Cisco 6500 config

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Cisco IOS Software Configuration Guide
Release 12.2(33)SXH and Later Releases
Text Part Number: OL-13013-05

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco Ironport, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower,
Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flip Video, Flip Video (Design),
Flipshare (Design), Flip Ultra, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Store, and Flip Gift Card are
service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the
Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without
Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study,
IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar,
PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath,
WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0907R)
Cisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases
© 2007–2009, Cisco Systems, Inc. All rights reserved.

iii
OL-13013-05
C O N T E N T S
Preface xxxvii
Audience xxxvii
Related Documentation xxxvii
Conventions xxxviii
Obtaining Documentation, Obtaining Support, and Security Guidelines xxxix
C H A P T E R 1 Product Overview 1-1
Supported Hardware and Software 1-1
Understanding Supervisor Engine 720-10GE Memory Devices and Ports 1-1
Understanding Supervisor Engine 720 Memory Devices and Ports 1-2
Understanding Supervisor Engine 32 Memory Devices and Ports 1-4
Understanding ME6500 Flash Memory Devices and Ports 1-5
User Interfaces 1-5
Software Features Supported in Hardware by the PFC and DFC 1-6
P A R T 1 Configuration Fundamentals
C H A P T E R 2 Command-Line Interfaces 2-1
Accessing the CLI 2-1
Accessing the CLI through the EIA/TIA-232 Console Interface 2-2
Accessing the CLI through Telnet 2-2
Performing Command Line Processing 2-3
Performing History Substitution 2-3
Cisco IOS Command Modes 2-4
Displaying a List of Cisco IOS Commands and Syntax 2-5
Securing the CLI 2-6
ROM-Monitor Command-Line Interface 2-7
C H A P T E R 3 Configuring Smart Port Macros 3-1
Understanding Smart Port Macros 3-1
Understanding Cisco-Provided Smart Port Macros 3-1
Understanding User-Created Smart Port Macros 3-2
Configuring Smart Port Macros 3-2

Contents
iv
OL-13013-05
Smart Port Macro Default Configuration 3-2
Smart Port Macro Configuration Guidelines 3-3
Applying the Cisco-Provided Smart Port Macros 3-4
Configuring User-Created Smart Port Macros 3-13
Displaying Smart Port Macros 3-15
C H A P T E R 4 Configuring Virtual Switching Systems 4-1
Understanding Virtual Switching Systems 4-1
VSS Overview 4-2
VSS Redundancy 4-9
Multichassis EtherChannels 4-11
Packet Handling 4-14
System Monitoring 4-17
Dual-Active Detection 4-19
VSS Initialization 4-21
VSS Configuration Guidelines and Restrictions 4-24
General VSS Restrictions and Guidelines 4-24
VSL Restrictions and Guidelines 4-24
Multichassis EtherChannel Restrictions and Guidelines 4-24
Dual-Active Detection Restrictions and Guidelines 4-25
Service Module Restrictions and Guidelines 4-25
Configuring a VSS 4-25
Converting to a VSS 4-26
Displaying VSS Information 4-33
Converting a VSS to Standalone Chassis 4-33
Configuring VSS Parameters 4-35
Configuring Multichassis EtherChannels 4-41
Configuring Dual-Active Detection 4-43
Configuring Service Modules in a VSS 4-49
Viewing Chassis Status and Module Information in a VSS 4-51
Upgrading a VSS 4-52
Performing a Fast Software Upgrade of a VSS 4-52
Performing an Enhanced Fast Software Upgrade of a VSS 4-53
P A R T 2 High Availability
C H A P T E R 5 Performing an Enhanced Fast Software Upgrade 5-1
eFSU Overview 5-1
eFSU Operation 5-2

Contents
v
OL-13013-05
Outage Time and Support Considerations 5-3
Reserving Module Memory 5-3
Error Handling for eFSU Preload 5-3
eFSU Guidelines and Limitations 5-4
Performing an Enhanced Fast Software Upgrade 5-4
Software Upgrade Process Summary 5-5
Preparing for the Upgrade 5-6
Copying the New Software Image 5-8
Loading the New Software onto the Standby Supervisor Engine 5-8
Displaying the Maximum Outage Time for Installed Modules (Optional) 5-10
Forcing a Switchover from Active to Standby 5-10
Accepting the New Software Version and Stopping the Rollback Process (Optional) 5-12
Committing the New Software to the Standby 5-12
Verifying the Software Installation 5-12
Aborting the Upgrade Process 5-14
Upgrading a Non-eFSU Image to an eFSU Image 5-14
C H A P T E R 6 Configuring NSF with SSO Supervisor Engine Redundancy 6-1
Understanding NSF with SSO Supervisor Engine Redundancy 6-1
NSF with SSO Supervisor Engine Redundancy Overview 6-2
SSO Operation 6-2
NSF Operation 6-2
Cisco Express Forwarding 6-3
Multicast MLS NSF with SSO 6-3
Routing Protocols 6-4
NSF Benefits and Restrictions 6-8
Supervisor Engine Configuration Synchronization 6-9
Supervisor Engine Redundancy Guidelines and Restrictions 6-9
Redundancy Configuration Guidelines and Restrictions 6-9
Hardware Configuration Guidelines and Restrictions 6-10
Configuration Mode Restrictions 6-11
NSF Configuration Tasks 6-11
Configuring SSO 6-11
Verifying the Redundancy States 6-12
Configuring Multicast MLS NSF with SSO 6-13
Verifying Multicast NSF with SSO 6-13
Configuring CEF NSF 6-13
Verifying CEF NSF 6-14
Configuring BGP NSF 6-14

Contents
vi
OL-13013-05
Verifying BGP NSF 6-14
Configuring OSPF NSF 6-15
Verifying OSPF NSF 6-16
Configuring IS-IS NSF 6-17
Verifying IS-IS NSF 6-17
Configuring EIGRP NSF 6-19
Verifying EIGRP NSF 6-19
Synchronizing the Supervisor Engine Configurations 6-20
Copying Files to the Redundant Supervisor Engine 6-20
C H A P T E R 7 Configuring RPR Supervisor Engine Redundancy 7-1
Understanding RPR 7-1
Supervisor Engine Redundancy Overview 7-2
RPR Operation 7-2
Supervisor Engine Configuration Synchronization 7-2
Supervisor Engine Redundancy Guidelines and Restrictions 7-3
Redundancy Guidelines and Restrictions 7-3
Hardware Configuration Guidelines and Restrictions 7-3
Configuration Mode Restrictions 7-4
Configuring Supervisor Engine Redundancy 7-4
Configuring Redundancy 7-4
Synchronizing the Supervisor Engine Configurations 7-5
Displaying the Redundancy States 7-5
Performing a Fast Software Upgrade 7-6
Copying Files to the RP 7-7
P A R T 3 Interface and Hardware Components
C H A P T E R 8 Configuring and Monitoring the Switch Fabric Functionality 8-1
Understanding the Switch Fabric Functionality 8-1
Configuring the Switch Fabric Functionality 8-3
Monitoring the Switch Fabric Functionality 8-3
C H A P T E R 9 Configuring Interfaces 9-1
Understanding Interface Configuration 9-2
Using the Interface Command 9-2
Configuring a Range of Interfaces 9-4
Defining and Using Interface-Range Macros 9-6

Contents
vii
OL-13013-05
Configuring Optional Interface Features 9-6
Configuring Ethernet Interface Speed and Duplex Mode 9-7
Configuring Jumbo Frame Support 9-10
Configuring IEEE 802.3x Flow Control 9-13
Configuring the Port Debounce Timer 9-14
Adding a Description for an Interface 9-15
Understanding Online Insertion and Removal 9-16
Monitoring and Maintaining Interfaces 9-16
Monitoring Interface Status 9-16
Clearing Counters on an Interface 9-17
Resetting an Interface 9-18
Shutting Down and Restarting an Interface 9-18
Checking the Cable Status Using the TDR 9-19
C H A P T E R 10 Configuring UDLD 10-1
Understanding UDLD 10-1
UDLD Overview 10-1
UDLD Aggressive Mode 10-2
Default UDLD Configuration 10-3
Configuring UDLD 10-3
Enabling UDLD Globally 10-3
Enabling UDLD on Individual LAN Interfaces 10-4
Disabling UDLD on Fiber-Optic LAN Interfaces 10-4
Configuring the UDLD Probe Message Interval 10-4
Resetting Disabled LAN Interfaces 10-5
C H A P T E R 11 Power Management and Environmental Monitoring 11-1
Understanding Power Management 11-1
Enabling or Disabling Power Redundancy 11-2
Powering Modules Off and On 11-3
Viewing System Power Status 11-4
Power Cycling Modules 11-5
Determining System Power Requirements 11-5
Determining System Hardware Capacity 11-5
Determining Sensor Temperature Threshold 11-9
Understanding Environmental Monitoring 11-10
Monitoring System Environmental Status 11-10
Understanding LED Environmental Indications 11-12

Contents
viii
OL-13013-05
C H A P T E R 12 Configuring Online Diagnostics 12-1
Understanding Online Diagnostics 12-1
Configuring Online Diagnostics 12-2
Setting Bootup Online Diagnostics Level 12-2
Configuring On-Demand Online Diagnostics 12-2
Scheduling Online Diagnostics 12-4
Configuring Health-Monitoring Diagnostics 12-5
Running Online Diagnostic Tests 12-5
Starting and Stopping Online Diagnostic Tests 12-6
Running All Online Diagnostic Tests 12-7
Displaying Online Diagnostic Tests and Test Results 12-7
Performing Memory Tests 12-12
Diagnostic Sanity Check 12-12
C H A P T E R 13 Configuring Cisco IP Phone Support 13-1
Understanding Cisco IP Phone Support 13-1
Cisco IP Phone Connections 13-2
Cisco IP Phone Voice Traffic 13-2
Cisco IP Phone Data Traffic 13-3
IP Phone Power Configurations 13-3
Other Cisco IP Phone Features 13-6
Default Cisco IP Phone Support Configuration 13-6
Cisco IP Phone Support Configuration Guidelines and Restrictions 13-7
Configuring Cisco IP Phone Support 13-7
Configuring Voice Traffic Support 13-8
Configuring Data Traffic Support 13-9
Configuring Inline Power Support 13-10
P A R T 4 LAN Switching
C H A P T E R 14 Configuring LAN Ports for Layer 2 Switching 14-1
Understanding Layer 2 Switching 14-1
Understanding Layer 2 Ethernet Switching 14-1
Understanding VLAN Trunks 14-3
Layer 2 LAN Port Modes 14-4
Default Layer 2 LAN Interface Configuration 14-5
Layer 2 LAN Interface Configuration Guidelines and Restrictions 14-5
Configuring LAN Interfaces for Layer 2 Switching 14-6

Contents
ix
OL-13013-05
Configuring a LAN Port for Layer 2 Switching 14-7
Configuring MAC Address Table Notification 14-8
Configuring a Layer 2 Switching Port as a Trunk 14-9
Configuring a LAN Interface as a Layer 2 Access Port 14-15
Configuring a Custom IEEE 802.1Q EtherType Field Value 14-17
C H A P T E R 15 Configuring Flex Links 15-1
Understanding Flex Links 15-1
Configuring Flex Links 15-2
Flex Links Default Configuration 15-2
Flex Links Configuration Guidelines and Restrictions 15-2
Configuring Flex Links 15-3
Monitoring Flex Links 15-3
C H A P T E R 16 Configuring EtherChannels 16-1
Understanding EtherChannels 16-1
EtherChannel Feature Overview 16-1
Understanding EtherChannel Configuration 16-2
Understanding LACP 1:1 Redundancy 16-4
Understanding Port Channel Interfaces 16-4
Understanding Load Balancing 16-5
EtherChannel Feature Configuration Guidelines and Restrictions 16-5
Configuring EtherChannels 16-6
Configuring Port Channel Logical Interfaces for Layer 3 EtherChannels 16-7
Configuring Channel Groups 16-7
Configuring the LACP System Priority and System ID 16-10
Configuring EtherChannel Load Balancing 16-10
Configuring EtherChannel Hash-Distribution Algorithm 16-11
Configuring the EtherChannel Min-Links Feature 16-12
Configuring LACP 1:1 Redundancy 16-13
C H A P T E R 17 Configuring VTP 17-1
Understanding VTP 17-1
Understanding the VTP Domain 17-2
Understanding VTP Modes 17-3
Understanding VTP Advertisements 17-3
Understanding VTP Authentication 17-4
Understanding VTP Version 2 17-4
Understanding VTP Version 3 17-5

Contents
x
OL-13013-05
Understanding VTP Pruning 17-6
VLAN Interaction 17-8
Interaction Between VTP Version 3 and VTP Version 2 Devices 17-8
Interaction Between VTP Version 3 and VTP Version 1 Devices 17-8
VTP Default Configuration 17-8
VTP Configuration Guidelines and Restrictions 17-9
Configuring VTP 17-10
Configuring VTP Global Parameters 17-10
Configuring the VTP Mode 17-15
Configuring VTP Mode on a Per-Port Basis 17-17
Displaying VTP Statistics 17-18
C H A P T E R 18 Configuring VLANs 18-1
Understanding VLANs 18-1
VLAN Overview 18-1
VLAN Ranges 18-2
Configurable VLAN Parameters 18-2
Understanding Token Ring VLANs 18-3
VLAN Default Configuration 18-6
VLAN Configuration Guidelines and Restrictions 18-7
Configuring VLANs 18-8
VLAN Configuration Options 18-9
Creating or Modifying an Ethernet VLAN 18-10
Assigning a Layer 2 LAN Interface to a VLAN 18-11
Configuring the Internal VLAN Allocation Policy 18-12
Configuring VLAN Translation 18-12
Mapping 802.1Q VLANs to ISL VLANs 18-16
Saving VLAN Information 18-17
C H A P T E R 19 Configuring Private VLANs 19-1
Understanding Private VLANs 19-1
Private VLAN Domains 19-2
Private VLAN Ports 19-3
Primary, Isolated, and Community VLANs 19-3
Private VLAN Port Isolation 19-4
IP Addressing Scheme with Private VLANs 19-4
Private VLANs Across Multiple Switches 19-5
Private VLAN Interaction with Other Features 19-5

Contents
xi
OL-13013-05
Private VLAN Configuration Guidelines and Restrictions 19-6
Secondary and Primary VLAN Configuration 19-7
Private VLAN Port Configuration 19-9
Limitations with Other Features 19-9
Configuring Private VLANs 19-11
Configuring a VLAN as a Private VLAN 19-11
Associating Secondary VLANs with a Primary VLAN 19-12
Mapping Secondary VLANs to the Layer 3 VLAN Interface of a Primary VLAN 19-13
Configuring a Layer 2 Interface as a Private VLAN Host Port 19-15
Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port 19-16
Monitoring Private VLANs 19-17
C H A P T E R 20 Configuring Private Hosts 20-1
Understanding Private Hosts 20-1
Isolating Hosts in a VLAN 20-2
Restricting Traffic Flow (Using Private Hosts Port Mode and PACLs) 20-3
Port ACLs 20-5
Configuration Guidelines and Limitations 20-5
ACL Guidelines 20-6
VLANs on the Trunk Port 20-6
Interaction with Other Features 20-6
Spoofing Protection 20-7
Multicast Operation 20-7
Configuring Private Hosts 20-7
Configuration Summary 20-8
Detailed Configuration Steps 20-8
Configuration Examples 20-10
C H A P T E R 21 Configuring IEEE 802.1Q Tunneling 21-1
Understanding 802.1Q Tunneling 21-1
802.1Q Tunneling Configuration Guidelines and Restrictions 21-3
Configuring 802.1Q Tunneling 21-6
Configuring 802.1Q Tunnel Ports 21-6
Configuring the Switch to Tag Native VLAN Traffic 21-7
C H A P T E R 22 Configuring Layer 2 Protocol Tunneling 22-1
Understanding Layer 2 Protocol Tunneling 22-1
Configuring Support for Layer 2 Protocol Tunneling 22-2

Contents
xii
OL-13013-05
C H A P T E R 23 Configuring STP and MST 23-1
Understanding STP 23-1
STP Overview 23-2
Understanding the Bridge ID 23-2
Understanding Bridge Protocol Data Units 23-3
Election of the Root Bridge 23-4
STP Protocol Timers 23-4
Creating the Spanning Tree Topology 23-5
STP Port States 23-5
STP and IEEE 802.1Q Trunks 23-11
Understanding IEEE 802.1w RSTP 23-12
Port Roles and the Active Topology 23-12
Rapid Convergence 23-13
Synchronization of Port Roles 23-14
Bridge Protocol Data Unit Format and Processing 23-15
Topology Changes 23-16
Rapid-PVST 23-17
Understanding MST 23-17
MST Overview 23-18
MST Regions 23-18
IST, CIST, and CST 23-19
Hop Count 23-22
Boundary Ports 23-22
Standard-Compliant MST Implementation 23-23
Interoperability with IEEE 802.1D-1998 STP 23-25
Configuring STP 23-25
Default STP Configuration 23-26
Enabling STP 23-26
Enabling the Extended System ID 23-28
Configuring the Root Bridge 23-29
Configuring a Secondary Root Bridge 23-30
Configuring STP Port Priority 23-30
Configuring STP Port Cost 23-32
Configuring the Bridge Priority of a VLAN 23-34
Configuring the Hello Time 23-34
Configuring the Forward-Delay Time for a VLAN 23-35
Configuring the Maximum Aging Time for a VLAN 23-36
Enabling Rapid-PVST 23-36
Configuring MST 23-37

Contents
xiii
OL-13013-05
Default MST Configuration 23-38
MST Configuration Guidelines and Restrictions 23-38
Specifying the MST Region Configuration and Enabling MST 23-39
Configuring the Root Bridge 23-40
Configuring a Secondary Root Bridge 23-42
Configuring Port Priority 23-42
Configuring Path Cost 23-43
Configuring the Switch Priority 23-44
Configuring the Hello Time 23-45
Configuring the Forwarding-Delay Time 23-46
Configuring the Transmit Hold Count 23-46
Configuring the Maximum-Aging Time 23-47
Configuring the Maximum-Hop Count 23-47
Specifying the Link Type to Ensure Rapid Transitions 23-47
Designating the Neighbor Type 23-48
Restarting the Protocol Migration Process 23-49
Displaying the MST Configuration and Status 23-49
C H A P T E R 24 Configuring Optional STP Features 24-1
Understanding the Optional STP Features 24-1
Understanding STP Port Types 24-2
Understanding PortFast 24-2
Understanding Bridge Assurance 24-3
Understanding BPDU Guard 24-5
Understanding PortFast BPDU Filtering 24-5
Understanding UplinkFast 24-6
Understanding BackboneFast 24-7
Understanding EtherChannel Guard 24-9
Understanding Root Guard 24-9
Understanding Loop Guard 24-9
Understanding PVST Simulation 24-11
Configuring the Optional STP Features 24-11
Enabling PortFast 24-12
Enabling Bridge Assurance 24-13
Enabling PortFast BPDU Filtering 24-14
Enabling BPDU Guard 24-15
Enabling UplinkFast 24-16
Enabling BackboneFast 24-17
Enabling EtherChannel Guard 24-17

Contents
xiv
OL-13013-05
Enabling Root Guard 24-18
Enabling Loop Guard 24-18
Configuring PVST Simulation 24-19
Verifying the Optional STP Features 24-20
Using the show spanning-tree Commands 24-20
Examples in Release 12.2(33)SXI and Later Releases 24-21
Examples in Releases Earlier Than Release 12.2(33)SXI 24-24
P A R T 5 IP Routing Protocols
C H A P T E R 25 Configuring Layer 3 Interfaces 25-1
Layer 3 Interface Configuration Guidelines and Restrictions 25-1
Configuring Subinterfaces on Layer 3 Interfaces 25-2
Configuring IPv4 Routing and Addresses 25-3
Configuring IPX Routing and Network Numbers 25-7
Configuring AppleTalk Routing, Cable Ranges, and Zones 25-8
Configuring Other Protocols on Layer 3 Interfaces 25-9
C H A P T E R 26 Configuring UDE and UDLR 26-1
Understanding UDE and UDLR 26-1
UDE and UDLR Overview 26-1
Supported Hardware 26-2
Understanding UDE 26-2
Understanding UDLR 26-3
Configuring UDE and UDLR 26-3
Configuring UDE 26-3
Configuring UDLR 26-6
P A R T 6 Multiprotocol Label Switching
C H A P T E R 27 Configuring Multiprotocol Label Switching 27-1
MPLS 27-1
Understanding MPLS 27-2
Understanding MPLS 27-2
Supported Hardware Features 27-4
Supported Cisco IOS Features 27-5
MPLS Guidelines and Restrictions 27-7
MPLS Supported Commands 27-7

Contents
xv
OL-13013-05
Configuring MPLS 27-7
MPLS Per-Label Load Balancing 27-7
MPLS Configuration Examples 27-8
VPN Switching 27-9
VPN Switching Operation 27-9
MPLS VPN Guidelines and Restrictions 27-11
MPLS VPN Supported Commands 27-11
Configuring MPLS VPN 27-11
MPLS VPN Sample Configuration 27-11
Any Transport over MPLS 27-13
AToM Load Balancing 27-13
Understanding EoMPLS 27-14
EoMPLS Guidelines and Restrictions 27-14
Configuring EoMPLS 27-15
Configuring MUX-UNI Support on LAN Cards 27-22
P A R T 7 IP Switching
C H A P T E R 28 Configuring IP Unicast Layer 3 Switching 28-1
Understanding Layer 3 Switching 28-1
Understanding Hardware Layer 3 Switching 28-2
Understanding Layer 3-Switched Packet Rewrite 28-2
Default Hardware Layer 3 Switching Configuration 28-4
Configuration Guidelines and Restrictions 28-4
Configuring Hardware Layer 3 Switching 28-4
Displaying Hardware Layer 3 Switching Statistics 28-5
P A R T 8 IP Application Services
C H A P T E R 29 Configuring Web Cache Services Using WCCP 29-1
Understanding WCCP 29-2
WCCP Overview 29-2
Hardware Acceleration 29-2
Understanding WCCPv1 Configuration 29-3
Understanding WCCPv2 Configuration 29-4
WCCPv2 Features 29-5
Restrictions for WCCPv2 29-7
Configuring WCCP 29-7

Contents
xvi
OL-13013-05
Specifying a Version of WCCP 29-8
Configuring a Service Group Using WCCPv2 29-8
Excluding Traffic on a Specific Interface from Redirection 29-9
Registering a Router to a Multicast Address 29-10
Using Access Lists for a WCCP Service Group 29-10
Setting a Password for a Router and Cache Engines 29-11
Verifying and Monitoring WCCP Configuration Settings 29-11
WCCP Configuration Examples 29-12
Changing the Version of WCCP on a Router Example 29-12
Performing a General WCCPv2 Configuration Example 29-13
Running a Web Cache Service Example 29-13
Running a Reverse Proxy Service Example 29-13
Registering a Router to a Multicast Address Example 29-13
Using Access Lists Example 29-14
Setting a Password for a Router and Cache Engines Example 29-14
Verifying WCCP Settings Example 29-14
P A R T 9 IPv6
C H A P T E R 30 Configuring IPv6 Multicast PFC3 and DFC3 Layer 3 Switching 30-1
Features that Support IPv6 Multicast 30-1
IPv6 Multicast Guidelines and Restrictions 30-2
New or Changed IPv6 Multicast Commands 30-3
Configuring IPv6 Multicast Layer 3 Switching 30-3
Using show Commands to Verify IPv6 Multicast Layer 3 Switching 30-3
Verifying MFIB Clients 30-4
Displaying the Switching Capability 30-4
Verifying the (S,G) Forwarding Capability 30-4
Verifying the (*,G) Forwarding Capability 30-5
Verifying the Subnet Entry Support Status 30-5
Verifying the Current Replication Mode 30-5
Displaying the Replication Mode Auto-Detection Status 30-5
Displaying the Replication Mode Capabilities 30-5
Displaying Subnet Entries 30-5
Displaying the IPv6 Multicast Summary 30-6
Displaying the NetFlow Hardware Forwarding Count 30-6
Displaying the FIB Hardware Bridging and Drop Counts 30-7
Displaying the Shared and Well-Known Hardware Adjacency Counters 30-7

Contents
xvii
OL-13013-05
C H A P T E R 31 Configuring MLD Snooping for IPv6 Multicast Traffic 31-1
Understanding MLD Snooping 31-2
MLD Snooping Overview 31-2
MLD Messages 31-3
Source-Based Filtering 31-3
Explicit Host Tracking 31-3
MLD Snooping Proxy Reporting 31-4
Joining an IPv6 Multicast Group 31-4
Leaving a Multicast Group 31-6
Understanding the MLD Snooping Querier 31-7
Default MLD Snooping Configuration 31-8
MLD Snooping Configuration Guidelines and Restrictions 31-8
MLD Snooping Querier Configuration Guidelines and Restrictions 31-9
Enabling the MLD Snooping Querier 31-9
Configuring MLD Snooping 31-10
Enabling MLD Snooping 31-10
Configuring a Static Connection to a Multicast Receiver 31-11
Configuring a Multicast Router Port Statically 31-11
Configuring the MLD Snooping Query Interval 31-12
Enabling Fast-Leave Processing 31-12
Enabling SSM Safe Reporting 31-13
Configuring Explicit Host Tracking 31-13
Configuring Report Suppression 31-14
Displaying MLD Snooping Information 31-14
P A R T 10 IP Multicast
C H A P T E R 32 Configuring IPv4 Multicast Layer 3 Switching 32-1
Understanding IPv4 Multicast Layer 3 Switching 32-1
IPv4 Multicast Layer 3 Switching Overview 32-2
Multicast Layer 3 Switching Cache 32-2
Layer 3-Switched Multicast Packet Rewrite 32-3
Partially and Completely Switched Flows 32-3
Non-RPF Traffic Processing 32-5
Multicast Boundary 32-7
Understanding IPv4 Bidirectional PIM 32-8
Default IPv4 Multicast Layer 3 Switching Configuration 32-8
IPv4 Multicast Layer 3 Switching Configuration Guidelines and Restrictions 32-9

Contents
xviii
OL-13013-05
Restrictions 32-9
Unsupported Features 32-9
Configuring IPv4 Multicast Layer 3 Switching 32-10
Source-Specific Multicast with IGMPv3, IGMP v3lite, and URD 32-10
Enabling IPv4 Multicast Routing Globally 32-10
Enabling IPv4 PIM on Layer 3 Interfaces 32-11
Enabling IP Multicast Layer 3 Switching Globally 32-11
Enabling IP Multicast Layer 3 Switching on Layer 3 Interfaces 32-12
Configuring the Replication Mode 32-12
Enabling Local Egress Replication 32-14
Configuring the Layer 3 Switching Global Threshold 32-15
Enabling Installation of Directly Connected Subnets 32-16
Specifying the Flow Statistics Message Interval 32-16
Enabling Shortcut-Consistency Checking 32-16
Configuring ACL-Based Filtering of RPF Failures 32-17
Displaying RPF Failure Rate-Limiting Information 32-17
Configuring Multicast Boundary 32-18
Displaying IPv4 Multicast Layer 3 Hardware Switching Summary 32-18
Displaying the IPv4 Multicast Routing Table 32-21
Displaying IPv4 Multicast Layer 3 Switching Statistics 32-22
Configuring IPv4 Bidirectional PIM 32-23
Enabling IPv4 Bidirectional PIM Globally 32-23
Configuring the Rendezvous Point for IPv4 Bidirectional PIM Groups 32-24
Setting the IPv4 Bidirectional PIM Scan Interval 32-24
Displaying IPv4 Bidirectional PIM Information 32-25
Using IPv4 Debug Commands 32-27
Clearing IPv4 Multicast Layer 3 Switching Statistics 32-27
Redundancy for Multicast Traffic 32-28
C H A P T E R 33 Configuring IGMP Snooping and MVR for IPv4 Multicast Traffic 33-1
Understanding IGMP Snooping 33-1
IGMP Snooping Overview 33-2
Joining a Multicast Group 33-2
Leaving a Multicast Group 33-4
Understanding the IGMP Snooping Querier 33-5
Understanding IGMP Version 3 Support 33-5
Default IGMP Snooping Configuration 33-7
IGMP Snooping Configuration Guidelines and Restrictions 33-8
IGMP Snooping Querier Configuration Guidelines and Restrictions 33-8

Contents
xix
OL-13013-05
Enabling the IGMP Snooping Querier 33-9
Configuring IGMP Snooping 33-9
Enabling IGMP Snooping 33-10
Configuring a Static Connection to a Multicast Receiver 33-11
Configuring a Multicast Router Port Statically 33-11
Configuring the IGMP Snooping Query Interval 33-11
Enabling IGMP Fast-Leave Processing 33-12
Configuring Source-Specific Multicast Mapping 33-12
CGMP Automatic Detection 33-13
Configuring IGMPv3 Explicit Host Tracking 33-13
Displaying IGMP Snooping Information 33-14
Understanding MVR 33-16
Using MVR in a Multicast Television Application 33-17
Configuring MVR 33-19
Default MVR Configuration 33-19
MVR Configuration Guidelines and Limitations 33-20
Configuring MVR Global Parameters 33-20
Configuring MVR Interfaces 33-21
Displaying MVR Information 33-23
Clearing MVR Counters 33-24
C H A P T E R 34 Configuring IPv4 IGMP Filtering and Router Guard 34-1
Understanding IGMP Filtering 34-1
IGMP Filtering Overview 34-1
IGMP Filters 34-2
IGMP Filter Precedence 34-4
Filter Hierarchy Example 34-4
Displaying IGMP Filtering 34-5
Clearing IGMP Filtering Statistics 34-7
Understanding Router Guard 34-7
Router Guard Overview 34-7
Configuring Router Guard 34-8
Displaying Router Guard Configurations 34-9
Displaying Router Guard Interfaces 34-10
Clearing Router Guard Statistics 34-11
C H A P T E R 35 Configuring PIM Snooping 35-1
Understanding PIM Snooping 35-1
Default PIM Snooping Configuration 35-3

Contents
xx
OL-13013-05
PIM Snooping Configuration Guidelines and Restrictions 35-4
Configuring PIM Snooping 35-4
Enabling PIM Snooping Globally 35-4
Enabling PIM Snooping in a VLAN 35-5
Disabling PIM Snooping Designated-Router Flooding 35-5
C H A P T E R 36 Configuring IPv4 Multicast VPN Support 36-1
Understanding MVPN 36-1
MVPN Overview 36-2
Multicast Routing and Forwarding and Multicast Domains 36-2
Multicast Distribution Trees 36-2
Multicast Tunnel Interfaces 36-5
PE Router Routing Table Support for MVPN 36-6
Multicast Distributed Switching Support 36-6
Hardware-Assisted IPv4 Multicast 36-6
MVPN Configuration Guidelines and Restrictions 36-7
Configuring MVPN 36-8
Forcing Ingress Multicast Replication Mode (Optional) 36-8
Configuring a Multicast VPN Routing and Forwarding Instance 36-9
Configuring Multicast VRF Routing 36-15
Configuring Interfaces for Multicast Routing to Support MVPN 36-19
Sample Configurations for MVPN 36-21
MVPN Configuration with Default MDTs Only 36-21
MVPN Configuration with Default and Data MDTs 36-23
P A R T 11 Quality of Service
C H A P T E R 37 Configuring PFC QoS 37-1
Understanding PFC QoS 37-1
Port Types Supported by PFC QoS 37-2
Overview 37-2
Component Overview 37-5
Understanding Classification and Marking 37-14
Policers 37-17
Understanding Port-Based Queue Types 37-20
PFC QoS Default Configuration 37-27
PFC QoS Global Settings 37-27
Default Values with PFC QoS Enabled 37-28
Default Values with PFC QoS Disabled 37-50

Contents
xxi
OL-13013-05
PFC QoS Configuration Guidelines and Restrictions 37-50
General Guidelines 37-51
PFC3 Guidelines 37-52
Class Map Command Restrictions 37-53
Policy Map Command Restrictions 37-54
Policy Map Class Command Restrictions 37-54
Supported Granularity for CIR and PIR Rate Values 37-54
Supported Granularity for CIR and PIR Token Bucket Sizes 37-55
IP Precedence and DSCP Values 37-56
Configuring PFC QoS 37-56
Enabling PFC QoS Globally 37-57
Enabling Ignore Port Trust 37-58
Configuring DSCP Transparency 37-58
Enabling Queueing-Only Mode 37-59
Enabling Microflow Policing of Bridged Traffic 37-60
Enabling VLAN-Based PFC QoS on Layer 2 LAN Ports 37-60
Enabling Egress ACL Support for Remarked DSCP 37-61
Creating Named Aggregate Policers 37-62
Configuring a PFC QoS Policy 37-64
Configuring Egress DSCP Mutation 37-82
Configuring Ingress CoS Mutation on IEEE 802.1Q Tunnel Ports 37-84
Configuring DSCP Value Maps 37-86
Configuring the Trust State of Ethernet LAN Ports 37-90
Configuring Trusted Boundary with Cisco Device Verification 37-91
Configuring the Ingress LAN Port CoS Value 37-92
Configuring Standard-Queue Drop Threshold Percentages 37-93
Mapping QoS Labels to Queues and Drop Thresholds 37-98
Allocating Bandwidth Between Standard Transmit Queues 37-107
Setting the Receive-Queue Size Ratio 37-109
Configuring the Transmit-Queue Size Ratio 37-110
Common QoS Scenarios 37-111
Sample Network Design Overview 37-111
Classifying Traffic from PCs and IP Phones in the Access Layer 37-112
Accepting the Traffic Priority Value on Interswitch Links 37-115
Prioritizing Traffic on Interswitch Links 37-116
Using Policers to Limit the Amount of Traffic from a PC 37-119
PFC QoS Glossary 37-120

Contents
xxii
OL-13013-05
C H A P T E R 38 Using AutoQoS 38-1
Understanding AutoQoS 38-1
AutoQoS Support for a Cisco IP Phone 38-1
AutoQoS Support for Cisco IP Communicator 38-2
AutoQoS Support for Marked Traffic 38-2
Using AutoQoS 38-3
AutoQoS Configuration Guidelines and Restrictions 38-3
Configuring AutoQoS 38-4
C H A P T E R 39 Configuring MPLS QoS 39-1
Terminology 39-2
MPLS QoS Features 39-3
MPLS Experimental Field 39-3
Trust 39-3
Classification 39-3
Policing and Marking 39-4
Preserving IP ToS 39-4
EXP Mutation 39-4
MPLS DiffServ Tunneling Modes 39-4
MPLS QoS Overview 39-4
Specifying the QoS in the IP Precedence Field 39-5
MPLS QoS 39-5
LERs at the Input Edge of an MPLS Network 39-6
LSRs in the Core of an MPLS Network 39-6
LERs at the Output Edge of an MPLS Network 39-7
Understanding MPLS QoS 39-7
LERs at the EoMPLS Edge 39-8
LERs at the IP Edge (MPLS, MPLS VPN) 39-9
LSRs at the MPLS Core 39-13
MPLS QoS Default Configuration 39-15
MPLS QoS Commands 39-16
MPLS QoS Restrictions and Guidelines 39-17
Configuring MPLS QoS 39-17
Enabling QoS Globally 39-18
Enabling Queueing-Only Mode 39-19
Configuring a Class Map to Classify MPLS Packets 39-20
Configuring the MPLS Packet Trust State on Ingress Ports 39-22
Configuring a Policy Map 39-22

Contents
xxiii
OL-13013-05
Displaying a Policy Map 39-27
Configuring MPLS QoS Egress EXP Mutation 39-28
Configuring EXP Value Maps 39-29
MPLS DiffServ Tunneling Modes 39-30
Short Pipe Mode 39-31
Uniform Mode 39-32
MPLS DiffServ Tunneling Restrictions and Usage Guidelines 39-34
Configuring Short Pipe Mode 39-34
Ingress PE Router—Customer Facing Interface 39-34
Configuring Ingress PE Router—P Facing Interface 39-35
Configuring the P Router—Output Interface 39-37
Configuring the Egress PE Router—Customer Facing Interface 39-38
Configuring Uniform Mode 39-39
Configuring the Ingress PE Router—Customer Facing Interface 39-39
Configuring the Ingress PE Router—P Facing Interface 39-40
Configuring the Egress PE Router—Customer Facing Interface 39-41
C H A P T E R 40 Configuring PFC QoS Statistics Data Export 40-1
Understanding PFC QoS Statistics Data Export 40-1
PFC QoS Statistics Data Export Default Configuration 40-2
Configuring PFC QoS Statistics Data Export 40-2
P A R T 12 Security
C H A P T E R 41 Configuring Network Security 41-1
Configuring MAC Address-Based Traffic Blocking 41-1
Configuring TCP Intercept 41-2
Configuring Unicast Reverse Path Forwarding Check 41-2
Understanding PFC3 Unicast RPF Check Support 41-2
Unicast RPF Check Guidelines and Restrictions 41-3
Configuring Unicast RPF Check 41-3
C H A P T E R 42 Using AutoSecure 42-1
Understanding AutoSecure 42-1
Benefits of AutoSecure 42-2
Securing the Management Plane 42-2
Securing the Forwarding Plane 42-5
AutoSecure Guidelines and Restrictions 42-6

Contents
xxiv
OL-13013-05
Configuring AutoSecure 42-6
Using the AutoSecure Command 42-6
Configuring Additional Security 42-8
Verifying AutoSecure 42-8
AutoSecure Configuration Example 42-9
C H A P T E R 43 Understanding Cisco IOS ACL Support 43-1
ACL Support in Hardware and Software 43-1
Cisco IOS ACL Configuration Guidelines and Restrictions 43-2
Policy-Based ACLs 43-3
Understanding PBACLs 43-3
PBACL Guidelines and Restrictions 43-4
Configuring PBACL 43-4
Configuring IPv6 Address Compression 43-6
Optimized ACL Logging 43-7
Understanding OAL 43-7
OAL Guidelines and Restrictions 43-8
Configuring OAL 43-8
Guidelines and Restrictions for Using Layer 4 Operators in ACLs 43-10
Determining Layer 4 Operation Usage 43-10
Determining Logical Operation Unit Usage 43-11
C H A P T E R 44 Configuring Port ACLs and VLAN ACLs 44-1
Understanding ACLs 44-1
Understanding ACLs 44-2
Understanding VACLs 44-2
Understanding Port ACLs 44-3
PACL and VACL Interactions 44-4
Configuring PACLs 44-7
PACL Configuration Guidelines 44-8
Configuring IP and MAC ACLs on a Layer 2 Interface 44-8
Configuring Access-group Mode on Layer 2 Interface 44-9
Applying ACLs to a Layer 2 Interface 44-9
Applying ACLs to a Port Channel 44-10
Displaying an ACL Configuration on a Layer 2 Interface 44-10
Configuring VACLs 44-11
VACL Configuration Guidelines 44-11
Defining a VLAN Access Map 44-12

Contents
xxv
OL-13013-05
Configuring a Match Clause in a VLAN Access Map Sequence 44-13
Configuring an Action Clause in a VLAN Access Map Sequence 44-13
Applying a VLAN Access Map 44-14
Verifying VLAN Access Map Configuration 44-15
VLAN Access Map Configuration and Verification Examples 44-15
Configuring a Capture Port 44-16
Configuring MAC PBF 44-17
Configuring VACL Logging 44-19
C H A P T E R 45 Configuring Denial of Service Protection 45-1
Understanding DoS Protection 45-2
DoS Protection Default Configuration 45-13
DoS Protection Configuration Guidelines and Restrictions 45-13
Monitoring Packet Drop Statistics 45-14
Displaying Rate-Limiter Information 45-17
Configuring Sticky ARP 45-18
C H A P T E R 46 Configuring Control Plane Policing 46-1
Understanding Control Plane Policing 46-1
CoPP Default Configuration 46-2
CoPP Configuration Guidelines and Restrictions 46-2
Configuring CoPP 46-3
Monitoring CoPP 46-4
Defining Traffic Classification 46-5
Traffic Classification Overview 46-5
Traffic Classification Guidelines 46-6
Sample Basic ACLs for CoPP Traffic Classification 46-7
C H A P T E R 47 Configuring DHCP Snooping 47-1
Understanding DHCP Snooping 47-1
Overview of DHCP Snooping 47-2
Trusted and Untrusted Sources 47-2
DHCP Snooping Binding Database 47-2
Packet Validation 47-3
DHCP Snooping Option-82 Data Insertion 47-3
Overview of the DHCP Snooping Database Agent 47-5
Default Configuration for DHCP Snooping 47-6
DHCP Snooping Configuration Restrictions and Guidelines 47-7

Contents
xxvi
OL-13013-05
DHCP Snooping Configuration Restrictions 47-7
DHCP Snooping Configuration Guidelines 47-7
Minimum DHCP Snooping Configuration 47-8
Configuring DHCP Snooping 47-8
Enabling DHCP Snooping Globally 47-9
Enabling DHCP Option-82 Data Insertion 47-9
Enabling the DHCP Option-82 on Untrusted Port Feature 47-10
Enabling DHCP Snooping MAC Address Verification 47-11
Enabling DHCP Snooping on VLANs 47-11
Configuring the DHCP Trust State on Layer 2 LAN Interfaces 47-12
Configuring DHCP Snooping Rate Limiting on Layer 2 LAN Interfaces 47-13
Configuring the DHCP Snooping Database Agent 47-14
Configuration Examples for the Database Agent 47-14
Displaying a Binding Table 47-17
C H A P T E R 48 Configuring IP Source Guard 48-1
Overview of IP Source Guard 48-1
IP Source Guard Interaction with VLAN-Based Features 48-2
Channel Ports 48-2
Trunk Ports 48-2
Layer 2 and Layer 3 Port Conversion 48-2
IP Source Guard and Voice VLAN 48-2
IP Source Guard and Web-Based Authentication 48-2
IP Source Guard Restrictions 48-3
Configuring IP Source Guard on the Switch 48-3
Displaying IP Source Guard Information 48-4
Displaying IP Source Binding Information 48-6
C H A P T E R 49 Configuring Dynamic ARP Inspection 49-1
Understanding DAI 49-1
Understanding ARP 49-1
Understanding ARP Spoofing Attacks 49-2
Understanding DAI and ARP Spoofing Attacks 49-2
Interface Trust States and Network Security 49-3
Rate Limiting of ARP Packets 49-4
Relative Priority of ARP ACLs and DHCP Snooping Entries 49-4
Logging of Dropped Packets 49-4
Default DAI Configuration 49-5
DAI Configuration Guidelines and Restrictions 49-5

Contents
xxvii
OL-13013-05
Configuring DAI 49-6
Enabling DAI on VLANs 49-7
Configuring the DAI Interface Trust State 49-7
Applying ARP ACLs for DAI Filtering 49-8
Configuring ARP Packet Rate Limiting 49-9
Enabling DAI Error-Disabled Recovery 49-10
Enabling Additional Validation 49-10
Configuring DAI Logging 49-12
Displaying DAI Information 49-14
DAI Configuration Samples 49-15
Sample One: Two Switches Support DAI 49-16
Sample Two: One Switch Supports DAI 49-20
C H A P T E R 50 Configuring Traffic Storm Control 50-1
Understanding Traffic Storm Control 50-1
Default Traffic Storm Control Configuration 50-2
Enabling Traffic Storm Control 50-4
Displaying Traffic Storm Control Settings 50-5
C H A P T E R 51 Configuring Unknown Unicast and Multicast Flood Control 51-1
Understanding Unknown Traffic Flood Control 51-1
Configuring UUFB or UMFB 51-2
Configuring UUFRL 51-2
C H A P T E R 52 Configuring Network Admission Control 52-1
Understanding NAC 52-1
NAC Overview 52-2
NAC Device Roles 52-3
AAA Down Policy 52-4
NAC IP Validation 52-4
NAC and Switchover 52-12
Configuring NAC 52-12
Default NAC Configuration 52-12
NAC IP Guidelines, Limitations, and Restrictions 52-12
Configuring NAC IP Validation 52-14
Configuring EAPoUDP 52-18
Configuring Identity Profiles and Policies 52-18

Contents
xxviii
OL-13013-05
Configuring NAC High Availability 52-19
Configuring a NAC AAA Down Policy 52-20
Monitoring and Maintaining NAC 52-23
Clearing Table Entries 52-23
Displaying NAC Information 52-23
C H A P T E R 53 Configuring IEEE 802.1X Port-Based Authentication 53-1
Understanding 802.1X Port-Based Authentication 53-1
Understanding 802.1X Device Roles 53-2
Understanding the Port-based Authentication Process 53-3
Authentication Initiation and Message Exchange 53-5
Ports in Authorized and Unauthorized States 53-7
802.1X Host Modes 53-8
Using 802.1X Authentication with DHCP Snooping 53-10
Understanding 802.1X Accounting 53-11
Using 802.1X Authentication with VLAN Assignment 53-12
Using Multiple VLANs and VLAN User Distribution with VLAN Assignment 53-13
Using 802.1X Authentication with Guest VLAN 53-14
Using 802.1X Authentication with Restricted VLAN 53-14
Using 802.1X Authentication with Inaccessible Authentication Bypass 53-15
Using 802.1X Authentication with Voice VLAN Ports 53-17
Using 802.1X Authentication with Port Security 53-17
Using 802.1X Authentication with ACL Assignments and Redirect URLs 53-18
Using 802.1X Authentication with Port Descriptors 53-21
Using 802.1X Authentication with MAC Authentication Bypass 53-21
Using Network Admission Control Layer 2 IEEE 802.1X Validation 53-22
Using 802.1X Authentication with Wake-on-LAN 53-23
Configuring 802.1X Port-Based Authentication 53-23
Default 802.1X Port-Based Authentication Configuration 53-24
802.1X Authentication Feature Configuration Guidelines 53-25
Enabling 802.1X Authentication 53-29
Configuring Switch-to-RADIUS-Server Communication 53-31
Configuring 802.1X Authenticator Host Mode 53-32
Enabling Fallback Authentication 53-34
Enabling Periodic Reauthentication 53-36
Manually Reauthenticating the Client Connected to a Port 53-37
Initializing Authentication for the Client Connected to a Port 53-37
Removing 802.1X Client Information 53-38
Clearing Authentication Sessions 53-38

Contents
xxix
OL-13013-05
Changing 802.1X Timeouts 53-38
Setting the Switch-to-Client Frame Retransmission Number 53-40
Setting the Reauthentication Number 53-41
Configuring IEEE 802.1X Accounting 53-41
Configuring VLAN User Distribution 53-42
Configuring a Guest VLAN 53-43
Configuring a Restricted VLAN 53-44
Configuring the Inaccessible Authentication Bypass Feature 53-46
Configuring MAC Authentication Bypass 53-49
Configuring NAC Layer 2 IEEE 802.1X Validation 53-50
Configuring NAC Agentless Audit Support 53-51
Configuring the Switch for DACLs or Redirect URLs 53-52
Configuring 802.1X Authentication with WoL 53-53
Disabling 802.1X Authentication on the Port 53-53
Resetting the 802.1X Configuration to the Default Values 53-54
Displaying Authentication Status and Information 53-54
Displaying 802.1X Status 53-55
Displaying Authentication Methods and Status 53-56
Displaying MAC Authentication Bypass Status 53-59
C H A P T E R 54 Configuring Web-Based Authentication 54-1
Understanding Web-Based Authentication 54-1
Device Roles 54-2
Host Detection 54-2
Session Creation 54-3
Authentication Process 54-3
AAA Fail Policy 54-4
Customization of the Authentication Proxy Web Pages 54-4
Web-based Authentication Interactions with Other Features 54-4
Configuring Web-Based Authentication 54-6
Default Web-Based Authentication Configuration 54-7
Web-based Authentication Configuration Guidelines and Restrictions 54-7
Web-based Authentication Configuration Task List 54-8
Configuring the Authentication Rule and Interfaces 54-8
Configuring AAA Authentication 54-9
Configuring Switch-to-RADIUS-Server Communication 54-9
Configuring the HTTP Server 54-11
Configuring an AAA Fail Policy 54-13
Configuring the Web-based Authentication Parameters 54-14

Contents
xxx
OL-13013-05
Removing Web-based Authentication Cache Entries 54-15
Displaying Web-Based Authentication Status 54-15
C H A P T E R 55 Configuring Port Security 55-1
Understanding Port Security 55-1
Port Security with Dynamically Learned and Static MAC Addresses 55-1
Port Security with Sticky MAC Addresses 55-2
Port Security with IP Phones 55-3
Default Port Security Configuration 55-3
Port Security Guidelines and Restrictions 55-3
Configuring Port Security 55-5
Enabling Port Security 55-5
Configuring the Port Security Violation Mode on a Port 55-6
Configuring the Port Security Rate Limiter 55-7
Configuring the Maximum Number of Secure MAC Addresses on a Port 55-9
Enabling Port Security with Sticky MAC Addresses on a Port 55-9
Configuring a Static Secure MAC Address on a Port 55-10
Configuring Secure MAC Address Aging on a Port 55-11
Displaying Port Security Settings 55-12
P A R T 13 NetFlow
C H A P T E R 56 Configuring NetFlow 56-1
Understanding NetFlow 56-1
NetFlow Overview 56-2
NetFlow on the PFC 56-2
NetFlow on the RP 56-4
NetFlow Features 56-5
Default NetFlow Configuration 56-6
NetFlow Configuration Guidelines and Restrictions 56-6
Configuring NetFlow 56-7
Configuring NetFlow on the PFC 56-7
Configuring NetFlow Features 56-10
C H A P T E R 57 Configuring NDE 57-1
Understanding NDE 57-1
NDE Overview 57-1
NDE on the RP 57-2

Contents
xxxi
OL-13013-05
NDE on the PFC 57-2
Default NDE Configuration 57-10
NDE Configuration Guidelines and Restrictions 57-10
Configuring NDE 57-10
Configuring NDE on the PFC 57-11
Configuring NDE on the RP 57-13
Enabling NDE for Ingress-Bridged IP Traffic 57-14
Displaying the NDE Address and Port Configuration 57-15
Configuring NDE Flow Filters 57-16
Displaying the NDE Configuration 57-17
P A R T 14 Network Management
C H A P T E R 58 Configuring Local SPAN, RSPAN, and ERSPAN 58-1
Understanding Local SPAN, RSPAN, and ERSPAN 58-1
Local SPAN, RSPAN, and ERSPAN Overview 58-1
Local SPAN, RSPAN, and ERSPAN Sources 58-5
Local SPAN, RSPAN, and ERSPAN Destinations 58-7
Local SPAN, RSPAN, and ERSPAN Configuration Guidelines and Restrictions 58-7
Feature Incompatibilities 58-7
Local SPAN, RSPAN, and ERSPAN Session Limits 58-8
Local SPAN, RSPAN, and ERSPAN Interface Limits 58-9
Local SPAN, RSPAN, and ERSPAN Guidelines and Restrictions 58-9
VSPAN Guidelines and Restrictions 58-10
RSPAN Guidelines and Restrictions 58-11
ERSPAN Guidelines and Restrictions 58-11
Distributed Egress SPAN Mode Guidelines and Restrictions 58-12
Configuring Local SPAN, RSPAN, and ERSPAN 58-13
Local SPAN, RSPAN, and ERSPAN Default Configuration 58-13
Configuring a Destination as an Unconditional Trunk (Optional) 58-14
Configuring Destination Trunk VLAN Filtering (Optional) 58-15
Configuring Destination Port Permit Lists (Optional) 58-16
Configuring the Egress SPAN Mode (Optional) 58-17
Configuring Local SPAN 58-18
Configuring RSPAN 58-22
Configuring ERSPAN 58-28
Configuring Source VLAN Filtering in Global Configuration Mode 58-32
Verifying the Configuration 58-33
Configuration Examples 58-33

Contents
xxxii
OL-13013-05
C H A P T E R 59 Using the System Event Archive 59-1
Understanding the System Event Archive 59-1
Displaying the SEA Logging System 59-2
Copying the SEA To Another Device 59-3
C H A P T E R 60 Backplane Traffic Monitoring 60-1
Understanding Traffic Monitoring 60-1
Default Configuration 60-2
Configuring Backplane Traffic Monitoring 60-2
C H A P T E R 61 Configuring Call Home 61-1
Understanding Call Home 61-1
Obtaining Smart Call Home 61-2
Configuring Call Home 61-3
Configuring Contact Information 61-4
Configuring Destination Profiles 61-5
Subscribing to Alert Groups 61-6
Configuring General E-Mail Options 61-9
Enabling Call Home 61-10
Testing Call Home Communications 61-10
Configuring and Enabling Smart Call Home 61-12
Displaying Call Home Configuration Information 61-13
Default Settings 61-16
Alert Group Trigger Events and Commands 61-17
Message Contents 61-23
Sample Syslog Alert Notification in Long-Text Format 61-27
Sample Syslog Alert Notification in XML Format 61-27
C H A P T E R 62 Configuring SNMP IfIndex Persistence 62-1
Understanding SNMP IfIndex Persistence 62-1
Configuring SNMP IfIndex Persistence 62-2
Enabling SNMP IfIndex Persistence Globally 62-2
Disabling SNMP IfIndex Persistence Globally 62-2
Enabling and Disabling SNMP IfIndex Persistence on Specific Interfaces 62-2
Clearing SNMP IfIndex Persistence Configuration from a Specific Interface 62-3

Contents
xxxiii
OL-13013-05
C H A P T E R 63 Using Top-N Reports 63-1
Understanding Top-N Reports 63-1
Top-N Reports Overview 63-1
Understanding Top-N Reports Operation 63-2
Using Top-N Reports 63-2
Enabling Top-N Reports Creation 63-2
Displaying Top-N Reports 63-3
Clearing Top-N Reports 63-4
C H A P T E R 64 Using the Layer 2 Traceroute Utility 64-1
Understanding the Layer 2 Traceroute Utility 64-1
Usage Guidelines 64-1
Using the Layer 2 Traceroute Utility 64-2
C H A P T E R 65 Using the Mini Protocol Analyzer 65-1
Understanding How the Mini Protocol Analyzer Works 65-1
Configuring the Mini Protocol Analyzer 65-2
Filtering the Packets to be Captured 65-3
Starting and Stopping a Capture 65-4
Displaying and Exporting the Capture Buffer 65-6
Mini Protocol Analyzer Configuration, Operation, and Display Examples 65-7
General Configuration Examples 65-7
Filtering Configuration Examples 65-8
Operation Examples 65-9
Display Examples 65-9
P A R T 15 Appendixes
A P P E N D I X A Online Diagnostic Tests A-1
Global Health-Monitoring Tests A-2
TestEARLInternalTables A-2
TestSPRPInbandPing A-3
TestScratchRegister A-3
TestMacNotification A-4
TestErrorCounterMonitor A-4
Per-Port Tests A-5
TestNonDisruptiveLoopback A-5
TestLoopback A-6

Contents
xxxiv
OL-13013-05
TestActiveToStandbyLoopback A-6
TestUnusedPortLoopback A-7
TestTransceiverIntegrity A-7
TestNetflowInlineRewrite A-8
TestPortTxMonitoring A-9
PFC Layer 2 Forwarding Engine Tests A-9
TestNewIndexLearn A-9
TestDontConditionalLearn A-10
TestBadBpduTrap A-10
TestMatchCapture A-11
TestStaticEntry A-11
DFC Layer 2 Forwarding Engine Tests A-11
TestDontLearn A-12
TestNewLearn A-12
TestIndexLearn A-13
TestConditionalLearn A-13
TestTrap A-14
TestBadBpdu A-15
TestProtocolMatchChannel A-15
TestCapture A-16
TestStaticEntry A-16
PFC Layer 3 Forwarding Engine Tests A-17
TestFibDevices A-17
TestIPv4FibShortcut A-18
TestMPLSFibShortcut A-19
TestNATFibShortcut A-19
TestL3Capture2 A-20
TestAclPermit A-20
TestAclDeny A-21
TestNetflowShortcut A-21
TestQoS A-22
DFC Layer 3 Forwarding Engine Tests A-22
TestFibDevices A-22
TestMPLSFibShortcut A-24
TestNATFibShortcut A-25
TestL3Capture2 A-25

Contents
xxxv
OL-13013-05
TestAclPermit A-26
TestAclDeny A-26
TestQoS A-27
TestNetflowShortcut A-27
Replication Engine Tests A-27
TestL3VlanMet A-28
TestIngressSpan A-28
TestEgressSpan A-29
Fabric Tests A-29
TestFabricSnakeForward A-29
TestFabricSnakeBackward A-30
TestSynchedFabChannel A-30
TestFabricCh0Health A-31
TestFabricCh1Health A-31
Exhaustive Memory Tests A-32
TestFibTcamSSRAM A-32
TestAsicMemory A-32
TestAclQosTcam A-33
TestNetflowTcam A-33
TestQoSTcam A-34
IPSEC Services Modules Tests A-34
TestIPSecClearPkt A-35
TestHapiEchoPkt A-35
TestIPSecEncryptDecryptPkt A-35
Stress Tests A-36
TestTrafficStress A-36
TestEobcStressPing A-37
Critical Recovery Tests A-37
TestL3HealthMonitoring A-37
TestTxPathMonitoring A-38
TestSynchedFabChannel A-38
General Tests A-39
ScheduleSwitchover A-39
TestFirmwareDiagStatus A-39
TestCFRW A-40
A P P E N D I X B Acronyms B-1
I N D E X

Contents
xxxvi
OL-13013-05

xxxvii
OL-13013-05
Preface
This preface describes who should read the Cisco IOS Software Configuration Guide,
Release 12.2(33)SXH and later releases, and its document conventions.
Audience
This guide is for experienced network administrators who are responsible for configuring and
maintaining the switches supported in Cisco IOS Release 12.2SX.
Related Documentation
The following publications are available for Cisco IOS Release 12.2SX:
• Catalyst 6500 Series Switch Installation Guide
• Catalyst 6500 Series Switch Module Installation Guide
• Cisco IOS Master Command List, Release 12.2SX
• Catalyst 6500 Series Switch Cisco IOS System Message Guide, Release 12.2SX
• Release Notes for Cisco IOS Release 12.2(33)SXH and Later Releases
• Cisco IOS Configuration Guides and Command References—Use these publications to help you
configure Cisco IOS software features not described in the other publications:
– Configuration Fundamentals Configuration Guide
– Configuration Fundamentals Command Reference
– Bridging and IBM Networking Configuration Guide
– Bridging and IBM Networking Command Reference
– Interface Configuration Guide
– Interface Command Reference
– Network Protocols Configuration Guide, Part 1, 2, and 3
– Network Protocols Command Reference, Part 1, 2, and 3
– Security Configuration Guide
– Security Command Reference
– Switching Services Configuration Guide

xxxviii
OL-13013-05
Preface
– Switching Services Command Reference
– Voice, Video, and Home Applications Configuration Guide
– Voice, Video, and Home Applications Command Reference
– Software Command Summary
– Software System Error Messages
– Debug Command Reference
– Internetwork Design Guide
– Internetwork Troubleshooting Guide
– Configuration Builder Getting Started Guide
The Cisco IOS Configuration Guides and Command References are located at this URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuratio
n_guides_list.html
• For information about MIBs, go to this URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Conventions
This document uses the following conventions:
Convention Description
boldface font Commands, command options, and keywords are in boldface.
italic font Arguments for which you supply values are in italics.
[ ] Elements in square brackets are optional.
{ x | y | z } Alternative keywords are grouped in braces and separated by vertical bars.
[ x | y | z ] Optional alternative keywords are grouped in brackets and separated by
vertical bars.
string A nonquoted set of characters. Do not use quotation marks around the
string or the string will include the quotation marks.
screen font Terminal sessions and information the system displays are in screen font.
boldface screen
font
Information you must enter is in boldface screen font.
italic screen font Arguments for which you supply values are in italic screen font.
This pointer highlights an important line of text in an example.
^ The symbol ^ represents the key labeled Control—for example, the key
combination ^D in a screen display means hold down the Control key
while you press the D key.
< > Nonprinting characters, such as passwords are in angle brackets.

xxxix
OL-13013-05
Preface
Notes use the following conventions:
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the
publication.
Cautions use the following conventions:
Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Obtaining Documentation, Obtaining Support, and Security
Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback,
security guidelines, and also recommended aliases and general Cisco documents, see the monthly
What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical
documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

xl
OL-13013-05
Preface

C H A P T E R
1-1
OL-13013-05
1
Product Overview
This chapter consists of these sections:
• Supported Hardware and Software, page 1-1
• User Interfaces, page 1-5
• Software Features Supported in Hardware by the PFC and DFC, page 1-6
Supported Hardware and Software
For complete information about the chassis, modules, and software features supported by
Cisco IOS Release 12.2SX, see the Release Notes for Cisco IOS Release 12.2(33)SXH and Later
Releases:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html
These sections describe the ports and flash memory devices on the supervisor engines:
• Understanding Supervisor Engine 720-10GE Memory Devices and Ports, page 1-1
• Understanding Supervisor Engine 720 Memory Devices and Ports, page 1-2
• Understanding Supervisor Engine 32 Memory Devices and Ports, page 1-4
• Understanding ME6500 Flash Memory Devices and Ports, page 1-5
Understanding Supervisor Engine 720-10GE Memory Devices and Ports
These sections describe the Supervisor Engine 720-10GE memory devices and ports:
• Supervisor Engine 720-10GE Flash Memory Devices, page 1-1
• Supervisor Engine 720-10GE Ports, page 1-2
Supervisor Engine 720-10GE Flash Memory Devices
The Supervisor Engine 720-10GE has these flash memory devices:
• disk0: (active) and slavedisk0: (standby):
– External CompactFlash Type II slots
– For CompactFlash Type II flash PC cards sold by Cisco Systems, Inc.

1-2
OL-13013-05
Chapter 1 Product Overview
• sup-bootdisk: (active) and slavesup-bootdisk: (standby):
– Switch processor (SP) 1-GB internal CompactFlash flash memory
– From SP ROMMON, it is bootdisk:
– Not accessible from route processor (RP) ROMMON
• bootflash: (active) and slave-bootflash: (standby):
– RP 64-MB internal flash memory
– Not accessible from SP ROMMON
Supervisor Engine 720-10GE Ports
The Supervisor Engine 720-10GE has these ports:
• Console port—EIA/TIA-232 (RS-232) port
• Ports 1 and 2
– Gigabit Ethernet SFP (fiber or 10/100/1000 Mbps RJ-45)
– Fast Ethernet SFP
• Port 3—10/100/1000 Mbps RJ-45
• Ports 4 and 5—10-Gigabit Ethernet X2
Note The 1-Gigabit Ethernet ports and the 10-Gigabit Ethernet ports have the same QoS port architecture
(2q4t/1p3q4t) unless you disable the 1-Gigabit Ethernet ports with the mls qos 10g-only global
configuration command. With the 1-Gigabit Ethernet ports disabled, the QoS port architecture of the
10-Gigabit Ethernet ports is 8q4t/1p7q4t.
See the “Configuring Optional Interface Features” section on page 9-6 for information about configuring
the ports.
Understanding Supervisor Engine 720 Memory Devices and Ports
These sections describe the Supervisor Engine 720 memory devices and ports:
• Supervisor Engine 720 Flash Memory Devices, page 1-2
• Configuring Supervisor Engine 720 Ports, page 1-3
Supervisor Engine 720 Flash Memory Devices
The Supervisor Engine 720 has these flash memory devices:
• disk0: and disk1: (active) and slavedisk0: and slavedisk1: (standby):

1-3
OL-13013-05
• sup-bootflash: (active) and slavesup-bootflash: (standby):
– Switch processor (SP) 64-MB internal flash memory
– From SP ROMMON, it is bootflash:
• With WS-CF-UPG=, sup-bootdisk: (active) and slavesup-bootflash: (standby):
– SP 512-MB internal CompactFlash flash memory
– Not accessible from RP ROMMON
– See this publication for more information:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_1727
7.html
Configuring Supervisor Engine 720 Ports
The Supervisor Engine 720 has these ports:
• Port 1—Small form-factor pluggable (SFP); no unique configuration options.
• Port 2— RJ-45 connector and an SFP connector (default). To use the RJ-45 connector, you must
change the configuration.
To configure port 2 on a Supervisor Engine 720 to use either the RJ-45 connector or the SFP
connector, perform this task:
This example shows how to configure port 2 on a Supervisor Engine 720 in slot 5 to use the RJ-45
connector:
Router(config)# interface gigabitethernet 5/2
Router(config-if)# media-type rj45
See the “Configuring Optional Interface Features” section on page 9-6 for more information about
configuring the ports.
Command Purpose
Step 1 Router(config)# interface gigabitethernet slot/2 Selects the Ethernet port to be configured.
Step 2 Router(config-if)# media-type {rj45 | sfp} Selects the connector to use.

1-4
OL-13013-05
Understanding Supervisor Engine 32 Memory Devices and Ports
These sections describe the Supervisor Engine 32 memory devices and ports:
• Supervisor Engine 32 Flash Memory Devices, page 1-4
• Supervisor Engine 32 Ports, page 1-4
Note Supervisor Engine 32 does not support switch fabric connectivity.
Supervisor Engine 32 Flash Memory Devices
The Supervisor Engine 32 has these flash memory devices:
• disk0: (active) and slavedisk0: (standby):
• sup-bootdisk: (active) and slavesup-bootflash: (standby):
– Switch processor (SP) 256-MB internal CompactFlash flash memory
Supervisor Engine 32 Ports
The Supervisor Engine 32 has these ports:
• Console port—EIA/TIA-232 (RS-232) port
• Two Universal Serial Bus (USB) 2.0 ports—Not currently enabled
• WS-SUP32-GE-3B:
– Ports 1 through 8—Small form-factor pluggable (SFP)
– Port 9—10/100/1000 Mbps RJ-45
• WS-SUP32-10GE:
– Ports 1 and 2—10-Gigabit Ethernet XENPAK
– Port 3—10/100/1000 Mbps RJ-45
See the “Configuring Optional Interface Features” section on page 9-6 for information about configuring
the ports.

1-5
OL-13013-05
User Interfaces
Understanding ME6500 Flash Memory Devices and Ports
These sections describe the Cisco ME6500 series Ethernet switch memory devices and ports:
• ME6500 Flash Memory Devices, page 1-5
• ME6500 Ports, page 1-5
ME6500 Flash Memory Devices
The ME6500 has these flash memory devices:
• disk0:
– One external CompactFlash Type II slot
– Supports CompactFlash Type II flash PC cards
• sup-bootflash:
– Switch processor (SP) 128 MB internal CompactFlash flash memory
– From SP ROMMON, it is bootflash:
• bootflash:
ME6500 Ports
The ME6500 has these ports:
• ME-C6524GS-8S and ME-C6524GT-8S
– Ports 25–32: Gigabit Ethernet SFP
– Requires Gigabit Ethernet SFPs
• ME-C6524GS-8S
– Ports 1–24: Gigabit Ethernet SFP
– Requires Gigabit Ethernet SFPs
• ME-C6524GT-8S—Ports 1–24: 10/100/1000 Mbps RJ-45 Ethernet ports
User Interfaces
Release 12.2SX supports configuration using the following interfaces:
• CLI—See Chapter 2, “Command-Line Interfaces.”
• SNMP—See the Release 12.2 IOS Configuration Fundamentals Configuration Guide and
Command Reference at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/ffun_c.html

1-6
OL-13013-05
Software Features Supported in Hardware by the PFC and DFC
• Cisco IOS web browser interface—See “Using the Cisco Web Browser” in the IOS Configuration
Fundamentals Configuration Guide at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf005.html
The PFC3 and DFC3 provide hardware support for these Cisco IOS software features:
• Access Control Lists (ACLs) for Layer 3 ports and VLAN interfaces:
– Permit and deny actions of input and output standard and extended ACLs
Note Flows that require ACL logging are processed in software on the route processor (RP).
– Except on MPLS interfaces, reflexive ACL flows after the first packet in a session is processed
in software on the RP
– Dynamic ACL flows
Note Idle timeout is processed in software on the RP.
For more information about PFC and DFC support for ACLs, see Chapter 43, “Understanding Cisco
IOS ACL Support.”
For complete information about configuring ACLs, see the Cisco IOS Security Configuration Guide,
Release 12.2, “Traffic Filtering and Firewalls,” at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfacls.html
• Bidirectional Protocol Independent Multicast (PIM) in hardware—See “Understanding IPv4
Bidirectional PIM” section on page 32-8.
• IPv4 Multicast over point-to-point generic route encapsulation (GRE) Tunnels—See the publication
at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.html
• Multiple-path Unicast Reverse Path Forwarding (RPF) Check—To configure Unicast RPF Check,
see the “Configuring Unicast Reverse Path Forwarding Check” section on page 41-2.
• Except on MPLS interfaces, Network Address Translation (NAT) for IPv4 unicast and multicast
traffic.
Note the following information about hardware-assisted NAT:
– NAT of UDP traffic is not supported in PFC3A mode.
– The PFC3 does not support NAT of multicast traffic.
– The PFC3 does not support NAT configured with a route-map that specifies length.
– When you configure NAT and NDE on an interface, the PFC3 sends all traffic in fragmented
packets to the RP to be processed in software. (CSCdz51590)
To configure NAT, see the Cisco IOS IP Configuration Guide, Release 12.2, “IP Addressing and
Services,” “Configuring IP Addressing,” “Configuring Network Address Translation,” at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfipadr.html

1-7
OL-13013-05
To prevent a significant volume of NAT traffic from being sent to the RP, due to either a DoS attack
or a misconfiguration, enter the mls rate-limit unicast acl {ingress | egress} command described
at this URL:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_m2.html#mls_rate-limit_u
nicast_acl
(CSCea23296)
• NetFlow Aggregation—See this URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/gui
de/nde.html
• Policy-based routing (PBR) for route-map sequences that use the match ip address, set ip
next-hop, and ip default next-hop PBR keywords.
To configure PBR, see the Cisco IOS Quality of Service Solutions Configuration Guide, Release
12.2, “Classification,” “Configuring Policy-Based Routing,” at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_C
onfiguration_Guide_Chapter.html
Note If the RP address falls within the range of a PBR ACL, traffic addressed to the RP is policy
routed in hardware instead of being forwarded to the RP. To prevent policy routing of traffic
addressed to the RP, configure PBR ACLs to deny traffic addressed to the RP.
• Except on MPLS interfaces, TCP intercept—To configure TCP intercept, see the “Configuring TCP
Intercept” section on page 41-2.
Note The PFC3 does not provide hardware acceleration for tunnels configured with the tunnel key command.
• GRE Tunneling and IP in IP Tunneling—The PFC3 and DFC3s support the following tunnel
commands:
– tunnel destination
– tunnel mode gre
– tunnel mode ipip
– tunnel source
– tunnel ttl
– tunnel tos
Other supported types of tunneling run in software on the RP.
The tunnel ttl command (default 255) sets the TTL of encapsulated packets.
The tunnel tos command, if present, sets the ToS byte of a packet when it is encapsulated. If the
tunnel tos command is not present and QoS is not enabled, the ToS byte of a packet sets the ToS
byte of the packet when it is encapsulated. If the tunnel tos command is not present and QoS is
enabled, the ToS byte of a packet as modified by PFC QoS sets the ToS byte of the packet when it
is encapsulated.
To configure GRE Tunneling and IP in IP Tunneling, see these publications:
http://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.html
http://www.cisco.com/en/US/docs/ios/12_2/interface/command/reference/irfshoip.html

1-8
OL-13013-05
To configure the tunnel tos and tunnel ttl commands, see this publication for more information:
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_tos.html
Note the following information about tunnels:
– Each hardware-assisted tunnel must have a unique source. Hardware-assisted tunnels cannot
share a source even if the destinations are different. Use secondary addresses on loopback
interfaces or create multiple loopback interfaces. (CSCdy72539)
– Each tunnel interface uses one internal VLAN.
– Each tunnel interface uses one additional router MAC address entry per router MAC address.
– The PFC3A does not support any PFC QoS features on tunnel interfaces.
– Other PFC versions support PFC QoS features on tunnel interfaces.
– The RP supports tunnels configured with egress features on the tunnel interface. Examples of
egress features are output Cisco IOS ACLs, NAT (for inside to outside translation), TCP
intercept, CBAC, and encryption.
• VLAN ACLs (VACLs)—To configure VACLs, see Chapter 44, “Configuring Port ACLs and VLAN
ACLs.”

P A R T 1
Configuration Fundamentals

C H A P T E R
2-1
OL-13013-05
2
Command-Line Interfaces
This chapter describes the command-line interfaces (CLIs) you use to configure the switches supported
by Cisco IOS Release 12.2SX.
Note For complete syntax and usage information for the commands used in this chapter, see these
publications:
• The Cisco IOS Master Command List, Release 12.2SX, at this URL:
http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html
• The Release 12.2 publications at this URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuratio
n_guides_list.html
• Accessing the CLI, page 2-1
• Performing Command Line Processing, page 2-3
• Performing History Substitution, page 2-3
• Cisco IOS Command Modes, page 2-4
• Displaying a List of Cisco IOS Commands and Syntax, page 2-5
• Securing the CLI, page 2-6
• ROM-Monitor Command-Line Interface, page 2-7
Accessing the CLI
These sections describe accessing the CLI:
• Accessing the CLI through the EIA/TIA-232 Console Interface, page 2-2
• Accessing the CLI through Telnet, page 2-2

2-2
OL-13013-05
Chapter 2 Command-Line Interfaces
Accessing the CLI
Accessing the CLI through the EIA/TIA-232 Console Interface
Note EIA/TIA-232 was known as recommended standard 232 (RS-232) before its acceptance as a standard by
the Electronic Industries Alliance (EIA) and Telecommunications Industry Association (TIA).
Perform initial configuration over a connection to the EIA/TIA-232 console interface. See the
Catalyst 6500 Series Switch Module Installation Guide for console interface cable connection
procedures.
To make a console connection, perform this task:
After making a console connection, you see this display:
Press Return for Console prompt
Router> enable
Password:
Router#
Accessing the CLI through Telnet
Note Before you can make a Telnet connection to the switch, you must configure an IP address (see the
“Configuring IPv4 Routing and Addresses” section on page 25-3).
The switch supports up to eight simultaneous Telnet sessions. Telnet sessions disconnect automatically
after remaining idle for the period specified with the exec-timeout command.
To make a Telnet connection to the switch, perform this task:
Command Purpose
Step 1 Press Return. Brings up the prompt.
Step 2 Router> enable Initiates enable mode enable.
Step 3 Password: password
Router#
Completes enable mode enable.
Step 4 Router# quit Exits the session when finished.
Command Purpose
Step 1 telnet {hostname | ip_addr} Makes a Telnet connection from the remote host to the
switch you want to access.
Router#
Initiates authentication.
Note If no password has been configured, press Return.
Step 3 Router> enable Initiates enable mode enable.
Router#
Completes enable mode enable.
Step 5 Router# quit Exits the session when finished.

2-3
OL-13013-05
Performing Command Line Processing
This example shows how to open a Telnet session to the switch:
unix_host% telnet Router_1
Trying 172.20.52.40...
Connected to 172.20.52.40.
Escape character is '^]'.
User Access Verification
Password:
Router_1> enable
Password:
Router_1#
Performing Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters if the abbreviations
contain enough letters to be different from any other currently available commands or parameters. You
can scroll through the last 20 commands stored in the history buffer, and enter or edit the command at
the prompt. Table 2-1 lists the keyboard shortcuts for entering and editing commands.
Performing History Substitution
The history buffer stores the last 20 commands you entered. History substitution allows you to access
these commands without retyping them, by using special abbreviated commands. Table 2-2 lists the
history substitution commands.
Table 2-1 Keyboard Shortcuts
Keystrokes Purpose
Press Ctrl-B or
press the left arrow key1
1. The arrow keys function only on ANSI-compatible terminals such as VT100s.
Moves the cursor back one character.
Press Ctrl-F or
press the right arrow key1
Moves the cursor forward one character.
Press Ctrl-A Moves the cursor to the beginning of the command line.
Press Ctrl-E Moves the cursor to the end of the command line.
Press Esc B Moves the cursor back one word.
Press Esc F Moves the cursor forward one word.

2-4
OL-13013-05
Cisco IOS Command Modes
Cisco IOS Command Modes
Note For complete information about Cisco IOS command modes, see the Cisco IOS Configuration
Fundamentals Configuration Guide at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/ffun_c.html
The Cisco IOS user interface is divided into many different modes. The commands available to you
depend on which mode you are currently in. To get a list of the commands in a given mode, type a
question mark (?) at the system prompt. See the “Displaying a List of Cisco IOS Commands and Syntax”
section on page 2-5.
When you start a session on the switch, you begin in user mode, often called user EXEC mode. Only a
limited subset of the commands are available in EXEC mode. To have access to all commands, you must
enter privileged EXEC mode. Normally, you must type in a password to access privileged EXEC mode.
From privileged EXEC mode, you can type in any EXEC command or access global configuration mode.
The configuration modes allow you to make changes to the running configuration. If you later save the
configuration, these commands are stored across reboots. You must start at global configuration mode.
From global configuration mode, you can enter interface configuration mode, subinterface configuration
mode, and a variety of protocol-specific modes.
Note With Release 12.1(11b)E and later, when you are in configuration mode you can enter EXEC mode-level
commands by entering the do keyword before the EXEC mode-level command.
ROM-monitor mode is a separate mode used when the switch cannot boot properly. For example, the
switch might enter ROM-monitor mode if it does not find a valid system image when it is booting, or if
its configuration file is corrupted at startup. See the “ROM-Monitor Command-Line Interface” section
on page 2-7.
Table 2-3 lists and describes frequently used Cisco IOS modes.
Table 2-2 History Substitution Commands
Command Purpose
Ctrl-P or the up arrow key.1
1. The arrow keys function only on ANSI-compatible terminals such as VT100s.
Recalls commands in the history buffer, beginning
with the most recent command. Repeat the key
sequence to recall successively older commands.
Ctrl-N or the down arrow key.1
Returns to more recent commands in the history
buffer after recalling commands with Ctrl-P or the
up arrow key. Repeat the key sequence to recall
successively more recent commands.
Router# show history While in EXEC mode, lists the last several
commands you have just entered.

2-5
OL-13013-05
Displaying a List of Cisco IOS Commands and Syntax
The Cisco IOS command interpreter, called the EXEC, interprets and executes the commands you enter.
You can abbreviate commands and keywords by entering just enough characters to make the command
unique from other commands. For example, you can abbreviate the show command to sh and the
configure terminal command to config t.
When you type exit, the switch backs out one level. To exit configuration mode completely and return
to privileged EXEC mode, press Ctrl-Z.
Displaying a List of Cisco IOS Commands and Syntax
In any command mode, you can display a list of available commands by entering a question mark (?).
Router> ?
To display a list of commands that begin with a particular character sequence, type in those characters
followed by the question mark (?). Do not include a space. This form of help is called word help because
it completes a word for you.
Router# co?
collect configure connect copy
To display keywords or arguments, enter a question mark in place of a keyword or argument. Include a
space before the question mark. This form of help is called command syntax help because it reminds you
which keywords or arguments are applicable based on the command, keywords, and arguments you have
already entered.
Table 2-3 Frequently Used Cisco IOS Command Modes
Mode Description of Use How to Access Prompt
User EXEC Connect to remote devices, change
terminal settings on a temporary
basis, perform basic tests, and
display system information.
Log in. Router>
Privileged EXEC (enable) Set operating parameters. The
privileged command set includes
the commands in user EXEC
mode, as well as the configure
command. Use this command to
access the other command modes.
From the user EXEC mode, enter
the enable command and the
enable password.
Router#
Global configuration Configure features that affect the
system as a whole.
From the privileged EXEC mode,
enter the configure terminal
command.
Router(config)#
Interface configuration Many features are enabled for a
particular interface. Interface
commands enable or modify the
operation of an interface.
From global configuration mode,
enter the interface type slot/port
command.
Router(config-if)#
Console configuration From the directly connected
console or the virtual terminal
used with Telnet, use this
configuration mode to configure
the console interface.
From global configuration mode,
enter the line console 0 command.
Router(config-line)#

2-6
OL-13013-05
Securing the CLI
For example:
Router# configure ?
memory Configure from NV memory
network Configure from a TFTP network host
overwrite-network Overwrite NV memory from TFTP network host
terminal Configure from the terminal
<cr>
To redisplay a command you previously entered, press the up arrow key or Ctrl-P. You can continue to
press the up arrow key to see the last 20 commands you entered.
Tip If you are having trouble entering a command, check the system prompt, and enter the question mark (?)
for a list of available commands. You might be in the wrong command mode or using incorrect syntax.
Enter exit to return to the previous mode. Press Ctrl-Z or enter the end command in any mode to
immediately return to privileged EXEC mode.
Securing the CLI
Securing access to the CLI prevents unauthorized users from viewing configuration settings or making
configuration changes that can disrupt the stability of your network or compromise your network
security. You can create a strong and flexible security scheme for your switch by configuring one or more
of these security features:
• Protecting access to privileged EXEC commands
At a minimum, you should configure separate passwords for the user EXEC and privileged EXEC
(enable) IOS command modes. You can further increase the level of security by configuring
username and password pairs to limit access to CLI sessions to specific users. For more information,
see “Configuring Security with Passwords, Privilege Levels, and Login Usernames for CLI Sessions
on Networking Devices” at this URL:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_sec_4cli.html
• Controlling switch access with RADIUS, TACACS+, or Kerberos
For a centralized and scalable security scheme, you can require users to be authenticated and
authorized by an external security server running either Remote Authentication Dial-In User Service
(RADIUS), Terminal Access Controller Access-Control System Plus (TACACS+), or Kerberos.
For more information about RADIUS, see “Configuring RADIUS” at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrad.html
For more information about TACACS+, see “Configuring TACACS+” at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scftplus.html
For more information about Kerberos, see “Configuring Kerberos” at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfkerb.html
• Configuring a secure connection with SSH or HTTPS
To prevent eavesdropping of your configuration session, you can use a Secure Shell (SSH) client or
a browser that supports HTTP over Secure Socket Layer (HTTPS) to make an encrypted connection
to the switch.
For more information about SSH, see “Configuring Secure Shell” at this URL:

2-7
OL-13013-05
ROM-Monitor Command-Line Interface
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_secure_shell
_ps6017_TSD_Products_Configuration_Guide_Chapter.html
For more information about HTTPS, see “HTTPS - HTTP Server and Client with SSL 3.0” at this
URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsslsht.html
• Copying configuration files securely with SCP
To prevent eavesdropping when copying configuration files or image files to or from the switch, you
can use the Secure Copy Protocol (SCP) to perform an encrypted file transfer. For more information
about SCP, see “Secure Copy” at this URL:
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_copy_ps
6017_TSD_Products_Configuration_Guide_Chapter.html
For additional information about securing the CLI, see “Cisco IOS Security Configuration Guide:
Securing User Services, Release 12.2SX” at this URL:
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/12_2sx/sec_securing_use
r_services_12.2sx_book.html
The ROM-monitor is a ROM-based program that executes upon platform power-up, reset, or when a fatal
exception occurs. The switch enters ROM-monitor mode if it does not find a valid software image, if the
NVRAM configuration is corrupted, or if the configuration register is set to enter ROM-monitor mode.
From the ROM-monitor mode, you can load a software image manually from flash memory, from a
network server file, or from bootflash.
You can also enter ROM-monitor mode by restarting and pressing the Break key during the first 60
seconds of startup.
Note The Break key is always enabled for 60 seconds after rebooting, regardless of whether the Break key is
configured to be off by configuration register settings.
To access the ROM-monitor mode through a terminal server, you can escape to the Telnet prompt and
enter the send break command for your terminal emulation program to break into ROM-monitor mode.
Once you are in ROM-monitor mode, the prompt changes to rommon 1>. Enter a question mark (?) to
see the available ROM-monitor commands.
For more information about the ROM-monitor commands, see the Cisco IOS Master Command List,
Release 12.2SX.

2-8
OL-13013-05

C H A P T E R
3-1
OL-13013-05
3
Configuring Smart Port Macros
This chapter describes how to configure and apply smart port macros. Release 12.2(33)SXH and later
releases support smart port macros.
Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS
Master Command List, Release 12.2SX, at this URL:
http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html
• Understanding Smart Port Macros, page 3-1
• Configuring Smart Port Macros, page 3-2
• Displaying Smart Port Macros, page 3-15
Understanding Smart Port Macros
These sections describe smart port macros:
• Understanding Cisco-Provided Smart Port Macros, page 3-1
• Understanding User-Created Smart Port Macros, page 3-2
Understanding Cisco-Provided Smart Port Macros
There are Cisco-provided smart port macros embedded in the switch software (see Table 3-1). You can
display these macros and the commands they contain by using the show parser macro user EXEC
command.
Table 3-1 Cisco-Provided Smart Port Macros
Macro Name Description
cisco-global Use this global configuration macro to enable load balancing across VLANs, provide
rapid convergence of spanning-tree instances and to enable port error recovery.
cisco-desktop Use this interface configuration macro for increased network security and reliability
when connecting a desktop device, such as a PC, to a switch port.

3-2
OL-13013-05
Chapter 3 Configuring Smart Port Macros
Cisco also provides a collection of pretested, Cisco-recommended baseline configuration templates for
Catalyst switches. The online reference guide templates provide the CLI commands that you can use to
create smart port macros based on the usage of the port. You can use the configuration templates to create
smart port macros to build and deploy Cisco-recommended network designs and configurations.
Understanding User-Created Smart Port Macros
Smart port macros provide a convenient way to save and share common configurations. You can use
smart port macros to enable features and settings based on the location of a switch in the network and
for mass configuration deployments across the network.
Each smart port macro is a user-defined set of Cisco IOS CLI commands. When you apply a smart port
macro on an interface, the CLI commands within the macro are configured on the interface. When the
macro is applied to an interface, the existing interface configurations are not lost. The new commands
are added to the interface and are saved in the running configuration file.
• Smart Port Macro Default Configuration, page 3-2
• Smart Port Macro Configuration Guidelines, page 3-3
• Applying the Cisco-Provided Smart Port Macros, page 3-4
• Configuring User-Created Smart Port Macros, page 3-13
Smart Port Macro Default Configuration
This example shows how to list the Cisco-provided smart port macros:
Router# show parser macro brief | include default
default global : cisco-global
default interface: cisco-desktop
default interface: cisco-phone
default interface: cisco-switch
default interface: cisco-router
There are no smart port macros applied to any interfaces.
cisco-phone Use this interface configuration macro when connecting a desktop device such as a
PC with a Cisco IP phone to a switch port. This macro is an extension of the
cisco-desktop macro and provides the same security and resiliency features, but with
the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive
voice traffic.
cisco-switch Use this interface configuration macro for Layer 2 connections between devices like
switches and routers.
cisco-router Use this interface configuration macro for Layer 3 connections between devices like
switches and routers.
Table 3-1 Cisco-Provided Smart Port Macros (continued)
Macro Name Description

3-3
OL-13013-05
Smart Port Macro Configuration Guidelines
These section describe the smart port macro configuration guidelines:
• You can display all of the macros on the switch by using the show parser macro user EXEC
command. Display the contents of a specific macro by using the show parser macro name
macro-name user EXEC command.
• A macro cannot be edited. If the name following the macro name command is an existing macro’s
name, that macro is replaced by the new macro.
• If a description already exists for a macro, the macro description command appends any
description that you enter to the existing description; it does not replace it. The entered descriptions
are separated by the pipe (“|”) character.
• The maximum macro description length is 256 characters. When the description string becomes
longer than 256 characters, the oldest descriptions are deleted to make room for new ones.
• User-created recursive macros are not supported. You cannot define a macro that calls another
macro.
• Each user-created macro can have up to three keyword-value pairs.
• A macro definition can contain up to 3,000 characters. Line endings count as two characters.
• When creating a macro, do not use the exit or end commands or change the command mode by using
interface interface-id. This could cause commands that follow exit, end, or interface interface-id
to execute in a different command mode. When creating a macro, all CLI commands should be in
the same configuration mode.
• When creating a macro that requires the assignment of unique values, use the parameter value
keywords to designate values specific to the interface. Keyword matching is case sensitive. All
matching occurrences of the keyword are replaced with the corresponding value. Any full match of
a keyword, even if it is part of a larger string, is considered a match and is replaced by the
corresponding value.
• Macro names are case sensitive. For example, the commands macro name Sample-Macro and
macro name sample-macro will result in two separate macros.
• Some macros might contain keywords that require a parameter value. You can use the macro global
apply macro-name ? global configuration command or the macro apply macro-name ? interface
configuration command to display a list of any required values in the macro. If you apply a macro
without entering the keyword values, the commands are invalid and are not applied.
• When a macro is applied globally to a switch or to a switch interface, the existing configuration on
the interface is retained. This is helpful when applying an incremental configuration.
• If you modify a macro definition by adding or deleting commands, the changes are not reflected on
the interface where the original macro was applied. You need to reapply the updated macro on the
interface to apply the new or changed commands.
• You can use the macro global trace macro-name global configuration command or the macro trace
macro-name interface configuration command to apply and debug a macro to find any syntax or
configuration errors. If a command fails because of a syntax error or a configuration error, the macro
continues to apply the remaining commands.
• Some CLI commands are specific to certain interface types. If a macro is applied to an interface that
does not accept the configuration, the macro will fail the syntax check or the configuration check,
and the switch will return an error message.

3-4
OL-13013-05
• Applying a macro to an interface range is the same as applying a macro to a single interface. When
you use an interface range, the macro is applied sequentially to each interface within the range. If a
macro command fails on one interface, it is still applied to the remaining interfaces.
• When you apply a macro to a switch or a switch interface, the macro name is automatically added
to the switch or interface. You can display the applied commands and macro names by using the
show running-config user EXEC command.
Applying the Cisco-Provided Smart Port Macros
These sections describe how to apply the Cisco-provided smart port macros:
• Using the cisco-global Smart Port Macro, page 3-4
• Using the cisco-desktop Smart Port Macro, page 3-5
• Using the cisco-phone Smart Port Macro, page 3-7
• Using the cisco-switch Smart Port Macro, page 3-9
• Using the cisco-router Smart Port Macro, page 3-11
Using the cisco-global Smart Port Macro
These sections describe how to apply the cisco-global smart port macro:
• Displaying the Contents of the cisco-global Smart Port Macro, page 3-4
• Applying the cisco-global Smart Port Macro, page 3-5
Displaying the Contents of the cisco-global Smart Port Macro
This example shows how to display the contents of the cisco-global smart port macro:
Router# show parser macro name cisco-global
Macro name : cisco-global
Macro type : default global
# Enable dynamic port error recovery for link state
# failures
errdisable recovery cause link-flap
errdisable recovery interval 60
# VTP requires Transparent mode for future 802.1x Guest VLAN
# and current Best Practice
vtp domain [smartports]
vtp mode transparent
# Config Cos to DSCP mappings
mls qos map cos-dscp 0 8 16 26 32 46 48 56
# Enable aggressive mode UDLD on all fiber uplinks
udld aggressive
# Enable Rapid PVST+ and Loopguard
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id

Cisco 6500 config

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Similar to Cisco 6500 config

Similar to Cisco 6500 config (20)

Recently uploaded

Recently uploaded (20)

Cisco 6500 config