Cisco Systems 4500 About ACLs

47-2

Software Configuration Guide—Release 15.0(2)SG

OL-23818-01

Chapter 47 Configuring Network Security with ACLs

About ACLs

• Using VLAN Maps with Router ACLs, page 47-32

• Configuring PACLs, page 47-35

• Using PACL with VLAN Maps and Router ACLs, page 47-41

• Configuring RA Guard, page 47-43

Note The following discussions applies to both Supervisor Engine 6-E (and 6L-E) and non-Supervisor Engine

6-E (and 6L-E) configurations unless noted otherwise.

About ACLs

This section includes these topics:

• Overview, page 47-2

• Supported Features That Use ACLs, page 47-3

• Router ACLs, page 47-3

• Port ACLs, page 47-4

• Dynamic ACLs, page 47-5

• VLAN Maps, page 47-5

Overview

An ACL is a collection of sequential permit and deny conditions that applies to packets. When a packet

is received on an interface, the switch compares the fields in the packet against any applied ACLs to

verify that the packet has the permissions required to be forwarded, based on the conditions specified in

the access lists. It tests the packets against the conditions in an access list one-by-one. The first match

determines whether the switch accepts or rejects the packets. Because the switch stops testing conditions

after the first match, the order of conditions in the list is critical. If no conditions match, the switch drops

the packet. If no restrictions exist, the switch forwards the packet; otherwise, the switch drops the packet.

Switches traditionally operate at Layer 2, switching traffic within a VLAN. Routers route traffic between

VLANs at Layer 3. The Catalyst 4500 series switch can accelerate packet routing between VLANs by

using Layer 3 switching. The Layer 3 switch bridges the packet, and then routes the packet internally

without going to an external router. The packet is then bridged again and sent to its destination. During

this process, the switch can control all packets, including packets bridged within a VLAN.

You configure access lists on a router or switch to filter traffic and provide basic security for your

network. If you do not configure ACLs, all packets passing using the switch could be allowed on all parts

of the network. You can use ACLs to control which hosts can access different parts of a network or to

decide which types of traffic are forwarded or blocked at router interfaces. For example, you can allow

e-mail traffic to be forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic,

outbound traffic, or both. However, on Layer 2 interfaces, you can apply ACLs only in the inbound

direction.

An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny

and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny

depends on the context in which the ACL is used.

Contents

Main Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Preface Audience Organization Page Page Conventions Related Documentation Hardware Documents Software Documentation Cisco IOS Documentation Commands in Task Tables Notices OpenSSL/Open SSL Project License Issues Page Obtaining Documentation and Submitting a Service Request Page Product Overview Layer 2 Software Features 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling Auto SmartPort Macros Cisco Discovery Protocol Cisco Group Management Protocol (CGMP) server EtherChannel Bundles Ethernet CFM Ethernet OAM Protocol Flex Links and MAC Address-Table Move Update Internet Group Management Protocol (IGMP) Snooping IPv6 Multicast Listen Discovery (MLD) and Multicast Listen Discovery snooping Jumbo Frames Link Aggregation Control Protocol Link Layer Discovery Protocol Link State Tracking Location Service Multiple Spanning Tree Per-VLAN Rapid Spanning Tree Quality of Service Resilient Ethernet Protocol SmartPort Macros Spanning Tree Protocol Stateful Switchover SVI Autostate User-Based Rate Limiting Unidirectional Ethernet Unidirectional Link Detection VLANs Virtual Switch System Client Y.1731 (AIS and RDI) Layer 3 Software Features Cisco Express Forwarding EIGRP Stub Routing Enhanced Object Tracking GLBP HSRP SSO Aware HSRP IP Routing Protocols BGP BGP Route-Map Continue EIGRP IS-IS OSPF RIP In Service Software Upgrade IPv6 Multicast Services Page NSF with SSO OSPF for Routed Access Policy-Based Routing Unidirectional Link Routing VRF-lite Management Features Cisco Call Home Cisco Energy Wise Cisco IOS IP Service Level Agreements Cisco Network Assistant Dynamic Host Control Protocol Embedded CiscoView Embedded Event Manager Ethernet Management Port FAT File Management System on Supervisor Engine 6-E and 6L-E Forced 10/100 Autonegotiation Intelligent Power Management MAC Address Notification NetFlow-lite Secure Shell Simple Network Management Protocol SPAN and RSPAN Web Content Coordination Protocol Security Features 802.1X Identity-Based Network Security Cisco TrustSec SGT Exchange Protocol (SXP) IPv4 Dynamic ARP Inspection Dynamic Host Configuration Protocol Snooping Flood Blocking Hardware-Based Control Plane Policing IP Source Guard for Static Hosts IP Source Guard Local Authentication, RADIUS, and TACACS+ Authentication Network Admission Control Network Security with ACLs Port Security PPPoE Intermediate Agent Storm Control uRPF Strict Mode Utilities Layer 2 Traceroute Time Domain Reflectometry Debugging Features Web-based Authentication Command-Line Interfaces Accessing the Switch CLI Accessing the CLI Using the EIA/TIA-232 Console Interface Accessing the CLI Through Telnet Performing Command-Line Processing Performing History Substitution About Cisco IOS Command Modes Getting a List of Commands and Syntax Virtual Console for Standby Supervisor Engine ROMMON Command-Line Interface Archiving Crashfiles Information Displaying a Crash Dump 2-9 2-10 2-11 151A3B48: 1586D760 10C7FE38 10C7F17C 1586FF98 10C7FE38 10C7F17C 2-12 2-13 2-14 2-15 2-16 2-17 2-18 2-19 Page Configuring the Switch for the First Time Default Switch Configuration Configuring DHCP-Based Autoconfiguration About DHCP-Based Autoconfiguration DHCP Client Request Process Configuring the DHCP Server Configuring the TFTP Server Configuring the DNS Server Configuring the Relay Device Obtaining Configuration Files Example Configuration Configuring the Switch Using Configuration Mode to Configure Your Switch Verifying the Running Configuration Settings 3-10 Saving the Running Configuration Settings to Your Start-Up File Reviewing the Configuration in NVRAM ! Configuring a Default Gateway Configuring a Static Route Page Controlling Access to Privileged EXEC Commands Setting or Changing a Static enable Password Using the enable password and enable secret Commands Setting or Changing a Privileged Password Controlling Switch Access with TACACS+ Understanding TACACS+ Page TACACS+ Operation Configuring TACACS+ Default TACACS+ Configuration Identifying the TACACS+ Server Host and Setting the Authentication Key Configuring TACACS+ Login Authentication Page Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Starting TACACS+ Accounting Displaying the TACACS+ Configuration Encrypting Passwords Configuring Multiple Privilege Levels Setting the Privilege Level for a Command Changing the Default Privilege Level for Lines Logging In to a Privilege Level Exiting a Privilege Level Displaying the Password, Access Level, and Privilege Level Configuration Recovering a Lost Enable Password Modifying the Supervisor Engine Startup Configuration Understanding the Supervisor Engine Boot Configuration Understanding the ROM Monitor Configuring the Software Configuration Register Modifying the Boot Field and Using the boot Command Modifying the Boot Field Verifying the Configuration Register Setting Specifying the Startup System Image Flash Memory Features Security Precautions Configuring Flash Memory Controlling Environment Variables Resetting a Switch to Factory Default Settings Page Page Administering the Switch Managing the System Time and Date System Clock Understanding Network Time Protocol Configuring NTP Default NTP Configuration Configuring NTP Authentication Page Configuring NTP Associations Configuring NTP Broadcast Service Configuring NTP Access Restrictions Creating an Access Group and Assigning a Basic IP Access List Disabling NTP Services on a Specific Interface Configuring the Source IP Address for NTP Packets Displaying the NTP Configuration Configuring Time and Date Manually Setting the System Clock Displaying the Time and Date Configuration Configuring the Time Zone Configuring Summer Time (Daylight Saving Time) Configuring a System Name and Prompt Configuring a System Name Understanding DNS Default DNS Configuration Setting Up DNS Displaying the DNS Configuration Creating a Banner Default Banner Configuration Configuring a Message-of-the-Day Login Banner Configuring a Login Banner Managing the MAC Address Table Building the Address Table MAC Addresses and VLANs Default MAC Address Table Configuration Changing the Address Aging Time Removing Dynamic Address Entries Configuring MAC Change Notification Traps Page 4-24 Configuring MAC Move Notification Traps Page Configuring MAC Threshold Notification Traps Adding and Removing Static Address Entries Configuring Unicast MAC Address Filtering Page Disabling MAC Address Learning on a VLAN Configuring Disable MAC Address Learning Deployment Scenarios Metro (Point to Point Links) 4-32 Network Load Balancers Layer 2 Firewall or Cache Feature Compatibility Feature Incompatibility Partial Feature Incompatibility Displaying Address Table Entries Managing the ARP Table Configuring Embedded CiscoView Support Understanding Embedded CiscoView Installing and Configuring Embedded CiscoView 4-37 The following example shows how to install and configure Embedded CiscoView on your switch: 4-38 Displaying Embedded CiscoView Information Page Configuring the Cisco IOS In-Service Software Upgrade Process Prerequisites to Performing ISSU About ISSU Stateful Switchover Overview Page NSF Overview ISSU Process Overview 5-7 5-8 supervisor engines when they are running two different versions of Cisco IOS image. 5-9 Page Performing an ISSU Upgrade: 2 Methods Changeversion Process Changeversion: Quick Option Scheduled Changeversion: in and at Options Changeversion Deployment Scenario Aborting an In-Progress Changeversion Procedure Guidelines for Performing ISSU Versioning Capability in Cisco IOS Software to Support ISSU Compatibility Matrix SNMP Support for ISSU Compatibility Verification Using Cisco Feature Navigator Performing the ISSU Process Verifying the ISSU Software Installation Verifying Redundancy Mode Before Beginning the ISSU Process 5-17 Verifying the ISSU State Before Beginning the ISSU Process Loading New Cisco IOS Software on the Standby Supervisor Engine Page 5-20 The following example shows how the forced option places the system in RPR mode: Switching to the Standby Supervisor Engine 5-22 engine is running the old version of software and is in the standby hot state. Stopping the ISSU Rollback Timer (Optional) Loading New Cisco IOS Software on the New Standby Supervisor Engine 5-25 Using changeversion to Automate an ISSU Upgrade Page 5-28 Note Standby reloads with target image. 5-29 Note Switchover occurs. Look at the console of "new" ACTIVE supervisor engine. Note The new" STANDBY reloads with target image; changeversion is successful upon SSO terminal state is reached. 5-30 5-31 Aborting a Software Upgrade During ISSU traffic might be disrupted. Configuring the Rollback Timer to Safeguard Against Upgrade Issues Page Displaying ISSU Compatibility Matrix Information 5-35 5-36 Page Page Page Page Configuring Interfaces About Interface Configuration Using the interface Command 6-3 Configuring a Range of Interfaces Page Using the Ethernet Management Port Understanding the Ethernet Management Port Fa1 Interface and mgmtVrf Ping TraceRoute Telnet TFTP FTP Supported Features on the Ethernet Management Port Configuring the Ethernet Management Port Defining and Using Interface-Range Macros Deploying SFP+ in X2 Ports Deploying 10-Gigabit Ethernet and Gigabit Ethernet SFP Ports on Supervisor Engine V-10GE Port Numbering TwinGig Convertors Limitations on Using a TwinGig Convertor Selecting X2/TwinGig Convertor Mode Page Invoking Shared-Backplane Uplink Mode on Supervisor Engine 6-E Digital Optical Monitoring Transceiver Support Configuring Optional Interface Features Configuring Ethernet Interface Speed and Duplex Mode Speed and Duplex Mode Configuration Guidelines Setting the Interface Speed Setting the Interface Duplex Mode Displaying the Interface Speed and Duplex Mode Configuration Adding a Description for an Interface Configuring Flow Control Page 6-22 Configuring Jumbo Frame Support Ports and Modules That Support Jumbo Frames Jumbo Frame Support Maximum Transmission Units Jumbo Frame Support Overview Ethernet Ports VLAN Interfaces Configuring MTU Sizes Interacting with Baby Giants Configuring the Port Debounce Timer Configuring Auto-MDIX on a Port Page Displaying the Interface Auto-MDIX Configuration Understanding Online Insertion and Removal Monitoring and Maintaining the Interface Monitoring Interface and Controller Status Clearing and Resetting the Interface Shutting Down and Restarting an Interface Configuring Interface Link Status and Trunk Status Events Configuring Link Status Event Notification for an Interface Global Settings Configuring a Switch Global Link Status Logging Event 6-34 Resetting the Interface to the Default Configuration Page Page Checking Port Status and Connectivity Checking Module Status Checking Interfaces Status Displaying MAC Addresses Checking Cable Status Using Time Domain Reflectometer Running the TDR Test TDR Guidelines Using Telnet Changing the Logout Timer Monitoring User Sessions Using Ping Understanding How Ping Works Running Ping Using IP Traceroute Understanding How IP Traceroute Works Running IP Traceroute Using Layer 2 Traceroute Layer 2 Traceroute Usage Guidelines Running Layer 2 Traceroute Configuring ICMP Enabling ICMP Protocol Unreachable Messages Enabling ICMP Redirect Messages Enabling ICMP Mask Reply Messages Page Configuring Supervisor Engine Redundancy Using RPR and SSO About Supervisor Engine Redundancy RPR Operation SSO Operation About Supervisor Engine Redundancy Synchronization RPR Supervisor Engine Configuration Synchronization SSO Supervisor Engine Configuration Synchronization Supervisor Engine Redundancy Guidelines and Restrictions Page Page Configuring Supervisor Engine Redundancy Configuring Redundancy 8-9 This example shows how to display redundancy facility state information: Virtual Console for Standby Supervisor Engine Synchronizing the Supervisor Engine Configurations Page Performing a Manual Switchover Performing a Software Upgrade Page Manipulating Bootflash on the Redundant Supervisor Engine Page Configuring Cisco NSF with SSO Supervisor Engine Redundancy About NSF with SSO Supervisor Engine Redundancy About Cisco IOS NSF-Aware and NSF-Capable Support Page NSF with SSO Supervisor Engine Redundancy Overview SSO Operation NSF Operation Cisco Express Forwarding Routing Protocols BGP Operation OSPF Operation IS-IS Operation IETF IS-IS Configuration Cisco IS-IS Configuration EIGRP Operation NSF Guidelines and Restrictions Configuring NSF with SSO Supervisor Engine Redundancy Configuring SSO 9-11 Configuring CEF NSF Verifying CEF NSF To verify that CEF is NSF-capable, enter the show cef state command: Configuring BGP NSF Verifying BGP NSF Configuring OSPF NSF Verifying OSPF NSF Configuring IS-IS NSF Verifying IS-IS NSF 9-16 Configuring EIGRP NSF Verifying EIGRP NSF Page Environmental Monitoring and Power Management About Environmental Monitoring Using CLI Commands to Monitor your Environment Displaying Environment Conditions Conditions on Supervisor Engines II-Plus to V-10GE Conditions on Supervisor Engine 6-E and Supervisor Engine 6L-E Emergency Actions System Alarms Page Power Management Power Management for the Catalyst 4500 Series Switches Supported Power Supplies Power Management Modes for the Catalyst 4500 Switch Selecting a Power Management Mode Power Management Limitations in Catalyst 4500 Series Switches Limitation 1 Limitation 2 Configuring Redundant Mode on a Catalyst 4500 Series Switch Configuring Combined Mode on a Catalyst 4500 Series Switch Available Power for Catalyst 4500 Series Switches Power Supplies Special Considerations for the 4200 W AC and 6000 W AC Power Supplies Page Combined Mode Power Resiliency Page Special Considerations for the 1400 W DC Power Supply Configuring the DC Input for a Power Supply Special Considerations for the 1400 W DC SP Triple Input Power Supply Insufficient Inline Power Handling for Supervisor Engine II-TS 10-20 Powering Down a Module Power Management for the Catalyst 4948 Switches Power Management Modes for the Catalyst 4948 Switch IEEE 802.3az Energy Efficient Ethernet Determining EEE Capability Enabling EEE Determining EEE Status Page Configuring Power over Ethernet About Power over Ethernet Hardware Requirements Power Management Modes Intelligent Power Management Configuring Power Consumption for Powered Devices on an Interface Displaying the Operational Status for an Interface 11-7 This example shows how to display the operational status for Fast Ethernet interface 4/1: Displaying all PoE Detection and Removal Events Displaying the PoE Consumed by a Module 11-9 11-10 11-11 PoE Policing and Monitoring PoE Policing Modes Configuring Power Policing on an Interface Displaying Power Policing on an Interface Configuring Errdisable Recovery Enhanced Power PoE Support on the E-Series Chassis Page Configuring the Catalyst 4500 Series Switch with Cisco Network Assistant About Network Assistant Community Overview Clustering Overview Network Assistant-Related Parameters and Their Defaults Network Assistant CLI Commands Configuring Your Switch for Network Assistant (Minimum) Required Configuration (Additional) Configuration Required to Use Community (Additional) Configuration Required to Use Clustering Managing a Network Using Community Candidate and Member Requirements Automatic Discovery of Candidates and Members Community Names Hostnames Passwords Communication Protocols Access Modes in Network Assistant Community Information Adding Devices Converting a Cluster into a Community Managing a Network Using Cluster Understanding Switch Clusters Cluster Command Switch Requirements Network Assistant and VTY Candidate Switch and Cluster Member Switch Requirements Using the CLI to Manage Switch Clusters Configuring Network Assistant in Community or Cluster Mode Configuring Network Assistant on a Networked Switch in Community Mode Page 12-15 This example shows how to configure Network Assistant on a networked switch in community mode: Step 27 Step 28 12-16 12-17 Configuring Network Assistant in a Networked Switch in Cluster Mode Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Page 12-19 12-20 Configuring VLANs, VTP, and VMPS VLANs About VLANs Page VLAN Configuration Guidelines and Restrictions VLAN Ranges Configurable Normal-Range VLAN Parameters VLAN Default Configuration Configuring VLANs Configuring VLANs in Global Configuration Mode Assigning a Layer 2 LAN Interface to a VLAN VLAN Trunking Protocol About VTP Understanding the VTP Domain Understanding VTP Modes Understanding VTP Advertisements Understanding VTP Versions VTP Version 2 VTP Version 3 Understanding VTP Pruning VTP Configuration Guidelines and Restrictions VTP Default Configuration Configuring VTP Configuring VTP Global Parameters Configuring a VTP Password Enabling VTP Pruning Enabling the VTP Version Number Configuring the VTP Mode 13-17 This example shows how to configure the switch as a VTP client: This example shows how to disable VTP on the switch: This example shows how to disable VTP on the switch and to disable VTP advertisement forwarding: 13-18 Starting a Takeover Displaying VTP Statistics Displaying VTP Devices in a Domain VLAN Membership Policy Server About VMPS Understanding the VMPS Server Security Modes for VMPS Server Open Mode Secure Mode Multiple Mode Fallback VLAN Overview of VMPS Clients Understanding Dynamic VLAN Membership Default VMPS Client Configuration Configuring a Switch as a VMPS Client Configuring the IP Address of the VMPS Server Configuring Dynamic Access Ports on a VMPS Client Voice Ports Reconfirming VLAN Memberships Configuring Reconfirmation Interval Configuring the Retry Interval Administering and Monitoring the VMPS Troubleshooting Dynamic Port VLAN Membership Dynamic Port VLAN Membership Configuration Example 13-30 Page VMPS Database Configuration File Example 13-33 Page Configuring IP Unnumbered Interface About IP Unnumbered Interface Support IP Unnumbered Interface Support with DHCP Server and Relay Agent DHCP Option 82 IP Unnumbered Interface with Connected Host Polling IP Unnumbered Configuration Guidelines and Restrictions Configuring IP Unnumbered Interface Support with DHCP Server Configuring IP Unnumbered Interface Support on LAN and VLAN Interfaces Configuring IP Unnumbered Interface Support on a Range of Ethernet VLANs Configuring IP Unnumbered Interface Support with Connected Host Polling Displaying IP Unnumbered Interface Settings Troubleshooting IP Unnumbered Interface Page Configuring Layer 2 Ethernet Interfaces About Layer 2 Ethernet Switching Layer 2 Ethernet Switching Switching Frames Between Segments Building the MAC Address Table VLAN Trunks Encapsulation Types Layer 2 Interface Modes Default Layer 2 Ethernet Interface Configuration Layer 2 Interface Configuration Guidelines and Restrictions Configuring Ethernet Interfaces for Layer 2 Switching Configuring an Ethernet Interface as a Layer 2 Trunk Page Configuring an Interface as a Layer 2 Access Port 15-9 This example shows how to configure the Fast Ethernet interface 5/6 as an access port in VLAN 200: Step 2 To clear the Layer 2 configuration on an interface, perform this task: Clearing Layer 2 Configuration Step 8 Displays the switch port configuration of the interface. Step 9 Step 1 Page Configuring Auto SmartPort Macros About Auto SmartPorts Configuring Auto SmartPorts Enabling Auto SmartPorts Auto SmartPorts Default Configuration Auto SmartPorts Configuration Guidelines Page Configuring Auto SmartPorts Built-in Macro Parameters Configuring User-Defined Event Triggers 802.1X-Based Event Trigger MAC Address-Based Event Trigger Configuring Mapping Between User-Defined Triggers and Built-in Macros Configuring Auto SmartPorts User-Defined Macros Page Page Page Displaying Auto SmartPorts 17-14 Configuring SmartPort Macros About SmartPort Macros and Static SmartPort Configuring SmartPort Macros Passing Parameters Through the Macro Macro Parameter Help Default SmartPort Macro Configuration cisco-global cisco-desktop 16-5 cisco-phone This is the example for the cisco-phone macro: cisco-router This is the example for the cisco-router macro: cisco-switch SmartPort Macro Configuration Guidelines Page Creating SmartPort Macros Applying SmartPort Macros cisco-global 16-11 cisco-desktop Note This macro requires the $AVID keyword, which is the access VLAN of the port. cisco-phone Note This macro requires the $AVID and $VVID keywords, which are the access and voice VLANs of the port. cisco-switch Note This macro requires the $NVID keyword, which is the native VLANs of the port. 16-13 cisco-router Note This macro requires the $NVID keyword, which is the native VLANs of the port. Displaying SmartPort Macros Configuring Static SmartPort Macros Default Static SmartPort Configuration Static SmartPort Configuration Guidelines Applying Static SmartPort Macros Page Configuring STP and MST About STP Understanding the Bridge ID Bridge Priority Value Extended System ID STP MAC Address Allocation Bridge Protocol Data Units Election of the Root Bridge STP Timers Creating the STP Topology STP Port States MAC Address Allocation STP and IEEE 802.1Q Trunks Per-VLAN Rapid Spanning Tree Default STP Configuration Configuring STP Enabling STP Enabling the Extended System ID Configuring the Root Bridge 18-11 You can set the switch as the root: This configuration is the one after the switch becomes the root: Configuring a Secondary Root Switch Configuring STP Port Priority 18-14 Configuring STP Port Cost Page Configuring the Bridge Priority of a VLAN Configuring the Hello Time Configuring the Maximum Aging Time for a VLAN Configuring the Forward-Delay Time for a VLAN Disabling Spanning Tree Protocol Enabling Per-VLAN Rapid Spanning Tree Specifying the Link Type Restarting Protocol Migration About MST IEEE 802.1s MST IEEE 802.1w RSTP RSTP Port Roles RSTP Port States MST-to-SST Interoperability Common Spanning Tree MST Instances MST Configuration Parameters MST Regions MST Region Overview Boundary Ports IST Master Edge Ports Link Type Message Age and Hop Count MST-to-PVST+ Interoperability MST Configuration Restrictions and Guidelines Configuring MST Enabling MST Page 18-31 Configuring MST Instance Parameters To configure MST instance parameters, perform this task: This example shows how to configure MST instance parameters: Step 1 Step 2 Step 3 Step 4 Configuring MST Instance Port Parameters To configure MST instance port parameters, perform this task: This example shows how to configure MST instance port parameters: Step 1 Step 2 Step 3 Step 4 Restarting Protocol Migration Displaying MST Configurations 18-34 The following examples show how to display spanning tree VLAN configurations in MST mode: 18-35 18-36 Configuring Flex Links and MAC Address-Table Move Update About Flex Links Flex Links VLAN Flex Links Load Balancing and Support Flex Links Failover Actions MAC Address-Table Move Update Configuring Flex Links Configuring Flex Links Page Configuring VLAN Load Balancing on Flex Links Page Configuring MAC Address-Table Move Update Configuring the MAC Address-Table Move Update Feature Configuring a Switch to Send MAC Address-Table Move Updates Page Configuring a Switch to Receive MAC Address-Table Move Updates Monitoring Flex Links and the MAC Address-Table Move Update Configuring Resilient Ethernet Protocol About REP Page Page Link Integrity Fast Convergence VLAN Load Balancing Page Spanning Tree Interaction REP Ports Configuring REP Default REP Configuration REP Configuration Guidelines Configuring the REP Administrative VLAN Configuring REP Interfaces Page Page Page Setting Manual Preemption for VLAN Load Balancing Configuring SNMP Traps for REP Monitoring REP Configuring Optional STP Features About Root Guard Enabling Root Guard About Loop Guard Page Enabling Loop Guard About EtherChannel Guard Enabling EtherChannel Guard (Optional) About PortFast Enabling PortFast About BPDU Guard Enabling BPDU Guard About PortFast BPDU Filtering Enabling PortFast BPDU Filtering About UplinkFast Enabling UplinkFast Page About BackboneFast Page Enabling BackboneFast 21-17 This example shows how to display a summary of port states: This example shows how to display the total lines of the spanning tree state section: 21-18 Configuring EtherChannel and Link State Tracking About EtherChannel Port Channel Interfaces Configuring EtherChannels EtherChannel Configuration Overview Manual EtherChannel Configuration PAgP EtherChannel Configuration IEEE 802.3ad LACP EtherChannel Configuration Load Balancing EtherChannel Configuration Guidelines and Restrictions Configuring EtherChannel Configuring Layer 3 EtherChannels Creating Port Channel Logical Interfaces Configuring Physical Interfaces as Layer 3 EtherChannels Page 22-9 This example shows how to display a one-line summary per channel group: Configuring Layer 2 EtherChannels 22-11 The following two examples show how to verify the configuration of Fast Ethernet interface 5/6: Configuring LACP Standalone or Independent Mode Configuring the LACP System Priority and System ID Configuring EtherChannel Load Balancing Removing an Interface from an EtherChannel Removing an EtherChannel Displaying EtherChannel to a Virtual Switch System Understanding VSS Client Virtual Switch System Dual-Active Scenarios Dual-Active Detection Using Enhanced PAgP 22-17 Displaying EtherChannel Links to VSS Understanding Link-State Tracking Page 22-20 Configuring Link-State Tracking Default Link-State Tracking Configuration Link-State Tracking Configuration Guidelines Configuring Link-State Tracking Displaying Link-State Tracking Status Configuring IGMP Snooping and Filtering About IGMP Snooping Page Immediate-Leave Processing IGMP Configurable-Leave Timer IGMP Snooping Querier Explicit Host Tracking Configuring IGMP Snooping Default IGMP Snooping Configuration Enabling IGMP Snooping Globally Enabling IGMP Snooping on a VLAN Configuring Learning Methods Configuring PIM/DVMRP Learning Configuring CGMP Learning Configuring a Static Connection to a Multicast Router Enabling IGMP Immediate-Leave Processing Configuring the IGMP Leave Timer Configuring IGMP Snooping Querier Configuring Explicit Host Tracking Configuring a Host Statically Suppressing Multicast Flooding IGMP Snooping Interface Configuration IGMP Snooping Switch Configuration Displaying IGMP Snooping Information Displaying Querier Information Displaying IGMP Host Membership Information Displaying Group Information Displaying Multicast Router Interfaces Displaying MAC Address Multicast Entries Displaying IGMP Snooping Information on a VLAN Interface 23-19 This example shows how to display IGMP snooping information on VLAN 5: Displaying IGMP Snooping Querier Information To display IGMP Snooping Querier information, perform this task: This example shows how to display Snooping Querier information: Configuring IGMP Filtering Default IGMP Filtering Configuration Configuring IGMP Profiles Applying IGMP Profiles Setting the Maximum Number of IGMP Groups Displaying IGMP Filtering Configuration Configuring IPv6 MLD Snooping About MLD Snooping MLD Messages MLD Queries Multicast Client Aging Multicast Router Discovery MLD Reports MLD Done Messages and Immediate-Leave Topology Change Notification Processing Configuring IPv6 MLD Snooping Default MLD Snooping Configuration MLD Snooping Configuration Guidelines Enabling or Disabling MLD Snooping Configuring a Static Multicast Group Configuring a Multicast Router Port Enabling MLD Immediate Leave Configuring MLD Snooping Queries Disabling MLD Listener Message Suppression Displaying MLD Snooping Information Page Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling About 802.1Q Tunneling Configuring 802.1Q Tunneling 802.1Q Tunneling Configuration Guidelines Native VLANs System MTU 802.1Q Tunneling and Other Features Configuring an 802.1Q Tunneling Port About VLAN Mapping Deployment Example Page Mapping Customer VLANs to Service-Provider VLANs Configuring VLAN Mapping Default VLAN Mapping Configuration VLAN Mapping Configuration Guidelines Configuring VLAN Mapping One-to-One Mapping Traditional Q-in-Q on a Trunk Port Selective Q-in-Q on a Trunk Port About Layer 2 Protocol Tunneling Page Configuring Layer 2 Protocol Tunneling Default Layer 2 Protocol Tunneling Configuration Layer 2 Protocol Tunneling Configuration Guidelines Configuring Layer 2 Tunneling Page Monitoring and Maintaining Tunneling Status Page Configuring CDP About CDP Configuring CDP Enabling CDP Globally Displaying the CDP Global Configuration Enabling CDP on an Interface Displaying the CDP Interface Configuration Monitoring and Maintaining CDP Page Configuring LLDP, LLDP-MED, and Location Service About LLDP, LLDP-MED, and Location Service LLDP LLDP-MED Location Service Configuring LLDP and LLDP-MED, and Location Service Default LLDP Configuration Configuring LLDP Characteristics Disabling and Enabling LLDP Globally Disabling and Enabling LLDP on an Interface Configuring LLDP-MED TLVs Configuring Network-Policy Profile Configuring LLDP Power Negotiation Configuring Location TLV and Location Service Page Monitoring and Maintaining LLDP, LLDP-MED, and Location Service Page Configuring UDLD About UDLD UDLD Topology Fast UDLD Topology Operation Modes Default States for UDLD Default UDLD Configuration Configuring UDLD on the Switch Fast UDLD Guidelines and Restrictions Enabling UDLD Globally Enabling UDLD on Individual Interfaces Disabling UDLD on Individual Interfaces Disabling UDLD on a Fiber-Optic Interface Configuring a UDLD Probe Message Interval Globally Configuring a Fast UDLD Probe Message Interval per Interface Resetting Disabled LAN Interfaces 28-9 Displaying UDLD Link Status To verify link status reported by UDLD, enter the following command: To verify status for a particular link as reported by UDLD, enter the following command: To verify link status reported by Fast UDLD, enter the following command: 28-10 To verify status for a particular link as reported by Fast UDLD, enter the following command: Configuring Unidirectional Ethernet About Unidirectional Ethernet Configuring Unidirectional Ethernet Page Page Configuring Layer 3 Interfaces About Layer 3 Interfaces Logical Layer 3 VLAN Interfaces Physical Layer 3 Interfaces Understanding SVI Autostate Exclude Understanding Layer 3 Interface Counters Page Configuration Guidelines Configuring Logical Layer 3 VLAN Interfaces Configuring VLANs as Layer 3 Interfaces Configuring SVI Autostate Exclude Page Configuring IP MTU Sizes Configuring Layer 3 Interface Counters Page Configuring Physical Layer 3 Interfaces Configuring EIGRP Stub Routing About EIGRP Stub Routing Configuring EIGRP Stub Routing Dual-Homed Remote Topology Page X EIGRP Stub Routing Configuration Tasks Configuring EIGRP Stub Routing Verifying EIGRP Stub Routing Monitoring and Maintaining EIGRP EIGRP Configuration Examples Route Summarization Example Route Authentication Example Stub Routing Example Page Page Configuring Cisco Express Forwarding About CEF CEF Features Forwarding Information Base Adjacency Tables Adjacency Discovery Adjacency Resolution Adjacency Types That Require Special Handling Catalyst 4500 Series Switch Implementation of CEF Hardware and Software Switching Hardware Switching Software Switching Load Balancing Software Interfaces CEF Configuration Restrictions Configuring CEF Enabling CEF Configuring Load Balancing for CEF Configuring Per-Destination Load Balancing Configuring Load Sharing Hash Function Viewing CEF Information Monitoring and Maintaining CEF Displaying IP Statistics Page Page Configuring Unicast Reverse Path Forwarding About Unicast Reverse Path Forwarding How Unicast RPF Works Page Implementing Unicast RPF Security Policy and Unicast RPF Where to Use Unicast RPF Enterprise Networks with a Single Connection to an ISP Page Routing Table Requirements Where Not to Use Unicast RPF Unicast RPF with BOOTP and DHCP Restrictions Limitation Related Features and Technologies Prerequisites to Configuring Unicast RPF Unicast RPF Configuration Tasks Configuring Unicast RPF Verifying Unicast RPF Monitoring and Maintaining Unicast RPF Unicast RPF Configuration Example: Inbound and Outbound Filters Configuring IP Multicast About IP Multicast IP Multicast Protocols Internet Group Management Protocol Protocol-Independent Multicast PIM Dense Mode PIM Sparse Mode Bidirectional PIM Mode Rendezvous Point (RP) IGMP Snooping IP Multicast Implementation on the Catalyst 4500 Series Switch CEF, MFIB, and Layer 2 Forwarding Page IP Multicast Tables Page Hardware and Software Forwarding Partial Routes Software Routes Non-Reverse Path Forwarding Traffic Multicast Fast Drop Multicast Forwarding Information Base S/M, 224/4 Restrictions on Using Bidirectional PIM Configuring IP Multicast Routing Default Configuration in IP Multicast Routing Enabling IP Multicast Routing Enabling PIM on an Interface Enabling Dense Mode Enabling Sparse Mode Enabling Sparse-Dense Mode Enabling Bidirectional Mode Enabling PIM-SSM Mapping Configuring a Rendezvous Point Configuring Auto-RP Page Page Configuring a Single Static RP Page Load Splitting of IP Multicast Traffic Monitoring and Maintaining IP Multicast Routing Displaying System and Network Statistics Displaying the Multicast Routing Table 33-24 Note Interface timers are not updated for hardware-forwarded packets. Entry timers are updated 33-25 The following is sample output from the show ip mroute command with the active keyword: The following is sample output from the show ip mroute command with the count keyword: Displaying IP MFIB Displaying Bidirectional PIM Information Displaying PIM Statistics Clearing Tables and Databases Configuration Examples PIM Dense Mode Example PIM Sparse Mode Example Bidirectional PIM Mode Example Sparse Mode with a Single Static RP Example 33-30 Sparse Mode with Auto-RP: Example The following example configures sparse mode with Auto-RP: Configuring ANCP Client About ANCP Client Enabling and Configuring ANCP Client Identifying a Port with the ANCP Protocol Example 1 Example 2 Identifying a Port with DHCP Option 82 ANCP Guidelines and Restrictions Page Configuring Policy-Based Routing About Policy-Based Routing About PBR Understanding Route-Maps PBR Route-Map Processing Logic PBR Route-Map Processing Logic Example PBR on Supervisor Engine 6-E, Supervisor Engine 6L-E, Catalyst 4900M, and Catalyst 4948E PBR Flow Switching Using Policy-Based Routing Policy-Based Routing Configuration Tasks Enabling PBR Page Enabling Local PBR Unsupported Commands Policy-Based Routing Configuration Examples Equal Access 35-9 set default interface null0 to set interface null0. Differing Next Hops Deny ACE 35-10 Configuring VRF-lite About VRF-lite Default VRF-lite Configuration VRF-lite Configuration Guidelines Configuring VRFs Configuring VRF-Aware Services Configuring the User Interface for ARP Configuring the User Interface for PING Configuring the User Interface for SNMP Configuring the User Interface for uRPF Configuring the User Interface for Syslog Configuring the User Interface for Traceroute Configuring the User Interface for FTP and TFTP Configuring the User Interface for Telnet and SSH Configuring the User Interface for NTP Configuring Per-VRF for TACACS+ Servers Page Configuring Multicast VRFs Configuring a VPN Routing Session Configuring BGP PE to CE Routing Sessions VRF-lite Configuration Example 36-14 Configuring Switch S8 On switch S8, enable routing and configure VRF. 36-15 Configure OSPF routing in VPN1 and VPN2: Configure BGP for CE to PE routing: Configuring Switch S20 Configure S20 to connect to CE: 36-16 Configuring Switch S11 Configure S11 to connect to CE: Configuring the PE Switch S3 On switch S3 (the router), these commands configure only the connections to switch S8: Displaying VRF-lite Status Page Configuring Quality of Service About QoS Prioritization Page QoS Terminology Page Basic QoS Model Classification Page 37-8 Software Configuration GuideRelease 15.0(2)SG OL-23818-01 Chapter 37 Configuring Quality of Service About QoS Figure 37-3 Classification Flowchart Classification Based on QoS ACLs Classification Based on Class Maps and Policy Maps Policing and Marking Page 37-12 Software Configuration GuideRelease 15.0(2)SG OL-23818-01 Chapter 37 Configuring Quality of Service About QoS Figure 37-4 Policing and Marking Flowchart Internal DSCP Values Internal DSCP Sources Egress ToS and CoS Sources Mapping Tables Queueing and Scheduling Active Queue Management Sharing Link Bandwidth Among Transmit Queues Strict Priority / Low Latency Queueing Traffic Shaping Packet Modification Per-Port Per-VLAN QoS QoS and Software Processed Packets Configuring QoS on Supervisor Engines II-Plus, II+10GE, IV, V, V-10GE, 4924, 4948, and 4948-10GE Default QoS Configuration Page Enabling QoS Globally Enabling IP DSCP Rewrite Configuring a Trusted Boundary to Ensure Port Security Enabling Dynamic Buffer Limiting Enabling DBL Globally Selectively Enable DBL Enabling DBL on Specific IP DSCP Values Enabling DBL on Specific CoS Values Creating Named Aggregate Policers Page Configuring a QoS Policy Overview of QoS Policy Configuration Configuring a Class Map (Optional) Creating a Class Map Configuring Filtering in a Class Map Verifying Class-Map Configuration Configuring a Policy Map Creating a Policy Map Configuring Policy-Map Class Actions Page Page Page Verifying Policy-Map Configuration Attaching a Policy Map to an Interface Configuring CoS Mutation Configuring User-Based Rate-Limiting Page 37-39 37-40 Example 5 Assume that there are two active flows on FastEthernet interface 6/1: Note If you use the match flow ip source-address | destination-address command, these two flows are consolidated into one flow because they have the same source and destination address. Configuring Hierarchical Policers Page Enabling Per-Port Per-VLAN QoS 37-44 37-45 Enabling or Disabling QoS on an Interface Configuring VLAN-Based QoS on Layer 2 Interfaces Page Configuring the Trust State of Interfaces Configuring the CoS Value for an Interface Configuring DSCP Values for an Interface Configuring Transmit Queues Mapping DSCP Values to Specific Transmit Queues Allocating Bandwidth Among Transmit Queues Configuring Traffic Shaping of Transmit Queues Configuring a High Priority Transmit Queue Configuring DSCP Maps Configuring the CoS-to-DSCP Map Configuring the Policed-DSCP Map Configuring the DSCP-to-CoS Map Page Generated Auto-QoS Configuration Effects of Auto-QoS on the Configuration Enabling Auto-QoS for VoIP Displaying Auto-QoS Information Auto-QoS Configuration Example 37-61 Page MQC-Based QoS Configuration MQC-Based QoS on the Supervisor Engine 6-E and 6L-E Input Output Platform-Supported Classification Criteria and QoS Features Platform Hardware Capabilities Prerequisites for Applying a QoS Service Policy Restrictions for Applying a QoS Service Policy Classification Classification Statistics Policing Implementing Policing Platform Restrictions Marking Network Traffic Information about Marking Network Traffic Purpose of Marking Network Traffic Benefits of Marking Network Traffic Methods for Marking Traffic Attributes Marking Action Drivers Traffic Marking Procedure Flowchart Restrictions for Marking Network Traffic Multi-attribute Marking Support Hardware Capabilities for Marking Configuring the Policy-Map Marking Action Configuring Table Map-Based Unconditional Marking Configuring Policer Result-Based Conditional Marking Marking Statistics Shaping, Sharing (Bandwidth), Priority Queuing, Queue-Limiting and DBL Shaping Page Sharing (Bandwidth) Page Priority Queuing Page Queue-limiting Queue Memory Service Policy Association Queue Allocation Failure Active Queue Management by Using Dynamic Buffer Limiting Transmit Queue Statistics Policy Associations QoS Action Restrictions QoS Policy Priorities Qos Policy Merging Software QoS High Priority Packets Low Priority Packets Configuring CoS Mutation Configuring System Queue Limit Page Page Page Configuring Voice Interfaces About Voice Interfaces Cisco IP Phone Voice Traffic Cisco IP Phone Data Traffic Configuring a Port to Connect to a Cisco 7960 IP Phone Configuring Voice Ports for Voice and Data Traffic Page Overriding the CoS Priority of Incoming Frames Configuring Power Page Configuring Private VLANs About Private VLANs Purpose of a PVLAN PVLAN Terminology Page PVLANs across Multiple Switches Standard Trunk Ports Isolated PVLAN Trunk Ports Promiscuous PVLAN Trunk Ports PVLAN Modes Over Gigabit Etherchannel Private-VLAN Interaction with Other Features PVLANs and VLAN ACL/QoS PVLANs and Unicast, Broadcast, and Multicast Traffic PVLANs and SVIs Per-Virtual Port Error-Disable on PVLANs PVLAN Commands Configuring PVLANs Basic PVLAN Configuration Procedure Default Private-VLAN Configuration PVLAN Configuration Guidelines and Restrictions Page Page Configuring a VLAN as a PVLAN Associating a Secondary VLAN with a Primary VLAN Configuring a Layer 2 Interface as a PVLAN Promiscuous Port Configuring a Layer 2 Interface as a PVLAN Host Port Configuring a Layer 2 Interface as an Isolated PVLAN Trunk Port Page Configuring a Layer 2 Interface as a Promiscuous PVLAN Trunk Port Page Permitting Routing of Secondary VLAN Ingress Traffic Configuring PVLAN over EtherChannel Configuring a Layer 2 EtherChannel Configuring a Layer 2 Etherchannel as a PVLAN Promiscuous Port Page Configuring a Layer 2 EtherChannel as a PVLAN Host Port Configuring a Layer 2 EtherChannel as an Isolated PVLAN Trunk Port Configuring a Layer 2 Etherchannel as a Promiscuous PVLAN Trunk Port Page 39-30 Configuring 802.1X Port-Based Authentication About 802.1X Port-Based Authentication Device Roles 802.1X and Network Access Control Authentication Initiation and Message Exchange Ports in Authorized and Unauthorized States 40-6 802.1X Host Mode Single-Host Mode Multiple-Hosts Mode Multidomain Authentication Mode Multiauthentication Mode Pre-authentication Open Access 802.1X Violation Mode Using MAC Move Using MAC Replace Using 802.1X with VLAN Assignment Using 802.1X for Guest VLANs Usage Guidelines for Using 802.1X Authentication with Guest VLANs Usage Guidelines for Using 802.1X Authentication with Guest VLANs on Windows-XP Hosts Using 802.1X with MAC Authentication Bypass Feature Interaction Using 802.1X with Web-Based Authentication Using 802.1X with Inaccessible Authentication Bypass Using 802.1X with Unidirectional Controlled Port Unidirectional State Bidirectional State Using 802.1X with VLAN User Distribution Deployment Example Using 802.1X with Authentication Failed VLAN Assignment Usage Guidelines for Using Authentication Failed VLAN Assignment Using 802.1X with Port Security Using 802.1X Authentication with ACL Assignments and Redirect URLs Cisco Secure ACS and AV Pairs for URL-Redirect ACLs Using 802.1X with RADIUS-Provided Session Timeouts Using 802.1X with Voice VLAN Ports Using Multiple Domain Authentication and Multiple Authentication Page 802.1X Supplicant and Authenticator Switches with Network Edge Access Topology Deployment SSw Supplicant to ASw-switch Authenticator for clients ASw Authenticator How 802.1X Fails on a Port Supported Topologies Configuring 802.1X Port-Based Authentication Default 802.1X Configuration 802.1X Configuration Guidelines Enabling 802.1X Authentication Page Page 40-31 The following example illustrates when a port is authorized: Configuring Switch-to-RADIUS-Server Communication Page Configuring Multiple Domain Authentication and Multiple Authorization Page 40-36 40-37 This example shows how to verify the dot1x MDA settings on interface FastEthernet3/1: Note This example applies to Cisco IOS Release 12.2(50)SG and later releases. Configuring 802.1X Authentication with ACL Assignments and Redirect URLs Downloadable ACL Configuring the Switch for Downloadable ACL 40-39 Debug Commands for DACL The following command displays the contents of the downloadable ACL: Cisco ACS Configuration for DACL URL-Redirect 40-41 Configuring ACS Note A default port ACL must be configured on the interface. Configuring the Switch To configure the switch for URL redirect, follow these steps: Step 1 Configure the IP device tracking table. Guideline for DACL and URL Redirect Configuring a Downloadable Policy Configuring 802.1X Authentication with Per-User ACL and Filter-ID ACL Per-User ACL and Filter-ID ACL 40-45 Configuring the Switch To configure the switch for per-user ACL and filter-ID ACL: Step 1 Configure the IP device tracking table. Step 2 Configure static ACL for the interface. Per-User ACL Configuration in ACS Filter-Id Configuration in ACS Debug Commands for Per-User ACL and Filter-ID ACL Page Guidelines for Per-User ACL and Filter-ID ACL Configuring a Per-User ACL and Filter-ID ACL Configuring RADIUS-Provided Session Timeouts 40-52 Cisco IOS Release 12.2(46) or earlier Configuring MAC Move Configuring MAC Replace Configuring Violation Action Configuring 802.1X with Guest VLANs Page Page Configuring 802.1X with MAC Authentication Bypass Page Configuring 802.1X with Inaccessible Authentication Bypass Page Page 40-63 Configuring 802.1X with Unidirectional Controlled Port To configure unidirectional controlled port, perform this task: Page 40-65 Configuring 802.1X with VLAN User Distribution You will need to configure the switch and ACS to configure 802.1X with VLAN user distribution. Configuring the Switch To configure the switch, follow these steps: Step 1 Create a VLAN group on the switch. show commands ACS Configuration Configuring 802.1X with Authentication Failed Page Configuring 802.1X with Voice VLAN Configuring 802.1X with VLAN Assignment Cisco ACS Configuration for VLAN Assignment Enabling Fallback Authentication Page Page Page 40-77 40-78 Enabling Periodic Reauthentication Page Enabling Multiple Hosts Changing the Quiet Period Changing the Switch-to-Client Retransmission Time Setting the Switch-to-Client Frame-Retransmission Number Page Configuring an Authenticator and a Supplicant Switch with NEAT Configuring Switch as an Authenticator Cisco AV Pair Configuration Page Page Configuring Switch as a Supplicant Configuring NEAT with ASP Configuration Guidelines Manually Reauthenticating a Client Connected to a Port Initializing the 802.1X Authentication State Removing 802.1X Client Information Resetting the 802.1X Configuration to the Default Values Controlling Switch Access with RADIUS Understanding RADIUS RADIUS Operation RADIUS Change of Authorization Overview Change-of-Authorization Requests RFC 5176 Compliance Preconditions CoA Request Response Code Session Identification CoA ACK Response Code CoA NAK Response Code CoA Request Commands Session Reauthentication Session Termination CoA Disconnect-Request CoA Request: Disable Host Port CoA Request: Bounce-Port Configuring RADIUS Default RADIUS Configuration Identifying the RADIUS Server Host Page Page Configuring RADIUS Login Authentication Page Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Starting RADIUS Accounting Configuring Settings for All RADIUS Servers Configuring the Switch to Use Vendor-Specific RADIUS Attributes Page Configuring the Switch for Vendor-Proprietary RADIUS Server Communication Configuring CoA on the Switch Monitoring and Troubleshooting CoA Functionality Configuring RADIUS Server Load Balancing Displaying the RADIUS Configuration Displaying 802.1X Statistics and Status Displaying Authentication Details Determining the Authentication Methods Registered with the Auth Manager Displaying the Auth Manager Summary for an Interface Displaying the Summary of All Auth Manager Sessions on the Switch 40-115 Verifying the Auth Manager Session for an Interface The Auth manage session can be verified by using the show authentication sessions command: 40-116 Displaying MAB Details EPM Logging 40-118 Example 2 Configuring the PPPoE Intermediate Agent RFCs About PPPoE Intermediate Agent Enabling PPPoE IA on a Switch Configuring the Access Node Identifier for PPPoE IA on a Switch Configuring the Identifier String, Option, and Delimiter for PPPoE IA on an Switch Configuring the Generic Error Message for PPPoE IA on an Switch Enabling PPPoE IA on an Interface Configuring the PPPoE IA Trust Setting on an Interface Configuring PPPoE IA Rate Limiting Setting on an Interface Configuring PPPoE IA Vendor-tag Stripping on an Interface Configuring PPPoE IA Circuit-ID and Remote-ID on an Interface Enabling PPPoE IA for a Specific VLAN on an Interface Configuring PPPoE IA Circuit-ID and Remote-ID for a VLAN on an Interface Displaying Configuration Parameters Page 41-8 Clearing Packet Counters Debugging PPPoE Intermediate Agent Troubleshooting Tips Page Configuring Web-Based Authentication About Web-Based Authentication Device Roles Host Detection Session Creation Authentication Process Customization of the Authentication Proxy Web Pages Web-Based Authentication Interactions with Other Features Port Security Page Configuring Web-Based Authentication Default Web-Based Authentication Configuration Web-Based Authentication Configuration Guidelines and Restrictions Web-Based Authentication Configuration Task List Configuring the Authentication Rule and Interfaces Page Configuring AAA Authentication Configuring Switch-to-RADIUS-Server Communication Page Configuring the HTTP Server Customizing the Authentication Proxy Web Pages Page Specifying a Redirection URL for Successful Login Configuring the Web-Based Authentication Parameters Removing Web-Based Authentication Cache Entries Displaying Web-Based Authentication Status Configuring Port Security Port Security Commands About Port Security Secure MAC Addresses Maximum Number of Secure MAC Addresses Aging Secure MAC Addresses Sticky Addresses on a Port Violation Actions Invalid Packet Handling Configuring Port Security on Access Ports Configuring Port Security on Access Ports Page Page Examples of Port Security on Access Ports 43-11 Example 1: Setting Maximum Number of Secure Addresses Example 2: Setting a Violation Mode This example shows how to set the violation mode on the Fast Ethernet interface 3/12 to restrict. Example 3: Setting the Aging Timer 43-12 Example 4: Setting the Aging Timer Type Example 5: Configuring a Secure MAC Address 43-13 Example 6: Configuring Sticky Port Security Example 7: Setting a Rate Limit for Bad Packets Example 8: Clearing Dynamic Secure MAC Addresses Configuring Port Security on PVLAN Ports Configuring Port Security on an Isolated Private VLAN Host Port X Example of Port Security on an Isolated Private VLAN Host Port Configuring Port Security on a Private VLAN Promiscuous Port Example of Port Security on a Private VLAN Promiscuous Port Configuring Port Security on Trunk Ports Configuring Trunk Port Security Page Examples of Trunk Port Security Example 1: Configuring a Maximum Limit of Secure MAC Addresses for All VLANs 43-20 Example 2: Configuring a Maximum Limit of Secure MAC Addresses for Specific VLANs Example 3: Configuring Secure MAC Addresses in a VLAN Range This example shows how to configure a secure MAC-address in a VLAN on interface g1/1: Trunk Port Security Configuration Guidelines and Restrictions Port Mode Changes Configuring Port Security on Voice Ports Configuring Port Security on Voice Ports Page Examples of Voice Port Security Example 1: Configuring Maximum MAC Addresses for Voice and Data VLANs 43-26 Example 2: Configuring Sticky MAC Addresses for Voice and Data VLANs Voice Port Security Configuration Guidelines and Restrictions Displaying Port Security Settings Examples of Security Settings Example 1: Displaying Security Settings for the Entire Switch 43-29 Example 2: Displaying Security Settings for an Interface This example shows how to display port security settings for Fast Ethernet interface 5/1: Example 3: Displaying All Secure Addresses for the Entire Switch This example shows how to display all secure MAC addresses configured on all switch interfaces: 43-30 Example 4: Displaying a Maximum Number of MAC Addresses on an Interface Example 5: Displaying Security Settings on an Interface for a VLAN Range Example 6: Displaying Secured MAC Addresses and Aging Information on an Interface Example 7: Displaying Secured MAC Addresses for a VLAN Range on an Interface Configuring Port Security with Other Features/Environments DHCP and IP Source Guard 802.1X Authentication Configuring Port Security in a Wireless Environment Configuring Port Security over Layer 2 EtherChannel Port Security Configuration Guidelines and Restrictions Page Configuring Control Plane Policing and Layer 2 Control Packet QoS Configuring Control Plane Policing About Control Plane Policing General Guidelines for Control Plane Policing Configuring CoPP for Control Plane Traffic 44-5 The following example shows how to police CDP packets: Step 4 Step 5 Configuring CoPP for Data Plane and Management Plane Traffic Page Control Plane Policing Configuration Guidelines and Restrictions All supervisor engines Do not apply to Catalyst 4900M, Catalyst 4948E, Supervisor Engine 6-E, and Supervisor Engine 6L-E 44-9 Monitoring CoPP 44-10 To clear the counters on the control plane, enter the clear control-plane * command: To display all the CoPP access list information, enter the show access-lists command: Configuring Layer 2 Control Packet QoS Understanding Layer 2 Control Packet QoS Enabling Layer 2 Control Packet QoS Disabling Layer 2 Control Packet QoS Layer 2 Control Packet QoS Configuration Examples Page Layer 2 Control Packet QoS Guidelines and Restrictions Policing IPv6 Control Traffic 44-18 The following example shows how to policy to interface gi2/2 in the input direction: Configuring Dynamic ARP Inspection About Dynamic ARP Inspection ARP Cache Poisoning Purpose of Dynamic ARP Inspection Interface Trust State, Security Coverage and Network Configuration Relative Priority of Static Bindings and DHCP Snooping Entries Logging of Dropped Packets Rate Limiting of ARP Packets Port Channels Function Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection in DHCP Environments Page DAI Configuration Example Switch A 46-8 46-9 Switch B 46-10 Configuring ARP ACLs for Non-DHCP Environments Page 46-13 Configuring the Log Buffer Page Limiting the Rate of Incoming ARP Packets Page 46-18 46-19 Performing Validation Checks Page 46-21 Page Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts About DHCP Snooping Trusted and Untrusted Sources About the DHCP Snooping Database Agent Page Option 82 Data Insertion Circuit ID Suboption Frame Format Remote ID Suboption Frame Format Configuring DHCP Snooping Circuit ID Suboption Frame Format (for user-configured string): Remote ID Suboption Frame Format (for user-configured string): Default Configuration for DHCP Snooping Enabling DHCP Snooping Page Enabling DHCP Snooping on the Aggregration Switch Enabling DHCP Snooping and Option 82 Page Enabling DHCP Snooping on Private VLAN Configuring DHCP Snooping on Private VLAN Configuring DHCP Snooping with an Ethernet Channel Group Enabling the DHCP Snooping Database Agent Limiting the Rate of Incoming DHCP Packets Page 45-15 Configuration Examples for the Database Agent The following examples show how to configuration commands in the previous procedure: Example 1: Enabling the Database Agent Page Example 2: Reading Binding Entries from a TFTP File 45-18 Example 3: Adding Information to the DHCP Snooping Database Step 3 To manually add a binding to the DHCP snooping database, perform this task: Displaying DHCP Snooping Information Step 1 Step 2 command. Displaying a Binding Table Displaying the DHCP Snooping Configuration About IP Source Guard Configuring IP Source Guard Page Configuring IP Source Guard on Private VLANs Displaying IP Source Guard Information Displaying IP Source Binding Information Configuring IP Source Guard for Static Hosts About IP Source Guard for Static Hosts Configuring IPSG for Static Hosts on a Layer 2 Access Port Page 45-27 The following example displays all active IP-to-MAC binding entries for all interfaces: IPSG for Static Hosts on a PVLAN Host Port 45-29 Page Configuring Network Security with ACLs About ACLs Supported Features That Use ACLs Router ACLs Port ACLs Dynamic ACLs VLAN Maps Hardware and Software ACL Support Page TCAM Programming Algorithms Changing the Programming Algorithm Page Resizing the TCAM Regions Troubleshooting High CPU Due to ACLs Selecting Mode of Capturing Control Packets Guidelines and Restrictions Selecting Control Packet Capture TCAM Programming and ACLs for Supervisor Engine 6-E and Supervisor Engine 6L-E Layer 4 Operators in ACLs Restrictions for Layer 4 Operations Configuration Guidelines for Layer 4 Operations Layer 4 operation 6 stores gt 20 deny from ACL 102 Layer 4 operation 7 stores lt 9 deny from ACL 102 Layer 4 operation 8 stores range 11 13 deny from ACL 102 How ACL Processing Impacts CPU Page Configuring Unicast MAC Address Filtering Configuring Named MAC Extended ACLs Page Configuring EtherType Matching Configuring Named IPv6 ACLs Applying IPv6 ACLs to a Layer 3 Interface Configuring VLAN Maps VLAN Map Configuration Guidelines Creating and Deleting VLAN Maps Examples of ACLs and VLAN Maps Page Page Applying a VLAN Map to a VLAN Using VLAN Maps in Your Network Page Denying Access to a Server on Another VLAN Displaying VLAN Access Map Information Using VLAN Maps with Router ACLs Guidelines for Using Router ACLs and VLAN Maps on the Same VLAN Examples of Router ACLs and VLAN Maps Applied to VLANs ACLs and Switched Packets ACLs and Routed Packets Configuring PACLs Creating a PACL PACL Configuration Guidelines Removing the Requirement for a Port ACL Configuration Restrictions Debugging Considerations Webauth Fallback Configuring IPv4, IPv6, and MAC ACLs on a Layer 2 Interface Using PACL with Access-Group Mode Configuring Access-group Mode on Layer 2 Interface Applying ACLs to a Layer 2 Interface Displaying an ACL Configuration on a Layer 2 Interface Using PACL with VLAN Maps and Router ACLs Page Configuring RA Guard Introduction Deployment Configuring RA Guard Examples Usage Guidelines Page Page Support for IPv6 Finding Feature Information About IPv6 IPv6 Addressing and Basic Connectivity DHCP Security QoS Management Multicast Static Routes First-Hop Redundancy Protocols Unicast Routing RIP OSPF EIGRP IS-IS Multiprotocol BGP Tunneling IPv6 Default States Page Port Unicast and Multicast Flood Blocking About Flood Blocking Configuring Port Blocking Blocking Flooded Traffic on an Interface Resuming Normal Forwarding on a Port Page Configuring Storm Control About Storm Control Hardware-Based Storm Control Implementation Software-Based Storm Control Implementation Enabling Broadcast Storm Control 50-4 The following example shows how to enable storm control on interface: show interface counters storm-control command includes any multicast packets that were dropped. Enabling Multicast Storm Control This section includes these topics: Enabling Multicast Suppression on Catalyst 4900M, Catalyst 4948E, Supervisor Engine 6-E, and Supervisor Engine 6L-E, page 50-5 Enabling Multicast Suppression on the WS-X4515, WS-X4014, and WS-X4013+ Supervisor Enabling Multicast Suppression on the WS-X4515, WS-X4014, and WS-X4013+ Supervisor Engines Enabling Multicast Suppression on All Other Supervisor Engines Disabling Broadcast Storm Control Disabling Multicast Storm Control 50-8 Displaying Storm Control Note Use the show interface capabilities command to determine the mode in which storm control is Note Use the show interfaces counters storm-control command to display a count of discarded packets. The following example shows the output of the show storm-control command: the value is N/A for ports that perform suppression in hardware. Configuring SPAN and RSPAN About SPAN and RSPAN Page SPAN and RSPAN Concepts and Terminology SPAN Session Traffic Types Source Port Destination Port VLAN-Based SPAN SPAN Traffic SPAN and RSPAN Session Limits Default SPAN and RSPAN Configuration Configuring SPAN SPAN Configuration Guidelines and Restrictions Configuring SPAN Sources Configuring SPAN Destinations Monitoring Source VLANs on a Trunk Interface Configuration Scenario Verifying a SPAN Configuration CPU Port Sniffing Page Encapsulation Configuration Ingress Packets Access List Filtering ACL Configuration Guidelines Configuring Access List Filtering Packet Type Filtering Configuration Example Configuring RSPAN RSPAN Configuration Guidelines Creating an RSPAN Session Page Creating an RSPAN Destination Session Creating an RSPAN Destination Session and Enabling Ingress Traffic Removing Ports from an RSPAN Session Specifying VLANs to Monitor Specifying VLANs to Filter Page Displaying SPAN and RSPAN Status Page Configuring System Message Logging About System Message Logging Configuring System Message Logging System Log Message Format Default System Message Logging Configuration Disabling Message Logging Setting the Message Display Destination Device Synchronizing Log Messages Enabling and Disabling Timestamps on Log Messages Enabling and Disabling Sequence Numbers in Log Messages (Optional) Defining the Message Severity Level (Optional) Limiting Syslog Messages Sent to the History Table and to SNMP (Optional) Configuring UNIX Syslog Servers Logging Messages to a UNIX Syslog Daemon Configuring the UNIX System Logging Facility Displaying the Logging Configuration Onboard Failure Logging (OBFL) Prerequisites for OBFL Restrictions for OBFL Information About OBFL Overview of OBFL Information about Data Collected by OBFL OBFL Data Overview Temperature Operational Uptime 53-5 Operational Uptime Example Page Interrupts Message Logging Default Settings for OBFL Enabling OBFL Configuration Examples for OBFL Enabling OBFL Message Logging: Example OBFL Message Log: Example 53-11 OBFL Component Uptime Report: Example The following example shows how to display a summary report for component uptimes for module 2: OBFL Report for a Specific Time: Example 53-12 53-13 53-14 53-15 Page Configuring SNMP About SNMP SNMP Versions SNMP Manager Functions SNMP Agent Functions SNMP Community Strings Using SNMP to Access MIB Variables SNMP Notifications Configuring SNMP Default SNMP Configuration SNMP Configuration Guidelines Disabling the SNMP Agent Configuring Community Strings Page Configuring SNMP Groups and Users Page Configuring SNMP Notifications Page Page Setting the Agent Contact and Location Information Limiting TFTP Servers Used Through SNMP SNMP Examples Displaying SNMP Status Page Page Configuring NetFlow-lite About NetFlow Packet Sampling Feature Interaction System-wide Restrictions Interface-level Restrictions Monitor-level Restrictions Configuring Information about the External Collector Example Configuring Sampling Parameters Example Activating Sampling on an Interface or VLAN Page Page Display Commands 55-9 The following example shows how to display the total number of export packets sent: Clear Commands To clear statistics of a packet sampler at a monitor, use the following commands, as needed: Clear the statistics of a packet sampler at a datasource Page Configuring NetFlow About NetFlow Statistics Collection NDE Versions Information Derived from Hardware Information Derived from Software Assigning the Input and Output Interface and AS Numbers Assigning the Inferred Fields Assigning the Output Interface and Output-Related Inferred Fields Assigning the Input Interface and Input-Related Inferred Fields Feature Interaction of NetFlow Statistics with UBRL and Microflow Policing VLAN Statistics Configuring NetFlow Statistics Collection Checking for Required Hardware Enabling NetFlow Statistics Collection Configuring Switched/Bridged IP Flows Exporting NetFlow Statistics Managing NetFlow Statistics Collection Configuring an Aggregation Cache Verifying Aggregation Cache Configuration and Data Export Configuring a NetFlow Minimum Prefix Mask for Router-Based Aggregation Configuring the Minimum Mask of a Prefix Aggregation Scheme Configuring the Minimum Mask of a Destination-Prefix Aggregation Scheme Configuring the Minimum Mask of a Source-Prefix Aggregation Scheme Monitoring and Maintaining Minimum Masks for Aggregation Schemes Configuring NetFlow Aging Parameters 56-13 NetFlow Statistics Collection Configuration Example NetFlow Configuration Examples NetFlow Enabling Scheme Examples NetFlow Aggregation Configuration Examples Autonomous System Configuration Destination Prefix Configuration Prefix Configuration Protocol Port Configuration Source Prefix Configuration NetFlow Minimum Prefix Mask Router-Based Aggregation Scheme Examples Prefix Aggregation Scheme Destination-Prefix Aggregation Scheme Source-Prefix Aggregation Scheme Configuring Ethernet OAM and CFM About Ethernet CFM Ethernet CFM and OAM Definitions CFM Domain Page Maintenance Associations and Maintenance Points CFM Messages Crosscheck Function and Static Remote MEPs SNMP Traps and Fault Alarms Configuration Error List IP SLAs Support for CFM Configuring Ethernet CFM Ethernet CFM Default Configuration Ethernet CFM Configuration Guidelines Configuring the CFM Domain Page Page Configuring Ethernet CFM Crosscheck Page Configuring Static Remote MEP Configuring a Port MEP Page Configuring SNMP Traps Configuring Fault Alarms Page Configuring IP SLAs CFM Operation Manually Configuring an IP SLAs CFM Probe or Jitter Operation Page Configuring an IP SLAs Operation with Endpoint Discovery Page Page Configuring CFM on C-VLAN (Inner VLAN) Page Feature Support and Behavior Platform Restrictions and Limitations Understanding CFM ITU-T Y.1731 Fault Management Y.1731 Terminology Alarm Indication Signals Ethernet Remote Defect Indication Multicast Ethernet Loopback Configuring Y.1731 Fault Management Default Y.1731 Configuration Configuring ETH-AIS Page Using Multicast Ethernet Loopback Managing and Displaying Ethernet CFM Information Page About Ethernet OAM Protocol OAM Features OAM Messages Enabling and Configuring Ethernet OAM Ethernet OAM Default Configuration Ethernet OAM Configuration Guidelines Enabling Ethernet OAM on an Interface Enabling Ethernet OAM Remote Loopback Configuring Ethernet OAM Link Monitoring Page Page Page 57-42 Configuring Ethernet OAM Remote Failure Indications You can configure an error-disable action to occur on an interface when the following occur: Page Page Configuring Ethernet OAM Templates Page Page 57-48 Displaying Ethernet OAM Protocol Information 57-50 Ethernet CFM and Ethernet OAM Interaction Configuring Ethernet OAM Interaction with CFM Configuring the OAM Manager Enabling Ethernet OAM Example: Configuring Ethernet OAM and CFM Page Configuring Y.1731 (AIS and RDI) AIS and RDI Terminology About Y.1731 Server MEP Alarm Indication Signal Ethernet Remote Defect Indication Configuring Y.1731 Y.1731 Configuration Guidelines Configuring AIS Parameters Clearing MEP from the AIS Defect Condition Clearing SMEP from the AIS Defect Condition Displaying Y.1731 Information 58-7 Page Configuring Call Home About Call Home Obtaining Smart Call Home Configuring Call Home Configuring Contact Information Configuring Destination Profiles Copying a Destination Profile Subscribing to Alert Groups Page Configuring Periodic Notification Configuring Message Severity Threshold Configuring Syslog Pattern Matching Configuring General E-Mail Options Enabling Call Home Testing Call Home Communications Sending a Call Home Test Message Manually Sending a Call Home Alert Group Message Manually Sending a Request for an Analysis and Report Sending the Output of a Command Configuring and Enabling Smart Call Home Displaying Call Home Configuration Information 59-15 Example 59-2 Configured Call Home Information in Detail 59-16 Example 59-3 Available Call Home Alert Groups Example 59-4 E-Mail Server Status Information Example 59-5 Information for All Destination Profiles (Predefined and User-Defined) 59-17 Example 59-6 Information for a User-Defined Destination Profile Example 59-7 Call Home Statistics Call Home Default Settings Alert Group Trigger Events and Commands Page Page Message Contents Page Page Page Syslog Alert Notification in Long-Text Format Example 59-26 59-27 59-28 Syslog Alert Notification in XML Format Example 59-29 59-30 59-31 Page Configuring Cisco IOS IP SLA Operations Cisco IP SLA Commands About Cisco IOS IP SLA Using Cisco IOS IP SLAs to Measure Network Performance IP SLAs Responder and IP SLAs Control Protocol Response Time Computation for IP SLAs IP SLAs Operation Scheduling IP SLAs Operation Threshold Monitoring Configuring IP SLAs Operations IP SLA Default Configuration IP SLA Configuration Guidelines Configuring the IP SLAs Responder Analyzing IP Service Levels by Using the UDP Jitter Operation Page Analyzing IP Service Levels by Using the ICMP Echo Operation Page 60-13 To display IP SLAs operations configuration and results, perform one of these tasks: Monitoring IP SLAs Operations Step 8 Step 9 Page Configuring RMON About RMON 61-2 The switch supports these RMON groups (defined in RFC 1757): interface. Gigabit Ethernet interfaces for a specified polling interval. Configuring RMON Default RMON Configuration Configuring RMON Alarms and Events Page Configuring RMON Collection on an Interface Displaying RMON Status Performing Diagnostics Configuring Online Diagnostics Configuring On-Demand Online Diagnostics Scheduling Online Diagnostics Performing Diagnostics Starting and Stopping Online Diagnostic Tests Displaying Online Diagnostic Tests and Test Results 62-5 This example shows how to display the online diagnostic results for module 6: This example shows how to display the online diagnostic results details for module 6: ___________________________________________________________________________ 62-6 ___________________________________________________________________________ Displaying Data Path Online Diagnostics Test Results Line Card Online Diagnostics Troubleshooting with Online Diagnostics 62-9 To troubleshoot a faulty line card, follow these steps: Step 1 Enter the command show diagnostic result module 3. Power-On Self-Test Diagnostics Overview of Power-On Self-Test Diagnostics POST Result Example Page 62-13 62-14 The following example shows the output for a WS-X45-SUP6-E supervisor engine: 62-15 Power-On Self-Test Results for Supervisor Engine V-10GE POST on the Active Supervisor Engine POST Results on an Active Supervisor Engine Example 62-17 62-18 POST on a Standby Supervisor Engine 62-19 Display of the POST on a Standby Supervisor Engine Example 62-20 62-21 Contact Cisco Systems customer support team for more information. on power-up. Troubleshooting the Test Failures the POST tests. Page ROM Monitor Entering the ROM Monitor ROM Monitor Commands ROM Monitor Command Descriptions Configuration Register Changing the Configuration Register Manually Changing the Configuration Register Using Prompts Console Download Error Reporting Debug Commands Exiting the ROM Monitor Configuring WCCP Version 2 Services About WCCP Hardware Acceleration Understanding WCCP Configuration WCCP Features HTTP and Non-HTTP Services Support Multiple Routers Support MD5 Security Web Content Packet Return Restrictions for WCCP Configuring WCCP Configuring a Service Group Using WCCP Page Specifying a Web Cache Service Using Access Lists for a WCCP Service Group Setting a Password for a Router and Cache Engines Verifying and Monitoring WCCP Configuration Settings WCCP Configuration Examples Performing a General WCCP Configuration Example Running a Web Cache Service Example Running a Reverse Proxy Service Example Running TCP-Promiscuous Service Example Running Redirect Access-List Example Using Access Lists Example Setting a Password for a Switch and Content Engines Example 64-12 Verifying WCCP Settings Example WCCP unicast mode WCCP multicast mode Page Page Configuring MIB Support Determining MIB Support for Cisco IOS Releases Using Cisco IOS MIB Tools Downloading and Compiling MIBs Guidelines for Working with MIBs Downloading MIBs Compiling MIBs Enabling SNMP Support Page Page APPENDIX A Acronyms and Abbreviations Page Page Page Page Page Page Page INDEX Numerics A Page Page B C Page Page Page D Page Page E F G H I Page Page Page J K L Page M Page Page N O P Page Page Page Q R Page Page S Page Page Page Page T Page U V Page Page W Y