Manuals / Brands / Computer Equipment / Switch / Cisco Systems / Computer Equipment / Switch

Cisco Systems WSC4500X16SFP Denying Access to a Server on Another VLAN

1 680

Download 680 pages, 6.85 Mb

33-18

Software Configuration Guide—Release 12.2(25)SG

OL-7659-03

Chapter33 Configuring Network Security with ACLs

Configuring VLAN Maps

Denying Access to a Server on Another VLAN

Figure 33-4 shows how to restrict access to a server on another VLAN. In this example, server

10.1.1.100 in VLAN 10 has the following access restrictions:

•Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.

•Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.

Figure33-4 Deny Access to a Server on Another VLAN

This procedure configures ACLs with VLAN maps to deny access to a s erver on another VLAN. The

VLAN map SERVER 1_ACL denies access to hosts in subnet 10.1.2.0/8, host 10.1.1.4, and host

10.1.1.8. Then it permits all other IP traffic. In Step 3, VLAN map SE RVER1 is applied to VLAN 10.

To configure this scenario, you could take the following steps:

Step1 Define the IP ACL to match and permit the correct packets.

Switch(config)# ip access-list extended SERVER1_ACL

Switch(config-ext-nacl))# permit ip 10.1.2.0 0.0.0.255 host 10.1.1.100

Switch(config-ext-nacl))# permit ip host 10.1.1.4 host 10.1.1.100

Switch(config-ext-nacl))# permit ip host 10.1.1.8 host 10.1.1.100

Switch(config-ext-nacl))# exit

Step2 Define a VLAN map using the ACL to drop IP packets that match SERVER1_ACL and forward IP

packets that do not match the ACL.

Switch(config)# vlan access-map SERVER1_MAP

Switch(config-access-map)# match ip address SERVER1_ACL

Switch(config-access-map)# action drop

Switch(config)# vlan access-map SERVER1_MAP 20

Switch(config-access-map)# action forward

Switch(config-access-map)# exit

Step3 Apply the VLAN map to VLAN 10.

Switch(config)# vlan filter SERVER1_MAP

vlan-list 10.

Catalyst 4500 series switch Host (VLAN 20)

Host (VLAN 10)

Server (VLAN 10)

94155

VLAN map

Subnet

10.1.2.0/8

10.1.1.100

10.1.1.4

10.1.1.8

Packet

Contents

Main Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Preface Audience Organization Page Related Documentation Conventions Commands in Task Tables Obtaining Documentation Cisco.com Product Documentation DVD Ordering Documentation Documentation Feedback Cisco Product Security Overview Reporting Security Problems in Cisco Products Obtaining Technical Assistance Cisco Technical Support & Documentation Website Submitting a Service Request Definitions of Service Request Severity Obtaining Additional Publications and Information Page Product Overview Layer 2 Software Features 802.1Q and Layer 2 Protocol Tunneling CDP EtherChannel Bundles Jumbo Frames MST PVRST+ QoS Spanning Tree Protocol SSO UBRL UDLD Unidirectional Ethernet VLANs Layer 3 Software Features CEF HSRP IP Routing Protocols RIP OSPF IS-IS IGRP EIGRP BGP Multicast Services Policy-Based Routing Unidirectional Link Routing VRF-lite Management Features Cisco Network Assistant and Embedded CiscoView Dynamic Host Control Protocol Forced 10/100 Autonegotiation Intelligent Power Management NetFlow Statistics Secure Shell Simple Network Management Protocol SPAN and RSPAN Security Features Network Admission Control (NAC) 802.1X Identity-Based Network Security Dynamic ARP Inspection Dynamic Host Configuration Protocol Snooping Flood Blocking IP Source Guard Local Authentication, RADIUS, and TACACS+ Authentication Network Security with ACLs Port Security Storm Control Utilities Layer 2 Traceroute Time Domain Reflectometry Debugging Features Page Command-Line Interfaces Accessing the Switch CLI Accessing the CLI Using the EIA/TIA-232 Console Interface Accessing the CLI Through Telnet Performing Command-Line Processing Performing History Substitution Understanding Cisco IOS Command Modes Getting a List of Commands and Syntax ROMMOM Command-Line Interface Configuring the Switch for the First Time Default Switch Configuration Configuring DHCP-Based Autoconfiguration Understanding DHCP-Based Autoconfiguration DHCP Client Request Process Configuring the DHCP Server Configuring the TFTP Server Configuring the DNS Server Configuring the Relay Device Obtaining Configuration Files Example Configuration Configuring the Switch Using Configuration Mode to Configure Your Switch Verifying the Running Configuration Settings 3-10 Saving the Running Configuration Settings to Your Start-Up File ! Reviewing the Configuration in NVRAM Configuring a Default Gateway Configuring a Static Route Page Controlling Access to Privileged EXEC Commands Setting or Changing a Static enable Password Using the enable password and enable secret Commands Setting or Changing a Privileged Password Setting TACACS+ Password Protection for Privileged EXEC Mode Encrypting Passwords Configuring Multiple Privilege Levels Setting the Privilege Level for a Command Changing the Default Privilege Level for Lines Logging In to a Privilege Level Exiting a Privilege Level Displaying the Password, Access Level, and Privilege Level Configuration Recovering a Lost Enable Password Modifying the Supervisor Engine Startup Configuration Understanding the Supervisor Engine Boot Configuration Understanding the ROM Monitor Configuring the Software Configuration Register Modifying the Boot Field and Using the boot Command Modifying the Boot Field Verifying the Configuration Register Setting Specifying the Startup System Image Using Flash Memory Flash Memory Features Security Precautions Configuring Flash Memory Controlling Environment Variables Resetting a Switch to Factory Default Settings Page Configuring Interfaces Overview of Interface Configuration Using the interface Command 4-3 in the preceding line you can specify either fastethernet 5/5 or fastethernet5/5. keyword, interface type, slot number, and interface number in global configuration mode: Note You do not need to add a space between the interface type and interface number. For example, Configuring a Range of Interfaces Defining and Using Interface-Range Macros Deploying 10-Gigabit Ethernet and a Gigabit Ethernet SFP Ports Configuring Optional Interface Features Configuring Ethernet Interface Speed and Duplex Mode Speed and Duplex Mode Configuration Guidelines Setting the Interface Speed Setting the Interface Duplex Mode Displaying the Interface Speed and Duplex Mode Configuration Adding a Description for an Interface Configuring Jumbo Frame Support Ports and Modules that Support Jumbo Frames Understanding Jumbo Frame Support Jumbo Frame Support Overview Ethernet Ports VLAN Interfaces Configuring MTU Sizes Interacting with the Baby Giants Feature Understanding Online Insertion and Removal Monitoring and Maintaining the Interface Monitoring Interface and Controller Status Clearing and Resetting the Interface Shutting Down and Restarting an Interface Configuring Interface Link Status and Trunk Status Events Configuring Link Status Event Notification for an Interface Global Settings Configuring a Switch Global Link Status Logging Event 4-17 Result Page Checking Port Status and Connectivity Checking Module Status Checking Interfaces Status Displaying MAC Addresses Checking Cable Status Using TDR Overview Running the TDR Test Guidelines Using Telnet Changing the Logout Timer Monitoring User Sessions Using Ping Understanding How Ping Works Running Ping Using IP Traceroute Understanding How IP Traceroute Works Running IP Traceroute Using Layer 2 Traceroute Layer 2 Traceroute Usage Guidelines Running Layer 2 Traceroute Configuring ICMP Enabling ICMP Protocol Unreachable Messages Enabling ICMP Redirect Messages Enabling ICMP Mask Reply Messages Page Configuring Supervisor Engine Redundancy Using RPR and SSO Understanding Cisco IOS NSF-Awareness Support Understanding Supervisor Engine Redundancy Overview RPR Operation SSO Operation Page Understanding Supervisor Engine Redundancy Synchronization RPR Supervisor Engine Configuration Synchronization SSO Supervisor Engine Configuration Synchronization Supervisor Engine Redundancy Guidelines and Restrictions Configuring Supervisor Engine Redundancy Configuring Redundancy 6-9 This example shows how to display redundancy facility state information: Synchronizing the Supervisor Engine Configurations Performing a Manual Switchover Performing a Software Upgrade Page Manipulating Bootflash on the Redundant Supervisor Engine Page Page Environmental Monitoring and Power Management Understanding Environmental Monitoring Using CLI Commands to Monitor your Environment System Alarms Power Management Power Management for the Catalyst 4948 Switches Power Management Modes Power Management for the Catalyst 4500 Series Switches Supported Power Supplies Power Management Modes Selecting a Power Management Mode Power Management Limitations in Catalyst 4500 Series Switches Page Configuring Redundant Mode on a Catalyst 4500 Series Switch Configuring Combined Mode on a Catalyst 4500 Series Switch Insufficient Inline Power Handling for Supervisor Engine II-TS 7-11 Available Power for Catalyst 4500 Series Switches Power Supplies Special Considerations for the 1400 W DC Power Supply Configuring the DC Input for a Power Supply Special Considerations for the 1400 W DC SP Triple Input Power Supply Special Considerations for the 4200 W AC Power Supply Page Power Management for the Catalyst 4006 Switch Limitations of the 1+1 Redundancy Mode Setting the Power Redundancy Mode Power Consumption of Chassis Components Powering Down a Module Page Configuring Power over Ethernet Power Management Modes Configuring Power Consumption for Powered Devices on an Interface Overview Page Intelligent Power Management PoE and Supported Cabling Topology Displaying the Operational Status for an Interface 8-7 This example shows how to display the operational status for all interfaces on module 3. This example shows how to display the operational status for Fast Ethernet interface 4/1: Displaying the PoE Consumed by a Module Page 8-9 8-10 8-11 Page Configuring Switches with Web-Based Tools Configuring and Using the Network Assistant Installation Requirements Software and Hardware Requirements Page Network Assistant-Related Features and Their Defaults Overview of the CLI Commands Installing Network Assistant Getting Started with Network Assistant Launching the Network Assistant Connecting Network Assistant to a Device Using Community Mode to Manage a Network Candidate and Member Characteristics Automatic Discovery of Candidates and Members Community Names Hostnames Passwords Communication Protocols Access Modes in Network Assistant Community Information Converting a Cluster into a Community Using Cluster Mode to Manage a Network of Switches Understanding Switch Clusters Clustering Overview Cluster Command Switch Characteristics Network Assistant and VTY Candidate Switch and Cluster Member Switch Characteristics Using the CLI to Manage Switch Clusters Configuring Network Assistant in Community or Cluster Mode Configuring Network Assistant in on a Networked Switch in Community Mode 9-16 This example shows how to configure Network Assistant on a networked switch in community m ode: Step16 Step17 Step21 Step18 9-17 Configuring Network Assistant in a Networked Switch in Cluster Mode 9-19 Step16 Step23 Step20 Step17 9-20 Configuring Embedded CiscoView Support Understanding Embedded CiscoView Installing and Configuring Embedded CiscoView Page 9-23 Displaying Embedded CiscoView Information 9-25 The following example shows how to display the Embedded CiscoView file and version information: Page Understanding and Configuring VLANs, VTP, and VMPS VLANs Overview of VLANs Page VLAN Configuration Guidelines and Restrictions VLAN Ranges Configurable Normal-Range VLAN Parameters VLAN Default Configuration Configuring VLANs Configuring VLANs in Global Configuration Mode Page Configuring VLANs in VLAN Database Mode Assigning a Layer 2 LAN Interface to a VLAN VLAN Trunking Protocol Overview of VTP Understanding the VTP Domain Understanding VTP Modes Understanding VTP Advertisements Understanding VTP Version 2 Understanding VTP Pruning Page VTP Configuration Guidelines and Restrictions VTP Default Configuration Configuring VTP Configuring VTP Global Parameters Configuring a VTP Password Enabling VTP Pruning Enabling VTP Version 2 Configuring the Switch as a VTP Server Configuring the Switch as a VTP Client Disabling VTP (VTP Transparent Mode) Displaying VTP Statistics VLAN Membership Policy Server Overview of VMPS Understanding the VMPS Server Security Modes for VMPS Server Open Mode Secure Mode Multiple Mode Fallback VLAN Illegal VMPS Client Requests Overview of VMPS Clients Understanding Dynamic VLAN Membership Default VMPS Client Configuration Configuring a Switch as a VMPS Client Configuring the IP Address of the VMPS Server 10-22 Configuring Dynamic Access Ports on a VMPS Client Verifies the entry. To configure a dynamic access port on a VMPS client switch, perform this task: This example shows how to configure a dynamic access port and to verify the entry: Step1 Step2 Voice Ports Reconfirming VLAN Memberships Configuring Reconfirmation Interval Configuring the Retry Interval Administering and Monitoring the VMPS Troubleshooting Dynamic Port VLAN Membership 10-26 Dynamic Port VLAN Membership Configuration Example Catalyst 4500 series XL Switch 2 (running Catalyst IOS) Catalyst 4500 series XL Switch 9 (running Catalyst IOS) address 172.20.22.7. Page Page 10-29 VMPS Database Configuration File Example 10-30 Configuring Layer 2 Ethernet Interfaces Overview of Layer 2 Ethernet Switching Understanding Layer 2 Ethernet Switching Switching Frames Between Segments Building the MAC Address Table Understanding VLAN Trunks Encapsulation Types Layer 2 Interface Modes Default Layer 2 Ethernet Interface Configuration Layer 2 Interface Configuration Guidelines and Restrictions Configuring Ethernet Interfaces for Layer 2 Switching Configuring an Ethernet Interface as a Layer 2 Trunk 11-7 This example shows how to verify the running configuration: This example shows how to verify the switch port configuration: This example shows how to verify the trunk configuration: Step11 Configuring an Interface as a Layer 2 Access Port 11-9 This example shows how to verify the running configuration: Displays the switch port configuration of the interface. This example shows how to verify the switch port configuration: Clearing Layer 2 Configuration To clear the Layer 2 configuration on an interface, perform this task: This example shows how to clear the Layer 2 configuration on the Fast Ethernet interface 5/6: Step1 Specifies the interface to clear. Page Configuring SmartPort Macros Understanding SmartPort Macros Configuring Smart-Port Macros Default SmartPort Macro Configuration cisco-desktop cisco-phone 12-3 cisco-switch This is the example for the cisco-switch macr o: cisco-router This is the example for the cisco-router macro: SmartPort Macro Configuration Guidelines Creating and Applying SmartPort Macros cisco-desktop 12-6 cisco-phone Note This macro requires the $AVID and $VVID keywords, which are the access and voice VLANs of the port. 12-7 cisco-switch Note This macro requires the $NVID keyword, which is the native VLANs of the port. cisco-router Note This macro requires the $NVID keyword, which is the native VLANs of the port. Displaying SmartPort Macros Understanding and Configuring STP Overview of STP Understanding the Bridge ID Bridge Priority Value Extended System ID STP MAC Address Allocation Bridge Protocol Data Units Election of the Root Bridge STP Timers Creating the STP Topology STP Port States MAC Address Allocation STP and IEEE 802.1Q Trunks Per-VLAN Rapid Spanning Tree Default STP Configuration Configuring STP Enabling STP Enabling the Extended System ID Configuring the Root Bridge Page 13-11 Now, you can set the switch as the root: This is the configuration after the switch becomes the root: Configuring a Secondary Root Switch Configuring STP Port Priority 13-14 Configuring STP Port Cost Configuring the Bridge Priority of a VLAN Configuring the Hello Time Configuring the Maximum Aging Time for a VLAN Configuring the Forward-Delay Time for a VLAN Disabling Spanning Tree Protocol Enabling Per-VLAN Rapid Spanning Tree Specifying the Link Type Restarting Protocol Migration Page Configuring STP Features Overview of Root Guard Enabling Root Guard Overview of Loop Guard Enabling Loop Guard Overview of PortFast Enabling PortFast Overview of BPDU Guard Enabling BPDU Guard Overview of PortFast BPDU Filtering Enabling PortFast BPDU Filtering Page Overview of UplinkFast Enabling UplinkFast Overview of BackboneFast Page Page Enabling BackboneFast 14-16 This example shows how to display the total lines of the spanning tree state section: Understanding and Configuring Multiple Spanning Trees Overview of MST IEEE 802.1s MST IEEE 802.1w RSTP RSTP Port Roles RSTP Port States MST-to-SST Interoperability Common Spanning Tree MST Instances MST Configuration Parameters MST Regions MST Region Overview Boundary Ports IST Master Edge Ports Message Age and Hop Count MST-to-PVST+ Interoperability MST Configuration Restrictions and Guidelines Configuring MST Enabling MST 15-10 15-11 Configuring MST Instance Parameters X Step2 X Step1 Configuring MST Instance Port Parameters Restarting Protocol Migration 15-13 Displaying MST Configurations Displays VLAN information in MST mode. Step6 instance-id Step5 15-14 15-15 Page Understanding and Configuring EtherChannel Overview of EtherChannel Understanding Port-Channel Interfaces Understanding How EtherChannels Are Configured EtherChannel Configuration Overview Understanding Manual EtherChannel Configuration Understanding PAgP EtherChannel Configuration Understanding IEEE 802.3ad LACP EtherChannel Configuration Page Understanding Load Balancing EtherChannel Configuration Guidelines and Restrictions Configuring EtherChannel Configuring Layer 3 EtherChannels Creating Port-Channel Logical Interfaces Configuring Physical Interfaces as Layer 3 EtherChannels 16-8 Step5 Step6 port_channel_number Configuring Layer 2 EtherChannels Page 16-11 Configuring the LACP System Priority and System ID Configuring EtherChannel Load Balancing Removing an Interface from an EtherChannel Removing an EtherChannel Configuring IGMP Snooping and Filtering Overview of IGMP Snooping Page Immediate-Leave Processing Explicit Host Tracking Configuring IGMP Snooping Default IGMP Snooping Configuration Enabling IGMP Snooping Configuring Learning Methods Configuring PIM/DVMRP Learning Configuring CGMP Learning Configuring a Multicast Router Port Statical Enabling IGMP Immediate-Leave Processing Configuring Explicit Host Tracking Configuring a Host Statically Suppressing Multicast Flooding IGMP Snooping Interface Configuration IGMP Snooping Switch Configuration Displaying IGMP Snooping Information Displaying Querier Information Displaying IGMP Host Membership Information Displaying Group Information Displaying Multicast Router Interfaces Displaying MAC Address Multicast Entries Displaying IGMP Snooping Information on a VLAN Interface Configuring IGMP Filtering Default IGMP Filtering Configuration Configuring IGMP Profiles Applying IGMP Profiles Setting the Maximum Number of IGMP Groups Displaying IGMP Filtering Configuration Page Page Configuring 802.1Q and Layer 2 Protocol Tunneling Understanding 802.1Q Tunneling Page Page Configuring 802.1Q Tunneling 802.1Q Tunneling Configuration Guidelines Native VLANs System MTU 802.1Q Tunneling and Other Features Configuring an 802.1Q Tunneling Port Understanding Layer 2 Protocol Tunneling 18-8 Configuring Layer 2 Protocol Tunneling Default Layer 2 Protocol Tunneling Configuration Layer 2 Protocol Tunneling Configuration Guidelines Configuring Layer 2 Tunneling Page Monitoring and Maintaining Tunneling Status Understanding and Configuring CDP Overview of CDP Configuring CDP Enabling CDP Globally Displaying the CDP Global Configuration Enabling CDP on an Interface Displaying the CDP Interface Configuration Monitoring and Maintaining CDP Page Configuring UDLD Overview of UDLD Default UDLD Configuration Configuring UDLD on the Switch Enabling UDLD Globally Enabling UDLD on Individual Interfaces Disabling UDLD on Non-Fiber-Optic Interfaces Disabling UDLD on Fiber-Optic Interfaces Resetting Disabled Interfaces Configuring Unidirectional Ethernet Overview of Unidirectional Ethernet Configuring Unidirectional Ethernet 21-2 To enable Unidirectional Ethernet, perform this task: number Step1 This example shows how to set Gigabit Ethernet interface 1/1 to unidirectional ly send traffic: Page Page Configuring Layer 3 Interfaces Overview of Layer 3 Interfaces Logical Layer 3 VLAN Interfaces Physical Layer 3 Interfaces Configuration Guidelines Configuring Logical Layer 3 VLAN Interfaces 22-4 disabled, and specify an IP routing protocol. Configuring Physical Layer 3 Interfaces 22-5 To configure physical Layer 3 interfaces, perform this task: type slot/interface subnet_mask port_channel_number Page Configuring Cisco Express Forwarding Overview of CEF Benefits of CEF Forwarding Information Base Adjacency Tables Adjacency Discovery Adjacency Resolution Adjacency Types That Require Special Handling Catalyst 4500 Series Switch Implementation of CEF Hardware and Software Switching Hardware Switching Software Switching Load Balancing Software Interfaces CEF Configuration Restrictions Configuring CEF Enabling CEF Configuring Load Balancing for CEF Configuring Per-Destination Load Balancing Configuring Load Sharing Hash Function Viewing CEF Information Monitoring and Maintaining CEF Displaying IP Statistics Page Page Understanding and Configuring IP Multicast Overview of IP Multicast IP Multicast Protocols Internet Group Management Protocol Protocol-Independent Multicast PIM Dense Mode PIM Sparse Mode IGMP Snooping and CGMP IP Multicast on the Catalyst 4500 Series Switch CEF, MFIB, and Layer 2 Forwarding Page IP Multicast Tables Hardware and Software Forwarding Partial Routes Software Routes Non-Reverse Path Forwarding Traffic Multicast Fast Drop Multicast Forwarding Information Base S/M, 224/4 Unsupported Features Configuring IP Multicast Routing Default Configuration in IP MUlticast Routing Enabling IP Multicast Routing Enabling PIM on an Interface Enabling Dense Mode Enabling Sparse Mode Enabling Sparse-Dense Mode Monitoring and Maintaining IP Multicast Routing Displaying System and Network Statistics 24-16 Displaying the Multicast Routing Table Note Interface timers are not updated for hardware-forwar ded packets. Entry timers are updated 24-17 The following is sample output from the show ip mroute command with the active keyword: The following is sample output from the show ip mroute command with the count keyword: Displaying IP MFIB Displaying IP MFIB Fast Drop Displaying PIM Statistics Clearing Tables and Databases Configuration Examples PIM Dense Mode Example PIM Sparse Mode Example BSR Configuration Example Page Configuring Policy-Based Routing Overview of Policy-Based Routing Understanding PBR Understanding PBR Flow Switching Using Policy-Based Routing Policy-Based Routing Configuration Task List Enabling PBR Page Enabling Local PBR Unsupported Commands Policy-Based Routing Configuration Examples Equal Access Example 25-6 default interface null0 to set interface null0. Differing Next Hops Example Deny ACE Example Configuring VRF-lite Understanding VRF-lite Default VRF-lite Configuration VRF-lite Configuration Guidelines Configuring VRFs Configuring a VPN Routing Session Configuring BGP PE to CE Routing Sessions VRF-lite Configuration Example 26-8 Configuring Switch S8 On switch S8, enable routing and configure VRF. 26-9 Configure OSPF routing in VPN1 and VPN2: Configure BGP for CE to PE routing: Configuring Switch S20 Configure S20 to connect to CE: 26-10 Configuring Switch S11 Configure S11 to connect to CE: Configuring the PE Switch S3 On switch S3 (the router), these commands configure only the con nections to switch S8: Displaying VRF-lite Status Page Configuring Quality of Service Overview of QoS Prioritization QoS Terminology Page Basic QoS Model Classification Page 27-8 Software Configuration GuideRelease 12.2(25)SG OL-7659-03 Chapter27 Configuring Quality of Service Overview of QoS Figure27-3 Classification Flowchart Classification Based on QoS ACLs Classification Based on Class Maps and Policy Maps Policing and Marking Page 27-12 Software Configuration GuideRelease 12.2(25)SG OL-7659-03 Chapter27 Configuring Quality of Service Overview of QoS Figure27-4 Policing and Marking Flowchart Internal DSCP Values Internal DSCP Sources Egress ToS and CoS Sources Mapping Tables Queueing and Scheduling Active Queue Management Sharing Link Bandwidth Among Transmit Queues Strict Priority / Low Latency Queueing Traffic Shaping Packet Modification Per Port Per VLAN QoS QoS and Software Processed Packets Configuring Auto-QoS Generated Auto-QoS Configuration Effects of Auto-QoS on the Configuration Configuration Guidelines Enabling Auto-QoS for VoIP Displaying Auto-QoS Information 27-21 Auto-QoS Configuration Example This section describes how you could implement auto-QoS in a network, as shown in Figure 27-5. Page Configuring QoS Default QoS Configuration Page Configuration Guidelines Enabling QoS Globally Configuring a Trusted Boundary to Ensure Port Security Enabling Dynamic Buffer Limiting Creating Named Aggregate Policers Page Configuring a QoS Policy Overview of QoS Policy Configuration Configuring a Class Map (Optional) Creating a Class Map Configuring Filtering in a Class Map Verifying Class Map Configuration Configuring a Policy Map Creating a Policy Map Configuring Policy-Map Class Actions Page Verifying Policy-Map Configuration Attaching a Policy Map to an Interface Configuring User Based Rate Limiting Examples 27-37 This example shows how to create a flow-based class map associated with a desti nation address: 27-38 Example 5 Assume that there are two active flows on FastEthernet interface 6/1: consolidated into one flow because they have the same source and destina tion address. 27-39 Hierarchical policers Note Hierarchical policers are only supported on Supervisor Engine V-10GE. Page Enabling Per-Port Per-VLAN QoS 27-42 27-43 27-44 Enabling or Disabling QoS on an Interface number Step1 | Selects the interface to configure. Configuring VLAN-Based QoS on Layer 2 Interfaces Configuring the Trust State of Interfaces Configuring the CoS Value for an Interface Configuring DSCP Values for an Interface Configuring Transmit Queues Mapping DSCP Values to Specific Transmit Queues Allocating Bandwidth Among Transmit Queues Configuring Traffic Shaping of Transmit Queues Configuring a High Priority Transmit Queue Configuring DSCP Maps Configuring the CoS-to-DSCP Map Configuring the Policed-DSCP Map Configuring the DSCP-to-CoS Map Page Configuring Voice Interfaces Overview of Voice Interfaces Configuring a Port to Connect to a Cisco 7960 IP Phone Configuring Voice Ports for Voice and Data Traffic Page Overriding the CoS Priority of Incoming Frames Configuring Power Understanding and Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication Device Roles 802.1x and Network Access Control Authentication Initiation and Message Exchange Ports in Authorized and Unauthorized States Using 802.1X with VLAN Assignment Using 802.1X Authentication for Guest VLANs Usage Guidelines for Using 802.1X Authentication with Guest VLANs on Windows-XP Hosts Using 802.1X with Authentication Failed VLAN Assignment Usage Guidelines for Using Authentication Failed VLAN Assignment Using 802.1X with Port Security Using 802.1X with RADIUS-Provided Session Timeouts Using 802.1X with RADIUS Accounting Page Using 802.1X with Voice VLAN Ports Supported Topologies How to Configure 802.1X Default 802.1X Configuration 802.1X Configuration Guidelines Enabling 802.1X Authentication Configuring Switch-to-RADIUS-Server Communication Page Configuring RADIUS-Provided Session Timeouts Enabling 802.1X Accounting Configuring 802.1X with Guest VLANs Page Configuring 802.1X with Authentication Failed VLAN Assignment Page Configuring 802.1X with Voice VLAN Enabling Periodic Reauthentication Manually Reauthenticating a Client Connected to a Port Changing the Quiet Period Changing the Switch-to-Client Retransmission Time Setting the Switch-to-Client Frame-Retransmission Number Enabling Multiple Hosts Resetting the 802.1X Configuration to the Default Values Displaying 802.1X Statistics and Status Configuring Port Security and Trunk Port Security Overview of Port Security Page Port mode changes Default Port Security Configuration Port Security Guidelines and Restrictions Configuring Port Security Configuring Port Security on an Interface Page Page Configuring Trunk Port Security Page Configuration Guidelines Configuring Port Security Aging Page Displaying Port Security Settings 30-12 This example shows how to display all secure MAC addresses configured on all switch inte rfaces: This example shows how to display the port security settings on interface g1/1 for VLANs 2 and 3: 30-13 Page Configuring DHCP Snooping and IP Source Guard Overview of DHCP Snooping Overview of the DHCP Snooping Database Agent Configuring DHCP Snooping on the Switch Default Configuration for DHCP Snooping Enabling DHCP Snooping Enabling DHCP Snooping on Aggregration Switch Enabling DHCP Snooping on Private VLAN Enabling the DHCP Snooping Database Agent Configuration Examples for the Database Agent Example 1: Enabling the Database Agent Example 2: Reading Binding Entries from a TFTP File 31-9 Example 3: Adding Information to the DHCP Snooping Database Step3 lease-time vlan-id binding-id Displaying DHCP Snooping Information Displaying a Binding Table Displaying the DHCP Snooping Configuration Overview of IP Source Guard Configuring IP Source Guard on the Switch Configuring IP Source Guard on Private VLANs Displaying IP Source Guard Information Displaying IP Source Binding Information Page Page Understanding and Configuring Dynamic ARP Inspection Overview of Dynamic ARP Inspection ARP Cache Poisoning Purpose of Dynamic ARP Inspection Interface Trust State, Security Coverage and Network Configuration Relative Priority of Static Bindings and DHCP Snooping Entries Logging of Dropped Packets Rate Limiting of ARP Packets Port Channels and Their Behavior Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection in DHCP Environments Page 32-7 On Switch A 32-8 On Switch B 32-9 Configuring ARP ACLs for Non-DHCP Environments Page Page 32-13 Configuring the Log Buffer Page Limiting the Rate of Incoming ARP Packets 32-17 32-18 Performing Validation Checks Page 32-20 Configuring Network Security with ACLs Understanding ACLs ACL Overview Supported Features That Use ACLs Router ACLs Port ACLs VLAN Maps Hardware and Software ACL Support TCAM Programming and ACLs Layer 4 Operators in ACLs Restrictions for Layer 4 Operations Configuration Guidelines for Layer 4 Operations How ACL Processing Impacts CPU Page Configuring Unicast MAC Address Filtering Configuring Named MAC Extended ACLs Configuring VLAN Maps VLAN Map Configuration Guidelines Creating and Deleting VLAN Maps Examples of ACLs and VLAN Maps Page Applying a VLAN Map to a VLAN Using VLAN Maps in Your Network Page Denying Access to a Server on Another VLAN Displaying VLAN Access Map Information Using VLAN Maps with Router ACLs Guidelines for Using Router ACLs and VLAN Maps Examples of Router ACLs and VLAN Maps Applied to VLANs ACLs and Switched Packets ACLs and Routed Packets Configuring PACLs Creating a PACL PACL Configuration Guidelines Configuring IP and MAC ACLs on a Layer 2 Interface Using PACL with Access-Group Mode Configuring Access-group Mode on Layer 2 Interface Applying ACLs to a Layer 2 Interface Displaying an ACL Configuration on a Layer 2 Interface Using PACL with VLAN Maps and Router ACLs Page Page Configuring Private VLANs Overview of PVLANs PVLAN Trunks PVLANs and VLAN ACL/QoS How to Configure PVLANs PVLAN Configuration Guidelines and Restrictions Page Configuring a VLAN as a PVLAN Associating a Secondary VLAN with a Primary VLAN Configuring a Layer 2 Interface as a PVLAN Promiscuous Port Configuring a Layer 2 Interface as a PVLAN Host Port 34-9 Configuring a Layer 2 Interface as a PVLAN Trunk Port To configure a Layer 2 interface as a PVLAN trunk port, perform this task: Step1 Step2 Step3 Specifies the LAN port to configure. Step4 Page Permitting Routing of Secondary VLAN Ingress Traffic 34-12 Port Unicast and Multicast Flood Blocking Overview of Flood Blocking Configuring Port Blocking Blocking Flooded Traffic on an Interface Resuming Normal Forwarding on a Port Page Configuring Storm Control Overview of Storm Control Hardware-based Storm Control Implementation Software-based Storm Control Implementation Enabling Storm Control Disabling Storm Control Displaying Storm Control 36-5 The following example shows an interface that supports broadcast suppression in hardware (hw). Note Use the show interfaces counters storm-control command to display a count of discarded packets. Multicast Storm Control Multicast Suppression on the WS-X4516 Supervisor Engine Multicast Suppression on the WS-X4515, WS-X4014, and WS-X4013+ Supervisor Engines Page Configuring SPAN and RSPAN Overview of SPAN and RSPAN Page SPAN and RSPAN Concepts and Terminology SPAN Session Traffic Types Source Port Destination Port VLAN-Based SPAN SPAN Traffic SPAN and RSPAN Session Limits Default SPAN and RSPAN Configuration Configuring SPAN SPAN Configuration Guidelines and Restrictions Configuring SPAN Sources Configuring SPAN Destinations Monitoring Source VLANs on a Trunk Interface Configuration Scenario Verifying a SPAN Configuration CPU Port Sniffing Page Encapsulation Configuration Ingress Packets Access List Filtering ACL Configuration Guidelines Configuring Access List Filtering Packet Type Filtering Configuration Example Configuring RSPAN RSPAN Configuration Guidelines Creating an RSPAN Session Creating an RSPAN Destination Session Creating an RSPAN Destination Session and Enabling Ingress Traffic Page Removing Ports from an RSPAN Session Specifying VLANs to Monitor Specifying VLANs to Filter Displaying SPAN and RSPAN Status 37-25 Page Configuring NetFlow Overview of NetFlow Statistics Collection NDE Versions Information Derived from Hardware Information Derived from Software Assigning the Input and Output Interface and AS Numbers Assigning the Inferred Fields Assigning the Output Interface and Output Related Inferred Fields Assigning the Input Interface and Input Related Inferred Fields Feature Interaction of Netflow Statistics with UBRL and Microflow Policing VLAN Statistics Configuring NetFlow Statistics Collection Checking for Required Hardware Enabling NetFlow Statistics Collection Configuring Switched/Bridged IP Flows Exporting NetFlow Statistics Managing NetFlow Statistics Collection Configuring an Aggregation Cache Verifying Aggregation Cache Configuration and Data Export Configuring a NetFlow Minimum Prefix Mask for Router-Based Aggregation Configuring the Minimum Mask of a Prefix Aggregation Scheme Configuring the Minimum Mask of a Destination-Prefix Aggregation Scheme Configuring the Minimum Mask of a Source-Prefix Aggregation Scheme Monitoring and Maintaining Minimum Masks for Aggregation Schemes Configuring NetFlow Aging Parameters 38-13 NetFlow Statistics Collection Configuration Example NetFlow Configuration Examples Sample NetFlow Enabling Schemes Sample NetFlow Aggregation Configurations Autonomous System Configuration Destination Prefix Configuration Prefix Configuration Protocol Port Configuration Source Prefix Configuration Sample NetFlow Minimum Prefix Mask Router-Based Aggregation Schemes Prefix Aggregation Scheme Destination-Prefix Aggregation Scheme Source-Prefix Aggregation Scheme Diagnostics on the Catalyst 4500 Switch Online Diagnostics Troubleshooting with Online Diagnostics Power-On-Self-Test Diagnostics Overview Sample POST Results 39-21 The following example shows the output for a WS-X4516 supervisor engine: 39-22 Power-On-Self-Test Results for Supervisor Engine V-10GE POST on the Active Supervisor Engine Sample POST Results on an Active Supervisor Engine 39-24 39-25 39-26 POST on Standby Supervisor Engine Sample Display of the POST on Standby Supervisor Engine 39-27 39-28 on power-up. Causes of Failure and Troubleshooting Page Page APPENDIX A Acronyms and Abbreviations Page Page Page Page Page Page Page INDEX Numerics A B C D Page E F G H I Page J K L M Page N O P Page Page Q R S Page Page T U V