ----  -----------------  -------------------
52.0.0.3         15      1     01-10-29-8a-0c-00  1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,...,434,666,959
Console> (enable)

This example shows how to display IPX MLS information:

Console> (enable) show mls ipx
IPX Multilayer switching aging time = 256 seconds
IPX flow mask is Destination flow
IPX max hop is 15
Active IPX MLS entries = 356

IPX MSFC ID      Module  XTAG  MAC                Vlans
---------------  ------  ----  -----------------  -------------------
22.69.192.56     15      1     00-10-07-38-29-18  2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,...,77
                               00-d0-d3-9c-e3-f4  25
                               00-10-07-38-29-18  26,...,111
                               00-d0-d3-9c-e3-f4  112

22.69.192.58     16      2     00-10-07-38-22-22  2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
                               00-d0-d3-33-17-8c  25
                               00-10-07-38-22-22  26,...,111
                               00-d0-d3-33-17-8c  112
Console> (enable)

Displaying IP MLS Cache Entries

These sections describe how to display MLS cache entries on Supervisor Engine 1:
• Displaying All MLS Entries, page 14-xxii
• Displaying MLS Entries for a Specific IP Destination Address, page 14-xxiii
• Displaying IPX MLS Entries for a Specific IPX Destination Address, page 14-xxiii
• Displaying Entries for a Specific IP Source Address, page 14-xxiv
• Displaying Entries for a Specific IP Flow, page 14-xxiv
• Displaying IPX MLS Entries for a Specific MSFC, page 14-xxv

Note For a description of how the flow mask mode affects the screen displays when showing MLS entries, see the "Flow Mask Mode and show mls entry Command Output" section on page 14-vii.

Displaying All MLS Entries

To display all MLS entries (IP and IPX), perform this task in privileged mode:

Task                       Command
-------------------------  -----------------------------
Display all MLS entries.   show mls entry [short | long]

This example shows how to display all MLS entries (IP and IPX):

Console> (enable) show mls entry short
Destination-IP   Source-IP        Prot  DstPrt  SrcPrt  Destination-Mac    Vlan  ESrc  EDst  SPort  DPort  Stat-Pkts  Stat-Bytes  Created   LastUsed
---------------  ---------------  ----  ------  ------  -----------------  ----  ----  ----  -----  -----  ---------  ----------  --------  --------
171.69.1.133     171.69.1.42      UDP   2049    41636   00-60-70-6c-fc-23  2     SNAP  ARPA  5/8    1/1    2345       1234567     09:03:32  09:08:12
171.69.1.234     171.69.1.41      TCP*  6000    59181   00-60-70-6c-fc-22  4     ARPA  SNAP  5/8    11/1   3152       347854      09:01:19  09:08:20
171.69.1.133     171.69.1.42      UDP   2049    41636   00-60-70-6c-fc-23  2     SNAP  ARPA  5/8    1/1    2345       1234567     09:03:32  09:08:12
171.69.1.133     171.69.1.42      UDP   2049    41636   00-60-70-6c-fc-23  2     SNAP  ARPA  5/8    1/1    2345       1234567     09:03:32  09:08:12
171.69.1.133     171.69.1.42      UDP   2049    41636   00-60-70-6c-fc-23  2     SNAP  ARPA  5/8    1/1    2345       1234567     09:03:32  09:08:12
Total IP entries: 5
* indicates TCP flow has ended.

Destination-IPX       Source-IPX-net  Destination-Mac    Vlan  Port   Stat-Pkts  Stat-Bytes
--------------------  --------------  -----------------  ----  -----  ---------  ----------
BABE.0000.0000.0001                   00-a0-c9-0a-89-1d  211   13/37  30230      1510775
201.00A0.2451.7423                    00-a0-24-51-74-23  201   14/33  30256      31795084
501.0000.3100.0501                    31-00-05-01-00-00  501   9/37   12121      323232
401.0000.0000.0401                    00-00-04-01-00-00  401   3/1    4633       38676
Total IPX entries: 4
Console>

Displaying MLS Entries for a Specific IP Destination Address

To display MLS entries for a specific destination IP address, perform this task in privileged mode:

Task                                                        Command
----------------------------------------------------------  --------------------------------------
Display MLS entries for the specified destination IP address. show mls entry ip destination [ip_addr]

This example shows how to display MLS entries for a specific destination IP address:

Console> (enable) show mls entry ip destination 172.20.22.14/24
Destination-IP   Source-IP        Prot  DstPrt  SrcPrt  Destination-Mac    Vlan  EDst  ESrc  DPort  SPort  Stat-Pkts  Stat-Bytes  Uptime    Age
---------------  ---------------  ----  ------  ------  -----------------  ----  ----  ----  -----  -----  ---------  ----------  --------  --------
MSFC 172.20.25.1 (Module 15):
172.20.22.14                                            00-60-70-6c-fc-22  4     ARPA  ARPA  5/39   5/40   115        5290        00:12:20  00:00:04
MSFC 172.20.27.1 (Module 16):
Total entries:1
Console> (enable)

Displaying IPX MLS Entries for a Specific IPX Destination Address

To display IPX MLS entries for a specific destination IPX address, perform this task in privileged mode:

Task                                                                                   Command
-------------------------------------------------------------------------------------  ---------------------------------------
Display IPX MLS entries for a specific destination IPX address (net_address.node_address). show mls entry ipx destination ipx_addr

This example shows how to display IPX MLS entries for a specific destination IPX address:

Console> (enable) show mls entry ipx destination 3E.0000.0000.0c00
Destination IPX      Source IPX net  Destination Mac    Vlan  Port
-------------------  --------------  -----------------  ----  ----
MSFC 22.69.192.56 (Module 15):
3E.0000.0000.0c00    13              00-00-00-00-00-09  26    4/7
Console> (enable)
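The show mls entry short output above prints one shortcut per line with fifteen columns, which makes it straightforward to process off the switch when you need to answer "what has this host been talking to" from a cache dump. The following Python parser is an added example, not code from the Cisco guide; it assumes the column layout shown in the short-format example (the MSFC lines and the "Total IP entries" trailer are tolerated but not required), and the sample input is constructed from two of the guide's own rows.

```python
"""Parser for the Catalyst OS 'show mls entry short' table (added example, not
code from the Cisco guide).  It turns the one-line-per-flow output into
records, flags TCP flows the switch has marked as ended, and totals traffic
per destination port, which is how a shortcut-cache dump is usually read
when checking what a host has been talking to."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample made of two rows from the guide's own example.
SAMPLE = """\
Console> (enable) show mls entry short
Destination-IP   Source-IP        Prot  DstPrt  SrcPrt  Destination-Mac    Vlan  ESrc  EDst  SPort  DPort  Stat-Pkts  Stat-Bytes  Created   LastUsed
---------------  ---------------  ----  ------  ------  -----------------  ----  ----  ----  -----  -----  ---------  ----------  --------  --------
MSFC 172.20.25.1 (Module 15):
171.69.1.133     171.69.1.42      UDP   2049    41636   00-60-70-6c-fc-23  2     SNAP  ARPA  5/8    1/1    2345       1234567     09:03:32  09:08:12
171.69.1.234     171.69.1.41      TCP*  6000    59181   00-60-70-6c-fc-22  4     ARPA  SNAP  5/8    11/1   3152       347854      09:01:19  09:08:20
Total IP entries: 2
* indicates TCP flow has ended.
"""

_MSFC_RE = re.compile(r"^MSFC (\S+) \(Module (\d+)\):")
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class MlsEntry:
    msfc: str            # MSFC that installed the shortcut ("" if no MSFC line was seen)
    dst_ip: str
    src_ip: str
    proto: str           # TCP, UDP, ... without the trailing '*'
    tcp_ended: bool      # '*' suffix: the switch saw the TCP flow end
    dst_port: str        # kept as text: the switch prints names such as Telnet
    src_port: str
    dst_mac: str
    vlan: int
    esrc: str
    edst: str
    sport: str
    dport: str
    packets: int
    nbytes: int
    created: str
    last_used: str


def parse_mls_entry_short(text):
    """Return the flow rows of a 'show mls entry short' dump as MlsEntry records."""
    entries, msfc = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = _MSFC_RE.match(line)
        if m:
            msfc = m.group(1)
            continue
        fields = line.split()
        # A flow row has exactly 15 columns and starts with an IPv4 address;
        # the header, the dashed rule and the trailer lines fail this test.
        if len(fields) != 15 or not _IPV4_RE.match(fields[0]):
            continue
        proto = fields[2]
        entries.append(MlsEntry(
            msfc=msfc, dst_ip=fields[0], src_ip=fields[1],
            proto=proto.rstrip("*"), tcp_ended=proto.endswith("*"),
            dst_port=fields[3], src_port=fields[4], dst_mac=fields[5],
            vlan=int(fields[6]), esrc=fields[7], edst=fields[8],
            sport=fields[9], dport=fields[10],
            packets=int(fields[11]), nbytes=int(fields[12]),
            created=fields[13], last_used=fields[14]))
    return entries


def ended_tcp_flows(entries):
    """Shortcuts the switch still holds for TCP sessions that have already ended."""
    return [e for e in entries if e.tcp_ended]


def traffic_by_dst_port(entries):
    """Sum packets and bytes per (protocol, destination port)."""
    totals = defaultdict(lambda: [0, 0])
    for e in entries:
        t = totals[(e.proto, e.dst_port)]
        t[0] += e.packets
        t[1] += e.nbytes
    return {k: tuple(v) for k, v in totals.items()}


if __name__ == "__main__":
    rows = parse_mls_entry_short(SAMPLE)
    for (proto, port), (pkts, nbytes) in sorted(traffic_by_dst_port(rows).items()):
        print(f"{proto:<4} dst port {port:<6} {pkts:>8} pkts {nbytes:>10} bytes")
    for e in ended_tcp_flows(rows):
        print(f"ended TCP flow {e.src_ip}:{e.src_port} -> {e.dst_ip}:{e.dst_port}")
```

Because the destination port is kept as text, the same parser handles rows in which the switch prints a service name (Telnet in the later examples of this section) instead of a number.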

Displaying Entries for a Specific IP Source Address

To display MLS entries for a specific source IP address, perform this task in privileged mode:

Task                                                   Command
-----------------------------------------------------  ---------------------------------
Display MLS entries for the specified source IP address. show mls entry ip source [ip_addr]

This example shows how to display MLS entries for a specific source IP address:

Console> (enable) show mls entry ip source 10.0.2.15
Destination-IP   Source-IP        Prot  DstPrt  SrcPrt  Destination-Mac    Vlan  EDst  ESrc  DPort  SPort  Stat-Pkts  Stat-Bytes  Uptime    Age
---------------  ---------------  ----  ------  ------  -----------------  ----  ----  ----  -----  -----  ---------  ----------  --------  --------
MSFC 172.20.25.1 (Module 15):
172.20.22.14     10.0.2.15        TCP   Telnet  37819   00-e0-4f-15-49-ff  51    ARPA  ARPA  5/39   5/40   115        5290        00:12:20  00:00:04
MSFC 172.20.27.1 (Module 16):
Total entries:1
Console> (enable)

Displaying Entries for a Specific IP Flow

The show mls entry ip flow command displays MLS entries for a specific IP flow. The protocol argument can be tcp, udp, icmp, or a decimal number for other protocol families. The src_port and dst_port arguments specify the protocol ports if the protocol is TCP or User Datagram Protocol (UDP). A value of zero (0) for src_port, dst_port, or protocol is treated as a wildcard and all entries are displayed (unspecified options are treated as wildcards). If the protocol selected is not TCP or UDP, set the src_port and dst_port to 0 or no flows will display.

To display MLS entries for a specific IP flow (when the flow mask mode is full flow), perform this task in privileged mode:

Task                                                                           Command
-----------------------------------------------------------------------------  -----------------------------------------------
Display entries for a specific IP flow (when the flow mask mode is full flow). show mls entry ip flow [protocol src_port dst_port]

This example shows how to display MLS entries for a specific IP flow:

Console> (enable) show mls entry ip flow tcp 23 37819
Destination IP   Source IP        Prot  DstPrt  SrcPrt  Destination Mac    Vlan  Port
---------------  ---------------  ----  ------  ------  -----------------  ----  ----
MSFC 51.0.0.3:
10.0.2.15        51.0.0.2         TCP   37819   Telnet  08-00-20-7a-07-75  10    3/1
Console> (enable)

Displaying IPX MLS Entries for a Specific MSFC

To display IPX MLS entries for a specific MSFC, perform this task in privileged mode:

Task                                        Command
------------------------------------------  ---------------------------
Display IPX MLS entries for a specific MSFC. show mls entry ipx mod (1)

1. The mod keyword specifies the module number of the MSFC, either 15 (if the MSFC is installed on Supervisor Engine 1 in slot 1) or 16 (if the MSFC is installed on Supervisor Engine 1 in slot 2).

This example shows how to display IPX MLS entries for a specific MSFC:

Console> (enable) show mls entry ipx 15
Destination-IPX           Destination-Mac    Stat-Bytes  Uptime    Age
------------------------  -----------------  ----------  --------  --------
MSFC 22.69.192.56 (Module 15):
11.0000.0000.3210         00-00-00-00-32-10  362066      00:15:52  00:00:00
11.0000.0000.1910         00-00-00-00-19-10  362158      00:15:52  00:00:00
11.0000.0000.7D10         00-00-00-00-7d-10  181240      00:15:53  00:00:00
11.0000.0000.4F10         00-00-00-00-4f-10  362342      00:15:53  00:00:00
11.0000.0000.6010         00-00-00-00-60-10  362710      00:15:53  00:00:00
11.0000.0000.E310         00-00-00-00-e3-10  181332      00:15:53  00:00:00
11.0000.0000.D510         00-00-00-00-d5-10  181194      00:15:53  00:00:00
11.0000.0000.B110         00-00-00-00-b1-10  181010      00:15:52  00:00:00
11.0000.0000.CC10         00-00-00-00-cc-10  181148      00:15:53  00:00:00
11.0000.0000.2B10         00-00-00-00-2b-10  361974      00:15:52  00:00:00
11.0000.0000.5610         00-00-00-00-56-10  362434      00:15:53  00:00:00
11.0000.0000.6410         00-00-00-00-64-10  362618      00:15:53  00:00:00
11.0000.0000.0010         00-00-00-00-00-10  362250      00:15:52  00:00:00
11.0000.0000.9A10         00-00-00-00-9a-10  181056      00:15:52  00:00:00
11.0000.0000.FE10         00-00-00-00-fe-10  181286      00:15:53  00:00:00
11.0000.0000.7910         00-00-00-00-79-10  181378      00:15:54  00:00:00
11.0000.0000.E710         00-00-00-00-e7-10  181286      00:15:53  00:00:00
11.0000.0000.8310         00-00-00-00-83-10  181102      00:15:52  00:00:00
10.0000.0000.0109         00-00-00-00-01-09  4432744     00:15:52  00:00:00
11.0000.0000.A810         00-00-00-00-a8-10  180964      00:15:52  00:00:00
Console> (enable)

(The original output also carries Vlan, EDst, ESrc, Port and Stat-Pkts columns; in this copy only their loose values survived (Vlan 10 or 11, EDst/ESrc ARPA, Port 3/11, 3/10 or -, Stat-Pkts 3934 to 96364) and they cannot be assigned to rows, so those columns are omitted above.)

Clearing MLS Cache Entries

The clear mls entry command removes specific MLS cache entries. The destination and source keywords specify the source and destination IP addresses. The flow keyword specifies the following additional flow information:

• Protocol family (protocol)—Specify tcp, udp, icmp, or a decimal number for other protocol families. A value of zero (0) for protocol is treated as a wildcard, and entries for all protocols are cleared (unspecified options are treated as wildcards).

• TCP or UDP source and destination port numbers (src_port and dst_port)—If the protocol you specify is TCP or UDP, specify the source and destination TCP or UDP port numbers. A value of zero (0) for src_port or dst_port is treated as a wildcard, and entries for all source or destination ports are cleared (unspecified options are treated as wildcards). For other protocols, set the src_port and dst_port to 0, or no entries will clear.

The destination and source ip_addr_spec can be a full IP address or a subnet address in the format ip_subnet_addr, ip_addr/subnet_mask, or ip_addr/subnet_mask_bits. The all keyword clears all MLS entries.

To clear an MLS entry, perform this task in privileged mode:

Task                  Command
--------------------  ------------------------------------------------------------------------------------------------------
Clear an MLS entry.   clear mls entry ip [destination ip_addr_spec] [source ip_addr_spec] [flow protocol src_port dst_port] [all]

This example shows how to clear MLS entries with destination IP address 172.20.26.22:

Console> (enable) clear mls entry ip destination 172.20.26.22
MLS IP entry cleared
Console> (enable)

This example shows how to clear MLS entries with destination IP address 172.20.26.22, source IP address 172.20.22.113, TCP source port 1652, and TCP destination port 23:

Console> (enable) clear mls entry destination 172.20.26.22 source 172.20.22.113 flow tcp 1652 23
MLS IP entry cleared
Console> (enable)

Clearing IPX MLS Cache Entries

The clear mls entry ipx command removes specific IPX MLS cache entries. The destination and source keywords specify the source and destination IPX addresses. The all keyword clears all MLS entries.

Displaying IP MLS Statistics

These sections describe how to display a variety of IP MLS statistics:
• Displaying IP MLS Statistics by Protocol, page 14-xxvii
• Displaying Statistics for MLS Cache Entries, page 14-xxvii
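The wildcard rules stated above for clear mls entry (and, in the same words, for show mls entry ip flow earlier in this section) decide how much of the cache a single command removes, so it is worth previewing a planned clear against the current entries before running it. The following Python code is an added example, not code from the Cisco guide; it implements the documented semantics (0 or an omitted option is a wildcard, the three ip_addr_spec forms, and the rule that a non-TCP/UDP protocol with a non-zero port matches nothing) against a constructed list of flows, one of which is the guide's own telnet example.

```python
"""Wildcard and subnet matching as the guide describes it for clear mls entry
and show mls entry ip flow (added example, not code from the Cisco guide).
It lets a planned clear be previewed against a list of cached flows before
it is run, including the documented edge case that a protocol other than
TCP or UDP only matches when both ports are given as 0."""
import ipaddress

PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}   # names the command accepts

# Constructed sample cache: (dst_ip, src_ip, proto_number, src_port, dst_port).
# The first row is the flow cleared in the guide's second example.
FLOWS = [
    ("172.20.26.22", "172.20.22.113", 6, 1652, 23),
    ("172.20.26.22", "172.20.22.114", 6, 1700, 23),
    ("172.20.26.40", "172.20.22.113", 17, 53001, 53),
    ("172.20.26.22", "172.20.22.113", 1, 0, 0),       # ICMP: ports are always 0
]


def parse_ip_spec(spec):
    """ip_addr, ip_addr/subnet_mask_bits or ip_addr/dotted_mask -> IPv4Network.
    A bare address becomes a /32; a subnet address is accepted unchanged."""
    if spec is None:
        return None
    return ipaddress.ip_network(spec, strict=False)


def parse_protocol(proto):
    """tcp/udp/icmp names, a decimal protocol number, or 0 for the wildcard."""
    if isinstance(proto, str) and proto.lower() in PROTO_NUMBERS:
        return PROTO_NUMBERS[proto.lower()]
    return int(proto)


def select_flows(flows, destination=None, source=None, protocol=0, src_port=0, dst_port=0):
    """Return the flows a 'clear mls entry ip' with these arguments would remove.
    0 (or an omitted option) is a wildcard; for protocols other than TCP and
    UDP a non-zero port matches nothing, as the guide warns."""
    dst_net, src_net = parse_ip_spec(destination), parse_ip_spec(source)
    proto = parse_protocol(protocol)
    if proto not in (0, 6, 17) and (src_port or dst_port):
        return []
    selected = []
    for dst, src, fproto, fsrc_port, fdst_port in flows:
        if dst_net is not None and ipaddress.ip_address(dst) not in dst_net:
            continue
        if src_net is not None and ipaddress.ip_address(src) not in src_net:
            continue
        if proto and fproto != proto:
            continue
        if src_port and fsrc_port != src_port:
            continue
        if dst_port and fdst_port != dst_port:
            continue
        selected.append((dst, src, fproto, fsrc_port, fdst_port))
    return selected


if __name__ == "__main__":
    # Same selection as the guide's second example:
    # clear mls entry destination 172.20.26.22 source 172.20.22.113 flow tcp 1652 23
    for flow in select_flows(FLOWS, "172.20.26.22", "172.20.22.113", "tcp", 1652, 23):
        print("would clear", flow)
    # The destination-only form from the first example is much broader.
    print(len(select_flows(FLOWS, "172.20.26.22")), "flows match destination only")
```

The preview makes the difference between the two examples in the text concrete: the destination-only clear removes every flow to that host regardless of protocol, while the five-argument form removes exactly one.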

Displaying IP MLS Statistics by Protocol

The show mls statistics protocol command displays IP MLS statistics by protocol (such as Telnet, FTP, and WWW). The protocol keyword functions only if the flow mask mode is full flow. Enter the show mls command to see the current flow mask.

To display IP MLS statistics by protocol, perform this task in privileged mode:

Task                                                                         Command
---------------------------------------------------------------------------  ----------------------------
Display IP MLS statistics by protocol (only if IP MLS is in full flow mode). show mls statistics protocol

This example shows how to display IP MLS statistics by protocol:

Console> (enable) show mls statistics protocol
Protocol         TotalFlows  TotalPackets  Total Bytes
---------------  ----------  ------------  -----------
Telnet           900         630           4298
FTP              688         2190          3105
WWW              389         42679         623686
SMTP             802         4966          92873
X                142         2487          36870
DNS              1580        52            1046
Others           82          1             73
Total            6583        53005         801951
Console> (enable)

Displaying Statistics for MLS Cache Entries

The show mls statistics entry command displays IP MLS statistics for MLS cache entries. Specify the destination IP address, source IP address, protocol, and source and destination ports to see specific MLS cache entries. If you do not specify an MLS cache entry, all statistics are shown. A value of zero (0) for src_port or dst_port is treated as a wildcard, and all statistics are displayed (unspecified options are treated as wildcards). If the protocol specified is not TCP or UDP, set the src_port and dst_port to 0 or no statistics will display.

To display statistics for MLS cache entries, perform this task in privileged mode:

Task                                        Command
------------------------------------------  ----------------------------------------------------------------------------------------------------
Display statistics for MLS cache entries.   show mls statistics entry ip [destination ip_addr_spec] [source ip_addr_spec] [flow protocol src_port dst_port]

This example shows how to display statistics for a particular MLS cache entry:

Console> show mls statistics entry ip destination 172.20.22.14
Last Used
Destination IP   Source IP        Prot  DstPrt  SrcPrt  Stat-Pkts  Stat-Bytes
---------------  ---------------  ----  ------  ------  ---------  ----------
MSFC 127.0.0.12:
172.20.22.14     172.20.25.10     6     50648   80      3152       347854
Console>

Clearing MLS Statistics

The clear mls statistics command clears the following statistics:
• Total packets switched (IP and IPX)
• Total packets exported (for NDE)

To clear IP MLS statistics, perform this task in privileged mode:

Task                        Command
--------------------------  --------------------
Clear IP MLS statistics.    clear mls statistics

This example shows how to clear IP MLS statistics:

Console> (enable) clear mls statistics
All mls statistics cleared.
Console> (enable)

Displaying MLS Debug Information

The show mls debug command displays MLS debug information that you can send to your technical support representative for analysis if necessary. To display MLS debug information, perform this task:

Task                                                                                         Command
-------------------------------------------------------------------------------------------  --------------
Display MLS debug information that you can send to your technical support representative.    show mls debug

Note The show tech-support command displays supervisor engine system information. Use application-specific commands to get more information about particular applications.

Configuring IP MMLS

These sections describe how to configure IP MMLS:
• Configuring IP MMLS on the MSFC, page 14-xxviii
• Displaying Global IP MMLS Information on the Supervisor Engine, page 14-xxxiv

Configuring IP MMLS on the MSFC

These sections describe how to configure the MSFC for IP MMLS:
• Enabling IP Multicast Routing Globally, page 14-xxix
• Enabling IP PIM on MSFC Interfaces, page 14-xxix
• Configuring the IP MMLS Global Threshold, page 14-xxx
• Enabling IP MMLS on MSFC Interfaces, page 14-xxx

• Displaying IP MMLS Interface Information, page 14-xxxi
• Displaying the IP Multicast Routing Table, page 14-xxxi
• Monitoring IP MMLS on the MSFC, page 14-xxxii
• Using Debug Commands on the IP MMLS MSFC, page 14-xxxiii
• Using Debug Commands on the SCP, page 14-xxxiv

Note For information on configuring routing on the MSFC, see Chapter 12, "Configuring InterVLAN Routing."

Note You can specify the MSFC as the MLS route processor (MLS-RP) for Catalyst 5000 family switches using MLS. Refer to the Layer 3 Switching Configuration Guide—Catalyst 5000 Family, 2926G Series, 2926 Series Switches for Catalyst 5000 family switch MLS configuration procedures.

Enabling IP Multicast Routing Globally

You must enable IP multicast routing globally on the MSFC before you can enable IP MMLS on MSFC interfaces.

Note This section describes how to enable IP multicast routing on the MSFC. For more detailed IP multicast configuration information, refer to the "IP Multicast" section of the Cisco IOS IP and IP Routing Configuration Guide at http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt3/index.htm

To enable IP multicast routing globally on the MSFC, perform this task in global configuration mode:

Task                                        Command
------------------------------------------  ------------------------------------
Enable IP multicast routing globally.       Router(config)# ip multicast-routing

This example shows how to enable IP multicast routing globally:

Router(config)# ip multicast-routing
Router(config)#

Enabling IP PIM on MSFC Interfaces

You must enable IP PIM on the MSFC interfaces before IP MMLS will function on those interfaces. To enable IP PIM on an interface, perform this task:

Task                                        Command
------------------------------------------  ----------------------------------------------------------------------
Enable IP PIM on an MSFC interface.         Router(config-if)# ip pim {dense-mode | sparse-mode | sparse-dense-mode}

This example shows how to enable IP PIM on an interface using the default mode (sparse-dense-mode):

Router(config-if)# ip pim
Router(config-if)#

This example shows how to enable IP PIM sparse mode on an interface:

Router(config-if)# ip pim sparse-mode
Router(config-if)#

Note You must enable IP PIM on all participating MSFC interfaces before IP MMLS will function.

Configuring the IP MMLS Global Threshold

You can configure a global multicast rate threshold, specified in packets per second, below which all (S,G) multicast traffic is routed by the MSFC. This prevents creation of MLS entries for short-lived multicast flows, such as join requests.

Note This command does not affect flows that are already being routed. To apply the threshold to existing routes, clear the route and let it reestablish.

To configure the IP MMLS threshold, perform this task:

Task                                  Command
------------------------------------  ------------------------------------------------------
Configure the IP MMLS threshold.      Router(config)# [no] mls ip multicast threshold ppsec

This example shows how to configure the IP MMLS threshold to 10 packets per second:

Router(config)# mls ip multicast threshold 10
Router(config)#

Use the no keyword to deconfigure the threshold.

Enabling IP MMLS on MSFC Interfaces

IP MMLS is enabled by default on the MSFC interface when you enable IP PIM on the interface. Perform this task only if you disabled IP MMLS on the interface and you want to reenable it. For information on configuring IP PIM on MSFC interfaces, see the "Enabling IP PIM on MSFC Interfaces" section on page 14-xxix.

To enable IP MMLS on an MSFC interface, perform this task:

Task                                      Command
----------------------------------------  -----------------------------------------
Enable IP MMLS on an MSFC interface.      Router(config-if)# [no] mls ip multicast

This example shows how to enable IP MMLS on an MSFC interface:

Router(config-if)# mls ip multicast
Router(config-if)#

Use the no keyword to disable IP MMLS on an MSFC interface.

0. flags:JT Incoming interface:Vlan800. T . Command Router# show ip mroute [group[source]] | [summary] | [count] | [active kbps] This example shows how to display the IP multicast routing table for 239.1.1. H (22.0.Sparse. RP 80. C .MSDP created entry. Display the IP MMLS interface enable state. perform one of these tasks: Task Display IP MMLS interface information. RPF-MFD Outgoing interface list: Vlan10.Advertised via MSDP Outgoing interface flags:H .0.RP-bit set.0.Connected.Register flag. Forward/Dense. J .Proxy Join Timer Running A .Dense.2.Join SPT M .0. flags:SJ Incoming interface:Vlan800. S .2 Outgoing interface list: Vlan10. 239.1: Router# show ip mroute 239. L . 00:00:19/00:00:00.252.4 78-13315-02 14-31 . X . 04:04:59/00:02:59.10. H Catalyst 6000 Family Software Configuration Guide—Releases 6.Pruned R . 00:00:19/00:02:41. Forward/Dense. Next-Hop or VCD. 01:29:57/00:00:00.0. F . Command Router# show ip pim interface [type number] count Router# show ip interface Displaying the IP Multicast Routing Table The show ip mroute command displays the IP multicast routing table on the MSFC. The show ip interface command displays the IP MMLS enable state on an MSFC interface.1. RPF nbr 80.1.Local.252.252.0.3 and 6.1).1). P . To display IP MMLS information for an IP PIM MSFC interface. 239.1 IP Multicast Routing Table Flags:D .Hardware switched Timers:Uptime/Expires Interface state:Interface. To display the IP multicast routing table.Chapter 14 Configuring MLS Configuring MLS Displaying IP MMLS Interface Information The show ip pim interface count command displays the IP MMLS enable state on MSFC IP PIM interfaces and the number of packets received and sent on the interface. State/Mode (*.SPT-bit set.0.2. RPF nbr 80. perform this task: Task Display the IP multicast routing table.252.

Monitoring IP MMLS on the MSFC

The show mls ip multicast command displays detailed information about IP MMLS. To display detailed IP MMLS information on the MSFC, perform one of these tasks:

Task                                          Command
--------------------------------------------  ---------------------------------------------------------------------------------
Display IP MMLS group information.            Router# show mls ip multicast group group-address [interface type number | statistics]
Display IP MMLS details for all interfaces.   Router# show mls ip multicast interface type number [statistics | summary]
Display a summary of IP MMLS information.     Router# show mls ip multicast summary
Display IP MMLS statistics.                   Router# show mls ip multicast statistics
Display IP MMLS source information.           Router# show mls ip multicast source ip-address [interface type number | statistics]

This example shows how to display IP MMLS statistics on the MSFC:

Router# show mls ip multicast statistics
MLS Multicast configuration and state:
  Router Mac:0050.0f2d.9bfd, Router IP:1.123.12.234
  MLS multicast operating state:ACTIVE
  Maximum number of allowed outstanding messages:1
  Maximum size reached from feQ:1
  Feature Notification sent:5
  Feature Notification Ack received:4
  Unsolicited Feature Notification received:0
  MSM sent:33
  MSM ACK received:33
  Delete notifications received:1
  Flow Statistics messages received:248
MLS Multicast statistics:
  Flow install Ack:9
  Flow install Nack:0
  Flow update Ack:2
  Flow update Nack:0
  Flow delete Ack:0
  Complete flow install Ack:10
  Complete flow install Nack:0
  Complete flow delete Ack:1
  Input VLAN delete Ack:4
  Output VLAN delete Ack:0
  Group delete sent:0
  Group delete Ack:0
  Global delete sent:7
  Global delete Ack:7
  L2 entry not found error:0
  Generic error :3
  LTL entry not found error:0
  MET entry not found error:0
  L3 entry exists error :0
  Hash collision error :0
  L3 entry not found error:0
  Complete flow exists error :0

This example shows how to display information on a specific IP MMLS entry on the MSFC:

Router# show mls ip multicast 224.1.1.1
Multicast hardware switched flows:
(1.1.13.1, 224.1.1.1) Incoming interface: Vlan13, Packets switched: 61590
Hardware switched outgoing interfaces: Vlan20 Vlan9
RFD-MFD installed: Vlan13

(1.1.9.1, 224.1.1.1) Incoming interface: Vlan9, Packets switched: 0
Hardware switched outgoing interfaces: Vlan20
RFD-MFD installed: Vlan9

(1.1.12.1, 224.1.1.1) Incoming interface: Vlan12, Packets switched: 62010
Hardware switched outgoing interfaces: Vlan20 Vlan9
RFD-MFD installed: Vlan12

(<source not recoverable from this copy>, 224.1.1.1) Incoming interface: Vlan12, Packets switched: 61980
Hardware switched outgoing interfaces: Vlan20 Vlan9
RFD-MFD installed: Vlan12

(1.1.11.1, 224.1.1.1) Incoming interface: Vlan11, Packets switched: 62430
Hardware switched outgoing interfaces: Vlan20 Vlan9
RFD-MFD installed: Vlan11

(<source not recoverable from this copy>, 224.1.1.1) Incoming interface: Vlan11, Packets switched: 62430
Hardware switched outgoing interfaces: Vlan20 Vlan9
RFD-MFD installed: Vlan11

Total hardware switched installed: 6
Router#

This example shows how to display a summary of IP MMLS information on the MSFC:

Router# show mls ip multicast summary
7 MMLS entries using 560 bytes of memory
Number of partial hardware-switched flows:2
Number of complete hardware-switched flows:5
Router#

Using Debug Commands on the IP MMLS MSFC

Table 14-9 describes IP MMLS-related debug troubleshooting commands.

Table 14-9 IP MMLS Debug Commands

Command                                                     Description
----------------------------------------------------------  ------------------------------------------------------------------
[no] debug mls ip multicast group group_id group_mask       Configures filtering that applies to all other multicast debugging commands.
[no] debug mls ip multicast events                          Displays IP MMLS events.
[no] debug mls ip multicast errors                          Turns on debug messages for multicast MLS-related errors.
[no] debug mls ip multicast messages                        Displays IP MMLS messages from/to the hardware switching engine.
[no] debug mls ip multicast all                             Turns on all IP MMLS messages.
[no] debug mdss error                                       Turns on MDSS (1) error messages.
[no] debug mdss events                                      Turns on MDSS-related events.
[no] debug mdss all                                         Turns on all MDSS messages.

1. MDSS = Multicast Distributed Switching Services

To display global IP MMLS configuration information. page 14-xxxiv Displaying IP MMLS Statistics.4 14-34 78-13315-02 .Chapter 14 Configuring MLS Configuring MLS Using Debug Commands on the SCP Table 10 describes the Serial Control Protocol (SCP)-related debug commands to troubleshoot the SCP that runs over the Ethernet out-of-band channel (EOBC). Command show mls multicast Catalyst 6000 Family Software Configuration Guide—Releases 6. page 14-xxxv Clearing IP MMLS Statistics. page 14-xxxvi Note IP MMLS is permanently enabled on Supervisor Engine 1 and cannot be disabled. Displaying Global IP MMLS Information on the Supervisor Engine These sections describe how to configure IP MMLS on Supervisor Engine 1: • • • • Displaying IP MMLS Configuration Information.3 and 6. Note To configure IP MMLS on the MSFC. page 14-xxxvi Displaying IP MMLS Entries. perform this task: Task Display global IP MMLS configuration information. Displaying IP MMLS Configuration Information The show mls multicast command displays global IP MMLS configuration information and the state of participating MSFCs. Displays packet data in and out of the SCP system. Displays errors and warnings in the SCP. see the “Configuring IP MMLS on the MSFC” section on page 14-xxviii. Reports timeouts. Table 14-10 SCP Debug Commands Command [no] debug scp async [no] debug scp data [no] debug scp errors [no] debug scp packets [no] debug scp timeouts [no] debug scp all Description Displays trace for asynchronous data in and out of the SCP system. Shows packet data trace. Turns on all SCP debugging messages.

4 78-13315-02 14-35 .3 and 6.252 (Active) Console> (enable) Displaying IP MMLS Statistics The show mls multicast statistics command displays IP MMLS statistics for multicast MSFCs. To display IP MMLS statistics for multicast MSFCs.254 (Active) 1.9.5.9.Chapter 14 Configuring MLS Configuring MLS This example shows how to display global IP MMLS configuration information: Console> (enable) show mls multicast Admin Status: Enabled Operational Status: Active Configured flow mask is {Destination-source-vlan flow} Active Entries = 10 Router include list : 1.1.5. perform this task: Task Display IP multicast MSFC statistics.1.1.1.252 ? 00-10-29-8d-88-01 Transmit: Delete Notifications: Acknowledgements: Flow Statistics: 22 75 22 Catalyst 6000 Family Software Configuration Guide—Releases 6. Command show mls multicast statistics [ip_addr] This example shows how to display IP MMLS statistics for multicast MSFCs: Console (enable) show mls multicast statistics Router IP Router Name Router MAC ------------------------------------------------------1.254 ? 00-50-0f-06-3c-a0 Transmit: Delete Notifications: Acknowledgements: Flow Statistics: 23 92 56 Receive: Open Connection Requests: 1 Keep Alive Messages: 72 Shortcut Messages: 19 Shortcut Install TLV: 8 Selective Delete TLV: 4 Group Delete TLV: 0 Update TLV: 3 Input VLAN Delete TLV: 0 Output VLAN Delete TLV: 0 Global Delete TLV: 0 MFD Install TLV: 7 MFD Delete TLV: 0 Router IP Router Name Router MAC ------------------------------------------------------1.

1.1. To clear IP MMLS statistics. You can display entries based on any combination of the participating MSFC.1 224. Console> (enable) Displaying IP MMLS Entries The show mls multicast entry command displays a variety of information about the multicast flows being handled by the PFC.1.11.12. Command show mls multicast entry [[[mod] [vlan vlan_id] [group ip_addr] [source ip_addr]] | [all]] This example shows how to display all IP MMLS entries: Console> (enable) show mls multicast entry all Router IP Dest IP Source IP Pkts Bytes InVlan OutVlans --------------. perform this task in privileged mode: Task Clear IP MMLS statistics.9.1.1.1 224.--------------.1.1.252 1.--------------.254 1.1.1.9.1.1.4 14-36 78-13315-02 .1.254 1.252 1.13.---------.1.1.12.1.11. To display information about IP MMLS entries.----------.1 1.5.3 1.9.5. perform this task in privileged mode: Task Display information about IP MMLS entries.1.1.1 1.3 and 6.252 1.12.Chapter 14 Configuring MLS Configuring MLS Receive: Open Connection Requests: Keep Alive Messages: Shortcut Messages: Shortcut Install TLV: Selective Delete TLV: Group Delete TLV: Update TLV: Input VLAN Delete TLV: Output VLAN Delete TLV: Global Delete TLV: MFD Install TLV: MFD Delete TLV: Console (enable) 1 68 6 4 2 0 0 0 0 0 4 0 Clearing IP MMLS Statistics The clear mls multicast statistics command clears IP MMLS statistics for all participating MSFCs.1.1 15870 473220 15759 473670 15810 473220 15840 2761380 82340280 2742066 82418580 2750940 82340280 2756160 20 12 20 11 20 12 20 Catalyst 6000 Family Software Configuration Guide—Releases 6.1 224.1 1. the VLAN.1 224.1.5.-------1.1. Command clear mls multicast statistics This example shows how to clear IP MMLS statistics: Console> (enable) clear mls multicast statistics All statistics for the MLS routers in include list are cleared.1.1.252 224.1.1.------.1 1.1.254 1.1.1 224.3 1.11.1. the multicast group address.1 224. or the multicast traffic source.5.1.3 1.

1 1.3.1.11.252 224.1 1.1.252 source 1.11.4.12.1.40.49.1.1.45 172.1 15870 15759 15810 15840 15840 2761380 2742066 2750940 2756160 2756160 20 20 20 20 20 This example shows how to display IP MMLS entries for a specific multicast group address: Console> (enable) show mls Router IP Dest IP -------------.--------------.11.---------172.9 12 25 3120 8.5.11.1 1.5.252 224.1.5.----------171.12.159 224.1.25 172.1.--------------.252 224.49.159 224.1.0.---------.1.3 472770 15840 473667 82261980 2756160 82418058 13 20 11 This example shows how to display IP MMLS entries for a specific MSFC: Console> (enable) show mls multicast entry 15 Router IP Dest IP Source IP Pkts Bytes InVlan OutVlans --------------.2 99 65142 22 30.1.37 172.1.9.1 226.1.2 396 235620 22 13.1.4 78-13315-02 14-37 .1.1.22.1 1.4 368 57776 40 23.1.1 226.--------------.1 Total Entries: 10 Console> (enable) 1.1.252 224.71 1.2.252 224.1.-------1.2.5.3 171.12.69.1 1.254 224.20.8 1.5.1.69.----------.------------------------.254 224.1 short Router IP Dest IP Source IP Pkts Bytes InVlan OutVlans --------------.--------172.3 Total Entries: 2 Console> (enable) multicast entry group 226.1.1.13.0.1.9.3 and 6.49.1.1.1.1 1.1.1.252 224.20 This example shows how to display IP MMLS entries for a specific MSFC and a specific multicast source address: Console> (enable) show mls multicast entry 15 1.1 1.1.8 20 171 23512 10.5.--------.6 1.3 1.3 1.1 1.1.1.Chapter 14 Configuring MLS Configuring MLS 1.------.1.--------------.22.1.1.5.13.1.1.1.1.1.1.-----.1.1 1.20.20.19 Console> (enable) Catalyst 6000 Family Software Configuration Guide—Releases 6.3 short Source IP InVlan Pkts Bytes OutVlans -----------.1.1.1.159 224.201.1 1.0.---------.22.3.1.2.-----.1.1 Total Entries: 5 Console> (enable) 1.

4 14-38 78-13315-02 .Chapter 14 Configuring MLS Configuring MLS Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.

C H A P T E R 15 Configuring NDE This chapter describes how to configure NetFlow Data Export (NDE) on the Catalyst 6000 family switches. Catalyst 6000 Family Software Configuration Guide—Releases 6. Note For complete syntax and usage information for the commands used in this chapter. page 15-iii Overview of NDE and Integrated Layer 3 Switching Management Catalyst 6000 family switches provide Layer 3 switching with Cisco Express Forwarding for Policy Feature Card 2 (CEF for PFC2) or with Multilayer Switching (MLS). page 15-iii Configuring NDE. Note NDE is not supported for IP multicast or Internetwork Packet Exchange (IPX) traffic. page 15-i Traffic Statistics Data Collection. This chapter consists of these sections: • • • Understanding How NDE Works. page 15-iii Understanding How NDE Works These sections describe how NDE works: • • • Overview of NDE and Integrated Layer 3 Switching Management. You can use NDE to monitor all Layer 3-switched traffic through the Multilayer Switch Feature Card (MSFC). NDE complements the embedded Remote Monitoring (RMON) capabilities on the switch that allow you to see all port traffic. page 15-i Default NDE Configuration. Note NDE version 7 and NDE version 8 are not supported for the MSFC.4 78-13315-02 15-1 .3 and 6. refer to the Catalyst 6000 Family Command Reference publication. page 15-ii Using NDE Filters.

Flow collectors.” Integrated Layer 3-switching management includes products. export the statistics.Chapter 15 Understanding How NDE Works Configuring NDE Note For information on configuring CEF for PFC2. gather and classify flows. “Configuring MLS. The switch or router transmits data to the flow collector by grouping flow entries for expired flows from its statistics cache into a User Datagram Protocol (UDP) datagram.3 and 6. collect and perform data reduction on the exported statistics. This flow information is then aggregated and fed to applications such as TrafficDirector. Figure 15-1 Integrated Layer 3 Switching Management Network planning Routers Accounting/Billing Switches Flow profiling RMON Probe Flow switching and data export Flow collection Flow consolidation Network monitoring Flow consumers 10699 Catalyst 6000 Family Software Configuration Guide—Releases 6. see Chapter 14. management utilities. and forward them to applications for traffic monitoring. which consists of a header and a series of flow entries. “Configuring CEF for PFC2 and PFC3. and partner applications designed to gather flow statistics. Traffic Statistics Data Collection An external data collector gathers flow entries from the statistics cache of one or more switches or Cisco routers. and accounting. see Chapter 13.” For information on configuring MLS. such as the Cisco SwitchProbe and NetFlow FlowCollector.4 15-2 78-13315-02 . See Figure 1. or NetFlow Analyzer. NetSys. planning.

page 15-v Enabling NDE. Table 15-1 Default NDE Configuration Feature NDE NDE data collector address and UDP port NDE filters Default Value Disabled None specified None configured Configuring NDE These sections describe how to configure NDE: • • • • • • • • • • • • Usage Guidelines.2. The source filter for host 10. in the filter specified in the following display if the flow mask is in destination-ip mode.15 are exported.15/32 Netflow data export: source filter set to 10. all expired flows are exported until you specify a filter. After specifying a filter.1.3 and 6. page 15-viii Specifying Protocols for Statistics Collection.1. all flows with destination address 9. Console> (enable) set mls nde flow destination 9. page 15-viii Catalyst 6000 Family Software Configuration Guide—Releases 6. page 15-vi Specifying a Destination TCP/UDP Port Filter. For example. only expired and purged flows matching the specified filter criteria are exported.2.1.2. page 15-v Specifying an NDE Source Address on the MSFC.4 78-13315-02 15-3 . page 15-iv Specifying an NDE Collector.Chapter 15 Configuring NDE Default NDE Configuration Using NDE Filters By default.2. only the destination filter is effective.2.1.15/32 source 10.15 is not effective (it is ignored). page 15-iv Specifying an NDE Destination Address on the MSFC. If the flow mask is destination-ip mode and the NDE filter contains a filter on both source and destination.15/32 Console> (enable) Default NDE Configuration Table 1 shows the default NDE configuration. page 15-vii Specifying a Protocol Filter.1. page 15-vii Specifying a Source Host and Destination TCP/UDP Port Filter.1. Filter values are stored in NVRAM and are not cleared when NDE is disabled.2. page 15-vi Specifying a Destination Host Filter.15/32 Netflow data export: destination filter set to 9. page 15-vi Specifying a Destination and Source Subnet Filter. page 15-viii Removing Protocols for Statistics Collection.

3 and 6. Keep specific flows from being added to the Netflow table with the set mls nde flow exclude command. page 15-ix Displaying the NDE Configuration. but packets from filtered protocols will go to the MSFC. • • • • Specifying an NDE Collector Before enabling NDE for the first time.file in the FlowCollector application. reduce the MLS fast aging time. see the “Specifying IP MLS Long-Duration Aging Time. “Configuring MLS. you must specify an NDE collector and UDP port to receive the exported statistics. For information on how to change the MLS fast aging time. “Configuring MLS. You can specify up to four protocol filters. For information on how to change the MLS aging time. Try to use a flow mask with the minimum granularity required to get the data you need. see the “Specifying MLS Aging-Time Value” section on page 14-17 in Chapter 14. Use the flow mask required to extract the kind of information you want. The collector address and UDP port number are saved in NVRAM and are preserved if NDE is disabled and reenabled or if the switch is power cycled.” If there are protocols with fewer packets per flow running.4 15-4 78-13315-02 .” Use the correct flow mask.Chapter 15 Configuring NDE Configuring NDE • • • • Clearing the NDE Flow Filter. Note If you are using the NetFlow FlowCollector application for data collection. generate fewer packets per flow and can be excluded from the NetFlow table with the set mls exclude protocol command.file. the load on the Layer 3 aging also increases. Some query protocols. For information on setting the flow mask. verify that the UDP port number you specify is the same port number shown in the FlowCollector’s nfconfig. and Packet Threshold Values” section on page 14-18 in Chapter 14. With a full flow mask.” Exclude entries with fewer packets per flow. page 15-x Usage Guidelines If too many entries are added to the NetFlow table. Fast Aging Time. 
Set the aging time high enough to keep the number of entries within the 32k-flow range of the PFC. like Domain Name System (DNS). This file is located at /opt/csconfc/config/nfconfig. To specify an NDE collector. A full flow mask gives more information but as the number of flows increase. page 15-ix Removing the NDE IP Address. follow these guidelines: • Reduce the MLS aging time. page 15-ix Disabling NDE. Command set mls nde {collector_ip | collector_name} {udp_port_number} Catalyst 6000 Family Software Configuration Guide—Releases 6. perform this task in privileged mode: Task Specify an NDE collector and UDP port for data export of hardware-switched packets. “Configuring MLS. you might need to decrease the MLS aging time because a full flow mask increases the number of flows per second. see the “Setting the Minimum IP MLS Flow Mask” section on page 14-19 in Chapter 14.

peform this task in privileged mode: Task Specify an NDE source address for data export of software-switched packets.4 78-13315-02 15-5 .Chapter 15 Configuring NDE Configuring NDE This example shows how to specify an NDE collector: Console> (enable) set mls nde Stargate 9996 Netflow data export not enabled.1(Stargate) Console> (enable) Specifying an NDE Destination Address on the MSFC To monitor data and statistics about Layer 3 traffic that is switched in software by the MSFC. Command ip flow-export destination {hostname | ip_address} {udp_port_number} This example shows how to specify the NDE collector from the MSFC: Router(config)# ip flow-export destination Stargate 9996 Router(config)# Specifying an NDE Source Address on the MSFC The MSFC and the PFC use the NDE source address when sending statistics to the data collection application. Netflow data export to port 9996 on 172. you must specify the NDE collector and UDP port on the MSFC by entering the ip flow-export destination command on the MSFC. Note The ip flow-export source vlan command is optional. peform this task in privileged mode: Task Specify an NDE collector and UDP port for data export of software-switched packets.20. Command ip flow-export source vlan {vlan_interface_number} This example shows how to specify the NDE source address on the MSFC: Router(config)# ip flow-export source vlan 10 Router(config)# Catalyst 6000 Family Software Configuration Guide—Releases 6. the MSFC and PFC automatically use the IP address of one of the MSFC VLAN interfaces. You configure the source address on the MSFC so the data collection application can aggregate export data from both the MSFC and the PFC for the same flow by entering the ip flow-export source vlan command on the MSFC. To specify the NDE source address for Layer 3 traffic that is being switched by the MSFC.3 and 6. To specify the NDE collector for Layer 3 traffic that is being switched by the MSFC. 
If you do not specify an NDE source address on the MSFC.15.

4 15-6 78-13315-02 . Command set mls nde flow destination [ip_addr_spec] source [ip_addr_spec] Catalyst 6000 Family Software Configuration Guide—Releases 6.194.20.69.140 are exported: Console> (enable) set mls nde flow destination 171.69.194. Netflow data export to port 9996 on 172. perform this task in privileged mode: Task Specify a destination host filter for an NDE flow. perform this task in privileged mode: Task Specify a destination and source subnet filter for an NDE flow.255.194. you see this display: Console> (enable) set mls nde enable Please set host name and UDP port number with ‘set mls nde <collector_ip> <udp_port_number>’.3 and 6.255. Command set mls nde enable This example shows how to enable NDE on the switch: Console> (enable) set mls nde enable Netflow data export enabled.15.Chapter 15 Configuring NDE Configuring NDE Enabling NDE To enable NDE.140 Netflow Data Export successfully set Destination filter is 171. Console> (enable) Specifying a Destination Host Filter To specify a destination host filter.69.140/255. Command set mls nde flow destination [ip_addr_spec] This example shows how to specify a destination host filter so that only expired flows to host 171. perform this task in privileged mode: Task Enable NDE on the switch.1 (Stargate) Console> (enable) If you attempt to enable NDE without first specifying a collector.255 Filter type: include Console> (enable) Specifying a Destination and Source Subnet Filter To specify a destination and source subnet filter.

194.0/24 Filter type: include Console> (enable) Specifying a Destination TCP/UDP Port Filter To specify a destination TCP/UDP port filter.194.0 from subnet 171. Command set mls nde flow dst_prt [port_number] This example shows how to specify a destination TCP/UDP port filter so that only expired flows to destination port 23 are exported (assuming the flow mask is set to ip-flow): Console> (enable) set mls nde flow dst_port 23 Netflow Data Export successfully set Destination port filter is 23 Filter type: include Console> (enable) Specifying a Source Host and Destination TCP/UDP Port Filter To specify a source host and destination TCP/UDP port filter.194.140/255.140/24 source 171.69.194.0/24 Destination filter is 171.140 to destination port 23 are exported (assuming the flow mask is set to ip-flow): Console> (enable) set mls nde flow source 171.69.255.194.5/24 Netflow Data Export successfully set Source filter is 171.173.69.69.69.140 dst_port 23 Netflow Data Export successfully set Source filter is 171.69.0 are exported (assuming the flow mask is set to source-destination-ip): Console> (enable) set mls nde flow destination 171.173.255.3 and 6.69.69.4 78-13315-02 15-7 . perform this task in privileged mode: Task Specify a destination TCP/UDP port filter for an NDE flow.255 Destination port filter is 23 Filter type: include Console> (enable) Catalyst 6000 Family Software Configuration Guide—Releases 6.194.69. Command set mls nde flow source [ip_addr_spec] dst_prt [port_number] This example shows how to specify a source host and destination TCP/UDP port filter so that only expired flows from host 171.173.Chapter 15 Configuring NDE Configuring NDE This example shows how to specify a destination and source subnet filter so that only expired flows to subnet 171. perform this task in privileged mode: Task Specify a source host and destination TCP/UDP port filter for an NDE flow.

Use the all keyword to remove all protocols for statistics collection. The port argument specifies the protocol port. Command set mls nde flow protocol protocol This example shows how to specify a protocol filter so that only expired flows from protocol 17 are exported: Console> (enable) set mls nde flow protocol 17 Netflow Data Export filter successfully set. igmp. tcp. udp. or a decimal number for other protocol families.Chapter 15 Configuring NDE Configuring NDE Specifying a Protocol Filter To specify a protocol filter. Protocol filter is 17 Filter type: include Console> (enable) Specifying Protocols for Statistics Collection You can enter the set mls statistics protocol protocol port command to specify up to 64 different protocols for which to collect statistics to be exported using NDE.3 and 6. The protocol argument can be ip.4 15-8 78-13315-02 . To specify protocols for statistics collection. perform this task in privileged mode: Task Remove protocols for statistics collection. To remove protocols for statistics collection. Command set mls statistics protocol protocol port This example shows how to specify a protocol for statistics collection: Console> (enable) set mls statistics protocol 17 1934 Protocol 17 port 1934 is added to protocol statistics list. icmp. Command clear mls statistics protocol {protocol port | all} Catalyst 6000 Family Software Configuration Guide—Releases 6. Console> (enable) Removing Protocols for Statistics Collection You can enter the clear mls statistics protocol {protocol port | all} command to specify up to 64 different protocols for which to collect statistics to be exported using NDE. icmp. perform this task in privileged mode: Task Specify protocols for statistics collection. perform this task in privileged mode: Task Specify a protocol filter for an NDE flow. The protocol argument can be tcp. or a decimal number for other protocol families. ipinip. and udp. The port argument specifies the protocol port.

if NDE is enabled and you disable MLS. perform this task in privileged mode: Task Disable NDE on the switch. perform this task in global configuration mode: Task Remove the NDE IP address from the MSFC.Chapter 15 Configuring NDE Configuring NDE This example shows how to remove a protocol for statistics collection: Console> (enable) clear mls statistics protocol 17 1934 Protocol 17 port 1934 cleared from protocol statistics list. Command set mls nde disable This example shows how to disable NDE on the switch: Console> (enable) set mls nde disable Netflow data export disabled. perform this task in privileged mode: Task Clear the NDE flow filter. Console> (enable) Clearing the NDE Flow Filter To clear the NDE flow filter and reset the filter to the default (all flows exported). Command clear mls nde flow This example shows how to clear the NDE flow filter so that all flows are exported: Console> (enable) clear mls nde flow Netflow data export filter cleared. you lose the statistics for existing cache entries—they are not exported.3 and 6. Console> (enable) Removing the NDE IP Address To remove the NDE IP address from the MSFC.4 78-13315-02 15-9 . Console> (enable) Disabling NDE Note With Supervisor Engine 1 and a PFC. Command Router(config)# no mls nde-address [ip_addr] Catalyst 6000 Family Software Configuration Guide—Releases 6. To disable NDE on the switch.

0 Destination port filter is 23 Total packets exported = 26784 Console> (enable) Catalyst 6000 Family Software Configuration Guide—Releases 6.194.1 Router(config)# Displaying the NDE Configuration To display the NDE configuration on the switch.20.140/255.4 15-10 78-13315-02 .170. perform this task in privileged mode: Task Display the NDE configuration on the switch.69.Chapter 15 Configuring NDE Configuring NDE This example shows how to remove the NDE IP addresses from the MSFC: Router(config)# no mls nde-address 170.15. Command show mls nde This example shows how to display the NDE configuration on the switch: Console> (enable) show mls nde Netflow Data Export enabled Netflow Data Export configured for port 1098 on host 172.255.1 Source filter is 171.3 and 6.255.2.

Configuration of the ACLs depends on the type of hardware you install on your supervisor engine. page 16-xvi Using VACLs in your Network. page 16-ii Applying Cisco IOS ACLs and VACLs on VLANs. page 16-xxiii Unsupported Features.4 78-13315-02 16-1 . the information and procedures in this chapter apply to both Supervisor Engine 2 with Layer 3 Switching Engine II (Policy Feature Card 2 or PFC2) and Supervisor Engine 1 with Layer 3 Switching Engine II (Policy Feature Card or PFC). page 16-xlviii Note Except where specifically differentiated. This chapter consists of these sections: • • • • • • • • • • • Understanding How ACLs Work.3 and 6. page 16-ii Hardware Requirements.C H A P T E R 16 Configuring Access Control This chapter describes how to configure access control lists (ACLs) on the Catalyst 6000 family switches. page 16-viii Using Cisco IOS ACLs in your Network. page 16-ii Supported ACLs. Catalyst 6000 family switches with the Multilayer Switch Feature Card (MSFC) can accelerate packet routing between VLANs by using Layer 3 switching (Multilayer Catalyst 6000 Family Software Configuration Guide—Releases 6. switches operated at Layer 2 only. page 16-xxix Configuring and Storing VACLs and QoS ACLs in Flash Memory. Note For complete syntax and usage information for the commands used in this chapter. See the “Hardware Requirements” section on page 16-ii for details. switches switched traffic within a VLAN and routers routed traffic between VLANs. page 16-x Using VACLs with Cisco IOS ACLs. page 16-xxviii Configuring VACLs. Understanding How ACLs Work Traditionally. refer to the Catalyst 6000 Family Command Reference publication. page 16-xliii Configuring Policy-Based Forwarding.

page 16-iii VACLs. “Configuring QoS” for more information. Hardware Requirements The hardware that is required to configure ACLs on Catalyst 6000 family switches is as follows: • Cisco IOS ACLs: – Policy Feature Card (PFC) and MSFC or MSFC2 – PFC2 and MSFC2 • VACLs and QoS ACLs: – PFC – PFC2 Note The QoS feature set supported on your switch is determined by which switching engine daughter card is installed on the supervisor engine. all packets (routed or bridged) entering the VLAN are checked against the VACL. the packet is then routed internally without going to the router. Classified packets can be subject to a number of features such as access control (security). VACLs can provide access control based on Layer 3 addresses for IP and IPX protocols. During this process.” Catalyst 6000 Family Software Configuration Guide—Releases 6. including packets bridged within a VLAN. The switch first bridges the packet. Packets can either enter the VLAN through a switch port or through a router port after being routed. See Chapter 41. and VLAN ACLs (VACLs) provide access control for all packets.Chapter 16 Hardware Requirements Configuring Access Control Switching [MLS]). policy-based routing.3 and 6. Supported ACLs These sections describe the ACLs supported by the Catalyst 6000 family switches: • • • QoS ACLs. Unsupported protocols are access controlled through MAC addresses. Standard and extended Cisco IOS ACLs are only configured on router interfaces and applied on routed packets. encryption. page 16-iii Cisco IOS ACLs.4 16-2 78-13315-02 . A VACL is applied to all packets (bridged and routed) and can be configured on any VLAN interface. page 16-iii QoS ACLs You can configure QoS ACLs on the switch. the switch can access control all packets it switches. Standard and extended Cisco IOS ACLs are used to classify packets. and so on. see Chapter 41. and then the packet is bridged again to send it to its destination. “Configuring QoS. 
Cisco IOS ACLs provide access control for routed traffic between VLANs. Once a VACL is configured on a VLAN.

and/or reflexive) Encryption ACLs (not supported on the MSFC) NAT ACLs (for inside-to-outside translation) WCCP ACL TCP intercept ACL VACLs The following sections describe VACLs: • • • VACL Overview. For example. Cisco IOS software examines it multiple times. For such features. ACLs are applied on all interfaces for a given direction. page 16-v VACL Overview VACLs can access control all traffic. One Cisco IOS ACL can be used with multiple features for a given interface. Catalyst 6000 Family Software Configuration Guide—Releases 6. An ACL provides access control and consists of an ordered set of access control entries (ACEs). page 16-iv Handling Fragmented and Unfragmented Traffic. and/or reflexive) Encryption ACLs (not supported on the MSFC) Policy routing ACLs Network Address Translation (NAT) for outside-to-inside translation After packets are routed and before they are forwarded out to the next hop. However. As an example. Cisco IOS software examines ACLs that are associated with all inbound features that are configured on that interface for the following: • • • • Inbound access control ACLs (standard. Web Cache Redirect (through the Web Cache Coordination Protocol [WCCP]) uses ACLs to specify HTTP flows that can be redirected to a Web cache engine. VACLs are not defined by direction (input or output). some features use ACLs globally. Cisco IOS software examines ACLs that are associated with features that are configured on a given interface and a direction. Unlike Cisco IOS ACLs. extended. VACLs are strictly for security packet filtering and redirecting traffic to specific physical switch ports. When a single ACL is used by multiple features. As packets enter the router on a given interface.Chapter 16 Configuring Access Control Supported ACLs Cisco IOS ACLs Cisco IOS ACLs are configured on the MSFC VLAN interfaces. 
Cisco IOS examines all ACLs that are associated with the outbound features that are configured on the egress interface for the following: • • • • • Outbound access control ACLs (standard. Many other features in Cisco IOS software also use ACLs for specifying flows. You can configure VACLs on the switch to apply to all packets that are routed into or out of a VLAN or are bridged within a VLAN. TCP intercept uses a global ACL that is applied on all interfaces for outbound direction. and one feature can use multiple ACLs. page 16-iv ACEs Supported in VACLs. Most Cisco IOS features are applied on interfaces for specific directions (inbound versus outbound).3 and 6.4 78-13315-02 16-3 . extended.

ACEs Supported in VACLs A VACL contains an ordered list of access control entries (ACEs). You can enforce VACLs only on packets going through the Catalyst 6000 family switch.4 16-4 78-13315-02 . you cannot enforce VACLs on traffic between hosts on a hub or another switch connected to the Catalyst 6000 family switch. Table 16-1 ACE Types and Parameters ACE Type Layer 4 parameters TCP or UDP1 Source port Source port operator Destination port Destination port operator N/A ICMP1 Other IP1 IPX Ethernet2 ICMP code1 ICMP type IP ToS byte IP source address IP destination address N/A IP ToS byte IP source address IP destination address IPX source network IPX destination network IPX destination node Layer 3 parameters IP ToS byte IP source address IP destination address TCP or UDP ICMP Other protocol IPX packet type Catalyst 6000 Family Software Configuration Guide—Releases 6. Caution IP traffic and IPX traffic are not access controlled by MAC VACLs. Catalyst 6000 family switches support three types of ACEs in the hardware: • • • IP ACEs IPX ACEs Ethernet ACEs Table 1 lists the parameters associated with each ACE type. Each VACL can contain ACEs of only one type. Each ACE contains a number of fields that are matched against the contents of a packet. All other traffic types (AppleTalk. An action is associated with each ACE that describes what the system should do with the packet when a match occurs. DECnet. Each field can have an associated bit mask to indicate which bits are relevant. All other protocols are access controlled through MAC addresses and Ethertype using MAC VACLs.3 and 6.Chapter 16 Supported ACLs Configuring Access Control You can configure VACLs on Layer 3 addresses for IP and IPX. and so on) are classified as MAC traffic and MAC VACLs are used to access control this traffic. The action is feature dependent.

Table 16-1 ACE Types and Parameters (continued)

ACE Type         Layer 2 parameters
Ethernet (2)     Ethertype, Ethernet source address, Ethernet destination address

1. IP ACEs.
2. For Ethernet packets that are not IP version 4 or IPX.

Handling Fragmented and Unfragmented Traffic

TCP/UDP or any Layer 4 protocol traffic, when fragmented, loses the Layer 4 information (Layer 4 source/destination ports). Layer 4 parameters of ACEs can filter unfragmented traffic and fragmented traffic with fragments that have offset 0. IP fragments that have an offset other than 0 miss the Layer 4 port information and cannot be filtered. This situation makes it difficult to enforce security based on the application. The fragments that have an offset other than 0 are permitted as a default.

In releases prior to software release 6.1(1), the fragment filtering was completely transparent. You would type an ACE such as permit tcp ... port eq port_number and the software would implicitly install the following ACE at the top of the ACL: permit tcp any any fragments.

In software release 6.1(1) and later releases, there is a fragment option. This keyword allows you to control how fragments are handled. If you specify the fragment keyword, you can identify fragments and distinguish them from the rest of the TCP/UDP traffic. If you do not specify the fragment keyword, the behavior is the same as in previous releases; fragments that have an offset other than 0 are also permitted as a default result for fragments. If you specify the fragment keyword and packets are fragmented, the system does not automatically install a global permit statement for fragments.

The following examples show how ACEs handle packet fragmentation.

permit tcp host 1.1.1.1 eq 68 host 2.2.2.2 eq 34

This example shows that the traffic coming from 1.1.1.1 port 68 and going to 2.2.2.2 port 34 is permitted. If the traffic from 1.1.1.1 port 68 is fragmented, the first fragment hits this entry and is permitted, and the rest of the traffic from port 68 does not hit this entry.

deny tcp host 1.1.1.1 eq 68 host 2.2.2.2 eq 34

This example shows that the fragment that has offset 0 of the traffic from 1.1.1.1 port 68 going to 2.2.2.2 port 34 is denied. The fragments that have an offset other than 0 are permitted as a default.

redirect 4/3 tcp host 1.1.1.1 eq 68 host 2.2.2.2 eq 34

This example shows that if the traffic from 1.1.1.1 port 68 is fragmented, only the first fragment goes to port 4/3.

When you specify the fragment keyword for at least one ACE, the system does not install the global permit TCP or UDP fragments statement. However, the software implicitly installs ACEs to permit flows to a specific IP address (or subnet) that you specify.

Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments. If the entry is a deny statement, the next access-list entry is processed.

In this ACL example, all the fragments for TCP traffic are permitted as the permit tcp any any fragments ACE is added automatically at the top of the ACL as follows:

permit tcp any any fragments
1. permit tcp any host 10.1.1.2 eq www
2. permit udp any host 10.1.1.2 eq 69
3. permit udp any gt 1023 10.1.1.2 gt 1023
4. deny ip any host 10.1.1.2
5. permit ip any any

In the above example, if you change entry 1 as follows:

1. deny tcp any host 10.1.1.2 eq www

there will not be a permit tcp any any fragments ACE added at the top of the ACL.

In this example, host 10.1.1.2 is configured to serve HTTP connections. Later in the ACL, the permit udp any host 10.1.1.2 eq 69 entry allows clients to connect to the TFTP server 10.1.1.2. The system automatically installs a permit for all fragments of udp traffic to host 10.1.1.2. If you do not use a fragment ACE, fragments would be denied by the entry deny ip any host 10.1.1.2. The deny tcp any host 10.1.1.2 fragment entry stops fragmented traffic going to all TCP ports on host 10.1.1.2.

1. deny tcp any host 10.1.1.2 fragment
2. permit tcp any host 10.1.1.2 eq www
3. permit udp any host 10.1.1.2 eq 69
4. permit udp any gt 1023 10.1.1.2 gt 1023
5. deny ip any host 10.1.1.2
6. permit ip any any

If you explicitly want to stop fragmented UDP traffic to host 10.1.1.2, enter deny udp any host 10.1.1.2 fragment before entry number 3 as shown in this example:

[...]
2. permit tcp any host 10.1.1.2 eq www
3. deny udp any host 10.1.1.2 fragment
4. permit udp any host 10.1.1.2 eq 69
5. permit udp any gt 1023 10.1.1.2 gt 1023
[...]
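The fragment rules above are easy to misread, so the following model, added here as an example and not Cisco code, parses ACEs in the syntax the guide uses, installs the implicit fragments entries the text describes, and evaluates initial and noninitial fragments against the three ACLs listed above. The packet model, the rule that an ACE with Layer 4 ports never matches a noninitial fragment, and the placement of the per-host implicit permit directly before the ACE it derives from are assumptions of this model; the ACL contents come from the text.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "tftp": 69, "ftp": 21, "ftp-data": 20, "domain": 53}
PortOp = Optional[Tuple[str, int]]       # (operator, port) or None for "any port"


@dataclass
class Ace:
    action: str                          # "permit" or "deny"
    proto: str                           # "tcp", "udp" or "ip"
    src: str                             # "any" or a host address
    dst: str
    sport: PortOp = None
    dport: PortOp = None
    fragments: bool = False              # ACE carries the 'fragment' keyword
    implicit: bool = False               # installed by the system, not typed by the user

    def has_l4(self) -> bool:
        return self.sport is not None or self.dport is not None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None          # None on a noninitial fragment: no Layer 4 header
    dport: Optional[int] = None
    frag_offset: int = 0                 # offset other than 0 marks a noninitial fragment


def parse_ace(line: str) -> Ace:
    """Parse e.g. 'deny tcp any host 10.1.1.2 fragment' or 'permit udp any gt 1023 10.1.1.2 gt 1023'."""
    toks = line.split()
    pos = 2                              # toks[0] is the action, toks[1] the protocol

    def address() -> str:
        nonlocal pos
        if toks[pos] == "host":          # 'host a.b.c.d'
            pos += 2
            return toks[pos - 1]
        pos += 1                         # 'any', or a bare address as the text writes it
        return toks[pos - 1]

    def port_op() -> PortOp:
        nonlocal pos
        if pos < len(toks) and toks[pos] in ("eq", "gt", "lt", "neq"):
            op, val = toks[pos], toks[pos + 1]
            pos += 2
            return (op, int(val) if val.isdigit() else PORT_NAMES[val])
        return None

    src, sport = address(), port_op()
    dst, dport = address(), port_op()
    frag = pos < len(toks) and toks[pos] in ("fragment", "fragments")
    return Ace(toks[0], toks[1], src, dst, sport, dport, frag)


def install_implicit(acl: List[Ace]) -> List[Ace]:
    """Expand a user ACL into what the text says the system installs.

    No 'fragment' keyword anywhere: one global 'permit <proto> any any fragments' at the top for
    each protocol that has a permit ACE with Layer 4 ports.  Keyword on at least one ACE: no global
    entry; instead 'permit <proto> any <dst> fragments' for the host of each such permit ACE,
    placed (assumption) right before that ACE so an earlier 'deny ... fragment' wins."""
    uses_keyword = any(a.fragments for a in acl)
    globals_: List[Ace] = []
    expanded: List[Ace] = []
    for a in acl:
        if a.action == "permit" and a.proto in ("tcp", "udp") and a.has_l4():
            imp = Ace("permit", a.proto, "any", a.dst if uses_keyword else "any",
                      fragments=True, implicit=True)
            target = expanded if uses_keyword else globals_
            if imp not in target:
                target.append(imp)
        expanded.append(a)
    return globals_ + expanded


def _match_port(spec: PortOp, value: Optional[int]) -> bool:
    if spec is None:
        return True
    if value is None:
        return False
    op, port = spec
    return {"eq": value == port, "gt": value > port, "lt": value < port, "neq": value != port}[op]


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE decides; the implicit deny at the end of the list applies otherwise."""
    noninitial = pkt.frag_offset != 0
    for a in install_implicit(acl):
        if not (a.proto in ("ip", pkt.proto) and a.src in ("any", pkt.src) and a.dst in ("any", pkt.dst)):
            continue
        if a.fragments:                  # 'fragment' ACEs match only noninitial fragments
            if noninitial:
                return a.action
            continue
        if a.has_l4():
            if noninitial:               # no Layer 4 ports to compare: the next entry is processed
                continue
            if not (_match_port(a.sport, pkt.sport) and _match_port(a.dport, pkt.dport)):
                continue
        return a.action
    return "deny"


def acl(*lines: str) -> List[Ace]:
    return [parse_ace(line) for line in lines]


# The ACLs listed in the text.
ACL_NO_KEYWORD = acl("permit tcp any host 10.1.1.2 eq www", "permit udp any host 10.1.1.2 eq 69",
                     "permit udp any gt 1023 10.1.1.2 gt 1023", "deny ip any host 10.1.1.2",
                     "permit ip any any")
ACL_ENTRY1_DENY = acl("deny tcp any host 10.1.1.2 eq www") + ACL_NO_KEYWORD[1:]
ACL_TCP_FRAGMENT_DENY = acl("deny tcp any host 10.1.1.2 fragment") + ACL_NO_KEYWORD
ACL_UDP_FRAGMENT_DENY = (ACL_TCP_FRAGMENT_DENY[:2] + acl("deny udp any host 10.1.1.2 fragment")
                         + ACL_TCP_FRAGMENT_DENY[2:])


def page_examples() -> dict:
    """Outcome for a first fragment (ports present) and for noninitial fragments (no ports)."""
    first = Packet("tcp", "1.1.1.1", "10.1.1.2", 40000, 80, 0)       # constructed sample packets
    tcp_rest = Packet("tcp", "1.1.1.1", "10.1.1.2", frag_offset=185)
    udp_rest = Packet("udp", "1.1.1.1", "10.1.1.2", frag_offset=185)
    return {
        "first fragment, no keyword": evaluate(ACL_NO_KEYWORD, first),
        "tcp rest, no keyword": evaluate(ACL_NO_KEYWORD, tcp_rest),
        "tcp rest, entry 1 deny": evaluate(ACL_ENTRY1_DENY, tcp_rest),
        "tcp rest, deny tcp fragment": evaluate(ACL_TCP_FRAGMENT_DENY, tcp_rest),
        "udp rest, deny tcp fragment": evaluate(ACL_TCP_FRAGMENT_DENY, udp_rest),
        "udp rest, deny udp fragment": evaluate(ACL_UDP_FRAGMENT_DENY, udp_rest),
    }
```

With the first ACL the noninitial TCP fragments reach the global implicit permit; once entry 1 becomes a deny that permit is not installed and the fragments fall through to deny ip any host 10.1.1.2. With the fragment keyword in use, the per-host implicit permit for UDP is what lets TFTP fragments through, and only an explicit deny udp ... fragment placed before it stops them, which is why the text places that entry before entry number 3.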

Applying Cisco IOS ACLs and VACLs on VLANs

This section describes how to apply Cisco IOS ACLs and VACLs to the VLAN for bridged packets, routed packets, and multicast packets. These sections show how ACLs and VACLs are applied:
• Bridged Packets, page 16-viii
• Routed Packets, page 16-viii
• Multicast Packets, page 16-ix

Bridged Packets

Figure 16-1 shows how an ACL is applied on bridged packets. For bridged packets, only Layer 2 ACLs are applied to the input VLAN.

Figure 16-1 Applying ACLs on Bridged Packets
[Figure: Host A (VLAN 10) and Host B (VLAN 10) on a Catalyst 6500 Series Switch with PFC; the VACL is applied to the bridged packet]

Routed Packets

Figure 16-2 shows how ACLs are applied on routed/Layer 3-switched packets. For routed/Layer 3-switched packets, the ACLs are applied in the following order:
1. VACL for input VLAN
2. Input Cisco IOS ACL
3. Output Cisco IOS ACL
4. VACL for output VLAN

Figure 16-2 Applying ACLs on Routed Packets
[Figure: Host A (VLAN 10) and Host B (VLAN 20) on a Catalyst 6500 series switch with MSFC; the packet passes the input VACL (bridged), the input IOS ACL and output IOS ACL on the MSFC (routed), and the output VACL (bridged)]

Multicast Packets

Figure 16-3 shows how ACLs are applied on packets that need multicast expansion. For packets that need multicast expansion, the ACLs are applied in the following order:
1. Packets that need multicast expansion:
   a. VACL for input VLAN
   b. Input Cisco IOS ACL
2. Packets after multicast expansion:
   a. Output Cisco IOS ACL
   b. VACL for output VLAN
3. Packets originating from router:
   a. VACL for output VLAN

Figure 16-3 Applying ACLs on Multicast Packets
[Figure: Host A and Host C (VLAN 10), Host B and Host D (VLAN 20) on a Catalyst 6500 Series Switch with MSFC; input IOS ACL and VACL (bridged), MSFC (routed), output IOS ACL and VACL, and the IOS ACL for the output VLAN for packets originating from the router]

Using Cisco IOS ACLs in your Network

Note Configuring Cisco IOS ACLs on the Catalyst 6000 family switch routed-VLAN interfaces is the same as configuring ACLs on other Cisco routers. To configure Cisco IOS ACLs, refer to the Cisco IOS configuration guides and command reference publication. For example, to configure ACLs for IP, refer to the “Configuring IP Services” chapter in the Network Protocols Configuration Guide, Part 1. In addition, see the “Unsupported Features” section on page 16-xxviii and the “VACL Configuration Guidelines” section on page 16-xxix.

When a feature is configured on the router to process traffic (such as NAT), the Cisco IOS ACL associated with the feature determines the specific traffic that is bridged to the router instead of being Layer 3 switched. The router then applies the feature and routes the packet normally. Note that there are some exceptions to this process as described in the “Hardware and Software Handling of Cisco IOS ACLs with PFC” section on page 16-xi.

Note In systems with redundant MSFCs, the ACL configurations for Cisco IOS ACLs and VACLs must be the same on both MSFCs.

Caution For PFC: By default, the MSFC sends Internet Control Message Protocol (ICMP) unreachables when a packet is denied by an access group. These access-group denied packets are not dropped in the hardware but are bridged to the MSFC so that the MSFC can generate the ICMP-unreachable message. To drop access-group denied packets in the hardware, you must disable ICMP unreachables using the no ip unreachables interface configuration command. Note that the ip unreachables command is enabled by default. For PFC2: If IP unreachables or IP redirect is enabled on an interface, the deny is performed in hardware, although a small number of packets are sent to the MSFC2 to generate the appropriate ICMP-unreachable messages.

These sections describe hardware and software handling of ACLs with PFC and PFC2:
• Hardware and Software Handling of Cisco IOS ACLs with PFC, page 16-xi
• Hardware and Software Handling of Cisco IOS ACLs with PFC2, page 16-xiii

Hardware and Software Handling of Cisco IOS ACLs with PFC

This section describes hardware and software handling of Cisco IOS ACLs with the PFC.

Note For information on Cisco IOS ACLs with PFC2, see the “Hardware and Software Handling of Cisco IOS ACLs with PFC2” section on page 16-xiii.

ACL feature processing requires forwarding of some flows by the software. The forwarding rate for software-forwarded flows is substantially less than for hardware-forwarded flows. This process significantly degrades system performance.

Note When you enter the show ip access-list command, the match count displayed does not account for packets access controlled in the hardware.

Note IPX Cisco IOS ACLs with the source host node number specified cannot be enforced on the switch in the hardware; the MSFC has to process the ACL in the software.

Flows that require logging as specified by the ACL are handled in the software without impacting non-log flow forwarding in the hardware.

These sections describe how different types of ACLs and traffic flows are handled by the hardware and the software:
• Security Cisco IOS ACLs, page 16-xii
• Reflexive ACLs, page 16-xii
• TCP Intercept, page 16-xii
• Policy Routing, page 16-xiii
• WCCP, page 16-xiii

• NAT, page 16-xiii
• Bridge-Groups, page 16-xiii
• Unicast RPF Check, page 16-xiii

Security Cisco IOS ACLs

The IP and IPX security Cisco IOS ACLs with PFC are as follows:
• The flows that match a “deny” statement in a security ACL are dropped by the hardware if “ip unreachables” is disabled.
• The flows matching a “permit” statement are switched in the hardware.
• Permit and deny actions of standard and extended ACLs (input and output) for security access control are handled in the hardware.
• Dynamic (lock and key) ACL flows are supported in the hardware.
• IPX standard input and output ACLs are supported in the hardware when the ACL parameters are IPX source network, destination network, and/or destination node.
• IPX extended input and output ACLs are supported in the hardware when the ACL parameters are IPX source network, destination network, destination node, and/or protocol type. If the ACL contains any other parameters, it is handled in the software.
• ACL flows requiring logging are handled in the software without impacting non-log flow forwarding in the hardware.
• IP accounting for an ACL access violation on a given interface is supported by forwarding all denied packets for that interface to the software, without impacting other flows.

Reflexive ACLs

Up to 512 simultaneous reflexive sessions are supported in the hardware; however, idle timeout is not supported. Note that when reflexive ACLs are applied, the flow mask is changed to VLAN-full flow.

TCP Intercept

The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack. The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and binds the two half-connections together transparently. This process ensures that connection attempts from unreachable hosts never reach the server. The software continues to intercept and forward packets throughout the duration of the connection.

Policy Routing

Policy routing-required flows are handled in the software without impacting non-policy routed flow forwarding in the hardware. When you enable hardware policy routing using the mls ip pbr global command, all policy routing occurs in the hardware. However, for route maps containing both “match ip address” and “match length,” all traffic matching the ACL in the “match ip address” clause is forwarded to the software regardless of the match length criteria. For route maps that only contain match length clauses, all packets received on the interface are forwarded to the software. When a route map contains multiple “match” clauses, all conditions imposed by these match clauses must be met before a packet is policy routed.

Caution If you use the mls ip pbr command to enable policy routing, policy routing is applied in the hardware for all interfaces regardless of which interface was configured for policy routing.

WCCP

HTTP requests subject to Web Cache Coordination Protocol (WCCP) redirection are handled in the software. HTTP replies from the server and the Cache Engine are handled in the hardware.

NAT

NAT-required flows are handled in the software without impacting non-NAT flow forwarding in the hardware.

Bridge-Groups

Cisco IOS bridge-group ACLs are handled in the software.

Unicast RPF Check

The unicast RPF feature is supported in hardware on the PFC. For ACL-based RPF checks, packets denied by the ACL are sent to the CPU for RPF validation.

Note Drop-suppress statistics for ACL-based RPF check is not supported.

Caution With ACL-based unicast RPF, traffic denied by the unicast RPF ACL is forwarded to the MSFC for RPF validation. In the event of DOS attacks, these packets will most likely match the deny ACE and be forwarded to the CPU. Under heavy traffic conditions, this could cause high CPU utilization.

Hardware and Software Handling of Cisco IOS ACLs with PFC2

This section describes hardware and software handling of Cisco IOS ACLs with the PFC2.

These sections describe how different types of ACLs and traffic flows are handled by the hardware and the software in systems with PFC2:
• Security Cisco IOS ACLs, page 16-xiv
• Reflexive ACLs, page 16-xv
• TCP Intercept, page 16-xv
• Policy Routing, page 16-xv
• WCCP, page 16-xv
• NAT, page 16-xvi
• Bridge-Groups, page 16-xvi
• Unicast RPF Check, page 16-xvi

ACL feature processing requires forwarding some flows to the software. The forwarding rate for software-forwarded flows is substantially less than for hardware-forwarded flows. This process significantly degrades system performance.

Note When you enter the show ip access-list command, the match count displayed does not account for packets access controlled in the hardware.

Note IPX Cisco IOS ACLs with the source host node number specified cannot be enforced on the switch in the hardware; the MSFC has to process the ACL in the software.

Flows that require logging, as specified by the ACL, are handled in the software without impacting non-log flow forwarding in the hardware.

Security Cisco IOS ACLs

The IP and IPX security Cisco IOS ACLs with PFC2 are as follows:
• If either the “ip unreachables” or “ip redirect” options are enabled, most of the packets of the flows that match a “deny” statement in an ACL are dropped by the hardware; only a few packets are processed in software in order for the router to send the appropriate ICMP-unreachable message.
• Permit and deny actions of standard and extended ACLs (input and output) for security access control are handled in the hardware.
• Dynamic (lock and key) ACL flows are supported in the hardware.
• IPX standard input and output ACLs are supported in the hardware when the ACL parameters are IPX source network, destination network, and/or destination node.
• IPX extended input and output ACLs are supported in the hardware when the ACL parameters are IPX source network, destination network, destination node, and/or protocol type. If the ACL contains any other parameters, it is handled in the software.
• ACL flows requiring logging are handled in the software without impacting non-log flow forwarding in the hardware.
• IP accounting for an ACL access violation on a given interface is supported by forwarding all denied packets for that interface to the software, without impacting other flows.

Reflexive ACLs

ICMP packets are handled in the software. For TCP/UDP flows, once the flow is established, they are handled in hardware. Note that when reflexive ACLs are applied, the flow mask is changed to VLAN-full flow.

TCP Intercept

The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack. The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and binds the two half-connections together transparently. This process ensures that connection attempts from unreachable hosts never reach the server. The software continues to intercept and forward packets throughout the duration of the connection.

The hardware support for TCP intercept on a PFC2 is as follows:
1. Once the TCP intercept feature has been configured, all TCP SYN packets matching the ACEs with a permit clause in the TCP intercept ACL and which are permitted by the security ACL are sent to the software to apply the TCP intercept functionality. This process occurs even if the security ACL does not have the SYN flag specified.
2. If the TCP intercept is using intercept mode with timeout, the following applies:
   a. If a connection is established successfully, the software installs a hardware shortcut to switch the rest of the flow in the hardware.
   b. If a connection is not established successfully, there cannot be any other traffic belonging to that flow.
3. For other modes of TCP intercept, once the connection is successfully established, all traffic belonging to the given connection/flow is handled in the software.

Policy Routing

Policy routing-required flows are handled in hardware or software depending on the route map. If the route map contains only a “match ip address” and the “set” clause contains the “next hop” and the next hop is reachable, then the packet is forwarded in hardware. However, for route maps containing both a match ip address and match length, all traffic matching the ACL in the match ip address clause is forwarded to the software regardless of the match length criteria. For route maps that only contain match length clauses, all packets received on the interface are forwarded to the software. When a route map contains multiple “match” clauses, all conditions imposed by these match clauses must be met before a packet is policy routed.

Note The mls ip pbr command is not required (and not supported) on PFC2.

WCCP

HTTP requests subject to WCCP redirection are handled in the software. HTTP replies from the server and the Cache Engine are handled in the hardware.

NAT

NAT-required flows are handled in the software without impacting non-NAT flow forwarding in the hardware.

Bridge-Groups

Cisco IOS bridge-group ACLs are handled in the software.

Unicast RPF Check

The unicast RPF feature is supported in hardware on the PFC2. For ACL-based RPF checks, packets denied by the ACL are sent to the CPU for RPF validation.

Note Drop-suppress statistics for ACL-based RPF check is not supported.

Caution With ACL-based unicast RPF, traffic denied by the unicast RPF ACL is forwarded to the MSFC2 for RPF validation. In the event of DOS attacks, these packets will most likely match the deny ACE and be forwarded to the CPU. Under heavy traffic conditions, this could cause high CPU utilization.

Using VACLs with Cisco IOS ACLs

To access control both bridged and routed traffic, you can use VACLs only or a combination of Cisco IOS ACLs and VACLs. You can define Cisco IOS ACLs on both input and output routed-VLAN interfaces, and you can define a VACL to access control the bridged traffic. If a flow matches a VACL deny or redirect clause in the ACL, the flow is denied or redirected, irrespective of the IOS ACL configuration.

Note VACLs have an implicit deny at the end of the list; a packet is denied if it does not match any VACL ACE.

The following caveats apply to IOS ACLs when used with VACLs:
• Packets that require logging on the outbound ACLs are not logged if they are denied by a VACL.
• NAT—VACLs are applied on packets before NAT translation. Note that if the translated flow should not be access controlled, the flow might get access controlled after the translation because of the VACL configuration.

These sections describe Cisco IOS ACL and VACL configuration guidelines and guidelines for Layer 4 operations:
• Guidelines for Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface, page 16-xvii
• Guidelines for Using Layer 4 Operations, page 16-xxi

Guidelines for Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface

Follow these guidelines when you need to configure a Cisco IOS ACL and a VACL on the same VLAN. These guidelines do not apply to configurations where you are mapping Cisco IOS ACLs and VACLs on different VLANs.

The Catalyst 6000 family switch hardware provides one lookup for security ACLs for each direction (input and output); therefore, you must merge a Cisco IOS ACL and a VACL when they are configured on the same VLAN. Merging the Cisco IOS ACL with the VACL might significantly increase the number of ACEs.

If you must configure a Cisco IOS ACL and a VACL on the same VLAN, use the following guidelines for both Cisco IOS ACL and VACL configuration.

Note To display the percentage of ACL storage being used, enter the show security acl resource-usage command.

These sections provide Cisco IOS ACL and VACL configuration guidelines and examples:
• Using the Implicit Deny Action, page 16-xvii
• Limiting the Number of Actions, page 16-xvii
• Grouping Actions Together, page 16-xvii
• Avoiding Layer 4 Port Information, page 16-xviii
• Estimating Merge Results, page 16-xviii
• Examples, page 16-xviii

Using the Implicit Deny Action

If possible, use the implicit deny action at the end of an ACL (deny any any) and define ACEs to permit only allowed traffic. You can achieve this same effect by defining all the deny entries, and at the end of the list specifying permit ip any any (see Example 1, page 16-xviii).

Limiting the Number of Actions

An ACL with only permit ACEs has two actions: permit and deny (because of the implicit deny at the end of the list). An ACL with permit and redirect has three actions: permit, redirect, and deny (because of the implicit deny at the end of the list). When configuring an ACL, the best merge results are obtained when you specify only two different actions: permit and deny, redirect and permit, or redirect and deny.

Grouping Actions Together

To define multiple actions in an ACL (permit, deny, redirect), group each action type together. Example 3, page 16-xix shows what can happen when you do not group each type together. In the example, the deny action in line 6 was grouped with permit actions. If this deny action is removed, the result of merging would be 53 entries, instead of 329.

To specify a redirect and deny ACL, do not use any permit ACEs. To specify a redirect and permit ACL, use permit ACEs, redirect ACEs, and for the last ACE, specify permit ip any any. If you specify permit ip any any, you will override the implicit deny ip any at the end of the list (see Example 4, page 16-xix).

Avoiding Layer 4 Port Information

Avoid including Layer 4 information in an ACL; adding this information will complicate the merging process. You will obtain the best merge results if the ACLs are filtered based on IP addresses (source and destination) and not on the full flow (source IP address, destination IP address, protocol, and protocol ports). If you need to specify the full flow, see the recommendations in the “Using the Implicit Deny Action” section on page 16-xvii and the “Grouping Actions Together” section on page 16-xvii. If you cannot follow the recommendations because the ACL has both IP and TCP/UDP/ICMP ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list to prioritize the traffic filtering based on IP addresses.

Estimating Merge Results

If you follow the ACL guidelines when configuring ACLs, you can get a rough estimate of the merge results for ACLs. The following example uses ACL A, ACL B, and ACL C. If ACL C is the result of merging ACL A and ACL B, and you know the size of ACL A and ACL B, you can estimate the upper limit of the size of ACL C when no Layer 4 port information has been specified on ACL A and ACL B, as follows:

size of ACL C = (size of ACL A) x (size of ACL B) x (2)

If Layer 4 port information was specified, the upper limit could be higher.

Examples

These examples show the merge results for various Cisco IOS ACL and VACL configurations. Note that in these examples, one VACL and one Cisco IOS ACL are configured on the same VLAN.

Example 1

This example shows that the VACL does not follow the recommended guidelines (see line 9) and the resultant merge increases the number of ACEs (the host and network addresses in this listing are not legible in this copy and are shown as ...):

******** VACL ***********
1 permit udp host ... host ...
2 permit udp host ... host ... eq bootps
3 permit udp ... host ... eq syslog
4 permit udp host ... host ... eq tacacs
5 permit udp ... host ... eq tftp
6 permit udp host ... host ... gt 1023
7 permit tcp any host ...
8 permit tcp any host ... eq 113
9 deny tcp any host ... eq ftp
10 permit tcp any host ... eq ftp-data
11 permit tcp any host ...
12 permit tcp any eq domain host ...
13 permit tcp any host ... gt 1023
14 permit ip any host ...

******** IOS ACL ************
1 deny ip any host 239.255.255.255
2 permit ip any any
******** MERGE ********** has 91 entries

Example 2

In Example 1, if you follow the guidelines and remove line 9 and modify lines 11 and 12, you get the following equivalent ACL with improved merge results (note that a deny ACE is not specified; addresses not legible in this copy are shown as ...):

******** VACL **********
1 permit udp host ... host ...
2 permit udp host ... host ... eq bootps
3 permit udp ... host ... eq syslog
4 permit udp host ... host ... eq tacacs
5 permit udp ... host ... eq tftp
6 permit udp host ... host ... gt 1023
7 permit tcp any host ...
8 permit tcp any host ... eq 113
9 permit tcp any host ... eq ftp-data
10 permit tcp any host ... neq ftp
11 permit tcp any eq domain host ... neq ftp
12 permit tcp any host ... gt 1023
13 permit ip any host ...
******** IOS ACL ************
1 deny ip any host 239.255.255.255
2 permit ip any any
******** MERGE *********** has 78 entries

Example 3

This example shows the VACL does not follow the recommended guidelines, and the resultant merge significantly increases the number of ACEs (network addresses and masks not legible in this copy are shown as ...):

******** VACL ***********
1 deny ip ... any
2 deny ip ... any
3 deny ip any ...
4 permit ip any host 239.255.255.255
5 permit ip any host 255.255.255.255
6 deny ip any ...
7 permit tcp any range 0 65534 any range 0 65534
8 permit udp any range 0 65534 any range 0 65534
9 permit icmp any any
10 permit ip any any
******** IOS ACL **********
1 deny ip any host 239.255.255.255
2 permit ip any any
******** MERGE ********** has 329 entries

Example 4

This example shows that the VACL does not follow the recommended guidelines (three different actions are specified), and the resultant merge significantly increases the number of ACEs:

******** VACL ***********
1 redirect 4/25 tcp host 192.168.1.67 host 255.255.255.255
2 redirect 4/25 udp host 192.168.1.67 host 255.255.255.255
3 deny tcp any any lt 30
4 deny udp any any lt 30
5 permit ip any any

******* IOS ACL ***********
1 deny ip any host 239.255.255.255
2 permit ip any any
******* MERGE ********** has 142 entries

Example 5

This example shows the VACL has two different actions specified and the merge results are significantly improved:

******** VACL ***********
1 redirect 4/25 tcp host 192.168.1.67 host 255.255.255.255
2 redirect 4/25 udp host 192.168.1.67 host 255.255.255.255
3 permit ip any any
******* IOS ACL ***********
1 deny ip any host 239.255.255.255
2 permit ip any any
******* MERGE ********** has 4 entries

Example 6

This example shows that applying the merging guidelines on a large Cisco IOS ACL (no Layer 4 port information is specified on the Cisco IOS ACL) produces a merge result of 801 entries:

******** VACL **********
1 redirect 4/25 tcp host 192.168.1.67 host 255.255.255.255
2 redirect 4/25 udp host 192.168.1.67 host 255.255.255.255
3 redirect 4/25 icmp host 192.168.1.67 host 255.255.255.255
4 redirect 4/25 ip host 192.168.1.67 host 255.255.255.255
5 deny tcp any any lt 30
6 deny udp any any lt 30
7 permit ip any any
******** IOS ACL ***********
1 permit ip ... ...
2 permit ip ... ...
3 permit ip ... ...
4 permit ip ... ...
5 permit ip ... ...
6 permit ip ... ...
7 permit ip ... ...
8 permit ip host ... ...
[...]
total 62 entries without L4 information
(network addresses and masks not legible in this copy are shown as ...)
******** MERGE ********** has 801 ACEs

Example 7

This example shows that the same Cisco IOS ACL that was used in Example 6 is merged with a VACL with Layer 4 port information. Following the guidelines in the “Using the Implicit Deny Action” section on page 16-xvii, the merge results are good.

******** VACL *********
1 permit tcp host ... host ... gt 1023
2 permit tcp host ... ... eq time
3 permit udp any ... gt 1023
4 permit udp any ... eq time
5 permit udp ... ... eq 1645
6 permit udp ... ... eq 1645
7 permit udp host ... ... gt 1023
8 permit udp host ... ... gt 1023
[...]
total 168 entries
(addresses not legible in this copy are shown as ...)

0 0.15 7 permit ip 147.0 0.0.150.0.150.72. in this ACL there are four different Layer 4 operations (“gt 10” and “gt 11” are considered two different Layer 4 operations): .205 8 permit ip host 193.0. These sections provide guidelines for specifying Layer 4 port operations: • • Determining Layer 4 Operation Usage.6.64 0. For example.15 [...6. page 16-xxii Determining Layer 4 Operation Usage The switch hardware allows you to specify these types of operations: • • • • • gt (greater than) lt (less than) neq (not equal) eq (equal) range (inclusive range) We recommend that you do not specify more than nine different operations on the same ACL.6.31 194.72.77.77.151. .15 3 permit ip 147. .64 0.77.151.0.255 194.6.] total 62 entries without L4 information ******* MERGE ******** has 1259 ACEs.255 host 194..72.15 5 permit ip 147.0.72.4 16-20 78-13315-02 ..150.0. Layer 4 operations are considered different if the operator or the operand differ. Note If you have a Cisco IOS ACL and a VACL on the same VLAN interface.0. Guidelines for Using Layer 4 Operations Follow these guidelines for configurations where you need to specify Layer 4 port operations.208 0.31 host 194.6.31 194. page 16-xxi Determining Logical Operation Unit Usage.37. ..0.64 0.255 194.255 194.205 4 permit ip 147.6.0.121 194.0.0.72.151. gt 10 permit lt 9 deny gt 11 deny neq 6 redirect Catalyst 6000 Family Software Configuration Guide—Releases 6...72.213.72..0.6.15 2 permit ip 147.0.0.3 and 6.213.0. Use the following two guidelines to determine Layer 4 operation usage: 1.160 0.0.0.6.0.160 0. each new operation might cause the affected ACE to be translated into more than one ACE.0.151.0.0.0.77.0.64 0.0 0.0.64 0..0.72.213. If you exceed this number.0.Chapter 16 Using VACLs with Cisco IOS ACLs Configuring Access Control ******** IOS ACL ********* 1 permit ip 147..15 6 permit ip 147.169.64 0. the recommended total number of Layer 4 operations is still nine or less.0 0.

2. Layer 4 operations are considered different if the same operator/operand couple applies once to a source port and once to a destination port. For example, in this ACL there are two different Layer 4 operations because one ACE applies to the source port and one applies to the destination port:

... Src gt 10 ...
... Dst gt 10 ...

Note There is no limit to the use of "eq" operators, because the "eq" operator does not use a logical operator unit (LOU) or a Layer 4 operation bit. See the "Determining Logical Operation Unit Usage" section on page 16-xxii for a description of LOUs.

Note Check the ACL Layer 4 port operations resource usage using the show security acl resource-usage command.

Determining Logical Operation Unit Usage

LOUs are registers that store operator/operand couples. All ACLs use LOUs. There can be up to 32 LOUs; each LOU can store two different operator/operand couples, with the exception of the range operator, which needs an entire LOU. LOU usage per Layer 4 operation is as follows:
• gt uses 1/2 LOU
• lt uses 1/2 LOU
• neq uses 1/2 LOU
• range uses 1 LOU
• eq does not require a LOU

For example, this ACL would use a single LOU to store two different operator/operand couples:

... Src gt 10 ...
... Dst gt 10 ...

A more detailed example follows:

ACL1
... (dst port) gt 10 permit
... (dst port) lt 9 deny
... (dst port) gt 11 deny
... (dst port) neq 6 redirect
... (src port) neq 6 redirect
... (dst port) gt 10 deny

ACL2
... (dst port) gt 20 deny
... (dst port) lt 9 deny
... (dst port) range 11 13 permit
... (src port) neq 6 redirect

The Layer 4 operations and LOU usage are as follows:
• ACL1 Layer 4 operations: 5
• ACL2 Layer 4 operations: 4
• LOUs: 4
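The tally above can be checked mechanically before an ACL is pushed to the hardware. The following Python is an added example, not code from the Cisco guide: it encodes the two counting rules and the per-operator LOU costs from this section and applies them to ACL1 and ACL2, entered here as constructed data. The packing strategy is an assumption (half-LOU couples paired in first-seen order, a range alone in its LOU) and so is keying LOU couples on operator and operand only, ignoring the port direction; that reading is the one under which the ACL1/ACL2 figures come out as the guide states, including the spare half in LOU 3.

```python
"""Layer 4 operation and LOU accounting for Catalyst 6000 security ACLs.

Added example, not code from the Cisco guide. It encodes the two counting
rules and the per-operator LOU costs stated in this section and applies them
to ACEs written as (port_direction, operator, operand, action) tuples. ACL1
and ACL2 are the guide's own worked example, constructed here as data. The
packing strategy is an assumption: half-LOU couples are paired in first-seen
order, a range takes a whole LOU, and a couple is keyed on operator and
operand only, so "neq 6" on a source port and on a destination port share one
LOU slot. That reading reproduces the guide's tally, including the spare half
in LOU 3.
"""

RECOMMENDED_MAX_L4_OPS = 9   # guide: no more than nine different operations per ACL
MAX_LOUS = 32                # guide: up to 32 LOUs in hardware

# LOU cost per operator; eq is matched directly and needs no LOU.
LOU_COST = {"gt": 0.5, "lt": 0.5, "neq": 0.5, "range": 1.0, "eq": 0.0}

ACL1 = [
    ("dst", "gt", 10, "permit"),
    ("dst", "lt", 9, "deny"),
    ("dst", "gt", 11, "deny"),
    ("dst", "neq", 6, "redirect"),
    ("src", "neq", 6, "redirect"),    # rule 2: a different operation from the dst one
    ("dst", "gt", 10, "deny"),        # same operation as ACE 1: counted once
]
ACL2 = [
    ("dst", "gt", 20, "deny"),
    ("dst", "lt", 9, "deny"),         # couple already stored for ACL1: shares its LOU
    ("dst", "range", (11, 13), "permit"),
    ("src", "neq", 6, "redirect"),
]

def l4_operations(acl):
    """Distinct Layer 4 operations in one ACL, in first-seen order.

    Rule 1: a different operator or operand is a different operation.
    Rule 2: the same operator/operand on a source port and on a destination
    port are two different operations. eq never counts.
    """
    ops = []
    for direction, op, operand, _action in acl:
        if op not in LOU_COST:
            raise ValueError("unsupported operator " + repr(op))
        key = (direction, op, operand)
        if op != "eq" and key not in ops:
            ops.append(key)
    return ops

def exceeds_recommendation(*acls):
    """True if the ACLs together use more than nine distinct operations.

    The guide keeps the same ceiling for a Cisco IOS ACL and a VACL that share
    a VLAN interface, so pass both to check the combined figure (an operation
    that appears in both ACLs is counted once; that choice is an assumption).
    """
    combined = set()
    for acl in acls:
        combined.update(l4_operations(acl))
    return len(combined) > RECOMMENDED_MAX_L4_OPS

def lou_couples(*acls):
    """Operator/operand couples, first-seen order, shared across all ACLs."""
    couples = []
    for acl in acls:
        for _direction, op, operand, _action in acl:
            if op != "eq" and (op, operand) not in couples:
                couples.append((op, operand))
    return couples

def pack_lous(*acls):
    """Assign couples to LOUs: two half-LOU couples per register, range alone."""
    couples = lou_couples(*acls)
    halves = [c for c in couples if LOU_COST[c[0]] == 0.5]
    fulls = [c for c in couples if LOU_COST[c[0]] == 1.0]
    lous = [halves[i:i + 2] for i in range(0, len(halves), 2)]
    lous += [[c] for c in fulls]
    if len(lous) > MAX_LOUS:
        raise ValueError("%d LOUs needed, hardware has %d" % (len(lous), MAX_LOUS))
    return lous

def describe(couple):
    """Render a couple the way the guide writes it, e.g. 'range 11 13'."""
    op, operand = couple
    if op == "range":
        return "%s %s %s" % (op, operand[0], operand[1])
    return "%s %s" % (op, operand)

if __name__ == "__main__":
    print("ACL1 Layer 4 operations:", len(l4_operations(ACL1)))
    print("ACL2 Layer 4 operations:", len(l4_operations(ACL2)))
    for n, lou in enumerate(pack_lous(ACL1, ACL2), start=1):
        print("LOU %d stores %s" % (n, " and ".join(describe(c) for c in lou)))
```

Running the module prints 5 and 4 operations and the four LOU assignments listed in the guide's explanation. Because LOUs are a shared hardware pool, pass every ACL that will coexist on the switch to pack_lous rather than checking them one at a time.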

An explanation of the LOU usage follows:
• LOU 1 stores "gt 10" and "lt 9"
• LOU 2 stores "gt 11" and "neq 6"
• LOU 3 stores "gt 20" (with space for one more)
• LOU 4 stores "range 11 13" (range needs the entire LOU)

Using VACLs in your Network

This section describes some typical uses for VACLs and includes the following:
• Wiring Closet Configuration, page 16-xxiii
• Redirecting Broadcast Traffic to a Specific Server Port, page 16-xxiv
• Restricting the DHCP Response for a Specific Server, page 16-xxv
• Denying Access to a Server on Another VLAN, page 16-xxvi
• Restricting ARP Traffic, page 16-xxvii
• Configuring ACLs on Private VLANs, page 16-xxvii
• Capturing Traffic Flows, page 16-xxviii

Wiring Closet Configuration

In a wiring closet configuration, Catalyst 6000 family switches might not be equipped with MSFCs (routers). In this configuration, the switch can still support a VACL and a QoS ACL. Suppose Host X and Host Y are in different VLANs and are connected to wiring closet Switch A and Switch C (see Figure 16-4). Traffic from Host X to Host Y is eventually routed by the switch equipped with the MSFC. Traffic from Host X to Host Y can be access controlled at the traffic entry point, Switch A. If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VACL on Switch A. All HTTP traffic from Host X to Host Y would then be dropped at Switch A and not be bridged to the switch with the MSFC.

Figure 16-4 Wiring Closet Configuration
[Figure: Host X connects to Switch A (PFC only) and Host Y to Switch C (PFC only); a Catalyst 6500 series switch with MSFC routes between them. VACL on Switch A: deny http from X to Y; http is dropped at the entry point.]

Redirecting Broadcast Traffic to a Specific Server Port

Some application traffic uses broadcast packets that reach every host in a VLAN. With VACLs, you can redirect these broadcast packets to the intended application server port. Figure 16-5 shows an application broadcast packet from Host A being redirected to the target application server port, preventing other ports from receiving the packet.

Note You could apply the same concept to direct broadcast traffic to a multicast destination by redirecting the traffic to a group of ports (see Figure 16-5).

To redirect broadcast traffic to a specific server port, perform this task in privileged mode (TCP port 5000 is the intended server application port):

Step 1 Redirect the broadcast packets:
set security acl ip SERVER redirect 4/1 tcp any host 255.255.255.255 eq 5000
Step 2 Permit all other traffic:
set security acl ip SERVER permit ip any any
Step 3 Commit the VACL:
commit security acl SERVER
Step 4 Map the VACL to VLAN 10:
set security acl map SERVER 10

The eq 5000 operator follows the destination specification, so the ACE matches on the destination port. Because a VACL is evaluated first-match, the redirect ACE must precede the permit ip any any ACE; in the other order, every broadcast would be permitted normally and never redirected.

Figure 16-5 Redirecting Broadcast Traffic to a Specific Server Port
[Figure: Hosts A, B and C on VLAN 10 of a Catalyst 6500 series switch with PFC; the VACL redirects the application broadcast packet from Host A to the target server on port 4/1 only.]

Restricting the DHCP Response for a Specific Server

When Dynamic Host Configuration Protocol (DHCP) requests are broadcast, they reach every DHCP server in the VLAN and multiple responses are returned. With VACLs, you can restrict the response to the one from a specific DHCP server and drop the other responses.

To restrict DHCP responses for a specific server, perform this task in privileged mode (the target DHCP server IP address is 1.2.3.4):

Step 1 Permit a DHCP response from host 1.2.3.4:
set security acl ip SERVER permit udp host 1.2.3.4 any eq 68
Step 2 Deny DHCP responses from any other host:
set security acl ip SERVER deny udp any any eq 68
Step 3 Permit other IP traffic:
set security acl ip SERVER permit any
Step 4 Commit the VACL:
commit security acl SERVER
Step 5 Map the VACL to VLAN 10:
set security acl map SERVER 10

Both DHCP ACEs match on UDP destination port 68 (the DHCP client port), so the order of Steps 1 and 2 matters: the permit for 1.2.3.4 must come before the deny for everyone else. The filter keys on the source address only, so it does not stop a rogue server that spoofs 1.2.3.4 as its source.

Figure 16-6 shows that only the target server's response to the DHCP request reaches the clients.

Figure 16-6 Redirect DHCP Response for a Specific Server
[Figure: Hosts A, B and C on VLAN 10 of a Catalyst 6500 series switch with PFC; of the DHCP response packets, only the one from target server 1.2.3.4 is passed by the VACL.]

Denying Access to a Server on Another VLAN

You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs to have access restricted as follows (see Figure 16-7):
• Hosts in subnet 10.1.2.0/24 in VLAN 20 should not have access.
• Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.

To deny access to a server on another VLAN, perform this task in privileged mode:

Step 1 Deny traffic from hosts in subnet 10.1.2.0/24:
set security acl ip SERVER deny ip 10.1.2.0 0.0.0.255 host 10.1.1.100
Step 2 Deny traffic from host 10.1.1.4:
set security acl ip SERVER deny ip host 10.1.1.4 host 10.1.1.100
Step 3 Deny traffic from host 10.1.1.8:
set security acl ip SERVER deny ip host 10.1.1.8 host 10.1.1.100
Step 4 Permit other IP traffic:
set security acl ip SERVER permit ip any any
Step 5 Commit the VACL:
commit security acl SERVER
Step 6 Map the VACL to VLAN 10:
set security acl map SERVER 10

The VACL is mapped to VLAN 10, the server's own VLAN, so it filters both the local hosts and the traffic from VLAN 20 once that traffic is routed into VLAN 10. The wildcard 0.0.0.255 in Step 1 is the inverse of a /24 mask: zero bits must match, one bits are ignored.
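The three VACLs above can be exercised offline against sample packets before they are committed to a switch. The following Python is an added example, not code from the Cisco guide: it parses the set security acl ip ACEs exactly as written in the tasks above and applies the evaluation order that this chapter's "VACL Configuration Guidelines" and "VACL Configuration Summary" describe, that is, the first matching ACE decides and a packet that matches no ACE falls to the implicit deny at the end of every VACL. The Packet and Ace tuples, the parser and its wildcard-mask handling are assumptions; the packets are constructed inline.

```python
"""First-match evaluation of the IP VACLs used in the tasks above.

Added example, not code from the Cisco guide. It parses the CatOS
'set security acl ip ...' ACEs exactly as the guide writes them and applies
the evaluation order the guide describes: the first matching ACE decides
(permit, deny, or redirect to a port) and a packet matching no ACE falls to
the implicit deny at the end of every VACL. The Packet/Ace tuples, the parser
and the trailing keywords it ignores (precedence, tos, capture, log, before,
modify) are assumptions; only the ACE syntax seen on this page is handled.
"""
import ipaddress
from collections import namedtuple

OPERATORS = ("eq", "gt", "lt", "neq", "range")
ANY = ipaddress.ip_network("0.0.0.0/0")
# port: redirect target mod/port or None; *_port: (op, n), ("range", n, m) or None
Ace = namedtuple("Ace", "action port protocol src src_port dst dst_port")
Packet = namedtuple("Packet", "protocol src dst src_port dst_port", defaults=(None, None))

def _wildcard_to_prefix(wildcard):
    """Cisco wildcard mask (0 bit = must match) to a prefix length."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard " + wildcard)
    return prefix

def _parse_addr(tok, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    prefix = _wildcard_to_prefix(tok[i + 1])
    return ipaddress.ip_network((tok[i], prefix), strict=False), i + 2

def _parse_port(tok, i):
    """Optional port operator following an address spec."""
    if i < len(tok) and tok[i] in OPERATORS:
        if tok[i] == "range":
            return ("range", int(tok[i + 1]), int(tok[i + 2])), i + 3
        return (tok[i], int(tok[i + 1])), i + 2
    return None, i

def parse_ace(line):
    """Parse one 'set security acl ip NAME ...' command line into an Ace."""
    tok = line.split()
    if tok[:4] != ["set", "security", "acl", "ip"]:
        raise ValueError("not an IP VACL ACE: " + line)
    action, i, port = tok[5], 6, None
    if action == "redirect":
        port, i = tok[6], 7
    if tok[i] in ("any", "host") or "." in tok[i]:   # syntax without a protocol
        src, i = _parse_addr(tok, i)
        return Ace(action, port, "ip", src, None, ANY, None)
    protocol, i = tok[i], i + 1
    src, i = _parse_addr(tok, i)
    src_port, i = _parse_port(tok, i)          # operator after src = source port
    dst, i = _parse_addr(tok, i)
    dst_port, i = _parse_port(tok, i)          # operator after dst = destination port
    return Ace(action, port, protocol, src, src_port, dst, dst_port)

def _port_ok(spec, port):
    """True when the ACE has no port operator or the packet port satisfies it."""
    if spec is None:
        return True
    if port is None:
        return False
    op, n = spec[0], spec[1]
    return {"eq": port == n, "gt": port > n, "lt": port < n, "neq": port != n,
            "range": n <= port <= spec[-1]}[op]

def matches(ace, pkt):
    return (ace.protocol in ("ip", pkt.protocol)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and _port_ok(ace.src_port, pkt.src_port)
            and _port_ok(ace.dst_port, pkt.dst_port))

def evaluate(vacl, pkt):
    """(action, redirect_port, ace_number); ace_number None = implicit deny."""
    for n, ace in enumerate(vacl, start=1):
        if matches(ace, pkt):
            return ace.action, ace.port, n
    return "deny", None, None

def build(lines):
    return [parse_ace(line) for line in lines]

# The three VACLs from the tasks above (the guide names each of them SERVER).
BROADCAST = build([
    "set security acl ip SERVER redirect 4/1 tcp any host 255.255.255.255 eq 5000",
    "set security acl ip SERVER permit ip any any",
])
DHCP = build([
    "set security acl ip SERVER permit udp host 1.2.3.4 any eq 68",
    "set security acl ip SERVER deny udp any any eq 68",
    "set security acl ip SERVER permit any",
])
ACCESS = build([
    "set security acl ip SERVER deny ip 10.1.2.0 0.0.0.255 host 10.1.1.100",
    "set security acl ip SERVER deny ip host 10.1.1.4 host 10.1.1.100",
    "set security acl ip SERVER deny ip host 10.1.1.8 host 10.1.1.100",
    "set security acl ip SERVER permit ip any any",
])
```

Evaluating a DHCP offer from 1.2.3.4 against DHCP returns ("permit", None, 1), while the same offer from any other server returns ("deny", None, 2). Swapping the first two DHCP ACEs makes the legitimate server's offer hit the deny first, which is the ordering mistake the guidelines warn about; evaluating a packet against a VACL that has no matching ACE returns ("deny", None, None), the implicit deny.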

Figure 16-7 Deny Access to a Server on Another VLAN
[Figure: Catalyst 6500 series switch with PFC; server 10.1.1.100 and hosts 10.1.1.4 and 10.1.1.8 in VLAN 10; a host in subnet 10.1.2.0/24 in VLAN 20.]

Restricting ARP Traffic

Note This feature is only available with Supervisor Engine 2 with PFC2.

In software release 6.1(1) and later releases, ARP traffic is permitted on each VLAN by default. You can disallow ARP traffic on a per-VLAN basis using the set security acl ip acl_name deny arp command. When you enter this command, ARP traffic is disallowed on the VLAN that the ACL is mapped to. To allow ARP traffic on a VLAN that has had ARP traffic disallowed, enter the set security acl ip acl_name permit arp command.

Configuring ACLs on Private VLANs

Private VLANs allow you to split a primary VLAN into sub-VLANs (secondary VLANs) that can be either community VLANs or isolated VLANs. In releases prior to software release 6.1(1), you could configure ACLs on a primary VLAN only, and the ACL would then be applied to all the secondary VLANs. ACLs can be applied as follows:
• You can map VACLs to secondary VLANs or primary VLANs. If you map a VACL to a primary VLAN, it filters the traffic from the router to the host; if you map a VACL to a secondary VLAN, it filters the traffic from the host to the router.
• You can map QoS ACLs to secondary VLANs or primary VLANs.
• Cisco IOS ACLs that are mapped to a primary VLAN get mapped to the associated secondary VLANs.
• You cannot map Cisco IOS ACLs to secondary VLANs.
• You cannot map dynamic ACEs to a private VLAN.

Note With software releases 6.2(1) and later, you can use two-way community VLANs to perform an inverse mapping from the primary VLAN to the secondary VLAN when the traffic crosses the boundary of a private VLAN through a promiscuous port. Both outbound and inbound traffic can be carried on the same VLAN, allowing VLAN-based VACLs to be applied in both directions on a per-community (per customer) basis.

Note For additional information on private VLANs, see the "Configuring Private VLANs" section on page 11-13.

Capturing Traffic Flows

See the "Capturing Traffic Flows on Specified Ports" section on page 16-xxxix for complete configuration details.

Unsupported Features

This section lists ACL-related features that are not supported or have limited support on the Catalyst 6000 family switches.
• Non-IP version 4/non-IPX Cisco IOS ACLs: the following types of Cisco IOS security ACLs cannot be enforced on the switch in the hardware. The MSFC has to process the ACL in software, and this significantly degrades system performance:
  – Bridge-group ACLs
  – IP accounting
  – Inbound and outbound rate limiting
  – Standard IPX with source node number
  – IPX extended access lists that specify a source node number or socket numbers (not enforced in the hardware)
  – Standard XNS access list
  – Extended XNS access list
  – DECnet access list
  – Extended MAC address access list
  – Protocol type-code access list
• IP packets with a header length of less than five (an IHL field below the 20-byte minimum, which is a malformed header) will not be access controlled.
• Non full-flow IPX VACL: an IPX VACL is based on a flow specified by a source/destination network number, packet type, and destination node number only. The source node number and socket number are not supported when specifying the IPX flow.

Configuring VACLs

This section describes how to configure VACLs. Prior to performing any configuration tasks, see the "VACL Configuration Guidelines" section on page 16-xxix. See the "Using VACLs in your Network" section on page 16-xxiii for configuration examples.

Note You can configure Cisco IOS ACLs and VACLs from Flash memory instead of NVRAM. See the "Configuring and Storing VACLs and QoS ACLs in Flash Memory" section on page 16-xliii for detailed information.

These sections provide guidelines and a summary for configuring VACLs:
• VACL Configuration Guidelines, page 16-xxix
• VACL Configuration Summary, page 16-xxx

VACL Configuration Guidelines

Follow these guidelines when configuring VACLs:

Caution All changes to ACLs are stored temporarily in an edit buffer. You must enter the commit command to commit all ACEs to NVRAM. Committed ACLs with no ACEs are deleted. We recommend that you enter ACEs in batches and enter the commit command to save all of them to NVRAM.

• See the "Guidelines for Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface" section on page 16-xvii.
• See the "Unsupported Features" section on page 16-xxviii.
• There are no default VACLs and no default VACL-to-VLAN mappings.
• Note that the order of ACEs in an ACL is important. A packet that comes into the switch is applied against the first ACE in the ACL. If there is no match, the packet is applied against the next ACE in the list. If no ACEs match, the packet is denied (dropped).
• Note that a VACL has to be committed before you can map it to a VLAN.
• Note that if there is no Cisco IOS ACL configured to deny traffic on a routed VLAN interface (input or output), and no VACL configured, all traffic is permitted.
• Always enter the show security acl info acl_name editbuffer command to see the current list of ACEs before making any changes to the edit buffer.
• Note that in systems with redundant MSFCs, the ACL configurations for Cisco IOS ACLs and VACLs must be the same on both MSFCs.
• Note that the system might take longer to boot if you configure a very large number of ACLs.
• Note that the system might incorrectly calculate the maximum number of ACLs in the system if an ACL is deleted but not committed.
• Note that the show security acl resource-usage and show qos acl resource-usage commands might not show 100 percent usage even if there is no space in the hardware to store more ACLs. This situation occurs because some ACL space is reserved in hardware for the ACL manager to perform cleanup and mapping if necessary.

• Follow these guidelines for using the redirect option:
  – Note that redirected packets can only go out a port that supports the VLAN that the traffic is in.
  – Note that if packets are coming in from many VLANs, the redirect port should have those VLANs in forwarding state. You might have to configure the redirect port as a trunk to allow multiple VLANs to go out of the port. Each port transmits only those packets that belong to the VLANs that are forwarding on the port.
  – Use the redirect option to do some basic VLAN-based load balancing by redirecting traffic to multiple ports.
  – Put caches in promiscuous mode so they can receive traffic that is not routed.
  – Note that the redirect option only involves taking packets and sending them out the redirect port; there is no routing involved.

VACL Configuration Summary

To create a VACL and map it to a VLAN, perform these steps:

Step 1 Enter the set security acl ip command to create a VACL and add ACEs.
Step 2 Enter the commit command to commit the VACL and its associated ACEs to NVRAM.
Step 3 Enter the set security acl map command to map the VACL to a VLAN.

Note An IP VACL is used in this description; you can configure IPX and non-IP version 4/non-IPX VACLs using the same basic steps.

Note VACLs have an implicit deny feature at the end of the list: a packet is denied if it does not match any VACL ACE.

Configuring VACLs From the CLI

This section describes how to create and activate VACLs on the Catalyst 6000 family switches. These tasks are listed in the order that they should be performed. This section describes the following tasks:
• Creating an IP VACL and Adding ACEs, page 16-xxxi
• Creating an IPX VACL and Adding ACEs, page 16-xxxiii
• Creating a Non-IP Version 4/Non-IPX VACL (MAC VACL) and Adding ACEs, page 16-xxxv
• Committing ACLs, page 16-xxxvi
• Mapping a VACL to a VLAN, page 16-xxxvi
• Showing the Contents of a VACL, page 16-xxxvii
• Showing VACL-to-VLAN Mapping, page 16-xxxvii
• Clearing the Edit Buffer, page 16-xxxviii
• Removing ACEs from Security ACLs, page 16-xxxviii
• Clearing the Security ACL Map, page 16-xxxviii
• Displaying VACL Management Information, page 16-xxxix
• Capturing Traffic Flows on Specified Ports, page 16-xxxix
• Configuring VACL Logging, page 16-xli

Creating an IP VACL and Adding ACEs

To create a new IP VACL and add ACEs, or to add ACEs to an existing IP VACL, perform these tasks in privileged mode:

• If an IP protocol specification is not required, use the following syntax:
  set security acl ip {acl_name} {permit | deny} {src_ip_spec} [capture] [before editbuffer_index | modify editbuffer_index] [log]
• If an IP protocol is specified, use the following syntax:
  set security acl ip {acl_name} {permit | deny | redirect mod_num/port_num} {protocol} {src_ip_spec} {dest_ip_spec} [precedence precedence] [tos tos] [capture] [before editbuffer_index | modify editbuffer_index] [log]

Note The log keyword provides logging messages for denied IP VACLs only.

This example shows how to create an ACE for IPACL1 to allow traffic from source address 172.20.53.4:
Console> (enable) set security acl ip IPACL1 permit host 172.20.53.4
IPACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)

This example shows how to create an ACE for IPACL1 to block traffic from source address 171.3.8.2:
Console> (enable) set security acl ip IPACL1 deny host 171.3.8.2
IPACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)

This example shows how to create an ACE for IPACL1 to allow traffic from all source addresses:
Console> (enable) set security acl ip IPACL1 permit any
IPACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)

Note VACLs have an implicit deny feature at the end of the list. Without the final permit any ACE, all traffic that did not match the first two ACEs would be denied. Because the list is evaluated first-match, the deny for 171.3.8.2 must stay ahead of permit any; placed after it, the deny would never be reached.

This example shows how to display the contents of the edit buffer:
Console> (enable) show security acl info IPACL1 editbuffer
set security acl ip IPACL1
----------------------------------------------------------------
1. permit ip host 172.20.53.4 any
2. deny ip host 171.3.8.2 any
3. permit ip any any
Console> (enable)

This example shows how to commit the ACEs to NVRAM:
Console> (enable) commit security acl all
ACL commit in progress.
ACL IPACL1 is committed to hardware.
Console> (enable)

0. Console> (enable) set security acl ip IPACL2 redirect 3/1 ip 1. Enter the show security acl info acl_name [editbuffer] command to see the current ACE listing stored in NVRAM (enter the editbuffer keyword to see edit buffer contents).20. ACL IPACL2 is committed to hardware.255 host 255.255. This example shows how to create an ACE for IPACL2 to block traffic from source address 172. Console> (enable) Catalyst 6000 Family Software Configuration Guide—Releases 6. Console> (enable) This example shows how to create an ACE for IPACL2 to redirect IP traffic to port 3/1 from source address 1. Use ‘commit’ command to apply changes.2.3. ACL IPACL1 is committed to hardware.3.0.2 and place this ACE before ACE number 2 in the VACL. If this VACL has not been mapped to a VLAN. Console> (enable) This example shows how to display the contents of the edit buffer: Console> (enable) show security acl info IPACL2 editbuffer set security acl ip IPACL2 ----------------------------------------------------------------1. Enter the show security acl info IPACL1 command to verify that the changes were committed.20. This example shows how to commit the ACEs to NVRAM: Console> (enable) commit security acl all ACL commit in progress.0. Console> (enable) Note For more information about the commit security acl all command. Use ‘commit’ command to apply changes. Note that host can be used as an abbreviation for a source and source-wildcard of 0. deny 172.4 with the destination address of 255. enter the set security acl map command to map it to a VLAN.3. redirect 1.2 before 2 IPACL2 editbuffer modified.255 precedence 1 tos min-delay IPACL2 editbuffer modified. see the “Committing ACLs” section on page 16-xxxvi. you can use the modify keyword to replace an existing ACE with a new ACE.2.4 0.2.3 and 6. Optionally.4 Console> (enable) Note For more information about the show security acl info command. see the “Showing the Contents of a VACL” section on page 16-xxxvii.3.20.255.2 2.3. 
Console> (enable) set security acl ip IPACL2 deny host 172. This ACE also specifies the following: • • precedence—IP precedence values that range between zero for low priority and seven for high priority.3. tos—Type of service levels that range between 0 and 15.0.Chapter 16 Configuring Access Control Configuring VACLs This example shows how to commit the ACEs to NVRAM: Console> (enable) commit security acl all ACL commit in progress.4 78-13315-02 16-31 .255.255.255.0.

Enter the show security acl info IPACL2 command to verify that the changes were committed. If this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.

Note For more information about the commit security acl all command, see the "Committing ACLs" section on page 16-xxxvi.

Creating an IPX VACL and Adding ACEs

To create a new IPX VACL and add ACEs, or to add ACEs to an existing IPX VACL, perform this task in privileged mode:

Create a new IPX VACL and add ACEs, or add ACEs to an existing IPX VACL:
set security acl ipx {acl_name} {permit | deny | redirect mod_num/port_num} {protocol} {src_net} [dest_net.[dest_node] [[dest_net_mask.]dest_node_mask]] [capture] [before editbuffer_index | modify editbuffer_index]

This example shows how to create an ACE for IPXACL1 to block all traffic from source network 1234:
Console> (enable) set security acl ipx IPXACL1 deny any 1234
IPXACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)

This example shows how to create an ACE for IPXACL1 to block all traffic with destination address 1.A.3.4:
Console> (enable) set security acl ipx IPXACL1 deny any any 1.A.3.4
IPXACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)

This example shows how to create an ACE for IPXACL1 to redirect broadcast traffic to port 4/1 from source network 3456:
Console> (enable) set security acl ipx IPXACL1 redirect 4/1 any 3456
IPXACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)

This example shows how to display the contents of the edit buffer:
Console> (enable) show security acl info IPXACL1 editbuffer
set security acl ipx IPXACL1
----------------------------------------------------------------
1. deny any 1234
2. deny any any 1.A.3.4
3. redirect 4/1 any 3456
Console> (enable)

Note For more information about the show security acl info command, see the "Showing the Contents of a VACL" section on page 16-xxxvii.

This example shows how to commit the ACEs to NVRAM:
Console> (enable) commit security acl all
ACL commit in progress.
ACL IPXACL1 is committed to hardware.
Console> (enable)

Enter the show security acl info IPXACL1 command to verify that the changes were committed. If this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.

This example shows how to create an ACE for IPXACL1 to allow all traffic from source network 1 and insert this ACE before ACE number 2:
Console> (enable) set security acl ipx IPXACL1 permit any 1 before 2
IPXACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)

This example shows how to create an ACE for IPXACL1 to allow traffic from all source addresses:
Console> (enable) set security acl ipx IPXACL1 permit any any
IPXACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)

This example shows how to display the contents of the edit buffer:
Console> (enable) show security acl info IPXACL1 editbuffer
set security acl ipx IPXACL1
----------------------------------------------------------------
1. deny any 1234
2. permit any 1
3. deny any any 1.A.3.4
4. redirect 4/1 any 3456
5. permit any any
ACL IPXACL1 Status: Not Committed
Console> (enable)

This example shows how to commit the ACEs to NVRAM:
Console> (enable) commit security acl all
ACL commit in progress.
ACL IPXACL1 is committed to hardware.
Console> (enable)

Note For more information about the commit security acl all command, see the "Committing ACLs" section on page 16-xxxvi.

Enter the show security acl info IPXACL1 command to verify that the changes were committed. If this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.

Creating a Non-IP Version 4/Non-IPX VACL (MAC VACL) and Adding ACEs

Caution IP traffic and IPX traffic are not access controlled by MAC VACLs. All other traffic types (AppleTalk, DECnet, and so on) are classified as MAC traffic, and MAC VACLs are used to access control this traffic.

To create a new non-IP version 4/non-IPX VACL and add ACEs, or to add ACEs to an existing non-IP version 4/non-IPX VACL, perform this task in privileged mode:

Create a new non-IP version 4/non-IPX VACL and add ACEs, or add ACEs to an existing non-IP version 4/non-IPX VACL:
set security acl mac {acl_name} {permit | deny} {src_mac_addr_spec} {dest_mac_addr_spec} [ether-type] [capture] [before editbuffer_index | modify editbuffer_index]

This example shows how to create an ACE for MACACL1 to block all traffic from 8-2-3-4-7-A:
Console> (enable) set security acl mac MACACL1 deny host 8-2-3-4-7-A any
MACACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)

This example shows how to create an ACE for MACACL1 to block all traffic to A-B-C-D-1-2:
Console> (enable) set security acl mac MACACL1 deny any host A-B-C-D-1-2
MACACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)

This example shows how to create an ACE for MACACL1 to allow traffic from all sources:
Console> (enable) set security acl mac MACACL1 permit any any
MACACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)

This example shows how to display the contents of the edit buffer:
Console> (enable) show security acl info MACACL1 editbuffer
set security acl mac MACACL1
----------------------------------------------------------------
1. deny 8-2-3-4-7-A any
2. deny any A-B-C-D-1-2
3. permit any any
Console> (enable)

Note For more information about the show security acl info command, see the "Showing the Contents of a VACL" section on page 16-xxxvii.

This example shows how to commit the ACEs to NVRAM:
Console> (enable) commit security acl all
ACL commit in progress.
ACL MACACL1 is committed to hardware.
Console> (enable)

Note For more information about the commit security acl all command, see the "Committing ACLs" section on page 16-xxxvi.

Enter the show security acl info MACACL1 command to verify that the changes were committed. If this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.

Committing ACLs

You can commit all ACLs or a specific ACL to NVRAM with the commit command. Any committed ACL with no ACEs will be deleted.

To commit an ACL to NVRAM, perform this task in privileged mode:

Commit an ACL to NVRAM:
commit security acl {acl_name | all}

This example shows how to commit a specific security ACL to NVRAM:
Console> (enable) commit security acl IPACL2
ACL commit in progress.
ACL IPACL2 is committed to hardware.
Console> (enable)

Mapping a VACL to a VLAN

You can map a VACL to a VLAN with the set security acl map command. Note that there is no default ACL-to-VLAN mapping; every VACL needs to be mapped to a VLAN before it filters anything.

To map a VACL to a VLAN, perform this task in privileged mode:

Map a VACL to a VLAN:
set security acl map acl_name vlans

This example shows how to map IPACL1 to VLAN 10:
Console> (enable) set security acl map IPACL1 10
ACL IPACL1 mapped to vlan 10
Console> (enable)

This example shows the output if you try to map an ACL that has not been committed:
Console> (enable) set security acl map IPACL1 10
Commit ACL IPACL1 before mapping.
Console> (enable)

Showing the Contents of a VACL

You can display the contents of a VACL with the show security acl info command.

To show the contents of a VACL, perform this task in privileged mode:

Show the contents of a VACL:
show security acl info {acl_name | all} [editbuffer [editbuffer_index]]

This example shows how to show the contents of a VACL that has been saved in NVRAM (A, B, C and D stand for address specifications):
Console> (enable) show security acl info IPACL1
set security acl ip IPACL1
----------------------------------------------------------------
1. deny A
2. deny ip B any
3. deny C
4. permit any
Console> (enable)

This example shows how to show the contents of a VACL that is still in the edit buffer:
Console> (enable) show security acl info IPACL1 editbuffer
set security acl ip IPACL1
----------------------------------------------------------------
1. deny A
2. deny ip B any
3. deny C
4. deny D
5. permit any
Console> (enable)

Showing VACL-to-VLAN Mapping

You can display VACL-to-VLAN mapping for a specified ACL or VLAN with the show security acl map command.

To show VACL-to-VLAN mapping, perform this task in privileged mode:

Show VACL-to-VLAN mapping:
show security acl map {acl_name | vlan | all}

This example shows how to show the mappings of a specific VACL:
Console> (enable) show security acl map IPACL1
ACL IPACL1 is mapped to VLANs: 1
Console> (enable)

This example shows how to show the mappings of a specific VLAN:
Console> (enable) show security acl map 1
VLAN 1 is mapped to IP ACL IPACL1.
VLAN 1 is mapped to IPX ACL IPXACL1.
VLAN 1 is mapped to MAC ACL MACACL1.
Console> (enable)
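The edit-buffer behaviour that runs through the tasks above (set security acl with before and modify, show security acl info with and without editbuffer, commit security acl, set security acl map) and the rollback and clear security acl commands in the sections that follow can be modelled in a few dozen lines. The following Python is an added example, not code from the Cisco guide: it reproduces the rules this chapter states, namely that changes live in a per-ACL edit buffer until committed, that only a committed ACL can be mapped, and that a committed ACL left with no ACEs is deleted. Method names, return strings and the ACE sequence it is exercised with are assumptions chosen to mirror the guide's IPACL1 example; they are not CatOS internals, and the model does not enforce the one-IP, one-IPX and one-MAC ACL per VLAN limit.

```python
"""Model of the CatOS security ACL edit buffer, commit, rollback and map rules.

Added example, not code from the Cisco guide. It mimics the command behaviour
the guide describes: set security acl (with before/modify), show security acl
info [editbuffer], commit security acl, rollback security acl, clear security
acl and set security acl map. Method names and messages are assumptions.
"""


class SecurityAclStore:
    def __init__(self):
        self.committed = {}    # acl name -> ACEs as 'show security acl info NAME' lists them
        self.editbuffer = {}   # acl name -> pending ACEs, present only while uncommitted
        self.mappings = {}     # vlan -> set of mapped ACL names

    def _buffer(self, name):
        """Open the edit buffer for NAME, seeded from the committed copy."""
        if name not in self.editbuffer:
            self.editbuffer[name] = list(self.committed.get(name, []))
        return self.editbuffer[name]

    def set_ace(self, name, ace, before=None, modify=None):
        """set security acl ... NAME ACE [before N | modify N]; N is 1-based."""
        if before is not None and modify is not None:
            raise ValueError("before and modify are mutually exclusive")
        buf = self._buffer(name)
        if modify is not None:
            buf[modify - 1] = ace          # IndexError if ACE N does not exist
        elif before is not None:
            buf.insert(before - 1, ace)    # past the end behaves like an append
        else:
            buf.append(ace)
        return "%s editbuffer modified. Use 'commit' command to apply changes." % name

    def clear(self, name=None, index=None):
        """clear security acl all | NAME | NAME N: edits the buffer only."""
        names = [name] if name else sorted(set(self.committed) | set(self.editbuffer))
        for n in names:
            buf = self._buffer(n)
            if index is None:
                buf.clear()
            else:
                del buf[index - 1]

    def rollback(self, name=None):
        """rollback security acl NAME | all: discard uncommitted changes."""
        if name is None:
            self.editbuffer.clear()
        else:
            self.editbuffer.pop(name, None)

    def show(self, name, editbuffer=False):
        """show security acl info NAME [editbuffer]."""
        if editbuffer and name in self.editbuffer:
            return list(self.editbuffer[name])
        return list(self.committed.get(name, []))

    def commit(self, name=None):
        """commit security acl NAME | all; returns the ACL names written."""
        names = [name] if name else list(self.editbuffer)
        done = []
        for n in names:
            buf = self.editbuffer.pop(n, None)
            if buf is None:
                continue                    # nothing pending for this ACL
            if buf:
                self.committed[n] = buf
            else:                           # committed ACL with no ACEs is deleted
                self.committed.pop(n, None)
                for vlan in self.mappings:
                    self.mappings[vlan].discard(n)
            done.append(n)
        return done

    def can_map(self, name):
        return name in self.committed

    def map(self, name, vlan):
        """set security acl map NAME VLAN: only a committed ACL can be mapped."""
        if not self.can_map(name):
            raise RuntimeError("Commit ACL %s before mapping." % name)
        self.mappings.setdefault(vlan, set()).add(name)
        return "ACL %s mapped to vlan %d" % (name, vlan)

    def show_map(self, vlan):
        """show security acl map VLAN: names of the ACLs mapped to that VLAN."""
        return sorted(self.mappings.get(vlan, set()))
```

Walking the IPACL1 sequence from this section through the model, show(name) stays empty and map() refuses until commit() runs; a before or modify edit is visible with editbuffer=True but not in the committed view; rollback() throws the pending change away; and clearing every ACE and committing removes the ACL together with its VLAN mapping, which is the Caution at the top of the configuration guidelines.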

Clearing the Edit Buffer

You can clear changes made to the ACL edit buffer since its last save with the rollback command. The ACL is rolled back to its state at the last commit command.

To clear the ACL edit buffer, perform this task in privileged mode:

Task: Clear the ACL edit buffer.
Command: rollback security acl {acl_name | all | adjacency}

This example shows how to clear the edit buffer of a specific security ACL:

Console> (enable) rollback security acl IPACL1
Editbuffer for 'IPACL1' rolled back to last commit state.
Console> (enable)

Removing ACEs from Security ACLs

You can remove a specific ACE or all ACEs from an ACL with the clear security acl command. This command deletes the ACEs from the edit buffer; the change is not applied until you commit.

To remove an ACE from a security ACL, perform this task in privileged mode:

Task: Remove an ACE from a security ACL.
Command:
clear security acl all
clear security acl acl_name
clear security acl acl_name editbuffer_index

This example shows how to remove ACEs from all the ACLs:

Console> (enable) clear security acl all
All editbuffers modified. Use 'commit' command to apply changes.
Console> (enable)

This example shows how to remove a specific ACE from a specific ACL:

Console> (enable) clear security acl IPACL1 2
IPACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)

Clearing the Security ACL Map

You can remove a VACL-to-VLAN mapping with the clear security acl map command.

To clear the security ACL map, perform this task in privileged mode:

Task: Clear the security ACL map.
Command:
clear security acl map all
clear security acl map acl_name
clear security acl map vlan
clear security acl map acl_name vlan
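The edit-buffer workflow described in the preceding sections (set and clear change only the edit buffer, commit applies it, rollback discards it, mapping refuses an uncommitted ACL, and a committed ACL left with no ACEs is deleted) is easy to get wrong when scripting changes. The following is an added model of those semantics, not Cisco code and not taken from the guide; it is useful for checking a planned sequence of commands before typing it into a switch. The `before` argument mirrors the `before editbuffer_index` form of the set security acl command, which is an assumption about the CLI rather than something shown in this section.

```python
"""Edit-buffer model for Catalyst OS security ACLs (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class VaclError(Exception):
    """Raised where the switch would print an error and drop the command."""


@dataclass
class Acl:
    committed: Optional[List[str]] = None           # None: never committed
    editbuffer: List[str] = field(default_factory=list)
    vlans: Set[int] = field(default_factory=set)


class VaclStore:
    def __init__(self) -> None:
        self.acls: Dict[str, Acl] = {}

    def set_ace(self, name: str, ace: str, before: Optional[int] = None) -> None:
        """set security acl ip NAME ACE [before INDEX]: edit buffer only.
        'before' is an assumed CLI option; ACE indexes start at 1."""
        acl = self.acls.setdefault(name, Acl())
        if before is None:
            acl.editbuffer.append(ace)
        else:
            acl.editbuffer.insert(before - 1, ace)

    def clear_ace(self, name: str, index: Optional[int] = None) -> None:
        """clear security acl NAME [INDEX]: removes from the edit buffer only."""
        acl = self.acls[name]
        if index is None:
            acl.editbuffer.clear()
        else:
            del acl.editbuffer[index - 1]

    def rollback(self, name: str) -> None:
        """rollback security acl NAME: back to the last committed state."""
        acl = self.acls[name]
        acl.editbuffer = list(acl.committed or [])

    def commit(self, name: str) -> str:
        """commit security acl NAME: the edit buffer becomes the live ACL.
        A committed ACL with no ACEs is deleted, as the guide states."""
        acl = self.acls[name]
        if not acl.editbuffer:
            del self.acls[name]
            return f"ACL {name} deleted."
        acl.committed = list(acl.editbuffer)
        return f"ACL {name} is committed to hardware."

    def map_vlan(self, name: str, vlan: int) -> None:
        """set security acl map NAME VLAN: refuses an uncommitted ACL."""
        acl = self.acls.get(name)
        if acl is None or acl.committed is None:
            raise VaclError(f"Commit ACL {name} before mapping.")
        acl.vlans.add(vlan)

    def pending(self, name: str) -> bool:
        """True when the editbuffer listing differs from the committed one,
        i.e. a commit is still required before the change takes effect."""
        acl = self.acls[name]
        return acl.editbuffer != (acl.committed or [])

    def show(self, name: str, editbuffer: bool = False) -> List[str]:
        """Numbered listing, like show security acl info NAME [editbuffer]."""
        acl = self.acls[name]
        entries = acl.editbuffer if editbuffer else (acl.committed or [])
        return [f"{i}. {ace}" for i, ace in enumerate(entries, 1)]
```

The check a practitioner wants from this is `pending()`: after every planned set or clear, it tells you whether a commit is still outstanding, which is exactly the state in which a switch reload would silently lose the edit.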

This example shows how to clear all VACL-to-VLAN mappings:

Console> (enable) clear security acl map all
Map deletion in progress.
Successfully cleared mapping between ACL ip1 and VLAN 10.
Successfully cleared mapping between ACL ipx1 and VLAN 10.
...display text omitted...
Console> (enable)

This example shows how to clear the mapping for a specific VACL on a specific VLAN:

Console> (enable) clear security acl map IPACL1 50
Map deletion in progress.
Successfully cleared mapping between ACL ipacl1 and VLAN 50.
Console> (enable)

Displaying VACL Management Information

You can display VACL management information with the show security acl resource-usage command.

To display VACL management information, perform this task in privileged mode:

Task: Display VACL management information.
Command: show security acl resource-usage

This example shows how to display VACL management information:

Console> (enable) show security acl resource-usage
ACL resource usage:
  ACL storage (mask/value): 0.29%/0.10%
  ACL to switch interface mapping table: 0.39%
  ACL layer 4 port operators: 0.0%
Console> (enable)

Capturing Traffic Flows on Specified Ports

You can use the capture option in the set security acl (ip, ipx, and mac) commands to specify that packets that match the specified flows are captured and transmitted out of capture ports. You specify capture ports using the set security acl capture-ports mod/ports... command. When you use the capture option, packets that match the specified flows are switched normally but are also captured and transmitted out of the capture ports.

Capture ports do not send out all the captured traffic; they send out only the traffic belonging to the VLANs of the capture port.

Configuration Guidelines

Follow these guidelines when configuring capture ports:

• The capture port cannot be an ATM port.
• The capture port cannot be part of an EtherChannel.
• The capture port must be in the spanning tree forwarding state for the VLAN.

• You can specify any number of switch ports as capture ports.
• Capture ports are added to a capture port list and the configuration is saved in NVRAM.
• Capture ports do not transmit out all captured traffic. They transmit only traffic belonging to the capture port VLAN. To capture traffic going to many VLANs, the capture port should be a trunk carrying the required VLANs.
• Whether a capture port transmits the traffic or not is independent of the VLAN on which you placed the VACL. For example, assume you have flows from VLAN 10 to VLAN 20 and you add a VACL (on one of the VLANs) permitting these flows and you specify a capture port. This traffic gets transmitted out of the capture port only if it belongs to VLAN 20 or if the port is a trunk carrying VLAN 20. If the capture port is in VLAN 10, it does not transmit any traffic.
• For bridged traffic, ensure that the capture port is in the same VLAN as the bridged traffic, because all the traffic remains in the same VLAN.
• For routed traffic, capture ports transmit packets only after they are Layer 3 switched; packets are transmitted out of a port only if the output VLAN of the Layer 3 switched flow is the same as the capture port VLAN. If you want to capture traffic from one VLAN going to many VLANs, the capture port has to be a trunk carrying all output VLANs.
• Only permit traffic is captured. If a packet is dropped due to an ACL, the packet cannot be captured.
• You can configure one ACL and map it to a group of VLANs, or you can configure a number of ACLs and map each to one VLAN. Configure as many ACEs per ACL as necessary to capture the desired traffic.

To capture traffic flows, perform these steps:

Note An IP VACL is used in this description; you can configure IPX and non-IP version 4/non-IPX VACLs using the same basic steps.

Step 1 Enter the set security acl ip command to create a VACL and add ACEs. To capture traffic, include the capture option.
Step 2 Enter the commit command to commit the VACL and its associated ACEs to NVRAM.
Step 3 Enter the set security acl map command to map the VACL to a VLAN.
Step 4 Enter the set security acl capture-ports mod/ports... command to specify capture ports.

Configuration Examples

This example shows how to create an ACE for my_cap and specify that the allowed traffic be captured:

Console> (enable) set security acl ip my_cap permit ip host 60.1.1.1 host 60.1.1.98 capture
my_cap editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)

This example shows how to commit the my_cap ACL to NVRAM:

Console> (enable) commit security acl my_cap
ACL commit in progress.
ACL my_cap successfully committed.
Console> (enable)
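The VLAN rules in the guidelines above are the usual reason a capture port stays silent: the VACL matched, but the packet left on a VLAN the capture port does not carry. The following added check (not from the guide, not Cisco code) applies those rules to a list of flows and a capture-port definition, reports why a flow would be missed, and lists the VLANs a trunked capture port would need. The Flow and CapturePort records are constructed for the illustration.

```python
"""Capture-port VLAN check for the VACL capture option (added example)."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    name: str
    src_vlan: int
    dst_vlan: int            # equals src_vlan for bridged traffic
    action: str              # "permit" or "deny" (the matching ACE's action)
    capture: bool            # the ACE carried the capture keyword


@dataclass(frozen=True)
class CapturePort:
    port: str                # e.g. "1/1"
    vlans: frozenset         # VLANs carried; a single VLAN for an access port


def output_vlan(flow: Flow) -> int:
    """Capture happens after Layer 3 switching, so the VLAN that decides
    whether the capture port transmits is the one the packet leaves on.
    For bridged traffic that is the flow's own VLAN."""
    return flow.dst_vlan


def capture_decision(flow: Flow, port: CapturePort) -> Tuple[bool, str]:
    """Return (captured, reason) for one flow on one capture port."""
    if flow.action != "permit":
        return False, "only permitted traffic is captured; ACL-dropped packets cannot be"
    if not flow.capture:
        return False, "ACE has no capture keyword"
    vlan = output_vlan(flow)
    if vlan not in port.vlans:
        kind = "bridged" if flow.src_vlan == flow.dst_vlan else "routed"
        return False, f"{kind} flow leaves on VLAN {vlan}, which port {port.port} does not carry"
    return True, f"transmitted on VLAN {vlan} out of port {port.port}"


def missed_flows(flows: List[Flow], port: CapturePort) -> List[Tuple[str, str]]:
    """(flow name, reason) for every flow the capture port would not see."""
    return [(f.name, capture_decision(f, port)[1])
            for f in flows if not capture_decision(f, port)[0]]


def plan_capture_port(flows: List[Flow], port: CapturePort) -> Set[int]:
    """VLANs that would have to be added to the capture port (as a trunk)
    for every capturable flow in 'flows' to reach it."""
    needed = {output_vlan(f) for f in flows if f.action == "permit" and f.capture}
    return needed - set(port.vlans)
```

Run it against the VLAN 10 to VLAN 20 example from the guidelines: an access capture port in VLAN 10 misses the routed flow, and plan_capture_port tells you the trunk must carry VLAN 20.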

This example shows how to map my_cap to VLAN 10:

Console> (enable) set security acl map my_cap 10
Mapping in progress.
VLAN 10 successfully mapped to ACL my_cap.
The old mapping with ACL captest was replaced with the new one.
Console> (enable)

This example shows how to specify capture ports:

Console> (enable) set security acl capture-ports 1/1-2,2/1-2
Successfully set the following ports to capture ACL traffic:
1/1-2,2/1-2
Console> (enable)

This example shows how to display ports that have been specified as capture ports:

Console> (enable) show security acl capture-ports
ACL Capture Ports: 1/1-2,2/1-2
Console> (enable)

This example shows how to clear capture ports:

Console> (enable) clear security acl capture-ports 1/1,2/1
Successfully cleared the following ports: 1/1,2/1
Console> (enable)

This example shows that ports 1/1 and 2/1 were cleared:

Console> (enable) show security acl capture-ports
ACL Capture Ports:1/2,2/2
Console> (enable)

Configuring VACL Logging

Note This feature is only available with Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2).

You can log messages about denied packets for the standard IP access list by entering the log keyword for deny VACLs. That is, any packet that matches the access list will cause an informational logging message about the packet to be sent to the console. The first packet that triggers the access list causes a logging message right away, and subsequent packets are collected over 5-minute intervals before they are displayed or logged. The logging message includes the flow pattern and the number of packets received in the prior 5-minute interval.

The level of messages logged to the console is controlled by the set logging level acl severity command. By default, system logging messages are sent to the console. You can configure the switch to send system logging messages to a syslog server. For information on configuring system message logging, see Chapter 27, "Configuring System Message Logging."

Configuration Guidelines

Follow these guidelines when configuring VACL logging:

• Log only deny traffic from IP VACLs.
• You must set the logging level to 6 (information) or 7 (debugging).

To enable VACL logging, perform these steps:

Step 1 Enter the set logging level acl severity command to set the logging level to 6 (information) or 7 (debugging).

Step 2 (Optional) Enter the set security acl log maxflow max_number command to allocate a new log table based on the maximum flow pattern number to store logged packet information. Valid values are from 256 to 2048; the default value is 500. If successful, the new buffer replaces the old one and all flows in the old table are cleared. If either memory is not enough or the maximum number is over the limit, an error message is displayed and the command is dropped.

Note If the maximum flow pattern is over the max_num limit, the command is dropped and the range is displayed on the console. Messages are not logged for these packets.

Step 3 (Optional) Enter the set security acl log ratelimit pps command to set the redirect rate in pps (packets per second). Valid values are from 500 to 5000; the default value is 2500. If the configuration is over the range, an error message is displayed and the command is dropped.

Note If the redirect rate is over the pps range, the command is discarded and the range is displayed on the console. Messages are not logged for these packets.

Step 4 Enter the set security acl ip acl_name deny log command to create an IP VACL and enable logging.

Step 5 Enter the commit security acl acl_name command to commit the VACL to NVRAM.

Step 6 Enter the set security acl map acl_name vlan command to map the VACL to a VLAN.

Configuration Examples

This example shows how to set the logging level:

Console> (enable) set logging level acl 6
System logging facility <acl> for this session set to severity 6(information)
Console> (enable)

This example shows how to allocate a new log table based on the maximum flow:

Console> (enable) set security acl log maxflow 512
Set VACL Log table to 512 flow patterns.
Console> (enable)

This example shows how to set the redirect rate:

Console> (enable) set security acl log ratelimit 1000
Set Redirect Rate to 1000 pps.
Console> (enable)

This example shows how to display the VACL log configuration:

Console> (enable) show security acl log config
VACL LOG Configration
------------------------------------------------------------
Max Flow Pattern : 512
Redirect Rate (pps) : 1000
Console> (enable)
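Because the switch reports the first denied packet immediately and later packets only as 5-minute interval totals, a collector has to add the counts per flow before it can alert on them. The following added example (not from the guide, not Cisco code) parses %ACL-6-VACLLOG messages in the format this section describes, sums the denied-packet counts per flow, and applies a simple threshold rule per source address. The sample lines are constructed to match that format, including one unrelated syslog message to show it being ignored.

```python
"""Parser and aggregator for %ACL-6-VACLLOG syslog messages (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Message shape: <timestamp> %ACL-6-VACLLOG:VLAN <n>(Port <m/p>) denied ip <proto>
#                <src>(<sport>) -> <dst>(<dport>), <count> packet[s]
LOG_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"%ACL-6-VACLLOG:VLAN (?P<vlan>\d+)\(Port (?P<port>\d+/\d+)\) "
    r"denied ip (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


class VaclLogEntry(NamedTuple):
    timestamp: str
    vlan: int
    port: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    count: int


def parse_vacllog(line: str) -> Optional[VaclLogEntry]:
    """Return a structured entry, or None if the line is not a VACLLOG message."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return VaclLogEntry(
        m["ts"], int(m["vlan"]), m["port"], m["proto"],
        m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["count"]),
    )


def denied_flow_totals(lines: List[str]) -> Dict[tuple, int]:
    """Sum denied packets per (vlan, proto, src, sport, dst, dport) flow,
    combining the immediate first-packet message with the interval totals."""
    totals: Dict[tuple, int] = defaultdict(int)
    for line in lines:
        e = parse_vacllog(line)
        if e is None:
            continue                          # unrelated syslog message
        totals[(e.vlan, e.proto, e.src, e.sport, e.dst, e.dport)] += e.count
    return dict(totals)


def noisy_sources(lines: List[str], threshold: int) -> List[str]:
    """Source addresses whose denied-packet total reaches 'threshold':
    a minimal alerting rule over the aggregated counts."""
    per_src: Dict[str, int] = defaultdict(int)
    for flow, count in denied_flow_totals(lines).items():
        per_src[flow[2]] += count
    return sorted(s for s, n in per_src.items() if n >= threshold)


# Constructed sample in the format this section describes.
SAMPLE_LOG = [
    "2000 Jul 19 01:14:06 %ACL-6-VACLLOG:VLAN 1(Port 2/1) denied ip tcp 21.0.0.1(2000) -> 255.255.255.255(3000), 1 packet",
    "2000 Jul 19 01:19:06 %ACL-6-VACLLOG:VLAN 1(Port 2/1) denied ip tcp 21.0.0.1(2000) -> 255.255.255.255(3000), 7 packets",
    "2000 Jul 19 01:25:06 %ACL-6-VACLLOG:VLAN 1(Port 2/2) denied ip tcp 21.0.0.1(2000) -> 255.255.255.255(3000), 2 packets",
    "2000 Jul 19 01:25:07 %SYS-5-MOD_OK:Module 2 is online",
]
```

The port is deliberately left out of the flow key: the same flow can be reported from different ports (2/1 and 2/2 in the sample), and the log table on the switch keys on the flow pattern, not the port.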

This example shows how to create an ACE for my_cap and specify that denied traffic be logged:

Console> (enable) set security acl ip my_cap deny ip host 21.0.0.1 log
my_cap editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)

This example shows how to commit the my_cap ACL to NVRAM:

Console> (enable) commit security acl my_cap
ACL commit in progress.
ACL my_cap successfully committed.
Console> (enable)

This example shows how to map the VACL to a VLAN:

Console> (enable) set security acl map my_cap 1
Mapping in progress.
ACL my_cap successfully mapped to VLAN 1.
Console> (enable)

This example shows the resulting logging messages:

2000 Jul 19 01:14:06 %ACL-6-VACLLOG:VLAN 1(Port 2/1) denied ip tcp 21.0.0.1(2000) -> 255.255.255.255(3000), 1 packet
2000 Jul 19 01:19:06 %ACL-6-VACLLOG:VLAN 1(Port 2/1) denied ip tcp 21.0.0.1(2000) -> 255.255.255.255(3000), 7 packets
2000 Jul 19 01:25:06 %ACL-6-VACLLOG:VLAN 1(Port 2/2) denied ip tcp 21.0.0.1(2000) -> 255.255.255.255(3000), 1 packets

This example shows how to display the flow information in the log table:

Console> (enable) show security acl log flow ip any any
Total matched entry number = 1
Entry No. #1
IP Packet
----------------------------------------
Vlan Number : 1
Mod/Port Number : 2/1
Source IP address : 21.0.0.1
Destination IP address : 255.255.255.255
TCP Source port : 2000
TCP Destination port : 3000
Received Packet Number : 10

This example shows how to clear the log table:

Console> (enable) clear security acl log flow
Log table is cleared.
Console> (enable)

Configuring and Storing VACLs and QoS ACLs in Flash Memory

This section describes how to configure and store VACLs and QoS ACLs in Flash memory instead of NVRAM. Prior to this feature, all configuration information was stored in NVRAM. With the addition of QoS and security ACLs (VACLs), NVRAM could become full. In addition to limiting ACL configuration, filling up NVRAM can cause problems when you attempt to upgrade from one software version to another.

Note In most cases, the 512-KB NVRAM is sufficient for storing VACLs and QoS ACLs; therefore, all ACL configurations are stored in NVRAM by default.

This section describes the following tasks:

• Automatically Moving the VACL and QoS ACL Configuration to Flash Memory, page 16-xliv
• Manually Moving the VACL and QoS ACL Configuration to Flash Memory, page 16-xliv
• Running with the VACL and QoS ACL Configuration in Flash Memory, page 16-xlvi
• Moving the VACL and QoS ACL Configuration Back to NVRAM, page 16-xlvi
• Redundancy Synchronization Support, page 16-xlvi
• Interacting with High Availability, page 16-xlvii

Note See Chapter 23, "Modifying the Switch Boot Configuration," for additional information on using the commands described in this section.

Automatically Moving the VACL and QoS ACL Configuration to Flash Memory

Moving the VACL and QoS ACL configuration to Flash memory is done automatically only during system software upgrades, and then only if there is not sufficient NVRAM for the upgrade. If there is not enough NVRAM to perform a software upgrade, the QoS ACL and VACL configuration is deleted from NVRAM and the ACL configuration is automatically moved to Flash memory. During this process, the system also does the following:

• Sets the CONFIG_FILE variable to bootflash:switchapp.cfg
• Enables the set boot config-register auto-config command recurring, append, and sync options

When this occurs, these syslog messages display:

1999 Sep 01 17:00:00 %SYS-1-CFG_FLASH:ACL configuration moved to bootflash:switchapp.cfg
1999 Sep 01 17:00:00 %SYS-1-CFG_ACL_DEALLOC:NVRAM full. Qos/Security ACL configuration deleted from NVRAM.

The VACL and QoS ACL configuration has now been successfully moved to Flash memory.

If an error occurs during the upgrade, these syslog messages display:

1999 Sep 01 17:00:00 %SYS-1-CFG_FLASH_ERR:Failed to write ACL configuration to bootflash:switchapp.cfg
1999 Sep 01 17:00:00 %SYS-1-CFG_ACL_DEALLOC:NVRAM full. Qos/Security ACL configuration deleted from NVRAM.

If you receive these error messages, the VACL and QoS ACL configuration is stored in DRAM only. You need to make more space available in Flash memory and then save the configuration to Flash memory (as described in the "Moving the VACL and QoS ACL Configuration Back to NVRAM" section on page 16-xlvi). Alternatively, you might try to delete unneeded VACLs and QoS ACLs and save the ACL configuration to NVRAM using the set config acl nvram command.

3 and 6. append. Console> (enable) set boot config-register auto-config append Configuration register is 0x12F ignore-config: disabled auto-config: recurring.Chapter 16 Configuring and Storing VACLs and QoS ACLs in Flash Memory Configuring Access Control Manually Moving the VACL and QoS ACL Configuration to Flash Memory If your VACL and QoS ACL configuration requirements require more memory than the 512-KB NVRAM. Catalyst 6000 Family Software Configuration Guide—Releases 6.cfg Upload ACL configuration to bootflash:switchapp. Console> (enable) Step 6 Delete the VACL and QoS ACL configuration from NVRAM. sync enabled console baud: 9600 boot: image specified by the boot system commands Console> (enable) Step 5 Save committed VACL and QoS ACL configuration changes to the auto-config file. the auto-config file(s) synchronize automatically to the standby supervisor engine.cfg CONFIG_FILE variable = bootflash:switchapp. proceed (y/n) [n]? y ACL configuration has been copied successfully. you can manually move the VACL and QoS ACL configuration to Flash memory as follows: Step 1 Specify the VACL and QoS ACL auto-config file to use to configure the switch at startup. sync disabled console baud: 9600 boot: image specified by the boot system commands Console> (enable) Step 3 Specify if the auto-config file should be used to overwrite the NVRAM configuration or be appended to what is currently in NVRAM. overwrite. Console> (enable) set boot auto-config bootflash:switchapp. sync disabled console baud: 9600 boot: image specified by the boot system commands Console> (enable) Step 4 Specify if synchronization should be enabled or disabled. Console> (enable) set boot config-register auto-config recurring Configuration register is 0x12F ignore-config: disabled auto-config: recurring. 
append.cfg Console> (enable) Step 2 Specify if the switch should retain (recurring keyword) or clear (non-recurring keyword) the contents of the CONFIG_FILE environment variable after a reset or power cycle.4 16-44 78-13315-02 .cfg 2843644 bytes available on device bootflash. Console> (enable) clear config acl nvram ACL configuration has been deleted from NVRAM. Console> (enable) set boot config-register auto-config sync enable Configuration register is 0x12F ignore-config: disabled auto-config: recurring. Warning: Use the copy commands to save the ACL configuration to a file and the ’set boot config-register auto-config’ commands to configure the auto-config feature. With synchronization enabled. Console> (enable) copy acl-config bootflash:switchapp.

Running with the VACL and QoS ACL Configuration in Flash Memory

After you move the VACL and QoS ACL configuration to Flash memory, it is removed from NVRAM. At this point, QoS ACL and VACL commit operations are no longer written to NVRAM. You have to copy the configuration to the Flash file manually as follows:

• If you use the set boot config-register auto-config append option, after making any additional changes to the VACL and QoS ACL configuration and committing those changes, you must enter the copy acl-config bootflash:switchapp.cfg command to save the configuration to the auto-config file. At this point, the VACL and QoS ACL configuration is no longer in NVRAM; it is saved in the auto-config file bootflash:switchapp.cfg and will be appended to the NVRAM configuration at system startup. The auto-config file is synchronized automatically to the standby supervisor engine because synchronization was enabled.

• If you do not use the set boot config-register auto-config append option, the auto-config feature clears the configuration before executing the auto-config file at system startup. Any changes made in NVRAM are lost. You should always copy your entire configuration (not just the VACL and QoS ACL configuration) to the auto-config file when you want to save it. You then only have to copy the VACL and QoS ACL configuration to this file after commit operations.

Note VACL and QoS ACL mapping commands (set qos acl map and set security acl map) are also stored in the auto-config file. If the VACL and QoS ACL configuration is in Flash memory and you use the mapping commands, you need to enter the copy command to save the configuration to Flash memory.

Note If you cannot write the configuration to Flash memory, the VACL and QoS ACL configuration exists in DRAM only. A system reset for any reason can cause the VACL and QoS ACL configuration to revert to the default. If you cannot write the VACL and QoS ACL configuration to Flash memory, make additional room available in Flash memory and then try to write the VACL and QoS ACL configuration to Flash memory again.

At system startup, if the VACL and QoS ACL configuration location is set to Flash memory but either the CONFIG_FILE variable is not set or none of the files specified exist, the following syslog message displays:

1999 Sep 01 17:00:00 %SYS-0-CFG_FLASH_ERR:ACL configuration set to flash but no ACL configuration file found.

Moving the VACL and QoS ACL Configuration Back to NVRAM

This example shows how to move the VACL and QoS ACL configuration back to NVRAM:

Console> (enable) set config acl nvram
ACL configuration copied to NVRAM.
Console> (enable)
Console> (enable) clear boot auto-config
CONFIG_FILE variable =
Console> (enable)

Redundancy Synchronization Support

The set boot commands contain an option to synchronize the auto-config file automatically. When you enable the auto-config option, the auto-config file on the active supervisor engine is automatically synchronized to the standby supervisor engine whenever a change is made. Similarly, deleting the auto-config file on the active supervisor engine causes the file to be deleted on the standby supervisor engine, and if you insert a new standby supervisor engine, the active supervisor engine automatically synchronizes the auto-config file to it.

Interacting with High Availability

After a supervisor engine switchover, the VACL and QoS ACL configuration on the standby supervisor engine is consistent with what was on the active supervisor engine, just as in the case where the VACL and QoS ACL configuration is saved in NVRAM. The only difference is that, if the VACL and QoS ACL configuration resides in Flash memory, the data is stored in DRAM; the functional behavior of a switchover does not change.

Configuring Policy-Based Forwarding

The policy-based forwarding (PBF) feature is an extension of VACL redirection supported by the Policy Feature Card 2 (PFC2). It can prove to be particularly beneficial in any flat Layer 2 network used for transparent bridging where a limited amount of inter-VLAN communication is required. This feature can also be used in server farms or DMZs where bridging devices like server load balancing appliances are involved, or where firewall load balancing is performed.

Note PBF may require some configuration on attached hosts. When a router is not present in the network, for example, ARP table entries have to be statically added on each host participating in PBF.

Note PBF is supported on Layer 3 IP unicast traffic; it is not applicable to Layer 2 traffic. PBF does not support Internetwork Packet Exchange (IPX) and multicast traffic.

Note PBF does not work with 802.1Q tunnel traffic. At the intermediate (PBF) switch, all 802.1Q tunnel traffic appears as Layer 2 traffic.

PBF is described in these sections:

• Understanding How Policy-Based Forwarding Works, page 16-xlvii
• Hardware and Software Requirements, page 16-xlviii
• Configuring Policy-Based Forwarding, page 16-xlviii
• Policy-Based Forwarding Configuration Example, page 16-lvi

Understanding How Policy-Based Forwarding Works

PBF configuration involves these steps:

• Enabling PBF and specifying a MAC address for the PFC2
• Configuring VACLs for PBF
• Configuring attached hosts for PBF

You enable PBF by specifying a MAC address for the PFC2. The MAC address can be a default or user-specified MAC address. Packets have to be sent with the destination MAC address equal to the PFC2 MAC address: the PFC2 must think the packet is a Layer 3 packet or no rewrite operation occurs. If packets are not sent with the PFC2 MAC address, the PFC2 treats the packets as Layer 2 packets. When a router is not present in the network, you need to specify static ARP entries on participating hosts.

The PBF VACL is created using the security ACL (VACL) commands (set security acl commands). The PBF VACL contains an adjacency table entry for the PFC2 and a redirect ACE. When the packet from the source VLAN comes into the PFC2, it hits the PBF VACL. Based on the information provided in the adjacency table, the packet header is rewritten (destination VLAN and source and destination MAC addresses) and the packet is forwarded to the destination VLAN. The packets are forwarded between VLANs only if they hit the VACL entries that are associated with the adjacency information.

Note Because VACLs are applied to incoming and outgoing traffic, you must configure all VACLs carefully when using PBF. You must set VACLs on both VLANs that participate in PBF. If the VACLs are not specific, a rewritten packet could hit a deny statement in the outgoing VACL and be dropped.

Hardware and Software Requirements

PBF hardware and software requirements are as follows:

• PBF requires Supervisor Engine 2 with the Policy Feature Card 2 (PFC2) (WS-X6K-S2-PFC2).
• PBF requires supervisor engine software release 6.3(1) or later releases.
• PBF is not supported with an operating (booted) Multilayer Switch Feature Card 2 (MSFC2) in the Catalyst 6000 family switch that is being used for PBF. If you try to configure PBF with an MSFC2 present and booted, the system responds with a message indicating the feature is not supported with an MSFC2. If an MSFC2 is present but has not booted, you can configure PBF.

Configuring Policy-Based Forwarding

This section provides guidelines and configuration examples for PBF. The configuration examples use the example configuration shown in Figure 16-8. The Catalyst 6000 family switch redirects all the traffic coming from Host A on VLAN 10 to Host B on VLAN 11, and redirects traffic from Host B to Host A.

This section contains the following example procedures:

• Enabling PBF and Specifying a MAC Address for the PFC2, page 16-xlix
• Configuring VACLs for PBF, page 16-l
• Displaying PBF Information, page 16-lii
• Clearing Entries in PBF VACLs, page 16-liii
• Rolling Back Adjacency Table Entries in the Edit Buffer, page 16-liv
• Configuring Hosts for PBF, page 16-liv

Figure 16-8 Policy-Based Forwarding

[Figure: a Catalyst 6500 series switch with PFC2 MAC address 00-11-11-11-11-11 connecting VLAN 10 and VLAN 11. Host A (IP 10.0.0.1, MAC 00:00:00:00:00:0A, interface Ethernet1) is on VLAN 10; Host B (IP 11.0.0.1, MAC 00:00:00:00:00:0B, interface Ethernet0) is on VLAN 11.]

Enabling PBF and Specifying a MAC Address for the PFC2

Note The MAC address can be a default or user-specified MAC address. The default MAC address is taken from a MAC address PROM on the Catalyst 6000 family switch chassis. We recommend that you use the default MAC address provided by the MAC address PROM. When specifying a MAC address using the set pbf mac command, ensure that the MAC address is unique and not already being used on any interfaces; if the MAC address you specify is a duplicate of a MAC address already in use, packets might get dropped.

To display PBF status and MAC address, perform this task in privileged mode:

Task: Display PBF status and MAC address.
Command: show pbf

To enable PBF, perform one of these tasks in privileged mode:

Task: Enable PBF with a default MAC address.
Command: set pbf

Task: Enable PBF with a specific MAC address.
Command: set pbf [mac mac_address]

This example shows how to check PBF status and MAC address, enable PBF with a default MAC address, and verify the change:

Console> (enable) show pbf
Pbf status   Mac address
----------------------------
not set      00-00-00-00-00-00
Console> (enable)
Console> (enable) set pbf
PBF committed successfully.
Operation successful.
Console> (enable)
Console> (enable) show pbf
Pbf status   Mac address
----------------------------
ok           00-01-64-61-39-c2
Console> (enable)

This example shows how to enable PBF with a specific MAC address:

Console> (enable) set pbf mac 00-11-11-11-11-11
PBF committed successfully.
Operation successful.
Console> (enable)
Console> (enable) show pbf
Pbf status   Mac address
----------------------------
ok           00-11-11-11-11-11
Console> (enable)

To disable PBF and clear the PBF MAC address, perform this task in privileged mode:

Task: Disable PBF and clear the PBF MAC address.
Command: clear pbf

This example shows how to clear the PBF MAC address:

Console> (enable) clear pbf
PBF cleared.
Console> (enable)
Console> (enable) show pbf
Pbf status   Mac address
----------------------------
not set      00-00-00-00-00-00
Console> (enable)

Configuring VACLs for PBF

Note Enter the set security acl adjacency command to specify the rewrite information in the adjacency table that causes the packet header to be rewritten (destination VLAN and source and destination MAC addresses) and forwarded to the destination VLAN. The source MAC address is optional; if you do not specify the source MAC address, the system defaults to the PBF MAC address.

Note To enable jumbo frame forwarding using PBF, enter the mtu keyword in the set security acl adjacency command.

Note You can configure a maximum of 256 adjacency table entries for a VLAN. The maximum number of adjacency table entries is 1023.

Note The same adjacency table entry can be used by more than one redirect ACE.

The order of entries in a PBF VACL is important. The adjacency table entry has to be defined in the VACL before the redirect ACE, because the redirect ACE uses it to redirect traffic. You should create entries for PBF VACLs in the following order:

1. Specify the adjacency table entry.
2. Specify the redirect ACE in the PBF VACL that is using the adjacency table entry.
3. Commit the adjacency table entry.
4. Commit the PBF VACL.
5. Map the PBF VACL to a single VLAN or multiple VLANs.

Note You can combine steps 3 and 4 by entering the commit security acl all command.

To specify an adjacency table entry for the PFC2, perform this task in privileged mode:

Task                                              Command
Specify an adjacency table entry for the PFC2.    set security acl adjacency adjacency_name dest_vlan dest_mac [[source_mac] | [source_mac mtu mtu_size] | [mtu mtu_size]]

This example shows how to specify the adjacency table entry:

Console> (enable) set security acl adjacency ADJ1 11 00-00-00-00-00-0B
ADJ1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)

This example shows how to create the PBF VACL for VLAN 10 (shown in Figure 8):

Console> (enable) set security acl adjacency ADJ1 11 00-00-00-00-00-0B
ADJ1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) commit security acl adjacency
Commit operation in progress.
Adjacency successfully committed.
Console> (enable) set security acl ip IPACL1 redirect ADJ1 ip host 10.0.0.1 host 11.0.0.1
IPACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) set security acl ip IPACL1 permit any
IPACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) commit security acl IPACL1
ACL commit in progress.
ACL 'IPACL1' successfully committed.
Console> (enable) set security acl map IPACL1 10
Mapping in progress.
ACL IPACL1 successfully mapped to VLAN 10.
Console> (enable)

This example shows how to create the PBF VACL for VLAN 11 (see Figure 8):

Console> (enable) set security acl adjacency ADJ2 10 00-00-00-00-00-0A
ADJ2 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) commit security acl adjacency
Commit operation in progress.
Adjacency successfully committed.
Console> (enable) set security acl ip IPACL2 redirect ADJ2 ip host 11.0.0.1 host 10.0.0.1
IPACL2 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) set security acl ip IPACL2 permit any
IPACL2 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) commit security acl IPACL2
ACL commit in progress.
ACL 'IPACL2' successfully committed.
Console> (enable) set security acl map IPACL2 11
Mapping in progress.
ACL IPACL2 successfully mapped to VLAN 11.
Console> (enable)
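The ordering rules above (adjacency defined before the redirect ACE that uses it, adjacency committed before the VACL is committed, VACL committed before it is mapped, and the per-VLAN and total adjacency limits) are easy to get wrong when a PBF configuration is scripted. The following linter is an added example, not Cisco code: it reads a CatOS command script in the syntax shown in this chapter and reports ordering violations before the script is pasted into the switch. It also models the reverse order the chapter requires when removing entries (a VACL that uses an adjacency must be cleared and committed before the adjacency itself is cleared, which the switch otherwise rejects). The sample scripts are constructed from the Figure 8 procedure; commands outside the syntax shown here are ignored.

```python
"""Ordering linter for a CatOS PBF command script (added example, not Cisco code).

Rules modelled, all taken from the chapter's text:
  * a redirect ACE may reference only an adjacency that is already defined;
  * an ACL can be committed only when every adjacency it references is committed
    ("commit security acl all" commits the adjacencies first, then the ACLs);
  * an ACL must be committed before it is mapped to a VLAN;
  * an adjacency can be cleared only after the VACLs using it are cleared and committed;
  * at most 256 adjacency entries per VLAN and 1023 in total.
"""
MAX_ADJ_PER_VLAN = 256
MAX_ADJ_TOTAL = 1023


def lint_pbf_script(text):
    """Return a list of (line number, message); an empty list means the script is clean."""
    adj_pending, adj_committed = {}, {}      # adjacency name -> destination VLAN
    adj_to_clear = set()                     # adjacencies cleared in the edit buffer
    acl_pending, acl_committed = {}, {}      # ACL name -> set of adjacency names it references
    acl_to_clear = set()                     # ACLs cleared in the edit buffer
    findings = []

    def commit_adjacencies():
        for name in adj_to_clear:
            adj_committed.pop(name, None)
        adj_to_clear.clear()
        adj_committed.update(adj_pending)
        adj_pending.clear()

    def commit_acl(name, lineno):
        if name in acl_to_clear:                     # committing a clear deletes the ACL
            acl_committed.pop(name, None)
            acl_to_clear.discard(name)
        if name in acl_pending:
            missing = sorted(a for a in acl_pending[name] if a not in adj_committed)
            if missing:
                findings.append((lineno, f"ACL {name} committed before adjacency "
                                         f"{', '.join(missing)} was committed"))
            acl_committed[name] = acl_pending.pop(name)

    def acls_using(adj):
        live = {a: r for a, r in acl_committed.items() if a not in acl_to_clear}
        live.update(acl_pending)
        return sorted(a for a, refs in live.items() if adj in refs)

    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        head = " ".join(tok[:4])
        if head == "set security acl adjacency":
            name, vlan = tok[4], int(tok[5])
            table = {**adj_committed, **adj_pending, name: vlan}
            for cleared in adj_to_clear:
                table.pop(cleared, None)
            if len(table) > MAX_ADJ_TOTAL:
                findings.append((lineno, f"more than {MAX_ADJ_TOTAL} adjacency entries"))
            if sum(v == vlan for v in table.values()) > MAX_ADJ_PER_VLAN:
                findings.append((lineno, f"more than {MAX_ADJ_PER_VLAN} adjacency entries for VLAN {vlan}"))
            adj_pending[name] = vlan
        elif head == "set security acl ip":
            acl = tok[4]
            refs = acl_pending.setdefault(acl, set())   # any ACE stages the ACL in the edit buffer
            if "redirect" in tok:
                adj = tok[tok.index("redirect") + 1]
                if adj not in adj_pending and adj not in adj_committed:
                    findings.append((lineno, f"redirect ACE in {acl} uses undefined adjacency {adj}"))
                refs.add(adj)
        elif head == "set security acl map":
            if tok[4] not in acl_committed:
                findings.append((lineno, f"ACL {tok[4]} mapped before it was committed"))
        elif " ".join(tok[:3]) == "commit security acl":
            target = tok[3]
            if target in ("adjacency", "all"):
                commit_adjacencies()
            if target == "all":
                for acl in list(acl_pending) + list(acl_to_clear):
                    commit_acl(acl, lineno)
            elif target != "adjacency":
                commit_acl(target, lineno)
        elif head == "clear security acl adjacency":
            users = acls_using(tok[4])
            if users:
                findings.append((lineno, f"adjacency {tok[4]} is in use by VACL "
                                         f"{', '.join(users)}; clear and commit the VACL first"))
            adj_pending.pop(tok[4], None)
            adj_to_clear.add(tok[4])
        elif " ".join(tok[:3]) == "clear security acl":
            if tok[3] == "all":
                acl_pending.clear(); adj_pending.clear()
                acl_to_clear.update(acl_committed); adj_to_clear.update(adj_committed)
            else:
                acl_pending.pop(tok[3], None)
                acl_to_clear.add(tok[3])
    return findings


# Constructed sample scripts: the Figure 8 procedure in the documented order, and the same
# commands with the adjacency defined after the ACE that uses it and cleared while in use.
GOOD_SCRIPT = """\
set security acl adjacency ADJ1 11 00-00-00-00-00-0B
commit security acl adjacency
set security acl ip IPACL1 redirect ADJ1 ip host 10.0.0.1 host 11.0.0.1
set security acl ip IPACL1 permit any
commit security acl IPACL1
set security acl map IPACL1 10
"""
BAD_SCRIPT = """\
set security acl ip IPACL1 redirect ADJ1 ip host 10.0.0.1 host 11.0.0.1
set security acl adjacency ADJ1 11 00-00-00-00-00-0B
commit security acl IPACL1
set security acl map IPACL1 10
clear security acl adjacency ADJ1
"""
```

Running `lint_pbf_script(GOOD_SCRIPT)` returns no findings, while the second script is flagged on the ACE that references an undefined adjacency, on the ACL commit that precedes the adjacency commit, and on the clear of an adjacency still used by a committed VACL.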

Displaying PBF Information

This section describes how to display PBF-related information. To display adjacency table entries, perform these tasks in normal mode:

Task                                                                Command
Display adjacency table entries.                                    show security acl info [acl_name | adjacency | all] [editbuffer [editbuffer_index]]
Display PBF adjacency information for all adjacency table entries   show pbf adjacency [adj name]
or a specific adjacency table entry.
Display PBF statistics for all adjacency table entries or a         show pbf statistics [adj name]
specific adjacency table entry.
Display the adjacency-to-VACL mappings for all adjacency table      show pbf map [adj name]
entries or a specific adjacency table entry.

Console> show security acl info adjacency
set security acl adjacency ADJ1
--------------------------------------------------
1. 11 00-00-00-00-00-0b
set security acl adjacency ADJ2
--------------------------------------------------
1. 10 00-00-00-00-00-0a
Console> show pbf adjacency
Index DstVlan DstMac            SrcMac            Name
------------------------------------------------------------------
1     11      00-00-00-00-00-0a 00-00-00-00-00-0b ADJ1
2     10      00-00-00-00-00-0a 00-00-00-00-00-0b ADJ2
Console> show pbf statistics
Index DstVlan DstMac            SrcMac            HitCount(hex) Name
------------------------------------------------------------------------
1     11      00-00-00-00-00-0a 00-00-00-00-00-0b 0x00000000    ADJ1
2     10      00-00-00-00-00-0a 00-00-00-00-00-0b 0x00000000    ADJ2
Console> show pbf map
Adjacency          ACL
-----------------  -------------------
ADJ1               IPACL1
ADJ2               IPACL2
Console> (enable)

Clearing Entries in PBF VACLs

The adjacency table entry cannot be cleared before the redirect ACE. You should clear the redirect ACE and the adjacency table entry in PBF VACLs in the following order:

1. Clear the redirect ACE.
2. Commit the PBF VACL.

3. Clear the adjacency table entry.
4. Commit the adjacency table entry.

To clear a PBF adjacency table entry, perform this task in privileged mode:

Task                                   Command
Clear a PBF adjacency table entry.     clear security acl adjacency adj name

This example shows how to clear a PBF adjacency table entry:

Console> (enable) clear security acl adjacency ADJ1
Adj is in use by a VACL, clear the VACL first then clear adj.
Console> (enable) clear security acl IPACL1
IPACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) commit security acl IPACL1
ACL commit in progress.
ACL 'IPACL1' successfully deleted.
Console> (enable) clear security acl adjacency ADJ1
ADJ1 editbuffer modified. Use 'commit' command to save changes.
Console> (enable) commit security acl adjacency
Commit operation in progress.
Adjacency committed successfully
Console> (enable)

Rolling Back Adjacency Table Entries in the Edit Buffer

You can clear adjacency table entries in the edit buffer that were made prior to the last commit by using the rollback command. The adjacency table entries are rolled back to their state at the last commit.

To roll back the adjacency table entries in the edit buffer, perform this task in privileged mode:

Task                                                    Command
Roll back adjacency table entries in the edit buffer.   rollback security acl {acl_name | all | adjacency}

This example shows how to roll back adjacency table entries in the edit buffer:

Console> (enable) rollback security acl adjacency
Editbuffer for adjacency info rolled back to last commit state.
Console> (enable)

Configuring Hosts for PBF

This section provides host configuration procedures for the following platforms and operating systems:

• Linux, page 16-liv
• Sun Workstation, page 16-lv
• MS-Windows/NT/2000 Hosts, page 16-lv

Note When a router is not present in the network, note that there are limitations you must take into account when configuring the hosts.

PBF Limitations

PBF does not support ARP. You need to specify static ARP entries on participating hosts. Each static ARP entry must point to the PBF MAC address that is mapped to the destination host. The host’s ARP table maps the IP address of the host device to the MAC address of the PFC2.

Note The IP addresses in the following examples are the IP addresses used in Figure 8. These IP addresses were randomly selected. Make sure that the IP addresses you use in your network configuration are unique.

Linux

These examples show how to configure the ARP table for hosts running the Linux operating system.

This example shows how to configure Host A:

arp -s 11.0.0.1 00:11:11:11:11:11 -i eth0
route add 11.0.0.1 eth0

This example shows how to configure Host B:

arp -s 10.0.0.1 00:11:11:11:11:11 -i eth1
route add 10.0.0.1 eth1

Sun Workstation

When using PBF to enable forwarding between two VLANs with Sun Workstation end hosts, you must set a static ARP entry on each Sun Workstation that participates in PBF. You must also configure the Sun Workstation to have a gateway. If the Sun Workstation needs to communicate to a different network, you need to first define a dummy static ARP entry for the gateway, and if required, you must define a default gateway, and you must define the host routes for all networks that go through PBF.

For example, if host 10.0.0.1 on VLAN 40 needs to communicate with host 11.0.0.1 on VLAN 50, and assuming the PBF MAC address is 00-11-11-11-11-11, the static ARP entry would be as follows:

arp -s 11.0.0.1 00:11:11:11:11:11

where 00-11-11-11-11-11 is the PBF MAC address, and 11.0.0.1 is the IP address of the destination host.

Sun Workstation Limitations

Sun Workstations do not allow you to set a static ARP entry if the destination is part of a different network (11.x.x.x in this example). This is a limitation of ARP in all Sun Workstations. To overcome this problem, you need to define a dummy gateway, which is a host route, and set a static ARP entry pointing to the PBF MAC address mapped to the destination host. Using the example above, the IP address of the gateway is one of the host addresses within that network as follows:

(A)Kubera# arp -s 10.0.0.2 00:11:11:11:11:11
(B)Kubera# route add host 11.0.0.1 10.0.0.2

You need to set only one dummy ARP entry for PBF-related traffic and the host routes for each destination host. If the number of hosts increases, you need to set the host route entries for each destination host. You can set up a startup file in /etc/rc2.d which has host route entries for each of the destination hosts. Setting up this file prevents you from having to key in all the host route entries after the Workstation is reset or rebooted. Entries in the file should use this form:

Route add host <destination Host IP Address> <dummy gateway IP Address>

The file that contains the host route entries needs to be started as one of the startup scripts. You can create the file in a directory that has full permissions for the root/superuser, set a soft link pointing to that file in /etc/rc2.d, or create the file in the /etc/rc2.d directory itself.

MS-Windows/NT/2000 Hosts

Similar to the Sun Workstation setup, you must also set static ARP entries on Windows-based PCs. For Windows-based PCs, you do not need to set up any dummy gateways for switching between VLANs with PBF. If you need to configure more hosts, you can create a batch file with ARP entries to each destination host and specify that Windows use this file at startup.

This example shows how to configure static ARP entries in Windows-based platforms:

C:\> arp -s 11.0.0.1 00-11-11-11-11-11

In this example, 00-11-11-11-11-11 is the PBF MAC address and 11.0.0.1 is the IP address of the destination host.

Policy-Based Forwarding Configuration Example

This section provides example configurations to enable PBF between hosts on VLAN 1 and hosts on VLAN 2 (see Figure 9).

Figure 16-9 Policy-Based Forwarding Configuration Example

[Figure: a Catalyst 6500 series switch with PFC2 MAC address 00-11-22-33-44-55. Port 6/17 is on VLAN 1 and port 6/9 is on VLAN 2. VLAN 1 hosts: IP 44.0.0.1 through 44.0.0.17, MAC 00-20-20-20-20-20 through 00:20:20:20:20:2f, interface Port 4/1. VLAN 2 hosts: IP 43.0.0.1 through 43.0.0.17, MAC 00-0a-0a-0a-0a-0a through 00:0a:0a:0a:0a:19, interface Port 4/2.]

This example shows the switch configuration file that was created to enable PBF between the hosts on VLAN 1 and VLAN 2. Only the first four hosts from each VLAN are shown in the example (44.0.0.1 through 44.0.0.4 and 43.0.0.1 through 43.0.0.4).

#security ACLs
clear security acl all
#adj set
set security acl adjacency a_1 2 00-0a-0a-0a-0a-0a
set security acl adjacency a_2 2 00-0a-0a-0a-0a-0b
set security acl adjacency a_3 2 00-0a-0a-0a-0a-0c
set security acl adjacency a_4 2 00-0a-0a-0a-0a-0d
set security acl adjacency b_1 1 00-20-20-20-20-20
set security acl adjacency b_2 1 00-20-20-20-20-21
set security acl adjacency b_3 1 00-20-20-20-20-22
set security acl adjacency b_4 1 00-20-20-20-20-23
#ip1
set security acl ip ip1 permit arp
set security acl ip ip1 redirect a_1 ip host 44.0.0.1 host 43.0.0.1
set security acl ip ip1 redirect a_2 ip host 44.0.0.2 host 43.0.0.2
set security acl ip ip1 redirect a_3 ip host 44.0.0.3 host 43.0.0.3
set security acl ip ip1 redirect a_4 ip host 44.0.0.4 host 43.0.0.4
set security acl ip ip1 permit ip any any
#ip2
set security acl ip ip2 permit arp
set security acl ip ip2 redirect b_1 ip host 43.0.0.1 host 44.0.0.1
set security acl ip ip2 redirect b_2 ip host 43.0.0.2 host 44.0.0.2
set security acl ip ip2 redirect b_3 ip host 43.0.0.3 host 44.0.0.3
set security acl ip ip2 redirect b_4 ip host 43.0.0.4 host 44.0.0.4
set security acl ip ip2 permit ip any any
#pbf set
set pbf mac 00-11-22-33-44-55
#
commit security acl all
set security acl map ip1 1
set security acl map ip2 2
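The configuration file above follows a fixed pattern: one adjacency per destination host (the destination's VLAN and MAC address), one redirect ACE per permitted flow placed in the VACL of the source VLAN, "permit arp" first and "permit ip any any" last in each VACL, then the PBF MAC address, a single "commit security acl all" and the VLAN mappings. The generator below is an added example, not Cisco code and not the file shown above: it produces a configuration with that structure for any list of inter-VLAN flows, so that adding hosts does not mean hand-editing adjacency names and MAC addresses. The host table and flow list are constructed from Figure 9; the adjacency name prefixes per destination VLAN (a_ for VLAN 2, b_ for VLAN 1) are this example's convention, chosen to match the file above.

```python
"""Generate a CatOS PBF configuration for a set of host-to-host flows.

Added example for this chapter, not Cisco code. Input: a host table
{ip: (vlan, mac)} and a list of (source ip, destination ip) flows; output: the
configuration lines in the order the chapter's Figure 9 file uses.
"""
import re


def cisco_mac(mac):
    """Normalise aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or AA-BB-... to the dashed
    lower-case form used with the set security acl adjacency command."""
    digits = re.sub(r"[-:.]", "", mac.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def pbf_config(hosts, flows, pbf_mac, prefixes):
    """Return the configuration lines; `prefixes` maps a destination VLAN to the
    adjacency name prefix used for hosts in that VLAN (e.g. {2: "a", 1: "b"})."""
    acl_name = {vlan: f"ip{vlan}" for vlan in sorted({v for v, _ in hosts.values()})}
    adjacency = {}                      # destination ip -> adjacency name
    counters = {v: 0 for v in acl_name}
    aces = {v: [] for v in acl_name}    # source VLAN -> redirect ACEs in its VACL
    for src, dst in flows:
        src_vlan, dst_vlan = hosts[src][0], hosts[dst][0]
        if src_vlan == dst_vlan:
            raise ValueError(f"{src} -> {dst} stays inside VLAN {src_vlan}; PBF is not needed")
        if dst not in adjacency:        # one adjacency per destination host, reused by all flows to it
            counters[dst_vlan] += 1
            adjacency[dst] = f"{prefixes[dst_vlan]}_{counters[dst_vlan]}"
        aces[src_vlan].append(f"set security acl ip {acl_name[src_vlan]} redirect "
                              f"{adjacency[dst]} ip host {src} host {dst}")
    lines = ["#security ACLs", "clear security acl all", "#adj set"]
    for dst, name in adjacency.items():
        vlan, mac = hosts[dst]
        lines.append(f"set security acl adjacency {name} {vlan} {cisco_mac(mac)}")
    for vlan, acl in acl_name.items():
        lines += [f"#{acl}", f"set security acl ip {acl} permit arp", *aces[vlan],
                  f"set security acl ip {acl} permit ip any any"]
    lines += ["#pbf set", f"set pbf mac {cisco_mac(pbf_mac)}", "#", "commit security acl all"]
    lines += [f"set security acl map {acl} {vlan}" for vlan, acl in acl_name.items()]
    return lines


# Constructed from Figure 9: the first four hosts of each VLAN and the pairwise flows
# between them, as in the configuration file shown in the chapter.
FIGURE9_HOSTS = {
    **{f"44.0.0.{i}": (1, f"00:20:20:20:20:{0x20 + i - 1:02x}") for i in range(1, 5)},
    **{f"43.0.0.{i}": (2, f"00:0a:0a:0a:0a:{0x0a + i - 1:02x}") for i in range(1, 5)},
}
FIGURE9_FLOWS = ([(f"44.0.0.{i}", f"43.0.0.{i}") for i in range(1, 5)] +
                 [(f"43.0.0.{i}", f"44.0.0.{i}") for i in range(1, 5)])

if __name__ == "__main__":
    print("\n".join(pbf_config(FIGURE9_HOSTS, FIGURE9_FLOWS, "00-11-22-33-44-55", {2: "a", 1: "b"})))
```

Because each redirect ACE names both the source and the destination host, only the listed flows are redirected; any other inter-VLAN traffic falls through to "permit ip any any" and stays in its own VLAN, which is the behaviour a reviewer should expect when reading such a file.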

This example shows how to display MAC addresses learned by the switch for port 6/17 on VLAN 1:

Console> (enable) show cam dynamic 6/17
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry $ = Dot1x Security Entry

VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  --------------------  -----  -------------------------------------------
1     00-20-20-20-20-23            6/17 [ALL]
1     00-20-20-20-20-22            6/17 [ALL]
1     00-20-20-20-20-21            6/17 [ALL]
1     00-20-20-20-20-20            6/17 [ALL]
1     00-20-20-20-20-27            6/17 [ALL]
1     00-20-20-20-20-26            6/17 [ALL]
1     00-20-20-20-20-25            6/17 [ALL]
1     00-20-20-20-20-24            6/17 [ALL]
1     00-20-20-20-20-2b            6/17 [ALL]
1     00-20-20-20-20-2a            6/17 [ALL]
1     00-20-20-20-20-29            6/17 [ALL]
1     00-20-20-20-20-28            6/17 [ALL]
1     00-20-20-20-20-2f            6/17 [ALL]
1     00-20-20-20-20-2e            6/17 [ALL]
1     00-20-20-20-20-2d            6/17 [ALL]
1     00-20-20-20-20-2c            6/17 [ALL]
Total Matching CAM Entries Displayed for 6/17 = 16

This example shows how to display MAC addresses learned by the switch for port 6/9 on VLAN 2:

Console> (enable) show cam dynamic 6/9
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry $ = Dot1x Security Entry

VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  --------------------  -----  -------------------------------------------
2     00-0a-0a-0a-0a-0e            6/9 [ALL]
2     00-0a-0a-0a-0a-0f            6/9 [ALL]
2     00-0a-0a-0a-0a-0c            6/9 [ALL]
2     00-0a-0a-0a-0a-0d            6/9 [ALL]
2     00-0a-0a-0a-0a-0a            6/9 [ALL]
2     00-0a-0a-0a-0a-0b            6/9 [ALL]
2     00-0a-0a-0a-0a-19            6/9 [ALL]
2     00-0a-0a-0a-0a-18            6/9 [ALL]
2     00-0a-0a-0a-0a-17            6/9 [ALL]
2     00-0a-0a-0a-0a-16            6/9 [ALL]
2     00-0a-0a-0a-0a-15            6/9 [ALL]
2     00-0a-0a-0a-0a-14            6/9 [ALL]
2     00-0a-0a-0a-0a-13            6/9 [ALL]
2     00-0a-0a-0a-0a-12            6/9 [ALL]
2     00-0a-0a-0a-0a-11            6/9 [ALL]
2     00-0a-0a-0a-0a-10            6/9 [ALL]
Total Matching CAM Entries Displayed for 6/9 = 16

This example shows how to display the PBF status and the PFC2 MAC address:

Console> (enable) show pbf
Pbf status    Mac address
----------    -----------------
ok            00-11-22-33-44-55

This example shows how to display the PBF statistics:

Console> (enable) show pbf statistics
Index DstVlan DstMac            SrcMac            HitCount(hex) Name
------------------------------------------------------------------------
1     2       00-0a-0a-0a-0a-0a 00-11-22-33-44-55 0x00026d7c    a_1
2     2       00-0a-0a-0a-0a-0b 00-11-22-33-44-55 0x00026d83    a_2
3     2       00-0a-0a-0a-0a-0c 00-11-22-33-44-55 0x00026d89    a_3
4     2       00-0a-0a-0a-0a-0d 00-11-22-33-44-55 0x00026d90    a_4
5     1       00-20-20-20-20-20 00-11-22-33-44-55 0x000260e3    b_1
6     1       00-20-20-20-20-21 00-11-22-33-44-55 0x000260ea    b_2
7     1       00-20-20-20-20-22 00-11-22-33-44-55 0x000260f1    b_3
8     1       00-20-20-20-20-23 00-11-22-33-44-55 0x000260f8    b_4

CHAPTER 17

Configuring GVRP

This chapter describes how to configure the Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP) on the Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

Note GVRP requires supervisor engine software release 5.2 or later releases.

This chapter consists of these sections:

• Understanding How GVRP Works, page 17-i
• Default GVRP Configuration, page 17-ii
• GVRP Configuration Guidelines, page 17-ii
• Configuring GVRP, page 17-ii

Understanding How GVRP Works

GVRP is a GARP application that provides IEEE 802.1Q-compliant VLAN pruning and dynamic VLAN creation on 802.1Q trunk ports. With GVRP, the switch can exchange VLAN configuration information with other GVRP switches, prune unnecessary broadcast and unknown unicast traffic, and dynamically create and manage VLANs on switches connected through 802.1Q trunk ports.

Note GARP and GVRP are industry-standard protocols described in IEEE 802.1p.

Default GVRP Configuration

Table 1 shows the default GVRP configuration.

Table 17-1 GVRP Default Configuration

Feature                           Default Value
GVRP global enable state          Disabled
GVRP per-trunk enable state       Disabled on all ports
GVRP dynamic creation of VLANs    Disabled
GVRP registration mode            normal, with VLAN 1 set to fixed, for all ports
GVRP applicant state              normal (ports do not declare VLANs when in the STP(1) blocking state)
GARP timers                       Join time: 200 ms
                                  Leave time: 600 ms
                                  Leaveall time: 10,000 ms

(1) STP = Spanning Tree Protocol

GVRP Configuration Guidelines

Follow these guidelines when configuring GVRP:

• You can configure the per-port GVRP state only on 802.1Q-capable ports.
• You must enable GVRP on both ends of an 802.1Q trunk link.
• VLAN 1 is always carried by 802.1Q trunks on which GVRP is enabled. The GVRP registration mode for VLAN 1 is always fixed and is not configurable.
• When VTP pruning is enabled, it runs on all GVRP-disabled 802.1Q trunk ports.

Configuring GVRP

These sections describe how to configure GVRP:

• Enabling GVRP Globally, page 17-iii
• Enabling GVRP on Individual 802.1Q Trunk Ports, page 17-iii
• Enabling GVRP Dynamic VLAN Creation, page 17-iv
• Configuring GVRP Registration, page 17-v
• Configuring GVRP VLAN Declarations from Blocking Ports, page 17-vi
• Setting the GARP Timers, page 17-vii
• Displaying GVRP Statistics, page 17-viii
• Clearing GVRP Statistics, page 17-viii
• Disabling GVRP on Individual 802.1Q Trunk Ports, page 17-viii
• Disabling GVRP Globally, page 17-ix

Enabling GVRP Globally

You must enable GVRP globally before any GVRP processing occurs on the switch. Enabling GVRP globally enables GVRP to perform VLAN pruning on 802.1Q trunk links. Pruning occurs only on GVRP-enabled trunks. For information on setting the per-trunk port GVRP enable state, see the “Enabling GVRP on Individual 802.1Q Trunk Ports” section on page 17-iii.

To enable dynamic VLAN creation, you must explicitly enable dynamic VLAN creation globally on the switch as well. For information on enabling dynamic VLAN creation, see the “Enabling GVRP Dynamic VLAN Creation” section on page 17-iv.

To enable GVRP globally on the switch, perform this task in privileged mode:

        Task                          Command
Step 1  Enable GVRP on the switch.    set gvrp enable
Step 2  Verify the configuration.     show gvrp configuration

This example shows how to enable GVRP and verify the configuration:

Console> (enable) set gvrp enable
GVRP enabled
Console> (enable) show gvrp configuration
Global GVRP Configuration:
GVRP Feature is currently enabled on the switch.
GVRP Timers(milliseconds)
Join     = 200
Leave    = 600
LeaveAll = 10000
Port based GVRP Configuration:
Port                        GVRP Status  Registration
--------------------------  -----------  ------------
2/1-2,3/1-8,7/1-24,8/1-24   Enabled      Normal
GVRP Participants running on 3/7-8.
Console>

Enabling GVRP on Individual 802.1Q Trunk Ports

Note You can change the per-trunk GVRP configuration regardless of whether GVRP is enabled globally. However, GVRP will not function on any ports until you enable it globally. For information on configuring GVRP globally on the switch, see the “Enabling GVRP Globally” section on page 17-iii.

There are two per-port GVRP states:

• The static GVRP state configured in the command-line interface (CLI) and stored in NVRAM
• The actual GVRP state of the ports (active GVRP participants)

You can configure the static GVRP port-state on any 802.1Q-capable switch ports, regardless of the global GVRP enable state or whether the port is an 802.1Q trunk. However, in order for the port to become an active GVRP participant, you must enable GVRP globally and the port must be an 802.1Q trunk port, either through CLI configuration or Dynamic Trunking Protocol (DTP) negotiation.

To enable GVRP on individual 802.1Q-capable ports, perform this task in privileged mode:

        Task                                                  Command
Step 1  Enable GVRP on an individual 802.1Q-capable port.     set port gvrp mod/port enable
Step 2  Verify the configuration.                             show gvrp configuration

This example shows how to enable GVRP on 802.1Q-capable port 1/1:

Console> (enable) set port gvrp 1/1 enable
GVRP enabled on 1/1.
Console> (enable)

Enabling GVRP Dynamic VLAN Creation

You can enable GVRP dynamic VLAN creation only if these conditions are met:

• The switch is in VTP transparent mode
• All trunk ports on the switch are 802.1Q trunks (the trunk connection to an MSFC is exempt from this restriction)
• GVRP is enabled on all trunk ports

If you enable dynamic VLAN creation, these configuration restrictions are imposed:

• You cannot change the switch to VTP server or client mode
• You cannot disable GVRP on a trunk port running GVRP

If any port on the switch becomes an Inter-Switch Link (ISL) trunk (either by CLI configuration or negotiated using DTP) while dynamic VLAN creation is enabled, dynamic VLAN creation is disabled automatically until the conditions for enabling dynamic VLAN creation are restored.

Note Dynamic VLAN creation supports all VLAN types.

Note VLANs can only be created dynamically on 802.1Q trunks in the normal registration mode.

To enable GVRP dynamic VLAN creation on the switch, perform this task in privileged mode:

        Task                                           Command
Step 1  Enable dynamic VLAN creation on the switch.    set gvrp dynamic-vlan-creation enable
Step 2  Verify the configuration.                      show gvrp configuration

This example shows how to enable dynamic VLAN creation on the switch:

Console> (enable) set gvrp dynamic-vlan-creation enable
Dynamic VLAN creation enabled.
Console> (enable)

Configuring GVRP Registration

These sections describe how to configure GVRP registration modes on switch ports:

• Configuring GVRP Normal Registration, page 17-v
• Configuring GVRP Fixed Registration, page 17-v
• Configuring GVRP Forbidden Registration, page 17-vi

Configuring GVRP Normal Registration

Configuring an 802.1Q trunk port in normal registration mode allows dynamic creation (if dynamic VLAN creation is enabled), registration, and deregistration of VLANs on the trunk port. Normal mode is the default.

To configure GVRP normal registration on an 802.1Q trunk port, perform this task in privileged mode:

        Task                                                      Command
Step 1  Configure normal registration on an 802.1Q trunk port.    set gvrp registration normal mod/port
Step 2  Verify the configuration.                                 show gvrp configuration

This example shows how to configure normal registration on an 802.1Q trunk port:

Console> (enable) set gvrp registration normal 1/1
Registrar Administrative Control set to normal on port 1/1.
Console> (enable)

Configuring GVRP Fixed Registration

Configuring an 802.1Q trunk port in fixed registration mode allows manual creation and registration of VLANs, prevents VLAN deregistration, and registers all VLANs known on other ports on the trunk port.

To configure GVRP fixed registration on an 802.1Q trunk port, perform this task in privileged mode:

        Task                                                     Command
Step 1  Configure fixed registration on an 802.1Q trunk port.    set gvrp registration fixed mod/port
Step 2  Verify the configuration.                                show gvrp configuration

This example shows how to configure fixed registration on an 802.1Q trunk port:

Console> (enable) set gvrp registration fixed 1/1
Registrar Administrative Control set to fixed on port 1/1.
Console> (enable)

Configuring GVRP Forbidden Registration

Configuring an 802.1Q trunk port in forbidden registration mode deregisters all VLANs (except VLAN 1) and prevents any further VLAN creation or registration on the trunk port.

To configure GVRP forbidden registration on an 802.1Q trunk port, perform this task in privileged mode:

        Task                                                         Command
Step 1  Configure forbidden registration on an 802.1Q trunk port.    set gvrp registration forbidden mod/port
Step 2  Verify the configuration.                                    show gvrp configuration

This example shows how to configure forbidden registration on an 802.1Q trunk port:

Console> (enable) set gvrp registration forbidden 1/1
Registrar Administrative Control set to forbidden on port 1/1.
Console> (enable)

Configuring GVRP VLAN Declarations from Blocking Ports

To prevent undesirable Spanning Tree Protocol (STP) topology reconfiguration on a port connected to a device that does not support Per-VLAN STP+ (PVST+), configure the GVRP active applicant state on the port. Ports in the GVRP active applicant state send GVRP VLAN declarations when they are in the STP blocking state, which prevents the STP bridge protocol data units (BPDUs) from being pruned from the other port.

Note Configuring fixed registration on the other device’s port also prevents undesirable STP topology reconfiguration.

To configure an 802.1Q trunk port to send VLAN declarations when in the blocking state, perform this task in privileged mode:

Task                                                                                Command
Configure an 802.1Q trunk port to send VLAN declarations when in the blocking state.  set gvrp applicant state {normal | active} mod/port

This example shows how to configure a group of 802.1Q trunk ports to send VLAN declarations when in the blocking state:

Console> (enable) set gvrp applicant state active 4/2-3,4/9-10,4/12-24
Applicant was set to active on port(s) 4/2-3,4/9-10,4/12-24.
Console> (enable)

Use the normal keyword to return to the default state (active mode disabled).

Setting the GARP Timers

Note The commands set gvrp timer and show gvrp timer are aliases for set garp timer and show garp timer. The aliases may be used if desired.

You can modify the default GARP timer values on the switch.

Note Modifying the GARP timer values affects the behavior of all GARP applications running on the switch, not just GVRP. (For example, GMRP uses the same timers.)

Caution Set the same GARP timer values on all Layer 2-connected devices. If the GARP timers are set differently on Layer 2-connected devices, GARP applications (for example, GMRP and GVRP) do not operate successfully.

When setting the timer values, the value for leave must be at least three times the join value (leave >= join * 3). The value for leaveall must be greater than the value for leave (leaveall > leave). If you attempt to set a timer value that does not adhere to these rules, an error is returned. For example, if you set the leave timer to 600 ms and you attempt to configure the join timer to 350 ms, an error is returned. Set the leave timer to at least 1050 ms and then set the join timer to 350 ms.

To set the GARP timer values, perform this task in privileged mode:

        Task                          Command
Step 1  Set the GARP timer values.    set garp timer {join | leave | leaveall} timer_value
Step 2  Verify the configuration.     show garp timer

This example shows how to set the GARP timers and verify the configuration:

Console> (enable) set garp timer join 200
GMRP/GARP join timer value is set to 200 milliseconds.
Console> (enable) set garp timer leave 600
GMRP/GARP leave timer value is set to 600 milliseconds.
Console> (enable) set garp timer leaveall 10000
GMRP/GARP leaveAll timer value is set to 10000 milliseconds.
Console> (enable) show garp timer
Timer     Timer Value (milliseconds)
--------  --------------------------
Join      200
Leave     600
LeaveAll  10000
Console> (enable)
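Because the switch validates each set garp timer command against the timers currently in effect, a set of new values that is valid as a whole can still be rejected if the commands are entered in the wrong order (the 600/350 case above). The following planner is an added example, not Cisco code: given the current and the desired join/leave/leaveall values, it returns the set garp timer commands in an order in which every intermediate state satisfies both rules, and it refuses targets that can never satisfy them. The defaults come from Table 17-1; the command strings use the syntax shown in this section.

```python
"""Order GARP timer changes so the switch accepts every command (added example, not Cisco code).

Rules from the chapter: leave >= 3 * join and leaveall > leave, checked by the switch
on every set garp timer command against the values currently in effect.
"""

DEFAULT_TIMERS = {"join": 200, "leave": 600, "leaveall": 10000}   # Table 17-1 defaults, ms


def timers_valid(timers):
    """True when a join/leave/leaveall combination satisfies both rules."""
    return timers["leave"] >= 3 * timers["join"] and timers["leaveall"] > timers["leave"]


def plan_garp_timer_changes(current, target):
    """Return the set garp timer commands that move `current` to `target` such that no
    intermediate state violates the rules.

    Timers that grow are set from leaveall down to join (raise each upper bound before
    the value it bounds); timers that shrink are set from join up to leaveall (lower
    each value before the bound above it). Since both current and target are valid,
    every intermediate state then satisfies both rules.
    """
    if not timers_valid(current):
        raise ValueError(f"current timers already violate the rules: {current}")
    if not timers_valid(target):
        raise ValueError(f"target timers violate the rules: {target}")
    order = [t for t in ("leaveall", "leave") if target[t] > current[t]]
    if target["join"] != current["join"]:
        order.append("join")
    order += [t for t in ("leave", "leaveall") if target[t] < current[t]]

    state, commands = dict(current), []
    for timer in order:
        state[timer] = target[timer]
        if not timers_valid(state):          # defensive: the ordering argument above guarantees this never fires
            raise RuntimeError(f"planner produced an invalid intermediate state {state}")
        commands.append(f"set garp timer {timer} {target[timer]}")
    return commands


if __name__ == "__main__":
    # The chapter's example: raising join to 350 ms requires leave to be at least 1050 ms first.
    for cmd in plan_garp_timer_changes(DEFAULT_TIMERS, {"join": 350, "leave": 1050, "leaveall": 10000}):
        print(cmd)
```

The same plan should be applied, in the same order, on every Layer 2-connected device, since the Caution above requires identical timer values network-wide.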

Displaying GVRP Statistics

To display GVRP statistics on the switch, perform this task:

Task                        Command
Display GVRP statistics.    show gvrp statistics [mod/port]

This example shows how to display GVRP statistics for port 1/1:

Console> (enable) show gvrp statistics 1/1
Join Empty Received:      0
Join In Received:         0
Empty Received:           0
LeaveIn Received:         0
Leave Empty Received:     0
Leave All Received:       40
Join Empty Transmitted:   156
Join In Transmitted:      0
Empty Transmitted:        0
Leave In Transmitted:     0
Leave Empty Transmitted:  0
Leave All Transmitted:    41
VTP Message Received:     0
Console> (enable)

Clearing GVRP Statistics

To clear all GVRP statistics on the switch, perform this task in privileged mode:

Task                      Command
Clear GVRP statistics.    clear gvrp statistics {mod/port | all}

This example shows how to clear all GVRP statistics on the switch:

Console> (enable) clear gvrp statistics all
GVRP Statistics cleared for all ports.
Console> (enable)

Disabling GVRP on Individual 802.1Q Trunk Ports

To disable GVRP on individual 802.1Q trunk ports, perform this task in privileged mode:

        Task                                               Command
Step 1  Disable GVRP on an individual 802.1Q trunk port.   set port gvrp disable mod/port
Step 2  Verify the configuration.                          show gvrp configuration

This example shows how to disable GVRP on 802.1Q trunk port 1/1:

Console> (enable) set gvrp disable 1/1
GVRP disabled on 1/1.
Console> (enable)

Disabling GVRP Globally

To disable GVRP globally on the switch, perform this task in privileged mode:

Task                           Command
Disable GVRP on the switch.    set gvrp disable

This example shows how to disable GVRP globally on the switch:

Console> (enable) set gvrp disable
GVRP disabled
Console> (enable)


CHAPTER 18

Configuring Dynamic Port VLAN Membership with VMPS

This chapter describes how to configure dynamic port VLAN membership using the VLAN Management Policy Server (VMPS).

Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:

• Understanding How VMPS Works, page 18-i
• Default VMPS and Dynamic Port Configuration, page 18-ii
• Dynamic Port VLAN Membership and VMPS Configuration Guidelines, page 18-iii
• Configuring VMPS and Dynamic Port VLAN Membership, page 18-iii
• Troubleshooting VMPS and Dynamic Port VLAN Membership, page 18-viii
• Dynamic Port VLAN Membership with VMPS Configuration Examples, page 18-ix
• Dynamic Port VLAN Membership with Auxiliary VLANs, page 18-xii

Understanding How VMPS Works

With VMPS, you can assign switch ports to VLANs dynamically, based on the source Media Access Control (MAC) address of the device connected to the port. When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.

When you enable VMPS, a MAC address-to-VLAN mapping database downloads from a Trivial File Transfer Protocol (TFTP) server and VMPS begins to accept client requests. If you reset or power cycle the switch, the VMPS database downloads from the TFTP server automatically and VMPS is reenabled.

VMPS opens a User Datagram Protocol (UDP) socket to communicate and listen to client requests. When the VMPS server receives a valid request from a client, it searches its database for a MAC address-to-VLAN mapping.

If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group. If the VLAN is allowed on the port, the VLAN name is returned to the client. If the VLAN is not allowed on the port and VMPS is not in secure mode, the host receives an “access denied” response. If VMPS is in secure mode, the port is shut down.

If a VLAN in the database does not match the current VLAN on the port and active hosts are on the port, VMPS sends an access denied or a port shutdown response based on the VMPS secure mode.

You can configure a fallback VLAN name. If you connect a device with a MAC address that is not in the database, VMPS sends the fallback VLAN name to the client. If you do not configure a fallback VLAN and the MAC address does not exist in the database, VMPS sends an access denied response. If VMPS is in secure mode, it sends a port shutdown response.

You can also make an explicit entry in the configuration table to deny access to specific MAC addresses for security reasons by specifying a --NONE-- keyword for the VLAN name. In this case, VMPS sends an access denied or port shutdown response.

A dynamic port can belong to only one native VLAN in software releases prior to release 6.2(1); with software release 6.2(1), a port can belong to a native VLAN and an auxiliary VLAN. See the “Dynamic Port VLAN Membership with Auxiliary VLANs” section on page 18-xii for complete details. When the link comes up, a dynamic port is isolated from its static VLAN. The source MAC address from the first packet of a new host on the dynamic port is sent to VMPS, which attempts to match the MAC address to a VLAN in the VMPS database. If there is a match, VMPS provides the VLAN number to assign to the port. If there is no match, VMPS either denies the request or shuts down the port (depending on the VMPS secure mode setting). Multiple hosts (MAC addresses) can be active on a dynamic port if they are all in the same VLAN. If the link goes down on a dynamic port, the port returns to an isolated state. Any hosts that come online through the port are checked again with VMPS before the port is assigned to a VLAN.

Default VMPS and Dynamic Port Configuration

Table 1 shows the default VMPS and dynamic port configuration.

Table 18-1 Default VMPS and Dynamic Port Configuration

Feature                                   Default Configuration
VMPS server
  VMPS enable state                       Disabled
  VMPS management domain                  Null
  VMPS TFTP server                        None
  VMPS database configuration filename    vmps-config-database.1
  VMPS fallback VLAN                      Null
  VMPS secure mode                        Open
  VMPS no domain requests                 Allow

Table 18-1  Default VMPS and Dynamic Port Configuration (continued)

Feature                                  Default Configuration
VMPS client
  VMPS domain server                     None
  VMPS reconfirm interval                60 minutes
  VMPS server retry count                3
  Dynamic ports                          No dynamic ports configured

Dynamic Port VLAN Membership and VMPS Configuration Guidelines

These guidelines and restrictions apply to dynamic port VLAN membership:
• You must configure VMPS before you configure ports as dynamic.
• When you configure a port as dynamic, spanning tree PortFast is enabled automatically for that port. Automatic enabling of spanning tree PortFast prevents applications on the host from timing out and entering loops caused by incorrect configurations. You can disable spanning tree PortFast mode on a dynamic port.
• If you reconfigure a port from a static port to a dynamic port on the same VLAN, the port connects immediately to that VLAN. However, VMPS checks the legality of the specific host on the dynamic port after a certain period.
• Static secure ports cannot become dynamic ports. You must turn off security on the static secure port before it can become dynamic.
• Static ports that are trunking cannot become dynamic ports. You must turn off trunking on the trunk port before changing it from static to dynamic.

Note  The VTP management domain and the management VLAN of VMPS clients and the VMPS server must be the same. For more information, see Chapter 10, “Configuring VTP,” and Chapter 11, “Configuring VLANs.”

Configuring VMPS and Dynamic Port VLAN Membership

These sections describe how to configure VMPS and define dynamic ports on clients:
• Creating the VMPS Database, page 18-iv
• Configuring VMPS, page 18-v
• Configuring Dynamic Ports on VMPS Clients, page 18-v
• Administering and Monitoring VMPS, page 18-vi
• Configuring Static VLAN Port Membership, page 18-vii

Creating the VMPS Database

To use VMPS, you first must create a VMPS database and store it on a TFTP server. To create a VMPS database, perform this task:

Step 1  Determine the MAC addresses of the hosts you want to be assigned to VLANs dynamically.
        Command: show cam
Step 2  Create an ASCII text file on your workstation or PC that contains the MAC address-to-VLAN mappings.
        Command: —
Step 3  Move the ASCII text file to a TFTP server so it can be downloaded to the switch.
        Command: —

Follow these guidelines for creating the VMPS database file:
• Begin the configuration file with the word “VMPS,” to prevent other types of configuration files from incorrectly being read by the VMPS server.
• Define the VMPS domain—The VMPS domain should correspond to the VTP domain name configured on the switch.
• Define the security mode—VMPS can operate in open or secure mode.
• (Optional) Define a fallback VLAN—The fallback VLAN is assigned if the MAC address of the connected host is not defined in the database.
• Define the MAC address-to-VLAN name mappings—Enter the MAC address of each host and the VLAN to which each should belong. Use the --NONE-- keyword as the VLAN name to deny the specified host network connectivity.
• Define port groups—A port group is a logical group of ports. A port is identified by the IP address of the switch and the module/port number of the port in the form mod/port. Ranges are not allowed for the port numbers. The keyword all-ports specifies all the ports in the specified switch. You can apply VMPS policies to individual ports or to port groups.
• Define VLAN groups—A VLAN group defines a logical group of VLANs. These logical groups define the VLAN port policies.
• Define VLAN port policies—VLAN port policies define the ports associated with a restricted VLAN. You can configure a restricted VLAN by defining the set of dynamic ports on which it can exist.

The VMPS parser is line based. Start each entry in the file on a new line.

Note  For an example ASCII text VMPS database configuration file, see the “VMPS Database Configuration File Example” section on page 18-ix.

Configuring VMPS

When you enable VMPS, the switch downloads the VMPS database from the TFTP or rcp server and begins accepting VMPS requests. To configure VMPS, perform this task in privileged mode:

Step 1  Specify the download method.
        Command: set vmps downloadmethod rcp | tftp [username]
Step 2  Configure the IP address of the TFTP or rcp server on which the ASCII text VMPS database configuration file resides.
        Command: set vmps downloadserver ip_addr [filename]
Step 3  Enable VMPS.
        Command: set vmps state enable
Step 4  Verify the VMPS configuration.
        Command: show vmps

This example shows how to enable VMPS on the switch:
Console> (enable) set vmps state enable
Vlan Membership Policy Server enable is in progress.
Console> (enable)

To disable VMPS, perform this task in privileged mode:

Step 1  Disable VMPS.
        Command: set vmps state disable
Step 2  Verify that VMPS is disabled.
        Command: show vmps

This example shows how to disable VMPS on the switch:
Console> (enable) set vmps state disable
All the VMPS configuration information will be lost and the resources released on disable.
Do you want to continue (y/n[n]): y
Vlan Membership Policy Server disabled.
Console> (enable)

Configuring Dynamic Ports on VMPS Clients

To configure dynamic ports on VMPS client switches, perform this task in privileged mode:

Step 1  Specify the IP address of the VMPS server (the switch with VMPS enabled).
        Command: set vmps server ip_addr [primary]
Step 2  Verify the VMPS server specification.
        Command: show vmps server
Step 3  Configure dynamic port VLAN membership assignment to a port.
        Command: set port membership mod/port dynamic
Step 4  Verify the dynamic port assignments.
        Command: show port [mod[/port]]


This example shows how to specify the VMPS server, verify the VMPS server specification, assign dynamic ports, and verify the configuration:
Console> (enable) show vmps server
VMPS domain server    VMPS Status
--------------------  -----------
192.0.0.6
192.0.0.1             primary
192.0.0.9
Console> (enable) set port membership 3/1-3 dynamic
Ports 3/1-3 vlan assignment set to dynamic.
Spantree port fast start option enabled for ports 3/1-3.
Console> (enable) set port membership 1/2 dynamic
Trunking port 1/2 vlan assignment cannot be set to dynamic.
Console> (enable) set port membership 2/1 dynamic
ATM LANE port 2/1 vlan assignment can not be set to dynamic.
Console> show port
Port  Name  Status   Vlan   Level   Duplex  Speed  Type
1/1         connect  dyn-3  normal  full    100    100 BASE-TX
1/2         connect  trunk  normal  half    100    100 BASE-TX
2/1         connect  trunk  normal  full    155    OC3 MMF ATM
3/1         connect  dyn-5  normal  half    10     10 BASE-T
3/2         connect  dyn-5  normal  half    10     10 BASE-T
3/3         connect  dyn-5  normal  half    10     10 BASE-T
Console> (enable)

Note  The show port command displays dyn- under the Vlan column of the display when it has not yet been assigned a VLAN for a port.

Administering and Monitoring VMPS
To show information about MAC address-to-VLAN mappings, perform one of these tasks in privileged mode:

Task: Show the VLAN to which a MAC address is mapped in the database.
      Command: show vmps mac [mac_address]
Task: Show the MAC addresses that are mapped to a VLAN in the database.
      Command: show vmps vlan [vlan_name]
Task: Show ports belonging to a restricted VLAN.
      Command: show vmps vlanports [vlan_name]

To show VMPS statistics, perform this task in privileged mode:

Task: Show VMPS statistics.
      Command: show vmps statistics


To clear VMPS statistics, perform this task in privileged mode:

Task: Clear VMPS statistics.
      Command: clear vmps statistics

To clear a VMPS server entry, perform this task in privileged mode:

Task: Clear a VMPS server entry.
      Command: clear vmps server ip_addr

To reconfirm the dynamic port VLAN membership assignments, perform this task in privileged mode:

Step 1  Reconfirm dynamic port VLAN membership.
        Command: reconfirm vmps
Step 2  Verify the dynamic VLAN reconfirmation status.
        Command: show dvlan statistics

This example shows how to reconfirm dynamic port VLAN membership assignments:
Console> (enable) reconfirm vmps
reconfirm process started
Use 'show dvlan statistics' to see reconfirm status
Console> (enable)

To download the VMPS database manually (to download a changed database configuration file or retry after a failed download attempt), perform this task in privileged mode:

Step 1  Download the VMPS database from the TFTP server, or specify a different VMPS database configuration file.
        Command: download vmps
Step 2  Verify the VMPS database configuration file.
        Command: show vmps

Configuring Static VLAN Port Membership

To return a port to static VLAN port membership, perform this task in privileged mode:

Step 1  Configure static port VLAN membership assignment to a port.
        Command: set port membership mod/port static
Step 2  Verify the static port assignments.
        Command: show port [mod[/port]]


This example shows how to return a port to static VLAN port membership:
Console> (enable) set port membership 3/1 static
Port 3/1 vlan assignment set to static.
Console> (enable)

Troubleshooting VMPS and Dynamic Port VLAN Membership
These sections describe how to troubleshoot VMPS and dynamic port VLAN membership:
• Troubleshooting VMPS, page 18-viii
• Troubleshooting Dynamic Port VLAN Membership, page 18-viii

Troubleshooting VMPS
Table 18-2 shows VMPS error messages you might see when you enter the set vmps state enable or the download vmps command.

Table 18-2  VMPS Error Messages

VMPS Error Message:  TFTP server IP address is not configured.
Recommended Action:  Specify the TFTP server address using the set vmps tftpserver ip_addr [filename] command.

VMPS Error Message:  Unable to contact the TFTP server 172.16.254.222.
Recommended Action:  Enter a static route (using the set ip route command) to the TFTP server.

VMPS Error Message:  File “vmps_configuration.db” not found on the TFTP server 172.16.254.222.
Recommended Action:  Check the filename of the VMPS database configuration file on the TFTP server. Make sure the permissions are set correctly.

VMPS Error Message:  Enable failed due to insufficient resources.
Recommended Action:  The switch does not have sufficient resources to run the database. You can fix this problem by increasing the dynamic random-access memory (DRAM).

After VMPS successfully downloads the VMPS database configuration file, it parses the file and builds a database. When the parsing is complete, VMPS outputs statistics about the total number of lines parsed and the number of parsing errors. To obtain more information on VMPS parsing errors, set the syslog level for VMPS to 3 using the set logging level vmps 3 command.

Troubleshooting Dynamic Port VLAN Membership
A dynamic port might shut down under these circumstances:
• VMPS is in secure mode and it is illegal for the host to connect to the port. The port shuts down to prevent the host from connecting to the network.
• More than 50 active hosts reside on a dynamic port.

To reenable a shut-down dynamic port, enter the set port enable mod/port command.


Dynamic Port VLAN Membership with VMPS Configuration Examples
These sections show examples of how to configure VMPS and dynamic ports:
• VMPS Database Configuration File Example, page 18-ix
• Dynamic Port VLAN Membership Configuration Example, page 18-x

VMPS Database Configuration File Example
This example shows a sample VMPS database configuration file. A VMPS database configuration file is an ASCII text file that is stored on a TFTP server accessible to the switch configured as the VMPS server. A summary of the configuration example follows:
• The security mode is open.
• The default is used for the fallback VLAN.
• MAC address-to-VLAN name mappings—The MAC address of each host and the VLAN to which each host belongs is defined.
• Port groups are defined.
• VLAN groups are defined.
• VLAN port policies are defined for the ports associated with restricted VLANs.

!VMPS File Format, version 1.1
! Always begin the configuration file with
! the word “VMPS”
!
!vmps domain <domain-name>
! The VMPS domain must be defined.
!vmps mode {open | secure}
! The default mode is open.
!vmps fallback <vlan-name>
!vmps no-domain-req { allow | deny }
!
! The default value is allow.
vmps domain WBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
!
!MAC Addresses
!
vmps-mac-addrs
!
! address <addr> vlan-name <vlan_name>
!
address 0012.2233.4455 vlan-name hardware
address 0000.6509.a080 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address 1223.5678.9abc vlan-name ExecStaff
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
!


!Port Groups
!
!vmps-port-group <group-name>
! device <device-id> { port <port-name> | all-ports }
!
vmps-port-group WiringCloset1
 device 198.92.30.32 port 3/2
 device 172.20.26.141 port 2/8
vmps-port-group “Executive Row”
 device 198.4.254.222 port 1/2
 device 198.4.254.222 port 1/3
 device 198.4.254.223 all-ports
!
!
!VLAN groups
!
!vmps-vlan-group <group-name>
! vlan-name <vlan-name>
!
vmps-vlan-group Engineering
 vlan-name hardware
 vlan-name software
!
!
!VLAN port Policies
!
!vmps-port-policies {vlan-name <vlan_name> | vlan-group <group-name> }
! { port-group <group-name> | device <device-id> port <port-name> }
!
vmps-port-policies vlan-group Engineering
 port-group WiringCloset1
vmps-port-policies vlan-name Green
 device 198.92.30.32 port 4/8
vmps-port-policies vlan-name Purple
 device 198.4.254.22 port 1/2
 port-group “Executive Row”
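The file format above and the request handling described in “Understanding How VMPS Works”, as an added example that is not Cisco code: a Python parser for the line-based VMPS database (MAC mappings, port groups, VLAN groups and port policies, with bad lines counted as parse errors the way the switch reports them after a download) and a lookup that answers a client request with the VLAN name, an access denied response, or a port shutdown response in secure mode. The sample file is constructed in the chapter's layout; treating the first line as a header rather than an entry is an assumption.

```python
"""VMPS database parser and lookup model (added example, not Cisco code: the sample
file is constructed and the decision rules follow the chapter's prose)."""
import shlex
from dataclasses import dataclass, field

SAMPLE_DB = """\
VMPS
vmps domain WBU
vmps mode open
vmps fallback default
vmps-mac-addrs
address 0012.2233.4455 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address fedc.ba98.7654 vlan-name --NONE--
vmps-port-group WiringCloset1
 device 198.92.30.32 port 3/2
vmps-vlan-group Engineering
 vlan-name hardware
vmps-port-policies vlan-group Engineering
 port-group WiringCloset1
vmps-port-policies vlan-name Green
 device 198.4.254.223 all-ports
"""
ALL_PORTS = "*"  # stands for a device's "all-ports" entry


@dataclass
class VmpsDb:
    domain: str = ""
    mode: str = "open"                               # open | secure
    fallback: str = ""                               # "" = no fallback VLAN configured
    macs: dict = field(default_factory=dict)         # mac -> vlan name (or --NONE--)
    port_groups: dict = field(default_factory=dict)  # group -> {(device, port)}
    vlan_groups: dict = field(default_factory=dict)  # group -> {vlan name}
    restricted: dict = field(default_factory=dict)   # vlan -> {(device, port)} allowed
    errors: list = field(default_factory=list)       # (line number, text) of bad lines


def _device_entry(tok):  # "device <id> port <mod/port>" or "device <id> all-ports"
    if tok[2] == "all-ports":
        return (tok[1], ALL_PORTS)
    if tok[2] != "port" or "-" in tok[3]:            # ranges are not allowed
        raise ValueError(tok)
    return (tok[1], tok[3])


def parse_vmps_db(text: str) -> VmpsDb:
    """Build the tables; a bad line is counted as a parse error, as the switch does."""
    db, section = VmpsDb(), None
    lines = text.splitlines()
    # line 1 must carry the word VMPS (assumption: the header is not itself an entry)
    if not lines or not lines[0].lstrip("!").strip().upper().startswith("VMPS"):
        db.errors.append((1, "file does not begin with the word VMPS"))
    for no, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith("!"):         # blank or comment line
            continue
        tok = shlex.split(line)                      # handles quoted names like "Executive Row"
        try:
            key = tok[0]
            if key == "vmps" and tok[1] in ("domain", "mode", "fallback"):
                setattr(db, tok[1], tok[2])
            elif key == "vmps-mac-addrs":
                section = ("mac",)
            elif key == "address" and section == ("mac",) and tok[2] == "vlan-name":
                db.macs[tok[1].lower()] = tok[3]
            elif key in ("vmps-port-group", "vmps-vlan-group"):
                section = (key, tok[1])
                (db.port_groups if key == "vmps-port-group" else db.vlan_groups).setdefault(tok[1], set())
            elif key == "vlan-name" and section and section[0] == "vmps-vlan-group":
                db.vlan_groups[section[1]].add(tok[1])
            elif key == "vmps-port-policies":        # restrict the VLAN(s) to the ports that follow
                vlans = {tok[2]} if tok[1] == "vlan-name" else set(db.vlan_groups[tok[2]])
                for v in vlans:
                    db.restricted.setdefault(v, set())
                section = ("policy", vlans)
            elif key == "device" and section and section[0] == "vmps-port-group":
                db.port_groups[section[1]].add(_device_entry(tok))
            elif key == "device" and section and section[0] == "policy":
                for v in section[1]:
                    db.restricted[v].add(_device_entry(tok))
            elif key == "port-group" and section and section[0] == "policy":
                for v in section[1]:
                    db.restricted[v] |= db.port_groups[tok[1]]
            else:
                raise ValueError(line)
        except (IndexError, KeyError, ValueError):
            db.errors.append((no, line))
    return db


def vmps_lookup(db: VmpsDb, mac: str, device: str, port: str) -> tuple:
    """One client request: ("vlan", name), ("access-denied", None) or ("port-shutdown", None)."""
    def deny():
        return ("port-shutdown" if db.mode == "secure" else "access-denied", None)
    name = db.macs.get(mac.lower())
    if name is None:                       # unknown host: fallback VLAN, else deny
        return ("vlan", db.fallback) if db.fallback else deny()
    if name == "--NONE--":                 # explicit deny entry
        return deny()
    allowed = db.restricted.get(name)      # restricted VLAN: verify the requesting port
    if allowed is not None and (device, port) not in allowed and (device, ALL_PORTS) not in allowed:
        return deny()
    return ("vlan", name)
```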

Dynamic Port VLAN Membership Configuration Example
Figure 18-1 shows a network with a VMPS server switch and VMPS client switches with dynamic ports. In this example, these assumptions apply:
• The VMPS server and the VMPS client are separate switches.
• Switch 1 is the primary VMPS server.
• Switch 3 and Switch 10 are secondary VMPS servers.
• End stations are connected to these clients:
  – Switch 2
  – Switch 9
• The database configuration file is called Bldg-G.db and is stored on a TFTP server with IP address 172.20.22.7.


Figure 18-1  Dynamic Port VLAN Membership Configuration

[Figure not reproduced. It shows Catalyst 6500 series and Catalyst 6000 switches on one Ethernet segment: Switch 1 (172.20.26.150), primary VMPS server 1, with Switch 2 (172.20.26.151) as a client connected to End station 1 on port 3/1; Switch 3 (172.20.26.152), secondary VMPS server 2; Switches 4 through 8 (172.20.26.153 through 172.20.26.157); Switch 9 (172.20.26.158) as a client connected to End station 2; Switch 10 (172.20.26.159), secondary VMPS server 3; and the TFTP server at 172.20.22.7.]


Use this procedure to configure VMPS and dynamic ports:

Step 1  Configure Switch 1 as the primary VMPS server.
  a. Configure the IP address of the TFTP server on which the ASCII file resides:
     Console> (enable) set vmps tftpserver 172.20.22.7 Bldg-G.db
  b. Enable VMPS:
     Console> (enable) set vmps state enable
  After entering these commands, the file Bldg-G.db is downloaded to Switch 1. Switch 1 becomes the VMPS server.

Step 2  Configure the VMPS server addresses on each VMPS client.
  a. Configure the primary VMPS server IP address:
     Console> (enable) set vmps server 172.20.26.150 primary
  b. Configure the secondary VMPS server IP addresses:
     Console> (enable) set vmps server 172.20.26.152
     Console> (enable) set vmps server 172.20.26.159
  c. Verify the VMPS server addresses:
     Console> (enable) show vmps server

Step 3  Configure port 3/1 on Switch 2 as dynamic.
     Console> (enable) set port membership 3/1 dynamic

Step 4  Connect End Station 2 on port 3/1. When End Station 2 sends a packet, Switch 2 sends a query to the primary VMPS server, Switch 1. Switch 1 responds with the VLAN to assign to port 3/1. Because spanning tree PortFast mode is enabled by default on dynamic ports, port 3/1 connects immediately and enters forwarding mode.

Step 5  Repeat Steps 2 and 3 to configure the VMPS server addresses and assign dynamic ports on each VMPS client switch.

Dynamic Port VLAN Membership with Auxiliary VLANs

Note  This feature requires software release 6.2(1) or later releases.

This section describes how to configure a dynamic port to belong to two VLANs—a native VLAN and an auxiliary VLAN. This section uses the following terminology:
• Auxiliary VLAN—Separate VLAN for IP phones
• Native VLAN—Traditional VLAN for data
• Auxiliary VLAN ID—VLAN ID of an auxiliary VLAN
• Native VLAN ID—VLAN ID of a native VLAN


Prior to software release 6.2(1), dynamic ports could only belong to one VLAN. You could not enable the dynamic port VLAN feature on ports that carried a native VLAN and an auxiliary VLAN. With software release 6.2(1) and later releases, the dynamic ports can belong to two VLANs. The switch port configured for connecting an IP phone can have separate VLANs configured for carrying:
• Voice traffic to and from the IP phone (auxiliary VLAN)
• Data traffic to and from the PC connected to the switch through the access port of the IP phone (native VLAN)

These sections include configuration guidelines and examples:
• Configuration Guidelines, page 18-xiii
• Configuring Dynamic Port VLAN Membership with Auxiliary VLANs, page 18-xiii

Note  For detailed information on auxiliary VLANs and Cisco voice-over-IP networks, see Chapter 44, “Configuring a VoIP Network.”

Configuration Guidelines
These guidelines and restrictions apply to configuring dynamic port VLAN membership for auxiliary VLANs:
• Configuration of the native VLAN ID is dynamic for the PC connected to the access port of the IP phone. Configuration of the auxiliary VLAN ID is not dynamic; you need to configure it manually.
• As the auxiliary VLAN ID is manually configured, the VMPS server is queried for packets coming from the PC, not for packets coming from the IP phone. All packets except Cisco Discovery Protocol (CDP) packets from the IP phone are tagged with the auxiliary VLAN ID. All packets tagged with the auxiliary VLAN ID are considered to be packets from the phone and all other packets are considered to be packets from the PC.
• When configuring the auxiliary VLAN ID with 802.1p or untagged frames, you need to configure the VMPS server with the IP phone’s MAC address (see the “Dynamic Port VLAN Membership with VMPS Configuration Examples” section on page 18-ix for information on configuring VMPS).
• For dynamic ports, the auxiliary VLAN ID cannot be the same as the native VLAN ID assigned by VMPS for the dynamic port.
• See the “Dynamic Port VLAN Membership and VMPS Configuration Guidelines” section on page 18-iii prior to configuring any port.

Configuring Dynamic Port VLAN Membership with Auxiliary VLANs
This example shows how to add voice ports to auxiliary VLANs and specify an encapsulation type:
Console> (enable) set port auxiliaryvlan 5/9 222
Auxiliaryvlan 222 configuration successful.
AuxiliaryVlan AuxVlanStatus Mod/Ports
------------- ------------- -------------------------
222           active        5/9
Console> (enable)


Console> (enable) set port auxiliaryvlan 5/9 dot1p
Port 5/9 allows the connected device send and receive packets with 802.1p priority.
Console> (enable)

This example shows how to specify port 5/9 as a dynamic port:
Console> (enable) set port membership 5/9 dynamic
Warning: Auxiliary Vlan set to dot1p|untagged on dynamic port. VMPS will be queried for IP phones.
Port 5/9 vlan assignment set to dynamic.
Spantree port fast start option enabled for ports 5/9.
Console> (enable)

This example shows that the auxiliary VLAN ID specified cannot be the same as the native VLAN ID:
Console> (enable) set port auxiliaryvlan 5/10 223
Auxiliary vlan cannot be set to 223 as PVID=223.
Console> (enable)


Chapter 19  Checking Port Status and Connectivity
This chapter describes how to check switch port status and connectivity on the Catalyst 6000 family switches.

Note  For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:
• Checking Module Status, page 19-i
• Checking Port Status, page 19-ii
• Checking Port Capabilities, page 19-iv
• Using Telnet, page 19-iv
• Using Secure Shell Encryption for Telnet Sessions, page 19-v
• Monitoring User Sessions, page 19-vi
• Using Ping, page 19-vii
• Using Layer 2 Traceroute, page 19-ix
• Using IP Traceroute, page 19-x

Checking Module Status
Catalyst 6000 family switches are multimodule systems. You can see what modules are installed, as well as the MAC address ranges and version numbers for each module, using the show module [mod] command. Specify a particular module number to see detailed information on that module. This example shows how to check module status. The output shows that there is one supervisor engine and four additional modules installed in the chassis.


Console> (enable) show module
Mod Slot Ports Module-Type               Model               Status
--- ---- ----- ------------------------- ------------------- --------
1   1    2     1000BaseX Supervisor      WS-X6K-SUP1-2GE     ok
2   2    24    100BaseFX MM Ethernet     WS-X6224-100FX-MT   ok
3   3    8     1000BaseX Ethernet        WS-X6408-GBIC       ok
4   4    48    10/100BaseTX (Telco)      WS-X6248-TEL        ok
5   5    48    10/100BaseTX (RJ-45)      WS-X6248-RJ-45      ok

Mod Module-Name         Serial-Num
--- ------------------- -----------
1                       SAD03040546
2                       SAD03110020
3                       SAD03070194
4                       SAD03140787
5                       SAD03181291

Mod MAC-Address(es)                        Hw     Fw         Sw
--- -------------------------------------- ------ ---------- -----------------
1   00-50-f0-a8-26-b2 to 00-50-f0-a8-26-b3 1.4    5.1(1)     5.2(1)CSX
    00-50-f0-a8-26-b0 to 00-50-f0-a8-26-b1
    00-50-3e-8d-64-00 to 00-50-3e-8d-67-ff
2   00-50-54-6c-e9-a8 to 00-50-54-6c-e9-bf 1.3    4.2(0.24)V 5.2(1)CSX
3   00-50-54-6c-93-6c to 00-50-54-6c-93-73 1.4    4.2(0.24)V 5.2(1)CSX
4   00-50-54-bf-59-64 to 00-50-54-bf-59-93 0.103  4.2(0.24)V 5.2(1)CSX
5   00-50-f0-ac-30-54 to 00-50-f0-ac-30-83 1.0    4.2(0.24)V 5.2(1)CSX

Mod Sub-Type                Sub-Model           Sub-Serial  Sub-Hw
--- ----------------------- ------------------- ----------- ------
1   L2 Switching Engine I   WS-F6020            SAD03040312 1.0
Console> (enable)

This example shows how to check module status on a specific module:
Console> (enable) show module 4
Mod Slot Ports Module-Type               Model               Status
--- ---- ----- ------------------------- ------------------- --------
4   4    48    10/100BaseTX (Telco)      WS-X6248-TEL        ok

Mod Module-Name         Serial-Num
--- ------------------- -----------
4                       SAD03140787

Mod MAC-Address(es)                        Hw     Fw         Sw
--- -------------------------------------- ------ ---------- -----------------
4   00-50-54-bf-59-64 to 00-50-54-bf-59-93 0.103  4.2(0.24)V 5.2(1)CSX
Console> (enable)

Checking Port Status
You can see summary or detailed information on the switch ports using the show port [mod[/port]] command. To see summary information on all of the ports on the switch, enter the show port command with no arguments. Specify a particular module number to see information on the ports on that module only. Enter both the module number and the port number to see detailed information about the specified port. To apply configuration commands to a particular port, you must specify the appropriate logical module. For more information, see the “Checking Module Status” section on page 19-i.


This example shows how to see information on the ports on a specific module only:
Console> (enable) show port 1
Port  Name               Status     Vlan       Duplex Speed Type
----- ------------------ ---------- ---------- ------ ----- ------------
1/1                      connected  1          full   1000  1000BaseSX
1/2                      notconnect 1          full   1000  1000BaseSX

Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
1/1   disabled                                     No       disabled 3
1/2   disabled                                     No       disabled 4

Port     Broadcast-Limit Broadcast-Drop
-------- --------------- --------------------
1/1                      0
1/2                      0

Port  Send FlowControl  Receive FlowControl  RxPause    TxPause
      admin    oper     admin    oper
----- -------- -------- -------- --------    ---------- ----------
1/1   desired  off      off      off         0          0
1/2   desired  off      off      off         0          0

Port  Status     Channel    Admin Ch  Neighbor                            Neighbor
                 Mode       Group Id  Device                              Port
----- ---------- ---------- ----- --- ----------------------------------- ----
1/1   connected  auto       65    0
1/2   notconnect auto       65    0

Port  Align-Err  FCS-Err    Xmit-Err   Rcv-Err    UnderSize
----- ---------- ---------- ---------- ---------- ---------
1/1   0          0          0          0          0
1/2   0          0          0          0          0

Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts     Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
1/1   0          0          0          0          0         0         0
1/2   0          0          0          0          0         0         0

Last-Time-Cleared
--------------------------
Tue Jun 8 1999, 10:01:35
Console> (enable)

This example shows how to see information on an individual port:
Console> (enable) show port 1/1
Port  Name               Status     Vlan       Duplex Speed Type
----- ------------------ ---------- ---------- ------ ----- ------------
1/1                      connected  1          full   1000  1000BaseSX

Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
1/1   disabled                                     No       disabled 3

Port     Broadcast-Limit Broadcast-Drop
-------- --------------- --------------------
1/1                      0

Port  Send FlowControl  Receive FlowControl  RxPause    TxPause
      admin    oper     admin    oper
----- -------- -------- -------- --------    ---------- ----------
1/1   desired  off      off      off         0          0

Port  Status     Channel    Admin Ch  Neighbor                            Neighbor
                 Mode       Group Id  Device                              Port
----- ---------- ---------- ----- --- ----------------------------------- ----
1/1   connected  auto       65    0

Port  Align-Err  FCS-Err    Xmit-Err   Rcv-Err    UnderSize
----- ---------- ---------- ---------- ---------- ---------
1/1   0          0          0          0          0

Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts     Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
1/1   0          0          0          0          0         0         0

Last-Time-Cleared
--------------------------
Tue Jun 8 1999, 10:01:35
Console> (enable)

Checking Port Capabilities
You can display the capabilities of any port in a switch using the show port capabilities [[mod][/port]] command. This example shows you how to display the port capabilities for switch ports:
Console> (enable) show port capabilities 1/1
Model                    WS-X6K-SUP1A-2GE
Port                     1/1
Type                     No Connector
Speed                    1000
Duplex                   full
Trunk encap type         802.1Q,ISL
Trunk mode               on,off,desirable,auto,nonegotiate
Channel                  yes
Broadcast suppression    percentage(0-100)
Flow control             receive-(off,on,desired),send-(off,on,desired)
Security                 yes
Membership               static,dynamic
Fast start               yes
QOS scheduling           rx-(1p1q4t),tx-(1p2q2t)
CoS rewrite              yes
ToS rewrite              DSCP
UDLD                     yes
Inline power             no
AuxiliaryVlan            no
SPAN                     source,destination
COPS port group          1/1-2
Console> (enable)

Using Telnet
You can access the switch command-line interface (CLI) using Telnet. In addition, you can use Telnet from the switch to access other devices in the network. Up to eight simultaneous Telnet sessions are possible.


To Telnet to another device on the network from the switch, perform this task in privileged mode:

Task: Open a Telnet session with a remote host.
      Command: telnet host [port]

This example shows how to Telnet from the switch to a remote host:
Console> (enable) telnet labsparc
Trying 172.16.10.3...
Connected to labsparc.
Escape character is '^]'.

UNIX(r) System V Release 4.0 (labsparc)

login:

Using Secure Shell Encryption for Telnet Sessions
Note

To use the Secure Shell encryption feature commands, you must be running an encryption image. The set crypto key rsa, clear crypto key rsa, and show crypto key commands are used for encryption. See Chapter 25, “Working with System Software Images” for the software image naming conventions used for the encryption images. The Secure Shell encryption feature provides security for Telnet sessions to the switch. Secure Shell encryption is supported for remote logins to the switch only. Telnet sessions initiated from the switch cannot be encrypted. To use this feature, you must install the application on the client accessing the switch, and you must configure Secure Shell encryption on the switch. The current implementation of Secure Shell encryption supports SSH version 1, the DES and 3DES encryption methods, and can be used with RADIUS and TACACS+ authentication. To configure authentication with Secure Shell encryption, use the telnet keyword in the set authentication commands.

Note

If you are using Kerberos to authenticate to the switch, you will not be able to use the Secure Shell encryption feature. To enable Secure Shell encryption on the switch, perform this task in privileged mode: Task Create the RSA host key. Command set crypto key rsa nbits [force]

This example shows how to create the RSA host key:

Console> (enable) set crypto key rsa 1024
Generating RSA keys.... [OK]
Console> (enable)


The nbits value specifies the RSA key size. The valid key size range is 512 to 2048 bits. A larger key size provides higher security but takes longer to generate. You can enter the optional force keyword to regenerate the keys and suppress the warning prompt about overwriting existing keys.

Monitoring User Sessions

You can display the currently active user sessions on the switch using the show users command. The command output displays all active console port and Telnet sessions on the switch. To display the active user sessions on the switch, perform this task in privileged mode:

Task                                                         Command
Display the currently active user sessions on the switch.    show users [noalias]

This example shows the output of the show users command when local authentication is enabled for console and Telnet sessions (the asterisk [*] indicates the current session):

Console> (enable) show users
Session  User             Location
-------- ---------------- -------------------------
console
telnet                    sam-pc.bigcorp.com
* telnet                  jake-mac.bigcorp.com
Console> (enable)

This example shows the output of the show users command when TACACS+ authentication is enabled for console and Telnet sessions:

Console> (enable) show users
Session  User             Location
-------- ---------------- -------------------------
console  sam
telnet   jake             jake-mac.bigcorp.com
telnet   tim              tim-nt.bigcorp.com
* telnet suzy             suzy-pc.bigcorp.com
Console> (enable)

This example shows how to display information about user sessions using the noalias keyword to display the IP addresses of connected hosts:

Console> (enable) show users noalias
Session  User             Location
-------- ---------------- -------------------------
console
telnet                    10.10.10.12
* telnet                  10.10.20.46
Console> (enable)

To disconnect an active user session, perform this task in privileged mode:

Task                                                 Command
Disconnect an active user session on the switch.     disconnect {console | ip_addr}


This example shows how to disconnect an active console port session and an active Telnet session:

Console> (enable) show users
Session  User             Location
-------- ---------------- -------------------------
console  sam
telnet   jake             jake-mac.bigcorp.com
telnet   tim              tim-nt.bigcorp.com
* telnet suzy             suzy-pc.bigcorp.com
Console> (enable) disconnect console
Console session disconnected.
Console> (enable) disconnect tim-nt.bigcorp.com
Telnet session from tim-nt.bigcorp.com disconnected. (1)
Console> (enable) show users
Session  User             Location
-------- ---------------- -------------------------
telnet   jake             jake-mac.bigcorp.com
* telnet suzy             suzy-pc.bigcorp.com
Console> (enable)
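As an added example (not Cisco code and not part of this guide), the following Python parses show users output like the listings above into session records, taking the column boundaries from the dashed separator row so that empty User and Location cells are preserved, and derives the disconnect commands for Telnet sessions that do not come from an allowed set of hosts. The two sample listings embedded in the code are constructed from the examples in this section.

```python
"""Parse CatOS `show users` output and derive `disconnect` commands.

Added example, not Cisco code.  Assumes the fixed-width layout shown in this
chapter: a header row, a dashed separator row, one row per session, and a
leading '*' on the row of the session that issued the command.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: `show users` with TACACS+ authentication, so the User
# column is populated; the console session has no Location.
SHOW_USERS_TACACS = """\
Console> (enable) show users
Session  User             Location
-------- ---------------- -------------------------
console  sam
telnet   jake             jake-mac.bigcorp.com
telnet   tim              tim-nt.bigcorp.com
* telnet suzy             suzy-pc.bigcorp.com
Console> (enable)
"""

# Constructed sample: `show users noalias` with local authentication, so the
# User column is empty and Location holds IP addresses instead of DNS names.
SHOW_USERS_NOALIAS = """\
Console> (enable) show users noalias
Session  User             Location
-------- ---------------- -------------------------
console
telnet                    10.10.10.12
* telnet                  10.10.20.46
Console> (enable)
"""


@dataclass
class Session:
    kind: str                # "console" or "telnet"
    user: Optional[str]      # None when local authentication leaves it blank
    location: Optional[str]  # DNS name, or IP address with `noalias`
    current: bool            # True for the row marked with '*'


def parse_show_users(text: str) -> List[Session]:
    """Return one Session per row of the table in `text`.

    Column boundaries come from the dashed separator line, so empty cells
    (console sessions, local authentication) survive instead of being
    collapsed by whitespace splitting.
    """
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        if line.strip() and re.fullmatch(r"[- ]+", line):
            starts = [m.start() for m in re.finditer(r"-+", line)]
            body = lines[idx + 1:]
            break
    else:
        raise ValueError("no column separator line in show users output")
    bounds = list(zip(starts, starts[1:] + [None]))

    sessions: List[Session] = []
    for row in body:
        # Session rows begin with the session type, optionally preceded by
        # '*'; anything else (the prompt, a blank line) ends the table.
        if not re.match(r"(\*\s*)?(console|telnet)\b", row):
            break
        cells = [row[a:b].strip() for a, b in bounds]
        kind_cell, user, location = cells[:3]
        sessions.append(Session(
            kind=kind_cell.lstrip("* ").strip(),
            user=user or None,
            location=location or None,
            current=kind_cell.startswith("*"),
        ))
    return sessions


def disconnect_commands(sessions: Iterable[Session],
                        allowed_locations: Iterable[str]) -> List[str]:
    """Build `disconnect` commands for Telnet sessions whose Location is not
    in the allowed set.  The current session is never disconnected and the
    console is left alone; `disconnect console` is a deliberate act.
    """
    allowed = set(allowed_locations)
    return [
        f"disconnect {s.location}"
        for s in sessions
        if s.kind == "telnet" and not s.current and s.location not in allowed
    ]
```

With the TACACS+ sample and jake-mac.bigcorp.com as the only allowed host, disconnect_commands returns ["disconnect tim-nt.bigcorp.com"], matching the command issued in the example above.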

Using Ping

These sections describe how to use IP ping:
• Understanding How Ping Works, page 19-vii
• Executing Ping, page 19-viii

Understanding How Ping Works

You can use IP ping to test connectivity to remote hosts. If you attempt to ping a host in a different IP subnetwork, you must define a static route to the network or configure a router to route between those subnets. The ping command is configurable from normal executive and privileged executive mode. In normal executive mode, the ping command supports the -s parameter, which allows you to specify the packet size and packet count. In privileged executive mode, the ping command lets you specify the packet size, packet count, and the wait time. Table 19-1 shows the default values that apply to the ping and ping -s commands.

Table 19-1 Ping Default Values

Description   Number of Packets    Packet Size   Wait Time   Source Address
Ping          5                    56            2           Host IP Address
Ping -s       0=continuous ping    56            2           N/A

To stop a ping in progress, press Ctrl-C.


Ping returns one of the following responses:
• Normal response—The normal response (hostname is alive) occurs in 1 to 10 seconds, depending on network traffic.
• Destination does not respond—If the host does not respond, a no answer message is returned.
• Unknown host—If the host does not exist, an unknown host message is returned.
• Destination unreachable—If the default gateway cannot reach the specified network, a destination unreachable message is returned.
• Network or host unreachable—If there is no entry in the route table for the host or network, a network or host unreachable message is returned.

Executing Ping

To ping another device on the network from the switch, perform one of these tasks in normal or privileged mode:

Task                                            Command
Ping a remote host.                             ping host
Ping a remote host using ping options.          ping -s host [packet_size] [packet_count]

This example shows how to ping a remote host from normal executive mode:

Console> ping labsparc
labsparc is alive
Console> ping 72.16.10.3
12.16.10.3 is alive
Console>

This example shows how to ping a remote host using the ping -s option:

Console> ping -s 12.20.5.3 800 10
PING 12.20.2.3: 800 data bytes
808 bytes from 12.20.2.3: icmp_seq=0. time=2 ms
808 bytes from 12.20.2.3: icmp_seq=1. time=3 ms
808 bytes from 12.20.2.3: icmp_seq=2. time=2 ms
808 bytes from 12.20.2.3: icmp_seq=3. time=2 ms
808 bytes from 12.20.2.3: icmp_seq=4. time=2 ms
808 bytes from 12.20.2.3: icmp_seq=5. time=2 ms
808 bytes from 12.20.2.3: icmp_seq=6. time=2 ms
808 bytes from 12.20.2.3: icmp_seq=7. time=2 ms
808 bytes from 12.20.2.3: icmp_seq=8. time=2 ms
808 bytes from 12.20.2.3: icmp_seq=9. time=3 ms

----17.20.2.3 PING Statistics----
10 packets transmitted, 10 packets received, 0% packet loss
round-trip (ms) min/avg/max = 2/2/3
Console>


This example shows how to enter a ping command in privileged mode specifying the number of packets, the packet size, and the timeout period:

Console> (enable) ping
Target IP Address []: 12.20.2.19
Number of Packets [5]: 10
Datagram Size [56]: 100
Timeout in seconds [2]: 10
Source IP Address [12.20.2.18]: 12.20.2.18
!!!!!!!!!!
----12.20.2.19 PING Statistics----
10 packets transmitted, 10 packets received, 0% packet loss
round-trip (ms) min/avg/max = 1/1/1
Console> (enable)

Using Layer 2 Traceroute

The Layer 2 Traceroute utility allows you to identify the physical path that a packet will take when going from a source to a destination. The Layer 2 Traceroute utility determines the path by looking at the forwarding engine tables of the switches in the path. Information is displayed about all Catalyst 6000 family switches that are in the path from the source to the destination.

These sections describe how to use Layer 2 Traceroute:
• Layer 2 Traceroute Usage Guidelines, page 19-ix
• Identifying a Layer 2 Path, page 19-x

Layer 2 Traceroute Usage Guidelines

Follow these guidelines for using the Layer 2 Traceroute utility:
• You must enable CDP on all of the Catalyst 5000 and 6000 family switches in the network. (See Chapter 29, “Configuring CDP” for information about enabling CDP.) If any devices in the path are transparent to CDP, l2trace will not be able to trace the Layer 2 path through those devices.
• All switches in the path must be reachable from each other.
• You can use this utility from a switch that is not in the Layer 2 path between the source and the destination; however, all of the switches in the path, including the source and destination, must be reachable from the switch.
• The Layer 2 Traceroute utility works for unicast traffic only.
• The maximum number of hops an l2trace query will try is 10; this includes hops involved in source tracing.
• The source and destination switches must belong in the same VLAN. If the source and destination belong to multiple VLANs and you specify MAC addresses, you can also specify a VLAN.
• You can trace a Layer 2 path by specifying the source and destination IP addresses (or IP aliases) or the MAC addresses.
• The Layer 2 Traceroute utility does not work with Token Ring VLANs, when multiple devices are attached to one port through hubs, or when multiple neighbors are on a port.

Identifying a Layer 2 Path

To identify a Layer 2 path, perform one of these tasks in privileged mode:

Task                                                                  Command
(Optional) Trace a Layer 2 path using MAC addresses.                  l2trace {src-mac-addr} {dest-mac-addr} [vlan] [detail]
(Optional) Trace a Layer 2 path using IP addresses or IP aliases.     l2trace {src-ip-addr} {dest-ip-addr} [detail]

For each Catalyst 5000 and 6000 family switch found in the path, the output shows the device type, device name, device IP address, in port name, in port speed, in port duplex mode, out port name, out port speed, and out port duplex mode.

This example shows the source and destination MAC addresses specified, with no VLAN specified, and the detail option specified:

Console> (enable) l2trace 00-01-22-33-44-55 10-22-33-44-55-66 detail
l2trace vlan number is 10.
00-01-22-33-44-55 found in C5500 named wiring-1 on port 4/1 10Mb half duplex
C5500:wiring-1:192.168.242.10:4/1 10Mb half duplex -> 5/2 100MB full duplex
C5000:backup-wiring-1:192.168.242.20:1/1 100Mb full duplex -> 3/1 100MB full duplex
C5000:backup-core-1:192.168.242.30:4/1 100 MB full duplex -> 1/1 100MB full duplex
C6000:core-1:192.168.242.40:1/1 100MB full duplex -> 2/1 10MB half duplex.
10-22-33-44-55-66 found in C6000 named core-1 on port 2/1 10MB half duplex.

Using IP Traceroute

The IP Traceroute utility allows you to identify the path that packets take through the network at Layer 3 on a hop-by-hop basis. The command output displays all network layer (Layer 3) devices, such as routers, that the traffic passes through on the way to the destination.

These sections describe how to use IP Traceroute:
• Understanding How IP Traceroute Works, page 19-x
• Executing IP Traceroute, page 19-xi

Understanding How IP Traceroute Works

The traceroute command uses the Time To Live (TTL) field in the IP header to cause routers and servers to generate specific return messages. Traceroute starts by sending a User Datagram Protocol (UDP) datagram to the destination host with the TTL field set to 1. If a router finds a TTL value of 1 or 0, it drops the datagram and sends back an Internet Control Message Protocol (ICMP) time-exceeded message to the sender. The traceroute facility determines the address of the first hop by examining the source address field of the ICMP time-exceeded message.

To identify the next hop, traceroute sends a UDP packet with a TTL value of 2. The first router decrements the TTL field by 1 and sends the datagram to the next router. The second router sees a TTL value of 1, discards the datagram, and returns the time-exceeded message to the source. This process continues until the TTL is incremented to a value large enough for the datagram to reach the destination host (or until the maximum TTL is reached).

To determine when a datagram reaches its destination, traceroute sets the UDP destination port in the datagram to a very large value which the destination host is unlikely to be using. When a host receives a datagram with an unrecognized port number, it sends an ICMP port unreachable error to the source. This message indicates to the traceroute facility that it has reached the destination.

Switches can participate as the source or destination of the traceroute command but will not appear as a hop in the traceroute command output.

Executing IP Traceroute

To trace the path that packets take through the network, perform this task in privileged mode:

Task
Execute IP traceroute to trace the Layer 3 path that packets take through the network.
Command
traceroute [-n] [-w wait_time] [-i initial_ttl] [-m max_ttl] [-p dest_port] [-q nqueries] [-t tos] host [data_size]

This example shows how to use the traceroute command:

Console> (enable) traceroute 10.1.1.100
traceroute to 10.1.1.100 (10.1.1.100), 30 hops max, 40 byte packets
 1  10.1.1.1 (10.1.1.1)  1 ms  2 ms  1 ms
 2  10.1.1.100 (10.1.1.100)  2 ms  2 ms  2 ms
Console> (enable)

This example shows how to perform a traceroute with six queries to each hop with packets of 1400 bytes each:

Console> (enable) traceroute -q 6 10.1.1.100 1400
traceroute to 10.1.1.100 (10.1.1.100), 30 hops max, 1440 byte packets
 1  10.1.1.1 (10.1.1.1)  2 ms  2 ms  2 ms  1 ms  2 ms  2 ms
 2  10.1.1.100 (10.1.1.100)  2 ms  4 ms  3 ms  3 ms  3 ms  3 ms
Console> (enable)
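The exchange described in Understanding How IP Traceroute Works, as an added example that is not part of this guide: a small Python simulation in which routers decrement TTL and return ICMP time-exceeded, the destination answers port-unreachable, a Layer 2 switch forwards without touching TTL, and a traceroute loop turns those replies into the hop list. The topology and all addresses except the first-hop router 10.1.1.1 are constructed; the router that sends no ICMP and the host listening on UDP port 53 are assumptions added to show the '*' case and why a high destination port is used.

```python
"""Simulate the TTL and ICMP exchange that IP traceroute relies on.

Added example, not Cisco code.  The topology and all addresses except the
first-hop router 10.1.1.1 from the output above are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Probe:          # UDP datagram emitted by traceroute
    src: str
    dst: str
    ttl: int
    dport: int


@dataclass
class Icmp:           # ICMP error returned towards the probe's source
    sender: str       # address of the device that generated the message
    kind: str         # "time-exceeded" or "port-unreachable"


@dataclass
class Node:
    addr: str
    kind: str                                  # "host", "router" or "switch"
    next_hop: Optional[str] = None             # where this node forwards to
    open_ports: FrozenSet[int] = frozenset()   # UDP listeners (hosts only)
    silent: bool = False                       # router that never sends ICMP


class Network:
    def __init__(self, nodes: List[Node]) -> None:
        self.nodes = {n.addr: n for n in nodes}

    def send(self, probe: Probe) -> Optional[Icmp]:
        """Carry a probe hop by hop and return the ICMP message the source
        receives, or None if the datagram was dropped without a reply."""
        ttl = probe.ttl
        cur = self.nodes[probe.src].next_hop
        while cur is not None:
            node = self.nodes[cur]
            if node.kind == "switch":
                # Layer 2 forwarding leaves the IP TTL untouched, which is
                # why switches never appear as a hop.
                cur = node.next_hop
                continue
            if node.kind == "host":
                if probe.dport in node.open_ports:
                    return None            # a listener consumed it: no error
                return Icmp(node.addr, "port-unreachable")
            # Router: a datagram arriving with TTL 1 or 0 is discarded and
            # answered with time-exceeded; otherwise TTL is decremented.
            if ttl <= 1:
                return None if node.silent else Icmp(node.addr, "time-exceeded")
            ttl -= 1
            cur = node.next_hop
        return None


def traceroute(net: Network, src: str, dst: str, max_ttl: int = 30,
               nqueries: int = 3, base_port: int = 33434
               ) -> List[Tuple[int, Optional[str]]]:
    """Return [(ttl, responder)] per hop, None where every query timed out.

    Probes go out with TTL 1, 2, ...; each hop's address is the sender of
    the ICMP time-exceeded message, and the trace ends when the destination
    answers port-unreachable or max_ttl is reached.  The UDP port is raised
    by one per probe, as classic traceroute does.
    """
    hops: List[Tuple[int, Optional[str]]] = []
    port = base_port
    for ttl in range(1, max_ttl + 1):
        responder: Optional[str] = None
        reached = False
        for _ in range(nqueries):
            reply = net.send(Probe(src, dst, ttl, port))
            port += 1
            if reply is None:
                continue               # shown as '*' by the real command
            responder = reply.sender
            if reply.kind == "port-unreachable" and reply.sender == dst:
                reached = True
        hops.append((ttl, responder))
        if reached:
            break
    return hops


# Constructed topology: the switch's sc0 (10.1.1.5) sits behind a Layer 2
# switch, then router 10.1.1.1, then a router that filters ICMP (its hop
# shows as '*'), then the destination host, which listens on UDP port 53.
LAB = Network([
    Node("10.1.1.5", "host", next_hop="sw-core"),
    Node("sw-core", "switch", next_hop="10.1.1.1"),
    Node("10.1.1.1", "router", next_hop="10.9.9.1"),
    Node("10.9.9.1", "router", next_hop="10.9.9.100", silent=True),
    Node("10.9.9.100", "host", open_ports=frozenset({53})),
])
```

traceroute(LAB, "10.1.1.5", "10.9.9.100") returns [(1, "10.1.1.1"), (2, None), (3, "10.9.9.100")]; a probe sent to port 53 instead is consumed by the listener and produces no port-unreachable, which is why the real command picks a port the destination is unlikely to use.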


CHAPTER 20

Administering the Switch

This chapter describes how to perform various administrative tasks on the Catalyst 6000 family switches.

Note
For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:
• Setting the System Name and System Prompt, page 20-i
• Setting the System Contact and Location, page 20-iii
• Setting the System Clock, page 20-iv
• Creating a Login Banner, page 20-iv
• Defining Command Aliases, page 20-v
• Defining IP Aliases, page 20-vi
• Configuring Static Routes, page 20-vii
• Configuring Permanent and Static ARP Entries, page 20-viii
• Scheduling a System Reset, page 20-ix
• Power Management, page 20-xi
• Environmental Monitoring, page 20-xvi
• Displaying System Status Information for Technical Support, page 20-xvii

Setting the System Name and System Prompt

The system name on the switch is a user-configurable string used to identify the device. The default configuration has no system name configured. If you do not manually configure a system name, the system name is obtained through the Domain Name System (DNS) if you configure the switch as follows:
• Assign the sc0 interface an IP address that is mapped to the switch name on the DNS server
• Enable DNS on the switch
• Specify at least one valid DNS server on the switch

If the DNS lookup is successful, the DNS host name of the switch is configured as the system name of the switch and is saved in NVRAM (the domain name is removed). The switch performs a DNS lookup for the system name whenever one of the following occurs:
• The switch is initialized (power on or reset)
• You configure the IP address on the sc0 interface using the command-line interface (CLI) or Simple Network Management Protocol (SNMP)
• You configure a route using the set ip route command
• You clear the system name using the set system name command
• You enable DNS or specify DNS servers

If the system name is user configured, no DNS lookup is performed.

If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt (a greater-than symbol [>] is appended). The prompt is updated whenever the system name changes, unless you manually configure the prompt using the set prompt command.

Setting the Static System Name and Prompt

These sections describe how to set the static system name and prompt:
• Setting the Static System Name, page 20-ii
• Setting the Static System Prompt, page 20-iii
• Clearing the System Name, page 20-iii

Setting the Static System Name

To set a static system name, perform this task in privileged mode:

Task                               Command
Set the static system name.        set system name name_string

Note
When you set the system name, the system name is used as the system prompt. You can override the prompt string with the set prompt command.

This example shows how to configure the system name on the switch:

Console> (enable) set system name Catalyst 6000
System name set.
Catalyst 6000> (enable)

Setting the Static System Prompt

To set the static system prompt, perform this task in privileged mode:

Task                                 Command
Set the static system prompt.        set prompt prompt_string

This example shows how to set the static system prompt on the switch:

Console> (enable) set prompt Catalyst6509>
Catalyst6509> (enable)

Clearing the System Name

To clear the system name, perform this task in privileged mode:

Task                         Command
Clear the system name.       set system name

This example shows how to clear the system name:

Console> (enable) set system name
System name cleared.
Console> (enable)

Setting the System Contact and Location

You can set the system contact and location to help you with resource management tasks. To set the system contact and location, perform this task in privileged mode:

Task                                             Command
Step 1  Set the system contact.                  set system contact [contact_string]
Step 2  Set the system location.                 set system location [location_string]
Step 3  Verify the global system information.    show system

This example shows how to set the system contact and location and verify the configuration:

Catalyst 6000> (enable) set system contact sysadmin@corp.com
System contact set.
Catalyst 6000> (enable) set system location Sunnyvale CA
System location set.
Catalyst 6000> (enable) show system
PS1-Status PS2-Status Fan-Status Temp-Alarm Sys-Status Uptime d,h:m:s Logout
---------- ---------- ---------- ---------- ---------- -------------- ---------
ok         none       ok         off        ok         0,04:04:07     20 min

PS1-Type PS2-Type Modem   Baud  Traffic Peak Peak-Time
-------- -------- ------- ----- ------- ---- -------------------------
other    none     disable 9600  0%      0%   Tue Jun 23 1998, 16:51:36

System Name              System Location          System Contact
------------------------ ------------------------ ------------------------
Catalyst 6000            Sunnyvale CA             sysadmin@corp.com
Catalyst 6000> (enable)

Setting the System Clock

Note
You can configure the switch to obtain the time and date using the Network Time Protocol (NTP). For information on configuring NTP, see Chapter 31, “Configuring NTP.”

To set the system clock, perform this task in privileged mode:

Task                                         Command
Step 1  Set the system clock.                set time [day_of_week] [mm/dd/yy] [hh:mm:ss]
Step 2  Display the current date and time.   show time

This example shows how to set the system clock and display the current date and time:

Console> (enable) set time Mon 06/15/98 12:30:00
Mon Jun 15 1998, 12:30:00
Console> (enable) show time
Mon Jun 15 1998, 12:30:02
Console> (enable)

Creating a Login Banner

You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. The first character following the motd keyword is used to delimit the beginning and end of the banner text. After entering the ending delimiter, press Return. Characters following the ending delimiter are discarded. The banner must be fewer than 3070 characters.

These sections describe how to configure and clear a login banner:
• Configuring a Login Banner, page 20-v
• Clearing the Login Banner, page 20-v

Configuring a Login Banner

To configure a login banner, perform this task in privileged mode:

Task                                                                            Command
Step 1  Enter the message of the day.                                           set banner motd c message_of_the_day c
Step 2  Display the login banner by logging out and logging back into the switch.

This example shows how to configure the login banner on the switch using the # symbol as the beginning and ending delimiter:

Console> (enable) set banner motd # Welcome to the Catalyst 6000 Switch! Unauthorized access prohibited. Contact sysadmin@corp.com for access. #
MOTD banner set
Console> (enable)

Clearing the Login Banner

To clear the login banner, perform this task in privileged mode:

Task                               Command
Clear the message of the day.      set banner motd cc

This example shows how to clear the login banner:

Console> (enable) set banner motd ##
MOTD banner cleared
Console> (enable)

Defining Command Aliases

You can use the set alias command to define command aliases (shorthand versions of commands) for frequently used or long and complex commands. Command aliases can save you time and can help prevent typing errors when you are configuring or monitoring the switch. The name argument defines the command alias. The command and parameter arguments define the command to enter when the command alias is entered at the command line.

To define a command alias on the switch, perform this task in privileged mode:

Task                                                      Command
Step 1  Define a command alias on the switch.             set alias name command [parameter] [parameter]
Step 2  Verify the currently defined command aliases.     show alias [name]

This example shows how to define two command aliases, sm8 and sp8. sm8 issues the show module 8 command, and sp8 issues the show port 8 command. This example also shows how to verify the currently defined command aliases and what happens when you enter the command aliases at the command line:

Console> (enable) set alias sm8 show module 8
Command alias added.
Console> (enable) set alias sp8 show port 8
Command alias added.
Console> (enable) show alias
sm8      show module 8
sp8      show port 8
Console> (enable) sm8
Mod Module-Name         Ports Module-Type           Model    Serial-Num Status
--- ------------------- ----- --------------------- -------- ---------- ------
8                       2     DS3 Dual PHY ATM      WS-X5166 007243262  ok

Mod MAC-Address(es)                       Hw     Fw         Sw
--- ------------------------------------- ------ ---------- ----------------
8   00-60-2f-45-26-2f                     2.0    1.3        51.1(103)
Console> (enable) sp8
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 8/1                     notconnect trunk      normal full   45    DS3 ATM
 8/2                     notconnect trunk      normal full   45    DS3 ATM

Port  ifIndex
----- -------
 8/1  285
 8/2  286

Use 'session' command to see ATM counters.

Last-Time-Cleared
--------------------------
Thu Sep 10 1998, 16:56:08
Console> (enable)

Defining IP Aliases

You can use the set ip alias command to define textual aliases for IP addresses, even when DNS is not enabled. IP aliases can make it easier to refer to other network devices when using ping, telnet, and other commands. The name argument defines the IP alias. The ip_addr argument defines the IP address to which the name refers.

To define an IP alias on the switch, perform this task in privileged mode:

Task                                              Command
Step 1  Define an IP alias on the switch.         set ip alias name ip_addr
Step 2  Verify the currently defined IP aliases.  show ip alias [name]

This example shows how to define two IP aliases, sparc and cat6509. sparc refers to IP address 172.20.52.3, and cat6509 refers to IP address 172.20.52.71. This example also shows how to verify the currently defined IP aliases and what happens when you use the IP aliases with the ping command:

Console> (enable) set ip alias sparc 172.20.52.3
IP alias added.
Console> (enable) set ip alias cat6509 172.20.52.71
IP alias added.
Console> (enable) show ip alias
default          0.0.0.0
sparc            172.20.52.3
cat6509          172.20.52.71
Console> (enable) ping sparc
sparc is alive
Console> (enable) ping cat6509
cat6509 is alive
Console> (enable)

Configuring Static Routes

Note
For information on configuring a default gateway (default route), see the “Configuring Default Gateways” section on page 3-6.

In some situations, you might need to add a static routing table entry for one or more destination networks. The switch does not use the IP routing table to forward traffic from connected devices, only IP traffic generated by the switch itself (for example, Telnet, TFTP, and ping). The switch forwards IP traffic generated by the switch using the longest address match in the IP routing table.

Static route entries consist of the destination IP network address, the IP address of the next hop router, and the metric (hop count) for the route. The destination IP network address can be variably subnetted to support Classless Interdomain Routing (CIDR). You can specify the subnet mask (netmask) for a destination network using the number of subnet bits or using the subnet mask in dotted decimal format. If no subnet mask is specified, the default (classful) mask is used.

To configure a static route, perform this task in privileged mode:

Task                                                                              Command
Step 1  Configure a static route to the remote network.                           set ip route destination[/netmask] gateway [metric]
Step 2  Verify that the static route appears correctly in the IP routing table.   show ip route

This example shows how to configure a static route on the switch and how to verify that the route is configured properly in the routing table:

Console> (enable) set ip route 172.16.0.0/20 172.20.52.127
Route added.
Console> (enable) show ip route
Fragmentation   Redirect   Unreachable
-------------   --------   -----------
enabled         enabled    enabled

The primary gateway: 172.20.52.121
Destination     Gateway         RouteMask   Flags  Use      Interface
--------------- --------------- ----------  -----  -------  ---------
172.16.0.0      172.20.52.127   0xfffff000  UG     0        sc0
default         172.20.52.121   0x0         UG     0        sc0
172.20.52.120   172.20.52.124   0xfffffff8  U      1        sc0
default         default         0xff000000  UH     0        sl0
Console> (enable)

Configuring Permanent and Static ARP Entries

To enable your Catalyst LAN switch to communicate with devices that do not respond to Address Resolution Protocol (ARP) requests, you can configure a static or permanent ARP entry that maps the IP addresses of those devices to their MAC addresses. Because most hosts support dynamic resolution, you usually do not need to specify static or permanent ARP cache entries. When a device does not respond to ARP requests, you can configure an ARP entry to be statically or permanently entered into the ARP cache so that those devices can still be reached.

You can configure an ARP entry so that it does not age out by configuring it as either static or permanent. When you configure a static ARP entry using the set arp static command, the entry is removed from the ARP cache after a system reset. When you configure a permanent ARP entry by using the set arp permanent command, the ARP entry is retained even after a system reset.

To configure a static or permanent ARP entry, perform this task in privileged mode:

Task                                                  Command
Step 1  Configure a static or permanent ARP entry.    set arp [dynamic | permanent | static] {ip_addr hw_addr}
Step 2  (Optional) Specify the ARP aging time.        set arp agingtime seconds
Step 3  Verify the ARP configuration.                 show arp

This example shows how to define a static ARP entry:

Console> (enable) set arp static 20.1.1.1 00-80-1c-93-80-40
Static ARP entry added as 20.1.1.1 at 00-80-1c-93-80-40 on vlan 1
Console> (enable)

This example shows how to define a permanent ARP entry:

Console> (enable) set arp permanent 10.1.1.1 00-80-1c-93-80-60
Permanent ARP entry added as 10.1.1.1 at 00-80-1c-93-80-60 on vlan 1
Console> (enable)

This example shows how to set the ARP aging time:

Console> (enable) set arp agingtime 300
ARP aging time set to 300 seconds.
Console> (enable)
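The longest-match lookup described in the Configuring Static Routes section and the aging and reset rules for static and permanent ARP entries described above, as one added Python example that is not part of this guide. It assumes the destination argument of set ip route is a prefix length, a dotted-decimal mask, a bare network (classful default) or the keyword default; the routes, ARP entries and aging time come from the examples in these two sections, while the timestamps are constructed.

```python
"""Longest-match route lookup and ARP cache aging/reset behaviour.

Added example, not Cisco code.  It models the rules stated in the
Configuring Static Routes and Configuring Permanent and Static ARP Entries
sections; the timestamps passed as `now` are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


def parse_destination(spec: str) -> IPv4Net:
    """Interpret the destination[/netmask] argument of `set ip route`.

    The mask may be a prefix length (172.16.0.0/20) or dotted decimal
    (172.16.0.0/255.255.240.0); with no mask the classful default applies,
    and "default" means 0.0.0.0/0 as shown in `show ip route`.
    """
    if spec == "default":
        return IPv4Net("0.0.0.0/0")
    if "/" in spec:
        return IPv4Net(spec, strict=False)
    first_octet = int(spec.split(".")[0])
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return IPv4Net((spec, prefix), strict=False)


class RoutingTable:
    """Static routes as installed with `set ip route destination gateway`."""

    def __init__(self) -> None:
        self.routes: List[Tuple[IPv4Net, str, int]] = []

    def set_ip_route(self, destination: str, gateway: str, metric: int = 1) -> None:
        self.routes.append((parse_destination(destination), gateway, metric))

    def lookup(self, dst: str) -> Optional[str]:
        """Gateway for dst by longest address match.  Only traffic the
        switch itself originates is looked up here; transit traffic from
        connected devices never consults this table."""
        ip = ipaddress.IPv4Address(dst)
        best: Optional[Tuple[IPv4Net, str]] = None
        for net, gateway, _metric in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gateway)
        return best[1] if best else None


class ArpCache:
    """ARP cache holding dynamic, static and permanent entries."""

    def __init__(self, agingtime: int) -> None:
        self.agingtime = agingtime                      # set arp agingtime
        self.entries: Dict[str, Tuple[str, str, float]] = {}  # ip -> (mac, kind, added)

    def set_arp(self, kind: str, ip: str, mac: str, now: float) -> None:
        if kind not in ("dynamic", "static", "permanent"):
            raise ValueError(f"unknown ARP entry kind: {kind}")
        self.entries[ip] = (mac, kind, now)

    def expire(self, now: float) -> None:
        """Only dynamic entries age out; static and permanent never do."""
        self.entries = {ip: e for ip, e in self.entries.items()
                        if e[1] != "dynamic" or now - e[2] < self.agingtime}

    def reset(self) -> None:
        """System reset: static entries are lost, permanent ones survive."""
        self.entries = {ip: e for ip, e in self.entries.items()
                        if e[1] == "permanent"}

    def resolve(self, ip: str) -> Optional[str]:
        entry = self.entries.get(ip)
        return entry[0] if entry else None


def next_hop(table: RoutingTable, arp: ArpCache,
             dst: str) -> Tuple[Optional[str], Optional[str]]:
    """(gateway, gateway MAC) the switch would use for its own packet to dst;
    the MAC is None when the gateway is not (or no longer) in the cache."""
    gateway = table.lookup(dst)
    return gateway, (arp.resolve(gateway) if gateway else None)
```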

This example shows how to display the ARP cache:

Console> (enable) show arp
ARP Aging time = 300 sec
+ - Permanent Arp Entries
* - Static Arp Entries
+ 10.1.1.1 at 00-80-1c-93-80-60 on vlan 1
172.20.52.1 at 00-60-5c-86-5b-28 port 8/1 on vlan 1
* 20.1.1.1 at 00-80-1c-93-80-40 port 8/1 on vlan 1
Console> (enable)

To clear ARP entries, perform this task in privileged mode:

Task                                                     Command
Step 1  Clear a dynamic, static, or permanent ARP entry. clear arp [dynamic | permanent | static] {ip_addr hw_addr}
Step 2  Verify the ARP configuration.                    show arp

This example shows how to clear all permanent ARP entries and verify the configuration:

Console> (enable) clear arp permanent
Permanent ARP entries cleared.
Console> (enable) show arp
ARP Aging time = 300 sec
+ - Permanent Arp Entries
* - Static Arp Entries
172.20.52.1 at 00-60-5c-86-5b-28 port 8/1 on vlan 1
* 20.1.1.1 at 00-80-1c-93-80-40 port 8/1 on vlan 1
Console> (enable)

Scheduling a System Reset

These sections describe how to schedule a system reset:
• Scheduling a Reset at a Specific Time, page 20-x
• Scheduling a Reset Within a Specified Amount of Time, page 20-x

You can use the schedule reset command to schedule a system to reset at a future time. This feature allows you to upgrade software during business hours and schedule the system upgrade after business hours to avoid a major impact on users. You can also use the schedule reset feature when trying out new features on a switch. To avoid misconfiguration or the possibility of losing network connectivity to the device, you can set up the startup configuration feature and schedule a reset to occur in 30 minutes. You can then change the configuration, and if connectivity is lost, the system will reset in 30 minutes and return to the previous configuration.

Scheduling a Reset at a Specific Time

You can specify an absolute time and date at which the reset should take place with the reset at command. Entering the month and day argument with this command is optional. If you do not specify the month and day, the reset will take place on the current day if the time specified is later than the current time. If the time scheduled for reset is earlier than the current time, the reset will take place on the following day.

Note The maximum scheduled reset time is 24 days.

If the clock is advanced ahead of the scheduled reset time, the reset will take place 5 minutes after the current time. For instance, if the current system time is 9:00 a.m. and reset is scheduled in one hour, the scheduled reset will take place at 10:00 a.m. If you or NTP advances the system clock to 10:00 a.m., the reset will take place at 11:00 a.m.

To schedule a reset at a specific time, perform this task in privileged mode:

  Task                                              Command
  Step 1  Schedule the reset time at a specific time.   reset [mindown] at {hh:mm} [mm/dd] [reason]
  Step 2  Verify the scheduled reset.                   show reset

Note The minimum downtime argument is valid only if the system has a standby supervisor engine.

This example shows how to schedule a reset at a specific time:

  Console> (enable) reset at 20:00
  Reset scheduled at 20:00:00, Wed Aug 18 1999 (in 0 day 8 hours 39 minutes).
  Proceed with scheduled reset? (y/n) [n]? y
  Reset scheduled for 20:00:00, Wed Aug 18 1999.
  Console> (enable)

This example shows how to schedule a reset at a specific time and include a reason for the reset:

  Console> (enable) reset at 23:00 8/18 Software upgrade to 5.3(1).
  Reset scheduled at 23:00:00, Wed Aug 18 1999 (in 0 day 5 hours 40 minutes).
  Reset reason: Software upgrade to 5.3(1).
  Proceed with scheduled reset? (y/n) [n]? y
  Reset scheduled for 23:00:00, Wed Aug 18 1999.
  Reset reason: Software upgrade to 5.3(1).
  Console> (enable)

This example shows how to schedule a reset with a minimum downtime:

  Console> (enable) reset mindown at 23:00 8/18 Software upgrade to 5.3(1).
  Reset scheduled at 23:00:00, Wed Aug 18 1999 (in 0 day 5 hours 40 minutes).
  Reset reason: Software upgrade to 5.3(1).
  Proceed with scheduled reset? (y/n) [n]? y
  Reset mindown scheduled for 23:00:00, Wed Aug 18 1999.
  Reset reason: Software upgrade to 5.3(1).
  Console> (enable)

Scheduling a Reset Within a Specified Amount of Time

You can schedule a reset within a specified time with the reset in command. To schedule a reset within a specified time, perform this task in privileged mode:

  Task                                                          Command
  Step 1  Schedule the reset time within a specific amount of time.  reset [mindown] in [hh] {mm} [reason]
  Step 2  Verify the scheduled reset.                               show reset

Note The minimum downtime argument is valid only if the system has a standby supervisor engine.

This example shows how to schedule a reset in a specified time:

  Console> (enable) reset in 5:20 Configuration update
  Reset scheduled in 5 hours 20 minutes.
  Reset reason: Configuration update
  Proceed with scheduled reset? (y/n) [n]? y
  Reset scheduled for 19:56:01, Wed Aug 18 1999 (in 5 hours 20 minutes).
  Reset reason: Configuration update
  Console> (enable)

Power Management

This section describes power management in the Catalyst 6000 family switches and includes the following information:
• Enabling or Disabling Power Redundancy, page 20-xi
• Using the CLI to Power Modules Up or Down, page 20-xiii
• Determining System Power Requirements, page 20-xiv

Catalyst 6000 family modules have different power requirements and, depending upon the wattage of the power supply, certain switch configurations might require more power than a single power supply can provide. Although the power management feature allows you to power all installed modules with two power supplies, redundancy is not supported in this configuration. For detailed information on supported power supply configurations for each chassis, refer to the Catalyst 6000 Family Installation Guide.

Note In systems with redundant power supplies, both power supplies must be of the same wattage. The Catalyst 6000 family switches allow you to mix AC-input and DC-input power supplies in the same chassis.

Enabling or Disabling Power Redundancy

Enter the set power redundancy enable | disable command to enable or disable redundancy (redundancy is enabled by default). Redundant and nonredundant power configurations are discussed in the following sections.

With redundancy enabled and two power supplies of equal wattage installed, the total power drawn from both supplies is at no time greater than the capability of one supply. If one supply malfunctions, the other supply can take over the entire system load. When you install and turn on two power supplies of equal wattage, each concurrently provides approximately half of the required power to the system. Load sharing and redundancy are enabled automatically; no software configuration is required.

With redundancy enabled, if you power up the system with two power supplies of unequal wattage, both power supplies come online but a syslog message displays that the lower wattage power supply will be disabled. The system disables the lower wattage power supply. If the active power supply fails, the lower wattage power supply that was disabled comes online and, if necessary, modules are powered down to accommodate the lower wattage power supply.

In a nonredundant configuration, the power available to the system is the combined power capability of both power supplies. The system powers up as many modules as the combined capacity allows. However, if one supply should fail and there is not enough power for all previously powered up modules, the system powers down some modules. These modules are marked as power-deny in the show module Status field.

You can change the configuration of the power supplies to redundant or nonredundant at any time. If you switch from a redundant to a nonredundant configuration, both power supplies are enabled (even a power supply that was disabled because it was of a lower wattage than the other power supply). If you change from a nonredundant to a redundant configuration, both power supplies are initially enabled and, if they are of the same wattage, remain enabled. If they are of different wattage, a syslog message displays and the lower wattage supply is disabled. If there is not enough power for all previously powered-up modules, some modules are powered down and marked as power-deny in the show module Status field.

Table 1 describes how the system responds to changes in the power supply configuration.

Table 20-1 Effects of Power Supply Configuration Changes

Configuration Change: Redundant to nonredundant
Effect:
• System log and syslog messages are generated.
• System power is increased to the combined power capability of both supplies.
• The modules marked as power-deny in the show module Status field are brought up if there is sufficient power.

Configuration Change: Nonredundant to redundant
Effect:
• System log and syslog messages are generated.
• System power is decreased to the power capability of one supply.
• If there is not enough power for all previously powered-up modules, some modules are powered down and marked as power-deny in the show module Status field.

Configuration Change: Equal wattage power supply is inserted with redundancy enabled
Effect:
• System log and syslog messages are generated.
• System power equals the power capability of one supply.
• No change in the module status because the power capability is unchanged.

Configuration Change: Equal wattage power supply is inserted with redundancy disabled
Effect:
• System log and syslog messages are generated.
• System power is the combined power capability of both supplies.
• The modules marked as power-deny in the show module Status field are brought up if there is sufficient power.

Configuration Change: Higher wattage power supply is inserted with redundancy enabled
Effect:
• System log and syslog messages are generated.
• The higher wattage supply powers the system. The system disables the lower wattage power supply.
• System power is the power capability of the larger wattage supply.
• The modules marked as power-deny in the show module Status field are brought up if there is sufficient power.

Configuration Change: Lower wattage power supply is inserted with redundancy enabled
Effect:
• System log and syslog messages are generated.
• The system disables the lower wattage power supply.
• There is no change in the module status because the power capability is unchanged.

Configuration Change: Higher or lower wattage power supply is inserted with redundancy disabled
Effect:
• System log and syslog messages are generated.
• System power is increased to the combined power capability of both supplies.
• The modules marked as power-deny in the show module Status field are brought up if there is sufficient power.

Configuration Change: Power supply is removed with redundancy enabled
Effect:
• System log and syslog messages are generated.
• If the power supplies are of equal wattage, there is no change in the module status. If the power supplies are of unequal wattage and the higher wattage supply is removed, and if there is not enough power for all previously powered-up modules, some modules are powered down and marked as power-deny in the show module Status field. If the power supplies are of unequal wattage and the lower wattage supply is removed, there is no change in the module status.

Configuration Change: Power supply is removed with redundancy disabled
Effect:
• System log and syslog messages are generated.
• System power is decreased to the power capability of one supply.
• If there is not enough power for all previously powered-up modules, some modules are powered down and marked as power-deny in the show module Status field.

Configuration Change: System is booted with power supplies of different wattage installed and redundancy enabled
Effect:
• System log and syslog messages are generated.
• The lower wattage supply is disabled; the higher wattage supply powers the system.

Configuration Change: System is booted with power supplies of equal or different wattage installed and redundancy disabled
Effect:
• System log and syslog messages are generated.
• System power equals the combined power capability of both supplies.
• The system powers up as many modules as the combined capacity allows.

Using the CLI to Power Modules Up or Down

You can power down a properly working module from the command-line interface (CLI) by entering the set module power down mod command. The module is marked as power-down in the show module Status field.

Enter the set module power up mod command to check if adequate power is available in the system to turn the power on for a module that was previously powered down. If not enough power is available, the module status changes from power-down to power-deny.

Determining System Power Requirements

This section describes how to determine the system power requirements for 6-, 9-, and 13-slot chassis. See Table 2 to determine the exact power requirements for your configuration.

Note Enter the show environment power command to display current system power usage.

Table 20-2 Module Power Requirements (the per-module current values did not survive extraction in this copy; only the entries shown with a value are legible)

Module | Power Requirement
Supervisor Engine 1: WS-X6K-SUP1A-2GE, WS-X6K-SUP1-2GE |
Supervisor Engine 1 with PFC: WS-X6K-SUP1A-PFC |
Supervisor Engine 1 with PFC and MSFC: WS-X6K-SUP1A-MSFC |
Supervisor Engine 1 with PFC and MSFC2: WS-X6K-S1A-MSFC2 |
Supervisor Engine 2 with PFC2: WS-X6K-S2-PFC2 |
Supervisor Engine 2 with PFC2 and MSFC2: WS-X6K-S2-MSFC2 |
MSFC2 (spare): WS-F6K-MSFC2= |
Multilayer Switching Module: WS-X6302-MSM |
24-Port 10BASE-FL: WS-X6024-10FL-MT |
Switch Fabric Modules: WS-C6500-SFM, WS-X6500-SFM2 |
24-Port 100FX: WS-X6224-100FX-MT, WS-X6324-100FX-SM, WS-X6324-100FX-MM |
48-Port 10/100TX: WS-X6248-RJ-45, WS-X6248-TEL, WS-X6248A-TEL, WS-X6348-RJ-45, WS-X6548-RJ-45, WS-X6648-PWR |
8-Port Gigabit Ethernet: WS-X6408-GBIC, WS-X6408A-GBIC |
16-Port Gigabit Ethernet: WS-X6416-GBIC, WS-X6416-GE-MT, WS-X6316-GE-TX, WS-X6516-GE-TX |
1-Port OC-12 ATM: WS-X6101-OC12-MMF, WS-X6101-OC12-SMF |
WAN module: WS-X6182-2PA (FlexWAN) | (see footnote 1)
Optical Services Modules: OSM-2OC12-POS-MM, -SI, -SL; OSM-4OC12-POS-MM, -SI, -SL; OSM-8OC3-POS-MM, -SI, -SL; OSM-16OC3-POS-MM, -SI, -SL; OSM-1OC48-POS-SS, -SI, -SL; OSM-4GE-WAN (GBIC) |
Server load balancing: WS-X6066-SLB-APG |
8-Port T1/E1 PSTN Interface: WS-X6608-T1, WS-X6608-E1 |
24-Port FXS Analog Interface: WS-X6624-FXS |
Cisco IP Phone 7960 (when plugged into the WS-X6348-RJ-45 and WS-X6648-PWR modules) | 0.167A (default); 0.120A (after bootup, initialization)

1. Based on the base FlexWAN module power draw plus a worst-case 15W per port adapter, plus margin.

The total power available with the 1000W power supply is 21.46A.
The total power available with the 1300W power supply is 27.50A.
The total power available with the 2500W power supply is 55.40A.
The total power available with the 4000W power supply is 95.70A.

Environmental Monitoring

Environmental monitoring of chassis components provides early warning indications of possible component failure to ensure safe and reliable system operation and avoid network interruptions. This section describes how to monitor these critical system components, enabling you to identify and rapidly correct hardware-related problems in your system. The following sections describe the environmental monitors:
• Environmental Monitoring Using CLI Commands, page 20-xvi
• LED Indications, page 20-xvi

Environmental Monitoring Using CLI Commands

Enter the show test [mod] command to display the errors reported from the diagnostic tests. If there are no errors, PASS is displayed in the Line Card Status field. If you do not specify a module number, test statistics are given for the general system and for the module in slot 1.

Enter the show environment [temperature | all | power] command to display system status information. Keyword descriptions follow:
• temperature—(Optional) Displays temperature information.
• all—(Optional) Displays environmental status (for example, power supply, fan status, and temperature information) and information about the power available to the system.
• power—(Optional) Displays environmental power information.

LED Indications

There are two alarm types, major and minor. Major alarms indicate a critical problem that could lead to the system being shut down. Minor alarms are for informational purposes only, giving you notice of a problem that could turn critical if corrective action is not taken.

When the system has an alarm (major or minor), the alarm is not canceled or any action taken (such as a module reset or shutdown) for 5 minutes. If the temperature falls 5°C (41°F) below the alarm threshold during this period, the alarm is canceled.

Note For additional information on LED indications, refer to the Catalyst 6000 Family Module Installation Guide.

Table 3 lists the environmental indicators for the supervisor engine and switching modules.

Table 20-3 Environmental Monitoring for Supervisor Engine and Switching Modules

Component | Alarm Type | LED Indication | Action
Supervisor engine temperature sensor exceeds major threshold(1) | Major | STATUS LED red(2)(3) | syslog message and SNMP trap generated. If redundancy, system switches to redundant supervisor engine and the active supervisor engine shuts down. If there is no redundancy and the overtemperature condition is not corrected, the system shuts down after 5 minutes.
Supervisor engine temperature sensor exceeds minor threshold | Minor | STATUS LED orange | syslog message and SNMP trap generated. Monitor the condition.
Redundant supervisor engine temperature sensor exceeds major or minor threshold | Major / Minor | STATUS LED red / STATUS LED orange | syslog message and SNMP trap generated. If minor alarm, monitor the condition. If major alarm and the overtemperature condition is not corrected, the system shuts down after 5 minutes.
Switching module temperature sensor exceeds major threshold | Major | STATUS LED red | syslog message and SNMP trap generated. Power down the module(4).
Switching module temperature sensor exceeds minor threshold | Minor | STATUS LED orange | syslog message and SNMP trap generated. Monitor the condition.

1. Temperature sensors monitor key supervisor engine components including daughter cards.
2. A STATUS LED is located on the supervisor engine front panel and all module front panels.
3. The STATUS LED is red on the failed supervisor engine. If there is no redundant supervisor, the SYSTEM LED is red also.
4. See the “Power Management” section on page 20-xi for instructions.

Displaying System Status Information for Technical Support

These sections describe how to display system status information for technical support:
• Generating a System Status Report, page 20-xviii
• Using System Dump Files, page 20-xviii

Generating a System Status Report

Using a single command, you can generate a report that contains status information about your switch. This command is a combination of several show system status commands. The information generated is useful when reporting a problem to Cisco Technical Assistance Center (TAC). You can upload the output of the command to a TFTP server, where you can send it to TAC.

You can use keywords to limit the output to certain areas, such as specific modules, ports, VLANs, and so forth. If you do not specify any keywords, a report for the entire system is generated, so the complete status of the switch will be included in the report.

To generate a report and upload the report to a TFTP server, perform this task in privileged mode:

  Task                                                     Command
  Generate a system status report that you can send to TAC.  write tech-support {host} (unknown) [module mod] [port mod/port] [vlan vlan] [memory] [config]

This example shows a report sent to host 172.20.32.10 to a filename you supply. No keywords are specified.

  Console> (enable) write tech-support 172.20.32.10 tech.txt
  Upload tech-report to tech.txt on 172.20.32.10 (y/n) [n]? y
  /
  Finished network upload. (67784 bytes)
  Console> (enable)

Using System Dump Files

The core dump and the stack dump features generate reports that contain status information about your switch. Send images captured by the core dump or the stack dump to the Cisco TAC for analysis.

Enabling and Disabling the Core Dump

A core dump produces a comprehensive report of images when your system fails due to a software error. This report contains system memory content, including text, code, and stack segments. The core image is produced in Cisco core file format and is stored in the file system. By examining the core dump file, TAC can analyze the error condition of a terminated process.

If the switch has a redundant supervisor engine, the standby supervisor engine takes over automatically before the core dump occurs. The previously active supervisor engine resets itself after the core dump is complete.

Enter the set system core-dump command to enable or disable the core dump feature. To enable or disable the core dump feature, perform this task in privileged mode:

  Task                                     Command
  Enable or disable the core dump feature.   set system core-dump {enable | disable}

3 and 6. this feature will cause a core file to be written out.4 78-13315-02 20-19 . Make sure that you have enough memory available to store the core dump file. (3) Selected core file is slot0:crash. perform this task in normal mode: Task Display the stack dump. perform this task in privileged mode: Task Specify the core image filename. To specify the core image filename. The stack dump is automatic and becomes available when you enter the show log command after you reboot your system. Console> (enable) Displaying the Stack Dump A stack dump provides only the images related to a particular process that has caused the system to fail. Command set system core-file {device:filename} This example shows how to specify the core image filename: Console> (enable) set system core-file slot0:core.hz. To display log information. The default filename is “slot0:crash. An error process will generate a core image that is proportional to the size of the system DRAM. and ready to use Core-dump enabled Console> (enable) This example shows how to disable the core dump feature: Console> (enable) set system core-dump disable Core-dump disabled Console> (enable) The size of the file system depends on the size of your memory card. This image stack is displayed on the console and is also saved in the log area. Command show log Catalyst 6000 Family Software Configuration Guide—Releases 6. (2) Core file generation may take up to 20 minutes.hz System core-file set.hz (4) Please make sure the above device has been installed.” This command automatically checks the validity of the device name that you input. Specifying the Core Image Filename Enter the set system core-file command to specify the core image filename.Chapter 20 Administering the Switch Displaying System Status Information for Technical Support This example shows how to enable the core dump feature: Console> (enable) set system core-dump enable (1) In the event of a system crash.

The following is an example of an image stack that may display after you enter the show log command:

  Breakpoint Exception occurred.
  Software version = 6.2(0.83)
  Process ID #52, Name = Console
  EPC: 807523F4
  Stack content:
  sp+00: 00000000 80A75698 00000005 00000005
  sp+10: BE000A00 00000000 83F84150 801194B8
  sp+20: 80A75698 80A74BC8 80C8DBDC 000006E8
  sp+30: 8006AF30 8006AE98 82040664 00000630
  sp+40: 801AC744 801AC734 80A32488 80A32484
  sp+50: 80A3249C 00000000 00000002 000009E4
  sp+60: 8204067B 82040670 8011812C 81CAFC98
  sp+70: 8011814C 82040670 8011812C 81CAFC98
  sp+80: 00000002 000009E4 80110160 80110088
  sp+90: 82040670 80A71EB4 81F1E9F8 00000004
  sp+A0: 00000000 81F25EAC 81FF5750 00000000
  sp+B0: 00000000 00000000 81F1E314 800840BC
  sp+C0: 0000000B 80084EB0 00000001 8073A358
  sp+D0: 00000003 0000000D 00000000 0000000A
  sp+E0: 00000020 00000000 800831B4 0000001A
  sp+F0: 00000000 00000000 00000000 000D84F0
  Register content:
  Status: 3401FC23 Cause: 00000024
  AT: 81640000 V0: 00000007 V1: 00000007 A0: 00000000
  A1: 80A756A6 A2: 00000011 A3: BE000BD0 T0: BFFFFFFE
  T1: 80000000 T2: 00000000 T3: 00000001 T4: 00000000
  T5: 00000007 T6: 00000000 T7: 00000000 S0: 00000001
  S1: 00000032 S2: 81F1E9F8 S3: 80A74BC8 S4: 80C8DBDC
  S5: 000006E8 S6: 00000000 S7: 00000000 T8: F0D09E3A
  T9: 82940828 K0: 3041C001 K1: 80C73038 GP: 811F39C0
  SP: 83F84010 S8: 83F84010 RA: 807523F4
  HIGH: 00000001 LOW: D5555559 BADVADDR: 7DFF7FFF ERR EPC: 58982466
  GDB: Breakpoint Exception
  GDB: The system has trapped into the debugger.
  GDB: It will hang until examined with gdb.

3 and 6. page 21-iv Understanding How Kerberos Authentication Works. page 21-ix Authentication Example.C H A P T E R 21 Configuring Switch Access Using AAA This chapter describes how to configure authentication. page 21-xlviii Understanding How Authorization Works. refer to the Catalyst 6000 Family Command Reference publication.4 78-13315-02 21-1 . page 21-i Configuring Authentication. This chapter consists of these sections: • • • • • • • • • Understanding How Authentication Works. Note For complete syntax and usage information for the commands used in this chapter. page 21-ii Understanding How TACACS+ Authentication Works. page 21-lii Authorization Example. page 21-iv Understanding How 802. page 21-ii Understanding How Login Authentication Works. and accounting (AAA) to monitor and control access to the command-line interface (CLI) on the Catalyst 6000 family switches. page 21-iii Understanding How RADIUS Authentication Works. authorization. page 21-lix Accounting Example. page 21-lxiii Understanding How Authentication Works These sections describe how the different authentication methods work: • • • • • • • Authentication Overview. page 21-l Configuring Authorization. page 21-vii Catalyst 6000 Family Software Configuration Guide—Releases 6. page 21-ii Understanding How Local Authentication Works. page 21-lvii Configuring Accounting. page 21-lvi Understanding How Accounting Works.1x Authentication Works.

Authentication Overview

You can configure any combination of these authentication methods to control access to the switch:
• Login authentication
• Local authentication
• RADIUS authentication
• TACACS+ authentication
• Kerberos authentication
• 802.1x authentication

Note Kerberos authentication does not work if TACACS+ is used as the authentication method.

You can enable local authentication and one or more of the other authentication methods at the same time. When you enable local authentication with one or more other authentication methods, local authentication is always attempted last. The switch attempts local authentication only if the other authentication methods fail. However, you can specify different authentication methods for console and Telnet connections. For example, you might use local authentication for console connections and RADIUS authentication for Telnet connections.

You can disable local authentication only after enabling one or more of the other authentication methods. However, when local authentication is disabled, if you disable all other authentication methods, local authentication is reenabled automatically.

Understanding How Local Authentication Works

Local authentication uses locally configured login and enable passwords to authenticate login attempts. The login and enable passwords are local to each switch and are not mapped to individual user names. By default, local authentication is enabled.

Understanding How Login Authentication Works

Login authentication increases the security of the system by keeping unauthorized users from guessing the password. The user is limited to a specific number of attempts to successfully log in to the switch. You can enable login authentication access attempts within a range of three (the default) to ten tries. Setting the login authentication to zero (0) disables the login limit checking.

When a user reaches the set limit without successfully logging in, the system delays accesses and captures the user ID and the IP address of the station in the syslog and in the SNMP trap. If a user is locked out at the console, the console does not allow the user to log in during that lockout time. If a user is locked out with a Telnet session, the connection closes when the limit is reached, and any subsequent accesses from that station are closed immediately (with proper notice) by the switch during the lockout time. The lockout time is configurable from the CLI and SNMP. The configurable range is 30 to 600 seconds.

If a user attempts to log in to privileged mode and fails, SNMP traps and syslog messages are generated and the lockout restriction occurs. If the user fails to authorize the password, the system disables execution of the enable command for the lockout period.

Understanding How TACACS+ Authentication Works

TACACS+ controls access to network devices by exchanging Network Access Server (NAS) information between a network device and a centralized database to determine the identity of a user or an entity. TACACS+ is an enhanced version of TACACS, a User Datagram Protocol (UDP)-based access-control protocol specified by RFC 1492. TACACS+ uses TCP to ensure reliable delivery and encrypt all traffic between the TACACS+ server and the TACACS+ daemon on a network device.

TACACS+ works with many authentication types, including fixed password, one-time password, and challenge-response authentication. TACACS+ authentication usually occurs in these instances:
• When you first log on to a machine
• When you request privileged or restricted services
• When you send a service request that requires privileged access

A TACACS+ server can provide authentication, authorization, and accounting functions. These services, while all part of TACACS+, are independent of one another, so a given TACACS+ configuration can use any or all of the three services.

TACACS+ encrypts your user password information using the MD5 encryption algorithm and adds a TACACS+ packet header. This header information identifies the packet type being sent (for example, an authentication packet), the packet sequence number, the encryption type used, and the total packet length. The TACACS+ protocol then forwards the packet to the TACACS+ server.

When the TACACS+ server receives the packet, it does the following:
• Authenticates the user information and notifies the client that authentication has either passed or failed.
• Notifies the client that authentication will continue and that the client must provide additional information. This challenge-response process can continue through multiple iterations until authentication either passes or fails.

You can configure a TACACS+ key on the client and server. If you configure a key on the switch, it must be the same as the one configured on the TACACS+ servers. The TACACS+ clients and servers use the key to encrypt all TACACS+ packets transmitted. If you do not configure a TACACS+ key, packets are not encrypted.

You can configure the following TACACS+ parameters on the switch:
• Enable or disable TACACS+ authentication to determine if a user has permission to access the switch
• Enable or disable TACACS+ authentication to determine if a user has permission to enter privileged mode
• Specify a key used to encrypt the protocol packets
• Specify the server on which the TACACS+ server daemon resides
• Set the number of login attempts allowed
• Set the timeout interval for server daemon response
• Enable or disable the directed-request option

TACACS+ authentication is disabled by default. You can enable TACACS+ authentication and local authentication at the same time. When local authentication is disabled, if you disable all other authentication methods, local authentication is reenabled automatically.

Kerberos encrypts user passwords into the tickets. The KDC issues tickets to validate users and services. it must be the same as the one configured on the RADIUS servers. for more than a few seconds. “Remote Authentication Dial In User Service (RADIUS).3 and 6. You can configure a RADIUS key on the client and server. Kerberos also guards against intruders who might pick up the encrypted tickets from the network. In Kerberos. If you do not configure a RADIUS key. The RADIUS clients and servers use the key to encrypt all RADIUS packets transmitted. local authentication is reenabled automatically. Catalyst 6000 Family Software Configuration Guide—Releases 6. packets are not encrypted. refer to RFC 2138. passwords are not stored on any machine. ensuring that passwords are not sent on the network in clear text. this trusted server is called the key distribution center (KDC). If the standard user password method is used. When local authentication is disabled.Chapter 21 Understanding How Authentication Works Configuring Switch Access Using AAA Understanding How RADIUS Authentication Works RADIUS is a client-server authentication and authorization access protocol used by the NAS to authenticate users attempting to connect to a network device. The NAS functions as a client. The NAS permits or denies network access to a user based on the response it receives from one or more RADIUS servers. You can specify which method to use first using the primary keyword. if you disable all other authentication methods. The key itself is never transmitted over the network. When you use Kerberos. passing user information to one or more RADIUS servers. Understanding How Kerberos Authentication Works Kerberos is a client-server based secret-key network authentication method that uses a trusted Kerberos server to verify secure access to both services and users. 
Note For more information about how the RADIUS protocol operates.” You can configure the following RADIUS parameters on the switch: • • • • • • • Enable or disable RADIUS authentication to control login access Enable or disable RADIUS authentication to control enable access Specify the IP addresses and UDP ports of the RADIUS servers Specify the RADIUS key used to encrypt RADIUS packets Specify the RADIUS server timeout interval Specify the RADIUS retransmit count Specify the RADIUS server deadtime interval RADIUS authentication is disabled by default. other than the Kerberos server. You can enable RADIUS authentication and other authentication methods at the same time. If you configure a key on the client. RADIUS uses UDP for transport between the RADIUS client and server.4 21-4 78-13315-02 . A ticket is a temporary set of electronic credentials that verifies the identity of a client for a particular service. These tickets have a limited life span and can be used in place of the standard user password pair authentication mechanism if a service trusts the Kerberos server that issued the ticket.

Table 21-1 defines the terms used in Kerberos.

Table 21-1 Kerberos Terminology

Kerberized
    Applications and services that have been modified to support the Kerberos credential infrastructure.

Kerberos credential
    General term referring to authentication tickets, such as ticket granting tickets (TGTs) and service credentials. Kerberos credentials verify the ticket of a user or service. If a network service decides to trust the Kerberos server that issued the ticket, the Kerberos credential can be used in place of retyping in a username and password. Credentials have a default life span of eight hours.

Kerberos identity
    (See Kerberos principal.)

Kerberos principal
    (Also known as a Kerberos identity.) The Kerberos principal is who you are or what a service is according to the Kerberos server.

Kerberos realm
    A domain consisting of users, hosts, and network services that are registered to a Kerberos server. The Kerberos server is trusted to verify the identity of a user or network service to another user or network service. Kerberos realms must always be in uppercase characters.

Kerberos server
    A daemon running on a network host. Users and network services register their identity with the Kerberos server. Network services query the Kerberos server to authenticate to other network services.

Key distribution center (KDC)
    A Kerberos server and database program running on a network host that allocates the Kerberos credentials to different users or network services.

Service credential
    A credential for a network service. When issued from the KDC, this credential is encrypted with the password shared by the network service and the KDC and with the user's TGT.

SRVTAB
    A password that a network service shares with the KDC. The network service authenticates an encrypted service credential by using the SRVTAB (also known as a KEYTAB) to decrypt it.

Ticket granting ticket (TGT)
    A credential that the KDC issues to authenticated users. When users receive a TGT, they can authenticate to network services within the Kerberos realm represented by the KDC.

In the Catalyst 6000 family switches, Telnet clients and servers through both the console and in-band management port can be Kerberized.

Note If you are logged in to the console through a modem or a terminal server, you cannot use a Kerberized login procedure.

Note Kerberos authentication does not work if TACACS+ is used as the authentication mechanism.

Using Kerberized Login Procedure

You can use a Kerberized Telnet session if you are logging in through the in-band management port. Figure 21-1 shows the Kerberos Telnet connection process.

Figure 21-1 Kerberized Telnet Connection (host running the Telnet client, Kerberos server containing the KDC, and the Catalyst switch; the numbered arrows 1 through 6 correspond to the steps below)

When the Telnet client and services have been Kerberized, you will follow this process when attempting to Telnet to the switch:

1. The Telnet client asks the user for the username and issues a request for a TGT to the KDC on the Kerberos server. This request contains the user's identity and a message saying that it wants to Telnet to the switch.

2. The KDC creates the TGT, which contains the user's identity, the KDC's identity, and the TGT's expiration time. The KDC then encrypts the TGT with the user's password and sends the TGT to the client.

3. When the Telnet client receives the encrypted TGT, it prompts the user for the password. If the Telnet client can decrypt the TGT with the entered password, the user is successfully authenticated to the KDC.

4. The client then builds a service credential request and sends this to the KDC. This request is encrypted using the TGT. The service credential has the client's identity and the identity of the desired Telnet server.

5. When the KDC successfully decrypts the service credential request with the TGT that it issued to the client, it builds a service credential for the switch. The KDC then encrypts the credential with the password that it shares with the switch's Telnet server, encrypts the resulting packet with the Telnet client's TGT, and sends this packet to the client.

6. The Telnet client decrypts the packet first with its TGT. At this point, the packet is still encrypted with the password that the switch's Telnet server and the KDC share; the client then sends the resulting packet to the switch's Telnet server, which decrypts it with that shared password (its SRVTAB). If decryption is successful, the user is authenticated to the switch. If the Telnet client has been instructed to do so, it forwards the TGT to the switch. This step ensures that the user does not need to get another TGT in order to use another network service from the switch.

Using a Non-Kerberized Login Procedure

If you use a non-Kerberized login procedure to log in to the switch, the switch takes care of authentication to the KDC on behalf of the login client. However, the user password is now transferred in clear text from the login client to the switch. Figure 21-2 shows the non-Kerberized login process.

Note A non-Kerberized login can be performed through a modem or terminal server through the in-band management port. Telnet does not support non-Kerberized login.

If you launch a non-Kerberized login, the following process takes place:

1. The switch prompts you for a username and password.

2. The switch requests a TGT from the KDC so that you can be authenticated to the switch.

3. The KDC sends an encrypted TGT to the switch, which contains your identity, the KDC's identity, and the TGT's expiration time.

4. The switch tries to decrypt the TGT with the password that you entered. If the decryption is successful, you are authenticated to the switch.

5. If you want to access other network services, the KDC must be contacted directly for authentication. To obtain the TGT, you can run the program "kinit," the client software provided with the Kerberos package.

Figure 21-2 Non-Kerberized Telnet Connection (host running the Telnet client, Kerberos server containing the KDC, and the Catalyst switch; the numbered arrows 1 through 3 correspond to the exchange between the switch and the KDC above)

Understanding How 802.1x Authentication Works

IEEE 802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. 802.1x authenticates each user device connected to a switch port before making available any services offered by the switch or the LAN. Until the device is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the device is connected. After authentication is successful, normal traffic can pass through the port.
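The Kerberized login (steps 1 through 6 in "Using Kerberized Login Procedure") and the non-Kerberized login (steps 1 through 5 above), modeled end to end in Python. This is an added example, not Cisco code: a toy authenticated cipher built from HMAC-SHA256 stands in for the DES encryption a real KDC uses, and the realm, principal names, SRVTAB secret and passwords are constructed. What it shows is the trust chain the text describes: the TGT is readable only with the user's password, the service credential only with the switch's SRVTAB, and in the non-Kerberized path the switch holds the clear-text password and does the TGT decryption itself, which also means the KDC hands out the encrypted TGT to whoever asks for it (preauthentication is disabled by default in Table 21-3).

```python
"""Toy model of the Kerberized and non-Kerberized Catalyst login flows (added example)."""
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"        # constructed; Kerberos realms are always uppercase
LIFETIME = 8 * 3600          # default credential life span (Table 21-1)


def derive_key(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()   # stand-in for string-to-key


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC so unseal() fails cleanly with the wrong key instead of returning junk."""
    data, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    def __init__(self, principals: dict):
        self.keys = {p: derive_key(s) for p, s in principals.items()}   # user passwords and SRVTABs
        self.session_keys = {}                                         # session key per issued TGT

    def request_tgt(self, client: str) -> bytes:
        """Step 2: TGT carries client identity, KDC identity, expiry and a session key.
        It is sealed under the user's key; the KDC itself never checks a password."""
        session_key = os.urandom(32).hex()
        self.session_keys[client] = session_key
        tgt = {"client": client, "kdc": f"krbtgt/{REALM}",
               "expires": time.time() + LIFETIME, "session_key": session_key}
        return seal(self.keys[client], tgt)      # KeyError for an unknown principal

    def request_service_credential(self, client: str, sealed_request: bytes) -> bytes:
        """Step 5: only a holder of the TGT session key can make this request."""
        session_key = bytes.fromhex(self.session_keys[client])
        req = unseal(session_key, sealed_request)
        cred = {"client": req["client"], "service": req["service"], "expires": time.time() + LIFETIME}
        inner = seal(self.keys[req["service"]], cred)            # for the switch: its SRVTAB key
        return seal(session_key, {"credential": inner.hex()})   # wrapped again for the client


class SwitchTelnetServer:
    def __init__(self, principal: str, srvtab_secret: str, kdc: KDC):
        self.principal, self.key, self.kdc = principal, derive_key(srvtab_secret), kdc

    def accept_credential(self, blob: bytes) -> str:
        """Step 6, switch side: decrypt with the SRVTAB, check the target service and expiry."""
        cred = unseal(self.key, blob)
        if cred["service"] != self.principal or cred["expires"] < time.time():
            raise ValueError("credential is not for this service or has expired")
        return cred["client"]

    def non_kerberized_login(self, username: str, password: str):
        """Non-Kerberized steps 2 through 4: the password reached the switch in clear text;
        the switch fetches the TGT and tries to decrypt it with that password."""
        try:
            unseal(derive_key(password), self.kdc.request_tgt(username))
        except (ValueError, KeyError):
            return None
        return username


def kerberized_login(kdc: KDC, switch: SwitchTelnetServer, username: str, password: str) -> str:
    """Client side of steps 1 through 6; the password never leaves this function."""
    tgt = unseal(derive_key(password), kdc.request_tgt(username))                # steps 1-3
    session_key = bytes.fromhex(tgt["session_key"])
    req = seal(session_key, {"client": username, "service": switch.principal})   # step 4
    reply = unseal(session_key, kdc.request_service_credential(username, req))  # steps 5-6
    return switch.accept_credential(bytes.fromhex(reply["credential"]))


if __name__ == "__main__":
    kdc = KDC({"alice": "correct horse", "telnet/switch1": "switch1-srvtab"})
    switch = SwitchTelnetServer("telnet/switch1", "switch1-srvtab", kdc)
    print("kerberized login:", kerberized_login(kdc, switch, "alice", "correct horse"))
    print("non-kerberized, wrong password:", switch.non_kerberized_login("alice", "guess"))
```

A wrong password surfaces as a failed decryption in step 3 on the client (Kerberized) or in step 4 on the switch (non-Kerberized); in neither case does the KDC see the password.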

802.1x controls network access by creating two distinct virtual access points at each port. One access point is an uncontrolled port, which is always open; the other is a controlled port. Only EAPOL traffic is allowed to pass through the uncontrolled port. The controlled port is open only when the device connected to the port has been authorized by 802.1x. After this authorization takes place, the controlled port opens, allowing normal traffic to pass. All traffic through the single port is available to both access points. Table 21-2 defines the terms used in 802.1x.

Table 21-2 802.1x Terminology

Authenticator PAE
    (Referred to as the "authenticator") entity at one end of a point-to-point LAN segment that enforces supplicant authentication. It communicates with the supplicant, submits the information from the supplicant to the authentication server, and authorizes the supplicant when instructed to do so by the authentication server. The authenticator is independent of the actual authentication method and functions only as a pass-through for the authentication exchange.

Authentication server
    Entity that provides the authentication service for the authenticator PAE. It checks the credentials of the supplicant PAE and then notifies its client, the authenticator PAE, whether the supplicant PAE is authorized to access the LAN/switch services.

Authorized state
    Status of the port after the supplicant PAE is authorized.

Both
    Bidirectional flow control, incoming and outgoing, at an unauthorized switch port.

Controlled port
    Secured access point.

EAP
    Extensible Authentication Protocol.

EAPOL
    Encapsulated EAP messages that can be handled directly by a LAN MAC service (EAPOL = Extensible Authentication Protocol over LAN).

In
    Flow control only on incoming frames in an unauthorized switch port.

Port
    Single point of attachment to the LAN infrastructure (for example, MAC bridge ports).

PAE
    Protocol object associated with a specific system port (PAE = port access entity).

PDU
    Protocol data unit.

RADIUS
    Remote Authentication Dial-In User Service.

Supplicant PAE
    (Referred to as the "supplicant") entity that requests access to the LAN/switch services and responds to information requests from the authenticator.

Unauthorized state
    Status of the port before the supplicant PAE is authorized.

Uncontrolled port
    Unsecured access point that allows the uncontrolled exchange of PDUs.
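The controlled and uncontrolled access points of Table 21-2, together with the port-control modes and the In/Both traffic control that the switch lets you configure, modeled in Python. This is an added example, not Cisco code: frames are reduced to an EtherType and a direction, and the authentication server is a constructed allow-list standing in for RADIUS. It shows which frames one physical port passes in each state, that the authenticator only relays the server's verdict, and that the Table 21-3 default of Force-Authorized leaves a port open to all traffic until you set it to auto.

```python
"""Model of an 802.1x port with its controlled and uncontrolled access points (added example)."""
from dataclasses import dataclass, field

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
FORCE_AUTHORIZED, FORCE_UNAUTHORIZED, AUTO = "force-authorized", "force-unauthorized", "auto"


@dataclass
class Frame:
    ethertype: int
    direction: str           # "in": from the supplicant; "out": to the supplicant
    identity: str = ""       # EAP-Response/Identity payload, meaningful only for EAPOL


@dataclass
class Dot1xPort:
    port_control: str = FORCE_AUTHORIZED     # Table 21-3 default
    traffic_control: str = "both"            # "both" or "in" (Table 21-2)
    authorized: bool = field(init=False, default=False)   # state of the controlled port
    dropped: list = field(default_factory=list)

    def __post_init__(self):
        # Before any supplicant has spoken, only Force-Authorized opens the controlled port.
        self.authorized = self.port_control == FORCE_AUTHORIZED

    def forward(self, frame: Frame) -> bool:
        """Decide whether the physical port passes this frame."""
        if frame.ethertype == ETHERTYPE_EAPOL:
            return True                       # uncontrolled port: always open for EAPOL
        if self.authorized:
            return True                       # controlled port is open
        if self.traffic_control == "in" and frame.direction == "out":
            return True                       # "in" restricts only incoming frames
        self.dropped.append((frame.ethertype, frame.direction))
        return False

    def authenticate(self, frame: Frame, authent_server) -> bool:
        """Authenticator PAE: relay the supplicant's identity and apply the verdict.
        The authenticator never evaluates the credentials itself."""
        if frame.ethertype != ETHERTYPE_EAPOL:
            return self.authorized             # not an EAPOL exchange; state unchanged
        if self.port_control == AUTO:
            self.authorized = authent_server(frame.identity)
        return self.authorized                 # force-* modes ignore the server entirely

    def reauthenticate(self, authent_server, identity: str) -> bool:
        """Periodic reauthentication: in auto mode a revoked identity loses the port."""
        if self.port_control == AUTO:
            self.authorized = authent_server(identity)
        return self.authorized


def allow_list_server(allowed: set):
    """Constructed stand-in for a RADIUS server answering Access-Accept or Access-Reject."""
    return lambda identity: identity in allowed


if __name__ == "__main__":
    server = allow_list_server({"alice"})
    port = Dot1xPort(port_control=AUTO)
    print("IPv4 before authentication:", port.forward(Frame(ETHERTYPE_IPV4, "in")))
    print("EAPOL before authentication:", port.forward(Frame(ETHERTYPE_EAPOL, "in")))
    print("alice authenticates:", port.authenticate(Frame(ETHERTYPE_EAPOL, "in", "alice"), server))
    print("IPv4 after authentication:", port.forward(Frame(ETHERTYPE_IPV4, "in")))
    print("default (Force-Authorized) port passes IPv4:", Dot1xPort().forward(Frame(ETHERTYPE_IPV4, "in")))
```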

Traffic Control

You can restrict traffic in both directions or just incoming traffic.

Authentication Server

The frames exchanged between the authenticator and the authentication server are dependent on the authentication mechanism, so they are not defined by the 802.1x standard. You can use other protocols, but we recommend RADIUS for authentication, particularly when the authentication server is located remotely, because RADIUS has extensions that support encapsulation of EAP frames built into it.

802.1x Parameters Configurable on the Switch

You can configure these 802.1x parameters on the switch:
• Force-Authorized, Force-Unauthorized, or Automatic 802.1x port control
• Enable or disable multiple hosts on a specific port
• Enable or disable system authentication control
• Specify quiet time interval
• Specify the authenticator to supplicant retransmission time interval
• Specify the back-end authenticator to supplicant retransmission time interval
• Specify the back-end authenticator to authentication server retransmission time interval
• Specify the number of frames retransmitted from the back-end authenticator to supplicant
• Specify the automatic supplicant reauthentication time interval
• Enable or disable automatic supplicant reauthentication

Configuring Authentication

These sections describe how to configure the different authentication methods:
• Authentication Default Configuration, page 21-x
• Authentication Configuration Guidelines, page 21-xi
• Configuring Login Authentication, page 21-xii
• Configuring Local Authentication, page 21-xiii
• Configuring TACACS+ Authentication, page 21-xvii
• Configuring RADIUS Authentication, page 21-xxiii
• Configuring Kerberos Authentication, page 21-xxxi
• Configuring 802.1x Authentication, page 21-xl
• Authentication Example, page 21-xlviii

Authentication Default Configuration

Table 21-3 shows the default authentication configuration.

Table 21-3 Authentication Default Configuration

Feature                                                                          Default Value
Login authentication (console and Telnet)                                        Enabled
Local authentication (console and Telnet)                                        Enabled
TACACS+ login authentication (console and Telnet)                                Disabled
TACACS+ enable authentication (console and Telnet)                               Disabled
TACACS+ key                                                                      None specified
TACACS+ login attempts                                                           3
TACACS+ server timeout                                                           5 seconds
TACACS+ directed request                                                         Disabled
RADIUS login authentication (console and Telnet)                                 Disabled
RADIUS enable authentication (console and Telnet)                                Disabled
RADIUS server IP address                                                         None specified
RADIUS server UDP auth-port                                                      Port 1812
RADIUS key                                                                       None specified
RADIUS server timeout                                                            5 seconds
RADIUS server deadtime                                                           0 (servers not marked dead)
RADIUS retransmit attempts                                                       2 times
Kerberos login authentication (console and Telnet)                               Disabled
Kerberos enable authentication (console and Telnet)                              Disabled
Kerberos server IP address                                                       None specified
Kerberos DES key                                                                 None specified
Kerberos server auth-port                                                        Port 750
Kerberos local-realm name                                                        NULL string
Kerberos credentials forwarding                                                  Disabled
Kerberos clients mandatory                                                       Not mandatory
Kerberos preauthentication                                                       Disabled
802.1x port control                                                              Force-Authorized
802.1x multiple hosts                                                            Disabled
802.1x system authentication control                                             Enable
802.1x quiet period time                                                         60 seconds
802.1x authenticator to supplicant retransmission time                           30 seconds
802.1x back-end authenticator to supplicant retransmission time                  30 seconds
802.1x back-end authenticator to authentication server retransmission time       30 seconds
802.1x number of frames retransmitted from back-end authenticator to supplicant  2
802.1x automatic supplicant reauthentication time                                3600 seconds
802.1x automatic authenticator reauthentication of supplicant                    Disabled

Authentication Configuration Guidelines

Follow these guidelines when configuring authentication on the switch:
• Authentication configuration applies both to console and Telnet connection attempts unless you use the console and telnet keywords to specify the authentication methods to use for each connection type individually.
• You must specify a RADIUS or TACACS+ server before enabling RADIUS or TACACS+ on the switch.
• If you configure a RADIUS or TACACS+ key on the switch, make sure you configure an identical key on the RADIUS or TACACS+ server.
• If you configure multiple RADIUS or TACACS+ servers, the first server configured is the primary server and authentication requests are sent to this server first. You can specify a server as primary by using the primary keyword.
• RADIUS and TACACS+ support one privileged mode only (level 1).
• Kerberos authentication does not work if TACACS+ is also used as an authentication mechanism.
• 802.1x is only supported on Ethernet ports.
• 802.1x will work with other protocols, but we recommend RADIUS, particularly with a remotely located authentication server.
• You cannot enable 802.1x on a trunk port until you turn off the trunking feature on that port. You cannot enable trunking on an 802.1x port.
• You cannot enable 802.1x on a dynamic port until you turn off the DVLAN feature on that port. You cannot enable DVLAN on an 802.1x port.
• You cannot enable 802.1x on a channeling port until you turn off the channeling feature on that port. You cannot enable channeling on an 802.1x port.
• You cannot enable 802.1x on a secure port until you turn off the security feature on that port. You cannot enable security on an 802.1x port.
• You cannot enable 802.1x on a Multiple VLAN Access Port (MVAP) with an auxiliary VLAN ID until you turn off the auxiliary VLAN ID feature on that port. You cannot enable an auxiliary VLAN ID on an 802.1x port.
• You cannot enable 802.1x on a switched port analyzer (SPAN) destination port. You cannot configure SPAN destination on an 802.1x port. However, you can configure an 802.1x port as a SPAN source port.

Configuring Login Authentication

These sections describe how to configure login authentication on the switch:
• Setting Authentication Login Attempts on the Switch, page 21-xii
• Setting Authentication Login Attempts for the Privileged Mode, page 21-xiii

Setting Authentication Login Attempts on the Switch

To set up login authentication on the switch, perform this task in privileged mode:

Step 1  Task: Enable login attempt limits on the switch. Enter the console or telnet keyword if you want the limit to apply only to the console port or only to Telnet connection attempts.
        Command: set authentication login attempt {count} [console | telnet]
Step 2  Task: Enable the login lockout time on the switch. Enter the console or telnet keyword if you want the lockout to apply only to the console port or only to Telnet connection attempts.
        Command: set authentication login lockout {time} [console | telnet]
Step 3  Task: Verify the local authentication configuration.
        Command: show authentication

This example shows how to limit login attempts to five, set the lockout time for both console and Telnet connections to 50 seconds, and verify the configuration:

Console> (enable) set authentication login attempt 5
Login authentication attempts for console and telnet logins set to 5.
Console> (enable) set authentication login lockout 50
Login lockout time for console and telnet logins set to 50.
Console> (enable) show authentication
Login Authentication:     Console Session    Telnet Session    Http Session
---------------------     ---------------    --------------    ------------
tacacs                    disabled           disabled          disabled
radius                    disabled           disabled          disabled
kerberos                  disabled           disabled          disabled
local                     enabled(primary)   enabled(primary)  enabled(primary)
attempt limit             5                  5                 -
lockout timeout (sec)     50                 50                -

Enable Authentication:    Console Session    Telnet Session    Http Session
----------------------    ----------------   ---------------   ------------
tacacs                    disabled           disabled          disabled
radius                    disabled           disabled          disabled
kerberos                  disabled           disabled          disabled
local                     enabled(primary)   enabled(primary)  enabled(primary)
attempt limit             3                  3                 -
lockout timeout (sec)     disabled           disabled          -
Console> (enable)

Setting Authentication Login Attempts for the Privileged Mode

To set up login authentication for privileged mode, perform this task in privileged mode:

Step 1  Task: Enable the login attempt limits for privileged mode. Enter the console or telnet keyword if you want the limit to apply only to the console port or only to Telnet connection attempts.
        Command: set authentication enable attempt {count} [console | telnet]
Step 2  Task: Enable the login lockout time for privileged mode. Enter the console or telnet keyword if you want the lockout to apply only to the console port or only to Telnet connection attempts.
        Command: set authentication enable lockout {time} [console | telnet]
Step 3  Task: Verify the local authentication configuration.
        Command: show authentication

This example shows how to limit enable mode login attempts to five, set the enable mode lockout time for both console and Telnet connections to 50 seconds, and verify the configuration:

Console> (enable) set authentication enable attempt 5
Enable mode authentication attempts for console and telnet logins set to 5.
Console> (enable) set authentication enable lockout 50
Enable mode lockout time for console and telnet logins set to 50.
Console> (enable) show authentication
Login Authentication:     Console Session    Telnet Session    Http Session
---------------------     ---------------    --------------    ------------
tacacs                    disabled           disabled          disabled
radius                    disabled           disabled          disabled
kerberos                  disabled           disabled          disabled
local                     enabled(primary)   enabled(primary)  enabled(primary)
attempt limit             5                  5                 -
lockout timeout (sec)     50                 50                -

Enable Authentication:    Console Session    Telnet Session    Http Session
----------------------    ----------------   ---------------   ------------
tacacs                    disabled           disabled          disabled
radius                    disabled           disabled          disabled
kerberos                  disabled           disabled          disabled
local                     enabled(primary)   enabled(primary)  enabled(primary)
attempt limit             5                  5                 -
lockout timeout (sec)     50                 50                -
Console> (enable)

Configuring Local Authentication

These sections describe how to configure local authentication on the switch:
• Enabling Local Authentication, page 21-xiv
• Setting the Login Password, page 21-xiv
• Setting the Enable Password, page 21-xv
• Disabling Local Authentication, page 21-xv
• Recovering a Lost Password, page 21-xvi

Enabling Local Authentication

Note Local login and enable authentication are enabled for both console and Telnet connections by default. You do not need to perform this task unless you want to modify the default configuration or you have disabled local authentication.

To enable local authentication on the switch, perform this task in privileged mode:

Step 1  Task: Enable local login authentication on the switch. Enter the console or telnet keyword if you want to enable local authentication only for console port or Telnet connection attempts.
        Command: set authentication login local enable [all | console | http | telnet]
Step 2  Task: Enable local enable authentication on the switch. Enter the console or telnet keyword if you want to enable local authentication only for console port or Telnet connection attempts.
        Command: set authentication enable local enable [all | console | http | telnet]
Step 3  Task: Verify the local authentication configuration.
        Command: show authentication

This example shows how to enable local login, how to enable authentication for both console and Telnet connections, and how to verify the configuration:

Console> (enable) set authentication login local enable
local login authentication set to enable for console and telnet session.
Console> (enable) set authentication enable local enable
local enable authentication set to enable for console and telnet session.
Console> (enable) show authentication
Login Authentication:     Console Session    Telnet Session
---------------------     ---------------    --------------
tacacs                    disabled           disabled
radius                    disabled           disabled
kerberos                  disabled           disabled
local                     enabled(primary)   enabled(primary)

Enable Authentication:    Console Session    Telnet Session
----------------------    ----------------   ---------------
tacacs                    disabled           disabled
radius                    disabled           disabled
kerberos                  disabled           disabled
local                     enabled(primary)   enabled(primary)
Console> (enable)

Setting the Login Password

The login password controls access to the user mode CLI. Passwords are case sensitive, contain up to 30 characters, including a space, and use any printable character.

Note Passwords set in releases prior to software release 5.4 remain non-case sensitive. You must reset the password after installing software release 5.4 to activate case sensitivity.

To set the login password for local authentication, perform this task in privileged mode:

Task: Set the login password for access. Enter your old password (press Return on a switch with no password configured), enter your new password, and reenter your new password.
Command: set password

This example shows how to set the login password on the switch:

Console> (enable) set password
Enter old password: <old_password>
Enter new password: <new_password>
Retype new password: <new_password>
Password changed.
Console> (enable)

Setting the Enable Password

The enable password controls access to the privileged mode CLI. Passwords are case sensitive, contain up to 30 characters, including a space, and use any printable character.

Note Passwords set in releases prior to software release 5.4 remain non-case sensitive. You must reset the password after installing software release 5.4 to activate case sensitivity.

To set the enable password for local authentication, perform this task in privileged mode:

Task: Set the password for privileged mode. Enter your old password (press Return on a switch with no password configured), enter your new password, and reenter your new password.
Command: set enablepass

This example shows how to set the enable password on the switch:

Console> (enable) set enablepass
Enter old password: <old_password>
Enter new password: <new_password>
Retype new password: <new_password>
Password changed.
Console> (enable)

Disabling Local Authentication

Caution Make sure that RADIUS or TACACS+ authentication is configured and operating correctly before disabling local login or enable authentication. If you disable local authentication and RADIUS or TACACS+ is not configured correctly, or if the RADIUS or TACACS+ server is not online, you may be unable to log in to the switch.

To disable local authentication on the switch, perform this task in privileged mode:

Step 1  Task: Disable local login authentication on the switch. Enter the console or telnet keyword if you want to disable local authentication only for console port or Telnet connection attempts.
        Command: set authentication login local disable [all | console | http | telnet]
Step 2  Task: Disable local enable authentication on the switch. Enter the console or telnet keyword if you want to disable local authentication only for console port or Telnet connection attempts.
        Command: set authentication enable local disable [all | console | http | telnet]
Step 3  Task: Verify the local authentication configuration.
        Command: show authentication

Note You must have either RADIUS or TACACS+ authentication enabled before you disable local authentication.

This example shows how to disable local login and enable authentication for both console and Telnet connections (RADIUS has already been enabled as the primary method) and how to verify the configuration:

Console> (enable) set authentication login local disable
local login authentication set to disable for console and telnet session.
Console> (enable) set authentication enable local disable
local enable authentication set to disable for console and telnet session.
Console> (enable) show authentication
Login Authentication:     Console Session    Telnet Session
---------------------     ---------------    --------------
tacacs                    disabled           disabled
radius                    enabled(primary)   enabled(primary)
kerberos                  disabled           disabled
local                     disabled           disabled

Enable Authentication:    Console Session    Telnet Session
----------------------    ----------------   ---------------
tacacs                    disabled           disabled
radius                    enabled(primary)   enabled(primary)
kerberos                  disabled           disabled
local                     disabled           disabled
Console> (enable)

Recovering a Lost Password

Use the following procedure to recover a lost local authentication password. You cannot recover the password if you are connected through a Telnet connection. If you lost both the login and enable passwords, repeat the process for each password. You must complete Steps 3 through 7 within 30 seconds of a power cycle or the recovery will fail.

To recover a lost password, perform the following task in privileged mode:

Step 1  Connect to the switch through the supervisor engine console port.
Step 2  Enter the reset system command to reboot the switch.

Step 3  At the "Enter Password" prompt, press Return. (The login password is null for 30 seconds when you are connected to the console port.)
Step 4  Enter privileged mode using the enable command.
Step 5  At the "Enter Password" prompt, press Return. (The enable password is null for 30 seconds when you are connected to the console port.)
Step 6  Enter the set password or set enablepass command, as appropriate.
Step 7  When prompted for your old password, press Return.
Step 8  Enter and confirm your new password.

Configuring TACACS+ Authentication

These sections describe how to configure TACACS+ authentication on the switch:
• Specifying TACACS+ Servers, page 21-xvii
• Enabling TACACS+ Authentication, page 21-xviii
• Specifying the TACACS+ Key, page 21-xix
• Specifying the TACACS+ Timeout Interval, page 21-xix
• Specifying the TACACS+ Login Attempts, page 21-xx
• Enabling TACACS+ Directed Request, page 21-xxi
• Disabling TACACS+ Directed Request, page 21-xxi
• Clearing TACACS+ Servers, page 21-xxii
• Clearing the TACACS+ Key, page 21-xxii
• Disabling TACACS+ Authentication, page 21-xxiii

Specifying TACACS+ Servers

Specify one or more TACACS+ servers before you enable TACACS+ authentication on the switch. The first server you specify is the primary server, unless you explicitly make one server the primary using the primary keyword.

To specify one or more TACACS+ servers, perform this task in privileged mode:

Step 1  Task: Specify the IP address of one or more TACACS+ servers.
        Command: set tacacs server ip_addr [primary]
Step 2  Task: Verify the TACACS+ configuration.
        Command: show tacacs

This example shows how to specify TACACS+ servers and verify the configuration:

Console> (enable) set tacacs server 172.20.52.3
172.20.52.3 added to TACACS server table as primary server.
Console> (enable) set tacacs server 172.20.52.2 primary
172.20.52.2 added to TACACS server table as primary server.
Console> (enable) set tacacs server 172.20.52.10
172.20.52.10 added to TACACS server table as backup server.
Console> (enable)

Console> (enable) show tacacs
Login Authentication:     Console Session    Telnet Session
---------------------     ---------------    --------------
tacacs                    disabled           disabled
radius                    disabled           disabled
local                     enabled(primary)   enabled(primary)

Enable Authentication:    Console Session    Telnet Session
----------------------    ----------------   ---------------
tacacs                    disabled           disabled
radius                    disabled           disabled
local                     enabled(primary)   enabled(primary)

Tacacs key:
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled

Tacacs-Server                             Status
----------------------------------------  -------
172.20.52.2                               primary
172.20.52.3
172.20.52.10
Console> (enable)

Enabling TACACS+ Authentication

Note Specify at least one TACACS+ server before enabling TACACS+ authentication on the switch. For information on specifying a TACACS+ server, see the "Specifying TACACS+ Servers" section on page 21-xvii.

You can enable TACACS+ authentication for login and enable access to the switch. If desired, you can use the console and telnet keywords to specify that TACACS+ authentication be used only on console or Telnet connections. If you are using both RADIUS and TACACS+, you can use the primary keyword to force the switch to try TACACS+ authentication first.

To enable TACACS+ authentication, perform this task in privileged mode:

Step 1  Task: Enable TACACS+ authentication for normal login mode. Enter the console or telnet keyword if you want to enable TACACS+ only for console port or Telnet connection attempts.
        Command: set authentication login tacacs enable [all | console | http | telnet] [primary]
Step 2  Task: Enable TACACS+ authentication for enable mode. Enter the console or telnet keyword if you want to enable TACACS+ only for console port or Telnet connection attempts.
        Command: set authentication enable tacacs enable [all | console | http | telnet] [primary]
Step 3  Task: Verify the TACACS+ configuration.
        Command: show authentication

This example shows how to enable TACACS+ authentication for console and Telnet connections and how to verify the configuration:

Console> (enable) set authentication login tacacs enable
tacacs login authentication set to enable for console and telnet session.

Console> (enable) set authentication enable tacacs enable
tacacs enable authentication set to enable for console and telnet session.
Console> (enable) show authentication
Login Authentication:     Console Session    Telnet Session
--------------------      ---------------    ---------------
tacacs                    enabled(primary)   enabled(primary)
radius                    disabled           disabled
local                     enabled            enabled

Enable Authentication:    Console Session    Telnet Session
---------------------     ----------------   ---------------
tacacs                    enabled(primary)   enabled(primary)
radius                    disabled           disabled
local                     enabled            enabled
Console> (enable)

Specifying the TACACS+ Key

Note  If you configure a TACACS+ key on the client, make sure you configure an identical key on the TACACS+ server.

To specify the TACACS+ key, perform this task in privileged mode:

Step 1  Specify the key used to encrypt packets.
        Command: set tacacs key key
Step 2  Verify the TACACS+ configuration.
        Command: show tacacs

This example shows how to specify the TACACS+ key and verify the configuration:

Console> (enable) set tacacs key Secret_TACACS_key
The tacacs key has been set to Secret_TACACS_key.
Console> (enable) show tacacs
Tacacs key: Secret_TACACS_key
Tacacs login attempts:  3
Tacacs timeout:  5 seconds
Tacacs direct request:  disabled

Tacacs-Server                           Status
--------------------------------------- -------
172.20.52.2                             primary
172.20.52.3
172.20.52.10
Console> (enable)

Specifying the TACACS+ Timeout Interval

You can specify the timeout interval between retransmissions to the TACACS+ server. The default timeout is 5 seconds.

To specify the TACACS+ timeout interval, perform this task in privileged mode:

Step 1  Specify the TACACS+ timeout interval.
        Command: set tacacs timeout seconds
Step 2  Verify the TACACS+ configuration.
        Command: show tacacs

This example shows how to specify the server timeout interval and verify the configuration:

Console> (enable) set tacacs timeout 30
Tacacs timeout set to 30 seconds.
Console> (enable) show tacacs
Tacacs key: Secret_TACACS_key
Tacacs login attempts:  3
Tacacs timeout:  30 seconds
Tacacs direct request:  disabled

Tacacs-Server                           Status
--------------------------------------- -------
172.20.52.2                             primary
172.20.52.3
172.20.52.10
Console> (enable)

Specifying the TACACS+ Login Attempts

You can specify the number of failed login attempts allowed.

To specify the number of login attempts allowed, perform this task in privileged mode:

Step 1  Specify the number of allowed login attempts.
        Command: set tacacs attempts number
Step 2  Verify the TACACS+ configuration.
        Command: show tacacs

This example shows how to specify the number of login attempts and verify the configuration:

Console> (enable) set tacacs attempts 5
Tacacs number of attempts set to 5.
Console> (enable) show tacacs
Tacacs key: Secret_TACACS_key
Tacacs login attempts:  5
Tacacs timeout:  30 seconds
Tacacs direct request:  disabled

Tacacs-Server                           Status
--------------------------------------- -------
172.20.52.2                             primary
172.20.52.3
172.20.52.10
Console> (enable)

Enabling TACACS+ Directed Request

When you enable TACACS+ directed request, you can optionally specify the host name of a configured TACACS+ server to direct the TACACS+ authentication request to that particular TACACS+ server. Authentication will fail if the server that the switch contacts does not have an account for the user that is attempting to log in.

To enable TACACS+ directed request, perform this task in privileged mode:

Step 1  Enable TACACS+ directed request on the switch.
        Command: set tacacs directedrequest enable
Step 2  Verify the TACACS+ configuration.
        Command: show tacacs

This example shows how to enable TACACS+ directed request and verify the configuration:

Console> (enable) set tacacs directedrequest enable
Tacacs direct request has been enabled.
Console> (enable) show tacacs
Tacacs key: Secret_TACACS_key
Tacacs login attempts:  5
Tacacs timeout:  30 seconds
Tacacs direct request:  enabled

Tacacs-Server                           Status
--------------------------------------- -------
172.20.52.2                             primary
172.20.52.3
172.20.52.10
Console> (enable)

Disabling TACACS+ Directed Request

To disable TACACS+ directed request, perform this task in privileged mode:

Step 1  Disable TACACS+ directed request on the switch.
        Command: set tacacs directedrequest disable
Step 2  Verify the TACACS+ configuration.
        Command: show tacacs

This example shows how to disable TACACS+ directed request:

Console> (enable) set tacacs directedrequest disable
Tacacs direct request has been disabled.
Console> (enable)

Clearing TACACS+ Servers

To clear one or more TACACS+ servers, perform this task in privileged mode:

Step 1  Specify the IP address of the TACACS+ server to clear from the configuration. Enter the all keyword to clear all of the servers from the configuration.
        Command: clear tacacs server [ip_addr | all]
Step 2  Verify the TACACS+ server configuration.
        Command: show tacacs

This example shows how to clear a specific TACACS+ server from the configuration:

Console> (enable) clear tacacs server 172.20.52.3
172.20.52.3 cleared from TACACS table
Console> (enable)

This example shows how to clear all TACACS+ servers from the configuration:

Console> (enable) clear tacacs server all
All TACACS servers cleared
Console> (enable)

Clearing the TACACS+ Key

To clear the TACACS+ key, perform this task in privileged mode:

Step 1  Clear the TACACS+ key.
        Command: clear tacacs key
Step 2  Verify the TACACS+ configuration.
        Command: show tacacs

This example shows how to clear the TACACS+ key:

Console> (enable) clear tacacs key
TACACS server key cleared.
Console> (enable)

Disabling TACACS+ Authentication

When local authentication is disabled and only TACACS+ authentication is enabled, if you disable TACACS+ authentication, local authentication is reenabled automatically.

To disable TACACS+ authentication, perform this task in privileged mode:

Step 1  Disable TACACS+ authentication for normal login mode. Enter the console or telnet keyword if you want to disable TACACS+ only for console port or Telnet connection attempts.
        Command: set authentication login tacacs disable [all | console | http | telnet]
Step 2  Disable TACACS+ authentication for enable mode. Enter the console or telnet keyword if you want to disable TACACS+ only for console port or Telnet connection attempts.
        Command: set authentication enable tacacs disable [all | console | http | telnet]
Step 3  Verify the TACACS+ configuration.
        Command: show authentication

This example shows how to disable TACACS+ authentication for console and Telnet connections and how to verify the configuration:

Console> (enable) set authentication login tacacs disable
tacacs login authentication set to disable for console and telnet session.
Console> (enable) set authentication enable tacacs disable
tacacs enable authentication set to disable for console and telnet session.
Console> (enable) show authentication
Login Authentication:     Console Session    Telnet Session
--------------------      ---------------    ---------------
tacacs                    disabled           disabled
radius                    disabled           disabled
local                     enabled(primary)   enabled(primary)

Enable Authentication:    Console Session    Telnet Session
---------------------     ----------------   ---------------
tacacs                    disabled           disabled
radius                    disabled           disabled
local                     enabled(primary)   enabled(primary)
Console> (enable)

Configuring RADIUS Authentication

These sections describe how to configure RADIUS authentication on the switch:

• Specifying RADIUS Servers, page 21-xxiv
• Specifying the RADIUS Key, page 21-xxiv
• Enabling RADIUS Authentication, page 21-xxv
• Specifying the RADIUS Timeout Interval, page 21-xxvii
• Specifying the RADIUS Retransmit Count, page 21-xxvii
• Specifying the RADIUS Deadtime, page 21-xxviii
• Clearing RADIUS Servers, page 21-xxix

• Clearing the RADIUS Key, page 21-xxix
• Disabling RADIUS Authentication, page 21-xxx

Specifying RADIUS Servers

To specify one or more RADIUS servers, perform this task in privileged mode:

Step 1  Specify the IP address of up to three RADIUS servers. Optionally, specify the destination UDP port to use on the server. Specify the primary server using the primary keyword.
        Command: set radius server ip_addr [auth-port port] [primary]
Step 2  Verify the RADIUS server configuration.
        Command: show radius

This example shows how to specify a RADIUS server and verify the configuration:

Console> (enable) set radius server 172.20.52.3 primary
172.20.52.3 with auth-port 1812 added to radius server table as primary server.
Console> (enable) show radius
Login Authentication:     Console Session    Telnet Session
--------------------      ---------------    ---------------
tacacs                    disabled           disabled
radius                    disabled           disabled
local                     enabled(primary)   enabled(primary)

Enable Authentication:    Console Session    Telnet Session
---------------------     ----------------   ---------------
tacacs                    disabled           disabled
radius                    disabled           disabled
local                     enabled(primary)   enabled(primary)

Radius Deadtime:     0 minutes
Radius Key:
Radius Retransmit:   2
Radius Timeout:      5 seconds

Radius-Server                 Status    Auth-port
----------------------------- -------   -----------
172.20.52.3                   primary   1812
Console> (enable)

Specifying the RADIUS Key

Note  If you specify a RADIUS key on the client, make sure you specify an identical key on the RADIUS server.

The RADIUS key is used to encrypt and authenticate all communication between the RADIUS client and server. You must configure the same key on the client and the RADIUS server. The length of the key is limited to 65 characters. It can include any printable ASCII characters except tabs.

To specify the RADIUS key, perform this task in privileged mode:

Step 1  Specify the RADIUS key used to encrypt packets sent to the RADIUS server.
        Command: set radius key key
Step 2  Verify the RADIUS configuration.
        Command: show radius

This example shows how to specify the RADIUS key and verify the configuration (in normal mode, the RADIUS key value is hidden):

Console> (enable) set radius key Secret_RADIUS_key
Radius key set to Secret_RADIUS_key
Console> (enable) show radius
Login Authentication:     Console Session    Telnet Session
--------------------      ---------------    ---------------
tacacs                    disabled           disabled
radius                    enabled(primary)   enabled(primary)
local                     enabled            enabled

Enable Authentication:    Console Session    Telnet Session
---------------------     ----------------   ---------------
tacacs                    disabled           disabled
radius                    enabled(primary)   enabled(primary)
local                     enabled            enabled

Radius Deadtime:     0 minutes
Radius Key:          Secret_RADIUS_key
Radius Retransmit:   2
Radius Timeout:      5 seconds

Radius-Server                 Status    Auth-port
----------------------------- -------   -----------
172.20.52.3                   primary   1812
Console> (enable)

Enabling RADIUS Authentication

Note  Specify at least one RADIUS server before enabling RADIUS authentication on the switch. For information on specifying a RADIUS server, see the “Specifying RADIUS Servers” section on page 21-xxiv.

You can enable RADIUS authentication for login and enable access to the switch. If desired, you can enter the console or telnet keyword to specify that RADIUS authentication be used only on console or Telnet connections. If you are using both RADIUS and TACACS+, you can use the primary keyword to force the switch to try RADIUS authentication first.

To set up the RADIUS username and enable RADIUS authentication, perform this task in privileged mode:

Step 1  Create a user $enab15$ on the RADIUS server, and assign a password to that user. See the Note below for additional information.
Step 2  Enable RADIUS authentication for normal login mode. Enter the console or telnet keyword if you want to enable RADIUS only for console port or Telnet connection attempts.
        Command: set authentication login radius enable [all | console | http | telnet] [primary]
Step 3  Enable RADIUS authentication for enable mode. Enter the console or telnet keyword if you want to enable RADIUS only for console port or Telnet connection attempts.
        Command: set authentication enable radius enable [all | console | http | telnet] [primary]
Step 4  Verify the RADIUS configuration.
        Command: show authentication

Note  To use RADIUS authentication for enable mode, you will need to create a user $enab15$ on the RADIUS server, and assign a password to that user. This user needs to be created in addition to your assigned username and password on the RADIUS server (example: username john, password hello). After you log in to the Catalyst 6000 family switch with your assigned username and password (john/hello), you can enter enable mode using the password assigned to the $enab15$ user. If your RADIUS server does not support the $enab15$ username, you can set the service-type attribute (attribute 6) to Administrative (value 6) for a RADIUS user to directly launch the user into enable mode without asking for a separate enable password.

This example shows how to enable RADIUS authentication and verify the configuration:

Console> (enable) set authentication login radius enable
radius login authentication set to enable for console and telnet session.
Console> (enable) set authentication enable radius enable
radius enable authentication set to enable for console and telnet session.
Console> (enable) show authentication
Login Authentication:     Console Session    Telnet Session
--------------------      ---------------    ---------------
tacacs                    disabled           disabled
radius                    enabled(primary)   enabled(primary)
local                     enabled            enabled

Enable Authentication:    Console Session    Telnet Session
---------------------     ----------------   ---------------
tacacs                    disabled           disabled
radius                    enabled(primary)   enabled(primary)
local                     enabled            enabled
Console> (enable)
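The exchange behind the $enab15$ and service-type note, as an added example that is not Cisco's code or output: a minimal switch (NAS) and RADIUS server modelled with the standard library, using the shared key and the john/hello account from the guide. Packet layout, User-Password hiding and the Response Authenticator follow RFC 2865; the $enab15$ pseudo-user, the admin user alice, the passwords and the "other" key are constructed sample values.

```python
"""RADIUS login and enable-mode decision as a NAS sees it (RFC 2865).

Added example, not Cisco's code. The switch trusts an Access-Accept only if
its Response Authenticator verifies with the shared key; it then lands the
user in enable mode when Service-Type (attribute 6) = Administrative (6),
otherwise enable mode needs a second request as the $enab15$ user.
Users, passwords and the 'other' key below are constructed sample values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6    # RFC 2865 attribute types
ADMINISTRATIVE_USER = 6                             # Service-Type value
SHARED_KEY = b"Secret_RADIUS_key"                   # key from the guide

# Constructed user database: name -> (password, grant Service-Type=Administrative)
SAMPLE_USERS = {b"john": (b"hello", False),         # the guide's john/hello
                b"$enab15$": (b"enable-pw", False), # enable-mode pseudo-user
                b"alice": (b"s3cret", True)}        # lands in enable mode directly


def attr(atype, value):
    """Type-Length-Value; the length byte covers the 2-byte header."""
    return bytes([atype, 2 + len(value)]) + value


def parse_attrs(payload):
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2:
            break                                   # malformed attribute, stop
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous)."""
    size = max(1, (len(password) + 15) // 16) * 16
    padded, out, prev = password.ljust(size, b"\0"), b"", request_auth
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    """Server side: reverse hide_password and strip the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def packet(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()


def access_request(ident, user, password, secret):
    request_auth = os.urandom(16)                   # fresh for every request
    body = attr(USER_NAME, user) + attr(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, body), request_auth


def server_respond(request, secret, users):
    """Toy RADIUS server: check the password, answer Accept or Reject."""
    code, ident, _ = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:])
    name = attrs.get(USER_NAME, b"")
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    reply_code, body = ACCESS_REJECT, b""
    if code == ACCESS_REQUEST and name in users and users[name][0] == password:
        reply_code = ACCESS_ACCEPT
        if users[name][1]:
            body = attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE_USER))
    auth = response_authenticator(reply_code, ident, request_auth, body, secret)
    return packet(reply_code, ident, auth, body)


def switch_decide(reply, request_auth, secret):
    """NAS side: returns 'reject', 'accept' (login only; enable mode needs the
    $enab15$ request) or 'accept-admin' (straight into enable mode)."""
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    body = reply[20:]
    if reply[4:20] != response_authenticator(code, ident, request_auth, body, secret):
        return "reject"                             # forged, or keys do not match
    if code != ACCESS_ACCEPT:
        return "reject"
    svc = parse_attrs(body).get(SERVICE_TYPE)
    if svc and len(svc) == 4 and struct.unpack("!I", svc)[0] == ADMINISTRATIVE_USER:
        return "accept-admin"
    return "accept"


def run_exchange(user, password, nas_key=SHARED_KEY, server_key=SHARED_KEY,
                 users=SAMPLE_USERS):
    request, request_auth = access_request(7, user, password, nas_key)
    return switch_decide(server_respond(request, server_key, users), request_auth, nas_key)


if __name__ == "__main__":
    print("john/hello        ->", run_exchange(b"john", b"hello"))
    print("$enab15$/enable-pw->", run_exchange(b"$enab15$", b"enable-pw"))
    print("alice (admin)     ->", run_exchange(b"alice", b"s3cret"))
    print("key mismatch      ->", run_exchange(b"john", b"hello", server_key=b"other"))
```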

Specifying the RADIUS Timeout Interval

You can specify the timeout interval between retransmissions to the RADIUS server. The default timeout is 5 seconds.

To specify the RADIUS timeout interval, perform this task in privileged mode:

Step 1  Specify the RADIUS timeout interval.
        Command: set radius timeout seconds
Step 2  Verify the RADIUS configuration.
        Command: show radius

This example shows how to specify the RADIUS timeout interval and verify the configuration:

Console> (enable) set radius timeout 10
Radius timeout set to 10 seconds.
Console> (enable) show radius
Login Authentication:     Console Session    Telnet Session
--------------------      ---------------    ---------------
tacacs                    disabled           disabled
radius                    enabled(primary)   enabled(primary)
local                     enabled            enabled

Enable Authentication:    Console Session    Telnet Session
---------------------     ----------------   ---------------
tacacs                    disabled           disabled
radius                    enabled(primary)   enabled(primary)
local                     enabled            enabled

Radius Deadtime:     0 minutes
Radius Key:          Secret_RADIUS_key
Radius Retransmit:   2
Radius Timeout:      10 seconds

Radius-Server                 Status    Auth-port
----------------------------- -------   -----------
172.20.52.3                   primary   1812
Console> (enable)

Specifying the RADIUS Retransmit Count

You can specify the number of times the switch will attempt to contact a RADIUS server before the next configured server is tried. By default, each RADIUS server will be tried two times.

To specify the RADIUS retransmit count, perform this task in privileged mode:

Step 1  Specify the RADIUS server retransmit count.
        Command: set radius retransmit count
Step 2  Verify the RADIUS configuration.
        Command: show radius

This example shows how to specify the RADIUS retransmit count and verify the configuration:

Console> (enable) set radius retransmit 4
Radius retransmit count set to 4.
Console> (enable) show radius

Login Authentication:     Console Session    Telnet Session
--------------------      ---------------    ---------------
tacacs                    disabled           disabled
radius                    enabled(primary)   enabled(primary)
local                     enabled            enabled

Enable Authentication:    Console Session    Telnet Session
---------------------     ----------------   ---------------
tacacs                    disabled           disabled
radius                    enabled(primary)   enabled(primary)
local                     enabled            enabled

Radius Deadtime:     0 minutes
Radius Key:          Secret_RADIUS_key
Radius Retransmit:   4
Radius Timeout:      10 seconds

Radius-Server                 Status    Auth-port
----------------------------- -------   -----------
172.20.52.3                   primary   1812
Console> (enable)

Specifying the RADIUS Deadtime

You can configure the switch so that, when a RADIUS server does not respond to an authentication request, the switch marks that server as dead for the length of time specified by the deadtime. Any authentication requests received during the deadtime interval (such as other users attempting to log in to the switch) are not sent to a RADIUS server marked dead. Configuring a deadtime speeds up the authentication process by eliminating timeouts and retransmissions to the dead RADIUS server. If you configure only one RADIUS server, or if all of the configured servers are marked dead, the deadtime is ignored because there are no alternate servers available.

To set the RADIUS deadtime, perform this task in privileged mode:

Step 1  Specify the RADIUS server deadtime interval.
        Command: set radius deadtime minutes
Step 2  Verify the RADIUS configuration.
        Command: show radius

This example shows how to specify the RADIUS deadtime interval and verify the configuration:

Console> (enable) set radius deadtime 5
Radius deadtime set to 5 minute(s)
Console> (enable) show radius
Login Authentication:     Console Session    Telnet Session
--------------------      ---------------    ---------------
tacacs                    disabled           disabled
radius                    enabled(primary)   enabled(primary)
local                     enabled            enabled

Enable Authentication:    Console Session    Telnet Session
---------------------     ----------------   ---------------
tacacs                    disabled           disabled
radius                    enabled(primary)   enabled(primary)
local                     enabled            enabled

Radius Deadtime:     5 minutes
Radius Key:          Secret_RADIUS_key
Radius Retransmit:   4
Radius Timeout:      10 seconds

Radius-Server                 Status    Auth-port
----------------------------- -------   -----------
172.20.52.3                   primary   1812
172.20.52.2                             1812
Console> (enable)

Clearing RADIUS Servers

To clear one or more RADIUS servers, perform this task in privileged mode:

Step 1  Specify the IP address of the RADIUS server to clear from the configuration. Enter the all keyword to clear all of the servers from the configuration.
        Command: clear radius server [ip_addr | all]
Step 2  Verify the RADIUS server configuration.
        Command: show radius

This example shows how to clear a single RADIUS server from the configuration:

Console> (enable) clear radius server 172.20.52.3
172.20.52.3 cleared from radius server table.
Console> (enable)

This example shows how to clear all RADIUS servers from the configuration:

Console> (enable) clear radius server all
All radius servers cleared from radius server table.
Console> (enable)

Clearing the RADIUS Key

To clear the RADIUS key, perform this task in privileged mode:

Step 1  Clear the RADIUS key.
        Command: clear radius key
Step 2  Verify the RADIUS configuration.
        Command: show radius

This example shows how to clear the RADIUS key and verify the configuration:

Console> (enable) clear radius key
Radius key cleared.
Console> (enable) show radius
Login Authentication:     Console Session    Telnet Session
--------------------      ---------------    ---------------
tacacs                    disabled           disabled
radius                    disabled           disabled
local                     enabled(primary)   enabled(primary)

Enable Authentication:    Console Session    Telnet Session
---------------------     ----------------   ---------------
tacacs                    disabled           disabled
radius                    disabled           disabled
local                     enabled(primary)   enabled(primary)

Radius Deadtime:     0 minutes
Radius Key:
Radius Retransmit:   2
Radius Timeout:      5 seconds

Radius-Server                 Status    Auth-port
----------------------------- -------   -----------
172.20.52.3                   primary   1812
Console> (enable)

Disabling RADIUS Authentication

When local authentication is disabled and only RADIUS authentication is enabled, if you disable RADIUS authentication, local authentication is reenabled automatically.

To disable RADIUS authentication, perform this task in privileged mode:

Step 1  Disable RADIUS authentication for login mode.
        Command: set authentication login radius disable [all | console | http | telnet]
Step 2  Disable RADIUS authentication for enable mode.
        Command: set authentication enable radius disable [all | console | http | telnet]
Step 3  Verify the RADIUS configuration.
        Command: show authentication

This example shows how to disable RADIUS authentication:

Console> (enable) set authentication login radius disable
radius login authentication set to disable for console and telnet session.
Console> (enable) set authentication enable radius disable
radius enable authentication set to disable for console and telnet session.
Console> (enable) show authentication
Login Authentication:     Console Session    Telnet Session
--------------------      ---------------    ---------------
tacacs                    disabled           disabled
radius                    disabled           disabled
local                     enabled(primary)   enabled(primary)

Enable Authentication:    Console Session    Telnet Session
---------------------     ----------------   ---------------
tacacs                    disabled           disabled
radius                    disabled           disabled
local                     enabled(primary)   enabled(primary)
Console> (enable)
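The TACACS+ and RADIUS sections above each end in a show command whose output is the only place the whole AAA state (per-session methods, key, timers, server list) is visible. As an added example that is not Cisco's code, the following script parses that output layout and flags the configurations the guide warns about: a remote method enabled with no shared key, with no server, or for a session whose local fallback is disabled. The sample output is constructed in the guide's layout, and the delay model (servers x retransmit x timeout) is an assumption about how the switch walks its server list.

```python
"""Audit CatOS 'show radius' / 'show tacacs' output for AAA fallback gaps.

Added example, not Cisco's code. Parses the Login/Enable Authentication
tables, the '<Prefix> Name: value' settings lines and the server table as
the guide prints them. The sample below is constructed in that layout.
"""
import re

SAMPLE_SHOW_RADIUS = """\
Console> (enable) show radius
Login Authentication:     Console Session    Telnet Session
--------------------      ---------------    ---------------
tacacs                    disabled           disabled
radius                    enabled(primary)   enabled(primary)
local                     enabled            disabled

Enable Authentication:    Console Session    Telnet Session
---------------------     ----------------   ---------------
tacacs                    disabled           disabled
radius                    enabled(primary)   enabled(primary)
local                     enabled            enabled

Radius Deadtime:     0 minutes
Radius Key:
Radius Retransmit:   2
Radius Timeout:      5 seconds

Radius-Server                 Status    Auth-port
----------------------------- -------   -----------
172.20.52.3                   primary   1812
172.20.52.2                             1812
Console> (enable)
"""

METHODS = ("tacacs", "radius", "kerberos", "local")
SESSIONS = ("console", "telnet")


def parse_auth_tables(text):
    """{'login': {method: (console_state, telnet_state)}, 'enable': {...}}"""
    tables, current = {}, None
    for line in text.splitlines():
        head = re.match(r"(Login|Enable) Authentication:", line)
        if head:
            current = head.group(1).lower()
            tables[current] = {}
            continue
        parts = line.split()
        if current and len(parts) == 3 and parts[0] in METHODS:
            tables[current][parts[0]] = (parts[1], parts[2])
    return tables


def parse_settings(text, prefix):
    """'<prefix> <name>:  value' lines -> {name_lowercase: value}. Matches
    'Radius Key:' as well as 'Tacacs key:'; the hyphenated server-table
    header 'Radius-Server' has no space after the prefix and is skipped."""
    pat = re.compile(rf"^{prefix} ([A-Za-z ]+?):[ \t]*(.*)$", re.M | re.I)
    return {m.group(1).lower(): m.group(2).strip() for m in pat.finditer(text)}


def parse_servers(text):
    """IP addresses at the start of a line, i.e. the rows of the server table."""
    return re.findall(r"^(\d{1,3}(?:\.\d{1,3}){3})\b", text, re.M)


def worst_case_delay(settings, n_servers):
    """Seconds a login can hang before every server has been tried, assuming
    each server gets 'retransmit' tries (one when there is no such setting,
    as for TACACS+) and every try waits the full timeout."""
    timeout = int(settings.get("timeout", "0").split()[0])
    tries = int(settings.get("retransmit", "1"))
    return n_servers * tries * timeout


def audit(text, method="radius"):
    """Return a list of findings; an empty list means nothing was flagged."""
    tables, servers = parse_auth_tables(text), parse_servers(text)
    settings = parse_settings(text, method.capitalize())
    findings, enabled_anywhere = [], False
    for mode, rows in tables.items():
        remote, local = rows.get(method), rows.get("local")
        if remote is None:
            continue
        for idx, session in enumerate(SESSIONS):
            if not remote[idx].startswith("enabled"):
                continue
            enabled_anywhere = True
            if local is not None and not local[idx].startswith("enabled"):
                findings.append(f"{mode}/{session}: {method} enabled with local "
                                "fallback disabled; a server outage locks this session out")
    if enabled_anywhere and not settings.get("key"):
        findings.append(f"{method} enabled but no shared key is configured")
    if enabled_anywhere and not servers:
        findings.append(f"{method} enabled but no server is configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOW_RADIUS):
        print("FINDING:", finding)
    print("worst-case delay before fallback:",
          worst_case_delay(parse_settings(SAMPLE_SHOW_RADIUS, "Radius"),
                           len(parse_servers(SAMPLE_SHOW_RADIUS))), "seconds")
```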

Configuring Kerberos Authentication

These sections describe how to configure Kerberos authentication on the switch:

• Configuring a Kerberos Server, page 21-xxxi
• Enabling Kerberos, page 21-xxxii
• Defining the Kerberos Local Realm, page 21-xxxiii
• Specifying a Kerberos Server, page 21-xxxiii
• Mapping a Kerberos Realm to a Host Name or DNS Domain, page 21-xxxiv
• Copying SRVTAB Files, page 21-xxxiv
• Deleting an SRVTAB Entry, page 21-xxxv
• Enabling Credentials Forwarding, page 21-xxxvi
• Disabling Credentials Forwarding, page 21-xxxvii
• Defining and Clearing a Private DES Key, page 21-xxxviii
• Encrypting a Telnet Session, page 21-xxxviii
• Displaying and Clearing Kerberos Configurations, page 21-xxxix

Configuring a Kerberos Server

Before you can use Kerberos as an authentication method on the switch, you need to configure the Kerberos server. You will need to create a database for the KDC and add the switch to the database.

Note  Kerberos authentication requires that NTP is enabled. Additionally, we recommend that you enable DNS.

To configure the Kerberos server, perform this procedure:

Step 1  Before you can enter the switch in the Kerberos server’s key table, you must create the database the KDC will use. In the following example, a database called CISCO.EDU is created:
        /usr/local/sbin/kdb5_util create -r CISCO.EDU -s
Step 2  Add the switch to the database. The following example adds a switch called Cat6509 to the CISCO.EDU database:
        ank host/Cat6509.cisco.edu@CISCO.EDU
Step 3  Add the username as follows:
        ank user1@CISCO.EDU
Step 4  Add the administrative principals as follows:
        ank user1/admin@CISCO.EDU
Step 5  Using the admin.local ktadd command, create the database entry for the switch as follows:
        ktadd host/Cat6509.cisco.edu@CISCO.EDU
Step 6  Move the keytab file to a place where the switch can reach it.

Step 7  Start the KDC server as follows:
        /usr/local/sbin/krb5kdc
        /usr/local/sbin/kadmind

Enabling Kerberos

To enable Kerberos authentication, perform this task in privileged mode:

Step 1  Specify Kerberos as the authentication method.
        Command: set authentication login kerberos enable [all | console | http | telnet] [primary]
Step 2  Verify the configuration.
        Command: show authentication

This example shows how to enable Kerberos as the login authentication method for Telnet and verify the configuration:

kerberos> (enable) set authentication login kerberos enable telnet
kerberos login authentication set to enable for telnet session.
kerberos> (enable) show authentication
Login Authentication:     Console Session    Telnet Session
--------------------      ----------------   ---------------
tacacs                    disabled           disabled
radius                    disabled           disabled
kerberos                  disabled           enabled(primary)
local                     enabled(primary)   enabled

Enable Authentication:    Console Session    Telnet Session
---------------------     ----------------   ---------------
tacacs                    disabled           disabled
radius                    disabled           disabled
kerberos                  disabled           enabled(primary)
local                     enabled(primary)   enabled
kerberos> (enable)

This example shows how to enable Kerberos as the login authentication method for the console and verify the configuration:

kerberos> (enable) set authentication login kerberos enable console
kerberos login authentication set to enable for console session.
kerberos> (enable) show authentication
Login Authentication:     Console Session    Telnet Session
--------------------      ----------------   ---------------
tacacs                    disabled           disabled
radius                    disabled           disabled
kerberos                  enabled(primary)   enabled(primary)
local                     enabled            enabled

Enable Authentication:    Console Session    Telnet Session
---------------------     ----------------   ---------------
tacacs                    disabled           disabled
radius                    disabled           disabled
kerberos                  enabled(primary)   enabled(primary)
local                     enabled            enabled
kerberos> (enable)

Defining the Kerberos Local Realm

The Kerberos realm is a domain consisting of users, hosts, and network services that are registered to a Kerberos server. To authenticate a user defined in the Kerberos database, the switch must know the host name or IP address of the host running the KDC and the name of the Kerberos realm.

To configure the switch to authenticate to the KDC in a specified Kerberos realm, perform this task in privileged mode:

Task: Define the default realm for the switch.
Command: set kerberos local-realm kerberos_realm

Note  Make sure the realm is entered in uppercase letters. Kerberos will not authenticate users if the realm is entered in lowercase letters.

This example shows how to define a local realm and how to verify the configuration:

kerberos> (enable) set kerberos local-realm CISCO.COM
Kerberos local realm for this switch set to CISCO.COM
kerberos> (enable) show kerberos
Kerberos Local Realm:CISCO.COM
Kerberos server entries:
Realm:CISCO.COM, Server:187.0.2.1, Port:750

Kerberos Domain<->Realm entries:
Domain:cisco.com, Realm:CISCO.COM

Kerberos Clients NOT Mandatory
Kerberos Credentials Forwarding Enabled
Kerberos Pre Authentication Method set to None
Kerberos config key:
Kerberos SRVTAB Entries
Srvtab Entry 1:host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 01.8>00>50.0=0=0
kerberos> (enable)

Specifying a Kerberos Server

You can specify to the switch which KDC to use in a specific Kerberos realm. Optionally, you can also specify the port number which the KDC is monitoring. (The default port number is 750.) The Kerberos server information you enter is maintained in a table with one entry for each Kerberos realm. The maximum number of entries in the table is 100.

To specify the Kerberos server, perform this task in privileged mode:

Step 1  Specify which KDC to use in a given Kerberos realm. Optionally, enter the port number the KDC is monitoring.
        Command: set kerberos server kerberos_realm {hostname | ip_address} [port]
Step 2  Clear the Kerberos server entry.
        Command: clear kerberos server kerberos_realm {hostname | ip_address} [port]

This example shows how to specify which Kerberos server will serve as the KDC for the specified Kerberos realm and how to clear the entry:

kerberos> (enable) set kerberos server CISCO.COM 187.0.2.1 750
Kerberos Realm-Server-Port entry set to:CISCO.COM-187.0.2.1-750
kerberos> (enable)

Console> (enable) clear kerberos server CISCO.COM 187.0.2.1 750
Kerberos Realm-Server-Port entry CISCO.COM-187.0.2.1-750 deleted
Console> (enable)

Mapping a Kerberos Realm to a Host Name or DNS Domain

Optionally, you can map a host name or domain name system (DNS) domain to a Kerberos realm. The maximum size of the table is 20 entries.

To map a Kerberos realm to either a host name or DNS domain, perform this task in privileged mode:

Step 1  (Optional) Map a host name or DNS domain to a Kerberos realm.
        Command: set kerberos realm {dns_domain | host} kerberos_realm
Step 2  Clear the Kerberos realm domain or host mapping entry.
        Command: clear kerberos realm {dns_domain | host} kerberos_realm

This example shows how to map a Kerberos realm to a DNS domain and how to clear the entry:

Console> (enable) set kerberos realm CISCO CISCO.COM
Kerberos DnsDomain-Realm entry set to CISCO - CISCO.COM
Console> (enable)

Console> (enable) clear kerberos realm CISCO CISCO.COM
Kerberos DnsDomain-Realm entry CISCO - CISCO.COM deleted
Console> (enable)

Copying SRVTAB Files

To make it possible for remote users to authenticate to the switch using Kerberos credentials, the switch must share a key with the KDC. To allow this configuration, you must give the switch a copy of the file stored in the KDC that contains the key. These files are called SRVTAB files on the switch and KEYTAB files on the servers.

The most secure method to copy SRVTAB files to the hosts in your Kerberos realm is to copy them onto physical media and go to each host in turn and manually copy the files onto the system. To copy SRVTAB files to a switch that does not have a physical media drive, you must transfer them through the network by using the Trivial File Transfer Protocol (TFTP).

When you copy the SRVTAB file from the switch to the KDC, the switch parses the information in this file and stores it in the running configuration in the Kerberos SRVTAB entry format. If you enter the SRVTAB directly into the switch, create an entry for each Kerberos principal (service) on the switch. The entries are maintained in the SRVTAB table.

To remotely copy SRVTAB files to the switch from the KDC, perform this task in privileged mode:

Step 1  Retrieve a specified SRVTAB file from the KDC.
        Command: set kerberos srvtab remote {hostname | ip_address} filename
Step 2  (Optional) Enter the SRVTAB directly into the switch.
        Command: set kerberos srvtab entry kerberos_principal principal_type timestamp key_version_number key_type key_length encrypted_keytab

This example shows how to retrieve an SRVTAB file from the KDC, enter an SRVTAB directly into the switch, and verify the configuration:

kerberos> (enable) set kerberos srvtab remote 187.20.32.10 /users/jdoe/krb5/ninerskeytab
kerberos> (enable)
kerberos> (enable) set kerberos srvtab entry host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03.5>00>50.0=0=0
Kerberos SRVTAB entry set to
Principal:host/niners.cisco.com@CISCO.COM
Principal Type:0
Timestamp:932423923
Key version number:1
Key type:1
Key length:8
Encrypted key tab:03.5>00>50.0=0=0
kerberos> (enable) show kerberos
Kerberos Local Realm:CISCO.COM
Kerberos server entries:
Realm:CISCO.COM, Server:187.0.2.1, Port:750
Realm:CISCO.COM, Server:187.0.2.9, Port:750

Kerberos Domain<->Realm entries:
Domain:cisco.com, Realm:CISCO.COM

Kerberos Clients NOT Mandatory
Kerberos Credentials Forwarding Enabled
Kerberos Pre Authentication Method set to None
Kerberos config key:
Kerberos SRVTAB Entries
Srvtab Entry 1:host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03.5>00>50.0=0=0
Srvtab Entry 2:host/niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?58:127:223=:.
Console> (enable)

Deleting an SRVTAB Entry

To delete an SRVTAB entry, perform this task in privileged mode:

Task: Delete the SRVTAB entry for a particular Kerberos principal.
Command: clear kerberos srvtab entry kerberos_principal principal_type
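The seven fields of a "Srvtab Entry" line in show kerberos are exactly the arguments of set kerberos srvtab entry, and the principal plus principal type are the arguments of clear kerberos srvtab entry. As an added example that is not Cisco's code, the following script parses show kerberos output in the layout above, applies the realm rules the guide states (realm names uppercase, a KDC known for the realm each principal belongs to) and regenerates the set and clear commands for every entry. The sample output is constructed in that layout; the keytab blobs are opaque sample values.

```python
"""Parse CatOS 'show kerberos' output and rebuild SRVTAB entry commands.

Added example, not Cisco's code. The sample output below is constructed in
the layout the guide reproduces; the encrypted keytab blobs are opaque
sample values and the second entry deliberately carries a lowercase realm.
"""
import re

SAMPLE_SHOW_KERBEROS = """\
kerberos> (enable) show kerberos
Kerberos Local Realm:CISCO.COM
Kerberos server entries:
Realm:CISCO.COM, Server:187.0.2.1, Port:750

Kerberos Domain<->Realm entries:
Domain:cisco.com, Realm:CISCO.COM

Kerberos Clients NOT Mandatory
Kerberos Credentials Forwarding Enabled
Kerberos Pre Authentication Method set to None
Kerberos config key:
Kerberos SRVTAB Entries
Srvtab Entry 1:host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 01.8>00>50.0=0=0
Srvtab Entry 2:host/niners.cisco.edu@cisco.edu 0 933974942 1 1 8 00?58:127:223=:.
kerberos> (enable)
"""

# Field order of a Srvtab Entry line = argument order of 'set kerberos srvtab entry'
SRVTAB_FIELDS = ("principal", "principal_type", "timestamp", "key_version_number",
                 "key_type", "key_length", "encrypted_keytab")


def parse_show_kerberos(text):
    cfg = {"local_realm": None, "servers": [], "domains": [], "srvtab": []}
    for line in text.splitlines():
        m = re.match(r"Kerberos Local Realm:(\S+)", line)
        if m:
            cfg["local_realm"] = m.group(1)
            continue
        m = re.match(r"Realm:(\S+), Server:(\S+), Port:(\d+)", line)
        if m:
            cfg["servers"].append({"realm": m.group(1), "server": m.group(2),
                                   "port": int(m.group(3))})
            continue
        m = re.match(r"Domain:(\S+), Realm:(\S+)", line)
        if m:
            cfg["domains"].append({"domain": m.group(1), "realm": m.group(2)})
            continue
        m = re.match(r"Srvtab Entry \d+:(.*)", line)
        if m:
            # The keytab blob is the last field and may contain spaces, so
            # split at most six times and keep the remainder whole.
            fields = m.group(1).split(None, len(SRVTAB_FIELDS) - 1)
            if len(fields) == len(SRVTAB_FIELDS):
                cfg["srvtab"].append(dict(zip(SRVTAB_FIELDS, fields)))
    return cfg


def realm_of(principal):
    return principal.rsplit("@", 1)[1] if "@" in principal else None


def check(cfg):
    """Findings based on the realm rules the guide states; empty = clean."""
    findings = []
    local = cfg["local_realm"]
    if local and local != local.upper():
        findings.append(f"local realm {local!r} is not uppercase; Kerberos will not authenticate")
    for entry in cfg["servers"] + cfg["domains"]:
        if entry["realm"] != entry["realm"].upper():
            findings.append(f"realm {entry['realm']!r} is not uppercase")
    known = {s["realm"] for s in cfg["servers"]}
    for e in cfg["srvtab"]:
        realm = realm_of(e["principal"])
        if realm is None:
            findings.append(f"srvtab principal {e['principal']!r} has no realm")
        elif realm != realm.upper():
            findings.append(f"srvtab principal {e['principal']!r} uses a lowercase realm")
        elif realm not in known:
            findings.append(f"no KDC configured for realm {realm!r} of {e['principal']!r}")
    return findings


def srvtab_set_command(entry):
    """Rebuild the 'set kerberos srvtab entry' line that recreates this entry."""
    return "set kerberos srvtab entry " + " ".join(entry[f] for f in SRVTAB_FIELDS)


def srvtab_clear_command(entry):
    return f"clear kerberos srvtab entry {entry['principal']} {entry['principal_type']}"


if __name__ == "__main__":
    config = parse_show_kerberos(SAMPLE_SHOW_KERBEROS)
    for finding in check(config):
        print("FINDING:", finding)
    for entry in config["srvtab"]:
        print(srvtab_set_command(entry))
        print(srvtab_clear_command(entry))
```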

This example shows how to delete an SRVTAB entry:

    kerberos> (enable) clear kerberos srvtab entry host/niners.cisco.com@CISCO.COM 0
    kerberos> (enable)

Enabling Credentials Forwarding

A user authenticated to a Kerberized switch has a TGT and can use it to authenticate to a host on the network. However, if forwarding is not enabled and a user tries to list credentials after authenticating to a host, the output will show no Kerberos credentials present. You can configure the switch to forward user TGTs when they authenticate from the switch to Kerberized remote hosts on the network using Kerberized Telnet. Forwarding places a copy of the user's TGT on the remote host; a compromised remote host can then act as that user for the lifetime of the ticket, so enable forwarding only for hosts you trust as much as the switch.

As an additional layer of security, you can configure the switch so that after users authenticate to it, these users can authenticate only to other services on the network with Kerberized clients. If you do not make Kerberos authentication mandatory and Kerberos authentication fails, the application attempts to authenticate users using the default method of authentication for that network service. For example, Telnet prompts for a password, which then crosses the network in clear text.

To configure clients to forward user credentials as they connect to other hosts in the Kerberos realm, perform this task in privileged mode:

Step 1  Set all clients to forward user credentials upon successful Kerberos authentication.
        Command: set kerberos credentials forward
Step 2  (Optional) Configure Telnet to fail if clients cannot authenticate to the remote server.
        Command: set kerberos clients mandatory

This example shows how to configure clients to forward user credentials and verify the configuration:

    kerberos> (enable) set kerberos credentials forward
    Kerberos credentials forwarding enabled
    kerberos> (enable) show kerberos
    Kerberos Local Realm:CISCO.COM
    Kerberos server entries:
    Realm:CISCO.COM, Server:187.20.32.10, Port:750
    Kerberos Domain<->Realm entries:
    Domain:cisco.com, Realm:CISCO.COM
    Kerberos Clients NOT Mandatory
    Kerberos Credentials Forwarding Enabled
    Kerberos Pre Authentication Method set to None
    Kerberos config key:
    Kerberos SRVTAB Entries
    Srvtab Entry 1:host/aspen-niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?91:107:423=:.9
    kerberos> (enable)

This example shows how to configure the switch so that Kerberos clients are mandatory for users to authenticate to other network services:

    Console> (enable) set kerberos clients mandatory
    Kerberos clients set to mandatory
    Console> (enable)

Disabling Credentials Forwarding

To clear the credentials forwarding configuration, perform this task in privileged mode:

Task: Clear the credentials forwarding configuration.
        Command: clear kerberos credentials forward

This example shows how to clear the credentials forwarding configuration and verify the change:

    Console> (enable) clear kerberos credentials forward
    Kerberos credentials forwarding disabled
    Console> (enable) show kerberos
    Kerberos Local Realm not configured
    Kerberos server entries:
    Kerberos Domain<->Realm entries:
    Kerberos Clients Mandatory
    Kerberos Credentials Forwarding Disabled
    Kerberos Pre Authentication Method set to Encrypted Unix Time Stamp
    Kerberos config key:
    Kerberos SRVTAB Entries
    Console> (enable)

To clear the Kerberos clients mandatory configuration, perform this task in privileged mode:

Task: Clear the Kerberos clients mandatory configuration.
        Command: clear kerberos clients mandatory

This example shows how to clear the clients mandatory configuration and verify the change:

    Console> (enable) clear kerberos clients mandatory
    Kerberos clients mandatory cleared
    Console> (enable) show kerberos
    Kerberos Local Realm not configured
    Kerberos server entries:
    Kerberos Domain<->Realm entries:
    Kerberos Clients NOT Mandatory
    Kerberos Credentials Forwarding Disabled
    Kerberos Pre Authentication Method set to None
    Kerberos config key:
    Kerberos SRVTAB Entries
    Console> (enable)

Defining and Clearing a Private DES Key

You can define a private DES key for the switch. The private DES key can be used to encrypt the secret key that the switch shares with the KDC so that when the show kerberos command is executed, the secret key is not displayed in clear text. The key length should be eight characters or less. Note that show kerberos prints the config key itself in clear text, so this protects the SRVTAB keys only from a reader who sees the SRVTAB entries but not the rest of the output or the configuration.

To define a DES key, perform this task in privileged mode:

Task: Define a DES key for the switch.
        Command: set key config-key string

This example shows how to define a DES key and verify the configuration:

    kerberos> (enable) set key config-key abcd
    Kerberos config key set to abcd
    kerberos> (enable) show kerberos
    Kerberos Local Realm:CISCO.COM
    Kerberos server entries:
    Realm:CISCO.COM, Server:172.20.32.1, Port:750
    Kerberos Domain<->Realm entries:
    Domain:cisco.com, Realm:CISCO.COM
    Kerberos Clients Mandatory
    Kerberos Credentials Forwarding Disabled
    Kerberos Pre Authentication Method set to Encrypted Unix Time Stamp
    Kerberos config key:abcd
    Kerberos SRVTAB Entries
    Srvtab Entry 1:host/aspen-niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 12151><88?=>>3>11
    kerberos> (enable)

To clear the DES key, perform this task in privileged mode:

Task: Clear a DES key from the switch.
        Command: clear key config-key string

This example shows how to clear the DES key:

    Console> (enable) clear key config-key
    Kerberos config key cleared
    Console> (enable)

Encrypting a Telnet Session

After a user authenticates to the switch using Kerberos and wants to Telnet to another switch or host, whether or not this will be a Kerberized Telnet depends on the authentication method that the Telnet server uses. If the Telnet server uses Kerberos for authentication, you can choose to have all the application data packets encrypted for the duration of the Telnet session. To encrypt the Telnet session, select the encrypt kerberos option in the telnet command.

To encrypt a Telnet session, perform this task:

Task: Encrypt a Telnet session.
        Command: telnet encrypt kerberos host

This example shows how to configure a Telnet session for Kerberos authentication and encryption:

    Console> (enable) telnet encrypt kerberos

Displaying and Clearing Kerberos Configurations

These commands can be used to display and clear Kerberos configurations on the switch:

• show kerberos
• show kerberos creds
• clear kerberos creds

To display the Kerberos configuration, perform this task in privileged mode:

Task: Display the Kerberos configuration.
        Command: show kerberos

This example shows how to display the Kerberos configuration:

    kerberos> (enable) show kerberos
    Kerberos Local Realm:CISCO.COM
    Kerberos server entries:
    Realm:CISCO.COM, Server:187.20.32.10, Port:750
    Kerberos Domain<->Realm entries:
    Domain:cisco.com, Realm:CISCO.COM
    Kerberos Clients NOT Mandatory
    Kerberos Credentials Forwarding Enabled
    Kerberos Pre Authentication Method set to None
    Kerberos config key:
    Kerberos SRVTAB Entries
    Srvtab Entry 1:host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03.5>00>50.0=0=0
    Srvtab Entry 2:host/niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?58:127:223=:.9
    kerberos> (enable)

To display the Kerberos credentials, perform this task in privileged mode:

Task: Display the Kerberos credentials.
        Command: show kerberos creds

This example shows how to display the Kerberos credentials:

    Console> (enable) show kerberos creds
    No Kerberos credentials.
    Console> (enable)
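The show kerberos output above is the place to check the settings this section has been configuring: whether Kerberos clients are mandatory, whether credentials forwarding is on, which pre-authentication method is in use, and whether a config key protects the SRVTAB entries. The following Python script is an added example, not part of the guide or of the switch software: it parses a dump in the format shown in this chapter and lists the settings a reviewer should question. The sample dump is constructed to match the format of the examples above, the risk wording is the author's, and the key-type check assumes that key type 1 follows the Kerberos encryption-type numbering (des-cbc-crc, 8-byte key); that numbering is not stated in the guide.

```python
import re

# Constructed sample laid out like the `show kerberos` output in this chapter
# (not a capture from a real switch).
SAMPLE_SHOW_KERBEROS = """\
Kerberos Local Realm:CISCO.COM
Kerberos server entries:
Realm:CISCO.COM, Server:187.20.32.10, Port:750
Kerberos Domain<->Realm entries:
Domain:cisco.com, Realm:CISCO.COM
Kerberos Clients NOT Mandatory
Kerberos Credentials Forwarding Enabled
Kerberos Pre Authentication Method set to None
Kerberos config key:
Kerberos SRVTAB Entries
Srvtab Entry 1:host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03.5>00>50.0=0=0
Srvtab Entry 2:host/niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?58:127:223=:.9
"""

# Field order follows the `set kerberos srvtab entry` syntax:
# principal type timestamp key_version key_type key_length encrypted_keytab
SRVTAB_RE = re.compile(
    r"^Srvtab Entry \d+:(?P<principal>[^@\s]+@(?P<realm>\S+)) "
    r"(?P<ptype>\d+) (?P<timestamp>\d+) (?P<kvno>\d+) (?P<ktype>\d+) "
    r"(?P<klen>\d+) (?P<keytab>\S+)$"
)


def _fields(line):
    """'Realm:X, Server:Y, Port:Z' -> {'Realm': 'X', 'Server': 'Y', 'Port': 'Z'}."""
    return dict(part.strip().split(":", 1) for part in line.split(","))


def parse_show_kerberos(text):
    cfg = {"local_realm": None, "servers": [], "domains": {}, "srvtab": [],
           "clients_mandatory": False, "forwarding": False,
           "preauth": "None", "config_key": ""}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Kerberos Local Realm"):
            if "not configured" not in line:
                cfg["local_realm"] = line.split(":", 1)[1].strip()
        elif line.startswith("Realm:") and "Server:" in line:
            f = _fields(line)
            cfg["servers"].append((f["Realm"], f["Server"], int(f["Port"])))
        elif line.startswith("Domain:"):
            f = _fields(line)
            cfg["domains"][f["Domain"]] = f["Realm"]
        elif line.startswith("Kerberos Clients"):
            cfg["clients_mandatory"] = "NOT" not in line
        elif line.startswith("Kerberos Credentials Forwarding"):
            cfg["forwarding"] = line.endswith("Enabled")
        elif line.startswith("Kerberos Pre Authentication Method"):
            cfg["preauth"] = line.split("set to", 1)[1].strip()
        elif line.startswith("Kerberos config key:"):
            cfg["config_key"] = line.split(":", 1)[1].strip()
        else:
            m = SRVTAB_RE.match(line)
            if m:
                entry = m.groupdict()
                for k in ("ptype", "timestamp", "kvno", "ktype", "klen"):
                    entry[k] = int(entry[k])
                cfg["srvtab"].append(entry)
    return cfg


def audit_kerberos(cfg):
    """Return the settings a reviewer should question, as plain strings."""
    findings = []
    if not cfg["clients_mandatory"]:
        findings.append("clients not mandatory: a failed Kerberos login falls back "
                        "to the service's default method (a password prompt for Telnet)")
    if cfg["forwarding"]:
        findings.append("credentials forwarding enabled: the user's TGT is handed to "
                        "every remote host reached from the switch")
    if cfg["preauth"] == "None":
        findings.append("pre-authentication off: the KDC issues encrypted tickets to "
                        "anyone naming a principal, which enables offline guessing")
    if not cfg["config_key"]:
        findings.append("no config key: SRVTAB keys appear unencrypted in show kerberos")
    for e in cfg["srvtab"]:
        if e["realm"] != cfg["local_realm"]:
            findings.append(f"{e['principal']}: realm differs from local realm")
        # Assumption: key type 1 is des-cbc-crc, which needs an 8-byte key.
        if e["ktype"] == 1 and e["klen"] != 8:
            findings.append(f"{e['principal']}: DES key with length {e['klen']}")
    return findings


if __name__ == "__main__":
    for finding in audit_kerberos(parse_show_kerberos(SAMPLE_SHOW_KERBEROS)):
        print("-", finding)
```

Paste a real dump in place of the constructed sample; every finding names the command in this section that changes the setting (set kerberos clients mandatory, clear kerberos credentials forward, set key config-key).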

To clear all Kerberos credentials, perform this task in privileged mode:

Task: Clear all credentials.
        Command: clear kerberos creds

This example shows how to clear all Kerberos credentials from the switch:

    Console> (enable) clear kerberos creds
    Console> (enable)

Configuring 802.1x Authentication

These sections describe how to configure 802.1x authentication on the switch:

• Enabling 802.1x Globally, page 21-40
• Disabling 802.1x Globally, page 21-41
• Enabling and Initializing 802.1x Authentication for Individual Ports, page 21-41
• Setting and Enabling Automatic Reauthentication of the Supplicant, page 21-42
• Manually Reauthenticating the Supplicant, page 21-43
• Enabling Multiple Hosts, page 21-43
• Disabling Multiple Hosts, page 21-43
• Setting the Quiet Period, page 21-44
• Setting the Authenticator-to-Supplicant Retransmission Time for EAP-Request/Identity Frames, page 21-44
• Setting the Back-End Authenticator-to-Supplicant Retransmission Time for EAP-Request Frames, page 21-44
• Setting the Back-End Authenticator-to-Authentication-Server Retransmission Time for Transport Layer Packets, page 21-45
• Setting the Back-End Authenticator-to-Supplicant Frame-Retransmission Number, page 21-45
• Resetting the 802.1x Configuration Parameters to the Default Values, page 21-46
• Setting the Trace Severity, page 21-46
• Using the show Commands, page 21-47

Enabling 802.1x Globally

You must enable 802.1x authentication for the entire system before configuring it for individual ports. After you globally enable 802.1x authentication, you can configure individual ports for 802.1x authentication if they meet the requirements of 802.1x. To enable 802.1x authentication for individual ports, see the “Enabling and Initializing 802.1x Authentication for Individual Ports” section on page 21-41.

Note  You must specify at least one RADIUS server before you can enable 802.1x authentication. For information on specifying a RADIUS server, see the “Specifying RADIUS Servers” section on page 21-24.

To globally enable 802.1x authentication, perform this task in privileged mode:

Task: Globally enable 802.1x authentication.
        Command: set dot1x system-auth-control enable

This example shows how to globally enable 802.1x authentication:

    Console> (enable) set dot1x system-auth-control enable
    dot1x system-auth-control enabled.

Disabling 802.1x Globally

When 802.1x authentication is enabled for the entire system, you can disable it globally. When 802.1x authentication is disabled globally, it is no longer available at any port, even ports that were previously configured for it; those ports pass traffic without any authentication.

To globally disable 802.1x authentication, perform this task in privileged mode:

Task: Globally disable 802.1x authentication.
        Command: set dot1x system-auth-control disable

This example shows how to globally disable 802.1x authentication:

    Console> (enable) set dot1x system-auth-control disable
    dot1x system-auth-control disabled.

Enabling and Initializing 802.1x Authentication for Individual Ports

After 802.1x authentication is globally enabled, you must enable and initialize 802.1x authentication from the console for individual ports. For information on globally enabling 802.1x, see the “Enabling 802.1x Globally” section on page 21-40.

To enable and initialize 802.1x control on a specific port, perform this task in privileged mode:

Step 1  Enable 802.1x authentication for access to the switch.
        Command: set port dot1x mod/port port-control auto
Step 2  Initialize 802.1x on the same port.
        Command: set port dot1x mod/port initialize
Step 3  Verify the 802.1x configuration.
        Command: show port dot1x mod/port

This example shows how to enable 802.1x authentication on port 1 in module 4, initialize 802.1x authentication on the same port, and verify the configuration:

    Console> (enable) set port dot1x 4/1 port-control auto
    Port 4/1 dot1x port-control is set to auto.
    Trunking disabled for port 4/1 due to Dot1x feature.
    Spantree port fast start option enabled for port 4/1.
    Console> (enable) set port dot1x 4/1 initialize
    Port 4/1 initializing...
    Port 4/1 dot1x initialization complete.
    Console> (enable) show port dot1x 4/1
    Port  Auth-State  BEnd-State  Port-Control  Port-Status
    ----- ----------- ----------- ------------- ------------
    4/1   connecting  finished    auto          unauthorized

    Port  Multiple-Host  Re-authentication
    ----- -------------- ------------------
    4/1   disabled       disabled

Setting and Enabling Automatic Reauthentication of the Supplicant

You can specify how often 802.1x authentication reauthenticates the supplicant and enable automatic 802.1x supplicant reauthentication. 802.1x supplicant reauthentication can be enabled for supplicants connected to a specific port. If you do not specify a time period before you enable supplicant reauthentication, 802.1x defaults to 3,600 seconds (valid values are from 1 to 65,535 seconds). Without reauthentication, a port stays authorized until the link drops or the supplicant logs off, however long ago the credential was checked. You can also reauthenticate a supplicant at any time by hand; see the “Manually Reauthenticating the Supplicant” section on page 21-43.

To set how often 802.1x authentication reauthenticates the supplicant and enable automatic 802.1x reauthentication, perform this task in privileged mode:

Step 1  Set the time constant for reauthenticating the supplicant.
        Command: set dot1x re-authperiod seconds
Step 2  Enable reauthentication on the port.
        Command: set port dot1x mod/port re-authentication enable
Step 3  Verify the 802.1x configuration.
        Command: show port dot1x mod/port

This example shows how to set automatic reauthentication to 7200 seconds, enable 802.1x reauthentication, and verify the configuration:

    Console> (enable) set dot1x re-authperiod 7200
    dot1x re-authperiod set to 7200 seconds
    Console> (enable) set port dot1x 4/1 re-authentication enable
    Port 4/1 re-authentication enabled.
    Console> (enable) show port dot1x 4/1
    Port  Auth-State  BEnd-State  Port-Control  Port-Status
    ----- ----------- ----------- ------------- ------------
    4/1   connecting  finished    auto          unauthorized

    Port  Multiple-Host  Re-authentication
    ----- -------------- ------------------
    4/1   disabled       enabled

1x supplicant reauthentication.. Command set port dot1x mod/port multiple-host enable This example shows how to enable access for multiple hosts on port 1 on module 4: Console> (enable) set port dot1x 4/1 multiple-host enable Port 4/1 multiple hosts allowed. Disabling Multiple Hosts You can disable multiple-user access on any port where it is enabled. perform this task in privileged mode: Task Enable multiple hosts on a specific port. Catalyst 6000 Family Software Configuration Guide—Releases 6. and a supplicant connected to that port is authorized successfully.4 78-13315-02 21-43 .Chapter 21 Configuring Switch Access Using AAA Configuring Authentication Manually Reauthenticating the Supplicant You can manually reauthenticate the supplicant connected to a specific port at any time. any host (with any MAC address) is allowed to send and receive traffic on that port. When a port is enabled for multiple users. perform this task in privileged mode: Task Command Manually reauthenticate the supplicant connected set port dot1x mod/port re-authenticate to a specific port. This example shows how to manually reauthenticate the supplicant connected to port 1 on module 4: Console> (enable) set port dot1x 4/1 re-authenticate Port 4/1 re-authenticating. you can reduce the security level on that port.. dot1x port 4/1 authorized. To disable multiple-user access on a specific port. To enable multiple-user access on a specific port.. When you want to configure automatic 802. If you then connect multiple supplicants to that port through a hub.3 and 6. Command set port dot1x mod/port multiple-host disable This example shows how to disable access for multiple hosts on port 1 on module 4: Console> (enable) set port dot1x 4/1 multiple-host disable Port 4/1 multiple hosts not allowed. Enabling Multiple Hosts You can enable a specific port to allow multiple-user access. dot1x re-authentication successful. To manually reauthenticate a supplicant connected to a specific port. 
perform this task in privileged mode: Task Disable multiple hosts on a specific port. see the “Setting and Enabling Automatic Reauthentication of the Supplicant” section on page 21-xlii..

Setting the Quiet Period

When the authenticator cannot authenticate the supplicant, it remains idle for a set period of time, and then tries again. The idle time is determined by the quiet-period value. You may set the value from 0 to 65535 seconds. (The default is 60 seconds.) The quiet period is the only brake on a supplicant that keeps failing; a value of 0 lets it retry, and load the RADIUS server, without pause.

To set the value for the quiet period, perform this task in privileged mode:

Task: Set the quiet-period value.
        Command: set dot1x quiet-period seconds

This example shows how to set the quiet period to 45 seconds:

    Console> (enable) set dot1x quiet-period 45
    dot1x quiet-period set to 45 seconds.

Setting the Authenticator-to-Supplicant Retransmission Time for EAP-Request/Identity Frames

The supplicant answers the authenticator's EAP-request/identity frame with an EAP-response/identity frame. When the authenticator does not receive this response, it waits a set period of time, and then retransmits the frame. You may set the amount of time that the authenticator waits for the response from 1 to 65535 seconds. (The default is 30 seconds.)

To set the authenticator-to-supplicant retransmission time for the EAP-request/identity frames, perform this task in privileged mode:

Task: Set the authenticator-to-supplicant retransmission time for EAP-request/identity frames.
        Command: set dot1x tx-period seconds

This example shows how to set the authenticator-to-supplicant retransmission time for the EAP-request/identity frame to 15 seconds:

    Console> (enable) set dot1x tx-period 15
    dot1x tx-period set to 15 seconds.

Setting the Back-End Authenticator-to-Supplicant Retransmission Time for EAP-Request Frames

The supplicant answers each EAP-request frame that the back-end authenticator relays from the authentication server with an EAP-response frame. When the back-end authenticator does not receive this response, it waits a set period of time, and then retransmits the frame. You may set the amount of time that the back-end authenticator waits for the response from 1 to 65535 seconds. (The default is 30 seconds.)

To set the back-end authenticator-to-supplicant retransmission time for the EAP-request frames, perform this task in privileged mode:

Task: Set the back-end authenticator-to-supplicant retransmission time for the EAP-request frame.
        Command: set dot1x supp-timeout seconds

This example shows how to set the back-end authenticator-to-supplicant retransmission time for the EAP-request frame to 15 seconds:

    Console> (enable) set dot1x supp-timeout 15
    dot1x supp-timeout set to 15 seconds.

Setting the Back-End Authenticator-to-Authentication-Server Retransmission Time for Transport Layer Packets

The back-end authenticator relays each EAP packet to the authentication server inside a transport layer (RADIUS) packet and expects a reply. When no reply arrives, the back-end authenticator waits a set period of time, and then retransmits the packet. You may set the amount of time that the back-end authenticator waits for the reply from 1 to 65535 seconds. (The default is 30 seconds.)

To set the value for the retransmission of transport layer packets from the back-end authenticator to the authentication server, perform this task in privileged mode:

Task: Set the back-end authenticator-to-authentication-server retransmission time for transport layer packets.
        Command: set dot1x server-timeout seconds

This example shows how to set the value for the retransmission time for transport layer packets sent from the back-end authenticator to the authentication server to 15 seconds:

    Console> (enable) set dot1x server-timeout 15
    dot1x server-timeout set to 15 seconds.

Setting the Back-End Authenticator-to-Supplicant Frame-Retransmission Number

The back-end authenticator retransmits an unanswered EAP-request frame to the supplicant after each supp-timeout interval. This setting is the number of times it retransmits the frame before it abandons the exchange; with the defaults, a silent supplicant therefore holds the authenticator for two retransmissions of 30 seconds each. You may set the number of retransmissions from 1 to 10 (the default is 2).

To set the number of frames retransmitted from the back-end authenticator to the supplicant, perform this task in privileged mode:

Task: Set the back-end authenticator-to-supplicant frame retransmission number.
        Command: set dot1x max-req count

This example shows how to set the number of retransmitted frames sent from the back-end authenticator to the supplicant to 4:

    Console> (enable) set dot1x max-req 4
    dot1x max-req set to 4.

Resetting the 802.1x Configuration Parameters to the Default Values

You can reset the 802.1x configuration parameters to the default values with a single command, which also globally disables 802.1x authentication and disables 802.1x on every port.

To reset the 802.1x configuration parameters to the default values, perform this task in privileged mode:

Step 1  Reset the 802.1x configuration parameters to the default values and globally disable 802.1x authentication.
        Command: clear dot1x config
Step 2  Verify the 802.1x configuration.
        Command: show dot1x

This example shows how to reset the 802.1x configuration parameters to the default values and verify the configuration:

    Console> (enable) clear dot1x config
    This command will disable dot1x on all ports and take dot1x parameter values back to factory defaults.
    Use with caution.
    Do you want to continue (y/n) [n]?
    Console> (enable) show dot1x
    PAE Capability          Authenticator Only
    Protocol Version        1
    system-auth-control     enabled
    max-req                 2
    quiet-period            60 seconds
    re-authperiod           3600 seconds
    server-timeout          30 seconds
    supp-timeout            30 seconds
    tx-period               30 seconds

Setting the Trace Severity

You can alter the trace severity for 802.1x authentication with this command. The number setting affects the number of trace messages displayed. Low numbers result in fewer messages; high numbers result in more messages.

To set the trace severity for 802.1x, perform this task in privileged mode:

Task: Set the trace severity for 802.1x.
        Command: set trace dot1x trace-level

This example shows how to set the trace severity for 802.1x authentication to 5:

    Console> (enable) set trace dot1x 5
    DOT1X tracing set to 5
    Warning!! Turning on trace may affect the operation of the system.
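The per-port and global settings described in the preceding sections are what an auditor checks on a deployed switch: ports that bypass authentication, ports opened to every MAC address through multiple-host, ports never reauthenticated, and a quiet period of zero. The following Python script is an added example, not part of the guide or of the switch software; it parses text in the layout of the show port dot1x and show dot1x output shown in this chapter and lists those conditions. The two sample dumps are constructed for the example (three ports rather than the single port of the guide's examples), the Auth-State values of the added ports are illustrative, and the force-authorized Port-Control value and the eight-hour reauthentication threshold are the author's assumptions rather than statements from the guide.

```python
import re

# Constructed samples laid out like the `show port dot1x` and `show dot1x`
# output in this chapter (not captures from a real switch).
SAMPLE_SHOW_PORT_DOT1X = """\
Port  Auth-State     BEnd-State  Port-Control      Port-Status
----- -------------- ----------- ----------------- -------------
4/1   connecting     finished    auto              unauthorized
4/2   authenticated  idle        auto              authorized
4/3   force_auth     idle        force-authorized  authorized

Port  Multiple-Host  Re-authentication
----- -------------- ------------------
4/1   disabled       enabled
4/2   enabled        disabled
4/3   disabled       disabled
"""

SAMPLE_SHOW_DOT1X = """\
PAE Capability          Authenticator Only
Protocol Version        1
system-auth-control     enabled
max-req                 2
quiet-period            0 seconds
re-authperiod           3600 seconds
server-timeout          30 seconds
supp-timeout            30 seconds
tx-period               30 seconds
"""


def parse_show_port_dot1x(text):
    """Merge the two tables into {port: {column: value}}; the header row names the columns."""
    ports, columns = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("-"):
            continue
        if line.startswith("Port"):
            columns = line.split()[1:]
            continue
        cells = line.split()
        ports.setdefault(cells[0], {}).update(zip(columns, cells[1:]))
    return ports


def parse_show_dot1x(text):
    """Key and value are separated by two or more spaces; timers become ints."""
    params = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, value = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if value.endswith(" seconds"):
            value = value[:-len(" seconds")]
        params[key] = int(value) if value.isdigit() else value
    return params


def audit_dot1x(ports, params):
    """Return (scope, message) pairs; scope is a port name or 'global'."""
    findings = []
    if params.get("system-auth-control") != "enabled":
        findings.append(("global", "system-auth-control disabled: no port performs 802.1x"))
    if params.get("quiet-period", 60) == 0:
        findings.append(("global", "quiet-period 0: a failing supplicant can retry without pause"))
    if params.get("re-authperiod", 3600) > 8 * 3600:   # threshold is an assumption
        findings.append(("global", "re-authperiod above 8 hours"))
    for port, p in sorted(ports.items()):
        if p.get("Port-Control") == "force-authorized":
            findings.append((port, "force-authorized: traffic allowed with no authentication"))
            continue  # the remaining checks are moot on a bypassed port
        if p.get("Multiple-Host") == "enabled":
            findings.append((port, "multiple-host enabled: one authorized supplicant "
                                   "opens the port to every MAC address behind it"))
        if p.get("Re-authentication") != "enabled":
            findings.append((port, "re-authentication disabled: an authorized session "
                                   "is never checked again"))
    return findings


if __name__ == "__main__":
    ports = parse_show_port_dot1x(SAMPLE_SHOW_PORT_DOT1X)
    params = parse_show_dot1x(SAMPLE_SHOW_DOT1X)
    for scope, message in audit_dot1x(ports, params):
        print(f"{scope}: {message}")
```

Run it against the output of show port dot1x (without a port argument, to cover every port) and show dot1x; each finding maps to one of the set dot1x or set port dot1x commands in the preceding sections.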

Using the show Commands

You can use these show commands to access information about 802.1x authentication and its configuration:

• show port dot1x help
• show port dot1x
• show port dot1x statistics
• show dot1x

To display the usage options for the show port dot1x command, perform this task in normal mode:

Task: Display the usage options for the show port dot1x command.
        Command: show port dot1x help

This example shows how to display the usage options for the show port dot1x command:

    Console> (enable) show port dot1x help
    Usage: show port dot1x [<mod[/port]>]
           show port dot1x statistics [<mod[/port]>]

To display the values for all configurable and current state parameters associated with the authenticator PAE and back-end authenticator on a specific port on a specific module, perform this task in normal mode:

Task: Display the values for all configurable and current state parameters associated with the authenticator PAE and back-end authenticator on a specific port on a specific module.
        Command: show port dot1x mod/port

This example shows how to display the values for all the parameters associated with the authenticator PAE and back-end authenticator on port 1 on module 4:

    Console> (enable) show port dot1x 4/1
    Port  Auth-State  BEnd-State  Port-Control  Port-Status
    ----- ----------- ----------- ------------- ------------
    4/1   connecting  finished    auto          unauthorized

    Port  Multiple-Host  Re-authentication
    ----- -------------- ------------------
    4/1   disabled       enabled

To display the statistics for the different types of EAP frames transmitted and received by the authenticator on a specific port on a specific module, perform this task in normal mode:

Task: Display the statistics for the different types of EAP frames transmitted and received by the authenticator on a specific port on a specific module.
        Command: show port dot1x statistics mod/port

This example shows how to display the statistics for the different types of EAP frames transmitted and received by the authenticator on port 1 on module 4:

    Console> (enable) show port dot1x statistics 4/1
    Port  Tx_Req/Id  Tx_Req  Tx_Total  Rx_Start  Rx_Logoff  Rx_Resp/Id  Rx_Resp
    ----- ---------- ------- --------- --------- ---------- ----------- --------
    4/1   97         0       97        0         0          0           0

    Port  Rx_Invalid  Rx_Len_Err  Rx_Total  Last_Rx_Frm_Ver  Last_Rx_Frm_Src_Mac
    ----- ----------- ----------- --------- ---------------- -------------------
    4/1   0           0           0         0                00-00-00-00-00-00

A port that has transmitted many EAP-request/identity frames (Tx_Req/Id) and received nothing (Rx_Total 0), as above, has no 802.1x-capable supplicant attached; the port stays unauthorized.

To display the global 802.1x parameters, perform this task in normal mode:

Task: Display the PAE capabilities, protocol version, system-auth-control, and other global dot1x parameters.
        Command: show dot1x

This example shows how to display the global 802.1x parameters:

    Console> (enable) show dot1x
    PAE Capability          Authenticator Only
    Protocol Version        1
    system-auth-control     enabled
    max-req                 2
    quiet-period            60 seconds
    re-authperiod           3600 seconds
    server-timeout          30 seconds
    supp-timeout            30 seconds
    tx-period               30 seconds

Authentication Example

Figure 21-3 shows a simple network topology using TACACS+. In this example, TACACS+ authentication is enabled and local authentication is disabled for both login and enable access to the switch for all Telnet connections. When Workstation A attempts to connect to the switch, the user is challenged for a TACACS+ username and password. However, only local authentication is enabled for both login and enable access on the console port. Any user with access to the directly connected terminal can access the switch using the login and enable passwords.

Figure 21-3 TACACS+ Example Network Topology

[Figure: TACACS+ server 172.20.52.10; Switch; Console port connection to a Terminal; Workstation A]

This example shows how to configure the switch so that TACACS+ authentication is enabled for Telnet connections, local authentication is enabled for console connections, and a TACACS+ encryption key is specified. Set the key before enabling TACACS+ authentication: until a key is configured (the empty Tacacs key field in the first show tacacs output), the switch has nothing to encrypt the TACACS+ packet bodies with, and usernames and passwords would cross the network unprotected. Note also that show tacacs displays the key in clear text.

    Console> (enable) show tacacs
    Tacacs key:
    Tacacs login attempts: 3
    Tacacs timeout: 5 seconds
    Tacacs direct request: disabled
    Tacacs-Server                            Status
    ---------------------------------------- -------
    Console> (enable) set tacacs server 172.20.52.10
    172.20.52.10 added to TACACS server table as primary server.
    Console> (enable) set tacacs key tintin_et_milou
    The tacacs key has been set to tintin_et_milou.
    Console> (enable) set authentication login tacacs enable telnet
    tacacs login authentication set to enable for telnet session.
    Console> (enable) set authentication login local disable telnet
    local login authentication set to disable for telnet session.
    Console> (enable) set authentication enable tacacs enable telnet
    tacacs enable authentication set to enable for telnet session.
    Console> (enable) set authentication enable local disable telnet
    local enable authentication set to disable for telnet session.
    Console> (enable) show tacacs
    Tacacs key: tintin_et_milou
    Tacacs login attempts: 3
    Tacacs timeout: 5 seconds
    Tacacs direct request: disabled
    Tacacs-Server                            Status
    ---------------------------------------- -------
    172.20.52.10                             primary
    Console> (enable)
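The key set with set tacacs key above is what protects the TACACS+ exchange between the switch and 172.20.52.10. The following Python script is an added example, not part of the guide or of the switch software: it builds an authentication START packet of the kind the switch sends when Workstation A's user logs in, applies the TACACS+ body obfuscation (the MD5 pseudo-pad of RFC 8907 section 4.5) with that key, and shows that with an empty key the body goes out in clear text under the unencrypted flag. The session ID, the port name, the username jdoe, and the workstation address 172.20.52.99 are constructed values for the example.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xc0           # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body carried in the clear
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from RFC 8907 section 4.5, truncated to the body length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, data=b"", priv_lvl=1):
    """Authentication START body: action LOGIN (1), authen_type ASCII (1), service LOGIN (1)."""
    fixed = struct.pack("!BBBBBBBB", 1, priv_lvl, 1, 1,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body, session_id, key, seq_no=1, ptype=TAC_PLUS_AUTHEN):
    """With an empty key there is no pad to apply, so the unencrypted flag must be set."""
    if key:
        flags, payload = 0, obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    header = HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body))
    return header + payload


def parse_packet(packet, key):
    """Return the plaintext body; the header fields drive the pad, so no state is needed."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    payload = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload
    return obfuscate(payload, session_id, key, version, seq_no)


# Constructed values: the key from the example above, a made-up session id,
# and a login from an assumed workstation address.
KEY = b"tintin_et_milou"
SESSION_ID = 0x5EC0FFEE
START_BODY = build_authen_start(b"jdoe", b"tty0", b"172.20.52.99")

if __name__ == "__main__":
    keyed = build_packet(START_BODY, SESSION_ID, KEY)
    clear = build_packet(START_BODY, SESSION_ID, b"")
    print("with key   :", keyed.hex())
    print("without key:", clear.hex())
    print("decoded    :", parse_packet(keyed, KEY))
```

The pad depends only on the header fields and the shared key, so anyone who captures the packet and knows (or guesses) the key recovers the body with the same XOR; the key deserves the same handling as a password, and show tacacs prints it in clear text.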

Understanding How Authorization Works

These sections describe how authorization works:

• Authorization Overview, page 21-50
• Authorization Events, page 21-50
• TACACS+ Primary Options and Fallback Options, page 21-50
• TACACS+ Command Authorization, page 21-51
• RADIUS Authorization, page 21-51

Authorization Overview

Catalyst 6000 family switches support TACACS+ and RADIUS authorization. Authorization limits access to specified users using a dynamically applied access list (or user profile) based on the username and password pair. The access list resides on the host running the TACACS+ or RADIUS server. The server responds to the user password information with an access list number that causes the specific list to be applied.

Authorization Events

You can enable authorization for the following:

• Commands—When you enable the authorization feature for commands, the user must supply a valid username and password pair to execute certain commands. You can require authorization for all commands or for configuration (enable mode) commands only. When a user issues a command, the authorization server receives the command and user information and compares it against an access list. If the user is authorized to issue that command, the command is executed; otherwise, the command is not executed.
• EXEC mode (normal login)—When the authorization feature is enabled for EXEC mode, the user must supply a valid username and password pair to gain access to EXEC mode. Authorization is required only if you have enabled the authorization feature.
• Enable mode (privileged login)—When the authorization feature is enabled for enable mode, the user must supply a valid username and password pair to gain access to enable mode. Authorization is required only if you have enabled the authorization feature for enable mode.

TACACS+ Primary Options and Fallback Options

You can specify the primary option and fallback option used in the authorization process. The fallback option decides what happens when the TACACS+ server does not answer, so it is the setting that determines whether an unreachable server fails open or fails closed. Available options and fallback options include the following:

• tacacs+—Authorization will fail if the TACACS+ server fails to respond.
• deny—Deny is strictly a fallback option. This is the default behavior.
• if-authenticated—If you have been authenticated, and there is no response from the TACACS+ server, then authorization will succeed immediately.
• none—Authorization will succeed if the TACACS+ server does not respond.

TACACS+ Command Authorization

You can require authorization for all commands or for configuration (enable mode) commands only. Configuration commands include the following:

• clear
• commit
• configure
• copy
• delete
• download
• format
• reload
• rollback
• session
• set
• squeeze
• switch
• undelete

The following TACACS+ authorization process occurs for every command that you enter:

• If you have disabled the command authorization feature, the switch completes the command.
• If you have enabled authorization for all commands, the switch forwards the command to the TACACS+ server for authorization.
• If you have enabled authorization for configuration commands only, the switch verifies that the first word of the command matches one of the commands listed above. If there is a match, the switch forwards the command to the TACACS+ server for authorization. If there is no match, the switch completes the command without consulting the server, so show commands and other non-configuration commands are never authorized in this mode.

RADIUS Authorization

RADIUS has limited authorization. There is one attribute, Service-Type, in the authentication protocol that provides authorization information. This attribute is part of the user profile. When you log in using RADIUS authentication and you do not have Administrative/Shell (Service-Type value 6) access, the RADIUS server authenticates you, and then logs you in to EXEC mode. If you have Administrative/Shell (Service-Type value 6) access, the RADIUS server authenticates you, and then logs you in to privileged mode. RADIUS offers no per-command authorization; a user whose profile carries Service-Type 6 can execute any command on the switch.
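The command authorization process above, together with the primary and fallback options from the previous page, is a small decision procedure: is the feature on, is the command in the configuration list, what did the server say, and if it said nothing, what does the fallback option allow. The following Python script is an added example, not part of the guide or of the switch software; it implements that procedure so the consequences of each fallback can be tried out. The TACACS+ server is a stand-in class holding a per-user list of permitted first words (a simplification of the server-side access list, and an assumption rather than a description of any real server); a down server returns no response at all.

```python
# The fourteen commands the chapter lists as configuration commands.
CONFIG_COMMANDS = frozenset((
    "clear", "commit", "configure", "copy", "delete", "download", "format",
    "reload", "rollback", "session", "set", "squeeze", "switch", "undelete",
))


def is_config_command(command_line):
    """Config-only mode matches on the first word, as the chapter describes."""
    words = command_line.split()
    return bool(words) and words[0] in CONFIG_COMMANDS


class FakeTacacsServer:
    """Stand-in for the server-side access list (an assumption, not a real server).

    permitted maps user -> set of first words that user may run;
    down=True models a server that never answers.
    """

    def __init__(self, permitted, down=False):
        self.permitted = permitted
        self.down = down
        self.queries = 0

    def authorize(self, user, command_line):
        self.queries += 1
        if self.down:
            return None  # no response: the switch must apply the fallback option
        return command_line.split()[0] in self.permitted.get(user, set())


def _evaluate(option, user, command_line, server, authenticated, is_fallback):
    if option == "tacacs+":
        return server.authorize(user, command_line)  # None when the server is silent
    if option == "if-authenticated":
        return authenticated
    if option == "none":
        return True
    if option == "deny":
        if not is_fallback:
            raise ValueError("deny is strictly a fallback option")
        return False
    raise ValueError(f"unknown option {option!r}")


def authorize_command(command_line, user, mode, server, primary="tacacs+",
                      fallback="deny", authenticated=True):
    """Return True if the switch should execute the command.

    mode: None (command authorization disabled), "config" or "all".
    primary/fallback: "tacacs+", "if-authenticated", "none"; fallback may also be "deny".
    """
    if mode is None:
        return True
    if mode not in ("config", "all"):
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "config" and not is_config_command(command_line):
        return True  # not in the list: completed without asking the server
    verdict = _evaluate(primary, user, command_line, server, authenticated, False)
    if verdict is None:
        verdict = _evaluate(fallback, user, command_line, server, authenticated, True)
    return bool(verdict)


if __name__ == "__main__":
    up = FakeTacacsServer({"jdoe": {"show", "set"}})
    down = FakeTacacsServer({}, down=True)
    for fallback in ("deny", "none", "if-authenticated"):
        ok = authorize_command("set tacacs key x", "jdoe", "all", down, fallback=fallback)
        print(f"server down, fallback {fallback:17}: {'executed' if ok else 'refused'}")
    print("server up, clear kerberos creds:",
          authorize_command("clear kerberos creds", "jdoe", "config", up))
```

The run with the server down is the one to study: with fallback none, every command is executed while the server is unreachable, and with if-authenticated, every command is executed for any logged-in user. Only deny, the default, keeps command authorization in force when the server is silent.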

Configuring Authorization

These sections describe how to configure authorization:
• TACACS+ Authorization Default Configuration, page 21-lii
• TACACS+ Authorization Configuration Guidelines, page 21-lii
• Configuring TACACS+ Authorization, page 21-lii
• Configuring RADIUS Authorization, page 21-lv

TACACS+ Authorization Default Configuration

Table 21-4 shows the TACACS+ default authorization configuration.

Table 21-4 Default Authorization Configuration
Feature                                               Default Value
TACACS+ login authorization (console and Telnet)      Disabled
TACACS+ EXEC authorization (console and Telnet)       Disabled
TACACS+ enable authorization (console and Telnet)     Disabled
TACACS+ commands authorization (console and Telnet)   Disabled

TACACS+ Authorization Configuration Guidelines

Follow these guidelines when configuring TACACS+ authorization on the switch:
• TACACS+ authorization is disabled by default.
• Configure RADIUS and TACACS+ servers before enabling authorization. See the “Specifying TACACS+ Servers” section on page 21-xvii or the “Specifying RADIUS Servers” section on page 21-xxiv for more information on server setup.
• Configure RADIUS and TACACS+ keys to encrypt protocol packets before enabling authorization. See the “Specifying the TACACS+ Key” section on page 21-xix or the “Specifying the RADIUS Key” section on page 21-xxiv for more information on the key setup.
• Authorization configuration applies to console connections, Telnet connections, or both types of connections. You must specify the mode, option, fallback option, and connection type when enabling authorization.

Configuring TACACS+ Authorization

These sections describe how to configure TACACS+ authorization on the switch:
• Enabling TACACS+ Authorization, page 21-liii
• Disabling TACACS+ Authorization, page 21-liv

Enabling TACACS+ Authorization

To enable TACACS+ authorization on the switch, perform this task in privileged mode:

Step 1  set authorization exec enable {option} {fallbackoption} [console | telnet | both]
        Enable authorization for normal mode. Enter the console or telnet keyword if you want to enable authorization only for console port or Telnet connection attempts. Enter the both keyword to enable authorization for both console port and Telnet connection attempts.
Step 2  set authorization enable enable {option} {fallbackoption} [console | telnet | both]
        Enable authorization for enable mode. Enter the console or telnet keyword if you want to enable authorization only for console port or Telnet connection attempts. Enter the both keyword to enable authorization for both console port and Telnet connection attempts.
Step 3  set authorization commands enable {config | all} {option} {fallbackoption} [console | telnet | both]
        Enable authorization of configuration commands. Enter the console or telnet keyword if you want to enable authorization only for console port or Telnet connection attempts. Enter the both keyword to enable authorization for both console port and Telnet connection attempts.
Step 4  show authorization
        Verify the TACACS+ authorization configuration.

This example shows how to enable TACACS+ EXEC mode authorization for both console and Telnet connections. Authorization is configured with the tacacs+ option. The fallback option is deny:

Console> (enable) set authorization exec enable tacacs+ deny both
Successfully enabled enable authorization.
Console> (enable)

This example shows how to enable TACACS+ enable mode authorization for console and Telnet connections. Authorization is configured with the tacacs+ option. The fallback option is deny:

Console> (enable) set authorization enable enable tacacs+ deny both
Successfully enabled enable authorization.
Console> (enable)

This example shows how to enable TACACS+ command authorization for both console and Telnet connections. Authorization is configured with the tacacs+ option. The fallback option is deny:

Console> (enable) set authorization commands enable config tacacs+ deny both
Successfully enabled commands authorization.
Console> (enable)

This example shows how to verify the configuration:

Console> (enable) show authorization
Telnet:
-------
                Primary   Fallback
                -------   --------
exec:           tacacs+   deny
enable:         tacacs+   deny
commands:
  config:       tacacs+   deny
  all:          -         -

Console:
--------
                Primary   Fallback
                -------   --------
exec:           tacacs+   deny
enable:         tacacs+   deny
commands:
  config:       tacacs+   deny
  all:          -         -
Console> (enable)

Disabling TACACS+ Authorization

To disable TACACS+ authorization on the switch, perform this task in privileged mode:

Step 1  set authorization exec disable [console | telnet | both]
        Disable authorization for normal mode. Enter the console or telnet keyword if you want to disable authorization only for console port or Telnet connection attempts. Enter the both keyword to disable authorization for both console port and Telnet connection attempts.
Step 2  set authorization enable disable [console | telnet | both]
        Disable authorization for enable mode. Enter the console or telnet keyword if you want to disable authorization only for console port or Telnet connection attempts. Enter the both keyword to disable authorization for both console port and Telnet connection attempts.
Step 3  set authorization commands disable [console | telnet | both]
        Disable authorization of configuration commands. Enter the console or telnet keyword if you want to disable authorization only for console port or Telnet connection attempts. Enter the both keyword to disable authorization for both console port and Telnet connection attempts.
Step 4  show authorization
        Verify the TACACS+ authorization configuration.

This example shows how to disable TACACS+ EXEC mode authorization for both console and Telnet connections and how to verify the configuration:

Console> (enable) set authorization exec disable both
Successfully disabled enable authorization.
Console> (enable)

This example shows how to disable TACACS+ enable mode authorization for both console and Telnet connections and how to verify the configuration:

Console> (enable) set authorization enable disable both
Successfully disabled enable authorization.
Console> (enable)

This example shows how to disable TACACS+ command authorization for both console and Telnet connections and how to verify the configuration:

Console> (enable) set authorization commands disable both
Successfully disabled commands authorization.
Console> (enable)

This example shows how to verify the configuration:

Console> (enable) show authorization
Telnet:
-------
                Primary   Fallback
                -------   --------
exec:           tacacs+   deny
enable:         tacacs+   deny
commands:
  config:       tacacs+   deny
  all:          -         -

Console:
--------
                Primary   Fallback
                -------   --------
exec:           tacacs+   deny
enable:         tacacs+   deny
commands:
  config:       tacacs+   deny
  all:          -         -
Console> (enable)

Configuring RADIUS Authorization

These sections describe how to configure RADIUS authorization on the switch:
• Enabling RADIUS Authorization, page 21-lv
• Disabling RADIUS Authorization, page 21-lv

Enabling RADIUS Authorization

To enable RADIUS authorization and authentication on the switch, perform this task in privileged mode:

Step 1  Enter the set authentication login radius enable command in privileged mode. This command enables both RADIUS authentication and authorization.
Step 2  Set the Service-Type (RADIUS attribute 6) for the user to Administrative (that is, a value of 6) in the RADIUS server to launch the user into enable mode. If the Service-Type is set to anything other than 6-administrative (for example, 1-login, 7-shell, or 2-framed), you will be at the switch EXEC prompt, not the enable prompt.

Disabling RADIUS Authorization

Enter the set authentication login radius disable command in privileged mode to disable RADIUS authorization.

Authorization Example

Figure 21-4 shows a simple network topology using TACACS+.

Figure 21-4 TACACS+ Example Network Topology (figure not reproduced: TACACS+ server 172.20.52.10, switch, console port connection to Workstation A, terminal)

In this example, TACACS+ authorization is enabled for enable mode access to the switch for both Telnet and console connections. When Workstation A initiates a command on the switch, the switch registers a request with the TACACS+ daemon. The TACACS+ daemon determines if the user is authorized to use the feature and sends a response either executing the command or denying access.

This example shows how to enable TACACS+ enable mode authorization, authorizing configuration commands:

Console> (enable) set authorization enable enable tacacs+ deny both
Successfully enabled enable authorization.
Console> (enable) set authorization commands enable config tacacs+ deny both
Successfully enabled commands authorization.
Console> (enable) show authorization
Telnet:
-------
                Primary   Fallback
                -------   --------
exec:           tacacs+   deny
enable:         tacacs+   deny
commands:
  config:       tacacs+   deny
  all:          -         -

Console:
--------
                Primary   Fallback
                -------   --------
exec:           tacacs+   deny
enable:         tacacs+   deny
commands:
  config:       tacacs+   deny
  all:          -         -
Console> (enable)

Understanding How Accounting Works

These sections describe how the different accounting methods work:
• Accounting Overview, page 21-lvii
• Accounting Events, page 21-lvii
• Specifying When to Create Accounting Records, page 21-lviii
• Specifying RADIUS Servers, page 21-lviii
• Updating the Server, page 21-lix
• Suppressing Accounting, page 21-lix

Accounting Overview

You can configure these accounting methods to monitor access to the switch:
• TACACS+ accounting
• RADIUS accounting

Accounting allows you to track user activity to a specified host. You can use the accounting feature for security (for example, to detect suspicious connection attempts in the network and unauthorized changes to the NAS configuration itself), billing, and resource allocation purposes. Accounting information typically consists of the user’s action and the duration for which the action lasted. The accounting information is sent to the accounting server where it is saved in the form of a record.

The accounting protocol operates in a client-server model, using TCP for transport. The NAS acts as the client and the accounting server acts as the daemon. The NAS sends accounting information to the server. All transactions between the NAS and server are authenticated using a key. The server, after successfully processing the information, sends a response to the NAS, acknowledging the request.

Once accounting has been enabled and an accountable event occurs on the system, the accounting information is gathered dynamically in memory. When the event ends, an accounting record is created and sent to the NAS, and then the system deletes the record from memory. The amount of memory used by the NAS for accounting varies depending on the number of concurrent accountable events.

Accounting Events

You can configure accounting for the following types of events:
• EXEC mode accounting—Provides information about user EXEC sessions (normal login sessions) on the NAS (includes the duration of the EXEC session but does not include traffic statistics).
• Connect accounting—Provides information about all outbound connections from the NAS (such as Telnet, rlogin).

Note If you get a connection immediately upon login and then your connection terminates, the EXEC and connect events overlap and have almost identical start and stop times.

• System accounting—Provides information on system events not related to users (includes system reset, system boot, and user configuration of accounting).

• Command accounting—Sends a record for each command issued by the user. This permits audit trail information to be gathered. Commands are assumed to have zero duration, so only stop records are generated for command accounting.

Specifying When to Create Accounting Records

You configure the switch to gather accounting information to create records. When you configure accounting (using the set accounting commands), the switch can generate two types of records:
• Start records—Include partial information of the event (when the event started and the type of service).
• Stop records—Include complete information of the event (when the event started, its duration, type of service, and traffic statistics).

Accounting records are created and sent to the server at two events:
• Start-stop—Records are sent at both the start and stop of an action if the action has duration. If the NAS fails to send the accounting record at the start of the action, it still allows you to proceed with the action. However, you might want redundancy and, therefore, may monitor both start and stop records of events occurring on the NAS.
• Stop-only—Records are sent only at the termination of the event.

Note Stop records include complete information of the event (when the event started, its duration, type of service, and traffic statistics). No users are associated with system events; therefore, the start-stop option in the set accounting system command is ignored for system events.

Specifying RADIUS Servers

To specify one or more RADIUS servers, perform this task in privileged mode:

Step 1  set radius server ip_addr [acct-port port] [primary]
        Specify the IP address of up to three RADIUS servers. Optionally, specify the destination UDP port to use on the server. Specify the primary server using the primary keyword.
Step 2  show radius
        Verify the RADIUS server configuration.

This example shows how to specify a RADIUS server and verify the configuration:

Console> (enable) set radius server 172.20.52.3
172.20.52.3 with auth-port 1812 added to radius server table as primary server.
Console> (enable) show radius
Login Authentication:    Console Session    Telnet Session
---------------------    ----------------   ----------------
tacacs                   disabled           disabled
radius                   disabled           disabled
local                    enabled(primary)   enabled(primary)

Enable Authentication:   Console Session    Telnet Session
----------------------   ----------------   ----------------
tacacs                   disabled           disabled
radius                   disabled           disabled
local                    enabled(primary)   enabled(primary)

Radius Deadtime:    0 minutes
Radius Key:
Radius Retransmit:  2
Radius Timeout:     5 seconds

Radius-Server                  Status    Auth-port
-----------------------------  -------   ---------
172.20.52.3                    primary   1812
Console> (enable)

Updating the Server

You can configure the switch to send accounting information to the TACACS+ server. There are two options:
• Newinfo—Sends accounting information to the server only when new accounting information becomes available.
• Periodic—Sends accounting update records at regular intervals. You must set a time lapse between periodic updates. Valid intervals are from 1 to 71582 minutes. This option could be used to keep up-to-date connection and session information even if the NAS restarts and loses the initial start time.

Suppressing Accounting

You can configure the system to suppress accounting when an unknown user with no username accesses the switch by using the set accounting suppress null-username enable command.

Note RADIUS and TACACS+ accounting are the same, except that RADIUS does not do command accounting.

Configuring Accounting

These sections describe how to configure accounting for both TACACS+ and RADIUS, including periodic updates and null-username suppression:
• Accounting Default Configuration, page 21-lx
• Accounting Configuration Guidelines, page 21-lx
• Configuring Accounting, page 21-lx
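The record rules from the preceding sections (start-stop versus stop-only, zero-duration commands, system events with no user, null-username suppression, the periodic update interval range and RADIUS lacking command accounting), as an added example in Python that is not Cisco code. The AccountingConfig structure and the record field names are constructed for this example.

```python
"""Which accounting records one event produces (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

EVENT_TYPES = ("exec", "connect", "system", "commands")
MAX_PERIODIC_INTERVAL = 71582     # minutes, the upper bound given for periodic updates


@dataclass
class EventConfig:
    method: Optional[str] = None  # "tacacs+", "radius", or None when disabled
    mode: str = "stop-only"       # "start-stop" or "stop-only"


@dataclass
class AccountingConfig:
    """Constructed stand-in for the switch's accounting settings."""
    events: Dict[str, EventConfig] = field(
        default_factory=lambda: {e: EventConfig() for e in EVENT_TYPES})
    suppress_null_username: bool = False
    update: str = "new-info"      # or "periodic"
    periodic_interval: Optional[int] = None

    def enable(self, event: str, mode: str, method: str) -> None:
        """Mirror 'set accounting <event> enable <mode> <method>'."""
        if event not in EVENT_TYPES:
            raise ValueError(f"unknown event type {event!r}")
        if mode not in ("start-stop", "stop-only"):
            raise ValueError(f"unknown mode {mode!r}")
        if method not in ("tacacs+", "radius"):
            raise ValueError(f"unknown method {method!r}")
        if event == "commands" and method == "radius":
            raise ValueError("RADIUS does not do command accounting")
        self.events[event] = EventConfig(method, mode)

    def set_periodic_update(self, minutes: int) -> None:
        """Mirror 'set accounting update periodic <interval>' and its valid range."""
        if not 1 <= minutes <= MAX_PERIODIC_INTERVAL:
            raise ValueError(f"interval must be 1..{MAX_PERIODIC_INTERVAL} minutes")
        self.update, self.periodic_interval = "periodic", minutes


def records_for_event(cfg: AccountingConfig, event: str, user: Optional[str],
                      started_at: int, duration: int, service: str,
                      traffic: Optional[dict] = None) -> List[dict]:
    """Return the records, in send order, generated for one accountable event.

    Times are seconds.  Start records carry partial information (start time,
    type of service); stop records carry the complete information (start
    time, duration, type of service, traffic statistics).
    """
    if event not in EVENT_TYPES:
        raise ValueError(f"unknown event type {event!r}")
    ev = cfg.events[event]
    if ev.method is None:
        return []                                   # event type not accounted
    if event != "system" and cfg.suppress_null_username and not user:
        return []                                   # unknown user, no username: suppressed
    if event == "commands":
        duration = 0                                # commands have zero duration
    # start-stop applies only to events with duration; system events ignore it
    # and commands only ever generate stop records.
    send_start = ev.mode == "start-stop" and event in ("exec", "connect")
    out: List[dict] = []
    if send_start:
        out.append({"record": "start", "event": event, "user": user,
                    "started_at": started_at, "service": service})
    out.append({"record": "stop", "event": event,
                "user": None if event == "system" else user,   # no user for system events
                "started_at": started_at, "duration": duration,
                "service": service, "traffic": traffic or {}})
    return out
```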

Accounting Default Configuration

Table 21-5 shows the accounting default configuration.

Table 21-5 Accounting Default Configuration
Feature                                                   Default Value
Accounting                                                Disabled
Accounting events (exec, system, commands, and connect)   Disabled
Accounting records                                        Stop-only

Accounting Configuration Guidelines

Follow these guidelines when configuring accounting on the switch:
• Configure RADIUS and TACACS+ servers before enabling accounting. See the “Specifying TACACS+ Servers” section on page 21-xvii or the “Specifying RADIUS Servers” section on page 21-xxiv for more information on server setup.
• Configure RADIUS and TACACS+ keys to encrypt protocol packets before enabling accounting. See the “Specifying the TACACS+ Key” section on page 21-xix or the “Specifying the RADIUS Key” section on page 21-xxiv for more information on the key setup.

Note The amount of DRAM allocated for one accounting event is approximately 500 bytes. The total amount of DRAM used by accounting depends on the number of concurrent accountable events in the system.

Configuring Accounting

These sections describe how to configure RADIUS and TACACS+ accounting on the switch:
• Enabling Accounting, page 21-lx
• Disabling Accounting, page 21-lxii

Enabling Accounting

To enable accounting on the switch, perform this task in privileged mode:

Step 1  set accounting connect enable {start-stop | stop-only} {tacacs+ | radius}
        Enable accounting for connection events.
Step 2  set accounting exec enable {start-stop | stop-only} {tacacs+ | radius}
        Enable accounting for EXEC mode.
Step 3  set accounting system enable {start-stop | stop-only} {tacacs+ | radius}
        Enable accounting for system events.
Step 4  set accounting commands enable {config | all} {stop-only} tacacs+
        Enable accounting of configuration commands.
Step 5  set accounting suppress null-username enable
        Enable suppression of information for unknown users.
Step 6  set accounting update {new-info | {periodic [interval]}}
        Configure accounting to be updated as new information is available.
Step 7  show accounting
        Verify the accounting configuration.

This example shows how to enable stop-only TACACS+ accounting events:

Console> (enable) set accounting connect enable stop-only tacacs+
Accounting set to enable for connect events in stop-only mode.
Console> (enable)
Console> (enable) set accounting exec enable stop-only tacacs+
Accounting set to enable for exec events in stop-only mode.
Console> (enable)
Console> (enable) set accounting system enable stop-only tacacs+
Accounting set to enable for system events in stop-only mode.
Console> (enable)
Console> (enable) set accounting commands enable all stop-only tacacs+
Accounting set to enable for commands-all events in stop-only mode.
Console> (enable)

This example shows how to periodically update the server:

Console> (enable) set accounting update periodic 120
Accounting updates will be periodic at 120 minute intervals.
Console> (enable)

This example shows how to suppress accounting of unknown users:

Console> (enable) set accounting suppress null-username enable
Accounting will be suppressed for user with no username.
Console> (enable)

This example shows how to verify the configuration:

Console> (enable) show accounting
Event        Method     Mode
-----------  -------    ---------
exec:        tacacs+    stop-only
connect:     tacacs+    stop-only
system:      tacacs+    stop-only
commands:
  config:    -          -
  all:       tacacs+    stop-only

TACACS+ Suppress for no username: enabled
Update Frequency: periodic, Interval = 120

Accounting information:
-----------------------
Active Accounted actions on tty0, User (null) Priv 0
Active Accounted actions on tty288091924, User (null) Priv 0

Overall Accounting Traffic:
         Starts   Stops   Active
         ------   -----   ------
Exec     0        0       0
Connect  0        0       0
Command  0        0       0
System   1        0       0
Console> (enable)

Disabling Accounting

To disable RADIUS accounting on the switch, perform this task in privileged mode:

Step 1  set accounting connect disable
        Disable accounting for connection events.
Step 2  set accounting exec disable
        Disable accounting for EXEC mode.
Step 3  set accounting system disable
        Disable accounting for system events.
Step 4  set accounting commands disable
        Disable accounting of configuration commands.
Step 5  set accounting suppress null-username disable
        Disable suppression of information for unknown users.
Step 6  show accounting
        Verify the accounting configuration.

This example shows how to disable stop-only accounting:

Console> (enable) set accounting connect disable
Accounting set to disable for connect events.
Console> (enable)
Console> (enable) set accounting exec disable
Accounting set to disable for exec events.
Console> (enable)
Console> (enable) set accounting system disable
Accounting set to disable for system events.
Console> (enable)
Console> (enable) set accounting commands disable
Accounting set to disable for commands-all events.
Console> (enable)

This example shows how to disable suppression of unknown users:

Console> (enable) set accounting suppress null-username disable
Accounting will be not be suppressed for user with no username.
Console> (enable)

This example shows how to verify the configuration:

Console> (enable) show accounting
Event        Method     Mode
-----------  -------    ---------
exec:        -          -
connect:     -          -
system:      -          -
commands:
  config:    -          -
  all:       -          -

TACACS+ Suppress for no username: disabled
Update Frequency: new-info

Accounting information:
-----------------------
Active Accounted actions on tty0, User (null) Priv 0
Active Accounted actions on tty288091924, User (null) Priv 0

Overall Accounting Traffic:
         Starts   Stops   Active
         ------   -----   ------
Exec     0        0       0
Connect  0        0       0
Command  0        0       0
System   1        2       0
Console> (enable)

Accounting Example

Figure 21-5 shows a simple network topology using TACACS+.

Figure 21-5 TACACS+ Example Network Topology (figure not reproduced: TACACS+ server 172.20.52.10, switch, console port connection to Workstation A, terminal)

In this example, TACACS+ accounting is enabled for connection, exec, system, and all command accounting. Accounting information is gathered at the conclusion of the event. Accounting is suspended for unknown users and the system is updated every 120 minutes. When Workstation A initiates an accountable event on the switch, the switch gathers event information and forwards the information to the server at the conclusion of the event.

This example shows how to enable TACACS+ accounting for connection, exec, system, and all command accounting:

Console> (enable) set accounting connect enable stop-only tacacs+
Accounting set to enable for connect events in stop-only mode.
Console> (enable) set accounting exec enable stop-only tacacs+
Accounting set to enable for exec events in stop-only mode.
Console> (enable) set accounting commands enable all stop-only tacacs+
Accounting set to enable for commands-all events in stop-only mode.
Console> (enable) set accounting update periodic 120
Accounting updates will be periodic at 120 minute intervals.
Console> (enable) show accounting
Event        Method     Mode
-----------  -------    ---------
exec:        tacacs+    stop-only
connect:     tacacs+    stop-only
system:      tacacs+    stop-only
commands:
  config:    -          -
  all:       tacacs+    stop-only

TACACS+ Suppress for no username: enabled
Update Frequency: periodic, Interval = 120

Accounting information:
-----------------------
Active Accounted actions on tty0, User (null) Priv 0
Active Accounted actions on tty288091924, User (null) Priv 0

Overall Accounting Traffic:
         Starts   Stops   Active
         ------   -----   ------
Exec     0        0       0
Connect  0        0       0
Command  0        0       0
System   1        0       0
Console> (enable)
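A check over the show authorization and show accounting output used in the authorization and accounting procedures above, as an added example in Python (not Cisco code): it flags an authorization mode that is not handled by a server, a fallback other than deny, accounting event types left disabled and active null-username suppression. The two sample outputs are constructed to follow the row format shown in this chapter (column headers and rulers omitted), not captured from a switch.

```python
"""Audit 'show authorization' and 'show accounting' output (added example, not Cisco code)."""
import re
from typing import Dict, List, Tuple

# Rows look like "exec:   tacacs+   deny" (authorization) or "exec:  tacacs+  stop-only".
ROW_RE = re.compile(r"^\s*(exec|enable|connect|system|config|all):\s+(\S+)\s+(\S+)\s*$")
SECTION_RE = re.compile(r"^(Telnet|Console):\s*$")


def parse_show_authorization(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Return {connection: {mode: (primary, fallback)}} for the Telnet and Console blocks."""
    result: Dict[str, Dict[str, Tuple[str, str]]] = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            result[section] = {}
            continue
        m = ROW_RE.match(line)
        if m and section:
            result[section][m.group(1)] = (m.group(2), m.group(3))
    return result


def audit_authorization(text: str) -> List[str]:
    """exec, enable and commands-config must be sent to a server with a deny fallback."""
    findings: List[str] = []
    parsed = parse_show_authorization(text)
    for conn in ("Telnet", "Console"):
        rows = parsed.get(conn)
        if rows is None:
            findings.append(f"{conn}: section missing from output")
            continue
        for mode in ("exec", "enable", "config"):
            primary, fallback = rows.get(mode, ("-", "-"))
            if primary == "-":
                findings.append(f"{conn}: {mode} authorization disabled")
            elif fallback != "deny":
                findings.append(f"{conn}: {mode} fallback is {fallback}, not deny")
    return findings


def parse_show_accounting(text: str) -> Dict[str, object]:
    """Return the event table plus the suppression and update settings."""
    events: Dict[str, Tuple[str, str]] = {}
    info: Dict[str, object] = {"events": events}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            events[m.group(1)] = (m.group(2), m.group(3))
        elif line.startswith("TACACS+ Suppress for no username:"):
            info["suppress_null_username"] = line.split(":", 1)[1].strip() == "enabled"
        elif line.startswith("Update Frequency:"):
            info["update"] = line.split(":", 1)[1].strip()
    return info


def audit_accounting(text: str) -> List[str]:
    """Every event type should be accounted; suppression hides sessions with no username."""
    findings: List[str] = []
    info = parse_show_accounting(text)
    events = info["events"]
    for ev in ("exec", "connect", "system"):
        if events.get(ev, ("-", "-"))[0] == "-":
            findings.append(f"{ev} accounting disabled")
    if all(events.get(k, ("-", "-"))[0] == "-" for k in ("config", "all")):
        findings.append("command accounting disabled (no audit trail of commands)")
    if info.get("suppress_null_username"):
        findings.append("accounting suppressed for sessions with no username")
    return findings


# Constructed samples (not captured from a switch); column headers and
# rulers are omitted because the parser ignores them.
SAMPLE_AUTHORIZATION = """\
Telnet:
exec:           tacacs+   deny
enable:         tacacs+   deny
commands:
  config:       tacacs+   deny
  all:          -         -
Console:
exec:           tacacs+   deny
enable:         -         -
commands:
  config:       tacacs+   deny
  all:          -         -
"""
SAMPLE_ACCOUNTING = """\
exec:        tacacs+    stop-only
connect:     tacacs+    stop-only
system:      -          -
commands:
  config:    -          -
  all:       tacacs+    stop-only
TACACS+ Suppress for no username: enabled
Update Frequency: periodic, Interval = 120
"""
```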

C H A P T E R 22 Configuring Redundancy

This chapter describes how to configure redundant supervisor engines and how to configure redundancy on Multilayer Switch Feature Cards (MSFCs) on the Catalyst 6000 family switches.

Note Except where specifically differentiated, the information and procedures in this chapter apply to both Supervisor Engine 2 with Layer 3 Switching Engine II (Policy Feature Card 2 or PFC2) and Supervisor Engine 1 with Layer 3 Switching Engine II.

Note The term MSFC is used to refer to the MSFC and MSFC2 except where specifically differentiated.

For more information about installing redundant Catalyst 6000 family supervisor engines, refer to the Catalyst 6000 Family Module Installation Guide. For syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

Caution Dual MSFCs in a single chassis are designed to be used in redundant mode only and must have identical configurations. We do not support configurations where the MSFCs are not configured identically. See the “MSFC Redundancy” section on page 22-xviii for detailed information.

This chapter consists of these sections:
• Understanding How Supervisor Engine Redundancy Works, page 22-ii
• Configuring Redundant Supervisor Engines, page 22-iii
• MSFC Redundancy, page 22-xviii

Understanding How Supervisor Engine Redundancy Works

Note Redundant supervisor engines must be of the same type with the same model feature card.

You must install redundant supervisor engines in slots 1 and 2 of the chassis. When you install two supervisor engines, the first supervisor engine to come online becomes the active module, and the second supervisor engine goes into standby mode. All administrative and network management functions, such as SNMP, command-line interface (CLI) console, Telnet, Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), and VLAN Trunk Protocol (VTP), are processed on the active supervisor engine. On the standby supervisor engine, the console port is inactive.

Redundant supervisor engines are hot swappable. The system continues to operate with the same configuration after switching over to the redundant supervisor engine.

Note The switchover time from the active to the standby supervisor engine does not include spanning tree convergence time.

When you power up or reset a switch with redundant supervisor engines, both supervisor engines run initial module-level diagnostics. Assuming both supervisor engines pass this level of diagnostics, the two supervisor engines communicate over the backplane, allowing them to cooperate during switching-bus diagnostics. The supervisor engine in slot 1 becomes active, and the supervisor engine in slot 2 enters standby mode. The active supervisor engine downloads the software image and configuration to the standby supervisor engine. If the software versions of the two supervisor engines are different, or if the NVRAM configuration of the two supervisor engines is different, the active supervisor engine automatically downloads its software image and configuration to the standby supervisor engine.

If you hot insert a second supervisor engine, the second module communicates with the active supervisor engine after completing its initial module-level diagnostics. Because the active supervisor engine is already switching traffic on the backplane, no switching-bus diagnostics are run for the second supervisor engine, because running diagnostics can disrupt normal traffic. The second supervisor engine immediately enters standby mode. The module status shows as “standby,” and the status for the uplink ports is shown normally.

The standby supervisor engine can detect if the active supervisor engine is not functioning and can force a reset, if necessary. If the background diagnostics on the active supervisor engine detect a major problem or an exception occurs, the active supervisor engine resets. The standby supervisor engine detects that the active supervisor engine is no longer running and becomes active. If the reset supervisor engine comes online again, it enters standby mode.

The supervisor engines use two Flash images: the boot image and the runtime image. The boot image filename is specified in the BOOT environment variable, which is stored in NVRAM. The runtime image is the boot image that the ROM monitor uses to boot the supervisor engine. After the system boots, the runtime image resides in dynamic RAM (DRAM). At power-up, synchronization occurs, if necessary, to ensure that the runtime and boot images on the standby supervisor engine are the same as the images on the active supervisor engine.

Note To allow you to control the booting of each supervisor engine separately, the configuration registers are not synchronized between the supervisor engines.

The supervisor engines can have different runtime and boot images. Because you can store multiple boot images, you must specify the name of the boot file image and the location of the image file in the Flash file system in order to boot and synchronize properly. For information about how to specify the name and location of the boot image, see Chapter 23, “Modifying the Switch Boot Configuration.”

The supervisor engine has a Flash PC card (PCMCIA) slot (slot0) in addition to the onboard Flash memory; this slot can hold a Flash PC card that can store additional boot images. You can perform operations (such as copy, delete, undelete, and so on) on files stored on Flash memory devices. For more information about using the Flash file system, see Chapter 24, “Working With the Flash File System.”

Note Throughout this publication, the term Flash PC card is used in place of the term PCMCIA card.

In the synchronization process, the active supervisor engine checks the standby supervisor engine runtime image to make sure it matches its own runtime image. If the boot image and the runtime image are the same, the active supervisor engine synchronizes its current boot image with the standby supervisor engine, and you can store the boot image of the active supervisor engine in the standby supervisor engine bootflash. The boot image is read directly into the Flash file system. Whenever you reconfigure the boot image, and you change the BOOT environment variable or overwrite or destroy the current boot image on the Flash device that was used to boot the system, the runtime and boot images will differ. The active supervisor engine checks three conditions:
• If it needs to copy its boot image to the standby supervisor engine
• If the standby supervisor engine bootstring needs to be changed
• If the standby supervisor engine needs to be reset

The following section describes the conditions that can initiate Flash synchronization. For examples of how the system synchronizes the supervisor engine Flash images with various configurations, see the “Supervisor Engine Synchronization Examples” section on page 22-xiv.

Configuring Redundant Supervisor Engines

These sections describe how to configure redundant supervisor engines:
• Synchronization Process Initiation, page 22-iv
• Redundant Supervisor Engine Configuration Guidelines and Restrictions, page 22-iv
• Verifying Standby Supervisor Engine Status, page 22-v
• Forcing a Switchover to the Standby Supervisor Engine, page 22-vi
• High Availability, page 22-viii
• Supervisor Engine Synchronization Examples, page 22-xiv

Synchronization Process Initiation

These conditions initiate the synchronization of the runtime and boot images on the active and standby supervisor engines:
• Time stamp mismatch between the runtime images on the active and standby supervisor engines—The active supervisor engine synchronizes its runtime image with the standby supervisor engine if the time stamps of their respective runtime images differ when the system is booted or reset.
• Time stamp mismatch between the boot images on the active and standby supervisor engines—The active supervisor engine synchronizes its boot image with the standby supervisor engine if the time stamps of their respective boot images differ when the system is booted or reset.
• Flash PC cards with same boot-image filename—If you change the Flash device on either the active or standby supervisor engine and the new Flash device contains a boot image that has the same name (but a different time stamp) as the boot image from the previous Flash device, the file system management module detects this event and initiates synchronization.
• Current boot image overwritten—If you overwrite the current boot image stored on one of the Flash devices, the Flash file management module initiates Flash synchronization and informs the NVRAM configuration module of the change. The active supervisor engine copies its new boot image to the standby supervisor engine.
• Current runtime image deleted—If you delete the current runtime image from the Flash device, the Flash file management module prompts you to verify that you want to delete the current runtime image. If you confirm the deletion, the Flash file management module initiates synchronization.
• BOOT environment variables changed—If you change the BOOT environment variables to specify a different default boot image, the NVRAM configuration module examines the BOOT environment variable to determine the next probable image to boot and calls the Flash synchronization function using the new image name.

Redundant Supervisor Engine Configuration Guidelines and Restrictions

These conditions and events can cause the synchronization of images between redundant supervisor engines to fail or to produce unexpected results:
• Downloading a new image to the active supervisor engine
When you download a new image to the active supervisor engine, it is copied to the file system (in bootflash or on a Flash PC card in the Flash PC card slot). Because you may or may not have configured this image as the boot image, the newly downloaded image is not copied to the standby supervisor engine automatically. To run the new image, you must configure this newly downloaded image as the boot image on the active supervisor engine. The NVRAM configuration module detects this event and calls the Flash synchronization function with the next probable boot filename by looking at the boot configuration parameter. To initiate the synchronization function between the active and standby supervisor engines, you must reset the system, or if you change the BOOT environment variable, the active supervisor engine initiates boot-image synchronization. Synchronization occurs when you change the boot variable.

• Unable to find the current runtime image
If the active supervisor engine is unable to find the current runtime image on any of the Flash devices, it signals an error condition. In this case, the STATUS LED on the standby supervisor engine turns red and the system generates a syslog error message. In addition, if the standby supervisor engine is inserted or reset, Flash synchronization does not occur.
• Active supervisor engine in slot 2
When the active supervisor engine is in slot 2, the standby supervisor engine is in slot 1. If you change the configuration to specify a new boot image and then reset the system, the supervisor engine in slot 1 becomes the active supervisor engine and loads its default boot image, canceling the configuration changes you have just made. To avoid this problem, the switch prompts you for Flash synchronization as soon as you change the boot file configuration.

Verifying Standby Supervisor Engine Status

You can verify the status of the standby supervisor engine using a number of CLI commands.

Note The show module output provides information about installed daughter cards. The show test command provides information about onboard application-specific integrated circuits (ASICs).

To verify the status of the standby supervisor engine, perform one or more of these tasks:

Task                                                              Command
Show the state of the standby supervisor engine uplink ports.     show port [mod[/port]]
Show the status of the standby supervisor engine.                 show module [mod]
Show diagnostic test results for the standby supervisor engine.   show test [mod]

This example shows how to check the status of the standby supervisor engine using the show module and show test commands:

Console> (enable) show module 2
Mod Slot Ports Module-Type               Model               Status
--- ---- ----- ------------------------- ------------------- -------
2   2    2     1000BaseX Supervisor      WS-X6K-SUP1-2GE     ok

Mod Module-Name         Serial-Num
--- ------------------- -----------
2                       SAD02330231

Mod MAC-Address(es)                        Hw     Fw         Sw
--- -------------------------------------- ------ ---------- ----------------
2   00-e0-14-0e-f5-6c to 00-e0-14-0e-f5-6d 0.404  4.2(2038)  4.2(0.24)VAI50
    00-e0-14-0e-f5-6e to 00-e0-14-0e-f5-6f
    00-10-7b-bb-2b-00 to 00-10-7b-bb-2e-ff

Mod Sub-Type            Sub-Model   Sub-Serial  Sub-Hw
--- ------------------- ----------- ----------- ------
2   L2 Switching Engine WS-F6020    SAD02350211 0.101
Console> (enable)
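The two outputs above are what an operator reads by eye; a monitoring job can read them the same way. The following Python is an added example, not code from the Cisco guide: it parses the first table of show module for the module's Status column and every "Name: result" pair in show test, then reports the standby as unhealthy if the status is not ok or any diagnostic reports F or U. The sample outputs are constructed in the format shown above, with one diagnostic deliberately set to F so the failure path is exercised.

```python
"""Check a standby supervisor engine from CatOS 'show module' and 'show test'
output.  Added example, not code from the Cisco guide; the sample output is
constructed to follow the format the guide shows."""
import re

# Constructed sample: 'show module 2' (first two tables only).
SHOW_MODULE_2 = """\
Mod Slot Ports Module-Type               Model               Status
--- ---- ----- ------------------------- ------------------- -------
2   2    2     1000BaseX Supervisor      WS-X6K-SUP1-2GE     ok

Mod Module-Name         Serial-Num
--- ------------------- -----------
2                       SAD02330231
"""

# Constructed sample: 'show test 2' with one diagnostic deliberately failed.
SHOW_TEST_2 = """\
Module 2 : 2-port 1000BaseX Supervisor
Network Management Processor (NMP) Status: (. = Pass, F = Fail, U = Unknown)
  ROM:  .   Flash-EEPROM: .   Ser-EEPROM: .   NVRAM: .   EOBC Comm: .

Line Card Diag Status for Module 2 (. = Pass, F = Fail, N = N/A)
  Module 2 Cafe II Status :
    NewLearnTest:            .
    IndexLearnTest:          .
    DontForwardTest:         F
    TrapTest:                .
"""

# One row of the first 'show module' table: Mod Slot Ports Module-Type Model Status.
# Module-Type may contain single spaces, so the Model column must be
# separated from it by two or more spaces.
MODULE_ROW = re.compile(
    r"^(?P<mod>\d+)\s+(?P<slot>\d+)\s+(?P<ports>\d+)\s+(?P<mtype>.+?)\s{2,}"
    r"(?P<model>\S+)\s+(?P<status>\S+)\s*$")

# 'Name: X' pairs where X is one of the single-character results the guide
# defines (. F U N); several may share one line, as the NMP status line does.
TEST_RESULT = re.compile(r"([A-Za-z][A-Za-z0-9 -]*?):\s+([.FUN])(?=\s|$)")


def parse_show_module(text):
    """Return one dict per module row found in the first table."""
    rows = []
    for line in text.splitlines():
        m = MODULE_ROW.match(line)
        if m:
            row = m.groupdict()
            for key in ("mod", "slot", "ports"):
                row[key] = int(row[key])
            rows.append(row)
    return rows


def parse_show_test(text):
    """Return {test_name: result_char} for every diagnostic in the output."""
    results = {}
    for line in text.splitlines():
        for name, result in TEST_RESULT.findall(line):
            results[name.strip()] = result
    return results


def standby_health(module_text, test_text, mod):
    """Combine both outputs for module `mod`.  Returns (healthy, problems)."""
    problems = []
    rows = [r for r in parse_show_module(module_text) if r["mod"] == mod]
    if not rows:
        problems.append(f"module {mod} not listed in show module output")
    elif rows[0]["status"] != "ok":
        problems.append(f"module {mod} status is {rows[0]['status']!r}")
    for name, result in sorted(parse_show_test(test_text).items()):
        if result == "F":
            problems.append(f"diagnostic {name} failed")
        elif result == "U":
            problems.append(f"diagnostic {name} result unknown")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = standby_health(SHOW_MODULE_2, SHOW_TEST_2, 2)
    print("standby healthy" if ok else "standby problems: " + "; ".join(problems))
```

N (not applicable) results are ignored on purpose, since the guide lists it as a valid outcome rather than a fault; an unknown (U) result is reported because a standby whose diagnostics did not complete cannot be assumed ready to take over.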

Console> (enable) show test 2
Module 2 : 2-port 1000BaseX Supervisor
Network Management Processor (NMP) Status: (. = Pass, F = Fail, U = Unknown)
  ROM: .   Flash-EEPROM: .   Ser-EEPROM: .   NVRAM: .   EOBC Comm: .

Line Card Status for Module 1 : PASS

Port Status :
  Ports 1 2
  -----------
        . .

Line Card Diag Status for Module 2 (. = Pass, F = Fail, N = N/A)
  Module 2 Cafe II Status :
    NewLearnTest:         .
    IndexLearnTest:       .
    DontForwardTest:      .
    DontLearnTest:        .
    ConditionalLearnTest: .
    BadBpduTest:          .
    TrapTest:             .

  Loopback Status [Reported by Module 2] :
  Ports 1 2
  -----------
        . .

Console> (enable)

Forcing a Switchover to the Standby Supervisor Engine

You can force a switchover to the standby supervisor engine by resetting the active supervisor engine. In addition, you can also force a switchover to the standby supervisor engine by setting the CISCO-STACK-MIB moduleAction variable to reset(2) on the active supervisor engine. When the switchover occurs, the system sends a standard SNMP warm-start trap to the configured trap receivers.

Note Resetting the active supervisor engine disconnects any open Telnet sessions.

To force a switchover to the standby supervisor engine, perform this task in privileged mode:

Task                                                                                    Command
Reset the active supervisor engine (where mod is the number of the active supervisor    reset mod
engine).

This example shows the console output on the active supervisor engine when you force a switchover from the active to the standby supervisor engine:

Console> (enable) reset 1
This command will force a switch-over to the standby Supervisor module.
Do you want to continue (y/n) [n]? y
Console> (enable) 12/07/1998,17:04:39:SYS-5:Module 1 reset from Console//

System Bootstrap, Version 3.1(2)
Copyright (c) 1994-1997 by cisco Systems, Inc.
System Bootstrap, Version 3.1(2)

Copyright (c) 1994-1997 by cisco Systems, Inc.
Presto processor with 32768 Kbytes of main memory

Autoboot executing command: "boot bootflash:cat6000-sup.5-4-1a.bin"
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Uncompressing file: ###########################################################

System Power On Diagnostics
NVRAM Size ....................512KB
ID Prom Test ..................Passed
DPRAM Size ....................16KB
DPRAM Data 0x55 Test ..........Passed
DPRAM Data 0xaa Test ..........Passed
DPRAM Address Test ............Passed
Clearing DPRAM ................Done
System DRAM Memory Size .......32MB
DRAM Data 0x55 Test ...........Passed
DRAM Data 0xaa Test ...........Passed
DRAM Address Test .............Passed
Clearing DRAM .................Done
EARLII ........................Present
EARLII RAM Test ...............Passed
EARL Serial Prom Test .........Passed
Level2 Cache ..................Present
Level2 Cache test..............Passed

Boot image: bootflash:cat6000-sup.5-4-1a.bin

Downloading epld sram device please wait ...
Programming successful for Altera 10K50 SRAM EPLD

This module is now in standby mode.
Console is disabled for standby supervisor

This example shows the console output on the standby supervisor engine when you force a switchover from the active to the standby supervisor engine:

Cisco Systems Console

Enter password: 12/07/1998,17:04:43:MLS-5:Multilayer switching is enabled
12/07/1998,17:04:43:MLS-5:Netflow Data Export disabled
12/07/1998,17:04:44:SYS-5:Module 2 is online
12/07/1998,17:04:45:SYS-5:Module 3 is online
12/07/1998,17:04:45:SYS-5:Module 5 is online
12/07/1998,17:04:45:SYS-5:Module 7 is online
12/07/1998,17:04:52:MLS-5:Route Processor 172.20.52.6 added
12/07/1998,17:05:10:SYS-5:Module 8 is online
12/07/1998,17:05:14:SYS-5:Module 9 is online
12/07/1998,17:05:22:SYS-5:Module 4 is online
12/07/1998,17:06:13:SYS-5:Module 1 is in standby mode
Supervisor image synchronization process will start in 10 seconds
12/07/1998,17:06:37:SYS-5:Ports on standby supervisor(Module 1) are UP
12/07/1998,17:06:41:SYS-5:Active supervisor is synchronizing the NMP image.
12/07/1998,17:06:44:SYS-5:The active supervisor has synchronized the NMP image.

Console>
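The syslog lines in the standby console output above are also what a central log collector receives, and they are enough to reconstruct a switchover after the fact: who reset which supervisor engine, when the old active module reached standby mode, and when image synchronization finished. The following Python is an added example, not code from the Cisco guide; the log lines are constructed in the same format as the console output shown above, and the milestone messages it matches are the ones that appear there.

```python
"""Reconstruct a supervisor engine switchover from CatOS syslog lines.
Added example, not part of the Cisco guide; the log lines are constructed in
the format of the console output shown in the guide."""
import re
from datetime import datetime

# Constructed sample log, modelled on the standby console output above.
SAMPLE_LOG = """\
12/07/1998,17:04:39:SYS-5:Module 1 reset from Console//
12/07/1998,17:04:43:MLS-5:Multilayer switching is enabled
12/07/1998,17:04:44:SYS-5:Module 2 is online
12/07/1998,17:04:45:SYS-5:Module 3 is online
12/07/1998,17:05:22:SYS-5:Module 4 is online
12/07/1998,17:06:13:SYS-5:Module 1 is in standby mode
12/07/1998,17:06:37:SYS-5:Ports on standby supervisor(Module 1) are UP
12/07/1998,17:06:41:SYS-5:Active supervisor is synchronizing the NMP image.
12/07/1998,17:06:44:SYS-5:The active supervisor has synchronized the NMP image.
"""

# date,time:FACILITY-severity:message, as in the guide's console output.
LOG_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}),(?P<time>\d{2}:\d{2}:\d{2}):"
    r"(?P<facility>[A-Z]+)-(?P<severity>\d):(?P<msg>.*)$")


def parse_log(text):
    """Return (timestamp, facility, severity, message) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # banner text, diagnostics and prompts carry no timestamp
        ts = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%Y %H:%M:%S")
        events.append((ts, m["facility"], int(m["severity"]), m["msg"].strip()))
    return events


def switchover_timeline(text):
    """Pick out the switchover milestones and how long the sequence took."""
    milestones = {}
    modules_online = []
    for ts, facility, _sev, msg in parse_log(text):
        if facility != "SYS":
            continue
        if m := re.match(r"Module (\d+) reset from (\S+)", msg):
            # Who triggered it: 'Console' here; the guide also describes an
            # SNMP-triggered reset via CISCO-STACK-MIB moduleAction.
            milestones["reset"] = ts
            milestones["reset_module"] = int(m[1])
            milestones["reset_source"] = m[2].rstrip("/")
        elif m := re.match(r"Module (\d+) is online", msg):
            modules_online.append(int(m[1]))
        elif re.match(r"Module \d+ is in standby mode", msg):
            milestones["standby"] = ts
        elif re.match(r"Ports on standby supervisor\(Module \d+\) are UP", msg):
            milestones["standby_ports_up"] = ts
        elif msg.startswith("The active supervisor has synchronized the NMP image"):
            milestones["image_synced"] = ts
    milestones["modules_online"] = modules_online
    if "reset" in milestones and "image_synced" in milestones:
        milestones["seconds_to_sync"] = int(
            (milestones["image_synced"] - milestones["reset"]).total_seconds())
    return milestones


if __name__ == "__main__":
    for key, value in switchover_timeline(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A "reset from Console" message is an operator action, so a collector that sees one without a matching change record has something to ask about; the elapsed time to image synchronization (125 seconds in the constructed sample) is the figure to compare against the switchover time the design assumed.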

High Availability

High availability allows you to minimize the switchover time from the active supervisor engine to the standby supervisor engine if the active supervisor engine fails. Prior to this feature, fast switchover ensured that a switchover to the standby supervisor engine happened quickly. With fast switchover, you had to reinitialize and restart all the switch features when the standby supervisor engine assumed the active role, because the state of the switch features before the switchover was unknown. High availability removes this limitation. Synchronization between the supervisor engines allows the standby supervisor engine to take over in the event of a failure. The standby supervisor engine knows the current protocol states for all modules, ports, and VLANs. In addition, high availability provides a versioning option that allows you to run different software images on the active and standby supervisor engines.

These features are discussed in these sections:
• High-Availability Overview, page 22-viii
• High-Availability Supported Features, page 22-ix
• Versioning Overview, page 22-x
• CLI Commands, page 22-xi
• Loading a Different (but Compatible) Image on the Standby Supervisor Engine, page 22-xiii

High-Availability Overview

High availability allows the active supervisor engine to communicate with the standby supervisor engine, keeping feature protocol states synchronized. The active supervisor engine communicates and updates the standby supervisor engine when any state changes occur, ensuring that the standby supervisor engine knows the current protocol state of supported features. High availability compatible features continue from the saved states on the standby supervisor engine after a switchover; the protocols can initialize with this state information and start running immediately.

The active supervisor engine controls the system bus (backplane), sends and receives packets to and from the network, and controls all modules. Protocols run on the active supervisor engine only. The standby supervisor engine is isolated from the system bus and does not switch packets. The standby supervisor engine does not participate in forwarding any packets and does not communicate with any modules. But it does receive packets from the switching bus to learn and populate its Layer 2 forwarding table for Layer 2-switched flows. The standby supervisor engine also receives packets from the switching bus to learn and populate the Multilayer Switching (MLS) table for Layer 3-switched flows.

For high availability, a system database is maintained on the active supervisor engine and updates are sent to the standby supervisor engine for any change of data in the system database. If you enable high availability when the standby supervisor engine is running, image version compatibility is checked and if found compatible, the database synchronization is started. When you disable high availability, the database synchronization is not done and all features must restart on the standby supervisor engine after a switchover. If you change high availability from enabled to disabled, synchronization from the active supervisor engine is stopped and the standby supervisor engine discards all current synchronization data.

If you change high availability from disabled to enabled, synchronization from the active to standby supervisor engine is started (provided the standby supervisor engine is present and its image version is compatible). NVRAM synchronization occurs irrespective of high availability being enabled or disabled (provided there are compatible NVRAM versions on the two supervisor engines).

If you do not install a standby supervisor engine during system bootup, the active supervisor engine detects this and the database updates are not queued for synchronization. Similarly, when you reset or remove the standby supervisor engine, the synchronization updates are not queued and any pending updates in the synchronization queue are discarded.

When you hot insert or restart a second supervisor engine that becomes the standby supervisor engine, the active supervisor engine downloads the entire system database to the standby supervisor engine. Only after this global synchronization is completed, the active supervisor engine queues and synchronizes the individual updates to the standby supervisor engine.

Note When you hot insert or restart a second supervisor engine, it might take a few minutes for the global synchronization to complete.

Note High availability does not preserve routing table entries on the active MSFC because high availability is not run on the MSFC IOS software. However, you can configure both MSFCs on the active and standby supervisor engines with the same configuration to preserve routing table entries across the active and standby MSFCs. You can then configure HSRP on the MSFCs to provide automatic routing backup. See the “MSFC Redundancy” section on page 22-xviii for detailed information.

High-Availability Supported Features

Note MLS flows are preserved from the active supervisor engine to the standby supervisor engine. Timers and statistics are not synchronized from the active to the standby supervisor engine.

High availability for the Catalyst 6000 family switch is classified into three categories (see Table 22-1):
• Supported features—High availability is fully supported. The feature’s database is synchronized from the active supervisor engine to the standby supervisor engine.
• Compatible features—High availability is not supported. However, the feature can be enabled (operational) with high availability. The feature’s database is not synchronized from the active supervisor engine to the standby supervisor engine.
• Incompatible features—High availability is not supported. The feature cannot be enabled if high availability is enabled and similarly, high availability cannot be enabled if the feature is enabled. The feature’s database is not synchronized from the active supervisor engine to the standby supervisor engine.

Table 22-1 High Availability Feature Support

Supported Features   Compatible Features   Incompatible Features
CEF                  ASLB                  Dynamic VLAN
COPS-DS              CDP                   GVRP
COPS-PR              GMRP                  Port security
DTP                  IGMP snooping         Protocol filtering
EtherChannel         RMON
IOS ACLs             RSVP
MLS                  SNMP
PAgP                 Telnet sessions
QoS                  UplinkFast
SPAN                 VTP pruning
STP
Trunking
UDLD
VACLs
VTP

Versioning Overview

When you enable high-availability versioning, you can have two different but compatible images on the active and standby supervisor engines. The active supervisor engine exchanges image version information with the standby supervisor engine and determines whether the images are compatible for enabling high availability. If the active and standby supervisor engines are not running compatible image versions, you cannot enable high availability. With versioning enabled, high availability is fully supported with the active and standby supervisor engines running different images as long as the images are compatible.

Image versioning is supported in supervisor engine software release 5.4(1)CSX and later releases. The only fully compatible images are as follows:
• 5.5(3) and 5.5(4)
• 6.1(3) and 6.1(4)

Images that are compatible with all modules except Gigabit Ethernet switching modules are as follows:
• 5.4(3) and 5.4(4)
• 5.5(4) and 5.5(5)
• 5.5(3) and 5.5(5)

Images that are compatible with Gigabit Ethernet switching modules but not compatible with 10/100BASE-T modules are as follows:
• 5.5(6a) and 5.5(7)

Note Attempting to run incompatible image versions could result in configuration loss.
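The compatibility lists above are the kind of rule that gets checked once at upgrade time and then forgotten, so it is worth encoding them as a pre-change check. The following Python is an added example, not code from the Cisco guide: it answers whether a given pair of image versions may run under high-availability versioning in a chassis with a given mix of switching modules. The three pair sets are transcribed from the lists above as read from this page; confirm them against the release notes for the images you actually run before relying on the check, and the module-type labels are this example's own names, not values the switch reports.

```python
"""Decide whether two supervisor engine image versions may be paired under
high-availability versioning, using the compatibility lists in the guide's
Versioning Overview.  Added example, not from the Cisco guide; the pairs are
transcribed from the guide and should be confirmed against release notes."""

# Pairs are unordered: the guide lists image pairs, not active/standby roles.
FULLY_COMPATIBLE = {frozenset(p) for p in [
    ("5.5(3)", "5.5(4)"), ("6.1(3)", "6.1(4)")]}
# Compatible with all modules except Gigabit Ethernet switching modules.
COMPATIBLE_EXCEPT_GIGABIT = {frozenset(p) for p in [
    ("5.4(3)", "5.4(4)"), ("5.5(4)", "5.5(5)"), ("5.5(3)", "5.5(5)")]}
# Compatible with Gigabit Ethernet switching modules but not 10/100BASE-T modules.
COMPATIBLE_EXCEPT_10_100 = {frozenset(p) for p in [("5.5(6a)", "5.5(7)")]}

# Module-type labels used by this example only (assumption, not switch output).
GIGABIT = "gigabit-ethernet"
FAST_ETHERNET = "10/100BASE-T"


def versioning_check(active, standby, installed_module_types):
    """Return (compatible, reason) for a pair of image version strings and the
    set of switching module types installed in the chassis."""
    if active == standby:
        return True, "identical images; versioning not needed"
    pair = frozenset((active, standby))
    modules = set(installed_module_types)
    if pair in FULLY_COMPATIBLE:
        return True, "fully compatible pair"
    if pair in COMPATIBLE_EXCEPT_GIGABIT:
        if GIGABIT in modules:
            return False, "pair is not compatible with Gigabit Ethernet switching modules"
        return True, "compatible pair (no Gigabit Ethernet switching modules installed)"
    if pair in COMPATIBLE_EXCEPT_10_100:
        if FAST_ETHERNET in modules:
            return False, "pair is not compatible with 10/100BASE-T modules"
        return True, "compatible pair (no 10/100BASE-T modules installed)"
    return False, "pair not listed as compatible; high availability cannot be enabled"


if __name__ == "__main__":
    chassis = {GIGABIT, FAST_ETHERNET}
    for a, s in [("5.5(3)", "5.5(4)"), ("5.4(3)", "5.4(4)"), ("5.5(6a)", "5.5(7)")]:
        ok, why = versioning_check(a, s, chassis)
        print(f"{a} with {s}: {'OK' if ok else 'NO'} ({why})")
```

The check is deliberately conservative: any pair that is not on one of the three lists is rejected, which matches the note above that running incompatible image versions could result in configuration loss.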

Note When you install two supervisor engines, the first supervisor engine to come online becomes the active module; the second supervisor engine goes into standby mode. If two supervisor engines are installed in your system, at power up the supervisor engine in slot 1 becomes active, and the supervisor engine in slot 2 enters standby mode. If the software versions of the two supervisor engines are different, or if the NVRAM configuration of the two supervisor engines is different, and if you do not enable versioning, the active supervisor engine automatically downloads its software image and configuration to the standby supervisor engine.

CLI Commands

This section describes the CLI commands for high availability and versioning.

Enabling or Disabling High Availability

High availability is disabled by default. To enable or disable high availability, perform this task in privileged mode:

Task                                    Command
Enable or disable high availability.    set system highavailability {enable | disable}

This example shows how to enable high availability:

Console> (enable) set system highavailability enable
System high availability enabled.
Console> (enable)

This example shows how to disable high availability:

Console> (enable) set system highavailability disable
System high availability disabled.
Console> (enable)

Enabling or Disabling High-Availability Versioning

High-availability versioning is disabled by default. To enable or disable high-availability versioning, perform this task in privileged mode:

Task                                               Command
Enable or disable high-availability versioning.    set system highavailability versioning {enable | disable}

This example shows how to enable high-availability versioning:

Console> (enable) set system highavailability versioning enable
Image versioning enabled.
Console> (enable)

This example shows how to disable high-availability
Console> (enable)

Showing High-Availability Settings and Operational Status

The show system highavailability command displays the following:
• High-availability setting (enabled or disabled)
• Versioning setting (enabled or disabled)
• High-availability operational status (based on whether the standby supervisor engine is present and operational)
– OFF (high-availability-not-enabled): High availability is not enabled. However, a configuration change in NVRAM on the active supervisor engine is propagated to the standby supervisor engine.
– The image versions on the active and standby supervisor engines are incompatible, so high availability cannot be supported. No synchronization is done (even a configuration change in NVRAM on the active supervisor engine cannot be propagated to the standby supervisor engine because of the version incompatibility).
– OFF (standby-supervisor-not-present): The standby supervisor engine is not installed.
– OFF (standby-supervisor-not-operational-yet): The standby supervisor engine is detected but is not operational (not online yet).
– OFF (high-availability-not-operational-yet): The standby supervisor engine is operational (online), but high availability is not operational yet (when the system is booted from reset, it takes a few minutes before high availability is operational).

To show the high-availability configuration and operational states, perform this task:

Task                                                        Command
Show high-availability configuration and operational states.   show system highavailability

This example shows how to disable high availability and versioning:

Console> (enable) show system highavailability
Highavailability: disabled
Highavailability versioning: disabled
Highavailability Operational-status: OFF (high-availability-not-enabled)
Console> (enable)
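The operational-status line is the one to watch, because a switch can report high availability enabled while still being OFF for one of the reasons listed above. The following Python is an added example, not code from the Cisco guide: it parses show system highavailability output into a small state record and turns the OFF reason into the action an operator should take. The sample output is constructed in the format shown above; the guide's example shows only the OFF status, so this example assumes that any other operational value means high availability is running.

```python
"""Interpret 'show system highavailability' output.  Added example, not from
the Cisco guide; the sample output is constructed in the format shown there."""
import re

# Constructed sample output, matching the guide's example.
SAMPLE_OUTPUT = """\
Highavailability: disabled
Highavailability versioning: disabled
Highavailability Operational-status: OFF (high-availability-not-enabled)
"""

STATUS_LINE = re.compile(
    r"^Highavailability Operational-status:\s+(\w+)(?:\s+\((.+)\))?\s*$")

# What each OFF reason means for the operator, taken from the states the guide
# describes for this command.
OFF_REASONS = {
    "high-availability-not-enabled":
        "high availability is not enabled; features restart after a switchover",
    "standby-supervisor-not-present":
        "no standby supervisor engine installed; no switchover is possible",
    "standby-supervisor-not-operational-yet":
        "standby supervisor engine detected but not online yet; re-check shortly",
    "high-availability-not-operational-yet":
        "standby online, high availability still initializing; re-check in a few minutes",
}


def parse_highavailability(text):
    """Return {'enabled', 'versioning', 'operational', 'reason'} from the output."""
    state = {"enabled": None, "versioning": None, "operational": None, "reason": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Highavailability versioning:"):
            state["versioning"] = line.split(":", 1)[1].strip() == "enabled"
        elif line.startswith("Highavailability Operational-status:"):
            m = STATUS_LINE.match(line)
            if m:
                state["operational"] = m[1]
                state["reason"] = m[2]
        elif line.startswith("Highavailability:"):
            state["enabled"] = line.split(":", 1)[1].strip() == "enabled"
    return state


def assess(state):
    """Return (ok, message).  Assumption: the guide's example only shows OFF,
    so any other operational value is treated here as running."""
    if state["operational"] is None:
        return False, "operational status not found in output"
    if state["operational"] != "OFF":
        return True, f"high availability operational ({state['operational']})"
    reason = state["reason"] or "unknown"
    return False, OFF_REASONS.get(reason, f"high availability OFF: {reason}")


if __name__ == "__main__":
    ok, message = assess(parse_highavailability(SAMPLE_OUTPUT))
    print(("OK: " if ok else "ATTENTION: ") + message)
```

Run periodically, the two "not-operational-yet" reasons should clear on their own within the few minutes the guide mentions; the other reasons do not clear without an operator acting, which is why the check distinguishes them.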