Cisco IOS Software Configuration GuideRelease 12.2(33)SXH and Later ReleasesAmericas HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706 USAhttp://www.cisco.comTel: 408 526-4000

800 553-NETS (6387)Fax: 408 527-0883

Text Part Number: OL-13013-05

http://www.cisco.com

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco Ironport, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flip Video, Flip Video (Design), Flipshare (Design), Flip Ultra, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0907R)

Cisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases 20072009, Cisco Systems, Inc. All rights reserved.

COL-13013-05C O N T E N T SPreface xxxvii

Audience xxxvii

Related Documentation xxxvii

Conventions xxxviii

Obtaining Documentation, Obtaining Support, and Security Guidelines xxxix

C H A P T E R 1 Product Overview 1-1

Supported Hardware and Software 1-1Understanding Supervisor Engine 720-10GE Memory Devices and Ports 1-1Understanding Supervisor Engine 720 Memory Devices and Ports 1-2Understanding Supervisor Engine 32 Memory Devices and Ports 1-4Understanding ME6500 Flash Memory Devices and Ports 1-5

User Interfaces 1-5

Software Features Supported in Hardware by the PFC and DFC 1-6

P A R T 1 Configuration Fundamentals

C H A P T E R 2 Command-Line Interfaces 2-1

Accessing the CLI 2-1Accessing the CLI through the EIA/TIA-232 Console Interface 2-2Accessing the CLI through Telnet 2-2

Performing Command Line Processing 2-3

Performing History Substitution 2-3

Cisco IOS Command Modes 2-4

Displaying a List of Cisco IOS Commands and Syntax 2-5

Securing the CLI 2-6

ROM-Monitor Command-Line Interface 2-7

C H A P T E R 3 Configuring Smart Port Macros 3-1

Understanding Smart Port Macros 3-1Understanding Cisco-Provided Smart Port Macros 3-1Understanding User-Created Smart Port Macros 3-2

Configuring Smart Port Macros 3-2iiiisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

ContentsSmart Port Macro Default Configuration 3-2Smart Port Macro Configuration Guidelines 3-3Applying the Cisco-Provided Smart Port Macros 3-4Configuring User-Created Smart Port Macros 3-13

Displaying Smart Port Macros 3-15

C H A P T E R 4 Configuring Virtual Switching Systems 4-1

Understanding Virtual Switching Systems 4-1VSS Overview 4-2VSS Redundancy 4-9Multichassis EtherChannels 4-11Packet Handling 4-14System Monitoring 4-17Dual-Active Detection 4-19VSS Initialization 4-21

VSS Configuration Guidelines and Restrictions 4-24General VSS Restrictions and Guidelines 4-24VSL Restrictions and Guidelines 4-24Multichassis EtherChannel Restrictions and Guidelines 4-24Dual-Active Detection Restrictions and Guidelines 4-25Service Module Restrictions and Guidelines 4-25

Configuring a VSS 4-25Converting to a VSS 4-26Displaying VSS Information 4-33Converting a VSS to Standalone Chassis 4-33Configuring VSS Parameters 4-35Configuring Multichassis EtherChannels 4-41Configuring Dual-Active Detection 4-43Configuring Service Modules in a VSS 4-49Viewing Chassis Status and Module Information in a VSS 4-51

Upgrading a VSS 4-52Performing a Fast Software Upgrade of a VSS 4-52Performing an Enhanced Fast Software Upgrade of a VSS 4-53

P A R T 2 High Availability

C H A P T E R 5 Performing an Enhanced Fast Software Upgrade 5-1

eFSU Overview 5-1eFSU Operation 5-2ivCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsOutage Time and Support Considerations 5-3Reserving Module Memory 5-3Error Handling for eFSU Preload 5-3

eFSU Guidelines and Limitations 5-4

Performing an Enhanced Fast Software Upgrade 5-4Software Upgrade Process Summary 5-5Preparing for the Upgrade 5-6Copying the New Software Image 5-8Loading the New Software onto the Standby Supervisor Engine 5-8Displaying the Maximum Outage Time for Installed Modules (Optional) 5-10Forcing a Switchover from Active to Standby 5-10Accepting the New Software Version and Stopping the Rollback Process (Optional) 5-12Committing the New Software to the Standby 5-12Verifying the Software Installation 5-12Aborting the Upgrade Process 5-14

Upgrading a Non-eFSU Image to an eFSU Image 5-14

C H A P T E R 6 Configuring NSF with SSO Supervisor Engine Redundancy 6-1

Understanding NSF with SSO Supervisor Engine Redundancy 6-1NSF with SSO Supervisor Engine Redundancy Overview 6-2SSO Operation 6-2NSF Operation 6-2Cisco Express Forwarding 6-3Multicast MLS NSF with SSO 6-3Routing Protocols 6-4NSF Benefits and Restrictions 6-8

Supervisor Engine Configuration Synchronization 6-9Supervisor Engine Redundancy Guidelines and Restrictions 6-9Redundancy Configuration Guidelines and Restrictions 6-9Hardware Configuration Guidelines and Restrictions 6-10Configuration Mode Restrictions 6-11

NSF Configuration Tasks 6-11Configuring SSO 6-11Verifying the Redundancy States 6-12Configuring Multicast MLS NSF with SSO 6-13Verifying Multicast NSF with SSO 6-13Configuring CEF NSF 6-13Verifying CEF NSF 6-14Configuring BGP NSF 6-14vCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsVerifying BGP NSF 6-14Configuring OSPF NSF 6-15Verifying OSPF NSF 6-16Configuring IS-IS NSF 6-17Verifying IS-IS NSF 6-17Configuring EIGRP NSF 6-19Verifying EIGRP NSF 6-19Synchronizing the Supervisor Engine Configurations 6-20

Copying Files to the Redundant Supervisor Engine 6-20

C H A P T E R 7 Configuring RPR Supervisor Engine Redundancy 7-1

Understanding RPR 7-1Supervisor Engine Redundancy Overview 7-2RPR Operation 7-2Supervisor Engine Configuration Synchronization 7-2

Supervisor Engine Redundancy Guidelines and Restrictions 7-3Redundancy Guidelines and Restrictions 7-3Hardware Configuration Guidelines and Restrictions 7-3Configuration Mode Restrictions 7-4

Configuring Supervisor Engine Redundancy 7-4Configuring Redundancy 7-4Synchronizing the Supervisor Engine Configurations 7-5Displaying the Redundancy States 7-5

Performing a Fast Software Upgrade 7-6

Copying Files to the RP 7-7

P A R T 3 Interface and Hardware Components

C H A P T E R 8 Configuring and Monitoring the Switch Fabric Functionality 8-1Understanding the Switch Fabric Functionality 8-1Configuring the Switch Fabric Functionality 8-3Monitoring the Switch Fabric Functionality 8-3

C H A P T E R 9 Configuring Interfaces 9-1

Understanding Interface Configuration 9-2

Using the Interface Command 9-2

Configuring a Range of Interfaces 9-4

Defining and Using Interface-Range Macros 9-6viCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsConfiguring Optional Interface Features 9-6Configuring Ethernet Interface Speed and Duplex Mode 9-7Configuring Jumbo Frame Support 9-10Configuring IEEE 802.3x Flow Control 9-13Configuring the Port Debounce Timer 9-14Adding a Description for an Interface 9-15

Understanding Online Insertion and Removal 9-16

Monitoring and Maintaining Interfaces 9-16Monitoring Interface Status 9-16Clearing Counters on an Interface 9-17Resetting an Interface 9-18Shutting Down and Restarting an Interface 9-18

Checking the Cable Status Using the TDR 9-19

C H A P T E R 10 Configuring UDLD 10-1

Understanding UDLD 10-1UDLD Overview 10-1UDLD Aggressive Mode 10-2

Default UDLD Configuration 10-3

Configuring UDLD 10-3Enabling UDLD Globally 10-3Enabling UDLD on Individual LAN Interfaces 10-4Disabling UDLD on Fiber-Optic LAN Interfaces 10-4Configuring the UDLD Probe Message Interval 10-4Resetting Disabled LAN Interfaces 10-5

C H A P T E R 11 Power Management and Environmental Monitoring 11-1

Understanding Power Management 11-1Enabling or Disabling Power Redundancy 11-2Powering Modules Off and On 11-3Viewing System Power Status 11-4Power Cycling Modules 11-5Determining System Power Requirements 11-5Determining System Hardware Capacity 11-5Determining Sensor Temperature Threshold 11-9

Understanding Environmental Monitoring 11-10Monitoring System Environmental Status 11-10Understanding LED Environmental Indications 11-12viiCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsC H A P T E R 12 Configuring Online Diagnostics 12-1

Understanding Online Diagnostics 12-1

Configuring Online Diagnostics 12-2Setting Bootup Online Diagnostics Level 12-2Configuring On-Demand Online Diagnostics 12-2Scheduling Online Diagnostics 12-4Configuring Health-Monitoring Diagnostics 12-5

Running Online Diagnostic Tests 12-5Starting and Stopping Online Diagnostic Tests 12-6Running All Online Diagnostic Tests 12-7Displaying Online Diagnostic Tests and Test Results 12-7

Performing Memory Tests 12-12

Diagnostic Sanity Check 12-12

C H A P T E R 13 Configuring Cisco IP Phone Support 13-1

Understanding Cisco IP Phone Support 13-1Cisco IP Phone Connections 13-2Cisco IP Phone Voice Traffic 13-2Cisco IP Phone Data Traffic 13-3IP Phone Power Configurations 13-3Other Cisco IP Phone Features 13-6

Default Cisco IP Phone Support Configuration 13-6

Cisco IP Phone Support Configuration Guidelines and Restrictions 13-7

Configuring Cisco IP Phone Support 13-7Configuring Voice Traffic Support 13-8Configuring Data Traffic Support 13-9Configuring Inline Power Support 13-10

P A R T 4 LAN Switching

C H A P T E R 14 Configuring LAN Ports for Layer 2 Switching 14-1

Understanding Layer 2 Switching 14-1Understanding Layer 2 Ethernet Switching 14-1Understanding VLAN Trunks 14-3Layer 2 LAN Port Modes 14-4

Default Layer 2 LAN Interface Configuration 14-5

Layer 2 LAN Interface Configuration Guidelines and Restrictions 14-5

Configuring LAN Interfaces for Layer 2 Switching 14-6viiiCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsConfiguring a LAN Port for Layer 2 Switching 14-7Configuring MAC Address Table Notification 14-8Configuring a Layer 2 Switching Port as a Trunk 14-9Configuring a LAN Interface as a Layer 2 Access Port 14-15Configuring a Custom IEEE 802.1Q EtherType Field Value 14-17

C H A P T E R 15 Configuring Flex Links 15-1

Understanding Flex Links 15-1

Configuring Flex Links 15-2Flex Links Default Configuration 15-2Flex Links Configuration Guidelines and Restrictions 15-2Configuring Flex Links 15-3

Monitoring Flex Links 15-3

C H A P T E R 16 Configuring EtherChannels 16-1

Understanding EtherChannels 16-1EtherChannel Feature Overview 16-1Understanding EtherChannel Configuration 16-2Understanding LACP 1:1 Redundancy 16-4Understanding Port Channel Interfaces 16-4Understanding Load Balancing 16-5

EtherChannel Feature Configuration Guidelines and Restrictions 16-5

Configuring EtherChannels 16-6Configuring Port Channel Logical Interfaces for Layer 3 EtherChannels 16-7Configuring Channel Groups 16-7Configuring the LACP System Priority and System ID 16-10Configuring EtherChannel Load Balancing 16-10Configuring EtherChannel Hash-Distribution Algorithm 16-11Configuring the EtherChannel Min-Links Feature 16-12Configuring LACP 1:1 Redundancy 16-13

C H A P T E R 17 Configuring VTP 17-1

Understanding VTP 17-1Understanding the VTP Domain 17-2Understanding VTP Modes 17-3Understanding VTP Advertisements 17-3Understanding VTP Authentication 17-4Understanding VTP Version 2 17-4Understanding VTP Version 3 17-5ixCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsUnderstanding VTP Pruning 17-6

VLAN Interaction 17-8Interaction Between VTP Version 3 and VTP Version 2 Devices 17-8Interaction Between VTP Version 3 and VTP Version 1 Devices 17-8

VTP Default Configuration 17-8

VTP Configuration Guidelines and Restrictions 17-9

Configuring VTP 17-10Configuring VTP Global Parameters 17-10Configuring the VTP Mode 17-15Configuring VTP Mode on a Per-Port Basis 17-17Displaying VTP Statistics 17-18

C H A P T E R 18 Configuring VLANs 18-1

Understanding VLANs 18-1VLAN Overview 18-1VLAN Ranges 18-2Configurable VLAN Parameters 18-2Understanding Token Ring VLANs 18-3

VLAN Default Configuration 18-6

VLAN Configuration Guidelines and Restrictions 18-7

Configuring VLANs 18-8VLAN Configuration Options 18-9Creating or Modifying an Ethernet VLAN 18-10Assigning a Layer 2 LAN Interface to a VLAN 18-11Configuring the Internal VLAN Allocation Policy 18-12Configuring VLAN Translation 18-12Mapping 802.1Q VLANs to ISL VLANs 18-16Saving VLAN Information 18-17

C H A P T E R 19 Configuring Private VLANs 19-1

Understanding Private VLANs 19-1Private VLAN Domains 19-2Private VLAN Ports 19-3Primary, Isolated, and Community VLANs 19-3Private VLAN Port Isolation 19-4IP Addressing Scheme with Private VLANs 19-4Private VLANs Across Multiple Switches 19-5Private VLAN Interaction with Other Features 19-5xCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsPrivate VLAN Configuration Guidelines and Restrictions 19-6Secondary and Primary VLAN Configuration 19-7Private VLAN Port Configuration 19-9Limitations with Other Features 19-9

Configuring Private VLANs 19-11Configuring a VLAN as a Private VLAN 19-11Associating Secondary VLANs with a Primary VLAN 19-12Mapping Secondary VLANs to the Layer 3 VLAN Interface of a Primary VLAN 19-13Configuring a Layer 2 Interface as a Private VLAN Host Port 19-15Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port 19-16

Monitoring Private VLANs 19-17

C H A P T E R 20 Configuring Private Hosts 20-1

Understanding Private Hosts 20-1Isolating Hosts in a VLAN 20-2Restricting Traffic Flow (Using Private Hosts Port Mode and PACLs) 20-3Port ACLs 20-5

Configuration Guidelines and Limitations 20-5ACL Guidelines 20-6VLANs on the Trunk Port 20-6Interaction with Other Features 20-6Spoofing Protection 20-7Multicast Operation 20-7

Configuring Private Hosts 20-7Configuration Summary 20-8Detailed Configuration Steps 20-8Configuration Examples 20-10

C H A P T E R 21 Configuring IEEE 802.1Q Tunneling 21-1

Understanding 802.1Q Tunneling 21-1

802.1Q Tunneling Configuration Guidelines and Restrictions 21-3

Configuring 802.1Q Tunneling 21-6Configuring 802.1Q Tunnel Ports 21-6Configuring the Switch to Tag Native VLAN Traffic 21-7

C H A P T E R 22 Configuring Layer 2 Protocol Tunneling 22-1

Understanding Layer 2 Protocol Tunneling 22-1

Configuring Support for Layer 2 Protocol Tunneling 22-2xiCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsC H A P T E R 23 Configuring STP and MST 23-1

Understanding STP 23-1STP Overview 23-2Understanding the Bridge ID 23-2Understanding Bridge Protocol Data Units 23-3Election of the Root Bridge 23-4STP Protocol Timers 23-4Creating the Spanning Tree Topology 23-5STP Port States 23-5STP and IEEE 802.1Q Trunks 23-11

Understanding IEEE 802.1w RSTP 23-12Port Roles and the Active Topology 23-12Rapid Convergence 23-13Synchronization of Port Roles 23-14Bridge Protocol Data Unit Format and Processing 23-15Topology Changes 23-16Rapid-PVST 23-17

Understanding MST 23-17MST Overview 23-18MST Regions 23-18IST, CIST, and CST 23-19Hop Count 23-22Boundary Ports 23-22Standard-Compliant MST Implementation 23-23Interoperability with IEEE 802.1D-1998 STP 23-25

Configuring STP 23-25Default STP Configuration 23-26Enabling STP 23-26Enabling the Extended System ID 23-28Configuring the Root Bridge 23-29Configuring a Secondary Root Bridge 23-30Configuring STP Port Priority 23-30Configuring STP Port Cost 23-32Configuring the Bridge Priority of a VLAN 23-34Configuring the Hello Time 23-34Configuring the Forward-Delay Time for a VLAN 23-35Configuring the Maximum Aging Time for a VLAN 23-36Enabling Rapid-PVST 23-36

Configuring MST 23-37xiiCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsDefault MST Configuration 23-38MST Configuration Guidelines and Restrictions 23-38Specifying the MST Region Configuration and Enabling MST 23-39Configuring the Root Bridge 23-40Configuring a Secondary Root Bridge 23-42Configuring Port Priority 23-42Configuring Path Cost 23-43Configuring the Switch Priority 23-44Configuring the Hello Time 23-45Configuring the Forwarding-Delay Time 23-46Configuring the Transmit Hold Count 23-46Configuring the Maximum-Aging Time 23-47Configuring the Maximum-Hop Count 23-47Specifying the Link Type to Ensure Rapid Transitions 23-47Designating the Neighbor Type 23-48Restarting the Protocol Migration Process 23-49

Displaying the MST Configuration and Status 23-49

C H A P T E R 24 Configuring Optional STP Features 24-1

Understanding the Optional STP Features 24-1Understanding STP Port Types 24-2Understanding PortFast 24-2Understanding Bridge Assurance 24-3Understanding BPDU Guard 24-5Understanding PortFast BPDU Filtering 24-5Understanding UplinkFast 24-6Understanding BackboneFast 24-7Understanding EtherChannel Guard 24-9Understanding Root Guard 24-9Understanding Loop Guard 24-9Understanding PVST Simulation 24-11

Configuring the Optional STP Features 24-11Enabling PortFast 24-12Enabling Bridge Assurance 24-13Enabling PortFast BPDU Filtering 24-14Enabling BPDU Guard 24-15Enabling UplinkFast 24-16Enabling BackboneFast 24-17Enabling EtherChannel Guard 24-17xiiiCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsEnabling Root Guard 24-18Enabling Loop Guard 24-18Configuring PVST Simulation 24-19

Verifying the Optional STP Features 24-20Using the show spanning-tree Commands 24-20Examples in Release 12.2(33)SXI and Later Releases 24-21Examples in Releases Earlier Than Release 12.2(33)SXI 24-24

P A R T 5 IP Routing Protocols

C H A P T E R 25 Configuring Layer 3 Interfaces 25-1

Layer 3 Interface Configuration Guidelines and Restrictions 25-1

Configuring Subinterfaces on Layer 3 Interfaces 25-2

Configuring IPv4 Routing and Addresses 25-3

Configuring IPX Routing and Network Numbers 25-7

Configuring AppleTalk Routing, Cable Ranges, and Zones 25-8

Configuring Other Protocols on Layer 3 Interfaces 25-9

C H A P T E R 26 Configuring UDE and UDLR 26-1

Understanding UDE and UDLR 26-1UDE and UDLR Overview 26-1Supported Hardware 26-2Understanding UDE 26-2Understanding UDLR 26-3

Configuring UDE and UDLR 26-3Configuring UDE 26-3Configuring UDLR 26-6

P A R T 6 Multiprotocol Label Switching

C H A P T E R 27 Configuring Multiprotocol Label Switching 27-1

MPLS 27-1Understanding MPLS 27-2Understanding MPLS 27-2Supported Hardware Features 27-4Supported Cisco IOS Features 27-5MPLS Guidelines and Restrictions 27-7MPLS Supported Commands 27-7xivCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsConfiguring MPLS 27-7MPLS Per-Label Load Balancing 27-7MPLS Configuration Examples 27-8

VPN Switching 27-9VPN Switching Operation 27-9MPLS VPN Guidelines and Restrictions 27-11MPLS VPN Supported Commands 27-11Configuring MPLS VPN 27-11MPLS VPN Sample Configuration 27-11

Any Transport over MPLS 27-13AToM Load Balancing 27-13Understanding EoMPLS 27-14EoMPLS Guidelines and Restrictions 27-14Configuring EoMPLS 27-15Configuring MUX-UNI Support on LAN Cards 27-22

P A R T 7 IP Switching

C H A P T E R 28 Configuring IP Unicast Layer 3 Switching 28-1

Understanding Layer 3 Switching 28-1Understanding Hardware Layer 3 Switching 28-2Understanding Layer 3-Switched Packet Rewrite 28-2

Default Hardware Layer 3 Switching Configuration 28-4

Configuration Guidelines and Restrictions 28-4

Configuring Hardware Layer 3 Switching 28-4

Displaying Hardware Layer 3 Switching Statistics 28-5

P A R T 8 IP Application Services

C H A P T E R 29 Configuring Web Cache Services Using WCCP 29-1

Understanding WCCP 29-2WCCP Overview 29-2Hardware Acceleration 29-2Understanding WCCPv1 Configuration 29-3Understanding WCCPv2 Configuration 29-4WCCPv2 Features 29-5

Restrictions for WCCPv2 29-7

Configuring WCCP 29-7xvCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsSpecifying a Version of WCCP 29-8Configuring a Service Group Using WCCPv2 29-8Excluding Traffic on a Specific Interface from Redirection 29-9Registering a Router to a Multicast Address 29-10Using Access Lists for a WCCP Service Group 29-10Setting a Password for a Router and Cache Engines 29-11

Verifying and Monitoring WCCP Configuration Settings 29-11

WCCP Configuration Examples 29-12Changing the Version of WCCP on a Router Example 29-12Performing a General WCCPv2 Configuration Example 29-13Running a Web Cache Service Example 29-13Running a Reverse Proxy Service Example 29-13Registering a Router to a Multicast Address Example 29-13Using Access Lists Example 29-14Setting a Password for a Router and Cache Engines Example 29-14Verifying WCCP Settings Example 29-14

P A R T 9 IPv6

C H A P T E R 30 Configuring IPv6 Multicast PFC3 and DFC3 Layer 3 Switching 30-1

Features that Support IPv6 Multicast 30-1

IPv6 Multicast Guidelines and Restrictions 30-2

New or Changed IPv6 Multicast Commands 30-3

Configuring IPv6 Multicast Layer 3 Switching 30-3

Using show Commands to Verify IPv6 Multicast Layer 3 Switching 30-3Verifying MFIB Clients 30-4Displaying the Switching Capability 30-4Verifying the (S,G) Forwarding Capability 30-4Verifying the (*,G) Forwarding Capability 30-5Verifying the Subnet Entry Support Status 30-5Verifying the Current Replication Mode 30-5Displaying the Replication Mode Auto-Detection Status 30-5Displaying the Replication Mode Capabilities 30-5Displaying Subnet Entries 30-5Displaying the IPv6 Multicast Summary 30-6Displaying the NetFlow Hardware Forwarding Count 30-6Displaying the FIB Hardware Bridging and Drop Counts 30-7Displaying the Shared and Well-Known Hardware Adjacency Counters 30-7xviCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsC H A P T E R 31 Configuring MLD Snooping for IPv6 Multicast Traffic 31-1

Understanding MLD Snooping 31-2MLD Snooping Overview 31-2MLD Messages 31-3Source-Based Filtering 31-3Explicit Host Tracking 31-3MLD Snooping Proxy Reporting 31-4Joining an IPv6 Multicast Group 31-4Leaving a Multicast Group 31-6Understanding the MLD Snooping Querier 31-7

Default MLD Snooping Configuration 31-8

MLD Snooping Configuration Guidelines and Restrictions 31-8

MLD Snooping Querier Configuration Guidelines and Restrictions 31-9

Enabling the MLD Snooping Querier 31-9

Configuring MLD Snooping 31-10Enabling MLD Snooping 31-10Configuring a Static Connection to a Multicast Receiver 31-11Configuring a Multicast Router Port Statically 31-11Configuring the MLD Snooping Query Interval 31-12Enabling Fast-Leave Processing 31-12Enabling SSM Safe Reporting 31-13Configuring Explicit Host Tracking 31-13Configuring Report Suppression 31-14Displaying MLD Snooping Information 31-14

P A R T 10 IP Multicast

C H A P T E R 32 Configuring IPv4 Multicast Layer 3 Switching 32-1

Understanding IPv4 Multicast Layer 3 Switching 32-1IPv4 Multicast Layer 3 Switching Overview 32-2Multicast Layer 3 Switching Cache 32-2Layer 3-Switched Multicast Packet Rewrite 32-3Partially and Completely Switched Flows 32-3Non-RPF Traffic Processing 32-5Multicast Boundary 32-7

Understanding IPv4 Bidirectional PIM 32-8

Default IPv4 Multicast Layer 3 Switching Configuration 32-8

IPv4 Multicast Layer 3 Switching Configuration Guidelines and Restrictions 32-9xviiCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsRestrictions 32-9Unsupported Features 32-9

Configuring IPv4 Multicast Layer 3 Switching 32-10Source-Specific Multicast with IGMPv3, IGMP v3lite, and URD 32-10Enabling IPv4 Multicast Routing Globally 32-10Enabling IPv4 PIM on Layer 3 Interfaces 32-11Enabling IP Multicast Layer 3 Switching Globally 32-11Enabling IP Multicast Layer 3 Switching on Layer 3 Interfaces 32-12Configuring the Replication Mode 32-12Enabling Local Egress Replication 32-14Configuring the Layer 3 Switching Global Threshold 32-15Enabling Installation of Directly Connected Subnets 32-16Specifying the Flow Statistics Message Interval 32-16Enabling Shortcut-Consistency Checking 32-16Configuring ACL-Based Filtering of RPF Failures 32-17Displaying RPF Failure Rate-Limiting Information 32-17Configuring Multicast Boundary 32-18Displaying IPv4 Multicast Layer 3 Hardware Switching Summary 32-18Displaying the IPv4 Multicast Routing Table 32-21Displaying IPv4 Multicast Layer 3 Switching Statistics 32-22

Configuring IPv4 Bidirectional PIM 32-23Enabling IPv4 Bidirectional PIM Globally 32-23Configuring the Rendezvous Point for IPv4 Bidirectional PIM Groups 32-24Setting the IPv4 Bidirectional PIM Scan Interval 32-24Displaying IPv4 Bidirectional PIM Information 32-25Using IPv4 Debug Commands 32-27Clearing IPv4 Multicast Layer 3 Switching Statistics 32-27Redundancy for Multicast Traffic 32-28

C H A P T E R 33 Configuring IGMP Snooping and MVR for IPv4 Multicast Traffic 33-1

Understanding IGMP Snooping 33-1IGMP Snooping Overview 33-2Joining a Multicast Group 33-2Leaving a Multicast Group 33-4Understanding the IGMP Snooping Querier 33-5Understanding IGMP Version 3 Support 33-5

Default IGMP Snooping Configuration 33-7

IGMP Snooping Configuration Guidelines and Restrictions 33-8

IGMP Snooping Querier Configuration Guidelines and Restrictions 33-8xviiiCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsEnabling the IGMP Snooping Querier 33-9

Configuring IGMP Snooping 33-9Enabling IGMP Snooping 33-10Configuring a Static Connection to a Multicast Receiver 33-11Configuring a Multicast Router Port Statically 33-11Configuring the IGMP Snooping Query Interval 33-11Enabling IGMP Fast-Leave Processing 33-12Configuring Source-Specific Multicast Mapping 33-12CGMP Automatic Detection 33-13Configuring IGMPv3 Explicit Host Tracking 33-13Displaying IGMP Snooping Information 33-14

Understanding MVR 33-16Using MVR in a Multicast Television Application 33-17

Configuring MVR 33-19Default MVR Configuration 33-19MVR Configuration Guidelines and Limitations 33-20Configuring MVR Global Parameters 33-20Configuring MVR Interfaces 33-21

Displaying MVR Information 33-23Clearing MVR Counters 33-24

C H A P T E R 34 Configuring IPv4 IGMP Filtering and Router Guard 34-1

Understanding IGMP Filtering 34-1IGMP Filtering Overview 34-1IGMP Filters 34-2IGMP Filter Precedence 34-4Filter Hierarchy Example 34-4Displaying IGMP Filtering 34-5Clearing IGMP Filtering Statistics 34-7

Understanding Router Guard 34-7Router Guard Overview 34-7Configuring Router Guard 34-8Displaying Router Guard Configurations 34-9Displaying Router Guard Interfaces 34-10Clearing Router Guard Statistics 34-11

C H A P T E R 35 Configuring PIM Snooping 35-1

Understanding PIM Snooping 35-1

Default PIM Snooping Configuration 35-3xixCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsPIM Snooping Configuration Guidelines and Restrictions 35-4

Configuring PIM Snooping 35-4Enabling PIM Snooping Globally 35-4Enabling PIM Snooping in a VLAN 35-5Disabling PIM Snooping Designated-Router Flooding 35-5

C H A P T E R 36 Configuring IPv4 Multicast VPN Support 36-1

Understanding MVPN 36-1MVPN Overview 36-2Multicast Routing and Forwarding and Multicast Domains 36-2Multicast Distribution Trees 36-2Multicast Tunnel Interfaces 36-5PE Router Routing Table Support for MVPN 36-6Multicast Distributed Switching Support 36-6Hardware-Assisted IPv4 Multicast 36-6

MVPN Configuration Guidelines and Restrictions 36-7

Configuring MVPN 36-8Forcing Ingress Multicast Replication Mode (Optional) 36-8Configuring a Multicast VPN Routing and Forwarding Instance 36-9Configuring Multicast VRF Routing 36-15Configuring Interfaces for Multicast Routing to Support MVPN 36-19

Sample Configurations for MVPN 36-21MVPN Configuration with Default MDTs Only 36-21MVPN Configuration with Default and Data MDTs 36-23

P A R T 11 Quality of Service

C H A P T E R 37 Configuring PFC QoS 37-1

Understanding PFC QoS 37-1Port Types Supported by PFC QoS 37-2Overview 37-2Component Overview 37-5Understanding Classification and Marking 37-14Policers 37-17Understanding Port-Based Queue Types 37-20

PFC QoS Default Configuration 37-27PFC QoS Global Settings 37-27Default Values with PFC QoS Enabled 37-28Default Values with PFC QoS Disabled 37-50xxCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsPFC QoS Configuration Guidelines and Restrictions 37-50General Guidelines 37-51PFC3 Guidelines 37-52Class Map Command Restrictions 37-53Policy Map Command Restrictions 37-54Policy Map Class Command Restrictions 37-54Supported Granularity for CIR and PIR Rate Values 37-54Supported Granularity for CIR and PIR Token Bucket Sizes 37-55IP Precedence and DSCP Values 37-56

Configuring PFC QoS 37-56Enabling PFC QoS Globally 37-57Enabling Ignore Port Trust 37-58Configuring DSCP Transparency 37-58Enabling Queueing-Only Mode 37-59Enabling Microflow Policing of Bridged Traffic 37-60Enabling VLAN-Based PFC QoS on Layer 2 LAN Ports 37-60Enabling Egress ACL Support for Remarked DSCP 37-61Creating Named Aggregate Policers 37-62Configuring a PFC QoS Policy 37-64Configuring Egress DSCP Mutation 37-82Configuring Ingress CoS Mutation on IEEE 802.1Q Tunnel Ports 37-84Configuring DSCP Value Maps 37-86Configuring the Trust State of Ethernet LAN Ports 37-90Configuring Trusted Boundary with Cisco Device Verification 37-91Configuring the Ingress LAN Port CoS Value 37-92Configuring Standard-Queue Drop Threshold Percentages 37-93Mapping QoS Labels to Queues and Drop Thresholds 37-98Allocating Bandwidth Between Standard Transmit Queues 37-107Setting the Receive-Queue Size Ratio 37-109Configuring the Transmit-Queue Size Ratio 37-110

Common QoS Scenarios 37-111Sample Network Design Overview 37-111Classifying Traffic from PCs and IP Phones in the Access Layer 37-112Accepting the Traffic Priority Value on Interswitch Links 37-115Prioritizing Traffic on Interswitch Links 37-116Using Policers to Limit the Amount of Traffic from a PC 37-119

PFC QoS Glossary 37-120xxiCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsC H A P T E R 38 Using AutoQoS 38-1

Understanding AutoQoS 38-1AutoQoS Support for a Cisco IP Phone 38-1AutoQoS Support for Cisco IP Communicator 38-2AutoQoS Support for Marked Traffic 38-2

Using AutoQoS 38-3AutoQoS Configuration Guidelines and Restrictions 38-3Configuring AutoQoS 38-4

C H A P T E R 39 Configuring MPLS QoS 39-1

Terminology 39-2

MPLS QoS Features 39-3MPLS Experimental Field 39-3Trust 39-3Classification 39-3Policing and Marking 39-4Preserving IP ToS 39-4EXP Mutation 39-4MPLS DiffServ Tunneling Modes 39-4

MPLS QoS Overview 39-4Specifying the QoS in the IP Precedence Field 39-5

MPLS QoS 39-5LERs at the Input Edge of an MPLS Network 39-6LSRs in the Core of an MPLS Network 39-6LERs at the Output Edge of an MPLS Network 39-7

Understanding MPLS QoS 39-7LERs at the EoMPLS Edge 39-8LERs at the IP Edge (MPLS, MPLS VPN) 39-9LSRs at the MPLS Core 39-13

MPLS QoS Default Configuration 39-15

MPLS QoS Commands 39-16

MPLS QoS Restrictions and Guidelines 39-17

Configuring MPLS QoS 39-17Enabling QoS Globally 39-18Enabling Queueing-Only Mode 39-19Configuring a Class Map to Classify MPLS Packets 39-20Configuring the MPLS Packet Trust State on Ingress Ports 39-22Configuring a Policy Map 39-22xxiiCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsDisplaying a Policy Map 39-27Configuring MPLS QoS Egress EXP Mutation 39-28Configuring EXP Value Maps 39-29

MPLS DiffServ Tunneling Modes 39-30Short Pipe Mode 39-31Uniform Mode 39-32MPLS DiffServ Tunneling Restrictions and Usage Guidelines 39-34

Configuring Short Pipe Mode 39-34Ingress PE RouterCustomer Facing Interface 39-34Configuring Ingress PE RouterP Facing Interface 39-35Configuring the P RouterOutput Interface 39-37Configuring the Egress PE RouterCustomer Facing Interface 39-38

Configuring Uniform Mode 39-39Configuring the Ingress PE RouterCustomer Facing Interface 39-39Configuring the Ingress PE RouterP Facing Interface 39-40Configuring the Egress PE RouterCustomer Facing Interface 39-41

C H A P T E R 40 Configuring PFC QoS Statistics Data Export 40-1

Understanding PFC QoS Statistics Data Export 40-1

PFC QoS Statistics Data Export Default Configuration 40-2

Configuring PFC QoS Statistics Data Export 40-2

P A R T 12 Security

C H A P T E R 41 Configuring Network Security 41-1

Configuring MAC Address-Based Traffic Blocking 41-1

Configuring TCP Intercept 41-2

Configuring Unicast Reverse Path Forwarding Check 41-2Understanding PFC3 Unicast RPF Check Support 41-2Unicast RPF Check Guidelines and Restrictions 41-3Configuring Unicast RPF Check 41-3

C H A P T E R 42 Using AutoSecure 42-1

Understanding AutoSecure 42-1Benefits of AutoSecure 42-2Securing the Management Plane 42-2Securing the Forwarding Plane 42-5AutoSecure Guidelines and Restrictions 42-6xxiiiCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsConfiguring AutoSecure 42-6Using the AutoSecure Command 42-6Configuring Additional Security 42-8Verifying AutoSecure 42-8

AutoSecure Configuration Example 42-9

C H A P T E R 43 Understanding Cisco IOS ACL Support 43-1

ACL Support in Hardware and Software 43-1

Cisco IOS ACL Configuration Guidelines and Restrictions 43-2

Policy-Based ACLs 43-3Understanding PBACLs 43-3PBACL Guidelines and Restrictions 43-4Configuring PBACL 43-4

Configuring IPv6 Address Compression 43-6

Optimized ACL Logging 43-7Understanding OAL 43-7OAL Guidelines and Restrictions 43-8Configuring OAL 43-8

Guidelines and Restrictions for Using Layer 4 Operators in ACLs 43-10Determining Layer 4 Operation Usage 43-10Determining Logical Operation Unit Usage 43-11

C H A P T E R 44 Configuring Port ACLs and VLAN ACLs 44-1

Understanding ACLs 44-1Understanding ACLs 44-2Understanding VACLs 44-2Understanding Port ACLs 44-3PACL and VACL Interactions 44-4

Configuring PACLs 44-7PACL Configuration Guidelines 44-8Configuring IP and MAC ACLs on a Layer 2 Interface 44-8Configuring Access-group Mode on Layer 2 Interface 44-9Applying ACLs to a Layer 2 Interface 44-9Applying ACLs to a Port Channel 44-10Displaying an ACL Configuration on a Layer 2 Interface 44-10

Configuring VACLs 44-11VACL Configuration Guidelines 44-11Defining a VLAN Access Map 44-12xxivCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsConfiguring a Match Clause in a VLAN Access Map Sequence 44-13Configuring an Action Clause in a VLAN Access Map Sequence 44-13Applying a VLAN Access Map 44-14Verifying VLAN Access Map Configuration 44-15VLAN Access Map Configuration and Verification Examples 44-15Configuring a Capture Port 44-16Configuring MAC PBF 44-17

Configuring VACL Logging 44-19

C H A P T E R 45 Configuring Denial of Service Protection 45-1

Understanding DoS Protection 45-2

DoS Protection Default Configuration 45-13

DoS Protection Configuration Guidelines and Restrictions 45-13Monitoring Packet Drop Statistics 45-14Displaying Rate-Limiter Information 45-17

Configuring Sticky ARP 45-18

C H A P T E R 46 Configuring Control Plane Policing 46-1

Understanding Control Plane Policing 46-1

CoPP Default Configuration 46-2

CoPP Configuration Guidelines and Restrictions 46-2

Configuring CoPP 46-3

Monitoring CoPP 46-4

Defining Traffic Classification 46-5Traffic Classification Overview 46-5Traffic Classification Guidelines 46-6Sample Basic ACLs for CoPP Traffic Classification 46-7

C H A P T E R 47 Configuring DHCP Snooping 47-1

Understanding DHCP Snooping 47-1Overview of DHCP Snooping 47-2Trusted and Untrusted Sources 47-2DHCP Snooping Binding Database 47-2Packet Validation 47-3DHCP Snooping Option-82 Data Insertion 47-3Overview of the DHCP Snooping Database Agent 47-5

Default Configuration for DHCP Snooping 47-6

DHCP Snooping Configuration Restrictions and Guidelines 47-7xxvCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsDHCP Snooping Configuration Restrictions 47-7DHCP Snooping Configuration Guidelines 47-7Minimum DHCP Snooping Configuration 47-8

Configuring DHCP Snooping 47-8Enabling DHCP Snooping Globally 47-9Enabling DHCP Option-82 Data Insertion 47-9Enabling the DHCP Option-82 on Untrusted Port Feature 47-10Enabling DHCP Snooping MAC Address Verification 47-11Enabling DHCP Snooping on VLANs 47-11Configuring the DHCP Trust State on Layer 2 LAN Interfaces 47-12Configuring DHCP Snooping Rate Limiting on Layer 2 LAN Interfaces 47-13Configuring the DHCP Snooping Database Agent 47-14Configuration Examples for the Database Agent 47-14Displaying a Binding Table 47-17

C H A P T E R 48 Configuring IP Source Guard 48-1

Overview of IP Source Guard 48-1IP Source Guard Interaction with VLAN-Based Features 48-2Channel Ports 48-2Trunk Ports 48-2Layer 2 and Layer 3 Port Conversion 48-2IP Source Guard and Voice VLAN 48-2IP Source Guard and Web-Based Authentication 48-2IP Source Guard Restrictions 48-3

Configuring IP Source Guard on the Switch 48-3

Displaying IP Source Guard Information 48-4

Displaying IP Source Binding Information 48-6

C H A P T E R 49 Configuring Dynamic ARP Inspection 49-1

Understanding DAI 49-1Understanding ARP 49-1Understanding ARP Spoofing Attacks 49-2Understanding DAI and ARP Spoofing Attacks 49-2Interface Trust States and Network Security 49-3Rate Limiting of ARP Packets 49-4Relative Priority of ARP ACLs and DHCP Snooping Entries 49-4Logging of Dropped Packets 49-4

Default DAI Configuration 49-5

DAI Configuration Guidelines and Restrictions 49-5xxviCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsConfiguring DAI 49-6Enabling DAI on VLANs 49-7Configuring the DAI Interface Trust State 49-7Applying ARP ACLs for DAI Filtering 49-8Configuring ARP Packet Rate Limiting 49-9Enabling DAI Error-Disabled Recovery 49-10Enabling Additional Validation 49-10Configuring DAI Logging 49-12Displaying DAI Information 49-14

DAI Configuration Samples 49-15Sample One: Two Switches Support DAI 49-16Sample Two: One Switch Supports DAI 49-20

C H A P T E R 50 Configuring Traffic Storm Control 50-1

Understanding Traffic Storm Control 50-1

Default Traffic Storm Control Configuration 50-2

Configuration Guidelines and Restrictions 50-3

Enabling Traffic Storm Control 50-4

Displaying Traffic Storm Control Settings 50-5

C H A P T E R 51 Configuring Unknown Unicast and Multicast Flood Control 51-1

Understanding Unknown Traffic Flood Control 51-1

Configuring UUFB or UMFB 51-2

Configuring UUFRL 51-2

C H A P T E R 52 Configuring Network Admission Control 52-1

Understanding NAC 52-1NAC Overview 52-2NAC Device Roles 52-3AAA Down Policy 52-4NAC IP Validation 52-4NAC and Switchover 52-12

Configuring NAC 52-12Default NAC Configuration 52-12NAC IP Guidelines, Limitations, and Restrictions 52-12Configuring NAC IP Validation 52-14Configuring EAPoUDP 52-18Configuring Identity Profiles and Policies 52-18xxviiCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsConfiguring NAC High Availability 52-19Configuring a NAC AAA Down Policy 52-20

Monitoring and Maintaining NAC 52-23Clearing Table Entries 52-23Displaying NAC Information 52-23

C H A P T E R 53 Configuring IEEE 802.1X Port-Based Authentication 53-1

Understanding 802.1X Port-Based Authentication 53-1Understanding 802.1X Device Roles 53-2Understanding the Port-based Authentication Process 53-3Authentication Initiation and Message Exchange 53-5Ports in Authorized and Unauthorized States 53-7802.1X Host Modes 53-8Using 802.1X Authentication with DHCP Snooping 53-10Understanding 802.1X Accounting 53-11Using 802.1X Authentication with VLAN Assignment 53-12Using Multiple VLANs and VLAN User Distribution with VLAN Assignment 53-13Using 802.1X Authentication with Guest VLAN 53-14Using 802.1X Authentication with Restricted VLAN 53-14Using 802.1X Authentication with Inaccessible Authentication Bypass 53-15Using 802.1X Authentication with Voice VLAN Ports 53-17Using 802.1X Authentication with Port Security 53-17Using 802.1X Authentication with ACL Assignments and Redirect URLs 53-18Using 802.1X Authentication with Port Descriptors 53-21Using 802.1X Authentication with MAC Authentication Bypass 53-21Using Network Admission Control Layer 2 IEEE 802.1X Validation 53-22Using 802.1X Authentication with Wake-on-LAN 53-23

Configuring 802.1X Port-Based Authentication 53-23Default 802.1X Port-Based Authentication Configuration 53-24802.1X Authentication Feature Configuration Guidelines 53-25Enabling 802.1X Authentication 53-29Configuring Switch-to-RADIUS-Server Communication 53-31Configuring 802.1X Authenticator Host Mode 53-32Enabling Fallback Authentication 53-34Enabling Periodic Reauthentication 53-36Manually Reauthenticating the Client Connected to a Port 53-37Initializing Authentication for the Client Connected to a Port 53-37Removing 802.1X Client Information 53-38Clearing Authentication Sessions 53-38xxviiiCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsChanging 802.1X Timeouts 53-38Setting the Switch-to-Client Frame Retransmission Number 53-40Setting the Reauthentication Number 53-41Configuring IEEE 802.1X Accounting 53-41Configuring VLAN User Distribution 53-42Configuring a Guest VLAN 53-43Configuring a Restricted VLAN 53-44Configuring the Inaccessible Authentication Bypass Feature 53-46Configuring MAC Authentication Bypass 53-49Configuring NAC Layer 2 IEEE 802.1X Validation 53-50Configuring NAC Agentless Audit Support 53-51Configuring the Switch for DACLs or Redirect URLs 53-52Configuring 802.1X Authentication with WoL 53-53Disabling 802.1X Authentication on the Port 53-53Resetting the 802.1X Configuration to the Default Values 53-54

Displaying Authentication Status and Information 53-54Displaying 802.1X Status 53-55Displaying Authentication Methods and Status 53-56Displaying MAC Authentication Bypass Status 53-59

C H A P T E R 54 Configuring Web-Based Authentication 54-1

Understanding Web-Based Authentication 54-1Device Roles 54-2Host Detection 54-2Session Creation 54-3Authentication Process 54-3AAA Fail Policy 54-4Customization of the Authentication Proxy Web Pages 54-4Web-based Authentication Interactions with Other Features 54-4

Configuring Web-Based Authentication 54-6Default Web-Based Authentication Configuration 54-7Web-based Authentication Configuration Guidelines and Restrictions 54-7Web-based Authentication Configuration Task List 54-8Configuring the Authentication Rule and Interfaces 54-8Configuring AAA Authentication 54-9Configuring Switch-to-RADIUS-Server Communication 54-9Configuring the HTTP Server 54-11Configuring an AAA Fail Policy 54-13Configuring the Web-based Authentication Parameters 54-14xxixCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsRemoving Web-based Authentication Cache Entries 54-15

Displaying Web-Based Authentication Status 54-15

C H A P T E R 55 Configuring Port Security 55-1

Understanding Port Security 55-1Port Security with Dynamically Learned and Static MAC Addresses 55-1Port Security with Sticky MAC Addresses 55-2Port Security with IP Phones 55-3

Default Port Security Configuration 55-3

Port Security Guidelines and Restrictions 55-3

Configuring Port Security 55-5Enabling Port Security 55-5Configuring the Port Security Violation Mode on a Port 55-6Configuring the Port Security Rate Limiter 55-7Configuring the Maximum Number of Secure MAC Addresses on a Port 55-9Enabling Port Security with Sticky MAC Addresses on a Port 55-9Configuring a Static Secure MAC Address on a Port 55-10Configuring Secure MAC Address Aging on a Port 55-11

Displaying Port Security Settings 55-12

P A R T 13 NetFlow

C H A P T E R 56 Configuring NetFlow 56-1

Understanding NetFlow 56-1NetFlow Overview 56-2NetFlow on the PFC 56-2NetFlow on the RP 56-4NetFlow Features 56-5

Default NetFlow Configuration 56-6

NetFlow Configuration Guidelines and Restrictions 56-6

Configuring NetFlow 56-7Configuring NetFlow on the PFC 56-7Configuring NetFlow Features 56-10

C H A P T E R 57 Configuring NDE 57-1

Understanding NDE 57-1NDE Overview 57-1NDE on the RP 57-2xxxCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsNDE on the PFC 57-2

Default NDE Configuration 57-10

NDE Configuration Guidelines and Restrictions 57-10

Configuring NDE 57-10Configuring NDE on the PFC 57-11Configuring NDE on the RP 57-13Enabling NDE for Ingress-Bridged IP Traffic 57-14Displaying the NDE Address and Port Configuration 57-15Configuring NDE Flow Filters 57-16Displaying the NDE Configuration 57-17

P A R T 14 Network Management

C H A P T E R 58 Configuring Local SPAN, RSPAN, and ERSPAN 58-1

Understanding Local SPAN, RSPAN, and ERSPAN 58-1Local SPAN, RSPAN, and ERSPAN Overview 58-1Local SPAN, RSPAN, and ERSPAN Sources 58-5Local SPAN, RSPAN, and ERSPAN Destinations 58-7

Local SPAN, RSPAN, and ERSPAN Configuration Guidelines and Restrictions 58-7Feature Incompatibilities 58-7Local SPAN, RSPAN, and ERSPAN Session Limits 58-8Local SPAN, RSPAN, and ERSPAN Interface Limits 58-9Local SPAN, RSPAN, and ERSPAN Guidelines and Restrictions 58-9VSPAN Guidelines and Restrictions 58-10RSPAN Guidelines and Restrictions 58-11ERSPAN Guidelines and Restrictions 58-11Distributed Egress SPAN Mode Guidelines and Restrictions 58-12

Configuring Local SPAN, RSPAN, and ERSPAN 58-13Local SPAN, RSPAN, and ERSPAN Default Configuration 58-13Configuring a Destination as an Unconditional Trunk (Optional) 58-14Configuring Destination Trunk VLAN Filtering (Optional) 58-15Configuring Destination Port Permit Lists (Optional) 58-16Configuring the Egress SPAN Mode (Optional) 58-17Configuring Local SPAN 58-18Configuring RSPAN 58-22Configuring ERSPAN 58-28Configuring Source VLAN Filtering in Global Configuration Mode 58-32Verifying the Configuration 58-33Configuration Examples 58-33xxxiCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsC H A P T E R 59 Using the System Event Archive 59-1

Understanding the System Event Archive 59-1

Displaying the SEA Logging System 59-2

Copying the SEA To Another Device 59-3

C H A P T E R 60 Backplane Traffic Monitoring 60-1

Understanding Traffic Monitoring 60-1

Default Configuration 60-2

Configuration Guidelines and Restrictions 60-2

Configuring Backplane Traffic Monitoring 60-2

C H A P T E R 61 Configuring Call Home 61-1

Understanding Call Home 61-1Obtaining Smart Call Home 61-2

Configuring Call Home 61-3Configuring Contact Information 61-4Configuring Destination Profiles 61-5Subscribing to Alert Groups 61-6Configuring General E-Mail Options 61-9Enabling Call Home 61-10Testing Call Home Communications 61-10Configuring and Enabling Smart Call Home 61-12

Displaying Call Home Configuration Information 61-13

Default Settings 61-16

Alert Group Trigger Events and Commands 61-17

Message Contents 61-23Sample Syslog Alert Notification in Long-Text Format 61-27Sample Syslog Alert Notification in XML Format 61-27

C H A P T E R 62 Configuring SNMP IfIndex Persistence 62-1

Understanding SNMP IfIndex Persistence 62-1

Configuring SNMP IfIndex Persistence 62-2Enabling SNMP IfIndex Persistence Globally 62-2Disabling SNMP IfIndex Persistence Globally 62-2Enabling and Disabling SNMP IfIndex Persistence on Specific Interfaces 62-2Clearing SNMP IfIndex Persistence Configuration from a Specific Interface 62-3xxxiiCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsC H A P T E R 63 Using Top-N Reports 63-1

Understanding Top-N Reports 63-1Top-N Reports Overview 63-1Understanding Top-N Reports Operation 63-2

Using Top-N Reports 63-2Enabling Top-N Reports Creation 63-2Displaying Top-N Reports 63-3Clearing Top-N Reports 63-4

C H A P T E R 64 Using the Layer 2 Traceroute Utility 64-1

Understanding the Layer 2 Traceroute Utility 64-1

Usage Guidelines 64-1

Using the Layer 2 Traceroute Utility 64-2

C H A P T E R 65 Using the Mini Protocol Analyzer 65-1

Understanding How the Mini Protocol Analyzer Works 65-1

Configuring the Mini Protocol Analyzer 65-2Filtering the Packets to be Captured 65-3

Starting and Stopping a Capture 65-4

Displaying and Exporting the Capture Buffer 65-6

Mini Protocol Analyzer Configuration, Operation, and Display Examples 65-7General Configuration Examples 65-7Filtering Configuration Examples 65-8Operation Examples 65-9Display Examples 65-9

P A R T 15 Appendixes

A P P E N D I X A Online Diagnostic Tests A-1

Global Health-Monitoring Tests A-2TestEARLInternalTables A-2TestSPRPInbandPing A-3TestScratchRegister A-3TestMacNotification A-4TestErrorCounterMonitor A-4

Per-Port Tests A-5TestNonDisruptiveLoopback A-5TestLoopback A-6xxxiiiCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsTestActiveToStandbyLoopback A-6TestUnusedPortLoopback A-7TestTransceiverIntegrity A-7TestNetflowInlineRewrite A-8TestPortTxMonitoring A-9

PFC Layer 2 Forwarding Engine Tests A-9TestNewIndexLearn A-9TestDontConditionalLearn A-10TestBadBpduTrap A-10TestMatchCapture A-11TestStaticEntry A-11

DFC Layer 2 Forwarding Engine Tests A-11TestDontLearn A-12TestNewLearn A-12TestIndexLearn A-13TestConditionalLearn A-13TestTrap A-14TestBadBpdu A-15TestProtocolMatchChannel A-15TestCapture A-16TestStaticEntry A-16

PFC Layer 3 Forwarding Engine Tests A-17TestFibDevices A-17TestIPv4FibShortcut A-18TestIPv6FibShortcut A-18TestMPLSFibShortcut A-19TestNATFibShortcut A-19TestL3Capture2 A-20TestAclPermit A-20TestAclDeny A-21TestNetflowShortcut A-21TestQoS A-22

DFC Layer 3 Forwarding Engine Tests A-22TestFibDevices A-22TestIPv4FibShortcut A-23TestIPv6FibShortcut A-24TestMPLSFibShortcut A-24TestNATFibShortcut A-25TestL3Capture2 A-25xxxivCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsTestAclPermit A-26TestAclDeny A-26TestQoS A-27TestNetflowShortcut A-27

Replication Engine Tests A-27TestL3VlanMet A-28TestIngressSpan A-28TestEgressSpan A-29

Fabric Tests A-29TestFabricSnakeForward A-29TestFabricSnakeBackward A-30TestSynchedFabChannel A-30TestFabricCh0Health A-31TestFabricCh1Health A-31

Exhaustive Memory Tests A-32TestFibTcamSSRAM A-32TestAsicMemory A-32TestAclQosTcam A-33TestNetflowTcam A-33TestQoSTcam A-34

IPSEC Services Modules Tests A-34TestIPSecClearPkt A-35TestHapiEchoPkt A-35TestIPSecEncryptDecryptPkt A-35

Stress Tests A-36TestTrafficStress A-36TestEobcStressPing A-37

Critical Recovery Tests A-37TestL3HealthMonitoring A-37TestTxPathMonitoring A-38TestSynchedFabChannel A-38

General Tests A-39ScheduleSwitchover A-39TestFirmwareDiagStatus A-39TestCFRW A-40

A P P E N D I X B Acronyms B-1

I N D E XxxxvCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

ContentsxxxviCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

Preface

This preface describes who should read the Cisco IOS Software Configuration Guide, Release 12.2(33)SXH and later releases, and its document conventions.

AudienceThis guide is for experienced network administrators who are responsible for configuring and maintaining the switches supported in Cisco IOS Release 12.2SX.

Related DocumentationThe following publications are available for Cisco IOS Release 12.2SX:

Catalyst 6500 Series Switch Installation Guide

Catalyst 6500 Series Switch Module Installation Guide

Cisco IOS Master Command List, Release 12.2SX

Catalyst 6500 Series Switch Cisco IOS System Message Guide, Release 12.2SX

Release Notes for Cisco IOS Release 12.2(33)SXH and Later Releases

Cisco IOS Configuration Guides and Command ReferencesUse these publications to help you configure Cisco IOS software features not described in the other publications:

Configuration Fundamentals Configuration Guide

Configuration Fundamentals Command Reference

Bridging and IBM Networking Configuration Guide

Bridging and IBM Networking Command Reference

Interface Configuration Guide

Interface Command Reference

Network Protocols Configuration Guide, Part 1, 2, and 3

Network Protocols Command Reference, Part 1, 2, and 3

Security Configuration Guide

Security Command Reference

Switching Services Configuration Guide xxxviiCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

Preface Switching Services Command Reference

Voice, Video, and Home Applications Configuration Guide

Voice, Video, and Home Applications Command Reference

Software Command Summary

Software System Error Messages

Debug Command Reference

Internetwork Design Guide

Internetwork Troubleshooting Guide

Configuration Builder Getting Started Guide

The Cisco IOS Configuration Guides and Command References are located at this URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuration_guides_list.html

For information about MIBs, go to this URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

ConventionsThis document uses the following conventions:

Convention Description

boldface font Commands, command options, and keywords are in boldface.

italic font Arguments for which you supply values are in italics.

[ ] Elements in square brackets are optional.

{ x | y | z } Alternative keywords are grouped in braces and separated by vertical bars.

[ x | y | z ] Optional alternative keywords are grouped in brackets and separated by vertical bars.

string A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.

screen font Terminal sessions and information the system displays are in screen font.

boldface screen font

Information you must enter is in boldface screen font.

italic screen font Arguments for which you supply values are in italic screen font.

This pointer highlights an important line of text in an example.

^ The symbol ^ represents the key labeled Controlfor example, the key combination ^D in a screen display means hold down the Control key while you press the D key.

< > Nonprinting characters, such as passwords are in angle brackets.xxxviiiCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuration_guides_list.htmlhttp://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuration_guides_list.htmlhttp://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

PrefaceNotes use the following conventions:

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.

Cautions use the following conventions:

Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly Whats New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html xxxixCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

PrefacexlCisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

Cisco IOS Software ConfiguraOL-13013-05C H A P T E R1

Product Overview

This chapter consists of these sections:

Supported Hardware and Software, page 1-1

User Interfaces, page 1-5

Software Features Supported in Hardware by the PFC and DFC, page 1-6

Supported Hardware and Software For complete information about the chassis, modules, and software features supported by Cisco IOS Release 12.2SX, see the Release Notes for Cisco IOS Release 12.2(33)SXH and Later Releases:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html

These sections describe the ports and flash memory devices on the supervisor engines:

Understanding Supervisor Engine 720-10GE Memory Devices and Ports, page 1-1

Understanding Supervisor Engine 720 Memory Devices and Ports, page 1-2

Understanding Supervisor Engine 32 Memory Devices and Ports, page 1-4

Understanding ME6500 Flash Memory Devices and Ports, page 1-5

Understanding Supervisor Engine 720-10GE Memory Devices and PortsThese sections describe the Supervisor Engine 720-10GE memory devices and ports:

Supervisor Engine 720-10GE Flash Memory Devices, page 1-1

Supervisor Engine 720-10GE Ports, page 1-2

Supervisor Engine 720-10GE Flash Memory Devices

The Supervisor Engine 720-10GE has these flash memory devices:

disk0: (active) and slavedisk0: (standby):

External CompactFlash Type II slots

For CompactFlash Type II flash PC cards sold by Cisco Systems, Inc.1-1tion Guide, Release 12.2(33)SXH and Later Releases

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html

Chapter 1 Product OverviewSupported Hardware and Software sup-bootdisk: (active) and slavesup-bootdisk: (standby):

Switch processor (SP) 1-GB internal CompactFlash flash memory

From SP ROMMON, it is bootdisk:

Not accessible from route processor (RP) ROMMON

bootflash: (active) and slave-bootflash: (standby):

RP 64-MB internal flash memory

Not accessible from SP ROMMON

Supervisor Engine 720-10GE Ports

The Supervisor Engine 720-10GE has these ports:

Console portEIA/TIA-232 (RS-232) port

Ports 1 and 2

Gigabit Ethernet SFP (fiber or 10/100/1000 Mbps RJ-45)

Fast Ethernet SFP

Port 310/100/1000 Mbps RJ-45

Ports 4 and 510-Gigabit Ethernet X2

Note The 1-Gigabit Ethernet ports and the 10-Gigabit Ethernet ports have the same QoS port architecture (2q4t/1p3q4t) unless you disable the 1-Gigabit Ethernet ports with the mls qos 10g-only global configuration command. With the 1-Gigabit Ethernet ports disabled, the QoS port architecture of the 10-Gigabit Ethernet ports is 8q4t/1p7q4t.

See the Configuring Optional Interface Features section on page 9-6 for information about configuring the ports.

Understanding Supervisor Engine 720 Memory Devices and PortsThese sections describe the Supervisor Engine 720 memory devices and ports:

Supervisor Engine 720 Flash Memory Devices, page 1-2

Configuring Supervisor Engine 720 Ports, page 1-3

Supervisor Engine 720 Flash Memory Devices

The Supervisor Engine 720 has these flash memory devices:

disk0: and disk1: (active) and slavedisk0: and slavedisk1: (standby):

External CompactFlash Type II slots

For CompactFlash Type II flash PC cards sold by Cisco Systems, Inc.1-2Cisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

Chapter 1 Product OverviewSupported Hardware and Software sup-bootflash: (active) and slavesup-bootflash: (standby):

Switch processor (SP) 64-MB internal flash memory

From SP ROMMON, it is bootflash:

Not accessible from route processor (RP) ROMMON

With WS-CF-UPG=, sup-bootdisk: (active) and slavesup-bootflash: (standby):

SP 512-MB internal CompactFlash flash memory

From SP ROMMON, it is bootdisk:

Not accessible from RP ROMMON

See this publication for more information:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_17277.html

bootflash: (active) and slave-bootflash: (standby):

RP 64-MB internal flash memory

Not accessible from SP ROMMON

Configuring Supervisor Engine 720 Ports

The Supervisor Engine 720 has these ports:

Port 1Small form-factor pluggable (SFP); no unique configuration options.

Port 2 RJ-45 connector and an SFP connector (default). To use the RJ-45 connector, you must change the configuration.

To configure port 2 on a Supervisor Engine 720 to use either the RJ-45 connector or the SFP connector, perform this task:

This example shows how to configure port 2 on a Supervisor Engine 720 in slot 5 to use the RJ-45 connector:

Router(config)# interface gigabitethernet 5/2Router(config-if)# media-type rj45

See the Configuring Optional Interface Features section on page 9-6 for more information about configuring the ports.

Command Purpose

Step 1 Router(config)# interface gigabitethernet slot/2 Selects the Ethernet port to be configured.

Step 2 Router(config-if)# media-type {rj45 | sfp} Selects the connector to use.1-3Cisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_17277.htmlhttp://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_17277.html

Chapter 1 Product OverviewSupported Hardware and SoftwareUnderstanding Supervisor Engine 32 Memory Devices and Ports These sections describe the Supervisor Engine 32 memory devices and ports:

Supervisor Engine 32 Flash Memory Devices, page 1-4

Supervisor Engine 32 Ports, page 1-4

Note Supervisor Engine 32 does not support switch fabric connectivity.

Supervisor Engine 32 Flash Memory Devices

The Supervisor Engine 32 has these flash memory devices:

disk0: (active) and slavedisk0: (standby):

External CompactFlash Type II slots

For CompactFlash Type II flash PC cards sold by Cisco Systems, Inc.

sup-bootdisk: (active) and slavesup-bootflash: (standby):

Switch processor (SP) 256-MB internal CompactFlash flash memory

From SP ROMMON, it is bootdisk:

Not accessible from route processor (RP) ROMMON

bootflash: (active) and slave-bootflash: (standby):

RP 64-MB internal flash memory

Not accessible from SP ROMMON

Supervisor Engine 32 Ports

The Supervisor Engine 32 has these ports:

Console portEIA/TIA-232 (RS-232) port

Two Universal Serial Bus (USB) 2.0 portsNot currently enabled

WS-SUP32-GE-3B:

Ports 1 through 8Small form-factor pluggable (SFP)

Port 910/100/1000 Mbps RJ-45

WS-SUP32-10GE:

Ports 1 and 210-Gigabit Ethernet XENPAK

Port 310/100/1000 Mbps RJ-45

See the Configuring Optional Interface Features section on page 9-6 for information about configuring the ports.1-4Cisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

Chapter 1 Product OverviewUser InterfacesUnderstanding ME6500 Flash Memory Devices and Ports These sections describe the Cisco ME6500 series Ethernet switch memory devices and ports:

ME6500 Flash Memory Devices, page 1-5

ME6500 Ports, page 1-5

ME6500 Flash Memory Devices

The ME6500 has these flash memory devices:

disk0:

One external CompactFlash Type II slot

Supports CompactFlash Type II flash PC cards

sup-bootflash:

Switch processor (SP) 128 MB internal CompactFlash flash memory

From SP ROMMON, it is bootflash:

Not accessible from route processor (RP) ROMMON

bootflash:

RP 64-MB internal flash memory

Not accessible from SP ROMMON

ME6500 Ports

The ME6500 has these ports:

ME-C6524GS-8S and ME-C6524GT-8S

Ports 2532: Gigabit Ethernet SFP

Requires Gigabit Ethernet SFPs

ME-C6524GS-8S

Ports 124: Gigabit Ethernet SFP

Requires Gigabit Ethernet SFPs

ME-C6524GT-8SPorts 124: 10/100/1000 Mbps RJ-45 Ethernet ports

User InterfacesRelease 12.2SX supports configuration using the following interfaces:

CLISee Chapter 2, Command-Line Interfaces.

SNMPSee the Release 12.2 IOS Configuration Fundamentals Configuration Guide and Command Reference at this URL:

http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/ffun_c.html 1-5Cisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/ffun_c.html

Chapter 1 Product OverviewSoftware Features Supported in Hardware by the PFC and DFC Cisco IOS web browser interfaceSee Using the Cisco Web Browser in the IOS Configuration Fundamentals Configuration Guide at this URL:

http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf005.html

Software Features Supported in Hardware by the PFC and DFC The PFC3 and DFC3 provide hardware support for these Cisco IOS software features:

Access Control Lists (ACLs) for Layer 3 ports and VLAN interfaces:

Permit and deny actions of input and output standard and extended ACLs

Note Flows that require ACL logging are processed in software on the route processor (RP).

Except on MPLS interfaces, reflexive ACL flows after the first packet in a session is processed in software on the RP

Dynamic ACL flows

Note Idle timeout is processed in software on the RP.

For more information about PFC and DFC support for ACLs, see Chapter 43, Understanding Cisco IOS ACL Support.

For complete information about configuring ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2, Traffic Filtering and Firewalls, at this URL:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfacls.html

Bidirectional Protocol Independent Multicast (PIM) in hardwareSee Understanding IPv4 Bidirectional PIM section on page 32-8.

IPv4 Multicast over point-to-point generic route encapsulation (GRE) TunnelsSee the publication at this URL:

http://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.html

Multiple-path Unicast Reverse Path Forwarding (RPF) CheckTo configure Unicast RPF Check, see the Configuring Unicast Reverse Path Forwarding Check section on page 41-2.

Except on MPLS interfaces, Network Address Translation (NAT) for IPv4 unicast and multicast traffic.

Note the following information about hardware-assisted NAT:

NAT of UDP traffic is not supported in PFC3A mode.

The PFC3 does not support NAT of multicast traffic.

The PFC3 does not support NAT configured with a route-map that specifies length.

When you configure NAT and NDE on an interface, the PFC3 sends all traffic in fragmented packets to the RP to be processed in software. (CSCdz51590)

To configure NAT, see the Cisco IOS IP Configuration Guide, Release 12.2, IP Addressing and Services, Configuring IP Addressing, Configuring Network Address Translation, at this URL:

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfipadr.html 1-6Cisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf005.htmlhttp://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfacls.htmlhttp://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.htmlhttp://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfipadr.html

Chapter 1 Product OverviewSoftware Features Supported in Hardware by the PFC and DFCTo prevent a significant volume of NAT traffic from being sent to the RP, due to either a DoS attack or a misconfiguration, enter the mls rate-limit unicast acl {ingress | egress} command described at this URL:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_m2.html#mls_rate-limit_unicast_acl

(CSCea23296)

NetFlow AggregationSee this URL:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/nde.html

Policy-based routing (PBR) for route-map sequences that use the match ip address, set ip next-hop, and ip default next-hop PBR keywords.

To configure PBR, see the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2, Classification, Configuring Policy-Based Routing, at this URL:

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html

Note If the RP address falls within the range of a PBR ACL, traffic addressed to the RP is policy routed in hardware instead of being forwarded to the RP. To prevent policy routing of traffic addressed to the RP, configure PBR ACLs to deny traffic addressed to the RP.

Except on MPLS interfaces, TCP interceptTo configure TCP intercept, see the Configuring TCP Intercept section on page 41-2.

Note The PFC3 does not provide hardware acceleration for tunnels configured with the tunnel key command.

GRE Tunneling and IP in IP TunnelingThe PFC3 and DFC3s support the following tunnel commands:

tunnel destination

tunnel mode gre

tunnel mode ipip

tunnel source

tunnel ttl

tunnel tos

Other supported types of tunneling run in software on the RP.

The tunnel ttl command (default 255) sets the TTL of encapsulated packets.

The tunnel tos command, if present, sets the ToS byte of a packet when it is encapsulated. If the tunnel tos command is not present and QoS is not enabled, the ToS byte of a packet sets the ToS byte of the packet when it is encapsulated. If the tunnel tos command is not present and QoS is enabled, the ToS byte of a packet as modified by PFC QoS sets the ToS byte of the packet when it is encapsulated.

To configure GRE Tunneling and IP in IP Tunneling, see these publications:

http://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.html

http://www.cisco.com/en/US/docs/ios/12_2/interface/command/reference/irfshoip.html 1-7Cisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_m2.html#mls_rate-limit_unicast_aclhttp://www.cisco.com/en/US/docs/ios/security/command/reference/sec_m2.html#mls_rate-limit_unicast_aclhttp://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/nde.htmlhttp://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/nde.htmlhttp://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.htmlhttp://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.htmlhttp://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.htmlhttp://www.cisco.com/en/US/docs/ios/12_2/interface/command/reference/irfshoip.html

Chapter 1 Product OverviewSoftware Features Supported in Hardware by the PFC and DFCTo configure the tunnel tos and tunnel ttl commands, see this publication for more information:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_tos.html

Note the following information about tunnels:

Each hardware-assisted tunnel must have a unique source. Hardware-assisted tunnels cannot share a source even if the destinations are different. Use secondary addresses on loopback interfaces or create multiple loopback interfaces. (CSCdy72539)

Each tunnel interface uses one internal VLAN.

Each tunnel interface uses one additional router MAC address entry per router MAC address.

The PFC3A does not support any PFC QoS features on tunnel interfaces.

Other PFC versions support PFC QoS features on tunnel interfaces.

The RP supports tunnels configured with egress features on the tunnel interface. Examples of egress features are output Cisco IOS ACLs, NAT (for inside to outside translation), TCP intercept, CBAC, and encryption.

VLAN ACLs (VACLs)To configure VACLs, see Chapter 44, Configuring Port ACLs and VLAN ACLs.1-8Cisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_tos.html

P A R T 1

Configuration Fundamentals

Cisco IOS Software ConfiguraOL-13013-05C H A P T E R2

Command-Line Interfaces

This chapter describes the command-line interfaces (CLIs) you use to configure the switches supported by Cisco IOS Release 12.2SX.

Note For complete syntax and usage information for the commands used in this chapter, see these publications:

The Cisco IOS Master Command List, Release 12.2SX, at this URL:

http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html

The Release 12.2 publications at this URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuration_guides_list.html

This chapter consists of these sections:

Accessing the CLI, page 2-1

Performing Command Line Processing, page 2-3

Performing History Substitution, page 2-3

Cisco IOS Command Modes, page 2-4

Displaying a List of Cisco IOS Commands and Syntax, page 2-5

Securing the CLI, page 2-6

ROM-Monitor Command-Line Interface, page 2-7

Accessing the CLIThese sections describe accessing the CLI:

Accessing the CLI through the EIA/TIA-232 Console Interface, page 2-2

Accessing the CLI through Telnet, page 2-22-1tion Guide, Release 12.2(33)SXH and Later Releases

http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.htmlhttp://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuration_guides_list.htmlhttp://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuration_guides_list.html

Chapter 2 Command-Line InterfacesAccessing the CLIAccessing the CLI through the EIA/TIA-232 Console Interface

Note EIA/TIA-232 was known as recommended standard 232 (RS-232) before its acceptance as a standard by the Electronic Industries Alliance (EIA) and Telecommunications Industry Association (TIA).

Perform initial configuration over a connection to the EIA/TIA-232 console interface. See the Catalyst 6500 Series Switch Module Installation Guide for console interface cable connection procedures.

To make a console connection, perform this task:

After making a console connection, you see this display:

Press Return for Console prompt

Router> enable Password:Router#

Accessing the CLI through Telnet

Note Before you can make a Telnet connection to the switch, you must configure an IP address (see the Configuring IPv4 Routing and Addresses section on page 25-3).

The switch supports up to eight simultaneous Telnet sessions. Telnet sessions disconnect automatically after remaining idle for the period specified with the exec-timeout command.

To make a Telnet connection to the switch, perform this task:

Command Purpose

Step 1 Press Return. Brings up the prompt.

Step 2 Router> enable Initiates enable mode enable.

Step 3 Password: password Router#

Completes enable mode enable.

Step 4 Router# quit Exits the session when finished.

Command Purpose

Step 1 telnet {hostname | ip_addr} Makes a Telnet connection from the remote host to the switch you want to access.

Step 2 Password: password

Router#

Initiates authentication.

Note If no password has been configured, press Return.

Step 3 Router> enable Initiates enable mode enable.

Step 4 Password: password Router#

Completes enable mode enable.

Step 5 Router# quit Exits the session when finished.2-2Cisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

Chapter 2 Command-Line InterfacesPerforming Command Line ProcessingThis example shows how to open a Telnet session to the switch:

unix_host% telnet Router_1 Trying 172.20.52.40...Connected to 172.20.52.40.Escape character is '^]'.

User Access Verification

Password:Router_1> enable Password:Router_1#

Performing Command Line ProcessingCommands are not case sensitive. You can abbreviate commands and parameters if the abbreviations contain enough letters to be different from any other currently available commands or parameters. You can scroll through the last 20 commands stored in the history buffer, and enter or edit the command at the prompt. Table 2-1 lists the keyboard shortcuts for entering and editing commands.

Performing History SubstitutionThe history buffer stores the last 20 commands you entered. History substitution allows you to access these commands without retyping them, by using special abbreviated commands. Table 2-2 lists the history substitution commands.

Table 2-1 Keyboard Shortcuts

Keystrokes Purpose

Press Ctrl-B or press the left arrow key1

1. The arrow keys function only on ANSI-compatible terminals such as VT100s.

Moves the cursor back one character.

Press Ctrl-F or press the right arrow key1

Moves the cursor forward one character.

Press Ctrl-A Moves the cursor to the beginning of the command line.

Press Ctrl-E Moves the cursor to the end of the command line.

Press Esc B Moves the cursor back one word.

Press Esc F Moves the cursor forward one word.2-3Cisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases

OL-13013-05

Chapter 2 Command-Line InterfacesCisco IOS Command ModesCisco IOS Command Modes

Note For complete information about Cisco IOS command modes, see the Cisco IOS Configuration Fundamentals Configuration Guide at this URL:

http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/ffun_c.html

The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. To get a list of the commands in a given mode, type a question mark (?) at the system prompt. See the Displaying a List of Cisco IOS Commands and Syntax section on page 2-5.

When you start a session on the switch, you begin in user mode, often called user EXEC mode. Only a limited subset of the commands are available in EXEC mode. To have access to all commands, you must enter privileged EXEC mode. Normally, you must type in a password to access privileged EXEC mode. From privileged EXEC mode, you can type in any EXEC command or acce