Manuals / Brands / Computer Equipment / Switch / Cisco Systems / Computer Equipment / Switch

Cisco Systems 6500, EA6500 Firewall Configuration Guidelines and Restrictions

1 570

Download 570 pages, 4.97 Mb

23-6

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E

78-14099-04

Chapter 23 Configuring Network Security

Configuring the Cisco IOS Firewall Feature Set

• Security server support

• Network address translation

• Neighbor router authentication

• Event logging

• User authentication and authorization

Note Catalyst 6500 series switches support the Intrusion Detection System Module (IDSM)

(WS-X6381-IDS). Catalyst 6500 series switches do not support the Cisco IOS firewall IDS feature,

which is configured with the ip audit command.

Firewall Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring the Cisco IOS firewall features:

Restrictions

• On other platforms, if you enter the ip inspect command on a port, CBAC modifies ACLs on other

ports to permit the inspected traffic to flow through the network device. On Catalyst 6500 series

switches, you must enter the mls ip inspect commands to permit traffic through any ACLs that

would deny the traffic through other ports. See the “Configuring CBAC on Catalyst 6500 Series

Switches” section on page 23-7.

• With Supervisor Engine 2 and PFC2, reflexive ACLs and CBAC have conflicting flow mask

requirements. When you configure CBAC on a switch with Supervisor Engine 2 and PFC2, reflexive

ACLs are processed in software on the MSFC2.

• CBAC is incompatible with VACLs. You can configure both CBAC and VACLs on the switch but

not in the same subnet (VLAN) or on the same interface.

Note The Intrusion Detection System Module (IDSM) uses VACLs to select traffic. To use the

IDSM in a subnet where CBAC is configured, enter the mls ip ids acl_name interface

command, where acl_name is configured to select traffic for the IDSM.

Guidelines

• To inspect Microsoft NetMeeting (2.0 or greater) traffic, turn on both h323 and tcp inspection.

• To inspect web traffic, turn on tcp inspection. To avoid reduced performance, do not turn on http

inspection to block Java.

• You can configure CBAC on physical ports configured as Layer 3 interfaces and on VLAN

interfaces.

• QoS and CBAC do not interact or interfere with each other.

Contents

Main Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page AAcronyms 1 Page Preface Audience Organization Page Related Documentation Conventions Obtaining Documentation and Submitting a Service Request Page Product Overview Configuring Embedded CiscoView Support Understanding Embedded CiscoView Installing and Configuring Embedded CiscoView Displaying Embedded CiscoView Information Page Command-Line Interfaces Accessing the CLI Accessing the CLI through the EIA/TIA-232 Console Interface Accessing the CLI through Telnet Performing Command Line Processing Performing History Substitution Cisco IOS Command Modes Displaying a List of Cisco IOS Commands and Syntax ROM-Monitor Command-Line Interface Configuring the Switch for the First Time Default Configuration Configuring the Switch Using the Setup Facility or the setup Command Setup Overview Configuring the Global Parameters 3-4 3-5 Note The examples in this section are intended as examples only. Your configuration might look differently depending on your system configuration. see the current interface summary. Press Return to accept the default (yes): Page Page Configuring Interfaces Page Using Configuration Mode Checking the Running Configuration Before Saving 3-11 Saving the Running Configuration Settings Reviewing the Configuration Configuring a Default Gateway Configuring a Static Route 3-13 Configuring a BOOTP Server Protecting Access to Privileged EXEC Commands Setting or Changing a Static Enable Password Using the enable password and enable secret Commands Setting or Changing a Line Password Setting TACACS+ Password Protection for Privileged EXEC Mode Encrypting Passwords Configuring Multiple Privilege Levels Setting the Privilege Level for a Command Changing the Default Privilege Level for Lines Logging In to a Privilege Level Exiting a Privilege Level Displaying the Password, Access Level, and Privilege Level Configuration Recovering a Lost Enable Password Modifying the Supervisor Engine Startup Configuration Understanding the Supervisor Engine Boot Configuration Understanding the Supervisor Engine Boot Process Understanding the ROM Monitor Configuring the Software Configuration Register Modifying the Boot Field and Using the boot Command Modifying the Boot Field Verifying the Configuration Register Setting Specifying the Startup System Image Understanding Flash Memory Flash Memory Features Security Features Flash Memory Configuration Process BOOTLDR Environment Variable CONFIG_FILE Environment Variable Controlling Environment Variables Setting the BOOTLDR Environment Variable Page Configuring EHSA Supervisor Engine Redundancy Supervisor Engine Redundant Operation Supervisor Engine Redundancy Requirements Synchronizing the Supervisor Engine Configurations Displaying the Supervisor Engine Redundancy Copying Files to the Redundant Supervisor Engine Page Page Configuring RPR and RPR+ Supervisor Engine Redundancy Understanding Supervisor Engine Redundancy Supervisor Engine Redundancy Overview RPR Operation RPR+ Operation Supervisor Engine Synchronization Supervisor Engine Redundancy Guidelines and Restrictions RPR+ Guidelines and Restrictions Restrictions Hardware Configuration Guidelines and Restrictions Configuration Mode Restrictions Configuring Supervisor Engine Redundancy Configuring RPR and RPR+ Synchronizing the Supervisor Engine Configurations 5-8 Displaying the Redundancy States To display the redundancy states, perform this task: This example shows how to display the redundancy states: Performing a Fast Software Upgrade Copying Files to an MSFC Configuring Interfaces Understanding Interface Configuration Using the Interface Command Page Configuring a Range of Interfaces Page Defining and Using Interface-Range Macros Configuring Optional Interface Features Configuring Ethernet Interface Speed and Duplex Mode Speed and Duplex Mode Configuration Guidelines Setting the Ethernet Interface Speed Setting the Interface Duplex Mode Configuring Link Negotiation on Gigabit Ethernet Ports Displaying the Speed and Duplex Mode Configuration Configuring Jumbo Frame Support Understanding Jumbo Frame Support Jumbo Frame Support Overview Ethernet Ports VLAN Interfaces Configuring MTU Sizes Configuring the MTU Size Configuring the Global LAN Port MTU Size Configuring IEEE 802.3Z Flow Control Configuring the Port Debounce Timer Adding a Description for an Interface Understanding Online Insertion and Removal Monitoring and Maintaining Interfaces Monitoring Interface Status Clearing Counters on an Interface Resetting an Interface Shutting Down and Restarting an Interface Page Configuring LAN Ports for Layer 2 Switching Understanding How Layer 2 Switching Works Understanding Layer 2 Ethernet Switching Layer 2 Ethernet Switching Overview Switching Frames Between Segments Understanding VLAN Trunks Trunking Overview Encapsulation Types Layer 2 LAN Port Modes Default Layer 2 LAN Interface Configuration Layer 2 LAN Interface Configuration Guidelines and Restrictions Configuring LAN Interfaces for Layer 2 Switching Configuring a LAN Port for Layer 2 Switching Configuring a Layer 2 Switching Port as a Trunk Preparing a Layer 2 Switching Port for Configuration as a Trunk Configuring the Layer 2 Switching Port as an ISL or 802.1Q Trunk Configuring the Layer 2 Trunk to Use DTP Configuring the Layer 2 Trunk Not to Use DTP Configuring the Default VLAN Configuring the 802.1Q Native VLAN Configuring the List of VLANs Allowed on a Trunk Configuring the List of Prune-Eligible VLANs Completing Trunk Configuration Verifying Layer 2 Trunk Configuration Configuration and Verification Examples Configuring a LAN Interface as a Layer 2 Access Port Page Configuring a Custom IEEE 802.1Q EtherType Field Value Page Page Configuring VTP Understanding How VTP Works Understanding the VTP Domain Understanding VTP Modes Understanding VTP Advertisements Understanding VTP Version 2 Understanding VTP Pruning Page VTP Default Configuration VTP Configuration Guidelines and Restrictions Configuring VTP Configuring VTP Global Parameters Configuring a VTP Password Enabling VTP Pruning Enabling VTP Version 2 Configuring the VTP Mode 8-9 This example shows how to configure the switch as a VTP client: This example shows how to disable VTP on the switch: 8-10 Displaying VTP Statistics This example shows how to display VTP statistics: Configuring VLANs Understanding How VLANs Work VLAN Overview VLAN Ranges Configurable VLAN Parameters Understanding Token Ring VLANs Token Ring TrBRF VLANs Token Ring TrCRF VLANs Page VLAN Default Configuration Page VLAN Configuration Guidelines and Restrictions Configuring VLANs VLAN Configuration Options VLAN Configuration in Global Configuration Mode VLAN Configuration in VLAN Database Mode Creating or Modifying an Ethernet VLAN Page Assigning a Layer 2 LAN Interface to a VLAN Configuring the Internal VLAN Allocation Policy Mapping 802.1Q VLANs to ISL VLANs Page Page Configuring Private VLANs Understanding How Private VLANs Work Private VLAN Configuration Restrictions and Guidelines Page Page Configuring Private VLANs Configuring a VLAN as a Private VLAN Associating Secondary VLANs with a Primary VLAN Mapping Secondary VLANs to the Layer 3 VLAN Interface of a Primary VLAN Configuring a Layer 2 Interface as a Private VLAN Host Port Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port Page Configuring Cisco IP Phone Support Understanding Cisco IP Phone Support Cisco IP Phone Connections Cisco IP Phone Voice Traffic Cisco IP Phone Data Traffic Cisco IP Phone Power Configurations Locally Powered Cisco IP Phones Inline-Powered Cisco IP Phones Default Cisco IP Phone Support Configuration Cisco IP Phone Support Configuration Guidelines and Configuring Cisco IP Phone Support Configuring Voice Traffic Support Page Configuring Data Traffic Support Configuring Inline Power Support Configuring Layer 3 Interfaces Configuring IP Routing and Addresses Page 12-4 Page Configuring IPX Routing and Network Numbers Configuring AppleTalk Routing, Cable Ranges, and Zones Configuring Other Protocols on Layer 3 Interfaces Configuring EtherChannels Understanding How EtherChannels Work EtherChannel Feature Overview Understanding How EtherChannels Are Configured EtherChannel Configuration Overview Understanding Manual EtherChannel Configuration Understanding PAgP EtherChannel Configuration Understanding IEEE 802.3ad LACP EtherChannel Configuration Page Understanding Port Channel Interfaces Understanding Load Balancing EtherChannel Feature Configuration Guidelines and Restrictions Configuring EtherChannels Configuring Port Channel Logical Interfaces for Layer 3 EtherChannels Configuring Channel Groups 13-9 keyword. This example shows how to verify the configuration of port channel interface 2: This example shows how to verify the configuration of Fast Ethernet port 5/6: Configuring the LACP System Priority and System ID Configuring EtherChannel Load Balancing Page Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling Understanding How 802.1Q Tunneling Works Page Page 802.1Q Tunneling Configuration Guidelines and Restrictions Configuring 802.1Q Tunneling Preconfiguration Tasks Configuring 802.1Q Tunnel Ports Configuring the Switch to Tag Native VLAN Traffic Understanding How Layer 2 Protocol Tunneling Works Configuring Support for Layer 2 Protocol Tunneling Page 14-10 This example shows how to display counter information for port 5/1: This example shows how to clear the Layer 2 protocol tunneling configuration from port 5/1: This example shows how to clear Layer 2 protocol tunneling port counters: Configuring STP and IEEE 802.1s MST Understanding How STP Works STP Overview Understanding the Bridge ID Bridge Priority Value Extended System ID STP MAC Address Allocation Understanding Bridge Protocol Data Units Election of the Root Bridge STP Protocol Timers Creating the Spanning Tree Topology STP Port States STP Port State Overview Page Blocking State Listening State Learning State Forwarding State Disabled State STP and IEEE 802.1Q Trunks Understanding How IEEE 802.1w RSTP Works IEEE 802.1w RSTP Overview RSTP Port Roles RSTP Port States Rapid-PVST Understanding How IEEE 802.1s MST Works IEEE 802.1s MST Overview MST-to-PVST Interoperability Page Common Spanning Tree MST Instances MST Configuration Parameters MST Regions MST Region Overview Boundary Ports IST Master Edge Ports Message Age and Hop Count Default STP Configuration STP and MST Configuration Guidelines Configuring STP Enabling STP Enabling the Extended System ID Configuring the Root Bridge Configuring a Secondary Root Bridge Configuring STP Port Priority Page Configuring STP Port Cost Configuring the Bridge Priority of a VLAN Page Configuring the Hello Time Configuring the Forward-Delay Time for a VLAN Configuring the Maximum Aging Time for a VLAN Enabling Rapid-PVST Specifying the Link Type Restarting Protocol Migration Configuring IEEE 802.1s MST Enabling MST 15-35 These examples show how to enable MST: Step 4 configuration mode. MST configuration submode Displaying MST Configurations 15-37 15-38 15-39 Configuring MST Instance Parameters Step 3 To configure MST instance parameters, perform these tasks: This example shows how to configure MST instance parameters: Step 1 Step 2 Configuring MST Instance Port Parameters Restarting Protocol Migration Page Page Configuring Optional STP Features Understanding How PortFast Works Understanding How BPDU Guard Works Understanding How PortFast BPDU Filtering Works Understanding How UplinkFast Works Understanding How BackboneFast Works Page Understanding How EtherChannel Guard Works Understanding How Root Guard Works Understanding How Loop Guard Works Page Enabling PortFast 16-9 To enable the default PortFast configuration, perform this task: This example shows how to enable the default PortFast configuration: Step 1 Step 2 Step 3 Verifies the effect on a specific port. Enabling PortFast BPDU Filtering Step 2 Note For PVST+ information, see Chapter 15, Configuring STP and IEEE 802.1s MST. Step 1 Enables BPDU filtering globally on the switch. Enabling BPDU Guard Enabling UplinkFast Enabling BackboneFast Enabling EtherChannel Guard Enabling Root Guard Enabling Loop Guard 16-16 Configuring IP Unicast Layer 3 Switching on Supervisor Engine 2 Understanding How Layer 3 Switching Works Understanding Hardware Layer 3 Switching on PFC2 and DFCs Understanding Layer 3-Switched Packet Rewrite Hardware Layer 3 Switching Examples Default Hardware Layer 3 Switching Configuration Layer 3 Switching Configuration Guidelines and Restrictions Configuring Hardware Layer 3 Switching Displaying Hardware Layer 3 Switching Statistics Configuring IP Multicast Layer 3 Switching Understanding How IP Multicast Layer 3 Switching Works IP Multicast Layer 3 Switching Overview Multicast Layer 3 Switching Cache IP Multicast Layer 3 Switching Flow Mask Layer 3-Switched Multicast Packet Rewrite Partially and Completely Switched Flows Partially Switched Flows with PFC1 or PFC2 Partially Switched Flows with PFC2 Completely Switched Flows Non-RPF Traffic Processing Non-RPF Traffic Overview Filtering of RPF Failures for Stub Networks Rate Limiting of RPF Failure Traffic NetFlow-Based Rate Limiting of RPF Failures CEF-Based Rate Limiting of RPF Failures Default IP Multicast Layer 3 Switching Configuration IP Multicast Layer 3 Switching Configuration Guidelines and PFC2 with MSCF2 PFC1 with MSFC or MSCF2 PFC1 and PFC2 General Restrictions Unsupported Features Configuring IP Multicast Layer 3 Switching Source Specific Multicast with IGMPv3, IGMP v3lite, and URD Enabling IP Multicast Routing Globally Enabling IP PIM on Layer 3 Interfaces Enabling IP Multicast Layer 3 Switching on Layer 3 Interfaces Configuring the Layer 3 Switching Global Threshold Enabling Installation of Directly Connected Subnets Enabling NetFlow-Based Rate Limiting of RPF Failures Enabling CEF-Based Rate Limiting of RPF Failures Enabling Shortcut-Consistency Checking Configuring ACL-Based Filtering of RPF Failures Displaying RPF Failure Rate-Limiting Information Displaying IP Multicast Layer 3 Hardware Switching Summary Page 18-16 Displaying the IP Multicast Routing Table hardware-switched interfaces. This example shows how to display the IP multicast routing table: Displaying IP Multicast Layer 3 Switching Statistics 18-18 This example shows how to display the IP multicast Layer 3 switching statistics: Using Debug Commands Table 18-2 IP Multicast Layer 3 Switching Debug Commands Command Description Clearing IP Multicast Layer 3 Switching Statistics Page Configuring IP Unicast Layer 3 Switching on Understanding How IP MLS Works IP MLS Overview IP MLS Flows Layer 3 MLS Cache Flow Masks Interaction Between Software Features and Flow Mask Behavior Layer 3-Switched Packet Rewrite IP MLS Operation Default IP MLS Configuration IP MLS Configuration Guidelines and Restrictions Configuring IP MLS Enabling IP MLS Globally Disabling and Enabling IP MLS on a Layer 3 Interface Displaying the Interface IP MLS Configuration Configuring the MLS Aging-Time Setting the Minimum IP MLS Flow Mask Displaying IP MLS Cache Entries Displaying IP MLS Information Displaying IP MLS Cache Entries for a Specific Destination Address Displaying Cache Entries for a Specific Source IP Address Displaying Entries for a Specific IP Flow Clearing IP MLS Cache Entries Displaying IP MLS Contention Table and Statistics Displaying the IP MLS Contention Table Displaying IP MLS VLAN Statistics Troubleshooting IP MLS Configuring IPX Unicast Layer 3 Switching on Understanding How IPX MLS Works IPX MLS Overview IPX MLS Flows Layer 3 MLS Cache Flow Masks Flow Mask Modes Flow Mask Mode and show mls entry Command Output Layer 3-Switched Packet Rewrite IPX MLS Operation Default IPX MLS Configuration Configuration Guidelines and Restrictions Configuring IPX MLS Enabling IPX MLS Globally Enabling IPX MLS on a Layer 3 Interface 20-7 To display the IPX MLS interface configuration, perform this task: Configuring the MLS Aging Time Configuring the Minimum IPX MLS Flow Mask Displaying IPX MLS Information Displaying IPX MLS Cache Entries Displaying All IPX MLS Cache Entries Displaying IPX MLS Cache Entries for a Specific Destination Address Displaying IPX MLS Cache Entries for a Specific Source Address Displaying IPX MLS Cache Entries for a Specific Interface Displaying IPX MLS Cache Entries for a Specific MAC Destination or Source Address Displaying the IPX MLS Contention Table Displaying IPX MLS VLAN Statistics Clearing IPX MLS Cache Entries Troubleshooting IPX MLS Configuring IGMP Snooping Understanding How IGMP Snooping Works IGMP Snooping Overview Joining a Multicast Group Page Leaving a Multicast Group Normal Leave Processing Fast-Leave Processing Understanding IGMP Snooping Querier Understanding IGMP Version 3 Support Default IGMP Snooping Configuration IGMP Snooping and IGMP Snooping Querier Configuration Guidelines and Restrictions Enabling the IGMP Snooping Querier Configuring IGMP Snooping Enabling IGMP Snooping Configuring IGMP Snooping Learning Configuring a Multicast Router Port Statically Configuring the IGMP Query Interval Enabling IGMP Fast-Leave Processing Configuring a Host Statically Displaying IGMP Snooping Information Displaying Multicast Router Interfaces Displaying MAC Address Multicast Entries Displaying IGMP Snooping Information for a VLAN Interface 21-14 Configuring RGMP Understanding How RGMP Works Default RGMP Configuration RGMP Configuration Guidelines and Restrictions Enabling RGMP on Layer 3 Interfaces Page Configuring Network Security ACL Configuration Guidelines Hardware and Software ACL Support Guidelines and Restrictions for Using Layer 4 Operators in ACLs Determining Layer 4 Operation Usage Determining Logical Operation Unit Usage Configuring the Cisco IOS Firewall Feature Set Cisco IOS Firewall Feature Set Support Overview Firewall Configuration Guidelines and Restrictions Restrictions Configuring CBAC on Catalyst 6500 Series Switches Configuring MAC Address-Based Traffic Blocking Configuring VLAN ACLs Understanding VACLs VACL Overview Bridged Packets Routed Packets Multicast Packets Configuring VACLs VACL Configuration Overview Defining a VLAN Access Map Configuring a Match Clause in a VLAN Access Map Sequence Configuring an Action Clause in a VLAN Access Map Sequence Applying a VLAN Access Map Verifying VLAN Access Map Configuration VLAN Access Map Configuration and Verification Examples Configuring a Capture Port Configuring VACL Logging Configuring TCP Intercept Configuring Unicast Reverse Path Forwarding Understanding Unicast RPF Support Configuring Unicast RPF Enabling Self-Pinging Configuring the Unicast RPF Checking Mode Configuring Unicast Flood Protection Configuring MAC Move Notification Page Page Configuring Denial of Service Protection DoS Protection Overview Configuring DoS Protection Supervisor Engine DoS Protection Security ACLs 24-3 When using security ACLs to drop DoS packets, note the following information: configured, you must merge the DoS security ACL with the existing security ACL. Security ACLs need to be configured on all external interfaces that require protection. Use the QoS ACLs configured, you must merge the rate-limiting ACL with the existing QoS ACL. Forwarding Information Base Rate-Limiting ARP Throttling Monitoring Packet Drop Statistics Monitoring Dropped Packets Using NetFlow Commands 24-7 Monitoring Dropped Packets Using Monitor Session Commands Page Configuring IEEE 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication Device Roles Authentication Initiation and Message Exchange Ports in Authorized and Unauthorized States Supported Topologies Default 802.1X Port-Based Authentication Configuration 802.1X Port-Based Authentication Guidelines and Restrictions Configuring 802.1X Port-Based Authentication Enabling 802.1X Port-Based Authentication Configuring Switch-to-RADIUS-Server Communication Page Enabling Periodic Reauthentication Manually Reauthenticating the Client Connected to a Port Initializing Authentication for the Client Connected to a Port Changing the Quiet Period Changing the Switch-to-Client Retransmission Time Setting the Switch-to-Client Retransmission Time for EAP-Request Frames Setting the Switch-to-Authentication-Server Retransmission Time for Layer 4 Packets Setting the Switch-to-Client Frame Retransmission Number Enabling Multiple Hosts Resetting the 802.1X Configuration to the Default Values Displaying 802.1X Status Page Configuring Port Security Understanding Port Security Default Port Security Configuration Port Security Guidelines and Restrictions Configuring Port Security Configuring Port Security on an Interface Configuring Port Security Aging Displaying Port Security Settings Page Configuring Layer 3 Protocol Filtering on Understanding How Layer 3 Protocol Filtering Works Configuring Layer 3 Protocol Filtering Enabling Layer 3 Protocol Filtering Configuring Layer 3 Protocol Filtering on a Layer 2 LAN Interface Verifying Layer 3 Protocol Filtering Configuration Page Configuring Traffic Storm Control Understanding Traffic Storm Control Default Traffic Storm Control Configuration Enabling Traffic Storm Control Page Displaying Traffic Storm Control Settings Configuring Broadcast Suppression Understanding How Broadcast Suppression Works Broadcast Suppression Configuration Guidelines and Enabling Broadcast Suppression Page Configuring CDP Understanding How CDP Works Configuring CDP Enabling CDP Globally Displaying the CDP Global Configuration Enabling CDP on a Port Displaying the CDP Interface Configuration Monitoring and Maintaining CDP Page Configuring PFC QoS Understanding How PFC QoS Works Hardware Supported by PFC QoS QoS Terminology Page Page 31-6 PFC QoS Feature Flowcharts Figure 31-1 show how traffic flows through the components that support PFC QoS features. FlexWAN traffic. FlexWAN interfaces CoS = 0 for all traffic (not configurable) FlexWAN interfaces 31-7 31-8 31-9 31-10 PFC QoS Feature Summary Ingress LAN Port Features Ingress OSM Port Features PFC QoS Features Egress LAN Port Features Ingress LAN Port Features Ingress LAN Port Trust States Marking at Untrusted Ingress LAN Ports Marking at Trusted Ingress LAN Ports Ingress LAN Port Scheduling and Congestion Avoidance Receive Queues Scheduling Congestion Avoidance Page PFC Marking and Policing C C S a Internal DSCP Values Internal DSCP Sources Egress DSCP and CoS Sources Policy Maps Policers Page Attaching Policy Maps Egress CoS and ToS Values LAN Egress Port Features Transmit Queues Scheduling and Congestion Avoidance 2q2t Ports 1p2q2t Ports 1p3q1t Ports 1p2q1t Ports Marking PFC QoS Statistics Data Export PFC QoS Default Configuration Page Page Page Page Page PFC QoS Configuration Guidelines and Restrictions Guidelines: Page Configuring PFC QoS Enabling PFC QoS Globally Enabling Queueing-Only Mode Creating Named Aggregate Policers Page Configuring a PFC QoS Policy PFC QoS Policy Configuration Overview Page Configuring MAC-Layer Named Access Lists (Optional) Configuring a Class Map (Optional) Creating a Class Map Configuring Filtering in a Class Map Verifying Class Map Configuration Configuring a Policy Map Creating a Policy Map Creating a Policy Map Class and Configuring Filtering Configuring Policy Map Class Actions Page Page Page Verifying Policy Map Configuration Attaching a Policy Map to an Interface Enabling or Disabling Microflow Policing Enabling Microflow Policing of Bridged Traffic Enabling or Disabling PFC Features on an Interface Enabling VLAN-Based PFC QoS on Layer 2 LAN Ports Configuring the Trust State of Ethernet LAN and OSM Ingress Ports Configuring the Ingress LAN Port CoS Value Configuring Standard-Queue Drop Threshold Percentages Configuring a Tail-Drop Receive Queue Configuring a WRED-Drop Transmit Queue Configuring a WRED-Drop and Tail-Drop Transmit Queue Configuring 1q4t/2q2t Tail-Drop Threshold Percentages Mapping CoS Values to Drop Thresholds Mapping CoS Values to Standard Receive-Queue Thresholds Mapping CoS Values to Standard Transmit-Queue Thresholds Mapping CoS Values to Strict-Priority Queues Mapping CoS Values to Tail-Drop Thresholds on 1q4t/2q2t LAN Ports Page Allocating Bandwidth Between LAN-Port Transmit Queues Setting the Receive-Queue Size Ratio on a 1p1q0t or 1p1q8t Ingress LAN Ports Setting the LAN-Port Transmit-Queue Size Ratio Configuring DSCP Value Maps Mapping Received CoS Values to Internal DSCP Values Mapping Received IP Precedence Values to Internal DSCP Values Mapping Internal DSCP Values to Egress CoS Values Configuring DSCP Markdown Values Page Configuring PFC QoS Statistics Data Export Enabling PFC QoS Statistics Data Export Globally Enabling PFC QoS Statistics Data Export for a Port Enabling PFC QoS Statistics Data Export for a Named Aggregate Policer Enabling PFC QoS Statistics Data Export for a Class Map Setting the PFC QoS Statistics Data Export Time Interval Configuring PFC QoS Statistics Data Export Destination Host and UDP Port Page Setting the PFC QoS Statistics Data Export Field Delimiter Page Configuring UDLD Understanding How UDLD Works UDLD Overview UDLD Aggressive Mode Default UDLD Configuration Configuring UDLD Enabling UDLD Globally Enabling UDLD on Individual LAN Interfaces Disabling UDLD on Fiber-Optic LAN Interfaces Configuring the UDLD Probe Message Interval Resetting Disabled LAN Interfaces Configuring NDE Understanding How NDE Works NDE Overview NDE from the MSFC NDE from the PFC Flow Masks NDE Versions Page Page MLS Cache Entries Sampled NetFlow Default NDE Configuration Configuring NDE Configuring NDE on the PFC Enabling NDE From the PFC Setting the Minimum IP MLS Flow Mask Populating Additional NDE Fields Configuring the MLS Aging Time Configuring Sampled NetFlow Configuring Sampled NetFlow Globally Configuring Sampled NetFlow on a Layer 3 Interface Configuring NDE on the MSFC Enabling NetFlow Configuring the MSFC NDE Source Layer 3 Interface Configuring the NDE Destination Displaying the NDE Address and Port Configuration Configuring NDE Flow Filters NDE Flow Filter Overview Configuring a Port Flow Filter Configuring a Host and Port Filter Configuring a Host Flow Filter Configuring a Protocol Flow Filter Clearing an NDE Flow Filter Displaying the NDE Configuration Page Configuring Local SPAN and RSPAN Understanding How Local SPAN and RSPAN Work Local SPAN and RSPAN Overview Local SPAN Overview RSPAN Overview Local SPAN and RSPAN Sessions Monitored Traffic Monitored Traffic Direction Monitored Traffic Type Duplicate Traffic SPAN Sources Local SPAN and RSPAN Configuration Guidelines and Local SPAN and RSPAN Session Limits Local SPAN and RSPAN Source and Destination Limits Local SPAN and RSPAN Guidelines and Restrictions VSPAN Guidelines and Restrictions RSPAN Guidelines and Restrictions Configuring Local SPAN and RSPAN Local SPAN and RSPAN Configuration Overview Configuring RSPAN VLANs Configuring Local or RSPAN Sources Monitoring Specific Source VLANs on a Source Trunk Port Configuring Local SPAN and RSPAN Destinations Configuring a Destination Port as an Unconditional Trunk Configuring a Local or RSPAN Destination Verifying the Configuration Configuration Examples Page Configuring Web Cache Services Using WCCP Understanding WCCP WCCP Overview Hardware Acceleration Understanding WCCPv1 Configuration Understanding WCCPv2 Configuration WCCPv2 Features Support for Non-HTTP Services Support for Multiple Routers MD5 Security Web Cache Packet Return Load Distribution Restrictions for WCCPv2 Configuring WCCP Specifying a Version of WCCP Configuring a Service Group Using WCCPv2 Specifying a Web Cache Service Excluding Traffic on a Specific Interface from Redirection Registering a Router to a Multicast Address Using Access Lists for a WCCP Service Group Setting a Password for a Router and Cache Engines Verifying and Monitoring WCCP Configuration Settings WCCP Configuration Examples 35-13 Changing the Version of WCCP on a Router Example Performing a General WCCPv2 Configuration Example The following example shows a general WCCPv2 configuration session: Running a Web Cache Service Example The following example shows a web cache service configuration session: Running a Reverse Proxy Service Example Registering a Router to a Multicast Address Example Using Access Lists Example 35-15 Setting a Password for a Router and Cache Engines Example The following example shows a WCCPv2 password configuration session where the password is alaska1: Verifying WCCP Settings Example 35-16 Configuring SNMP IfIndex Persistence Understanding SNMP IfIndex Persistence Configuring SNMP IfIndex Persistence Enabling and Disabling SNMP IfIndex Persistence Globally Enabling and Disabling SNMP IfIndex Persistence on Specific Interfaces Configuration Examples Enabling SNMP IfIndex Persistence on All Interfaces Example Enabling SNMP IfIndex Persistence on a Specific Interface Example Disabling SNMP IfIndex Persistence on a Specific Interface Example Clearing SNMP IfIndex Persistence Configuration from a Specific Interface Example Configuring the Switch Fabric Module Understanding How the Switch Fabric Module Works Switch Fabric Module Overview Switch Fabric Module Slots Switch Fabric Redundancy Forwarding Decisions for Layer 3-Switched Traffic Switching Modes Configuring the Switch Fabric Module Configuring the Switching Mode Configuring Fabric-Required Mode Configuring an LCD Message Monitoring the Switch Fabric Module Displaying the Module Information Displaying the Switch Fabric Module Redundancy Status Displaying Fabric Channel Switching Modes Displaying the Fabric Status Displaying the Fabric Utilization Displaying Fabric Errors 37-8 This example shows how to display fabric errors on all modules: Power Management and Environmental Monitoring Understanding How Power Management Works Enabling or Disabling Power Redundancy Using the CLI to Power Modules Off and On Using the CLI to View System Power Status Using the CLI to Power Cycle Modules Determining System Power Requirements Understanding How Environmental Monitoring Works Using CLI Commands to Monitor System Environmental Status Understanding LED Environmental Indications Page Page APPENDIX A Acronyms Page Page Page Page Page Page Page INDEX Numerics A B C D E F G H I Page Page J K L M N O P Page Q R S Page Page Page T U V W