Catalyst 6000 Family

Software Configuration Guide


Software Releases 6.3 and 6.4

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

Customer Order Number: DOC-7813315=


Text Part Number: 78-13315-02
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCIP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Breakthrough, iQ
Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco
Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are
service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco
IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel,
EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing,
Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its
affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0208R)

Catalyst 6000 Family Software Configuration Guide


Copyright © 1999-2003, Cisco Systems, Inc.
All rights reserved.
CONTENTS

Preface 27

Audience 27

Organization 27

Related Documentation 29

Conventions 30

Obtaining Documentation 31
Cisco.com 31
Documentation CD-ROM 31
Ordering Documentation 31
Documentation Feedback 32
Obtaining Technical Assistance 32
Cisco.com 32
Technical Assistance Center 32
Obtaining Additional Publications and Information 34

CHAPTER 1 Product Overview 1

CHAPTER 2 Command-Line Interfaces 1

Catalyst Command-Line Interface 1


ROM-Monitor Command-Line Interface 1
Switch Command-Line Interface 2
MSFC Command-Line Interface 8
Cisco IOS Command Modes 8
Cisco IOS Command-Line Interface 10

CHAPTER 3 Configuring the Switch IP Address and Default Gateway 1

Understanding the Switch Management Interfaces 1

Understanding Automatic IP Configuration 2


Automatic IP Configuration Overview 2
Understanding How DHCP Works 2
Understanding How BOOTP and RARP Work 3

Preparing to Configure the IP Address and Default Gateway 4

Booting the MSFC for the First Time 4

Catalyst 6000 Family Software Configuration Guide, Releases 6.3 and 6.4
78-13315-02 3
Contents

Default IP Address and Default Gateway Configuration 5

Assigning the In-Band (sc0) Interface IP Address 5

Configuring Default Gateways 6

Configuring the SLIP (sl0) Interface on the Console Port 7

Using BOOTP, DHCP, or RARP to Obtain an IP Address 9

Renewing and Releasing a DHCP-Assigned IP Address 10

CHAPTER 4 Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching 1

Understanding How Ethernet Works 1


Switching Frames Between Segments 2
Building the Address Table 2
Understanding How Port Negotiation Works 2

Default Ethernet, Fast Ethernet, and Gigabit Ethernet Configuration 3

Setting the Port Configuration 4


Setting the Port Name 4
Setting the Port Speed 5
Setting the Port Duplex Mode 5
Configuring IEEE 802.3X Flow Control 6
Enabling and Disabling Port Negotiation 7
Changing the Default Port Enable State 7
Setting the Port Debounce Timer 8
Configuring a Timeout Period for Ports in errdisable State 9
Configuring the Jumbo Frame Feature 11
Checking Connectivity 13

CHAPTER 5 Configuring Ethernet VLAN Trunks 1

Understanding How VLAN Trunks Work 1


Trunking Overview 1
Trunking Modes and Encapsulation Types 2
802.1Q Trunk Restrictions 4
Default Trunk Configuration 5

Configuring a Trunk Link 5


Configuring an ISL Trunk 5
Configuring an 802.1Q Trunk 6
Configuring an ISL/802.1Q Negotiating Trunk Port 7
Defining the Allowed VLANs on a Trunk 7
Disabling a Trunk Port 8
Example VLAN Trunk Configurations 9

ISL Trunk Configuration Example 9


ISL Trunk Over EtherChannel Link Example 10
802.1Q Trunk Over EtherChannel Link Example 13
Load-Sharing VLAN Traffic Over Parallel Trunks Example 16

Disabling VLAN 1 on Trunks 23


Disabling VLAN 1 on a Trunk Link 23

CHAPTER 6 Configuring EtherChannel 1

Understanding How EtherChannel Works 1


Understanding Administrative Groups 2
Understanding EtherChannel IDs 2
Understanding Port Aggregation Protocol 2
Understanding Frame Distribution 3
EtherChannel Configuration Guidelines 4

Configuring EtherChannel 5
Configuring an EtherChannel 5
Setting the EtherChannel Port Mode 5
Setting the EtherChannel Port Path Cost 6
Setting the EtherChannel VLAN Cost 6
Configuring EtherChannel Frame Distribution 8
Displaying EtherChannel Traffic Utilization 8
Displaying Outgoing Ports for a Specified Address or Layer 4 Port Number 8
Disabling an EtherChannel 9

CHAPTER 7 Configuring IEEE 802.1Q Tunneling 1

Understanding How 802.1Q Tunneling Works 1


802.1Q Tunneling Configuration Guidelines 2

Configuring Support for 802.1Q Tunneling 3


Configuring the Switch to Support 802.1Q Tunneling 3
Configuring 802.1Q Tunnel Ports 4
Clearing 802.1Q Tunnel Ports 4
Removing Global Support for 802.1Q Tunneling 4

CHAPTER 8 Configuring Spanning Tree 1


Understanding How Spanning Tree Protocols Work 1
Understanding How a Topology is Created 2
Understanding How a Switch Becomes the Root Switch 3
Understanding How Bridge Protocol Data Units Work 3

Calculating and Assigning Port Costs 4


Spanning Tree Port States 5
Understanding PVST+ and MISTP Modes 11
PVST+ Mode 12
MISTP Mode 12
MISTP-PVST+ Mode 13
Bridge Identifiers 13
MAC Address Allocation 13
MAC Address Reduction 13

Using PVST+ 15
Default PVST+ Configuration 15
Setting the PVST+ Bridge ID Priority 16
Configuring the PVST+ Port Cost 17
Configuring the PVST+ Port Priority 18
Configuring the PVST+ Default Port Cost Mode 18
Configuring the PVST+ Port Cost for a VLAN 19
Configuring the PVST+ Port Priority for a VLAN 20
Disabling the PVST+ Mode on a VLAN 20
Using MISTP-PVST+ or MISTP 22
Default MISTP and MISTP-PVST+ Configuration 23
Setting MISTP-PVST+ Mode or MISTP Mode 23
Configuring an MISTP Instance 25
Enabling an MISTP Instance 28
Mapping VLANs to an MISTP Instance 29
Disabling MISTP-PVST+ or MISTP 31
Configuring a Root Switch 31
Configuring a Primary Root Switch 31
Configuring a Secondary Root Switch 32
Configuring a Root Switch to Improve Convergence 33
Using Root Guard—Preventing Switches from Becoming Root 34

Configuring Spanning Tree Timers 35


Configuring the Hello Time 35
Configuring the Forward Delay Time 36
Configuring the Maximum Aging Time 36
Understanding How BPDU Skewing Works 37

Configuring BPDU Skewing 38

CHAPTER 9 Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard 1

Understanding How PortFast Works 2

Understanding How PortFast BPDU Guard Works 2

Understanding How PortFast BPDU Filter Works 2

Understanding How UplinkFast Works 3

Understanding How BackboneFast Works 4

Understanding How Loop Guard Works 5

Configuring PortFast 7
Enabling PortFast 8
Disabling PortFast 8
Configuring PortFast BPDU Guard 9
Enabling PortFast BPDU Guard 9
Disabling PortFast BPDU Guard 10
Configuring PortFast BPDU Filter 11
Enabling PortFast BPDU Filter 11
Disabling PortFast BPDU Filter 12
Configuring UplinkFast 13
Enabling UplinkFast 13
Disabling UplinkFast 14
Configuring BackboneFast 15
Enabling BackboneFast 15
Displaying BackboneFast Statistics 16
Disabling BackboneFast 16
Configuring Loop Guard 17
Enabling Loop Guard 17
Disabling Loop Guard 17

CHAPTER 10 Configuring VTP 1


Understanding How VTP Works 1
Understanding the VTP Domain 2
Understanding VTP Modes 2
Understanding VTP Advertisements 2
Understanding VTP Version 2 3
Understanding VTP Pruning 3
Default VTP Configuration 5

VTP Configuration Guidelines 5

Configuring VTP 6
Configuring a VTP Server 6
Configuring a VTP Client 6
Disabling VTP (VTP Transparent Mode) 7

Enabling VTP Version 2 8


Disabling VTP Version 2 9
Enabling VTP Pruning 9
Disabling VTP Pruning 10
Displaying VTP 10

CHAPTER 11 Configuring VLANs 1

Understanding How VLANs Work 1


VLAN Ranges 2
Configurable VLAN Parameters 3
Default VLAN Configuration 4
Configuring Normal-Range VLANs 5
Normal-Range VLAN Configuration Guidelines 5
Creating Normal-Range VLANs 5
Modifying Normal-Range VLANs 6
Configuring Extended-Range VLANs 6
Extended-Range VLAN Configuration Guidelines 7
Creating Extended-Range VLANs 7
Mapping VLANs to VLANs 8
Mapping Reserved VLANs to Nonreserved VLANs 9
Deleting Reserved-to-Nonreserved VLAN Mappings 10
Mapping 802.1Q VLANs to ISL VLANs 10
Deleting 802.1Q-to-ISL VLAN Mappings 11
Assigning Switch Ports to a VLAN 12
Deleting a VLAN 13

Configuring Private VLANs 13


Understanding How Private VLANs Work 14
Private VLAN Configuration Guidelines 15
Creating a Primary Private VLAN 18
Viewing the Port Capability of a Private VLAN Port 21
Deleting a Private VLAN 22
Deleting an Isolated, Community, or Two-Way Community VLAN 22
Deleting a Private VLAN Mapping 23
Private VLAN Support on the MSFC 23
Configuring FDDI VLANs 24

Configuring Token Ring VLANs 24


Understanding Token Ring TrBRF VLANs 25
Understanding Token Ring TrCRF VLANs 25
Token Ring VLAN Configuration Guidelines 27

Creating or Modifying a Token Ring TrBRF VLAN 27


Creating or Modifying a Token Ring TrCRF VLAN 28

CHAPTER 12 Configuring InterVLAN Routing 1

Understanding How InterVLAN Routing Works 1

Configuring InterVLAN Routing on the MSFC 2


MSFC Routing Configuration Guidelines 2
Configuring IP InterVLAN Routing on the MSFC 3
Configuring IPX InterVLAN Routing on the MSFC 3
Configuring AppleTalk InterVLAN Routing on the MSFC 4
Configuring MSFC Features 4

CHAPTER 13 Configuring CEF for PFC2 1

Understanding How Layer 3 Switching Works 1


Layer 3 Switching Overview 2
Understanding Layer 3-Switched Packet Rewrite 2
Understanding CEF for PFC2 4
Understanding NetFlow Statistics 9
Default CEF for PFC2 Configuration 10

CEF for PFC2 Configuration Guidelines and Restrictions 11

Configuring CEF for PFC2 12


Displaying Layer 3-Switching Entries on the Supervisor Engine 12
Configuring CEF on the MSFC2 14
Configuring IP Multicast on the MSFC2 14
Displaying IP Multicast Information 16
Configuring NetFlow Statistics 22
Specifying the NetFlow Table Entry Aging-Time Value 23
Specifying NetFlow Table IP Entry Fast Aging Time and Packet Threshold Values 24
Setting the Minimum Statistics Flow Mask 24
Excluding IP Protocol Entries from the NetFlow Table 25
Displaying NetFlow Statistics 25
Clearing NetFlow IP and IPX Statistics 26
Displaying NetFlow Statistics Debug Information 28

CHAPTER 14 Configuring MLS 1

Understanding How Layer 3 Switching Works 1


Understanding Layer 3-Switched Packet Rewrite 2
Understanding MLS 4

Default MLS Configuration 10

Configuration Guidelines and Restrictions 11


IP MLS 11
IP MMLS 12
IPX MLS 13
Configuring MLS 14
Configuring Unicast MLS on the MSFC 14
Configuring MLS on Supervisor Engine 1 17
Configuring IP MMLS 28

CHAPTER 15 Configuring NDE 1

Understanding How NDE Works 1


Overview of NDE and Integrated Layer 3 Switching Management 1
Traffic Statistics Data Collection 2
Using NDE Filters 3
Default NDE Configuration 3

Configuring NDE 3
Usage Guidelines 4
Specifying an NDE Collector 4
Specifying an NDE Destination Address on the MSFC 5
Specifying an NDE Source Address on the MSFC 5
Enabling NDE 6
Specifying a Destination Host Filter 6
Specifying a Destination and Source Subnet Filter 6
Specifying a Destination TCP/UDP Port Filter 7
Specifying a Source Host and Destination TCP/UDP Port Filter 7
Specifying a Protocol Filter 8
Specifying Protocols for Statistics Collection 8
Removing Protocols for Statistics Collection 8
Clearing the NDE Flow Filter 9
Disabling NDE 9
Removing the NDE IP Address 9
Displaying the NDE Configuration 10

CHAPTER 16 Configuring Access Control 1

Understanding How ACLs Work 1

Hardware Requirements 2

Supported ACLs 2
QoS ACLs 2

Cisco IOS ACLs 3


VACLs 3
Applying Cisco IOS ACLs and VACLs on VLANs 7
Bridged Packets 7
Routed Packets 7
Multicast Packets 8
Using Cisco IOS ACLs in your Network 9
Hardware and Software Handling of Cisco IOS ACLs with PFC 10
Hardware and Software Handling of Cisco IOS ACLs with PFC2 12
Using VACLs with Cisco IOS ACLs 15
Guidelines for Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface 16
Guidelines for Using Layer 4 Operations 20
Using VACLs in your Network 22
Wiring Closet Configuration 22
Redirecting Broadcast Traffic to a Specific Server Port 23
Restricting the DHCP Response for a Specific Server 24
Denying Access to a Server on Another VLAN 25
Restricting ARP Traffic 26
Configuring ACLs on Private VLANs 26
Capturing Traffic Flows 27
Unsupported Features 27

Configuring VACLs 28
VACL Configuration Guidelines 28
VACL Configuration Summary 29
Configuring VACLs From the CLI 29
Configuring and Storing VACLs and QoS ACLs in Flash Memory 42
Automatically Moving the VACL and QoS ACL Configuration to Flash Memory 43
Manually Moving the VACL and QoS ACL Configuration to Flash Memory 44
Running with the VACL and QoS ACL Configuration in Flash Memory 45
Moving the VACL and QoS ACL Configuration Back to NVRAM 46
Redundancy Synchronization Support 46
Interacting with High Availability 46
Configuring Policy-Based Forwarding 46

Understanding How Policy-Based Forwarding Works 47

Hardware and Software Requirements 47

Configuring Policy-Based Forwarding 48


Enabling PBF and Specifying a MAC Address for the PFC2 48
Configuring VACLs for PBF 50

Displaying PBF Information 52


Clearing Entries in PBF VACLs 52
Rolling Back Adjacency Table Entries in the Edit Buffer 53
Configuring Hosts for PBF 53
Policy-Based Forwarding Configuration Example 55

CHAPTER 17 Configuring GVRP 1

Understanding How GVRP Works 1

Default GVRP Configuration 2

GVRP Configuration Guidelines 2

Configuring GVRP 2
Enabling GVRP Globally 3
Enabling GVRP on Individual 802.1Q Trunk Ports 3
Enabling GVRP Dynamic VLAN Creation 4
Configuring GVRP Registration 5
Configuring GVRP VLAN Declarations from Blocking Ports 6
Setting the GARP Timers 7
Displaying GVRP Statistics 8
Clearing GVRP Statistics 8
Disabling GVRP on Individual 802.1Q Trunk Ports 8
Disabling GVRP Globally 9

CHAPTER 18 Configuring Dynamic Port VLAN Membership with VMPS 1

Understanding How VMPS Works 1


Default VMPS and Dynamic Port Configuration 2
Dynamic Port VLAN Membership and VMPS Configuration Guidelines 3

Configuring VMPS and Dynamic Port VLAN Membership 3


Creating the VMPS Database 4
Configuring VMPS 5
Configuring Dynamic Ports on VMPS Clients 5
Administering and Monitoring VMPS 6
Configuring Static VLAN Port Membership 7
Troubleshooting VMPS and Dynamic Port VLAN Membership 8
Troubleshooting VMPS 8
Troubleshooting Dynamic Port VLAN Membership 8
Dynamic Port VLAN Membership with VMPS Configuration Examples 9
VMPS Database Configuration File Example 9
Dynamic Port VLAN Membership Configuration Example 10

Dynamic Port VLAN Membership with Auxiliary VLANs 12


Configuration Guidelines 13
Configuring Dynamic Port VLAN Membership with Auxiliary VLANs 13

CHAPTER 19 Checking Port Status and Connectivity 1

Checking Module Status 1

Checking Port Status 2

Checking Port Capabilities 4

Using Telnet 4

Using Secure Shell Encryption for Telnet Sessions 5

Monitoring User Sessions 6

Using Ping 7
Understanding How Ping Works 7
Executing Ping 8
Using Layer 2 Traceroute 9
Layer 2 Traceroute Usage Guidelines 9
Identifying a Layer 2 Path 10
Using IP Traceroute 10
Understanding How IP Traceroute Works 10
Executing IP Traceroute 11

CHAPTER 20 Administering the Switch 1

Setting the System Name and System Prompt 1


Setting the Static System Name and Prompt 2
Setting the System Contact and Location 3
Setting the System Clock 4
Creating a Login Banner 4
Configuring a Login Banner 5
Clearing the Login Banner 5
Defining Command Aliases 5

Defining IP Aliases 6

Configuring Static Routes 7

Configuring Permanent and Static ARP Entries 8

Scheduling a System Reset 9


Scheduling a Reset at a Specific Time 10
Scheduling a Reset Within a Specified Amount of Time 10

Power Management 11

Enabling or Disabling Power Redundancy 11


Using the CLI to Power Modules Up or Down 13
Determining System Power Requirements 14
Environmental Monitoring 16
Environmental Monitoring Using CLI Commands 16
LED Indications 16
Displaying System Status Information for Technical Support 17
Generating a System Status Report 18
Using System Dump Files 18

CHAPTER 21 Configuring Switch Access Using AAA 1

Understanding How Authentication Works 1


Authentication Overview 2
Understanding How Login Authentication Works 2
Understanding How Local Authentication Works 2
Understanding How TACACS+ Authentication Works 3
Understanding How RADIUS Authentication Works 4
Understanding How Kerberos Authentication Works 4
Understanding How 802.1x Authentication Works 7
Configuring Authentication 9
Authentication Default Configuration 10
Authentication Configuration Guidelines 11
Configuring Login Authentication 12
Configuring Local Authentication 13
Configuring TACACS+ Authentication 17
Configuring RADIUS Authentication 23
Configuring Kerberos Authentication 31
Configuring 802.1x Authentication 40
Authentication Example 48

Understanding How Authorization Works 49


Authorization Overview 49
Authorization Events 49
TACACS+ Primary Options and Fallback Options 50
TACACS+ Command Authorization 50
RADIUS Authorization 51
Configuring Authorization 51
TACACS+ Authorization Default Configuration 51
TACACS+ Authorization Configuration Guidelines 51
Configuring TACACS+ Authorization 52

Configuring RADIUS Authorization 55

Authorization Example 55

Understanding How Accounting Works 56


Accounting Overview 56
Accounting Events 57
Specifying When to Create Accounting Records 57
Specifying RADIUS Servers 58
Updating the Server 59
Suppressing Accounting 59
Configuring Accounting 59
Accounting Default Configuration 59
Accounting Configuration Guidelines 60
Configuring Accounting 60
Accounting Example 63

CHAPTER 22 Configuring Redundancy 1

Understanding How Supervisor Engine Redundancy Works 2

Configuring Redundant Supervisor Engines 3


Synchronization Process Initiation 4
Redundant Supervisor Engine Configuration Guidelines and Restrictions 4
Verifying Standby Supervisor Engine Status 5
Forcing a Switchover to the Standby Supervisor Engine 6
High Availability 8
Supervisor Engine Synchronization Examples 14
MSFC Redundancy 18
Dual MSFC Redundancy 19
Single Router Mode Redundancy 41
Manual-Mode MSFC Redundancy 45

CHAPTER 23 Modifying the Switch Boot Configuration 1

Understanding How the Switch Boot Configuration Works 1


Understanding the Boot Process 1
Understanding the ROM Monitor 2
Understanding the Configuration Register 2
Understanding the BOOT Environment Variable 3
Understanding the CONFIG_FILE Environment Variable 3
Default Switch Boot Configuration 4

Setting the Configuration Register 5

Setting the Boot Field in the Configuration Register 5


Setting the ROM-Monitor Console-Port Baud Rate 6
Setting CONFIG_FILE Recurrence 7
Setting CONFIG_FILE Overwrite 7
Setting CONFIG_FILE Synchronization 8
Setting the Switch to Ignore the NVRAM Configuration 9
Setting the Configuration Register Value 10
Setting the BOOT Environment Variable 10
Setting the BOOT Environment Variable 10
Clearing the BOOT Environment Variable Settings 11

Setting the CONFIG_FILE Environment Variable 11


Setting the CONFIG_FILE Environment Variable 11
Clearing the CONFIG_FILE Environment Variable Settings 12

Displaying the Switch Boot Configuration 12

CHAPTER 24 Working With the Flash File System 1

Understanding How the Flash File System Works 1

Working with the Flash File System 1


Setting the Default Flash Device 2
Setting the Text File Configuration Mode 2
Listing the Files on a Flash Device 3
Copying Files 4
Deleting Files 6
Restoring Deleted Files 7
Verifying a File Checksum 7
Formatting a Flash Device 8

CHAPTER 25 Working with System Software Images 1

Software Image Naming Conventions 1

Downloading Software Images to the Switch With TFTP 2


Understanding How TFTP Software Image Downloads Work 2
Preparing to Download an Image Using TFTP 2
Downloading Supervisor Engine Images Using TFTP 3
Downloading Switching Module Images Using TFTP 4
TFTP Download Procedures Example 5
Uploading System Software Images to a TFTP Server 8
Preparing to Upload an Image to a TFTP Server 8
Uploading Software Images to a TFTP Server 9

Downloading System Software Images Using rcp 9


Preparing to Download an Image Using rcp 9
Downloading Supervisor Engine Images Using rcp 10
Downloading Switching Module Images Using rcp 10
Example rcp Download Procedures 11
Uploading System Software Images to an rcp Server 14
Preparing to Upload an Image to an rcp Server 15
Uploading Software Images to an rcp Server 15
Downloading Software Images Over a Serial Connection on the Console Port 15
Preparing to Download an Image Using Kermit 16
Downloading Software Images Using Kermit (PC Procedure) 16
Downloading Software Images Using Kermit (UNIX Procedure) 17
Example Serial Software Image Download Procedures 18
Downloading a System Image Using Xmodem or Ymodem 21

CHAPTER 26 Working with Configuration Files 1

Working with Configuration Files on the Switch 1


Creating and Using Configuration File Guidelines 1
Creating a Configuration File 2
Downloading Configuration Files to the Switch Using TFTP 3
Uploading Configuration Files to a TFTP Server 5
Copying Configuration Files Using rcp 6
Downloading Configuration Files from an rcp Server 6
Uploading Configuration Files to an rcp Server 7
Clearing the Configuration 8
Working with Configuration Files on the MSFC 9
Uploading the Configuration File to a TFTP Server 10
Uploading the Configuration File to the Supervisor Engine Flash PC Card 11
Downloading the Configuration File from a Remote Host 11
Downloading the Configuration File from the Supervisor Engine Flash PC Card 13

CHAPTER 27 Configuring System Message Logging 1

Understanding How System Message Logging Works 1

System Log Message Format 3

Default System Message Logging Configuration 4

Configuring System Message Logging 4


Enabling and Disabling Session Logging Settings 5
Setting the System Message Logging Levels 6

Enabling and Disabling the Logging Time Stamp Enable State 6


Setting the Logging Buffer Size 6
Configuring the syslog Daemon on a UNIX syslog Server 7
Configuring syslog Servers 7
Displaying the Logging Configuration 9
Displaying System Messages 10

CHAPTER 28 Configuring DNS 1

Understanding How DNS Works 1

DNS Default Configuration 1

Configuring DNS 2
Setting Up and Enabling DNS 2
Clearing a DNS Server 3
Clearing the DNS Domain Name 3
Disabling DNS 3

CHAPTER 29 Configuring CDP 1

Understanding How CDP Works 1

Default CDP Configuration 2

Configuring CDP 2
Setting the CDP Global Enable and Disable States 2
Setting the CDP Enable and Disable States on a Port 3
Setting the CDP Message Interval 4
Setting the CDP Holdtime 4
Displaying CDP Neighbor Information 5

CHAPTER 30 Configuring UDLD 1

Understanding How UDLD Works 1

Default UDLD Configuration 2

Configuring UDLD 3
Enabling UDLD Globally 3
Enabling UDLD on Individual Ports 3
Disabling UDLD on Individual Ports 4
Disabling UDLD Globally 4
Specifying the UDLD Message Interval 4
Enabling UDLD Aggressive Mode 5
Displaying the UDLD Configuration 5

CHAPTER 31 Configuring NTP 1

Understanding How NTP Works 1

NTP Default Configuration 2

Configuring NTP 2
Enabling NTP in Broadcast-Client Mode 3
Configuring NTP in Client Mode 3
Configuring Authentication in Client Mode 4
Setting the Time Zone 5
Enabling the Daylight Saving Time Adjustment 5
Disabling the Daylight Saving Time Adjustment 7
Clearing the Time Zone 7
Clearing NTP Servers 7
Disabling NTP 8

CHAPTER 32 Configuring Broadcast Suppression 1

Understanding How Broadcast Suppression Works 1

Configuring Broadcast Suppression 2


Enabling Broadcast Suppression 3
Disabling Broadcast Suppression 4

CHAPTER 33 Configuring Layer 3 Protocol Filtering 1

Understanding How Layer 3 Protocol Filtering Works 1

Default Layer 3 Protocol Filtering Configuration 2

Configuring Layer 3 Protocol Filtering 2


Enabling Layer 3 Protocol Filtering 3
Disabling Layer 3 Protocol Filtering 3

CHAPTER 34 Configuring the IP Permit List 1

Understanding How the IP Permit List Works 1

IP Permit List Default Configuration 2

Configuring the IP Permit List 2


Adding IP Addresses to the IP Permit List 2
Enabling the IP Permit List 3
Disabling the IP Permit List 4
Clearing an IP Permit List Entry 4

CHAPTER 35 Configuring Port Security 1

Understanding How Port Security Works 1

Allowing Traffic Based on the Host MAC Address 1


Restricting Traffic Based on the Host MAC Address 2
Port Security Configuration Guidelines 3

Configuring Port Security 3


Enabling Port Security 3
Setting the Maximum Number of Secure MAC Addresses 4
Setting the Port Security Age Time 5
Clearing MAC Addresses 5
Specifying the Security Violation Action 6
Setting the Shutdown Timeout 6
Disabling Port Security 7
Restricting Traffic Based on a Host MAC Address 7
Displaying Port Security 8

CHAPTER 36 Configuring SNMP 1

SNMP Terminology 1

Understanding SNMP 3
Security Models and Levels 4
SNMP ifindex Persistence Feature 5

Understanding How SNMPv1 and SNMPv2c Works 5


Using Managed Devices 5
Using SNMP Agents and MIBs 5
Using CiscoWorks2000 6
Understanding SNMPv3 7
SNMP Entity 7
Applications 9
Configuring SNMPv1 and SNMPv2c 10
SNMPv1 and SNMPv2c Default Configuration 10
Configuring SNMPv1 and SNMPv2c from an NMS 10
Configuring SNMPv1 and SNMPv2c from the CLI 10
Configuring SNMPv3 11
SNMPv3 Default Configuration 11
Configuring SNMPv3 from an NMS 11
Configuring SNMPv3 from the CLI 12

CHAPTER 37 Configuring RMON 1

Understanding How RMON Works 1

Enabling RMON 2

Viewing RMON Data 2

Supported RMON and RMON2 MIB Objects 2

CHAPTER 38 Configuring SPAN and RSPAN 1

Understanding How SPAN and RSPAN Works 1


SPAN Session 2
Destination Port 2
Source Port 2
Ingress SPAN 3
Egress SPAN 3
VSPAN 3
Trunk VLAN Filtering 4
SPAN Traffic 4
SPAN and RSPAN Session Limits 4

Configuring SPAN 5
SPAN Hardware Requirements 5
Understanding How SPAN Works 5
SPAN Configuration Guidelines 6
Configuring SPAN from the CLI 7
Configuring RSPAN 8
RSPAN Hardware Requirements 9
Understanding How RSPAN Works 9
RSPAN Configuration Guidelines 10
Configuring RSPAN 11
RSPAN Configuration Examples 14

CHAPTER 39 Using Switch TopN Reports 1

Understanding How the Switch TopN Reports Utility Works 1


TopN Reports Overview 1
Running Switch TopN Reports without the Background Option 2
Running Switch TopN Reports with the Background Option 2
Running and Viewing Switch TopN Reports 3

CHAPTER 40 Configuring Multicast Services 1


Understanding How Multicasting Works 1
Multicasting and Multicast Services Overview 2
Understanding How IGMP Snooping Works 2
Understanding How GMRP Works 4

Understanding How RGMP Works 5


Suppressing Multicast Traffic 5
Nonreverse Path Forwarding Multicast Fast Drop 5
Enabling Installation of Directly Connected Subnets 6
Configuring IGMP Snooping 6
Default IGMP Snooping Configuration 7
Enabling IGMP Snooping 7
Specifying IGMP Snooping Mode 8
Enabling IGMP Rate Limiting 8
Enabling IGMP Fast-Leave Processing 9
Displaying Multicast Router Information 9
Displaying Multicast Group Information 10
Displaying IGMP Snooping Statistics 11
Disabling IGMP Fast-Leave Processing 12
Disabling IGMP Snooping 12
Configuring GMRP 12
GMRP Software Requirements 13
Default GMRP Configuration 13
Enabling GMRP Globally 13
Enabling GMRP on Individual Switch Ports 14
Disabling GMRP on Individual Switch Ports 14
Enabling GMRP Forward-All Option 15
Disabling GMRP Forward-All Option 15
Configuring GMRP Registration 16
Setting the GARP Timers 17
Displaying GMRP Statistics 19
Clearing GMRP Statistics 19
Disabling GMRP Globally on the Switch 19
Configuring Multicast Router Ports and Group Entries 20
Specifying Multicast Router Ports 20
Configuring Multicast Groups 21
Clearing Multicast Router Ports 21
Clearing Multicast Group Entries 22
Configuring RGMP 22
Configuring RGMP on the Supervisor Engine 22
Configuring RGMP on the MSFC 25
Displaying Multicast Protocol Status 25


CHAPTER 41 Configuring QoS 1

Understanding How QoS Works 1


Definitions 2
Flowcharts 3
QoS Feature Set Summary 8
Ethernet Ingress Port Marking, Scheduling, Congestion Avoidance, and Classification 10
Classification, Marking, and Policing with a Layer 3 Switching Engine 14
Classification and Marking with a Layer 2 Switching Engine 24
Ethernet Egress Port Scheduling, Congestion Avoidance, and Marking 24
QoS Statistics Data Export 27
QoS Default Configuration 28

Configuring QoS 30
Enabling QoS 31
Enabling Port-Based or VLAN-Based QoS 32
Configuring the Trust State of a Port 32
Configuring the CoS Value for a Port 33
Creating Policing Rules 34
Deleting Policing Rules 36
Creating or Modifying ACLs 37
Attaching ACLs to Interfaces 46
Detaching ACLs from Interfaces 46
Mapping a CoS Value to a Host Destination MAC Address/VLAN Pair 47
Deleting a CoS Value to a Host Destination MAC Address/VLAN Pair 47
Enabling or Disabling Microflow Policing of Bridged Traffic 48
Configuring Standard Receive-Queue Tail-Drop Thresholds 48
Configuring 2q2t Port Standard Transmit-Queue Tail-Drop Thresholds 49
Configuring Standard Transmit-Queue WRED-Drop Thresholds 49
Allocating Bandwidth Between Standard Transmit Queues 50
Configuring the Receive-Queue Size Ratio 51
Configuring the Transmit-Queue Size Ratio 51
Mapping CoS Values to Drop Thresholds 52
Configuring DSCP Value Maps 55
Displaying QoS Information 58
Displaying QoS Statistics 59
Reverting to QoS Defaults 60
Disabling QoS 60
Configuring COPS Support 60
Configuring RSVP Support 66
Configuring QoS Statistics Data Export 70


CHAPTER 42 Configuring ASLB 1

Hardware and Software Requirements 1

Understanding How ASLB Works 2


Layer 3 Operations for ASLB 3
Layer 2 Operations for ASLB 3
Client-to-Server Data Forwarding 4
Server-to-Client Data Forwarding 6

Cabling Guidelines 7

Configuring ASLB 7
Configuring the LocalDirector Interfaces 7
ASLB Configuration Guidelines 8
Configuring ASLB from the CLI 11
ASLB Configuration Example 19

ASLB Redundant Configuration Example 21


IP Addresses 22
MAC Addresses 23
Catalyst 6000 Family Switch 1 Configuration 23
Catalyst 6000 Family Switch 2 Configuration 23
Router 1 Configuration 23
Router 2 Configuration 24
LocalDirector Configuration 24
Troubleshooting the ASLB Configuration 25

CHAPTER 43 Configuring the Switch Fabric Modules 1


Understanding How the Switch Fabric Module Works 1
Configuring and Monitoring the Switch Fabric Module 2
Configuring a Fallback Option 3
Configuring the Switching Mode 3
Switch Fabric Redundancy 4
Monitoring the Switch Fabric Module 4
Configuring the LCD Banner 8

CHAPTER 44 Configuring a VoIP Network 1

Hardware and Software Requirements 1

Understanding How a VoIP Network Works 2


Cisco IP Phone 7960 2
Cisco CallManager 4
Access Gateways 4


How a Call Is Made 7

Understanding How VLANs Work 8

Configuring VoIP on a Switch 9


Voice-Related CLI Commands 9
Configuring Per-Port Power Management 10
Configuring Auxiliary VLANs on Catalyst LAN Switches 19
Configuring the Access Gateways 21
Displaying Active Call Information 27
Configuring QoS in the Cisco IP Phone 7960 29

INDEX

Preface

This preface describes who should read the Catalyst 6000 Family Software Configuration Guide, how it
is organized, and its document conventions.

Audience
This publication is for experienced network administrators who are responsible for configuring and
maintaining Catalyst 6000 family switches.

Organization
Note This publication includes the information that previously was in the Catalyst 6000 Family Multilayer
Switch Feature Card (12.x) and Policy Feature Card Configuration Guide.

This publication is organized as follows:

Chapter | Title | Description
Chapter 1 | Product Overview | Presents an overview of the Catalyst 6000 family switches.
Chapter 2 | Command-Line Interfaces | Describes how to use the command-line interface (CLI).
Chapter 3 | Configuring the Switch IP Address and Default Gateway | Describes how to perform a baseline configuration of the switch.
Chapter 4 | Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching | Describes how to configure Ethernet, Fast Ethernet, and Gigabit Ethernet switching.
Chapter 5 | Configuring Ethernet VLAN Trunks | Describes how to configure Inter-Switch Link (ISL) and IEEE 802.1Q VLAN trunks on Fast Ethernet and Gigabit Ethernet ports.
Chapter 6 | Configuring EtherChannel | Describes how to configure Fast EtherChannel and Gigabit EtherChannel port bundles.
Chapter 7 | Configuring IEEE 802.1Q Tunneling | Describes how to configure 802.1Q tunneling.
Chapter 8 | Configuring Spanning Tree | Describes how to configure the Spanning Tree Protocol and explains how spanning tree works.
Chapter 9 | Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard | Describes how to configure the spanning tree PortFast, UplinkFast, and BackboneFast features.
Chapter 10 | Configuring VTP | Describes how to configure VLAN Trunk Protocol (VTP) on the switch.
Chapter 11 | Configuring VLANs | Describes how to configure VLANs on the switch.
Chapter 12 | Configuring InterVLAN Routing | Describes how to configure interVLAN routing on the MSFC.
Chapter 13 | Configuring CEF for PFC2 | Describes how to configure Cisco Express Forwarding for Policy Feature Card 2 (CEF for PFC2).
Chapter 14 | Configuring MLS | Describes how to configure Multilayer Switching (MLS).
Chapter 15 | Configuring NDE | Describes how to configure NetFlow Data Export (NDE).
Chapter 16 | Configuring Access Control | Describes how to configure access control lists (ACLs).
Chapter 17 | Configuring GVRP | Describes how to configure GARP VLAN Registration Protocol (GVRP) on the switch.
Chapter 18 | Configuring Dynamic Port VLAN Membership with VMPS | Describes how to configure dynamic port VLAN membership on the switch using the VLAN Management Policy Server (VMPS).
Chapter 19 | Checking Port Status and Connectivity | Describes how to display information about modules and switch ports and how to check connectivity using ping, Telnet, and IP traceroute.
Chapter 20 | Administering the Switch | Describes how to set the system name, create a login banner, and perform other administrative tasks on the switch.
Chapter 21 | Configuring Switch Access Using AAA | Describes how to configure authentication, authorization, and accounting (AAA) to monitor and control access to the CLI.
Chapter 22 | Configuring Redundancy | Describes how to install and configure redundant supervisor engines and MSFCs in the Catalyst 6000 family switches.
Chapter 23 | Modifying the Switch Boot Configuration | Describes how to modify the switch boot configuration, including the BOOT environment variable and the configuration register.
Chapter 24 | Working With the Flash File System | Describes how to work with the Flash file system.
Chapter 25 | Working with System Software Images | Describes how to download and upload system software images.
Chapter 26 | Working with Configuration Files | Describes how to create, download, and upload switch configuration files.
Chapter 27 | Configuring System Message Logging | Describes how to configure system message logging (syslog).
Chapter 28 | Configuring DNS | Describes how to configure Domain Name System (DNS).
Chapter 29 | Configuring CDP | Describes how to configure Cisco Discovery Protocol (CDP).
Chapter 30 | Configuring UDLD | Describes how to configure the UniDirectional Link Detection (UDLD) protocol.
Chapter 31 | Configuring NTP | Describes how to configure Network Time Protocol (NTP).
Chapter 32 | Configuring Broadcast Suppression | Describes how to configure hardware and software broadcast suppression.
Chapter 33 | Configuring Layer 3 Protocol Filtering | Describes how to configure protocol filtering on Ethernet, Fast Ethernet, and Gigabit Ethernet ports.
Chapter 34 | Configuring the IP Permit List | Describes how to configure the IP permit list.
Chapter 35 | Configuring Port Security | Describes how to configure secure port filtering.
Chapter 36 | Configuring SNMP | Describes how to configure SNMP.
Chapter 37 | Configuring RMON | Describes how to configure Remote Monitoring (RMON).
Chapter 38 | Configuring SPAN and RSPAN | Describes how to configure the Switch Port Analyzer (SPAN) and Remote SPAN (RSPAN).
Chapter 39 | Using Switch TopN Reports | Describes how to generate switch TopN reports.
Chapter 40 | Configuring Multicast Services | Describes how to configure Internet Group Management Protocol (IGMP) snooping, GARP Multicast Registration Protocol (GMRP), and Router Group Management Protocol (RGMP).
Chapter 41 | Configuring QoS | Describes how to configure Quality of Service (QoS).
Chapter 42 | Configuring ASLB | Describes how to configure accelerated server load balancing (ASLB).
Chapter 43 | Configuring the Switch Fabric Modules | Describes how to configure the Switch Fabric Module.
Chapter 44 | Configuring a VoIP Network | Describes how to configure a Voice-over-IP (VoIP) network.

Related Documentation
The following publications are available for the Catalyst 6000 family switches:
• Catalyst 6000 Family Module Installation Guide
• Catalyst 6000 Family Command Reference
• ATM Software Configuration and Command Reference—Catalyst 5000 Family and
Catalyst 6000 Family Switches
• System Message Guide—Catalyst 6000 Family, Catalyst 5000 Family, and Catalyst 4000 Family,
Catalyst 2948G, and Catalyst 2980G
• Release Notes for Catalyst 6000 Family Software Release 6.x
• Cisco IOS Configuration Guides and Command References—Use these publications to help you
configure the Cisco IOS software that runs on the MSFC, MSM, and ATM modules.
• For information about MIBs, refer to
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


Conventions
Note Throughout this publication, except where noted, the term supervisor engine is used to refer to both
Supervisor Engine 1 and Supervisor Engine 2.

This publication uses the following conventions:

Convention | Description
boldface font | Commands, command options, and keywords are in boldface.
italic font | Arguments for which you supply values are in italics.
[ ] | Elements in square brackets are optional.
{x|y|z} | Alternative keywords are grouped in braces and separated by vertical bars.
[x|y|z] | Optional alternative keywords are grouped in brackets and separated by vertical bars.
string | A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
screen font | Terminal sessions and information the system displays are in screen font.
boldface screen font | Information you must enter is in boldface screen font.
italic screen font | Arguments for which you supply values are in italic screen font.
(pointer) | This pointer highlights an important line of text in an example.
^ | The symbol ^ represents the key labeled Control—for example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
< > | Nonprinting characters, such as passwords, are in angle brackets.

Notes use the following conventions:

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in
the publication.

Cautions use the following conventions:

Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.


Obtaining Documentation
Cisco provides several ways to obtain documentation, technical assistance, and other technical
resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
International Cisco web sites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM
package, which may have shipped with your product. The Documentation CD-ROM is updated monthly
and may be more current than printed documentation. The CD-ROM package is available as a single unit
or through an annual subscription.
Registered Cisco.com users can order the Documentation CD-ROM (product number
DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription

Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from
the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
• Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number
DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by
calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere
in North America, by calling 800 553-NETS (6387).


Documentation Feedback
You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click
Feedback at the top of the page.
You can e-mail your comments to [email protected].
You can submit your comments by mail by using the response card behind the front cover of your
document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

Obtaining Technical Assistance


Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a
starting point for all technical assistance. Customers and partners can obtain online documentation,
troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users
have complete access to the technical support resources on the Cisco TAC website, including TAC tools
and utilities.

Cisco.com
Cisco.com offers a suite of interactive, networked services that let you access Cisco information,
networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com provides a broad range of features and services to help you with these tasks:
• Streamline business processes and improve productivity
• Resolve technical issues with online support
• Download and test software packages
• Order Cisco learning materials and merchandise
• Register for online skill assessment, training, and certification programs
To obtain customized information and service, you can self-register on Cisco.com at this URL:
http://www.cisco.com

Technical Assistance Center


The Cisco TAC is available to all customers who need technical assistance with a Cisco product,
technology, or solution. Two levels of support are available: the Cisco TAC website and the Cisco TAC
Escalation Center. The avenue of support that you choose depends on the priority of the problem and the
conditions stated in service contracts, when applicable.


We categorize Cisco TAC inquiries according to urgency:


• Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities,
product installation, or basic product configuration.
• Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably
impaired, but most business operations continue.
• Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects
of business operations. No workaround is available.
• Priority level 1 (P1)—Your production network is down, and a critical impact to business operations
will occur if service is not restored quickly. No workaround is available.

Cisco TAC Website


You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The
site provides around-the-clock access to online tools, knowledge bases, and software. To access the
Cisco TAC website, go to this URL:
http://www.cisco.com/tac
All customers, partners, and resellers who have a valid Cisco service contract have complete access to
the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website
require a Cisco.com login ID and password. If you have a valid service contract but do not have a login
ID or password, go to this URL to register:
http://tools.cisco.com/RPF/register/register.do
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco
TAC website, you can open a case online at this URL:
http://www.cisco.com/en/US/support/index.html
If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC
website so that you can describe the situation in your own words and attach any necessary files.

Cisco TAC Escalation Center


The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These
classifications are assigned when severe network degradation significantly impacts business operations.
When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer
automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support
services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network
Supported Accounts (NSA). When you call the center, please have available your service agreement
number and your product serial number.


Obtaining Additional Publications and Information


Information about Cisco products, technologies, and network solutions is available from various online
and printed sources.
• The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as
ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
• Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new
and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking
Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design
Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:
http://www.ciscopress.com
• Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest
information about the field of networking. You can access Packet magazine at this URL:
http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html
• iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers
with the latest information about the networking industry. You can access iQ Magazine at this URL:
http://business.cisco.com/prod/tree.taf%3fasset_id=44699&public_view=true&kbns=1.html
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering
professionals involved in the design, development, and operation of public and private internets and
intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html
• Training—Cisco offers world-class networking training, with current offerings in network training
listed at this URL:
http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html

CHAPTER 1
Product Overview

The Catalyst 6000 family switches support the following configurations:


• Supervisor Engine 2, Policy Feature Card 2 (PFC2), and Multilayer Switch Feature Card 2 (MSFC2)
• Supervisor Engine 2 and PFC2
• Supervisor Engine 1, PFC, and MSFC or MSFC2
• Supervisor Engine 1 and PFC
• Supervisor Engine 1

Note The Switch Fabric Module is supported only in Catalyst 6500 series switches.

Refer to the Release Notes for Catalyst 6000 Family Software Release 6.x publication for complete
information about the chassis, modules, software features, protocols, and MIBs supported by the
Catalyst 6000 family switches.

Note This publication includes the information that previously was in the Catalyst 6000 Family Multilayer
Switch Feature Card (12.x) and Policy Feature Card Configuration Guide.

CHAPTER 2
Command-Line Interfaces

This chapter describes the command-line interface (CLI) you use to configure the Catalyst 6000 family
switches and Ethernet modules. For descriptions of all switch and ROM monitor commands, refer to the
Catalyst 6000 Family Command Reference publication.

Note For a description of the ATM Cisco IOS CLI and commands, refer to the ATM Software
Configuration Guide and Command Reference—Catalyst 5000 Family and 6000 Family Switches
publication. For a description of the Multilayer Switch Module (MSM) IOS CLI and commands,
refer to the Multilayer Switch Module Installation and Configuration Note.

This chapter consists of these sections:


• Catalyst Command-Line Interface, page 2-1
• MSFC Command-Line Interface, page 2-8

Catalyst Command-Line Interface


These sections describe the Catalyst CLI:
• ROM-Monitor Command-Line Interface, page 2-1
• Switch Command-Line Interface, page 2-2

ROM-Monitor Command-Line Interface


The ROM monitor is a ROM-based program that executes upon platform power-up, reset, or when a fatal
exception occurs. The system enters ROM-monitor mode if the switch does not find a valid system
image, if the NVRAM configuration is corrupted, or if the configuration register is set to enter
ROM-monitor mode. From the ROM-monitor mode, you can load a system image manually from Flash
memory, from a network server file, or from bootflash.
You can enter ROM-monitor mode by restarting the switch and pressing the Break key during the first
60 seconds of startup.

Note The Break key is always enabled for 60 seconds after rebooting the system, regardless of whether the
Break key is configured to be off by configuration register settings.


To access the ROM monitor through a terminal server, you can escape to the Telnet prompt and enter
the send break command for your terminal emulation program to break into ROM-monitor mode.
Once you are in ROM-monitor mode, the prompt changes to rommon>. Use the ? command to see the
available ROM-monitor commands.

Switch Command-Line Interface


The switch CLI is a basic command-line interpreter, similar to the UNIX C shell.
These sections describe how to use the switch CLI:
• Accessing the Switch CLI, page 2-2
• Accessing the MSFC from the Switch, page 2-3
• Working With the Command-Line Interface, page 2-5

Accessing the Switch CLI


You can access the CLI through the supervisor engine console port or through a Telnet session.
These sections describe how to access the switch CLI:
• Accessing the CLI through the Console Port, page 2-2
• Accessing the CLI through Telnet, page 2-3

Accessing the CLI through the Console Port

To access the switch CLI through the console port, you must connect a console terminal to the console
port through an EIA/TIA-232 (RS-232) cable.

Note For complete information on how to connect to the supervisor engine console port, refer to the
hardware documentation for your switch.

To access the switch through the console port, perform this task:

Task | Command
Step 1 | Initiate a connection from the terminal to the switch console prompt and press Return. | —
Step 2 | At the prompt, enter the system password. The Console> prompt appears, indicating that you have accessed the CLI in normal mode. | —
Step 3 | If necessary, enter privileged mode (you must enter privileged mode to change the switch configuration). | enable
Step 4 | Enter the necessary commands to complete the desired tasks. | —
Step 5 | When finished, exit the session. | exit


After accessing the switch through the console port, you see this display:
Cisco Systems Console
Enter password:
Console>

Accessing the CLI through Telnet

Before you can open a Telnet session to the switch, you must first set the IP address for the switch. For
information about setting the IP address, see the “Assigning the In-Band (sc0) Interface IP Address”
section on page 3-5. Up to eight simultaneous Telnet sessions are supported. Telnet sessions disconnect
automatically after remaining idle for a set time period.
To access the switch CLI from a remote host using Telnet, perform this task:

Task | Command
Step 1 | From the remote host, enter the telnet command and the name or IP address of the switch you want to access. | telnet {hostname | ip_addr}
Step 2 | At the prompt, enter the password for the CLI. If no password has been configured, press Return. | —
Step 3 | Enter the necessary commands to complete your desired tasks. | —
Step 4 | When finished, exit the Telnet session. | exit

This example shows how to open a Telnet session to the switch:


unix_host% telnet Catalyst_1
Trying 172.16.10.10...
Connected to Catalyst_1.
Escape character is '^]'.

Cisco Systems Console

Enter password:
Catalyst_1>

Accessing the MSFC from the Switch


These sections describe how to access the Multilayer Switch Feature Card (MSFC) from a directly
connected console port or from a Telnet session:
• Accessing the MSFC from the Console Port, page 2-4
• Accessing the MSFC from a Telnet Session, page 2-4
See the “MSFC Command-Line Interface” section on page 2-8.


Accessing the MSFC from the Console Port

You can enter the switch console command to access the MSFC from the switch CLI directly connected
to the supervisor engine console port. To exit from the MSFC CLI and return to the switch CLI, enter
^C^C^C at the Router> prompt.
To access the MSFC from the switch CLI, perform this task:

Task | Command
Access the MSFC from the switch CLI. | switch console [mod] (1)

(1) The mod keyword specifies the module number of the MSFC; either 15 (if the MSFC is installed on the supervisor engine in slot 1) or 16 (if the MSFC is installed on the supervisor engine in slot 2). If no module number is specified, the console will switch to the MSFC on the active supervisor engine.

Note To access the Cisco IOS CLI on the standby MSFC, connect to the console port of the standby
supervisor engine.

This example shows how to access the active MSFC from the switch CLI from the active supervisor
engine, and how to exit the MSFC CLI and return to the switch CLI:
Console> (enable) switch console 15
Trying Router-15...
Connected to Router-15.
Type ^C^C^C to switch back...
Router> ^C^C^C
Console> (enable)

Accessing the MSFC from a Telnet Session

You can enter the session mod command to access the MSFC from the switch CLI using a Telnet session.
To exit from the MSFC CLI back to the switch CLI, enter the exit command at the Router> prompt.

Note The supervisor engine software sees the MSFC as module 15 (when installed on a supervisor engine
in slot 1) or module 16 (when installed on a supervisor engine in slot 2).

This example shows how to access the MSFC from the switch CLI, and how to exit the MSFC CLI and
return to the switch CLI:
Console> (enable) session 15
Router> exit
Console> (enable)


Working With the Command-Line Interface


These sections describe how to work with the switch CLI:
• Switch CLI Command Modes, page 2-5
• Designating Modules, Ports, and VLANs on the Command Line, page 2-5
• Designating MAC Addresses, IP Addresses, and IP Aliases, page 2-6
• Command Line Editing, page 2-6
• History Substitution, page 2-7
• Accessing Command Help, page 2-8

Switch CLI Command Modes

The switch CLI supports two modes of operation: normal and privileged. Both modes are password
protected. Enter normal-mode commands for everyday system monitoring. Enter privileged-mode
commands to configure the system and perform basic troubleshooting.
After you log in, the system enters normal mode automatically, which gives you access to normal-mode
commands only. You can access privileged mode by entering the enable command followed by the
privileged-mode password. To return to normal mode, enter the disable command at the prompt.
This example shows how to enter privileged mode:
Console> enable
Enter Password: <password>
Console> (enable)

Designating Modules, Ports, and VLANs on the Command Line

Switch commands are not case sensitive. You can abbreviate commands and parameters as long as they
contain enough letters to be distinguished from any other currently available commands or parameters.
Catalyst 6000 family switches are multimodule systems. Commands you enter from the CLI might apply
to the entire system or to a specific module, port, or VLAN.
Modules, ports, and VLANs are numbered starting with 1. The supervisor engine is module 1, residing
in slot 1. If your switch has a redundant supervisor engine, the supervisor engines reside in slots 1 and 2.
To designate a specific module, use the module number.
Port 1 is always the left-most port. To designate a specific port on a specific module, the command
syntax is mod/port. For example, 3/1 denotes module 3, port 1. In some commands, such as set trunk
and set port channel, you can enter lists of ports.
To specify a range of ports, use a comma-separated list (do not insert spaces) to specify individual ports
or a hyphen (-) between the port numbers to specify a range of ports. Hyphens take precedence over
commas.
Table 2-1 shows examples of how to designate ports and port ranges.

Table 2-1 Designating Ports and Port Ranges

Example          Function
2/1              Specifies port 1 on module 2
3/4-8            Specifies ports 4, 5, 6, 7, and 8 on module 3
5/2,5/4,6/10     Specifies ports 2 and 4 on module 5 and port 10 on module 6
3/1-2,4/8        Specifies ports 1 and 2 on module 3 and port 8 on module 4

VLANs are identified using the VLAN ID, a single number associated with the VLAN. To specify a list
of VLANs, use a comma-separated list (do not insert spaces) to specify individual VLANs or a hyphen
(-) between the VLAN numbers to specify a range of VLANs.
Table 2-2 shows examples of how to designate VLANs and VLAN ranges.

Table 2-2 Designating VLANs and VLAN Ranges

Example          Function
10               Specifies VLAN 10
5,10,15          Specifies VLANs 5, 10, and 15
10-50,500        Specifies VLANs 10 through 50, inclusive, and VLAN 500

Designating MAC Addresses, IP Addresses, and IP Aliases

Some commands require a MAC address, IP address, or IP alias, which must be designated in a standard
format. The MAC address format must be six hexadecimal numbers separated by hyphens, as shown in
the following example:
00-00-0c-24-d2-fe

The IP address format is 32 bits, written as 4 octets separated by periods (dotted decimal format) that
are made up of a network section, an optional subnet section, and a host section, as shown in the
following example:
126.2.54.1

If you have configured IP aliases on the switch, you can use IP aliases in place of the dotted decimal IP
address. This is true for most commands that use an IP address, except for commands that define the IP
address or IP alias. For information on using IP aliases, see the “Defining IP Aliases” section on
page 20-6.
If DNS is configured on the switch, you can use DNS host names in place of IP addresses. For
information on configuring DNS, see Chapter 28, “Configuring DNS.”
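The port, VLAN, MAC address, and IP address formats described above are easy to get subtly wrong in automation (a stray space, a hyphen inside a comma list, a colon-separated MAC). The following Python is an added example, not part of this guide or of the switch software: it parses mod/port and VLAN lists exactly as the text specifies (comma-separated items, hyphen ranges binding tighter than commas, no spaces, numbering from 1) and validates the two address formats. The is_valid_ipv4 helper is an assumption added for completeness; the guide only states the dotted decimal form.

```python
import re

# MAC address format from this section: six hexadecimal bytes separated by hyphens.
_MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5}$")


def _expand_range(token):
    """Expand a single number or an 'a-b' range into a list of ints.
    Hyphens bind tighter than commas, so each comma item is expanded separately."""
    if "-" in token:
        lo_text, hi_text = token.split("-", 1)
        lo, hi = int(lo_text), int(hi_text)
        if lo < 1 or hi < lo:
            raise ValueError(f"bad range {token!r}")
        return list(range(lo, hi + 1))
    value = int(token)
    if value < 1:
        raise ValueError(f"numbering starts at 1, got {token!r}")
    return [value]


def parse_ports(spec):
    """'3/1-2,4/8' -> [(3, 1), (3, 2), (4, 8)]; each item must be mod/port or mod/lo-hi."""
    if not spec or " " in spec:
        raise ValueError("port list must be non-empty and contain no spaces")
    ports = []
    for item in spec.split(","):
        mod_text, slash, port_text = item.partition("/")
        if not slash or not mod_text.isdigit():
            raise ValueError(f"expected mod/port, got {item!r}")
        module = int(mod_text)
        if module < 1:
            raise ValueError(f"module numbers start at 1, got {item!r}")
        ports.extend((module, port) for port in _expand_range(port_text))
    return ports


def parse_vlans(spec):
    """'10-50,500' -> [10, 11, ..., 50, 500]"""
    if not spec or " " in spec:
        raise ValueError("VLAN list must be non-empty and contain no spaces")
    vlans = []
    for item in spec.split(","):
        vlans.extend(_expand_range(item))
    return vlans


def is_valid_mac(text):
    """True only for the hyphen-separated form the switch expects, e.g. 00-00-0c-24-d2-fe."""
    return _MAC_RE.match(text) is not None


def is_valid_ipv4(text):
    """Dotted decimal: exactly four decimal octets in 0-255 (added helper, an assumption)."""
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)
```

Any ValueError from these functions is the signal to reject a generated command before it reaches the switch, rather than relying on the CLI's own error message.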

Command Line Editing

You can scroll through the last 20 commands stored in the history buffer, and enter or edit the command
at the prompt. Table 2-3 lists the keyboard shortcuts to use when entering and editing switch commands.

Table 2-3 Command-Line Editing Keyboard Shortcuts

Keystroke                          Function
Ctrl-A                             Jumps to the first character of the command line.
Ctrl-B or the left arrow key       Moves the cursor back one character.
Ctrl-C                             Escapes and terminates prompts and tasks.
Ctrl-D                             Deletes the character at the cursor.
Ctrl-E                             Jumps to the end of the current command line.
Ctrl-F or the right arrow key (1)  Moves the cursor forward one character.
Ctrl-K                             Deletes from the cursor to the end of the command line.
Ctrl-L; Ctrl-R                     Repeats current command line on a new line.
Ctrl-N or the down arrow key (1)   Enters next command line in the history buffer.
Ctrl-P or the up arrow key (1)     Enters previous command line in the history buffer.
Ctrl-U; Ctrl-X                     Deletes from the cursor to the beginning of the command line.
Ctrl-W                             Deletes last word typed.
Esc B                              Moves the cursor back one word.
Esc D                              Deletes from the cursor to the end of the word.
Esc F                              Moves the cursor forward one word.
Delete key or Backspace key        Erases mistake when entering a command; reenter command after
                                   using this key.
1. The arrow keys function only on ANSI-compatible terminals such as VT100s.

History Substitution

The history buffer stores the last 20 commands you entered during a terminal session. History
substitution allows you to access these commands without retyping them, by using special abbreviated
commands. Table 2-4 lists the history substitution commands.

Table 2-4 History Substitution Commands

Command Function
Repeating recent commands:
!! Repeat the most recent command.
!-nn Repeat the nnth most recent command.
!n Repeat command n.
!aaa Repeat the command beginning with string aaa.
!?aaa Repeat the command containing the string aaa.
To modify and repeat the most recent command:
^aaa^bbb Replace the string aaa with the string bbb in the most recent command.
To add a string to the end of a previous command and repeat it:
!!aaa Add string aaa to the end of the most recent command.
!n aaa Add string aaa to the end of command n.
!aaa bbb Add string bbb to the end of the command beginning with string aaa.
!?aaa bbb Add string bbb to the end of the command containing the string aaa.
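To make the substitution forms in Table 2-4 concrete, here is a small Python model of the 20-entry history buffer and every expression in the table. It is an added example, not the switch software, and it assumes two details the table leaves open: commands are numbered from 1 in the order entered (so "!n" keeps working after older entries are dropped), and an appended string is added exactly as typed, including any leading space.

```python
import re


class CommandHistory:
    """Model of the 20-entry history buffer and the substitution forms of Table 2-4
    (added example; not the switch software itself)."""

    def __init__(self, size=20):
        self.size = size
        self.entries = []      # (command number, text), oldest first
        self.next_number = 1   # assumption: commands are numbered from 1 per session

    def record(self, command):
        """Store a command as entered; the oldest entry is dropped once the buffer is full."""
        self.entries.append((self.next_number, command))
        self.next_number += 1
        if len(self.entries) > self.size:
            self.entries.pop(0)

    def _most_recent(self):
        if not self.entries:
            raise LookupError("history buffer is empty")
        return self.entries[-1][1]

    def _select(self, selector):
        """Resolve the selector part of a '!' expression to a stored command."""
        newest_first = list(reversed(self.entries))
        if selector == "!":                         # !!    most recent command
            return self._most_recent()
        m = re.fullmatch(r"-(\d+)", selector)       # !-nn  nn-th most recent command
        if m:
            n = int(m.group(1))
            if not 1 <= n <= len(newest_first):
                raise LookupError(f"no {n}th most recent command")
            return newest_first[n - 1][1]
        if re.fullmatch(r"\d+", selector):          # !n    command number n
            for number, text in self.entries:
                if number == int(selector):
                    return text
            raise LookupError(f"command {selector} is no longer in the history buffer")
        if selector.startswith("?"):                # !?aaa newest command containing aaa
            needle = selector[1:]
            for _, text in newest_first:
                if needle in text:
                    return text
            raise LookupError(f"no command contains {needle!r}")
        for _, text in newest_first:                # !aaa  newest command beginning with aaa
            if text.startswith(selector):
                return text
        raise LookupError(f"no command begins with {selector!r}")

    def expand(self, line):
        """Return the command that 'line' stands for; ordinary lines come back unchanged."""
        if line.startswith("^"):                    # ^aaa^bbb  substitute in most recent command
            m = re.fullmatch(r"\^(.*?)\^(.*)", line)
            if not m:
                raise ValueError("expected ^aaa^bbb")
            old, new = m.group(1), m.group(2)
            recent = self._most_recent()
            if old not in recent:
                raise LookupError(f"{old!r} not found in the most recent command")
            return recent.replace(old, new, 1)
        if not line.startswith("!"):
            return line
        body = line[1:]
        if body.startswith("!") or body.startswith("-") or body[:1].isdigit():
            m = re.match(r"(!|-?\d+)", body)        # selector ends where the digits end
        else:
            m = re.match(r"\S+", body)              # selector is the string aaa, up to a space
        if not m:
            raise ValueError("malformed history expression")
        selector, suffix = m.group(0), body[m.end():]
        # Whatever follows the selector is appended (last four rows of Table 2-4).
        return self._select(selector) + suffix
```

Call record() with each command as entered and expand() on the next line typed; the result of expand() is what the switch would execute.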


Accessing Command Help

Enter help or ? in normal or privileged mode to see the commands available in those modes. On selected
commands, entering help or ? after a command provides additional information, such as a command
usage description. Command usage, the help menu, and when appropriate, parameter ranges are
provided if you enter a command using the wrong number of arguments or inappropriate arguments.
Additionally, appending help or ? to a command category displays a list of commands in that category.

MSFC Command-Line Interface


These sections describe the MSFC CLI:
• Cisco IOS Command Modes, page 2-8
• Cisco IOS Command-Line Interface, page 2-10

Note In addition to the methods described in the “Accessing the MSFC from the Switch” section on
page 2-3, you can configure IOS to support direct Telnet access to the MSFC. Refer to “Configuring
Authentication” in the Cisco IOS Security Configuration Guide:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt1/scdathen.htm

Cisco IOS Command Modes


The Cisco IOS user interface is divided into many different modes. The commands available to you
depend on which mode you are currently in. To get a list of the commands in a given mode, type a
question mark (?) at the system prompt. For more information, see the “Getting a List of IOS Commands
and Syntax” section on page 2-9.
When you start a session on the switch, you begin in user mode, often called user EXEC mode. Only a
limited subset of the commands are available in EXEC mode. To have access to all commands, you must
enter privileged EXEC mode. Normally, you must type in a password to access privileged EXEC mode.
From privileged EXEC mode, you can type in any EXEC command or access global configuration mode.
Most of the EXEC commands are one-time commands, such as show commands, which show the current
configuration status, and clear commands, which clear counters or interfaces. The EXEC commands are
not saved across reboots of the switch.
The configuration modes allow you to make changes to the running configuration. If you later save the
configuration, these commands are stored across switch reboots. You must start at global configuration
mode. From global configuration mode, you can enter interface configuration mode, subinterface
configuration mode, and a variety of protocol-specific modes.
ROM monitor mode is a separate mode used when the switch cannot boot properly. For example, the
switch might enter ROM monitor mode if it does not find a valid system image when it is booting, or if
its configuration file is corrupted at startup. For more information, see the “ROM-Monitor
Command-Line Interface” section on page 2-1.
Table 2-5 lists and describes the most commonly used Cisco IOS modes.


Table 2-5 Frequently Used IOS Command Modes

Mode: User EXEC
  Description of use: Connect to remote devices, change terminal settings on a temporary basis,
  perform basic tests, and display system information.
  How to access: Log in.
  Prompt: Router>

Mode: Privileged EXEC (enable)
  Description of use: Set operating parameters. The privileged command set includes the commands
  in user EXEC mode as well as the configure command. Use this command to access the other
  command modes.
  How to access: From the user EXEC mode, enter the enable command and the enable password.
  Prompt: Router#

Mode: Global configuration
  Description of use: Configure features that affect the system as a whole.
  How to access: From the privileged EXEC mode, enter the configure terminal command.
  Prompt: Router(config)#

Mode: Interface configuration
  Description of use: Many features are enabled for a particular interface. Interface commands
  enable or modify the operation of a Gigabit Ethernet or Fast Ethernet interface.
  How to access: From global configuration mode, enter the interface type location command.
  Prompt: Router(config-if)#

Mode: Console configuration
  Description of use: From the directly connected console or the virtual terminal used with
  Telnet, use this configuration mode to configure the console interface.
  How to access: From global configuration mode, enter the line console 0 command.
  Prompt: Router(config-line)#

The Cisco IOS command interpreter, called the EXEC, interprets and executes the commands you enter.
You can abbreviate commands and keywords by entering just enough characters to make the command
unique from other commands. For example, you can abbreviate the show command to sh and the
configure terminal command to config t.
When you type exit, the switch backs out one level. To exit configuration mode completely and return
to privileged EXEC mode, press Ctrl-Z.

Getting a List of IOS Commands and Syntax


In any command mode, you can get a list of available commands by entering a question mark (?).
Router> ?

To obtain a list of commands that begin with a particular character sequence, type in those characters
followed by the question mark (?). Do not include a space. This form of help is called word help, because
it completes a word for you.
Router# co?
configure


To list keywords or arguments, enter a question mark in place of a keyword or argument. Include a space
before the question mark. This form of help is called command syntax help, because it reminds you
which keywords or arguments are applicable based on the command, keywords, and arguments you have
already entered.
Router# configure ?
memory Configure from NV memory
network Configure from a TFTP network host
overwrite-network Overwrite NV memory from TFTP network host
terminal Configure from the terminal
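The abbreviation rule (enter just enough characters to make a command unique) and the two help forms above (word help with no space before the question mark, command syntax help with a space) follow the same prefix-matching logic, which also governs the switch CLI described under "Designating Modules, Ports, and VLANs on the Command Line". The following Python is an added example, not Cisco code; it works on a small constructed command tree (the top-level commands and the configure keywords shown on this page) rather than the real IOS command set, so its listings differ from what a router prints.

```python
# Constructed command tree (assumption: a tiny subset, not the real IOS command set).
# Each key is a command or keyword; its value is the tree of keywords that may follow.
COMMAND_TREE = {
    "clear": {},
    "configure": {"memory": {}, "network": {}, "overwrite-network": {}, "terminal": {}},
    "copy": {},
    "disable": {},
    "enable": {},
    "exit": {},
    "show": {"interface": {}, "running-config": {}, "startup-config": {}},
}


def resolve_word(word, candidates):
    """Return the one candidate that 'word' abbreviates; an exact match beats prefixes.
    Raises ValueError when the abbreviation is unknown or ambiguous."""
    w = word.lower()
    if w in candidates:
        return w
    matches = sorted(c for c in candidates if c.startswith(w))
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"unknown command or keyword {word!r}")
    raise ValueError(f"ambiguous abbreviation {word!r}: could be {', '.join(matches)}")


def _walk(words, tree):
    """Descend the tree word by word, resolving abbreviations, and return the last node."""
    node = tree
    for word in words:
        full = resolve_word(word, node)
        node = node[full]
    return node


def resolve_line(line, tree=COMMAND_TREE):
    """'config t' -> 'configure terminal': every word is expanded to its full form."""
    words = line.split()
    if not words:
        raise ValueError("empty command line")
    node, expanded = tree, []
    for word in words:
        if not node:
            raise ValueError(f"unexpected argument {word!r} after {' '.join(expanded)!r}")
        full = resolve_word(word, node)
        expanded.append(full)
        node = node[full]
    return " ".join(expanded)


def help_for(line, tree=COMMAND_TREE):
    """Word help ('co?') lists completions of the partial word; command syntax help
    ('configure ?') lists the keywords that may follow what was already entered."""
    if not line.endswith("?"):
        raise ValueError("a help request ends with ?")
    body = line[:-1]
    if body == "" or body.endswith(" "):          # space before ?: command syntax help
        node = _walk(body.split(), tree) if body.strip() else tree
        return sorted(node)
    words = body.split()                          # no space: word help on the last word
    node = _walk(words[:-1], tree) if len(words) > 1 else tree
    partial = words[-1].lower()
    return sorted(k for k in node if k.startswith(partial))
```

The same resolver is what a change-review script needs when it normalizes abbreviated commands pasted from a console log before comparing them against an approved configuration.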

To redisplay a command you previously entered, press the up-arrow key or Ctrl-P. You can continue to
press the up-arrow key to see the last 20 commands you entered.

Tip If you are having trouble entering a command, check the system prompt, and enter the question mark
(?) for a list of available commands. You might be in the wrong command mode or using incorrect
syntax.

Press Ctrl-Z in any mode to immediately return to privileged EXEC mode. Enter exit to return to the
previous mode.

Cisco IOS Command-Line Interface


These sections describe basic Cisco IOS configuration tasks you need to understand before you
configure routing:
• Accessing Cisco IOS Configuration Mode, page 2-10
• Viewing and Saving the Cisco IOS Configuration, page 2-11
• Bringing Up an MSFC Interface, page 2-11

Accessing Cisco IOS Configuration Mode


To access the Cisco IOS configuration mode, perform this task:

Note Enter the switch console command to access the MSFC from the switch CLI when directly connected
to the supervisor engine console port. To access the MSFC from a Telnet session, see the “Accessing
the MSFC from a Telnet Session” section on page 2-4.

Task                                                       Command
Step 1  If you are in the switch CLI, enter the MSFC CLI.  Console> switch console [mod]
Step 2  At the EXEC prompt, enter enable mode.             Router> enable
Step 3  At the privileged EXEC prompt, enter global        Router# configure terminal
        configuration mode.
Step 4  Enter the commands to configure routing.           (Refer to the appropriate configuration
                                                           tasks later in this chapter.)
Step 5  Exit configuration mode.                           Router(config)# Ctrl-Z

Viewing and Saving the Cisco IOS Configuration


To view and save the configuration after you make changes, perform this task:

Task                                                       Command
Step 1  View the current operating configuration at the    Router# show running-config
        privileged EXEC prompt.
Step 2  View the configuration in NVRAM.                   Router# show startup-config
Step 3  Save the current configuration to NVRAM.           Router# copy running-config startup-config

Bringing Up an MSFC Interface


In some cases, an MSFC interface might be administratively shut down. You can check the status of an
interface using the show interface command.

Note In a redundant supervisor engine setup, if an interface on one MSFC is shut down, the matching
VLAN interface on the redundant MSFC will stop forwarding packets. Therefore, you should
manually shut down the matching interface on the redundant MSFC.

To bring up an MSFC interface that is administratively shut down, perform this task in privileged mode:

Task                                        Command
Step 1  Specify the interface to bring up.  Router(config)# interface interface_type interface_num
Step 2  Bring the interface up.             Router(config-if)# no shutdown
Step 3  Exit configuration mode.            Router(config-if)# Ctrl-Z

CHAPTER 3
Configuring the Switch IP Address and Default Gateway

This chapter describes how to configure the IP address, subnet mask, and default gateway on the
Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding the Switch Management Interfaces, page 3-1
• Understanding Automatic IP Configuration, page 3-2
• Preparing to Configure the IP Address and Default Gateway, page 3-4
• Booting the MSFC for the First Time, page 3-4
• Default IP Address and Default Gateway Configuration, page 3-5
• Assigning the In-Band (sc0) Interface IP Address, page 3-5
• Configuring Default Gateways, page 3-6
• Configuring the SLIP (sl0) Interface on the Console Port, page 3-7
• Using BOOTP, DHCP, or RARP to Obtain an IP Address, page 3-9
• Renewing and Releasing a DHCP-Assigned IP Address, page 3-10

Understanding the Switch Management Interfaces


Catalyst 6000 family switches have two configurable IP management interfaces, the in-band (sc0)
interface and the Serial Line Internet Protocol (SLIP) (sl0) interface.
The in-band (sc0) management interface is connected to the switching fabric and participates in all of
the functions of a normal switch port, such as spanning tree, Cisco Discovery Protocol (CDP), VLAN
membership, and so forth. The out-of-band management interface (sl0) is not connected to the switching
fabric and does not participate in any of these functions.


When you configure the IP address, subnet mask, broadcast address, and VLAN membership of the sc0
interface, you can access the switch through Telnet or Simple Network Management Protocol (SNMP).
When you configure the SLIP (sl0) interface, you can open a point-to-point connection to the switch
through the console port from a workstation.
All IP traffic generated by the switch itself (for example, a Telnet session opened from the switch to a
host) is forwarded according to the entries in the switch IP routing table. For intersubnetwork
communication to occur, you must configure at least one default gateway for the sc0 interface. The
switch IP routing table is used to forward traffic originating on the switch only, not for forwarding traffic
sent by devices connected to the switch.

Understanding Automatic IP Configuration


These sections describe how the switch can obtain its IP configuration automatically:
• Automatic IP Configuration Overview, page 3-2
• Understanding How DHCP Works, page 3-2
• Understanding How BOOTP and RARP Work, page 3-3

Automatic IP Configuration Overview


The switch can obtain its IP configuration automatically using one of the following protocols:
• Bootstrap Protocol (BOOTP)
• Dynamic Host Configuration Protocol (DHCP)
• Reverse Address Resolution Protocol (RARP)
The switch makes BOOTP, DHCP, and RARP requests only if the sc0 interface IP address is set to
0.0.0.0 when the switch boots up. This address is the default for a new switch or a switch whose
configuration file has been cleared using the clear config all command. BOOTP, DHCP, and RARP
requests are only broadcast out the sc0 interface.

Note If the CONFIG_FILE environment variable is set, all configuration files are processed before the
switch determines whether to broadcast BOOTP, DHCP, and RARP requests. For more information
about the CONFIG_FILE environment variable, see Chapter 23, “Modifying the Switch Boot
Configuration.”

Understanding How DHCP Works


There are three methods for obtaining an IP address from the DHCP server:
• Manual allocation—The network administrator maps the switch MAC address to an IP address at
the DHCP server.
• Automatic allocation—The switch obtains an IP address when it first contacts the DHCP server. The
address is permanently assigned to the switch.
• Dynamic allocation—The switch obtains a “leased” IP address for a specified period of time. The
IP address is revoked at the end of this period, and the switch surrenders the address. The switch
must request another IP address.


In addition to the sc0 interface IP address, the switch can obtain the subnet mask, broadcast address, and
default gateway address. DHCP-learned values are not used if user-configured values are present.
The switch broadcasts a DHCPDISCOVER message one to ten seconds after all of the switch ports are
online. The switch always requests an infinite lease time in the DHCPDISCOVER message.
If a DHCP or Bootstrap Protocol (BOOTP) server responds to the request, the switch takes appropriate
action. If a DHCPOFFER message is received from a DHCP server, the switch processes all supported
options contained in the message. Table 3-1 shows the supported DHCP options. Other options specified
in the DHCPOFFER message are ignored.

Table 3-1 Supported DHCP Options

Code Option
1 Subnet mask
2 Time offset
3 Router
6 Domain name server
12 Host name
15 Domain name
28 Broadcast address
33 Static route
42 NTP servers
51 IP address lease time
52 Option overload
61 Client-identifier
66 TFTP server name

If a BOOTP response is received from a BOOTP server, the switch sets the in-band (sc0) interface IP
address to the address specified in the BOOTP response.
If no DHCPOFFER message or BOOTP response is received in reply, the switch rebroadcasts the
request using an exponential backoff algorithm (the amount of time between requests increases
exponentially). If no response is received after ten minutes, the sc0 interface IP address remains set to
0.0.0.0 (provided that BOOTP and RARP requests fail as well).
If you reset or power cycle a switch with a DHCP- or BOOTP-obtained IP address, the information
learned from DHCP or BOOTP is retained. At bootup, the switch attempts to renew the lease on the IP
address. If no reply is received, the switch retains the current IP address.

Understanding How BOOTP and RARP Work


With BOOTP and RARP, you map the switch MAC address to an IP address on the BOOTP or RARP
server. The switch retrieves its IP address from the server automatically when it boots up.
The switch broadcasts 10 BOOTP and RARP requests after all of the switch ports are online. If a
response is received, the switch sets the in-band (sc0) interface IP address to the address specified in the
response.


If no reply is received, the sc0 interface IP address remains set to 0.0.0.0 (provided that DHCP requests
fail as well).
If you reset or power cycle a switch with a BOOTP or RARP-obtained IP address, the information
learned from BOOTP or RARP is retained.

Preparing to Configure the IP Address and Default Gateway


Before you configure the switch IP address and default gateway, obtain the following information, as
appropriate:
• IP address for the switch (sc0 interface only)
• Subnet mask/number of subnet bits (sc0 interface only)
• (Optional) Broadcast address (sc0 interface only)
• VLAN membership (sc0 interface only)
• SLIP and SLIP destination addresses (sl0 interface only)
• Interface connection type
– In-band (sc0) interface: Configure this interface when assigning an IP address, subnet mask, and
VLAN to the in-band management interface on the switch.
– SLIP (sl0) interface: Configure this interface when setting up a point-to-point SLIP connection
between a terminal and the switch.

Booting the MSFC for the First Time


Two Multilayer Switch Feature Card (MSFC) images are provided on the MSFC bootflash: a boot loader
image and a system image. The boot loader image is a limited function system image that has network
interface code and end-host protocol code. The system image is the main Cisco IOS software image with
full multiprotocol routing support.
As shipped, the MSFC is configured to boot the boot loader image first, which then boots the system
image from the bootflash. However, if a Flash PC card is available on the supervisor engine, we
recommend that you store all new system images (upgrades) on the supervisor engine Flash PC card
instead of the bootflash on the MSFC. The boot loader image must stay on the MSFC bootflash.

Caution Do not erase the boot loader image; this image must always remain as the first image on the MSFC
bootflash as it is always used as the first image to boot.

Note Before you can use a system image stored on the supervisor engine Flash PC card, you must set the
BOOTLDR environment variable. In privileged mode, enter the boot bootldr
bootflash:boot_loader_image command.

To store the system image on the supervisor Flash PC card, you need to change the configuration on the
MSFC to boot the MSFC from the appropriate image on the Flash PC card by adding the following
command to the MSFC configuration:
boot sup-slot0:system_image

In the above example, system_image is the name of the desired image on the supervisor Flash PC card.


Note To boot a system image stored on the supervisor engine Flash PC card, at least one VLAN interface
must be configured and active.

By following this recommendation, there is really no need to store new system images on the bootflash.
If desired, you can update the system image on the bootflash from an image on the supervisor engine
Flash PC card by entering these commands:
delete bootflash:old_system_image
squeeze bootflash:
copy sup-slot0:new_system_image bootflash:

Default IP Address and Default Gateway Configuration


Table 3-2 shows the default IP address and default gateway configuration.

Table 3-2 Switch IP Address and Default Gateway Default Configuration

Feature                    Default Value
In-band (sc0) interface    • IP address, subnet mask, and broadcast address set to 0.0.0.0
                           • Assigned to VLAN 1
Default gateway address    Set to 0.0.0.0 with a metric of 0
SLIP (sl0) interface (1)   • IP address and SLIP destination address set to 0.0.0.0
                           • SLIP for the console port is not active (set to detach)
1. SLIP=Serial Line Internet Protocol

Assigning the In-Band (sc0) Interface IP Address


Before you can Telnet to the switch or use SNMP to manage the switch, you must assign an IP address
to the in-band (sc0) logical interface.
You can specify the subnet mask (netmask) using the number of subnet bits or using the subnet mask in
dotted decimal format.
To set the IP address and VLAN membership of the in-band (sc0) management interface, perform this
task in privileged mode:

Task                                                 Command
Step 1  Assign an IP address, subnet mask (or        set interface sc0 [ip_addr[/netmask] [broadcast]]
        number of subnet bits), and (optional)
        broadcast address to the in-band (sc0)
        interface.
Step 2  Assign the in-band interface to the proper   set interface sc0 [vlan]
        VLAN (make sure the VLAN is associated
        with the network to which the IP address
        belongs).
Step 3  If necessary, bring the interface up.        set interface sc0 up
Step 4  Verify the interface configuration.          show interface


This example shows how to assign an IP address, specify the number of subnet bits, and specify the
VLAN assignment for the in-band (sc0) interface:
Console> (enable) set interface sc0 172.20.52.124/29
Interface sc0 IP address and netmask set.
Console> (enable) set interface sc0 5
Interface sc0 vlan set.
Console> (enable)

This example shows how to specify the VLAN assignment, assign an IP address, specify the subnet mask
in dotted decimal format, and verify the configuration:
Console> (enable) set interface sc0 5 172.20.52.124/255.255.255.248
Interface sc0 vlan set, IP address and netmask set.
Console> (enable) show interface
sl0: flags=51<UP,POINTOPOINT,RUNNING>
slip 0.0.0.0 dest 0.0.0.0
sc0: flags=63<UP,BROADCAST,RUNNING>
vlan 5 inet 172.20.52.124 netmask 255.255.255.248 broadcast 172.20.52.17
Console> (enable)

Configuring Default Gateways


The supervisor engine sends IP packets destined for other IP subnets to the default gateway (typically,
a router interface in the same network or subnet as the switch IP address). The switch does not use the
IP routing table to forward traffic from connected devices; the switch forwards only IP traffic generated
by the switch itself (for example, Telnet, TFTP, and ping).

Note In some cases, you might want to configure static IP routes in addition to default gateways. For
information on configuring static routes, see the “Configuring Static Routes” section on page 20-7.

You can define up to three default IP gateways. Use the primary keyword to make a gateway the
primary gateway. If you do not specify a primary default gateway, the first gateway configured is the
primary gateway. If more than one gateway is designated as primary, the last primary gateway
configured is the primary default gateway.
The switch sends all off-network IP traffic to the primary default gateway. If connectivity to the primary
gateway is lost, the switch attempts to use the backup gateways in the order they were configured. The
switch sends periodic ping messages to determine whether each default gateway is up or down. If
connectivity to the primary gateway is restored, the switch resumes sending traffic to the primary
gateway.
To configure one or more default gateways, perform this task in privileged mode:

Task                                                 Command
Step 1  Configure a default IP gateway address for   set ip route default gateway [metric] [primary]
        the switch.
Step 2  (Optional) Configure additional default      set ip route default gateway [metric] [primary]
        gateways for the switch.
Step 3  Verify that the default gateways appear      show ip route
        correctly in the IP routing table.


To remove default gateway entries, perform one of these tasks in privileged mode:

Task                                            Command
Clear an individual default gateway entry.      clear ip route default gateway
Clear all default gateways and static routes.   clear ip route all

This example shows how to configure three default gateways on the switch and how to verify the default
gateway configuration:
Console> (enable) set ip route default 10.1.1.10
Route added.
Console> (enable) set ip route default 10.1.1.20
Route added.
Console> (enable) set ip route default 10.1.1.1 primary
Route added.
Console> (enable) show ip route
Fragmentation Redirect Unreachable
------------- -------- -----------
enabled enabled enabled

The primary gateway: 10.1.1.1


Destination Gateway RouteMask Flags Use Interface
--------------- --------------- ---------- ----- -------- ---------
default 10.1.1.1 0x0 UG 6 sc0
default 10.1.1.20 0x0 G 0 sc0
default 10.1.1.10 0x0 G 0 sc0
10.0.0.0 10.1.1.100 0xff000000 U 75 sc0
default default 0xff000000 UH 0 sl0
Console> (enable)
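The gateway rules in this section (at most three gateways, the last one marked primary wins, the first configured is primary when none is marked, backups are tried in configuration order, and the primary is resumed once reachable again) and the two netmask forms accepted under "Assigning the In-Band (sc0) Interface IP Address" are modelled in the Python below. It is an added example, not the switch software, and makes one assumption the guide states only as typical: a default gateway outside the sc0 subnet is rejected as a configuration error. Reachability is supplied by the caller in place of the switch's periodic pings.

```python
import ipaddress


def parse_sc0(spec):
    """Accept the two forms set interface sc0 takes, 'ip/bits' or 'ip/dotted-mask',
    and return an IPv4Interface (ipaddress parses both mask notations)."""
    address, slash, mask = spec.partition("/")
    if not slash or not mask:
        raise ValueError("expected ip_addr/netmask")
    return ipaddress.IPv4Interface(f"{address}/{mask}")


class DefaultGateways:
    """Primary/backup default gateway selection as this section describes it."""

    MAX_GATEWAYS = 3

    def __init__(self, sc0_spec):
        self.sc0 = parse_sc0(sc0_spec)
        self.entries = []      # (gateway, primary flag) in configuration order
        self.reachable = {}    # gateway -> result of the most recent ping

    def add(self, addr, primary=False):
        gateway = ipaddress.IPv4Address(addr)
        if len(self.entries) >= self.MAX_GATEWAYS:
            raise ValueError("the switch accepts up to three default gateways")
        if gateway not in self.sc0.network:
            # Assumption for this example: a gateway off the sc0 subnet is a misconfiguration.
            raise ValueError(f"{gateway} is not on the sc0 subnet {self.sc0.network}")
        self.entries.append((gateway, primary))
        self.reachable[gateway] = True

    def set_reachable(self, addr, up):
        """Record the outcome of the periodic ping to one gateway."""
        self.reachable[ipaddress.IPv4Address(addr)] = up

    def primary(self):
        if not self.entries:
            raise LookupError("no default gateway configured")
        marked = [gw for gw, is_primary in self.entries if is_primary]
        # The last gateway marked primary wins; with none marked, the first configured is primary.
        return marked[-1] if marked else self.entries[0][0]

    def active(self):
        """Gateway currently used for off-network traffic, or None if all are down."""
        primary = self.primary()
        if self.reachable[primary]:
            return primary
        for gateway, _ in self.entries:          # backups are tried in configuration order
            if gateway != primary and self.reachable[gateway]:
                return gateway
        return None

    def next_hop(self, destination):
        """None for destinations on the sc0 subnet (delivered directly), else the active gateway.
        This covers only traffic the switch itself originates, as the text explains."""
        dst = ipaddress.IPv4Address(destination)
        if dst in self.sc0.network:
            return None
        return self.active()
```

The sc0 address used in the tests, 10.1.1.100/8, is taken from the 10.0.0.0 route in the show ip route output above; the three gateways are the ones configured in the same example.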

Configuring the SLIP (sl0) Interface on the Console Port


Use the SLIP (sl0) interface for point-to-point SLIP connections between the switch and an IP host.

Caution You must use the console port for the SLIP connection. When the SLIP connection is enabled and
SLIP is attached on the console port, an EIA/TIA-232 terminal cannot connect through the console
port. If you are connected to the switch CLI through the console port and you enter the slip attach
command, you will lose the console port connection. Use Telnet to access the switch, enter privileged
mode, and enter the slip detach command to restore the console port connection.

To enable and attach SLIP on the console port, perform this task:

Task                                                   Command
Step 1  Access the switch from a remote host with      telnet {host_name | ip_addr}
        Telnet.
Step 2  Enter privileged mode on the switch.           enable
Step 3  Set the console port SLIP address and the      set interface sl0 slip_addr dest_addr
        destination address of the attached host.
Step 4  Verify the SLIP interface configuration.       show interface
Step 5  Enable SLIP for the console port.              slip attach


To disable SLIP on the console port, perform this task:

Task Command
Step 1 Access the switch from a remote host with Telnet. telnet {host_name | ip_addr}
Step 2 Enter privileged mode on the switch. enable
Step 3 Disable SLIP for the console port. slip detach

This example shows how to configure SLIP on the console port and verify the configuration:
sparc20% telnet 172.20.52.38
Trying 172.20.52.38 ...
Connected to 172.20.52.38.
Escape character is '^]'.

Cisco Systems, Inc. Console

Enter password:
Console> enable

Enter password:
Console> (enable) set interface sl0 10.1.1.1 10.1.1.2
Interface sl0 slip and destination address set.
Console> (enable) show interface
sl0: flags=51<UP,POINTOPOINT,RUNNING>
slip 10.1.1.1 dest 10.1.1.2
sc0: flags=63<UP,BROADCAST,RUNNING>
vlan 522 inet 172.20.52.38 netmask 255.255.255.240 broadcast 172.20.52.7
Console> (enable) slip attach
Console Port now running SLIP.
Console> (enable) slip detach
SLIP detached on Console port.
Console> (enable)

Using BOOTP, DHCP, or RARP to Obtain an IP Address


Note For complete information on how the switch uses BOOTP, DHCP, or RARP to obtain its IP
configuration, see the “Understanding Automatic IP Configuration” section on page 3-2.

To use BOOTP, DHCP, or RARP to obtain an IP address for the switch, perform this task:

Task                                                              Command
Step 1  Make sure that there is a DHCP, BOOTP, or RARP server     —
        on the network.
Step 2  Obtain the last address in the MAC address range for      show module
        module 1 (the supervisor engine). This address is
        displayed under the MAC-Address(es) heading. (With
        DHCP, this step is necessary only if using the manual
        allocation method.)
Step 3  Add an entry for each switch in the DHCP, BOOTP, or       —
        RARP server configuration, mapping the MAC address of
        the switch to the IP configuration information for the
        switch. (With DHCP, this step is necessary only if
        using the manual or automatic allocation methods.)
Step 4  Set the sc0 interface IP address to 0.0.0.0.              set interface sc0 0.0.0.0
Step 5  Reset the switch. The switch broadcasts DHCP and RARP     reset system
        requests only when the switch boots up.
Step 6  When the switch reboots, confirm that the sc0 interface   show interface
        IP address, subnet mask, and broadcast address are set
        correctly.
Step 7  For DHCP, confirm that other options (such as the         show ip route
        default gateway address) are set correctly.

This example shows the switch broadcasting a DHCP request, receiving a DHCP offer, and configuring
the IP address and other IP parameters according to the contents of the DHCP offer:
Console> (enable)
Sending RARP request with address 00:90:0c:5a:8f:ff
Sending DHCP packet with address: 00:90:0c:5a:8f:ff
dhcpoffer
Sending DHCP packet with address: 00:90:0c:5a:8f:ff
Timezone set to '', offset from UTC is 7 hours 58 minutes
Timezone set to '', offset from UTC is 7 hours 58 minutes
172.16.30.32 added to DNS server table as primary server.
172.16.31.32 added to DNS server table as backup server.
172.16.32.32 added to DNS server table as backup server.
NTP server 172.16.25.253 added
NTP server 172.16.25.252 added
%MGMT-5-DHCP_S:Assigned IP address 172.20.25.244 from DHCP Server 172.20.25.254

Console> (enable) show interface
sl0: flags=51<UP,POINTOPOINT,RUNNING>
slip 0.0.0.0 dest 0.0.0.0
sc0: flags=63<UP,BROADCAST,RUNNING>
vlan 1 inet 172.20.25.244 netmask 255.255.255.0 broadcast 172.20.25.255
dhcp server: 172.20.25.254
Console>
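As the boot messages above show, the switch takes its address, DNS servers, NTP servers, and (under show ip route) its default gateway from whichever server answers its broadcast. After the switch comes up, the practical check is whether those parameters came from the servers the organization actually operates. The following Python, an added example and not part of the Cisco guide, parses the boot messages shown above into a summary and compares each learned server against trusted lists; the trusted lists and the audit itself are this example's own construction.

```python
"""Summarize the IP parameters a Catalyst switch accepted from a DHCP offer.

Added example, not part of the Cisco guide. The boot log lines are the ones
shown in the guide's example; the trusted-server sets and the audit that
compares the lease against them are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

SAMPLE_BOOT_LOG = """\
Sending RARP request with address 00:90:0c:5a:8f:ff
Sending DHCP packet with address: 00:90:0c:5a:8f:ff
dhcpoffer
Sending DHCP packet with address: 00:90:0c:5a:8f:ff
Timezone set to '', offset from UTC is 7 hours 58 minutes
172.16.30.32 added to DNS server table as primary server.
172.16.31.32 added to DNS server table as backup server.
172.16.32.32 added to DNS server table as backup server.
NTP server 172.16.25.253 added
NTP server 172.16.25.252 added
%MGMT-5-DHCP_S:Assigned IP address 172.20.25.244 from DHCP Server 172.20.25.254
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
RE_MAC = re.compile(r"Sending DHCP packet with address: ([0-9a-fA-F:]{17})")
RE_DNS = re.compile(IPV4 + r" added to DNS server table as (primary|backup) server")
RE_NTP = re.compile(r"NTP server " + IPV4 + r" added")
RE_ASSIGNED = re.compile(r"%MGMT-5-DHCP_S:Assigned IP address " + IPV4 + r" from DHCP Server " + IPV4)


@dataclass
class DhcpBootSummary:
    mac: Optional[str] = None           # supervisor MAC the request was sent with
    assigned_ip: Optional[str] = None
    dhcp_server: Optional[str] = None
    dns_servers: List[Tuple[str, str]] = field(default_factory=list)  # (address, role)
    ntp_servers: List[str] = field(default_factory=list)


def parse_boot_log(text: str) -> DhcpBootSummary:
    """Pick the DHCP-derived parameters out of the switch's boot messages."""
    summary = DhcpBootSummary()
    for line in text.splitlines():
        m = RE_MAC.search(line)
        if m:
            summary.mac = m.group(1)
            continue
        m = RE_DNS.search(line)
        if m:
            summary.dns_servers.append((m.group(1), m.group(2)))
            continue
        m = RE_NTP.search(line)
        if m:
            summary.ntp_servers.append(m.group(1))
            continue
        m = RE_ASSIGNED.search(line)
        if m:
            summary.assigned_ip, summary.dhcp_server = m.group(1), m.group(2)
    return summary


def audit_dhcp_boot(summary: DhcpBootSummary, trusted_dhcp: Set[str],
                    trusted_dns: Set[str], trusted_ntp: Set[str]) -> List[str]:
    """One finding per parameter that did not come from a server you operate."""
    findings = []
    if summary.dhcp_server is None:
        findings.append("no DHCP assignment logged; the sc0 address may still be 0.0.0.0")
    elif summary.dhcp_server not in trusted_dhcp:
        findings.append(f"lease for {summary.assigned_ip} came from unexpected DHCP server {summary.dhcp_server}")
    findings += [f"unexpected {role} DNS server {ip}" for ip, role in summary.dns_servers if ip not in trusted_dns]
    findings += [f"unexpected NTP server {ip}" for ip in summary.ntp_servers if ip not in trusted_ntp]
    return findings


if __name__ == "__main__":
    s = parse_boot_log(SAMPLE_BOOT_LOG)
    print(s)
    print(audit_dhcp_boot(s, {"172.20.25.254"},
                          {"172.16.30.32", "172.16.31.32", "172.16.32.32"},
                          {"172.16.25.253", "172.16.25.252"}))
```

The same parser can be pointed at the output of a later set interface sc0 dhcp renew, since the switch prints the same message formats when it renews.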

Renewing and Releasing a DHCP-Assigned IP Address


If you are using DHCP for IP address assignment, you can perform either of these DHCP-related tasks:
• Renew the lease on a DHCP-assigned IP address
• Release the lease on a DHCP-assigned IP address
To renew or release a DHCP-assigned IP address on the in-band (sc0) management interface, perform
one of these tasks in privileged mode:

Task Command
Renew the lease on a DHCP-assigned IP address. set interface sc0 dhcp renew
Release the lease on a DHCP-assigned IP address. set interface sc0 dhcp release

This example shows how to renew the lease on a DHCP-assigned IP address:
Console> (enable) set interface sc0 dhcp renew
Renewing IP address...
Console> (enable) Sending DHCP packet with address: 00:90:0c:5a:8f:ff
<...output truncated...>

This example shows how to release the lease on a DHCP-assigned IP address:
Console> (enable) set interface sc0 dhcp release
Releasing IP address...
Console> (enable) Sending DHCP packet with address: 00:90:0c:5a:8f:ff
Done
Console> (enable)

Chapter 4
Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching

This chapter describes how to use the command-line interface (CLI) to configure Ethernet, Fast
Ethernet, and Gigabit Ethernet switching on the Catalyst 6000 family switches. The configuration tasks
in this chapter apply to Ethernet, Fast Ethernet, and Gigabit Ethernet switching modules, as well as to
the uplink ports on the supervisor engine.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How Ethernet Works, page 4-1
• Default Ethernet, Fast Ethernet, and Gigabit Ethernet Configuration, page 4-3
• Setting the Port Configuration, page 4-4

Understanding How Ethernet Works


Catalyst 6000 family switches support simultaneous, parallel connections between Ethernet segments.
Switched connections between Ethernet segments last only for the duration of the packet. New
connections can be made between different segments for the next packet.
Catalyst 6000 family switches solve congestion problems caused by high-bandwidth devices and a large
number of users by assigning each device (for example, a server) to its own 10-, 100-, or 1000-Mbps
segment. Because each Ethernet port on the switch represents a separate Ethernet segment, servers in a
properly configured switched environment achieve full access to the bandwidth.
Because collisions are a major bottleneck in Ethernet networks, an effective solution is full-duplex
communication, which is an option for any 10- or 100-Mbps port on a Catalyst 6000 family switch
(Gigabit Ethernet ports are always full duplex). Normally, Ethernet operates in half-duplex mode, which
means that stations can either receive or transmit. In full-duplex mode, two stations can transmit and
receive at the same time. When packets can flow in both directions simultaneously, effective Ethernet
bandwidth doubles to 20 Mbps for 10-Mbps ports and to 200 Mbps for Fast Ethernet ports. Gigabit
Ethernet ports on Catalyst 6000 family switches are full duplex only (2-Gbps effective bandwidth).

These sections describe Ethernet:


• Switching Frames Between Segments, page 4-2
• Building the Address Table, page 4-2
• Understanding How Port Negotiation Works, page 4-2

Switching Frames Between Segments


Each Ethernet port on a Catalyst 6000 family switch can connect to a single workstation or server, or to
a hub through which workstations or servers connect to the network.
Ports on a typical Ethernet hub all connect to a common backplane within the hub, and the bandwidth of
the network is shared by all devices attached to the hub. If two stations establish a session that uses a
significant level of bandwidth, the network performance of all other stations attached to the hub is
degraded.
To reduce degradation, the switch treats each port as an individual segment. When stations on different
ports need to communicate, the switch forwards frames from one port to the other at wire speed to ensure
that each session receives full bandwidth.
To switch frames between ports efficiently, the switch maintains an address table. When a frame enters
the switch, it associates the MAC address of the sending station with the port on which it was received.

Building the Address Table


Catalyst 6000 family switches build the address table by using the source address of the frames received.
When the switch receives a frame for a destination address not listed in its address table, it floods the
frame to all ports of the same VLAN except the port that received the frame. When the destination station
replies, the switch adds its relevant source address and port ID to the address table. The switch then
forwards subsequent frames to a single port without flooding to all ports.
The address table can store at least 32K address entries without flooding any entries. The switch uses an
aging mechanism, defined by a configurable aging timer, so if an address remains inactive for a specified
number of seconds, it is removed from the address table.
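The learning, flooding and aging behaviour described in the two sections above, as an added example that is not Cisco code: a small model of the address table. It makes visible two consequences the text implies. A frame for a destination the switch has not yet learned is delivered to every other port in the VLAN, so stations on those ports see traffic that is not addressed to them; and once the table is full, a station that cannot be learned keeps receiving flooded traffic until entries age out. The station MACs, the VLAN, the port names and the two-entry capacity used in the walkthrough are constructed for illustration; real tables hold at least 32K entries.

```python
"""Model of the switch address table: learn source MAC per port, forward known
destinations out one port, flood unknown destinations to every other port in
the VLAN, and age out idle entries.

Added example, not Cisco code. Capacity and aging timer are parameters; the
text gives "at least 32K" entries and a configurable timer, so the defaults
below are illustrative, and the station MACs are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Entry:
    port: str
    last_seen: float  # seconds; refreshed whenever the station is heard as a source


class AddressTable:
    def __init__(self, ports_by_vlan: Dict[int, Set[str]],
                 capacity: int = 32768, aging_seconds: float = 300.0):
        self.ports_by_vlan = ports_by_vlan
        self.capacity = capacity
        self.aging_seconds = aging_seconds
        self.entries: Dict[Tuple[int, str], Entry] = {}
        self.flood_count = 0  # frames that had to be flooded

    def age(self, now: float) -> int:
        """Remove entries idle for at least aging_seconds; return how many."""
        expired = [k for k, e in self.entries.items() if now - e.last_seen >= self.aging_seconds]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def learn(self, vlan: int, src_mac: str, in_port: str, now: float) -> bool:
        """Associate src_mac with in_port. Returns False when the table is full."""
        key = (vlan, src_mac)
        entry = self.entries.get(key)
        if entry is not None:
            entry.port = in_port  # a station that moved ports is relearned
            entry.last_seen = now
            return True
        if len(self.entries) >= self.capacity:
            return False  # not learned: frames to this station will keep flooding
        self.entries[key] = Entry(in_port, now)
        return True

    def forward(self, vlan: int, src_mac: str, dst_mac: str, in_port: str, now: float) -> Set[str]:
        """Return the egress ports for one frame, aging and learning as it goes."""
        self.age(now)
        self.learn(vlan, src_mac, in_port, now)
        entry = self.entries.get((vlan, dst_mac))
        if dst_mac == BROADCAST or entry is None:
            self.flood_count += 1
            return self.ports_by_vlan[vlan] - {in_port}
        if entry.port == in_port:
            return set()  # both stations on the same segment; nothing to switch
        return {entry.port}


# Constructed stations in the IANA documentation MAC range.
HOST_A, HOST_B, HOST_C = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"


def demo() -> AddressTable:
    """Walk through learn, flood, unicast, full-table flooding and aging on VLAN 10."""
    table = AddressTable({10: {"3/1", "3/2", "3/3", "3/4"}}, capacity=2, aging_seconds=300)
    table.forward(10, HOST_A, HOST_B, "3/1", now=0)    # B unknown: flooded
    table.forward(10, HOST_B, HOST_A, "3/2", now=1)    # reply: A already known, one port
    table.forward(10, HOST_A, HOST_B, "3/1", now=2)    # now unicast to 3/2
    table.forward(10, HOST_C, HOST_A, "3/3", now=3)    # table full: C is not learned
    table.forward(10, HOST_A, HOST_C, "3/1", now=4)    # so frames to C keep flooding
    table.forward(10, HOST_A, HOST_B, "3/1", now=400)  # B aged out: flooded again
    return table


if __name__ == "__main__":
    t = demo()
    print("frames flooded:", t.flood_count)
    print("entries:", {mac: e.port for (_, mac), e in t.entries.items()})
```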

Understanding How Port Negotiation Works

Note Port negotiation does not involve negotiating port speed. You cannot disable port negotiation with
the set port speed command.

Port negotiation exchanges flow-control parameters, remote fault information, and duplex information.
Configure port negotiation with the set port negotiation command. Port negotiation is enabled by
default.
The ports on both ends of a link must have the same setting. The link will not come up if the ports at
each end of the link are set inconsistently (port negotiation enabled on one port and disabled on the
other).

Table 4-1 shows the four possible port negotiation configurations and the resulting link status for each
configuration.

Table 4-1 Port Negotiation Configuration and Possible Link Status

Port Negotiation State              Link Status
Near End (1)    Far End (2)         Near End    Far End
Off             Off                 Up          Up
On              On                  Up          Up
Off             On                  Up          Down
On              Off                 Down        Up

1. Near End refers to the local port.
2. Far End refers to the port at the other end of the link.

Default Ethernet, Fast Ethernet, and Gigabit Ethernet Configuration

Table 4-2 shows the Ethernet, Fast Ethernet, and Gigabit Ethernet default configuration.

Table 4-2 Ethernet Default Configuration

Feature                          Default Value
Port enable state                All ports are enabled
Port name                        None
Duplex mode                      • Half duplex for 10-Mbps Ethernet ports
                                 • Autonegotiate speed and duplex for 10/100-Mbps Fast Ethernet ports
                                 • Autonegotiate duplex for 100-Mbps Fast Ethernet ports
                                 • Full duplex for 1000-Mbps Gigabit Ethernet ports
Flow control (Gigabit Ethernet)  Flow control set to off for receive (Rx) and desired for transmit (Tx)
Flow control (other Ethernet)    Flow control set to off for receive (Rx); transmit (Tx) not supported
Spanning Tree Protocol (STP)     Enabled for VLAN 1
Native VLAN                      VLAN 1
Port VLAN cost                   • Port VLAN cost of 100 for 10-Mbps Ethernet ports
                                 • Port VLAN cost of 19 for 10/100-Mbps Fast Ethernet ports
                                 • Port VLAN cost of 19 for 100-Mbps Fast Ethernet ports
                                 • Port VLAN cost of 4 for 1000-Mbps Gigabit Ethernet ports
EtherChannel                     Disabled on all Ethernet ports
Jumbo frames                     Disabled on all Ethernet ports

Setting the Port Configuration


These sections describe how to configure Ethernet, Fast Ethernet, and Gigabit Ethernet switching on the
Catalyst 6000 family switches:
• Setting the Port Name, page 4-4
• Setting the Port Speed, page 4-5
• Setting the Port Duplex Mode, page 4-5
• Configuring IEEE 802.3X Flow Control, page 4-6
• Enabling and Disabling Port Negotiation, page 4-7
• Changing the Default Port Enable State, page 4-7
• Setting the Port Debounce Timer, page 4-8
• Configuring a Timeout Period for Ports in errdisable State, page 4-9
• Configuring the Jumbo Frame Feature, page 4-11
• Checking Connectivity, page 4-13

Setting the Port Name


You can set port names on Ethernet, Fast Ethernet, and Gigabit Ethernet switching modules to facilitate
switch administration.
To set the port name, perform this task in privileged mode:

Task Command
Step 1 Set a port name. set port name mod/port [name_string]
Step 2 Verify the port name is configured. show port [mod[/port]]

This example shows how to set the name for ports 1/1 and 1/2 and how to verify that the port names are
configured correctly:
Console> (enable) set port name 1/1 Router Connection
Port 1/1 name set.
Console> (enable) set port name 1/2 Server Link
Port 1/2 name set.
Console> (enable) show port 1
Port Name Status Vlan Duplex Speed Type
----- ------------------ ---------- ---------- ------ ----- ------------
1/1 Router Connection connected trunk full 1000 1000BaseSX
1/2 Server Link connected trunk full 1000 1000BaseSX

<...output truncated...>

Last-Time-Cleared
--------------------------
Wed Jun 16 1999, 16:25:57
Console> (enable)

Setting the Port Speed


You can configure the port speed on 10/100-Mbps Ethernet switching modules. Use the auto keyword
to autonegotiate the port’s speed and duplex mode with the neighboring port.

Note If the port speed is set to auto on a 10/100-Mbps Ethernet port, both speed and duplex are
autonegotiated.

To set the port speed for a 10/100-Mbps port, perform this task in privileged mode:

Task                                                          Command
Step 1  Set the port speed of a 10/100-Mbps Fast Ethernet     set port speed mod/port {10 | 100 | auto}
        port.
Step 2  Verify that the speed of the port is configured       show port [mod[/port]]
        correctly.

This example shows how to set the port speed to 100 Mbps on port 2/2:
Console> (enable) set port speed 2/2 100
Port 2/2 speed set to 100 Mbps.
Console> (enable)

This example shows how to make port 2/1 autonegotiate speed and duplex with the neighboring port:
Console> (enable) set port speed 2/1 auto
Port 2/1 speed set to auto-sensing mode.
Console> (enable)

Setting the Port Duplex Mode


You can set the port duplex mode to full or half duplex for Ethernet and Fast Ethernet ports.

Note Gigabit Ethernet is full duplex only. You cannot change the duplex mode on Gigabit Ethernet ports.

Note If the port speed is set to auto on a 10/100-Mbps Ethernet port, both speed and duplex are
autonegotiated. You cannot change the duplex mode of autonegotiation ports.

To set the duplex mode of a port, perform this task in privileged mode:

Task                                                          Command
Step 1  Set the duplex mode of a port.                        set port duplex mod/port {full | half}
Step 2  Verify that the duplex mode of the port is            show port [mod[/port]]
        configured correctly.

This example shows how to set the duplex mode to half duplex on port 2/1:
Console> (enable) set port duplex 2/1 half
Port 2/1 set to half-duplex.
Console> (enable)

Configuring IEEE 802.3X Flow Control


Gigabit Ethernet ports on the Catalyst 6000 family switches use flow control to inhibit the transmission
of packets to the port for a period of time; other Ethernet ports use flow control to respond to
flow-control requests.
If a Gigabit Ethernet port receive buffer becomes full, the port transmits a “pause” packet that tells
remote ports to delay sending more packets for a specified period of time. All Ethernet ports
(1000 Mbps, 100 Mbps, and 10 Mbps) can receive and act upon “pause” packets from other devices.
Enter the set port flowcontrol command to configure flow control on ports. Table 4-3 lists the set port
flowcontrol command keywords and describes their functions.

Table 4-3 Ethernet Flow Control Keyword Functions

Keywords          Function
receive on        The port uses flow control dictated by the neighboring port.
receive desired   The port uses flow control if the neighboring port uses it and does not
                  use flow control if the neighboring port does not use it.
receive off       The port does not use flow control, regardless of whether flow control is
                  requested by the neighboring port.
send on (1)       The port sends flow-control frames to the neighboring port.
send desired (1)  The port sends flow-control frames to the port if the neighboring port
                  asks to use flow control.
send off (1)      The port does not send flow-control frames to the neighboring port.

1. Supported only on Gigabit Ethernet ports.

To configure flow control, perform this task in privileged mode:

Task                                            Command
Step 1  Set the flow-control parameters.        set port flowcontrol mod/port {receive | send} {off | on | desired}
Step 2  Verify the flow-control configuration.  show port flowcontrol

This example shows how to turn transmit and receive flow control on and how to verify the flow-control
configuration:
Console> (enable) set port flowcontrol 3/1 send on
Port 3/1 will send flowcontrol to far end.
Console> (enable) set port flowcontrol 3/1 receive on
Port 3/1 will require far end to send flow control

Console> (enable) show port flowcontrol
Port   Send-Flowcontrol   Receive-Flowcntl   RxPause   TxPause
       Admin    Oper      Admin    Oper
-----  -------  --------  -------  --------  -------   -------
3/1    on       disagree  on       disagree  0         0
3/2    off      off       off      off       0         0
3/3    desired  on        desired  off       10        10
Console> (enable)

Enabling and Disabling Port Negotiation


To enable port negotiation, perform this task in privileged mode:

Task Command
Step 1 Enable port negotiation. set port negotiation mod/port enable
Step 2 Verify the port negotiation configuration. show port negotiation [mod/port]

This example shows how to enable port negotiation and verify the configuration:
Console> (enable) set port negotiation 2/1 enable
Port 2/1 negotiation enabled
Console> (enable) show port negotiation 2/1
Port Link Negotiation
----- ----------------
2/1 enabled
Console> (enable)

To disable port negotiation, perform this task in privileged mode:

Task Command
Step 1 Disable port negotiation. set port negotiation mod/port disable
Step 2 Verify the port negotiation configuration. show port negotiation [mod/port]

This example shows how to disable port negotiation and verify the configuration:
Console> (enable) set port negotiation 2/1 disable
Port 2/1 negotiation disabled
Console> (enable) show port negotiation 2/1
Port Link Negotiation
----- ----------------
2/1 disabled
Console> (enable)

Changing the Default Port Enable State

Note Changing the default port enable state applies to all port types, not just Ethernet.

Note This feature is not supported on systems that do not have a chassis ID PROM.

When you enter the clear config all command, or if the configuration is lost, all ports collapse into
VLAN 1. This can create a security exposure and network instability. Entering the set default
portstatus disable command puts all ports into the disabled state and blocks traffic through the ports
after a configuration loss; you can then manually return the ports to the enabled state.
The default port status configuration is stored on the chassis, so it is tied to the chassis and not to the
supervisor engine. The clear config all command uses this setting to determine whether ports are
enabled or disabled when the configuration returns to its defaults, and it does not change the default
port status setting on the chassis. The output of the show config command shows the current default
port status configuration.
To change the port enable state, perform this task in privileged mode:

Task Command
Step 1 Change the port enable state. set default portstatus {enable | disable}
Step 2 Display the port enable state. show default

This example shows how to change the default port enable state from enabled to disabled:
Console> (enable) set default portstatus disable
Default port status set to disable.
Console> (enable)

This example shows how to display the port enable state:
Console> (enable) show default
portstatus: disable
Console> (enable)

Setting the Port Debounce Timer


You can set the port debounce timer on a per-port basis for Ethernet, Fast Ethernet, and Gigabit Ethernet
ports. When the port debounce timer is set, the switch delays notifying the main processor of a link
change, which can reduce the traffic loss caused by a brief network outage.

Caution Enabling the port debounce timer causes link up and link down detections to be delayed, resulting in
loss of data traffic during the debouncing period. This situation might affect the convergence and
reconvergence of various Layer 2 and Layer 3 protocols.

Table 4-4 lists the delay before the switch notifies the main processor of a link change, with the
debounce timer disabled and with it enabled.

Table 4-4 Port Debounce Timer Delay Time

Port Type                      Debounce Timer Disabled   Debounce Timer Enabled
10BASE-FL ports                300 milliseconds          3100 milliseconds
10/100BASE-TX ports            300 milliseconds          3100 milliseconds
100BASE-FX ports               300 milliseconds          3100 milliseconds
10/100/1000BASE-TX ports       300 milliseconds          3100 milliseconds
1000BASE-TX ports              300 milliseconds          3100 milliseconds
Fiber Gigabit Ethernet ports   10 milliseconds           100 milliseconds

To set the debounce timer on a port, perform this task in privileged mode:

Task                                                        Command
Step 1  Enable the debounce timer for a port.               set port debounce mod_num/port_num {enable | disable}
Step 2  Verify that the debounce timer of the port is       show port debounce [mod | mod_num/port_num]
        configured correctly.

This example shows how to enable the debounce timer on port 2/1:
Console> (enable) set port debounce 2/1 enable
Link debounce enabled on port 2/1
Console> (enable)

This example shows how to display the per-port debounce timer settings:
Console> (enable) show port debounce
Port Link debounce
----- ---------------
2/1 enable
2/2 disable
Console> (enable)

Configuring a Timeout Period for Ports in errdisable State


A port is in errdisable state if it is enabled in NVRAM, but is disabled at runtime by any process. For
example, if UniDirectional Link Detection (UDLD) detects a unidirectional link, the port shuts down at
runtime. However, because the NVRAM configuration for the port is enabled (you have not disabled the
port), the port status is shown as errdisable.
Once a port is in the errdisable state, you have to reenable it manually. The errdisable timeout feature
allows you to configure a timeout period for ports in errdisable state; the ports are reenabled
automatically when the timeout expires, eliminating the need to reenable each errdisabled port manually.

A port enters errdisable state for the following reasons (these reasons appear as configuration options
with the set errdisable-timeout enable command):
• Channel misconfiguration
• Duplex mismatch
• BPDU port-guard
• UDLD
• Other (reasons other than the above)
• All (apply errdisable timeout to all reasons)
You can enable or disable errdisable timeout for each of the above listed reasons. The ports in errdisable
state for reasons other than the first four reasons are considered “other.” If you specify “other,” all ports
errdisabled by causes other than the first four reasons are enabled for errdisable timeout. If you specify
“all,” all ports errdisabled for any reason are enabled for errdisable timeout.
The errdisable timeout feature is disabled by default. The default interval for reenabling a port is
300 seconds. The allowable interval range is 30 to 86400 seconds (30 seconds to 24 hours).
This example shows how to enable errdisable timeout for BPDU guard causes:
Console> (enable) set errdisable-timeout enable bpdu-guard
Successfully enabled errdisable-timeout for bpdu-guard.
Console> (enable)

This example shows how to enable errdisable timeout for all causes:
Console> (enable) set errdisable-timeout enable all
Successfully enabled errdisable-timeout for all.
Console> (enable)

This example shows how to set the errdisable timeout interval to 450 seconds:
Console> (enable) set errdisable-timeout interval 450
Successfully set errdisable timeout to 450 seconds.
Console> (enable)

This example shows how to display the errdisable timeout configuration:
Console> (enable) show errdisable-timeout
ErrDisable Reason    Timeout Status
-------------------  --------------
bpdu-guard           Enable
channel-misconfig    Disable
duplex-mismatch      Enable
udld                 Enable
other                Disable

Interval: 300 seconds

Ports that will be enabled at the next timeout:
Port   ErrDisable Reason
-----  -----------------
3/1    udld
3/8    bpdu-guard
6/5    udld
7/24   duplex-mismatch
Console> (enable)
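The following Python, an added example and not Cisco code, models the errdisable timeout behaviour described in this section: the per-reason enables (with all and other behaving as the command does), the 30 to 86400 second interval check, and the list of ports the next timer expiry would bring back, reproduced from the show errdisable-timeout output above with two constructed ports added (5/2 for channel-misconfig and 4/3 with a placeholder cause that falls under other). Running the model against the current errdisabled ports before enabling the timeout shows exactly which ports a chosen set of reasons would reenable. Note that a port shut down by BPDU guard and reenabled automatically comes back up before anyone has looked at why it was shut down, which is worth weighing when choosing the reasons.

```python
"""Model of the errdisable timeout feature: which errdisabled ports a given set
of per-reason enables will bring back at the next timeout.

Added example, not Cisco code. Reason names, the 300-second default and the
30-86400 range are from the text; the port list mirrors the guide's show
output plus two constructed ports, and "some-other-cause" is a placeholder
for any cause outside the four named reasons.
"""
from typing import Dict, List, Tuple

NAMED_REASONS = ("channel-misconfig", "duplex-mismatch", "bpdu-guard", "udld")
REASONS = NAMED_REASONS + ("other",)


def port_key(port: str) -> Tuple[int, int]:
    """Sort mod/port numerically so 10/1 sorts after 3/1."""
    mod, num = port.split("/")
    return int(mod), int(num)


class ErrdisableTimeout:
    DEFAULT_INTERVAL = 300
    MIN_INTERVAL, MAX_INTERVAL = 30, 86400

    def __init__(self):
        self.enabled: Dict[str, bool] = {r: False for r in REASONS}  # feature off by default
        self.interval = self.DEFAULT_INTERVAL
        self.errdisabled: Dict[str, str] = {}  # port -> cause that shut it down

    def set_timeout(self, reason: str, enable: bool = True) -> None:
        """set errdisable-timeout {enable | disable} <reason>; 'all' covers every reason."""
        if reason == "all":
            for r in REASONS:
                self.enabled[r] = enable
        elif reason in REASONS:
            self.enabled[reason] = enable
        else:
            raise ValueError(f"unknown errdisable reason {reason!r}")

    def set_interval(self, seconds: int) -> None:
        """set errdisable-timeout interval <seconds>, range-checked as the switch does."""
        if not self.MIN_INTERVAL <= seconds <= self.MAX_INTERVAL:
            raise ValueError("interval must be 30 to 86400 seconds")
        self.interval = seconds

    @staticmethod
    def reason_bucket(cause: str) -> str:
        """Anything other than the four named reasons is accounted as 'other'."""
        return cause if cause in NAMED_REASONS else "other"

    def errdisable(self, port: str, cause: str) -> None:
        self.errdisabled[port] = cause

    def ports_enabled_at_next_timeout(self) -> List[Tuple[str, str]]:
        """Mirror of the 'Ports that will be enabled at the next timeout' listing."""
        due = [(p, c) for p, c in self.errdisabled.items() if self.enabled[self.reason_bucket(c)]]
        return sorted(due, key=lambda pc: port_key(pc[0]))

    def run_timeout(self) -> List[str]:
        """Reenable the due ports (one timer expiry); return the ports brought up."""
        ports = [p for p, _ in self.ports_enabled_at_next_timeout()]
        for p in ports:
            del self.errdisabled[p]
        return ports


def guide_scenario() -> ErrdisableTimeout:
    """The configuration behind the guide's show errdisable-timeout output."""
    e = ErrdisableTimeout()
    for reason in ("bpdu-guard", "duplex-mismatch", "udld"):
        e.set_timeout(reason)
    ports = (("3/1", "udld"), ("3/8", "bpdu-guard"), ("6/5", "udld"), ("7/24", "duplex-mismatch"),
             ("5/2", "channel-misconfig"), ("4/3", "some-other-cause"))  # last two constructed
    for port, cause in ports:
        e.errdisable(port, cause)
    return e


if __name__ == "__main__":
    e = guide_scenario()
    print("interval:", e.interval)
    for port, cause in e.ports_enabled_at_next_timeout():
        print(f"{port:<6} {cause}")
```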

Configuring the Jumbo Frame Feature


These sections describe the jumbo frame feature:
• Configuring the Jumbo Frame Feature on the Supervisor Engine, page 4-11
• Configuring the Jumbo Frame Feature on MSFC2, page 4-12

Configuring the Jumbo Frame Feature on the Supervisor Engine


When you enable the jumbo frame feature on a port, the port can switch large (or jumbo) frames. This
feature is useful in optimizing server-to-server performance. The default maximum transmission unit
(MTU) frame size is 1548 bytes for all Ethernet ports. Enabling the jumbo frame feature on a port
increases the MTU size to 9216 bytes.
To enable the jumbo frame feature on a per-port basis, follow these guidelines:
• The jumbo frames feature is supported on the following:
– Ethernet ports

Note The following modules only support a maximum of 8092 bytes: WS-X6148-RJ-45V,
WS-X6148-RJ21V, WS-X6248-RJ-45, WS-X6248A-RJ-45, WS-X6248-TEL, WS-X6248A-TEL,
WS-X6348-RJ-45, WS-X6348-RJ45V, WS-X6348-RJ-21, and WS-X6348-RJ21V. The WS-X6548-RJ-21
and WS-X6548-RJ-45 modules use different hardware at the PHY level and support the full jumbo
frame default value of 9216 bytes.

Note The WS-X6516-GE-TX (10/100/1000) module only supports a maximum of 8092 bytes at the
100 Mbps speed. At 10 Mbps and 1000 Mbps the module supports the jumbo frame default of
9216 bytes.

– Trunk ports
– EtherChannels
• Jumbo frames are supported on all Optical Services Modules (OSMs).
• Jumbo frames are not supported on ATM modules (WS-X6101-OC12-SMF/MMF).
• The Multilayer Switching Feature Card 2 (MSFC2) supports routing of jumbo frames.
• The Gigabit Switch Router (GSR) supports routing of jumbo frames.
• The Multilayer Switching Feature Card (MSFC) and Multilayer Switch Module (MSM) do not
support jumbo frame routing; if jumbo frames are sent to these routers, router performance is
significantly degraded.

Note Occasionally, you might see a “Jumbo frames inconsistent state” message for a port or multiple ports
after entering the show port jumbo command. If this occurs, enter the set port jumbo command to
reenable the ports.

To enable the jumbo frames feature on an Ethernet port, perform this task in privileged mode:

Task Command
Step 1 Enable jumbo frames. set port jumbo mod/port enable
Step 2 Verify the port configuration. show port jumbo

This example shows how to enable the jumbo frames feature on a port and verify the configuration:
Console> (enable) set port jumbo 2/1 enable
Jumbo frames enabled on port 2/1
Console> (enable) show port jumbo
Jumbo frames MTU size is 9216 bytes
Jumbo frames enabled on port(s) 2/1

To disable the jumbo frames feature on an Ethernet port, perform this task in privileged mode:

Task Command
Step 1 Disable jumbo frames. set port jumbo mod/port disable
Step 2 Verify the port configuration. show port jumbo

This example shows how to disable the jumbo frames feature on a port:
Console> (enable) set port jumbo 2/1 disable
Jumbo frames disabled on port 2/1
Console> (enable)

Configuring the Jumbo Frame Feature on MSFC2


With an MSFC2, you can configure the MTU size on VLAN interfaces to support routing of jumbo
frames.
The jumbo frame feature supports only a single larger-than-default MTU size on the switch. Configuring
a VLAN interface with an MTU size greater than the default automatically configures all other VLAN
interfaces that have an MTU size greater than the default to the newly configured size. VLAN interfaces
that have not been changed from the default are not affected.
To configure the MTU value, perform this task:

Task                                                       Command
Step 1  Access VLAN interface configuration mode.          Router(config)# interface vlan vlan_ID
Step 2  Set the MTU size. Valid values are from 64 to      Router(config-if)# mtu mtu_size
        17952 bytes. (1)
Step 3  Verify the configuration.                          Router# show interface vlan 111

1. Set the MTU size no larger than 9216, which is the size supported by the supervisor engine.

This example shows how to set the MTU size on a VLAN interface and verify the configuration:
Router(config)# interface vlan 111
Router(config-if)# mtu 9216
Router(config-if)# end
Router# show interface vlan 111
<...Output Truncated...>
MTU 9216 bytes, BW 1000000 Kbit, DLY 10 usec,
<...Output Truncated...>
Router#
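The following Python, an added example and not Cisco code, turns the jumbo frame limits in this section into checks: the largest frame a port will switch given its module type, speed and jumbo setting (the 8092-byte modules and the WS-X6516-GE-TX at 100 Mbps from the notes above), the smallest such value across a VLAN's ports, which is the size a server-to-server jumbo flow can actually rely on end to end, and the MSFC2 rule that every VLAN interface already above the default MTU follows a newly configured larger size. The 1500-byte router default MTU is this example's assumption (the usual IOS Ethernet interface default); the text only says "default".

```python
"""Jumbo frame limits: per-module maximums on the supervisor side, the MSFC2
rule that all larger-than-default VLAN MTUs move together, and the smallest
MTU along a VLAN's ports.

Added example, not Cisco code. Module names, 1548/8092/9216 and the 64-17952
range are from the text. ROUTER_DEFAULT_MTU = 1500 is this example's
assumption (the usual IOS Ethernet interface MTU).
"""
from typing import Dict, Iterable, Tuple

DEFAULT_MTU = 1548          # all Ethernet ports with jumbo frames disabled
JUMBO_MTU = 9216            # jumbo frames enabled on a full-size module
REDUCED_JUMBO_MTU = 8092    # the modules the notes above call out
ROUTER_DEFAULT_MTU = 1500   # assumption: MSFC2 VLAN interface default
MSFC2_MTU_RANGE = (64, 17952)

# Modules the text lists as limited to 8092 bytes at every speed.
MODULES_8092 = frozenset({
    "WS-X6148-RJ-45V", "WS-X6148-RJ21V", "WS-X6248-RJ-45", "WS-X6248A-RJ-45",
    "WS-X6248-TEL", "WS-X6248A-TEL", "WS-X6348-RJ-45", "WS-X6348-RJ45V",
    "WS-X6348-RJ-21", "WS-X6348-RJ21V",
})
# Limited to 8092 bytes only when the port runs at 100 Mbps.
MODULES_8092_AT_100 = frozenset({"WS-X6516-GE-TX"})


def port_max_frame(module: str, speed_mbps: int, jumbo_enabled: bool) -> int:
    """Largest frame a port will switch, given its module, speed and jumbo setting."""
    if not jumbo_enabled:
        return DEFAULT_MTU
    if module in MODULES_8092:
        return REDUCED_JUMBO_MTU
    if module in MODULES_8092_AT_100 and speed_mbps == 100:
        return REDUCED_JUMBO_MTU
    return JUMBO_MTU


def vlan_effective_mtu(ports: Iterable[Tuple[str, int, bool]]) -> int:
    """The MTU a flow can rely on across all (module, speed, jumbo) ports of a VLAN.

    One port left at a lower value silently drops the larger frames, so the
    usable size is the minimum, not the value configured on the server ports.
    """
    return min(port_max_frame(m, s, j) for m, s, j in ports)


def set_vlan_mtu(mtus: Dict[int, int], vlan: int, size: int) -> Dict[int, int]:
    """Apply the MSFC2 `mtu` command to one VLAN interface; return the new table.

    Raises ValueError outside 64-17952 or above the 9216 the supervisor carries.
    Every other interface already above the default follows the new size;
    interfaces still at the default are left alone.
    """
    low, high = MSFC2_MTU_RANGE
    if not low <= size <= high:
        raise ValueError(f"mtu {size} outside {low}-{high}")
    if size > JUMBO_MTU:
        raise ValueError(f"mtu {size} exceeds the {JUMBO_MTU} bytes the supervisor engine supports")
    new = dict(mtus)
    new[vlan] = size
    if size > ROUTER_DEFAULT_MTU:
        for v, m in mtus.items():
            if v != vlan and m > ROUTER_DEFAULT_MTU:
                new[v] = size
    return new


if __name__ == "__main__":
    # Constructed VLAN: two server ports on a WS-X6548 and one on an older WS-X6348.
    vlan_ports = [("WS-X6548-RJ-45", 1000, True), ("WS-X6548-RJ-45", 1000, True),
                  ("WS-X6348-RJ-45", 100, True)]
    print("usable jumbo MTU on this VLAN:", vlan_effective_mtu(vlan_ports))
    print("MSFC2 after 'mtu 8092' on vlan 111:", set_vlan_mtu({111: 1500, 112: 1500, 113: 9216}, 111, 8092))
```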

Checking Connectivity
Use the ping and traceroute commands to test connectivity.
To check connectivity out a port, perform this task in privileged mode:

Task                                                             Command
Step 1  Ping a remote host that is located out the port you      ping [-s] host [packet_size] [packet_count]
        want to test.
Step 2  Trace the hop-by-hop route of packets from the switch    traceroute host
        to a remote host located out the port you want to test.
Step 3  If the host is unresponsive, check the IP address and    show interface
        default gateway configured on the switch.                show ip route

This example shows how to ping a remote host and how to trace the hop-by-hop path of packets through
the network using traceroute:
Console> (enable) ping somehost
somehost is alive
Console> (enable) traceroute somehost
traceroute to somehost.company.com (10.1.2.3), 30 hops max, 40 byte packets
1 engineering-1.company.com (173.31.192.206) 2 ms 1 ms 1 ms
2 engineering-2.company.com (173.31.196.204) 2 ms 3 ms 2 ms
3 gateway_a.company.com (173.16.1.201) 6 ms 3 ms 3 ms
4 somehost.company.com (10.1.2.3) 3 ms * 2 ms
Console> (enable)

Chapter 5
Configuring Ethernet VLAN Trunks

This chapter describes how to configure Ethernet VLAN trunks on the Catalyst 6000 family switches.

Note For complete information on configuring VLANs, see Chapter 11, “Configuring VLANs.”

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How VLAN Trunks Work, page 5-1
• Default Trunk Configuration, page 5-5
• Configuring a Trunk Link, page 5-5
• Example VLAN Trunk Configurations, page 5-9
• Disabling VLAN 1 on Trunks, page 5-23

Understanding How VLAN Trunks Work


These sections describe how VLAN trunks work on the Catalyst 6000 family switches:
• Trunking Overview, page 5-1
• Trunking Modes and Encapsulation Types, page 5-2
• 802.1Q Trunk Restrictions, page 5-4

Trunking Overview
A trunk is a point-to-point link between one or more Ethernet switch ports and another networking
device such as a router or a switch. Trunks carry the traffic of multiple VLANs over a single link and
allow you to extend VLANs across an entire network.
Two trunking encapsulations are available on all Ethernet ports:
• Inter-Switch Link (ISL)—ISL is a Cisco-proprietary trunking encapsulation
• IEEE 802.1Q—802.1Q is an industry-standard trunking encapsulation


You can configure a trunk on a single Ethernet port or on an EtherChannel bundle. For more information
about EtherChannel, see Chapter 6, “Configuring EtherChannel.”
Ethernet trunk ports support five different trunking modes (see Table 5-1). In addition, you can specify
whether the trunk will use ISL encapsulation, 802.1Q encapsulation, or whether the encapsulation type
will be autonegotiated.
For trunking to be autonegotiated, the ports must be in the same VLAN Trunking Protocol (VTP)
domain. However, you can use the on or nonegotiate mode to force a port to become a trunk, even if it
is in a different domain. For more information on VTP domains, see Chapter 10, “Configuring VTP.”
Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP). DTP supports autonegotiation
of both ISL and 802.1Q trunks.

Trunking Modes and Encapsulation Types


Table 5-1 lists the trunking modes used with the set trunk command and describes how they function
on Fast Ethernet and Gigabit Ethernet ports.

Table 5-1 Ethernet Trunking Modes

Mode         Function
on           Puts the port into permanent trunking mode and negotiates to convert the link into a trunk link. The port becomes a trunk port even if the neighboring port does not agree to the change.
off          Puts the port into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The port becomes a nontrunk port even if the neighboring port does not agree to the change.
desirable    Makes the port actively attempt to convert the link to a trunk link. The port becomes a trunk port if the neighboring port is set to on, desirable, or auto mode.
auto         Makes the port willing to convert the link to a trunk link. The port becomes a trunk port if the neighboring port is set to on or desirable mode. This is the default mode for all Ethernet ports.
nonegotiate  Puts the port into permanent trunking mode but prevents the port from generating DTP frames. You must configure the neighboring port manually as a trunk port to establish a trunk link.

Table 5-2 lists the encapsulation types used with the set trunk command and describes how they
function on Ethernet ports. You can use the show port capabilities command to determine which
encapsulation types a particular port supports.

Table 5-2 Ethernet Trunk Encapsulation Types

Encapsulation  Function
isl            Specifies ISL encapsulation on the trunk link.
dot1q          Specifies 802.1Q encapsulation on the trunk link.
negotiate      Specifies that the port negotiate with the neighboring port to become an ISL (preferred) or 802.1Q trunk, depending on the configuration and capabilities of the neighboring port.

The trunking mode, the trunk encapsulation type, and the hardware capabilities of the two connected
ports determine whether a trunk link comes up and the type of trunk the link becomes. Table 5-3 shows
the result of the possible trunking configurations.


Table 5-3 Results of Possible Fast Ethernet and Gigabit Ethernet Trunk Configurations

Rows give the neighbor port's trunk mode and trunk encapsulation; columns give the local port's trunk mode and trunk encapsulation. Each cell reads "local result/neighbor result", where Non = Nontrunk, ISL = ISL trunk, and 1Q = 802.1Q trunk. Cells marked (1) are covered by footnote 1.

Neighbor port         Local port trunk mode and trunk encapsulation
mode/encapsulation    off       on/isl     desirable/isl  auto/isl   on/dot1q   desirable/dot1q  auto/dot1q  desirable/negotiate  auto/negotiate
--------------------  --------  ---------  -------------  ---------  ---------  ---------------  ----------  -------------------  --------------
off (isl or dot1q)    Non/Non   ISL/Non    Non/Non        Non/Non    1Q/Non     Non/Non          Non/Non     Non/Non              Non/Non
on/isl                Non/ISL   ISL/ISL    ISL/ISL        ISL/ISL    1Q/ISL(1)  Non/ISL          Non/ISL     ISL/ISL              ISL/ISL
desirable/isl         Non/Non   ISL/ISL    ISL/ISL        ISL/ISL    1Q/Non     Non/Non          Non/Non     ISL/ISL              ISL/ISL
auto/isl              Non/Non   ISL/ISL    ISL/ISL        Non/Non    1Q/Non     Non/Non          Non/Non     ISL/ISL              Non/Non
on/dot1q              Non/1Q    ISL/1Q(1)  Non/1Q         Non/1Q     1Q/1Q      1Q/1Q            1Q/1Q       1Q/1Q                1Q/1Q
desirable/dot1q       Non/Non   ISL/Non    Non/Non        Non/Non    1Q/1Q      1Q/1Q            1Q/1Q       1Q/1Q                1Q/1Q
auto/dot1q            Non/Non   ISL/Non    Non/Non        Non/Non    1Q/1Q      1Q/1Q            Non/Non     1Q/1Q                Non/Non
desirable/negotiate   Non/Non   ISL/ISL    ISL/ISL        ISL/ISL    1Q/1Q      1Q/1Q            1Q/1Q       ISL/ISL              ISL/ISL
auto/negotiate        Non/Non   ISL/ISL    ISL/ISL        Non/Non    1Q/1Q      1Q/1Q            Non/Non     ISL/ISL              Non/Non

1. Using this configuration can result in spanning tree loops and is not recommended.
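To make the interaction of Table 5-1 and Table 5-2 explicit, the following Python model (an added example, not code from the Cisco guide) derives each end's outcome from the mode and encapsulation rules and checks the result against every cell of Table 5-3; the nonegotiate mode is left out because the table does not cover it.

```python
"""Model of the trunk-negotiation outcomes in Table 5-3.

Added example, not code from the Cisco guide. The rules are derived from the
mode descriptions in Table 5-1 and the encapsulation descriptions in
Table 5-2; check_table() verifies them against every cell of Table 5-3.
The nonegotiate mode is not modelled because Table 5-3 does not cover it.
"""

NONTRUNK, ISL, DOT1Q = "Nontrunk", "ISL trunk", "1Q trunk"
ABBR = {"Non": NONTRUNK, "ISL": ISL, "1Q": DOT1Q}

# Neighbor modes that let a desirable or auto port come up as a trunk (Table 5-1).
TRUNKS_WITH = {"desirable": {"on", "desirable", "auto"}, "auto": {"on", "desirable"}}


def resolve_encap(own, peer):
    """Encapsulation one side would use (Table 5-2), or None if incompatible.

    A fixed type (isl/dot1q) is kept; 'negotiate' prefers ISL unless the
    peer is fixed to dot1q. Two different fixed types cannot negotiate.
    """
    if own == "negotiate":
        return DOT1Q if peer == "dot1q" else ISL
    if peer not in ("negotiate", own):
        return None
    return ISL if own == "isl" else DOT1Q


def side_result(mode, encap, peer_mode, peer_encap):
    """Outcome for one end of the link given both ends' settings."""
    if mode not in ("off", "on", "desirable", "auto"):
        raise ValueError(f"mode {mode!r} is not covered by Table 5-3")
    if mode == "off":
        return NONTRUNK
    if mode == "on":
        # Trunks even if the neighbor disagrees; a fixed type is used as is,
        # which is how the loop-prone cells of footnote 1 arise.
        if encap == "negotiate":
            return DOT1Q if peer_encap == "dot1q" else ISL
        return ISL if encap == "isl" else DOT1Q
    if peer_mode not in TRUNKS_WITH[mode]:
        return NONTRUNK
    return resolve_encap(encap, peer_encap) or NONTRUNK


def negotiate(local, neighbor):
    """local and neighbor are (mode, encapsulation) pairs.

    Returns (local result, neighbor result, loop_risk); loop_risk is True
    when both ends trunk with different encapsulations (Table 5-3, note 1).
    """
    lres = side_result(*local, *neighbor)
    nres = side_result(*neighbor, *local)
    loop_risk = NONTRUNK not in (lres, nres) and lres != nres
    return lres, nres, loop_risk


# Table 5-3 transcribed: columns are the local port, rows the neighbor port,
# each cell 'local/neighbor'. The 'off' column covers isl and dot1q alike.
COLUMNS = [("off", "isl"), ("on", "isl"), ("desirable", "isl"), ("auto", "isl"),
           ("on", "dot1q"), ("desirable", "dot1q"), ("auto", "dot1q"),
           ("desirable", "negotiate"), ("auto", "negotiate")]
TABLE_5_3 = {
    ("off", "isl"):             "Non/Non ISL/Non Non/Non Non/Non 1Q/Non  Non/Non Non/Non Non/Non Non/Non",
    ("on", "isl"):              "Non/ISL ISL/ISL ISL/ISL ISL/ISL 1Q/ISL  Non/ISL Non/ISL ISL/ISL ISL/ISL",
    ("desirable", "isl"):       "Non/Non ISL/ISL ISL/ISL ISL/ISL 1Q/Non  Non/Non Non/Non ISL/ISL ISL/ISL",
    ("auto", "isl"):            "Non/Non ISL/ISL ISL/ISL Non/Non 1Q/Non  Non/Non Non/Non ISL/ISL Non/Non",
    ("on", "dot1q"):            "Non/1Q  ISL/1Q  Non/1Q  Non/1Q  1Q/1Q   1Q/1Q   1Q/1Q   1Q/1Q   1Q/1Q",
    ("desirable", "dot1q"):     "Non/Non ISL/Non Non/Non Non/Non 1Q/1Q   1Q/1Q   1Q/1Q   1Q/1Q   1Q/1Q",
    ("auto", "dot1q"):          "Non/Non ISL/Non Non/Non Non/Non 1Q/1Q   1Q/1Q   Non/Non 1Q/1Q   Non/Non",
    ("desirable", "negotiate"): "Non/Non ISL/ISL ISL/ISL ISL/ISL 1Q/1Q   1Q/1Q   1Q/1Q   ISL/ISL ISL/ISL",
    ("auto", "negotiate"):      "Non/Non ISL/ISL ISL/ISL Non/Non 1Q/1Q   1Q/1Q   Non/Non ISL/ISL Non/Non",
}


def check_table():
    """Return the cells where the model disagrees with Table 5-3 (expected: none)."""
    bad = []
    for neighbor, cells in TABLE_5_3.items():
        for local, cell in zip(COLUMNS, cells.split()):
            want = tuple(ABBR[x] for x in cell.split("/"))
            got = negotiate(local, neighbor)[:2]
            if got != want:
                bad.append((local, neighbor, want, got))
    return bad


def loop_risk_pairs():
    """All (local, neighbor) settings in Table 5-3 that trunk with mismatched types."""
    return [(loc, nb) for nb in TABLE_5_3 for loc in COLUMNS if negotiate(loc, nb)[2]]
```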


Note DTP is a point-to-point protocol. However, some internetworking devices might forward DTP frames
improperly. To avoid this problem, ensure that trunking is turned off on ports connected to
non-switch devices if you do not intend to trunk across those links. When manually enabling trunking
on a link to a Cisco router, use the nonegotiate keyword to cause the port to become a trunk but not
generate DTP frames.

802.1Q Trunk Restrictions


Using 802.1Q trunks imposes some limitations on the trunking strategy for a network. Note these
restrictions when using 802.1Q trunks:
• When connecting Cisco switches through an 802.1Q trunk, make sure the native VLAN for an
802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk
is different from the native VLAN on the other end, spanning tree loops might result.
• Disabling spanning tree on the native VLAN of an 802.1Q trunk without disabling spanning tree on
every VLAN in the network can cause spanning tree loops. We recommend that you leave spanning
tree enabled on the native VLAN of an 802.1Q trunk. If this is not possible, disable spanning tree
on every VLAN in the network. Make sure your network is free of physical loops before disabling
spanning tree.
• When you connect two Cisco switches through 802.1Q trunks, the switches exchange spanning tree
BPDUs on each VLAN allowed on the trunks. The BPDUs on the native VLAN of the trunk are sent
untagged to the reserved IEEE 802.1D spanning tree multicast MAC address (01-80-C2-00-00-00).
The BPDUs on all other VLANs on the trunk are sent tagged to the reserved Cisco Shared Spanning
Tree (SSTP) multicast MAC address (01-00-0c-cc-cc-cd).
• Non-Cisco 802.1Q switches maintain only a single instance of spanning tree (the Mono Spanning
Tree, or MST) that defines the spanning-tree topology for all VLANs. When you connect a Cisco
switch to a non-Cisco switch through an 802.1Q trunk, the MST of the non-Cisco switch and the
native VLAN spanning-tree of the Cisco switch combine to form a single spanning-tree topology
known as the Common Spanning Tree (CST).
When you connect a Cisco switch to a non-Cisco switch, the CST is always on VLAN 1. The Cisco
switch sends an untagged IEEE BPDU (01-80-C2-00-00-00) on VLAN 1 for the CST, and on the
native VLAN the Cisco switch sends an untagged Cisco BPDU (01-00-0C-CC-CC-CC), which the
non-Cisco switch forwards but does not act on (the IEEE BPDU is not forwarded on the native
VLAN).
• Because Cisco switches transmit BPDUs to the SSTP multicast MAC address on VLANs other than
the native VLAN of the trunk, non-Cisco switches do not recognize these frames as BPDUs and
flood them on all ports in the corresponding VLAN. Other Cisco switches connected to the
non-Cisco 802.1Q cloud receive these flooded BPDUs. This allows Cisco switches to maintain a
per-VLAN spanning tree topology across a cloud of non-Cisco 802.1Q switches. The non-Cisco
802.1Q cloud separating the Cisco switches is treated as a single broadcast segment between all
switches connected to the non-Cisco 802.1Q cloud through 802.1Q trunks.
• Make certain that the native VLAN is the same on ALL of the 802.1Q trunks connecting the Cisco
switches to the non-Cisco 802.1Q cloud.
• If you are connecting multiple Cisco switches to a non-Cisco 802.1Q cloud, all of the connections
MUST be through 802.1Q trunks. You CANNOT connect Cisco switches to a non-Cisco 802.1Q
cloud through ISL trunks or through access ports. Doing so will cause the switch to place the ISL
trunk port or access port into the spanning tree “port inconsistent” state and no traffic will pass
through the port.
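The following Python script (an added example, not code from the Cisco guide) checks the native VLAN and encapsulation restrictions above from the show trunk output of both switches on a link; the show trunk text and the link map are constructed for the example, and the n- prefix on an encapsulation, as in the n-isl shown later in this chapter, is assumed to mean the type was negotiated.

```python
"""Cross-check both ends of trunk links from 'show trunk' output.

Added example, not code from the Cisco guide. It parses the first block of
'show trunk' (Port / Mode / Encapsulation / Status / Native vlan, as printed
in this chapter) from each switch and checks two of the restrictions above:
the 802.1Q native VLAN must match on both ends, and both ends must use the
same encapsulation (the mismatched case of Table 5-3, footnote 1). The
sample output and the link map are constructed for this example.
"""
import re

# One port row of the first 'show trunk' block, e.g. " 2/9  desirable  dot1q  trunking  1"
ROW = re.compile(r"^\s*(\d+/\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_show_trunk(text):
    """Return {port: {"mode", "encap", "status", "native"}} from the first block."""
    ports = {}
    for line in text.splitlines():
        if line.startswith("Port") and "Vlans" in line:
            break                       # the VLAN-list blocks follow; stop here
        m = ROW.match(line)
        if m:
            port, mode, encap, status, native = m.groups()
            ports[port] = {"mode": mode, "encap": encap,
                           "status": status, "native": int(native)}
    return ports


def encap_type(encap):
    """'n-isl' -> 'isl': the n- prefix is assumed to mark a negotiated type."""
    return encap[2:] if encap.startswith("n-") else encap


def audit_links(outputs, links):
    """outputs: {switch: show-trunk text}; links: [((switch, port), (switch, port))].

    Returns [(link label, finding)]; an empty list means nothing to report.
    """
    parsed = {sw: parse_show_trunk(txt) for sw, txt in outputs.items()}
    findings = []
    for (sw_a, p_a), (sw_b, p_b) in links:
        label = f"{sw_a} {p_a} <-> {sw_b} {p_b}"
        a, b = parsed[sw_a].get(p_a), parsed[sw_b].get(p_b)
        if a is None or b is None:
            findings.append((label, "port missing from show trunk: that end is not trunking"))
            continue
        if a["status"] != "trunking" or b["status"] != "trunking":
            findings.append((label, f"status {a['status']} / {b['status']}"))
            continue
        ta, tb = encap_type(a["encap"]), encap_type(b["encap"])
        if ta != tb:
            findings.append((label, f"encapsulation mismatch {a['encap']} vs {b['encap']} "
                                    "(spanning tree loop risk, Table 5-3 note 1)"))
        elif ta == "dot1q" and a["native"] != b["native"]:
            findings.append((label, f"802.1Q native VLAN mismatch {a['native']} vs {b['native']}"))
    return findings


# Constructed sample output, in the layout this chapter shows for show trunk.
SHOW_TRUNK_A = """\
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 1/1      desirable    n-isl          trunking      1
 1/2      on           dot1q          trunking      1
 2/9      desirable    dot1q          trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 1/1      1-1005,1025-4094
 1/2      1-1005,1025-4094
 2/9      1-1005,1025-4094
"""

SHOW_TRUNK_B = """\
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 3/1      auto         n-isl          trunking      1
 3/2      on           isl            trunking      1
 3/9      auto         dot1q          trunking      10

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 3/1      1-1005,1025-4094
 3/2      1-1005,1025-4094
 3/9      1-1005,1025-4094
"""

# Which port faces which: operator-supplied, constructed for the example.
LINKS = [(("Switch_A", "1/1"), ("Switch_B", "3/1")),   # ISL both ends: clean
         (("Switch_A", "1/2"), ("Switch_B", "3/2")),   # dot1q vs isl, both on
         (("Switch_A", "2/9"), ("Switch_B", "3/9"))]   # native VLAN 1 vs 10

if __name__ == "__main__":
    outputs = {"Switch_A": SHOW_TRUNK_A, "Switch_B": SHOW_TRUNK_B}
    for label, finding in audit_links(outputs, LINKS):
        print(f"{label}: {finding}")
```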


Default Trunk Configuration


Table 5-4 shows the default Ethernet trunk configuration.

Table 5-4 Default Ethernet Trunk Configuration

Feature Default Configuration


Trunk mode auto
Trunk encapsulation negotiate
Allowed VLAN range VLANs 1-1005, 1025-4094

Configuring a Trunk Link


These sections describe how to configure a trunk link on Ethernet ports and how to define the allowed
VLAN range on a trunk:
• Configuring an ISL Trunk, page 5-5
• Configuring an 802.1Q Trunk, page 5-6
• Configuring an ISL/802.1Q Negotiating Trunk Port, page 5-7
• Defining the Allowed VLANs on a Trunk, page 5-7
• Disabling a Trunk Port, page 5-8

Configuring an ISL Trunk


To configure an ISL trunk, perform this task in privileged mode:

Task                                         Command
Step 1  Configure an ISL trunk.              set trunk mod/port [on | desirable | auto | nonegotiate] isl
Step 2  Verify the trunking configuration.   show trunk [mod/port]

This example shows how to configure a port as a trunk and how to verify the trunk configuration. This
example assumes that the neighboring port is in auto mode:
Console> (enable) set trunk 1/1 on
Port(s) 1/1 trunk mode set to on.
Console> (enable) 06/16/1998,22:16:39:DTP-5:Port 1/1 has become isl trunk
06/16/1998,22:16:40:PAGP-5:Port 1/1 left bridge port 1/1.
06/16/1998,22:16:40:PAGP-5:Port 1/1 joined bridge port 1/1.
Console> (enable) show trunk
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
1/1 on isl trunking 1
Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
1/1 1-1005, 1025-4094


Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
1/1 1,521-524
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
1/1
Console> (enable)

This example shows how to place a port in desirable mode and how to verify the trunk configuration.
This example assumes that the neighboring port is in auto mode:
Console> (enable) set trunk 1/2 desirable
Port(s) 1/2 trunk mode set to desirable.
Console> (enable) 06/16/1998,22:20:16:DTP-5:Port 1/2 has become isl trunk
06/16/1998,22:20:16:PAGP-5:Port 1/2 left bridge port 1/2.
06/16/1998,22:20:16:PAGP-5:Port 1/2 joined bridge port 1/2.
Console> (enable) show trunk 1/2
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
1/2 desirable isl trunking 1
Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
1/2 1-1005, 1025-4094
Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
1/2 1,521-524
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
1/2
Console> (enable)

Configuring an 802.1Q Trunk


To configure an 802.1Q trunk, perform this task in privileged mode:

Task                                         Command
Step 1  Configure an 802.1Q trunk.           set trunk mod/port [on | desirable | auto | nonegotiate] dot1q
Step 2  Verify the trunking configuration.   show trunk [mod/port]

This example shows how to configure an 802.1Q trunk and how to verify the trunk configuration:
Console> (enable) set trunk 2/9 desirable dot1q
Port(s) 2/9 trunk mode set to desirable.
Port(s) 2/9 trunk type set to dot1q.
Console> (enable) 07/02/1998,18:22:25:DTP-5:Port 2/9 has become dot1q trunk
Console> (enable) show trunk
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
2/9 desirable dot1q trunking 1

Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
2/9 1-1005, 1025-4094


Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
2/9 1,5,10-32,101-120,150,200,250,300,400,500,600,700,800,900,1000

Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
2/9 5,10-32,101-120,150,200,250,300,400,500,600,700,800,900,1000
Console> (enable)

Configuring an ISL/802.1Q Negotiating Trunk Port


To configure a trunk port to negotiate the trunk encapsulation type (either ISL or 802.1Q), perform this
task in privileged mode:

Task                                                        Command
Step 1  Configure a port to negotiate the trunk             set trunk mod/port [on | desirable | auto | nonegotiate] negotiate
        encapsulation type.
Step 2  Verify the trunking configuration.                  show trunk [mod/port]

This example shows how to configure a port to negotiate the encapsulation type and how to verify the
trunk configuration. This example assumes that the neighboring port is in auto mode with encapsulation
set to isl or negotiate.
Console> (enable) set trunk 4/11 desirable negotiate
Port(s) 4/11 trunk mode set to desirable.
Port(s) 4/11 trunk type set to negotiate.
Console> (enable) show trunk 4/11
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
4/11 desirable n-isl trunking 1

Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
4/11 1-1005,1025-4094

Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
4/11 1,5,10-32,55,101-120,998-1000

Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
4/11 1,5,10-32,55,101-120,998-1000
Console> (enable)

Defining the Allowed VLANs on a Trunk


When you configure a trunk port, all VLANs are added to the allowed VLANs list for that trunk.
However, you can remove VLANs from the allowed list to prevent traffic for those VLANs from passing
over the trunk.


Note When you first configure a port as a trunk, entering the set trunk command always adds all VLANs
to the allowed VLAN list for the trunk, even if you specify a VLAN range (any specified VLAN
range is ignored). To modify the allowed VLANs list, use a combination of the clear trunk and set
trunk commands to specify the allowed VLANs.

To define the allowed VLAN list for a trunk port, perform this task in privileged mode:

Task                                                              Command
Step 1  Remove VLANs from the allowed VLANs list for a trunk.     clear trunk mod/port vlans
Step 2  (Optional) Add specific VLANs to the allowed VLANs        set trunk mod/port vlans
        list for a trunk.
Step 3  Verify the allowed VLAN list for the trunk.               show trunk [mod/port]

This example shows how to define the allowed VLANs list to allow VLANs 1–100, VLANs 500–1005,
and VLAN 2500 on trunk port 1/1 and how to verify the allowed VLAN list for the trunk:
Console> (enable) clear trunk 1/1 101-499
Removing Vlan(s) 101-499 from allowed list.
Port 1/1 allowed vlans modified to 1-100,500-1005.
Console> (enable) set trunk 1/1 2500
Adding vlans 2500 to allowed list.
Port(s) 1/1 allowed vlans modified to 1-100,500-1005,2500.
Console> (enable) show trunk 1/1
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
1/1 desirable isl trunking 1
Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
1/1 1-100, 500-1005,2500
Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
1/1 1,521-524
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
1/1 1,521-524
Console> (enable)
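The allowed-list bookkeeping behind clear trunk and set trunk, as an added Python example that is not code from the Cisco guide; the starting list 1-1005 is assumed from the output above, and prune_command is an added helper that restricts a trunk to exactly the VLANs it is meant to carry.

```python
"""Allowed-VLAN list bookkeeping for a trunk port.

Added example, not code from the Cisco guide. It models what the switch does
to a trunk's allowed list under 'clear trunk mod/port vlans' and
'set trunk mod/port vlans' and reproduces the strings printed in the
"Defining the Allowed VLANs on a Trunk" example. The starting list "1-1005"
is assumed from that example's output; Table 5-4 gives the factory default.
"""

DEFAULT_ALLOWED = "1-1005,1025-4094"   # Table 5-4: default allowed VLAN range
MAX_VLAN = 4094


def parse_vlan_list(text):
    """'1-100, 500-1005,2500' -> set of VLAN ids (spaces are ignored)."""
    vlans = set()
    for item in text.replace(" ", "").split(","):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= MAX_VLAN:
            raise ValueError(f"invalid VLAN range {item!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Set of ids -> compact 'a-b,c' string, the way show trunk prints it."""
    ids, parts, i = sorted(vlans), [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


class TrunkPort:
    """Allowed-VLAN list of one trunk port, driven by the two CLI verbs."""

    def __init__(self, port, allowed=DEFAULT_ALLOWED):
        self.port = port
        self.allowed = parse_vlan_list(allowed)

    def clear_trunk(self, vlans):
        """clear trunk mod/port vlans: drop VLANs from the allowed list."""
        self.allowed -= parse_vlan_list(vlans)
        return format_vlan_list(self.allowed)

    def set_trunk(self, vlans):
        """set trunk mod/port vlans: add VLANs to the allowed list."""
        self.allowed |= parse_vlan_list(vlans)
        return format_vlan_list(self.allowed)

    def prune_command(self, keep):
        """Added helper: the clear trunk command that leaves only `keep` allowed.

        Everything currently allowed and not in `keep` is cleared in one
        command; returns None when the list already matches.
        """
        surplus = self.allowed - parse_vlan_list(keep)
        if not surplus:
            return None
        return f"clear trunk {self.port} {format_vlan_list(surplus)}"


if __name__ == "__main__":
    p = TrunkPort("1/1", allowed="1-1005")
    print(p.clear_trunk("101-499"))   # 1-100,500-1005
    print(p.set_trunk("2500"))        # 1-100,500-1005,2500
    # From the default list, keep only VLAN 1 and VLANs 520-530
    print(TrunkPort("1/1").prune_command("1,520-530"))
```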

Disabling a Trunk Port


To turn off trunking on a port, perform this task in privileged mode:

Task Command
Step 1 Turn off trunking on a port. set trunk mod/port off
Step 2 Verify the trunking configuration. show trunk [mod/port]


To return a port to the default trunk type and mode for that port type, perform this task in privileged
mode:

Task                                                              Command
Step 1  Return the port to the default trunking type and          clear trunk mod/port
        mode for that port type.
Step 2  Verify the trunking configuration.                        show trunk [mod/port]

Example VLAN Trunk Configurations


This section contains example VLAN trunk configurations:
• ISL Trunk Configuration Example, page 5-9
• ISL Trunk Over EtherChannel Link Example, page 5-10
• 802.1Q Trunk Over EtherChannel Link Example, page 5-13
• Load-Sharing VLAN Traffic Over Parallel Trunks Example, page 5-16

ISL Trunk Configuration Example


This example shows how to configure an ISL trunk between two switches and how to limit the allowed
VLANs on the trunk to VLAN 1 and VLANs 520–530.
In this example, port 1/1 on Switch 1 is connected to a Fast Ethernet port on another switch. Both ports
are in their default state, with the trunk mode set to auto (for more information, see the “Default Trunk
Configuration” section on page 5-5).

Step 1 Configure port 1/1 on Switch 1 as an ISL trunk port by entering the set trunk command. By specifying
the desirable keyword, the trunk is automatically negotiated with the neighboring port (port 1/2 on
Switch 2). ISL encapsulation is assumed based on the hardware type.
Switch1> (enable) set trunk 1/1 desirable
Port(s) 1/1 trunk mode set to desirable.
Switch1> (enable) 06/18/1998,12:20:23:DTP-5:Port 1/1 has become isl trunk
06/18/1998,12:20:23:PAGP-5:Port 1/1 left bridge port 1/1.
06/18/1998,12:20:23:PAGP-5:Port 1/1 joined bridge port 1/1.
Switch1> (enable)

Step 2 Check the configuration by entering the show trunk command. The Status field in the screen output
indicates that port 1/1 is trunking.
Switch1> (enable) show trunk 1/1
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
1/1 desirable isl trunking 1
Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
1/1 1-1005, 1025-4094
Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
1/1 1,521-524


Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
1/1
Switch1> (enable)

Step 3 Define the allowed VLAN list for the trunk by entering the clear trunk command to remove the VLANs
that should not pass traffic over the trunk link.
Switch1> (enable) clear trunk 1/1 2-519
Removing Vlan(s) 2-519 from allowed list.
Port 1/1 allowed vlans modified to 1,520-1005.
Switch1> (enable) clear trunk 1/1 531-1005
Removing Vlan(s) 531-1005 from allowed list.
Port 1/1 allowed vlans modified to 1,520-530.
Switch1> (enable) show trunk 1/1
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
1/1 desirable isl trunking 1
Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
1/1 1,520-530
Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
1/1 1,521-524
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
1/1 1,521-524
Switch1> (enable)

Step 4 Verify connectivity across the trunk by entering the ping command.
Switch1> (enable) ping switch2
switch2 is alive
Switch1> (enable)

ISL Trunk Over EtherChannel Link Example


This example shows how to configure an ISL trunk over an EtherChannel link between two switches.
Figure 5-1 shows two switches connected through two 100BASE-TX Fast Ethernet ports.

Figure 5-1 ISL Trunk Over Fast EtherChannel Link
[Figure: Switch A ports 1/1 and 1/2 connected to Switch B ports 3/1 and 3/2, forming a Fast EtherChannel that carries an ISL trunk link]

This example shows how to configure the switches to form a two-port EtherChannel bundle and then
configure the EtherChannel bundle as an ISL trunk link.


Step 1 Confirm the channeling and trunking status of the switches by entering the show port channel and show
trunk commands.
Switch_A> (enable) show port channel
No ports channelling
Switch_A> (enable) show trunk
No ports trunking.
Switch_A> (enable)

Switch_B> (enable) show port channel
No ports channelling
Switch_B> (enable) show trunk
No ports trunking.
Switch_B> (enable)

Step 2 Configure the ports on Switch A to negotiate an EtherChannel bundle with the neighboring switch by
entering the set port channel command. This example assumes that the neighboring ports on Switch B
are in EtherChannel auto mode. The system logging messages provide information about the formation
of the EtherChannel bundle.
Switch_A> (enable) set port channel 1/1-2 desirable
Port(s) 1/1-2 channel mode set to desirable.
Switch_A> (enable) %PAGP-5-PORTFROMSTP:Port 1/1 left bridge port 1/1
%PAGP-5-PORTFROMSTP:Port 1/2 left bridge port 1/2
%PAGP-5-PORTFROMSTP:Port 1/2 left bridge port 1/2
%PAGP-5-PORTTOSTP:Port 1/1 joined bridge port 1/1-2
%PAGP-5-PORTTOSTP:Port 1/2 joined bridge port 1/1-2

Switch_B> (enable) %PAGP-5-PORTFROMSTP:Port 3/1 left bridge port 3/1
%PAGP-5-PORTFROMSTP:Port 3/2 left bridge port 3/2
%PAGP-5-PORTFROMSTP:Port 3/2 left bridge port 3/2
%PAGP-5-PORTTOSTP:Port 3/1 joined bridge port 3/1-2
%PAGP-5-PORTTOSTP:Port 3/2 joined bridge port 3/1-2

Step 3 After the EtherChannel bundle is negotiated, verify the configuration by entering the show port channel
command.
Switch_A> (enable) show port channel
Port Status Channel Channel Neighbor Neighbor
mode status device port
----- ---------- --------- ----------- ------------------------- ----------
1/1 connected desirable channel WS-C5000 009979082(Sw 3/1
1/2 connected desirable channel WS-C5000 009979082(Sw 3/2
----- ---------- --------- ----------- ------------------------- ----------
Switch_A> (enable)

Switch_B> (enable) show port channel
Port Status Channel Channel Neighbor Neighbor
mode status device port
----- ---------- --------- ----------- ------------------------- ----------
3/1 connected auto channel WS-C5500 069003103(Sw 1/1
3/2 connected auto channel WS-C5500 069003103(Sw 1/2
----- ---------- --------- ----------- ------------------------- ----------
Switch_B> (enable)

Step 4 Configure one of the ports in the EtherChannel bundle to negotiate an ISL trunk by entering the set
trunk command.
The configuration is applied to all of the ports in the bundle. This example assumes that the neighboring
ports on Switch B are configured to use isl or negotiate encapsulation and are in auto trunk mode. The
system logging messages provide information about the formation of the ISL trunk.


Switch_A> (enable) set trunk 1/1 desirable isl
Port(s) 1/1-2 trunk mode set to desirable.
Port(s) 1/1-2 trunk type set to isl.
Switch_A> (enable) %DTP-5-TRUNKPORTON:Port 1/1 has become isl trunk
%DTP-5-TRUNKPORTON:Port 1/2 has become isl trunk
%PAGP-5-PORTFROMSTP:Port 1/1 left bridge port 1/1-2
%PAGP-5-PORTFROMSTP:Port 1/2 left bridge port 1/1-2
%PAGP-5-PORTTOSTP:Port 1/1 joined bridge port 1/1-2
%PAGP-5-PORTTOSTP:Port 1/2 joined bridge port 1/1-2

Switch_B> (enable) %DTP-5-TRUNKPORTON:Port 3/1 has become isl trunk
%DTP-5-TRUNKPORTON:Port 3/2 has become isl trunk
%PAGP-5-PORTFROMSTP:Port 3/1 left bridge port 3/1-2
%PAGP-5-PORTFROMSTP:Port 3/2 left bridge port 3/1-2
%PAGP-5-PORTTOSTP:Port 3/1 joined bridge port 3/1-2
%PAGP-5-PORTTOSTP:Port 3/2 joined bridge port 3/1-2

Step 5 After the ISL trunk link is negotiated, verify the configuration by entering the show trunk command.
Switch_A> (enable) show trunk
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
1/1 desirable isl trunking 1
1/2 desirable isl trunking 1

Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
1/1 1-1005, 1025-4094
1/2 1-1005, 1025-4094

Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
1/1 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
1/2 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999

Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
1/1 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
1/2 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
Switch_A> (enable)

Switch_B> (enable) show trunk
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
3/1 auto isl trunking 1
3/2 auto isl trunking 1

Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
3/1 1-1005, 1025-4094
3/2 1-1005, 1025-4094

Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
3/1 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
3/2 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
3/1 1-5,10,20,50,152,200,300,400,500,521-524,570,801,850,917,999
3/2 1-5,10,20,50,152,200,300,400,500,521-524,570,801,850,917,999
Switch_B> (enable)


802.1Q Trunk Over EtherChannel Link Example


This example shows how to configure an 802.1Q trunk over an EtherChannel link between two switches.
Figure 5-2 shows two switches connected through four 1000BASE-SX Gigabit Ethernet ports.

Figure 5-2 802.1Q Trunk Over EtherChannel Link
[Figure: Switch A ports 2/3, 2/4, 2/5, and 2/6 connected to Switch B ports 3/3, 3/4, 3/5, and 3/6, forming a Gigabit EtherChannel that carries an IEEE 802.1Q trunk link]

This example shows how to configure the switches to form a four-port EtherChannel bundle and then
configure the EtherChannel bundle as an 802.1Q trunk link.

Step 1 Make sure all ports on both Switch A and Switch B are assigned to the same VLAN by entering the set
vlan command. This VLAN is used as the 802.1Q native VLAN for the trunk. In this example, all ports
are configured as members of VLAN 1.
Switch_A> (enable) set vlan 1 2/3-6
VLAN Mod/Ports
---- -----------------------
1 2/1-6

Switch_A> (enable)

Switch_B> (enable) set vlan 1 3/3-6
VLAN Mod/Ports
---- -----------------------
1 3/1-6

Switch_B> (enable)

Step 2 Confirm the channeling and trunking status of the switches by entering the show port channel and show
trunk commands.
Switch_A> (enable) show port channel
No ports channelling
Switch_A> (enable) show trunk
No ports trunking.
Switch_A> (enable)

Switch_B> (enable) show port channel
No ports channelling
Switch_B> (enable) show trunk
No ports trunking.
Switch_B> (enable)

Step 3 Configure the ports on Switch A to negotiate an EtherChannel bundle with the neighboring switch by
entering the set port channel command. This example assumes that the neighboring ports on Switch B
are in EtherChannel auto mode. The system logging messages provide information about the formation
of the EtherChannel bundle.


Switch_A> (enable) set port channel 2/3-6 desirable
Port(s) 2/3-6 channel mode set to desirable.
Switch_A> (enable) %PAGP-5-PORTFROMSTP:Port 2/3 left bridge port 2/3
%PAGP-5-PORTFROMSTP:Port 2/4 left bridge port 2/4
%PAGP-5-PORTFROMSTP:Port 2/5 left bridge port 2/5
%PAGP-5-PORTFROMSTP:Port 2/6 left bridge port 2/6
%PAGP-5-PORTFROMSTP:Port 2/4 left bridge port 2/4
%PAGP-5-PORTFROMSTP:Port 2/5 left bridge port 2/5
%PAGP-5-PORTFROMSTP:Port 2/6 left bridge port 2/6
%PAGP-5-PORTFROMSTP:Port 2/3 left bridge port 2/3
%PAGP-5-PORTTOSTP:Port 2/3 joined bridge port 2/3-6
%PAGP-5-PORTTOSTP:Port 2/4 joined bridge port 2/3-6
%PAGP-5-PORTTOSTP:Port 2/5 joined bridge port 2/3-6
%PAGP-5-PORTTOSTP:Port 2/6 joined bridge port 2/3-6

Switch_B> (enable) %PAGP-5-PORTFROMSTP:Port 3/3 left bridge port 3/3
%PAGP-5-PORTFROMSTP:Port 3/4 left bridge port 3/4
%PAGP-5-PORTFROMSTP:Port 3/5 left bridge port 3/5
%PAGP-5-PORTFROMSTP:Port 3/6 left bridge port 3/6
%PAGP-5-PORTFROMSTP:Port 3/4 left bridge port 3/4
%PAGP-5-PORTFROMSTP:Port 3/5 left bridge port 3/5
%PAGP-5-PORTFROMSTP:Port 3/6 left bridge port 3/6
%PAGP-5-PORTFROMSTP:Port 3/3 left bridge port 3/3
%PAGP-5-PORTTOSTP:Port 3/3 joined bridge port 3/3-6
%PAGP-5-PORTTOSTP:Port 3/4 joined bridge port 3/3-6
%PAGP-5-PORTTOSTP:Port 3/5 joined bridge port 3/3-6
%PAGP-5-PORTTOSTP:Port 3/6 joined bridge port 3/3-6

Step 4 After the EtherChannel bundle is negotiated, verify the configuration by entering the show port channel
command.
Switch_A> (enable) show port channel
Port Status Channel Channel Neighbor Neighbor
mode status device port
----- ---------- --------- ----------- ------------------------- ----------
2/3 connected desirable channel WS-C4003 JAB023806(Sw 2/3
2/4 connected desirable channel WS-C4003 JAB023806(Sw 2/4
2/5 connected desirable channel WS-C4003 JAB023806(Sw 2/5
2/6 connected desirable channel WS-C4003 JAB023806(Sw 2/6
----- ---------- --------- ----------- ------------------------- ----------
Switch_A> (enable)

Switch_B> (enable) show port channel
Port Status Channel Channel Neighbor Neighbor
mode status device port
----- ---------- --------- ----------- ------------------------- ----------
3/3 connected auto channel WS-C4003 JAB023806(Sw 2/3
3/4 connected auto channel WS-C4003 JAB023806(Sw 2/4
3/5 connected auto channel WS-C4003 JAB023806(Sw 2/5
3/6 connected auto channel WS-C4003 JAB023806(Sw 2/6
----- ---------- --------- ----------- ------------------------- ----------
Switch_B> (enable)

Step 5 Configure one of the ports in the EtherChannel bundle to negotiate an 802.1Q trunk by entering the set
trunk command. The configuration is applied to all of the ports in the bundle. This example assumes
that the neighboring ports on Switch B are configured to use dot1q or negotiate encapsulation and are
in auto trunk mode. The system logging messages provide information about the formation of the
802.1Q trunk.
Switch_A> (enable) set trunk 2/3 desirable dot1q
Port(s) 2/3-6 trunk mode set to desirable.
Port(s) 2/3-6 trunk type set to dot1q.
Switch_A> (enable) %DTP-5-TRUNKPORTON:Port 2/3 has become dot1q trunk


%DTP-5-TRUNKPORTON:Port 2/4 has become dot1q trunk
%PAGP-5-PORTFROMSTP:Port 2/3 left bridge port 2/3-6
%DTP-5-TRUNKPORTON:Port 2/5 has become dot1q trunk
%PAGP-5-PORTFROMSTP:Port 2/4 left bridge port 2/3-6
%PAGP-5-PORTFROMSTP:Port 2/5 left bridge port 2/3-6
%DTP-5-TRUNKPORTON:Port 2/6 has become dot1q trunk
%PAGP-5-PORTFROMSTP:Port 2/6 left bridge port 2/3-6
%PAGP-5-PORTFROMSTP:Port 2/3 left bridge port 2/3
%PAGP-5-PORTTOSTP:Port 2/3 joined bridge port 2/3-6
%PAGP-5-PORTTOSTP:Port 2/4 joined bridge port 2/3-6
%PAGP-5-PORTTOSTP:Port 2/5 joined bridge port 2/3-6
%PAGP-5-PORTTOSTP:Port 2/6 joined bridge port 2/3-6
Switch_B> (enable) %DTP-5-TRUNKPORTON:Port 3/3 has become dot1q trunk
%DTP-5-TRUNKPORTON:Port 3/4 has become dot1q trunk
%PAGP-5-PORTFROMSTP:Port 3/3 left bridge port 3/3-6
%PAGP-5-PORTFROMSTP:Port 3/4 left bridge port 3/3-6
%PAGP-5-PORTFROMSTP:Port 3/5 left bridge port 3/3-6
%PAGP-5-PORTFROMSTP:Port 3/6 left bridge port 3/3-6
%DTP-5-TRUNKPORTON:Port 3/5 has become dot1q trunk
%DTP-5-TRUNKPORTON:Port 3/6 has become dot1q trunk
%PAGP-5-PORTFROMSTP:Port 3/5 left bridge port 3/3-6
%PAGP-5-PORTFROMSTP:Port 3/6 left bridge port 3/3-6
%PAGP-5-PORTTOSTP:Port 3/3 joined bridge port 3/3-6
%PAGP-5-PORTTOSTP:Port 3/4 joined bridge port 3/3-6
%PAGP-5-PORTTOSTP:Port 3/5 joined bridge port 3/3-6
%PAGP-5-PORTTOSTP:Port 3/6 joined bridge port 3/3-6

Step 6 After the 802.1Q trunk link is negotiated, verify the configuration by entering the show trunk command.
Switch_A> (enable) show trunk
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
2/3 desirable dot1q trunking 1
2/4 desirable dot1q trunking 1
2/5 desirable dot1q trunking 1
2/6 desirable dot1q trunking 1

Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
2/3 1-1005, 1025-4094
2/4 1-1005, 1025-4094
2/5 1-1005, 1025-4094
2/6 1-1005, 1025-4094

Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
2/3 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
2/4 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
2/5 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
2/6 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999

Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
2/3
2/4
2/5
2/6
Switch_A> (enable)


Switch_B> (enable) show trunk
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
3/3 auto dot1q trunking 1
3/4 auto dot1q trunking 1
3/5 auto dot1q trunking 1
3/6 auto dot1q trunking 1

Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
3/3 1-1005, 1025-4094
3/4 1-1005, 1025-4094
3/5 1-1005, 1025-4094
3/6 1-1005, 1025-4094

Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
3/3 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
3/4 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
3/5 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
3/6 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999

Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
3/3 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
3/4 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
3/5 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
3/6 1-5,10,20,50,152,200,300,400,500,521-524,570,850,917,999
Switch_B> (enable)

Load-Sharing VLAN Traffic Over Parallel Trunks Example

Using spanning tree port-VLAN priorities, you can load-share VLAN traffic over parallel trunk ports so
that traffic from some VLANs travels over one trunk, while traffic from other VLANs travels over the
other trunk. This configuration allows traffic to be carried over both trunks simultaneously (instead of
keeping one trunk in blocking mode), which reduces the total traffic carried over each trunk while still
maintaining a fault-tolerant configuration.
Figure 5-3 shows a parallel trunk configuration between two switches, using the Fast Ethernet uplink
ports on the supervisor engine.


Figure 5-3 Parallel Trunk Configuration Before Configuring VLAN-Traffic Load Sharing
[Figure: Switch 1 and Switch 2 are connected by two parallel trunks: Trunk 1 between ports 1/1 and 1/1, and Trunk 2 between ports 1/2 and 1/2. On both trunks, VLANs 10, 20, 30, 40, 50, and 60 have port-VLAN priority 32; Trunk 1 is forwarding and Trunk 2 is blocking.]

By default, the port-VLAN priority for both trunks is equal (a value of 32). STP blocks port 1/2
(Trunk 2) for each VLAN on Switch 1 to prevent forwarding loops. Trunk 2 is not used to forward traffic
unless Trunk 1 fails.
This example shows how to configure the switches so that traffic from multiple VLANs is load balanced
over the parallel trunks.

Step 1 Configure a VTP domain on both Switch 1 and Switch 2 by entering the set vtp command so that the
VLAN information configured on Switch 1 is learned by Switch 2. Make sure Switch 1 is a VTP server.
You can configure Switch 2 as a VTP client or as a VTP server.
Switch_1> (enable) set vtp domain BigCorp mode server
VTP domain BigCorp modified
Switch_1> (enable)

Switch_2> (enable) set vtp domain BigCorp mode server
VTP domain BigCorp modified
Switch_2> (enable)

Step 2 Create the VLANs on Switch 1 by entering the set vlan command. In this example, VLANs 10, 20,
30, 40, 50, and 60 are created.
Switch_1> (enable) set vlan 10
Vlan 10 configuration successful
Switch_1> (enable) set vlan 20
Vlan 20 configuration successful
Switch_1> (enable) set vlan 30
Vlan 30 configuration successful
Switch_1> (enable) set vlan 40
Vlan 40 configuration successful
Switch_1> (enable) set vlan 50
Vlan 50 configuration successful
Switch_1> (enable) set vlan 60
Vlan 60 configuration successful
Switch_1> (enable)

Step 3 Verify the VTP and VLAN configuration on Switch 1 by entering the show vtp domain and show vlan
commands.


Switch_1> (enable) show vtp domain
Domain Name Domain Index VTP Version Local Mode Password
-------------------------------- ------------ ----------- ----------- ----------
BigCorp 1 2 server -

Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
11 1023 13 disabled

Last Updater V2 Mode Pruning PruneEligible on Vlans
--------------- -------- -------- -------------------------
172.20.52.10 disabled enabled 2-1000
Switch_1> (enable) show vlan
VLAN Name Status Mod/Ports, Vlans
---- -------------------------------- --------- ----------------------------
1 default active 1/1-2
2/1-12
5/1-2
10 VLAN0010 active
20 VLAN0020 active
30 VLAN0030 active
40 VLAN0040 active
50 VLAN0050 active
60 VLAN0060 active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
<...output truncated...>

Switch_1> (enable)

Step 4 Configure the supervisor engine uplinks on Switch 1 as ISL trunk ports by entering the set trunk
command. Specifying the desirable mode on the Switch 1 ports causes the ports on Switch 2 to negotiate
to become trunk links (assuming that the Switch 2 uplinks are in the default auto mode).
Switch_1> (enable) set trunk 1/1 desirable
Port(s) 1/1 trunk mode set to desirable.
Switch_1> (enable) 04/21/1998,03:05:05:DISL-5:Port 1/1 has become isl trunk

Switch_1> (enable) set trunk 1/2 desirable
Port(s) 1/2 trunk mode set to desirable.
Switch_1> (enable) 04/21/1998,03:05:13:DISL-5:Port 1/2 has become isl trunk

Step 5 Verify that the trunk links are up by entering the show trunk command.
Switch_1> (enable) show trunk 1
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
1/1 desirable isl trunking 1
1/2 desirable isl trunking 1

Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
1/1 1-1005, 1025-4094
1/2 1-1005, 1025-4094

Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
1/1 1,10,20,30,40,50,60
1/2 1,10,20,30,40,50,60


Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
1/1
1/2
Switch_1> (enable)

Step 6 Note that when the trunk links come up, VTP passes the VTP and VLAN configuration to Switch 2.
Verify that Switch 2 has learned the VLAN configuration by entering the show vlan command on
Switch 2.
Switch_2> (enable) show vlan
VLAN Name Status Mod/Ports, Vlans
---- -------------------------------- --------- ----------------------------
1 default active
10 VLAN0010 active
20 VLAN0020 active
30 VLAN0030 active
40 VLAN0040 active
50 VLAN0050 active
60 VLAN0060 active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

<...output truncated...>

Switch_2> (enable)

Step 7 Note that spanning tree takes one to two minutes to converge. After the network stabilizes, check the
spanning tree state of each trunk port on Switch 1 by entering the show spantree command.
Trunk 1 is forwarding for all VLANs. Trunk 2 is blocking for all VLANs. On Switch 2, both trunks are
forwarding for all VLANs, but no traffic passes over Trunk 2 because port 1/2 on Switch 1 is blocking.
Switch_1> (enable) show spantree 1/1
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
1/1 1 forwarding 19 32 disabled
1/1 10 forwarding 19 32 disabled
1/1 20 forwarding 19 32 disabled
1/1 30 forwarding 19 32 disabled
1/1 40 forwarding 19 32 disabled
1/1 50 forwarding 19 32 disabled
1/1 60 forwarding 19 32 disabled
1/1 1003 not-connected 19 32 disabled
1/1 1005 not-connected 19 4 disabled
Switch_1> (enable) show spantree 1/2
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
1/2 1 blocking 19 32 disabled
1/2 10 blocking 19 32 disabled
1/2 20 blocking 19 32 disabled
1/2 30 blocking 19 32 disabled
1/2 40 blocking 19 32 disabled
1/2 50 blocking 19 32 disabled
1/2 60 blocking 19 32 disabled
1/2 1003 not-connected 19 32 disabled
1/2 1005 not-connected 19 4 disabled
Switch_1> (enable)


Step 8 Divide the configured VLANs into two groups. You might want traffic from half of the VLANs to go
over one trunk link and half over the other, or if one VLAN has heavier traffic than the others, you can
forward traffic from that VLAN over one trunk and traffic from the other VLANs over the other trunk
link.

Note In the following steps, VLANs 10, 20, and 30 (Group 1) are forwarded over Trunk 1, and
VLANs 40, 50, and 60 (Group 2) are forwarded over Trunk 2.

Step 9 On Switch 1, change the port-VLAN priority for the Group 1 VLANs on Trunk 1 (port 1/1) to an integer
value lower than the default of 32 by entering the set spantree portvlanpri command.
Switch_1> (enable) set spantree portvlanpri 1/1 1 10
Port 1/1 vlans 1-9,11-1004 using portpri 32.
Port 1/1 vlans 10 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_1> (enable) set spantree portvlanpri 1/1 1 20
Port 1/1 vlans 1-9,11-19,21-1004 using portpri 32.
Port 1/1 vlans 10,20 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_1> (enable) set spantree portvlanpri 1/1 1 30
Port 1/1 vlans 1-9,11-19,21-29,31-1004 using portpri 32.
Port 1/1 vlans 10,20,30 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_1> (enable)

Step 10 On Switch 1, change the port-VLAN priority for the Group 2 VLANs on Trunk 2 (port 1/2) to an integer
value lower than the default of 32 by entering the set spantree portvlanpri command.
Switch_1> (enable) set spantree portvlanpri 1/2 1 40
Port 1/2 vlans 1-39,41-1004 using portpri 32.
Port 1/2 vlans 40 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_1> (enable) set spantree portvlanpri 1/2 1 50
Port 1/2 vlans 1-39,41-49,51-1004 using portpri 32.
Port 1/2 vlans 40,50 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_1> (enable) set spantree portvlanpri 1/2 1 60
Port 1/2 vlans 1-39,41-49,51-59,61-1004 using portpri 32.
Port 1/2 vlans 40,50,60 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_1> (enable)

Step 11 On Switch 2, change the port-VLAN priority for the Group 1 VLANs on Trunk 1 (port 1/1) to the same
value you configured for those VLANs on Switch 1 by entering the set spantree portvlanpri command.

Caution The port-VLAN priority for each VLAN must be equal on both ends of the link.
Switch_2> (enable) set spantree portvlanpri 1/1 1 10
Port 1/1 vlans 1-9,11-1004 using portpri 32.
Port 1/1 vlans 10 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_2> (enable) set spantree portvlanpri 1/1 1 20
Port 1/1 vlans 1-9,11-19,21-1004 using portpri 32.
Port 1/1 vlans 10,20 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_2> (enable) set spantree portvlanpri 1/1 1 30
Port 1/1 vlans 1-9,11-19,21-29,31-1004 using portpri 32.
Port 1/1 vlans 10,20,30 using portpri 1.
Port 1/1 vlans 1005 using portpri 4.
Switch_2> (enable)


Step 12 On Switch 2, change the port-VLAN priority for the Group 2 VLANs on Trunk 2 (port 1/2) to the same
value you configured for those VLANs on Switch 1 by entering the set spantree portvlanpri command.
Switch_2> (enable) set spantree portvlanpri 1/2 1 40
Port 1/2 vlans 1-39,41-1004 using portpri 32.
Port 1/2 vlans 40 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_2> (enable) set spantree portvlanpri 1/2 1 50
Port 1/2 vlans 1-39,41-49,51-1004 using portpri 32.
Port 1/2 vlans 40,50 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_2> (enable) set spantree portvlanpri 1/2 1 60
Port 1/2 vlans 1-39,41-49,51-59,61-1004 using portpri 32.
Port 1/2 vlans 40,50,60 using portpri 1.
Port 1/2 vlans 1005 using portpri 4.
Switch_2> (enable)

Note When you have configured the port-VLAN priorities on both ends of the link, the spanning
tree converges to use the new configuration.

Step 13 Check the spanning tree port states on Switch 1 by entering the show spantree command. The Group 1
VLANs should forward on Trunk 1 and block on Trunk 2. The Group 2 VLANs should block on Trunk 1
and forward on Trunk 2.
Switch_1> (enable) show spantree 1/1
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
1/1 1 forwarding 19 32 disabled
1/1 10 forwarding 19 1 disabled
1/1 20 forwarding 19 1 disabled
1/1 30 forwarding 19 1 disabled
1/1 40 blocking 19 32 disabled
1/1 50 blocking 19 32 disabled
1/1 60 blocking 19 32 disabled
1/1 1003 not-connected 19 32 disabled
1/1 1005 not-connected 19 4 disabled
Switch_1> (enable) show spantree 1/2
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
1/2 1 blocking 19 32 disabled
1/2 10 blocking 19 32 disabled
1/2 20 blocking 19 32 disabled
1/2 30 blocking 19 32 disabled
1/2 40 forwarding 19 1 disabled
1/2 50 forwarding 19 1 disabled
1/2 60 forwarding 19 1 disabled
1/2 1003 not-connected 19 32 disabled
1/2 1005 not-connected 19 4 disabled
Switch_1> (enable)

Figure 5-4 shows the network after you configure VLAN traffic load sharing.


Figure 5-4 Parallel Trunk Configuration After Configuring VLAN-Traffic Load Sharing
[Figure: Switch 1 and Switch 2 are connected by Trunk 1 (ports 1/1 to 1/1) and Trunk 2 (ports 1/2 to 1/2). On Trunk 1, VLANs 10, 20, and 30 have port-VLAN priority 1 (forwarding) and VLANs 40, 50, and 60 have port-VLAN priority 32 (blocking). On Trunk 2, VLANs 10, 20, and 30 have port-VLAN priority 32 (blocking) and VLANs 40, 50, and 60 have port-VLAN priority 1 (forwarding).]

Figure 5-4 shows that both trunks are utilized when the network is operating normally; if one trunk link
fails, the other trunk link acts as an alternate forwarding path for the traffic previously traveling over the
failed link.
If Trunk 1 fails in the network shown in Figure 5-4, STP reconverges to use Trunk 2 to forward traffic
from all the VLANs, as shown in this example:
Switch_1> (enable) 04/21/1998,03:15:40:DISL-5:Port 1/1 has become non-trunk

Switch_1> (enable) show spantree 1/1
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
1/1 1 not-connected 19 32 disabled
Switch_1> (enable) show spantree 1/2
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
1/2 1 learning 19 32 disabled
1/2 10 learning 19 32 disabled
1/2 20 learning 19 32 disabled
1/2 30 learning 19 32 disabled
1/2 40 forwarding 19 1 disabled
1/2 50 forwarding 19 1 disabled
1/2 60 forwarding 19 1 disabled
1/2 1003 not-connected 19 32 disabled
1/2 1005 not-connected 19 4 disabled
Switch_1> (enable) show spantree 1/2
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
1/2 1 forwarding 19 32 disabled
1/2 10 forwarding 19 32 disabled
1/2 20 forwarding 19 32 disabled
1/2 30 forwarding 19 32 disabled
1/2 40 forwarding 19 1 disabled
1/2 50 forwarding 19 1 disabled
1/2 60 forwarding 19 1 disabled
1/2 1003 not-connected 19 32 disabled
1/2 1005 not-connected 19 4 disabled
Switch_1> (enable)
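The per-VLAN port selection behind Steps 7 through 13 and the Trunk 1 failure shown above, as an added illustration in Python (not Cisco code). It assumes Switch 2 is the spanning tree root for every VLAN, that both trunks have the same path cost, and that the port-VLAN priority is identical on both ends of each link, as the Caution in Step 11 requires; the Uplink class and helper names are this example's own.

```python
"""Model of per-VLAN spanning tree port selection for the parallel-trunk
load-sharing example (added illustration, not Cisco code).

Assumptions (the page does not state them): Switch 2 is the spanning tree root
for every VLAN, both trunks have the same path cost, and the port-VLAN priority
is identical on both ends of each link (the Caution in Step 11). Under those
assumptions Switch 1 forwards each VLAN on the connected trunk with the lowest
(port-VLAN priority, port number) and blocks the VLAN on the other trunk.
"""
from dataclasses import dataclass, field

DEFAULT_PORT_VLAN_PRIORITY = 32          # value the page shows before Step 9
VLANS = [1, 10, 20, 30, 40, 50, 60]


@dataclass
class Uplink:
    name: str                              # mod/port, e.g. "1/1"
    connected: bool = True
    vlan_priority: dict = field(default_factory=dict)

    def priority(self, vlan):
        return self.vlan_priority.get(vlan, DEFAULT_PORT_VLAN_PRIORITY)

    def number(self):
        mod, _, port = self.name.partition("/")
        return int(mod), int(port)


def set_portvlanpri(uplink, priority, vlans):
    """Mirror 'set spantree portvlanpri mod/port priority vlan_list'."""
    if not 0 <= priority <= 63:            # CatOS range for this command
        raise ValueError("port-VLAN priority must be 0-63")
    for vlan in vlans:
        uplink.vlan_priority[vlan] = priority


def spantree_states(uplinks, vlans):
    """Return {vlan: {port: state}}, one forwarding port per VLAN."""
    states = {}
    up = [u for u in uplinks if u.connected]
    for vlan in vlans:
        chosen = min(up, key=lambda u: (u.priority(vlan), u.number()), default=None)
        states[vlan] = {}
        for u in uplinks:
            if not u.connected:
                states[vlan][u.name] = "not-connected"
            elif u is chosen:
                states[vlan][u.name] = "forwarding"
            else:
                states[vlan][u.name] = "blocking"
    return states


def forwarding_port(states, vlan):
    """Name of the port forwarding a VLAN, or None if no trunk is up."""
    return next((p for p, s in states[vlan].items() if s == "forwarding"), None)


def build_switch1():
    """Switch 1's uplinks after Steps 9 and 10 of the example."""
    trunk1, trunk2 = Uplink("1/1"), Uplink("1/2")
    set_portvlanpri(trunk1, 1, [10, 20, 30])   # Group 1 prefers Trunk 1
    set_portvlanpri(trunk2, 1, [40, 50, 60])   # Group 2 prefers Trunk 2
    return [trunk1, trunk2]


if __name__ == "__main__":
    uplinks = build_switch1()
    for vlan, per_port in spantree_states(uplinks, VLANS).items():
        print(vlan, per_port)
    uplinks[0].connected = False               # Trunk 1 fails
    print("after Trunk 1 failure:", spantree_states(uplinks, VLANS)[10])
```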


Disabling VLAN 1 on Trunks

On the Catalyst 6000 family switches, VLAN 1 is enabled by default to allow control protocols to
transmit and receive packets across the network topology. However, when VLAN 1 is enabled on trunk
links in a large complex network, the impact of broadcast storms increases. Because spanning tree
applies to the entire network, spanning tree loops might increase when you enable VLAN 1 on all trunk
links. To prevent this scenario, you can disable VLAN 1 on trunk interfaces.
When you disable VLAN 1 on a trunk interface, no user traffic is transmitted and received across that
trunk interface, but the supervisor engine continues to transmit and receive packets from control
protocols such as Cisco Discovery Protocol (CDP), VTP, Port Aggregation Protocol (PAgP), and DTP.
When a trunk port with VLAN 1 disabled becomes a nontrunk port, it is added to the native VLAN. If
the native VLAN is VLAN 1, the port is enabled and added to VLAN 1.

Disabling VLAN 1 on a Trunk Link

To disable VLAN 1 on a trunk interface, perform this task in privileged mode:

        Task                                          Command
Step 1  Disable VLAN 1 on the trunk interface.        clear trunk mod/port [vlan-range]
Step 2  Verify the allowed VLAN list for the trunk.   show trunk [mod/port]

This example shows how to disable VLAN 1 on a trunk link and verify the configuration:
Console> (enable) clear trunk 8/1 1
Removing Vlan(s) 1 from allowed list.
Port 8/1 allowed vlans modified to 2-1005.
Console> (enable) show trunk 8/1
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
8/1 on isl trunking 1

Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
8/1 2-1005, 1025-4094

Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
8/1 2-6,10,20,50,100,152,200,300,400,500,521,524,570,776,801-802,850,917,999,1003,1005

Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
8/1 2-6,10,20,50,100,152,200,300,400,500,521,524,570,776,802,850,917,999,1003,1005
Console> (enable) show config
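An added audit script (not from the guide) that parses the show trunk layout used throughout this chapter and applies two checks a defender would want after the procedures above: that every port of an EtherChannel bundle ended up with identical trunk settings, which is what Step 6 of the 802.1Q Trunk Over EtherChannel Link Example verifies by eye, and that VLAN 1 is no longer in the allowed list after the clear trunk step of this section. The sample output, its port names and the mismatches on ports 2/5 and 2/6 are constructed for the example.

```python
"""Audit Catalyst OS 'show trunk' output for trunk and EtherChannel hygiene.

Checks, on the table layout shown in this chapter:
  1. every port of an EtherChannel bundle has identical trunk settings
     (mode, encapsulation, native VLAN, allowed VLAN list);
  2. VLAN 1 has been removed from the allowed list (clear trunk mod/port 1).
The sample below is constructed for this example, not captured from a switch;
ports 2/5 and 2/6 carry deliberate mismatches so the checks have something to find.
"""
import re
from dataclasses import dataclass

SAMPLE_SHOW_TRUNK = """\
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 2/3      desirable    dot1q          trunking      1
 2/4      desirable    dot1q          trunking      1
 2/5      desirable    dot1q          trunking      5
 2/6      desirable    dot1q          trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 2/3      1-1005, 1025-4094
 2/4      1-1005, 1025-4094
 2/5      1-1005, 1025-4094
 2/6      2-1005, 1025-4094

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 2/3      1-5,10,20
"""


@dataclass
class TrunkPort:
    port: str
    mode: str = ""
    encapsulation: str = ""
    status: str = ""
    native_vlan: int = 0
    allowed: frozenset = frozenset()


def parse_vlan_list(text):
    """Expand a CatOS VLAN list such as '1-5,10, 20-22' into a set of ids."""
    vlans = set()
    for chunk in re.split(r"\s*,\s*", text.strip()):
        if chunk:
            lo, _, hi = chunk.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_trunk(output):
    """Return {port: TrunkPort} from the text of 'show trunk'."""
    ports, section = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        if line.startswith("Port"):            # a new table header
            header = line[4:].strip()
            section = "status" if header.startswith("Mode") else header
            continue
        if section == "status":
            port, mode, encap, status, native = line.split()
            ports[port] = TrunkPort(port, mode, encap, status, int(native))
        elif section == "Vlans allowed on trunk":
            port, _, rest = line.partition(" ")
            ports.setdefault(port, TrunkPort(port)).allowed = frozenset(parse_vlan_list(rest))
        # the 'active' and 'forwarding' tables are informational here
    return ports


def bundle_mismatches(ports, members):
    """Settings that differ between the first bundle member and the others."""
    findings, ref = [], ports[members[0]]
    for name in members[1:]:
        for attr in ("mode", "encapsulation", "native_vlan", "allowed"):
            if getattr(ports[name], attr) != getattr(ref, attr):
                findings.append(f"{name}: {attr} differs from {ref.port}")
    return findings


def ports_allowing_vlan1(ports):
    """Trunk ports on which VLAN 1 is still in the allowed list."""
    return sorted(p for p, tp in ports.items() if 1 in tp.allowed)


if __name__ == "__main__":
    parsed = parse_show_trunk(SAMPLE_SHOW_TRUNK)
    for finding in bundle_mismatches(parsed, ["2/3", "2/4", "2/5", "2/6"]):
        print("bundle:", finding)
    print("VLAN 1 still allowed on:", ports_allowing_vlan1(parsed))
```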

Chapter 6
Configuring EtherChannel

This chapter describes how to use the command-line interface (CLI) to configure EtherChannel on the
Catalyst 6000 family switches. The configuration tasks in this chapter apply to Ethernet, Fast Ethernet,
and Gigabit Ethernet switching modules, as well as to the uplink ports on the supervisor engine.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:

• Understanding How EtherChannel Works, page 6-1
• EtherChannel Configuration Guidelines, page 6-4
• Configuring EtherChannel, page 6-5

Note The commands in the following sections can be used on all Ethernet ports in the Catalyst 6000 family
switches.

Understanding How EtherChannel Works

EtherChannel bundles individual Ethernet links into a single logical link that provides bandwidth up to
1600 Mbps (Fast EtherChannel full duplex) or 16 Gbps (Gigabit EtherChannel) between a Catalyst 6000
family switch and another switch or host.
All Ethernet ports on all modules, including those on a standby supervisor engine, support EtherChannel
(maximum of eight compatibly configured ports) with no requirement that ports be contiguous or on the
same module. All ports in each EtherChannel must be the same speed.

Note With software release 6.2(1) and earlier releases, the 6- and 9-slot Catalyst 6000 family switches
support a maximum of 128 EtherChannels.

With software release 6.2(2) and later releases, due to the port ID handling by the spanning tree
feature, the maximum supported number of EtherChannels is 126 for a 6- or 9-slot chassis and 63
for a 13-slot chassis. Note that the 13-slot chassis was first supported in software release 6.2(2).


Note The network device to which a Catalyst 6000 family switch is connected may impose its own limits
on the number of ports in an EtherChannel.

If a segment within an EtherChannel fails, traffic previously carried over the failed link switches to the
remaining segments within the EtherChannel. A trap is sent upon a failure identifying the switch, the
EtherChannel, and the failed link. Inbound broadcast and multicast packets on one segment in an
EtherChannel are blocked from returning on any other segment of the EtherChannel.
You can configure EtherChannels as trunks. After a channel is formed, configuring any port in the
channel as a trunk applies the configuration to all ports in the channel. Identically configured trunk ports
can be configured as an EtherChannel.
These sections describe EtherChannel:
• Understanding Administrative Groups, page 6-2
• Understanding EtherChannel IDs, page 6-2
• Understanding Port Aggregation Protocol, page 6-2
• Understanding Frame Distribution, page 6-3

Understanding Administrative Groups

Configuring an EtherChannel creates an administrative group, designated by an integer between 1 and
1024, to which the EtherChannel belongs. When an administrative group is created, you can assign an
administrative group number or let the next available administrative group number be assigned
automatically. Forming a channel without specifying an administrative group number creates a new
automatically numbered administrative group. An administrative group may contain a maximum of eight
ports.

Understanding EtherChannel IDs

Each EtherChannel is automatically assigned a unique EtherChannel ID. Use the show channel group
admin_group command to display the EtherChannel ID.

Understanding Port Aggregation Protocol

The Port Aggregation Protocol (PAgP) facilitates the automatic creation of EtherChannels by
exchanging packets between Ethernet ports. PAgP packets are exchanged only between ports in auto
and desirable modes. Ports configured in on or off mode do not exchange PAgP packets. The protocol
learns the capabilities of port groups dynamically and informs the other ports. After PAgP identifies
correctly matched EtherChannel links, it groups the ports into an EtherChannel. The EtherChannel is
then added to the spanning tree as a single bridge port.
EtherChannel includes four user-configurable modes: on, off, auto, and desirable. Only auto and
desirable are PAgP modes. You can modify the auto and desirable modes with the silent and
non-silent keywords. By default, ports are in auto silent mode.


Table 6-1 describes EtherChannel modes.

Table 6-1 EtherChannel Modes

Mode        Description
on          Mode that forces the port to channel without PAgP. With the on mode, a usable
            EtherChannel exists only when a port group in on mode is connected to another
            port group in on mode.
off         Mode that prevents the port from channeling.
auto        PAgP mode that places a port into a passive negotiating state, in which the port
            responds to PAgP packets it receives but does not initiate PAgP packet
            negotiation. (Default)
desirable   PAgP mode that places a port into an active negotiating state, in which the port
            initiates negotiations with other ports by sending PAgP packets.
silent      Keyword that is used with the auto or desirable mode when no traffic is expected
            from the other device, to prevent the link from being reported to the Spanning
            Tree Protocol as down. (Default)
non-silent  Keyword that is used with the auto or desirable mode when traffic is expected
            from the other device.

Both the auto and desirable modes allow ports to negotiate with connected ports to determine if they
can form an EtherChannel, based on criteria such as port speed, trunking state, and VLAN numbers.
Ports can form an EtherChannel when they are in different PAgP modes as long as the modes are
compatible:
• A port in desirable mode can form an EtherChannel successfully with another port that is in
desirable or auto mode.
• A port in auto mode can form an EtherChannel with another port in desirable mode.
• A port in auto mode cannot form an EtherChannel with another port that is also in auto mode,
because neither port will initiate negotiation.

Understanding Frame Distribution

EtherChannel distributes frames across the links in a channel by reducing part of the binary pattern
formed from the addresses in the frame to a numerical value that selects one of the links in the channel.
Enter the show module command for the supervisor engine to determine if EtherChannel frame
distribution is configurable on your switch:
• If the display shows the “Sub-Type” to be “L2 Switching Engine I WS-F6020,” then EtherChannel
frame distribution is not configurable on your switch; it uses source and destination Media Access
Control (MAC) addresses.
• EtherChannel frame distribution is configurable with all other switching engines. The default is to
use source and destination IP addresses.

Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4


78-13315-02 6-3
Chapter 6 Configuring EtherChannel
EtherChannel Configuration Guidelines

When configurable, EtherChannel frame distribution can use MAC addresses, IP addresses, and Layer 4
port numbers. You can specify either source or destination address or both source and destination
addresses and Layer 4 port numbers. The mode you select applies to all EtherChannels configured on
the switch. Use the option that provides the greatest variety in your configuration. For example, if the
traffic on a channel is going to a single MAC address only, using source addresses or IP addresses or
Layer 4 port numbers as the basis for frame distribution may provide better frame distribution than
selecting MAC addresses as the basis.
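
The following Python model, added here as an illustration and not part of the Catalyst software or of this guide, shows why the choice of distribution basis matters. The switch's actual hash is proprietary; the model assumes an XOR fold of the selected header bytes into eight buckets mapped onto the member links, and the client-to-server traffic, addresses and port names 2/16 and 2/17 are constructed for the example. With a single destination, a destination-only basis puts every frame on one link, while a source or source-and-destination basis spreads them, which is the point the paragraph above makes. The select_link function answers the same question for one address pair that show channel hash answers on the switch.

```python
"""Illustrative model of EtherChannel frame distribution.

Added example, not Catalyst 6000 code: the switch's hash is proprietary, so
this keeps only the behaviour the guide describes. A few bits derived from
the fields the distribution mode selects pick one member link, so the spread
across links is only as good as the variety in those fields.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Iterable, List

HASH_BUCKETS = 8  # enough buckets to address the maximum of eight ports per channel


@dataclass(frozen=True)
class Frame:
    """Header fields a distribution mode can select (constructed, not captured)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int = 0  # Layer 4 ports; 0 when the frame carries none
    dst_port: int = 0


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def _selected_fields(frame: Frame, basis: str, direction: str) -> bytes:
    """Serialize only what the mode looks at.

    basis:     "mac", "ip", or "session" (IP addresses plus Layer 4 ports)
    direction: "source", "destination", or "both"
    """
    if basis == "mac":
        src, dst = _mac_bytes(frame.src_mac), _mac_bytes(frame.dst_mac)
    elif basis == "ip":
        src, dst = IPv4Address(frame.src_ip).packed, IPv4Address(frame.dst_ip).packed
    elif basis == "session":
        src = IPv4Address(frame.src_ip).packed + frame.src_port.to_bytes(2, "big")
        dst = IPv4Address(frame.dst_ip).packed + frame.dst_port.to_bytes(2, "big")
    else:
        raise ValueError(f"unknown distribution basis {basis!r}")
    try:
        return {"source": src, "destination": dst, "both": src + dst}[direction]
    except KeyError:
        raise ValueError(f"unknown direction {direction!r}") from None


def hash_bucket(fields: bytes) -> int:
    """Reduce the selected bytes to a bucket number (assumed XOR fold, not Cisco's hash)."""
    acc = 0
    for byte in fields:
        acc ^= byte
    return acc % HASH_BUCKETS


def select_link(frame: Frame, links: List[str], basis: str, direction: str) -> str:
    """Return the member port (e.g. "2/17") that would carry this frame.

    Bucket-to-link mapping (bucket modulo member count) is an assumption of the model.
    """
    bucket = hash_bucket(_selected_fields(frame, basis, direction))
    return links[bucket % len(links)]


def distribution(frames: Iterable[Frame], links: List[str],
                 basis: str, direction: str) -> Dict[str, int]:
    """Count the frames each member link carries under one distribution mode."""
    counts = {link: 0 for link in links}
    for frame in frames:
        counts[select_link(frame, links, basis, direction)] += 1
    return counts


# Constructed traffic for the case the guide singles out: 32 clients, each with
# its own MAC, IP and source port, all sending to ONE server. Addresses are made up.
SERVER_MAC, SERVER_IP = "00:00:0c:00:00:01", "172.20.32.66"
CLIENT_FRAMES = [
    Frame(src_mac=f"00:00:0c:00:01:{i:02x}", dst_mac=SERVER_MAC,
          src_ip=f"172.20.32.{10 + i}", dst_ip=SERVER_IP,
          src_port=40000 + i, dst_port=443)
    for i in range(32)
]
CHANNEL_808 = ["2/16", "2/17"]  # a two-port channel; member names follow the guide's examples

if __name__ == "__main__":
    for basis, direction in [("mac", "destination"), ("ip", "destination"),
                             ("mac", "source"), ("ip", "both")]:
        print(f"{basis:>3} {direction:<11}",
              distribution(CLIENT_FRAMES, CHANNEL_808, basis, direction))
```

Run stand-alone, it prints the per-link frame counts for each mode; the destination-only modes load one link with all 32 frames and leave the other idle.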

EtherChannel Configuration Guidelines


If improperly configured, some EtherChannel ports are disabled automatically to avoid network loops
and other problems. Follow these guidelines to avoid configuration problems:
• You can have a maximum of eight compatibly configured ports per EtherChannel; the ports do not
have to be contiguous or on the same module.

Note To configure the EtherChannel across different modules, you must put the ports in the
same administrative group using the set port channel port_list admin_group command.

• Assign all ports in an EtherChannel to the same VLAN, or configure them as trunk ports.
• If you configure the EtherChannel as a trunk, configure the same trunk mode on all the ports in the
EtherChannel. Configuring ports in an EtherChannel in different trunk modes can have unexpected
results.
• An EtherChannel supports the same allowed range of VLANs on all the ports in a trunking
EtherChannel. If the allowed range of VLANs is not the same for a port list, the ports do not form
an EtherChannel even when set to the auto or desirable mode with the set port channel command.
• Ports with different port path costs, set by the set spantree portcost command, can form an
EtherChannel as long they are otherwise compatibly configured. Setting different port path costs
does not, by itself, make ports incompatible for the formation of an EtherChannel.
• Do not configure the ports in an EtherChannel as dynamic VLAN ports. Doing so can adversely
affect switch performance.
• An EtherChannel will not form with ports that have different GARP VLAN Registration Protocol
(GVRP), GARP Multicast Registration Protocol (GMRP), and quality of service (QoS)
configurations.
• Configure all ports in an EtherChannel to operate at the same speed and duplex mode.
• An EtherChannel will not form with ports where the port security feature is enabled.
• You cannot enable the port security feature for ports in an EtherChannel.
• An EtherChannel will not form if one of the ports is a SPAN destination port.
• An EtherChannel will not form if protocol filtering is set differently on the ports.
• Enable all ports in an EtherChannel. If you disable a port in an EtherChannel, it is treated as a link
failure and its traffic is transferred to one of the remaining ports in the EtherChannel.
• With software release 6.3(1) and later releases, an EtherChannel is preserved even if it contains only
one port. In software releases prior to 6.3(1), traffic was disrupted when you removed a 1-port
channel from spanning tree and then added it to spanning tree as an individual port.


Configuring EtherChannel
These sections describe how to configure EtherChannel:
• Configuring an EtherChannel, page 6-5
• Setting the EtherChannel Port Mode, page 6-5
• Setting the EtherChannel Port Path Cost, page 6-6
• Setting the EtherChannel VLAN Cost, page 6-6
• Configuring EtherChannel Frame Distribution, page 6-8
• Displaying EtherChannel Traffic Utilization, page 6-8
• Displaying Outgoing Ports for a Specified Address or Layer 4 Port Number, page 6-8
• Disabling an EtherChannel, page 6-9

Configuring an EtherChannel
To configure EtherChannel on a group of Ethernet ports, perform this task in privileged mode:

Task                                              Command
Configure the EtherChannel on the desired ports.  set port channel mod/ports... [admin_group]
                                                  set port channel mod/port mode {on | off | desirable | auto} [silent | non-silent]

This example shows how to configure a seven-port EtherChannel in a new administrative group:
Console> (enable) set port channel 2/2-8 mode desirable
Ports 2/2-8 left admin_group 1.
Ports 2/2-8 joined admin_group 2.
Console> (enable)

Setting the EtherChannel Port Mode


To set a port’s EtherChannel mode, perform this task in privileged mode:

Task                             Command
Set a port’s EtherChannel mode.  set port channel mod/ports... [admin_group]
                                 set port channel mod/port mode {on | off | desirable | auto} [silent | non-silent]

This example shows how to set port 2/1 to auto mode:
Console> (enable) set port channel 2/1 mode auto
Ports 2/1 channel mode set to auto.
Console> (enable)


Setting the EtherChannel Port Path Cost


To set the EtherChannel port path cost, perform this task in privileged mode:

        Task                                              Command
Step 1  Use the administrative group number to display    show channel group admin_group
        the EtherChannel ID.
Step 2  Use the EtherChannel ID to set the EtherChannel   set channel cost {channel_id | all} cost
        port path cost.

Note When you enter the set channel cost command, it does not appear in the configuration file.
The command causes a “set spantree portcost” entry to be created for each port in the
channel. See the “Configuring the PVST+ Port Cost” section in Chapter 8, “Configuring
Spanning Tree,” for information on using the set spantree portcost command.

This example shows how to set the EtherChannel port path cost for channel ID 768:
Console> (enable) show channel group 20
Admin Port  Status     Channel   Channel
group                  Mode      id
----- ----- ---------- --------- --------
20    1/1   notconnect on        768
20    1/2   connected  on        768

Admin Port  Device-ID                       Port-ID                   Platform
group
----- ----- ------------------------------- ------------------------- ----------
20    1/1
20    1/2   066510644(cat26-lnf(NET25))     2/1                       WS-C6009
Console> (enable)

Console> (enable) set channel cost 768 12
Port(s) 1/1,1/2 port path cost are updated to 31.
Channel 768 cost is set to 12.
Warning:channel cost may not be applicable if channel is broken.
Console> (enable)

Setting the EtherChannel VLAN Cost


The EtherChannel VLAN cost feature provides load balancing of VLAN traffic across multiple channels
configured with trunking.
You enter the set channel vlancost command to set the initial spanning tree costs for all VLANs in the
channel. The set channel vlancost command provides an alternate cost for some of the VLANs in the
channel (assuming you are trunking across the channel). This command allows you to have up to two
different spanning tree costs assigned per channel; some VLANs in the channel can have the “vlancost”
while the remaining VLANs in the channel have the “cost.”


The set channel vlancost command creates a “set spantree portvlancost” entry to the configuration file
for each port in the channel. Once you have entered the set channel vlancost command, you must enter
the set spantree portvlancost command for at least one port in the channel, specifying the VLAN or
VLANs that you want associated with each port. The following examples show what occurs when each
command is entered:
Console> (enable) set channel vlancost 856 10
Port(s) 3/47-48 vlan cost are updated to 16.
Channel 856 vlancost is set to 10.

The following commands are added to the configuration file:
• set spantree portvlancost 3/47 cost 16
• set spantree portvlancost 3/48 cost 16
Now you have to add the desired VLANs to the above created commands by entering the following:
Console> (enable) set spantree portvlancost 3/47 cost 16 1-1005
Port 3/47 VLANs 1025-4094 have path cost 19.
Port 3/47 VLANs 1-1005 have path cost 16.
Port 3/48 VLANs 1-1005 have path cost 16.

To set the EtherChannel VLAN cost, perform this task in privileged mode:

        Task                                              Command
Step 1  Use the administrative group number to display    show channel group admin_group
        the EtherChannel ID.
Step 2  Use the EtherChannel ID to set the EtherChannel   set channel vlancost channel_id cost
        VLAN cost.
Step 3  Configure the port cost for the desired VLANs on  set spantree portvlancost {mod/port} [cost cost] [vlan_list]
        each port.

This example shows how to set the EtherChannel VLAN cost for channel ID 856:
Console> (enable) show channel group 22
Admin Port  Status     Channel   Channel
group                  Mode      id
----- ----- ---------- --------- --------
22    1/1   notconnect on        856
22    1/2   connected  on        856

Admin Port  Device-ID                       Port-ID                   Platform
group
----- ----- ------------------------------- ------------------------- ----------
22    1/1
22    1/2   066510644(cat26-lnf(NET25))     2/1                       WS-C6009
Console> (enable)

Console> (enable) set channel vlancost 856 10
Port(s) 3/47-48 vlan cost are updated to 16.
Channel 856 vlancost is set to 10.
Console> (enable) set spantree portvlancost 3/47 cost 16 1-1005
Port 3/47 VLANs 1025-4094 have path cost 19.
Port 3/47 VLANs 1-1005 have path cost 16.
Port 3/48 VLANs 1-1005 have path cost 16.
Console> (enable)


Configuring EtherChannel Frame Distribution


To configure EtherChannel frame distribution, perform this task in privileged mode:

Task                                        Command
Configure EtherChannel frame distribution.  set port channel all distribution {ip | mac} [source | destination | both]
                                            set port channel all distribution {session} [both]

Note The set port channel all distribution session command option is supported on Supervisor Engine 2
only.

This example shows how to configure EtherChannel to use MAC source addresses:
Console> (enable) set port channel all distribution mac source
Channel distribution is set to mac source.
Console> (enable)

Displaying EtherChannel Traffic Utilization


To display the traffic utilization on the EtherChannel ports, perform this task in privileged mode:

Task                          Command
Display traffic utilization.  show channel traffic

This example shows how to display traffic utilization on EtherChannel ports:
Console> (enable) show channel traffic
ChanId Port Rx-Ucst Tx-Ucst Rx-Mcst Tx-Mcst Rx-Bcst Tx-Bcst
------ ----- ------- ------- ------- ------- ------- -------
808 2/16 0.00% 0.00% 50.00% 75.75% 0.00% 0.00%
808 2/17 0.00% 0.00% 50.00% 25.25% 0.00% 0.00%
816 2/31 0.00% 0.00% 25.25% 50.50% 0.00% 0.00%
816 2/32 0.00% 0.00% 75.75% 50.50% 0.00% 0.00%
Console> (enable)

Displaying Outgoing Ports for a Specified Address or Layer 4 Port Number


To display the outgoing port used in an EtherChannel for a specific address or Layer 4 port number,
perform this task in privileged mode:

Task                                        Command
Display the outgoing port for a specified   show channel hash channel_id src_ip_addr [dest_ip_addr] | dest_ip_address |
address or Layer 4 port number.             src_mac_addr [dest_mac_addr] | dest_mac_addr | src_port dest_port


This example shows how to display the outgoing port for the specified source and destination IP
addresses:
Console> (enable) show channel hash 808 172.20.32.10 172.20.32.66
Selected channel port:2/17
Console> (enable)

Disabling an EtherChannel
To disable an EtherChannel, perform this task in privileged mode:

Task                      Command
Disable an EtherChannel.  set port channel mod/port mode off

This example shows how to disable an EtherChannel:
Console> (enable) set port channel 2/2-8 mode off
Ports 2/2-8 channel mode set to off.
Console> (enable)

Chapter 7
Configuring IEEE 802.1Q Tunneling

This chapter describes how to configure IEEE 802.1Q tunneling on the Catalyst 6000 family switches.
This chapter consists of these sections:
• Understanding How 802.1Q Tunneling Works, page 7-1
• 802.1Q Tunneling Configuration Guidelines, page 7-2
• Configuring Support for 802.1Q Tunneling, page 7-3

Understanding How 802.1Q Tunneling Works


802.1Q tunneling enables service providers to use a single VLAN to support customers who have
multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer
VLANs segregated.
A port configured to support 802.1Q tunneling is called a tunnel port. When you configure tunneling,
you assign a tunnel port to a VLAN that you dedicate to tunneling. To keep customer traffic segregated,
each customer requires a separate VLAN, but that one VLAN supports all of the customer’s VLANs.
With 802.1Q tunneling, tagged traffic comes from an 802.1Q trunk port on a customer device and enters
the switch through a tunnel port. The link between the 802.1Q trunk port on a customer device and the
tunnel port is called an asymmetrical link because one end is configured as an 802.1Q trunk port and the
other end is configured as a tunnel port.
When a tunnel port receives tagged customer traffic from an 802.1Q trunk port, it does not strip the
received 802.1Q tag from the frame header; instead, the tunnel port leaves the 802.1Q tag intact, adds a
1-byte Ethertype field (0x8100) and a 1-byte length field and puts the received customer traffic into the
VLAN to which the tunnel port is assigned. This Ethertype 0x8100 traffic, with the received 802.1Q tag
intact, is called tunnel traffic.
A VLAN carrying tunnel traffic is an 802.1Q tunnel. The tunnel ports in the VLAN are the tunnel’s
ingress and egress points.
The tunnel ports do not have to be on the same network device. The tunnel can cross other network links
and other network devices before reaching the egress tunnel port. A tunnel can have as many tunnel ports
as required to support the customer devices that need to communicate through the tunnel.
An egress tunnel port strips the 1-byte Ethertype field (0x8100) and the 1-byte length field and transmits
the traffic with the 802.1Q tag still intact to an 802.1Q trunk port on a customer device. The 802.1Q
trunk port on the customer device strips the 802.1Q tag and puts the traffic into the appropriate customer
VLAN.
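
As an added illustration (not Catalyst code), the following Python walks a customer frame through the tunnel at the byte level. It models each 802.1Q tag as it appears on the wire, a 2-byte Ethertype 0x8100 followed by the 2-byte Tag Control Information field; the MAC addresses, VLAN IDs and payload are constructed for the example, and the tunnel_ingress, tunnel_egress and layer3_protocol names are the example's own. It also shows two consequences that the configuration guidelines in the next section spell out: an untagged frame in the native VLAN cannot be tunneled correctly, and a device that reads one tag deep cannot identify the Layer 3 packet in tunnel traffic.

```python
"""Byte-level walk-through of an 802.1Q tunnel.

Added example, not Catalyst code. It works at the on-the-wire level, where an
802.1Q tag is a 2-byte Ethertype 0x8100 followed by the 2-byte Tag Control
Information (TCI) field, and follows a customer frame from the ingress tunnel
port to the customer's 802.1Q trunk on the far side.
"""
import struct
from typing import Optional

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
MAC_HEADER_LEN = 12  # destination MAC + source MAC


def make_tag(vlan: int, cos: int = 0) -> bytes:
    """Encode one 802.1Q tag: Ethertype 0x8100, then TCI (3-bit CoS, CFI bit, 12-bit VLAN ID)."""
    if not 1 <= vlan <= 4094 or not 0 <= cos <= 7:
        raise ValueError("VLAN must be 1..4094 and CoS 0..7")
    return struct.pack("!HH", TPID_8021Q, (cos << 13) | vlan)


def build_frame(dst: bytes, src: bytes, tag: Optional[bytes], ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet frame; tag is None for an untagged (native VLAN) frame."""
    return dst + src + (tag or b"") + struct.pack("!H", ethertype) + payload


def is_tagged(frame: bytes) -> bool:
    return struct.unpack_from("!H", frame, MAC_HEADER_LEN)[0] == TPID_8021Q


def first_vlan(frame: bytes) -> int:
    """VLAN ID in the outermost tag, which is what a port reads first."""
    if not is_tagged(frame):
        raise ValueError("frame is untagged")
    return struct.unpack_from("!H", frame, MAC_HEADER_LEN + 2)[0] & 0x0FFF


def tunnel_ingress(frame: bytes, tunnel_vlan: int) -> bytes:
    """Ingress tunnel port: keep the customer's tag, push a tunnel tag in front of it.

    An untagged frame is refused: it carries no customer VLAN ID to preserve,
    which is why the guide requires the native VLAN of the asymmetrical link
    to carry no traffic. The received CoS stays in the inner TCI, out of reach
    of a device that reads only the outer tag.
    """
    if not is_tagged(frame):
        raise ValueError("untagged frame cannot be tunneled correctly")
    return frame[:MAC_HEADER_LEN] + make_tag(tunnel_vlan) + frame[MAC_HEADER_LEN:]


def tunnel_egress(frame: bytes, tunnel_vlan: int) -> bytes:
    """Egress tunnel port: pop the tunnel tag and hand the frame on with the customer tag intact."""
    if not is_tagged(frame) or first_vlan(frame) != tunnel_vlan:
        raise ValueError("not tunnel traffic for this VLAN")
    return frame[:MAC_HEADER_LEN] + frame[MAC_HEADER_LEN + 4:]


def layer3_protocol(frame: bytes) -> Optional[int]:
    """Ethertype of the payload as seen by a device that parses at most one tag.

    For tunnel traffic the field after the first tag is another 0x8100, not
    0x0800, so the IP header is not identifiable; this is why the guide says
    tunnel traffic can be filtered only on Layer 2 parameters.
    """
    offset = MAC_HEADER_LEN + (4 if is_tagged(frame) else 0)
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    return None if ethertype == TPID_8021Q else ethertype


# Constructed sample: a customer frame in customer VLAN 30 with CoS 5 and an
# IPv4 payload, carried through tunnel VLAN 1000. MAC addresses are made up.
CUSTOMER_DST = bytes.fromhex("00000c000102")
CUSTOMER_SRC = bytes.fromhex("00000c000103")
CUSTOMER_FRAME = build_frame(CUSTOMER_DST, CUSTOMER_SRC, make_tag(30, cos=5),
                             ETHERTYPE_IPV4, bytes.fromhex("45000014") + bytes(16))
NATIVE_FRAME = build_frame(CUSTOMER_DST, CUSTOMER_SRC, None, ETHERTYPE_IPV4, bytes(20))
TUNNEL_VLAN = 1000

if __name__ == "__main__":
    tunneled = tunnel_ingress(CUSTOMER_FRAME, TUNNEL_VLAN)
    print("customer frame :", CUSTOMER_FRAME.hex())
    print("tunnel traffic :", tunneled.hex(), "outer VLAN", first_vlan(tunneled))
    print("after egress   :", tunnel_egress(tunneled, TUNNEL_VLAN).hex())
```

The tunneled frame is exactly 4 bytes longer than the customer frame, and egress restores the original byte for byte; passing NATIVE_FRAME to tunnel_ingress raises ValueError, the software equivalent of the native VLAN caveat.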


802.1Q Tunneling Configuration Guidelines


Follow these guidelines when configuring 802.1Q tunneling in your network:
• Use asymmetrical links to put traffic into a tunnel or to remove traffic from a tunnel.
• Configure tunnel ports only to form an asymmetrical link.
• Dedicate one VLAN for each tunnel.
• Assign only tunnel ports to VLANs used for tunneling.
• Trunks require no special configuration to carry tunnel VLANs.
• We recommend that you use ISL trunks to carry tunnel traffic between devices that do not have
tunnel ports. Because of the 802.1Q native VLAN feature, using 802.1Q trunks requires that you be
very careful when you configure tunneling: a mistake might direct tunnel traffic to a non-tunnel port.
• Ensure that the native VLAN of the 802.1Q trunk port in an asymmetrical link carries no traffic.
Because traffic in the native VLAN is untagged, it cannot be tunneled correctly. You must enter the
global set dot1q-all-tagged enable command to ensure that egress traffic in the native VLAN is
tagged with 802.1Q tags.
• Because tunnel traffic retains the 802.1Q tag within the switch, the Layer 2 frame header length
imposes the following restrictions:
– The Layer 3 packet within the Layer 2 frame cannot be identified.
– Layer 3 and higher parameters are not identifiable in tunnel traffic (for example, Layer 3
destination and source addresses).
– Tunnel traffic cannot be routed.
– The switch can filter tunnel traffic using only Layer 2 parameters (VLANs and source and
destination MAC addresses).
– The switch can provide only MAC-layer QoS for tunnel traffic.
– QoS cannot detect the received CoS value in the 802.1Q 2-byte Tag Control Information field.
• Asymmetrical links do not support the Dynamic Trunking Protocol (DTP), because only one port
on the link is a trunk. Configure the 802.1Q trunk port on an asymmetrical link with the nonegotiate
dot1q trunking keywords.
• On an asymmetrical link, the Cisco Discovery Protocol (CDP) reports a native VLAN mismatch if
the VLAN of the tunnel port does not match the native VLAN of the 802.1Q trunk. The 802.1Q
tunnel feature does not require that the VLANs match. Ignore the messages if your configuration
requires nonmatching VLANs.
• Jumbo frames can be tunneled as long as the jumbo frame length combined with the 802.1Q tag does
not exceed the maximum frame size.
• The 802.1Q tunneling feature cannot be configured on ports configured to support:
– Private VLANs
– Voice over IP (Cisco IP Phone 7960)
• The following Layer 2 protocols work between devices connected by an asymmetrical link:
– CDP
– UniDirectional Link Detection (UDLD)
– Port Aggregation Protocol (PAgP)


• VLAN Trunk Protocol (VTP) does not work between the following devices:
– Devices connected by an asymmetrical link
– Devices communicating through a tunnel

Note To configure an EtherChannel as an asymmetrical link, all ports in the EtherChannel must have the
same tunneling configuration. Since the Layer 3 packet within the Layer 2 frame cannot be identified,
configure the EtherChannel to use MAC-address-based frame distribution.

• Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP) works
between devices communicating through a tunnel, but does not work between devices connected by
an asymmetrical link.
• An interconnected network cannot have redundant paths to two different edge switches in an ISP.
An interconnected network may have redundant paths to the same edge switch in an ISP, but the
customer network must use Per VLAN Spanning Tree + (PVST+) and cannot be configured for
Multi-Instance Spanning Tree Protocol (MISTP). The ISP infrastructure must use either PVST+ or
MISTP-PVST+.

Configuring Support for 802.1Q Tunneling


These sections describe 802.1Q tunneling configuration:
• Configuring the Switch to Support 802.1Q Tunneling, page 7-3
• Configuring 802.1Q Tunnel Ports, page 7-4
• Clearing 802.1Q Tunnel Ports, page 7-4
• Removing Global Support for 802.1Q Tunneling, page 7-4

Caution Ensure that only the appropriate tunnel ports are in any VLAN used for tunneling and that one VLAN
is used for each tunnel. Incorrect assignment of tunnel ports to VLANs can forward traffic
inappropriately.

Configuring the Switch to Support 802.1Q Tunneling


The set dot1q-all-tagged enable command is a global command that configures a switch to forward all
frames from 802.1Q trunks with 802.1Q tagging, including traffic in the native VLAN, and admit only
802.1Q tagged frames on 802.1Q trunks, dropping any untagged traffic, including untagged traffic in the
native VLAN. You can enter this command on any switch that needs to support 802.1Q tunneling with
802.1Q trunks.
To configure the switch to support 802.1Q tunneling, perform this task in privileged mode:

        Task                                        Command
Step 1  Configure tunneling support on the switch.  set dot1q-all-tagged enable [all]
Step 2  Verify the configuration.                   show dot1q-all-tagged


This example shows how to configure tunneling on the switch and verify the configuration:
Console> (enable) set dot1q-all-tagged enable
Dot1q tagging is enabled
Console> (enable) show dot1q-all-tagged
Dot1q all tagged mode enabled
Console> (enable)

Configuring 802.1Q Tunnel Ports


To configure 802.1Q tunneling on a port, perform this task in privileged mode:

        Task                            Command
Step 1  Configure tunneling on a port.  set port dot1qtunnel {mod/port} access
Step 2  Verify the configuration.       show port dot1qtunnel [mod[/port]]

This example shows how to configure tunneling on port 4/1 and verify the configuration:
Console> (enable) set port dot1qtunnel 4/1 access
Dot1q tunnel feature set to access mode on port 4/1.
Port 4/1 trunk mode set to off.
Console> (enable) show port dot1qtunnel 4/1
Port Dot1q tunnel mode
----- -----------------
4/1 access

Clearing 802.1Q Tunnel Ports


To clear 802.1Q tunneling support from a port, perform this task in privileged mode:

        Task                          Command
Step 1  Clear tunneling from a port.  set port dot1qtunnel {mod/port} disable
Step 2  Verify the configuration.     show port dot1qtunnel [mod[/port]]

This example shows how to clear tunneling on port 4/1 and verify the configuration:
Console> (enable) set port dot1qtunnel 4/1 disable
Dot1q tunnel feature disabled on port 4/1.
Console> (enable) show port dot1qtunnel 4/1
Port Dot1q tunnel mode
----- -----------------
4/1 disabled

Removing Global Support for 802.1Q Tunneling


You do not need to enter the set dot1q-all-tagged disable command to clear 802.1Q tunneling. The set
port dot1qtunnel disable command is the only command required to clear the feature from the port.


To remove global support for 802.1Q tunneling on the switch, perform this task in privileged mode:

        Task                                     Command
Step 1  Remove tunneling support on the switch.  set dot1q-all-tagged disable [all]
Step 2  Verify the configuration.                show dot1q-all-tagged

This example shows how to remove tunneling support on the switch and verify the configuration:
Console> (enable) set dot1q-all-tagged disable
Dot1q tagging is disabled
Console> (enable) show dot1q-all-tagged
Dot1q all tagged mode disabled
Console> (enable)

Chapter 8
Configuring Spanning Tree

This chapter describes the IEEE 802.1D bridge Spanning Tree Protocol (STP) and how to use and
configure Cisco’s proprietary spanning tree protocols, Per VLAN Spanning Tree + (PVST+) and
Multi-Instance Spanning Tree Protocol (MISTP), on the Catalyst 6000 family switches.

Note For information on configuring the spanning tree PortFast, UplinkFast, and BackboneFast features,
see Chapter 9, “Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard.”

This chapter consists of these sections:


• Understanding How Spanning Tree Protocols Work, page 8-1
• Understanding PVST+ and MISTP Modes, page 8-11
• Bridge Identifiers, page 8-13
• Using PVST+, page 8-15
• Using MISTP-PVST+ or MISTP, page 8-22
• Configuring a Root Switch, page 8-31
• Configuring Spanning Tree Timers, page 8-35
• Understanding How BPDU Skewing Works, page 8-37
• Configuring BPDU Skewing, page 8-38

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

Understanding How Spanning Tree Protocols Work


This section describes the specific functions that are common to all spanning tree protocols. Cisco’s
proprietary spanning tree protocols, PVST+ and MISTP, are based on IEEE 802.1D STP. (See the
“Understanding PVST+ and MISTP Modes” section on page 8-11 for information about PVST+ and
MISTP.) The 802.1D STP is a Layer 2 management protocol that provides path redundancy in a network
while preventing undesirable loops. All spanning tree protocols use an algorithm that calculates the best
loop-free path through the network.


The Spanning Tree Protocol (STP) uses a distributed algorithm that selects one bridge of a redundantly
connected network as the root of a spanning tree, which forms the connected active topology. STP assigns
a role to each port depending on the port’s function in the active topology. Port roles are as follows:
• Root—A unique forwarding port elected for the spanning tree topology
• Designated—A forwarding port elected for every switched LAN segment
• Alternate—A blocked port providing an alternate path to the root port in the spanning tree
• Backup—A blocked port in a loopback configuration
Switches that have ports with these assigned roles are called root or designated switches. For more
information, see the “Understanding How a Switch Becomes the Root Switch” section on page 8-3.
In Ethernet networks, only one active path may exist between any two stations. Multiple active paths
between stations can cause loops in the network. When loops occur, some switches recognize stations
on both sides of the switch. This situation causes the forwarding algorithm to malfunction, allowing
duplicate frames to be forwarded.
Spanning tree algorithms provide path redundancy by defining a tree that spans all of the switches in an
extended network and then forces certain redundant data paths into a standby (blocked) state. At regular
intervals, the switches in the network send and receive spanning tree packets that they use to identify the
path. If one network segment becomes unreachable, or if spanning tree costs change, the spanning tree
algorithm reconfigures the spanning tree topology and reestablishes the link by activating the standby
path.
Spanning tree operation is transparent to end stations, which do not detect whether they are connected
to a single LAN segment or a switched LAN of multiple segments.
These sections describe the STP:
• Understanding How a Topology is Created, page 8-2
• Understanding How a Switch Becomes the Root Switch, page 8-3
• Understanding How Bridge Protocol Data Units Work, page 8-3
• Calculating and Assigning Port Costs, page 8-4
• Spanning Tree Port States, page 8-5

Understanding How a Topology is Created


All switches in an extended LAN participating in a spanning tree gather information about other
switches in the network through an exchange of data messages known as bridge protocol data units
(BPDUs). This exchange of messages results in the following actions:
• A unique root switch is elected for the spanning tree network topology
• A designated switch is elected for every switched LAN segment
• Any loops in the switched network are eliminated by placing redundant switch ports in a backup
state; all paths that are not needed to reach the root switch from anywhere in the switched network
are placed in STP-blocked mode.
The topology of an active switched network is determined by the following:
• The unique switch identifier (the Media Access Control [MAC] address of the switch) associated with
each switch
• The path cost to the root associated with each switch port
• The port identifier (MAC address of the port) associated with each switch port


In a switched network, the root switch is the logical center of the spanning tree topology. A spanning
tree protocol uses BPDUs to elect the root switch and root port for the switched network, as well as the
root port and designated port for each switched segment.

Understanding How a Switch Becomes the Root Switch


If all switches are enabled with default settings, the switch with the lowest MAC address in the network
becomes the root switch. In Figure 8-1, Switch A is the root switch because it has the lowest MAC
address. However, due to traffic patterns, number of forwarding ports, or line types, Switch A might not
be the ideal root switch. A switch can be forced to become the root switch by increasing the priority (that
is, lowering the numerical priority number) on the preferred switch. This action causes the spanning tree
to recalculate the topology and make the selected switch the root switch.

Figure 8-1 Configuring a Loop-Free Topology

[Figure: Switches A, B, C, and D, with each port labeled by its spanning tree role]
RP = Root Port
DP = Designated Port

You can change the priority of a port to make it the root port. When the spanning tree topology is based
on default parameters, the path between source and destination stations in a switched network might not
be ideal. Connecting higher-speed links to a port that has a higher number than the current root port can
cause a root-port change. The goal is to make the fastest link the root port.
For example, assume that a port on Switch B is a fiber-optic link. Also, another port on Switch B (an
unshielded twisted-pair [UTP] link) is the root port. Network traffic might be more efficient over the
high-speed fiber-optic link. By changing the Port Priority parameter for the fiber-optic port to a higher
priority (lower numerical value) than the UTP port, the fiber-optic port becomes the root port. You could
also accomplish this scenario by changing the Port Cost parameter for the fiber-optic port to a lower value
than that of the UTP port.

Understanding How Bridge Protocol Data Units Work


BPDUs contain configuration information about the transmitting switch and its ports, including switch
and port MAC addresses, switch priority, port priority, and port cost. Each configuration BPDU contains
this information:
• The unique identifier of the switch that the transmitting switch believes to be the root switch
• The cost of the path to the root from the transmitting port
• The identifier of the transmitting port


The switch sends configuration BPDUs to communicate and compute the spanning tree topology. A
MAC frame conveying a BPDU carries the switch group address in the destination address field, so all
switches connected to the LAN on which the frame is transmitted receive the BPDU. BPDUs are not
directly forwarded by the switch; instead, the receiving switch uses the information in the frame to
calculate its own BPDU and, if the topology changes, initiates a BPDU transmission.
A BPDU exchange results in the following:
• One switch is elected as the root switch.
• The shortest distance to the root switch is calculated for each switch.
• A designated switch is selected. This is the switch that is closest to the root switch through which
frames will be forwarded to the root.
• A port for each switch is selected. This is the port that provides the best path from the switch to the
root switch.
• Ports included in the STP are selected.
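
The following Python simulation, added as an illustration and not taken from the Catalyst software, carries out the election described in this section and in “Understanding How a Switch Becomes the Root Switch” above: the lowest (priority, MAC address) bridge ID wins, each other switch adds its receiving port’s cost to the root path cost its neighbor advertises, and the root port is the one with the best 802.1D priority vector (root path cost, designated bridge ID, designated port ID, receiving port ID). The four-switch topology, MAC addresses and port costs are constructed for the example and do not reproduce Figure 8-1; with_priority and with_port_cost are the example’s own helpers that model lowering a switch priority and changing a port cost. The same comparison explains why any bridge advertising a lower bridge ID takes over as root, which is what an operator sees when the root unexpectedly moves.

```python
"""Root switch election and root port selection, simulated.

Added example, not Catalyst code. Topology and addresses are constructed.
"""
import heapq
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str
    priority: int = 32768  # default bridge priority

    @property
    def bridge_id(self) -> Tuple[int, int]:
        # Lower wins: priority first, then the MAC address as an integer.
        return (self.priority, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class Port:
    bridge: str
    number: int
    cost: int           # port path cost (short-method defaults: 19 at 100 Mbps, 4 at 1 Gbps)
    priority: int = 32  # default port priority

    @property
    def port_id(self) -> Tuple[int, int]:
        return (self.priority, self.number)


Link = Tuple[Port, Port]  # one point-to-point segment between two ports


def elect_root(bridges: List[Bridge]) -> Bridge:
    """With default priorities everywhere, the lowest MAC address wins."""
    return min(bridges, key=lambda b: b.bridge_id)


def _ports_by_bridge(links: List[Link]) -> Dict[str, List[Tuple[Port, Port]]]:
    table: Dict[str, List[Tuple[Port, Port]]] = defaultdict(list)
    for p, q in links:
        table[p.bridge].append((p, q))  # (own port, peer port)
        table[q.bridge].append((q, p))
    return table


def spanning_tree(bridges: List[Bridge], links: List[Link]) -> Dict[str, Tuple[int, Optional[int]]]:
    """Return {bridge: (root path cost, root port number)}; the root has cost 0 and no root port."""
    by_name = {b.name: b for b in bridges}
    root = elect_root(bridges)
    ports = _ports_by_bridge(links)
    # Root path cost: the neighbour's advertised cost plus the cost of the port
    # on which this bridge receives the BPDU (Dijkstra outward from the root).
    rpc: Dict[str, int] = {root.name: 0}
    heap = [(0, root.bridge_id, root.name)]
    while heap:
        cost, _, name = heapq.heappop(heap)
        if cost > rpc[name]:
            continue  # stale heap entry
        for _own, peer in ports[name]:
            candidate = cost + peer.cost
            if candidate < rpc.get(peer.bridge, float("inf")):
                rpc[peer.bridge] = candidate
                heapq.heappush(heap, (candidate, by_name[peer.bridge].bridge_id, peer.bridge))
    tree: Dict[str, Tuple[int, Optional[int]]] = {root.name: (0, None)}
    for name in by_name:
        if name == root.name:
            continue
        # 802.1D priority vector: root path cost, designated bridge ID,
        # designated (neighbour) port ID, then the receiving port ID.
        best = min((rpc[peer.bridge] + own.cost, by_name[peer.bridge].bridge_id,
                    peer.port_id, own.port_id, own.number) for own, peer in ports[name])
        tree[name] = (best[0], best[-1])
    return tree


def with_priority(bridges: List[Bridge], name: str, priority: int) -> List[Bridge]:
    """Model a lower bridge priority configured on one switch."""
    return [replace(b, priority=priority) if b.name == name else b for b in bridges]


def with_port_cost(links: List[Link], bridge: str, number: int, cost: int) -> List[Link]:
    """Model a port path cost configured on one port."""
    def fix(p: Port) -> Port:
        return replace(p, cost=cost) if (p.bridge, p.number) == (bridge, number) else p
    return [(fix(p), fix(q)) for p, q in links]


# Constructed topology: A has the lowest MAC. B reaches A directly over
# 100 Mbps copper (cost 19) or through C over two gigabit links (cost 4 + 4).
BRIDGES = [Bridge("A", "00:00:0c:00:00:0a"), Bridge("B", "00:00:0c:00:00:0b"),
           Bridge("C", "00:00:0c:00:00:0c"), Bridge("D", "00:00:0c:00:00:0d")]
LINKS: List[Link] = [
    (Port("A", 1, 19), Port("B", 1, 19)),
    (Port("B", 2, 4), Port("C", 1, 4)),
    (Port("C", 2, 4), Port("A", 2, 4)),
    (Port("C", 3, 19), Port("D", 1, 19)),
    (Port("D", 2, 100), Port("A", 3, 100)),
]

if __name__ == "__main__":
    print("defaults:", elect_root(BRIDGES).name, spanning_tree(BRIDGES, LINKS))
    print("D priority 8192:", spanning_tree(with_priority(BRIDGES, "D", 8192), LINKS))
    print("B port 2 cost 100:", spanning_tree(BRIDGES, with_port_cost(LINKS, "B", 2, 100)))
```

With defaults, A is the root and B’s root port is its gigabit port 2 (cost 8 via C rather than 19 direct). Lowering D’s priority to 8192 makes D the root even though A has the lowest MAC, and every other switch recomputes its cost and root port; raising the cost of B’s port 2 to 100 moves B’s root port back to the copper port 1.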

Calculating and Assigning Port Costs


By calculating and assigning the port cost of the switch ports, you can ensure that the shortest (lowest
cost) distance to the root switch is used to transmit data. Two methods are available for calculating the
default port cost, and both assign lower path cost values (port costs) to higher bandwidth ports: the
short method (the default) uses a 16-bit format that yields values from 1 to 65535, and the long method
uses a 32-bit format that yields values in the range of 1 to 200,000,000. For steps for setting the
default cost mode, see the “Configuring the PVST+ Default Port Cost Mode” section on page 8-18.

Note You should configure all switches in your network to use the same method for calculating port cost. The
short method is used to calculate the port cost unless you specify that the long method be used. You can
specify the calculation method using the CLI.

Calculating the Port Cost Using the Short Method


The IEEE 802.1D specification assigns 16-bit (short) default port cost values to each port based on
bandwidth. You can also manually assign port costs between 1 and 65535. The 16-bit values are only
used for ports that have not been specifically configured for port cost. Table 8-1 shows the default port
cost values that are assigned by the switch for each type of port when you use the short method to
calculate the port cost.
Table 8-1 Default Port Cost Values Using the Short Method

Port Speed   Default Cost Value   Default Range
10 Mbps      100                  1 to 65535
100 Mbps     19                   1 to 65535
1 Gbps       4                    1 to 65535

Calculating the Port Cost Using the Long Method


802.1t assigns 32-bit (long) default port cost values to each port using a formula that is based on the
bandwidth of the port. You can also manually assign port costs between 1 and 200,000,000. The formula
for obtaining default 32-bit port costs is to divide the bandwidth of the port by 200,000,000. Table 8-2
shows the default port cost values that are assigned by the switch and the recommended cost values and
ranges for each type of port when you use the long method to calculate port cost.

Table 8-2 Default Port Cost Values Using the Long Method

Port Speed   Recommended Value   Recommended Range        Available Range
≤100 kbps    200000000           20000000 to 200000000    1 to 200000000
1 Mbps       20000000            2000000 to 200000000     1 to 200000000
10 Mbps      2000000             200000 to 20000000       1 to 200000000
100 Mbps     200000              20000 to 2000000         1 to 200000000
1 Gbps       20000               2000 to 200000           1 to 200000000
10 Gbps      2000                200 to 20000             1 to 200000000
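The two default cost methods above, as an added example that is not code from the Cisco guide: it reproduces Tables 8-1 and 8-2, range-checks a manually assigned cost, and sums a root path cost to show why every switch in a domain must use the same method. It assumes the 802.1t default is 20,000,000,000,000 divided by the port bandwidth in bits per second, which reproduces every value in Table 8-2.

```python
"""Added example, not code from the Cisco guide: default spanning tree port
costs under the short (IEEE 802.1D, 16-bit) and long (IEEE 802.1t, 32-bit)
methods, the ranges a manual cost must respect, and what happens to a path
cost when switches in one domain use different methods.

Assumption: the 802.1t default is 20,000,000,000,000 divided by the port
bandwidth in bits per second; that reproduces every value in Table 8-2.
"""

SHORT_MAX = 65_535                        # short method: 1..65535
LONG_MAX = 200_000_000                    # long method: 1..200,000,000
LONG_REFERENCE_BPS = 20_000_000_000_000   # 802.1t reference (assumption above)

# Table 8-1, short-method defaults keyed by port bandwidth in bits per second.
SHORT_DEFAULTS = {
    10_000_000: 100,        # 10 Mbps
    100_000_000: 19,        # 100 Mbps
    1_000_000_000: 4,       # 1 Gbps
}


def short_default_cost(bandwidth_bps):
    """Table 8-1 default, or None when the short table has no entry. The guide
    lists no 16-bit value for 10 Gbps, which is why it requires long mode
    for ports of 10 Gb and faster."""
    return SHORT_DEFAULTS.get(bandwidth_bps)


def long_default_cost(bandwidth_bps):
    """802.1t recommended 32-bit cost, clamped to the available range."""
    if bandwidth_bps <= 0:
        raise ValueError("bandwidth must be positive")
    cost = LONG_REFERENCE_BPS // bandwidth_bps
    return max(1, min(cost, LONG_MAX))


def long_recommended_range(bandwidth_bps):
    """Table 8-2 recommended range: a tenth to ten times the default,
    bounded by the available range."""
    default = long_default_cost(bandwidth_bps)
    return max(1, default // 10), min(LONG_MAX, default * 10)


def validate_manual_cost(cost, mode):
    """Range check for a value given to 'set spantree portcost' under the
    configured default cost mode ('short' or 'long')."""
    limit = {"short": SHORT_MAX, "long": LONG_MAX}[mode]
    return isinstance(cost, int) and 1 <= cost <= limit


def root_path_cost(hops):
    """Sum the port costs along a path to the root. Each hop is
    (bandwidth_bps, mode), mode being the default cost mode of the switch
    that owns the port. In a mixed domain the sum adds incomparable numbers:
    a short-mode 10 Mbps hop (100) looks cheaper than a long-mode 1 Gbps hop
    (20000), so the slower path can be chosen."""
    total = 0
    for bandwidth_bps, mode in hops:
        if mode == "short":
            cost = short_default_cost(bandwidth_bps)
            if cost is None:
                raise ValueError(f"no short-method default for {bandwidth_bps} bps")
        elif mode == "long":
            cost = long_default_cost(bandwidth_bps)
        else:
            raise ValueError(f"unknown cost mode {mode!r}")
        total += cost
    return total


if __name__ == "__main__":
    for bps in (100_000, 1_000_000, 10_000_000, 100_000_000, 1_000_000_000, 10_000_000_000):
        print(f"{bps:>14} bps  short={short_default_cost(bps)}  long={long_default_cost(bps)}"
              f"  recommended={long_recommended_range(bps)}")
    print("mixed domain, 10 Mbps via short-mode switch:", root_path_cost([(10_000_000, "short")]))
    print("mixed domain, 1 Gbps via long-mode switch:  ", root_path_cost([(1_000_000_000, "long")]))
```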

Calculating the Port Cost for Aggregate Links


As individual links are added to or removed from an aggregate link (port bundle), the bandwidth of the
aggregate link increases or decreases. These changes in bandwidth lead to recalculation of the default
port cost for the aggregated port. Changes to the default port cost, or changes resulting from links that
autonegotiate their bandwidth, could lead to recalculation of the spanning tree topology, which may not
be desirable, especially if the added or removed link is of little consequence to the bandwidth of the
aggregate link (for example, if a 10-Mbps link were removed from a 10-Gbps aggregate link). Because of
the limitations presented by automatically recalculating the topology, 802.1t states that changes in
bandwidth will not result in changes to the cost of the port concerned. The aggregated port will therefore
use the same port cost parameters as a stand-alone port.

Spanning Tree Port States


Topology changes can take place in a switched network due to a link coming up or a link going down
(failing). When a switch port transitions directly from nonparticipation in the topology to the forwarding
state, it can create temporary data loops. Ports must wait for new topology information to propagate
through the switches in the LAN before they can start forwarding frames. Also, they must allow the
frame lifetime to expire for frames that have been forwarded using the old topology.

Note With IOS Release 12.1(1)E or later releases on the Multilayer Switch Feature Card (MSFC), the
Address Resolution Protocol (ARP) on the STP Topology Change Notification feature ensures that
excessive flooding does not occur when the MSFC receives a topology change notification (TCN)
from the supervisor engine. The feature causes the MSFC to send ARP requests for all the ARP
entries belonging to the VLAN interface where the TCN is received. When the ARP replies come
back, the Policy Feature Card (PFC) learns the MAC entries, which were lost as a result of the
topology change. Learning the entries immediately following a topology change prevents excessive
flooding later. There is no configuration required on the MSFC. This feature works with supervisor
engine software release 5.4(2) or later releases.

At any given time, each port on a switch using a spanning tree protocol is in one of these states:
• Blocking
• Listening
• Learning
• Forwarding
• Disabled
A port moves through these states as follows:
• From initialization to blocking
• From blocking to listening or to disabled
• From listening to learning or to disabled
• From learning to forwarding or to disabled
• From forwarding to disabled
Figure 8-2 illustrates how a port moves through the states.

Figure 8-2 STP Port States

[Figure: boot-up initialization leads to the blocking state; from blocking a port moves to the listening
state, then the learning state, then the forwarding state; the disabled state is reachable from the blocking,
listening, learning, and forwarding states.]

You can modify each port state by using management software, for example, VLAN Trunking Protocol
(VTP). When you enable spanning tree, every switch in the network goes through the blocking state and
the transitory states of listening and learning at power up. If properly configured, each port stabilizes
into the forwarding or blocking state.
When the spanning tree algorithm places a port in the forwarding state, the following occurs:
• The port is put into the listening state while it waits for protocol information that suggests it should
go to the blocking state.
• The port waits for the expiration of a protocol timer that moves the port to the learning state.
• In the learning state, the port continues to block frame forwarding as it learns station location
information for the forwarding database.
• The expiration of a protocol timer moves the port to the forwarding state, where both learning and
forwarding are enabled.

Blocking State
A port in the blocking state does not participate in frame forwarding (see Figure 8-3). After
initialization, a BPDU is sent to each port in the switch. A switch initially assumes it is the root until it
exchanges BPDUs with other switches. This exchange establishes which switch in the network is really
the root. If only one switch resides in the network, no exchange occurs, the forward delay timer expires,
and the ports move to the listening state. A switch always enters the blocking state following switch
initialization.

Figure 8-3 Port 2 in Blocking State

[Figure: Port 1 is forwarding and Port 2 is blocking. Both attach to the filtering database, the system
module, and the frame forwarding function; the labelled flows are station addresses, BPDUs, data frames,
and network management frames.]

A port in the blocking state performs as follows:


• Discards frames received from the attached segment.
• Discards frames switched from another port for forwarding.
• Does not incorporate station location into its address database. (There is no learning on a blocking
port, so there is no address database update.)
• Receives BPDUs and directs them to the system module.
• Does not transmit BPDUs received from the system module.
• Receives and responds to network management messages.

Listening State
The listening state is the first transitional state a port enters after the blocking state. The port enters this
state when the spanning tree determines that the port should participate in frame forwarding. Learning
is disabled in the listening state. Figure 8-4 shows a port in the listening state.

Figure 8-4 Port 2 in Listening State

[Figure: Port 1 is forwarding and Port 2 is listening. Both attach to the filtering database, the system
module, and the frame forwarding function; the flows labelled for Port 2 are BPDU and network
management frames.]

A port in the listening state performs as follows:


• Discards frames received from the attached segment.
• Discards frames switched from another port for forwarding.
• Does not incorporate station location into its address database. (There is no learning at this point, so
there is no address database update.)
• Receives BPDUs and directs them to the system module.
• Processes BPDUs received from the system module.
• Receives and responds to network management messages.

Learning State
A port in the learning state prepares to participate in frame forwarding. The port enters the learning state
from the listening state. Figure 8-5 shows a port in the learning state.
A port in the learning state performs as follows:
• Discards frames received from the attached segment.
• Discards frames switched from another port for forwarding.
• Incorporates station location into its address database.
• Receives BPDUs and directs them to the system module.

• Receives, processes, and transmits BPDUs received from the system module.
• Receives and responds to network management messages.

Figure 8-5 Port 2 in Learning State

[Figure: Port 1 is forwarding and Port 2 is learning. Both attach to the filtering database, the system
module, and the frame forwarding function; the flows labelled for Port 2 are station addresses, BPDU
frames, and network management frames.]

Forwarding State
A port in the forwarding state forwards frames, as shown in Figure 8-6. The port enters the forwarding
state from the learning state.

Figure 8-6 Port 2 in Forwarding State

[Figure: Port 1 and Port 2 are both forwarding. Both attach to the filtering database, the system module,
and the frame forwarding function; the flows labelled for Port 2 are BPDUs, station addresses, network
management frames, and data frames.]

A port in the forwarding state performs as follows:


• Forwards frames received from the attached segment.
• Forwards frames switched from another port for forwarding.
• Incorporates station location information into its address database.
• Receives BPDUs and directs them to the system module.
• Processes BPDUs received from the system module.
• Receives and responds to network management messages.

Caution Use spanning tree PortFast mode only on ports directly connected to individual workstations to allow
these ports to come up and go directly to the forwarding state, instead of having to go through the
entire spanning tree initialization process. To prevent illegal topologies, enable spanning tree on ports
connected to switches or other devices that forward messages. For more information about PortFast,
see Chapter 9, “Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard.”

Disabled State
A port in the disabled state does not participate in frame forwarding or STP, as shown in Figure 8-7. A
port in the disabled state is virtually nonoperational.

Figure 8-7 Port 2 in Disabled State

[Figure: Port 1 is forwarding and Port 2 is disabled. Both attach to the filtering database, the system
module, and the frame forwarding function; the flows labelled for Port 2 are network management frames
and data frames.]

A disabled port performs as follows:


• Discards frames received from the attached segment.
• Discards frames switched from another port for forwarding.
• Does not incorporate station location into its address database. (There is no learning, so there is no
address database update.)
• Receives BPDUs but does not direct them to the system module.
• Does not receive BPDUs for transmission from the system module.
• Receives and responds to network management messages.
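The port state machine of Figure 8-2 and the per-state behaviour listed in the Blocking, Listening, Learning, Forwarding, and Disabled State sections, as an added example that is not code from the Cisco guide. It assumes that the protocol timer which moves a port from listening to learning, and again from learning to forwarding, is the forward delay (15 seconds by default), so a normal port spends two forward delays unable to forward after it is selected.

```python
"""Added example, not code from the Cisco guide: the port state machine of
Figure 8-2 with the per-state behaviour from the Blocking, Listening,
Learning, Forwarding, and Disabled State sections, plus the time a port
spends not forwarding while it walks to the forwarding state.

Assumption: the protocol timer that moves a port from listening to learning
and again from learning to forwarding is the forward delay (15 seconds by
default in Table 8-3), so the walk costs two forward delays.
"""

from enum import Enum


class PortState(Enum):
    INIT = "initialization"
    BLOCKING = "blocking"
    LISTENING = "listening"
    LEARNING = "learning"
    FORWARDING = "forwarding"
    DISABLED = "disabled"


# Legal moves, exactly the list under "A port moves through these states".
TRANSITIONS = {
    PortState.INIT: {PortState.BLOCKING},
    PortState.BLOCKING: {PortState.LISTENING, PortState.DISABLED},
    PortState.LISTENING: {PortState.LEARNING, PortState.DISABLED},
    PortState.LEARNING: {PortState.FORWARDING, PortState.DISABLED},
    PortState.FORWARDING: {PortState.DISABLED},
    PortState.DISABLED: set(),
}

# Per-state behaviour from the guide's bullet lists:
#   forwards - forwards frames (from the segment or switched from another port)
#   learns   - incorporates station locations into the address database
#   bpdu_in  - directs received BPDUs to the system module
#   bpdu_out - processes/transmits BPDUs received from the system module
BEHAVIOUR = {
    PortState.BLOCKING:   dict(forwards=False, learns=False, bpdu_in=True,  bpdu_out=False),
    PortState.LISTENING:  dict(forwards=False, learns=False, bpdu_in=True,  bpdu_out=True),
    PortState.LEARNING:   dict(forwards=False, learns=True,  bpdu_in=True,  bpdu_out=True),
    PortState.FORWARDING: dict(forwards=True,  learns=True,  bpdu_in=True,  bpdu_out=True),
    PortState.DISABLED:   dict(forwards=False, learns=False, bpdu_in=False, bpdu_out=False),
}


def is_legal(src, dst):
    """Whether Figure 8-2 allows a direct move from src to dst."""
    return dst in TRANSITIONS[src]


class Port:
    def __init__(self, forward_delay=15):
        self.state = PortState.INIT
        self.forward_delay = forward_delay
        self.seconds_blocked = 0      # time spent unable to forward data frames
        self.trace = []               # states visited, in order

    def move(self, new_state, seconds=0):
        """Apply one transition, rejecting any move Figure 8-2 does not allow."""
        if not is_legal(self.state, new_state):
            raise ValueError(f"illegal transition {self.state.value} -> {new_state.value}")
        self.seconds_blocked += seconds
        self.state = new_state
        self.trace.append(new_state)

    def can(self, action):
        """True if the current state performs the action (see BEHAVIOUR)."""
        return self.state is not PortState.INIT and BEHAVIOUR[self.state][action]


def bring_up(port, portfast=False):
    """Walk a port from initialization to forwarding and return the seconds it
    spent unable to forward. Every port enters blocking first; once the
    spanning tree selects it for forwarding it waits out two protocol timers.
    With PortFast (Caution in the Forwarding State section) the port goes
    straight to forwarding, which is why PortFast belongs only on ports that
    face a single workstation and never on ports toward other switches."""
    port.move(PortState.BLOCKING)
    if portfast:
        port.state = PortState.FORWARDING       # bypasses listening and learning
        port.trace.append(PortState.FORWARDING)
        return port.seconds_blocked
    port.move(PortState.LISTENING)                        # selected to participate
    port.move(PortState.LEARNING, port.forward_delay)     # listening timer expired
    port.move(PortState.FORWARDING, port.forward_delay)   # learning timer expired
    return port.seconds_blocked


if __name__ == "__main__":
    p = Port()
    print("normal port forwards after", bring_up(p), "s:", [s.value for s in p.trace])
    print("PortFast port forwards after", bring_up(Port(), portfast=True), "s")
```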

Understanding PVST+ and MISTP Modes


Catalyst 6000 family switches provide two proprietary spanning tree modes based on the IEEE 802.1D
standard and one mode that is a combination of the two modes:
• Per VLAN Spanning Tree (PVST+)
• Multi-Instance Spanning Tree Protocol (MISTP)
• MISTP-PVST+ (combination mode)

An overview of each mode is provided in this section. Each mode is described in detail in these sections:
• Using PVST+, page 8-15
• Using MISTP-PVST+ or MISTP, page 8-22

Caution If your network currently uses PVST+ and you plan to use MISTP on any switch, you must first
enable MISTP-PVST+ on the switch and configure an MISTP instance to avoid causing loops in the
network.

PVST+ Mode
PVST+ is the default spanning tree protocol used on all Ethernet, Fast Ethernet, and Gigabit Ethernet
port-based VLANs on Catalyst 6000 family switches. PVST+ runs on each VLAN on the switch,
ensuring that each VLAN has a loop-free path through the network.
PVST+ provides Layer 2 load balancing for the VLAN on which it runs; you can create different logical
topologies using the VLANs on your network to ensure that all the links are used and no link is
oversubscribed.
Each PVST+ instance on a VLAN has a single root switch. This root switch propagates the spanning tree
information associated with that VLAN to all other switches in the network. This process ensures that
the network topology is maintained because each switch has the same knowledge about the network.

MISTP Mode
MISTP is an optional spanning tree protocol that runs on Catalyst 6000 family switches. MISTP allows
you to group multiple VLANs under a single instance of spanning tree (an MISTP instance). MISTP
combines the Layer 2 load-balancing benefits of PVST+ with the lower CPU load of IEEE 802.1Q.
An MISTP instance is a virtual logical topology defined by a set of bridge and port parameters. When
you map VLANs to an MISTP instance, this virtual logical topology becomes a physical topology. Each
MISTP instance has its own root switch and a different set of forwarding links, that is, different bridge
and port parameters.
Each MISTP instance root switch propagates the information associated with it to all other switches in
the network. This process maintains the network topology because it ensures that each switch has the
same information about the network.
MISTP builds MISTP instances by exchanging MISTP BPDUs with peer entities in the network. MISTP
uses one BPDU for each MISTP instance, rather than one for each VLAN, as in PVST+. Because there
are fewer BPDUs in an MISTP network, MISTP networks converge faster with less overhead. MISTP
discards PVST+ BPDUs.
An MISTP instance can have any number of VLANs mapped to it, but a VLAN can be mapped only to
a single MISTP instance. You can easily move a VLAN (or VLANs) in an MISTP topology to another
MISTP instance if it has converged. (However, if ports are added at the same time the VLAN is moved,
convergence time is required.)

MISTP-PVST+ Mode
MISTP-PVST+ is a transition spanning tree mode that allows you to use the MISTP functionality on
Catalyst 6000 family switches while continuing to communicate with Catalyst 5000 and 6000 switches
in your network that use PVST+. A switch using PVST+ mode that is connected to a switch using MISTP
mode cannot see the BPDUs of the other switch, a condition that can cause loops in the network.
MISTP-PVST+ allows interoperability between PVST+ and pure MISTP because it sees the BPDUs of
both modes. To convert your network to MISTP, use MISTP-PVST+ to transition the network from
PVST+ to MISTP.
Because MISTP-PVST+ conforms to the limits of PVST+, you cannot configure more VLAN ports on
your MISTP-PVST+ switches than on your PVST+ switches.

Bridge Identifiers
These sections explain how MAC addresses are used in PVST+ and MISTP as unique bridge identifiers:
• MAC Address Allocation, page 8-13
• MAC Address Reduction, page 8-13

MAC Address Allocation


Catalyst 6000 family switches have a pool of 1024 MAC addresses that can be used as bridge identifiers
for VLANs running under PVST+ or for MISTP instances. You can use the show module command to
view the MAC address range.
MAC addresses are allocated sequentially, with the first MAC address in the range assigned to VLAN 1,
the second MAC address in the range assigned to VLAN 2, and so on. The last MAC address in the range
is assigned to the supervisor engine in-band (sc0) management interface.
For example, if the MAC address range is 00-e0-1e-9b-2e-00 to 00-e0-1e-9b-31-ff, the VLAN 1 bridge
ID is 00-e0-1e-9b-2e-00, the VLAN 2 bridge ID is 00-e0-1e-9b-2e-01, the VLAN 3 bridge ID is
00-e0-1e-9b-2e-02, and so forth. The in-band (sc0) interface MAC address is 00-e0-1e-9b-31-ff.

MAC Address Reduction


For Catalyst family switches that support 4096 VLANs, MAC address reduction allows up to
4096 VLANs running under PVST+ or 16 MISTP instances to have unique identifiers without increasing
the number of MAC addresses required on the switch. MAC address reduction reduces the number of
MAC addresses required by the STP from one per VLAN or MISTP instance to one per switch. However,
because VLANs running under PVST+ and MISTP instances running under MISTP-PVST+ or MISTP
are considered logical bridges, each bridge must have its own unique identifier in the network.
When you enable MAC address reduction, the bridge identifier stored in the spanning tree BPDU
contains an additional field called the system ID extension. Combined with the bridge priority, the system
ID extension functions as the unique identifier for a VLAN or an MISTP instance. The system ID
extension is always the number of the VLAN or the MISTP instance; for example, the system ID
extension for VLAN 100 is 100, and the system ID extension for MISTP instance 2 is 2.

Figure 8-8 shows the bridge identifier when you do not enable MAC address reduction. The bridge
identifier consists of the bridge priority and the MAC address.

Figure 8-8 Bridge Identifier without MAC Address Reduction

Bridge Priority (2 bytes) | MAC Address (6 bytes)

Figure 8-9 shows the bridge identifier when you enable MAC address reduction. The bridge identifier
consists of the bridge priority, the system ID extension, and the MAC address. The bridge priority and
the system ID extension combined are known as the bridge ID priority. The bridge ID priority is the
unique identifier for the VLAN or the MISTP instance.

Figure 8-9 Bridge Identifier with MAC Address Reduction Enabled

Bridge ID Priority: Bridge Priority (4 bits) | System ID Ext. (12 bits) || MAC Address (6 bytes)

When you enter a show spantree command, you can see the bridge ID priority for a VLAN in PVST+
or for an MISTP instance in MISTP or MISTP-PVST+ mode.
This example shows the bridge ID priority for VLAN 1 when you enable MAC address reduction in
PVST+ mode. The unique identifier for this VLAN is 32769.
Console> (enable) show spantree 1
VLAN 1
Spanning tree mode PVST+
Spanning tree type ieee
.
.
.
Bridge ID MAC ADDR 00-d0-00-4c-18-00
Bridge ID Priority 32769 (bridge priority: 32768, sys ID ext: 1)
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec

If you have a Catalyst switch in your network with MAC address reduction enabled, you should also
enable MAC address reduction on all other Layer-2 connected switches to avoid undesirable root
election and spanning tree topology issues.
When MAC address reduction is enabled, the root bridge priority becomes a multiple of 4096 plus the
VLAN ID. With MAC address reduction enabled, a switch bridge ID (used by the spanning-tree
algorithm to determine the identity of the root bridge, the lowest being preferred) can only be specified
as a multiple of 4096. Only the following values are possible: 0, 4096, 8192, 12288, 16384, 20480,
24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440.
Therefore, if another bridge in the same spanning-tree domain does not run the MAC address reduction
feature, it could claim and win root bridge ownership because of the finer granularity in the selection of
its bridge ID.

Note The MAC address reduction feature is enabled by default on Cisco switches that have 64 MAC addresses
(Cisco 7606, CISCO7603, WS-C6503, and WS-C6513).

Using PVST+
PVST+ is the default spanning tree mode for Catalyst 6000 family switches. These sections describe how
to configure PVST+ on Ethernet VLANs:
• Default PVST+ Configuration, page 8-15
• Setting the PVST+ Bridge ID Priority, page 8-16
• Configuring the PVST+ Port Cost, page 8-17
• Configuring the PVST+ Port Priority, page 8-18
• Configuring the PVST+ Default Port Cost Mode, page 8-18
• Configuring the PVST+ Port Cost for a VLAN, page 8-19
• Configuring the PVST+ Port Priority for a VLAN, page 8-20
• Disabling the PVST+ Mode on a VLAN, page 8-20

Default PVST+ Configuration


Table 8-3 shows the default PVST+ configuration.

Table 8-3 PVST+ Default Configuration

Feature                          Default Value
VLAN 1                           All ports assigned to VLAN 1
Enable state                     PVST+ enabled for all VLANs
MAC address reduction            Disabled
Bridge priority                  32768
Bridge ID priority               32769 (bridge priority plus system ID extension of VLAN 1)
Port priority                    32
Port cost                        • Gigabit Ethernet: 4
                                 • Fast Ethernet: 19 (1)
                                 • FDDI/CDDI: 10
                                 • Ethernet: 100 (2)
Default spantree port cost mode  Short (802.1D)
Port VLAN priority               Same as port priority but configurable on a per-VLAN basis in PVST+
Port VLAN cost                   Same as port cost but configurable on a per-VLAN basis in PVST+
Maximum aging time               20 seconds
Hello time                       2 seconds
Forward delay time               15 seconds

1. If 10/100 Mbps ports autonegotiate or are hard set to 100 Mbps, the port cost is 19.
2. If 10/100 Mbps ports autonegotiate or are hard set to 10 Mbps, the port cost is 100.

Setting the PVST+ Bridge ID Priority


The bridge ID priority is the priority of a VLAN when the switch is in PVST+ mode.
When the switch is in PVST+ mode without MAC address reduction enabled, you can enter a bridge
priority value between 0 and 65535. The bridge priority value you enter also becomes the VLAN bridge
ID priority for that VLAN.
When the switch is in PVST+ mode with MAC address reduction enabled, you can enter one of 16 bridge
priority values: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152,
53248, 57344, or 61440.
The bridge priority is combined with the system ID extension (that is, the ID of the VLAN) to create the
bridge ID priority for the VLAN.
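The bridge identifier of Figures 8-8 and 8-9, the priority values accepted with and without MAC address reduction as described above, the VLAN bridge MAC taken from the address pool, and the root election caveat from the Bridge Identifiers section, as an added example that is not code from the Cisco guide. It assumes the root is the numerically lowest 8-byte bridge identifier (2-byte priority field followed by the 6-byte MAC); the pool base and sample MAC addresses are the ones quoted in the guide.

```python
"""Added example, not code from the Cisco guide: the bridge identifier of
Figures 8-8 and 8-9, the priority values set spantree priority accepts with
and without MAC address reduction, the VLAN bridge MAC taken from the
switch's address pool, and the root election caveat from the Bridge
Identifiers section.

Assumptions: the root is the numerically lowest 8-byte bridge identifier
(2-byte priority field followed by the 6-byte MAC); the pool base and sample
MAC addresses below are the ones quoted in the guide.
"""

PRIORITY_STEP = 4096                    # 4-bit bridge priority: multiples of 4096
SYS_ID_EXT_MASK = (1 << 12) - 1         # 12-bit system ID extension (VLAN / instance)
ALLOWED_REDUCED_PRIORITIES = [n * PRIORITY_STEP for n in range(16)]   # 0 .. 61440


def parse_mac(text):
    """'00-e0-1e-9b-2e-00' -> integer."""
    return int(text.replace("-", "").replace(":", ""), 16)


def format_mac(value):
    return "-".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def vlan_bridge_mac(pool_base, vlan):
    """MAC address allocation: first pool address to VLAN 1, second to VLAN 2."""
    if vlan < 1:
        raise ValueError("VLAN numbers start at 1")
    return parse_mac(pool_base) + (vlan - 1)


def bridge_id_priority(bridge_priority, sys_id_ext, mac_reduction):
    """The 2-byte priority field of the bridge identifier.

    Without MAC address reduction it is the configured bridge priority
    (0..65535). With it, the bridge priority fills the top 4 bits (so it must
    be a multiple of 4096) and the VLAN or MISTP instance number fills the
    low 12 bits: VLAN 1 at 32768 yields 32769, as show spantree reports."""
    if not mac_reduction:
        if not 0 <= bridge_priority <= 0xFFFF:
            raise ValueError("bridge priority must be 0..65535")
        return bridge_priority
    if bridge_priority not in ALLOWED_REDUCED_PRIORITIES:
        raise ValueError("with MAC address reduction the priority must be one of "
                         + ", ".join(map(str, ALLOWED_REDUCED_PRIORITIES)))
    if not 1 <= sys_id_ext <= SYS_ID_EXT_MASK:
        raise ValueError("system ID extension must be 1..4095")
    return bridge_priority | sys_id_ext


def decode_bridge_id_priority(value):
    """Split a reduced priority field into (bridge priority, system ID extension)."""
    return value & ~SYS_ID_EXT_MASK, value & SYS_ID_EXT_MASK


def bridge_identifier(priority_field, mac):
    """8-byte bridge identifier: priority field in the top 16 bits, MAC below."""
    return (priority_field << 48) | mac


def elect_root(candidates):
    """candidates: {switch name: (priority field, MAC as int)}; lowest ID wins."""
    return min(candidates, key=lambda name: bridge_identifier(*candidates[name]))


def mixed_reduction_election(vlan=1):
    """Both switches keep the default bridge priority 32768 on the VLAN. The one
    with MAC address reduction advertises 32768 + VLAN, the legacy one plain
    32768, so the legacy switch wins on priority even though its MAC address
    is higher. This is the undesirable root election the guide warns about
    when the feature is not enabled on every Layer 2 connected switch."""
    reduced = bridge_id_priority(32768, vlan, mac_reduction=True)
    legacy = bridge_id_priority(32768, 0, mac_reduction=False)
    candidates = {
        "reduced": (reduced, parse_mac("00-d0-00-4c-18-00")),
        "legacy": (legacy, vlan_bridge_mac("00-e0-1e-9b-2e-00", vlan)),
    }
    return elect_root(candidates)


if __name__ == "__main__":
    print("VLAN 1 with reduction:", bridge_id_priority(32768, 1, True))
    print("VLAN 3 bridge MAC:", format_mac(vlan_bridge_mac("00-e0-1e-9b-2e-00", 3)))
    print("root in mixed domain:", mixed_reduction_election())
```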
To set the spanning tree bridge priority for a VLAN, perform this task in privileged mode:

Task                                                  Command
Step 1  Set the PVST+ bridge ID priority for a VLAN.  set spantree priority bridge_ID_priority [vlan]
Step 2  Verify the bridge ID priority.                show spantree [vlan] [active]

This example shows how to set the PVST+ bridge ID priority when MAC address reduction is not
enabled (default):
Console> (enable) set spantree priority 30000 1
Spantree 1 bridge priority set to 30000.
Console> (enable) show spantree 1
VLAN 1
Spanning tree mode PVST+
Spanning tree type ieee
Spanning tree enabled

Designated Root 00-60-70-4c-70-00
Designated Root Priority 16384
Designated Root Cost 19
Designated Root Port 2/3
Root Max Age 14 sec Hello Time 2 sec Forward Delay 10 sec

Bridge ID MAC ADDR 00-d0-00-4c-18-00
Bridge ID Priority 30000
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec

Port Vlan Port-State Cost Prio Portfast Channel_id
------------------------ ---- ------------- --------- ---- -------- ----------
1/1 1 not-connected 4 32 disabled 0
1/2 1 not-connected 4 32 disabled 0
2/1 1 not-connected 100 32 disabled 0
2/2 1 not-connected 100 32 disabled 0

This example shows how to set the PVST+ bridge ID priority when MAC reduction is enabled:
Console> (enable) set spantree priority 32768 1
Spantree 1 bridge ID priority set to 32769
(bridge priority: 32768 + sys ID extension: 1)
Console> (enable) show spantree 1/1 1
VLAN 1
Spanning tree mode PVST+
Spanning tree type ieee
Spanning tree enabled

Designated Root 00-60-70-4c-70-00
Designated Root Priority 16384
Designated Root Cost 19
Designated Root Port 2/3
Root Max Age 14 sec Hello Time 2 sec Forward Delay 10 sec

Bridge ID MAC ADDR 00-d0-00-4c-18-00
Bridge ID Priority 32769 (bridge priority: 32768, sys ID ext: 1)
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec

Port Vlan Port-State Cost Prio Portfast Channel_id
------------------------ ---- ------------- --------- ---- -------- ----------
1/1 1 not-connected 4 32 disabled 0
1/2 1 not-connected 4 32 disabled 0
2/1 1 not-connected 100 32 disabled 0
2/2 1 not-connected 100 32 disabled 0

Configuring the PVST+ Port Cost


You can configure the port cost of switch ports. The ports with lower port costs are more likely to be
chosen to forward frames. Assign lower numbers to ports that are attached to faster media (such as full
duplex) and higher numbers to ports that are attached to slower media. The possible cost is from 1 to
65535 when using the short method for calculating port cost and from 1 to 200000000 when using the
long method. The default cost differs for different media. For information about calculating port cost,
see the “Calculating and Assigning Port Costs” section on page 8-4.
To configure the PVST+ port cost for a port, perform this task in privileged mode:

Task                                                      Command
Step 1  Configure the PVST+ port cost for a switch port.  set spantree portcost {mod/port} cost
Step 2  Verify the port cost setting.                     show spantree mod/port

Note When you enter the set channel cost command, it does not appear in the configuration file.
The command causes a “set spantree portcost” entry to be created for each port in the
channel. See the “Setting the EtherChannel Port Path Cost” section in Chapter 6,
“Configuring EtherChannel,” for information on using the set channel cost command.

This example shows how to configure the PVST+ port cost on a port and verify the configuration:
Console> (enable) set spantree portcost 2/3 12
Spantree port 2/3 path cost set to 12.
Console> (enable) show spantree 2/3
VLAN 1
.
.
.
Port Vlan Port-State Cost Prio Portfast Channel_id
------------------------ ---- ------------- --------- ---- -------- ----------
1/1 1 not-connected 4 32 disabled 0
1/2 1 not-connected 4 32 disabled 0
2/1 1 not-connected 100 32 disabled 0
2/2 1 not-connected 100 32 disabled 0
2/3 1 forwarding 12 32 disabled 0

2/4 1 not-connected 100 32 disabled

Configuring the PVST+ Port Priority


You can configure the port priority of switch ports in PVST+ mode. The port with the lowest priority
value forwards frames for all VLANs. The possible port priority value is 0–63. The default is 32. If all
ports have the same priority value, the port with the lowest port number forwards frames.
To configure the PVST+ port priority for a port, perform this task in privileged mode:

Task                                                          Command
Step 1  Configure the PVST+ port priority for a switch port.  set spantree portpri mod/port priority
Step 2  Verify the port priority setting.                     show spantree mod/port

This example shows how to configure the PVST+ port priority for a port:
Console> (enable) set spantree portpri 2/3 16
Bridge port 2/3 port priority set to 16.
Console> (enable) show spantree 2/3
VLAN 1
.
.
.
Port Vlan Port-State Cost Prio Portfast Channel_id
------------------------ ---- ------------- --------- ---- -------- ----------
1/1 1 not-connected 4 32 disabled 0
1/2 1 not-connected 4 32 disabled 0
2/1 1 not-connected 100 32 disabled 0
2/2 1 not-connected 100 32 disabled 0
2/3 1 forwarding 19 16 disabled 0
2/4 1 not-connected 100 32 disabled 0

Configuring the PVST+ Default Port Cost Mode


If any switch in your network is using a port speed of 10 Gb or over and the network is using PVST+
spanning tree mode, all switches in the network must have the same path cost defaults. You can enter the
set spantree defaultcostmode command to force all VLANs associated with all the ports to have the
same port cost default set.
Two default port cost modes are available—short and long.
• The short mode has these parameters:
– Portcost
– Portvlancost (trunk ports only)
– When uplinkfast is enabled, the actual cost is incremented by 3000
• The long mode has these parameters:
– Portcost
– Portvlancost (trunk ports only)
– When uplinkfast is enabled, the actual cost is incremented by 10,000,000

– EtherChannel computes the cost of a bundle using the formula AVERAGE_COST/NUM_PORT
The default port cost mode is set to short in PVST+ mode. For port speeds of 10 Gb and greater, the
default port cost mode must be set to long.
To configure the PVST+ default port cost mode, perform this task in privileged mode:

Task Command
Configure the PVST+ default port cost mode. set spantree defaultcostmode {short | long}

This example shows how to configure the PVST+ default port cost mode:
Console> (enable) set spantree defaultcostmode long
Portcost and portvlancost set to use long format default values.
Console> (enable)

Configuring the PVST+ Port Cost for a VLAN


You can configure the port cost of switch ports. The ports with lower port costs are more likely to be
chosen to forward frames. Assign lower numbers to ports that are attached to faster media (such as full
duplex) and higher numbers to ports that are attached to slower media. The possible cost is from 1 to
65535 when using the short method for calculating port cost and from 1 to 200000000 when using the
long method. The default cost differs for different media. For information about calculating port cost,
see the “Calculating and Assigning Port Costs” section on page 8-4.
To configure the PVST+ port VLAN cost for a port, perform this task in privileged mode:

Task                                                 Command
Configure the PVST+ port cost for a VLAN on a port.  set spantree portvlancost {mod/port} [cost cost] [vlan_list]

Note When you use the set channel cost command, it does not appear in the configuration file. The
command causes a “set spantree portcost” entry to be created for each port in the channel. See the
“Setting the EtherChannel Port Path Cost” section in Chapter 6, “Configuring EtherChannel,” for
information on using the set channel cost command.

This example shows how to configure the PVST+ port VLAN cost on port 2/3 for VLANs 1 through 5:
Console> (enable) set spantree portvlancost 2/3 cost 20000 1-5
Port 2/3 VLANs 6-11,13-1005,1025-4094 have path cost 12.
Port 2/3 VLANs 1-5,12 have path cost 20000.
This parameter applies to trunking ports only.
Console> (enable)


Configuring the PVST+ Port Priority for a VLAN


When the switch is in PVST+ mode, you can set the port priority for a trunking port in a VLAN. The
port with the lowest priority value for a specific VLAN forwards frames for that VLAN. The possible
port priority range is 0–63. The default is 32. If all ports have the same priority value for a particular
VLAN, the port with the lowest port number forwards frames for that VLAN.
The port VLAN priority value must be lower than the port priority value.
To configure the port VLAN priority for a port, perform this task in privileged mode:

Task                                                            Command
Step 1  Configure the PVST+ port priority for a VLAN on a port.  set spantree portvlanpri mod/port priority [vlans]
Step 2  Verify the port VLAN priority.                           show config all

This example shows how to configure the port priority for VLAN 6 on port 2/3:
Console> (enable) set spantree portvlanpri 2/3 16 6
Port 2/3 vlans 6 using portpri 16.
Port 2/3 vlans 1-5,7-800,802-1004,1006-4094 using portpri 32.
Port 2/3 vlans 801,1005 using portpri 4.
This parameter applies to trunking ports only.
Console> (enable) show config all
.
.
.
set spantree portcost 2/12,2/15 19
set spantree portcost 2/1-2,2/4-11,2/13-14,2/16-48 100
set spantree portcost 2/3 12
set spantree portpri 2/1-48 32
set spantree portvlanpri 2/1 0
set spantree portvlanpri 2/2 0
.
.
.
set spantree portvlanpri 2/48 0
set spantree portvlancost 2/1 cost 99
set spantree portvlancost 2/2 cost 99
set spantree portvlancost 2/3 cost 20000 1-5,12

Disabling the PVST+ Mode on a VLAN


When the switch is in PVST+ mode, you can disable spanning-tree on individual VLANs or all VLANs.
When you disable spanning tree on a VLAN, the switch does not participate in spanning-tree and any
BPDUs received in that VLAN are flooded on all ports.

Caution We do not recommend disabling spanning tree, even in a topology that is free of physical loops.
Spanning tree serves as a safeguard against misconfigurations and cabling errors. Do not disable
spanning tree in a VLAN without ensuring that there are no physical loops present in the VLAN.


Caution Do not disable spanning tree on a VLAN unless all switches or routers in the VLAN have spanning
tree disabled. You cannot disable spanning tree on some switches or routers in a VLAN and leave
spanning tree enabled on other switches or routers in the VLAN. If spanning tree remains enabled on
the switches and routers, they will have incomplete information about the physical topology of the
network which may cause unexpected results.


To disable PVST+, perform this task in privileged mode:

Task Command
Disable PVST+ mode on a VLAN. set spantree disable vlans [all]

This example shows how to disable PVST+ on a VLAN:


Console> (enable) set spantree disable 4
Spantree 4 disabled.
Console> (enable)

Using MISTP-PVST+ or MISTP


The default spanning tree mode on the Catalyst 6000 family switches is PVST+. If you want to use
MISTP mode in your network, we recommend you carefully follow the procedures described in the
following sections in order to avoid losing connectivity in your network.
When you change the spanning tree mode, the current mode stops, the information collected at runtime is used
to build the port database for the new mode, and the new spanning tree mode restarts the computation of the
active topology. Information about the port states is lost; however, all of the configuration parameters are
preserved for the previous mode. If you return to the previous mode, the configuration is still there.

Note We recommend that if you use MISTP mode, you should configure all of your Catalyst 6000 family
switches to run MISTP.

To use MISTP mode, you first enable an MISTP instance, then map at least one VLAN to the instance.
You must have at least one forwarding port in the VLAN in order for the MISTP instance to be active.

Note Map VLANs to MISTP instances on Catalyst 6000 family switches that are either in VTP server
mode or transparent mode only. You cannot map VLANs to MISTP instances on switches that are in
VTP client mode.

If you are changing a switch from PVST+ mode to MISTP mode and you have other switches in the
network that are using PVST+, you must first enable MISTP-PVST+ mode on each switch on which you
intend to use MISTP so that PVST+ BPDUs can flow through the switches while you configure them.
When all switches in the network are configured in MISTP-PVST+, you can then enable MISTP on all
of the switches.
These sections describe how to use MISTP-PVST+ or MISTP:
• Default MISTP and MISTP-PVST+ Configuration, page 8-23
• Setting MISTP-PVST+ Mode or MISTP Mode, page 8-23
• Configuring an MISTP Instance, page 8-25
• Mapping VLANs to an MISTP Instance, page 8-29
• Disabling MISTP-PVST+ or MISTP, page 8-31


Default MISTP and MISTP-PVST+ Configuration


Table 8-4 shows the default MISTP and MISTP-PVST+ configuration.

Table 8-4 MISTP and MISTP-PVST+ Default Configuration

Feature                  Default Value
Enable state             Disabled until a VLAN is mapped to an MISTP instance
MAC address reduction    Disabled
Bridge priority          32768
Bridge ID priority       32769 (bridge priority plus the system ID extension of MISTP instance 1)
Port priority            32 (global)
Port cost                Gigabit Ethernet: 4; Fast Ethernet: 19 (1); FDDI/CDDI: 10; Ethernet: 100 (2)
Default port cost mode   Short (802.1D)
Port VLAN priority       Same as port priority but configurable on a per-VLAN basis in PVST+
Port VLAN cost           Same as port cost but configurable on a per-VLAN basis in PVST+
Maximum aging time       20 seconds
Hello time               2 seconds
Forward delay time       15 seconds

1. If 10/100 Mbps ports autonegotiate or are hard set to 100 Mbps, the port cost is 19.
2. If 10/100 Mbps ports autonegotiate or are hard set to 10 Mbps, the port cost is 100.

Setting MISTP-PVST+ Mode or MISTP Mode


If you enable MISTP in a PVST+ network, you must be careful to avoid bringing down the network. This
section explains how to enable MISTP or MISTP-PVST+ on your network.

Caution If you have more than 6000 VLAN ports configured on your switch, changing from MISTP to either
PVST+ or MISTP-PVST+ mode could bring down your network. Reduce the number of configured
VLAN ports on your switch to no more than 6000 to avoid losing connectivity.

Caution If you are working from a Telnet connection to your switch, the first time you enable MISTP-PVST+
or MISTP mode, you must do so from the switch console; do not use a Telnet connection through the
data port or you will lose your connection to the switch. After you map a VLAN to an MISTP
instance, you can Telnet to the switch.


To change from PVST+ to MISTP-PVST+ or MISTP, perform this task in privileged mode:

Task Command
Set a spanning tree mode. set spantree mode {mistp | pvst+ | mistp-pvst+}

This example shows how to set a switch to MISTP-PVST+ mode:


Console> (enable) set spantree mode mistp-pvst+
PVST+ database cleaned up.
Spantree mode set to MISTP-PVST+.
Warning!! There are no VLANs mapped to any MISTP instance.
Console> (enable)

You can display VLAN-to-MISTP instance mapping information propagated from the root switch at
runtime. This display is available only in the MISTP or MISTP-PVST+ mode. When in the PVST+
mode, use the optional keyword config to display the list of mappings configured on the local switch.

Note MAC addresses are not displayed when you specify the keyword config.

To display spanning tree mapping, perform this task in privileged mode:

Task                                          Command
Step 1  Set the spanning tree mode to MISTP.  set spantree mode mistp
Step 2  Show the spanning tree mapping.       show spantree mapping [config]

This example shows how to display the spanning tree VLAN instance mapping in MISTP mode:
Console> (enable) set spantree mode mistp
PVST+ database cleaned up.
Spantree mode set to MISTP.
Console> (enable) show spantree mapping
Inst Root Mac Vlans
---- ----------------- --------------------------
1 00-50-3e-78-70-00 1
2 00-50-3e-78-70-00 -
3 00-50-3e-78-70-00 -
4 00-50-3e-78-70-00 -
5 00-50-3e-78-70-00 -
6 00-50-3e-78-70-00 -
7 00-50-3e-78-70-00 -
8 00-50-3e-78-70-00 -
9 00-50-3e-78-70-00 -
10 00-50-3e-78-70-00 -
11 00-50-3e-78-70-00 -
12 00-50-3e-78-70-00 -
13 00-50-3e-78-70-00 -
14 00-50-3e-78-70-00 -
15 00-50-3e-78-70-00 -
16 00-50-3e-78-70-00 -


Configuring an MISTP Instance


These sections describe how to configure MISTP instances:
• Configuring the MISTP Bridge ID Priority, page 8-25
• Configuring the MISTP Port Cost, page 8-26
• Configuring the MISTP Port Priority, page 8-26
• Configuring the MISTP Port Instance Cost, page 8-27
• Configuring the MISTP Port Instance Priority, page 8-27

Configuring the MISTP Bridge ID Priority


You can set the bridge ID priority for an MISTP instance when the switch is in MISTP or MISTP-PVST+
mode.
The bridge priority value is combined with the system ID extension (the ID of the MISTP instance) to
create the bridge ID priority. You can set 16 possible bridge priority values: 0, 4096, 8192, 12288, 16384,
20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440.
To configure the bridge ID priority for an MISTP instance, perform this task in privileged mode:

Task                                                             Command
Step 1  Configure the bridge ID priority for an MISTP instance.  set spantree priority bridge_ID_priority [mistp-instance instance]
Step 2  Verify the bridge ID priority.                           show spantree mistp-instance instance [mod/port] active

This example shows how to configure the bridge ID priority for an MISTP instance:
Console> (enable) set spantree priority 8192 mistp-instance 1
Spantree 1 bridge ID priority set to 8193
(bridge priority: 8192 + sys ID extension: 1)
Console> (enable) show spantree mistp-instance 1
VLAN 1
Spanning tree mode MISTP
Spanning tree type ieee
Spanning tree enabled
VLAN mapped to MISTP Instance: 1

Bridge ID MAC ADDR 00-d0-00-4c-18-00
Bridge ID Priority 8193 (bridge priority: 8192, sys ID ext: 1)
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec

Port Vlan Port-State Cost Prio Portfast Channel_id
------------------------ ---- ------------- --------- ---- -------- ----------
1/1 1 not-connected 20000 32 disabled 0
1/2 1 not-connected 20000 32 disabled 0
2/1 1 not-connected 2000000 32 disabled 0
2/2 1 not-connected 2000000 32 disabled 0
2/3 1 forwarding 200000 32 disabled 0


Configuring the MISTP Port Cost


You can configure the port cost of switch ports. The ports with lower port costs are more likely to be
chosen to forward frames. Assign lower numbers to ports that are attached to faster media (such as full
duplex) and higher numbers to ports that are attached to slower media. The possible cost is from 1 to
65535 when using the short method for calculating port cost and from 1 to 200000000 when using the
long method. The default cost differs for different media. For information about calculating port cost,
see the “Calculating and Assigning Port Costs” section on page 8-4.
To configure the port cost for a port, perform this task in privileged mode:

Task                                                      Command
Step 1  Configure the MISTP port cost for a switch port.  set spantree portcost mod/port cost
Step 2  Verify the port cost setting.                     show spantree mistp-instance instance [mod/port] active

This example shows how to configure the port cost on a MISTP instance and verify the configuration:
Console> (enable) set spantree portcost 2/12 22222222
Spantree port 2/12 path cost set to 22222222.
Console> (enable) show spantree mistp-instance active
Instance 1
Spanning tree mode MISTP-PVST+
Spanning tree type ieee
Spanning tree instance enabled

Designated Root 00-d0-00-4c-18-00
Designated Root Priority 32769 (root priority: 32768, sys ID ext: 1)
Designated Root Cost 0
Designated Root Port none
VLANs mapped: 6
Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec

Bridge ID MAC ADDR 00-d0-00-4c-18-00
Bridge ID Priority 32769 (bridge priority: 32768, sys ID ext: 1)
VLANs mapped: 6
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec

Port Inst Port-State Cost Prio Portfast Channel_id
------------------------ ---- ------------- --------- ---- -------- ----------
2/12 1 forwarding 22222222 40 disabled 0
Console> (enable)

Configuring the MISTP Port Priority


You can configure the port priority of ports. The port with the lowest priority value forwards frames for
all VLANs. The possible port priority value is 0–63; the default is 32. If all ports have the same priority
value, the port with the lowest port number forwards frames.
To configure the port priority for a port, perform this task in privileged mode:

Task                                                Command
Step 1  Configure the MISTP port priority for a port.  set spantree portpri mod/port priority [instance]
Step 2  Verify the port priority setting.              show spantree mistp-instance instance [mod/port] active


This example shows how to configure the port priority and verify the configuration:
Console> (enable) set spantree portpri 2/12 40
Bridge port 2/12 port priority set to 40.
Console> (enable) show spantree mistp-instance 1
Instance 1
Spanning tree mode MISTP-PVST+
Spanning tree type ieee
Spanning tree instance enabled

Designated Root 00-d0-00-4c-18-00
Designated Root Priority 32769 (root priority: 32768, sys ID ext: 1)
Designated Root Cost 0
Designated Root Port none
VLANs mapped: 6
Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec

Bridge ID MAC ADDR 00-d0-00-4c-18-00
Bridge ID Priority 32769 (bridge priority: 32768, sys ID ext: 1)
VLANs mapped: 6
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec

Port Inst Port-State Cost Prio Portfast Channel_id
------------------------ ---- ------------- --------- ---- -------- ----------
2/12 1 forwarding 22222222 40 disabled 0
Console> (enable)

Configuring the MISTP Port Instance Cost


You can configure the port instance cost for an instance of MISTP or MISTP-PVST+. Ports with a lower
instance cost are more likely to be chosen to forward frames. You should assign lower numbers to ports
attached to faster media (such as full duplex) and higher numbers to ports attached to slower media. The
default cost differs for different media. The possible value for port instance cost is 1–268435456.
To configure the port instance cost for a port, perform this task in privileged mode:

Task                                               Command
Configure the MISTP port instance cost on a port.  set spantree portinstancecost {mod/port} [cost cost] [instances]

This example shows how to configure the MISTP port instance cost on a port:
Console> (enable) set spantree portinstancecost 2/12 cost 110110 2
Port 2/12 instances 1,3-16 have path cost 22222222.
Port 2/12 instances 2 have path cost 110110.
Console> (enable)

Configuring the MISTP Port Instance Priority


You can set the port priority for an instance of MISTP. The port with the lowest priority value for a
specific MISTP instance forwards frames for that instance. The possible port instance range is 0–63. If
all ports have the same priority value for an MISTP instance, the port with the lowest port number
forwards frames for that instance.


To configure the port instance priority on an MISTP instance, perform this task in privileged mode:

Task                                                       Command
Configure the port instance priority on an MISTP instance.  set spantree portinstancepri {mod/port} priority [instances]

This example shows how to configure the port instance priority on an MISTP instance and verify the
configuration:
Console> (enable) set spantree portinstancepri 2/12 10 2
Port 2/12 instances 2 using portpri 10.
Port 2/12 mistp-instance 1,3-16 using portpri 40.
Console> (enable)

Enabling an MISTP Instance


You can enable up to 16 MISTP instances. Each MISTP instance defines a unique spanning tree
topology. MISTP instance 1, the default instance, is enabled by default; however, you must map a VLAN
to it in order for it to be active. You can enable a single MISTP instance, a range of instances, or all
instances at once using the all keyword.

Note The software does not display the status of an MISTP instance until it has a VLAN with an active
port mapped to it.

To enable an MISTP instance, perform this task in privileged mode.

Task                                    Command
Step 1  Enable an MISTP instance.       set spantree enable mistp-instance instance [all]
Step 2  Verify the instance is enabled.  show spantree mistp-instance [instance] [active] mod/port

Note Enter the active keyword to display active ports only.

This example shows how to enable an MISTP instance:


Console> (enable) set spantree enable mistp-instance 2
Spantree 2 enabled.

Console> (enable) show spantree mistp-instance 2


Instance 2
Spanning tree mode MISTP
Spanning tree type ieee
Spanning tree instance enabled
.
.
.


Mapping VLANs to an MISTP Instance


When you are using MISTP-PVST+ or MISTP on a switch, you must map at least one VLAN to an
MISTP instance in order for MISTP-PVST+ or MISTP to be active. These sections describe how to
resolve mapping conflicts and how to unmap VLANs:
• Determining MISTP Instances—VLAN Mapping Conflicts, page 8-30
• Unmapping VLANs from an MISTP Instance, page 8-30

Note See Chapter 11, “Configuring VLANs” for details on using and configuring VLANs.

• You can only map Ethernet VLANs to MISTP instances.
• At least one VLAN in the instance must have an active port in order for MISTP-PVST+ or MISTP
to be active.
• You can map as many Ethernet VLANs as you wish to an MISTP instance.
• You cannot map a VLAN to more than one MISTP instance.

Note To use VLANs 1025–4094, you must enable MAC address reduction. See the “Creating
Extended-Range VLANs” section on page 11-7 in Chapter 11, “Configuring VLANs” for details on
using extended-range VLANs.

To map a VLAN to an MISTP instance, perform this task in privileged mode:

Task                                   Command
Step 1  Map a VLAN to an MISTP instance.  set vlan vlan mistp-instance instance
Step 2  Verify the VLAN is mapped.        show spantree mistp-instance [instance] [active] mod/port

This example shows how to map a VLAN to MISTP instance 1 and verify the mapping:
Console> (enable) set vlan 6 mistp-instance 1
Vlan 6 configuration successful
Console> (enable) show spantree mistp-instance 1
Instance 1
Spanning tree mode MISTP-PVST+
Spanning tree type ieee
Spanning tree instance enabled

Designated Root 00-d0-00-4c-18-00
Designated Root Priority 49153 (root priority: 49152, sys ID ext: 1)
Designated Root Cost 0
Designated Root Port none
VLANs mapped: 6
Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec

Bridge ID MAC ADDR 00-d0-00-4c-18-00
Bridge ID Priority 49153 (bridge priority: 49152, sys ID ext: 1)
VLANs mapped: 6
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec

Port Inst Port-State Cost Prio Portfast Channel_id
------------------------ ---- ------------- --------- ---- -------- ----------
2/12 1 forwarding 22222222 40 disabled 0

Determining MISTP Instances—VLAN Mapping Conflicts


A VLAN can only be mapped to one MISTP instance. If you attempt to map a VLAN to more than one
instance, all of its ports are set to blocking mode. You can use the show spantree conflicts command to
determine to which MISTP instances you have attempted to map the VLAN.
This command prints a list of the MISTP instances associated with the VLAN, the MAC addresses of
the root switches that are sending the BPDUs containing the VLAN mapping information, and the timers
associated with the mapping of a VLAN to an MISTP instance. When only one entry is printed or when
all the entries are associated to the same instance, the VLAN is mapped to that instance. If two or more
entries in the list are associated with different MISTP instances, the VLAN is in conflict.
To clear up the conflict, you must manually remove the incorrect mapping(s) from the root switch. The
remaining entry on the list becomes the official mapping.
To determine VLAN mapping conflicts, perform this task in privileged mode:

Task Command
Determine VLAN mapping conflicts. show spantree conflicts vlan

This example shows there is an attempt to map VLAN 2 to MISTP instance 1 and to MISTP instance 3
on two different switches as seen from a third switch in the topology:
Console> (enable) show spantree conflicts 2
Inst MAC Delay Time left
---- ----------------- --------- ---------
1 00-30-a3-4a-0c-00 inactive 20
3 00-30-f1-e5-00-01 inactive 10

The Delay timer shows the time in seconds remaining before the VLAN joins the instance. The field
displays inactive if the VLAN is already mapped to an instance (the timer has expired), or if the VLAN
is in conflict between instances.
The Time Left timer shows the time in seconds left before the entry expires and is removed from the
table. The timer is restarted every time an incoming BPDU confirms the mapping. Entries pertaining to
the root switch show inactive on the root switch itself.
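The mapping rules of the "Mapping VLANs to an MISTP Instance" section and the conflict table just described fit in one small model. The Python below is an added example, not CatOS code and not from this guide: it enforces the restrictions the guide states for set vlan mistp-instance (instances 1 to 16, Ethernet VLANs only, no mapping on a VTP client, MAC address reduction required for VLANs 1025 to 4094, none to unmap) and classifies a parsed show spantree conflicts table as mapped or in conflict. The Switch class, its fields and the sample table text are constructions of the example; the sample reuses the instance numbers and MAC addresses from the output above.

```python
"""Added example: a model of MISTP VLAN-to-instance mapping and conflict detection (not CatOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Union

MAX_INSTANCES = 16            # MISTP instances 1-16
EXTENDED_VLAN_MIN = 1025      # VLANs 1025-4094 need MAC address reduction
VLAN_MAX = 4094


class MistpMappingError(ValueError):
    """Raised when a mapping the guide says is not allowed is attempted."""


@dataclass
class Switch:
    """Constructed stand-in for one switch's MISTP-relevant state (example only)."""
    vtp_mode: str = "server"                                  # server | transparent | client
    mac_reduction: bool = False
    ethernet_vlans: Set[int] = field(default_factory=set)
    mapping: Dict[int, int] = field(default_factory=dict)     # vlan -> instance
    active_ports: Dict[int, int] = field(default_factory=dict)  # vlan -> active port count

    def set_vlan_instance(self, vlan: int, instance: Union[int, str]) -> None:
        """Model of 'set vlan <vlan> mistp-instance <instance|none>'."""
        if self.vtp_mode == "client":
            raise MistpMappingError("VLANs cannot be mapped on a switch in VTP client mode")
        if instance == "none":
            # Unmapping leaves all ports of the VLAN blocking.
            self.mapping.pop(vlan, None)
            return
        if not 1 <= int(instance) <= MAX_INSTANCES:
            raise MistpMappingError(f"instance {instance} outside 1-{MAX_INSTANCES}")
        if not 1 <= vlan <= VLAN_MAX or vlan not in self.ethernet_vlans:
            raise MistpMappingError(f"VLAN {vlan} is not an Ethernet VLAN on this switch")
        if vlan >= EXTENDED_VLAN_MIN and not self.mac_reduction:
            raise MistpMappingError(f"VLAN {vlan} needs MAC address reduction enabled")
        # A VLAN belongs to exactly one instance on this switch; a second
        # 'set vlan' moves it. Disagreement between switches is what
        # 'show spantree conflicts' reveals (mapping_state below).
        self.mapping[vlan] = int(instance)

    def active_instances(self) -> Set[int]:
        """An instance is active only if one of its VLANs has an active port."""
        return {inst for vlan, inst in self.mapping.items() if self.active_ports.get(vlan, 0) > 0}


@dataclass
class ConflictEntry:
    instance: int
    root_mac: str
    delay: Optional[int]      # None when the table shows 'inactive'
    time_left: int


def parse_conflicts(output: str) -> List[ConflictEntry]:
    """Parse the body of 'show spantree conflicts <vlan>' (header lines are skipped)."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        inst, mac, delay, left = parts
        entries.append(ConflictEntry(int(inst), mac, None if delay == "inactive" else int(delay), int(left)))
    return entries


def mapping_state(entries: List[ConflictEntry]) -> str:
    """'mapped:<n>' when every entry names the same instance, 'conflict' otherwise."""
    instances = {e.instance for e in entries}
    if not instances:
        return "unmapped"
    if len(instances) == 1:
        return f"mapped:{instances.pop()}"
    return "conflict"


# Constructed sample in the format of the show spantree conflicts output above.
SAMPLE_CONFLICT = """\
Inst MAC               Delay     Time left
---- ----------------- --------- ---------
1    00-30-a3-4a-0c-00 inactive  20
3    00-30-f1-e5-00-01 inactive  10
"""

if __name__ == "__main__":
    sw = Switch(ethernet_vlans={1, 6, 2000}, active_ports={6: 1})
    sw.set_vlan_instance(6, 1)
    print("active instances:", sw.active_instances())
    print("VLAN 2 state:", mapping_state(parse_conflicts(SAMPLE_CONFLICT)))
```

The point to take from mapping_state is that a VLAN with two entries for the same instance (two root candidates agreeing) is still cleanly mapped; only entries naming different instances put every port of that VLAN into blocking, and the fix is on the root switch that carries the wrong mapping, not on the switch that reports it.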

Unmapping VLANs from an MISTP Instance


The keyword none is used to unmap the specified VLANs from the MISTP instances to which they are
currently mapped. When you unmap a VLAN from an MISTP instance, the resulting state of all the ports
of the VLAN (if the VLAN exists) is blocking.
To unmap a VLAN or all VLANs from an MISTP instance, perform this task in privileged mode:

Task Command
Unmap a VLAN from an MISTP instance. set vlan vlan mistp-instance none

This example shows how to unmap a VLAN from an MISTP instance:


Console> (enable) set vlan 6 mistp-instance none
Vlan 6 configuration successful


Disabling MISTP-PVST+ or MISTP


When the switch is in MISTP mode, you disable spanning tree on an instance, not for the whole switch.
When you disable spanning tree on an MISTP instance, the instance still exists on the switch, all of the
VLANs mapped to it have all of their ports forwarding, and the instance BPDUs are flooded.
To disable an MISTP instance, perform this task in privileged mode:

Task Command
Disable an MISTP instance. set spantree disable mistp-instance instance [all]

This example shows how to disable an MISTP instance:


Console> (enable) set spantree disable mistp-instance 2
MI-STP instance 2 disabled.

Configuring a Root Switch


These sections explain how to configure a root switch:
• Configuring a Primary Root Switch, page 8-31
• Configuring a Secondary Root Switch, page 8-32
• Configuring a Root Switch to Improve Convergence, page 8-33
• Using Root Guard—Preventing Switches from Becoming Root, page 8-34

Configuring a Primary Root Switch


You can set a root switch on a VLAN when the switch is in PVST+ mode or on an MISTP instance when
the switch is in MISTP mode. You enter the set spantree root command to reduce the bridge priority
(the value associated with the switch) from the default (32768) to a lower value, which allows the switch
to become the root switch.
When you specify a switch as the primary root, the default bridge priority is modified so that it becomes
the root for the specified VLANs. The switch checks the bridge priority of the current root switches for
each VLAN. The bridge priority for the specified VLANs is set to 8192 if this value will cause the switch
to become the root for the specified VLANs. If any root switch for the specified VLANs has a bridge
priority lower than 8192, the switch sets the bridge priority for the specified VLANs to 1 less than the
lowest bridge priority. Because different VLANs could potentially have different root switches, the
bridge VLAN-priority chosen makes this switch the root for all the VLANs that are specified. If reducing
the bridge priority as low as 1 still does not make the switch the root switch, the system displays a
message.

Caution Enter the set spantree root command on backbone switches or distribution switches only, not on
access switches.

To configure a switch as the primary root switch, perform this task in privileged mode:


Task                                            Command
Configure a switch as the primary root switch.  set spantree root [vlans] [dia network_diameter] [hello hello_time]

This example shows how to configure the primary root switch for VLANs 1–10:
Console> (enable) set spantree root 1-10 dia 4
VLANs 1-10 bridge priority set to 8192
VLANs 1-10 bridge max aging time set to 14 seconds.
VLANs 1-10 bridge hello time set to 2 seconds.
VLANs 1-10 bridge forward delay set to 9 seconds.
Switch is now the root switch for active VLANs 1-6.
Console> (enable)

To configure a switch as the primary root switch for an instance, perform this task in privileged mode:

Task                                                            Command
Configure a switch as the primary root switch for an instance.  set spantree root mistp-instance instance [dia network_diameter] [hello hello_time]

This example shows how to configure the primary root switch for an instance:
Console> (enable) set spantree root mistp-instance 2-4 dia 4
Instances 2-4 bridge priority set to 8192
Instances 2-4 bridge max aging time set to 14 seconds.
Instances 2-4 bridge hello time set to 2 seconds.
Instances 2-4 bridge forward delay set to 9 seconds.
Switch is now the root switch for active Instances 1-6.
Console> (enable)

Configuring a Secondary Root Switch


You can set a secondary root switch on a VLAN when the switch is in PVST+ mode or on an MISTP
instance when the switch is in MISTP mode.
The set spantree root secondary command reduces the bridge priority to 16,384, making it the probable
candidate to become the root switch if the primary root switch fails. You can run this command on more
than one switch to create multiple backup switches in case the primary root switch fails.
To configure a switch as the secondary root switch, perform this task in privileged mode:

Task                                              Command
Configure a switch as the secondary root switch.  set spantree root [secondary] vlans [dia network_diameter] [hello hello_time]

This example shows how to configure the secondary root switch for VLANs 22 and 24:
Console> (enable) set spantree root secondary 22,24 dia 5 hello 1
VLANs 22,24 bridge priority set to 16384.
VLANs 22,24 bridge max aging time set to 10 seconds.
VLANs 22,24 bridge hello time set to 1 second.
VLANs 22,24 bridge forward delay set to 7 seconds.
Console> (enable)


To configure a switch as the secondary root switch for an instance, perform this task in privileged mode:

Task                                                              Command
Configure a switch as the secondary root switch for an instance.  set spantree root [secondary] mistp-instance instance [dia network_diameter] [hello hello_time]

This example shows how to configure the secondary root for an instance:
Console> (enable) set spantree root secondary mistp-instance 2-4 dia 4
Instances 2-4 bridge priority set to 16384
Instances 2-4 bridge max aging time set to 14 seconds.
Instances 2-4 bridge hello time set to 2 seconds.
Instances 2-4 bridge forward delay set to 9 seconds.
Console> (enable)
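The bridge ID arithmetic from "Configuring the MISTP Bridge ID Priority" and the priority choice described for set spantree root and set spantree root secondary above are simple enough to model and check. The following Python is an added example, not CatOS code and not from this guide. It computes the bridge ID priority with MAC address reduction (bridge priority plus system ID extension, priorities restricted to the 16 values listed earlier), elects a root by the lowest (priority, MAC) pair, and reproduces the primary root rule stated above for PVST+ without MAC address reduction: 8192 if that wins on every requested VLAN, otherwise one less than the lowest current root priority, never below 1. The MAC addresses in the tests are the ones that appear in this chapter's output; the root table a caller passes in is a construction of the example.

```python
"""Added example: bridge ID priority arithmetic and the set spantree root priority choice (not CatOS code)."""
from typing import Dict, Optional, Tuple

PRIORITY_STEP = 4096                 # with MAC address reduction: 0, 4096, ..., 61440
DEFAULT_PRIORITY = 32768
PRIMARY_ROOT_PRIORITY = 8192         # what set spantree root tries first
SECONDARY_ROOT_PRIORITY = 16384      # what set spantree root secondary sets


def mac_bytes(mac: str) -> bytes:
    """'00-d0-00-4c-18-00' -> 6 raw bytes, so MACs compare the way the protocol compares them."""
    return bytes(int(octet, 16) for octet in mac.split("-"))


def bridge_id_priority(bridge_priority: int, sys_id_ext: int) -> int:
    """Bridge ID priority with MAC address reduction: bridge priority + system ID extension.

    The extension is the VLAN number (PVST+) or the MISTP instance number, so
    8192 for instance 1 gives 8193 and 49152 for instance 1 gives 49153.
    """
    if bridge_priority % PRIORITY_STEP or not 0 <= bridge_priority <= 61440:
        raise ValueError(f"{bridge_priority} is not one of the 16 allowed bridge priorities")
    if not 1 <= sys_id_ext <= 4094:
        raise ValueError("system ID extension must be a VLAN or MISTP instance number")
    return bridge_priority + sys_id_ext


def elect_root(bridges: Dict[str, int]) -> str:
    """Return the MAC of the bridge with the lowest (priority, MAC) bridge ID."""
    return min(bridges, key=lambda mac: (bridges[mac], mac_bytes(mac)))


def choose_primary_root_priority(my_mac: str, roots: Dict[int, Tuple[int, str]]) -> Optional[int]:
    """Priority 'set spantree root <vlans>' would pick for this switch (no MAC address reduction).

    roots maps each requested VLAN to the current root's (priority, MAC).
    8192 is used if it wins every VLAN; otherwise one less than the lowest
    current root priority, never below 1. None means the switch cannot become
    root and, as the guide says, a message is displayed instead. With MAC
    address reduction only the 16 multiples of 4096 exist, so the
    'one less' step is not available; that case is not modelled here.
    """
    me = mac_bytes(my_mac)
    current = [(priority, mac_bytes(mac)) for priority, mac in roots.values()]

    def wins_everywhere(priority: int) -> bool:
        return all((priority, me) < root for root in current)

    if wins_everywhere(PRIMARY_ROOT_PRIORITY):
        return PRIMARY_ROOT_PRIORITY
    candidate = min(priority for priority, _ in current) - 1
    if candidate >= 1 and wins_everywhere(candidate):
        return candidate
    return None


if __name__ == "__main__":
    print("instance 1 at 8192 ->", bridge_id_priority(8192, 1))
    roots = {vlan: (DEFAULT_PRIORITY, "00-50-3e-78-70-00") for vlan in range(1, 11)}
    print("set spantree root 1-10 would use", choose_primary_root_priority("00-d0-00-4c-18-00", roots))
```

The election helper is the reason the macro cannot always stop at 8192: a current root that already sits at 8192 with a lower MAC still wins the tie, so the macro has to go one step lower, and a root that is already at priority 1 cannot be displaced by priority at all, which is the situation the guide says produces a message rather than a root change.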

Configuring a Root Switch to Improve Convergence


By lowering the values for the Hello Time, Forward Delay Timer, and Maximum Age Timer parameters
on the root switch, you can reduce the convergence time. For information on configuring these timers,
see the “Configuring Spanning Tree Timers” section on page 8-35.

Note Reducing the timer parameter values is possible only if your network has LAN links of 10 Mbps or
faster. In such a network, the network diameter can reach the maximum value of 7. With WAN
connections, you cannot reduce the parameters.

When a link failure occurs in a bridged network, the network reconfiguration is not immediate. With
the default values specified by IEEE 802.1D for the Hello Time, Forward Delay Timer, and Maximum
Age Timer, reconfiguration takes up to 50 seconds (20 seconds of Maximum Age followed by two
Forward Delay intervals of 15 seconds). The reconfiguration time depends on the network diameter,
which is the maximum number of bridges between any two end stations.
To speed up convergence, use nondefault parameter values permitted by the 802.1D standard. See
Table 8-5 for the nondefault parameters for a reconvergence of 14 seconds.

Table 8-5 Nondefault Parameters

Parameter Time
Network Diameter (dia) 2
Hello Time 2 seconds
Forward Delay Timer 4 seconds
Maximum Age Timer 6 seconds

Note You can set switch ports in PortFast mode for improved convergence. PortFast mode affects only the
transition from disable (link down) to enable (link up) by moving the port immediately to the
forwarding state. If a port in the PortFast mode begins blocking, it then goes through listening and
learning before reaching the forwarding state. For information about PortFast, see the
“Understanding How PortFast Works” section on page 9-2 in Chapter 9, “Configuring Spanning Tree
PortFast, UplinkFast, BackboneFast, and Loop Guard.”

To configure the spanning tree parameters to improve convergence, perform this task in privileged
mode:

Task                                                                       Command
Step 1  Configure the hello time for a VLAN or an MISTP instance.          set spantree hello interval [vlan] mistp-instance [instances]
Step 2  Verify the configuration.                                          show spantree [vlan | mistp-instance instances]
Step 3  Configure the forward delay time for a VLAN or an MISTP instance.  set spantree fwddelay delay [vlan] mistp-instance [instances]
Step 4  Verify the configuration.                                          show spantree [mod/port] mistp-instance [instances] [active]
Step 5  Configure the maximum aging time for a VLAN or an MISTP instance.  set spantree maxage agingtime [vlans] mistp-instance instances
Step 6  Verify the configuration.                                          show spantree [mod/port] mistp-instance [instances] [active]

This example shows how to configure the spanning tree Hello Time, Forward Delay Timer, and
Maximum Age Timer for VLAN 100 to 2, 4, and 6 seconds respectively:
Console> (enable) set spantree hello 2 100
Spantree 100 hello time set to 2 seconds.
Console> (enable) set spantree fwddelay 4 100
Spantree 100 forward delay set to 4 seconds.
Console> (enable) set spantree maxage 6 100
Spantree 100 max aging time set to 6 seconds.
Console> (enable)
Console> (enable) set spantree root 1-10 dia 4
VLANs 1-10 bridge priority set to 8192
VLANs 1-10 bridge max aging time set to 14 seconds.
VLANs 1-10 bridge hello time set to 2 seconds.
VLANs 1-10 bridge forward delay set to 9 seconds.
Switch is now the root switch for active VLANs 1-6.
Console> (enable)

Using Root Guard—Preventing Switches from Becoming Root


You may want to prevent switches from becoming the root switch. The root guard feature forces a port
to become a designated port so that no switch on the other end of the link can become a root switch.
When you enable root guard on a per-port basis, it is automatically applied to all of the active VLANs to
which that port belongs. When you disable root guard, it is disabled for the specified port(s). If a port goes
into the root-inconsistent state, it automatically goes into the listening state.


To prevent switches from becoming root, perform this task in privileged mode:

Task                                          Command
Step 1  Enable root guard on a port.
        set spantree guard {root | none} mod/port
Step 2  Verify that root guard is enabled.
        show spantree guard {mod/port | vlan} {mistp-instance instance | mod/port}

Configuring Spanning Tree Timers


Spanning tree timers affect the spanning tree performance. You can configure the spanning tree timers
for a VLAN in PVST+ or an MISTP instance in MISTP mode. If you do not specify a VLAN when the
switch is in PVST+ mode, VLAN 1 is assumed, or if you do not specify an MISTP instance when the
switch is in MISTP mode, MISTP instance 1 is assumed.
These sections describe how to configure spanning tree timers:
• Configuring the Hello Time, page 8-35
• Configuring the Forward Delay Time, page 8-36
• Configuring the Maximum Aging Time, page 8-36

Caution Exercise care using these commands. For most situations, we recommend that you use the set
spantree root and set spantree root secondary commands to modify the spanning tree performance
parameters.

Table 8-6 describes the switch variables that affect spanning tree performance.

Table 8-6 Spanning Tree Timers

Variable             Description                                                        Default
Hello Time           Determines how often the switch broadcasts its hello message to    2 seconds
                     other switches.
Maximum Age Timer    Measures the age of the received protocol information recorded     20 seconds
                     for a port and ensures that this information is discarded when
                     its age limit exceeds the value of the maximum age parameter
                     recorded by the switch. The timeout value is the maximum age
                     parameter of the switches.
Forward Delay Timer  Monitors the time spent by a port in the learning and listening    15 seconds
                     states. The timeout value is the forward delay parameter of the
                     switches.

Configuring the Hello Time


Enter the set spantree hello command to change the hello time for a VLAN or for an MISTP instance.
The possible range of interval is 1 to 10 seconds.


To configure the spanning tree bridge hello time for a VLAN or an MISTP instance, perform this task
in privileged mode:

Task                                                              Command
Step 1  Configure the hello time for a VLAN or an MISTP instance.
        set spantree hello interval [vlan] mistp-instance [instances]
Step 2  Verify the configuration.
        show spantree [vlan | mistp-instance instances]

This example shows how to configure the spanning tree hello time for VLAN 100 to 7 seconds:
Console> (enable) set spantree hello 7 100
Spantree 100 hello time set to 7 seconds.
Console> (enable)

This example shows how to configure the spanning tree hello time for an instance to 3 seconds:
Console> (enable) set spantree hello 3 mistp-instance 1
Spantree 1 hello time set to 3 seconds.
Console> (enable)

Configuring the Forward Delay Time


Enter the set spantree fwddelay command to configure the spanning tree forward delay time for a
VLAN or an MISTP instance. The possible range of delay is 4 to 30 seconds.
To configure the spanning tree forward delay time for a VLAN or an MISTP instance, perform this task
in privileged mode:

Task                                                                      Command
Step 1  Configure the forward delay time for a VLAN or an MISTP instance.
        set spantree fwddelay delay [vlan] mistp-instance [instances]
Step 2  Verify the configuration.
        show spantree [mod/port] mistp-instance [instances] [active]

This example shows how to configure the spanning tree forward delay time for VLAN 100 to
21 seconds:
Console> (enable) set spantree fwddelay 21 100
Spantree 100 forward delay set to 21 seconds.
Console> (enable)

This example shows how to set the bridge forward delay for an instance to 16 seconds:
Console> (enable) set spantree fwddelay 16 mistp-instance 1
Instance 1 forward delay set to 16 seconds.
Console> (enable)

Configuring the Maximum Aging Time


Enter the set spantree maxage command to change the spanning tree maximum aging time for a VLAN
or an instance. The possible range of agingtime is 6 to 40 seconds.


To configure the spanning tree maximum aging time for a VLAN or an instance, perform this task in
privileged mode:

Task                                                                       Command
Step 1  Configure the maximum aging time for a VLAN or an MISTP instance.
        set spantree maxage agingtime [vlans] mistp-instance instances
Step 2  Verify the configuration.
        show spantree [mod/port] mistp-instance [instances] [active]

This example shows how to configure the spanning tree maximum aging time for VLAN 100 to
36 seconds:
Console> (enable) set spantree maxage 36 100
Spantree 100 max aging time set to 36 seconds.
Console> (enable)

This example shows how to set the maximum aging time for an instance to 25 seconds:
Console> (enable) set spantree maxage 25 mistp-instance 1
Instance 1 max aging time set to 25 seconds.
Console> (enable)
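The three timers above are not independent, which is why the caution at the start of this section prefers set spantree root. As an added example (not code from this guide), the following Python script checks a proposed hello/fwddelay/maxage set against the ranges stated in this chapter and the two relationships between the timers that IEEE 802.1D requires, and computes the worst-case reconvergence time behind the 50-second default and the 14-second figure for Table 8-5.

```python
"""Consistency check for Catalyst spanning tree timers.

Added example, not from the configuration guide. Ranges come from the
set spantree hello, fwddelay and maxage command descriptions in this
chapter; the two inequalities are the 802.1D relationships between the
timers; the reconvergence figure is max age plus listening plus learning.
"""
from dataclasses import dataclass

# Accepted ranges, in seconds, as stated in this chapter.
HELLO_RANGE = (1, 10)
FWDDELAY_RANGE = (4, 30)
MAXAGE_RANGE = (6, 40)


@dataclass(frozen=True)
class StpTimers:
    hello: int      # Hello Time
    fwddelay: int   # Forward Delay Timer
    maxage: int     # Maximum Age Timer


# Defaults from Table 8-6, and the Table 8-5 values for a network diameter of 2.
DEFAULT_TIMERS = StpTimers(hello=2, fwddelay=15, maxage=20)
TABLE_8_5_TIMERS = StpTimers(hello=2, fwddelay=4, maxage=6)


def check_timers(t: StpTimers) -> list[str]:
    """Return the problems found; an empty list means the set is consistent."""
    problems: list[str] = []
    for name, value, (lo, hi) in (
        ("hello", t.hello, HELLO_RANGE),
        ("fwddelay", t.fwddelay, FWDDELAY_RANGE),
        ("maxage", t.maxage, MAXAGE_RANGE),
    ):
        if not lo <= value <= hi:
            problems.append(f"{name} {value} s is outside {lo}-{hi} s")
    # 802.1D: a nonroot switch must survive the loss of one hello (plus one
    # second of propagation slack) before it discards the root's information.
    floor = 2 * (t.hello + 1)
    if t.maxage < floor:
        problems.append(f"maxage {t.maxage} s is below 2 x (hello + 1) = {floor} s")
    # 802.1D: stale information must age out before a port can finish the
    # listening and learning states, otherwise a temporary loop is possible.
    ceiling = 2 * (t.fwddelay - 1)
    if t.maxage > ceiling:
        problems.append(f"maxage {t.maxage} s exceeds 2 x (fwddelay - 1) = {ceiling} s")
    return problems


def reconvergence_seconds(t: StpTimers) -> int:
    """Worst-case time for a blocked port to take over after the root is lost:
    the Maximum Age Timer expires, then the port spends one Forward Delay
    each in the listening and learning states."""
    return t.maxage + 2 * t.fwddelay


def review(t: StpTimers) -> dict:
    """Summary a change reviewer wants before the timers are entered on the switch."""
    problems = check_timers(t)
    return {
        "consistent": not problems,
        "problems": problems,
        "reconvergence_s": reconvergence_seconds(t),
    }


if __name__ == "__main__":
    for label, timers in (
        ("default", DEFAULT_TIMERS),
        ("table 8-5", TABLE_8_5_TIMERS),
        ("too-short fwddelay", StpTimers(hello=2, fwddelay=4, maxage=10)),
    ):
        print(label, review(timers))
```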

Understanding How BPDU Skewing Works


BPDU skewing is the difference between the time at which a BPDU is expected to be received and the
time at which it is actually received. Skewing occurs when any of the following happens:
• Spanning tree timers lapse.
• Expected BPDUs are not received.
• Spanning tree detects topology changes.
The skew causes BPDUs to reflood the network to keep the spanning tree topology database current.
The root switch advertises its presence by sending out BPDUs for the configured Hello time interval.
The nonroot switches receive and process one BPDU during each configured time period. A VLAN may
not receive the BPDU as scheduled. If the BPDU is not received on a VLAN at the configured time
interval, the BPDU is skewed.
Spanning tree uses the Hello Time (see the “Configuring the Hello Time” section on page 8-35) to detect
when a connection to the root switch exists through a port and when that connection is lost. This feature
applies to both PVST+ and MISTP. In MISTP, the skew detection is on a per-instance basis.
BPDU skewing detects BPDUs that are not processed in a regular time frame on the nonroot switches in
the network. If BPDU skewing occurs, a syslog message is displayed. The syslog applies to both PVST+
and MISTP.
The number of syslog messages that are generated may impact the convergence of the network and the
CPU utilization of the switch. Syslog messages are not generated individually for every VLAN, because
the more syslog messages that are reported, the slower the switching process becomes. To reduce the
impact on the switch, the syslog messages are:
• Generated at 50 percent of the maximum age time (see the “Configuring the Maximum Aging Time”
section on page 8-36)
• Rate limited to one every 60 seconds


Configuring BPDU Skewing


Commands that support the spanning tree BPDU skewing feature perform these functions:
• Allow you to enable or disable BPDU skewing. The default is disabled.
• Modify the show spantree summary output to show if the skew detection is enabled and for which
VLANs or PVST+ or MISTP instances the skew was detected.
• Provide a display of the VLAN or PVST+ or MISTP instance and the port affected by the skew
including this information:
– The last skew duration (in absolute time)
– The worst skew duration (in absolute time)
– The date and time of the worst duration
To enable or disable BPDU skewing statistics gathering, enter the set spantree bpdu-skewing
command. Statistics gathering is disabled by default.
To configure the BPDU skewing statistics gathering for a VLAN, perform this task in privileged mode:

Task                              Command
Step 1  Configure BPDU skewing.
        set spantree bpdu-skewing [enable | disable]
Step 2  Verify the configuration.
        show spantree bpdu-skewing vlan [mod/port]
        show spantree bpdu-skewing mistp-instance [instance] [mod/port]

This example shows how to configure BPDU skewing and view the skewing statistics:
Console> (enable) set spantree bpdu-skewing
Usage:set spantree bpdu-skewing <enable|disable>
Console> (enable) set spantree bpdu-skewing enable
Spantree bpdu-skewing enabled on this switch.
Console> (enable)

Console> (enable) show spantree bpdu-skewing 1
Bpdu skewing statistics for vlan 1
Port Last Skew ms Worst Skew ms Worst Skew Time
------ ------------- ------------- -------------------------
8/2 5869 108370 Tue Nov 21 2000, 06:25:59
8/4 4050 113198 Tue Nov 21 2000, 06:26:04
8/6 113363 113363 Tue Nov 21 2000, 06:26:05
8/8 4111 113441 Tue Nov 21 2000, 06:26:05
8/10 113522 113522 Tue Nov 21 2000, 06:26:05
8/12 4111 113600 Tue Nov 21 2000, 06:26:05
8/14 113678 113678 Tue Nov 21 2000, 06:26:05
8/16 4111 113755 Tue Nov 21 2000, 06:26:05
8/18 113833 113833 Tue Nov 21 2000, 06:26:05
8/20 4111 113913 Tue Nov 21 2000, 06:26:05
8/22 113917 113917 Tue Nov 21 2000, 06:26:05
8/24 4110 113922 Tue Nov 21 2000, 06:26:05
8/26 113926 113926 Tue Nov 21 2000, 06:26:05
8/28 4111 113931 Tue Nov 21 2000, 06:26:05
Console> (enable)


This example shows how to display the BPDU skewing statistics for VLAN 1 on module 8, port 4:
Console> (enable) show spantree bpdu-skewing 1 8/4
Bpdu skewing statistics for vlan 1
Port Last Skew ms Worst Skew ms Worst Skew Time
------ ------------- ------------- -------------------------
8/4 5869 108370 Tue Nov 21 2000, 06:25:59

You will receive a similar output when MISTP is running.

The show spantree summary command displays if BPDU skew detection is enabled and also lists the
VLANs or instances affected in the skew. This example shows the output when using the show spantree
summary command:
Console> (enable) show spantree summary
Root switch for vlans: 1
BPDU skewing detection enabled for the bridge
BPDU skewed for vlans: 1
Portfast bpdu-guard disabled for bridge.
Portfast bpdu-filter disabled for bridge.
Uplinkfast disabled for bridge.
Backbonefast disabled for bridge.

Summary of connected spanning tree ports by vlan

VLAN Blocking Listening Learning Forwarding STP Active
----- -------- --------- -------- ---------- ----------
1 6 4 2 0 12

Blocking Listening Learning Forwarding STP Active
----- -------- --------- -------- ---------- ----------
Total 6 4 2 0 12
Console> (enable)
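The skew statistics only become actionable when read against the timers in force. As an added example (not code from this guide), the following Python script parses a constructed show spantree bpdu-skewing table in the format shown above and maps each port's skew onto the thresholds this chapter describes; the 2-second hello, 20-second maximum age and 50 percent syslog point come from this chapter, while the "aged-out" class applies the standard rule that root information not refreshed within the maximum age is discarded.

```python
"""Read show spantree bpdu-skewing output against the spanning tree timers.

Added example, not from the configuration guide. Parses the per-port
table, expresses each skew in missed hello intervals, and flags the
syslog threshold (50 percent of max age) and the point at which the
root's information would have aged out (max age), after which the
nonroot switch reconverges.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the format this chapter shows; not captured from a switch.
SAMPLE_OUTPUT = """\
Bpdu skewing statistics for vlan 1
Port   Last Skew ms  Worst Skew ms  Worst Skew Time
------ ------------- ------------- -------------------------
8/2    5869          108370        Tue Nov 21 2000, 06:25:59
8/4    4050          113198        Tue Nov 21 2000, 06:26:04
8/6    113363        113363        Tue Nov 21 2000, 06:26:05
8/8    1500          9800          Tue Nov 21 2000, 06:26:05
"""

VLAN_RE = re.compile(r"^\s*Bpdu skewing statistics for vlan (\d+)")
ROW_RE = re.compile(r"^\s*(\d+/\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
TIME_FMT = "%a %b %d %Y, %H:%M:%S"


@dataclass(frozen=True)
class SkewRow:
    vlan: int
    port: str
    last_ms: int
    worst_ms: int
    worst_at: datetime


def parse_skew_output(text: str) -> list[SkewRow]:
    """Parse one or more 'Bpdu skewing statistics for vlan N' tables."""
    rows: list[SkewRow] = []
    vlan = None
    for line in text.splitlines():
        m = VLAN_RE.match(line)
        if m:
            vlan = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m and vlan is not None:  # header and dashed rule lines do not match
            rows.append(SkewRow(vlan, m.group(1), int(m.group(2)), int(m.group(3)),
                                datetime.strptime(m.group(4), TIME_FMT)))
    return rows


def classify_skew(skew_ms: int, hello_s: int = 2, maxage_s: int = 20) -> str:
    """Name the consequence of a skew under the given Hello Time and Maximum Age."""
    if skew_ms >= maxage_s * 1000:
        return "aged-out"      # root information discarded; reconvergence follows
    if skew_ms >= maxage_s * 500:
        return "syslog"        # 50 percent of max age: the switch logs the skew
    if skew_ms >= hello_s * 1000:
        return "missed-hello"  # at least one expected BPDU did not arrive on time
    return "ok"


def missed_hellos(skew_ms: int, hello_s: int = 2) -> int:
    """Whole hello intervals that passed without the expected BPDU."""
    return skew_ms // (hello_s * 1000)


def report(text: str, hello_s: int = 2, maxage_s: int = 20) -> dict[str, dict]:
    """Per-port summary keyed 'vlan:port'; aged-out worst cases are chased first."""
    out: dict[str, dict] = {}
    for r in parse_skew_output(text):
        out[f"{r.vlan}:{r.port}"] = {
            "last": classify_skew(r.last_ms, hello_s, maxage_s),
            "worst": classify_skew(r.worst_ms, hello_s, maxage_s),
            "worst_missed_hellos": missed_hellos(r.worst_ms, hello_s),
            "worst_at": r.worst_at.isoformat(),
        }
    return out


if __name__ == "__main__":
    for key, summary in report(SAMPLE_OUTPUT).items():
        print(key, summary)
```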

Chapter 9
Configuring Spanning Tree PortFast, UplinkFast,
BackboneFast, and Loop Guard

This chapter describes how to configure the spanning tree PortFast, UplinkFast, BackboneFast, and loop
guard features on the Catalyst 6000 family switches.

Note For information on configuring the Spanning Tree Protocol (STP), see Chapter 8, “Configuring
Spanning Tree.”

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:
• Understanding How PortFast Works, page 9-2
• Understanding How PortFast BPDU Guard Works, page 9-2
• Understanding How PortFast BPDU Filter Works, page 9-2
• Understanding How UplinkFast Works, page 9-3
• Understanding How BackboneFast Works, page 9-4
• Understanding How Loop Guard Works, page 9-5
• Configuring PortFast, page 9-7
• Configuring PortFast BPDU Guard, page 9-9
• Configuring PortFast BPDU Filter, page 9-11
• Configuring UplinkFast, page 9-13
• Configuring BackboneFast, page 9-15
• Configuring Loop Guard, page 9-17


Understanding How PortFast Works


PortFast causes a spanning tree port to immediately enter the forwarding state, bypassing the listening
and learning states. You can use PortFast on switch ports connected to a single workstation or server to
allow those devices to connect to the network immediately, rather than waiting for spanning tree to
converge.

Caution Use PortFast only when connecting a single end station to a switch port. Otherwise, you might create
a network loop.

To prevent loops in a network, you can enable PortFast on nontrunking access ports only because these
ports typically do not transmit or receive bridge protocol data units (BPDUs). If you enable PortFast on
nontrunking ports that connect two switches, spanning tree loops can occur if BPDUs are being
transmitted and received on those ports. The most secure implementation of PortFast occurs when you
enable it on ports that connect end stations to switches.

Understanding How PortFast BPDU Guard Works


PortFast BPDU guard prevents spanning tree loops by moving a nontrunking port into the errdisable
state when a BPDU is received on that port. When you enable BPDU guard on the switch, spanning tree
shuts down PortFast-configured interfaces that receive BPDUs, rather than putting them into the
spanning tree blocking state. In a valid configuration, PortFast-configured interfaces do not receive
BPDUs. In an invalid configuration, a BPDU is received by a PortFast-configured interface, such as a
connection of an unauthorized device. BPDU guard can prevent invalid configurations, because you
must manually put the interface back in service.

Note When enabled on the switch, spanning tree applies the PortFast BPDU guard feature to all
PortFast-configured interfaces.

Understanding How PortFast BPDU Filter Works


BPDU filtering allows you to avoid transmitting BPDUs on a PortFast-enabled port connected to an end
system. This feature is available on a per-port basis.
The PortFast BPDU filter allows access ports to move directly to the forwarding state as soon as end
hosts are connected. Spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled
or not. A port does not need to be PortFast enabled to actively filter BPDUs.
BPDU filtering operates in both the transmit and receive directions; BPDUs are dropped when received
and they are not transmitted.


Understanding How UplinkFast Works


UplinkFast provides fast convergence after a spanning tree topology change and achieves load balancing
between redundant links using uplink groups. An uplink group is a set of ports (per VLAN), only one of
which is forwarding at any given time. Specifically, an uplink group consists of the root port (which is
forwarding) and a set of blocked ports. The blocked ports do not include self-looping ports. The uplink
group provides an alternate path in case the currently forwarding link fails.

Note UplinkFast is most useful in wiring-closet switches. This feature may not be useful for other types
of applications.

Figure 9-1 shows an example topology with no link failures. Switch A, the root switch, is connected
directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that is connected
directly to Switch B is in blocking state.

Figure 9-1 UplinkFast Example Before Direct Link Failure

[Figure: Switch A (Root) connects to Switch B over link L1 and to Switch C over link L2; link L3 joins
Switch B and Switch C, and the port on Switch C at that end is the blocked port.]

If Switch C detects a link failure on the currently active link L2 (a direct link failure), UplinkFast
unblocks the blocked port on Switch C and transitions it to the forwarding state without going through
the listening and learning states, as shown in Figure 9-2. This switchover takes approximately 1 to
5 seconds.

Figure 9-2 UplinkFast Example After Direct Link Failure

[Figure: the same topology as Figure 9-1 after link L2 fails; UplinkFast transitions the blocked port on
Switch C directly to the forwarding state.]


Understanding How BackboneFast Works


BackboneFast is initiated when a root port or blocked port on a switch receives inferior BPDUs from its
designated bridge. An inferior BPDU identifies one switch as both the root bridge and the designated
bridge. When a switch receives an inferior BPDU, it indicates that a link to which the switch is not
directly connected (an indirect link) has failed (that is, the designated bridge has lost its connection to
the root bridge). Under normal spanning tree rules, the switch ignores inferior BPDUs for the configured
maximum aging time, as specified by the agingtime variable of the set spantree maxage command.
The switch tries to determine if it has an alternate path to the root bridge. If the inferior BPDU arrives
on a blocked port, the root port and other blocked ports on the switch become alternate paths to the root
bridge. (Self-looped ports are not considered alternate paths to the root bridge.) If the inferior BPDU
arrives on the root port, all blocked ports become alternate paths to the root bridge. If the inferior BPDU
arrives on the root port and there are no blocked ports, the switch assumes that it has lost connectivity
to the root bridge, causes the maximum aging time on the root to expire, and becomes the root switch
according to normal spanning tree rules.
If the switch has alternate paths to the root bridge, it uses these alternate paths to transmit a new kind of
PDU called the Root Link Query PDU out all alternate paths to the root bridge. If the switch determines
that it still has an alternate path to the root, it causes the maximum aging time on the ports on which it
received the inferior BPDU to expire. If all the alternate paths to the root bridge indicate that the switch
has lost connectivity to the root bridge, the switch causes the maximum aging times on the ports on
which it received an inferior BPDU to expire. If one or more alternate paths can still connect to the root
bridge, the switch makes all ports on which it received an inferior BPDU its designated ports and moves
them out of the blocking state (if they were in the blocking state), through the listening and learning
states, and into the forwarding state.
Figure 9-3 shows an example topology with no link failures. Switch A, the root switch, connects directly
to Switch B over link L1 and to Switch C over link L2. The port on Switch C that connects directly to
Switch B is in the blocking state.

Figure 9-3 BackboneFast Example Before Indirect Link Failure

[Figure: Switch A (Root) connects to Switch B over link L1 and to Switch C over link L2; link L3 joins
Switch B and Switch C, and the port on Switch C at that end is the blocked port.]

If link L1 fails, Switch C detects this failure as an indirect failure, since it is not connected directly to
link L1. Switch B no longer has a path to the root switch. BackboneFast allows the blocked port on
Switch C to move immediately to the listening state without waiting for the maximum aging time for the
port to expire. BackboneFast then transitions the port on Switch C to the forwarding state, providing a
path from Switch B to Switch A. This switchover takes approximately 30 seconds. Figure 9-4 shows
how BackboneFast reconfigures the topology to account for the failure of link L1.


Figure 9-4 BackboneFast Example After Indirect Link Failure

[Figure: the same topology as Figure 9-3 after link L1 fails; BackboneFast transitions the blocked port
on Switch C through the listening and learning states to the forwarding state.]

If a new switch is introduced into a shared-medium topology, BackboneFast is not activated. Figure 9-5
shows a shared-medium topology in which a new switch is added. The new switch begins sending
inferior BPDUs that say it is the root switch. However, the other switches ignore these inferior BPDUs
and the new switch learns that Switch B is the designated bridge to Switch A, the root switch.

Figure 9-5 Adding a Switch in a Shared-Medium Topology

[Figure: Switch A (Root), Switch B (Designated Bridge), and Switch C with a blocked port share a
medium to which a new switch is added.]

Understanding How Loop Guard Works


Unidirectional link failures may cause a root port or alternate port to become designated as root if
BPDUs are absent. Some software failures may introduce temporary loops in the network. The loop
guard feature checks if a root port or an alternate root port receives BPDUs. If the port is not receiving
BPDUs, the loop guard feature puts the port into an inconsistent state until it starts receiving BPDUs
again. Loop guard isolates the failure and lets spanning tree converge to a stable topology without the
failed link or bridge.


You can enable loop guard on a per-port basis. When you enable loop guard, it is automatically applied
to all of the active instances or VLANs to which that port belongs. When you disable loop guard, it is
disabled for the specified ports. Disabling loop guard moves all loop-inconsistent ports to the listening
state.
If you enable loop guard on a channel and the first link becomes unidirectional, loop guard blocks the
entire channel until the affected port is removed from the channel. Figure 9-6 shows loop guard in a
triangle switch configuration.

Figure 9-6 Triangle Switch Configuration with Loop Guard

[Figure: Switches A, B, and C connected in a triangle using ports 3/1 and 3/2 on each switch; the
legend marks the designated port, root port, and alternate port.]

Figure 9-6 illustrates the following configuration:
• Switches A and B are distribution switches.
• Switch C is an access switch.
• Loop guard is enabled on ports 3/1 and 3/2 on Switches A, B, and C.
Use loop guard only in topologies where there are blocked ports. Topologies that have no blocked ports,
which are loop free, do not need to enable this feature. Enabling loop guard on a root switch has no effect
but provides protection when a root switch becomes a nonroot switch.
Follow these guidelines when using loop guard:
• You cannot enable loop guard on PortFast-enabled or dynamic VLAN ports.
• You cannot enable PortFast on loop guard-enabled ports.
• You cannot enable loop guard if root guard is enabled.
Loop guard interacts with other features as follows:
• Loop guard does not affect the functionality of UplinkFast or BackboneFast.
• Do not enable loop guard on ports that are connected to a shared link.

Note We recommend that you enable loop guard on root ports and alternate root ports on access
switches.

• Root guard forces a port to be always designated as the root port. Loop guard is effective only if the
port is a root port or an alternate port. You cannot enable loop guard and root guard on a port at the
same time.
• PortFast transitions a port into a forwarding state immediately when a link is established. Because a
PortFast-enabled port will not be a root port or alternate port, loop guard and PortFast cannot be
configured on the same port. Assigning dynamic VLAN membership for the port requires that the port
is PortFast enabled. You cannot configure a loop guard-enabled port with dynamic VLAN membership.
• If your network has a type-inconsistent port or a PVID-inconsistent port, all BPDUs are dropped
until the misconfiguration is corrected. The port transitions out of the inconsistent state after the
message age expires. Loop guard ignores the message age expiration on type-inconsistent ports and
PVID-inconsistent ports. If the port is already blocked by loop guard, misconfigured BPDUs
received on the port make loop guard recover, but the port is moved into the type-inconsistent state
or PVID-inconsistent state.
• In high-availability switch configurations, if a port is put into the blocked state by loop guard, it
remains blocked even after switchover to the redundant supervisor engine. The newly activated
supervisor engine recovers the port only after receiving a BPDU on that port.
• Loop guard uses the ports known to spanning tree. Loop guard can take advantage of logical ports
provided by the Port Aggregation Protocol (PAgP). However, to form a channel, all the physical
ports grouped in the channel must have compatible configurations. PAgP enforces uniform
configurations of root guard or loop guard on all the physical ports to form a channel.
These caveats apply to loop guard:
– Spanning tree always chooses the first operational port in the channel to send the BPDUs. If that
link becomes unidirectional, loop guard blocks the channel, even if other links in the channel
are functioning properly.
– If a set of ports that are already blocked by loop guard are grouped together to form a channel,
spanning tree loses all the state information for those ports and the new channel port may obtain
the forwarding state with a designated role.
– If a channel is blocked by loop guard and the channel breaks, spanning tree loses all the state
information. The individual physical ports may obtain the forwarding state with the designated
role, even if one or more of the links that formed the channel are unidirectional.

Note You can enable UniDirectional Link Detection (UDLD) to help isolate the link failure. A loop may
occur until UDLD detects the failure, but loop guard will not be able to detect it.

• Loop guard has no effect on a disabled spanning tree instance or a VLAN.

Configuring PortFast
These sections describe how to configure PortFast on the switch:
• Enabling PortFast, page 9-8
• Disabling PortFast, page 9-8

Enabling PortFast

Caution Use PortFast only when you connect a single end station to a switch port; otherwise, you might create
a network loop.

To enable PortFast on a switch port, perform this task in privileged mode:

Task                                                                            Command
Step 1  Enable PortFast on a switch port connected to a single workstation or server.
        set spantree portfast mod/port enable
Step 2  Verify the PortFast setting.
        show spantree mod/port

This example shows how to enable PortFast on a port and verify the configuration (the PortFast status
is shown in the “Fast-Start” column):
Console> (enable) set spantree portfast 4/1 enable
Warning: Spantree port fast start should only be enabled on ports connected
to a single host. Connecting hubs, concentrators, switches, bridges, etc. to
a fast start port can cause temporary spanning tree loops. Use with caution.
Spantree port 4/1 fast start enabled.

Console> (enable) show spantree 4/1
Port Vlan Port-State Cost Priority Fast-Start Group-method
--------- ---- ------------- ----- -------- ---------- ------------
4/1 1 blocking 19 20 enabled
4/1 100 forwarding 10 20 enabled
4/1 521 blocking 19 20 enabled
4/1 522 blocking 19 20 enabled
4/1 523 blocking 19 20 enabled
4/1 524 blocking 19 20 enabled
4/1 1003 not-connected 19 20 enabled
4/1 1005 not-connected 19 4 enabled
Console> (enable)

Disabling PortFast
To disable PortFast on a switch port, perform this task in privileged mode:

Task                                     Command
Step 1  Disable PortFast on a switch port.
        set spantree portfast mod/port disable
Step 2  Verify the PortFast setting.
        show spantree mod/port

This example shows how to disable PortFast on a port:
Console> (enable) set spantree portfast 4/1 disable
Spantree port 4/1 fast start disabled.
Console> (enable)

Configuring PortFast BPDU Guard


These sections describe how to configure PortFast BPDU guard on the switch:
• Enabling PortFast BPDU Guard, page 9-9
• Disabling PortFast BPDU Guard, page 9-10

Enabling PortFast BPDU Guard

Note Although the PortFast feature is configured on an individual port, the PortFast BPDU guard option
is configured globally. When you disable PortFast on a port, PortFast BPDU guard becomes inactive.

To enable PortFast BPDU guard on a nontrunking switch port, perform this task in privileged mode:

Task                                               Command
Step 1  Enable PortFast BPDU guard on the switch.
        set spantree portfast bpdu-guard enable
Step 2  Verify the PortFast BPDU guard setting.
        show spantree summary

This example shows how to enable PortFast BPDU guard on the switch and verify the configuration in
the Per VLAN Spanning Tree + (PVST+) mode:

Note For additional PVST+ information, see Chapter 8, “Configuring Spanning Tree.”

Console> (enable) set spantree portfast bpdu-guard enable
Spantree portfast bpdu-guard enabled on this switch.
Console> (enable) show spantree summary
Root switch for vlans: none.
Portfast bpdu-guard enabled for bridge.
Uplinkfast disabled for bridge.
Backbonefast disabled for bridge.

Vlan Blocking Listening Learning Forwarding STP Active
----- -------- --------- -------- ---------- ----------
1 0 0 0 4 4
2 0 0 0 4 4
3 0 0 0 4 4
4 0 0 0 4 4
5 0 0 0 4 4
6 0 0 0 4 4
10 0 0 0 4 4
20 0 0 0 4 4
50 0 0 0 4 4
100 0 0 0 4 4
152 0 0 0 4 4
200 0 0 0 5 5
300 0 0 0 4 4
400 0 0 0 4 4
500 0 0 0 4 4
521 0 0 0 4 4
524 0 0 0 4 4
570 0 0 0 4 4
801 0 0 0 0 0
802 0 0 0 0 0
850 0 0 0 4 4
917 0 0 0 4 4
999 0 0 0 4 4
1003 0 0 0 0 0
1005 0 0 0 0 0

Blocking Listening Learning Forwarding STP Active
----- -------- --------- -------- ---------- ----------
Total 0 0 0 85 85
Console> (enable)

Disabling PortFast BPDU Guard


To disable PortFast BPDU guard on the switch, perform this task in privileged mode:

Task                                                Command
Step 1  Disable PortFast BPDU guard on the switch.
        set spantree portfast bpdu-guard disable
Step 2  Verify the PortFast BPDU guard setting.
        show spantree summary

This example shows how to disable PortFast BPDU guard on the switch and verify the configuration:
Console> (enable) set spantree portfast bpdu-guard disable
Spantree portfast bpdu-guard disabled on this switch.
Console> (enable) show spantree summary
Summary of connected spanning tree ports by vlan

Portfast bpdu-guard disabled for bridge.
Uplinkfast disabled for bridge.
Backbonefast disabled for bridge.

Vlan Blocking Listening Learning Forwarding STP Active
----- -------- --------- -------- ---------- ----------
1 0 0 0 4 4
2 0 0 0 4 4
3 0 0 0 4 4
4 0 0 0 4 4
5 0 0 0 4 4
6 0 0 0 4 4
10 0 0 0 4 4
20 0 0 0 4 4
50 0 0 0 4 4
100 0 0 0 4 4
152 0 0 0 4 4
200 0 0 0 5 5
300 0 0 0 4 4
400 0 0 0 4 4
500 0 0 0 4 4
521 0 0 0 4 4
524 0 0 0 4 4
570 0 0 0 4 4
801 0 0 0 0 0
802 0 0 0 0 0
850 0 0 0 4 4
917 0 0 0 4 4
999 0 0 0 4 4
1003 0 0 0 0 0
1005 0 0 0 0 0

Blocking Listening Learning Forwarding STP Active
----- -------- --------- -------- ---------- ----------
Total 0 0 0 85 85
Console> (enable)

Configuring PortFast BPDU Filter


These sections describe how to configure PortFast BPDU filter on the switch:
• Enabling PortFast BPDU Filter, page 9-11
• Disabling PortFast BPDU Filter, page 9-12

Enabling PortFast BPDU Filter


To enable PortFast BPDU filtering on a nontrunking port, perform this task in privileged mode:

Task Command
Step 1 Enable PortFast BPDU filtering on the port. set spantree portfast bpdu-filter enable
Step 2 Verify the PortFast BPDU filter setting. show spantree summary
show spantree portfast

This example shows how to enable PortFast BPDU filtering on the port and verify the configuration in
PVST+ mode:

Note For PVST+ information, see Chapter 8, “Configuring Spanning Tree.”

Console> (enable) set spantree portfast bpdu-filter enable
Usage: set spantree portfast <mod/port> <enable|disable>
set spantree portfast bpdu-guard <enable|disable>
set spantree portfast bpdu-filter <enable|disable>
Spantree portfast bpdu-filter enabled on this switch.

Console> (enable) show spantree portfast
Portfast BPDU guard is disabled.
Portfast BPDU filter is disabled.

Console> (enable) show spantree summary
Root switch for vlans: none.
Portfast bpdu-filter enabled for bridge.
Uplinkfast disabled for bridge.
Backbonefast disabled for bridge.

Vlan Blocking Listening Learning Forwarding STP Active
----- -------- --------- -------- ---------- ----------
1 0 0 0 4 4
2 0 0 0 4 4
3 0 0 0 4 4
4 0 0 0 4 4
5 0 0 0 4 4
6 0 0 0 4 4
.
.
.
850 0 0 0 4 4
917 0 0 0 4 4
999 0 0 0 4 4
1003 0 0 0 0 0
1005 0 0 0 0 0

Blocking Listening Learning Forwarding STP Active
----- -------- --------- -------- ---------- ----------
Total 0 0 0 85 85
Console> (enable)
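Both verification procedures above (PortFast BPDU guard and PortFast BPDU filter) read the same show spantree summary output. As an added example that is not part of the original guide, the following Python parser pulls the global feature lines and the per-VLAN table out of that output, reports a disabled BPDU guard, and flags a capture whose per-VLAN rows do not add up to the Total line (as happens when the output has been abbreviated with "..."); the sample text is constructed to resemble the output shown above, not a real capture.

```python
"""Parse Catalyst 'show spantree summary' output and report the PortFast
BPDU guard / BPDU filter state.  Added example, not Cisco's code."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the output shown in this chapter (not a real capture).
SAMPLE = """\
Root switch for vlans: none.
Portfast bpdu-guard enabled for bridge.
Uplinkfast disabled for bridge.
Backbonefast disabled for bridge.

Vlan Blocking Listening Learning Forwarding STP Active
----- -------- --------- -------- ---------- ----------
1 0 0 0 4 4
200 0 0 0 5 5
801 0 0 0 0 0

Blocking Listening Learning Forwarding STP Active
----- -------- --------- -------- ---------- ----------
Total 0 0 0 9 9
Console> (enable)
"""

# "Portfast bpdu-guard enabled for bridge." / "Uplinkfast disabled for bridge."
FEATURE_RE = re.compile(
    r"^(?:Portfast\s+)?(bpdu-guard|bpdu-filter|Uplinkfast|Backbonefast)\s+"
    r"(enabled|disabled)\s+for\s+bridge\.$", re.IGNORECASE)
# A per-VLAN row or the Total row: a name followed by five counters.
ROW_RE = re.compile(r"^(\d+|Total)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


@dataclass
class SpantreeSummary:
    features: dict = field(default_factory=dict)  # "bpdu-guard" -> True/False
    vlans: dict = field(default_factory=dict)     # vlan -> (blk, lis, lrn, fwd, active)
    total: tuple = None                           # counters from the Total line


def parse_summary(text):
    """Extract feature states and the per-VLAN counters from the CLI output."""
    summary = SpantreeSummary()
    for raw in text.splitlines():
        line = raw.strip()
        m = FEATURE_RE.match(line)
        if m:
            summary.features[m.group(1).lower()] = m.group(2).lower() == "enabled"
            continue
        m = ROW_RE.match(line)
        if m:
            counters = tuple(int(x) for x in m.groups()[1:])
            if m.group(1) == "Total":
                summary.total = counters
            else:
                summary.vlans[int(m.group(1))] = counters
    return summary


def check_summary(summary):
    """Return the findings an operator would want from this output."""
    findings = []
    if not summary.features.get("bpdu-guard", False):
        findings.append("PortFast BPDU guard is disabled for the bridge")
    if summary.features.get("bpdu-filter", False):
        findings.append("PortFast BPDU filter is enabled for the bridge")
    # If the per-VLAN rows do not add up to the Total line, the capture is
    # incomplete (for example abbreviated with '...') and should not be trusted.
    if summary.total is not None:
        sums = (tuple(sum(col) for col in zip(*summary.vlans.values()))
                if summary.vlans else (0, 0, 0, 0, 0))
        if sums != summary.total:
            findings.append(
                f"per-VLAN rows sum to {sums} but the Total line reports "
                f"{summary.total}; the capture looks incomplete")
    return findings


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    print(parsed.features, parsed.total)
    print(check_summary(parsed) or "no findings")
```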

Disabling PortFast BPDU Filter


To disable PortFast BPDU filtering on the switch, perform this task in privileged mode:

Task Command
Step 1 Disable PortFast BPDU filtering on the switch. set spantree portfast bpdu-filter disable
Step 2 Verify the PortFast BPDU filter setting. show spantree
show portfast

This example shows how to disable PortFast BPDU filtering on the switch and verify the configuration:
Console> (enable) set spantree portfast bpdu-filter disable
Spantree portfast bpdu-filter disabled on this switch.
Console> (enable) show spantree summary
Summary of connected spanning tree ports by vlan

Portfast bpdu-filter disabled for bridge.


Uplinkfast disabled for bridge.
Backbonefast disabled for bridge.

Vlan Blocking Listening Learning Forwarding STP Active
----- -------- --------- -------- ---------- ----------
1 0 0 0 4 4
2 0 0 0 4 4
3 0 0 0 4 4
4 0 0 0 4 4
5 0 0 0 4 4
6 0 0 0 4 4
10 0 0 0 4 4
.
.
.
802 0 0 0 0 0
850 0 0 0 4 4
917 0 0 0 4 4
999 0 0 0 4 4
1003 0 0 0 0 0
1005 0 0 0 0 0

Blocking Listening Learning Forwarding STP Active
----- -------- --------- -------- ---------- ----------
Total 0 0 0 85 85
Console> (enable)

Configuring UplinkFast
You can configure UplinkFast for PVST+ or for Multi-Instance Spanning Tree Protocol (MISTP). The
command is the same but the output may be slightly different.

Note For additional MISTP information, see Chapter 8, “Configuring Spanning Tree.”

These sections describe how to configure UplinkFast on the switch:
• Enabling UplinkFast, page 9-13
• Disabling UplinkFast, page 9-14

Enabling UplinkFast
The set spantree uplinkfast enable command increases the path cost of all ports on the switch, making
it unlikely that the switch will become the root switch. The station_update_rate value represents the
number of multicast packets transmitted per 100 milliseconds (the default is 15 packets per millisecond).

Note When you enable the set spantree uplinkfast command, it affects all VLANs on the switch. You
cannot configure UplinkFast on an individual VLAN.

To enable UplinkFast on the switch, perform this task in privileged mode:

Task Command
Step 1 Enable UplinkFast on the switch. set spantree uplinkfast enable [rate station_update_rate] [all-protocols off | on]
Step 2 Verify that UplinkFast is enabled. show spantree uplinkfast [{mistp-instance [instances]} | vlans]

With PVST+ mode enabled, this example shows how to enable UplinkFast with a station-update rate of
40 packets per 100 milliseconds and how to verify that UplinkFast is enabled:
Console> (enable) set spantree uplinkfast enable
VLANs 1-4094 bridge priority set to 49152.
The port cost and portvlancost of all ports set to above 3000.
Station update rate set to 15 packets/100ms.
uplinkfast all-protocols field set to off.
uplinkfast enabled for bridge.
Console> (enable) show spantree uplinkfast 1 100 521-524
Station update rate set to 15 packets/100ms.
uplinkfast all-protocols field set to off.
VLAN port list
-----------------------------------------------
1 1/1(fwd),1/2
100 1/2(fwd)
521 1/1(fwd),1/2
522 1/1(fwd),1/2
523 1/1(fwd),1/2
524 1/1(fwd),1/2
Console> (enable)

This example shows how to display the UplinkFast feature settings for all VLANs:
Console> show spantree uplinkfast
Station update rate set to 15 packets/100ms.
uplinkfast all-protocols field set to off.
VLAN port list
------------------------------------------------
1-20 1/1(fwd),1/2-1/5
21-50 1/9(fwd), 1/6-1/8, 1/10-1/12
51-100 2/1(fwd), 2/12
Console>

With MISTP mode enabled, this example shows the output when you enable UplinkFast:
Console> (enable) set spantree uplinkfast enable
Instances 1-16 bridge priority set to 49152.
The port cost and portinstancecost of all ports set to above 10000000.
Station update rate set to 15 packets/100ms.
uplinkfast all-protocols field set to off.
uplinkfast enabled for bridge.
Console> (enable)

This example shows how to display the UplinkFast feature settings for a specific instance:
Console> show spantree uplinkfast mistp-instance 1
Station update rate set to 15 packets/100ms.
uplinkfast all-protocols field set to off.
Inst port list
------------------------------------------------
1 4/1(fwd)
Console>

Disabling UplinkFast
The set spantree uplinkfast disable command disables UplinkFast on the switch, but the switch priority
and port cost values are not reset to the factory defaults.

Note When you enter the set spantree uplinkfast disable command, it affects all VLANs on the switch.
You cannot disable UplinkFast on an individual VLAN.

To disable UplinkFast on the switch, perform this task in privileged mode:

Task Command
Step 1 Disable UplinkFast on the switch. set spantree uplinkfast disable
Step 2 Verify that UplinkFast is disabled. show spantree uplinkfast

With PVST+ mode enabled, this example shows how to disable UplinkFast on the switch and verify the
configuration:
Console> (enable) set spantree uplinkfast disable
Uplinkfast disabled for switch.
Use clear spantree uplinkfast to return stp parameters to default.
Console> (enable) show spantree uplinkfast
Station update rate set to 15 packets/100ms.
uplinkfast all-protocols field set to off.
VLAN port list
-----------------------------------------------
1 1/1(fwd),1/2
100 1/2(fwd)
521 1/1(fwd),1/2
522 1/1(fwd),1/2
523 1/1(fwd),1/2
524 1/1(fwd),1/2
Console> (enable)

Configuring BackboneFast
These sections describe how to configure BackboneFast:
• Enabling BackboneFast, page 9-15
• Displaying BackboneFast Statistics, page 9-16
• Disabling BackboneFast, page 9-16

Enabling BackboneFast

Note For BackboneFast to work, you must enable it on all switches in the network. BackboneFast is not
supported on Token Ring VLANs. This feature is supported for use with third-party switches.

To enable BackboneFast on the switch, perform this task in privileged mode:

Task Command
Step 1 Enable BackboneFast on the switch. set spantree backbonefast enable
Step 2 Verify that BackboneFast is enabled. show spantree backbonefast

This example shows how to enable BackboneFast on the switch and how to verify the configuration:
Console> (enable) set spantree backbonefast enable
Backbonefast enabled for all VLANs
Console> (enable) show spantree backbonefast
Backbonefast is enabled.
Console> (enable)

Displaying BackboneFast Statistics


To display BackboneFast statistics, perform this task in privileged mode:

Task Command
Display BackboneFast statistics. show spantree summary

This example shows how to display BackboneFast statistics:
Console> (enable) show spantree summary
Summary of connected spanning tree ports by vlan

Uplinkfast disabled for bridge.
Backbonefast enabled for bridge.

Vlan Blocking Listening Learning Forwarding STP Active
----- -------- --------- -------- ---------- ----------
1 0 0 0 1 1

Blocking Listening Learning Forwarding STP Active
----- -------- --------- -------- ---------- ----------
Total 0 0 0 1 1

BackboneFast statistics
-----------------------
Number of inferior BPDUs received (all VLANs) : 0
Number of RLQ req PDUs received (all VLANs) : 0
Number of RLQ res PDUs received (all VLANs) : 0
Number of RLQ req PDUs transmitted (all VLANs) : 0
Number of RLQ res PDUs transmitted (all VLANs) : 0
Console> (enable)

Disabling BackboneFast
To disable BackboneFast on the switch, perform this task in privileged mode:

Task Command
Step 1 Disable BackboneFast on the switch. set spantree backbonefast disable
Step 2 Verify that BackboneFast is disabled. show spantree backbonefast

This example shows how to disable BackboneFast on the switch and how to verify the configuration:
Console> (enable) set spantree backbonefast disable
Backbonefast enabled for all VLANs
Console> (enable) show spantree backbonefast
Backbonefast is disable.
Console> (enable)

Configuring Loop Guard


These sections describe how to configure loop guard:
• Enabling Loop Guard, page 9-17
• Disabling Loop Guard, page 9-17

Enabling Loop Guard


Use the set spantree guard command to enable or disable the spanning tree loop guard feature on a
per-port basis.
To enable loop guard on the switch, perform this task in privileged mode:

Task Command
Step 1 Enable loop guard on a port. set spantree guard loop mod/port
Step 2 Verify that loop guard is enabled. show spantree guard {mod/port | vlan} mistp-instance instance

This example shows how to enable loop guard:
Console> (enable) set spantree guard loop 5/1
Rootguard is enabled on port 5/1, enabling loopguard will disable rootguard on
this port.
Do you want to continue (y/n) [n]? y
Loopguard on port 5/1 is enabled.
Console> (enable)

Disabling Loop Guard


To disable loop guard on the switch, perform this task in privileged mode:

Task Command
Step 1 Disable loop guard on a port. set spantree guard none mod/port
Step 2 Verify that loop guard is disabled. show spantree guard {mod/port | vlan} mistp-instance instance

This example shows how to disable loop guard:
Console> (enable) set spantree guard none 5/1
Rootguard is disabled on port 5/1, disabling loopguard will disable rootguard on
this port.
Do you want to continue (y/n) [n]? y
Loopguard on port 5/1 is disabled.
Console> (enable)

CHAPTER 10
Configuring VTP

This chapter describes how to configure the VLAN Trunking Protocol (VTP) on the Catalyst 6000 family
switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:
• Understanding How VTP Works, page 10-1
• Default VTP Configuration, page 10-5
• VTP Configuration Guidelines, page 10-5
• Configuring VTP, page 10-6

Understanding How VTP Works


VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the
addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes misconfigurations
and configuration inconsistencies that can result in a number of problems, such as duplicate VLAN
names, incorrect VLAN-type specifications, and security violations.
You can use VTP to manage VLANs 1 to 1005 in your network. (Note that VTP does not support VLANs
1025 to 4094.) With VTP, you can make configuration changes centrally on one switch and have those
changes automatically communicated to all the other switches in the network.

Note For complete information on configuring VLANs, see Chapter 11, “Configuring VLANs.”

These sections describe how VTP works:
• Understanding the VTP Domain, page 10-2
• Understanding VTP Modes, page 10-2
• Understanding VTP Advertisements, page 10-2
• Understanding VTP Version 2, page 10-3
• Understanding VTP Pruning, page 10-3

Understanding the VTP Domain


A VTP domain (also called a VLAN management domain) is made up of one or more interconnected
switches that share the same VTP domain name. A switch can be configured to be in one and only one
VTP domain. You make global VLAN configuration changes for the domain using either the
command-line interface (CLI) or Simple Network Management Protocol (SNMP).
By default, the switch is in VTP server mode and is in the no-management domain state until the switch
receives an advertisement for a domain over a trunk link or you configure a management domain. You
cannot create or modify VLANs on a VTP server until the management domain name is specified or
learned.
If the switch receives a VTP advertisement over a trunk link, it inherits the management domain name
and the VTP configuration revision number. The switch ignores advertisements with a different
management domain name or an earlier configuration revision number.
If you configure the switch as VTP transparent, you can create and modify VLANs but the changes affect
only the individual switch.
When you make a change to the VLAN configuration on a VTP server, the change is propagated to all
switches in the VTP domain. VTP advertisements are transmitted out all trunk connections, including
Inter-Switch Link (ISL), IEEE 802.1Q, IEEE 802.10, and ATM LAN Emulation (LANE).
VTP maps VLANs dynamically across multiple LAN types with unique names and internal index
associations. This mapping reduces the device administration that network administrators would otherwise have to perform.

Understanding VTP Modes


You can configure a switch to operate in any one of these VTP modes:
• Server—In VTP server mode, you can create, modify, and delete VLANs and specify other
configuration parameters (such as VTP version and VTP pruning) for the entire VTP domain. VTP
servers advertise their VLAN configuration to other switches in the same VTP domain and
synchronize their VLAN configuration with other switches based on advertisements received over
trunk links. VTP server is the default mode.
• Client—VTP clients behave the same way as VTP servers, but you cannot create, change, or delete
VLANs on a VTP client.
• Transparent—VTP transparent switches do not participate in VTP. A VTP transparent switch does
not advertise its VLAN configuration and does not synchronize its VLAN configuration based on
received advertisements. However, in VTP version 2, transparent switches do forward VTP
advertisements that they receive out their trunk ports.
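The two sections above describe how a switch learns its domain from the first advertisement it hears, ignores advertisements with a different domain name or an older revision, and behaves differently in server, client and transparent mode. As an added example (not the guide's own code), the Python model below applies exactly those rules to constructed advertisements; treating an equal revision number as "nothing new" is an assumption, and the revision increment on each server-side change is standard VTP behaviour rather than something this section states.

```python
"""Model of how a switch treats a received VTP advertisement, following the
rules in this section (domain learning, revision comparison, VTP modes).
Added example, not Cisco's code."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: dict                       # vlan id -> name, as carried by the advertisement


@dataclass
class Switch:
    mode: str = "server"              # server (default) | client | transparent
    domain: Optional[str] = None      # None = no-management domain state
    revision: int = 0
    vtp_version: int = 1
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def receive(self, adv):
        """Apply the section's rules to one advertisement heard on a trunk."""
        if self.mode == "transparent":
            # Transparent switches never act on advertisements; with VTP
            # version 2 they still forward them out their other trunks.
            return "forwarded" if self.vtp_version == 2 else "dropped"
        if self.domain is None:
            # No management domain yet: inherit the name and revision number.
            self.domain = adv.domain
        elif adv.domain != self.domain:
            return "ignored: domain"
        elif adv.revision <= self.revision:
            # The section says earlier revisions are ignored; an equal revision
            # carries nothing new, so it is treated the same way (assumption).
            return "ignored: revision"
        # A newer revision in the same domain replaces the local VLAN table.
        self.revision = adv.revision
        self.vlans = dict(adv.vlans)
        return "applied"

    def create_vlan(self, vlan_id, name):
        """Local VLAN change, subject to the mode rules in this section."""
        if self.mode == "client":
            raise PermissionError("VTP clients cannot create, change or delete VLANs")
        if self.mode == "server" and self.domain is None:
            raise PermissionError("specify or learn a management domain name first")
        self.vlans[vlan_id] = name
        if self.mode == "server":
            # Each server-side change bumps the revision the domain will later
            # compare against; transparent-mode changes stay local.
            self.revision += 1
        return self.revision


if __name__ == "__main__":
    sw = Switch()
    adv = Advertisement("Lab_Network", 40, {1: "default", 10: "engineering"})
    print(sw.receive(adv), sw.domain, sw.revision)
    print(sw.receive(Advertisement("Other", 99, {})))
```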

Understanding VTP Advertisements


Each switch in the VTP domain sends periodic advertisements out each trunk port to a reserved multicast
address. VTP advertisements are received by neighboring switches, which update their VTP and VLAN
configurations as necessary.
The following global configuration information is distributed in VTP advertisements:
• VLAN IDs (ISL and 802.1Q)
• Emulated LAN names (for ATM LANE)
• 802.10 SAID values (FDDI)
• VTP domain name
• VTP configuration revision number
• VLAN configuration, including the maximum transmission unit (MTU) size for each VLAN
• Frame format

Understanding VTP Version 2


If you use VTP in your network, you must decide whether to use VTP version 1 or version 2.

Note If you are using VTP in a Token Ring environment, you must use version 2.

VTP version 2 supports the following features not supported in version 1:
• Token Ring support—VTP version 2 supports Token Ring LAN switching and VLANs (Token Ring
Bridge Relay Function [TrBRF] and Token Ring Concentrator Relay Function [TrCRF]). For more
information about Token Ring VLANs, see Chapter 11, “Configuring VLANs.”
• Unrecognized Type-Length-Value (TLV) Support—A VTP server or client propagates configuration
changes to its other trunks, even for TLVs it is not able to parse. The unrecognized TLV is saved in
NVRAM.
• Version-Dependent Transparent Mode—In VTP version 1, a VTP transparent switch inspects VTP
messages for the domain name and version and forwards a message only if the version and domain
name match. Since only one domain is supported in the supervisor engine software, VTP version 2
forwards VTP messages in transparent mode, without checking the version.
• Consistency Checks—In VTP version 2, VLAN consistency checks (such as VLAN names and
values) are performed only when you enter new information through the CLI or SNMP. Consistency
checks are not performed when new information is obtained from a VTP message, or when
information is read from NVRAM. If the digest on a received VTP message is correct, its
information is accepted without consistency checks.

Understanding VTP Pruning


VTP pruning enhances network bandwidth use by reducing unnecessary flooded traffic, such as
broadcast, multicast, unknown, and flooded unicast packets. VTP pruning increases available bandwidth
by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate
network devices. By default, VTP pruning is disabled.
Make sure that all devices in the management domain support VTP pruning before enabling it. VTP
pruning is supported in supervisor engine software release 5.1(1) and later releases.

Note If you are using routers to route between emulated LANs, you should disable VTP pruning in the VTP
management domain that contains the switches with ATM LANE modules installed (VTP pruning
messages are sent over the ATM LANE module because it is a trunk). Another solution is to disable
pruning for the LANE VLANs using the clear vtp pruneeligible command on all switches with ATM
LANE modules.

Figure 10-1 shows a switched network without VTP pruning enabled. Port 1 on Switch 1 and port 2 on
Switch 4 are assigned to the Red VLAN. A broadcast is sent from the host connected to Switch 1.
Switch 1 floods the broadcast and every switch in the network receives it, even though Switches 3, 5,
and 6 have no ports in the Red VLAN.

Figure 10-1 Flooding Traffic without VTP Pruning
[Figure: Switches 1 through 6 interconnected; Port 1 on Switch 1 and Port 2 on Switch 4 are in the Red VLAN]

Figure 10-2 shows the same switched network with VTP pruning enabled. The broadcast traffic from
Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on
the links indicated (port 5 on Switch 2 and port 4 on Switch 4).

Figure 10-2 Flooding Traffic with VTP Pruning
[Figure: the same network; flooded Red VLAN traffic is pruned on port 5 of Switch 2 and port 4 of Switch 4]

Enabling VTP pruning on a VTP server enables pruning for the entire management domain. VTP pruning
takes effect several seconds after you enable it. By default, VLANs 2 through 1000 are pruning eligible.
VTP pruning does not prune traffic from VLANs that are pruning ineligible. VLAN 1 is always pruning
ineligible; traffic from VLAN 1 cannot be pruned.
To make a VLAN pruning ineligible, enter the clear vtp pruneeligible command. To make a VLAN
pruning eligible again, enter the set vtp pruneeligible command. You can set VLAN pruning eligibility
regardless of whether VTP pruning is enabled or disabled for the domain. Pruning eligibility always
applies to the local device only, not for the entire VTP domain.

Default VTP Configuration


Table 10-1 shows the default VTP configuration.

Table 10-1 VTP Default Configuration

Feature Default Value
VTP domain name Null
VTP mode Server
VTP version 2 enable state Version 2 is disabled
VTP password None
VTP pruning Disabled

VTP Configuration Guidelines


Follow these guidelines when implementing VTP in your network:
• All switches in a VTP domain must run the same VTP version.
• You must configure a password on each switch in the management domain when in secure mode.

Caution If you configure VTP in secure mode, the management domain will not function properly if you do
not assign a management domain password to each switch in the domain.

• A VTP version 2-capable switch can operate in the same VTP domain as a switch running VTP
version 1 provided VTP version 2 is disabled on the VTP version 2-capable switch (VTP version 2
is disabled by default).
• Do not enable VTP version 2 on a switch unless all of the switches in the same VTP domain are
version 2 capable. When you enable VTP version 2 on a switch, all of the version 2-capable
switches in the domain enable VTP version 2.
• In a Token Ring environment, you must enable VTP version 2 for Token Ring VLAN switching to
function properly.
• Enabling or disabling VTP pruning on a VTP server enables or disables VTP pruning for the entire
management domain.
• Making VLANs pruning eligible or pruning ineligible on a switch affects pruning eligibility for
those VLANs on that device only (not on all switches in the VTP domain).

Configuring VTP
These sections describe how to configure VTP:
• Configuring a VTP Server, page 10-6
• Configuring a VTP Client, page 10-6
• Disabling VTP (VTP Transparent Mode), page 10-7
• Enabling VTP Version 2, page 10-8
• Disabling VTP Version 2, page 10-9
• Enabling VTP Pruning, page 10-9
• Disabling VTP Pruning, page 10-10
• Displaying VTP, page 10-10

Configuring a VTP Server


When a switch is in VTP server mode, you can change the VLAN configuration and have it propagate
throughout the network.
To configure the switch as a VTP server, perform this task in privileged mode:

Task Command
Step 1 Define the VTP domain name. set vtp domain name
Step 2 Place the switch in VTP server mode. set vtp mode server
Step 3 (Optional) Set a password for the VTP domain. set vtp passwd passwd
Step 4 Verify the VTP configuration. show vtp domain

This example shows how to configure the switch as a VTP server and verify the configuration:
Console> (enable) set vtp domain Lab_Network
VTP domain Lab_Network modified
Console> (enable) set vtp mode server
VTP domain Lab_Network modified
Console> (enable) show vtp domain
Domain Name Domain Index VTP Version Local Mode Password
-------------------------------- ------------ ----------- ----------- ----------
Lab_Network 1 2 server -
Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
10 1023 40 enabled
Last Updater V2 Mode Pruning PruneEligible on Vlans
--------------- -------- -------- -------------------------
172.20.52.70 disabled disabled 2-1000
Console> (enable)

Configuring a VTP Client


When a switch is in VTP client mode, you cannot change the VLAN configuration on the switch. The
client switch receives VTP updates from a VTP server in the management domain and modifies its
configuration accordingly.

To configure the switch as a VTP client, perform this task in privileged mode:

Task Command
Step 1 Define the VTP domain name. set vtp domain name
Step 2 Place the switch in VTP client mode. set vtp mode client
Step 3 Verify the VTP configuration. show vtp domain

This example shows how to configure the switch as a VTP client and verify the configuration:
Console> (enable) set vtp domain Lab_Network
VTP domain Lab_Network modified
Console> (enable) set vtp mode client
VTP domain Lab_Network modified
Console> (enable) show vtp domain
Domain Name Domain Index VTP Version Local Mode Password
-------------------------------- ------------ ----------- ----------- ----------
Lab_Network 1 2 client -
Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
10 1023 40 enabled
Last Updater V2 Mode Pruning PruneEligible on Vlans
--------------- -------- -------- -------------------------
172.20.52.70 disabled disabled 2-1000
Console> (enable)

Disabling VTP (VTP Transparent Mode)


When you configure the switch as VTP transparent, you disable VTP on the switch. A VTP transparent
switch does not send VTP updates and does not act on VTP updates received from other switches.
However, a VTP transparent switch running VTP version 2 does forward received VTP advertisements
out all of its trunk links.

Note Network devices in VTP transparent mode do not send VTP Join messages. On Catalyst 6000 family
switches with trunk connections to network devices in VTP transparent mode, configure the VLANs that
are used by the transparent-mode network devices or that need to be carried across trunks as pruning
ineligible (use the clear vtp pruneeligible command).

To disable VTP on the switch, perform this task in privileged mode:

Task Command
Step 1 Disable VTP on the switch by configuring it for VTP transparent mode. set vtp mode transparent
Step 2 Verify the VTP configuration. show vtp domain

This example shows how to configure the switch as VTP transparent and verify the configuration:
Console> (enable) set vtp mode transparent
VTP domain Lab_Net modified
Console> (enable) show vtp domain
Domain Name Domain Index VTP Version Local Mode Password
-------------------------------- ------------ ----------- ----------- ----------
Lab_Net 1 2 Transparent -
Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
10 1023 0 enabled
Last Updater V2 Mode Pruning PruneEligible on Vlans
--------------- -------- -------- -------------------------
172.20.52.70 disabled disabled 2-1000
Console> (enable)

Enabling VTP Version 2


VTP version 2 is disabled by default on VTP version 2-capable switches. When you enable VTP
version 2 on a switch, every VTP version 2-capable switch in the VTP domain will enable version 2 as
well.

Caution VTP version 1 and VTP version 2 are not interoperable on switches in the same VTP domain. Every
switch in the VTP domain must use the same VTP version. Do not enable VTP version 2 unless every
switch in the VTP domain supports version 2.

Note In a Token Ring environment, you must enable VTP version 2 for Token Ring VLAN switching to
function properly.

To enable VTP version 2, perform this task in privileged mode:

Task Command
Step 1 Enable VTP version 2 on the switch. set vtp v2 enable
Step 2 Verify that VTP version 2 is enabled. show vtp domain

This example shows how to enable VTP version 2 and verify the configuration:
Console> (enable) set vtp v2 enable
This command will enable the version 2 function in the entire management domain.
All devices in the management domain should be version2-capable before enabling.
Do you want to continue (y/n) [n]? y
VTP domain Lab_Net modified
Console> (enable) show vtp domain
Domain Name Domain Index VTP Version Local Mode Password
-------------------------------- ------------ ----------- ----------- ----------
Lab_Net 1 2 server -
Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
10 1023 1 enabled
Last Updater V2 Mode Pruning PruneEligible on Vlans
--------------- -------- -------- -------------------------
172.20.52.70 enabled disabled 2-1000
Console> (enable)

Disabling VTP Version 2


To disable VTP version 2, perform this task in privileged mode:

Task Command
Step 1 Disable VTP version 2. set vtp v2 disable
Step 2 Verify that VTP version 2 is disabled. show vtp domain

This example shows how to disable VTP version 2:
Console> (enable) set vtp v2 disable
This command will disable the version 2 function in the entire management domain.
Warning: trbrf & trcrf vlans will not work properly in this mode.
Do you want to continue (y/n) [n]? y
VTP domain Lab_Net modified
Console> (enable)

Enabling VTP Pruning


To enable VTP pruning, perform this task in privileged mode:

Task Command
Step 1 Enable VTP pruning in the management domain. set vtp pruning enable
Step 2 (Optional) Make specific VLANs pruning ineligible on the device. (By default, VLANs 2–1000 are pruning eligible.) clear vtp pruneeligible vlan_range
Step 3 (Optional) Make specific VLANs pruning eligible on the device. set vtp pruneeligible vlan_range
Step 4 Verify the VTP pruning configuration. show vtp domain
Step 5 Verify that the appropriate VLANs are being pruned on trunk ports. show trunk

This example shows how to enable VTP pruning in the management domain and how to make
VLANs 2–99, 250–255, and 501–1000 pruning eligible on the particular device:
Console> (enable) set vtp pruning enable
This command will enable the pruning function in the entire management domain.
All devices in the management domain should be pruning-capable before enabling.
Do you want to continue (y/n) [n]? y
VTP domain Lab_Network modified
Console> (enable) clear vtp pruneeligible 100-500
Vlans 1,100-500,1001-1005 will not be pruned on this device.
VTP domain Lab_Network modified.
Console> (enable) set vtp pruneeligible 250-255
Vlans 2-99,250-255,501-1000 eligible for pruning on this device.
VTP domain Lab_Network modified.


Console> (enable) show vtp domain


Domain Name Domain Index VTP Version Local Mode Password
-------------------------------- ------------ ----------- ----------- ----------
Lab_Network 1 2 server -

Vlan-count Max-vlan-storage Config Revision Notifications


---------- ---------------- --------------- -------------
8 1023 16 disabled

Last Updater V2 Mode Pruning PruneEligible on Vlans


--------------- -------- -------- -------------------------
172.20.52.2 disabled enabled 2-99,250-255,501-1000
Console> (enable) show trunk
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
1/1 auto isl trunking 523

Port Vlans allowed on trunk


-------- ---------------------------------------------------------------------
1/1 1-1005

Port Vlans allowed and active in management domain


-------- ---------------------------------------------------------------------
1/1 1,522-524

Port Vlans in spanning tree forwarding state and not pruned


-------- ---------------------------------------------------------------------
1/1 1,522-524
Console> (enable)
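
The example above shows the switch recomputing the prune-eligible list after each clear and set command (100–500 removed from the default 2–1000, then 250–255 added back). The following Python model, added here and not part of the Cisco guide, reproduces that range arithmetic so the expected "eligible for pruning" and "will not be pruned" lists can be checked offline before touching a production domain. It assumes eligibility starts at VLANs 2–1000, that only normal-range VLANs 2–1000 can be made eligible, and that VLAN 1 and reserved VLANs 1001–1005 always appear in the "will not be pruned" message, as the output above shows.

```python
# Added example (not from the Cisco guide): a model of how the switch tracks VTP
# prune-eligible VLANs so the range arithmetic of 'clear/set vtp pruneeligible' can be
# reproduced and checked offline. Assumptions: eligibility starts at VLANs 2-1000, only
# normal-range VLANs 2-1000 can be made eligible, and VLAN 1 plus reserved VLANs
# 1001-1005 are always reported as "will not be pruned".

NORMAL_RANGE_MAX = 1000
REPORTED_MAX = 1005  # the "will not be pruned" message covers VLANs 1-1005


def parse_range(spec):
    """Parse a vlan_range such as '2-99,250-255,501-1000' into a set of VLAN IDs."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if lo_i > hi_i:
            raise ValueError(f"inverted range {part!r}")
        ids.update(range(lo_i, hi_i + 1))
    return ids


def format_range(ids):
    """Render a set of VLAN IDs in the switch's compact 'a-b,c,d-e' form."""
    out = []
    start = prev = None
    for v in sorted(ids):
        if prev is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            out.append(f"{start}-{prev}" if start != prev else str(start))
            start = prev = v
    if prev is not None:
        out.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(out)


class PruneEligibility:
    """Prune-eligibility state of one switch, starting from the default 2-1000."""

    def __init__(self):
        self.eligible = set(range(2, NORMAL_RANGE_MAX + 1))

    def clear(self, spec):
        """clear vtp pruneeligible vlan_range: returns the 'will not be pruned' list."""
        self.eligible -= parse_range(spec)
        return self.not_pruned()

    def set(self, spec):
        """set vtp pruneeligible vlan_range: returns the 'eligible for pruning' list."""
        requested = parse_range(spec)
        invalid = {v for v in requested if v < 2 or v > NORMAL_RANGE_MAX}
        if invalid:
            raise ValueError(
                f"not prune-eligible (outside 2-{NORMAL_RANGE_MAX}): {format_range(invalid)}"
            )
        self.eligible |= requested
        return self.eligible_spec()

    def eligible_spec(self):
        return format_range(self.eligible)

    def not_pruned(self):
        # Complement within 1-1005, matching "Vlans 1,100-500,1001-1005 will not be pruned".
        return format_range(set(range(1, REPORTED_MAX + 1)) - self.eligible)


if __name__ == "__main__":
    p = PruneEligibility()
    print("not pruned:", p.clear("100-500"))   # 1,100-500,1001-1005
    print("eligible:  ", p.set("250-255"))     # 2-99,250-255,501-1000
```

Running the two operations from the example in order yields exactly the two lists the switch printed, which is a convenient way to review a planned pruning change: compute the final eligible set first, then compare it with the PruneEligible on Vlans column of show vtp domain after the change.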

Disabling VTP Pruning


To disable VTP pruning, perform this task in privileged mode:

Task Command
Step 1 Disable VTP pruning in the management domain. set vtp pruning disable
Step 2 Verify that VTP pruning is disabled. show vtp domain

This example shows how to disable VTP pruning in the management domain:
Console> (enable) set vtp pruning disable
This command will disable the pruning function in the entire management domain.
Do you want to continue (y/n) [n]? y
VTP domain Lab_Network modified
Console> (enable)

Displaying VTP
To display VTP activity, including VTP advertisements sent and received and VTP errors, perform this
task:

Task Command
Display VTP statistics for the switch. show vtp statistics


This example shows how to display VTP statistics on the switch:


Console> (enable) show vtp statistics
VTP statistics:
summary advts received 4690
subset advts received 7
request advts received 0
summary advts transmitted 4397
subset advts transmitted 8
request advts transmitted 0
No of config revision errors 0
No of config digest errors 0
VTP pruning statistics:
Trunk Join Trasmitted Join Received Summary advts received from
non-pruning-capable device
-------- --------------- ------------- ---------------------------
1/1 0 0 0
1/2 0 0 0
Console> (enable)
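
The counters in this output are the ones to watch when reviewing VTP health: config revision and digest errors, and summary advertisements arriving from devices that are not pruning capable. The following Python parser, added here and not part of the Cisco guide, turns the show vtp statistics text into a dictionary and reports those conditions. It assumes the output layout shown above (counter lines ending in an integer, then a per-trunk table), matches the counter names literally, and treats a nonzero digest-error count as a likely VTP password mismatch between switches, which is the usual cause. The sample output embedded in the block is constructed for the example.

```python
# Added example (not Cisco code): parse 'show vtp statistics' output and flag the
# counters a defender cares about. Assumptions: the output layout is the one shown in
# this guide; counter names are matched literally; a nonzero digest-error count is
# treated as a likely VTP password (MD5 digest) mismatch, the usual cause.
import re

COUNTER_RE = re.compile(r"^(?P<name>.*\S)\s+(?P<value>\d+)$")
TRUNK_RE = re.compile(r"^(?P<port>\d+/\d+)\s+(?P<tx>\d+)\s+(?P<rx>\d+)\s+(?P<np>\d+)$")

# Constructed sample output (not from a real switch), with two problem indicators.
SAMPLE = """\
Console> (enable) show vtp statistics
VTP statistics:
summary advts received 120
subset advts received 3
request advts received 0
summary advts transmitted 118
subset advts transmitted 2
request advts transmitted 0
No of config revision errors 0
No of config digest errors 7
VTP pruning statistics:
Trunk Join Trasmitted Join Received Summary advts received from
non-pruning-capable device
-------- --------------- ------------- ---------------------------
1/1 0 0 0
1/2 0 0 3
Console> (enable)
"""


def parse_vtp_statistics(text):
    """Return (counters, trunks): counters by name, per-trunk pruning statistics."""
    counters, trunks = {}, {}
    in_pruning = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Console>") or line.startswith("-"):
            continue
        if line.startswith("VTP pruning statistics"):
            in_pruning = True
            continue
        if in_pruning:
            m = TRUNK_RE.match(line)
            if m:  # the trunk table's header lines do not match and are skipped
                trunks[m["port"]] = {
                    "join_tx": int(m["tx"]),
                    "join_rx": int(m["rx"]),
                    "summary_from_nonpruning": int(m["np"]),
                }
            continue
        m = COUNTER_RE.match(line)  # "VTP statistics:" has no trailing integer, so it is skipped
        if m:
            counters[m["name"]] = int(m["value"])
    return counters, trunks


def audit_vtp_statistics(text):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    counters, trunks = parse_vtp_statistics(text)
    findings = []
    rev = counters.get("No of config revision errors", 0)
    if rev:
        findings.append(f"{rev} config revision errors: a neighbor advertised a conflicting revision")
    dig = counters.get("No of config digest errors", 0)
    if dig:
        findings.append(f"{dig} config digest errors: check the VTP password on all switches")
    rx = counters.get("summary advts received", 0)
    tx = counters.get("summary advts transmitted", 0)
    if rx == 0 and tx > 0:
        findings.append("no summary advertisements received: switch may be isolated from the domain")
    for port, stats in sorted(trunks.items()):
        if stats["summary_from_nonpruning"]:
            findings.append(
                f"trunk {port}: {stats['summary_from_nonpruning']} advts from a non-pruning-capable device"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_vtp_statistics(SAMPLE):
        print(finding)
```

Polling this output from every switch in the domain and diffing the findings over time makes a quiet rise in digest errors (a mistyped password on a newly added switch, for instance) visible before it becomes a VLAN database problem.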

Chapter 11
Configuring VLANs

This chapter describes how to configure VLANs for the Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How VLANs Work, page 11-1
• Configuring Normal-Range VLANs, page 11-5
• Configuring Extended-Range VLANs, page 11-6
• Mapping VLANs to VLANs, page 11-8
• Assigning Switch Ports to a VLAN, page 11-12
• Deleting a VLAN, page 11-13
• Configuring Private VLANs, page 11-13
• Configuring FDDI VLANs, page 11-24
• Configuring Token Ring VLANs, page 11-24

Understanding How VLANs Work


A VLAN is a group of end stations with a common set of requirements, independent of their physical
location. A VLAN has the same attributes as a physical LAN but allows you to group end stations even
if they are not located physically on the same LAN segment.
VLANs allow you to group ports on a switch to limit unicast, multicast, and broadcast traffic flooding.
Flooded traffic originating from a particular VLAN is only flooded out ports belonging to that VLAN.
Figure 11-1 shows an example of VLANs segmented into logically defined networks.
These sections describe VLANs:
• VLAN Ranges, page 11-2
• Configurable VLAN Parameters, page 11-3
• Default VLAN Configuration, page 11-4


Figure 11-1 VLANs as Logically Defined Networks
[Figure: Engineering, Marketing, and Accounting VLANs spanning Floor 1, Floor 2, and Floor 3, connected through Fast Ethernet to a Cisco router.]
VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP
subnet belong to the same VLAN. Traffic between VLANs must be routed. Port VLAN membership on
the switch is assigned manually on a port-by-port basis. When you assign switch ports to VLANs using
this method, it is known as port-based, or static, VLAN membership.
The in-band (sc0) interface of a switch can be assigned to any VLAN, so you can access another switch
on the same VLAN directly without a router. Only one IP address at a time can be assigned to the in-band
interface. If you change the IP address and assign the interface to a different VLAN, the previous IP
address and VLAN assignment are overwritten.

VLAN Ranges
Catalyst 6000 family switches support 4096 VLANs in accordance with the IEEE 802.1Q standard.
These VLANs are organized into several ranges; you use each range slightly differently. Some of these
VLANs are propagated to other switches in the network when you use a management protocol, such as
the VLAN Trunking Protocol (VTP). Other VLANs are not propagated and you must configure them on
each applicable switch.
There are three ranges of VLANs:
• Normal-range VLANs: 1–1000
• Extended-range VLANs: 1025–4094
• Reserved-range VLANs: 0, 1002–1024, 4095


Table 11-1 describes the VLAN ranges.

Table 11-1 VLAN Ranges

VLANs        Range           Propagated by VTP (Y/N)   Usage
0, 4095      Reserved range  N/A                       For system use only. You cannot see or use these VLANs.
1            Normal range    Yes                       Cisco default. You can use this VLAN but you cannot delete it.
2–1000       Normal range    Yes                       Used for Ethernet VLANs; you can create, use, and delete these VLANs.
1001         Normal range    Yes                       You cannot create or use this VLAN. May be available in the future.
1002–1005    Reserved range  N/A                       Cisco defaults for FDDI and Token Ring. Not supported on Catalyst 6000 family switches. You cannot delete these VLANs.
1006–1009    Reserved range  N/A                       Cisco defaults. Not currently used but may be used for defaults in the future. You can map nonreserved VLANs to these reserved VLANs when necessary.
1010–1024    Reserved range  N/A                       You cannot see or use these VLANs but you can map nonreserved VLANs to these reserved VLANs when necessary.
1025–4094    Extended range  No                        For Ethernet VLANs only. You can create, use, and delete these VLANs, with the following exception: FlexWAN modules and routed ports automatically allocate a sequential block of internal VLANs starting at VLAN 1025. If you use these devices, you must allow the required number of VLANs for them.

Configurable VLAN Parameters


Whenever you create or modify VLANs 2–1005, you can set the parameters as follows:

Note Ethernet VLANs 1 and 1025–4094 can use the defaults only.

• VLAN number
• VLAN name
• VLAN type: Ethernet, FDDI, FDDINET, Token Ring Bridge Relay Function (TrBRF), or Token
Ring Concentrator Relay Function (TrCRF)
• VLAN state: active or suspended
• Multi-Instance Spanning Tree Protocol (MISTP) instance
• Private VLAN type: primary, isolated, community, two-way community, or none
• Security Association Identifier (SAID)


• Maximum transmission unit (MTU) for the VLAN


• Ring number for FDDI and TrCRF VLANs
• Bridge identification number for TrBRF VLANs
• Parent VLAN number for TrCRF VLANs
• STP type for TrCRF VLANs: IEEE, IBM, or auto
• VLAN to use when translating from one VLAN media type to another (VLANs 1–1005 only);
requires a different VLAN number for each media type
• Source routing bridge mode for Token Ring VLANs: source-routing bridge (SRB) or source-routing
transparent bridge (SRT)
• Backup for TrCRF VLAN
• Maximum hops VLAN All-Routes Explorer frames (ARE) and Spanning Tree Explorer frames
(STE) for Token Ring
• Remote Switched Port Analyzer (RSPAN)

Default VLAN Configuration


Table 11-2 shows the default VLAN configuration for the Catalyst 6000 family switches.

Table 11-2 VLAN Default Configuration

Feature                                               Default Value
Native (default) VLAN                                 VLAN 1
Port VLAN assignments                                 All ports assigned to VLAN 1; Token Ring ports assigned to VLAN 1003 (trcrf-default)
VLAN state                                            Active
MTU size                                              1500 bytes; 4472 bytes for Token Ring VLANs
SAID value                                            100,000 plus the VLAN number (for example, the SAID for VLAN 8 is 100008, the SAID for VLAN 4050 is 104050)
Pruning eligibility                                   VLANs 2–1000 are pruning eligible; VLANs 1025–4094 are not pruning eligible
MAC address reduction                                 Disabled
Spanning tree mode                                    PVST+
Default FDDI VLAN                                     VLAN 1002
Default FDDI NET VLAN                                 VLAN 1004
Default Token Ring TrBRF VLAN                         VLAN 1005 (trbrf-default) with bridge number 0F
Default Token Ring TrCRF VLAN                         VLAN 1003 (trcrf-default)
Spanning Tree Protocol (STP) version for TrBRF VLAN   IBM
TrCRF bridge mode                                     SRB
Remote switched port analyzer (RSPAN)                 Disabled

Configuring Normal-Range VLANs


These sections explain how to configure normal-range VLANs 2–1000:
• Normal-Range VLAN Configuration Guidelines, page 11-5
• Creating Normal-Range VLANs, page 11-5
• Modifying Normal-Range VLANs, page 11-6

Note You cannot configure or modify normal-range VLAN 1.

Normal-Range VLAN Configuration Guidelines


Follow these guidelines when creating and modifying normal-range VLANs 2–1000 in your network:
• The default VLAN type is Ethernet; if you do not specify a VLAN type, the VLAN will be an
Ethernet VLAN.
• If you wish to use VTP to maintain global VLAN configuration information on your network,
configure VTP before you create any normal-range VLANs. See Chapter 10, “Configuring VTP” for
configuring VTP. (You cannot use VTP to manage extended-range VLANs 1025–4094.)
• FlexWAN modules and routed ports automatically allocate a number of VLANs for their own use,
starting at VLAN 1025. If you use these devices, you must allow for the number of VLANs required.

Creating Normal-Range VLANs


You can create one VLAN at a time or you can create a range of VLANs with a single command. If you
create a range of VLANs, you cannot specify a name; VLAN names must be unique.
To create a normal-range VLAN, perform this task in privileged mode:

Task Command
Step 1 Create a normal-range Ethernet VLAN. set vlan vlan [name name] [said said] [mtu mtu] [translation vlan]
Step 2 Verify the VLAN configuration. show vlan [vlan]


This example shows how to create normal-range VLANs and verify the configuration when the switch
is in Per VLAN Spanning Tree + (PVST+) mode:
Console> (enable) set vlan 500-520
Vlan 500 configuration successful
Vlan 501 configuration successful
Vlan 502 configuration successful
Vlan 503 configuration successful
.
.
.
Vlan 520 configuration successful
Console> (enable) show vlan 500-520
VLAN Name Status IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
500 active 342
501 active 343
502 active 344
503 active 345
.
.
.
520 active 362
VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
500 enet 100500 1500 - - - - - 0 0
501 enet 100501 1500 - - - - - 0 0
502 enet 100502 1500 - - - - - 0 0
503 enet 100503 1500 - - - - - 0 0
.
.
.
520 enet 100520 1500 - - - - - 0 0
VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
Console> (enable)

Modifying Normal-Range VLANs


To modify the VLAN parameters on an existing normal-range VLAN, perform this task in privileged
mode:

Task Command
Step 1 Modify an existing normal-range VLAN. set vlan vlan [name name] [state {active | suspend}] [said said] [mtu mtu] [translation vlan]
Step 2 Verify the VLAN configuration. show vlan [vlan]

Configuring Extended-Range VLANs


These sections explain how to configure extended-range VLANs 1025–4094:
• Extended-Range VLAN Configuration Guidelines, page 11-7
• Creating Extended-Range VLANs, page 11-7


Extended-Range VLAN Configuration Guidelines


Follow these guidelines to create extended-range VLANs 1025–4094:
• You can only create Ethernet-type VLANs in the extended range.
• You must enable MAC address reduction in order to use extended-range VLANs.
• You can only create and delete extended-range VLANs from the CLI or SNMP.
• You cannot use VTP to manage these VLANs; they must be statically configured on each switch.
• You cannot use extended-range VLANs if you have dot1q-to-isl mappings.
• You can configure private VLAN parameters and RSPAN for extended-range VLANs; however, all
other parameters for extended-range VLANs use the system defaults only.
• The switch may allocate a block of VLANs from the extended range for internal purposes; for
example, the switch may allocate VLANs for routed ports or FlexWAN modules. The block of
VLANs is always allocated starting from VLAN 1025. If you have any VLANs within the range
required by the FlexWAN module, all of the VLANs required will not be allocated, because VLANs
are never allocated from the user’s VLAN area.

Caution FlexWAN modules and routed ports automatically allocate a sequential block of internal VLANs
starting at VLAN 1025. If you use these devices, you must allow the required number of VLANs for
them and must not use the lower-range VLANs starting with VLAN 1025. If not enough VLANs are
available for the FlexWAN module, some ports may not work. You must use the highest VLANs first.
For example, use VLAN 4090, then VLAN 4089, and so forth.

Caution If you move a FlexWAN module from one slot to another on the same switch, it will allocate another
block of VLANs without deleting the previous block. You should reboot the switch if you move the
FlexWAN module.

Creating Extended-Range VLANs


To create extended-range VLANs, you must first enable MAC address reduction, which provides IDs
for extended-range VLANs. After you enable MAC address reduction, you cannot disable it as long as
any extended-range VLANs exist.

Note If you wish to use extended-range VLANs and you have existing 802.1Q-to-ISL mappings in your
system, you must delete the mappings. See the “Deleting 802.1Q-to-ISL VLAN Mappings” section
on page 11-11 for more information.


To enable MAC address reduction and create an Ethernet VLAN in the extended range, perform this task
in privileged mode:

Task Command
Step 1 Enable MAC address reduction. set spantree macreduction {enable | disable}
Step 2 Create a VLAN. set vlan vlan
Step 3 Verify the VLAN configuration. show vlan [vlan]

This example shows how to enable MAC address reduction and create an extended-range Ethernet
VLAN:
Console> (enable) set spantree macreduction enable
MAC address reduction enabled
Console> (enable) set vlan 2000
Vlan 2000 configuration successful
Console> (enable) show vlan 2000
VLAN Name Status IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
2000 VLAN2000 active 61

VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
2000 enet 102000 1500 - - - - - 0 0

VLAN Inst DynCreated RSPAN


---- ---- ---------- --------
2000 - static disabled

VLAN AREHops STEHops Backup CRF 1q VLAN


---- ------- ------- ---------- -------
Console> (enable)
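
The VLAN ranges of Table 11-1 and the extended-range guidelines above (MAC address reduction first, no existing dot1q-to-isl mappings, leave the internal block that starts at VLAN 1025 to FlexWAN modules and routed ports, allocate from the top of the range down) are easy to get wrong by hand. The following Python pre-flight check, added here and not Cisco code, encodes them for a planned set vlan command. It assumes the operator supplies the switch state (whether MAC address reduction is enabled, how many dot1q-to-isl mappings exist, how many internal VLANs the FlexWAN modules and routed ports will take from 1025 upward, and which VLAN IDs already exist) and that all VLANs are Ethernet VLANs. The default SAID computation follows Table 11-2.

```python
# Added example (not Cisco code): a pre-flight check for 'set vlan' that encodes the
# VLAN ranges of Table 11-1 and the extended-range guidelines from this chapter.
# Assumptions: switch state is supplied by the operator; all VLANs are Ethernet;
# 'existing' is the set of VLAN IDs already present on the switch.
from dataclasses import dataclass, field

INTERNAL_BLOCK_START = 1025  # FlexWAN/routed-port internal VLANs are allocated from here


@dataclass
class SwitchState:
    mac_reduction: bool = False        # set spantree macreduction enable?
    dot1q_isl_mappings: int = 0        # number of 802.1Q-to-ISL mappings present
    internal_vlans_needed: int = 0     # VLANs FlexWAN/routed ports will take from 1025 upward
    existing: set = field(default_factory=lambda: {1, 1002, 1003, 1004, 1005})


def classify(vlan):
    """Return (range description, propagated by VTP) for a VLAN ID per Table 11-1."""
    if vlan in (0, 4095):
        return "reserved (system use only)", None
    if vlan == 1:
        return "normal (default VLAN, cannot be deleted)", True
    if 2 <= vlan <= 1000:
        return "normal", True
    if vlan == 1001:
        return "normal (cannot be created or used)", True
    if 1002 <= vlan <= 1005:
        return "reserved (FDDI/Token Ring defaults)", None
    if 1006 <= vlan <= 1024:
        return "reserved (mappable to nonreserved VLANs)", None
    if 1025 <= vlan <= 4094:
        return "extended", False
    raise ValueError(f"VLAN {vlan} is outside 0-4095")


def default_said(vlan):
    """Default SAID is 100,000 plus the VLAN number (Table 11-2)."""
    return 100000 + vlan


def internal_block(state):
    """VLAN IDs that FlexWAN modules / routed ports will take, starting at 1025."""
    n = state.internal_vlans_needed
    return set(range(INTERNAL_BLOCK_START, INTERNAL_BLOCK_START + n))


def check_set_vlan(vlan, state):
    """Return the reasons 'set vlan <vlan>' would fail or is unsafe; [] means go ahead."""
    problems = []
    name, _ = classify(vlan)
    if name.startswith("reserved") or vlan == 1001:
        problems.append(f"VLAN {vlan} is in the {name} range and cannot be created")
    if vlan == 1:
        problems.append("VLAN 1 cannot be configured or modified")
    if 1025 <= vlan <= 4094:
        if not state.mac_reduction:
            problems.append("enable MAC address reduction (set spantree macreduction enable) first")
        if state.dot1q_isl_mappings:
            problems.append("delete the existing dot1q-to-isl mappings before using extended-range VLANs")
        if vlan in internal_block(state):
            lo = INTERNAL_BLOCK_START
            hi = INTERNAL_BLOCK_START + state.internal_vlans_needed - 1
            problems.append(f"VLAN {vlan} lies in the internal block {lo}-{hi} needed by FlexWAN/routed ports")
    if vlan in state.existing:
        problems.append(f"VLAN {vlan} already exists (set vlan would modify it, not create it)")
    return problems


def next_free_extended(state):
    """Highest unused extended-range VLAN, per the 'use 4090, then 4089' guideline."""
    taken = state.existing | internal_block(state)
    for vlan in range(4094, INTERNAL_BLOCK_START - 1, -1):
        if vlan not in taken:
            return vlan
    return None


if __name__ == "__main__":
    st = SwitchState(mac_reduction=True, internal_vlans_needed=10)
    print(check_set_vlan(2000, st))        # []
    print(check_set_vlan(1030, st))        # internal block 1025-1034
    print(next_free_extended(st))          # 4094
```

The check deliberately reports every applicable problem rather than stopping at the first, so a change ticket can list all prerequisites for an extended-range VLAN in one pass.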

Mapping VLANs to VLANs


You can map VLANs to other VLANS on the Catalyst 6000 family switches in two ways:

Note If the list of VLANs does not match in both switches, packet loss might occur.

1. From non-Cisco devices in your network using VLANs 1006–1024 to nonreserved VLANs on the
Catalyst 6000 family switches.
2. From VLANs on non-Cisco devices on 802.1Q trunks to ISL trunks on the Catalyst 6000 family
switches.

Note If you use method 1, you can use extended-range VLANs (1025–4094) on the switch; if you use
method 2, you can retain mappings from a previous Catalyst 6000 family software release but you
cannot use extended-range VLANs.

This section describes how to map VLANs to VLANs:
• Mapping Reserved VLANs to Nonreserved VLANs, page 11-9
• Deleting Reserved-to-Nonreserved VLAN Mappings, page 11-10
• Mapping 802.1Q VLANs to ISL VLANs, page 11-10
• Deleting 802.1Q-to-ISL VLAN Mappings, page 11-11

Mapping Reserved VLANs to Nonreserved VLANs


You can map reserved-range VLANs to any nonreserved VLANs that are not in use. Nonreserved
VLANs are any VLANs that are not reserved by Cisco; this includes normal-range and extended-range
VLANs.

Note If you have dot1q-to-isl VLAN mappings from a previous Catalyst 6000 family switch software
release, you cannot use the mapped VLANs to map reserved VLANs to nonreserved VLANs.
Optionally, you can clear the dot1q-to-isl mappings and then use those reserved VLANs.

These restrictions apply when mapping reserved VLANs to nonreserved VLANs:


• You can create up to eight reserved-to-nonreserved VLAN mappings on the switch.
• You can only map Ethernet VLANs to Ethernet VLANs.
• Reserved VLAN mappings are local to each switch. You must configure the VLAN mappings on all
applicable switches in the network.
To map a reserved VLAN to a nonreserved VLAN, perform this task in privileged mode:

Task Command
Step 1 If necessary, clear old dot1q-to-isl VLAN mappings. clear vlan mapping dot1q all
Step 2 Map a reserved VLAN to a nonreserved VLAN. set vlan mapping reserved {reserved_vlan} non-reserved {nonreserved_vlan}
Step 3 Verify the VLAN mapping. show vlan mapping

This example shows how to clear old VLAN mappings, map a reserved VLAN, and verify the mappings
on the mapping table:
Console> (enable) clear vlan mapping dot1q all
All dot1q vlan mapping entries deleted
Console> (enable) set vlan mapping reserved 1020 non-reserved 4070
Vlan 1020 successfully mapped to 4070.
Console> (enable) show vlan mapping
Reserved vlan Non-Reserved vlan Effective
----------------------------------------------------
1008 63 false
1010 4065 true
1011 4066 true
1020 4070 true

The Effective column in the mapping table indicates whether the mapping has taken effect (that is, true
or false). Mappings that are marked true can be used by the system. Mappings marked false cannot be
used by the system.

Note Reserved VLAN mappings are entered on the table in the order in which you map them. If you delete
a mapping, the line where it existed will not display on the table. However, the next mapping you
create will appear where the old one was deleted.


Deleting Reserved-to-Nonreserved VLAN Mappings


To clear the mappings for reserved-to-nonreserved VLAN mappings, you can delete the mappings one
at a time or all at once.
When you clear all entries from the mapping table at once, the table is completely cleared and the
nonreserved VLANs still exist in the list of VLANs.
To delete reserved VLAN mappings, perform this task in privileged mode:

Task Command
Step 1 Clear the reserved VLAN. clear vlan mapping reserved {reserved_vlan | all}
Step 2 Clear the nonreserved VLAN. clear vlan vlan
Step 3 Verify the mapping table entry has been cleared. show vlan mapping

This example shows how to clear a single mapping:


Console> (enable) clear vlan mapping reserved 1010
Vlan 1010 mapping entry deleted
Console> (enable)

This example shows how to clear all reserved VLAN mappings:


Console> (enable) clear vlan mapping reserved all
All reserved vlan mapping entries deleted
Console> (enable)

Mapping 802.1Q VLANs to ISL VLANs


Your network might have non-Cisco devices connected to the Catalyst 6000 family switches through
802.1Q trunks or traffic from a non-Cisco switch that has VLANs in the Catalyst 6000 family reserved
range, 1002–1024.
The valid range of user-configured Inter-Switch Link (ISL) VLANs is 1–1000. The valid range of
VLANs specified in the IEEE 802.1Q standard is 0–4095. In a network environment with non-Cisco
devices connected to Cisco switches through 802.1Q trunks, you can map 802.1Q VLAN numbers
greater than 1000 to ISL VLAN numbers. Note that if you use any VLANs in the extended range
(1025–4094) for dot1q mappings, you cannot use any of the extended-range VLANs for any other
purpose.
802.1Q VLANs in the range 1–1000 are automatically mapped to the corresponding ISL VLAN. 802.1Q
VLAN numbers greater than 1000 must be mapped to an ISL VLAN in order to be recognized and
forwarded by Cisco switches.
These restrictions apply when mapping 802.1Q VLANs to ISL VLANs:
• If there are any extended-range VLANs present on the switch, you cannot map any new 802.1Q
VLANs to ISL VLANs.
• You can configure up to eight 802.1Q-to-ISL VLAN mappings on the switch.
• You can only map 802.1Q VLANs to Ethernet-type ISL VLANs.
• Do not enter the native VLAN of any 802.1Q trunk in the mapping table.


• When you map an 802.1Q VLAN to an ISL VLAN, traffic on the 802.1Q VLAN corresponding to
the mapped ISL VLAN is blocked. For example, if you map 802.1Q VLAN 2000 to ISL
VLAN 200, traffic on 802.1Q VLAN 200 is blocked.
• VLAN mappings are local to each switch. Make sure you configure the same VLAN mappings on
all appropriate switches in the network.
To map an 802.1Q VLAN to an ISL VLAN, perform this task in privileged mode:

Task Command
Step 1 Map an 802.1Q VLAN to an ISL Ethernet VLAN. The valid range for dot1q_vlan is 1001–4095. The valid range for isl_vlan is 1–1000. set vlan mapping dot1q dot1q_vlan isl isl_vlan
Step 2 Verify the VLAN mapping. show vlan mapping
Step 2 Verify the VLAN mapping. show vlan mapping

This example shows how to map 802.1Q VLANs 2000, 3000, and 4000 to ISL VLANs 200, 300, and
400, and verify the configuration:
Console> (enable) set vlan mapping dot1q 2000 isl 200
802.1q vlan 2000 is existent in the mapping table
Console> (enable) set vlan mapping dot1q 3000 isl 300
Vlan mapping successful
Console> (enable) set vlan mapping dot1q 4000 isl 400
Vlan mapping successful
Console> (enable) show vlan mapping
802.1q vlan ISL vlan Effective
------------------------------------------
2000 200 true
3000 300 true
4000 400 true
Console> (enable)

Deleting 802.1Q-to-ISL VLAN Mappings


To delete an 802.1Q-to-ISL VLAN mapping, perform this task in privileged mode:

Task Command
Step 1 Delete an 802.1Q-to-ISL VLAN mapping. clear vlan mapping dot1q {dot1q_vlan | all}
Step 2 Verify the VLAN mapping. show vlan mapping

This example shows how to delete the VLAN mapping for 802.1Q VLAN 2000:
Console> (enable) clear vlan mapping dot1q 2000
Vlan 2000 mapping entry deleted
Console> (enable)

This example shows how to delete all 802.1Q-to-ISL VLAN mappings:


Console> (enable) clear vlan mapping dot1q all
All vlan mapping entries deleted
Console> (enable)
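
Both mapping tables in this section carry restrictions that the switch only reports one at a time (eight entries per table, the 1001–4095 and 1–1000 operand ranges, no new 802.1Q-to-ISL mappings once extended-range VLANs exist, never the native VLAN of an 802.1Q trunk, and the side effect that mapping 802.1Q VLAN 2000 to ISL VLAN 200 blocks traffic on 802.1Q VLAN 200). The following Python validator, added here and not Cisco code, applies those rules for both the reserved-to-nonreserved mappings of the earlier subsection and the 802.1Q-to-ISL mappings above, so a batch of mapping commands can be reviewed before it is entered. It assumes all VLANs are Ethernet VLANs, that the caller supplies the existing VLAN IDs and the native VLANs of the switch's 802.1Q trunks, and it does not model the Effective column.

```python
# Added example (not Cisco code): a validator for the two VLAN mapping tables described
# in this section, applying the restrictions listed in the guide before a mapping is
# entered. Assumptions: all VLANs are Ethernet; the caller supplies existing VLAN IDs and
# the native VLANs of the 802.1Q trunks; the 'Effective' column is not modeled.
MAX_MAPPINGS = 8  # per mapping table


class VlanMappingTable:
    def __init__(self, existing_vlans, dot1q_native_vlans=()):
        self.existing = set(existing_vlans)
        self.native = set(dot1q_native_vlans)
        self.reserved_map = {}  # reserved VLAN (1006-1024) -> nonreserved VLAN
        self.dot1q_map = {}     # 802.1Q VLAN (1001-4095) -> ISL VLAN (1-1000)

    def has_extended_vlans(self):
        return any(1025 <= v <= 4094 for v in self.existing)

    def map_reserved(self, reserved_vlan, nonreserved_vlan):
        """set vlan mapping reserved R non-reserved N. Returns (errors, warnings)."""
        errors, warnings = [], []
        if not 1006 <= reserved_vlan <= 1024:
            errors.append(f"{reserved_vlan} is not a mappable reserved VLAN (1006-1024)")
        if not (2 <= nonreserved_vlan <= 1000 or 1025 <= nonreserved_vlan <= 4094):
            errors.append(f"{nonreserved_vlan} is not a nonreserved VLAN")
        if nonreserved_vlan in self.existing or nonreserved_vlan in self.reserved_map.values():
            errors.append(f"VLAN {nonreserved_vlan} is already in use")
        if nonreserved_vlan in self.dot1q_map or nonreserved_vlan in self.dot1q_map.values():
            errors.append(f"VLAN {nonreserved_vlan} is used by a dot1q-to-isl mapping; clear it first")
        if len(self.reserved_map) >= MAX_MAPPINGS and reserved_vlan not in self.reserved_map:
            errors.append(f"at most {MAX_MAPPINGS} reserved-to-nonreserved mappings are allowed")
        if not errors:
            self.reserved_map[reserved_vlan] = nonreserved_vlan
        return errors, warnings

    def map_dot1q(self, dot1q_vlan, isl_vlan):
        """set vlan mapping dot1q D isl I. Returns (errors, warnings)."""
        errors, warnings = [], []
        if not 1001 <= dot1q_vlan <= 4095:
            errors.append(f"dot1q_vlan {dot1q_vlan} must be 1001-4095 (1-1000 map automatically)")
        if not 1 <= isl_vlan <= 1000:
            errors.append(f"isl_vlan {isl_vlan} must be 1-1000")
        if self.has_extended_vlans():
            errors.append("extended-range VLANs exist; new dot1q-to-isl mappings are not allowed")
        if dot1q_vlan in self.native:
            errors.append(f"{dot1q_vlan} is the native VLAN of an 802.1Q trunk and must not be mapped")
        if dot1q_vlan in self.dot1q_map:
            errors.append(f"802.1q vlan {dot1q_vlan} is existent in the mapping table")
        if len(self.dot1q_map) >= MAX_MAPPINGS:
            errors.append(f"at most {MAX_MAPPINGS} 802.1Q-to-ISL mappings are allowed")
        if not errors:
            self.dot1q_map[dot1q_vlan] = isl_vlan
            # Side effect documented in the guide: the 802.1Q VLAN with the ISL number is blocked.
            warnings.append(f"traffic on 802.1Q VLAN {isl_vlan} is now blocked on 802.1Q trunks")
        return errors, warnings

    def clear_dot1q(self, dot1q_vlan=None):
        """clear vlan mapping dot1q {dot1q_vlan | all}."""
        if dot1q_vlan is None:
            self.dot1q_map.clear()
        else:
            self.dot1q_map.pop(dot1q_vlan, None)

    def clear_reserved(self, reserved_vlan=None):
        """clear vlan mapping reserved {reserved_vlan | all}."""
        if reserved_vlan is None:
            self.reserved_map.clear()
        else:
            self.reserved_map.pop(reserved_vlan, None)


if __name__ == "__main__":
    t = VlanMappingTable(existing_vlans={1, 200, 300, 400, 1002, 1003, 1004, 1005},
                         dot1q_native_vlans={1})
    print(t.map_dot1q(2000, 200))   # ([], ['traffic on 802.1Q VLAN 200 is now blocked ...'])
    print(t.map_dot1q(2000, 200))   # (['802.1q vlan 2000 is existent in the mapping table'], [])
```

The warning returned for each successful 802.1Q-to-ISL mapping is worth surfacing in change review: it names the 802.1Q VLAN whose traffic the mapping silently blocks, which is the part of this feature that most often surprises operators.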


Assigning Switch Ports to a VLAN


A VLAN created in a management domain remains unused until you assign one or more switch ports to
the VLAN. You can create a new VLAN and then specify the module and ports later, or you can create
the VLAN and specify the module and ports in a single step.

Note Make sure you assign switch ports to a VLAN of the proper type. For example, assign Ethernet, Fast
Ethernet, and Gigabit Ethernet ports to Ethernet-type VLANs.

To assign one or more switch ports to a VLAN, perform this task in privileged mode:

Task Command
Step 1 Assign one or more switch ports to a VLAN. set vlan vlan mod/port
Step 2 Verify the port VLAN membership. show vlan [vlan]
show port [mod[/port]]

This example shows how to assign switch ports to a VLAN and verify the assignment:
Console> (enable) set vlan 560 4/10
VLAN 560 modified.
VLAN 1 modified.
VLAN Mod/Ports
---- -----------------------
560 4/10

Console> (enable) show vlan 560


VLAN Name Status IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
560 Engineering active 348 4/10
VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
560 enet 100560 1500 - - - - - 0 0
VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
Console> (enable) show port 4/10
Port Name Status Vlan Duplex Speed Type
----- ------------------ ---------- ---------- ------ ----- ------------
4/10 connected 560 a-half a-100 10/100BaseTX

Port AuxiliaryVlan AuxVlan-Status


----- ------------- --------------
4/10 none none

<...output truncated...>

Last-Time-Cleared
--------------------------
Tue Jun 6 2000, 16:45:18
Console> (enable)


Deleting a VLAN
Follow these guidelines for deleting VLANs:
• When you delete a normal-range Ethernet VLAN in VTP server mode, the VLAN is removed from
all switches in the VTP domain.
• When you delete a normal-range VLAN in VTP transparent mode, the VLAN is deleted only on the
current switch.
• You can delete an extended-range VLAN only on the switch where it was created.
• To delete a Token Ring TrBRF VLAN, you must first reassign its child TrCRFs to another parent
TrBRF, or delete the child TrCRFs.

Caution When you delete a VLAN, any ports assigned to that VLAN become inactive. Such ports remain
associated with the VLAN (and thus inactive) until you assign them to a new VLAN.

You can delete a single VLAN or a range of VLANs. To delete a VLAN on the switch, perform this task
in privileged mode:

Task Command
Delete a VLAN. clear vlan vlan

This example shows how to delete a VLAN (in this case, the switch is a VTP server):
Console> (enable) clear vlan 500
This command will deactivate all ports on vlan(s) 500
Do you want to continue(y/n) [n]?y
Vlan 500 deleted
Console> (enable)

The switch displays a similar warning for a normal-range VLAN, noting that the ports are deactivated throughout the management domain:
This command will deactivate all ports on vlan(s) 10
All ports on normal range vlan(s) 10
will be deactivated in the entire management domain.
Do you want to continue(y/n) [n]?

Configuring Private VLANs


These sections describe how private VLANs work:
• Understanding How Private VLANs Work, page 11-14
• Private VLAN Configuration Guidelines, page 11-15
• Creating a Primary Private VLAN, page 11-18
• Viewing the Port Capability of a Private VLAN Port, page 11-21
• Deleting a Private VLAN, page 11-22
• Deleting an Isolated, Community, or Two-Way Community VLAN, page 11-22
• Deleting a Private VLAN Mapping, page 11-23
• Private VLAN Support on the MSFC, page 11-23


Understanding How Private VLANs Work


Private VLANs provide Layer-2 isolation between ports within the same private VLAN on the
Catalyst 6000 family switches. Ports belonging to a private VLAN are associated with a common set of
supporting VLANs that are used to create the private VLAN structure.
There are three types of private VLAN ports: promiscuous, isolated, and community.
• A promiscuous port communicates with all other private VLAN ports and is the port you use to
communicate with routers, LocalDirector, backup servers, and administrative workstations.
• An isolated port has complete Layer 2 separation from other ports within the same private VLAN
with the exception of the promiscuous port.
• Community ports communicate among themselves and with their promiscuous ports. These ports
are isolated at Layer 2 from all other ports in other communities or isolated ports within their private
VLAN.
Privacy is granted at the Layer 2 level by blocking outgoing traffic to all isolated ports. All isolated ports
are assigned to an isolated VLAN where this hardware function occurs. Traffic received from an isolated
port is forwarded to all promiscuous ports only.
Within a private VLAN are four distinct classifications of VLANs: a single primary VLAN, a single
isolated VLAN, and a series of community or two-way community VLANs.
You must define each supporting VLAN within a private VLAN structure before you can configure the
private VLAN:
• Primary VLAN—Conveys incoming traffic from the promiscuous port to all other promiscuous,
isolated, community, and two-way community ports.
• Isolated VLAN—Used by isolated ports to communicate to the promiscuous ports. The traffic from
an isolated port is blocked on all adjacent ports within its PVLAN and can only be received by its
promiscuous ports.
• Community VLAN—Unidirectional VLAN used by a group of community ports to communicate
among themselves and transmit traffic to outside the PVLAN through the designated promiscuous
port.
• Two-way community VLAN—Bidirectional VLAN used by a group of community ports to
communicate among themselves and to and from community ports from and to the Multilayer
Switch Feature Card (MSFC).

Note With software release 6.2(1) and later releases, you can use two-way community VLANs
to perform an inverse mapping from the primary VLAN to the secondary VLAN when
the traffic crosses the boundary of a private VLAN through an MSFC promiscuous port.
Both outbound and inbound traffic can be carried on the same VLAN allowing
VLAN-based features such as VACLs to be applied in both directions on a
per-community (per customer) basis.

To create a private VLAN, you assign two or more normal VLANs in the normal VLAN range: one
VLAN is designated as a primary VLAN, and a second VLAN is designated as either an isolated,
community, or two-way community VLAN. If you choose, you can then designate additional VLANs as
separate isolated, community, or two-way community VLANs in this private VLAN. After designating
the VLANs, you must bind them together and associate them to the promiscuous port.
You can extend private VLANs across multiple Ethernet switches by trunking the primary, isolated, and
any community or two-way community VLANs to other switches that support private VLANs.

Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4


11-14 78-13315-02
Chapter 11 Configuring VLANs
Configuring Private VLANs

In an Ethernet-switched environment, you can assign an individual VLAN and associated IP subnet to
each individual or common group of stations. The servers only require the ability to communicate with
a default gateway to gain access to end points outside the VLAN itself. By incorporating these stations,
regardless of ownership, into one private VLAN, you can do the following:
• Designate the server ports as isolated to prevent any interserver communication at Layer 2.
• Designate the ports to which the default gateway(s), backup server, or LocalDirector are attached as
promiscuous to allow all stations to have access to these gateways.
• Reduce VLAN consumption. You only need to allocate one IP subnet to the entire group of stations
because all stations reside in one common private VLAN.
On an MSFC port or a nontrunk promiscuous port, you can remap as many isolated or community
VLANs as desired; however, while a nontrunk promiscuous port can remap to only one primary VLAN,
an MSFC port does not have this limitation. An MSFC port can only connect an MSFC router. With a
nontrunk promiscuous port, you can connect a wide range of devices as “access points” to a private
VLAN. For example, you can connect a nontrunk promiscuous port to the “server port” of a
LocalDirector to remap a number of isolated or community VLANs to the server VLAN so that the
LocalDirector can load balance the servers present in the isolated or community VLANs, or you can use
a nontrunk promiscuous port to monitor and/or back up all the private VLAN servers from an
administration workstation.

Note A two-way community VLAN can only be mapped on the MSFC promiscuous port (it cannot be
mapped on nontrunk or other types of promiscuous ports).

Private VLAN Configuration Guidelines


Follow these guidelines to configure private VLANs:

Note In this section, the term community VLAN is used for both unidirectional community VLANs and
two-way community VLANs unless specifically differentiated.

• Designate one VLAN as the primary VLAN.


• You have the option of designating one VLAN as an isolated VLAN, but you can only use one
isolated VLAN.
• You have the option of using private VLAN communities; if you do, you need to designate a
community VLAN for each community.
• Bind the isolated and/or community VLAN(s) to the primary VLAN and assign the isolated or
community ports. You will achieve these results:
– Isolated/community VLAN spanning tree properties are set to those of the primary VLAN.
– VLAN membership becomes static.
– Access ports become host ports.
– BPDU guard protection is activated.
• Set up the automatic VLAN translation that maps the isolated and community VLANs to the primary
VLAN on the promiscuous port(s). Set the nontrunk ports or the MSFC ports as promiscuous ports.
• You must set VTP to transparent mode.

• After you configure a private VLAN, you cannot change the VTP mode to client or server mode,
because VTP does not support private VLAN types and mapping propagation.
• You can configure VLANs as primary, isolated, or community only if no access ports are currently
assigned to the VLAN. Enter the show port command to verify that the VLAN has no access ports
assigned to it.
• A primary VLAN can have one isolated VLAN and/or multiple communities associated with it.
• An isolated or community VLAN can have only one primary VLAN associated with it.
• Private VLANs can use VLANs 2 through 1000 and 1025 through 4096.
• If you delete either the primary or secondary VLAN, the ports associated with the VLAN become
inactive.
• When configuring private VLANs, note the hardware and software interactions:
– You cannot use the inband port, sc0, in a private VLAN.

Note With software release 6.3(1) and later releases, the sc0 port can be configured as a private
VLAN port; however, it cannot be configured as a promiscuous port.

– Private VLAN ports cannot be set to trunking mode, cannot be channeled, and cannot have dynamic
VLAN membership, with the exception of MSFC ports, which always have trunking activated.
– On the modules listed in Table 11-3, ports that share an ASIC cannot be configured so that one port
is a trunk, a promiscuous port, or a SPAN destination while another port on the same ASIC is an
isolated or community port. (A promiscuous port can be defined in the same ASIC as a trunk port,
but not in the same ASIC as an isolated or community port.)
If you attempt such a configuration, a warning message is displayed and the command is rejected.

Table 11-3 Modules with Ports Listed by ASIC Groups

Module Number        Description                     Ports by ASIC
WS-X6224-100FX-MT    24-port 100FX Multimode MT-RJ   Ports 1–12, 13–24, 25–36, 37–48
WS-X6248-RJ-45       48-port 10/100TX RJ-45          Ports 1–12, 13–24, 25–36, 37–48
WS-X6248-TEL         48-Port 10/100TX RJ-21          Ports 1–12, 13–24, 25–36, 37–48
WS-X6348-RJ-45       48-port 10/100TX RJ-45          Ports 1–12, 13–24, 25–36, 37–48
WS-X6024-10FL-MT     24-port 10BASE-FL MT-RJ         Ports 1–12, 13–24

• Isolated and community ports should run BPDU guard features to prevent spanning tree loops due
to misconfigurations.
• Primary VLANs and associated isolated/community VLANs must have the same spanning tree
configuration. This configuration maintains consistent spanning tree topologies between associated
primary, isolated, and community VLANs and avoids possible loss of connectivity. These priorities
and parameters automatically propagate from the primary VLAN to the isolated and community
VLANs.
• You can create private VLANs that run in MISTP mode as follows:
– If you disable MISTP, any change to the configuration of a primary VLAN propagates to all
corresponding isolated and community VLANs, and you cannot change the isolated or
community VLANs.
– If you enable MISTP, you can only configure the MISTP instance with the primary VLAN.
Changes will be applied to the primary VLAN and will propagate to the isolated and community
VLANs.
• In networks with some switches using MAC address reduction, and others not using MAC address
reduction, STP parameters do not necessarily propagate to ensure that the spanning tree topologies
match. You should manually check the STP configuration to ensure that the primary, isolated, and
community VLANs’ spanning tree topologies match.
• If you enable MAC address reduction on a Catalyst 6000 series switch, you might want to enable
MAC address reduction on all the switches in your network to ensure that the STP topologies of the
private VLANs match. Otherwise, in a network where private VLANs are configured, if you enable
MAC address reduction on some switches and disable it on others (mixed environment), you will
have to use the default bridge priorities to make sure that the root bridge is common to the primary
VLAN and to all its associated isolated and community VLANs. Be consistent with the ranges
employed by the MAC address reduction feature regardless of whether it is enabled on the system.
MAC address reduction allows only discrete levels and uses all intermediate values internally as a
range. You should disable a root bridge with private VLANs and MAC address reduction, and
configure the root bridge with any priority higher than the highest priority range used by any
nonroot bridge.
• BPDU guard mode is system wide and is enabled after you add the first port to a private VLAN.
• You cannot configure a destination SPAN port as a private VLAN port and vice versa.
• A source SPAN port can belong to a private VLAN.
• You can use VLAN-based SPAN (VSPAN) to span primary, isolated, and community VLANs
together, or use SPAN on only one VLAN to separately monitor egress or ingress traffic.
• You cannot use a remote SPAN VLAN (RSPAN) for a private VLAN.

• IGMP snooping and multicast shortcuts are not supported in private VLANs.
• You cannot enable EtherChannel on isolated, community, or promiscuous ports.
• You can apply different VACLs and quality of service (QoS) ACLs to primary, isolated, and
community VLANs.

Note For information on configuring ACLs, see the “Configuring ACLs on Private VLANs”
section on page 16-26.

• Output ACLs need to be configured on both the two-way community VLANs and the primary
VLAN in order to be applied to all outgoing traffic from the MSFC.
• If you map a Cisco IOS ACL to a primary VLAN, the Cisco IOS ACL automatically maps to the
associated isolated and community VLANs.
• You cannot map Cisco IOS ACLs to an isolated or community VLAN.
• You cannot use policy-based routing (PBR) on a private VLAN interface. You get an error message
if you try to apply a policy to a private VLAN interface using the ip policy route-map
route_map_name command.
• You cannot set a VLAN to a private VLAN if the VLAN has dynamic access control entries (ACEs)
configured on it.
• You can stop Layer 3 switching on an isolated or community VLAN by destroying the binding of
that VLAN with its primary VLAN. Deleting the corresponding mapping is not sufficient.

Creating a Primary Private VLAN


To create a primary private VLAN, perform this task in privileged mode:

Step 1 Create the primary private VLAN.
    set vlan vlan pvlan-type primary
Step 2 Set the isolated, community, or two-way community VLAN(s).
    set vlan vlan pvlan-type {isolated | community | twoway-community}
Step 3 Bind the isolated, community, or two-way community VLAN(s) to the primary VLAN.
    set pvlan primary_vlan {isolated_vlan | community_vlan | twoway_community_vlan}
Step 4 Associate the isolated, community, or two-way community port(s) to the primary private VLAN.
    set pvlan primary_vlan {isolated_vlan | community_vlan | twoway_community_vlan} [mod/ports | sc0]
Step 5 Map the isolated, community, or two-way community VLAN to the primary private VLAN on the
promiscuous port.
    set pvlan mapping primary_vlan {isolated_vlan | community_vlan | twoway_community_vlan} mod/ports
Step 6 Verify the primary private VLAN configuration.
    show pvlan [vlan]
    show pvlan mapping
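The following Python is added here and is not part of Cisco's guide: it checks a planned private VLAN against the guidelines in the previous section (one isolated VLAN per primary, the VLAN ranges, VTP transparent mode, the sc0 and two-way community restrictions, and the Table 11-3 rule that a trunk, promiscuous port or SPAN destination must not share an ASIC with an isolated or community port) and then emits the Step 1 through Step 6 command sequence. The design model is an assumption of this example, as are the 12-port ASIC grouping taken from Table 11-3 and the MSFC port numbers 15/1 and 16/1 taken from the Note below.

```python
# Added example, not Cisco's code: validate a planned Catalyst 6000 private VLAN
# design against the guidelines in this section, then emit the CatOS commands of
# the "Creating a Primary Private VLAN" task table. Assumptions: ASIC port groups
# are 12 wide as in Table 11-3; the MSFC promiscuous port is 15/1 or 16/1.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ASIC_GROUP_SIZE = 12            # Table 11-3: ports 1-12, 13-24, 25-36, 37-48
MSFC_PORTS = {"15/1", "16/1"}   # MSFC mod/port for a supervisor in slot 1 or 2

def asic_group(port: str) -> Optional[Tuple[str, int]]:
    """(module, asic index) for a mod/port string; None for sc0 and MSFC ports."""
    if port == "sc0" or port in MSFC_PORTS:
        return None
    mod, num = port.split("/")
    return mod, (int(num) - 1) // ASIC_GROUP_SIZE

def in_pvlan_range(vlan: int) -> bool:
    """Guideline: private VLANs can use VLANs 2-1000 and 1025-4096."""
    return 2 <= vlan <= 1000 or 1025 <= vlan <= 4096

@dataclass
class Secondary:
    vlan: int
    kind: str                       # "isolated" | "community" | "twoway-community"
    host_ports: List[str] = field(default_factory=list)   # e.g. ["4/4", "4/5"]

@dataclass
class PvlanDesign:
    primary: int
    secondaries: List[Secondary]
    promiscuous: Dict[str, List[int]]   # promiscuous port -> secondary VLANs mapped on it
    trunk_ports: Set[str] = field(default_factory=set)
    span_dest_ports: Set[str] = field(default_factory=set)
    vtp_mode: str = "transparent"

def validate(d: PvlanDesign) -> List[str]:
    """Return guideline violations; an empty list means the design is acceptable."""
    errors: List[str] = []
    if d.vtp_mode != "transparent":
        errors.append("VTP must be in transparent mode")
    for v in [d.primary] + [s.vlan for s in d.secondaries]:
        if not in_pvlan_range(v):
            errors.append(f"VLAN {v} is outside the private VLAN range")
    if sum(s.kind == "isolated" for s in d.secondaries) > 1:
        errors.append("a primary VLAN can have only one isolated VLAN")
    by_vlan: Dict[int, Secondary] = {}
    host_by_asic: Dict[Tuple[str, int], List[str]] = {}
    for s in d.secondaries:
        if s.vlan in by_vlan:
            errors.append(f"VLAN {s.vlan} is bound more than once")
        by_vlan[s.vlan] = s
        for p in s.host_ports:    # isolated/community (host) ports, grouped by ASIC
            if p in d.trunk_ports or p in d.span_dest_ports:
                errors.append(f"{p}: trunk ports and SPAN destinations cannot be private VLAN ports")
            g = asic_group(p)
            if g is not None:
                host_by_asic.setdefault(g, []).append(p)
    # Promiscuous ports: never sc0; two-way community only on the MSFC port;
    # every mapped VLAN must be a secondary bound to this primary.
    for p, vlans in d.promiscuous.items():
        if p == "sc0":
            errors.append("sc0 cannot be configured as a promiscuous port")
        for v in vlans:
            s = by_vlan.get(v)
            if s is None:
                errors.append(f"{p}: mapped VLAN {v} is not bound to primary {d.primary}")
            elif s.kind == "twoway-community" and p not in MSFC_PORTS:
                errors.append(f"{p}: two-way community VLAN {v} can only be mapped on the MSFC port")
    # ASIC rule (Table 11-3 modules): a trunk, promiscuous port or SPAN destination
    # must not share an ASIC with an isolated or community port.
    for c in sorted(d.trunk_ports | d.span_dest_ports | set(d.promiscuous)):
        g = asic_group(c)
        if g is not None and g in host_by_asic:
            errors.append(f"{c} shares an ASIC with private VLAN port(s) {','.join(host_by_asic[g])}")
    return errors

def commands(d: PvlanDesign) -> List[str]:
    """CatOS commands in the order of Steps 1 to 6 of the task table."""
    out = [f"set vlan {d.primary} pvlan-type primary"]                        # Step 1
    out += [f"set vlan {s.vlan} pvlan-type {s.kind}" for s in d.secondaries]   # Step 2
    for s in d.secondaries:                                                    # Steps 3-4
        ports = f" {','.join(s.host_ports)}" if s.host_ports else ""
        out.append(f"set pvlan {d.primary} {s.vlan}{ports}")
    for p, vlans in d.promiscuous.items():                                     # Step 5
        out += [f"set pvlan mapping {d.primary} {v} {p}" for v in vlans]
    return out + [f"show pvlan {d.primary}", "show pvlan mapping"]             # Step 6

# The design used in this section's examples: primary 7, isolated 901 on 4/3,
# communities 902 (4/4-6) and 903 (4/7-9), all mapped on promiscuous port 3/1.
EXAMPLE = PvlanDesign(
    primary=7,
    secondaries=[Secondary(901, "isolated", ["4/3"]),
                 Secondary(902, "community", ["4/4", "4/5", "4/6"]),
                 Secondary(903, "community", ["4/7", "4/8", "4/9"])],
    promiscuous={"3/1": [901, 902, 903]},
)
```

Running validate() before pasting the output of commands() into the console catches the same conflicts that show pvlan capability reports after the fact.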

Note You can bind the isolated, community, or two-way community port(s) and associated isolated,
community, or two-way community VLANs to the private VLAN using the set pvlan primary_vlan
{isolated_vlan | community_vlan | twoway_community_vlan} mod/port command.

Note Ports do not have to be on the same switch as long as the switches are trunk connected and the private
VLAN has not been removed from the trunk.

Note If you are using the MSFC for your promiscuous port in your private VLAN, use 15/1 as the MSFC
mod/port number if the supervisor engine is in slot 1, or use 16/1 if the supervisor engine is in slot 2.

Note You must enter the set pvlan command everywhere a private VLAN needs to be created, which
includes switches with isolated, community, or two-way community ports, switches with
promiscuous ports, and all intermediate switches that need to carry the private VLANs on their
trunks. On the edge switches that do not have any isolated, community, two-way community, or
promiscuous ports (typically, access switches with no private ports), you do not need to create private
VLANs and you can prune the private VLANs from the trunks for security reasons.

This example shows how to specify VLAN 7 as the primary VLAN:
Console> (enable) set vlan 7 pvlan-type primary
Vlan 7 configuration successful
Console> (enable)

This example shows how to specify VLAN 901 as the isolated VLAN and VLANs 902 and 903 as
community VLANs:
Console> (enable) set vlan 901 pvlan-type isolated
Vlan 901 configuration successful
Console> (enable) set vlan 902 pvlan-type community
Vlan 902 configuration successful
Console> (enable) set vlan 903 pvlan-type community
Vlan 903 configuration successful
Console> (enable)

This example shows how to bind VLAN 901 to primary VLAN 7 and assign port 4/3 as the isolated port:
Console> (enable) set pvlan 7 901 4/3
Successfully set the following ports to Private Vlan 7,901: 4/3
Console> (enable)

This example shows how to bind VLAN 902 to primary VLAN 7 and assign ports 4/4 through 4/6 as the
community ports:
Console> (enable) set pvlan 7 902 4/4-6
Successfully set the following ports to Private Vlan 7,902:4/4-6
Console> (enable)

This example shows how to bind VLAN 903 to primary VLAN 7 and assign ports 4/7 through 4/9 as the
community ports:
Console> (enable) set pvlan 7 903
Successfully set association between 7 and 903.
Console> (enable) set pvlan 7 903 4/7-9
Successfully set the following ports to Private Vlan 7,903:4/7-9
Console> (enable)

This example shows how to map the isolated/community VLAN to the primary VLAN on the
promiscuous port, 3/1, for each isolated or community VLAN:
Console> (enable) set pvlan mapping 7 901 3/1
Successfully set mapping between 7 and 901 on 3/1
Console> (enable) set pvlan mapping 7 902 3/1
Successfully set mapping between 7 and 902 on 3/1
Console> (enable) set pvlan mapping 7 903 3/1
Successfully set mapping between 7 and 903 on 3/1

This example shows how to verify the private VLAN configuration:


Console> (enable) show vlan 7
VLAN Name Status IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
7 VLAN0007 active 35 4/4-6
VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
7 enet 100010 1500 - - - - - 0 0
VLAN DynCreated RSPAN
---- ---------- --------
7 static disabled
VLAN AREHops STEHops Backup CRF 1q VLAN
---- ------- ------- ---------- -------
Primary Secondary Secondary-Type Ports
------- --------- ----------------- -----------------
7 901 Isolated 4/3
7 902 Community 4/4-6
7 903 Community 4/7-9

Console> (enable) show vlan 902


VLAN Name Status IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
902 VLAN0007 active 38 4/4-6
VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
7 enet 100010 1500 - - - - - 0 0
VLAN DynCreated RSPAN
---- ---------- --------
7 static disabled
VLAN AREHops STEHops Backup CRF 1q VLAN
---- ------- ------- ---------- -------
Primary Secondary Secondary-Type Ports
------- --------- ----------------- -----------------
7 902 Isolated 4/4-6

Console> (enable) show pvlan


Primary Secondary Secondary-Type Ports
------- --------- -------------- ------------
7 901 isolated 4/3
7 902 community 4/4-6
7 903 community 4/7-9

Console> (enable) show pvlan mapping


Port Primary Secondary
----- -------- ----------
3/1 7 901-903
Console> (enable) show port
Port Name Status Vlan Duplex Speed Type
----- ------------------ ---------- ---------- ------ ----- ------------
...truncated output...
4/3 notconnect 7,901 half 100 100BaseFX MM
4/4 notconnect 7,902 half 100 100BaseFX MM
4/5 notconnect 7,902 half 100 100BaseFX MM
4/6 notconnect 7,902 half 100 100BaseFX MM
4/7 notconnect 7,903 half 100 100BaseFX MM
4/8 notconnect 7,903 half 100 100BaseFX MM
4/9 notconnect 7,903 half 100 100BaseFX MM
... truncated output...

Viewing the Port Capability of a Private VLAN Port


You can view the port capability of a port in a private VLAN using the show pvlan capability mod/port
command.
This example shows the port capability for several ports in the following configuration:
Console> (enable) set pvlan 10 20
Console> (enable) set pvlan mapping 10 20 3/1
Console> (enable) set pvlan mapping 10 20 5/2
Console> (enable) set trunk 5/1 desirable isl 1-1005,1025-4094

Console> (enable) show pvlan capability 5/20


Ports 5/13 - 5/24 are in the same ASIC range as port 5/20.

Port 5/20 can be made a private vlan port.

Console> (enable) show pvlan


Primary Secondary Secondary-Type Ports
------- --------- -------------- ------------
10 20 isolated

Console> (enable) show pvlan capability 3/1


Port 3/1 cannot be made a private vlan port due to:
------------------------------------------------------
Promiscuous ports cannot be made private vlan ports.

Console> (enable) show pvlan capability 5/1
Ports 5/1 - 5/12 are in the same ASIC range as port 5/1.

Port 5/1 cannot be made a private vlan port due to:
------------------------------------------------------
Trunking ports are not Private Vlan capable.
Conflict with Promiscuous port(s) : 5/2

Console> (enable) show pvlan capability 5/2
Ports 5/1 - 5/12 are in the same ASIC range as port 5/2.

Port 5/2 cannot be made a private vlan port due to:
------------------------------------------------------
Promiscuous ports cannot be made private vlan ports.
Conflict with Trunking port(s) : 5/1

Console> (enable) show pvlan capability 5/3
Ports 5/1 - 5/12 are in the same ASIC range as port 5/3.

Port 5/3 cannot be made a private vlan port due to:
------------------------------------------------------
Conflict with Promiscuous port(s) : 5/2
Conflict with Trunking port(s) : 5/1

Console> (enable) show pvlan capability 15/1


Port 15/1 cannot be made a private vlan port due to:
------------------------------------------------------
Only ethernet ports can be added to private vlans.

Deleting a Private VLAN


You can delete a private VLAN by deleting the primary VLAN. If you delete a primary VLAN, all
bindings to the primary VLAN are broken, all ports in the private VLAN become inactive, and any
related mappings on the promiscuous port(s) are deleted.
To delete a private VLAN, perform this task in privileged mode:

Task Command
Delete a primary VLAN. clear vlan primary_vlan

This example shows how to delete primary VLAN 7:


Console> (enable) clear vlan 7
This command will de-activate all ports on vlan 7
Do you want to continue(y/n) [n]?y
Vlan 7 deleted
Console> (enable)

Deleting an Isolated, Community, or Two-Way Community VLAN


If you delete an isolated, community, or two-way community VLAN, the binding with the primary
VLAN is broken, any isolated, community, or two-way community ports associated to the VLAN
become inactive, and any related mappings on the promiscuous port(s) are deleted.
To delete a VLAN on the switch, perform this task in privileged mode:

Delete an isolated or community VLAN.
    clear vlan {isolated_vlan | community_vlan | twoway_community_vlan}

This example shows how to delete the community VLAN 902:


Console> (enable) clear vlan 902
This command will de-activate all ports on vlan 902
Do you want to continue(y/n) [n]?y
Vlan 902 deleted
Console> (enable)

Deleting a Private VLAN Mapping


If you delete the private VLAN mapping, the connectivity breaks between the isolated, community, or
two-way community ports and the promiscuous port. If you delete all the mappings on a promiscuous
port, the promiscuous port becomes inactive. When a private VLAN port is set to inactive, it displays
“pvlan-” as its VLAN number in the show port output.
A private VLAN port might be set to inactive for the following reasons:
• The primary, isolated, community, or two-way community VLAN to which it belongs is cleared.
• All mappings from a non-MSFC promiscuous port are deleted.
• An error occurs during the configuration of a port to be a private VLAN port.
To delete a port mapping from a private VLAN, perform this task in privileged mode:

Delete the port mapping from the private VLAN.
    clear pvlan mapping primary_vlan {isolated | community | twoway-community} {mod/ports}

This example shows how to delete the mapping of VLANs 902 to 901, previously set on ports 3/2
through 3/5:
Console> (enable) clear pvlan mapping 901 902 3/2-5
Successfully cleared mapping between 901 and 902 on 3/2-5
Console> (enable)

Private VLAN Support on the MSFC


These items describe private VLAN support on the MSFC:
• Enter the show pvlan command to display information about private VLANs. The show pvlan
command displays information about private VLANs only when the primary private VLAN is up.
• Entering a set pvlan mapping or a clear pvlan mapping command on the supervisor engine
generates MSFC syslog messages. See the following for an example:
%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 101
%PV-6-PV_MSG:Created a private vlan mapping, Primary 200, Secondary 201
%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 101

• Enter an interface vlan command to configure Layer 3 parameters only for primary private VLANs.
• On the supervisor engine, you cannot create isolated or community VLANs using VLAN numbers
for which interface vlan commands have been entered on the MSFC.
• ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries (we recommend
that you display and verify private VLAN interface ARP entries).
• For security reasons, private VLAN interface sticky ARP entries do not age out. Connecting new
equipment with the same IP address generates a message and the ARP entry is not created.
• Because the private VLAN interface ARP entries do not age out, you must manually remove private
VLAN interface ARP entries if a MAC address changes.

• You can add or remove private VLAN ARP entries manually as follows:
obelix-rp(config)# no arp 11.1.3.30
IP ARP:Deleting Sticky ARP entry 11.1.3.30

obelix-rp(config)# arp 11.1.3.30 0000.5403.2356 arpa
IP ARP:Overwriting Sticky ARP entry 11.1.3.30, hw:00d0.bb09.266e by hw:0000.5403.2356

• Some commands clear and recreate private VLAN mapping as follows:


obelix-rp(config)# xns routing
obelix-rp(config)#
%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 101
%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 102
%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 103
%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 101
%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 102
%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 103
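As an added example that is not part of Cisco's guide, the following Python reconciles the MSFC %PV-6-PV_MSG syslog lines described above against show pvlan mapping output from the supervisor engine, so that a mapping that was purged and never recreated is reported (such a mapping breaks connectivity between the secondary ports and the promiscuous port, as the "Deleting a Private VLAN Mapping" section explains), and it also lists ports that show port reports as inactive with "pvlan-". The syslog lines and command output embedded below are constructed for this example.

```python
# Added example, not Cisco's code: reconcile the MSFC %PV-6-PV_MSG syslog lines
# against the supervisor's show pvlan mapping output and flag inactive private VLAN
# ports from show port. All syslog lines and command output here are constructed.
import re
from typing import Dict, List, Set, Tuple

Mapping = Tuple[int, int]   # (primary VLAN, secondary VLAN)

PV_MSG = re.compile(r"%PV-6-PV_MSG:(Created|Purged) a private vlan mapping, "
                    r"Primary (\d+), Secondary (\d+)")
# show pvlan mapping rows look like "3/1   7   901-903"; header and dash rows do not match
MAPPING_ROW = re.compile(r"^\s*(\S+/\S+|sc0)\s+(\d+)\s+([\d,\-]+)\s*$")
# show port rows whose Vlan column is "pvlan-" (an inactive private VLAN port)
INACTIVE_ROW = re.compile(r"^\s*(\d+/\d+)\s.*\s+pvlan-\s")

def expand_vlans(spec: str) -> List[int]:
    """Expand the Secondary column, e.g. '901-903' or '901,903', into VLAN numbers."""
    vlans: List[int] = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.extend(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_pvlan_mapping(text: str) -> Dict[str, Set[Mapping]]:
    """{promiscuous port: {(primary, secondary), ...}} from show pvlan mapping output."""
    result: Dict[str, Set[Mapping]] = {}
    for line in text.splitlines():
        m = MAPPING_ROW.match(line)
        if m:
            port, primary, spec = m.group(1), int(m.group(2)), m.group(3)
            result.setdefault(port, set()).update((primary, v) for v in expand_vlans(spec))
    return result

def replay_pv_msgs(lines: List[str]) -> Tuple[Set[Mapping], List[str]]:
    """Replay Created/Purged messages in order; return live mappings and anomalies."""
    live: Set[Mapping] = set()
    anomalies: List[str] = []
    for n, line in enumerate(lines, 1):
        m = PV_MSG.search(line)
        if not m:
            continue
        action, mapping = m.group(1), (int(m.group(2)), int(m.group(3)))
        if action == "Created":
            live.add(mapping)
        elif mapping in live:
            live.remove(mapping)
        else:
            anomalies.append(f"line {n}: purge of mapping {mapping} that was never created")
    return live, anomalies

def reconcile(syslog: List[str], show_mapping: str) -> List[str]:
    """Findings: replay anomalies plus mappings the supervisor expects but the MSFC purged."""
    live, findings = replay_pv_msgs(syslog)
    expected: Set[Mapping] = set()
    for maps in parse_show_pvlan_mapping(show_mapping).values():
        expected |= maps
    for primary, secondary in sorted(expected - live):
        findings.append(f"mapping Primary {primary}, Secondary {secondary} "
                        "was purged and not recreated")
    return findings

def inactive_pvlan_ports(show_port: str) -> List[str]:
    """Ports that show port lists with 'pvlan-' as their VLAN, i.e. inactive ports."""
    return [m.group(1) for m in map(INACTIVE_ROW.match, show_port.splitlines()) if m]

# Constructed supervisor output: 101-103 mapped to primary 100 on the MSFC port 15/1
SHOW_PVLAN_MAPPING = """\
Port  Primary  Secondary
----- -------- ----------
15/1  100      101-103
3/1   200      201
"""
# Constructed MSFC log: a command purged and recreated the mappings for primary 100,
# but the mapping for secondary 103 never came back; 300/301 is purged without a create.
SYSLOG = [
    "%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 101",
    "%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 102",
    "%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 103",
    "%PV-6-PV_MSG:Created a private vlan mapping, Primary 200, Secondary 201",
    "%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 101",
    "%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 102",
    "%PV-6-PV_MSG:Purged a private vlan mapping, Primary 100, Secondary 103",
    "%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 101",
    "%PV-6-PV_MSG:Created a private vlan mapping, Primary 100, Secondary 102",
    "%PV-6-PV_MSG:Purged a private vlan mapping, Primary 300, Secondary 301",
]
# Constructed show port output with one inactive private VLAN port (4/3)
SHOW_PORT = """\
Port  Name               Status     Vlan       Duplex Speed Type
----- ------------------ ---------- ---------- ------ ----- ------------
 4/3                     notconnect pvlan-     half    100 100BaseFX MM
 4/4                     notconnect 7,902      half    100 100BaseFX MM
"""
```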

Configuring FDDI VLANs


To create a new FDDI VLAN, perform this task in privileged mode:

Step 1 Create a new FDDI or FDDI NET-type VLAN.
    set vlan vlan [name name] type {fddi | fddinet} [said said] [mtu mtu]
Step 2 Verify the VLAN configuration.
    show vlan [vlan]

To modify the VLAN parameters on an existing FDDI VLAN, perform this task in privileged mode:

Step 1 Modify an existing FDDI or FDDI NET-type VLAN.
    set vlan vlan [name name] [state {active | suspend}] [said said] [mtu mtu]
Step 2 Verify the VLAN configuration.
    show vlan [vlan]

Configuring Token Ring VLANs


These sections describe the two Token Ring VLAN types that are supported on switches running VTP
version 2:
• Understanding Token Ring TrBRF VLANs, page 11-25
• Understanding Token Ring TrCRF VLANs, page 11-25
• Token Ring VLAN Configuration Guidelines, page 11-27
• Creating or Modifying a Token Ring TrBRF VLAN, page 11-27
• Creating or Modifying a Token Ring TrCRF VLAN, page 11-28
You must use VTP version 2 to configure and manage Token Ring VLANs.

Note Catalyst 6000 family switches do not support ISL-encapsulated Token Ring frames.

Understanding Token Ring TrBRF VLANs


Token Ring Bridge Relay Function (TrBRF) VLANs interconnect multiple Token Ring Concentrator
Relay Function (TrCRF) VLANs in a switched Token Ring network (see Figure 11-2). The TrBRF can
be extended across a network of switches interconnected through trunk links. The connection between
the TrCRF and the TrBRF is referred to as a logical port.

Figure 11-2 Interconnected Token Ring TrBRF and TrCRF VLANs
[Figure: a single BRF (running SRB or SRT) connected through logical ports to CRFs, each CRF
performing SRS for the Token Rings attached to it; rings labeled 001, 001, 011, 002, 002, and 002.]

For source routing, the switch appears as a single bridge between the logical rings. The TrBRF can
function as a source-route bridge (SRB) or as a source-route transparent (SRT) bridge running either the
IBM or IEEE STP. If SRB is used, you can define duplicate MAC addresses on different logical rings.
The Token Ring software runs an instance of STP for each TrBRF VLAN and each TrCRF VLAN. For
TrCRF VLANs, STP removes loops in the logical ring. For TrBRF VLANs, STP interacts with external
bridges to remove loops from the bridge topology, similar to STP operation on Ethernet VLANs.

Caution Certain parent TrBRF STP and TrCRF bridge mode configurations can place the logical ports (the
connection between the TrBRF and the TrCRF) of the TrBRF in a blocked state. For more
information, see the “Default VLAN Configuration” section on page 11-4.

To accommodate IBM System Network Architecture (SNA) traffic, you can use a combination of SRT
and SRB modes. In a mixed mode, the TrBRF considers some ports (logical ports connected to TrCRFs)
to operate in SRB mode while others operate in SRT mode.

Understanding Token Ring TrCRF VLANs


Token Ring Concentrator Relay Function (TrCRF) VLANs define port groups with the same logical ring
number. You can configure two types of TrCRFs in your network: undistributed and backup.

Typically, TrCRFs are undistributed, which means each TrCRF is limited to the ports on a single switch.
Multiple undistributed TrCRFs on the same or separate switches can be associated with a single parent
TrBRF (see Figure 11-3). The parent TrBRF acts as a multiport bridge, forwarding traffic between the
undistributed TrCRFs.

Note To pass data between rings located on separate switches, you can associate the rings to the same
TrBRF and configure the TrBRF for SRB.

Figure 11-3 Undistributed TrCRFs
[Figure: Switch A and Switch B connected by an ISL trunk; TrBRF 3 spans both switches and is the
parent of undistributed TrCRFs 400, 350, and 200.]

Note By default, Token Ring ports are associated with the default TrCRF (VLAN 1003, trcrf-default),
which has the default TrBRF (VLAN 1005, trbrf-default) as its parent. In this configuration, a
distributed TrCRF is possible (see Figure 11-4), and traffic is passed between the default TrCRFs
located on separate switches provided that the switches are connected through an ISL trunk.

Figure 11-4 Distributed TrCRF
[Figure: Switch A and Switch B connected by an ISL trunk; TrBRF 2 is the parent of distributed
TrCRF 300, whose ports are located on both switches.]

Within a TrCRF, source-route switching forwards frames based on either MAC addresses or route
descriptors. The entire VLAN can operate as a single ring, with frames switched between ports within a
single TrCRF.
You can specify the maximum hop count for All-Routes and Spanning Tree Explorer frames for each
TrCRF. This limits the maximum number of hops an explorer is allowed to traverse. If a port determines
that the explorer frame it is receiving has traversed more than the number of hops specified, it does not
forward the frame. The TrCRF determines the number of hops an explorer has traversed based on the
number of bridge hops in the route information field.
A backup TrCRF enables you to configure an alternate route for traffic between undistributed TrCRFs
located on separate switches that are connected by a TrBRF, in the event that the ISL connection between
the switches fails. Only one backup TrCRF for a TrBRF is allowed, and only one port per switch can
belong to a backup TrCRF.

If the ISL connection between the switches fails, the port in the backup TrCRF on each affected switch
automatically becomes active, rerouting traffic between the undistributed TrCRFs through the backup
TrCRF. When the ISL connection is reestablished, all but one port in the backup TrCRF is disabled.
Figure 11-5 illustrates the backup TrCRF.

Figure 11-5 Backup TrCRF
[Figure: Switch A and Switch B connected by an ISL trunk; TrBRF 1 is the parent of undistributed
TrCRFs 600 and 601, and of backup TrCRF 612, which provides the alternate path between the switches.]

Token Ring VLAN Configuration Guidelines
When you create or modify Token Ring VLANs, take the following guidelines into consideration:
• For Token Ring VLANs, the default TrBRF (VLAN 1005) can only be the parent of the default
TrCRF (VLAN 1003). You cannot specify the default TrBRF as the parent of a user-configured
TrCRF.
• You must configure a TrBRF before you configure the TrCRF; that is, the parent TrBRF VLAN you
specify for the TrCRF must already exist.
• In a Token Ring environment, the logical ports of the TrBRF (the connection between the TrBRF
and the TrCRF) are placed in a blocked state if either of these conditions exists:
– The TrBRF is running the IBM STP, and the TrCRF is in SRT mode.
– The TrBRF is running the IEEE STP, and the TrCRF is in SRB mode.

Creating or Modifying a Token Ring TrBRF VLAN


You must enable VTP version 2 before you create Token Ring VLANs. For information on enabling
VTP version 2, see Chapter 10, “Configuring VTP.”
You must specify a bridge number when you create a new TrBRF.
To create a new Token Ring TrBRF VLAN, perform this task in privileged mode:

Step 1 Create a new Token Ring TrBRF-type VLAN.
    set vlan vlan [name name] type trbrf [said said] [mtu mtu] bridge bridge_number [stp {ieee | ibm}]
Step 2 Verify the VLAN configuration.
    show vlan [vlan]

This example shows how to create a new Token Ring TrBRF VLAN and verify the configuration:
Console> (enable) set vlan 999 name TrBRF_999 type trbrf bridge a
Vlan 999 configuration successful
Console> (enable) show vlan 999
VLAN Name Status IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
999 TrBRF_999 active
VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
999 trbrf 100999 4472 - - 0xa ibm - 0 0
VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
Console> (enable)

To modify the VLAN parameters on an existing Token Ring TrBRF VLAN, perform this task in
privileged mode:

Task                                                    Command
Step 1  Modify an existing Token Ring TrBRF-type VLAN.  set vlan vlan [name name] [state {active | suspend}] [said said] [mtu mtu] [bridge bridge_number] [stp {ieee | ibm}]
Step 2  Verify the VLAN configuration.                  show vlan [vlan]

Creating or Modifying a Token Ring TrCRF VLAN

Note You must enable VTP version 2 before you create Token Ring VLANs. For information on enabling
VTP version 2, see Chapter 10, “Configuring VTP.”

To create a new Token Ring TrCRF VLAN, perform this task in privileged mode:

Task                                              Command
Step 1  Create a new Token Ring TrCRF-type VLAN.  set vlan vlan [name name] type trcrf [said said] [mtu mtu] {ring hex_ring_number | decring decimal_ring_number} parent vlan
Step 2  Verify the VLAN configuration.            show vlan [vlan]

Note You must specify a ring number (either in hexadecimal or in decimal) and a parent TrBRF VLAN
when creating a new TrCRF.


This example shows how to create a Token Ring TrCRF VLAN and verify the configuration:
Console> (enable) set vlan 998 name TrCRF_998 type trcrf decring 10 parent 999
Vlan 998 configuration successful
Console> (enable) show vlan 998
VLAN Name Status IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
998 TrCRF_998 active 352
VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
998 trcrf 100998 4472 999 0xa - - srb 0 0
VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
998 7 7 off
Console> (enable)

To modify the VLAN parameters on an existing Token Ring TrCRF VLAN, perform this task in
privileged mode:

Task                                               Command
Step 1  Modify an existing Token Ring TrCRF VLAN.  set vlan vlan [name name] [state {active | suspend}] [said said] [mtu mtu] [ring hex_ring] [decring decimal_ring] [bridge bridge] [parent vlan]
Step 2  Verify the VLAN configuration.             show vlan [vlan]

To create a backup TrCRF, assign one port on each switch that the TrBRF traverses to the backup
TrCRF.
To configure a TrCRF VLAN as a backup TrCRF, perform this task in privileged mode:

Task                                              Command
Step 1  Configure a TrCRF VLAN as a backup TrCRF.  set vlan vlan backupcrf on
Step 2  Verify the VLAN configuration.            show vlan [vlan]

Caution If the backup TrCRF port is attached to a Token Ring multistation access unit (MSAU), it does not
provide a backup path unless the ring speed and port mode are set by another device. We recommend
that you configure the ring speed and port mode for the backup TrCRF.

To specify the maximum number of hops for All-Routes Explorer frames or Spanning Tree Explorer
frames in the TrCRF, perform this task in privileged mode:

Task                                                                                       Command
Step 1  Specify the maximum number of hops for All-Routes Explorer frames in the TrCRF.     set vlan vlan aremaxhop hopcount
Step 2  Specify the maximum number of hops for Spanning Tree Explorer frames in the TrCRF.  set vlan vlan stemaxhop hopcount
Step 3  Verify the VLAN configuration.                                                     show vlan [vlan]


This example shows how to limit All-Routes Explorer frames and Spanning Tree Explorer frames to ten
hops and how to verify the configuration:
Console> (enable) set vlan 998 aremaxhop 10 stemaxhop 10
Vlan 998 configuration successful
Console> (enable) show vlan 998
VLAN Name Status IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
998 VLAN0998 active 357
VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
998 trcrf 100998 4472 999 0xff - - srb 0 0
VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
998 10 10 off
Console> (enable)

CHAPTER 12
Configuring InterVLAN Routing

This chapter describes how to configure the Multilayer Switch Feature Card (MSFC) for interVLAN
routing on the Catalyst 6000 family switches.

Note For complete syntax and usage for the commands used in this chapter, refer to the Catalyst 6000
Family Command Reference publication.

This chapter consists of these sections:


• Understanding How InterVLAN Routing Works, page 12-1
• Configuring InterVLAN Routing on the MSFC, page 12-2

Note Refer to the FlexWAN Module Port Adapter Installation and Configuration Notes for information
about configuring routing on FlexWAN module interfaces.

Understanding How InterVLAN Routing Works


Network devices in different VLANs cannot communicate with one another without a router to forward
traffic between the VLANs. In most network environments, VLANs are associated with individual
networks or subnetworks.
For example, in an IP network, each subnetwork is mapped to an individual VLAN. In an IPX network,
each VLAN is mapped to an IPX network number.
Configuring VLANs helps control the size of the broadcast domain and keeps local traffic local. When
an end station in one VLAN needs to communicate with an end station in another VLAN, interVLAN
communication is required. This communication is provided by interVLAN routing. You configure one
or more routers to route traffic to the appropriate destination VLAN.
Figure 12-1 shows a basic interVLAN routing topology. Switch A is in VLAN 10 and Switch B is in
VLAN 20. The router has an interface in each VLAN.


Figure 12-1 Basic InterVLAN Routing Topology

[Figure not reproduced: Host A and Host B attach to Switch A in VLAN 10, Host C attaches to Switch B in
VLAN 20, and both switches connect to the router over ISL trunks.]

When Host A in VLAN 10 needs to communicate with Host B in VLAN 10, it sends a packet addressed
to that host. Switch A forwards the packet directly to Host B, without sending it to the router.
When Host A sends a packet to Host C in VLAN 20, Switch A forwards the packet to the router, which
receives the traffic on the VLAN 10 interface. The router checks the routing table, determines the correct
outgoing interface, and forwards the packet out the VLAN 20 interface to Switch B. Switch B receives
the packet and forwards it to Host C.

Configuring InterVLAN Routing on the MSFC


Note This section is for users who are familiar with Cisco IOS software and have some experience
configuring Cisco IOS routing. If you are not familiar with configuring Cisco routing, refer to the
Cisco IOS documentation on Cisco.com.

These sections describe how to configure interVLAN routing on the MSFC:


• MSFC Routing Configuration Guidelines, page 12-2
• Configuring IP InterVLAN Routing on the MSFC, page 12-3
• Configuring IPX InterVLAN Routing on the MSFC, page 12-3
• Configuring AppleTalk InterVLAN Routing on the MSFC, page 12-4
• Configuring MSFC Features, page 12-4

MSFC Routing Configuration Guidelines


Configuring interVLAN routing on the MSFC consists of two main procedures:
1. Create and configure VLANs on the switch and assign VLAN membership to switch ports. For more
information, see Chapter 11, “Configuring VLANs.”
2. Create and configure VLAN interfaces for interVLAN routing on the MSFC. Configure a VLAN
interface for each VLAN for which you want to route traffic.
VLAN interfaces on the MSFC are virtual interfaces. However, you configure them much as you do a
physical router interface.
MSFC2 and MSFC support the same range of VLANs as the supervisor engine. MSFC2 supports up to
1,000 VLAN interfaces. MSFC supports up to 256 VLAN interfaces.


Configuring IP InterVLAN Routing on the MSFC


To configure interVLAN routing for IP, perform this task:

Task                                                    Command
Step 1  (Optional) Enable IP routing on the router.(1)  Router(config)# ip routing
Step 2  (Optional) Specify an IP routing protocol.(2)   Router(config)# router ip_routing_protocol
Step 3  Specify a VLAN interface on the MSFC.           Router(config)# interface vlan-id
Step 4  Assign an IP address to the VLAN.               Router(config-if)# ip address n.n.n.n mask
Step 5  Exit configuration mode.                        Router(config-if)# Ctrl-Z
1. This step is necessary if you have multiple routers in the network.
2. This step is necessary if you enabled IP routing in Step 1. This step might include other commands, such as using the
network router configuration command to specify the networks to route. Refer to the documentation for your router platform
for detailed information on configuring routing protocols.

This example shows how to enable IP routing on the MSFC, create a VLAN interface, and assign the
interface an IP address:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip routing
Router(config)# router rip
Router(config-router)# network 10.0.0.0
Router(config-router)# interface vlan 100
Router(config-if)# ip address 10.1.1.1 255.0.0.0
Router(config-if)# ^Z
Router#

Configuring IPX InterVLAN Routing on the MSFC


To configure interVLAN routing for Internetwork Packet Exchange (IPX), perform this task:

Task                                                     Command
Step 1  (Optional) Enable IPX routing on the router.(1)  Router(config)# ipx routing
Step 2  (Optional) Specify an IPX routing protocol.(2)   Router(config)# ipx router ipx_routing_protocol
Step 3  Specify a VLAN interface on the MSFC.            Router(config)# interface vlan-id
Step 4  Assign a network number to the VLAN.(3)          Router(config-if)# ipx network [network | unnumbered] encapsulation encapsulation-type
Step 5  Exit configuration mode.                         Router(config-if)# Ctrl-Z
1. This step is necessary if you have multiple routers in the network.
2. This step is necessary if you enabled IPX routing in Step 1. This step might include other commands, such as using the network router
configuration command to specify the networks to route. Refer to the documentation for your router platform for detailed information on
configuring routing protocols.
3. This step enables IPX routing on the VLAN. When you enable IPX routing on the VLAN, you can also specify an encapsulation type.


This example shows how to enable IPX routing on the MSFC, create a VLAN interface, and assign the
interface an IPX network address:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ipx routing
Router(config)# ipx router rip
Router(config-ipx-router)# network all
Router(config-ipx-router)# interface vlan100
Router(config-if)# ipx network 100 encapsulation snap
Router(config-if)# ^Z
Router#

Configuring AppleTalk InterVLAN Routing on the MSFC


To configure interVLAN routing for AppleTalk, perform this task:

Task                                                           Command
Step 1  (Optional) Enable AppleTalk routing on the router.(1)  Router(config)# appletalk routing
Step 2  Specify a VLAN interface on the MSFC.                  Router(config)# interface vlan-id
Step 3  Assign a cable range to the VLAN.                      Router(config-if)# appletalk cable-range cable-range
Step 4  Assign a zone name to the VLAN.                        Router(config-if)# appletalk zone zone-name
Step 5  Exit configuration mode.                               Router(config-if)# Ctrl-Z
1. This step is necessary if you have multiple routers in the network.

This example shows how to enable AppleTalk routing on the MSFC, create a VLAN interface, and
assign the interface an AppleTalk cable-range and zone name:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# appletalk routing
Router(config)# interface vlan100
Router(config-if)# appletalk cable-range 100-100
Router(config-if)# appletalk zone Engineering
Router(config-if)# ^Z
Router#

Configuring MSFC Features


These sections describe features implemented on the MSFC:
• Local Proxy ARP, page 12-5
• WCCP Layer 2 Redirection, page 12-5
• Auto State Feature, page 12-5


Local Proxy ARP


With Release 12.1(2)E or later releases, the Local Proxy Address Resolution Protocol (ARP) allows the
MSFC to respond to ARP requests for IP addresses within a subnet where normally no routing is
required. With local proxy ARP enabled, the MSFC responds to all ARP requests for IP addresses within
the subnet and forwards all traffic between hosts in the subnet. Use this feature only on subnets where
hosts are intentionally prevented from communicating directly by the configuration on the switch to
which they are connected.
Local proxy ARP is disabled by default. Enter the ip local-proxy-arp interface configuration command
to enable local proxy ARP on an interface. Enter the no ip local-proxy-arp interface configuration
command to disable the feature. Internet Control Message Protocol (ICMP) redirects are disabled on
interfaces where local proxy ARP is enabled.

WCCP Layer 2 Redirection

Note Supervisor Engine 1 with the Policy Feature Card (PFC) supports this feature with Release 12.1(2)E
or later releases. Supervisor Engine 2 with PFC2 supports this feature with Release 12.1(3a)E or later
releases.

Web Cache Communication Protocol (WCCP) Layer 2 redirection allows directly connected Cisco
Cache Engines to use Layer 2 redirection, which is more efficient than Layer 3 redirection, through
generic routing encapsulation (GRE). You can configure a directly connected Cache Engine to negotiate
use of WCCP Layer 2 redirection. WCCP Layer 2 redirection requires no configuration on the MSFC.
Enter the show ip wccp web-cache detail command to display which redirection method is in use for
each cache. Follow these guidelines when using this feature:
• WCCP Layer 2 redirection feature sets the IP flow mask to full-flow mode.
• You can configure the Cisco Cache Engine software release 2.2 or later releases to use WCCP
Layer 2 redirection.
• Layer 2 redirection takes place on the switch and is not visible to the MSFC. Entering the show ip
wccp web-cache detail command on the MSFC displays statistics for only the first packet of a
Layer 2 redirected flow, which provides an indication of how many flows, rather than packets, are
using Layer 2 redirection. Entering the show mls entries command on the supervisor engine
displays the other packets in the Layer 2 redirected flows.
Configure the Cisco IOS WCCP as described in the Cisco IOS Configuration Fundamentals
Configuration Guide at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/fun_c/fcprt3/fcd305.htm

Auto State Feature


The auto state feature shuts down (or brings up) Layer 3 interfaces/subinterfaces on the MSFC and the
Multilayer Switch Module (MSM) when the following port configuration changes occur on the switch:
• When the last external port on a VLAN goes down, all Layer 3 interfaces/subinterfaces on that
VLAN shut down (are autostated) unless sc0 is on the VLAN or another router is in the chassis with
an interface/subinterface in the VLAN. When a Layer 3 interface goes down, this message is
reported to the console for each Layer 3 interface:
%AUTOSTATE-6-SHUT_DOWN


• When the first external port on the VLAN is brought back up, all Layer 3 interfaces on that VLAN
that were previously shut down are brought up. This message is reported to the console for each
Layer 3 interface:
%AUTOSTATE-6-BRING_UP

The Catalyst 6000 family switch does not have knowledge of, or control over, the MSM or MSFC
configuration (just as the switch does not have knowledge of, or control over, external router
configurations). The auto state feature will not work on MSM or MSFC interfaces if the MSM or MSFC
is not properly configured. For example, consider this MSM trunk configuration:
interface GigabitEthernet0/0/0.200
encap isl 200
.
.

In the example, the GigabitEthernet0/0/0.200 interface is not auto stated if any of these configuration
errors are made:
• VLAN 200 is not configured on the switch.
• Trunking is not configured on the corresponding Gigabit Ethernet switch port.
• Trunking is configured but VLAN 200 is not an allowed VLAN on that trunk.

Displaying the Auto State Configuration

To display the current line protocol state determination for the MSM, perform this task in normal mode:

Task                                                              Command
Display the current line protocol state determination for the MSM.  show msmautostate mod

This example shows how to display the current line protocol state determination for the MSM:
Console> show msmautostate
MSM Auto port state: enabled
Console>

To display the line protocol state determination for the MSFC, perform this task in privileged mode:

Task                                                         Command
Display the line protocol state determination for the MSFC.  show msfcautostate

This example shows how to display the line protocol state determination for the MSFC:
Console> (enable) show msfcautostate
MSFC Auto port state: enabled
Console> (enable)


To check which MSM interfaces are currently auto stated, perform this task in enabled mode:

Task                                                  Command
Check which MSM interfaces are currently auto stated.  show autostate entries

This example shows how to check which MSM interfaces are currently auto stated (shutdown or brought
up through auto state):
Router# show autostate entries
Port-channel1.5
Port-channel1.6
Port-channel1.4
Router#

Disabling the Auto State Feature

To disable the auto state feature if you have an MSM installed, perform this task in privileged mode:

Task                                                         Command
Disable the auto state feature if you have an MSM installed.  set msmautostate disable

The auto state feature is enabled by default. This example shows how to disable the auto state feature if
you have an MSM installed:
Console> (enable) set msmautostate disable
MSM port auto state disabled.
Console> (enable)

To disable the line protocol state determination of the MSFC, perform this task in privileged mode:

Note If you toggle (enable to disable and/or disable to enable) the msfcautostate command you might have
to use the shutdown and no shutdown commands to disable and then restart the VLAN and WAN
interfaces on the MSFC to bring them back up. Unless there is a valid reason, the MSFC auto state
feature should not be disabled.

Task                                                         Command
Disable the line protocol state determination of the MSFC.   set msfcautostate disable

This example shows how to disable the line protocol state determination of the MSFC:
Console> (enable) set msfcautostate disable
MSM port auto state disabled.
Console> (enable)

CHAPTER 13
Configuring CEF for PFC2

This chapter describes how to configure Cisco Express Forwarding (CEF) for Policy Feature Card 2
(PFC2). CEF for PFC2 provides IP and Internetwork Packet Exchange (IPX) unicast Layer 3 switching
and IP multicast Layer 3 switching for Supervisor Engine 2, PFC2, and Multilayer Switch Feature
Card 2 (MSFC2).

Note For complete information on the syntax and usage information for the supervisor engine commands
used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How Layer 3 Switching Works, page 13-1
• Default CEF for PFC2 Configuration, page 13-10
• CEF for PFC2 Configuration Guidelines and Restrictions, page 13-11
• Configuring CEF for PFC2, page 13-12
• Configuring NetFlow Statistics, page 13-22

Note Supervisor Engine 1 with the PFC1 and the MSFC or MSFC2 provide Layer 3 switching with
Multilayer Switching (MLS). See Chapter 14, “Configuring MLS,” for more information.

Note To configure the MSFC2 to support MLS on a Catalyst 5000 family switch, refer to the Layer 3
Switching Software Configuration Guide at
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_5_2/layer3/index.htm.

Understanding How Layer 3 Switching Works


These sections describe Layer 3 switching with PFC2:
• Layer 3 Switching Overview, page 13-2
• Understanding Layer 3-Switched Packet Rewrite, page 13-2
• Understanding CEF for PFC2, page 13-4
• Understanding NetFlow Statistics, page 13-9


Layer 3 Switching Overview


Layer 3 switching allows the switch, instead of a router, to forward IP and IPX unicast traffic and IP
multicast traffic between VLANs. Layer 3 switching is implemented in hardware and provides
wire-speed interVLAN forwarding on the switch, rather than on the MSFC2. Layer 3 switching requires
minimal support from the MSFC2. The MSFC2 routes any traffic that cannot be Layer 3 switched.

Note Layer 3 switching supports the routing protocols configured on the MSFC2. Layer 3 switching does
not replace the routing protocols configured on the MSFC2. Layer 3 switching uses Protocol
Independent Multicast (PIM) for multicast route determination.

Layer 3 switching on Catalyst 6000 family switches provides flow statistics that you can use to identify
traffic characteristics for administration, planning, and troubleshooting. Layer 3 switching uses NetFlow
Data Export (NDE) to export flow statistics (for more information about NDE, see Chapter 15,
“Configuring NDE”).

Note Traffic is Layer 3 switched after being processed by the VLAN access control list (VACL) feature
and the quality of service (QoS) feature.

Understanding Layer 3-Switched Packet Rewrite


When a packet is Layer 3 switched from a source in one VLAN to a destination in another VLAN, the
switch performs a packet rewrite at the egress port based on information learned from the MSFC2 so that
the packets appear to have been routed by the MSFC2.

Note Rather than just forwarding IP multicast packets, the PFC2 replicates them as necessary on the
appropriate VLANs.

Packet rewrite alters five fields:


• Layer 2 (MAC) destination address
• Layer 2 (MAC) source address
• Layer 3 IP Time to Live (TTL) or IPX Transport Control
• Layer 3 checksum
• Layer 2 (MAC) checksum (also called the frame checksum or FCS)

Note Packets are rewritten with the encapsulation appropriate for the next-hop subnet.

If Source A and Destination B are on different VLANs and Source A sends a packet to the MSFC2 to be
routed to Destination B, the switch recognizes that the packet was sent to the Layer 2 (MAC) address of
the MSFC2.
To perform Layer 3 switching, the switch rewrites the Layer 2 frame header, changing the Layer 2
destination address to the Layer 2 address of Destination B and the Layer 2 source address to the Layer 2
address of the MSFC2. The Layer 3 addresses remain the same.


In IP unicast and IP multicast traffic, the switch decrements the Layer 3 TTL value by 1 and recomputes
the Layer 3 packet checksum. In IPX traffic, the switch increments the Layer 3 Transport Control value
by 1 and recomputes the Layer 3 packet checksum. The switch recomputes the Layer 2 frame checksum
and forwards (or for multicast packets, replicates as necessary) the rewritten packet to Destination B’s
VLAN.
These sections describe how the packets are rewritten:
• Understanding IP Unicast Rewrite, page 13-3
• Understanding IPX Unicast Rewrite, page 13-3
• Understanding IP Multicast Rewrite, page 13-4

Understanding IP Unicast Rewrite


Received IP unicast packets are (conceptually) formatted as follows:

Layer 2 Frame Header            Layer 3 IP Header                                                 Data  FCS
Destination     Source          Destination        Source        TTL   Checksum
MSFC2 MAC       Source A MAC    Destination B IP   Source A IP   n     calculation1

After the switch rewrites an IP unicast packet, it is (conceptually) formatted as follows:

Layer 2 Frame Header               Layer 3 IP Header                                              Data  FCS
Destination        Source          Destination        Source        TTL   Checksum
Destination B MAC  MSFC2 MAC       Destination B IP   Source A IP   n-1   calculation2

Understanding IPX Unicast Rewrite


Received IPX packets are (conceptually) formatted as follows:

Layer 2 Frame Header            Layer 3 IPX Header                                                                     Data  FCS
Destination     Source          Checksum/IPX Length/Transport Control   Destination Net/Node/Socket   Source Net/Node/Socket
MSFC2 MAC       Source A MAC    n                                       Destination B IPX             Source A IPX

After the switch rewrites an IPX packet, it is (conceptually) formatted as follows:

Layer 2 Frame Header               Layer 3 IPX Header                                                                  Data  FCS
Destination        Source          Checksum/IPX Length/Transport Control   Destination Net/Node/Socket   Source Net/Node/Socket
Destination B MAC  MSFC2 MAC       n+1                                     Destination B IPX             Source A IPX


Understanding IP Multicast Rewrite


Received IP multicast packets are (conceptually) formatted as follows:

Layer 2 Frame Header              Layer 3 IP Header                                           Data  FCS
Destination       Source          Destination     Source        TTL   Checksum
Group G1 MAC(1)   Source A MAC    Group G1 IP     Source A IP   n     calculation1
1. In this example, Destination B is a member of Group G1.

After the switch rewrites an IP multicast packet, it is (conceptually) formatted as follows:

Frame Header                      IP Header                                                   Data  FCS
Destination       Source          Destination     Source        TTL   Checksum
Group G1 MAC      MSFC2 MAC       Group G1 IP     Source A IP   n–1   calculation2
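The IP unicast and IP multicast rewrites described above, worked through on constructed frames in Python (an added example, not Cisco's code): MAC and IP addresses are made up, next_hop_mac stands in for the adjacency-table entry for Destination B, and the IPX case differs only in incrementing Transport Control where this code decrements TTL.

```python
import struct
import zlib
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = b"\x08\x00"

# Constructed addresses for the hosts in this section's description
MSFC2_MAC = bytes.fromhex("00d0ff000001")
SOURCE_A_MAC = bytes.fromhex("00000c00000a")
DEST_B_MAC = bytes.fromhex("00000c00000b")
GROUP_G1_MAC = bytes.fromhex("01005e010101")   # multicast MAC for 239.1.1.1


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header (checksum field zeroed);
    returns 0 when run over a header whose checksum is already valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dst_mac: bytes, src_mac: bytes, dst_ip: str, src_ip: str,
                ttl: int, payload: bytes = b"") -> bytes:
    """Ethernet II + IPv4 (no options, protocol UDP) + payload + FCS."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, 17, 0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    body = dst_mac + src_mac + ETHERTYPE_IPV4 + hdr + payload
    return body + struct.pack("<I", zlib.crc32(body))   # FCS is CRC-32, LSB first


def l3_switch_rewrite(frame: bytes, msfc2_mac: bytes, next_hop_mac: bytes) -> bytes:
    """Apply the five-field rewrite: destination MAC, source MAC, TTL, Layer 3
    checksum and FCS. Layer 3 addresses and the payload are not touched.
    Frames the hardware would not Layer 3 switch raise ValueError."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if fcs != zlib.crc32(body):
        raise ValueError("FCS mismatch: frame is corrupt")
    if body[12:14] != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 is handled in this example")
    ihl = (body[14] & 0x0F) * 4
    ip_hdr = bytearray(body[14:14 + ihl])
    if IPv4Address(bytes(ip_hdr[16:20])).is_multicast:
        new_dst_mac = body[0:6]        # group MAC stays; the PFC2 replicates per VLAN
    elif body[0:6] == msfc2_mac:
        new_dst_mac = next_hop_mac     # unicast: rewrite to Destination B's MAC
    else:
        raise ValueError("not addressed to the MSFC2 MAC: bridged, not Layer 3 switched")
    if ip_hdr[8] <= 1:
        raise ValueError("TTL would expire: sent to the MSFC2 instead")
    ip_hdr[8] -= 1                                                   # Layer 3 TTL: n -> n-1
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip_hdr)))  # Layer 3 checksum
    new_body = new_dst_mac + msfc2_mac + ETHERTYPE_IPV4 + bytes(ip_hdr) + body[14 + ihl:]
    return new_body + struct.pack("<I", zlib.crc32(new_body))         # Layer 2 FCS


def frame_fields(frame: bytes) -> dict:
    """Decode the fields the rewrite touches, plus both checksum verdicts."""
    ihl = (frame[14] & 0x0F) * 4
    hdr = frame[14:14 + ihl]
    return {
        "dst_mac": frame[0:6].hex(":"),
        "src_mac": frame[6:12].hex(":"),
        "src_ip": str(IPv4Address(hdr[12:16])),
        "dst_ip": str(IPv4Address(hdr[16:20])),
        "ttl": hdr[8],
        "ip_checksum_ok": ipv4_checksum(hdr) == 0,
        "fcs_ok": struct.unpack("<I", frame[-4:])[0] == zlib.crc32(frame[:-4]),
    }


if __name__ == "__main__":
    # Source A (VLAN 10) sends to Destination B (VLAN 20) via the MSFC2's MAC
    received = build_frame(MSFC2_MAC, SOURCE_A_MAC, "10.20.0.2", "10.10.0.1", 64, b"payload")
    rewritten = l3_switch_rewrite(received, MSFC2_MAC, DEST_B_MAC)
    print("before:", frame_fields(received))
    print("after: ", frame_fields(rewritten))
    # Source A sends to group G1: destination MAC is kept, source MAC becomes the MSFC2
    mcast = build_frame(GROUP_G1_MAC, SOURCE_A_MAC, "239.1.1.1", "10.10.0.1", 8, b"group")
    print("mcast: ", frame_fields(l3_switch_rewrite(mcast, MSFC2_MAC, DEST_B_MAC)))
```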

Understanding CEF for PFC2


These sections describe CEF for PFC2:
• CEF for PFC2 Overview, page 13-4
• Understanding Forwarding Decisions, page 13-5
• Understanding the FIB, page 13-5
• Understanding the Adjacency Table, page 13-6
• Partially and Completely Switched Multicast Flows, page 13-7
• CEF for PFC2 Examples, page 13-7

CEF for PFC2 Overview


Supervisor Engine 2, PFC2, and MSFC2 provide Layer 3 switching with CEF for PFC2. CEF for PFC2
is permanently enabled on Supervisor Engine 2. Cisco IOS CEF is permanently enabled on the MSFC2
in support of CEF for PFC2.
CEF for PFC2 works with CEF (for unicast traffic) and PIM (for multicast traffic) on the MSFC2 to
support IP, IP multicast, and IPX traffic. CEF and PIM on the MSFC2 are enhanced to support CEF for
PFC2. CEF for PFC2 generates flow statistics for Layer 3-switched traffic that can be displayed at the
CLI or used for NDE.
CEF for PFC2 provides Layer 3 switching for all packets that match a complete forwarding information
base (FIB) entry (see the “Understanding the FIB” section on page 13-5). CEF for PFC2 sends all
packets that match an incomplete FIB entry (one where the MAC address has not been resolved) to the
MSFC2 to be routed until the MSFC2 resolves the MAC address.

Note CEF for PFC2 sends bridge traffic that is addressed at Layer 2 to the MSFC2 to be processed.


Note Access control lists (ACLs) and policy-based routing can cause CEF for PFC2 to ignore the FIB
when making a forwarding decision (see the “Understanding Forwarding Decisions” section on
page 13-5).

Enter the show mls cef command to display a Layer 3 switching summary:
Console> (enable) show mls cef
Total L3 packets switched: 0
Total L3 octets switched: 0
Total route entries: 18
IP route entries: 15
IPX route entries: 3
IPM route entries: 0
IP load sharing entries: 0
IPX load sharing entries: 0
Forwarding entries: 4
Bridge entries: 12
Drop entries: 2

Understanding Forwarding Decisions


CEF for PFC2 provides Layer 3 switching based on:
• Entries in the ACL ternary content addressable memory (TCAM) for policy-based routing decisions
• Entries in the NetFlow table for TCP intercept and reflexive ACL forwarding decisions (see the
“Understanding NetFlow Statistics” section on page 13-9)
• Entries in the FIB and adjacency table for all other forwarding decisions
Enter the show mls entry command to display information about the entries used to make forwarding
decisions. CEF for PFC2 makes a forwarding decision for each packet and sends the rewrite information
for each packet to the egress port, where the rewrite occurs when the packet is transmitted from the
switch.

Understanding the FIB


The FIB resides in a separate TCAM. The adjacency table is stored separately in DRAM. The NetFlow
table is stored separately in DRAM. The FIB, the adjacency table, and the NetFlow table do not compete
with any other features for storage space.
The FIB is conceptually similar to a routing table. It maintains a mirror image of the forwarding
information contained in the unicast and multicast routing tables on the MSFC2. When routing or
topology changes occur in the network, the unicast and multicast routing tables on the MSFC2 are
updated and those changes are reflected in the FIB. The FIB maintains next-hop address information
based on the information in the routing tables on the MSFC2. The FIB supports 256K entries, which
includes 16K IP multicast entries. With reverse path forwarding (RPF) check enabled, the number of IP
entries doubles.
FIB lookup uses the following criteria:
• Destination IP address for IP unicast
• Destination IPX network for IPX unicast
• Source and destination IP address for IP unicast with RPF check
• Source and destination IP address for IP multicast with RPF check


Note Because the FIB mirrors the unicast and multicast routing tables on the MSFC2, any commands on
the MSFC2 that change the unicast or multicast routing tables affect the FIB. Forwarding entries
cannot be cleared from the Supervisor Engine 2 command-line interface (CLI).

In switches with redundant supervisor engines and MSFC2s, the designated MSFC2 supports the FIB on
the active Supervisor Engine 2. The routing protocols on the nondesignated MSFC2 send information to
the routing protocols on the designated MSFC2.
Enter the show mls entry cef command to display:
• Module number of the MSFC that is supporting the FIB
• FIB entry type (receive, connected, resolved, drop, wildcard, or default)
• Destination address (IP address or IPX network)
• Destination mask
• Next-hop address (IP address or IPX network)
• Next-hop mask
• Next-hop load-sharing weight

Understanding the Adjacency Table


For each FIB entry, CEF for PFC2 stores Layer 2 information from the designated MSFC2 for adjacent
nodes in the adjacency table. Adjacent nodes are nodes that are directly connected at Layer 2. To forward
traffic, CEF for PFC2 selects a route from a FIB entry, which points to an adjacency entry, and uses the
Layer 2 header for the adjacent node in the adjacency table entry to rewrite the packet during Layer 3
switching. CEF for PFC2 supports 256K adjacency table entries.
Table 13-1 lists the adjacency types.

Table 13-1 Adjacency Types

Adjacency Type      Description
connect             Entry type that contains complete rewrite information
punt                Entry to send traffic to the MSFC2
no r/w              Entry to send traffic to the MSFC2 when rewrite information is incomplete
frc drp             Entry used to drop packets due to ARP throttling
drop, null, loopbk  Entries used to drop packets

Enter the show mls entry cef adjacency command to display:


• FIB information (see the “Understanding the FIB” section on page 13-5)
• Adjacency type (connect, drop, null, loopbk, frc drp, punt, no r/w)
• Next-hop MAC address
• Next-hop VLAN
• Next-hop encapsulation
• Number of packets transmitted to this adjacency from the associated FIB entry
• Number of bytes transmitted to this adjacency from the associated FIB entry

Partially and Completely Switched Multicast Flows


Some flows might be partially Layer 3 switched instead of completely Layer 3 switched in these
situations:
• The MSFC is configured as a member of the IP multicast group (using the ip igmp join-group
command) on the RPF interface of the multicast source.
• The MSFC is the first-hop router to the source in PIM sparse mode (in this case, the MSFC must
send PIM-register messages to the rendezvous point).
• The multicast TTL threshold is configured on an egress interface for the flow.
• The multicast helper is configured on the RPF interface for the flow, and multicast to broadcast
translation is required.
• Multicast tag switching is configured on an egress interface.
• Network address translation (NAT) is configured on an interface, and source address translation is
required for the outgoing interface.

Note CEF for PFC2 provides Layer 3 switching when the extended access list deny condition on the RPF
interface specifies something other than the Layer 3 source, Layer 3 destination, or IP protocol (an
example is the Layer 4 port numbers).

For partially switched flows, all multicast traffic belonging to the flow reaches the MSFC and is software
switched for any interface that is not Layer 3 switched.

Note All (*,G) flows are always partially Layer 3 switched.

The PFC prevents multicast traffic in flows that are completely Layer 3 switched from reaching the
MSFC, reducing the load on the MSFC. The show ip mroute and show mls ip multicast commands
identify completely Layer 3-switched flows with the text string RPF-MFD (Multicast Fast Drop [MFD]
indicates that from the viewpoint of the MSFC, the multicast packet is dropped, because it is switched
by the PFC).
For all completely Layer 3-switched flows, the PFC periodically sends multicast packet and byte count
statistics to the MSFC, because the MSFC cannot record multicast statistics for completely switched
flows, which it never sees. The MSFC uses the statistics to update the corresponding multicast routing
table entries and reset the appropriate expiration timers.

CEF for PFC2 Examples


Figure 13-1 shows a simple IP CEF network topology. In this example, Host A is on the Sales VLAN
(IP subnet 171.59.1.0), Host B is on the Marketing VLAN (IP subnet 171.59.3.0), and Host C is on the
Engineering VLAN (IP subnet 171.59.2.0).
When Host A initiates an HTTP file transfer to Host C, the PFC2 uses the information in the FIB and
adjacency table to forward packets from Host A to Host C.

Figure 13-1 IP CEF Example Topology

[Figure: the MSFC (MAC Dd) routes between Subnet 1/Sales (Host A, 171.59.1.2, MAC Aa), Subnet 3/Marketing (Host B, 171.59.3.1, MAC Bb), and Subnet 2/Engineering (Host C, 171.59.2.2, MAC Cc). Host A sends "Data 171.59.1.2:171.59.2.2" with source/destination MAC Aa:Dd; the frame reaches Host C with the MAC header rewritten to Dd:Cc.]

Source IP Address   Destination IP Address   Rewrite Src/Dst MAC Address   Destination VLAN
171.59.1.2          171.59.3.1               Dd:Bb                         Marketing
171.59.1.2          171.59.2.2               Dd:Cc                         Engineering
171.59.2.2          171.59.1.2               Dd:Aa                         Sales
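The FIB lookup and adjacency rewrite described in the preceding sections, worked through for the Figure 13-1 flows as an added example (this is not code from the guide or from Cisco): a longest-prefix FIB whose entries point at adjacency entries, with connect adjacencies rewriting the MAC header and punt, no r/w and drop adjacencies handled as Table 13-1 describes. Addresses, VLAN names and the abbreviated MACs come from the figure; the prefix lengths, the adjacency chosen for the connected and wildcard entries, and the host MACs used as constructed inputs are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Adjacency types from Table 13-1: "connect" carries complete rewrite
# information, "punt" and "no r/w" hand the packet to the MSFC2, and the
# remaining types drop it.
@dataclass(frozen=True)
class Adjacency:
    kind: str                   # connect | punt | no r/w | frc drp | drop | null | loopbk
    mac: Optional[str] = None   # next-hop MAC address (connect only)
    vlan: Optional[str] = None  # next-hop VLAN (connect only)


@dataclass(frozen=True)
class FibEntry:
    prefix: ipaddress.IPv4Network  # destination address and mask
    kind: str                      # receive | connected | resolved | drop | wildcard | default
    adjacency: Adjacency           # adjacency entry this FIB entry points to


class Fib:
    """IP unicast lookup on the destination address; the longest mask wins."""

    def __init__(self, entries):
        # Most specific prefix first, so the first match is the best match.
        self.entries = sorted(entries, key=lambda e: e.prefix.prefixlen, reverse=True)

    def lookup(self, dst_ip: str) -> FibEntry:
        addr = ipaddress.IPv4Address(dst_ip)
        for entry in self.entries:
            if addr in entry.prefix:
                return entry
        raise LookupError(dst_ip)  # unreachable while a 0.0.0.0/0 wildcard exists


def l3_switch(fib: Fib, router_mac: str, src_mac: str, src_ip: str, dst_ip: str) -> dict:
    """Decide what the PFC2 does with one packet: rewrite, punt, or drop."""
    entry = fib.lookup(dst_ip)
    adj = entry.adjacency
    result = {"fib": entry.kind, "ingress": f"{src_mac}:{router_mac}",
              "src": src_ip, "dst": dst_ip}
    if adj.kind == "connect":
        # The source MAC becomes the MSFC's MAC, the destination MAC the
        # adjacent node's, and the frame leaves on the next-hop VLAN.
        result.update(action="rewrite", rewrite=f"{router_mac}:{adj.mac}", vlan=adj.vlan)
    elif adj.kind in ("punt", "no r/w"):
        result.update(action="punt", reason=adj.kind)
    else:
        result.update(action="drop", reason=adj.kind)
    return result


# Constructed tables for Figure 13-1. MACs are abbreviated as in the
# figure (Aa, Bb, Cc for the hosts, Dd for the MSFC).
ROUTER_MAC = "Dd"
FIGURE_13_1_FIB = Fib([
    # Host routes already resolved to connect adjacencies.
    FibEntry(ipaddress.ip_network("171.59.1.2/32"), "resolved", Adjacency("connect", "Aa", "Sales")),
    FibEntry(ipaddress.ip_network("171.59.3.1/32"), "resolved", Adjacency("connect", "Bb", "Marketing")),
    FibEntry(ipaddress.ip_network("171.59.2.2/32"), "resolved", Adjacency("connect", "Cc", "Engineering")),
    # Directly connected subnets: an unresolved host has no rewrite
    # information yet, so the packet is punted to the MSFC2 (no r/w).
    FibEntry(ipaddress.ip_network("171.59.1.0/24"), "connected", Adjacency("no r/w")),
    FibEntry(ipaddress.ip_network("171.59.2.0/24"), "connected", Adjacency("no r/w")),
    FibEntry(ipaddress.ip_network("171.59.3.0/24"), "connected", Adjacency("no r/w")),
    # Multicast range and catch-all, mirroring the "drop" and "wildcard"
    # FIB-Type rows of the show mls entry output later in this chapter.
    FibEntry(ipaddress.ip_network("224.0.0.0/4"), "drop", Adjacency("drop")),
    FibEntry(ipaddress.ip_network("0.0.0.0/0"), "wildcard", Adjacency("punt")),
])


def figure_13_1_rewrites() -> list:
    """The three rewrite rows of Figure 13-1, derived from the tables above."""
    flows = [("Aa", "171.59.1.2", "171.59.3.1"),
             ("Aa", "171.59.1.2", "171.59.2.2"),
             ("Cc", "171.59.2.2", "171.59.1.2")]
    return [l3_switch(FIGURE_13_1_FIB, ROUTER_MAC, *flow) for flow in flows]


if __name__ == "__main__":
    for row in figure_13_1_rewrites():
        print(row["src"], "->", row["dst"], row["ingress"], "=>", row["rewrite"], row["vlan"])
    print(l3_switch(FIGURE_13_1_FIB, ROUTER_MAC, "Aa", "171.59.1.2", "171.59.2.7"))  # punt: no r/w
    print(l3_switch(FIGURE_13_1_FIB, ROUTER_MAC, "Aa", "171.59.1.2", "10.0.0.1"))    # punt: wildcard
```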

Figure 13-2 shows a simple IPX CEF network topology. In this example, Host A is on the Sales VLAN
(IPX address 01.Aa), Host B is on the Marketing VLAN (IPX address 03.Bb), and Host C is on the
Engineering VLAN (IPX address 02.Cc).
When Host A initiates a file transfer to Host C, the PFC2 uses the information in the FIB and adjacency
table to forward packets from Host A to Host C.

Figure 13-2 IPX CEF Example Topology

[Figure: the MSFC (MAC Dd) routes between Net 01/Sales (Host A, IPX address 01.Aa, MAC Aa), Net 03/Marketing (Host B, IPX address 03.Bb, MAC Bb), and Net 02/Engineering (Host C, IPX address 02.Cc, MAC Cc). Host A sends "Data 01.Aa:02.Cc" with source/destination MAC Aa:Dd; the frame reaches Host C with the MAC header rewritten to Dd:Cc.]

Source IPX Address   Destination IPX Address   Rewrite Src/Dst MAC Address   Destination VLAN
01.Aa                03.Bb                     Dd:Bb                         Marketing
01.Aa                02.Cc                     Dd:Cc                         Engineering
02.Cc                01.Aa                     Dd:Aa                         Sales

Understanding NetFlow Statistics


These sections describe NetFlow statistics:
• NetFlow Statistics Overview, page 13-9
• NetFlow Table Entry Aging, page 13-10
• Flow Masks, page 13-10

NetFlow Statistics Overview


CEF for PFC2 generates flow statistics for Layer 3-switched traffic, which are stored in the NetFlow
table. NetFlow statistics can be displayed with show commands and are also available to NetFlow Data
Export (NDE).

Note A NetFlow table with more than 32K entries increases the probability that there will be insufficient
room to store statistics. To reduce the number of entries in the NetFlow table, you can exclude
specified IP protocols from the statistics (see the “Excluding IP Protocol Entries from the NetFlow
Table” section on page 13-25).

NetFlow statistics support unicast and multicast flows:
• A unicast flow can be any of the following:
– Destination only: all traffic to a particular destination
– Destination-source: all traffic from a particular source to a particular destination
– Full-flow: all traffic from a particular source to a particular destination that shares the same
protocol and transport-layer information
• A multicast flow is all traffic with the same protocol and transport-layer information from a
particular source to the members of a particular destination multicast group.

NetFlow Table Entry Aging


The state and identity of flows are maintained while packet traffic is active; when traffic for a flow
ceases, the entry ages out. You can configure the aging time for NetFlow table entries kept in the
NetFlow table. If an entry is not used for the specified period of time, the entry ages out and statistics
for that flow can be exported to a flow collector application.

Flow Masks
Flow masks determine how NetFlow table entries are created. CEF for PFC2 supports only one flow
mask (the most specific one) for all statistics. If CEF for PFC2 detects different flow masks from
different MSFCs for which it is performing Layer 3 switching, it changes its flow mask to the most
specific flow mask detected.
When the flow mask changes, the entire NetFlow table is purged. When CEF for PFC2 exports cached
entries, flow records are created based on the current flow mask. Depending on the current flow mask,
some fields in the flow record might not have values. Unsupported fields are filled with a zero (0).
The statistics flow masks are as follows:
• destination-ip—The least-specific flow mask for IP
• destination-ipx—The only flow mask for IPX
• source-destination-ip—For IP
• source-destination-vlan—For IP multicast
• full flow—The most-specific flow mask
Enter the show mls statistics entry command to display the contents of the NetFlow table and the
current flow mask. Use the keyword options to display information for specific traffic (refer to the
Catalyst 6000 Family Command Reference publication for more information).
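The flow-mask behaviour described in this section, modelled in Python as an added example (not the guide's or Cisco's code): entries are keyed by the current flow mask, the table adopts the most specific mask any participating MSFC requests, a mask change purges the whole table, and exported records carry a zero in fields the current mask does not supply. The packet fields, the record layout and the sample traffic are constructed; only the IP masks are modelled (destination-ipx and source-destination-vlan are omitted).

```python
from dataclasses import dataclass

# IP statistics flow masks from least to most specific, as listed above.
FLOW_MASKS = ["destination-ip", "source-destination-ip", "full-flow"]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str   # e.g. "TCP", "UDP", "ICMP"
    src_port: int
    dst_port: int
    length: int     # bytes on the wire


def flow_key(pkt: Packet, mask: str) -> tuple:
    """Fields that identify a NetFlow table entry under the given mask."""
    if mask == "destination-ip":
        return (pkt.dst_ip,)
    if mask == "source-destination-ip":
        return (pkt.dst_ip, pkt.src_ip)
    if mask == "full-flow":
        return (pkt.dst_ip, pkt.src_ip, pkt.protocol, pkt.dst_port, pkt.src_port)
    raise ValueError(mask)


class NetFlowTable:
    """Per-flow packet and byte counters keyed according to the current flow mask."""

    def __init__(self, mask: str = "destination-ip"):
        self.mask = mask
        self.entries = {}   # flow_key -> [packets, bytes]
        self.purges = 0     # how many times a mask change emptied the table

    def learn_mask_from(self, msfc_masks: list) -> str:
        """Adopt the most specific mask any MSFC requested; a change purges the table."""
        most_specific = max(msfc_masks, key=FLOW_MASKS.index)
        if FLOW_MASKS.index(most_specific) > FLOW_MASKS.index(self.mask):
            self.mask = most_specific
            self.entries.clear()
            self.purges += 1
        return self.mask

    def account(self, pkt: Packet) -> None:
        counters = self.entries.setdefault(flow_key(pkt, self.mask), [0, 0])
        counters[0] += 1
        counters[1] += pkt.length

    def export(self) -> list:
        """Flow records in a fixed layout; fields the mask does not carry are 0."""
        records = []
        for key, (pkts, octets) in self.entries.items():
            dst, src, proto, dport, sport = list(key) + [0] * (5 - len(key))
            records.append({"dst": dst, "src": src, "proto": proto,
                            "dport": dport, "sport": sport,
                            "pkts": pkts, "bytes": octets})
        return records


# Constructed sample traffic: two clients talking HTTP to one server, one
# of them also sending a DNS query to it.
SAMPLE = [
    Packet("10.1.1.10", "10.2.2.80", "TCP", 40000, 80, 1500),
    Packet("10.1.1.10", "10.2.2.80", "TCP", 40000, 80, 1500),
    Packet("10.1.1.11", "10.2.2.80", "TCP", 40001, 80, 600),
    Packet("10.1.1.11", "10.2.2.80", "UDP", 53000, 53, 90),
]


def demo() -> dict:
    """Feed the sample through successively more specific masks.
    Returns {mask: (entries_after_accounting, purges_so_far)}."""
    table = NetFlowTable()
    results = {}
    for masks_seen in (["destination-ip"],
                       ["destination-ip", "source-destination-ip"],
                       ["full-flow", "destination-ip"]):
        table.learn_mask_from(masks_seen)
        for pkt in SAMPLE:
            table.account(pkt)
        results[table.mask] = (len(table.entries), table.purges)
    return results


if __name__ == "__main__":
    for mask, (count, purges) in demo().items():
        print(f"{mask:24s} entries={count} purges_so_far={purges}")
    table = NetFlowTable("destination-ip")
    for pkt in SAMPLE:
        table.account(pkt)
    print(table.export())   # src, proto and ports are 0 under destination-ip
```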

Default CEF for PFC2 Configuration


Table 13-2 shows the default CEF for PFC2 configuration.

Table 13-2 Default CEF for PFC2 Configuration

Feature                                      Default Value
CEF for PFC2 enable state                    Enabled (cannot be disabled)
CEF enable state on MSFC2                    Enabled (cannot be disabled)
Multicast services (IGMP snooping or GMRP)   Disabled
Multicast routing on MSFC2                   Disabled globally
PIM routing on MSFC2                         Disabled on all interfaces
IP MMLS Threshold                            Unconfigured—no default value
IP MMLS                                      Enabled when multicast routing is enabled and IP PIM is enabled on the interface

CEF for PFC2 Configuration Guidelines and Restrictions


Follow these guidelines and restrictions when configuring CEF for PFC2:
• PFC2 supports a maximum of 16 unique Hot Standby Router Protocol (HSRP) group numbers. You
can use the same HSRP group numbers in different VLANs. If you configure more than 16 HSRP
groups, this restriction prevents use of the VLAN number as the HSRP group number.

Note Identically numbered HSRP groups use the same virtual MAC address, which might
cause errors if you configure bridging on the MSFC.

• Because of the restriction to 16 unique HSRP group numbers, CEF for PFC2 cannot support the
standby use-bia HSRP command.
• CEF for PFC2 supports the following ingress and egress encapsulations:
– For IP unicast:
Ethernet V2.0 (ARPA)
802.3 with 802.2 with 1 byte control (SAP1)
802.3 with 802.2 and SNAP
– For IPX:
Ethernet V2.0 (ARPA)
802.3 (raw)
802.2 with 1 byte control (SAP1)
SNAP

Note When the ingress encapsulation for IPX traffic is SAP1, CEF for PFC2 provides Layer 3
switching only when the egress encapsulation is also SAP1. The MSFC2 routes IPX
SAP1 traffic that requires an encapsulation change.

– For IP multicast—Ethernet V2.0 (ARPA)


CEF for PFC2 does not provide Layer 3 switching for an IP multicast flow in the following cases:
• For IP multicast groups that fall into the range 224.0.0.* (where * is in the range 0–255), which is
used by routing protocols. CEF for PFC2 supports 225.0.0.* through 239.0.0.* and 224.128.0.*
through 239.128.0.*.

Note Groups in the 224.0.0.* range are reserved for routing control packets and must be flooded
to all forwarding ports of the VLAN. These addresses map to the multicast MAC address
range 01-00-5E-00-00-xx, where xx is in the range 0–0xFF.

• For PIM auto-RP multicast groups (IP multicast group addresses 224.0.1.39 and 224.0.1.40).

Note In systems with redundant MSFC2s, the PIM interface configuration must be the same on
both the active and the redundant MSFC2.

• If the shortest-path tree (SPT) bit for the flow is cleared when running PIM sparse mode for the
interface or group.
• For fragmented IP packets and packets with IP options. However, packets in the flow that are not
fragmented or that do not specify IP options are multilayer switched.
• For source traffic received on tunnel interfaces (such as MBONE traffic).
• For any RPF interface with multicast tag switching enabled.
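The group-to-MAC mapping behind the 224.0.0.* note above, as an added example that is not part of the guide: it computes the 01-00-5E address for an IPv4 multicast group and flags the two reserved categories named in this list (routing control groups in 224.0.0.*, and the PIM auto-RP groups). The category names are constructed; the address ranges are the ones the guide gives.

```python
import ipaddress


def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet multicast MAC address.

    The MAC is 01-00-5E followed by the low 23 bits of the group address,
    so the five bits after the 1110 class-D prefix are not represented.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    low23 = int(addr) & 0x7FFFFF
    octets = (0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)
    return "-".join(f"{o:02x}" for o in octets)


# Groups the guide lists as not Layer 3 switched by CEF for PFC2.
CONTROL_RANGE = ipaddress.ip_network("224.0.0.0/24")        # 224.0.0.*: routing control
AUTO_RP_GROUPS = frozenset({"224.0.1.39", "224.0.1.40"})     # PIM auto-RP


def classify(group: str) -> tuple:
    """Return (category, mac).

    'flooded-control' for 224.0.0.*, which is flooded to all forwarding ports
    of the VLAN; 'auto-rp' for the PIM auto-RP groups; 'candidate' for groups
    that may be hardware switched, subject to the other restrictions above.
    """
    mac = multicast_mac(group)
    if ipaddress.IPv4Address(group) in CONTROL_RANGE:
        return ("flooded-control", mac)
    if group in AUTO_RP_GROUPS:
        return ("auto-rp", mac)
    return ("candidate", mac)


if __name__ == "__main__":
    for g in ("224.0.0.5", "224.0.0.9", "224.0.1.39", "239.252.1.1", "224.1.1.1"):
        print(g, *classify(g))
```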

Configuring CEF for PFC2


These sections describe how to configure CEF for PFC2:
• Displaying Layer 3-Switching Entries on the Supervisor Engine, page 13-12
• Configuring CEF on the MSFC2, page 13-14
• Configuring IP Multicast on the MSFC2, page 13-14
• Displaying IP Multicast Information, page 13-16

Note For information on configuring routing on the MSFC2, see Chapter 12, “Configuring InterVLAN
Routing.”

Displaying Layer 3-Switching Entries on the Supervisor Engine


CEF for PFC2 is permanently enabled on Supervisor Engine 2 with the PFC2 and the MSFC2. No
configuration is required.
To display all the Layer 3-switching entries on the supervisor engine, perform this task:

Task Command
Display Layer 3-switching information. show mls entry [cef] | [netflow-route]

This example shows how to display the Layer 3-switching entries:


Console> (enable) show mls entry
Mod FIB-Type Destination-IP Destination-Mask NextHop-IP Weight
--- --------- --------------- ---------------- --------------- ------
15 receive 0.0.0.0 255.255.255.255
15 receive 255.255.255.255 255.255.255.255
15 receive 127.0.0.12 255.255.255.255
16 receive 127.0.0.0 255.255.255.255
16 receive 127.255.255.255 255.255.255.255
15 resolved 127.0.0.11 255.255.255.255 127.0.0.11 1
15 receive 21.2.0.4 255.255.255.255
16 receive 21.0.0.0 255.255.255.255
16 receive 21.255.255.255 255.255.255.255
15 receive 44.0.0.1 255.255.255.255
16 receive 44.0.0.0 255.255.255.255
16 receive 44.255.255.255 255.255.255.255
15 receive 42.0.0.1 255.255.255.255
16 receive 42.0.0.0 255.255.255.255
16 receive 42.255.255.255 255.255.255.255
15 receive 43.0.0.99 255.255.255.255
15 receive 43.0.0.0 255.255.255.255
15 receive 43.255.255.255 255.255.255.255
15 receive 192.20.20.20 255.255.255.255
16 receive 21.2.0.5 255.255.255.255
16 receive 42.0.0.20 255.255.255.255
15 connected 43.0.0.0 255.0.0.0
15 drop 224.0.0.0 240.0.0.0
15 wildcard 0.0.0.0 0.0.0.0

Mod FIB-Type Dest-IPX-net NextHop-IPX Weight
--- --------- ------------ ------------------------- ------
15 connected 21
15 connected 44
15 connected 42
15 resolved 450 42.0050.3EA9.ABFD 1
15 resolved 480 42.0050.3EA9.ABFD 1
15 wildcard 0

Destination-IP Source-IP Prot DstPrt SrcPrt Destination-Mac Vlan EDst Stat-Pkts
Stat-Bytes Uptime Age TcpDltSeq TcpDltAck
--------------- --------------- ----- ------ ------ ----------------- ---- ---- ----------
----------- -------- -------- --------- ---------
0.0.0.5 0.0.0.5 5 204 104 cc-cc-cc-cc-cc-cc 5 ARPA 0
0 01:03:18 01:00:51 cccccccc cccccccc
0.0.0.2 0.0.0.2 2 201 101 cc-cc-cc-cc-cc-cc 2 ARPA 0
0 01:03:21 01:00:51 cccccccc cccccccc
0.0.0.4 0.0.0.4 4 203 X cc-cc-cc-cc-cc-cc 4 ARPA 0
0 01:03:19 01:00:51 cccccccc cccccccc
0.0.0.1 0.0.0.1 ICMP 200 100 cc-cc-cc-cc-cc-cc 1 ARPA 0
0 01:03:25 01:00:52 cccccccc cccccccc
0.0.0.3 0.0.0.3 3 202 102 cc-cc-cc-cc-cc-cc 3 ARPA 0
0 01:03:20 01:00:52 cccccccc cccccccc
0.0.0.6 0.0.0.6 TCP 205 105 cc-cc-cc-cc-cc-cc 6 ARPA 0
0 01:03:18 01:00:52 cccccccc cccccccc
Console> (enable)

Enter the show mls entry cef command to display only the FIB entries. Enter the show mls entry
netflow-route command to display only the entries from the TCP intercept feature and reflexive access
control lists (ACLs).

Configuring CEF on the MSFC2


CEF is permanently enabled on the MSFC2. No configuration is required to support CEF for PFC2.

Note The ip load-sharing per-packet, ip cef accounting per-prefix, and ip cef accounting
non-recursive IOS CEF commands on the MSFC2 apply only to traffic that is CEF-switched on the
MSFC. The commands do not affect traffic that is switched by CEF for PFC2 on the supervisor
engine.

Configuring IP Multicast on the MSFC2


These sections describe how to configure the MSFC2 for IP multicast:
• Enabling IP Multicast Routing Globally, page 13-14
• Enabling IP PIM on an MSFC2 Interface, page 13-15
• Configuring the IP MMLS Global Threshold, page 13-15
• Enabling IP MMLS on MSFC Interfaces, page 13-15

Note This section describes how to enable IP multicast routing on the MSFC2. For more detailed IP
multicast configuration information, refer to the “IP Multicast” section of the Cisco IOS IP and IP
Routing Configuration Guide at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt3/index.htm

Enabling IP Multicast Routing Globally


You must enable IP multicast routing globally on the MSFC2 before you can enable PIM on MSFC
interfaces.
To enable IP multicast routing globally on the MSFC2, perform this task in global configuration mode:

Task Command
Enable IP multicast routing globally. Router(config)# ip multicast-routing

This example shows how to enable IP multicast routing globally:


Router(config)# ip multicast-routing
Router(config)#

Enabling IP PIM on an MSFC2 Interface


You must enable PIM on MSFC2 interfaces before IP multicast will function on those interfaces.
To enable IP PIM on an MSFC2 interface, perform this task in interface configuration mode:

Task                                  Command
Enable IP PIM on an MSFC2 interface.  Router(config-if)# ip pim {dense-mode | sparse-mode | sparse-dense-mode}

This example shows how to enable PIM on an MSFC2 interface using the default mode
(sparse-dense-mode):
Router(config-if)# ip pim
Router(config-if)#

This example shows how to enable PIM sparse mode on an MSFC2 interface:
Router(config-if)# ip pim sparse-mode
Router(config-if)#

Configuring the IP MMLS Global Threshold


You can configure a global multicast rate threshold, specified in packets per second, below which all
multicast traffic is routed by the MSFC. This prevents creation of MLS entries for short-lived multicast
flows, such as join requests.

Note This command does not affect flows that are already being routed. To apply the threshold to existing
routes, clear the route and let it reestablish.

To configure the IP MMLS threshold, perform this task:

Task Command
Configure the IP MMLS threshold. Router(config)# [no] mls ip multicast threshold ppsec

This example shows how to configure the IP MMLS threshold to 10 packets per second:
Router(config)# mls ip multicast threshold 10
Router(config)#

Use the no keyword to deconfigure the threshold.

Enabling IP MMLS on MSFC Interfaces


IP MMLS is enabled by default on the MSFC interface when you enable IP PIM on the interface.
Perform this task only if you disabled IP MMLS on the interface and you want to reenable it.

Note You must enable IP PIM on all participating MSFC interfaces before IP MMLS will function. For
information on configuring IP PIM on MSFC interfaces, see the “Enabling IP PIM on an MSFC2
Interface” section on page 13-15.

To enable IP MMLS on an MSFC interface, perform this task:

Task Command
Enable IP MMLS on an MSFC interface. Router(config-if)# [no] mls ip multicast

This example shows how to enable IP MMLS on an MSFC interface:


Router(config-if)# mls ip multicast
Router(config-if)#

Use the no keyword to disable IP MMLS on an MSFC interface.

Displaying IP Multicast Information


These sections describe how to display IP multicast information:
• Displaying IP Multicast Information on the MSFC2, page 13-16
• Displaying IP Multicast Information on the Supervisor Engine, page 13-20

Displaying IP Multicast Information on the MSFC2


These sections describe displaying IP multicast information on the MSFC2:
• Displaying IP MMLS Interface Information, page 13-16
• Displaying the IP Multicast Routing Table, page 13-17
• Displaying IP Multicast Details, page 13-17
• Using Debug Commands, page 13-19
• Using Debug Commands on the SCP, page 13-19

Displaying IP MMLS Interface Information

The show ip pim interface count command displays the IP MMLS enable state on MSFC IP PIM
interfaces and the number of packets received and sent on the interface.
The show ip interface command displays the IP MMLS enable state on an MSFC interface.
To display IP MMLS information for an IP PIM MSFC interface, perform one of these tasks:

Task Command
Display IP MMLS interface information. Router# show ip pim interface [type number] count
Display the IP MMLS interface enable state. Router# show ip interface

Displaying the IP Multicast Routing Table

The show ip mroute command displays the IP multicast routing table on the MSFC2.
To display the IP multicast routing table, perform this task:

Task                                      Command
Display the IP multicast routing table.   Router# show ip mroute [group [source]] | [summary] | [count] | [active kbps]

This example shows how to display the IP multicast routing table:


Router# show ip mroute 239.252.1.1
IP Multicast Routing Table
Flags:D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned
R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT
M - MSDP created entry, X - Proxy Join Timer Running
A - Advertised via MSDP
Outgoing interface flags:H - Hardware switched
Timers:Uptime/Expires
Interface state:Interface, Next-Hop or VCD, State/Mode

(*, 239.252.1.1), 04:04:59/00:02:59, RP 80.0.0.2, flags:SJ
  Incoming interface:Vlan800, RPF nbr 80.0.0.2
  Outgoing interface list:
    Vlan10, Forward/Dense, 01:29:57/00:00:00, H

(22.0.0.10, 239.252.1.1), 00:00:19/00:02:41, flags:JT
  Incoming interface:Vlan800, RPF nbr 80.0.0.2, RPF-MFD
  Outgoing interface list:
    Vlan10, Forward/Dense, 00:00:19/00:00:00, H

Displaying IP Multicast Details

The show mls ip multicast command displays detailed information about IP MMLS.
To display detailed MMLS information on the MSFC, perform one of these tasks:

Task                                          Command
Display IP MMLS group information.            Router# show mls ip multicast group group-address [interface type number | statistics]
Display IP MMLS details for all interfaces.   Router# show mls ip multicast interface type number [statistics | summary]
Display a summary of IP MMLS information.     Router# show mls ip multicast summary
Display IP MMLS statistics.                   Router# show mls ip multicast statistics
Display IP MMLS source information.           Router# show mls ip multicast source ip-address [interface type number | statistics]

This example shows how to display IP MMLS statistics on the MSFC:


Router# show mls ip multicast statistics
MLS Multicast configuration and state:
Router Mac:0050.0f2d.9bfd, Router IP:1.12.123.234
MLS multicast operating state:ACTIVE
Maximum number of allowed outstanding messages:1
Maximum size reached from feQ:1
Feature Notification sent:5
Feature Notification Ack received:4
Unsolicited Feature Notification received:0
MSM sent:33
MSM ACK received:33
Delete notifications received:1
Flow Statistics messages received:248

MLS Multicast statistics:
Flow install Ack:9
Flow install Nack:0
Flow update Ack:2
Flow update Nack:0
Flow delete Ack:0
Complete flow install Ack:10
Complete flow install Nack:0
Complete flow delete Ack:1
Input VLAN delete Ack:4
Output VLAN delete Ack:0
Group delete sent:0
Group delete Ack:0
Global delete sent:7
Global delete Ack:7

L2 entry not found error:0
Generic error :3
LTL entry not found error:0
MET entry not found error:0
L3 entry exists error :0
Hash collision error :0
L3 entry not found error:0
Complete flow exists error :0

This example shows how to display information on a specific IP MMLS entry on the MSFC:
Router# show mls ip multicast 224.1.1.1
Multicast hardware switched flows:
(1.1.13.1, 224.1.1.1) Incoming interface: Vlan13, Packets switched: 61590
Hardware switched outgoing interfaces: Vlan20 Vlan9
RFD-MFD installed: Vlan13

(1.1.9.3, 224.1.1.1) Incoming interface: Vlan9, Packets switched: 0
Hardware switched outgoing interfaces: Vlan20
RFD-MFD installed: Vlan9

(1.1.12.1, 224.1.1.1) Incoming interface: Vlan12, Packets switched: 62010
Hardware switched outgoing interfaces: Vlan20 Vlan9
RFD-MFD installed: Vlan12

(1.1.12.3, 224.1.1.1) Incoming interface: Vlan12, Packets switched: 61980
Hardware switched outgoing interfaces: Vlan20 Vlan9
RFD-MFD installed: Vlan12

(1.1.11.1, 224.1.1.1) Incoming interface: Vlan11, Packets switched: 62430
Hardware switched outgoing interfaces: Vlan20 Vlan9
RFD-MFD installed: Vlan11

(1.1.11.3, 224.1.1.1) Incoming interface: Vlan11, Packets switched: 62430
Hardware switched outgoing interfaces: Vlan20 Vlan9
RFD-MFD installed: Vlan11

Total hardware switched installed: 6
Router#

This example shows how to display a summary of IP MMLS information on the MSFC:
Router# show mls ip multicast summary
7 MMLS entries using 560 bytes of memory
Number of partial hardware-switched flows:2
Number of complete hardware-switched flows:5
Router#

Using Debug Commands

Table 13-3 describes IP MMLS-related debug troubleshooting commands.

Table 13-3 IP MMLS Debug Commands

Command                                                 Description
[no] debug mls ip multicast group group_id group_mask   Configures filtering that applies to all other multicast debugging commands.
[no] debug mls ip multicast events                      Displays IP MMLS events.
[no] debug mls ip multicast errors                      Turns on debug messages for multicast MLS-related errors.
[no] debug mls ip multicast messages                    Displays IP MMLS messages from/to the hardware switching engine.
[no] debug mls ip multicast all                         Turns on all IP MMLS messages.
[no] debug mdss error                                   Turns on MDSS (1) error messages.
[no] debug mdss events                                  Turns on MDSS-related events.
[no] debug mdss all                                     Turns on all MDSS messages.
1. MDSS = Multicast Distributed Switching Services

Using Debug Commands on the SCP

Table 13-4 describes the Serial Control Protocol (SCP)-related debug commands to troubleshoot the
SCP that runs over the Ethernet out-of-band channel (EOBC).

Table 13-4 SCP Debug Commands

Command                  Description
[no] debug scp async     Displays trace for asynchronous data in and out of the SCP system.
[no] debug scp data      Shows packet data trace.
[no] debug scp errors    Displays errors and warnings in the SCP.
[no] debug scp packets   Displays packet data in and out of the SCP system.
[no] debug scp timeouts  Reports timeouts.
[no] debug scp all       Turns on all SCP debugging messages.

Displaying IP Multicast Information on the Supervisor Engine


These sections describe how to display IP multicast information:
• Displaying IP Multicast Statistics, page 13-20
• Clearing IP Multicast Statistics, page 13-21
• Displaying IP Multicast Entries, page 13-21

Displaying IP Multicast Statistics

The show mls multicast statistics command displays IP multicast statistics.


To display IP multicast statistics, perform this task:

Task Command
Display IP multicast statistics. show mls multicast statistics [ip_addr]

This example shows how to display IP multicast statistics for the MSFC2:
Console (enable) show mls multicast statistics
Router IP Router Name Router MAC
-------------------------------------------------------
1.1.9.254 ? 00-50-0f-06-3c-a0

Transmit:
Delete Notifications: 23
Acknowledgements: 92
Flow Statistics: 56

Receive:
Open Connection Requests: 1
Keep Alive Messages: 72
Shortcut Messages: 19
Shortcut Install TLV: 8
Selective Delete TLV: 4
Group Delete TLV: 0
Update TLV: 3
Input VLAN Delete TLV: 0
Output VLAN Delete TLV: 0
Global Delete TLV: 0
MFD Install TLV: 7
MFD Delete TLV: 0
Router IP Router Name Router MAC
-------------------------------------------------------
1.1.5.252 ? 00-10-29-8d-88-01

Transmit:
Delete Notifications: 22
Acknowledgements: 75
Flow Statistics: 22

Receive:
Open Connection Requests: 1
Keep Alive Messages: 68
Shortcut Messages: 6
Shortcut Install TLV: 4
Selective Delete TLV: 2
Group Delete TLV: 0
Update TLV: 0
Input VLAN Delete TLV: 0
Output VLAN Delete TLV: 0
Global Delete TLV: 0
MFD Install TLV: 4
MFD Delete TLV: 0
Console (enable)

Clearing IP Multicast Statistics

The clear mls multicast statistics command clears IP multicast statistics.


To clear IP multicast statistics, perform this task in privileged mode:

Task Command
Clear IP multicast statistics. clear mls multicast statistics

This example shows how to clear IP multicast statistics:


Console> (enable) clear mls multicast statistics
All statistics for the MLS routers in include list are cleared.
Console> (enable)

Displaying IP Multicast Entries

The show mls multicast entry command displays a variety of information about the multicast flows
being handled by the PFC. You can display entries based on any combination of the participating
MSFC2, the VLAN, the multicast group address, or the multicast traffic source.
To display information about IP multicast entries, perform this task in privileged mode:

Task                                             Command
Display information about IP multicast entries.  show mls multicast entry [[[mod] [vlan vlan_id] [group ip_addr] [source ip_addr]] | [all]]

This example shows how to display all IP multicast entries:


Console> (enable) show mls multicast entry all
Router IP Dest IP Source IP Pkts Bytes InVlan OutVlans
--------------- --------------- --------------- ---------- ----------- ------- --------
1.1.5.252 224.1.1.1 1.1.11.1 15870 2761380 20
1.1.9.254 224.1.1.1 1.1.12.3 473220 82340280 12
1.1.5.252 224.1.1.1 1.1.12.3 15759 2742066 20
1.1.9.254 224.1.1.1 1.1.11.1 473670 82418580 11
1.1.5.252 224.1.1.1 1.1.11.3 15810 2750940 20
1.1.9.254 224.1.1.1 1.1.12.1 473220 82340280 12
1.1.5.252 224.1.1.1 1.1.13.1 15840 2756160 20
1.1.9.254 224.1.1.1 1.1.13.1 472770 82261980 13
1.1.5.252 224.1.1.1 1.1.12.1 15840 2756160 20
1.1.9.254 224.1.1.1 1.1.11.3 473667 82418058 11
Total Entries: 10
Console> (enable)

This example shows how to display IP multicast entries for a specific MSFC2:
Console> (enable) show mls multicast entry 15
Router IP Dest IP Source IP Pkts Bytes InVlan OutVlans
--------------- --------------- --------------- ---------- ----------- ------- --------
1.1.5.252 224.1.1.1 1.1.11.1 15870 2761380 20
1.1.5.252 224.1.1.1 1.1.12.3 15759 2742066 20
1.1.5.252 224.1.1.1 1.1.11.3 15810 2750940 20
1.1.5.252 224.1.1.1 1.1.13.1 15840 2756160 20
1.1.5.252 224.1.1.1 1.1.12.1 15840 2756160 20
Total Entries: 5
Console> (enable)

This example shows how to display IP multicast entries for a specific multicast group address:
Console> (enable) show mls multicast entry group 226.0.1.3 short
Router IP Dest IP Source IP InVlan Pkts Bytes OutVlans
-------------- ----------- ------------ ------ ------ --------- ---------
171.69.2.1 226.0.1.3 172.2.3.8 20 171 23512 10,201,22,45
171.69.2.1 226.0.1.3 172.3.4.9 12 25 3120 8,20
Total Entries: 2
Console> (enable)

This example shows how to display IP multicast entries for a specific MSFC2 and a specific multicast
source address:
Console> (enable) show mls multicast entry 15 source 1.1.11.1 short
Router IP Dest IP Source IP Pkts Bytes
InVlan OutVlans
--------------- --------------- --------------- ---------- --------------------
------ ----------
172.20.49.159 224.1.1.6 1.1.40.4 368 57776
40 23,25
172.20.49.159 224.1.1.71 1.1.22.2 99 65142
22 30,37
172.20.49.159 224.1.1.8 1.1.22.2 396 235620
22 13,19
Console> (enable)

Configuring NetFlow Statistics


These sections describe how to configure NetFlow statistics:
• Specifying the NetFlow Table Entry Aging-Time Value, page 13-23
• Specifying NetFlow Table IP Entry Fast Aging Time and Packet Threshold Values, page 13-24
• Setting the Minimum Statistics Flow Mask, page 13-24
• Excluding IP Protocol Entries from the NetFlow Table, page 13-25
• Displaying NetFlow Statistics, page 13-25
• Clearing NetFlow IP and IPX Statistics, page 13-26
• Displaying NetFlow Statistics Debug Information, page 13-28


Specifying the NetFlow Table Entry Aging-Time Value


The entry aging time for each protocol (IP and IPX) applies to all protocol-specific NetFlow table
entries. Any entry that has not been used for agingtime seconds is aged out. The default is 256 seconds.
You can specify the aging time in the range of 8 to 2032 seconds in 8-second increments. Any aging-time
value that is not a multiple of 8 seconds is adjusted to the closest multiple of 8 seconds. For example, a
value of 65 is adjusted to 64 and a value of 127 is adjusted to 128.
To specify the entry aging time for both IP and IPX, perform this task in privileged mode:

Task: Specify the aging time for NetFlow table entries.
Command: set mls agingtime [agingtime]

This example shows how to specify the entry aging time:
Console> (enable) set mls agingtime 512
Multilayer switching agingtime IP and IPX set to 512
Console> (enable)

To specify the IP entry aging time, perform this task in privileged mode:

Task: Specify the IP entry aging time for the NetFlow table.
Command: set mls agingtime ip [agingtime]

This example shows how to specify the IP entry aging time:
Console> (enable) set mls agingtime ip 512
Multilayer switching aging time IP set to 512
Console> (enable)

To specify the IPX entry aging time, perform this task in privileged mode:

Task: Specify the IPX entry aging time for the NetFlow table.
Command: set mls agingtime ipx [agingtime]

This example shows how to specify the IPX entry aging time:
Console> (enable) set mls agingtime ipx 512
Multilayer switching aging time IPX set to 512
Console> (enable)


Specifying NetFlow Table IP Entry Fast Aging Time and Packet Threshold Values

Note IPX entries do not use fast aging.

To minimize the size of the NetFlow table, enable IP entry fast aging time. The IP entry fast aging time
applies to NetFlow table entries that have no more than pkt_threshold packets routed within
fastagingtime seconds after they are created. A typical NetFlow table entry that is removed is the entry
for flows to and from a Domain Name Server (DNS) or TFTP server; the entry might never be used again
after it is created. Detecting and aging out these entries saves space in the NetFlow table for other data
traffic.
The default fastagingtime value is 0 (no fast aging). You can configure the fastagingtime value to 32, 64,
96, or 128 seconds. Any fastagingtime value that is not configured exactly as the indicated values is
adjusted to the closest one. You can configure the pkt_threshold value to 0, 1, 3, 7, 15, 31, or 63 packets.
If you need to enable IP entry fast aging time, initially set the value to 128 seconds. If the NetFlow table
remains full, decrease the setting. If the NetFlow table continues to remain full, decrease the normal IP
entry aging time.
Typical values for fastagingtime and pkt_threshold are 32 seconds and 0 packets (no packets switched
within 32 seconds after the entry is created).
To specify the IP entry fast aging time and packet threshold, perform this task in privileged mode:

Task: Specify the IP entry fast aging time and packet threshold for a NetFlow table entry.
Command: set mls agingtime fast [fastagingtime] [pkt_threshold]

This example shows how to set the IP entry fast aging time to 32 seconds with a packet threshold of
0 packets:
Console> (enable) set mls agingtime fast 32 0
Multilayer switching fast aging time set to 32 seconds for entries with no more than 0
packets switched.
Console> (enable)

Setting the Minimum Statistics Flow Mask


You can set the minimum granularity of the flow mask for the NetFlow table. The actual flow mask used
will be at least of the granularity specified by this command. For information on how the different flow
masks work, see the “Flow Masks” section on page 13-10.

Note Entering a set mls flow command purges all existing entries in the NetFlow table.


To set the minimum NetFlow statistics flow mask, perform this task in privileged mode:

Task: Set the minimum statistics flow mask.
Command: set mls flow {destination | destination-source | full}

This example shows how to set the minimum statistics flow mask to destination-source-ip:
Console> (enable) set mls flow destination-source
Configured IP flow mask is set to destination-source flow.
Console> (enable)

Excluding IP Protocol Entries from the NetFlow Table


You can configure the NetFlow table to exclude specified IP protocols.
To exclude IP protocols from the NetFlow table, perform this task in privileged mode:

Task: Exclude IP protocols from the NetFlow table.
Command: set mls exclude protocol {tcp | udp | both} port

The port parameter can be a port number or a keyword: dns, ftp, smtp, telnet, x (X-Windows), or www.
This example shows how to exclude Telnet traffic from the NetFlow table:
Console> (enable) set mls exclude protocol tcp telnet
NetFlow table will not create entries for TCP packets with protocol port 23.
Note: MLS exclusion only works in full flow mode.
Console> (enable)

Displaying NetFlow Statistics

Note To display the forwarding decision entries, enter the show mls entry cef command (see the
“Displaying Layer 3-Switching Entries on the Supervisor Engine” section on page 13-12.)

To display a summary of NetFlow table entries and statistics, perform this task in privileged mode:

Task: Display all NetFlow table entries and statistics.
Command: show mls

This example shows how to display all NetFlow table entries:
Console> (enable) show mls
show mls
=======
Total packets switched = 2
Total bytes switched = 112
Total routes = 48


IP statistics flows aging time = 256 seconds
IP statistics flows fast aging time = 0 seconds, packet threshold = 0
IP Current flow mask is Full flow
Netflow Data Export version:7
Netflow Data Export disabled
Netflow Data Export port/host is not configured.
Total packets exported = 0

IPX statistics flows aging time = 256 seconds
IPX flow mask is Destination flow
IPX max hop is 15

Module 15:Physical MAC-Address 00-50-3e-a9-ab-fc
Vlan Virtual MAC-Address(es)
---- -----------------------
42 00-00-0c-07-ac-00
Console>

The show mls statistics entry command can display all statistics or statistics for specific NetFlow table
entries. Specify the destination address, source address, and for IP, the protocol, and source and
destination ports to see the statistics for a specific NetFlow table entry.
A value of zero (0) for src_port or dst_port is treated as a wildcard, and all NetFlow statistics are
displayed (unspecified options are treated as wildcards). If the protocol specified is not TCP or UDP, set
src_port and dst_port to 0 or no NetFlow statistics will display.
To display statistics for NetFlow table entries, perform this task in privileged mode:

Task: Display statistics for NetFlow table entries. If you do not specify a NetFlow table entry, all NetFlow statistics are shown.
Command: show mls statistics entry [ip | ipx | uptime] [destination ip_addr_spec] [source ip_addr_spec] [flow protocol src_port dst_port]

This example shows how to display NetFlow statistics for a particular NetFlow table entry:
Console> show mls statistics entry ip destination 172.20.22.14
Last Used
Destination IP Source IP Prot DstPrt SrcPrt Stat-Pkts Stat-Bytes
--------------- --------------- ---- ------ ------ --------- -----------
MSFC 127.0.0.12:
172.20.22.14 172.20.25.10 6 50648 80 3152 347854
Console>

Clearing NetFlow IP and IPX Statistics


These sections describe clearing NetFlow statistics:
• Clearing All NetFlow Statistics, page 13-27
• Clearing NetFlow IP Statistics, page 13-27
• Clearing NetFlow IPX Statistics, page 13-28
• Clearing NetFlow Statistics Totals, page 13-28

Note The clear mls commands affect only statistics. None of the clear mls commands affect forwarding
entries or the NetFlow table entries that correspond to the forwarding entries.


Clearing All NetFlow Statistics


To clear all NetFlow IP and IPX statistics, perform this task in privileged mode:

Task: Clear all NetFlow statistics.
Command: clear mls statistics entry all

This example shows how to clear all NetFlow statistics:
Console> (enable) clear mls statistics entry all
All MLS IP and IPX entries cleared.
Console> (enable)

Clearing NetFlow IP Statistics


The clear mls statistics entry ip command clears NetFlow IP statistics. Use the all keyword to clear all
NetFlow IP statistics. The destination and source keywords specify the source and destination IP
addresses. The destination and source ip_addr_spec can be a full IP address or a subnet address in the
format ip_subnet_addr, ip_addr/subnet_mask, or ip_addr/subnet_mask_bits.
The flow keyword specifies the following additional flow information:
• Protocol family (protocol)—Specify tcp, udp, icmp, or a decimal number for other protocol
families. A value of zero (0) for protocol is treated as a wildcard (unspecified options are treated as
wildcards).
• TCP or UDP source and destination port numbers (src_port and dst_port)—If the protocol you
specify is TCP or UDP, specify the source and destination TCP or UDP port numbers. A value of
zero (0) for src_port or dst_port is treated as a wildcard (unspecified options are treated as
wildcards). For other protocols, set the src_port and dst_port to 0, or no entries will clear.
To clear statistics for a NetFlow table IP entry, perform this task in privileged mode:

Task: Clear statistics for a NetFlow table IP entry.
Command: clear mls statistics entry ip [destination ip_addr_spec] [source ip_addr_spec] [flow protocol src_port dst_port] [all]

This example shows how to clear statistics for NetFlow table entries with destination IP address
172.20.26.22:
Console> (enable) clear mls statistics entry ip destination 172.20.26.22
MLS IP entry cleared
Console> (enable)

This example shows how to clear statistics for NetFlow table entries with destination IP address
172.20.22.113, TCP source port 1652, and TCP destination port 23:
Console> (enable) clear mls statistics entry destination 172.20.26.22 source 172.20.22.113
flow tcp 1652 23
MLS IP entry cleared
Console> (enable)


Clearing NetFlow IPX Statistics


The clear mls statistics entry ipx command clears NetFlow IPX statistics. Use the all keyword to clear
all NetFlow IPX statistics. The destination and source keywords specify the source and destination IPX
addresses.
To clear statistics for a NetFlow table IPX entry, perform this task in privileged mode:

Task: Clear statistics for a NetFlow table IPX entry.
Command: clear mls statistics entry ipx [destination ipx_addr_spec] [source ipx_addr_spec] [all]

This example shows how to clear statistics for IPX MLS entries with destination IPX address
1.0002.00e0.fefc.6000:
Console> (enable) clear mls statistics entry ipx destination 1.0002.00e0.fefc.6000
MLS IPX entry cleared.
Console> (enable)

Clearing NetFlow Statistics Totals


The clear mls statistics command clears the following NetFlow statistics:
• Total packets switched (IP and IPX)
• Total packets exported (for NDE)
To clear NetFlow statistic totals, perform this task in privileged mode:

Task: Clear NetFlow statistics totals.
Command: clear mls statistics

This example shows how to clear NetFlow statistics totals:
Console> (enable) clear mls statistics
All mls statistics cleared.
Console> (enable)

Displaying NetFlow Statistics Debug Information


The show mls debug command displays NetFlow statistics debug information that you can send to your
technical support representative for analysis if necessary.
To display NetFlow statistics debug information, perform this task:

Task: Display NetFlow statistics debug information that you can send to your technical support representative.
Command: show mls debug

Note The show tech-support command displays supervisor engine system information. Use
application-specific commands to get more information about particular applications.

Chapter 14
Configuring MLS

This chapter describes how to configure Multilayer Switching (MLS) for the Catalyst 6000 family
switches. MLS provides IP and Internetwork Packet Exchange (IPX) unicast Layer 3 switching and IP
multicast Layer 3 switching with Supervisor Engine 1, the Policy Feature Card (PFC), and the
Multilayer Switch Feature Card (MSFC) or MSFC2.

Note For complete information on the syntax and usage information for the supervisor engine commands
used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:
• Understanding How Layer 3 Switching Works, page 14-1
• Default MLS Configuration, page 14-10
• Configuration Guidelines and Restrictions, page 14-11
• Configuring MLS, page 14-14

Note Supervisor Engine 2, PFC2, and MSFC2 provide Layer 3 switching with Cisco Express Forwarding
for PFC2 (CEF for PFC2). See Chapter 13, “Configuring CEF for PFC2,” for more information.

Understanding How Layer 3 Switching Works


Layer 3 switching allows the switch, instead of a router, to forward IP and IPX unicast traffic and IP
multicast traffic between VLANs. Layer 3 switching is implemented in hardware and provides
wire-speed interVLAN forwarding on the switch, rather than on the MSFC. Layer 3 switching requires
minimal support from the MSFC. The MSFC routes any traffic that cannot be Layer 3 switched.

Note Layer 3 switching supports the routing protocols configured on the MSFC. Layer 3 switching does
not replace the routing protocols configured on the MSFC. Layer 3 switching uses IP Protocol
Independent Multicast (IP PIM) for multicast route determination.

Layer 3 switching on Catalyst 6000 family switches provides traffic statistics that you can use to identify
traffic characteristics for administration, planning, and troubleshooting. Layer 3 switching uses NetFlow
Data Export (NDE) to export flow statistics (for more information about NDE, see Chapter 15,
“Configuring NDE”).


These sections describe Layer 3 switching and MLS on the Catalyst 6000 family switches:
• Understanding Layer 3-Switched Packet Rewrite, page 14-2
• Understanding MLS, page 14-4

Understanding Layer 3-Switched Packet Rewrite


When a packet is Layer 3 switched from a source in one VLAN to a destination in another VLAN, the
switch performs a packet rewrite at the egress port based on information learned from the MSFC so that
the packets appear to have been routed by the MSFC.

Note Rather than just forwarding multicast packets, the switch replicates them as necessary on the
appropriate VLANs.

Packet rewrite alters five fields:
• Layer 2 (MAC) destination address
• Layer 2 (MAC) source address
• Layer 3 IP Time to Live (TTL) or IPX Transport Control
• Layer 3 checksum
• Layer 2 (MAC) checksum (also called the frame checksum or FCS)
If Source A and Destination B are on different VLANs and Source A sends a packet to the MSFC to be
routed to Destination B, the switch recognizes that the packet was sent to the Layer 2 (MAC) address of
the MSFC.
To perform Layer 3 switching, the switch rewrites the Layer 2 frame header, changing the Layer 2
destination address to the Layer 2 address of Destination B and the Layer 2 source address to the Layer 2
address of the MSFC. The Layer 3 addresses remain the same.
In IP unicast and IP multicast traffic, the switch decrements the Layer 3 Time to Live (TTL) value by 1
and recomputes the Layer 3 packet checksum. In IPX traffic, the switch increments the Layer 3
Transport Control value by 1 and recomputes the Layer 3 packet checksum. The switch recomputes the
Layer 2 frame checksum and forwards (or for multicast packets, replicates as necessary) the rewritten
packet to Destination B’s VLAN.
These sections describe how the packets are rewritten:
• Understanding IP Unicast Rewrite, page 14-2
• Understanding IPX Unicast Rewrite, page 14-3
• Understanding IP Multicast Rewrite, page 14-3

Understanding IP Unicast Rewrite


Received IP unicast packets are (conceptually) formatted as follows:

Layer 2 Frame Header           Layer 3 IP Header                                     Data  FCS
Destination   Source           Destination        Source        TTL   Checksum
MSFC MAC      Source A MAC     Destination B IP   Source A IP   n     calculation1


After the switch rewrites an IP unicast packet, it is (conceptually) formatted as follows:

Layer 2 Frame Header                Layer 3 IP Header                                     Data  FCS
Destination         Source          Destination        Source        TTL   Checksum
Destination B MAC   MSFC MAC        Destination B IP   Source A IP   n-1   calculation2

Understanding IPX Unicast Rewrite


Received IPX packets are (conceptually) formatted as follows:

Layer 2 Frame Header          Layer 3 IPX Header                                                                 Data  FCS
Destination   Source          Checksum/IPX Length/Transport Control   Destination Net/Node/Socket   Source Net/Node/Socket
MSFC MAC      Source A MAC    n                                       Destination B IPX             Source A IPX

After the switch rewrites an IPX packet, it is (conceptually) formatted as follows:

Layer 2 Frame Header               Layer 3 IPX Header                                                                 Data  FCS
Destination         Source         Checksum/IPX Length/Transport Control   Destination Net/Node/Socket   Source Net/Node/Socket
Destination B MAC   MSFC MAC       n+1                                     Destination B IPX             Source A IPX

Understanding IP Multicast Rewrite


Received IP multicast packets are (conceptually) formatted as follows:

Layer 2 Frame Header            Layer 3 IP Header                               Data  FCS
Destination     Source          Destination    Source        TTL   Checksum
Group G1 MAC1   Source A MAC    Group G1 IP    Source A IP   n     calculation1
1. In this example, Destination B is a member of Group G1.

After the switch rewrites an IP multicast packet, it is (conceptually) formatted as follows:

Layer 2 Frame Header            Layer 3 IP Header                               Data  FCS
Destination     Source          Destination    Source        TTL   Checksum
Group G1 MAC    MSFC MAC        Group G1 IP    Source A IP   n–1   calculation2
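The unicast and multicast rewrites shown above, as an added example in Python that is not part of the manual: it builds a constructed Ethernet/IPv4 frame, applies the five rewrites this section lists (Layer 2 destination and source, TTL, Layer 3 checksum, FCS) and leaves the Layer 3 addresses unchanged. The MAC and IP addresses are constructed, and the rule that a packet whose TTL would reach zero is left to the MSFC is an assumption.

```python
"""Layer 3-switched packet rewrite, modelled in Python (added example)."""
import struct
import zlib

# Constructed sample MAC addresses (assumptions, not from the manual).
MSFC_MAC = bytes.fromhex("00000c07ac00")     # router MAC that hosts send to
SRC_A_MAC = bytes.fromhex("0060706cfc22")    # Source A
DST_B_MAC = bytes.fromhex("0060706cfc23")    # Destination B
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum
    of the header's 16-bit words; the checksum field must be zero on input.
    Run over a header that already carries a correct checksum, it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src_ip: str, dst_ip: str, ttl: int, payload_len: int,
                proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 (the zlib.crc32 polynomial), sent little-endian."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst_mac: bytes, src_mac: bytes, ip_hdr: bytes,
                payload: bytes) -> bytes:
    body = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload
    return body + fcs(body)


def multicast_mac(group_ip: str) -> bytes:
    """IPv4 group MAC: 01:00:5e plus the low 23 bits of the group address."""
    o = [int(x) for x in group_ip.split(".")]
    return bytes([0x01, 0x00, 0x5E, o[1] & 0x7F, o[2], o[3]])


def l3_switch_rewrite(frame: bytes, new_dst_mac: bytes) -> bytes:
    """Apply the five rewrites the manual lists to one IPv4 frame.

    For unicast, new_dst_mac is Destination B's MAC; for multicast it is the
    group MAC, which stays the same. The source MAC becomes the MSFC's, the
    TTL is decremented, and the IP checksum and FCS are recomputed. The
    Layer 3 addresses are untouched.
    """
    body, old_fcs = frame[:-4], frame[-4:]
    if fcs(body) != old_fcs:
        raise ValueError("bad FCS on received frame")
    if struct.unpack("!H", body[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    dst_mac = body[0:6]
    is_multicast = bool(dst_mac[0] & 0x01)
    # A unicast packet is a Layer 3-switching candidate only if the host
    # sent it to the MSFC's MAC, i.e. it was meant to be routed.
    if not is_multicast and dst_mac != MSFC_MAC:
        raise ValueError("unicast frame not addressed to the MSFC")
    ip_hdr = bytearray(body[14:34])
    if ip_hdr[8] <= 1:
        # Assumption: a packet whose TTL would expire is left to the MSFC.
        raise ValueError("TTL would expire; punt to the MSFC")
    ip_hdr[8] -= 1                                        # Layer 3 TTL
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip_hdr)))  # L3 checksum
    new_body = (new_dst_mac + MSFC_MAC + body[12:14]      # L2 dst, L2 src
                + bytes(ip_hdr) + body[34:])
    return new_body + fcs(new_body)                       # Layer 2 FCS


def demo():
    """Unicast Source A -> Destination B, and multicast Source A -> 224.1.1.1."""
    payload = b"constructed payload"
    uni_in = build_frame(MSFC_MAC, SRC_A_MAC,
                         ipv4_header("171.69.192.41", "171.69.200.234", 64,
                                     len(payload)), payload)
    group_mac = multicast_mac("224.1.1.1")
    mc_in = build_frame(group_mac, SRC_A_MAC,
                        ipv4_header("1.1.11.1", "224.1.1.1", 64, len(payload),
                                    proto=17), payload)
    return l3_switch_rewrite(uni_in, DST_B_MAC), l3_switch_rewrite(mc_in, group_mac)


if __name__ == "__main__":
    for out in demo():
        print(out[0:6].hex(":"), out[6:12].hex(":"), "TTL", out[22])
```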


Understanding MLS

Note Supervisor Engine 1, PFC, and MSFC or MSFC2 can only do MLS internally with the MSFC or
MSFC2 in the same chassis; an external MLS-RP cannot be used in place of the internal MLS-RP.

Supervisor Engine 1, PFC, and MSFC or MSFC2 provide Layer 3 switching with MLS. Layer 3
switching with MLS identifies flows on the switch after the first packet has been routed by the MSFC
and transfers the process of forwarding the remaining traffic in the flow to the switch, which reduces the
load on the MSFC.
These sections describe MLS:
• Understanding MLS Flows, page 14-4
• Understanding the MLS Cache, page 14-5
• Understanding Flow Masks, page 14-6
• Partially and Completely Switched Multicast Flows, page 14-8
• MLS Examples, page 14-8

Understanding MLS Flows


Layer 3 protocols, such as IP and IPX, are connectionless—they deliver every packet independently of
every other packet. However, actual network traffic consists of many end-to-end conversations, or flows,
between users or applications.
MLS supports unicast and multicast flows:
• A unicast flow can be any of the following:
– All traffic to a particular destination
– All traffic from a particular source to a particular destination
– All traffic from a particular source to a particular destination that shares the same protocol and
transport-layer information
• A multicast flow is all traffic with the same protocol and transport-layer information from a
particular source to the members of a particular destination multicast group.
For example, communication from a client to a server and from the server to the client are separate flows.
Telnet traffic transferred from a particular source to a particular destination comprises a separate flow
from File Transfer Protocol (FTP) packets between the same source and destination.

Note The PFC uses the Layer 2 multicast forwarding table to identify the ports to which Layer 2 multicast
traffic should be forwarded (if any). The multicast forwarding table entries are populated by
whichever multicast constraint feature is enabled on the switch (IGMP snooping or Generic Attribute
Registration Protocol [GARP] Multicast Registration Protocol [GMRP]). These entries map the
destination multicast MAC address to the outgoing switch ports for a given VLAN.


Understanding the MLS Cache


These sections describe the MLS cache:
• MLS Cache, page 14-5
• Unicast Traffic, page 14-5
• Multicast Traffic, page 14-5
• MLS Cache Aging, page 14-5
• MLS Cache Size, page 14-6

MLS Cache

The PFC maintains a Layer 3 switching table called the MLS cache for Layer 3-switched flows. The
cache also includes entries for traffic statistics that are updated in tandem with the switching of packets.
After the PFC creates an MLS cache entry, packets identified as belonging to an existing flow can be
Layer 3 switched based on the cached information. The MLS cache maintains flow information for all
active flows.

Unicast Traffic

For unicast traffic, the PFC creates an MLS cache entry for the initial routed packet of each unicast flow.
Upon receipt of a routed packet that does not match any unicast flow currently in the MLS cache, the
PFC creates a new MLS entry.

Multicast Traffic

For multicast traffic, the PFC populates the MLS cache using information learned from the MSFC.
Whenever the MSFC receives traffic for a new multicast flow, it updates its multicast routing table and
forwards the new information to the PFC. In addition, if an entry in the multicast routing table ages out,
the MSFC deletes the entry and forwards the updated information to the PFC.
For each multicast flow cache entry, the PFC maintains a list of outgoing interfaces for the destination
IP multicast group. The PFC uses this list to identify the VLANs on which traffic to a given multicast
flow should be replicated.
These MSFC IOS commands affect the multicast MLS cache entries on the switch:
• Using the clear ip mroute command to clear the multicast routing table on the MSFC clears all
multicast MLS cache entries on the PFC.
• Using the no ip multicast-routing command to disable IP multicast routing on the MSFC purges
all multicast MLS cache entries on the PFC.

MLS Cache Aging

The state and identity of flows are maintained while packet traffic is active; when traffic for a flow
ceases, the entry ages out. You can configure the aging time for MLS entries kept in the MLS cache. If
an entry is not used for the specified period of time, the entry ages out and statistics for that flow can be
exported to a flow collector application.


MLS Cache Size

The maximum MLS cache size is 128K entries. The MLS cache is shared by all MLS processes on the
switch (IP MLS, IP MMLS, and IPX MLS). An MLS cache larger than 32K entries increases the
probability that a flow will not be Layer 3 switched, but will instead be forwarded to the MSFC.

Understanding Flow Masks


The PFC uses flow masks to determine how MLS entries are created.
These sections describe the flow mask modes:
• Flow Mask Modes, page 14-6
• Flow Mask Mode and show mls entry Command Output, page 14-7

Flow Mask Modes

The PFC supports only one flow mask (the most specific one) for all MSFCs that are Layer 3 switched
by that PFC. If the PFC detects different flow masks from different MSFCs for which it is performing
Layer 3 switching, it changes its flow mask to the most specific flow mask detected.
When the PFC flow mask changes, the entire MLS cache is purged. When the PFC exports cached
entries, flow records are created based on the current flow mask. Depending on the current flow mask,
some fields in the flow record might not have values. Unsupported fields are filled with a zero (0).
The MLS flow masks are as follows:
• destination-ip—The least-specific flow mask. The PFC maintains one MLS entry for each Layer 3
destination address. All flows to a given Layer 3 destination address use this MLS entry.
• destination-ipx—The only flow mask mode for IPX MLS is destination mode. The PFC maintains
one IPX MLS entry for each destination IPX address (network and node). All flows to a given
destination IPX address use this IPX MLS entry.
• source-destination-ip—The PFC maintains one MLS entry for each source and destination IP
address pair. All flows between a given source and destination use this MLS entry regardless of the
IP protocol ports.
• source-destination-vlan—For IP MMLS. The PFC maintains one MMLS cache entry for each
{source IP, destination group IP, source VLAN}. The multicast source-destination-vlan flow mask
differs from the IP unicast MLS source-destination-ip flow mask in that, for IP MMLS, the source
VLAN is included as part of the entry. The source VLAN is the multicast reverse path forwarding
(RPF) interface for the multicast flow.
• full flow—The most-specific flow mask. The PFC creates and maintains a separate MLS cache entry
for each IP flow. A full flow entry includes the source IP address, destination IP address, protocol,
and protocol ports.
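A model of the MLS cache, added here and not code from the manual, that ties together the flow masks just described and the NetFlow table aging behaviour from the “Specifying the NetFlow Table Entry Aging-Time Value” and fast aging sections: the same constructed packet stream occupies one, two or three entries depending on the mask, changing the mask purges the cache, and entries are removed by normal and fast aging on a simulated clock. Host addresses follow the Figure 14-1 example; the counting rule that a flow's first packet (routed by the MSFC) is not a switched packet is an assumption.

```python
"""Model of the PFC MLS cache (the NetFlow table) under the three IP flow masks,
with normal and fast aging. Added example; packet stream and clock are constructed."""
from collections import namedtuple
from dataclasses import dataclass

FLOW_MASKS = ("destination-ip", "source-destination-ip", "full-flow")
Packet = namedtuple("Packet", "src_ip dst_ip proto src_port dst_port length time")


def round_agingtime(value: int) -> int:
    """Clamp to 8..2032 and adjust to the closest multiple of 8 (65 -> 64, 127 -> 128)."""
    return int(round(min(max(value, 8), 2032) / 8)) * 8


def round_fastagingtime(value: int) -> int:
    """0 disables fast aging; anything else becomes the closest of 32/64/96/128."""
    return 0 if value == 0 else min((32, 64, 96, 128), key=lambda v: abs(v - value))


@dataclass
class Entry:
    created: int
    last_used: int
    switched_pkts: int = 0    # packets the PFC switched with this entry; the
    switched_bytes: int = 0   # first packet of a flow is routed by the MSFC


class MlsCache:
    def __init__(self, flow_mask="destination-ip", agingtime=256,
                 fastagingtime=0, pkt_threshold=0):
        if pkt_threshold not in (0, 1, 3, 7, 15, 31, 63):
            raise ValueError("invalid pkt_threshold %r" % pkt_threshold)
        self.agingtime = round_agingtime(agingtime)
        self.fastagingtime = round_fastagingtime(fastagingtime)
        self.pkt_threshold = pkt_threshold
        self.entries = {}
        self.set_flow_mask(flow_mask)

    def set_flow_mask(self, mask: str) -> None:
        """Like 'set mls flow': changing the mask purges every entry."""
        if mask not in FLOW_MASKS:
            raise ValueError("unknown flow mask %r" % mask)
        self.flow_mask = mask
        self.entries.clear()

    def flow_key(self, p: Packet) -> tuple:
        """The fields the mask keeps; packets equal on them share one entry."""
        if self.flow_mask == "destination-ip":
            return (p.dst_ip,)
        if self.flow_mask == "source-destination-ip":
            return (p.src_ip, p.dst_ip)
        return (p.src_ip, p.dst_ip, p.proto, p.src_port, p.dst_port)

    def forward(self, p: Packet) -> str:
        """'routed': no entry matched, the MSFC routes it and the PFC creates an
        entry. 'switched': the PFC matched an existing entry and rewrote it."""
        self.age(p.time)
        key = self.flow_key(p)
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = Entry(created=p.time, last_used=p.time)
            return "routed"
        entry.switched_pkts += 1
        entry.switched_bytes += p.length
        entry.last_used = p.time
        return "switched"

    def age(self, now: int) -> list:
        """Drop entries idle for agingtime seconds and, with fast aging on, entries
        that switched at most pkt_threshold packets within fastagingtime seconds."""
        expired = [k for k, e in self.entries.items()
                   if now - e.last_used >= self.agingtime
                   or (self.fastagingtime and e.switched_pkts <= self.pkt_threshold
                       and now - e.created >= self.fastagingtime)]
        for k in expired:
            del self.entries[k]
        return expired


# Constructed traffic: Telnet and FTP from Host A to Host B, HTTP from Host C to B.
SAMPLE = [Packet("171.59.1.2", "171.59.3.1", "tcp", 1652, 23, 60, 0),
          Packet("171.59.1.2", "171.59.3.1", "tcp", 1653, 21, 60, 1),
          Packet("171.59.2.2", "171.59.3.1", "tcp", 2000, 80, 1500, 2),
          Packet("171.59.1.2", "171.59.3.1", "tcp", 1652, 23, 60, 3)]


def entries_per_mask(packets=SAMPLE) -> dict:
    """How many cache entries the same traffic occupies under each mask."""
    counts = {}
    for mask in FLOW_MASKS:
        cache = MlsCache(flow_mask=mask)
        for p in packets:
            cache.forward(p)
        counts[mask] = len(cache.entries)
    return counts


def aging_demo() -> dict:
    """Fast aging (32 s, 0 packets) removes a one-packet DNS lookup while a busy
    HTTP flow survives; normal aging (256 s) removes that flow once it is idle."""
    cache = MlsCache("full-flow", agingtime=256, fastagingtime=32, pkt_threshold=0)
    cache.forward(Packet("171.59.1.2", "171.59.3.53", "udp", 3001, 53, 70, 0))
    web = Packet("171.59.1.2", "171.59.2.2", "tcp", 2000, 80, 1500, 0)
    for t in range(0, 40, 5):
        cache.forward(web._replace(time=t))
    after_fast = set(cache.entries)
    cache.age(35 + 256)
    return {"after_fast": after_fast, "after_normal": set(cache.entries)}
```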


Flow Mask Mode and show mls entry Command Output

With the destination-ip flow mask, the source IP, protocol, and source and destination port fields show
the details of the last packet that was Layer 3 switched using the MLS cache entry.
This example shows how the show mls entry command output appears in destination-ip mode:
Console> (enable) show mls entry ip short
Destination-IP Source-IP Prot DstPrt SrcPrt Destination-Mac Vlan
--------------- --------------- ----- ------ ------ ----------------- ----
ESrc EDst SPort DPort Stat-Pkts Stat-Byte Uptime Age
---- ---- ----- ----- --------- ------------ -------- --------
171.69.200.234 - - - - 00-60-70-6c-fc-22 4
ARPA SNAP 5/8 11/1 3152 347854 09:01:19 09:08:20
171.69.1.133 - - - - 00-60-70-6c-fc-23 2
SNAP ARPA 5/8 1/1 2345 123456 09:03:32 09:08:12

Total Entries: 2
* indicates TCP flow has ended
Console> (enable)

Note The short keyword exists for some show commands and displays the output by wrapping the text
after 80 characters. The default is long (no text wrap).

With the source-destination-ip flow mask, the protocol, source port, and destination port fields display
the details of the last packet that was Layer 3 switched using the MLS cache entry.
This example shows how the show mls entry command output appears in source-destination-ip mode:
Console> (enable) show mls entry ip short
Destination-IP Source-IP Prot DstPrt SrcPrt Destination-Mac Vlan
--------------- --------------- ----- ------ ------ ----------------- ----
ESrc EDst SPort DPort Stat-Pkts Stat-Byte Uptime Age
---- ---- ----- ----- --------- ------------ -------- --------
171.69.200.234 171.69.192.41 - - - 00-60-70-6c-fc-22 4
ARPA SNAP 5/8 11/1 3152 347854 09:01:19 09:08:20
171.69.1.133 171.69.192.42 - - - 00-60-70-6c-fc-23 2
SNAP ARPA 5/8 1/1 2345 123456 09:03:32 09:08:12

Total Entries: 2
* indicates TCP flow has ended
Console> (enable)

With the full-flow flow mask, because a separate MLS entry is created for every IP flow, details are
shown for each flow.
This example shows how the show mls entry command output appears in full flow mode:
Console> (enable) show mls entry ip short
Destination-IP Source-IP Prot DstPrt SrcPrt Destination-Mac Vlan
--------------- --------------- ----- ------ ------ ----------------- ----
ESrc EDst SPort DPort Stat-Pkts Stat-Byte Uptime Age
---- ---- ----- ----- --------- ------------ -------- --------
171.69.200.234 171.69.192.41 TCP* 6000 59181 00-60-70-6c-fc-22 4
ARPA SNAP 5/8 11/1 3152 347854 09:01:19 09:08:20
171.69.1.133 171.69.192.42 UDP 2049 41636 00-60-70-6c-fc-23 2
SNAP ARPA 5/8 1/1 2345 123456 09:03:32 09:08:12

Total Entries: 2
* indicates TCP flow has ended
Console> (enable)


Partially and Completely Switched Multicast Flows


Some flows might be partially Layer 3 switched instead of completely Layer 3 switched in these
situations:
• The MSFC is configured as a member of the IP multicast group (using the ip igmp join-group
command) on the RPF interface of the multicast source.
• The MSFC is the first-hop router to the source in PIM sparse mode (in this case, the MSFC must
send PIM-register messages to the rendezvous point).
• The multicast TTL threshold is configured on an egress interface for the flow.
• The extended access list deny condition on the RPF interface specifies anything other than the
Layer 3 source, Layer 3 destination, or IP protocol (an example is Layer 4 port numbers).
• The multicast helper is configured on the RPF interface for the flow, and multicast to broadcast
translation is required.
• Multicast tag switching is configured on an egress interface.
• Network address translation (NAT) is configured on an interface, and source address translation is
required for the outgoing interface.
For partially switched flows, all multicast traffic belonging to the flow reaches the MSFC and is software
switched for any interface that is not Layer 3 switched.
The PFC prevents multicast traffic in flows that are completely Layer 3 switched from reaching the
MSFC, reducing the load on the MSFC. The show ip mroute and show mls ip multicast commands
identify completely Layer 3-switched flows with the text string RPF-MFD (Multicast Fast Drop [MFD]
indicates that from the perspective of the MSFC, the multicast packet is dropped, because it is switched
by the PFC).
For all completely Layer 3-switched flows, the PFC periodically sends multicast packet and byte count
statistics to the MSFC, because the MSFC cannot record multicast statistics for completely switched
flows, which it never sees. The MSFC uses the statistics to update the corresponding multicast routing
table entries and reset the appropriate expiration timers.

MLS Examples
Figure 14-1 shows a simple IP MLS network topology. In this example, Host A is on the Sales VLAN
(IP subnet 171.59.1.0), Host B is on the Marketing VLAN (IP subnet 171.59.3.0), and Host C is on the
Engineering VLAN (IP subnet 171.59.2.0).
When Host A initiates an HTTP file transfer to Host C, an MLS entry for this flow is created (this entry
is the second item in the MLS cache shown in Figure 14-1). The PFC stores the MAC addresses of the
MSFC and Host C in the MLS entry when the MSFC forwards the first packet from Host A through the
switch to Host C. The PFC uses this information to rewrite subsequent packets from Host A to Host C.

Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4


14-8 78-13315-02
Chapter 14 Configuring MLS
Understanding How Layer 3 Switching Works

Figure 14-1 IP MLS Example Topology

MLS cache shown in the figure:

Source IP Address   Destination IP Address   Application   Rewrite Src/Dst MAC Address   Destination VLAN
171.59.1.2          171.59.3.1               FTP           Dd:Bb                         Marketing
171.59.1.2          171.59.2.2               HTTP          Dd:Cc                         Engineering
171.59.2.2          171.59.1.2               HTTP          Dd:Aa                         Sales

Topology shown in the figure: the MSFC (MAC = Dd) connects Subnet 1/Sales (Host A, MAC = Aa,
171.59.1.2), Subnet 2/Engineering (Host C, MAC = Cc, 171.59.2.2) and Subnet 3/Marketing (Host B,
MAC = Bb, 171.59.3.1). A packet from Host A to Host C (Data 171.59.1.2:2000) enters the switch with
source/destination MAC Aa:Dd and leaves the switch rewritten as Dd:Cc.

Figure 14-2 shows a simple IPX MLS network topology. In this example, Host A is on the Sales VLAN
(IPX address 01.Aa), Host B is on the Marketing VLAN (IPX address 03.Bb), and Host C is on the
Engineering VLAN (IPX address 02.Cc).
When Host A initiates a file transfer to Host B, an IPX MLS entry for this flow is created (this entry is
the first item in the table shown in Figure 14-2). The PFC stores the MAC addresses of the MSFC and
Host B in the IPX MLS entry when the MSFC forwards the first packet from Host A through the switch
to Host B. The PFC uses this information to rewrite subsequent packets from Host A to Host B.
Similarly, a separate IPX MLS entry is created in the MLS cache for the traffic from Host A to Host C,
and for the traffic from Host C to Host A. The destination VLAN is stored as part of each IPX MLS entry
so that the correct VLAN identifier is used when encapsulating traffic on trunk links.


Figure 14-2 IPX MLS Example Topology

IPX MLS cache shown in the figure:

Source IPX Address   Destination IPX Address   Rewrite Src/Dst MAC Address   Destination VLAN
01.Aa                03.Bb                     Dd:Bb                         Marketing
01.Aa                02.Cc                     Dd:Cc                         Engineering
02.Cc                01.Aa                     Dd:Aa                         Sales

Topology shown in the figure: the MSFC (MAC = Dd) connects Net 1/Sales (Host A, MAC = Aa, IPX 01.Aa),
Net 2/Engineering (Host C, MAC = Cc, IPX 02.Cc) and Net 3/Marketing (Host B, MAC = Bb, IPX 03.Bb).
A packet from Host A to Host C (Data 01.Aa:02.Cc) enters the switch with source/destination MAC Aa:Dd
and leaves the switch rewritten as Dd:Cc.

Default MLS Configuration


Table 14-1 shows the default IP MLS configuration.

Table 14-1 Default IP MLS Configuration

Feature                                   Default Value
IP MLS enable state                       Enabled
IP MLS aging time                         256 seconds
IP MLS fast aging time                    0 seconds (no fast aging)
IP MLS fast aging-time packet threshold   0 packets

Table 14-2 shows the default IP MMLS switch configuration.

Table 14-2 Default IP MMLS Supervisor Engine Configuration

Feature                                        Default Value
Multicast services (IGMP snooping or GMRP)     Disabled
IP MMLS                                        Enabled


Table 14-3 shows the default IP MMLS MSFC configuration.

Table 14-3 Default IP MMLS MSFC Configuration

Feature             Default Value
Multicast routing   Disabled globally
IP PIM routing      Disabled on all interfaces
IP MMLS threshold   Unconfigured (no default value)
IP MMLS             Enabled when multicast routing is enabled and IP PIM is enabled on the interface

Table 14-4 shows the default IPX MLS configuration.

Table 14-4 Default IPX MLS Configuration

Feature                 Default Value
IPX MLS enable state    Enabled
IPX MLS aging time      256 seconds

Configuration Guidelines and Restrictions


These sections describe configuration guidelines and restrictions:
• IP MLS, page 14-11
• IP MMLS, page 14-12
• IPX MLS, page 14-13

IP MLS
These sections describe IP MLS configuration guidelines:
• Maximum Transmission Unit Size, page 14-11
• Restrictions on Using IP Routing Commands with IP MLS Enabled, page 14-12

Maximum Transmission Unit Size


The default maximum transmission unit (MTU) for IP MLS is 1500. To change the MTU on an IP
MLS-enabled interface, enter the ip mtu mtu command.


Restrictions on Using IP Routing Commands with IP MLS Enabled


Enabling certain IP processes on an interface will affect IP MLS on the interface. Table 14-5 shows the
affected commands and the resulting behavior.

Table 14-5 IP Routing Command Restrictions

Command                                  Behavior
clear ip route                           Clears all MLS cache entries for all switches performing Layer 3
                                         switching for this MSFC.
ip routing                               The no form purges all MLS cache entries and disables IP MLS
                                         on this MSFC.
ip security (all forms of this command)  Disables IP MLS on the interface.
ip tcp compression-connections           Disables IP MLS on the interface.
ip tcp header-compression                Disables IP MLS on the interface.

IP MMLS
These sections describe IP MMLS configuration guidelines:
• IP MMLS Supervisor Engine Guidelines and Restrictions, page 14-12
• IP MMLS MSFC Configuration Restrictions, page 14-13
• Unsupported IP MMLS Features, page 14-13

IP MMLS Supervisor Engine Guidelines and Restrictions


These guidelines and restrictions apply when configuring Supervisor Engine 1 for IP MMLS:
• Only ARPA rewrites are supported for IP multicast packets.
• Subnetwork Access Protocol (SNAP) rewrites are not supported.
• You must enable one of the multicast services (IGMP snooping or GMRP) on the switch in order to
use IP MMLS.
• IP multicast flows are not multilayer switched if there is no entry in the Layer 2 multicast
forwarding table (for example, if no Layer 2 multicast services are enabled or the forwarding table
is full). Enter the show multicast group command to check for a Layer 2 entry for a particular IP
multicast destination.
• If a Layer 2 entry is cleared, the corresponding Layer 3 flow information is purged.
• When using two MSFCs that have one or more interfaces in the same VLAN, the switch uses two
reserved VLANs (VLANs 1012 and 1013) internally to forward multicast flows properly.
• The MSFC will not act as an external router for a Catalyst 5000 family switch that has Layer 3
switching hardware.


IP MMLS MSFC Configuration Restrictions


IP MMLS does not perform multilayer switching for an IP multicast flow in the following situations:
• For IP multicast groups in the ranges X.0.0.* and X.128.0.*, where X is 224 through 239 and * is in
the range 0–255 (that is, 224.0.0.*, 224.128.0.*, 225.0.0.*, 225.128.0.*, and so on through 239.128.0.*).

Note Groups in the 224.0.0.* range are reserved for routing control packets and must be
flooded to all forwarding ports of the VLAN. These addresses map to the multicast MAC
address range 01-00-5E-00-00-xx, where xx is in the range 0–0xFF. Only the low 23 bits of
a group address are carried in the multicast MAC address, so the other 31 ranges listed
above map onto the same MAC addresses and are excluded for the same reason.

• For IP PIM auto-RP multicast groups (IP multicast group addresses 224.0.1.39 and 224.0.1.40).

Note In systems with redundant MSFCs, the IP PIM interface configuration must be the same
on both the active and redundant MSFCs.

• For flows that are forwarded on the multicast-shared tree (that is, {*,G,*} forwarding) when the
interface or group is running IP PIM sparse mode.
• If the shortest-path tree (SPT) bit for the flow is cleared when running IP PIM sparse mode for the
interface or group.
• For fragmented IP packets and packets with IP options. However, packets in the flow that are not
fragmented or that do not specify IP options are multilayer switched.
• For source traffic received on tunnel interfaces (such as MBONE traffic).
• For any RPF interface with multicast tag switching enabled.
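
The following Python is an added example, not code from this guide or from Cisco, that works out the
first two restrictions above from the IP-to-MAC mapping: it derives the Ethernet multicast MAC from a
group address, flags the 32 ranges that alias onto the reserved 01-00-5E-00-00-xx range, and flags the
auto-RP groups listed above. Only the group address is checked; PIM mode, RPF interface, tunnels and
fragmentation are not modelled, and the function names are assumptions made for this example.

```python
# Added example, not from the Cisco guide: which IP multicast groups the PFC will not
# multilayer switch, derived from the standard IPv4-multicast-to-MAC mapping.
# Assumptions: only the group address is checked (PIM mode, RPF interface, tunnels
# and fragmentation are not modelled); function names are chosen for this example.
import ipaddress

# Auto-RP groups taken from the restriction list in the guide.
AUTO_RP_GROUPS = {"224.0.1.39", "224.0.1.40"}


def ip_multicast_to_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC: 01-00-5E followed by the
    low 23 bits of the address. The 5 bits between the 1110 prefix and those 23
    bits are dropped, so 32 different groups share every multicast MAC."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    octets = (0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)
    return "-".join(f"{o:02x}" for o in octets)


def mmls_exclusion_reason(group: str):
    """Return None when the group can be multilayer switched, otherwise a short
    reason. X.0.0.* and X.128.0.* (X = 224..239) are exactly the 32 ranges whose
    MAC is 01-00-5E-00-00-xx, the range reserved for control traffic that must be
    flooded; the auto-RP groups are excluded by name."""
    mac = ip_multicast_to_mac(group)  # also validates that this is a multicast group
    if group in AUTO_RP_GROUPS:
        return "PIM auto-RP group, handled by the MSFC"
    if mac.startswith("01-00-5e-00-00-"):
        return f"aliases onto reserved control MAC {mac}"
    return None


def classify(groups):
    """Split groups into (hardware-switched, software-switched with reason)."""
    hardware, software = [], []
    for g in groups:
        reason = mmls_exclusion_reason(g)
        if reason is None:
            hardware.append(g)
        else:
            software.append((g, reason))
    return hardware, software


if __name__ == "__main__":
    hw, sw = classify(["224.0.0.5", "239.128.0.5", "224.0.1.39", "239.255.255.250"])
    print("PFC switches:", hw)
    for g, why in sw:
        print(f"MSFC sees {g}: {why}")
```

Run it against the groups you actually deploy before relying on MMLS: a group such as 239.128.0.5 looks
harmless, but it shares its MAC with 224.0.0.5 (OSPF) and will be flooded and software switched.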

Unsupported IP MMLS Features


If you enable IP MMLS, IP accounting for the interface will not reflect accurate values.

IPX MLS
These sections describe configuration guidelines that apply when configuring IPX MLS:
• IPX MLS Interaction with Other Features, page 14-13
• IPX MLS and Maximum Transmission Unit Size, page 14-14

IPX MLS Interaction with Other Features


Other IOS software features affect IPX MLS as follows:
• IPX accounting—IPX accounting cannot be enabled on an IPX MLS-enabled interface.
• IPX EIGRP—To support MLS on EIGRP interfaces you must set the Transport Control (TC)
maximum to a value greater than the default (16). Enter the ipx maximum-hop tc_value global
configuration command on the MSFC, with the tc_value greater than 16.


IPX MLS and Maximum Transmission Unit Size


In IPX, the two end points of communication negotiate the maximum transmission unit (MTU) to be
used. The MTU size is limited by the media type.

Configuring MLS
These sections describe how to configure MLS:
• Configuring Unicast MLS on the MSFC, page 14-14
• Configuring MLS on Supervisor Engine 1, page 14-17
• Configuring IP MMLS, page 14-28

Configuring Unicast MLS on the MSFC


These sections describe how to configure MLS on the MSFC:
• Disabling and Enabling Unicast MLS on an MSFC Interface, page 14-14
• Displaying MLS Information on the MSFC, page 14-15
• Using Debug Commands on the MSFC, page 14-16
• Using Debug Commands on the SCP, page 14-16
For information on configuring routing on the MSFC, see Chapter 12, “Configuring InterVLAN
Routing.” For information on configuring unicast Layer 3 switching on Supervisor Engine 1, see the
“Configuring MLS on Supervisor Engine 1” section on page 14-17.

Note The MSFC can be specified as the MLS route processor (MLS-RP) for Catalyst 5000 family switches
using MLS. Refer to the Layer 3 Switching Configuration Guide—Catalyst 5000 Family,
2926G Series, 2926 Series Switches, for MLS configuration procedures.

Disabling and Enabling Unicast MLS on an MSFC Interface


Unicast MLS for IP and IPX is enabled globally by default, but can be disabled and enabled on a
specified interface.
To disable unicast IP or IPX MLS on a specific MSFC interface, perform this task:

Task                                     Command
Specify an MSFC interface.               Router(config)# interface vlan vlan-id
Disable IP MLS on an MSFC interface.     Router(config-if)# no mls ip
Disable IPX MLS on an MSFC interface.    Router(config-if)# no mls ipx


This example shows how to disable IP MLS on an MSFC interface:


Router(config)# interface vlan 100
Router(config-if)# no mls ip
Router(config-if)#

This example shows how to disable IPX MLS on an MSFC interface:


Router(config)# interface vlan 100
Router(config-if)# no mls ipx
Router(config-if)#

Note Unicast MLS is enabled by default; you only need to enable (or reenable) it if you have previously
disabled it.

To enable unicast IP or IPX MLS on a specific MSFC interface, perform this task:

Task                                     Command
Specify an MSFC interface.               Router(config)# interface vlan vlan-id
Enable IP MLS on an MSFC interface.      Router(config-if)# mls ip
Enable IPX MLS on an MSFC interface.     Router(config-if)# mls ipx

This example shows how to enable IP MLS on an MSFC interface:


Router(config)# interface vlan 100
Router(config-if)# mls ip
Router(config-if)#

This example shows how to enable IPX MLS on an MSFC interface:


Router(config)# interface vlan 100
Router(config-if)# mls ipx
Router(config-if)#

Displaying MLS Information on the MSFC


The show mls status command displays MLS details.
To display MLS information on the MSFC, perform this task:

Task Command
Display MLS status. show mls status

This example shows how to display MLS status on the MSFC:


Router# show mls status
MLS global configuration status:
global mls ip: enabled
global mls ipx: enabled
global mls ip multicast: disabled
current ip flowmask for unicast: destination only
current ipx flowmask for unicast: destination only
Router#


Using Debug Commands on the MSFC


Table 14-6 describes MLS-related debug commands that you can use to troubleshoot MLS problems on
the MSFC.

Table 14-6 MLS Debug Commands

Command                      Description
[no] debug l3-mgr events     Displays Layer 3 manager-related events.
[no] debug l3-mgr packets    Displays Layer 3 manager packets.
[no] debug l3-mgr global     Displays a bug trace of IP global purge events.
[no] debug l3-mgr all        Turns on all Layer 3 manager debugging messages.

Table 14-7 describes MLS-related debug commands that you can use to troubleshoot MLS problems
when using the MSFC as an external router for a Catalyst 5000 family switch.

Table 14-7 MLS Debug Commands—External Router Function

Command                  Description
[no] debug mls ip        Turns on IP-related events for MLS, including route purging and
                         changes of access lists and flow masks.
[no] debug mls ipx       Turns on IPX-related events for MLS, including route purging
                         and changes of access lists and flow masks.
[no] debug mls rp        Turns on route processor-related events.
[no] debug mls locator   Identifies which switch is switching a particular flow by using
                         MLS explorer packets.
[no] debug mls all       Turns on all MLS debugging events.

Using Debug Commands on the SCP


Table 14-8 describes the Serial Control Protocol (SCP)-related debug commands to troubleshoot the
SCP that runs over the Ethernet out-of-band channel (EOBC).

Table 14-8 SCP Debug Commands

Command                   Description
[no] debug scp async      Displays a trace for asynchronous data in and out of the SCP system.
[no] debug scp data       Displays a packet data trace.
[no] debug scp errors     Displays errors and warnings in the SCP.
[no] debug scp packets    Displays packet data in and out of the SCP system.
[no] debug scp timeouts   Reports timeouts.
[no] debug scp all        Turns on all SCP debugging messages.


Configuring MLS on Supervisor Engine 1


MLS is enabled by default on Catalyst 6000 family switches. You only need to configure Supervisor
Engine 1 in these circumstances:
• You want to change the MLS aging time
• You want to enable NDE
These sections describe how to configure MLS on Supervisor Engine 1:
• Specifying MLS Aging-Time Value, page 14-17
• Specifying IP MLS Fast Aging Time and Packet Threshold Values, page 14-18
• Setting the Minimum IP MLS Flow Mask, page 14-19
• Displaying CAM Entries on the Supervisor Engine, page 14-20
• Displaying MLS Information, page 14-21
• Displaying IP MLS Cache Entries, page 14-22
• Clearing MLS Cache Entries, page 14-26
• Clearing IPX MLS Cache Entries, page 14-26
• Displaying IP MLS Statistics, page 14-26
• Clearing MLS Statistics, page 14-28
• Displaying MLS Debug Information, page 14-28
For information on configuring VLANs on the switch, see Chapter 11, “Configuring VLANs.” For
information on configuring MLS on the MSFC, see the “Configuring Unicast MLS on the MSFC”
section on page 14-14.

Note When you disable IP or IPX MLS on the MSFC, IP or IPX MLS is automatically disabled on
Supervisor Engine 1. All existing protocol-specific MLS cache entries are purged. To disable MLS
on the MSFC, see the “Disabling and Enabling Unicast MLS on an MSFC Interface” section on
page 14-14.

Note If NDE is enabled and you disable MLS, you will lose the statistics for existing cache entries—they
are not exported.

Specifying MLS Aging-Time Value


The MLS aging time for each protocol (IP and IPX) applies to all protocol-specific MLS cache entries.
Any MLS entry that has not been used for agingtime seconds is aged out. The default is 256 seconds.
You can configure the aging time in the range of 8 to 2032 seconds in 8-second increments. Any
aging-time value that is not a multiple of 8 seconds is adjusted to the closest multiple of 8 seconds. For
example, a value of 65 is adjusted to 64 and a value of 127 is adjusted to 128.


Note We recommend that you keep the size of the MLS cache below 32K entries. If the number of MLS
entries exceeds 32K, some flows are sent to the MSFC. To help keep the size of the MLS cache down,
for IP, enable IP MLS fast aging, as described in the “Specifying IP MLS Fast Aging Time and Packet
Threshold Values” section on page 14-18.

To specify the MLS aging time for both IP and IPX, perform this task in privileged mode:

Task Command
Specify the MLS aging time for MLS cache entries. set mls agingtime [agingtime]

This example shows how to specify the MLS aging time:


Console> (enable) set mls agingtime 512
Multilayer switching agingtime IP and IPX set to 512
Console> (enable)

To specify the IP MLS aging time, perform this task in privileged mode:

Task                                                      Command
Specify the IP MLS aging time for an MLS cache entry.     set mls agingtime ip [agingtime]

This example shows how to specify the IP MLS aging time:


Console> (enable) set mls agingtime ip 512
Multilayer switching aging time IP set to 512
Console> (enable)

To specify the IPX MLS aging time, perform this task in privileged mode:

Task                                                      Command
Specify the IPX MLS aging time for an MLS cache entry.    set mls agingtime ipx [agingtime]

This example shows how to specify the IPX MLS aging time:
Console> (enable) set mls agingtime ipx 512
Multilayer switching aging time IPX set to 512
Console> (enable)

Specifying IP MLS Fast Aging Time and Packet Threshold Values

Note IPX MLS does not use fast aging. IPX MLS only operates in destination-source and destination flow
modes; therefore, the number of IPX MLS entries in the MLS table is low relative to IP MLS entries
in full-flow mode.


To keep the MLS cache size below 32K entries, enable IP MLS fast aging time. The IP MLS fast aging
time applies to MLS entries that have no more than pkt_threshold packets switched within fastagingtime
seconds after they are created. A typical cache entry that is removed is the entry for flows to and from a
Domain Name Server (DNS) or TFTP server; the entry might never be used again after it is created.
Detecting and aging out these entries saves space in the MLS cache for other data traffic.
The default fastagingtime value is 0 (no fast aging). You can configure the fastagingtime value to 32,
64, 96, or 128 seconds. Any fastagingtime value that is not configured exactly as the indicated values is
adjusted to the closest one. You can configure the pkt_threshold value to 0, 1, 3, 7, 15, 31, or 63 packets.
If you need to enable IP MLS fast aging time, initially set the value to 128 seconds. If the size of the
MLS cache continues to grow over 32K entries, decrease the setting until the cache size stays below
32K. If the cache continues to grow over 32K entries, decrease the normal IP MLS aging time.
Typical values for fastagingtime and pkt_threshold are 32 seconds and 0 packets (no packets switched
within 32 seconds after the entry is created).
To specify the IP MLS fast aging time and packet threshold, perform this task in privileged mode:

Task                                                 Command
Specify the IP MLS fast aging time and packet        set mls agingtime fast [fastagingtime] [pkt_threshold]
threshold for an MLS cache entry.

This example shows how to set the IP MLS fast aging time to 32 seconds with a packet threshold of
0 packets:
Console> (enable) set mls agingtime fast 32 0
Multilayer switching fast aging time set to 32 seconds for entries with no more than 0
packets switched.
Console> (enable)

Setting the Minimum IP MLS Flow Mask


You can set the minimum granularity of the flow mask for the MLS cache on the PFC. The actual flow
mask used will be at least of the granularity specified by this command. For information on how the
different flow masks work, see the “Understanding Flow Masks” section on page 14-6.
For example, if you do not configure access lists on any MSFC, then the IP MLS flow mask on the PFC
is destination-ip by default. However, you can force the PFC to use the source-destination-ip flow mask
by setting the minimum IP MLS flow mask using the set mls flow destination-source command.

Caution The set mls flow destination-source command purges all existing shortcuts in the MLS cache and
affects the number of active shortcuts on the PFC. Exercise care when using this command.

To set the minimum IP MLS flow mask, perform this task in privileged mode:

Task Command
Set the minimum IP MLS flow mask. set mls flow {destination | destination-source | full}


This example shows how to set the minimum IP MLS flow mask to destination-source-ip:
Console> (enable) set mls flow destination-source
Configured IP flow mask is set to destination-source flow.
Console> (enable)
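
The following Python is an added example, not code from this guide or from Cisco, that models the
behaviour described in the aging-time, fast-aging and flow-mask sections above: the flow mask decides
which packet fields form the cache key (and so how many entries a pair of hosts creates), the first
packet of each flow goes to the MSFC and only creates the entry, normal aging removes idle entries, and
fast aging removes entries that switched no more than pkt_threshold packets in their first fastagingtime
seconds. The value rules (8 to 2032 seconds in steps of 8; fast aging 32, 64, 96 or 128 seconds with a
threshold of 0, 1, 3, 7, 15, 31 or 63) are taken from the guide; the packet dictionary layout, the class
and the function names are assumptions made for this example.

```python
# Added example, not from the Cisco guide: a small model of the PFC MLS cache showing
# how the flow mask picks the cache key and how normal and fast aging trim the cache.
# The aging rules (8..2032 s in steps of 8; fast aging 32/64/96/128 s with packet
# thresholds 0,1,3,7,15,31,63; the first packet of a flow goes to the MSFC) follow
# the guide; the packet dict layout, class and function names are assumptions.
from dataclasses import dataclass, field

FAST_AGING_TIMES = (32, 64, 96, 128)
FAST_AGING_THRESHOLDS = (0, 1, 3, 7, 15, 31, 63)
FLOW_MASKS = ("destination", "destination-source", "full")


def normalize_agingtime(seconds: int) -> int:
    """set mls agingtime: clamp to 8..2032 and round to the closest multiple of 8."""
    seconds = max(8, min(2032, seconds))
    return (seconds + 4) // 8 * 8


def normalize_fast(seconds: int, threshold: int):
    """set mls agingtime fast: 0 disables fast aging; otherwise snap the time to the
    closest supported value and insist on one of the fixed packet thresholds."""
    if threshold not in FAST_AGING_THRESHOLDS:
        raise ValueError(f"pkt_threshold must be one of {FAST_AGING_THRESHOLDS}")
    if seconds == 0:
        return 0, threshold
    return min(FAST_AGING_TIMES, key=lambda t: abs(t - seconds)), threshold


def flow_key(mask: str, pkt: dict) -> tuple:
    """The packet fields the PFC uses as the cache key under each flow mask."""
    if mask == "destination":
        return (pkt["dst"],)
    if mask == "destination-source":
        return (pkt["dst"], pkt["src"])
    if mask == "full":
        return (pkt["dst"], pkt["src"], pkt["proto"], pkt["dport"], pkt["sport"])
    raise ValueError(f"flow mask must be one of {FLOW_MASKS}")


@dataclass
class Entry:
    created: int
    last_used: int
    packets: int = 0        # packets switched by the PFC after the entry was created
    early_packets: int = 0  # of those, the ones seen within fast_time of creation


@dataclass
class MlsCache:
    mask: str = "destination"
    agingtime: int = 256
    fast_time: int = 0
    fast_threshold: int = 0
    entries: dict = field(default_factory=dict)

    def switch(self, pkt: dict, now: int) -> bool:
        """True if the packet hit a shortcut; the first packet of a flow is routed
        by the MSFC and only creates the entry."""
        key = flow_key(self.mask, pkt)
        e = self.entries.get(key)
        if e is None:
            self.entries[key] = Entry(created=now, last_used=now)
            return False
        e.packets += 1
        e.last_used = now
        if self.fast_time and now - e.created < self.fast_time:
            e.early_packets += 1
        return True

    def age(self, now: int) -> int:
        """Remove idle entries (normal aging) and entries that switched no more than
        fast_threshold packets in their first fast_time seconds (fast aging)."""
        doomed = [k for k, e in self.entries.items()
                  if now - e.last_used >= self.agingtime
                  or (self.fast_time and now - e.created >= self.fast_time
                      and e.early_packets <= self.fast_threshold)]
        for k in doomed:
            del self.entries[k]
        return len(doomed)


def demo(mask: str):
    """Constructed traffic: one DNS query and a long HTTP transfer between the same
    two hosts. Returns (entries after the traffic, entries left after aging at t=200)."""
    cache = MlsCache(mask=mask, agingtime=256, fast_time=32, fast_threshold=0)
    dns = {"src": "171.59.1.2", "dst": "171.59.2.2", "proto": "udp", "sport": 41636, "dport": 53}
    http = {"src": "171.59.1.2", "dst": "171.59.2.2", "proto": "tcp", "sport": 2000, "dport": 80}
    cache.switch(dns, 0)
    for t in range(1, 150):
        cache.switch(http, t)
    before = len(cache.entries)
    cache.age(200)
    return before, len(cache.entries)


if __name__ == "__main__":
    for m in FLOW_MASKS:
        print(f"{m:19} entries before/after aging: {demo(m)}")
```

With the destination flow mask the DNS query and the HTTP transfer share one entry, so the cache stays
small but every host behind that destination is switched by the same shortcut; with the full flow mask
each Layer 4 flow gets its own entry, and the single-packet DNS entry is what fast aging with a
threshold of 0 removes at 32 seconds, which is why the guide suggests enabling it when the cache
approaches 32K entries.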

Displaying CAM Entries on the Supervisor Engine


The show cam command displays the content-addressable memory (CAM) entries associated with a
specific MAC address. If the MAC address belongs to an MSFC, an “R” is appended to the MAC
address.
If you specify a VLAN number, only those CAM entries corresponding to that VLAN number are
displayed. If a VLAN is not specified, entries for all VLANs are displayed.
To display CAM entries, perform this task:

Task Command
Display CAM entries by MAC address. show cam msfc [vlan]

This example shows how to display the CAM entries:


Console> show cam msfc
VLAN Destination MAC Destination-Ports or VCs Xtag Status
---- ------------------ ------------------------------ ---- ------
194 00-e0-f9-d1-2c-00R 7/1 2 H
193 00-00-0c-07-ac-c1R 7/1 2 H
193 00-00-0c-07-ac-5dR 7/1 2 H
202 00-00-0c-07-ac-caR 7/1 2 H
204 00-e0-f9-d1-2c-00R 7/1 2 H
195 00-e0-f9-d1-2c-00R 7/1 2 H
192 00-00-0c-07-ac-c0R 7/1 2 H
192 00-e0-f9-d1-2c-00R 7/1 2 H
204 00-00-0c-07-ac-ccR 7/1 2 H
202 00-e0-f9-d1-2c-00R 7/1 2 H
194 00-00-0c-07-ac-5eR 7/1 2 H
196 00-e0-f9-d1-2c-00R 7/1 2 H
194 00-00-0c-07-ac-c2R 7/1 2 H
193 00-e0-f9-d1-2c-00R 7/1 2 H
Total Matching CAM Entries Displayed = 14
Console>

This example shows how to display the CAM entries for a specified VLAN:
Console> show cam msfc 192
VLAN Destination MAC Destination-Ports or VCs Xtag Status
---- ------------------ ------------------------------ ---- ------
192 00-00-0c-07-ac-c0R 7/1 2 H
192 00-e0-f9-d1-2c-00R 7/1 2 H
Console>


Displaying MLS Information


The show mls command displays protocol-specific MLS information and MSFC-specific information.
To display protocol-specific MLS information and MSFC-specific information, perform this task:

Task                                                   Command
Display general IP or IPX MLS information and          show mls {ip | ipx} [mod1]
MSFC-specific information for all MSFCs.
1. The mod keyword specifies the module number of the MSFC; either 15 (if the MSFC is installed on Supervisor Engine 1 in
slot 1) or 16 (if the MSFC is installed on Supervisor Engine 1 in slot 2).

This example shows how to display IP MLS information and MSFC-specific information:
Console> (enable) show mls ip
Total Active MLS entries = 0
Total packets switched = 0
IP Multilayer switching enabled
IP Multilayer switching aging time = 256 seconds
IP Multilayer switching fast aging time = 0 seconds, packet threshold = 0
IP Flow mask: Full Flow
Configured flow mask is Destination flow
Active IP MLS entries = 0
Netflow Data Export version: 8
Netflow Data Export disabled
Netflow Data Export port/host is not configured
Total packets exported = 0

MSFC ID         Module XTAG MAC               Vlans
--------------- ------ ---- ----------------- --------------------
52.0.03         15     1    01-10-29-8a-0c-00 1,10,123,434,121
                                              222,666,959

Console> (enable)

This example shows how to display IPX MLS information:


Console> (enable) show mls ipx
IPX Multilayer switching aging time = 256 seconds
IPX flow mask is Destination flow
IPX max hop is 15
Active IPX MLS entries = 356

IPX MSFC ID     Module XTAG MAC               Vlans
--------------- ------ ---- ----------------- ----------------
22.1.0.56       15     1    00-10-07-38-29-18 2,3,4,5,6,
                                              7,8,9,10,11,
                                              12,13,14,15,16,
                                              17,18,19,20,66,
                                              77
                            00-d0-d3-9c-e3-f4 25
                            00-10-07-38-29-18 26,111
                            00-d0-d3-9c-e3-f4 112
22.1.0.58       16     2    00-10-07-38-22-22 2,3,4,5,6,
                                              7,8,9,10,11,
                                              12,13,14,15,16,
                                              17,18,19,20
                            00-d0-d3-33-17-8c 25
                            00-10-07-38-22-22 26,66,77,88,99,
                                              111
                            00-d0-d3-33-17-8c 112

Console> (enable)

Displaying IP MLS Cache Entries


These sections describe how to display MLS cache entries on Supervisor Engine 1:
• Displaying All MLS Entries, page 14-22
• Displaying MLS Entries for a Specific IP Destination Address, page 14-23
• Displaying IPX MLS Entries for a Specific IPX Destination Address, page 14-23
• Displaying Entries for a Specific IP Source Address, page 14-24
• Displaying Entries for a Specific IP Flow, page 14-24
• Displaying IPX MLS Entries for a Specific MSFC, page 14-25

Note For a description of how the flow mask mode affects the screen displays when showing MLS entries,
see the “Flow Mask Mode and show mls entry Command Output” section on page 14-7.

Displaying All MLS Entries

To display all MLS entries (IP and IPX), perform this task in privileged mode:

Task Command
Display all MLS entries. show mls entry [short | long]

This example shows how to display all MLS entries (IP and IPX):
Console> (enable) show mls entry short
Destination-IP  Source-IP       Prot  DstPrt SrcPrt Destination-Mac   Vlan
--------------- --------------- ----- ------ ------ ----------------- ----
ESrc EDst SPort DPort Stat-Pkts  Stat-Bytes   Created  LastUsed
---- ---- ----- ----- ---------- ------------ -------- --------
171.69.200.234  171.69.192.41   TCP*  6000   59181  00-60-70-6c-fc-22 4
ARPA SNAP 5/8   11/1  3152       347854       09:01:19 09:08:20
171.69.1.133    171.69.192.42   UDP   2049   41636  00-60-70-6c-fc-23 2
SNAP ARPA 5/8   1/1   2345       1234567      09:03:32 09:08:12
171.69.1.133    171.69.192.42   UDP   2049   41636  00-60-70-6c-fc-23 2
SNAP ARPA 5/8   1/1   2345       1234567      09:03:32 09:08:12
171.69.1.133    171.69.192.42   UDP   2049   41636  00-60-70-6c-fc-23 2
SNAP ARPA 5/8   1/1   2345       1234567      09:03:32 09:08:12
171.69.1.133    171.69.192.42   UDP   2049   41636  00-60-70-6c-fc-23 2
SNAP ARPA 5/8   1/1   2345       1234567      09:03:32 09:08:12

Total IP entries: 5
* indicates TCP flow has ended.

Destination-IPX           Source-IPX-net Destination-Mac   Vlan Port  Stat-Pkts Stat-Bytes
------------------------- -------------- ----------------- ---- ----- --------- -----------
BABE.0000.0000.0001       -              00-a0-c9-0a-89-1d 211  13/37 30230     1510775
201.00A0.2451.7423        -              00-a0-24-51-74-23 201  14/33 30256     31795084
501.0000.3100.0501        -              31-00-05-01-00-00 501  9/37  12121     323232
401.0000.0000.0401        -              00-00-04-01-00-00 401  3/1   4633      38676

Total IPX entries: 4

Console>
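
The following Python is an added example, not code from this guide or from Cisco, that parses the IP
section of show mls entry short output (the two-line record layout shown above) into records and
summarizes what the PFC is shortcut switching: bytes per protocol and destination port, and entries
flagged with * (TCP flow ended) that still occupy cache space. The SAMPLE text is constructed from the
format shown above; its third entry is invented for this example, and the field names are assumptions
taken from the column headers.

```python
# Added example, not from the Cisco guide: parse the IP section of 'show mls entry
# short' into records and summarize them. SAMPLE is constructed from the two-line
# record layout the guide shows; the third entry is invented for this example.
import re
from collections import Counter

SAMPLE = """\
Console> (enable) show mls entry short
Destination-IP  Source-IP       Prot  DstPrt SrcPrt Destination-Mac   Vlan
--------------- --------------- ----- ------ ------ ----------------- ----
ESrc EDst SPort DPort Stat-Pkts  Stat-Bytes   Created  LastUsed
---- ---- ----- ----- ---------- ------------ -------- --------
171.69.200.234  171.69.192.41   TCP*  6000   59181  00-60-70-6c-fc-22 4
ARPA SNAP 5/8   11/1  3152       347854       09:01:19 09:08:20
171.69.1.133    171.69.192.42   UDP   2049   41636  00-60-70-6c-fc-23 2
SNAP ARPA 5/8   1/1   2345       1234567      09:03:32 09:08:12
10.0.2.15       51.0.0.2        TCP   37819  23     08-00-20-7a-07-75 10
ARPA ARPA 3/1   5/40  115        5290         09:05:00 09:08:30

Total IP entries: 3
* indicates TCP flow has ended.
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MAC = re.compile(r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$")


def parse_mls_entries(text: str):
    """Return one dict per IP entry. An entry starts on a line whose first two
    fields are IPv4 addresses and whose sixth is a MAC; the following line holds
    the encapsulations, switch ports (SPort/DPort), counters and timestamps."""
    records = []
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        f = lines[i]
        if len(f) == 7 and IPV4.match(f[0]) and IPV4.match(f[1]) and MAC.match(f[5]):
            s = lines[i + 1]
            records.append({
                "dst": f[0], "src": f[1],
                "proto": f[2].rstrip("*"), "tcp_ended": f[2].endswith("*"),
                "dport": f[3], "sport": f[4], "dst_mac": f[5], "vlan": int(f[6]),
                "esrc": s[0], "edst": s[1], "in_port": s[2], "out_port": s[3],
                "packets": int(s[4]), "bytes": int(s[5]),
                "created": s[6], "last_used": s[7],
            })
            i += 2
        else:
            i += 1
    return records


def bytes_by_service(records):
    """Bytes per (protocol, destination port): what the PFC is actually shortcut
    switching, which is where to look for services that should not be there."""
    totals = Counter()
    for r in records:
        totals[(r["proto"], r["dport"])] += r["bytes"]
    return dict(totals)


def ended_tcp_flows(records):
    """Entries flagged with '*' (TCP flow ended) that are still in the cache."""
    return [(r["dst"], r["src"], r["dport"]) for r in records if r["tcp_ended"]]


if __name__ == "__main__":
    recs = parse_mls_entries(SAMPLE)
    print(f"{len(recs)} IP entries parsed")
    for svc, nbytes in sorted(bytes_by_service(recs).items(), key=lambda kv: -kv[1]):
        print(f"{svc[0]:4} dport {svc[1]:>6}: {nbytes} bytes")
    print("ended TCP flows:", ended_tcp_flows(recs))
```

Because the cache holds only flows the MSFC has already routed, this view complements the routing
table: an entry for a destination port you do not expect to be reachable means the first packet of that
flow was accepted by the MSFC and every later packet is now bypassing it.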

Displaying MLS Entries for a Specific IP Destination Address

To display MLS entries for a specific destination IP address, perform this task in privileged mode:

Task                                                       Command
Display MLS entries for the specified destination IP       show mls entry ip destination [ip_addr]
address.

This example shows how to display MLS entries for a specific destination IP address:
Console> (enable) show mls entry ip destination 172.20.22.14/24
Destination-IP Source-IP Prot DstPrt SrcPrt Destination-Mac Vlan
EDst ESrc DPort SPort Stat-Pkts Stat-Bytes Uptime Age
--------------- --------------- ----- ------ ------ ----------------- ----
---- ---- ------ ------ ---------- ----------- -------- --------
MSFC 172.20.25.1 (Module 15):
172.20.22.14 - - - - 00-60-70-6c-fc-22 4
ARPA ARPA 5/39 5/40 115 5290 00:12:20 00:00:04
MSFC 172.20.27.1 (Module 16):

Total entries:1
Console> (enable)

Displaying IPX MLS Entries for a Specific IPX Destination Address

To display IPX MLS entries for a specific destination IPX address, perform this task in privileged mode:

Task                                                       Command
Display IPX MLS entries for a specific destination IPX     show mls entry ipx destination ipx_addr
address (net_address.node_address).

This example shows how to display IPX MLS entries for a specific destination IPX address:
Console> (enable) show mls entry ipx destination 3E.0010.298a.0c00
Destination IPX Source IPX net Destination Mac Vlan Port
------------------------- -------------- ----------------- ---- -----
MSFC 22.1.0.56 (Module 15):
3E.0010.298a.0c00 13 00-00-00-00-00-09 26 4/7

Console> (enable)


Displaying Entries for a Specific IP Source Address

To display MLS entries for a specific source IP address, perform this task in privileged mode:

Task                                                       Command
Display MLS entries for the specified source IP address.   show mls entry ip source [ip_addr]

This example shows how to display MLS entries for a specific source IP address:
Console> (enable) show mls entry ip source 10.0.2.15
Destination-IP Source-IP Prot DstPrt SrcPrt Destination-Mac Vlan
EDst ESrc DPort SPort Stat-Pkts Stat-Bytes Uptime Age
--------------- --------------- ----- ------ ------ ----------------- ----
---- ---- ------ ------ ---------- ----------- -------- --------
MSFC 172.20.25.1 (Module 15):
172.20.22.14 10.0.2.15 TCP Telnet 37819 00-e0-4f-15-49-ff 51
ARPA ARPA 5/39 5/40 115 5290 00:12:20 00:00:04
MSFC 172.20.27.1 (Module 16):

Total entries:1
Console> (enable)

Displaying Entries for a Specific IP Flow

The show mls entry ip flow command displays MLS entries for a specific IP flow. The protocol
argument can be tcp, udp, icmp, or a decimal protocol number for other protocol families. The src_port
and dst_port arguments specify the Layer 4 ports when the protocol is TCP or User Datagram Protocol
(UDP). A value of zero (0) for src_port, dst_port, or protocol is treated as a wildcard, as is any
argument you leave unspecified, and all matching entries are displayed. If the protocol is not TCP or
UDP, set src_port and dst_port to 0; otherwise no flows are displayed.
To display MLS entries for a specific IP flow (when the flow mask mode is full flow), perform this task
in privileged mode:

Task                                                       Command
Display entries for a specific IP flow (when the flow      show mls entry ip flow [protocol src_port dst_port]
mask mode is full flow).

This example shows how to display MLS entries for a specific IP flow:
Console> (enable) show mls entry ip flow tcp 23 37819
Destination IP Source IP Port DstPrt SrcPrt Destination Mac Vlan Port
--------------- --------------- ---- ------ ------ ----------------- ---- -----
MSFC 51.0.0.3:
10.0.2.15 51.0.0.2 TCP 37819 Telnet 08-00-20-7a-07-75 10 3/1
Console> (enable)


Displaying IPX MLS Entries for a Specific MSFC

To display IPX MLS entries for a specific MSFC, perform this task in privileged mode:

Task                                                       Command
Display IPX MLS entries for a specific MSFC.               show mls entry ipx mod1
1. The mod keyword specifies the module number of the MSFC; either 15 (if the MSFC is installed on Supervisor Engine 1 in
slot 1) or 16 (if the MSFC is installed on Supervisor Engine 1 in slot 2).

This example shows how to display IPX MLS entries for a specific MSFC:
Console> (enable) show mls entry ipx 15
Destination-IPX           Destination-Mac   Vlan EDst ESrc Port  Stat-Pkts  Stat-Bytes  Uptime   Age
------------------------- ----------------- ---- ---- ---- ----- ---------- ----------- -------- --------
MSFC 22.1.0.56 (Module 15):
11.0000.0000.2B10         00-00-00-00-2b-10 11   ARPA ARPA -     7869       361974      00:15:52 00:00:00
11.0000.0000.A810         00-00-00-00-a8-10 11   ARPA ARPA -     3934       180964      00:15:52 00:00:00
11.0000.0000.3210         00-00-00-00-32-10 11   ARPA ARPA -     7871       362066      00:15:52 00:00:00
11.0000.0000.B110         00-00-00-00-b1-10 11   ARPA ARPA -     3935       181010      00:15:52 00:00:00
11.0000.0000.1910         00-00-00-00-19-10 11   ARPA ARPA -     7873       362158      00:15:52 00:00:00
11.0000.0000.9A10         00-00-00-00-9a-10 11   ARPA ARPA -     3936       181056      00:15:52 00:00:00
11.0000.0000.0010         00-00-00-00-00-10 11   ARPA ARPA 3/11  7875       362250      00:15:52 00:00:00
11.0000.0000.8310         00-00-00-00-83-10 11   ARPA ARPA -     3937       181102      00:15:52 00:00:00
10.0000.0000.0109         00-00-00-00-01-09 10   ARPA ARPA 3/10  96364      4432744     00:15:52 00:00:00
11.0000.0000.4F10         00-00-00-00-4f-10 11   ARPA ARPA -     7877       362342      00:15:53 00:00:00
11.0000.0000.CC10         00-00-00-00-cc-10 11   ARPA ARPA -     3938       181148      00:15:53 00:00:00
11.0000.0000.5610         00-00-00-00-56-10 11   ARPA ARPA -     7879       362434      00:15:53 00:00:00
11.0000.0000.D510         00-00-00-00-d5-10 11   ARPA ARPA -     3939       181194      00:15:53 00:00:00
11.0000.0000.7D10         00-00-00-00-7d-10 11   ARPA ARPA -     3940       181240      00:15:53 00:00:00
11.0000.0000.FE10         00-00-00-00-fe-10 11   ARPA ARPA -     3941       181286      00:15:53 00:00:00
11.0000.0000.6410         00-00-00-00-64-10 11   ARPA ARPA -     7883       362618      00:15:53 00:00:00
11.0000.0000.E710         00-00-00-00-e7-10 11   ARPA ARPA -     3941       181286      00:15:53 00:00:00
11.0000.0000.6010         00-00-00-00-60-10 11   ARPA ARPA -     7885       362710      00:15:53 00:00:00
11.0000.0000.E310         00-00-00-00-e3-10 11   ARPA ARPA -     3942       181332      00:15:53 00:00:00
11.0000.0000.7910         00-00-00-00-79-10 11   ARPA ARPA -     3943       181378      00:15:54 00:00:00

Console> (enable)


Clearing MLS Cache Entries


The clear mls entry command removes specific MLS cache entries. The all keyword clears all MLS
entries. The destination and source keywords specify the source and destination IP addresses. The
destination and source ip_addr_spec can be a full IP address or a subnet address in the format
ip_subnet_addr, ip_addr/subnet_mask, or ip_addr/subnet_mask_bits.
The flow keyword specifies the following additional flow information:
• Protocol family (protocol)—Specify tcp, udp, icmp, or a decimal number for other protocol
families. A value of zero (0) for protocol is treated as a wildcard, and entries for all protocols are
cleared (unspecified options are treated as wildcards).
• TCP or UDP source and destination port numbers (src_port and dst_port)—If the protocol you
specify is TCP or UDP, specify the source and destination TCP or UDP port numbers. A value of
zero (0) for src_port or dst_port is treated as a wildcard, and entries for all source or destination
ports are cleared (unspecified options are treated as wildcards). For other protocols, set the src_port
and dst_port to 0, or no entries will clear.
To clear an MLS entry, perform this task in privileged mode:

Task: Clear an MLS entry.
Command: clear mls entry ip [destination ip_addr_spec] [source ip_addr_spec] [flow protocol src_port dst_port] [all]

This example shows how to clear MLS entries with destination IP address 172.20.26.22:
Console> (enable) clear mls entry ip destination 172.20.26.22
MLS IP entry cleared
Console> (enable)

This example shows how to clear MLS entries with destination IP address 172.20.26.22, source IP address
172.20.22.113, TCP source port 1652, and TCP destination port 23:
Console> (enable) clear mls entry ip destination 172.20.26.22 source 172.20.22.113 flow tcp 1652 23
MLS IP entry cleared
Console> (enable)
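The wildcard rules for the flow arguments, as used by both show mls entry ip flow and clear mls entry ip, are easy to get wrong from the console, in particular the rule that a non-TCP/UDP protocol combined with a nonzero port matches nothing. The following Python example is added here and is not part of this guide: it parses the show mls statistics entry ip output layout (shown later in this chapter) into records and selects the entries that a given destination, source and flow specification would display or clear, so you can check a clear mls entry command against the cache before running it on a production switch. The sample output is constructed for the example: only the TCP row is taken from the page, the UDP and ICMP rows and the second MSFC are invented, and showing the ports of the ICMP entry as 0 is an assumption about the output format.

```python
"""Parse 'show mls statistics entry ip' console output and apply the
wildcard rules documented for the show/clear mls entry ip flow arguments."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample in the layout printed on this page. The first data row
# is the one the page shows; the other rows and the second MSFC are invented,
# and 0 for the ports of the ICMP entry is an assumption for this sample.
SAMPLE_OUTPUT = """\
Last            Used
Destination IP  Source IP       Prot DstPrt SrcPrt Stat-Pkts  Stat-Bytes
--------------- --------------- ---- ------ ------ ---------- -----------
MSFC 127.0.0.12:
172.20.22.14    172.20.25.10    6    50648  80     3152       347854
172.20.22.14    172.20.25.11    17   53     1025   2          180
172.20.26.22    172.20.25.10    1    0      0      40         3360
MSFC 127.0.0.13:
172.20.26.22    172.20.22.113   6    23     1652   210        16800
"""

ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
PROTO = {"tcp": 6, "udp": 17, "icmp": 1}   # names accepted by the flow keyword


@dataclass(frozen=True)
class Entry:
    msfc: str
    dst: str
    src: str
    proto: int
    dst_port: int
    src_port: int
    pkts: int
    octets: int


def parse_entries(text):
    """Turn the console output into Entry records, tagging each with its MSFC."""
    entries, msfc = [], None
    for line in text.splitlines():
        if line.startswith("MSFC "):
            msfc = line[5:].rstrip(":").strip()
            continue
        m = ROW.match(line)
        if m:
            dst, src, proto, dport, sport, pkts, octets = m.groups()
            entries.append(Entry(msfc, dst, src, int(proto), int(dport), int(sport),
                                 int(pkts), int(octets)))
    return entries


def _in_spec(addr, spec):
    # ip_addr_spec: a host address, or a subnet as ip_addr/subnet_mask or
    # ip_addr/subnet_mask_bits; None means the keyword was not given (wildcard).
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)


def select_entries(entries, destination=None, source=None, flow=None):
    """Entries matched by [destination] [source] [flow protocol src_port dst_port].

    Documented wildcard rules: protocol 0 matches every protocol and port 0
    matches every port. Cache entries for protocols other than TCP/UDP carry no
    ports, so a nonzero port can only ever match a TCP or UDP entry; giving a
    port with icmp (or with a wildcard protocol) therefore selects no ICMP entry.
    """
    proto = sport = dport = 0
    if flow is not None:
        proto, sport, dport = flow
        proto = int(PROTO.get(str(proto).lower(), proto))   # name or number
    selected = []
    for e in entries:
        if not (_in_spec(e.dst, destination) and _in_spec(e.src, source)):
            continue
        if proto and e.proto != proto:
            continue
        if e.proto not in (6, 17) and (sport or dport):
            continue
        if sport and e.src_port != sport:
            continue
        if dport and e.dst_port != dport:
            continue
        selected.append(e)
    return selected


if __name__ == "__main__":
    cache = parse_entries(SAMPLE_OUTPUT)
    # What "clear mls entry ip destination 172.20.26.22 source 172.20.22.113 flow tcp 1652 23" removes:
    for e in select_entries(cache, "172.20.26.22", "172.20.22.113", ("tcp", 1652, 23)):
        print(e)
    print(select_entries(cache, flow=("icmp", 8, 0)))   # [] : port given with a non-TCP/UDP protocol
```

The selection function is a model of the documented rules, not an interface to the switch; use it to preview a clear mls entry before typing it, since clearing too wide a specification silently sends the affected flows back through the MSFC until the cache repopulates.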

Clearing IPX MLS Cache Entries


The clear mls entry ipx command removes specific IPX MLS cache entries. The destination and
source keywords specify the source and destination IPX addresses. The all keyword clears all MLS
entries.

Displaying IP MLS Statistics


These sections describe how to display a variety of IP MLS statistics:
• Displaying IP MLS Statistics by Protocol, page 14-27
• Displaying Statistics for MLS Cache Entries, page 14-27


Displaying IP MLS Statistics by Protocol

The show mls statistics protocol command displays IP MLS statistics by protocol (such as Telnet, FTP,
and WWW). The protocol keyword functions only if the flow mask mode is full flow. Enter the show
mls command to see the current flow mask.
To display IP MLS statistics by protocol, perform this task in privileged mode:

Task: Display IP MLS statistics by protocol (only if IP MLS is in full flow mode).
Command: show mls statistics protocol

This example shows how to display IP MLS statistics by protocol:


Console> (enable) show mls statistics protocol
Protocol TotalFlows TotalPackets Total Bytes
------- ---------- -------------- ------------
Telnet 900 630 4298
FTP 688 2190 3105
WWW 389 42679 623686
SMTP 802 4966 92873
X 142 2487 36870
DNS 1580 52 1046
Others 82 1 73
Total 6583 53005 801951
Console> (enable)

Displaying Statistics for MLS Cache Entries

The show mls statistics entry command displays IP MLS statistics for MLS cache entries. Specify the
destination IP address, source IP address, protocol, and source and destination ports to see specific MLS
cache entries.
A value of zero (0) for src_port or dst_port is treated as a wildcard, and all statistics are displayed
(unspecified options are treated as wildcards). If the protocol specified is not TCP or UDP, set
src_port and dst_port to 0 or no statistics will display.
To display statistics for MLS cache entries, perform this task in privileged mode:

Task: Display statistics for MLS cache entries. If you do not specify an MLS cache entry, all statistics are shown.
Command: show mls statistics entry ip [destination ip_addr_spec] [source ip_addr_spec] [flow protocol src_port dst_port]

This example shows how to display statistics for a particular MLS cache entry:
Console> (enable) show mls statistics entry ip destination 172.20.22.14
Last            Used
Destination IP  Source IP       Prot DstPrt SrcPrt Stat-Pkts  Stat-Bytes
--------------- --------------- ---- ------ ------ ---------- -----------
MSFC 127.0.0.12:
172.20.22.14    172.20.25.10    6    50648  80     3152       347854
Console> (enable)


Clearing MLS Statistics


The clear mls statistics command clears the following statistics:
• Total packets switched (IP and IPX)
• Total packets exported (for NDE)
To clear IP MLS statistics, perform this task in privileged mode:

Task Command
Clear IP MLS statistics. clear mls statistics

This example shows how to clear IP MLS statistics:


Console> (enable) clear mls statistics
All mls statistics cleared.
Console> (enable)

Displaying MLS Debug Information


The show mls debug command displays MLS debug information that you can send to your technical
support representative for analysis if necessary.
To display MLS debug information, perform this task:

Task: Display MLS debug information that you can send to your technical support representative.
Command: show mls debug

Note The show tech-support command displays supervisor engine system information. Use
application-specific commands to get more information about particular applications.

Configuring IP MMLS
These sections describe how to configure IP MMLS:
• Configuring IP MMLS on the MSFC, page 14-28
• Displaying Global IP MMLS Information on the Supervisor Engine, page 14-34

Configuring IP MMLS on the MSFC


These sections describe how to configure the MSFC for IP MMLS:
• Enabling IP Multicast Routing Globally, page 14-29
• Enabling IP PIM on MSFC Interfaces, page 14-29
• Configuring the IP MMLS Global Threshold, page 14-30
• Enabling IP MMLS on MSFC Interfaces, page 14-30


• Displaying IP MMLS Interface Information, page 14-31


• Displaying the IP Multicast Routing Table, page 14-31
• Monitoring IP MMLS on the MSFC, page 14-32
• Using Debug Commands on the IP MMLS MSFC, page 14-33
• Using Debug Commands on the SCP, page 14-34

Note For information on configuring routing on the MSFC, see Chapter 12, “Configuring InterVLAN
Routing.”

Note You can specify the MSFC as the MLS route processor (MLS-RP) for Catalyst 5000 family switches
using MLS. Refer to the Layer 3 Switching Configuration Guide—Catalyst 5000 Family, 2926G
Series, 2926 Series Switches for Catalyst 5000 family switch MLS configuration procedures.

Note This section describes how to enable IP multicast routing on the MSFC. For more detailed IP
multicast configuration information, refer to the “IP Multicast” section of the Cisco IOS IP and IP
Routing Configuration Guide at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt3/index.htm

Enabling IP Multicast Routing Globally

You must enable IP multicast routing globally on the MSFC before you can enable IP MMLS on MSFC
interfaces.
To enable IP multicast routing globally on the MSFC, perform this task in global configuration mode:

Task Command
Enable IP multicast routing globally. Router(config)# ip multicast-routing

This example shows how to enable IP multicast routing globally:


Router(config)# ip multicast-routing
Router(config)#

Enabling IP PIM on MSFC Interfaces

You must enable IP PIM on the MSFC interfaces before IP MMLS will function on those interfaces.
To enable IP PIM on an interface, perform this task:

Task: Enable IP PIM on an MSFC interface.
Command: Router(config-if)# ip pim {dense-mode | sparse-mode | sparse-dense-mode}


This example shows how to enable IP PIM on an interface using the default mode (sparse-dense-mode):
Router(config-if)# ip pim
Router(config-if)#

This example shows how to enable IP PIM sparse mode on an interface:


Router(config-if)# ip pim sparse-mode
Router(config-if)#

Configuring the IP MMLS Global Threshold

You can configure a global multicast rate threshold, specified in packets per second, below which all
(S,G) multicast traffic is routed by the MSFC. This prevents creation of MLS entries for short-lived
multicast flows, such as join requests.

Note This command does not affect flows that are already being routed. To apply the threshold to existing
routes, clear the route and let it reestablish.

To configure the IP MMLS threshold, perform this task:

Task Command
Configure the IP MMLS threshold. Router(config)# [no] mls ip multicast threshold ppsec

This example shows how to configure the IP MMLS threshold to 10 packets per second:
Router(config)# mls ip multicast threshold 10
Router(config)#

Use the no keyword to deconfigure the threshold.

Enabling IP MMLS on MSFC Interfaces

IP MMLS is enabled by default on the MSFC interface when you enable IP PIM on the interface.
Perform this task only if you disabled IP MMLS on the interface and you want to reenable it.

Note You must enable IP PIM on all participating MSFC interfaces before IP MMLS will function. For
information on configuring IP PIM on MSFC interfaces, see the “Enabling IP PIM on MSFC
Interfaces” section on page 14-29.

To enable IP MMLS on an MSFC interface, perform this task:

Task Command
Enable IP MMLS on an MSFC interface. Router(config-if)# [no] mls ip multicast

This example shows how to enable IP MMLS on an MSFC interface:


Router(config-if)# mls ip multicast
Router(config-if)#

Use the no keyword to disable IP MMLS on an MSFC interface.


Displaying IP MMLS Interface Information

The show ip pim interface count command displays the IP MMLS enable state on MSFC IP PIM
interfaces and the number of packets received and sent on the interface.
The show ip interface command displays the IP MMLS enable state on an MSFC interface.
To display IP MMLS information for an IP PIM MSFC interface, perform one of these tasks:

Task: Display IP MMLS interface information.
Command: Router# show ip pim interface [type number] count
Task: Display the IP MMLS interface enable state.
Command: Router# show ip interface

Displaying the IP Multicast Routing Table

The show ip mroute command displays the IP multicast routing table on the MSFC.
To display the IP multicast routing table, perform this task:

Task: Display the IP multicast routing table.
Command: Router# show ip mroute [group [source]] | [summary] | [count] | [active kbps]

This example shows how to display the IP multicast routing table for 239.252.1.1:
Router# show ip mroute 239.252.1.1
IP Multicast Routing Table
Flags:D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned
R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT
M - MSDP created entry, X - Proxy Join Timer Running
A - Advertised via MSDP
Outgoing interface flags:H - Hardware switched
Timers:Uptime/Expires
Interface state:Interface, Next-Hop or VCD, State/Mode

(*, 239.252.1.1), 04:04:59/00:02:59, RP 80.0.0.2, flags:SJ


Incoming interface:Vlan800, RPF nbr 80.0.0.2
Outgoing interface list:
Vlan10, Forward/Dense, 01:29:57/00:00:00, H

(22.0.0.10, 239.252.1.1), 00:00:19/00:02:41, flags:JT


Incoming interface:Vlan800, RPF nbr 80.0.0.2, RPF-MFD
Outgoing interface list:
Vlan10, Forward/Dense, 00:00:19/00:00:00, H


Monitoring IP MMLS on the MSFC

The show mls ip multicast command displays detailed information about IP MMLS.
To display detailed IP MMLS information on the MSFC, perform one of these tasks:

Task: Display IP MMLS group information.
Command: Router# show mls ip multicast group group-address [interface type number | statistics]
Task: Display IP MMLS details for an interface.
Command: Router# show mls ip multicast interface type number [statistics | summary]
Task: Display a summary of IP MMLS information.
Command: Router# show mls ip multicast summary
Task: Display IP MMLS statistics.
Command: Router# show mls ip multicast statistics
Task: Display IP MMLS source information.
Command: Router# show mls ip multicast source ip-address [interface type number | statistics]

This example shows how to display IP MMLS statistics on the MSFC:


Router# show mls ip multicast statistics
MLS Multicast configuration and state:
Router Mac:0050.0f2d.9bfd, Router IP:1.12.123.234
MLS multicast operating state:ACTIVE
Maximum number of allowed outstanding messages:1
Maximum size reached from feQ:1
Feature Notification sent:5
Feature Notification Ack received:4
Unsolicited Feature Notification received:0
MSM sent:33
MSM ACK received:33
Delete notifications received:1
Flow Statistics messages received:248

MLS Multicast statistics:


Flow install Ack:9
Flow install Nack:0
Flow update Ack:2
Flow update Nack:0
Flow delete Ack:0
Complete flow install Ack:10
Complete flow install Nack:0
Complete flow delete Ack:1
Input VLAN delete Ack:4
Output VLAN delete Ack:0
Group delete sent:0
Group delete Ack:0
Global delete sent:7
Global delete Ack:7

L2 entry not found error:0


Generic error :3
LTL entry not found error:0
MET entry not found error:0
L3 entry exists error :0
Hash collision error :0
L3 entry not found error:0
Complete flow exists error :0


This example shows how to display information on a specific IP MMLS entry on the MSFC:
Router# show mls ip multicast 224.1.1.1
Multicast hardware switched flows:
(1.1.13.1, 224.1.1.1) Incoming interface: Vlan13, Packets switched: 61590
Hardware switched outgoing interfaces: Vlan20 Vlan9
RPF-MFD installed: Vlan13

(1.1.9.3, 224.1.1.1) Incoming interface: Vlan9, Packets switched: 0
Hardware switched outgoing interfaces: Vlan20
RPF-MFD installed: Vlan9

(1.1.12.1, 224.1.1.1) Incoming interface: Vlan12, Packets switched: 62010
Hardware switched outgoing interfaces: Vlan20 Vlan9
RPF-MFD installed: Vlan12

(1.1.12.3, 224.1.1.1) Incoming interface: Vlan12, Packets switched: 61980
Hardware switched outgoing interfaces: Vlan20 Vlan9
RPF-MFD installed: Vlan12

(1.1.11.1, 224.1.1.1) Incoming interface: Vlan11, Packets switched: 62430
Hardware switched outgoing interfaces: Vlan20 Vlan9
RPF-MFD installed: Vlan11

(1.1.11.3, 224.1.1.1) Incoming interface: Vlan11, Packets switched: 62430
Hardware switched outgoing interfaces: Vlan20 Vlan9
RPF-MFD installed: Vlan11

Total hardware switched installed: 6
Router#

This example shows how to display a summary of IP MMLS information on the MSFC:
Router# show mls ip multicast summary
7 MMLS entries using 560 bytes of memory
Number of partial hardware-switched flows:2
Number of complete hardware-switched flows:5
Router#

Using Debug Commands on the IP MMLS MSFC

Table 14-9 describes IP MMLS-related debug troubleshooting commands.

Table 14-9 IP MMLS Debug Commands

Command Description
[no] debug mls ip multicast group group_id group_mask Configures filtering that applies to all other multicast debugging commands.
[no] debug mls ip multicast events Displays IP MMLS events.
[no] debug mls ip multicast errors Turns on debug messages for multicast MLS-related errors.
[no] debug mls ip multicast messages Displays IP MMLS messages from/to the hardware switching engine.
[no] debug mls ip multicast all Turns on all IP MMLS messages.
[no] debug mdss error Turns on MDSS (Multicast Distributed Switching Services) error messages.
[no] debug mdss events Turns on MDSS-related events.
[no] debug mdss all Turns on all MDSS messages.


Using Debug Commands on the SCP

Table 14-10 describes the Serial Control Protocol (SCP)-related debug commands to troubleshoot the
SCP that runs over the Ethernet out-of-band channel (EOBC).

Table 14-10 SCP Debug Commands

Command Description
[no] debug scp async Displays trace for asynchronous data in and out of the SCP
system.
[no] debug scp data Shows packet data trace.
[no] debug scp errors Displays errors and warnings in the SCP.
[no] debug scp packets Displays packet data in and out of the SCP system.
[no] debug scp timeouts Reports timeouts.
[no] debug scp all Turns on all SCP debugging messages.

Displaying Global IP MMLS Information on the Supervisor Engine


These sections describe how to display and clear IP MMLS information on Supervisor Engine 1:
• Displaying IP MMLS Configuration Information, page 14-34
• Displaying IP MMLS Statistics, page 14-35
• Clearing IP MMLS Statistics, page 14-36
• Displaying IP MMLS Entries, page 14-36

Note IP MMLS is permanently enabled on Supervisor Engine 1 and cannot be disabled.

Note To configure IP MMLS on the MSFC, see the “Configuring IP MMLS on the MSFC” section on
page 14-28.

Displaying IP MMLS Configuration Information

The show mls multicast command displays global IP MMLS configuration information and the state of
participating MSFCs.
To display global IP MMLS configuration information, perform this task:

Task: Display global IP MMLS configuration information.
Command: show mls multicast


This example shows how to display global IP MMLS configuration information:


Console> (enable) show mls multicast
Admin Status: Enabled
Operational Status: Active
Configured flow mask is {Destination-source-vlan flow}
Active Entries = 10
Router include list :
1.1.9.254 (Active)
1.1.5.252 (Active)
Console> (enable)

Displaying IP MMLS Statistics

The show mls multicast statistics command displays IP MMLS statistics for multicast MSFCs.
To display IP MMLS statistics for multicast MSFCs, perform this task:

Task Command
Display IP multicast MSFC statistics. show mls multicast statistics [ip_addr]

This example shows how to display IP MMLS statistics for multicast MSFCs:
Console> (enable) show mls multicast statistics
Router IP Router Name Router MAC
-------------------------------------------------------
1.1.9.254 ? 00-50-0f-06-3c-a0

Transmit:
Delete Notifications: 23
Acknowledgements: 92
Flow Statistics: 56

Receive:
Open Connection Requests: 1
Keep Alive Messages: 72
Shortcut Messages: 19
Shortcut Install TLV: 8
Selective Delete TLV: 4
Group Delete TLV: 0
Update TLV: 3
Input VLAN Delete TLV: 0
Output VLAN Delete TLV: 0
Global Delete TLV: 0
MFD Install TLV: 7
MFD Delete TLV: 0
Router IP Router Name Router MAC
-------------------------------------------------------
1.1.5.252 ? 00-10-29-8d-88-01

Transmit:
Delete Notifications: 22
Acknowledgements: 75
Flow Statistics: 22


Receive:
Open Connection Requests: 1
Keep Alive Messages: 68
Shortcut Messages: 6
Shortcut Install TLV: 4
Selective Delete TLV: 2
Group Delete TLV: 0
Update TLV: 0
Input VLAN Delete TLV: 0
Output VLAN Delete TLV: 0
Global Delete TLV: 0
MFD Install TLV: 4
MFD Delete TLV: 0
Console> (enable)

Clearing IP MMLS Statistics

The clear mls multicast statistics command clears IP MMLS statistics for all participating MSFCs.
To clear IP MMLS statistics, perform this task in privileged mode:

Task Command
Clear IP MMLS statistics. clear mls multicast statistics

This example shows how to clear IP MMLS statistics:


Console> (enable) clear mls multicast statistics
All statistics for the MLS routers in include list are cleared.
Console> (enable)

Displaying IP MMLS Entries

The show mls multicast entry command displays a variety of information about the multicast flows
being handled by the PFC. You can display entries based on any combination of the participating MSFC,
the VLAN, the multicast group address, or the multicast traffic source.
To display information about IP MMLS entries, perform this task in privileged mode:

Task: Display information about IP MMLS entries.
Command: show mls multicast entry [[[mod] [vlan vlan_id] [group ip_addr] [source ip_addr]] | [all]]

This example shows how to display all IP MMLS entries:


Console> (enable) show mls multicast entry all
Router IP Dest IP Source IP Pkts Bytes InVlan OutVlans
--------------- --------------- --------------- ---------- ----------- ------- --------

1.1.5.252 224.1.1.1 1.1.11.1 15870 2761380 20


1.1.9.254 224.1.1.1 1.1.12.3 473220 82340280 12
1.1.5.252 224.1.1.1 1.1.12.3 15759 2742066 20
1.1.9.254 224.1.1.1 1.1.11.1 473670 82418580 11
1.1.5.252 224.1.1.1 1.1.11.3 15810 2750940 20
1.1.9.254 224.1.1.1 1.1.12.1 473220 82340280 12
1.1.5.252 224.1.1.1 1.1.13.1 15840 2756160 20


1.1.9.254 224.1.1.1 1.1.13.1 472770 82261980 13


1.1.5.252 224.1.1.1 1.1.12.1 15840 2756160 20
1.1.9.254 224.1.1.1 1.1.11.3 473667 82418058 11
Total Entries: 10
Console> (enable)

This example shows how to display IP MMLS entries for a specific MSFC:
Console> (enable) show mls multicast entry 15
Router IP Dest IP Source IP Pkts Bytes InVlan OutVlans
--------------- --------------- --------------- ---------- ----------- ------- --------

1.1.5.252 224.1.1.1 1.1.11.1 15870 2761380 20


1.1.5.252 224.1.1.1 1.1.12.3 15759 2742066 20
1.1.5.252 224.1.1.1 1.1.11.3 15810 2750940 20
1.1.5.252 224.1.1.1 1.1.13.1 15840 2756160 20
1.1.5.252 224.1.1.1 1.1.12.1 15840 2756160 20
Total Entries: 5
Console> (enable)

This example shows how to display IP MMLS entries for a specific multicast group address:
Console> (enable) show mls multicast entry group 226.0.1.3 short
Router IP Dest IP Source IP InVlan Pkts Bytes OutVlans
-------------- ----------- ------------ ------ ------ --------- ---------
171.69.2.1 226.0.1.3 172.2.3.8 20 171 23512 10,201,22,45
171.69.2.1 226.0.1.3 172.3.4.9 12 25 3120 8,20
Total Entries: 2
Console> (enable)

This example shows how to display IP MMLS entries for a specific MSFC and a specific multicast
source address:
Console> (enable) show mls multicast entry 15 1.1.5.252 source 1.1.11.1 short
Router IP       Dest IP         Source IP       Pkts       Bytes       InVlan OutVlans
--------------- --------------- --------------- ---------- ----------- ------ --------
172.20.49.159   224.1.1.6       1.1.40.4        368        57776       40     23,25
172.20.49.159   224.1.1.71      1.1.22.2        99         65142       22     30,37
172.20.49.159   224.1.1.8       1.1.22.2        396        235620      22     13,19
Console> (enable)

C H A P T E R 15
Configuring NDE

This chapter describes how to configure NetFlow Data Export (NDE) on the Catalyst 6000
family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How NDE Works, page 15-1
• Default NDE Configuration, page 15-3
• Configuring NDE, page 15-3

Understanding How NDE Works


These sections describe how NDE works:
• Overview of NDE and Integrated Layer 3 Switching Management, page 15-1
• Traffic Statistics Data Collection, page 15-2
• Using NDE Filters, page 15-3

Overview of NDE and Integrated Layer 3 Switching Management


Catalyst 6000 family switches provide Layer 3 switching with Cisco Express Forwarding for Policy
Feature Card 2 (CEF for PFC2) or with Multilayer Switching (MLS). You can use NDE to monitor all
Layer 3-switched traffic through the Multilayer Switch Feature Card (MSFC). NDE complements the
embedded Remote Monitoring (RMON) capabilities on the switch that allow you to see all port traffic.

Note NDE is not supported for IP multicast or Internetwork Packet Exchange (IPX) traffic.

Note NDE version 7 and NDE version 8 are not supported for the MSFC.


Note For information on configuring CEF for PFC2, see Chapter 13, “Configuring CEF for PFC2.” For
information on configuring MLS, see Chapter 14, “Configuring MLS.”

Integrated Layer 3-switching management includes products, management utilities, and partner
applications designed to gather flow statistics, export the statistics, collect and perform data reduction
on the exported statistics, and forward them to applications for traffic monitoring, planning, and
accounting. Flow collectors, such as the Cisco SwitchProbe and NetFlow FlowCollector, gather and
classify flows. This flow information is then aggregated and fed to applications such as TrafficDirector,
NetSys, or NetFlow Analyzer.

Traffic Statistics Data Collection


An external data collector gathers flow entries from the statistics cache of one or more switches or Cisco
routers. The switch or router transmits data to the flow collector by grouping flow entries for expired
flows from its statistics cache into a User Datagram Protocol (UDP) datagram, which consists of a
header and a series of flow entries. See Figure 15-1.

Figure 15-1 Integrated Layer 3 Switching Management

[Figure 15-1 shows the pipeline: routers and switches perform flow switching and data export; together with an RMON probe they feed flow collection, then flow consolidation; the flow consumers are network planning, accounting/billing, flow profiling, and network monitoring.]
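The datagram described above (a header followed by a series of flow entries) is what a collector has to parse, and because NDE is plain UDP with no authentication, a collector should also restrict the exporter addresses it accepts and watch the header's sequence field. The following Python example is added here and is not part of this guide: it packs and parses NetFlow version 5 export datagrams (a 24-byte header and up to 30 48-byte records) and tracks flow_sequence per exporter, reporting a jump as lost flows and a value behind the expected one as a reordered, duplicated or injected datagram. This section does not state which export version the switch sends; version 5 is assumed here because its layout is public and fixed. The flow records and the exporter address 172.20.15.2 are constructed for the example.

```python
"""Build and parse NetFlow version 5 export datagrams and check flow_sequence."""
import socket
import struct
from dataclasses import dataclass

V5_HEADER = struct.Struct("!HHIIIIBBH")               # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
V5_MAX_RECORDS = 30                                   # keeps a datagram under a 1500-byte MTU


@dataclass
class FlowRecord:
    src: str
    dst: str
    next_hop: str
    in_if: int
    out_if: int
    packets: int
    octets: int
    first_ms: int      # sysuptime at the first packet of the flow
    last_ms: int       # sysuptime at the last packet of the flow
    src_port: int
    dst_port: int
    tcp_flags: int
    proto: int
    tos: int


def build_datagram(seq, flows, uptime_ms=0, unix_secs=0):
    """Pack flows into one version-5 datagram; seq is the header's flow_sequence."""
    if len(flows) > V5_MAX_RECORDS:
        raise ValueError("too many records for one datagram")
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(f.src), socket.inet_aton(f.dst), socket.inet_aton(f.next_hop),
                       f.in_if, f.out_if, f.packets, f.octets, f.first_ms, f.last_ms,
                       f.src_port, f.dst_port, 0, f.tcp_flags, f.proto, f.tos,
                       0, 0, 0, 0, 0)   # src_as, dst_as, src_mask, dst_mask, pad
        for f in flows)
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    return header + body


def parse_datagram(data):
    """Return (flow_sequence, [FlowRecord]); raise ValueError for anything malformed."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, _up, _secs, _nsecs, seq, _etype, _eid, _sampling = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    if count > V5_MAX_RECORDS or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        (src, dst, nh, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, tflags, proto, tos, _sas, _das, _smask, _dmask, _pad2) = \
            V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst), socket.inet_ntoa(nh),
                                  in_if, out_if, pkts, octets, first, last,
                                  sport, dport, tflags, proto, tos))
    return seq, records


class SequenceTracker:
    """Per-exporter flow_sequence check. In version 5 the sequence counts flows,
    not datagrams, so the next datagram is expected at last_seq + last_count."""

    def __init__(self, allowed_exporters):
        self.allowed = set(allowed_exporters)
        self.expected = {}
        self.lost_flows = {}
        self.out_of_order = {}

    def observe(self, exporter, seq, count):
        """Return the number of flows missing before this datagram (0 if contiguous)."""
        if exporter not in self.allowed:
            raise ValueError(f"datagram from unexpected exporter {exporter}")
        expected = self.expected.get(exporter)
        missing = 0
        if expected is not None:
            delta = (seq - expected) & 0xFFFFFFFF
            if delta >= 0x80000000:      # behind: reordered, duplicated or injected datagram
                self.out_of_order[exporter] = self.out_of_order.get(exporter, 0) + 1
                return 0
            missing = delta
        self.lost_flows[exporter] = self.lost_flows.get(exporter, 0) + missing
        self.expected[exporter] = (seq + count) & 0xFFFFFFFF
        return missing


# Constructed sample flows; the TCP one mirrors the statistics entry shown in Chapter 14.
SAMPLE_FLOWS = [
    FlowRecord("172.20.25.10", "172.20.22.14", "172.20.22.1", 1, 2, 3152, 347854, 1000, 5000, 80, 50648, 0x18, 6, 0),
    FlowRecord("10.1.2.15", "9.1.2.15", "9.1.2.1", 1, 2, 2, 180, 1500, 1600, 1025, 53, 0, 17, 0),
]

if __name__ == "__main__":
    data = build_datagram(0, SAMPLE_FLOWS)
    seq, records = parse_datagram(data)
    tracker = SequenceTracker(["172.20.15.2"])   # constructed exporter address
    print(seq, tracker.observe("172.20.15.2", seq, len(records)), records[0])
```

A real collector would feed parse_datagram from a UDP socket bound to the configured NDE port and call observe with the datagram's source address; a persistent gap rate points at an overloaded collector or link, while out-of-order counts from a source that should never replay deserve a look at who else can reach that port.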


Using NDE Filters


By default, all expired flows are exported until you specify a filter. After specifying a filter, only expired
and purged flows matching the specified filter criteria are exported. Filter values are stored in NVRAM
and are not cleared when NDE is disabled.
If the flow mask is destination-ip mode and the NDE filter contains a filter on both source and
destination, only the destination filter is effective. For example, in the filter specified in the following
display if the flow mask is in destination-ip mode, all flows with destination address 9.1.2.15 are
exported. The source filter for host 10.1.2.15 is not effective (it is ignored).
Console> (enable) set mls nde flow destination 9.1.2.15/32 source 10.1.2.15/32
Netflow data export: destination filter set to 9.1.2.15/32
Netflow data export: source filter set to 10.1.2.15/32
Console> (enable)
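The precedence rule shown above matters in practice: an operator who adds a source filter expecting to export only one host's traffic still exports every flow to that destination while the flow mask is destination-ip. The following Python example is added here and is not part of this guide; it models which expired flows are exported for a given flow mask and NDE filter. The flows are constructed, and the treatment of the destination-source mask (port and protocol criteria dropped, address criteria kept) is an assumption of the model; the page only states the destination-ip case.

```python
"""Model which expired flows NDE exports under a given flow mask and NDE filter."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

DESTINATION_IP = "destination-ip"
DESTINATION_SOURCE = "destination-source"
FULL_FLOW = "full-flow"


@dataclass(frozen=True)
class NdeFilter:
    """Criteria the set mls nde flow command can carry (None = not set)."""
    destination: Optional[str] = None   # host or subnet, e.g. "9.1.2.15/32" or "9.1.2.0/24"
    source: Optional[str] = None
    dst_port: Optional[int] = None      # TCP/UDP destination port
    protocol: Optional[int] = None      # IP protocol number


@dataclass(frozen=True)
class Flow:
    dst: str
    src: str
    proto: int
    src_port: int
    dst_port: int


def effective_filter(flow_mask: str, f: NdeFilter) -> NdeFilter:
    """Keep only the criteria the flow mask can evaluate.

    destination-ip: cache entries are keyed by destination address only, so
    only the destination criterion is effective (the case the page describes).
    destination-source: destination and source are kept; dropping the port and
    protocol criteria there is an assumption of this model. full-flow: every
    criterion applies.
    """
    if flow_mask == DESTINATION_IP:
        return NdeFilter(destination=f.destination)
    if flow_mask == DESTINATION_SOURCE:
        return NdeFilter(destination=f.destination, source=f.source)
    if flow_mask == FULL_FLOW:
        return f
    raise ValueError(f"unknown flow mask {flow_mask!r}")


def _match(addr: str, spec: Optional[str]) -> bool:
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)


def is_exported(flow_mask: str, nde_filter: Optional[NdeFilter], flow: Flow) -> bool:
    """With no filter every expired flow is exported; otherwise the effective filter decides."""
    if nde_filter is None:
        return True
    f = effective_filter(flow_mask, nde_filter)
    return (_match(flow.dst, f.destination)
            and _match(flow.src, f.source)
            and (f.dst_port is None or flow.dst_port == f.dst_port)
            and (f.protocol is None or flow.proto == f.protocol))


def export_set(flow_mask: str, nde_filter: Optional[NdeFilter], flows: List[Flow]) -> List[Flow]:
    return [fl for fl in flows if is_exported(flow_mask, nde_filter, fl)]


# Constructed expired flows: two to the page's destination 9.1.2.15, one to another host.
SAMPLE_FLOWS = [
    Flow("9.1.2.15", "10.1.2.15", 6, 1652, 23),
    Flow("9.1.2.15", "10.1.2.99", 6, 40000, 80),
    Flow("9.1.2.16", "10.1.2.15", 17, 1025, 53),
]

if __name__ == "__main__":
    # The page's filter: destination 9.1.2.15/32 source 10.1.2.15/32.
    flt = NdeFilter(destination="9.1.2.15/32", source="10.1.2.15/32")
    for mask in (DESTINATION_IP, DESTINATION_SOURCE, FULL_FLOW):
        print(mask, [fl.src for fl in export_set(mask, flt, SAMPLE_FLOWS)])
```

Run it and the destination-ip line lists both sources, which is the behaviour the example output above describes; check the flow mask with show mls before relying on a source or port filter to limit what leaves the switch.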

Default NDE Configuration


Table 15-1 shows the default NDE configuration.

Table 15-1 Default NDE Configuration

Feature Default Value


NDE Disabled
NDE data collector address and UDP port None specified
NDE filters None configured

Configuring NDE
These sections describe how to configure NDE:
• Usage Guidelines, page 15-4
• Specifying an NDE Collector, page 15-4
• Specifying an NDE Destination Address on the MSFC, page 15-5
• Specifying an NDE Source Address on the MSFC, page 15-5
• Enabling NDE, page 15-6
• Specifying a Destination Host Filter, page 15-6
• Specifying a Destination and Source Subnet Filter, page 15-6
• Specifying a Destination TCP/UDP Port Filter, page 15-7
• Specifying a Source Host and Destination TCP/UDP Port Filter, page 15-7
• Specifying a Protocol Filter, page 15-8
• Specifying Protocols for Statistics Collection, page 15-8
• Removing Protocols for Statistics Collection, page 15-8


• Clearing the NDE Flow Filter, page 15-9


• Disabling NDE, page 15-9
• Removing the NDE IP Address, page 15-9
• Displaying the NDE Configuration, page 15-10

Usage Guidelines
If too many entries are added to the NetFlow table, follow these guidelines:
• Reduce the MLS aging time. Set the aging time low enough that the number of entries stays within
the 32k-flow capacity of the PFC. For information on how to change the MLS aging time, see the
“Specifying MLS Aging-Time Value” section on page 14-17 in Chapter 14, “Configuring MLS.”
• If there are protocols with fewer packets per flow running, reduce the MLS fast aging time. For
information on how to change the MLS fast aging time, see the “Specifying IP MLS Fast Aging
Time and Packet Threshold Values” section on page 14-18 in Chapter 14, “Configuring MLS.”
• Use the correct flow mask. Use the flow mask required to extract the kind of information you want.
A full flow mask gives more information but as the number of flows increase, the load on the
Layer 3 aging also increases. Try to use a flow mask with the minimum granularity required to get
the data you need. With a full flow mask, you might need to decrease the MLS aging time because
a full flow mask increases the number of flows per second. For information on setting the flow mask,
see the “Setting the Minimum IP MLS Flow Mask” section on page 14-19 in Chapter 14,
“Configuring MLS.”
• Exclude entries with fewer packets per flow. Some query protocols, like Domain Name System
(DNS), generate fewer packets per flow and can be excluded from the NetFlow table with the set
mls exclude protocol command. You can specify up to four protocol filters, but packets from
filtered protocols will go to the MSFC.
• Keep specific flows from being added to the Netflow table with the set mls nde flow exclude
command.

Specifying an NDE Collector


Before enabling NDE for the first time, you must specify an NDE collector and UDP port to receive the
exported statistics. The collector address and UDP port number are saved in NVRAM and are preserved
if NDE is disabled and reenabled or if the switch is power cycled.

Note If you are using the NetFlow FlowCollector application for data collection, verify that the UDP port
number you specify is the same port number shown in the FlowCollector’s nfconfig.file. This file is
located at /opt/csconfc/config/nfconfig.file in the FlowCollector application.

To specify an NDE collector, perform this task in privileged mode:

Task: Specify an NDE collector and UDP port for data export of hardware-switched packets.
Command: set mls nde {collector_ip | collector_name} {udp_port_number}

Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4


15-4 78-13315-02
Chapter 15 Configuring NDE
Configuring NDE

This example shows how to specify an NDE collector:


Console> (enable) set mls nde Stargate 9996
Netflow data export not enabled.
Netflow data export to port 9996 on 172.20.15.1(Stargate)
Console> (enable)

Specifying an NDE Destination Address on the MSFC


To monitor data and statistics about Layer 3 traffic that is switched in software by the MSFC, you must
specify the NDE collector and UDP port on the MSFC by entering the ip flow-export destination
command on the MSFC.
To specify the NDE collector for Layer 3 traffic that is being switched by the MSFC, perform this task
in privileged mode:

Task: Specify an NDE collector and UDP port for data export of software-switched packets.
Command: ip flow-export destination {hostname | ip_address} {udp_port_number}

This example shows how to specify the NDE collector from the MSFC:
Router(config)# ip flow-export destination Stargate 9996
Router(config)#

Specifying an NDE Source Address on the MSFC


The MSFC and the PFC use the NDE source address when sending statistics to the data collection
application. Enter the ip flow-export source vlan command on the MSFC to configure the source address
so that the data collection application can aggregate export data from both the MSFC and the PFC for
the same flow.

Note The ip flow-export source vlan command is optional. If you do not specify an NDE source address
on the MSFC, the MSFC and PFC automatically use the IP address of one of the MSFC VLAN
interfaces.

To specify the NDE source address for Layer 3 traffic that is being switched by the MSFC, perform this
task in privileged mode:

Task: Specify an NDE source address for data export of software-switched packets.
Command: ip flow-export source vlan {vlan_interface_number}

This example shows how to specify the NDE source address on the MSFC:
Router(config)# ip flow-export source vlan 10
Router(config)#


Enabling NDE
To enable NDE, perform this task in privileged mode:

Task: Enable NDE on the switch.
Command: set mls nde enable

This example shows how to enable NDE on the switch:


Console> (enable) set mls nde enable
Netflow data export enabled.
Netflow data export to port 9996 on 172.20.15.1 (Stargate)
Console> (enable)

If you attempt to enable NDE without first specifying a collector, you see this display:
Console> (enable) set mls nde enable
Please set host name and UDP port number with ‘set mls nde <collector_ip>
<udp_port_number>’.
Console> (enable)

Specifying a Destination Host Filter


To specify a destination host filter, perform this task in privileged mode:

Task: Specify a destination host filter for an NDE flow.
Command: set mls nde flow destination [ip_addr_spec]

This example shows how to specify a destination host filter so that only expired flows to host
171.69.194.140 are exported:
Console> (enable) set mls nde flow destination 171.69.194.140
Netflow Data Export successfully set
Destination filter is 171.69.194.140/255.255.255.255
Filter type: include
Console> (enable)

Specifying a Destination and Source Subnet Filter


To specify a destination and source subnet filter, perform this task in privileged mode:

Task: Specify a destination and source subnet filter for an NDE flow.
Command: set mls nde flow destination [ip_addr_spec] source [ip_addr_spec]


This example shows how to specify a destination and source subnet filter so that only expired flows to
subnet 171.69.194.0 from subnet 171.69.173.0 are exported (assuming the flow mask is set to
source-destination-ip):
Console> (enable) set mls nde flow destination 171.69.194.140/24 source 171.69.173.5/24
Netflow Data Export successfully set
Source filter is 171.69.173.0/24
Destination filter is 171.69.194.0/24
Filter type: include
Console> (enable)

Specifying a Destination TCP/UDP Port Filter


To specify a destination TCP/UDP port filter, perform this task in privileged mode:

Task: Specify a destination TCP/UDP port filter for an NDE flow.
Command: set mls nde flow dst_port [port_number]

This example shows how to specify a destination TCP/UDP port filter so that only expired flows to
destination port 23 are exported (assuming the flow mask is set to ip-flow):
Console> (enable) set mls nde flow dst_port 23
Netflow Data Export successfully set
Destination port filter is 23
Filter type: include
Console> (enable)

Specifying a Source Host and Destination TCP/UDP Port Filter


To specify a source host and destination TCP/UDP port filter, perform this task in privileged mode:

Task: Specify a source host and destination TCP/UDP port filter for an NDE flow.
Command: set mls nde flow source [ip_addr_spec] dst_port [port_number]

This example shows how to specify a source host and destination TCP/UDP port filter so that only
expired flows from host 171.69.194.140 to destination port 23 are exported (assuming the flow mask is
set to ip-flow):
Console> (enable) set mls nde flow source 171.69.194.140 dst_port 23
Netflow Data Export successfully set
Source filter is 171.69.194.140/255.255.255.255
Destination port filter is 23
Filter type: include
Console> (enable)


Specifying a Protocol Filter


To specify a protocol filter, perform this task in privileged mode:

Task: Specify a protocol filter for an NDE flow.
Command: set mls nde flow protocol protocol

This example shows how to specify a protocol filter so that only expired flows from protocol 17 are
exported:
Console> (enable) set mls nde flow protocol 17
Netflow Data Export filter successfully set.
Protocol filter is 17
Filter type: include
Console> (enable)
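The filter sections above (destination host, destination and source subnet, destination TCP/UDP port, source host and destination port, and protocol) describe how a single include filter narrows what the switch exports. The following Python program is an added example written for this page; it is not Cisco code and not part of the NetFlow FlowCollector product. It decodes one export datagram on the collector side, applies the same filter semantics to the decoded flows, and prints the confirmation lines the switch would echo, so you can see which of the chapter's filter specifications would export which flow. Assumptions that this page does not state: the PFC exports NetFlow version 7 (24-byte header, 52-byte records); the datagram is constructed inside the script rather than captured from a switch; and the filter fields combine with AND.

```python
"""Collector-side model of Catalyst 6000 NDE: decode an export datagram and apply the
'set mls nde flow' include filter to the decoded flows. Added example, not Cisco code.
Assumptions: NetFlow version 7 export (24-byte header, 52-byte records); the sample
datagram is constructed below, not captured; filter fields combine with AND."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# v7 header: version, count, sysuptime, unix_secs, unix_nsecs, flow_sequence, reserved
V7_HEADER = struct.Struct("!HHIIIII")
# v7 record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, First, Last, srcport,
# dstport, flags, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad, router_sc
V7_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBHI")


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int


def parse_v7(datagram: bytes) -> List[Flow]:
    """Decode one export datagram; refuse versions and lengths this model cannot trust."""
    version, count, *_ = V7_HEADER.unpack_from(datagram, 0)
    if version != 7:
        raise ValueError(f"expected NetFlow v7, got version {version}")
    if len(datagram) < V7_HEADER.size + count * V7_RECORD.size:
        raise ValueError("datagram shorter than its record count claims")
    flows = []
    for i in range(count):
        r = V7_RECORD.unpack_from(datagram, V7_HEADER.size + i * V7_RECORD.size)
        flows.append(Flow(ipaddress.IPv4Address(r[0]), ipaddress.IPv4Address(r[1]),
                          proto=r[13], sport=r[9], dport=r[10], packets=r[5], octets=r[6]))
    return flows


def build_v7(flows: List[Flow]) -> bytes:
    """Encode flows as a v7 datagram (used only to construct the sample input)."""
    body = b"".join(V7_RECORD.pack(f.src.packed, f.dst.packed, b"\0\0\0\0", 0, 0, f.packets,
                                   f.octets, 0, 0, f.sport, f.dport, 0, 0, f.proto, 0, 0, 0, 0, 0, 0, 0)
                    for f in flows)
    return V7_HEADER.pack(7, len(flows), 0, 0, 0, 0, 0) + body


def _net(text: str) -> ipaddress.IPv4Network:
    # strict=False drops the host bits: 171.69.194.140/24 becomes 171.69.194.0/24, which
    # is what the switch echoes back as 'Destination filter is 171.69.194.0/24'
    return ipaddress.IPv4Network(text, strict=False)


@dataclass
class NdeFlowFilter:
    """set mls nde flow [destination a[/m]] [source a[/m]] [dst_port p] [protocol n]"""
    destination: Optional[ipaddress.IPv4Network] = None
    source: Optional[ipaddress.IPv4Network] = None
    dst_port: Optional[int] = None
    protocol: Optional[int] = None

    @classmethod
    def parse(cls, spec: str) -> "NdeFlowFilter":
        toks = spec.split()
        kw = dict(zip(toks[::2], toks[1::2]))
        if len(toks) % 2 or set(kw) - {"destination", "source", "dst_port", "protocol"}:
            raise ValueError(f"bad filter spec: {spec!r}")
        return cls(destination=_net(kw["destination"]) if "destination" in kw else None,
                   source=_net(kw["source"]) if "source" in kw else None,
                   dst_port=int(kw["dst_port"]) if "dst_port" in kw else None,
                   protocol=int(kw["protocol"]) if "protocol" in kw else None)

    def describe(self) -> List[str]:
        """The confirmation lines the switch prints (a host filter shows a dotted mask)."""
        def fmt(n: ipaddress.IPv4Network) -> str:
            return f"{n.network_address}/{n.netmask}" if n.prefixlen == 32 else str(n)
        parts = [("Source filter is", None if self.source is None else fmt(self.source)),
                 ("Destination filter is", None if self.destination is None else fmt(self.destination)),
                 ("Destination port filter is", self.dst_port),
                 ("Protocol filter is", self.protocol)]
        return [f"{k} {v}" for k, v in parts if v is not None] + ["Filter type: include"]

    def matches(self, f: Flow) -> bool:
        return ((self.destination is None or f.dst in self.destination)
                and (self.source is None or f.src in self.source)
                and (self.dst_port is None or f.dport == self.dst_port)
                and (self.protocol is None or f.proto == self.protocol))


def exported(spec: str, datagram: bytes) -> List[Tuple[str, str, int, int]]:
    """(src, dst, protocol, dst port) of the flows the filter lets NDE export."""
    flt = NdeFlowFilter.parse(spec)
    return [(str(f.src), str(f.dst), f.proto, f.dport) for f in parse_v7(datagram) if flt.matches(f)]


IP = ipaddress.IPv4Address
SAMPLE = build_v7([  # constructed flows for the demonstration, not a switch capture
    Flow(IP("171.69.173.5"), IP("171.69.194.140"), 6, 1024, 23, 12, 900),
    Flow(IP("10.1.1.1"), IP("171.69.194.7"), 17, 53, 53, 1, 80),
    Flow(IP("171.69.173.9"), IP("171.69.194.200"), 17, 4000, 514, 40, 4000),
    Flow(IP("171.69.173.5"), IP("10.9.9.9"), 6, 2000, 23, 5, 300),
    Flow(IP("171.69.194.140"), IP("10.9.9.10"), 6, 3000, 23, 7, 420)])

if __name__ == "__main__":
    for spec in ("destination 171.69.194.140/24 source 171.69.173.5/24", "dst_port 23"):
        print("set mls nde flow", spec, "\n" + "\n".join(NdeFlowFilter.parse(spec).describe()))
        print("  exported:", exported(spec, SAMPLE))
```

The length check in parse_v7 matters on a real collector: the export arrives over unauthenticated UDP, so a record count that does not match the datagram length is the first thing a malformed or spoofed packet would get wrong.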

Specifying Protocols for Statistics Collection


You can enter the set mls statistics protocol protocol port command to specify up to 64 different
protocols for which to collect statistics to be exported using NDE. The protocol argument can be ip,
ipinip, icmp, igmp, tcp, and udp, or a decimal number for other protocol families. The port argument
specifies the protocol port.
To specify protocols for statistics collection, perform this task in privileged mode:

Task: Specify protocols for statistics collection.
Command: set mls statistics protocol protocol port

This example shows how to specify a protocol for statistics collection:


Console> (enable) set mls statistics protocol 17 1934
Protocol 17 port 1934 is added to protocol statistics list.
Console> (enable)

Removing Protocols for Statistics Collection


You can enter the clear mls statistics protocol {protocol port | all} command to remove a protocol and
port from the list of protocols for which statistics are collected and exported using NDE. The protocol
argument can be tcp, udp, icmp, or a decimal number for other protocol families. The port argument
specifies the protocol port. Use the all keyword to remove all protocols from statistics collection.
To remove protocols for statistics collection, perform this task in privileged mode:

Task: Remove protocols for statistics collection.
Command: clear mls statistics protocol {protocol port | all}


This example shows how to remove a protocol for statistics collection:


Console> (enable) clear mls statistics protocol 17 1934
Protocol 17 port 1934 cleared from protocol statistics list.
Console> (enable)

Clearing the NDE Flow Filter


To clear the NDE flow filter and reset the filter to the default (all flows exported), perform this task in
privileged mode:

Task: Clear the NDE flow filter.
Command: clear mls nde flow

This example shows how to clear the NDE flow filter so that all flows are exported:
Console> (enable) clear mls nde flow
Netflow data export filter cleared.
Console> (enable)

Disabling NDE

Note With Supervisor Engine 1 and a PFC, if NDE is enabled and you disable MLS, you lose the statistics
for existing cache entries—they are not exported.

To disable NDE on the switch, perform this task in privileged mode:

Task: Disable NDE on the switch.
Command: set mls nde disable

This example shows how to disable NDE on the switch:


Console> (enable) set mls nde disable
Netflow data export disabled.
Console> (enable)

Removing the NDE IP Address


To remove the NDE IP address from the MSFC, perform this task in global configuration mode:

Task: Remove the NDE IP address from the MSFC.
Command: Router(config)# no mls nde-address [ip_addr]


This example shows how to remove the NDE IP address from the MSFC:
Router(config)# no mls nde-address 170.170.2.1
Router(config)#

Displaying the NDE Configuration


To display the NDE configuration on the switch, perform this task in privileged mode:

Task: Display the NDE configuration on the switch.
Command: show mls nde

This example shows how to display the NDE configuration on the switch:
Console> (enable) show mls nde
Netflow Data Export enabled
Netflow Data Export configured for port 1098 on host 172.20.15.1
Source filter is 171.69.194.140/255.255.255.0
Destination port filter is 23
Total packets exported = 26784
Console> (enable)

CHAPTER 16
Configuring Access Control

This chapter describes how to configure access control lists (ACLs) on the Catalyst 6000 family
switches. Configuration of the ACLs depends on the type of hardware you install on your supervisor
engine. See the “Hardware Requirements” section on page 16-2 for details.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How ACLs Work, page 16-1
• Hardware Requirements, page 16-2
• Supported ACLs, page 16-2
• Applying Cisco IOS ACLs and VACLs on VLANs, page 16-7
• Using Cisco IOS ACLs in your Network, page 16-9
• Using VACLs with Cisco IOS ACLs, page 16-15
• Using VACLs in your Network, page 16-22
• Unsupported Features, page 16-27
• Configuring VACLs, page 16-28
• Configuring and Storing VACLs and QoS ACLs in Flash Memory, page 16-42
• Configuring Policy-Based Forwarding, page 16-48

Note Except where specifically differentiated, the information and procedures in this chapter apply to both
Supervisor Engine 2 with Layer 3 Switching Engine II (Policy Feature Card 2 or PFC2) and
Supervisor Engine 1 with Layer 3 Switching Engine II (Policy Feature Card or PFC).

Understanding How ACLs Work


Traditionally, switches operated at Layer 2 only; switches switched traffic within a VLAN and routers
routed traffic between VLANs. Catalyst 6000 family switches with the Multilayer Switch Feature Card
(MSFC) can accelerate packet routing between VLANs by using Layer 3 switching (Multilayer


Switching [MLS]). The switch first bridges the packet, the packet is then routed internally without going
to the router, and then the packet is bridged again to send it to its destination. During this process, the
switch can access control all packets it switches, including packets bridged within a VLAN.
Cisco IOS ACLs provide access control for routed traffic between VLANs, and VLAN ACLs (VACLs)
provide access control for all packets.
Standard and extended Cisco IOS ACLs are used to classify packets. Classified packets can be subject
to a number of features such as access control (security), encryption, policy-based routing, and so on.
Standard and extended Cisco IOS ACLs are only configured on router interfaces and applied on routed
packets.
VACLs can provide access control based on Layer 3 addresses for IP and IPX protocols. Unsupported
protocols are access controlled through MAC addresses. A VACL is applied to all packets (bridged and
routed) and can be configured on any VLAN interface. Once a VACL is configured on a VLAN, all
packets (routed or bridged) entering the VLAN are checked against the VACL. Packets can either enter
the VLAN through a switch port or through a router port after being routed.

Hardware Requirements
The hardware that is required to configure ACLs on Catalyst 6000 family switches is as follows:
• Cisco IOS ACLs:
– Policy Feature Card (PFC) and MSFC or MSFC2
– PFC2 and MSFC2
• VACLs and QoS ACLs:
– PFC
– PFC2

Note The QoS feature set supported on your switch is determined by which switching engine daughter card
is installed on the supervisor engine. See Chapter 41, “Configuring QoS” for more information.

Supported ACLs
These sections describe the ACLs supported by the Catalyst 6000 family switches:
• QoS ACLs, page 16-2
• Cisco IOS ACLs, page 16-3
• VACLs, page 16-3

QoS ACLs
You can configure QoS ACLs on the switch; see Chapter 41, “Configuring QoS.”


Cisco IOS ACLs


Cisco IOS ACLs are configured on the MSFC VLAN interfaces. An ACL provides access control and
consists of an ordered set of access control entries (ACEs). Many other features in Cisco IOS software
also use ACLs for specifying flows. For example, Web Cache Redirect (through the Web Cache
Coordination Protocol [WCCP]) uses ACLs to specify HTTP flows that can be redirected to a Web cache
engine.
Most Cisco IOS features are applied on interfaces for specific directions (inbound versus outbound).
However, some features use ACLs globally. For such features, ACLs are applied on all interfaces for a
given direction. As an example, TCP intercept uses a global ACL that is applied on all interfaces for
outbound direction.
One Cisco IOS ACL can be used with multiple features for a given interface, and one feature can use
multiple ACLs. When a single ACL is used by multiple features, Cisco IOS software examines it
multiple times.
Cisco IOS software examines ACLs that are associated with features that are configured on a given
interface and a direction. As packets enter the router on a given interface, Cisco IOS software examines
ACLs that are associated with all inbound features that are configured on that interface for the following:
• Inbound access control ACLs (standard, extended, and/or reflexive)
• Encryption ACLs (not supported on the MSFC)
• Policy routing ACLs
• Network Address Translation (NAT) for outside-to-inside translation
After packets are routed and before they are forwarded out to the next hop, Cisco IOS examines all ACLs
that are associated with the outbound features that are configured on the egress interface for the
following:
• Outbound access control ACLs (standard, extended, and/or reflexive)
• Encryption ACLs (not supported on the MSFC)
• NAT ACLs (for inside-to-outside translation)
• WCCP ACL
• TCP intercept ACL

VACLs
The following sections describe VACLs:
• VACL Overview, page 16-3
• ACEs Supported in VACLs, page 16-4
• Handling Fragmented and Unfragmented Traffic, page 16-5

VACL Overview
VACLs can access control all traffic. You can configure VACLs on the switch to apply to all packets
that are routed into or out of a VLAN or are bridged within a VLAN. VACLs are strictly for security
packet filtering and redirecting traffic to specific physical switch ports. Unlike Cisco IOS ACLs, VACLs
are not defined by direction (input or output).


You can configure VACLs on Layer 3 addresses for IP and IPX. All other protocols are access controlled
through MAC addresses and Ethertype using MAC VACLs.

Caution IP traffic and IPX traffic are not access controlled by MAC VACLs. All other traffic types
(AppleTalk, DECnet, and so on) are classified as MAC traffic and MAC VACLs are used to access
control this traffic.

You can enforce VACLs only on packets going through the Catalyst 6000 family switch; you cannot
enforce VACLs on traffic between hosts on a hub or another switch connected to the Catalyst 6000
family switch.

ACEs Supported in VACLs


A VACL contains an ordered list of access control entries (ACEs). Each VACL can contain ACEs of only
one type. Each ACE contains a number of fields that are matched against the contents of a packet. Each
field can have an associated bit mask to indicate which bits are relevant. An action is associated with
each ACE that describes what the system should do with the packet when a match occurs. The action is
feature dependent. Catalyst 6000 family switches support three types of ACEs in the hardware:
• IP ACEs
• IPX ACEs
• Ethernet ACEs
Table 16-1 lists the parameters associated with each ACE type.

Table 16-1 ACE Types and Parameters

ACE type        Layer 4 parameters          Layer 3 parameters        Layer 2 parameters
TCP or UDP (1)  Source port                 IP ToS byte
                Source port operator        IP source address
                Destination port            IP destination address
                Destination port operator   TCP or UDP
ICMP (1)        ICMP code                   IP ToS byte
                ICMP type                   IP source address
                                            IP destination address
                                            ICMP
Other IP (1)    N/A                         IP ToS byte
                                            IP source address
                                            IP destination address
                                            Other protocol
IPX             N/A                         IPX source network
                                            IPX destination network
                                            IPX destination node
                                            IPX packet type
Ethernet (2)                                                          Ethertype
                                                                      Ethernet source address
                                                                      Ethernet destination address

1. IP ACEs.
2. For Ethernet packets that are not IP version 4 or IPX.

Handling Fragmented and Unfragmented Traffic


TCP/UDP or any other Layer 4 protocol traffic, when fragmented, carries the Layer 4 information (Layer 4
source and destination ports) only in the first fragment. This situation makes it difficult to enforce
security based on the application. However, you can identify fragments and distinguish them from the
rest of the TCP/UDP traffic.
Layer 4 parameters of ACEs can filter unfragmented traffic and fragments that have offset 0. IP fragments
that have an offset other than 0 do not carry the Layer 4 port information and cannot be filtered on it;
as the examples below show, such noninitial fragments are permitted by default, so an ACL that relies on
port-based deny entries alone does not stop them. The following examples show how ACEs handle packet
fragmentation.
This example shows that if the traffic from 1.1.1.1 port 68 is fragmented, only the first fragment goes to
port 4/3, and the rest of the traffic from port 68 does not hit this entry.
redirect 4/3 tcp host 1.1.1.1 eq 68 host 255.255.255.255

This example shows that the traffic coming from 1.1.1.1 port 68 and going to 2.2.2.2 port 34 is permitted.
If packets are fragmented, the first fragment hits this entry and is permitted; fragments that have an offset
other than 0 are also permitted as a default result for fragments.
permit tcp host 1.1.1.1 eq 68 host 2.2.2.2 eq 34

This example shows that the fragment that has offset 0 of the traffic from 1.1.1.1 port 68 going to 2.2.2.2
port 34 is denied. The fragments that have an offset other than 0 are permitted as a default.
deny tcp host 1.1.1.1 eq 68 host 2.2.2.2 eq 34

In releases prior to software release 6.1(1), the fragment filtering was completely transparent; you would
type an ACE such as permit tcp .... port eq port_number and the software would implicitly install the
following ACE at the top of the ACL: permit tcp any any fragments.
In software release 6.1(1) and later releases, there is a fragment option. If you do not specify the
fragment keyword, the behavior is the same as in previous releases. If you specify the fragment
keyword, the system does not automatically install a global permit statement for fragments. This
keyword allows you to control how fragments are handled.


In this example, 10.1.1.2 is configured to serve HTTP connections. If you do not use a fragment ACE,
all the fragments for TCP traffic are permitted because the permit tcp any any fragments ACE is added
automatically at the top of the ACL:
permit tcp any any fragments (added automatically)
1. permit tcp any host 10.1.1.2 eq www
2. deny ip any host 10.1.1.2
3. permit ip any any
If you change entry 1 to a deny statement as follows:
1. deny tcp any host 10.1.1.2 eq www
no permit tcp any any fragments ACE is added at the top of the ACL. A noninitial fragment does not
match the deny statement, because the entry tests a port that the fragment does not carry, so the next
access-list entry is processed.

Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial
fragments.

When you specify the fragment keyword, the system does not install the global permit TCP or UDP
fragments statement. When you specify the fragment keyword for at least one ACE, the software
implicitly installs ACEs to permit flows to a specific IP address (or subnet) that you specify.
In this ACL example, the deny tcp any host 10.1.1.2 fragment entry stops fragmented traffic going to
all TCP ports on host 10.1.1.2. Later in the ACL, the permit udp any host 10.1.1.2 eq 69 entry allows
clients to connect to the TFTP server 10.1.1.2. The system automatically installs a permit for all
fragments of udp traffic to host 10.1.1.2 ACE; otherwise, fragments would be denied by the entry deny
ip any host 10.1.1.2.
1. deny tcp any host 10.1.1.2 fragment
2. permit tcp any host 10.1.1.2 eq www
3. permit udp any host 10.1.1.2 eq 69
4. permit udp any gt 1023 host 10.1.1.2 gt 1023
5. deny ip any host 10.1.1.2
6. permit ip any any
If you explicitly want to stop fragmented UDP traffic to host 10.1.1.2, enter deny udp any host 10.1.1.2
fragment before entry number 3 as shown in this example:
[...]
3. deny udp any host 10.1.1.2 fragment
4. permit udp any host 10.1.1.2 eq 69
5. permit udp any gt 1023 host 10.1.1.2 gt 1023
[...]
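As an added example written for this page (not Cisco software), the following Python model encodes the fragment rules this section describes: an ACE that names Layer 4 ports can match only unfragmented packets and initial fragments, an ACE with the fragment keyword matches only noninitial fragments, without the keyword the software prepends permit proto any any fragments for each protocol that a permit ACE matches on ports, and with the keyword it permits fragments to the specific host that a port-matching permit ACE names. The section does not say where that per-host permit is placed; the model assumes it sits immediately before the ACE that triggers it, which is consistent with the advice above to put an explicit deny udp any host 10.1.1.2 fragment before entry 3. The hosts 10.1.1.9 and 10.1.1.3 and the packets are constructed for the demonstration.

```python
"""Model of how the Catalyst 6000 evaluates ACEs against IP fragments, following the rules in
'Handling Fragmented and Unfragmented Traffic'. Added example, not Cisco code. ASSUMPTION: the
text does not say where the per-host fragment permit of 'fragment'-keyword mode goes; this
model puts it just before the ACE that triggers it."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")
PROTO = {"ip": None, "tcp": 6, "udp": 17}
PORT_NAMES = {"www": 80, "telnet": 23, "tftp": 69}
OPS = {"eq": int.__eq__, "gt": int.__gt__, "lt": int.__lt__}
Port = Optional[Tuple[str, int]]          # ('eq' | 'gt' | 'lt', number); None = no port test

@dataclass(frozen=True)
class Ace:
    action: str                           # permit | deny
    proto: Optional[int]                  # None means 'ip' (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Port = None
    dport: Port = None
    fragments: bool = False               # 'fragment' keyword: noninitial fragments only
    implicit: bool = False                # installed by the software, not typed by the admin

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None           # None: no Layer 4 header (noninitial fragment)
    dport: Optional[int] = None
    frag_offset: int = 0

def _addr(toks: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if toks[i] == "any":
        return ANY, i + 1
    if toks[i] == "host":
        return ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(toks[i], strict=False), i + 1      # a.b.c.d/len

def _port(toks: List[str], i: int) -> Tuple[Port, int]:
    if i < len(toks) and toks[i] in OPS:
        return (toks[i], PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])), i + 2
    return None, i

def parse_ace(text: str) -> Ace:
    toks = text.split()                   # e.g. 'permit udp any gt 1023 host 10.1.1.2 gt 1023'
    src, i = _addr(toks, 2)
    sport, i = _port(toks, i)
    dst, i = _addr(toks, i)
    dport, i = _port(toks, i)
    frag = i < len(toks) and toks[i] in ("fragment", "fragments")
    return Ace(toks[0], PROTO[toks[1]], src, dst, sport, dport, fragments=frag)

def compile_acl(lines: List[str]) -> List[Ace]:
    """Return the typed ACEs plus the ones the software installs on its own."""
    typed = [parse_ace(line) for line in lines]
    keyword_used = any(a.fragments for a in typed)
    out: List[Ace] = []
    for a in typed:
        if a.action == "permit" and (a.sport or a.dport) and a.proto is not None:
            if not keyword_used:          # 'permit <proto> any any fragments' at the top
                imp = Ace("permit", a.proto, ANY, ANY, fragments=True, implicit=True)
                if imp not in out:
                    out.insert(0, imp)
            elif a.dst != ANY:            # ASSUMPTION: per-host permit just before its trigger
                imp = Ace("permit", a.proto, ANY, a.dst, fragments=True, implicit=True)
                if imp not in out:
                    out.append(imp)
        out.append(a)
    return out

def _port_ok(spec: Port, port: Optional[int]) -> bool:
    return spec is None or (port is not None and OPS[spec[0]](port, spec[1]))

def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, Optional[Ace]]:
    """First matching ACE wins; no match means the implicit deny at the end of the ACL."""
    initial = p.frag_offset == 0
    src, dst = ipaddress.IPv4Address(p.src), ipaddress.IPv4Address(p.dst)
    for ace in acl:
        if (ace.proto is not None and ace.proto != p.proto) or src not in ace.src or dst not in ace.dst:
            continue
        if ace.fragments and initial:
            continue                      # keyword entries see noninitial fragments only
        if not ace.fragments and (ace.sport or ace.dport):
            if not initial:
                continue                  # no Layer 4 ports to compare: the entry is skipped
            if not (_port_ok(ace.sport, p.sport) and _port_ok(ace.dport, p.dport)):
                continue
        return ace.action, ace
    return "deny", None

ACL_NO_KEYWORD = ["permit tcp any host 10.1.1.2 eq www", "deny ip any host 10.1.1.2", "permit ip any any"]
ACL_KEYWORD = ["deny tcp any host 10.1.1.2 fragment", "permit tcp any host 10.1.1.2 eq www",
               "permit udp any host 10.1.1.2 eq 69", "permit udp any gt 1023 host 10.1.1.2 gt 1023",
               "deny ip any host 10.1.1.2", "permit ip any any"]
TCP_TAIL, UDP_TAIL = (Packet("10.1.1.9", "10.1.1.2", pr, frag_offset=185) for pr in (6, 17))  # constructed
HTTP_HEAD = Packet("10.1.1.9", "10.1.1.2", 6, 40000, 80)         # initial fragment or whole packet

if __name__ == "__main__":
    for p in (TCP_TAIL, UDP_TAIL, HTTP_HEAD):
        action, ace = evaluate(compile_acl(ACL_KEYWORD), p)
        print(p.proto, p.frag_offset, action, "(implicit ACE)" if ace and ace.implicit else "")
```

Run it against ACL_NO_KEYWORD with entry 1 changed to deny, and against ACL_KEYWORD with deny udp any host 10.1.1.2 fragment inserted before entry 3, to reproduce the two variations discussed above; the returned Ace tells you whether an implicitly installed entry or a typed one made the decision.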


Applying Cisco IOS ACLs and VACLs on VLANs


This section describes how to apply Cisco IOS ACLs and VACLs to the VLAN for bridged packets,
routed packets, and multicast packets.
These sections show how ACLs and VACLs are applied:
• Bridged Packets, page 16-7
• Routed Packets, page 16-7
• Multicast Packets, page 16-8

Bridged Packets
Figure 16-1 shows how an ACL is applied on bridged packets. For bridged packets, only the VACL on the
input VLAN is applied; Cisco IOS ACLs on the MSFC are not consulted because the packet is not routed.

Figure 16-1 Applying ACLs on Bridged Packets

[Figure: Host A (VLAN 10) sends a bridged packet through a Catalyst 6500 series switch with PFC to
Host B (VLAN 10); the VACL is applied to the bridged packet.]
Routed Packets
Figure 16-2 shows how ACLs are applied on routed/Layer 3-switched packets. For
routed/Layer 3-switched packets, the ACLs are applied in the following order:
1. VACL for input VLAN
2. Input Cisco IOS ACL
3. Output Cisco IOS ACL
4. VACL for output VLAN


Figure 16-2 Applying ACLs on Routed Packets

[Figure: Host A (VLAN 10) to Host B (VLAN 20) through a Catalyst 6500 series switch with MSFC. The
packet is bridged into VLAN 10 (VACL), enters the MSFC (input IOS ACL), is routed, leaves the MSFC
(output IOS ACL), and is bridged into VLAN 20 (VACL).]

Multicast Packets
Figure 16-3 shows how ACLs are applied on packets that need multicast expansion. For packets that
need multicast expansion, the ACLs are applied in the following order:
1. Packets that need multicast expansion:
a. VACL for input VLAN
b. Input Cisco IOS ACL
2. Packets after multicast expansion:
a. Output Cisco IOS ACL
b. VACL for output VLAN
3. Packets originating from router:
a. VACL for output VLAN


Figure 16-3 Applying ACLs on Multicast Packets

[Figure: Host A (VLAN 10) and Host C (VLAN 10), and Host B (VLAN 20) and Host D (VLAN 20), attached
to a Catalyst 6500 series switch with MSFC. The packet is bridged (VACL), passes the input IOS ACL,
is routed by the MSFC, passes the output IOS ACL, and is bridged (VACL; label in the figure reads
"Not supported on PFC2"). A separate path shows the IOS ACL for the output VLAN applied to packets
originating from the router.]

Using Cisco IOS ACLs in your Network


Note Configuring Cisco IOS ACLs on the Catalyst 6000 family switch routed-VLAN interfaces is the
same as configuring ACLs on other Cisco routers. To configure Cisco IOS ACLs, see the
“Unsupported Features” section on page 16-27 and the “VACL Configuration Guidelines” section on
page 16-28. In addition, refer to the Cisco IOS configuration guides and command reference
publication. For example, to configure ACLs for IP, refer to the “Configuring IP Services” chapter in
the Network Protocols Configuration Guide, Part 1.

When a feature is configured on the router to process traffic (such as NAT), the Cisco IOS ACL
associated with the feature determines the specific traffic that is bridged to the router instead of being
Layer 3 switched. The router then applies the feature and routes the packet normally. Note that there are
some exceptions to this process as described in the “Hardware and Software Handling of Cisco IOS
ACLs with PFC” section on page 16-10.

Note In systems with redundant MSFCs, the ACL configurations for Cisco IOS ACLs and VACLs must be
the same on both MSFCs.


Caution For PFC: By default, the MSFC sends Internet Control Message Protocol (ICMP) unreachables
when a packet is denied by an access group. These access-group denied packets are not dropped in
the hardware but are bridged to the MSFC so that the MSFC can generate the ICMP-unreachable
message. Because every denied packet then reaches the MSFC CPU, a flood of denied packets can drive
up MSFC CPU utilization. To drop access-group denied packets in the hardware, you must disable ICMP
unreachables using the no ip unreachables interface configuration command. Note that the
ip unreachables command is enabled by default.

For PFC2: If IP unreachables or IP redirect is enabled on an interface, the deny is performed in
hardware although a small number of packets are sent to the MSFC2 to generate the appropriate
ICMP-unreachable messages.

These sections describe hardware and software handling of ACLs with PFC and PFC2:
• Hardware and Software Handling of Cisco IOS ACLs with PFC, page 16-10
• Hardware and Software Handling of Cisco IOS ACLs with PFC2, page 16-12

Hardware and Software Handling of Cisco IOS ACLs with PFC


This section describes hardware and software handling of Cisco IOS ACLs with the PFC.

Note For information on Cisco IOS ACLs with PFC2, see the “Hardware and Software Handling of Cisco
IOS ACLs with PFC2” section on page 16-12.

ACL feature processing requires forwarding of some flows by the software. The forwarding rate for
software-forwarded flows is substantially less than for hardware-forwarded flows. Flows that require
logging as specified by the ACL are handled in the software without impacting non-log flow forwarding
in the hardware.

Note When you enter the show ip access-list command, the match count displayed does not account for
packets access controlled in the hardware.

Note IPX Cisco IOS ACLs with the source host node number specified cannot be enforced on the switch
in the hardware; the MSFC has to process the ACL in the software. This process significantly
degrades system performance.

These sections describe how different types of ACLs and traffic flows are handled by the hardware and
the software:
• Security Cisco IOS ACLs, page 16-11
• Reflexive ACLs, page 16-11
• TCP Intercept, page 16-11
• Policy Routing, page 16-12
• WCCP, page 16-12


• NAT, page 16-12


• Unicast RPF Check, page 16-12
• Bridge-Groups, page 16-12

Security Cisco IOS ACLs


IP and IPX security Cisco IOS ACLs are handled by the PFC as follows:
• The flows that match a “deny” statement in a security ACL are dropped by the hardware if
“ip unreachables” is disabled. The flows matching a “permit” statement are switched in the
hardware.
• Permit and deny actions of standard and extended ACLs (input and output) for security access
control are handled in the hardware.
• IP accounting for an ACL access violation on a given interface is supported by forwarding all denied
packets for that interface to the software, without impacting other flows.
• Dynamic (lock and key) ACL flows are supported in the hardware; however, idle timeout is not
supported.
• IPX standard input and output ACLs are supported in the hardware when the ACL parameters are
IPX source network, destination network, and/or destination node. If the ACL contains any other
parameters, it is handled in the software.
• IPX extended input and output ACLs are supported in the hardware when the ACL parameters are
IPX source network, destination network, destination node, and/or protocol type.
• ACL flows requiring logging are handled in the software without impacting non-log flow
forwarding in the hardware.

Reflexive ACLs
Up to 512 simultaneous reflexive sessions are supported in the hardware. Note that when reflexive
ACLs are applied, the flow mask is changed to VLAN-full flow.

TCP Intercept
The TCP intercept feature is implemented in software and protects TCP servers from TCP SYN-flooding
attacks, which are a type of denial-of-service attack. The TCP intercept feature helps prevent SYN-flooding
attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept
software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended
access list. The software establishes a connection with the client on behalf of the destination server, and
if successful, establishes the connection with the server on behalf of the client and binds the two
half-connections together transparently. This process ensures that connection attempts from unreachable
hosts never reach the server. The software continues to intercept and forward packets throughout the
duration of the connection.


Policy Routing
Policy routing-required flows are handled in the software without impacting non-policy routed flow
forwarding in the hardware. When a route map contains multiple “match” clauses, all conditions
imposed by these match clauses must be met before a packet is policy routed. However, for route maps
containing both “match ip address” and “match length,” all traffic matching the ACL in the “match ip
address” clause is forwarded to the software regardless of the match length criteria. For route maps that
only contain match length clauses, all packets received on the interface are forwarded to the software.
When you enable hardware policy routing using the mls ip pbr global command, all policy routing
occurs in the hardware.

Caution If you use the mls ip pbr command to enable policy routing, policy routing is applied in the hardware
for all interfaces regardless of which interface was configured for policy routing.

WCCP
HTTP requests subject to Web Cache Coordination Protocol (WCCP) redirection are handled in the
software; HTTP replies from the server and the Cache Engine are handled in the hardware.

NAT
NAT-required flows are handled in the software without impacting non-NAT flow forwarding in the
hardware.

Unicast RPF Check


The unicast RPF feature is supported in hardware on the PFC. For ACL-based RPF checks, traffic denied
by the unicast RPF ACL is forwarded to the MSFC for RPF validation.

Caution With ACL-based unicast RPF, packets denied by the ACL are sent to the CPU for RPF validation. In the
event of DoS attacks, these packets will most likely match the deny ACE and be forwarded to the CPU.
Under heavy traffic conditions, this could cause high CPU utilization.

Note Drop-suppress statistics for ACL-based RPF checks are not supported.

Bridge-Groups
Cisco IOS bridge-group ACLs are handled in the software.

Hardware and Software Handling of Cisco IOS ACLs with PFC2


This section describes hardware and software handling of Cisco IOS ACLs with the PFC2.

ACL feature processing requires forwarding some flows to the software. The forwarding rate for
software-forwarded flows is substantially less than for hardware-forwarded flows. Flows that require
logging, as specified by the ACL, are handled in the software without impacting non-log flow forwarding
in the hardware.

Note When you enter the show ip access-list command, the match count displayed does not account for
packets access controlled in the hardware.

Note IPX Cisco IOS ACLs with the source host node number specified cannot be enforced on the switch
in the hardware; the MSFC has to process the ACL in the software. This process significantly
degrades system performance.

These sections describe how different types of ACLs and traffic flows are handled by the hardware and
the software in systems with PFC2:
• Security Cisco IOS ACLs, page 16-13
• Reflexive ACLs, page 16-14
• TCP Intercept, page 16-14
• Policy Routing, page 16-14
• WCCP, page 16-14
• NAT, page 16-15
• Unicast RPF Check, page 16-15
• Bridge-Groups, page 16-15

Security Cisco IOS ACLs


IP and IPX security Cisco IOS ACLs are handled with the PFC2 as follows:
• If either the “ip unreachables” or “ip redirect” option is enabled, most of the packets of the flows
that match a “deny” statement in an ACL are dropped by the hardware; only a few packets are
processed in software so that the router can send the appropriate ICMP-unreachable message.
• Permit and deny actions of standard and extended ACLs (input and output) for security access
control are handled in the hardware.
• IP accounting for an ACL access violation on a given interface is supported by forwarding all denied
packets for that interface to the software, without impacting other flows.
• Dynamic (lock and key) ACL flows are supported in the hardware; however, idle timeout is not
supported.
• IPX standard input and output ACLs are supported in the hardware when the ACL parameters are
IPX source network, destination network, and/or destination node. If the ACL contains any other
parameters, it is handled in the software.
• IPX extended input and output ACLs are supported in the hardware when the ACL parameters are
IPX source network, destination network, destination node, and/or protocol type.
• ACL flows requiring logging are handled in the software without impacting non-log flow
forwarding in the hardware.

Reflexive ACLs
ICMP packets are handled in the software. For TCP/UDP flows, once the flow is established, they are
handled in hardware. Note that when reflexive ACLs are applied, the flow mask is changed to VLAN-full
flow.

TCP Intercept
The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks,
which are a type of denial-of-service attack. The TCP intercept feature helps prevent SYN-flooding
attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept
software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended
access list. The software establishes a connection with the client on behalf of the destination server, and
if successful, establishes the connection with the server on behalf of the client and binds the two
half-connections together transparently. This process ensures that connection attempts from unreachable
hosts never reach the server. The software continues to intercept and forward packets throughout the
duration of the connection.
The hardware support for TCP intercept on a PFC2 is as follows:
1. Once the TCP intercept feature has been configured, all TCP SYN packets matching the ACEs with
a permit clause in the TCP intercept ACL and which are permitted by the security ACL are sent to
the software to apply the TCP intercept functionality. This process occurs even if the security ACL
does not have the SYN flag specified.
2. If a connection is established successfully, the following applies:
a. If the TCP intercept is using intercept mode with timeout, all traffic belonging to the given
connection/flow is handled in the software.
b. For other modes of TCP intercept, once the connection is successfully established, the software
installs a hardware shortcut to switch the rest of the flow in the hardware.
3. If a connection is not established successfully, there cannot be any other traffic belonging to that
flow.

Policy Routing
Policy routing-required flows are handled in hardware or software depending on the route map. If the
route map contains only a “match ip address” and the “set” clause contains the “next hop” and the next
hop is reachable, then the packet is forwarded in hardware. When a route map contains multiple “match”
clauses, all conditions imposed by these match clauses must be met before a packet is policy routed.
However, for route maps containing both a match ip address and match length, all traffic matching the
ACL in the match ip address clause is forwarded to the software regardless of the match length criteria.
For route maps that only contain match length clauses, all packets received on the interface are
forwarded to the software.

Note The mls ip pbr command is not required (and not supported) on PFC2.

WCCP
HTTP requests subject to WCCP redirection are handled in the software; HTTP replies from the server
and the Cache Engine are handled in the hardware.

NAT
NAT-required flows are handled in the software without impacting non-NAT flow forwarding in the
hardware.

Unicast RPF Check


The unicast RPF feature is supported in hardware on the PFC2. For ACL-based RPF checks, traffic
denied by the unicast RPF ACL is forwarded to the MSFC2 for RPF validation.

Caution With ACL-based unicast RPF, packets denied by the ACL are sent to the CPU for RPF validation. In the
event of DoS attacks, these packets will most likely match the deny ACE and be forwarded to the CPU.
Under heavy traffic conditions, this could cause high CPU utilization.

Note Drop-suppress statistics for ACL-based RPF checks are not supported.

Bridge-Groups
Cisco IOS bridge-group ACLs are handled in the software.

Using VACLs with Cisco IOS ACLs


To access control both bridged and routed traffic, you can use VACLs only or a combination of
Cisco IOS ACLs and VACLs. You can define Cisco IOS ACLs on both input and output routed-VLAN
interfaces, and you can define a VACL to access control the bridged traffic.
If a flow matches a VACL deny or redirect clause in the ACL, irrespective of the IOS ACL
configuration, the flow is denied or redirected. The following caveats apply to IOS ACLs when used
with VACLs:
• Packets that require logging on the outbound ACLs are not logged if they are denied by a VACL.
• NAT—VACLs are applied on packets before NAT translation. Note that if the translated flow
should not be access controlled, the flow might get access controlled after the translation because
of the VACL configuration.

Note VACLs have an implicit deny at the end of the list; a packet is denied if it does not match any VACL
ACE.

These sections describe Cisco IOS ACL and VACL configuration guidelines and guidelines for Layer 4
operations:
• Guidelines for Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface, page 16-16
• Guidelines for Using Layer 4 Operations, page 16-20

Guidelines for Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface
Follow these guidelines when you need to configure a Cisco IOS ACL and a VACL on the same VLAN.
These guidelines do not apply to configurations where you are mapping Cisco IOS ACLs and VACLs on
different VLANs.
The Catalyst 6000 family switch hardware provides one lookup for security ACLs for each direction
(input and output); you must merge a Cisco IOS ACL and a VACL when they are configured on the same
VLAN. Merging the Cisco IOS ACL with the VACL might significantly increase the number of ACEs.
If you must configure a Cisco IOS ACL and a VACL on the same VLAN, use the following guidelines
for both Cisco IOS ACL and VACL configuration.

Note To display the percentage of ACL storage being used, enter the show security acl resource-usage
command.

These sections provide Cisco IOS ACL and VACL configuration guidelines and examples:
• Using the Implicit Deny Action, page 16-16
• Grouping Actions Together, page 16-16
• Limiting the Number of Actions, page 16-16
• Avoiding Layer 4 Port Information, page 16-17
• Estimating Merge Results, page 16-17
• Examples, page 16-17

Using the Implicit Deny Action


If possible, use the implicit deny action at the end of an ACL (deny any any) and define ACEs to permit
only allowed traffic. You can achieve this same effect by defining all the deny entries, and at the end of
the list specifying permit ip any any (see Example 1, page 16-17).

Grouping Actions Together


To define multiple actions in an ACL (permit, deny, redirect), group each action type together.
Example 3, page 16-18 shows what can happen when you do not group each type together. In the
example, the deny action in line 6 was grouped with permit actions. If this deny action is removed, the
result of merging would be 53 entries, instead of 329.

Limiting the Number of Actions


An ACL with only permit ACEs has two actions: permit and deny (because of the implicit deny at the
end of the list). An ACL with permit and redirect has three actions: permit, redirect, and deny (because
of the implicit deny at the end of the list).
When configuring an ACL, the best merge results are obtained when you specify only two different
actions: permit and deny, redirect and permit, or redirect and deny.

To specify a redirect and deny ACL, do not use any permit ACEs. To specify a redirect and permit ACL,
use permit ACEs, redirect ACEs, and for the last ACE, specify permit ip any any. If you specify permit
ip any any, you will override the implicit deny ip any at the end of the list (see Example 4, page 16-18).

Avoiding Layer 4 Port Information


Avoid including Layer 4 information in an ACL; adding this information will complicate the merging
process. You will obtain the best merge results if the ACLs are filtered based on IP addresses (source
and destination) and not on the full flow (source IP address, destination IP address, protocol, and
protocol ports).
If you need to specify the full flow, see the recommendations in the “Using the Implicit Deny Action”
section on page 16-16, “Grouping Actions Together” section on page 16-16, and Example 6, page 16-19.
If you cannot follow the recommendations because the ACL has both IP and TCP/UDP/ICMP ACEs with
Layer 4 information, put the Layer 4 ACEs at the end of the list to prioritize the traffic filtering based on
IP addresses.

Estimating Merge Results


If you follow the ACL guidelines when configuring ACLs, you can get a rough estimate of the merge
results for ACLs.
The following example uses ACL A, ACL B, and ACL C. If ACL C is the result of merging ACL A and
ACL B, and you know the size of ACL A and ACL B, you can estimate the upper limit of the size of
ACL C when no Layer 4 port information has been specified on ACL A and ACL B, as follows:
size of ACL C = (size of ACL A) x (size of ACL B) x (2)
If Layer 4 port information was specified, the upper limit could be higher.

Examples
These examples show the merge results for various Cisco IOS ACL and VACL configurations. Note that
in these examples, one VACL and one Cisco IOS ACL are configured on the same VLAN.

Example 1
This example shows that the VACL does not follow the recommended guidelines (see line 9) and the
resultant merge increases the number of ACEs:
******** VACL ***********
1 permit udp host 194.72.72.33 194.72.6.160 0.0.0.15
2 permit udp host 147.150.213.94 194.72.6.64 0.0.0.15 eq bootps
3 permit udp 194.73.74.0 0.0.0.255 host 194.72.6.205 eq syslog
4 permit udp host 167.221.23.1 host 194.72.6.198 eq tacacs
5 permit udp 194.72.136.1 0.0.3.128 194.72.6.64 0.0.0.15 eq tftp
6 permit udp host 193.6.65.17 host 194.72.6.205 gt 1023
7 permit tcp any host 194.72.6.52
8 permit tcp any host 194.72.6.52 eq 113
9 deny tcp any host 194.72.6.51 eq ftp
10 permit tcp any host 194.72.6.51 eq ftp-data
11 permit tcp any host 194.72.6.51
12 permit tcp any eq domain host 194.72.6.51
13 permit tcp any host 194.72.6.51 gt 1023
14 permit ip any host 1.1.1.1

******** IOS ACL ************
1 deny ip any host 239.255.255.255
2 permit ip any any
******** MERGE **********
has 91 entries

Example 2
In Example 1, if you follow the guidelines and remove line 9 and modify lines 11 and 12, you get the
following equivalent ACL with improved merge results (note that a deny ACE is not specified):
******** VACL **********
1 permit udp host 194.72.72.33 194.72.6.160 0.0.0.15
2 permit udp host 147.150.213.94 194.72.6.64 0.0.0.15 eq bootps
3 permit udp 194.73.74.0 0.0.0.255 host 194.72.6.205 eq syslog
4 permit udp host 167.221.23.1 host 194.72.6.198 eq tacacs
5 permit udp 194.72.136.1 0.0.3.128 194.72.6.64 0.0.0.15 eq tftp
6 permit udp host 193.6.65.17 host 194.72.6.205 gt 1023
7 permit tcp any host 194.72.6.52
8 permit tcp any host 194.72.6.52 eq 113
9 permit tcp any host 194.72.6.51 eq ftp-data
10 permit tcp any host 194.72.6.51 neq ftp
11 permit tcp any eq domain host 194.72.6.51 neq ftp
12 permit tcp any host 194.72.6.51 gt 1023
13 permit ip any host 1.1.1.1
******** IOS ACL ************
1 deny ip any host 239.255.255.255
2 permit ip any any
******** MERGE ***********
has 78 entries

Example 3
This example shows the VACL does not follow the recommended guidelines, and the resultant merge
significantly increases the number of ACEs:
******** VACL ***********
1 deny ip 0.0.0.0 255.255.255.0 any
2 deny ip 0.0.0.255 255.255.255.0 any
3 deny ip any 0.0.0.0 255.255.255.0
4 permit ip any host 239.255.255.255
5 permit ip any host 255.255.255.255
6 deny ip any 0.0.0.255 255.255.255.0
7 permit tcp any range 0 65534 any range 0 65534
8 permit udp any range 0 65534 any range 0 65534
9 permit icmp any any
10 permit ip any any
******** IOS ACL **********
1 deny ip any host 239.255.255.255
2 permit ip any any
******** MERGE **********
has 329 entries

Example 4
This example shows that the VACL does not follow the recommended guidelines (three different actions
are specified), and the resultant merge significantly increases the number of ACEs:
******** VACL ***********
1 redirect 4/25 tcp host 192.168.1.67 host 255.255.255.255
2 redirect 4/25 udp host 192.168.1.67 host 255.255.255.255
3 deny tcp any any lt 30
4 deny udp any any lt 30
5 permit ip any any

******* IOS ACL ***********
1 deny ip any host 239.255.255.255
2 permit ip any any
******* MERGE **********
has 142 entries

Example 5
This example shows the VACL has two different actions specified and the merge results are significantly
improved:
******** VACL ***********
1 redirect 4/25 tcp host 192.168.1.67 host 255.255.255.255
2 redirect 4/25 udp host 192.168.1.67 host 255.255.255.255
3 permit ip any any
******* IOS ACL ***********
1 deny ip any host 239.255.255.255
2 permit ip any any
******* MERGE **********
has 4 entries

Example 6
This example shows that applying the merging guidelines to a large Cisco IOS ACL (no Layer 4 port
information is specified on the Cisco IOS ACL) produces a merge result of 801 entries:
******** VACL **********
1 redirect 4/25 tcp host 192.168.1.67 255.255.255.255 0.0.0.0
2 redirect 4/25 udp host 192.168.1.67 255.255.255.255 0.0.0.0
3 redirect 4/25 icmp host 192.168.1.67 host 255.255.255.255
4 redirect 4/25 ip host 192.168.1.67 host 255.255.255.255
5 deny tcp any any lt 30
6 deny udp any any lt 30
7 permit ip any any
******** IOS ACL ***********
1 permit ip 147.150.213.64 0.0.0.31 194.72.6.64 0.0.0.15
2 permit ip 147.150.213.64 0.0.0.31 194.72.6.160 0.0.0.15
3 permit ip 147.150.213.64 0.0.0.31 host 194.72.6.205
4 permit ip 147.151.77.0 0.0.0.255 194.72.6.64 0.0.0.15
5 permit ip 147.151.77.0 0.0.0.255 194.72.6.160 0.0.0.15
6 permit ip 147.151.77.0 0.0.0.255 194.72.6.208 0.0.0.15
7 permit ip 147.151.77.0 0.0.0.255 host 194.72.6.205
8 permit ip host 193.37.169.121 194.72.6.64 0.0.0.15
[...] total 62 entries without L4 information
******** MERGE **********
has 801 ACEs

Example 7
This example shows that the same Cisco IOS ACL that was used in Example 6 is merged with a VACL
with Layer 4 port information. Following the guidelines in the “Using the Implicit Deny Action” section
on page 16-16, the merge results are good.
******** VACL *********
1 permit tcp host 193.131.248.24 194.73.73.0 0.0.0.15 gt 1023
2 permit tcp host 158.43.128.8 194.72.6.224 0.0.0.7 gt 1023
3 permit udp any 194.72.6.224 0.0.0.7 eq time
4 permit udp any 194.73.73.0 0.0.0.15 eq time
5 permit udp 194.72.7.128 0.0.0.7 194.72.6.224 0.0.0.7 eq 1645
6 permit udp 194.72.7.128 0.0.0.7 194.73.73.0 0.0.0.15 eq 1645
7 permit udp host 158.152.1.65 194.72.6.224 0.0.0.7 gt 1023
8 permit udp host 158.152.1.65 194.73.73.0 0.0.0.15 gt 1023
[...] total 168 entries

******** IOS ACL *********
1 permit ip 147.150.213.64 0.0.0.31 194.72.6.64 0.0.0.15
2 permit ip 147.150.213.64 0.0.0.31 194.72.6.160 0.0.0.15
3 permit ip 147.150.213.64 0.0.0.31 host 194.72.6.205
4 permit ip 147.151.77.0 0.0.0.255 194.72.6.64 0.0.0.15
5 permit ip 147.151.77.0 0.0.0.255 194.72.6.160 0.0.0.15
6 permit ip 147.151.77.0 0.0.0.255 194.72.6.208 0.0.0.15
7 permit ip 147.151.77.0 0.0.0.255 host 194.72.6.205
8 permit ip host 193.37.169.121 194.72.6.64 0.0.0.15
[...] total 62 entries without L4 information
******* MERGE ********
has 1259 ACEs.

Guidelines for Using Layer 4 Operations


Follow these guidelines for configurations where you need to specify Layer 4 port operations.
These sections provide guidelines for specifying Layer 4 port operations:
• Determining Layer 4 Operation Usage, page 16-20
• Determining Logical Operation Unit Usage, page 16-21

Determining Layer 4 Operation Usage


The switch hardware allows you to specify these types of operations:
• gt (greater than)
• lt (less than)
• neq (not equal)
• eq (equal)
• range (inclusive range)
We recommend that you do not specify more than nine different operations on the same ACL. If you
exceed this number, each new operation might cause the affected ACE to be translated into more than
one ACE.

Note If you have a Cisco IOS ACL and a VACL on the same VLAN interface, the recommended total
number of Layer 4 operations is still nine or less.

Use the following two guidelines to determine Layer 4 operation usage:
1. Layer 4 operations are considered different if the operator or the operand differ. For example, in this
ACL there are four different Layer 4 operations (“gt 10” and “gt 11” are considered two different
Layer 4 operations):
... gt 10 permit
... lt 9 deny
... gt 11 deny
... neq 6 redirect

Note There is no limit to the use of “eq” operators because the “eq” operator does not use a logical operation
unit (LOU) or a Layer 4 operation bit. See the “Determining Logical Operation Unit Usage” section on
page 16-21 for a description of LOUs.

2. Layer 4 operations are considered different if the same operator/operand couple applies once to a
source port and once to a destination port. For example, in this ACL there are two different Layer 4
operations because one ACE applies to the source port and one applies to the destination port.
... Src gt 10 ...
... Dst gt 10

Note Check the ACL Layer 4 port operations resource usage using the show security acl resource-usage
command.

Determining Logical Operation Unit Usage


LOUs are registers that store operator/operand couples. All ACLs use LOUs. There can be up to
32 LOUs; each LOU can store two different operator/operand couples with the exception of the range
operator. LOU usage per Layer 4 operation is as follows:
• gt uses 1/2 LOU
• lt uses 1/2 LOU
• neq uses 1/2 LOU
• range uses 1 LOU
• eq does not require a LOU
For example, this ACL would use a single LOU to store two different operator/operand couples:
... Src gt 10 ...
... Dst gt 10

A more detailed example follows:


ACL1
... (dst port) gt 10 permit
... (dst port) lt 9 deny
... (dst port) gt 11 deny
... (dst port) neq 6 redirect
... (src port) neq 6 redirect
... (dst port) gt 10 deny

ACL2
... (dst port) gt 20 deny
... (src port) lt 9 deny
... (src port) range 11 13 permit
... (dst port) neq 6 redirect

The Layer 4 operations and LOU usage are as follows:


• ACL1 Layer 4 operations: 5
• ACL2 Layer 4 operations: 4
• LOUs: 4

An explanation of the LOU usage follows:


• LOU 1 stores “gt 10” and “lt 9”
• LOU 2 stores “gt 11” and “neq 6”
• LOU 3 stores “gt 20” (with space for one more)
• LOU 4 stores “range 11 13” (range needs the entire LOU)
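As an added example (not from the guide), the following Python applies the two Layer 4 operation rules from the “Determining Layer 4 Operation Usage” section and the per-operation LOU costs above to the guide's ACL1 and ACL2, reproducing the counts of 5 and 4 operations and 4 LOUs, and flags an ACL that exceeds the recommended nine operations. The packing model, in which one stored operator/operand couple serves both the source and destination port and both ACLs, follows the LOU walkthrough above and is an assumption about how the hardware shares couples.

```python
"""Estimate Layer 4 operation and LOU usage for Catalyst 6000 family ACLs.

Added example, not from the Cisco guide. Counting rules are the guide's:
an operation is distinct if operator, operand, or the port it applies to
(source vs. destination) differs; eq uses nothing; gt, lt and neq each take
half a LOU; range takes a whole LOU. LOU packing follows the guide's
ACL1/ACL2 walkthrough, where one stored couple serves both directions and
both ACLs (assumed here as the sharing model).
"""

HALF_LOU_OPS = {"gt", "lt", "neq"}
FULL_LOU_OPS = {"range"}
FREE_OPS = {"eq"}
MAX_RECOMMENDED_OPS = 9   # guide: no more than nine different operations per ACL
MAX_LOUS = 32             # guide: the hardware has up to 32 LOUs

# ACEs as (port_role, operator, operand, action); the operand is kept as a
# string so "range 11 13" and "gt 10" are handled uniformly. These are the
# guide's ACL1 and ACL2.
ACL1 = [
    ("dst", "gt", "10", "permit"),
    ("dst", "lt", "9", "deny"),
    ("dst", "gt", "11", "deny"),
    ("dst", "neq", "6", "redirect"),
    ("src", "neq", "6", "redirect"),
    ("dst", "gt", "10", "deny"),
]
ACL2 = [
    ("dst", "gt", "20", "deny"),
    ("src", "lt", "9", "deny"),
    ("src", "range", "11 13", "permit"),
    ("dst", "neq", "6", "redirect"),
]


def layer4_operations(acl):
    """Distinct Layer 4 operations of one ACL, in first-seen order.

    Rule 1: a different operator or operand is a different operation.
    Rule 2: the same couple on the source port and on the destination port
    counts twice. eq never counts: it uses neither a LOU nor an operation bit.
    """
    seen = dict.fromkeys((role, op, val) for role, op, val, _ in acl if op not in FREE_OPS)
    return list(seen)


def pack_lous(*acls):
    """Pack operator/operand couples into LOUs and return the LOU table.

    Couples are deduplicated across directions and ACLs. Non-range couples
    are paired two per LOU; each range couple occupies a LOU on its own.
    """
    couples = dict.fromkeys((op, val) for acl in acls for _, op, val, _ in acl
                            if op not in FREE_OPS)
    halves = [c for c in couples if c[0] in HALF_LOU_OPS]
    fulls = [c for c in couples if c[0] in FULL_LOU_OPS]
    lous = [halves[i:i + 2] for i in range(0, len(halves), 2)]
    lous.extend([c] for c in fulls)
    return lous


def resource_report(*acls):
    """Summarise per-ACL operation counts, LOU usage and guideline violations."""
    per_acl = [len(layer4_operations(acl)) for acl in acls]
    lous = pack_lous(*acls)
    warnings = [f"ACL{i + 1}: {n} Layer 4 operations exceed the recommended {MAX_RECOMMENDED_OPS}"
                for i, n in enumerate(per_acl) if n > MAX_RECOMMENDED_OPS]
    if len(lous) > MAX_LOUS:
        warnings.append(f"{len(lous)} LOUs needed but only {MAX_LOUS} exist")
    return {"operations": per_acl, "lous": len(lous), "table": lous, "warnings": warnings}


if __name__ == "__main__":
    report = resource_report(ACL1, ACL2)
    for i, n in enumerate(report["operations"], 1):
        print(f"ACL{i} Layer 4 operations: {n}")
    print(f"LOUs: {report['lous']}")
    for i, lou in enumerate(report["table"], 1):
        print(f"  LOU {i} stores " + " and ".join(f"{op} {val}" for op, val in lou))
    for warning in report["warnings"]:
        print("WARNING:", warning)
```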

Using VACLs in your Network


This section describes some typical uses for VACLs and includes the following:
• Wiring Closet Configuration, page 16-22
• Redirecting Broadcast Traffic to a Specific Server Port, page 16-23
• Restricting the DHCP Response for a Specific Server, page 16-24
• Denying Access to a Server on Another VLAN, page 16-25
• Restricting ARP Traffic, page 16-26
• Configuring ACLs on Private VLANs, page 16-26
• Capturing Traffic Flows, page 16-27

Wiring Closet Configuration


In a wiring closet configuration, Catalyst 6000 family switches might not be equipped with MSFCs
(routers). In this configuration, the switch can still support a VACL and a QoS ACL. Suppose Host X
and Host Y are in different VLANs and are connected to wiring closet Switch A and Switch C
(see Figure 16-4). Traffic from Host X to Host Y is eventually routed by the switch equipped with
the MSFC. Traffic from Host X to Host Y can be access controlled at the traffic entry point, Switch A.
If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VACL on
Switch A. All HTTP traffic from Host X to Host Y would be dropped at Switch A and not be bridged to
the switch with the MSFC.

Figure 16-4 Wiring Closet Configuration (figure not reproduced: Switch A and Switch C with PFC only are
connected to a Catalyst 6500 series switch with MSFC; Host X is in VLAN 1 and Host Y in VLAN 2; the VACL on
Switch A denies http from X to Y, so http packets are dropped at the entry point)

Redirecting Broadcast Traffic to a Specific Server Port


Some application traffic uses broadcast packets that reach every host in a VLAN. With VACLs, you can
redirect these broadcast packets to the intended application server port.
Figure 16-5 shows an application broadcast packet from Host A being redirected to the target application
server port and preventing other ports from receiving the packet.
To redirect broadcast traffic to a specific server port, perform this task in privileged mode (TCP
port 5000 is the intended server application port):

Task                                      Command
Step 1  Redirect the broadcast packets.   set security acl ip SERVER redirect 4/1 tcp any host 255.255.255.255 eq 5000
Step 2  Permit all other traffic.         set security acl ip SERVER permit ip any any
Step 3  Commit the VACL.                  commit security acl SERVER
Step 4  Map the VACL to VLAN 10.          set security acl map SERVER 10

Note You could apply the same concept to direct broadcast traffic to a multicast destination by redirecting
the traffic to a group of ports (see Figure 16-5).

Figure 16-5 Redirecting Broadcast Traffic to a Specific Server Port (figure not reproduced: Host A, Host B and
Host C are in VLAN 10 on a Catalyst 6500 series switch with PFC; the VACL redirects the application broadcast
packet from Host A to the target server on port 4/1)

Restricting the DHCP Response for a Specific Server


When Dynamic Host Configuration Protocol (DHCP) requests are broadcast, they reach every DHCP
server in the VLAN and multiple responses are returned. With VACLs, you can restrict the response
from a specific DHCP server and drop the other responses.
To restrict DHCP responses for a specific server, perform this task in privileged mode (the target DHCP
server IP address is 1.2.3.4):

Task                                                Command
Step 1  Permit a DHCP response from host 1.2.3.4.   set security acl ip SERVER permit udp host 1.2.3.4 any eq 68
Step 2  Deny DHCP responses from any other host.    set security acl ip SERVER deny udp any any eq 68
Step 3  Permit other IP traffic.                    set security acl ip SERVER permit any
Step 4  Commit the VACL.                            commit security acl SERVER
Step 5  Map the VACL to VLAN 10.                    set security acl map SERVER 10

Figure 16-6 shows that only the target server returns a DHCP response from the DHCP request.

Figure 16-6 Redirect DHCP Response for a Specific Server (figure not reproduced: Host A, Host B and Host C are
in VLAN 10 on a Catalyst 6500 series switch with PFC; only the DHCP response packets from the target server
1.2.3.4 pass the VACL)

Denying Access to a Server on Another VLAN


You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs
to have access restricted as follows (see Figure 16-7):
• Hosts in subnet 10.1.2.0/24 in VLAN 20 should not have access.
• Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.
To deny access to a server on another VLAN, perform this task in privileged mode:

Task                                                  Command
Step 1  Deny traffic from hosts in subnet 10.1.2.0/8. set security acl ip SERVER deny ip 10.1.2.0 0.0.0.255 host 10.1.1.100
Step 2  Deny traffic from host 10.1.1.4.              set security acl ip SERVER deny ip host 10.1.1.4 host 10.1.1.100
Step 3  Deny traffic from host 10.1.1.8.              set security acl ip SERVER deny ip host 10.1.1.8 host 10.1.1.100
Step 4  Permit other IP traffic.                      set security acl ip SERVER permit ip any any
Step 5  Commit the VACL.                              commit security acl SERVER
Step 6  Map the VACL to VLAN 10.                      set security acl map SERVER 10

Figure 16-7 Deny Access to a Server on Another VLAN (figure not reproduced: server 10.1.1.100 and hosts 10.1.1.4
and 10.1.1.8 in VLAN 10, and a host in subnet 10.1.2.0/24 in VLAN 20, on a Catalyst 6500 series switch with
PFC; the VACL denies those hosts access to the server)

Restricting ARP Traffic

Note This feature is only available with Supervisor Engine 2 with PFC2.

ARP traffic is permitted on each VLAN by default. You can disallow ARP traffic on a per VLAN basis
using the set security acl ip acl_name deny arp command. When you enter this command, ARP traffic
is disallowed on the VLAN that the ACL is mapped to. To allow ARP traffic on a VLAN that has had
ARP traffic disallowed, enter the set security acl ip acl_name permit arp command.

Configuring ACLs on Private VLANs


Private VLANs allow you to split a primary VLAN into sub-VLANs (secondary VLANs) that can be
either community VLANs or isolated VLANs. In releases prior to software release 6.1(1), you could
configure ACLs on a primary VLAN only and the ACL would then be applied to all the secondary
VLANs. In software release 6.1(1) and later releases, ACLs can be applied as follows:
• You can map VACLs to secondary VLANs or primary VLANs.
• Cisco IOS ACLs that are mapped to a primary VLAN get mapped to the associated secondary
VLANs.
• You cannot map Cisco IOS ACLs to secondary VLANs.
• You cannot map dynamic ACEs to a private VLAN.
• You can map QoS ACLs to secondary VLANs or primary VLANs.
If you map a VACL to a primary VLAN, it filters the traffic from the router to the host and if you map
a VACL to a secondary VLAN, it filters the traffic from the host to the router.

Note With software releases 6.2(1) and later, you can use two-way community VLANs to perform an
inverse mapping from the primary VLAN to the secondary VLAN when the traffic crosses the
boundary of a private VLAN through a promiscuous port. Both outbound and inbound traffic can be
carried on the same VLAN allowing VLAN-based VACLs to be applied in both directions on a
per-community (per customer) basis.

Note For additional information on private VLANs, see the “Configuring Private VLANs” section on
page 11-13.

Capturing Traffic Flows


See the “Capturing Traffic Flows on Specified Ports” section on page 16-38 for complete configuration
details.

Unsupported Features
This section lists ACL-related features that are not supported or have limited support on the
Catalyst 6000 family switches.
• Non-IP version 4/non-IPX Cisco IOS ACLs—The following types of Cisco IOS security ACLs
cannot be enforced on the switch in the hardware; the MSFC has to process the ACL in the software
and this significantly degrades system performance:
– Bridge-group ACLs
– IP accounting
– Inbound and outbound rate limiting
– Standard IPX with source node number
– IPX extended access lists that specify a source node number or socket numbers are not enforced
in the hardware
– Standard XNS access list
– Extended XNS access list
– DECnet access list
– Extended MAC address access list
– Protocol type-code access list
• IP packets with a header length of less than five will not be access controlled.
• Non full-flow IPX VACL—IPX VACL is based on a flow specified by a source/destination network
number, packet type, and destination node number only. The source node number and socket number
are not supported when specifying the IPX flow.

Configuring VACLs
This section describes how to configure VACLs. Prior to performing any configuration tasks, see the
“VACL Configuration Guidelines” section on page 16-28.
These sections provide guidelines and a summary for configuring VACLs:
• VACL Configuration Guidelines, page 16-28
• VACL Configuration Summary, page 16-29

VACL Configuration Guidelines

Follow these guidelines when configuring VACLs:

Caution All changes to ACLs are stored temporarily in an edit buffer. You must enter the commit command
to commit all ACEs to NVRAM. Committed ACLs with no ACEs are deleted. We recommend that
you enter ACEs in batches and enter the commit command to save all of them to NVRAM.

Note You can configure Cisco IOS ACLs and VACLs from Flash memory instead of NVRAM. See the
“Configuring and Storing VACLs and QoS ACLs in Flash Memory” section on page 16-42 for
detailed information.

• See the “Guidelines for Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface”
section on page 16-16.
• See the “Using VACLs in your Network” section on page 16-22 for configuration examples.
• See the “Unsupported Features” section on page 16-27.
• Note that a VACL has to be committed before you can map it to a VLAN. There are no default
VACLs and no default VACL-to-VLAN mappings.
• Note that if there is no Cisco IOS ACL configured to deny traffic on a routed VLAN interface (input
or output), and no VACL configured, all traffic is permitted.
• Note that the order of ACEs in an ACL is important. A packet that comes into the switch is applied
against the first ACE in the ACL. If there is no match, the packet is applied against the next ACE in
the list. If no ACEs match, the packet is denied (dropped).
• Always enter the show security acl info acl_name editbuffer command to see the current list of
ACEs before making any changes to the edit buffer.
• Note that in systems with redundant MSFCs, the ACL configurations for Cisco IOS ACLs and
VACLs must be the same on both MSFCs.
• Note that the system might incorrectly calculate the maximum number of ACLs in the system if an
ACL is deleted but not committed.
• Note that the show security acl resource-usage and show qos acl resource-usage commands might
not show 100 percent usage even if there is no space in the hardware to store more ACLs. This
situation occurs because some ACL space is reserved in hardware for the ACL manager to perform
cleanup and mapping if necessary.
• Note that the system might take longer to boot if you configure a very large number of ACLs.
• Follow these guidelines for using the redirect option:
– Redirected packets can only go out a port that supports the VLAN that the traffic is in.
– The redirect option only takes packets and sends them out the redirect port; there is no routing
involved, so the packet leaves unchanged, with its original destination MAC address.
– If packets are coming in from many VLANs, the redirect port should have those VLANs in the
forwarding state. You might have to configure the redirect port as a trunk to allow multiple VLANs
to go out of the port.
– Put cache engines attached to the redirect port in promiscuous mode so that they accept frames not
addressed to them; because redirected packets are not routed, the destination MAC address is not
rewritten to the cache's address.
– Use the redirect option to do some basic VLAN-based load balancing by redirecting traffic to
multiple ports. Each port transmits only those packets that belong to the VLANs that are
forwarding on the port.

VACL Configuration Summary

To create a VACL and map it to a VLAN, perform these steps:

Step 1 Enter the set security acl ip command to create a VACL and add ACEs.
Step 2 Enter the commit command to commit the VACL and its associated ACEs to NVRAM.
Step 3 Enter the set security acl map command to map the VACL to a VLAN.

Note An IP VACL is used in this description; you can configure IPX and non-IP version 4/non-IPX VACLs
using the same basic steps.

Note VACLs have an implicit deny feature at the end of the list; a packet is denied if it does not match any
VACL ACE.

Configuring VACLs From the CLI

This section describes how to create and activate VACLs on the Catalyst 6000 family switches. These
tasks are listed in the order that they should be performed.
This section describes the following tasks:
• Creating an IP VACL and Adding ACEs, page 16-30
• Creating an IPX VACL and Adding ACEs, page 16-32
• Creating a Non-IP Version 4/Non-IPX VACL (MAC VACL) and Adding ACEs, page 16-34
• Committing ACLs, page 16-35
• Mapping a VACL to a VLAN, page 16-35
• Showing the Contents of a VACL, page 16-36
• Showing VACL-to-VLAN Mapping, page 16-36
• Clearing the Edit Buffer, page 16-37
• Removing ACEs from Security ACLs, page 16-37
• Clearing the Security ACL Map, page 16-37
• Displaying VACL Management Information, page 16-38
• Capturing Traffic Flows on Specified Ports, page 16-38
• Configuring VACL Logging, page 16-40

Creating an IP VACL and Adding ACEs

To create a new IP VACL and add ACEs, or to add ACEs to an existing IP VACL, perform these tasks
in privileged mode:

Task: If an IP protocol specification is not required, use the following syntax.
Command: set security acl ip {acl_name} {permit | deny} {src_ip_spec} [capture] [before editbuffer_index | modify editbuffer_index] [log]

Task: If an IP protocol is specified, use the following syntax.
Command: set security acl ip {acl_name} {permit | deny | redirect mod_num/port_num} {protocol} {src_ip_spec} {dest_ip_spec} [precedence precedence] [tos tos] [capture] [before editbuffer_index | modify editbuffer_index] [log]

Note The log keyword provides logging messages for denied IP VACL ACEs only.

This example shows how to create an ACE for IPACL1 to allow traffic from source address 172.20.53.4:
Console> (enable) set security acl ip IPACL1 permit host 172.20.53.4 0.0.0.0
IPACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

Note The example shows that because VACLs have an implicit deny feature at the end of the list, all other
traffic is denied.

This example shows how to create an ACE for IPACL1 to allow traffic from all source addresses:
Console> (enable) set security acl ip IPACL1 permit any
IPACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

This example shows how to create an ACE for IPACL1 to block traffic from source address 171.3.8.2:
Console> (enable) set security acl ip IPACL1 deny host 171.3.8.2
IPACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

This example shows how to display the contents of the edit buffer:
Console> (enable) show security acl info IPACL1 editbuffer
set security acl ip IPACL1
-----------------------------------------------------------------
1. permit ip host 172.20.53.4 any
2. permit ip any any
3. deny ip host 171.3.8.2 any
Console> (enable)
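The edit buffer above is worth checking against the ordering rule in the configuration guidelines: VACL ACEs are evaluated top down and the first match wins, so ACE 3 (deny ip host 171.3.8.2 any) can never match, because ACE 2 (permit ip any any) already matches every IP packet. To block that host, the deny must be inserted ahead of the permit any ACE (for example with the before 2 option shown in the IPACL2 example that follows). The following Python script is an added example, not part of this guide or of CatOS; it models the first-match and implicit-deny rules stated in this chapter over the IPACL1 entries and reports ACEs that are shadowed by an earlier ACE. The address-spec and ACE representations are this example's own assumptions.

```python
import ipaddress  # standard library, used only to parse dotted-quad addresses

# Added model of the IP VACL matching rules stated in this chapter: ACEs are
# tried in order, the first match decides, and an implicit deny follows the
# last ACE. This is not CatOS code; the data structures are assumptions.


def _addr(dotted):
    return int(ipaddress.IPv4Address(dotted))


def spec(addr, wildcard="0.0.0.0"):
    """Address spec in CatOS style: 'host X' is (X, 0.0.0.0), 'any' is (0.0.0.0, 255.255.255.255)."""
    return (_addr(addr), _addr(wildcard))


ANY = spec("0.0.0.0", "255.255.255.255")


def ace(action, protocol, src, dst=ANY):
    return {"action": action, "proto": protocol, "src": src, "dst": dst}


def _matches(s, dotted):
    base, wild = s
    care = ~wild & 0xFFFFFFFF  # a set wildcard bit means "don't care"
    return (base & care) == (_addr(dotted) & care)


def _covers(outer, inner):
    """True when every address matched by inner is also matched by outer."""
    obase, owild = outer
    ibase, iwild = inner
    care = ~owild & 0xFFFFFFFF
    # outer must not care about a bit that inner leaves free, and every bit
    # outer cares about must agree between the two base addresses
    return (care & iwild) == 0 and (care & (obase ^ ibase)) == 0


def evaluate(acl, src, dst, protocol="tcp"):
    """Return (action, ace_number) of the first matching ACE; ('deny', None) is the implicit deny."""
    for number, a in enumerate(acl, start=1):
        if a["proto"] not in ("ip", protocol):
            continue
        if _matches(a["src"], src) and _matches(a["dst"], dst):
            return a["action"], number
    return "deny", None


def shadowed(acl):
    """1-based numbers of ACEs that can never match because an earlier ACE covers them."""
    dead = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier["proto"] in ("ip", later["proto"])
                    and _covers(earlier["src"], later["src"])
                    and _covers(earlier["dst"], later["dst"])):
                dead.append(j + 1)
                break
    return dead


# IPACL1 exactly as listed in the edit buffer above
IPACL1 = [
    ace("permit", "ip", spec("172.20.53.4")),
    ace("permit", "ip", ANY),
    ace("deny", "ip", spec("171.3.8.2")),
]

# The same ACL with the deny moved ahead of "permit ip any any", which is what
# "set security acl ip IPACL1 deny host 171.3.8.2 before 2" would produce
IPACL1_FIXED = [IPACL1[0], IPACL1[2], IPACL1[1]]

if __name__ == "__main__":
    print(evaluate(IPACL1, "171.3.8.2", "10.1.1.1"))        # ('permit', 2): ACE 3 is never reached
    print(shadowed(IPACL1))                                 # [3]
    print(evaluate(IPACL1_FIXED, "171.3.8.2", "10.1.1.1"))  # ('deny', 2)
    print(evaluate([IPACL1[0]], "10.1.1.1", "10.1.1.2"))    # ('deny', None): implicit deny
```

Run shadowed() over any VACL you are about to commit; a non-empty result means an ACE is dead, and if it is a deny, the traffic it was meant to block is being permitted by an earlier entry.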

This example shows how to commit the ACEs to NVRAM:
Console> (enable) commit security acl all
ACL commit in progress.
ACL IPACL1 is committed to hardware.
Console> (enable)

Note For more information about the commit security acl all command, see the “Committing ACLs”
section on page 16-35.

Enter the show security acl info IPACL1 command to verify that the changes were committed. If this
VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.
This example shows how to create an ACE for IPACL2 to block traffic from source address 172.20.3.2
and place this ACE before ACE number 2 in the VACL. Optionally, you can use the modify keyword to
replace an existing ACE with a new ACE. Enter the show security acl info acl_name command to see
the current ACE listing stored in NVRAM, or add the editbuffer keyword to see the edit buffer contents;
the position you give to before or modify refers to the edit buffer numbering.
Console> (enable) set security acl ip IPACL2 deny host 172.20.3.2 before 2
IPACL2 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

This example shows how to create an ACE for IPACL2 to redirect to port 3/1 the IP traffic from any
source address that matches 1.2.3.4 with wildcard mask 0.0.0.255 (that is, 1.2.3.0 through 1.2.3.255)
and has the destination address 255.255.255.255. Note that host can be used as an abbreviation for an
address with a wildcard of 0.0.0.0 (an exact match). This ACE also specifies the following:
• precedence—IP precedence values that range from 0 (low priority) to 7 (high priority).
• tos—Type of service values that range from 0 to 15.

Note The ToS is bits 3 through 6 of the IP ToS byte as defined by RFC 1349, and the precedence is bits 0
through 2 as defined by RFC 791, counting from the most significant bit. Both fields are set by the
sending host and are not authenticated, so matching on them does not identify trusted traffic.

Console> (enable) set security acl ip IPACL2 redirect 3/1 ip 1.2.3.4 0.0.0.255 host 255.255.255.255 precedence 1 tos min-delay
IPACL2 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

This example shows how to display the contents of the edit buffer:
Console> (enable) show security acl info IPACL2 editbuffer
set security acl ip IPACL2
-----------------------------------------------------------------
1. deny 172.20.3.2
2. redirect 1.2.3.4
Console> (enable)

Note For more information about the show security acl info command, see the “Showing the Contents of
a VACL” section on page 16-36.

This example shows how to commit the ACEs to NVRAM:
Console> (enable) commit security acl all
ACL commit in progress.
ACL IPACL2 is committed to hardware.
Console> (enable)

Note For more information about the commit security acl all command see the “Committing ACLs”
section on page 16-35.

Enter the show security acl info IPACL2 command to verify that the changes were committed. If this
VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.

Creating an IPX VACL and Adding ACEs

To create a new IPX VACL and add ACEs, or to add ACEs to an existing IPX VACL, perform this task
in privileged mode:

Task: Create a new IPX VACL and add ACEs, or add ACEs to an existing IPX VACL.
Command: set security acl ipx {acl_name} {permit | deny | redirect mod_num/port_num} {protocol} {src_net} [dest_net.[dest_node] [[dest_net_mask.]dest_node_mask]] [capture] [before editbuffer_index | modify editbuffer_index]

This example shows how to create an ACE for IPXACL1 to block all traffic from source network 1234:
Console> (enable) set security acl ipx IPXACL1 deny any 1234
IPXACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

This example shows how to create an ACE for IPXACL1 to block all traffic with destination address
1.A.3.4:
Console> (enable) set security acl ipx IPXACL1 deny any any 1.A.3.4
IPXACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

This example shows how to create an ACE for IPXACL1 to redirect all traffic from source network 3456
to port 4/1:
Console> (enable) set security acl ipx IPXACL1 redirect 4/1 any 3456
IPXACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

This example shows how to display the contents of the edit buffer:
Console> (enable) show security acl info IPXACL1 editbuffer
set security acl ipx IPXACL1
-----------------------------------------------------------------
1. deny any 1234
2. deny any any 1.A.3.4
3. redirect 4/1 any 3456
Console> (enable)

Note For more information about the show security acl info command, see the “Showing the Contents of
a VACL” section on page 16-36.

This example shows how to commit the ACEs to NVRAM:
Console> (enable) commit security acl all
ACL commit in progress.
ACL IPXACL1 is committed to hardware.
Console> (enable)

Enter the show security acl info IPXACL1 command to verify that the changes were committed. If this
VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.

This example shows how to create an ACE for IPXACL1 to allow all traffic from source network 1 and
insert this ACE before ACE number 2:
Console> (enable) set security acl ipx IPXACL1 permit any 1 before 2
IPXACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

This example shows how to create an ACE for IPXACL1 to allow traffic from all source addresses:
Console> (enable) set security acl ipx IPXACL1 permit any any
IPXACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

This example shows how to display the contents of the edit buffer:
Console> (enable) show security acl info IPXACL1 editbuffer
set security acl ipx IPXACL1
-----------------------------------------------------------------
1. deny any 1234
2. permit any 1
3. deny any any 1.A.3.4
4. redirect 4/1 any 3456
5. permit any any
ACL IPXACL1 Status: Not Committed
Console> (enable)

This example shows how to commit the ACEs to NVRAM:
Console> (enable) commit security acl all
ACL commit in progress.
ACL IPXACL1 is committed to hardware.
Console> (enable)

Note For more information about the commit security acl all command, see the “Committing ACLs”
section on page 16-35.

Enter the show security acl info IPXACL1 command to verify that the changes were committed. If this
VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.

Creating a Non-IP Version 4/Non-IPX VACL (MAC VACL) and Adding ACEs

Caution IP traffic and IPX traffic are not access controlled by MAC VACLs. All other traffic types
(AppleTalk, DECnet, and so on) are classified as MAC traffic and MAC VACLs are used to access
control this traffic.

To create a new non-IP version 4/non-IPX VACL and add ACEs, or to add ACEs to an existing non-IP
version 4/non-IPX VACL, perform this task in privileged mode:

Task: Create a new non-IP version 4/non-IPX VACL and add ACEs, or add ACEs to an existing non-IP version 4/non-IPX VACL.
Command: set security acl mac {acl_name} {permit | deny} {src_mac_addr_spec} {dest_mac_addr_spec} [ether-type] [capture] [before editbuffer_index | modify editbuffer_index]

This example shows how to create an ACE for MACACL1 to block all traffic from 8-2-3-4-7-A:
Console> (enable) set security acl mac MACACL1 deny host 8-2-3-4-7-A any
MACACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

This example shows how to create an ACE for MACACL1 to block all traffic to A-B-C-D-1-2:
Console> (enable) set security acl mac MACACL1 deny any host A-B-C-D-1-2
MACACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

This example shows how to create an ACE for MACACL1 to allow traffic from all sources:
Console> (enable) set security acl mac MACACL1 permit any any
MACACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

This example shows how to display the contents of the edit buffer:
Console> (enable) show security acl info MACACL1 editbuffer
set security acl mac MACACL1
-----------------------------------------------------------------
1. deny 8-2-3-4-7-A any
2. deny any A-B-C-D-1-2
3. permit any any
Console> (enable)

Note For more information about the show security acl info command, see the “Showing the Contents of
a VACL” section on page 16-36.

This example shows how to commit the ACEs to NVRAM:
Console> (enable) commit security acl all
ACL commit in progress.
ACL MACACL1 is committed to hardware.
Console> (enable)

Note For more information about the commit security acl all command, see the “Committing ACLs”
section on page 16-35.

Enter the show security acl info MACACL1 command to verify that the changes were committed. If
this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a
VLAN.

Committing ACLs
You can commit all ACLs or a specific ACL to NVRAM with the commit command. Any committed
ACL with no ACEs will be deleted.
To commit an ACL to NVRAM, perform this task in privileged mode:

Task: Commit an ACL to NVRAM.
Command: commit security acl {acl_name | all}

This example shows how to commit a specific security ACL to NVRAM:
Console> (enable) commit security acl IPACL2
ACL commit in progress.
ACL IPACL2 is committed to hardware.
Console> (enable)

Mapping a VACL to a VLAN

You can map a VACL to a VLAN with the set security acl map command. Note that there is no default
ACL-to-VLAN mapping; all VACLs need to be mapped to a VLAN.
To map a VACL to a VLAN, perform this task in privileged mode:

Task: Map a VACL to a VLAN.
Command: set security acl map acl_name vlans

This example shows how to map IPACL1 to VLAN 10:
Console> (enable) set security acl map IPACL1 10
ACL IPACL1 mapped to vlan 10
Console> (enable)

This example shows the output if you try to map an ACL that has not been committed:
Console> (enable) set security acl map IPACL1 10
Commit ACL IPACL1 before mapping.
Console> (enable)

Showing the Contents of a VACL

You can display the contents of a VACL with the show security acl info command.
To show the contents of a VACL, perform this task in privileged mode:

Task: Show the contents of a VACL.
Command: show security acl info {acl_name | all} [editbuffer [editbuffer_index]]

This example shows how to show the contents of a VACL that has been saved in NVRAM:
Console> (enable) show security acl info IPACL1
set security acl ip IPACL1
------------------------------------------------------------------
1. deny A
2. deny ip B any
3. deny C
4. permit any

This example shows how to show the contents of a VACL that is still in the edit buffer:
Console> (enable) show security acl info IPACL1 editbuffer
set security acl ip IPACL1
-----------------------------------------------------------------
1. deny A
2. deny ip B any
3. deny C
4. deny D
5. permit any
Console> (enable)

Showing VACL-to-VLAN Mapping

You can display VACL-to-VLAN mapping for a specified ACL or VLAN with the show security acl
map command.
To show VACL-to-VLAN mapping, perform this task in privileged mode:

Task: Show VACL-to-VLAN mapping.
Command: show security acl map {acl_name | vlan | all}

This example shows how to show the mappings of a specific VACL:
Console> (enable) show security acl map IPACL1
ACL IPACL1 is mapped to VLANs:
1
Console> (enable)

This example shows how to show the mappings of a specific VLAN:
Console> (enable) show security acl map 1
VLAN 1 is mapped to IP ACL IPACL1.
VLAN 1 is mapped to IPX ACL IPXACL1.
VLAN 1 is mapped to MAC ACL MACACL1.
Console> (enable)

Clearing the Edit Buffer

You can clear changes made to the ACL edit buffer since its last save with the rollback command. The
ACL is rolled back to its state at the last commit command.
To clear the ACL edit buffer, perform this task in privileged mode:

Task: Clear the ACL edit buffer.
Command: rollback security acl {acl_name | all | adjacency}

This example shows how to clear the edit buffer of a specific security ACL:
Console> (enable) rollback security acl IPACL1
Editbuffer for ‘IPACL1’ rolled back to last commit state.
Console> (enable)

Removing ACEs from Security ACLs

You can remove a specific ACE or all ACEs from an ACL with the clear security acl command. This
command deletes the ACEs from the edit buffer.
To remove an ACE from a security ACL, perform this task in privileged mode:

Task: Remove all ACEs from all security ACLs, all ACEs from one ACL, or one ACE from one ACL.
Command: clear security acl all
Command: clear security acl acl_name
Command: clear security acl acl_name editbuffer_index

This example shows how to remove ACEs from all the ACLs:
Console> (enable) clear security acl all
All editbuffers modified. Use ‘commit’ command to apply changes.
Console> (enable)

This example shows how to remove a specific ACE from a specific ACL:
Console> (enable) clear security acl IPACL1 2
IPACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

Clearing the Security ACL Map

You can remove a VACL-to-VLAN mapping with the clear security acl map command.
To clear the security ACL map, perform this task in privileged mode:

Task: Clear all VACL-to-VLAN mappings, all mappings of one VACL, all mappings of one VLAN, or one VACL-to-VLAN mapping.
Command: clear security acl map all
Command: clear security acl map acl_name
Command: clear security acl map vlan
Command: clear security acl map acl_name vlan

This example shows how to clear all VACL-to-VLAN mappings:
Console> (enable) clear security acl map all
Map deletion in progress.

Successfully cleared mapping between ACL ip1 and VLAN 10.

Successfully cleared mapping between ACL ipx1 and VLAN 10.

.... display text omitted


Console> (enable)

This example shows how to clear the mapping for a specific VACL on a specific VLAN:
Console> (enable) clear security acl map IPACL1 50
Map deletion in progress.

Successfully cleared mapping between ACL ipacl1 and VLAN 50.


Console> (enable)

Displaying VACL Management Information

You can display VACL management information with the show security acl resource-usage command.
To display VACL management information, perform this task in privileged mode:

Task: Display VACL management information.
Command: show security acl resource-usage

This example shows how to display VACL management information:
Console> (enable) show security acl resource-usage
ACL resource usage:
ACL storage (mask/value): 0.29%/0.10%
ACL to switch interface mapping table: 0.39%
ACL layer 4 port operators: 0.0%
Console> (enable)

Capturing Traffic Flows on Specified Ports

You can use the capture option in the set security acl (ip, ipx, and mac) commands to specify that
packets that match the specified flows are captured and transmitted out of capture ports. You specify
capture ports with the set security acl capture-ports mod/ports... command. When you use the
capture option, packets that match the specified flows are forwarded normally and a copy is transmitted
out of the capture ports in parallel. Capture ports do not send out all of the captured traffic; each capture
port sends out only the traffic that belongs to the VLANs that the capture port carries.

Configuration Guidelines

Follow these guidelines when configuring capture ports:
• The capture port cannot be part of an EtherChannel.
• The capture port cannot be an ATM port.
• The capture port must be in the spanning tree forwarding state for the VLAN.
• You can specify any number of switch ports as capture ports. Capture ports are added to a capture
port list and the configuration is saved in NVRAM.
• Only permitted traffic is captured. A packet dropped by an ACL cannot be captured, so capture
cannot be used to observe denied traffic; use VACL logging for that.
• Capture ports do not transmit all captured traffic. They transmit only traffic belonging to the
capture port VLAN. To capture traffic going to many VLANs, the capture port should be a trunk
carrying the required VLANs.
For routed traffic, capture ports transmit packets only after they are Layer 3 switched; packets are
transmitted out of a port only if the output VLAN of the Layer 3 switched flow is the same as the
capture port VLAN. For example, assume you have flows from VLAN 10 to VLAN 20 and you add
a VACL (on one of the VLANs) permitting these flows and you specify a capture port. This traffic
gets transmitted out of the capture port only if it belongs to VLAN 20 or if the port is a trunk carrying
VLAN 20. If the capture port is in VLAN 10, it does not transmit any traffic. Whether a capture port
transmits the traffic or not is independent of the VLAN on which you placed the VACL.
If you want to capture traffic from one VLAN going to many VLANs, the capture port has to be a
trunk carrying all output VLANs.
For bridged traffic, because all the traffic remains in the same VLAN, ensure that the capture port
is in the same VLAN as the bridged traffic.
• To capture traffic, you can configure one ACL and map it to a group of VLANs or you can configure
a number of ACLs and map each to one VLAN. Configure as many ACEs per ACL as necessary to
capture the desired traffic.
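The following Python script is an added example written for this page, not CatOS code, that applies the capture-port rules above to a constructed capture-port plan: a captured packet is transmitted only by capture ports that carry its output VLAN (the destination VLAN of a routed flow, the flow's own VLAN for bridged traffic), denied packets are never captured, and the VLAN on which the VACL is mapped does not matter. The flow and port records are assumptions made for the example; it uses the guide's VLAN 10 to VLAN 20 case and reports captured flows that no configured port can transmit.

```python
# Added check of the capture-port rule stated in the guidelines above. It is not
# CatOS code; the flow and capture-port records are assumptions for this example.


def capture_ports_for(flow, capture_ports):
    """Return the capture ports that will transmit this flow.

    flow: dict with in_vlan, out_vlan, action ('permit'/'deny') and capture (bool).
    capture_ports: dict port -> set of VLANs the port carries (an access port
                   carries exactly one VLAN, a trunk carries several).
    """
    # Dropped packets are never captured, and only ACEs with "capture" capture.
    if flow["action"] != "permit" or not flow["capture"]:
        return []
    # Only the output VLAN matters: for a Layer 3 switched flow that is the
    # destination VLAN, for bridged traffic it is the flow's own VLAN. The
    # VLAN the VACL is mapped to (in_vlan) plays no part in the decision.
    out_vlan = flow["out_vlan"]
    return sorted(port for port, vlans in capture_ports.items() if out_vlan in vlans)


def blind_spots(flows, capture_ports):
    """Flows the VACL marks for capture that no configured capture port can transmit."""
    return [f for f in flows
            if f["action"] == "permit" and f["capture"]
            and not capture_ports_for(f, capture_ports)]


def required_trunk_vlans(flows):
    """VLANs a single trunk capture port must carry to see every captured flow."""
    return sorted({f["out_vlan"] for f in flows if f["action"] == "permit" and f["capture"]})


# Constructed flows: the guide's VLAN 10 -> VLAN 20 routed case, a bridged flow
# inside VLAN 10, and a denied flow that carries the capture flag but is dropped.
FLOWS = [
    {"name": "routed 10->20", "in_vlan": 10, "out_vlan": 20, "action": "permit", "capture": True},
    {"name": "bridged 10->10", "in_vlan": 10, "out_vlan": 10, "action": "permit", "capture": True},
    {"name": "denied 10->30", "in_vlan": 10, "out_vlan": 30, "action": "deny", "capture": True},
]

# Constructed capture-port list: 1/1 is an access port in VLAN 10, 2/1 is a
# trunk carrying VLANs 10 and 20.
CAPTURE_PORTS = {"1/1": {10}, "2/1": {10, 20}}

if __name__ == "__main__":
    for f in FLOWS:
        print(f["name"], "->", capture_ports_for(f, CAPTURE_PORTS))
    # With only the VLAN 10 access port, the routed flow is captured but never transmitted.
    print("blind spots:", [f["name"] for f in blind_spots(FLOWS, {"1/1": {10}})])
    print("trunk must carry:", required_trunk_vlans(FLOWS))
```

The blind_spots() result is the case the guidelines warn about: the VACL on VLAN 10 captures the routed flow, but an access capture port in VLAN 10 never transmits it, because the flow leaves the switch in VLAN 20.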
To capture traffic flows, perform these steps:

Note An IP VACL is used in this description; you can configure IPX and non-IP version 4/non-IPX VACLs
using the same basic steps.

Step 1 Enter the set security acl ip command to create a VACL and add ACEs; include the capture option.
Step 2 Enter the commit command to commit the VACL and its associated ACEs to NVRAM.
Step 3 Enter the set security acl map command to map the VACL to a VLAN.
Step 4 Enter the set security acl capture-ports mod/ports... command to specify capture ports.

Configuration Examples

This example shows how to create an ACE for my_cap and specify that the allowed traffic be captured:
Console> (enable) set security acl ip my_cap permit ip host 60.1.1.1 host 60.1.1.98
capture
my_cap editbuffer modified. Use ’commit’ command to apply changes.
Console> (enable)

This example shows how to commit the my_cap ACL to NVRAM:
Console> (enable) commit security acl my_cap
ACL commit in progress.

ACL my_cap successfully committed.


Console> (enable)

This example shows how to map my_cap to VLAN 10. Mapping a VACL to a VLAN that already has a
VACL of the same type mapped replaces the existing mapping, as the last line of the output shows:
Console> (enable) set security acl map my_cap 10
Mapping in progress.

VLAN 10 successfully mapped to ACL my_cap.


The old mapping with ACL captest was replaced with the new one.
Console> (enable)

This example shows how to specify capture ports:
Console> (enable) set security acl capture-ports 1/1-2,2/1-2
Successfully set the following ports to capture ACL traffic:
1/1-2,2/1-2
Console> (enable)

This example shows how to display ports that have been specified as capture ports:
Console> (enable) show security acl capture-ports
ACL Capture Ports: 1/1-2,2/1-2
Console> (enable)

This example shows how to clear capture ports:
Console> (enable) clear security acl capture-ports 1/1,2/1
Successfully cleared the following ports:
1/1,2/1
Console> (enable)

This example shows that ports 1/1 and 2/1 were cleared:
Console> (enable) show security acl capture-ports
ACL Capture Ports:1/2,2/2
Console> (enable)

Configuring VACL Logging

Note This feature is only available with Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2).

You can log messages about packets denied by IP VACLs by entering the log keyword on deny ACEs.
Any packet that matches such an ACE causes an informational logging message about the packet to be
sent to the console. The level of messages logged to the console is controlled by the set logging level
acl severity command.
The first packet that triggers the ACE causes a logging message right away, and subsequent packets of
the same flow are counted over 5-minute intervals before they are displayed or logged. The logging
message includes the flow pattern and the number of packets received in the prior 5-minute interval, so
a flow that is reported in interval after interval is a source that keeps hitting the deny ACE.
By default, system logging messages are sent to the console. You can configure the switch to send
system logging messages to a syslog server, which you should do if the messages are to be retained;
console output is not a durable record. For information on configuring system message logging,
see Chapter 27, “Configuring System Message Logging.”

Configuration Guidelines

Follow these guidelines when configuring VACL logging:
• Only traffic denied by IP VACL ACEs can be logged; permitted traffic and IPX or MAC VACLs
cannot be logged.
• You must set the logging level for the acl facility to 6 (information) or 7 (debugging).

To enable VACL logging, perform these steps:

Step 1 Enter the set logging level acl severity command to set the logging level to 6 (information) or
7 (debugging).
Step 2 (Optional) Enter the set security acl log maxflow max_number command to allocate a new log table
sized for the maximum number of flow patterns it can store. If successful, the new table replaces the
old one and all flows in the old table are cleared. If there is not enough memory, or max_number is
outside the valid range, an error message is displayed and the command is dropped. Valid values are
from 256 to 2048; the default value is 500.

Note Flows beyond the configured maximum cannot be stored in the table, and packets belonging to
them are not logged. A source that generates many distinct denied flows can therefore fill the table
and keep later flows out of the log.

Step 3 (Optional) Enter the set security acl log ratelimit pps command to set the rate, in packets per second,
at which denied packets are redirected to the supervisor engine for logging. If the value is outside the
valid range, the command is discarded and the range is displayed on the console. Valid values are from
500 to 5000; the default value is 2500.

Note Packets that arrive faster than the configured rate are not logged, so the packet counts in the log
messages are a lower bound under flood conditions.

Step 4 Enter the set security acl ip acl_name deny ... log command to create an IP VACL ACE that denies
traffic and enable logging for it.
Step 5 Enter the commit security acl acl_name command to commit the VACL to NVRAM.
Step 6 Enter the set security acl map acl_name vlan command to map the VACL to a VLAN.

Configuration Examples

This example shows how to set the logging level:
Console> (enable) set logging level acl 6
System logging facility <acl> for this session set to severity 6(information)

This example shows how to allocate a new log table based on the maximum flow:
Console> (enable) set security acl log maxflow 512
Set VACL Log table to 512 flow patterns.

This example shows how to set the redirect rate:
Console> (enable) set security acl log ratelimit 1000
Set Redirect Rate to 1000 pps.

This example shows how to display the VACL log configuration:
Console> (enable) show security acl log config
VACL LOG Configration
-------------------------------------------------------------
Max Flow Pattern : 512
Redirect Rate (pps) : 1000

This example shows how to create an ACE for my_cap and specify that denied traffic be logged:
Console> (enable) set security acl ip my_cap deny ip host 21.0.0.1 log
my_cap editbuffer modified. Use ’commit’ command to apply changes.
Console> (enable)

This example shows how to commit the my_cap ACL to NVRAM:
Console> (enable) commit security acl my_cap
ACL commit in progress.

ACL my_cap successfully committed.


Console> (enable)

This example shows how to map the VACL to a VLAN:
Console> (enable) set security acl map my_cap 1
Mapping in progress.
ACL my_cap successfully mapped to VLAN 1.
:
:
2000 Jul 19 01:14:06 %ACL-6-VACLLOG:VLAN 1(Port 2/1) denied ip tcp 21.0.0.1(2000) -> 255.255.255.255(3000), 1 packet
2000 Jul 19 01:19:06 %ACL-6-VACLLOG:VLAN 1(Port 2/1) denied ip tcp 21.0.0.1(2000) -> 255.255.255.255(3000), 7 packets
2000 Jul 19 01:25:06 %ACL-6-VACLLOG:VLAN 1(Port 2/2) denied ip tcp 21.0.0.1(2000) -> 255.255.255.255(3000), 1 packets

This example shows how to display the flow information in the log table:
Console> (enable) show security acl log flow ip any any
Total matched entry number = 1
Entry No. #1, IP Packet
----------------------------------------
Vlan Number : 1
Mod/Port Number : 2/1
Source IP address : 21.0.0.1
Destination IP address : 255.255.255.255
TCP Source port : 2000
TCP Destination port : 3000
Received Packet Number : 10

This example shows how to clear the log table:


Console> (enable) clear security acl log flow
Log table is cleared.
Console> (enable)
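The %ACL-6-VACLLOG messages shown above carry enough detail to rebuild the per-flow packet totals that show security acl log flow displays, and doing that on a syslog collector is a practical way to review what a VACL is denying after the messages have left the switch (and after clear security acl log flow has emptied the on-switch table). The following Python is an added example, not part of this guide or of the switch software; the log lines embedded in it are constructed from the message format shown above, with each message kept on one line (the guide wraps them for printing), plus one unrelated syslog line to show that other messages are ignored.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the %ACL-6-VACLLOG format shown in this section (one message
# per line) plus one unrelated syslog line that the parser must skip.
SAMPLE_LOG = """\
2000 Jul 19 01:14:06 %ACL-6-VACLLOG:VLAN 1(Port 2/1) denied ip tcp 21.0.0.1(2000) -> 255.255.255.255(3000), 1 packet
2000 Jul 19 01:19:06 %ACL-6-VACLLOG:VLAN 1(Port 2/1) denied ip tcp 21.0.0.1(2000) -> 255.255.255.255(3000), 7 packets
2000 Jul 19 01:25:06 %ACL-6-VACLLOG:VLAN 1(Port 2/2) denied ip tcp 21.0.0.1(2000) -> 255.255.255.255(3000), 1 packets
2000 Jul 19 01:26:00 %SYS-5-MOD_OK:Module 2 is online
"""

# Timestamp, VLAN, ingress port, action, protocol, transport, 5-tuple and count.
VACLLOG_RE = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} "
    r"%ACL-6-VACLLOG:VLAN (?P<vlan>\d+)\(Port (?P<port>\d+/\d+)\) "
    r"(?P<action>\w+) (?P<proto>\w+) (?P<l4>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


@dataclass(frozen=True)
class Flow:
    """Key of one entry in the VACL log table: VLAN, ingress port and 5-tuple."""
    vlan: int
    port: str
    l4: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_vacllog(text):
    """Yield (Flow, packet count) for each VACLLOG message; other syslog lines are skipped."""
    for line in text.splitlines():
        m = VACLLOG_RE.match(line.strip())
        if m is None:
            continue
        flow = Flow(int(m["vlan"]), m["port"], m["l4"], m["src"],
                    int(m["sport"]), m["dst"], int(m["dport"]))
        yield flow, int(m["count"])


def summarize(text):
    """Sum denied packets per flow, like the 'Received Packet Number' of the log table."""
    totals = defaultdict(int)
    for flow, count in parse_vacllog(text):
        totals[flow] += count
    return dict(totals)


def flows_over(text, threshold):
    """Flows whose denied packet total reached threshold, sorted by VLAN and port."""
    return sorted((f for f, n in summarize(text).items() if n >= threshold),
                  key=lambda f: (f.vlan, f.port))


if __name__ == "__main__":
    for flow, n in summarize(SAMPLE_LOG).items():
        print(f"VLAN {flow.vlan} port {flow.port}: {flow.src}:{flow.sport} -> "
              f"{flow.dst}:{flow.dport} ({flow.l4}) denied {n} packets")
```

Because the switch reports each flow at most once per logging interval with an accumulated count, summing the counts per flow key is the right aggregation; counting messages would understate the traffic.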

Configuring and Storing VACLs and QoS ACLs in Flash Memory


This section describes how to configure and store VACLs and QoS ACLs in Flash memory instead of
NVRAM. Prior to this feature, all configuration information was stored in NVRAM. With the addition
of QoS and security ACLs (VACLs), NVRAM could become full. In addition to limiting ACL
configuration, filling up NVRAM can cause problems when you attempt to upgrade from one software
version to another.

Note In most cases, the 512-KB NVRAM is sufficient for storing VACLs and QoS ACLs; therefore, all
ACL configurations are stored in NVRAM by default.


This section describes the following tasks:


• Automatically Moving the VACL and QoS ACL Configuration to Flash Memory, page 16-43
• Manually Moving the VACL and QoS ACL Configuration to Flash Memory, page 16-44
• Running with the VACL and QoS ACL Configuration in Flash Memory, page 16-45
• Moving the VACL and QoS ACL Configuration Back to NVRAM, page 16-46
• Redundancy Synchronization Support, page 16-46
• Interacting with High Availability, page 16-46

Note See Chapter 23, “Modifying the Switch Boot Configuration,” for additional information on using the
commands described in this section.

Automatically Moving the VACL and QoS ACL Configuration to Flash Memory
Moving the VACL and QoS ACL configuration to Flash memory is done automatically only during
system software upgrades and then only if there is not sufficient NVRAM for the upgrade. If there is not
enough NVRAM to perform a software upgrade, the QoS ACL and VACL configuration is deleted from
NVRAM and the ACL configuration is automatically moved to Flash memory. When this occurs, these
syslog messages display:
1999 Sep 01 17:00:00 %SYS-1-CFG_FLASH:ACL configuration moved to bootflash:switchapp.cfg
1999 Sep 01 17:00:00 %SYS-1-CFG_ACL_DEALLOC:NVRAM full. Qos/Security ACL configuration
deleted from NVRAM.

The VACL and QoS ACL configuration has now been successfully moved to Flash memory. During this
process, the system also does the following:
• Sets the CONFIG_FILE variable to bootflash:switchapp.cfg
• Enables the set boot config-register auto-config command recurring, append, and sync options
If an error occurs during the upgrade, these syslog messages display:
1999 Sep 01 17:00:00 %SYS-1-CFG_FLASH_ERR:Failed to write ACL configuration to
bootflash:switchapp.cfg
1999 Sep 01 17:00:00 %SYS-1-CFG_ACL_DEALLOC:NVRAM full. Qos/Security ACL configuration
deleted from NVRAM.

If you receive these error messages, the VACL and QoS ACL configuration is stored in DRAM only.
You need to make more space available in Flash memory and then save the configuration to Flash
memory (as described in the “Moving the VACL and QoS ACL Configuration Back to NVRAM” section
on page 16-46). Alternatively, you might try to delete unneeded VACLs and QoS ACLs and save the ACL
configuration to NVRAM using the set config acl nvram command.


Manually Moving the VACL and QoS ACL Configuration to Flash Memory
If your VACL and QoS ACL configuration requirements require more memory than the 512-KB
NVRAM, you can manually move the VACL and QoS ACL configuration to Flash memory as follows:

Step 1 Specify the VACL and QoS ACL auto-config file to use to configure the switch at startup.
Console> (enable) set boot auto-config bootflash:switchapp.cfg
CONFIG_FILE variable = bootflash:switchapp.cfg
Console> (enable)

Step 2 Specify if the switch should retain (recurring keyword) or clear (non-recurring keyword) the contents
of the CONFIG_FILE environment variable after a reset or power cycle.
Console> (enable) set boot config-register auto-config recurring
Configuration register is 0x12F
ignore-config: disabled
auto-config: recurring, overwrite, sync disabled
console baud: 9600
boot: image specified by the boot system commands
Console> (enable)

Step 3 Specify if the auto-config file should be used to overwrite the NVRAM configuration or be appended to
what is currently in NVRAM.
Console> (enable) set boot config-register auto-config append
Configuration register is 0x12F
ignore-config: disabled
auto-config: recurring, append, sync disabled
console baud: 9600
boot: image specified by the boot system commands
Console> (enable)

Step 4 Specify if synchronization should be enabled or disabled. With synchronization enabled, the auto-config
file(s) synchronize automatically to the standby supervisor engine.
Console> (enable) set boot config-register auto-config sync enable
Configuration register is 0x12F
ignore-config: disabled
auto-config: recurring, append, sync enabled
console baud: 9600
boot: image specified by the boot system commands
Console> (enable)

Step 5 Save committed VACL and QoS ACL configuration changes to the auto-config file.
Console> (enable) copy acl-config bootflash:switchapp.cfg
Upload ACL configuration to bootflash:switchapp.cfg
2843644 bytes available on device bootflash, proceed (y/n) [n]? y
ACL configuration has been copied successfully.
Console> (enable)

Step 6 Delete the VACL and QoS ACL configuration from NVRAM.
Console> (enable) clear config acl nvram
ACL configuration has been deleted from NVRAM.
Warning: Use the copy commands to save the ACL configuration to a file and
the ’set boot config-register auto-config’ commands to configure the
auto-config feature.


Note VACL and QoS ACL mapping commands (set qos acl map and set security acl map) are also stored
in the auto-config file. If the VACL and QoS ACL configuration is in Flash memory and you use the
mapping commands, you need to enter the copy command to save the configuration to Flash memory.

At this point, the VACL and QoS ACL configuration is no longer in NVRAM; it is saved in the
auto-config file bootflash:switchapp.cfg and will be appended to the NVRAM configuration at system
startup.
After making any additional changes to the VACL and QoS ACL configuration and committing those
changes, you must enter the copy acl-config bootflash:switchapp.cfg command to save the
configuration to the auto-config file.
The auto-config file is synchronized automatically to the standby supervisor engine because
synchronization was enabled.
If you cannot write the VACL and QoS ACL configuration to Flash memory, it is removed from
NVRAM. At this point, the VACL and QoS ACL configuration exists in DRAM only. A system reset
for any reason can cause the VACL and QoS ACL configuration to revert to the default.

Note If you cannot write the configuration to Flash memory, you must copy the configuration to a file,
make additional room available in Flash memory, and then try to write the VACL and QoS ACL
configuration to Flash memory.

At system startup, if the VACL and QoS ACL configuration location is set to Flash memory but either
the CONFIG_FILE variable is not set or none of the files specified exist, the following syslog message
displays:
1999 Sep 01 17:00:00 %SYS-0-CFG_FLASH_ERR:ACL configuration set to flash but no ACL
configuration file found.

Running with the VACL and QoS ACL Configuration in Flash Memory
After you move the VACL and QoS ACL configuration to Flash memory, QoS ACLs and VACL commit
operations are no longer written to NVRAM. You have to copy the configuration to the Flash file
manually as follows:
• If you use the set boot config-register auto-config append option, the configuration from the
auto-config file is appended to the NVRAM configuration. You then only have to copy the VACL
and QoS ACL configuration to this file after commit operations.
• If you do not use the set boot config-register auto-config append option, the auto-config feature
clears the configuration before executing the auto-config file at system startup. Any changes made
in NVRAM are lost. You should always copy your entire configuration (not just the VACL and QoS
ACL configuration) to the auto-config file when you want to save it.


Moving the VACL and QoS ACL Configuration Back to NVRAM


This example shows how to move the VACL and QoS ACL configuration back to NVRAM:
Console> (enable) set config acl nvram
ACL configuration copied to NVRAM.
Console> (enable)

Console> (enable) clear boot auto-config
CONFIG_FILE variable =
Console> (enable)

Redundancy Synchronization Support


The set boot commands contain an option to synchronize the auto-config file automatically.
When you enable the sync option (set boot config-register auto-config sync enable) and the VACL
and QoS ACL configuration resides in Flash memory, the auto-config file on the active supervisor
engine is automatically synchronized to the standby supervisor engine whenever a change is made; for
example, deleting the auto-config file on the active supervisor engine causes the file to be deleted on
the standby supervisor engine. Similarly, if you insert a new standby supervisor engine, the active
supervisor engine automatically synchronizes the auto-config file.

Interacting with High Availability


After a supervisor engine switchover, the VACL and QoS ACL configuration on the standby supervisor
engine is consistent with what was on the active supervisor engine, just as in the case where the VACL
and QoS ACL configuration is saved in NVRAM. The only difference is that the data is stored in DRAM,
but the functional behavior of a switchover does not change.

Configuring Policy-Based Forwarding


The policy-based forwarding (PBF) feature is an extension of VACL redirection supported by the Policy
Feature Card 2 (PFC2). It can prove to be particularly beneficial in any flat Layer 2 network used for
transparent bridging where a limited amount of inter-VLAN communication is required. This feature can
also be used in server farms or DMZs where bridging devices like server load balancing appliances are
involved, or where firewall load balancing is performed.

Note PBF does not support Internetwork Packet Exchange (IPX) and multicast traffic.

Note PBF does not work with 802.1Q tunnel traffic. PBF is supported on Layer 3 IP unicast traffic; it is
not applicable to Layer 2 traffic. At the intermediate (PBF) switch, all 802.1Q tunnel traffic appears
as Layer 2 traffic.

Note PBF may require some configuration on attached hosts. When a router is not present in the network,
ARP table entries have to be statically added on each host participating in PBF.


PBF is described in these sections:


• Understanding How Policy-Based Forwarding Works, page 16-47
• Hardware and Software Requirements, page 16-47
• Configuring Policy-Based Forwarding, page 16-48
• Policy-Based Forwarding Configuration Example, page 16-55

Understanding How Policy-Based Forwarding Works


PBF configuration involves these steps:
• Enabling PBF and specifying a MAC address for the PFC2
• Configuring VACLs for PBF
• Configuring attached hosts for PBF
You enable PBF by specifying a MAC address for the PFC2. The MAC address can be a default or
user-specified MAC address. Packets have to be sent with the destination MAC address equal to the PFC2
MAC address. The PFC2 must think the packet is a Layer 3 packet or no rewrite operation occurs. If packets
are not sent with the PFC2 MAC address, the PFC2 treats the packets as Layer 2 packets.
The PBF VACL is created using the security ACL (VACL) commands (set security acl commands). The
PBF VACL contains an adjacency table entry for the PFC2 and a redirect ACE. You must set VACLs on
both VLANs that participate in PBF. When the packet from the source VLAN comes into the PFC2, it hits
the PBF VACL. Based on the information provided in the adjacency table, the packet header is rewritten
(destination VLAN and source and destination MAC addresses) and the packet is forwarded to the
destination VLAN. The packets are forwarded between VLANs only if they hit the VACL entries that are
associated with the adjacency information.

Note Because VACLs are applied to incoming and outgoing traffic, you must configure all VACLs
carefully when using PBF. If the VACLs are not specific, a rewritten packet could hit a deny statement
in the outgoing VACL and be dropped.

When a router is not present in the network, you need to specify static ARP entries on participating hosts.

Hardware and Software Requirements


PBF hardware and software requirements are as follows:
• PBF requires Supervisor Engine 2 with the Policy Feature Card 2 (PFC2) (WS-X6K-S2-PFC2).
• PBF is not supported with an operating (booted) Multilayer Switch Feature Card 2 (MSFC2) in the
Catalyst 6000 family switch that is being used for PBF.
If you try to configure PBF with an MSFC2 present and booted, the system responds with a message
indicating the feature is not supported with an MSFC2.
If an MSFC2 is present but has not booted, you can configure PBF.
• PBF requires supervisor engine software release 6.3(1) or later releases.


Configuring Policy-Based Forwarding


This section provides guidelines and configuration examples for PBF. The configuration examples use
the example configuration shown in Figure 16-8. The Catalyst 6000 family switch redirects all the traffic
coming from Host A on VLAN 10 to Host B on VLAN 11, and redirects traffic from Host B to Host A.
This section contains the following example procedures:
• Enabling PBF and Specifying a MAC Address for the PFC2, page 16-48
• Configuring VACLs for PBF, page 16-50
• Displaying PBF Information, page 16-52
• Clearing Entries in PBF VACLs, page 16-52
• Rolling Back Adjacency Table Entries in the Edit Buffer, page 16-53
• Configuring Hosts for PBF, page 16-53

Figure 16-8 Policy-Based Forwarding (diagram; the text recovered from it follows)
Catalyst 6500 series switch, PFC2 MAC address 00-11-11-11-11-11
VLAN 10: Host A, IP 10.0.0.1, MAC 00:00:00:00:00:0A, interface Ethernet1
VLAN 11: Host B, IP 11.0.0.1, MAC 00:00:00:00:00:0B, interface Ethernet0

Enabling PBF and Specifying a MAC Address for the PFC2

Note The MAC address can be a default or user-specified MAC address. The default MAC address is taken
from a MAC address PROM on the Catalyst 6000 family switch chassis. When specifying a MAC
address using the set pbf mac command, ensure that the MAC address is unique and not already
being used on any interfaces.

We recommend that you use the default MAC address provided by the MAC address PROM. When
you specify your own MAC address using the set pbf mac command, if the MAC address is a
duplicate of a MAC address already in use, packets might get dropped.


To display PBF status and MAC address, perform this task in privileged mode:

Task Command
Display PBF status and MAC address. show pbf

To enable PBF, perform one of these tasks in privileged mode:

Task Command
Enable PBF with a default MAC address. set pbf
Enable PBF with a specific MAC address. set pbf [mac mac address]

This example shows how to check PBF status and MAC address, enable PBF with a default MAC
address, and verify the change:
Console> (enable) show pbf
Pbf status Mac address
----------- ------------------
not set 00-00-00-00-00-00
Console> (enable)
Console> (enable) set pbf
PBF committed successfully.
Operation successful.
Console> (enable)
Console> (enable) show pbf
Pbf status Mac address
----------- ------------------
ok 00-01-64-61-39-c2
Console> (enable)

This example shows how to enable PBF with a specific MAC address:
Console> (enable) set pbf mac 00-11-11-11-11-11
PBF committed successfully.
Operation successful.
Console> (enable)

Console> (enable) show pbf
Pbf status Mac address
----------- ------------------
ok 00-11-11-11-11-11
Console> (enable)

To disable PBF and clear the PBF MAC address, perform this task in privileged mode:

Task Command
Disable PBF and clear the PBF MAC address. clear pbf


This example shows how to clear the PBF MAC address:


Console> (enable) clear pbf
PBF cleared.
Console> (enable)

Console> (enable) show pbf
Pbf status Mac address
----------- ------------------
not set 00-00-00-00-00-00
Console> (enable)

Configuring VACLs for PBF

Note Enter the set security acl adjacency command to specify the rewrite information in the adjacency table
that causes the packet header to be rewritten (destination VLAN and source and destination MAC
addresses) and forwarded to the destination VLAN.

Note that the source MAC address is optional. If you do not specify the source MAC address, the system
defaults to the PBF MAC address.

Note You can configure a maximum of 256 adjacency table entries for a VLAN. The maximum number of
adjacency table entries is 1023.

Note To enable jumbo frame forwarding using PBF, enter the mtu keyword in the set security acl
adjacency command.

The order of entries in a PBF VACL is important. The adjacency table entry has to be defined in the VACL
before the redirect ACE because the redirect ACE uses it to redirect traffic. You should create entries for
PBF VACLs in the following order:
1. Specify the adjacency table entry.
2. Specify the redirect ACE in the PBF VACL that is using the adjacency table entry.
3. Commit the adjacency table entry.
4. Commit the PBF VACL.
5. Map the PBF VACL to a single VLAN or multiple VLANs.

Note You can combine steps 3 and 4 by entering the commit security acl all command.

Note The same adjacency table entry can be used by more than one redirect ACE.


To specify an adjacency table entry for the PFC2, perform this task in privileged mode:

Task                                            Command
Specify an adjacency table entry for the PFC2.  set security acl adjacency adjacency_name dest_vlan dest_mac
                                                [[source_mac] | [source_mac mtu mtu_size] | [mtu mtu_size]]

This example shows how to specify the adjacency table entry:


Console> (enable) set security acl adjacency ADJ1 11 00-00-00-00-00-0B
ADJ1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)

This example shows how to create the PBF VACL for VLAN 10 (shown in Figure 16-8):
Console> (enable) set security acl adjacency ADJ1 11 00-00-00-00-00-0B
ADJ1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) set security acl ip IPACL1 redirect ADJ1 ip host 10.0.0.1 host 11.0.0.1
IPACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) set security acl ip IPACL1 permit any
IPACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) commit security acl adjacency
Commit operation in progress.

Adjacency successfully committed.


Console> (enable) commit security acl IPACL1
ACL commit in progress.

ACL 'IPACL1' successfully committed.


Console> (enable) set security acl map IPACL1 10
Mapping in progress.

ACL IPACL1 successfully mapped to VLAN 10.


Console> (enable)

This example shows how to create the PBF VACL for VLAN 11 (see Figure 16-8):
Console> (enable) set security acl adjacency ADJ2 10 00-00-00-00-00-0A
ADJ2 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) set security acl ip IPACL2 redirect ADJ2 ip host 11.0.0.1 host 10.0.0.1
IPACL2 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) set security acl ip IPACL2 permit any
IPACL2 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) commit security acl adjacency
Commit operation in progress.

Adjacency successfully committed.


Console> (enable) commit security acl IPACL2
ACL commit in progress.

ACL 'IPACL2' successfully committed.


Console> (enable) set security acl map IPACL2 11
Mapping in progress.

ACL IPACL2 successfully mapped to VLAN 11.


Console> (enable)


Displaying PBF Information


This section describes how to display PBF-related information.
To display adjacency table entries, perform these tasks in normal mode:

Task                                                       Command
Display adjacency table entries.                           show security acl info [acl_name | adjacency | all]
                                                           [editbuffer [editbuffer_index]]
Display PBF adjacency information for all adjacency        show pbf adjacency [adj name]
table entries or a specific adjacency table entry.
Display PBF statistics for all adjacency table entries     show pbf statistics [adj name]
or a specific adjacency table entry.
Display the adjacency-to-VACL mappings for all adjacency   show pbf map [adj name]
table entries or a specific adjacency table entry.

Console> show security acl info adjacency
set security acl adjacency ADJ1
---------------------------------------------------
1. 11 00-00-00-00-00-0b

set security acl adjacency ADJ2
---------------------------------------------------
1. 10 00-00-00-00-00-0a
Console> show pbf adjacency
Index DstVlan DstMac SrcMac Name
------------------------------------------------------------------
1 11 00-00-00-00-00-0a 00-00-00-00-00-0b ADJ1
2 10 00-00-00-00-00-0a 00-00-00-00-00-0b ADJ2
Console> show pbf statistics
Index DstVlan DstMac SrcMac HitCount(hex) Name
-------------------------------------------------------------------------
1 11 00-00-00-00-00-0a 00-00-00-00-00-0b 0x00000000 ADJ1
2 10 00-00-00-00-00-0a 00-00-00-00-00-0b 0x00000000 ADJ2
Console> show pbf map
Adjacency ACL
------------------ --------------------
ADJ1 IPACL1

ADJ2 IPACL2
Console> (enable)

Clearing Entries in PBF VACLs


The adjacency table entry cannot be cleared before the redirect ACE. You should clear the redirect ACE
and the adjacency table entry in PBF VACLs in the following order:
1. Clear the redirect ACE.
2. Commit the PBF VACL.


3. Clear the adjacency table entry.
4. Commit the adjacency table entry.
To clear a PBF adjacency table entry, perform this task in privileged mode:

Task Command
Clear a PBF adjacency table entry. clear security acl adjacency adj name

This example shows how to clear a PBF adjacency table entry:


Console> (enable) clear security acl adjacency ADJ1
Adj is in use by a VACL, clear the VACL first then clear adj.
Console> (enable) clear security acl IPACL1
IPACL1 editbuffer modified. Use 'commit' command to save changes.
Console> (enable) commit security acl IPACL1
ACL commit in progress.

ACL 'IPACL1' successfully deleted.


Console> (enable) clear security acl adjacency ADJ1
ADJ1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) commit security acl adjacency
Console> (enable) Adjacency committed successfully
Commit operation in progress.

Console> (enable)

Rolling Back Adjacency Table Entries in the Edit Buffer


You can clear adjacency table entries in the edit buffer that were made prior to the last commit by using
the rollback command. The adjacency table entries are rolled back to their state at the last commit.
To roll back the adjacency table entries in the edit buffer, perform this task in privileged mode:

Task                                                   Command
Roll back adjacency table entries in the edit buffer.  rollback security acl {acl_name | all | adjacency}

This example shows how to roll back adjacency table entries in the edit buffer:
Console> (enable) rollback security acl adjacency
Editbuffer for adjacency info rolled back to last commit state.
Console> (enable)

Configuring Hosts for PBF


This section provides host configuration procedures for the following platforms and operating systems:
• Linux, page 16-54
• Sun Workstation, page 16-54
• MS-Windows/NT/2000 Hosts, page 16-55


Note When a router is not present in the network, you need to specify static ARP entries on participating
hosts. The host’s ARP table maps the IP address of the host device to the MAC address of the PFC2.

Note The IP addresses in the following examples are the IP addresses used in Figure 16-8. These IP
addresses were randomly selected; make sure that the IP addresses you use in your network
configuration are unique.

Linux
These examples show how to configure the ARP table for hosts running the Linux operating system.
This example shows how to configure Host A:
arp -s 11.0.0.1 00:11:11:11:11:11 -i eth0
route add 11.0.0.1 eth0

This example shows how to configure Host B:


arp -s 10.0.0.1 00:11:11:11:11:11 -i eth1
route add 10.0.0.1 eth1

Sun Workstation
When using PBF to enable forwarding between two VLANs with Sun Workstation end hosts, note that
there are limitations you must take into account when configuring the hosts.

PBF Limitations

PBF does not support ARP; you must set a static ARP entry on each Sun Workstation that participates
in PBF. Each static ARP entry must point to the PBF MAC address that is mapped to the destination host.
You must also configure the Sun Workstation to have a gateway. If the Sun Workstation needs to
communicate to a different network, you must define the host routes for all networks that go through
PBF, and if required, you must define a default gateway.
For example, if host 10.0.0.1 on VLAN 40 needs to communicate with host 11.0.0.1 on VLAN 50, and
assuming the PBF MAC address is 00-11-11-11-11-11, the static ARP entry would be as follows:
arp -s 11.0.0.1 00:11:11:11:11:11

where 00-11-11-11-11-11 is the PBF MAC address, and 11.0.0.1 is the IP address of the destination host.

Sun Workstation Limitations

Sun Workstations do not allow you to set a static ARP entry if the destination is part of a different
network (11.x.x.x in this example). This is a limitation of ARP in all Sun Workstations. To overcome
this problem, you need to define a dummy gateway, which is a host route, and set a static ARP entry
pointing to the PBF MAC address mapped to the destination host.
Using the example above, you need to first define a dummy static ARP entry for the gateway. The IP
address of the gateway is one of the host addresses within that network as follows:
(A)Kubera# arp -s 10.0.0.2 00:11:11:11:11:11
(B)Kubera# route add host 11.0.0.1 10.0.0.2


You need to set only one dummy ARP entry for PBF-related traffic and the host routes for each
destination host.
As the number of hosts increases, you need to set a host route entry for each destination host. You can
set up a startup file in /etc/rc2.d that contains the host route entries for each of the destination hosts.
This file saves you from having to key in all the host route entries again after the workstation is reset
or rebooted.
Entries in the file should use this form:
route add host <destination Host IP Address> <dummy gateway IP Address>

The file that contains the host route entries needs to be started as one of the startup scripts. You can
create the file in a directory that has full permissions for the root/superuser, set a soft link pointing to
that file in /etc/rc2.d, or create the file in the /etc/rc2.d directory itself.

MS-Windows/NT/2000 Hosts
As with the Sun Workstation setup, you must also set static ARP entries on Windows-based PCs. On
Windows-based PCs, you do not need to set up any dummy gateways for switching between VLANs
with PBF.
This example shows how to configure static ARP entries in Windows-based platforms:
C:\> arp -s 11.0.0.1 00-11-11-11-11-11
In this example, 00-11-11-11-11-11 is the PBF MAC address and 11.0.0.1 is the IP address of the
destination host.
If you need to configure more hosts, you can create a batch file with ARP entries to each destination host
and specify that Windows use this file at startup.
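The static ARP and route commands differ between the three platforms described above, and Solaris additionally needs the dummy-gateway workaround for destinations outside the local network, so it helps to keep the per-platform rules in one place when many hosts participate in PBF. The Python below is an added example, not part of this guide or of any vendor tooling; it derives the commands a PBF end host needs from the PBF MAC address and the list of destination addresses, using the values of Figure 16-8. The /24 mask used to decide whether a destination is off-net, the eth0 default interface, and the choice of 10.0.0.2 as the dummy gateway are assumptions, as is the platform naming.

```python
import ipaddress

PBF_MAC = "00-11-11-11-11-11"   # PFC2 MAC address used in Figure 16-8


def mac_colons(mac):
    """Turn the switch's 00-11-11-11-11-11 notation into the 00:11:11:11:11:11 form Unix arp takes."""
    return mac.replace("-", ":")


def same_network(ip_a, ip_b, prefixlen=24):
    """True when both addresses fall in the same network (assumed /24; the guide gives no mask)."""
    def net(ip):
        return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    return net(ip_a) == net(ip_b)


def needs_dummy_gateway(host_ip, dest_ips):
    """Solaris only accepts a static ARP entry for an address on the local network, so any
    off-net destination has to be reached through a dummy gateway on the local network."""
    return any(not same_network(host_ip, d) for d in dest_ips)


def host_commands(platform, host_ip, dest_ips, pbf_mac=PBF_MAC, iface="eth0", dummy_gw=None):
    """Return the commands a PBF end host needs for each destination.

    platform is 'linux', 'solaris' or 'windows' (hypothetical labels for the three
    host types in this section). Every ARP entry points at the PBF MAC address, never at
    the real destination host, because the PFC2 rewrites the frame on the way.
    """
    cmds = []
    if platform == "linux":
        for d in dest_ips:
            cmds.append(f"arp -s {d} {mac_colons(pbf_mac)} -i {iface}")
            cmds.append(f"route add {d} {iface}")
    elif platform == "solaris":
        if needs_dummy_gateway(host_ip, dest_ips):
            if dummy_gw is None:
                raise ValueError("off-net destinations need a dummy gateway on the local network")
            # One dummy ARP entry serves all PBF-related traffic from this host.
            cmds.append(f"arp -s {dummy_gw} {mac_colons(pbf_mac)}")
        for d in dest_ips:
            if same_network(host_ip, d):
                cmds.append(f"arp -s {d} {mac_colons(pbf_mac)}")
            else:
                cmds.append(f"route add host {d} {dummy_gw}")
    elif platform == "windows":
        for d in dest_ips:
            cmds.append(f"arp -s {d} {pbf_mac}")   # Windows arp accepts the dashed form
    else:
        raise ValueError(f"unknown platform {platform!r}")
    return cmds


if __name__ == "__main__":
    # Host A of Figure 16-8 reaching Host B on the other VLAN, per platform
    for plat in ("linux", "solaris", "windows"):
        print(plat)
        for c in host_commands(plat, "10.0.0.1", ["11.0.0.1"], dummy_gw="10.0.0.2"):
            print("  " + c)
```

For Solaris the output is what the section above types by hand: a single arp -s for the dummy gateway followed by one route add host per destination, which is also the content the startup file in /etc/rc2.d should contain.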

Policy-Based Forwarding Configuration Example


This section provides example configurations to enable PBF between hosts on VLAN 1 and hosts on
VLAN 2 (see Figure 16-9).


Figure 16-9 Policy-Based Forwarding Configuration Example (diagram; the text recovered from it follows)
Catalyst 6500 series switch, PFC2 MAC address 00-11-22-33-44-55; switch port 6/17 on VLAN 1, port 6/9 on VLAN 2
VLAN 1 hosts: IP 44.0.0.1 - 44.0.0.17, MAC 00-20-20-20-20-20 - 00:20:20:20:20:2f, interface Port 4/1
VLAN 2 hosts: IP 43.0.0.1 - 43.0.0.17, MAC 00-0a-0a-0a-0a-0a - 00:0a:0a:0a:0a:19, interface Port 4/2
This example shows the switch configuration file that was created to enable PBF between the hosts on
VLAN 1 and VLAN 2. Only the first four hosts from each VLAN are shown in the example (44.0.0.1
through 44.0.0.4 and 43.0.0.1 through 43.0.0.4).
#security ACLs
clear security acl all
#adj set
set security acl adjacency a_1 2 00-0a-0a-0a-0a-0a
set security acl adjacency a_2 2 00-0a-0a-0a-0a-0b
set security acl adjacency a_3 2 00-0a-0a-0a-0a-0c
set security acl adjacency a_4 2 00-0a-0a-0a-0a-0d
set security acl adjacency b_1 1 00-20-20-20-20-20
set security acl adjacency b_2 1 00-20-20-20-20-21
set security acl adjacency b_3 1 00-20-20-20-20-22
set security acl adjacency b_4 1 00-20-20-20-20-23
#ip1
set security acl ip ip1 permit arp
set security acl ip ip1 redirect a_1 ip host 44.0.0.1 host 43.0.0.1
set security acl ip ip1 redirect a_2 ip host 44.0.0.2 host 43.0.0.2
set security acl ip ip1 redirect a_3 ip host 44.0.0.3 host 43.0.0.3
set security acl ip ip1 redirect a_4 ip host 44.0.0.4 host 43.0.0.4
set security acl ip ip1 permit ip any any
#ip2
set security acl ip ip2 permit arp
set security acl ip ip2 redirect b_1 ip host 43.0.0.1 host 44.0.0.1
set security acl ip ip2 redirect b_2 ip host 43.0.0.2 host 44.0.0.2
set security acl ip ip2 redirect b_3 ip host 43.0.0.3 host 44.0.0.3
set security acl ip ip2 redirect b_4 ip host 43.0.0.4 host 44.0.0.4
set security acl ip ip2 permit ip any any
#pbf set
set pbf mac 00-11-22-33-44-55
#
commit security acl all
set security acl map ip1 1
set security acl map ip2 2
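The ordering rules from the "Configuring VACLs for PBF" section (an adjacency entry must exist before a redirect ACE names it, and a VACL must be committed before it is mapped) and the adjacency table limits (256 entries for a VLAN, 1023 in total) are easy to violate when a file like the one above is written for dozens of host pairs. The Python below is an added example, not code from this guide or from Cisco; it generates a configuration file of the same shape as the one above from a list of host pairs, refuses to exceed the stated adjacency limits, and checks any list of command lines against the ordering rules, so a hand-edited file can be validated before it is applied. The VACL naming (ip followed by the source VLAN number), the adjacency naming (a_n and b_n) and the reading of the 256-entry limit as entries per destination VLAN are assumptions made to mirror the example; the host list is constructed from the first four pairs of Figure 16-9.

```python
from dataclasses import dataclass

# Limits stated in the "Configuring VACLs for PBF" section
MAX_ADJ_PER_VLAN = 256
MAX_ADJ_TOTAL = 1023


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str    # switch notation, e.g. 00-0a-0a-0a-0a-0a
    vlan: int


def adjacency_counts(pairs):
    """Adjacency entries each destination VLAN would receive (two per pair, one per direction)."""
    counts = {}
    for a, b in pairs:
        for dst in (b, a):
            counts[dst.vlan] = counts.get(dst.vlan, 0) + 1
    return counts


def adjacency_limits_ok(pairs):
    counts = adjacency_counts(pairs)
    return (sum(counts.values()) <= MAX_ADJ_TOTAL
            and all(n <= MAX_ADJ_PER_VLAN for n in counts.values()))


def pbf_config(pairs, pbf_mac):
    """Return CatOS command lines, in the order the guide requires, that redirect traffic
    between each (a, b) host pair in both directions. One VACL per source VLAN, named ip<vlan>."""
    if not adjacency_limits_ok(pairs):
        raise ValueError("adjacency table limits exceeded")
    adj, redirects, acl_vlan = [], {}, {}
    for i, (a, b) in enumerate(pairs, 1):
        # a_<i> rewrites a->b traffic toward b; b_<i> rewrites b->a traffic toward a
        for name, src, dst in ((f"a_{i}", a, b), (f"b_{i}", b, a)):
            adj.append(f"set security acl adjacency {name} {dst.vlan} {dst.mac}")
            acl = f"ip{src.vlan}"
            acl_vlan[acl] = src.vlan
            redirects.setdefault(acl, []).append(
                f"set security acl ip {acl} redirect {name} ip host {src.ip} host {dst.ip}")
    lines = ["#security ACLs", "clear security acl all", "#adj set", *adj]
    for acl, aces in redirects.items():
        # permit arp first, then the redirect ACEs, then the catch-all permit, as in the example
        lines += [f"#{acl}", f"set security acl ip {acl} permit arp", *aces,
                  f"set security acl ip {acl} permit ip any any"]
    lines += ["#pbf set", f"set pbf mac {pbf_mac}", "#", "commit security acl all"]
    lines += [f"set security acl map {acl} {vlan}" for acl, vlan in acl_vlan.items()]
    return lines


def check_pbf_order(lines):
    """Check the ordering rules on any CatOS command list: a redirect ACE may only name an
    adjacency defined earlier, and a VACL may only be mapped after it (or 'all') was committed.
    Returns a list of problem descriptions; an empty list means the order is valid."""
    problems, adjacencies, committed = [], set(), set()
    for n, line in enumerate(lines, 1):
        p = line.split()
        if line.startswith("set security acl adjacency "):
            adjacencies.add(p[4])
        elif line.startswith("set security acl ip ") and len(p) > 6 and p[5] == "redirect":
            if p[6] not in adjacencies:
                problems.append(f"line {n}: redirect uses undefined adjacency {p[6]}")
        elif line.startswith("commit security acl "):
            committed.add(p[3])
        elif line.startswith("set security acl map "):
            if "all" not in committed and p[4] not in committed:
                problems.append(f"line {n}: {p[4]} mapped before commit")
    return problems


# Constructed sample: the first four host pairs of Figure 16-9
PAIRS = [
    (Host("44.0.0.1", "00-20-20-20-20-20", 1), Host("43.0.0.1", "00-0a-0a-0a-0a-0a", 2)),
    (Host("44.0.0.2", "00-20-20-20-20-21", 1), Host("43.0.0.2", "00-0a-0a-0a-0a-0b", 2)),
    (Host("44.0.0.3", "00-20-20-20-20-22", 1), Host("43.0.0.3", "00-0a-0a-0a-0a-0c", 2)),
    (Host("44.0.0.4", "00-20-20-20-20-23", 1), Host("43.0.0.4", "00-0a-0a-0a-0a-0d", 2)),
]

if __name__ == "__main__":
    for line in pbf_config(PAIRS, "00-11-22-33-44-55"):
        print(line)
```

The generated file contains the same adjacency, redirect, commit and map lines as the example above (the adjacency definitions are interleaved per pair rather than grouped, which the switch does not care about), and check_pbf_order flags the two mistakes the section warns about: a redirect ACE that names an adjacency not yet defined, and a map command issued before the commit.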


This example shows how to display MAC addresses learned by the switch for port 6/17 on VLAN 1:
Console> (enable) show cam dynamic 6/17
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry $ = Dot1x Security Entry

VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- -------------------------------------------
1 00-20-20-20-20-23 6/17 [ALL]
1 00-20-20-20-20-22 6/17 [ALL]
1 00-20-20-20-20-21 6/17 [ALL]
1 00-20-20-20-20-20 6/17 [ALL]
1 00-20-20-20-20-27 6/17 [ALL]
1 00-20-20-20-20-26 6/17 [ALL]
1 00-20-20-20-20-25 6/17 [ALL]
1 00-20-20-20-20-24 6/17 [ALL]
1 00-20-20-20-20-2b 6/17 [ALL]
1 00-20-20-20-20-2a 6/17 [ALL]
1 00-20-20-20-20-29 6/17 [ALL]
1 00-20-20-20-20-28 6/17 [ALL]
1 00-20-20-20-20-2f 6/17 [ALL]
1 00-20-20-20-20-2e 6/17 [ALL]
1 00-20-20-20-20-2d 6/17 [ALL]
1 00-20-20-20-20-2c 6/17 [ALL]
Total Matching CAM Entries Displayed for 6/17 = 16

This example shows how to display MAC addresses learned by the switch for port 6/9 on VLAN 2:
Console> (enable) show cam dynamic 6/9
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry $ = Dot1x Security Entry

VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- -------------------------------------------
2 00-0a-0a-0a-0a-0e 6/9 [ALL]
2 00-0a-0a-0a-0a-0f 6/9 [ALL]
2 00-0a-0a-0a-0a-0c 6/9 [ALL]
2 00-0a-0a-0a-0a-0d 6/9 [ALL]
2 00-0a-0a-0a-0a-0a 6/9 [ALL]
2 00-0a-0a-0a-0a-0b 6/9 [ALL]
2 00-0a-0a-0a-0a-19 6/9 [ALL]
2 00-0a-0a-0a-0a-18 6/9 [ALL]
2 00-0a-0a-0a-0a-17 6/9 [ALL]
2 00-0a-0a-0a-0a-16 6/9 [ALL]
2 00-0a-0a-0a-0a-15 6/9 [ALL]
2 00-0a-0a-0a-0a-14 6/9 [ALL]
2 00-0a-0a-0a-0a-13 6/9 [ALL]
2 00-0a-0a-0a-0a-12 6/9 [ALL]
2 00-0a-0a-0a-0a-11 6/9 [ALL]
2 00-0a-0a-0a-0a-10 6/9 [ALL]
Total Matching CAM Entries Displayed for 6/9 = 16


This example shows how to display the PBF status and the PFC2 MAC address:
Console> (enable) show pbf
Pbf status Mac address
----------- ------------------
ok 00-11-22-33-44-55

This example shows how to display the PBF statistics:


Console> (enable) show pbf statistics
Index DstVlan DstMac SrcMac HitCount(hex) Name
-------------------------------------------------------------------------
1 2 00-0a-0a-0a-0a-0a 00-11-22-33-44-55 0x00026d7c a_1
2 2 00-0a-0a-0a-0a-0b 00-11-22-33-44-55 0x00026d83 a_2
3 2 00-0a-0a-0a-0a-0c 00-11-22-33-44-55 0x00026d89 a_3
4 2 00-0a-0a-0a-0a-0d 00-11-22-33-44-55 0x00026d90 a_4
5 1 00-20-20-20-20-20 00-11-22-33-44-55 0x000260e3 b_1
6 1 00-20-20-20-20-21 00-11-22-33-44-55 0x000260ea b_2
7 1 00-20-20-20-20-22 00-11-22-33-44-55 0x000260f1 b_3
8 1 00-20-20-20-20-23 00-11-22-33-44-55 0x000260f8 b_4
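As an added example (not code from the guide), the following Python script cross-checks a PBF configuration against the show cam dynamic display: every redirect ACE must name a defined adjacency, and every adjacency's rewrite MAC must actually be learned in the adjacency's VLAN, otherwise redirected traffic is rewritten toward a host the switch has not seen. The sample input is constructed from the displays above, with one undefined adjacency and one missing CAM entry added so the check has something to report.

```python
"""Cross-check PBF adjacencies against the switch's learned CAM entries.

Added example, not Cisco's code. The input text below is constructed from
the configuration file and the 'show cam dynamic' displays shown in the guide.
"""
import re

# Constructed excerpt of the PBF configuration; a_9 is deliberately undefined.
PBF_CONFIG = """\
set security acl adjacency a_1 2 00-0a-0a-0a-0a-0a
set security acl adjacency a_2 2 00-0a-0a-0a-0a-0b
set security acl adjacency b_1 1 00-20-20-20-20-20
set security acl adjacency b_2 1 00-20-20-20-20-21
set security acl ip ip1 permit arp
set security acl ip ip1 redirect a_1 ip host 44.0.0.1 host 43.0.0.1
set security acl ip ip1 redirect a_2 ip host 44.0.0.2 host 43.0.0.2
set security acl ip ip1 redirect a_9 ip host 44.0.0.9 host 43.0.0.9
set security acl ip ip2 redirect b_1 ip host 43.0.0.1 host 44.0.0.1
set security acl ip ip2 redirect b_2 ip host 43.0.0.2 host 44.0.0.2
"""

# Constructed 'show cam dynamic' lines for both ports; the host behind b_2
# (00-20-20-20-20-21) is deliberately absent.
SHOW_CAM = """\
VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- -------------------------------------------
1 00-20-20-20-20-20 6/17 [ALL]
1 00-20-20-20-20-22 6/17 [ALL]
2 00-0a-0a-0a-0a-0a 6/9 [ALL]
2 00-0a-0a-0a-0a-0b 6/9 [ALL]
"""

ADJ_RE = re.compile(r"^set security acl adjacency (\S+) (\d+) ([0-9a-f-]{17})$", re.I)
REDIR_RE = re.compile(r"^set security acl ip (\S+) redirect (\S+) ip host (\S+) host (\S+)$")
CAM_RE = re.compile(r"^(\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\d+/\d+)\s+\[", re.I)


def parse_pbf_config(text):
    """Return ({adjacency: (vlan, mac)}, [(acl, adjacency, src, dst), ...])."""
    adjacencies, redirects = {}, []
    for line in text.splitlines():
        m = ADJ_RE.match(line.strip())
        if m:
            adjacencies[m.group(1)] = (int(m.group(2)), m.group(3).lower())
            continue
        m = REDIR_RE.match(line.strip())
        if m:
            redirects.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return adjacencies, redirects


def parse_show_cam(text):
    """Return {(vlan, mac): port} for every dynamic CAM entry in the display."""
    learned = {}
    for line in text.splitlines():
        m = CAM_RE.match(line.strip())
        if m:
            learned[(int(m.group(1)), m.group(2).lower())] = m.group(3)
    return learned


def check_pbf(config_text, cam_text):
    """Return a list of findings; an empty list means the PBF config is consistent."""
    adjacencies, redirects = parse_pbf_config(config_text)
    learned = parse_show_cam(cam_text)
    findings = []
    for acl, adj, src, dst in redirects:
        if adj not in adjacencies:
            findings.append(f"{acl}: redirect {src}->{dst} uses undefined adjacency {adj}")
    for name, (vlan, mac) in adjacencies.items():
        if (vlan, mac) not in learned:
            findings.append(f"{name}: MAC {mac} not learned in VLAN {vlan}")
    return findings


if __name__ == "__main__":
    for finding in check_pbf(PBF_CONFIG, SHOW_CAM):
        print(finding)
```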

Chapter 17
Configuring GVRP

This chapter describes how to configure the Generic Attribute Registration Protocol (GARP) VLAN
Registration Protocol (GVRP) on the Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How GVRP Works, page 17-1
• Default GVRP Configuration, page 17-2
• GVRP Configuration Guidelines, page 17-2
• Configuring GVRP, page 17-2

Note GVRP requires supervisor engine software release 5.2 or later releases.

Understanding How GVRP Works


GVRP is a GARP application that provides IEEE 802.1Q-compliant VLAN pruning and dynamic VLAN
creation on 802.1Q trunk ports.
With GVRP, the switch can exchange VLAN configuration information with other GVRP switches,
prune unnecessary broadcast and unknown unicast traffic, and dynamically create and manage VLANs
on switches connected through 802.1Q trunk ports.

Note GARP and GVRP are industry-standard protocols described in IEEE 802.1p.


Default GVRP Configuration


Table 17-1 shows the default GVRP configuration.

Table 17-1 GVRP Default Configuration

Feature                           Default Value
GVRP global enable state          Disabled
GVRP per-trunk enable state       Disabled on all ports
GVRP dynamic creation of VLANs    Disabled
GVRP registration mode            normal, with VLAN 1 set to fixed, for all ports
GVRP applicant state              normal (ports do not declare VLANs when in the STP(1) blocking state)
GARP timers                       • Join time: 200 ms
                                  • Leave time: 600 ms
                                  • Leaveall time: 10,000 ms
1. STP = Spanning Tree Protocol

GVRP Configuration Guidelines


Follow these guidelines when configuring GVRP:
• You can configure the per-port GVRP state only on 802.1Q-capable ports.
• You must enable GVRP on both ends of an 802.1Q trunk link.
• The GVRP registration mode for VLAN 1 is always fixed and is not configurable. VLAN 1 is always
carried by 802.1Q trunks on which GVRP is enabled.
• When VTP pruning is enabled, it runs on all GVRP-disabled 802.1Q trunk ports.

Configuring GVRP
These sections describe how to configure GVRP:
• Enabling GVRP Globally, page 17-3
• Enabling GVRP on Individual 802.1Q Trunk Ports, page 17-3
• Enabling GVRP Dynamic VLAN Creation, page 17-4
• Configuring GVRP Registration, page 17-5
• Configuring GVRP VLAN Declarations from Blocking Ports, page 17-6
• Setting the GARP Timers, page 17-7
• Displaying GVRP Statistics, page 17-8
• Clearing GVRP Statistics, page 17-8
• Disabling GVRP on Individual 802.1Q Trunk Ports, page 17-8
• Disabling GVRP Globally, page 17-9


Enabling GVRP Globally


You must enable GVRP globally before any GVRP processing occurs on the switch. Enabling GVRP
globally enables GVRP to perform VLAN pruning on 802.1Q trunk links. Pruning occurs only on
GVRP-enabled trunks. For information on setting the per-trunk port GVRP enable state, see the
“Enabling GVRP on Individual 802.1Q Trunk Ports” section on page 17-3.
To enable dynamic VLAN creation, you must explicitly enable dynamic VLAN creation globally on the
switch as well. For information on enabling dynamic VLAN creation, see the “Enabling GVRP Dynamic
VLAN Creation” section on page 17-4.
To enable GVRP globally on the switch, perform this task in privileged mode:

Task                                  Command
Step 1  Enable GVRP on the switch.    set gvrp enable
Step 2  Verify the configuration.     show gvrp configuration

This example shows how to enable GVRP and verify the configuration:
Console> (enable) set gvrp enable
GVRP enabled
Console> (enable) show gvrp configuration
Global GVRP Configuration:
GVRP Feature is currently enabled on the switch.
GVRP dynamic VLAN creation is disabled.
GVRP Timers(milliseconds)
Join = 200
Leave = 600
LeaveAll = 10000

Port based GVRP Configuration:


Port GVRP Status Registration
------------------------------------------------------- ----------- ------------
2/1-2,3/1-8,7/1-24,8/1-24 Enabled Normal

GVRP Participants running on 3/7-8.


Console>

Enabling GVRP on Individual 802.1Q Trunk Ports

Note You can change the per-trunk GVRP configuration regardless of whether GVRP is enabled globally.
However, GVRP will not function on any ports until you enable it globally. For information on
configuring GVRP globally on the switch, see the “Enabling GVRP Globally” section on page 17-3.

There are two per-port GVRP states:


• The static GVRP state configured in the command-line interface (CLI) and stored in NVRAM
• The actual GVRP state of the ports (active GVRP participants)
You can configure the static GVRP port-state on any 802.1Q-capable switch ports, regardless of the
global GVRP enable state or whether the port is an 802.1Q trunk. However, in order for the port to
become an active GVRP participant, you must enable GVRP globally and the port must be an 802.1Q
trunk port, either through CLI configuration or Dynamic Trunking Protocol (DTP) negotiation.


To enable GVRP on individual 802.1Q-capable ports, perform this task in privileged mode:

Task                                                        Command
Step 1  Enable GVRP on an individual 802.1Q-capable port.   set port gvrp mod/port enable
Step 2  Verify the configuration.                           show gvrp configuration

This example shows how to enable GVRP on 802.1Q-capable port 1/1:


Console> (enable) set port gvrp 1/1 enable
GVRP enabled on 1/1.
Console> (enable)

Enabling GVRP Dynamic VLAN Creation


You can enable GVRP dynamic VLAN creation only if these conditions are met:
• The switch is in VTP transparent mode
• All trunk ports on the switch are 802.1Q trunks (the trunk connection to an MSFC is exempt from
this restriction)
• GVRP is enabled on all trunk ports
If you enable dynamic VLAN creation, these configuration restrictions are imposed:
• You cannot change the switch to VTP server or client mode
• You cannot disable GVRP on a trunk port running GVRP
If any port on the switch becomes an Inter-Switch Link (ISL) trunk (either by CLI configuration or
negotiated using DTP) while dynamic VLAN creation is enabled, dynamic VLAN creation is disabled
automatically until the conditions for enabling dynamic VLAN creation are restored.

Note VLANs can only be created dynamically on 802.1Q trunks in the normal registration mode.

Note Dynamic VLAN creation supports all VLAN types.

To enable GVRP dynamic VLAN creation on the switch, perform this task in privileged mode:

Task                                                  Command
Step 1  Enable dynamic VLAN creation on the switch.   set gvrp dynamic-vlan-creation enable
Step 2  Verify the configuration.                     show gvrp configuration

This example shows how to enable dynamic VLAN creation on the switch:
Console> (enable) set gvrp dynamic-vlan-creation enable
Dynamic VLAN creation enabled.
Console> (enable)


Configuring GVRP Registration


These sections describe how to configure GVRP registration modes on switch ports:
• Configuring GVRP Normal Registration, page 17-5
• Configuring GVRP Fixed Registration, page 17-5
• Configuring GVRP Forbidden Registration, page 17-6

Configuring GVRP Normal Registration


Configuring an 802.1Q trunk port in normal registration mode allows dynamic creation (if dynamic
VLAN creation is enabled), registration, and deregistration of VLANs on the trunk port. Normal mode
is the default.
To configure GVRP normal registration on an 802.1Q trunk port, perform this task in privileged mode:

Task                                                            Command
Step 1  Configure normal registration on an 802.1Q trunk port.  set gvrp registration normal mod/port
Step 2  Verify the configuration.                               show gvrp configuration

This example shows how to configure normal registration on an 802.1Q trunk port:
Console> (enable) set gvrp registration normal 1/1
Registrar Administrative Control set to normal on port 1/1.
Console> (enable)

Configuring GVRP Fixed Registration


Configuring an 802.1Q trunk port in fixed registration mode allows manual creation and registration of
VLANs, prevents VLAN deregistration, and registers all VLANs known on other ports on the trunk port.
To configure GVRP fixed registration on an 802.1Q trunk port, perform this task in privileged mode:

Task                                                            Command
Step 1  Configure fixed registration on an 802.1Q trunk port.   set gvrp registration fixed mod/port
Step 2  Verify the configuration.                               show gvrp configuration

This example shows how to configure fixed registration on an 802.1Q trunk port:
Console> (enable) set gvrp registration fixed 1/1
Registrar Administrative Control set to fixed on port 1/1.
Console> (enable)


Configuring GVRP Forbidden Registration


Configuring an 802.1Q trunk port in forbidden registration mode deregisters all VLANs (except
VLAN 1) and prevents any further VLAN creation or registration on the trunk port.
To configure GVRP forbidden registration on an 802.1Q trunk port, perform this task in privileged mode:

Task                                                              Command
Step 1  Configure forbidden registration on an 802.1Q trunk port. set gvrp registration forbidden mod/port
Step 2  Verify the configuration.                                 show gvrp configuration

This example shows how to configure forbidden registration on an 802.1Q trunk port:
Console> (enable) set gvrp registration forbidden 1/1
Registrar Administrative Control set to forbidden on port 1/1.
Console> (enable)

Configuring GVRP VLAN Declarations from Blocking Ports


To prevent undesirable Spanning Tree Protocol (STP) topology reconfiguration on a port connected to
a device that does not support Per-VLAN STP+ (PVST+), configure the GVRP active applicant state on
the port. Ports in the GVRP active applicant state send GVRP VLAN declarations when they are in the
STP blocking state, which prevents the STP bridge protocol data units (BPDUs) from being pruned from
the other port.

Note Configuring fixed registration on the other device’s port also prevents undesirable STP topology
reconfiguration.

To configure an 802.1Q trunk port to send VLAN declarations when in the blocking state, perform this
task in privileged mode:

Task                                                                                   Command
Configure an 802.1Q trunk port to send VLAN declarations when in the blocking state.   set gvrp applicant state {normal | active} mod/port

This example shows how to configure a group of 802.1Q trunk ports to send VLAN declarations when
in the blocking state:
Console> (enable) set gvrp applicant state active 4/2-3,4/9-10,4/12-24
Applicant was set to active on port(s) 4/2-3,4/9-10,4/12-24.
Console> (enable)

Use the normal keyword to return to the default state (active mode disabled).


Setting the GARP Timers

Note The commands set gvrp timer and show gvrp timer are aliases for set garp timer and show garp
timer. The aliases may be used if desired.

Note Modifying the GARP timer values affects the behavior of all GARP applications running on the
switch, not just GVRP. (For example, GMRP uses the same timers.)

You can modify the default GARP timer values on the switch.
When setting the timer values, the value for leave must be at least three times the join value
(leave >= join * 3), and the value for leaveall must be greater than the value for leave (leaveall > leave).
Each set command is checked against the timer values currently in effect, so if you attempt to set a
timer value that does not adhere to these rules, an error is returned. For example, if the leave timer is
set to 600 ms and you attempt to configure the join timer to 350 ms, an error is returned. Set the leave
timer to at least 1050 ms first and then set the join timer to 350 ms.

Caution Set the same GARP timer values on all Layer 2-connected devices. If the GARP timers are set
differently on Layer 2-connected devices, GARP applications (for example, GMRP and GVRP) do
not operate successfully.

To set the GARP timer values, perform this task in privileged mode:

Task                                  Command
Step 1  Set the GARP timer values.    set garp timer {join | leave | leaveall} timer_value
Step 2  Verify the configuration.     show garp timer

This example shows how to set the GARP timers and verify the configuration:
Console> (enable) set garp timer leaveall 10000
GMRP/GARP leaveAll timer value is set to 10000 milliseconds.
Console> (enable) set garp timer leave 600
GMRP/GARP leave timer value is set to 600 milliseconds.
Console> (enable) set garp timer join 200
GMRP/GARP join timer value is set to 200 milliseconds.
Console> (enable) show garp timer
Timer Timer Value (milliseconds)
-------- --------------------------
Join 200
Leave 600
LeaveAll 10000
Console> (enable)
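As an added example (not code from the guide), this Python model applies set garp timer commands in order against the timers currently in effect, rejecting any value that breaks the two rules above, and compares show garp timer output across Layer 2-connected devices as the Caution requires. The show garp timer text for the two switches is constructed to match the display format above; the switch names are placeholders.

```python
"""Model of the GARP timer rules: leave >= 3 * join and leaveall > leave.

Added example, not Cisco's code. apply_timer_commands() reproduces the
order dependency described in the guide (raise leave before raising join);
timer_mismatches() flags neighbours whose timers disagree.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

DEFAULT_TIMERS = {"join": 200, "leave": 600, "leaveall": 10000}   # milliseconds

CMD_RE = re.compile(r"^set garp timer (join|leave|leaveall) (\d+)$")
SHOW_RE = re.compile(r"^(Join|Leave|LeaveAll)\s+(\d+)$")


def timers_valid(t: Dict[str, int]) -> bool:
    """The two constraints the switch enforces on every set command."""
    return t["leave"] >= 3 * t["join"] and t["leaveall"] > t["leave"]


def apply_timer_commands(commands: Iterable[str],
                         timers: Optional[Dict[str, int]] = None
                         ) -> Tuple[Dict[str, int], List[str]]:
    """Apply commands in order; return the resulting timers and the rejected ones."""
    timers = dict(timers or DEFAULT_TIMERS)
    errors: List[str] = []
    for cmd in commands:
        m = CMD_RE.match(cmd.strip())
        if not m:
            errors.append(f"unrecognised: {cmd!r}")
            continue
        name, value = m.group(1), int(m.group(2))
        candidate = dict(timers, **{name: value})
        if timers_valid(candidate):        # checked against the values in effect now
            timers = candidate
        else:
            errors.append(f"{name} {value} rejected (current timers {timers})")
    return timers, errors


def parse_show_garp_timer(output: str) -> Dict[str, int]:
    """Parse the 'show garp timer' display into {join, leave, leaveall}."""
    timers: Dict[str, int] = {}
    for line in output.splitlines():
        m = SHOW_RE.match(line.strip())
        if m:
            timers[m.group(1).lower()] = int(m.group(2))
    return timers


def timer_mismatches(devices: Dict[str, str]) -> List[str]:
    """Return the devices whose timers differ from the first device listed."""
    parsed = {name: parse_show_garp_timer(out) for name, out in devices.items()}
    names = list(parsed)
    reference = parsed[names[0]]
    return [n for n in names[1:] if parsed[n] != reference]


# Constructed 'show garp timer' output for two neighbouring switches; the leave
# timer on switch_b was changed on one side of the link only.
SWITCH_A = """\
Timer    Timer Value (milliseconds)
-------- --------------------------
Join     200
Leave    600
LeaveAll 10000
"""
SWITCH_B = SWITCH_A.replace("Leave    600", "Leave    900")

if __name__ == "__main__":
    print(apply_timer_commands(["set garp timer join 350"]))
    print(apply_timer_commands(["set garp timer leave 1050", "set garp timer join 350"]))
    print(timer_mismatches({"switch_a": SWITCH_A, "switch_b": SWITCH_B}))
```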


Displaying GVRP Statistics


To display GVRP statistics on the switch, perform this task:

Task                        Command
Display GVRP statistics.    show gvrp statistics [mod/port]

This example shows how to display GVRP statistics for port 1/1:
Console> (enable) show gvrp statistics 1/1
Join Empty Received: 0
Join In Received: 0
Empty Received: 0
LeaveIn Received: 0
Leave Empty Received: 0
Leave All Received: 40
Join Empty Transmitted: 156
Join In Transmitted: 0
Empty Transmitted: 0
Leave In Transmitted: 0
Leave Empty Transmitted: 0
Leave All Transmitted: 41
VTP Message Received: 0
Console> (enable)

Clearing GVRP Statistics


To clear all GVRP statistics on the switch, perform this task in privileged mode:

Task                      Command
Clear GVRP statistics.    clear gvrp statistics {mod/port | all}

This example shows how to clear all GVRP statistics on the switch:
Console> (enable) clear gvrp statistics all
GVRP Statistics cleared for all ports.
Console> (enable)

Disabling GVRP on Individual 802.1Q Trunk Ports


To disable GVRP on individual 802.1Q trunk ports, perform this task in privileged mode:

Task                                                    Command
Step 1  Disable GVRP on an individual 802.1Q trunk port.  set port gvrp disable mod/port
Step 2  Verify the configuration.                       show gvrp configuration


This example shows how to disable GVRP on 802.1Q trunk port 1/1:
Console> (enable) set gvrp disable 1/1
GVRP disabled on 1/1.
Console> (enable)

Disabling GVRP Globally


To disable GVRP globally on the switch, perform this task in privileged mode:

Task                          Command
Disable GVRP on the switch.   set gvrp disable

This example shows how to disable GVRP globally on the switch:


Console> (enable) set gvrp disable
GVRP disabled
Console> (enable)

Chapter 18
Configuring Dynamic Port VLAN Membership with VMPS

This chapter describes how to configure dynamic port VLAN membership using the VLAN Management
Policy Server (VMPS).

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How VMPS Works, page 18-1
• Default VMPS and Dynamic Port Configuration, page 18-2
• Dynamic Port VLAN Membership and VMPS Configuration Guidelines, page 18-3
• Configuring VMPS and Dynamic Port VLAN Membership, page 18-3
• Troubleshooting VMPS and Dynamic Port VLAN Membership, page 18-8
• Dynamic Port VLAN Membership with VMPS Configuration Examples, page 18-9
• Dynamic Port VLAN Membership with Auxiliary VLANs, page 18-12

Understanding How VMPS Works


With VMPS, you can assign switch ports to VLANs dynamically, based on the source Media Access
Control (MAC) address of the device connected to the port. When you move a host from a port on one
switch in the network to a port on another switch in the network, the switch assigns the new port to the
proper VLAN for that host dynamically.
When you enable VMPS, a MAC address-to-VLAN mapping database downloads from a Trivial File
Transfer Protocol (TFTP) server and VMPS begins to accept client requests. If you reset or power cycle
the switch, the VMPS database downloads from the TFTP server automatically and VMPS is reenabled.
VMPS opens a User Datagram Protocol (UDP) socket to communicate and listen to client requests.
When the VMPS server receives a valid request from a client, it searches its database for a MAC
address-to-VLAN mapping.


If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this
group. If the VLAN is allowed on the port, the VLAN name is returned to the client. If the VLAN is not
allowed on the port and VMPS is not in secure mode, the host receives an “access denied” response. If
VMPS is in secure mode, the port is shut down.
If a VLAN in the database does not match the current VLAN on the port and active hosts are on the port,
VMPS sends an access denied or a port shutdown response based on the VMPS secure mode.
You can configure a fallback VLAN name. If you connect a device with a MAC address that is not in
the database, VMPS sends the fallback VLAN name to the client. If you do not configure a fallback
VLAN and the MAC address does not exist in the database, VMPS sends an access denied response. If
VMPS is in secure mode, it sends a port shutdown response.
You can also make an explicit entry in the configuration table to deny access to specific MAC addresses
for security reasons by specifying a --NONE-- keyword for the VLAN name. In this case, VMPS sends
an access denied or port shutdown response.
A dynamic port can belong to only one native VLAN in software releases prior to release 6.2(1)—with
software release 6.2(1), a port can belong to a native VLAN and an auxiliary VLAN. See the “Dynamic
Port VLAN Membership with Auxiliary VLANs” section on page 18-12 for complete details.
When the link comes up, a dynamic port is isolated from its static VLAN. The source MAC address from
the first packet of a new host on the dynamic port is sent to VMPS, which attempts to match the MAC
address to a VLAN in the VMPS database. If there is a match, VMPS provides the VLAN number to
assign to the port. If there is no match, VMPS either denies the request or shuts down the port (depending
on the VMPS secure mode setting).
Multiple hosts (MAC addresses) can be active on a dynamic port if they are all in the same VLAN. If
the link goes down on a dynamic port, the port returns to an isolated state. Any hosts that come online
through the port are checked again with VMPS before the port is assigned to a VLAN.
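As an added example (not code from the guide), this Python model implements the VMPS response rules described above: database lookup, the --NONE-- deny entry, the fallback VLAN, restricted VLAN port groups, the same-VLAN rule for hosts already active on a dynamic port, and the secure-mode choice between "access denied" and "port shutdown". The in-memory database layout and the sample MAC addresses are assumptions for illustration, not the ASCII file format the switch parses.

```python
"""Model of the VMPS request-handling rules from the guide.

Added example, not Cisco's code. VmpsDatabase is an assumed in-memory layout;
it is not the VMPS database file format.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

DENY_VLAN = "--NONE--"          # explicit deny entry, as in the guide


@dataclass
class VmpsDatabase:
    mac_to_vlan: Dict[str, str]                       # MAC -> VLAN name or --NONE--
    # restricted VLAN -> set of (switch IP, "mod/port") on which it may exist
    restricted: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)
    fallback_vlan: Optional[str] = None
    secure: bool = False                              # secure mode shuts the port down


@dataclass
class PortRequest:
    switch_ip: str
    port: str                                         # "mod/port" on the client switch
    mac: str                                          # source MAC of the new host
    current_vlan: Optional[str] = None                # VLAN already assigned to the port
    active_hosts: int = 0                             # hosts already active on the port


def _reject(db: VmpsDatabase) -> str:
    # The rejection form depends only on the VMPS secure mode.
    return "port shutdown" if db.secure else "access denied"


def vmps_response(db: VmpsDatabase, req: PortRequest) -> str:
    """Return the VLAN name to assign, or 'access denied' / 'port shutdown'."""
    vlan = db.mac_to_vlan.get(req.mac.lower())
    if vlan is None:                                  # MAC not in the database
        if db.fallback_vlan is None:
            return _reject(db)
        vlan = db.fallback_vlan
    if vlan == DENY_VLAN:                             # explicit --NONE-- entry
        return _reject(db)
    allowed = db.restricted.get(vlan)                 # restricted VLAN: check port group
    if allowed is not None and (req.switch_ip, req.port) not in allowed:
        return _reject(db)
    # Hosts already active on a dynamic port must all be in the same VLAN.
    if req.active_hosts > 0 and req.current_vlan not in (None, vlan):
        return _reject(db)
    return vlan


# Constructed sample database: two mapped hosts, one VLAN restricted to a single
# port, and one explicitly denied MAC address.
SAMPLE_DB = VmpsDatabase(
    mac_to_vlan={
        "00-20-20-20-20-20": "engineering",
        "00-0a-0a-0a-0a-0a": "finance",
        "00-de-ad-be-ef-00": DENY_VLAN,
    },
    restricted={"finance": {("192.0.0.6", "3/1")}},
)

if __name__ == "__main__":
    for req in (PortRequest("192.0.0.6", "3/1", "00-0a-0a-0a-0a-0a"),
                PortRequest("192.0.0.6", "3/2", "00-0a-0a-0a-0a-0a"),
                PortRequest("192.0.0.6", "3/2", "00-de-ad-be-ef-00")):
        print(req.port, req.mac, "->", vmps_response(SAMPLE_DB, req))
```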

Default VMPS and Dynamic Port Configuration


Table 18-1 shows the default VMPS and dynamic port configuration.

Table 18-1 Default VMPS and Dynamic Port Configuration

Feature                                   Default Configuration

VMPS server
  VMPS enable state                       Disabled
  VMPS management domain                  Null
  VMPS TFTP server                        None
  VMPS database configuration filename    vmps-config-database.1
  VMPS fallback VLAN                      Null
  VMPS secure mode                        Open
  VMPS no domain requests                 Allow

VMPS client
  VMPS domain server                      None
  VMPS reconfirm interval                 60 minutes
  VMPS server retry count                 3
  Dynamic ports                           No dynamic ports configured

Dynamic Port VLAN Membership and VMPS Configuration Guidelines

These guidelines and restrictions apply to dynamic port VLAN membership:
• You must configure VMPS before you configure ports as dynamic.
• When you configure a port as dynamic, spanning tree PortFast is enabled automatically for that port.
Automatic enabling of spanning tree PortFast prevents applications on the host from timing out and
entering loops caused by incorrect configurations. You can disable spanning tree PortFast mode on
a dynamic port.
• If you reconfigure a port from a static port to a dynamic port on the same VLAN, the port connects
immediately to that VLAN. However, VMPS checks the legality of the specific host on the dynamic
port after a certain period.
• Static secure ports cannot become dynamic ports. You must turn off security on the static secure
port before it can become dynamic.
• Static ports that are trunking cannot become dynamic ports. You must turn off trunking on the trunk
port before changing it from static to dynamic.

Note The VTP management domain and the management VLAN of VMPS clients and the VMPS server
must be the same. For more information, see Chapter 10, “Configuring VTP,” and Chapter 11,
“Configuring VLANs.”

Configuring VMPS and Dynamic Port VLAN Membership


These sections describe how to configure VMPS and define dynamic ports on clients:
• Creating the VMPS Database, page 18-4
• Configuring VMPS, page 18-5
• Configuring Dynamic Ports on VMPS Clients, page 18-5
• Administering and Monitoring VMPS, page 18-6
• Configuring Static VLAN Port Membership, page 18-7


Creating the VMPS Database


To use VMPS, you first must create a VMPS database and store it on a TFTP server. The VMPS parser
is line based. Start each entry in the file on a new line. Ranges are not allowed for the port numbers.

Note For an example ASCII text VMPS database configuration file, see the “VMPS Database
Configuration File Example” section on page 18-9.

Follow these guidelines for creating the VMPS database file:


• Begin the configuration file with the word “VMPS,” to prevent other types of configuration files
from incorrectly being read by the VMPS server.
• Define the VMPS domain—The VMPS domain should correspond to the VTP domain name
configured on the switch.
• Define the security mode—VMPS can operate in open or secure mode.
• (Optional) Define a fallback VLAN—The fallback VLAN is assigned if the MAC address of the
connected host is not defined in the database.
• Define the MAC address-to-VLAN name mappings—Enter the MAC address of each host and the
VLAN to which each should belong. Use the --NONE-- keyword as the VLAN name to deny the
specified host network connectivity. A port is identified by the IP address of the switch and the
module/port number of the port in the form mod/port.
• Define port groups—A port group is a logical group of ports. You can apply VMPS policies to
individual ports or to port groups. The keyword all-ports specifies all the ports in the specified
switch.
• Define VLAN groups—A VLAN group defines a logical group of VLANs. These logical groups
define the VLAN port policies.
• Define VLAN port policies—VLAN port policies define the ports associated with a restricted
VLAN. You can configure a restricted VLAN by defining the set of dynamic ports on which it can
exist.
To create a VMPS database, perform this task:

Task                                                                                              Command
Step 1  Determine the MAC addresses of the hosts you want to be assigned to VLANs dynamically.    show cam
Step 2  Create an ASCII text file on your workstation or PC that contains the MAC address-to-VLAN mappings.   —
Step 3  Move the ASCII text file to a TFTP server so it can be downloaded to the switch.          —


Configuring VMPS
When you enable VMPS, the switch downloads the VMPS database from the TFTP or rcp server and
begins accepting VMPS requests.
To configure VMPS, perform this task in privileged mode:

Task                                                                                                    Command
Step 1  Specify the download method.                                                                    set vmps downloadmethod rcp | tftp [username]
Step 2  Configure the IP address of the TFTP or rcp server on which the ASCII text VMPS database configuration file resides.   set vmps downloadserver ip_addr [filename]
Step 3  Enable VMPS.                                                                                    set vmps state enable
Step 4  Verify the VMPS configuration.                                                                  show vmps

This example shows how to enable VMPS on the switch:


Console> (enable) set vmps state enable
Vlan Membership Policy Server enable is in progress.
Console> (enable)

To disable VMPS, perform this task in privileged mode:

Task                                    Command
Step 1  Disable VMPS.                   set vmps state disable
Step 2  Verify that VMPS is disabled.   show vmps

This example shows how to disable VMPS on the switch:


Console> (enable) set vmps state disable
All the VMPS configuration information will be lost and the resources released on disable.
Do you want to continue (y/n[n]): y
Vlan Membership Policy Server disabled.
Console> (enable)

Configuring Dynamic Ports on VMPS Clients


To configure dynamic ports on VMPS client switches, perform this task in privileged mode:

Task                                                                                Command
Step 1  Specify the IP address of the VMPS server (the switch with VMPS enabled).   set vmps server ip_addr [primary]
Step 2  Verify the VMPS server specification.                                       show vmps server
Step 3  Configure dynamic port VLAN membership assignment to a port.                set port membership mod/port dynamic
Step 4  Verify the dynamic port assignments.                                        show port [mod[/port]]


This example shows how to specify the VMPS server, verify the VMPS server specification, assign
dynamic ports, and verify the configuration:
Console> (enable) show vmps server
VMPS domain server VMPS Status
---------------------------------------
192.0.0.6
192.0.0.1 primary
192.0.0.9
Console> (enable) set port membership 3/1-3 dynamic
Ports 3/1-3 vlan assignment set to dynamic.
Spantree port fast start option enabled for ports 3/1-3.
Console> (enable) set port membership 1/2 dynamic
Trunking port 1/2 vlan assignment cannot be set to dynamic.
Console> (enable) set port membership 2/1 dynamic
ATM LANE port 2/1 vlan assignment can not be set to dynamic.
Console> show port
Port Name Status Vlan Level Duplex Speed Type
1/1 connect dyn-3 normal full 100 100 BASE-TX
1/2 connect trunk normal half 100 100 BASE-TX
2/1 connect trunk normal full 155 OC3 MMF ATM
3/1 connect dyn-5 normal half 10 10 BASE-T
3/2 connect dyn-5 normal half 10 10 BASE-T
3/3 connect dyn-5 normal half 10 10 BASE-T
Console> (enable)

Note The show port command displays dyn- under the Vlan column for a dynamic port that has not yet
been assigned a VLAN.

Administering and Monitoring VMPS


To show information about MAC address-to-VLAN mappings, perform one of these tasks in
privileged mode:

Task                                                                   Command
Show the VLAN to which a MAC address is mapped in the database.        show vmps mac [mac_address]
Show the MAC addresses that are mapped to a VLAN in the database.      show vmps vlan [vlan_name]
Show ports belonging to a restricted VLAN.                             show vmps vlanports [vlan_name]

To show VMPS statistics, perform this task in privileged mode:

Task                      Command
Show VMPS statistics.     show vmps statistics


To clear VMPS statistics, perform this task in privileged mode:

Task                      Command
Clear VMPS statistics.    clear vmps statistics

To clear a VMPS server entry, perform this task in privileged mode:

Task                          Command
Clear a VMPS server entry.    clear vmps server ip_addr

To reconfirm the dynamic port VLAN membership assignments, perform this task in privileged mode:

Task                                                    Command
Step 1  Reconfirm dynamic port VLAN membership.         reconfirm vmps
Step 2  Verify the dynamic VLAN reconfirmation status.  show dvlan statistics

This example shows how to reconfirm dynamic port VLAN membership assignments:
Console> (enable) reconfirm vmps
reconfirm process started
Use 'show dvlan statistics' to see reconfirm status
Console> (enable)

To download the VMPS database manually (to download a changed database configuration file or retry
after a failed download attempt), perform this task in privileged mode:

Task                                                                                                         Command
Step 1  Download the VMPS database from the TFTP server, or specify a different VMPS database configuration file.   download vmps
Step 2  Verify the VMPS database configuration file.                                                         show vmps

Configuring Static VLAN Port Membership


To return a port to static VLAN port membership, perform this task in privileged mode:

Task                                                            Command
Step 1 Configure static port VLAN membership assignment to a port.   set port membership mod/port static
Step 2 Verify the static port assignments.                           show port [mod[/port]]


This example shows how to return a port to static VLAN port membership:
Console> (enable) set port membership 3/1 static
Port 3/1 vlan assignment set to static.
Console> (enable)

Troubleshooting VMPS and Dynamic Port VLAN Membership


These sections describe how to troubleshoot VMPS and dynamic port VLAN membership:
• Troubleshooting VMPS, page 18-8
• Troubleshooting Dynamic Port VLAN Membership, page 18-8

Troubleshooting VMPS
Table 18-2 shows VMPS error messages you might see when you enter the set vmps state enable or the
download vmps command.

Table 18-2 VMPS Error Messages

VMPS Error Message                                                          Recommended Action
TFTP server IP address is not configured.                                   Specify the TFTP server address using the set vmps tftpserver ip_addr [filename] command.
Unable to contact the TFTP server 172.16.254.222.                           Enter a static route (using the set ip route command) to the TFTP server.
File “vmps_configuration.db” not found on the TFTP server 172.16.254.222.   Check the filename of the VMPS database configuration file on the TFTP server. Make sure the permissions are set correctly.
Enable failed due to insufficient resources.                                The switch does not have sufficient resources to run the database. You can fix this problem by increasing the dynamic random-access memory (DRAM).

After VMPS successfully downloads the VMPS database configuration file, it parses the file and builds
a database. When the parsing is complete, VMPS outputs statistics about the total number of lines parsed
and the number of parsing errors.
To obtain more information on VMPS parsing errors, set the syslog level for VMPS to 3 using the set
logging level vmps 3 command.

Troubleshooting Dynamic Port VLAN Membership


A dynamic port might shut down under these circumstances:
• VMPS is in secure mode and it is illegal for the host to connect to the port. The port shuts down to
prevent the host from connecting to the network.
• More than 50 active hosts reside on a dynamic port.
To reenable a shut-down dynamic port, enter the set port enable mod/port command.


Dynamic Port VLAN Membership with VMPS Configuration Examples

These sections show examples of how to configure VMPS and dynamic ports:
• VMPS Database Configuration File Example, page 18-9
• Dynamic Port VLAN Membership Configuration Example, page 18-10

VMPS Database Configuration File Example


This example shows a sample VMPS database configuration file. A VMPS database configuration file
is an ASCII text file that is stored on a TFTP server accessible to the switch configured as the VMPS
server. A summary of the configuration example follows:
• The security mode is open.
• The default is used for the fallback VLAN.
• MAC address-to-VLAN name mappings—The MAC address of each host and the VLAN to which
each host belongs is defined.
• Port groups are defined.
• VLAN groups are defined.
• VLAN port policies are defined for the ports associated with restricted VLANs.
!VMPS File Format, version 1.1
! Always begin the configuration file with
! the word “VMPS”
!
!vmps domain <domain-name>
! The VMPS domain must be defined.
!vmps mode {open | secure}
! The default mode is open.
!vmps fallback <vlan-name>
!vmps no-domain-req { allow | deny }
!
! The default value is allow.
vmps domain WBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
!
!MAC Addresses
!
vmps-mac-addrs
!
! address <addr> vlan-name <vlan_name>
!
address 0012.2233.4455 vlan-name hardware
address 0000.6509.a080 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address 1223.5678.9abc vlan-name ExecStaff
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
!


!Port Groups
!
!vmps-port-group <group-name>
! device <device-id> { port <port-name> | all-ports }
!
vmps-port-group WiringCloset1
device 198.92.30.32 port 3/2
device 172.20.26.141 port 2/8
vmps-port-group “Executive Row”
device 198.4.254.222 port 1/2
device 198.4.254.222 port 1/3
device 198.4.254.223 all-ports
!
!
!VLAN groups
!
!vmps-vlan-group <group-name>
! vlan-name <vlan-name>
!
vmps-vlan-group Engineering
vlan-name hardware
vlan-name software
!
!
!VLAN port Policies
!
!vmps-port-policies {vlan-name <vlan_name> | vlan-group <group-name> }
! { port-group <group-name> | device <device-id> port <port-name> }
!
vmps-port-policies vlan-group Engineering
port-group WiringCloset1
vmps-port-policies vlan-name Green
device 198.92.30.32 port 4/8
vmps-port-policies vlan-name Purple
device 198.4.254.22 port 1/2
port-group “Executive Row”
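The following Python parser for the database file format shown above is an added example, not part of the Cisco guide. It reads a constructed file with the same sections and then answers a VMPS query (switch IP, port, MAC) the way this chapter describes the server behaving: a MAC maps to a VLAN name, --NONE-- refuses the host, a VLAN named in a port policy is restricted to the listed ports, an unknown host gets the fallback VLAN, and a refused host shuts the port down in secure mode. Those resolution rules are my reading of the chapter (an assumption), not Cisco's implementation.

```python
"""Parser and query resolver for the VMPS database file format shown above (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the guide's format (not the guide's own example file).
SAMPLE_DB = """\
!VMPS File Format, version 1.1
vmps domain WBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
vmps-mac-addrs
address 0012.2233.4455 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address fedc.ba98.7654 vlan-name --NONE--
vmps-port-group WiringCloset1
 device 198.92.30.32 port 3/2
 device 172.20.26.141 port 2/8
vmps-port-group "Executive Row"
 device 198.4.254.223 all-ports
vmps-vlan-group Engineering
 vlan-name hardware
 vlan-name software
vmps-port-policies vlan-group Engineering
 port-group WiringCloset1
vmps-port-policies vlan-name Green
 device 198.92.30.32 port 4/8
 port-group "Executive Row"
"""

@dataclass
class VmpsDb:
    domain: str = ""
    mode: str = "open"
    fallback: str = ""                                # empty: no fallback VLAN
    no_domain_req: str = "allow"
    mac_to_vlan: dict = field(default_factory=dict)   # "0012.2233.4455" -> "hardware"
    port_groups: dict = field(default_factory=dict)   # group -> [(device_ip, port or "*")]
    vlan_groups: dict = field(default_factory=dict)   # group -> [vlan names]
    policies: list = field(default_factory=list)      # [((kind, name), [entries])]

def _tokens(line):
    """Split a line into words, keeping a quoted group name such as "Executive Row" whole."""
    return [t.strip('"\u201c\u201d') for t in re.findall(r'"[^"]*"|\u201c[^\u201d]*\u201d|\S+', line)]

def parse_vmps_db(text):
    db, target = VmpsDb(), None                       # target: where indented entries go
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()           # '!' begins a comment
        if not line:
            continue
        t = _tokens(line)
        if t[0] == "vmps":                            # vmps domain|mode|fallback|no-domain-req <v>
            setattr(db, t[1].replace("-", "_"), t[2])
        elif t[0] == "vmps-mac-addrs":
            target = db.mac_to_vlan
        elif t[0] == "vmps-port-group":
            target = db.port_groups.setdefault(t[1], [])
        elif t[0] == "vmps-vlan-group":
            target = db.vlan_groups.setdefault(t[1], [])
        elif t[0] == "vmps-port-policies":            # vlan-name <v> | vlan-group <g>
            target = []
            db.policies.append(((t[1], t[2]), target))
        elif t[0] == "address":                       # address <mac> vlan-name <vlan>
            target[t[1].lower()] = t[3]
        elif t[0] == "device":                        # device <ip> port <p> | all-ports
            target.append((t[1], "*" if t[2] == "all-ports" else t[3]))
        elif t[0] == "vlan-name":                     # member of a VLAN group
            target.append(t[1])
        elif t[0] == "port-group":                    # policy entry naming a port group
            target.append(("group", t[1]))
        else:
            raise ValueError(f"unrecognized line: {raw!r}")
    return db

def _allowed_ports(db, vlan):
    """Ports a restricted VLAN may be assigned on; None when no port policy names the VLAN."""
    allowed = None
    for (kind, name), entries in db.policies:
        if (kind == "vlan-name" and name == vlan) or (
                kind == "vlan-group" and vlan in db.vlan_groups.get(name, [])):
            allowed = [] if allowed is None else allowed
            for e in entries:
                allowed.extend(db.port_groups.get(e[1], []) if e[0] == "group" else [e])
    return allowed

def resolve(db, device, port, mac):
    """Answer a VMPS query: ("assign", vlan), or a refusal that shuts the port down in
    secure mode and leaves it unassigned in open mode (assumed rules, see lead-in)."""
    refuse = "shutdown" if db.mode == "secure" else "deny"
    vlan = db.mac_to_vlan.get(mac.lower())
    if vlan is None:                                  # unknown host: fallback VLAN or refusal
        return ("assign", db.fallback) if db.fallback else (refuse, "host not in database")
    if vlan == "--NONE--":
        return (refuse, "host explicitly denied")
    allowed = _allowed_ports(db, vlan)
    if allowed is not None and not any(d == device and p in ("*", port) for d, p in allowed):
        return (refuse, f"{vlan} is restricted and not permitted on {device} port {port}")
    return ("assign", vlan)
```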

Dynamic Port VLAN Membership Configuration Example


Figure 18-1 shows a network with a VMPS server switch and VMPS client switches with dynamic ports.
In this example, these assumptions apply:
• The VMPS server and the VMPS client are separate switches.
• Switch 1 is the primary VMPS server.
• Switch 3 and Switch 10 are secondary VMPS servers.
• End stations are connected to these clients:
– Switch 2
– Switch 9
• The database configuration file is called Bldg-G.db and is stored on a TFTP server with IP address
172.20.22.7.


Figure 18-1 Dynamic Port VLAN Membership Configuration

[Figure: Catalyst 6500 series switches on an Ethernet segment. Labels recovered from the figure:
TFTP server 172.20.22.7
Switch 1 (172.20.26.150), primary VMPS server 1
Switch 2 (172.20.26.151), client; End station 1 on port 3/1
Switch 3 (172.20.26.152), secondary VMPS server 2
Switch 4 (172.20.26.153), Switch 5 (172.20.26.154), Switch 6 (172.20.26.155), Switch 7 (172.20.26.156), Switch 8 (172.20.26.157)
Switch 9 (172.20.26.158), client; End station 2
Switch 10 (172.20.26.159), secondary VMPS server 3]


Use this procedure to configure VMPS and dynamic ports:

Step 1 Configure Switch 1 as the primary VMPS server.
a. Configure the IP address of the TFTP server on which the ASCII file resides:
Console> (enable) set vmps tftpserver 172.20.22.7 Bldg-G.db

b. Enable VMPS:
Console> (enable) set vmps state enable

After entering these commands, the file Bldg-G.db is downloaded to Switch 1. Switch 1 becomes the
VMPS server.
Step 2 Configure the VMPS server addresses on each VMPS client.
a. Configure the primary VMPS server IP address:
Console> (enable) set vmps server 172.20.26.150 primary

b. Configure the secondary VMPS server IP addresses:
Console> (enable) set vmps server 172.20.26.152
Console> (enable) set vmps server 172.20.26.159

c. Verify the VMPS server addresses:
Console> (enable) show vmps server

Step 3 Configure port 3/1 on Switch 2 as dynamic.
Console> (enable) set port membership 3/1 dynamic

Step 4 Connect End Station 2 on port 3/1. When End Station 2 sends a packet, Switch 2 sends a query to the
primary VMPS server, Switch 1. Switch 1 responds with the VLAN to assign to port 3/1. Because
spanning tree PortFast mode is enabled by default on dynamic ports, port 3/1 connects immediately and
enters forwarding mode.
Step 5 Repeat Steps 2 and 3 to configure the VMPS server addresses and assign dynamic ports on each VMPS
client switch.

Dynamic Port VLAN Membership with Auxiliary VLANs


Note This feature requires software release 6.2(1) or later releases.

This section describes how to configure a dynamic port to belong to two VLANs—a native VLAN and
an auxiliary VLAN. This section uses the following terminology:
• Auxiliary VLAN—Separate VLAN for IP phones
• Native VLAN—Traditional VLAN for data
• Auxiliary VLAN ID—VLAN ID of an auxiliary VLAN
• Native VLAN ID—VLAN ID of a native VLAN


Prior to software release 6.2(1), dynamic ports could only belong to one VLAN. You could not enable the
dynamic port VLAN feature on ports that carried a native VLAN and an auxiliary VLAN.
With software release 6.2(1) and later releases, the dynamic ports can belong to two VLANs. The switch
port configured for connecting an IP phone can have separate VLANs configured for carrying:
• Voice traffic to and from the IP phone (auxiliary VLAN)
• Data traffic to and from the PC connected to the switch through the access port of the IP phone
(native VLAN)
These sections include configuration guidelines and examples:
• Configuration Guidelines, page 18-13
• Configuring Dynamic Port VLAN Membership with Auxiliary VLANs, page 18-13

Note For detailed information on auxiliary VLANs and Cisco voice-over-IP networks, see Chapter 44,
“Configuring a VoIP Network.”

Configuration Guidelines
These guidelines and restrictions apply to configuring dynamic port VLAN membership for auxiliary
VLANs:
• Configuration of the native VLAN ID is dynamic for the PC connected to the access port of the IP phone.
Configuration of the auxiliary VLAN ID is not dynamic; you need to configure it manually. As the
auxiliary VLAN ID is manually configured, the VMPS server is queried for packets coming from the PC,
not for packets coming from the IP phone.
• All packets except Cisco Discovery Protocol (CDP) packets from the IP phone are tagged with the
auxiliary VLAN ID. All packets tagged with the auxiliary VLAN ID are considered to be packets
from the phone and all other packets are considered to be packets from the PC.
• When configuring the auxiliary VLAN ID with 802.1p or untagged frames, you need to configure
the VMPS server with the IP phone’s MAC address (see the “Dynamic Port VLAN Membership with
VMPS Configuration Examples” section on page 18-9 for information on configuring VMPS).
• For dynamic ports, the auxiliary VLAN ID cannot be the same as the native VLAN ID assigned by
VMPS for the dynamic port.
• See the “Dynamic Port VLAN Membership and VMPS Configuration Guidelines” section on
page 18-3 prior to configuring any port.

Configuring Dynamic Port VLAN Membership with Auxiliary VLANs


This example shows how to add voice ports to auxiliary VLANs and specify an encapsulation type:
Console> (enable) set port auxiliaryvlan 5/9 222
Auxiliaryvlan 222 configuration successful.
AuxiliaryVlan AuxVlanStatus Mod/Ports
------------- ------------- -------------------------
222 active 5/9
Console> (enable)


Console> (enable) set port auxiliaryvlan 5/9 dot1p
Port 5/9 allows the connected device send and receive packets with 802.1p priority.
Console> (enable)

This example shows how to specify port 5/9 as a dynamic port:
Console> (enable) set port membership 5/9 dynamic
Warning: Auxiliary Vlan set to dot1p|untagged on dynamic port. VMPS will be queried for IP
phones.
Port 5/9 vlan assignment set to dynamic.
Spantree port fast start option enabled for ports 5/9.
Console> (enable)

This example shows that the auxiliary VLAN ID specified cannot be the same as the native VLAN ID:
Console> (enable) set port auxiliaryvlan 5/10 223
Auxiliary vlan cannot be set to 223 as PVID=223.
Console> (enable)

CHAPTER 19
Checking Port Status and Connectivity

This chapter describes how to check switch port status and connectivity on the Catalyst 6000 family
switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:
• Checking Module Status, page 19-1
• Checking Port Status, page 19-2
• Checking Port Capabilities, page 19-4
• Using Telnet, page 19-4
• Using Secure Shell Encryption for Telnet Sessions, page 19-5
• Monitoring User Sessions, page 19-6
• Using Ping, page 19-7
• Using Layer 2 Traceroute, page 19-9
• Using IP Traceroute, page 19-10

Checking Module Status


Catalyst 6000 family switches are multimodule systems. You can see what modules are installed, as well
as the MAC address ranges and version numbers for each module, using the show module [mod]
command. Specify a particular module number to see detailed information on that module.
This example shows how to check module status. The output shows that there is one supervisor engine
and four additional modules installed in the chassis.


Console> (enable) show module
Mod Slot Ports Module-Type Model Status
--- ---- ----- ------------------------- ------------------- --------
1 1 2 1000BaseX Supervisor WS-X6K-SUP1-2GE ok
2 2 24 100BaseFX MM Ethernet WS-X6224-100FX-MT ok
3 3 8 1000BaseX Ethernet WS-X6408-GBIC ok
4 4 48 10/100BaseTX (Telco) WS-X6248-TEL ok
5 5 48 10/100BaseTX (RJ-45) WS-X6248-RJ-45 ok

Mod Module-Name Serial-Num
--- ------------------- -----------
1 SAD03040546
2 SAD03110020
3 SAD03070194
4 SAD03140787
5 SAD03181291

Mod MAC-Address(es) Hw Fw Sw
--- -------------------------------------- ------ ---------- -----------------
1 00-50-f0-a8-26-b2 to 00-50-f0-a8-26-b3 1.4 5.1(1) 5.2(1)CSX
00-50-f0-a8-26-b0 to 00-50-f0-a8-26-b1
00-50-3e-8d-64-00 to 00-50-3e-8d-67-ff
2 00-50-54-6c-e9-a8 to 00-50-54-6c-e9-bf 1.3 4.2(0.24)V 5.2(1)CSX
3 00-50-54-6c-93-6c to 00-50-54-6c-93-73 1.4 4.2(0.24)V 5.2(1)CSX
4 00-50-54-bf-59-64 to 00-50-54-bf-59-93 0.103 4.2(0.24)V 5.2(1)CSX
5 00-50-f0-ac-30-54 to 00-50-f0-ac-30-83 1.0 4.2(0.24)V 5.2(1)CSX

Mod Sub-Type Sub-Model Sub-Serial Sub-Hw
--- ----------------------- ------------------- ----------- ------
1 L2 Switching Engine I WS-F6020 SAD03040312 1.0
Console> (enable)

This example shows how to check module status on a specific module:
Console> (enable) show module 4
Mod Slot Ports Module-Type Model Status
--- ---- ----- ------------------------- ------------------- --------
4 4 48 10/100BaseTX (Telco) WS-X6248-TEL ok

Mod Module-Name Serial-Num
--- ------------------- -----------
4 SAD03140787

Mod MAC-Address(es) Hw Fw Sw
--- -------------------------------------- ------ ---------- -----------------
4 00-50-54-bf-59-64 to 00-50-54-bf-59-93 0.103 4.2(0.24)V 5.2(1)CSX
Console> (enable)

Checking Port Status


You can see summary or detailed information on the switch ports using the show port [mod[/port]]
command. To see summary information on all of the ports on the switch, enter the show port command
with no arguments. Specify a particular module number to see information on the ports on that module
only. Enter both the module number and the port number to see detailed information about the specified
port.
To apply configuration commands to a particular port, you must specify the appropriate logical module.
For more information, see the “Checking Module Status” section on page 19-1.


This example shows how to see information on the ports on a specific module only:
Console> (enable) show port 1
Port Name Status Vlan Duplex Speed Type
----- ------------------ ---------- ---------- ------ ----- ------------
1/1 connected 1 full 1000 1000BaseSX
1/2 notconnect 1 full 1000 1000BaseSX

Port Security Secure-Src-Addr Last-Src-Addr Shutdown Trap IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
1/1 disabled No disabled 3
1/2 disabled No disabled 4

Port Broadcast-Limit Broadcast-Drop
-------- --------------- --------------------
1/1 - 0
1/2 - 0

Port Send FlowControl Receive FlowControl RxPause TxPause
admin oper admin oper
----- -------- -------- -------- -------- ---------- ----------
1/1 desired off off off 0 0
1/2 desired off off off 0 0

Port Status Channel Admin Ch Neighbor Neighbor
Mode Group Id Device Port
----- ---------- --------- ----- ----- ----------------------------------- -----
1/1 connected auto 65 0
1/2 notconnect auto 65 0

Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize
----- ---------- ---------- ---------- ---------- ---------
1/1 0 0 0 0 0
1/2 0 0 0 0 0

Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
1/1 0 0 0 0 0 0 0
1/2 0 0 0 0 0 0 0

Last-Time-Cleared
--------------------------
Tue Jun 8 1999, 10:01:35
Console> (enable)

This example shows how to see information on an individual port:
Console> (enable) show port 1/1
Port Name Status Vlan Duplex Speed Type
----- ------------------ ---------- ---------- ------ ----- ------------
1/1 connected 1 full 1000 1000BaseSX

Port Security Secure-Src-Addr Last-Src-Addr Shutdown Trap IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
1/1 disabled No disabled 3

Port Broadcast-Limit Broadcast-Drop
-------- --------------- --------------------
1/1 - 0

Port Send FlowControl Receive FlowControl RxPause TxPause
admin oper admin oper
----- -------- -------- -------- -------- ---------- ----------
1/1 desired off off off 0 0


Port Status Channel Admin Ch Neighbor Neighbor
Mode Group Id Device Port
----- ---------- --------- ----- ----- ----------------------------------- -----
1/1 connected auto 65 0

Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize
----- ---------- ---------- ---------- ---------- ---------
1/1 0 0 0 0 0

Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
1/1 0 0 0 0 0 0 0

Last-Time-Cleared
--------------------------
Tue Jun 8 1999, 10:01:35
Console> (enable)

Checking Port Capabilities


You can display the capabilities of any port in a switch using the show port capabilities [[mod][/port]]
command.
This example shows you how to display the port capabilities for switch ports:
Console> (enable) show port capabilities 1/1
Model WS-X6K-SUP1A-2GE
Port 1/1
Type No Connector
Speed 1000
Duplex full
Trunk encap type 802.1Q,ISL
Trunk mode on,off,desirable,auto,nonegotiate
Channel yes
Broadcast suppression percentage(0-100)
Flow control receive-(off,on,desired),send-(off,on,desired)
Security yes
Membership static,dynamic
Fast start yes
QOS scheduling rx-(1p1q4t),tx-(1p2q2t)
CoS rewrite yes
ToS rewrite DSCP
UDLD yes
Inline power no
AuxiliaryVlan no
SPAN source,destination
COPS port group 1/1-2
Console> (enable)

Using Telnet
You can access the switch command-line interface (CLI) using Telnet. In addition, you can use Telnet
from the switch to access other devices in the network. Up to eight simultaneous Telnet sessions are
possible.


To Telnet to another device on the network from the switch, perform this task in privileged mode:

Task Command
Open a Telnet session with a remote host. telnet host [port]

This example shows how to Telnet from the switch to a remote host:
Console> (enable) telnet labsparc
Trying 172.16.10.3...
Connected to labsparc.
Escape character is '^]'.

UNIX(r) System V Release 4.0 (labsparc)

login:

Using Secure Shell Encryption for Telnet Sessions


Note To use the Secure Shell encryption feature commands, you must be running an encryption image.
The set crypto key rsa, clear crypto key rsa, and show crypto key commands are used for
encryption. See Chapter 25, “Working with System Software Images” for the software image naming
conventions used for the encryption images.

The Secure Shell encryption feature provides security for Telnet sessions to the switch. Secure Shell
encryption is supported for remote logins to the switch only. Telnet sessions initiated from the switch
cannot be encrypted. To use this feature, you must install the application on the client accessing the
switch, and you must configure Secure Shell encryption on the switch.
The current implementation of Secure Shell encryption supports SSH version 1, the DES and 3DES
encryption methods, and can be used with RADIUS and TACACS+ authentication. To configure
authentication with Secure Shell encryption, use the telnet keyword in the set authentication
commands.

Note If you are using Kerberos to authenticate to the switch, you will not be able to use the Secure Shell
encryption feature.

To enable Secure Shell encryption on the switch, perform this task in privileged mode:

Task Command
Create the RSA host key. set crypto key rsa nbits [force]

This example shows how to create the RSA host key:
Console> (enable) set crypto key rsa 1024
Generating RSA keys.... [OK]
Console> (enable)


The nbits value specifies the RSA key size. The valid key size range is 512 to 2048 bits. A larger key
size provides higher security but takes longer to generate.
You can enter the optional force keyword to regenerate the keys and suppress the warning prompt about
overwriting existing keys.

Monitoring User Sessions


You can display the currently active user sessions on the switch using the show users command. The
command output displays all active console port and Telnet sessions on the switch.
To display the active user sessions on the switch, perform this task in privileged mode:

Task Command
Display the currently active user sessions on the switch.   show users [noalias]

This example shows the output of the show users command when local authentication is enabled for
console and Telnet sessions (the asterisk [*] indicates the current session):
Console> (enable) show users
Session User Location
-------- ---------------- -------------------------
console
telnet sam-pc.bigcorp.com
* telnet jake-mac.bigcorp.com
Console> (enable)

This example shows the output of the show users command when TACACS+ authentication is enabled
for console and Telnet sessions:
Console> (enable) show users
Session User Location
-------- ---------------- -------------------------
console sam
telnet jake jake-mac.bigcorp.com
telnet tim tim-nt.bigcorp.com
* telnet suzy suzy-pc.bigcorp.com
Console> (enable)

This example shows how to display information about user sessions using the noalias keyword to
display the IP addresses of connected hosts:
Console> (enable) show users noalias
Session User Location
-------- ---------------- -------------------------
console
telnet 10.10.10.12
* telnet 10.10.20.46
Console> (enable)

To disconnect an active user session, perform this task in privileged mode:

Task Command
Disconnect an active user session on the switch. disconnect {console | ip_addr}


This example shows how to disconnect an active console port session and an active Telnet session:
Console> (enable) show users
Session User Location
-------- ---------------- -------------------------
console sam
telnet jake jake-mac.bigcorp.com
telnet tim tim-nt.bigcorp.com
* telnet suzy suzy-pc.bigcorp.com
Console> (enable) disconnect console
Console session disconnected.
Console> (enable) disconnect tim-nt.bigcorp.com
Telnet session from tim-nt.bigcorp.com disconnected. (1)
Console> (enable) show users
Session User Location
-------- ---------------- -------------------------
telnet jake jake-mac.bigcorp.com
* telnet suzy suzy-pc.bigcorp.com
Console> (enable)

Using Ping
These sections describe how to use IP ping:
• Understanding How Ping Works, page 19-7
• Executing Ping, page 19-8

Understanding How Ping Works


You can use IP ping to test connectivity to remote hosts. If you attempt to ping a host in a different IP
subnetwork, you must define a static route to the network or configure a router to route between those
subnets.
The ping command is configurable from normal executive and privileged executive mode. In normal
executive mode, the ping command supports the -s parameter, which allows you to specify the packet
size and packet count. In privileged executive mode, the ping command lets you specify the packet size,
packet count, and the wait time.
Table 19-1 shows the default values that apply to the ping -s command.

Table 19-1 Ping Default Values

Description         Ping              Ping -s
Number of Packets   5                 0 = continuous ping
Packet Size         56                56
Wait Time           2                 2
Source Address      Host IP Address   N/A

To stop a ping in progress, press Ctrl-C.


Ping returns one of the following responses:
• Normal response—The normal response (hostname is alive) occurs in 1 to 10 seconds, depending
on network traffic.
• Destination does not respond—If the host does not respond, a no answer message is returned.
• Unknown host—If the host does not exist, an unknown host message is returned.
• Destination unreachable—If the default gateway cannot reach the specified network, a destination
unreachable message is returned.
• Network or host unreachable—If there is no entry in the route table for the host or network, a
network or host unreachable message is returned.

Executing Ping
To ping another device on the network from the switch, perform one of these tasks in normal or
privileged mode:

Task Command
Ping a remote host. ping host
Ping a remote host using ping options. ping -s host [packet_size] [packet_count]

This example shows how to ping a remote host from normal executive mode:
Console> ping labsparc
labsparc is alive
Console> ping 72.16.10.3
12.16.10.3 is alive
Console>

This example shows how to ping a remote host using the ping -s option:
Console> ping -s 12.20.5.3 800 10
PING 12.20.2.3: 800 data bytes
808 bytes from 12.20.2.3: icmp_seq=0. time=2 ms
808 bytes from 12.20.2.3: icmp_seq=1. time=3 ms
808 bytes from 12.20.2.3: icmp_seq=2. time=2 ms
808 bytes from 12.20.2.3: icmp_seq=3. time=2 ms
808 bytes from 12.20.2.3: icmp_seq=4. time=2 ms
808 bytes from 12.20.2.3: icmp_seq=5. time=2 ms
808 bytes from 12.20.2.3: icmp_seq=6. time=2 ms
808 bytes from 12.20.2.3: icmp_seq=7. time=2 ms
808 bytes from 12.20.2.3: icmp_seq=8. time=2 ms
808 bytes from 12.20.2.3: icmp_seq=9. time=3 ms

----17.20.2.3 PING Statistics----
10 packets transmitted, 10 packets received, 0% packet loss
round-trip (ms) min/avg/max = 2/2/3
Console>


This example shows how to enter a ping command in privileged mode specifying the number of packets,
the packet size, and the timeout period:
Console> (enable) ping
Target IP Address []: 12.20.5.19
Number of Packets [5]: 10
Datagram Size [56]: 100
Timeout in seconds [2]: 10
Source IP Address [12.20.2.18]: 12.20.2.18
!!!!!!!!!!

----12.20.2.19 PING Statistics----
10 packets transmitted, 10 packets received, 0% packet loss
round-trip (ms) min/avg/max = 1/1/1
Console> (enable)

Using Layer 2 Traceroute


The Layer 2 Traceroute utility allows you to identify the physical path that a packet will take when going
from a source to a destination. The Layer 2 Traceroute utility determines the path by looking at the
forwarding engine tables of the switches in the path.
Information is displayed about all Catalyst 6000 family switches that are in the path from the source to
the destination.
These sections describe how to use Layer 2 Traceroute:
• Layer 2 Traceroute Usage Guidelines, page 19-9
• Identifying a Layer 2 Path, page 19-10

Layer 2 Traceroute Usage Guidelines


Follow these guidelines for using the Layer 2 Traceroute utility:
• The Layer 2 Traceroute utility works for unicast traffic only.
• You must enable CDP on all of the Catalyst 5000 and 6000 family switches in the network. (See
Chapter 29, “Configuring CDP” for information about enabling CDP.) If any devices in the path are
transparent to CDP, l2trace will not be able to trace the Layer 2 path through those devices.
• You can use this utility from a switch that is not in the Layer 2 path between the source and the
destination; however, all of the switches in the path, including the source and destination, must be
reachable from the switch.
• All switches in the path must be reachable from each other.
• You can trace a Layer 2 path by specifying the source and destination IP addresses (or IP aliases) or
the MAC addresses. If the source and destination belong to multiple VLANs and you specify MAC
addresses, you can also specify a VLAN.
• The source and destination switches must belong in the same VLAN.
• The maximum number of hops an l2trace query will try is 10; this includes hops involved in source
tracing.
• The Layer 2 Traceroute utility does not work with Token Ring VLANs, or when multiple devices are
attached to one port through hubs, or when multiple neighbors are on a port.


Identifying a Layer 2 Path


To identify a Layer 2 path, perform one of these tasks in privileged mode:

Task Command
(Optional) Trace a Layer 2 path using MAC addresses.                 l2trace {src-mac-addr} {dest-mac-addr} [vlan] [detail]
(Optional) Trace a Layer 2 path using IP addresses or IP aliases.    l2trace {src-ip-addr} {dest-ip-addr} [detail]

This example shows the source and destination MAC addresses specified, with no VLAN specified, and
the detail option specified. For each Catalyst 5000 and 6000 family switch found in the path, the output
shows the device type, device name, device IP address, in port name, in port speed, in port duplex mode,
out port name, out port speed, and out port duplex mode.
Console> (enable) l2trace 00-01-22-33-44-55 10-22-33-44-55-66 detail

l2trace vlan number is 10.

00-01-22-33-44-55 found in C5500 named wiring-1 on port 4/1 10Mb half duplex
C5500:wiring-1:192.168.242.10:4/1 10Mb half duplex -> 5/2 100MB full duplex
C5000:backup-wiring-1:192.168.242.20:1/1 100Mb full duplex -> 3/1 100MB full duplex
C5000:backup-core-1:192.168.242.30:4/1 100 MB full duplex -> 1/1 100MB full duplex
C6000:core-1:192.168.242.40:1/1 100MB full duplex -> 2/1 10MB half duplex.
10-22-33-44-55-66 found in C6000 named core-1 on port 2/1 10MB half duplex.
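An added example (not Cisco's l2trace) that simulates the table walk described in the usage guidelines and the output above over a constructed three-switch topology: each switch's forwarding table gives the outgoing port for a MAC in a VLAN, the CDP neighbor on that port gives the next switch and its in port, and the hop limit and reachability guidelines become errors. The switch names, addresses and MACs follow the guide's sample output, but the tables themselves are constructed.

```python
"""Simulation of a Layer 2 traceroute over switch forwarding and CDP tables (added example)."""
from collections import namedtuple
from dataclasses import dataclass, field

MAX_HOPS = 10   # the guide's limit; hops spent locating the source count too
Hop = namedtuple("Hop", "name ip in_port in_link out_port out_link")

@dataclass
class Switch:
    name: str
    ip: str
    cam: dict = field(default_factory=dict)    # (vlan, mac) -> port the MAC was learned on
    cdp: dict = field(default_factory=dict)    # port -> CDP neighbor name (absent: no neighbor)
    link: dict = field(default_factory=dict)   # port -> speed/duplex text

# Constructed network: host A on wiring-1 4/1, host B on core-1 2/1, both in VLAN 10.
HOST_A, HOST_B = "00-01-22-33-44-55", "10-22-33-44-55-66"
NET = {s.name: s for s in [
    Switch("wiring-1", "192.168.242.10",
           cam={(10, HOST_A): "4/1", (10, HOST_B): "5/2"}, cdp={"5/2": "backup-wiring-1"},
           link={"4/1": "10Mb half duplex", "5/2": "100Mb full duplex"}),
    Switch("backup-wiring-1", "192.168.242.20",
           cam={(10, HOST_A): "1/1", (10, HOST_B): "3/1"}, cdp={"1/1": "wiring-1", "3/1": "core-1"},
           link={"1/1": "100Mb full duplex", "3/1": "100Mb full duplex"}),
    Switch("core-1", "192.168.242.40",
           cam={(10, HOST_A): "1/1", (10, HOST_B): "2/1"}, cdp={"1/1": "backup-wiring-1"},
           link={"1/1": "100Mb full duplex", "2/1": "10Mb half duplex"}),
]}

def _next_hop(sw, vlan, mac):
    """Port sw forwards frames for mac out of, and the CDP neighbor behind it (None: host-facing)."""
    port = sw.cam.get((vlan, mac))
    if port is None:
        raise LookupError(f"{mac} not learned on {sw.name} in VLAN {vlan}")
    return port, sw.cdp.get(port)

def _step(net, nbr, hops):
    """Move to the CDP neighbor, enforcing the hop limit and the reachability guideline."""
    if hops > MAX_HOPS:
        raise LookupError(f"more than {MAX_HOPS} hops")
    if nbr not in net:
        raise LookupError(f"switch {nbr} is not reachable")
    return net[nbr]

def l2trace(net, start, src_mac, dst_mac, vlan):
    """Return the path as a list of Hop, one per switch, from the source to the destination."""
    sw, hops = net[start], 0
    # Source tracing: follow src_mac from the querying switch until it sits on a host-facing port.
    while True:
        in_port, nbr = _next_hop(sw, vlan, src_mac)
        if nbr is None:
            break
        hops += 1
        sw = _step(net, nbr, hops)
    path = []
    # Now follow dst_mac switch by switch; each in port comes from the neighbor's own CDP table.
    while True:
        out_port, nbr = _next_hop(sw, vlan, dst_mac)
        path.append(Hop(sw.name, sw.ip, in_port, sw.link[in_port], out_port, sw.link[out_port]))
        if nbr is None:
            return path
        hops += 1
        prev, sw = sw.name, _step(net, nbr, hops)
        in_port = next((p for p, n in sw.cdp.items() if n == prev), None)
        if in_port is None:
            raise LookupError(f"{sw.name} has no CDP entry for {prev}")

def format_trace(path, src_mac, dst_mac):
    """Render the path in the style of the l2trace detail output shown in the guide."""
    lines = [f"{src_mac} found in {path[0].name} on port {path[0].in_port} {path[0].in_link}"]
    lines += [f"{h.name}:{h.ip}:{h.in_port} {h.in_link} -> {h.out_port} {h.out_link}" for h in path]
    lines.append(f"{dst_mac} found in {path[-1].name} on port {path[-1].out_port} {path[-1].out_link}")
    return "\n".join(lines)
```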

Using IP Traceroute
The IP Traceroute utility allows you to identify the path that packets take through the network at Layer 3
on a hop-by-hop basis. The command output displays all network layer (Layer 3) devices, such as
routers, that the traffic passes through on the way to the destination.
These sections describe how to use IP Traceroute:
• Understanding How IP Traceroute Works, page 19-10
• Executing IP Traceroute, page 19-11

Understanding How IP Traceroute Works


The traceroute command uses the Time To Live (TTL) field in the IP header to cause routers and servers
to generate specific return messages. Traceroute starts by sending a User Datagram Protocol (UDP)
datagram to the destination host with the TTL field set to 1. If a router finds a TTL value of 1 or 0, it
drops the datagram and sends back an Internet Control Message Protocol (ICMP) time-exceeded
message to the sender. The traceroute facility determines the address of the first hop by examining the
source address field of the ICMP time-exceeded message.
To identify the next hop, traceroute sends a UDP packet with a TTL value of 2. The first router
decrements the TTL field by 1 and sends the datagram to the next router. The second router sees a TTL
value of 1, discards the datagram, and returns the time-exceeded message to the source. This process
continues until the TTL is incremented to a value large enough for the datagram to reach the destination
host (or until the maximum TTL is reached).


To determine when a datagram reaches its destination, traceroute sets the UDP destination port in the
datagram to a very large value which the destination host is unlikely to be using. When a host receives
a datagram with an unrecognized port number, it sends an ICMP port unreachable error to the source.
This message indicates to the traceroute facility that it has reached the destination.
Switches can participate as the source or destination of the traceroute command but will not appear as
a hop in the traceroute command output.
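The probing sequence just described, as an added example that is not code from the guide: a small model of a path of routers, Layer 2 switches and a destination host with constructed addresses, walked with increasing TTL values so that each router's ICMP time-exceeded reply, the destination's port-unreachable reply, and the silent case (a host that actually listens on the probe port) can all be observed. The node kinds, addresses and open-port set are assumptions of the model.

```python
"""TTL-probing model of the traceroute procedure described above."""
from dataclasses import dataclass

ROUTER, SWITCH, HOST = "router", "switch", "host"


@dataclass(frozen=True)
class Node:
    kind: str                                   # ROUTER, SWITCH or HOST
    addr: str                                   # address the node reports with (constructed)
    open_udp_ports: frozenset = frozenset()     # only meaningful for a HOST


def send_probe(path, ttl, dest_port):
    """Carry one UDP probe with the given TTL along `path`.

    Returns (reply, reporter): "time-exceeded" from the router whose
    decrement drove TTL to 0, "port-unreachable" from the destination host
    when nothing listens on dest_port, or "silent" when the host accepted
    the datagram (no ICMP error, so the probe times out at the sender).
    """
    for node in path:
        if node.kind == SWITCH:
            # A Layer 2 switch forwards the frame without rewriting the IP
            # header: TTL is not decremented and the switch never answers,
            # which is why switches do not appear as hops.
            continue
        if node.kind == ROUTER:
            ttl -= 1
            if ttl <= 0:
                return "time-exceeded", node.addr
            continue
        # Destination host reached.
        if dest_port in node.open_udp_ports:
            return "silent", node.addr
        return "port-unreachable", node.addr
    return "silent", None


def traceroute(path, initial_ttl=1, max_ttl=30, dest_port=33434):
    """Return the hop list as the traceroute output would print it.

    Each probe uses a larger TTL than the last; "*" marks a probe that got
    no ICMP error back. Stops at the port-unreachable reply or at max_ttl.
    """
    hops = []
    for ttl in range(initial_ttl, max_ttl + 1):
        reply, reporter = send_probe(path, ttl, dest_port)
        if reply == "port-unreachable":
            hops.append(reporter)       # destination answered: done
            return hops
        hops.append(reporter if reply == "time-exceeded" else "*")
    return hops                         # max_ttl reached without an answer


# Constructed path mirroring the guide's sample output: a Layer 2 switch
# on the way to the first router, one router, an access switch, and the
# destination host 10.1.1.100, which listens on UDP/53 only.
SAMPLE_PATH = (
    Node(SWITCH, "distribution-switch"),
    Node(ROUTER, "10.1.1.1"),
    Node(SWITCH, "access-switch"),
    Node(HOST, "10.1.1.100", frozenset({53})),
)

if __name__ == "__main__":
    for n, hop in enumerate(traceroute(SAMPLE_PATH), start=1):
        print(f"{n:2d} {hop}")
    # A probe aimed at a port the host really uses never triggers the
    # port-unreachable signal, so every later probe is reported as "*".
    print(traceroute(SAMPLE_PATH, dest_port=53, max_ttl=4))
```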

Executing IP Traceroute
To trace the path that packets take through the network, perform this task in privileged mode:

Task                                                Command
Execute IP traceroute to trace the Layer 3 path     traceroute [-n] [-w wait_time] [-i initial_ttl] [-m max_ttl]
that packets take through the network.              [-p dest_port] [-q nqueries] [-t tos] host [data_size]

This example shows how to use the traceroute command:


Console> (enable) traceroute 10.1.1.100
traceroute to 10.1.1.100 (10.1.1.100), 30 hops max, 40 byte packets
1 10.1.1.1 (10.1.1.1) 1 ms 2 ms 1 ms
2 10.1.1.100 (10.1.1.100) 2 ms 2 ms 2 ms
Console> (enable)

This example shows how to perform a traceroute with six queries to each hop with packets of
1400 bytes each:
Console> (enable) traceroute -q 6 10.1.1.100 1400
traceroute to 10.1.1.100 (10.1.1.100), 30 hops max, 1440 byte packets
1 10.1.1.1 (10.1.1.1) 2 ms 2 ms 2 ms 1 ms 2 ms 2 ms
2 10.1.1.100 (10.1.1.100) 2 ms 4 ms 3 ms 3 ms 3 ms 3 ms
Console> (enable)

Chapter 20
Administering the Switch

This chapter describes how to perform various administrative tasks on the Catalyst 6000 family
switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Setting the System Name and System Prompt, page 20-1
• Setting the System Contact and Location, page 20-3
• Setting the System Clock, page 20-4
• Creating a Login Banner, page 20-4
• Defining Command Aliases, page 20-5
• Defining IP Aliases, page 20-6
• Configuring Static Routes, page 20-7
• Configuring Permanent and Static ARP Entries, page 20-8
• Scheduling a System Reset, page 20-9
• Power Management, page 20-11
• Environmental Monitoring, page 20-16
• Displaying System Status Information for Technical Support, page 20-17

Setting the System Name and System Prompt


The system name on the switch is a user-configurable string used to identify the device. The default
configuration has no system name configured.
If you do not manually configure a system name, the system name is obtained through the Domain Name
System (DNS) if you configure the switch as follows:
• Assign the sc0 interface an IP address that is mapped to the switch name on the DNS server
• Enable DNS on the switch
• Specify at least one valid DNS server on the switch


If the DNS lookup is successful, the DNS host name of the switch is configured as the system name of
the switch and is saved in NVRAM (the domain name is removed).
If you have not configured a system prompt, the first 20 characters of the system name are used as the
system prompt (a greater-than symbol [>] is appended). The prompt is updated whenever the system
name changes, unless you manually configure the prompt using the set prompt command.
The switch performs a DNS lookup for the system name whenever one of the following occurs:
• The switch is initialized (power on or reset)
• You configure the IP address on the sc0 interface using the command-line interface (CLI) or Simple
Network Management Protocol (SNMP)
• You configure a route using the set ip route command
• You clear the system name using the set system name command
• You enable DNS or specify DNS servers
If the system name is user configured, no DNS lookup is performed.

Setting the Static System Name and Prompt


These sections describe how to set the static system name and prompt:
• Setting the Static System Name, page 20-2
• Setting the Static System Prompt, page 20-3
• Clearing the System Name, page 20-3

Setting the Static System Name


To set a static system name, perform this task in privileged mode:

Task Command
Set the static system name. set system name name_string

Note When you set the system name, the system name is used as the system prompt. You can override the
prompt string with the set prompt command.

This example shows how to configure the system name on the switch:
Console> (enable) set system name Catalyst 6000
System name set.
Catalyst 6000> (enable)


Setting the Static System Prompt


To set the static system prompt, perform this task in privileged mode:

Task Command
Set the static system prompt. set prompt prompt_string

This example shows how to set the static system prompt on the switch:
Console> (enable) set prompt Catalyst6509>
Catalyst6509> (enable)

Clearing the System Name


To clear the system name, perform this task in privileged mode:

Task Command
Clear the system name. set system name

This example shows how to clear the system name:


Console> (enable) set system name
System name cleared.
Console> (enable)

Setting the System Contact and Location


You can set the system contact and location to help you with resource management tasks.
To set the system contact and location, perform this task in privileged mode:

Task Command
Step 1 Set the system contact. set system contact [contact_string]
Step 2 Set the system location. set system location [location_string]
Step 3 Verify the global system information. show system

This example shows how to set the system contact and location and verify the configuration:
Catalyst 6000> (enable) set system contact [email protected]
System contact set.
Catalyst 6000> (enable) set system location Sunnyvale CA
System location set.
Catalyst 6000> (enable) show system
PS1-Status PS2-Status Fan-Status Temp-Alarm Sys-Status Uptime d,h:m:s Logout
---------- ---------- ---------- ---------- ---------- -------------- ---------
ok none ok off ok 0,04:04:07 20 min


PS1-Type PS2-Type Modem Baud Traffic Peak Peak-Time
---------- ---------- ------- ----- ------- ---- -------------------------
other none disable 9600 0% 0% Tue Jun 23 1998, 16:51:36

System Name System Location System Contact
------------------------ ------------------------ ------------------------
Catalyst 6000 Sunnyvale CA [email protected]
Catalyst 6000> (enable)

Setting the System Clock


Note You can configure the switch to obtain the time and date using the Network Time Protocol (NTP).
For information on configuring NTP, see Chapter 31, “Configuring NTP.”

To set the system clock, perform this task in privileged mode:

Task Command
Step 1 Set the system clock. set time [day_of_week] [mm/dd/yy] [hh:mm:ss]
Step 2 Display the current date and time. show time

This example shows how to set the system clock and display the current date and time:
Console> (enable) set time Mon 06/15/98 12:30:00
Mon Jun 15 1998, 12:30:00
Console> (enable) show time
Mon Jun 15 1998, 12:30:02
Console> (enable)

Creating a Login Banner


You can create a single or multiline message banner that appears on the screen when someone logs in to
the switch. The first character following the motd keyword is used to delimit the beginning and end of
the banner text. Characters following the ending delimiter are discarded. After entering the ending
delimiter, press Return. The banner must be fewer than 3070 characters.
These sections describe how to configure and clear a login banner:
• Configuring a Login Banner, page 20-5
• Clearing the Login Banner, page 20-5


Configuring a Login Banner


To configure a login banner, perform this task in privileged mode:

Task                                                        Command
Step 1  Enter the message of the day.                       set banner motd c message_of_the_day c
Step 2  Display the login banner by logging out and
        logging back into the switch.

This example shows how to configure the login banner on the switch using the # symbol as the beginning
and ending delimiter:
Console> (enable) set banner motd #
Welcome to the Catalyst 6000 Switch!
Unauthorized access prohibited.
Contact [email protected] for access.
#
MOTD banner set
Console> (enable)

Clearing the Login Banner


To clear the login banner, perform this task in privileged mode:

Task Command
Clear the message of the day. set banner motd cc

This example shows how to clear the login banner:


Console> (enable) set banner motd ##
MOTD banner cleared
Console> (enable)

Defining Command Aliases


You can use the set alias command to define command aliases (shorthand versions of commands) for
frequently used or long and complex commands. Command aliases can save you time and can help
prevent typing errors when you are configuring or monitoring the switch.
The name argument defines the command alias. The command and parameter arguments define the
command to enter when the command alias is entered at the command line.
To define a command alias on the switch, perform this task in privileged mode:

Task Command
Step 1 Define a command alias on the switch. set alias name command [parameter] [parameter]
Step 2 Verify the currently defined command aliases. show alias [name]


This example shows how to define two command aliases, sm8 and sp8. sm8 issues the show module 8
command, and sp8 issues the show port 8 command. This example also shows how to verify the
currently defined command aliases and what happens when you enter the command aliases at the
command line:
Console> (enable) set alias sm8 show module 8
Command alias added.
Console> (enable) set alias sp8 show port 8
Command alias added.
Console> (enable) show alias
sm8 show module 8
sp8 show port 8
Console> (enable) sm8
Mod Module-Name Ports Module-Type Model Serial-Num Status
--- ------------------- ----- --------------------- --------- --------- -------
8 2 DS3 Dual PHY ATM WS-X5166 007243262 ok

Mod MAC-Address(es) Hw Fw Sw
--- -------------------------------------- ------ ---------- -----------------
8 00-60-2f-45-26-2f 2.0 1.3 51.1(103)
Console> (enable) sp8
Port Name Status Vlan Level Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
8/1 notconnect trunk normal full 45 DS3 ATM
8/2 notconnect trunk normal full 45 DS3 ATM

Port ifIndex
----- -------
8/1 285
8/2 286

Use 'session' command to see ATM counters.

Last-Time-Cleared
--------------------------
Thu Sep 10 1998, 16:56:08
Console> (enable)

Defining IP Aliases
You can use the set ip alias command to define textual aliases for IP addresses. IP aliases can make it
easier to refer to other network devices when using ping, telnet, and other commands, even when DNS
is not enabled.
The name argument defines the IP alias. The ip_addr argument defines the IP address to which the name
refers.
To define an IP alias on the switch, perform this task in privileged mode:

Task Command
Step 1 Define an IP alias on the switch. set ip alias name ip_addr
Step 2 Verify the currently defined IP aliases. show ip alias [name]


This example shows how to define two IP aliases, sparc and cat6509. sparc refers to IP address
172.20.52.3, and cat6509 refers to IP address 172.20.52.71. This example also shows how to verify the
currently defined IP aliases and what happens when you use the IP aliases with the ping command:
Console> (enable) set ip alias sparc 172.20.52.3
IP alias added.
Console> (enable) set ip alias cat6509 172.20.52.71
IP alias added.
Console> (enable) show ip alias
default 0.0.0.0
sparc 172.20.52.3
cat6509 172.20.52.71
Console> (enable) ping sparc
sparc is alive
Console> (enable) ping cat6509
cat6509 is alive
Console> (enable)

Configuring Static Routes


Note For information on configuring a default gateway (default route), see the “Configuring Default
Gateways” section on page 3-6.

In some situations, you might need to add a static routing table entry for one or more destination
networks. Static route entries consist of the destination IP network address, the IP address of the next
hop router, and the metric (hop count) for the route.
The destination IP network address can be variably subnetted to support Classless Interdomain Routing
(CIDR). You can specify the subnet mask (netmask) for a destination network using the number of
subnet bits or using the subnet mask in dotted decimal format. If no subnet mask is specified, the default
(classful) mask is used.
The switch forwards IP traffic generated by the switch using the longest address match in the IP routing
table. The switch does not use the IP routing table to forward traffic from connected devices, only IP
traffic generated by the switch itself (for example, Telnet, TFTP, and ping).
To configure a static route, perform this task in privileged mode:

Task                                                         Command
Step 1  Configure a static route to the remote network.      set ip route destination[/netmask] gateway [metric]
Step 2  Verify that the static route appears correctly in    show ip route
        the IP routing table.

This example shows how to configure a static route on the switch and how to verify that the route is
configured properly in the routing table:
Console> (enable) set ip route 172.16.16.0/20 172.20.52.127
Route added.
Console> (enable) show ip route
Fragmentation Redirect Unreachable
------------- -------- -----------
enabled enabled enabled


The primary gateway: 172.20.52.121

Destination Gateway RouteMask Flags Use Interface
--------------- --------------- ---------- ----- -------- ---------
172.16.16.0 172.20.52.127 0xfffff000 UG 0 sc0
default 172.20.52.121 0x0 UG 0 sc0
172.20.52.120 172.20.52.124 0xfffffff8 U 1 sc0
default default 0xff000000 UH 0 sl0
Console> (enable)
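The destination[/netmask] syntax and the longest-match lookup described above, as an added example that is not the switch's code: it parses a destination given with a prefix length, a dotted-decimal mask or no mask at all (classful default), prints the RouteMask the way show ip route does, and resolves targets against a table built to match the output above. Treating the keyword default as 0.0.0.0/0 and representing the connected sc0 subnet as a flag-U entry are assumptions of this example.

```python
"""Static-route parsing and longest-match lookup for set ip route entries."""
from ipaddress import IPv4Address, IPv4Network


def parse_destination(spec):
    """Parse the destination[/netmask] argument of `set ip route`.

    The netmask may be a prefix length ("172.16.16.0/20") or dotted
    decimal ("172.16.16.0/255.255.240.0"); with no mask the classful
    default is used. "default" stands for 0.0.0.0/0 (an assumption that
    matches the name shown in the routing table above).
    """
    if spec == "default":
        return IPv4Network("0.0.0.0/0")
    if "/" in spec:
        addr, mask = spec.split("/", 1)
        mask = mask if "." in mask else int(mask)
        return IPv4Network((addr, mask), strict=False)
    first_octet = int(spec.split(".")[0])
    # Classful default: class A /8, class B /16, class C /24.
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return IPv4Network((spec, prefix), strict=False)


def route_mask_hex(network):
    """RouteMask as `show ip route` prints it, e.g. 0xfffff000 for /20."""
    return hex(int(network.netmask))


def add_route(table, destination, gateway, flags="UG"):
    """Append one entry; flags follow the show ip route column (U=up, G=gateway)."""
    table.append((parse_destination(destination), IPv4Address(gateway), flags))
    return table


def lookup(table, dst_ip):
    """Longest-prefix match, which is how the switch routes traffic it
    originates (Telnet, TFTP, ping); traffic from attached hosts is never
    resolved against this table."""
    dst = IPv4Address(dst_ip)
    best = None
    for network, gateway, flags in table:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, flags)
    return best


# Constructed table reproducing the guide's show ip route output: the
# static route added above, the default gateway, and the sc0 subnet
# (a connected route whose "gateway" is sc0's own address, flag U).
ROUTES = []
add_route(ROUTES, "172.16.16.0/20", "172.20.52.127")
add_route(ROUTES, "default", "172.20.52.121")
add_route(ROUTES, "172.20.52.120/29", "172.20.52.124", flags="U")

if __name__ == "__main__":
    for network, gateway, flags in ROUTES:
        print(f"{str(network.network_address):15} {str(gateway):15} "
              f"{route_mask_hex(network):10} {flags}")
    for target in ("172.16.20.5", "172.16.40.1", "172.20.52.122"):
        network, gateway, flags = lookup(ROUTES, target)
        print(f"{target} -> via {gateway} ({network}, {flags})")
```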

Configuring Permanent and Static ARP Entries


To enable your Catalyst LAN switch to communicate with devices that do not respond to Address
Resolution Protocol (ARP) requests, you can configure a static or permanent ARP entry that maps the
IP addresses of those devices to their MAC addresses. You can configure an ARP entry so that it does
not age out by configuring it as either static or permanent. When you configure a static ARP entry using
the set arp static command, the entry is removed from the ARP cache after a system reset. When you
configure a permanent ARP by using the set arp permanent command, the ARP entry is retained even
after a system reset.
Because most hosts support dynamic resolution, you usually do not need to specify static or permanent
ARP cache entries. When a device does not respond to ARP requests, you can configure an ARP entry
to be statically or permanently entered into the ARP cache so that those devices can still be reached.
To configure a static or permanent ARP entry, perform this task in privileged mode:

Task                                                  Command
Step 1  Configure a static or permanent ARP entry.    set arp [dynamic | permanent | static] {ip_addr hw_addr}
Step 2  (Optional) Specify the ARP aging time.        set arp agingtime seconds
Step 3  Verify the ARP configuration.                 show arp

This example shows how to define a static ARP entry:


Console> (enable) set arp static 20.1.1.1 00-80-1c-93-80-40
Static ARP entry added as
20.1.1.1 at 00-80-1c-93-80-40 on vlan 1
Console> (enable)

This example shows how to define a permanent ARP entry:


Console> (enable) set arp permanent 10.1.1.1 00-80-1c-93-80-60
Permanent ARP entry added as
10.1.1.1 at 00-80-1c-93-80-60 on vlan 1
Console> (enable)

This example shows how to set the ARP aging time:


Console> (enable) set arp agingtime 300
ARP aging time set to 300 seconds.
Console> (enable)


This example shows how to display the ARP cache:


Console> (enable) show arp
ARP Aging time = 300 sec
+ - Permanent Arp Entries
* - Static Arp Entries
+ 10.1.1.1 at 00-80-1c-93-80-60 on vlan 1
172.20.52.1 at 00-60-5c-86-5b-28 port 8/1 on vlan 1
* 20.1.1.1 at 00-80-1c-93-80-40 port 8/1 on vlan 1
Console> (enable)

To clear ARP entries, perform this task in privileged mode:

Task                                                       Command
Step 1  Clear a dynamic, static, or permanent ARP entry.   clear arp [dynamic | permanent | static] {ip_addr hw_addr}
Step 2  Verify the ARP configuration.                      show arp

This example shows how to clear all permanent ARP entries and verify the configuration:
Console> (enable) clear arp permanent
Permanent ARP entries cleared.
Console> (enable)
Console> (enable) show arp
ARP Aging time = 300 sec
+ - Permanent Arp Entries
* - Static Arp Entries
172.20.52.1 at 00-60-5c-86-5b-28 port 8/1 on vlan 1
* 20.1.1.1 at 00-80-1c-93-80-40 port 8/1 on vlan 1
Console> (enable)

Scheduling a System Reset


These sections describe how to schedule a system reset:
• Scheduling a Reset at a Specific Time, page 20-10
• Scheduling a Reset Within a Specified Amount of Time, page 20-10
You can use the schedule reset command to schedule a system to reset at a future time. This feature
allows you to upgrade software during business hours and schedule the system upgrade after business
hours to avoid a major impact on users.
You can also use the schedule reset feature when trying out new features on a switch. To avoid
misconfiguration or the possibility of losing network connectivity to the device, you can set up the
startup configuration feature and schedule a reset to occur in 30 minutes. You can then change the
configuration, and if connectivity is lost, the system will reset in 30 minutes and return to the previous
configuration.


Scheduling a Reset at a Specific Time


You can specify an absolute time and date at which the reset should take place with the reset at
command. Entering the month and day argument with this command is optional. If you do not specify
the month and day, the reset will take place on the current day if the time specified is later than the
current time. If the time scheduled for reset is earlier than the current time, the reset will take place on
the following day.

Note The maximum scheduled reset time is 24 days.

To schedule a reset at a specific time, perform this task in privileged mode:

Task Command
Step 1 Schedule the reset time at a specific time. reset [mindown] at {hh:mm} [mm/dd] [reason]
Step 2 Verify the scheduled reset. show reset

Note The minimum downtime argument is valid only if the system has a standby supervisor engine.

This example shows how to schedule a reset at a specific time:


Console> (enable) reset at 20:00
Reset scheduled at 20:00:00, Wed Aug 18 1999.
Proceed with scheduled reset? (y/n) [n]? y
Reset scheduled for 20:00:00, Wed Aug 18 1999 (in 0 day 5 hours 40 minutes).
Console> (enable)

This example shows how to schedule a reset at a specific time and include a reason for the reset:
Console> (enable) reset at 23:00 8/18 Software upgrade to 5.3(1).
Reset scheduled at 23:00:00, Wed Aug 18 1999.
Reset reason: Software upgrade to 5.3(1).
Proceed with scheduled reset? (y/n) [n]? y
Reset scheduled for 23:00:00, Wed Aug 18 1999 (in 0 day 8 hours 39 minutes).
Console> (enable)

This example shows how to schedule a reset with a minimum downtime:


Console> (enable) reset mindown at 23:00 8/18 Software upgrade to 5.3(1).
Reset scheduled at 23:00:00, Wed Aug 18 1999.
Reset reason: Software upgrade to 5.3(1).
Proceed with scheduled reset? (y/n) [n]? y
Reset mindown scheduled for 23:00:00, Wed Aug 18 1999 (in 0 day 8 hours 39 minutes).
Console> (enable)

Scheduling a Reset Within a Specified Amount of Time


You can schedule a reset within a specified time with the reset in command. For instance, if the current
system time is 9:00 a.m. and reset is scheduled in one hour, the scheduled reset will take place at
10:00 a.m. If you or NTP advances the system clock to 10:00 a.m., the reset will take place at
11:00 a.m. If the clock is advanced ahead of the scheduled reset time, the reset will take place 5 minutes
after the current time.


To schedule a reset within a specified time, perform this task in privileged mode:

Task                                                               Command
Step 1  Schedule the reset time within a specific amount of time.  reset [mindown] in [hh] {mm} [reason]
Step 2  Verify the scheduled reset.                                show reset

Note The minimum downtime argument is valid only if the system has a standby supervisor engine.

This example shows how to schedule a reset in a specified time:


Console> (enable) reset in 5:20 Configuration update
Reset scheduled in 5 hours 20 minutes.
Reset reason: Configuration update
Proceed with scheduled reset? (y/n) [n]? y
Reset scheduled for 19:56:01, Wed Aug 18 1999 (in 5 hours 20 minutes).
Reset reason: Configuration update
Console> (enable)

Power Management
This section describes power management in the Catalyst 6000 family switches and includes the
following information:
• Enabling or Disabling Power Redundancy, page 20-11
• Using the CLI to Power Modules Up or Down, page 20-13
• Determining System Power Requirements, page 20-14

Note In systems with redundant power supplies, both power supplies must be of the same wattage. The
Catalyst 6000 family switches allow you to mix AC-input and DC-input power supplies in the same
chassis. For detailed information on supported power supply configurations for each chassis, refer to
the Catalyst 6000 Family Installation Guide.

Catalyst 6000 family modules have different power requirements and, depending upon the wattage of
the power supply, certain switch configurations might require more power than a single power supply
can provide. Although the power management feature allows you to power all installed modules with
two power supplies, redundancy is not supported in this configuration. Redundant and nonredundant
power configurations are discussed in the following sections.

Enabling or Disabling Power Redundancy


Enter the set power redundancy enable | disable command to enable or disable redundancy
(redundancy is enabled by default). With redundancy enabled and two power supplies of equal wattage
installed, the total power drawn from both supplies is at no time greater than the capability of one supply.
If one supply malfunctions, the other supply can take over the entire system load. When you install and

turn on two power supplies of equal wattage, each concurrently provides approximately half of the
required power to the system. Load sharing and redundancy are enabled automatically; no software
configuration is required.
With redundancy enabled, if you power up the system with two power supplies of unequal wattage, both
power supplies come online but a syslog message displays that the lower wattage power supply will be
disabled. If the active power supply fails, the lower wattage power supply that was disabled comes
online and, if necessary, modules are powered down to accommodate the lower wattage power supply.
In a nonredundant configuration, the power available to the system is the combined power capability of
both power supplies. The system powers up as many modules as the combined capacity allows.
However, if one supply should fail and there is not enough power for all previously powered up modules,
the system powers down some modules. These modules are marked as power-deny in the show module
Status field.
You can change the configuration of the power supplies to redundant or nonredundant at any time. If
you switch from a redundant to a nonredundant configuration, both power supplies are enabled (even a
power supply that was disabled because it was of a lower wattage than the other power supply). If you
change from a nonredundant to a redundant configuration, both power supplies are initially enabled, and
if they are of the same wattage, remain enabled. If they are of different wattage, a syslog message
displays and the lower wattage supply is disabled.
Table 20-1 describes how the system responds to changes in the power supply configuration.

Table 20-1 Effects of Power Supply Configuration Changes

Configuration Change                          Effect

Redundant to nonredundant
  • System log and syslog messages are generated.
  • System power is increased to the combined power capability of both supplies.
  • The modules marked as power-deny in the show module Status field are brought up if there is
    sufficient power.

Nonredundant to redundant
  • System log and syslog messages are generated.
  • System power is the power capability of the larger wattage supply.
  • If there is not enough power for all previously powered-up modules, some modules are powered
    down and marked as power-deny in the show module Status field.

Equal wattage power supply is inserted with redundancy enabled
  • System log and syslog messages are generated.
  • System power equals the power capability of one supply.
  • No change in the module status because the power capability is unchanged.

Equal wattage power supply is inserted with redundancy disabled
  • System log and syslog messages are generated.
  • System power is the combined power capability of both supplies.
  • The modules marked as power-deny in the show module Status field are brought up if there is
    sufficient power.

Higher wattage power supply is inserted with redundancy enabled
  • System log and syslog messages are generated.
  • The system disables the lower wattage power supply; the higher wattage supply powers the system.

Lower wattage power supply is inserted with redundancy enabled
  • System log and syslog messages are generated.
  • The system disables the lower wattage power supply; the higher wattage supply powers the system.

Higher or lower wattage power supply is inserted with redundancy disabled
  • System log and syslog messages are generated.
  • System power is increased to the combined power capability of both supplies.
  • The modules marked as power-deny in the show module Status field are brought up if there is
    sufficient power.

Power supply is removed with redundancy enabled
  • System log and syslog messages are generated.
  • If the power supplies are of equal wattage, there is no change in the module status because the
    power capability is unchanged.
    If the power supplies are of unequal wattage and the lower wattage supply is removed, there is no
    change in the module status.
    If the power supplies are of unequal wattage and the higher wattage supply is removed, and if
    there is not enough power for all previously powered-up modules, some modules are powered down
    and marked as power-deny in the show module Status field.

Power supply is removed with redundancy disabled
  • System log and syslog messages are generated.
  • System power is decreased to the power capability of one supply.
  • If there is not enough power for all previously powered-up modules, some modules are powered
    down and marked as power-deny in the show module Status field.

System is booted with power supplies of different wattage installed and redundancy enabled
  • System log and syslog messages are generated.
  • The lower wattage supply is disabled.

System is booted with power supplies of equal or different wattage installed and redundancy disabled
  • System log and syslog messages are generated.
  • System power equals the combined power capability of both supplies.
  • The system powers up as many modules as the combined capacity allows.

Using the CLI to Power Modules Up or Down


You can power down a properly working module from the command-line interface (CLI) by entering the
set module power down mod command. The module is marked as power-down in the show module
Status field. Enter the set module power up mod command to check if adequate power is available in
the system to turn the power on for a module that was previously powered down. If not enough power is
available, the module status changes from power-down to power-deny.


Determining System Power Requirements


This section describes how to determine the system power requirements for 6-, 9-, and 13-slot chassis.
See Table 20-2 to determine the exact power requirements for your configuration.

Note Enter the show environment power command to display current system power usage.

Table 20-2 Module Power Requirements

Module                                    Power Requirement
Supervisor Engine 1:
WS-X6K-SUP1A-2GE 1.70A
WS-X6K-SUP1-2GE 1.70A
Supervisor Engine 1 with PFC:
WS-X6K-SUP1A-PFC 2.50A
Supervisor Engine 1 with PFC and MSFC:
WS-X6K-SUP1A-MSFC 3.30A
Supervisor Engine 1 with PFC and MSFC2:
WS-X6K-S1A-MSFC2 2.90A
Supervisor Engine 2 with PFC2:
WS-X6K-S2-PFC2 3.06A
Supervisor Engine 2 with PFC2 and MSFC2:
WS-X6K-S2-MSFC2 3.46A
MSFC2 (spare):
WS-F6K-MSFC2= 0.40A
Multilayer Switching Module:
WS-X6302-MSM 5.20A
24-Port 10BASE-FL:
WS-X6024-10FL-MT 1.52A
Switch Fabric Modules:
WS-C6500-SFM 2.79A
WS-X6500-SFM2 3.09A
24-Port 100FX:
WS-X6224-100FX-MT 1.90A
WS-X6324-100FX-SM 1.52A
WS-X6324-100FX-MM 1.52A


Table 20-2 Module Power Requirements (continued)

Module Power Requirement


48-Port 10/100TX:
WS-X6248-RJ-45 2.69A
WS-X6248-TEL 2.69A
WS-X6248A-TEL 2.69A
WS-X6348-RJ-45 2.39A
WS-X6548-RJ-45 2.90A
WS-X6648-PWR 2.39A
8-Port Gigabit Ethernet:
WS-X6408-GBIC 2.00A
WS-X6408A-GBIC 2.00A
16-Port Gigabit Ethernet:
WS-X6416-GBIC 2.81A
WS-X6416-GE-MT 2.50A
WS-X6316-GE-TX 5.15A
WS-X6516-GE-TX 3.45A
1-Port OC-12 ATM:
WS-X6101-OC12-MMF 2.10A
WS-X6101-OC12-SMF 2.10A
WAN module:
WS-X6182-2PA (FlexWAN) 2.38A (see footnote 1)
Optical Services Modules:
OSM-2OC12-POS-MM, -SI, -SL 3.36A
OSM-4OC12-POS-MM, -SI, -SL 4.78A
OSM-8OC3-POS-MM, -SI, -SL 3.57A
OSM-16OC3-POS-MM, -SI, -SL 5.09A
OSM-1OC48-POS-SS, -SI, -SL 4.25A
OSM-4GE-WAN (GBIC) 3.59A
Server load balancing:
WS-X6066-SLB-APG 3.00A
8-Port T1/E1 PSTN Interface:
WS-X6608-T1 1.98A
WS-X6608-E1 1.98A
24-Port FXS Analog Interface:
WS-X6624-FXS 1.54A
Cisco IP Phone 7960 (when plugged into the WS-X6348-RJ-45 and WS-X6648-PWR modules) 0.167A (default); 0.120A (after bootup and initialization)
The total power available with the 4000W power supply is 95.70A. The total power available with the 2500W power supply is 55.50A. The total power available with the 1300W power supply is 27.46A. The total power available with the 1000W power supply is 21.40A.
1. Based on the base FlexWAN module power draw plus a worst-case 15W per port adapter, plus margin.
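The redundancy rules in the table above and the figures in Table 20-2 can be checked before a module ends up marked power-deny. The following is an added example, not code from the guide or from Cisco: it models the three scenarios (redundancy enabled with equal or unequal supplies, redundancy disabled, a supply removed) and the set module power up check. Supply capacities and module draws are the guide's, held in milliamps to avoid floating-point error; the 9-slot chassis is constructed for the example, and the assumption that modules lose power in slot order is ours, since the guide does not say which modules are denied first.

```python
# Added example, not from the guide: the power-budget rules in the table above
# and the figures in Table 20-2, modelled so a configuration can be checked
# before a module ends up marked power-deny. Supply capacities and module draws
# are the guide's (in milliamps to avoid float error). The guide does not say
# which modules lose power first, so slot order is an assumption here.
SUPPLY_CAPACITY_MA = {1000: 21400, 1300: 27460, 2500: 55500, 4000: 95700}
MODULE_DRAW_MA = {                      # subset of Table 20-2
    "WS-X6K-S1A-MSFC2": 2900, "WS-X6K-S2-MSFC2": 3460, "WS-X6516-GE-TX": 3450,
    "WS-X6348-RJ-45": 2390, "WS-X6548-RJ-45": 2900, "WS-X6316-GE-TX": 5150,
    "WS-X6302-MSM": 5200, "WS-X6416-GBIC": 2810, "WS-X6182-2PA": 2380,
    "WS-X6608-T1": 1980, "WS-X6500-SFM2": 3090,
}
# Constructed 9-slot chassis for the example: total draw 28.65A
CHASSIS = {1: "WS-X6K-S1A-MSFC2", 2: "WS-X6516-GE-TX", 3: "WS-X6348-RJ-45",
           4: "WS-X6348-RJ-45", 5: "WS-X6316-GE-TX", 6: "WS-X6302-MSM",
           7: "WS-X6416-GBIC", 8: "WS-X6182-2PA", 9: "WS-X6608-T1"}


def system_capacity_ma(supplies, redundancy):
    """Redundancy enabled: one supply's capacity (with unequal supplies the lower-wattage
    one is disabled, so the larger one counts). Redundancy disabled: both combined."""
    if not supplies:
        raise ValueError("no power supply installed")
    if redundancy or len(supplies) == 1:
        return SUPPLY_CAPACITY_MA[max(supplies)]
    return sum(SUPPLY_CAPACITY_MA[w] for w in supplies)


def allocate(slots, capacity_ma, powered_down=()):
    """Power modules in slot order (assumption) while budget remains.
    Returns ({slot: "ok" | "power-deny" | "power-down"}, remaining mA)."""
    status, remaining = {}, capacity_ma
    for slot, model in sorted(slots.items()):
        if slot in powered_down:                 # set module power down <mod>
            status[slot] = "power-down"
            continue
        draw = MODULE_DRAW_MA[model]
        if draw <= remaining:
            status[slot] = "ok"
            remaining -= draw
        else:
            status[slot] = "power-deny"
    return status, remaining


def power_up_check(slots, capacity_ma, powered_down, slot):
    """set module power up <mod>: the module comes back only if the budget allows;
    otherwise its status goes from power-down to power-deny."""
    _, remaining = allocate(slots, capacity_ma, powered_down)
    return "ok" if MODULE_DRAW_MA[slots[slot]] <= remaining else "power-deny"


def supply_removed(slots, supplies, redundancy, removed):
    """A supply is pulled: re-run the budget with what is left in the chassis."""
    left = list(supplies)
    left.remove(removed)
    return allocate(slots, system_capacity_ma(left, redundancy))[0]
```

With two 1300W supplies and redundancy enabled, the constructed chassis exceeds the 27.46A budget by 1.19A, so the last slot is denied; with redundancy disabled the same chassis fits with room to spare. Powering slot 6 down and asking for it back shows the power-deny transition the text describes.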


Environmental Monitoring
Environmental monitoring of chassis components provides early warning indications of possible
component failure to ensure safe and reliable system operation and avoid network interruptions. This
section describes how to monitor these critical system components, enabling you to identify and rapidly
correct hardware-related problems in your system.
The following sections describe the environmental monitors:
• Environmental Monitoring Using CLI Commands, page 20-16
• LED Indications, page 20-16

Environmental Monitoring Using CLI Commands


Enter the show test [mod] command to display the errors reported from the diagnostic tests. If you do
not specify a module number, test statistics are given for the general system and for the module in slot 1.
If there are no errors, PASS is displayed in the Line Card Status field.
Enter the show environment [temperature | all | power] command to display system status
information. Keyword descriptions follow:
• temperature—(Optional) Displays temperature information.
• all—(Optional) Displays environmental status (for example, power supply, fan status, and
temperature information) and information about the power available to the system.
• power—(Optional) Displays environmental power information.

LED Indications
There are two alarm types, major and minor. Major alarms indicate a critical problem that could lead to
the system being shut down. Minor alarms are for informational purposes only, giving you notice of a
problem that could turn critical if corrective action is not taken.
When the system raises an alarm (major or minor) for an overtemperature condition, the alarm is
not canceled and no action is taken (such as a module reset or shutdown) for 5 minutes. If the temperature
falls 5°C (9°F) below the alarm threshold during this period, the alarm is canceled.
Table 20-3 lists the environmental indicators for the supervisor engine and switching modules.

Note For additional information on LED indications, refer to the Catalyst 6000 Family Module Installation
Guide.


Table 20-3 Environmental Monitoring for Supervisor Engine and Switching Modules

Component: Supervisor engine temperature sensor exceeds major threshold (1)
Alarm type: Major. LED indication (2, 3): STATUS LED red.
Action: Syslog message and SNMP trap generated. If redundancy, the system switches to the redundant supervisor engine and the active supervisor engine shuts down. If there is no redundancy and the overtemperature condition is not corrected, the system shuts down after 5 minutes.

Component: Supervisor engine temperature sensor exceeds minor threshold
Alarm type: Minor. LED indication: STATUS LED orange.
Action: Syslog message and SNMP trap generated. Monitor the condition.

Component: Redundant supervisor engine temperature sensor exceeds major or minor threshold
Alarm type: Major or Minor. LED indication: STATUS LED red (major) or STATUS LED orange (minor).
Action: Syslog message and SNMP trap generated. If major alarm and the overtemperature condition is not corrected, the system shuts down after 5 minutes. If minor alarm, monitor the condition.

Component: Switching module temperature sensor exceeds major threshold
Alarm type: Major. LED indication: STATUS LED red.
Action: Syslog message and SNMP trap generated. Power down the module (4).

Component: Switching module temperature sensor exceeds minor threshold
Alarm type: Minor. LED indication: STATUS LED orange.
Action: Syslog message and SNMP trap generated. Monitor the condition.

1. Temperature sensors monitor key supervisor engine components including daughter cards.
2. A STATUS LED is located on the supervisor engine front panel and all module front panels.
3. The STATUS LED is red on the failed supervisor engine. If there is no redundant supervisor, the SYSTEM LED is red also.
4. See the “Power Management” section on page 20-11 for instructions.

Displaying System Status Information for Technical Support


These sections describe how to display system status information for technical support:
• Generating a System Status Report, page 20-18
• Using System Dump Files, page 20-18


Generating a System Status Report


Using a single command, you can generate a report that contains status information about your switch.
The information generated is useful when reporting a problem to the Cisco Technical Assistance Center
(TAC). This command combines the output of several show commands. You can upload the output of the
command to a TFTP server and send the file to TAC from there.
You can use keywords to limit the output to certain areas, such as specific modules, VLANs, ports, and
so forth. If you do not specify any keywords, a report for the entire system is generated. Because the
report can include the switch configuration (the config keyword), treat the file as sensitive: TFTP has no
authentication or encryption, so use a TFTP server on a trusted management network and delete the file
once the case is closed.
To generate a report and upload the report to a TFTP server, perform this task in privileged mode:

Task: Generate a system status report that you can send to TAC.
Command: write tech-support {host} {file} [module mod] [port mod/port] [vlan vlan] [memory] [config]

This example shows a report sent to host 172.20.32.10 to a filename you supply. No keywords are
specified, so the complete status of the switch will be included in the report.
Console> (enable) write tech-support 172.20.32.10 tech.txt
Upload tech-report to tech.txt on 172.20.32.10 (y/n) [n]? y
/
Finished network upload. (67784 bytes)
Console> (enable)

Using System Dump Files


The core dump and the stack dump features generate reports that contain status information about your
switch. Send images captured by the core dump or the stack dump to the Cisco TAC for analysis.

Enabling and Disabling the Core Dump


A core dump produces a comprehensive report of images when your system fails due to a software error.
This report contains system memory content, including text, code, and stack segments. The core image
is produced in Cisco core file format and is stored in the file system. By examining the core dump file,
TAC can analyze the error condition of a terminated process.
Enter the set system core-dump command to enable or disable the core dump feature. If the switch has
a redundant supervisor engine, the standby supervisor engine takes over automatically before the core
dump occurs. The previously active supervisor engine resets itself after the core dump is complete.
To enable or disable the core dump feature, perform this task in privileged mode:

Task: Enable or disable the core dump feature.
Command: set system core-dump {enable | disable}


This example shows how to enable the core dump feature:


Console> (enable) set system core-dump enable
(1) In the event of a system crash, this feature will
cause a core file to be written out.
(2) Core file generation may take up to 20 minutes.
(3) Selected core file is slot0:crash.hz
(4) Please make sure the above device has been installed,
and ready to use
Core-dump enabled
Console> (enable)

This example shows how to disable the core dump feature:


Console> (enable) set system core-dump disable
Core-dump disabled
Console> (enable)

The size of the file system depends on the size of your memory card. A failing process generates a
core image proportional to the size of the system DRAM, so make sure that enough space is available to
store the core dump file. Because the core file is a full image of system memory, it can contain
passwords, keys, and other secrets that were in DRAM at the time of the crash; control access to the
memory card and to any copy you upload or send to TAC.

Specifying the Core Image Filename


Enter the set system core-file command to specify the core image filename. The default filename is
“slot0:crash.hz.” This command automatically checks the validity of the device name that you input.
To specify the core image filename, perform this task in privileged mode:

Task: Specify the core image filename.
Command: set system core-file {device:filename}

This example shows how to specify the core image filename:


Console> (enable) set system core-file slot0:core.hz
System core-file set.
Console> (enable)

Displaying the Stack Dump


A stack dump provides only the images related to a particular process that has caused the system to fail.
This image stack is displayed on the console and is also saved in the log area. The stack dump is
automatic and becomes available when you enter the show log command after you reboot your system.
To display log information, perform this task in normal mode:

Task: Display the stack dump.
Command: show log


The following is an example of an image stack that may display after you enter the show log command:
Breakpoint Exception occurred.
Software version = 6.2(0.83)
Process ID #52, Name = Console
EPC: 807523F4
Stack content:
sp+00: 00000000 80A75698 00000005 00000005
sp+10: BE000A00 00000000 83F84150 801194B8
sp+20: 80A75698 80A74BC8 80C8DBDC 000006E8
sp+30: 8006AF30 8006AE98 82040664 00000630
sp+40: 801AC744 801AC734 80A32488 80A32484
sp+50: 80A3249C 00000000 00000002 000009E4
sp+60: 8204067B 82040670 8011812C 81CAFC98
sp+70: 8011814C 82040670 8011812C 81CAFC98
sp+80: 00000002 000009E4 80110160 80110088
sp+90: 82040670 80A71EB4 81F1E9F8 00000004
sp+A0: 00000000 81F25EAC 81FF5750 00000000
sp+B0: 00000000 00000000 81F1E314 800840BC
sp+C0: 0000000B 80084EB0 00000001 8073A358
sp+D0: 00000003 0000000D 00000000 0000000A
sp+E0: 00000020 00000000 800831B4 0000001A
sp+F0: 00000000 00000000 00000000 000D84F0
Register content:
Status: 3401FC23 Cause: 00000024
AT: 81640000
V0: 00000007 V1: 00000007
A0: 00000000 A1: 80A756A6
A2: 00000011 A3: BE000BD0
T0: BFFFFFFE T1: 80000000
T2: 00000000 T3: 00000001
T4: 00000000 T5: 00000007
T6: 00000000 T7: 00000000
S0: 00000001 S1: 00000032
S2: 81F1E9F8 S3: 80A74BC8
S4: 80C8DBDC S5: 000006E8
S6: 00000000 S7: 00000000
T8: F0D09E3A T9: 82940828
K0: 3041C001 K1: 80C73038
GP: 811F39C0 SP: 83F84010
S8: 83F84010 RA: 807523F4
HIGH: 00000001 LOW: D5555559
BADVADDR: 7DFF7FFF ERR EPC: 58982466
GDB: Breakpoint Exception
GDB: The system has trapped into the debugger.
GDB: It will hang until examined with gdb.
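When a stack dump like the one above lands in a case or an incident timeline, the first job is to pull the fields that matter (exception, software version, faulting process, EPC, registers) out of the log text. The following parser is an added example, not part of the guide or of CatOS; SAMPLE is an abbreviated copy of the dump shown above, and the ExcCode decoding follows the MIPS Cause register layout (bits 6:2), which the Cause value 0x24 (ExcCode 9, breakpoint) shown above is consistent with.

```python
# Added example, not from the guide: a parser for the stack dump that
# "show log" displays, for incident triage. SAMPLE is an abbreviated copy of
# the dump shown above; the ExcCode decoding follows the MIPS Cause register
# layout (bits 6:2), which matches the "Breakpoint Exception" in the sample.
import re

# MIPS Cause.ExcCode values (subset)
MIPS_EXCCODE = {0: "Int", 2: "TLBL", 3: "TLBS", 4: "AdEL", 5: "AdES", 6: "IBE",
                7: "DBE", 8: "Sys", 9: "Bp", 10: "RI", 11: "CpU", 12: "Ov", 13: "Tr"}

SAMPLE = """Breakpoint Exception occurred.
Software version = 6.2(0.83)
Process ID #52, Name
= Console
EPC: 807523F4
Stack content:
sp+00: 00000000 80A75698 00000005 00000005
sp+10: BE000A00 00000000 83F84150 801194B8
sp+20: 80A75698 80A74BC8 80C8DBDC 000006E8
Register content:
Status: 3401FC23 Cause: 00000024
AT: 81640000
GP: 811F39C0 SP: 83F84010
S8: 83F84010 RA: 807523F4
BADVADDR: 7DFF7FFF ERR EPC: 58982466
GDB: Breakpoint Exception
GDB: The system has trapped into the debugger.
GDB: It will hang until examined with gdb.
"""


def parse_stack_dump(text: str) -> dict:
    """Extract the fields a TAC case or an IR timeline needs from a CatOS stack dump."""
    result = {"registers": {}, "stack": {}}
    m = re.search(r"^(.+?) occurred\.$", text, re.M)
    result["exception"] = m.group(1) if m else None
    m = re.search(r"Software version = (\S+)", text)
    result["version"] = m.group(1) if m else None
    # the process name may wrap onto the next line, as in the guide's sample
    m = re.search(r"Process ID #(\d+), Name\s*=\s*(\S+)", text)
    result["pid"], result["process"] = (int(m.group(1)), m.group(2)) if m else (None, None)
    m = re.search(r"^EPC: ([0-9A-Fa-f]{8})", text, re.M)
    result["epc"] = int(m.group(1), 16) if m else None
    for off, words in re.findall(r"^sp\+([0-9A-F]{2}): ((?:[0-9A-F]{8} ?){4})$", text, re.M):
        result["stack"][int(off, 16)] = [int(w, 16) for w in words.split()]
    reg_section = text.split("Register content:", 1)[-1]
    for name, val in re.findall(r"(ERR EPC|[A-Za-z][A-Za-z0-9]*): ([0-9A-Fa-f]{8})", reg_section):
        result["registers"][name] = int(val, 16)
    cause = result["registers"].get("Cause")
    exccode = (cause >> 2) & 0x1F if cause is not None else None
    result["exccode"] = exccode
    result["exccode_name"] = MIPS_EXCCODE.get(exccode)
    result["debugger_trap"] = "trapped into the debugger" in text
    return result


def triage_summary(dump: dict) -> str:
    """One-line summary for a ticket."""
    return (f"{dump['exception']} (ExcCode {dump['exccode']}={dump['exccode_name']}) in "
            f"process {dump['process']} pid {dump['pid']}, EPC 0x{dump['epc']:08X}, "
            f"RA 0x{dump['registers'].get('RA', 0):08X}, software {dump['version']}")
```

Cross-checking the decoded ExcCode against the exception name on the first line is a cheap sanity test that the dump was not truncated or mangled in transit; here both say breakpoint, and EPC equals RA.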

Chapter 21
Configuring Switch Access Using AAA

This chapter describes how to configure authentication, authorization, and accounting (AAA) to monitor
and control access to the command-line interface (CLI) on the Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How Authentication Works, page 21-1
• Configuring Authentication, page 21-9
• Authentication Example, page 21-48
• Understanding How Authorization Works, page 21-49
• Configuring Authorization, page 21-51
• Authorization Example, page 21-55
• Understanding How Accounting Works, page 21-56
• Configuring Accounting, page 21-59
• Accounting Example, page 21-63

Understanding How Authentication Works


These sections describe how the different authentication methods work:
• Authentication Overview, page 21-2
• Understanding How Login Authentication Works, page 21-2
• Understanding How Local Authentication Works, page 21-2
• Understanding How TACACS+ Authentication Works, page 21-3
• Understanding How RADIUS Authentication Works, page 21-4
• Understanding How Kerberos Authentication Works, page 21-4
• Understanding How 802.1x Authentication Works, page 21-7


Authentication Overview
You can configure any combination of these authentication methods to control access to the switch:
• Login authentication
• Local authentication
• RADIUS authentication
• TACACS+ authentication
• Kerberos authentication
• 802.1x authentication

Note Kerberos authentication does not work if TACACS+ is used as the authentication method.

When you enable local authentication with one or more other authentication methods, local
authentication is always attempted last. However, you can specify different authentication methods
for console and Telnet connections. For example, you might use local authentication for console
connections and RADIUS authentication for Telnet connections.

Understanding How Login Authentication Works


Login authentication increases the security of the system by keeping unauthorized users from guessing
the password. The user is limited to a specific number of attempts to successfully log in to the switch.
If the user fails to enter the correct password within that limit, the system delays further access and
records the user ID and the IP address of the station in the syslog and in an SNMP trap.
You can set the number of login attempts allowed from three (the default) to ten. When a user reaches
the set limit without successfully logging in, SNMP traps and syslog messages are generated and the
lockout takes effect. Setting the login attempt limit to zero (0) disables login limit checking.
If a user attempts to log in to privileged mode and fails, the system disables execution of the enable
command for the lockout period.
The lockout time is configurable from the CLI and SNMP. The configurable range is 30 to 600 seconds.
If a user is locked out at the console, the console does not allow the user to log in during that lockout
time. If a user is locked out with a Telnet session, the connection closes when the limit is reached, and
any subsequent accesses from that station are closed immediately (with proper notice) by the switch
during the lockout time.

Understanding How Local Authentication Works


Local authentication uses locally configured login and enable passwords to authenticate login attempts.
The login and enable passwords are local to each switch and are not mapped to individual user names.
By default, local authentication is enabled. You can disable local authentication only after enabling one
or more of the other authentication methods. However, when local authentication is disabled, if you
disable all other authentication methods, local authentication is reenabled automatically.
You can enable local authentication and one or more of the other authentication methods at the same
time. The switch attempts local authentication only if the other authentication methods fail.


Understanding How TACACS+ Authentication Works


TACACS+ controls access to network devices by exchanging Network Access Server (NAS)
information between a network device and a centralized database to determine the identity of a user or
an entity. TACACS+ is an enhanced version of TACACS, a User Datagram Protocol (UDP)-based
access-control protocol specified by RFC 1492. TACACS+ uses TCP for reliable delivery and obfuscates
the body of every packet exchanged between the TACACS+ client on the network device and the
TACACS+ daemon on the server.
TACACS+ works with many authentication types, including fixed password, one-time password, and
challenge-response authentication. TACACS+ authentication usually occurs in these instances:
• When you first log on to a machine
• When you send a service request that requires privileged access
When you request privileged or restricted services, the TACACS+ client hides the packet body, including
your password, by XORing it with a pseudo-random pad that it derives with MD5 from the shared key, the
session ID, the protocol version, and the packet sequence number, and then adds a TACACS+ packet
header. The header, which is always sent in the clear, identifies the packet type (for example, an
authentication packet), the packet sequence number, whether the body is obfuscated, and the total packet
length. The client then forwards the packet to the TACACS+ server. Note that MD5 is a hash function,
not a cipher: this scheme hides the body from casual observation, but its protection is only as good as the
secrecy of the shared key.
A TACACS+ server can provide authentication, authorization, and accounting functions. These
services, while all part of TACACS+, are independent of one another, so a given TACACS+
configuration can use any or all of the three services.
When the TACACS+ server receives the packet, it does the following:
• Authenticates the user information and notifies the client that authentication has either passed or
failed.
• Notifies the client that authentication will continue and that the client must provide additional
information. This challenge-response process can continue through multiple iterations until
authentication either passes or fails.
You can configure a TACACS+ key on the client and server. If you configure a key on the switch, it
must be the same as the one configured on the TACACS+ servers. The TACACS+ clients and servers
use the key to obfuscate the body of every TACACS+ packet transmitted; the packet header is always
sent in the clear. If you do not configure a TACACS+ key, packet bodies, including passwords, are sent
in clear text.
You can configure the following TACACS+ parameters on the switch:
• Enable or disable TACACS+ authentication to determine if a user has permission to access the
switch
• Enable or disable TACACS+ authentication to determine if a user has permission to enter privileged
mode
• Specify a key used to encrypt the protocol packets
• Specify the server on which the TACACS+ server daemon resides
• Set the number of login attempts allowed
• Set the timeout interval for server daemon response
• Enable or disable the directed-request option
TACACS+ authentication is disabled by default. You can enable TACACS+ authentication and local
authentication at the same time.
When local authentication is disabled, if you disable all other authentication methods, local
authentication is reenabled automatically.
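The body obfuscation described above is simple enough to show end to end. The following is an added example, not code from the guide or from a TACACS+ implementation: it builds an authentication START packet, applies the MD5 pseudo-pad the TACACS+ specification (RFC 8907) defines, and parses it back, including the unencrypted-flag case that corresponds to running with no key configured. The session ID, user, port and key values are made up.

```python
# Added example, not from the guide: how a TACACS+ client obfuscates a packet
# body with the shared key, following the pseudo-pad algorithm of the TACACS+
# specification (RFC 8907). Session ID, key and user values are made up.
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # set in the header when no key is configured


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream: MD5(session_id|key|version|seq_no), then MD5(...|previous block), chained."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    block = hashlib.md5(prefix).digest()
    pad = block
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; the same call decodes because XOR is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str, data: bytes = b"",
                      action: int = 0x01, priv_lvl: int = 0x01,
                      authen_type: int = 0x01, service: int = 0x01) -> bytes:
    """Authentication START body: action, priv_lvl, authen_type, service,
    four one-byte lengths, then user, port, rem_addr and data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                       len(u), len(p), len(r), len(data)) + u + p + r + data


def build_packet(body: bytes, session_id: int, seq_no: int, key) -> bytes:
    """12-byte header (always clear) + body (obfuscated only when a key is configured)."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(payload))
    return header + payload


def parse_packet(packet: bytes, key) -> dict:
    """Server side: read the clear header, then de-obfuscate the body if the flag says so."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    payload = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = payload
    else:
        if not key:
            raise ValueError("obfuscated packet received but no key configured")
        body = obfuscate(payload, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}
```

Decoding with the wrong key yields garbage rather than an error, which is why a mismatched key on the switch shows up on the server as malformed packets rather than as a clean authentication failure.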


Understanding How RADIUS Authentication Works


RADIUS is a client-server authentication and authorization access protocol used by the NAS to
authenticate users attempting to connect to a network device. The NAS functions as a client, passing user
information to one or more RADIUS servers. The NAS permits or denies network access to a user based
on the response it receives from one or more RADIUS servers. RADIUS uses UDP for transport between
the RADIUS client and server.
You can configure a RADIUS key (shared secret) on the client and server. If you configure a key on the
client, it must be the same as the one configured on the RADIUS servers. The key does not encrypt
RADIUS packets: the client uses it to hide the User-Password attribute (an MD5-based XOR) and both
sides use it to compute the authenticator that lets the switch verify that a reply came from a server holding
the same key. All other attributes, including the user name, travel in clear text. If you do not configure a
RADIUS key, passwords and replies have no protection at all. The key itself is never transmitted over
the network.

Note For more information about how the RADIUS protocol operates, refer to RFC 2138, “Remote
Authentication Dial In User Service (RADIUS).”

You can configure the following RADIUS parameters on the switch:


• Enable or disable RADIUS authentication to control login access
• Enable or disable RADIUS authentication to control enable access
• Specify the IP addresses and UDP ports of the RADIUS servers
• Specify the RADIUS key used to encrypt RADIUS packets
• Specify the RADIUS server timeout interval
• Specify the RADIUS retransmit count
• Specify the RADIUS server deadtime interval
RADIUS authentication is disabled by default. You can enable RADIUS authentication and other
authentication methods at the same time. You can specify which method to use first using the primary
keyword.
When local authentication is disabled, if you disable all other authentication methods, local
authentication is reenabled automatically.
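The following added example (not from the guide or from any RADIUS implementation) shows exactly what the shared secret does and does not protect: it hides the User-Password attribute as RFC 2865 section 5.2 specifies, computes the Response Authenticator the switch must verify before trusting an Access-Accept, and walks the attribute list the way a sniffer would to show that User-Name is readable on the wire. Identifiers, addresses and the secret are made up.

```python
# Added example, not from the guide: what the RADIUS shared secret protects.
# It hides User-Password (RFC 2865 section 5.2) and authenticates the server's
# reply via the Response Authenticator (section 3); all other attributes are
# sent in the clear. Values below are made up.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to 16-byte blocks; c1 = p1 XOR MD5(S+RA), ci = pi XOR MD5(S+c(i-1))."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same scheme (also what an attacker with the secret can do)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, block))
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(ident: int, user: bytes, password: bytes, nas_ip: str, secret: bytes):
    """Switch -> server. Returns the packet and the Request Authenticator (kept to check the reply)."""
    request_auth = os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return packet, request_auth


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret): proves the reply came from a key holder."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server -> switch."""
    return (struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
            + response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret) + attrs)


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the switch must check before honouring an Access-Accept."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


def cleartext_attributes(packet: bytes) -> dict:
    """Walk the attribute list as a sniffer would: this is what the key does not hide."""
    attrs, pos, end = {}, 20, struct.unpack("!H", packet[2:4])[0]
    while pos < end:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs
```

A forged Access-Accept from a host that does not know the secret fails verify_reply, which is the only thing standing between a spoofed server and an open enable prompt; the user name, NAS address and every vendor attribute are readable by anyone on the path.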

Understanding How Kerberos Authentication Works


Kerberos is a client-server based secret-key network authentication method that uses a trusted Kerberos
server to verify secure access to both services and users. In Kerberos, this trusted server is called the key
distribution center (KDC). The KDC issues tickets to validate users and services. A ticket is a temporary
set of electronic credentials that verifies the identity of a client for a particular service.
These tickets have a limited life span and can be used in place of the standard username and password
authentication if a service trusts the Kerberos server that issued the ticket. The KDC encrypts each ticket
under a key derived from the user's password, so the password itself is never sent over the network in
clear text; a client that can decrypt its ticket has proven knowledge of the password. When you use
Kerberos, passwords are not stored on any machine other than the Kerberos server for more than a few
seconds. Kerberos also guards against intruders who capture the encrypted tickets from the network,
because a ticket is useless without the key under which it is encrypted.


Table 21-1 defines the terms used in Kerberos.

Table 21-1 Kerberos Terminology

Term Definition
Kerberized Applications and services that have been modified to support the
Kerberos credential infrastructure.
Kerberos credential General term referring to authentication tickets, such as ticket granting
tickets (TGTs) and service credentials. Kerberos credentials verify the
ticket of a user or service. If a network service decides to trust the
Kerberos server that issued the ticket, the Kerberos credential can be
used in place of retyping in a username and password. Credentials have
a default life span of eight hours.
Kerberos identity (See Kerberos principal.)
Kerberos principal The Kerberos principal is who you are or what a service is according to
the Kerberos server. (Also known as a Kerberos identity.)
Kerberos realm A domain consisting of users, hosts, and network services that are
registered to a Kerberos server. The Kerberos server is trusted to verify
the identity of a user or network service to another user or network
service. Kerberos realms must always be in uppercase characters.
Kerberos server A daemon running on a network host. Users and network services
register their identity with the Kerberos server. Network services query
the Kerberos server to authenticate to other network services.
Key distribution center (KDC) A Kerberos server and database program running on a network host that
allocates the Kerberos credentials to different users or network services.
Service credential A credential for a network service. When issued from the KDC, this
credential is encrypted with the password shared by the network service
and the KDC and with the user’s TGT.
SRVTAB A password that a network service shares with the KDC. The network
service authenticates an encrypted service credential by using the
SRVTAB (also known as a KEYTAB) to decrypt it.
Ticket granting ticket (TGT) A credential that the KDC issues to authenticated users. When users
receive a TGT, they can authenticate to network services within the
Kerberos realm represented by the KDC.

In the Catalyst 6000 family switches, Telnet clients and servers through both the console and in-band
management port can be Kerberized.

Note Kerberos authentication does not work if TACACS+ is used as the authentication mechanism.

Note If you are logged in to the console through a modem or a terminal server, you cannot use a Kerberized
login procedure.


Using Kerberized Login Procedure


You can use a Kerberized Telnet session if you are logging in through the in-band management port.
When the Telnet client and services have been Kerberized, you will follow this process when attempting
to Telnet to the switch:
1. The Telnet client asks the user for the username and issues a request for a TGT to the KDC on the
Kerberos server.
2. The KDC creates the TGT, which contains the user’s identity, the KDC’s identity, and the TGT’s
expiration time. The KDC then encrypts the TGT with the user’s password and sends the TGT to the
client.
3. When the Telnet client receives the encrypted TGT, it prompts the user for the password. If the
Telnet client can decrypt the TGT with the entered password, the user is successfully authenticated
to the KDC. The client then builds a service credential request and sends this to the KDC. This
request contains the user’s identity and a message saying that it wants to Telnet to the switch. This
request is encrypted using the TGT.
4. When the KDC successfully decrypts the service credential request with the TGT that it issued to
the client, it builds a service credential for the switch. The service credential contains the client's
identity and the identity of the desired Telnet server. The KDC encrypts the credential with the
password that it shares with the switch's Telnet server, encrypts the resulting packet with the Telnet
client's TGT, and sends this packet to the client.
5. The Telnet client decrypts the packet first with its TGT. If decryption is successful, the client then
sends the resulting packet to the switch's Telnet server. At this point, the packet is still encrypted
with the password that the switch's Telnet server and the KDC share.
6. If the Telnet client has been instructed to do so, it forwards the TGT to the switch. This step ensures
that the user does not need to get another TGT in order to use another network service from the
switch.
Figure 21-1 shows the Kerberos Telnet connection process.

Figure 21-1 Kerberized Telnet Connection
(Diagram: the host running the Telnet client, the Kerberos server containing the KDC, and the Catalyst 6500 series switch, with the exchange shown as steps 1 through 6 as numbered above.)


Using a Non-Kerberized Login Procedure


If you use a non-Kerberized login procedure to log in to the switch, the switch takes care of
authentication to the KDC on behalf of the login client. However, the user password is now
transferred in clear text from the login client to the switch.

Note A non-Kerberized login can be performed through a modem or terminal server through the in-band
management port. Telnet does not support non-Kerberized login.

If you launch a non-Kerberized login, the following process takes place:


1. The switch prompts you for a username and password.
2. The switch requests a TGT from the KDC so that you can be authenticated to the switch.
3. The KDC sends an encrypted TGT to the switch, which contains your identity, KDC’s identity, and
TGT’s expiration time.
4. The switch tries to decrypt the TGT with the password that you entered. If the decryption is
successful, you are authenticated to the switch.
5. If you want to access other network services, the KDC must be contacted directly for authentication.
To obtain the TGT, you can run the program “kinit,” the client software provided with the Kerberos
package.
Figure 21-2 shows the non-Kerberized login process.

Figure 21-2 Non-Kerberized Telnet Connection
(Diagram: the host running the Telnet client, the Catalyst switch, and the Kerberos server containing the KDC, with the exchange shown as steps 1 through 3 as numbered above.)
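The two login procedures above differ in one thing: who holds the cleartext password and tries to decrypt the TGT with it. The following is an added example, not code from the guide or from any Kerberos implementation, that models both flows as the guide describes them (TGT sealed under a key derived from the user's password; service credential sealed under the key the switch's Telnet server shares with the KDC, then wrapped under the TGT). Real Kerberos uses per-session keys and standard enctypes; the SHA-256-keystream-plus-HMAC "cipher" here is a stand-in whose only job is to fail loudly under the wrong key. Realm, principals and secrets are made up.

```python
# Added example, not from the guide: a toy model of the Kerberized and
# non-Kerberized login flows described above, following the guide's simplified
# description. The seal/unseal cipher (SHA-256 keystream + HMAC tag) is a
# stand-in, not a Kerberos enctype. Realm, principals and secrets are made up.
import hashlib
import hmac
import json
import os
import time


def derive_key(secret: str) -> bytes:
    """Stand-in for Kerberos string-to-key: password or SRVTAB secret -> key."""
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((length + 31) // 32))[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC: a wrong key is detected by the tag, not by garbage output."""
    nonce, pt = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("ticket does not decrypt under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def tgt_key(tgt: dict) -> bytes:
    """The key 'the TGT' stands for when the text says a message is encrypted with the TGT."""
    return hashlib.sha256(json.dumps(tgt, sort_keys=True).encode()).digest()


class KDC:
    def __init__(self, realm: str, principals: dict):
        self.realm = realm.upper()                      # realms are always uppercase
        self.keys = {p: derive_key(s) for p, s in principals.items()}
        self.issued = {}                                # user -> TGT contents it handed out

    def get_tgt(self, user: str, ttl: int = 8 * 3600) -> bytes:
        """Steps 1-2: TGT = user identity, KDC identity, expiry; sealed under the user's key."""
        tgt = {"user": user, "kdc": "krbtgt/" + self.realm, "expires": int(time.time()) + ttl}
        self.issued[user] = tgt
        return seal(self.keys[user], tgt)

    def get_service_credential(self, user: str, request: bytes) -> bytes:
        """Step 4: open the request with the TGT it issued, seal the credential under the
        service's key, then wrap that under the TGT for the client."""
        tgt = self.issued[user]
        req = unseal(tgt_key(tgt), request)             # only a holder of the real TGT gets past this
        if req["user"] != user or tgt["expires"] < time.time():
            raise PermissionError("TGT does not match request or has expired")
        cred = {"client": user, "service": req["service"], "expires": tgt["expires"]}
        return seal(tgt_key(tgt), {"for_service": seal(self.keys[req["service"]], cred).hex()})


def kerberized_telnet(kdc: KDC, user: str, password: str, service: str) -> bytes:
    """Client side of steps 1-5; returns the credential still sealed under the server's key."""
    tgt = unseal(derive_key(password), kdc.get_tgt(user))            # step 3: wrong password raises
    request = seal(tgt_key(tgt), {"user": user, "service": service})  # step 3: request sealed with TGT
    reply = unseal(tgt_key(tgt), kdc.get_service_credential(user, request))  # step 5: unwrap with TGT
    return bytes.fromhex(reply["for_service"])


def telnet_server_accepts(srvtab_key: bytes, credential: bytes) -> dict:
    """The switch's Telnet server opens the credential with its SRVTAB key (step 5, server side)."""
    return unseal(srvtab_key, credential)


def non_kerberized_login(kdc: KDC, user: str, password: str) -> bool:
    """Steps 1-4 of the non-Kerberized flow: the switch holds the cleartext password
    and tries the TGT itself; the login client never talks to the KDC."""
    try:
        unseal(derive_key(password), kdc.get_tgt(user))
        return True
    except PermissionError:
        return False
```

The non_kerberized_login function is the whole security difference: the switch, not the client, must be trusted with the password, and the password crosses the client-to-switch link in the clear as the text warns.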

Understanding How 802.1x Authentication Works


IEEE 802.1x is a client-server-based access control and authentication protocol that restricts
unauthorized devices from connecting to a LAN through publicly accessible
ports. 802.1x authenticates each user device connected to a switch port before making available
any services offered by the switch or the LAN. Until the device is authenticated, 802.1x access
control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port
to which the device is connected. After authentication is successful, normal traffic can pass through
the port.


802.1x controls network access by creating two distinct virtual access points at each port. One access
point is an uncontrolled port; the other is a controlled port. All traffic through the single port is available
to both access points. Only EAPOL traffic is allowed to pass through the uncontrolled port, which is
always open. The controlled port is open only when the device connected to the port has been authorized
by 802.1x. After this authorization takes place, the controlled port opens, allowing normal traffic to pass.
Table 21-2 defines the terms used in 802.1x.

Table 21-2 802.1x Terminology

Term Definition
Authenticator PAE (Referred to as the “authenticator”) entity at one end of a
point-to-point LAN segment that enforces supplicant authentication.
The authenticator is independent of the actual authentication method
and functions only as a pass-through for the authentication exchange.
It communicates with the supplicant, submits the information from
the supplicant to the authentication server, and authorizes the
supplicant when instructed to do so by the authentication server.
Authentication server Entity that provides the authentication service for the authenticator
PAE. It checks the credentials of the supplicant PAE and then notifies
its client, the authenticator PAE, whether the supplicant PAE is
authorized to access the LAN/switch services.
Authorized state Status of the port after the supplicant PAE is authorized.
Both Bidirectional flow control, incoming and outgoing, at an
unauthorized switch port.
Controlled port Secured access point.
EAP Extensible Authentication Protocol.
EAPOL (1) Encapsulated EAP messages that can be handled directly by a LAN
MAC service.
In Flow control only on incoming frames in an unauthorized switch port.
Port Single point of attachment to the LAN infrastructure (for example,
MAC bridge ports).
PAE2 Protocol object associated with a specific system port.
PDU Protocol data unit.
RADIUS Remote Access Dial-In User Service.
Supplicant PAE (Referred to as the “supplicant”) entity that requests access to the
LAN/switch services and responds to information requests from the
authenticator.
Unauthorized state Status of the port before the supplicant PAE is authorized.
Uncontrolled port Unsecured access point that allows the uncontrolled exchange of
PDUs.
1. EAPOL=Extensible Authorization Protocol over LAN
2. PAE=port access entity


Traffic Control
You can restrict traffic in both directions or just incoming traffic.

Authentication Server
The frames exchanged between the authenticator and the authentication server are dependent on the
authentication mechanism, so they are not defined by the 802.1x standard. You can use other protocols,
but we recommend RADIUS for authentication, particularly when the authentication server is located
remotely, because RADIUS has extensions that support encapsulation of EAP frames built into it.

802.1x Parameters Configurable on the Switch

You can configure these 802.1x parameters on the switch:
• Force-Authorized, Force-Unauthorized, or Automatic 802.1x port control
• Enable or disable multiple hosts on a specific port
• Enable or disable system authentication control
• Specify quiet time interval
• Specify the authenticator to supplicant retransmission time interval
• Specify the back-end authenticator to supplicant retransmission time interval
• Specify the back-end authenticator to authentication server retransmission time interval
• Specify the number of frames retransmitted from the back-end authenticator to supplicant
• Specify the automatic supplicant reauthentication time interval
• Enable or disable automatic supplicant reauthentication
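The port model described above (uncontrolled port for EAPOL only, controlled port opened by authorization) together with the switch parameters just listed, as an added Python example that is not Cisco code; the class, method and frame-builder names are this example's own, and timer values default to those this chapter gives.

```python
"""Model of an 802.1x-controlled switch port as this section describes it.

Added example, not Cisco code. One physical port carries two virtual access
points: the uncontrolled port passes only EAPOL frames and is always open;
the controlled port passes everything else and opens only once the supplicant
is authorized. Port control mode, quiet period, retransmission timer and
count, and reauthentication period are the switch parameters listed above,
initialised to the defaults this chapter gives.
"""
from enum import Enum
from typing import Optional

EAPOL_ETHERTYPE = 0x888E                            # EAP over LAN
VLAN_TAG_ETHERTYPE = 0x8100                         # 802.1Q tag, skipped when reading the EtherType
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # destination MAC of EAPOL frames


class PortControl(Enum):
    FORCE_AUTHORIZED = "force-authorized"      # default: controlled port always open
    FORCE_UNAUTHORIZED = "force-unauthorized"  # controlled port never opens
    AUTO = "auto"                              # opens only after 802.1x authorization


def ethertype(frame: bytes) -> int:
    """EtherType of a raw Ethernet frame, looking past a single 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    et = int.from_bytes(frame[12:14], "big")
    if et == VLAN_TAG_ETHERTYPE:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q frame")
        et = int.from_bytes(frame[16:18], "big")
    return et


def ethernet_frame(et: int, dst: bytes = b"\xff" * 6, vlan: Optional[int] = None,
                   payload: bytes = b"\x00" * 46) -> bytes:
    """Build a constructed test frame (source MAC is a fixed placeholder)."""
    src = bytes.fromhex("020000000001")
    tag = b""
    if vlan is not None:
        tag = VLAN_TAG_ETHERTYPE.to_bytes(2, "big") + vlan.to_bytes(2, "big")
    return dst + src + tag + et.to_bytes(2, "big") + payload


class Dot1xPort:
    """Authenticator-side state of one switch port."""

    def __init__(self, control=PortControl.FORCE_AUTHORIZED, quiet_period=60,
                 tx_period=30, max_req=2, reauth_period=3600, reauth_enabled=False):
        self.control = control
        self.quiet_period = quiet_period    # seconds supplicants are ignored after a failure
        self.tx_period = tx_period          # seconds before an unanswered EAP-Request is resent
        self.max_req = max_req              # retransmissions before the exchange is abandoned
        self.reauth_period = reauth_period  # seconds between automatic reauthentications
        self.reauth_enabled = reauth_enabled
        self.authorized_since = None        # time of the last successful authorization
        self.quiet_until = 0.0              # end of the current quiet period
        self.unanswered = 0                 # EAP-Requests sent without a reply

    def authorized(self) -> bool:
        """Whether the controlled port is open."""
        if self.control is PortControl.FORCE_AUTHORIZED:
            return True
        if self.control is PortControl.FORCE_UNAUTHORIZED:
            return False
        return self.authorized_since is not None

    def reauth_due(self, now: float) -> bool:
        """True when the automatic reauthentication timer has expired."""
        return (self.control is PortControl.AUTO and self.reauth_enabled
                and self.authorized_since is not None
                and now - self.authorized_since >= self.reauth_period)

    def on_eap_success(self, now: float) -> None:
        """Authentication server accepted the supplicant: open the controlled port."""
        self.authorized_since = now
        self.unanswered = 0

    def on_eap_failure(self, now: float) -> None:
        """Server rejected the supplicant: close the controlled port and go quiet."""
        self.authorized_since = None
        self.unanswered = 0
        self.quiet_until = now + self.quiet_period

    def on_request_timeout(self) -> bool:
        """tx_period elapsed with no reply; True means retransmit the EAP-Request."""
        self.unanswered += 1
        if self.unanswered > self.max_req:
            self.unanswered = 0         # abandon this exchange; an EAPOL-Start restarts it
            return False
        return True

    def accept(self, frame: bytes, now: float) -> str:
        """Which virtual access point, if any, forwards this frame."""
        if ethertype(frame) == EAPOL_ETHERTYPE:
            if self.control is PortControl.AUTO and now < self.quiet_until:
                return "quiet"          # uncontrolled port is open but the PAE ignores it
            return "uncontrolled"
        return "controlled" if self.authorized() else "drop"
```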

Configuring Authentication
These sections describe how to configure the different authentication methods:
• Authentication Default Configuration, page 21-10
• Authentication Configuration Guidelines, page 21-11
• Configuring Login Authentication, page 21-12
• Configuring Local Authentication, page 21-13
• Configuring TACACS+ Authentication, page 21-17
• Configuring RADIUS Authentication, page 21-23
• Configuring Kerberos Authentication, page 21-31
• Configuring 802.1x Authentication, page 21-40
• Authentication Example, page 21-48


Authentication Default Configuration

Table 21-3 shows the default authentication configuration.

Table 21-3 Authentication Default Configuration

Login authentication (console and Telnet): Enabled
Local authentication (console and Telnet): Enabled
TACACS+ login authentication (console and Telnet): Disabled
TACACS+ enable authentication (console and Telnet): Disabled
TACACS+ key: None specified
TACACS+ login attempts: 3
TACACS+ server timeout: 5 seconds
TACACS+ directed request: Disabled
RADIUS login authentication (console and Telnet): Disabled
RADIUS enable authentication (console and Telnet): Disabled
RADIUS server IP address: None specified
RADIUS server UDP auth-port: Port 1812
RADIUS key: None specified
RADIUS server timeout: 5 seconds
RADIUS server deadtime: 0 (servers not marked dead)
RADIUS retransmit attempts: 2 times
Kerberos login authentication (console and Telnet): Disabled
Kerberos enable authentication (console and Telnet): Disabled
Kerberos server IP address: None specified
Kerberos DES key: None specified
Kerberos server auth-port: Port 750
Kerberos local-realm name: NULL string
Kerberos credentials forwarding: Disabled
Kerberos clients mandatory: Not mandatory
Kerberos preauthentication: Disabled
802.1x port control: Force-Authorized
802.1x multiple hosts: Disabled
802.1x system authentication control: Enable
802.1x quiet period time: 60 seconds
802.1x authenticator to supplicant retransmission time: 30 seconds
802.1x back-end authenticator to supplicant retransmission time: 30 seconds
802.1x back-end authenticator to authentication server retransmission time: 30 seconds
802.1x number of frames retransmitted from back-end authenticator to supplicant: 2
802.1x automatic supplicant reauthentication time: 3600 seconds
802.1x automatic authenticator reauthentication of supplicant: Disabled

Authentication Configuration Guidelines

Follow these guidelines when configuring authentication on the switch:
• Authentication configuration applies both to console and Telnet connection attempts unless you use
the console and telnet keywords to specify the authentication methods to use for each connection
type individually.
• If you configure a RADIUS or TACACS+ key on the switch, make sure you configure an identical
key on the RADIUS or TACACS+ server.
• You must specify a RADIUS or TACACS+ server before enabling RADIUS or TACACS+ on the
switch.
• If you configure multiple RADIUS or TACACS+ servers, the first server configured is the primary
server and authentication requests are sent to this server first. You can specify a server as primary
by using the primary keyword.
• RADIUS and TACACS+ support one privileged mode only (level 1).
• Kerberos authentication does not work if TACACS+ is also used as an authentication mechanism.
• 802.1x will work with other protocols, but we recommend RADIUS, particularly with a remotely
located authentication server.
• You cannot enable 802.1x on a secure port until you turn off the security feature on that port. You
cannot enable security on an 802.1x port.
• 802.1x is only supported on Ethernet ports.
• You cannot enable 802.1x on a trunk port until you turn off the trunking feature on that port. You
cannot enable trunking on an 802.1x port.
• You cannot enable 802.1x on a dynamic port until you turn off the DVLAN feature on that port. You
cannot enable DVLAN on an 802.1x port.
• You cannot enable 802.1x on a channeling port until you turn off the channeling feature on that port.
You cannot enable channeling on an 802.1x port.
• You cannot enable 802.1x on a Multiple VLAN Access Port (MVAP) with an auxiliary VLAN ID
until you turn off the auxiliary VLAN ID feature on that port. You cannot enable an auxiliary VLAN
ID on an 802.1x port.
• You cannot enable 802.1x on a switched port analyzer (SPAN) destination port. You cannot
configure SPAN destination on an 802.1x port. However, you can configure an 802.1x port as a
SPAN source port.


Configuring Login Authentication

These sections describe how to configure login authentication on the switch:
• Setting Authentication Login Attempts on the Switch, page 21-12
• Setting Authentication Login Attempts for the Privileged Mode, page 21-13

Setting Authentication Login Attempts on the Switch

To set up login authentication on the switch, perform this task in privileged mode:

Step 1  Task: Enable login attempt limits on the switch. Enter the console or telnet keyword if you want to apply the limit only to the console port or only to Telnet connection attempts.
        Command: set authentication login attempt {count} [console | telnet]
Step 2  Task: Enable the login lockout time on the switch. Enter the console or telnet keyword if you want to apply the lockout time only to the console port or only to Telnet connection attempts.
        Command: set authentication login lockout {time} [console | telnet]
Step 3  Task: Verify the authentication configuration.
        Command: show authentication

This example shows how to limit login attempts to five, set the lockout time for both console and Telnet
connections to 50 seconds, and verify the configuration:
Console> (enable) set authentication login attempt 5
Login authentication attempts for console and telnet logins set to 5.
Console> (enable) set authentication login lockout 50
Login lockout time for console and telnet logins set to 50.
Console> (enable) show authentication
Login Authentication:     Console Session   Telnet Session    Http Session
---------------------     ----------------  ----------------  ----------------
tacacs                    disabled          disabled          disabled
radius                    disabled          disabled          disabled
kerberos                  disabled          disabled          disabled
local                     enabled(primary)  enabled(primary)  enabled(primary)
attempt limit             5                 5                 -
lockout timeout (sec)     50                50                -

Enable Authentication:    Console Session   Telnet Session    Http Session
----------------------    ----------------- ----------------  ----------------
tacacs                    disabled          disabled          disabled
radius                    disabled          disabled          disabled
kerberos                  disabled          disabled          disabled
local                     enabled(primary)  enabled(primary)  enabled(primary)
attempt limit             3                 3                 -
lockout timeout (sec)     disabled          disabled          -
Console> (enable)


Setting Authentication Login Attempts for the Privileged Mode

To set up login authentication for privileged mode, perform this task in privileged mode:

Step 1  Task: Enable the login attempt limits for privileged mode. Enter the console or telnet keyword if you want to apply the limit only to the console port or only to Telnet connection attempts.
        Command: set authentication enable attempt {count} [console | telnet]
Step 2  Task: Enable the login lockout time for privileged mode. Enter the console or telnet keyword if you want to apply the lockout time only to the console port or only to Telnet connection attempts.
        Command: set authentication enable lockout {time} [console | telnet]
Step 3  Task: Verify the authentication configuration.
        Command: show authentication

This example shows how to limit enable mode login attempts to five, set the enable mode lockout time
for both console and Telnet connections to 50 seconds, and verify the configuration:
Console> (enable) set authentication enable attempt 5
Enable mode authentication attempts for console and telnet logins set to 5.
Console> (enable) set authentication enable lockout 50
Enable mode lockout time for console and telnet logins set to 50.
Console> (enable) show authentication
Login Authentication:     Console Session   Telnet Session    Http Session
---------------------     ----------------  ----------------  ----------------
tacacs                    disabled          disabled          disabled
radius                    disabled          disabled          disabled
kerberos                  disabled          disabled          disabled
local                     enabled(primary)  enabled(primary)  enabled(primary)
attempt limit             5                 5                 -
lockout timeout (sec)     50                50                -

Enable Authentication:    Console Session   Telnet Session    Http Session
----------------------    ----------------- ----------------  ----------------
tacacs                    disabled          disabled          disabled
radius                    disabled          disabled          disabled
kerberos                  disabled          disabled          disabled
local                     enabled(primary)  enabled(primary)  enabled(primary)
attempt limit             5                 5                 -
lockout timeout (sec)     50                50                -
Console> (enable)

Configuring Local Authentication


These sections describe how to configure local authentication on the switch:
• Enabling Local Authentication, page 21-14
• Setting the Login Password, page 21-14
• Setting the Enable Password, page 21-15
• Disabling Local Authentication, page 21-15
• Recovering a Lost Password, page 21-16


Enabling Local Authentication

Note Local login and enable authentication are enabled for both console and Telnet connections by default.
You do not need to perform this task unless you want to modify the default configuration or you have
disabled local authentication.

To enable local authentication on the switch, perform this task in privileged mode:

Step 1  Task: Enable local login authentication on the switch. Enter the console or telnet keyword if you want to enable local authentication only for console port or Telnet connection attempts.
        Command: set authentication login local enable [all | console | http | telnet]
Step 2  Task: Enable local enable authentication on the switch. Enter the console or telnet keyword if you want to enable local authentication only for console port or Telnet connection attempts.
        Command: set authentication enable local enable [all | console | http | telnet]
Step 3  Task: Verify the local authentication configuration.
        Command: show authentication

This example shows how to enable local login and enable authentication for both console and Telnet
connections, and how to verify the configuration:
Console> (enable) set authentication login local enable
local login authentication set to enable for console and telnet session.
Console> (enable) set authentication enable local enable
local enable authentication set to enable for console and telnet session.
Console> (enable) show authentication
Login Authentication:     Console Session   Telnet Session
---------------------     ----------------  ----------------
tacacs                    disabled          disabled
radius                    disabled          disabled
kerberos                  disabled          disabled
local                     enabled(primary)  enabled(primary)

Enable Authentication:    Console Session   Telnet Session
----------------------    ----------------- ----------------
tacacs                    disabled          disabled
radius                    disabled          disabled
kerberos                  disabled          disabled
local                     enabled(primary)  enabled(primary)
Console> (enable)

Setting the Login Password


The login password controls access to the user mode CLI. Passwords are case sensitive, contain up to
19 characters, and use any printable character, including a space.

Note Passwords set in releases prior to software release 5.4 remain non-case sensitive. You must reset the
password after installing software release 5.4 to activate case sensitivity.


To set the login password for local authentication, perform this task in privileged mode:

Task: Set the login password for access. Enter your old password (press Return on a switch with no password configured), enter your new password, and reenter your new password.
Command: set password

This example shows how to set the login password on the switch:
Console> (enable) set password
Enter old password: <old_password>
Enter new password: <new_password>
Retype new password: <new_password>
Password changed.
Console> (enable)

Setting the Enable Password

The enable password controls access to the privileged mode CLI. Passwords are case sensitive, contain up to
19 characters, and use any printable character, including a space.

Note Passwords set in releases prior to software release 5.4 remain non-case sensitive. You must reset the
password after installing software release 5.4 to activate case sensitivity.

To set the enable password for local authentication, perform this task in privileged mode:

Task: Set the password for privileged mode. Enter your old password (press Return on a switch with no password configured), enter your new password, and reenter your new password.
Command: set enablepass

This example shows how to set the enable password on the switch:
Console> (enable) set enablepass
Enter old password: <old_password>
Enter new password: <new_password>
Retype new password: <new_password>
Password changed.
Console> (enable)

Disabling Local Authentication

Caution Make sure that RADIUS or TACACS+ authentication is configured and operating correctly before
disabling local login or enable authentication. If you disable local authentication and RADIUS or
TACACS+ is not configured correctly, or if the RADIUS or TACACS+ server is not online, you may
be unable to log in to the switch.


To disable local authentication on the switch, perform this task in privileged mode:

Step 1  Task: Disable local login authentication on the switch. Enter the console or telnet keyword if you want to disable local authentication only for console port or Telnet connection attempts.
        Command: set authentication login local disable [all | console | http | telnet]
Step 2  Task: Disable local enable authentication on the switch. Enter the console or telnet keyword if you want to disable local authentication only for console port or Telnet connection attempts.
        Command: set authentication enable local disable [all | console | http | telnet]
Step 3  Task: Verify the local authentication configuration.
        Command: show authentication

Note You must have either RADIUS or TACACS+ authentication enabled before you disable local
authentication.

This example shows how to disable local login and enable authentication for both console and Telnet
connections, and how to verify the configuration:
Console> (enable) set authentication login local disable
local login authentication set to disable for console and telnet session.
Console> (enable) set authentication enable local disable
local enable authentication set to disable for console and telnet session.
Console> (enable) show authentication
Login Authentication:     Console Session   Telnet Session
---------------------     ----------------  ----------------
tacacs                    disabled          disabled
radius                    enabled(primary)  enabled(primary)
kerberos                  disabled          disabled
local                     disabled          disabled

Enable Authentication:    Console Session   Telnet Session
----------------------    ----------------- ----------------
tacacs                    disabled          disabled
radius                    enabled(primary)  enabled(primary)
kerberos                  disabled          disabled
local                     disabled          disabled
Console> (enable)
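The lockout risk described in the Caution and Note above can be checked mechanically from the switch's own output. This added Python example (not Cisco code) parses the Login/Enable Authentication tables and the key lines that show authentication and show tacacs print, using constructed sample output in the format shown in this chapter, and flags a session type with no enabled login method, a remote method enabled without a key, and disabled enable-mode lockout; the function names are this example's own.

```python
"""Audit the switch's authentication configuration from CLI output.

Added example, not Cisco code. It parses the text that the guide's
'show authentication' and 'show tacacs' commands print (the Login/Enable
Authentication tables and the 'Tacacs key:' / 'Radius Key:' lines) and
flags the lockout risk this section describes.
"""
import re
from typing import Dict, List

METHODS = ("tacacs", "radius", "kerberos", "local")

# Constructed sample in the format shown in this chapter: local authentication
# was disabled, TACACS+ is enabled for console login only, and no key is set.
SAMPLE_SHOW_TACACS = """\
Login Authentication:     Console Session   Telnet Session
---------------------     ----------------  ----------------
tacacs                    enabled(primary)  disabled
radius                    disabled          disabled
local                     disabled          disabled

Enable Authentication:    Console Session   Telnet Session
----------------------    ----------------- ----------------
tacacs                    enabled(primary)  enabled(primary)
radius                    disabled          disabled
local                     disabled          disabled
Tacacs key:
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled
"""

# Constructed 'show authentication' sample: local authentication is on, but no
# lockout time is configured for privileged (enable) mode.
SAMPLE_SHOW_AUTH = """\
Login Authentication:     Console Session   Telnet Session    Http Session
---------------------     ----------------  ----------------  ----------------
tacacs                    disabled          disabled          disabled
local                     enabled(primary)  enabled(primary)  enabled(primary)
attempt limit             5                 5                 -
lockout timeout (sec)     50                50                -

Enable Authentication:    Console Session   Telnet Session    Http Session
----------------------    ----------------- ----------------  ----------------
tacacs                    disabled          disabled          disabled
local                     enabled(primary)  enabled(primary)  enabled(primary)
attempt limit             3                 3                 -
lockout timeout (sec)     disabled          disabled          -
"""


def parse_auth_tables(output: str) -> Dict[str, dict]:
    """Return {'Login'|'Enable': {'sessions': [...], 'rows': {row: {session: value}}}}."""
    tables = {}
    lines = output.splitlines()
    i = 0
    while i < len(lines):
        header = re.match(r"\s*(Login|Enable) Authentication:(.*)", lines[i])
        i += 1
        if not header:
            continue
        sessions = re.findall(r"(\w+) Session", header.group(2))
        rows = {}
        # Rows run until a blank line or the next 'name: value' line.
        while i < len(lines) and lines[i].strip() and ":" not in lines[i]:
            tokens = lines[i].split()
            if not tokens[0].startswith("-") and len(tokens) > len(sessions):
                name = " ".join(tokens[:-len(sessions)])
                rows[name] = dict(zip(sessions, tokens[-len(sessions):]))
            i += 1
        tables[header.group(1)] = {"sessions": sessions, "rows": rows}
    return tables


def parse_keys(output: str) -> Dict[str, str]:
    """Return {'tacacs': key, 'radius': key} for the key lines present (value may be empty)."""
    found = re.findall(r"^\s*(Tacacs|Radius) key:[ \t]*(.*)$", output, re.I | re.M)
    return {name.lower(): value.strip() for name, value in found}


def audit(output: str) -> List[str]:
    """Findings, in table order, for the risks this section warns about."""
    findings = []
    keys = parse_keys(output)
    for kind, table in parse_auth_tables(output).items():
        rows = table["rows"]
        for session in table["sessions"]:
            enabled = [m for m in METHODS
                       if m in rows and rows[m][session].startswith("enabled")]
            if not enabled:
                findings.append(f"{kind}: no authentication method enabled for "
                                f"{session} sessions (lockout risk)")
                continue
            for method in enabled:
                if method in keys and not keys[method]:
                    findings.append(f"{kind}: {method} is enabled for {session} "
                                    f"sessions but no {method} key is configured")
        for session, value in rows.get("lockout timeout (sec)", {}).items():
            if value == "disabled":
                findings.append(f"{kind}: lockout after failed attempts is disabled "
                                f"for {session} sessions")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_SHOW_TACACS, SAMPLE_SHOW_AUTH):
        for line in audit(sample):
            print(line)
```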

Recovering a Lost Password


Use the following procedure to recover a lost local authentication password. You must complete Steps 3
through 7 within 30 seconds of a power cycle or the recovery will fail. If you lost both the login and
enable passwords, repeat the process for each password.
To recover a lost password, perform the following task in privileged mode:

Step 1 Connect to the switch through the supervisor engine console port. You cannot recover the password if
you are connected through a Telnet connection.
Step 2 Enter the reset system command to reboot the switch.


Step 3 At the “Enter Password” prompt, press Return. The login password is null for 30 seconds when you are
connected to the console port.
Step 4 Enter privileged mode using the enable command.
Step 5 At the “Enter Password” prompt, press Return. (The enable password is null for 30 seconds when you
are connected to the console port.)
Step 6 Enter the set password or set enablepass command, as appropriate.
Step 7 When prompted for your old password, press Return.
Step 8 Enter and confirm your new password.

Configuring TACACS+ Authentication


These sections describe how to configure TACACS+ authentication on the switch:
• Specifying TACACS+ Servers, page 21-17
• Enabling TACACS+ Authentication, page 21-18
• Specifying the TACACS+ Key, page 21-19
• Specifying the TACACS+ Timeout Interval, page 21-19
• Specifying the TACACS+ Login Attempts, page 21-20
• Enabling TACACS+ Directed Request, page 21-21
• Disabling TACACS+ Directed Request, page 21-21
• Clearing TACACS+ Servers, page 21-22
• Clearing the TACACS+ Key, page 21-22
• Disabling TACACS+ Authentication, page 21-23

Specifying TACACS+ Servers


Specify one or more TACACS+ servers before you enable TACACS+ authentication on the switch. The
first server you specify is the primary server, unless you explicitly make one server the primary using
the primary keyword.
To specify one or more TACACS+ servers, perform this task in privileged mode:

Step 1  Task: Specify the IP address of one or more TACACS+ servers.
        Command: set tacacs server ip_addr [primary]
Step 2  Task: Verify the TACACS+ configuration.
        Command: show tacacs

This example shows how to specify TACACS+ servers and verify the configuration:
Console> (enable) set tacacs server 172.20.52.3
172.20.52.3 added to TACACS server table as primary server.
Console> (enable) set tacacs server 172.20.52.2 primary
172.20.52.2 added to TACACS server table as primary server.
Console> (enable) set tacacs server 172.20.52.10
172.20.52.10 added to TACACS server table as backup server.
Console> (enable)


Console> (enable) show tacacs
Login Authentication:     Console Session   Telnet Session
---------------------     ----------------  ----------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)

Enable Authentication:    Console Session   Telnet Session
----------------------    ----------------- ----------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)
Tacacs key:
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled

Tacacs-Server                            Status
---------------------------------------- -------
172.20.52.3
172.20.52.2                              primary
172.20.52.10
Console> (enable)

Enabling TACACS+ Authentication

Note Specify at least one TACACS+ server before enabling TACACS+ authentication on the switch. For
information on specifying a TACACS+ server, see the “Specifying TACACS+ Servers” section on
page 21-17.

You can enable TACACS+ authentication for login and enable access to the switch. If desired, you can
use the console and telnet keywords to specify that TACACS+ authentication be used only on console
or Telnet connections. If you are using both RADIUS and TACACS+, you can use the primary keyword
to force the switch to try TACACS+ authentication first.
To enable TACACS+ authentication, perform this task in privileged mode:

Step 1  Task: Enable TACACS+ authentication for normal login mode. Enter the console or telnet keyword if you want to enable TACACS+ only for console port or Telnet connection attempts.
        Command: set authentication login tacacs enable [all | console | http | telnet] [primary]
Step 2  Task: Enable TACACS+ authentication for enable mode. Enter the console or telnet keyword if you want to enable TACACS+ only for console port or Telnet connection attempts.
        Command: set authentication enable tacacs enable [all | console | http | telnet] [primary]
Step 3  Task: Verify the TACACS+ configuration.
        Command: show authentication

This example shows how to enable TACACS+ authentication for console and Telnet connections and
how to verify the configuration:
Console> (enable) set authentication login tacacs enable
tacacs login authentication set to enable for console and telnet session.
Console> (enable) set authentication enable tacacs enable
tacacs enable authentication set to enable for console and telnet session.
Console> (enable) show authentication
Login Authentication:     Console Session   Telnet Session
---------------------     ----------------  ----------------
tacacs                    enabled(primary)  enabled(primary)
radius                    disabled          disabled
local                     enabled           enabled

Enable Authentication:    Console Session   Telnet Session
----------------------    ----------------- ----------------
tacacs                    enabled(primary)  enabled(primary)
radius                    disabled          disabled
local                     enabled           enabled
Console> (enable)

Specifying the TACACS+ Key

Note If you configure a TACACS+ key on the client, make sure you configure an identical key on the
TACACS+ server.

To specify the TACACS+ key, perform this task in privileged mode:

Step 1  Task: Specify the key used to encrypt packets.
        Command: set tacacs key key
Step 2  Task: Verify the TACACS+ configuration.
        Command: show tacacs

This example shows how to specify the TACACS+ key and verify the configuration:
Console> (enable) set tacacs key Secret_TACACS_key
The tacacs key has been set to Secret_TACACS_key.
Console> (enable) show tacacs
Tacacs key: Secret_TACACS_key
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled

Tacacs-Server                            Status
---------------------------------------- -------
172.20.52.3
172.20.52.2                              primary
172.20.52.10
Console> (enable)

Specifying the TACACS+ Timeout Interval


You can specify the timeout interval between retransmissions to the TACACS+ server. The default
timeout is 5 seconds.


To specify the TACACS+ timeout interval, perform this task in privileged mode:

Step 1  Task: Specify the TACACS+ timeout interval.
        Command: set tacacs timeout seconds
Step 2  Task: Verify the TACACS+ configuration.
        Command: show tacacs

This example shows how to specify the server timeout interval and verify the configuration:
Console> (enable) set tacacs timeout 30
Tacacs timeout set to 30 seconds.
Console> (enable) show tacacs
Tacacs key: Secret_TACACS_key
Tacacs login attempts: 3
Tacacs timeout: 30 seconds
Tacacs direct request: disabled

Tacacs-Server                            Status
---------------------------------------- -------
172.20.52.3
172.20.52.2                              primary
172.20.52.10
Console> (enable)

Specifying the TACACS+ Login Attempts

You can specify the number of failed login attempts allowed.
To specify the number of login attempts allowed, perform this task in privileged mode:

Step 1  Task: Specify the number of allowed login attempts.
        Command: set tacacs attempts number
Step 2  Task: Verify the TACACS+ configuration.
        Command: show tacacs

This example shows how to specify the number of login attempts and verify the configuration:
Console> (enable) set tacacs attempts 5
Tacacs number of attempts set to 5.
Console> (enable) show tacacs
Tacacs key: Secret_TACACS_key
Tacacs login attempts: 5
Tacacs timeout: 30 seconds
Tacacs direct request: disabled
Tacacs-Server                            Status
---------------------------------------- -------
172.20.52.3
172.20.52.2                              primary
172.20.52.10
Console> (enable)


Enabling TACACS+ Directed Request


When you enable TACACS+ directed request, you can optionally specify the host name of a configured
TACACS+ server to direct the TACACS+ authentication request to that particular TACACS+ server.
Authentication will fail if the server that the switch contacts does not have an account for the user that
is attempting to log in.
To enable TACACS+ directed request, perform this task in privileged mode:

Step 1  Task: Enable TACACS+ directed request on the switch.
        Command: set tacacs directedrequest enable
Step 2  Task: Verify the TACACS+ configuration.
        Command: show tacacs

This example shows how to enable TACACS+ directed request and verify the configuration:
Console> (enable) set tacacs directedrequest enable
Tacacs direct request has been enabled.
Console> (enable) show tacacs
Tacacs key: Secret_TACACS_key
Tacacs login attempts: 5
Tacacs timeout: 30 seconds
Tacacs direct request: enabled

Tacacs-Server                            Status
---------------------------------------- -------
172.20.52.3
172.20.52.2                              primary
172.20.52.10
Console> (enable)

Disabling TACACS+ Directed Request


To disable TACACS+ directed request, perform this task in privileged mode:

Step 1  Task: Disable TACACS+ directed request on the switch.
        Command: set tacacs directedrequest disable
Step 2  Task: Verify the TACACS+ configuration.
        Command: show tacacs

This example shows how to disable TACACS+ directed request:
Console> (enable) set tacacs directedrequest disable
Tacacs direct request has been disabled.
Console> (enable)


Clearing TACACS+ Servers


To clear one or more TACACS+ servers, perform this task in privileged mode:

Step 1  Task: Specify the IP address of the TACACS+ server to clear from the configuration. Enter the all keyword to clear all of the servers from the configuration.
        Command: clear tacacs server [ip_addr | all]
Step 2  Task: Verify the TACACS+ server configuration.
        Command: show tacacs

This example shows how to clear a specific TACACS+ server from the configuration:
Console> (enable) clear tacacs server 172.20.52.3
172.20.52.3 cleared from TACACS table
Console> (enable)

This example shows how to clear all TACACS+ servers from the configuration:
Console> (enable) clear tacacs server all
All TACACS servers cleared
Console> (enable)

Clearing the TACACS+ Key


To clear the TACACS+ key, perform this task in privileged mode:

Step 1  Task: Clear the TACACS+ key.
        Command: clear tacacs key
Step 2  Task: Verify the TACACS+ configuration.
        Command: show tacacs

This example shows how to clear the TACACS+ key:
Console> (enable) clear tacacs key
TACACS server key cleared.
Console> (enable)


Disabling TACACS+ Authentication


If local authentication is disabled and TACACS+ is the only authentication method enabled, disabling
TACACS+ authentication automatically reenables local authentication.
To disable TACACS+ authentication, perform this task in privileged mode:

Step 1  Task: Disable TACACS+ authentication for normal login mode. Enter the console or telnet keyword if you want to disable TACACS+ only for console port or Telnet connection attempts.
        Command: set authentication login tacacs disable [all | console | http | telnet]
Step 2  Task: Disable TACACS+ authentication for enable mode. Enter the console or telnet keyword if you want to disable TACACS+ only for console port or Telnet connection attempts.
        Command: set authentication enable tacacs disable [all | console | http | telnet]
Step 3  Task: Verify the TACACS+ configuration.
        Command: show authentication

This example shows how to disable TACACS+ authentication for console and Telnet connections and
how to verify the configuration:
Console> (enable) set authentication login tacacs disable
tacacs login authentication set to disable for console and telnet session.
Console> (enable) set authentication enable tacacs disable
tacacs enable authentication set to disable for console and telnet session.
Console> (enable) show authentication
Login Authentication:     Console Session   Telnet Session
---------------------     ----------------  ----------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)

Enable Authentication:    Console Session   Telnet Session
----------------------    ----------------- ----------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)
Console> (enable)

Configuring RADIUS Authentication


These sections describe how to configure RADIUS authentication on the switch:
• Specifying RADIUS Servers, page 21-24
• Specifying the RADIUS Key, page 21-24
• Enabling RADIUS Authentication, page 21-25
• Specifying the RADIUS Timeout Interval, page 21-27
• Specifying the RADIUS Retransmit Count, page 21-27
• Specifying the RADIUS Deadtime, page 21-28
• Clearing RADIUS Servers, page 21-29
• Clearing the RADIUS Key, page 21-29
• Disabling RADIUS Authentication, page 21-30

Specifying RADIUS Servers


To specify one or more RADIUS servers, perform this task in privileged mode:

Step 1  Specify the IP address of up to three RADIUS servers. Specify the primary server using the primary keyword. Optionally, specify the destination UDP port to use on the server.
        Command: set radius server ip_addr [auth-port port] [primary]
Step 2  Verify the RADIUS server configuration.
        Command: show radius

This example shows how to specify a RADIUS server and verify the configuration:
Console> (enable) set radius server 172.20.52.3
172.20.52.3 with auth-port 1812 added to radius server table as primary server.
Console> (enable) show radius
Login Authentication:   Console Session   Telnet Session
---------------------   ----------------  ----------------
tacacs                  disabled          disabled
radius                  disabled          disabled
local                   enabled(primary)  enabled(primary)

Enable Authentication:  Console Session   Telnet Session
----------------------  ----------------  ----------------
tacacs                  disabled          disabled
radius                  disabled          disabled
local                   enabled(primary)  enabled(primary)

Radius Deadtime: 0 minutes
Radius Key:
Radius Retransmit: 2
Radius Timeout: 5 seconds

Radius-Server                 Status   Auth-port
----------------------------  -------  ------------
172.20.52.3                   primary  1812
Console> (enable)

Specifying the RADIUS Key

Note If you specify a RADIUS key on the client, make sure you specify an identical key on the RADIUS
server.

The RADIUS key is the shared secret that the switch and the RADIUS server use to authenticate the
RADIUS packets they exchange and to hide the user password in the Access-Request. It does not encrypt
the rest of the exchange: user names and other attributes cross the network in clear text, so keep the
path between the switch and the RADIUS server on a trusted management network. You must configure
the same key on the client and the RADIUS server.
The length of the key is limited to 65 characters. It can include any printable ASCII characters except
tabs.
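The following Python script is an added example, not part of this guide or of CatOS, showing what the RADIUS key actually protects in the exchange described above: it builds an Access-Request with the User-Password attribute hidden under the shared secret as RFC 2865 specifies, recovers the password on the server side, and computes and verifies the Response Authenticator on the server's reply. The user name, the packet construction and the reuse of the page's sample key Secret_RADIUS_key are constructed for illustration; the script uses only the Python standard library and sends nothing on the network.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a 16-byte multiple and XOR each
    chunk with MD5(secret + previous chunk), seeded with the Request Authenticator.
    This is the only field the shared secret hides; other attributes go in clear."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server computes it (trailing pad bytes stripped)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth=None):
    """Client side: Access-Request with a random 16-byte Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_access_request(packet, secret):
    """Server side: walk the attribute list and recover the password with the shared secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, pos, username, password = packet[4:20], 20, None, None
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_NAME:
            username = value
        elif attr_type == ATTR_USER_PASSWORD:
            password = reveal_password(value, secret, request_auth)
        pos += attr_len
    return username, password


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_auth, secret):
    """Client side: a reply whose authenticator does not match the key, or was altered in
    transit, must be discarded rather than treated as an Access-Accept."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret = b"Secret_RADIUS_key"           # the key from the page's example
    req_auth = os.urandom(16)
    req = build_access_request(7, b"john", b"hello", secret, req_auth)
    print("user name visible in clear:", b"john" in req)
    print("server recovers:", parse_access_request(req, secret))
    reply = build_response(ACCESS_ACCEPT, 7, req_auth, b"", secret)
    print("reply accepted with right key:", verify_response(reply, req_auth, secret))
    print("reply accepted with wrong key:", verify_response(reply, req_auth, b"wrong"))
```

Running the script shows the user name sitting in clear text inside the request while only the password bytes are hidden, which is why the page's advice to protect the switch-to-server path matters as much as the key itself.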


To specify the RADIUS key, perform this task in privileged mode:

Step 1  Specify the RADIUS key (shared secret) used to authenticate packets exchanged with the RADIUS server and to hide the password sent to it.
        Command: set radius key key
Step 2  Verify the RADIUS configuration.
        Command: show radius

This example shows how to specify the RADIUS key and verify the configuration (in normal mode, the
RADIUS key value is hidden):
Console> (enable) set radius key Secret_RADIUS_key
Radius key set to Secret_RADIUS_key
Console> (enable) show radius
Login Authentication:   Console Session   Telnet Session
---------------------   ----------------  ----------------
tacacs                  disabled          disabled
radius                  enabled(primary)  enabled(primary)
local                   enabled           enabled

Enable Authentication:  Console Session   Telnet Session
----------------------  ----------------  ----------------
tacacs                  disabled          disabled
radius                  enabled(primary)  enabled(primary)
local                   enabled           enabled

Radius Deadtime: 0 minutes
Radius Key: Secret_RADIUS_key
Radius Retransmit: 2
Radius Timeout: 5 seconds

Radius-Server                 Status   Auth-port
----------------------------  -------  ------------
172.20.52.3                   primary  1812
Console> (enable)

Enabling RADIUS Authentication

Note Specify at least one RADIUS server before enabling RADIUS authentication on the switch. For
information on specifying a RADIUS server, see the “Specifying RADIUS Servers” section on
page 21-24.

You can enable RADIUS authentication for login and enable access to the switch. If desired, you can
enter the console or telnet keyword to specify that RADIUS authentication be used only on console or
Telnet connections. If you are using both RADIUS and TACACS+, you can use the primary keyword
to force the switch to try RADIUS authentication first.


To set up the RADIUS username and enable RADIUS authentication, perform this task in privileged
mode:

Step 1  Enable RADIUS authentication for normal login mode. Enter the console or telnet keyword if you want to enable RADIUS only for console port or Telnet connection attempts.
        Command: set authentication login radius enable [all | console | http | telnet] [primary]
Step 2  Enable RADIUS authentication for enable mode. Enter the console or telnet keyword if you want to enable RADIUS only for console port or Telnet connection attempts.
        Command: set authentication enable radius enable [all | console | http | telnet] [primary]
Step 3  Create a user $enab15$ on the RADIUS server, and assign a password to that user. See the Note below for additional information.
Step 4  Verify the RADIUS configuration.
        Command: show authentication

Note To use RADIUS authentication for enable mode, you will need to create a user $enab15$ on the
RADIUS server and assign a password to that user. This user needs to be created in addition to your
assigned username and password on the RADIUS server (example: username john, password hello).
After you log in to the Catalyst 6000 family switch with your assigned username and password
(john/hello), you can enter enable mode using the password assigned to the $enab15$ user.

If your RADIUS server does not support the $enab15$ username, you can set the Service-Type
attribute (attribute 6) to Administrative (value 6) for a RADIUS user to launch that user directly into
enable mode without asking for a separate enable password. Because Administrative grants privileged
access at login, assign it only to users who should have enable access.

This example shows how to enable RADIUS authentication and verify the configuration:
Console> (enable) set authentication login radius enable
radius login authentication set to enable for console and telnet session.
Console> (enable) set authentication enable radius enable
radius enable authentication set to enable for console and telnet session.
Console> (enable) show authentication
Login Authentication:   Console Session   Telnet Session
---------------------   ----------------  ----------------
tacacs                  disabled          disabled
radius                  enabled(primary)  enabled(primary)
local                   enabled           enabled

Enable Authentication:  Console Session   Telnet Session
----------------------  ----------------  ----------------
tacacs                  disabled          disabled
radius                  enabled(primary)  enabled(primary)
local                   enabled           enabled
Console> (enable)


Specifying the RADIUS Timeout Interval


You can specify the timeout interval between retransmissions to the RADIUS server. The default timeout
is 5 seconds.
To specify the RADIUS timeout interval, perform this task in privileged mode:

Step 1  Specify the RADIUS timeout interval.
        Command: set radius timeout seconds
Step 2  Verify the RADIUS configuration.
        Command: show radius

This example shows how to specify the RADIUS timeout interval and verify the configuration:
Console> (enable) set radius timeout 10
Radius timeout set to 10 seconds.
Console> (enable) show radius
Login Authentication:   Console Session   Telnet Session
---------------------   ----------------  ----------------
tacacs                  disabled          disabled
radius                  enabled(primary)  enabled(primary)
local                   enabled           enabled

Enable Authentication:  Console Session   Telnet Session
----------------------  ----------------  ----------------
tacacs                  disabled          disabled
radius                  enabled(primary)  enabled(primary)
local                   enabled           enabled

Radius Deadtime: 0 minutes
Radius Key: Secret_RADIUS_key
Radius Retransmit: 2
Radius Timeout: 10 seconds

Radius-Server                 Status   Auth-port
----------------------------  -------  ------------
172.20.52.3                   primary  1812
Console> (enable)

Specifying the RADIUS Retransmit Count


You can specify the number of times the switch will attempt to contact a RADIUS server before the next
configured server is tried. By default, each RADIUS server will be tried two times.
To specify the RADIUS retransmit count, perform this task in privileged mode:

Step 1  Specify the RADIUS server retransmit count.
        Command: set radius retransmit count
Step 2  Verify the RADIUS configuration.
        Command: show radius

This example shows how to specify the RADIUS retransmit count and verify the configuration:
Console> (enable) set radius retransmit 4
Radius retransmit count set to 4.
Console> (enable) show radius
Login Authentication:   Console Session   Telnet Session
---------------------   ----------------  ----------------
tacacs                  disabled          disabled
radius                  enabled(primary)  enabled(primary)
local                   enabled           enabled

Enable Authentication:  Console Session   Telnet Session
----------------------  ----------------  ----------------
tacacs                  disabled          disabled
radius                  enabled(primary)  enabled(primary)
local                   enabled           enabled

Radius Deadtime: 0 minutes
Radius Key: Secret_RADIUS_key
Radius Retransmit: 4
Radius Timeout: 10 seconds

Radius-Server                 Status   Auth-port
----------------------------  -------  ------------
172.20.52.3                   primary  1812
Console> (enable)

Specifying the RADIUS Deadtime


You can configure the switch so that, when a RADIUS server does not respond to an authentication
request, the switch marks that server as dead for the length of time specified by the deadtime. Any
authentication requests received during the deadtime interval (such as other users attempting to log in to
the switch) are not sent to a RADIUS server marked dead. Configuring a deadtime speeds up the
authentication process by eliminating timeouts and retransmissions to the dead RADIUS server.
If you configure only one RADIUS server, or if all of the configured servers are marked dead, the
deadtime is ignored because there are no alternate servers available.
To set the RADIUS deadtime, perform this task in privileged mode:

Step 1  Specify the RADIUS server deadtime interval.
        Command: set radius deadtime minutes
Step 2  Verify the RADIUS configuration.
        Command: show radius

This example shows how to specify the RADIUS deadtime interval and verify the configuration:
Console> (enable) set radius deadtime 5
Radius deadtime set to 5 minute(s)
Console> (enable) show radius
Login Authentication:   Console Session   Telnet Session
---------------------   ----------------  ----------------
tacacs                  disabled          disabled
radius                  enabled(primary)  enabled(primary)
local                   enabled           enabled

Enable Authentication:  Console Session   Telnet Session
----------------------  ----------------  ----------------
tacacs                  disabled          disabled
radius                  enabled(primary)  enabled(primary)
local                   enabled           enabled

Radius Deadtime: 5 minutes
Radius Key: Secret_RADIUS_key
Radius Retransmit: 4
Radius Timeout: 10 seconds

Radius-Server                 Status   Auth-port
----------------------------  -------  ------------
172.20.52.3                   primary  1812
172.20.52.2                            1812
Console> (enable)
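The timeout, retransmit and deadtime settings in the three preceding sections interact, and the following Python model is an added example (not CatOS code) of the server-selection rules those sections state: servers are tried in table order, each one retransmit times with timeout seconds between attempts, and a server that never answers is skipped for deadtime minutes unless it is the only server or every server is dead. The reply_from callback and the server addresses are constructed stand-ins for real RADIUS traffic, and CatOS retry timing is not documented here beyond those rules, so the model illustrates the documented behaviour rather than the switch's implementation.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class RadiusFailover:
    """Server selection as the page describes it (assumed model, not CatOS source)."""
    servers: List[str]                  # set radius server ..., primary first as in show radius
    timeout: int = 5                    # set radius timeout: seconds between retransmissions
    retransmit: int = 2                 # set radius retransmit: attempts per server
    deadtime: int = 0                   # set radius deadtime: minutes a dead server is skipped
    dead_until: Dict[str, float] = field(default_factory=dict)

    def candidates(self, now: float) -> List[str]:
        """Servers to try for this request, in order."""
        if self.deadtime == 0 or len(self.servers) == 1:
            return list(self.servers)   # deadtime disabled or only one server: nothing to skip
        live = [s for s in self.servers if self.dead_until.get(s, 0) <= now]
        return live or list(self.servers)   # all marked dead: deadtime is ignored

    def authenticate(self, reply_from: Callable[[str], Optional[bool]], now: float):
        """reply_from(server) returns True/False for Access-Accept/Reject and None for no reply.
        Returns (result, attempts, seconds_waited). result None means no server answered and
        the switch falls through to the next enabled method (for example local)."""
        attempts: List[str] = []
        waited = 0
        for server in self.candidates(now):
            for _ in range(self.retransmit):
                attempts.append(server)
                result = reply_from(server)
                if result is not None:
                    return result, attempts, waited
                waited += self.timeout      # each unanswered attempt costs one timeout
            if self.deadtime:
                self.dead_until[server] = now + self.deadtime * 60
        return None, attempts, waited


if __name__ == "__main__":
    # Constructed scenario: the primary from the page's example is down, the backup answers.
    primary, backup = "172.20.52.3", "172.20.52.2"
    answers = {primary: None, backup: True}
    fo = RadiusFailover([primary, backup], timeout=10, retransmit=4, deadtime=5)
    print("first login:", fo.authenticate(answers.get, now=0))     # 4 tries on primary, 40 s lost
    print("second login:", fo.authenticate(answers.get, now=60))   # primary skipped, 0 s lost
```

With the page's values (timeout 10, retransmit 4) the first login waits 40 seconds before the backup server is asked; a deadtime of 5 minutes makes every further login during that window go straight to the backup.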

Clearing RADIUS Servers


To clear one or more RADIUS servers, perform this task in privileged mode:

Step 1  Specify the IP address of the RADIUS server to clear from the configuration. Enter the all keyword to clear all of the servers from the configuration.
        Command: clear radius server [ip_addr | all]
Step 2  Verify the RADIUS server configuration.
        Command: show radius

This example shows how to clear a single RADIUS server from the configuration:
Console> (enable) clear radius server 172.20.52.3
172.20.52.3 cleared from radius server table.
Console> (enable)

This example shows how to clear all RADIUS servers from the configuration:
Console> (enable) clear radius server all
All radius servers cleared from radius server table.
Console> (enable)

Clearing the RADIUS Key


To clear the RADIUS key, perform this task in privileged mode:

Step 1  Clear the RADIUS key.
        Command: clear radius key
Step 2  Verify the RADIUS configuration.
        Command: show radius

This example shows how to clear the RADIUS key and verify the configuration:
Console> (enable) clear radius key
Radius key cleared.
Console> (enable) show radius
Login Authentication:   Console Session   Telnet Session
---------------------   ----------------  ----------------
tacacs                  disabled          disabled
radius                  disabled          disabled
local                   enabled(primary)  enabled(primary)

Enable Authentication:  Console Session   Telnet Session
----------------------  ----------------  ----------------
tacacs                  disabled          disabled
radius                  disabled          disabled
local                   enabled(primary)  enabled(primary)

Radius Deadtime: 0 minutes
Radius Key:
Radius Retransmit: 2
Radius Timeout: 5 seconds

Radius-Server                 Status   Auth-port
----------------------------  -------  ------------
172.20.52.3                   primary  1812
Console> (enable)

Disabling RADIUS Authentication


If local authentication is disabled and RADIUS is the only login method enabled, disabling RADIUS
authentication reenables local authentication automatically, so the switch is never left with no way to
log in.
To disable RADIUS authentication, perform this task in privileged mode:

Step 1  Disable RADIUS authentication for login mode.
        Command: set authentication login radius disable [all | console | http | telnet]
Step 2  Disable RADIUS authentication for enable mode.
        Command: set authentication enable radius disable [all | console | http | telnet]
Step 3  Verify the RADIUS configuration.
        Command: show authentication

This example shows how to disable RADIUS authentication:


Console> (enable) set authentication login radius disable
radius login authentication set to disable for console and telnet session.
Console> (enable) set authentication enable radius disable
radius enable authentication set to disable for console and telnet session.
Console> (enable) show authentication
Login Authentication:   Console Session   Telnet Session
---------------------   ----------------  ----------------
tacacs                  disabled          disabled
radius                  disabled          disabled
local                   enabled(primary)  enabled(primary)

Enable Authentication:  Console Session   Telnet Session
----------------------  ----------------  ----------------
tacacs                  disabled          disabled
radius                  disabled          disabled
local                   enabled(primary)  enabled(primary)
Console> (enable)


Configuring Kerberos Authentication


These sections describe how to configure Kerberos authentication on the switch:
• Configuring a Kerberos Server, page 21-31
• Enabling Kerberos, page 21-32
• Defining the Kerberos Local Realm, page 21-33
• Specifying a Kerberos Server, page 21-33
• Mapping a Kerberos Realm to a Host Name or DNS Domain, page 21-34
• Copying SRVTAB Files, page 21-34
• Deleting an SRVTAB Entry, page 21-35
• Enabling Credentials Forwarding, page 21-36
• Disabling Credentials Forwarding, page 21-37
• Defining and Clearing a Private DES Key, page 21-38
• Encrypting a Telnet Session, page 21-38
• Displaying and Clearing Kerberos Configurations, page 21-39

Configuring a Kerberos Server


Before you can use Kerberos as an authentication method on the switch, you need to configure the
Kerberos server. You will need to create a database for the KDC and add the switch to the database.

Note Kerberos authentication requires that NTP is enabled, because Kerberos tickets and authenticators
carry timestamps and the KDC rejects requests from a client whose clock is skewed. Additionally, we
recommend that you enable DNS.

To configure the Kerberos server, perform this procedure:

Step 1 Before you can enter the switch in the Kerberos server's key table, you must create the database the KDC
will use. In the following example, a database for the realm CISCO.EDU is created (the -s option also
writes the stash file from which the KDC reads its master key):
  /usr/local/sbin/kdb5_util create -r CISCO.EDU -s

Step 2 Add the switch to the database. The following example, entered in kadmin.local (ank is its alias for
add_principal), adds a switch called Cat6509 to the CISCO.EDU database:
  ank host/[email protected]

Step 3 Add the user principal as follows:
  ank [email protected]

Step 4 Add the administrative principals as follows:
  ank user1/[email protected]

Step 5 Using the kadmin.local ktadd command, extract the switch's key into a keytab file as follows:
  ktadd host/[email protected]

Step 6 Move the keytab file to a place where the switch can reach it.

Step 7 Start the KDC server as follows:
  /usr/local/sbin/krb5kdc
  /usr/local/sbin/kadmind

Enabling Kerberos
To enable Kerberos authentication, perform this task in privileged mode:

Step 1  Specify Kerberos as the authentication method.
        Command: set authentication login kerberos enable [all | console | http | telnet] [primary]
Step 2  Verify the configuration.
        Command: show authentication

This example shows how to enable Kerberos as the login authentication method for Telnet and verify
the configuration:
kerberos> (enable) set authentication login kerberos enable telnet
kerberos login authentication set to enable for telnet session.
kerberos> (enable) show authentication
Login Authentication:   Console Session   Telnet Session
---------------------   ----------------  ----------------
tacacs                  disabled          disabled
radius                  disabled          disabled
kerberos                disabled          enabled(primary)
local                   enabled(primary)  enabled

Enable Authentication:  Console Session   Telnet Session
----------------------  ----------------  ----------------
tacacs                  disabled          disabled
radius                  disabled          disabled
kerberos                disabled          enabled(primary)
local                   enabled(primary)  enabled
kerberos> (enable)

This example shows how to enable Kerberos as the login authentication method for the console and
verify the configuration:
kerberos> (enable) set authentication login kerberos enable console
kerberos login authentication set to enable for console session.
kerberos> (enable) show authentication
Login Authentication:   Console Session   Telnet Session
---------------------   ----------------  ----------------
tacacs                  disabled          disabled
radius                  disabled          disabled
kerberos                enabled(primary)  enabled(primary)
local                   enabled           enabled

Enable Authentication:  Console Session   Telnet Session
----------------------  ----------------  ----------------
tacacs                  disabled          disabled
radius                  disabled          disabled
kerberos                enabled(primary)  enabled(primary)
local                   enabled           enabled
kerberos> (enable)


Defining the Kerberos Local Realm


The Kerberos realm is a domain consisting of users, hosts, and network services that are registered to a
Kerberos server. To authenticate a user defined in the Kerberos database, the switch must know the host
name or IP address of the host running the KDC and the name of the Kerberos realm.
To configure the switch to authenticate to the KDC in a specified Kerberos realm, perform this task in
privileged mode:

Define the default realm for the switch.
        Command: set kerberos local-realm kerberos_realm

Note Kerberos realm names are case sensitive. Make sure the realm is entered in uppercase letters; Kerberos
will not authenticate users if the realm is entered in lowercase letters.

This example shows how to define a local realm and how to verify the configuration:
kerberos> (enable) set kerberos local-realm CISCO.COM
Kerberos local realm for this switch set to CISCO.COM.
kerberos> (enable) show kerberos
Kerberos Local Realm:CISCO.COM
Kerberos server entries:
Realm:CISCO.COM, Server:187.0.2.1, Port:750

Kerberos Domain<->Realm entries:
Domain:cisco.com, Realm:CISCO.COM

Kerberos Clients NOT Mandatory
Kerberos Credentials Forwarding Enabled
Kerberos Pre Authentication Method set to None
Kerberos config key:
Kerberos SRVTAB Entries
Srvtab Entry 1:host/[email protected] 0 932423923 1 1 8 01;;8>00>50;0=0=0
kerberos> (enable)

Specifying a Kerberos Server


You can specify to the switch which KDC to use in a specific Kerberos realm. Optionally, you can also
specify the port number which the KDC is monitoring. The Kerberos server information you enter is
maintained in a table with one entry for each Kerberos realm. The maximum number of entries in the
table is 100.
To specify the Kerberos server, perform this task in privileged mode:

Step 1  Specify which KDC to use in a given Kerberos realm. Optionally, enter the port number the KDC is monitoring. (The default port number is 750.)
        Command: set kerberos server kerberos_realm {hostname | ip_address} [port]
Step 2  Clear the Kerberos server entry.
        Command: clear kerberos server kerberos_realm {hostname | ip_address} [port]

This example shows how to specify which Kerberos server will serve as the KDC for the specified
Kerberos realm and how to clear the entry:
kerberos> (enable) set kerberos server CISCO.COM 187.0.2.1 750
Kerberos Realm-Server-Port entry set to:CISCO.COM - 187.0.2.1 - 750
kerberos> (enable)

Console> (enable) clear kerberos server CISCO.COM 187.0.2.1 750
Kerberos Realm-Server-Port entry CISCO.COM-187.0.2.1-750 deleted
Console> (enable)

Mapping a Kerberos Realm to a Host Name or DNS Domain


Optionally, you can map a host name or domain name system (DNS) domain to a Kerberos realm.
To map a Kerberos realm to either a host name or DNS domain, perform this task in privileged mode:

Step 1  (Optional) Map a host name or DNS domain to a Kerberos realm.
        Command: set kerberos realm {dns_domain | host} kerberos_realm
Step 2  Clear the Kerberos realm domain or host mapping entry.
        Command: clear kerberos realm {dns_domain | host} kerberos_realm

This example shows how to map a Kerberos realm to a DNS domain and how to clear the entry:
Console> (enable) set kerberos realm CISCO CISCO.COM
Kerberos DnsDomain-Realm entry set to CISCO - CISCO.COM
Console> (enable)

Console> (enable) clear kerberos realm CISCO CISCO.COM
Kerberos DnsDomain-Realm entry CISCO - CISCO.COM deleted
Console> (enable)

Copying SRVTAB Files


To make it possible for remote users to authenticate to the switch using Kerberos credentials, the switch
must share a key with the KDC. To allow this configuration, you must give the switch a copy of the file
stored in the KDC that contains the key. These files are called SRVTAB files on the switch and
KEYTAB files on the servers.
The most secure method to copy SRVTAB files to the hosts in your Kerberos realm is to copy them onto
physical media and go to each host in turn and manually copy the files onto the system. To copy
SRVTAB files to a switch that does not have a physical media drive, you must transfer them through the
network by using the Trivial File Transfer Protocol (TFTP). TFTP provides no authentication or
encryption, and the file carries the switch's long-term Kerberos key, so perform the transfer only over a
trusted management network and remove the file from the TFTP server afterward.
When you copy the SRVTAB file from the KDC to the switch, the switch parses the information in this
file and stores it in the running configuration in the Kerberos SRVTAB entry format. If you enter the
SRVTAB directly into the switch, create an entry for each Kerberos principal (service) on the switch.
The entries are maintained in the SRVTAB table. The maximum size of the table is 20 entries.


To remotely copy SRVTAB files to the switch from the KDC, perform this task in privileged mode:

Step 1  Retrieve a specified SRVTAB file from the KDC.
        Command: set kerberos srvtab remote {hostname | ip_address} filename
Step 2  (Optional) Enter the SRVTAB directly into the switch.
        Command: set kerberos srvtab entry kerberos_principal principal_type timestamp key_version_number key_type key_length encrypted_keytab

This example shows how to retrieve an SRVTAB file from the KDC, enter an SRVTAB directly into the
switch, and verify the configuration:
kerberos> (enable) set kerberos srvtab remote 187.20.32.10 /users/jdoe/krb5/ninerskeytab
kerberos> (enable)

kerberos> (enable) set kerberos srvtab entry host/[email protected] 0 932423923 1 1 8 03;;5>00>50;0=0=0
Kerberos SRVTAB entry set to
Principal:host/[email protected]
Principal Type:0
Timestamp:932423923
Key version number:1
Key type:1
Key length:8
Encrypted key tab:03;;5>00>50;0=0=0

kerberos> (enable) show kerberos
Kerberos Local Realm:CISCO.COM
Kerberos server entries:
Realm:CISCO.COM, Server:187.0.2.1, Port:750
Realm:CISCO.COM, Server:187.20.2.1, Port:750

Kerberos Domain<->Realm entries:
Domain:cisco.com, Realm:CISCO.COM

Kerberos Clients NOT Mandatory
Kerberos Credentials Forwarding Enabled
Kerberos Pre Authentication Method set to None
Kerberos config key:
Kerberos SRVTAB Entries
Srvtab Entry 1:host/[email protected] 0 932423923 1 1 8 03;;5>00>50;0=0=0
Srvtab Entry 2:host/[email protected] 0 933974942 1 1 8 00?58:127:223=:;9
Console> (enable)

Deleting an SRVTAB Entry


To delete an SRVTAB entry, perform this task in privileged mode:

Delete the SRVTAB entry for a particular Kerberos principal.
        Command: clear kerberos srvtab entry kerberos_principal principal_type

This example shows how to delete an SRVTAB entry:
kerberos> (enable) clear kerberos srvtab entry host/[email protected] 0
kerberos> (enable)

Enabling Credentials Forwarding


A user authenticated to a Kerberized switch has a TGT and can use it to authenticate to a host on the
network. However, if forwarding is not enabled and a user tries to list credentials after authenticating to
a host, the output will show no Kerberos credentials present.
To enable credentials forwarding, configure the switch to forward user TGTs when they authenticate
from the switch to Kerberized remote hosts on the network using Kerberized Telnet.
As an additional layer of security, you can configure the switch so that after users authenticate to it, these
users can authenticate only to other services on the network with Kerberized clients. If you do not make
Kerberos authentication mandatory and Kerberos authentication fails, the application attempts to
authenticate users using the default method of authentication for that network service. For example,
Telnet prompts for a password.
To configure clients to forward user credentials as they connect to other hosts in the Kerberos realm,
perform this task in privileged mode:

Step 1  Set all clients to forward user credentials upon successful Kerberos authentication.
        Command: set kerberos credentials forward
Step 2  (Optional) Configure Telnet to fail if clients cannot authenticate to the remote server.
        Command: set kerberos clients mandatory

This example shows how to configure clients to forward user credentials and verify the configuration:
kerberos> (enable) set kerberos credentials forward
Kerberos credentials forwarding enabled
kerberos> (enable) show kerberos
Kerberos Local Realm:CISCO.COM
Kerberos server entries:
Realm:CISCO.COM, Server:187.0.2.1, Port:750
Realm:CISCO.COM, Server:187.20.2.1, Port:750

Kerberos Domain<->Realm entries:
Domain:cisco.com, Realm:CISCO.COM

Kerberos Clients NOT Mandatory
Kerberos Credentials Forwarding Enabled
Kerberos Pre Authentication Method set to None
Kerberos config key:
Kerberos SRVTAB Entries
Srvtab Entry 1:host/[email protected] 0 933974942 1 1 8 00?91:107:423=:;9
kerberos> (enable)

This example shows how to configure the switch so that Kerberos clients are mandatory for users to
authenticate to other network services:
Console> (enable) set kerberos clients mandatory
Kerberos clients set to mandatory
Console> (enable)


Disabling Credentials Forwarding


To clear the credentials forwarding configuration, perform this task in privileged mode:

Clear the credentials forwarding configuration.
        Command: clear kerberos credentials forward

This example shows how to clear the credentials forwarding configuration and verify the change:
Console> (enable) clear kerberos credentials forward
Kerberos credentials forwarding disabled
Console> (enable) show kerberos
Kerberos Local Realm not configured
Kerberos server entries:

Kerberos Domain<->Realm entries:

Kerberos Clients NOT Mandatory
Kerberos Credentials Forwarding Disabled
Kerberos Pre Authentication Method set to None
Kerberos config key:
Kerberos SRVTAB Entries
Console> (enable)

To clear the Kerberos clients mandatory configuration, perform this task in privileged mode:

Clear the Kerberos clients mandatory configuration.
        Command: clear kerberos clients mandatory

This example shows how to clear the clients mandatory configuration and verify the change:
Console> (enable) clear kerberos clients mandatory
Kerberos clients mandatory cleared
Console> (enable) show kerberos
Kerberos Local Realm not configured
Kerberos server entries:

Kerberos Domain<->Realm entries:

Kerberos Clients NOT Mandatory
Kerberos Credentials Forwarding Disabled
Kerberos Pre Authentication Method set to None
Kerberos config key:
Kerberos SRVTAB Entries
Console> (enable)


Defining and Clearing a Private DES Key


You can define a private DES key for the switch. The private DES key can be used to encrypt the secret
key that the switch shares with the KDC so that when the show kerberos command is executed, the
secret key is not displayed in clear text. The key length should be eight characters or less. Note that
show kerberos displays the config key itself (see the example below), so this protects the SRVTAB key
only from casual disclosure; anyone who can read the full configuration can recover the shared key.
To define a DES key, perform this task in privileged mode:

Define a DES key for the switch.
        Command: set key config-key string

This example shows how to define a DES key and verify the configuration:
kerberos> (enable) set key config-key abcd
Kerberos config key set to abcd
kerberos> (enable) show kerberos
Kerberos Local Realm:CISCO.COM
Kerberos server entries:
Realm:CISCO.COM, Server:170.20.2.1, Port:750
Realm:CISCO.COM, Server:172.20.2.1, Port:750

Kerberos Domain<->Realm entries:
Domain:cisco.com, Realm:CISCO.COM

Kerberos Clients Mandatory
Kerberos Credentials Forwarding Disabled
Kerberos Pre Authentication Method set to Encrypted Unix Time Stamp
Kerberos config key:abcd
Kerberos SRVTAB Entries
Srvtab Entry 1:host/[email protected] 0 933974942 1 1 8 12151><88?=>>3>11
kerberos> (enable)

To clear the DES key, perform this task in privileged mode:

Clear a DES key from the switch.
        Command: clear key config-key string

This example shows how to clear the DES key:
Console> (enable) clear key config-key
Kerberos config key cleared
Console> (enable)

Encrypting a Telnet Session


After a user authenticates to the switch using Kerberos and wants to Telnet to another switch or host,
whether or not this will be a Kerberized Telnet depends on the authentication method that the Telnet
server uses. If the Telnet server uses Kerberos for authentication, you can choose to have all the
application data packets encrypted for the duration of the Telnet session. To encrypt the Telnet session,
select the encrypt kerberos option in the telnet command.


To encrypt a Telnet session, perform this task:

Encrypt a Telnet session.
        Command: telnet encrypt kerberos host

This example shows how to configure a Telnet session for Kerberos authentication and encryption:
Console> (enable) telnet encrypt kerberos

Displaying and Clearing Kerberos Configurations


These commands can be used to display and clear Kerberos configurations on the switch:
• show kerberos
• show kerberos creds
• clear kerberos creds
To display the Kerberos configuration, perform this task in privileged mode:

Task Command
Display the Kerberos configuration. show kerberos

This example shows how to display the Kerberos configuration:


kerberos> (enable) show kerberos
Kerberos Local Realm:CISCO.COM
Kerberos server entries:
Realm:CISCO.COM, Server:187.0.2.1, Port:750
Realm:CISCO.COM, Server:187.20.2.1, Port:750

Kerberos Domain<->Realm entries:


Domain:cisco.com, Realm:CISCO.COM
Kerberos Clients NOT Mandatory
Kerberos Credentials Forwarding Enabled
Kerberos Pre Authentication Method set to None
Kerberos config key:
Kerberos SRVTAB Entries
Srvtab Entry 1:host/[email protected] 0 932423923 1 1 8 03;;5>00>50;0=0=0
Srvtab Entry 2:host/[email protected] 0 933974942 1 1 8 00?58:127:223=:;9
kerberos> (enable)

To display the Kerberos credentials, perform this task in privileged mode:

Task Command
Display the Kerberos credentials. show kerberos creds

This example shows how to display the Kerberos credentials:


Console> (enable) show kerberos creds
No Kerberos credentials.
Console> (enable)


To clear all Kerberos credentials, perform this task in privileged mode:

Task Command
Clear all credentials. clear kerberos creds

This example shows how to clear all Kerberos credentials from the switch:
Console> (enable) clear kerberos creds
Console> (enable)

Configuring 802.1x Authentication


These sections describe how to configure 802.1x authentication on the switch:
• Enabling 802.1x Globally, page 21-40
• Disabling 802.1x Globally, page 21-41
• Enabling and Initializing 802.1x Authentication for Individual Ports, page 21-41
• Setting and Enabling Automatic Reauthentication of the Supplicant, page 21-42
• Manually Reauthenticating the Supplicant, page 21-42
• Enabling Multiple Hosts, page 21-43
• Disabling Multiple Hosts, page 21-43
• Setting the Quiet Period, page 21-43
• Setting the Authenticator-to-Supplicant Retransmission Time for EAP-Request/Identity Frames,
page 21-44
• Setting the Back-End Authenticator-to-Supplicant Retransmission Time for EAP-Request Frames,
page 21-44
• Setting the Back-End Authenticator-to-Authentication-Server Retransmission Time for Transport
Layer Packets, page 21-45
• Setting the Back-End Authenticator-to-Supplicant Frame-Retransmission Number, page 21-45
• Resetting the 802.1x Configuration Parameters to the Default Values, page 21-45
• Using the show Commands, page 21-46

Enabling 802.1x Globally


You must enable 802.1x authentication for the entire system before configuring it for individual ports.
After you globally enable 802.1x authentication, you can configure individual ports for 802.1x
authentication if they meet the requirements of 802.1x. To enable 802.1x
authentication for individual ports, see the “Enabling and Initializing 802.1x Authentication for
Individual Ports” section on page 21-41.
To globally enable 802.1x authentication, perform this task in privileged mode:

Task Command
Globally enable 802.1x. set dot1x system-auth-control enable


This example shows how to globally enable 802.1x authentication:


Console> (enable) set dot1x system-auth-control enable
dot1x system-auth-control enabled.

Disabling 802.1x Globally


When 802.1x authentication is enabled for the entire system, you can disable it globally. When 802.1x
authentication is disabled globally, it is no longer available at any port, even ports that were previously
configured for it.
To globally disable 802.1x authentication, perform this task in privileged mode:

Task Command
Globally disable 802.1x. set dot1x system-auth-control disable

This example shows how to globally disable 802.1x authentication:


Console> (enable) set dot1x system-auth-control disable
dot1x system-auth-control disabled.

Enabling and Initializing 802.1x Authentication for Individual Ports


After 802.1x authentication is globally enabled, you must enable and initialize 802.1x authentication
from the console for individual ports. To globally enable 802.1x authentication, see the “Enabling 802.1x
Globally” section on page 21-40.

Note You must specify at least one RADIUS server before you can enable 802.1x authentication on the
switch. For information on specifying a RADIUS server, see the “Specifying RADIUS Servers”
section on page 21-24.

To enable and initialize 802.1x authentication for access to the switch, perform this task in privileged
mode:

Task Command
Step 1 Enable 802.1x control on a specific port. set port dot1x mod/port port-control auto
Step 2 Initialize 802.1x on the same port. set port dot1x mod/port initialize
Step 3 Verify the 802.1x configuration. show port dot1x mod/port

This example shows how to enable 802.1x authentication on port 1 in module 4, initialize 802.1x
authentication on the same port, and verify the configuration:
Console> (enable) set port dot1x 4/1 port-control auto
Port 4/1 dot1x port-control is set to auto.
Trunking disabled for port 4/1 due to Dot1x feature.
Spantree port fast start option enabled for port 4/1.
Console> (enable) set port dot1x 4/1 initialize
Port 4/1 initializing...
Port 4/1 dot1x initialization complete.


Console> (enable) show port dot1x 4/1


Port Auth-State BEnd-State Port-Control Port-Status
----- ------------------- ---------- ------------------- -------------
4/1 connecting finished auto unauthorized
Port Multiple-Host Re-authentication
----- ------------- -----------------
4/1 disabled disabled

Setting and Enabling Automatic Reauthentication of the Supplicant


You can specify how often 802.1x authentication reauthenticates the supplicant if you do so before you
enable automatic 802.1x supplicant reauthentication. If you do not specify a time period before you
enable supplicant reauthentication, 802.1x defaults to 3,600 seconds (valid values are from 1 to
65,535 seconds).
Automatic 802.1x supplicant reauthentication can be enabled for supplicants connected to a specific
port. To manually reauthenticate the supplicant connected to a specific port, see the “Manually
Reauthenticating the Supplicant” section on page 21-42.
To set how often 802.1x authentication reauthenticates the supplicant and enable automatic 802.1x
reauthentication, perform this task in privileged mode:

Task                                                    Command
Step 1  Set the time constant for reauthenticating      set dot1x re-authperiod seconds
        the supplicant.
Step 2  Enable reauthentication.                        set port dot1x re-authentication enable
Step 3  Verify the 802.1x configuration.                show port dot1x mod/port

This example shows how to set automatic reauthentication to 7200 seconds, enable 802.1x
reauthentication, and verify the configuration:
Console> (enable) set dot1x re-authperiod 7200
dot1x re-authperiod set to 7200 seconds
Console> (enable) set port dot1x re-authentication enable
Port 4/1 re-authentication enabled.
Console> (enable) show port dot1x 4/1
Port Auth-State BEnd-State Port-Control Port-Status
----- ------------------- ---------- ------------------- -------------
4/1 connecting finished auto unauthorized
Port Multiple-Host Re-authentication
----- ------------- -----------------
4/1 disabled enabled

Manually Reauthenticating the Supplicant


You can manually reauthenticate the supplicant connected to a specific port at any time. When you want
to configure automatic 802.1x supplicant reauthentication, see the “Setting and Enabling Automatic
Reauthentication of the Supplicant” section on page 21-42.


To manually reauthenticate a supplicant connected to a specific port, perform this task in privileged
mode:

Task                                                    Command
Manually reauthenticate the supplicant connected        set port dot1x mod/port re-authenticate
to a specific port.

This example shows how to manually reauthenticate the supplicant connected to port 1 on module 4:
Console> (enable) set port dot1x 4/1 re-authenticate
Port 4/1 re-authenticating...
dot1x re-authentication successful...
dot1x port 4/1 authorized.

Enabling Multiple Hosts


You can enable a specific port to allow multiple-user access. When a port is enabled for multiple users,
and a supplicant connected to that port is authorized successfully, any host (with any MAC address) is
allowed to send and receive traffic on that port. Connecting multiple hosts to that port through a hub
therefore reduces the security level on that port, because hosts other than the authorized supplicant
are not authenticated themselves.
To enable multiple-user access on a specific port, perform this task in privileged mode:

Task Command
Enable multiple hosts on a specific port. set port dot1x mod/port multiple-host enable

This example shows how to enable access for multiple hosts on port 1 on module 4:
Console> (enable) set port dot1x 4/1 multiple-host enable
Port 4/1 multiple hosts allowed.

Disabling Multiple Hosts


You can disable multiple-user access on any port where it is enabled.
To disable multiple-user access on a specific port, perform this task in privileged mode:

Task Command
Disable multiple hosts on a specific port. set port dot1x mod/port multiple-host disable

This example shows how to disable access for multiple hosts on port 1 on module 4:
Console> (enable) set port dot1x 4/1 multiple-host disable
Port 4/1 multiple hosts not allowed.

Setting the Quiet Period


When the authenticator cannot authenticate the supplicant, it remains idle for a set period of time, and
then tries again. The idle time is determined by the quiet-period value. (The default is 60 seconds.) You
may set the value from 0 to 65535 seconds.


To set the value for the quiet period, perform this task in privileged mode:

Task Command
Set the quiet-period value. set dot1x quiet-period seconds

This example shows how to set the quiet period to 45 seconds:


Console> (enable) set dot1x quiet-period 45
dot1x quiet-period set to 45 seconds.

Setting the Authenticator-to-Supplicant Retransmission Time for EAP-Request/Identity Frames


The supplicant notifies the authenticator that it received the EAP-request/identity frame. When the
authenticator does not receive this notification, the authenticator waits a set period of time, and then
retransmits the frame. You may set the amount of time that the authenticator waits for notification from
1 to 65535 seconds. (The default is 30 seconds.)
To set the authenticator-to-supplicant retransmission time for the EAP-request/identity frames, perform
this task in privileged mode:

Task                                                    Command
Set the authenticator-to-supplicant retransmission      set dot1x tx-period seconds
time for EAP-request/identity frames.

This example shows how to set the authenticator-to-supplicant retransmission time for the
EAP-request/identity frame to 15 seconds:
Console> (enable) set dot1x tx-period 15
dot1x tx-period set to 15 seconds.

Setting the Back-End Authenticator-to-Supplicant Retransmission Time for EAP-Request Frames


The supplicant notifies the back-end authenticator that it received the EAP-request frame. When the
back-end authenticator does not receive this notification, the back-end authenticator waits a set period
of time, and then retransmits the frame. You may set the amount of time that the back-end authenticator
waits for notification from 1 to 65535 seconds. (The default is 30 seconds.)
To set the back-end authenticator-to-supplicant retransmission time for the EAP-request frames,
perform this task in privileged mode:

Task                                                    Command
Set the back-end authenticator-to-supplicant            set dot1x supp-timeout seconds
retransmission time for the EAP-request frame.

This example shows how to set the back-end authenticator-to-supplicant retransmission time for the
EAP-request frame to 15 seconds:
Console> (enable) set dot1x supp-timeout 15
dot1x supp-timeout set to 15 seconds.


Setting the Back-End Authenticator-to-Authentication-Server Retransmission Time for Transport Layer Packets


The authentication server notifies the back-end authenticator each time it receives a transport layer
packet. When the back-end authenticator does not receive a notification after sending a packet, the
back-end authenticator waits a set period of time, and then retransmits the packet. You may set the
amount of time that the back-end authenticator waits for notification from 1 to 65535 seconds. (The
default is 30 seconds.)
To set the value for the retransmission of transport layer packets from the back-end authenticator to the
authentication server, perform this task in privileged mode:

Task                                                    Command
Set the back-end authenticator-to-authentication-       set dot1x server-timeout seconds
server retransmission time for transport layer
packets.

This example shows how to set the value for the retransmission time for transport layer packets sent from
the back-end authenticator to the authentication server to 15 seconds:
Console> (enable) set dot1x server-timeout 15
dot1x server-timeout set to 15 seconds.

Setting the Back-End Authenticator-to-Supplicant Frame-Retransmission Number


The authentication server notifies the back-end authenticator each time it receives a specific number of
frames. When the back-end authenticator does not receive this notification after sending the frames, the
back-end authenticator waits a set period of time, and then retransmits the frames. You may set the
number of frames that the back-end authenticator retransmits from 1 to 10 (the default is 2).
To set the number of frames retransmitted from the back-end authenticator to the supplicant, perform
this task in privileged mode:

Task                                                    Command
Set the back-end authenticator-to-supplicant            set dot1x max-req count
frame-retransmission number.

This example shows how to set the number of retransmitted frames sent from the back-end authenticator
to the supplicant to 4:
Console> (enable) set dot1x max-req 4
dot1x max-req set to 4.

Resetting the 802.1x Configuration Parameters to the Default Values


You can reset the 802.1x configuration parameters to the default values with a single command, which
also globally disables 802.1x.


To reset the 802.1x configuration parameters to the default values, perform this task in privileged mode:

Task                                                    Command
Step 1  Reset the 802.1x configuration parameters to    clear dot1x config
        the default values and globally disable 802.1x.
Step 2  Verify the 802.1x configuration.                show dot1x

This example shows how to reset the 802.1x configuration parameters to the default values and verify
the configuration:
Console> (enable) clear dot1x config
This command will disable dot1x on all ports and take dot1x parameter values back to
factory defaults.
Do you want to continue (y/n) [n]?
Console> (enable) show dot1x
PAE Capability Authenticator Only
Protocol Version 1
system-auth-control enabled
max-req 2
quiet-period 60 seconds
re-authperiod 3600 seconds
server-timeout 30 seconds
supp-timeout 30 seconds
tx-period 30 seconds

Using the show Commands


You can use these show commands to access information about 802.1x authentication and its
configuration:
• show port dot1x help
• show port dot1x
• show port dot1x statistics
• show dot1x
To display the usage options for the show port dot1x command, perform this task in normal mode:

Task                                                    Command
Display the usage options for the show port dot1x       show port dot1x help
command.

This example shows how to display the usage options for the show port dot1x command:

Console> (enable) show port dot1x help
Usage: show port dot1x [<mod[/port]>]
       show port dot1x statistics [<mod[/port]>]


To display the values for all the parameters associated with the authenticator PAE and back-end
authenticator on a specific port on a specific module, perform this task in normal mode:

Task                                                    Command
Display the values for all configurable and current     show port dot1x mod/port
state parameters associated with the authenticator
PAE and back-end authenticator on a specific port
on a specific module.

This example shows how to display the values for all the parameters associated with the authenticator
PAE and back-end authenticator on port 1 on module 4:
Console> (enable) show port dot1x 4/1
Port Auth-State BEnd-State Port-Control Port-Status
----- ------------------- ---------- ------------------- -------------
4/1 connecting finished auto unauthorized
Port Multiple-Host Re-authentication
----- ------------- -----------------
4/1 disabled enabled

To display the statistics for the different types of EAP frames transmitted and received by the
authenticator on a specific port on a specific module, perform this task in normal mode:

Task                                                    Command
Display the statistics for the different types of       show port dot1x statistics mod/port
EAP frames transmitted and received by the
authenticator on a specific port on a specific
module.

This example shows how to display the statistics for the different types of EAP frames transmitted and
received by the authenticator on port 1 on module 4:
Console> (enable) show port dot1x statistics 4/1
Port Tx_Req/Id Tx_Req Tx_Total Rx_Start Rx_Logoff Rx_Resp/Id Rx_Resp
----- --------- ------ -------- -------- --------- ---------- -------
4/1 97 0 97 0 0 0 0
Port Rx_Invalid Rx_Len_Err Rx_Total Last_Rx_Frm_Ver Last_Rx_Frm_Src_Mac
----- ---------- ---------- -------- --------------- -------------------
4/1 0 0 0 0 00-00-00-00-00-00

To display the global 802.1x parameters, perform this task in normal mode:

Task                                                    Command
Display the PAE capabilities, protocol version,         show dot1x
system-auth-control, and other global dot1x
parameters.


This example shows how to display the global 802.1x parameters:


Console> (enable) show dot1x
PAE Capability Authenticator Only
Protocol Version 1
system-auth-control enabled
max-req 2
quiet-period 60 seconds
re-authperiod 3600 seconds
server-timeout 30 seconds
supp-timeout 30 seconds
tx-period 30 seconds
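As an added example, not part of this guide or of the switch software, the following Python script parses the show port dot1x and show dot1x displays described in this section and reports settings that weaken 802.1x on a port: multiple-host enabled, re-authentication disabled, a quiet period of 0, or 802.1x disabled globally. The sample output is constructed; the Auth-State, BEnd-State and Port-Status values that do not appear in this chapter (authenticated, idle, authorized) are assumed.

```python
import re
from typing import Dict, List

# Constructed sample output modelled on the "show port dot1x" and "show dot1x"
# displays in this chapter; it was not captured from a switch. The Auth-State,
# BEnd-State and Port-Status values for ports 4/1 and 4/3 are assumed.
SHOW_PORT_DOT1X = """\
Port  Auth-State          BEnd-State Port-Control        Port-Status
----- ------------------- ---------- ------------------- -------------
4/1   authenticated       idle       auto                authorized
4/2   connecting          finished   auto                unauthorized
4/3   authenticated       idle       auto                authorized
Port  Multiple-Host Re-authentication
----- ------------- -----------------
4/1   disabled      enabled
4/2   enabled       disabled
4/3   disabled      disabled
"""

SHOW_DOT1X = """\
PAE Capability Authenticator Only
Protocol Version 1
system-auth-control enabled
max-req 2
quiet-period 0 seconds
re-authperiod 3600 seconds
server-timeout 30 seconds
supp-timeout 30 seconds
tx-period 30 seconds
"""


def parse_port_tables(text: str) -> Dict[str, Dict[str, str]]:
    """Merge the tables of 'show port dot1x' into one dict per port.

    Each table starts with a header line whose first column is 'Port', followed
    by a dashed separator line and one row per port. Column names are lowered
    so they can be used as keys ('multiple-host', 'port-status', ...).
    """
    ports: Dict[str, Dict[str, str]] = {}
    columns: List[str] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "Port":
            columns = [name.lower() for name in tokens[1:]]
            continue
        if tokens[0].startswith("-") or not columns:
            continue
        if len(tokens) != len(columns) + 1:
            raise ValueError(f"row does not match header: {line!r}")
        ports.setdefault(tokens[0], {}).update(zip(columns, tokens[1:]))
    return ports


def parse_global(text: str) -> Dict[str, str]:
    """Pick the lowercase 'name value' parameters out of 'show dot1x'."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        match = re.match(r"^([a-z][a-z-]+)\s+(\S+)", line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def audit(port_text: str, global_text: str) -> List[str]:
    """Return one finding per setting that weakens 802.1x port security."""
    findings: List[str] = []
    params = parse_global(global_text)
    if params.get("system-auth-control") != "enabled":
        findings.append("global: system-auth-control is not enabled, so 802.1x is "
                        "inactive on every port")
    if params.get("quiet-period") == "0":
        findings.append("global: quiet-period is 0, so there is no hold-off after a "
                        "failed authentication")
    for port, state in sorted(parse_port_tables(port_text).items()):
        if state.get("multiple-host") == "enabled":
            findings.append(f"{port}: multiple-host enabled, any MAC address may "
                            "send traffic once one supplicant is authorized")
        if state.get("re-authentication") != "enabled":
            findings.append(f"{port}: re-authentication disabled, an authorized "
                            "supplicant is never re-checked")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_PORT_DOT1X, SHOW_DOT1X):
        print(finding)
```

Feed it the real displays captured from the switch to audit every 802.1x port at once; a port that reports no finding has multiple-host disabled and periodic reauthentication enabled.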

Authentication Example
Figure 21-3 shows a simple network topology using TACACS+.
In this example, TACACS+ authentication is enabled and local authentication is disabled for both login
and enable access to the switch for all Telnet connections. When Workstation A attempts to connect to
the switch, the user is challenged for a TACACS+ username and password.
However, only local authentication is enabled for both login and enable access on the console port. Any
user with access to the directly connected terminal can access the switch using the login and enable
passwords.

Figure 21-3 TACACS+ Example Network Topology (figure not reproduced: a TACACS+ server at 172.20.52.10, the switch, a terminal on the console port connection, and Workstation A)

This example shows how to configure the switch so that TACACS+ authentication is enabled for Telnet
connections, local authentication is enabled for console connections, and a TACACS+ encryption key
is specified:
Console> (enable) show tacacs
Tacacs key:
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled

Tacacs-Server Status
---------------------------------------- -------
Console> (enable) set tacacs server 172.20.52.10
172.20.52.10 added to TACACS server table as primary server.


Console> (enable) set tacacs key tintin_et_milou
The tacacs key has been set to tintin_et_milou.
Console> (enable) set authentication login tacacs enable telnet
tacacs login authentication set to enable for telnet session.
Console> (enable) set authentication enable tacacs enable telnet
tacacs enable authentication set to enable for telnet session.
Console> (enable) set authentication login local disable telnet
local login authentication set to disable for telnet session.
Console> (enable) set authentication enable local disable telnet
local enable authentication set to disable for telnet session.
Console> (enable) show tacacs
Tacacs key: tintin_et_milou
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled

Tacacs-Server Status
---------------------------------------- -------
172.20.52.10 primary
Console> (enable)

Understanding How Authorization Works


These sections describe how authorization works:
• Authorization Overview, page 21-49
• Authorization Events, page 21-49
• TACACS+ Primary Options and Fallback Options, page 21-50
• TACACS+ Command Authorization, page 21-50
• RADIUS Authorization, page 21-51

Authorization Overview
Catalyst 6000 family switches support TACACS+ and RADIUS authorization. Authorization limits
access to specified users using a dynamically applied access list (or user profile) based on the username
and password pair. The access list resides on the host running the TACACS+ or RADIUS server. The
server responds to the user password information with an access list number that causes the specific list
to be applied.

Authorization Events
You can enable authorization for the following:
• Commands—When you enable the authorization feature for commands, the user must supply a valid
username and password pair to execute certain commands. You can require authorization for all
commands or for configuration (enable mode) commands only. When a user issues a command, the
authorization server receives the command and user information and compares it against an access
list. If the user is authorized to issue that command, the command is executed; otherwise, the
command is not executed.


• EXEC mode (normal login)—When the authorization feature is enabled for EXEC mode, the user
must supply a valid username and password pair to gain access to EXEC mode. Authorization is
required only if you have enabled the authorization feature.
• Enable mode (privileged login)—When the authorization feature is enabled for enable mode, the
user must supply a valid username and password pair to gain access to enable mode. Authorization
is required only if you have enabled the authorization feature for enable mode.

TACACS+ Primary Options and Fallback Options


You can specify the primary option and fallback option used in the authorization process. Available
options and fallback options include the following:
• tacacs+—If you have been authenticated, and there is no response from the TACACS+ server, then
authorization will succeed immediately.
• deny—Deny is strictly a fallback option. Authorization will fail if the TACACS+ server fails to
respond. This is the default behavior.
• if-authenticated—If you have been authenticated, and there is no response from the TACACS+
server, then authorization will succeed immediately.
• none—Authorization will succeed if the TACACS+ server does not respond.

TACACS+ Command Authorization


You can require authorization for all commands or for configuration (enable mode) commands only.
Configuration commands include the following:
• copy
• clear
• commit
• configure
• delete
• download
• format
• reload
• rollback
• session
• set
• squeeze
• switch
• undelete
The following TACACS+ authorization process occurs for every command that you enter:
• If you have disabled the command authorization feature, the TACACS+ server will allow you to
execute any command on the switch.


• If you have enabled authorization for configuration commands only, the switch will verify that the
argument string matches one of the commands listed above. If there is no match, the switch
completes the command. If there is a match, the switch forwards the command to the NAS for
authorization.
• If you have enabled authorization for all commands, the switch forwards the command to the NAS
for authorization.
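As an added example, not code from this guide, the following Python model follows the command-authorization process just described together with the primary and fallback options from the previous section: the switch first decides whether a command is forwarded to the server at all, the server's answer is final when it arrives, and the fallback option decides the outcome when the server does not respond. It assumes the match against the configuration-command list is made on the first keyword of the command line, and the TACACS+ server is replaced by stub functions.

```python
from enum import Enum
from typing import Callable, Optional

# Configuration commands that trigger authorization when only configuration
# commands are authorized (the list given in this section).
CONFIG_COMMANDS = frozenset({
    "copy", "clear", "commit", "configure", "delete", "download", "format",
    "reload", "rollback", "session", "set", "squeeze", "switch", "undelete",
})


class Mode(Enum):
    """Scope of command authorization: set authorization commands {config | all}."""
    DISABLED = "disabled"
    CONFIG = "config"
    ALL = "all"


class Fallback(Enum):
    """Fallback option used when the TACACS+ server does not respond."""
    DENY = "deny"                          # default: authorization fails
    IF_AUTHENTICATED = "if-authenticated"  # succeeds only for an authenticated user
    NONE = "none"                          # succeeds unconditionally


# A server reply is True (permit), False (deny) or None (no response).
ServerReply = Optional[bool]


def needs_server_decision(mode: Mode, command: str) -> bool:
    """Does the switch forward this command to the server at all?

    Assumption (not stated in the guide): the match is made on the first keyword.
    """
    if mode is Mode.DISABLED:
        return False
    if mode is Mode.ALL:
        return True
    words = command.split()
    return bool(words) and words[0] in CONFIG_COMMANDS


def authorize_command(command: str, mode: Mode, fallback: Fallback,
                      authenticated: bool,
                      ask_server: Callable[[str], ServerReply]) -> bool:
    """Return True if the switch executes the command."""
    if not needs_server_decision(mode, command):
        return True
    reply = ask_server(command)
    if reply is not None:          # server answered: its verdict is final
        return reply
    if fallback is Fallback.DENY:  # no answer: the fallback option decides
        return False
    if fallback is Fallback.IF_AUTHENTICATED:
        return authenticated
    return True                    # Fallback.NONE


# Constructed stand-ins for the TACACS+ server (hypothetical): one that permits
# everything except "set" commands for this user, and one that is unreachable.
def reachable_server(command: str) -> ServerReply:
    return not command.startswith("set ")


def unreachable_server(command: str) -> ServerReply:
    return None


if __name__ == "__main__":
    for fb in Fallback:
        ok = authorize_command("set vlan 10", Mode.CONFIG, fb, True, unreachable_server)
        print(f"server down, fallback {fb.value:17} -> {'executed' if ok else 'blocked'}")
```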

RADIUS Authorization
RADIUS has limited authorization. There is one attribute, Service-Type, in the authentication protocol
that provides authorization information. This attribute is part of the user profile.
When you log in using RADIUS authentication and you do not have Administrative/Shell (6)
Service-Type access, the network access server (NAS) authenticates you, and then logs you in to the
EXEC mode. If you have Administrative/Shell (6) Service-Type access, the NAS authenticates you, and
then logs you in to the privileged mode.

Configuring Authorization
These sections describe how to configure authorization:
• TACACS+ Authorization Default Configuration, page 21-51
• TACACS+ Authorization Configuration Guidelines, page 21-51
• Configuring TACACS+ Authorization, page 21-52
• Configuring RADIUS Authorization, page 21-55

TACACS+ Authorization Default Configuration


Table 21-4 shows the TACACS+ default authorization configuration.

Table 21-4 Default Authorization Configuration

Feature Default Value


TACACS+ login authorization (console and Telnet) Disabled
TACACS+ EXEC authorization (console and Telnet) Disabled
TACACS+ enable authorization (console and Telnet) Disabled
TACACS+ commands authorization (console and Telnet) Disabled

TACACS+ Authorization Configuration Guidelines


Follow these guidelines when configuring TACACS+ authorization on the switch:
• TACACS+ authorization is disabled by default.
• Authorization configuration applies to console connections, Telnet connections, or both types of
connections.


• You must specify the mode, option, fallback option, and connection type when enabling
authorization.
• Configure RADIUS and TACACS+ servers before enabling authorization. See the “Specifying
TACACS+ Servers” section on page 21-17 or the “Specifying RADIUS Servers” section on
page 21-24 for more information on server setup.
• Configure RADIUS and TACACS+ keys to encrypt protocol packets before enabling authorization.
See the “Specifying the TACACS+ Key” section on page 21-19 or the “Specifying the RADIUS
Key” section on page 21-24 for more information on the key setup.

Configuring TACACS+ Authorization


These sections describe how to configure TACACS+ authorization on the switch:
• Enabling TACACS+ Authorization, page 21-52
• Disabling TACACS+ Authorization, page 21-53

Enabling TACACS+ Authorization


To enable TACACS+ authorization on the switch, perform this task in privileged mode:

Task                                                      Command
Step 1  Enable authorization for normal mode. Enter the   set authorization exec enable {option}
        console or telnet keyword if you want to enable   {fallbackoption} [console | telnet | both]
        authorization only for console port or Telnet
        connection attempts. Enter the both keyword to
        enable authorization for both console port and
        Telnet connection attempts.
Step 2  Enable authorization for enable mode. Enter the   set authorization enable enable {option}
        console or telnet keyword if you want to enable   {fallbackoption} [console | telnet | both]
        authorization only for console port or Telnet
        connection attempts. Enter the both keyword to
        enable authorization for both console port and
        Telnet connection attempts.
Step 3  Enable authorization of configuration commands.   set authorization commands enable {config |
        Enter the console or telnet keyword if you want   all} {option} {fallbackoption} [console |
        to enable authorization only for console port or  telnet | both]
        Telnet connection attempts. Enter the both
        keyword to enable authorization for both console
        port and Telnet connection attempts.
Step 4  Verify the TACACS+ authorization configuration.   show authorization

This example shows how to enable TACACS+ EXEC mode authorization for both console and Telnet
connections. Authorization is configured with the tacacs+ option. The fallback option is deny:
Console> (enable) set authorization exec enable tacacs+ deny both
Successfully enabled enable authorization.
Console>


This example shows how to enable TACACS+ enable mode authorization for console and Telnet
connections. Authorization is configured with the tacacs+ option. The fallback option is deny:
Console> (enable) set authorization enable enable tacacs+ deny both
Successfully enabled enable authorization.
Console>

This example shows how to enable TACACS+ command authorization for both console and Telnet
connections. Authorization is configured with the tacacs+ option. The fallback option is deny:
Console> (enable) set authorization commands enable config tacacs+ deny both
Successfully enabled commands authorization.
Console> (enable)

This example shows how to verify the configuration:


Console> (enable) show authorization
Telnet:
-------
Primary Fallback
------- --------
exec: tacacs+ deny
enable: tacacs+ deny
commands:
config: tacacs+ deny
all: - -

Console:
--------
Primary Fallback
------- --------
exec: tacacs+ deny
enable: tacacs+ deny
commands:
config: tacacs+ deny
all: - -
Console> (enable)
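As an added example that is not part of this guide, the following Python script parses a show authorization display like the one above and flags, per connection type, any mode whose authorization is disabled or whose fallback option is none or if-authenticated, both of which let a request succeed when the TACACS+ server does not answer. The sample output is constructed to contain such settings.

```python
from typing import Dict, List, Tuple

# Constructed sample in the layout of "show authorization" (not captured from a
# switch): Telnet sessions fall back to none/if-authenticated, console EXEC and
# command authorization are off.
SHOW_AUTHORIZATION = """\
Telnet:
-------
             Primary  Fallback
             -------  --------
exec:        tacacs+  none
enable:      tacacs+  deny
commands:
   config:   tacacs+  if-authenticated
   all:      -        -

Console:
--------
             Primary  Fallback
             -------  --------
exec:        -        -
enable:      tacacs+  deny
commands:
   config:   -        -
   all:      -        -
"""

# (connection type, mode) -> (primary option, fallback option); "-" means not set
Policy = Dict[Tuple[str, str], Tuple[str, str]]

# Fallback options that succeed without a server verdict.
WEAK_FALLBACKS = {"none", "if-authenticated"}


def parse_show_authorization(text: str) -> Policy:
    """Turn the Telnet: and Console: blocks of 'show authorization' into a Policy."""
    policy: Policy = {}
    connection = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("Primary"):
            continue
        if line.endswith(":") and " " not in line:
            # "Telnet:" / "Console:" open a block; "commands:" only groups rows
            if line != "commands:":
                connection = line[:-1]
            continue
        mode, primary, fallback = line.split()
        policy[(connection, mode.rstrip(":"))] = (primary, fallback)
    return policy


def _check(connection: str, mode: str, entry: Tuple[str, str]) -> List[str]:
    primary, fallback = entry
    if primary == "-":
        return [f"{connection}/{mode}: authorization disabled"]
    if fallback in WEAK_FALLBACKS:
        return [f"{connection}/{mode}: fallback '{fallback}' passes the request "
                "when the TACACS+ server does not respond"]
    return []


def audit_authorization(policy: Policy) -> List[str]:
    """Return one finding per connection type and mode that is disabled or weak."""
    findings: List[str] = []
    unset = ("-", "-")
    for connection in sorted({conn for conn, _ in policy}):
        for mode in ("exec", "enable"):
            findings += _check(connection, mode, policy.get((connection, mode), unset))
        # command authorization covers either configuration commands or all commands
        all_entry = policy.get((connection, "all"), unset)
        config_entry = policy.get((connection, "config"), unset)
        scope, entry = ("all", all_entry) if all_entry[0] != "-" else ("config", config_entry)
        findings += _check(connection, f"commands ({scope})", entry)
    return findings


if __name__ == "__main__":
    for finding in audit_authorization(parse_show_authorization(SHOW_AUTHORIZATION)):
        print(finding)
```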

Disabling TACACS+ Authorization


To disable TACACS+ authorization on the switch, perform this task in privileged mode:

Task                                                      Command
Step 1  Disable authorization for normal mode. Enter      set authorization exec disable [console |
        the console or telnet keyword if you want to      telnet | both]
        disable authorization only for console port or
        Telnet connection attempts. Enter the both
        keyword to disable authorization for both
        console port and Telnet connection attempts.
Step 2  Disable authorization for enable mode. Enter      set authorization enable disable [console |
        the console or telnet keyword if you want to      telnet | both]
        disable authorization only for console port or
        Telnet connection attempts. Enter the both
        keyword to disable authorization for both
        console port and Telnet connection attempts.


Step 3  Disable authorization of configuration            set authorization commands disable [console |
        commands. Enter the console or telnet keyword     telnet | both]
        if you want to disable authorization only for
        console port or Telnet connection attempts.
        Enter the both keyword to disable authorization
        for both console port and Telnet connection
        attempts.
Step 4  Verify the TACACS+ authorization configuration.   show authorization

This example shows how to disable TACACS+ EXEC mode authorization for both console and Telnet
connections and how to verify the configuration:
Console> (enable) set authorization exec disable both
Successfully disabled enable authorization.
Console> (enable)

This example shows how to disable TACACS+ enable mode authorization for both console and Telnet
connections and how to verify the configuration:
Console> (enable) set authorization enable disable both
Successfully disabled enable authorization.
Console> (enable)

This example shows how to disable TACACS+ command authorization for both console and Telnet
connections and how to verify the configuration:
Console> (enable) set authorization commands disable both
Successfully disabled commands authorization.
Console> (enable)

This example shows how to verify the configuration:


Console> (enable) show authorization

Telnet:
-------
Primary Fallback
------- --------
exec: tacacs+ deny
enable: tacacs+ deny
commands:
config: tacacs+ deny
all: - -

Console:
--------
Primary Fallback
------- --------
exec: tacacs+ deny
enable: tacacs+ deny
commands:
config: tacacs+ deny
all: - -
Console> (enable)


Configuring RADIUS Authorization


These sections describe how to configure RADIUS authorization on the switch:
• Enabling RADIUS Authorization, page 21-55
• Disabling RADIUS Authorization, page 21-55

Enabling RADIUS Authorization


To enable RADIUS authorization and authentication on the switch, perform this task in privileged mode:

Step 1 Enter the set authentication login radius enable command in privileged mode. This command enables
both RADIUS authentication and authorization.
Step 2 Set the Service-Type (RADIUS attribute 6) for the user to Administrative (that is, a value of 6) in the
RADIUS server to launch the user into enable mode. If the Service-Type is set to anything other than
6-administrative (for example, 1-login, 7-shell, or 2-framed), you will be at the switch EXEC prompt,
not the enable prompt.

Disabling RADIUS Authorization


Enter the set authentication login radius disable command in privileged mode to disable RADIUS
authorization.

Authorization Example
Figure 21-4 shows a simple network topology using TACACS+.
When Workstation A initiates a command on the switch, the switch registers a request with the
TACACS+ daemon. The TACACS+ daemon determines if the user is authorized to use the feature and
sends a response either executing the command or denying access.

Figure 21-4 TACACS+ Example Network Topology
[Figure not reproduced in this text. Labels: TACACS+ server 172.20.52.10; Switch; Console port
connection; Terminal; Workstation A.]


In this example, TACACS+ authorization is enabled for enable mode access to the switch for both Telnet
and console connections, authorizing configuration commands:
Console> (enable) set authorization enable enable tacacs+ deny both
Successfully enabled enable authorization.
Console> (enable) set authorization commands enable config tacacs+ deny both
Successfully enabled commands authorization.
Console> (enable) show authorization
Telnet:
-------
Primary Fallback
------- --------
exec: tacacs+ deny
enable: tacacs+ deny
commands:
config: tacacs+ deny
all: - -

Console:
--------
Primary Fallback
------- --------
exec: tacacs+ deny
enable: tacacs+ deny
commands:
config: tacacs+ deny
all: - -
Console> (enable)

Understanding How Accounting Works


These sections describe how the different accounting methods work:
• Accounting Overview, page 21-56
• Accounting Events, page 21-57
• Specifying When to Create Accounting Records, page 21-57
• Specifying RADIUS Servers, page 21-58
• Updating the Server, page 21-59
• Suppressing Accounting, page 21-59

Accounting Overview
You can configure these accounting methods to monitor access to the switch:
• TACACS+ accounting
• RADIUS accounting
Accounting allows you to track user activity to a specified host, suspicious connection attempts in the
network, and unauthorized changes to the NAS configuration itself. The accounting information is sent
to the accounting server where it is saved in the form of a record. Accounting information typically
consists of the user’s action and the duration for which the action lasted. You can use the accounting
feature for security, billing, and resource allocation purposes.


The accounting protocol operates in a client-server model, using TCP for transport. The NAS acts as the
client and the accounting server acts as the daemon. The NAS sends accounting information to the
server. The server, after successfully processing the information, sends a response to the NAS,
acknowledging the request. All transactions between the NAS and server are authenticated using a key.
Once accounting has been enabled and an accountable event occurs on the system, the accounting
information is gathered dynamically in memory. When the event ends, an accounting record is created
and sent to the NAS, and then the system deletes the record from memory. The amount of memory used
by the NAS for accounting varies depending on the number of concurrent accountable events.

Accounting Events
You can configure accounting for the following types of events:
• EXEC mode accounting—Provides information about user EXEC sessions (normal login sessions)
on the NAS (includes the duration of the EXEC session but does not include traffic statistics).
• Connect accounting—Provides information about all outbound connections from the NAS (such as
Telnet, rlogin).

Note If you get a connection immediately upon login and then your connection terminates, the
EXEC and connect events overlap and have almost identical start and stop times.

• System accounting—Provides information on system events not related to users (includes system
reset, system boot, and user configuration of accounting).
• Command accounting—Sends a record for each command issued by the user. This permits audit trail
information to be gathered.

Specifying When to Create Accounting Records


You configure the switch to gather accounting information to create records. When you configure
accounting (using the set accounting commands), the switch can generate two types of records:
• Start records—Include partial information of the event (when the event started, type of service, and
traffic statistics).
• Stop records—Include complete information of the event (when the event started, its duration, type
of service, and traffic statistics).
Accounting records are created and sent to the server at two events:
• Start-stop—Records are sent at both the start and stop of an action if the action has duration. If the
NAS fails to send the accounting record at the start of the action, it still allows you to proceed with
the action.
• Stop-only—Records are sent only at the termination of the event. Commands are assumed to have
zero duration, so only stop records are generated for command accounting. No users are associated
with system events; therefore, the start-stop option in the set accounting system command is
ignored for system events.


Note Stop records include complete information of the event (when the event started, its
duration, and traffic statistics). However, you might want redundancy and, therefore,
may monitor both start and stop records of events occurring on the NAS.
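The client-server accounting exchange described in the overview above, and the start-stop versus stop-only records of this section, as an added example that is not part of the guide: a minimal Python encoder and decoder for the TACACS+ accounting REQUEST packet following RFC 8907. The wire format, constants and MD5 keystream come from the RFC, not from this guide; the shared key, user, port, workstation address and command arguments are constructed sample values.

```python
import hashlib
import struct

# Header constants from RFC 8907 section 4.1; the guide itself does not show the wire format.
TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_ACCT = 0x03              # packet type: accounting
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent without obfuscation
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = 12
# Accounting REQUEST flags from RFC 8907 section 7.1
ACCT_FLAG_START = 0x02
ACCT_FLAG_STOP = 0x04
ACCT_FLAG_WATCHDOG = 0x08         # interim record; the guide's periodic updates use it
BODY_FIXED_FMT = "!BBBBBBBBB"     # flags, authen_method, priv_lvl, authen_type,
                                  # authen_service, user_len, port_len, rem_addr_len, arg_cnt
RECORD_NAMES = {ACCT_FLAG_START: "start", ACCT_FLAG_STOP: "stop",
                ACCT_FLAG_WATCHDOG: "watchdog", ACCT_FLAG_START | ACCT_FLAG_WATCHDOG: "update"}


def record_flags(mode: str, event: str) -> list:
    """Records the switch sends for one event, as the guide describes them: start-stop sends
    both records for events with duration; command and system events are always stop-only."""
    if event in ("commands", "system") or mode == "stop-only":
        return [ACCT_FLAG_STOP]
    if mode == "start-stop":
        return [ACCT_FLAG_START, ACCT_FLAG_STOP]
    raise ValueError(f"unknown accounting mode {mode!r}")


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream of RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}). The RFC calls this obfuscation:
    the shared key hides the body from a casual observer but provides no integrity check."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; applying it a second time restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_acct_request(session_id: int, seq_no: int, key: bytes, flags: int, user: str,
                       port: str, rem_addr: str, args: list, priv_lvl: int = 15) -> bytes:
    """Encode one accounting REQUEST as the NAS (the switch) sends it to the daemon."""
    user_b, port_b, rem_b = user.encode("ascii"), port.encode("ascii"), rem_addr.encode("ascii")
    args_b = [a.encode("ascii") for a in args]
    # authen_method 0x06 = TACACSPLUS, authen_type 0x01 = ASCII, authen_service 0x01 = LOGIN
    body = struct.pack(BODY_FIXED_FMT, flags, 0x06, priv_lvl, 0x01, 0x01,
                       len(user_b), len(port_b), len(rem_b), len(args_b))
    body += bytes(len(a) for a in args_b) + user_b + port_b + rem_b + b"".join(args_b)
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_ACCT, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_acct_request(packet: bytes, key: bytes) -> dict:
    """Decode a REQUEST as the daemon does. With the wrong key the body is garbage and the
    length bookkeeping fails; a key mismatch is only ever detected this indirectly."""
    version, ptype, seq_no, hflags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_ACCT or len(packet) != HEADER_LEN + length or length < 9:
        raise ValueError("not a well-formed accounting REQUEST")
    body = packet[HEADER_LEN:]
    if not hflags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    flags, _meth, priv_lvl, _type, _svc, ulen, plen, rlen, argc = struct.unpack(
        BODY_FIXED_FMT, body[:9])
    off = 9 + argc
    arg_lens = list(body[9:off])
    fields = []
    try:
        for n in (ulen, plen, rlen, *arg_lens):
            fields.append(body[off:off + n].decode("ascii"))
            off += n
    except UnicodeDecodeError as exc:
        raise ValueError("body does not decode; wrong shared key?") from exc
    if off != len(body) or len(arg_lens) != argc:
        raise ValueError("body length mismatch; wrong shared key?")
    return {"session_id": session_id, "seq_no": seq_no, "priv_lvl": priv_lvl,
            "record": RECORD_NAMES.get(flags & 0x0E, "invalid"),
            "user": fields[0], "port": fields[1], "rem_addr": fields[2], "args": fields[3:]}


if __name__ == "__main__":
    # Constructed sample: a command issued from Workstation A (address assumed) on the console.
    key = b"example-shared-key"
    for seq, flags in enumerate(record_flags("start-stop", "commands"), start=1):
        pkt = build_acct_request(0x1234ABCD, seq, key, flags, "admin", "tty0", "10.0.0.5",
                                 ["service=shell", "cmd=set vlan 10"])
        print(len(pkt), "bytes on the wire ->", parse_acct_request(pkt, key)["record"])
```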

Specifying RADIUS Servers


To specify one or more RADIUS servers, perform this task in privileged mode:

Step 1  Specify the IP address of up to three RADIUS servers. Specify the primary server using
        the primary keyword. Optionally, specify the destination UDP port to use on the server.
        Command: set radius server ip_addr [acct-port port] [primary]
Step 2  Verify the RADIUS server configuration.
        Command: show radius

This example shows how to specify a RADIUS server and verify the configuration:
Console> (enable) set radius server 172.20.52.3
172.20.52.3 with auth-port 1812 added to radius server table as primary server.
Console> (enable) show radius

Login Authentication: Console Session Telnet Session


--------------------- ---------------- ----------------
tacacs disabled disabled
radius disabled disabled
local enabled(primary) enabled(primary)

Enable Authentication: Console Session Telnet Session


---------------------- ----------------- ----------------
tacacs disabled disabled
radius disabled disabled
local enabled(primary) enabled(primary)

Radius Deadtime: 0 minutes


Radius Key:
Radius Retransmit: 2
Radius Timeout: 5 seconds

Radius-Server Status Auth-port


----------------------------- ------- ------------
172.20.52.3 primary 1812
Console> (enable)


Updating the Server


You can configure the switch to send accounting information to the TACACS+ server. There are two
options:
• Newinfo—Sends accounting information to the server only when new accounting information
becomes available.
• Periodic—Sends accounting update records at regular intervals. This option could be used to keep
up-to-date connection and session information even if the NAS restarts and loses the initial start
time. You must set a time lapse between periodic updates. Valid intervals are from 1 to
71,582 minutes.

Suppressing Accounting
You can configure the system to suppress accounting when an unknown user with no username accesses
the switch by using the set accounting suppress null-username enable command.

Note RADIUS and TACACS+ accounting are the same, except that RADIUS does not do command
accounting, periodic updates, or allow null-username suppression.

Configuring Accounting
These sections describe how to configure accounting for both TACACS+ and RADIUS:
• Accounting Default Configuration, page 21-59
• Accounting Configuration Guidelines, page 21-60
• Configuring Accounting, page 21-60

Accounting Default Configuration


Table 21-5 shows the accounting default configuration.

Table 21-5 Accounting Default Configuration

Feature                                                   Default Value
Accounting                                                Disabled
Accounting events (exec, system, commands, and connect)   Disabled
Accounting records                                        Stop-only


Accounting Configuration Guidelines


Follow these guidelines when configuring accounting on the switch:
• Configure RADIUS and TACACS+ servers before enabling accounting. See the “Specifying
TACACS+ Servers” section on page 21-17 or the “Specifying RADIUS Servers” section on
page 21-24 for more information on server setup.
• Configure RADIUS and TACACS+ keys to encrypt protocol packets before enabling accounting.
See the “Specifying the TACACS+ Key” section on page 21-19 or the “Specifying the RADIUS
Key” section on page 21-24 for more information on the key setup.

Note The amount of DRAM allocated for one accounting event is approximately 500 bytes. The total
amount of DRAM used by accounting depends on the number of concurrent accountable events in
the system.

Configuring Accounting
These sections describe how to configure RADIUS and TACACS+ accounting on the switch:
• Enabling Accounting, page 21-60
• Disabling Accounting, page 21-61

Enabling Accounting
To enable accounting on the switch, perform this task in privileged mode:

Step 1  Enable accounting for connection events.
        Command: set accounting connect enable {start-stop | stop-only} {tacacs+ | radius}
Step 2  Enable accounting for EXEC mode.
        Command: set accounting exec enable {start-stop | stop-only} {tacacs+ | radius}
Step 3  Enable accounting for system events.
        Command: set accounting system enable {start-stop | stop-only} {tacacs+ | radius}
Step 4  Enable accounting of configuration commands.
        Command: set accounting commands enable {config | all} {stop-only} tacacs+
Step 5  Enable suppression of information for unknown users.
        Command: set accounting suppress null-username enable
Step 6  Configure accounting to be updated as new information is available.
        Command: set accounting update {new-info | {periodic [interval]}}
Step 7  Verify the accounting configuration.
        Command: show accounting

This example shows how to enable stop-only TACACS+ accounting events:


Console> (enable) set accounting connect enable stop-only tacacs+
Accounting set to enable for connect events in stop-only mode.
Console> (enable)


Console> (enable) set accounting exec enable stop-only tacacs+


Accounting set to enable for exec events in stop-only mode.
Console> (enable)

Console> (enable) set accounting system enable stop-only tacacs+


Accounting set to enable for system events in stop-only mode.
Console> (enable)

Console> (enable) set accounting commands enable all stop-only tacacs+


Accounting set to enable for commands-all events in stop-only mode.
Console> (enable)

This example shows how to suppress accounting of unknown users:


Console> (enable) set accounting suppress null-username enable
Accounting will be suppressed for user with no username.
Console> (enable)

This example shows how to periodically update the server:


Console> (enable) set accounting update periodic 120
Accounting updates will be periodic at 120 minute intervals.
Console> (enable)

This example shows how to verify the configuration:


Console> (enable) show accounting
Event Method Mode
----- ------- ----
exec: tacacs+ stop-only
connect: tacacs+ stop-only
system: tacacs+ stop-only
commands:
config: - -
all: tacacs+ stop-only
TACACS+ Suppress for no username: enabled
Update Frequency: periodic, Interval = 120

Accounting information:
-----------------------
Active Accounted actions on tty0, User (null) Priv 0
Active Accounted actions on tty288091924, User (null) Priv 0
Overall Accounting Traffic:
Starts Stops Active
----- ----- ------
Exec 0 0 0
Connect 0 0 0
Command 0 0 0
System 1 0 0
Console> (enable)

Disabling Accounting
To disable RADIUS accounting on the switch, perform this task in privileged mode:

Step 1  Disable accounting for connection events.
        Command: set accounting connect disable
Step 2  Disable accounting for EXEC mode.
        Command: set accounting exec disable
Step 3  Disable accounting for system events.
        Command: set accounting system disable
Step 4  Disable accounting of configuration commands.
        Command: set accounting commands disable
Step 5  Disable suppression of information for unknown users.
        Command: set accounting suppress null-username disable
Step 6  Verify the accounting configuration.
        Command: show accounting

This example shows how to disable stop-only accounting:


Console> (enable) set accounting connect disable
Accounting set to disable for connect events.
Console> (enable)

Console> (enable) set accounting exec disable


Accounting set to disable for exec events.
Console> (enable)

Console> (enable) set accounting system disable


Accounting set to disable for system events.
Console> (enable)

Console> (enable) set accounting commands disable


Accounting set to disable for commands-all events.
Console> (enable)

This example shows how to disable suppression of unknown users:


Console> (enable) set accounting suppress null-username disable
Accounting will be not be suppressed for user with no username.
Console> (enable)

This example shows how to verify the configuration:


Console> (enable) show accounting
Event Method Mode
----- ------- ----
exec: - -
connect: - -
system: - -
commands:
config: - -
all: - -

TACACS+ Suppress for no username: disabled


Update Frequency: new-info

Accounting information:
-----------------------
Active Accounted actions on tty0, User (null) Priv 0
Active Accounted actions on tty288091924, User (null) Priv 0
Overall Accounting Traffic:
Starts Stops Active
----- ----- ------
Exec 0 0 0
Connect 0 0 0
Command 0 0 0
System 1 2 0
Console> (enable)


Accounting Example
Figure 21-5 shows a simple network topology using TACACS+.
When Workstation A initiates an accountable event on the switch, the switch gathers event information
and forwards it to the server at the conclusion of the event. Accounting is suppressed for unknown
users, and accounting updates are sent to the server every 120 minutes.

Figure 21-5 TACACS+ Example Network Topology
[Figure not reproduced in this text. Labels: TACACS+ server 172.20.52.10; Switch; Console port
connection; Terminal; Workstation A.]

In this example, TACACS+ accounting is enabled for connection, exec, system, and all command
accounting:
Console> (enable) set accounting connect enable stop-only tacacs+
Accounting set to enable for connect events in stop-only mode.
Console> (enable) set accounting exec enable stop-only tacacs+
Accounting set to enable for exec events in stop-only mode.
Console> (enable) set accounting commands enable all stop-only tacacs+
Accounting set to enable for commands-all events in stop-only mode.
Console> (enable) set accounting update periodic 120
Accounting updates will be periodic at 120 minute intervals.
Console> (enable) show accounting
Event Method Mode
----- ------- ----
exec: tacacs+ stop-only
connect: tacacs+ stop-only
system: tacacs+ stop-only
commands:
config: - -
all: tacacs+ stop-only

TACACS+ Suppress for no username: enabled


Update Frequency: periodic, Interval = 120


Accounting information:
-----------------------
Active Accounted actions on tty0, User (null) Priv 0
Active Accounted actions on tty288091924, User (null) Priv 0
Overall Accounting Traffic:
Starts Stops Active
----- ----- ------
Exec 0 0 0
Connect 0 0 0
Command 0 0 0
System 1 0 0
Console> (enable)
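As an added example that is not part of the guide, the following Python audits the show authorization output of the authorization example earlier in this chapter and the show accounting output of this accounting example: it parses each into a table and reports access paths that do not send authorization to TACACS+ or do not fall back to deny, and accounting event types that are off. The parser relies only on the output layout the guide shows; the weakened and disabled samples and the policy being checked are constructed.

```python
REQUIRED_AUTHZ = ("exec", "enable", "commands.config")   # checked per access path
REQUIRED_ACCT = ("exec", "connect", "system")            # command accounting checked separately

def parse_show_output(text: str) -> dict:
    """Turn the 'key: value value' lines into {section: {key: [values]}}. 'Telnet:' and
    'Console:' open a section, 'commands:' prefixes the config and all rows, and column
    headers and dash rules are skipped. Parsing stops at the live counters block."""
    table, section, sub = {}, "", None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Accounting information"):
            break
        if ":" not in line:
            continue
        key, _, rest = line.partition(":")
        key, values = key.strip(), rest.split()
        if not values:                       # header line such as "Telnet:" or "commands:"
            if key == "commands":
                sub = key
            else:
                section, sub = key, None
            continue
        if sub and key in ("config", "all"):
            key = f"{sub}.{key}"
        else:
            sub = None
        table.setdefault(section, {})[key] = values
    return table

def audit_authorization(authz: dict) -> list:
    """Expect each access path to send exec, enable and config-command authorization to
    TACACS+ and to deny access when the server cannot be reached, as the guide's example does."""
    findings = []
    for section in ("Telnet", "Console"):
        rows = authz.get(section, {})
        for key in REQUIRED_AUTHZ:
            primary, fallback = (rows.get(key) or ["-", "-"])[:2]
            if primary != "tacacs+":
                findings.append(f"{section} {key}: primary method is {primary}, expected tacacs+")
            if fallback != "deny":
                findings.append(f"{section} {key}: fallback is {fallback}, expected deny")
    return findings

def audit_accounting(acct: dict) -> list:
    """Expect exec, connect, system and command accounting to be on. Null-username suppression
    is reported as information: sessions without a username then leave no record at all."""
    rows = acct.get("", {})
    findings = [f"accounting for {key} events is disabled"
                for key in REQUIRED_ACCT if (rows.get(key) or ["-"])[0] == "-"]
    if all((rows.get(k) or ["-"])[0] == "-" for k in ("commands.config", "commands.all")):
        findings.append("command accounting is disabled: no audit trail of issued commands")
    if (rows.get("TACACS+ Suppress for no username") or ["disabled"])[0] == "enabled":
        findings.append("info: null-username suppression is on; unnamed sessions are not recorded")
    return findings

# The two SHOW_ samples are copied from the guide's examples; WEAK_ and DISABLED_ are constructed.
SHOW_AUTHORIZATION = """\
Telnet:
-------
Primary Fallback
------- --------
exec: tacacs+ deny
enable: tacacs+ deny
commands:
config: tacacs+ deny
all: - -

Console:
--------
Primary Fallback
------- --------
exec: tacacs+ deny
enable: tacacs+ deny
commands:
config: tacacs+ deny
all: - -
"""
WEAK_AUTHORIZATION = SHOW_AUTHORIZATION.replace("enable: tacacs+ deny", "enable: tacacs+ none", 1)
WEAK_AUTHORIZATION = WEAK_AUTHORIZATION.replace("config: tacacs+ deny", "config: - -", 1)
SHOW_ACCOUNTING = """\
Event Method Mode
----- ------- ----
exec: tacacs+ stop-only
connect: tacacs+ stop-only
system: tacacs+ stop-only
commands:
config: - -
all: tacacs+ stop-only
TACACS+ Suppress for no username: enabled
Update Frequency: periodic, Interval = 120
Accounting information:
Active Accounted actions on tty0, User (null) Priv 0
"""
DISABLED_ACCOUNTING = (SHOW_ACCOUNTING.replace("tacacs+ stop-only", "- -")
                       .replace("username: enabled", "username: disabled"))

if __name__ == "__main__":
    for name, text, audit in (("authorization", WEAK_AUTHORIZATION, audit_authorization),
                              ("accounting", DISABLED_ACCOUNTING, audit_accounting)):
        print(name, audit(parse_show_output(text)))
```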

CHAPTER 22
Configuring Redundancy

This chapter describes how to configure redundant supervisor engines and how to configure redundancy
on Multilayer Switch Feature Cards (MSFCs) on the Catalyst 6000 family switches.
This chapter consists of these sections:
• Understanding How Supervisor Engine Redundancy Works, page 22-2
• Configuring Redundant Supervisor Engines, page 22-3
• MSFC Redundancy, page 22-18

Caution Dual MSFCs in a single chassis are designed to be used in redundant mode only and must have
identical configurations. See the “MSFC Redundancy” section on page 22-18 for detailed
information.

We do not support configurations where the MSFCs are not configured identically.

Note Except where specifically differentiated, the information and procedures in this chapter apply to both
Supervisor Engine 2 with Layer 3 Switching Engine II (Policy Feature Card 2 or PFC2) and
Supervisor Engine 1 with Layer 3 Switching Engine II.

Note The term MSFC is used to refer to the MSFC and MSFC2 except where specifically differentiated.

For more information about installing redundant Catalyst 6000 family supervisor engines, refer to the
Catalyst 6000 Family Module Installation Guide. For syntax and usage information for the commands
used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.


Understanding How Supervisor Engine Redundancy Works


Note Redundant supervisor engines must be of the same type with the same model feature card.

When you install two supervisor engines, the first supervisor engine to come online becomes the active
module; the second supervisor engine goes into standby mode. All administrative and network
management functions, such as SNMP, command-line interface (CLI) console, Telnet, Spanning Tree
Protocol (STP), Cisco Discovery Protocol (CDP), and VLAN Trunk Protocol (VTP) are processed on
the active supervisor engine.
On the standby supervisor engine, the console port is inactive, the module status shows as “standby,” and
the status for the uplink ports is shown normally.
You must install redundant supervisor engines in slots 1 and 2 of the chassis. Redundant supervisor
engines are hot swappable. The system continues to operate with the same configuration after switching
over to the redundant supervisor engine.

Note To allow you to control the booting of each supervisor engine separately, the configuration registers
are not synchronized between the supervisor engines.

Note The switchover time from the active to the standby supervisor engine does not include spanning tree
convergence time.

At power-up, both supervisor engines run initial module-level diagnostics. Assuming both supervisor
engines pass this level of diagnostics, the two supervisor engines communicate over the backplane,
allowing them to cooperate during switching-bus diagnostics. The supervisor engine in slot 1 becomes
active, and the supervisor engine in slot 2 enters standby mode. If the software versions of the two
supervisor engines are different, or if the NVRAM configuration of the two supervisor engines is
different, the active supervisor engine automatically downloads its software image and configuration to
the standby supervisor engine.
If the background diagnostics on the active supervisor engine detect a major problem or an exception
occurs, the active supervisor engine resets. The standby supervisor engine detects that the active
supervisor engine is no longer running and becomes active. The standby supervisor engine can detect if
the active supervisor engine is not functioning and can force a reset, if necessary. If the reset supervisor
engine comes online again, it enters standby mode.
If you hot insert a second supervisor engine, the second module communicates with the active supervisor
engine after completing its initial module-level diagnostics. Because the active supervisor engine is
already switching traffic on the backplane, no switching-bus diagnostics are run for the second
supervisor engine because running diagnostics can disrupt normal traffic. The second supervisor engine
immediately enters standby mode. The active supervisor engine downloads the software image and
configuration to the standby supervisor engine, if necessary.
The supervisor engines use two Flash images: the boot image and the runtime image. The boot image
filename is specified in the BOOT environment variable, which is stored in NVRAM. The runtime image
is the boot image that the ROM monitor uses to boot the supervisor engine. After the system boots, the
runtime image resides in dynamic RAM (DRAM).
When you power up or reset a switch with redundant supervisor engines, synchronization occurs to
ensure that the runtime and boot images on the standby supervisor engine are the same as the images on
the active supervisor engine.


The supervisor engines can have different runtime and boot images. If the boot image and the runtime
image are the same, and you change the BOOT environment variable or overwrite or destroy the current
boot image on the Flash device that was used to boot the system, the runtime and boot images will differ.
Whenever you reconfigure the boot image, the active supervisor engine synchronizes its current boot
image with the standby supervisor engine.
The boot image is read directly into the Flash file system. You can perform operations (such as copy,
delete, undelete, and so on) on files stored on Flash memory devices, and you can store the boot image
of the active supervisor engine in the standby supervisor engine bootflash. For more information about
using the Flash file system, see Chapter 24, “Working With the Flash File System.”
The supervisor engine has a Flash PC card (PCMCIA) slot (slot0) in addition to the onboard Flash
memory; this slot can hold a Flash PC card that can store additional boot images.

Note Throughout this publication, the term Flash PC card is used in place of the term PCMCIA card.

Because you can store multiple boot images, you must specify the name of the boot file image and the
location of the image file in the Flash file system in order to boot and synchronize properly. For
information about how to specify the name and location of the boot image, see Chapter 23, “Modifying
the Switch Boot Configuration.”
In the synchronization process, the active supervisor engine checks the standby supervisor engine
runtime image to make sure it matches its own runtime image. The active supervisor engine checks three
conditions:
• If it needs to copy its boot image to the standby supervisor engine
• If the standby supervisor engine bootstring needs to be changed
• If the standby supervisor engine needs to be reset
The following section describes the conditions that can initiate Flash synchronization. For examples of
how the system synchronizes the supervisor engine Flash images with various configurations, see the
“Supervisor Engine Synchronization Examples” section on page 22-14.

Configuring Redundant Supervisor Engines


These sections describe how to configure redundant supervisor engines:
• Synchronization Process Initiation, page 22-4
• Redundant Supervisor Engine Configuration Guidelines and Restrictions, page 22-4
• Verifying Standby Supervisor Engine Status, page 22-5
• Forcing a Switchover to the Standby Supervisor Engine, page 22-6
• High Availability, page 22-8
• Supervisor Engine Synchronization Examples, page 22-14


Synchronization Process Initiation


These conditions initiate the synchronization of the runtime and boot images on the active and standby
supervisor engines:
• Time stamp mismatch between the runtime images on the active and standby supervisor
engines—The active supervisor engine synchronizes its runtime image with the standby supervisor
engine if the time stamps of their respective runtime images differ when the system is booted or
reset.
• Time stamp mismatch between the boot images on the active and standby supervisor engines—The
active supervisor engine synchronizes its boot image with the standby supervisor engine if the time
stamps of their respective boot images differ when the system is booted or reset, or if you change
the BOOT environment variable.
• Current boot image overwritten—If you overwrite the current boot image stored on one of the Flash
devices, the file system management module detects this event and initiates synchronization. The
active supervisor engine copies its new boot image to the standby supervisor engine.
• BOOT environment variables changed—If you change the BOOT environment variables to specify
a different default boot image, the active supervisor engine initiates boot-image synchronization.
The NVRAM configuration module detects this event and calls the Flash synchronization function
with the next probable boot filename by looking at the boot configuration parameter.
• Flash PC cards with same boot-image filename—If you change the Flash device on either the active
or standby supervisor engine and the new Flash device contains a boot image that has the same name
(but a different time stamp) as the boot image from the previous Flash device, the Flash file
management module initiates synchronization.
• Current runtime image deleted—If you delete the current runtime image from the Flash device, the
Flash file management module prompts you to verify that you want to delete the current runtime
image. If you confirm the deletion, the Flash file management module initiates Flash
synchronization and informs the NVRAM configuration module of the change. The NVRAM
configuration module examines the BOOT environment variable to determine the next probable
image to boot and calls the Flash synchronization function using the new image name.

Redundant Supervisor Engine Configuration Guidelines and Restrictions


These conditions and events can cause the synchronization of images between redundant supervisor
engines to fail or to produce unexpected results:
• Downloading a new image to the active supervisor engine
When you download a new image to the active supervisor engine, it is copied to the file system (in
bootflash or on a Flash PC card in the Flash PC card slot). Because you may or may not have
configured this image as the boot image, the newly downloaded image is not copied to the standby
supervisor engine automatically.
To initiate the synchronization function between the active and standby supervisor engines, you
must configure this newly downloaded image as the boot image on the active supervisor engine.
Synchronization occurs when you change the boot variable. To run the new image, you must reset
the system.

• Unable to find the current runtime image
If the active supervisor engine is unable to find the current runtime image on any of the Flash
devices, it signals an error condition. In this case, if the standby supervisor engine is inserted or
reset, Flash synchronization does not occur. In addition, the STATUS LED on the standby
supervisor engine turns red and the system generates a syslog error message.
• Active supervisor engine in slot 2
When the active supervisor engine is in slot 2, the standby supervisor engine is in slot 1. If you
change the configuration to specify a new boot image and then reset the system, the supervisor
engine in slot 1 becomes the active supervisor engine and loads its default boot image, canceling the
configuration changes you have just made. To avoid this problem, the switch prompts you for Flash
synchronization as soon as you change the boot file configuration.

Verifying Standby Supervisor Engine Status


You can verify the status of the standby supervisor engine using a number of CLI commands.

Note The show module output provides information about installed daughter cards. The show test
command provides information about onboard application-specific integrated circuits (ASICs).

To verify the status of the standby supervisor engine, perform one or more of these tasks:

Task: Show the status of the standby supervisor engine.
      Command: show module [mod]
Task: Show the state of the standby supervisor engine uplink ports.
      Command: show port [mod[/port]]
Task: Show diagnostic test results for the standby supervisor engine.
      Command: show test [mod]

This example shows how to check the status of the standby supervisor engine using the show module
and show test commands:
Console> (enable) show module 2
Mod Slot Ports Module-Type Model Status
--- ---- ----- ------------------------- ------------------- --------
2 2 2 1000BaseX Supervisor WS-X6K-SUP1-2GE ok

Mod Module-Name Serial-Num


--- ------------------- -----------
2 SAD02330231

Mod MAC-Address(es) Hw Fw Sw
--- -------------------------------------- ------ ---------- -----------------
2 00-e0-14-0e-f5-6c to 00-e0-14-0e-f5-6d 0.404 4.2(2038) 4.2(0.24)VAI50
00-e0-14-0e-f5-6e to 00-e0-14-0e-f5-6f
00-10-7b-bb-2b-00 to 00-10-7b-bb-2e-ff

Mod Sub-Type Sub-Model Sub-Serial Sub-Hw
--- ------------------- ------------------- ----------- ------
2 L2 Switching Engine WS-F6020 SAD02350211 0.101
Console> (enable)

Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4


78-13315-02 22-5
Chapter 22 Configuring Redundancy
Configuring Redundant Supervisor Engines

Console> (enable) show test 2
Module 2 : 2-port 1000BaseX Supervisor
Network Management Processor (NMP) Status: (. = Pass, F = Fail, U = Unknown)
ROM: . Flash-EEPROM: . Ser-EEPROM: . NVRAM: . EOBC Comm: .

Line Card Status for Module 1 : PASS

Port Status :
Ports 1 2
-----------
. .
Line Card Diag Status for Module 2 (. = Pass, F = Fail, N = N/A)

Module 2
Cafe II Status :
NewLearnTest: .
IndexLearnTest: .
DontForwardTest: .
DontLearnTest: .
ConditionalLearnTest: .
BadBpduTest: .
TrapTest: .
Loopback Status [Reported by Module 2] :
Ports 1 2
-----------
. .
Console> (enable)
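A monitoring script can read the two command outputs above and flag a standby supervisor engine that is not ready to take over. The following Python is an added example, not Cisco code and not part of this guide: it parses show module output for the module's Status column and walks show test output for any diagnostic reported as F (fail) or U (unknown), including the per-port tables. The two sample outputs embedded in it are constructed to mirror the layout printed above; the line-card and port checks assume the layout shown there (a "Ports" header, a dashed rule, then one result per port).

```python
"""Standby supervisor engine health check from CatOS 'show module' and
'show test' output.  Added example, not Cisco code; samples are constructed."""
import re
from typing import List

SHOW_MODULE_SAMPLE = """\
Mod Slot Ports Module-Type               Model               Status
--- ---- ----- ------------------------- ------------------- --------
2   2    2     1000BaseX Supervisor      WS-X6K-SUP1-2GE     ok
"""

SHOW_TEST_SAMPLE = """\
Module 2 : 2-port 1000BaseX Supervisor
Network Management Processor (NMP) Status: (. = Pass, F = Fail, U = Unknown)
  ROM: .   Flash-EEPROM: .   Ser-EEPROM: .   NVRAM: .   EOBC Comm: .

Line Card Status for Module 2 : PASS

Port Status :
  Ports 1 2
  -----------
         . .
Line Card Diag Status for Module 2 (. = Pass, F = Fail, N = N/A)
  Cafe II Status :
    NewLearnTest:          .
    BadBpduTest:           .
    TrapTest:              .
Loopback Status [Reported by Module 2] :
  Ports 1 2
  -----------
         . .
"""

# "Name: <result>" pairs; several may share one line, as on the NMP status line.
RESULT_RE = re.compile(r"([A-Za-z][\w\- ]*?)\s*:\s*([.FUN])(?=\s|$)")
LINECARD_RE = re.compile(r"Line Card Status for Module (\d+)\s*:\s*(\w+)")


def module_status(show_module: str, mod: int) -> str:
    """Return the Status column for module 'mod', or 'absent' if it is not listed."""
    for line in show_module.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == str(mod):
            return parts[-1]
    return "absent"


def show_test_failures(show_test: str) -> List[str]:
    """Names of every diagnostic that did not pass ('F' or 'U'), ports included."""
    failures: List[str] = []
    lines = show_test.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = LINECARD_RE.search(line)
        if m:
            if m.group(2).upper() != "PASS":
                failures.append(f"Line Card Module {m.group(1)}")
        elif line.strip().startswith("Ports "):
            # Port table: header with port numbers, dashed rule, one result per port.
            ports = line.split()[1:]
            results = lines[i + 2].split() if i + 2 < len(lines) else []
            for port, result in zip(ports, results):
                if result in ("F", "U"):
                    failures.append(f"Port {port}")
            i += 3
            continue
        else:
            for name, result in RESULT_RE.findall(line):
                if result in ("F", "U"):
                    failures.append(name.strip())
        i += 1
    return failures


def standby_healthy(show_module: str, show_test: str, mod: int) -> bool:
    """True only when the module reports 'ok' and no diagnostic failed."""
    return module_status(show_module, mod) == "ok" and not show_test_failures(show_test)


if __name__ == "__main__":
    print("standby healthy:", standby_healthy(SHOW_MODULE_SAMPLE, SHOW_TEST_SAMPLE, 2))
```

Feed it the captured output of both commands for the standby slot; anything other than an "ok" status or an empty failure list is worth an alert, since a standby that fails diagnostics will not complete a switchover cleanly.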

Forcing a Switchover to the Standby Supervisor Engine

You can force a switchover to the standby supervisor engine by resetting the active supervisor engine.

Note Resetting the active supervisor engine disconnects any open Telnet sessions.

To force a switchover to the standby supervisor engine, perform this task in privileged mode:

Task                                                                                         Command
Reset the active supervisor engine (where mod is the number of the active supervisor engine).   reset mod

You can also force a switchover to the standby supervisor engine by setting the CISCO-STACK-MIB
moduleAction variable to reset(2) on the active supervisor engine. When the switchover occurs, the
system sends a standard SNMP warm-start trap to the configured trap receivers.
This example shows the console output on the active supervisor engine when you force a switchover
from the active to the standby supervisor engine:
Console> (enable) reset 1
This command will force a switch-over to the standby Supervisor module.
Do you want to continue (y/n) [n]? y
Console> (enable) 12/07/1998,17:04:39:SYS-5:Module 1 reset from Console//

System Bootstrap, Version 3.1(2)
Copyright (c) 1994-1997 by cisco Systems, Inc.
Presto processor with 32768 Kbytes of main memory

Autoboot executing command: "boot bootflash:cat6000-sup.5-4-1a.bin"


CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Uncompressing file: ###########################################################

System Power On Diagnostics
NVRAM Size .. .................512KB
ID Prom Test ..................Passed
DPRAM Size ....................16KB
DPRAM Data 0x55 Test ..........Passed
DPRAM Data 0xaa Test ..........Passed
DPRAM Address Test ............Passed
Clearing DPRAM ................Done
System DRAM Memory Size .......32MB
DRAM Data 0x55 Test ...........Passed
DRAM Data 0xaa Test ...........Passed
DRAM Address Test ............Passed
Clearing DRAM .................Done
EARLII ........................Present
EARLII RAM Test ...............Passed
EARL Serial Prom Test .........Passed
Level2 Cache ..................Present
Level2 Cache test..............Passed

Boot image: bootflash:cat6000-sup.5-4-1a.bin
Downloading epld sram device please wait ...
Programming successful for Altera 10K50 SRAM EPLD
This module is now in standby mode.
Console is disabled for standby supervisor

This example shows the console output on the standby supervisor engine when you force a switchover
from the active to the standby supervisor engine:
Cisco Systems Console

Enter password:
12/07/1998,17:04:43:MLS-5:Multilayer switching is enabled
12/07/1998,17:04:43:MLS-5:Netflow Data Export disabled
12/07/1998,17:04:44:SYS-5:Module 2 is online
12/07/1998,17:04:45:SYS-5:Module 5 is online
12/07/1998,17:04:45:SYS-5:Module 7 is online
12/07/1998,17:04:45:SYS-5:Module 3 is online
12/07/1998,17:04:52:MLS-5:Route Processor 172.20.52.6 added
12/07/1998,17:05:10:SYS-5:Module 8 is online
12/07/1998,17:05:14:SYS-5:Module 9 is online
12/07/1998,17:05:22:SYS-5:Module 4 is online
12/07/1998,17:06:13:SYS-5:Module 1 is in standby mode
Supervisor image synchronization process will start in 10 seconds
12/07/1998,17:06:37:SYS-5:Ports on standby supervisor(Module 1) are UP
12/07/1998,17:06:41:SYS-5:Active supervisor is synchronizing the NMP image.
12/07/1998,17:06:44:SYS-5:The active supervisor has synchronized the NMP image.

Console>
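A supervisor switchover is a control-plane event worth recording: it drops Telnet sessions, changes which engine programs the forwarding hardware, and is triggered either from the console or through the SNMP moduleAction variable described above. The following Python is an added example, not Cisco code and not part of this guide. It parses lines in the CatOS syslog format shown in the console output above (MM/DD/YYYY,HH:MM:SS:FACILITY-SEVERITY:message), tolerating the "Console> (enable)" prompt that precedes the first line, and correlates the reset of the formerly active module with the message that the new active supervisor has finished synchronizing the NMP image to it. The log lines embedded below are constructed to mirror the output above.

```python
"""Detect a supervisor engine switchover in CatOS syslog output.
Added example, not Cisco code; the sample log lines are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Console> (enable) 12/07/1998,17:04:39:SYS-5:Module 1 reset from Console//
12/07/1998,17:04:43:MLS-5:Multilayer switching is enabled
12/07/1998,17:04:44:SYS-5:Module 2 is online
12/07/1998,17:05:22:SYS-5:Module 4 is online
12/07/1998,17:06:13:SYS-5:Module 1 is in standby mode
Supervisor image synchronization process will start in 10 seconds
12/07/1998,17:06:37:SYS-5:Ports on standby supervisor(Module 1) are UP
12/07/1998,17:06:41:SYS-5:Active supervisor is synchronizing the NMP image.
12/07/1998,17:06:44:SYS-5:The active supervisor has synchronized the NMP image.
"""

# Timestamp, facility, severity and message; searched (not anchored) so a
# console prompt printed in front of the first message does not hide it.
LINE_RE = re.compile(r"(\d{2}/\d{2}/\d{4}),(\d{2}:\d{2}:\d{2}):([A-Z]+)-(\d):(.*)$")
RESET_RE = re.compile(r"Module (\d+) reset from (\w+)")
STANDBY_RE = re.compile(r"Module (\d+) is in standby mode")
SYNCED_RE = re.compile(r"has synchronized the NMP image")


@dataclass
class SyslogEvent:
    when: datetime
    facility: str
    severity: int
    message: str


def parse_catos_syslog(text: str) -> List[SyslogEvent]:
    """Turn console/syslog text into events; lines without a timestamp are skipped."""
    events: List[SyslogEvent] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # prompts, banners and progress lines carry no timestamp
        date, clock, facility, severity, message = m.groups()
        when = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S")
        events.append(SyslogEvent(when, facility, int(severity), message.strip()))
    return events


def find_switchover(events: List[SyslogEvent]) -> Optional[Dict[str, object]]:
    """Correlate a module reset with the completed NMP image synchronization
    that marks the end of the switchover; None if the sequence is incomplete."""
    sw: Optional[Dict[str, object]] = None
    for ev in events:
        if ev.facility != "SYS":
            continue
        m = RESET_RE.search(ev.message)
        if m:
            sw = {"reset_module": int(m.group(1)), "reset_source": m.group(2), "reset_at": ev.when}
            continue
        if sw is None:
            continue
        m = STANDBY_RE.search(ev.message)
        if m and int(m.group(1)) == sw["reset_module"]:
            sw["standby_at"] = ev.when
        elif SYNCED_RE.search(ev.message) and "standby_at" in sw:
            sw["synced_at"] = ev.when
            sw["elapsed_seconds"] = int((ev.when - sw["reset_at"]).total_seconds())
            return sw
    return None


if __name__ == "__main__":
    print(find_switchover(parse_catos_syslog(SAMPLE_LOG)))
```

The elapsed time between the reset and the final synchronization message is the window in which the chassis has no standby; an unexpected reset source, or a reset that never reaches the "synchronized" message, is the condition to alert on.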

High Availability
High availability allows you to minimize the switchover time from the active supervisor engine to the
standby supervisor engine if the active supervisor engine fails.
Prior to this feature, fast switchover ensured that a switchover to the standby supervisor engine happened
quickly. However, with fast switchover, because the state of the switch features before the switchover
was unknown, you had to reinitialize and restart all the switch features when the standby supervisor
engine assumed the active role.
High availability removes this limitation; high availability allows the active supervisor engine to
communicate with the standby supervisor engine, keeping feature protocol states synchronized.
Synchronization between the supervisor engines allows the standby supervisor engine to take over in the
event of a failure.
In addition, high availability provides a versioning option that allows you to run different software
images on the active and standby supervisor engines.
These features are discussed in these sections:
• High-Availability Overview, page 22-8
• High-Availability Supported Features, page 22-9
• Versioning Overview, page 22-10
• CLI Commands, page 22-11
• Loading a Different (but Compatible) Image on the Standby Supervisor Engine, page 22-13

High-Availability Overview
For high availability, a system database is maintained on the active supervisor engine and updates are
sent to the standby supervisor engine for any change of data in the system database. The active
supervisor engine communicates and updates the standby supervisor engine when any state changes
occur, ensuring that the standby supervisor engine knows the current protocol state of supported
features. The standby supervisor engine knows the current protocol states for all modules, ports, and
VLANs; the protocols can initialize with this state information and start running immediately.
The active supervisor engine controls the system bus (backplane), sends and receives packets to and
from the network, and controls all modules. Protocols run on the active supervisor engine only.
The standby supervisor engine is isolated from the system bus and does not switch packets. But it does
receive packets from the switching bus to learn and populate its Layer 2 forwarding table for
Layer 2-switched flows. The standby supervisor engine also receives packets from the switching bus to
learn and populate the Multilayer Switching (MLS) table for Layer 3-switched flows. The standby
supervisor engine does not participate in forwarding any packets and does not communicate with any
modules.
If you enable high availability while the standby supervisor engine is running, image version
compatibility is checked and, if the images are compatible, database synchronization starts. After a
switchover, high-availability-compatible features continue from the states saved on the standby
supervisor engine.
When you disable high availability, the database synchronization is not done and all features must restart
on the standby supervisor engine after a switchover.
If you change high availability from enabled to disabled, synchronization from the active supervisor
engine is stopped and the standby supervisor engine discards all current synchronization data.

If you change high availability from disabled to enabled, synchronization from the active to standby
supervisor engine is started (provided the standby supervisor engine is present and its image version is
compatible).
NVRAM synchronization occurs irrespective of high availability being enabled or disabled (provided
there are compatible NVRAM versions on the two supervisor engines).
If a standby supervisor engine is not installed during system bootup, the active supervisor engine
detects this and does not queue database updates for synchronization. Similarly, when you reset or
remove the standby supervisor engine, synchronization updates are not queued and any pending updates
in the synchronization queue are discarded. When you hot insert or restart a second supervisor engine
that becomes the standby supervisor engine, the active supervisor engine downloads the entire system
database to it. Only after this global synchronization completes does the active supervisor engine
queue and synchronize the individual updates to the standby supervisor engine.

Note When you hot insert or restart a second supervisor engine, it might take a few minutes for the global
synchronization to complete.

High-Availability Supported Features

Note MLS flows are preserved from the active supervisor engine to the standby supervisor engine.

Note High availability does not preserve routing table entries on the active MSFC because high
availability is not run on the MSFC IOS software. However, you can configure both MSFCs on the
active and standby supervisor engines with the same configuration to preserve routing table entries
across the active and standby MSFCs. You can then configure HSRP on the MSFCs to provide
automatic routing backup. See the “MSFC Redundancy” section on page 22-18 for detailed
information.

High availability for the Catalyst 6000 family switch is classified into three categories (see Table 22-1):
• Supported features—High availability is fully supported; the feature’s database is synchronized
from the active supervisor engine to the standby supervisor engine.
• Compatible features—High availability is not supported; the feature’s database is not synchronized
from the active supervisor engine to the standby supervisor engine. However, the feature can be
enabled (operational) with high availability.
• Incompatible features—High availability is not supported; the feature’s database is not
synchronized from the active supervisor engine to the standby supervisor engine. The feature cannot
be enabled if high availability is enabled and similarly, high availability cannot be enabled if the
feature is enabled.

Note Timers and statistics are not synchronized from the active to the standby supervisor engine.

Table 22-1 High Availability Feature Support

Supported Features:
• CEF
• COPS-DS
• COPS-PR
• DTP
• EtherChannel
• IOS ACLs
• MLS
• PAgP
• QoS
• SPAN
• STP
• Trunking
• UDLD
• VACLs
• VTP

Compatible Features:
• ASLB
• CDP
• GMRP
• IGMP snooping
• RMON
• RSVP
• SNMP
• Telnet sessions
• UplinkFast
• VTP pruning

Incompatible Features:
• Dynamic VLAN
• GVRP
• Port security
• Protocol filtering

Versioning Overview
When you enable high-availability versioning, you can have two different but compatible images on the
active and standby supervisor engines. The active supervisor engine exchanges image version
information with the standby supervisor engine and determines whether the images are compatible for
enabling high availability. If the active and standby supervisor engines are not running compatible image
versions, you cannot enable high availability.
Image versioning is supported in supervisor engine software release 5.4(1)CSX and later releases. With
versioning enabled, high availability is fully supported with the active and standby supervisor engines
running different images as long as the images are compatible. The only fully compatible images are as
follows:
• 5.5(3) and 5.5(4)
• 6.1(3) and 6.1(4)
Images that are compatible with all modules except Gigabit Ethernet switching modules are as follows:
• 5.4(3) and 5.4(4)
• 5.5(3) and 5.5(5)
• 5.5(4) and 5.5(5)
Images that are compatible with Gigabit Ethernet switching modules but not compatible with
10/100BASE-T modules are as follows:
• 5.5(6a) and 5.5(7)

Note Attempting to run incompatible image versions could result in configuration loss.

Note When you install two supervisor engines, the first supervisor engine to come online becomes the
active module; the second supervisor engine goes into standby mode. If two supervisor engines are
installed in your system, at power up the supervisor engine in slot 1 becomes active, and the
supervisor engine in slot 2 enters standby mode. If the software versions of the two supervisor
engines are different, or if the NVRAM configuration of the two supervisor engines is different, and
if you do not enable versioning, the active supervisor engine automatically downloads its software
image and configuration to the standby supervisor engine.

CLI Commands
This section describes the CLI commands for high availability and versioning.

Enabling or Disabling High Availability

High availability is disabled by default. To enable or disable high availability, perform this task in
privileged mode:

Task Command
Enable or disable high availability. set system highavailability {enable | disable}

This example shows how to enable high availability:
Console> (enable) set system highavailability enable
System high availability enabled.
Console> (enable)

This example shows how to disable high availability:
Console> (enable) set system highavailability disable
System high availability disabled.
Console> (enable)

Enabling or Disabling High-Availability Versioning

High-availability versioning is disabled by default. To enable or disable high-availability versioning,
perform this task in privileged mode:

Task                                                Command
Enable or disable high-availability versioning.     set system highavailability versioning {enable | disable}

This example shows how to enable high-availability versioning:
Console> (enable) set system highavailability versioning enable
Image versioning enabled.
Console> (enable)

This example shows how to disable high-availability versioning:
Console> (enable) set system highavailability versioning disable
Image versioning disabled.
Console> (enable)

Showing High-Availability Settings and Operational Status

The show system highavailability command displays the following:
• High-availability setting (enabled or disabled)
• Versioning setting (enabled or disabled)
• High-availability operational status (based on whether the standby supervisor engine is present and
operational). The operational status field displays one of the following:
– OFF (high-availability-not-enabled): The high availability option in NVRAM is disabled.
– OFF (standby-supervisor-not-present): The standby supervisor engine is not installed.
– OFF (standby-supervisor-image-incompatible): The standby supervisor engine is running a
different image than the active supervisor engine and it is not version compatible (the
versioning option in NVRAM is enabled). No synchronization is done (even a configuration
change in NVRAM on the active supervisor engine cannot be propagated to the standby
supervisor engine because of the version incompatibility).
– OFF (standby-supervisor-image-nvram-only-compat): The standby supervisor engine is
running a different image than the active supervisor engine (versioning option in NVRAM is
enabled) and the image is only NVRAM compatible (that is, a configuration change in NVRAM
on the active supervisor engine is propagated to the standby supervisor engine). However, high
availability cannot be supported.
– OFF (standby-supervisor-not-operational-yet): The standby supervisor engine is detected but is
not operational (not online yet).
– OFF (high-availability-not-operational-yet): The standby supervisor engine is operational
(online), but high availability is not operational yet (when the system is booted from reset, it
takes a few minutes before high availability is operational).
– ON: High availability is operational. The active supervisor engine’s features have started
queuing their state changes for synchronizing to the standby supervisor engine.
To show the high-availability configuration and operational states, perform this task:

Task                                                              Command
Show high-availability configuration and operational states.      show system highavailability

This example shows the show system highavailability output when both high availability and versioning
are disabled:
Console> (enable) show system highavailability
Highavailability: disabled
Highavailability versioning: disabled
Highavailability Operational-status: OFF (high-availability-not-enabled)
Console> (enable)

This example shows how to enable high availability and then display the resulting operational status:
Console> (enable) set system highavailability enable
System high availability enabled.
Console> (enable)

Console> (enable) show system highavailability
Highavailability: enabled
Highavailability versioning: disabled
Highavailability Operational-status: ON
Console> (enable)

Loading a Different (but Compatible) Image on the Standby Supervisor Engine

Use this procedure to load a new image on the standby supervisor engine that is different from the image
on the active supervisor engine. From the active supervisor engine console port, perform these steps
(active supervisor engine is in slot 1):

Step 1 Enable high availability versioning.
Console> (enable) set system highavailability enable
System high availability enabled.
Console> (enable)

Step 2 Download the new image to the active supervisor engine bootflash.
Console> (enable) copy tftp:image2.bin bootflash
IP address or name of remote host []? 172.20.52.3

8763532 bytes available on device bootflash, proceed (y/n) [n]? y

... display text truncated
Console> (enable)

Step 3 Copy the new image to the standby supervisor engine bootflash.
Console> (enable) copy bootflash:image2.bin 2/bootflash:

5786532 bytes available on device bootflash, proceed (y/n) [n]? y

... display text truncated
Console> (enable)

Step 4 Modify the BOOT environment variable so the standby supervisor engine boots the new image.
Console> (enable) set boot system flash bootflash:image2.bin prepend 2
BOOT variable = bootflash:image2.bin,1;slot0:image1.bin,1
Console> (enable)

Step 5 To boot the new image, reset the standby supervisor engine.
Console> (enable) reset 2
This command will reset the system.
Do you want to continue (y/n) [n]? y

... display text truncated
Console> (enable)
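Before resetting a standby into a different image, as in the procedure above, an operator wants two answers: whether high availability is actually operational (the show system highavailability states listed earlier) and whether the two images are a pair the "Versioning Overview" section declares compatible. The following Python is an added example, not Cisco code and not part of this guide. It parses show system highavailability output into its three fields, maps each OFF reason to the remedy the status list above implies, and encodes the compatible image pairs listed in the "Versioning Overview" section as a lookup; the command output embedded in it is constructed to mirror the examples above, and the remedy text for each reason is my paraphrase of those descriptions.

```python
"""High-availability readiness check: status parsing plus the image-version
compatibility pairs from the "Versioning Overview" section.
Added example, not Cisco code; sample command output is constructed."""
import re
from typing import Dict, Optional, Tuple

# Image pairs from the "Versioning Overview" section (order of the two
# versions does not matter, so pairs are stored sorted).
FULLY_COMPATIBLE = {("5.5(3)", "5.5(4)"), ("6.1(3)", "6.1(4)")}
COMPATIBLE_EXCEPT_GIGABIT = {("5.4(3)", "5.4(4)"), ("5.5(3)", "5.5(5)"), ("5.5(4)", "5.5(5)")}
COMPATIBLE_EXCEPT_10_100 = {("5.5(6a)", "5.5(7)")}

HA_DISABLED_SAMPLE = """\
Console> (enable) show system highavailability
Highavailability: disabled
Highavailability versioning: disabled
Highavailability Operational-status: OFF (high-availability-not-enabled)
Console> (enable)
"""

HA_ON_SAMPLE = """\
Highavailability: enabled
Highavailability versioning: disabled
Highavailability Operational-status: ON
"""

# Meaning of each OFF reason, paraphrased from the status list above.
OFF_REASONS = {
    "high-availability-not-enabled": "enable it with 'set system highavailability enable'",
    "standby-supervisor-not-present": "no standby supervisor engine is installed",
    "standby-supervisor-image-incompatible": "no synchronization at all, not even NVRAM; load a compatible image",
    "standby-supervisor-image-nvram-only-compat": "NVRAM is synchronized but feature state is not; load a compatible image",
    "standby-supervisor-not-operational-yet": "standby detected but not online yet; wait",
    "high-availability-not-operational-yet": "standby online, global synchronization still running; wait a few minutes",
}

STATUS_RE = re.compile(r"Highavailability Operational-status:\s*(ON|OFF)(?:\s*\(([^)]*)\))?")


def image_compatibility(active: str, standby: str) -> str:
    """Classify an image pair using the lists from the Versioning Overview."""
    if active == standby:
        return "identical"
    pair = tuple(sorted((active, standby)))
    if pair in FULLY_COMPATIBLE:
        return "fully-compatible"
    if pair in COMPATIBLE_EXCEPT_GIGABIT:
        return "compatible-except-gigabit-ethernet-modules"
    if pair in COMPATIBLE_EXCEPT_10_100:
        return "compatible-except-10/100-modules"
    return "incompatible"


def parse_ha_status(output: str) -> Dict[str, Optional[str]]:
    """Extract the setting, versioning setting, operational state and OFF reason."""
    status: Dict[str, Optional[str]] = {"enabled": None, "versioning": None, "operational": None, "reason": None}
    for line in output.splitlines():
        line = line.strip()
        m = STATUS_RE.match(line)
        if m:
            status["operational"], status["reason"] = m.group(1), m.group(2)
        elif line.startswith("Highavailability versioning:"):
            status["versioning"] = line.split(":", 1)[1].strip()
        elif line.startswith("Highavailability:"):
            status["enabled"] = line.split(":", 1)[1].strip()
    return status


def ha_ready(output: str) -> Tuple[bool, str]:
    """True when feature state is being synchronized; otherwise the reason and remedy."""
    s = parse_ha_status(output)
    if s["operational"] == "ON":
        return True, "high availability operational"
    reason = s["reason"] or "unknown"
    return False, f"{reason}: {OFF_REASONS.get(reason, 'see show system highavailability')}"


def standby_image_allowed(active: str, standby: str, versioning_enabled: bool) -> Tuple[bool, str]:
    """Can a standby running 'standby' coexist with an active running 'active'
    under high availability?  Without versioning the active overwrites the
    standby image with its own, as the note in the Versioning Overview states."""
    compat = image_compatibility(active, standby)
    if compat == "identical":
        return True, "same image on both supervisor engines"
    if not versioning_enabled:
        return False, "versioning disabled: the active supervisor engine will overwrite the standby image"
    if compat == "incompatible":
        return False, "incompatible images; high availability cannot be enabled"
    return True, compat


if __name__ == "__main__":
    print(ha_ready(HA_DISABLED_SAMPLE))
    print(standby_image_allowed("5.5(3)", "5.5(4)", versioning_enabled=True))
```

Run standby_image_allowed with the two version strings before Step 2 of the procedure; a pair that is only compatible except for one module type still needs a check of the installed modules, which the lookup cannot do for you.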

Supervisor Engine Synchronization Examples

These sections contain examples that show what happens when the synchronization function encounters
certain conditions:
• Synchronizing the Runtime Image with the Bootstring, page 22-14
• Synchronizing the Boot Images on the Active and Standby Supervisor Engines, page 22-16

Note In the following examples, the number 1 following the filename in the bootstring (for example,
bootflash:f1,1) indicates the number of Trivial File Transfer Protocol (TFTP) boot retries that are
attempted. However, the supervisor engine does not support TFTP booting. The number is included
in these examples to be consistent with Cisco IOS conventions.

Note These examples are not intended to cover every possible condition.

Synchronizing the Runtime Image with the Bootstring

This section contains four examples in which the active supervisor engine runtime image is synchronized
with the standby supervisor engine.

Example 1: Runtime image not synchronized

The configuration for example 1 is as follows:
• The active supervisor engine configuration is as follows (if the image in the standby supervisor
engine is identical to the image in the active supervisor engine, the output is the same):
– Runtime image: bootflash:f1
– Boot string: bootflash:f1,1
– Bootflash: f1
• The time stamp for f1 on the active supervisor engine is the same as f1 on the standby supervisor
engine.
• The expected results are as follows:
– The active supervisor engine f1 image is not copied to the standby supervisor engine.
– The standby supervisor engine bootstring is not modified.
– The standby supervisor engine is not reset.

Example 2: File copied, bootstring changed, standby supervisor engine reset

The configuration for example 2 is as follows:
• The active supervisor engine configuration is as follows:
– Runtime image: bootflash:f1
– Boot string: bootflash:f1,1
– Bootflash: f1

• The standby supervisor engine configuration is as follows:
– Runtime image: bootflash:f2
– Boot string: bootflash:f2,1
– Bootflash: f2
• The time stamp for f1 on the active supervisor engine is not the same as f2 on the standby supervisor
engine.
• The expected results are as follows:
– The active supervisor engine copies f1 to the standby supervisor engine and renames the file
RTSYNC_f1.
– The standby supervisor engine bootflash is modified to the following: f2, RTSYNC_f1.
– The standby supervisor engine bootstring is modified to the following:
bootflash:RTSYNC_f1,1;f2,1;.
– The standby supervisor engine is reset.

Example 3: File not copied, bootstring changed, standby supervisor engine reset

The configuration for example 3 is as follows:
• The active supervisor engine configuration is as follows:
– Runtime image: bootflash:f1
– Boot string: bootflash:f1,1
– Bootflash: f1
• The standby supervisor engine configuration is as follows:
– Runtime image: bootflash:f2
– Boot string: bootflash:f2,1
– Bootflash: f1,f2
• The time stamp for f1 on the active supervisor engine is the same as f1 on the standby supervisor
engine but is not the same as f2 on the standby supervisor engine.
• The expected results are as follows:
– The active supervisor engine runtime image is synchronized to the standby supervisor engine.
– The active supervisor engine f1 image is not copied to the standby supervisor engine.
– The standby supervisor engine boot string is modified to the following: f1,1;f2,1;.
– The standby supervisor engine is reset.

Example 4: Oldest bootflash file deleted, bootflash squeezed

The configuration for example 4 is as follows:
• The active supervisor engine configuration is as follows:
– Runtime image: bootflash:f1
– Boot string: bootflash:f1,1
– Bootflash: f1

• The standby supervisor engine configuration is as follows:
– Runtime image: bootflash:f2
– Boot string: bootflash:f2,1;
– Bootflash: f2, f3, f4 (less than 1 MB left on device)
• The time stamp for f1 on the active supervisor engine is not the same as f2 on the standby supervisor
engine. The f2 time stamp is older than f3, and the f3 time stamp is older than f4.
• The expected results are as follows:
– The active supervisor engine runtime image is synchronized with the standby supervisor engine.
– The active supervisor engine attempts to copy its f1 image to the standby supervisor engine.
– Because there is not enough space on the standby supervisor engine bootflash, the redundant
synchronization function finds the oldest file, deletes it, and squeezes bootflash.
– The active supervisor engine copies the f1 image to the standby supervisor engine and renames
it RTSYNC_f1.
– The standby supervisor engine bootflash is modified to the following: f3, f4, RTSYNC_f1.
– The standby supervisor engine boot string is modified to the following: RTSYNC_f1,1;f2,1;.
– The standby supervisor engine is reset.

Synchronizing the Boot Images on the Active and Standby Supervisor Engines
This section contains four examples in which the bootstrings on the active and standby supervisor
engines are synchronized.

Example 1: Unable to allocate the boot image

The configuration for this example is as follows:
• The active supervisor engine configuration is as follows:
– Runtime image: bootflash:f1
– Boot string: bootflash:f1,1;
– Bootflash: f1
• The standby supervisor engine configuration is as follows:
– Runtime image: bootflash:f1
– Boot string: bootflash:f1,1;
– Bootflash: f1
• The time stamp for f1 on the active supervisor engine is the same as f1 on the standby supervisor
engine.
• The system attempts to modify the active supervisor engine bootstring to the following: f2,1;.
• The expected results are as follows:
– The active supervisor engine is unable to allocate f2, causing the synchronization to fail.
– An error is recorded in syslog.

– The active supervisor engine f1 image is not copied to the standby supervisor engine.
– The standby supervisor engine bootstring is not modified.
– The standby supervisor engine is not reset.

Example 2: File copied, bootflash modified, standby supervisor engine not reset

The configuration for this example is as follows:
• The active supervisor engine configuration is as follows:
– Runtime image: bootflash:f1
– Boot string: bootflash:f1,1;
– Bootflash: f1,f2
• The standby supervisor engine configuration is as follows:
– Runtime image: bootflash:f1
– Boot string: bootflash:f1,1;
– Bootflash:
• The time stamp for f1 on the active supervisor engine is the same as f1 on the standby supervisor
engine.
• You modify the active supervisor engine bootstring to the following: f2,1;.
• The expected results are as follows:
– The active supervisor engine copies its f2 image to the standby supervisor engine and renames
it BTSYNC_f2.
– The standby supervisor engine bootflash is modified to the following: f1, BTSYNC_f2.
– The standby supervisor engine bootstring is modified to the following:
bootflash:BTSYNC_f2,1;f1,1;.
– The standby supervisor engine is not reset.

Example 3: File not copied, bootstring modified, standby supervisor engine not reset

The configuration for this example is as follows:


• The active supervisor engine configuration is as follows:
– Runtime image: bootflash:f1
– Boot string: bootflash:f1,1;
– Bootflash: f1,f2
• The standby supervisor engine configuration is as follows:
– Runtime image: bootflash:f1
– Boot string: bootflash:f1,1;
– Bootflash: f1,f2
• The time stamp for f1 on the active supervisor engine is the same as f1 on the standby supervisor
engine; the time stamp for f2 on the active supervisor engine is the same as f2 on the standby
supervisor engine.
• The active supervisor engine bootstring is modified to the following: f2,1; f1,1;.

• The expected results are as follows:
– The active supervisor engine f1 image is not copied to the standby supervisor engine.
– The standby supervisor engine bootstring is modified to the following:
bootflash:f2,1;bootflash:f1,1;.
– The standby supervisor engine is not reset.

Example 4: File copied, oldest file deleted, bootflash squeezed, bootstring modified, standby supervisor engine not reset

The configuration for this example is as follows:
• The active supervisor engine configuration is as follows:
– Runtime image: bootflash:f1
– Boot string: bootflash:f1,1;
– Bootflash: f1,f2
• The standby supervisor engine configuration is as follows:
– Runtime image: bootflash:f1
– Boot string: bootflash:f1,1;
– Bootflash: f0,f1,f3 (less than 1 MB left on device)
• The time stamp for f1 on the active supervisor engine is the same as f1 on the standby supervisor
engine. The time stamp for f0 is older than f1, and the time stamp for f1 is older than f3.
• The active supervisor engine bootstring is modified to the following:
bootflash:f2,1;bootflash:f1,1;
• The expected results are as follows:
– The active supervisor engine attempts to copy its f2 image to the standby supervisor engine.
– Because there is not enough space available on the standby supervisor engine bootflash, the
redundant synchronization function finds the oldest file (f0), deletes it, and squeezes bootflash.
– The active supervisor engine copies its f2 image to the standby supervisor engine and renames
it BTSYNC_f2.
– The standby supervisor engine bootflash is modified to the following: f1, f3, BTSYNC_f2.
– The standby supervisor engine boot string is modified to the following:
bootflash:BTSYNC_f2,1;bootflash:f1,1;.
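The eight examples in the two preceding sections (runtime image synchronization and boot image synchronization) follow one set of rules: copy only when the standby lacks a file with the same name and time stamp, rename the copy with an RTSYNC_ or BTSYNC_ prefix, delete the oldest bootflash file and squeeze when less than 1 MB is free, prepend the new name to the standby bootstring, reset the standby only for runtime synchronization, and fail with a syslog entry when the active supervisor engine cannot allocate the image. The following Python is an added example, not Cisco code and not part of this guide: it models those rules so they can be checked against bootflash contents other than the ones listed. It assumes the bootstring is an ordered list of image names (the ",1" retry count, which the note above calls cosmetic on this platform, and the bootflash: prefix are omitted), that squeezing after deleting the oldest file frees enough space for the copy, as it does in every example above, and, for boot image example 2, that the standby bootflash already held f1, since the example's expected result lists f1 while its standby bootflash line is blank.

```python
"""Model of the supervisor engine image synchronization rules illustrated by
the runtime-image and boot-image examples.  Constructed model, not Cisco code.
Assumptions: bootstring = ordered list of image names; squeezing after one
deletion frees enough space; time stamps are plain integers."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ONE_MB = 1024 * 1024


@dataclass
class Supervisor:
    files: Dict[str, int]              # bootflash contents: image name -> time stamp
    bootstring: List[str]              # boot candidates, head boots first
    runtime: Optional[str] = None      # image currently running
    free_bytes: int = 64 * ONE_MB      # free space left on bootflash
    reset: bool = False


@dataclass
class SyncResult:
    ok: bool
    copied: Optional[str] = None       # name written on the standby bootflash
    deleted: Optional[str] = None      # oldest file removed to make room
    squeezed: bool = False
    bootstring_changed: bool = False
    reset: bool = False
    syslog: List[str] = field(default_factory=list)


def _sync_image(image: str, active: Supervisor, standby: Supervisor,
                prefix: str, reset_standby: bool) -> SyncResult:
    res = SyncResult(ok=True)
    if image not in active.files:
        # Boot image example 1: the active supervisor cannot allocate the image.
        res.ok = False
        res.syslog.append(f"SYS-3:unable to allocate {image} on active supervisor; sync failed")
        return res
    stamp = active.files[image]
    if standby.files.get(image) == stamp:
        name = image                   # same name and time stamp: nothing to copy
    else:
        if standby.free_bytes < ONE_MB:
            # Less than 1 MB free: drop the oldest file and squeeze bootflash.
            oldest = min(standby.files, key=standby.files.__getitem__)
            del standby.files[oldest]
            standby.free_bytes = 64 * ONE_MB   # assumption: squeeze recovers the space
            res.deleted, res.squeezed = oldest, True
        name = f"{prefix}_{image}"
        standby.files[name] = stamp
        res.copied = name
    if not standby.bootstring or standby.bootstring[0] != name:
        standby.bootstring = [name] + standby.bootstring
        res.bootstring_changed = True
        if reset_standby:
            standby.reset = res.reset = True
    return res


def sync_runtime_image(active: Supervisor, standby: Supervisor) -> SyncResult:
    """Make the active runtime image the standby's first boot candidate;
    a changed standby bootstring triggers a standby reset."""
    return _sync_image(active.runtime, active, standby, "RTSYNC", reset_standby=True)


def sync_boot_image(active: Supervisor, standby: Supervisor) -> SyncResult:
    """Propagate a changed active bootstring head to the standby, without a reset."""
    return _sync_image(active.bootstring[0], active, standby, "BTSYNC", reset_standby=False)


if __name__ == "__main__":
    # Runtime image example 4: standby low on space, oldest file f2 removed.
    active = Supervisor(files={"f1": 100}, bootstring=["f1"], runtime="f1")
    standby = Supervisor(files={"f2": 200, "f3": 300, "f4": 400}, bootstring=["f2"],
                         runtime="f2", free_bytes=512 * 1024)
    print(sync_runtime_image(active, standby), standby)
```

Running each example's starting state through the matching function reproduces the expected results the text lists, which is the point of the model: the same four rules explain every outcome, and a change you plan to make to bootflash or the bootstring can be previewed before it touches the standby.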

MSFC Redundancy
MSFC redundancy is described in these sections:
• Dual MSFC Redundancy, page 22-19
• Single Router Mode Redundancy, page 22-41
• Manual-Mode MSFC Redundancy, page 22-45

Dual MSFC Redundancy

Caution You must configure both MSFCs identically. Table 22-2 on page 22-20 summarizes the identical
requirements and the exceptions for Layer 3 redundancy for a single switch chassis.

We do not support configurations where the MSFCs are not configured identically.

These sections describe how to configure MSFC redundancy:
• Hardware and Software Requirements, page 22-19
• Layer 3 Redundancy for a Single Chassis, page 22-19
• Routing Protocol Peering, page 22-20
• Access Control List Configuration, page 22-22
• Dual MSFC Operational Model for Redundancy and Load Sharing, page 22-22
• Understanding Failure Scenarios, page 22-24

Hardware and Software Requirements

To configure Layer 3 redundancy, you must have at least one of the following configurations:
• A single chassis with two identical supervisor engine daughter card configurations:
– Supervisor Engine 1 with Policy Feature Card (PFC) and MSFC or MSFC2 (both supervisor
engines must have the same type of MSFC)
– Supervisor Engine 2 with PFC2 and MSFC2
• Two chassis with a supervisor engine in each—You must have at least one supervisor engine in each
chassis. Each supervisor engine must be equipped with a PFC and an MSFC.

Note Each MSFC must be running the same release of Cisco IOS software.

Layer 3 Redundancy for a Single Chassis

In a single Catalyst 6000 family chassis, you can have redundant supervisor engines, each with an
MSFC. You can configure HSRP on the MSFCs to provide transparent default gateway redundancy for
IP hosts in the network. HSRP configuration can coexist with IPX and AppleTalk configuration on the
same interfaces.
If one MSFC fails, HSRP allows the other MSFC (router) to assume its function automatically.
Combined with the high-availability feature of supervisor engine software release 5.4(1), this
configuration provides an added level of redundancy for your network.

Caution You must configure both MSFCs identically. Table 22-2 summarizes the identical requirements and
the exceptions for Layer 3 redundancy for a single switch chassis.

Table 22-2 Single Chassis Layer 3-Redundancy Requirements

Identical Requirements—Global and Interface Levels:
• Both MSFCs must have the following:
– Same routing protocols
– Same static routes
– Same default routes
– Same policy routes
– Same VLAN interfaces
– Same IOS ACLs (see notes 1 and 2)
• All interfaces must have the same administrative status

Exceptions—Interface Level:
• HSRP standby commands
• IP address commands (see note 3)
• IPX network (see note 3)

Exceptions—Global Level:
• IP default-gateway
• IPX internal-network
• IPX default-route

1. Dynamic and reflexive ACLs, which are based on actual data flow, may be programmed by either MSFC.
2. In addition to defining the same ACLs on both MSFCs, you must also apply the ACLs to the same VLAN interfaces, in the
same direction, on both MSFCs.
3. The IP or IPX addresses do not have to be identical on both MSFCs, but there must be an IP or IPX address configured on
both MSFCs.

For information on specifying alternate configurations for the interface and global level exceptions
listed in Table 22-2, see the “alt Keyword Usage” section on page 22-33.
Redundant supervisor engines must have identical hardware (MSFC and PFC). See the “Hardware and
Software Requirements” section on page 22-19 for more information.

Note For MSFC and MSFC2 memory requirements, refer to the Release Notes for MSFC publication:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/index.htm

Routing Protocol Peering


In a redundant supervisor engine and dual MSFC configuration, one supervisor engine is fully
operational (active) and the other supervisor engine is in standby mode; however, both MSFCs are
operational (in terms of programming the PFC on the active supervisor engine) and act as independent
routers.

Note PFC: With the PFC, MLS entries can be associated with either MSFC (based on which MSFC routed
the first packet). Only the PFC on the active supervisor engine switches the packets.

Note PFC2: With PFC2, only the designated MSFC programs the forwarding information base (FIB), the
adjacency table, Cisco IOS software, and policy routing ACLs on the active supervisor engine. If you
configure static routes or policy routing, you must have the identical configuration on both MSFCs.
If you have a static route on the nondesignated MSFC that is not on the designated MSFC, that route
will not be programmed in the PFC2.


Both MSFCs are operational from a routing protocol peering perspective. For example, if you
have two MSFCs in a single Catalyst 6000 family switch chassis, each configured with interface
VLAN 10 and VLAN 21, the MSFCs are peered to each other over these VLANs. Combined with a dual
chassis and dual MSFC design for the same VLANs, each MSFC has 6 peers: its peer in the same chassis
as well as the 2 MSFCs in the second chassis (3 in VLAN 10 and 3 in VLAN 21). See Figure 22-1.

Figure 22-1 Dual Chassis and Dual MSFC Peering

[Figure: Switch 1 and Switch 2 are connected by a trunk. Each switch has Sup#1/MSFC#1 in slot 1 and
Sup#2/MSFC#2 in slot 2, and all four MSFCs have interfaces on VLAN 10 and VLAN 21.]

Although the MSFCs (from a peering perspective) act as independent routers, the two MSFCs in the
chassis operate at the same time, have the same interfaces, and run the same routing protocols.
If you combine high availability on the supervisor engines with HSRP on the MSFCs, you have the
following Layer 2 and Layer 3 redundancy mechanisms:
• Layer 2 redundancy for the supervisor engines (one active and one in standby)—If the active
supervisor engine fails (the MSFC installed on it will also fail), both Layer 2 and Layer 3 functions
roll over to the redundant supervisor engine and MSFC combination.
• Layer 3 redundancy and load sharing for the two MSFCs—If one MSFC fails, the other MSFC takes
over almost immediately (using HSRP) without any Layer 2 disruption (the active supervisor engine
continues to forward Layer 2 traffic).
The Layer 3 entries programmed by the failed MSFC on the active supervisor engine are used until they
gracefully age out and are replaced by the Layer 3 entries populated by the newly active MSFC. Aging
takes 4 minutes and allows the newly active MSFC to repopulate the MLS entries using its XTAG value,
while concurrently hardware-switching flows yet to be aged. In addition, this process prevents a newly
active MSFC from being overwhelmed with initial flow traffic.

Note Each MSFC has its own XTAG value to identify itself as the MLS Route Processor. MSFC #1 (on the
active supervisor engine) has an XTAG of 1, and MSFC #2 (on the standby supervisor engine) has
an XTAG of 2.

Only Supervisor Engine 1 uses the XTAG values; XTAG values are not used on Supervisor Engine 2.

Caution For same-chassis Layer 3 redundancy to function as expected, the configuration on each MSFC must
be the same (see Table 22-2 on page 22-20).


Note Table 22-2 lists configuration exceptions. For example, in Figure 22-1, there are 4 MSFCs on
VLAN 10; therefore, each MSFC has different IP addresses and HSRP priorities.

Access Control List Configuration


If you use Cisco IOS access control lists (ACLs) on the MSFC, you must configure the ACLs on both
MSFCs identically, globally, and at the interface level. Only the designated MSFC (the MSFC to come
online first, or the MSFC that has been online the longest) programs the PFC with ACL information.
The active supervisor engine’s PFC multilayer switches packets (for PFC2, with CEF [Cisco Express
Forwarding]) after consulting its ACL ASIC to determine, according to the configured IOS ACL, whether a
packet is forwarded. If a designated MSFC fails, the new designated MSFC must reprogram the
PFC for static ACLs. For consistent results, both MSFCs must have identical ACL configurations,
including static ACLs.

Note In addition to defining the same ACLs on both MSFCs, you must also apply the ACLs to the same
VLAN interfaces on both MSFCs.

Note Dynamic and reflexive ACLs, which are based on actual data flow, may be programmed by either
MSFC.

Note PFC: For detailed information on hardware and software handling of IOS ACLs with the PFC, see
the “Hardware and Software Handling of Cisco IOS ACLs with PFC” section on page 16-10.

Note PFC2: For detailed information on hardware and software handling of IOS ACLs with the PFC2, see
the “Hardware and Software Handling of Cisco IOS ACLs with PFC2” section on page 16-12.

To determine the status of the designated MSFC, enter the show fm features or the show redundancy
command:
Router-15# show redundancy
Designated Router: 1 Non-designated Router:2
Redundancy Status: non-designated
Config Sync AdminStatus : enabled
Config Sync RuntimeStatus: enabled

Router-16# show redundancy
Designated Router: 1 Non-designated Router:2
Redundancy Status: designated
Config Sync AdminStatus : enabled
Config sync RuntimeStatus: enabled
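As an added example that is not part of the Cisco guide, the following Python checker applies the identical-configuration rule of Table 22-2 to two MSFC running configurations, reporting every command that is present on only one MSFC unless it falls under the interface-level or global-level exceptions the table lists (plus hostname, which Table 22-3 gives an alt form). The two configurations are constructed samples and the minimal line-based parser is this example's own, not a Cisco tool.

```python
"""Check two MSFC configurations against the identical-configuration rule of
Table 22-2, allowing only the interface-level and global-level exceptions.

Added example, not part of the Cisco guide. MSFC1_CONFIG and MSFC2_CONFIG are
constructed samples; the line-based parser is this example's own and only
understands the section types listed in SECTION_PREFIXES.
"""

# Table 22-2 exceptions: commands that may legitimately differ between MSFCs.
INTERFACE_EXCEPTIONS = ("standby ", "ip address ", "ipx network ")
GLOBAL_EXCEPTIONS = ("ip default-gateway ", "ipx internal-network ",
                     "ipx default-route ",
                     "hostname ")  # hostname has an alt form in Table 22-3
SECTION_PREFIXES = ("interface ", "router ", "ip access-list ")


def parse_config(text):
    """Split an IOS-style configuration into a set of global commands and a
    dict of indented sections {header: [subcommands]}."""
    global_cmds, sections, current = set(), {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current in sections:
            sections[current].append(raw.strip())
            continue
        current = raw.strip()
        if current.startswith(SECTION_PREFIXES):
            sections[current] = []
        else:
            global_cmds.add(current)
    return global_cmds, sections


def is_exception(line, scope):
    """True if Table 22-2 allows this command to differ at the given scope."""
    prefixes = INTERFACE_EXCEPTIONS if scope == "interface" else GLOBAL_EXCEPTIONS
    return line.startswith(prefixes)


def compare_configs(text_a, text_b):
    """Return the sorted list of differences that violate Table 22-2; an empty
    list means the two MSFCs are identically configured."""
    global_a, sections_a = parse_config(text_a)
    global_b, sections_b = parse_config(text_b)
    findings = []
    for line in global_a ^ global_b:  # symmetric difference: on one MSFC only
        if not is_exception(line, "global"):
            findings.append(f"global command on one MSFC only: {line}")
    for header in sorted(set(sections_a) | set(sections_b)):
        if header not in sections_a or header not in sections_b:
            findings.append(f"section on one MSFC only: {header}")
            continue
        scope = "interface" if header.startswith("interface ") else "global"
        for line in set(sections_a[header]) ^ set(sections_b[header]):
            if not is_exception(line, scope):
                findings.append(f"{header}: subcommand on one MSFC only: {line}")
    return sorted(findings)


# Constructed sample: MSFC #1 (slot 1) and MSFC #2 (slot 2) of one chassis.
# They differ legitimately in hostname, interface address, HSRP priority and
# default gateway, and illegitimately in a static route and the ACL direction.
MSFC1_CONFIG = """\
hostname Router-15
ip access-list extended BLOCK-TELNET
 deny tcp any any eq 23
 permit ip any any
ip default-gateway 172.20.100.1
interface Vlan10
 ip address 172.20.100.11 255.255.255.0
 ip access-group BLOCK-TELNET in
 standby 10 ip 172.20.100.10
 standby 10 priority 110
router ospf 1
 network 172.20.0.0 0.0.255.255 area 0
ip route 0.0.0.0 0.0.0.0 172.20.100.1
"""

MSFC2_CONFIG = """\
hostname Router-16
ip access-list extended BLOCK-TELNET
 deny tcp any any eq 23
 permit ip any any
ip default-gateway 172.20.100.2
interface Vlan10
 ip address 172.20.100.12 255.255.255.0
 ip access-group BLOCK-TELNET out
 standby 10 ip 172.20.100.10
 standby 10 priority 109
router ospf 1
 network 172.20.0.0 0.0.255.255 area 0
"""

if __name__ == "__main__":
    for finding in compare_configs(MSFC1_CONFIG, MSFC2_CONFIG):
        print(finding)
```

Run against the two samples it reports the missing static route and the ACL applied in opposite directions, while the per-MSFC addresses, priorities and gateways pass as exceptions.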

Dual MSFC Operational Model for Redundancy and Load Sharing


Figure 22-2 shows a typical access and distribution layer building block with multiple VLANs in an
access layer switch. Because there is no Layer 2 loop, HSRP is used for convergence and load sharing.
Switches S1 and S2 have a supervisor engine with an MSFC in slot 1 (Sup #1/MSFC #1) and in slot 2
(Sup #2/MSFC #2). Sup #1 is active and Sup #2 is in standby mode in both switches. High availability
is enabled on the supervisor engines. The supervisor engines automatically perform image and
configuration synchronization; you must manually synchronize the images and configurations on the
MSFCs.

Figure 22-2 Dual MSFC Operational Model for Redundancy and Load Sharing—VLANs 10 and 21

[Figure: an access layer switch carrying VLANs 10/21 and 12/23 connects over Trunk 1 to Switch S1 and
over Trunk 2 to Switch S2.]
Switch S1, slot 1, Sup#1/MSFC#1: HSRP Active VLAN 10 (priority 110); HSRP Standby VLAN 21 (priority 108)
Switch S1, slot 2, Sup#2/MSFC#2: HSRP Standby VLAN 10 (priority 109); HSRP Standby VLAN 21 (priority 107)
Switch S2, slot 1, Sup#1/MSFC#1: HSRP Standby VLAN 10 (priority 108); HSRP Active VLAN 21 (priority 110)
Switch S2, slot 2, Sup#2/MSFC#2: HSRP Standby VLAN 10 (priority 107); HSRP Standby VLAN 21 (priority 109)

In Figure 22-2, you should configure redundancy and load sharing as follows:
• VLAN 10 (even-numbered VLANs)—Configure MSFC #1 in Switch S1 as the primary HSRP
router (priority 110) and configure MSFC #2 as the standby router (priority 109).
• VLAN 21 (odd-numbered VLANs)—Configure MSFC #1 in Switch S2 as the primary HSRP router
(priority 110) and configure MSFC #2 as the standby router (priority 109).
Load sharing is achieved by having the even-numbered VLANs routed by Switch S1 and the
odd-numbered VLANs by Switch S2. In a complete switch failure, the remaining switch would service
both even and odd VLANs.
You can achieve further load sharing by using MSFC #2 in Switch S1 as the primary HSRP router for
VLAN 12 and MSFC #2 as the primary HSRP router in Switch S2 for VLAN 23 (see Figure 22-3).


Figure 22-3 Dual MSFC Operational Model for Redundancy and Load Sharing—VLANs 10, 12, 21, and 23

[Figure: an access layer switch carrying VLANs 10/21 and 12/23 connects over Trunk 1 to Switch S1 and
over Trunk 2 to Switch S2.]
Switch S1, slot 1, Sup#1/MSFC#1: HSRP Active VLAN 10 (priority 110); Standby VLAN 21 (priority 108);
Standby VLAN 12 (priority 109); Standby VLAN 23 (priority 107)
Switch S1, slot 2, Sup#2/MSFC#2: HSRP Standby VLAN 10 (priority 109); Standby VLAN 21 (priority 107);
Active VLAN 12 (priority 110); Standby VLAN 23 (priority 108)
Switch S2, slot 1, Sup#1/MSFC#1: HSRP Standby VLAN 10 (priority 108); Active VLAN 21 (priority 110);
Standby VLAN 12 (priority 107); Standby VLAN 23 (priority 109)
Switch S2, slot 2, Sup#2/MSFC#2: HSRP Standby VLAN 10 (priority 107); Standby VLAN 21 (priority 109);
Standby VLAN 12 (priority 108); Active VLAN 23 (priority 110)

Only the active HSRP router for a VLAN will respond with the HSRP MAC address for ARP requests
to the HSRP IP address. The active HSRP router will in turn ARP for the end stations’ MAC address and
populate its ARP cache. By using both MSFCs in a single chassis to share HSRP duties for even VLANs,
you can share the control plane ARP traffic. In an MSFC failure, only the ARP entries on the affected
VLAN would need to be relearned.
The tradeoff for this level of redundancy and load sharing is the added complexity of keeping track of
the even and odd VLANs on the MSFCs within a Catalyst 6000 family switch chassis.
MLS entries are created for packets arriving at the HSRP MAC addresses as well as those arriving with
the router’s real MAC addresses. HSRP is used for unicast traffic first-hop redundancy; for traffic
received through another router attached to VLAN 10, for example, the actual MAC address of
Sup #1/MSFC #1 is used.
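As an added example (not from the Cisco guide), this Python script encodes the priority ladder of Figures 22-2 and 22-3 (110 for the primary MSFC, 109 for its chassis mate, 108 for the same slot in the other chassis, 107 for the remaining MSFC), renders the per-MSFC standby commands in the form of the examples on this page, and computes which MSFC becomes HSRP active after a given set of MSFC or whole-chassis failures. The virtual addresses for VLANs 12 and 23 are constructed; PRIMARY follows the even/odd and slot assignment the text describes.

```python
"""HSRP priority plan for the dual-chassis, dual-MSFC model of Figure 22-3.

Added example, not part of the Cisco guide. PRIMARY follows the text's
assignment (even VLANs on Switch S1, odd VLANs on S2; slot 2 primary for
VLANs 12 and 23); the virtual IPs for VLANs 12 and 23 are constructed.
"""

SWITCHES = ("S1", "S2")
SLOTS = (1, 2)
MSFCS = [(sw, slot) for sw in SWITCHES for slot in SLOTS]

# HSRP primary (active) MSFC per VLAN as (switch, slot).
PRIMARY = {10: ("S1", 1), 21: ("S2", 1), 12: ("S1", 2), 23: ("S2", 2)}

# Virtual (HSRP) addresses; 172.20.100.10 and 192.20.100.21 come from the
# guide's examples, the other two are constructed for this example.
VIRTUAL_IP = {10: "172.20.100.10", 21: "192.20.100.21",
              12: "172.20.102.12", 23: "192.20.102.23"}


def hsrp_priority(vlan, switch, slot):
    """Priority ladder read off Figure 22-3: 110 for the primary MSFC,
    109 for its chassis mate, 108 for the same slot in the other chassis,
    107 for the remaining MSFC."""
    p_switch, p_slot = PRIMARY[vlan]
    if switch == p_switch:
        return 110 if slot == p_slot else 109
    return 108 if slot == p_slot else 107


def render_hsrp_config(switch, slot, vlans=None):
    """Interface-mode lines for one MSFC, in the form the guide's examples use."""
    lines = []
    for vlan in sorted(vlans or PRIMARY):
        lines += [
            f"interface vlan{vlan}",
            f" standby {vlan} ip {VIRTUAL_IP[vlan]}",
            f" standby {vlan} priority {hsrp_priority(vlan, switch, slot)}",
            f" standby {vlan} preempt",
            f" standby {vlan} timers 5 15",
        ]
    return lines


def active_msfc(vlan, failed=()):
    """Surviving MSFC with the highest priority, i.e. the HSRP active router
    for the VLAN after the given MSFCs (or a whole chassis) have failed."""
    alive = [m for m in MSFCS if m not in failed]
    if not alive:
        return None
    return max(alive, key=lambda m: hsrp_priority(vlan, *m))


def check_plan():
    """Every VLAN has four distinct priorities and the even/odd chassis split
    the text prescribes; returns True or raises AssertionError."""
    for vlan, (switch, _) in PRIMARY.items():
        prios = [hsrp_priority(vlan, *m) for m in MSFCS]
        assert len(set(prios)) == 4, f"duplicate priority on VLAN {vlan}"
        expected = "S1" if vlan % 2 == 0 else "S2"
        assert switch == expected, f"VLAN {vlan} should be primary on {expected}"
    return True


if __name__ == "__main__":
    check_plan()
    for msfc in MSFCS:
        print(f"! {msfc[0]} slot {msfc[1]}")
        print("\n".join(render_hsrp_config(*msfc)))
    # Whole-chassis failure of S1: the slot-1 MSFC in S2 (priority 108) takes VLAN 10.
    print(active_msfc(10, failed={("S1", 1), ("S1", 2)}))
```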

Understanding Failure Scenarios


The five examples in this section describe possible failure scenarios within a single chassis with dual
supervisor engines and dual MSFCs (see Figure 22-4) when you enable high availability. The designated
MSFC refers to the MSFC that is used to program the ACL ASIC for static ACLs.


Note While the examples are specific to the PFC, the failover scenarios for the PFC2/MSFC2 would be
similar for handling ACLs and CEF table entries. On a Supervisor Engine 2, the designated MSFC2
programs many of the ASICs on the PFC2 including building the CEF table. In a designated MSFC2
HSRP failover to the nondesignated MSFC2, the PFC2 continues to function with the CEF table
programmed by the previously designated MSFC2. Similar to the process with the MLS cache in a
Supervisor Engine 1/MSFC configuration, the newly designated MSFC2 eventually reprograms the
CEF table with its own entries and the old entries age out.

Figure 22-4 Single Chassis with Dual Supervisor Engines and Dual MSFCs

[Figure: Switch S1 with interfaces on VLAN 10 and VLAN 21.]
Slot 1, Sup#1(active)/MSFC#1: HSRP Active VLAN 10 (priority 110); HSRP Standby VLAN 21 (priority 109)
Slot 2, Sup#2(standby)/MSFC#2: HSRP Active VLAN 21 (priority 110); HSRP Standby VLAN 10 (priority 109)

Failure Case 1: Designated MSFC #1 Fails

This sequence occurs when the designated MSFC #1 fails:


1. MLS entries for MSFC #1 gracefully age out of the Sup #1 Layer 3 cache, while MSFC #2 takes
temporary ownership of these MLS entries using its XTAG value.
2. MLS entries for MSFC #2 are not affected.
3. MSFC #2 removes all dynamic and reflexive ACLs programmed in hardware by MSFC #1.
4. MSFC #2 reprograms the static ACLs in the Sup #1 ACL ASIC because it is now the designated
MSFC.

Failure Case 2: Nondesignated MSFC #2 Fails

This sequence occurs when the nondesignated MSFC #2 fails:


1. MLS entries for MSFC #2 gracefully age out of the Sup #1 Layer 3 cache, while MSFC #1 takes
temporary ownership of these MLS entries using its XTAG value.
2. MLS entries from MSFC #1 are not affected.
3. MSFC #1 removes all dynamic and reflexive ACLs programmed in hardware by MSFC #2.
4. MSFC #1 remains the designated MSFC.


Failure Case 3: Active Sup #1 Fails

This sequence occurs when the active supervisor engine (Sup #1) fails:
1. Because the Layer 3 state is maintained, MLS entries of MSFC #1 gracefully age out of the
Sup #2 Layer 3 cache while MSFC #2 takes temporary ownership of these MLS entries using its
XTAG value.
2. The standby supervisor engine maintains the Layer 2 state so that there is no Layer 2 convergence
time.
3. MSFC #2 removes all dynamic and reflexive ACLs programmed in hardware by MSFC #1.
4. MSFC #2 reprograms the static ACLs in the Sup #2 ACL ASIC. MSFC #2 is now the designated
MSFC.

Failure Case 4: Standby Sup #2 Fails

This sequence occurs when the standby supervisor engine (Sup #2) fails:
1. MLS entries for MSFC #2 gracefully age out of the Sup #1 Layer 3 cache while MSFC #1 takes
temporary ownership of these MLS entries using its XTAG value.
2. MLS entries from MSFC #1 are not affected.
3. MSFC #1 removes all dynamic and reflexive ACLs programmed in hardware by MSFC #2.
4. MSFC #1 remains the designated MSFC.

Failure Case 5: New or Previously Failed Supervisor Comes Back Online

This sequence occurs when the previously failed supervisor engine (Sup #2) comes online:
1. Sup #1 continues to be the active supervisor engine.
2. Sup #2 synchronizes its image and configuration with Sup #1 (unless high-availability versioning is
enabled).
3. MSFC #2 (on Sup #2) comes up. If the HSRP preempt for VLAN 21 is configured, then MSFC #2
becomes HSRP active. The MLS entries for MSFC #1 are purged and then relearned via MSFC #2.
4. MSFC #1 remains the designated MSFC for the static ACLs.

Configuring Redundancy with HSRP


Although the supervisor engine software high-availability feature maintains the protocol state between
redundant supervisor engines, you need to configure HSRP for failover between redundant MSFCs.
HSRP is used to provide the first-hop, unicast redundancy. You can configure one or more HSRP groups
on MSFC VLAN interfaces to provide automatic routing backup for your network. Each VLAN interface
in an HSRP group shares a virtual IP address and MAC address. You can configure end stations and
other devices to use the HSRP address as the default gateway so that if one router interface fails, service
is not interrupted to those devices.
The interface with the highest HSRP priority is the active interface for that HSRP group.

Note PFC2: The PFC2 supports a maximum of 16 unique HSRP group numbers. You can use the same
HSRP group numbers in different VLANs. If you configure more than 16 HSRP groups, this
restriction prevents use of the VLAN number as the HSRP group number.


Note PFC2: Identically numbered HSRP groups use the same virtual MAC address, which might cause errors
if you configure bridging on the MSFC.

The standby use-bia option should not be used in an HSRP configuration. MLS entries are not created
when you use the standby use-bia option. When the standby use-bia option is configured, if an HSRP
active interface goes up and down, there will be no router CAM address for the standby VLAN interface
and without the router CAM entry, no shortcuts are created. This problem is independent of any MSFC
Cisco IOS release. (This problem is documented in caveat CSCdz17169.)

To configure HSRP on an MSFC VLAN interface, perform this task in interface configuration mode:

Step 1 Enable HSRP and specify the HSRP IP address. If you do not specify a group_number, group 0 is
used. To assist in troubleshooting, configure the group number to match the VLAN number.
Router(config-if)# standby [group_number] ip [ip_address]

Step 2 Specify the priority for the HSRP interface. Increase the priority of at least one interface in the
HSRP group (the default is 100). The interface with the highest priority becomes active for that HSRP
group.
Router(config-if)# standby [group_number] priority priority

Step 3 Configure the interface to preempt the current active HSRP interface and become active if the
interface priority is higher than the priority of the current active interface.
Router(config-if)# standby [group_number] preempt [delay delay]

Step 4 (Optional) Set the HSRP hello timer and holdtime timer for the interface. The default values are
3 (hello) and 10 (holdtime). All interfaces in the HSRP group should use the same timer values.
Router(config-if)# standby [group_number] timers hellotime holdtime

Step 5 (Optional) Specify a clear-text HSRP authentication string for the interface. All interfaces in the
HSRP group should use the same authentication string.
Router(config-if)# standby [group_number] authentication string

This example shows how to configure an interface as part of HSRP group 100:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface vlan100
Router(config-if)# standby 100 ip 172.20.100.10
Router(config-if)# standby 100 priority 110
Router(config-if)# standby 100 preempt
Router(config-if)# standby 100 timers 5 15
Router(config-if)# standby 100 authentication Secret
Router(config-if)# ^Z
Router#


Configuration Examples
This section describes three configuration options for achieving redundancy:
• Example 1—Two Chassis with One Supervisor Engine and One MSFC Each, page 22-28
• Example 2—Single Chassis with Dual Supervisor Engines and MSFCs, page 22-29
• Example 3—Double Chassis with Dual Supervisor Engines and MSFCs, page 22-30
For the following examples, the designated MSFC is on the active supervisor engine. To determine the
status of the designated MSFC, enter the show fm features or the show redundancy command. This
example shows that Router-16 is the designated MSFC:
Router-15# show redundancy
Designated Router: 1 Non-designated Router:2
Redundancy Status: non-designated
Config Sync AdminStatus : enabled
Config Sync RuntimeStatus: enabled

Router-16# show redundancy
Designated Router: 1 Non-designated Router:2
Redundancy Status: designated
Config Sync AdminStatus : enabled
Config sync RuntimeStatus: enabled

Example 1—Two Chassis with One Supervisor Engine and One MSFC Each

In the example in Figure 22-5, high availability cannot be configured on the supervisor engines but
HSRP can be configured on the MSFCs.

Figure 22-5 Two Chassis with One Supervisor Engine and One MSFC Each

[Figure: Switch S1 and Switch S2, each with a single Sup#1/MSFC#1 in slot 1, both with interfaces on
VLAN 10 and VLAN 21.]
Switch S1, slot 1, Sup#1/MSFC#1: HSRP Active VLAN 10 (priority 110); HSRP Standby VLAN 21 (priority 109)
Switch S2, slot 1, Sup#1/MSFC#1: HSRP Active VLAN 21 (priority 110); HSRP Standby VLAN 10 (priority 109)

This example shows how to configure HSRP on the MSFC in Switch S1:
Console> (enable) switch console 15
Trying Router-15...
Connected to Router-15.
Type ^C^C^C to switch back...
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface vlan10
Router(config-if)# standby 10 ip 172.20.100.10
Router(config-if)# standby 10 priority 110
Router(config-if)# standby 10 preempt
Router(config-if)# standby 10 timers 5 15
Router(config-if)# standby 10 authentication Secret
Router(config-if)# interface vlan21
Router(config-if)# standby 21 ip 192.20.100.21
Router(config-if)# standby 21 priority 109
Router(config-if)# standby 21 preempt
Router(config-if)# standby 21 timers 5 15
Router(config-if)# standby 21 authentication Secret
Router(config-if)# ^Z
Router# ^C^C^C

This example shows how to configure HSRP on the MSFC in Switch S2:
Console> (enable) switch console 15
Trying Router-15...
Connected to Router-15.
Type ^C^C^C to switch back...
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface vlan10
Router(config-if)# standby 10 ip 172.20.100.10
Router(config-if)# standby 10 priority 109
Router(config-if)# standby 10 preempt
Router(config-if)# standby 10 timers 5 15
Router(config-if)# standby 10 authentication Secret
Router(config-if)# interface vlan21
Router(config-if)# standby 21 ip 192.20.100.21
Router(config-if)# standby 21 priority 110
Router(config-if)# standby 21 preempt
Router(config-if)# standby 21 timers 5 15
Router(config-if)# standby 21 authentication Secret
Router(config-if)# ^Z
Router# ^C^C^C

Example 2—Single Chassis with Dual Supervisor Engines and MSFCs

In the example in Figure 22-6, high availability is configured on the supervisor engines, and HSRP is
configured on the MSFCs.

Figure 22-6 Single Chassis with Redundant Supervisors and MSFCs

[Figure: Switch S1 with interfaces on VLAN 10 and VLAN 21.]
Slot 1, Sup#1(active)/MSFC#1: HSRP Active VLAN 10 (priority 110); HSRP Standby VLAN 21 (priority 109)
Slot 2, Sup#2(standby)/MSFC#2: HSRP Active VLAN 21 (priority 110); HSRP Standby VLAN 10 (priority 109)

This example shows how to configure HSRP on the MSFC in Switch S1:
Console> (enable) switch console 15
Trying Router-15...
Connected to Router-15.
Type ^C^C^C to switch back...
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface vlan10
Router(config-if)# standby 10 ip 172.20.100.10
Router(config-if)# standby 10 priority 110
Router(config-if)# standby 10 preempt
Router(config-if)# standby 10 timers 5 15
Router(config-if)# standby 10 authentication Secret
Router(config-if)# interface vlan21
Router(config-if)# standby 21 ip 192.20.100.21
Router(config-if)# standby 21 priority 109
Router(config-if)# standby 21 preempt
Router(config-if)# standby 21 timers 5 15
Router(config-if)# standby 21 authentication Secret
Router(config-if)# ^Z
Router# ^C^C^C

Console> (enable) switch console 16
Trying Router-16...
Connected to Router-16.
Type ^C^C^C to switch back...
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface vlan10
Router(config-if)# standby 10 ip 172.20.100.10
Router(config-if)# standby 10 priority 109
Router(config-if)# standby 10 preempt
Router(config-if)# standby 10 timers 5 15
Router(config-if)# standby 10 authentication Secret
Router(config-if)# interface vlan21
Router(config-if)# standby 21 ip 192.20.100.21
Router(config-if)# standby 21 priority 110
Router(config-if)# standby 21 preempt
Router(config-if)# standby 21 timers 5 15
Router(config-if)# standby 21 authentication Secret
Router(config-if)# ^Z
Router# ^C^C^C

Example 3—Double Chassis with Dual Supervisor Engines and MSFCs

Figure 22-7 shows two Catalyst 6000 family switches (S1 and S2), each with a supervisor engine and
MSFC in slot 1 (Sup #1/MSFC #1) and slot 2 (Sup #2/MSFC #2). Because there is no Layer 2 loop,
HSRP is used for convergence and load sharing. In both switches, Sup #1 is the active supervisor engine,
and Sup #2 is the standby supervisor engine.

Figure 22-7 Dual MSFC Operational Model for Redundancy and Load Sharing

[Figure: Switch S1 and Switch S2, each with Sup#1/MSFC#1 in slot 1 and Sup#2/MSFC#2 in slot 2, all
with interfaces on VLAN 10 and VLAN 21.]
Switch S1, slot 1, Sup#1/MSFC#1: HSRP Active VLAN 10 (priority 110); HSRP Standby VLAN 21 (priority 108)
Switch S1, slot 2, Sup#2/MSFC#2: HSRP Standby VLAN 10 (priority 109); HSRP Standby VLAN 21 (priority 107)
Switch S2, slot 1, Sup#1/MSFC#1: HSRP Standby VLAN 10 (priority 108); HSRP Active VLAN 21 (priority 110)
Switch S2, slot 2, Sup#2/MSFC#2: HSRP Standby VLAN 10 (priority 107); HSRP Standby VLAN 21 (priority 109)

This example shows how to configure HSRP on the MSFC in Switch S1:
Console> (enable) switch console 15
Trying Router-15...
Connected to Router-15.
Type ^C^C^C to switch back...
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface vlan10
Router(config-if)# standby 10 ip 172.20.100.10
Router(config-if)# standby 10 priority 110
Router(config-if)# standby 10 preempt
Router(config-if)# standby 10 timers 5 15
Router(config-if)# standby 10 authentication Secret
Router(config-if)# interface vlan21
Router(config-if)# standby 21 ip 192.20.100.21
Router(config-if)# standby 21 priority 108
Router(config-if)# standby 21 preempt
Router(config-if)# standby 21 timers 5 15
Router(config-if)# standby 21 authentication Secret
Router(config-if)# ^Z
Router# ^C^C^C

Console> (enable) switch console 16
Trying Router-16...
Connected to Router-16.
Type ^C^C^C to switch back...
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface vlan10
Router(config-if)# standby 10 ip 172.20.100.10
Router(config-if)# standby 10 priority 109
Router(config-if)# standby 10 preempt
Router(config-if)# standby 10 timers 5 15
Router(config-if)# standby 10 authentication Secret
Router(config-if)# interface vlan21
Router(config-if)# standby 21 ip 192.20.100.21
Router(config-if)# standby 21 priority 107
Router(config-if)# standby 21 preempt
Router(config-if)# standby 21 timers 5 15
Router(config-if)# standby 21 authentication Secret
Router(config-if)# ^Z
Router# ^C^C^C

This example shows how to configure HSRP on the MSFC in Switch S2:
Console> (enable) switch console 15
Trying Router-15...
Connected to Router-15.
Type ^C^C^C to switch back...
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface vlan10
Router(config-if)# standby 10 ip 172.20.100.10
Router(config-if)# standby 10 priority 108
Router(config-if)# standby 10 preempt
Router(config-if)# standby 10 timers 5 15
Router(config-if)# standby 10 authentication Secret
Router(config-if)# interface vlan21
Router(config-if)# standby 21 ip 192.20.100.21
Router(config-if)# standby 21 priority 110
Router(config-if)# standby 21 preempt
Router(config-if)# standby 21 timers 5 15
Router(config-if)# standby 21 authentication Secret
Router(config-if)# ^Z
Router# ^C^C^C

Console> (enable) switch console 16
Trying Router-16...
Connected to Router-16.
Type ^C^C^C to switch back...
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface vlan10
Router(config-if)# standby 10 ip 172.20.100.10
Router(config-if)# standby 10 priority 107
Router(config-if)# standby 10 preempt
Router(config-if)# standby 10 timers 5 15
Router(config-if)# standby 10 authentication Secret
Router(config-if)# interface vlan21
Router(config-if)# standby 21 ip 192.20.100.21
Router(config-if)# standby 21 priority 109
Router(config-if)# standby 21 preempt
Router(config-if)# standby 21 timers 5 15
Router(config-if)# standby 21 authentication Secret
Router(config-if)# ^Z
Router# ^C^C^C

MSFC Configuration Synchronization Overview


MSFC high availability allows for automatic synchronization of the startup configuration and running
configuration between the designated MSFC (the MSFC to come online first, or the MSFC that has been
online the longest) and the nondesignated MSFC. High-availability redundancy is disabled by default.

Caution Configuration synchronization is only supported for IP and IPX configurations. Before enabling
synchronization, you must ensure that both MSFCs have identical configurations for all protocols. If
you are using AppleTalk, DECnet, VINES or any other routing, you must manually ensure that
identical configurations are on both MSFCs for all protocols.

To determine the status of the designated MSFC, enter the show fm features or the show redundancy
command:
Router-15# show redundancy
Designated Router: 1 Non-designated Router:2
Redundancy Status: non-designated
Config Sync AdminStatus : enabled
Config Sync RuntimeStatus: enabled

Router-16# show redundancy
Designated Router: 1 Non-designated Router:2
Redundancy Status: designated
Config Sync AdminStatus : enabled
Config sync RuntimeStatus: enabled

High-availability redundancy provides startup and running configuration synchronization.


When you enable high-availability redundancy, the startup configuration of both MSFCs is updated
when you enter either of these commands on the designated MSFC:
• write mem
• copy source startup-config


When you enable high-availability redundancy, every configuration command executed on the
designated MSFC is sent to the nondesignated MSFC. Also, the running configuration synchronization
is updated when you enter the copy source running-config command on the designated MSFC.
These sections provide information about MSFC configuration synchronization:
• Configuration Synchronization States, page 22-33
• alt Keyword Usage, page 22-33

Configuration Synchronization States

The two states for the configuration synchronization are as follows:


• Config Sync AdminStatus—signifies what the user has configured for this feature at that moment
• Config Sync RuntimeStatus—enabled only when the following occurs:
– The Config Sync AdminStatus is enabled on both designated and nondesignated MSFCs
– The designated and nondesignated MSFCs are running compatible images
When you enable the Config Sync RuntimeStatus, the following occurs:
• No configuration mode is available on the CLI of the nondesignated MSFC; EXEC mode is
available
• The alt keyword is available and required (see the “alt Keyword Usage” section on page 22-33 for
more information on the alt keyword)
• The running and startup configurations are synchronized
When the Config Sync RuntimeStatus is in disabled mode, the following occurs:
• Configuration mode is available on the CLI of both MSFCs
• The alt keyword is available but optional
• The running and startup configurations are not synchronized
Various configuration and operation cases are covered in the “High-Availability Redundancy
Configuration Examples” section on page 22-35.

alt Keyword Usage

When you enable the Config Sync RuntimeStatus, the configuration mode on the nondesignated MSFC
is disabled; only the EXEC mode is still available. Configuration of both MSFCs is made through the
console or a Telnet session on the designated MSFC.
To configure both MSFCs from a single console, enter the alt keyword to specify an alternate
configuration. When specifying the alternate configuration, the configuration specified before the alt
keyword relates to the MSFC on the supervisor engine in slot 1 of the switch; the configuration specified
after the alt keyword relates to the MSFC on the supervisor engine in slot 2.

Note The alt keyword is required when Config Sync AdminStatus is enabled.

Table 22-3 shows the interface and global configuration commands that contain the alt keyword.


Table 22-3 Interface and Global Configuration Commands Containing the alt Keyword

Interface Configuration Commands
• [no] standby [group_number] ip [ip_address [secondary]] alt [no] standby [group_number] ip
[ip_address [secondary]]
• [no] standby [group_number] priority priority [preempt [delay delay]] alt [no] standby
[group_number] priority priority [preempt [delay delay]]
• [no] ip address ip_address mask [secondary] alt [no] ip address ip_address mask [secondary]
• [no] ipx network network [encapsulation encapsulation_type [secondary]] [alt [no] ipx
network network [encapsulation encapsulation_type [secondary]]]

Global Configuration Commands
• [no] hostname hostname alt hostname hostname
• [no] ip default-gateway ip_address alt [no] ip default-gateway ip_address
• router bgp autonomous_system, followed by bgp router-id ip_address [alt ip_address]
• router ospf process_id, followed by router-id ip_address [alt ip_address]

This example shows how the alt keyword is used when entering the ip address command:
Router-1(config-if)# ip address 1.2.3.4 255.255.255.0 alt ip address 1.2.3.5 255.255.255.0

Enabling or Disabling Configuration Synchronization


To enable high-availability redundancy, perform this task in privileged mode:

Task                                                         Command
Step 1  Enable redundancy.                                   redundancy
Step 2  Enable high availability.                            high-availability
Step 3  Enable or disable configuration synchronization.     [no] config-sync

This example shows how to enable high-availability redundancy and configuration synchronization
(Router-15 is the designated MSFC):
Console>(enable) session 15
Trying Router-15...
Connected to Router-15.
Escape character is ’^]’.

Router-15> enable
Router-15# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-15(config)# redundancy
Router-15(config-r)# high-availability
Router-15(config-r-ha)# config-sync
Router-15(config-r-ha)# end

Note When you enable high-availability redundancy, the configuration mode is disabled on the
nondesignated MSFC; only the EXEC mode is available.


In this example, Router-16 is the nondesignated MSFC; high-availability redundancy and configuration
synchronization are enabled:
Console>(enable) session 16
Trying Router-16...
Connected to Router-16.
Escape character is ’^]’.

Router-16> enable
Router-16# configure terminal
Config mode is disabled on non-designated Router, please configure from designated Router

High-Availability Redundancy Configuration Examples


This section discusses different scenarios for enabling high availability and configuration
synchronization:
• Scenario 1: Enabling Configuration Synchronization on Both MSFCs, page 22-35
• Scenario 2: Disabling Configuration Synchronization on the Designated MSFC, page 22-38
• Scenario 3: Designated MSFC Comes Up, page 22-39
• Scenario 4: Nondesignated MSFC Comes Up, page 22-39
• Scenario 5: Designated MSFC Goes Down, page 22-40

Scenario 1: Enabling Configuration Synchronization on Both MSFCs

This scenario assumes both MSFCs are up.


When you enable configuration synchronization on both MSFCs, the IP addresses on all the interfaces
are checked first. If an IP address is specified for the designated MSFC but not specified for the
nondesignated MSFC, a message is displayed indicating the first interface for which the alternate IP
address was not specified.
After checking IP addresses, the HSRP addresses are checked; if an HSRP address is specified for the
designated MSFC but not specified for the nondesignated MSFC, a message is displayed indicating the
first interface for which the alternate HSRP (standby) address was not specified.
After checking the HSRP addresses, the IPX network address is checked.
The designated MSFC is configured first. This example shows a missing alternate configuration for the
VLAN 1 interface:
Router-16# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-16(config)# redundancy
Router-16(config-r)# high-availability
Router-16(config-r-ha)# config-sync

Alternate IP address missing for Vlan1


The alternate configuration is missing. The auto-config sync can not be enabled

Note When specifying the alternate IP configuration, the configuration specified before the alt keyword
relates to the MSFC on the supervisor engine in slot 1 of the switch; the configuration specified after
the alt keyword relates to the MSFC on the supervisor engine in slot 2. See the “alt Keyword Usage”
section on page 22-33 for more information.
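The alt split and the pre-sync check described above (and introduced in the “alt Keyword Usage” section), as an added example that is not code from the Cisco guide: the script renders the slot-1 and slot-2 views of a configuration that uses alt, and reports the first interface that lacks an alternate in the order the designated MSFC checks (IP address, then HSRP address, then IPX network). The sample configuration, its interface names and its addresses are constructed; treating a bare address after alt (the router-id form in Table 22-3) as a replacement for the last argument is an assumption drawn from that syntax, and any other line containing the word alt (a description, for example) would need to be excluded before using this on a real configuration.

```python
"""Split a dual-MSFC configuration that uses the 'alt' keyword into the view
each MSFC applies, and run the pre-sync check the designated MSFC performs when
config-sync is enabled: every interface with an IP address, an HSRP (standby
ip) address or an IPX network for slot 1 must also carry an alternate for
slot 2, checked in that order.

Added example, not code from the Cisco guide. SAMPLE_CONFIG is constructed;
its interface names and addresses are assumptions.
"""
import re

# Interface commands the guide lists as carrying 'alt' and validates before
# enabling synchronization, in the order the guide checks them.
CHECKED = (
    ("ip address", "IP address", re.compile(r"^ip address\s")),
    ("standby ip", "HSRP address", re.compile(r"^standby(?:\s+\d+)?\s+ip\b")),
    ("ipx network", "IPX network", re.compile(r"^ipx network\s")),
)

_ALT = re.compile(r"\s+alt\s+")


def split_alt(line):
    """Return (slot1_cmd, slot2_cmd) for one configuration line.

    Text before 'alt' is applied by the MSFC on the slot-1 supervisor engine,
    text after it by the MSFC on the slot-2 supervisor engine. slot2_cmd is
    None when the line carries no alternate (it then applies to both).
    """
    stripped = line.strip()
    m = _ALT.search(stripped)
    if m is None:
        return stripped, None
    before, after = stripped[: m.start()].strip(), stripped[m.end():].strip()
    # 'router-id A alt B' gives only the address after 'alt' (Table 22-3);
    # expand it to a full command by swapping the last argument. Assumption:
    # a bare single token after 'alt' always replaces the last argument.
    if " " not in after and " " in before:
        after = before.rsplit(" ", 1)[0] + " " + after
    return before, after


def per_slot_views(config_text):
    """Render the configuration as each MSFC applies it: (slot1, slot2)."""
    slot1, slot2 = [], []
    for raw in config_text.splitlines():
        indent = raw[: len(raw) - len(raw.lstrip())]
        before, after = split_alt(raw)
        slot1.append(indent + before)
        slot2.append(indent + (before if after is None else after))
    return "\n".join(slot1), "\n".join(slot2)


def find_missing_alternate(config_text):
    """Return (command, interface) for the first missing alternate, or None.

    All interfaces are scanned for an 'ip address' without 'alt' first, then
    for an HSRP address, then for an IPX network, mirroring the guide's order,
    so the report names the first offending interface of the earliest check.
    """
    offenders = {key: [] for key, _, _ in CHECKED}
    iface = None
    for raw in config_text.splitlines():
        if not raw.startswith(" "):            # column 0 ends interface mode
            iface = raw.split(None, 1)[1] if raw.startswith("interface ") else None
            continue
        if iface is None:
            continue
        line = raw.strip()
        for key, _, pattern in CHECKED:
            if pattern.match(line) and split_alt(line)[1] is None:
                offenders[key].append(iface)
    for key, _, _ in CHECKED:
        if offenders[key]:
            return key, offenders[key][0]
    return None


def presync_report(config_text):
    """Message in the style the designated MSFC prints on config-sync."""
    missing = find_missing_alternate(config_text)
    if missing is None:
        return "Alternate configuration complete; config-sync can be enabled"
    label = next(lbl for key, lbl, _ in CHECKED if key == missing[0])
    return "Alternate %s missing for %s" % (label, missing[1])


# Constructed sample: Vlan10 has an HSRP address with no alternate.
SAMPLE_CONFIG = """\
hostname Router-15 alt hostname Router-16
!
interface Vlan1
 ip address 70.0.70.4 255.255.0.0 alt ip address 70.0.70.5 255.255.0.0
!
interface Vlan10
 ip address 192.10.10.1 255.255.255.0 alt ip address 192.10.10.2 255.255.255.0
 no ip redirects
 standby ip 192.20.20.1
!
router ospf 1
 router-id 10.0.0.1 alt 10.0.0.2
!
end
"""

if __name__ == "__main__":
    print(presync_report(SAMPLE_CONFIG))
    for name, view in zip(("slot 1", "slot 2"), per_slot_views(SAMPLE_CONFIG)):
        print("--- %s ---\n%s" % (name, view))
```

Run it on a saved show running-config from the designated MSFC before entering config-sync; the slot-2 view is what the nondesignated MSFC will actually apply after the one-minute timer, so reviewing it is the quickest way to catch an alternate address that is present but wrong, which the MSFC's own check does not detect.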


This example shows how to specify the alternate configuration for VLAN 1:
Router-16(config)# interface vlan 1
Router-16(config-if)# ip address 70.0.70.4 255.255.0.0 alt ip address 70.0.70.5
255.255.0.0
Router-16(config-if)# exit

This example shows that high-availability redundancy is accepted:


Router-16(config)# redundancy
Router-16(config-r)# high-availability
Router-16(config-r-ha)# config-sync
Router-16(config-r-ha)# end
Router-16#
00:03:31: %SYS-5-CONFIG_I: Configured from console by console

Because the Config Sync AdminStatus on the nondesignated MSFC is disabled, the Config Sync
RuntimeStatus on the designated MSFC will remain in disabled mode. The following message is
displayed on the designated MSFC:
00:17:05: %RUNCFGSYNC-6-SYNCEVENT:
Non-Designated Router is now online
High-Availability Redundancy Feature is not enabled on the Non-Designated Router

This example shows how to enable the configuration synchronization feature on the nondesignated
MSFC:
Router-15(config)# redundancy
Router-15(config-r)# high-availability
Router-15(config-r-ha)# config-sync
Router-15(config-r-ha)# end
Router-15#
00:03:31: %SYS-5-CONFIG_I: Configured from console by console

Note When you enable high-availability redundancy, the configuration mode is disabled on the console of
the nondesignated MSFC; only the EXEC mode is available.

The following message, acknowledging that the high-availability redundancy is enabled, and that the
configuration mode will be automatically exited, is displayed on the nondesignated MSFC:
00:18:57: %RUNCFGSYNC-6-SYNCEVENT:
The High-Availability Redundancy Feature is enabled
The config mode is no longer accessible

Router-15#

00:19:41: %RUNCFGSYNC-6-SYNCEVENT:
Non-Designated Router is now online
Running Configuration Synchronization will begin in 1 minute

A one-minute timer will start, allowing for stabilization of the nondesignated MSFC. When the timer
expires, a snapshot of the current running configuration is sent to the nondesignated MSFC. This
message is displayed before the running configuration is synchronized:
00:20:41: %RUNCFGSYNC-6-SYNCEVENT:
Syncing Running Configuration to the Non-Designated Router

00:20:41: %RUNCFGSYNC-6-SYNCEVENT:
Syncing Startup Configuration to the Non-Designated Router


These examples show that the designated MSFC and nondesignated MSFC have the same running
configuration after synchronization:
<designated MSFC>
Router-16# show running-config
Building configuration...

Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router-15 alt hostname Router-16
!
boot bootldr bootflash:c6msfc-boot-mz.120-7.XE1
!
ip subnet-zero
!
ip cef
redundancy
high-availability
config-sync
cns event-service server
!
!
!
interface Vlan1
ip address 70.0.70.4 255.255.0.0 alt ip address 70.0.70.5 255.255.0.0
!
interface Vlan10
ip address 192.10.10.1 255.255.255.0 alt ip address 192.10.10.2 255.255.255.0
no ip redirects
shutdown
standby ip 192.20.20.1 alt standby ip 192.20.20.1
!
ip classless
ip route 223.255.254.0 255.255.255.0 70.0.100.0
no ip http server
!
!
!
line con 0
transport input none
line vty 0 4
login
transport input lat pad mop telnet rlogin udptn nasi
!
end

<nondesignated MSFC>
Router-15# show running-config
Building configuration...

Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!

hostname Router-15 alt hostname Router-16
!
boot bootldr bootflash:c6msfc-boot-mz.120-7.XE1
!
ip subnet-zero
!
ip cef
redundancy
high-availability
config-sync
cns event-service server
!
!
!
interface Vlan1
ip address 70.0.70.4 255.255.0.0 alt ip address 70.0.70.5 255.255.0.0
!
interface Vlan10
ip address 192.10.10.1 255.255.255.0 alt ip address 192.10.10.2 255.255.255.0
no ip redirects
shutdown
standby ip 192.20.20.1 alt standby ip 192.20.20.1
!
ip classless
ip route 223.255.254.0 255.255.255.0 70.0.100.0
no ip http server
!
!
!
line con 0
transport input none
line vty 0 4
login
transport input lat pad mop telnet rlogin udptn nasi
!
end

Scenario 2: Disabling Configuration Synchronization on the Designated MSFC

In this scenario, configuration synchronization is enabled. These examples show how to disable
configuration synchronization:
Router-16# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-16(config)# redundancy
Router-16(config-r)# high-availability
Router-16(config-r-ha)# no config-sync

When configuration synchronization is disabled, the following message is displayed on the
nondesignated MSFC:
00:13:00: %RUNCFGSYNC-6-SYNCEVENT:
The High-Availability Redundancy Feature is now disabled
The config mode is now accessible

Configuration mode is available on the CLI of the designated and nondesignated MSFC.


Scenario 3: Designated MSFC Comes Up

In this scenario, Config Sync AdminStatus is enabled. The designated MSFC validates the alternate
configuration, allowing configuration synchronization to occur when the nondesignated MSFC
comes up.
Because the nondesignated MSFC is not up yet, Config Sync RuntimeStatus is disabled, and there is no
configuration synchronization. See the “Scenario 4: Nondesignated MSFC Comes Up” section on
page 22-39 for information on the nondesignated MSFC.
This example shows that Router-16 is the designated MSFC, Config Sync AdminStatus is enabled, and
Config Sync RuntimeStatus is disabled:
Router-16# show redundancy
Designated Router: 1 Non-designated Router:0
Redundancy Status: designated
Config Sync AdminStatus : enabled
Config Sync RuntimeStatus: disabled

Scenario 4: Nondesignated MSFC Comes Up

Config Sync AdminStatus is Enabled


In this scenario, the nondesignated MSFC notifies the designated MSFC that it is up and Config Sync
AdminStatus is enabled. The designated MSFC requests the nondesignated MSFC to enable Config Sync
RuntimeStatus. The nondesignated MSFC enables Config Sync RuntimeStatus.
The following message is displayed on the nondesignated MSFC:
00:00:07: %RUNCFGSYNC-6-SYNCEVENT:
The High-Availability Redundancy Feature is enabled
The config mode is no longer accessible

00:00:51: %RUNCFGSYNC-6-SYNCEVENT:
Non-Designated Router is now online
Running Configuration Synchronization will begin in 1 minute

A one-minute timer will start, allowing the nondesignated MSFC to stabilize. When the timer expires, a
snapshot of the current running configuration is sent to the nondesignated MSFC. The following
message is displayed before synchronizing the running configuration:
00:01:51: %RUNCFGSYNC-6-SYNCEVENT:
Syncing Running Configuration to the Non-Designated Router

Config Sync AdminStatus is Disabled


In this scenario, the nondesignated MSFC notifies the designated MSFC that it is up. Because the Config
Sync AdminStatus is disabled on the nondesignated MSFC, the designated MSFC displays the following
message indicating that high-availability redundancy needs to be enabled on the nondesignated MSFC:
Router-16#
Non-Designated Router came up.
High-Availability Redundancy Feature is not enabled on the Non-Designated Router

This example shows how to enable the high-availability redundancy feature on the nondesignated
MSFC:
Router-15# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-15(config)# redundancy
Router-15(config-r)# high-availability
Router-15(config-r-ha)# config-sync


Router-15(config-r-ha)#
00:03:47: %SYS-5-CONFIG_I: Configured from console by console
00:03:47: %RUNCFGSYNC-6-SYNCEVENT:
The High-Availability Redundancy Feature is enabled
The config mode is no longer accessible

00:00:51: %RUNCFGSYNC-6-SYNCEVENT:
Non-Designated Router is now online
Running Configuration Synchronization will begin in 1 minute

A one-minute timer will start, allowing the nondesignated MSFC to stabilize. When the timer expires, a
snapshot of the current running configuration is sent to the nondesignated MSFC. This message is
displayed before synchronizing the running configuration:
00:01:51: %RUNCFGSYNC-6-SYNCEVENT:
Syncing Running Configuration to the Non-Designated Router

These examples show that Config Sync AdminStatus and RuntimeStatus are enabled on the designated
and nondesignated MSFCs:
Router-15# show redundancy
Designated Router: 1 Non-designated Router:2
Redundancy Status: non-designated
Config Sync AdminStatus : enabled
Config Sync RuntimeStatus: enabled

Router-16# show redundancy
Designated Router: 1 Non-designated Router:2
Redundancy Status: designated
Config Sync AdminStatus : enabled
Config Sync RuntimeStatus: enabled

Scenario 5: Designated MSFC Goes Down

In this scenario, the nondesignated MSFC will become the designated MSFC. Configuration
synchronization is disabled, and the configuration mode on the CLI is now available.
When the previously designated MSFC comes back up, it will become the nondesignated MSFC; see the
“Scenario 4: Nondesignated MSFC Comes Up” section on page 22-39.


Single Router Mode Redundancy


These sections describe how to configure single router mode (SRM) redundancy:
• Hardware and Software Requirements, page 22-41
• Configuration Guidelines, page 22-42
• Configuring Single Router Mode Redundancy, page 22-42
• Upgrading Images with Single Router Mode Enabled, page 22-44
• Getting Out of Single Router Mode, page 22-45
SRM redundancy is an alternative to internally redundant (dual) MSFC2 configurations in which both
MSFC2s are active at the same time. In SRM redundancy, only the designated router is visible to the
network at any given time. The nondesignated router is booted completely and participates in
configuration synchronization, which is enabled automatically when entering SRM. All configuration
following the alt keyword is ignored in SRM. As a result, the nondesignated router’s configuration is
exactly the same as the designated router’s, but its interfaces are kept in a line-down state and are not
visible to the network. Processes such as routing protocols are created on both the nondesignated and the
designated router, but all nondesignated router interfaces are in a line-down state; they neither send
updates to nor receive updates from the network.
When the designated router fails, the nondesignated router changes its state from nondesignated to
designated and its interface state changes to link up. It builds its routing table while the existing
supervisor engine switch processor entries continue to forward Layer 3 traffic. After the newly
designated router builds its routing table, the entries in the switch processor are updated.

Hardware and Software Requirements


To configure SRM redundancy, you must have the following hardware and software:
• A single chassis with two identical supervisor engine daughter card configurations:
– Supervisor Engine 2 with PFC2 and MSFC2
– Supervisor Engine 1 with PFC and MSFC or MSFC2

Note Cisco IOS Release 12.1(8a)E4 provides initial support for single router mode (SRM)
redundancy with Supervisor Engine 1 and MSFC.

When using Supervisor Engine 1 with the MSFC or MSFC2 for SRM redundancy, be aware that
failover to the second MSFC is not stateful for multicast MLS. When the primary MSFC fails, all
multicast MLS entries are removed and are then recreated and reinstalled in the hardware by the
newly active MSFC.

• Supervisor engine software release 6.3(1) or later releases


• Cisco IOS Release 12.1(8a)E2 or later releases


Configuration Guidelines
Use these guidelines when configuring SRM redundancy:
• SRM redundancy requires that both the designated router and nondesignated router run the same
Cisco IOS image.
• SRM redundancy requires that a Cisco IOS image is present in the bootflash of both the designated
router and nondesignated router.
• With SRM redundancy, the nondesignated router cannot connect to external networks.
• With SRM redundancy, we do not recommend booting from an external network with the designated
router. Booting from the network could severely degrade SRM functionality.
• With SRM redundancy, the designated router can reach external networks and copy commands such
as copy tftp: can be used without any restrictions.
• For SRM to work properly, high availability must be enabled on the supervisor engine.
• When using authentication methods such as RADIUS or TACACS+ to control access to the switch,
you need to configure a fallback option to log in with a local username and password if you want
to be able to access the nondesignated router through the switch console or session commands.
See Chapter 21, “Configuring Switch Access Using AAA” for information on configuring the
fallback option.

Configuring Single Router Mode Redundancy


To configure SRM redundancy, perform these steps:

Caution Before going from dual router mode to SRM redundancy, we recommend that you use the copy
running-config command on the MSFCs to save the non-SRM configuration to bootflash. When
going to SRM redundancy, the alternative configuration (the configuration following the alt
keyword) is lost. Therefore, before enabling SRM redundancy, save the dual router mode
configuration to bootflash by entering the following command on both MSFCs:
copy running-config bootflash:nosrm_dual_router_config.

See the “Getting Out of Single Router Mode” section on page 22-45 for additional information.

Note This procedure assumes that the designated router is the MSFC2 in slot 1 and the nondesignated
router is the MSFC2 in slot 2; the active supervisor engine is in slot 1 and the standby supervisor
engine is in slot 2.

Step 1 Enter the show version command to ensure that both supervisor engines are running supervisor engine
software release 6.3(1) or later releases.
Step 2 Enter the set system highavailability enable command to enable high availability on the active
supervisor engine. Enter the show system highavailability command to verify that high availability is
enabled.
Step 3 If you have a console connection, enter the switch console command to access the designated router. If
connected through a Telnet session, enter the session mod command to access the designated router.


Step 4 Copy the Cisco IOS Release 12.1(8a)E2 or later image to the bootflash of the designated router and
nondesignated router.
Step 5 Set the boot image and configuration register on the designated router and nondesignated router to boot
the new image on a reload:
For the designated router, enter boot system flash bootflash:image_name and ensure that this image is
the first in the boot list. Clear any existing boot system commands that appear in the running
configuration (show running-config) using the no form of the boot system command.
For the nondesignated router, set the configuration register to auto boot by entering
config-register 0x102.
Step 6 Enter the reload command to reload the designated router and nondesignated router.

Note If you already have SRM-capable Cisco IOS images loaded, you do not need to perform
Step 6.

Step 7 Disable configuration synchronization (config-sync) on the designated router using the no form of the
command. Enter the write memory command. This lets you have access to configuration mode on both
designated and nondesignated routers.
Step 8 Enable SRM on the designated router first, and then enable SRM on the nondesignated router as follows:
Router(config)#redundancy
Router(config-r)#high-availability
Router(config-r-ha)#single-router-mode

Step 9 Enter the write memory command on the designated router to ensure that the nondesignated router’s
start-up configuration has SRM enabled.
Step 10 Enter the show startup-config command on the nondesignated router to ensure that the nondesignated
router has the following configuration statements:
redundancy
high-availability
single-router-mode

Step 11 Enter the show redundancy command on the designated router and nondesignated router to ensure that
both have the following configuration statement:
Single Router Mode RuntimeStatus: enabled

If not, repeat Steps 9 and 10 allowing sufficient time between steps.


Step 12 Enter the reload command to reload the nondesignated router. When asked whether the configuration
should be saved, enter no.
This display summarizes the above configuration commands used on the designated router and
nondesignated router to enable SRM redundancy:
Time   Designated Router                           Nondesignated Router
----   -----------------                           --------------------
t0:    conf t->red->hi->no config-sync
t1:                                                conf t->red->hi->no config-sync
t2:    conf t->red->hi->single-router-mode
t3:                                                conf t->red->hi->single-router-mode
t4:    write mem
t5:                                                reload


Upgrading Images with Single Router Mode Enabled


This section describes how to upgrade the Cisco IOS image on the active and standby MSFC when SRM
is running. The new image name is c6msfc2-jsv-mz.9E. The standby MSFC cannot load an image using
TFTP, but it can load an image from the supervisor engine Flash PC card (sup-slot0:).

Note This procedure impacts data traffic. We recommend that it be performed during a scheduled maintenance
window.

To upgrade the images, perform these steps:

Step 1 On the active supervisor engine, enter the copy tftp sup-slot0: command and follow the prompts to load
the new (c6msfc2-jsv-mz.9E) image onto the supervisor engine Flash PC card.
Step 2 If you have a console connection, enter the switch console command to access the active MSFC. If you
are connected through a Telnet session, enter the session mod command to access the active MSFC.
Step 3 On the active MSFC, copy the new image from the supervisor engine Flash PC card to the MSFC
bootflash as follows:
copy sup-slot0:c6msfc2-jsv-mz.9E bootflash:c6msfc2-jsv-mz.9E

Step 4 Access the standby MSFC by entering the switch supervisor command and then the switch console
command on the active supervisor engine.

Note The standby MSFC does not appear in the show module command display that is issued from the active
supervisor engine.

Step 5 On the standby MSFC, copy the new image from the supervisor engine Flash PC card to the MSFC
bootflash as follows:
copy sup-slot0:c6msfc2-jsv-mz.9E bootflash:c6msfc2-jsv-mz.9E

Step 6 On the active MSFC, specify that the new image is booted when the MSFC is reloaded as follows:
boot system flash bootflash:c6msfc2-jsv-mz.9E

Step 7 On the active MSFC, enter the write memory command to ensure that the standby MSFC start-up
configuration gets the boot information.
Step 8 Enter the reload command to reload the standby MSFC.
Step 9 Enter the show redundancy command on the active and standby MSFCs to ensure that both have the
following configuration statement:
Single Router Mode RuntimeStatus: enabled

Step 10 Enter the reload command to reload the active MSFC.


Both MSFCs are now running the c6msfc2-jsv-mz.9E image.


Getting Out of Single Router Mode

Note If you saved a copy of the running configuration used in dual router mode before configuring SRM
redundancy, you do not need to use the procedure in this section. To get out of SRM redundancy and
back to dual router mode, enter the following command on both MSFCs:
copy bootflash:nosrm_dual_router_config startup-config. After the configurations are copied,
reload the MSFCs using the reload command.

To get out of SRM, perform these steps:

Step 1 On the designated router, disable SRM using the no form of the command as follows:
Router(config)#redundancy
Router(config-r)#high-availability
Router(config-r-ha)#no single-router-mode

Step 2 Enter the write memory command on the designated router and nondesignated router.
Step 3 Enter the show startup-config command on the designated and nondesignated routers to ensure that
“single-router mode” is not in the startup configuration.
Step 4 Enter the reload command to reload the designated router and nondesignated router.
SRM is now disabled on the designated router and nondesignated router.

Manual-Mode MSFC Redundancy

Note Manual-mode MSFC redundancy will be supported until December 2002, because supervisor engine
software release 6.3(1) introduces SRM. Cisco recommends using SRM rather than manual-mode MSFC
redundancy: SRM provides automatic Layer 3 failover and is supported without a time limit.

These sections describe how to configure redundant MSFCs with one MSFC active and the other MSFC
in ROM-monitor mode:
• Hardware and Software Requirements, page 22-46
• Guidelines for Configuring Manual-Mode MSFC Redundancy, page 22-46
• Accessing the Standby MSFC, page 22-47
• Manually Booting the MSFC, page 22-47
• Setting the MSFC Configuration Register, page 22-47
• MSFC Recovery Procedures, page 22-48


Hardware and Software Requirements


To configure Layer 3 redundancy, you must have at least one of the following configurations:
• A single chassis with two identical supervisor engine daughtercard configurations:
– Supervisor Engine 1 with Policy Feature Card (PFC) and MSFC or MSFC2 (both supervisor
engines must have the same type of MSFC)
– Supervisor Engine 2 with PFC2 and MSFC2
• Two chassis with a supervisor engine in each—You must have at least one supervisor engine in each
chassis. Each supervisor engine must be equipped with a PFC and an MSFC.
• Manual-mode MSFC redundancy requires the following software:
– Supervisor engine software release 6.1(3) or later releases and MSFC IOS Release 12.1(7)E or
later releases
– Supervisor engine software release 5.5.8 or later releases and MSFC IOS Release 12.1(7a)E1
or later releases

Note Each MSFC must be running the same release of Cisco IOS software.

Guidelines for Configuring Manual-Mode MSFC Redundancy


Follow these guidelines to configure manual-mode MSFC redundancy:
• Because the MSFC switchover is manual, we recommend that you have this feature only in
environments where externally redundant routers are present and where either HSRP is used or some
form of gateway discovery is implemented on hosts.
• Ensure that the configuration register on the active MSFC (MSFC-15) is set to 0x2102 and that the
configuration register on the MSFC in ROM-monitor mode (MSFC-16) is set to 0x0. This setting
prevents both MSFCs from becoming active at the same time and allows the active MSFC to come
online after a reset. See the “Setting the MSFC Configuration Register” section on page 22-47 for
details on setting the configuration register.

Note Setting both MSFCs to 0x0 is a supported option but requires user intervention in the event the switch
is reset.

• To conserve IP address space and reduce the overall Layer 3 complexity, ensure that configuration
synchronization is disabled on both MSFCs and that all “alt” addresses are removed. If alt addresses
are used, IP address space is not conserved and in cases where link-level peering is present (such as
BGP), the Layer 3 complexity is increased.
• When the MSFC in ROM-monitor mode is brought up during a maintenance window, ensure that it
has the exact same configuration as the active MSFC. Follow the configuration guidelines in
Table 22-2 on page 22-20.
• During manual-mode MSFC redundancy, high availability should be enabled on the supervisor
engine to keep Layer 2 downtime to a minimum when doing an MSFC switchover. Since high
availability is not compatible with protocol filtering, port security, DVLAN, or GVRP, we
recommend that you disable these features when using manual-mode MSFC redundancy.


• Ensure that the console port on both supervisor engines is accessible to operations personnel
(out-of-band access through terminal server or modem).
The procedures in this section use the switch console command to access the MSFC from the
supervisor engine. The switch console command is not supported on Telnet sessions.

Accessing the Standby MSFC


To access the standby MSFC, enter the switch supervisor command followed by the switch console
command.

Note The standby MSFC does not appear in the show module command display issued from the active
supervisor engine.

Manually Booting the MSFC


If the configuration register on both MSFCs is set to 0x0, then MSFC manual mode requires that the
MSFC be manually booted each time the switch is reset. To manually boot the MSFC, perform these
steps:

Step 1 Enter the switch console command to gain access to the MSFC ROMMON prompt.
Step 2 Enter the boot bootflash:image command.
Step 3 Once the MSFC has booted, enter ^C^C^C at the Router> prompt to return to the supervisor engine
prompt. Now you may enter the session command to access the MSFC.

Setting the MSFC Configuration Register


For manual-mode MSFC redundancy, set the configuration registers as follows:

Step 1 From Cisco IOS configuration mode on the active MSFC (MSFC-15), perform the following:
Router(config)#config-register 0x2102
Router(config)#

Step 2 From Cisco IOS configuration mode on the MSFC in ROM-monitor mode (MSFC-16), perform the
following:
Router(config)#config-register 0x0
Router(config)#

Note We recommend that boot system commands in both MSFC configurations point to a valid image on
bootflash and that you do not set the configuration registers to ignore these boot commands.


MSFC Recovery Procedures


This section describes how to recover from temporary or permanent MSFC failures.
A temporary failure of the active MSFC results in the MSFC simply rebooting because the configuration
register is set to 0x2102.
A suspected permanent failure of the active MSFC must first be verified: enter the reset 15 command
from the active supervisor engine’s console port and check whether the active MSFC reboots without
problems. If it does not, you have the following two options for switching over to the standby MSFC.

Option 1: If You Have Physical Access to the Switch

If you have physical access to the switch, use this option. You can remove the active supervisor engine
with the problematic MSFC, so the redundant supervisor engine will take over. From the redundant
supervisor engine’s physical console port, perform these steps:

Step 1 Enter the switch console command.


Step 2 From the ROMMON prompt, enter the boot bootflash:image command.
Step 3 After the standby MSFC has booted, from Cisco IOS configuration mode enter the config-register
0x2102 command to ensure the MSFC will boot when the switch is reset.

Option 2: If You Have Remote Access Only to the Switch

If you only have remote access to the switch, use this option. From the active supervisor engine with the
problematic MSFC, perform these steps:

Note If the problematic MSFC is on the standby supervisor engine, enter the switch supervisor
command.

Step 1 Enter the switch console command.


Step 2 Send a Break signal to get into the problematic MSFC’s ROMMON (the break works even if the MSFC
is continually rebooting). You need to time the break so that it is issued after the system bootstrap
message but before the main Cisco IOS image is decompressed (see the two arrows in the following
display output):
System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE
Copyright (c) 1998 by cisco Systems, Inc.
Cat6k-MSFC platform with 131072 Kbytes of main memory <======= ISSUE BREAK AFTER THIS POINT

Self decompressing the image :


######################################################################################
[OK]

<==========BUT BEFORE THIS POINT

Self decompressing the image :


##########################################################################################
##########################################################################################
##########################################################################################


##########################################################################################
##########################################################################################
##########################################################################################
##########################################################################################
##########################################################################################
### [OK]

Step 3 At the ROMMON prompt, enter the confreg command:


a. Enter y at the “do you wish to change the configuration? y/n [n]:” prompt
b. Press Enter to accept the default for all questions until you reach this prompt: “change the boot
characteristics? y/n [n]:”
c. Enter y
d. Enter 0 to select the “0 = ROM Monitor” option at the next prompt
e. Review the Configuration Summary to ensure the following value: boot: the ROM Monitor
f. You are again prompted with: “do you wish to change the configuration? y/n [n]:”
g. Enter n
h. You are returned to the ROMMON prompt
Step 4 Enter the reset command and verify that the MSFC boots into ROMMON. This step ensures that this
MSFC and the active MSFC will not boot concurrently.
Step 5 Enter ^C^C^C to return to the supervisor engine prompt.
Step 6 Ensure that high availability has synchronized the supervisor engine state by entering the show system
highavailability command and verifying that high availability “Operational-status” is ON.
Step 7 Enter the switch supervisor command.
Step 8 Enter the switch console command.
Step 9 From the standby MSFC’s ROMMON prompt, perform step 3 above but in step 3d, select option 2 “boot
system” as follows:
change the boot characteristics? y/n [n]: y
enter to boot:
0 = ROM Monitor
1 = the boot helper image
2-15 = boot system
[2]: 2 <========================

Configuration Summary
enabled are:
load rom after netboot fails
console baud: 9600
boot: image specified by the boot system commands

do you wish to change the configuration? y/n [n]: n

You must reset or power cycle for new config to take effect
rommon 2 >

Step 10 Enter the reset command at the ROMMON prompt to boot the system.
Step 11 After the MSFC has booted, from Cisco IOS configuration mode on the newly active MSFC’s console
port, enter the config-register 0x2102 command so that this MSFC boots automatically at the next reset.


Step 12 Enter ^C^C^C to return to the supervisor engine prompt.

C H A P T E R 23
Modifying the Switch Boot Configuration

This chapter describes how to modify the switch boot configuration on the Catalyst 6000 family
switches, including the BOOT environment variable, the CONFIG_FILE environment variable, and the
configuration register.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How the Switch Boot Configuration Works, page 23-1
• Default Switch Boot Configuration, page 23-4
• Setting the Configuration Register, page 23-5
• Setting the BOOT Environment Variable, page 23-10
• Setting the CONFIG_FILE Environment Variable, page 23-11
• Displaying the Switch Boot Configuration, page 23-12

Understanding How the Switch Boot Configuration Works


These sections describe how the boot configuration works:
• Understanding the Boot Process, page 23-1
• Understanding the ROM Monitor, page 23-2
• Understanding the Configuration Register, page 23-2
• Understanding the BOOT Environment Variable, page 23-3
• Understanding the CONFIG_FILE Environment Variable, page 23-3

Understanding the Boot Process


The boot process involves two software images: ROM monitor and supervisor engine system code.
When the switch is powered up or reset, the ROM-monitor code is executed. Depending on the
nonvolatile RAM (NVRAM) configuration, the switch either stays in ROM-monitor mode or loads the
supervisor engine system code.


Two user-configurable parameters determine how the switch boots: the configuration register and the
BOOT environment variable. The configuration register is described in the “Understanding the
Configuration Register” section on page 23-2. The BOOT environment variable is described in the
“Understanding the BOOT Environment Variable” section on page 23-3.

Understanding the ROM Monitor


The ROM-monitor code executes upon switch power up, reset, or when a fatal exception occurs. The
system enters ROM-monitor mode if the switch does not find a valid system image, if the NVRAM
configuration is corrupted, or if the configuration register is set to enter ROM-monitor mode. From
ROM-monitor mode, you can manually load a system image from Flash memory, from a network server
file, or from bootflash.
You can enter ROM-monitor mode by restarting the switch and then pressing the Break key during the
first 60 seconds of startup. If you are connected through a terminal server, you can escape to the Telnet
prompt and enter the send break command to enter ROM-monitor mode.

Note The Break key is always enabled for 60 seconds after rebooting the system, regardless of whether
the configuration-register setting has the Break key disabled. Anyone with console access (direct or
through a terminal server) during that window can therefore reach the ROM monitor, and from there
load a different image or change the configuration register so that NVRAM is ignored. Treat console
and terminal-server access as equivalent to full administrative access and restrict it accordingly.

The following functionality is built into the ROM monitor:


• Power-on confidence test
• Hardware initialization
• Boot capability (allows manual boot and autoboot)
• Debug utility and crash analysis
• Monitor call interface (EMT calls—the ROM monitor provides information and some functionality
to the running system images via EMT calls)
• File system (the ROM monitor knows the simple file system and supports the newly developed file
system through the dynamic linked file system library [MONLIB])
• Exception handling

Understanding the Configuration Register


The configuration register determines whether the switch loads an operating system image and where
the system image is stored. The configuration register boot field determines if and how the ROM monitor
loads a supervisor engine system image at startup. You can modify the boot field to force the switch to
boot a particular system image at startup instead of using the default system image.
The lowest four bits (bits 3, 2, 1, and 0) of the 16-bit configuration register form the boot field. The
default configuration register value is 0x10F, which sets the boot field to 1111 (0xF). The possible
configuration register boot field settings are as follows:
• When the boot field equals 0000, the switch does not load a system image. Instead, it enters
ROM-monitor mode from which you can enter ROM-monitor commands to load a system image
manually.
• When the boot field equals 0001, the switch loads the first valid system image found in onboard
Flash memory.


• When the boot field equals a value between 0010 and 1111, the switch loads the system image
specified by boot system commands in the NVRAM configuration. It attempts to boot the image in
the order in which you entered the boot system commands. If it cannot boot any image in the BOOT
environment variable list, the switch remains in ROM-monitor mode. The exact booting sequence
is defined by the ROM monitor.
The other bits in the configuration register function as follows when set:
• Bit 5 (0x0020)—Enables CONFIG_FILE recurrence.
• Bit 6 (0x0040)—Causes system software to clear NVRAM contents.
• Bit 7 (0x0080)—Enables OEM bit (not used).
• Bit 8 (0x0100)—Disables break.
• Bit 9 (0x0200)—Uses secondary bootstrap (not used by the ROM monitor).
• Bit 10 (0x0400)—Provides IP broadcast with all zeros (not used).
• Bits 11/12 (0x0800/0x1000)—Provide console line speed: 0/0=9600, 0/1=1200, 1/0=4800,
1/1=2400 (default is 9600).
• Bit 13 (0x2000)—Boots default Flash software if network boot fails (not used).
• Bit 14 (0x4000)—IP broadcasts do not have network numbers (not used).
• Bit 15 (0x8000)—Enables diagnostic messages and ignores NVRAM contents (not used).
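
To make the bit list concrete, the following is an added example written by the editor, not code from
Cisco or from this guide. It decodes a supervisor engine configuration register value into the same
fields that show boot prints and applies the single-field changes that the set boot config-register
boot, baud, auto-config and ignore-config commands make, touching only the bits each command owns.
The bit positions are the ones listed above; the values it is checked against (0x10F, 0x1820, 0x1860,
0x90F) are the ones that appear in this chapter’s command examples. It covers the supervisor engine
register only: the MSFC runs Cisco IOS, and its register (0x2102 in the redundancy procedures) follows
the IOS layout, which this chapter does not describe. Function and constant names are the editor’s.

```python
"""Decode and edit the Catalyst 6000 supervisor engine configuration register.

Bit layout follows the list in this chapter: boot field in bits 0-3, CONFIG_FILE
recurrence in bit 5, ignore-config in bit 6, break disable in bit 8, ROM-monitor
console baud in bits 11/12. Bits the guide marks "not used" are carried through
untouched, so editing one field never silently changes another.
"""

BOOT_ROMMON = 0x0          # boot field 0000: stay in ROM-monitor mode
BOOT_BOOTFLASH = 0x1       # boot field 0001: first valid image in onboard Flash

BIT_AUTOCONFIG_RECURRING = 0x0020   # bit 5
BIT_IGNORE_CONFIG = 0x0040          # bit 6
BIT_BREAK_DISABLED = 0x0100         # bit 8
BIT_BAUD_11 = 0x0800                # bit 11
BIT_BAUD_12 = 0x1000                # bit 12

# (bit 11, bit 12) -> baud rate, exactly as the chapter lists it
_BAUD_BY_BITS = {(0, 0): 9600, (0, 1): 1200, (1, 0): 4800, (1, 1): 2400}
_BITS_BY_BAUD = {baud: bits for bits, baud in _BAUD_BY_BITS.items()}


def decode_config_register(value):
    """Return a dict mirroring the summary lines that 'show boot' prints."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot_field = value & 0xF
    if boot_field == BOOT_ROMMON:
        boot = "the ROM monitor"
    elif boot_field == BOOT_BOOTFLASH:
        boot = "first image in bootflash"
    else:
        boot = "image specified by the boot system commands"
    baud_bits = (1 if value & BIT_BAUD_11 else 0, 1 if value & BIT_BAUD_12 else 0)
    return {
        "boot_field": boot_field,
        "boot": boot,
        "ignore_config": bool(value & BIT_IGNORE_CONFIG),
        "auto_config": "recurring" if value & BIT_AUTOCONFIG_RECURRING else "non-recurring",
        "break_disabled": bool(value & BIT_BREAK_DISABLED),
        "console_baud": _BAUD_BY_BITS[baud_bits],
    }


def set_boot_field(value, boot_field):
    """Like 'set boot config-register boot ...': change bits 0-3 only."""
    if not 0 <= boot_field <= 0xF:
        raise ValueError("boot field is four bits")
    return (value & ~0xF) | boot_field


def set_baud(value, baud):
    """Like 'set boot config-register baud ...': change bits 11 and 12 only."""
    b11, b12 = _BITS_BY_BAUD[baud]          # KeyError for an unsupported rate
    value &= ~(BIT_BAUD_11 | BIT_BAUD_12)
    return value | (BIT_BAUD_11 if b11 else 0) | (BIT_BAUD_12 if b12 else 0)


def set_flag(value, flag, enabled):
    """Set or clear one single-bit parameter (recurring or ignore-config)."""
    return (value | flag) if enabled else (value & ~flag)


if __name__ == "__main__":
    # Walk the same sequence as the chapter's examples: 0x0 -> 0x1800 -> 0x1820 -> 0x1860
    reg = set_baud(BOOT_ROMMON, 2400)
    reg = set_flag(reg, BIT_AUTOCONFIG_RECURRING, True)
    reg = set_flag(reg, BIT_IGNORE_CONFIG, True)
    print(hex(reg), decode_config_register(reg))
```

Before resetting a switch, decode the value that show boot reports and confirm that bit 6 is clear and
the boot field is not 0: the first state brings the switch back without its NVRAM configuration, the
second leaves it in ROM-monitor mode waiting for someone at the console.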

Understanding the BOOT Environment Variable


The BOOT environment variable specifies a list of image files on various devices from which the switch
can boot at startup.
You can add several images to the BOOT environment variable to provide a fail-safe boot configuration.
If the first file fails to boot the switch, subsequent images specified in the BOOT environment variable
are tried until the switch boots or there are no additional images to attempt to boot. If there is no valid
image to boot, the system enters ROM-monitor mode where you can manually specify an image to boot.
The system stores and executes images in the order in which you added them to the BOOT environment
variable. If you want to change the order in which images are tried at startup, you can either prepend and
clear images from the BOOT environment variable to attain the desired order or you can clear the entire
BOOT environment variable and then redefine the list in the desired order.

Understanding the CONFIG_FILE Environment Variable


You can use the CONFIG_FILE environment variable to specify a list of configuration files (auto-config
files) on various devices to use to configure the switch at startup. You can specify the following
functions:
• Nonrecurring—When you add a list of configuration files to the CONFIG_FILE environment
variable, the next time the switch is restarted, the system erases the configuration in NVRAM and
uses the specified files to configure the switch. The CONFIG_FILE environment variable is cleared
before the switch is configured. Nonrecurring is the default setting.


• Recurring—When you add a list of configuration files to the CONFIG_FILE environment variable,
the list is stored indefinitely in NVRAM. Each time the switch is restarted, the system erases the
configuration in NVRAM and configures the switch using the configuration files specified. The
CONFIG_FILE environment variable is not cleared.
For information on specifying recurrence or nonrecurrence, see the “Setting CONFIG_FILE
Recurrence” section on page 23-7.
• Overwrite—When you add a list of configuration files to the CONFIG_FILE environment variable,
overwriting means that the NVRAM configuration will be cleared before executing the
configuration files. Overwrite is the default setting.
• Append—Append means that the configuration files will be executed without first clearing
NVRAM.
For information on specifying overwriting or appending, see the “Setting CONFIG_FILE
Overwrite” section on page 23-7.
• Sync enable—Enables synchronization to force the configuration files to synchronize automatically
to the standby supervisor engine. The file(s) are kept consistent with what is on the active supervisor
engine.
• Sync disable—Disables synchronization.
For information on specifying synchronization, see the “Setting CONFIG_FILE Synchronization”
section on page 23-8.

Tip Remember that you can alter the CONFIG_FILE environment variable or change its other properties
by commands in the configuration files used to configure the switch at startup.

You can add multiple configuration files to the CONFIG_FILE environment variable. The specified files
can be any valid configuration file stored on a local Flash device (bootflash: or slot0:).
When the switch boots up, if any of the files specified in the CONFIG_FILE environment variable are
valid configuration files, the configuration in NVRAM is erased and the system uses the specified
configuration files to configure the switch. If multiple valid configuration files are specified, each
configuration file is executed in the order in which it appears in the CONFIG_FILE environment
variable.
If a specified file is not a valid configuration file, that entry is skipped and the remaining files are
tried until no entries are left. If none of the specified files is a valid configuration file, the system
retains the last configuration stored in NVRAM.
Because the default CONFIG_FILE environment variable is slot0:switch.cfg (see Table 23-1), a valid
switch.cfg file on a Flash PC card in the PCMCIA slot is applied in place of the NVRAM configuration
at the next restart. Control physical access to the slot, and check the show boot output after any
restart to confirm which files, if any, were applied.
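
The startup rules above, with their edge cases (an invalid entry that is skipped, a list with no valid
file, the difference between overwrite and append, and a nonrecurring variable that is cleared after one
use), are easier to reason about as a small simulation. The following is an added example by the editor,
not Catalyst software. The NVRAM contents and Flash files are constructed sample data, "valid
configuration file" is modelled as "present on Flash with at least one line" in place of the switch’s own
validity check, and what happens to the variable when no file is valid is an assumption noted in the code.

```python
"""Simulation of how CONFIG_FILE is applied at startup, per this chapter's rules."""


def parse_config_file_var(var):
    """'bootflash:a.cfg;slot0:b.cfg' -> ['bootflash:a.cfg', 'slot0:b.cfg']"""
    return [entry for entry in var.split(";") if entry]


def apply_config_file(nvram, config_file_var, flash, recurring=False, overwrite=True):
    """Return (nvram_after_restart, config_file_var_after_restart).

    nvram:     list of configuration lines currently stored in NVRAM
    flash:     dict of 'device:filename' -> list of lines (a valid file) or None
               (the file exists but is not a valid configuration file)
    recurring / overwrite: the two CONFIG_FILE configuration-register parameters
    """
    files = parse_config_file_var(config_file_var)
    valid = [f for f in files if flash.get(f)]      # missing or invalid entries are skipped
    if not valid:
        # No usable auto-config file: the last NVRAM configuration is retained.
        # Assumption: the variable is left unchanged in this case; the guide only
        # says it is cleared "before the switch is configured".
        return list(nvram), config_file_var
    # Overwrite (the default) clears NVRAM first; append executes the files on top of it.
    new_nvram = [] if overwrite else list(nvram)
    for f in valid:                                 # executed in the order listed
        new_nvram.extend(flash[f])
    # Nonrecurring (the default): the variable is cleared, so the files are used once.
    # Recurring: the variable is kept and the files are applied at every restart.
    return new_nvram, (config_file_var if recurring else "")


# Constructed sample data (not taken from a switch)
SAMPLE_NVRAM = ["set system name old-name", "set ip permit enable"]
SAMPLE_FLASH = {
    "bootflash:generic.cfg": ["set ip permit enable",
                              "set ip permit 10.0.0.0 255.0.0.0 telnet"],
    "bootflash:6509_1_noc.cfg": ["set system name 6509-1-noc"],
    "bootflash:broken.cfg": None,       # present, but not a valid configuration file
}


def first_restart():
    """Defaults: the invalid entry is skipped, NVRAM is replaced, the variable is cleared."""
    var = "bootflash:broken.cfg;bootflash:generic.cfg;bootflash:6509_1_noc.cfg"
    return apply_config_file(SAMPLE_NVRAM, var, SAMPLE_FLASH)


def second_restart():
    """Restart again with the variable first_restart() left behind: nothing to apply."""
    nvram, var = first_restart()
    return apply_config_file(nvram, var, SAMPLE_FLASH)


if __name__ == "__main__":
    print(first_restart())
    print(second_restart())
```

Run the same files with recurring=True to see why the Caution in the next section matters: the variable
survives the restart, so the NVRAM configuration is replaced again on every boot until the variable is
cleared or a configuration file itself changes it.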

Default Switch Boot Configuration


Table 23-1 shows the default switch boot configuration.

Table 23-1 Default Switch Boot Configuration

Feature                                                        Default Configuration
Configuration register value                                   0x10f
Boot method                                                    System boots from the image specified in the
                                                               BOOT environment variable
ROM-monitor console port baud rate                             9600 baud
ignore-config parameter                                        Disabled
BOOT environment variable                                      Empty
CONFIG_FILE environment variable                               slot0:switch.cfg
CONFIG_FILE recurrence configuration register parameter        Nonrecurring
CONFIG_FILE overwrite configuration register parameter         Overwrite
CONFIG_FILE synchronization configuration register parameter   Synchronization disabled

Setting the Configuration Register


Note Configuration register settings are not copied automatically to a redundant supervisor engine. You
must set the configuration register separately for each supervisor engine in the switch.

These sections describe how to modify the configuration register:


• Setting the Boot Field in the Configuration Register, page 23-5
• Setting the ROM-Monitor Console-Port Baud Rate, page 23-6
• Setting CONFIG_FILE Recurrence, page 23-7
• Setting CONFIG_FILE Overwrite, page 23-7
• Setting CONFIG_FILE Synchronization, page 23-8
• Setting the Switch to Ignore the NVRAM Configuration, page 23-9
• Setting the Configuration Register Value, page 23-10

Setting the Boot Field in the Configuration Register


You can determine the boot method the switch will use at the next startup by setting the boot field in the
configuration register. This command affects only the configuration register bits that control the boot
field and leaves the remaining bits unaltered. The following boot methods are supported:
• ROM monitor—Enter the rommon keyword to force the switch to remain in ROM-monitor mode
at startup.
• Bootflash—Enter the bootflash keyword to cause the switch to boot from the first image stored in
the onboard Flash.
• System—Enter the system keyword to boot from the image specified in the BOOT environment
variable (the default).

Note We recommend that you use only the rommon and system options to the set boot config-register
boot command.


To set the configuration register boot field, perform this task in privileged mode:

Task: Set the boot field in the configuration register.
Command: set boot config-register boot {rommon | bootflash | system} [mod]

This example shows how to set the boot field in the configuration register:
Console> (enable) set boot config-register boot rommon
Configuration register is 0x0
ignore-config: disabled
auto-config: non-recurring
console baud: 9600
boot: the ROM monitor
Console> (enable)

Setting the ROM-Monitor Console-Port Baud Rate


You can set the console-port baud rate used by the ROM monitor. The new baud rate is used the next
time the switch is restarted. This command affects only the configuration register bits that control the
baud rate and leaves the remaining bits unaltered.

Note The baud rate specified in the configuration register is used by the ROM monitor only and is different
from the baud rate specified by the set system baud command.

To set the ROM-monitor console-port baud rate in the configuration register, perform this task in
privileged mode:

Task: Set the ROM-monitor console-port baud rate in the configuration register.
Command: set boot config-register baud {1200 | 2400 | 4800 | 9600} [mod]

This example shows how to set the ROM-monitor console-port baud rate in the configuration register to
2400:
Console> (enable) set boot config-register baud 2400
Configuration register is 0x1800
ignore-config: disabled
auto-config: non-recurring
console baud: 2400
boot: the ROM monitor
Console> (enable)


Setting CONFIG_FILE Recurrence


By default, when you set the CONFIG_FILE environment variable, the list of configuration files to use
at startup is retained only until the next time the switch is restarted.
You can cause the system software to retain the CONFIG_FILE environment variable settings
indefinitely so that each time the switch is restarted, the specified configuration files are used to
configure the switch.
This command affects only the configuration register bit that controls whether the CONFIG_FILE
environment variable settings are recurring or nonrecurring. The remaining configuration register bits
are unaltered.

Caution With the CONFIG_FILE environment variable set to recurring, the current configuration in
NVRAM is erased each time the switch is restarted and the switch is configured using the specified
configuration files. With the CONFIG_FILE environment variable set to non-recurring, the current
configuration in NVRAM is erased at the next restart and the switch is configured using the specified
configuration files. The NVRAM configuration is retained after subsequent restarts (unless you again
set the CONFIG_FILE variable).

To set the switch to retain the current CONFIG_FILE environment variable indefinitely, perform this
task in privileged mode:

Task: Set the switch to retain the current CONFIG_FILE environment variable indefinitely.
Command: set boot config-register auto-config {recurring | non-recurring}

This example shows how to set the switch to retain the current CONFIG_FILE environment variable
indefinitely:
Console> (enable) set boot config-register auto-config recurring
Configuration register is 0x1820
ignore-config: disabled
auto-config: recurring, overwrite, sync disabled
console baud: 2400
boot: the ROM monitor
Console> (enable)

Setting CONFIG_FILE Overwrite


This command allows you to specify if the auto-config file should be used to overwrite the NVRAM
configuration or if the file configuration should be appended to what is currently in NVRAM.
Overwriting means that the NVRAM configuration will be cleared before executing the auto-config file;
appending means that the auto-config file will be executed without first clearing NVRAM. The default
is overwrite.


To specify if the auto-config file should be used to overwrite the NVRAM configuration or if the file
configuration should be appended to what is currently in NVRAM, perform this task in privileged mode:

Task: Specify if the auto-config file should be used to overwrite the NVRAM configuration or if the file
configuration should be appended to what is currently in NVRAM.
Command: set boot config-register auto-config {overwrite | append}

This example shows how to specify that the auto-config file be used to overwrite the NVRAM
configuration:
Console> (enable) set boot config-register auto-config overwrite
Configuration register is 0x12F
ignore-config: disabled
auto-config: recurring, overwrite, sync disabled
console baud: 9600
boot: image specified by the boot system commands
Console> (enable)

This example shows how to specify that the auto-config file be appended to what is currently in
NVRAM:
Console> (enable) set boot config-register auto-config append
Configuration register is 0x12F
ignore-config: disabled
auto-config: recurring, append, sync disabled
console baud: 9600
boot: image specified by the boot system commands
Console> (enable)

Setting CONFIG_FILE Synchronization


This command allows you to enable synchronization to force the auto-config file(s) to synchronize
automatically to the standby supervisor engine. The file(s) are kept consistent with what is on the active
supervisor engine. The default is disabled. These events can trigger a synchronization check and a
synchronization (if necessary):
• Changing the auto-config file(s) on either supervisor engine (if the file is deleted on the active
supervisor engine, it is also deleted on the standby supervisor engine)
• Changing the boot string CONFIG_FILE variable setting
• Inserting a new supervisor engine
• System startup
The CONFIG_FILE variable from the active supervisor engine is made identical on the standby
supervisor engine. Each auto-config file on the active supervisor engine is compared against each
corresponding auto-config file on the standby supervisor engine. Two files are considered identical if
their lengths and CRC are the same. If a file on the standby supervisor engine is not identical to the file
on the active supervisor engine, a new file is generated on the standby supervisor engine with the name
of the file on the active supervisor engine. If a file with that name already exists on the standby
supervisor engine, it is overwritten.


To enable or disable synchronization, perform this task in privileged mode:

Task: Specify if synchronization should be enabled or disabled.
Command: set boot config-register auto-config sync {enable | disable}

This example shows how to enable synchronization:


Console> (enable) set boot config-register auto-config sync enable
Configuration register is 0x12F
ignore-config: disabled
auto-config: recurring, append, sync enabled
console baud: 9600
boot: image specified by the boot system commands
Console> (enable)

This example shows how to disable synchronization:


Console> (enable) set boot config-register auto-config sync disable
Configuration register is 0x12F
ignore-config: disabled
auto-config: recurring, append, sync disabled
console baud: 9600
boot: image specified by the boot system commands
Console> (enable)

Setting the Switch to Ignore the NVRAM Configuration


You can cause the system software to ignore the configuration information stored in NVRAM the next
time the switch is restarted. This command affects only the configuration register bits that control
whether the switch ignores the NVRAM configuration and leaves the remaining bits unaltered. This
command affects the next system restart only.

Caution Enabling the ignore-config parameter is the same as entering the clear config all command; that is,
it clears the entire configuration stored in NVRAM the next time the switch is restarted.

To set the switch to ignore the NVRAM configuration at the next startup, perform this task in privileged
mode:

Task: Set the switch to ignore the contents of NVRAM at startup.
Command: set boot config-register ignore-config enable

This example shows how to set the switch to ignore the NVRAM configuration at the next startup:
Console> (enable) set boot config-register ignore-config enable
Configuration register is 0x1860
ignore-config: enabled
auto-config: recurring
console baud: 2400
boot: the ROM monitor
Console> (enable)


Setting the Configuration Register Value


To set the configuration register value, perform this task in privileged mode:

Task: Set the configuration register.
Command: set boot config-register 0xvalue [mod]

This example shows how to set the configuration register value to 0x90f:
Console> (enable) set boot config-register 0x90f
Configuration register is 0x90f
ignore-config: disabled
auto-config: non-recurring
console baud: 4800
boot: image specified by the boot system commands
Console> (enable)

Setting the BOOT Environment Variable


Note BOOT environment variable settings are not copied automatically to a redundant supervisor engine
(if present). You must set the BOOT variable separately for each supervisor engine in the switch.

These sections describe how to modify the BOOT environment variable:


• Setting the BOOT Environment Variable, page 23-10
• Clearing the BOOT Environment Variable Settings, page 23-11

Setting the BOOT Environment Variable


To set the BOOT environment variable, perform this task in privileged mode:

Task: Set the BOOT environment variable.
Command: set boot system flash device:[filename] [prepend] [mod]

This example shows how to set the BOOT environment variable:


Console> (enable) set boot system flash bootflash:cat6000-sup.5-5-1.bin
BOOT variable = bootflash:cat6000-sup.5-5-1.bin,1;
Console> (enable) set boot system flash bootflash:cat6000-sup.4-5-2.bin
BOOT variable = bootflash:cat6000-sup.5-5-1.bin,1;bootflash:cat6000-sup.4-5-2.bin,1;
Console> (enable) set boot system flash bootflash:cat6000-sup.5-2-1.bin prepend
BOOT variable = bootflash:cat6000-sup.5-2-1.bin,1;bootflash:cat6000-sup.5-5-1.bin,1;bootflash:cat6000-sup.4-5-2.bin,1;
Console> (enable)


Clearing the BOOT Environment Variable Settings


To clear entries from the BOOT environment variable, perform one of these tasks in privileged mode:

Task: Clear a specific image from the BOOT environment variable.
Command: clear boot system flash device:[filename] [mod]

Task: Clear the entire BOOT environment variable.
Command: clear boot system all [mod]

This example shows how to clear a specific entry from the BOOT environment variable:
Console> (enable) clear boot system flash bootflash:cat6000-sup.5-5-1.bin
BOOT variable = bootflash:cat6000-sup.5-2-1.bin,1;bootflash:cat6000-sup.4-5-2.bin,1;
Console> (enable)

This example shows how to clear the entire BOOT environment variable:
Console> (enable) clear boot system all
BOOT variable =
Console> (enable)

Setting the CONFIG_FILE Environment Variable


These sections describe how to modify the CONFIG_FILE environment variable:
• Setting the CONFIG_FILE Environment Variable, page 23-11
• Clearing the CONFIG_FILE Environment Variable Settings, page 23-12

Setting the CONFIG_FILE Environment Variable


You can specify multiple configuration files with the set boot auto-config command by separating them
with a semicolon (;). You must specify both the device name and the filename for each configuration file.

Note You cannot prepend or append configuration files to the CONFIG_FILE environment variable.
Entering the set boot auto-config command erases any list of configuration files previously specified
using the set boot auto-config command.

To set the CONFIG_FILE environment variable, perform this task in privileged mode:

Task: Set the CONFIG_FILE environment variable.
Command: set boot auto-config device:filename[;device:filename...]


This example shows how to set the CONFIG_FILE environment variable:


Console> (enable) set boot auto-config bootflash:generic.cfg;bootflash:6509_1_noc.cfg
CONFIG_FILE variable = bootflash:generic.cfg;bootflash:6509_1_noc.cfg
WARNING: nvram configuration may be lost during next bootup,
and re-configured using the file(s) specified.
Console> (enable)

Clearing the CONFIG_FILE Environment Variable Settings


To clear the entries from the CONFIG_FILE environment variable, perform this task in privileged mode:

Task: Clear the entries in the CONFIG_FILE environment variable.
Command: clear boot auto-config

This example shows how to clear the entries in the CONFIG_FILE environment variable:
Console> (enable) clear boot auto-config
CONFIG_FILE variable =
Console> (enable)

Displaying the Switch Boot Configuration


To display the current configuration register, the BOOT environment variable, and the CONFIG_FILE
environment variable settings, perform this task:

Task: Display the current configuration register, the BOOT environment variable, and the CONFIG_FILE
environment variable settings.
Command: show boot [mod]

This example shows how to display the current configuration register, the BOOT environment variable,
and the CONFIG_FILE environment variable settings:
Console> (enable) show boot
BOOT variable = bootflash:cat6000-sup.5-2-1.bin,1;
CONFIG_FILE variable = bootflash:generic.cfg;bootflash:6509_1_noc.cfg

Configuration register is 0x12f

ignore-config: disabled
auto-config: recurring
console baud: 9600
boot: image specified by the boot system commands

Console> (enable)

Chapter 24
Working With the Flash File System

This chapter describes how to use the Flash file system on the Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How the Flash File System Works, page 24-1
• Working with the Flash File System, page 24-1

Understanding How the Flash File System Works


The Flash file system on a Catalyst 6000 family supervisor engine provides a number of useful
commands to help you manage software image and configuration files.
The Flash file system on the supervisor engine consists of two Flash devices on which you can store
files:
• bootflash: onboard Flash memory
• slot0: Flash PC card in the PCMCIA slot

Working with the Flash File System


These sections describe how to work with the Flash file system:
• Setting the Default Flash Device, page 24-2
• Setting the Text File Configuration Mode, page 24-2
• Listing the Files on a Flash Device, page 24-3
• Copying Files, page 24-4
• Deleting Files, page 24-6
• Restoring Deleted Files, page 24-7
• Verifying a File Checksum, page 24-7
• Formatting a Flash Device, page 24-8


Setting the Default Flash Device


When you set the default Flash device for the switch, the default device is assumed when you enter a
Flash file system command without specifying the Flash device.
To set the default Flash device, perform this task:

Task                                                       Command
Step 1   Set the default Flash device for the switch.      cd [[m/][bootflash: | slot0:]]
Step 2   Verify the default Flash device for the switch.   pwd [mod]

This example shows how to change the default Flash device to slot0: and verify the default device:
Console> (enable) cd slot0:
Console> (enable) pwd
slot0
Console> (enable)

Setting the Text File Configuration Mode


When you use text file configuration mode, the switch stores its configuration as a text file in nonvolatile
storage, either in NVRAM or Flash memory. This text file consists of commands entered by you to
configure various features. For example, if you disable a port, the command to disable that port will be
in the text configuration file.
Because the text file only contains commands you have used to configure your switch, it typically uses
less NVRAM or Flash memory space than binary configuration mode. Because the text file in most cases
requires less space, NVRAM is a good place to store the file. If the text file exceeds NVRAM space, it
can also be saved to Flash memory.
When operating in text file configuration mode, most user settings are not immediately saved to
NVRAM; configuration changes are only written to DRAM. You will need to enter the write memory
command to store the configuration in nonvolatile storage.

Note VLAN commands are not saved as part of the configuration file when the switch is operating in text
mode with the VTP mode set to server.

To set the text file configuration mode, perform this task:

Task                                                                    Command
Step 1   Set the file configuration mode for the system to text.        set config mode {binary | text} [nvram | device:file-id]
Step 2   Verify the file configuration mode for the system.             show config mode
Step 3   Save the text file configuration.                              write memory
Step 4   Display the current runtime configuration.                     show running-config all
Step 5   Display the startup configuration that will be used after      show config
         the next reset.


This example shows how to configure the system to save its configuration as a text file in NVRAM,
verify the configuration mode, and display the current runtime configuration:
Console> (enable) set config mode text nvram
Binary system configuration has been deleted from NVRAM. Configuration
mode set to text. Use the write memory command to save configuration changes.
System configuration file set to: nvram
The nvram file will be used for configuration during the next bootup.
Console> (enable) show config mode
System configuration mode set to text.
System configuration file set to nvram.
Console> (enable) show running-config all
...........
begin
!
# ***** ALL (DEFAULT and NON-DEFAULT) CONFIGURATION *****
!
!
#time: Wed Jul 18 2001, 06:51:56
!
#version 6.3(0.74)
!
set password $2$FMFQ$HfZR5DUszVHIRhrz4h6V70
set enablepass $2$FMFQ$HfZR5DUszVHIRhrz4h6V70
set prompt Console>
set length 24 default
set logout 20
set config mode text nvram
set banner motd ^C^C
set banner lcd ^C^C
!
#test
set test diaglevel complete
!
#errordetection
set errordetection inband disable
set errordetection memory disable
set errordetection portcounter enable
!
#system
set system baud 9600
set system modem disable
set system name
set system location
----display truncated------
Console> (enable)
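Because a text-mode configuration is just a list of set commands, it can be audited offline before it is pushed to NVRAM with write memory. The following Python script is an added example, not part of the guide or of CatOS; the sample configuration it embeds is constructed from the excerpt above (note that the password and enablepass lines carry the same hash, which means one secret guards both login and enable mode), and the checks it applies are this example's own heuristics for the settings that appear in that excerpt.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: a CatOS text configuration modeled on the
# 'show running-config all' excerpt above (not captured from a real switch).
SAMPLE_CONFIG = """\
begin
!
#version 6.3(0.74)
!
set password $2$FMFQ$HfZR5DUszVHIRhrz4h6V70
set enablepass $2$FMFQ$HfZR5DUszVHIRhrz4h6V70
set prompt Console>
set length 24 default
set logout 20
set config mode text nvram
set banner motd ^C^C
!
#system
set system baud 9600
set system modem disable
set system name
set system location
end
"""

SET_RE = re.compile(r"^set\s+(\S+)(?:\s+(.*))?$")


def parse_set_commands(config_text: str) -> List[Tuple[str, str]]:
    """Return (keyword, remainder) for every 'set' line.

    Comment lines ('!' and '#...'), 'begin'/'end' and blank lines are skipped;
    a text-mode configuration file consists of 'set' lines plus such filler.
    """
    commands = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "#")):
            continue
        match = SET_RE.match(line)
        if match:
            commands.append((match.group(1), (match.group(2) or "").strip()))
    return commands


def group_by_keyword(commands: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    grouped: Dict[str, List[str]] = {}
    for keyword, rest in commands:
        grouped.setdefault(keyword, []).append(rest)
    return grouped


def audit_catos_config(config_text: str) -> List[str]:
    """Flag weak or incomplete settings in a CatOS text configuration.

    The checks are this example's own heuristics, not anything the guide prescribes.
    """
    grouped = group_by_keyword(parse_set_commands(config_text))
    findings = []

    login_hash = grouped.get("password", [""])[0]
    enable_hash = grouped.get("enablepass", [""])[0]
    if not login_hash:
        findings.append("no login password configured")
    if not enable_hash:
        findings.append("no enable password configured")
    if login_hash and login_hash == enable_hash:
        # Same stored hash means the same secret guards both login and enable mode.
        findings.append("login and enable passwords share one hash")

    # 'set logout 0' disables the idle timeout on console and Telnet sessions.
    if any(rest.split()[:1] == ["0"] for rest in grouped.get("logout", [])):
        findings.append("idle session timeout disabled (set logout 0)")

    # A banner consisting only of its delimiters (^C^C) is an empty MOTD.
    for rest in grouped.get("banner", []):
        kind, _, body = rest.partition(" ")
        if kind == "motd" and body.strip() in ("", "^C^C"):
            findings.append("MOTD banner is empty")

    # 'set system <subkey>' with no value leaves that field unset.
    for rest in grouped.get("system", []):
        subkey, _, value = rest.partition(" ")
        if subkey in ("name", "location") and not value.strip():
            findings.append(f"system {subkey} not set")
        if subkey == "modem" and value.strip() == "enable":
            findings.append("console modem support enabled")

    return findings


if __name__ == "__main__":
    for finding in audit_catos_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against a file saved with copy config tftp, the script reports the four findings present in the sample: shared login/enable hash, empty MOTD banner, and unset system name and location.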

Listing the Files on a Flash Device


To list the files on a Flash device, perform one of these tasks:

Task                                                                  Command
Display a list of files on a Flash device.                            dir [[m/]device:][filename]
Display a list of deleted files on a Flash device.                    dir [[m/]device:][filename] deleted
Display a list of all files on a Flash device, including deleted      dir [[m/]device:][filename] all
files.
Display a detailed list of files on a Flash device.                   dir [[m/]device:][filename] long


This example shows how to list the files on the default Flash device:
Console> (enable) dir
-#- -length- -----date/time------ name
4 3134688 Mar 15 1999 08:27:01 cat6000-sup.5-2-1-CSX.bin
5 3231989 Jan 24 1999 12:04:40 cat6000-sup.5-1-1-CSX.bin
6 135 Feb 17 1999 11:30:05 dns_config.cfg

1213952 bytes available (6388224 bytes used)


Console> (enable)

This example shows how to list the files on a Flash device other than the default device:
Console> (enable) dir slot0:
-#- -length- -----date/time------ name
1 3209261 Jun 16 1998 13:18:19 cat6000-sup.5-2-1-CSX.bin
2 135 Jul 17 1998 11:32:53 dns-config.cfg
3 3231989 Jul 17 1998 16:54:23 cat5000-sup3.4-1-2.bin
4 8589 Jul 17 1998 17:02:52 6000_config.cfg

9933504 bytes available (6450496 bytes used)


Console> (enable)

This example shows how to list the deleted files on the default Flash device:
Console> (enable) dir deleted
-#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name
1 .D ffffffff 81a027ca 41bdc 22 7004 Apr 01 1998 15:27:45 5002.config.4.1.98.cfg
2 .D ffffffff ccce97a3 43644 23 6630 Apr 01 1998 15:36:47 5002.default.config.cfg
3 .D ffffffff 81a027ca 45220 15 7004 Apr 19 1998 10:05:59 5002_config.cfg

1213952 bytes available (6388224 bytes used)


Console> (enable)

Copying Files
To copy a file, perform one of these tasks in privileged mode:

Task                                                                       Command
Copy a Flash file to a TFTP server, rcp server, Flash memory, another      copy file-id {tftp | rcp | flash | file-id | config}
Flash device, or to the running configuration.
Copy a file from a TFTP server or rcp server to Flash memory, to a         copy {tftp | rcp} {flash | file-id | config}
Flash device, or to the running configuration.
Copy a file from Flash memory to a TFTP server, rcp server, to a           copy flash {tftp | rcp | file-id | config}
Flash device, or to the running configuration.
Copy the running configuration to Flash memory, another Flash device,      copy config {flash | file-id | tftp | rcp}
to a TFTP server, or to an rcp server.


This example shows how to copy a file from the default Flash device to another Flash device:
Console> (enable) copy cat6000-sup.5-2-1-CSX.bin slot0:

13174216 bytes available on device slot0, proceed (y/n) [n]? y


CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
ccccccccccccCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
File has been copied successfully.
Console> (enable)

This example shows how to copy a file from a TFTP server to the running configuration:
Console> (enable) copy tftp config
IP address or name of remote host []? 172.20.52.3
Name of file to copy from []? dns_config.cfg

Configure using tftp:dns_config.cfg (y/n) [n]? y


/
Finished network download. (135 bytes)
>>
>> set ip dns server 172.16.10.70 primary
172.16.10.70 added to DNS server table as primary server.
>> set ip dns server 172.16.10.140
172.16.10.140 added to DNS server table as backup server.
>> set ip dns enable
DNS is enabled
>> set ip dns domain corp.com
Default DNS domain name set to corp.com
Console> (enable)

This example shows how to download a configuration file from a TFTP server for storage on a Flash
device:
Console> (enable) copy tftp flash
IP address or name of remote host []? 172.20.52.3
Name of file to copy from []? dns-config.cfg
Flash device [slot0]?
Name of file to copy to [dns-config.cfg]?

9932056 bytes available on device slot0, proceed (y/n) [n]? y


/
File has been copied successfully.
Console> (enable)

This example shows how to copy the running configuration to Flash memory:
Console> (enable) copy config flash
Flash device [bootflash]? slot0:
Name of file to copy to []? 6000_config.cfg

Upload configuration to slot0:6000_config.cfg


9942096 bytes available on device slot0, proceed (y/n) [n]? y
.....
..........
.......

..
Configuration has been copied successfully.
Console> (enable)


This example shows how to upload a configuration file on a Flash device to a TFTP server:
Console> (enable) copy slot0:6000_config.cfg tftp
IP address or name of remote host []? 172.20.52.3
Name of file to copy to [6000_config.cfg]?
/
File has been copied successfully.
Console> (enable)

This example shows how to copy a file from a remote host to Flash using rcp:
Console> (enable) copy rcp flash
IP address or name of remote host []? 172.20.52.3
Name of file to copy from []? 6000_config.cfg
Flash device [bootflash]?
Name of file to copy to [6000_config.cfg]?

4369664 bytes available on device bootflash, proceed (y/n) [n]? y


CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCC
File has been copied successfully.
Console> (enable)

Deleting Files

Caution If you enter the squeeze command on a Flash device, you cannot restore files deleted prior to the
squeeze command.

To delete files on a Flash device, perform this task in privileged mode:

Task                                                                          Command
Step 1   Delete a file on a Flash device.                                     delete [[m/]device:]filename
Step 2   If desired, permanently remove all deleted files on the Flash        squeeze [m/]device:
         device (this operation can take a number of minutes to complete).
Step 3   Verify the files are deleted.                                        dir [[m/]device:][filename]

This example shows how to delete a file from a Flash device:


Console> (enable) delete dns_config.cfg
Console> (enable)

This example shows how to permanently remove all deleted files from a Flash device:
Console> (enable) squeeze slot0:
All deleted files will be removed, proceed (y/n) [n]? y
Squeeze operation may take a while, proceed (y/n) [n]? y
Erasing squeeze log
Console> (enable)


Restoring Deleted Files


You must specify the index number of a deleted file to identify the file to undelete. The index number
for each file appears in the first column of the dir command output. A file cannot be undeleted if a valid
file with the same name already exists. Instead, you must delete the existing file and then undelete the
desired file. A file can be deleted and undeleted up to 15 times.
To restore deleted files on a Flash device, perform this task in privileged mode:

Task                                                                   Command
Step 1   Identify the index number of the deleted files on the Flash   dir [[m/]device:][filename] deleted
         device.
Step 2   Undelete a file on a Flash device.                            undelete index [[m/]device:]
Step 3   Verify that the file is restored.                             dir [[m/]device:][filename]

This example shows how to restore a deleted file:


Console> (enable) dir deleted
-#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name
6 .D ffffffff 42da7f71 657a00 14 135 Jul 17 1998 11:30:05 dns_config.cfg

1213952 bytes available (6388224 bytes used)


Console> (enable) undelete 6
Console> (enable) dir
-#- -length- -----date/time------ name
4 3134688 Apr 27 1998 08:27:01 cat6000-sup.5-2-1.bin
5 3231989 Jun 24 1998 12:04:40 cat6000-sup.5-2-1.bin
6 135 Jul 17 1998 11:30:05 dns_config.cfg

1213952 bytes available (6388224 bytes used)


Console> (enable)

Verifying a File Checksum


To verify the checksum of a file on a Flash device, perform this task in privileged mode:

Task                                                 Command
Verify the checksum of a file on a Flash device.     verify [[m/]device:] filename

This example shows how to verify the checksum of a file:


Console> (enable) verify cat6000-sup.5-2-1-CSX.bin
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCC
File bootflash:cat6000-sup.5-2-1-CSX.bin verified OK
Console> (enable)


Formatting a Flash Device


Before you use a new Flash device, you must format it. You can reserve up to 16 spare sectors for use
when other sectors fail (by default, none are reserved). If you do not reserve spare sectors and later some
sectors fail, you will have to reformat the entire Flash memory, erasing all existing data.

Note Flash PC cards formatted on Supervisor Engine 1 or on a route-switch processor (RSP)-based
Cisco 7500 series router are interchangeable if the router is running software at least at the same level
as the supervisor engine. You cannot use Flash PC cards formatted on a route processor (RP)-based
Cisco 7000 series router without reformatting.

When you format a Flash device, you can specify the monlib file (the ROM monitor library), which the
ROM monitor uses to access files in the Flash file system. The monlib file is also compiled into the
software image.
In the format command syntax, use the device2 argument to specify the device that contains the monlib
file to use. If you omit the entire device2 argument, the switch formats the device using the monlib file
that is bundled with the software. If you omit just the device name (device2) from the
[[device2:][monlib-filename]] argument, the switch formats the device using the named monlib file from
the default Flash device. If you omit the monlib-filename from the [[device2:][monlib-filename]]
argument, the switch formats the device using the monlib file from device2. If you specify the entire
[[device2:][monlib-filename]] argument, the switch formats the device using the specified monlib file
from the specified device. If the switch cannot find a monlib file, it terminates the formatting process.

Note If the Flash device has a volume ID, you must provide the volume ID to format the device. The
volume ID is displayed using the show flash m/device: filesys command.

To format a Flash device, perform this task in privileged mode:

Task                      Command
Format a Flash device.    format [spare spare-number] [m/]device1: [[device2:] [monlib-filename]]

This example shows how to format the Flash device in slot0:


Console> (enable) format slot0:
All sectors will be erased, proceed (y/n) [n]?y
Enter volume id (up to 31 characters):
Formatting sector 1
Format device slot0 completed.
Console> (enable)

Note Supervisor Engine 2 and Supervisor Engine 1 do not support the same Flash PC card format. To use
a Flash PC card with Supervisor Engine 2, format the card with Supervisor Engine 2. To use a Flash
PC card with Supervisor Engine 1, format the card with Supervisor Engine 1.

Chapter 25
Working with System Software Images

This chapter describes how to work with system software image files on the Catalyst 6000 family
switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Software Image Naming Conventions, page 25-1
• Downloading Software Images to the Switch With TFTP, page 25-2
• Uploading System Software Images to a TFTP Server, page 25-8
• Downloading System Software Images Using rcp, page 25-9
• Uploading System Software Images to an rcp Server, page 25-14
• Downloading Software Images Over a Serial Connection on the Console Port, page 25-15
• Downloading a System Image Using Xmodem or Ymodem, page 25-21

Software Image Naming Conventions


The software images on the Catalyst 6000 family switches use the following naming conventions
(software release 6.1(3) is used in the examples):
• 6.1(3) Flash image (standard)—cat6000-sup2.6-1-3.bin
• 6.1(3) Flash image (CiscoView)—cat6000-sup2cv.6-1-3.bin
• 6.1(3) Flash image (Secure Shell)—cat6000-sup2k9.6-1-3.bin
• 6.1(3) Flash image (Secure Shell and CiscoView)—cat6000-sup2cvk9.6-1-3.bin

Note Notice the sup2cv, sup2k9, and sup2cvk9 designations; sup2cv means it is a Ciscoview image,
sup2k9 means it is a Secure Shell image, sup2cvk9 means it is a Secure Shell and CiscoView image.
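Whether a switch can be managed over Secure Shell rather than Telnet is decided by which image name ends up in the BOOT variable, so the naming convention is worth checking mechanically before set boot system flash. The following Python code is an added example, not part of the guide or of CatOS: it decodes image filenames according to the convention stated above and splits a BOOT variable of the form shown in Chapter 23 (bootflash:filename,1;) into its entries. The trailing ",1" field and the "-CSX" suffix on the older Supervisor Engine 1 images elsewhere on this page are not explained by the guide, so the code carries them through unchanged rather than interpreting them.

```python
import re
from typing import Dict, List, Optional

# Matches the convention described above, e.g. cat6000-sup2cvk9.6-1-3.bin.
# The component is matched non-greedily so that the optional cv/k9 markers
# are split off; an unexplained suffix after the version (e.g. -CSX) is kept as-is.
IMAGE_RE = re.compile(
    r"^(?P<platform>cat\d+)-(?P<component>[a-z]+?\d?)"
    r"(?P<cv>cv)?(?P<k9>k9)?"
    r"\.(?P<major>\d+)-(?P<minor>\d+)-(?P<release>\d+)"
    r"(?:-(?P<suffix>[A-Za-z0-9]+))?\.bin$"
)


def parse_image_name(filename: str) -> Optional[Dict[str, object]]:
    """Decode a Catalyst image filename; return None if it does not fit the convention."""
    m = IMAGE_RE.match(filename)
    if not m:
        return None
    return {
        "platform": m.group("platform"),
        "component": m.group("component"),      # sup, sup2, atm, ...
        "ciscoview": m.group("cv") is not None,
        "ssh": m.group("k9") is not None,       # k9 images carry Secure Shell
        "version": f"{m.group('major')}.{m.group('minor')}({m.group('release')})",
        "suffix": m.group("suffix"),            # kept verbatim, e.g. 'CSX'
    }


def parse_boot_variable(boot_var: str) -> List[Dict[str, str]]:
    """Split a BOOT variable such as 'bootflash:cat6000-sup.5-2-1-CSX.bin,1;' into entries.

    Each entry is device:filename with an optional comma-separated trailing field,
    which is returned verbatim because the guide does not define it.
    """
    entries = []
    for item in boot_var.split(";"):
        item = item.strip()
        if not item:
            continue
        path, _, flags = item.partition(",")
        device, sep, filename = path.partition(":")
        if not sep:
            raise ValueError(f"BOOT entry without device prefix: {item!r}")
        entries.append({"device": device, "filename": filename, "flags": flags})
    return entries


def check_boot_images(boot_var: str, require_ssh: bool = True) -> List[str]:
    """Report BOOT entries that are not Secure Shell (k9) images or do not follow the convention.

    A non-k9 supervisor image cannot offer SSH, so a switch booting it can only be
    managed over the console or Telnet.
    """
    warnings = []
    for entry in parse_boot_variable(boot_var):
        info = parse_image_name(entry["filename"])
        if info is None:
            warnings.append(f"{entry['filename']}: name does not follow the image convention")
            continue
        if require_ssh and not info["ssh"]:
            warnings.append(f"{entry['filename']}: not a k9 image, Secure Shell unavailable")
    return warnings


if __name__ == "__main__":
    for name in ("cat6000-sup2.6-1-3.bin", "cat6000-sup2cvk9.6-1-3.bin", "cat6000-sup.5-2-1-CSX.bin"):
        print(name, "->", parse_image_name(name))
    print(check_boot_images("bootflash:cat6000-sup.5-2-1-CSX.bin,1;"))
```

Feed the BOOT variable line from show boot to check_boot_images before resetting; an empty list means every listed image is a k9 build.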


Downloading Software Images to the Switch With TFTP


These sections describe how to download system software images to the switch supervisor engine and
to intelligent modules:
• Understanding How TFTP Software Image Downloads Work, page 25-2
• Preparing to Download an Image Using TFTP, page 25-2
• Downloading Supervisor Engine Images Using TFTP, page 25-3
• Downloading Switching Module Images Using TFTP, page 25-4
• TFTP Download Procedures Example, page 25-5

Understanding How TFTP Software Image Downloads Work


You can download system software images to the switch using the Trivial File Transfer Protocol (TFTP).
TFTP allows you to download system image files over the network from a TFTP server.
Some modules, such as ATM modules, have their own onboard Flash. When you download a software
image file, the switch checks the header of the image file to determine the type of software image.
Depending on the type of software image you are downloading, one of the following occurs:
• Supervisor engine software image—The image file is downloaded to the supervisor engine Flash
memory. You can store multiple image files on the Flash memory system devices (such as boot
Flash and Flash PC cards).
• Intelligent module software images—If you specified a module number, the image file is
downloaded to the specified module only (provided the image file is designed for the specified
module type). If you do not specify a module number, the image file is downloaded to every module
of the appropriate type. The file is relayed packet by packet to the appropriate modules using the
Inter-Process Communications protocol internal to the system, with communication taking place
across the switching bus. Downloading a software image to multiple modules significantly speeds
up the process of updating the software on multiple modules of the same type.

Note For more information on working with system software image files on the Flash file system, see
Chapter 24, “Working With the Flash File System.”

Preparing to Download an Image Using TFTP


Before you begin downloading a software image using TFTP, make sure of the following:
• Ensure that the workstation acting as the TFTP server is configured properly. On a Sun workstation,
make sure that the /etc/inetd.conf file contains the following line:
tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -p -s /tftpboot

Make sure that the /etc/services file contains this line:


tftp 69/udp


Note You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services
files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot
command (on the SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x). Refer
to the documentation for your workstation for more information on using the TFTP
daemon.

• Ensure that the switch has a route to the TFTP server. The switch and the TFTP server must be in
the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity
to the TFTP server using the ping command.
• Ensure that the software image to be downloaded is in the correct directory on the TFTP server
(usually /tftpboot on a UNIX workstation).
• Ensure that the permissions on the file are set correctly. Permissions on the file should be
world-read.
• A power interruption (or other problem) during the download procedure can corrupt the Flash code.
If the Flash code is corrupted, you can connect to the switch through the console port and boot from
an uncorrupted system image on a Flash PC card.
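TFTP and rcp carry the image with no authentication or encryption, and the verify command in Chapter 24 only confirms that the file on Flash agrees with its own checksum, which catches a corrupted transfer but not a substituted file. The checks a practitioner wants to run on the TFTP server side, before copy tftp flash, are therefore: the staged file is a regular, world-readable but not world-writable file inside the TFTP root, and its digest matches the value published with the image. The following Python script is an added example, not part of the guide or of any Cisco tool; the sample "image" it stages is constructed bytes, and the reference digest in the demo is computed locally where in practice it would come from the vendor's published value (MD5 or SHA-256 hex, whichever is available).

```python
import hashlib
import os
import stat
from typing import List, Optional

# Hex-digest lengths accepted for the out-of-band reference value.
DIGEST_ALGOS = {32: "md5", 64: "sha256"}


def file_digest(path: str, algo: str) -> str:
    """Hex digest of a file, streamed so multi-megabyte images are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_staged_image(path: str, expected_digest: Optional[str] = None) -> List[str]:
    """Return problems with a file staged for 'copy tftp flash'; an empty list means it is ready.

    Checks: exists and is a regular file (not a symlink pointing out of the TFTP root),
    world-readable as the guide requires, not world-writable, and, if a reference
    digest is supplied, that the content matches it.
    """
    problems = []
    if not os.path.lexists(path):
        return [f"{path}: does not exist"]
    if os.path.islink(path):
        problems.append(f"{path}: is a symlink; stage a real copy inside the TFTP root")
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
        return problems
    mode = stat.S_IMODE(st.st_mode)
    if not mode & stat.S_IROTH:
        problems.append(f"{path}: not world-readable (mode {mode:04o}); in.tftpd cannot serve it")
    if mode & stat.S_IWOTH:
        problems.append(f"{path}: world-writable (mode {mode:04o}); any local user can replace the image")
    if expected_digest is not None:
        ref = expected_digest.strip().lower()
        algo = DIGEST_ALGOS.get(len(ref))
        if algo is None:
            problems.append("reference digest is neither MD5 (32 hex) nor SHA-256 (64 hex)")
        elif file_digest(path, algo) != ref:
            problems.append(f"{path}: {algo} digest does not match the reference value")
    return problems


def stage_sample(directory: str) -> str:
    """Write a constructed stand-in for an image into `directory` with mode 0644 and return its path.

    The content is made up for this example; it is not a Cisco image.
    """
    path = os.path.join(directory, "cat6000-sup2k9.6-1-3.bin")
    with open(path, "wb") as fh:
        fh.write(b"constructed sample image bytes\n" * 64)
    os.chmod(path, 0o644)
    return path


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tftpboot:
        image = stage_sample(tftpboot)
        reference = file_digest(image, "sha256")  # in practice: the digest published with the image
        print(check_staged_image(image, reference) or "ready to serve")
        os.chmod(image, 0o666)
        print(check_staged_image(image, "0" * 64))
```

Run it against /tftpboot/<image> with the published digest as the second argument; fix every reported problem before starting the copy, and re-run verify on the switch afterwards to catch corruption during the transfer itself.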

Downloading Supervisor Engine Images Using TFTP

Note If you have a redundant supervisor engine, you cannot download a system image directly from a
TFTP server to the Flash memory on the standby supervisor engine. When you download the image
to the active supervisor engine, the standby supervisor engine synchronizes automatically with the
new image. In addition, you cannot copy an image from the standby supervisor engine to the active
supervisor engine.

To download a supervisor engine software image to the switch from a TFTP server, perform these steps:

Step 1 Copy the software image file to the appropriate TFTP directory on the workstation.
Step 2 Log into the switch through the console port or through a Telnet session. If you log in using Telnet, your
Telnet session disconnects when you reset the switch to run the new software.
Step 3 Enter the copy tftp flash command. When prompted, enter the IP address or host name of the TFTP
server and the name of the file to download. On those platforms that support the Flash file system, you
are also prompted for the Flash device to which to copy the file and the destination filename.
The switch downloads the image file from the TFTP server to the specified Flash device.

Note The switch remains operational while the image downloads.

Step 4 Modify the BOOT environment variable using the set boot system flash device:filename prepend
command, so that the new image boots when you reset the switch. Specify the Flash device (device:) and
the filename of the downloaded image (filename).
Step 5 Reset the switch using the reset system command. If you are connected to the switch through Telnet,
your Telnet session disconnects.
During startup, the Flash memory on the supervisor engine is reprogrammed with the new Flash code.


Step 6 When the switch reboots, enter the show version command to check the version of the code on the
switch.

Note For examples that show complete TFTP download procedures for the various supervisor engine and
switch types, see the “TFTP Download Procedures Example” section on page 25-5.

Downloading Switching Module Images Using TFTP


To download a software image to an intelligent module, perform these steps:

Step 1 Copy the software image file to the appropriate TFTP directory on the workstation.
Step 2 Log into the switch through the console port or a Telnet session. If you log in using Telnet, your Telnet
session might disconnect when you reset modules to run the new software.
Step 3 If there is only one module of the type appropriate for the image, or if there are multiple modules of the
same type and you want to update the image on all of them, enter the copy tftp flash command. When
prompted, enter the IP address or host name of the TFTP server, the name of the file to download, the
Flash device to which to copy the file, and the destination filename.
Step 4 If there are multiple modules of the type appropriate for the image but you only want to update a single
module, enter the copy tftp m/bootflash: command, where m is the number of the module to which to
download the software image.

Note If you do not specify a module number, the switch examines the header of the image file to
determine to which modules the software is downloaded. The image is then downloaded to
all the modules of that type.

The switch downloads the image file, erases the Flash memory on the appropriate modules, and
reprograms the Flash memory with the downloaded Flash code.

Note All modules in the switch remain operational while the image downloads.

Step 5 Reset the appropriate modules using the reset mod command. If you are connected through Telnet, your
Telnet session disconnects if you reset the module through which your connection was made.
Step 6 When the upgraded modules come online, enter the show version [mod] command to check the version
of the code on the switch.

Note For examples that show complete procedures for TFTP downloads to intelligent modules, see the
“Single Module Image TFTP Download Example” section on page 25-6 and the “Multiple Module
Image TFTP Download Example” section on page 25-7.


TFTP Download Procedures Example


These sections show example TFTP download procedures:
• Supervisor Image TFTP Download Example, page 25-5
• Single Module Image TFTP Download Example, page 25-6
• Multiple Module Image TFTP Download Example, page 25-7

Supervisor Image TFTP Download Example

Note For a step-by-step procedure for downloading a supervisor engine software image from a TFTP
server, see the “Downloading Supervisor Engine Images Using TFTP” section on page 25-3.

This example shows a complete TFTP download procedure of a supervisor engine software image to a
Catalyst 6000 family switch:
Console> (enable) copy tftp flash
IP address or name of remote host []? 172.20.52.3
Name of file to copy from []? cat6000-sup.5-2-1-CSX.bin
Flash device [bootflash]?
Name of file to copy to [cat6000-sup.5-2-1-CSX.bin]?

4369664 bytes available on device bootflash, proceed (y/n) [n]? y


CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCC
File has been copied successfully.

Console> (enable) set boot system flash bootflash:cat6000-sup.5-2-1-CSX.bin


BOOT variable = bootflash:cat6000-sup.5-2-1-CSX.bin,1;
Console> (enable) reset system
This command will reset the system.
Do you want to continue (y/n) [n]? y
Console> (enable) 07/21/1998,13:51:39:SYS-5:System reset from Console//

System Bootstrap, Version 4.2


Copyright (c) 1994-1998 by cisco Systems, Inc.
c6k_sup1 processor with 32768 Kbytes of main memory

Autoboot executing command: "boot bootflash:cat6000-sup.5-2-1-CSX.bin"


CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCC
Uncompressing file: ###########################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
#############

System Power On Diagnostics


DRAM Size ....................32 MB
Testing DRAM..................Passed
Verifying Text segment .......Passed
NVRAM Size ...................512 KB


Saving NVRAM .................


Testing NVRAM ................Passed
Restoring NVRAM...............
Level2 Cache ..................Present
Level2 Cache test..............Passed

Leaving power_on_diags

Cafe Daughter Present.

EOBC link up

Boot image: bootflash:cat6000-sup.5-2-1-CSX.bin


Flash Size = 0X1000000, num_flash_sectors = 64
readCafe2Version: 0x00000001
RIn Local Test Mode, Pinnacle Synch Retries: 2
Running System Diagnostics from this Supervisor (Module 1)
This may take up to 2 minutes....please wait

Cisco Systems Console

Enter password:
07/21/1998,13:52:51:SYS-5:Module 1 is online
07/21/1998,13:53:11:SYS-5:Module 4 is online
07/21/1998,13:53:11:SYS-5:Module 5 is online
07/21/1998,13:53:14:PAGP-5:Port 1/1 joined bridge port 1/1.
07/21/1998,13:53:14:PAGP-5:Port 1/2 joined bridge port 1/2.
07/21/1998,13:53:40:SYS-5:Module 2 is online
07/21/1998,13:53:45:SYS-5:Module 3 is online

Console>

Single Module Image TFTP Download Example

Note For a step-by-step procedure for downloading software images to intelligent modules, see the
“Downloading Switching Module Images Using TFTP” section on page 25-4.

This example shows a complete TFTP download procedure of an ATM software image to a single ATM
module:
Console> (enable) show version 4
Mod Port Model Serial # Versions
--- ---- ---------- --------- ----------------------------------------
4 1 WS-X6101 003414855 Hw : 1.2
Fw : 1.3
Sw : 3.2(6)

Console> (enable) copy tftp 4/flash


IP address or name of remote host []? 172.20.52.3
Name of file to copy from []? cat6000-atm.3-2-7.bin
Download image tftp:cat6000-atm.3-2-7.bin to Module 4 FLASH (y/n) [n]? y
This command will reset Download Module(s) you selected.


Do you wish to continue download flash (y/n) [n]? y

Download done for module 4, please wait for it to come online

File has been copied successfully.


Console> (enable) 07/21/1998,13:13:54:SYS-5:Module 4 is online

Console> (enable) show version 4


Mod Port Model Serial # Versions
--- ---- ---------- --------- ----------------------------------------
4 1 WS-X6101 003414855 Hw : 1.2
Fw : 1.3
Sw : 3.2(7)
Console> (enable)

Multiple Module Image TFTP Download Example

Note For a step-by-step procedure for downloading software images to intelligent modules, see the
“Downloading Switching Module Images Using TFTP” section on page 25-4.

This example shows a complete TFTP download procedure of an ATM software image to multiple ATM
modules:
Console> (enable) show version 4
Mod Port Model Serial # Versions
--- ---- ---------- --------- ----------------------------------------
4 1 WS-X6101 003414855 Hw : 1.2
Fw : 1.3
Sw : 3.2(6)
Console> (enable) show version 5
Mod Port Model Serial # Versions
--- ---- ---------- --------- ----------------------------------------
5 1 WS-X6101 003414463 Hw : 1.2
Fw : 1.3
Sw : 3.2(6)
Console> (enable) copy tftp flash
IP address or name of remote host []? 172.20.52.3
Name of file to copy from []? cat6000-atm.3-2-7.bin
Download image tftp:cat6000-atm.3-2-7.bin to Module 4 FLASH (y/n) [n]? y
Download image tftp:cat6000-atm.3-2-7.bin to Module 5 FLASH (y/n) [n]? y
This command will reset Download Module(s) you selected.

Do you wish to continue download flash (y/n) [n]? y


Download done for module 4, please wait for it to come online

Download done for module 5, please wait for it to come online

File has been copied successfully.


Console> (enable) 07/21/1998,12:25:10:SYS-5:Module 4 is online
07/21/1998,12:25:10:SYS-5:Module 5 is online

Console> (enable) show version 4


Mod Port Model Serial # Versions
--- ---- ---------- --------- ----------------------------------------
4 1 WS-X6101 003414855 Hw : 1.2
Fw : 1.3
Sw : 3.2(7)


Console> (enable) show version 5


Mod Port Model Serial # Versions
--- ---- ---------- --------- ----------------------------------------
5 1 WS-X6101 003414463 Hw : 1.2
Fw : 1.3
Sw : 3.2(7)
Console> (enable)

Uploading System Software Images to a TFTP Server


These sections describe how to upload system software images from a switch to a TFTP server:
• Preparing to Upload an Image to a TFTP Server, page 25-8
• Uploading Software Images to a TFTP Server, page 25-9

Note For more information on working with system software image files on the Flash file system, see
Chapter 24, “Working With the Flash File System.”

Preparing to Upload an Image to a TFTP Server


Before you attempt to upload a software image to a TFTP server, do the following:
• Ensure that the workstation acting as the TFTP server is configured properly. On a Sun workstation,
make sure that the /etc/inetd.conf file contains this line:
tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -p -s /tftpboot

Make sure that the /etc/services file contains this line:


tftp 69/udp

Note You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services
files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot
command (on the SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x). Refer
to the documentation for your workstation for more information on using the TFTP
daemon.

• Ensure that the switch has a route to the TFTP server. The switch and the TFTP server must be in
the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity
to the TFTP server using the ping command.
• You might need to create an empty file on the TFTP server before uploading the image. To create
an empty file, enter the touch filename command, where filename is the name of the file you will
use when uploading the image to the server.
• If you are overwriting an existing file (including an empty file, if you had to create one), ensure that
the permissions on the file are set correctly. Permissions on the file should be world-write.
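As an added example (not from the Cisco guide), the following Python script performs the pre-flight checks this list describes on a workstation of the SunOS/Solaris style shown above: it looks for the tftp entry in inetd.conf, confirms the directory that in.tftpd is restricted to with -s, checks for the tftp 69/udp line in /etc/services, and pre-creates the destination file with world-write permission. The configuration text, file name and function names are constructed for the example.

```python
"""Pre-flight check for a TFTP server that will receive an uploaded image.

Added example, not part of the Cisco guide. The configuration texts below
are constructed samples, not copied from a real host; function names are ours.
"""
import os
import stat
import tempfile

# Constructed sample /etc/inetd.conf and /etc/services contents.
SAMPLE_INETD_CONF = """\
ftp     stream  tcp     nowait  root    /usr/etc/in.ftpd    in.ftpd
tftp    dgram   udp     wait    root    /usr/etc/in.tftpd   in.tftpd -p -s /tftpboot
"""
SAMPLE_SERVICES = """\
ftp             21/tcp
tftp            69/udp
"""


def tftp_inetd_entry(inetd_conf_text):
    """Return the parsed tftp entry from inetd.conf text, or None if absent.

    The guide's required line is:
    tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -p -s /tftpboot
    Fields are whitespace separated; the server's own arguments trail the name.
    """
    for line in inetd_conf_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank or commented out
        if fields[0] == "tftp" and len(fields) >= 6:
            return {
                "socket_type": fields[1],
                "protocol": fields[2],
                "wait": fields[3],
                "user": fields[4],
                "server": fields[5],
                "args": fields[6:],
            }
    return None


def tftp_root_dir(entry):
    """Return the directory passed to in.tftpd -s (the only tree clients can reach)."""
    args = entry["args"]
    if "-s" in args:
        i = args.index("-s")
        if i + 1 < len(args):
            return args[i + 1]
    return None


def services_has_tftp(services_text):
    """True when /etc/services maps tftp to 69/udp as the guide requires."""
    for line in services_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "tftp" and fields[1] == "69/udp":
            return True
    return False


def check_tftp_server(inetd_conf_text, services_text):
    """Return a list of problems; an empty list means the config matches the guide."""
    problems = []
    entry = tftp_inetd_entry(inetd_conf_text)
    if entry is None:
        problems.append("no tftp entry in inetd.conf")
    else:
        if (entry["socket_type"], entry["protocol"]) != ("dgram", "udp"):
            problems.append("tftp entry is not dgram/udp")
        if tftp_root_dir(entry) is None:
            problems.append("in.tftpd is not restricted to a directory with -s")
    if not services_has_tftp(services_text):
        problems.append("no 'tftp 69/udp' line in /etc/services")
    return problems


def prepare_upload_target(tftp_root, filename):
    """Create the empty destination file (the guide's touch step) and make it
    world-writable (mode 0666) as the guide requires; return the resulting mode."""
    path = os.path.join(tftp_root, filename)
    with open(path, "a"):
        pass
    os.chmod(path, 0o666)
    return stat.S_IMODE(os.stat(path).st_mode)


def prepare_target_in_tempdir(filename="cat6000-sup.5-4-1.bin"):
    """Run prepare_upload_target in a throwaway directory standing in for /tftpboot."""
    with tempfile.TemporaryDirectory() as tmp:
        return prepare_upload_target(tmp, filename)


if __name__ == "__main__":
    print(check_tftp_server(SAMPLE_INETD_CONF, SAMPLE_SERVICES))
    print(oct(prepare_target_in_tempdir()))
```

Because TFTP carries no authentication, the -s directory is the only boundary between the switch's upload and the rest of the workstation's file system, which is why the check treats a missing -s as a problem rather than a style point.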


Uploading Software Images to a TFTP Server


To upload a software image on a switch to a TFTP server for storage, perform these steps:

Step 1 Log into the switch through the console port or a Telnet session.
Step 2 Upload the software image to the TFTP server with the copy flash tftp command. When prompted,
specify the TFTP server address and destination filename. On platforms that support the Flash file
systems, you are first prompted for the Flash device and source filename. If desired, you can use the copy
file-id tftp command on these platforms.
The software image is uploaded to the TFTP server.

This example shows how to upload the supervisor engine software image:
Console> (enable) copy flash tftp
Flash device [bootflash]? slot0:
Name of file to copy from []? cat6000-sup.5-4-1.bin
IP address or name of remote host [172.20.52.3]? 172.20.52.10
Name of file to copy to [cat6000-sup.5-4-1.bin]?
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC|
File has been copied successfully.
Console> (enable)

Downloading System Software Images Using rcp


These sections describe how to download system software images to the switch supervisor engine and
to intelligent modules:
• Preparing to Download an Image Using rcp, page 25-9
• Downloading Supervisor Engine Images Using rcp, page 25-10
• Downloading Switching Module Images Using rcp, page 25-10
• Example rcp Download Procedures, page 25-11

Preparing to Download an Image Using rcp


Before you begin downloading a software image using rcp, make sure of the following:
• Ensure that the workstation acting as the rcp server supports the remote shell (rsh).
• Ensure that the switch has a route to the rcp server. The switch and the rcp server must be in the
same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to
the rcp server using the ping command.


• If you are accessing the switch through the console or a Telnet session without a valid username,
make sure that the current rcp username is the one you want to use for the rcp download. You can
enter the show users command to view the current valid username. If you do not want to use the
current username, create a new rcp username using the set rcp username command. The new
username will be stored in NVRAM. If you are accessing the switch through a Telnet session with
a valid username, this username will be used and there is no need to set the rcp username.
• A power interruption (or other problem) during the download procedure can corrupt the Flash code.
If the Flash code is corrupted, you can connect to the switch through the console port and boot from
an uncorrupted system image on a Flash PC card.

Downloading Supervisor Engine Images Using rcp


To download a supervisor engine software image to the switch from an rcp server, perform these steps:

Step 1 Copy the software image file to the appropriate rcp directory on the workstation.
Step 2 Log into the switch through the console port or through a Telnet session. If you log in using Telnet, your
Telnet session disconnects when you reset the switch to run the new software.
Step 3 Download the software image from the rcp server by entering the copy rcp flash command. When
prompted, enter the IP address or host name of the rcp server and the name of the file to download. On
those platforms that support the Flash file system, you are also prompted for the Flash device to which
to copy the file and the destination filename.
The switch downloads the image file from the rcp server.

Note The switch remains operational while the image downloads.

Step 4 Modify the BOOT environment variable by entering the set boot system flash device:filename prepend
command, so that the new image boots when you reset the switch. Specify the Flash device (device:) and
the filename of the downloaded image (filename).
Step 5 Reset the switch by entering the reset system command. If you are connected to the switch through
Telnet, your Telnet session disconnects.
During startup, the Flash memory on the supervisor engine is reprogrammed with the new Flash code.
Step 6 When the switch reboots, enter the show version command to check the version of the code on the
switch.

Downloading Switching Module Images Using rcp


To download a software image to an intelligent module on a Catalyst 6000 family switch, perform these
steps:

Step 1 Copy the software image file to the appropriate rcp directory on the workstation.
Step 2 Log into the switch through the console port or a Telnet session. If you log in using Telnet, your Telnet
session might disconnect when you reset modules to run the new software.


Step 3 Enter the command appropriate for your switch and supervisor engine to download the software image
from the rcp server:
• If there is only one module of the type appropriate for the image, or if there are multiple modules of
the same type and you want to update the image on all of them, enter the copy rcp flash command.
When prompted, enter the IP address or host name of the rcp server, the name of the file to
download, the Flash device to which to copy the file, and the destination filename.
• If there are multiple modules of the type appropriate for the image but you only want to update a
single module, enter the copy rcp | m/bootflash: command, where m is the number of the module
to which to download the software image. If you do not specify the module, all modules of the same
type will be updated.

Note If you do not specify a module number, the switch examines the header of the image file to
determine to which modules the software is downloaded. The image is then downloaded to
all the modules of that type.

The switch downloads the image file, erases the Flash memory on the appropriate modules, and
reprograms the Flash memory with the downloaded Flash code.

Note All modules in the switch remain operational while the image downloads.

Step 4 Reset the appropriate modules using the reset mod command. If you are connected through Telnet, your
Telnet session disconnects if you reset the module through which your connection was made.
Step 5 When the upgraded modules come online, enter the show version [mod] command to check the version
of the code on the switch.
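Both rcp procedures above finish the same way: the supervisor procedure prepends the new image to the BOOT variable, and both wait for the "Module n is online" messages and confirm the result with show version. As an added example that is not part of the guide, this Python script parses show version output and SYS-5 log lines in the format the transcripts in this chapter use, models the edit that set boot system flash device:filename prepend makes to the BOOT variable, and reports which modules actually run the downloaded version. The sample output and log lines are constructed in the page's format; the assumption that an image named cat6000-*.X-Y-Z.bin reports Sw X.Y(Z) is taken from the guide's own ATM examples (cat6000-atm.3-2-7.bin shows Sw 3.2(7)).

```python
"""Post-download verification helpers for a Catalyst 6000 image upgrade.

Added example, not Cisco code. Sample data below is constructed in the
format of the guide's transcripts; the module 5 failure is invented to
show what an incomplete upgrade looks like to the checker.
"""
import re

SHOW_VERSION_BEFORE = """\
Mod Port Model Serial # Versions
--- ---- ---------- --------- ----------------------------------------
4 1 WS-X6101 003414855 Hw : 1.2
Fw : 1.3
Sw : 3.2(6)
5 1 WS-X6101 003414463 Hw : 1.2
Fw : 1.3
Sw : 3.2(6)
"""
# Constructed: module 4 took the new image, module 5 did not.
SHOW_VERSION_AFTER = """\
Mod Port Model Serial # Versions
--- ---- ---------- --------- ----------------------------------------
4 1 WS-X6101 003414855 Hw : 1.2
Fw : 1.3
Sw : 3.2(7)
5 1 WS-X6101 003414463 Hw : 1.2
Fw : 1.3
Sw : 3.2(6)
"""
SAMPLE_LOG = [
    "09/2/1999,12:25:10:SYS-5:Module 4 is online",
    "09/2/1999,12:25:12:PAGP-5:Port 1/1 joined bridge port 1/1.",
]

# A module row carries mod, port, model, serial and the first version field;
# the Fw/Sw lines that follow belong to that module.
MODULE_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(Hw|Fw|Sw)\s*:\s*(\S+)")
VERSION_ROW = re.compile(r"^\s*(Hw|Fw|Sw)\s*:\s*(\S+)")
ONLINE_MSG = re.compile(r"SYS-5:Module (\d+) is online")


def parse_show_version(text):
    """Return {module_number: {"model", "serial", "Hw", "Fw", "Sw"}} from show version output."""
    modules = {}
    current = None
    for line in text.splitlines():
        m = MODULE_ROW.match(line)
        if m:
            current = {"model": m.group(3), "serial": m.group(4), m.group(5): m.group(6)}
            modules[int(m.group(1))] = current
            continue
        v = VERSION_ROW.match(line)
        if v and current is not None:
            current[v.group(1)] = v.group(2)
    return modules


def expected_image_version(filename):
    """Map an image name to the Sw string it should report: cat6000-atm.3-2-7.bin -> '3.2(7)'.
    Assumption: the naming scheme seen in the guide's ATM examples holds generally."""
    m = re.search(r"\.(\d+)-(\d+)-(\d+)", filename)
    if not m:
        raise ValueError("no version in image name: " + filename)
    return "%s.%s(%s)" % m.groups()


def upgraded_modules(before_text, after_text, image_filename):
    """Compare show version output taken before and after the download and say,
    per module, whether its Sw field now matches the downloaded image."""
    want = expected_image_version(image_filename)
    before = parse_show_version(before_text)
    after = parse_show_version(after_text)
    return {
        mod: {"before": before.get(mod, {}).get("Sw"), "after": info.get("Sw"),
              "ok": info.get("Sw") == want}
        for mod, info in after.items()
    }


def modules_online(log_lines, expected):
    """Return the set of expected modules that have not yet logged 'is online'."""
    seen = {int(m.group(1)) for m in map(ONLINE_MSG.search, log_lines) if m}
    return set(expected) - seen


def boot_prepend(boot_var, image_path):
    """Model 'set boot system flash <image> prepend': put '<image>,1' at the head of the
    BOOT list. Entries are 'device:file,1' separated by ';'. As the guide's transcript
    shows, prepending an image already in the list leaves it listed twice."""
    entries = [e for e in boot_var.split(";") if e]
    return ";".join([image_path + ",1"] + entries) + ";"


if __name__ == "__main__":
    print(upgraded_modules(SHOW_VERSION_BEFORE, SHOW_VERSION_AFTER, "cat6000-atm.3-2-7.bin"))
    print("still offline:", modules_online(SAMPLE_LOG, [4, 5]))
    print(boot_prepend("bootflash:cat6000-sup.5-2-1-csx.bin,1;", "bootflash:cat6000-sup.5-2-1-csx.bin"))
```

The parser accepts both the column-aligned form the switch prints and the whitespace-collapsed form reproduced in this chapter, so the same check works on a captured Telnet session.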

Example rcp Download Procedures


These sections show example rcp download procedures:
• Supervisor Image rcp Download Example, page 25-11
• Single Module Image rcp Download Example, page 25-13
• Multiple Module Image rcp Download Example, page 25-13

Supervisor Image rcp Download Example

Note For a step-by-step procedure for downloading a supervisor engine software image from an rcp server,
see the “Downloading Supervisor Engine Images Using rcp” section on page 25-10.

This example shows a complete rcp download procedure of a supervisor engine software image to a
Catalyst 6000 family switch:
Console> (enable) copy rcp flash
IP address or name of remote host []? 172.20.52.3
Name of file to copy from []? cat6000-sup.5-2-1-csx.bin
Flash device [bootflash]?


Name of file to copy to [cat6000-sup.5-2-1-csx.bin]?

4369664 bytes available on device bootflash, proceed (y/n) [n]? y


CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCC
File has been copied successfully.
Console> (enable) set boot system flash bootflash:cat6000-sup.5-2-1-csx.bin prepend
BOOT variable = bootflash:cat6000-sup.5-2-1-csx.bin,1;bootflash:cat6000-sup.5-2-
1-csx.bin,1;
Console> (enable) reset system
This command will reset the system.
Do you want to continue (y/n) [n]? y
Console> (enable) 09/2/1999,13:51:39:SYS-5:System reset from Console//

System Bootstrap, Version 4.2


Copyright (c) 1994-1999 by cisco Systems, Inc.
Presto processor with 32768 Kbytes of main memory

Autoboot executing command: "boot bootflash:cat6000-sup.5-2-1-csx.bin"


CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCC
Uncompressing file: ###########################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
#############

System Power On Diagnostics


DRAM Size ....................32 MB
Testing DRAM..................Passed
Verifying Text segment .......Passed
NVRAM Size ...................512 KB
Saving NVRAM .................
Testing NVRAM ................Passed
Restoring NVRAM...............
Level2 Cache ..................Present
Level2 Cache test..............Passed

Leaving power_on_diags

Cafe Daughter Present.

EOBC link up

Boot image: bootflash:cat6000-sup.5-2-1-CSX.bin


Flash Size = 0X1000000, num_flash_sectors = 64
readCafe2Version: 0x00000001
RIn Local Test Mode, Pinnacle Synch Retries: 2
Running System Diagnostics from this Supervisor (Module 1)
This may take up to 2 minutes....please wait

Cisco Systems Console


Enter password:
09/2/1999,13:52:51:SYS-5:Module 1 is online
09/2/1999,13:53:11:SYS-5:Module 4 is online
09/2/1999,13:53:11:SYS-5:Module 5 is online
09/2/1999,13:53:14:PAGP-5:Port 1/1 joined bridge port 1/1.
09/2/1999,13:53:14:PAGP-5:Port 1/2 joined bridge port 1/2.
09/2/1999,13:53:40:SYS-5:Module 2 is online
09/2/1999,13:53:45:SYS-5:Module 3 is online
Console> (enable)

Single Module Image rcp Download Example

Note For a step-by-step procedure for downloading software images to intelligent modules, see the
“Downloading Switching Module Images Using rcp” section on page 25-10.

This example shows a complete rcp download procedure of an ATM software image to a single ATM
module:
Console> (enable) show version 4
Mod Port Model Serial # Versions
--- ---- ---------- --------- ----------------------------------------
4 1 WS-X6101 003414855 Hw : 1.2
Fw : 1.3
Sw : 3.2(6)
Console> (enable) copy rcp 4/flash
IP address or name of remote host []? 172.20.52.3
Name of file to copy from []? cat6000-atm.3-2-7.bin
Download image rcp:cat6000-atm.3-2-7.bin to Module 4 FLASH (y/n) [n]? y
This command will reset Download Module(s) you selected.

Do you wish to continue download flash (y/n) [n]? y

Download done for module 4, please wait for it to come online

File has been copied successfully.


Console> (enable) 09/2/1999,13:13:54:SYS-5:Module 4 is online

Console> (enable) show version 4


Mod Port Model Serial # Versions
--- ---- ---------- --------- ----------------------------------------
4 1 WS-X6101 003414855 Hw : 1.2
Fw : 1.3
Sw : 3.2(7)
Console> (enable)

Multiple Module Image rcp Download Example

Note For a step-by-step procedure for downloading software images to intelligent modules, see the
“Downloading Switching Module Images Using rcp” section on page 25-10.


This example shows a complete rcp download procedure of an ATM software image to multiple ATM
modules:
Console> (enable) show version 4
Mod Port Model Serial # Versions
--- ---- ---------- --------- ----------------------------------------
4 1 WS-X6101 003414855 Hw : 1.2
Fw : 1.3
Sw : 3.2(6)
Console> (enable) show version 5
Mod Port Model Serial # Versions
--- ---- ---------- --------- ----------------------------------------
5 1 WS-X6101 003414463 Hw : 1.2
Fw : 1.3
Sw : 3.2(6)
Console> (enable) copy rcp flash
IP address or name of remote host []? 172.20.52.3
Name of file to copy from []? cat6000-atm.3-2-7.bin
Download image rcp:cat6000-atm.3-2-7.bin to Module 4 FLASH (y/n) [n]? y
Download image rcp:cat6000-atm.3-2-7.bin to Module 5 FLASH (y/n) [n]? y
This command will reset Download Module(s) you selected.

Do you wish to continue download flash (y/n) [n]? y


Download done for module 4, please wait for it to come online
Download done for module 5, please wait for it to come online

File has been copied successfully.


Console> (enable) 09/2/1999,12:25:10:SYS-5:Module 4 is online
09/2/1999,12:25:10:SYS-5:Module 5 is online

Console> (enable) show version 4


Mod Port Model Serial # Versions
--- ---- ---------- --------- ----------------------------------------
4 1 WS-X6101 003414855 Hw : 1.2
Fw : 1.3
Sw : 3.2(7)
Console> (enable) show version 5
Mod Port Model Serial # Versions
--- ---- ---------- --------- ----------------------------------------
5 1 WS-X6101 003414463 Hw : 1.2
Fw : 1.3
Sw : 3.2(7)
Console> (enable)

Uploading System Software Images to an rcp Server


These sections describe how to upload system software images from a switch to an rcp server:
• Preparing to Upload an Image to an rcp Server, page 25-15
• Uploading Software Images to an rcp Server, page 25-15

Note For more information on working with system software image files on the Flash file system, see
Chapter 24, “Working With the Flash File System.”


Preparing to Upload an Image to an rcp Server


Before you attempt to upload a software image to an rcp server, do the following:
• Ensure that the workstation acting as the rcp server is configured properly.
• Ensure that the switch has a route to the rcp server. The switch and the rcp server must be in the
same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to
the rcp server using the ping command.
• If you are overwriting an existing file (including an empty file, if you had to create one), ensure that
the permissions on the file are set correctly. Permissions on the file should be write for the specific
username.

Uploading Software Images to an rcp Server


To upload a software image on a switch to an rcp server for storage, perform these steps:

Step 1 Log into the switch through the console port or a Telnet session.
Step 2 Upload the software image to the rcp server using the copy flash rcp command. When prompted, specify
the rcp server address and destination filename. On platforms that support the Flash file systems, you
are first prompted for the Flash device and source filename. If desired, you can use the copy file-id rcp
command on these platforms.
The software image is uploaded to the rcp server.

This example shows how to upload the supervisor engine software image to an rcp server:
Console> (enable) copy flash rcp
Flash device [bootflash]? slot0:
Name of file to copy from []? cat6000-sup.5-3-1.bin
IP address or name of remote host [172.20.52.3]? 172.20.52.10
Name of file to copy to [cat6000-sup.5-3-1.bin]?
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC|
File has been copied successfully.
Console> (enable)

Downloading Software Images Over a Serial Connection on the Console Port

These sections describe how to perform a serial download of software images over the supervisor engine
console port using Kermit, a popular file-transfer and terminal-emulation software program:
• Preparing to Download an Image Using Kermit, page 25-16
• Downloading Software Images Using Kermit (PC Procedure), page 25-16
• Downloading Software Images Using Kermit (UNIX Procedure), page 25-17
• Example Serial Software Image Download Procedures, page 25-18


Preparing to Download an Image Using Kermit


Before you begin a serial download of a software image using Kermit, make sure of the following:
• On a UNIX workstation, make sure your shell window is local (not an rlogin window to a different
workstation).
• Ensure that the supervisor engine console port is connected to a serial port on your PC or
workstation with a serial cable.
• Ensure that the Kermit software is installed on your PC or workstation.
• Ensure that the line speed settings are the same on the PC or workstation and on the switch:
– On the switch, you can change the console port speed by entering the set system baud rate
command. The default baud rate is 9600 baud.
– On the PC or workstation, you can change the baud rate of the serial port by entering the set
speed rate command at the Kermit> prompt.

Caution To prevent communication problems, do not use a speed greater than 19,200 baud.

• Ensure that Kermit is using the proper serial port.


– On a PC, specify the serial port using the set port comx command, where x is the PC serial port
number (1 through 8) that you connected to the switch.
– On a UNIX workstation, specify the serial port using the set port /dev/ttyx command, where x
is the serial port (a or b) that you connected to the switch.

Downloading Software Images Using Kermit (PC Procedure)

Note This procedure applies to PC serial downloads only. For information on performing a serial
download on a UNIX workstation, see the “Downloading Software Images Using Kermit (UNIX
Procedure)” section on page 25-17.

To perform a serial download of a software image over the supervisor engine console port, perform these
steps:

Step 1 Copy the software image file to the directory where Kermit is loaded.
Step 2 Start Kermit on the PC.

Note Before continuing, ensure that the line speed is correct and that you have selected the proper
serial line, as described in the “Preparing to Download an Image Using Kermit” section on
page 25-16.

Step 3 At the Kermit> prompt, enter the connect command to connect to the switch. If your line and speed are
set correctly, the switch Console> prompt appears.
Step 4 Enter the enable command to enter privileged mode.
Step 5 Enter the download serial command. The file is downloaded to module 1 by default.


Step 6 When prompted, confirm the download.


Step 7 Enter the escape sequence Ctrl-]-c by holding down the Ctrl key while you press ], and then press c.
Step 8 At the Kermit> prompt, enter the send filename command to send the file to the switch.
The switch downloads the image file, erases the Flash memory on the supervisor engine or the
appropriate module, and reprograms the Flash memory with the downloaded Flash code.

Note The switch remains operational while the image downloads.

Step 9 When the Kermit> prompt reappears, enter the connect command to return to the switch Console>
prompt. You will see status information as the switch erases and reprograms the Flash memory.

Note If you enter the connect command more than two minutes after the Kermit> prompt
reappears, you might see only a Console> prompt instead of the status information about
erasing and programming Flash code.

Step 10 Reset the switch using the reset system command.


Step 11 When the switch reboots, enter the show version [mod] command to check the version of the code on
the switch.

Note For an example that shows a complete serial download procedure using Kermit on a PC, see the “PC
Serial Download Procedure Example” section on page 25-19.

Downloading Software Images Using Kermit (UNIX Procedure)

Note This procedure applies to UNIX serial downloads only. For information on performing a serial
download on a PC, see the “Downloading Software Images Using Kermit (PC Procedure)” section
on page 25-16.

Use this procedure to perform a serial download of a software image over the supervisor engine console
port.
To copy the software to the workstation, log in as root, and perform these steps:

Step 1 Copy the software image file to your home directory.


Step 2 At the UNIX command prompt, start Kermit by entering the kermit command (make sure the directory
where Kermit is installed is included in the $PATH environment variable on the workstation).

Note Before continuing, ensure that the line speed is correct and that you have selected the proper
serial line, as described in the “Preparing to Download an Image Using Kermit” section on
page 25-16.


Step 3 At the C-Kermit> prompt, enter the connect command to connect to the switch. If your line and speed
are set correctly, the switch Console> prompt appears.
Step 4 Enter the enable command to enter privileged mode.
Step 5 Enter the download serial command. The file downloads to module 1 by default.
Step 6 When prompted, confirm the download.
Step 7 Enter the escape sequence Ctrl-\-c by holding down the Ctrl key while you press \, and then press c.
Step 8 At the Kermit> prompt, enter the send filename command to send the file to the switch.
You can monitor the progress of the download by pressing the a key at any time during the Kermit
download. A dot appears onscreen for every four packets transferred. If there is a problem transferring
the file, one or more of the following letter codes appear:
• T—Kermit timed out.
• N—Kermit is not acknowledging the switch download process.
• E—Kermit detected an error in the progress of the transaction.
The switch downloads the image file, erases the Flash memory on the supervisor engine or the
appropriate module, and reprograms the Flash memory with the downloaded Flash code.

Note The switch remains operational while the image downloads.

Step 9 Press Return to return to the C-Kermit> prompt. When the Kermit> prompt reappears, enter the connect
command to return to the switch Console> prompt. You will see status information as the switch erases
and reprograms the Flash memory.

Note If you enter the connect command more than two minutes after the Kermit> prompt
reappears, you might see only a Console> prompt instead of the status information about
erasing and programming Flash code.

Step 10 Reset the switch using the reset system command.


Step 11 When the switch reboots, enter the show version [mod] command to check the version of the code on
the switch.

Note For an example that shows a complete serial download procedure using Kermit on a
UNIX workstation, see the “UNIX Workstation Serial Download Procedure Example” section on
page 25-20.

Example Serial Software Image Download Procedures


These sections show example serial download procedures over the supervisor engine console port using
Kermit:
• PC Serial Download Procedure Example, page 25-19
• UNIX Workstation Serial Download Procedure Example, page 25-20


PC Serial Download Procedure Example


This screen output shows an example of a complete serial download procedure on a PC:
C:\ copy A:\*.*
copying c6509_xx.bin
C:\ kermit
Kermit, 4C(057) 06 Apr 98, 4.2 BSD
Type ? for help
Kermit> set port com1
Kermit> set speed 9600
Kermit> connect
Connecting to com1,speed 9600.
The escape character is ^] (ASCII 29).
Type the escape character followed by C to get back,
or followed by ? to see other options

Console> enable
Console> (enable) download serial
Download CBI image via console port (y/n) [n]? y

Waiting for DOWNLOAD!


Return to your local Machine by typing its escape sequence
Issue Kermit send command from there[ Send `Filename`]

<CONTROL-] c to return to Local Machine>

Kermit> send c6509_xx .bin

File name: c6509_xx.bin


KBytes transferred: xxxx
Percent transferred: 100%
Sending: Complete

Number of Packets: xxxx


Number of retries: None
Last error: None
Last warning: None
Kermit> connect

Finished network download. (1136844 bytes)


Flash erase in progress ... Erase done
Programming Flash: Flash Programming Complete
Flash erase in progress ... Erase done
Programming Flash: Flash Programming Complete
Flash erase in progress ... Erase done
Programming Flash: Flash Programming Complete
Flash erase in progress ... Erase done
Programming Flash: Flash Programming Complete
Flash erase in progress ... Erase done
Programming Flash: Flash Programming Complete
Flash erase in progress ... Erase done
Programming Flash: Flash Programming Complete
Flash erase in progress ... Erase done
Programming Flash: Flash Programming Complete
The system needs to be reset to run the new image.

Cisco Systems Console


Enter password:
Mon Apr 06, 1998, 14:35:08
Console>


UNIX Workstation Serial Download Procedure Example


This screen output shows an example of a complete serial download procedure on a UNIX workstation:
workstation% cd /tmp
workstation% tar -xvfp /dev/rfd0
c5009_xx.bin, 1156046 bytes, 2258 tape blocks
workstation% ls -la
total 1150
drwxrwsrwt 5 bin 512 Sep 28 04:15 .
drwxr-xr-x 18 root 1536 Sep 27 15:41 ..
-r--r--r-- 1 60000 1156046 Jul 18 10:32 c5009_xx.bin
workstation% kermit
C-Kermit, 4E(072) 06 Apr 98, SUNOS 4.x
Type ? for help
C-Kermit> set line /dev/ttya
C-Kermit> set speed 9600
/dev/ttya: 9600 baud
C-Kermit> connect
Connecting thru /dev/ttya, speed 9600.
The escape character is CTRL-\ (28).

Type the escape character followed by C to get back,


or followed by ? to see other options.

Console> enable
Console> (enable) download serial c5009_xx.bin

Download CBI image via console port (y/n) [n]? y

Waiting for DOWNLOAD!


Return to your local Machine by typing its escape sequence
Issue Kermit send command from there[ Send `Filename`]
[Back at Local System]
C-Kermit> send c5009_xx .bin
SF
c5009_xx.bin => c5009_xx.bin, Size: 1156046

CTRL-F to cancel file, CTRL-R to resend current packet


CTRL-B to cancel batch, CTRL-A for status report:
..........................................................................................
....................................
*** Display Truncated ***
...............................................................
.................................... [OK]
ZB?
C-Kermit> connect
Connecting thru /dev/ttya, speed 9600.
The escape character is CTRL-\ (28).
Type the escape character followed by C to get back,
or followed by ? to see other options.

Download OK
Initializing Flash
Programming Flash
Base....Code....Length....Time....Done

Cisco Systems Console


Enter password:
Mon Apr 06, 1998, 17:35:08
Console>


Downloading a System Image Using Xmodem or Ymodem


When you need a system image on the switch, but the switch does not have network access and you do
not have a software image on a Flash PC card, you can download an image from a local or remote
computer (such as a PC, UNIX workstation, or Macintosh) through the console port using the Xmodem
or Ymodem protocol.
Xmodem and Ymodem are common protocols used to transfer files and are included in applications such
as Windows 3.1 (TERMINAL.EXE), Windows 95 (HyperTerminal), Windows NT 3.5x
(TERMINAL.EXE), Windows NT 4.0 (HyperTerminal), and Linux UNIX freeware (minicom).
Xmodem and Ymodem downloads are slow: use them only when the switch does not have network
access. You can speed up the transfer by setting the console port speed to 38400 bps.
Xmodem and Ymodem file transfers are performed from the ROM monitor with the following
command:
xmodem [-y] [-c] [-s data-rate]

In this syntax, the -y option selects the Ymodem protocol, -c enables CRC-16 checksumming, and -s sets
the console port data rate.

Note See the “ROM Monitor Command-Line Interface” section in the “Command-Line Interfaces”
chapter for more information about the ROM monitor.

The computer from which you transfer the supervisor engine software image must be running terminal
emulation software that supports the Xmodem or Ymodem protocol.
The following procedure shows a file transfer using the Xmodem protocol. To use the Ymodem protocol,
include the -y option with the xmodem command.

Caution A modem connection from the telephone network to your console port introduces security issues that
you should consider before enabling the connection. For example, remote users can dial into your
modem and access the switch configuration settings.

Caution If you have redundant supervisor engines, you must remove the second (redundant) supervisor
engine before you perform this procedure. The image that is downloaded via Xmodem is not saved
to memory; therefore, if two supervisor engines are installed after the download and you attempt
to reboot the active supervisor engine with the downloaded image, the redundant supervisor engine
takes over and synchronizes with the active supervisor engine, and the downloaded image is not
booted.

Step 1 Place a supervisor engine software image on the computer’s hard drive. You can download an image
from Cisco.com.
Step 2 To download from a local computer, connect the console port (port mode switch in the in position) to a
serial port on the computer, using a null-modem cable. The console port speed must match the speed
configured on the local computer.


Note If you are transferring from a local computer, you may need to configure the terminal
emulation program to ignore RTS/DTR signals.

Step 3 To download from a remote computer:
a. Connect a modem to the console port and to the telephone network.
b. The modem and console port must communicate at the same speed, which can be from 1200 to
38400 bps, depending on the speed supported by your modem. Enter the confreg ROM monitor
command to configure the console port transmission speed.
c. Connect a modem to the remote computer and to the telephone network and configure it for the same
speed as the supervisor engine.
d. Dial the number of the supervisor engine modem from the remote computer.
Step 4 Enter the xmodem command at the ROM-monitor prompt in the terminal emulation window:
rommon > xmodem -s 38400 -c

Step 5 Start an Xmodem or Ymodem send operation with the computer’s terminal emulation software. The
computer downloads the system image to the supervisor engine. See your terminal emulation software
application manual for instructions on how to execute an Xmodem or Ymodem file transfer.
Step 6 After the new image is completely downloaded, the ROM monitor boots it.

Note Downloading an image through the console port does not create an image file on any of the
Flash devices. The downloaded image resides only in memory. The image in memory cannot
be saved as a file.

Step 7 After the download, the console port returns to the default baud rate: 9600. If the download took place
at other than 9600 baud, you must change the remote computer’s baud rate back to 9600 baud.

Note Establish network connectivity to the switch to copy an image file from a TFTP server to one of the
Flash devices.
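The packet format behind the xmodem command's -c option, as an added example (not Cisco's code or any terminal emulator's): it builds the 128-byte Xmodem blocks a sender transmits and validates them as the receiver does, in the original 8-bit checksum mode and in the CRC-16 mode, and shows a corruption that only the CRC catches. The Ymodem variant selected with -y is not implemented.

```python
"""Xmodem packets as sent to the ROM monitor 'xmodem' command.

Added example (not Cisco's code or any terminal emulator's): it builds the
128-byte blocks a sender transmits and validates them as the receiver does,
in the original 8-bit checksum mode and in the CRC-16 mode that the -c option
selects.  Ymodem (-y) adds 1024-byte blocks and a file-header block carrying
the name and size; it is not implemented here.
"""
SOH, EOT, ACK, NAK = 0x01, 0x04, 0x06, 0x15   # framing and reply bytes
BLOCK = 128                                    # Xmodem data bytes per packet
PAD = 0x1A                                     # byte used to pad the last block


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection or final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc


def encode_packet(block_no: int, payload: bytes, use_crc: bool) -> bytes:
    """Build one packet: SOH, block number, its one's complement, 128 data bytes, check field."""
    if len(payload) > BLOCK:
        raise ValueError("payload exceeds one Xmodem block")
    data = payload.ljust(BLOCK, bytes([PAD]))
    header = bytes([SOH, block_no & 0xFF, (~block_no) & 0xFF])
    if use_crc:
        return header + data + crc16_xmodem(data).to_bytes(2, "big")
    return header + data + bytes([sum(data) & 0xFF])


def decode_packet(packet: bytes, expected_block: int, use_crc: bool):
    """Validate a packet as the receiver does; return (ok, data).

    A receiver answers ACK for an ok packet and NAK otherwise, which makes the
    sender retransmit the block."""
    check_len = 2 if use_crc else 1
    if len(packet) != 3 + BLOCK + check_len or packet[0] != SOH:
        return False, b""
    if packet[1] != expected_block & 0xFF or packet[2] != (~expected_block) & 0xFF:
        return False, b""
    data = packet[3:3 + BLOCK]
    if use_crc:
        ok = int.from_bytes(packet[-2:], "big") == crc16_xmodem(data)
    else:
        ok = packet[-1] == sum(data) & 0xFF
    return ok, (data if ok else b"")


def send_image(image: bytes, use_crc: bool) -> list:
    """Split an image into the packet sequence a sender transmits (blocks start at 1)."""
    packets = []
    for offset in range(0, len(image), BLOCK):
        packets.append(encode_packet(len(packets) + 1, image[offset:offset + BLOCK], use_crc))
    return packets


def receive_image(packets, use_crc: bool) -> bytes:
    """Reassemble an image, rejecting any corrupted block.

    Xmodem carries no file length, so the last block's padding is kept; that
    is one reason Ymodem's header block carries the size."""
    image = bytearray()
    for number, packet in enumerate(packets, start=1):
        ok, data = decode_packet(packet, number, use_crc)
        if not ok:
            kind = "CRC-16" if use_crc else "checksum"
            raise ValueError(f"block {number} failed its {kind} check")
        image += data
    return bytes(image)


def checksum_blind_spot() -> tuple:
    """Why -c matters: move one unit between two data bytes so the block's sum is
    unchanged.  The 8-bit checksum accepts the corrupted block; CRC-16 rejects it."""
    results = []
    for use_crc in (False, True):
        packet = bytearray(encode_packet(1, b"A" * BLOCK, use_crc))
        packet[3] += 1   # first data byte
        packet[4] -= 1   # second data byte
        results.append(decode_packet(bytes(packet), 1, use_crc)[0])
    return tuple(results)   # (True, False)


if __name__ == "__main__":
    sample = bytes(range(256)) * 2          # constructed 512-byte stand-in for an image
    packets = send_image(sample, use_crc=True)
    assert receive_image(packets, use_crc=True) == sample
    print(f"{len(packets)} packets; checksum/CRC accept the tampered block: {checksum_blind_spot()}")
```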

Chapter 26
Working with Configuration Files

This chapter describes how to work with switch configuration files on the Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Working with Configuration Files on the Switch, page 26-1
• Working with Configuration Files on the MSFC, page 26-9

Working with Configuration Files on the Switch


These sections describe how to work with configuration files on the switch:
• Creating and Using Configuration File Guidelines, page 26-1
• Creating a Configuration File, page 26-2
• Downloading Configuration Files to the Switch Using TFTP, page 26-3
• Uploading Configuration Files to a TFTP Server, page 26-5
• Copying Configuration Files Using rcp, page 26-6
• Downloading Configuration Files from an rcp Server, page 26-6
• Uploading Configuration Files to an rcp Server, page 26-7
• Clearing the Configuration, page 26-8

Note For more information on working with configuration files on the Flash file system, see Chapter 24,
“Working With the Flash File System.”

Creating and Using Configuration File Guidelines


Creating configuration files can aid in the configuration of your switch. Configuration files can contain
some or all the commands needed to configure one or more switches. For example, you might want to
download the same configuration file to several switches that have the same hardware configuration so
that they have identical module and port configurations.


Use the following guidelines when creating a configuration file:


• We recommend that you connect through the console port when using configuration files to
configure the switch. If you configure the switch from a Telnet session, IP addresses are not
changed, and ports and modules are not disabled.
• If no passwords have been set on the switch, you must set them on each switch by including the set
password and set enablepass commands in the configuration file. Enter a blank line after the set
password and set enablepass commands. The passwords are saved in the configuration file as clear text.
If passwords already exist, you cannot include the set password and set enablepass commands
because the password verification will fail. If you enter passwords in the configuration file, the
switch then mistakenly attempts to execute the password lines as commands as it executes the file.
• Certain commands must be followed by a blank line in the configuration file. The blank line is
necessary; without the blank line, these commands might disconnect your Telnet session. Before
disconnecting a session, the switch prompts you for confirmation. The blank line acts as a carriage
return, which indicates a negative response to the prompt and retains the Telnet session.
Include a blank line after each occurrence of these commands in a configuration file:
– set interface sc0 ip_addr netmask
– set interface sc0 disable
– set module disable mod
– set port disable mod/port

Creating a Configuration File


When creating a configuration file, you must list commands in a logical way so that the system can
respond appropriately. One method of creating a configuration file is as follows:

Step 1 Download an existing configuration from a switch.


Step 2 Open the configuration file in a text editor, such as vi or emacs on UNIX or Notepad on a PC.
Step 3 Extract the portion of the configuration file with the desired commands and save it in a new file. Make
sure the file begins with the word begin on a line by itself and ends with the word end on a line by itself.
Step 4 Copy the configuration file to the appropriate TFTP directory on the workstation (usually /tftpboot on a
UNIX workstation).
Step 5 Make sure the permissions on the file are set to world-read.

This example shows a configuration file that could be used to set the Domain Name System (DNS)
configuration on multiple switches.
begin

!
#dns
set ip dns server 172.16.10.70 primary
set ip dns server 172.16.10.140
set ip dns enable
set ip dns domain corp.com
end
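A builder and checker for configuration files that follow the guidelines and steps above, as an added example (not Cisco's code): it wraps commands in begin/end, inserts the blank lines the listed commands require, and flags set password / set enablepass lines because the file stores passwords as clear text. The sample configuration is the DNS file shown above; the command list passed to build_config is constructed.

```python
"""Build and check a CatOS configuration file before placing it on a TFTP server.

Added example, not Cisco's code.  It applies the guidelines in this chapter:
the file starts with 'begin' and ends with 'end' on their own lines, the
commands that make the switch prompt for confirmation are each followed by a
blank line (the blank line answers the prompt negatively so a Telnet session
is kept), and set password / set enablepass are flagged because the passwords
the file supplies for them are stored as clear text.
"""
import re

# Commands the chapter says must be followed by a blank line.
PROMPTING_COMMANDS = (
    re.compile(r"^set interface sc0 \S+ \S+$"),   # set interface sc0 ip_addr netmask
    re.compile(r"^set interface sc0 disable$"),
    re.compile(r"^set module disable \S+$"),      # set module disable mod
    re.compile(r"^set port disable \S+$"),        # set port disable mod/port
    re.compile(r"^set password$"),
    re.compile(r"^set enablepass$"),
)
PASSWORD_COMMANDS = ("set password", "set enablepass")

# The DNS configuration file shown above, reproduced as constructed sample input.
SAMPLE_CONFIG = """begin

!
#dns
set ip dns server 172.16.10.70 primary
set ip dns server 172.16.10.140
set ip dns enable
set ip dns domain corp.com
end
"""


def needs_blank_line(command: str) -> bool:
    """True if the switch prompts for confirmation after this command."""
    return any(pattern.match(command.strip()) for pattern in PROMPTING_COMMANDS)


def build_config(commands) -> str:
    """Wrap commands in begin/end and insert the blank lines the switch needs."""
    lines = ["begin"]
    for command in commands:
        lines.append(command)
        if needs_blank_line(command):
            lines.append("")
    lines.append("end")
    return "\n".join(lines) + "\n"


def check_config(text: str) -> list:
    """Return the guideline violations found in a configuration file (empty if none)."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != "begin":
        problems.append("file does not start with 'begin'")
    if not lines or lines[-1].strip() != "end":
        problems.append("file does not end with 'end'")
    for number, line in enumerate(lines, start=1):
        command = line.strip()
        if needs_blank_line(command):
            following = lines[number].strip() if number < len(lines) else None
            if following != "":
                problems.append(f"line {number}: '{command}' is not followed by a blank line")
        if command in PASSWORD_COMMANDS:
            problems.append(f"line {number}: '{command}' writes a clear-text password into the file")
    return problems


if __name__ == "__main__":
    print("sample config problems:", check_config(SAMPLE_CONFIG))
    generated = build_config(["set interface sc0 172.20.52.10 255.255.255.0",   # constructed
                              "set port disable 3/1", "set ip dns enable"])
    print(generated)
    print("generated config problems:", check_config(generated))
```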


Downloading Configuration Files to the Switch Using TFTP


You can configure the switch using configuration files you create or download from another switch. In
addition, you can store configuration files on Flash devices on hardware that supports the Flash file
system, and you can configure the switch using a configuration stored on a Flash device.
These sections describe how to configure the switch using configuration files downloaded from a TFTP
server or stored on a Flash device:
• Preparing to Download a Configuration File Using TFTP, page 26-3
• Configuring the Switch Using a File on a TFTP Server, page 26-3
• Configuring the Switch Using a File on a Flash Device, page 26-4

Preparing to Download a Configuration File Using TFTP


Before you begin downloading a configuration file using TFTP, do the following:
• Ensure that the workstation acting as the TFTP server is configured properly. On a Sun workstation,
make sure that the /etc/inetd.conf file contains this line:
tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -p -s /tftpboot

Make sure that the /etc/services file contains this line:


tftp 69/udp

Note You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services
files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot
command (on SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x). Refer
to the documentation for your workstation for more information about the TFTP daemon.

• Ensure that the switch has a route to the TFTP server. The switch and the TFTP server must be in
the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity
to the TFTP server using the ping command.
• Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server
(usually /tftpboot on a UNIX workstation).
• Ensure that the permissions on the file are set as world-read.

Configuring the Switch Using a File on a TFTP Server


To configure the switch using a configuration file downloaded from a TFTP server, perform these steps:

Step 1 Copy the configuration file to the appropriate TFTP directory on the workstation.
Step 2 Log into the switch through the console port or a Telnet session.
Step 3 Configure the switch using the configuration file downloaded from the TFTP server with the copy tftp
config command. Specify the IP address or host name of the TFTP server and the name of the file to
download.
The configuration file downloads, and the commands are executed as the file is parsed line-by-line.


This example shows how to configure the switch using a configuration file downloaded from a TFTP
server:
Console> (enable) copy tftp config
IP address or name of remote host []? 172.20.52.3
Name of file to copy from []? dns-config.cfg

Configure using tftp:dns-config.cfg (y/n) [n]? y


/
Finished network download. (134 bytes)
>>
>> set ip dns server 172.16.10.70 primary
172.16.10.70 added to DNS server table as primary server.
>> set ip dns server 172.16.10.140
172.16.10.140 added to DNS server table as backup server.
>> set ip dns enable
DNS is enabled
>> set ip dns domain corp.com
Default DNS domain name set to corp.com
Console> (enable)

Configuring the Switch Using a File on a Flash Device


To configure a switch using a configuration file stored on a Flash device in the Flash file system, perform
these steps:

Step 1 Log into the switch through the console port or a Telnet session.
Step 2 Locate the configuration file using the cd and dir commands (for more information, see Chapter 24,
“Working With the Flash File System”).
Step 3 Configure the switch using the configuration file stored on the Flash device using the copy file-id config
command.
The commands are executed as the file is parsed line-by-line.

This example shows how to configure the switch using a configuration file stored on a Flash device:
Console> (enable) copy slot0:dns-config.cfg config

Configure using slot0:dns-config.cfg (y/n) [n]? y

Finished network download. (134 bytes)


>>
>> set ip dns server 172.16.10.70 primary
172.16.10.70 added to DNS server table as primary server.
>> set ip dns server 172.16.10.140
172.16.10.140 added to DNS server table as backup server.
>> set ip dns enable
DNS is enabled
>> set ip dns domain corp.com
Default DNS domain name set to corp.com
Console> (enable)


Uploading Configuration Files to a TFTP Server


These sections describe how to upload the running configuration or a configuration file stored on a Flash
device to a TFTP server:
• Preparing to Upload a Configuration File to a TFTP Server, page 26-5
• Uploading a Configuration File to a TFTP Server, page 26-5

Preparing to Upload a Configuration File to a TFTP Server


Before you attempt to upload a configuration file to a TFTP server, do the following:
• Ensure that the workstation acting as the TFTP server is configured properly. On a Sun workstation,
make sure that the /etc/inetd.conf file contains this line:
tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -p -s /tftpboot

Make sure that the /etc/services file contains this line:


tftp 69/udp

Note You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services
files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot
command (on SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x). Refer
to the documentation for your workstation for more information about the TFTP daemon.

• Ensure that the switch has a route to the TFTP server. The switch and the TFTP server must be in
the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity
to the TFTP server using the ping command.
• You might need to create an empty file on the TFTP server before uploading the configuration file.
To create an empty file, enter the touch filename command, where filename is the name of the file
you will use when uploading the configuration to the server.
• If you are overwriting an existing file (including an empty file, if you had to create one), ensure that
the permissions on the file are set as world-write.
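A checker for the TFTP server preparation lists above, both the download list (world-read) and this upload list (world-write), as an added example that is not Cisco's code: it parses the inetd.conf and services lines quoted in this chapter and checks the file mode bits each direction requires. The inetd.conf and services text it is run on is constructed from those lines; the /tftpboot path is the one the chapter uses.

```python
"""Checks for a UNIX TFTP server used to download or upload switch configuration files.

Added example, not Cisco's code.  It verifies the /etc/inetd.conf and
/etc/services entries from this chapter and the file permissions the download
(world-read) and upload (world-write) procedures require.  The '-s /tftpboot'
argument restricts in.tftpd to that directory; the checker flags its absence
because without it the daemon, which runs as root, serves any readable file.
"""
import os
import stat
import tempfile

TFTP_ROOT = "/tftpboot"   # directory named in this chapter's inetd.conf line


def parse_inetd_tftp(inetd_conf: str):
    """Return the fields of the tftp entry in inetd.conf, or None if there is none.

    inetd.conf fields: service socket-type protocol wait-flag user program args..."""
    for line in inetd_conf.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tftp":      # skips comments and other services
            continue
        args = fields[6:]
        root_dir = None
        if "-s" in args and args.index("-s") + 1 < len(args):
            root_dir = args[args.index("-s") + 1]
        return {"socket": fields[1], "proto": fields[2], "wait": fields[3],
                "user": fields[4], "program": fields[5], "args": args, "root_dir": root_dir}
    return None


def tftp_inetd_issues(inetd_conf: str) -> list:
    """Compare the tftp entry with the line this chapter requires."""
    entry = parse_inetd_tftp(inetd_conf)
    if entry is None:
        return ["no tftp entry in inetd.conf"]
    issues = []
    if (entry["socket"], entry["proto"], entry["wait"]) != ("dgram", "udp", "wait"):
        issues.append("tftp entry should be 'dgram udp wait'")
    if entry["root_dir"] is None:
        issues.append(f"in.tftpd runs without -s; it is not restricted to {TFTP_ROOT}")
    elif entry["root_dir"] != TFTP_ROOT:
        issues.append(f"in.tftpd is restricted to {entry['root_dir']}, not {TFTP_ROOT}")
    return issues


def services_has_tftp(services: str) -> bool:
    """True if /etc/services maps tftp to 69/udp."""
    for line in services.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "tftp" and fields[1] == "69/udp":
            return True
    return False


def permission_issues(mode: int, direction: str) -> list:
    """Check the mode bits of a file in the TFTP directory.

    'download' (copy tftp config) needs world-read; 'upload' (copy config tftp)
    needs world-write on the existing, possibly empty, destination file."""
    issues = []
    if direction == "download" and not mode & stat.S_IROTH:
        issues.append(f"file is not world-readable (mode {stat.S_IMODE(mode):04o})")
    if direction == "upload" and not mode & stat.S_IWOTH:
        issues.append(f"file is not world-writable (mode {stat.S_IMODE(mode):04o})")
    return issues


def check_file(path: str, direction: str) -> list:
    """Apply permission_issues to a real file.  World-write is only needed for the
    duration of the upload; remove it again once the configuration has been copied."""
    return permission_issues(os.stat(path).st_mode, direction)


if __name__ == "__main__":
    # Constructed configuration text built from the lines quoted in this chapter.
    INETD = ("ftp stream tcp nowait root /usr/etc/in.ftpd in.ftpd\n"
             "tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -p -s /tftpboot\n")
    print("inetd.conf:", tftp_inetd_issues(INETD) or "ok")
    print("services:", "ok" if services_has_tftp("tftp 69/udp\n") else "tftp 69/udp missing")
    with tempfile.TemporaryDirectory() as tftpboot:       # stand-in for /tftpboot
        target = os.path.join(tftpboot, "cat6000_config.cfg")
        open(target, "w").close()                          # the empty file created with touch
        os.chmod(target, 0o644)
        print("upload:", check_file(target, "upload") or "ok")
```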

Uploading a Configuration File to a TFTP Server


To upload a configuration file from a switch to a TFTP server for storage, perform these steps:

Step 1 Log into the switch through the console port or a Telnet session.
Step 2 Upload the switch configuration to the TFTP server with the copy config tftp command. Specify the IP
address or host name of the TFTP server and the destination filename.
The file is uploaded to the TFTP server.


This example shows how to upload the running configuration to a TFTP server for storage:
Console> (enable) copy config tftp
IP address or name of remote host []? 172.20.52.3
Name of file to copy to []? cat6000_config.cfg

Upload configuration to tftp:cat6000_config.cfg, (y/n) [n]? y


.....
..........
.......

..........
...........
..
/
Configuration has been copied successfully.
Console> (enable)

Copying Configuration Files Using rcp


Remote copy protocol (rcp) provides another method of downloading, uploading, and copying
configuration files between remote hosts and the switch. Unlike TFTP, which uses User Datagram
Protocol (UDP), a connectionless protocol, rcp uses Transmission Control Protocol (TCP), which is
connection-oriented.
To use rcp to copy files, the server from or to which you will be copying files must support rcp. The rcp
copy commands rely on the rsh server (or daemon) on the remote system. To copy files using rcp, you
do not need to create a server for file distribution, as you do with TFTP. You need only to have access
to a server that supports the remote shell (rsh). (Most UNIX systems support rsh.) Because you are
copying a file from one place to another, you must have read permission on the source file and write
permission on the destination file. If the destination file does not exist, rcp creates it for you.

Downloading Configuration Files from an rcp Server


These sections describe how to download a configuration file from an rcp server to the running
configuration or to a Flash device:
• Preparing to Download a Configuration File Using rcp, page 26-6
• Configuring the Switch Using a File on an rcp Server, page 26-7

Preparing to Download a Configuration File Using rcp


Before you begin downloading a configuration file using rcp, do the following:
• Ensure that the workstation acting as the rcp server supports the remote shell (rsh).
• Ensure that the switch has a route to the rcp server. The switch and the server must be in the same
subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the
rcp server using the ping command.


• If you are accessing the switch through the console or a Telnet session without a valid username,
make sure that the current rcp username is the one you want to use for the rcp download. You can
enter the show users command to view the current valid username. If you do not want to use the
current username, create a new rcp username using the set rcp username command. The new
username will be stored in NVRAM. If you are accessing the switch through a Telnet session with
a valid username, this username will be used and there is no need to set the rcp username.

Configuring the Switch Using a File on an rcp Server


To configure a Catalyst 6000 family switch using a configuration file downloaded from an rcp server,
perform these steps:

Step 1 Copy the configuration file to the appropriate rcp directory on the workstation.
Step 2 Log into the switch through the console port or a Telnet session.
Step 3 Configure the switch using the configuration file downloaded from the rcp server using the copy rcp
config command. Specify the IP address or host name of the rcp server and the name of the file to
download.
The configuration file downloads and the commands are executed as the file is parsed line-by-line.

This example shows how to configure a Catalyst 6000 family switch using a configuration file
downloaded from an rcp server:
Console> (enable) copy rcp config
IP address or name of remote host []? 172.20.52.3
Name of file to copy from []? dns-config.cfg

Configure using rcp:dns-config.cfg (y/n) [n]? y


/
Finished network download. (134 bytes)
>>
>> set ip dns server 172.16.10.70 primary
172.16.10.70 added to DNS server table as primary server.
>> set ip dns server 172.16.10.140
172.16.10.140 added to DNS server table as backup server.
>> set ip dns enable
DNS is enabled
>> set ip dns domain corp.com
Default DNS domain name set to corp.com
Console> (enable)

Uploading Configuration Files to an rcp Server


These sections describe how to upload the running configuration or a configuration file stored on a Flash
device to an rcp server:
• Preparing to Upload a Configuration File to an rcp Server, page 26-8
• Uploading a Configuration File to an rcp Server, page 26-8


Preparing to Upload a Configuration File to an rcp Server


Before you attempt to upload a configuration file to an rcp server, do the following:
• Ensure that the workstation acting as the rcp server is configured properly.
• Ensure that the switch has a route to the rcp server. The switch and the rcp server must be in the
same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to
the rcp server using the ping command.
• If you are overwriting an existing file (including an empty file, if you had to create one), ensure that
the permissions on the file are set correctly. Permissions on the file should be user-write.

Uploading a Configuration File to an rcp Server


To upload a configuration file from a switch to an rcp server for storage, perform these steps:

Step 1 Log into the switch through the console port or a Telnet session.
Step 2 Upload the switch configuration to the rcp server using the copy config rcp command. Specify the IP
address or host name of the rcp server and the destination filename.
The file is uploaded to the rcp server.

This example shows how to upload the running configuration on a Catalyst 6000 family switch to an rcp
server for storage:
Console> (enable) copy config rcp
IP address or name of remote host []? 172.20.52.3
Name of file to copy to []? cat6000_config.cfg

Upload configuration to rcp:cat6000_config.cfg, (y/n) [n]? y


.....
..........
.......

..........
...........
..
/
Configuration has been copied successfully.
Console> (enable)

Clearing the Configuration


To clear the configuration on the entire switch, perform this task in privileged mode:

Task Command
Clear the switch configuration. clear config all


This example shows how to clear the configuration for the entire switch:
Console> (enable) clear config all
This command will clear all configuration in NVRAM.
This command will cause ifIndex to be reassigned on the next system startup.
Do you want to continue (y/n) [n]? y
........
.............................

System configuration cleared.


Console> (enable)

To clear the configuration on an individual module, perform this task in privileged mode:

Task Command
Clear the configuration for a specific module. clear config mod

Note If you remove a module and replace it with a module of another type (for example, if you remove a
10/100 Ethernet module and insert a Gigabit Ethernet module), the module configuration is
inconsistent. The output of the show module command indicates this problem. To resolve the
inconsistency, clear the configuration on the problem module.

This example shows how to clear the configuration on a specific module:


Console> (enable) clear config 2
This command will clear module 2 configuration.
Do you want to continue (y/n) [n]? y
.............................
Module 2 configuration cleared.
Console> (enable)

Working with Configuration Files on the MSFC


These sections describe how to work with configuration files on the Multilayer Switch Feature Card
(MSFC):
• Uploading the Configuration File to a TFTP Server, page 26-10
• Uploading the Configuration File to the Supervisor Engine Flash PC Card, page 26-11
• Downloading the Configuration File from a Remote Host, page 26-11
• Downloading the Configuration File from the Supervisor Engine Flash PC Card, page 26-13
Configuration information resides in two places when the MSFC is operating: the default (permanent)
configuration in NVRAM and the running (temporary) configuration in RAM. The default configuration
always remains available because NVRAM retains the information even when the power is shut down; the
running configuration is lost if the system power is shut down. The running configuration contains all
nondefault configuration information that you added by using the configure command or the setup
command facility, or by editing the configuration file.
The copy running-config startup-config command adds the current configuration to the default
configuration in NVRAM, so that it is saved if power is shut down. Whenever you make changes to the
system configuration, enter the copy running-config startup-config command to save the new
configuration.


If you replace the MSFC, you need to replace the entire configuration. If you upload (copy) the
configuration file to a remote server before removing the MSFC, you can retrieve it later and write it
into NVRAM on the new MSFC. If you do not upload the configuration file, you need to use the
configure command to reenter the configuration information after you install the new MSFC.
Saving and retrieving the configuration file is not necessary if you are temporarily removing an MSFC
that you are going to reinstall; the lithium batteries retain the configuration in memory. This procedure
requires privileged-level access to the EXEC command interpreter, which usually requires a password.

Uploading the Configuration File to a TFTP Server


Before you upload (copy) the running configuration to the TFTP file server, ensure the following:
• You have a connection to the MSFC either with a console terminal or remotely through a Telnet
session.
• The MSFC is connected to a network supporting a file server (remote host).
• The remote host supports the TFTP application.
• You have the IP address or name of the remote host available.
To store information on a remote host, enter the privileged write network EXEC command. This
command prompts you for the destination host address and a filename and then displays the instructions
for confirmation. When you confirm the instructions, the MSFC sends a copy of the currently running
configuration to the remote host. The system default is to store the configuration in a file called by the
name of the MSFC with -confg appended. You can either accept the default filename by pressing Return
at the prompt, or enter a different name before pressing Return.
To upload (copy) the currently running configuration to a remote host, perform these steps:

Step 1 Check if the system prompt displays a pound sign (#) to indicate the privileged level of the EXEC
command interpreter.
Step 2 Enter the ping command to check the connection between the MSFC and the remote host.
Step 3 Enter the write term command to display the currently running configuration on the terminal and ensure
that the configuration information is complete and correct. If it is not correct, enter the configure
command to add or modify the existing configuration.
Step 4 Enter the write net command. The EXEC command interpreter prompts you for the name or IP address
of the remote host that is to receive the configuration file. (The prompt might include the name or
address of a default file server.)
Router# write net
Remote host []?

Step 5 Enter the name or IP address of the remote host. In this example, the name of the remote server is
servername:
Router# write net
Remote host []? servername
Translating "servername"...domain server (1.1.1.1) [OK]

Step 6 Note that the EXEC command interpreter prompts you to specify a name for the file that is to hold the
configuration. By default, the system appends -confg to the MSFC name to create the new filename.
Press Return to accept the default filename, or enter a different name for the file before pressing
Return. In the following example, the default is accepted:
Name of configuration file to write [Router-confg]?


Write file Router-confg on host 1.1.1.1? [confirm]
Writing Router-confg .....

Step 7 Note that before the MSFC executes the copy process, it displays the instructions you entered for
confirmation. If the instructions are not correct, enter n (no) and then Return to abort the process. To
accept the instructions, press Return or y (yes) and then Return, and the system begins the copy
process. In the following example, the default is accepted:
Write file Router-confg on host 1.1.1.1? [confirm]
Writing Router-confg: !!!! [ok]

While the MSFC copies the configuration to the remote host, it displays a series of exclamation points
(! ! !) or periods (. . .). The ! ! ! and [ok] indicate that the operation is successful. A display of . . . [timed
out] or [failed] indicates a failure, which would probably be due to a network fault or the lack of a
writable, readable file on the remote file server.
Step 8 Note that if the display indicates that the process was successful (with the series of ! ! ! and [ok]), the
upload process is complete. The configuration is safely stored in the temporary file on the remote file
server.
If the display indicates that the process failed (with the series of . . . as shown in the following example):
Writing Router-confg .....

your configuration was not saved. Repeat the preceding steps, or select a different remote file server and
repeat the preceding steps.
If you are unable to copy the configuration to a remote host successfully, contact your network
administrator or see http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for
instructions on contacting the technical assistance center.

Uploading the Configuration File to the Supervisor Engine Flash PC Card


To upload the configuration file to the supervisor engine Flash PC card in PCMCIA slot 0, perform this
task:

Task                                                   Command
Step 1 At the EXEC prompt, enter enable mode.          Router> enable
Step 2 Copy the startup configuration file to slot 0.  Router# copy startup-config sup-slot0:file_name
Step 3 Copy the running configuration file to slot 0.  Router# copy running-config sup-slot0:file_name

Downloading the Configuration File from a Remote Host


After you install the new MSFC, you can retrieve the saved configuration and copy it to NVRAM. Enter
configuration mode and specify that you want to configure the MSFC from the network. The system
prompts you for a host name and address, the name of the configuration file stored on the host, and
confirmation to reboot using the remote file.
To download (retrieve) the currently running configuration from a remote host, perform these steps:

Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4


78-13315-02 26-11
Chapter 26 Working with Configuration Files
Working with Configuration Files on the MSFC

Step 1 Check if the system prompt displays a pound sign (#) to indicate the privileged level of the EXEC
command interpreter.

Note Until you retrieve the previous configuration, the MSFC runs from the default configuration
in NVRAM. Any passwords that were configured on the previous system are not valid until
you retrieve the configuration.

Step 2 Enter the ping command to verify the connection between the router and the remote host.
Step 3 At the system prompt, enter the configure network command and press Return to enter configuration
mode. Specify that you want to configure the system from a network device (instead of from the console
terminal, which is the default).
Router# configure network

Step 4 Note that the system prompts you to select a host or network configuration file. The default is host; press
Return to accept the default.
Host or network configuration file [host]?

Step 5 Note that the system prompts you for the IP address of the host. Enter the IP address or name of the
remote host (the remote file server to which you uploaded the configuration file).
IP address of remote host [255.255.255.255]? 1.1.1.1

Step 6 Note that the system prompts you for the configuration filename. When uploading the file, the default is
to use the name of the MSFC with the suffix -confg (router-confg in the following example). If you
specified a different filename when you uploaded the configuration, enter the filename; otherwise, press
Return to accept the default.
Name of configuration file [router-confg]?

Step 7 Note that before the system reboots with the new configuration, it displays the instructions you entered
for confirmation. If the instructions are not correct, enter n (no), and then press Return to cancel the
process. To accept the instructions, press Return, or y, and then Return.
Configure using router-confg from 1.1.1.1? [confirm]
Booting router-confg from 1.1.1.1: ! ! [OK - 874/16000 bytes]

While the MSFC retrieves and boots from the configuration on the remote host, the console display
indicates whether or not the operation was successful. A series of !!!! and [OK] (as shown in the
preceding example) indicate that the operation was successful. A series of . . . and [timed out] or [failed]
indicate a failure (which would probably be due to a network fault or an incorrect server name, address,
or filename). The following is an example of a failed attempt to boot from a remote server:
Booting Router-confg ..... [timed out]

Step 8 Proceed to the next step if the display indicates that the process was successful.
If the display indicates that the process failed, verify the name or address of the remote server and the
filename, and repeat the preceding steps. If you are unable to retrieve the configuration, contact your
network administrator or see http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for instructions on contacting the technical assistance center.
Step 9 Enter the write term command to display the currently running configuration on the terminal. Review
the display and ensure that the configuration information is complete and correct. If it is not, verify the
filename and repeat the preceding steps to retrieve the correct file, or use the configure command to add
or modify the existing configuration. (See the appropriate software documentation for the configuration
options available for the system, the individual interfaces, and specific configuration instructions.)


Step 10 When you have verified that the currently running configuration is correct, enter the
copy running-config startup-config command to save the retrieved configuration in NVRAM.
Otherwise, you will lose the new configuration if you restart the system.

This completes the procedure for downloading (retrieving) the configuration file.

Downloading the Configuration File from the Supervisor Engine Flash PC Card
To download the configuration file from the supervisor engine Flash PC card in PCMCIA slot 0, perform
this task:

Task Command
Step 1 At the EXEC prompt, enter enable mode. Router> enable
Step 2 Copy the stored running configuration file to the MSFC running configuration. Router# copy sup-slot0:file_name running-config
Step 3 Copy the stored startup configuration file to the MSFC startup configuration. Router# copy sup-slot0:file_name startup-config

C H A P T E R 27
Configuring System Message Logging

This chapter describes how to configure system message logging on the Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

Note For more information on system messages, refer to the System Message Guide—Catalyst 6000
Family, Catalyst 5000 Family, and Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G
publication.

This chapter consists of these sections:


• Understanding How System Message Logging Works, page 27-1
• System Log Message Format, page 27-3
• Default System Message Logging Configuration, page 27-4
• Configuring System Message Logging, page 27-4

Understanding How System Message Logging Works


The system message logging software can save messages in a log file or direct the messages to other
devices. The system message logging facility has these features:
• Provides you with logging information for monitoring and troubleshooting
• Allows you to select the types of logging information captured
• Allows you to select the destination of captured logging information
By default, the switch logs normal but significant system messages to its internal buffer and sends these
messages to the system console. You can specify which system messages should be saved based on the
type of facility (see Table 27-1) and the severity level (see Table 27-2). Messages are time-stamped to
enhance real-time debugging and management.
You can access logged system messages using the switch command-line interface (CLI) or by saving
them to a properly configured syslog server. The switch software saves syslog messages in an internal
buffer that can store up to 500 messages. You can monitor system messages remotely by accessing the
switch through Telnet or the console port, or by viewing the logs on a syslog server.


Note When the switch first initializes, the network is not connected until the initialization completes.
Therefore, messages redirected to a syslog server are delayed up to 90 seconds.

Table 27-1 describes the facility types supported by the system message logs.

Table 27-1 System Message Log Facility Types

Facility Name Definition


all All facilities
acl ACL facility
cdp Cisco Discovery Protocol
cops Common Open Policy Server
dtp Dynamic Trunking Protocol
dvlan Dynamic VLAN
earl Enhanced Address Recognition Logic
filesys File System
gvrp GARP VLAN Registration Protocol
ip Internet Protocol
kernel Kernel
ld ASLB facility
mcast Multicast
mgmt Management
mls Multilayer Switching
pagp Port Aggregation Protocol
protfilt Protocol Filter
pruning VTP pruning
privatevlan Private VLAN facility
qos Quality of Service
radius Remote Access Dial-In User Service
rsvp ReSerVation Protocol
security Security
snmp Simple Network Management Protocol
spantree Spanning Tree Protocol
sys System
tac Terminal Access Controller
tcp Transmission Control Protocol

telnet Terminal Emulation Protocol
tftp Trivial File Transfer Protocol
udld User Datagram Protocol
vmps VLAN Membership Policy Server
vtp VLAN Trunking Protocol

Table 27-2 describes the severity levels supported by the system message logs.

Table 27-2 Severity Level Definitions

Severity Level Description


0—emergencies System unusable
1—alerts Immediate action required
2—critical Critical condition
3—errors Error conditions
4—warnings Warning conditions
5—notifications Normal but significant condition
6—informational Informational messages
7—debugging Debugging messages

System Log Message Format


System log messages begin with a percent sign (%) and can contain up to 80 characters. Messages are
displayed in the following format:
mm/dd/yyyy:hh/mm/ss:facility-severity-MNEMONIC:description
Table 27-3 describes the elements of syslog messages.

Table 27-3 System Log Message Elements

Element Description
mm/dd/yyyy:hh/mm/ss Date and time of the error or event. This information appears only if
configured using the set logging timestamp enable command.
facility Indicates the facility to which the message refers (for example, SNMP, SYS,
etc.).
severity Single-digit code from 0 to 7 that indicates the severity of the message.
MNEMONIC Text string that uniquely describes the error message.
description Text string containing detailed information about the event being reported.


This example shows typical switch system messages (at system startup):
1999 Apr 16 10:01:26 %MLS-5-MLSENABLED:IP Multilayer switching is enabled
1999 Apr 16 10:01:26 %MLS-5-NDEDISABLED:Netflow Data Export disabled
1999 Apr 16 10:01:26 %SYS-5-MOD_OK:Module 1 is online
1999 Apr 16 10:01:47 %SYS-5-MOD_OK:Module 3 is online
1999 Apr 16 10:01:42 %SYS-5-MOD_OK:Module 6 is online
1999 Apr 16 10:02:27 %PAGP-5-PORTTOSTP:Port 3/1 joined bridge port 3/1
1999 Apr 16 10:02:28 %PAGP-5-PORTTOSTP:Port 3/2 joined bridge port 3/2

Default System Message Logging Configuration


Table 27-4 describes the default system message logging configuration.

Table 27-4 Default System Message Logging Configuration

Configuration Parameter Default Setting


System message logging to the console Enabled
System message logging to Telnet sessions Enabled
Logging buffer size 500 (default and maximum setting)
Logging history size 1
Timestamp option Enabled
Logging server Disabled
Syslog server IP address None configured
Server facility LOCAL7
Server severity Warnings (4)
Facility/severity level for system messages sys/5
dtp/5
pagp/5
mgmt/5
mls/5
cdp/4
udld/4
all other facilities/2
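The following Python script is an added example; it is not part of the Cisco guide or of the switch software. It parses messages in the format of Table 27-3 (with the time stamp as printed in the startup example above, or without one, as in the show logging buffer output later in this chapter), names severities from Table 27-2, and applies the per-facility default thresholds from Table 27-4, or a threshold dictionary passed in to model set logging level, to decide which lines the switch would keep. The two sample lines with SNMP and CDP mnemonics are constructed for this example and are not real switch messages.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity levels, Table 27-2.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Default facility/severity thresholds, Table 27-4: a message is kept when its
# severity number is less than or equal to the threshold for its facility.
DEFAULT_LEVELS: Dict[str, int] = {
    "sys": 5, "dtp": 5, "pagp": 5, "mgmt": 5, "mls": 5, "cdp": 4, "udld": 4,
}
DEFAULT_OTHER_LEVEL = 2  # "all other facilities/2"

# Optional time stamp (present when set logging timestamp enable is in effect),
# then %FACILITY-severity-MNEMONIC:description as in Table 27-3.
_MSG_RE = re.compile(
    r"^(?:(?P<timestamp>\d{4} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) +)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
    r"(?P<description>.*)$"
)


@dataclass
class SyslogMessage:
    timestamp: Optional[str]
    facility: str      # lower-case, matching the facility names of Table 27-1
    severity: int
    mnemonic: str
    description: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_message(line: str) -> SyslogMessage:
    """Split one switch log line into the elements listed in Table 27-3."""
    m = _MSG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Catalyst system message: {line!r}")
    return SyslogMessage(
        timestamp=m["timestamp"],
        facility=m["facility"].lower(),
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        description=m["description"],
    )


def is_logged(msg: SyslogMessage, levels: Optional[Dict[str, int]] = None,
              other_level: int = DEFAULT_OTHER_LEVEL) -> bool:
    """True if the facility's threshold admits this message.

    `levels` models the effect of set logging level facility severity;
    passing {"all": 5} models set logging level all 5."""
    levels = DEFAULT_LEVELS if levels is None else levels
    threshold = levels.get(msg.facility, levels.get("all", other_level))
    return msg.severity <= threshold


def filter_messages(lines: List[str],
                    levels: Optional[Dict[str, int]] = None) -> List[SyslogMessage]:
    """Parse every line and keep those the configured thresholds would log."""
    return [m for m in map(parse_message, lines) if is_logged(m, levels)]


# Sample input: startup messages from this chapter plus two constructed lines
# (the SNMP and CDP mnemonics below are invented for this example).
SAMPLE_LINES = [
    "1999 Apr 16 10:01:26 %MLS-5-MLSENABLED:IP Multilayer switching is enabled",
    "1999 Apr 16 10:01:26 %MLS-5-NDEDISABLED:Netflow Data Export disabled",
    "1999 Apr 16 10:01:26 %SYS-5-MOD_OK:Module 1 is online",
    "1999 Apr 16 10:02:27 %PAGP-5-PORTTOSTP:Port 3/1 joined bridge port 3/1",
    "1999 Apr 16 10:03:00 %SNMP-3-EXAMPLE:constructed error-level message",  # dropped: snmp threshold is 2
    "%CDP-4-EXAMPLE:constructed warning without a time stamp",              # kept: cdp threshold is 4
]

if __name__ == "__main__":
    for msg in filter_messages(SAMPLE_LINES):
        print(f"{msg.facility:<6} {msg.severity}({msg.severity_name}) "
              f"{msg.mnemonic}: {msg.description}")
```

With the defaults of Table 27-4 the constructed SNMP line is dropped (severity 3 against a threshold of 2) while the rest are kept; passing levels={"all": 5} to filter_messages models the session-wide change made by set logging level all 5 and admits it.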

Configuring System Message Logging


These sections describe how to configure system message logging on the switch:
• Enabling and Disabling Session Logging Settings, page 27-5
• Setting the System Message Logging Levels, page 27-6
• Enabling and Disabling the Logging Time Stamp Enable State, page 27-6
• Setting the Logging Buffer Size, page 27-6
• Configuring the syslog Daemon on a UNIX syslog Server, page 27-7
• Configuring syslog Servers, page 27-7
• Displaying the Logging Configuration, page 27-9
• Displaying System Messages, page 27-10

Enabling and Disabling Session Logging Settings


By default, system logging messages are sent to console and Telnet sessions based on the default logging
facility and severity values. If desired, you can disable logging to the console or logging to a given
Telnet session.
When you disable or enable logging to console sessions, the enable state is applied to all future console
sessions. For example, if you disable logging to the console, disconnect from the console port, and later
reconnect, logging is still disabled for the console.
In contrast, when you disable or enable logging to a Telnet session, the enable state is applied only to
that session. If you disable logging to a Telnet session, disconnect the session, and later reconnect,
logging is enabled for the new session.

Note If you enter the set logging session command while connected through the console port, the
command has the same effect as entering the set logging console command. However, if you enter
the set logging console command while connected through a Telnet session, the default console
logging enable state is changed.

To enable or disable the logging state for console sessions, perform this task in privileged mode:

Task Command
Step 1 Enable or disable the default logging state for console sessions. set logging console {enable | disable}
Step 2 Verify the logging configuration. show logging [noalias]

This example shows how to disable logging to the current and future console sessions:
Console> (enable) set logging console disable
System logging messages will not be sent to the console.
Console> (enable)

To enable or disable the logging state for the current Telnet session, perform this task in privileged
mode:

Task Command
Step 1 Enable or disable the logging state for a Telnet session. set logging session {enable | disable}
Step 2 Verify the logging configuration. show logging [noalias]

This example shows how to disable logging to the current Telnet session:
Console> (enable) set logging session disable
System logging messages will not be sent to the current login session.
Console> (enable)


Setting the System Message Logging Levels


You can set the severity level for each logging facility using the set logging level command. Enter the
all keyword to specify all facilities. Enter the default keyword to make the specified severity level the
default for the specified facilities. If you do not enter the default keyword, the specified severity level
applies only to the current session.
To set the system message logging severity level setting for a logging facility, perform this task in
privileged mode:

Task Command
Step 1 Set the severity level for logging facilities. set logging level {all | facility} severity [default]
Step 2 Verify the system message logging configuration. show logging [noalias]

This example shows how to set the logging severity level to 5 for all facilities (for the current session
only):
Console> (enable) set logging level all 5
All system logging facilities for this session set to severity 5(notifications)
Console> (enable)

This example shows how to set the default logging severity level to 3 for the cdp facility:
Console> (enable) set logging level cdp 3 default
System logging facility <cdp> set to severity 3(errors)
Console> (enable)

Enabling and Disabling the Logging Time Stamp Enable State


To enable or disable the logging time stamp, perform this task in privileged mode:

Task Command
Step 1 Enable or disable the logging time stamp state. set logging timestamp {enable | disable}
Step 2 Verify the logging time stamp state. show logging [noalias]

This example shows how to enable the time stamp display on system logging messages:
Console> (enable) set logging timestamp enable
System logging messages timestamp will be enabled.
Console> (enable)

Setting the Logging Buffer Size


To set the number of messages to log to the logging buffer, perform this task in privileged mode:

Task Command
Step 1 Set the number of messages to log to the logging buffer. set logging buffer buffer_size
Step 2 Verify the system message logging configuration. show logging [noalias]


This example shows how to set the logging buffer size to 200 messages:
Console> (enable) set logging buffer 200
System logging buffer size set to <200>
Console> (enable)

Configuring the syslog Daemon on a UNIX syslog Server


Before you can send system log messages to a UNIX syslog server, you must configure the syslog
daemon on a UNIX server. Log in as root, and perform these steps:

Step 1 Add a line such as the following to the file /etc/syslog.conf:
user.debug /var/log/myfile.log

Note There must be five tab characters between user.debug and /var/log/myfile.log. Refer to
entries in the /etc/syslog.conf file for further examples.

The switch sends messages according to specified facility types and severity levels. The user keyword
specifies the UNIX logging facility used. The messages from the switch are generated by user processes.
The debug keyword specifies the severity level of the condition being logged. You can set UNIX
systems to receive all messages from the switch.
Step 2 Create the log file by entering these commands at the UNIX shell prompt:
$ touch /var/log/myfile.log
$ chmod 666 /var/log/myfile.log

Step 3 Make sure that the syslog daemon reads the new changes by entering this command:
$ kill -HUP `cat /etc/syslog.pid`

Configuring syslog Servers

Note Before you can send system log messages to a UNIX syslog server, you must configure the syslog
daemon on the UNIX server as described in the “Configuring the syslog Daemon on a UNIX syslog
Server” section on page 27-7.

To configure the switch to log messages to a syslog server, perform this task in privileged mode:

Task Command
Step 1 Specify the IP address of one or more syslog servers (1). set logging server ip_addr
Step 2 Set the facility and severity levels for syslog server messages. set logging server facility server_facility_parameter
set logging server severity server_severity_level
Step 3 Enable system message logging to configured syslog servers. set logging server enable
Step 4 Verify the configuration. show logging [noalias]
1. You can configure a maximum of three syslog servers.

This example shows how to specify a syslog server, set the facility and severity levels, and enable
logging to the server:
Console> (enable) set logging server 10.10.10.100
10.10.10.100 added to System logging server table.
Console> (enable) set logging server facility local5
System logging server facility set to <local5>
Console> (enable) set logging server severity 5
System logging server severity set to <5>
Console> (enable) set logging server enable
System logging messages will be sent to the configured syslog servers.
Console> (enable)
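The Python below is an added example, not Cisco code; it models the path from the switch settings in the example above to the /etc/syslog.conf selector used in the “Configuring the syslog Daemon on a UNIX syslog Server” section. It assumes the switch sends BSD-style datagrams whose PRI field is facility * 8 + severity with the standard syslog numbering (user is 1, local0 through local7 are 16 through 23); the guide does not show the wire format. The check it makes visible is that a selector such as user.debug only accepts what the switch sends when set logging server facility is set to user, so with the default LOCAL7, or the local5 used above, the selector must name that facility instead. The sample lines are from this chapter plus one constructed severity-6 line with an invented mnemonic.

```python
import re
from typing import List, Tuple

# Standard syslog facility and level codes (RFC 3164 numbering), the values
# that /etc/syslog.conf selectors are matched against.  PRI = facility * 8 + severity.
FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
LEVEL_CODES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
CODE_TO_FACILITY = {v: k for k, v in FACILITY_CODES.items()}

# Severity digit of a switch message, e.g. the 5 in %SYS-5-MOD_OK.
_SEVERITY_RE = re.compile(r"%[A-Z0-9_]+-([0-7])-")


def encode_pri(server_facility: str, severity: int) -> int:
    """PRI value for a message sent with the given set logging server facility."""
    return FACILITY_CODES[server_facility.lower()] * 8 + severity


def build_datagram(server_facility: str, severity: int, message: str) -> bytes:
    """Assumed wire form: '<PRI>' followed by the message text (BSD syslog style)."""
    return f"<{encode_pri(server_facility, severity)}>{message}".encode("ascii", "replace")


def decode_pri(datagram: bytes) -> Tuple[str, int]:
    """Recover (facility name, severity) from the PRI of a received datagram."""
    m = re.match(rb"<(\d{1,3})>", datagram)
    if m is None:
        raise ValueError("datagram has no PRI field")
    pri = int(m.group(1))
    if pri > 191:  # largest facility (23) * 8 + largest severity (7)
        raise ValueError(f"PRI {pri} out of range")
    return CODE_TO_FACILITY[pri // 8], pri % 8


def selector_matches(selector: str, facility: str, severity: int) -> bool:
    """Does a syslog.conf selector such as 'user.debug' accept this facility/severity?

    As in syslogd, 'facility.level' accepts that level and every more urgent
    (lower-numbered) one; '*' matches any facility and 'none' accepts nothing."""
    fac, level = selector.split(".", 1)
    if level == "none":
        return False
    if fac != "*" and FACILITY_CODES[fac] != FACILITY_CODES[facility]:
        return False
    return severity <= LEVEL_CODES[level]


def deliver(lines: List[str], server_facility: str, server_severity: int,
            selector: str) -> List[str]:
    """Simulate switch -> syslogd: the switch sends only messages whose own severity
    is at or below set logging server severity; the server keeps those its selector
    accepts.  Returns the message texts that reach the log file."""
    kept = []
    for line in lines:
        m = _SEVERITY_RE.search(line)
        if m is None:
            continue
        severity = int(m.group(1))
        if severity > server_severity:
            continue                                   # not sent by the switch
        facility, sev = decode_pri(build_datagram(server_facility, severity, line))
        if selector_matches(selector, facility, sev):
            kept.append(line)
    return kept


# Constructed sample: two lines from this chapter plus an invented severity-6 line.
SAMPLE_LINES = [
    "%SYS-5-MOD_OK:Module 1 is online",
    "%PAGP-5-PORTTOSTP:Port 3/1 joined bridge port 3/1",
    "%SYS-6-EXAMPLE:constructed informational message",
]

if __name__ == "__main__":
    # Settings from the example above: facility local5, severity 5.
    print(deliver(SAMPLE_LINES, "local5", 5, "local5.notice"))  # both severity-5 lines
    print(deliver(SAMPLE_LINES, "local5", 5, "user.debug"))     # nothing: facility mismatch
```

Run as is, the first call returns the two severity-5 lines and the second returns an empty list, which is what a syslog server configured with the user.debug line of the earlier section would record from a switch left at its default or local5 server facility.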

To delete a syslog server from the syslog server table, perform this task in privileged mode:

Task Command
Delete a syslog server from the syslog server table. clear logging server ip_addr

This example shows how to delete a syslog server from the syslog server table:
Console> (enable) clear logging server 10.10.10.100
System logging server 10.10.10.100 removed from system logging server table.
Console> (enable)

To disable logging to the syslog server, perform this task in privileged mode:

Task Command
Disable system message logging to configured syslog servers. set logging server disable

This example shows how to disable logging to syslog servers:
Console> (enable) set logging server disable
System logging messages will not be sent to the configured syslog servers.
Console> (enable)


Displaying the Logging Configuration


Enter the show logging command to display the current system message logging configuration. Enter
the noalias keyword to display the IP addresses instead of the host names of the configured syslog
servers.
To display the current system message logging configuration, perform this task:

Task Command
Display the current system message logging configuration. show logging [noalias]

This example shows how to display the current system message logging configuration:
Console> (enable) show logging
Logging buffered size: 500
timestamp option: enabled
Logging history size: 1
Logging console: enabled
Logging server: disabled
server facility: LOCAL7
server severity: warnings(4)
Current Logging Session: enabled

Facility      Default Severity  Current Session Severity
------------- ----------------  ------------------------
acl 5 5
cdp 4 4
cops 3 3
dtp 5 5
dvlan 2 2
earl 2 2
filesys 2 2
gvrp 2 2
ip 2 2
kernel 2 2
ld 3 3
mcast 2 2
mgmt 5 5
mls 5 5
pagp 5 5
protfilt 2 2
pruning 2 2
privatevlan 3 3
qos 3 3
radius 2 2
rsvp 3 3
security 2 2
snmp 2 2
spantree 2 2
sys 5 5
tac 2 2
tcp 2 2
telnet 2 2
tftp 2 2
udld 4 4
vmps 2 2
vtp 2 2

0(emergencies) 1(alerts) 2(critical)
3(errors) 4(warnings) 5(notifications)
6(information) 7(debugging)
Console> (enable)

Displaying System Messages


Enter the show logging buffer command to display the messages in the switch logging buffer. If you do
not specify number_of_messages, the default is to display the last 20 messages in the buffer (-20).
To display the messages in the switch logging buffer, perform one of these tasks:

Task Command
Display the first number_of_messages messages in the buffer. show logging buffer [number_of_messages]
Display the last number_of_messages messages in the buffer. show logging buffer -[number_of_messages]

This example shows how to display the first five messages in the buffer:
Console> (enable) show logging buffer 5
1999 Apr 16 08:40:11 %SYS-5-MOD_OK:Module 1 is online
1999 Apr 16 08:40:14 %SYS-5-MOD_OK:Module 3 is online
1999 Apr 16 08:40:14 %SYS-5-MOD_OK:Module 2 is online
1999 Apr 16 08:41:15 %PAGP-5-PORTTOSTP:Port 2/1 joined bridge port 2/1
1999 Apr 16 08:41:15 %PAGP-5-PORTTOSTP:Port 2/2 joined bridge port 2/2

This example shows how to display the last five messages in the buffer:
Console> (enable) show logging buffer -5
%PAGP-5-PORTFROMSTP:Port 3/1 left bridge port 3/1
%SPANTREE-5-PORTDEL_SUCCESS:3/2 deleted from vlan 1 (PAgP_Group_Rx)
%PAGP-5-PORTFROMSTP:Port 3/2 left bridge port 3/2
%PAGP-5-PORTTOSTP:Port 3/1 joined bridge port 3/1-2
%PAGP-5-PORTTOSTP:Port 3/2 joined bridge port 3/1-2
Console> (enable)

C H A P T E R 28
Configuring DNS

This chapter describes how to configure the Domain Name System (DNS) on the Catalyst 6000 family
switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How DNS Works, page 28-1
• DNS Default Configuration, page 28-1
• Configuring DNS, page 28-2

Understanding How DNS Works


DNS is a distributed database with which you can map host names to IP addresses through the DNS
protocol from a DNS server. When you configure DNS on the switch, you can substitute the host name
for the IP address with all IP commands, such as ping, telnet, upload, and download.
To use DNS, you must have a DNS name server present on your network.
You can specify a primary DNS name server on the switch as well as two backup servers. The first server
specified is the primary unless you explicitly identify the primary server. The switch sends DNS queries
to the primary server first. If the query to the primary server fails, the backup servers are queried.

DNS Default Configuration


Table 28-1 shows the default DNS configuration.

Table 28-1 DNS Default Configuration

Feature Default Value


DNS enable state Disabled
DNS default domain name Null
DNS servers None specified


Configuring DNS
These sections describe how to configure DNS:
• Setting Up and Enabling DNS, page 28-2
• Clearing a DNS Server, page 28-3
• Clearing the DNS Domain Name, page 28-3
• Disabling DNS, page 28-3

Setting Up and Enabling DNS


To set up and enable DNS on the switch, perform this task in privileged mode:

Task Command
Step 1 Specify the IP address of one or more DNS servers. set ip dns server ip_addr [primary]
Step 2 Set the domain name. set ip dns domain name
Step 3 Enable DNS. set ip dns enable
Step 4 Verify the DNS configuration. show ip dns [noalias]

This example shows how to set up and enable DNS on the switch and verify the configuration:
Console> (enable) set ip dns server 10.2.2.1
10.2.2.1 added to DNS server table as primary server.
Console> (enable) set ip dns server 10.2.24.54 primary
10.2.24.54 added to DNS server table as primary server.
Console> (enable) set ip dns server 10.12.12.24
10.12.12.24 added to DNS server table as backup server.
Console> (enable) set ip dns domain corp.com
Default DNS domain name set to corp.com
Console> (enable) set ip dns enable
DNS is enabled
Console> (enable) show ip dns
DNS is currently enabled.
The default DNS domain name is: corp.com

DNS name server                          status
---------------------------------------- -------
dns_serv2
dns_serv1                                primary
dns_serv3
Console> (enable)
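The Python below is an added example, not Cisco code; it models the server table rules given in the “Understanding How DNS Works” section (the first server added is primary unless another is flagged primary, the primary is queried first, backups are tried when it fails, and there is one primary plus two backups) using the addresses from the example above. The query function and its answers are constructed stand-ins for a real resolver, and two behaviours are assumptions of this example rather than statements of the guide: an unqualified name gets the default domain appended, and clearing the primary promotes the earliest remaining server.

```python
from typing import Callable, List, Optional


class DnsServerTable:
    """DNS server table: up to three servers; the first added is primary unless
    another is flagged primary with the primary keyword."""

    MAX_SERVERS = 3  # one primary plus two backups

    def __init__(self) -> None:
        self._servers: List[str] = []       # in the order configured
        self._primary: Optional[str] = None

    def add(self, ip_addr: str, primary: bool = False) -> str:
        """Model set ip dns server ip_addr [primary]; returns the role assigned."""
        if ip_addr not in self._servers:
            if len(self._servers) >= self.MAX_SERVERS:
                raise ValueError("DNS server table is full (1 primary + 2 backups)")
            self._servers.append(ip_addr)
        if primary or self._primary is None:
            self._primary = ip_addr
        return "primary" if self._primary == ip_addr else "backup"

    def clear(self, ip_addr: Optional[str] = None) -> None:
        """Model clear ip dns server {ip_addr | all}.  Assumption (not from the
        guide): if the primary is cleared, the earliest remaining server becomes primary."""
        if ip_addr is None:
            self._servers.clear()
            self._primary = None
            return
        self._servers.remove(ip_addr)
        if self._primary == ip_addr:
            self._primary = self._servers[0] if self._servers else None

    def query_order(self) -> List[str]:
        """Primary first, then the backups in the order they were configured."""
        if self._primary is None:
            return []
        return [self._primary] + [s for s in self._servers if s != self._primary]


# query(server_ip, fqdn) -> address; raises TimeoutError when the server does not answer.
QueryFn = Callable[[str, str], str]


def resolve(name: str, table: DnsServerTable, query: QueryFn,
            default_domain: Optional[str] = None) -> str:
    """Resolve name via the primary, falling back to each backup in turn.
    Assumption: an unqualified name gets the configured default domain appended."""
    fqdn = name if "." in name or not default_domain else f"{name}.{default_domain}"
    servers = table.query_order()
    if not servers:
        raise LookupError("no DNS servers configured")
    for server in servers:
        try:
            return query(server, fqdn)
        except TimeoutError:
            continue                      # try the next server in the order
    raise LookupError(f"no DNS server answered for {fqdn}")


# Constructed stand-in for the network: answers per server, with the configured
# primary (10.2.24.54) deliberately absent so the backup path is exercised.
FAKE_ANSWERS = {
    "10.2.2.1": {"host1.corp.com": "10.2.2.50"},
    "10.12.12.24": {"host1.corp.com": "10.2.2.50"},
}


def fake_query(server: str, fqdn: str) -> str:
    if server not in FAKE_ANSWERS:
        raise TimeoutError(server)
    return FAKE_ANSWERS[server][fqdn]


def demo() -> str:
    """Rebuild the table from the example above and resolve an unqualified name."""
    table = DnsServerTable()
    table.add("10.2.2.1")                  # primary, being the first server added
    table.add("10.2.24.54", primary=True)  # becomes the primary
    table.add("10.12.12.24")               # backup
    return resolve("host1", table, fake_query, default_domain="corp.com")


if __name__ == "__main__":
    print(demo())
```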


Clearing a DNS Server


To clear DNS servers from the DNS server table, perform this task in privileged mode:

Task Command
Step 1 Remove one or all of the DNS servers from the table. clear ip dns server [ip_addr | all]
Step 2 Verify the DNS configuration. show ip dns [noalias]

This example shows how to clear a DNS server from the DNS server table:
Console> (enable) clear ip dns server 10.12.12.24
10.12.12.24 cleared from DNS table
Console> (enable)

This example shows how to clear all of the DNS servers from the DNS server table:
Console> (enable) clear ip dns server all
All DNS servers cleared
Console> (enable)

Clearing the DNS Domain Name


To clear the default DNS domain name, perform this task in privileged mode:

Task Command
Step 1 Clear the default DNS domain name. clear ip dns domain
Step 2 Verify the DNS configuration. show ip dns [noalias]

This example shows how to clear the default DNS domain name:
Console> (enable) clear ip dns domain
Default DNS domain name cleared.
Console> (enable)

Disabling DNS
To disable DNS, perform this task in privileged mode:

Task Command
Step 1 Disable DNS on the switch. set ip dns disable
Step 2 Verify the DNS configuration. show ip dns [noalias]

This example shows how to disable DNS on the switch:
Console> (enable) set ip dns disable
DNS is disabled
Console> (enable)

C H A P T E R 29
Configuring CDP

This chapter describes how to configure the Cisco Discovery Protocol (CDP) on the Catalyst 6000
family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How CDP Works, page 29-1
• Default CDP Configuration, page 29-2
• Configuring CDP, page 29-2

Understanding How CDP Works


CDP is a media- and protocol-independent protocol that runs on all Cisco-manufactured equipment
including routers, bridges, access and communication servers, and switches. Using CDP, you can view
information about all the Cisco devices directly attached to the switch. In addition, CDP detects native
VLAN and port duplex mismatches.
Network management applications can retrieve the device type and SNMP-agent address of neighboring
Cisco devices using CDP. This enables applications to send SNMP queries to neighboring devices. CDP
allows network management applications to discover Cisco devices that are neighbors of already known
devices, in particular, neighbors running lower-layer, transparent protocols.
CDP runs on all media that support Subnetwork Access Protocol (SNAP). CDP runs over the data link
layer only.
Cisco devices never forward CDP packets. When new CDP information is received, Cisco devices
discard old information.


Default CDP Configuration


Table 29-1 shows the default CDP configuration.

Table 29-1 CDP Default Configuration

Feature Default Value


CDP global enable state Enabled
CDP port enable state Enabled on all ports
CDP message interval 60 seconds
CDP holdtime 180 seconds

Configuring CDP
These sections describe how to configure CDP:
• Setting the CDP Global Enable and Disable States, page 29-2
• Setting the CDP Enable and Disable States on a Port, page 29-3
• Setting the CDP Message Interval, page 29-4
• Setting the CDP Holdtime, page 29-4
• Displaying CDP Neighbor Information, page 29-5

Setting the CDP Global Enable and Disable States


To set the CDP global enable state, perform this task in privileged mode:

Task Command
Step 1 Set the CDP global enable state on the switch. set cdp {enable | disable}
Step 2 Verify the CDP configuration. show cdp

This example shows how to enable CDP globally and verify the configuration:
Console> (enable) set cdp enable
CDP enabled globally
Console> (enable) show cdp
CDP : enabled
Message Interval : 60
Hold Time : 180
Console> (enable)

This example shows how to disable CDP globally and verify the configuration:
Console> (enable) set cdp disable
CDP disabled globally
Console> (enable) show cdp
CDP : disabled
Message Interval : 60
Hold Time : 180
Console> (enable)


Setting the CDP Enable and Disable States on a Port


You can enable or disable CDP on a per-port basis. You must enable CDP globally before the switch
will transmit CDP messages on any ports.
To set the CDP enable state on a per-port basis, perform this task in privileged mode:

Task Command
Step 1 Set the CDP enable state on individual ports. set cdp {enable | disable} [mod/port]
Step 2 Verify the CDP configuration. show cdp port [mod[/port]]

This example shows how to enable CDP on ports 3/1-2 and verify the configuration:
Console> (enable) set cdp enable 3/1-2
CDP enabled on ports 3/1-2.
Console> (enable) show cdp port 3
CDP : enabled
Message Interval : 60
Hold Time : 180

Port     CDP Status
-------- ----------
3/1 enabled
3/2 enabled
3/3 disabled
3/4 disabled
3/5 disabled
3/6 disabled
3/7 enabled
3/8 enabled
3/9 enabled
3/10 enabled
3/11 enabled
3/12 enabled
Console> (enable)

This example shows how to disable CDP on ports 3/1-6 and verify the configuration:
Console> (enable) set cdp disable 3/1-6
CDP disabled on ports 3/1-6.
Console> (enable) show cdp port 3
CDP : enabled
Message Interval : 60
Hold Time : 180

Port     CDP Status
-------- ----------
3/1 disabled
3/2 disabled
3/3 disabled
3/4 disabled
3/5 disabled
3/6 disabled
3/7 enabled
3/8 enabled
3/9 enabled
3/10 enabled
3/11 enabled
3/12 enabled
Console> (enable)


Setting the CDP Message Interval


The CDP message interval specifies how often the switch will transmit CDP messages to directly
connected Cisco devices.
To set the default CDP message interval, perform this task in privileged mode:

Task Command
Step 1 Set the default CDP message interval. The allowed range is 5–900 seconds. set cdp interval interval
Step 2 Verify the CDP configuration. show cdp

This example shows how to set the default CDP message interval to 100 seconds and verify the
configuration:
Console> (enable) set cdp interval 100
CDP message interval set to 100 seconds for all ports.
Console> (enable) show cdp
CDP : enabled
Message Interval : 100
Hold Time : 180
Console> (enable)

Setting the CDP Holdtime


The CDP holdtime specifies how much time can pass between CDP messages from neighboring devices
before the device is no longer considered connected and the neighboring entry is aged out.
To set the default CDP holdtime, perform this task in privileged mode:

Task Command
Step 1 Set the default CDP holdtime. The allowed range is 10–255 seconds. set cdp holdtime interval
Step 2 Verify the CDP configuration. show cdp

This example shows how to set the default CDP holdtime to 225 seconds and verify the configuration:
Console> (enable) set cdp holdtime 225
CDP holdtime set to 225 seconds.
Console> (enable) show cdp
CDP : enabled
Message Interval : 100
Hold Time : 225
Console> (enable)


Displaying CDP Neighbor Information


To display information about directly connected Cisco devices, enter the show cdp neighbors command.
Enter the vlan keyword to display the native VLAN for the connected ports. Enter the duplex keyword
to display the duplex mode for the connected ports. Enter the capabilities keyword to display the device
capability codes for the connected device. Enter the detail keyword to display detailed information about
the neighboring device.

Note If you enter the show cdp neighbors command for a device that supports earlier versions of CDP,
“unknown” is displayed in the following fields: VTP Management Domain, Native VLAN, and
Duplex.

To display information about directly connected Cisco devices, perform this task:

Task Command
Display information about CDP neighbors. show cdp neighbors [mod[/port]] [vlan | duplex | capabilities | detail]

This example shows how to display CDP neighbor information for connected Cisco devices:
Console> (enable) show cdp neighbors
* - indicates vlan mismatch.
# - indicates duplex mismatch.
Port Device-ID Port-ID Platform
-------- ------------------------------- ------------------------- ------------
2/3 JAB023807H1(2948) 2/2 WS-C2948
3/1 JAB023806JR(4003) 2/1 WS-C4003
3/2 JAB023806JR(4003) 2/2 WS-C4003
3/5 JAB023806JR(4003) 2/5 WS-C4003
3/6 JAB023806JR(4003) 2/6 WS-C4003
Console> (enable)

This example shows how to display the native VLAN for each port connected on the neighboring device
(there is a native VLAN mismatch between port 3/6 on the local switch and port 2/6 on the neighboring
device, as indicated by the asterisk [*]):
Console> (enable) show cdp neighbors vlan
* - indicates vlan mismatch.
# - indicates duplex mismatch.
Port Device-ID Port-ID NativeVLAN
-------- ------------------------------- ------------------------- ----------
2/3 JAB023807H1(2948) 2/2 522
3/1 JAB023806JR(4003) 2/1 100
3/2 JAB023806JR(4003) 2/2 100
3/5 JAB023806JR(4003) 2/5 1
3/6 JAB023806JR(4003) 2/6* 1
Console> (enable)
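The mismatch markers in this listing are easy to miss in a large table. The following added example (not part of this guide or of Cisco software) parses a `show cdp neighbors vlan` listing and returns the rows the switch flagged; the listing embedded in it is a constructed copy of the one above, and the assumption that the `#` duplex marker is placed like the `*` marker is the example's own.

```python
"""Parse CatOS `show cdp neighbors vlan` output and report flagged rows.

Added example, not part of the Catalyst 6000 guide or Cisco software.
Rows are split on runs of two or more spaces, which keeps a Device-ID that
contains a single space intact while still separating the columns.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the `show cdp neighbors vlan` output on this
# page; the trailing `*` on Port-ID 2/6 marks a native VLAN mismatch.
SAMPLE_VLAN_OUTPUT = """\
Console> (enable) show cdp neighbors vlan
* - indicates vlan mismatch.
# - indicates duplex mismatch.
Port     Device-ID                       Port-ID                   NativeVLAN
-------- ------------------------------- ------------------------- ----------
2/3      JAB023807H1(2948)               2/2                       522
3/1      JAB023806JR(4003)               2/1                       100
3/2      JAB023806JR(4003)               2/2                       100
3/6      JAB023806JR(4003)               2/6*                      1
Console> (enable)
"""

PORT_RE = re.compile(r"^\d+/\d+$")   # CatOS mod/port notation, e.g. 3/6


@dataclass
class Neighbor:
    port: str              # local port
    device_id: str         # neighbor Device-ID
    port_id: str           # neighbor Port-ID with any marker stripped
    value: str             # last column: NativeVLAN (or Duplex for `duplex`)
    vlan_mismatch: bool    # `*` marker seen on this row
    duplex_mismatch: bool  # `#` marker seen on this row (assumed placement)


def parse_cdp_neighbors(text):
    """Return one Neighbor per data row of a `show cdp neighbors` listing."""
    in_table = False
    rows = []
    for line in text.splitlines():
        if not in_table:
            # The dashed separator line ends the header; rows follow it.
            in_table = line.startswith("----")
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 4 or not PORT_RE.match(fields[0]):
            continue  # prompt, blank line or anything that is not a data row
        vlan_mm = any("*" in f for f in fields)
        dup_mm = any("#" in f for f in fields)
        port, dev, pid, val = (f.rstrip("*#") for f in fields)
        rows.append(Neighbor(port, dev, pid, val, vlan_mm, dup_mm))
    return rows


def mismatched_ports(rows):
    """(local port, neighbor port, kind) for every row the switch flagged."""
    out = []
    for r in rows:
        if r.vlan_mismatch:
            out.append((r.port, r.port_id, "vlan"))
        if r.duplex_mismatch:
            out.append((r.port, r.port_id, "duplex"))
    return out


if __name__ == "__main__":
    for port, peer, kind in mismatched_ports(parse_cdp_neighbors(SAMPLE_VLAN_OUTPUT)):
        print(f"{kind} mismatch: local port {port} <-> neighbor port {peer}")
```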

This example shows how to display detailed information about the neighboring device:
Console> (enable) show cdp neighbors 2/3 detail
Port (Our Port): 2/3
Device-ID: JAB023807H1(2948)
Device Addresses:
IP Address: 172.20.52.36
Holdtime: 132 sec
Capabilities: TRANSPARENT_BRIDGE SWITCH

Version:
WS-C2948 Software, Version McpSW: 5.1(57) NmpSW: 5.1(1)
Copyright (c) 1995-1999 by Cisco Systems, Inc.
Platform: WS-C2948
Port-ID (Port on Neighbors's Device): 2/2
VTP Management Domain: Lab_Network
Native VLAN: 522
Duplex: full
Console> (enable)

Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4


29-6 78-13315-02
CHAPTER 30
Configuring UDLD

This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the
Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How UDLD Works, page 30-1
• Default UDLD Configuration, page 30-2
• Configuring UDLD, page 30-3

Understanding How UDLD Works


The UDLD protocol allows devices connected through fiber-optic or copper (for example, Category 5
cabling) Ethernet cables to monitor the physical configuration of the cables and detect when a
unidirectional link exists. When a unidirectional link is detected, UDLD shuts down the affected port
and alerts the user. Unidirectional links can cause a variety of problems, including spanning tree
topology loops.
UDLD is a Layer 2 protocol that works with the Layer 1 mechanisms to determine the physical status of
a link. At Layer 1, autonegotiation takes care of physical signaling and fault detection. UDLD performs
tasks that autonegotiation cannot perform, such as detecting the identities of neighbors and shutting
down misconnected ports. When you enable both autonegotiation and UDLD, Layer 1 and Layer 2
detections work together to prevent physical and logical unidirectional connections and the
malfunctioning of other protocols.
A unidirectional link occurs whenever traffic transmitted by the local device over a link is received by
the neighbor but traffic transmitted from the neighbor is not received by the local device. If one of the
fiber strands in a pair is disconnected, as long as autonegotiation is active, the link does not stay up. In
this case, the logical link is undetermined, and UDLD does not take any action. If both fibers are working
normally from a Layer 1 perspective, then UDLD at Layer 2 determines whether those fibers are
connected correctly and whether traffic is flowing bidirectionally between the right neighbors. This
check cannot be performed by autonegotiation, because autonegotiation is a Layer 1 mechanism.


The switch periodically transmits UDLD messages (packets) to neighbor devices on ports with UDLD
enabled. If the messages are echoed back to the sender within a specific time frame and they are lacking
a specific acknowledgment (echo), the link is flagged as unidirectional and the port is shut down.
Devices on both ends of the link must support UDLD in order for the protocol to successfully identify
and disable unidirectional links.

Note With supervisor engine software release 5.4(3) and later releases, you can specify the message
interval between UDLD messages. Previously, the message interval was fixed at 60 seconds. With a
configurable message interval, UDLD reacts much faster to link failures.

Note By default, UDLD is locally disabled on copper ports to avoid sending unnecessary control traffic
on this type of media since it is often used for access ports.

Figure 30-1 shows an example of a unidirectional link condition. Each switch can send packets to a
neighbor switch but is not able to receive packets from the same switch that it is sending packets to. UDLD
detects and disables these one-way connections.

Figure 30-1 Unidirectional Link (figure not reproduced: Switch X, Switch Y, and Switch Z connected in a ring, with the Tx and Rx ends of each link labeled)

Default UDLD Configuration


Table 30-1 shows the default UDLD configuration.

Table 30-1 UDLD Default Configuration

Feature Default Value
UDLD global enable state Globally disabled
UDLD per-port enable state for fiber-optic media Enabled on all Ethernet fiber-optic ports
UDLD per-port enable state for twisted-pair (copper) media Disabled on all Ethernet 10/100 and 1000BASE-TX ports
UDLD message interval 15 seconds
UDLD aggressive mode Disabled


Configuring UDLD
These sections describe how to configure UDLD:
• Enabling UDLD Globally, page 30-3
• Enabling UDLD on Individual Ports, page 30-3
• Disabling UDLD on Individual Ports, page 30-4
• Disabling UDLD Globally, page 30-4
• Specifying the UDLD Message Interval, page 30-4
• Enabling UDLD Aggressive Mode, page 30-5
• Displaying the UDLD Configuration, page 30-5

Enabling UDLD Globally


To enable UDLD globally on the switch, perform this task in privileged mode:

Task Command
Step 1 Enable UDLD globally on the switch. set udld enable
Step 2 Verify the configuration. show udld

This example shows how to enable UDLD globally and verify the configuration:
Console> (enable) set udld enable
UDLD enabled globally
Console> (enable) show udld
UDLD : enabled
Console> (enable)

Enabling UDLD on Individual Ports


To enable UDLD on individual ports, perform this task in privileged mode:

Task Command
Step 1 Enable UDLD on a specific port. set udld enable mod/port
Step 2 Verify the configuration. show udld port [mod[/port]]

This example shows how to enable UDLD on port 4/1 and verify the configuration:
Console> (enable) set udld enable 4/1
UDLD enabled on port 4/1
Console> (enable) show udld port 4/1
UDLD : enabled
Message Interval: 15 seconds
Port Admin Status Aggressive Mode Link State
-------- ------------ --------------- ---------
4/1 enabled disabled bidirectional
Console> (enable)


Disabling UDLD on Individual Ports


To disable UDLD on individual ports, perform this task in privileged mode:

Task Command
Step 1 Disable UDLD on a specific port. set udld disable mod/port
Step 2 Verify the configuration. show udld port [mod[/port]]

This example shows how to disable UDLD on port 4/1:


Console> (enable) set udld disable 4/1
UDLD disabled on port 4/1.
Console> (enable)

Disabling UDLD Globally


To disable UDLD globally on the switch, perform this task in privileged mode:

Task Command
Step 1 Disable UDLD globally on the switch. set udld disable
Step 2 Verify the configuration. show udld

This example shows how to disable UDLD globally on the switch:


Console> (enable) set udld disable
UDLD disabled globally
Console> (enable)

Specifying the UDLD Message Interval


To specify the UDLD message interval, perform this task in privileged mode:

Task Command
Step 1 Specify the UDLD message interval. set udld interval interval
Step 2 Verify the configuration. show udld

This example shows how to specify the UDLD message interval on the switch:
Console> (enable) set udld interval 20
UDLD message interval set to 20 seconds
Console> (enable)

This example shows how to verify the message interval on the switch:
Console> (enable) show udld
UDLD : enabled
Message Interval : 20 seconds
Console> (enable)


Enabling UDLD Aggressive Mode


Software release 5.4(3) and later releases have UDLD aggressive mode. UDLD aggressive mode is
disabled by default and its use is recommended only for point-to-point links between Cisco switches
running software release 5.4(3) or later releases. With UDLD aggressive mode enabled, when a port on a
bidirectional link which has a UDLD neighbor relationship established stops receiving UDLD packets,
UDLD tries to reestablish the connection with the neighbor. After eight failed retries, the port is put into
errdisable state.
In order to prevent spanning tree loops, normal UDLD with the default interval of 15 seconds is fast
enough to shut down a unidirectional link before a blocking port transitions to the forwarding state
(when default spanning tree parameters are used).
Enabling UDLD aggressive mode provides additional benefits in the following cases:
• One side of a link has a port stuck (both Tx and Rx)
• One side of a link remains up while the other side of the link has gone down
In these cases, UDLD aggressive mode errdisables one of the ports on the link and stops the blackholing
of traffic. Even with aggressive mode disabled, there would have been no risk for a broadcast storm due
to a spanning tree loop in this situation, as one port is unable to pass traffic in both directions.

Task Command
Step 1 Enable UDLD aggressive mode. set udld aggressive-mode enable mod/port
Step 2 Verify the configuration. show udld

This example shows how to enable UDLD aggressive mode on the switch:
Console> (enable) set udld aggressive-mode enable 4/1
Aggressive UDLD enabled on port 4/1.
Console> (enable)

This example shows how to verify that UDLD aggressive mode is enabled on the switch:
Console> (enable) show udld port 4/1
UDLD : enabled
Message Interval: 30 seconds
Port Admin Status Aggressive Mode Link State
-------- ------------ --------------- ---------
4/1 enabled Enabled bidirectional
Console> (enable)
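To make the difference between normal and aggressive mode concrete, here is an added simulation (not part of this guide or of Cisco software) of the behaviour described in this section and in "Understanding How UDLD Works": each port echoes the neighbor IDs it has heard, an echo that never lists the receiver marks the link unidirectional, and aggressive mode errdisables a port whose established neighbor goes silent for eight retries. The unacknowledged-echo limit and the hold time used below are the model's own assumptions, not Cisco values.

```python
"""Simplified model of UDLD link-state detection as described in Chapter 30.

Added example, not part of the Catalyst 6000 guide or Cisco software.
Every interval each port sends a message carrying its own ID and the IDs it
has heard (the echo). UNACKED_ECHOES_LIMIT and HOLD_INTERVALS are assumptions
of this model; AGGRESSIVE_RETRIES is the eight retries stated on the page.
"""
from dataclasses import dataclass, field

UNDETERMINED = "undetermined"       # detection in progress or neighbor silent
BIDIRECTIONAL = "bidirectional"
SHUTDOWN = "shutdown"               # unidirectional link detected, port errdisabled
NOT_APPLICABLE = "not applicable"   # UDLD disabled on this port

UNACKED_ECHOES_LIMIT = 3   # assumption: neighbor echoes lacking our ID before shutdown
HOLD_INTERVALS = 3         # assumption: silent intervals before the neighbor is aged out
AGGRESSIVE_RETRIES = 8     # page: eight failed retries, then errdisable


@dataclass
class UdldPort:
    device_id: str
    enabled: bool = True
    aggressive: bool = False
    state: str = UNDETERMINED
    heard: set = field(default_factory=set)  # neighbor IDs received from
    unacked: int = 0   # consecutive neighbor echoes that did not list us
    missed: int = 0    # consecutive intervals with no neighbor message

    def __post_init__(self):
        if not self.enabled:
            self.state = NOT_APPLICABLE

    def active(self):
        return self.state not in (SHUTDOWN, NOT_APPLICABLE)

    def build_message(self):
        """Per-interval message: our ID plus the echo of what we have heard."""
        if not self.active():
            return None
        return {"from": self.device_id, "echo": set(self.heard)}

    def receive(self, msg):
        if not self.active():
            return
        self.missed = 0
        self.heard.add(msg["from"])
        if self.device_id in msg["echo"]:
            # The neighbor hears us and we hear it: traffic flows both ways.
            self.state, self.unacked = BIDIRECTIONAL, 0
            return
        # The neighbor's echo never lists us: our transmissions do not reach it.
        self.unacked += 1
        if self.unacked >= UNACKED_ECHOES_LIMIT:
            self.state = SHUTDOWN

    def no_message(self):
        """An interval in which nothing arrived from the neighbor."""
        if not self.active():
            return
        self.missed += 1
        if self.state != BIDIRECTIONAL:
            return  # no established neighbor relationship, nothing to act on
        if self.aggressive and self.missed >= AGGRESSIVE_RETRIES:
            self.state = SHUTDOWN        # errdisable after eight failed retries
        elif not self.aggressive and self.missed >= HOLD_INTERVALS:
            self.state = UNDETERMINED    # neighbor entry aged out, no action taken
            self.heard.clear()


def simulate(intervals, x_to_y_ok=True, y_to_x_ok=True, aggressive=False,
             y_down_after=None):
    """Run ports X and Y over a link whose two directions can fail independently.

    `y_down_after` takes Y out of service from that interval on (it neither
    sends nor receives), modelling a port stuck or a side that has gone down
    while X's side of the link stays up. Returns (X state, Y state)."""
    x = UdldPort("X", aggressive=aggressive)
    y = UdldPort("Y", aggressive=aggressive)
    for t in range(1, intervals + 1):
        y_up = y_down_after is None or t < y_down_after
        x_msg = x.build_message()
        y_msg = y.build_message() if y_up else None
        if y_up:
            if x_to_y_ok and x_msg is not None:
                y.receive(x_msg)
            else:
                y.no_message()
        if y_to_x_ok and y_msg is not None:
            x.receive(y_msg)
        else:
            x.no_message()
    return x.state, y.state
```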

Displaying the UDLD Configuration


To display the UDLD enable state, perform this task in privileged mode:

Task Command
Display the UDLD enable state. show udld


This example shows how to display the UDLD enable state:


Console> (enable) show udld
UDLD : enabled
Message Interval : 15 seconds
Console> (enable)

To display UDLD configuration for a module or port, perform this task in privileged mode:

Task Command
Display the UDLD configuration for a module or port. show udld port [mod] [mod/port]

This example shows how to display the UDLD configuration for ports on module 4:
Console> (enable) show udld port 4
UDLD : enabled
Message Interval: 15 seconds
Port Admin Status Aggressive Mode Link State
-------- ------------ --------------- ---------
4/1 enabled disabled bidirectional
4/2 enabled disabled bidirectional
4/3 enabled disabled undetermined
4/4 enabled disabled bidirectional

.
.

Console> (enable)

Table 30-2 describes the fields in the show udld command output.

Table 30-2 show udld Command Output Fields

Field Description
UDLD Status of whether UDLD is enabled or disabled.
Message Interval Message interval in seconds.
Port Module and port number(s).
Admin Status Status of whether administration status is enabled or disabled.
Aggressive Mode Status of whether aggressive mode is enabled or disabled.
Link State Status of the link: undetermined (detection in progress or UDLD on the neighbors has been disabled), not applicable (UDLD and/or the local port has been manually disabled), shutdown (unidirectional link has been detected and the port err-disabled), or bidirectional (a bidirectional link has been detected since the port is functioning properly in both directions).

CHAPTER 31
Configuring NTP

This chapter describes how to configure the Network Time Protocol (NTP) on the Catalyst 6000 family
switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How NTP Works, page 31-1
• NTP Default Configuration, page 31-2
• Configuring NTP, page 31-2

Understanding How NTP Works


NTP synchronizes timekeeping among a set of distributed time servers and clients. This synchronization
allows events to be correlated when system logs are created and other time-specific events occur.
An NTP server must be accessible by the client switch. NTP runs over User Datagram Protocol (UDP),
which runs over IP. NTP is documented in RFC 1305. All NTP communication uses Coordinated
Universal Time (UTC), which is the same as Greenwich Mean Time. An NTP network usually gets its
time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server.
NTP distributes this time across the network. NTP is extremely efficient; no more than one packet per
minute is necessary to synchronize two machines to within a millisecond of one another.
NTP uses a stratum to describe how many NTP hops away a machine is from an authoritative time
source. A stratum 1 time server has a radio or atomic clock directly attached; a stratum 2 time server
receives its time from a stratum 1 time server, and so on. A machine running NTP automatically chooses
as its time source the machine with the lowest stratum number that it is configured to communicate with
through NTP. This strategy effectively builds a self-organizing tree of NTP speakers.
NTP has two ways to avoid synchronizing to a machine whose time might be ambiguous:
• NTP never synchronizes to a machine that is not synchronized itself.
• NTP compares the time reported by several machines and does not synchronize to a machine whose
time is significantly different from the others, even if its stratum is lower.


The communications between machines running NTP, known as associations, are usually statically
configured; each machine is given the IP address of all machines with which it should form associations.
Accurate timekeeping is possible by exchanging NTP messages between each pair of machines with an
association. However, in a LAN environment, you can configure NTP to use IP broadcast messages.
With this alternative, you can configure the machine to send or receive broadcast messages, but the
accuracy of timekeeping is marginally reduced because the information flow is one-way only.
Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio
or atomic clock. We recommend that you obtain the time service for your network from the public NTP
servers available in the IP Internet. If the network is isolated from the Internet, Cisco’s NTP
implementation allows a machine to be configured so that it acts as though it is synchronized using NTP,
when in fact it has determined the time using other means. Other machines then synchronize to that
machine using NTP.
A number of manufacturers include NTP software for their host systems, and a publicly available version
for systems running UNIX and its various derivatives is also available. This software allows
time-synchronized host systems.

NTP Default Configuration


Table 31-1 shows the default NTP configuration.

Table 31-1 NTP Default Configuration

Feature Default Value
Broadcast client mode Disabled
Client mode Disabled
Broadcast delay 3000 microseconds
Time zone Not specified
Offset from UTC 0 hours
Summertime adjustment Disabled
NTP server None specified
Authentication mode Disabled

Configuring NTP
These sections describe how to configure NTP:
• Enabling NTP in Broadcast-Client Mode, page 31-3
• Configuring NTP in Client Mode, page 31-3
• Configuring Authentication in Client Mode, page 31-4
• Setting the Time Zone, page 31-5
• Enabling the Daylight Saving Time Adjustment, page 31-5
• Disabling the Daylight Saving Time Adjustment, page 31-7
• Clearing the Time Zone, page 31-7

• Clearing NTP Servers, page 31-7
• Disabling NTP, page 31-8

Enabling NTP in Broadcast-Client Mode


Configure the switch in NTP broadcast-client mode if an NTP broadcast server, such as a router,
regularly broadcasts time-of-day information on the network. To compensate for any server-to-client
packet latency, you can specify an NTP broadcast delay (a time adjustment factor for the receiving of
broadcast packets by the switch).
To enable NTP broadcast-client mode on the switch, perform this task in privileged mode:

Task Command
Step 1 Enable NTP broadcast-client mode. set ntp broadcastclient enable
Step 2 (Optional) Set the estimated NTP broadcast packet delay. set ntp broadcastdelay microseconds
Step 3 Verify the NTP configuration. show ntp [noalias]

This example shows how to enable NTP broadcast-client mode on the switch, set a broadcast delay of
4000 microseconds, and verify the configuration:
Console> (enable) set ntp broadcastclient enable
NTP Broadcast Client mode enabled
Console> (enable) set ntp broadcastdelay 4000
NTP Broadcast delay set to 4000 microseconds
Console> (enable) show ntp

Current time: Tue Jun 23 1998, 20:25:43


Timezone: '', offset from UTC is 0 hours
Summertime: '', disabled
Last NTP update:
Broadcast client mode: enabled
Broadcast delay: 4000 microseconds
Client mode: disabled

NTP-Server
----------------------------------------
Console> (enable)

Configuring NTP in Client Mode


Configure the switch in NTP client mode if you want the client switch to regularly send time-of-day
requests to an NTP server. You can configure up to ten server addresses per client.
To configure the switch in NTP client mode, perform this task in privileged mode:

Task Command
Step 1 Configure the IP address of the NTP server. set ntp server ip_addr
Step 2 Enable NTP client mode. set ntp client enable
Step 3 Verify the NTP configuration. show ntp [noalias]


This example shows how to configure the NTP server address, enable NTP client mode on the switch,
and verify the configuration:
Console> (enable) set ntp server 172.20.52.65
NTP server 172.20.52.65 added.
Console> (enable) set ntp client enable
NTP Client mode enabled
Console> (enable) show ntp

Current time: Tue Jun 23 1998, 20:29:25


Timezone: '', offset from UTC is 0 hours
Summertime: '', disabled
Last NTP update: Tue Jun 23 1998, 20:29:07
Broadcast client mode: disabled
Broadcast delay: 3000 microseconds
Client mode: enabled

NTP-Server
----------------------------------------
172.16.52.65
Console> (enable)

Configuring Authentication in Client Mode


Authentication can enhance the security of a system running NTP. When you enable the authentication
feature, the client switch sends time-of-day requests to trusted NTP servers only. The authentication
feature is documented in RFC 1305.
You can configure up to ten authentication keys per client. Each authentication key is actually a pair of
two keys:
• A public key number—A 32-bit integer that can range from 1 to 4294967295
• A secret key string—An arbitrary string of 32 characters, including all printable characters and
spaces
To authenticate the message, the client authentication key must match that of the server. Therefore, the
authentication key must be securely distributed in advance (that is, the client administrator must get the
key pair from the server administrator and configure it on the client).
To configure authentication, perform this task in privileged mode:

Task Command
Step 1 Configure an authentication key pair for NTP and specify whether the key is trusted or untrusted. set ntp key public_key [trusted | untrusted] md5 secret_key
Step 2 Specify the IP address of the NTP server and the public key. set ntp server ip_addr [key public_key]
Step 3 Enable NTP client mode. set ntp client enable
Step 4 Enable NTP authentication. set ntp authentication enable
Step 5 Verify the NTP configuration. show ntp [noalias]


This example shows how to configure the NTP server address, enable NTP client and authentication
modes on the switch, and verify the configuration:
Console> (enable) set ntp server 172.20.52.65 key 879
NTP server 172.20.52.65 with key 879 added.
Console> (enable) set ntp client enable
NTP Client mode enabled
Console> (enable) set ntp authentication enable
NTP authentication feature enabled
Console> (enable) show ntp

Current time: Tue Jun 23 1998, 20:29:25


Timezone: '', offset from UTC is 0 hours
Summertime: '', disabled
Last NTP update: Tue Jun 23 1998, 20:29:07
Broadcast client mode: disabled
Broadcast delay: 3000 microseconds
Client mode: enabled
Authentication: enabled

NTP-Server Server Key
---------------------------------------- ----------
172.16.52.65

Key Number Mode Key String
---------- --------- --------------------------------

Console> (enable)
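What the key pair configured above actually protects is the NTP packet's message authentication code. The following added example (not part of this guide or of Cisco software) models the client side: a table of (key number, secret string, trusted flag) entries and the RFC 1305 MAC layout, a 32-bit key identifier followed by MD5 over the secret and the 48-byte NTP header. The key number 879 comes from the page; the secret strings and timestamp are constructed sample values.

```python
"""NTP MD5 message authentication as configured with `set ntp key ... md5`.

Added example, not part of the Catalyst 6000 guide or Cisco software.
The MAC layout assumed here is the RFC 1305 Appendix C one: a 4-byte key
identifier followed by MD5(secret || 48-byte NTP header).
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
DIGEST_LEN = 16
MAX_KEY_ID = 4294967295   # public key number range 1..4294967295 (page)
MAX_SECRET_LEN = 32       # secret key string of up to 32 characters (page)


class NtpKeyTable:
    """The client's authentication key pairs, each trusted or untrusted."""

    def __init__(self):
        self._keys = {}

    def add(self, key_id, secret, trusted=True):
        if not 1 <= key_id <= MAX_KEY_ID:
            raise ValueError("public key number out of range")
        if not 1 <= len(secret) <= MAX_SECRET_LEN:
            raise ValueError("secret key string must be 1..32 characters")
        self._keys[key_id] = (secret.encode("ascii"), trusted)

    def trusted_secret(self, key_id):
        """Secret bytes for a trusted key, or None if unknown or untrusted."""
        entry = self._keys.get(key_id)
        if entry is None or not entry[1]:
            return None
        return entry[0]


def build_client_request(transmit_ts=0):
    """Minimal 48-byte NTPv3 header: LI=0, VN=3, mode=3 (client)."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (0 << 6) | (3 << 3) | 3              # 0x1b
    struct.pack_into("!Q", header, 40, transmit_ts)   # transmit timestamp
    return bytes(header)


def authenticate(packet, key_id, secret):
    """Append the key identifier and MD5(secret || header) to an NTP header."""
    digest = hashlib.md5(secret + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(packet, keys):
    """True only if the MAC is valid under a key the table marks as trusted."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    secret = keys.trusted_secret(key_id)
    if secret is None:
        return False   # untrusted or unknown key: the client ignores the server
    expected = hashlib.md5(secret + header).digest()
    # Constant-time comparison so verification time does not leak digest bytes.
    return hmac.compare_digest(expected, packet[-DIGEST_LEN:])


def demo():
    """Valid, tampered and untrusted-key packets; returns their verify results."""
    keys = NtpKeyTable()
    keys.add(879, "sample-secret-string", trusted=True)   # constructed secret
    keys.add(880, "untrusted-key", trusted=False)         # constructed secret
    req = build_client_request(transmit_ts=0xE1BB2BF400000000)  # constructed
    good = authenticate(req, 879, b"sample-secret-string")
    tampered = good[:1] + bytes([good[1] ^ 0x01]) + good[2:]   # flip a header bit
    untrusted = authenticate(req, 880, b"untrusted-key")
    return verify(good, keys), verify(tampered, keys), verify(untrusted, keys)


if __name__ == "__main__":
    print("valid, tampered, untrusted ->", demo())
```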

Setting the Time Zone


You can specify a time zone for the switch to display the time in that time zone. You must enable NTP
before you set the time zone. If NTP is not enabled, this command has no effect. If you enable NTP and
do not specify a time zone, UTC is shown by default.
To set the time zone, perform this task in privileged mode:

Task Command
Step 1 Set the time zone. set timezone zone hours [minutes]
Step 2 Verify the time zone configuration. show timezone

This example shows how to set the time zone on the switch:
Console> (enable) set timezone Pacific -8
Timezone set to 'Pacific', offset from UTC is -8 hours
Console> (enable)

Enabling the Daylight Saving Time Adjustment


Following U.S. standards, you can have the switch advance the clock one hour at 2:00 a.m. on the first
Sunday in April and move back the clock one hour at 2:00 a.m. on the last Sunday in October. You can
also explicitly specify the start and end dates and times and whether or not the time adjustment recurs
every year.


To enable the daylight saving time clock adjustment following the U.S. rules, perform this task in
privileged mode:

Task Command
Step 1 Enable the daylight saving time clock adjustment. set summertime enable [zone_name]
set summertime recurring
Step 2 Verify the configuration. show summertime

This example shows how to set the clock adjusted for Pacific Daylight Time following the U.S.
standards:
Console> (enable) set summertime enable PDT
Console> (enable) set summertime recurring
Summertime is enabled and set to 'PDT'
Console> (enable)

To enable the daylight saving time clock adjustment that recurs every year on different days or with a
different offset than the U.S. standard, perform this task in privileged mode:

Task Command
Step 1 Enable the daylight saving time clock adjustment. set summertime recurring week day month hh:mm week day month hh:mm offset
Step 2 Verify the configuration. show summertime

This example shows how to set the daylight saving time clock adjustment, repeating every year, starting
on the third Monday of February at noon and ending on the second Saturday of August at 3:00 p.m. with
a 30-minute offset forward in February and back in August:
Console> (enable) set summertime recurring 3 mon feb 3:00 2 saturday aug 15:00 30
Summer time is disabled and set to ''
start: Sun Feb 13 2000, 03:00:00
end: Sat Aug 26 2000, 14:00:00
Offset: 30 minutes
Recurring: yes, starting at 3:00am Sunday of the third week of February and ending
14:00pm Saturday of the fourth week of August.
Console> (enable)

To enable the daylight saving time clock adjustment to a nonrecurring specific date, perform this task in
privileged mode:

Task Command
Step 1 Enable the daylight saving time clock adjustment. set summertime date month date year hh:mm month date year hh:mm offset
Step 2 Verify the configuration. show summertime


This example shows how to set the nonrecurring daylight saving time clock adjustment on April 30, 1999
at 11:32, ending on February 1, 2003 at 12:02 a.m., with an offset of 50 minutes:
Console> (enable) set summertime date apr 13 2000 4:30 jan 21 2002 5:30 1440
Summertime is disabled and set to ''
Start : Thu Apr 13 2000, 04:30:00
End : Mon Jan 21 2002, 05:30:00
Offset: 1440 minutes (1 day)
Recurring: no
Console> (enable)

Disabling the Daylight Saving Time Adjustment


To disable the daylight saving time clock adjustment, perform this task in privileged mode:

Task Command
Step 1 Disable the daylight saving time clock adjustment. set summertime disable [zone_name]
Step 2 Verify the configuration. show summertime

This example shows how to disable the daylight saving time adjustment:
Console> (enable) set summertime disable Arizona
Summertime is disabled and set to 'Arizona'
Console> (enable)

Clearing the Time Zone


To clear the time zone settings and return the time zone to Coordinated Universal Time (UTC), perform
this task in privileged mode:

Task Command
Clear the time zone settings. clear timezone

This example shows how to clear the time zone settings:


Console> (enable) clear timezone
Timezone name and offset cleared
Console> (enable)

Clearing NTP Servers


To clear an NTP server address from the NTP servers table on the switch, perform this task in privileged
mode:

Task Command
Step 1 Specify the NTP server to clear. clear ntp server [ip_addr | all]
Step 2 Verify the NTP configuration. show ntp [noalias]


This example shows how to clear an NTP server address from the NTP server table:
Console> (enable) clear ntp server 172.16.64.10
NTP server 172.16.64.10 removed.
Console> (enable)

Disabling NTP
To disable NTP broadcast-client mode on the switch, perform this task in privileged mode:

Task Command
Step 1 Disable NTP broadcast-client mode. set ntp broadcastclient disable
Step 2 Verify the NTP configuration. show ntp [noalias]

This example shows how to disable NTP broadcast-client mode on the switch:
Console> (enable) set ntp broadcastclient disable
NTP Broadcast Client mode disabled
Console> (enable)

To disable NTP client mode on the switch, perform this task in privileged mode:

Task Command
Step 1 Disable NTP client mode. set ntp client disable
Step 2 Verify the NTP configuration. show ntp [noalias]

This example shows how to disable NTP client mode on the switch:
Console> (enable) set ntp client disable
NTP Client mode disabled
Console> (enable)

CHAPTER 32
Configuring Broadcast Suppression

This chapter describes how to configure broadcast suppression on the Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How Broadcast Suppression Works, page 32-1
• Configuring Broadcast Suppression, page 32-2

Understanding How Broadcast Suppression Works


Broadcast suppression prevents switched ports on a LAN from being disrupted by a broadcast storm on
one of the ports. A LAN broadcast storm occurs when broadcast or multicast packets flood the LAN,
creating excessive traffic and degrading network performance. Errors in the protocol-stack
implementation or in the network configuration can cause a broadcast storm.
Broadcast suppression uses filtering that measures broadcast activity on a LAN over a one-second time
period and compares the measurement with a predefined threshold. If the threshold is reached, further
broadcast activity is suppressed for the duration of a specified time period. Broadcast suppression is
disabled by default.
Figure 32-1 shows the broadcast traffic patterns on a port over a given period of time. In this example,
broadcast suppression occurs between time intervals T1 and T2 and between T4 and T5. During those
time periods, the amount of broadcast traffic exceeded the configured threshold.


Figure 32-1 Broadcast Suppression (figure not reproduced: a plot of the total number of broadcast packets or bytes against time, with the threshold drawn as a horizontal line and the intervals T1 through T5 marked on the time axis)

The threshold value and the one-second measurement interval together determine the granularity of the
broadcast suppression algorithm. A higher threshold allows more broadcast packets to pass through.
Broadcast suppression on the Catalyst 6000 family switches is implemented in hardware. The
suppression circuitry monitors packets passing from a port to the switching bus. Using the
Individual/Group bit in the packet destination address, the broadcast suppression circuitry determines if
the packet is unicast or broadcast. It keeps track of the current count of broadcasts within the one-second
time interval, and when a threshold is reached, filters out subsequent broadcast packets.
Because hardware broadcast suppression uses a bandwidth-based method to measure broadcast activity,
the most significant implementation factor is setting the percentage of total available bandwidth that can
be used by broadcast traffic. A threshold value of 100 percent means that no limit is placed on broadcast
traffic. Using the set port broadcast command, you can set up the broadcast suppression threshold
value.
Because packets do not arrive at uniform intervals, the one-second time interval during which broadcast
activity is measured can affect the behavior of broadcast suppression.
On Gigabit Ethernet ports, you can also use broadcast suppression to filter multicast and unicast traffic.
You can suppress multicast or unicast traffic separately on a port; both require that you configure
broadcast suppression. When you specify a percentage of the total bandwidth to be used for multicast or
unicast traffic, the same limit applies to the broadcast traffic.

Note Multicast suppression does not drop bridge protocol data unit (BPDU) packets.
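
The following model of the one-second measurement window is an added example, not code from this guide or from Cisco. It counts frames whose destination address has the Individual/Group bit set against a threshold expressed as a percentage of the port bandwidth, and shows how a burst that exceeds the threshold is cut off for the rest of the interval while unicast traffic is untouched; the byte-level accounting and the constructed frame stream are assumptions.

```python
"""Model of the bandwidth-based broadcast suppression described above.

Added example, not Cisco code: it simulates one port's one-second
measurement window and a threshold given as a percentage of the port's
bandwidth, counting frames whose destination has the Individual/Group
bit set. The byte-level accounting is an assumption; the real hardware
counters are not documented here.
"""
from dataclasses import dataclass


@dataclass
class BroadcastSuppressor:
    bandwidth_bps: int          # port line rate in bits per second
    threshold_pct: float        # 100.0 means no limit (set port broadcast)
    window: int = 0             # index of the current one-second interval
    bcast_bits: int = 0         # broadcast bits seen in the current interval
    dropped: int = 0            # frames suppressed (the Broadcast-Drop column)

    def budget_bits(self) -> float:
        """Broadcast bits allowed per one-second interval at this threshold."""
        return self.bandwidth_bps * self.threshold_pct / 100.0

    def forward(self, now: float, dst_mac: bytes, length: int) -> bool:
        """Return True if the frame is forwarded, False if it is suppressed."""
        if int(now) != self.window:
            # a new one-second interval starts and the counter resets
            self.window = int(now)
            self.bcast_bits = 0
        # Individual/Group bit: least significant bit of the first address octet
        if not (dst_mac[0] & 0x01):
            return True                 # unicast is never counted or suppressed
        if self.threshold_pct >= 100.0:
            return True                 # 100 percent places no limit on broadcasts
        if self.bcast_bits >= self.budget_bits():
            self.dropped += 1           # threshold reached: drop until the interval ends
            return False
        self.bcast_bits += length * 8
        return True


# constructed sample addresses (the unicast one is taken from the page's show port output)
BROADCAST = bytes.fromhex("ffffffffffff")
UNICAST = bytes.fromhex("00902b033408")


def simulate(frames, bandwidth_bps=10_000_000, threshold_pct=1.0):
    """Run (time, dst_mac, length_bytes) frames through one port; return (forwarded, dropped)."""
    port = BroadcastSuppressor(bandwidth_bps, threshold_pct)
    forwarded = sum(1 for now, dst, length in frames if port.forward(now, dst, length))
    return forwarded, port.dropped


def burst_scenario(threshold_pct=1.0):
    """A 20-frame broadcast burst in second 0, one unicast frame, then 5 broadcasts in second 1.

    At 1 percent of 10 Mb/s the interval budget is 100,000 bits, so 13 frames of
    1000 bytes (8000 bits each) pass before the threshold is reached and the
    remaining 7 are dropped; the counter resets in the next interval.
    """
    frames = [(i * 0.05, BROADCAST, 1000) for i in range(20)]
    frames.append((0.5, UNICAST, 1500))
    frames += [(1.0 + i * 0.1, BROADCAST, 1000) for i in range(5)]
    frames.sort(key=lambda f: f[0])
    return simulate(frames, threshold_pct=threshold_pct)


if __name__ == "__main__":
    print("1%% threshold: forwarded=%d dropped=%d" % burst_scenario(1.0))
    print("100%% threshold: forwarded=%d dropped=%d" % burst_scenario(100.0))
```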

Configuring Broadcast Suppression


These sections describe how to configure broadcast suppression on the Catalyst 6000 family switches:
• Enabling Broadcast Suppression, page 32-3
• Disabling Broadcast Suppression, page 32-4


Enabling Broadcast Suppression


To enable broadcast suppression for one or more ports, perform this task in privileged mode:

Task Command
Step 1 Configure the broadcast suppression threshold for one or more ports as a percentage of total bandwidth.  set port broadcast mod/port threshold% [multicast {enable | disable}] [unicast {enable | disable}]
Step 2 Verify the broadcast suppression configuration.  show port broadcast [mod[/port]]

Note Although you can specify the broadcast suppression threshold down to 0.01 percent, not all modules
adjust to that level of precision. Most thresholds vary between 0.01 percent and 0.05 percent. If you
specify a finer threshold, the threshold percent adjusts as closely as possible.

This example shows how to enable bandwidth-based broadcast suppression and verify the configuration:
Console> (enable) set port broadcast 3/1-6 75.25%
Port(s) 3/1-24 broadcast traffic limited to 75.25%.
Console> (enable) show port broadcast 3
Port Broadcast-Limit Broadcast-Drop
-------- --------------- --------------
3/1 75.25 % -
3/2 75.25 % -
3/3 75.25 % -
3/4 75.25 % -
3/5 75.25 % -
3/6 75.25 % -
3/7 0 % -
3/8 0 % -
3/9 0 % -
3/10 0 % -
3/11 0 % -
3/12 0 % -

This example shows how to limit the multicast and broadcast traffic to 80 percent for port 2 on
module 1 and verify the configuration:
Console> (enable) set port broadcast 1/2 80% multicast enable
Port 1/2 broadcast and multicast traffic limited to 80.00%.
Console> (enable) show port broadcast 1/2
Port Broadcast-Limit Total-Drop Multicast Unicast
-------- --------------- -------------------- --------- -------
1/2 80.00 % 0 80.00 % -
Console> (enable)


Disabling Broadcast Suppression


To disable broadcast suppression on one or more ports, perform this task in privileged mode:

Task Command
Disable broadcast suppression on one or more clear port broadcast mod/port
ports.

This example shows how to disable broadcast suppression on one or more ports:
Console> (enable) clear port broadcast 3/1
Port 3/1-8 broadcast traffic unlimited.
Console> (enable)

CHAPTER 33
Configuring Layer 3 Protocol Filtering

This chapter describes how to configure Layer 3 protocol filtering on Ethernet, Fast Ethernet, and
Gigabit Ethernet ports on the Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How Layer 3 Protocol Filtering Works, page 33-1
• Default Layer 3 Protocol Filtering Configuration, page 33-2
• Configuring Layer 3 Protocol Filtering, page 33-2

Understanding How Layer 3 Protocol Filtering Works


Layer 3 protocol filtering prevents certain protocol traffic from being forwarded out switch ports.
Layer 3 protocol filtering is implemented on the supervisor engine and does not require a Policy Feature
Card (PFC) or Multilayer Switch Feature Card (MSFC). Broadcast and unicast flood traffic is filtered
based on the membership of ports in different protocol groups. This filtering is in addition to the filtering
provided by port-VLAN membership. Layer 3 protocol filtering is supported only on nontrunking
Ethernet, Fast Ethernet, and Gigabit Ethernet ports.
Trunking ports are always members of all protocol groups. To avoid compatibility issues with other
networking devices, Layer 3 protocol filtering is not performed on trunk ports. Layer 2 protocols, such
as Spanning Tree Protocol (STP) and Cisco Discovery Protocol (CDP), are not affected by Layer 3
protocol filtering. Dynamic ports and ports that have port security enabled are members of all protocol
groups.
You can configure a port with any one of these modes for each protocol group: on, off, or auto.
If the configuration is set to on, the port receives all the flood traffic for that protocol. If the
configuration is set to off, the port does not receive any flood traffic for that protocol.
If the configuration is set to auto, the port is added to the group only after packets of the specific protocol
are received on that port. With autolearning, ports become members of the protocol group only after
receiving packets of the corresponding protocol from the device attached to that port. Autoconfigured
ports are removed from the protocol group if no packets are received for that protocol within 60 minutes.
Ports are also removed from the protocol group when the supervisor engine detects that the link is down
on the port.


For example, if a host that supports both IP and Internetwork Packet Exchange (IPX) is connected to a
switch port configured as auto for IPX, but the host is transmitting only IP traffic, the port to which the
host is connected will not forward any IPX flood traffic to the host. However, if the host sends an IPX
packet, the supervisor engine software detects the protocol traffic and the port is added to the IPX group,
allowing the port to receive IPX flood traffic. If the host stops sending IPX traffic for more than
60 minutes, the port is removed from the IPX protocol group.
By default, ports are configured to on for the IP protocol group. Typically, you should only configure a
port to auto for IP if there is a directly connected end station out the port. The default port configuration
for IPX and Group is auto.
With Layer 3 protocol filtering enabled, ports are identified on a protocol basis. A port can be a member
of one or more of the protocol groups. Flood traffic for each protocol group is forwarded out a port only
if that port belongs to the appropriate protocol group.
Packets are classified into the following protocol groups:
• IP
• IPX
• AppleTalk, DECnet, and Banyan VINES (group mode)
• Packets not belonging to any of these protocols
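
The membership rules above (on, off and auto modes, trunk ports in every group, the 60-minute autolearn timeout and removal on link down) as an added model in Python, not code from this guide or from Cisco. It replays the IP/IPX host example from the text against a port left at the default ipx auto mode; the EtherType-to-group mapping and the flooding of unclassified packets to all ports are assumptions of the model.

```python
"""Model of Layer 3 protocol filtering membership as described above.

Added example, not Cisco code. Ports have a mode (on, off, auto) per protocol
group; auto-mode ports join a group when they receive that protocol and leave
it after 60 minutes without such packets or when the link goes down. The
EtherType-to-group mapping and the handling of unclassified packets are
assumptions made for the model.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ETHERTYPE_GROUPS = {
    0x0800: "ip",     # IPv4
    0x0806: "ip",     # ARP, grouped with IP here (assumption)
    0x8137: "ipx",    # IPX over Ethernet II
    0x809B: "group",  # AppleTalk
    0x80F3: "group",  # AppleTalk ARP
    0x6003: "group",  # DECnet Phase IV
    0x0BAD: "group",  # Banyan VINES
}
AUTO_TIMEOUT_MIN = 60
DEFAULT_MODES = {"ip": "on", "ipx": "auto", "group": "auto"}   # Table 33-1 defaults


@dataclass
class Port:
    name: str
    trunk: bool = False
    modes: Dict[str, str] = field(default_factory=lambda: dict(DEFAULT_MODES))
    last_seen: Dict[str, float] = field(default_factory=dict)  # group -> minute last received
    link_up: bool = True

    def link_down(self) -> None:
        """Link loss removes the port from every auto-learned group."""
        self.link_up = False
        self.last_seen.clear()


def classify(ethertype: int) -> str:
    return ETHERTYPE_GROUPS.get(ethertype, "other")


def learn(port: Port, ethertype: int, now_min: float) -> None:
    """Autolearning: record that a protocol was received on an auto-mode port."""
    group = classify(ethertype)
    if group != "other" and port.modes[group] == "auto":
        port.last_seen[group] = now_min


def is_member(port: Port, group: str, now_min: float) -> bool:
    """Does this port currently belong to the protocol group?"""
    if port.trunk or group == "other":
        return True   # trunks join every group; unclassified traffic floods everywhere (assumption)
    mode = port.modes[group]
    if mode == "on":
        return True
    if mode == "off" or not port.link_up:
        return False
    seen = port.last_seen.get(group)   # auto: member only while recently active
    return seen is not None and now_min - seen < AUTO_TIMEOUT_MIN


def flood_targets(ports: List[Port], ethertype: int, now_min: float, ingress: str) -> List[str]:
    """Ports that receive a flooded frame of this protocol (all in one VLAN, assumed)."""
    group = classify(ethertype)
    return [p.name for p in ports if p.name != ingress and is_member(p, group, now_min)]


def scenario() -> List[List[str]]:
    """The IP/IPX host example from the text, played against port 7/2 (ipx auto)."""
    host_port = Port("7/2")
    uplink = Port("7/1", modes={"ip": "on", "ipx": "on", "group": "auto"})
    ports = [uplink, host_port]
    results = []
    learn(host_port, 0x0800, 0)                                     # host sends only IP
    results.append(flood_targets(ports, 0x8137, 0, ingress="7/1"))  # no IPX flood to 7/2
    learn(host_port, 0x8137, 5)                                     # host sends one IPX packet
    results.append(flood_targets(ports, 0x8137, 6, ingress="7/1"))  # 7/2 now in the IPX group
    results.append(flood_targets(ports, 0x8137, 66, ingress="7/1")) # 61 min silent: aged out
    results.append(flood_targets(ports, 0x0800, 66, ingress="7/1")) # ip mode on: always floods
    return results


if __name__ == "__main__":
    for step in scenario():
        print(step)
```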

Default Layer 3 Protocol Filtering Configuration


Table 33-1 shows the default Layer 3 protocol filtering configuration.

Table 33-1 Layer 3 Protocol Filtering Default Configuration

Feature Default Value
Layer 3 protocol filtering Disabled
ip mode on
ipx mode auto
group mode auto

Configuring Layer 3 Protocol Filtering


These sections describe how to configure Layer 3 protocol filtering on Ethernet-type VLANs and on any
type of Ethernet port:
• Enabling Layer 3 Protocol Filtering, page 33-3
• Disabling Layer 3 Protocol Filtering, page 33-3


Enabling Layer 3 Protocol Filtering


To configure Layer 3 protocol filtering on Ethernet ports, perform this task in privileged mode:

Task Command
Step 1 Enable Layer 3 protocol filtering on the switch.  set protocolfilter enable
Step 2 Set the protocol membership of the desired ports.  set port protocol mod/port {ip | ipx | group} {on | off | auto}
Step 3 Verify the port filtering configuration.  show port protocol [mod[/port]]

This example shows how to enable Layer 3 protocol filtering, set the protocol membership of ports, and
verify the configuration:
Console> (enable) set protocolfilter enable
Protocol filtering enabled on this switch.
Console> (enable) set port protocol 7/1-4 ip on
IP protocol set to on mode on ports 7/1-4.
Console> (enable) set port protocol 7/1-4 ipx off
IPX protocol disabled on ports 7/1-4.
Console> (enable) set port protocol 7/1-4 group auto
Group protocol set to auto mode on ports 7/1-4.
Console> (enable) show port protocol 7/1-4
Port Vlan IP IP Hosts IPX IPX Hosts Group Group Hosts
-------- ---------- -------- -------- -------- --------- -------- -----------
7/1 4 on 1 off 0 auto-off 0
7/2 5 on 1 off 0 auto-on 1
7/3 2 on 1 off 0 auto-off 0
7/4 4 on 1 off 0 auto-on 1
Console> (enable)

Disabling Layer 3 Protocol Filtering


To disable Layer 3 protocol filtering, perform this task in privileged mode:

Task Command
Disable Layer 3 protocol filtering on the switch. set protocolfilter disable

This example shows how to disable Layer 3 protocol filtering:
Console> (enable) set protocolfilter disable
Protocol filtering disabled on this switch.
Console> (enable)

CHAPTER 34
Configuring the IP Permit List

This chapter describes how to configure the IP permit list on the Catalyst 6000 family switches.

Note The functionality of the IP permit list can also be achieved with VLAN access control lists (VACLs).
Because VACLs are handled by hardware (Policy Feature Card [PFC]), VACL processing is
considerably faster than IP permit list processing.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How the IP Permit List Works, page 34-1
• IP Permit List Default Configuration, page 34-2
• Configuring the IP Permit List, page 34-2

Understanding How the IP Permit List Works


The IP permit list prevents inbound Telnet and SNMP access to the switch from unauthorized source IP
addresses. All other TCP/IP services (such as IP traceroute and IP ping) continue to work normally when
you enable the IP permit list. Outbound Telnet, TFTP, and other IP-based services are unaffected by the
IP permit list.
Telnet attempts from unauthorized source IP addresses are denied a connection. SNMP requests from
unauthorized IP addresses receive no response; the request times out. If you want to log unauthorized
access attempts to the console or a syslog server, you must change the logging severity level for IP, as
described in the “Enabling the IP Permit List” section on page 34-3. If you want to generate SNMP traps
when unauthorized access attempts are made, you must enable IP permit list (ippermit) SNMP traps, as
described in the “Enabling the IP Permit List” section on page 34-3. Multiple access attempts from the
same unauthorized host only trigger notifications every ten minutes.
You can configure up to 100 entries in the permit list. Each entry consists of an IP address and subnet
mask pair in dotted decimal format and information on whether the IP address is part of the SNMP
permit list, Telnet permit list, or both lists. The bits set to one in the mask are checked for a match with
the source IP address of incoming packets, while the bits set to zero are not checked. This process allows
wildcard address specification.


If you do not specify the mask for an IP permit list entry, or if you enter a host name instead of an IP
address, the mask has an implicit value of all bits set to one (255.255.255.255 or 0xffffffff), which
matches only the IP address of that host.
If you do not specify SNMP or Telnet for the type of permit list for the IP address, the IP address is added
to both the SNMP and Telnet permit lists.
You can specify the same IP address in more than one entry in the permit list if the masks are different.
The mask is applied to the address before it is stored in NVRAM, so that entries that have the same effect
(but different addresses) are not stored. When you add such an address to the IP permit list, the system
displays the address after the mask is applied.
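
The matching and storage rules above (mask bits set to one are compared, the implicit host mask, the mask applied before an entry is stored so that equivalent entries collapse, and the ten-minute throttle on notifications for a repeat offender) as an added model in Python, not code from this guide or from Cisco. The permit entries are those from the set ip permit examples in this chapter; the unauthorized source addresses and the notification clock are constructed.

```python
"""Model of IP permit list matching as described above.

Added example, not Cisco code. It applies the mask before storing an entry
(so entries with the same effect collapse into one), uses the implicit host
mask when none is given, matches the source address of inbound Telnet, SNMP
or SSH requests against the list, and throttles notifications for repeated
attempts from one host to one every ten minutes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

HOST_MASK = "255.255.255.255"           # implicit mask: matches exactly one host
DEFAULT_SERVICES = frozenset({"telnet", "snmp"})


@dataclass(frozen=True)
class PermitEntry:
    address: int                  # stored already masked, as the switch does before NVRAM
    mask: int
    services: FrozenSet[str]


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


class IPPermitList:
    MAX_ENTRIES = 100

    def __init__(self) -> None:
        self.entries: List[PermitEntry] = []
        self.enabled: Set[str] = set()           # services the list is enforced for
        self._last_notified: Dict[str, float] = {}

    def add(self, address: str, mask: str = HOST_MASK, services=DEFAULT_SERVICES) -> str:
        """set ip permit: returns the address as stored, i.e. after the mask is applied."""
        mask_int = _to_int(mask)
        stored = _to_int(address) & mask_int
        for i, entry in enumerate(self.entries):
            if entry.address == stored and entry.mask == mask_int:
                # same effective entry: merge the access types instead of storing a duplicate
                self.entries[i] = PermitEntry(stored, mask_int, entry.services | frozenset(services))
                return _to_str(stored)
        if len(self.entries) >= self.MAX_ENTRIES:
            raise ValueError("IP permit list is full (%d entries)" % self.MAX_ENTRIES)
        self.entries.append(PermitEntry(stored, mask_int, frozenset(services)))
        return _to_str(stored)

    def enable(self, *services: str) -> None:
        """set ip permit enable: with no service named, both Telnet and SNMP are enforced."""
        self.enabled |= set(services) if services else set(DEFAULT_SERVICES)

    def permits(self, source: str, service: str) -> bool:
        """Is an inbound request for `service` from `source` allowed?"""
        if service not in self.enabled:
            return True                          # list not enforced for this service
        src = _to_int(source)
        # bits set to one in the mask are compared; zero bits are wildcards
        return any(service in e.services and (src & e.mask) == e.address for e in self.entries)

    def notify_denial(self, source: str, now_min: float) -> bool:
        """True when a syslog message or ippermit trap is due for this denied host:
        repeated attempts from the same host only notify every ten minutes."""
        last = self._last_notified.get(source)
        if last is None or now_min - last >= 10:
            self._last_notified[source] = now_min
            return True
        return False


def build_example_list() -> IPPermitList:
    """The entries from the page's set ip permit examples, with both lists enabled."""
    plist = IPPermitList()
    plist.add("172.16.0.0", "255.255.0.0", {"telnet"})
    plist.add("172.20.52.32", "255.255.255.224", {"snmp"})
    plist.add("172.20.52.3")                      # host mask, both lists
    plist.enable()
    return plist


if __name__ == "__main__":
    plist = build_example_list()
    print(plist.add("172.160.161.0", "255.255.192.0", {"snmp"}))   # stored as 172.160.128.0
    print(plist.permits("172.16.9.9", "telnet"), plist.permits("172.16.9.9", "snmp"))
```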

IP Permit List Default Configuration


Table 34-1 shows the default IP permit list configuration.

Table 34-1 IP Permit List Default Configuration

Feature Default Value
IP permit list enable state Disabled
Permit list entries None configured
IP syslog message severity level 2
SNMP IP permit trap (ippermit) Disabled

Configuring the IP Permit List


These sections describe how to configure the IP permit list:
• Adding IP Addresses to the IP Permit List, page 34-2
• Enabling the IP Permit List, page 34-3
• Disabling the IP Permit List, page 34-4
• Clearing an IP Permit List Entry, page 34-4

Adding IP Addresses to the IP Permit List


An IP address can be added to the SNMP permit list, the Telnet permit list, or both lists.
To add IP addresses to the IP permit list, perform this task in privileged mode:

Task Command
Step 1 Specify the IP addresses to add to the IP permit list.  set ip permit ip_address [mask] [telnet | snmp | ssh]
Step 2 Verify the IP permit list configuration.  show ip permit


This example shows how to add IP addresses to the IP permit list and verify the configuration:
Console> (enable) set ip permit 172.16.0.0 255.255.0.0 telnet
172.16.0.0 with mask 255.255.0.0 added to telnet permit list.
Console> (enable) set ip permit 172.20.52.32 255.255.255.224 snmp
172.20.52.32 with mask 255.255.255.224 added to snmp permit list.
Console> (enable) set ip permit 172.20.52.3 all
172.20.52.3 added to IP permit list.
Console> (enable) show ip permit
Telnet permit list feature enabled.
Snmp permit list feature enabled.
Permit List Mask Access Type
---------------- ---------------- -------------
172.16.0.0 255.255.0.0 telnet
172.20.52.3 snmp telnet
172.20.52.32 255.255.255.224 snmp
Denied IP Address Last Accessed Time Type Telnet Count SNMP Count
----------------- ------------------ ------ ------------ ----------
172.100.101.104 01/20/97,07:45:20 SNMP 14 1430
172.187.206.222 01/21/97,14:23:05 Telnet 7 236

Console> (enable)

Enabling the IP Permit List


You can enable either the SNMP permit list, the Telnet permit list, or both lists. If you do not specify a
permit list, both the SNMP and Telnet permit lists are enabled.

Caution Before enabling the IP permit list, make sure you add the IP address of your workstation or network
management system to the permit list, especially when configuring through SNMP. Failure to do so
could result in your connection being dropped by the switch you are configuring. We recommend that
you disable the IP permit list before clearing IP permit entries or host addresses.

To enable the IP permit list on the switch, perform this task in privileged mode:

Task Command
Step 1 Enable the IP permit list.  set ip permit enable [telnet | snmp | ssh]
Step 2 If desired, enable the IP permit trap to generate traps for unauthorized access attempts.  set snmp trap enable ippermit
Step 3 If desired, configure the logging level to see syslog messages for unauthorized access attempts.  set logging level ip 4 default
Step 4 Verify the IP permit list configuration.  show ip permit
       show snmp

This example shows how to enable the IP permit list and verify the configuration:
Console> (enable) set ip permit enable
IP permit list enabled.
Console> (enable) set snmp trap enable ippermit
SNMP IP Permit traps enabled.
Console> (enable) set logging level ip 4 default
System logging facility <ip> set to severity 4(warnings)


Console> (enable) show ip permit
Telnet permit list feature enabled.
Snmp permit list feature disabled.

Permit List Mask Access-Type
---------------- --------------- ---------------
172.16.0.0 255.255.0.0 telnet
172.20.52.3 snmp telnet
172.20.52.32 255.255.255.224 snmp

Denied IP Address Last Accessed Time Type Telnet Count SNMP Count
----------------- ------------------ ------ ------------ ----------
172.100.101.104 01/20/97,07:45:20 SNMP 14 1430
172.187.206.222 01/21/97,14:23:05 Telnet 7 236

Console> (enable) show snmp
RMON: Disabled
Extended Rmon: Extended RMON module is not present
Traps Enabled:
ippermit
Port Traps Enabled: None

Community-Access Community-String
---------------- --------------------
read-only public
read-write private
read-write-all secret

Trap-Rec-Address Trap-Rec-Community
---------------------------------------- --------------------
Console> (enable)

Disabling the IP Permit List


To disable the IP permit list on the switch, perform this task in privileged mode:

Task Command
Step 1 Disable the IP permit list on the switch. set ip permit disable [telnet | snmp | ssh]
Step 2 Verify the IP permit list configuration. show ip permit

This example shows how to disable the IP permit list:
Console> (enable) set ip permit disable
IP permit list disabled.
Console> (enable)

Clearing an IP Permit List Entry


An IP address can be cleared from the SNMP permit list, the Telnet permit list, or both lists. If you do
not specify which permit list to clear the IP address from, the IP address is deleted from both permit lists.

Caution Disable the IP permit list before you clear IP permit entries or host addresses to prevent your
connection from being dropped by the switch you are configuring in case you clear your current IP
address.


To clear an IP permit list entry, perform this task in privileged mode:

Task Command
Step 1 Disable the IP permit list.  set ip permit disable [telnet | snmp | ssh]
Step 2 Specify the IP address to remove from the IP permit list.  clear ip permit {ip_address [mask] | all} [telnet | snmp | ssh]
Step 3 Verify the IP permit list configuration.  show ip permit

This example shows how to clear an IP permit list entry:
Console> (enable) set ip permit disable all
Console> (enable) clear ip permit 172.100.101.102
172.100.101.102 cleared from IP permit list.
Console> (enable) clear ip permit 172.160.161.0 255.255.192.0 snmp
172.160.128.0 with mask 255.255.192.0 cleared from snmp permit list.
Console> (enable) clear ip permit 172.100.101.102 telnet
172.100.101.102 cleared from telnet permit list.
Console> (enable) clear ip permit all
IP permit list cleared.
Console> (enable)

CHAPTER 35
Configuring Port Security

This chapter describes how to configure port security on the Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How Port Security Works, page 35-1
• Port Security Configuration Guidelines, page 35-3
• Configuring Port Security, page 35-3

Understanding How Port Security Works


You can use port security to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the
MAC address of the station attempting to access the port is different from any of the MAC addresses
specified for that port. Alternatively, you can use port security to filter traffic destined to or received
from a specific host based on the host MAC address.
This section describes the following traffic filtering methods:
• Allowing Traffic Based on the Host MAC Address, page 35-1
• Restricting Traffic Based on the Host MAC Address, page 35-2

Allowing Traffic Based on the Host MAC Address


The total number of MAC addresses that can be specified per port is limited to the global resource of
1024 plus one default MAC address. The total number of MAC addresses on any port cannot exceed
1025.
Allocation of the maximum number of MAC addresses for each port depends on your network
configuration. The following combinations are examples of valid allocations:
• 1025 (1 + 1024) addresses on 1 port and 1 address each on the rest of the ports.
• 513 (1 + 512) each on 2 ports in a system and 1 address each on the rest of the ports.
• 901 (1 + 900) on one port, 101 (1 + 100) on another port, 25 (1 + 24) on the third port, and 1 address
each on the rest of the ports.


After you allocate the maximum number of MAC addresses on a port, you can either specify the secure
MAC address for the port manually or you can have the port dynamically configure the MAC address of
the connected devices. Out of an allocated number of maximum MAC addresses on a port, you can
manually configure all, allow all to be autoconfigured, or configure some manually and allow the rest to
be autoconfigured. Once you manually configure or autoconfigure the addresses, they are stored in
NVRAM and maintained after a reset.
After you allocate a maximum number of MAC addresses on a port, you can specify how long addresses
on the port will remain secure. After the age time expires, the MAC addresses on the port become
insecure. By default, all addresses on a port are secured permanently.
If a security violation occurs, you can configure the port to go into shutdown mode or restrictive mode.
The shutdown mode option allows you to specify whether the port is permanently disabled or disabled
for only a specified time. The default is for the port to shut down permanently. The restrictive mode
allows you to configure the port to remain enabled during a security violation and drop only packets that
are coming in from insecure hosts.

Note If you configure a secure port in restrictive mode, and a station is connected to the port whose MAC
address is already configured as a secure MAC address on another port on the switch, the port in
restrictive mode shuts down instead of restricting traffic from that station. For example, if you
configure MAC-1 as the secure MAC address on port 2/1 and MAC-2 as the secure MAC address on
port 2/2 and then connect the station with MAC-1 to port 2/2 when port 2/2 is configured for
restrictive mode, port 2/2 shuts down instead of restricting traffic from MAC-1.

When a secure port receives a packet, the source MAC address of the packet is compared to the list of
secure source addresses that were manually configured or autoconfigured (learned) on the port. If a
MAC address of a device attached to the port differs from the list of secure addresses, the port either
shuts down permanently (default mode), shuts down for the time you have specified, or drops incoming
packets from the insecure host. The port’s behavior depends on how you configure it to respond to a
security violation.
If a security violation occurs, the Link LED for that port turns orange, and a link-down trap is sent to the
Simple Network Management Protocol (SNMP) manager. An SNMP trap is not sent if you configure the
port for restrictive violation mode. A trap is sent only if you configure the port to shut down during a
security violation.
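
The behaviour described in this section (one secure address per port plus the shared pool of 1024, learned secure addresses, the age timer, the shutdown and restrict violation actions, and the Note about a MAC address that is already secure on another port shutting down even a restrict-mode port) as an added model in Python, not code from this guide or from Cisco. The MAC addresses are the ones used in this chapter's examples; anchoring the age timer at the minute the address was learned is an assumption.

```python
"""Model of port security as described above.

Added example, not Cisco code. It models the one-address-per-port default
plus the shared pool of 1024 secure addresses, learned (autoconfigured)
secure addresses, the age timer, the shutdown and restrict violation actions,
and the Note above: a station whose MAC address is already secure on another
port shuts down even a restrict-mode port. Anchoring the age timer at the
time the address was learned is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

GLOBAL_POOL = 1024        # shared secure-address resource beyond the 1 per port


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                    # secure addresses allowed on the port
    violation: str = "shutdown"         # "shutdown" (default) or "restrict"
    age_min: int = 0                    # 0 = addresses stay secure permanently
    secure: Dict[str, float] = field(default_factory=dict)  # mac -> minute learned
    shutdown: bool = False
    dropped: int = 0                    # frames dropped in restrict mode


class PortSecurity:
    def __init__(self) -> None:
        self.ports: Dict[str, SecurePort] = {}

    def enable(self, name: str, maximum: int = 1, violation: str = "shutdown", age_min: int = 0) -> None:
        """set port security ... enable / maximum / violation / age, with the pool check."""
        pool_used = sum(p.maximum - 1 for p in self.ports.values() if p.name != name)
        if maximum < 1 or pool_used + maximum - 1 > GLOBAL_POOL:
            raise ValueError("global resource of %d secure addresses exhausted" % GLOBAL_POOL)
        self.ports[name] = SecurePort(name, maximum, violation, age_min)

    def _owner(self, mac: str) -> Optional[str]:
        """Port on which this MAC is already a secure address, if any."""
        return next((p.name for p in self.ports.values() if mac in p.secure), None)

    def _expire(self, port: SecurePort, now_min: float) -> None:
        """Drop addresses whose age time has run out; they become insecure."""
        if port.age_min:
            port.secure = {m: t for m, t in port.secure.items() if now_min - t < port.age_min}

    def receive(self, name: str, src_mac: str, now_min: float = 0.0) -> str:
        """Handle one inbound frame; returns 'forward', 'drop' or 'shutdown'."""
        port = self.ports[name]
        if port.shutdown:
            return "shutdown"
        self._expire(port, now_min)
        if src_mac in port.secure:
            return "forward"
        owner = self._owner(src_mac)
        if owner is not None and owner != name:
            port.shutdown = True            # the Note: secure elsewhere, so shut down even if restrict
            return "shutdown"
        if len(port.secure) < port.maximum:
            port.secure[src_mac] = now_min  # autoconfigure (learn) a new secure address
            return "forward"
        if port.violation == "restrict":
            port.dropped += 1               # port stays enabled, insecure host is dropped
            return "drop"
        port.shutdown = True                # default: a violation shuts the port down
        return "shutdown"


def scenario() -> Dict[str, object]:
    """Walk through the behaviours the text describes; returns the observed outcomes."""
    ps = PortSecurity()
    ps.enable("2/1")                                    # 1 address, shutdown mode
    ps.enable("2/2", maximum=2, violation="restrict")
    ps.enable("7/7", maximum=2, age_min=600)
    out: Dict[str, object] = {}
    out["learn"] = ps.receive("2/1", "00-90-2b-03-34-08")               # learned, forwarded
    out["second_host"] = ps.receive("2/1", "00-11-22-33-44-55")         # violation: shutdown
    ps.receive("2/2", "00-11-22-33-44-55")
    ps.receive("2/2", "00-11-22-33-44-66")                              # 2/2 now full
    out["restrict"] = ps.receive("2/2", "00-11-22-33-44-77")            # dropped, port stays up
    out["port_2_2_up"] = not ps.ports["2/2"].shutdown
    out["moved_mac"] = ps.receive("2/2", "00-90-2b-03-34-08")           # secure on 2/1: shutdown
    ps.receive("7/7", "00-11-22-33-44-88", now_min=0)
    out["before_age"] = sorted(ps.ports["7/7"].secure)
    ps.receive("7/7", "00-11-22-33-44-99", now_min=601)                 # first entry aged out
    out["after_age"] = sorted(ps.ports["7/7"].secure)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```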

Restricting Traffic Based on the Host MAC Address


You can filter traffic based on a host MAC address so that packets that are tagged with a specific source
MAC address are discarded. When you specify a MAC address filter with the set cam filter command,
incoming traffic from that host MAC address is dropped and packets addressed to that host are not
forwarded.

Note The set cam filter command allows filtering for unicast addresses only. You cannot filter traffic for
multicast addresses with this command.


Port Security Configuration Guidelines


Follow these guidelines when configuring port security:
• You cannot configure port security on a trunk port.
• You cannot enable port security on a SPAN destination port and vice versa.
• You cannot configure dynamic, static, or permanent CAM entries on a secure port.
• When you enable port security on a port, any static or dynamic CAM entries associated with the port
are cleared; any currently configured permanent CAM entries are treated as secure.

Configuring Port Security


These sections describe how to configure port security:
• Enabling Port Security, page 35-3
• Setting the Maximum Number of Secure MAC Addresses, page 35-4
• Setting the Port Security Age Time, page 35-5
• Clearing MAC Addresses, page 35-5
• Specifying the Security Violation Action, page 35-6
• Setting the Shutdown Timeout, page 35-6
• Disabling Port Security, page 35-7
• Restricting Traffic Based on a Host MAC Address, page 35-7
• Displaying Port Security, page 35-8

Enabling Port Security


To enable port security, perform this task in privileged mode:

Task Command
Step 1 Enable port security on the desired ports. If desired, specify the secure MAC address.  set port security mod/port enable [mac_addr]
Step 2 You can add MAC addresses to the list of secure addresses.  set port security mod/port mac_addr
Step 3 Verify the configuration.  show port [mod[/port]]

This example shows how to enable port security using the learned MAC address on a port and verify the
configuration:
Console> (enable) set port security 2/1 enable
Port 2/1 port security enabled with the learned mac address.
Trunking disabled for Port 2/1 due to Security Mode
Console> (enable) show port 2/1
Port Name Status Vlan Level Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
2/1 connected 522 normal half 100 100BaseTX


Port Security Secure-Src-Addr Last-Src-Addr Shutdown Trap IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
2/1 enabled 00-90-2b-03-34-08 00-90-2b-03-34-08 No disabled 1081

Port Broadcast-Limit Broadcast-Drop
-------- --------------- --------------
2/1 - 0

Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize
----- ---------- ---------- ---------- ---------- ---------
2/1 0 0 0 0 0

Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
2/1 0 0 0 0 0 0 0

Last-Time-Cleared
--------------------------
Fri Jul 10 1998, 17:53:38

This example shows how to enable port security on a port and manually specify the secure MAC address:
Console> (enable) set port security 2/1 enable 00-90-2b-03-34-08
Port 2/1 port security enabled with 00-90-2b-03-34-08 as the secure mac address
Trunking disabled for Port 2/1 due to Security Mode
Console> (enable)

Setting the Maximum Number of Secure MAC Addresses


You can set the number of MAC addresses to secure on a port. By default, at least one MAC address per
port can be secured. In addition to this default, a global resource of up to 1024 MAC addresses is
available to be shared by the ports. This means that if the entire global resource of 1024 MAC addresses
is used on some ports, you can still enable port security on the rest of the ports with a maximum of one
MAC per port.
If you reduce the maximum number of MAC addresses, the system clears the specified number of MAC
addresses and displays the list of removed addresses.
To set a number of MAC addresses to be secured for a particular port, perform this task in privileged
mode:

Task Command
Set the number of MAC addresses to be secured on a port.  set port security mod/port maximum num_of_mac

This example shows how to set the number of MAC addresses to be secured:
Console> (enable) set port security 7/7 maximum 20
Maximum number of secure addresses set to 20 for port 7/7.
Console> (enable)


This example shows how to reduce the number of MAC addresses and the list that displays the cleared
MAC addresses:
Console> (enable) set port security 7/7 maximum 18
Maximum number of secure addresses set to 18 for port 7/7
00-11-22-33-44-55 cleared from secure address list for port 7/7
00-11-22-33-44-66 cleared from secure address list for port 7/7
Console> (enable)

Setting the Port Security Age Time


The age time on a port specifies how long all addresses on that port will be secured. This age time is
activated when a MAC address initiates traffic on the port. After the age time expires for a MAC address,
the entry for that MAC address on the port is removed from the secure address list. The valid range is
10–1440 minutes. Setting the age time to zero disables aging of secure addresses.
To set the age time on a port, perform this task in privileged mode:

Task Command
Set the age time for which addresses on a port will be secured.  set port security mod/port age time

This example shows how to set the age time on port 7/7:
Console> (enable) set port security 7/7 age 600
Secure address age time set to 600 minutes for port 7/7.
Console> (enable)

Clearing MAC Addresses


Enter the clear port security command to clear MAC addresses from a list of secure addresses on a port.

Note If the clear command is executed on a MAC address that is in use, that MAC address may be learned
and made secure again. We recommend that you disable port security before you clear MAC
addresses.

To clear all or a particular MAC address from the list of secure MAC addresses, perform this task in
privileged mode:

Task Command
Clear all or a particular MAC address from the list of secure MAC addresses.    clear port security mod/port {mac_addr | all}

This example shows how to clear one MAC address from the secure address list on port 7/7:
Console> (enable) clear port security 7/7 00-11-22-33-44-55
00-11-22-33-44-55 cleared from secure address list for port 7/7
Console> (enable)


This example shows how to clear all MAC addresses from ports 7/5-7:
Console> (enable) clear port security 7/5-7 all
All addresses cleared from secure address list for ports 7/5-7
Console> (enable)

Specifying the Security Violation Action


You can set the port to one of two modes for handling a security violation:
• Shutdown—Shuts down the port permanently or for a specified time. Permanent shutdown is the
default mode.
• Restrict—Drops all packets from insecure hosts but leaves the port enabled.
To specify the security violation action to be taken, perform this task in privileged mode:

Task Command
Specify the violation action on a port.    set port security mod/port violation {shutdown | restrict}

This example shows how to specify that port 7/7 drop all packets from insecure hosts:
Console> (enable) set port security 7/7 violation restrict
Port security violation on port 7/7 will cause insecure packets to be dropped.
Console> (enable)

Note If you restrict the number of secure MAC addresses on a port to one and additional hosts attempt to
connect to that port, port security blocks these additional hosts from connecting to that port and to
any other port in the same VLAN for the duration of the VLAN aging time. By default, the VLAN
aging time is five minutes. If a host is blocked from joining a port in the same VLAN as the secured
port, allow the VLAN aging time to expire before you attempt to connect the host to the port again.

Setting the Shutdown Timeout


You can set the time that a port remains disabled after a security violation. By default, the port is shut
down permanently. The valid range is 10 to 1440 minutes.
If you set the time to zero, the shutdown timer is disabled for this port.

Note When the shutdown timeout expires, the port is reenabled and all port security-related configuration
is maintained.

To set the shutdown timeout, perform this task in privileged mode:

Task Command
Set the shutdown timeout on a port. set port security mod/port shutdown time


This example shows how to set the shutdown timeout to 600 minutes on port 7/7:
Console> (enable) set port security 7/7 shutdown 600
Secure address shutdown time set to 600 minutes for port 7/7.
Console> (enable)

Disabling Port Security


To disable port security, perform this task in privileged mode:

Task Command
Step 1 Disable port security on the desired ports. set port security mod/port disable
Step 2 Verify the configuration. show port security [mod/port]

This example shows how to disable port security on a port and verify the result:
Console> (enable) set port security 3/24 disable
Port 3/24 port security disabled.
Console> (enable) show port security 3/24
Port Security Violation Shutdown-Time Age-Time Max-Addr Trap IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
3/24 disabled restrict 20 300 10 disabled 921

Port Num-Addr Secure-Src-Addr Age-Left Last-Src-Addr Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------
3/24 1 00-e0-4f-ac-b4-00 - - - -
Console> (enable)

Restricting Traffic Based on a Host MAC Address


To restrict incoming or outgoing traffic for a specific MAC address, perform this task in privileged
mode:

Task Command
Step 1 Restrict traffic destined to or originating from a specific MAC address.    set cam {static | permanent} filter unicast_mac vlan
Step 2 Remove the filter.    clear cam mac_address vlan
Step 3 Verify the configuration.    show cam static

This example shows how to create a filter that restricts traffic for a specific MAC address:
Console> (enable) set cam static filter 00-02-03-04-05-06 1
Filter entry added to CAM table.
Console> (enable)

This example shows how to clear the filter:
Console> (enable) clear cam 00-02-03-04-05-06 1
CAM entry cleared.
Console> (enable)


This example shows how to display the static CAM entries:
Console> show cam static
VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- -------------------------------------------
3 04-04-05-06-07-08 * FILTER

Displaying Port Security


The show port security command displays the following information:
• List of secure MAC addresses for a port
• Maximum number of secure addresses allowed on a port
• Total number of secure MAC addresses
• Age
• Age left and shutdown timeout left
• Shutdown/security mode
• Statistics related to port security
To display port security configuration information and statistics, perform this task in privileged mode:

Task Command
Step 1 Display the configuration.    show port security [statistics] mod/port
Step 2 Display the port security statistics.    show port security statistics [system] [mod/port]

This example shows how to display port security configuration information and statistics:
Console> (enable) show port security 3/24
Port Security Violation Shutdown-Time Age-Time Max-Addr Trap IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
3/24 enabled shutdown 300 60 10 disabled 921

Port Num-Addr Secure-Src-Addr Age-Left Last-Src-Addr Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------
3/24 4 00-e0-4f-ac-b4-00 60 00-e0-4f-ac-b4-00 no -
00-11-22-33-44-55 0
00-11-22-33-44-66 0
00-11-22-33-44-77 0

Console> (enable) show port security statistics 3/24
Port Total-Addrs Maximum-Addrs
----- ----------- -------------
3/24 4 10
Console> (enable)


This example shows how to display port security statistics on a module:
Console> (enable) show port security statistics 7
Port Total-Addrs Maximum-Addrs
----- ----------- -------------
7/1 0 1
7/2 0 1
7/3 0 1
7/4 0 1
7/5 0 1
7/6 0 1
7/7 0 1
7/8 0 1
7/9 0 1
7/10 0 200
7/11 0 1
7/12 0 1
7/13 0 1
7/14 0 1
7/15 0 1
7/16 0 1
7/17 0 1
7/18 0 1
7/19 0 1
7/20 0 1
7/21 0 1
7/22 0 1
7/23 0 1
7/24 0 1
Module 7:
Total ports: 24
Total MAC address(es): 223
Total global address space used (out of 1024): 199
Status: installed
Console> (enable)
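The address accounting described at the start of this section (one secure address per port by default, anything above one drawn from a pool of 1024 shared by all ports) and the module totals printed above can be checked before you raise a port's maximum. The following Python script is an added example, not Cisco code or CatOS output: it parses the per-port lines of show port security statistics, reproduces the "Total MAC address(es)" and "Total global address space used" counters, and rejects a new maximum that would overdraw the pool. The sample output is constructed to match the module 7 figures shown, and the per-port upper bound of 1024 is an assumption, not a value taken from this guide.

```python
"""Port-security address budget for a CatOS module.

Added example, not Cisco code. It applies the accounting rule the guide
states: each port keeps one secure address of its own, and any maximum
above one draws the extra addresses from a pool of 1024 shared by every
port on the switch. The sample output is constructed, and the per-port
upper bound of 1024 is an assumption.
"""
import re

GLOBAL_POOL = 1024      # shared pool size stated in the guide
PER_PORT_DEFAULT = 1    # the one address every port keeps outside the pool
MAX_PER_PORT = 1024     # assumed upper bound for "set port security ... maximum"

# Per-port line of "show port security statistics", e.g. "7/10 0 200"
_STAT_LINE = re.compile(r"^\s*(\d+/\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_statistics(text):
    """Return {port: (total_addrs, maximum_addrs)} from the per-port lines,
    skipping the column headers and the "Module N:" summary."""
    ports = {}
    for line in text.splitlines():
        m = _STAT_LINE.match(line)
        if m:
            ports[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ports


def pool_usage(maxima):
    """Given {port: maximum}, return (total_addresses, global_pool_used),
    the two counters the module summary prints."""
    total = sum(maxima.values())
    used = sum(m - PER_PORT_DEFAULT for m in maxima.values())
    return total, used


def check_new_maximum(maxima, port, new_max):
    """Decide whether setting `port` to `new_max` fits the shared pool.
    Returns (ok, reason, pool_used_after)."""
    if not PER_PORT_DEFAULT <= new_max <= MAX_PER_PORT:
        return False, "maximum must be between %d and %d" % (PER_PORT_DEFAULT, MAX_PER_PORT), None
    proposed = dict(maxima)
    proposed[port] = new_max
    _, used = pool_usage(proposed)
    if used > GLOBAL_POOL:
        return False, "global pool exceeded: %d of %d" % (used, GLOBAL_POOL), used
    return True, "fits: %d of %d pool addresses used" % (used, GLOBAL_POOL), used


# Constructed sample: 24 ports on module 7 with 7/10 raised to 200, which
# gives the module totals shown in the guide (223 addresses, 199 from the pool).
SAMPLE_STATS = "Port Total-Addrs Maximum-Addrs\n----- ----------- -------------\n" + "\n".join(
    "7/%d 0 %d" % (p, 200 if p == 10 else 1) for p in range(1, 25)
) + "\nModule 7:\nTotal ports: 24\n"


def module_summary(text):
    """Parse captured statistics and return the pool accounting as a dict."""
    ports = parse_statistics(text)
    maxima = {port: maximum for port, (_, maximum) in ports.items()}
    total, used = pool_usage(maxima)
    return {"ports": len(ports), "total_addrs": total, "pool_used": used,
            "pool_free": GLOBAL_POOL - used}


if __name__ == "__main__":
    print(module_summary(SAMPLE_STATS))
    maxima = {p: m for p, (_, m) in parse_statistics(SAMPLE_STATS).items()}
    print(check_new_maximum(maxima, "7/11", 830))
```

Run it against a pasted copy of the real command output instead of SAMPLE_STATS to see how much of the pool is left before the next set port security ... maximum is typed.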

This example shows how to display port security statistics on the system:
Console> (enable) show port security statistics system
Module 1:
Total ports: 2
Total MAC address(es): 2
Total global address space used (out of 1024): 0
Status: installed
Module 3:
Module does not support port security feature
Module 6:
Total ports: 48
Total MAC address(es): 48
Total global address space used (out of 1024): 0
Status: installed
Module 7:
Total ports: 24
Total MAC address(es): 223
Total global address space used (out of 1024): 199
Status: installed
Console> (enable)

Chapter 36
Configuring SNMP

This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the
Catalyst 6000 family switches.
This chapter consists of these sections:
• SNMP Terminology, page 36-1
• Understanding SNMP, page 36-3
• Understanding How SNMPv1 and SNMPv2c Work, page 36-5
• Understanding SNMPv3, page 36-7
• Configuring SNMPv1 and SNMPv2c, page 36-10
• Configuring SNMPv3, page 36-11

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

SNMP Terminology
Table 36-1 lists the terms used in SNMP technology.

Table 36-1 SNMP Terminology

authentication: The process of ensuring message integrity and protection against message replay, covering both data integrity and data origin authentication.
authoritative SNMP engine: One of the SNMP engines involved in an exchange is designated the authoritative SNMP engine, which protects against message replay, delay, and redirection. The security keys used to authenticate and encrypt SNMPv3 packets are generated as a function of the authoritative SNMP engine's ID and the user's password. When an SNMP message expects a response (for example, get, get-next, or set request), the receiver of the message is authoritative. When an SNMP message does not expect a response (for example, a trap), the sender is authoritative.
community string: A text string used to authenticate messages between a management station and an SNMPv1 or SNMPv2c engine.
data integrity: A condition or state of data in which a message packet has not been altered or destroyed in an unauthorized manner.
data origin authentication: The ability to verify the identity of the user on whose behalf a message was supposedly sent. This protects against message capture and replay by a different SNMP engine, and against packets received from or sent to a particular user with an incorrect password or security level.
encryption: A method of hiding data from an unauthorized user by scrambling the contents of an SNMP packet.
group: A set of users belonging to a particular security model. A group defines the access rights for all the users belonging to it: which SNMP objects can be read, written to, or created, and which notifications a user is allowed to receive.
notification host: An SNMP entity to which notifications (traps and informs) are sent.
notify view: A view name (not to exceed 64 characters) for each group; the view name defines the list of notifications that can be sent to each user in the group.
privacy: An encrypted state of the contents of an SNMP packet, which prevents the contents from being disclosed on the network. Encryption is performed with the CBC-DES (DES-56) algorithm.
read view: A view name (not to exceed 64 characters) for each group; the view name defines the list of object identifiers (OIDs) that users belonging to the group can read.
security level: The security processing applied to each SNMP packet. There are three levels: noauth, auth, and priv. The noauth level authenticates a packet by a string match of the username. The auth level authenticates a packet with either the HMAC-MD5 or the HMAC-SHA algorithm. The priv level authenticates a packet with either the HMAC-MD5 or the HMAC-SHA algorithm and encrypts the packet with the CBC-DES (DES-56) algorithm.
security model: The security strategy used by the SNMP agent. The switch software supports three security models: SNMPv1, SNMPv2c, and SNMPv3.
Simple Network Management Protocol (SNMP): A network management protocol that provides a method to monitor and control network devices, and to manage configurations, statistics collection, performance, and security.
Simple Network Management Protocol Version 2c (SNMPv2c): The second version of SNMP. This protocol supports centralized and distributed network management strategies and includes improvements in the structure of management information (SMI), protocol operations, management architecture, and security.
SNMP engine: An instance of SNMP that can reside on the local or a remote device.
SNMP entity: Unlike SNMPv1 and SNMPv2c, SNMPv3 no longer uses the terms SNMP agent and SNMP manager. These concepts have been combined into the SNMP entity. An SNMP entity is made up of an SNMP engine and SNMP applications.
SNMP group: A collection of SNMP users that share a common access policy, which defines the object identifiers (OIDs) that are read-accessible and write-accessible. Users belonging to a particular SNMP group inherit all of the attributes defined by the group.
SNMP user: The principal on whose behalf an SNMP management operation is performed, or the user on a remote SNMP engine who receives inform messages.
SNMP view: A mapping between SNMP objects and the access rights available for those objects. An object can have different access rights in each view. Access rights indicate whether the object is accessible by either a community string or a user.
write view: A view name (not to exceed 64 characters) for each group; the view name defines the list of object identifiers (OIDs) that users of the group can create or modify.

Understanding SNMP
SNMP is an application-layer protocol that facilitates the exchange of management information between
network devices. SNMP enables network administrators to manage network performance, find and solve
network problems, and plan for network growth.
There are three versions of SNMP:
• Version 1 (SNMPv1)—This is the initial implementation of SNMP. Refer to RFC 1157 for a full
description of its functionality. See the "Understanding How SNMPv1 and SNMPv2c Work" section
on page 36-5 for more information on SNMPv1.
• Version 2 (SNMPv2c)—The second release of SNMP, described in RFC 1902, adds enhancements to
data types, counter sizes, and protocol operations. See the "Understanding How SNMPv1 and
SNMPv2c Work" section on page 36-5 for more information on SNMPv2c.
• Version 3 (SNMPv3)—This is the most recent version of SNMP and is fully described in RFC 2571,
RFC 2572, RFC 2573, RFC 2574, and RFC 2575. The SNMPv1 and SNMPv2c functionality on the
Catalyst enterprise LAN switches remains intact; SNMPv3 adds significant enhancements to
administration and security. See the "Understanding SNMPv3" section on page 36-7 for more
information on SNMPv3.


Security Models and Levels


A security model is an authentication strategy that is set up for a user and the group in which the user
resides. A security level is the permitted level of security within a security model. A combination of a
security model and a security level determines which security mechanism is employed when handling
an SNMP packet. Three security models are available: SNMPv1, SNMPv2c, and SNMPv3. Table 36-2
identifies the combinations of security models and defines the levels for SNMPv1, SNMPv2c, and
SNMPv3.

Table 36-2 SNMP Security Levels

Model Level Authentication Encryption What Happens
v1 noAuthNoPriv Community string No Uses a community string match for authentication.
v2c noAuthNoPriv Community string No Uses a community string match for authentication.
v3 noAuthNoPriv Username No Uses a username match for authentication.
v3 authNoPriv MD5 or SHA No Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.
v3 authPriv MD5 or SHA DES Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms, plus 56-bit CBC-DES (DES-56) encryption.

Note the following about SNMPv3 users and groups:
• Each user belongs to a group.
• A group defines the access policy for a set of users.
• An access policy defines which SNMP objects can be read, written, and created.
• A group determines the list of notifications its users can receive.
• A group also defines the security model and security level for its users.


SNMP ifindex Persistence Feature


The SNMP ifIndex persistence feature is always enabled. With the ifIndex persistence feature, the
ifIndex value of the port and VLAN is always retained and used after the following occurrences:
• Switch reboot
• High-availability switchover
• Software upgrade
• Module reset
• Module removal and insertion of the same type of module
For Fast EtherChannel and Gigabit EtherChannel interfaces, the ifIndex value is only retained and used
after a high-availability switchover.

Understanding How SNMPv1 and SNMPv2c Work


The components of SNMPv1 and SNMPv2c network management fall into three categories:
• Managed devices (such as a switch)
• SNMP agents and MIBs, including Remote Monitoring (RMON) MIBs, which run on managed
devices
• SNMP network management applications, such as CiscoWorks2000, which communicate with
agents to get statistics and alerts from the managed devices. See the “Using CiscoWorks2000”
section on page 36-6 for more information on CiscoWorks2000.

Note An SNMP management application, together with the computer it runs on, is called a
Network Management System (NMS).

Using Managed Devices


Catalyst 6000 family switches are managed devices that support SNMP network management with the
following features:
• SNMP traps (see the “Configuring SNMPv1 and SNMPv2c from the CLI” section on page 36-10)
• RMON in the supervisor engine module software (see Chapter 37, “Configuring RMON”)
• RMON and RMON2 on an external SwitchProbe device

Using SNMP Agents and MIBs


SNMP network management uses these SNMP agent functions:
• Accessing a MIB variable—This function is initiated by the SNMP agent in response to a request
from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS
with that value.


• Setting a MIB variable—This function is also initiated by the SNMP agent in response to a message
from the NMS. The SNMP agent changes the value of the MIB variable to the value requested by
the NMS.

Note For more information about MIBs, refer to
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.

• SNMP trap—This function is used to notify an NMS that a significant event has occurred at an
agent. When a trap condition occurs, the SNMP agent sends an SNMP trap message to any NMSs
specified as the trap receivers, under the following conditions:
– When a port or module goes up or down
– When temperature limitations are exceeded
– When there are spanning tree topology changes
– When there are authentication failures
– When power supply errors occur
• SNMP community strings—SNMP community strings authenticate access to MIB objects and
function as embedded passwords:
– Read-only—Gives read access to all objects in the MIB except the community strings, but does
not allow write access
– Read-write—Gives read and write access to all objects in the MIB, but does not allow access to
the community strings
– Read-write-all—Gives read and write access to all objects in the MIB, including the community
strings

Note The community string definitions on your NMS must match at least one of the three
community string definitions on the switch.

Using CiscoWorks2000
CiscoWorks2000 is a family of Web-based and management platform-independent products for
managing Cisco enterprise networks and devices. CiscoWorks2000 includes Resource Manager
Essentials and CWSI Campus, which allow you to deploy, configure, monitor, manage, and troubleshoot
a switched internetwork. For more information, refer to the following publications:
• Getting Started With Resource Manager Essentials
• Getting Started With CWSI Campus

Understanding SNMPv3

Understanding SNMPv3
SNMPv3 contains all the functionality of SNMPv1 and SNMPv2c, but SNMPv3 has significant
enhancements to administration and security. SNMPv3 is an interoperable standards-based protocol and
provides secure access to devices by authenticating and encrypting packets over the network. The
security features provided in SNMPv3 are as follows:
• Message integrity—Collects data securely without being tampered with or corrupted
• Authentication—Determines the message is from a valid source
• Encryption—Scrambles the contents of a packet to prevent it from being seen by an unauthorized
source

SNMP Entity
Unlike SNMPv1 and SNMPv2c, in SNMPv3 the concept of SNMP Agents and SNMP Managers no
longer apply. These concepts have been combined into an SNMP entity. An SNMP entity consists of an
SNMP engine and SNMP applications. An SNMP engine consists of the following four components:
• Dispatcher
• Message processing subsystem
• Security subsystem
• Access control subsystem
Figure 36-1 provides an illustration of the SNMP entity.

Dispatcher
The dispatcher is a traffic manager that sends and receives messages. After receiving a message, the
dispatcher tries to determine the version number of the message and then passes the message to the
appropriate message processing model. The dispatcher is also responsible for dispatching PDUs to
applications and for selecting the appropriate transports for sending messages.


Figure 36-1 SNMP Entity for Traditional SNMP Agents

[Figure: an SNMP entity made up of an SNMP engine and SNMP applications. The engine contains the
dispatcher (transport mapping over UDP, IPX, or other transports; message dispatcher; PDU dispatcher),
the message processing subsystem (v1MP, v2cMP, v3MP, otherMP), the security subsystem (user-based
security model and other security models), and the access control subsystem (view-based access control
model and other access control models). The applications are proxy forwarder, command responder, and
notification originator applications, backed by MIB instrumentation.]

Message Processing Subsystem


The message processing subsystem accepts outgoing PDUs from the dispatcher and prepares them for
transmission by wrapping them in a message header and returning them to the dispatcher. The message
processing subsystem also accepts incoming messages from the dispatcher, processes each message
header, and returns the enclosed PDU to the dispatcher. An implementation of the message processing
subsystem may support a single message format corresponding to a single version of SNMP (SNMPv1,
SNMPv2c, SNMPv3), or it may contain a number of modules, each supporting a different version of
SNMP.

Security Subsystem
The security subsystem authenticates and encrypts messages. Each outgoing message is passed to the
security subsystem from the message processing subsystem. Depending on the services required, the
security subsystem may encrypt the enclosed PDU and some fields in the message header. In addition,
the security subsystem may generate an authentication code and insert it into the message header. After
encryption, the message is returned to the message processing subsystem.


Each incoming message is passed to the security subsystem from the message processing subsystem. If
required, the security subsystem checks the authentication code and performs decryption. The processed
message is returned to the message processing subsystem. An implementation of the security subsystem
may support one or more distinct security models. The only currently defined security model is the
user-based security model (USM) for SNMPv3, specified in RFC 2274.
The USM protects SNMPv3 messages from the following potential security threats:
• An authorized user sending a message that gets modified in transit by an unauthorized SNMP entity.
• An unauthorized user trying to masquerade as an authorized user.
• A user modifying the message stream.
• An unauthorized user listening to the message.
The USM currently defines the use of HMAC-MD5-96 and HMAC-SHA-96 as the possible
authentication protocols and CBC-DES as the privacy protocol.
SNMPv1 and SNMPv2c security models provide only community names for authentication and no
privacy.
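To make concrete how the authoritative engine ID and the user's password combine into the USM keys described in Table 36-1 and in this section, here is an added Python example; it is not Cisco code and does not show the switch's own implementation. It follows RFC 3414 appendix A (the successor to RFC 2574) for password-to-key and key localization, uses the RFC's published test vector (password "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02), and then applies the localized key as HMAC-MD5-96 or HMAC-SHA-96 over a constructed stand-in message to show that a modified message fails verification.

```python
"""SNMPv3 USM key derivation and HMAC-96 authentication.

Added example, not Cisco code. It implements the key handling the guide
attributes to the user-based security model: a password is hashed into a
key (RFC 3414 A.2), the key is localized to the authoritative engine's ID,
and the localized key drives HMAC-MD5-96 or HMAC-SHA-96 over the whole
message. The password, engine ID and expected keys are the RFC's own test
vector; the message bytes are constructed for this example.
"""
import hashlib
import hmac

# RFC 3414 A.3 test vector
TEST_PASSWORD = b"maplesyrup"
TEST_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: hash the password repeated out to 1,048,576 bytes (RFC 3414 A.2.1/A.2.2)."""
    h = hashlib.new(hash_name)
    plen = len(password)
    idx = 0
    for _ in range(1048576 // 64):
        block = bytearray(64)
        for i in range(64):
            block[i] = password[idx % plen]
            idx += 1
        h.update(block)
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). The key is bound to one engine, so a
    localized key recovered from one switch does not authenticate to another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_params(kul: bytes, whole_msg: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters: the first 12 bytes of HMAC(Kul, wholeMsg).
    `whole_msg` is the serialized message with its 12-byte parameter field
    already filled with zeros, as the RFC requires."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


def verify_auth_params(kul: bytes, whole_msg: bytes, received: bytes, hash_name: str) -> bool:
    """Recompute over the zero-filled message and compare in constant time."""
    if len(received) != 12:
        return False
    return hmac.compare_digest(auth_params(kul, whole_msg, hash_name), received)


def demo():
    """Run the RFC vector and a tamper check for both protocols; returns the results."""
    results = {}
    for name in ("md5", "sha1"):
        ku = password_to_key(TEST_PASSWORD, name)
        kul = localize_key(ku, TEST_ENGINE_ID, name)
        # Constructed stand-in for a serialized SNMPv3 message whose
        # msgAuthenticationParameters octet string has been zeroed out.
        msg = b"\x30\x81\x00" + b"\x00" * 12 + b"snmpv3-get-request-body"
        tag = auth_params(kul, msg, name)
        tampered = msg[:-4] + b"tamp"
        results[name] = {
            "ku": ku.hex(), "kul": kul.hex(), "tag_len": len(tag),
            "verify_ok": verify_auth_params(kul, msg, tag, name),
            "verify_tampered": verify_auth_params(kul, tampered, tag, name),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

The practical point for an operator is the localization step: the same authpassword entered on two switches with different engine IDs yields two different localized keys, which is why changing set snmp engineid after users exist invalidates their keys, and why a key dumped from one device is of no use against another.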

Access Control Subsystem


The responsibility of the access control subsystem is to determine whether access to a managed object
should be allowed. One access control model, the view-based access control model (VACM), currently
has been defined. With VACM, you can control which users and which operations can have access to
which managed objects.

Applications
SNMPv3 applications refer to internal applications within an SNMP entity. These internal applications
can do the following operations:
• Generate SNMP messages
• Respond to received SNMP messages
• Generate and receive notifications
• Forward messages between SNMP entities
There are currently five types of applications:
• Command generators—Generate SNMP commands to collect or set management data.
• Command responders—Provide access to management data; for example, get, get-next, get-bulk, and
set PDUs are processed by a command responder application.
• Notification originators—Initiate trap or inform messages.
• Notification receivers—Receive and process trap or inform messages.
• Proxy forwarders—Forward messages between SNMP entities.


Configuring SNMPv1 and SNMPv2c


This section provides basic SNMPv1 and SNMPv2c configuration information. For detailed information
on the SNMP commands supported by the Catalyst 6000 family switches, refer to the Catalyst 6000
Family Command Reference publication.

SNMPv1 and SNMPv2c Default Configuration


Refer to the Catalyst 6000 Family Command Reference for SNMP default configuration settings for
each command listed in the configuration section.

Configuring SNMPv1 and SNMPv2c from an NMS


To configure SNMP from an NMS, refer to the NMS documentation (see the “Using CiscoWorks2000”
section on page 36-6).
The switch supports up to 20 trap receivers through the RMON2 trap destination table. You configure
the RMON2 trap destination table from the NMS.

Configuring SNMPv1 and SNMPv2c from the CLI


To configure SNMP from the command-line interface (CLI), perform this task in privileged mode:

Task Command
Step 1 Define the SNMP community strings for each access type.
    set snmp community read-only community_string
    set snmp community read-write community_string
    set snmp community read-write-all community_string
Step 2 Assign a trap receiver and community. You can specify up to ten trap receivers.
    set snmp trap rcvr_address rcvr_community
Step 3 Specify the SNMP traps to send to the trap receiver.
    set snmp trap enable [all | module | chassis | bridge | repeater | auth | vtp | ippermit | vmps | config | entity | stpx]
Step 4 Verify the SNMP configuration.
    show snmp

This example shows how to define community strings, assign a trap receiver, and specify which traps to
send to the trap receiver:
Console> (enable) set snmp community read-only Everyone
SNMP read-only community string set to 'Everyone'.
Console> (enable) set snmp community read-write Administrators
SNMP read-write community string set to 'Administrators'.
Console> (enable) set snmp community read-write-all Root
SNMP read-write-all community string set to 'Root'.
Console> (enable) set snmp trap 172.16.10.10 read-write
SNMP trap receiver added.
Console> (enable) set snmp trap 172.16.10.20 read-write-all
SNMP trap receiver added.
Console> (enable) set snmp trap enable all
All SNMP traps enabled.
Console> (enable) show snmp
RMON: Disabled
Extended RMON: Extended RMON module is not present
Traps Enabled:
Port,Module,Chassis,Bridge,Repeater,Vtp,Auth,ippermit,Vmps,config,entity,stpx
Port Traps Enabled: 1/1-2,4/1-48,5/1
Community-Access Community-String
---------------- --------------------
read-only Everyone
read-write Administrators
read-write-all Root
Trap-Rec-Address Trap-Rec-Community
---------------------------------------- --------------------
172.16.10.10 read-write
172.16.10.20 read-write-all
Console> (enable)

Note To disable access for an SNMP community, set the community string for that community to the null
string (do not enter a value for the community string).

Configuring SNMPv3
This section provides basic SNMPv3 configuration information. For detailed information on the SNMP
commands supported by the Catalyst 6000 family switches, refer to the Catalyst 6000 Family Command
Reference publication.

SNMPv3 Default Configuration


Refer to the Catalyst 6000 Family Command Reference publication for SNMP default configuration
settings for each command listed in the configuration section.

Configuring SNMPv3 from an NMS


To configure SNMP from an NMS, refer to the NMS documentation (see the “Using CiscoWorks2000”
section on page 36-6).
The switch supports up to 20 trap receivers through the RMON2 trap destination table. You configure
the RMON2 trap destination table from the NMS.


Configuring SNMPv3 from the CLI


To configure SNMPv3 from the command-line interface (CLI), perform this task in privileged mode:

Task Command
Step 1 Set the SNMP engine ID for the local SNMP engine.
    set snmp engineid engineid
Step 2 Configure the MIB views.
    set snmp view [-hex] {viewname} {subtree} [mask] [included | excluded] [volatile | nonvolatile]
Step 3 Set the access rights for a group with a certain security model in different security levels.
    set snmp access [-hex] {groupname} {security-model v3} {noauthentication | authentication | privacy} [read [-hex] {readview}] [write [-hex] {writeview}] [notify [-hex] {notifyview}] [context [-hex] {contextname} [exact | prefix]] [volatile | nonvolatile]
Step 4 Specify the target addresses for notifications.
    set snmp notify [-hex] {notifyname} tag [-hex] {notifytag} [trap | inform] [volatile | nonvolatile]
Step 5 Set the snmpTargetAddrEntry in the target address table.
    set snmp targetaddr [-hex] {addrname} param [-hex] {paramsname} {ipaddr} [udpport {port}] [timeout {value}] [retries {value}] [volatile | nonvolatile] [taglist {[-hex] tag} [[-hex] tag]]
Step 6 Set the SNMP parameters used to generate a message to a target.
    set snmp targetparams [-hex] {paramsname} user [-hex] {username} {security-model v3} {message-processing v3} {noauthentication | authentication | privacy} [volatile | nonvolatile]
Step 7 Configure a new user.
    set snmp user [-hex] {username} [remote {engineid}] [authentication {md5 | sha} {authpassword}] [privacy {privpassword}] [volatile | nonvolatile]
Step 8 Relate a user to a group using a specified security model.
    set snmp group [-hex] {groupname} user [-hex] {username} {security-model v1 | v2 | v3} [volatile | nonvolatile]
Step 9 Configure the community table for the system default part, which maps community strings of previous versions of SNMP to SNMPv3.
    set snmp community {read-only | read-write | read-write-all} [community_string]
Step 10 Configure the community table for mappings between different community strings and security models with full permissions.
    set snmp community index {index_name} name [community_string] security {security_name} context {context_name} transporttag {tag_value} [volatile | nonvolatile]
Step 11 Verify the SNMP configuration.
    show snmp

This example shows how to define a MIB view named interfacesMibView that includes the interfaces subtree (1.3.6.1.2.1.2):


Console> (enable) set snmp view interfacesMibView 1.3.6.1.2.1.2 included
Snmp view name was set to interfacesMibView with subtree 1.3.6.1.2.1.2 included,
nonvolatile.


This example shows how to set the access rights for a group called guestgroup to SNMPv3
authentication read mode:
Console> (enable) set snmp access guestgroup security-model v3 authentication read
interfacesMibView
Snmp access group was set to guestgroup version v3 level authentication,
readview interfacesMibView, context match:exact, nonvolatile.

This example shows how to create the notify entry notifytable1 with the tag routers, which selects the target addresses that receive traps:


Console> (enable) set snmp notify notifytable1 tag routers trap
Snmp notify name was set to notifytable1 with tag routers notifyType trap, and storageType
nonvolatile.

These examples show how to set the snmpTargetAddrEntry in the target address table:
Console> (enable) set snmp targetaddr router_1 param p1 172.20.21.1
Snmp targetaddr name was set to router_1 with param p1
ipAddr 172.20.21.1, udpport 162, timeout 1500, retries 3, storageType nonvolatile.

Console> (enable) set snmp targetaddr router_2 param p2 172.20.30.1
Snmp targetaddr name was set to router_2 with param p2
ipAddr 172.20.30.1, udpport 162, timeout 1500, retries 3, storageType nonvolatile.

These examples show how to set SNMP target parameters:
Console> (enable) set snmp targetparams p1 user guestuser1 security-model v3 message-processing v3 authentication
Snmp target params was set to p1 v3 authentication, message-processing v3,
user guestuser1 nonvolatile.

Console> (enable) set snmp targetparams p2 user guestuser2 security-model v3 message-processing v3 privacy
Snmp target params was set to p2 v3 privacy, message-processing v3,
user guestuser2 nonvolatile.

These examples show how to configure guestuser1 and guestuser2 as users:
Console> (enable) set snmp user guestuser1 authentication md5 guestuser1password privacy privacypasswd1
Snmp user was set to guestuser1 authProt md5 authPasswd guestuser1password privProt des
privPasswd privacypasswd1 with engineid 00:00:00:09:00:10:7b:f2:82:00:00:00 nonvolatile.

Console> (enable) set snmp user guestuser2 authentication sha guestuser2password
Snmp user was set to guestuser2 authProt sha authPasswd guestuser2password privProt no-priv
with engineid 00:00:00:09:00:10:7b:f2:82:00:00:00 nonvolatile.

These examples show how to set guestuser1 and guestuser2 as members of the groups guestgroup and
mygroup:
Console> (enable) set snmp group guestgroup user guestuser1 security-model v3
Snmp group was set to guestgroup user guestuser1 and version v3, nonvolatile.

Console> (enable) set snmp group mygroup user guestuser1 security-model v3
Snmp group was set to mygroup user guestuser1 and version v3, nonvolatile.

Console> (enable) set snmp group mygroup user guestuser2 security-model v3
Snmp group was set to mygroup user guestuser2 and version v3, nonvolatile.


This example shows how to verify the SNMPv3 setup for guestuser1 from a workstation:
workstation% getnext -v3 10.6.4.201 guestuser1 ifDescr.0
Enter Authentication password :guestuser1password
Enter Privacy password :privacypasswd1
ifDescr.1 = sc0

This example shows how to verify from a workstation that guestgroup cannot yet read the snmpEngineID
object: interfacesMibView does not include the snmpEngineID subtree, so the GET-NEXT runs off the end
of the view:
workstation% getnext -v3 10.6.4.201 guestuser1 snmpEngineID
Enter Authentication password :guestuser1password
Enter Privacy password :privacypasswd1
snmpEngineID = END_OF_MIB_VIEW_EXCEPTION

This example shows how to verify the SNMPv2c setup for public access from a workstation:
workstation% getnext -v2c 10.6.4.201 public snmpEngineID
snmpEngineID.0 =
00 00 00 09 00 10 7b f2 82 00 00 00

These examples show how to give guestgroup read access to the snmpEngineID object: define a view
snmpEngineMibView for the subtree 1.3.6.1.6.3.10.2.1 and make it the group's read view. The second
command replaces interfacesMibView as the read view for that security level; to keep both subtrees
readable, add the second subtree to the existing view with another set snmp view command instead:
Console> (enable) set snmp view snmpEngineMibView 1.3.6.1.6.3.10.2.1 included
Snmp view name was set to snmpEngineMibView with subtree 1.3.6.1.6.3.10.2.1 included,
nonvolatile

Console> (enable) set snmp access guestgroup security-model v3 authentication read


snmpEngineMibView
Snmp access group was set to guestgroup version v3 level authentication,
readview snmpEngineMibView, nonvolatile.

This example shows how to verify the SNMPv3 access for guestuser1 from a workstation:
workstation% getnext -v3 10.6.4.201 guestuser1 snmpEngineID
Enter Authentication password :guestuser1password
Enter Privacy password :privacypasswd1
snmpEngineID.0 =
00 00 00 09 00 10 7b f2 82 00 00 00

This example shows how to remove access for guestgroup at the authentication security level:
Console> (enable) clear snmp access guestgroup security-model v3 authentication
Cleared snmp access guestgroup version v3 level authentication.

This example shows how to verify that the access for guestuser1 has been removed from a workstation:
workstation% getnext -v3 10.6.4.201 guestuser1 ifDescr.1
Enter Authentication password :guestuser1password
Enter Privacy password :privacypasswd1
Error code set in packet - AUTHORIZATION_ERROR:1.

This example shows how to verify the access for guestuser2 from a workstation. guestuser2 was created
with authentication only (no privacy password), so a request at the privacy security level is rejected
by the user-based security model before any access check is made, and the agent answers with a REPORT
PDU carrying usmStatsUnsupportedSecLevels:
workstation% getnext -v3 10.6.4.201 guestuser2 ifDescr.1
Enter Authentication password :guestuser2password
Enter Privacy password :privacypasswd2
REPORT received, cannot recover:
usmStatsUnsupportedSecLevels.0 = 1

The same mismatch applies to the target parameters p2 defined above, which specify privacy for
guestuser2; notifications sent with p2 cannot be generated until guestuser2 is given a privacy
password or p2 is changed to the authentication level.
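The following Python program is an added illustration and is not part of this guide or of the switch software. It models three checks the SNMPv3 agent applies to a request, using the engine ID, passwords and OIDs from the examples above: RFC 3414 key localization (what Step 7 stores and why the engine ID set in Step 1 matters), RFC 3415 view membership (why the snmpEngineID query through interfacesMibView returns END_OF_MIB_VIEW_EXCEPTION until snmpEngineMibView is added), and security-level acceptance (why the privacy-level request for guestuser2 is answered with usmStatsUnsupportedSecLevels). The function names, the bit-string mask notation and the returned error strings are this example's own: the CLI takes the view mask in hexadecimal, and a real agent reports these conditions as REPORT PDUs and error-status values.

```python
"""Three checks a Catalyst SNMPv3 agent applies to a request, modelled in plain
Python (added illustration, not Cisco code; standard library only):
  1. RFC 3414 key localization: what 'set snmp user ... authentication md5
     <password>' stores, and why the engine ID is set first (Step 1);
  2. RFC 3415 view membership (Steps 2 and 3): why a GET-NEXT for snmpEngineID
     through interfacesMibView returns END_OF_MIB_VIEW_EXCEPTION until
     snmpEngineMibView is added;
  3. security-level acceptance: why a privacy-level request for guestuser2,
     who has no privacy password, is answered with usmStatsUnsupportedSecLevels.
The engine ID, passwords and OIDs in the demo are the ones in the examples
above; the mask is written as a string of bits here (the CLI takes hex)."""
import hashlib
from typing import List, Optional, Tuple

KEY_STRETCH_BYTES = 1_048_576  # RFC 3414 A.2: hash one mebibyte of repeated password


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: digest of the password repeated to fill 1 MiB. That repetition is the
    only work factor in USM, so a short password remains brute-forceable offline
    by anyone who captures one authenticated PDU."""
    repeated = (password * (KEY_STRETCH_BYTES // len(password) + 1))[:KEY_STRETCH_BYTES]
    return hashlib.new(hash_name, repeated).digest()


def localize_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). The same password gives a different key
    on every engine, so a key recovered from one switch does not work on another,
    and changing the engine ID invalidates every configured user."""
    ku = password_to_key(password, hash_name)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def engine_id_from_cli(text: str) -> bytes:
    """Parse the colon-separated engine ID printed by 'set snmp user'."""
    return bytes(int(octet, 16) for octet in text.split(":"))


def _oid(text: str) -> List[int]:
    return [int(x) for x in text.strip(".").split(".")]


def oid_in_view(oid: str, view: List[Tuple[str, Optional[str], bool]]) -> bool:
    """RFC 3415 view check. 'view' holds (subtree, mask_bits, included) rows as
    entered with 'set snmp view'. A '0' mask bit makes that position a wildcard;
    missing bits count as '1'. Of the families containing the OID, the one with
    the longest subtree (then the lexicographically greatest) decides."""
    target = _oid(oid)
    best = None
    for subtree, mask, included in view:
        sub = _oid(subtree)
        if len(target) < len(sub):
            continue
        bits = (mask or "").ljust(len(sub), "1")
        if all(b == "0" or t == s for t, s, b in zip(target, sub, bits)):
            rank = (len(sub), sub)
            if best is None or rank > best[0]:
                best = (rank, included)
    return best is not None and best[1]


LEVEL = {"noauthentication": 0, "authentication": 1, "privacy": 2}


def check_request(user_auth: Optional[str], user_priv: Optional[str],
                  requested_level: str, access_level: Optional[str]) -> str:
    """Return 'ok' or the error the agent reports. user_auth/user_priv are the
    protocols from 'set snmp user' (None when not configured); access_level is
    the level from 'set snmp access' for the user's group, None once cleared."""
    req = LEVEL[requested_level]
    if (req >= 1 and user_auth is None) or (req == 2 and user_priv is None):
        # USM rejects the message before VACM is consulted: no key for that level.
        return "usmStatsUnsupportedSecLevels"
    if access_level is None or req < LEVEL[access_level]:
        # No vacmAccessTable entry matches at this level (noAccess); the
        # workstation shows it as AUTHORIZATION_ERROR.
        return "authorizationError"
    return "ok"


if __name__ == "__main__":
    eid = engine_id_from_cli("00:00:00:09:00:10:7b:f2:82:00:00:00")
    print("guestuser1 localized MD5 key:", localize_key(b"guestuser1password", eid, "md5").hex())
    interfaces = [("1.3.6.1.2.1.2", None, True)]
    with_engine = interfaces + [("1.3.6.1.6.3.10.2.1", None, True)]
    print("snmpEngineID.0 in interfacesMibView:", oid_in_view("1.3.6.1.6.3.10.2.1.1.0", interfaces))
    print("snmpEngineID.0 after adding snmpEngineMibView:", oid_in_view("1.3.6.1.6.3.10.2.1.1.0", with_engine))
    print("guestuser2 at privacy level:", check_request("sha", None, "privacy", "authentication"))
```

The key-derivation functions reproduce the RFC 3414 appendix test vectors (password maplesyrup, engine ID 0x000000000000000000000002), so they can be used to confirm what an NMS computes for a switch whose engine ID is shown in the set snmp user output.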

C H A P T E R 37
Configuring RMON

This chapter describes how to configure RMON on the Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How RMON Works, page 37-1
• Enabling RMON, page 37-2
• Viewing RMON Data, page 37-2
• Supported RMON and RMON2 MIB Objects, page 37-2

Understanding How RMON Works


RMON is an Internet Engineering Task Force (IETF) standard monitoring specification that allows
various network agents and console systems to exchange network monitoring data. The supervisor
engine software provides embedded support for these components of the RMON specification (see the
“Supported RMON and RMON2 MIB Objects” section on page 37-2 for details):
• The following RMON groups are defined in RFC 1757:
– Statistics (RMON group 1) for Ethernet, Fast Ethernet, Fast EtherChannel, and Gigabit Ethernet
switch ports (uses 140 bytes of supervisor engine RAM per port)
– History (RMON group 2) for Ethernet, Fast Ethernet, Fast EtherChannel, and Gigabit Ethernet
switch ports (uses 3 KB of supervisor engine RAM for the first 50 buckets; each additional
bucket uses another 56 bytes)
– Alarm (RMON group 3; each alarm configured uses 1.3 KB of supervisor engine RAM)
– Event (RMON group 9; each event configured uses 1.3 KB of supervisor engine RAM)
• The following RMON2 groups are defined in RFC 2021:
– UsrHistory (RMON2 group 18)
– ProbeConfig (RMON2 group 19)


The embedded RMON agent allows the switch to monitor network traffic from all ports simultaneously
at Layer 2 without requiring a dedicated monitoring probe or network analyzer. For more information
on RMON, visit:
http://www.cisco.com/en/US/docs/internetworking/technology/handbook/RMON.html

Enabling RMON
Note RMON is disabled by default.

To enable RMON, perform this task in privileged mode:

Task Command
Step 1 Enable RMON on the switch. set snmp rmon enable
Step 2 Verify that RMON is enabled. show snmp

This example shows how to enable RMON on the switch and how to verify that RMON is enabled:
Console> (enable) set snmp rmon enable
SNMP RMON support enabled.
Console> (enable) show snmp
RMON: Enabled
Extended RMON: Extended RMON module is not present
Traps Enabled:
Port,Module,Chassis,Bridge,Repeater,Vtp,Auth,ippermit,Vmps,config,entity,stpx
Port Traps Enabled: 1/1-2,4/1-48,5/1
Community-Access Community-String
---------------- --------------------
read-only Everyone
read-write Administrators
read-write-all Root
Trap-Rec-Address Trap-Rec-Community
---------------------------------------- --------------------
172.16.10.10 read-write
172.16.10.20 read-write-all
Console> (enable)

Viewing RMON Data


Access to RMON data is available only on a network management system (NMS) that supports
RFC 1757 and RFC 2021 (see the “Using CiscoWorks2000” section on page 36-6). You cannot access
RMON data through the switch CLI; however, CLI show commands provide similar information.

Supported RMON and RMON2 MIB Objects


Table 37-1 lists the RMON and RMON2 MIB objects supported by the supervisor engine software.


Table 37-1 Supervisor Engine RMON and RMON2 Support

Object Identifier (OID) and Description                                                  Source
...mib-2(1).rmon(16).statistics(1).etherStatsTable(1)                                    RFC 1757 (RMON-MIB)
    Counters for packets, octets, broadcasts, errors, etc.
...mib-2(1).rmon(16).history(2).historyControlTable(1)                                   RFC 1757 (RMON-MIB)
...mib-2(1).rmon(16).history(2).etherHistoryTable(2)                                     RFC 1757 (RMON-MIB)
    Periodically samples and saves statistics group counters for later retrieval.
...mib-2(1).rmon(16).alarm(3)                                                            RFC 1757 (RMON-MIB)
    A threshold that can be set on critical RMON variables for network management.
...mib-2(1).rmon(16).event(9)                                                            RFC 1757 (RMON-MIB)
    Generates SNMP traps when an Alarms group threshold is exceeded and logs the events.
...mib-2(1).rmon(16).usrHistory(18)                                                      RFC 2021 (RMON2-MIB)
    Extends history beyond RMON1 link-layer statistics to include any RMON, RMON2, MIB-I, or MIB-II statistic.
...mib-2(1).rmon(16).probeConfig(19)                                                     RFC 2021 (RMON2-MIB)
    Displays a list of agent capabilities and configurations.
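The following Python program is an added illustration and is not part of this guide or of the switch software. It models how the RFC 1757 alarm group evaluates one alarmTable row (sample type, rising and falling thresholds, startup alarm, and the hysteresis that suppresses a second rising event until a falling event has occurred) and what the event group logs when a threshold is crossed. On the switch these rows are created by the NMS after RMON is enabled, not from the CLI. The class and function names and the broadcast-counter readings are constructed for the example.

```python
"""RFC 1757 alarm-group evaluation with rising/falling hysteresis, modelled in
plain Python (added illustration, not Cisco code). On the switch this logic
runs inside the embedded RMON agent for each alarmTable row an NMS creates;
the CLI only enables the agent. The counter readings at the bottom are
constructed, not taken from a switch."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Alarm:
    """One alarmTable row. sample_type is alarmSampleType (absoluteValue or
    deltaValue); startup is alarmStartupAlarm and decides whether the very
    first evaluated sample may raise an event."""
    rising: int
    falling: int
    sample_type: str = "deltaValue"
    startup: str = "risingOrFalling"
    _last_raw: Optional[int] = field(default=None, init=False)    # previous counter reading
    _prev: Optional[int] = field(default=None, init=False)        # previous evaluated value
    _last_event: Optional[str] = field(default=None, init=False)  # "rising" or "falling"

    def sample(self, raw: int) -> Tuple[Optional[int], Optional[str]]:
        """Feed one poll of the monitored object; return (evaluated value, event).
        A rising event fires when the value reaches alarmRisingThreshold after
        having been below it; no second rising event fires until a falling event
        has occurred, and symmetrically for falling (RFC 1757 alarm group)."""
        if self.sample_type == "deltaValue":
            if self._last_raw is None:            # a delta needs two readings
                self._last_raw = raw
                return None, None
            value, self._last_raw = raw - self._last_raw, raw
        else:
            value = raw
        event = None
        if value >= self.rising and self._last_event != "rising":
            if (self._prev is None and self.startup in ("rising", "risingOrFalling")) \
               or (self._prev is not None and self._prev < self.rising):
                event = "rising"
        elif value <= self.falling and self._last_event != "falling":
            if (self._prev is None and self.startup in ("falling", "risingOrFalling")) \
               or (self._prev is not None and self._prev > self.falling):
                event = "falling"
        self._prev = value
        if event:
            self._last_event = event
        return value, event


def run_alarm(alarm: Alarm, readings: List[int]) -> List[Optional[str]]:
    """Evaluate a series of counter readings; return the event (or None) per reading."""
    return [alarm.sample(r)[1] for r in readings]


def event_log(alarm: Alarm, readings: List[int], variable: str) -> List[str]:
    """What the event group (RFC 1757 eventTable, eventType log-and-trap) would
    record: one line per rising or falling crossing."""
    lines = []
    for interval, raw in enumerate(readings):
        value, event = alarm.sample(raw)
        if event:
            threshold = alarm.rising if event == "rising" else alarm.falling
            lines.append(f"interval {interval}: {event} alarm on {variable}, "
                         f"value {value} vs threshold {threshold}")
    return lines


if __name__ == "__main__":
    # Constructed etherStatsBroadcastPkts readings, one per 30-second interval.
    # The burst at interval 2 crosses the rising threshold; the larger delta at
    # interval 3 stays silent because no falling event has occurred in between.
    readings = [1000, 1050, 1700, 2400, 2450, 2460, 3200]
    for line in event_log(Alarm(rising=500, falling=100, startup="rising"),
                          readings, "etherStatsBroadcastPkts.5"):
        print(line)
```

With startup set to rising only, the small first delta does not raise a falling event; with the default risingOrFalling it would, which is the usual surprise when a freshly created alarm row immediately logs a falling alarm.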

C H A P T E R 38
Configuring SPAN and RSPAN

This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN)
on the Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How SPAN and RSPAN Work, page 38-1
• SPAN and RSPAN Session Limits, page 38-4
• Configuring SPAN, page 38-5
• Configuring RSPAN, page 38-8

Note To configure SPAN or RSPAN from a network management station (NMS), refer to the NMS
documentation (see the “Using CiscoWorks2000” section on page 36-6).

Understanding How SPAN and RSPAN Work


These sections describe the concepts and terminology associated with SPAN and RSPAN configuration:
• SPAN Session, page 38-2
• Destination Port, page 38-2
• Source Port, page 38-2
• Ingress SPAN, page 38-3
• Egress SPAN, page 38-3
• VSPAN, page 38-3
• Trunk VLAN Filtering, page 38-4
• SPAN Traffic, page 38-4


SPAN Session
A SPAN session is an association of a destination port with a set of source ports, configured with
parameters that specify the monitored network traffic. You can configure multiple SPAN sessions in a
switched network. SPAN sessions do not interfere with the normal operation of the switches. You can
enable or disable SPAN sessions with command-line interface (CLI) or SNMP commands. An enabled SPAN
session can still become active or inactive in response to events such as the destination port going
down; each transition is reported by a syslog message. The Status field in the show span and show rspan
command output displays the operational status of a SPAN or RSPAN session.
A SPAN or RSPAN destination session remains inactive after system power up until the destination port
is operational. An RSPAN source session remains inactive until any of the source ports are operational
or the RSPAN VLAN becomes active.

Destination Port
A destination port (also called a monitor port) is a switch port where SPAN sends packets for analysis.
After a port becomes an active destination port, it does not forward any traffic except that required for
the SPAN session. By default, an active destination port disables incoming traffic (from the network to
the switching bus), unless you specifically enable the port. If incoming traffic is enabled for the
destination port, it is switched in the native VLAN of the destination port. The destination port does not
participate in spanning tree while the SPAN session is active. See the caution statement in the
“Configuring SPAN from the CLI” section on page 38-7 for information on how to prevent loops in your
network topology.
Only one destination port is allowed per SPAN session, and the same port cannot be a destination port
for multiple SPAN sessions. A switch port configured as a destination port cannot be configured as a
source port. EtherChannel ports cannot be SPAN destination ports.
If the trunking mode of a SPAN destination port is “on” or “nonegotiate” during SPAN session
configuration, the SPAN packets forwarded by the destination port have the encapsulation as specified
by the trunk type; however, the destination port stops trunking, and the show trunk command reflects
the trunking status for the port prior to SPAN session configuration.

Source Port
A source port is a switch port monitored for network traffic analysis. The traffic through the source ports
can be categorized as ingress, egress, or both. You can monitor one or more source ports in a single
SPAN session with user-specified traffic types (ingress, egress, or both) applicable for all the source
ports.
You can configure source ports in any VLAN. You can configure VLANs as source ports (src_vlans),
which means that all ports in the specified VLANs are source ports for the SPAN session.
Source ports are administrative (Admin Source) or operational (Oper Source) or both. Administrative
source ports are the source ports or source VLANs specified during SPAN session configuration.
Operational source ports are the source ports monitored by the destination port. For example, when
source VLANs are used as the administrative source, the operational source is all the ports in all the
specified VLANs.
The operational sources are always active ports. If a port is not in the spanning tree, it is not an
operational source. All physical ports in an EtherChannel source are included in operational sources if
the logical port is included in the spanning tree.


The destination port, if it belongs to any of the administrative source VLANs, is excluded from the
operational source.
You can configure a port as a source port in multiple active SPAN sessions, but you cannot configure
an active source port as a destination port for any SPAN session.
If a SPAN session is inactive, the “oper source” field is not updated until the session becomes active.
Trunk ports can be configured as source ports and can be mixed with nontrunk source ports; however,
the encapsulation of the packets forwarded by the destination port is determined by the trunk settings
of the destination port at the time of SPAN session configuration.

Ingress SPAN
Ingress SPAN copies network traffic received by the source ports for analysis at the destination port.

Egress SPAN
Egress SPAN copies network traffic transmitted from the source ports for analysis at the destination port.

VSPAN
VLAN-based SPAN (VSPAN) is analysis of the network traffic in one or more VLANs. You can
configure VSPAN as ingress SPAN, egress SPAN, or both. All the ports in the source VLANs become
operational source ports for the VSPAN session. The destination port, if it belongs to any of the
administrative source VLANs, is excluded from the operational source. If you add or remove ports from
the administrative source VLANs, the operational sources are modified accordingly.
Use the following guidelines for VSPAN sessions:
• Trunk ports are included as source ports for VSPAN sessions, but only the VLANs that are in the
Admin source list are monitored, provided these VLANs are active for the trunk.
• For VSPAN sessions with both ingress and egress SPAN configured, the system operates as follows
based upon the type of supervisor engine you have:
– WS-X6K-SUP1A-PFC, WS-X6K-SUP1A-MSFC, WS-X6K-SUP1A-MSFC2,
WS-X6K-SUP2-PFC2, WS-X6K-SUP2-MSFC2—Two packets are forwarded by the SPAN
destination port if the packets get switched on the same VLAN.
– WS-X6K-SUP1-2GE, WS-X6K-SUP1A-2GE—Only one packet is forwarded by the SPAN
destination port.
• An inband port is not included as Oper source for VSPAN sessions.
• When a VLAN is cleared, it is removed from the source list for VSPAN sessions.
• A VSPAN session is disabled if the Admin source VLANs list is empty.
• Inactive VLANs are not allowed for VSPAN configuration.
• A VSPAN session is made inactive if any of the source VLANs become RSPAN VLANs.


Trunk VLAN Filtering


Trunk VLAN filtering is analysis of network traffic on a selected set of VLANs on trunk source ports.
You can combine trunk VLAN filtering with other source ports that belong to any of the selected
VLANs, and you can also use trunk VLAN filtering for RSPAN. Based on the traffic type (ingress,
egress, or both), SPAN sends a copy of the network traffic in the selected VLANs to the destination port.
Use trunk VLAN filtering only with trunk source ports. If you combine trunk VLAN filtering with other
source ports that belong to VLANs not included in the selected list of filter VLANs, SPAN includes only
the ports that belong to one or more of the selected VLANs in the operational sources.
When a VLAN is cleared, it is removed from the VLAN filter list. A SPAN session is disabled if the
VLAN filter list becomes empty.
Trunk VLAN filtering is not applicable to VSPAN sessions.

SPAN Traffic
All network traffic, including the multicast and bridge protocol data unit (BPDU) packets, can be monitored
using SPAN (RSPAN does not support monitoring of BPDU packets or Layer 2 protocol packets such as
CDP, DTP, and VTP). Multicast packet monitoring is enabled by default.
In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN
destination port. For example, a bidirectional (both ingress and egress) SPAN session is configured for
sources a1 and a2 to a destination port d1. If a packet enters the switch through a1 and gets switched to
a2, both incoming and outgoing packets are sent to destination port d1; both packets would be the same
(if a Layer-3 rewrite occurs, the packets are different). Similarly, for RSPAN sessions with sources
distributed in multiple switches, the destination ports might forward multiple copies of the same packet.

SPAN and RSPAN Session Limits


You can configure (and store in NVRAM) a maximum of 30 SPAN sessions in a Catalyst 6000 family
switch. See Table 38-1 for the supported combinations of SPAN/RSPAN sessions. You can configure
multiple ports or VLANs as sources for each session.

Table 38-1 SPAN and RSPAN Session Limits

SPAN/RSPAN Sessions                        Catalyst 6000 Family Switches (1)
rx or both SPAN sessions                   2
tx SPAN sessions                           4
tx, rx, or both RSPAN source sessions      1
RSPAN destinations                         24
Total SPAN sessions                        30 (2)

1. When an RSPAN source session is configured, it reduces the limit for rx or both SPAN sessions by one.
2. 2 rx or both SPAN sessions + 4 tx SPAN sessions + 24 RSPAN destination sessions = 30 total SPAN sessions.


Configuring SPAN
These sections describe how to configure SPAN:
• SPAN Hardware Requirements, page 38-5
• Understanding How SPAN Works, page 38-5
• SPAN Configuration Guidelines, page 38-6
• Configuring SPAN from the CLI, page 38-7

SPAN Hardware Requirements


All Catalyst 6000 family switch supervisor engines support the SPAN feature.

Understanding How SPAN Works


SPAN selects network traffic for analysis by a network analyzer such as a SwitchProbe device or other
Remote Monitoring (RMON) probe. SPAN mirrors traffic from one or more source ports on any VLAN,
from one or more VLANs, or from the sc0 console interface to a destination port for analysis (see
Figure 38-1). In Figure 38-1, all traffic on Ethernet port 5 (the source port) is mirrored to Ethernet
port 10. A network analyzer on Ethernet port 10 receives all network traffic from Ethernet port 5 without
being physically attached to it.

Figure 38-1 SPAN Configuration (figure not reproduced: port 5 traffic is mirrored on port 10, and a
network analyzer is attached to port 10)

For SPAN configuration, the source ports and the destination port must be on the same switch.
SPAN does not affect the switching of network traffic on source ports; a copy of the packets received or
transmitted by the source ports are sent to the destination port.


SPAN Configuration Guidelines


Follow these guidelines when configuring SPAN:
• Use a network analyzer to monitor ports.
• For SPAN source ports, SPAN is not supported with ATM ports; it works with Ethernet
10/100/1000-Mbps ports and 10-Gbps ports.
• When enabled, SPAN uses any previously entered configuration; if you have not entered any
configuration commands, SPAN uses default parameters.
• If you specify multiple SPAN source ports, the ports can belong to different VLANs.
• See the “SPAN and RSPAN Session Limits” section on page 38-4.
• RSPAN sessions can coexist with SPAN sessions within the SPAN/RSPAN limits described in the
“SPAN and RSPAN Session Limits” section on page 38-4.
• The inpkts option is disabled by default. Use the inpkts keyword with the enable option to allow
the SPAN destination port to receive normal incoming traffic. Use the disable option to prevent the
SPAN destination port from receiving normal incoming traffic.
• When you enable the inpkts option, a warning message notifies you that the destination port does
not support the Spanning Tree Protocol (STP) and may cause loops if you enable this option.
• Learning is enabled by default. Use the inpkts keyword with the learning option to enable or disable
learning for a specific port.
• You can specify a Multilayer Switch Module (MSM) port as the SPAN source port. However, you
cannot specify an MSM port as the SPAN destination port.
• When you configure multiple SPAN sessions, the destination module number/port number must be
known to index the particular SPAN session.
• If any VLANs on SPAN source port(s) are blocked by spanning tree, you may see extra packets
transmitted on the destination port that were not actually transmitted out the source port(s). The
extra packets seen at the destination port are packets sent through the switch fabric to the source port
and then blocked by spanning tree at the source port.

Caution In software releases prior to software release 8.4(1), if you use the set span command without the create
keyword, and you have only one session configured, the session is overwritten. If there are two SPAN
sessions already configured, you receive an error message. If a matching destination port exists, the
particular session is overwritten (with or without specifying the create keyword). If you specify the
create keyword and there is no matching destination port, the session is created.

In software release 8.4(1) and later releases, the create keyword has been removed from the set span
command. When you enable a SPAN session without the create keyword, and another session is
available, the first session is not overwritten.


Configuring SPAN from the CLI


To configure SPAN, you specify the source, the destination port, the direction of the traffic through the
source that you want to mirror to the destination port, and whether or not the destination port can receive
packets.
To configure a SPAN port, perform this task in privileged mode:

Task                                                    Command
Step 1   Configure the SPAN source and destination ports.
         set span {src_mod/src_ports | src_vlans | sc0} {dest_mod/dest_port} [rx | tx | both]
         [inpkts {enable | disable}] [learning {enable | disable}] [multicast {enable | disable}]
         [filter vlans...] [create]
Step 2   Verify the SPAN configuration.
         show span

Caution If the SPAN destination port is connected to another device and you enable reception of incoming
packets (using the inpkts enable keywords), the SPAN destination port receives traffic for whatever
VLAN the SPAN destination port belongs to. However, the SPAN destination port does not
participate in spanning tree for that VLAN. Use caution when using the inpkts keyword to avoid
creating network loops with the SPAN destination port or assigning the SPAN destination port to an
unused VLAN.

This example shows how to configure SPAN so that both transmit and receive traffic from port 1/1 (the
SPAN source) is mirrored on port 2/1 (the SPAN destination):
Console> (enable) set span 1/1 2/1

Destination : Port 2/1


Admin Source : Port 1/1
Oper Source : Port 1/1
Direction : transmit/receive
Incoming Packets: disabled
Learning : enabled
Multicast : enabled
Filter : -

This example shows how to set VLAN 522 as the SPAN source and port 2/1 as the SPAN destination:
Console> (enable) set span 522 2/1

Destination : Port 2/1


Admin Source : VLAN 522
Oper Source : Port 3/1-2
Direction : transmit/receive
Incoming Packets: disabled
Learning : enabled
Multicast : enabled
Filter : -
Console> (enable)

This example shows how to set VLAN 522 as the SPAN source and port 2/12 as the SPAN destination.
Only transmit traffic is monitored. Normal incoming packets on the SPAN destination port are allowed.
Console> (enable) set span 522 2/12 tx inpkts enable


Destination : Port 2/12


Admin Source : VLAN 522
Oper Source : Port 2/1-2
Direction : transmit
Incoming Packets: enabled
Learning : enabled
Multicast : enabled
Filter : -
Console> (enable)

This example shows how to set port 3/2 as the SPAN source and port 2/2 as the SPAN destination:
Console> (enable) set span 3/2 2/2 tx create

Destination : Port 2/1


Admin Source : port 3/1
Oper Source : Port 3/1
Direction : transmit/receive
Incoming Packets: disabled

Destination : Port 2/2


Admin Source : port 3/2
Oper Source : Port 3/2
Direction : transmit
Incoming Packets: disabled
Learning : enabled
Multicast : enabled
Filter : -
Console> (enable)
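The following Python program is an added illustration and is not part of this guide or of the switch software. It parses show span output in the format of the examples above into session records and checks them against the rules in the Destination Port and Source Port sections and the limits in Table 38-1: a destination port that is also an operational source, a destination port shared by two sessions, more rx/both or tx sessions than allowed (one fewer rx/both when an RSPAN source session exists), and a destination port with incoming packets enabled, which the caution above identifies as a loop risk because the port does not run spanning tree. The sample output and all function names are constructed for the example, not captured from a switch.

```python
"""Parser and consistency checker for 'show span' output (added illustration,
not Cisco code; standard library only). It applies rules stated in this
chapter: one destination port per session and never shared between sessions,
a destination port never also a source port, the Table 38-1 limits (2 rx/both,
4 tx, 30 total; one fewer rx/both when an RSPAN source session exists), and a
warning whenever a destination port has incoming packets enabled, because that
port then forwards received frames without running spanning tree."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

DIRECTION = {"transmit/receive": "both", "transmit": "tx", "receive": "rx"}
LIMIT_RX_OR_BOTH, LIMIT_TX, LIMIT_TOTAL = 2, 4, 30


@dataclass
class Session:
    destination: str            # "mod/port"
    admin_source: str           # as printed: "Port 3/1" or "VLAN 522"
    direction: str              # "rx", "tx" or "both"
    inpkts: bool                # Incoming Packets: enabled
    source_ports: Set[str] = field(default_factory=set)  # expanded Oper Source


def expand_ports(text: str) -> Set[str]:
    """'Port 2/1-2,3/1' -> {'2/1', '2/2', '3/1'}. A VLAN source has no mod/port
    tokens and expands to nothing; the switch lists the VLAN's member ports
    separately under Oper Source."""
    ports: Set[str] = set()
    for mod, first, last in re.findall(r"(\d+)/(\d+)(?:-(\d+))?", text):
        ports.update(f"{mod}/{p}" for p in range(int(first), int(last or first) + 1))
    return ports


def parse_show_span(output: str) -> List[Session]:
    """Split the output into blank-line-separated session blocks and read the
    'Label : value' lines of each; the prompt line has no colon and is skipped."""
    sessions: List[Session] = []
    for block in re.split(r"\n\s*\n", output.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            label, sep, value = line.partition(":")
            if sep:
                fields[label.strip()] = value.strip()
        if "Destination" not in fields:
            continue
        sessions.append(Session(
            destination=expand_ports(fields["Destination"]).pop(),
            admin_source=fields.get("Admin Source", ""),
            direction=DIRECTION[fields["Direction"]],
            inpkts=fields.get("Incoming Packets", "disabled") == "enabled",
            source_ports=expand_ports(fields.get("Oper Source", "")),
        ))
    return sessions


def check_sessions(sessions: List[Session], rspan_source_sessions: int = 0) -> List[str]:
    """Return one finding per violated rule; an empty list means the set is consistent."""
    findings: List[str] = []
    first_use: Dict[str, int] = {}
    all_sources: Set[str] = set().union(*(s.source_ports for s in sessions))
    for n, s in enumerate(sessions, 1):
        if s.destination in first_use:
            findings.append(f"session {n}: destination {s.destination} is already the "
                            f"destination of session {first_use[s.destination]}")
        first_use.setdefault(s.destination, n)
        if s.destination in all_sources:
            findings.append(f"session {n}: destination {s.destination} is also a source port")
        if s.inpkts:
            findings.append(f"session {n}: inpkts enabled on {s.destination}; the port forwards "
                            f"received frames without spanning tree, check for loops")
    rx_or_both = sum(s.direction in ("rx", "both") for s in sessions)
    tx_only = sum(s.direction == "tx" for s in sessions)
    rx_limit = LIMIT_RX_OR_BOTH - min(rspan_source_sessions, 1)
    if rx_or_both > rx_limit:
        findings.append(f"{rx_or_both} rx/both sessions exceed the limit of {rx_limit}")
    if tx_only > LIMIT_TX:
        findings.append(f"{tx_only} tx sessions exceed the limit of {LIMIT_TX}")
    if len(sessions) > LIMIT_TOTAL:
        findings.append(f"{len(sessions)} sessions exceed the limit of {LIMIT_TOTAL}")
    return findings


# Constructed sample in the format of the 'show span' examples above (not a capture).
SAMPLE_SHOW_SPAN = """\
Destination     : Port 2/1
Admin Source    : Port 3/1
Oper Source     : Port 3/1
Direction       : transmit/receive
Incoming Packets: disabled
Filter          : -

Destination     : Port 2/2
Admin Source    : Port 3/2
Oper Source     : Port 3/2
Direction       : transmit
Incoming Packets: disabled
Filter          : -

Destination     : Port 2/12
Admin Source    : VLAN 522
Oper Source     : Port 2/1-2,3/1-2
Direction       : transmit
Incoming Packets: enabled
Filter          : -
Console> (enable)
"""

if __name__ == "__main__":
    for finding in check_sessions(parse_show_span(SAMPLE_SHOW_SPAN)):
        print(finding)
```

Run against the sample, the checker reports that ports 2/1 and 2/2 are destinations of the first two sessions while also appearing as operational sources of the VLAN 522 session, and that the VLAN 522 destination has inpkts enabled; with three sessions (one both, two tx) the Table 38-1 limits are not exceeded.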

To disable SPAN, perform this task in privileged mode:

Task Command
Disable SPAN on the switch. set span disable [dest_mod/dest_port | all]

This example shows how to disable SPAN on the switch:


Console> (enable) set span disable 2/1
This command will disable your span session.
Do you want to continue (y/n) [n]?y
Disabled port 2/1 to monitor transmit traffic of VLAN 522
Console> (enable)

Configuring RSPAN
These sections describe how to configure RSPAN:
• RSPAN Hardware Requirements, page 38-9
• Understanding How RSPAN Works, page 38-9
• RSPAN Configuration Guidelines, page 38-10
• Configuring RSPAN, page 38-11
• RSPAN Configuration Examples, page 38-14


RSPAN Hardware Requirements


RSPAN supervisor engine requirements are as follows:
• For source switches—Catalyst 6000 family switch with any of the following:
– Supervisor Engine 1 and Policy Feature Card (PFC): WS-X6K-SUP1A-PFC
– Supervisor Engine 1, PFC, and Multilayer Switch Feature Card (MSFC):
WS-X6K-SUP1A-MSFC
– Supervisor Engine 1, PFC, and MSFC2: WS-X6K-S1A-MSFC2
– Supervisor Engine 2 and PFC2: WS-X6K-S2-PFC2
– Supervisor Engine 2, PFC2, and MSFC2: WS-X6K-S2-MSFC2
• For destination or intermediate switches—Any Cisco switch that supports the RSPAN VLAN
No third-party switches, and no Cisco switches that do not support the RSPAN VLAN, can be placed in
the end-to-end path for RSPAN traffic.

Understanding How RSPAN Works

Note See the “Understanding How SPAN and RSPAN Work” section on page 38-1 for concepts and
terminology that apply to both SPAN and RSPAN configuration.

RSPAN has all the features of SPAN (see the “Understanding How SPAN Works” section on page 38-5),
plus support for source ports and destination ports distributed across multiple switches, allowing remote
monitoring of multiple switches across your network (see Figure 38-2).
The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for
that RSPAN session in all participating switches. The SPAN traffic from the sources, which cannot be
in the RSPAN VLAN, is switched to the RSPAN VLAN and then forwarded to destination ports
configured in the RSPAN VLAN. The traffic type for sources (ingress, egress, or both) in an RSPAN
session can be different in different source switches, but is the same for all sources in each source switch
for each RSPAN session. Do not configure any ports in an RSPAN VLAN except those selected to carry
RSPAN traffic. Learning is disabled on the RSPAN VLAN.


Figure 38-2 RSPAN Configuration (figure not reproduced: source switches A and B (access; ports A1 to A3
and B1 to B4) connect over Layer 2 trunks to intermediate switch C (distribution; ports C1 to C3),
which connects over a Layer 2 trunk to destination switch D (data center; ports D1 and D2), where the
probe is attached)
RSPAN Configuration Guidelines
Follow these guidelines when configuring RSPAN:

Tip As RSPAN VLANs have special properties, we recommend that you reserve a few VLANs across
your network for use as RSPAN VLANs; do not assign access ports to these VLANs.

Tip You can apply an output access control list (ACL) to RSPAN traffic to selectively filter specific flows.
Specify these ACLs on the RSPAN VLAN in the RSPAN source switches.

• All the items in the “SPAN Configuration Guidelines” section on page 38-6 apply to RSPAN.
• RSPAN sessions can coexist with SPAN sessions within the SPAN/RSPAN limits described in the
“SPAN and RSPAN Session Limits” section on page 38-4.
• For RSPAN configuration, you can distribute the source ports and the destination port across
multiple switches.
• For RSPAN, trunking is required if you have a source switch with all source ports in one VLAN
(VLAN 2 for example) and it is connected to the destination switch through an uplink port that is
also in VLAN 2. With RSPAN, the traffic is forwarded to remote switches in the RSPAN VLAN.
The RSPAN VLAN is configured only on trunk ports and not on access ports.
• The learning option applies to RSPAN destination ports only.
• RSPAN does not support monitoring of BPDU packets or Layer 2 protocol packets such as CDP, DTP,
and VTP.
• To optimize bandwidth utilization in the connecting links, you can configure quality of service
(QoS) parameters for the RSPAN VLAN in each of the participating source, intermediate, or
destination switches.

• Each Catalyst 6000 family switch can source a maximum of one RSPAN session (ingress, egress, or
both). When you configure a remote ingress or bidirectional SPAN session in a source switch, the
limit for local ingress or bidirectional SPAN sessions is reduced to one. There are no limits on the
number of RSPAN sessions carried across the network within the RSPAN session limits (see the
“SPAN and RSPAN Session Limits” section on page 38-4).
• RSPAN VLANs cannot be included as sources for port-based RSPAN sessions when source trunk
ports have active RSPAN VLANs. Additionally, RSPAN VLANs cannot be sources in VSPAN
sessions.
• You can configure any VLAN as an RSPAN VLAN as long as these conditions are met:
– The same RSPAN VLAN is used for an RSPAN session in all the switches.
– All participating switches have appropriate hardware and software.
– No access port (including the sc0 interface) is configured in the RSPAN VLAN.
• If you enable VLAN Trunk Protocol (VTP) and VTP pruning, RSPAN traffic is pruned in the trunks
to prevent the unwanted flooding of RSPAN traffic across the network.
• If you enable GARP VLAN Registration Protocol (GVRP) and GVRP requests conflict with existing
RSPAN VLANs, you might observe unwanted traffic in the respective RSPAN sessions.
• You can use RSPAN VLANs in Inter-Switch Link (ISL) to dot1q mapping. However, ensure that the
special properties of RSPAN VLANs are supported in all the switches to avoid unwanted traffic in
these VLANs.

Configuring RSPAN
The first step in configuring an RSPAN session is to select an RSPAN VLAN for the RSPAN session that
does not exist in any of the switches that will participate in RSPAN. With VTP enabled in the network,
you can create the RSPAN VLAN in one switch and VTP propagates it to the other switches in the VTP
domain.
Use VTP pruning to get efficient flow of RSPAN traffic, or manually delete the RSPAN VLAN from all
trunks that do not need to carry the RSPAN traffic.
Once the RSPAN VLAN is created, you configure the source and destination switches using the set
rspan command.
To configure RSPAN VLANs, perform this task in privileged mode:

Task                                          Command
Step 1  Configure RSPAN VLANs.                set vlan vlan [rspan]
Step 2  Verify the RSPAN VLAN configuration.  show vlan

This example shows how to set VLAN 500 as an RSPAN VLAN:


Console> (enable) set vlan 500 rspan
vlan 500 configuration successful
Console> (enable)
Console> (enable) show vlan
.
display truncated
.

VLAN DynCreated RSPAN
---- ---------- --------
1 static disabled
2 static disabled
3 static disabled
99 static disabled
500 static enabled
Console> (enable)

To configure RSPAN source ports, perform this task in privileged mode:

Task                                                         Command
Step 1  Configure RSPAN source ports. Use this command on    set rspan source {mod/ports... | vlans... | sc0} {rspan_vlan}
        each of the source switches participating in RSPAN.    [rx | tx | both] [multicast {enable | disable}]
                                                               [filter vlans...] [create]
Step 2  Verify the RSPAN configuration.                      show rspan

This example shows how to specify ports 4/1 and 4/2 as ingress source ports for RSPAN VLAN 500:
Console> (enable) set rspan source 4/1-2 500 rx
Rspan Type : Source
Destination : -
Rspan Vlan : 500
Admin Source : Port 4/1-2
Oper Source : None
Direction : receive
Incoming Packets: -
Learning : -
Multicast : enabled
Filter : -
Console> (enable)

To configure RSPAN source VLANs, perform this task in privileged mode:

Task                                                         Command
Step 1  Configure RSPAN source VLANs. All the ports in the   set rspan source {mod/ports... | vlans... | sc0} {rspan_vlan}
        source VLAN become operational source ports.           [rx | tx | both] [multicast {enable | disable}]
                                                               [filter vlans...] [create]
Step 2  Verify the RSPAN configuration.                      show rspan

This example shows how to specify VLAN 200 as a source VLAN for RSPAN VLAN 500 (selecting the
rx option makes all the ports in the VLAN ingress ports):
Console> (enable) set rspan source 200 500 rx
Rspan Type : Source
Destination : -
Rspan Vlan : 500
Admin Source : VLAN 200
Oper Source : None
Direction : receive
Incoming Packets: -
Learning : -
Multicast : enabled
Filter : -
Console> (enable)

To configure RSPAN destination ports, perform this task in privileged mode:

Task                                                         Command
Step 1  Configure RSPAN destination ports. Use this command  set rspan destination {mod/port} {rspan_vlan}
        on each of the destination switches participating     [inpkts {enable | disable}] [learning {enable | disable}]
        in RSPAN.                                              [create]
Step 2  Verify the RSPAN configuration.                      show rspan

This example shows how to specify port 3/1 as the destination port for RSPAN VLAN 500:
Console> (enable) set rspan destination 3/1 500
Rspan Type : Destination
Destination : Port 3/1
Rspan Vlan : 500
Admin Source : -
Oper Source : -
Direction : -
Incoming Packets: disabled
Learning : enabled
Multicast : -
Filter : -
Console> (enable)

To disable RSPAN, perform this task in privileged mode:

Task                           Command
Disable RSPAN on the switch.   set rspan disable source [rspan_vlan | all]
                               set rspan disable destination [mod/port | all]

This example shows how to disable all enabled source sessions:


Console> (enable) set rspan disable source all
This command will disable all remote span source session(s).
Do you want to continue (y/n) [n]? y
Disabled monitoring of all source(s) on the switch for remote span.
Console> (enable)

This example shows how to disable one source session by rspan_vlan number:
Console> (enable) set rspan disable source 903
Disabled monitoring of all source(s) on the switch for rspan_vlan 903.
Console> (enable)

This example shows how to disable all enabled destination sessions:


Console> (enable) set rspan disable destination all
This command will disable all remote span destination session(s).
Do you want to continue (y/n) [n]? y
Disabled monitoring of remote span traffic for all rspan destination ports.
Console> (enable)

This example shows how to disable one destination session by mod/port:


Console> (enable) set rspan disable destination 4/1
Disabled monitoring of remote span traffic on port 4/1.
Console> (enable)

RSPAN Configuration Examples


These sections describe how to configure RSPAN:
• Configuring a Single RSPAN Session, page 38-14
• Modifying an Active RSPAN Session, page 38-15
• Adding RSPAN Source Ports in Intermediate Switches, page 38-15
• Configuring Multiple RSPAN Sessions, page 38-16
• Adding Multiple Network Analyzers to an RSPAN Session, page 38-17

Configuring a Single RSPAN Session


This example shows how to configure a single RSPAN session. Figure 38-3 shows an RSPAN
configuration; see Table 38-2 for the necessary commands to configure this RSPAN session. Table 38-2
assumes that you have already set up RSPAN VLAN 901 for this session on all the switches using the
set vlan vlan rspan command. With VTP enabled in the network, you can create the RSPAN VLAN in
one switch and VTP propagates it to the other switches in the VTP domain. Note that in the configuration
example shown in Table 38-2, the RSPAN session may be disabled in Switch A or B or both without
modifying the configuration in Switch C or Switch D.

Figure 38-3 Single RSPAN Session

[Figure: access-layer source switches Switch A (ports 4/1, 4/2; uplink 1/2) and Switch B (ports 3/1, 3/2, 3/3; uplink 1/1) connect over trunks T2 and T3 to intermediate Switch C (distribution, ports 3/1, 3/2; uplink 1/2), which connects over trunk T1 to destination Switch D (data center, port 1/1); the probe is attached to Switch D port 1/2.]


Table 38-2 Configuring a Single RSPAN Session

Switch            Ports          RSPAN VLAN  Direction      RSPAN CLI Commands
A (source)        4/1, 4/2       901         Ingress        set rspan source 4/1-2 901 rx
B (source)        3/1, 3/2, 3/3  901         Bidirectional  set rspan source 3/1-3 901
C (intermediate)  –              901         –              No RSPAN CLI command needed
D (destination)   1/2            901         –              set rspan destination 1/2 901
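Before typing the commands in Table 38-2 into several switches, it helps to check the plan against the RSPAN guidelines above. The following script is an added example, not Cisco's code: the Switch/Source/Session data model is assumed, the rules come from the guidelines (no access port or sc0 in the RSPAN VLAN, which also keeps sources out of it; one RSPAN source session per switch; one RSPAN VLAN per session), the emitted commands are the CatOS set rspan forms of Table 38-2, and the access VLAN numbers in the sample plan are constructed.

```python
"""Plan checker and command generator for a Catalyst 6000 RSPAN session.

Added example, not Cisco's code. The Switch/Source/Session data model is
assumed; the rules come from the RSPAN configuration guidelines (no access
port or sc0 in the RSPAN VLAN, one RSPAN source session per switch, one
RSPAN VLAN per session) and the output is the CatOS `set rspan` command
set of Table 38-2. Access VLAN numbers in the sample plan are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    access_vlan: dict = field(default_factory=dict)  # access port or "sc0" -> VLAN


@dataclass
class Source:
    switch: str
    ports: list
    direction: str = "both"  # rx (ingress) | tx (egress) | both


@dataclass
class Session:
    rspan_vlan: int
    sources: list
    destination: tuple  # (switch name, mod/port)


def check_plan(switches, sessions):
    """Return guideline violations; an empty list means the plan is clean."""
    problems = []
    sourced = {}  # switch name -> set of RSPAN VLANs it sources
    for sess in sessions:
        # No access port (including sc0) may sit in the RSPAN VLAN on any switch.
        for sw in switches:
            for port, vlan in sw.access_vlan.items():
                if vlan == sess.rspan_vlan:
                    problems.append(
                        f"{sw.name}: port {port} is an access port in RSPAN VLAN {vlan}")
        for src in sess.sources:
            if src.direction not in ("rx", "tx", "both"):
                problems.append(f"{src.switch}: unknown direction {src.direction!r}")
            sourced.setdefault(src.switch, set()).add(sess.rspan_vlan)
    # A Catalyst 6000 family switch can source at most one RSPAN session.
    for name, vlans in sourced.items():
        if len(vlans) > 1:
            problems.append(f"{name}: sources {len(vlans)} RSPAN sessions, limit is one")
    return problems


def port_range(ports):
    """Collapse consecutive ports on one module to CatOS range form: 4/1-2, 3/1-3."""
    mods = {p.split("/")[0] for p in ports}
    nums = sorted(int(p.split("/")[1]) for p in ports)
    if len(mods) == 1 and nums == list(range(nums[0], nums[0] + len(nums))):
        mod = mods.pop()
        return f"{mod}/{nums[0]}" if len(nums) == 1 else f"{mod}/{nums[0]}-{nums[-1]}"
    return ",".join(ports)


def rspan_commands(session):
    """Commands per switch; intermediate switches get none, as in Table 38-2."""
    cmds = {}
    for src in session.sources:
        cmd = f"set rspan source {port_range(src.ports)} {session.rspan_vlan}"
        if src.direction != "both":  # both is the default, as Table 38-2 shows
            cmd += f" {src.direction}"
        cmds.setdefault(src.switch, []).append(cmd)
    dsw, dport = session.destination
    cmds.setdefault(dsw, []).append(f"set rspan destination {dport} {session.rspan_vlan}")
    return cmds


# Constructed plan for Figure 38-3 / Table 38-2 (access VLANs 10, 20 and 30 are made up).
FIG_38_3 = [
    Switch("A", {"4/1": 10, "4/2": 10, "sc0": 1}),
    Switch("B", {"3/1": 20, "3/2": 20, "3/3": 20, "sc0": 1}),
    Switch("C", {"sc0": 1}),
    Switch("D", {"1/2": 30, "sc0": 1}),
]
SESSION_901 = Session(901, [Source("A", ["4/1", "4/2"], "rx"),
                            Source("B", ["3/1", "3/2", "3/3"])], ("D", "1/2"))

if __name__ == "__main__":
    print("problems:", check_plan(FIG_38_3, [SESSION_901]))
    for switch, cmds in rspan_commands(SESSION_901).items():
        for cmd in cmds:
            print(f"Switch {switch}: {cmd}")
```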

Modifying an Active RSPAN Session


This example shows how to modify an active RSPAN session. Use Figure 38-3 for reference; see
Table 38-3 for the necessary commands to disable an RSPAN session and to add or remove source ports
from an RSPAN session.

Table 38-3 Making Modifications to an Active RSPAN Session

Switch      Action                                       RSPAN CLI Commands
A (source)  Disable the RSPAN session.                   set rspan disable source 901
B (source)  Remove source port 3/2 from RSPAN session.   set rspan source 3/1, 3/3 901
B (source)  Add back source port 3/2 to RSPAN session.   set rspan source 3/1-3 901

Adding RSPAN Source Ports in Intermediate Switches


This example shows how to add RSPAN source ports in intermediate switches. Figure 38-4 shows an
RSPAN configuration; see Table 38-4 for the necessary commands to configure this RSPAN session.
Ports 2/1-2 in Switch C can be configured for the same RSPAN session.

Figure 38-4 Adding RSPAN Source Ports in Intermediate Switch

[Figure: same topology as Figure 38-3; intermediate Switch C (distribution) now also shows ports 2/1 and 2/2 beside 3/1 and 3/2, with trunks T2 and T3 to source switches A (ports 4/1, 4/2) and B (ports 3/1, 3/2, 3/3) and trunk T1 to destination Switch D (data center, port 1/1; probe on 1/2).]


Table 38-4 Adding RSPAN Source Ports in Intermediate Switch

Switch            Ports          RSPAN VLAN  Direction      RSPAN CLI Commands
A (source)        4/1, 4/2       901         Ingress        set rspan source 4/1-2 901 rx
B (source)        3/1, 3/2, 3/3  901         Bidirectional  set rspan source 3/1-3 901
C (intermediate)  –              901         –              No RSPAN CLI command needed
C (source)        2/1, 2/2       901         Bidirectional  set rspan source 2/1-2 901
D (destination)   1/2            901         –              set rspan destination 1/2 901

Configuring Multiple RSPAN Sessions


This example shows how to configure multiple RSPAN sessions. Figure 38-5 shows an RSPAN
configuration; see Table 38-5 for the necessary configuration commands to configure this RSPAN
session. This is a typical scenario where the monitoring probes would be placed in the data center and
source ports in the access switches (other ports in any of the switches can also be configured for
RSPAN). If there is no change in the route for SPAN traffic, the destination switch and the intermediate
switches need to be configured only once.
In Figure 38-5, two RSPAN sessions are used with RSPAN VLANs 901 (for probe 1) and 902 (for
probe 2). The direction of traffic over trunks T1 through T6 is shown only for understanding; the
direction of the trunks depends on the STP states of the respective trunks for the RSPAN VLAN(s). You
need to configure the RSPAN VLANs in each of the switches for the respective RSPAN sessions. With
VTP enabled in the network, you can create the RSPAN VLAN in one switch and VTP propagates it to
the other switches in that VTP domain. With VTP disabled, create the RSPAN VLANs in each switch.

Figure 38-5 Configuring Multiple RSPAN Sessions

[Figure: destination Switch A (data center) has probe 1 on port 2/1 and probe 2 on port 2/2; its ports 1/1 and 1/2 connect over trunks T1 and T2 to intermediate switches B and C (distribution, uplink 1/2 and ports 3/1, 3/2, 3/3 each); trunks T3 through T6 lead to access-layer source switches D (ports 2/1, 2/2), E (ports 3/1, 3/2) and F (ports 4/1, 4/2, 4/3), each with uplinks 1/1 and 1/2.]


Table 38-5 Configuring Multiple RSPAN Sessions

Switch            Port   RSPAN VLAN(s)  Direction  RSPAN CLI Commands
A (destination)   2/1    901            –          set rspan destination 2/1 901
A (destination)   2/2    902            –          set rspan destination 2/2 902
B (intermediate)  –      901, 902       –          No RSPAN CLI command needed
C (intermediate)  –      901, 902       –          No RSPAN CLI command needed
D (source)        2/1-2  901            Ingress    set rspan source 2/1-2 901 rx
E (source)        3/1-2  901            Egress     set rspan source 3/1-2 901 tx
F (source)        4/1-3  902            Both       set rspan source 4/1-3 902

Adding Multiple Network Analyzers to an RSPAN Session


You can attach multiple network analyzers (probes) to the same RSPAN session. For example, in
Figure 38-6, you can add probe 3 in Switch B to monitor RSPAN VLAN 901 using the set rspan
destination 1/2 901 command. Similarly, you could add source ports to Switch C.

Figure 38-6 Adding Multiple Probes to an RSPAN Session

[Figure: same topology as Figure 38-5, with probe 3 attached to intermediate Switch B port 1/2 in addition to probe 1 (Switch A port 2/1) and probe 2 (Switch A port 2/2).]


Chapter 39
Using Switch TopN Reports

This chapter describes how to use the Switch TopN Reports utility on the Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How the Switch TopN Reports Utility Works, page 39-1
• Running and Viewing Switch TopN Reports, page 39-3

Understanding How the Switch TopN Reports Utility Works


These sections describe how the Switch TopN Reports utility works:
• TopN Reports Overview, page 39-1
• Running Switch TopN Reports without the Background Option, page 39-2
• Running Switch TopN Reports with the Background Option, page 39-2

TopN Reports Overview


The Switch TopN Reports utility allows you to collect and analyze data for each physical port on a
switch.

Note The Switch TopN Reports utility cannot be used to generate reports on Multilayer Switch Module
(MSM) or Multilayer Switch Feature Card (MSFC and MSFC2) ports.

Note When calculating port utilization, the Switch TopN Reports utility bundles the Tx and Rx lines into the same
counter and also looks at the full-duplex bandwidth when calculating the percentage of utilization. For
example, a Gigabit Ethernet port would be 2000 Mbps full duplex.

The Switch TopN Reports utility collects the following data for each physical port:
• Port utilization (util)
• Number of in/out bytes (bytes)
• Number of in/out packets (pkts)
• Number of in/out broadcast packets (bcst)
• Number of in/out multicast packets (mcst)
• Number of in errors (in-errors)
• Number of buffer-overflow errors (buf-ovflw)
When the Switch TopN Reports utility starts, it gathers data from the appropriate hardware counters and
then goes into sleep mode for a user-specified period. When the sleep time ends, the utility gathers the
current data from the same hardware counters, compares the current data with the earlier data, and stores
the difference. The data for each port is sorted using a user-specified metric chosen from the values
shown in Table 39-1.

Table 39-1 Valid Switch TopN Reports Metric Values

Metric Value  Definition
util          Utilization
bytes         Input/output bytes
pkts          Input/output packets
bcst          Input/output broadcast packets
mcst          Input/output multicast packets
errors        Input errors
overflow      Buffer overflows
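The ranking the utility performs can be modelled directly. The following script is an added example, not Cisco's code: it takes two counter snapshots an interval apart, keeps the differences, and sorts by one of the Table 39-1 metrics, computing utilization the way the Note above describes (Tx and Rx bundled, measured against full-duplex bandwidth, so a 1000 Mbps port counts as 2000 Mbps). Port names, bandwidths and counter values are constructed.

```python
"""Model of how the Switch TopN Reports utility ranks ports.

Added example, not Cisco's code. It follows the procedure described in the
chapter: snapshot the per-port counters, sleep for the interval, snapshot
again, keep the differences and sort by the chosen metric. Utilization is
computed as the Note describes: Tx and Rx are bundled and measured against
full-duplex bandwidth. Port names, bandwidths and counters are constructed.
"""
from dataclasses import dataclass, fields

METRICS = ("util", "bytes", "pkts", "bcst", "mcst", "errors", "overflow")


@dataclass
class Counters:
    """One reading of a port's cumulative hardware counters."""
    tx_bytes: int = 0
    rx_bytes: int = 0
    tx_pkts: int = 0
    rx_pkts: int = 0
    tx_bcst: int = 0
    rx_bcst: int = 0
    tx_mcst: int = 0
    rx_mcst: int = 0
    in_errors: int = 0   # receive-side errors only, as in the report
    buf_ovflw: int = 0


def delta(before, after):
    """Difference between two snapshots; this is what the utility stores."""
    return Counters(**{f.name: getattr(after, f.name) - getattr(before, f.name)
                       for f in fields(Counters)})


def port_row(port, bandwidth_mbps, before, after, interval_s):
    """One report line: Tx + Rx totals and utilization against full-duplex capacity."""
    d = delta(before, after)
    total_bytes = d.tx_bytes + d.rx_bytes
    capacity_bits = 2 * bandwidth_mbps * 1_000_000 * interval_s  # full duplex
    return {
        "port": port,
        "bandwidth": bandwidth_mbps,
        "util": 100.0 * total_bytes * 8 / capacity_bits,
        "bytes": total_bytes,
        "pkts": d.tx_pkts + d.rx_pkts,
        "bcst": d.tx_bcst + d.rx_bcst,
        "mcst": d.tx_mcst + d.rx_mcst,
        "errors": d.in_errors,
        "overflow": d.buf_ovflw,
    }


def top_n(before, after, bandwidths, interval_s, n=5, metric="util"):
    """Rank every port by `metric` (descending, port name as tiebreak) and keep n rows."""
    if metric not in METRICS:
        raise ValueError(f"metric must be one of {METRICS}")
    rows = [port_row(p, bandwidths[p], before[p], after[p], interval_s) for p in before]
    rows.sort(key=lambda r: (-r[metric], r["port"]))
    return rows[:n]


# Constructed snapshots taken 30 seconds apart on three ports.
INTERVAL_S = 30
BANDWIDTHS = {"1/1": 100, "2/1": 1000, "2/9": 100}   # Mbps
BEFORE = {"1/1": Counters(), "2/1": Counters(), "2/9": Counters()}
AFTER = {
    "1/1": Counters(tx_bytes=4000, rx_bytes=3950, tx_pkts=41, rx_pkts=40,
                    tx_mcst=41, rx_mcst=40),
    "2/1": Counters(tx_bytes=1_500_000_000, rx_bytes=1_500_000_000,
                    tx_pkts=1_000_000, rx_pkts=1_000_000, rx_bcst=2),
    "2/9": Counters(),
}

if __name__ == "__main__":
    for row in top_n(BEFORE, AFTER, BANDWIDTHS, INTERVAL_S, n=5, metric="pkts"):
        print(f"{row['port']:>5} {row['bandwidth']:>5} {row['util']:5.1f}% "
              f"{row['bytes']:>12} {row['pkts']:>10}")
```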

Running Switch TopN Reports without the Background Option


If you enter the show top command without specifying the background option, processing begins but
the system prompt does not reappear on the screen and you cannot enter other commands while the report
is being generated.
You can terminate the Switch TopN process before it finishes by pressing Ctrl-C from the same console
or Telnet session, or by opening a separate console or Telnet session and entering the clear top
[report_num] command. After the Switch TopN Reports utility finishes processing the data, it displays
the output on the screen immediately. The output is not saved.

Running Switch TopN Reports with the Background Option


If you enter the show top command and specify the background option, processing begins and the
system prompt reappears immediately. When processing completes, the reports do not display
immediately on the screen, but are saved for later viewing.
The system notifies you when the reports are complete by sending a syslog message to the screen. Enter
the show top report [report_num] command to view the completed reports. The system displays only
those reports that are completed. For reports that are not completed, the system displays a short
description of the Switch TopN process information.

You can terminate a Switch TopN process invoked with the background option only by entering the
clear top [report_num] command. Pressing Ctrl-C does not terminate the process. Completed reports
remain available for viewing until you remove them using the clear top {all | report_num} command.

Running and Viewing Switch TopN Reports


To start the Switch TopN Reports utility in the background and view the results, perform this task in
privileged mode:

Task                                                    Command
Step 1  Run the Switch TopN Reports utility in the      show top [N] [metric] [interval interval] [port_type] background
        background.
Step 2  View the generated report when it is complete.  show top report [report_num]

Note You must run the Switch TopN Reports utility with the background keyword in order to use the
show top report command to view the completed report contents. Otherwise, the report is displayed
immediately upon completion of the process, and the results are not saved.

If you specify the report_num with the show top report command, the associated report is displayed.
Each process is associated with a unique report number.
If you do not specify the report_num variable, all active Switch TopN processes and all available Switch
TopN reports for the switch are displayed. All Switch TopN processes (both with and without the
background option) are shown in the list.
This example shows how to run the Switch TopN Reports utility with the background option:
Console> (enable) show top 5 pkts background
Console> (enable) 06/16/1998,17:21:08:MGMT-5:TopN report 4 started by Console//.
Console> (enable) 06/16/1998,17:21:39:MGMT-5:TopN report 4 available.
Console> (enable) show top report 4
Start Time: 06/16/1998,17:21:08
End Time: 06/16/1998,17:21:39
PortType: all
Metric: pkts (Tx + Rx)
Port Band- Uti Bytes Pkts Bcst Mcst Error Over
width % (Tx + Rx) (Tx + Rx) (Tx + Rx) (Tx + Rx) (Rx) flow
----- ----- --- -------------------- ---------- ---------- ---------- ----- ----
1/1 100 0 7950 81 0 81 0 0
2/1 100 0 2244 29 0 23 0 0
1/2 100 0 1548 12 0 12 0 0
2/10 100 0 0 0 0 0 0 0
2/9 100 0 0 0 0 0 0 0
Console> (enable)

To run the Switch TopN Reports utility in the foreground and view the results immediately, perform this
task in privileged mode:

Task                                                    Command
Run the Switch TopN Reports utility in the foreground.  show top [N] [metric] [interval interval] [port_type]

This example shows how to run the Switch TopN Reports utility in the foreground:
Console> (enable) show top 5 pkts
Start Time: 06/16/1998,17:26:38
End Time: 06/16/1998,17:27:09
PortType: all
Metric: pkts (Tx + Rx)
Port Band- Uti Bytes Pkts Bcst Mcst Error Over
width % (Tx + Rx) (Tx + Rx) (Tx + Rx) (Tx + Rx) (Rx) flow
----- ----- --- -------------------- ---------- ---------- ---------- ----- ----
2/1 100 0 10838 94 2 26 0 0
1/1 100 0 7504 79 0 79 0 0
1/2 100 0 2622 21 0 21 0 0
2/10 100 0 0 0 0 0 0 0
2/9 100 0 0 0 0 0 0 0
Console> (enable)

To display stored and pending reports, perform this task in privileged mode:

Task Command
Display a report. show top report [report_num]

Note To display all stored and pending reports, do not specify a report_num.

This example shows how to display a specific report and how to display all stored and pending reports:
Console> (enable) show top report 5
Start Time: 06/16/1998,17:29:40
End Time: 06/16/1998,17:30:11
PortType: all
Metric: overflow
Port Band- Uti Bytes Pkts Bcst Mcst Error Over
width % (Tx + Rx) (Tx + Rx) (Tx + Rx) (Tx + Rx) (Rx) flow
----- ----- --- -------------------- ---------- ---------- ---------- ----- ----
1/1 100 0 7880 83 0 83 0 0
2/12 100 0 0 0 0 0 0 0
2/11 100 0 0 0 0 0 0 0
2/10 100 0 0 0 0 0 0 0
2/9 100 0 0 0 0 0 0 0
Console> (enable) show top report
Rpt Start time Int N Metric Status Owner (type/machine/user)
--- ------------------- --- --- ---------- -------- -------------------------
1 06/16/1998,17:05:00 30 20 Util done telnet/172.16.52.3/
2 06/16/1998,17:05:59 30 5 Util done telnet/172.16.52.3/
3 06/16/1998,17:08:06 30 5 Pkts done telnet/172.16.52.3/
4 06/16/1998,17:21:08 30 5 Pkts done Console//
5 06/16/1998,17:29:40 30 5 Overflow pending Console//
Console> (enable)

To remove stored reports, perform this task in privileged mode:

Task                                                                  Command
Remove reports. Use the all keyword to remove all completed reports.  clear top {all | report_num}

Note The clear top all command does not clear pending reports. Only the reports that have
completed are cleared.

This example shows how to remove a specific report and how to remove all stored reports:
Console> (enable) clear top 4
Console> (enable) 06/16/1998,17:36:45:MGMT-5:TopN report 4 killed by Console//.
Console> (enable) clear top all
06/16/1998,17:36:52:MGMT-5:TopN report 1 killed by Console//.
06/16/1998,17:36:52:MGMT-5:TopN report 2 killed by Console//.
Console> (enable) 06/16/1998,17:36:52:MGMT-5:TopN report 3 killed by Console//.
06/16/1998,17:36:52:MGMT-5:TopN report 5 killed by Console//.
Console> (enable)

Chapter 40
Configuring Multicast Services

This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping, GARP
Multicast Registration Protocol (GMRP), and Router-Port Group Management Protocol (RGMP) on the
Catalyst 6000 family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How Multicasting Works, page 40-1
• Configuring IGMP Snooping, page 40-6
• Configuring GMRP, page 40-12
• Configuring Multicast Router Ports and Group Entries, page 40-20
• Configuring RGMP, page 40-22
• Displaying Multicast Protocol Status, page 40-25

Understanding How Multicasting Works


These sections describe how multicasting works on the Catalyst 6000 family switches:
• Multicasting and Multicast Services Overview, page 40-2
• Understanding How IGMP Snooping Works, page 40-2
• Understanding How GMRP Works, page 40-4
• Understanding How RGMP Works, page 40-5
• Suppressing Multicast Traffic, page 40-5
• Nonreverse Path Forwarding Multicast Fast Drop, page 40-5
• Enabling Installation of Directly Connected Subnets, page 40-6

Multicasting and Multicast Services Overview


IGMP snooping manages multicast traffic in switches by allowing directed switching of IP multicast
traffic. GMRP is protocol independent and can manage both IP multicast traffic and any Layer 2
multicast traffic.
Switches can use IGMP snooping or GMRP to configure switch ports dynamically so that IP multicast
traffic is forwarded only to those ports associated with IP multicast hosts. IGMP software components
run on both the Cisco router and the switch.

Note For more information on IP multicast and IGMP, refer to RFC 1112. GMRP is described in
IEEE 802.1p.

You can statically configure multicast groups using the set cam static command. Multicast groups
learned through IGMP snooping are dynamic. If you specify group membership for a multicast group
address, your static setting supersedes any automatic manipulation by IGMP snooping or GMRP.
Multicast group membership lists can consist of both user-defined settings and settings learned through
IGMP snooping or GMRP.

Understanding How IGMP Snooping Works

Note You can run IGMP snooping on any Catalyst 6000 family supervisor engine model (Supervisor Engine 1,
Supervisor Engine 1A, and Supervisor Engine 2). A PFC is not required to enable IGMP snooping. Cisco
Group Management Protocol (CGMP) is not supported on the Catalyst 6000 family switches, although
CGMP server is supported on the MSFC. To support CGMP client devices, configure the MSFC as a
CGMP server.

IGMP snooping manages multicast traffic at Layer 2 on the Catalyst 6000 family switches by allowing
directed switching of IP multicast traffic.
Switches can use IGMP snooping to configure Layer 2 interfaces dynamically so that IP multicast traffic
is forwarded only to those interfaces associated with IP multicast devices.
Catalyst 6000 switches can distinguish IGMP control traffic from multicast data traffic. When IGMP is
enabled on the switch, IGMP control traffic is redirected to the CPU for further processing. This process is
performed in hardware by specialized ASICs, which allow the switch to snoop IGMP control traffic with no
performance penalty.
The route processor periodically sends out general queries to all VLANs, and as multicast receivers
respond to the router’s queries, the switch intercepts them. Only the first IGMP join (report) per VLAN
and per IP multicast group is forwarded to the router. Subsequent reports for the same VLAN and group are
suppressed. The switch processor creates one entry per VLAN in the Layer 2 forwarding table for each
MAC group from which it receives an IGMP join request. All hosts interested in this multicast traffic
send join requests and are added to the port list of this forwarding table entry.
If a port is disabled, it will be removed from all multicast group entries.

Note You cannot enable IGMP snooping on a switch if GMRP is already enabled on the switch.

Joining a Multicast Group


When a host wants to join an IP multicast group, it sends an IGMP join (also known as a join message)
specifying the IP multicast group it wants to join (for example, group 224.1.2.3). The switch hardware
recognizes that the packet is an IGMP report and redirects it to the switch CPU. The switch installs a
new group entry for 01-00-5e-01-02-03 and adds the host port and the router port to that entry. The
switch then relays the join from the host to all multicast router ports. The designated multicast router for
the segment adds the outgoing interface (OIF) to the outgoing interface list (OIL) for the group and begins
forwarding multicast traffic for 224.1.2.3 to this segment.
When a second host in this VLAN wants to join group 224.1.2.3, it sends out an IGMP join for this
group. The switch hardware recognizes that this is an IGMP control packet and redirects it to the switch
CPU. Since the switch already has a group entry for 01-00-5e-01-02-03 in this VLAN, it just adds the
second host port to the entry. Because this is not the first host joining the group, the switch suppresses
the report (does not send it to the router).

Constraining Multicast Traffic


When a host sends multicast traffic to a group, the switch hardware does not recognize the stream as IGMP
control packets and therefore the packets are not redirected to the switch CPU. Instead the multicast traffic
hits the MAC group entry and the switch constrains the traffic to only those ports that have been added to that
group entry.
The router sends IGMP general queries every 60 seconds by default. The switch floods these queries on
all ports in the VLAN, and hosts that are interested in a multicast group respond with an IGMP join for
each group in which they are interested.
The switch intercepts these IGMP joins, and only the first join per VLAN and per IP multicast group is
forwarded on the multicast router ports. Subsequent reports for the same VLAN and group are
suppressed (not sent to the router).

Note If there are CGMP switches in the network, join and leave suppression does not occur. In a network
that has both IGMP and CGMP switches, all join and leave messages are forwarded to the multicast
routers so that CGMP join and leave messages can be generated by the router.

Leaving a Multicast Group


The designated multicast router for a segment continues forwarding the multicast traffic to that VLAN as long
as at least one host in the VLAN wishes to receive multicast traffic. When hosts want to leave a multicast
group, they can either ignore the periodic general queries sent by the multicast router (IGMP v1 host
behavior), or they can send an IGMP leave (IGMP v2 host behavior). When the switch receives a leave
message, it sends out a MAC-based general query on the port on which it received the leave message to
determine if any devices connected to this port are interested in traffic for the specific multicast group. If this
port is the last port in the VLAN, the switch sends a MAC-based general query to all ports in the VLAN.
MAC-based general queries are addressed to the Layer 2 Group Destination Address (GDA) MAC
address for which the IGMP leave message was received. At Layer 3, the MAC-based general queries
are addressed to 224.0.0.1 (all hosts), and in the IGMP header, the group address field is set to 0.0.0.0.
If no IGMP join is received for any of the IP multicast groups that map to the MAC multicast group address,
the port is removed from the multicast forwarding entry. If the port is not the last non-multicast-router
port in the entry, the switch suppresses the IGMP leave (does not send it to the router). If the port is the last
non-multicast-router port in the entry, the IGMP leave is forwarded to the multicast router ports and the
MAC group forwarding entry is removed.

Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4


78-13315-02 40-3
Chapter 40 Configuring Multicast Services
Understanding How Multicasting Works

When the router receives the IGMP leave, it sends several IGMP group-specific queries. If no join
messages are received in response to the queries, and there are no downstream routers connected through
that interface, the router removes the interface from the OIL for that IP multicast group entry in the
multicast routing table.

IGMP Fast-Leave Processing


IGMP snooping fast-leave processing allows the switch processor to remove an interface from the port
list of a forwarding-table entry without first sending out a MAC-based general query on the port. When an
IGMP leave is received on a port, the port is immediately removed from the multicast forwarding entry (or
the entire entry is removed).

Note Do not use the fast-leave processing feature if more than one host is connected to each port. If
fast-leave is enabled when more than one host is connected to a port, some hosts might be dropped
inadvertently. Fast leave is supported with IGMP version 2 hosts only.
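The join suppression, MAC-based general query and fast-leave behaviour described above, modelled as an added example (this is not Cisco code from the guide). The class and function names, the port numbers and the event sequence in igmp_demo() are assumptions made for illustration; the IP-to-MAC mapping is the standard 01-00-5e plus low 23 bits rule, which is what makes several IP groups share one forwarding entry:

```python
# Added example (not Cisco code): a model of the IGMP snooping join/leave
# behaviour described in the text. Class and function names, port numbers
# and the event sequence in igmp_demo() are assumptions for illustration.
import ipaddress


def group_mac(ip_group):
    """Map an IPv4 multicast group to its Layer 2 GDA MAC (01-00-5e + low 23 bits).

    Only 23 of the 28 group-address bits survive, so 32 IP groups share one
    MAC. That is why the switch keeps its forwarding entry per MAC and treats
    a leave as final only when no IP group mapping to that MAC is still wanted.
    """
    addr = ipaddress.IPv4Address(ip_group)
    if not addr.is_multicast:
        raise ValueError("%s is not an IPv4 multicast group" % ip_group)
    low23 = int(addr) & 0x7FFFFF
    return "01-00-5e-%02x-%02x-%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


class IgmpSnoopingVlan:
    """Snooping state for one VLAN: GDA MAC -> {host port -> joined IP groups}.

    Multicast router ports are kept separately: they always receive the group
    traffic and never count as the "last port" of an entry.
    """

    def __init__(self, router_ports, fast_leave=False):
        self.router_ports = set(router_ports)
        self.fast_leave = fast_leave
        self.entries = {}
        self.to_router = []  # messages the switch forwarded on the router ports

    def join(self, port, ip_group):
        """Return True if the join was forwarded to the router ports, False if suppressed."""
        mac = group_mac(ip_group)
        entry = self.entries.setdefault(mac, {})
        first_for_group = not any(ip_group in groups for groups in entry.values())
        entry.setdefault(port, set()).add(ip_group)
        if first_for_group:
            self.to_router.append(("join", ip_group, sorted(self.router_ports)))
        return first_for_group

    def leave(self, port, ip_group, replies=frozenset()):
        """Process an IGMPv2 leave received on `port`.

        `replies` is the set of IP groups for which a host on the port answers
        the MAC-based general query; with fast-leave no query is sent and the
        port is dropped at once. Returns the actions the switch took.
        """
        mac = group_mac(ip_group)
        actions = {"query_sent": False, "port_removed": False,
                   "leave_forwarded": False, "entry_removed": False}
        entry = self.entries.get(mac)
        if entry is None or port not in entry:
            return actions
        if self.fast_leave:
            still_wanted = set()
        else:
            actions["query_sent"] = True
            # A reply for a group on a different GDA does not keep this port.
            still_wanted = {g for g in replies if group_mac(g) == mac}
        if still_wanted:
            entry[port] = still_wanted
            return actions
        del entry[port]
        actions["port_removed"] = True
        if entry:
            return actions  # other host ports remain: the leave is suppressed
        del self.entries[mac]
        actions["entry_removed"] = True
        actions["leave_forwarded"] = True
        self.to_router.append(("leave", ip_group, sorted(self.router_ports)))
        return actions


def igmp_demo():
    """Constructed sequence: two hosts join one group, then leave one after the other."""
    vlan = IgmpSnoopingVlan(router_ports={"1/1"})
    vlan.join("2/6", "239.1.1.1")   # first join in the VLAN: forwarded to 1/1
    vlan.join("2/7", "239.1.1.1")   # second join: suppressed
    vlan.leave("2/6", "239.1.1.1")  # query on 2/6, no reply: port dropped, leave suppressed
    vlan.leave("2/7", "239.1.1.1")  # last host port: entry removed, leave forwarded
    return vlan.to_router
```

Passing replies to leave() models a host on the same port that still wants a different IP group mapping to the same GDA MAC: the port stays in the entry, which is exactly the case the text covers with "any of the IP multicast groups that map to the MAC multicast group address". With fast_leave=True the query step is skipped, which is why the text warns against it on ports with more than one host.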

Understanding How GMRP Works


GMRP is a Generic Attribute Registration Protocol (GARP) application that provides a constrained
multicast flooding facility similar to IGMP snooping. GMRP and GARP are industry-standard protocols
defined by the IEEE. For detailed protocol operational information, refer to 802.1p.
GMRP software components run on both the switch and on the host. (Cisco is not a source for GMRP
host software.) On the host, in an IP multicast environment, you must use IGMP with GMRP; the host
GMRP software spawns Layer 2 GMRP versions of the host’s Layer 3 IGMP control packets. The
switch receives both the Layer 2 GMRP and the Layer 3 IGMP traffic from the host. The switch
forwards the Layer 3 IGMP control packets to the router and uses the received GMRP traffic to constrain
multicasts at Layer 2 in the host’s VLAN.
When a host wants to join an IP multicast group, it sends an IGMP join, which spawns a GMRP join.
When the switch receives the GMRP join, it adds the port through which the join was received to the
appropriate multicast group. The switch propagates the GMRP join to all other hosts in the VLAN, one
of which is typically the multicast source. When the source is multicasting to the group, the switch
forwards the multicast only to the ports from which it received join messages for the group.
The switch sends periodic GMRP queries. If a host wants to remain in a multicast group, it responds to
the query and the switch does nothing. If a host does not want to remain in the multicast group, it can
either send a leave message or not respond to the periodic queries from the switch. If the switch receives
a leave message or receives no response from the host for the duration of the leaveall timer, the switch
removes the host from the multicast group.

Note To use GMRP in a routed environment, enable the GMRP forwardall option on all ports where
routers are attached. (See the “Enabling GMRP Forward-All Option” section on page 40-15.)

Understanding How RGMP Works


Without RGMP, all multicast routers receive all multicast data traffic entering the switch. With RGMP, a
multicast router can request not to receive multicast traffic if that router has no downstream receivers for the
multicast traffic. Catalyst 6000 family switches support RGMP, which enables a switch to reduce network
congestion by forwarding multicast data traffic only to those routers that are configured to receive it.

Note To use RGMP, IGMP snooping must be enabled on the switch, and Protocol Independent Multicast (PIM)
must be enabled on all routers. Only PIM sparse mode is currently supported.

All routers on the network must be RGMP-capable. RGMP-capable routers periodically send an RGMP
hello message to the switch. The RGMP hello message tells the switch not to send multicast data to the
router unless an RGMP join has also been sent to the switch from that router. When an RGMP join is
sent, the router is able to receive multicast data. To learn how to set a router to receive RGMP data, see
the “RGMP-Related CLI Commands” section on page 40-25.
To stop receiving multicast data, a router must send an RGMP leave message to the switch. To disable
RGMP on a router, the router must send an RGMP bye message to the switch.
Table 40-1 provides a summary of the RGMP packet types.

Table 40-1 RGMP Message Types

Message   Action
-------   --------------------------------------------------------------------------------
Hello     When the RGMP feature is enabled on the router, the switch sends no multicast data
          traffic to the router unless an RGMP join is specifically sent for a group.
Bye       When the RGMP feature is disabled on the router, the switch sends all multicast data
          traffic to the router.
Join      Multicast data traffic for the multicast MAC address derived from the L3 group
          address G is sent to the router. These packets carry group G in the Group Address
          field of the RGMP packet.
Leave     Multicast data traffic for group G is no longer sent to the router. These packets
          carry group G in the Group Address field of the RGMP packet.
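The four message types in Table 40-1 above define a small per-router state on the switch, shown here as an added example (not Cisco code). The class and method names are illustrative, and discarding a router's outstanding joins when it sends Bye is a modelling assumption the table does not state:

```python
# Added example (not Cisco code): the per-router state a switch derives from
# the RGMP message types in Table 40-1. Names are illustrative; clearing the
# join set on Bye is an assumption the table does not state.
class RgmpRouterPort:
    """Tracks what the switch should send to one multicast router port."""

    def __init__(self):
        self.rgmp_enabled = False   # set by Hello, cleared by Bye
        self.joined = set()         # Layer 3 groups G announced with Join

    def receive(self, msg_type, group=None):
        """Update the state from one RGMP message sent by the router."""
        if msg_type == "hello":
            self.rgmp_enabled = True
        elif msg_type == "bye":
            self.rgmp_enabled = False
            self.joined.clear()      # assumption: a Bye discards pending joins
        elif msg_type == "join":
            self.joined.add(group)
        elif msg_type == "leave":
            self.joined.discard(group)
        else:
            raise ValueError("unknown RGMP message type: %r" % (msg_type,))
        return self

    def forwards(self, group):
        """Without RGMP (no Hello yet, or after Bye) the router receives all
        multicast data; with RGMP it receives only the groups it has joined."""
        return (not self.rgmp_enabled) or (group in self.joined)


def rgmp_demo():
    """Constructed exchange: the router enables RGMP, joins a group, leaves it, then disables RGMP."""
    port = RgmpRouterPort()
    trace = [port.forwards("239.1.1.1")]                                   # True: no RGMP yet
    trace.append(port.receive("hello").forwards("239.1.1.1"))              # False: nothing joined
    trace.append(port.receive("join", "239.1.1.1").forwards("239.1.1.1"))  # True
    trace.append(port.forwards("239.2.2.2"))                               # False: not joined
    trace.append(port.receive("leave", "239.1.1.1").forwards("239.1.1.1")) # False
    trace.append(port.receive("bye").forwards("239.1.1.1"))                # True: RGMP off
    return trace
```

The forwards() decision is the whole point of the feature: a router port that has sent Hello receives only what it has joined, so a mis-configured router that never sends Join will starve its downstream receivers rather than flood them.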

Suppressing Multicast Traffic


On Gigabit Ethernet ports, you can limit the amount of bandwidth to be used for multicast traffic. Use
the set port broadcast command to specify a percentage of the total bandwidth to be used for multicast
traffic on Gigabit Ethernet ports.

Nonreverse Path Forwarding Multicast Fast Drop


In a redundant configuration where multiple routers connect to the same LAN segment, only one router
forwards the multicast traffic from the source to the receivers on the outgoing interfaces. In this kind of
topology, only the Protocol Independent Multicast designated forwarder (PIM-DF) forwards the data in
the common VLAN, but the non-PIM-DF receives the forwarded multicast traffic. The redundant router
(non-PIM-DF) must drop this traffic because it has arrived on the wrong interface and will fail the
reverse path forwarding (RPF) check. Traffic that fails the RPF check is called non-RPF traffic.

Non-RPF multicast fast drop (MFD) rate limits packets that fail the RPF check (non-RPF packets) and
drops the majority of the non-RPF packets in hardware. According to the multicast protocol
specification, the router needs to see the non-RPF packets for the PIM assert mechanism to work, so not
all non-RPF packets can be dropped in hardware. To support the PIM assert mechanism, the PFC leaks
a percentage of the non-RPF flow packets to the MSFC.
Non-RPF MFD is enabled on the switch by default. Non-RPF MFD is supported with Supervisor
Engine 2 only.

Enabling Installation of Directly Connected Subnets


In PIM sparse mode, a first-hop router that is the designated router (DR) for the interface may need to
encapsulate the source traffic in a PIM register message and unicast it to the rendezvous point (RP). To
prevent new sources for the group from being learned in the routing table, the (*,G) flows should remain
completely hardware-switched flows. (subnet/mask, 224/4) entries installed in the hardware FIB allow
both (*,G) flows to remain completely hardware-switched flows, and new, directly connected sources to
be learned correctly. Installation of directly connected subnets is enabled globally by default. One
(subnet/mask, 224/4) entry is installed per PIM-enabled interface.
Use the show mls ip multicast connected command to view such FIB entries.
To enable installation of directly connected subnets, perform this task:

Task                                                  Command
Enable downloading of directly connected subnets.     Router(config)# mls ip multicast connected

This example shows how to install directly connected subnets:
Router(config)# mls ip multicast connected
Router(config)#

Configuring IGMP Snooping


IGMP snooping allows switches to examine IGMP packets and make forwarding decisions based on
their content.

Note Quality of service (QoS) does not support IGMP traffic when IGMP snooping is enabled.

These sections describe how to configure IGMP snooping:


• Default IGMP Snooping Configuration, page 40-7
• Enabling IGMP Snooping, page 40-7
• Specifying IGMP Snooping Mode, page 40-8
• Enabling IGMP Fast-Leave Processing, page 40-9
• Enabling IGMP Rate Limiting, page 40-8
• Displaying Multicast Router Information, page 40-9
• Displaying Multicast Group Information, page 40-10
• Displaying IGMP Snooping Statistics, page 40-11
• Disabling IGMP Fast-Leave Processing, page 40-12
• Disabling IGMP Snooping, page 40-12

Default IGMP Snooping Configuration


Table 40-2 shows the default IGMP snooping configuration.

Note IGMP snooping is enabled by default in supervisor engine software release 5.5(9) and later releases
and 6.3(1) and later releases.

Table 40-2 IGMP Snooping Default Configuration

Feature             Default Value
IGMP snooping       Disabled
Multicast routers   None configured

Enabling IGMP Snooping

Note You cannot enable IGMP snooping if GMRP is enabled.

To enable IGMP snooping, perform this task in privileged mode:

Task Command
Step 1 Enable IGMP snooping on the switch. set igmp enable
Step 2 Verify that IGMP snooping is enabled. show igmp statistics [vlan]

This example shows how to enable IGMP snooping and verify the configuration:
Console> (enable) set igmp enable
IGMP Snooping is enabled.
Console> (enable) show igmp statistics
IGMP enabled
IGMP statistics for vlan 1:
Total valid pkts rcvd: 18951
Total invalid pkts recvd 0
General Queries recvd 377
Group Specific Queries recvd 0
MAC-Based General Queries recvd 0
Leaves recvd 14
Reports recvd 16741
Queries Xmitted 0
GS Queries Xmitted 16
Reports Xmitted 0
Leaves Xmitted 0
Failures to add GDA to EARL 0
Topology Notifications rcvd 10
IGMP packets dropped 0
Console> (enable)

Specifying IGMP Snooping Mode


IGMP snooping runs in either IGMP-only mode or IGMP-CGMP mode. The switch dynamically
chooses either IGMP-only or IGMP-CGMP mode, depending on the traffic present on the network.
IGMP-only mode is used in networks with no CGMP devices. IGMP-CGMP mode is used in networks
with both IGMP and CGMP devices. Auto mode overrides the dynamic switching of the modes.
To specify the IGMP snooping mode, perform this task in privileged mode:

Task Command
Step 1 Specify the IGMP snooping mode. set igmp mode {igmp-only | igmp-cgmp | auto}
Step 2 Display the IGMP snooping mode. show igmp mode

This example shows how to set the IGMP mode to IGMP-only and verify the configuration:
Console> (enable) set igmp mode igmp-only
IGMP mode set to igmp-only
Console> (enable) show igmp mode
IGMP Mode: igmp-only
IGMP Operational Mode: igmp-only
IGMP Address Aliasing Mode: normal
Console> (enable)

Enabling IGMP Rate Limiting


IGMP rate limiting is disabled by default and the default rate limit is 100 packets per 30 seconds for all
packet types. Valid rate-limit values are from 1 to 65535 packets per 30 seconds.

Note If IGMP rate limiting and multicast are enabled, multicast router ports might age out sporadically
because the rate of the multicast control packets (such as PIMv2 hellos or IGMP general queries)
exceeds the IGMP rate limit watermarks that were configured. The default value for these
watermarks is 100. We recommend that you increase the PIMv2 hello ratelimit to 3000 by entering
the set igmp ratelimit pimv2 3000 command. You can also increase the IGMP general queries rate
limit; we recommend that you set the value to 500 by entering the set igmp ratelimit
general-query 500 command.

To enable IGMP rate limiting and set the rate limit for IGMP snooping packets, perform this task in
privileged mode:

Task                                                  Command
Enable IGMP rate limiting and set a rate limit for    set igmp ratelimit {enable | disable}
IGMP snooping packets.                                set igmp ratelimit {dvmrp | general-query | mospf1 | mospf2 | pimv2} rate

This example shows how to enable IGMP rate limiting:
Console> (enable) set igmp ratelimit enable
IGMP Ratelimiting enabled
Console> (enable)

This example shows how to set the IGMP rate limit for MOSPF2 to 550 packets every 30 seconds:
Console> (enable) set igmp ratelimit mospf2 550
MOSPF2 Watermark set to allow 550 messages in 30 seconds
Console> (enable)

Enabling IGMP Fast-Leave Processing


To enable IGMP fast-leave processing, perform this task in privileged mode:

Task                                                          Command
Step 1   Enable IGMP fast-leave processing on the switch.     set igmp fastleave enable
Step 2   Verify that IGMP fast-leave processing is enabled.   show igmp statistics

This example shows how to enable IGMP fast-leave processing and verify the configuration:
Console> (enable) set igmp fastleave enable
IGMP fastleave set to enable.
Console> (enable) show igmp statistics
IGMP enabled
IGMP fastleave enabled

IGMP statistics for vlan 1:
Total valid pkts rcvd: 18951
Total invalid pkts recvd 0
General Queries recvd 377
Group Specific Queries recvd 0
MAC-Based General Queries recvd 0
Leaves recvd 14
Reports recvd 16741
Other Pkts recvd 0
Queries Xmitted 0
GS Queries Xmitted 16
Reports Xmitted 0
Leaves Xmitted 0
Failures to add GDA to EARL 0
Topology Notifications rcvd 10
Console> (enable)

Displaying Multicast Router Information


When you enable IGMP snooping, the switch automatically learns to which ports a multicast router is
connected.

To display the dynamically learned multicast router information, perform these tasks in privileged mode:

Task                                                                   Command
Display information on dynamically learned and manually configured     show multicast router [mod/port] [vlan_id]
multicast router ports.
Display information only on those multicast router ports learned       show multicast router igmp [mod/port] [vlan_id]
dynamically using IGMP snooping.

This example shows how to display information on all multicast router ports (the asterisk [*] next to the
multicast router on port 5/7 indicates that the entry was configured manually):
Console> (enable) show multicast router
IGMP enabled

Port Vlan
--------- ----------------
1/1 1
2/1 2,99,255
5/7 * 99

Total Number of Entries = 3

'*' - Configured
Console> (enable)

This example shows how to display only those multicast router ports that were learned dynamically
through IGMP:
Console> (enable) show multicast router igmp
IGMP enabled

Port Vlan
--------- ----------------
1/1 1
2/1 2,99,255

Total Number of Entries = 2

'*' - Configured
Console> (enable)

Displaying Multicast Group Information


To display information about multicast groups, perform these tasks in privileged mode:

Task                                                                   Command
Display information about multicast groups.                            show multicast group [mac_addr] [vlan_id]
Display only information about multicast groups learned dynamically    show multicast group igmp [mac_addr] [vlan_id]
through IGMP.
Display the total number of multicast addresses (groups) in each       show multicast group count [vlan_id]
VLAN.
Display the total number of multicast addresses (groups) in each       show multicast group count igmp [vlan_id]
VLAN that were learned dynamically through IGMP.

This example shows how to display information about all multicast groups on the switch:
Console> (enable) show multicast group
IGMP enabled

VLAN Dest MAC/Route Des Destination Ports or VCs / [Protocol Type]
---- ------------------ ----------------------------------------------------
1 01-00-11-22-33-44* 2/6-12
1 01-11-22-33-44-55* 2/6-12
1 01-22-33-44-55-66* 2/6-12
1 01-33-44-55-66-77* 2/6-12

Total Number of Entries = 4
Console> (enable)

Displaying IGMP Snooping Statistics


To display IGMP snooping statistics on the switch, perform this task:

Task Command
Display IGMP snooping statistics. show igmp statistics [vlan_id]

This example shows how to display IGMP snooping statistics:
Console> (enable) show igmp statistics
IGMP enabled

IGMP statistics for vlan 1:
Total valid pkts rcvd: 18951
Total invalid pkts recvd 0
General Queries recvd 377
Group Specific Queries recvd 0
MAC-Based General Queries recvd 0
Leaves recvd 14
Reports recvd 16741
Queries Xmitted 0
GS Queries Xmitted 16
Reports Xmitted 0
Leaves Xmitted 0
Failures to add GDA to EARL 0
Topology Notifications rcvd 10
IGMP packets dropped 0
Console> (enable)
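An added example (not Cisco code) that parses the text of show igmp statistics as printed above and flags the counters a defender would watch when checking snooping health. SAMPLE_OUTPUT is the session shown above; the set of watched counters and the SAMPLE_WITH_DROPS variant are constructed for illustration:

```python
# Added example (not Cisco code): parse `show igmp statistics` output and flag
# the counters worth watching. SAMPLE_OUTPUT is the session printed in the
# text; WATCHED and SAMPLE_WITH_DROPS are constructed for illustration.
import re

SAMPLE_OUTPUT = """\
Console> (enable) show igmp statistics
IGMP enabled

IGMP statistics for vlan 1:

Total valid pkts rcvd: 18951
Total invalid pkts recvd 0
General Queries recvd 377
Group Specific Queries recvd 0
MAC-Based General Queries recvd 0
Leaves recvd 14
Reports recvd 16741
Queries Xmitted 0
GS Queries Xmitted 16
Reports Xmitted 0
Leaves Xmitted 0
Failures to add GDA to EARL 0
Topology Notifications rcvd 10
IGMP packets dropped 0
Console> (enable)
"""

# Constructed variant with a nonzero drop counter, to show an alert firing.
SAMPLE_WITH_DROPS = SAMPLE_OUTPUT.replace("IGMP packets dropped 0",
                                          "IGMP packets dropped 42")

VLAN_RE = re.compile(r"^IGMP statistics for vlan (\d+):$")
COUNTER_RE = re.compile(r"^(.*?):?\s+(\d+)$")

# Counters that should stay at zero on a healthy switch, and why they matter.
WATCHED = {
    "Total invalid pkts recvd": "malformed IGMP packets seen on the VLAN",
    "Failures to add GDA to EARL": "forwarding table could not take a new group",
    "IGMP packets dropped": "IGMP control packets dropped (rate limit or resources)",
}


def parse_igmp_statistics(text):
    """Return {'enabled': bool, 'fastleave': bool, 'vlans': {vlan: {counter: value}}}."""
    stats = {"enabled": False, "fastleave": False, "vlans": {}}
    vlan = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Console>"):
            continue
        if line == "IGMP enabled":
            stats["enabled"] = True
            continue
        if line == "IGMP fastleave enabled":
            stats["fastleave"] = True
            continue
        m = VLAN_RE.match(line)
        if m:
            vlan = int(m.group(1))
            stats["vlans"][vlan] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and vlan is not None:
            stats["vlans"][vlan][m.group(1)] = int(m.group(2))
    return stats


def igmp_alerts(stats):
    """Return (vlan, counter, value, reason) for every watched counter that is nonzero."""
    alerts = []
    for vlan, counters in sorted(stats["vlans"].items()):
        for name, reason in WATCHED.items():
            value = counters.get(name, 0)
            if value:
                alerts.append((vlan, name, value, reason))
    return alerts
```

The parser handles several "IGMP statistics for vlan N:" sections in one capture, so the same two functions work on the output for a single VLAN or for all of them. A rising "IGMP packets dropped" count is the symptom the rate-limiting note in this chapter describes, and "Failures to add GDA to EARL" is the counter to check when groups stop being learned.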

Disabling IGMP Fast-Leave Processing


To disable IGMP fast-leave processing, perform this task in privileged mode:

Task                                                  Command
Disable IGMP fast-leave processing on the switch.     set igmp fastleave disable

This example shows how to disable IGMP fast-leave processing on the switch:
Console> (enable) set igmp fastleave disable
IGMP fastleave set to disable.
Console> (enable)

Disabling IGMP Snooping


To disable IGMP snooping on the switch, perform this task in privileged mode:

Task Command
Disable IGMP snooping on the switch. set igmp disable

This example shows how to disable IGMP snooping:
Console> (enable) set igmp disable
IGMP feature for IP multicast disabled
Console> (enable)

Configuring GMRP
These sections describe how to configure the GARP Multicast Registration Protocol (GMRP):
• GMRP Software Requirements, page 40-13
• Default GMRP Configuration, page 40-13
• Enabling GMRP Globally, page 40-13
• Enabling GMRP on Individual Switch Ports, page 40-14
• Disabling GMRP on Individual Switch Ports, page 40-14
• Enabling GMRP Forward-All Option, page 40-15
• Disabling GMRP Forward-All Option, page 40-15
• Configuring GMRP Registration, page 40-16
• Setting the GARP Timers, page 40-17
• Displaying GMRP Statistics, page 40-19
• Clearing GMRP Statistics, page 40-19
• Disabling GMRP Globally on the Switch, page 40-19

Note For an overview of GMRP operation, see the “Understanding How GMRP Works” section on
page 40-4.

GMRP Software Requirements


GMRP requires supervisor engine software release 5.2 or later releases.

Default GMRP Configuration


Table 40-3 shows the default GMRP configuration.

Table 40-3 GMRP Default Configuration

Feature                      Default Value
GMRP enable state            Disabled
GMRP per-port enable state   Disabled
GMRP forward all             Disabled on all ports
GMRP registration            Normal on all ports
GARP/GMRP timers             Join time: 200 ms
                             Leave time: 600 ms
                             Leaveall time: 10,000 ms

Enabling GMRP Globally

Note You cannot enable GMRP if IGMP snooping is enabled.

To enable GMRP globally, perform this task in privileged mode:

Task Command
Step 1 Enable GMRP globally on the switch. set gmrp enable
Step 2 Verify the configuration. show gmrp configuration

This example shows how to enable GMRP globally and verify the configuration:
Console> (enable) set gmrp enable
GMRP enabled.
Console> (enable) show gmrp configuration
Global GMRP Configuration:
GMRP Feature is currently enabled on this switch.
GMRP Timers (milliseconds):
Join = 200
Leave = 600
LeaveAll = 10000
Port based GMRP Configuration:
Port GMRP Status Registration ForwardAll
-------------------------------------------- ----------- ------------ ----------
1/1-2,3/1,6/1-48,7/1-24 Enabled Normal Disabled
Console> (enable)

Enabling GMRP on Individual Switch Ports

Note You can change the per-port GMRP configuration regardless of whether GMRP is enabled globally.
However, GMRP will not function on any ports until you enable it globally. For information on
configuring GMRP globally on the switch, see the “Enabling GMRP Globally” section on
page 40-13.

To enable GMRP on individual switch ports, perform this task in privileged mode:

Task Command
Step 1 Enable GMRP on an individual switch port. set port gmrp enable mod/port
Step 2 Verify the configuration. show gmrp configuration

This example shows how to enable GMRP on port 6/12 and verify the configuration:
Console> (enable) set port gmrp enable 6/12
GMRP enabled on port 6/12.
Console> (enable) show gmrp configuration
Global GMRP Configuration:
GMRP Feature is currently enabled on this switch.
GMRP Timers (milliseconds):
Join = 200
Leave = 600
LeaveAll = 10000
Port based GMRP Configuration:
Port GMRP Status Registration ForwardAll
-------------------------------------------- ----------- ------------ ----------
1/1-2,3/1,6/1-9,6/12,6/15-48,7/1-24 Enabled Normal Disabled
6/10-11,6/13-14 Disabled Normal Disabled
Console> (enable)

Disabling GMRP on Individual Switch Ports

Note You can change the per-port GMRP configuration regardless of whether GMRP is enabled globally.
However, GMRP will not function on any ports until you enable it globally. For information on
configuring GMRP globally on the switch, see the “Enabling GMRP Globally” section on
page 40-13.

To disable GMRP on individual switch ports, perform this task in privileged mode:

Task Command
Step 1 Disable GMRP on individual switch ports. set port gmrp disable mod/port
Step 2 Verify the configuration. show gmrp configuration

This example shows how to disable GMRP on ports 6/10-14 and verify the configuration:
Console> (enable) set port gmrp disable 6/10-14
GMRP disabled on ports 6/10-14.
Console> (enable) show gmrp configuration
Global GMRP Configuration:
GMRP Feature is currently enabled on this switch.
GMRP Timers (milliseconds):
Join = 200
Leave = 600
LeaveAll = 10000
Port based GMRP Configuration:
Port GMRP Status Registration ForwardAll
-------------------------------------------- ----------- ------------ ----------
1/1-2,3/1,6/1-9,6/15-48,7/1-24 Enabled Normal Disabled
6/10-14 Disabled Normal Disabled
Console> (enable)

Enabling GMRP Forward-All Option


When you enable the GMRP forward-all option on a port, a copy of all multicast traffic registered on the
switch is forwarded to that port. Enable the forward-all option on any port connected to a router that
needs to receive any multicasts (routers do not support GMRP and so cannot send GMRP join messages).
The forward-all option can also be used to forward all registered multicast traffic to a port with a network
analyzer or probe attached.
To enable the GMRP forward-all option on a switch port, perform this task in privileged mode:

Task                                                   Command
Enable the GMRP forward-all option on a switch port.   set gmrp fwdall enable mod/port

This example shows how to enable the GMRP forward-all option on port 1/1:
Console> (enable) set gmrp fwdall enable 1/1
GMRP Forward All groups option enabled on port 1/1.
Console> (enable)

Disabling GMRP Forward-All Option


To disable the GMRP forward-all option on a port, perform this task in privileged mode:

Task Command
Disable the GMRP forward-all option on a port. set gmrp fwdall disable mod/port

This example shows how to disable the GMRP forward-all option on port 1/1:
Console> (enable) set gmrp fwdall disable 1/1
GMRP Forward All groups option disabled on port 1/1.
Console> (enable)

Configuring GMRP Registration


These sections describe how to configure GMRP registration modes on switch ports:
• Setting Normal Registration, page 40-16
• Setting Fixed Registration, page 40-16
• Setting Forbidden Registration, page 40-17

Setting Normal Registration


Configuring a port in normal registration mode allows dynamic GMRP multicast registration and
deregistration on the port. Normal mode is the default on all switch ports.
To set normal registration on a port, perform this task in privileged mode:

Task Command
Step 1 Set normal registration on a port. set gmrp registration normal mod/port
Step 2 Verify the configuration. show gmrp configuration

This example shows how to set normal registration on port 2/10:
Console> (enable) set gmrp registration normal 2/10
GMRP Registration is set normal on port 2/10.
Console> (enable)

Setting Fixed Registration


When you configure a port in fixed registration mode, all the multicast groups currently registered on
all ports are registered on the port, but the port ignores any subsequent registrations or deregistrations
on other ports. A port in fixed registration mode continues to register multicast groups that are specific
to the port. You must return the port to normal registration mode to deregister multicast groups on the
port.
To set fixed registration on a port, perform this task in privileged mode:

Task Command
Step 1 Set fixed registration on a port. set gmrp registration fixed mod/port
Step 2 Verify the configuration. show gmrp configuration

This example shows how to set fixed registration on port 2/10 and verify the configuration:
Console> (enable) set gmrp registration fixed 2/10
GMRP Registration is set fixed on port 2/10.
Console> (enable) show gmrp configuration
Global GMRP Configuration:
GMRP Feature is currently enabled on this switch.
GMRP Timers (milliseconds):
Join = 200
Leave = 600
LeaveAll = 10000
Port based GMRP Configuration:
GMRP-Status Registration ForwardAll Port(s)
----------- ------------ ---------- --------------------------------------------
Enabled Normal Disabled 1/1-4
2/1-9,2/11-48
3/1-24
5/1
Enabled Fixed Disabled 2/10
Console> (enable)

Setting Forbidden Registration


Setting a port in forbidden registration mode deregisters all GMRP multicasts and prevents any further
GMRP multicast registration on the port.
To set forbidden registration on a port, perform this task in privileged mode:

Task Command
Step 1 Set forbidden registration on a port. set gmrp registration forbidden mod/port
Step 2 Verify the configuration. show gmrp configuration

This example shows how to set forbidden registration on port 2/10 and verify the configuration:
Console> (enable) set gmrp registration forbidden 2/10
GMRP Registration is set forbidden on port 2/10.
Console> (enable) show gmrp configuration
Global GMRP Configuration:
GMRP Feature is currently enabled on this switch.
GMRP Timers (milliseconds):
Join = 200
Leave = 600
LeaveAll = 10000
Port based GMRP Configuration:
GMRP-Status Registration ForwardAll Port(s)
----------- ------------ ---------- --------------------------------------------
Enabled Normal Disabled 1/1-4
2/1-9,2/11-48
3/1-24
5/1
Enabled Forbidden Disabled 2/10
Console> (enable)

Setting the GARP Timers

Note The commands set gmrp timer and show gmrp timer are aliases for set garp timer and show garp
timer. The aliases may be used if desired.

Note Modifying the GARP timer values affects the behavior of all GARP applications running on the
switch, not just GMRP. (For example, GVRP uses the same timers.)

Note The only ports that send out the GMRP LeaveAll messages are the ports that have previously received
GMRP joins.

You can modify the default GARP timer values on the switch.
When setting the timer values, the value for leave must be equal to or greater than three times the join
value (leave >= join * 3). The value for leaveall must be greater than the value for leave (leaveall >
leave). The more registered attributes on the switch, the greater you should configure the difference
between the leave value and the join value.
For better performance on switches with many registered multicast groups, increase the timer values to
the order of seconds.
If you attempt to set a timer value that does not adhere to these rules, an error is returned. For example,
if you set the leave timer to 600 ms and you attempt to configure the join timer to 350 ms, an error is
returned. Set the leave timer to at least 1050 ms and then set the join timer to 350 ms.

Caution Set the same GARP timer values on all Layer 2-connected devices. If the GARP timers are set
differently on the Layer 2-connected devices, GARP applications (for example, GMRP and GVRP)
do not operate successfully.

To set the GARP timer values, perform this task in privileged mode:

Task                                  Command
Step 1   Set the GARP timer values.   set garp timer {join | leave | leaveall} timer_value
Step 2   Verify the configuration.    show garp timer

This example shows how to set the GARP timers and verify the configuration:
Console> (enable) set garp timer leaveall 12000
GMRP/GARP leaveAll timer value is set to 12000 milliseconds.
Console> (enable) set garp timer leave 650
GMRP/GARP leave timer value is set to 650 milliseconds.
Console> (enable) set garp timer join 300
GMRP/GARP join timer value is set to 300 milliseconds.
Console> (enable) show garp timer
Timer Timer Value (milliseconds)
-------- --------------------------
Join 300
Leave 650
LeaveAll 12000
Console> (enable)
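The timer consistency rules stated in this section (leave >= 3 * join, leaveall > leave), applied the way the text says the switch applies them, one set garp timer command at a time against the values already configured. This is an added example, not Cisco code; the function names are illustrative and DEFAULT_TIMERS are the defaults from Table 40-3:

```python
# Added example (not Cisco code): the GARP timer rules stated in the text
# (leave >= 3 * join, leaveall > leave), checked one command at a time the
# way the switch does. Function names are illustrative; the defaults come
# from Table 40-3.
DEFAULT_TIMERS = {"join": 200, "leave": 600, "leaveall": 10000}  # milliseconds


def check_garp_timers(timers):
    """Return the rules a timer set violates; an empty list means it is consistent."""
    problems = []
    if timers["leave"] < 3 * timers["join"]:
        problems.append("leave %d ms must be >= 3 * join (%d ms)"
                        % (timers["leave"], 3 * timers["join"]))
    if timers["leaveall"] <= timers["leave"]:
        problems.append("leaveall %d ms must be > leave (%d ms)"
                        % (timers["leaveall"], timers["leave"]))
    return problems


def set_garp_timer(timers, name, value_ms):
    """Apply one `set garp timer <name> <value_ms>`.

    Returns (new_timers, problems). When problems is non-empty the command is
    rejected and the timers come back unchanged, as the text describes.
    """
    if name not in DEFAULT_TIMERS:
        raise ValueError("timer must be one of join, leave, leaveall")
    if value_ms <= 0:
        raise ValueError("timer values are positive milliseconds")
    candidate = dict(timers, **{name: value_ms})
    problems = check_garp_timers(candidate)
    return (timers, problems) if problems else (candidate, [])


def apply_commands(commands, timers=None):
    """Run a sequence of (name, value_ms) commands, starting from `timers` (default: Table 40-3)."""
    timers = dict(DEFAULT_TIMERS if timers is None else timers)
    log = []
    for name, value in commands:
        timers, problems = set_garp_timer(timers, name, value)
        status = "accepted" if not problems else "rejected: " + "; ".join(problems)
        log.append((name, value, status))
    return timers, log
```

Order matters, which is the point of the worked case in the text: from the defaults, set garp timer join 350 is rejected because leave is still 600, while raising leave to 1050 first and then setting join to 350 is accepted. Applied to the sample session shown above, the stated rule would also reject set garp timer join 300 once leave is 650 (650 < 900), although the session shows the command being accepted; the function implements the rule as the text states it, so confirm on your own release which of the two the switch actually enforces before relying on this check in an audit script.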

Displaying GMRP Statistics


To display GMRP statistics on the switch, perform this task in privileged mode:

Task Command
Display GMRP statistics. show gmrp statistics [vlan_id]

This example shows how to display GMRP statistics for VLAN 23:
Console> show gmrp statistics 23
GMRP Statistics for vlan <23>:
Total valid GMRP Packets Received:500
Join Empties:200
Join INs:250
Leaves:10
Leave Alls:35
Empties:5
Fwd Alls:0
Fwd Unregistered:0
Total valid GMRP Packets Transmitted:600
Join Empties:200
Join INs:150
Leaves:45
Leave Alls:200
Empties:5
Fwd Alls:0
Fwd Unregistered:0
Total valid GMRP Packets Received:0
Total GMRP packets dropped:0
Total GMRP Registrations Failed:0
Console>

Clearing GMRP Statistics


To clear all GMRP statistics on the switch, perform this task in privileged mode:

Task Command
Clear GMRP statistics. clear gmrp statistics {vlan_id | all}

This example shows how to clear the GMRP statistics for all VLANs:
Console> (enable) clear gmrp statistics all
Console> (enable)

Disabling GMRP Globally on the Switch


To disable GMRP globally on the switch, perform this task in privileged mode:

Task Command
Disable GMRP globally on the switch. set gmrp disable

This example shows how to disable GMRP globally on the switch:
Console> (enable) set gmrp disable
GMRP disabled.
Console> (enable)

Configuring Multicast Router Ports and Group Entries


These sections describe how to specify multicast router ports manually and configure multicast group
entries:
• Specifying Multicast Router Ports, page 40-20
• Configuring Multicast Groups, page 40-21
• Clearing Multicast Router Ports, page 40-21
• Clearing Multicast Group Entries, page 40-22

Specifying Multicast Router Ports


When you enable IGMP snooping, the switch automatically learns to which ports a multicast router is
connected. However, if desired, you can manually specify multicast router ports.
To specify multicast router ports manually, perform this task in privileged mode:

        Task                                         Command
Step 1  Manually specify a multicast router port.    set multicast router mod/port
Step 2  Verify the configuration.                    show multicast router [mod/port] [vlan_id]

This example shows how to specify a multicast router port manually and verify the configuration (the
asterisk [*] next to the multicast router on port 3/1 indicates that the entry was configured manually):
Console> (enable) set multicast router 3/1
Port 3/1 added to multicast router port list.
Console> (enable) show multicast router
IGMP disabled

Port Vlan
--------- ----------------
2/1 99
2/2 255
3/1 * 1
7/9 2,99

Total Number of Entries = 4


'*' - Configured
Console> (enable)


Configuring Multicast Groups


To configure a multicast group manually, perform this task in privileged mode:

Note With software release 6.3(2) and later releases, the maximum number of Layer 2 multicast entries is
15488.

        Task                                                         Command
Step 1  Add one or more multicast MAC addresses to the CAM table.   set cam {static | permanent} multicast_mac mod/port [vlan]
Step 2  Verify the multicast group configuration.                   show multicast group [mac_addr] [vlan_id]

This example shows how to configure multicast groups manually and verify the configuration (the
asterisks indicate the entry was manually configured):
Console> (enable) set cam static 01-00-11-22-33-44 2/6-12
Static multicast entry added to CAM table.
Console> (enable) set cam static 01-11-22-33-44-55 2/6-12
Static multicast entry added to CAM table.
Console> (enable) set cam static 01-22-33-44-55-66 2/6-12
Static multicast entry added to CAM table.
Console> (enable) set cam static 01-33-44-55-66-77 2/6-12
Static multicast entry added to CAM table.
Console> (enable) show multicast group
IGMP disabled

VLAN Dest MAC/Route Des Destination Ports or VCs / [Protocol Type]


---- ------------------ ----------------------------------------------------
1 01-00-11-22-33-44* 2/6-12
1 01-11-22-33-44-55* 2/6-12
1 01-22-33-44-55-66* 2/6-12
1 01-33-44-55-66-77* 2/6-12

Total Number of Entries = 4


Console> (enable)

Clearing Multicast Router Ports


To clear manually configured multicast router ports, perform one of these tasks in privileged mode:

Task                                                       Command
Clear specific, manually configured multicast router ports.  clear multicast router mod/port
Clear all manually configured multicast router ports.        clear multicast router all

This example shows how to clear a manually configured multicast router port entry:
Console> (enable) clear multicast router 2/12
Port 2/12 cleared from multicast router port list.
Console> (enable)


Clearing Multicast Group Entries


To clear manually configured multicast group entries, perform this task in privileged mode:

Task                                                   Command
Clear a multicast group entry from the CAM table.      clear cam mac_addr [vlan]

This example shows how to clear a multicast group entry from the CAM table:
Console> (enable) clear cam 01-11-22-33-44-55 1
CAM entry cleared.
Console> (enable)

Configuring RGMP
These sections describe the commands for configuring RGMP:
• Configuring RGMP on the Supervisor Engine, page 40-22
• Configuring RGMP on the MSFC, page 40-25

Configuring RGMP on the Supervisor Engine


These sections describe the commands for configuring RGMP on the supervisor engine:
• Default RGMP Configuration, page 40-22
• Enabling and Disabling RGMP, page 40-22
• Displaying RGMP Group Information, page 40-23
• Displaying RGMP VLAN Statistics, page 40-23
• Displaying Ports Connected to RGMP-Capable Routers, page 40-24
• Clearing RGMP Statistics, page 40-25
• RGMP-Related CLI Commands, page 40-25

Default RGMP Configuration


RGMP is disabled by default.

Enabling and Disabling RGMP

Note To enable RGMP, you must have IGMP snooping enabled.

To enable or disable RGMP, perform these tasks in privileged mode:


Task               Command
Enable RGMP.       set rgmp enable
Disable RGMP.      set rgmp disable

This example shows how to enable RGMP:


Console> (enable) set rgmp enable
RGMP enabled.
Console> (enable)

This example shows how to disable RGMP:


Console> (enable) set rgmp disable
RGMP disabled.
Console> (enable)

Displaying RGMP Group Information


Use these commands to display the multicast groups that were joined by one or more RGMP-capable
routers, or only a count of those groups.
To display RGMP group information, perform these tasks in privileged mode:

Task                                                                             Command
Display all multicast groups that were joined by one or more RGMP-capable routers.  show rgmp group [mac_addr] [vlan_id]
Display the count of multicast groups that were joined by one or more RGMP-capable routers.  show rgmp group count [vlan_id]

This example shows how to display RGMP group information:


Console> (enable) show rgmp group
VLAN  Dest MAC/Route Des    RGMP Joined Router Ports
----  --------------------  -------------------------
1     01-00-5e-00-01-28     5/1,5/15
1     01-00-5e-01-01-01     5/1
2     01-00-5e-27-23-70*    3/1, 5/1
Total Number of Entries = 3
'*' - Configured
Console> (enable)

Console> (enable) show rgmp group count 1
Total Number of Entries = 2

Displaying RGMP VLAN Statistics


To display RGMP statistics for a given VLAN, perform this task in privileged mode:


Task                                                Command
Display the RGMP statistics for a specified VLAN.   show rgmp statistics [vlan]

This example shows how to display RGMP statistics:


Console> (enable) show rgmp statistics 23
RGMP enabled
RGMP Statistics for vlan <23>:
Receive:
Valid pkts:20
Hellos:10
Joins:5
Leaves:5
Byes:0
Discarded:0
Transmit:
Total Pkts:10
Failures:0
Hellos:10
Joins:0
Leaves:0
Byes:0
Console> (enable)

Displaying Ports Connected to RGMP-Capable Routers


This command displays detected RGMP-capable router ports. A “+” next to the port indicates that the
port is connected to an RGMP-capable router.
To display RGMP-capable router ports, perform this task in privileged mode:

Task                                   Command
Display RGMP-capable router ports.     show multicast router [igmp | rgmp] [mod/port] [vlan_id]

This example shows how to display ports connected to RGMP-capable routers:


Console> (enable) show multicast router
Port Vlan
------ ------
5/1 + 1
5/14 + 2
5/15 1
Total Number of Entries = 3
’*’ - Configured
’+’ - RGMP-capable
Console> (enable)
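The two `show multicast router` displays in this chapter (the `*` marker for ports entered with `set multicast router`, above in “Specifying Multicast Router Ports”, and the `+` marker for detected RGMP-capable routers, directly above) are what an operator reads to confirm that only the routers they expect are seen as multicast routers. The following script is an added example, not part of the Cisco guide: it parses both output forms, cross-checks the row count against the switch's own “Total Number of Entries” line, and flags learned (not manually configured) router ports that are absent from an allowlist, because a learned entry means a device on that port is sending IGMP queries or RGMP Hellos. The sample output is constructed from the examples in this chapter, and the allowlist is an assumption.

```python
"""Parse and audit `show multicast router` output from a Catalyst 6000 (CatOS).

Added example, not from the Cisco guide. It handles the two output forms
shown in this chapter: the '*' marker for router ports entered with
`set multicast router`, and the '+' marker for ports on which the switch
detected an RGMP-capable router. SAMPLE_OUTPUT is constructed from the
examples in the chapter; the allowlist in __main__ is an assumption.
"""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
Console> (enable) show multicast router
Port      Vlan
--------- ----------------
2/1       99
2/2       255
3/1 *     1
5/1 +     1
7/9       2,99

Total Number of Entries = 5

'*' - Configured
'+' - RGMP-capable
Console> (enable)
"""

# A table row: mod/port, optional marker(s), then a comma-separated VLAN list.
ROW_RE = re.compile(r"^(?P<port>\d+/\d+)(?P<flags>[ *+]*?)\s+(?P<vlans>\d+(?:,\d+)*)$")
COUNT_RE = re.compile(r"^Total Number of Entries = (?P<n>\d+)$")


@dataclass(frozen=True)
class RouterPort:
    port: str
    vlans: tuple
    configured: bool      # '*': entered manually with set multicast router
    rgmp_capable: bool    # '+': the switch received RGMP Hellos on this port


def parse_multicast_router(text):
    """Return one RouterPort per table row; raise if the row count disagrees
    with the entry count the switch printed (a sign of truncated output)."""
    rows, declared = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            rows.append(RouterPort(
                port=m["port"],
                vlans=tuple(int(v) for v in m["vlans"].split(",")),
                configured="*" in m["flags"],
                rgmp_capable="+" in m["flags"],
            ))
            continue
        c = COUNT_RE.match(line)
        if c:
            declared = int(c["n"])
    if declared is not None and declared != len(rows):
        raise ValueError(f"parsed {len(rows)} rows but switch reported {declared}")
    return rows


def unexpected_router_ports(ports, allowlist):
    """Learned router ports (no '*') that the operator did not list as expected."""
    return [p for p in ports if not p.configured and p.port not in allowlist]


if __name__ == "__main__":
    ports = parse_multicast_router(SAMPLE_OUTPUT)
    for p in unexpected_router_ports(ports, allowlist={"2/1", "7/9"}):  # assumed allowlist
        kind = "RGMP-capable" if p.rgmp_capable else "IGMP-learned"
        print(f"unexpected {kind} multicast router port {p.port} on VLAN(s) {p.vlans}")
```

Manually configured ports are deliberately excluded from the report: they are the operator's own statement of where routers are, so the interesting entries are the ones the switch learned by itself.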


Clearing RGMP Statistics


This command clears stored RGMP statistics.
To clear RGMP statistics, perform this task in privileged mode:

Task                          Command
Clear RGMP statistics.        clear rgmp statistics

This example shows how to clear RGMP statistics:


Console> (enable) clear rgmp statistics
RGMP statistics cleared.
Console> (enable)

RGMP-Related CLI Commands


The following RGMP-related CLI commands are accessible from the router:

Task                                  Command
Enable or disable RGMP.               ip rgmp
Enable or disable RGMP debugging.     debug ip rgmp {group name | group address}

Configuring RGMP on the MSFC


To configure RGMP on a VLAN interface on the MSFC, perform this task:

        Task                                         Command
Step 1  Access VLAN interface configuration mode.    Router(config)# interface vlan vlan_ID
Step 2  Enable RGMP.                                 Router(config-if)# ip rgmp

You can use the debug ip rgmp command to monitor RGMP on the MSFC.

Displaying Multicast Protocol Status


This command displays the status (enabled or disabled) of the Layer 2 multicast protocols on the switch.
To display the multicast protocol status, perform this task in privileged mode:

Task                                       Command
Display the multicast protocol status.     show multicast protocols status


This example shows how to display the multicast protocol status:


Console> (enable) show multicast protocols status
IGMP disabled
IGMP fastleave enabled
RGMP enabled
GMRP disabled

Chapter 41
Configuring QoS

This chapter describes how to configure quality of service (QoS) on the Catalyst 6000 family switches
and includes the configuration information required to support Common Open Policy Service (COPS)
and Resource ReSerVation Protocol (RSVP).

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

You can configure QoS using one of the following:


• SNMP
• COPS protocol
• RSVP null service template and receiver proxy functionality
• Command-line interface (CLI)
This chapter consists of these sections:
• Understanding How QoS Works, page 41-1
• QoS Default Configuration, page 41-28
• Configuring QoS, page 41-30

Understanding How QoS Works


Note • Throughout this publication and all Catalyst 6500 series documents, the term “QoS” refers to the
QoS feature as implemented on the Catalyst 6500 series.
• Supervisor Engine 1 and Supervisor Engine 2 provide policing only for ingress traffic.

Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority
and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an
equal chance of being dropped.
The QoS feature on the Catalyst 6000 family switches selects network traffic, prioritizes it according to
its relative importance, and provides priority-indexed treatment through congestion avoidance
techniques. Implementing QoS in your network makes network performance more predictable and
bandwidth utilization more effective.


QoS sets Layer 2 and Layer 3 values in network traffic to a configured value or to a value based on
received Layer 2 or Layer 3 values. IP traffic retains the Layer 3 value when it leaves the switch.
These sections describe QoS:
• Definitions, page 41-2
• Flowcharts, page 41-3
• QoS Feature Set Summary, page 41-8
• Ethernet Ingress Port Marking, Scheduling, Congestion Avoidance, and Classification, page 41-10
• Classification, Marking, and Policing with a Layer 3 Switching Engine, page 41-14
• Classification and Marking with a Layer 2 Switching Engine, page 41-24
• Ethernet Egress Port Scheduling, Congestion Avoidance, and Marking, page 41-24
• QoS Statistics Data Export, page 41-27

Definitions
This section defines some QoS terminology:
• Packets carry traffic at Layer 3.
• Frames carry traffic at Layer 2. Layer 2 frames carry Layer 3 packets.
• Labels are prioritization values carried in packets and frames:
– Layer 2 class of service (CoS) values range between zero for low priority and seven for high
priority:
Layer 2 Inter-Switch Link (ISL) frame headers have a 1-byte User field that carries an
IEEE 802.1p CoS value in the three least significant bits.
Layer 2 802.1Q frame headers have a 2-byte Tag Control Information field that carries the CoS
value in the three most significant bits, which are called the User Priority bits.
Other frame types cannot carry CoS values.

Note On ports configured as ISL trunks, all traffic is in ISL frames. On ports configured as
802.1Q trunks, all traffic is in 802.1Q frames except for traffic in the native VLAN.

– Layer 3 IP precedence values—The IP version 4 specification defines the three most significant
bits of the 1-byte Type of Service (ToS) field as IP precedence. IP precedence values range
between zero for low priority and seven for high priority.
– Layer 3 differentiated services code point (DSCP) values—The Internet Engineering Task
Force (IETF) defines the six most significant bits of the 1-byte ToS field as the DSCP. The
priority represented by a particular DSCP value is configurable. DSCP values range between 0
and 63 (for more information, see the “Configuring DSCP Value Maps” section on page 41-55).

Note Layer 3 IP packets can carry either an IP precedence value or a DSCP value. QoS
supports the use of either value, because DSCP values can be set equal to IP precedence
values.

• Classification is the selection of traffic to be marked.


• Marking, according to RFC 2475, is the process of setting a Layer 3 DSCP value in a packet; in this
publication, the definition of marking is extended to include setting Layer 2 CoS values.


• Scheduling is the assignment of traffic to a queue. QoS assigns traffic based on CoS values.
• Congestion avoidance is the process by which QoS reserves ingress and egress port capacity for
traffic with high-priority CoS values. QoS implements congestion avoidance with CoS value-based
drop thresholds. A drop threshold is the percentage of buffer utilization at which traffic with a
specified CoS value is dropped, leaving the buffer available for traffic with higher-priority CoS
values.
• Policing is the process by which the switch limits the bandwidth consumed by a flow of traffic.
Policing can mark or drop traffic.
• Except where specifically differentiated, Layer 3 switching engine refers to either:
– Supervisor Engine 2 with Layer 3 Switching Engine II (Policy Feature Card 2 or PFC2)
– Supervisor Engine 1 with Layer 3 Switching Engine WS-F6K-PFC (Policy Feature Card
or PFC)
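The label definitions above fix where each priority value lives: the CoS in the three most significant bits of the 802.1Q Tag Control Information field, the CoS in the three least significant bits of the ISL User field, the IP precedence in the three most significant bits of the IPv4 ToS byte and the DSCP in its six most significant bits. The following code is an added example, not part of the Cisco guide or of any Cisco software: it implements those bit positions, builds a constructed 802.1Q-tagged IPv4 frame, and reads every label back out of it. The MAC and IP addresses in the sample frame are constructed, and `strip_8021q_tag` exists only to show that an untagged frame carries no CoS at all, which is the case where a trusted port falls back to the port CoS. On a trusted port these bits are whatever the sender put there; the untrusted default described later in this chapter overwrites them with the port CoS.

```python
"""Read and write the Layer 2 and Layer 3 priority labels the QoS chapter defines.

Added example, not from the Cisco guide. Bit positions follow the
definitions in the chapter:
  - 802.1Q TCI (2 bytes): CoS (User Priority) in the 3 most significant bits
  - ISL User field (1 byte): CoS in the 3 least significant bits
  - IPv4 ToS byte: IP precedence in the 3 most significant bits,
    DSCP in the 6 most significant bits
Sample frame contents (MACs, IP addresses) are constructed.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def cos_from_8021q_tci(tci):
    """User Priority bits: the top 3 of the 16-bit Tag Control Information."""
    return (tci >> 13) & 0x7


def set_cos_in_8021q_tci(tci, cos):
    """Replace the User Priority bits, leaving CFI and VLAN ID untouched."""
    return (tci & 0x1FFF) | ((cos & 0x7) << 13)


def cos_from_isl_user_field(user):
    """ISL carries the 802.1p CoS in the low 3 bits of its 1-byte User field."""
    return user & 0x7


def ipprec_from_tos(tos):
    """IP precedence: top 3 bits of the ToS byte."""
    return (tos >> 5) & 0x7


def dscp_from_tos(tos):
    """DSCP: top 6 bits of the ToS byte (the low 2 bits are ECN)."""
    return (tos >> 2) & 0x3F


def dscp_equal_to_ipprec(ipprec):
    """The DSCP whose three high bits equal the precedence, so a reader of
    either label sees the same priority (the chapter's note that DSCP values
    can be set equal to IP precedence values)."""
    return (ipprec & 0x7) << 3


def build_tagged_ipv4_frame(cos, vlan, dscp):
    """Constructed sample: Ethernet II header + 802.1Q tag + minimal IPv4 header."""
    dst = bytes.fromhex("01005e000128")          # constructed multicast MAC
    src = bytes.fromhex("00d0b7000001")          # constructed source MAC
    tci = set_cos_in_8021q_tci(vlan & 0x0FFF, cos)
    eth = dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4)
    tos = (dscp & 0x3F) << 2                     # ECN bits left at zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                     bytes.fromhex("0a000001"), bytes.fromhex("e0000128"))
    return eth + ip


def strip_8021q_tag(frame):
    """Remove the 4-byte tag: the result is a frame type that cannot carry CoS."""
    return frame[:12] + frame[16:]


def labels_from_frame(frame):
    """Return the CoS, VLAN, IP precedence and DSCP a frame carries.
    Labels the frame cannot carry come back as None."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    cos = vlan = None
    l3_offset = 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        cos, vlan = cos_from_8021q_tci(tci), tci & 0x0FFF
        l3_offset = 18
    ipprec = dscp = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= l3_offset + 20:
        tos = frame[l3_offset + 1]               # second byte of the IPv4 header
        ipprec, dscp = ipprec_from_tos(tos), dscp_from_tos(tos)
    return {"cos": cos, "vlan": vlan, "ipprec": ipprec, "dscp": dscp}


if __name__ == "__main__":
    frame = build_tagged_ipv4_frame(cos=5, vlan=23, dscp=46)
    print("tagged:  ", labels_from_frame(frame))
    print("untagged:", labels_from_frame(strip_8021q_tag(frame)))
```

Because DSCP occupies the six high bits and IP precedence the three high bits of the same byte, a DSCP of `ipprec << 3` is read identically by equipment that understands only precedence, which is the property the note above relies on.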

Flowcharts
Figure 41-1 shows how traffic flows through the QoS features; Figure 41-2 through Figure 41-7 show
more details of the traffic flow through QoS features.

Figure 41-1 Traffic Flow Through QoS Features

[Flowchart; recoverable labels only]
  Ethernet frame enters ingress switch port, or ATM-LANE cell enters ingress switch port
    (CoS = 0 for all ATM-LANE ingress traffic, not configurable)
  -> L3 Switching Engine* or L2 Switching Engine
  -> Multilayer Switch Feature Card (MSFC) or FlexWAN Module interfaces
    (CoS = 0 for all traffic, not configurable)
  -> Ethernet egress port transmits frame, or ATM-LANE egress port transmits cell
  *PFC or PFC2

Note Traffic that is Layer 3 switched does not go through the Multilayer Switch Feature Card (MSFC or
MSFC2) and retains the CoS value assigned by the Layer 3 switching engine.

Note Enter the show port capabilities command to see the queue structure of a port (for more information,
see the “Receive Queues” section on page 41-11 and the “Transmit Queues” section on page 41-25).


Figure 41-2 Ethernet Ingress Port Classification, Marking, Scheduling, and Congestion Avoidance

[Flowchart; recoverable decision steps and default values only]
  Frame enters switch
  Port set to untrusted?   Yes -> apply port CoS
  ISL or 802.1Q frame?     No  -> apply port CoS
  Port set to trust-ipprec? or trust-dscp?   Yes -> to switching engine
  Otherwise the port is set to trust-cos -> receive-queue drop thresholds (default values shown):
    1q4t port (tail-drop thresholds): 100% for CoS 6 and 7; 80% for CoS 4 and 5;
      60% for CoS 2 and 3; 50% for CoS 0 and 1
    1p1q4t port (tail-drop thresholds): strict-priority queue 100% for CoS 5;
      standard queue 100% for CoS 6 and 7; 80% for CoS 4; 60% for CoS 2 and 3; 50% for CoS 0 and 1
    1p1q0t port (tail-drop thresholds): strict-priority queue 100% for CoS 5;
      standard queue 100% for CoS 0, 1, 2, 3, 4, 6, 7
  To switching engine


Figure 41-3 Layer 3 Switching Engine Classification, Marking, and Policing

[Flowchart; recoverable decision steps and footnotes only]
  From ingress port or VLAN
  IP packet? -> ACL(s) on received interface? -> Match ACE in ACL? (No: use default ACL)
  Trust received DSCP?(1)              Yes -> use received DSCP
  Trust received IP precedence?(1)     Yes -> set DSCP from received IP precedence(2)
  Trust received or port CoS?(1)       Yes -> set DSCP from received or port CoS(3)
  Otherwise traffic is from an untrusted port -> use DSCP from ACE(1)
  Policing rule in ACE? -> Out of profile? -> Markdown?
    Yes -> set DSCP to marked-down value(4)
    No  -> drop packet
  Derive CoS from DSCP(5) -> to egress interface

  1 Specified by ACE keyword or by port keyword and dscp ACE keyword
  2 From IP precedence-to-DSCP map
  3 From CoS-to-DSCP map
  4 From DSCP markdown map
  5 From DSCP-to-CoS map


Figure 41-4 Layer 2 Switching Engine Classification and Marking

[Flowchart; recoverable steps only]
  From ingress port
  Match* destination MAC address/VLAN?   Yes -> apply configured CoS
  To egress port
  *From set qos mac-cos command

Figure 41-5 Multilayer Switch Feature Card Marking (MSFC and MSFC2)

[Flowchart; recoverable steps only]
  From PFC
  IP traffic from PFC?   Yes -> write ToS byte into packet
  Route traffic
  CoS = 0 for all traffic (not configurable)
  To egress port


Figure 41-6 Ethernet Egress Port Scheduling, Congestion Avoidance, and Marking

[Flowchart; recoverable queue structures, default values, and marking steps only]
  From switching engine or MSFC
  2q2t port (tail-drop thresholds):
    high-priority standard queue: 100% for CoS 6 and 7; 80% for CoS 4 and 5
    low-priority standard queue: 100% for CoS 2 and 3; 80% for CoS 0 and 1
  1p2q2t port:
    strict-priority queue: 100% for CoS 5
    high-priority standard queue (WRED-drop thresholds): 70%:100% for CoS 6 and 7; 40%:70% for CoS 4
    low-priority standard queue (WRED-drop thresholds): 70%:100% for CoS 2 and 3; 40%:70% for CoS 0 and 1
  1p3q1t port:
    strict-priority queue: 100% for CoS 5
    standard queues (WRED-drop or tail-drop thresholds): high priority 100% for CoS 6 and 7;
      medium priority 100% for CoS 2, 3 and 4; low priority 100% for CoS 0 and 1
  IP traffic from PFC?   Yes -> write ToS byte into packet
  ISL or 802.1Q?         Yes -> write CoS into frame
  Transmit frame
  (Default values shown)


Figure 41-7 Single-Port ATM OC-12 Switching Module Marking

[Flowchart; recoverable steps only]
  From switching engine or MSFC
  IP traffic from PFC?   Yes -> write ToS byte into packet
  Transmit cell

QoS Feature Set Summary


The QoS feature set on your switch is determined by the switching engine on the supervisor engine.
Enter the show module command for the supervisor engine to display your switching engine
configuration. The display shows the “Sub-Type” to be one of the following:
• Supervisor Engine 2 (WS-X6K-SUP2-2GE) with Layer 3 Switching Engine II
(WS-F6K-PFC2—Policy Feature Card 2 or PFC2)
• Supervisor Engine 1 (WS-X6K-SUP1A-2GE or WS-X6K-SUP1-2GE) with one of the following:
– Layer 3 Switching Engine (WS-F6K-PFC—Policy Feature Card or PFC)
– Layer 2 Switching Engine II (WS-F6020A)
– Layer 2 Switching Engine I (WS-F6020)
The Layer 3 Switching Engine WS-F6K-PFC and Layer 3 Switching Engine II support similar feature
sets. The two Layer 2 switching engines support the same QoS feature set.
These sections describe the QoS feature sets:
• Ethernet Ingress Port Features, page 41-9
• Layer 3 Switching Engine Features, page 41-9
• Layer 2 Switching Engine Features, page 41-9
• Ethernet Egress Port Features, page 41-9
• Single-Port ATM OC-12 Switching Module Features, page 41-9
• Multilayer Switch Feature Card (MSFC or MSFC2), page 41-9


Ethernet Ingress Port Features


With any switching engine, QoS supports classification, marking, scheduling, and congestion avoidance
using Layer 2 CoS values at Ethernet ingress ports. Classification, marking, scheduling, and congestion
avoidance at Ethernet ingress ports do not use or set Layer 3 IP precedence or DSCP values. With a
Layer 3 switching engine, you can configure Ethernet ingress port trust states that can be used by the
switching engine to set Layer 3 IP precedence or DSCP values and the Layer 2 CoS value. For more
information, see the “Ethernet Ingress Port Marking, Scheduling, Congestion Avoidance, and
Classification” section on page 41-10.

Layer 3 Switching Engine Features


With a Layer 3 switching engine, QoS supports classification, marking, and policing using IP, IPX, and
Media Access Control (MAC) access control lists (ACLs). ACLs contain access control entries (ACEs)
that specify Layer 2, 3, and 4 classification criteria, a marking rule, and policing rules. Marking sets the
Layer 3 IP precedence or DSCP values and the Layer 2 CoS value to either received or configured
Layer 2 or Layer 3 values. Policing uses bandwidth limits to either drop or mark nonconforming traffic.
For more information, see the “Classification, Marking, and Policing with a Layer 3 Switching Engine”
section on page 41-14.
During processing, a Layer 3 switching engine associates a DSCP value with all traffic, including non-IP
traffic (for more information, see the “Internal DSCP Values” section on page 41-15).

Layer 2 Switching Engine Features


With a Layer 2 Switching Engine, QoS can classify traffic using Layer 2 destination MAC addresses and
VLANs, and mark it using Layer 2 CoS values. Classification and marking with a Layer 2 Switching
Engine do not use or set Layer 3 IP precedence or DSCP values. For more information, see the
“Classification and Marking with a Layer 2 Switching Engine” section on page 41-24.

Ethernet Egress Port Features


With any switching engine, QoS supports Ethernet egress port scheduling and congestion avoidance
using Layer 2 CoS values. Ethernet egress port marking sets Layer 2 CoS values and, with a Layer 3
switching engine, Layer 3 DSCP values. For more information, see the “Ethernet Egress Port
Scheduling, Congestion Avoidance, and Marking” section on page 41-24.

Single-Port ATM OC-12 Switching Module Features


The ingress interface from a single-port ATM OC-12 switching module is untrusted, and QoS sets CoS
to zero in all traffic received from it. With a Layer 3 switching engine, QoS can mark IP traffic
transmitted to a single-port ATM OC-12 switching module with Layer 3 DSCP values.

Multilayer Switch Feature Card (MSFC or MSFC2)


QoS marks IP traffic transmitted to an MSFC with Layer 3 DSCP values. CoS is zero in all traffic sent
from an MSFC to egress ports.

Note Traffic that is Layer 3 switched does not go through the MSFC and retains the CoS value assigned
by the Layer 3 switching engine.


Ethernet Ingress Port Marking, Scheduling, Congestion Avoidance, and Classification

These sections describe Ethernet ingress port marking, scheduling, congestion avoidance, and
classification:
• Overview, page 41-10
• Marking at Untrusted Ports, page 41-11
• Marking at Trusted Ports, page 41-11
• Ethernet Ingress Port Scheduling and Congestion Avoidance, page 41-11
• Receive Queues, page 41-11
• Ingress Scheduling, page 41-11
• Ingress Congestion Avoidance, page 41-11
• Ethernet Ingress Port Classification Features with a Layer 3 Switching Engine, page 41-13

Overview
The trust state of an Ethernet port determines how it marks, schedules, and classifies received traffic,
and whether or not congestion avoidance is implemented. You can configure the trust state of each port
with one of these keywords:
• untrusted (default)
• trust-ipprec (Layer 3 switching engine only—not supported on 1q4t ports except Gigabit Ethernet)
• trust-dscp (Layer 3 switching engine only—not supported on 1q4t ports except Gigabit Ethernet)
• trust-cos

Note • 1q4t ports (except Gigabit Ethernet) do not support the trust-ipprec and trust-dscp port keywords.
You must configure a trust-ipprec or trust-dscp ACL that matches the ingress traffic to apply the
trust-ipprec or trust-dscp trust state.
• On 1q4t ports (except Gigabit Ethernet), the trust-cos port keyword displays an error message,
activates receive queue drop thresholds, and—as indicated by the error message—does not apply
the trust-cos trust state to traffic. You must configure a trust-cos ACL that matches the ingress
traffic to apply the trust-cos trust state.

For more information, see the “Configuring the Trust State of a Port” section on page 41-32.
In addition to the port configuration keywords listed above, with a Layer 3 switching engine, QoS uses
trust-ipprec, trust-dscp, and trust-cos ACE keywords. Do not confuse the ACE keywords with the port
keywords.
Ports configured with the untrusted keyword are called untrusted ports. Ports configured with the
trust-ipprec, trust-dscp, or trust-cos keywords are called trusted ports. QoS implements ingress port
congestion avoidance only on ports configured with the trust-cos keyword.
Ingress port marking, scheduling, and congestion avoidance use Layer 2 CoS values. Ingress port
marking, scheduling, and congestion avoidance do not use or set Layer 3 IP precedence or DSCP values.


Marking at Untrusted Ports


QoS marks all frames received through untrusted ports with the port CoS value (the default is zero). QoS
does not implement ingress port congestion avoidance on untrusted ports: the traffic goes directly to the
switching engine.

Marking at Trusted Ports


When an ISL frame enters the switch through a trusted port, QoS accepts the three least significant bits
in the User field as a CoS value. When an 802.1Q frame enters the switch through a trusted port, QoS
accepts the User Priority bits as a CoS value. QoS marks all traffic received in other frame types with
the port CoS value.
The port CoS value is configurable for each Ethernet port (for more information, see the “Configuring
the CoS Value for a Port” section on page 41-33).

Ethernet Ingress Port Scheduling and Congestion Avoidance


QoS does not implement ingress port congestion avoidance on ports configured with the untrusted,
trust-ipprec, or trust-dscp keywords: the traffic goes directly to the switching engine.
QoS uses CoS-value-based receive-queue drop thresholds to avoid congestion in traffic entering the
switch through a port configured with the trust-cos keyword (for more information, see the
“Configuring the Trust State of a Port” section on page 41-32).

Receive Queues
Enter a show port capabilities command to see the queue structure of a port. The command displays
one of the following:
• rx-(1p1q4t)—one strict-priority queue and one standard queue with four thresholds
• rx-(1q4t)—one standard queue with four thresholds
• rx-(1p1q0t)—one strict-priority queue and one standard queue with no configurable thresholds
Strict-priority queues are serviced in preference to other queues. QoS services traffic in a strict-priority
queue before servicing the standard queue. When QoS services the standard queue, after receiving a
packet, it checks for traffic in the strict-priority queue. If QoS detects traffic in the strict-priority queue,
it suspends its service of the standard queue and completes service of all traffic in the strict-priority
queue before returning to the standard queue.

Ingress Scheduling
QoS schedules traffic through the receive queues based on CoS values. In the 1p1q4t and 1p1q0t default
configurations, QoS assigns all traffic with CoS 5 to the strict-priority queue; QoS assigns all other
traffic to the standard queue. In the 1q4t default configuration, QoS assigns all traffic to the standard
queue.

Ingress Congestion Avoidance


If a port is configured with the trust-cos keyword, QoS implements CoS-value-based receive-drop
thresholds to avoid congestion in received traffic.


1q4t ports have this default drop-threshold configuration:


• Using receive-queue drop threshold 1, the switch drops incoming frames with CoS 0 or 1 when the
receive-queue buffer is 50 percent or more full.
• Using receive-queue drop threshold 2, the switch drops incoming frames with CoS 2 or 3 when the
receive-queue buffer is 60 percent or more full.
• Using receive-queue drop threshold 3, the switch drops incoming frames with CoS 4 or 5 when the
receive-queue buffer is 80 percent or more full.
• Using receive-queue drop threshold 4, the switch drops incoming frames with CoS 6 or 7 when the
receive-queue buffer is 100 percent full.
1p1q4t ports have this default drop-threshold configuration:
• Frames with CoS 0, 1, 2, 3, 4, 6, or 7 go to the standard receive queue:
– Using standard receive-queue drop threshold 1, the switch drops incoming frames with CoS 0
or 1 when the receive-queue buffer is 50 percent or more full.
– Using standard receive-queue drop threshold 2, the switch drops incoming frames with CoS 2
or 3 when the receive-queue buffer is 60 percent or more full.
– Using standard receive-queue drop threshold 3, the switch drops incoming frames with CoS 4
when the receive-queue buffer is 80 percent or more full.
– Using standard receive-queue drop threshold 4, the switch drops incoming frames with CoS 6
or 7 when the receive-queue buffer is 100 percent full.
• Frames with CoS 5 go to the strict-priority receive queue (queue 2), where the switch drops
incoming frames only when the strict-priority receive-queue buffer is 100 percent full.
1p1q0t ports have this default drop-threshold configuration:
• Frames with CoS 0, 1, 2, 3, 4, 6, or 7 go to the standard receive queue. The switch drops incoming
frames when the receive-queue buffer is 100 percent full.
• Frames with CoS 5 go to the strict-priority receive queue (queue 2), where the switch drops
incoming frames only when the strict-priority receive-queue buffer is 100 percent full.

Note The explanations in this section use default values. You can configure many of the parameters (for
more information, see the “Configuring QoS” section on page 41-30). All ports of the same type use
the same drop-threshold configuration.

Figure 41-8 shows the drop thresholds for a 1q4t port. Drop thresholds in other configurations function
similarly.
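The default drop-threshold configurations listed above for 1q4t, 1p1q4t and 1p1q0t ports, together with the two rules stated earlier in this section (thresholds are evaluated only on trust-cos ports; a frame is dropped once its receive queue is at least as full as the threshold for its CoS), are enough to predict which frames survive at a given buffer occupancy. The following model is an added example, not part of the Cisco guide or of any Cisco software: it encodes those defaults and returns the queue and drop decision for one frame, plus the set of CoS values still admitted at a given occupancy. Buffer fill is taken as a percentage, and the port type names, trust-state strings and function names are this example's own; the hardware measures occupancy in its own units, so this reproduces the decision logic, not the ASIC.

```python
"""Model the default receive-queue drop thresholds for Catalyst 6000 port types.

Added example, not from the Cisco guide. Thresholds and queue assignments
are the defaults the chapter gives for 1q4t, 1p1q4t and 1p1q0t ports.
Occupancy is modelled as a percentage; port type names and trust-state
strings here mirror the chapter's keywords but are this example's own.
"""

STRICT, STANDARD = "strict-priority", "standard"

# port type -> CoS -> (receive queue, drop threshold in percent of buffer)
DEFAULT_RX_THRESHOLDS = {
    "1q4t": {
        0: (STANDARD, 50), 1: (STANDARD, 50),
        2: (STANDARD, 60), 3: (STANDARD, 60),
        4: (STANDARD, 80), 5: (STANDARD, 80),
        6: (STANDARD, 100), 7: (STANDARD, 100),
    },
    "1p1q4t": {
        0: (STANDARD, 50), 1: (STANDARD, 50),
        2: (STANDARD, 60), 3: (STANDARD, 60),
        4: (STANDARD, 80), 5: (STRICT, 100),
        6: (STANDARD, 100), 7: (STANDARD, 100),
    },
    # 1p1q0t: no configurable thresholds, everything drops only at 100% full
    "1p1q0t": {cos: (STRICT if cos == 5 else STANDARD, 100) for cos in range(8)},
}


def rx_decision(port_type, trust_state, cos, std_fill_pct, sp_fill_pct=None):
    """Return (queue, dropped) for one received frame.

    std_fill_pct and sp_fill_pct are the current occupancy of the standard
    and strict-priority receive queues. If sp_fill_pct is omitted the
    strict-priority queue is assumed as full as the standard one. Drop
    thresholds are enforced only when the port is configured trust-cos;
    untrusted, trust-ipprec and trust-dscp ports pass traffic straight to
    the switching engine.
    """
    if cos not in range(8):
        raise ValueError("CoS must be 0..7")
    queue, threshold = DEFAULT_RX_THRESHOLDS[port_type][cos]
    if trust_state != "trust-cos":
        return queue, False
    if queue == STANDARD:
        fill = std_fill_pct
    else:
        fill = std_fill_pct if sp_fill_pct is None else sp_fill_pct
    return queue, fill >= threshold


def accepted_cos(port_type, trust_state, std_fill_pct, sp_fill_pct=None):
    """CoS values whose frames are still admitted at the given occupancy."""
    return [c for c in range(8)
            if not rx_decision(port_type, trust_state, c, std_fill_pct, sp_fill_pct)[1]]


if __name__ == "__main__":
    for fill in (49, 50, 60, 80, 100):
        print(f"1q4t trust-cos port {fill:3d}% full admits CoS {accepted_cos('1q4t', 'trust-cos', fill)}")
    print("1p1q4t, standard queue full, strict-priority queue half full:",
          accepted_cos("1p1q4t", "trust-cos", 100, sp_fill_pct=50))
```

Running the model at 60 percent occupancy on a 1q4t trust-cos port shows only CoS 4 through 7 still being admitted, which is the reservation Figure 41-8 illustrates; on a 1p1q4t port with the standard queue full, CoS 5 is the only value still accepted because it lives in the separate strict-priority queue.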


Figure 41-8 Receive Queue Drop Thresholds (default values shown)

[Diagram; recoverable labels only]
  Receive queue, from full to empty:
    Drop threshold 4: 100%   reserved for CoS 6 and 7
    Drop threshold 3:  80%   reserved for CoS 4 and higher
    Drop threshold 2:  60%   reserved for CoS 2 and higher
    Drop threshold 1:  50%   below this, available for traffic with any CoS value
  Traffic with a CoS value is dropped once the queue reaches that value's threshold:
    100% available for CoS 6 and 7
     80% available for CoS 4 and 5
     60% available for CoS 2 and 3
     50% available for CoS 0 and 1

Ethernet Ingress Port Classification Features with a Layer 3 Switching Engine


You can use the untrusted, trust-ipprec, trust-dscp, and trust-cos port keywords to classify traffic on
a per-port basis for a Layer 3 switching engine to mark.
The trust-ipprec and trust-dscp keywords are supported only with a Layer 3 switching engine and are
not supported on 1q4t ports except Gigabit Ethernet. On 1q4t ports (except Gigabit Ethernet), the
trust-cos port keyword displays an error message, activates receive-queue drop thresholds, and—as
indicated by the error message—does not apply the trust-cos trust state to traffic. You must configure
the trust-cos ACL that matches the ingress traffic to apply the trust-cos trust state.
In addition to per-port classification, you can create ACEs that classify traffic on a per-packet basis (for
IP and IPX traffic, see the “Named IP ACLs” section on page 41-38 and the “Creating or Modifying
Named IPX ACLs” section on page 41-42) or on a per-frame basis (for other traffic, see the “Creating
or Modifying Named MAC ACLs” section on page 41-43), regardless of the port configuration (see the
“Marking Rules” section on page 41-21).
To mark traffic in response to per-port classification, the traffic must match an ACE that contains the
dscp ACE keyword (see the “Marking Rules” section on page 41-21). In their default configuration, the
ACEs in the default ACLs contain the dscp ACE keyword. Table 41-1 lists the per-port classifications
and the marking rules that they invoke.


Table 41-1 Marking Based on Per-Port Classification

Port keyword   ACE keyword   Marking rule
untrusted      dscp          Set internal and egress DSCP as specified in the ACE.
trust-ipprec   dscp          For IP traffic, set internal and egress DSCP from the received
                             Layer 3 IP precedence value. For other traffic, set internal and
                             egress DSCP from the received or port Layer 2 CoS value.
                             Note: With the trust-ipprec port keyword, QoS uses only the IP
                             precedence bits. If traffic with a DSCP value enters the switch
                             through a port configured with the trust-ipprec port keyword,
                             the three most significant bits of the DSCP value are
                             interpreted as an IP precedence value; QoS ignores the rest of
                             the DSCP value.
trust-dscp     dscp          For IP traffic, set internal and egress DSCP from the received
                             Layer 3 DSCP value. For other traffic, set internal and egress
                             DSCP from the received or port Layer 2 CoS value.
trust-cos      dscp          Set internal and egress DSCP from the received or port Layer 2
                             CoS value.

QoS uses configurable mapping tables to set internal and egress DSCP, which is a 6-bit value, from CoS
and IP precedence, which are 3-bit values (for more information, see the “Internal DSCP Values” section
on page 41-15 and the “Configuring DSCP Value Maps” section on page 41-55).

Classification, Marking, and Policing with a Layer 3 Switching Engine

Note With a Layer 3 switching engine, the Catalyst 6000 family switches provide QoS only for the
following frame types: Ethernet_II, Ethernet_802.3, Ethernet_802.2, and Ethernet_SNAP.

These sections describe classification, marking, and policing with a Layer 3 switching engine:
• Internal DSCP Values, page 41-15
• ACLs, page 41-15
• Named ACLs, page 41-16
• Default ACLs, page 41-20
• Marking Rules, page 41-21
• Policing Rules, page 41-22
• PFC2 Policing Decisions, page 41-23
• Attaching ACLs, page 41-23
• Final Layer 3 Switching Engine CoS and ToS Values, page 41-24

Note Classification with a Layer 3 switching engine uses Layer 2, 3, and 4 values. Marking with a Layer 3
switching engine uses Layer 2 CoS values and Layer 3 IP precedence or DSCP values.


Internal DSCP Values


These sections describe the internal DSCP values:
• Internal DSCP Sources, page 41-15
• Egress DSCP and CoS Sources, page 41-15

Internal DSCP Sources

During processing, the priority of all traffic (including non-IP traffic) is represented with an internal
DSCP value. QoS derives the internal DSCP value from the following:
• For trust-cos traffic, from received or port Layer 2 CoS values (traffic from an untrusted port has
the port CoS value and if traffic from an untrusted port matches a trust-cos ACL, QoS derives the
internal DSCP value from the port CoS value)
• For trust-ipprec traffic, from received IP precedence values
• For trust-dscp traffic, from received DSCP values
• For untrusted traffic, from port CoS or configured DSCP values
The trust state of traffic is the trust state of the ingress port unless set otherwise by the matching ACE.

Note A trust-cos ACL cannot restore received CoS in traffic from untrusted ports. Traffic from untrusted
ports always has the port CoS value.

QoS uses configurable mapping tables to derive the internal 6-bit DSCP value from CoS or IP
precedence, which are 3-bit values (see the “Mapping Received CoS Values to Internal DSCP Values”
section on page 41-55 or the “Mapping Received IP Precedence Values to Internal DSCP Values” section
on page 41-56).

Egress DSCP and CoS Sources

For egress IP traffic, QoS creates a ToS byte from the internal DSCP value (which you can set equal to
an IP precedence value) and sends it to the egress port to be written into IP packets. For trust-dscp and
untrusted IP traffic, the ToS byte includes the original 2 least-significant bits from the received ToS
byte.
For all egress traffic, QoS uses a configurable mapping table to derive a CoS value from the internal
DSCP value associated with traffic (see the “Mapping Internal DSCP Values to Egress CoS Values”
section on page 41-56). QoS sends the CoS value to Ethernet egress ports for use in scheduling and to
be written into ISL and 802.1Q frames.

ACLs
QoS uses ACLs that contain ACEs. The ACEs specify classification criteria, a marking rule, and
policing rules. QoS compares received traffic to the ACEs in ACLs until a match occurs. When the
traffic matches the classification criteria in an ACE, QoS marks and polices the packet as specified in
the ACE and makes no further comparisons.
There are three ACL types: IP and, with a Layer 3 switching engine, IPX and MAC. QoS compares
traffic of each type (IP, IPX, and MAC) only to the corresponding ACL type (see Table 41-2).


Table 41-2 Supported Ethertype Field Values

ACL Type   Ethertype Field Value               Protocol
IP         0x0800                              IP
IPX        0x8137 and 0x8138                   IPX
MAC (1)    0x0600 and 0x0601                   XNS
           0x0BAD and 0x0BAF                   Banyan VINES
           0x6000-0x6009 and 0x8038-0x8042     DECnet
           0x809B and 0x80F3                   AppleTalk

1. QoS MAC ACLs that do not include an ethertype parameter match traffic with any value in the ethertype field, which allows
MAC-level QoS to be applied to any traffic except IP and IPX.

QoS supports user-created named ACLs, each containing an ordered list of ACEs, and user-configurable
default ACLs, each containing a single ACE.

Named ACLs
You create a named ACL when you enter an ACE with a new ACL name. You add an ACE to an existing
ACL when you enter an ACE with the name of the existing ACL.
You can specify the classification criteria for each ACE in a named ACL. The classification criteria can
be specific values or wildcards (for more information, see the “Creating or Modifying ACLs” section on
page 41-37).
These sections describe the classification criteria that can be specified in a named ACL:
• IP ACE Layer 3 Classification Criteria, page 41-16
• IP ACE Layer 4 Protocol Classification Criteria, page 41-17
• IP ACE Layer 4 TCP Classification Criteria, page 41-17
• IP ACE Layer 4 UDP Classification Criteria, page 41-18
• IP ACE Layer 4 ICMP Classification Criteria, page 41-18
• IP ACE Layer 4 IGMP Classification Criteria, page 41-19
• IPX ACE Classification Criteria, page 41-19
• MAC ACE Layer 2 Classification Criteria, page 41-20

IP ACE Layer 3 Classification Criteria

You can create IP ACEs that match traffic with specific Layer 3 values by including these Layer 3
parameters (see the “Named IP ACLs” section on page 41-38):
• IP source address and mask, entered as specific values or with the any keyword or with the host
keyword and a host address.
• IP destination address and mask, entered as specific values or with the any keyword or with the host
keyword and a host address.
• DSCP value (0–63) or IP precedence specified with a numeric value (0–7) or these keywords:
– Network (IP precedence 7)
– Internet (IP precedence 6)

– Critical (IP precedence 5)


– Flash-override (IP precedence 4)
– Flash (IP precedence 3)
– Immediate (IP precedence 2)
– Priority (IP precedence 1)
– Routine (IP precedence 0)

Note IP ACEs that do not include a DSCP or IP precedence value parameter match all DSCP
or IP precedence values.

IP ACE Layer 4 Protocol Classification Criteria

You can create IP ACEs that match specific Layer 4 protocol traffic by including a Layer 4 protocol
parameter (see the “IP ACLs for Other Layer 4 Protocols” section on page 41-41). You can specify the
protocol numerically (0–255) or with these keywords: ahp (51), eigrp (88), esp (50), gre (47),
icmp (1), igmp (2), igrp (9), ip (0), ipinip (4), nos (94), ospf (89), pcp (108), pim (103), tcp (6), or
udp (17).

Note IP ACEs that do not include a Layer 4 protocol parameter or that include the ip keyword match all
IP traffic.

IP ACE Layer 4 TCP Classification Criteria

You can create Transmission Control Protocol (TCP) ACEs that match traffic for specific TCP ports by
including TCP source and/or destination port parameters (for more information, see the “IP ACEs for
TCP Traffic” section on page 41-39). You can specify TCP port parameters numerically (0–65535) or
with these keywords:

bgp (179), chargen (19), daytime (13), discard (9), domain (53), echo (7), finger (79), ftp (21),
ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), lpd (515),
nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), telnet (23), time (37),
uucp (540), whois (43), or www (80).

Note TCP ACEs that do not include a Layer 4 TCP port parameter match all TCP traffic.


IP ACE Layer 4 UDP Classification Criteria

You can create User Datagram Protocol (UDP) ACEs that match traffic for specific UDP source and/or
destination ports by including UDP port parameters (for more information, see the “IP ACEs for UDP
Traffic” section on page 41-39). You can specify UDP port parameters numerically (0–65535) or with
these keywords:

biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (195), echo (7), mobile-ip (434),
nameserver (42), netbios-dgm (138), netbios-ns (137), ntp (123), rip (520), snmp (161),
snmptrap (162), sunrpc (111), syslog (514), tacacs (49), talk (517), tftp (69), time (37), who (513),
or xdmcp (177).

Note UDP ACEs that do not include a Layer 4 UDP port parameter match all UDP traffic.

IP ACE Layer 4 ICMP Classification Criteria

You can create Internet Control Message Protocol (ICMP) ACEs that match traffic containing
specific ICMP messages by including ICMP types and, optionally, ICMP codes (for more information,
see the “IP ACEs for ICMP Traffic” section on page 41-40). You can specify ICMP types and codes
numerically (0–255) or with these keywords:

Keyword                        Type   Code
administratively-prohibited       3     13
alternate-address (1)             6     all
conversion-error                 31      0
dod-host-prohibited               3     10
dod-net-prohibited                3      9
echo                              8      0
echo-reply                        0      0
general-parameter-problem (1)    12     all
host-isolated                     3      8
host-precedence-unreachable       3     14
host-redirect                     5      1
host-tos-redirect                 5      3
host-tos-unreachable              3     12
host-unknown                      3      7
host-unreachable                  3      1
information-reply                16      0
information-request              15      0
mask-reply                       18      0
mask-request                     17      0
mobile-redirect                  32      0
net-redirect                      5      0
net-tos-redirect                  5      2
net-tos-unreachable               3     11
net-unreachable                   3      0
network-unknown                   3      6
no-room-for-option               12      2
option-missing                   12      1
packet-too-big                    3      4
parameter-problem                12      0
port-unreachable                  3      3
precedence-unreachable            3     15
protocol-unreachable              3      2
reassembly-timeout               11      1
redirect (1)                      5     all
router-advertisement              9      0
router-solicitation              10      0
source-quench                     4      0
source-route-failed               3      5
time-exceeded (1)                11     all
timestamp-reply                  14      0
timestamp-request                13      0
traceroute                       30      0
ttl-exceeded                     11      0
unreachable (1)                   3     all

1. Matches all code values.

Note ICMP ACEs with only a Layer 4 ICMP type parameter match all code values for that type value.
ICMP ACEs that do not include any Layer 4 ICMP type and code parameters match all ICMP traffic.

IP ACE Layer 4 IGMP Classification Criteria

You can create IGMP ACEs that match traffic containing specific IGMP messages by including an
IGMP type parameter (for more information, see the “IP ACEs for IGMP Traffic” section on
page 41-40). You can specify the IGMP type numerically (0–255) or with these keywords:
host-query (1), host-report (2), dvmrp (3), pim (4), or trace (5).

Note QoS does not support Internet Group Management Protocol (IGMP) traffic when IGMP snooping is
enabled. QoS supports IGMP classification using version 1 four-bit Type fields.

Note IGMP ACEs that do not include a Layer 4 IGMP type parameter match all IGMP traffic.

IPX ACE Classification Criteria

You can create IPX ACEs that match specific IPX traffic by including these parameters (for more
information, see the “Creating or Modifying Named IPX ACLs” section on page 41-42):
• IPX source network (-1 matches any network number)
• Protocol, which can be specified numerically (0–255) or with these keywords: any, ncp (17),
netbios (20), rip (1), sap (4), spx (5)
• IPX ACEs support the following optional parameters:
– IPX destination network (-1 matches any network number)
– If you specify an IPX destination network, IPX ACEs support the following optional
parameters: an IPX destination network mask (-1 matches any network number), an IPX
destination node, and an IPX destination node mask


MAC ACE Layer 2 Classification Criteria

You can create MAC ACEs that match specific Ethernet traffic by including these Layer 2 parameters
(for more information, see the “Creating or Modifying Named MAC ACLs” section on page 41-43):
• Ethernet source and destination addresses and masks, entered as specific values or with the any
keyword or with the host keyword and a host Ethernet address
• Optionally, an ethertype parameter from this list:
– 0x809B (or ethertalk)
– 0x80F3 (or aarp)
– 0x6001 (or dec-mop-dump)
– 0x6002 (or dec-mop-remote-console)
– 0x6003 (or dec-phase-iv)
– 0x6004 (or dec-lat)
– 0x6005 (or dec-diagnostic-protocol)
– 0x6007 (or dec-lavc-sca)
– 0x6008 (or dec-amber)
– 0x6009 (or dec-mumps)
– 0x8038 (or dec-lanbridge)
– 0x8039 (or dec-dsm)
– 0x8040 (or dec-netbios)
– 0x8041 (or dec-msdos)
– 0x8042 (no keyword)
– 0x0BAD (no keyword)
– 0x0baf (or banyan-vines-echo)
– 0x0600 (or xerox-ns-idp)
QoS MAC ACLs that do not include an ethertype parameter match traffic with any value in the ethertype
field, which allows MAC-level QoS to be applied to any traffic except IP and IPX.

Default ACLs
There are three default ACLs, one each for IP and, with a Layer 3 switching engine, IPX and MAC
traffic. Each ACL has a single ACE that has a configurable marking rule and configurable policing rules.
The default ACLs have nonconfigurable classification criteria that matches all traffic. QoS compares
any traffic with a supported ethertype field value that does not match a named ACL to the default ACLs.
Unmatched IP traffic matches the default IP ACL. Unmatched IPX traffic matches the default IPX ACL.
Unmatched Ethernet traffic matches the default MAC ACL.

Note All traffic matches an ACE in an ACL, either an ACE in a named ACL or one of the default ACLs,
because the default ACLs match all traffic.


Marking Rules

Note Marking is not supported for IPX or MAC traffic with a PFC2.

Marking rules specify how QoS marks traffic when the traffic matches the filtering parameters in an
ACE (see the “ACE Name, Marking Rule, Policing, and Filtering Syntax” section on page 41-37). QoS
supports four marking rules, specified with the following four ACE keywords: trust-dscp, trust-ipprec,
trust-cos, and dscp. Each ACE contains one of the keywords. The marking rules are as follows:
• trust-dscp (IP ACLs only)—Instructs QoS to set internal and egress DSCP from received DSCP
values (see the “Internal DSCP Values” section on page 41-15).
• trust-ipprec (IP ACLs only)—Instructs QoS to set internal and egress DSCP from received IP
precedence values.

Note With the trust-ipprec port keyword, QoS uses only the IP precedence bits. If traffic with
a DSCP value enters the switch through a port configured with the trust-ipprec port
keyword, the three most significant bits of the DSCP value are interpreted as an IP
precedence value; QoS ignores the rest of the DSCP value.

• trust-cos (all ACLs except IPX and MAC with a PFC2)—Instructs QoS to set internal and egress
DSCP from received or port CoS values. In traffic from ports configured with the trust-cos
keyword, the CoS value is that received in ISL and 802.1Q frames; in all other cases, the CoS value
is that configured on the port (default is zero).
• dscp (all ACLs except IPX and MAC with a PFC2)—Instructs QoS to mark traffic as indicated by
the port trust keywords:
– In IP traffic from ingress ports configured with the trust-dscp port keyword, the dscp ACE
keyword instructs QoS to set the internal and egress DSCP values from the received DSCP
values. In non-IP traffic, QoS sets the DSCP from the received or port CoS value.
– In IP traffic from ingress ports configured with the trust-ipprec port keyword, the dscp ACE
keyword instructs QoS to set the internal and egress DSCP values from the received IP
precedence values. In non-IP traffic, QoS sets the DSCP value from the received or port CoS
value.
– In traffic from ingress ports configured with the trust-cos port keyword, the dscp ACE keyword
instructs QoS to set the internal and egress DSCP values from the received or port CoS values.
– In traffic from ingress ports configured with the untrusted port keyword, the dscp ACE
keyword instructs QoS to set the internal and egress DSCP values from the DSCP value in the
ACE.

Note The default configuration of the ACEs in the default ACLs contains the dscp ACE
keyword, which supports per-port classification of traffic. With the default values, the
ACEs in the default ACLs apply DSCP zero to traffic from ingress ports configured with
the untrusted port keyword.

QoS uses configurable mapping tables to set the DSCP value, which is 6 bits, from CoS and IP
precedence, which are 3-bit values (for more information, see the “Mapping Received CoS Values to
Internal DSCP Values” section on page 41-55 and the “Mapping Received IP Precedence Values to
Internal DSCP Values” section on page 41-56).
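The following is a worked model of the rules in Table 41-1, “Internal DSCP Sources”, “Default ACLs” and this section, added here as an illustration in Python; it is not Cisco code or CatOS configuration. It assumes the factory-default map tables (CoS or IP precedence n maps to DSCP 8n, and internal DSCP maps to egress CoS as dscp // 8), reduces ACE classification criteria to a protocol and a destination port, and uses one ACE list with one default ACE in place of the separate IP, IPX and MAC ACLs. The phrase “received or port CoS” is read as: the tag value when the ingress port is trusted and the frame carried an ISL or 802.1Q tag, otherwise the port CoS.

```python
"""Added illustration (Python, not Cisco code): ingress classification and
marking on a Layer 3 switching engine, following Table 41-1, "Internal DSCP
Sources", "Default ACLs" and "Marking Rules".

Assumptions: factory-default map tables (CoS or IP precedence n -> DSCP 8n,
DSCP -> CoS dscp // 8); ACE criteria reduced to protocol and destination
port; one ACE list plus one default ACE instead of separate IP/IPX/MAC ACLs.
"""
from dataclasses import dataclass
from typing import Optional

COS_TO_DSCP = [8 * n for n in range(8)]      # default CoS-to-DSCP map
IPPREC_TO_DSCP = [8 * n for n in range(8)]   # default IP-precedence-to-DSCP map


def dscp_to_cos(dscp: int) -> int:
    """Default internal-DSCP-to-egress-CoS map: the top three bits."""
    return dscp >> 3


@dataclass
class Frame:
    is_ip: bool
    tagged: bool = False              # ISL or 802.1Q frame carrying a CoS field
    cos: int = 0                      # received CoS, meaningful only if tagged
    dscp: int = 0                     # received DSCP, meaningful only if is_ip
    protocol: Optional[str] = None    # "tcp", "udp", ... for IP frames
    dst_port: Optional[int] = None


@dataclass
class Ace:
    name: str
    marking: str                      # dscp | trust-dscp | trust-ipprec | trust-cos
    dscp: int = 0                     # value applied by 'dscp' on an untrusted port
    protocol: Optional[str] = None    # None = wildcard, matches all IP traffic
    dst_port: Optional[int] = None    # None = wildcard, matches all ports

    def matches(self, f: Frame) -> bool:
        if self.protocol is not None and f.protocol != self.protocol:
            return False
        if self.dst_port is not None and f.dst_port != self.dst_port:
            return False
        return True


# Default ACL: one nonconfigurable match-all ACE, 'dscp' keyword, value 0.
DEFAULT_ACE = Ace("default", "dscp", dscp=0)


def lookup(named_acl, f: Frame) -> Ace:
    """First matching ACE wins; traffic matching no named ACE falls to the
    default ACL, so every frame matches exactly one ACE."""
    for ace in named_acl:
        if ace.matches(f):
            return ace
    return DEFAULT_ACE


def effective_cos(f: Frame, port_trust: str, port_cos: int) -> int:
    """CoS that QoS works with.  An untrusted port always imposes the port
    CoS, so a trust-cos ACE cannot restore the tag value (see the Note in
    "Internal DSCP Sources").  'Received or port CoS' on trusted ports is
    read here as: the tag value if the frame carried one, else port CoS."""
    if port_trust != "untrusted" and f.tagged:
        return f.cos
    return port_cos


def internal_dscp(f: Frame, port_trust: str, port_cos: int, ace: Ace) -> int:
    cos = effective_cos(f, port_trust, port_cos)
    rule = ace.marking
    if rule == "dscp":
        rule = port_trust             # 'dscp' ACE keyword defers to port trust
    if rule == "untrusted":
        return ace.dscp               # DSCP written in the ACE (default ACL: 0)
    if rule == "trust-cos" or not f.is_ip:
        return COS_TO_DSCP[cos]       # non-IP traffic always goes via CoS
    if rule == "trust-dscp":
        return f.dscp
    if rule == "trust-ipprec":
        return IPPREC_TO_DSCP[f.dscp >> 3]   # low three DSCP bits are ignored
    raise ValueError(f"unknown marking rule {rule!r}")


def classify(f: Frame, port_trust: str, port_cos: int = 0, named_acl=()):
    """Return (matched ACE name, internal DSCP, egress CoS)."""
    ace = lookup(list(named_acl), f)
    internal = internal_dscp(f, port_trust, port_cos, ace)
    return ace.name, internal, dscp_to_cos(internal)


if __name__ == "__main__":
    # Constructed sample: a tagged SIP packet marked EF (DSCP 46, CoS 5).
    ef = Frame(is_ip=True, tagged=True, cos=5, dscp=46, protocol="udp", dst_port=5060)
    for trust in ("trust-dscp", "trust-ipprec", "trust-cos", "untrusted"):
        print(f"{trust:13} default ACL -> {classify(ef, trust)}")
    voice = [Ace("voice", "trust-dscp", protocol="udp", dst_port=5060)]
    print("untrusted port, trust-dscp ACE ->", classify(ef, "untrusted", named_acl=voice))
    print("untrusted port, trust-cos ACE  ->",
          classify(ef, "untrusted", named_acl=[Ace("restore", "trust-cos")]))
```

Running the sample shows two things the prose states but that are easy to miss: EF (DSCP 46) arriving on a trust-ipprec port leaves as DSCP 40, because only precedence 5 survives the 3-bit truncation, and a trust-cos ACE applied to an untrusted port yields the port CoS (0 by default), not the tag value. It also makes the trust boundary concrete: every port left in a trust-dscp, trust-ipprec or trust-cos state lets whoever controls that segment choose the priority their traffic receives inside the switch.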


Policing Rules
You can create named policing rules that specify bandwidth utilization limits, which you can apply to
traffic by including the policing rule name in an ACE (for more information, see the “Creating Policing
Rules” section on page 41-34).
Policing uses a token bucket scheme. As packets arrive, the packet size in bytes is added to the bucket
level. Every 0.25 milliseconds, a value equal to the token rate is subtracted from the bucket level.
You specify the bandwidth utilization limits as an average rate and a maximum burst size. Packets that
exceed these limits are “out of profile.” Traffic is in profile as long as it flows in at an average rate and
never bursts beyond the burst size.
In each policing rule, you specify if out-of-profile packets are to be dropped or to have a new DSCP
value applied to them (applying a new DSCP value is called “markdown”). Since out-of-profile packets
do not retain their original priority, they are not counted as part of the bandwidth consumed by in-profile
packets.
For all policing rules, QoS uses a configurable table that maps received DSCP values to marked-down
DSCP values (for more information, see the “Mapping DSCP Markdown Values” section on
page 41-57). When markdown occurs, QoS gets the marked-down DSCP value from the table. You
cannot specify a marked-down DSCP value in individual policing rules.

Note By default, the markdown table is configured so that no markdown occurs: the marked-down DSCP
values are equal to the received DSCP values. To enable markdown, configure the table appropriately
for your network.

You give each policing rule a unique name when you create it and then use the name to include the
policing rule in an ACE. The same policing rule can be used in multiple ACEs.
You can create these policing rules:
• Microflow—QoS applies the bandwidth limit specified in a microflow policing rule separately to
each flow that matches any ACEs that use that particular microflow policing rule. You can create
up to 63 microflow policing rules.
• Aggregate—QoS applies the bandwidth limits specified in an aggregate policing rule cumulatively
to all flows that match any ACEs that use that particular aggregate policing rule. You can create up
to 1023 aggregate policing rules.
• With a PFC2, you can specify a dual rate aggregate policing rule with a normal rate and an excess
rate.
– Normal rate—packets exceeding this rate are marked down.
– Excess rate—packets exceeding this rate are either marked down or dropped as specified by the
drop indication flag.

Note The drop indication flag applies to the excess rate policer and cannot be set for the normal
rate policer. To achieve the effect of a drop indication flag for the normal rate aggregate
policer, set the excess rate equal to the normal rate and set the drop indication flag.
Alternatively, you can set the normal rate without specifying an excess rate, which
automatically sets the excess rate to the normal rate when the drop indicator flag is on.

You can include both a microflow policing rule and an aggregate policing rule in each ACE to police a
flow based on both its own bandwidth utilization and on its bandwidth utilization combined with that of
other flows.


For example, you could create a microflow policing rule named “group_individual” with bandwidth
limits suitable for individuals in a group and you could create an aggregate policing rule named
“group_all” with bandwidth limits suitable for the group as a whole. You could include both policing
rules in ACEs that match the group’s traffic. The combination would affect individuals separately and
the group cumulatively.
For ACEs that include both a microflow policing rule and an aggregate policing rule, QoS responds to
an out-of-profile status from either policing rule and, as specified by the policing rule, applies a new
DSCP value or drops the packet. If both policing rules return an out-of-profile status, then if either
policing rule specifies that the packet is to be dropped, it is dropped; otherwise, QoS applies a new DSCP
value.
Follow these guidelines when creating policing rules:
• You can include a microflow policing rule in IP ACEs. You cannot include a microflow policing
rule in IPX or MAC ACEs. IPX and MAC ACEs support only aggregate policing rules.
• By default, microflow policing rules do not affect bridged traffic. To enable microflow policing of
bridged traffic, enter the set qos bridged-microflow-policing command (for more information, see
the “Enabling or Disabling Microflow Policing of Bridged Traffic” section on page 41-48).
• With a Layer 3 Switching Engine II, to do any microflow policing, you must enable microflow
policing of bridged traffic.
• With an MSFC, QoS does not apply microflow policing rules to Multilayer Switching (MLS)
candidate frames (MSFC2 does not use candidate and enabler frames).
• To avoid inconsistent results, all ACEs that include the same aggregate policing rule must use the
same ACE keyword: trust-dscp, trust-ipprec, trust-cos, or dscp. If the ACE uses the dscp
keyword, all traffic that matches the ACE must come through ports configured with the same port
keyword: trust-dscp, trust-ipprec, trust-cos, or untrusted. If the ACL is attached to a VLAN, all
ports in the VLAN must be configured with the same port keyword.

PFC2 Policing Decisions


With a PFC2, the policing decision consists of two levels:
• Normal Police Level—Set if either the microflow policer or the aggregate normal rate policer
returns an out-of-profile decision.
• Excess Police Level—Set if the aggregate excess rate policer returns an out-of-profile decision.
Packets are dropped if the excess rate aggregate policer returns an out-of-profile decision and the drop
indication flag is set, or if the microflow policer returns an out-of-profile decision and the drop
indication flag is set.
If an excess police level is set, the excess DSCP mapping is used to replace the original DSCP value with
a marked-down value. If only a normal police level is set, the normal DSCP mapping is used. The excess
police level has precedence for selecting mapping rules when both police levels are set because the
excess police level represents the worst out-of-profile transgression.
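The policing mechanism described in “Policing Rules” and the two-level decision described in this section, as an added Python model; it is an illustration, not Cisco code. It assumes rate in kbps and burst in kbit (the units of the CatOS set qos policer command), time counted in the 0.25 ms token-removal ticks the text describes, and markdown maps passed in explicitly, defaulting to the identity map (no markdown) like the factory policed-DSCP map. A single-rate rule is modelled as an aggregate whose excess bucket is its normal bucket, which reproduces the note above about obtaining a drop flag for the normal rate.

```python
"""Added illustration (Python, not Cisco code): the token-bucket policer of
"Policing Rules" and the two-level decision of "PFC2 Policing Decisions".

Assumptions: rate in kbps and burst in kbit (the units of the CatOS set qos
policer command); time counted in the 0.25 ms token-removal ticks the text
describes; markdown maps passed explicitly, defaulting to the identity map
(no markdown), like the factory policed-DSCP map.  A single-rate rule is an
aggregate whose excess bucket *is* its normal bucket.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TICKS_PER_SECOND = 4000        # one token-removal interval every 0.25 ms


class TokenBucket:
    """Bucket level grows by each in-profile packet's size and shrinks by the
    token rate every tick.  A packet is in profile when it fits under the
    burst size; out-of-profile packets are not added, so they do not consume
    the in-profile budget (as the text notes)."""

    def __init__(self, rate_kbps: int, burst_kbit: int):
        self.bytes_per_tick = rate_kbps * 1000 / 8 / TICKS_PER_SECOND
        self.burst_bytes = burst_kbit * 1000 / 8
        self.level = 0.0
        self.last_tick = 0

    def offer(self, size: int, tick: int) -> bool:
        elapsed = tick - self.last_tick
        self.last_tick = tick
        self.level = max(0.0, self.level - elapsed * self.bytes_per_tick)
        if self.level + size > self.burst_bytes:
            return False           # out of profile
        self.level += size
        return True                # in profile


@dataclass
class Microflow:
    bucket: TokenBucket
    drop: bool                     # drop (True) or mark down out-of-profile packets


@dataclass
class Aggregate:
    normal: TokenBucket
    excess: TokenBucket            # same object as normal for a single-rate rule
    drop: bool                     # drop indication flag; applies to the excess rate


def single_rate(rate_kbps: int, burst_kbit: int, drop: bool) -> Aggregate:
    """PFC1-style rule, or the PFC2 trick of excess rate == normal rate."""
    tb = TokenBucket(rate_kbps, burst_kbit)
    return Aggregate(tb, tb, drop)


def police(size: int, tick: int, dscp: int,
           micro: Optional[Microflow] = None, agg: Optional[Aggregate] = None,
           normal_map: Optional[Dict[int, int]] = None,
           excess_map: Optional[Dict[int, int]] = None) -> Tuple[str, Optional[int]]:
    """Decide one packet: ('in-profile', dscp), ('markdown', new_dscp) or
    ('drop', None)."""
    normal_map = normal_map or {}
    excess_map = excess_map or {}
    normal_level = excess_level = drop = False

    # Normal police level: microflow or aggregate normal rate out of profile.
    if micro is not None and not micro.bucket.offer(size, tick):
        normal_level = True
        drop = drop or micro.drop

    if agg is not None:
        n_ok = agg.normal.offer(size, tick)
        if agg.excess is agg.normal:            # single-rate aggregate
            if not n_ok:
                normal_level = True
                drop = drop or agg.drop
        else:                                   # dual-rate aggregate (PFC2)
            e_ok = agg.excess.offer(size, tick)
            normal_level = normal_level or not n_ok
            if not e_ok:                        # excess police level
                excess_level = True
                drop = drop or agg.drop

    if drop:
        return "drop", None
    if excess_level:               # worst transgression selects the map
        return "markdown", excess_map.get(dscp, dscp)
    if normal_level:
        return "markdown", normal_map.get(dscp, dscp)
    return "in-profile", dscp


def demo_burst(packets, dscp: int = 46):
    """Constructed scenario: an 8 Mbps / 16 kbit microflow rule that marks
    down, plus a dual-rate aggregate of 8 Mbps normal and 16 Mbps / 32 kbit
    excess with the drop flag set.  EF (46) is marked down to 8 (CS1)."""
    micro = Microflow(TokenBucket(8000, 16), drop=False)
    agg = Aggregate(TokenBucket(8000, 16), TokenBucket(16000, 32), drop=True)
    markdown = {46: 8}
    return [police(size, tick, dscp, micro, agg, markdown, markdown)
            for size, tick in packets]


if __name__ == "__main__":
    # Three 1500-byte packets back to back, then one 2 ms (8 ticks) later.
    for result in demo_burst([(1500, 0), (1500, 0), (1500, 0), (1500, 8)]):
        print(result)
```

The constructed burst shows the escalation the text describes: the first packet is in profile, the second exceeds the normal rate and is marked down, the third also exceeds the excess rate and is dropped because the drop flag is set, and a packet arriving 2 ms later finds both buckets drained and is in profile again. Note also what the accounting rule does in practice: because out-of-profile packets are not charged to the bucket, a flood that is only marked down leaves the in-profile budget intact for well-behaved flows, but with the factory identity markdown map that markdown changes nothing, so a policer intended to protect egress capacity needs either the drop flag or a markdown map that actually lowers the DSCP.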

Attaching ACLs
You can configure each port for either port-based QoS (default) or VLAN-based QoS (see the “Enabling
Port-Based or VLAN-Based QoS” section on page 41-32) and attach ACLs to the selected interface (see
the “Attaching ACLs to Interfaces” section on page 41-46). You can attach up to three named ACLs, one
of each type (IP, IPX, and Ethernet) to each port and VLAN.


On ports configured for VLAN-based QoS, you can attach named ACLs to the port’s VLAN; or for a
trunk, you can attach named ACLs to any VLANs allowed on the trunk as follows:
• On a port configured for VLAN-based QoS, traffic received through the port is compared to any
named ACLs attached to the port’s VLAN. If you do not attach any named ACLs to the port’s
VLAN, or if the traffic does not match an ACE in a named ACL, QoS compares the traffic received
through the port to the default ACLs.
• On a trunk configured for VLAN-based QoS, traffic received through the port is compared to any
named ACLs attached to the traffic’s VLAN. For traffic in VLANs that have no named ACLs
attached, or if the traffic does not match an ACE in a named ACL, QoS compares the traffic to the
default ACLs.
On ports configured for port-based QoS, you can attach named ACLs to the port as follows:
• On a port configured for port-based QoS, traffic received through the port is compared to any named
ACLs attached to the port. If you do not attach any named ACLs to the port, or if the traffic does
not match an ACE in a named ACL, QoS compares the traffic received through the port to the
default ACLs.
• On a trunk configured for port-based QoS, traffic in all VLANs received through the port is
compared to any named ACLs attached to the port. If you do not attach any named ACLs to the port,
or if the traffic does not match an ACE in a named ACL, QoS compares the traffic received through
the port to the default ACLs.

Final Layer 3 Switching Engine CoS and ToS Values


With a Layer 3 switching engine, QoS associates CoS and ToS values with traffic as specified by the
marking and policing rules in the ACE that the traffic matches (see the “Internal DSCP Values” section
on page 41-15). The associated CoS and ToS are used at the Ethernet egress port (see the “Ethernet
Egress Port Scheduling, Congestion Avoidance, and Marking” section on page 41-24).

Classification and Marking with a Layer 2 Switching Engine


With a Layer 2 Switching Engine, QoS can classify traffic addressed to specified MAC address/VLAN
pairs to be marked with a configured CoS value (for more information, see the “Definitions” section on
page 41-2 and the “Mapping a CoS Value to a Host Destination MAC Address/VLAN Pair” section on
page 41-47).

Note Classification and marking with a Layer 2 Switching Engine uses Layer 2 CoS values. Classification
and marking with a Layer 2 Switching Engine does not use or set Layer 3 IP precedence or DSCP
values.

Ethernet Egress Port Scheduling, Congestion Avoidance, and Marking


These sections describe Ethernet egress port scheduling, congestion avoidance, and marking:
• Overview, page 41-25
• Transmit Queues, page 41-25
• Scheduling and Congestion Avoidance, page 41-25
• Marking, page 41-27


Overview
QoS schedules traffic through the transmit queues based on CoS values and uses CoS-value-based
transmit-queue drop thresholds to avoid congestion in traffic transmitted from Ethernet ports.

Note Ethernet egress port scheduling and congestion avoidance uses Layer 2 CoS values. Ethernet egress
port marking writes Layer 2 CoS values and, for IP traffic, the Layer 3 ToS byte.

Transmit Queues
Enter the show port capabilities command to see the queue structure of a port. The command displays
one of the following:
• tx-(2q2t)—Two standard queues with two thresholds each
• tx-(1p2q2t)—One strict-priority queue and two standard queues with two thresholds each
• tx-(1p3q1t)—One strict-priority queue and three standard queues with one threshold each
All ports have a low-priority and a high-priority standard transmit queue. 1p3q1t ports have a
medium-priority standard transmit queue. 1p2q2t and 1p3q1t ports have a strict-priority transmit queue
in addition to the standard queues.
On 2q2t ports, the default QoS configuration allocates a minimum of 80 percent of the total transmit
queue size to the low-priority standard queue and a minimum of 20 percent to the high-priority standard
queue.
On 1p2q2t and 1p3q1t ports, the switch services traffic in the strict-priority queue before servicing the
standard queues. When the switch is servicing a standard queue, after transmitting a packet, it checks
for traffic in the strict-priority queue. If the switch detects traffic in the strict-priority queue, it suspends
its service of the standard queue and completes service of all traffic in the strict-priority queue before
returning to the standard queue.
On 1p2q2t ports, the default QoS configuration allocates a minimum of 70 percent of the total transmit
queue size to the low-priority standard queue, a minimum of 15 percent to the high-priority standard
queue, and a minimum of 15 percent to the strict-priority queue.
On 1p3q1t ports, the transmit queue size is not configurable and is allocated equally among all queues.

Scheduling and Congestion Avoidance


These sections describe scheduling and congestion avoidance:
• 2q2t Ports, page 41-26
• 1p2q2t Ports, page 41-26
• 1p3q1t Ports, page 41-26

Note The explanations in these sections use default values. You can configure many of the parameters (for
more information, see the “Configuring QoS” section on page 41-30). All ports of the same type use
the same drop-threshold configuration.

Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4


78-13315-02 41-25
Chapter 41 Configuring QoS
Understanding How QoS Works

2q2t Ports

For 2q2t ports, each transmit queue has two drop thresholds that function as follows:
• Frames with CoS 0, 1, 2, or 3 go to the low-priority transmit queue (queue 1):
– Using transmit queue 1, drop threshold 1, the switch drops frames with CoS 0 or 1 when the
low-priority transmit-queue buffer is 80 percent full.
– Using transmit queue 1, drop threshold 2, the switch drops frames with CoS 2 or 3 when the
low-priority transmit-queue buffer is 100 percent full.
• Frames with CoS 4, 5, 6, or 7 go to the high-priority transmit queue (queue 2):
– Using transmit queue 2, drop threshold 1, the switch drops frames with CoS 4 or 5 when the
high-priority transmit-queue buffer is 80 percent full.
– Using transmit queue 2, drop threshold 2, the switch drops frames with CoS 6 or 7 when the
high-priority transmit-queue buffer is 100 percent full.

1p2q2t Ports

For 1p2q2t ports, the low- and high-priority standard transmit queues each have two drop thresholds that
function as follows:
• Frames with CoS 0, 1, 2, or 3 go to the low-priority standard transmit queue (queue 1):
– Using standard transmit queue 1, drop threshold 1, the switch drops frames with CoS 0 or 1
when the low-priority transmit-queue buffer is 80 percent full.
– Using standard transmit queue 1, drop threshold 2, the switch drops frames with CoS 2 or 3
when the low-priority transmit-queue buffer is 100 percent full.
• Frames with CoS 4, 6, or 7 go to the high-priority standard transmit queue (queue 2):
– Using standard transmit queue 2, drop threshold 1, the switch drops frames with CoS 4 when
the high-priority transmit-queue buffer is 80 percent full.
– Using standard transmit queue 2, drop threshold 2, the switch drops frames with CoS 6 or 7
when the high-priority transmit-queue buffer is 100 percent full.
• Frames with CoS 5 go to the strict-priority transmit queue (queue 3), where the switch drops frames
only when the buffer is 100 percent full.

1p3q1t Ports

For 1p3q1t ports, each queue has one drop threshold that functions as follows:
• Frames with CoS 0 and 1 go to the low-priority standard transmit queue (queue 1).
• Frames with CoS 2, 3, or 4 go to the medium-priority standard transmit queue (queue 2).
• Frames with CoS 6 or 7 go to the high-priority standard transmit queue (queue 3).
• Frames with CoS 5 go to the strict-priority transmit queue (queue 3), where the switch drops frames
only when the buffer is 100 percent full.

Note You can configure each standard transmit queue to use both a tail-drop and a WRED-drop threshold
by mapping a CoS value to a queue or to a queue and a threshold. The switch uses tail-drop
thresholds for traffic carrying CoS values mapped only to a queue. The switch uses WRED-drop
thresholds for traffic carrying CoS values mapped to a queue and a threshold.
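
The queue selection, drop thresholds and strict-priority service described in the three sections above, as an added Python model that is not part of this guide or of Cisco's software. It uses the default mappings stated above (and the Table 41-3 WRED defaults for 1p3q1t ports); queue names stand in for the chapter's queue numbers, and round-robin service between the standard queues is an assumption of the model.

```python
"""Constructed model of the egress behaviour described above: default CoS to
transmit-queue mapping, tail-drop and WRED thresholds, and strict-priority
scheduling. Illustration only, not Cisco code; queue names stand in for the
chapter's queue numbers."""
from collections import deque

# Default CoS -> (queue, threshold index) per port type, from the text above.
# The strict-priority queue has no configurable threshold (None).
QUEUE_MAP = {
    "2q2t":   {0: ("low", 1), 1: ("low", 1), 2: ("low", 2), 3: ("low", 2),
               4: ("high", 1), 5: ("high", 1), 6: ("high", 2), 7: ("high", 2)},
    "1p2q2t": {0: ("low", 1), 1: ("low", 1), 2: ("low", 2), 3: ("low", 2),
               4: ("high", 1), 6: ("high", 2), 7: ("high", 2),
               5: ("strict", None)},
    "1p3q1t": {0: ("low", 1), 1: ("low", 1),
               2: ("medium", 1), 3: ("medium", 1), 4: ("medium", 1),
               6: ("high", 1), 7: ("high", 1), 5: ("strict", None)},
}
# Default tail-drop points (percent full) for thresholds 1 and 2 on 2q2t/1p2q2t.
TAIL_DROP = {1: 80, 2: 100}
# Default 1p3q1t WRED-drop thresholds (low, high) from Table 41-3.
WRED_1P3Q1T = (70, 100)


def egress_cos(internal_dscp):
    """Default internal-DSCP-to-egress-CoS map (DSCP 0-7 -> CoS 0, 8-15 -> CoS 1, ...)."""
    if not 0 <= internal_dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return internal_dscp >> 3


def select_queue(port_type, cos):
    """Return (queue name, threshold index) a frame with this CoS is placed in."""
    return QUEUE_MAP[port_type][cos]


def drop_probability(port_type, cos, fill_percent):
    """Chance a frame is dropped given how full its queue is.
    2q2t/1p2q2t standard queues: tail drop at the threshold's percentage.
    1p3q1t standard queues: WRED ramp from 0 at the low to 1 at the high threshold.
    Strict-priority queue: dropped only when the buffer is 100 percent full."""
    queue, threshold = select_queue(port_type, cos)
    if queue == "strict":
        return 1.0 if fill_percent >= 100 else 0.0
    if port_type == "1p3q1t":
        low, high = WRED_1P3Q1T
        if fill_percent < low:
            return 0.0
        if fill_percent >= high:
            return 1.0
        return (fill_percent - low) / (high - low)
    return 1.0 if fill_percent >= TAIL_DROP[threshold] else 0.0


def transmit_order(queues, strict_arrivals=None):
    """Drain the port's queues and return the frames in transmission order.

    queues: {"low": [...], "medium": [...], "high": [...], "strict": [...]}
    strict_arrivals: {n: [frames]} frames that reach the strict-priority queue
    after n frames have been sent. After every standard-queue frame the
    scheduler checks the strict-priority queue and empties it before going on.
    Standard queues are served round-robin here (assumption); the guide shares
    them by a configurable bandwidth ratio, which this model does not reproduce."""
    q = {name: deque(frames) for name, frames in queues.items()}
    q.setdefault("strict", deque())
    pending = dict(strict_arrivals or {})
    standard = [n for n in ("high", "medium", "low") if n in q]
    sent = []

    def deliver_arrivals():
        q["strict"].extend(pending.pop(len(sent), []))

    def drain_strict():
        while q["strict"]:
            sent.append(q["strict"].popleft())
            deliver_arrivals()

    deliver_arrivals()
    drain_strict()
    while any(q[n] for n in standard):
        for name in standard:
            if q[name]:
                sent.append(q[name].popleft())
                deliver_arrivals()
                drain_strict()
    return sent
```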

Marking
When traffic is transmitted from the switch, QoS writes the ToS byte into IP traffic (Layer 3 switching
engine only) and the CoS value that was used for scheduling and congestion avoidance into ISL or
802.1Q traffic (for more information, see the “Final Layer 3 Switching Engine CoS and ToS Values”
section on page 41-24).

QoS Statistics Data Export


The QoS statistics data export feature generates per-port and per-aggregate-policer utilization
information and forwards it in UDP packets to traffic monitoring, planning, or accounting
applications. You can enable QoS statistics data export on a per-port or on a per-aggregate-policer basis.
The statistics generated per port consist of counts of the input and output packets and bytes. The
aggregate policer statistics consist of counts of allowed packets and counts of packets exceeding the
policed rate.
The QoS statistics data collection occurs periodically at a fixed interval of 5 minutes, but the interval at
which the data is exported is configurable. QoS statistics collection is enabled by default, and the data
export feature is disabled by default for all ports and all aggregate policers configured on the
Catalyst 6000 family switch.

Note Per-port counter information and utilization statistics are not available for ATM ports.

Note The QoS statistics data export feature is completely separate from TopN and NetFlow Data Export
and does not interact with either of these features.


QoS Default Configuration


Table 41-3 shows the QoS default configuration.

Table 41-3 QoS Default Configuration

Feature                                        Default Value
---------------------------------------------  --------------------------------------------------
QoS enable state                               Disabled
                                               Note—With QoS enabled and all other QoS parameters
                                               at default values, QoS sets Layer 3 DSCP to zero
                                               and Layer 2 CoS to zero in all traffic transmitted
                                               from the switch.
Port CoS value                                 0
IntraVLAN microflow policing                   Disabled
CoS to internal DSCP map                       CoS 0 = DSCP 0, CoS 1 = DSCP 8, CoS 2 = DSCP 16,
(internal DSCP set from CoS values)            CoS 3 = DSCP 24, CoS 4 = DSCP 32, CoS 5 = DSCP 40,
                                               CoS 6 = DSCP 48, CoS 7 = DSCP 56
IP precedence to internal DSCP map             IP precedence 0 = DSCP 0, 1 = DSCP 8, 2 = DSCP 16,
(internal DSCP set from IP precedence values)  3 = DSCP 24, 4 = DSCP 32, 5 = DSCP 40, 6 = DSCP 48,
                                               7 = DSCP 56
Internal DSCP to egress CoS map                DSCP 0–7 = CoS 0, DSCP 8–15 = CoS 1, DSCP 16–23 = CoS 2,
(egress CoS set from internal DSCP values)     DSCP 24–31 = CoS 3, DSCP 32–39 = CoS 4, DSCP 40–47 = CoS 5,
                                               DSCP 48–55 = CoS 6, DSCP 56–63 = CoS 7
Marked-down DSCP from DSCP map                 Marked-down DSCP value equals original DSCP value
                                               (no markdown)
Policing rules                                 None
Named ACLs                                     None
Default ACLs                                   Supports per-port classification and marking, sets
                                               DSCP to 0 in traffic from untrusted ports, no policing
COPS support (1)                               Disabled
RSVP support                                   Disabled
QoS statistics data export                     Disabled

Table 41-3 QoS Default Configuration (continued)

Feature                                        Default Value
---------------------------------------------  --------------------------------------------------
With QoS enabled
Runtime—Port based or VLAN based               Port based
Config—Port based or VLAN based                Port based
Port trust state                               Untrusted
Receive-queue tail-drop threshold              • Threshold 1: 50%
percentages (2)                                • Threshold 2: 60%
                                               • Threshold 3: 80%
                                               • Threshold 4: 100%
Transmit-queue tail-drop threshold             • Low-priority queue threshold 1: 80%
percentages                                    • Low-priority queue threshold 2: 100%
                                               • High-priority queue threshold 1: 80%
                                               • High-priority queue threshold 2: 100%
1p2q2t transmit-queue WRED-drop threshold      • Low-priority queue threshold 1:
percentages                                      – Low WRED-drop threshold: 40%
                                                 – High WRED-drop threshold: 70%
                                               • Low-priority queue threshold 2:
                                                 – Low WRED-drop threshold: 70%
                                                 – High WRED-drop threshold: 100%
                                               • High-priority queue threshold 1:
                                                 – Low WRED-drop threshold: 40%
                                                 – High WRED-drop threshold: 70%
                                               • High-priority queue threshold 2:
                                                 – Low WRED-drop threshold: 70%
                                                 – High WRED-drop threshold: 100%
1p3q1t transmit-queue WRED-drop threshold      • Low WRED-drop threshold: 70%
percentages                                    • High WRED-drop threshold: 100%
Transmit-queue low-priority/high-priority      4:255
ratio
Standard transmit-queue size ratio             • Low priority: 80%
                                               • High priority: 20%

Table 41-3 QoS Default Configuration (continued)

Feature                                        Default Value
---------------------------------------------  --------------------------------------------------
CoS value/drop-threshold mapping               • 1q4t/2q2t and 1p1q4t/1p2q2t ports:
                                                 – Receive queue 1/drop threshold 1 and
                                                   transmit queue 1/drop threshold 1: CoS 0 and 1
                                                 – Receive queue 1/drop threshold 2 and
                                                   transmit queue 1/drop threshold 2: CoS 2 and 3
                                                 – Receive queue 1/drop threshold 3 and
                                                   transmit queue 2/drop threshold 1: CoS 4 and 5 (3)
                                                 – Receive queue 1/drop threshold 4 and
                                                   transmit queue 2/drop threshold 2: CoS 6 and 7
                                               • 1p1q0t/1p3q1t ports:
                                                 – Receive queue 1 (standard) tail-drop threshold:
                                                   CoS 0, 1, 2, 3, 4, 6, and 7
                                                 – Receive queue 2 (priority): CoS 5
With QoS disabled
Runtime—Port based or VLAN based               VLAN based
Config—Port based or VLAN based                Port based
Port trust state                               trust-cos (Layer 2 switching engine)
                                               trust-dscp (Layer 3 switching engine)
Receive-queue drop-threshold percentages       All thresholds set to 100%
Transmit-queue drop-threshold percentages      All thresholds set to 100%
Transmit-queue low-priority/high-priority      255:1
bandwidth allocation ratio
Transmit-queue size ratio                      • Low priority: 100%
                                               • High priority: Not used
CoS value/drop-threshold mapping               Receive-drop threshold 1 and transmit-queue 1/drop
                                               threshold 1: CoS 0–7

1. COPS = Common Open Policy Service
2. QoS implements receive-queue drop thresholds only on ports configured with the trust-cos port keyword.
3. On 1p1q4t and 1p2q2t ports, QoS maps CoS 5 to the strict-priority queues.

Configuring QoS
These sections describe how to configure QoS on the Catalyst 6000 family switches:
• Enabling QoS, page 41-31
• Enabling Port-Based or VLAN-Based QoS, page 41-32
• Configuring the Trust State of a Port, page 41-32
• Configuring the CoS Value for a Port, page 41-33
• Creating Policing Rules, page 41-34
• Deleting Policing Rules, page 41-36
• Creating or Modifying ACLs, page 41-37
• Attaching ACLs to Interfaces, page 41-46
• Detaching ACLs from Interfaces, page 41-46
• Mapping a CoS Value to a Host Destination MAC Address/VLAN Pair, page 41-47
• Deleting a CoS Value to a Host Destination MAC Address/VLAN Pair, page 41-47
• Enabling or Disabling Microflow Policing of Bridged Traffic, page 41-48
• Configuring Standard Receive-Queue Tail-Drop Thresholds, page 41-48
• Configuring 2q2t Port Standard Transmit-Queue Tail-Drop Thresholds, page 41-49
• Configuring Standard Transmit-Queue WRED-Drop Thresholds, page 41-49
• Allocating Bandwidth Between Standard Transmit Queues, page 41-50
• Configuring the Receive-Queue Size Ratio, page 41-51
• Configuring the Transmit-Queue Size Ratio, page 41-51
• Mapping CoS Values to Drop Thresholds, page 41-52
• Configuring DSCP Value Maps, page 41-55
• Displaying QoS Information, page 41-58
• Displaying QoS Statistics, page 41-59
• Reverting to QoS Defaults, page 41-60
• Disabling QoS, page 41-60
• Configuring COPS Support, page 41-60
• Configuring RSVP Support, page 41-66
• Configuring QoS Statistics Data Export, page 41-70

Note Some QoS show commands support the config and runtime keywords. Use the runtime keyword to
display the QoS values currently programmed into the hardware. When you disable QoS, the display
with the runtime keyword is “QoS is disabled.” Use the config keyword to display values from
commands that have been entered, but which may not currently be programmed into the hardware
(for example, locally configured QoS values that are currently not used because COPS has been
selected as the QoS policy source or QoS values configured when QoS is disabled).

Enabling QoS
To enable QoS, perform this task in privileged mode:

Task                                                    Command
Enable QoS on the switch.                               set qos {enable | disable}

This example shows how to enable QoS:


Console> (enable) set qos enable
QoS is enabled.
Console> (enable)


Enabling Port-Based or VLAN-Based QoS

Note The commands in this section are not supported with a Layer 2 Switching Engine.

By default, QoS uses ACLs attached to ports. On a per-port basis, you can configure QoS to use ACLs
attached to a VLAN. To enable VLAN-based QoS on a port, perform this task in privileged mode:

Task                                                    Command
Step 1  Enable VLAN-based QoS on a port.                set port qos mod/port {port-based | vlan-based}
Step 2  Verify the configuration.                       show port qos mod/port

For more information, see the “Attaching ACLs” section on page 41-23.
This example shows how to enable VLAN-based QoS on a port:
Console> (enable) set port qos 1/1-2 vlan-based
Hardware programming in progress...
QoS interface is set to vlan-based for ports 1/1-2.
Console> (enable)

Changing a port from port-based to VLAN-based QoS detaches all ACLs from the port. Any ACLs
attached to the VLAN apply to the port immediately (for more information, see the “Attaching ACLs to
Interfaces” section on page 41-46).

Configuring the Trust State of a Port


This command configures the trust state of a port (for more information, see the “Ethernet Ingress Port
Marking, Scheduling, Congestion Avoidance, and Classification” section on page 41-10). By default, all
ports are untrusted.
To configure the trust state of a port, perform this task in privileged mode:

Task                                                    Command
Step 1  Configure the trust state of a port.            set port qos trust {untrusted | trust-cos |
                                                        trust-ipprec | trust-dscp}
Step 2  Verify the configuration.                       show port qos

Note the following syntax guidelines when configuring the trust state of a port:
• The trust-ipprec and trust-dscp keywords are supported only with a Layer 3 switching engine.
• 1q4t ports (except Gigabit Ethernet) do not support the trust-ipprec and trust-dscp port keywords.
You must configure a trust-ipprec or trust-dscp ACL that matches the ingress traffic to apply the
trust-ipprec or trust-dscp trust state.
• On 1q4t ports (except Gigabit Ethernet), the trust-cos port keyword displays an error message,
activates receive-queue drop thresholds, and—as indicated by the error message—does not apply the
trust-cos trust state to traffic. You must configure a trust-cos ACL that matches the ingress traffic
to apply the trust-cos trust state.


This example shows how to configure port 1/1 with the trust-cos keyword:
Console> (enable) set port qos 1/1 trust trust-cos
Port 1/1 qos set to trust-cos
Console> (enable)

Note Only ISL or 802.1Q frames carry CoS values. Configure ports with the trust-cos keyword only when
the received traffic is ISL or 802.1Q frames carrying CoS values that you know to be consistent with
network policy or to trust a configured port CoS value.

Configuring the CoS Value for a Port

Note Whether or not QoS uses the CoS value applied with the set port qos ... cos command depends on the
trust state of the port and the trust state of the traffic received through the port. The set port qos ... cos
command does not configure the trust state of the port or the trust state of the traffic received through
the port. To use the CoS value applied with the set port qos ... cos command, configure a trust-CoS ACL
that matches the ingress traffic; or for a port that receives no tagged traffic, configure the port to trust
CoS.

Unmarked frames from ports configured as trusted and all frames from ports configured as untrusted are
assigned the CoS value specified with this command.
To configure the CoS value for a port, perform this task in privileged mode:

Task                                                    Command
Step 1  Configure the CoS value for a port.             set port qos cos cos-value
Step 2  Verify the configuration.                       show port qos

This example shows how to configure the port CoS value to 3 for port 1/1:
Console> (enable) set port qos 1/1 cos 3
Port 1/1 qos cos set to 3
Console> (enable)

To revert to the default CoS value for a port, perform this task in privileged mode:

Task                                                    Command
Step 1  Revert to the default CoS value for a port.     clear port qos cos
Step 2  Verify the configuration.                       show port qos

This example shows how to revert to the default CoS value for port 1/1:
Console> (enable) clear port qos 1/1 cos
Port 1/1 qos cos setting cleared.
Console> (enable)


Creating Policing Rules

Note The commands in this section are not supported with a Layer 2 Switching Engine.

To create a policing rule, perform this task in privileged mode:

Task                                                    Command
Step 1  Create a policing rule.                         set qos policer microflow microflow_name {rate rate}
                                                        {burst burst} {drop | policed-dscp}
                                                        With PFC or PFC2:
                                                        set qos policer aggregate aggregate_name {rate rate}
                                                        {burst burst} {drop | policed-dscp}
                                                        With PFC2:
                                                        set qos policer aggregate aggregate_name {rate rate}
                                                        policed-dscp {erate erate} {drop | policed-dscp}
                                                        burst burst
Step 2  Verify the configuration.                       show qos policer {config | runtime}
                                                        {microflow | aggregate | all}

For more information, see the “Policing Rules” section on page 41-22.
The policing rule name (the microflow_name or aggregate_name parameter) can be up to 31 characters
long, is case sensitive, and may include a–z, A–Z, 0–9, the dash character (-), the underscore
character (_), and the period character (.). Policing rule names must start with an alphabetic character
(not a digit) and must be unique across all microflow and aggregate policing rules. You cannot use
keywords from any command as a policing rule name.
The valid values for the rate and erate parameters are 32 Kbps (entered as 32) to 8 Gbps (entered as
8000000); or to classify all traffic as out of profile, set the rate parameter to zero (0). The PFC1 and
PFC2 have the following hardware granularity for rate values:

Rate Value Range               Granularity
-----------------------------  -------------------
1 to 1000 (1 Mbps)             32768 (32 K)
1001 to 2000 (2 Mbps)          65536 (64 K)
2001 to 4000 (4 Mbps)          131072 (128 K)
4001 to 8000 (8 Mbps)          262144 (256 K)
8001 to 16000 (16 Mbps)        524288 (512 K)
16001 to 32000 (32 Mbps)       1048576 (1 M)
32001 to 64000 (64 Mbps)       2097152 (2 M)
64001 to 128000 (128 Mbps)     4194304 (4 M)
128001 to 256000 (256 Mbps)    8388608 (8 M)
256001 to 512000 (512 Mbps)    16777216 (16 M)
512001 to 1024000 (1 Gbps)     33554432 (32 M)
1024001 to 2048000 (2 Gbps)    67108864 (64 M)
2048001 to 4096000 (4 Gbps)    134217728 (128 M)
4096001 to 8192000 (8 Gbps)    268435456 (256 M)

Within each range, QoS programs the hardware with rate values that are multiples of the granularity
values.
The valid values for the burst parameter are 1 Kb (entered as 1) to 32 Mb (entered as 32000).


Note The burst parameter sets the token bucket size. To sustain a specific rate, set the token bucket size
with the burst parameter to be at least the rate divided by 4000, because tokens are removed from
the bucket every 1/4000th of a second (0.25 ms) and the bucket needs to be at least burst-size long
to sustain the specified rate.

Note Because any packet larger than the burst size is considered an out-of-profile packet, make sure that
the burst size is greater than or equal to the largest packet size of the policer that is applied to it.

Note QoS programs the hardware with values that are multiples of 32K (32,768), not with the specific
value entered.

Enter either the drop keyword to cause all out-of-profile packets to be dropped or the policed-dscp
keyword to cause all out-of-profile packets with the normal rate to be marked down as specified in the
normal markdown DSCP map (for more information, see the “Mapping DSCP Markdown Values”
section on page 41-57).
This example shows how to create a microflow policing rule with a 1-Mbps rate limit and a 10-Mb burst
limit that marks down out-of-profile traffic:
Console> (enable) set qos policer microflow my-micro rate 1000 burst 10000 policed-dscp
Hardware programming in progress...
QoS policer for microflow my-micro created successfully.
Console> (enable)

For PFC2, this example shows how to create an aggregate excess rate policing rule with a 64-Kbps rate
limit and a 128-Kb burst limit that drops traffic exceeding these values:
Console> (enable) set qos policer aggregate test rate 64 burst 128 drop
QoS policer for aggregate test created successfully.
Console> (enable) show qos policer config aggregate test
QoS aggregate policers:
Aggregate name Normal rate (kbps) Burst size (kb) Normal action
----------------------------- ------------------ --------------- -------------
test 64 128 policed-dscp
Excess rate (kbps) Burst size (kb) Excess action
------------------ --------------- -------------
64 128 drop
ACL attached
------------------------------------
Console> (enable)

For PFC2, this example shows how to create an aggregate excess rate policing rule with a 64-Kbps rate
limit and a 100-Kb burst limit that will cause all out-of-profile packets to be marked down as specified
in the normal markdown DSCP map:
Console> (enable) set qos policer aggregate test2 rate 64 burst 100 policed-dscp
QoS policer for aggregate test2 created successfully.

Console> (enable) show qos policer config aggregate test2
QoS aggregate policers:
Aggregate name Normal rate (kbps) Burst size (kb) Normal action
----------------------------- ------------------ --------------- -------------
test2 64 100 policed-dscp
Excess rate (kbps) Burst size (kb) Excess action
------------------ -------------- ---------------
8000000 100 policed-dscp
ACL attached
------------------------------------

Console> (enable)

For PFC2, this example shows how to create an aggregate excess rate policing rule with a 64-Kbps rate
limit and a 128-Kb burst limit that will cause traffic that exceeds the normal rate of 64 Kbps and a burst
size of 96 Kb to be marked down as specified in the normal markdown DSCP map, and traffic that
exceeds 128 Kbps and a burst size of 96 Kb to be dropped:
Console> (enable) set qos policer aggregate test3 rate 64 policed-dscp erate 128 drop burst 96
QoS policer for aggregate test3 created successfully.
Console> (enable) show qos policer config aggregate test3
QoS aggregate policers:
Aggregate name Normal rate (kbps) Burst size (kb) Normal action
----------------------------- ------------------ --------------- -------------
test3 64 96 policed-dscp
Excess rate (kbps) Burst size (kb) Excess action
------------------ --------------- ---------------
128 96 drop
ACL attached
------------------------------------

Console> (enable)
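
The rate, burst and granularity rules from the notes and examples above, as an added Python token-bucket model that is not Cisco's code and not part of this guide. It assumes that entered rates round up to the next granularity multiple, that the bucket is credited every 1/4000 s, and that the PFC2 rate/erate pair behaves like a two-rate (trTCM-style) policer; none of these details are spelled out by the guide.

```python
"""Constructed model of a PFC policing rule as described above: rate and burst
parameters, hardware rate granularity, the 1/4000-second token refill interval
and the drop / policed-dscp actions. Illustration only, not Cisco code; the
rounding direction and the refill model are assumptions."""
import math

# (upper end of the entered rate range in kbps, granularity in bps), from the table above.
RATE_GRANULARITY = [
    (1000, 32768), (2000, 65536), (4000, 131072), (8000, 262144),
    (16000, 524288), (32000, 1048576), (64000, 2097152), (128000, 4194304),
    (256000, 8388608), (512000, 16777216), (1024000, 33554432),
    (2048000, 67108864), (4096000, 134217728), (8192000, 268435456),
]
TICKS_PER_SECOND = 4000          # the bucket is serviced every 0.25 ms
ACTIONS = ("drop", "policed-dscp")


def programmed_rate_bps(rate_kbps):
    """Rate actually programmed: a multiple of the granularity for the range the
    entered rate falls in. Rounded up here (assumption; the guide only says
    'multiples of the granularity values'). Rate 0 = everything out of profile."""
    if rate_kbps == 0:
        return 0
    if not 32 <= rate_kbps <= 8000000:
        raise ValueError("rate must be 0 or 32..8000000 kbps")
    for upper_kbps, granularity in RATE_GRANULARITY:
        if rate_kbps <= upper_kbps:
            return math.ceil(rate_kbps * 1000 / granularity) * granularity


def min_burst_kb(rate_kbps):
    """Smallest burst (kb) that sustains the rate: rate / 4000 per the note above,
    never below the 1 kb minimum the command accepts."""
    return max(1, math.ceil(rate_kbps / TICKS_PER_SECOND))


class Policer:
    """Token bucket for 'set qos policer ... rate R burst B action'. With erate
    set (the PFC2 form) a second bucket at the excess rate is kept; the guide
    does not spell out how the two interact, so this is trTCM-style (assumption):
    exceed the excess bucket -> excess action, else exceed the normal bucket ->
    normal action, else forward unchanged."""

    def __init__(self, rate_kbps, burst_kb, action, erate_kbps=None,
                 eaction="drop", markdown_map=None):
        if not 1 <= burst_kb <= 32000:
            raise ValueError("burst must be 1..32000 kb")
        if action not in ACTIONS or eaction not in ACTIONS:
            raise ValueError("actions must be drop or policed-dscp")
        self.bucket_size = burst_kb * 1000               # bits
        self.rate_bps = programmed_rate_bps(rate_kbps)
        self.erate_bps = None if erate_kbps is None else programmed_rate_bps(erate_kbps)
        self.tokens = self.etokens = self.bucket_size   # both buckets start full
        self.action, self.eaction = action, eaction
        # Default markdown map: marked-down DSCP equals the original (no markdown).
        self.markdown_map = markdown_map or {d: d for d in range(64)}
        self.conformed_bits = 0
        self.out_of_profile = 0

    def tick(self):
        """Credit one refill interval of tokens; anything over the bucket size is lost."""
        self.tokens = min(self.bucket_size, self.tokens + self.rate_bps / TICKS_PER_SECOND)
        if self.erate_bps is not None:
            self.etokens = min(self.bucket_size, self.etokens + self.erate_bps / TICKS_PER_SECOND)

    def _out_of_profile(self, action, dscp):
        self.out_of_profile += 1
        return (False, None) if action == "drop" else (True, self.markdown_map[dscp])

    def police(self, packet_bits, dscp):
        """Return (forwarded, dscp) for one packet of packet_bits bits."""
        if self.erate_bps is not None:
            if self.erate_bps == 0 or packet_bits > self.etokens:
                return self._out_of_profile(self.eaction, dscp)
            self.etokens -= packet_bits
        # A packet larger than the bucket can never conform (second note above).
        if self.rate_bps > 0 and packet_bits <= self.tokens:
            self.tokens -= packet_bits
            self.conformed_bits += packet_bits
            return True, dscp
        return self._out_of_profile(self.action, dscp)


def sustained_bits(rate_kbps, burst_kb, packet_bits=12000, packets_per_tick=1):
    """Offer packets_per_tick packets every refill interval for one second and
    return how many bits conformed (drop action, so the rest is discarded)."""
    p = Policer(rate_kbps, burst_kb, "drop")
    for _ in range(TICKS_PER_SECOND):
        p.tick()
        for _ in range(packets_per_tick):
            p.police(packet_bits, 0)
    return p.conformed_bits
```

Running sustained_bits(8000000, 1000, packets_per_tick=170) against sustained_bits(8000000, 2000, packets_per_tick=170) shows the rate/4000 rule from the first note: a burst of half the minimum loses half of each interval's credit and sustains only about half the rate.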

Deleting Policing Rules

Note You can only delete policing rules if they are not attached to any interfaces (for more information,
see the “Detaching ACLs from Interfaces” section on page 41-46).

To delete one or all policing rules, perform this task in privileged mode:

Task                                                    Command
Step 1  Delete one or all policing rules.               clear qos policer {microflow | aggregate}
                                                        {policer_name | all}
Step 2  Verify the configuration.                       show qos policer {config | runtime}
                                                        {microflow | aggregate | all}

This example shows how to delete the microflow policing rule named my_micro:
Console> (enable) clear qos policer microflow my_micro
my_micro QoS microflow policer cleared.
Console> (enable)


Creating or Modifying ACLs

Note The commands in this section are not supported with a Layer 2 Switching Engine.

These sections describe ACL creation and modification:
• ACL Names, page 41-37
• ACE Name, Marking Rule, Policing, and Filtering Syntax, page 41-37
• Named IP ACLs, page 41-38
• Modifying the Default IP ACL, page 41-42
• Creating or Modifying Named IPX ACLs, page 41-42
• Creating or Modifying Named MAC ACLs, page 41-43
• Creating or Modifying the Default IPX and MAC ACLs, page 41-44
• Deleting Named ACLs, page 41-44
• Reverting to Default Values in Default ACLs, page 41-44
• Discarding Uncommitted ACLs, page 41-45
• Committing ACLs, page 41-45

ACL Names
ACL names can be up to 31 characters long, are case sensitive, and may include a–z, A–Z, 0–9, the dash
character (-), the underscore character (_), and the period character (.). ACL names must start with an
alphabetic character and must be unique across all QoS ACLs of all types. You cannot use keywords
from any command as an ACL name.

ACE Name, Marking Rule, Policing, and Filtering Syntax


ACE command syntax is organized as follows:
ACL_command ACL_type_and_name marking_rule policing_rule filtering
For example, in an IP ACE, the command syntax is as follows:
set qos acl ip acl_name {dscp dscp | trust-cos | trust-ipprec | trust-dscp} [microflow microflow_name] [aggregate aggregate_name] src_ip_spec [precedence precedence | dscp-field dscp] [before editbuffer_index | modify editbuffer_index]
• set qos acl ip acl_name—Creates a named ACL of the specified type or adds the ACE to the ACL
if it already exists. See the “ACL Names” section on page 41-37.
• {dscp dscp | trust-cos | trust-ipprec | trust-dscp}—Selects a marking rule. See the “Marking
Rules” section on page 41-21.
• [microflow microflow_name] [aggregate aggregate_name]—Optionally configures policing in the
ACE. See the “Policing Rules” section on page 41-22.
• src_ip_spec [precedence precedence | dscp-field dscp]—The rest of the parameters, except the
editbuffer keywords, configure filtering.


Named IP ACLs
These sections describe creating or modifying IP ACLs:
• Source and Destination IP Addresses and Masks, page 41-38
• Port Operator Parameters, page 41-38
• Precedence Parameter Options, page 41-38
• IP ACEs for TCP Traffic, page 41-39
• IP ACEs for UDP Traffic, page 41-39
• IP ACEs for ICMP Traffic, page 41-40
• IP ACEs for IGMP Traffic, page 41-40
• IP ACLs for Other Layer 4 Protocols, page 41-41
• IP ACEs for Any IP Traffic, page 41-41

Source and Destination IP Addresses and Masks

In IP ACEs, specify source and destination IP addresses and masks (represented by the src_ip_spec and
dest_ip_spec parameters in the following sections) in the form ip_address mask. The mask is mandatory.
Use one bits, which need not be contiguous, where you want wildcards.
Use any of the following formats for the address and mask:
• Four-part dotted-decimal 32-bit values
• The keyword any as an abbreviation for a wildcard address and wildcard mask of 0.0.0.0
255.255.255.255
• The abbreviation host ip_address for an address and wildcard mask of ip_address 0.0.0.0

Port Operator Parameters

In IP ACEs, the operator parameter can be one of the following:
• lt (less than)
• gt (greater than)
• eq (equal)
• neq (not equal)
• range (with a pair of port parameters)
See the “Guidelines for Using Layer 4 Operations” section on page 16-20 for restrictions that apply to
QoS ACLs.

Precedence Parameter Options

For precedence parameter keyword options in IP ACEs, see the “IP ACE Layer 3 Classification Criteria”
section on page 41-16.


IP ACEs for TCP Traffic

To create or modify an IP ACE for TCP traffic, perform this task in privileged mode:

Task                                                    Command
Step 1  Create or modify an IP ACE for TCP traffic.     set qos acl ip {acl_name} {{dscp dscp} | trust-cos |
                                                        trust-ipprec | trust-dscp} [microflow microflow_name]
                                                        [aggregate aggregate_name] tcp {src_ip_spec}
                                                        [{operator} {port} [port]] {dest_ip_spec}
                                                        [{operator} {port} [port]] [established]
                                                        [precedence precedence | dscp-field dscp]
                                                        [before editbuffer_index | modify editbuffer_index]
Step 2  Verify the configuration.                       show qos acl info {acl_name | all}
                                                        editbuffer [editbuffer_index]

For port parameter keyword options, see the “IP ACE Layer 4 TCP Classification Criteria” section on
page 41-17.
The established keyword matches traffic with the ACK or RST bits set.
This example shows how to create an IP ACE for TCP traffic:
Console> (enable) set qos acl ip my_IPacl trust-ipprec microflow my-micro aggregate my-agg tcp any any
my_IPacl editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

IP ACEs for UDP Traffic

To create or modify an IP ACE for UDP traffic, perform this task in privileged mode:

Task                                                    Command
Step 1  Create or modify an IP ACE for UDP traffic.     set qos acl ip {acl_name} {{dscp dscp} | trust-cos |
                                                        trust-ipprec | trust-dscp} [microflow microflow_name]
                                                        [aggregate aggregate_name] udp {src_ip_spec}
                                                        [{operator} {port} [port]] {dest_ip_spec}
                                                        [{operator} {port} [port]]
                                                        [precedence precedence | dscp-field dscp]
                                                        [before editbuffer_index | modify editbuffer_index]
Step 2  Verify the configuration.                       show qos acl info {acl_name | all}
                                                        editbuffer [editbuffer_index]

For port parameter keyword options, see the “IP ACE Layer 4 UDP Classification Criteria” section on
page 41-18.
This example shows how to create an IP ACE for UDP traffic:
Console> (enable) set qos acl ip my_IPacl trust-ipprec microflow my-micro aggregate my-agg udp any any
my_IPacl editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)


IP ACEs for ICMP Traffic

To create or modify an IP ACE for ICMP traffic, perform this task in privileged mode:

Task                                                    Command
Step 1  Create or modify an IP ACE for ICMP traffic.    set qos acl ip acl_name {dscp dscp | trust-cos |
                                                        trust-ipprec | trust-dscp} [microflow microflow_name]
                                                        [aggregate aggregate_name] icmp src_ip_spec dest_ip_spec
                                                        [icmp_type [icmp_code] | icmp_message]
                                                        [precedence precedence | dscp-field dscp]
                                                        [before editbuffer_index | modify editbuffer_index]
Step 2  Verify the configuration.                       show qos acl info {acl_name | all}
                                                        editbuffer [editbuffer_index]

For icmp_code and icmp_type parameter keyword options, see the “IP ACE Layer 4 ICMP Classification
Criteria” section on page 41-18.
This example shows how to create an IP ACE for ICMP echo traffic:
Console> (enable) set qos acl ip my_IPacl trust-ipprec microflow my-micro aggregate my-agg icmp any any echo
my_IPacl editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

IP ACEs for IGMP Traffic

Note QoS does not support IGMP traffic when IGMP snooping is enabled.

To create or modify an IP ACE for IGMP traffic, perform this task in privileged mode:

Task                                                    Command
Step 1  Create or modify an IP ACE for IGMP traffic.    set qos acl ip acl_name {dscp dscp | trust-cos |
                                                        trust-ipprec | trust-dscp} [microflow microflow_name]
                                                        [aggregate aggregate_name] igmp src_ip_spec dest_ip_spec
                                                        [igmp_type] [precedence precedence | dscp-field dscp]
                                                        [before editbuffer_index | modify editbuffer_index]
Step 2  Verify the configuration.                       show qos acl info {acl_name | all}
                                                        editbuffer [editbuffer_index]


For igmp_type parameter keyword options, see the “IP ACE Layer 4 IGMP Classification Criteria”
section on page 41-19.
This example shows how to create an IP ACE for IGMP protocol independent multicast (PIM) traffic:
Console> (enable) set qos acl ip my_IPacl trust-ipprec microflow my-micro aggregate my-agg igmp any any pim
my_IPacl editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

IP ACLs for Other Layer 4 Protocols

To create or modify a named IP ACL with additional parameters that match all Layer 4 protocols,
perform this task in privileged mode:

Task                                                    Command
Step 1  Create or modify an IP ACE.                     set qos acl ip acl_name {dscp dscp | trust-cos |
                                                        trust-ipprec | trust-dscp} [microflow microflow_name]
                                                        [aggregate aggregate_name] protocol src_ip_spec
                                                        dest_ip_spec [precedence precedence | dscp-field dscp]
                                                        [before editbuffer_index | modify editbuffer_index]
Step 2  Verify the configuration.                       show qos acl info {acl_name | all}
                                                        editbuffer [editbuffer_index]

For protocol parameter keyword options, see the “IP ACE Layer 4 Protocol Classification Criteria”
section on page 41-17.
This example shows how to create an IP ACE for IPINIP traffic:
Console> (enable) set qos acl ip my_IPacl trust-ipprec microflow my-micro aggregate my-agg
ipinip any any
my_IPacl editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

IP ACEs for Any IP Traffic

To create or modify an IP ACE that matches all IP traffic, perform this task in privileged mode:

Task Command
Step 1 Create or modify an IP ACE.
    set qos acl ip acl_name {dscp dscp | trust-cos | trust-ipprec | trust-dscp} [microflow microflow_name] [aggregate aggregate_name] src_ip_spec [precedence precedence | dscp-field dscp] [before editbuffer_index | modify editbuffer_index]
Step 2 Verify the configuration.
    show qos acl info {acl_name | all} editbuffer [editbuffer_index]

This example shows how to create an IP ACE that matches any IP traffic:
Console> (enable) set qos acl ip my_IPacl trust-ipprec microflow my-micro aggregate my-agg
any
my_IPacl editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

Modifying the Default IP ACL


To modify the default IP ACL, perform this task in privileged mode:

Task Command
Step 1 Modify the default IP ACL.
    set qos acl default-action ip {dscp dscp | trust-cos | trust-ipprec | trust-dscp} [microflow microflow_name] [aggregate aggregate_name]
Step 2 Verify the configuration.
    show qos acl info default-action {ip | ipx | mac | all}

For more information, see the “Default ACLs” section on page 41-20.
This example shows how to modify the default IP ACL:
Console> (enable) set qos acl default-action ip dscp 5 microflow my-micro aggregate my-agg
QoS default-action for IP ACL is set successfully.
Console> (enable)

Creating or Modifying Named IPX ACLs


To create or modify a named IPX ACL, perform this task in privileged mode:

Task Command
Step 1 Create or modify an IPX ACL.
    With PFC:
    set qos acl ipx acl_name {dscp dscp | trust-cos} [aggregate aggregate_name] protocol src_net [dest_net[.dest_node] [[dest_net_mask].dest_node_mask]] [before editbuffer_index | modify editbuffer_index]
    With PFC2:
    set qos acl ipx acl_name aggregate aggregate_name protocol src_net [dest_net[.dest_node] [[dest_net_mask].dest_node_mask]] [before editbuffer_index | modify editbuffer_index]
Step 2 Verify the configuration.
    show qos acl info {acl_name | all} editbuffer [editbuffer_index]

The protocol parameter can be specified numerically (0–255) or with these keywords: any, ncp (17),
netbios (20), rip (1), sap (4), or spx (5).
The src_net and dest_net parameters are IPX network numbers, entered as up to 8 hexadecimal digits in
the range 1 to FFFFFFFE (-1 matches any network number). You do not need to enter leading zeros.

If you specify an IPX destination network, IPX ACEs support the following optional parameters:
• An IPX destination network mask, entered as up to 8 hexadecimal digits in the range 1 to FFFFFFFE
(-1 matches any network number). Use one bits, which need not be contiguous, where you want
wildcards.
• An IPX destination node, entered as 12 hexadecimal digits (48 bits), formatted as a dotted triplet of
four-digit hexadecimal digits each (xxxx.xxxx.xxxx).
• If you specify an IPX destination node, IPX ACEs support an IPX destination node mask, entered
as 12 hexadecimal digits (48 bits), formatted as a dotted triplet of four-digit hexadecimal digits each
(xxxx.xxxx.xxxx). Use one bits, which need not be contiguous, where you want wildcards.
This example shows how to create an IPX ACE:
Console> (enable) set qos acl ipx my_IPXacl trust-cos aggregate my-agg -1
my_IPXacl editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

Creating or Modifying Named MAC ACLs


To create or modify a named MAC ACL, perform this task in privileged mode:

Task Command
Step 1 Create or modify a MAC ACL.
    With PFC:
    set qos acl mac acl_name {dscp dscp | trust-cos} [aggregate aggregate_name] src_mac_spec dest_mac_spec [ethertype] [before editbuffer_index | modify editbuffer_index]
    With PFC2:
    set qos acl mac acl_name aggregate aggregate_name src_mac_spec dest_mac_spec [ethertype] [before editbuffer_index | modify editbuffer_index]
Step 2 Verify the configuration.
    show qos acl info {acl_name | all} editbuffer [editbuffer_index]

Enter the src_mac_spec and dest_mac_spec parameters as a MAC address and a mask. Each parameter
is 12 hexadecimal digits (48 bits), formatted as dash-separated pairs. Use one bits, which need not be
contiguous, where you want wildcards. Use the any keyword for a MAC address and mask of
0-0-0-0-0-0 ff-ff-ff-ff-ff-ff. Use the host keyword with a MAC address to specify an all-zero mask
(mac_address 0-0-0-0-0-0).
Enter the ethertype parameter as 4 hexadecimal digits (16 bits) prefaced with 0x (for example, 0x0600)
or as a keyword (see the “MAC ACE Layer 2 Classification Criteria” section on page 41-20).
This example shows how to create a MAC ACE:
Console> (enable) set qos acl mac my_MACacl trust-cos aggregate my-agg any any
my_MACacl editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

Note QoS MAC ACLs that do not include an ethertype parameter match traffic with any value in the
ethertype field, which allows MAC-level QoS to be applied to any traffic except IP and IPX.
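The following Python model is an added example, not code from this guide or from the switch software. It implements the address forms described in this section and in the IPX section above: IPX network numbers (up to 8 hexadecimal digits, or -1 for any network), dotted-triplet IPX node addresses and node masks, dash-separated MAC address and mask pairs, the any and host keywords, and the wildcard rule that one bits in a mask, contiguous or not, are don't-care bits. An omitted ethertype matches any ethertype, as the note above states. Only the 0x-prefixed numeric ethertype form is handled, and the ACE strings, addresses, and frames are constructed for illustration.

```python
# Added example: wildcard-mask matching for IPX and MAC ACE specs.
# Not code from the configuration guide or the switch software.
# All addresses, masks, ACE strings and frames below are constructed.

MAC_ALL_ONES = 0xFFFFFFFFFFFF  # 48-bit mask with every bit a wildcard
IPX_ANY_NET = -1               # -1 in an IPX ACE matches any network number


def parse_ipx_net(text):
    """IPX network number: up to 8 hex digits in 1..FFFFFFFE, or -1 for any."""
    if text == "-1":
        return IPX_ANY_NET
    value = int(text, 16)  # leading zeros are optional
    if not 1 <= value <= 0xFFFFFFFE:
        raise ValueError("IPX network number must be in the range 1 to FFFFFFFE")
    return value


def parse_ipx_node(text):
    """IPX node or node mask: 12 hex digits as a dotted triplet xxxx.xxxx.xxxx."""
    parts = text.split(".")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError("IPX node must be formatted as xxxx.xxxx.xxxx")
    return int("".join(parts), 16)


def parse_mac(text):
    """Dash-separated MAC address or mask (six hex pairs, e.g. 0-0-0-0-0-0) -> 48-bit int."""
    parts = text.split("-")
    if len(parts) != 6 or any(not 1 <= len(p) <= 2 for p in parts):
        raise ValueError("MAC address must be six dash-separated hex pairs")
    value = 0
    for part in parts:
        value = (value << 8) | int(part, 16)
    return value


def parse_mac_spec(tokens):
    """Consume one src_mac_spec or dest_mac_spec; returns (address, mask, tokens_used).

    'any' is shorthand for 0-0-0-0-0-0 ff-ff-ff-ff-ff-ff; 'host <mac>' means an
    all-zero mask (exact match).
    """
    if tokens[0] == "any":
        return 0, MAC_ALL_ONES, 1
    if tokens[0] == "host":
        return parse_mac(tokens[1]), 0, 2
    return parse_mac(tokens[0]), parse_mac(tokens[1]), 2


def wildcard_match(candidate, value, mask, width_mask):
    """True when candidate equals value on every bit the mask does not wildcard.

    One bits in the mask are don't-care bits and need not be contiguous.
    """
    care = width_mask & ~mask
    return (candidate & care) == (value & care)


def ipx_dest_matches(dest_net, dest_node, spec):
    """spec = (net, net_mask, node, node_mask); node and node_mask may be None."""
    net, net_mask, node, node_mask = spec
    if net != IPX_ANY_NET and not wildcard_match(dest_net, net, net_mask, 0xFFFFFFFF):
        return False
    if node is None:
        return True
    return wildcard_match(dest_node, node, node_mask, MAC_ALL_ONES)


def parse_mac_ace(arg_text):
    """Parse the 'src_mac_spec dest_mac_spec [ethertype]' tail of a MAC ACE.

    Only the 0x-prefixed numeric ethertype form is handled; an omitted
    ethertype matches any value in the ethertype field.
    """
    tokens = arg_text.split()
    src_addr, src_mask, used = parse_mac_spec(tokens)
    tokens = tokens[used:]
    dst_addr, dst_mask, used = parse_mac_spec(tokens)
    tokens = tokens[used:]
    ethertype = int(tokens[0], 16) if tokens else None
    return {"src": (src_addr, src_mask), "dst": (dst_addr, dst_mask), "ethertype": ethertype}


def mac_ace_matches(ace, src, dst, ethertype):
    """Apply a parsed MAC ACE to a frame given as (src, dst, ethertype)."""
    if ace["ethertype"] is not None and ace["ethertype"] != ethertype:
        return False
    return (wildcard_match(src, *ace["src"], MAC_ALL_ONES)
            and wildcard_match(dst, *ace["dst"], MAC_ALL_ONES))


def demo():
    """Constructed ACEs against constructed frames; returns the ACEs each frame hits."""
    aces = {
        # any source in OUI 00-40-0b (low 24 bits wildcarded), any destination, any ethertype
        "oui_any": parse_mac_ace("00-40-0b-0-0-0 0-0-0-ff-ff-ff any"),
        # one destination host, ARP frames (0x0806) only
        "host_arp": parse_mac_ace("any host 00-40-0b-30-03-48 0x0806"),
    }
    frames = {
        "arp_to_host": (parse_mac("00-40-0b-11-22-33"), parse_mac("00-40-0b-30-03-48"), 0x0806),
        "ip_from_oui": (parse_mac("00-40-0b-aa-bb-cc"), parse_mac("01-02-03-04-05-06"), 0x0800),
        "other": (parse_mac("00-11-22-33-44-55"), parse_mac("00-40-0b-30-03-48"), 0x0800),
    }
    return {name: [n for n, ace in aces.items() if mac_ace_matches(ace, *frame)]
            for name, frame in frames.items()}
```

Running demo() shows that the OUI ACE matches both frames sourced from 00-40-0b regardless of ethertype, while the host ACE with an explicit ethertype matches only the ARP frame to that host; the third frame matches neither because its ethertype does not match even though its destination does.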

Creating or Modifying the Default IPX and MAC ACLs


To create or modify the default IPX or MAC ACL, perform this task in privileged mode:

Task Command
Step 1 Modify the default IPX or MAC ACL.
    With PFC:
    set qos acl default-action {ipx | mac} {dscp dscp | trust-cos} [aggregate aggregate_name]
    With PFC2:
    set qos acl default-action {ipx | mac} aggregate aggregate_name
Step 2 Verify the configuration.
    show qos acl info default-action {ip | ipx | mac | all}

For more information, see the “Default ACLs” section on page 41-20.
This example shows how to modify the default IPX ACL:
Console> (enable) set qos acl default-action ipx dscp 5 aggregate my-agg
QoS default-action for IPX ACL is set successfully.
Console> (enable)

Note IPX and MAC ACLs do not support microflow policing rules.

Deleting Named ACLs


To delete a named ACL, perform this task in privileged mode:

Task Command
Step 1 Delete a named ACL.
    clear qos acl acl_name [editbuffer_index]
Step 2 Verify the configuration.
    show qos acl info {acl_name | all}

This example shows how to delete ACE 1 from the ACL named icmp_acl:
Console> (enable) clear qos acl icmp_acl 1
ACL icmp_acl ACE# 1 is deleted.
icmp_acl editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)

Reverting to Default Values in Default ACLs


To revert to the default values for a default ACL, perform this task in privileged mode:

Task Command
Step 1 Revert to the default values for a default ACL.
    clear qos acl default-action {ip | ipx | mac}
Step 2 Verify the configuration.
    show qos acl info default-action {ip | ipx | mac | all}

This example shows how to revert to the default values for the default IP ACL:
Console> (enable) clear qos acl default-action ip
Hardware programming in progress...
QoS default-action for IP ACL is restored to default setting.
Console> (enable)

Discarding Uncommitted ACLs


To discard an uncommitted new ACL or uncommitted changes to an existing ACL, perform this task in
privileged mode:

Task Command
Step 1 Discard an uncommitted ACL.
    rollback qos acl {acl_name | all}
Step 2 If you discarded changes to an existing ACL, verify the configuration.
    show qos acl info {acl_name | all}

This example shows how to discard an uncommitted ACL named my_acl:
Console> (enable) rollback qos acl my_acl
Rollback for QoS ACL my_acl is successful.
Console> (enable)

Note Changes to the default ACLs take effect immediately and cannot be discarded.

Committing ACLs
When you create, change, or delete a named ACL, the changes exist temporarily in an edit buffer in
memory. To commit the ACL so that it can be used, perform this task in privileged mode:

Task Command
Step 1 Commit an ACL.
    commit qos acl acl_name
Step 2 Verify the configuration.
    show config qos acl {acl_name | all}

This example shows how to commit an ACL named my_acl:
Console> (enable) commit qos acl my_acl
Hardware programming in progress...
ACL my_acl is committed to hardware.
Console> (enable)

Note When you commit an ACL that has already been attached to interfaces, the new values go into effect
immediately. Changes to the default ACLs do not need to be committed.

See “Configuring and Storing VACLs and QoS ACLs in Flash Memory” section on page 16-42 for
information about where QoS ACLs are stored.

Attaching ACLs to Interfaces

Note The commands in this section are not supported with a Layer 2 Switching Engine.

You can attach one ACL of each type to each VLAN and to each port configured for port-based QoS.
You cannot attach ACLs to a port configured for VLAN-based QoS (for more information, see the
“Enabling Port-Based or VLAN-Based QoS” section on page 41-32). When an ACL of a particular type
(IP, IPX, or Ethernet) is already attached to an interface, attaching a different ACL of the same type
detaches the previous ACL.
To attach an ACL to a port or a VLAN, perform this task in privileged mode:

Task Command
Step 1 Attach an ACL to an interface.
    set qos acl map acl_name {mod/port | vlan}
Step 2 Verify the configuration.
    show qos acl map {config | runtime} {acl_name | mod/port | vlan | all}

This example shows how to attach an ACL named my_acl to port 2/1:
Console> (enable) set qos acl map my_acl 2/1
Hardware programming in progress...
ACL my_acl is attached to port 2/1.
Console> (enable)

This example shows how to attach an ACL named my_acl to VLAN 4:
Console> (enable) set qos acl map my_acl 4
Hardware programming in progress...
ACL my_acl is attached to vlan 4.
Console> (enable)

Note The default ACLs do not need to be attached to any interfaces.

Detaching ACLs from Interfaces

Note The commands in this section are not supported with a Layer 2 Switching Engine.

To detach an ACL from a port or a VLAN, perform this task in privileged mode:

Task Command
Step 1 Detach an ACL from an interface.
    clear qos acl map acl_name {mod/port | vlan | all}
Step 2 Verify the configuration.
    show qos acl map {config | runtime} {acl_name | mod/port | vlan | all}

This example shows how to detach an ACL named my_acl from port 2/1:
Console> (enable) clear qos acl map my_acl 2/1
Hardware programming in progress...
ACL my_acl is detached from port 2/1.
Console> (enable)

This example shows how to detach an ACL named my_acl from VLAN 4:
Console> (enable) clear qos acl map my_acl 4
Hardware programming in progress...
ACL my_acl is detached from vlan 4.
Console> (enable)

Note The default ACLs cannot be detached from any interfaces.

Mapping a CoS Value to a Host Destination MAC Address/VLAN Pair

Note QoS only supports this command with a Layer 2 Switching Engine.

To map a CoS value to all frames destined for a particular host destination MAC address and VLAN
number value pair, perform this task in privileged mode:

Task Command
Step 1 Map a CoS value to a host destination MAC address/VLAN pair.
    set qos mac-cos dest_mac VLAN cos_value
Step 2 Verify the configuration.
    show qos mac-cos {dest_mac [vlan] | all}

This example shows how to map CoS 2 to a destination MAC address and VLAN 525:
Console> (enable) set qos mac-cos 00-40-0b-30-03-48 525 2
CoS 2 is assigned to 00-40-0b-30-03-48 vlan 525.
Console> (enable)

Deleting a CoS Value Mapping for a Host Destination MAC Address/VLAN Pair

Note QoS only supports this command with a Layer 2 Switching Engine.

To delete a host destination MAC address and VLAN number value pair CoS assignment, perform this
task in privileged mode:

Task Command
Step 1 Delete a host destination MAC address and VLAN number value pair CoS assignment.
    clear qos mac-cos {dest_mac [vlan] | all}
Step 2 Verify the configuration.
    show qos mac-cos {dest_mac [vlan] | all}

This example shows how to delete all CoS assignments to destination MAC addresses and VLANs:
Console> (enable) clear qos mac-cos all
All CoS to Mac/Vlan entries are cleared.
Console> (enable)

Enabling or Disabling Microflow Policing of Bridged Traffic

Note The commands in this section are not supported with a Layer 2 Switching Engine.

By default, microflow policing rules affect only Layer 3-switched traffic. To enable or disable
microflow policing of bridged traffic on the switch or on specified VLANs, perform one of these tasks
in privileged mode:

Task Command
Enable microflow policing of bridged traffic on the switch or on specified VLANs.
    set qos bridged-microflow-policing {enable | disable} vlan
Disable microflow policing of bridged traffic on the switch or on specified VLANs.
    set qos bridged-microflow-policing {enable | disable} vlan
Verify the configuration.
    show qos bridged-packet-policing {config | runtime} vlan

Note With Layer 3 Switching Engine II, to do any microflow policing, you must enable microflow
policing of bridged traffic.

For more information, see the “Policing Rules” section on page 41-22.
This example shows how to enable microflow policing of traffic in VLANs 1 through 20:
Console> (enable) set qos bridged-microflow-policing enable 1-20
QoS microflow policing is enabled for bridged packets on vlans 1-20.
Console> (enable)

Configuring Standard Receive-Queue Tail-Drop Thresholds


To configure the standard receive-queue tail-drop thresholds on the switch, perform this task in
privileged mode:

Task Command
Configure the standard receive-queue tail-drop thresholds.
    set qos drop-threshold port_type rx queue 1 thr1 thr2 thr3 thr4

For more information, see the “Receive Queues” section on page 41-11.

QoS maintains separate configurations for 1q4t ports and 1p1q4t ports. With either keyword, this
command configures only the standard queue. Specify queue 1 for both port types (the threshold in the
strict-priority queue is not separately configurable; it uses threshold 4 as specified for queue 1).
The thresholds are all specified as percentages ranging from 1 to 100. A value of 10 indicates a threshold
when the buffer is 10 percent full.
This example shows how to configure the standard receive-queue tail-drop thresholds:
Console> (enable) set qos drop-threshold 1q4t rx queue 1 20 40 75 100
Receive drop thresholds for queue 1 set at 20% 40% 75% 100%
Console> (enable)

Note You cannot configure a drop threshold in a 1p1q0t receive queue.

Configuring 2q2t Port Standard Transmit-Queue Tail-Drop Thresholds


To configure the standard transmit-queue tail-drop thresholds on all 2q2t ports, perform this task in
privileged mode:

Task Command
Configure the standard transmit-queue tail-drop thresholds on all 2q2t ports.
    set qos drop-threshold port_type tx queue q# thr1 thr2

Queue number 1 is the low-priority transmit queue and queue number 2 is high priority. In each queue,
the low-priority threshold number is 1 and the high-priority threshold number is 2.
The thresholds are all specified as percentages ranging from 1 to 100. A value of 10 indicates a threshold
when the buffer is 10 percent full.
This example shows how to configure the low-priority transmit-queue tail-drop thresholds:
Console> (enable) set qos drop-threshold 2q2t tx queue 1 40 100
Transmit drop thresholds for queue 1 set at 40% 100%
Console> (enable)

Note You cannot configure the tail-drop thresholds in 1p3q1t transmit queues.

Configuring Standard Transmit-Queue WRED-Drop Thresholds


1p2q2t and 1p3q1t ports have weighted early random detection (WRED)-drop thresholds in their
standard transmit queues.

Note 1p3q1t ports also have nonconfigurable tail-drop thresholds (see the “1p3q1t Ports” section on
page 41-26).

To configure the standard transmit-queue WRED-drop thresholds on all ports of each type, perform this
task in privileged mode:

Task Command
Configure the standard transmit-queue WRED-drop thresholds on all ports of a given type.
    set qos wred 1p2q2t [tx] queue q# [thr1Lo:]thr1Hi [thr2Lo:]thr2Hi
    set qos wred 1p3q1t [tx] queue q# [thr1Lo:]thr1Hi

For 1p2q2t ports, queue number 1 is the low-priority transmit queue and queue number 2 is high priority.
In each queue, the low-priority threshold is number 1 and the high-priority threshold is number 2.
For 1p3q1t ports, queue number 1 is the low-priority transmit queue, queue number 2 is medium
priority, and queue number 3 is high priority. In each queue, the threshold is number 1.
The thresholds are all specified as percentages ranging from 0 to 100. A value of 10 indicates a threshold
when the buffer is 10 percent full.
You can configure both the low WRED threshold and the high WRED threshold. You must set the low
threshold to a lower percentage than the high threshold.
The low WRED threshold is the traffic level under which no traffic is dropped. The high WRED
threshold is the traffic level above which all traffic is dropped. Traffic in the queue between the low and
high WRED thresholds has an increasing chance of being dropped as the queue fills. The default low
WRED threshold is zero (all traffic has some chance of being dropped).
This example shows how to configure the low-priority transmit-queue WRED-drop thresholds:
Console> (enable) set qos wred 1p2q2t queue 1 40:70 70:100
WRED thresholds for queue 1 set to 40:70 and 70:100 on all WRED-capable 1p2q2t ports.
Console> (enable)

Note The threshold in the strict-priority queue is not configurable.
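As an added example (not code from this guide or from the switch software), the following Python model validates a set qos wred threshold list as the text above describes (percentages from 0 to 100, low threshold strictly below high, two thresholds per 1p2q2t standard queue and one per 1p3q1t standard queue) and models the resulting drop behavior. A linear increase in drop probability between the low and high thresholds is an assumption for illustration; the guide states only that the chance of being dropped increases as the queue fills.

```python
# Added example: WRED-drop threshold validation and drop model for the standard
# transmit queues.  Not code from the configuration guide or the switch software.
# The linear ramp between the low and high thresholds is an assumption for
# illustration; the guide only states that the drop chance increases as the
# queue fills.

# Standard (WRR) transmit queues and WRED thresholds per queue for each port type.
STANDARD_QUEUES = {"1p2q2t": 2, "1p3q1t": 3}
THRESHOLDS_PER_QUEUE = {"1p2q2t": 2, "1p3q1t": 1}


def parse_wred_threshold(text):
    """Parse '[thrLo:]thrHi' into (low, high); an omitted low threshold defaults to 0."""
    if ":" in text:
        low_text, high_text = text.split(":", 1)
        low, high = int(low_text), int(high_text)
    else:
        low, high = 0, int(text)
    for value in (low, high):
        if not 0 <= value <= 100:
            raise ValueError("WRED thresholds are percentages from 0 to 100")
    if low >= high:
        raise ValueError("the low WRED threshold must be lower than the high threshold")
    return low, high


def parse_wred_command(port_type, queue, threshold_args):
    """Validate 'set qos wred port_type queue q# thresholds...'; returns [(low, high), ...]."""
    if port_type not in STANDARD_QUEUES:
        raise ValueError("WRED is configurable only on 1p2q2t and 1p3q1t ports")
    if not 1 <= queue <= STANDARD_QUEUES[port_type]:
        raise ValueError(f"{port_type} has standard queues 1 to {STANDARD_QUEUES[port_type]}")
    expected = THRESHOLDS_PER_QUEUE[port_type]
    if len(threshold_args) != expected:
        raise ValueError(f"{port_type} queues take {expected} WRED threshold(s)")
    return [parse_wred_threshold(text) for text in threshold_args]


def wred_drop_probability(fill_pct, low, high):
    """Chance that a frame arriving at fill_pct percent queue occupancy is dropped.

    Below the low threshold nothing is dropped; at or above the high threshold
    everything is dropped; in between the chance rises linearly (assumption).
    """
    if fill_pct < low:
        return 0.0
    if fill_pct >= high:
        return 1.0
    return (fill_pct - low) / (high - low)


def expected_drops(fill_pct, thresholds, frames_per_threshold):
    """Expected drops out of frames_per_threshold frames mapped to each threshold."""
    return [round(frames_per_threshold * wred_drop_probability(fill_pct, low, high), 2)
            for low, high in thresholds]


def demo():
    """The guide's example 'set qos wred 1p2q2t queue 1 40:70 70:100' at 55 percent fill."""
    thresholds = parse_wred_command("1p2q2t", 1, ["40:70", "70:100"])
    return expected_drops(55, thresholds, 100)
```

With the guide's 40:70 and 70:100 thresholds and a queue 55 percent full, demo() shows that roughly half of the frames mapped to threshold 1 are expected to be dropped while none mapped to threshold 2 are, which is the point of giving higher-priority CoS values the higher threshold.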

Allocating Bandwidth Between Standard Transmit Queues


The switch transmits frames from one standard queue at a time using a weighted round-robin (WRR)
algorithm. WRR uses a weight value to decide how much to transmit from one queue before switching
to the other. The higher the weight assigned to a queue, the more transmit bandwidth is allocated to it.
To allocate bandwidth between standard transmit queues, perform this task in privileged mode:

Task Command
Allocate bandwidth between standard transmit queues.
    set qos wrr port_type queue1-weight queue2-weight [queue3-weight]

QoS maintains separate configurations for each port type. This command configures only the standard
queues; the strict-priority queue requires no configuration. The valid values for weight range from
1 to 255.

This example shows how to allocate bandwidth for the 2q2t ports:
Console> (enable) set qos wrr 2q2t 30 70
QoS wrr ratio is set successfully.
Console> (enable)
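As an added example (not code from this guide or from the switch software), the following Python model validates the weights accepted by set qos wrr, computes each standard queue's share of transmit bandwidth as its weight divided by the sum of the weights, and simulates the scheduler so that the effect of an idle queue and of strict-priority traffic can be seen. Serving up to weight frames from each queue per round and draining the strict-priority queue before each round are assumptions for illustration; the guide states only that a higher weight gives a queue more transmit bandwidth and that the strict-priority queue needs no configuration. 2q2t ports have no strict-priority queue, so pass 0 strict-priority frames for them.

```python
# Added example: weighted round-robin (WRR) bandwidth split between the standard
# transmit queues.  Not code from the configuration guide or the switch software.
# Serving each queue up to `weight` frames per round, and draining the
# strict-priority queue before every round, are assumptions for illustration.

STANDARD_QUEUES = {"2q2t": 2, "1p2q2t": 2, "1p3q1t": 3}  # standard queues per port type


def parse_wrr(port_type, weights):
    """Validate 'set qos wrr port_type w1 w2 [w3]': one weight per standard queue, 1 to 255."""
    if port_type not in STANDARD_QUEUES:
        raise ValueError(f"unknown port type {port_type}")
    if len(weights) != STANDARD_QUEUES[port_type]:
        raise ValueError(f"{port_type} takes {STANDARD_QUEUES[port_type]} weights")
    if any(not 1 <= w <= 255 for w in weights):
        raise ValueError("WRR weights range from 1 to 255")
    return list(weights)


def bandwidth_share(weights):
    """Fraction of transmit bandwidth each standard queue gets when all are backlogged."""
    total = sum(weights)
    return [w / total for w in weights]


def simulate_wrr(weights, standard_backlog, strict_backlog, frames_to_send):
    """Send frames_to_send frames; returns (sent per standard queue, sent from strict queue).

    Each round drains the strict-priority queue first, then serves up to
    `weight` frames from each standard queue in turn.  An empty queue is
    skipped, so its unused share goes to the queues that still have frames.
    """
    remaining = list(standard_backlog)
    strict_left = strict_backlog
    sent = [0] * len(weights)
    strict_sent = 0
    budget = frames_to_send
    while budget > 0 and (strict_left > 0 or any(remaining)):
        n = min(strict_left, budget)
        strict_sent += n
        strict_left -= n
        budget -= n
        for i, weight in enumerate(weights):
            n = min(weight, remaining[i], budget)
            sent[i] += n
            remaining[i] -= n
            budget -= n
    return sent, strict_sent


def demo():
    """'set qos wrr 2q2t 30 70' with both standard queues saturated and no strict traffic."""
    weights = parse_wrr("2q2t", [30, 70])
    sent, _ = simulate_wrr(weights, [1000, 1000], 0, 1000)
    return [s / 1000 for s in sent]
```

demo() reproduces the 30/70 split of the example above when both queues are saturated; calling simulate_wrr with an empty low-priority queue shows the high-priority queue taking the whole link, and a non-zero strict-priority backlog is served ahead of both standard queues.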

Configuring the Receive-Queue Size Ratio


For 1p1q0t ports, estimate the mix of standard-priority and strict-priority traffic on your network (for
example, 85 percent standard-priority traffic and 15 percent strict-priority traffic). Specify queue ratios
with the estimated percentages, which must range from 1 to 99 and together add up to 100.
To configure the receive-queue size ratio, perform this task in privileged mode:

Task Command
Configure the receive-queue size ratio between receive queue 1 (standard priority) and receive queue 2 (strict priority).
    set qos rxq-ratio 1p1q0t queue1-val queue2-val

This example shows how to configure the receive-queue size ratio:
Console> (enable) set qos rxq-ratio 1p1q0t 80 20
QoS rxq-ratio is set successfully.
Console> (enable)

Configuring the Transmit-Queue Size Ratio


Estimate the mix of traffic of various priorities on your network (for example, 75 percent low-priority
traffic, 15 percent high-priority traffic, and 10 percent strict-priority traffic). Specify queue ratios with
the estimated percentages, which must range from 1 to 99 and together add up to 100.
To configure the transmit-queue size ratio for each port type, perform this task in privileged mode:

Task Command
Configure the transmit-queue size ratio.
    set qos txq-ratio port_type queue1-val queue2-val [queue3-val]

Valid port_type parameters are 2q2t and 1p2q2t. QoS maintains separate configurations for each port
type. This example shows how to configure the transmit-queue size ratio:
Console> (enable) set qos txq-ratio 2q2t 80 20
QoS txq-ratio is set successfully.
Console> (enable)

Mapping CoS Values to Drop Thresholds


This command associates CoS values with receive- and transmit-queue drop thresholds. QoS maintains
separate configurations for each port type.
These sections describe mapping CoS values to drop thresholds:
• Associating 1q4t, 2q2t Ports, page 41-52
• Associating 1p1q4t, 1p2q2t Ports, page 41-52
• Associating 1p1q0t, 1p3q1t Ports, page 41-53
• Reverting to CoS Map Defaults, page 41-54

Associating 1q4t, 2q2t Ports


To associate CoS values to the drop thresholds on 1q4t, 2q2t ports, perform this task in privileged mode:

Task Command
Step 1 Associate a CoS value to a drop threshold.
    set qos map 2q2t tx q# thr# cos coslist
Step 2 Verify the configuration.
    show qos info config {1p1q4t rx | 1p1q0t rx | 1p2q2t tx | 2q2t tx | 1p3q1t tx}

The receive- and transmit-drop thresholds have this relationship:
• Receive queue 1 (standard) threshold 1 = transmit queue 1 (standard low priority) threshold 1
• Receive queue 1 (standard) threshold 2 = transmit queue 1 (standard low priority) threshold 2
• Receive queue 1 (standard) threshold 3 = transmit queue 2 (standard high priority) threshold 1
• Receive queue 1 (standard) threshold 4 = transmit queue 2 (standard high priority) threshold 2
Use the transmit queue and transmit-queue drop-threshold values in this command. This example shows
how to associate the CoS values 0 and 1 to both standard receive-queue 1/threshold 1 and standard
transmit-queue 1/threshold 1:
Console> (enable) set qos map 2q2t tx 1 1 cos 0,1
Qos tx priority queue and threshold mapped to cos successfully.
Console> (enable)
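As an added example (not code from this guide or from the switch software), the following Python model ties this section to the tail-drop threshold sections above: it stores the four receive/transmit threshold relationships just listed, accepts the arguments of set qos map 2q2t tx and set qos drop-threshold, and reports whether tail drop discards a frame of a given CoS value at a given buffer fill on the receive side (1q4t, queue 1) and on the transmit side (2q2t). The thresholds and CoS assignments beyond the guide's own example commands are constructed; treating a frame as dropped once the fill reaches its threshold percentage, and accepting a low-high range in a coslist, are assumptions for illustration.

```python
# Added example: CoS-to-drop-threshold mapping and tail-drop decisions on
# 1q4t/2q2t ports.  Not code from the configuration guide or the switch
# software.  Threshold percentages and CoS assignments beyond the guide's own
# examples are constructed; treating a frame as dropped once buffer fill
# reaches (>=) its threshold, and accepting 'lo-hi' ranges in a coslist, are
# assumptions for illustration.

# Receive-queue 1 threshold <-> (transmit queue, transmit threshold), from the guide.
RX_THRESHOLD_FOR_TX = {(1, 1): 1, (1, 2): 2, (2, 1): 3, (2, 2): 4}


def parse_coslist(text):
    """'0,1' (or '0-3,5') -> sorted list of CoS values 0..7."""
    values = set()
    for item in text.split(","):
        if "-" in item:
            low, high = (int(x) for x in item.split("-", 1))
            values.update(range(low, high + 1))
        else:
            values.add(int(item))
    if any(not 0 <= v <= 7 for v in values):
        raise ValueError("CoS values range from 0 to 7")
    return sorted(values)


def check_percentages(values):
    """Tail-drop thresholds are percentages from 1 to 100."""
    if any(not 1 <= v <= 100 for v in values):
        raise ValueError("thresholds are percentages from 1 to 100")
    return list(values)


class CosDropMap2q2t:
    """CoS -> (tx queue, tx threshold) map plus tail-drop thresholds for 1q4t/2q2t ports."""

    def __init__(self):
        self.cos_to_tx = {}                                   # cos -> (queue, threshold)
        self.rx_thresholds = [100, 100, 100, 100]             # rx queue 1 thresholds 1..4 (constructed)
        self.tx_thresholds = {1: [100, 100], 2: [100, 100]}   # tx queue -> thresholds 1..2 (constructed)

    def map_cos(self, queue, threshold, coslist):
        """set qos map 2q2t tx q# thr# cos coslist"""
        if (queue, threshold) not in RX_THRESHOLD_FOR_TX:
            raise ValueError("2q2t ports have transmit queues 1-2 with thresholds 1-2")
        for cos in parse_coslist(coslist):
            self.cos_to_tx[cos] = (queue, threshold)

    def set_rx_thresholds(self, thr1, thr2, thr3, thr4):
        """set qos drop-threshold 1q4t rx queue 1 thr1 thr2 thr3 thr4"""
        self.rx_thresholds = check_percentages([thr1, thr2, thr3, thr4])

    def set_tx_thresholds(self, queue, thr1, thr2):
        """set qos drop-threshold 2q2t tx queue q# thr1 thr2"""
        if queue not in self.tx_thresholds:
            raise ValueError("2q2t ports have transmit queues 1 and 2")
        self.tx_thresholds[queue] = check_percentages([thr1, thr2])

    def rx_threshold_for(self, cos):
        """Receive-queue 1 threshold number implied by the CoS value's transmit mapping."""
        return RX_THRESHOLD_FOR_TX[self.cos_to_tx[cos]]

    def rx_dropped(self, cos, fill_pct):
        """Tail drop on the receive side at the given buffer fill (percent)."""
        return fill_pct >= self.rx_thresholds[self.rx_threshold_for(cos) - 1]

    def tx_dropped(self, cos, fill_pct):
        """Tail drop on the transmit side at the given buffer fill (percent)."""
        queue, threshold = self.cos_to_tx[cos]
        return fill_pct >= self.tx_thresholds[queue][threshold - 1]


def build_example():
    """Configuration built from the guide's example commands plus constructed entries."""
    m = CosDropMap2q2t()
    m.set_rx_thresholds(20, 40, 75, 100)   # set qos drop-threshold 1q4t rx queue 1 20 40 75 100
    m.set_tx_thresholds(1, 40, 100)        # set qos drop-threshold 2q2t tx queue 1 40 100
    m.set_tx_thresholds(2, 40, 100)        # constructed: same thresholds for the high queue
    m.map_cos(1, 1, "0,1")                 # set qos map 2q2t tx 1 1 cos 0,1
    m.map_cos(1, 2, "2,3")                 # constructed assignments for the remaining CoS values
    m.map_cos(2, 1, "4,5")
    m.map_cos(2, 2, "6,7")
    return m
```

With this configuration a CoS 0 frame is tail-dropped on receive once queue 1 is 20 percent full and on transmit once queue 1 is 40 percent full, while a CoS 7 frame survives until the buffer is completely full; that is the practical effect of mapping low CoS values to the low threshold numbers.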

Associating 1p1q4t, 1p2q2t Ports


On 1p1q4t, 1p2q2t ports, you configure the receive queues and the transmit queues separately.

1p1q4t Receive Queues

To associate CoS values to 1p1q4t receive-queue drop thresholds, perform this task in privileged mode:

Task Command
Step 1 Associate a CoS value to a receive-queue drop threshold.
    set qos map 1p1q4t rx q# thr# cos coslist
Step 2 Verify the configuration.
    show qos info config {1p1q4t rx | 1p1q0t rx | 1p2q2t tx | 2q2t tx | 1p3q1t tx}

Queue 1 is the standard queue. Queue 2 is the strict-priority queue.
Threshold numbers range from 1 for low priority to 4 for high priority.
This example shows how to associate the CoS value 5 to strict-priority receive-queue 2/threshold 1:
Console> (enable) set qos map 1p1q4t rx 2 1 cos 5
Qos rx strict queue and threshold mapped to cos successfully.
Console> (enable)

1p2q2t Transmit Queues

To associate CoS values to the 1p2q2t transmit-queue drop thresholds, perform this task in privileged
mode:

Task Command
Step 1 Associate a CoS value to a transmit-queue drop threshold.
    set qos map 1p2q2t tx q# thr# cos coslist
Step 2 Verify the configuration.
    show qos info config {1p1q4t rx | 1p1q0t rx | 1p2q2t tx | 2q2t tx | 1p3q1t tx}

Queue 1 is standard low priority, queue 2 is high priority, and queue 3 is strict priority.
Threshold 1 is low priority and threshold 2 is high priority.
This example shows how to associate the CoS value 5 to strict-priority transmit-queue 3/drop
threshold 1:
Console> (enable) set qos map 1p2q2t tx 3 1 cos 5
Qos tx strict queue and threshold mapped to cos successfully.
Console> (enable)

Associating 1p1q0t, 1p3q1t Ports


On 1p1q0t, 1p3q1t ports, you configure the receive queues and the transmit queues separately.

1p1q0t Receive Queues

To associate CoS values to a 1p1q0t receive queue, perform this task in privileged mode:

Task Command
Step 1 Associate a CoS value to a receive queue.
    set qos map 1p1q0t rx q# cos coslist
Step 2 Verify the configuration.
    show qos info config {1p1q4t rx | 1p1q0t rx | 1p2q2t tx | 2q2t tx | 1p3q1t tx}

Queue 1 is the standard queue. Queue 2 is the strict-priority queue.
This example shows how to associate the CoS value 5 to strict-priority receive-queue 2:
Console> (enable) set qos map 1p1q0t rx 2 cos 7
QoS queue mapped to cos successfully.
Console> (enable)

1p3q1t Transmit Queues

With 1p3q1t transmit queues, you can associate a CoS value with either the nonconfigurable tail-drop
threshold or the configurable WRED-drop threshold:
• To associate a CoS value with the tail-drop threshold, map the CoS value to the queue.
• To associate a CoS value with the WRED-drop threshold, map the CoS value to the queue and
threshold.
To associate CoS values to the 1p3q1t transmit-queue drop thresholds, perform this task in privileged
mode:

Task Command
Step 1 Associate a CoS value to a transmit-queue drop threshold.
    set qos map 1p3q1t tx q# [thr#] cos coslist
Step 2 Verify the configuration.
    show qos info config {1p1q4t rx | 1p1q0t rx | 1p2q2t tx | 2q2t tx | 1p3q1t tx}

Queue 1 is standard low priority, queue 2 is medium priority, and queue 3 is high priority. Queue 4 is
strict priority.
To map CoS values to the tail-drop threshold, omit the threshold number or enter 0.
The WRED-drop threshold number is 1.
This example shows how to associate the CoS value 0 to transmit-queue 1/drop threshold 1:
Console> (enable) set qos map 1p3q1t tx 1 1 cos 0
Qos tx strict queue and threshold mapped to cos successfully.
Console> (enable)

Reverting to CoS Map Defaults


To revert to default CoS value/drop threshold mapping, perform this task in privileged mode:

Task Command
Step 1 Revert to QoS map defaults.
    clear qos map {1p1q4t rx | 1p1q0t rx | 1p2q2t tx | 2q2t tx | 1p3q1t tx}
Step 2 Verify the configuration.
    show qos info config {1p1q4t rx | 1p1q0t rx | 1p2q2t tx | 2q2t tx | 1p3q1t tx}

This example shows how to revert to QoS map defaults:
Console> (enable) clear qos map 1p3q1t tx
Qos map setting cleared.
Console> (enable)

Configuring DSCP Value Maps

Note The commands in this section are not supported with a Layer 2 Switching Engine.

These sections describe how DSCP values are mapped to other values:
• Mapping Received CoS Values to Internal DSCP Values, page 41-55
• Mapping Received IP Precedence Values to Internal DSCP Values, page 41-56
• Mapping Internal DSCP Values to Egress CoS Values, page 41-56
• Mapping DSCP Markdown Values, page 41-57

Mapping Received CoS Values to Internal DSCP Values


To map received CoS values to the internal DSCP value (see the “Internal DSCP Values” section on
page 41-15), perform this task in privileged mode:

Task Command
Step 1 Map received CoS values to internal DSCP values.
    set qos cos-dscp-map dscp1 dscp2 dscp3 dscp4 dscp5 dscp6 dscp7 dscp8
Step 2 Verify the configuration.
    show qos maps {config | runtime} [cos-dscp-map | ipprec-dscp-map | dscp-cos-map | policed-dscp-map]

Enter 8 DSCP values to which QoS maps received CoS values 0 through 7. This example shows how to
map received CoS values to internal DSCP values:
Console> (enable) set qos cos-dscp-map 20 30 1 43 63 12 13 8
QoS cos-dscp-map set successfully.
Console> (enable)

To revert to default CoS to DSCP value mapping, perform this task in privileged mode:

Task Command
Step 1 Revert to CoS value/DSCP value map defaults.
    clear qos cos-dscp-map
Step 2 Verify the configuration.
    show qos maps {config | runtime} [cos-dscp-map | ipprec-dscp-map | dscp-cos-map | policed-dscp-map]

This example shows how to revert to CoS-DSCP map defaults:
Console> (enable) clear qos cos-dscp-map
QoS cos-dscp-map setting restored to default.
Console> (enable)

Mapping Received IP Precedence Values to Internal DSCP Values


To map received IP precedence values to the internal DSCP value (see the “Internal DSCP Values”
section on page 41-15), perform this task in privileged mode:

Task Command
Step 1 Map received IP precedence values to internal DSCP values.
    set qos ipprec-dscp-map dscp1 dscp2 dscp3 dscp4 dscp5 dscp6 dscp7 dscp8
Step 2 Verify the configuration.
    show qos maps {config | runtime} [cos-dscp-map | ipprec-dscp-map | dscp-cos-map | policed-dscp-map]

Enter 8 internal DSCP values to which QoS maps received IP precedence values 0 through 7. This
example shows how to map received IP precedence values to internal DSCP values:
Console> (enable) set qos ipprec-dscp-map 20 30 1 43 63 12 13 8
QoS ipprec-dscp-map set successfully.
Console> (enable)

To revert to default IP precedence to DSCP value mapping, perform this task in privileged mode:

Task Command
Step 1 Revert to IP precedence value to DSCP value map defaults.
    clear qos ipprec-dscp-map
Step 2 Verify the configuration.
    show qos maps {config | runtime} [cos-dscp-map | ipprec-dscp-map | dscp-cos-map | policed-dscp-map]

This example shows how to revert to IP precedence-DSCP map defaults:
Console> (enable) clear qos ipprec-dscp-map
QoS ipprec-dscp-map setting restored to default.
Console> (enable)

Mapping Internal DSCP Values to Egress CoS Values


To map internal DSCP values to the egress CoS values used for egress port scheduling and congestion
avoidance, perform this task in privileged mode:

Task Command
Step 1 Map internal DSCP values to egress CoS values.
    set qos dscp-cos-map dscp_list:cos ...
Step 2 Verify the configuration.
    show qos maps {config | runtime} [cos-dscp-map | ipprec-dscp-map | dscp-cos-map | policed-dscp-map]

For more information, see the “Internal DSCP Values” section on page 41-15 and the “Ethernet Egress
Port Scheduling, Congestion Avoidance, and Marking” section on page 41-24.

Enter up to 64 internal DSCP value list/egress CoS value pairs. This example shows how to map internal
DSCP values to egress CoS values:
Console> (enable) set qos dscp-cos-map 20-25:7 33-38:3
QoS dscp-cos-map set successfully.
Console> (enable)

To revert to the default DSCP to CoS value mapping, perform this task in privileged mode:

Task Command
Step 1 Revert to DSCP value/CoS value map defaults.
    clear qos dscp-cos-map
Step 2 Verify the configuration.
    show qos maps {config | runtime} [cos-dscp-map | ipprec-dscp-map | dscp-cos-map | policed-dscp-map]

This example shows how to revert to DSCP-CoS map defaults:
Console> (enable) clear qos dscp-cos-map
QoS dscp-cos-map setting restored to default.
Console> (enable)

Mapping DSCP Markdown Values


To map DSCP markdown values used by policing rules, perform this task in privileged mode:

Step 1  Task: Map DSCP values to markdown DSCP values.
        Command: set qos policed-dscp-map dscp_list:markdown_dscp ...
Step 2  Task: With PFC2, map DSCP values to markdown DSCP values.
        Command: set qos policed-dscp-map [normal-rate | excess-rate] in_profile_dscp_list:policed_dscp ...
Step 3  Task: Verify the configuration.
        Command: show qos maps {config | runtime} [cos-dscp-map | ipprec-dscp-map | dscp-cos-map | policed-dscp-map]

For more information, see the “Policing Rules” section on page 41-22.
Enter up to 64 DSCP-value-list/DSCP-value pairs.
This example shows how to map DSCP markdown values:
Console> (enable) set qos policed-dscp-map 20-25:7 33-38:3
QoS dscp-dscp-map set successfully.
Console> (enable)

This example shows how to map DSCP markdown values for packets exceeding the excess rate:
Console> (enable) set qos policed-dscp-map 33:30
QoS normal-rate policed-dscp-map set successfully.
Console> (enable) set qos policed-dscp-map excess-rate 33:30
QoS excess-rate policed-dscp-map set successfully.
Console> (enable)

Note Configure marked-down DSCP values that map to CoS values consistent with the markdown penalty
(see the “Mapping Internal DSCP Values to Egress CoS Values” section on page 41-56).

To revert to default DSCP markdown value mapping, perform this task in privileged mode:

Step 1  Task: Revert to DSCP markdown map defaults.
        Command: clear qos policed-dscp-map [normal-rate | excess-rate]
Step 2  Task: Verify the configuration.
        Command: show qos maps {config | runtime} [cos-dscp-map | ipprec-dscp-map | dscp-cos-map | policed-dscp-map]

This example shows how to revert to DSCP markdown map defaults:


Console> (enable) clear qos policed-dscp-map
QoS dscp-cos-map setting restored to default.
Console> (enable)

Note Without the normal-rate or the excess-rate keywords, the clear qos policed-dscp-map command
clears only the normal policed-dscp map.
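The three map commands above (ipprec-dscp-map, dscp-cos-map and policed-dscp-map) and the Note about keeping marked-down DSCP values consistent with the egress CoS, as an added Python example that is not Cisco's code: it parses the dscp_list:value syntax, replays the example commands from these sections and reports any markdown entry that ends up with a higher egress CoS than the DSCP it replaces. The starting map contents are assumptions; the switch defaults are given in the "Internal DSCP Values" section, not here.

```python
"""Model of the QoS DSCP maps configured in the sections above.

Added example, not Cisco code. It parses the dscp_list:value pair syntax of
set qos dscp-cos-map and set qos policed-dscp-map, applies the maps in the
order the switch applies them (received IP precedence -> internal DSCP ->
optional policed markdown -> egress CoS) and checks the Note above: marking
down a DSCP should not yield a higher egress CoS than the original DSCP.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DSCP_MAX, COS_MAX, IPPREC_COUNT, MAX_PAIRS = 63, 7, 8, 64


def parse_map_pairs(arg: str, value_max: int) -> list[tuple[int, int]]:
    """Expand 'dscp_list:value ...' (for example '20-25:7 33-38:3') into
    (dscp, value) pairs. A dscp_list is a value, a range 'a-b' or a comma
    list such as '1,3,5-7'; value_max is 7 for a CoS or 63 for a DSCP."""
    tokens = arg.split()
    if not 1 <= len(tokens) <= MAX_PAIRS:
        raise ValueError(f"expected 1 to {MAX_PAIRS} dscp_list:value pairs")
    pairs: list[tuple[int, int]] = []
    for tok in tokens:
        dscp_list, sep, value_s = tok.partition(":")
        if not sep:
            raise ValueError(f"missing ':' in {tok!r}")
        value = int(value_s)
        if not 0 <= value <= value_max:
            raise ValueError(f"value {value} outside 0-{value_max}")
        for piece in dscp_list.split(","):
            lo, _, hi = piece.partition("-")
            lo_i, hi_i = int(lo), int(hi or lo)
            if not 0 <= lo_i <= hi_i <= DSCP_MAX:
                raise ValueError(f"bad DSCP range {piece!r}")
            pairs.extend((d, value) for d in range(lo_i, hi_i + 1))
    return pairs


@dataclass
class QosMaps:
    # Assumed starting tables (not the switch defaults): precedence p -> DSCP 8p,
    # DSCP d -> CoS d // 8, and no markdown (each DSCP polices to itself).
    ipprec_dscp: list[int] = field(default_factory=lambda: [8 * p for p in range(IPPREC_COUNT)])
    dscp_cos: list[int] = field(default_factory=lambda: [d // 8 for d in range(DSCP_MAX + 1)])
    policed_normal: list[int] = field(default_factory=lambda: list(range(DSCP_MAX + 1)))
    policed_excess: list[int] = field(default_factory=lambda: list(range(DSCP_MAX + 1)))

    def set_ipprec_dscp_map(self, values: list[int]) -> None:
        """set qos ipprec-dscp-map d0 ... d7: exactly 8 internal DSCP values."""
        if len(values) != IPPREC_COUNT or any(not 0 <= v <= DSCP_MAX for v in values):
            raise ValueError("need exactly 8 DSCP values in the range 0-63")
        self.ipprec_dscp = list(values)

    def set_dscp_cos_map(self, arg: str) -> None:
        """set qos dscp-cos-map dscp_list:cos ..."""
        for dscp, cos in parse_map_pairs(arg, COS_MAX):
            self.dscp_cos[dscp] = cos

    def set_policed_dscp_map(self, arg: str, rate: str = "normal") -> None:
        """set qos policed-dscp-map [normal-rate | excess-rate] dscp_list:markdown_dscp ..."""
        table = {"normal": self.policed_normal, "excess": self.policed_excess}[rate]
        for dscp, marked in parse_map_pairs(arg, DSCP_MAX):
            table[dscp] = marked

    def egress(self, ipprec: int, exceeded: str | None = None) -> tuple[int, int]:
        """(internal DSCP, egress CoS) for a packet received with IP precedence
        ipprec, after markdown if a policer's normal or excess rate was exceeded."""
        dscp = self.ipprec_dscp[ipprec]
        if exceeded == "normal":
            dscp = self.policed_normal[dscp]
        elif exceeded == "excess":
            dscp = self.policed_excess[dscp]
        return dscp, self.dscp_cos[dscp]

    def markdown_inconsistencies(self) -> list[tuple[str, int, int, int, int]]:
        """Entries where marking down raises the egress CoS, which defeats the
        markdown penalty: (rate, dscp, marked_dscp, cos_before, cos_after)."""
        bad = []
        for rate, table in (("normal", self.policed_normal), ("excess", self.policed_excess)):
            for dscp, marked in enumerate(table):
                if marked != dscp and self.dscp_cos[marked] > self.dscp_cos[dscp]:
                    bad.append((rate, dscp, marked, self.dscp_cos[dscp], self.dscp_cos[marked]))
        return bad


def page_example() -> QosMaps:
    """Apply the commands from the examples above, plus one constructed
    markdown entry (40:22) that the consistency check flags."""
    m = QosMaps()
    m.set_ipprec_dscp_map([20, 30, 1, 43, 63, 12, 13, 8])
    m.set_dscp_cos_map("20-25:7 33-38:3")
    m.set_policed_dscp_map("20-25:7 33-38:3")       # normal-rate markdown
    m.set_policed_dscp_map("33:30", rate="excess")   # excess-rate markdown
    m.set_policed_dscp_map("40:22")                  # constructed: CoS 5 -> CoS 7
    return m
```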

Displaying QoS Information


To display QoS information, perform this task:

Task: Display QoS information.
Command: show qos info [runtime | config]

This example shows how to display the configured (NVRAM) QoS information for port 2/1:
Console> show qos info config 2/1
QoS setting in NVRAM:
QoS is enabled
Port 2/1 has 2 transmit queue with 2 drop thresholds (2q2t).
Port 2/1 has 1 receive queue with 4 drop thresholds (1q4t).
Interface type:vlan-based
ACL attached:
The qos trust type is set to untrusted.
Default CoS = 0
Queue and Threshold Mapping:
Queue Threshold CoS
----- --------- ---------------
1     1         0 1
1     2         2 3
2     1         4 5
2     2         6 7
Rx drop thresholds:
Rx drop thresholds are disabled for untrusted ports.
Queue # Thresholds - percentage (abs values )
------- -------------------------------------
1       50% 60% 80% 100%
Tx drop thresholds:
Queue # Thresholds - percentage (abs values )
------- -------------------------------------
1       40% 100%
2       40% 100%
Tx WRED thresholds:
WRED feature is not supported for this port_type.
Queue Sizes:
Queue # Sizes - percentage (abs values )
------- -------------------------------------
1       80%
2       20%
WRR Configuration of ports with speed 1000Mbps:
Queue # Ratios (abs values )
------- -------------------------------------
1       100
2       255
Console> (enable)

Displaying QoS Statistics


To display QoS statistics, perform this task:

Task: Display QoS statistics.
Command: show qos statistics {mod[/port] | l3stats | aggregate-policer [policer_name]}

This example shows how to display QoS statistics for port 2/1:
Console> (enable) show qos statistics 2/1
On Transmit:Port 2/1 has 2 Queue(s) 2 Threshold(s)
Q # Threshold #:Packets dropped
--- -----------------------------------------------
1 1:0 pkts, 2:0 pkts
2 1:0 pkts, 2:0 pkts
On Receive:Port 2/1 has 1 Queue(s) 4 Threshold(s)
Q # Threshold #:Packets dropped
--- -----------------------------------------------
1 1:0 pkts, 2:0 pkts, 3:0 pkts, 4:0 pkts

This example shows how to display QoS Layer 3 statistics:


Console> (enable) show qos statistics l3stats
QoS Layer 3 Statistics show statistics since last read.
Packets dropped due to policing: 0
IP packets with ToS changed: 0
IP packets with CoS changed: 26
Non-IP packets with CoS changed: 0
Console>

This example shows how to display QoS aggregate policer statistics:


Console> (enable) show qos statistics aggregate-policer
QoS aggregate-policer statistics:
Aggregate Policer                Packet Count Packets exceed Packets exceed
                                              normal rate    excess rate
-------------------------------- ------------ -------------- -----------------
test                             1000         20             5

Reverting to QoS Defaults

Note Reverting to defaults disables QoS, because QoS is disabled by default.

To revert to QoS defaults, perform this task in privileged mode:

Task: Revert to QoS defaults.
Command: clear qos config

This example shows how to revert to QoS defaults:


Console> (enable) clear qos config
This command will disable QoS and take values back to factory default.
Do you want to continue (y/n) [n]? y
QoS config cleared.
Console> (enable)

Disabling QoS
To disable QoS, perform this task in privileged mode:

Task: Disable QoS on the switch.
Command: set qos {enable | disable}

This example shows how to disable QoS:


Console> (enable) set qos disable
QoS is disabled.
Console> (enable)

Configuring COPS Support

Note The commands in this section are not supported with a Layer 2 Switching Engine.

Note COPS can configure QoS only for IP traffic. Use the CLI or SNMP to configure QoS for all other
traffic.

These sections describe configuring COPS support:


• Port ASICs, page 41-61
• Understanding QoS Policy, page 41-61
• Selecting COPS as the QoS Policy Source, page 41-61
• Selecting Locally Configured QoS Policy, page 41-62
• Enabling Use of Locally Configured QoS Policy, page 41-62
• Assigning Port Roles, page 41-63
• Removing Roles from Port ASICs, page 41-63
• Deleting Roles, page 41-64
• Configuring Policy Decision Point Servers, page 41-64
• Deleting PDP Server Configuration, page 41-64
• Configuring the COPS Domain Name, page 41-65
• Deleting the COPS Domain Name, page 41-65
• Configuring the COPS Communications Parameters, page 41-65

Note Throughout this publication and all Catalyst 6000 family documents, the term “COPS” refers to
COPS support as implemented on the Catalyst 6000 family switches.

Port ASICs
Some COPS support features affect all ports controlled by a port ASIC. The following sections use the
term “per-ASIC” to identify features that configure all ports on the same port ASIC:
• The port ASICs on Gigabit Ethernet switching modules control up to 4 ports each: 1–4, 5–8, 9–12,
and 13–16.
• There is a port ASIC on 10-Mbps, 10/100-Mbps, and 100-Mbps Ethernet switching modules that
controls all ports.
• On 10-Mbps, 10/100-Mbps, and 100-Mbps Ethernet switching modules, there is another set of port
ASICs that control 12 ports each (1–12, 13–24, 25–36, and 37–48), but COPS cannot configure
them.
• Changes to an EtherChannel port apply to all ports in the EtherChannel and to all ports controlled
by the ASIC (or ASICs) that control the EtherChannel ports.

Understanding QoS Policy


The term QoS policy refers to the QoS values in effect, such as port trust state and which ACLs are
applied to ports and VLANs.

Selecting COPS as the QoS Policy Source


QoS uses locally configured QoS values as the default QoS policy source. To select COPS as the QoS
policy source, perform this task in privileged mode:

Step 1  Task: Select COPS as the QoS policy source.
        Command: set qos policy-source {local | cops}
Step 2  Task: Verify the QoS policy source.
        Command: show qos policy-source

This example shows how to select COPS as the QoS policy source:
Console> (enable) set qos policy-source cops
QoS policy source for the switch set to COPS.
Console> (enable) show qos policy-source
QoS policy source for the switch set to COPS.
Console> (enable)

Selecting COPS as the QoS policy source switches the following values from locally configured values
to received COPS values:
• All DSCP maps
• Named and default ACL definitions
• Microflow and aggregate policing rules
• CoS to queue assignments
• Threshold configuration
• WRR weight and buffer configuration
• Default port CoS and ACL-to-interface attachments

Selecting Locally Configured QoS Policy


To select locally configured QoS policy, perform this task in privileged mode:

Step 1  Task: Select locally configured QoS policy.
        Command: set qos policy-source {local | cops}
Step 2  Task: Verify the QoS policy source.
        Command: show qos policy-source

This example shows how to select locally configured QoS policy:


Console> (enable) set qos policy-source local
QoS policy source for the switch set to local.
Console> (enable) show qos policy-source
QoS policy source for the switch set to local.
Console> (enable)

Enabling Use of Locally Configured QoS Policy


When enabled, COPS is the default QoS policy source for all ports. You can use locally configured QoS
policy on a per-ASIC basis. To enable use of locally configured QoS policy on a port ASIC, perform this
task in privileged mode:

Step 1  Task: Enable use of locally configured QoS policy on a port.
        Command: set port qos mod/port policy-source {local | cops}
Step 2  Task: Verify the QoS policy source for the port.
        Command: show port qos

This example shows how to enable use of locally configured QoS policy:
Console> (enable) set port qos 1/1 policy-source local
QoS policy source set to local on port(s) 1/1-2.
Console> (enable)

Assigning Port Roles


COPS does not configure ports using slot number and port number parameters. COPS uses roles that you
create and assign to port ASICs.
A role is a name that describes the capability of ports (for example, access or mod2_1-4). QoS supports
64 roles per switch. You can assign more than one role to a port ASIC (for example, mod2ports1-12 and
access), with the limitation that the combined length of role names assigned to a port ASIC cannot
exceed 255 characters.
The role name can be up to 31 characters long, is not case sensitive but may include uppercase and
lowercase characters, and may consist of a–z, A–Z, 0–9, the dash character (-), the underscore character
(_), and the period character (.). Role names cannot start with the underscore character.
The first assignment of a new role to a port creates the role.
To assign roles to a port ASIC, perform this task in privileged mode:

Step 1  Task: Assign roles to a port ASIC.
        Command: set port cops {mod/port} roles role1 [role2] ...
Step 2  Task: Verify the roles for the port.
        Command: show port cops [mod[/port]]

This example shows how to assign two new roles to the ASIC controlling port 2/1:
Console> (enable) set port cops 2/1 roles mod2ports1-12 access
New role ‘mod2ports1-12’ created.
New role ‘access’ created.
Roles added for port 2/1-12.
Console> (enable)
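The per-ASIC scope of these commands (see "Port ASICs" above) and the role-name rules in this section, as an added Python example that is not Cisco's code: asic_ports() shows which other ports a set port cops or set port qos ... policy-source command also changes, which is why the outputs above report 1/1-2, 2/1-12 and 3/1-4 rather than a single port, and CopsRoles validates role names against the stated rules before recording an assignment. Module-type strings and port counts are assumptions for the example.

```python
"""Model of the per-ASIC scope and role-name rules described above.

Added example, not Cisco code. asic_ports() returns every port that a
per-ASIC command touches, using the groupings stated above (Gigabit
Ethernet: groups of 4; 10-, 10/100- and 100-Mbps modules: one
COPS-configurable ASIC for the whole module). CopsRoles enforces the
role-name rules. Module-type strings and port counts are assumptions.
"""
from __future__ import annotations

import re

# 1-31 characters from a-z, A-Z, 0-9, '-', '_' and '.', not starting with '_'.
ROLE_NAME_RE = re.compile(r"[A-Za-z0-9.\-][A-Za-z0-9._\-]{0,30}")
MAX_ROLES_PER_SWITCH = 64
MAX_ROLE_CHARS_PER_ASIC = 255  # combined length of role names on one ASIC


def asic_ports(module_type: str, port: int, port_count: int) -> list[int]:
    """Ports that share a COPS-configurable port ASIC with `port`."""
    if not 1 <= port <= port_count:
        raise ValueError(f"port {port} not in 1-{port_count}")
    if module_type == "gigabit":
        first = (port - 1) // 4 * 4 + 1            # groups 1-4, 5-8, 9-12, 13-16
        return list(range(first, min(first + 3, port_count) + 1))
    if module_type in ("10", "10/100", "100"):
        return list(range(1, port_count + 1))      # one ASIC controls all ports
    raise ValueError(f"unknown module type {module_type!r}")


class CopsRoles:
    """Tracks role names per switch and per port ASIC like set port cops."""

    def __init__(self) -> None:
        self.roles: set[str] = set()                              # lower-cased names
        self.asic_roles: dict[tuple[int, int], list[str]] = {}    # (module, first port)

    def set_port_cops_roles(self, module: int, port: int, module_type: str,
                            port_count: int, names: list[str]) -> list[str]:
        """set port cops mod/port roles role1 [role2] ...: returns CLI-style
        messages and raises ValueError on any rule violation."""
        ports = asic_ports(module_type, port, port_count)
        current = self.asic_roles.setdefault((module, ports[0]), [])
        messages: list[str] = []
        for name in names:
            if not ROLE_NAME_RE.fullmatch(name):
                raise ValueError(f"invalid role name {name!r}")
            lowered = name.lower()                  # role names are not case sensitive
            if lowered not in self.roles:
                if len(self.roles) >= MAX_ROLES_PER_SWITCH:
                    raise ValueError("the switch already has 64 roles")
                self.roles.add(lowered)
                messages.append(f"New role '{name}' created.")
            if lowered not in current:
                # Assumption: only the names themselves count toward the limit.
                if sum(map(len, current)) + len(lowered) > MAX_ROLE_CHARS_PER_ASIC:
                    raise ValueError("role names on this ASIC would exceed 255 characters")
                current.append(lowered)
        messages.append(f"Roles added for port {module}/{ports[0]}-{ports[-1]}.")
        return messages
```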

Removing Roles from Port ASICs


To remove a role from a port ASIC, perform this task in privileged mode:

Step 1  Task: Remove a role from a port ASIC.
        Command: clear port cops {mod/port} {all-roles | roles role1 [role2] ...}
Step 2  Task: Verify the roles for the port.
        Command: show port cops [mod[/port]]

This example shows how to remove a role from a port ASIC:


Console> (enable) clear port cops 3/1 roles backbone_port main_port
Roles cleared for port(s) 3/1-4.
Console> (enable)

Deleting Roles
To delete a role (which removes it from all ports), perform this task in privileged mode:

Step 1  Task: Delete a role.
        Command: clear cops {all-roles | roles role1 [role2] ...}
Step 2  Task: Verify the roles for the port.
        Command: show port cops [mod[/port]]

This example shows how to delete a role:


Console> (enable) clear cops roles backbone_port main_port
Roles cleared.
Console> (enable)

Configuring Policy Decision Point Servers

Note COPS and RSVP can use the same policy decision point (PDP) server.

COPS obtains QoS policy from a PDP server. Configure a primary PDP server and, optionally, a backup
PDP server.
To configure a PDP server, perform this task in privileged mode:

Step 1  Task: Configure a PDP server.
        Command: set cops server ip_address [port] [primary] [diff-serv | rsvp]
Step 2  Task: Verify the PDP server configuration.
        Command: show cops info

The ip_address parameter can be the IP address or name of the server.
The port variable is the PDP server TCP port number.
Use the diff-serv keyword to set the address only for COPS.
This example shows how to configure a PDP server:
Console> (enable) set cops server my_server1 primary
my_server1 added to the COPS diff-serv server table as primary server.
my_server1 added to the COPS rsvp server table as primary server.
Console> (enable)

Deleting PDP Server Configuration


To delete PDP server configuration, perform this task in privileged mode:

Step 1  Task: Delete PDP server configuration.
        Command: clear cops server {all | ip_address [diff-serv | rsvp]}
Step 2  Task: Verify the PDP server configuration.
        Command: show cops info

This example shows how to delete PDP server configuration:


Console> (enable) clear cops server all
All COPS diff-serv servers cleared.
All COPS rsvp servers cleared.
Console> (enable)

Configuring the COPS Domain Name


PDP servers use a COPS domain name to communicate with policy enforcement point (PEP) devices
such as switches. To configure a COPS domain name for the switch, perform this task in privileged
mode:

Step 1  Task: Configure the COPS domain name.
        Command: set cops domain-name domain_name
Step 2  Task: Verify the COPS domain name.
        Command: show cops info

This example shows how to configure a COPS domain name:


Console> (enable) set cops domain-name my_domain
Domain name set to my_domain.
Console> (enable)

Deleting the COPS Domain Name


To delete the COPS domain name, perform this task in privileged mode:

Step 1  Task: Delete the COPS domain name.
        Command: clear cops domain-name
Step 2  Task: Verify the configuration.
        Command: show cops info

This example shows how to delete the COPS domain name:


Console> (enable) clear cops domain-name
Domain name cleared.
Console> (enable)

Configuring the COPS Communications Parameters


To configure the parameters COPS uses to communicate with the PDP server, perform this task in
privileged mode:

Step 1  Task: Configure the parameters COPS uses to communicate with the PDP server.
        Command: set cops retry-interval initial increment maximum
Step 2  Task: Verify the configuration.
        Command: show cops info

Enter the parameters as a number of seconds in the range 0 to 65535. The value of the initial parameter
plus the value of the increment parameter must not exceed the value of the maximum parameter.
This example shows how to configure the parameters COPS uses to communicate with the PDP server:
Console> (enable) set cops retry-interval 15 1 30
Connection retry intervals set.
Console> (enable)

Configuring RSVP Support

Note The commands in this section are not supported with a Layer 2 Switching Engine.

These sections describe configuring RSVP null service template and receiver proxy functionality
support:
• Enabling RSVP Support, page 41-66
• Disabling RSVP Support, page 41-67
• Enabling Participation in the DSBM Election, page 41-67
• Disabling Participation in the DSBM Election, page 41-67
• Configuring Policy Decision Point Servers, page 41-68
• Deleting PDP Server Configuration, page 41-68
• Configuring RSVP Policy Timeout, page 41-69
• Configuring RSVP Use of Local Policy, page 41-69

Note Throughout this publication and all Catalyst 6000 family switch documents, the term “RSVP” refers
to RSVP null service template and receiver proxy functionality support as implemented on the
Catalyst 6000 family switches.

Enabling RSVP Support


To enable RSVP support, perform this task in privileged mode:

Step 1  Task: Enable RSVP support on the switch.
        Command: set qos rsvp {enable | disable}
Step 2  Task: Verify the configuration.
        Command: show qos rsvp info
Step 3  Task: Display RSVP activity.
        Command: show qos rsvp flow-info

This example shows how to enable RSVP support:


Console> (enable) set qos rsvp enable
RSVP enabled on the switch.
Console> (enable)

Disabling RSVP Support


To disable RSVP support, perform this task in privileged mode:

Step 1  Task: Disable RSVP support on the switch.
        Command: set qos rsvp {enable | disable}
Step 2  Task: Verify the configuration.
        Command: show qos rsvp info

This example shows how to disable RSVP support:


Console> (enable) set qos rsvp disable
RSVP disabled on the switch.
Console> (enable)

Enabling Participation in the DSBM Election


Catalyst 6000 family switches can serve as the Designated Subnet Bandwidth Manager (DSBM). You
can enable participation in the election of the DSBM on a per-port basis.

Note The DSBM is not reelected when additional RSVP devices join the network. To control which device
is the DSBM, disable election participation in all devices except the one that you want elected as
DSBM. After the DSBM is elected, reenable election participation in other devices, as appropriate
for the network configuration.

To enable the participation of a port in the election of the DSBM, perform this task in privileged mode:

Step 1  Task: Enable the participation of a port in the election of the DSBM.
        Command: set port rsvp {mod/port} dsbm-election {disable | enable priority}
Step 2  Task: Verify the configuration of the port.
        Command: show port rsvp [mod[/port]]

The range for the priority parameter is 128 to 255.
This example shows how to enable the participation of ports 2/1 and 3/2 in the election of the DSBM:
Console> (enable) set port rsvp 2/1,3/2 dsbm-election enable 232
DSBM enabled and priority set to 232 for ports 2/1,3/2.
Console> (enable)

Disabling Participation in the DSBM Election


To disable the participation of a port in the election of the DSBM, perform this task in privileged mode:

Step 1  Task: Disable the participation of a port in the election of the DSBM.
        Command: set port rsvp {mod/port} dsbm-election {disable | enable priority}
Step 2  Task: Verify the configuration.
        Command: show port rsvp [mod[/port]]

This example shows how to disable the participation of port 2/1 in the election of the DSBM:
Console> (enable) set port rsvp 2/1 dsbm-election disable
DSBM disabled for port 2/1.
Console> (enable)

Configuring Policy Decision Point Servers

Note COPS and RSVP can use the same PDP server.

When the switch is the DSBM, RSVP communicates with a PDP server. Configure a primary PDP server
and, optionally, a backup PDP server.
To configure a PDP server, perform this task in privileged mode:

Step 1  Task: Configure a PDP server.
        Command: set cops server ip_address [port] [primary] [diff-serv | rsvp]
Step 2  Task: Verify the PDP server configuration.
        Command: show cops info

The ip_address parameter can be the IP address or name of the server.
The port variable is the PDP server TCP port number.
Use the rsvp keyword to set the address only for RSVP.
This example shows how to configure a PDP server:
Console> (enable) set cops server my_server1 primary rsvp
my_server1 added to the COPS rsvp server table as primary server.
Console> (enable)

Deleting PDP Server Configuration


To delete PDP server configuration, perform this task in privileged mode:

Step 1  Task: Delete PDP server configuration.
        Command: clear cops server {all | ip_address [diff-serv | rsvp]}
Step 2  Task: Verify the PDP server configuration.
        Command: show cops info

Use the rsvp keyword to delete only the RSVP address.
This example shows how to delete PDP server configuration:
Console> (enable) clear cops server all
All COPS diff-serv servers cleared.
All COPS rsvp servers cleared.
Console> (enable)

Configuring RSVP Policy Timeout


When the switch is the DSBM and communication with the PDP server is lost, the switch continues to
function as the DSBM, using cached values, for the period specified by the timeout value; the behavior
for new or modified RSVP path messages is determined by the RSVP local policy setting.
If communication with the PDP server is not reestablished before the timeout period expires, the switch
reverts to the role of Subnet Bandwidth Manager (SBM) client for all ports and forwards RSVP messages
to a newly elected DSBM on the segment. When there is no communication with the PDP server, the
switch does not participate in election of the DSBM.
To configure the time that the switch continues to be the DSBM after communication with the PDP
server is lost, perform this task in privileged mode:

Step 1  Task: Configure the RSVP policy timeout.
        Command: set qos rsvp policy-timeout timeout
Step 2  Task: Verify the configuration.
        Command: show qos rsvp info

Enter the timeout parameter as a number of minutes in the range 0 to 65535 (default is 30).
This example shows how to configure the RSVP policy timeout:
Console> (enable) set qos rsvp policy-timeout 45
RSVP database policy timeout set to 45 minutes.
Console> (enable)

Configuring RSVP Use of Local Policy


To configure how RSVP operates after communication with the PDP is lost, perform this task in
privileged mode:

Step 1  Task: Configure how RSVP operates when there is no communication with the PDP server.
        Command: set qos rsvp local-policy {forward | reject}
Step 2  Task: Verify the configuration.
        Command: show qos rsvp info

The forward keyword sets the local policy to forward all new or modified RSVP path messages. The
reject keyword sets the local policy to reject all new or modified RSVP path messages. This example
shows how to change the default local RSVP policy setting to reject all new or modified RSVP path
messages:
Console> (enable) set qos rsvp local-policy reject
RSVP local policy set to reject.
Console> (enable)

Note The RSVP local policy is only used until the RSVP policy timeout expires after the connection to the
PDP is lost. After the RSVP policy timeout expires, the switch behaves as an SBM client. RSVP
messages pass through the switch unchanged regardless of the RSVP local policy setting. The RSVP
local policy setting is not used if the switch never establishes a connection to the PDP.

Configuring QoS Statistics Data Export


These sections describe how to configure the QoS statistics data export feature:
• Enabling QoS Statistics Data Export Globally, page 41-70
• Enabling Per-Port QoS Statistics Data Export, page 41-71
• Enabling Per-Aggregate Policer QoS Statistics Data Export, page 41-72
• Setting the QoS Statistics Data Export Time Interval, page 41-73
• Configuring QoS Statistics Data Export Destination Host and UDP Port, page 41-73
• Displaying QoS Statistics Information, page 41-74

Enabling QoS Statistics Data Export Globally


To export QoS statistics data for ports and aggregate policers, you must first configure the feature
globally.
To enable QoS statistics data export globally, perform this task in privileged mode:

Step 1  Task: Enable QoS statistics data export.
        Command: set qos statistics export {enable | disable}
Step 2  Task: Verify the configuration.
        Command: show qos statistics export info

This example shows how to enable QoS statistics data export globally and verify the configuration:
Console> (enable) set qos statistics export enable
Export is enabled.
Export destination:172.20.52.3 SYSLOG facility LOG_LOCAL6 (176), severity LOG_DEBUG (7)
Aggregate policer export is not supported
Console> (enable) show qos statistics export info
Statistics export status and configuration information
------------------------------------------------------
Export status: enabled
Export time interval: 300
Export destination:172.20.52.3 SYSLOG facility LOG_LOCAL6 (176), severity LOG_DEBUG (7)
Port Export
------ --------
1/1 disabled
1/2 disabled
3/1 disabled
3/2 disabled
5/1 disabled
5/2 disabled
5/3 disabled
5/4 disabled
<output truncated>
Console> (enable)

Enabling Per-Port QoS Statistics Data Export


To enable QoS statistics data export on a per-port basis, perform this task in privileged mode:

Step 1  Task: Enable QoS statistics data export per port.
        Command: set qos statistics export port mod/port {enable | disable}
Step 2  Task: Verify the configuration.
        Command: show qos statistics export info

Note You must enable QoS statistics data export globally in order for the per-port configuration to take
effect.

This example shows how to enable the QoS statistics data export feature per port and verify the
configuration:
Console> (enable) set qos statistics export port 5/1 enable
Port export enabled on 5/1.
Console> (enable) show qos statistics export info
Statistics export status and configuration information
------------------------------------------------------
Export status: enabled
Export time interval: 300
Export destination:172.20.52.3 SYSLOG facility LOG_LOCAL6 (176), severity LOG_DEBUG (7)
Port Export
------ --------
1/1 disabled
1/2 disabled
3/1 disabled
3/2 disabled
5/1 enabled
5/2 disabled
<output truncated>
Console> (enable)

When enabled on a port, QoS statistics data export contains the following fields, separated by the
delimiter character:
• Export type ("1" for a port)
• Slot/port
• Number of ingress packets
• Number of ingress bytes
• Number of egress packets
• Number of egress bytes
• Time stamp

Enabling Per-Aggregate Policer QoS Statistics Data Export


To enable QoS statistics data export on a per-aggregate policer basis, perform this task in privileged
mode:

Step 1  Task: Enable QoS statistics data export per aggregate policer.
        Command: set qos statistics export aggregate policer_name {enable | disable}
Step 2  Task: Verify the configuration.
        Command: show qos statistics export info

Note You must enable QoS statistics data export globally in order for the per-aggregate policer
configuration to take effect.

This example shows how to enable QoS statistics data export for a specific aggregate policer and verify
the configuration:
Console> (enable) set qos statistics export aggregate ipagg_3 enable
Statistics data export enabled for aggregate policer ipagg_3
Console> (enable) show qos statistics export info
Statistics export status and configuration information
------------------------------------------------------
Export status: enabled
Export time interval: 300
Export destination:172.20.52.3 SYSLOG facility LOG_LOCAL6 (176), severity LOG_DEBUG (7)
Port Export
------ --------
1/1 disabled
1/2 disabled
3/1 disabled
3/2 disabled
5/1 enabled
5/2 disabled
<output truncated>

Aggregate name Export
-------------- --------
ipagg_3 enabled
Console> (enable)

When enabled for a named aggregate policer, QoS statistics data export contains the following fields,
separated by the delimiter character:
• Export type ("2" for an aggregate policer)
• Aggregate policer name
• Number of in-profile packets
• Number of packets that exceed the CIR
• Number of packets that exceed the PIR
• Time stamp
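The two export record layouts above (type "1" for a port, type "2" for an aggregate policer), as an added Python example that is not Cisco's code: a parser for both record types that turns two consecutive exports into per-interval packet and bit rates and the fraction of an aggregate's traffic that exceeded the CIR or PIR. The "|" delimiter, integer time stamps in seconds and cumulative counters are assumptions; the page does not specify them, and the sample records are constructed.

```python
"""Parser for the QoS statistics data export records described above.

Added example, not Cisco code. It follows the field order given above for
export type "1" (port) and "2" (aggregate policer). The delimiter, time stamp
format and counter semantics are not on this page, so it assumes a "|"
delimiter, integer time stamps in seconds and cumulative counters.
"""
from __future__ import annotations

from dataclasses import dataclass

DELIMITER = "|"  # assumption: the delimiter character is not specified here


@dataclass(frozen=True)
class PortRecord:  # export type "1"
    slot_port: str
    in_pkts: int
    in_bytes: int
    out_pkts: int
    out_bytes: int
    timestamp: int


@dataclass(frozen=True)
class AggregateRecord:  # export type "2"
    name: str
    in_profile: int   # packets within the CIR
    exceed_cir: int   # packets that exceeded the CIR
    exceed_pir: int   # packets that exceeded the PIR
    timestamp: int


def parse_record(line: str) -> PortRecord | AggregateRecord:
    """Split one exported line on the delimiter and build the matching record."""
    fields = line.strip().split(DELIMITER)
    kind = fields[0]
    if kind == "1" and len(fields) == 7:
        return PortRecord(fields[1], *(int(f) for f in fields[2:]))
    if kind == "2" and len(fields) == 6:
        return AggregateRecord(fields[1], *(int(f) for f in fields[2:]))
    raise ValueError(f"malformed export record: {line!r}")


def parse_records(text: str) -> list[PortRecord | AggregateRecord]:
    """Parse every non-empty line of an export capture."""
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def port_rates(prev: PortRecord, cur: PortRecord) -> dict[str, float]:
    """Packets/s and bits/s on the port between two consecutive records."""
    if prev.slot_port != cur.slot_port:
        raise ValueError("records are for different ports")
    secs = cur.timestamp - prev.timestamp
    if secs <= 0:
        raise ValueError("records are not in time order")
    return {
        "in_pps": (cur.in_pkts - prev.in_pkts) / secs,
        "in_bps": (cur.in_bytes - prev.in_bytes) * 8 / secs,
        "out_pps": (cur.out_pkts - prev.out_pkts) / secs,
        "out_bps": (cur.out_bytes - prev.out_bytes) * 8 / secs,
    }


def aggregate_summary(prev: AggregateRecord, cur: AggregateRecord) -> dict[str, float]:
    """Packets the aggregate policer saw between two records and the fraction
    that exceeded the CIR or PIR (a high fraction means much of this
    aggregate's traffic is being marked down or dropped)."""
    if prev.name != cur.name:
        raise ValueError("records are for different aggregate policers")
    in_profile = cur.in_profile - prev.in_profile
    exceed_cir = cur.exceed_cir - prev.exceed_cir
    exceed_pir = cur.exceed_pir - prev.exceed_pir
    total = in_profile + exceed_cir + exceed_pir
    return {
        "in_profile": in_profile,
        "exceed_cir": exceed_cir,
        "exceed_pir": exceed_pir,
        "policed_fraction": (exceed_cir + exceed_pir) / total if total else 0.0,
    }


# Constructed sample capture: two export intervals 300 s apart (the
# "Export time interval: 300" shown above) for port 5/1 and policer ipagg_3.
SAMPLE_EXPORT = """\
1|5/1|1000|640000|800|512000|1000
2|ipagg_3|1000|20|5|1000
1|5/1|1600|1024000|1100|704000|1300
2|ipagg_3|1900|80|35|1300
"""


def summarize_sample() -> tuple[dict[str, float], dict[str, float]]:
    """Rates for port 5/1 and the policing summary for ipagg_3 from the sample."""
    recs = parse_records(SAMPLE_EXPORT)
    ports = [r for r in recs if isinstance(r, PortRecord)]
    aggs = [r for r in recs if isinstance(r, AggregateRecord)]
    return port_rates(ports[0], ports[1]), aggregate_summary(aggs[0], aggs[1])
```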

Setting the QoS Statistics Data Export Time Interval


The default interval at which QoS statistics are exported is 30 seconds. To set the time interval for the
QoS statistics data export, perform this task in privileged mode:

Step 1  Task: Set the time interval for the QoS statistics data export.
        Command: set qos statistics export interval interval
Step 2  Task: Verify the configuration.
        Command: show qos statistics export info

This example shows how to set the QoS statistics data export interval and verify the configuration:
Console> (enable) set qos statistics export interval 500
Time interval set to 500
Console> (enable) show qos statistics export info
Statistics export status and configuration information
------------------------------------------------------
Export status: enabled
Export time interval: 500
Export destination:172.20.52.3 SYSLOG facility LOG_LOCAL6 (176), severity LOG_DEBUG (7)
Port Export
------ --------
1/1 disabled
1/2 disabled
3/1 disabled
3/2 disabled
5/1 enabled
5/2 disabled
<output truncated>

Aggregate name Export
-------------- --------
ipagg_3 enabled
Console> (enable)

Configuring QoS Statistics Data Export Destination Host and UDP Port
To configure the QoS statistics data export destination host and UDP port number, perform this task in
privileged mode:

Step 1  Task: Configure the QoS statistics data export destination host and UDP port number.
        Command: set qos statistics export destination {host_name | ip_address} [syslog [facility | severity] port]
Step 2  Task: Verify the configuration.
        Command: show qos statistics export info

This example shows how to configure the QoS statistics data export destination host and UDP port
number and verify the configuration:
Console> (enable) set qos statistics export destination stargate 9996
Statistics data export destination set to stargate port 9996.
Console> (enable) show qos statistics export info
Statistics export status and configuration information
------------------------------------------------------
Export status: enabled
Export time interval: 500
Export destination:Stargate, UDP port 9996
Port Export
------ --------
1/1 disabled
1/2 disabled
3/1 disabled
3/2 disabled
5/1 enabled
5/2 disabled
<output truncated>

Aggregate name Export
-------------- --------
ipagg_3 enabled
Console> (enable)

Displaying QoS Statistics Information


To display the QoS statistics per-aggregate policer packet and byte rates, perform this task in privileged
mode:

Task: Display the QoS statistics per-aggregate policer packet and byte rates.
Command: show qos statistics aggregate-policer [policer_name]

This example shows how to display the QoS statistics per-aggregate policer packet and byte rates:
Console> show qos statistics aggregate-policer
QoS aggregate-policer statistics:
Aggregate Policer                Packet Count Packets exceed Packets exceed
                                              normal rate    excess rate
-------------------------------- ------------ -------------- -----------------
test                             1000         20             5
Console>

Chapter 42
Configuring ASLB

This chapter describes how to configure accelerated server load balancing (ASLB) on the Catalyst 6000
family switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

Note The information and procedures in this chapter apply only to the Supervisor Engine 1 with Layer 3
switching engine (Policy Feature Card or PFC). ASLB is not supported on Supervisor Engine 2 with
Layer 3 Switching Engine II (PFC2).

This chapter consists of these sections:


• Hardware and Software Requirements, page 42-1
• Understanding How ASLB Works, page 42-2
• Cabling Guidelines, page 42-7
• Configuring ASLB, page 42-7
• ASLB Configuration Example, page 42-19
• ASLB Redundant Configuration Example, page 42-21
• Troubleshooting the ASLB Configuration, page 42-25

Hardware and Software Requirements


The hardware and software requirements for your ASLB configuration are as follows:
• The LocalDirector requirements are as follows:
– Hardware platforms—LocalDirector models 410, 415, 416, 420, or 430
– Interface Modules—ASLB configuration requires two 10/100BASE-X Ethernet interfaces or
two 1000BASE-X Gigabit Ethernet interfaces


Note 1000BASE-X interfaces are only supported on the LocalDirector 420 and 430. They are
not supported on the LocalDirector 410, 415, or 416.

– Software—Cisco configuration version 3.2.x


• The Catalyst 6000 family switch requirements are as follows:
– Supervisor engine with the Policy Feature Card (PFC)
– Supervisor engine software release 5.3(1)CSX or later releases
• The participating routers are as follows:
– MSFC—With supervisor engine software release 5.4(1)CSX or later releases, an MSFC in the
Catalyst 6000 family switch can be used as a participating router for ASLB. With earlier
supervisor engine software releases, an internal MSFC cannot be a participating router.
– External MSFC—An MSFC in an externally attached Catalyst 6000 family switch can be used
as a participating router.
– Multilayer Switch Module (MSM)—If the Catalyst 6000 family switch that you are using for
ASLB has an MSM, it can be used as a participating router for ASLB. The MSM in an externally
attached Catalyst 6000 family switch can also be used as a participating router.
– Other Cisco routers can also be used as participating routers for ASLB.

Understanding How ASLB Works


Note Refer to the Cisco LocalDirector Installation and Configuration Guide, Version 3.2, for an overview
on load balancing TCP/IP traffic.

These sections describe ASLB:


• Layer 3 Operations for ASLB, page 42-3
• Layer 2 Operations for ASLB, page 42-3
• Client-to-Server Data Forwarding, page 42-4
• Server-to-Client Data Forwarding, page 42-6
The LocalDirector is a secure, real-time, embedded operating system that intelligently load balances
TCP/IP traffic across multiple servers. ASLB enables Catalyst 6000 family switches to cache Cisco
LocalDirector load-balancing flows, accelerating the performance of the LocalDirector.

Note The accelerated performance of the LocalDirector is achieved through the Catalyst 6000 family
Layer 3 switching technology.

Figure 42-1 shows a network using the ASLB feature. You must connect the LocalDirector to the switch
with two links; one link connects to the same VLAN that the router is on and the other link connects to
the VLAN that the servers are on. In Figure 42-1, one LocalDirector link is connected to VLAN 10, the
router VLAN; the other link is connected to VLAN 20, the server VLAN.
The LocalDirector supports directed mode and dispatched mode. Only the dispatched mode can be
supported for ASLB feature implementation on Catalyst 6000 family switches.


Figure 42-1 ASLB Functional Description

[Figure: clients, Catalyst 6500 series switches with ports PA, PB, PK, PL, PM and PR, router VLAN 10, server VLAN 20, the LocalDirector, and the server pool S1, S2, S3.]

Layer 3 Operations for ASLB


You can specify up to 1024 server virtual-IP addresses and TCP port pairs for acceleration by the switch.
All traffic for the virtual-IP/port pairs specified is accelerated except for the SYN, FIN, RST, and
fragment packets with a non-zero offset. These packets are redirected to both the active and standby
LocalDirectors (if a backup LocalDirector is configured).

Layer 2 Operations for ASLB


The Catalyst 6000 family switch content-addressable memory (CAM) table contains entries for the
router VLAN and the server VLAN. In the CAM table, the router VLAN has an entry for the MAC
address of the LocalDirector associated with a port index, and the server VLAN has entries for the router
MAC addresses associated with port indexes. In these port indexes, the ports appear as 0/0. Display
system CAM entries by entering the show cam system command.
Table 42-1 shows the entries in the CAM table (the ASLB configuration is shown in Figure 42-1). The
first entry identifies the MAC address of the LocalDirector on VLAN 10. The CAM table shows that the
MAC address has an Xtag value of 14. This value indicates that the MAC address requires a Layer 3
lookup. The second entry identifies the MAC address of the router and also requires a Layer 3 lookup.

Table 42-1 Layer 2 Table Entries

VLAN   MAC Address          Index   Xtag¹
10     LocalDirector MAC    0/0     14
20     Router MAC²          0/0     14

1. Xtag = The identifier field in the Layer 2 table that identifies the router to which the MAC address belongs.
2. Note that the router MAC address is added on the server VLAN (VLAN 20), not on the router VLAN (VLAN 10).


Client-to-Server Data Forwarding


Figure 42-2 shows how data is forwarded from the router to the servers. Table 42-2 lists the sequence of
events, and Table 42-3 lists the Layer 3 table entries.
These sections describe the client-to-server data-forwarding paths:
• Path 1, page 42-4
• Path 2, page 42-4
• Path 3—N, page 42-4
• Path N + 1, N + 2..., page 42-4

Path 1
The first packet from the router has a destination MAC address of the LocalDirector and is on VLAN 10.
The MAC address has an Xtag value of 14 in the Layer 2 table. This value indicates that it requires a
Layer 3 lookup, and the SYN flag is set so the frame goes to port PA.
In addition to forwarding the frame to port PA, the switch hardware creates a “candidate” entry in the
Layer 3 forwarding table. This entry is updated later by an “enabler” frame to become a full ASLB
Multilayer Switching (MLS) entry.

Path 2
After receiving the frame from port PA, the LocalDirector makes its standard load-balancing decision and
forwards the frame to port PB. The LocalDirector changes the destination MAC address to that of the
appropriate server. When this frame enters the switch, it is considered an “enabler” frame. The switch
hardware does a lookup in the Layer 3 table and searches for the entry created by the previous candidate
packet (the packet forwarded through the LocalDirector). If the search was successful, a “hit” occurs in
the Layer 3 table.

Path 3—N
The ASLB MLS entry has been created and the next and subsequent frames from the router with a
destination MAC address of the LocalDirector MAC will be Layer 3 switched unless the packet has
SYN, FIN, or RST flags set or the packet is fragmented.

Path N + 1, N + 2...
On the last frame of a connection, either the FIN or RST flags will be set in the TCP header causing the
packet to go to the LocalDirector. The LocalDirector must then forward the frame back to the switch
after modifying the destination MAC address to be that of the appropriate server. This redirected frame
takes the same path as the first frame of the flow. The FIN packet is used by the LocalDirector as an
indication that the connection with the server has been terminated, and by the ASLB to purge the affected
ASLB MLS entry.


Figure 42-2 Client to Server ASLB Packet Flow

[Figure: the topology of Figure 42-1 (clients, Catalyst 6500 series switches with ports PA, PB, PK, PL, PM and PR, router VLAN 10, server VLAN 20, LocalDirector, server pool S1 to S3) with Path 1 from the switch to the LocalDirector, Path 2 from the LocalDirector back into the switch, and Path 3 switched directly to the servers.]

Table 42-2 Client to Server ASLB Packet Flow

Path     VLAN  Destination MAC     Source MAC    Destination IP  Source IP  Flags    Action
Number         Address             Address       Address         Address
1        10    LocalDirector MAC¹  Router MAC    VIP²            CIP³       SYN      Candidate entry in Layer 3 table
2        20    Server MAC⁴         Router MAC¹   VIP             CIP        -        Enabler frame
3—N      10    LocalDirector MAC¹  Router MAC    VIP             CIP        -        Full ASLB MLS entry created
N+1      10    LocalDirector MAC¹  Router MAC    VIP             CIP        FIN/RST  Path 1 redirect
N+2...   20    Server MAC          Router MAC¹   VIP             CIP        FIN/RST  Path 2

1. This MAC address has an Xtag value of 14 in the Layer 2 table for this packet's VLAN.
2. VIP = virtual-IP address.
3. CIP = client's IP address.
4. MAC address of the server that the LocalDirector selected.

Table 42-3 Client to Server ASLB Layer 3 Table Entries

IP Destination  IP Source  Protocol  Ports   VLAN  MAC Destination  MAC Source
Address         Address                             Address          Address
VIP¹            CIP²       TCP       80/YZ   20    Server MAC³      Router MAC

1. VIP = virtual-IP address.
2. CIP = client's IP address.
3. MAC address of the server that the LocalDirector selected.


Server-to-Client Data Forwarding


Figure 42-3 shows how data is forwarded from the servers to the clients. Table 42-4 lists the sequence
of events, and Table 42-5 lists the Layer 3 table entries.
The traffic from the servers to the router or client devices works in the same manner, but in the reverse
direction, as the data forwarding described in the “Client-to-Server Data Forwarding” section on
page 42-4, with one exception: the LocalDirector puts its own MAC address as the source MAC address of
every packet it forwards toward the router. In the client-to-server direction, the source MAC address of
the packet is left unmodified.

Figure 42-3 Server to Client ASLB Packet Flow

[Figure: the topology of Figure 42-1 (clients, Catalyst 6500 series switches with ports PA, PB, PK, PL, PM and PR, router VLAN 10, server VLAN 20, LocalDirector, server pool S1 to S3) with Path 1 from the servers to the LocalDirector, Path 2 from the LocalDirector back into the switch, and Path 3 switched directly toward the router.]

Table 42-4 Server to Client ASLB Packet Flow

Path     VLAN  Destination MAC  Source MAC          Destination IP  Source IP  Flags    Action
Number         Address          Address             Address         Address
1        20    Router MAC¹      Server MAC²         CIP³            VIP⁴       SYN      Candidate entry in Layer 3 table
2        10    Router MAC       LocalDirector MAC¹  CIP             VIP        -        Enabler packet
3—N      20    Router MAC¹      Server MAC          CIP             VIP        -        Full ASLB MLS entry created
N+1      20    Router MAC¹      Server MAC          CIP             VIP        FIN/RST  Path 1 redirect
N+2...   10    Router MAC       LocalDirector MAC¹  CIP             VIP        FIN/RST  Path 2

1. This MAC address has an Xtag value of 14 in the Layer 2 table for this packet's VLAN.
2. MAC address of the server that the LocalDirector selected.
3. CIP = client's IP address.
4. VIP = virtual-IP address.


Table 42-5 Server to Client ASLB Layer 3 Table Entries

IP Destination  IP Source  Protocol  Ports   VLAN  MAC Destination  MAC Source
Address         Address                             Address          Address
VIP¹            CIP²       TCP       80/YZ   20    Server MAC³      Router MAC
CIP             VIP        TCP       YZ/80   10    Router MAC       LocalDirector MAC

1. VIP = virtual-IP address.
2. CIP = client's IP address.
3. MAC address of the server that the LocalDirector selected.
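The candidate/enabler sequence in the “Client-to-Server Data Forwarding” and “Server-to-Client Data Forwarding” sections is easier to reason about as a small state machine: only the first packet of a flow, the enabler frame the LocalDirector sends back, and the SYN/FIN/RST/fragment exceptions ever reach the LocalDirector; everything else is rewritten by the switch from the cached Layer 3 entry, which is why the two VLANs must carry nothing but ASLB traffic. The following model is an added example, not Cisco code, and it reuses the chapter's sample MAC and IP values as constructed test data; the Packet layout, the class and method names, and the treatment of RST (redirected without purging) and of a non-SYN first packet (creates a candidate) are this example's assumptions.

```python
"""Model of the ASLB candidate/enabler flow cache described in Tables 42-2 to 42-5.

Added example (not Cisco code); MAC and IP values are the chapter's own sample
values reused as constructed test data. Handling of RST and of non-SYN first
packets is an assumption made for the model, not stated by the guide.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    vlan: int
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: frozenset = frozenset()  # subset of {"SYN", "ACK", "FIN", "RST"}
    frag_offset: int = 0            # non-zero => IP fragment, never accelerated


class AslbSwitch:
    """Layer 3 table keyed on the full flow, as the full-flow (ip-flow) mask implies."""

    def __init__(self, router_vlan, server_vlan, ld_mac, router_macs, vip_pairs):
        self.router_vlan, self.server_vlan = router_vlan, server_vlan
        self.ld_mac = ld_mac.lower()
        self.router_macs = {m.lower() for m in router_macs}
        self.vip_pairs = set(vip_pairs)   # (vip, tcp_port); port 0 = wildcard
        self.l3 = {}                      # flow key -> {"state", "next_hop"}

    @staticmethod
    def _key(p):
        return (p.dst_ip, p.src_ip, p.dst_port, p.src_port)

    def _state(self, key):
        entry = self.l3.get(key)
        return entry["state"] if entry else None

    def _accelerated(self, ip, port):
        return (ip, port) in self.vip_pairs or (ip, 0) in self.vip_pairs

    def forward(self, p):
        """Return (action taken, state of the flow's Layer 3 entry afterwards)."""
        key, dst, src = self._key(p), p.dst_mac.lower(), p.src_mac.lower()
        # Client-to-server: router VLAN, destination = LD MAC (Xtag => L3 lookup)
        if p.vlan == self.router_vlan and dst == self.ld_mac:
            return self._l3_lookup(p, key, self.server_vlan)
        # Server-to-client: server VLAN, destination = router MAC (Xtag => L3 lookup)
        if p.vlan == self.server_vlan and dst in self.router_macs:
            return self._l3_lookup(p, key, self.router_vlan)
        # Enabler frames come back from the LD: toward the servers the source MAC
        # is still the router's; toward the router the LD uses its own MAC.
        if (p.vlan == self.server_vlan and src in self.router_macs) or \
           (p.vlan == self.router_vlan and src == self.ld_mac):
            return self._enabler(key, dst)
        return "bridged", None

    def _l3_lookup(self, p, key, out_vlan):
        if not (self._accelerated(p.dst_ip, p.dst_port)
                or self._accelerated(p.src_ip, p.src_port)):
            return "bridged to LD (VIP/port not accelerated)", None
        # SYN, FIN, RST and non-zero-offset fragments always go to the LD.
        if p.frag_offset != 0:
            return "redirected to LD (fragment)", self._state(key)
        if "FIN" in p.flags:
            self.l3.pop(key, None)  # the FIN purges the ASLB MLS entry
            return "redirected to LD (FIN, entry purged)", None
        if "RST" in p.flags:        # assumption: RST redirected, entry left to age out
            return "redirected to LD (RST)", self._state(key)
        if "SYN" not in p.flags and self._state(key) == "full":
            hop = self.l3[key]["next_hop"]
            return f"L3 switched to {hop} on VLAN {out_vlan}", "full"
        self.l3[key] = {"state": "candidate", "next_hop": None}
        return "redirected to LD (candidate entry created)", "candidate"

    def _enabler(self, key, dst):
        if self._state(key) == "candidate":
            self.l3[key] = {"state": "full", "next_hop": dst}
            return "enabler: full ASLB MLS entry created", "full"
        return "bridged (no candidate entry)", self._state(key)


# Constructed scenario using the chapter's sample addresses.
ROUTER, LD, SERVER = "00-23-45-67-ee-7f", "00-11-22-33-55-66", "00-33-66-99-22-44"
CIP, VIP = "172.20.20.10", "10.0.0.8"


def run_scenario():
    """Walk one TCP connection through both directions; return the actions taken."""
    sw = AslbSwitch(10, 20, LD, [ROUTER], [(VIP, 80)])

    def c2s(flags=()):   # client -> server frame as the router hands it to the switch
        return Packet(10, LD, ROUTER, CIP, VIP, 64, 80, frozenset(flags))

    def s2c(flags=()):   # server -> client frame as the server hands it to the switch
        return Packet(20, ROUTER, SERVER, VIP, CIP, 80, 64, frozenset(flags))

    steps = [
        c2s({"SYN"}),                                      # path 1
        Packet(20, SERVER, ROUTER, CIP, VIP, 64, 80),      # path 2 enabler
        c2s(),                                             # path 3..N
        s2c({"SYN", "ACK"}),                               # reverse path 1
        Packet(10, ROUTER, LD, VIP, CIP, 80, 64),          # reverse enabler
        s2c(),                                             # reverse path 3..N
        c2s({"FIN"}),                                      # path N+1
        Packet(20, SERVER, ROUTER, CIP, VIP, 64, 80, frozenset({"FIN"})),  # N+2
    ]
    return [sw.forward(p) for p in steps]
```

Running run_scenario() prints nothing; it returns the action per frame so the lifecycle (candidate, enabler, Layer 3 switched, purged on FIN) can be inspected or asserted on.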

Cabling Guidelines
Follow these cabling guidelines for your ASLB configuration:
• Check your connections to the servers attached to the switch. The servers must be either directly
attached to the switch or within the same bridging domain as the LocalDirector port in the server
VLAN.
• Use two Category 5 unshielded twisted-pair cables to connect two 10/100 or two 1000BASE-X
switch ports to two comparable LocalDirector interfaces.

Caution Connect the LocalDirector directly to the Catalyst 6000 family switch.

See the “Configuring the LocalDirector Interfaces” section on page 42-7 to configure the LocalDirector
interfaces. See the “Configuring ASLB from the CLI” section on page 42-11 to configure the switch.

Configuring ASLB
This section lists the tasks necessary to configure ASLB:
• Configuring the LocalDirector Interfaces, page 42-7
• ASLB Configuration Guidelines, page 42-8
To implement these tasks, follow the guidelines and use the detailed configuration procedures in the
sections that follow.

Configuring the LocalDirector Interfaces


Refer to the Cisco LocalDirector Installation and Configuration Guide, Version 3.2, for detailed
information on configuring the LocalDirector interfaces for ASLB.


ASLB Configuration Guidelines


This section lists the usage guidelines and restrictions for configuring ASLB:
• Routers, page 42-8
• Servers, page 42-8
• IP Addresses, page 42-9
• Supervisor Engine, page 42-9
• Backup LocalDirector Configuration (Optional), page 42-9
• MSFC and Multilayer Switching, page 42-10
• NetFlow Data Export, page 42-10
• VLANs, page 42-10
• Switch Port Configuration, page 42-10
For configuration examples, see the “ASLB Configuration Example” section on page 42-19. If you run
into problems during your configuration, see the “Troubleshooting the ASLB Configuration” section on
page 42-25.

Routers
Follow these router configuration guidelines:
• The router must be the default gateway for the servers being load balanced and its MAC address
must be known.
• Multiple routers must be on the same router VLAN. Specify all the participating router MAC
addresses using the set lda mac router command.
• When ASLB is configured, a VACL is created to redirect TCP traffic on the two VLANs that the
LocalDirector is connected to; no security IOS ACLs or VACLs can be configured on these VLANs.

Servers
Follow these server configuration guidelines:
• The servers must be either directly attached to the switch or within the same bridging domain as the
LocalDirector port in the server VLAN.
• Configure the servers to ignore ARP requests for the virtual-IP address.
• Configure the server default route as the aliased address of the router that is on the same subnet as
the real IP address of the server.

Caution To accelerate traffic in the client to server direction, you must configure the servers to ignore ARP
requests for the virtual-IP address. If you fail to do this step, traffic acceleration will not start, and
fully redundant topologies in your network will take a long time to recover from a LocalDirector
failure.

• On some server operating systems you cannot disable responses to ARP requests on alias
(secondary) IP addresses. Use static ARP entries at the routers as a workaround for the servers that
respond to ARP requests for the virtual-IP address.


IP Addresses
Follow these IP address configuration guidelines:

Note You can specify an IP address for the virtual-IP address other than server IP network addresses.

• Ensure that the LocalDirectors and servers are on the same subnet to allow the LocalDirector to ARP
the real IP address of each server.
• Ensure that the routers are on the same subnet as the virtual-IP address to allow the router to ARP
the virtual-IP address.
Configure the network for ASLB as follows (the virtual-IP address in this example is 171.1.1.200):

Router      LocalDirector   Servers¹
171.1.1.1   171.1.1.2       171.1.1.x

1. The default router on each server is 171.1.1.1.

If the servers in your ASLB configuration need to follow RFC 1918 for privacy, use the following as a
guideline (the virtual-IP address in this example is 171.1.1.200):

Routers           LocalDirector     Servers¹
171.1.1.1         171.1.1.2         10.1.1.x (real IP address)
Alias 10.1.1.1    Alias 10.1.1.2    Loopback alias to 171.1.1.200

1. The default router on each server is 10.1.1.1.

Supervisor Engine
Follow these supervisor engine configuration guidelines:
• Up to 32 router MAC addresses are supported.
• Up to 1024 virtual-IP/TCP port pairs are supported.
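The router, server, IP-address and supervisor engine guidelines above are all checkable before anything is typed into the switch. The following is an added example, not Cisco code: it validates a planned deployment against those guidelines (routers on the VIP subnet, LocalDirector and servers on one subnet, a router alias on each server subnet, the 32 router MAC and 1024 VIP/port limits, and the CatOS MAC address form). The two plans use the chapter's own 171.1.1.x / 10.1.1.x addresses and the router MAC from this chapter's examples; the /24 masks, the plan layout and the function names are this example's assumptions.

```python
"""Check a planned ASLB deployment against the guidelines in this chapter.

Added example, not Cisco code. Addresses are the chapter's sample values
(171.1.1.x / 10.1.1.x, VIP 171.1.1.200); the /24 masks, the plan layout and
the function names are this example's own assumptions.
"""
import ipaddress
import re

MAX_ROUTER_MACS = 32     # supervisor engine limit stated in the guidelines
MAX_VIP_PAIRS = 1024     # supervisor engine limit stated in the guidelines
MAC_RE = re.compile(r"^[0-9a-f]{1,2}(-[0-9a-f]{1,2}){5}$", re.I)  # CatOS xx-xx-xx-xx-xx-xx


def validate_aslb_plan(plan):
    """Return a list of guideline violations; an empty list means the plan is consistent."""
    problems = []
    vip = ipaddress.ip_address(plan["vip"])
    ld_nets = {ipaddress.ip_interface(a).network for a in plan["ld_addrs"]}
    routers = {mac: [ipaddress.ip_interface(a) for a in addrs]
               for mac, addrs in plan["routers"].items()}

    # Routers must sit on the VIP subnet so they can ARP the virtual-IP address,
    # and their MACs must be in the form 'set lda mac router' accepts.
    for mac, ifaces in routers.items():
        if not any(vip in i.network for i in ifaces):
            problems.append(f"router {mac} has no address on the VIP subnet")
        if not MAC_RE.match(mac):
            problems.append(f"router MAC {mac!r} is not in xx-xx-xx-xx-xx-xx form")
    # Multiple routers must share the router VLAN, i.e. one subnet facing the VIP.
    vip_nets = {i.network for ifs in routers.values() for i in ifs if vip in i.network}
    if len(vip_nets) > 1:
        problems.append("participating routers are not on a single router subnet")

    router_nets = {i.network for ifs in routers.values() for i in ifs}
    for srv in plan["servers"]:
        s = ipaddress.ip_interface(srv)
        # The LocalDirector must share the server subnet to ARP each real address.
        if s.network not in ld_nets:
            problems.append(f"server {srv} is not on a LocalDirector subnet")
        # The server default route is a router (alias) address on its own subnet.
        if s.network not in router_nets:
            problems.append(f"server {srv} has no router address on its subnet")

    if len(routers) > MAX_ROUTER_MACS:
        problems.append(f"{len(routers)} router MACs exceeds {MAX_ROUTER_MACS}")
    pairs = set(plan["vip_pairs"])
    if len(pairs) > MAX_VIP_PAIRS:
        problems.append(f"{len(pairs)} VIP/port pairs exceeds {MAX_VIP_PAIRS}")
    for ip, port in pairs:   # port 0 is the documented wildcard
        if not 0 <= port <= 65535:
            problems.append(f"TCP port {port} for {ip} is out of range")
    return problems


# Constructed plans: the flat layout and the RFC 1918 layout from the guidelines.
FLAT_PLAN = {
    "vip": "171.1.1.200",
    "routers": {"00-23-45-67-ee-7f": ["171.1.1.1/24"]},
    "ld_addrs": ["171.1.1.2/24"],
    "servers": ["171.1.1.10/24", "171.1.1.11/24"],
    "vip_pairs": [("171.1.1.200", 80)],
}
RFC1918_PLAN = {
    "vip": "171.1.1.200",
    "routers": {"00-23-45-67-ee-7f": ["171.1.1.1/24", "10.1.1.1/24"]},
    "ld_addrs": ["171.1.1.2/24", "10.1.1.2/24"],
    "servers": ["10.1.1.10/24", "10.1.1.11/24"],
    "vip_pairs": [("171.1.1.200", 80), ("171.1.1.200", 443)],
}

if __name__ == "__main__":
    for name, plan in (("flat", FLAT_PLAN), ("rfc1918", RFC1918_PLAN)):
        print(name, validate_aslb_plan(plan) or "OK")
```

The check cannot see whether the servers ignore ARP requests for the virtual-IP address; that guideline still has to be verified on the servers themselves (or worked around with static ARP entries on the routers, as the Servers guideline describes).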

Backup LocalDirector Configuration (Optional)


Connect the ports on the backup LocalDirector to the switch and specify the server and router
configuration using the set lda server and set lda router commands. Connect the active and backup
LocalDirectors to their specified ports or the ASLB feature will not work.


MSFC and Multilayer Switching


Follow these Multilayer Switch Feature Card (MSFC) and Multilayer Switching (MLS) configuration
guidelines:
• With supervisor engine software release 5.4(1)CSX or later releases, an MSFC can be the
participating router for ASLB.

Note Traffic is Layer 3 switched when an MSFC routes traffic from clients. This process
creates MLS entries that exist separately from the ASLB MLS entries for the same
traffic.

• The aging task that removes terminated ASLB flows also purges MLS terminated flows. ASLB MLS
entries share the Layer 3 MLS cache with the MLS shortcut entries.
The MLS commands (set mls, clear mls, and show mls) do not interoperate with ASLB (set lda,
clear lda, show lda, and commit lda) commands. ASLB uses separate commands to view the
LocalDirector MLS entries.
• When you enable ASLB, ASLB MLS entries are established using one flow mask, full-flow mode
(ip-flow).

NetFlow Data Export


You cannot use NetFlow Data Export (NDE) if you enable ASLB, and you cannot use ASLB if you
enable NDE.

VLANs
Follow these VLAN configuration guidelines:
• When you configure ASLB, a VACL is created to redirect TCP traffic on the two VLANs to which
the LocalDirector is connected (router VLAN and server VLAN). You cannot configure any security
IOS access control lists (ACLs) or VLAN access control lists (VACLs) on these VLANs.
• Dedicate the router VLAN and server VLAN for ASLB use only. Do not connect other network
devices (such as end stations and clients) to these two VLANs.
• The VLANs created for ASLB propagate to other switches through VLAN Trunking Protocol (VTP)
when VTP is in the server mode. Spanning Tree Protocol runs over these ASLB VLANs on all VTP
switches in the network, introducing additional overhead over the entire network. To avoid spanning
tree propagation delays, do the following:
– Configure the switch as VTP transparent so it does not populate the VLANs.
– Remove the ASLB VLANs from all trunks on all switches (enter the clear trunk command).

Switch Port Configuration


Follow these switch port configuration guidelines:
• Disable CDP on ports connected to the LocalDirectors (both active and standby LocalDirectors if a
backup is configured).
• If you specify a port that is part of an EtherChannel, traffic is automatically redirected among all
ports in the EtherChannel.


Configuring ASLB from the CLI


This section describes how to configure ASLB using the Catalyst 6000 family switch lda command set
and includes the following descriptions:
• Configuring the Switch Ports Connected to the LocalDirector, page 42-11
• Enabling and Disabling ASLB, page 42-11
• Specifying Server Virtual-IP Addresses and TCP Ports for Acceleration, page 42-12
• Specifying MAC Addresses for Participating Routers, page 42-12
• Specifying a MAC Address for the LocalDirector, page 42-13
• Specifying the Router VLAN and the LocalDirector Port on the VLAN, page 42-13
• Specifying the Server VLAN and the LocalDirector Port on the VLAN, page 42-14
• Configuring UDP Aging, page 42-14
• Committing the ASLB Configuration, page 42-14
• Displaying the ASLB Configuration, page 42-15
• Displaying the ASLB MLS Entries, page 42-16
• Displaying the ASLB MLS Statistics, page 42-17
• Clearing the ASLB Configuration, page 42-18

Configuring the Switch Ports Connected to the LocalDirector


To configure the 10/100 Ethernet switch ports connected to the LocalDirector, perform these steps:

Step 1 Enter the set vlan vlan_num mod_ports command to add the switch ports to the correct VLANs (router
VLAN and server VLAN).
Step 2 Note that the port speed and duplex type for the switch ports should not need setting as all 10/100 switch
ports are set to autonegotiate as the default. If you have a problem with autonegotiation, configure the
port speed and duplex type as follows:
Enter the set port speed mod/port {10 | 100 | auto} command to set the port speed.
Enter the set port duplex mod/port {full | half | auto} command to set the type of duplex.

Enabling and Disabling ASLB

Note ASLB is disabled by default. When ASLB is disabled, you cannot enter the set lda commands to
perform configuration tasks; to enter the set lda commands, you must enable ASLB.

To enable or disable ASLB, perform these tasks in privileged mode:

Task                      Command
Enable or disable ASLB.   set lda enable | disable


This example shows how to enable ASLB on the switch:


Console> (enable) set lda enable
Successfully enabled Local Director Accelerator.
Console> (enable)

This example shows how to disable ASLB on the switch:


Console> (enable) set lda disable
Successfully disabled Local Director Accelerator.
Console> (enable)

Specifying Server Virtual-IP Addresses and TCP Ports for Acceleration

Note You can specify up to 1024 virtual-IP addresses and TCP port pairs for acceleration by the
Catalyst 6000 family switch. Newly specified pairs do not replace previously specified pairs. To
cancel a previously entered pair, enter the clear lda vip command.

Note You can use a zero (0) as a wildcard (don’t care) digit for the destination_tcp_port.

To specify server virtual-IP addresses and TCP ports for acceleration, perform this task in privileged
mode:

Task                                          Command
Specify server virtual-IP addresses and TCP   set lda vip {server_virtual_ip} {destination_tcp_port}
ports for acceleration.                       [{server_virtual_ip} {destination_tcp_port}...]

This example shows how to specify a server virtual-IP address and TCP port for acceleration:
Console> (enable) set lda vip 10.0.0.8 8
Successfully set server virtual ip and port information.
Use commit lda command to save settings to hardware.
Console> (enable)

Specifying MAC Addresses for Participating Routers

Note You can specify up to 32 router MAC addresses.

To specify MAC addresses for participating routers, perform this task in privileged mode:

Task                                              Command
Specify MAC addresses for participating routers.  set lda mac router {mac-address}...


This example shows how to specify MAC addresses for participating routers:
Console> (enable) set lda mac router 00-23-45-67-ee-7f
Successfully set mac address.
Use commit lda command to save settings to hardware.
Console> (enable)

Specifying a MAC Address for the LocalDirector


To specify a MAC address for the LocalDirector, perform this task in privileged mode:

Task                                          Command
Specify a MAC address for the LocalDirector.  set lda mac ld {ld_mac-address}

This example shows how to specify a MAC address for the LocalDirector:
Console> (enable) set lda mac ld 00-11-22-33-55-66
Successfully set mac address.
Use commit lda command to save settings to hardware.
Console> (enable)

Specifying the Router VLAN and the LocalDirector Port on the VLAN

Note After entering the set lda router command, if you change the switch port(s) that the LocalDirector
is connected to, you must enter the set lda router command again to specify the new configuration.

Note Specifying a backup LocalDirector port is optional unless you are setting up a failover configuration
of LocalDirectors. If you are setting up a failover configuration, you must specify the ports for the
backup LocalDirector. If this is not done, failover will not work because the supervisor engine will
not send any traffic to the intended backup LocalDirector.

To specify the VLAN the router is on and the LocalDirector port on the VLAN, perform this task in
privileged mode:

Task                               Command
Specify the router VLAN and the    set lda router {router_vlan} {ld_mod/port} [backup_ld_mod/port]
LocalDirector port on the VLAN.

This example shows how to specify the router VLAN and the LocalDirector port on the VLAN:
Console> (enable) set lda router 110 4/26
Successfully set router vlan and LD port.
Use commit lda command to save settings to hardware.
Console> (enable)


Specifying the Server VLAN and the LocalDirector Port on the VLAN

Note After entering the set lda server command, if you change the switch port(s) that the LocalDirector
is connected to, you must enter the set lda server command again to specify the new configuration.

Note Specifying a backup LocalDirector port is optional unless you are setting up a failover configuration
of LocalDirectors. If you are setting up a failover configuration, you must specify the ports for the
backup LocalDirector. If this is not done, failover will not work because the supervisor engine will
not send any traffic to the intended backup LocalDirector.

To specify the VLAN the server is on and the LocalDirector port on the VLAN, perform this task in
privileged mode:

Task                               Command
Specify the server VLAN and the    set lda server {server_vlan} {ld_mod/port} [backup_ld_mod/port]
LocalDirector port on the VLAN.

This example shows how to specify the server VLAN and the LocalDirector port on the VLAN:
Console> (enable) set lda server 105 4/40
Successfully set server vlan and LD port.
Use commit lda command to save settings to hardware.
Console> (enable)

Configuring UDP Aging


To configure User Datagram Protocol (UDP) aging, perform this task in privileged mode:

Task                    Command
Configure UDP aging.    set lda udpage time_in_ms

You can set aging from 1 to 2024000 milliseconds (ms). Enter a value of zero to disable UDP aging.
This example shows how to configure UDP aging to 500 ms:
Console> (enable) set lda udpage 500
Successfully set LDA UDP aging time to 500ms.
Console> (enable)

Committing the ASLB Configuration

Note ASLB configuration settings are temporarily stored in an edit buffer. The settings are saved in
NVRAM, but for the settings to take effect, you must enter the commit lda command. This command
verifies your configuration settings and if the information is entered correctly and passes a
consistency check, the settings are programmed into hardware. Once the ASLB configuration is
successfully committed, the mapping is saved in NVRAM and restored at system bootup.


To commit your ASLB configuration settings, perform this task in privileged mode:

Task                                       Command
Commit your ASLB configuration settings.   commit lda

This example shows how to commit the ASLB configuration settings:


Console> (enable) commit lda
Commit operation in progress...
Successfully committed Local Director Accelerator.
Console> (enable)

Displaying the ASLB Configuration

Note Entering show lda without a keyword (committed | uncommitted) displays committed
configuration settings.

To display committed or uncommitted ASLB configuration settings, perform this task in privileged
mode:

Task                                                 Command
Display committed or uncommitted ASLB configuration  show lda [committed | uncommitted]
settings.

This example shows how to display committed ASLB configuration settings:


Console> (enable) show lda committed
Status:Committed

Virtual IP addresses:
Local Director Flow:10.0.0.8/ (TCP port 8)

Router MAC:
00-23-45-67-ee-7f

LD MAC:00-11-22-33-55-66

LD Router Side:
---------------
Router and LD are on VLAN 110
LD is connected to switch port 4/26 on VLAN 110

LD Server Side:
---------------
Server(s) and LD are on VLAN 105
LD is connected to switch port 4/40 on VLAN 105
Console> (enable)


If the configuration is then modified and the changes are not committed, entering the show lda command
again gives an indication that the configuration has been modified since the last commit but the new
modifications are not shown, only the committed modifications are displayed. To view the new
modifications, enter the show lda uncommitted command.
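Because the committed configuration is what the hardware actually redirects on, while the edit buffer can silently diverge from it, a drift check that reads show lda committed and compares it with the intended LocalDirector, router and VLAN/port values catches both uncommitted changes and changes made on the switch that nobody recorded. The following parser and comparison is an added example, not Cisco code; the sample text is the show lda committed output shown above re-typed as constructed data, and the intended-configuration layout and function names are this example's assumptions.

```python
"""Parse 'show lda committed' output and compare it with the intended configuration.

Added example, not Cisco code. SAMPLE_SHOW_LDA is the guide's own example
output re-typed as constructed data; INTENDED and the function names are
this example's assumptions.
"""
import re

SAMPLE_SHOW_LDA = """\
Status:Committed

Virtual IP addresses:
Local Director Flow:10.0.0.8/ (TCP port 8)

Router MAC:
00-23-45-67-ee-7f

LD MAC:00-11-22-33-55-66

LD Router Side:
---------------
Router and LD are on VLAN 110
LD is connected to switch port 4/26 on VLAN 110

LD Server Side:
---------------
Server(s) and LD are on VLAN 105
LD is connected to switch port 4/40 on VLAN 105
"""

# The configuration the change record says the switch should be running.
INTENDED = {
    "vips": [("10.0.0.8", 8)],
    "router_macs": ["00-23-45-67-ee-7f"],
    "ld_mac": "00-11-22-33-55-66",
    "router_vlan": 110, "router_port": "4/26",
    "server_vlan": 105, "server_port": "4/40",
}


def parse_show_lda(text):
    """Extract status, VIP/port pairs, MACs and the two VLAN/port bindings."""
    cfg = {"status": None, "vips": [], "router_macs": [], "ld_mac": None,
           "router_vlan": None, "router_port": None,
           "server_vlan": None, "server_port": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        m = re.match(r"Status:\s*(\w+)", line)
        if m:
            cfg["status"] = m.group(1)
            continue
        m = re.match(r"Local Director Flow:\s*([\d.]+)/\s*\(TCP port\s+(\d+)\)", line)
        if m:
            cfg["vips"].append((m.group(1), int(m.group(2))))
            continue
        m = re.match(r"LD MAC:\s*([0-9a-fA-F-]+)", line)
        if m:
            cfg["ld_mac"] = m.group(1).lower()
            continue
        if line.startswith("Router MAC:"):
            section = "router_macs"
            continue
        if line.startswith("LD Router Side"):
            section = "router"
            continue
        if line.startswith("LD Server Side"):
            section = "server"
            continue
        # Bare MAC lines follow the 'Router MAC:' header, one per router.
        if section == "router_macs" and re.fullmatch(r"[0-9a-fA-F-]+", line):
            cfg["router_macs"].append(line.lower())
            continue
        m = re.match(r"LD is connected to switch port (\S+) on VLAN (\d+)", line)
        if m and section in ("router", "server"):
            cfg[f"{section}_port"] = m.group(1)
            cfg[f"{section}_vlan"] = int(m.group(2))
    return cfg


def config_drift(cfg, intended):
    """List every way the committed configuration differs from the intended one."""
    drift = []
    if cfg["status"] != "Committed":
        drift.append(f"status is {cfg['status']!r}, not Committed")
    if set(cfg["vips"]) != set(intended["vips"]):
        drift.append(f"VIP/port pairs differ: {cfg['vips']} vs {intended['vips']}")
    if set(cfg["router_macs"]) != {m.lower() for m in intended["router_macs"]}:
        drift.append(f"router MACs differ: {cfg['router_macs']}")
    if cfg["ld_mac"] != intended["ld_mac"].lower():
        drift.append(f"LD MAC differs: {cfg['ld_mac']}")
    for key in ("router_vlan", "router_port", "server_vlan", "server_port"):
        if cfg[key] != intended[key]:
            drift.append(f"{key} is {cfg[key]!r}, expected {intended[key]!r}")
    return drift


if __name__ == "__main__":
    print(config_drift(parse_show_lda(SAMPLE_SHOW_LDA), INTENDED) or "no drift")
```

Run the same comparison against show lda uncommitted to see what a pending commit lda would change before it is programmed into hardware.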

Displaying the ASLB MLS Entries

Note The short | long options give the flexibility to display the output in regular (80 characters in width)
or wide-screen format.

To display the ASLB MLS entries, perform this task in privileged mode:

Task                        Command
Display ASLB MLS entries.   show lda mls entry
                            show lda mls entry [destination ip_addr_spec] [source ip_addr_spec]
                            [protocol protocol] [src-port port] [dst-port port] [short | long]

This example shows how to display all ASLB MLS entries in short format:
Console> (enable) show lda mls entry short
Destination-IP Source-IP Prot DstPrt SrcPrt Destination-Mac Vlan
--------------- --------------- ----- ------ ------ ----------------- ----
EDst ESrc DPort SPort Stat-Pkts Stat-Bytes Uptime Age
---- ---- ------ ------ ---------- ----------- -------- --------
10.0.0.8 172.20.20.10 TCP 8 64 00-33-66-99-22-44 105
ARPA ARPA - 4/25 0 0 00:00:02 00:00:05

10.0.0.8 172.20.20.11 TCP 8 64 00-33-66-99-22-44 105
ARPA ARPA - 4/25 0 0 00:00:05 00:00:08
Console> (enable)

This example shows how to display ASLB information for the source IP address in short format:
Console> (enable) show lda mls entry source 172.20.20.11 short
Destination-IP Source-IP Prot DstPrt SrcPrt Destination-Mac Vlan
--------------- --------------- ----- ------ ------ ----------------- ----
EDst ESrc DPort SPort Stat-Pkts Stat-Bytes Uptime Age
---- ---- ------ ------ ---------- ----------- -------- --------
10.0.0.8 172.20.20.11 TCP 8 64 00-33-66-99-22-44 105
ARPA ARPA - 4/25 0 0 00:00:05 00:00:08
Console> (enable)


Displaying the ASLB MLS Statistics


To display the ASLB MLS statistics, perform this task in privileged mode:

Task                                 Command
Display ASLB MLS entry statistics.   show lda mls statistics entry
                                     show lda mls statistics count
                                     show lda mls statistics entry [destination ip_addr_spec]
                                     [source ip_addr_spec] [protocol protocol] [src-port port]
                                     [dst-port port]

This example shows how to display all ASLB MLS entry statistics:
Console> (enable) show lda mls statistics entry
Last Used
Destination IP Source IP Prot DstPrt SrcPrt Stat-Pkts Stat-Bytes
--------------- --------------- ---- ------ ------ ---------- ---------------
10.0.0.8 172.20.20.10 TCP WWW 64 636 29256
10.0.0.8 172.20.22.10 TCP WWW 64 0 0
Console> (enable)

This example shows how to display the number of ASLB active MLS entries:
Console> (enable) show lda mls statistics count
LDA active shortcuts: 20
Console> (enable)

This example shows how to display the statistics for a specific destination IP address:
Console> (enable) show lda mls statistics entry destination 172.20.22.14
                                                   Last Used
Destination IP  Source IP       Prot DstPrt SrcPrt Stat-Pkts  Stat-Bytes
--------------- --------------- ---- ------ ------ ---------- ---------------
172.20.22.14    172.20.25.10    6    50648  80     3152       347854
Console> (enable)
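The two statistics outputs above print the same table in two forms: protocol and well-known ports by name (TCP, WWW) in one case and numerically (6, 80) in the other, and one of the entries has zero counters. The following Python script is added here as a worked example; it is not part of the Cisco guide. It parses show lda mls statistics entry output captured from the console, normalises both forms, totals hardware-switched bytes per virtual service, lists shortcuts that were installed but have never carried a packet, and cross-checks the row count against show lda mls statistics count. The sample output embedded in it is constructed from the examples on this page, and the protocol and port name tables are an assumption about which names CatOS prints; extend them if your switch shows others.

```python
"""Parse CatOS 'show lda mls statistics entry' output and summarise ASLB shortcuts.

Added example for this guide section; it is not Cisco code. The column layout
follows the show outputs reproduced in this chapter; SAMPLE_ENTRY_OUTPUT and
SAMPLE_COUNT_OUTPUT are constructed for the demonstration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# CatOS prints well-known protocols and ports by name in some outputs (TCP, WWW)
# and numerically in others (6, 80); both forms appear in this chapter.
# Assumed name tables: extend if your switch prints other names.
PROTO_NAMES = {"TCP": 6, "UDP": 17}
PORT_NAMES = {"WWW": 80, "FTP": 21, "TELNET": 23, "SMTP": 25, "DNS": 53}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW_RE = re.compile(
    rf"^\s*(?P<dst>{IPV4})\s+(?P<src>{IPV4})\s+(?P<prot>\S+)\s+"
    r"(?P<dport>\S+)\s+(?P<sport>\S+)\s+(?P<pkts>\d+)\s+(?P<octets>\d+)\s*$"
)


@dataclass(frozen=True)
class Shortcut:
    dst: str
    src: str
    proto: int
    dport: int
    sport: int
    pkts: int
    octets: int


def _numeric(token, names):
    """Return a protocol or port number from either a CatOS name or a number."""
    if token.isdigit():
        return int(token)
    try:
        return names[token.upper()]
    except KeyError:
        raise ValueError(f"unrecognised name in show output: {token!r}") from None


def parse_statistics(text):
    """Turn the entry table into Shortcut records; prompt, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(Shortcut(
                dst=m["dst"], src=m["src"],
                proto=_numeric(m["prot"], PROTO_NAMES),
                dport=_numeric(m["dport"], PORT_NAMES),
                sport=_numeric(m["sport"], PORT_NAMES),
                pkts=int(m["pkts"]), octets=int(m["octets"]),
            ))
    return rows


def bytes_per_service(rows):
    """Bytes switched in hardware per (destination IP, protocol, destination port)."""
    totals = defaultdict(int)
    for r in rows:
        totals[(r.dst, r.proto, r.dport)] += r.octets
    return dict(totals)


def idle_shortcuts(rows):
    """Shortcuts installed in hardware that have never carried a packet.

    An entry with zero counters was created but the rewritten traffic never hit
    it; read together with Table 42-6 this is the first thing to look at when
    entries appear in only one direction.
    """
    return [r for r in rows if r.pkts == 0]


def count_matches(rows, count_output):
    """True when 'show lda mls statistics count' agrees with the parsed entry table."""
    m = re.search(r"LDA active shortcuts:\s*(\d+)", count_output)
    if not m:
        raise ValueError("'LDA active shortcuts' line not found")
    return int(m.group(1)) == len(rows)


# Constructed from the examples in this chapter; not captured from a live switch.
SAMPLE_ENTRY_OUTPUT = """\
Console> (enable) show lda mls statistics entry
                                                   Last Used
Destination IP  Source IP       Prot DstPrt SrcPrt Stat-Pkts  Stat-Bytes
--------------- --------------- ---- ------ ------ ---------- ---------------
10.0.0.8        172.20.20.10    TCP  WWW    64     636        29256
10.0.0.8        172.20.22.10    TCP  WWW    64     0          0
172.20.22.14    172.20.25.10    6    50648  80     3152       347854
Console> (enable)
"""
SAMPLE_COUNT_OUTPUT = "Console> (enable) show lda mls statistics count\nLDA active shortcuts: 3\n"

if __name__ == "__main__":
    shortcuts = parse_statistics(SAMPLE_ENTRY_OUTPUT)
    print(bytes_per_service(shortcuts))
    print([f"{s.src} -> {s.dst}:{s.dport}" for s in idle_shortcuts(shortcuts)])
    print("count consistent:", count_matches(shortcuts, SAMPLE_COUNT_OUTPUT))
```

Feed the script the raw text of a console session; everything that is not a data row (prompts, the spanning Last Used header, separator rules) is ignored, so the same parser works for the filtered forms of the command (destination, source, protocol and port keywords).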


Clearing the ASLB Configuration

Caution If you do not enter any keywords with the clear lda command, the entire ASLB configuration is
removed from the hardware and NVRAM along with the MLS entries. If you do not enter any
keywords with the clear lda mls command, all MLS entries are cleared.

To clear ASLB MLS entries, virtual-IP address/port pairs, or router MAC addresses, perform this task in
privileged mode:

Task                                    Command
Clear ASLB MLS entries.                 clear lda mls [destination ip_addr_spec] [source ip_addr_spec] [protocol protocol src-port src_port dst-port dst_port]
Clear virtual-IP address/port pairs.    clear lda vip {all | vip | vip tcp_port}
Clear ASLB router MAC addresses.        clear lda mac {all | router_mac_address}

This example shows how to clear the MLS entry at a specific destination address:
Console> (enable) clear lda mls destination 172.20.26.22
MLS IP entry cleared.
Console> (enable)

This example shows how to delete a virtual-IP address and port pair (10.0.0.8, port 8):
Console> (enable) clear lda vip 10.0.0.8 8
Successfully deleted vip/port pairs.
Console> (enable)

This example shows how to clear all ASLB router MAC addresses:
Console> (enable) clear lda mac all
Successfully cleared Router MAC address.
Console> (enable)

This example shows how to clear a specific ASLB router MAC address:
Console> (enable) clear lda mac 1-2-3-4-5-6
Successfully cleared Router MAC address.
Console> (enable)


ASLB Configuration Example


This section provides an example of a typical ASLB network configuration. Figure 42-4 shows the
example network; the configuration specifications are as follows:
• The virtual-IP address is 192.255.201.55.
• The router interface MAC address is 00-d0-bc-e9-fb-47 and its IP address is 192.255.201.1.
• The LocalDirector IP address is 192.255.201.2.
• The LocalDirector MAC address is 00-e0-b6-00-4b-04.
• The server farm IP addresses are 192.255.201.3 through 192.255.201.11.
• The servers have been configured to ignore ARP requests for the virtual-IP address 192.255.201.55.
The example in Figure 42-4 shows how to do the following:
• Load balance HTTP connections in a round-robin fashion among servers 192.255.201.3 through
192.255.201.10.
• Forward connections to port 8001 to server 192.255.201.11.
• Load balance FTP connections to servers 192.255.201.3 through 192.255.201.8 in a “leastconns”
fashion (which is the default for the LocalDirector).

Figure 42-4 ASLB Configuration Example
(Figure not reproduced: the clients and the router are on VLAN 7; the LocalDirector sits between switch
port 5/7 on VLAN 7 and switch port 5/5 on VLAN 5; the server pool S1 through Sn is on VLAN 5 of the
Catalyst 6500 series switch.)

The router configuration is as follows (MSM is used in this example):


!
interface Port-channel1.7
encapsulation isl 7
ip address 192.255.201.1 255.255.255.0
no ip redirects
no ip directed-broadcast
!

The Catalyst 6000 family switch configuration is as follows:

Console> (enable) show lda
Status:Committed

Virtual IP addresses:
Local Director Flow:192.255.201.55/www (TCP port 80)
Local Director Flow:192.255.201.55/ (TCP port 8001)
Local Director Flow:192.255.201.55/ftp (TCP port 21)

Router MAC:
00-d0-bc-e9-fb-47

LD MAC: 00-e0-b6-00-4b-04

LD Router Side:
---------------
Router and LD are on VLAN 7
LD is connected to switch port 5/7 on VLAN 7

LD Server Side:
---------------
Server(s) and LD are on VLAN 5
LD is connected to switch port 5/5 on VLAN 5
Console> (enable)

The LocalDirector configuration is as follows:


LD430# show configuration
:Saved
:LocalDirector 430 Version 3.1.3.105
syslog output 20.3
no syslog console
hostname LD430
no shutdown ethernet 0
no shutdown ethernet 1
shutdown ethernet 2
shutdown ethernet 3
interface ethernet 0 100full
interface ethernet 1 100full
interface ethernet 2 auto
interface ethernet 3 auto
mtu 0 1500
mtu 1 1500
mtu 2 1500
mtu 3 1500
no multiring all
no secure 0
no secure 1
no secure 2
no secure 3
ping-allow 0
ping-allow 1
no ping-allow 2
no ping-allow 3
ip address 192.255.201.2 255.255.255.0
route 0.0.0.0 0.0.0.0 192.255.201.1 1
no rip passive
rip version 1
failover ip address 0.0.0.0
no failover
snmp-server enable traps
no snmp-server contact
no snmp-server location
virtual 192.255.201.55:80:0:tcp is
virtual 192.255.201.55:8001:0:tcp is
virtual 192.255.201.55:21:0:tcp is
predictor 192.255.201.55:80:0:tcp roundrobin
redirection 192.255.201.55:80:0:tcp dispatched assisted wildcard-ttl 60 fixed-ttl 60 igmp 224.0.1.2 port 1637
redirection 192.255.201.55:8001:0:tcp dispatched assisted wildcard-ttl 60 fixed-ttl 60 igmp 224.0.1.2 port 1637
redirection 192.255.201.55:21:0:tcp dispatched assisted wildcard-ttl 60 fixed-ttl 60 igmp 224.0.1.2 port 1637
real 192.255.201.5:80:0:tcp is
real 192.255.201.3:80:0:tcp is
real 192.255.201.4:80:0:tcp is
real 192.255.201.6:80:0:tcp is
real 192.255.201.7:80:0:tcp is
real 192.255.201.8:80:0:tcp is
real 192.255.201.9:80:0:tcp oos
real 192.255.201.10:80:0:tcp oos
real 192.255.201.11:8001:0:tcp oos
real 192.255.201.3:21:0:tcp is
real 192.255.201.4:21:0:tcp is
real 192.255.201.5:21:0:tcp is
real 192.255.201.6:21:0:tcp is
real 192.255.201.7:21:0:tcp is
real 192.255.201.8:21:0:tcp is
bind 192.255.201.55:80:0:tcp 192.255.201.3:80:0:tcp
bind 192.255.201.55:80:0:tcp 192.255.201.4:80:0:tcp
bind 192.255.201.55:80:0:tcp 192.255.201.5:80:0:tcp
bind 192.255.201.55:80:0:tcp 192.255.201.6:80:0:tcp
bind 192.255.201.55:80:0:tcp 192.255.201.7:80:0:tcp
bind 192.255.201.55:80:0:tcp 192.255.201.8:80:0:tcp
bind 192.255.201.55:80:0:tcp 192.255.201.9:80:0:tcp
bind 192.255.201.55:80:0:tcp 192.255.201.10:80:0:tcp
bind 192.255.201.55:8001:0:tcp 192.255.201.11:8001:0:tcp
bind 192.255.201.55:21:0:tcp 192.255.201.3:21:0:tcp
bind 192.255.201.55:21:0:tcp 192.255.201.4:21:0:tcp
bind 192.255.201.55:21:0:tcp 192.255.201.5:21:0:tcp
bind 192.255.201.55:21:0:tcp 192.255.201.6:21:0:tcp
bind 192.255.201.55:21:0:tcp 192.255.201.7:21:0:tcp
bind 192.255.201.55:21:0:tcp 192.255.201.8:21:0:tcp

ASLB Redundant Configuration Example


This section provides an example of a typical ASLB redundant network configuration. Figure 42-5
shows the example redundant network. The LocalDirectors and Catalyst 6000 family switches are
configured to accelerate HTTP and Telnet for server VIP address 13.13.13.13.

Caution Router 1 and router 2 are running Hot Standby Router Protocol (HSRP) on both interfaces, f1 and
f2 in Figure 42-5. Interface f1 must be active on the same router where f2 is active; otherwise, traffic
will reach interface f1 on one router and will not be forwarded to interface f2, which is active on the
other router. Use the HSRP standby track command on each interface to track the opposite-side interface
of the same router, as the router configurations in this section do.


Figure 42-5 ASLB Redundant Configuration Example
(Figure not reproduced: Router 1 and Router 2 each have interface f1 on VLAN 9 toward the clients and
interface f2 on VLAN 5 toward the servers. LocalDirector 1 is attached to Catalyst 6500 series switch 1 on
ports 3/7 (VLAN 9) and 3/8 (VLAN 5); LocalDirector 2 is attached to switch 2 on ports 3/27 (VLAN 9) and
3/28 (VLAN 5). Port 3/23 of each switch is an ISL trunk carrying VLANs 5 and 9 between the two switches,
and the two LocalDirectors are joined by the LocalDirector failover cable.)

IP Addresses
The IP addresses are as follows:
• Router 1, f1 IP address: 7.0.0.100 (network 7)
• Router 2, f1 IP address: 7.0.0.101 (network 7)
• HSRP IP address: 7.0.0.1 for network 7
• Router 1, f2 IP address: 5.0.0.100 (network 5)
• Router 2, f2 IP address: 5.0.0.101 (network 5)
• HSRP IP address: 5.0.0.2 for network 5
• LocalDirector IP address: 5.0.0.1
• Server IP address: 5.100.100.100
• VIP address for servers: 13.13.13.13


MAC Addresses
The MAC addresses are as follows:
• HSRP MAC address for network 7: 00-00-0c-07-ac-00
• HSRP MAC address for network 5: 00-00-0c-07-ac-01
• Router 1, f2 MAC address: 00-d0-79-7b-20-88
• Router 2, f2 MAC address: 00-d0-79-7b-18-88
• LocalDirector MAC address: 00-e0-b6-00-47-ec
HSRP version 1 derives the virtual MAC address of a standby group from its group number
(00-00-0c-07-ac-xx, where xx is the group number in hexadecimal). The switch accelerates only traffic
from router MAC addresses entered with the set lda mac router command (see Table 42-6), so verify the
virtual and physical addresses that the routers actually use on their server-side (f2) interfaces with
the show standby and show interfaces commands before you commit the switch configuration.

Catalyst 6000 Family Switch 1 Configuration


The switch 1 configuration is as follows:
set trunk 3/23 on isl 1,5,9
set lda enable
clear lda vip all
set lda vip 13.13.13.13 80 13.13.13.13 23
clear lda mac all
set lda mac router 00-00-0c-07-ac-01
set lda mac router 00-d0-79-7b-20-88
set lda mac router 00-d0-79-7b-18-88
set lda mac ld 00-e0-b6-00-47-ec
set lda router 9 3/7 3/23
set lda server 5 3/8 3/23
commit lda

Catalyst 6000 Family Switch 2 Configuration


The switch 2 configuration is as follows:
set trunk 3/23 on isl 1,5,9
set lda enable
clear lda vip all
set lda vip 13.13.13.13 80 13.13.13.13 23
clear lda mac all
set lda mac router 00-00-0c-07-ac-01
set lda mac router 00-d0-79-7b-20-88
set lda mac router 00-d0-79-7b-18-88
set lda mac ld 00-e0-b6-00-47-ec
set lda router 9 3/27 3/23
set lda server 5 3/28 3/23
commit lda

Router 1 Configuration
The router 1 configuration is as follows:
interface FastEthernet1
ip address 7.0.0.100 255.0.0.0
no ip redirects
no ip directed-broadcast
no ip route-cache distributed
load-interval 30
no keepalive
full-duplex
standby 1 ip 7.0.0.1
standby 1 track FastEthernet2
!
interface FastEthernet2
ip address 5.0.0.100 255.0.0.0
no ip redirects
no ip directed-broadcast
no ip route-cache distributed
no keepalive
full-duplex
standby priority 250
standby 2 ip 5.0.0.2
standby 2 track FastEthernet1
!
ip route 13.13.13.13 255.255.255.255 5.0.0.1

Router 2 Configuration
The router 2 configuration is as follows:
interface FastEthernet1
ip address 7.0.0.101 255.0.0.0
no ip redirects
no ip directed-broadcast
no ip route-cache distributed
load-interval 30
no keepalive
full-duplex
standby 1 ip 7.0.0.1
standby 1 track FastEthernet2
!
interface FastEthernet2
ip address 5.0.0.101 255.0.0.0
no ip redirects
no ip directed-broadcast
no ip route-cache distributed
no keepalive
full-duplex
standby priority 250
standby 2 ip 5.0.0.2
standby 2 track FastEthernet1
!
ip route 13.13.13.13 255.255.255.255 5.0.0.1

LocalDirector Configuration
The LocalDirector 1 and LocalDirector 2 configuration is as follows (the configuration is the same for
both LocalDirectors):
no shutdown ethernet 0
no shutdown ethernet 4
interface ethernet 0 100full
interface ethernet 4 100full
ip address 5.0.0.1 255.0.0.0
failover ip address 5.0.0.5
virtual 13.13.13.13:80:0:tcp is
virtual 13.13.13.13:23:0:tcp is
predictor 13.13.13.13:80:0:tcp roundrobin
predictor 13.13.13.13:23:0:tcp roundrobin
redirection 13.13.13.13:80:0:tcp dispatched assisted
redirection 13.13.13.13:23:0:tcp dispatched assisted
real 5.100.100.100:80:0:tcp is
real 5.100.100.100:23:0:tcp is
bind 13.13.13.13:80:0:tcp 5.100.100.100:80:0:tcp
bind 13.13.13.13:23:0:tcp 5.100.100.100:23:0:tcp
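The redundant example depends on the switch knowing every MAC address a router can use on the server VLAN: the physical address of each router's f2 interface and the HSRP virtual address of the group on that interface. HSRP version 1 derives the virtual address from the group number (00-00-0c-07-ac-xx, where xx is the group number in hexadecimal), so a set lda mac router list copied from a design that used a different group number, or still carrying the address of a retired router, silently stops matching and the symptoms in Table 42-6 appear. The following Python script is an added example, not Cisco code. It derives the expected addresses from router configurations and from a list of burned-in interface MACs (what show interfaces would report), compares them with the set lda mac router lines of a switch configuration, and reports addresses that are missing or stale. The router configurations, switch configurations, burned-in addresses and the stale entry are all constructed for the demonstration, modelled on the example above.

```python
"""Audit the router MAC addresses an ASLB switch accelerates ('set lda mac router')
against the HSRP groups configured on the routers' server-side interfaces.

Added example for this guide section; it is not Cisco code. The configs and the
burned-in MAC list below are constructed. HSRP version 1 derives a group's virtual
MAC as 00-00-0c-07-ac-xx, where xx is the group number in hexadecimal.
"""
import re

HSRP_V1_PREFIX = "00-00-0c-07-ac"


def hsrp_v1_virtual_mac(group):
    """Virtual MAC address of an HSRP version 1 standby group (0 to 255)."""
    if not 0 <= group <= 255:
        raise ValueError(f"HSRPv1 group out of range: {group}")
    return f"{HSRP_V1_PREFIX}-{group:02x}"


def normalize_mac(mac):
    """Canonical CatOS form (xx-xx-xx-xx-xx-xx) from IOS dotted or colon forms."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def hsrp_virtual_macs(router_config, interface):
    """Virtual MACs of every HSRP group configured under the given interface block.

    'standby N ip ...' belongs to group N; 'standby ip ...' without a group number
    is group 0. Other standby lines (track, priority) define no address.
    """
    macs = set()
    current = None
    for raw in router_config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            continue
        if current != interface:
            continue
        m = re.match(r"standby(?:\s+(\d+))?\s+ip\b", line)
        if m:
            macs.add(hsrp_v1_virtual_mac(int(m.group(1) or 0)))
    return macs


def switch_router_macs(switch_config):
    """MACs the switch treats as router addresses ('set lda mac router ...')."""
    found = re.findall(r"^\s*set lda mac router\s+(\S+)", switch_config, re.M)
    return {normalize_mac(m) for m in found}


def audit(switch_config, router_configs, server_interface, burned_in_macs):
    """Return (missing, extra).

    missing: addresses a router uses on the server VLAN that the switch does not
             list, so that router's traffic is not accelerated;
    extra:   addresses the switch lists that no router on the segment uses,
             i.e. stale entries left over from an earlier design.
    burned_in_macs holds the physical address of each router's server-side
    interface as read from 'show interfaces' (constructed values here).
    """
    expected = {normalize_mac(m) for m in burned_in_macs}
    for cfg in router_configs:
        expected |= hsrp_virtual_macs(cfg, server_interface)
    configured = switch_router_macs(switch_config)
    return sorted(expected - configured), sorted(configured - expected)


# Constructed, modelled on the redundant example: HSRP group 1 on the client
# side (FastEthernet1) and group 2 on the server side (FastEthernet2).
ROUTER1 = """\
interface FastEthernet1
 ip address 7.0.0.100 255.0.0.0
 standby 1 ip 7.0.0.1
 standby 1 track FastEthernet2
!
interface FastEthernet2
 ip address 5.0.0.100 255.0.0.0
 standby 2 priority 250
 standby 2 ip 5.0.0.2
 standby 2 track FastEthernet1
!
"""
ROUTER2 = ROUTER1.replace("7.0.0.100", "7.0.0.101").replace("5.0.0.100", "5.0.0.101")
BURNED_IN = ["00d0.797b.2088", "00d0.797b.1888"]  # constructed 'show interfaces' values

# Constructed switch config: correct group-2 virtual MAC, both physical MACs,
# plus one stale entry (ff-ff) from a router that no longer exists.
SWITCH_CONFIG = """\
set lda mac router 00-00-0c-07-ac-02
set lda mac router 00-d0-79-7b-20-88
set lda mac router 00-d0-79-7b-18-88
set lda mac router 00-d0-79-7b-ff-ff
set lda mac ld 00-e0-b6-00-47-ec
"""
# Same switch, but the virtual MAC was taken from group 1 instead of group 2.
SWITCH_WRONG_GROUP = SWITCH_CONFIG.replace("ac-02", "ac-01")

if __name__ == "__main__":
    for name, cfg in (("ok", SWITCH_CONFIG), ("wrong group", SWITCH_WRONG_GROUP)):
        missing, extra = audit(cfg, [ROUTER1, ROUTER2], "FastEthernet2", BURNED_IN)
        print(f"{name}: missing={missing} extra={extra}")
```

Run the audit against the real configurations before commit lda; an entry in missing means one router's traffic bypasses acceleration, an entry in extra is a MAC address the switch still rewrites for even though nothing legitimate on the VLAN uses it and should be removed with clear lda mac.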

Troubleshooting the ASLB Configuration


Table 42-6 lists the possible problem symptoms and recommended actions to troubleshoot the ASLB
configuration.

Table 42-6 Troubleshooting the ASLB Configuration

Symptom: LocalDirector does not receive any traffic.
Recommended action: Ensure that the LocalDirector is connected to the ports you specified by entering
the set lda server and set lda router commands.

Symptom: LocalDirector connection entries are not purged.
Recommended action: Ensure that you configured all the virtual-IP/port pairs by entering the set lda vip
command.

Symptom: ASLB MLS entries are created in only one direction.
Recommended action:
• Ensure that you configured all the virtual-IP/port pairs on both the supervisor engine (set lda vip
command) and the LocalDirector.
• Ensure that the LocalDirector is in the “dispatched assisted” mode.
• Ensure that you configured the IP addresses of the routers, LocalDirector, and servers following the
guidelines in the “IP Addresses” section on page 42-9.
• Ensure that the router knows how to reach the LocalDirector when traffic goes to the virtual-IP address
(if the virtual-IP address is on a different subnet than the router interface).
• Ensure that the router MAC address is the same as specified by entering the set lda mac router command.
• Ensure that the LocalDirector MAC address is the same as specified by entering the set lda mac ld
command.

Symptom: Backup LocalDirector does not receive any traffic.
Recommended action: Ensure that you configured the backup LocalDirector ports by entering the set lda
router and set lda server commands; for example, enter set lda router {router_vlan} 3/7 3/9 and set lda
server {server_vlan} 3/8 3/10.

Symptom: You can ping servers from the router, but ASLB MLS entries are not created when you send data
traffic.
Recommended action: Ensure that the servers were configured to ignore ARP requests for the virtual-IP
address.

Symptom: You see the message %CDP-4-NVLANMISMATCH: Native vlan mismatch detected on port ...
Recommended action: Disable CDP on the ports connected to the LocalDirector (enter the set cdp disable
command).

Symptom: LocalDirector set commands did not take effect.
Recommended action: The set lda commands do not take effect until you enter the commit lda command. You
can verify which set lda commands are in effect by entering the show lda commit command. You can
determine which set lda commands are set but not committed, or what changes will occur if the current
set lda commands are committed, by entering the show lda uncommitted command.

Symptom: You see “collisions” or “port disabled” on the Catalyst 6000 port.
Recommended action: Ensure that the port speed and duplex settings are compatible on both ends of the
link between the LocalDirector and the switch. For example, if port 3/7 on the switch is connected to
interface ethernet 0 on the LocalDirector, make sure that port 3/7 is set to 100full and that interface
ethernet 0 on the LocalDirector is also set to 100full.

Chapter 43
Configuring the Switch Fabric Modules

This chapter describes how to configure the Switch Fabric Module (WS-C6500-SFM) and Switch Fabric
Module 2 (WS-X6500-SFM 2) for the Catalyst 6500 series switches.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Understanding How the Switch Fabric Module Works, page 43-1
• Configuring and Monitoring the Switch Fabric Module, page 43-2

Note The WS-C6500-SFM is supported in the Catalyst 6500 6-and 9-slot chassis only. The
WS-X6500-SFM 2 is supported in the Catalyst 6500 6-slot, 9-slot, 13-slot, and 6509-NEB chassis.

Understanding How the Switch Fabric Module Works


Note The Switch Fabric Module is supported only with Supervisor Engine 2 in the Catalyst 6500 series
switch.

The Switch Fabric Module creates a dedicated connection between fabric-enabled modules and provides
uninterrupted transmission of frames between these modules. The Switch Fabric Module also provides
fabric-enabled modules with a direct connection to the Catalyst 6500 32-Gbps forwarding bus.
You can use the set system crossbar-fallback {bus-mode | none} command to specify how packets are
handled if the Switch Fabric Module is removed or fails. If you specify bus-mode, switching continues in
flow-through mode over the forwarding bus. If you specify none, the switch ports are disabled and
switching stops.
The Switch Fabric Module does not have a console. A two-line LCD display on the front panel shows
fabric utilization, software revision, and basic system information.
Install the WS-C6500-SFM in either slot 5 or 6 in the 6-slot and 9-slot Catalyst 6500 series switches.
Install the WS-X6500-SFM 2 in slot 7 or 8 in the 13-slot Catalyst 6500 series switches. The Switch Fabric
Module installed first functions as the primary module. For redundancy, you can install a standby Switch
Fabric Module.

When you install two Switch Fabric Modules at the same time in a 6- or 9-slot chassis, the primary
module is in slot 5 and the backup is in slot 6. If you reset the module in slot 5, the module in slot 6
becomes active.
When you install two Switch Fabric Modules at the same time in a 13-slot chassis, the primary module
is in slot 7 and the backup is in slot 8. If you reset the module in slot 7, the module in slot 8 becomes
active.
When you install a Switch Fabric Module in a Catalyst 6500 series switch, the traffic is forwarded to
and from modules in one of these modes:
• Flow-through mode—Data passes between the local bus and the supervisor engine bus. This mode
is used for traffic to or from nonfabric-enabled modules.
• Truncated mode—If there are at least two fabric-enabled modules installed in a system with both
fabric-enabled and nonfabric-enabled modules, traffic between the fabric-enabled modules is
forwarded in truncated mode. In this mode, only the truncated data (the first 64 bytes of the frame)
is sent over the switch fabric channel if both the destination and the source are fabric-enabled
modules. If either the source or destination is a nonfabric-enabled module, the data goes through the
switch fabric channel and the data bus. The Switch Fabric Module does not get involved when traffic
is forwarded between nonfabric-enabled modules.
• Compact mode—A compact version of the DBus header is forwarded over the switch fabric channel,
delivering the best possible switching rate. Nonfabric-enabled modules do not support the compact
mode and generate cyclic redundancy check (CRC) errors if they receive frames in compact mode. This
mode is used only when no nonfabric-enabled modules are installed in the chassis.
Table 43-1 shows the switching modes used with fabric-enabled and nonfabric-enabled modules installed.

Table 43-1 Switching Modes with Switch Fabric Module Installed

Modules                                                                             Switching Mode
Between fabric-enabled modules (no nonfabric-enabled modules installed)             Compact
Between fabric-enabled modules (when nonfabric-enabled modules are also installed)  Truncated
Between fabric-enabled and nonfabric-enabled modules                                Flow-through
Between nonfabric-enabled modules                                                   Flow-through

Configuring and Monitoring the Switch Fabric Module


The Switch Fabric Module does not require any user configuration but supports a number of show
commands for monitoring purposes. A fully automated startup sequence brings the module online and
runs the connectivity diagnostics on the ports.
From the supervisor engine, you can reset the module using the reset module command, disable and
enable the module using the set module {enable | disable} command, and power it down using the set
module powerdown module command.

These sections describe how to configure the Switch Fabric Module:


• Configuring a Fallback Option, page 43-3
• Configuring the Switching Mode, page 43-3
• Switch Fabric Redundancy, page 43-4
• Monitoring the Switch Fabric Module, page 43-4
• Configuring the LCD Banner, page 43-8

Configuring a Fallback Option


The set system crossbar-fallback {bus-mode | none} command allows you to configure a fallback option
if the Switch Fabric Module connection fails.
To configure a fallback option for the Switch Fabric Module, perform this task in privileged mode:

Task Command
Configure a fallback option for the Switch Fabric set system crossbar-fallback {bus-mode | none}
Module.

This example shows how to configure a fallback option to bus-mode:


Console> (enable) set system crossbar-fallback bus-mode
System crossbar-fallback set to bus-mode.
Console> (enable)

Configuring the Switching Mode


To improve performance, you can manually specify which switching mode the system uses. If you have
one or more nonfabric-enabled modules installed in the chassis, configure the switch to use flow-through
mode. If you have only fabric-enabled modules installed, configure the switch to use compact mode.

Note Nonfabric-enabled modules do not support compact mode.

To configure the switch to use flow-through mode if you have nonfabric-enabled modules installed,
perform this task:

Task Command
Configure the switch to use flow-through mode. set system switchmode allow bus-only

This example shows how to configure the switch to use flow-through mode:
Console> (enable) set system switchmode allow bus-only

Console> (enable)

To configure the switch to use compact mode if you have only fabric-enabled modules installed, perform
this task:

Task Command
Configure the switch to use compact mode. set system switchmode allow truncated

This example shows how to configure the switch to use compact mode:
Console> (enable) set system switchmode allow truncated

Console> (enable)

Switch Fabric Redundancy


No configuration is required for Switch Fabric Module redundancy. The module in slot 5 (slot 7 in a
13-slot chassis) functions as the primary module, and a redundant Switch Fabric Module in slot 6 (slot 8
in a 13-slot chassis) automatically takes over if the primary module fails. A mixed redundant
configuration with a WS-C6500-SFM and a WS-X6500-SFM 2 is not supported.

Monitoring the Switch Fabric Module


This section describes how to monitor the Switch Fabric Module:
• Displaying the Module Information, page 43-4
• Displaying the Fabric Channel Counters, page 43-5
• Displaying the Fabric Channel Switching Mode and Channel Status, page 43-5
• Displaying the Fabric Channel Utilization, page 43-6
• Displaying the Backplane Traffic and Fabric Channel Input and Output, page 43-7
• Displaying Switching Mode Configuration, page 43-8

Note Enter all show commands supported by the Switch Fabric Module from the supervisor engine.

Displaying the Module Information


To display the module information, perform this task in privileged mode:

Task                              Command
Display the module information.   show module [mod]

This example shows how to display module information:


Console> (enable) show module
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1   1    2     1000BaseX Supervisor      WS-X6K-SUP2-2GE     yes ok
4   4    24    100BaseFX MM Ethernet     WS-X6224-MM-MT      no  ok
5   5    0     Switch Fabric Module      WS-C6500-SFM        no  ok

Mod Module-Name         Serial-Num
--- ------------------- -----------
1   Munish
4                       SAD02390156
5                       SAD042818BR

Mod MAC-Address(es)                        Hw     Fw         Sw
--- -------------------------------------- ------ ---------- -----------------
1   00-40-0b-ff-00-00 to 00-40-0b-ff-00-01 0.219  6.1(0.146) 6.2(0.33-Eng)KEY
    00-50-3e-7e-71-56 to 00-50-3e-7e-71-57
    00-01-64-f8-ca-00 to 00-01-64-f8-cd-ff
4   00-10-7b-c2-3a-c0 to 00-10-7b-c2-3a-d7 0.204  4.2(0.24)V 6.2(0.14)KEY
5   00-40-0b-ff-00-00                      0.204  6.1(0.133) 6.2(0.14)KEY

Mod Sub-Type                Sub-Model           Sub-Serial  Sub-Hw
--- ----------------------- ------------------- ----------- ------
1   L3 Switching Engine II  WS-F6K-PFC2         SAD04110B5S 0.305
Console> (enable)

Displaying the Fabric Channel Counters


To display the fabric channel counters, perform this task in privileged mode:

Task Command
Display the fabric channel counters. show fabric channel counters module

This example shows how to display the fabric channel counters:


Console> (enable) show fabric channel counters 5
Channel 0 counters:
0 rxTotalPkts = 0
1 txTotalPkts = 0
2 rxGoodPkts = 0
3 rxErrors = 0
4 txErrors = 0
5 txDropped = 0

Displaying the Fabric Channel Switching Mode and Channel Status


To display the fabric channel switching mode and channel status, perform this task in privileged mode:

Task Command
Display the fabric channel switching mode and show fabric channel switchmode
channel status.

This example shows how to display the fabric channel switching mode and channel status:
Console> (enable) show fabric channel switchmode
Global switching mode:truncated

Module Num Fab Chan Fab Chan Switch Mode  Channel Status
------ ------------ -------- ------------ --------------
1      1            0, 0     flow through ok
4      0            n/a      n/a          n/a
5      18           0, 0     n/a          ok
5      18           1, 1     n/a          unused
5      18           2, 2     n/a          unused
5      18           3, 3     n/a          unused
5      18           4, 4     n/a          unused
5      18           5, 5     n/a          unused
5      18           6, 6     n/a          unused
5      18           7, 7     n/a          unused
5      18           8, 8     n/a          unused
5      18           9, 9     n/a          unused
5      18           10, 10   n/a          unused
5      18           11, 11   n/a          unused
5      18           12, 12   n/a          unused
5      18           13, 13   n/a          unused
5      18           14, 14   n/a          unused
5      18           15, 15   n/a          unused
5      18           16, 16   n/a          unused
5      18           17, 17   n/a          unused

In the show fabric channel switchmode command output, the Switch Mode field displays one of the
following modes:
• Flow-through mode
• Truncated mode
• Compact mode

Note See the “Understanding How the Switch Fabric Module Works” section on page 43-1 for definitions
for the different modes.
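Table 43-1 and the show fabric channel switchmode output above describe the same decision from two sides: the table gives the mode for a pair of modules given whether any nonfabric-enabled module is installed, and the command shows the resulting per-module state. The following Python script is an added example, not Cisco code. It parses the command output, identifies the modules with no fabric channel (the ones that hold the chassis out of compact mode), the Switch Fabric Modules themselves, and any channel whose status is neither ok nor unused, and encodes Table 43-1 as a function so the observed global mode can be checked against the installed modules. The sample output is constructed from the example above with an invented fabric-enabled line card in slot 3; the assumption that a Switch Fabric Module is the module reporting 18 fabric channels is taken from that example.

```python
"""Parse CatOS 'show fabric channel switchmode' and apply the Table 43-1 rules.

Added example for this chapter; it is not Cisco code. The row layout follows the
output reproduced in this section; SAMPLE_OUTPUT is constructed (module 3 is an
invented fabric-enabled line card, added to show a truncated-mode channel).
"""
import re

ROW_RE = re.compile(
    r"^\s*(?P<mod>\d+)\s+(?P<nchan>\d+)\s+(?P<chan>\d+,\s*\d+|n/a)\s+"
    r"(?P<mode>flow through|truncated|compact|n/a)\s+(?P<status>\S+)\s*$"
)
SFM_CHANNELS = 18  # assumption from the example: an SFM reports one row per fabric channel


def parse_switchmode(text):
    """Return (global_mode, modules); modules maps module number to
    {'channels': N, 'rows': [(fab_chan, mode, status), ...]}."""
    global_mode = None
    modules = {}
    for line in text.splitlines():
        m = re.match(r"\s*Global switching mode:\s*(\S.*?)\s*$", line)
        if m:
            global_mode = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m:
            entry = modules.setdefault(int(m["mod"]), {"channels": int(m["nchan"]), "rows": []})
            entry["rows"].append((m["chan"], m["mode"], m["status"]))
    return global_mode, modules


def nonfabric_modules(modules):
    """Modules with no fabric channel; any one of them keeps the chassis out of compact mode."""
    return sorted(mod for mod, e in modules.items() if e["channels"] == 0)


def fabric_modules(modules):
    """The Switch Fabric Modules themselves (they report all channels and no mode of their own)."""
    return sorted(mod for mod, e in modules.items() if e["channels"] >= SFM_CHANNELS)


def unhealthy_channels(modules):
    """(module, fab_chan, status) for channels whose status is neither ok, unused nor n/a."""
    return [(mod, chan, status)
            for mod, e in modules.items()
            for chan, _mode, status in e["rows"]
            if status not in ("ok", "unused", "n/a")]


def expected_mode(src_fabric_enabled, dst_fabric_enabled, any_nonfabric_installed):
    """Switching mode for traffic between two modules, per Table 43-1."""
    if not (src_fabric_enabled and dst_fabric_enabled):
        return "flow-through"
    return "truncated" if any_nonfabric_installed else "compact"


def explain(text):
    """Summarise the output: current mode, what prevents compact mode, and channel health."""
    global_mode, modules = parse_switchmode(text)
    holdouts = nonfabric_modules(modules)
    if holdouts:
        reason = (f"nonfabric-enabled module(s) {holdouts} installed: fabric-enabled modules "
                  "switch in truncated mode, traffic to or from the holdouts in flow-through")
    else:
        reason = "only fabric-enabled modules installed: compact mode available"
    return {"global_mode": global_mode, "nonfabric": holdouts, "sfm": fabric_modules(modules),
            "unhealthy": unhealthy_channels(modules), "reason": reason}


# Constructed; modelled on the example output in this section.
SAMPLE_OUTPUT = """\
Console> (enable) show fabric channel switchmode
Global switching mode:truncated

Module Num Fab Chan Fab Chan Switch Mode  Channel Status
------ ------------ -------- ------------ --------------
1      1            0, 0     flow through ok
3      1            0, 2     truncated    ok
4      0            n/a      n/a          n/a
5      18           0, 0     n/a          ok
5      18           1, 1     n/a          unused
5      18           2, 2     n/a          unused
Console> (enable)
"""

if __name__ == "__main__":
    summary = explain(SAMPLE_OUTPUT)
    print(summary["global_mode"], summary["reason"])
    print("SFM:", summary["sfm"], "unhealthy channels:", summary["unhealthy"])
```

Running explain over a live capture tells you in one line why a chassis full of fabric-enabled cards still reports truncated mode (one leftover nonfabric card), and unhealthy_channels is the check to put in a monitoring job, since a failed channel means the affected module has fallen back to the bus or lost forwarding entirely depending on set system crossbar-fallback.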

Displaying the Fabric Channel Utilization


To display the fabric channel utilization, perform this task in privileged mode:

Task Command
Display the fabric channel utilization. show fabric channel utilization

This example shows how to display the fabric channel utilization:


Console> (enable) show fabric channel utilization
Fab Chan Input Output
-------- ----- ------
0 0% 0%
1 0% 0%
2 0% 0%
3 0% 0%
4 0% 0%
5 0% 0%
6 0% 0%
7 0% 0%
8 0% 0%
9 0% 0%
10 0% 0%
11 0% 0%
12 0% 0%
13 0% 0%
14 0% 0%
15 0% 0%
16 0% 0%
17 0% 0%

Displaying the Backplane Traffic and Fabric Channel Input and Output
To display the backplane traffic and fabric channel input and output, perform either of these tasks:

Task Command
Display system status including the backplane show system
traffic and fabric channel input and output.
Display the backplane traffic and fabric channel show traffic
input and output.

This example shows how to display the system status including backplane traffic and fabric channel
input and output:
Console> (enable) show system
PS1-Status PS2-Status
---------- ----------
ok         none

Fan-Status Temp-Alarm Sys-Status Uptime d,h:m:s Logout
---------- ---------- ---------- -------------- ---------
ok         off        ok         0,00:02:52     20 min

PS1-Type     PS2-Type
------------ ------------
WS-CAC-1000W none

Modem   Baud  Backplane-Traffic Peak Peak-Time
------- ----- ----------------- ---- -------------------------
disable 9600  0%                0%   Thu Jul 27 2000, 14:03:27

PS1 Capacity:852.60 Watts (20.30 Amps @42V)

System Name              System Location          System Contact           CC
------------------------ ------------------------ ------------------------ ---

Fab Chan Input Output
-------- ----- ------
0        0%    0%
1        0%    0%
2        0%    0%
3        0%    0%
4        0%    0%
5        0%    0%
6        0%    0%
7        0%    0%
8        0%    0%
9        0%    0%
10       0%    0%
11       0%    0%
12       0%    0%
13       0%    0%
14       0%    0%
15       0%    0%
16       0%    0%
17       0%    0%
Console> (enable)

This example shows how to display backplane traffic and fabric channel input and output:
Console> (enable) show traffic

Threshold:100%
Backplane-Traffic Peak Peak-Time
----------------- ---- -------------------------
0% 0% Thu Jul 27 2000, 14:03:27

Fab Chan Input Output
-------- ----- ------
0 0% 0%
1 0% 0%
2 0% 0%
3 0% 0%
4 0% 0%
.
.
.
14 0% 0%
15 0% 0%
16 0% 0%
17 0% 0%
Console> (enable)

Displaying Switching Mode Configuration


To display the switching mode configuration, perform this task in privileged mode:

Task Command
Display the switching mode configuration. show system switchmode

This example shows how to display the switching mode configuration:


Console> (enable) show system switchmode
Switchmode allow:truncated
Switchmode threshold:2
Console> (enable)

Configuring the LCD Banner


You can modify the LCD banner from the supervisor engine by entering the set banner lcd command
to include the following information:
• Chassis serial number
• Switch IP address
• System Name
• Supervisor engine version
• Multilayer Switch Feature Card (MSFC) version on active and standby supervisor engine
• System contact
After the LCD banner content is modified, this information is sent to the Switch Fabric Modules installed
in the chassis and displayed in the LCDs.
To modify the LCD banner content, perform this task in privileged mode:

Task                                      Command
Step 1  Modify the LCD banner content.    set banner lcd c [text] c
Step 2  Verify the LCD banner change.     show banner

This example shows how to modify the LCD banner for the Switch Fabric Module:
Console> (enable) set banner lcd &HelloWorld!&
LCD banner set
Console> (enable) show banner
MOTD banner:

LCD config:
Hello
World!

Chapter 44
Configuring a VoIP Network

This chapter describes how to configure a Voice-over-IP (VoIP) network on the Catalyst 6000 family
switches.

Note While this chapter introduces a number of Cisco networking products related to VoIP, the primary
focus of the chapter is to provide configuration information for integrating Catalyst 6000 family
products into your VoIP network.

Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:


• Hardware and Software Requirements, page 44-1
• Understanding How a VoIP Network Works, page 44-2
• Understanding How VLANs Work, page 44-8
• Configuring VoIP on a Switch, page 44-9

Hardware and Software Requirements


The hardware and software requirements for the Catalyst 6000 family switches and Cisco CallManager
are as follows:
• Catalyst 4000, 5000, and 6000 switches running supervisor engine software release 6.1(1) or later
releases.
• Cisco CallManager release 3.0 or later releases

Understanding How a VoIP Network Works


A telephony system built on an IP network instead of the traditional circuit-switched private branch
exchange (PBX) network is called an IP PBX system. See Figure 44-1; the individual components of this
system are described in these sections:
• Cisco IP Phone 7960, page 44-2
• Cisco CallManager, page 44-4
• Access Gateways, page 44-4
• How a Call Is Made, page 44-7

Figure 44-1 IP PBX System

[Figure: Cisco CallManager connected through the IP cloud to Catalyst 6500 series switches carrying the following components]
• Analog trunk gateway to the PSTN or PBX
• Digital trunk gateway (WS-X6608-T1/E1) to the PSTN or PBX
• Analog station gateway (WS-X6624-FXS) to analog stations (phone, fax, modem)
• Voice Gateway 200 to analog stations (phone, fax, modem)
• 10/100BASE-TX module* with WS-PWR-PNL inline-power patch panel to an IP phone and a PC
• 10/100BASE-TX module (WS-X6348-RJ45V) to an IP phone and a PC

* Catalyst 4000, 5000, and 6000 10/100 modules

Cisco IP Phone 7960


The Cisco IP Phone 7960 provides connectivity to the IP PBX system. The IP phone has two RJ-45 jacks
for connecting to external devices, a LAN-to-phone jack and a PC-to-phone jack. The jacks use either
Category 3 or Category 5 unshielded twisted-pair (UTP) cable. The LAN-to-phone jack is used to
connect the phone to the LAN using a crossover cable; a workstation or a PC can be connected to the
PC-to-phone jack using a straight-through cable.
The IP phone is Dynamic Host Configuration Protocol (DHCP) capable. Optionally, the IP phone can
be programmed with a static IP address.

The IP phone can be powered by the following sources:


• External power source—Optional transformer and power cord for connecting to a standard wall
receptacle.
• WS-X6348-RJ45V 10/100 switching module—Provides inline power to the IP phone.
• WS-PWR-PNL—Inline-power patch panel provides inline power to the IP phone. The inline patch
panel allows the IP phone to be connected to existing Catalyst 4000, 5000, and 6000 family
10/100BASE-TX switching modules.
Examples 1 through 4 in Figure 44-2 show how to connect the Cisco IP Phone 7960 and PCs to the
Catalyst 6000 family switch.

Figure 44-2 Connecting the Cisco IP Phone 7960 to the Catalyst 6000 Family Switch

Example 1—Single Cisco IP Phone 7960


Example 1 shows one IP phone connected to the 10/100 port on the Catalyst 6000 family switch. The
PC-to-phone jack on the phone is not used. The phone can be powered through either the 10/100 port or
wall-powered.

Example 2—Single PC
Example 2 shows one PC connected to the 10/100 port on the Catalyst 6000 family switch. The PC is
wall-powered.

Example 3—One Cisco IP Phone 7960 and One PC


Example 3 shows one IP phone connected to the 10/100 port on the Catalyst 6000 family switch and one
PC connected to the PC-to-phone jack on the phone. The PC behaves as if it is connected directly to the
10/100 port on the Catalyst 6000 family switch. The phone can be powered through the 10/100 port or
wall-powered. The PC must be wall-powered.

Example 4—Two Cisco IP Phone 7960s and One PC


Example 4 shows two IP phones daisy-chained from the 10/100 port on the Catalyst 6000 family switch
(the second phone connected to the PC-to-phone jack of the first) and one PC connected to the
PC-to-phone jack on the second phone. The PC behaves as if it is connected directly to the 10/100 port
on the Catalyst 6000 family switch. The first phone can be powered through the 10/100 port or
wall-powered. The second phone and the PC must be wall-powered.

Note For information on configuring Cisco IP phones and third-party vendor phones, refer to the
documentation that shipped with the phone.

Cisco CallManager
Cisco CallManager is an open and industry-standard call processing system; its software runs on a
Windows NT server and sets up and tears down calls between phones, integrating traditional PBX
functionality with the corporate IP network. Cisco CallManager manages the components of the IP PBX
system, the phones, access gateways, and the resources necessary for such features as call conferencing
and media mixing. Each Cisco CallManager manages the devices within its zone and exchanges
information with the Cisco CallManager in charge of another zone to make calls possible across multiple
zones. Additionally, Cisco CallManager can work with existing PBX systems to route a call over the
Public Switched Telephone Network (PSTN).

Note For information on configuring Cisco CallManager to work with the IP devices described in this
chapter, refer to the Cisco CallManager Administration Guide, Release 3.0, the Configuration Notes
for Cisco CallManager Release 3.0, and the Cisco CallManager v3.0 Remote Serviceability Users
Guide publications.

Access Gateways
Access gateways allow the IP PBX system to talk to existing PSTN or PBX systems. Access gateways
consist of analog station gateways, analog trunk gateways, digital trunk gateways, and a converged voice
gateway.
These sections describe the gateways:
• Analog Station Gateway, page 44-4
• Analog Trunk Gateway, page 44-5
• Digital Trunk Gateway, page 44-6
• Converged Voice Gateway, page 44-7

Analog Station Gateway


The Catalyst 6000 family 24-port Foreign Exchange Station (FXS) analog interface module allows plain
old telephone service (POTS) phones and fax machines to connect to the IP PBX network. The analog
station gateway behaves like the PSTN side for the POTS equipment. It requires an IP address, is
registered with Cisco CallManager in its domain, and is managed by Cisco CallManager.

The 24-port FXS analog interface module features are listed in Table 44-1.
To configure the analog station interfaces, see the “Configuring VoIP on a Switch” section on page 44-9.

Table 44-1 24-Port FXS Analog Interface Module Features

Digital Signal Processing Per Port
• G.711 and G.729 voice encoding
• Silence suppression; voice activity detection
• Comfort noise generation
• Ringer, software programmable frequency and cadence, based on country
• DTMF (dual tone multifrequency) detection
• Signaling, loop start
• Line echo cancellation (32 ms)
• Impedance (600 ohms)
• Programmable analog gain, signaling timers
• Fax passthrough
• SPAN (Switched Port Analyzer) or port mirroring support

FXS Interface Features
• Address signaling formats: In-band DTMF
• Signaling formats: Loop start
• Ringing tone: Programmable
• Ringing voltage: Programmable, based on country
• Ringing frequency: Programmable, based on country
• Distance: 500-ohms maximum loop

Analog Trunk Gateway


Cisco access analog trunk gateways allow the IP PBX to connect to the PSTN or PBX. The gateway
supports up to eight trunks to the PSTN and appears like a phone to the trunk lines coming from the
PSTN. Using this gateway, the IP PBX places an IP call through the PSTN. Similar to the analog station
gateway, the analog trunk gateway provides line echo cancellation and dual tone multifrequency
(DTMF) tone generation and detection. The analog trunk gateway does not provide ring voltage as it is
not connected to POTS end devices such as POTS-phones or fax machines. The analog trunk gateway
requires an IP address, is registered with Cisco CallManager in its domain, and is managed by Cisco
CallManager.
To configure the analog trunk gateways, refer to the documentation that shipped with the gateway.

Digital Trunk Gateway


The Catalyst 6000 family 8-port T1/E1 PSTN interface module is a high-density, eight-port T1/E1 VoIP
module that can provide either digital T1/E1 connectivity to the PSTN or transcoding and conferencing.
The module requires an IP address, is registered with Cisco CallManager in its domain, and is managed
by Cisco CallManager.
The module software is downloaded from a TFTP server. Depending upon which software you
download, the ports can serve as T1/E1 interfaces or the ports support transcoding and conferencing.
Transcoding and conferencing functions are mutually exclusive. For every transcoding port in use, one
less conferencing port is available and vice versa.
To configure the 8-port T1/E1 PSTN interfaces, see the “Configuring VoIP on a Switch” section on
page 44-9.
The 8-port T1/E1 PSTN interface module features are listed in Table 44-2.

Table 44-2 8-Port T1/E1 PSTN Interface Module Features

Digital Signal Processing Per T1/E1 Port
• G.711 to G.723 and G.729a transcoding (maximum of 8 x 32 channels of transcoding)
• Conference bridging, meet-me and ad-hoc conference modes (maximum of 8 x 16 channels of
conferencing)
• Comfort noise generation
• Fax passthrough
• Silence suppression, voice activity detection
• Line echo cancellation
• Common channel signaling:
  For T1: 23 DS0 channels for voice traffic; the 24th channel is used for signaling
  For E1: 29 DS0 channels for voice traffic; the 16th channel is reserved for signaling
  Any channel can be configured for common channel signaling
• ISDN Primary Rate Interface signaling: each interface supports 23 channels for T1 and 30 channels
for E1. The default mode is for the 24th T1 channel or 16th E1 channel to be reserved for signaling.
Both network side and user side operation modes are supported.
• T1 binary 8-zero substitution/alternate mark inversion (B8ZS/AMI) line coding, u-law or a-law
coding
• E1 HDB3 line coding
• T1 line bit rate: 1.544 Mbps
• E1 line bit rate: 2.048 Mbps
• T1 line code: AMI, B8ZS
• E1 line code: HDB3
• Framing format: D4 superframe and extended superframe

Link Management
• FDL (Facilities Data Link) is a link management protocol used to help diagnose problems and gather
statistics on T1 lines

Converged Voice Gateway


The Cisco Voice Gateway 200 (VG200) allows you to connect standard POTS phones (connected
directly to the gateway or anywhere on the PSTN) with Cisco IP or any H.323-compliant telephony
devices. When used with Cisco CallManager, the VG200 functions as a Media Gateway Control
Protocol (MGCP) gateway. The Cisco VG200 provides a 10/100BASE-T Ethernet port for connection
to the data network. The following telephony connections are also available:
• One to four Foreign Exchange Office (FXO) ports for connecting to a central office or PBX
• One to four FXS ports for connecting to POTS telephony devices
• One or two T1 digital ports for connecting to the following:
– PSTN using FXO emulation
– T1 channel bank using FXS emulation
– PBX through a trunk (tie) line using ear and mouth (E&M) emulation
These ports can be used to integrate a VoIP network with POTS devices, PBXs, or the PSTN.
To configure the Cisco VG200, refer to the documentation that shipped with the gateway.

How a Call Is Made


An IP phone connects to a LAN either through a hub port or a switch port. The IP phone boots up and
uses DHCP to get its IP address and the IP address of its TFTP file server. The IP phone uses its IP
address to talk to the TFTP server and gets its configuration file. The configuration file includes the IP
address of the phone’s Cisco CallManager(s). The phone then talks with Cisco CallManager and
registers itself. Each time a phone boots up, it might get a different IP address. Cisco CallManager
associates a consistent user phone number with a particular phone by using the MAC address of the
phone: it always maintains a table mapping the “phone MAC address” to the “phone number,” and each
time a phone registers, the table is updated with the new IP address. During registration,
Cisco CallManager downloads the key pad template and the feature capability for the phone and tells the
phone which run-time image it should use. The phone then goes to the TFTP server to get its run-time
image. Each phone has a dedicated TCP connection to Cisco CallManager called the “control channel.”
All control information, such as key presses, goes from the phone to Cisco CallManager through this
channel, and instructions to generate ring tone, busy tone, and so on come from Cisco CallManager to
the phone through this channel.
Cisco CallManager stores the IP-address-to-phone-number mapping (and vice versa) in its tables. When
a user wants to call another user, the user keys in the called party’s phone number. Cisco CallManager
translates the phone number to an IP address and generates an IP packet version of ring tone to the called
IP phone through the TCP connection. When the called IP phone receives the packet, it generates a ring
tone. When the user picks up the phone, Cisco CallManager instructs the called IP phone to start talking
with the calling party and removes itself from the loop. From this point on, the call goes between the two
IP phones through the Real-Time Transport Protocol (RTP) which runs over the User Datagram Protocol
(UDP). Because voice packets are sensitive to delays, TCP is not suitable for voice transmission as
timeouts and retries increase the delay between packets. When any change occurs during the call due to
a feature being pressed on one of the phones, or one of the users hanging up or pressing the flash button,
the information goes to Cisco CallManager through the control channel.
If a call is made to a number outside of the IP PBX network, Cisco CallManager routes the call to an
analog or digital trunk gateway which in turn routes it to the PSTN.

Understanding How VLANs Work


This section describes native VLANs and auxiliary VLANs. This section uses the following
terminology:
• Auxiliary VLAN—Separate VLAN for IP phones
• Native VLAN—Traditional VLAN for data
• Auxiliary VLAN ID—VLAN ID of an auxiliary VLAN
• Native VLAN ID—VLAN ID of a native VLAN

Note For more information about VLANs, see Chapter 11, “Configuring VLANs.”

Figure 44-3 shows how a Cisco IP Phone 7960 can be connected to a Catalyst 6000 family switch.

Figure 44-3 Switch-to-Phone Connections

When the IP phone connects to a 10/100 port on the Catalyst 6000 family switch, the access port
(PC-to-phone jack) of the IP phone can be used to connect a PC.
Packets to and from the PC and to and from the phone share the same physical link to the switch and the
same port of the switch. Various configurations of connecting the phone and the PC are possible (see the
“Cisco IP Phone 7960” section on page 44-2).
Introducing IP-based phones into existing switch-based networks raises the following issues:
• The current VLANs might be configured on an IP subnet basis and additional IP addresses might
not be available to assign the phone to a port so that it belongs to the same subnet as other devices
(PC) connected to the same port.
• Data traffic present on the VLAN supporting phones might reduce the quality of VoIP traffic.

You can resolve these issues by isolating the voice traffic onto a separate VLAN on each of the ports
connected to a phone. The switch port configured for connecting a phone would have separate VLANs
configured for carrying the following:
• Voice traffic to and from the IP phone (auxiliary VLAN)
• Data traffic to and from the PC connected to the switch through the access port of the IP phone
(native VLAN)
Isolating the phones on a separate, auxiliary VLAN increases the quality of the voice traffic and allows
a large number of phones to be added to an existing network where there are not enough IP addresses.
A new VLAN means a new subnet and a new set of IP addresses.
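The following Python example is added here to illustrate the classification a phone-connected port performs; it is not part of this guide or of the Catalyst software. It builds constructed Ethernet frames, one 802.1Q-tagged with the auxiliary VLAN ID and a CoS value as the IP phone sends its voice traffic, and one untagged as the PC behind the phone sends its data, and shows which VLAN each lands in. The VLAN IDs (native 10, auxiliary 200), the sample MAC addresses and payloads, and the rule that a frame tagged with any other VLAN ID is dropped are assumptions made for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Assumed port configuration for the example: data on native VLAN 10,
# phones on auxiliary VLAN 200 (set port auxiliaryvlan mod/port 200).
NATIVE_VID = 10
AUX_VID = 200


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    hdr = bytes.fromhex(dst.replace("-", "")) + bytes.fromhex(src.replace("-", ""))
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)   # TCI = PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tag(frame):
    """Return (vid, pcp, ethertype); vid and pcp are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None, None, tpid            # untagged: field 12..14 is the EtherType
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, ethertype


def classify(frame, native_vid=NATIVE_VID, aux_vid=AUX_VID):
    """Assign a frame arriving on a phone-connected port to a VLAN.

    Returns (vlan_id, cos, kind) or None when the frame is dropped.
    Untagged and priority-tagged (VID 0) frames belong to the native VLAN;
    frames tagged with the auxiliary VLAN ID are voice traffic and keep
    their CoS; any other tagged VLAN is dropped (an assumption of this
    example, the guide does not describe that case).
    """
    vid, pcp, _ = parse_tag(frame)
    if vid is None:
        return native_vid, 0, "data"
    if vid == 0:
        return native_vid, pcp, "data"
    if vid == aux_vid:
        return aux_vid, pcp, "voice"
    return None


# Constructed sample frames: what the phone and the PC behind it would send.
PHONE_MAC, PC_MAC, GW_MAC = "02-00-00-00-00-01", "02-00-00-00-00-02", "02-00-00-00-00-fe"
VOICE_FRAME = build_frame(GW_MAC, PHONE_MAC, 0x0800, b"RTP...", vid=AUX_VID, pcp=5)
DATA_FRAME = build_frame(GW_MAC, PC_MAC, 0x0800, b"HTTP...")
PRIO_FRAME = build_frame(GW_MAC, PC_MAC, 0x0800, b"HTTP...", vid=0, pcp=3)
OTHER_FRAME = build_frame(GW_MAC, PC_MAC, 0x0800, b"...", vid=300)


def demo():
    """Classify the four sample frames; returns a list of (name, result)."""
    return [(name, classify(f)) for name, f in
            (("voice", VOICE_FRAME), ("data", DATA_FRAME),
             ("priority-tagged", PRIO_FRAME), ("other-vlan", OTHER_FRAME))]


if __name__ == "__main__":
    for name, result in demo():
        print(f"{name:16} -> {result}")
```

The classification is by tag alone: a frame tagged with the auxiliary VLAN ID is placed on the voice VLAN whichever device behind the port sent it, which is why the per-port QoS settings for the phone described later in this chapter also matter.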

Configuring VoIP on a Switch


This section describes the command-line interface (CLI) commands and the procedures used to
configure the Catalyst 6000 family switch for VoIP operation:
• Voice-Related CLI Commands, page 44-9
• Configuring Per-Port Power Management, page 44-10
• Configuring Auxiliary VLANs on Catalyst LAN Switches, page 44-19
• Configuring the Access Gateways, page 44-21
• Displaying Active Call Information, page 44-27
• Configuring QoS in the Cisco IP Phone 7960, page 44-29

Note You must enable Cisco Discovery Protocol (CDP) on the Catalyst 6000 family switch port connected
to the IP phone in order to communicate information such as auxiliary VLAN ID, per-port power
management details, and quality of service (QoS) configuration information.

Voice-Related CLI Commands


Table 44-3 lists the CLI commands described in the configuration procedures.

Table 44-3 Voice-Related CLI Command Module and Platform Support

CLI Commands                          WS-X6348-RJ45V  WS-X6608-T1/E1  WS-X6624-FXS
------------------------------------  --------------  --------------  ------------
Inline-power related commands
set port inlinepower                  X
set inlinepower defaultallocation     X
show port inlinepower                 X
show environment power                X               X               X
Voice-related commands
set port auxiliaryvlan                XX
show port auxiliaryvlan               XX
set port voice interface                              X               X
show port voice interface                             X               X
show port voice                       X               X               X
show port voice fdl                                   X
show port voice active                X               X               X
QoS commands related to voice
set port qos mod/port cos-ext         XX
set port qos mod/port trust-ext
show port qos                         XX

WS-X6348-RJ45V = 48-port 10/100BASE-TX switching module with voice daughter card.
WS-X6608-T1 and WS-X6608-E1 = 8-port T1/E1 ISDN PRI modules.
WS-X6624-FXS = 24-port FXS analog station interface module.
X = command supported on Catalyst 6000 family switches only; XX = command supported on Catalyst 4000,
5000, and 6000 family switches (note that all modules listed in Table 44-3 are supported only on
Catalyst 6000 family switches).

Configuring Per-Port Power Management


This section describes per-port power management and the CLI commands used to configure power
management for IP phones.

Note To determine the exact power requirements for your configuration to ensure that you are within the
system power budget, see the “Determining System Power Requirements” section on page 20-14.

Note This section applies to the WS-X6348-RJ45V 10/100BASE-TX Ethernet switching module only. For
information on powering IP phones connected to other Catalyst 10/100BASE-TX switching
modules, refer to the Catalyst Family Inline-Power Patch Panel Installation Note publication.

For each IP phone connected to the WS-X6348-RJ45V module, the supervisor engine software allocates
part of the available system power to power up and run the phone. The power can be applied on an
individual port basis.
Only one IP phone can be powered per port; the phone must be connected directly to the switch port. If
a second phone is daisy chained off the phone connected to the switch port, the second phone cannot be
powered by the switch.

This section describes the following:


• Using show Commands to Display Module Type and Version Information, page 44-11
• Power Management Modes, page 44-12
• Phone Detection Summary, page 44-14
• Error Detection and Handling, page 44-16
• Setting the Power Mode of a Port or Group of Ports, page 44-17
• Setting the Default Power Allocation for a Port, page 44-17
• Displaying the Power Status for Modules and Individual Ports, page 44-18

Using show Commands to Display Module Type and Version Information


The Catalyst 6000 family 48-port 10/100BASE-TX Ethernet switching module has three versions:
• WS-X6248-RJ-45—standard 10/100BASE-TX switching module
• WS-X6348-RJ-45—enhanced 10/100BASE-TX switching module (enhanced QoS features and
128K per port packet buffers), accepts field-upgradable voice daughter card
• WS-X6348-RJ45V—enhanced 10/100BASE-TX switching module with voice daughter card
When you enter the show module command, the WS-X6348 modules both display as WS-X6348-RJ-45
in the “Model” field. To determine if the module has a voice daughter card installed, look at the “Sub”
field. For example, in the following display, the 10/100BASE-TX module in slot 8 does not have a voice
daughter card, while the module in slot 9 does have a voice daughter card.
To display module status and information, perform this task in normal mode:

Task: Display module status and information.
Command: show module [mod]

This example shows that there is a submodule field that provides information about submodules. The
EARL daughter card is treated as a submodule while the Multilayer Switch Feature Card (MSFC)
internal router is not treated as a submodule. The model number for the voice daughter card, as shown
in the display, is WS-F6K-VPWR.
Console> (enable) show module
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- ------
1   1    2     1000BaseX Supervisor      WS-X6K-SUP1A-2GE    yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC         no  ok
8   8    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      no  ok
9   9    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok

Mod Module-Name         Serial-Num
--- ------------------- -----------
1                       SAD03436055
15                      SAD03432597
9                       SAD03414268

Mod MAC-Address(es)                        Hw     Fw         Sw
--- -------------------------------------- ------ ---------- ------------------
1   00-30-80-f7-a5-06 to 00-30-80-f7-a5-07 1.0    5.2(1)     6.2(0.32-Eng)FTL
    00-30-80-f7-a5-04 to 00-30-80-f7-a5-05
    00-30-a3-4a-a0-00 to 00-30-a3-4a-a3-ff
15  00-d0-bc-ee-d0-dc to 00-d0-bc-ee-d1-1b 1.2    12.0(3)XE1 12.0(3)XE1
8   00-d0-c0-c8-83-ac to 00-d0-c0-c8-83-db 1.1    4.2(0.24)V6.1(0.37)FTL
9   00-50-3e-7c-43-00 to 00-50-3e-7c-43-2f 0.201  5.3(1)

Mod Sub-Type                Sub-Model           Sub-Serial  Sub-Hw
--- ----------------------- ------------------- ----------- ------
1   L3 Switching Engine     WS-F6K-PFC          SAD03451187 1.0
9   Inline Power Module     WS-F6K-VPWR                     1.0
Console> (enable)
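The following Python example is added here to show how the show module output can be parsed to inventory inline-power capability across a chassis; it is not part of this guide or of the Catalyst software. Its input is a constructed copy of the module and submodule tables above (the other tables are omitted). The parser takes the column boundaries from the dashed ruler line under each header, which is how the supervisor engine lays that output out, and reports which slots carry a WS-F6K-VPWR daughter card and which WS-X6348-RJ-45 modules have no submodule and so could accept one. The exact spacing of the sample is an assumption modeled on the output above.

```python
import re

# Constructed sample modeled on the show module output above: the module
# table and the submodule table only, as the supervisor engine prints them.
SHOW_MODULE = """\
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- ------
1   1    2     1000BaseX Supervisor      WS-X6K-SUP1A-2GE    yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC         no  ok
8   8    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      no  ok
9   9    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok

Mod Sub-Type                Sub-Model           Sub-Serial  Sub-Hw
--- ----------------------- ------------------- ----------- ------
1   L3 Switching Engine     WS-F6K-PFC          SAD03451187 1.0
9   Inline Power Module     WS-F6K-VPWR                     1.0
"""

VOICE_CARD = "WS-F6K-VPWR"   # Sub-Model of the inline-power daughter card


def _column_ends(dash_line):
    """Right edge of every dash group in a '--- ----' ruler line."""
    return [m.end() for m in re.finditer(r"-+", dash_line)]


def _cells(line, ends):
    """Cut one line into cells. Each cell runs from the end of the previous
    column to the end of its own dash group (so a value that starts a little
    early is still captured); the last cell runs to the end of the line."""
    cells, start = [], 0
    for i, end in enumerate(ends):
        stop = len(line) if i == len(ends) - 1 else end
        cells.append(line[start:stop].strip())
        start = end
    return cells


def parse_table(lines):
    """Parse one fixed-width table (header, ruler, rows) into a list of dicts."""
    ends = _column_ends(lines[1])
    names = _cells(lines[0], ends)
    return [dict(zip(names, _cells(line, ends))) for line in lines[2:]]


def parse_show_module(text):
    """Split show module output into tables keyed by the header's second word
    ("Slot" for the module table, "Sub-Type" for the submodule table)."""
    tables, block = {}, []
    for line in text.splitlines() + [""]:          # trailing "" flushes the last block
        if line.strip() and not line.startswith("Console>"):
            block.append(line)
            continue
        if len(block) >= 2 and re.fullmatch(r"[- ]+", block[1]):
            tables[block[0].split()[1]] = parse_table(block)
        block = []
    return tables


def inline_power_modules(text):
    """Slots whose submodule is the voice daughter card: [(mod, model, ports), ...]."""
    tables = parse_show_module(text)
    by_mod = {row["Mod"]: row for row in tables["Slot"]}
    return [(int(r["Mod"]), by_mod[r["Mod"]]["Model"], int(by_mod[r["Mod"]]["Ports"]))
            for r in tables["Sub-Type"] if r["Sub-Model"] == VOICE_CARD]


def modules_without_voice_card(text):
    """WS-X6348-RJ-45 modules with no submodule: candidates for the daughter card."""
    return [int(r["Mod"]) for r in parse_show_module(text)["Slot"]
            if r["Model"] == "WS-X6348-RJ-45" and r["Sub"] == "no"]


if __name__ == "__main__":
    print("inline power:", inline_power_modules(SHOW_MODULE))
    print("no voice card:", modules_without_voice_card(SHOW_MODULE))
```

Keying on the Sub-Model field rather than the "Sub" column matters: module 1 in the sample also shows "yes" under Sub, but its submodule is the PFC, not the inline-power card.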

To display the version of modules and submodules, perform this task in normal mode:

Task: Display the version of modules and submodules.
Command: show version [mod]

This example shows the version of modules and submodules:


Console> (enable) show version 2
Mod Port Model Serial # Versions
--- ---- ------------------- ----------- --------------------------------------
2 2 WS-X6K-SUP2-2GE SAD04450LF1 Hw : 1.1
Fw : 6.1(2)
Fw1: 6.1(3)
Sw : 6.3(0.62)PAN
Sw1: 6.3(0.62)PAN
WS-F6K-PFC2 SAD04440HVU Hw : 1.0
Console>

Power Management Modes


Each port is configured through the CLI, SNMP, or a configuration file to be in one of the following
modes (configured through the set port inlinepower CLI command):
• Auto—The supervisor engine directs the switching module to power up the port only if the
switching module discovers the phone.
• Off—The supervisor engine does not direct the switching module to power up the port even if an
unpowered phone is connected.
Each port also has a status, defined as one of the following:
• on—Power is supplied by the port.
• off—Power is not supplied by the port.
• power-deny—The supervisor engine does not have enough power to allocate to the port; power is
not being supplied by the port.
• faulty—The port is unable to provide power to the connected device.

These sections provide information related to IP phone power requirements and management:
• Unpowered Phone, page 44-13
• Power Requirements, page 44-13
• Wall-Powered Phones, page 44-13
• Powering Off the Phone, page 44-14
• Phone Removal, page 44-14
• High-Availability Support, page 44-14

Unpowered Phone

When an unpowered phone is discovered on a switching module port, the switching module reports to
the supervisor engine that an unpowered phone is present and on which module/port. If the port is
configured in Auto mode, the supervisor engine determines if there is enough available system power
to allow the switching module to power up and run the phone. If there is sufficient power, the supervisor
engine removes the default allocated power required by a phone from the total available system power
and then sends a message to the switching module instructing it to provide power to the port. If there is
not enough available power for the phone, the supervisor engine sends a message to the switching
module indicating that power is denied to the port.
After power is applied to the port, the supervisor engine monitors the port to ensure that the link comes
up. If the link does not come up within 4 seconds, the supervisor engine instructs the switching module
to turn power off. The entire cycle is repeated, and the switching module performs discovery and reports
to the supervisor engine if a device is present on the port.

Power Requirements

IP Phones may have different power requirements. The supervisor engine initially allocates the
configured default of 7W (167 mA at 42V) to the Cisco IP Phone. When the correct amount of power is
determined from the CDP messaging with the Cisco IP Phone, the supervisor engine reduces or increases
the allocated power.
For example, the default allocated power is 7W. A Cisco IP Phone requiring 6.3W is plugged into a port.
The supervisor engine allocates 7W for the Cisco IP Phone and powers it up. Once the Cisco IP Phone
is operational, it sends a CDP message with the actual power requirement to the supervisor engine. The
supervisor engine then decreases the allocated power to the required amount.

Wall-Powered Phones

When a wall-powered phone is present on a switching module port, the switching module cannot detect
its presence. The supervisor engine discovers the phone through CDP messaging with the port. If the
phone supports inline power (the supervisor engine determines this through CDP), and the mode is set
to Auto or Off, the supervisor engine does not attempt to power on the port. If a power outage occurs,
and the mode is set to Auto, the phone loses power, but the switching module discovers the phone and
informs the supervisor engine, which then applies inline power to the phone.

Powering Off the Phone

The supervisor engine can turn off power to a specific port by sending a message to the switching
module. That power is then added back to the available system power. This situation occurs only when
you power off the phone through the CLI or SNMP.

Phone Removal

The switching module informs the supervisor engine if a powered phone is removed using a link-down
message. The supervisor engine then adds the allocated power for that port back to the available system
power.
In addition, the switching module informs the supervisor engine if an unpowered phone is removed.

Caution When a phone cable is plugged into a port and power is turned on, the supervisor engine has a
4-second timeout waiting for the link to go up on the line. During those 4 seconds, if the phone cable
is unplugged and a network device is plugged in, the device could be damaged. We recommend that
you wait at least 10 seconds between unplugging a device and plugging in a new device.

High-Availability Support

To support high availability during a failover from the active supervisor engine to the standby supervisor
engine, the per-port power management and phone status information is synchronized between the active
and standby supervisor engines.
The information to be synchronized (on a per-port basis) is the presence of a phone, the phone power
status (on, off, denied, or faulty), and the amount of power consumed by the phone. The active supervisor
engine sends this information to the standby supervisor engine, and the standby supervisor engine
updates its internal data structures. When a switchover occurs, the standby supervisor engine allocates
power to the modules and ports from the available power, one module at a time. Once the power for each
module has been allocated, the supervisor engine allocates power to the phones, beginning with the
lowest slot number, until all inline powered ports have been either powered on, off, or denied.

Phone Detection Summary


Figure 44-4 shows how the system detects a phone connected to a Catalyst 6000 family switch port.

Figure 44-4 Power Detection Summary

[Figure: five scenarios for a device connected to a Catalyst switch 10/100 module]
• Cisco phone: the switching module discovers the phone.
• Cisco phone or third-party phone, wall-powered: the supervisor engine discovers the phone through
CDP and/or IEEE.
• Third-party phone without CDP, wall-powered: the switching module will not discover the phone
because CDP is not supported; however, the supervisor engine detects the phone and powers it up.
• Network device: the phone is inserted but has not booted, then the phone is removed and a network
device is plugged in. Inline power might damage the network device.
• Network device, or Cisco phone or third-party phone with CDP, wall-powered: the supervisor engine
discovers the phone through CDP and/or IEEE.

Error Detection and Handling


This section describes how the Catalyst 6000 family switch handles fault detection and errors related to
per-port power management.
These sections discuss fault detection and power-management error scenarios:
• Device is Powered but Link is Not Up, page 44-16
• Port is Unable to Provide Inline Power to the Device, page 44-16
• Not Enough Available Power to Power the Device, page 44-16
• Power Supply Configured from Nonredundant to Redundant, page 44-16
• Power Supply Configured from Redundant to Nonredundant, page 44-16

Device is Powered but Link is Not Up

The supervisor engine detects that the device is powered but the link is not up by setting a timeout when
the switching module is directed to power up the device. If the timeout occurs and the supervisor engine
has not received a “link up” for the port, this syslog message is displayed:
1999 Jul 14 10:05:58 %SYS-5-PORT_DEVICENOLINK: Device on Port 4/7 powered, no link up.

The supervisor engine also directs the switching module to power off the port. The switching module
then performs discovery again on the port.

Port is Unable to Provide Inline Power to the Device

The switching module detects if there is a problem providing inline power to the device and reports this
problem to the supervisor engine. This syslog message is displayed:
1999 Jul 14 10:05:58 %SYS-5-PORT_INLINEPWRFLTY: Port 4/7 reporting inline power as faulty.

Not Enough Available Power to Power the Device

The supervisor engine tracks the available power left in the system and does not power up any ports if
no available power remains. This syslog message is displayed:
1999 Jul 14 10:05:58 %SYS-5-PORT_NOPOWERAVAIL: Device on Port 4/7 will remain unpowered.

The supervisor engine informs the switching module that power to the port is denied.

Power Supply Configured from Nonredundant to Redundant

Depending upon the number and type of modules in the chassis, some modules might need to be powered
off to prevent overdrawing the power supply. The supervisor engine first powers off inline-powered ports
and reallocates the power those ports were using; only if that is not enough does it start powering off
whole modules and reallocating the power used by each module.

Power Supply Configured from Redundant to Nonredundant

Once a module that was powered down due to lack of power is powered up and comes online, the module
begins discovery on the ports to determine the presence of unpowered connected devices (phones). The
module reports discovered devices to the supervisor engine, which then directs the switching module to
power up the device (if the port is configured to do so).

Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4


44-16 78-13315-02
Chapter 44 Configuring a VoIP Network
Configuring VoIP on a Switch

For modules that are already powered on, but have devices connected that are power denied, the
supervisor engine attempts to power on the devices starting with the lowest numbered slot to the highest
numbered slot, and from the lowest port number to the highest port number, one module at a time.
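The three syslog messages above are what an operator sees; the following is an added example (not code from the Cisco guide) that parses them and groups the events per port, so that a port which keeps powering a device that never brings its link up stands out from a one-off message. The regular expression follows the CatOS message layout shown in the guide; the log lines in SAMPLE_LOG are constructed, and the thresholds (three no-link events inside ten minutes) are assumptions.

```python
"""Triage Catalyst 6000 (CatOS) inline-power syslog messages.

Added example: not code from the Cisco guide. The message formats are the
three %SYS-5-PORT_* messages shown in the guide; SAMPLE_LOG is constructed
input and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CatOS syslog layout: "<YYYY Mon DD HH:MM:SS> %FACILITY-SEV-MNEMONIC: text"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"%(?P<fac>[A-Z0-9]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)
PORT_RE = re.compile(r"\bPort (\d+/\d+)\b")

# Only the three inline-power messages from the guide are of interest.
POWER_MNEMONICS = {"PORT_DEVICENOLINK", "PORT_INLINEPWRFLTY", "PORT_NOPOWERAVAIL"}


def parse_line(line):
    """Return (timestamp, mnemonic, port) for an inline-power message, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("mnem") not in POWER_MNEMONICS:
        return None
    p = PORT_RE.search(m.group("text"))
    if not p:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y %b %d %H:%M:%S")
    return ts, m.group("mnem"), p.group(1)


def triage(lines, nolink_limit=3, window=timedelta(minutes=10)):
    """Group inline-power events per port and return a dict of findings.

    - 'flapping': ports with >= nolink_limit PORT_DEVICENOLINK events inside
      `window`. The guide says the supervisor powers the port off after the
      link timeout and the module runs discovery again, so a device that
      draws power but never brings the link up produces a repeating message.
    - 'faulty': ports that reported PORT_INLINEPWRFLTY (hardware or cabling).
    - 'denied': ports refused power because the budget was exhausted.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, mnem, port = parsed
            events[port].append((ts, mnem))

    findings = {"flapping": {}, "faulty": set(), "denied": set()}
    for port, evs in events.items():
        nolink = sorted(ts for ts, m in evs if m == "PORT_DEVICENOLINK")
        # Sliding window: size of the densest cluster of no-link events.
        best = 0
        for i, start in enumerate(nolink):
            j = i
            while j < len(nolink) and nolink[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= nolink_limit:
            findings["flapping"][port] = best
        if any(m == "PORT_INLINEPWRFLTY" for _, m in evs):
            findings["faulty"].add(port)
        if any(m == "PORT_NOPOWERAVAIL" for _, m in evs):
            findings["denied"].add(port)
    return findings


# Constructed sample log (not captured from a real switch).
SAMPLE_LOG = """\
1999 Jul 14 10:05:58 %SYS-5-PORT_DEVICENOLINK: Device on Port 4/7 powered, no link up.
1999 Jul 14 10:06:40 %SYS-5-MOD_OK: Module 3 is online.
1999 Jul 14 10:07:31 %SYS-5-PORT_DEVICENOLINK: Device on Port 4/7 powered, no link up.
1999 Jul 14 10:08:02 %SYS-5-PORT_INLINEPWRFLTY: Port 4/9 reporting inline power as faulty.
1999 Jul 14 10:09:05 %SYS-5-PORT_DEVICENOLINK: Device on Port 4/7 powered, no link up.
1999 Jul 14 10:12:17 %SYS-5-PORT_NOPOWERAVAIL: Device on Port 4/12 will remain unpowered.
1999 Jul 14 11:30:00 %SYS-5-PORT_DEVICENOLINK: Device on Port 4/8 powered, no link up.
""".splitlines()

if __name__ == "__main__":
    for kind, value in triage(SAMPLE_LOG).items():
        print(kind, value)
```

Port 4/7 is reported as flapping because its three no-link events fall within one window, while the single event on 4/8 is left alone; lines that are not inline-power messages are ignored by the parser rather than breaking it.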

Setting the Power Mode of a Port or Group of Ports


To set the power mode of a port or group of ports, perform this task in privileged mode:

Task Command
Set the power mode of a port or group of ports. set port inlinepower mod/port {off | auto}

This example shows how to set the power mode of a port or group of ports:
Console> (enable) set port inlinepower 2/5 off
Inline power for port 2/5 set to off.
Console> (enable) set port inlinepower 2/3-9 auto
Inline power for ports 2/3-9 set to auto.
Console> (enable)

Setting the Default Power Allocation for a Port


To set the default power allocation for a port, perform this task in privileged mode:

Task                                          Command
Set the default power allocation for a port.  set inlinepower defaultallocation value
The value is in milliwatts; the example below sets 9500 mW, that is 9.5 W per port.

This example shows how to set the default power allocation for a port:
Console> (enable) set inlinepower defaultallocation 9500
Default inline power allocation set to 9500 mWatt per applicable port.
Console> (enable)

Displaying the Power Status for Modules and Individual Ports


To display the power status for modules and individual ports, perform this task in normal mode:

Task                                                        Command
Display the power status for modules and individual ports.  show port inlinepower [mod[/port]]

This example shows how to display the power status for modules and individual ports:
Console> show port inlinepower 3/2-6
Default Inline Power allocation per port: 9.500 Watts (0.22 Amps @42V)
Total inline power drawn by module 3: 0 Watt
Port   InlinePowered            PowerAllocated
       Admin  Oper    Detected  mWatt    mA @42V
-----  -----  ------  --------  -------  -------
3/2    auto   on      yes       10.00    0.250
3/3    auto   on      yes       9.8      0.198
3/4    auto   denied  yes       0        0
3/5    off    off     no        0        0
3/6    off    off     yes       0        0
Console>

The Operational (Oper) status field descriptions in the display are as follows:
• on—Power is supplied by the port.
• off—Power is not supplied by the port.
• denied—The system does not have enough available power for the port.
• faulty—The port is unable to supply power.

Displaying the System, Module, and Port Power Status


To display the power supply, module, and per-port power status, perform this task in privileged mode:

Task                                                          Command
Display the power status for the system, modules, and ports.  show environment power [mod]

This example shows how to display the power status for modules and individual ports:
Console> (enable) show environment power 5
Feature not supported on module 5.
Console> (enable) show environment power 9
Module 9:
Default Inline Power allocation per port: 9.500 Watts (0.22 Amps @42V)
Total inline power drawn by module 9: 0 Watt

Slot power Requirement/Usage :

Slot  Card Type            PowerRequested    PowerAllocated    CardStatus
                           Watts   A @42V    Watts   A @42V
----  -------------------  ------  ------    ------  ------    ----------
9     WS-X6348             123.06  2.93      123.06  2.93      ok

Default Inline Power allocation per port: 9.500 Watts (0.22 Amps @42V)
Port   InlinePowered            PowerAllocated
       Admin  Oper    Detected  mWatt    mA @42V
-----  -----  ------  --------  -------  -------
9/1    auto   off     no        0        0
9/2    auto   off     no        0        0
9/3    auto   off     no        0        0
9/4    auto   off     no        0        0
9/5    auto   off     no        0        0
9/6    auto   off     no        0        0
9/7    auto   off     no        0        0
9/8    auto   off     no        0        0
.
(display text omitted)
.
9/48   auto   off     no        0        0
Console> (enable)

Console> (enable) show environment power
PS1 Capacity: 1153.32 Watts (27.46 Amps @ 42V)
PS2 Capacity: none
PS Configuration : PS1 and PS2 in Redundant Configuration.

Total Power Available: 1153.32 Watts (27.46 Amps @ 42V)
Total Power Available for Line Card Usage: 1153.32 Watts (27.46 Amps @ 42V)
Total Power Drawn From the System: 289.80 Watts (6.90 Amps @ 42V)
Remaining Power in the System: 863.52 Watts (20.56 Amps @42V)
Default inline power allocation: 10.5 Watts/port (0.25 Amps @ 42V)

Slot power Requirement/Usage :

Slot  Card-Type            Power-Requested   Power-Allocated   Card-Status
                           Watts   A @ 42V   Watts   A @ 42V
----  -------------------  ------  -------   ------  -------   ------------
1                          0.00    0.00      126.42  3.01      none
2     WS-X6K-SUP1-2GE      138.60  3.30      138.60  3.30      ok
3     WS-X6348-RJ-45       114.24  2.72      151.20  3.60      ok
5     WS-X6348-RJ-45       109.20  2.60      100.88  2.40      partial-deny
6     Unknown              112.98  2.69      0       0         unknown
7     WS-X6248-RJ-45       84.84   2.02      0       0         power-bad
9     WS-X6416-GE-MT       105.00  2.50      0       0         power-deny
Console> (enable)

A partial-deny status indicates that some module ports are inline powered but not all the ports on the
module are inline powered. Note also that this display reports PS1 and PS2 in a redundant configuration
while PS2 Capacity is none: with only one supply installed, the redundant configuration provides no backup
supply, and the total available power is that of the single supply.
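As an added example for the display above (not code from the Cisco guide), the following script parses a show environment power display, reads the power budget from the summary lines, and lists the slots whose Card-Status is partial-deny, power-deny, power-bad or unknown together with the watts they asked for but did not get. It also flags the situation visible in the display, where the supplies are configured as redundant but PS2 Capacity is none. SAMPLE_DISPLAY is constructed from the guide's output; the set of statuses treated as problems is an assumption.

```python
"""Audit a CatOS `show environment power` display.

Added example, not from the Cisco guide. It parses the display format
reproduced in the guide and reports the slots whose Card-Status shows a
power problem, with the gap between requested and allocated watts, and
flags a redundant supply configuration whose second supply bay is empty.
SAMPLE_DISPLAY is a constructed copy of the guide's sample output.
"""
import re

# "Key : value" summary lines, e.g. "Total Power Available: 1153.32 Watts (...)"
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<val>.+?)\s*$")

# Card-Status values the guide shows for slots that did not get the power
# they asked for, or whose state could not be determined (assumption).
PROBLEM_STATUSES = {"partial-deny", "power-deny", "power-bad", "unknown"}


def _is_number(tok):
    try:
        float(tok)
        return True
    except ValueError:
        return False


def parse_summary(display):
    """Return {key: value} for the summary lines above the slot table."""
    summary = {}
    for line in display.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("key").strip()] = m.group("val")
    return summary


def parse_slot_rows(display):
    """Return {slot: {...}} from the 'Slot power Requirement/Usage' table.

    Rows are parsed from the right because the Card-Type column may be empty
    (slot 1 in the sample): the last token is the status, the four before it
    are requested W/A and allocated W/A, whatever is left is the card type."""
    slots = {}
    for line in display.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or not tokens[0].isdigit():
            continue
        if not all(_is_number(t) for t in tokens[-5:-1]):
            continue
        req_w, _req_a, alloc_w, _alloc_a = (float(t) for t in tokens[-5:-1])
        slots[int(tokens[0])] = {
            "card": " ".join(tokens[1:-5]),
            "requested_w": req_w,
            "allocated_w": alloc_w,
            "status": tokens[-1],
        }
    return slots


def audit(display):
    """Summarise the power budget and list problem slots."""
    summary = parse_summary(display)
    slots = parse_slot_rows(display)

    def watts(key):
        return float(summary[key].split()[0]) if key in summary else None

    ps_config = summary.get("PS Configuration", "")
    ps2 = summary.get("PS2 Capacity", "").strip().lower()
    return {
        "available_w": watts("Total Power Available"),
        "drawn_w": watts("Total Power Drawn From the System"),
        "remaining_w": watts("Remaining Power in the System"),
        # Configured redundant, but no second supply is present: nothing to
        # fail over to, and the budget is that of a single supply.
        "false_redundancy": "Redundant" in ps_config and ps2 == "none",
        "problem_slots": {
            slot: (info["status"], round(info["requested_w"] - info["allocated_w"], 2))
            for slot, info in slots.items()
            if info["status"] in PROBLEM_STATUSES
        },
    }


# Constructed from the guide's sample display; not a live capture.
SAMPLE_DISPLAY = """\
PS1 Capacity: 1153.32 Watts (27.46 Amps @ 42V)
PS2 Capacity: none
PS Configuration : PS1 and PS2 in Redundant Configuration.

Total Power Available: 1153.32 Watts (27.46 Amps @ 42V)
Total Power Available for Line Card Usage: 1153.32 Watts (27.46 Amps @ 42V)
Total Power Drawn From the System: 289.80 Watts (6.90 Amps @ 42V)
Remaining Power in the System: 863.52 Watts (20.56 Amps @42V)
Default inline power allocation: 10.5 Watts/port (0.25 Amps @ 42V)

Slot power Requirement/Usage :

Slot  Card-Type            Power-Requested   Power-Allocated   Card-Status
                           Watts   A @ 42V   Watts   A @ 42V
----  -------------------  ------  -------   ------  -------   ------------
1                          0.00    0.00      126.42  3.01      none
2     WS-X6K-SUP1-2GE      138.60  3.30      138.60  3.30      ok
3     WS-X6348-RJ-45       114.24  2.72      151.20  3.60      ok
5     WS-X6348-RJ-45       109.20  2.60      100.88  2.40      partial-deny
6     Unknown              112.98  2.69      0       0         unknown
7     WS-X6248-RJ-45       84.84   2.02      0       0         power-bad
9     WS-X6416-GE-MT       105.00  2.50      0       0         power-deny
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_DISPLAY).items():
        print(f"{key}: {value}")
```

Parsing the slot rows from the right rather than by column position is what makes the empty Card-Type on slot 1 harmless; the same approach copes with the integer "0" that the switch prints for allocated power on denied slots.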

Configuring Auxiliary VLANs on Catalyst LAN Switches


These sections describe how to configure auxiliary VLANs:
• Understanding Auxiliary VLANs, page 44-19
• Auxiliary VLAN Configuration Guidelines, page 44-20
• Configuring Auxiliary VLANs, page 44-20
• Verifying Auxiliary VLAN Configuration, page 44-21

Understanding Auxiliary VLANs


You can configure switch ports to send CDP packets that instruct an attached Cisco IP Phone 7960 to
transmit voice traffic to the switch in these frame types:
• 802.1Q frames carrying the auxiliary VLAN ID and Layer 2 CoS set to 5 (the switch port drops all
802.1Q frames except those carrying the auxiliary VLAN ID).
– Reset the Cisco IP Phone 7960 if the auxiliary VLAN ID changes.
– Enter the set port auxiliaryvlan mod[/port] aux_vlan_id command.

Note We recommend that you use 802.1Q frames and a separate VLAN, so that voice traffic is carried in its own VLAN rather than in the native VLAN shared with the device attached to the phone.

• 802.1p frames, which are 802.1Q frames carrying VLAN ID 0 and Layer 2 CoS set to 5 (enter the
set port auxiliaryvlan mod[/port] dot1p command)
• 802.3 frames, which are untagged and carry no VLAN ID and no Layer 2 CoS value (enter the set
port auxiliaryvlan mod[/port] untagged command)

Note The Cisco IP Phone 7960 always sets Layer 3 IP precedence to 5 in voice traffic.

Auxiliary VLAN Configuration Guidelines


Follow these guidelines when configuring auxiliary VLANs:
• An auxiliary VLAN port is operationally a trunk, even though it is not treated like a “normal” trunk
port. When an auxiliary VLAN is added to a port and the set dot1q-all-tagged command is enabled, the
native VLAN is also tagged on that port. A port with an auxiliary VLAN configured is not shown as a
dot1q trunk in the show trunk command output, but the port acts like a dot1q trunk if the
set dot1q-all-tagged command is enabled.
• The IP phone and a device attached to the phone are in the same VLAN and must be in the same IP
subnet:
– If they use the same frame type
– If the phone uses 802.1p frames and the device uses untagged frames
– If the phone uses untagged frames and the device uses 802.1p frames
– If the phone uses 802.1Q frames and the auxiliary VLAN equals the native VLAN
• The IP phone and a device attached to the phone cannot communicate if they are in the same VLAN
and subnet but use different frame types, because traffic between devices in the same subnet is not
routed (routing would eliminate the frame type difference).
• You cannot use switch commands to configure the frame type used by traffic received from a device
attached to the phone’s access port.
• With software release 6.2(1) and later releases, dynamic ports can belong to two VLANs—a native
VLAN and an auxiliary VLAN. See Chapter 18, “Configuring Dynamic Port VLAN Membership
with VMPS,” for configuration details for auxiliary VLANs.

Configuring Auxiliary VLANs


To configure auxiliary VLANs, perform this task in privileged mode:

Task                        Command
Configure auxiliary VLANs.  set port auxiliaryvlan mod[/ports] {vlan | untagged | dot1p | none}

This example shows how to add voice ports to auxiliary VLANs, specify an encapsulation type, or
specify that the VLAN will not send or receive CDP messages with voice-related information:
Console> (enable) set port auxiliaryvlan 2/1-3 222
Auxiliaryvlan 222 configuration successful.
AuxiliaryVlan AuxVlanStatus Mod/Ports
------------- ------------- -------------------------
222 active 1/2,2/1-3
Console> (enable) set port auxiliaryvlan 5/7 untagged
Port 5/7 allows the connected device send and receive untagged packets and without 802.1p
priority.
Console> (enable) set port auxiliaryvlan 5/9 dot1p
Port 5/9 allows the connected device send and receive packets with 802.1p priority.
Console> (enable) set port auxiliaryvlan 5/12 none
Port 5/12 will not allow sending CDP packets with Voice VLAN information.
Console> (enable)

The default setting is none. Table 44-4 lists the set port auxiliaryvlan command keywords and their
descriptions.

Table 44-4 Keyword Descriptions

Keyword   Action of the Phone
dot1p     Specify that the phone send packets with 802.1p priority 5.
untagged  Specify that the phone send untagged packets.
none      Specify that the switch not send any auxiliary VLAN information in the CDP packets from that port.

Verifying Auxiliary VLAN Configuration


To verify auxiliary VLAN configuration status, perform this task in privileged mode:

Task                                        Command
Verify auxiliary VLAN configuration status.  show port auxiliaryvlan {vlan | untagged | dot1p | none}

This example shows how to verify the configuration status of auxiliary VLAN 222, which was configured above:
Console> show port auxiliaryvlan 222
AuxiliaryVlan AuxVlanStatus Mod/Ports
------------- ------------- -------------------------
222           active        1/2,2/1-3
Console>

Configuring the Access Gateways


This section describes the commands used to configure the following Catalyst 6000 family access
gateway modules:
• Analog station gateway—24-port FXS analog interface module
• Digital trunk gateway—8-port T1/E1 PSTN interface module

Configuring Port Voice Interface


If DHCP is enabled for a port, the port obtains its IP address from the DHCP server and all other
configuration information from the TFTP server. When you disable DHCP on a port, you must specify the
port IP address and the TFTP server address yourself, and the following also apply:
• If you do not specify DNS parameters, the software uses the system DNS configuration on the
supervisor engine to configure the port.
• 8-port T1/E1 PSTN interface module only: You cannot specify more than one port at a time because
a unique IP address must be set for each port.
Neither DHCP nor TFTP authenticates the server, so a gateway port trusts whatever server answers at the
address it is given (or, with DHCP enabled, whatever DHCP server answers first); keep those servers and
the voice VLAN out of reach of untrusted hosts.

To configure port voice interface for DHCP, TFTP, and DNS servers, perform this task in privileged
mode:

Task                                                            Command
Configure port voice interface for DHCP, TFTP, and DNS servers.  set port voice interface mod/port dhcp enable [vlan vlan]
                                                                set port voice interface mod/port dhcp disable {ipaddrspec} {tftp ipaddr} [vlan vlan] [gateway ipaddr] [dns [ipaddr] [domain_name]]

These examples show how to configure the port voice interface for DHCP, TFTP, and DNS servers:
Console> (enable) set port voice interface 7/1 dhcp enable
Port 7/1 DHCP enabled.

Console> (enable) set port voice interface 7/3 dhcp disable 171.68.111.41/24 tftp 173.32.43.11 dns 172.20.34.204 cisco.com
Port 7/3 dhcp disabled.
System DNS configurations applied.

Console> (enable) set port voice interface 7/4-6 dhcp enable vlan 3
Vlan 3 configuration successful
Ports 7/4-6 DHCP enabled.
Console> (enable)

Displaying Port Voice Interface


To display the port voice interface configuration, perform this task in privileged mode:

Task Command
Display the port voice interface configuration. show port voice interface [mod[/port]]

This example shows how to display the port voice interface configuration (this display is from the
24-port FXS analog interface module):
Console> show port voice interface 5
Port      DHCP     MAC-Address        IP-Address       Subnet-Mask
--------  -------  -----------------  ---------------  ---------------
5/1-24    disable  00-10-7b-00-13-ea  10.6.15.158      255.255.255.0

Port      Call-Manager(s)    DHCP-Server      TFTP-Server      Gateway
--------  -----------------  ---------------  ---------------  ---------------
5/1-24    10.6.15.155        -                10.6.15.155      -

Port      DNS-Server(s)      Domain
--------  -----------------  -------------------------------------------------
5/1-24    12.2.2.1*          cisco.cisco.com
          7.7.7.7
(*): Primary
Console>

Displaying FDL Statistics

Note FDL (Facilities Data Link) is the maintenance channel of the T1 extended superframe (ESF) format; the two ends of a T1 link use it to exchange performance statistics and diagnostic messages.

To display Facilities Data Link (FDL) statistics for the specified ports, perform this task in privileged
mode:

Task Command
Display FDL statistics for the specified ports. show port voice fdl [mod[/port]]

This example shows how to display FDL statistics for the specified ports:
Console> (enable) show port voice fdl 7/1-3
Port   ErrorEvents         ErroredSecond       SeverlyErroredSecond
       Last 15'  Last 24h  Last 15'  Last 24h  Last 15'  Last 24h
-----  --------  --------  --------  --------  --------  -----------
7/1    17        18        19        20        21        22
7/2    17        18        19        20        21        22
7/3    17        18        19        20        21        22

Port   FailedSignalState   FailedSignalSecond
       Last 15'  Last 24h  Last 15'  Last 24h
-----  --------  --------  --------  ---------
7/1    37        38        39        40
7/2    37        38        39        40
7/3    37        38        39        40

Port   LES                 BES                 LCV
       Last 15'  Last 24h  Last 15'  Last 24h  Last 15'  Last 24h
-----  --------  --------  --------  --------  --------  --------
7/1    41        48        49        50        53        54
7/2    41        48        49        50        53        54
7/3    41        48        49        50        53        54
Console> (enable)

Table 44-5 describes the possible fields (depending on the port type queried) in the show port voice fdl
command output.

Table 44-5 FDL Field Descriptions

Field                  Description
ErrorEvents            Count of errored events.
ErroredSecond          Count of errored seconds.
SeverelyErroredSecond  Count of severely errored seconds.
FailedSignalState      Count of failed signal state errors.
FailedSignalSecond     Count of failed signal seconds.
LES                    Line errored seconds detected.
BES                    Bursty errored seconds detected.
LCV                    Line code violations detected.

Displaying the Port Configuration for Individual Ports


To display the port configuration for individual ports, perform this task in normal mode:

Task                                              Command
Display the port configuration for individual ports.  show port [mod[/port]]

This section provides the show port command displays for the following gateway modules:
• 8-Port T1/E1 PSTN Interface Module, page 44-24
• 8-Port T1/E1 PSTN Interface Module Configured for Transcoding/Conferencing, page 44-25
• 24-Port FXS Analog Interface Module, page 44-26

8-Port T1/E1 PSTN Interface Module

The Status field shows Layer 2 status of the ports. Possible values are notconnect, connected, disabled,
and faulty. The following display is for the T1 module. The E1 module display would be the same except
the port speed for the E1 module would be 2.048.
Console> show port 7
Port   Name                Status      Vlan        Duplex  Speed  Type
-----  ------------------  ----------  ----------  ------  -----  ------------
7/1                        connected   123         full    1.544  T1
7/2                        connected   2           full    1.544  T1
7/3                        disable     1           full    1.544  T1
7/4                        connected   11          full    1.544  T1
7/5                        connected   123         full    1.544  T1
7/6                        connected   1           full    1.544  T1
7/7                        faulty      2           full    1.544  T1
7/8                        faulty      2           full    1.544  T1

Port      DHCP     MAC-Address        IP-Address       Subnet-Mask
--------  -------  -----------------  ---------------  ---------------
7/1       enable   00-10-7b-00-0a-58  172.20.34.68     255.255.255.0
7/2       enable   00-10-7b-00-0a-59  172.20.34.70     255.255.255.0
7/3       enable   00-10-7b-00-0a-5a  172.20.34.64     255.255.255.0
7/4       enable   00-10-7b-00-0a-5b  172.20.34.66     255.255.255.0
7/5       enable   00-10-7b-00-0a-5c  172.20.34.59     255.255.255.0
7/6       enable   00-10-7b-00-0a-5d  172.20.34.67     255.255.255.0
7/7       enable   00-10-7b-00-0a-5e  (Port host processor not online)
7/8       enable   00-10-7b-00-0a-5f  (Port host processor not online)

Port      Call-Manager(s)    DHCP-Server      TFTP-Server      Gateway
--------  -----------------  ---------------  ---------------  ---------------
7/1       172.20.34.207*     172.20.34.207    172.20.34.207    -
          callm.cisco.com
7/2       172.20.34.207      172.20.34.207    172.20.34.207    172.20.34.20
7/3       172.20.34.207      172.20.34.207    172.20.34.207    -
7/4       172.20.34.207      172.20.34.207    172.20.34.207    -
7/5       172.20.34.207      172.20.34.207    172.20.34.207    -
7/6       172.20.34.207      172.20.34.207    172.20.34.207    -
7/7       (Port host processor not online)
7/8       (Port host processor not online)

Port      DNS-Server(s)    Domain
--------  ---------------  -------------------------------------------------
7/1       172.20.34.207    cisco.com
7/2       172.20.34.207*   int.cisco.com
          171.69.45.34
          172.78.111.132
7/3       172.20.34.207    -
7/4       172.20.34.207    -
7/5       172.20.34.207    -
7/6       172.20.34.207    -
7/7       (Port host processor not online)
7/8       (Port host processor not online)

Port      CallManagerState  DSP-Type
--------  ----------------  --------
7/1       registered        C549
7/2       registered        C549
7/3       registered        C549
7/4       registered        C549
7/5       registered        C549
7/6       notregistered     C549
7/7       (Port host processor not online)
7/8       (Port host processor not online)

Port   NoiseRegen  NonLinearProcessing
-----  ----------  -------------------
7/1    disabled    disabled
7/2    disabled    disabled
7/3    disabled    disabled
7/4    disabled    disabled
7/5    enabled     disabled
7/6    disabled    enabled
7/7    (Port host processor not online)
7/8    (Port host processor not online)

(*): Primary
Console>

8-Port T1/E1 PSTN Interface Module Configured for Transcoding/Conferencing

MTP (media termination point) and Conf Bridge (conference bridge) are port types. Transcoding applies to
a call on an MTP port. In this example a transcoding port shows as “MTP” and a conference port shows as
“Conf Bridge.”
Console> (enable) show port 7
Port   Name                Status      Vlan        Duplex  Speed  Type
-----  ------------------  ----------  ----------  ------  -----  ------------
7/1                        notconnect  1           full    1.544  T1
7/2                        notconnect  1           full    1.544  T1
7/3                        connected   1           full    1.544  T1
7/4                        connected   1           full    1.544  T1
7/5                        connected   1           full    1.544  T1
7/6                        connected   1           full    1.544  T1
7/7                        enabled     1           full    -      Conf Bridge
7/8                        enabled     1           full    -      MTP

Port      DHCP     MAC-Address        IP-Address       Subnet-Mask
--------  -------  -----------------  ---------------  ---------------
7/1       enable   00-10-7b-00-12-08  10.6.15.165      255.255.255.0
7/2       enable   00-10-7b-00-12-09  10.6.15.166      255.255.255.0
7/3       enable   00-10-7b-00-12-0a  10.6.15.167      255.255.255.0
7/4       enable   00-10-7b-00-12-0b  10.6.15.168      255.255.255.0
7/5       enable   00-10-7b-00-12-0c  10.6.15.169      255.255.255.0
7/6       enable   00-10-7b-00-12-0d  10.6.15.170      255.255.255.0
7/7       enable   00-10-7b-00-12-0e  10.6.15.171      255.255.255.0
7/8       enable   00-10-7b-00-12-0f  10.6.15.172      255.255.255.0

Port      Call-Manager(s)    DHCP-Server      TFTP-Server      Gateway
--------  -----------------  ---------------  ---------------  ---------------
7/1       10.6.15.155        10.6.15.155      10.6.15.155      -
7/2       10.6.15.155        10.6.15.155      10.6.15.155      -
7/3       10.6.15.155        10.6.15.155      10.6.15.155      -
7/4       10.6.15.155        10.6.15.155      10.6.15.155      -
7/5       10.6.15.155        10.6.15.155      10.6.15.155      -
7/6       10.6.15.155        10.6.15.155      10.6.15.155      -
7/7       10.6.15.155        10.6.15.155      10.6.15.155      -
7/8       10.6.15.155        10.6.15.155      10.6.15.155      -

Port      DNS-Server(s)      Domain
--------  -----------------  -------------------------------------------------
7/1       -                  -
7/2       -                  -
7/3       -                  -
7/4       -                  -
7/5       -                  -
7/6       -                  -
7/7       -                  -
7/8       -                  -

Port      CallManagerState  DSP-Type
--------  ----------------  --------
7/1       registered        C549
7/2       registered        C549
7/3       registered        C549
7/4       registered        C549
7/5       registered        C549
7/6       registered        C549
7/7       registered        C549
7/8       registered        C549

Port   NoiseRegen  NonLinearProcessing
-----  ----------  -------------------
7/1    enabled     enabled
7/2    enabled     enabled
7/3    enabled     enabled
7/4    enabled     enabled
7/5    enabled     enabled
7/6    enabled     enabled
7/7    disabled    disabled
7/8    disabled    disabled
Console> (enable)

24-Port FXS Analog Interface Module

In this example all ports should have a Type of FXS, and all ports in the same module should belong to
one VLAN:
Console> (enable) show port 3
Port   Name                Status      Vlan        Duplex  Speed  Type
-----  ------------------  ----------  ----------  ------  -----  ------------
3/1                        onhook      1           full    64k    FXS
3/2                        onhook      1           full    64k    FXS
3/3                        onhook      1           full    64k    FXS
3/4                        onhook      1           full    64k    FXS
3/5                        onhook      1           full    64k    FXS
3/6                        onhook      1           full    64k    FXS
3/7                        onhook      1           full    64k    FXS
3/8                        offhook     1           full    64k    FXS
3/9                        offhook     1           full    64k    FXS
3/10                       onhook      1           full    64k    FXS
3/11                       onhook      1           full    64k    FXS
3/12                       onhook      1           full    64k    FXS
3/13                       onhook      1           full    64k    FXS
3/14                       onhook      1           full    64k    FXS
3/15                       onhook      1           full    64k    FXS
3/16                       onhook      1           full    64k    FXS
3/17                       onhook      1           full    64k    FXS
3/18                       onhook      1           full    64k    FXS
3/19                       onhook      1           full    64k    FXS
3/20                       onhook      1           full    64k    FXS
3/21                       onhook      1           full    64k    FXS
3/22                       onhook      1           full    64k    FXS
3/23                       onhook      1           full    64k    FXS
3/24                       onhook      1           full    64k    FXS

Port      DHCP     MAC-Address        IP-Address       Subnet-Mask
--------  -------  -----------------  ---------------  ---------------
3/1-24    enable   00-10-7b-00-13-e4  172.20.34.50     255.255.255.0

Port      Call-Manager(s)    DHCP-Server      TFTP-Server      Gateway
--------  -----------------  ---------------  ---------------  ---------------
3/1-24    172.20.34.207      172.20.34.207    172.20.34.207    -

Port      DNS-Server(s)      Domain
--------  -----------------  -------------------------------------------------
3/1-24    172.20.34.207*     cisco.com
          172.34.23.111

Port      CallManagerState  DSP-Type
--------  ----------------  --------
3/1-24    registered        C549

Port      ToneLocal      Impedance  InputGain(dB)  OutputAtten(dB)
--------  -------------  ---------  -------------  ---------------
3/1-24    northamerica   0          0              0

Port      RingFreq  Timing     Timing          Timing     Timing
          (Hz)      Digit(ms)  InterDigit(ms)  Pulse(ms)  PulseDigit(ms)
--------  --------  ---------  --------------  ---------  --------------
3/1-24    20        100        100             0          0
(*): Primary
Console> (enable)

Displaying Active Call Information


Enter the show port voice active command to display active call information on a port. There are up to
8 calls per port for the 8-port T1/E1 PSTN interface module but only one call per port for the 24-port
FXS analog station interface module.

To display active call information, perform this task in normal mode:

Task                              Command
Display active call information.  show port voice active [mod/port] [all | call | conference | transcode] [ipaddr]

Entering the show port voice active command without any parameters shows all the calls in the system
(regular calls, conference calls, and transcoding calls). Display field descriptions are as follows:
• Type—The “call” notation is for 24-port FXS analog interface module and 8-port PSTN interface
module calls.
When you configure 8-port T1/E1 PSTN interfaces for transcoding and/or conferencing, the Type
field displays “conferencing” for conferencing calls and “transcoding” for transcoding calls.
• Conference-ID, Transcoding-ID, and Party-ID are only applicable to 8-port T1/E1 PSTN interfaces
configured for transcoding and/or conferencing.
This example shows all active calls in the system:
Console> show port voice active
Port   Type          Total  Conference-ID/  Party-ID  IP-Address
                            Transcoding-ID
-----  ------------  -----  --------------  --------  ---------------
3/1    call          1      -               -         199.22.25.254
3/2    call          1      -               -         172.225.25.54
4/5    call          3      -               -         165.34.234.111
                                                      172.32.34.12
                                                      198.96.23.111
3/8    conferencing  2      1               1         255.255.255.241
                                            2         173.23.13.42
                                            3         198.97.123.98
                                            5         182.34.54.26
                            2               1         199.22.25.25
                                            3         182.34.54.2
                                            6         121.43.23.43
3/2    call          1      -               -         172.225.25.54
3/8    transcoding   1      1               1         255.255.255.241
                                            2         183.32.43.3

This example shows how to display detailed call information for a port (specifying the module only, this
example shows detailed call information for all ports on the module):
Console> show port voice active 3/2
Port 3/2:
Channel #1:
Remote IP address : 165.34.234.111
Remote UDP port : 124
Call state : Ringing
Codec Type : G.711
Coder Type Rate : 35243
Tx duration : 438543 sec
Voice Tx duration : 34534 sec
ACOM Level Current : 123213
ERL Level : 123 dB
Fax Transmit Duration : 332433
Hi Water Playout Delay : 23004 ms
Logical If index : 4
Low water playout delay : 234 ms
Receive delay : 23423 ms
Receive bytes : 2342342332423
Receive packets : 23423423402384
Transmit bytes : 23472377
Transmit packets : 94540
Channel #2:
Remote IP address : 165.34.234.112
Remote UDP port : 125
Call state : Ringing
Codec Type : G.711
Coder Type Rate : 35243
Tx duration : 438543 sec
Voice Tx duration : 34534 sec
ACOM Level Current : 123213
ERL Level : 123 dB
Fax Transmit Duration : 332433
Hi Water Playout Delay : 23004 ms
Logical If index : 4
Low water playout delay : 234 ms
Receive delay : 23423 ms
Receive bytes : 2342342332423
Receive packets : 23423423402384
Transmit bytes : 23472377
Transmit packets : 94540
Channel #3:
.
(display text omitted)
.
Console>

This example shows how to display a specific call at a specified IP address:
Console> show port voice active 3/2 171.69.67.91
Remote IP address : 171.69.67.91
Remote UDP port : 125
Call state : Ringing
Codec Type : G.711
Coder Type Rate : 35243
Tx duration : 438543 sec
Voice Tx duration : 34534 sec
ACOM Level Current : 123213
ERL Level : 123 dB
Fax Transmit Duration : 332433
Hi Water Playout Delay : 23004 ms
Logical If index : 4
Low water playout delay : 234 ms
Receive delay : 23423 ms
Receive bytes : 2342342332423
Receive packets : 23423423402384
Transmit bytes : 23472377
Transmit packets : 94540
Console>

Configuring QoS in the Cisco IP Phone 7960


These sections describe QoS in the Cisco IP Phone 7960:
• Understanding How QoS Works in the Cisco IP Phone 7960, page 44-30
• Configuring QoS in the Cisco IP Phone 7960, page 44-30

Understanding How QoS Works in the Cisco IP Phone 7960

Note The Cisco IP Phone 7960 always sets Layer 3 IP precedence and Layer 2 CoS to 5 in voice traffic
generated by the phone. The Layer 3 IP precedence and Layer 2 CoS values in voice traffic generated
by the phone are not configurable.

You can configure the Cisco IP Phone 7960 access port (see Figure 44-5) to either trusted or untrusted
mode.
Untrusted mode means that all traffic in 802.1Q or 802.1p frames received through the access port is
re-marked with a configured Layer 2 CoS value; the default Layer 2 CoS value is 0. Untrusted mode is the
default when the phone is connected to a Cisco LAN switch.
Trusted mode means that all traffic received through the access port passes through the phone switch
unchanged, including any CoS value the attached device set itself. Trusted mode is the default when the
phone is not connected to a Cisco LAN switch.
Traffic in frame types other than 802.1Q or 802.1p passes through the phone switch unchanged,
regardless of the access port trust state, because untagged frames carry no Layer 2 CoS field.
Leave the access port untrusted unless you control the attached device: in trusted mode a host behind
the phone can mark its own frames with CoS 5 and contend with the voice traffic for the same priority
treatment.

Figure 44-5 Configuring QoS on the IP Phone Ports
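The frame types from “Understanding Auxiliary VLANs” and the access-port trust rule above, reduced to runnable code. This is an added example written for this page, not code from the Cisco guide or from the phone: it builds the three voice frame types (802.1Q tagged with the auxiliary VLAN ID, 802.1p priority-tagged with VID 0, and untagged), applies the phone's trusted/untrusted re-marking to frames from the PC port, and then applies the switch-side rule that an auxiliary VLAN port accepts tagged frames only when they carry the auxiliary VLAN ID. The MAC addresses and the native VLAN 10 are constructed; auxiliary VLAN 222 is the one configured in the guide's example; placing VID-0 and untagged frames in the native VLAN is an assumption stated in the code.

```python
"""Model the voice frame types, the phone access-port trust rule and the
switch-side auxiliary VLAN ingress rule described in this chapter.

Added example, not from the Cisco guide or the phone firmware. The frame
layout follows IEEE 802.1Q (TPID 0x8100, TCI = PCP:3 | DEI:1 | VID:12);
the trust and ingress rules are the ones stated in the guide, reduced to
functions. Assumptions are marked in comments.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

PC_MAC = bytes.fromhex("001122334455")     # constructed addresses
PHONE_MAC = bytes.fromhex("00aabbccddee")
GW_MAC = bytes.fromhex("0000000c0001")
PAYLOAD = b"\x45" + b"\x00" * 19           # placeholder IPv4 header bytes

AUX_VLAN = 222      # auxiliary VLAN from the guide's example
NATIVE_VLAN = 10    # assumed native (data) VLAN; not from the guide


def build_frame(dst, src, payload, vid=None, cos=0):
    """Return an Ethernet frame: vid=None -> untagged 802.3 frame,
    vid=0 -> 802.1p (priority-tagged), vid=1..4094 -> 802.1Q tagged."""
    hdr = dst + src
    if vid is not None:
        tci = (cos & 0x7) << 13 | (vid & 0xFFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tag(frame):
    """Return (cos, vid) for a tagged frame, or None for an untagged one."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci >> 13, tci & 0xFFF
    return None


def phone_access_port(frame, trusted, cos_ext=0):
    """What the phone's internal switch does to a frame from the PC (access)
    port. Untrusted: every 802.1Q/802.1p frame is re-marked with cos_ext
    (default 0). Trusted: passed unchanged. A frame without a tag has no
    CoS field, so it passes unchanged either way. The VID is never touched."""
    tag = parse_tag(frame)
    if trusted or tag is None:
        return frame
    _, vid = tag
    tci = (cos_ext & 0x7) << 13 | vid
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


def switch_ingress(frame, aux_vlan, native_vlan):
    """Classify a frame arriving on a switch port with an auxiliary VLAN.
    Returns (vlan, cos), or None when the frame is dropped. Rule from the
    guide: tagged frames are accepted only if they carry the auxiliary VLAN
    ID. Assumption: VID 0 (802.1p) and untagged frames go to the native
    VLAN, and an untagged frame has no CoS of its own (None)."""
    tag = parse_tag(frame)
    if tag is None:
        return native_vlan, None
    cos, vid = tag
    if vid == 0:
        return native_vlan, cos
    if vid == aux_vlan:
        return aux_vlan, cos
    return None


def scenarios(trusted=False, cos_ext=0):
    """Send each frame type through phone and switch; {name: (vlan, cos) | None}."""
    voice = build_frame(GW_MAC, PHONE_MAC, PAYLOAD, vid=AUX_VLAN, cos=5)
    pc_untagged = build_frame(GW_MAC, PC_MAC, PAYLOAD)
    pc_dot1p = build_frame(GW_MAC, PC_MAC, PAYLOAD, vid=0, cos=5)
    pc_aux_tag = build_frame(GW_MAC, PC_MAC, PAYLOAD, vid=AUX_VLAN, cos=5)
    pc_other_tag = build_frame(GW_MAC, PC_MAC, PAYLOAD, vid=30, cos=5)

    def via_pc_port(f):
        return switch_ingress(phone_access_port(f, trusted, cos_ext), AUX_VLAN, NATIVE_VLAN)

    return {
        "phone voice (802.1Q, CoS 5)": switch_ingress(voice, AUX_VLAN, NATIVE_VLAN),
        "pc untagged": via_pc_port(pc_untagged),
        "pc 802.1p CoS 5": via_pc_port(pc_dot1p),
        "pc tagged with aux VLAN, CoS 5": via_pc_port(pc_aux_tag),
        "pc tagged with other VLAN": via_pc_port(pc_other_tag),
    }


if __name__ == "__main__":
    for trusted in (False, True):
        print("access port", "trusted" if trusted else "untrusted")
        for name, result in scenarios(trusted=trusted).items():
            print(f"  {name:32s} -> {result}")
```

Compare the untrusted and trusted runs: the trust setting changes only the CoS field, never the VLAN ID. Under the rule as the guide states it, a frame that a host behind the phone tags with the auxiliary VLAN ID is accepted into the voice VLAN with its CoS rewritten to cos-ext, while a frame tagged with any other VLAN is dropped; the trust mode is therefore a priority control, not a voice/data separation control.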

Configuring QoS in the Cisco IP Phone 7960


These sections describe how to configure QoS in the Cisco IP Phone 7960:
• Setting the Phone Access Port Trust Mode, page 44-31
• Setting the Phone Access Port CoS Value, page 44-31
• Verifying the Phone Access Port QoS Configuration, page 44-31

Setting the Phone Access Port Trust Mode

To set the phone access port trust mode, perform this task in privileged mode:

Task                                  Command
Set the phone access port trust mode.  set port qos mod/ports... trust-ext {trusted | untrusted}

This example shows how to set the phone access port to the trusted mode:
Console> (enable) set port qos 3/7 trust-ext trusted
Port in the phone device connected to port 3/7 is configured to be trusted.
Console> (enable)

This example shows how to set the phone access port to the untrusted mode:
Console> (enable) set port qos 3/7 trust-ext untrusted
Port in the phone device connected to port 3/7 is configured to be untrusted.
Console> (enable)

Setting the Phone Access Port CoS Value

To set the phone access port CoS value, perform this task in privileged mode:

Task                                 Command
Set the phone access port CoS value.  set port qos mod/ports cos cos_value
                                     set port qos mod/ports cos-ext cos_value

This example shows how to set the Layer 2 CoS value used by a phone access port in untrusted mode:
Console> (enable) set port qos 2/1 cos-ext 3
Port 2/1 qos cos-ext set to 3.
Console> (enable)

Verifying the Phone Access Port QoS Configuration

To verify QoS configuration information, perform this task in normal mode:

Task Command
Verify QoS configuration information. show port qos [mod[/port]]

This example shows how to verify QoS configuration information:
Console> (enable) show port qos 3/4
<...Output Truncated...>
Port Ext-Trust Ext-Cos
----- --------- -------
3/4 untrusted 0
<...Output Truncated...>

I N D E X

setting retransmission number 45


Numerics
supplicant
10/100-Mbps port speeds, setting 5 automatic reauthentication 42
24-port FXS analog interface module manual reauthentication 42
configuring 26 transport layer packets
description 4 setting retransmission time 45
802.1Q 8-port T1/E1 PSTN interface module
configuring 6 configuring 25
example configuration 13 description 6
mapping VLANs to ISL 9, 10
overview 1
restrictions 4
A
VLAN mapping 10 abbreviating commands 9
802.1x authentication Accelerated Server Load Balancing
disabling multiple hosts 43 See ASLB
EAP-request frames access control entries
setting retransmit time 44 See IOS ACLs
enabling automatic reauthentication 42 See QoS ACE
enabling multiple hosts 43 See VACLs
global access control lists
disabling 41 See IOS ACLs
enabling 40 See QoS ACL
identity frames See VACLs
setting retransmit time 44 access control subsystem
individual ports SNMP entity 7
enabling 41 accessing the MSFC
initializing 41 console port 4
manual reauthentication 42 Telnet session 4
overview 7 accounting
returning to default values 45 configuration guidelines 60
setting automatic reauthentication 42 creating accounting records 57
setting idle time 43 default configuration 59
setting reauthentication manually 42 disabling 61

enabling 60 restricting ARP traffic using VACLs 26


events 57 ASLB
example configuration 63 cabling guidelines 7
overview 56 configuration examples 19
specifying RADIUS servers 58 configuring ASLB on the switch 7
suppressing accounting 59 configuring the LocalDirector interfaces 7
updating the server 59 data forwarding 4
ACE hardware and software requirements 1
See IOS ACLs Layer 2 operation 3
See QoS ACE Layer 3 operation 3
See VACLs overview 1, 2
ACL audience 27
See IOS ACLs authentication
See QoS ACL login
See VACLs enabling 12, 13
addresses overview 2
IP, see IP addresses password 14
MAC, see MAC addresses NTP and 4
address resolution protocol overview 2
See ARP recovering password 16
address table and switching 2 See also
adjacency table 6 Kerberos authentication
administering the switch 1 local authentication
advertisements, VTP 2 login authentication
aggregate policing rule RADIUS authentication
See QoS policing TACACS+ authentication
aging-time authorization
CEF 10 overview 49
MLS 17 See also
PFC2 NetFlow statistics 23 RADIUS
alarms, major and minor 16 TACACS+
aliases autonegotiation
creating for commands 5 duplex 5
IP speed 5
creating 6 trunks 2
designating 6 auto state
AppleTalk, configuring interVLAN routing 4 disabling 7
ARP displaying configuration 6
configuring permanent and static entries 8 overview 5

auxiliary VLANs disabling 10, 12


configuring 19 enabling 9, 11
dynamic port VLAN membership 12 note 9
overview 8 BPDU overview 2
Break key (note) 1
bridge ID and MAC addresses 13
B
bridge ID priority, PVST+ 16
BackboneFast 4 bridge protocol data units
disabling 16 See BPDUs
displaying statistics 16 broadcast suppression 1
enabling 15 disabling 4
figure enabling 3
adding a switch 5, 6 suppressing multicast traffic 5
after indirect link failure 5 suppressing unicast traffic 2
before indirect link failure 4 bundling
back-end authenticator-to-supplicant 45 See EtherChannel
banner
See login banner
C
BOOT environment variables
clearing 11, 12 cache
default 4 IP MLS, displaying entries 22
displaying 12 MLS, overview 5
overview 3 CAM, IP MLS 20
setting 10, 11 capturing traffic flows 38
boot field CDP
overview 2 default configuration 2
setting 5 disabling
boot image and switch 2 globally 2
booting on ports 3
configuration register, setting value 10 displaying neighbor information 5
ignoring NVRAM 9 enabling
booting the MSFC for the first time 4 globally 2
BOOTP and in-band (sc0) interface 9 on ports 3
Bootstrap Protocol holdtime, setting 4
See BOOTP message interval, setting 4
BPDU overview 1
skewing 38 CEF 1
overview 37 adjacency table 6
BPDU guard aging 10

configuration guidelines for multicast 11 See VLANs


configuring 12 clear mls entry command 27, 26
IP multicast 14 clear mls entry ipx command 26
MSFC2 14 clear mls statistics command 28
supervisor engine 12 CLI
displaying information 12 backing out one level 9
examples 7 configuration mode 8
FIB 5 console configuration mode 9
flow masks 10 getting list of commands 9
destination-ip 10 global configuration mode 9
destination-ipx 10 interface configuration mode (IOS) 9
full flow 10 levels of access 8
modes 10 privileged EXEC mode 9
source-destination-ip 10 ROM monitor 1
source-destination-vlan 10 software basics 8
guidelines 11 switch
Layer 3 switching 2 accessing 2
overview 4 console port 2
packet rewrite 2 designating addresses and aliases 6
restrictions for multicast 11 designating modules, ports, VLANs 5
CEF for PFC2 editing 6
See CEF help 8
CGMP history substitution 7
leaving multicast group 3 normal mode 5
channel modes, EtherChannel (table) 3 operating 5
checksum, verifying Flash file 7 overview 2
CIDR, configuring static routes 7 port ranges 5
Cisco CallManager, overview 4 ports, designating 5
Cisco Discovery Protocol privileged mode 5
See CDP shortcuts 6
Cisco Group Management Protocol Telnet 3
See CGMP VLANs, designating 5
Cisco IP Phone 7960 2 clock, setting 4
Cisco VG200 7 command aliases, creating 5
classless interdomain routing command-line interface
See CIDR See CLI
clear boot system flash command 11 commands, getting list of 9
clearing the configuration 8 committing ACLs
clearing VLAN mappings See QoS ACL committing

community ports 14 example PC download 19


CONFIG_FILE variable, setting recurrence 7 example UNIX download 20
configuration PC procedure 16
clearing (switch) 8 preparation 16
MISTP 25 UNIX procedure 17
configuration files ROM monitor baud rate 6
clearing using rcp 8 SLIP and 7
copying using rcp 6 system message logging settings 5
creating 2 user sessions
downloading disconnecting 6
from Flash device 4 monitoring 6
preparation 3 contact, setting 3
rcp 7 content-addressable memory
via TFTP 3 See CAM
guidelines for creating 1 convergence
running configuration improving 33
downloading via rcp 7 COPS
downloading via TFTP 3 communications parameters 65
uploading via rcp 8 configuring 60
uploading via TFTP 5 domain name 65
uploading deleting 65
preparation 5, 8 PDP server configuration
to rcp server 8 deleting 64
to TFTP server 5 port ASICs 61
configuration mode 8 QoS policy source 61
configuration register roles 63
boot field, setting switch 5 deleting 64
CONFIG_FILE recurrence, setting 7 removing 63
default setting 4 selecting locally configured QoS policy 62
ignoring NVRAM at boot 9 selecting local QoS policy 62
overview 2 CoS
ROM monitor console port baud rate 6 See QoS
setting 10
congestion avoidance
D
See QoS congestion avoidance
console configuration mode 9 database, VMPS
console port downloading 7
accessing MSFC 4 example configuration file 9
downloading software images date, setting 4

daylight saving time server


disabling adjustment 7 clearing 3
enabling adjustment 5 specifying 2
default gateway setting up 2
configuring 6 system name and 1
removing 7 system prompt and 1
designated MSFC 22 documentation, related 29
DES key document organization 27
clearing 38 domain name
defining 38 clearing 3
destination-based QoS setting 2
See QoS Domain Name System
destination flow masks 6 See DNS
destination-ip flow masks 10 dot1x
destination-ipx flow masks 10 disabling multiple hosts 43
detection EAP-request frames
BPDU skewing 39 setting retransmit time 44
DHCP enabling automatic reauthentication 42
in-band (sc0) interface and 9 enabling multiple hosts 43
options 3 global
releasing lease 10 disabling 41
renewing lease 10 enabling 40
differentiated services codepoint identity frames
See QoS DSCP setting retransmit time 44
disabling MLS manual reauthentication 42
on MSFC interfaces 14 returning to default values 45
on the supervisor engine (note) 17 setting idle time 43
DISL setting retransmission number 45
See DTP transport layer packets
dispatcher setting retransmission time 45
SNMP entity 7 downloading
DNS configuration files
default configuration 1 from Flash device 4
disabling 3 preparation 3
domain name via rcp 6
clearing 3 via TFTP 3
setting 2 software images
enabling 2 example, multiple module 7, 13
overview 1 example, single module 6, 13

example, supervisor engine 5, 11 encapsulation type descriptions, trunks (table) 2


overview 2 environmental monitoring
preparation 2, 9 LED indications 16
supervisor 3, 10 SNMP traps 16
switching module 4, 10 supervisor engine and switching modules 16
xmodem or ymodem 21 syslog messages 16
drop thresholds using CLI commands 16
See QoS congestion avoidance environment variables
DSCP See BOOT environment variables
See QoS DSCP errdisable timeout, configuring 9
DTP error messages
non-Cisco devices and 4 system message logging (syslog) 1
overview 2 VMPS (table) 8
duplex, Ethernet 5 EtherChannel
Dynamic Host Configuration Protocol administrative groups 2
See DHCP bundling 1
dynamic interswitch link (DISL) protocol channel modes (table) 3
See DTP configuration guidelines 4
dynamic port VLAN membership configuring 5
configuring 5 port modes 5
default configuration 2 port path cost 6
example 10 VLAN cost 6
for auxiliary VLANs 12 example configuration 10, 13
overview 1 frame distribution 3
reconfirming 7 IDs 2
troubleshooting 8 maximum number of channels supported 1, 4
Dynamic Trunking Protocol modes 3
See DTP overview 1
PAgP and 2
port aggregation protocol 2
E
port VLAN cost 6
enable mode 9 Ethernet
enable password autonegotiation, speed 5
recovering lost 16 checking connectivity 13
setting 15 configuring 1
enabling default configuration 3
MLS, on MSFC interfaces 14 flow control keywords (table) 6
enabling IP MMLS overview 1
on MSFC interfaces 15, 30 port duplex, setting 5

port enable state 7 overview 1


port name, setting 4 setting configuration modes 2
port negotiation 7 Flash memory
port speed, setting 5 storing ACLs 42
setting port duplex 8 Flash PC cards, formatting 8
switching frames 2 Flash synchronization
timeout periods 9 examples 14
Ethernet ingress port overview 3
ACLs 16 flowcharts, QoS 3
QoS ACLs 15 flow control 6
ethertypes 16 configuring 6
extended range VLANs keywords (table) 6
See VLANs flow masks
CEF 10
destination-ip 10
F
destination-ipx 10
fast aging-time 19 full flow 10
PFC2 statistics 24 source-destination-ip 10
Fast EtherChannel source-destination-vlan 10
See EtherChannel IP MLS entries and 7
Fast Ethernet IP MLS full flow 6
See Ethernet IPX MLS 6
setting port duplex 8 minimum 19
FIB 5 PFC2 statistics 24
fiber-optic, detecting unidirectional links 1 MLS
filtering syntax for QoS 37 destination 6
filters source-destination-ip 6
See protocol filtering source-destination-vlan 6
filters, NDE modes 6
See NDE filters CEF 10
Flash file system overview 6
checksum 7 flows
files IP MMLS
copying 4 completely and partially switched 8
deleting 6 IP MMLS, completely and partially switched 7
listing 3 MLS 4
restoring 7 multicast
setting default 2 completely and partially switched 8
formatting device 8 formatting Flash devices 8

forwarding information base (FIB) 5 disabling


frame retransmission number 45 globally 9
full flow flow mask 10, 6 on 802.1Q ports 8
enabling
dynamic VLAN creation 4
G
globally 3
GARP Multicast Registration Protocol on 802.1Q ports 3
See GMRP registration
GARP timers, setting 7, 17 fixed 5
Gigabit Ethernet forbidden 6
See Ethernet normal 5
Gigabit Ethernet trunks setting GARP timers 7
See trunks statistics
global configuration mode 9 clearing 8
GMRP viewing 8
default configuration 13 timers 7
disabling
globally 19
H
per-port 14
enabling high availability
globally 13 configuring 11
per-port 14 downloading different image on standby supervisor
engine 13
forward-all option
overview 8
disabling 15
supported features 9
enabling 15
versioning overview 10
hardware and software requirements 13
history, switch CLI 7
overview 4
Hot Standby Routing Protocol
registration
See HSRP
fixed 16
HSRP
forbidden 17
ACLs
normal 16
IOS ACL configuration 22
statistics
reflexive and dynamic ACLs (note) 22
clearing 19
configuration examples 28
viewing 19
configuration requirements 20
timers 17
configuring 26
GVRP
designated MSFC 22
configuration guidelines 2
failure scenarios 24
declarations from blocking ports 6
hardware and software requirements 19, 46
default configuration 2

overview 18 inferior BPDU, BackboneFast and 4


routing protocol peering 20 interface configuration mode 9
interfaces
in-band (sc0) 4, 5, 2
I
SLIP (sl0) 4, 7
ICMP Internet Group Management Protocol
ping See IGMP
executing 8 interVLAN routing
overview 7 AppleTalk, configuring 4
testing connectivity with 13 IP, configuring 3
time exceeded messages 10 IPX, configuring 3
traceroute and 10 overview 1
IGMP IOS
configuration guidelines 7 bringing up interface 11
disabling 12 viewing and saving configuration 11
enabling 7, 8 IOS ACLs 3
enabling rate limiting 8 common uses for 9
joining multicast group 3 features
leave processing supported in PFC 10
disabling 12 supported in PFC II 12
enabling 9 unsupported 27
leaving multicast group 3 hardware and software handling in PFC 10
multicast group hardware and software handling in PFC II 12
clearing 22 hardware requirements 2
configuring 10, 21 overview 1
multicast router ports reflexive ACLs with PFC 11
clearing 21 reflexive ACLs with PFC II 14
specifying 20 supported features 10, 12
overview 2 with VACLS 15
statistics, viewing 11 IP
images accounting, IP MMLS and 13
See software images CIDR and 7
in-band (sc0) interface configuring interVLAN routing 3
configuring 5 default gateway, configuring 6
DHCP and 9 static routes 7
IP address, assigning 5 subnetworks, VLANs and 2
overview 1, 4 IP addresses
RARP and 9 adding to IP permit list 2
VLAN assignment 2 aliases, creating 6

automatic assignment 2 router information 10


BOOTP 9 router ports
clearing from IP permit list 4 clearing 21
designating 6 router ports and 20
DHCP 9 routing table 17, 31
in-band (sc0) interface 5 IP permit list
obtaining from DHCP, BOOTP or RARP 9 addresses, adding 2
RARP 9 caution 4
setting on supervisor 5 clearing entries 4
SLIP (sl0) interface 9 default configuration 2
IP aliases disabling 4
creating 6 enabling 3
designating 6 overview 1
IP CEF IP PIM 15, 29
topology (figure) 8 IP traceroute
IP MLS or IP MMLS executing 11
See MLS overview 10
ip mtu command 11 IPX, configuring interVLAN routing 3
IP multicast IPX MLS
broadcast suppression See MLS
disabling 4 ISL 9
enabling 3 example configuration 9, 10
configuration guidelines mapping 802.1Q VLANs 9, 10
CEF 11 overview 1
displaying routing table 17, 31 isolated port 14
GMRP and 12
group entries 20
J
group information 10
groups jumbo frames
clearing 22 configuring 11
configuring 10, 21 disabling 11
joining 3 enabling 11
IGMP fast-leave processing 12
IGMP snooping and 6
IGMP statistics 11
K
overview 1 Kerberos authentication
router DES key, defining and clearing 38
clearing ports 21 disabling credentials forwarding 37
specifying port for 20

enabling 32 load sharing on trunks 16


enabling credentials forwarding 36 local authentication
login procedure 6 configuration guidelines 11
mapping realm to host name 34 default configuration 10
non-kerberized login procedure 7 disabling 15
overview 4 enable password, setting 15
realm, defining 33 enabling 14
servers, specifying 33 login password, setting 14
SRVTAB files 34 overview 2
SRVTAB files, copying 34 password recovery 16
Telnet connection (figure) 6 location, setting 3
terminology 5, 8 logging messages, VACLs 40
Kermit logical operation unit
example downloads See LOU
caution 16 login authentication
PC procedure 19 enabling 12, 13
UNIX procedure 20 overview 2
PC software download procedure 16 login banners
preparing to download software images 16 clearing 5
UNIX software download procedure 17 configuring 5
keys overview 4
see DES key login passwords
see RADIUS key recovering 16
see TACACS+ key setting 14
loop guard
configuring 17
L
overview 5
Layer 2 forwarding table, IP MMLS and 4 LOU
Layer 2 traceroute utility 9 description 21
Layer 3 switched packet rewrite determining maximum number of 21
CEF 2
MLS 2
M
Layer 3 switching
CEF 2 MAC addresses
MLS 1 address table 2
Layer 4 port operations (ACLs) 20 allocation 13
leave processing, IGMP blocking 1
disabling 12 designating 6
enabling 9 port security and 1

MAC address reduction 13 entries, displaying IP unicast 22


mapping reserved VLANs 9 overview 5
mapping VLANs 10 size (note) 18
markdown (QoS) 22 CAM entries, displaying 20
marking (QoS) 27 clearing
message-of-the-day cache entries 26
See login banner statistics 28
message processing subsystem 8 configuration guidelines
SNMP entity 7, 8 MTU 11
metric values, switch TopN reports (table) 2 routing commands with IP MLS 12
MIBs configuration guidelines for IP MMLS
RMON/RMON2 support (table) 3 MSFC 13
microflow policing rule 22 switches 12
MISTP configuration guidelines for IPX MLS
bridge ID priority 25 interaction with other features 13
caution 23 MTU 14
configuring an instance 25 configuration information, displaying
conflicts, MISTP VLAN 30 IP or IPX 21
default configuration 23 multicast 34
enabling an instance 28 configuring threshold 15, 30
mapping VLANs to 29 debug commands on MSFC 16
MIST-PVST+ 22 debug commands on MSFC2 for multicast traffic 19
port cost 26 debug commands on MSFC for multicast traffic 33
port instance cost 27 debugging
port instance priority 27 on MSFC 19, 16, 33
port priority 26 on supervisor engine 28
unmapping VLANs from 30 default configuration 10
MLS disabling
access lists, flow masks and 6 on MSFC interface 14
aging-time 17 on supervisor engine (note) 17
cache displaying
clearing entries 26 cache entries 22
displaying all entries 22 information 21
displaying by IP destination address 23 multicast routing table 17, 31
displaying by IP source address 24 statistics 20, 35
displaying by IPX destination address 23 enabling
displaying by specific flow 24 IP PIM on MSFC 29
entries, clearing 26 IP PIM on router 15
entries, displaying IP multicast 36 on MSFC interfaces 15, 30

enabling on MSFC interface 14 routers


entries (note) 18 enabling globally 14
examples 8 multicast routing table, displaying 17
fast aging-time 19 PIM, enabling 15
flow masks routing command restrictions 12
access lists and 6 setting minimum flow mask 19
destination 6 specifying aging time 17
full flow 6 specifying fast aging time 19
IP MLS entries and 7 statistics
minimum 19 clearing 28
modes 6 displaying by protocol 27
overview 6 displaying for MLS cache entries 27
source-destination-ip 6 switches
source-destination-vlan 6 cache entries, displaying 36
flows 4 configuration, displaying 34
completely and partially switched 7, 8 NetFlow table entries, displaying 21
completely and partially switched multicast 7, 8 statistics, clearing 21, 36
guidelines 11 statistics, displaying 20, 35
Layer 2 forwarding table 4 switches, disabling (note) 17
monitoring on MSFC 17, 15, 32 topology (figure) 9
MSFC unsupported IP MMLS features 13
disabling on interfaces 14 MMLS
displaying interface information 16, 31 See MLS
enabling globally 29 modules
enabling on interfaces 15, 14, 30 checking status 1
monitoring 17, 15, 32 designating on command-line 5
multicast routing table, displaying 31 downloading software images 4, 10
PIM, enabling 29 status, checking 1
threshold 15, 30 supervisor engine
MTU size configuring 1
IP 11 MOTD
IPX 14 See login banner
NetFlow table entries, displaying 21 MSFC
packet rewrite 2 accessing from switch
packet threshold values for IP 19 console port 4
restrictions 12 telnet session 4
restrictions for IP MMLS, MSFC 13 AppleTalk interVLAN routing, configuring 4
restrictions for IP MMLS, switches 12 as MLS route processor for Catalyst 5000 family
switches 14
route-processor (note) 29

booting for the first time 4 multicast


configuration guidelines groups
interVLAN routing 2 leaving 3
IP MMLS 13 See IP multicast
MLS 11 multicast suppression 2, 5
configuration mode 10 Multilayer Switch Feature Card
configuring See MSFC or MSFC2
Appletalk interVLAN routing 4 Multilayer Switching
interVLAN routing 1 See MLS
IP interVLAN routing 3
IP MMLS 28
N
IPX interVLAN routing 3
MLS 14 NAT 12, 15
MMLS threshold 15, 30 native VLAN
redundancy with HSRP 26 802.1Q and 4
configuring redundancy 18 NDE
displaying IP MMLS interface information 16, 31 configuration, displaying 10
enabling data collection 2
IP multicast routing 29 data export address
MMLS on MSFC interfaces 15, 30 removing 9
IP interVLAN routing, configuring 3 data export collector, specifying 4
IP MMLS, monitoring 17, 32 disabling 9
IPX interVLAN routing, configuring 3 displaying configuration 10
multicast routing table, displaying 31 filters
overview 1 clearing 9
PIM, enabling on MSFC interfaces 29 destination and source subnet 6
session command and 4 destination host, specifying 6
switch console command and 4 destination TCP/UDP port, specifying 7
MSFC2 overview 3
Catalyst 5000 support 1 protocol, specifying 8
configuring source host and destination TCP/UDP port,
IP multicast 14 specifying 7

unicast Layer 3 switching 14 overview 1

enabling IP multicast routing 14 protocols

multicast routing table, displaying 17 removing for statistics collection 8

PIM, enabling on MSFC2 VLAN interfaces 15 specifying for statistics collection 8

MTU RMON 1

IP MLS and 11 specifying

IPX MLS and 14 collectors 4

destination and source subnets 6 setting 5


destination host filters 6 NVRAM
destination TCP/UDP port filters 7 caution 9
protocol filters 8 ignoring content at boot 9
protocols for statistics collection 8 setting configuration modes 2
statistics collection
removing protocols for 8
O
specifying protocols for 8
NetFlow Data Export out of profile
See NDE See QoS out of profile
Network Address Translation
See NAT
network management
P
See RMON packet rewrite
Network Time Protocol CEF 2
See NTP MLS and 2
NMS packets
SPAN, configuring 1 bridged 7
normal-range VLANs multicast 8
See VLANs routed 7
NTP packet threshold
authentication 4 CEF 24
broadcast-client mode IP MLS 19
configuring 3 PAgP 2
disabling 8 passwords
client mode enable 15
configuring 3 login 14
disabling 8 recovering lost 16
daylight saving time adjustment PBF
disabling 7 configuration example 55
enabling 5 configuring 48
default configuration 2 clearing PBF ACEs 52
disabling 8 committing PBF VACLs 51
overview 1 configuring hosts for PBF 53
server configuring VACLs for PBF 50
clearing 7 disabling PBF and clearing the MAC address 49
specifying 3 displaying PBF information 52
time zone displaying PBF statistics 52
clearing 7

enabling jumbo frame forwarding 50 PIM, IP MMLS and 29


enabling PBF 48 PIM, IP multicast and 15
specifying adjacency table entries 50 ping
specifying a PBF MAC address 48 command 13
hardware and software requirements 47 executing 8
limitations overview 7
2000 hosts 55 testing connectivity 13
Linus 54 policy-based forwarding, see PBF
MS-Windows 55 policy decision point servers
NT 55 See COPS or RSVP PDP
Sun Workstations 54 Policy Feature Card
overview 47 See PFC
PC card Port Aggregation Protocol
See Flash PC card See PAgP
PCMCIA port-based QoS features
See Flash PC card See QoS
PDP server port bundling, EtherChannel 1
See COPS or RSVP port cost
permit list aggregate links 5
See IP permit list calculating and assigning 4
PFC long method 5
IGMP snooping and 7 short method 4
protocol filtering and 1 port debounce timer
QoS, see Layer 3 Switching Engine disabling 8
PFC2 displaying 8
NetFlow enabling 8
fast aging-time 24 PortFast
flow masks 24 BPDU filter 2
packet threshold values for IP 24 configuring 11
statistics 22 BPDU guard 2
statistics, clearing 26 configuring 9
statistics, specifying aging time 23 disabling 10, 12
statistics aging-time 23 enabling 9, 11
table, displaying entries 25 caution 2, 8
QoS policing rule 22 configuring 7
statistics 9 disabling 8
displaying for NetFlow table entries 26 enabling 8
phones, Cisco IP Phone 7960 2 ports
PIM 5 capabilities, checking 4

changing the default port enable state 7 private VLANs 13


checking status 2 community VLAN 14
community 14 configuration guidelines 15
designating on command-line 5 configuring ACLs 26
duplex 5 creating 18
dynamic VLAN membership delete mapping 23
configuring 5 deleting 22
default configuration 2 deleting isolated, community, or two-way community
VLANs 22
example 10
hardware/software interactions 16
overview 1
isolated VLAN 14
reconfirming 7
primary VLAN 14
troubleshooting 8
errdisable timeout, configuring 9
two-way community VLAN 14

isolated 14
privileged EXEC mode 9

name 4
prompt

promiscuous 14
configuring 3

setting the debounce timer 8


overview 1

speed, 10/100 Ethernet 5


protocol filtering

VLAN assignments 12
configuring 3

port security default configuration 2

age time, specifying 5


disabling 3

changing the default port enable state 7


enabling 3

clearing MAC addresses 5


overview 1

configuration guidelines 3
protocol support 2

disabling 7
pruning, VTP

enabling 3
See VTP, pruning

MAC addresses, specifying number 4


PVST+ 15
bridge ID priority, configuring 16
monitoring 8
default configuration 15
overview 1
default port cost mode 18
security violation action, specifying 6
disabling 20
shutdown time, specifying 6
port cost 17
port status, checking 2
port priority 18
power management
port VLAN priority 20
determining system power requirements, nine-slot
chassis 14
enabling/disabling redundancy 11
Q
overview 11
powering modules up or down 13 QoS
voice 15, 10 (note) 2

COPS default IP 42
See COPS default IPX, creating 44
receive queue default MAC, creating 44
statistics data export 27 deleting named 44
configuring 70 detaching 46
configuring destination host 73 discarding uncommitted 45
configuring time interval 73 IP, named 38
displaying information 74 marking rules 21
trust-cos modifying 37
port keyword 10 named 16
trust-dscp names 37
port keyword 10 policing rules 22
trust-ipprec policing rules, creating 34
port keyword 10 policing rules, deleting 36
QoS ACE reverting to default values 44
ICMP, creating 40 storing in Flash memory 42
ICMP, options 18 QoS classification (definition) 2
IGMP, creating 40 QoS classification criteria
IGMP, options 19 IP ACE Layer 3 16
IP addresses and masks 38 IP ACE Layer 4 ICMP 18
IP Layer 3 options 16 IP ACE Layer 4 IGMP 19
IP Layer 4 port options 38 IP ACE Layer 4 protocol 17
IP Layer 4 protocol options 17 IP ACE Layer 4 TCP 17
IP precedence parameter options 38 IP ACE Layer 4 UDP 18
IP with Layer 4 options 41 IPX ACE 19
IP with only Layer 3 options 41 MAC ACE Layer 2 20
IPX, creating 42 QoS configuring 30
IPX, options 19 QoS configuring on Cisco IP Phone 7960 29
MAC, creating 43 QoS congestion avoidance
MAC, options 20 definition 3
TCP, creating 39 dual transmit queue ports 25
TCP, options 17 receive queue 11
UDP, creating 39 QoS CoS
UDP, options 18 and ToS final values from Layer 3 Switching Engine 24
QoS ACL 15 configuring port value 33
attaching 23, 46 definition 2
committing 45 QoS default configuration 28
creating 37 QoS definitions 2
default 20 QoS destination-based 47

deleting 47 QoS Layer 2 Switching Engine


QoS disabling 60 classification and marking 6, 24
QoS display feature summary 9
information 58 QoS Layer 3 Switching Engine
statistics 59 classification, marking, and policing 5, 14
QoS DSCP feature summary 9
definition 2 QoS MAC ACE Layer 2 20
internal values 15 QoS mapping
maps, configuring 55 CoS values to drop thresholds 52
QoS DSCP ACE keyword 21 CoS values to DSCP values 55
QoS dual receive, triple transmit queue ports DSCP markdown values 57
clearing 54 DSCP values to CoS values 56
configuring 52, 53 IP precedence values to DSCP values 56
QoS dual transmit queue QoS markdown 22
thresholds, configuring 49 QoS marking 27
QoS dual transmit queue ports based on per-port classification 14
congestion avoidance 25 definition 2
QoS enabling 31 MSFC 6
QoS Ethernet egress port trusted ports 11
feature summary 9 untrusted ports 11
scheduling, congestion avoidance, and marking 7, 24 QoS MSFC 6
QoS Ethernet ingress port QoS out of profile 22
classification, marking, scheduling, and congestion QoS policing
avoidance 4
definition 3
feature summary 9
microflow, enabling for nonrouted traffic 48
Layer 3 Switching Engine classification features 13
token bucket 22
marking, scheduling, congestion avoidance, and QoS policing rule 22
classification 10
aggregate 22
scheduling 11
dual rate 22
scheduling and congestion avoidance 11
deleting 36
QoS ethertype field values 16
microflow 22
QoS feature set summary 8
QoS port
QoS filtering 37
trust state 32
QoS final Layer 3 Switching Engine CoS and ToS
values 24 QoS port-based or VLAN-based 32
QoS flowcharts 3 QoS port keywords 10

QoS internal DSCP values 15 QoS receive queue 11

QoS IP phone, configuring 29 drop thresholds 11, 54

QoS IPX ACE 19 drop thresholds (figure) 13

QoS labels (definition) 2 tail-drop thresholds, configuring 48

QoS reverting to defaults 60 overview 56


QoS scheduling (definition) 3 servers, specifying 58
QoS single-port ATM OC-12 switching module suppressing 59
features 9
updating the server 59
QoS single-port ATM OC-12 switching module
RADIUS authentication
marking 8
configuration guidelines 11
QoS single-receive, dual-transmit queue ports
deadtime, setting 28
configuring 52
default configuration 10
QoS strict priority receive queue 11
disabling 30
QoS ToS
enabling 25
and CoS final values from Layer 3 Switching Engine 24
key, clearing 29
definition 2
key, specifying 24
QoS traffic flow through QoS features 3
overview 4
QoS transmit queue
retransmit count, setting 27
allocating bandwidth between 50
servers
size ratio 51
clearing 29
QoS transmit queues 25, 53, 54
specifying 24
QoS triple transmit queue WRED drop thresholds 49
servers, clearing 29
QoS trust-cos
servers, specifying 24
ACE keyword 21
timeout, setting 27
QoS trust-dscp
RADIUS authorization
ACE keyword 21
disabling 55
QoS trust-ipprec
enabling 55
ACE keyword 21
RARP
QoS understanding 1
in-band (SC0) interface and 3
QoS understanding policy 61
rate limiting for IGMP 8
QoS untrusted port keyword 10
rcp
QoS VLAN-based or port-based 23, 32
downloading configuration files 7
QoS WRED drop thresholds 49
downloading supervisor engine images 10
downloading switching module images 10
R uploading configuration files 8
receive queues
RADIUS accounting
See QoS receive queues
configuration guidelines 60
redundancy overview 18
creating records 57
redundant
disabling 61
synchronizing boot images 16
enabling 60
synchronizing runtime image with bootstring 14
events 57
redundant supervisor engine
example configuration 63
See supervisor engine, redundant

related documentation 29
Remote Monitoring
    See RMON
Remote Switched Port Analyzer
    See RSPAN
reserved-range VLANs
    See VLANs
reset
    scheduling
        absolute date and time 10
        within a specific timeframe 10
    scheduling system reset 9
retransmission time
    authenticator-to-supplicant 44
    back-end authenticator-to-authentication-server 45
    back-end authenticator-to-supplicant 44
Reverse Address Resolution Protocol
    See RARP
rewrite, packet
    CEF 2
    MLS 2
RGMP
    configuring 22
    default configuration 22
    disabling 22
    enabling 22
    joining multicast group 3
    multicast groups 23
    multicast protocols 25
    overview 5
    packet types 5
    RGMP-capable router ports 24
    RGMP-related router commands 25
    RGMP statistics
        displaying 23
    statistics
        clearing 25
    VLAN statistics
        displaying 23
RMON 1
    enabling 2
    overview 1
    supported MIB objects 2
    viewing data 2
ROM monitor
    BOOT environment variable and 3
    boot process and 2
    CLI 1
    configuration register and 2
    console port baud rate 6
root guard
    disabling 34
    enabling 34
root switch
    improving convergence 33
    primary, configuring 31
    secondary, configuring 32
    See also root guard
router, multicast 20
Router Group Management Protocol
    See RGMP
routing tables, multicast 17, 31
RSPAN
    concepts and terminology 1
    configuration examples 14
    configuration guidelines 10
    configuring
        examples 14, 15, 16
        from CLI 11
        multiple RSPAN sessions 16
        single RSPAN session 14
    hardware requirements 9
    session limits 4
    session limits table 4
RSVP 66
    disabling 67
    DSBM election participation
        disabling 67

        enabling 67
    enabling 66
    PDP server configuration
        deleting 68
    policy timeout 69

S

sc0 (in-band) interface
    configuring 5
    IP address, assigning 5
    overview 1
    VLAN assignment 2
scheduling
    See QoS
scheduling a system reset 9
secure shell encryption
    configuring 5
security
    configuring 1
    IP permit list 1
    passwords, configuring 14, 15
    security ACL, removing VACL to VLAN mapping 37
    See also RADIUS accounting, TACACS+ accounting
Serial Control Protocol commands (table) 16
serial download
    example PC software image download 19
    example UNIX software image download 20
    PC software image download procedure 16
    preparing to download 16
    UNIX software image download procedure 17
session command, MSFC and 4
set defaultcostmode command 19
set logging level acl command 40
set mls agingtime command 23, 18
set mls agingtime fast command 24, 19
set mls flow command 25, 19
set module power up/down command 13
set power redundancy enable/disable command 11
set spantree portcost command 17, 26
set spantree portpri command 18
set spantree portvlancost command 19
set spantree priority command 16, 25
shortcuts, Layer 3
    See MLS
short keyword (note) 7
show cam command 20
show mls command 12, 21
show mls debug command 28
show mls entry command 25, 7, 22
show mls entry ip destination command 23
show mls entry ip flow command 24
show mls entry ip source command 24
show mls entry ipx command 25
show mls ip multicast group command
    displaying IP MMLS group 17, 32
show mls ip multicast interface command
    displaying IP MMLS interface 17, 32
show mls ip multicast source command
    displaying IP MMLS source 17, 32
show mls ip multicast statistics command
    displaying IP MMLS statistics 17, 32
show mls ip multicast summary
    displaying IP MMLS configuration 17, 32
show mls rp command 15
show mls statistics entry command 26, 27
show mls statistics protocol command 27
show module command 12, 13
show spantree conflicts command 30
Simple Network Management Protocol, see SNMP
single router mode redundancy
    See SRM
skewing
    BPDU configuring 38
sl0 (SLIP) interface
    configuring 7
    overview 1
SLIP

    caution 7
    console port and 7
    enabling 7
    overview 1
    sl0 interface 4
    slip attach command 7
    slip detach command 7
SLIP (sl0) interface
    configuring 7
SNMP
    configuring SNMPv1 and SNMPv2c 10
    configuring SNMPv3 11
    ifindex persistence feature 5
    overview 3
    security models and levels 4
    SNMP agents and MIBs 5
    SNMPv1 overview 5
    SNMPv2c overview 5
    SNMPv3 overview 7
    supported RMON MIB objects 2
    terms 1
SNMP entity
    access control subsystem 7
    definition 7
    dispatcher 7
    message processing subsystem 7, 8
software images
    downloading
        example, multiple module 7, 13
        example, single module 6, 13
        example, supervisor 5, 11
        overview 2
        preparation 2, 9
        supervisor 3, 10
        switching module 4, 10
    uploading
        preparation 8, 15
        rcp server 15
        supervisor 9, 15
        supervisor engine 9
source-destination-ip flow mask 10, 6
source-destination-vlan flow mask 10, 6
SPAN
    caution 7
    configuration guidelines 6
    configuring from CLI 7
    destination port 2
    disabling 8, 13
    egress 3
    hardware requirements 5
    ingress 3
    NMS and 1
    overview 5
    session 2
    session limits 4
    session limits table 4
    source port 2
    traffic 4
Spanning Tree Protocol
    See STP
speed
    10/100 Ethernet port, setting 5
SRM
    configuration guidelines 42
    configuration procedure 42
    getting out of SRM 45
    hardware and software requirements 41
    upgrading images with SRM enabled 44
SSH 5
standby supervisor engine
    See redundant supervisor engine
    See supervisor engine, redundant
startup tasks
    booting the MSFC 4
static route, configuring 7
static routes
    CIDR and 7
    VLSM and 7

statistics
    BPDU skewing 38
statistics, PFC2 9
STP
    BPDUs and 2
    bridge ID priority, understanding 13
    forward delay timer 35
    hello time 35
    IEEE, overview 1
    MAC address allocation 13
    MAC address reduction 13
        enabling 7
    maximum age timer 35
    port states 5
    See also BackboneFast
    See also MISTP and PVST+
    See also PortFast
    See also UplinkFast
    timers
        See timers, configuring
strict-priority queue
    See QoS
strict priority
supervisor engine
    BOOT environment variables
        clearing 11, 12
        displaying 12
        overview 3
        setting 10, 11
    boot image 2
    configuration register
        boot field, setting 5
        ignore NVRAM, setting 9
        overview 2
        ROM monitor baud rate, setting 6
        setting 10
    configuring 1
    console port
        ROM monitor baud rate 6
        SLIP and 7
    default boot configuration 4
    default configuration 5
    default gateways 6
    downloading software images 3, 10
    Flash file system
        See Flash file system
    IP address, setting 5
    management interfaces
        overview 1
        sc0 (in-band), configuring 5
        sl0 (SLIP), configuring 7
    preparing to configure 4
    redundant
        configuration guidelines 4
        Flash synchronization 4, 14
        forcing switchover to standby 6
        overview 2
        slot assignment 2
        understanding 2
        verifying status 5
    ROM monitor 2
    sc0 (in-band) interface 5
    sl0 (SLIP) interface 7
    software images
        downloading 3, 10
        startup, specifying 1
        uploading 9, 15
    startup configuration 1
    static routes 7
    switchover 6
    uploading software images 9, 15
Supervisor Engine 1
    environmental monitoring 16
supplicant
    automatic reauthentication 42
    manual reauthentication 42
switch administration
    modules, checking status 1

    ports, checking status 2
    procedures 1
switch boot process 1
switch CLI
    accessing 2
    help 8
    history substitution 7
    IP addresses, designating 6
    IP aliases, designating 6
    MAC addresses, designating 6
    modules, designating 5
    operating 5
    overview 2
    ports, designating 5
    VLANs, designating 5
switch console command, MSFC and 4
Switched Port Analyzer
    See SPAN
switch fabric module
    configuring and monitoring 2
    overview 1
    slot locations 2
switching address table 2
switching modules
    See modules
switch management interfaces
    See supervisor engine, management interfaces
switchover
    See supervisor engine, switchover
switch TopN reports
    background execution 2
    foreground execution 2
    metric values (table) 2
    overview 1
    running 3
    viewing 3
syslog
    buffer size, setting 6
    configuration, displaying 9
    configuring 4
    daemon, configuring 7
    default configuration 4
    logging levels, setting 6
    message format 3
    message log, displaying 10
    overview 1
    session settings, setting 5
    timestamp, changing enable state 6
system clock, setting 4
system contact, setting 3
system image
    switch
        downloading 3, 10
        startup, specifying 1
        uploading 9, 15
system location, setting 3
system message logging
    buffer size, setting 6
    configuration, displaying 9
    configuring 4
    console session logging
        disabling 5
        enabling 5
    daemon, configuring 7
    default configuration 4
    definitions
        elements (table) 3
        severity level (table) 3
    displaying system messages 9
    logging levels, setting 6
    message format 3
    message log, displaying 10
    overview 1
    server, configuring 7
    session settings, setting 5
    syslog daemon, configuring 7
    syslog server
        configuring 7

        deleting 8
        disabling logging 8
    Telnet session logging
        disabling 5
        enabling 5
    timestamp, changing enable state 6
system name
    clearing 3
    configuring
        static system name 2
        static system prompt 3
    overview 1
system prompt
    configuring 3
    overview 1
system reset
    scheduling 9
        absolute date and time 10
        within a specific timeframe 10
system status report 17

T

TACACS+ accounting
    configuration guidelines 60
    creating records 57
    disabling 61
    enabling 60
    events 57
    example configuration 63
    overview 56
    suppressing 59
    updating the server 59
TACACS+ authentication
    clearing servers 22
    command authorization 50
    command authorization overview 50
    configuration guidelines 11, 51
    default configuration 10, 51
    directed request, enabling and disabling 17, 21
    disabling 23, 53
    enabling 18, 52
    example configuration 48, 55
    key, clearing 22
    key, specifying 19
    login attempts allowed 20
    overview 3, 49
    primary options and fallback options 50
    servers, clearing 22
    servers, specifying 17
    timeout interval 19
TACACS+ authorization overview 49
TCP intercept with PFC 11
TCP intercept with PFC II 14
TCP QoS features
    See QoS ACE or ACL
Telnet
    executing 4
    limit login attempts
        authentication 2
        configure authentication 12
        configure TACACS+ 18, 20
        guidelines 11
        local authentication 14
        privileged mode 13
        TACACS+ 3
    system message logging settings 5
    user sessions
        disconnecting 6
        monitoring 6
Telnet, accessing MSFC 4
text file configuration mode
    setting the configuration mode 2
TFTP
    downloading configuration files 3
    downloading software images
        example, multiple module 7, 13
        example, single module 6

        example, supervisor 5, 11
        supervisor engine 3, 10
        switching modules 4, 10
    uploading configuration files 5
    uploading software images 9, 15
thresholds
    See QoS congestion avoidance
time, setting 4
timers, configuring
    forward delay 35
    hello time 35
    maximum aging time 35
time zone
    clearing 7
    setting 5
token bucket 22
Token Ring
    See VLANs, Token Ring 24
TopN reports
    See switch TopN reports
ToS
    See QoS
traceroute
    See IP traceroute
traceroute command 13
traffic, handling
    fragmented 5
    unfragmented 5
transmit queues
    See QoS transmit queues
TrBRF
    See VLANS, Token Ring
TrCRF
    See VLANS, Token Ring
Trivial File Transfer Protocol
    See TFTP
troubleshooting
    system message logging and 1
    VMPS 8
trunks
    802.1Q
        configuring 6
        negotiating 7
        restrictions 4
    allowed VLANs 7
    autonegotiation 2
    configuring
        802.1Q trunk 6
        ISL/802.1Q negotiating trunk port 7
        ISL trunk 5
    default configuration 5
    defining allowed VLANs 7
    disabling 8
    encapsulation types
        descriptions (table) 2
    example configurations
        802.1Q 13
        ISL 9, 10
        load sharing 16
    ISL
        over EtherChannel link 10
        trunk configuration 9
    load-sharing traffic 16
    modes (table) 2
    overview 1
    parallel configuration 22
    possible configurations (table) 3
    VLAN 1, disabling 22
    VLANs, allowed 7
trust-dscp
    see QoS trust-dscp
trust-ipprec
    see QoS trust-ipprec

U

UDLD
    default configuration 2

    disabling
        globally 4
        on ports 4
    displaying configuration 5
    enabling
        globally 3
        on ports 3
    overview 1
    specify the message interval 4
UDP QoS features
    See QoS ACE or ACL
unicast suppression 2
UniDirectional Link Detection Protocol
    See UDLD
untrusted
    see QoS trust-cos
    See QoS untrusted
UplinkFast 3
    disabling 14
    enabling 13
    figure 3
    MISTP mode 13
    PVST+ mode 13
uploading
    configuration files
        preparation 5, 8
        running configuration 5, 8
        TFTP 5
    software images
        preparation 8, 15
        rcp server 15
        supervisor 9, 15
        supervisor engine 9
user EXEC mode 9
user sessions
    disconnecting 6
    monitoring 6

V

VACLs 3
    ACEs
        overview 4
    applying on
        bridged packets 7
        multicast packets 8
        routed packets 7
    capturing traffic flows 38
    common uses for 22
    configuration
        figure 23
        guidelines 28
        summary 29
    configuration guidelines 28
    configuring 28
    configuring for policy-based forwarding 46
    configuring on private VLANs 26
    denying access to a server on another VLAN
        figure 26
        procedure 25
    features unsupported 27
    hardware requirements 2
    Layer 2 parameters 5
    Layer 3 parameters 4
    Layer 4 parameters 4
    Layer 4 port operations 20
    logging messages 40
    overview 1
    redirecting broadcast traffic to a specific server port
        figure 24
        procedure 23
    restricting ARP traffic 26
    restricting the DHCP response for a specific server
        figure 25
        procedure 24
    storing in Flash memory 42
    supported features 4

    types and ACE parameters 4
    types and parameters 4
    with IOS ACLs 15
virtual LAN
    See VLANs
VLAN Access Control Lists
    See VACLs
VLAN-based SPAN, see VSPAN
VLAN filtering
    trunk 4
VLAN Management Policy Server
    See VMPS
VLANs
    allowed on trunk 7
    auxiliary 8, 19
    clearing VLAN mappings 9
    default configuration 4
    deleting 13
    designating on command-line 5
    Ethernet 5
    extended range 2, 7
    FDDI 24
    in-band (sc0) interface assignment 2
    internet
        assigning ports to 12
        mapping 802.1Q to ISL 9, 10
        ports, assigning to 12
    IP subnetworks and 2
    mapping 802.1Q to ISL 10
    mapping reserved to non-reserved 9
    mapping VLANs to VLANs 9
    MISTP VLAN conflicts
        See MISTP
    native
        802.1Q and 4
    normal range 2, 5
    private
        See private VLANs
    protocol filtering and 1
    reserved range 2
    sc0 (in-band) interface assignment 2
    Token Ring 24
    trunks
        See trunks
    VTP domain and 1
VLAN Trunk Protocol
    See VTP
VLSM
    static routes and 7
VMPS
    administering 6
    configuring 5
    database
        creating 4
        downloading 7
        example configuration file 9
    default configuration 2
    disabling 5
    dynamic port membership
        configuring 5
        example 10
        overview 1
        reconfirming 7
        troubleshooting 8
    error messages (table) 8
    example configurations
        database configuration file 9
        dynamic port VLAN membership 10
    monitoring 6
    overview 1
    reconfirming membership 7
    troubleshooting 8
voice-over-IP network
    analog station gateway, 24-port FXS analog interface module 4
    analog trunk gateway, description 5
    auxiliary VLANs, configuring 19
    Cisco CallManager 4

    Cisco IP Phone 7960 2
    CLI commands 9
    configuring access gateways 21
    converged voice gateway, Cisco VG200 7
    digital trunk gateway, 8-port T1/E1 PSTN interface module 6
    display active call information 27
    how a call is made 7
    overview 1
    QoS, configuring 29
    software and hardware requirements 1
    VLAN overview 8
VSPAN 3
VTP
    advertisements 2
    caution 5
    client, configuring 6
    configuration guidelines 5
    configuring
        client 6
        server 6
    default configuration 5
    disabling 7
    domains 2
    modes
        client 2
        server 2
        transparent 2
    monitoring 10
    overview 1
    pruning
        configuring 9
        disabling 10
        figure 4
        overview 3
    server, configuring 6
    statistics 10
    transparent mode, configuring 7
    version 2
        disabling 9
        enabling 8
        overview 3
        VLANs and 1
VTP pruning
    configuring 9
    disabling 10
    overview 3

W

WCCP 3, 12, 14
Web Cache Coordination Protocol
    See WCCP 12, 14
WRED 49
write tech support 17
writetechsupport 17

X

xmodem software download 21

Y

ymodem software download 21
