An access control list (ACL) is a list of rules that specifies which users or systems are granted or denied access to a particular object or system resource. Access control lists are also installed in routers or switches, where they act as filters, managing which traffic can access the network. Show Each system resource has a security attribute that identifies its access control list. The list includes an entry for every user who can access the system. The most common privileges for a file system ACL include the ability to read a file or all the files in a directory, to write to the file or files, and to execute the file if it is an executable file or program. ACLs are also built into network interfaces and operating systems (OSes), including Linux and Windows. On a computer network, access control lists are used to prohibit or allow certain types of traffic to the network. They commonly filter traffic based on its source and destination. What are access control lists used for?Access control lists are used for controlling permissions to a computer system or computer network. They are used to filter traffic in and out of a specific device. Those devices can be network devices that act as network gateways or endpoint devices that users access directly. On a computer system, certain users have different levels of privilege, depending on their role. For example, a user logged in as network administrator may have read, write and edit permissions for a sensitive file or other resource. By contrast, a user logged in as a guest may only have read permissions. Access control lists can help organize traffic to improve network efficiency and to give network administrators granular control over users on their computer systems and networks. ACLs can also be used to improve network security by keeping out malicious traffic. How do ACLs work?Each ACL has one or more access control entries (ACEs) consisting of the name of a user or group of users. The user can also be a role name, such as programmer or tester. For each of these users, groups or roles, the access privileges are stated in a string of bits called an access mask. Generally, the system administrator or the object owner creates the access control list for an object. Types of access control listsThere are two basic types of ACLs:
ACLs can also be categorized by the way they identify traffic:
Benefits of using an ACLThere are several benefits of using an ACL, including the following:
Where can you place an access control list?Access control lists can be placed on virtually any security or routing device, and having multiple ACLs in different parts of the network can be beneficial. ACLs are well suited to network endpoints -- like applications or servers -- that require high speed and performance, as well as security. Network administrators may choose to place an access control list at different points in the network depending on the network architecture. ACLs are often placed on the edge routers of a network because they border the public internet. This gives the ACL a chance to filter traffic before it reaches the rest of the network. Edge routers with ACLs can be placed in the demilitarized zone (DMZ) between the public internet and the rest of the network. A DMZ is a buffer zone with an outward-facing router that provides general security from all external networks. It also features an internal router that separates the DMZ from the protected network. DMZs may contain different network resources, like application servers, web servers, domain name servers or virtual private networks. The configuration of the ACL on the routing device is different, depending on the devices behind it and the categories of user that need access to those devices. ACLs are commonly placed in the DMZ or on the perimeter to filter traffic.Components of an access control listACL entries consist of several different components that specify how the ACL treats different traffic types. Some examples of common ACL components include the following:
More advanced ACL entries can specify traffic based on certain IP packet header fields, like Differentiated Services Code Point, Type of Service or IP precedence. How to implement an ACLTo implement an ACL, network administrators must understand the types of traffic that flow in and out of the network, as well as the types of resources they are trying to protect. Administrators should hierarchically organize and manage IT assets in separate categories and administer different privileges to users. Maintaining access control is a fundamental component of network security.A standard ACL list is generally implemented close to the destination that it is trying to protect. Extended access control lists are generally implemented close to the source. Extended ACLs can be configured using access list names instead of access list numbers. The basic syntax used to create a standard numbered access control list on a Cisco router is as follows: Router (config)# access-list (1300-1999) (permit | deny) source-addr (source-wildcard)The various parts mean the following:
A wildcard mask tells a router which bits of an IP address are available for a network device to examine and determine if it matches the access list. Users can enter the above configuration code into the command line to create the access control list. Cloud platforms from vendors, including Oracle and IBM, also typically offer an option to create an access control list in their user login portal. Setting user permissions throughout a computer system can be tedious, but there are ways to automate the script. Access control lists must be configured differently based on differences in network architecture. This includes differences between on-premises, physical networks and cloud networks. Learn the basics of cloud network architecture and network management.
This chapter describes how to configure port ACLs (PACLs) and VLAN ACLs (VACLs) in Cisco IOS Release 12.2SX. Note ● For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter consists of these sections: The following sections describe ACLs in Cisco IOS Release 12.2SX: Access control lists (ACLs) provide the ability to filter ingress and egress traffic based on conditions specified in the ACL. Cisco IOS Release 12.2SX supports the following types of ACLs:
PACLs and VACLs can provide access control based on the Layer 3 addresses (for IP protocols) or Layer 2 MAC addresses (for non-IP protocols). You can apply only one IP access list and one MAC access list to a Layer 2 interface. VLAN ACLs (VACLs) can provide access control for all packet s that are bridged within a VLAN or that are routed into or out of a VLAN or a WAN interface for VACL capture. Unlike Cisco IOS ACLs that are applied on routed packets only, VACLs apply to all packets and can be applied to any VLAN or WAN interface. VACLs are processed in the ACL TCAM hardware. VACLs ignore any Cisco IOS ACL fields that are not supported in hardware. You can configure VACLs for IP and MAC-layer traffic. VACLs applied to WAN interfaces support only IP traffic for VACL capture. If a VACL is configured for a packet type, and a packet of that type does not match the VACL, the default action is to deny the packet. Note IGMP packets are not checked against VACLs. Cisco IOS Release 12.2(33)SXI and later releases support MAC Policy-Based Forwarding (PBF), a type of MAC-based VACL by which packets can be bridged between VLANs. MAC PBF forwards packets based solely on the source and destination MAC addresses, ignoring any information above Layer 2. Unlike other VACLs, which are processed in the ACL TCAM hardware, MAC PBF is performed in software, with optional rate limiters to control CPU usage. Also, PBF is applied only to incoming packets. Note Layer 2 port ACLs (PACLs) take precedence over MAC PBF. The port ACL (PACL) feature provides the ability to perform access control on specific Layer 2 ports. A Layer 2 port is a physical LAN or trunk port that belongs to a VLAN. Port ACLs are applied only on the ingress traffic. The port ACL feature is supported only in hardware (port ACLs are not applied to any packets routed in software). When you create a port ACL, an entry is created in the ACL TCAM. You can use the show tcam counts command to see how much TCAM space is available. The PACL feature does not affect Layer 2 control packets received on the port. You can use the access-group mode command to change the way that PACLs interact with other ACLs. PACLs use the following modes:
You configure the access-group mode command on each interface. The default is merge mode. Note If we set access-group mode prefer port, it will not only overwrite the effect of other ACLs, but also other features like Netflow (applied to SVI interface) will be affected. Note A PACL can be configured on a trunk port only after prefer port mode has been selected. Trunk ports do not support merge mode. To illustrate access group mode, assume a physical port belongs to VLAN100, and the following ACLs are configured:
In this situation, the following ACL interactions occur:
Note The CLI syntax for creating a PACL is identical to the syntax for creating a Cisco IOS ACL. An instance of an ACL that is mapped to a Layer 2 port is called a PACL. An instance of an ACL that is mapped to a Layer 3 interface is called a Cisco IOS ACL. The same ACL can be mapped to both a Layer 2 port and a Layer 3 interface. The PACL feature supports MAC ACLs and IPv4 ACLs. The PACL feature does not support ACLs for IPV6, ARP, or Multiprotocol Label Switching (MPLS) traffic. PACLs are explained in more detail in the following sections: This section describes the guidelines for the EtherChannel and PACL interactions:
Dynamic ACLs are VLAN-based and are used by GWIP. The merge mode does not support the merging of the dynamic ACLs with the PACLs. In merge mode, the following configurations are not allowed:
To configure a PACL on a trunk port, you must first configure port prefer mode. The configuration commands to apply a PACL on a trunk or dynamic port will not be available until you configure the port in port prefer mode by entering the access-group mode prefer port interface command. Trunk ports do not support merge mode. If you reconfigure a port from Layer 2 to Layer 3, any PACL configured on the port becomes inactive but remains in the configuration. If you subsequently configure the port as Layer 2, any PACL configured on the port becomes active again. You can enter port configuration commands that alter the port-VLAN association, which triggers an ACL remerge. Unmapping and then mapping a PACL, VACL, or Cisco IOS ACL automatically triggers a remerge. In merge mode, online insertion or removal of a switching module also triggers a remerge, if ports on the module have PACLs configured. The following sections describe interactions between the different types of ACL: This section describes the guidelines for the PACL interaction with the VACLs and Cisco IOS ACLs. For an incoming packet on a physical port, the PACL is applied first. If the packet is permitted by the PACL, the VACL on the ingress VLAN is applied next. If the packet is Layer 3 forwarded and is permitted by the VACL, it is filtered by the Cisco IOS ACL on the same VLAN. The same process happens in reverse in the egress direction. However, there is currently no hardware support for output PACLs. The PACLs override both the VACLs and Cisco IOS ACLs when the port is configured in prefer port mode. The one exception to this rule is when the packets are forwarded in the software by the route processor (RP). The RP applies the ingress Cisco IOS ACL regardless of the PACL mode. Two examples where the packets are forwarded in the software are as follows:
Figure 51-1 shows a PACL and a VACL applied to bridged packets. In merge mode, the ACLs are applied in the following order: 1. PACL for the ingress port 2. VACL for the ingress VLAN 3. VACL for the egress VLAN Figure 51-1 Applying ACLs on Bridged Packets In prefer port mode, only the PACL is applied to the ingress packets (the input VACL is not applied). Figure 51-2 shows how ACLs are applied on routed and Layer 3-switched packets. In merge mode, the ACLs are applied in the following order: 1. PACL for the ingress port 2. VACL for the ingress VLAN 3. Input Cisco IOS ACL 4. Output Cisco IOS ACL 5. VACL for the egress VLAN In prefer port mode, only the PACL is applied to the ingress packets (the input VACL and Cisco IOS ACL are not applied). Figure 51-2 Applying ACLs on Routed Packets Figure 51-3 shows how ACLs are applied on packets that need multicast expansion. For packets that need multicast expansion, the ACLs are applied in the following order: 1. Packets that need multicast expansion: a. PACL for the ingress port b. VACL for the ingress VLAN c. Input Cisco IOS ACL 2. Packets after multicast expansion: a. Output Cisco IOS ACL b. VACL for the egress VLAN 3. Packets originating from router: a. Output Cisco IOS ACL b. VACL for the egress VLAN In prefer port mode, only the PACL is applied to the ingress packets (the input VACL and Cisco IOS ACL are not applied). Figure 51-3 Applying ACLs on Multicast Packets Cisco IOS Release 12.2(33)SXH and later releases support PACLs. This section describes how to configure PACLs. PACLs filter incoming traffic on Layer 2 interfaces, using Layer 3 information, Layer 4 header information, or non-IP Layer 2 information. The PACL feature uses existing Cisco IOS access-list commands to create the standard or extended IP ACLs or named MAC-extended ACLs that you want to apply to the port. Use the ip access-group or mac access-group interface command to apply an IP ACL or MAC ACL to one or more Layer 2 interfaces. Note PACLs cannot filter Physical Link Protocols and Logical Link Protocols, such as CDP, VTP, DTP, PAgP, UDLD, and STP, because the protocols are redirected to the switch processor (SP) before the ACL takes effect. This section contains the following topics: Consider the following guidelines when configuring PACLs:
IP and MAC ACLs can be applied to Layer 2 physical interfaces. Standard (numbered, named) and Extended (numbered, named) IP ACLs, and Extended Named MAC ACLs are supported. To apply IP or MAC ACLs on a Layer 2 interface, perform this task:
This example shows how to configure the Extended Named IP ACL simple-ip-acl to permit all TCP traffic and implicitly deny all other IP traffic: This example shows how to configure the Extended Named MAC ACL simple-mac-acl to permit source host 000.000.011 to any destination host: To configure the access mode on a Layer 2 interface, perform this task:
This example shows how to configure an interface to use prefer port mode: This example shows how to configure an interface to use merge mode: To apply IP and MAC ACLs to a Layer 2 interface, perform one of these tasks:
This example applies the extended named IP ACL simple-ip-acl to interface GigabitEthernet 6/1 ingress traffic: This example applies the extended named MAC ACL simple-mac-acl to interface GigabitEthernet 6/1 ingress traffic: To apply IP and MAC ACLs to a port channel logical interface, perform this task:
This example applies the extended named IP ACL simple-ip-acl to port channel 3 ingress traffic: To display information about an ACL configuration on Layer 2 interfaces, perform one of these tasks:
This example shows that the IP access group simple-ip-acl is configured on the inbound direction of interface fa6/1: This example shows that MAC access group simple-mac-acl is configured on the inbound direction of interface fa6/1: This example shows that access group merge is configured on interface fa6/1: These sections describe how to configure VACLs: Consider the following guidelines when configuring VACLs:
– Packets that require logging on the outbound ACLs are not logged if they are denied by a VACL. – VACLs are applied on packets before NAT translation. If the translated flow is not subject to access control, the flow might be subject to access control after the translation because of the VACL configuration.
Note ● VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, and at least one ACL is configured for the packet type.
To define a VLAN access map, perform this task:
When defining a VLAN access map, note the following information:
See the “VLAN Access Map Configuration and Verification Examples” section. To configure a match clause in a VLAN access map sequence, perform this task:
When configuring a match clause in a VLAN access map sequence, note the following information:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html See the “VLAN Access Map Configuration and Verification Examples” section. To configure an action clause in a VLAN access map sequence, perform this task:
When configuring an action clause in a VLAN access map sequence, note the following information:
See the “VLAN Access Map Configuration and Verification Examples” section. To apply a VLAN access map, perform this task:
When applying a VLAN access map, note the following information:
See the “VLAN Access Map Configuration and Verification Examples” section. To verify VLAN access map configuration, perform this task:
Assume IP-named ACL net_10 and any_host are defined as follows: This example shows how to define and apply a VLAN access map to forward IP packets. In this example, IP traffic matching net_10 is forwarded and all other IP packets are dropped due to the default drop action. The map is applied to VLAN 12 to 16. This example shows how to define and apply a VLAN access map to drop and log IP packets. In this example, IP traffic matching net_10 is dropped and logged and all other IP packets are forwarded: This example shows how to define and apply a VLAN access map to forward and capture IP packets. In this example, IP traffic matching net_10 is forwarded and captured and all other IP packets are dropped: A port configured to capture VACL-filtered traffic is called a capture port. Note To apply IEEE 802.1Q or ISL tags to the captured traffic, configure the capture port to trunk unconditionally (see the “Configuring the Layer 2 Switching Port as an ISL or 802.1Q Trunk” section and the “Configuring the Layer 2 Trunk Not to Use DTP” section). To configure a capture port, perform this task:
When configuring a capture port, note the following information:
This example shows how to configure a Fast Ethernet interface 5/1 as a capture port: This example shows how to display VLAN access map information: This example shows how to display mappings between VACLs and VLANs. For each VACL map, there is information about the VLANs that the map is configured on and the VLANs that the map is active on. A VACL is not active if the VLAN does not have an interface. To configure MAC policy-based forwarding (PBF), perform this task on each source VLAN:
When configuring MAC PBF, note the following information:
– Rcv Vlan — The number of the VLAN to which packets are forwarded by PBF. – Snd Vlan — The number of the VLAN which will forward packets by PBF. – DMAC — The MAC address of the destination host on the receiving VLAN. – SMAC — The MAC address of the source host on the sending VLAN. – (Local) — Displays 1 if the local keyword is configured in the action forward vlan command on the sending VLAN; displays 0 if the local keyword is not configured. – (Packet counter) — The number of packets that have been forwarded from the sending VLAN to the receiving VLAN. To clear this counter, enter the clear vlan mac-pbf counters command. – Pkts dropped — The number of packets that have been dropped by the sending VLAN. To clear this counter, enter the clear vlan mac-pbf counters command.
This example shows how to configure and display MAC PBF to allow two hosts in separate VLANs (“red” VLAN 100 and “blue” VLAN 200) on the same switch to exchange packets: When you configure VACL logging, IP packets that are denied generate log messages in these situations:
Log messages are generated on a per-flow basis. A flow is defined as packets with the same IP addresses and Layer 4 (UDP or TCP) port numbers. When a log message is generated, the timer and packet count is reset. These restrictions apply to VACL logging:
To configure VACL logging, use the action drop log command action in VLAN access map submode (see the “Configuring PACLs” section for configuration information) and perform this task in global configuration mode to specify the global VACL logging parameters:
This example shows how to configure global VACL logging in hardware: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 2 This chapter describes Cisco IOS access control list (ACL) support in Cisco IOS Release 12.2SX: •ACL Support in Hardware and Software •Cisco IOS ACL Configuration Guidelines and Restrictions •Policy-Based ACLs •Configuring IPv6 Address Compression •Optimized ACL Logging •Guidelines and Restrictions for Using Layer 4 Operators in ACLs Note For complete information about configuring Cisco IOS ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2, "Traffic Filtering and Firewalls," at this URL: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/12-2sx/sec-data-acl-12-2sx-book.html Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum ACLs can be processed in hardware by the Policy Feature Card (PFC), a Distributed Forwarding Card (DFC), or in software by the route processor (RP): •ACL flows that match a "deny" statement in standard and extended ACLs (input and output) are dropped in hardware if "ip unreachables" is disabled. •ACL flows that match a "permit" statement in standard and extended ACLs (input and output) are processed in hardware. •VLAN ACL (VACL) and port ACL (PACL) flows are processed in hardware. If a field that is specified in a VACL or PACL is not supported by hardware processing, then that field is ignored (for example, the log keyword in an ACL), or the whole configuration is rejected (for example, a VACL containing IPX ACL parameters). •VACL logging is processed in software. •Dynamic ACL flows are processed in hardware. •Idle timeout is processed in software. Note Idle timeout is not configurable. Cisco IOS Release 12.2SX does not support the access-enable host timeout command. •Except on MPLS interfaces, reflexive ACL flows are processed in hardware after the first packet in a session is processed in software on the RP. •IP accounting for an ACL access violation on a given port is supported by forwarding all denied packets for that port to the RP for software processing without impacting other flows. •The PFC does not provide hardware support for Cisco IOS IPX ACLs. Cisco IOS IPX ACLs are supported in software on the RP. •Extended name-based MAC address ACLs are supported in hardware. •The following ACL types are processed in software: –Internetwork Packet Exchange (IPX) access lists –Standard XNS access list –Extended XNS access list –DECnet access list –Extended MAC address access list –Protocol type-code access list Note IP packets with a header length of less than five will not be access controlled. •Unless you configure optimized ACL logging (OAL), flows that require logging are processed in software without impacting nonlogged flow processing in hardware (see the "Optimized ACL Logging" section). •The forwarding rate for software-processed flows is substantially less than for hardware-processed flows. •When you enter the show ip access-list command, the match count displayed does not include packets processed in hardware. •Hardware-supported counters for hardware-supported ACLs, displayed by the show tcam interface command (not supported in PFC3A mode). See this publication: http://www.cisco.com/en/US/docs/ios-xml/ios/interface/command/ir-s6.html#GUID-1D17939B-1C8F-422C-83CE-64B096DAD13D •When you enter the show policy-map interface command, sometimes the counters that are displayed do not include all of the hardware switching platform counters. The following guidelines and restrictions apply to Cisco IOS ACLs configured for use with any feature: •You can apply Cisco IOS ACLs directly to Layer 3 ports and to VLAN interfaces. •You can apply VLAN ACLs and port ACLs to Layer 2 interfaces (see Chapter 51 "Configuring Port ACLs and VLAN ACLs"). •Each type of ACL (IP, IPX, and MAC) filters only traffic of the corresponding type. A Cisco IOS MAC ACL never matches IP or IPX traffic. •The PFC does not provide hardware support for Cisco IOS IPX ACLs. Cisco IOS IPX ACLs are supported in software on the route processor (RP). •By default, the RP sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group. With the ip unreachables command enabled (which is the default), the switch processor (SP) drops most of the denied packets in hardware and sends only a small number of packets to the RP to be dropped (10 packets per second, maximum), which generates ICMP-unreachable messages. To eliminate the load imposed on the RP CPU by the task of dropping denied packets and generating ICMP-unreachable messages, you can enter the no ip unreachables interface configuration command to disable ICMP unreachable messages, which allows all access group-denied packets to be dropped in hardware. •ICMP unreachable messages are not sent if a packet is denied by a VACL or a PACL. •Use named ACLs (instead of numbered ACLs) because this causes less CPU usage when creating or modifying ACL configurations and during system restarts. When you create ACL entries (or modify existing ACL entries), the software performs a CPU-intensive operation called an ACL merge to load the ACL configurations into the PFC hardware. An ACL merge also occurs when the startup configuration is applied during a system restart. With named ACLs, the ACL merge is triggered only when the user exits the named-acl configuration mode. However, with numbered ACLs, the ACL merge is triggered for every ACE definition and results in a number of intermediate merges during ACL configuration. Release 12.2(33)SXH and later releases support policy-based ACLs (PBACLs). The following sections describe PBACLs: •Understanding PBACLs •PBACL Guidelines and Restrictions •Configuring PBACL PBACLs provide the capability to apply access control policies across object groups. An object group is a group of users or servers. You define an object group as a group of IP addresses or as a group of protocol ports. You then create access control entries (ACEs) that apply a policy (such as permit or deny) to the object group. For example, a policy-based ACE can permit a group of users to access a group of servers. An ACE defined using a group name is equivalent to multiple ACEs (one applied to each entry in the object group). The system expands the PBACL ACE into multiple Cisco IOS ACEs (one ACE for each entry in the group) and populates the ACEs in the TCAM. Therefore, the PBACL feature reduces the number of entries you need to configure but does not reduce TCAM usage. If you make changes in group membership, or change the contents of an ACE that uses an access group, the system updates the ACEs in the TCAM. The following types of changes trigger the update: •Adding a member to a group •Deleting a member from a group •Modifying the policy statements in an ACE that uses an access group You configure a PBACL using extended Cisco IOS ACL configuration commands. As with regular ACEs, you can associate the same access policy with one or more interfaces. When you configure an ACE, you can use an object group to define the source, the destination, or both. When configuring PBACLs, note the following guidelines and restrictions: •PBACLs are supported on Layer 3 interfaces (such as routed interfaces and VLAN interfaces). •The PBACL feature only supports IPv4 ACEs. •The PBACL feature supports only Cisco IOS ACLs. It is not supported with any other features. The keywords reflexive and evaluate are not supported. •The PBACL feature supports only named Cisco IOS ACLs. It does not support numbered ACLs. •Feature interactions for policy-based ACLs are the same as for Cisco IOS ACLs. Configure PBACLs using the following tasks: •Configuring a PBACL IP Address Object Group •Configuring a PBACL Protocol Port Object Group •Configuring ACLs with PBACL Object Groups •Configuring PBACL on an Interface To create or modify a PBACL IP address object group, perform this task:
The following example creates an object group with three hosts and a network address: To create or modify a PBACL protocol port object group, perform this task:
The following example creates a port object group that matches protocol port 100 and any port greater than 200, except 300: To configure an ACL to use a PBACL object group, perform this task:
The following example creates an access list that permits packets from the users in myAG if the protocol ports match the ports specified in myPG: To configure a PBACL on an interface, use the ip access-group command. The command syntax and usage is the same as for Cisco IOS ACLs. For additional information, see the "Cisco IOS ACL Configuration Guidelines and Restrictions" section. The following example shows how to associate access list my-pbacl-policy with VLAN 100: ACLs are implemented in hardware in the Policy Feature Card (PFC), which uses the source or destination IP address and port number in the packet to index the ACL table. The index has a maximum address length of 128 bits. The IP address field in an IPv6 packet is 128 bits, and the port field is 16 bits. To use full IPv6 addresses in the ACL hardware table, you can turn on compression of IPv6 addresses using the mls ipv6 acl compress address unicast command. This feature compresses the IPv6 address (including port) into 128 bits by removing 16 unused bits from the IPv6 address. Compressible address types can be compressed without losing any information. See Table 49-1 for details about the compression methods. By default, the command is set for no compression.
To turn on the compression of IPv6 addresses, enter the mls ipv6 acl compress address unicast command. To turn off the compression of IPv6 addresses, enter the no form of this command. This example shows how to turn on address compression for IPv6 addresses: This example shows how to turn off address compression for IPv6 addresses: These sections describe optimized ACL logging (OAL): •Understanding OAL •OAL Guidelines and Restrictions •Configuring OAL OAL provides hardware support for ACL logging. Unless you configure OAL, packets that require logging are processed completely in software on the RP. OAL permits or drops packets in hardware on the PFC3 and uses an optimized routine to send information to the RP to generate the logging messages. The following guidelines and restrictions apply to OAL: •OAL and VACL capture are incompatible. Do not configure both features on the switch. With OAL configured, use SPAN to capture traffic. •OAL is supported only on the PFC3. •OAL supports only IPv4 unicast packets. •OAL supports VACL logging of permitted ingress traffic. •OAL does not support port ACLs (PACLs). •OAL does not provide hardware support for the following: –Reflexive ACLs –ACLs used to filter traffic for other features (for example, QoS) –ACLs for unicast reverse path forwarding (uRPF) check exceptions –Exception packets (for example, TTL failure and MTU failure) –Packets with IP options –Packets addressed at Layer 3 to the router –Packets sent to the RP to generate ICMP unreachable messages –Packets being processed by features not accelerated in hardware •To provide OAL support for denied packets, enter the mls rate-limit unicast ip icmp unreachable acl-drop 0 command. •OAL and the mls verify ip length minimum command are incompatible. Do not configure both. These sections describe how to configure OAL: •Configuring OAL Global Parameters •Configuring OAL on an Interface •Displaying OAL Information •Clearing Cached OAL Entries Note•For complete syntax and usage information for the commands used in this section, see the Cisco IOS Master Command List. •To provide OAL support for denied packets, enter the mls rate-limit unicast ip icmp unreachable acl-drop 0 command. To configure global OAL parameters, perform this task:
When configuring OAL global parameters, note the following information: •entries number_of_entries –Sets the maximum number of entries cached. –Range: 0-1,048,576 (entered without commas). –Default: 8192. •interval seconds –Sets the maximum time interval before an entry is sent to be logged. Also if the entry is inactive for this duration it is removed from the cache. –Range: 5-86,400 (1440 minutes or 24 hours, entered without commas). –Default: 300 seconds (5 minutes). •rate-limit number_of_packets –Sets the number of packets logged per second in software. –Range: 10-1,000,000 (entered without commas). –Default: 0 (rate limiting is off and all packets are logged). •threshold number_of_packets –Sets the number of packet matches before an entry is logged. –Range: 1-1,000,000 (entered without commas). –Default: 0 (logging is not triggered by the number of packet matches). To configure OAL on an interface, perform this task:
To display OAL information, perform this task:
To clear cached OAL entries, perform this task:
These sections describe guidelines and restrictions when configuring ACLs that include Layer 4 port operations: •Determining Layer 4 Operation Usage •Determining Logical Operation Unit Usage You can specify these types of operations: •gt (greater than) •lt (less than) •neq (not equal) •eq (equal) •range (inclusive range) We recommend that you do not specify more than nine different operations on the same ACL. If you exceed this number, each new operation might cause the affected ACE to be translated into more than one ACE. Use the following two guidelines to determine Layer 4 operation usage: •Layer 4 operations are considered different if the operator or the operand differ. For example, in this ACL there are three different Layer 4 operations ("gt 10" and "gt 11" are considered two different Layer 4 operations): Note There is no limit to the use of "eq" operators as the "eq" operator does not use a logical operator unit (LOU) or a Layer 4 operation bit. See the "Determining Logical Operation Unit Usage" section for a description of LOUs. •Layer 4 operations are considered different if the same operator/operand couple applies once to a source port and once to a destination port. For example, in this ACL there are two different Layer 4 operations because one ACE applies to the source port and one applies to the destination port. Logical operation units (LOUs) are registers that store operator-operand couples. All ACLs use LOUs. There can be up to 32 LOUs; each LOU can store two different operator-operand couples with the exception of the range operator. LOU usage per Layer 4 operation is as follows: •gt uses 1/2 LOU •lt uses 1/2 LOU •neq uses 1/2 LOU •range uses 1 LOU •eq does not require a LOU For example, this ACL would use a single LOU to store two different operator-operand couples: A more detailed example follows: The Layer 4 operations and LOU usage is as follows: •ACL1 Layer 4 operations: 5 •ACL2 Layer 4 operations: 4 •LOUs: 4 An explanation of the LOU usage follows: •LOU 1 stores "gt 10" and "lt 9" •LOU 2 stores "gt 11" and "neq 6" •LOU 3 stores "gt 20" (with space for one more) •LOU 4 stores "range 11 13" (range needs the entire LOU) Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 3 This chapter describes the command-line interfaces (CLIs) you use to configure the switches supported by Cisco IOS Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see these publications: •The Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html •The Release 12.2 publications at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuration_guides_list.html Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter consists of these sections: •Accessing the CLI •Performing Command Line Processing •Performing History Substitution •Cisco IOS Command Modes •Displaying a List of Cisco IOS Commands and Syntax •Securing the CLI •ROM-Monitor Command-Line Interface These sections describe accessing the CLI: •Accessing the CLI through the EIA/TIA-232 Console Interface •Accessing the CLI through Telnet Note EIA/TIA-232 was known as recommended standard 232 (RS-232) before its acceptance as a standard by the Electronic Industries Alliance (EIA) and Telecommunications Industry Association (TIA). Perform initial configuration over a connection to the EIA/TIA-232 console interface. See the Catalyst 6500 Series Switch Module Installation Guide for console interface cable connection procedures. To make a console connection, perform this task:
After making a console connection, you see this display: Note Before you can make a Telnet connection to the switch, you must configure an IP address (see the "Configuring IPv4 Routing and Addresses" section). The switch supports up to eight simultaneous Telnet sessions. Telnet sessions disconnect automatically after remaining idle for the period specified with the exec-timeout command. To make a Telnet connection to the switch, perform this task:
This example shows how to open a Telnet session to the switch: Commands are not case sensitive. You can abbreviate commands and parameters if the abbreviations contain enough letters to be different from any other currently available commands or parameters. You can scroll through the last 20 commands stored in the history buffer, and enter or edit the command at the prompt. Table 2-1 lists the keyboard shortcuts for entering and editing commands.
The history buffer stores the last 20 commands you entered. History substitution allows you to access these commands without retyping them, by using special abbreviated commands. Table 2-2 lists the history substitution commands.
Note For complete information about Cisco IOS command modes, see the Cisco IOS Configuration Fundamentals Configuration Guide at this URL: http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/ffun_c.html The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. To get a list of the commands in a given mode, type a question mark (?) at the system prompt. See the "Displaying a List of Cisco IOS Commands and Syntax" section. When you start a session on the switch, you begin in user mode, often called user EXEC mode. Only a limited subset of the commands are available in EXEC mode. To have access to all commands, you must enter privileged EXEC mode. Normally, you must type in a password to access privileged EXEC mode. From privileged EXEC mode, you can type in any EXEC command or access global configuration mode. The configuration modes allow you to make changes to the running configuration. If you later save the configuration, these commands are stored across reboots. You must start at global configuration mode. From global configuration mode, you can enter interface configuration mode, subinterface configuration mode, and a variety of protocol-specific modes. Note With Release 12.1(11b)E and later, when you are in configuration mode you can enter EXEC mode-level commands by entering the do keyword before the EXEC mode-level command. ROM-monitor mode is a separate mode used when the switch cannot boot properly. For example, the switch might enter ROM-monitor mode if it does not find a valid system image when it is booting, or if its configuration file is corrupted at startup. See the "ROM-Monitor Command-Line Interface" section. Table 2-3 lists and describes frequently used Cisco IOS modes.
The Cisco IOS command interpreter, called the EXEC, interprets and executes the commands you enter. You can abbreviate commands and keywords by entering just enough characters to make the command unique from other commands. For example, you can abbreviate the show command to sh and the configure terminal command to config t. When you type exit, the switch backs out one level. To exit configuration mode completely and return to privileged EXEC mode, press Ctrl-Z. In any command mode, you can display a list of available commands by entering a question mark (?). To display a list of commands that begin with a particular character sequence, type in those characters followed by the question mark (?). Do not include a space. This form of help is called word help because it completes a word for you. To display keywords or arguments, enter a question mark in place of a keyword or argument. Include a space before the question mark. This form of help is called command syntax help because it reminds you which keywords or arguments are applicable based on the command, keywords, and arguments you have already entered. For example: To redisplay a command you previously entered, press the up arrow key or Ctrl-P. You can continue to press the up arrow key to see the last 20 commands you entered. Tip If you are having trouble entering a command, check the system prompt, and enter the question mark (?) for a list of available commands. You might be in the wrong command mode or using incorrect syntax. Enter exit to return to the previous mode. Press Ctrl-Z or enter the end command in any mode to immediately return to privileged EXEC mode. Securing access to the CLI prevents unauthorized users from viewing configuration settings or making configuration changes that can disrupt the stability of your network or compromise your network security. You can create a strong and flexible security scheme for your switch by configuring one or more of these security features: •Protecting access to privileged EXEC commands At a minimum, you should configure separate passwords for the user EXEC and privileged EXEC (enable) IOS command modes. You can further increase the level of security by configuring username and password pairs to limit access to CLI sessions to specific users. For more information, see "Configuring Security with Passwords, Privilege Levels, and Login Usernames for CLI Sessions on Networking Devices" at this URL: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_sec_4cli.html •Controlling switch access with RADIUS, TACACS+, or Kerberos For a centralized and scalable security scheme, you can require users to be authenticated and authorized by an external security server running either Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access-Control System Plus (TACACS+), or Kerberos. For more information about RADIUS, see "Configuring RADIUS" at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrad.html For more information about TACACS+, see "Configuring TACACS+" at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scftplus.html For more information about Kerberos, see "Configuring Kerberos" at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfkerb.html •Configuring a secure connection with SSH or HTTPS To prevent eavesdropping of your configuration session, you can use a Secure Shell (SSH) client or a browser that supports HTTP over Secure Socket Layer (HTTPS) to make an encrypted connection to the switch. For more information about SSH, see "Configuring Secure Shell" at this URL: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-2sx/sec-secure-copy.html For more information about HTTPS, see "HTTPS - HTTP Server and Client with SSL 3.0" at this URL: http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_sec_4cli.html •Copying configuration files securely with SCP To prevent eavesdropping when copying configuration files or image files to or from the switch, you can use the Secure Copy Protocol (SCP) to perform an encrypted file transfer. For more information about SCP, see "Secure Copy" at this URL: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/12-2sy/sec-usr-ssh-sec-copy.html For additional information about securing the CLI, see "Cisco IOS Security Configuration Guide: Securing User Services, Release 12.2SX" at this URL: http://www.cisco.com/en/US/docs/ios-xml/ios/security/config_library/12-2sx/secuser-12-2sx-library.html The ROM-monitor is a ROM-based program that executes upon platform power-up, reset, or when a fatal exception occurs. The switch enters ROM-monitor mode if it does not find a valid software image, if the NVRAM configuration is corrupted, or if the configuration register is set to enter ROM-monitor mode. From the ROM-monitor mode, you can load a software image manually from flash memory, from a network server file, or from bootflash. You can also enter ROM-monitor mode by restarting and pressing the Break key during the first 60 seconds of startup. Note The Break key is always enabled for 60 seconds after rebooting, regardless of whether the Break key is configured to be off by configuration register settings. To access the ROM-monitor mode through a terminal server, you can escape to the Telnet prompt and enter the send break command for your terminal emulation program to break into ROM-monitor mode. Once you are in ROM-monitor mode, the prompt changes to rommon 1>. Enter a question mark (?) to see the available ROM-monitor commands. For more information about the ROM-monitor commands, see the Cisco IOS Master Command List. Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 4
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language. Page 5
This chapter describes how to use the Mini Protocol Analyzer on the Catalyst 6500 series switches. Release 12.2(33)SXI and later releases support the Mini Protocol Analyzer feature. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter consists of these sections: The Mini Protocol Analyzer captures network traffic from a SPAN session and stores the captured packets in a local memory buffer. Using the provided filtering options, you can limit the captured packets to:
You can start and stop the capture using immediate commands, or you can schedule the capture to begin at a specified date and time. The captured data can be displayed on the console, stored to a local file system, or exported to an external server using normal file transfer protocols. The format of the captured file is libpcap, which is supported by many packet analysis and sniffer programs. Details of this format can be found at the following URL: http://www.tcpdump.org/ By default, only the first 68 bytes of each packet are captured. To configure a capture session using the Mini Protocol Analyzer, perform this task:
When configuring a capture session, note the following information:
Note When configuring a source interface list, you must enter a space before and after the comma. When configuring a source interface range, you must enter a space before and after the dash.
Note When configuring a source VLAN list, do not enter a space before or after the comma. When configuring a source VLAN range, do not enter a space before or after the dash. Note that this requirement differs from the requirement for source interface lists and ranges.
Note Ignore the Rate-limiter is not configurable system message.
Several options are provided for filtering the packets to be captured. Filtering by ACL and VLAN is performed in hardware before any rate-limiting is applied; all other filters are executed in software. Software filtering can decrease the capture rate. To filter the packets to be captured by the Mini Protocol Analyzer, perform this task in capture session configuration mode:
When configuring capture filtering, note the following information:
Note When configuring a filter VLAN list, you must enter a space before and after the comma. When configuring a filter VLAN range, you must enter a space before and after the dash. Note that this requirement differs from the requirement for source VLAN lists and ranges described in the preceding section.
Note After removing a VLAN filter using the no keyword, you must exit configuration mode, reenter the capture configuration mode, and issue the source vlan command before making other capture configuration changes.
The commands to start and stop a capture are not stored as configuration settings. These commands are executed from the console in EXEC mode. You can start a capture immediately or you can set a future date and time for the capture to start. The capture ends when one of the following conditions occurs:
When the capture stops, the SPAN session is ended and no further capture session packets are forwarded to the processor. When starting a packet capture, you have the option to override some configured settings. To start, stop, or cancel a capture, perform this task:
When using these commands, note the following information:
To display the captured packets or information about the capture session, or to export the captured packets for analysis, perform this task:
This section provides examples for configuring the Mini Protocol Analyzer, for starting and stopping a capture session, and for displaying the results of a capture session. This example shows how to minimally configure the Mini Protocol Analyzer: This example shows how to configure the buffer size, session description, and rate limit: This example shows how to configure the source as a mixed list of ports: This example shows how to configure the source as a mixed list of VLANs: This example shows how to configure for capturing packets with the following attributes:
Router(config-mon-capture)# filter ethertype 0x8100 This example shows how to capture packets whose size is less than 128 bytes: Router(config-mon-capture)# filter length 0 128 This example shows how to capture packets whose size is more than 256 bytes: Router(config-mon-capture)# filter length 256 9216 This example shows how to start and stop a capture: This example shows how to start a capture to end after 60 seconds: This example shows how to start a capture at a future date and time: This example shows how to start a capture with options to override the buffer size and to change to a circular buffer: This example shows how to export the capture buffer to an external server and a local disk: These examples show how to display configuration information, session status, and capture buffer contents. To display the capture session configuration, enter the show monitor capture command. This example shows how to display more details using the show monitor session n command: This example shows how to display the full details using the show monitor session n detail command: To display the capture session status, enter the show monitor capture status command. To display the capture session contents, enter the show monitor capture buffer command. These examples show the resulting display using several options of this command: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 6 This chapter describes how to configure local Switched Port Analyzer (SPAN), remote SPAN (RSPAN), and Encapsulated RSPAN (ERSPAN) in Cisco IOS Release 12.2SX. Note•For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html •SPA ports and FlexWAN ports do not support SPAN, RSPAN, or ERSPAN. Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter consists of these sections: •Understanding Local SPAN, RSPAN, and ERSPAN •Local SPAN, RSPAN, and ERSPAN Configuration Guidelines and Restrictions •Configuring Local SPAN, RSPAN, and ERSPAN These sections describe how local SPAN, RSPAN, and ERSPAN work: •Local SPAN, RSPAN, and ERSPAN Overview •Local SPAN, RSPAN, and ERSPAN Sources •Local SPAN, RSPAN, and ERSPAN Destinations SPAN copies traffic from one or more CPUs, one or more ports, one or more EtherChannels, or one or more VLANs, and sends the copied traffic to one or more destinations for analysis by a network analyzer such as a SwitchProbe device or other Remote Monitoring (RMON) probe. Traffic can also be sent to the processor for packet capture by the Mini Protocol Analyzer, as described in Chapter 72 "Using the Mini Protocol Analyzer." SPAN does not affect the switching of traffic on sources. You must dedicate the destination for SPAN use. The SPAN-generated copies of traffic compete with user traffic for switch resources. These sections provide an overview of local SPAN, RSPAN, and ERSPAN: •Local SPAN Overview •RSPAN Overview •ERSPAN Overview •Understanding the Traffic Monitored at SPAN Sources A local SPAN session is an association of source ports and source VLANs with one or more destinations. You configure a local SPAN session on a single switch. Local SPAN does not have separate source and destination sessions. Local SPAN sessions do not copy locally sourced RSPAN VLAN traffic from source trunk ports that carry RSPAN VLANs. Local SPAN sessions do not copy locally sourced RSPAN GRE-encapsulated traffic from source ports. Each local SPAN session can have either ports or VLANs as sources, but not both. Local SPAN copies traffic from one or more source ports in any VLAN or from one or more VLANs to a destination for analysis (see Figure 68-1). For example, as shown in Figure 68-1, all traffic on Ethernet port 5 (the source port) is copied to Ethernet port 10. A network analyzer on Ethernet port 10 receives all traffic from Ethernet port 5 without being physically attached to Ethernet port 5. Figure 68-1 Example SPAN Configuration RSPAN supports source ports, source VLANs, and destinations on different switches, which provides remote monitoring of multiple switches across your network (see Figure 68-2). RSPAN uses a Layer 2 VLAN to carry SPAN traffic between switches. RSPAN consists of an RSPAN source session, an RSPAN VLAN, and an RSPAN destination session. You separately configure RSPAN source sessions and destination sessions on different switches. To configure an RSPAN source session on one switch, you associate a set of source ports or VLANs with an RSPAN VLAN. To configure an RSPAN destination session on another switch, you associate the destinations with the RSPAN VLAN. The traffic for each RSPAN session is carried as Layer 2 nonroutable traffic over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches. All participating switches must be trunk-connected at Layer 2. RSPAN source sessions do not copy locally sourced RSPAN VLAN traffic from source trunk ports that carry RSPAN VLANs. RSPAN source sessions do not copy locally sourced RSPAN GRE-encapsulated traffic from source ports. Each RSPAN source session can have either ports or VLANs as sources, but not both. The RSPAN source session copies traffic from the source ports or source VLANs and switches the traffic over the RSPAN VLAN to the RSPAN destination session. The RSPAN destination session switches the traffic to the destinations. Figure 68-2 RSPAN Configuration ERSPAN supports source ports, source VLANs, and destinations on different switches, which provides remote monitoring of multiple switches across your network (see Figure 68-3). ERSPAN uses a GRE tunnel to carry traffic between switches. ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE-encapsulated traffic, and an ERSPAN destination session. You separately configure ERSPAN source sessions and destination sessions on different switches. To configure an ERSPAN source session on one switch, you associate a set of source ports or VLANs with a destination IP address, ERSPAN ID number, and optionally with a VRF name. To configure an ERSPAN destination session on another switch, you associate the destinations with the source IP address, ERSPAN ID number, and optionally with a VRF name. ERSPAN source sessions do not copy locally sourced RSPAN VLAN traffic from source trunk ports that carry RSPAN VLANs. ERSPAN source sessions do not copy locally sourced ERSPAN GRE-encapsulated traffic from source ports. Each ERSPAN source session can have either ports or VLANs as sources, but not both. The ERSPAN source session copies traffic from the source ports or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the ERSPAN destination session. The ERSPAN destination session switches the traffic to the destinations. Figure 68-3 ERSPAN Configuration These sections describe the traffic that local SPAN, RSPAN, and ERSPAN sources can monitor: •Monitored Traffic Direction •Monitored Traffic Type •Duplicate Traffic You can configure local SPAN sessions, RSPAN source sessions, and ERSPAN source sessions to monitor the following traffic: •Ingress traffic –Called ingress SPAN. –Copies traffic received by the sources (ingress traffic). –Ingress traffic is sent to the supervisor engine SPAN ASIC to be copied. •Egress traffic –Called egress SPAN. –Copies traffic transmitted from the sources (egress traffic). –Distributed egress SPAN mode—With Release 12.2(33)SXH and later releases, on some fabric-enabled switching modules, egress traffic can be copied locally by the switching module SPAN ASIC and then sent to the SPAN destinations. See the "Distributed Egress SPAN Mode Guidelines and Restrictions" section for information about switching modules that support distributed egress SPAN mode. –Centralized egress SPAN mode—On all other switching modules, egress traffic is sent to the supervisor engine SPAN ASIC to be copied and is then sent to the SPAN destinations. •Both –Copies both the received traffic and the transmitted traffic (ingress and egress traffic). –Both ingress traffic and egress traffic is sent to the supervisor engine SPAN ASIC to be copied. By default, local SPAN and ERSPAN monitor all traffic, including multicast and bridge protocol data unit (BPDU) frames. RSPAN does not support BPDU monitoring. In some configurations, SPAN sends multiple copies of the same source traffic to the destination. For example, in a configuration with a bidirectional SPAN session (both ingress and egress) for two SPAN sources, called s1 and s2, to a SPAN destination, called d1, if a packet enters the switch through s1 and is sent for egress from the switch to s2, ingress SPAN at s1 sends a copy of the packet to SPAN destination d1 and egress SPAN at s2 sends a copy of the packet to SPAN destination d1. If the packet was Layer 2 switched from s1 to s2, both SPAN packets would be the same. If the packet was Layer 3 switched from s1 to s2, the Layer 3 rewrite would alter the source and destination Layer 2 addresses, in which case the SPAN packets would be different. These sections describe local SPAN, RSPAN, and ERSPAN sources: •Source CPUs •Source Ports and EtherChannels •Source VLANs A source CPU is a CPU monitored for traffic analysis. With Release 12.2(33)SXH and later releases, you can configure both the SP CPU and the RP CPU as SPAN sources. These are examples of what you can do with the data generated by CPU monitoring: •Develop baseline information about CPU traffic. •Develop information to use when creating control plane policing (CoPP) policies. •Troubleshoot CPU-related issues (for example, high CPU utilization). Note•CPU SPAN monitors CPU traffic from the perspective of the ASICs that send and receive the CPU traffic, rather than from onboard the CPUs themselves. •Traffic to and from the CPU is tagged with VLAN IDs. You can configure source VLAN filtering of the CPU traffic. A source port or EtherChannel is a port or EtherChannel monitored for traffic analysis. You can configure both Layer 2 and Layer 3 ports and EtherChannels as SPAN sources. SPAN can monitor one or more source ports or EtherChannels in a single SPAN session. You can configure ports or EtherChannels in any VLAN as SPAN sources. Trunk ports or EtherChannels can be configured as sources and mixed with nontrunk sources. Note SPAN does not copy the encapsulation from trunk sources. You can configure SPAN destinations as trunks to tag the monitored traffic before it is transmitted for analysis. A source VLAN is a VLAN monitored for traffic analysis. VLAN-based SPAN (VSPAN) uses a VLAN as the SPAN source. All the ports and EtherChannels in the source VLANs become sources of SPAN traffic. Note Layer 3 VLAN interfaces on source VLANs are not sources of SPAN traffic. Traffic that enters a VLAN through a Layer 3 VLAN interface is monitored when it is transmitted from the switch through an egress port or EtherChannel that is in the source VLAN. A SPAN destination is a Layer 2 or Layer 3 port or, with Release 12.2(33)SXH and later releases, an EtherChannel, to which local SPAN, RSPAN, or ERSPAN sends traffic for analysis. When you configure a port or EtherChannel as a SPAN destination, it is dedicated for use only by the SPAN feature. Destination EtherChannels do not support the Port Aggregation Control Protocol (PAgP) or Link Aggregation Control Protocol (LACP) EtherChannel protocols; only the on mode is supported, with all EtherChannel protocol support disabled. There is no requirement that the member links of a destination EtherChannel be connected to a device that supports EtherChannels. For example, you can connect the member links to separate network analyzers. See Chapter 19 "Configuring EtherChannels," for more information about EtherChannel. Destinations, by default, cannot receive any traffic. With Release 12.2(33)SXH and later releases, you can configure Layer 2 destinations to receive traffic from any attached devices. Destinations, by default, do not transmit anything except SPAN traffic. Layer 2 destinations that you have configured to receive traffic can be configured to learn the Layer 2 address of any devices attached to the destination and transmit traffic that is addressed to the devices. You can configure trunks as destinations, which allows trunk destinations to transmit encapsulated traffic. You can use allowed VLAN lists to configure destination trunk VLAN filtering. These sections describe local SPAN, RSPAN, and ERSPAN configuration guidelines and restrictions: •General Guidelines and Restrictions •Feature Incompatibilities •Local SPAN, RSPAN, and ERSPAN Session Limits •Local SPAN, RSPAN, and ERSPAN Interface Limits •Local SPAN, RSPAN, and ERSPAN Guidelines and Restrictions •VSPAN Guidelines and Restrictions •RSPAN Guidelines and Restrictions •ERSPAN Guidelines and Restrictions •Distributed Egress SPAN Mode Guidelines and Restrictions Use SPAN for troubleshooting. Except in carefully planned topologies, SPAN consumes too many switch and network resources to enable permanently. Exercise all possible care when enabling and configuring SPAN. The traffic copied by SPAN can impose a significant load on the switch and the network. To minimize the load, configure SPAN to copy only the specific traffic that you want to analyze. Select sources that carry as little unwanted traffic as possible. For example, a port as a SPAN source might carry less unwanted traffic than a VLAN. Note To monitor traffic that can be matched with an ACL, consider using VACL capture. Before enabling SPAN, carefully evaluate the SPAN source traffic rates, and consider the performance implications and possible oversubscription points, which include these: •SPAN destination •Fabric channel •Rewrite/replication engine •Forwarding engine (PFC/DFC) To avoid disrupting traffic, do not oversubscribe any of these points in your SPAN topology. Some oversubscription and performance considerations are: •SPAN doubles traffic internally •SPAN adds to the traffic being processed by the switch fabric •SPAN doubles forwarding engine load •The supervisor engine handles the entire load imposed by egress SPAN (also called transmit SPAN). Note Egress SPAN should only be enabled for short periods of time during active troubleshooting. •The ingress modules handle the load imposed by ingress SPAN sources (also called receive SPAN) on each module. Ingress SPAN adds to rewrite/replication engine load. These feature incompatibilities exist with local SPAN, RSPAN, and ERSPAN: •In releases where CSCth62957 is not resolved, in PFC3B mode or PFC3BXL mode, the xconnect target_ip_address vc_value encapsulation mpls command might cause traffic to loop continuously with these SPAN configurations: –If the xconnect target_ip_address vc_value encapsulation mpls command is configured on a physical interface, the CLI prevents configuration of that port as part of a SPAN session. –If a SPAN session is configured on a physical port and you attempt to configure the xconnect target_ip_address vc_value encapsulation mpls command, the CLI prints a warning that recommends against the configuration. –If the xconnect target_ip_address vc_value encapsulation mpls command is configured on a physical interface, you should not configure source cpu {rp | sp} in any SPAN session, but the CLI does not enforce any restriction. –If a SPAN session is configured with source cpu {rp | sp} and you attempt to configure the xconnect target_ip_address vc_value encapsulation mpls command, the CLI does not enforce any restriction. •In releases where CSCth62957 is resolved, to avoid a configuration that might cause traffic to loop continuously, the CLI enforces these restrictions in PFC3B mode or PFC3BXL mode: –If the xconnect target_ip_address vc_value encapsulation mpls command is configured on a physical interface, the CLI prevents configuration of that port as part of a SPAN session. –If a SPAN session is configured on a physical port and you attempt to configure the the xconnect target_ip_address vc_value encapsulation mpls command command on that port, the CLI prints a warning that recommends against the configuration. –If the the xconnect target_ip_address vc_value encapsulation mpls command command is configured on a physical interface, you cannot configure source cpu {rp | sp} in any SPAN session. –If a SPAN session is configured with source cpu {rp | sp} and you attempt to configure the xconnect target_ip_address vc_value encapsulation mpls command, the CLI prints a warning that recommends against the configuration. •Egress SPAN is not supported in egress multicast mode. (CSCsa95965) •Unknown unicast flood blocking (UUFB) ports cannot be RSPAN or local SPAN egress-only destinations. (CSCsj27695) •Except in PFC3C mode or PFC3CXL mode, Ethernet over MultiProtocol Label Switching (EoMPLS) ports cannot be SPAN sources. (CSCed51245) •A port-channel interface (an EtherChannel) can be a SPAN source, but you cannot configure active member ports of an EtherChannel as SPAN source ports. Inactive member ports of an EtherChannel can be configured as SPAN sources but they are put into the suspended state and carry no traffic. •These features are incompatible with SPAN destinations: –Private VLANs –IEEE 802.1X port-based authentication –Port security –Spanning Tree Protocol (STP) and related features (PortFast, PortFast BPDU filtering, BPDU Guard, UplinkFast, BackboneFast, EtherChannel Guard, Root Guard, Loop Guard) –VLAN trunk protocol (VTP) –Dynamic trunking protocol (DTP) –IEEE 802.1Q tunneling Note•SPAN destinations can participate in IEEE 802.3Z flow control. •IP multicast switching using egress packet replication is not compatible with SPAN. In some cases, egress replication can result in multicast packets not being sent to the SPAN destination port. If you are using SPAN and your switching modules are capable of egress replication, enter the mls ip multicast replication-mode ingress command to force ingress replication. With Release 12.2(33)SXH and later releases, these are the PFC3 local SPAN, RSPAN, and ERSPAN session limits:
With Release 12.2(33)SXH and later releases, these are the PFC3 local SPAN, RSPAN, and ERSPAN source and destination interface limits:
These guidelines and restrictions apply to local SPAN, RSPAN, and ERSPAN: •A SPAN destination that is copying traffic from a single egress SPAN source port sends only egress traffic to the network analyzer. If you configure more than one egress SPAN source port, the traffic that is sent to the network analyzer also includes these types of ingress traffic that were received from the egress SPAN source ports: –Any unicast traffic that is flooded on the VLAN –Broadcast and multicast traffic This situation occurs because an egress SPAN source port receives these types of traffic from the VLAN but then recognizes itself as the source of the traffic and drops it instead of sending it back to the source from which it was received. Before the traffic is dropped, SPAN copies the traffic and sends it to the SPAN destination. (CSCds22021) •Entering additional monitor session commands does not clear previously configured SPAN parameters. You must enter the no monitor session command to clear configured SPAN parameters. •Connect a network analyzer to the SPAN destinations. •Within a SPAN session, all of the SPAN destinations receive all of the traffic from all of the SPAN sources, except when source-VLAN filtering is configured on the SPAN source. •You can configure destination trunk VLAN filtering to select which traffic is transmitted from the SPAN destination. •You can configure both Layer 2 LAN ports (LAN ports configured with the switchport command) and Layer 3 LAN ports (LAN ports not configured with the switchport command) as sources or destinations. •You cannot mix individual source ports and source VLANs within a single session. •If you specify multiple ingress source ports, the ports can belong to different VLANs. •Within a session, you cannot configure both VLANs as SPAN sources and do source VLAN filtering. You can configure VLANs as SPAN sources or you can do source VLAN filtering of traffic from source ports and EtherChannels, but not both in the same session. •You cannot configure source VLAN filtering for internal VLANs. •When enabled, local SPAN, RSPAN, and ERSPAN use any previously entered configuration. •When you specify sources and do not specify a traffic direction (ingress, egress, or both), "both" is used by default. •SPAN copies Layer 2 Ethernet frames, but SPAN does not copy source trunk port ISL or 802.1Q tags. You can configure destinations as trunks to send locally tagged traffic to the traffic analyzer. Note A destination configured as a trunk tags traffic from a Layer 3 LAN source with the internal VLAN used by the Layer 3 LAN source. •Local SPAN sessions, RSPAN source sessions, and ERSPAN source sessions do not copy locally sourced RSPAN VLAN traffic from source trunk ports that carry RSPAN VLANs. •Local SPAN sessions, RSPAN source sessions, and ERSPAN source sessions do not copy locally sourced ERSPAN GRE-encapsulated traffic from source ports. •With Release 12.2(33)SXH and later, SPAN sessions can share destinations. •SPAN destinations cannot be SPAN sources. •Destinations never participate in any spanning tree instance. Local SPAN includes BPDUs in the monitored traffic, so any BPDUs seen on the destination are from the source. RSPAN does not support BPDU monitoring. •All packets forwarded through the switch for transmission from a port that is configured as an egress SPAN source are copied to the SPAN destination, including packets that do not exit the switch through the egress port because STP has put the egress port into the blocking state, or on an egress trunk port because STP has put the VLAN into the blocking state on the trunk port. Note Local SPAN, RSPAN, and ERSPAN all support VSPAN. These are VSPAN guidelines and restrictions: •VSPAN sessions do not support source VLAN filtering. •For VSPAN sessions with both ingress and egress configured, two packets are forwarded from the destination to the analyzer if the packets get switched on the same VLAN (one as ingress traffic from the ingress port and one as egress traffic from the egress port). •VSPAN only monitors traffic that leaves or enters Layer 2 ports in the VLAN. –If you configure a VLAN as an ingress source and traffic gets routed into the monitored VLAN, the routed traffic is not monitored because it never appears as ingress traffic entering a Layer 2 port in the VLAN. –If you configure a VLAN as an egress source and traffic gets routed out of the monitored VLAN, the routed traffic is not monitored because it never appears as egress traffic leaving a Layer 2 port in the VLAN. These are RSPAN guidelines and restrictions: •All participating switches must be connected by Layer 2 trunks. •Any network device that supports RSPAN VLANs can be an RSPAN intermediate device. •Networks impose no limit on the number of RSPAN VLANs that the networks carry. •Intermediate network devices might impose limits on the number of RSPAN VLANs that they can support. •You must configure the RSPAN VLANs in all source, intermediate, and destination network devices. If enabled, the VLAN Trunking Protocol (VTP) can propagate configuration of VLANs numbered 1 through 1024 as RSPAN VLANs. You must manually configure VLANs numbered higher than 1024 as RSPAN VLANs on all source, intermediate, and destination network devices. •If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network. •RSPAN VLANs can be used only for RSPAN traffic. •Do not configure a VLAN used to carry management traffic as an RSPAN VLAN. •Do not assign access ports to RSPAN VLANs. RSPAN puts access ports in an RSPAN VLAN into the suspended state. •Do not configure any ports in an RSPAN VLAN except trunk ports selected to carry RSPAN traffic. •MAC address learning is disabled in the RSPAN VLAN. •You can use output access control lists (ACLs) on the RSPAN VLAN in the RSPAN source switch to filter the traffic sent to an RSPAN destination. •RSPAN does not support BPDU monitoring. •Do not configure RSPAN VLANs as sources in VSPAN sessions. •You can configure any VLAN as an RSPAN VLAN as long as all participating network devices support configuration of RSPAN VLANs and you use the same RSPAN VLAN for each RSPAN session in all participating network devices. These are ERSPAN guidelines and restrictions: •A WS-SUP720 (a Supervisor Engine 720 manufactured with a PFC3A) can only support ERSPAN if it has hardware version 3.2 or higher. Enter the show module version | include WS-SUP720-BASE command to display the hardware version. For example: •For ERSPAN packets, the "protocol type" field value in the GRE header is 0x88BE. •The payload of a Layer 3 ERSPAN packet is a copied Layer 2 Ethernet frame, excluding any ISL or 802.1Q tags. •ERSPAN adds a 50-byte header to each copied Layer 2 Ethernet frame and replaces the 4-byte cyclic redundancy check (CRC) trailer. •ERSPAN supports jumbo frames that contain Layer 3 packets of up to 9,202 bytes. If the length of the copied Layer 2 Ethernet frame is greater than 9,170 (9,152-byte Layer 3 packet), ERSPAN truncates the copied Layer 2 Ethernet frame to create a 9,202-byte ERSPAN Layer 3 packet. Note The Layer 3 IP header in truncated packets retains the nontruncated Layer 3 packet size. The length consistency check between the Layer 2 frame and the Layer 3 packet on ERSPAN destinations that are 6500 switches drops truncated ERSPAN packets unless you configure the no mls verify ip length consistent global configuration command on the ERSPAN destination 6500 switch. •Regardless of any configured MTU size, ERSPAN creates Layer 3 packets that can be as long as 9,202 bytes. ERSPAN traffic might be dropped by any interface in the network that enforces an MTU size smaller than 9,202 bytes. •With the default MTU size (1,500 bytes), if the length of the copied Layer 2 Ethernet frame is greater than 1,468 bytes (1,450-byte Layer 3 packet), the ERSPAN traffic is dropped by any interface in the network that enforces the 1,500-byte MTU size. Note The mtu interface command and the system jumbomtu command (see the "Configuring Jumbo Frame Support" section) set the maximum Layer 3 packet size (default is 1,500 bytes, maximum is 9,216 bytes). •All participating switches must be connected at Layer 3 and the network path must support the size of the ERSPAN traffic. •ERSPAN does not support packet fragmentation. The "do not fragment" bit is set in the IP header of ERSPAN packets. ERSPAN destination sessions cannot reassemble fragmented ERSPAN packets. •ERSPAN traffic is subject to the traffic load conditions of the network. You can set the ERSPAN packet IP precedence or DSCP value to prioritize ERSPAN traffic for QoS. •The only supported destination for ERSPAN traffic is an ERSPAN destination session on a PFC3. •All ERSPAN source sessions on a switch must use the same origin IP address, configured with the origin ip address command (see the "Configuring ERSPAN Source Sessions" section). •All ERSPAN destination sessions on a switch must use the same IP address on the same destination interface. You enter the destination interface IP address with the ip address command (see the "Configuring ERSPAN Destination Sessions" section). •The ERSPAN source session's destination IP address, which must be configured on an interface on the destination switch, is the source of traffic that an ERSPAN destination session sends to the destinations. You configure the same address in both the source and destination sessions with the ip address command. •The ERSPAN ID differentiates the ERSPAN traffic arriving at the same destination IP address from various different ERSPAN source sessions. These are distributed egress SPAN mode guidelines and restrictions: •These switching modules disable distributed egress SPAN mode: –WS-X6502-10GE –WS-X6816-GBIC –WS-X6516-GBIC –WS-X6516-GE-TX –WS-X6524-100FX-MM –WS-X6548-RJ-45 –WS-X6548-RJ-21 With any of these switching modules installed, the egress SPAN mode is centralized. Enter the show monitor session egress replication-mode | include Operational|slot command to display any switching modules that disable distributed egress SPAN mode. If there are no modules installed that disable distributed egress SPAN mode, the command displays only the egress SPAN operational mode. •Some switching modules have ASICs that do not support distributed egress SPAN mode for ERSPAN sources. Enter the show monitor session egress replication-mode | include Distributed.*Distributed.*Centralized command to display the slot number of any switching modules that do not support distributed egress SPAN mode for ERSPAN sources. Enter the show asic-version slot slot_number command to display the versions of the ASICs on the switching module in the slot where distributed egress SPAN mode is not supported for ERSPAN sources. Hyperion ASIC revision levels 5.0 and higher and all versions of the Metropolis ASIC support distributed egress SPAN mode for ERSPAN sources. Switching modules with Hyperion ASIC revision levels lower than 5.0 do not support distributed egress SPAN mode for ERSPAN sources. These sections describe how to configure local SPAN, RSPAN, and ERSPAN: •Local SPAN, RSPAN, and ERSPAN Default Configuration •Configuring a Destination as an Unconditional Trunk (Optional) •Configuring Destination Trunk VLAN Filtering (Optional) •Configuring Destination Port Permit Lists (Optional) •Configuring the Egress SPAN Mode (Optional) •Configuring Local SPAN •Configuring RSPAN •Configuring ERSPAN •Configuring Source VLAN Filtering in Global Configuration Mode •Verifying the Configuration •Configuration Examples This section describes the local SPAN, RSPAN, and ERSPAN default configuration:
To tag the monitored traffic as it leaves a destination, configure the destination as a trunk before you configure it as a destination. To configure the destination as a trunk, perform this task:
This example shows how to configure a port as an unconditional IEEE 802.1Q trunk: Note Releases earlier than Release 12.2(33)SXH required you to enter the switchport nonegotiate command when you configured a destination port as an unconditional trunk. This requirement has been removed in Release 12.2(33)SXH and later releases. Note•In addition to filtering VLANs on a trunk, you can also apply the allowed VLAN list to access ports. •Destination trunk VLAN filtering is applied at the destination. Destination trunk VLAN filtering does not reduce the amount of traffic being sent from the SPAN sources to the SPAN destinations. When a destination is a trunk, you can use the list of VLANs allowed on the trunk to filter the traffic transmitted from the destination. (CSCeb01318) Destination trunk VLAN filtering removes the restriction that, within a SPAN session, all destinations receive all the traffic from all the sources. Destination trunk VLAN filtering allows you to select, on a per-VLAN basis, the traffic that is transmitted from each destination trunk to the network analyzer. To configure destination trunk VLAN filtering on a destination trunk, perform this task:
When configuring the list of VLANs allowed on a destination trunk port, note the following information: •The vlan parameter is either a single VLAN number from 1 through 4094, or a range of VLANs described by two VLAN numbers, the lesser one first, separated by a dash. Do not enter any spaces between comma-separated vlan parameters or in dash-specified ranges. •All VLANs are allowed by default. •To remove all VLANs from the allowed list, enter the switchport trunk allowed vlan none command. •To add VLANs to the allowed list, enter the switchport trunk allowed vlan add command. •You can modify the allowed VLAN list without removing the SPAN configuration. This example shows the configuration of a local SPAN session that has several VLANs as sources and several trunk ports as destinations, with destination trunk VLAN filtering that filters the SPAN traffic so that each destination trunk port transmits the traffic from one VLAN: To prevent accidental configuration of ports as destinations, you can create a permit list of the ports that are valid for use as destinations. With a destination port permit list configured, you can only configure the ports in the permit list as destinations. To configure a destination port permit list, perform this task:
This example shows how to configure a destination port permit list that includes Gigabit Ethernet ports 5/1 through 5/4 and 6/1: This example shows how to verify the configuration: With Release 12.2(33)SXH, Release 12.2(33)SXH1, and Release 12.2(33)SXH2, distributed egress SPAN mode is the default if there are no switching modules installed that disable it. With Release 12.2(33)SXH2a and later releases, centralized egress SPAN mode is the default. See the "Distributed Egress SPAN Mode Guidelines and Restrictions" section for information about switching modules that support distributed egress SPAN mode. With Release 12.2(33)SXH2a and later releases, to configure the egress SPAN mode, perform this task:
This example shows how to enable distributed egress SPAN mode: With Release 12.2(33)SXH, Release 12.2(33)SXH1, and Release 12.2(33)SXH2, to configure the egress SPAN mode, perform this task:
This example shows how to disable distributed egress SPAN mode: This example shows how to display the configured egress SPAN mode: These sections describe how to configure local SPAN sessions: •Configuring Local SPAN (SPAN Configuration Mode) •Configuring Local SPAN (Global Configuration Mode) Note To tag the monitored traffic as it leaves a destination, you must configure the destination to trunk unconditionally before you configure it as a destination (see the "Configuring a Destination as an Unconditional Trunk (Optional)" section). To configure a local SPAN session in SPAN configuration mode, perform this task:
When configuring monitor sessions, note the following information: •session_description can be up to 240 characters and cannot contain special characters; with Release 12.2(33)SXH and later releases, the description can contain spaces. Note You can enter 240 characters after the description command. •local_span_session_number can range from 1 to 80. •cpu rp is the route processor (RP). •cpu sp is the switch processor (SP). •single_interface is as follows: –interface type slot/port; type is fastethernet, gigabitethernet, or tengigabitethernet. –interface port-channel number Note Destination port channel interfaces must be configured with the channel-group group_num mode on command and the no channel-protocol command. See the "Configuring EtherChannels" section. •interface_list is single_interface , single_interface , single_interface ... Note In lists, you must enter a space before and after the comma. In ranges, you must enter a space before and after the dash. •interface_range is interface type slot/first_port - last_port. •mixed_interface_list is, in any order, single_interface , interface_range , ... •single_vlan is the ID number of a single VLAN. •vlan_list is single_vlan , single_vlan , single_vlan ... •vlan_range is first_vlan_ID - last_vlan_ID. •mixed_vlan_list is, in any order, single_vlan , vlan_range , ... •Enter the ingress keyword to configure destinations to receive traffic from attached devices. •Enter the learning keyword to enable MAC address learning from the destinations, which allows the switch to transmit traffic that is addressed to devices attached to the destinations. When configuring destinations with the ingress and learning keywords, note the following: –Configure the destinations for Layer 2 switching. See the "Configuring LAN Interfaces for Layer 2 Switching" section. –If the destination is a trunk and the attached device transmits tagged traffic back to the switch, you can use either ISL or 802.1Q trunking. –If the destination is a trunk and the attached device transmits untagged traffic back to the switch, use 802.1Q trunking with the native VLAN configured to accept the traffic from the attached device. –Do not configure the destinations with Layer 3 addresses. Use a VLAN interface to route traffic to and from devices attached to destinations. –Destinations are held in the down state. To route the traffic to and from attached devices, configure an additional active Layer 2 port in the VLAN to keep the VLAN interface up. This example shows how to configure session 1 to monitor ingress traffic from Gigabit Ethernet port 1/1 and configure Gigabit Ethernet port 1/2 as the destination: For additional examples, see the "Configuration Examples" section. Note•To tag the monitored traffic as it leaves a destination, you must configure the destination to trunk unconditionally before you configure it as a destination (see the "Configuring a Destination as an Unconditional Trunk (Optional)" section). •You can configure up to two local SPAN sessions in global configuration mode. •You can use SPAN configuration mode for all SPAN configuration tasks. •You must use SPAN configuration mode to configure the supported maximum number of SPAN sessions. Local SPAN does not use separate source and destination sessions. To configure a local SPAN session, configure local SPAN sources and destinations with the same session number. To configure a local SPAN session, perform this task:
When configuring local SPAN sessions, note the following information: •local_span_session_number can range from 1 to 80. •single_interface is as follows: –interface type slot/port; type is fastethernet, gigabitethernet, or tengigabitethernet. –interface port-channel number Note Destination port channel interfaces must be configured with the channel-group group_num mode on command and the no channel-protocol command. See the "Configuring EtherChannels" section. •interface_list is single_interface , single_interface , single_interface ... Note In lists, you must enter a space before and after the comma. In ranges, you must enter a space before and after the dash. •interface_range is interface type slot/first_port - last_port. •mixed_interface_list is, in any order, single_interface , interface_range , ... •single_vlan is the ID number of a single VLAN. •vlan_list is single_vlan , single_vlan , single_vlan ... •vlan_range is first_vlan_ID - last_vlan_ID. •mixed_vlan_list is, in any order, single_vlan , vlan_range , ... •Enter the ingress keyword to configure destinations to receive traffic from attached devices. •Enter the learning keyword to enable MAC address learning from the destinations, which allows the switch to transmit traffic that is addressed to devices attached to the destinations. When configuring destinations with the ingress and learning keywords, note the following: –Configure the destinations for Layer 2 switching. See the "Configuring LAN Interfaces for Layer 2 Switching" section. –If the destination is a trunk and the attached device transmits tagged traffic back to the switch, you can use either ISL or 802.1Q trunking. –If the destination is a trunk and the attached device transmits untagged traffic back to the switch, use 802.1Q trunking with the native VLAN configured to accept the traffic from the attached device. –Do not configure the destinations with Layer 3 addresses. Use a VLAN interface to route traffic to and from devices attached to destinations. –Destinations are held in the down state. To route the traffic to and from attached devices, configure an additional active Layer 2 port in the VLAN to keep the VLAN interface up. This example shows how to configure Fast Ethernet port 5/1 as a bidirectional source for session 1: This example shows how to configure Fast Ethernet port 5/48 as the destination for SPAN session 1: For additional examples, see the "Configuration Examples" section. RSPAN uses a source session on one switch and a destination session on a different switch. These sections describe how to configure RSPAN sessions: •Configuring RSPAN VLANs •Configuring RSPAN Sessions (SPAN Configuration Mode) •Configuring RSPAN Sessions (Global Configuration Mode) To configure a VLAN as an RSPAN VLAN, perform this task:
These sections describe how to configure RSPAN sessions in SPAN configuration mode: •Configuring RSPAN Source Sessions in SPAN Configuration Mode •Configuring RSPAN Destination Sessions in SPAN Configuration Mode To configure an RSPAN source session in SPAN configuration mode, perform this task:
When configuring RSPAN source sessions, note the following information: •session_description can be up to 240 characters and cannot contain special characters; with Release 12.2(33)SXH and later releases, the description can contain spaces. Note You can enter 240 characters after the description command. •RSPAN_source_span_session_number can range from 1 to 80. •cpu rp is the route processor (RP). •cpu sp is the switch processor (SP). •single_interface is as follows: –interface type slot/port; type is fastethernet, gigabitethernet, or tengigabitethernet. –interface port-channel number •interface_list is single_interface , single_interface , single_interface ... Note In lists, you must enter a space before and after the comma. In ranges, you must enter a space before and after the dash. •interface_range is interface type slot/first_port - last_port. •mixed_interface_list is, in any order, single_interface , interface_range , ... •single_vlan is the ID number of a single VLAN. •vlan_list is single_vlan , single_vlan , single_vlan ... •vlan_range is first_vlan_ID - last_vlan_ID. •mixed_vlan_list is, in any order, single_vlan , vlan_range , ... •See the "Configuring RSPAN VLANs" section for information about the RSPAN VLAN ID. This example shows how to configure session 1 to monitor bidirectional traffic from Gigabit Ethernet port 1/1: For additional examples, see the "Configuration Examples" section. Note•To tag the monitored traffic, you must configure the port to trunk unconditionally before you configure it as a destination (see the "Configuring a Destination as an Unconditional Trunk (Optional)" section). •You can configure an RSPAN destination session on the RSPAN source session switch to monitor RSPAN traffic locally. To configure an RSPAN destination session, perform this task:
When configuring RSPAN destination sessions, note the following information: •RSPAN_destination_span_session_number can range from 1 to 80. •single_interface is as follows: –interface type slot/port; type is fastethernet, gigabitethernet, or tengigabitethernet. –interface port-channel number Note Destination port channel interfaces must be configured with the channel-group group_num mode on command and the no channel-protocol command. See the "Configuring EtherChannels" section. •interface_list is single_interface , single_interface , single_interface ... Note In lists, you must enter a space before and after the comma. In ranges, you must enter a space before and after the dash. •interface_range is interface type slot/first_port - last_port. •mixed_interface_list is, in any order, single_interface , interface_range , ... •Enter the ingress keyword to configure destinations to receive traffic from attached devices. •Enter the learning keyword to enable MAC address learning from the destinations, which allows the switch to transmit traffic that is addressed to devices attached to the destinations. When configuring destinations with the ingress and learning keywords, note the following: –Configure the destinations for Layer 2 switching. See the "Configuring LAN Interfaces for Layer 2 Switching" section. –If the destination is a trunk and the attached device transmits tagged traffic back to the switch, you can use either ISL or 802.1Q trunking. –If the destination is a trunk and the attached device transmits untagged traffic back to the switch, use 802.1Q trunking with the native VLAN configured to accept the traffic from the attached device. –Do not configure the destinations with Layer 3 addresses. Use a VLAN interface to route traffic to and from devices attached to destinations. –Destinations are held in the down state. To route the traffic to and from attached devices, configure an additional active Layer 2 port in the VLAN to keep the VLAN interface up. •The no shutdown command and shutdown commands are not supported for RSPAN destination sessions. This example shows how to configure RSPAN VLAN 2 as the source for session 1 and Gigabit Ethernet port 1/2 as the destination: For additional examples, see the "Configuration Examples" section. These sections describe how to configure RSPAN sessions in global configuration mode: •Configuring RSPAN Source Sessions in Global Configuration Mode •Configuring RSPAN Destination Sessions in Global Configuration Mode To configure an RSPAN source session in global configuration mode, perform this task:
When configuring RSPAN source sessions, note the following information: •To configure RSPAN VLANs, see the "Configuring RSPAN VLANs" section. •RSPAN_source_span_session_number can range from 1 to 80. •single_interface is as follows: –interface type slot/port; type is fastethernet, gigabitethernet, or tengigabitethernet. –interface port-channel number •interface_list is single_interface , single_interface , single_interface ... Note In lists, you must enter a space before and after the comma. In ranges, you must enter a space before and after the dash. •interface_range is interface type slot/first_port - last_port. •mixed_interface_list is, in any order, single_interface , interface_range , ... •single_vlan is the ID number of a single VLAN. •vlan_list is single_vlan , single_vlan , single_vlan ... •vlan_range is first_vlan_ID - last_vlan_ID. •mixed_vlan_list is, in any order, single_vlan , vlan_range , ... •See the "Configuring RSPAN VLANs" section for information about the RSPAN VLAN ID. This example shows how to configure Fast Ethernet port 5/2 as the source for session 2: This example shows how to configure RSPAN VLAN 200 as the destination for session 2: For additional examples, see the "Configuration Examples" section. Note•To tag the monitored traffic, you must configure the port to trunk unconditionally before you configure it as a destination (see the "Configuring a Destination as an Unconditional Trunk (Optional)" section). •You can configure an RSPAN destination session on the RSPAN source session switch to monitor RSPAN traffic locally. To configure an RSPAN destination session in global configuration mode, perform this task:
When configuring monitor sessions, note the following information: •RSPAN_destination_span_session_number can range from 1 to 80. •See the "Configuring RSPAN VLANs" section for information about the RSPAN VLAN ID. •single_interface is as follows: –interface type slot/port; type is fastethernet, gigabitethernet, or tengigabitethernet. –interface port-channel number Note Destination port channel interfaces must be configured with the channel-group group_num mode on command and the no channel-protocol command. See the "Configuring EtherChannels" section. •interface_list is single_interface , single_interface , single_interface ... Note In lists, you must enter a space before and after the comma. In ranges, you must enter a space before and after the dash. •interface_range is interface type slot/first_port - last_port. •mixed_interface_list is, in any order, single_interface , interface_range , ... •Enter the ingress keyword to configure destinations to receive traffic from attached devices. •Enter the learning keyword to enable MAC address learning from the destinations, which allows the switch to transmit traffic that is addressed to devices attached to the destinations. When configuring destinations with the ingress and learning keywords, note the following: –Configure the destinations for Layer 2 switching. See the "Configuring LAN Interfaces for Layer 2 Switching" section. –If the destination is a trunk and the attached device transmits tagged traffic back to the switch, you can use either ISL or 802.1Q trunking. –If the destination is a trunk and the attached device transmits untagged traffic back to the switch, use 802.1Q trunking with the native VLAN configured to accept the traffic from the attached device. –Do not configure the destinations with Layer 3 addresses. Use a VLAN interface to route traffic to and from devices attached to destinations. –Destinations are held in the down state. To route the traffic to and from attached devices, configure an additional active Layer 2 port in the VLAN to keep the VLAN interface up. This example shows how to configure RSPAN VLAN 200 as the source for session 3: This example shows how to configure Fast Ethernet port 5/47 as the destination for session 3: For additional examples, see the "Configuration Examples" section. ERSPAN uses separate source and destination sessions. You configure the source and destination sessions on different switches. These sections describe how to configure ERSPAN sessions: •Configuring ERSPAN Source Sessions •Configuring ERSPAN Destination Sessions To configure an ERSPAN source session, perform this task:
When configuring monitor sessions, note the following information: •session_description can be up to 240 characters and cannot contain special characters; with Release 12.2(33)SXH and later releases, the description can contain spaces. Note You can enter 240 characters after the description command. •ERSPAN_source_span_session_number can range from 1 to 80. •cpu rp is the route processor (RP). •cpu sp is the switch processor (SP). •single_interface is as follows: –interface type slot/port; type is fastethernet, gigabitethernet, or tengigabitethernet. –interface port-channel number Note Port channel interfaces must be configured with the channel-group group_num mode on command and the no channel-protocol command. See the "Configuring EtherChannels" section. •interface_list is single_interface , single_interface , single_interface ... Note In lists, you must enter a space before and after the comma. In ranges, you must enter a space before and after the dash. •interface_range is interface type slot/first_port - last_port. •mixed_interface_list is, in any order, single_interface , interface_range , ... •single_vlan is the ID number of a single VLAN. •vlan_list is single_vlan , single_vlan , single_vlan ... •vlan_range is first_vlan_ID - last_vlan_ID. •mixed_vlan_list is, in any order, single_vlan , vlan_range , ... •ERSPAN_flow_id can range from 1 to 1023. •All ERSPAN source sessions on a switch must use the same source IP address. Enter the origin ip address ip_address force command to change the origin IP address configured in all ERSPAN source sessions on the switch. •ttl_value can range from 1 to 255. •ipp_value can range from 0 to 7. •dscp_value can range from 0 to 63. This example shows how to configure session 3 to monitor bidirectional traffic from Gigabit Ethernet port 4/1: For additional examples, see the "Configuration Examples" section. Note You cannot monitor ERSPAN traffic locally. To configure an ERSPAN destination session, perform this task:
When configuring monitor sessions, note the following information: •ERSPAN_destination_span_session_number can range from 1 to 80. •single_interface is as follows: –interface type slot/port; type is fastethernet, gigabitethernet, or tengigabitethernet. –interface port-channel number Note Destination port channel interfaces must be configured with the channel-group group_num mode on command and the no channel-protocol command. See the "Configuring EtherChannels" section. •interface_list is single_interface , single_interface , single_interface ... Note In lists, you must enter a space before and after the comma. In ranges, you must enter a space before and after the dash. •interface_range is interface type slot/first_port - last_port. •mixed_interface_list is, in any order, single_interface , interface_range , ... •All ERSPAN destination sessions on a switch must use the same IP address on the same destination interface. Enter the ip address ip_address force command to change the IP address configured in all ERSPAN destination sessions on the switch. Note You must also change all ERSPAN source session destination IP addresses (see the "Configuring ERSPAN Source Sessions" section, Step 7). •ERSPAN_flow_id can range from 1 to 1023. •Enter the ingress keyword to configure destinations to receive traffic from attached devices. •Enter the learning keyword to enable MAC address learning from the destinations, which allows the switch to transmit traffic that is addressed to devices attached to the destinations. When configuring destinations with the ingress and learning keywords, note the following: –Configure the destinations for Layer 2 switching. See the "Configuring LAN Interfaces for Layer 2 Switching" section. –If the destination is a trunk and the attached device transmits tagged traffic back to the switch, you can use either ISL or 802.1Q trunking. –If the destination is a trunk and the attached device transmits untagged traffic back to the switch, use 802.1Q trunking with the native VLAN configured to accept the traffic from the attached device. –Do not configure the destinations with Layer 3 addresses. Use a VLAN interface to route traffic to and from devices attached to destinations. –Destinations are held in the down state. To route the traffic to and from attached devices, configure an additional active Layer 2 port in the VLAN to keep the VLAN interface up. This example shows how to configure an ERSPAN destination session to send ERSPAN ID 101 traffic arriving at IP address 10.1.1.1 to Gigabit Ethernet port 2/1: For additional examples, see the "Configuration Examples" section. Note•To configure source VLAN filtering in SPAN configuration mode, see the following sections: –Configuring Local SPAN (SPAN Configuration Mode) –Configuring RSPAN Source Sessions in SPAN Configuration Mode –Configuring ERSPAN •Source VLAN filtering reduces the amount of traffic that is sent from SPAN sources to SPAN destinations. Source VLAN filtering monitors specific VLANs when the source is a trunk port. To configure source VLAN filtering when the local SPAN or RSPAN source is a trunk port, perform this task:
When configuring source VLAN filtering, note the following information: •single_vlan is the ID number of a single VLAN. •vlan_list is single_vlan , single_vlan , single_vlan ... •vlan_range is first_vlan_ID - last_vlan_ID. •mixed_vlan_list is, in any order, single_vlan , vlan_range , ... This example shows how to monitor VLANs 1 through 5 and VLAN 9 when the source is a trunk port: To verify the configuration, enter the show monitor session command. This example shows how to verify the configuration of session 2: This example shows how to display the full details of session 2: This example shows the configuration of RSPAN source session 2: This example shows how to clear the configuration for sessions 1 and 2: This example shows the configuration of an RSPAN source session with multiple sources: This example shows how to remove sources for a session: This example shows how to remove options for sources for a session: This example shows how to remove source VLAN filtering for a session: This example shows the configuration of RSPAN destination session 8: This example shows the configuration of ERSPAN source session 12: This example shows the configuration of ERSPAN destination session 12: This example shows the configuration of ERSPAN source session 13: This example shows the configuration of ERSPAN destination session 13: Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 7 This chapter describes how to configure private VLANs in Cisco IOS Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter consists of these sections: •Understanding Private VLANs •Private VLAN Configuration Guidelines and Restrictions •Configuring Private VLANs •Monitoring Private VLANs These sections describe how private VLANs work: •Private VLAN Domains •Private VLAN Ports •Primary, Isolated, and Community VLANs •Private VLAN Port Isolation •IP Addressing Scheme with Private VLANs •Private VLANs Across Multiple Switches •Private VLAN Interaction with Other Features The private VLAN feature addresses two problems that service providers encounter when using VLANs: •The switch supports up to 4096 VLANs. If a service provider assigns one VLAN per customer, the number of customers that service provider can support is limited. •To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can result in wasting the unused IP addresses and creating IP address management problems. Using private VLANs solves the scalability problem and provides IP address management benefits for service providers and Layer 2 security for customers. The private VLAN feature partitions the Layer 2 broadcast domain of a VLAN into subdomains. A subdomain is represented by a pair of private VLANs: a primary VLAN and a secondary VLAN. A private VLAN domain can have multiple private VLAN pairs, one pair for each subdomain. All VLAN pairs in a private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another (see Figure 24-1). Figure 24-1 Private VLAN Domain A private VLAN domain has only one primary VLAN. Every port in a private VLAN domain is a member of the primary VLAN. In other words, the primary VLAN is the entire private VLAN domain. Secondary VLANs provide Layer 2 isolation between ports within the same private VLAN domain. There are two types of secondary VLANs: •Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level. •Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level. There are three types of private VLAN ports: •Promiscuous—A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs that are associated with the primary VLAN. •Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. This port has complete Layer 2 isolation from other ports within the same private VLAN domain, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. •Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN domain. Note Because trunks can support the VLANs carrying traffic between isolated, community, and promiscuous ports, isolated and community port traffic might enter or leave the switch through a trunk interface. Primary VLANs and the two types of secondary VLANs, isolated VLANs and community VLANs, have these characteristics: •Primary VLAN— The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports. •Isolated VLAN —A private VLAN domain has only one isolated VLAN. An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the gateway. •Community VLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port gateways and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN domain. A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs. Layer 3 gateways are connected typically to the switch through a promiscuous port. With a promiscuous port, you can connect a wide range of devices as access points to a private VLAN. For example, you can use a promiscuous port to monitor or back up all the private VLAN servers from an administration workstation. In a switched environment, you can assign an individual private VLAN and associated IP subnet to each individual or common group of end stations. The end stations need to communicate only with a default gateway to communicate outside the private VLAN. You can use private VLANs to control access to end stations in these ways: •Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2. For example, if the end stations are servers, this configuration prevents Layer 2 communication between the servers. •Configure interfaces connected to default gateways and selected end stations (for example, backup servers) as promiscuous ports to allow all end stations access to a default gateway. You can extend private VLANs across multiple devices by trunking the primary, isolated, and community VLANs to other devices that support private VLANs. To maintain the security of your private VLAN configuration and to avoid other use of the VLANs configured as private VLANs, configure private VLANs on all intermediate devices, including devices that have no private VLAN ports. When you assign a separate VLAN to each customer, an inefficient IP addressing scheme is created as follows: •Assigning a block of addresses to a customer VLAN can result in unused IP addresses. •If the number of devices in the VLAN increases, the number of assigned addresses might not be large enough to accommodate them. These problems are reduced by using private VLANs, where all members in the private VLAN share a common address space, which is allocated to the primary VLAN. Hosts are connected to secondary VLANs, and the DHCP server assigns them IP addresses from the block of addresses allocated to the primary VLAN. Subsequent IP addresses can be assigned to customer devices in different secondary VLANs, but in the same primary VLAN. When new devices are added, the DHCP server assigns them the next available address from a large pool of subnet addresses. As with regular VLANs, private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch. The trunk port deals with the private VLAN as any other VLAN. A feature of private VLANs across multiple switches is that traffic from an isolated port in switch A does not reach an isolated port on Switch B. (See Figure 24-2.) Figure 24-2 Private VLANs Across Switches Because VTP versions 1 and 2 do not support private VLANs, you must manually configure private VLANs on all switches in the Layer 2 network. If you do not configure the primary and secondary VLAN association in some switches in the network, the Layer 2 databases in these switches are not merged. This situation can result in unnecessary flooding of private VLAN traffic on those switches. VTP version 3 does support private VLANs, so you do not need to manually configure private VLANs on all switches in the Layer 2 network. These sections describe how private VLANs interact with some other features: •Private VLANs and Unicast, Broadcast, and Multicast Traffic •Private VLANs and SVIs See also the "Private VLAN Configuration Guidelines and Restrictions" section. In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but devices connected to interfaces in different VLANs must communicate at the Layer 3 level. In private VLANs, the promiscuous ports are members of the primary VLAN, while the host ports belong to secondary VLANs. Because the secondary VLAN is associated to the primary VLAN, members of the these VLANs can communicate with each other at the Layer 2 level. In a regular VLAN, broadcasts are forwarded to all ports in that VLAN. Private VLAN broadcast forwarding depends on the port sending the broadcast: •An isolated port sends a broadcast only to the promiscuous ports or trunk ports. •A community port sends a broadcast to all promiscuous ports, trunk ports, and ports in the same community VLAN. •A promiscuous port sends a broadcast to all ports in the private VLAN (other promiscuous ports, trunk ports, isolated ports, and community ports). Multicast traffic is routed or bridged across private VLAN boundaries and within a single community VLAN. Multicast traffic is not forwarded between ports in the same isolated VLAN or between ports in different secondary VLANs. A switch virtual interface (SVI) is the Layer 3 interface of a Layer 2 VLAN. Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs. Configure Layer 3 VLAN SVIs only for primary VLANs. Do not configure Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN. •If you try to configure a VLAN with an active SVI as a secondary VLAN, the configuration is not allowed until you disable the SVI. •If you try to create an SVI on a VLAN that is configured as a secondary VLAN, and the secondary VLAN is already mapped at Layer 3, the SVI is not created, and an error is returned. If the SVI is not mapped at Layer 3, the SVI is created, but it is automatically shut down. When the primary VLAN is associated with and mapped to the secondary VLAN, any configuration on the primary VLAN is propagated to the secondary VLAN SVIs. For example, if you assign an IP subnet to the primary VLAN SVI, this subnet is the IP subnet address of the entire private VLAN. The guidelines for configuring private VLANs are described in the following sections: •Secondary and Primary VLAN Configuration •Private VLAN Port Configuration •Limitations with Other Features When configuring private VLANs consider these guidelines: •After you configure a private VLAN and set VTP to transparent mode, you are not allowed to change the VTP mode to client or server. For information about VTP, see Chapter 22 "Configuring VTP." •You must use VLAN configuration (config-vlan) mode to configure private VLANs. You cannot configure private VLANs in VLAN database configuration mode. For more information about VLAN configuration, see "Configurable VLAN Parameters" section. •After you have configured private VLANs, use the copy running-config startup config privileged EXEC command to save the VTP transparent mode configuration and private VLAN configuration in the startup-config file. If the switch resets it must default to VTP transparent mode to support private VLANs. •In VTP versions 1 and 2, VTP does not propagate a private VLAN configuration and you must configure private VLANs on each device where you want private VLAN ports. In VTP version 3, VTP does propagate private VLAN configurations automatically. •You cannot configure VLAN 1 or VLANs 1002 to 1005 as primary or secondary VLANs. Extended VLANs (VLAN IDs 1006 to 4094) cannot belong to private VLANs. Only Ethernet VLANs can be private VLANs. •A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. An isolated or community VLAN can have only one primary VLAN associated with it. •When a secondary VLAN is associated with the primary VLAN, the STP parameters of the primary VLAN, such as bridge priorities, are propagated to the secondary VLAN. However, STP parameters do not necessarily propagate to other devices. You should manually check the STP configuration to ensure that the primary, isolated, and community VLANs' spanning tree topologies match so that the VLANs can properly share the same forwarding database. •If you enable MAC address reduction on the switch, we recommend that you enable MAC address reduction on all the devices in your network to ensure that the STP topologies of the private VLANs match. •In a network where private VLANs are configured, if you enable MAC address reduction on some devices and disable it on others (mixed environment), use the default bridge priorities to make sure that the root bridge is common to the primary VLAN and to all its associated isolated and community VLANs. Be consistent with the ranges employed by the MAC address reduction feature regardless of whether it is enabled on the system. MAC address reduction allows only discrete levels and uses all intermediate values internally as a range. You should disable a root bridge with private VLANs and MAC address reduction, and configure the root bridge with any priority higher than the highest priority range used by any nonroot bridge. •You cannot apply VACLs to secondary VLANs. (See Chapter 51 "Configuring Port ACLs and VLAN ACLs".) •You can enable DHCP snooping on private VLANs. When you enable DHCP snooping on the primary VLAN, it is propagated to the secondary VLANs. If you configure DHCP on a secondary VLAN, the configuration does not take effect if the primary VLAN is already configured. •We recommend that you prune the private VLANs from the trunks on devices that carry no traffic in the private VLANs. •You can apply different quality of service (QoS) configurations to primary, isolated, and community VLANs. (See Chapter 43 "Configuring PFC QoS".) •When you configure private VLANs, sticky Address Resolution Protocol (ARP) is enabled by default, and ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries. For security reasons, private VLAN port sticky ARP entries do not age out. For information about configuring sticky ARP, see the "Configuring Sticky ARP" section. •We recommend that you display and verify private VLAN interface ARP entries. •Sticky ARP prevents MAC address spoofing by ensuring that ARP entries (IP address, MAC address, and source VLAN) do not age out. You can configure sticky ARP on a per-interface basis. For information about configuring sticky ARP, see the "Configuring Sticky ARP" section. The following guidelines and restrictions apply to private VLAN sticky ARP: –ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries. –Connecting a device with a different MAC address but with the same IP address generates a message and the ARP entry is not created. –Because the private VLAN port sticky ARP entries do not age out, you must manually remove private VLAN port ARP entries if a MAC address changes. You can add or remove private VLAN ARP entries manually as follows: •You can configure VLAN maps on primary and secondary VLANs. (See the "Applying a VLAN Access Map" section.) However, we recommend that you configure the same VLAN maps on private VLAN primary and secondary VLANs. •When a frame is Layer 2 forwarded within a private VLAN, the same VLAN map is applied at the ingress side and at the egress side. When a frame is routed from inside a private VLAN to an external port, the private VLAN map is applied at the ingress side. –For frames going upstream from a host port to a promiscuous port, the VLAN map configured on the secondary VLAN is applied. –For frames going downstream from a promiscuous port to a host port, the VLAN map configured on the primary VLAN is applied. To filter out specific IP traffic for a private VLAN, you should apply the VLAN map to both the primary and secondary VLANs. •To apply Cisco IOS output ACLs to all outgoing private VLAN traffic, configure them on the Layer 3 VLAN interface of the primary VLAN. (See Chapter 47 "Configuring Network Security".) •Cisco IOS ACLs applied to the Layer 3 VLAN interface of a primary VLAN automatically apply to the associated isolated and community VLANs. •Do not apply Cisco IOS ACLs to isolated or community VLANs. Cisco IOS ACL configuration applied to isolated and community VLANs is inactive while the VLANs are part of the private VLAN configuration. •Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other at Layer 3. •Private VLANs support these Switched Port Analyzer (SPAN) features: –You can configure a private VLAN port as a SPAN source port. –You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs or use SPAN on only one VLAN to separately monitor egress or ingress traffic. –For more information about SPAN, see Chapter 68 "Configuring Local SPAN, RSPAN, and ERSPAN." When configuring private VLAN ports follow these guidelines: •Use only the private VLAN configuration commands to assign ports to primary, isolated, or community VLANs. Layer 2 access ports assigned to the VLANs that you configure as primary, isolated, or community VLANs are inactive while the VLAN is part of the private VLAN configuration. Layer 2 trunk interfaces remain in the STP forwarding state. •Do not configure ports that belong to a PAgP or LACP EtherChannel as private VLAN ports. While a port is part of the private VLAN configuration, any EtherChannel configuration for it is inactive. •Enable PortFast and BPDU guard on isolated and community host ports to prevent STP loops due to misconfigurations and to speed up STP convergence. (See Chapter 29 "Configuring Optional STP Features".) When enabled, STP applies the BPDU guard feature to all PortFast-configured Layer 2 LAN ports. Do not enable PortFast and BPDU guard on promiscuous ports. •If you delete a VLAN used in the private VLAN configuration, the private VLAN ports associated with the VLAN become inactive. •Private VLAN ports can be on different network devices if the devices are trunk-connected and the primary and secondary VLANs have not been removed from the trunk. •All primary, isolated, and community VLANs associated within a private VLAN must maintain the same topology across trunks. You are highly recommended to configure the same STP bridge parameters and trunk port parameters on all associated VLANs in order to maintain the same topology. When configuring private VLANs, consider these configuration limitations with other features: Note In some cases, the configuration is accepted with no error messages, but the commands have no effect. •VTP version 3 is not supported on private VLAN (PVLAN) ports. •Do not configure fallback bridging on switches with private VLANs. •A port is only affected by the private VLAN feature if it is currently in private VLAN mode and its private VLAN configuration indicates that it is a primary, isolated, or community port. If a port is in any other mode, such as Dynamic Trunking Protocol (DTP), it does not function as a private port. •Do not configure private VLAN ports on interfaces configured for these other features: –Port Aggregation Protocol (PAgP) –Link Aggregation Control Protocol (LACP) –Voice VLAN •You can configure IEEE 802.1x port-based authentication on a private VLAN port, but do not configure 802.1x with port security, voice VLAN, or per-user ACL on private VLAN ports. •IEEE 802.1q mapping works normally. Traffic is remapped to or from dot1Q ports as configured, as if received from the ISL VLANs. •Do not configure a remote SPAN (RSPAN) VLAN as a private VLAN primary or secondary VLAN. For more information about SPAN, see Chapter 68 "Configuring Local SPAN, RSPAN, and ERSPAN." •A private VLAN host or promiscuous port cannot be a SPAN destination port. If you configure a SPAN destination port as a private VLAN port, the port becomes inactive. •A destination SPAN port should not be an isolated port. (However, a source SPAN port can be an isolated port.) VSPAN could be configured to span both primary and secondary VLANs or, alternatively, to span either one if the user is interested only in ingress or egress traffic. •If using the shortcuts between different VLANs (if any of these VLANs is private) consider both primary and isolated and community VLANs. The primary VLAN should be used both as the destination and as the virtual source, because the secondary VLAN (the real source) is always remapped to the primary VLAN in the Layer 2 FID table. •If you configure a static MAC address on a promiscuous port in the primary VLAN, you must add the same static address to all associated secondary VLANs. If you configure a static MAC address on a host port in a secondary VLAN, you must add the same static MAC address to the associated primary VLAN. When you delete a static MAC address from a private VLAN port, you must remove all instances of the configured MAC address from the private VLAN. Note Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated VLANs. For example, a MAC address learned in a secondary VLAN is replicated in the primary VLAN. When the original dynamic MAC address is deleted or aged out, the replicated addresses are removed from the MAC address table. •Do not configure private VLAN ports as EtherChannels. A port can be part of the private VLAN configuration, but any EtherChannel configuration for the port is inactive. •When you enter the shutdown or the no shutdown command on the primary VLAN, the corresponding secondary VLANs also are shutdown or brought up. •These restrictions apply when you configure groups of 12 ports as secondary ports: The 12-port restriction applies to these 10 Mb, 10/100 Mb, and 100 Mb Ethernet switching modules: WS-X6324-100FX, WS-X6348-RJ-45, WS-X6348-RJ-45V, WS-X6348-RJ-21V, WS-X6248-RJ-45, WS-X6248A-TEL, WS-X6248-TEL, WS-X6148-RJ-45, WS-X6148-RJ-45V, WS-X6148-45AF, WS-X6148-RJ-21, WS-X6148-RJ-21V, WS-X6148-21AF, WS-X6024-10FL-MT. Within groups of 12 ports (1-12, 13-24, 25-36, and 37-48), do not configure ports as isolated ports or community VLAN ports when one port within the group of 12 ports is any of these: –A trunk port –A SPAN destination port –A promiscuous private VLAN port –In releases where CSCsb44185 is resolved, a port that has been configured with the switchport mode dynamic auto or switchport mode dynamic desirable command. If one port within the group of 12 ports is one of these ports listed and has the above properties, any isolated or community VLAN configuration for other ports within the 12 ports is inactive. To reactivate the ports, remove the isolated or community VLAN port configuration and enter the shutdown and no shutdown commands. •These restrictions apply when you configure groups of 24 ports as secondary ports: In all releases, this 24-port restriction applies to the WS-X6548-GE-TX and WS-X6148-GE-TX 10/100/1000 Mb Ethernet switching modules. Within groups of 24 ports (1-24, 25-48), do not configure ports as isolated ports or community VLAN ports when one port within the group of 24 ports is any of these: –A trunk port –A SPAN destination port –A promiscuous private VLAN port –In releases where CSCsb44185 is resolved, a port that has been configured with the switchport mode dynamic auto or switchport mode dynamic desirable command. If one port within the group of 24 ports is one of these ports listed and has the above properties, any isolated or community VLAN configuration for other ports within the 24 ports is inactive. To reactivate the ports, remove the isolated or community VLAN port configuration and enter the shutdown and no shutdown commands. These sections contain configuration information: •Configuring a VLAN as a Private VLAN •Associating Secondary VLANs with a Primary VLAN •Mapping Secondary VLANs to the Layer 3 VLAN Interface of a Primary VLAN •Configuring a Layer 2 Interface as a Private VLAN Host Port •Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port Note If the VLAN is not defined already, the private VLAN configuration process defines it. To configure a VLAN as a private VLAN, perform this task:
This example shows how to configure VLAN 202 as a primary VLAN and verify the configuration: This example shows how to configure VLAN 303 as a community VLAN and verify the configuration: This example shows how to configure VLAN 440 as an isolated VLAN and verify the configuration: To associate secondary VLANs with a primary VLAN, perform this task:
When you associate secondary VLANs with a primary VLAN, note the following information: •The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single private VLAN ID or a hyphenated range of private VLAN IDs. •The secondary_vlan_list parameter can contain multiple community VLAN IDs. •The secondary_vlan_list parameter can contain only one isolated VLAN ID. •Enter a secondary_vlan_list or use the add keyword with a secondary_vlan_list to associate secondary VLANs with a primary VLAN. •Use the remove keyword with a secondary_vlan_list to clear the association between secondary VLANs and a primary VLAN. •The command does not take effect until you exit VLAN configuration submode. •When you exit the VLAN configuration submode, only the last specified configuration takes effect. This example shows how to associate community VLANs 303 through 307 and 309 and isolated VLAN 440 with primary VLAN 202 and verify the configuration: Note Isolated and community VLANs are both called secondary VLANs. To map secondary VLANs to the Layer 3 VLAN interface of a primary VLAN to allow Layer 3 switching of private VLAN ingress traffic, perform this task:
When you map secondary VLANs to the Layer 3 VLAN interface of a primary VLAN, note the following information: •The private-vlan mapping interface configuration command only affects private VLAN ingress traffic that is Layer 3-switched. •The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single private VLAN ID or a hyphenated range of private VLAN IDs. •Enter a secondary_vlan_list parameter or use the add keyword with a secondary_vlan_list parameter to map the secondary VLANs to the primary VLAN. •Use the remove keyword with a secondary_vlan_list parameter to clear the mapping between secondary VLANs and the primary VLAN. This example shows how to permit routing of secondary VLAN ingress traffic from private VLANs 303 through 307, 309, and 440 and verify the configuration: To configure a Layer 2 interface as a private VLAN host port, perform this task:
This example shows how to configure interface FastEthernet 5/1 as a private VLAN host port and verify the configuration: To configure a Layer 2 interface as a private VLAN promiscuous port, perform this task:
When you configure a Layer 2 interface as a private VLAN promiscuous port, note the following information: •The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single private VLAN ID or a hyphenated range of private VLAN IDs. •If VLAN locking is enabled, enter VLAN names instead of VLAN numbers in the secondary_vlan_list. When entering a range of VLAN names, you must leave spaces between the VLAN names and the dash. •Enter a secondary_vlan_list value or use the add keyword with a secondary_vlan_list value to map the secondary VLANs to the private VLAN promiscuous port. •Use the remove keyword with a secondary_vlan_list value to clear the mapping between secondary VLANs and the private VLAN promiscuous port. This example shows how to configure interface FastEthernet 5/2 as a private VLAN promiscuous port and map it to a private VLAN: This example shows how to verify the configuration: Table 24-1 shows the privileged EXEC commands for monitoring private VLAN activity.
This is an example of the output from the show vlan private-vlan command: Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 8 This chapter describes how to configure VLANs in Cisco IOS Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter consists of these sections: •Understanding VLANs •VLAN Configuration Guidelines and Restrictions •Configuring VLANs The following sections describe how VLANs work: •VLAN Overview •VLAN Ranges A VLAN is a group of end stations with a common set of requirements, independent of physical location. VLANs have the same attributes as a physical LAN but allow you to group end stations even if they are not located physically on the same LAN segment. VLANs are usually associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN. Traffic between VLANs must be routed. LAN port VLAN membership is assigned manually on an port-by-port basis. Note You must enable the extended system ID to use 4096 VLANs (see the "Understanding the Bridge ID" section). Cisco IOS Release 12.2SX supports 4096 VLANs in accordance with the IEEE 802.1Q standard. These VLANs are organized into several ranges; you use each range slightly differently. Some of these VLANs are propagated to other switches in the network when you use the VLAN Trunking Protocol (VTP). The extended-range VLANs are not propagated, so you must configure extended-range VLANs manually on each network device. Table 23-1 describes the VLAN ranges.
The following information applies to VLAN ranges: •Layer 3 LAN ports, WAN interfaces and subinterfaces, and some software features use internal VLANs in the extended range. You cannot use an extended range VLAN that has been allocated for internal use. •To display the VLANs used internally, enter the show vlan internal usage command. With earlier releases, enter the show vlan internal usage and show cwan vlans commands. •You can configure ascending internal VLAN allocation (from 1006 and up) or descending internal VLAN allocation (from 4094 and down). •You must enable the extended system ID to use extended range VLANs (see the "Understanding the Bridge ID" section). When creating and modifying VLANs in your network, follow these guidelines and restrictions: •VLANs support a number of parameters that are not discussed in detail in this section. For complete information, see the Cisco IOS Master Command List publication. •If the switch is in VTP server or transparent mode (see the "Configuring VTP" section), you can configure VLANs in global and config-vlan configuration modes. When you configure VLANs in global and config-vlan configuration modes, the VLAN configuration is saved in the vlan.dat files. To display the VLAN configuration, enter the show vlan command. If the switch is in VLAN transparent mode, use the copy running-config startup-config command to save the VLAN configuration to the startup-config file. After you save the running configuration as the startup configuration, use the show running-config and show startup-config commands to display the VLAN configuration. •When the switch boots, if the VTP domain name and the VTP mode in the startup-config file and vlan.dat files do not match, the switch uses the configuration in the vlan.dat file. •You can configure extended-range VLANs only in global configuration mode. •Supervisor engine redundancy does not support nondefault VLAN data file names or locations. Do not enter the vtp file file_name command on a switch that has a redundant supervisor engine. •Before installing a redundant supervisor engine, enter the no vtp file command to return to the default configuration. •Before you can create a VLAN, the switch must be in VTP server mode or VTP transparent mode. For information on configuring VTP, see Chapter 22 "Configuring VTP." •The VLAN configuration is stored in the vlan.dat file, which is stored in nonvolatile memory. You can cause inconsistency in the VLAN database if you manually delete the vlan.dat file. If you want to modify the VLAN configuration or VTP, use the commands described in this guide and in the Cisco IOS Master Command List, publication. •To do a complete backup of your configuration, include the vlan.dat file in the backup. These sections describe how to configure VLANs: •Configurable VLAN Parameters •Ethernet VLAN Default Parameters •VLAN Locking •Creating or Modifying an Ethernet VLAN •Assigning a Layer 2 LAN Interface to a VLAN •Configuring the Internal VLAN Allocation Policy •Configuring VLAN Translation •Mapping 802.1Q VLANs to ISL VLANs •Saving VLAN Information Note•Ethernet VLAN 1 uses only default values. •Except for the VLAN name, Ethernet VLANs 1006 through 4094 use only default values. •You can configure the VLAN name for Ethernet VLANs 1006 through 4094. You can configure the following parameters for VLANs 2 through 1001: •VLAN name •VLAN type (Ethernet, FDDI, FDDI network entity title [NET], TrBRF, or TrCRF) •VLAN state (active or suspended) •Security Association Identifier (SAID) •Bridge identification number for TrBRF VLANs •Ring number for FDDI and TrCRF VLANs •Parent VLAN number for TrCRF VLANs •Spanning Tree Protocol (STP) type for TrCRF VLANs •VLAN ID: 1; range: 1-4094 •VLAN name: –VLAN 1: "default" –Other VLANs: "VLANvlan_ID" •802.10 SAID: 10vlan_ID; range: 100001-104094 •MTU size: 1500; range: 1500-18190 •Translational bridge 1: 0; range: 0-1005 •Translational bridge 2: 0; range: 0-1005 •VLAN state: active: active, suspend •Pruning eligibility: –VLANs 2-1001 are pruning eligible –VLANs 1006-4094 are not pruning eligible Release 12.2(33)SXH and later releases support the VLAN locking feature, which provides an extra level of verification to ensure that you have configured the intended VLAN. When VLAN locking is enabled, you need to specify the VLAN name when you change a port from one VLAN to another. This feature affects switchport commands (in interface configuration mode) that specify the VLANs or private VLANs for access and trunk ports. For additional information about how to configure access and trunk ports with VLAN locking enabled, see the "Configuring LAN Interfaces for Layer 2 Switching" section. For additional information about how to configure ports in private VLANs with VLAN locking enabled, see the "Configuring Private VLANs" section. By default, the VLAN locking is disabled. To enable VLAN locking, perform this task:
User-configured VLANs have unique IDs from 1 to 4094, except for reserved VLANs (see Table 23-1). Enter the vlan command with an unused ID to create a VLAN. Enter the vlan command for an existing VLAN to modify the VLAN (you cannot modify an existing VLAN that is being used by a Layer 3 port or a software feature). See the "Ethernet VLAN Default Parameters" section for the list of default parameters that are assigned when you create a VLAN. If you do not specify the VLAN type with the media keyword, the VLAN is an Ethernet VLAN. To create or modify a VLAN, perform this task:
When you create or modify an Ethernet VLAN, note the following information: •Because Layer 3 ports and some software features require internal VLANs allocated from 1006 and up, configure extended-range VLANs starting with 4094. •You can configure extended-range VLANs only in global configuration mode. You cannot configure extended-range VLANs in VLAN database mode. •Layer 3 ports and some software features use extended-range VLANs. If the VLAN you are trying to create or modify is being used by a Layer 3 port or a software feature, the switch displays a message and does not modify the VLAN configuration. When deleting VLANs, note the following information: •You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005. •When you delete a VLAN, any LAN ports configured as access ports assigned to that VLAN become inactive. The ports remain associated with the VLAN (and inactive) until you assign them to a new VLAN. This example shows how to create an Ethernet VLAN in global configuration mode and verify the configuration: This example shows how to create an Ethernet VLAN in VLAN database mode: This example shows how to verify the configuration: A VLAN created in a management domain remains unused until you assign one or more LAN ports to the VLAN. Note Make sure you assign LAN ports to a VLAN of the appropriate type. Assign Ethernet ports to Ethernet-type VLANs. To assign one or more LAN ports to a VLAN, complete the procedures in the "Configuring LAN Interfaces for Layer 2 Switching" section. For more information about VLAN allocation, see the "VLAN Ranges" section. Note The internal VLAN allocation policy is applied only following a reload. To configure the internal VLAN allocation policy, perform this task:
When you configure the internal VLAN allocation policy, note the following information: •Enter the ascending keyword to allocate internal VLANs from 1006 and up. •Enter the descending keyword to allocate internal VLAN from 4094 and down. This example shows how to configure descending as the internal VLAN allocation policy: On trunk ports, you can translate one VLAN number to another VLAN number, which transfers all traffic received in one VLAN to the other VLAN. These sections describe VLAN translation: •VLAN Translation Guidelines and Restrictions •Configuring VLAN Translation on a Trunk Port •Enabling VLAN Translation on Other Ports in a Port Group Note To avoid spanning tree loops, be careful not to misconfigure the VLAN translation feature. When translating VLANs, follow these guidelines and restrictions: •A VLAN translation configuration is inactive if it is applied to ports that are not Layer 2 trunks. •Do not configure translation of ingress native VLAN traffic on an 802.1Q trunk. Because 802.1Q native VLAN traffic is untagged, it cannot be recognized for translation. You can translate traffic from other VLANs to the native VLAN of an 802.1Q trunk. •Do not remove the VLAN to which you are translating from the trunk. •The VLAN translation configuration applies to all ports in a port group. VLAN translation is disabled by default on all ports in a port group. Enable VLAN translation on ports as needed. •For the modules that support VLAN translation, Table 23-2 lists: –The port groups to which VLAN translation configuration applies –The number of VLAN translations supported by the port groups –The trunk types supported by the modules
Note To configure a port as a trunk, see the "Configuring a Layer 2 Switching Port as a Trunk" section. To translate VLANs on a trunk port, perform this task:
This example shows how to map VLAN 1649 to VLAN 755 Gigabit Ethernet port 5/2: This example shows how to verify the configuration: To enable VLAN translation on other ports in a port group, perform this task:
This example shows how to enable VLAN translation on a port: The valid range of user-configurable ISL VLANs is 1 through 1001 and 1006 through 4094. The valid range of VLANs specified in the IEEE 802.1Q standard is 1 to 4094. You can map 802.1Q VLAN numbers to ISL VLAN numbers. 802.1Q VLANs in the range 1 through 1001 and 1006 through 4094 are automatically mapped to the corresponding ISL VLAN. 802.1Q VLAN numbers corresponding to reserved VLAN numbers must be mapped to an ISL VLAN in order to be recognized and forwarded by Cisco network devices. These restrictions apply when mapping 802.1Q VLANs to ISL VLANs: •You can configure up to eight 802.1Q-to-ISL VLAN mappings. •You can only map 802.1Q VLANs to Ethernet-type ISL VLANs. •Do not enter the native VLAN of any 802.1Q trunk in the mapping table. •When you map an 802.1Q VLAN to an ISL VLAN, traffic on the 802.1Q VLAN corresponding to the mapped ISL VLAN is blocked. For example, if you map 802.1Q VLAN 1007 to ISL VLAN 200, traffic on 802.1Q VLAN 200 is blocked. •VLAN mappings are local to each switch. Make sure that you configure the same VLAN mappings on all appropriate network devices. To map an 802.1Q VLAN to an ISL VLAN, perform this task:
This example shows how to map 802.1Q VLAN 1003 to ISL VLAN 200: This example shows how to verify the configuration: The VLAN database is stored in the vlan.dat file. You should create a backup of the vlan.dat file in addition to backing up the running-config and startup-config files. If you replace the existing supervisor engine, copy the startup-config file as well as the vlan.dat file to restore the system. The vlan.dat file is read on bootup and you will have to reload the supervisor engine after uploading the file. To view the file location, use the dir vlan.dat command. To copy the file (binary), use the copy vlan.dat tftp command. Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 9 This chapter describes how to configure the online diagnostics in Cisco IOS Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter consists of these sections: •Understanding Online Diagnostics •Configuring Online Diagnostics •Running Online Diagnostic Tests •Performing Memory Tests With online diagnostics, you can test and verify the hardware functionality of the switch while the switch is connected to a live network. The online diagnostics contain packet switching tests that check different hardware components and verify the data path and control signals. Disruptive online diagnostic tests, such as the built-in self-test (BIST) and the disruptive loopback test, and nondisruptive online diagnostic tests, such as packet switching, run during bootup, module online insertion and removal (OIR), and system reset. The nondisruptive online diagnostic tests run as part of background health monitoring. Either disruptive or nondisruptive tests can be run at the user's request (on-demand). The online diagnostics detect problems in the following areas: •Hardware components •Interfaces (GBICs, Ethernet ports, and so forth) •Connectors (loose connectors, bent pins, and so forth) •Solder joints •Memory (failure over time) Online diagnostics is one of the requirements for the high availability feature. High availability is a set of quality standards that seek to limit the impact of equipment failures on the network. A key part of high availability is detecting hardware failures and taking corrective action while the switch runs in a live network. Online diagnostics in high availability detect hardware failures and provide feedback to high availability software components to make switchover decisions. Online diagnostics are categorized as bootup, on-demand, schedule, or health-monitoring diagnostics. Bootup diagnostics run during bootup; on-demand diagnostics run from the CLI; schedule diagnostics run at user-designated intervals or specified times when the switch is connected to a live network; and health-monitoring runs in the background. These sections describe how to configure online diagnostics: •Setting Bootup Online Diagnostics Level •Configuring On-Demand Online Diagnostics •Scheduling Online Diagnostics You can set the bootup diagnostics level as minimal or complete or you can bypass the bootup diagnostics entirely. Enter the complete keyword to run all diagnostic tests; enter the minimal keyword to run only EARL tests and loopback tests for all ports in the switch. Enter the no form of the command to bypass all diagnostic tests. The default bootup diagnositcs level is minimal. To set the bootup diagnostic level, perform this task:
This example shows how to set the bootup online diagnostic level: This example shows how to display the bootup online diagnostic level: You can run the on-demand online diagnostic tests from the CLI. You can set the execution action to either stop or continue the test when a failure is detected or to stop the test after a specific number of failures occur by using the failure count setting. You can configure a test to run multiple times using the iteration setting. You should run packet-switching tests before memory tests. Note Do not use the diagnostic start all command until all of the following steps are completed. Because some on-demand online diagnostic tests can affect the outcome of other tests, you should perform the tests in the following order: 1. Run the nondisruptive tests. 2. Run all tests in the relevant functional area. 3. Run the TestTrafficStress test. 4. Run the TestEobcStressPing test. 5. Run the exhaustive-memory tests. To run on-demand online diagnostic tests, perform this task: Step 1 Run the nondisruptive tests. To display the available tests and their attributes, and determine which commands are in the nondisruptive category, enter the show diagnostic content command. Step 2 Run all tests in the relevant functional area. Packet-switching tests fall into specific functional areas. When a problem is suspected in a particular functional area, run all tests in that functional area. If you are unsure about which functional area you need to test, or if you want to run all available tests, enter the complete keyword. Step 3 Run the TestTrafficStress test. This is a disruptive packet-switching test. This test switches packets between pairs of ports at line rate for the purpose of stress testing. During this test all of the ports are shut down, and you may see link flaps. The link flaps will recover after the test is complete. The test takes several minutes to complete. Disable all health-monitoring tests f before running this test by using the no diagnostic monitor module number test all command. Step 4 Run the TestEobcStressPing test. This is a disruptive test and tests the Ethernet over backplane channel (EOBC) connection for the module. The test takes several minutes to complete. You cannot run any of the packet-switching tests described in previous steps after running this test. However, you can run tests described in subsequent steps after running this test. Disable all health-monitoring tests before running this test by using the no diagnostic monitor module number test all command. The EOBC connection is disrupted during this test and will cause the health-monitoring tests to fail and take recovery action. Step 5 Run the exhaustive-memory tests. Before running the exhaustive-memory tests, all health-monitoring tests should be disabled because the tests will fail with health monitoring enabled and the switch will take recovery action. Disable the health-monitoring diagnostic tests by using the no diagnostic monitor module number test all command. Perform the exhaustive-memory tests in the following order: 1. TestFibTcamSSRAM 2. TestAclQosTcam 3. TestNetFlowTcam 4. TestAsicMemory 5. TestAsicMemory You must reboot the after running the exhaustive-memory tests before it is operational again. You cannot run any other tests on the switch after running the exhaustive-memory tests. Do not save the configuration when rebooting as it will have changed during the tests. After the reboot, reenable the health-monitoring tests using the diagnostic monitor module number test all command. To set the bootup diagnostic level, perform this task:
This example shows how to set the on-demand testing iteration count: This example shows how to set the execution action when an error is detected: You can schedule online diagnostics to run at a designated time of day or on a daily, weekly, or monthly basis. You can schedule tests to run only once or to repeat at an interval. Use the no form of this command to remove the scheduling. To schedule online diagnostics, perform this task:
This example shows how to schedule diagnostic testing on a specific date and time for a specific port on module 1: This example shows how to schedule diagnostic testing to occur daily at a certain time for a specific port: This example shows how to schedule diagnostic testing to occur weekly on a certain day for a specific port: You can configure health-monitoring diagnostic testing while the switch is connected to a live network. You can configure the execution interval for each health-monitoring test, the generation of a system message upon test failure, or the enabling or disabling an individual test. Use the no form of this command to disable testing. To configure health-monitoring diagnostic testing, perform this task:
This example shows how to configure the specified test to run every two minutes on module 1: This example shows how to run the test if health monitoring has not previously been enabled: This example shows how to enable the generation of a syslog message when any health-monitoring test fails: After you configure online diagnostics, you can start or stop diagnostic tests or display the test results. You can also see which tests are configured and what diagnostic tests have already run. These sections describe how to run online diagnostic tests after they have been configured: •Starting and Stopping Online Diagnostic Tests •Running All Online Diagnostic Tests •Displaying Online Diagnostic Tests and Test Results Note•We recommend that before you enable any online diagnostics tests that you enable the logging console/monitor to see all warning messages. •We recommend that when you are running disruptive tests that you only run the tests when connected through the console. When disruptive tests are complete, a warning message on the console recommends that you reload the system to return to normal operation. Strictly follow this warning. •While tests are running, all ports are shut down because a stress test is being performed with ports configured to loop internally; external traffic might alter the test results. The switch must be rebooted to bring the switch to normal operation. When you issue the command to reload the switch, the system will ask you if the configuration should be saved. Do not save the configuration. •If you are running the tests on a supervisor engine, after the test is initiated and complete, you must reload or power down and then power up the entire system. •If you are running the tests on a switching module, rather than the supervisor engine, after the test is initiated and complete, you must reset the switching module. After you configure diagnostic tests to run, you can use the start and stop to begin or end a diagnostic test. To start or stop an online diagnostic command, perform one of these tasks:
This example shows how to start a diagnostic test on module 1: This example shows how to stop a diagnostic test: You can run all diagnostic tests, disruptive and nondisruptive, at once with a single command. In this case, all test dependencies will be handled automatically. Note•Running all online diagnostic tests will disrupt normal system operation. Reset the system after the diagnostic start system test all command has completed. •Do not insert, remove, or power down modules or the supervisor while the system test is running. •Do not issue any diagnostic command other than the diagnostic stop system test all command while the system test is running. •Make sure no traffic is running in background. To start or stop all online diagnostic tests, perform one of these tasks:
This example shows how to start all online diagnostic tests: You can display the online diagnostic tests that are configured and check the results of the tests using the following show commands: •show diagnostic content •show diagnostic health To display the diagnostic tests that are configured, perform this task:
This example shows how to display the online diagnostics that are configured on module 1: This example shows how to display the online diagnostic results for module 1: This example shows how to display the detailed online diagnostic results for module 1: This example shows how to display the output for the health checks performed: Most online diagnostic tests do not need any special setup or configuration. However, the memory tests, which include the TestFibTcamSSRAM and TestLinecardMemory tests, have some required tasks and some recommended tasks that you should complete before running them. Before you run any of the online diagnostic memory tests, perform the following tasks: •Required tasks –Isolate network traffic by disabling all connected ports. –Do not send test packets during a memory test. –Reset the system before returning the system to normal operating mode. •Turn off all background health-monitoring tests using the no diagnostic monitor module number test all command. Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 10 •Global Health-Monitoring Tests •Per-Port Tests •PFC Layer 2 Tests •DFC Layer 2 Tests •PFC Layer 3 Tests •DFC Layer 3 Tests •Replication Engine Tests •Fabric Tests •Exhaustive Memory Tests •Service Module Tests •Stress Tests •General Tests •Critical Recovery Tests •ViSN Tests Note•For information about configuring online diagnostic tests see Chapter 12 "Configuring Online Diagnostics." •Before you enable any online diagnostics tests, enable console logging to see all warning messages. •We recommend that when you are running disruptive tests that you only run the tests when connected through console. When disruptive tests are complete a warning message on the console recommends that you reload the system to return to normal operation: strictly follow this warning. •While tests are running, all ports are shut down as a stress test is being performed with looping ports internally and external traffic might affect the test results. The switch must be rebooted to bring the switch to normal operation. When you issue the command to reload the switch, the system will ask you if the configuration should be saved. •Do not save the configuration. •If you are running the tests on other modules, after the test is initiated and complete, you must reset the module. Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum •TestAsicSync •TestEARLInternalTables •TestErrorCounterMonitor •TestIntPortLoopback •TestLtlFpoeMemoryConsistency •TestMacNotification •TestPortTxMonitoring •TestScratchRegister •TestSnrMonitoring •TestSPRPInbandPing •TestUnusedPortIndexDirect •TestUnusedPortLoopback This test periodically verifies the status of bus and port synchronization ASICs.
This test detects most PFC and DFC hardware table problems by running consistency checks on the PFC and DFC hardware tables. The test runs every 5 minutes. A failure of the test for the PFC results in one of these actions: •Failover to the redundant supervisor engine. •If a redundant supervisor engine is not installed, shutdown of the supervisor engine. A failure of the test for the DFC results in one of these actions: •Up to two resets of the DFC-equipped switching module. •Shutdown following a third failure. A CallHome message is generated if CallHome is configured on the system.
This test monitors the errors and interrupts that occur on each module in the system by periodically polling for the error counters maintained in the module. If the errors exceed a threshold value, a syslog message is displayed with detailed information including the error-counter identifier, port number, total failures, consecutive failures, and the severity of the error counter.
This test uses the switching module internal port to run a non-disruptive loopback test. It can be used to detect fabric channel failure and also port ASIC failure. This test is similar to TestFabricCh0Health. The test runs every 15 seconds.
This test verifies that the LTL and FPOE memories are working properly. The test runs every 15 seconds. Self-correction is applied if an error is detected. If self-correction fails, corrective action is triggered to reset the module. The module is powered-down on the third consecutive module reset. If self-correction passes, no action is taken. If too many self-corrections occur within a short period of time (more than three self-corrections in less than 300 seconds), the module is reset.
This test verifies the data and control path between DFC-equipped modules and supervisor engines. This test also ensures Layer 2 MAC address consistency across Layer 2 MAC address tables. The test runs every six seconds. Ten consecutive failures causes the module to reset during bootup or runtime (default). After three consecutive resets, the module powers down. This test runs every 15 seconds.
This test periodically polls the transmit counters on each port. The test displays a syslog message and error disables the port if no activity is seen for the configured time interval and failure threshold. You configure the time interval and threshold by entering the diagnostic monitor interval and diagnostic monitor threshold commands. The test does not source any packets, but leverages the CDP protocol that transmits packets periodically. If the CDP protocol is disabled, the polling for that port is not performed. The test runs every 75 seconds, and the failure threshold is set to five by default.
This test monitors the health of application-specific integrated circuits (ASICs) by writing values into registers and reading back the values from these registers. The test runs every 30 seconds. Five consecutive failures causes a supervisor engine to switchover (or reset), if you are testing the supervisor engine, or in the module powering down when testing a module.
This test monitors the SNR (signal-to-noise ratio) margin for a port, which varies between -12.7 dB to +12.7 dB. The test uses the following two threshold levels to compare SNR: •Minor threshold at +1.0 dB •Major threshold at 0.0 dB When the SNR value drops below the minor threshold, the test logs a minor warning message. When the SNR value drops below the major threshold, the test logs a major warning message. Similarly, recovery messages are logged when SNR recovers the two threshold levels. The default interval for the test is 30 seconds and can be configured to as low as 10 seconds for faster monitoring. The TestSnrMonitoring is not a bootup test and cannot be run on demand.
This test detects most runtime software driver and hardware problems on supervisor engines by running diagnostic packet tests using the Layer 2 forwarding engine, the Layer 3 and 4 forwarding engine, and the replication engine on the path from the switch processor to the route processor. Packets are sent at 15-second intervals. Ten consecutive failures of the test results in failover to the redundant supervisor engine (default) or reload of the supervisor engine if a redundant supervisor engine is not installed.
This test periodically verifies the data path between the supervisor engine and the network ports of a module in the runtime. In this test, a Layer 2 packet is index-directed to the test port from the supervisor's inband port. The packet is looped back in the test port and index-directed back to the supervisor's inband port. It's similar to TestPortIndexDirect but only runs on unused (admin down) network ports and only one unused port per port ASIC. This test substitutes the lack of a nondisruptive loopback test in current ASICs. This test runs every 60 seconds.
This test periodically verifies the data path between the supervisor engine and the network ports of a module in the runtime. In this test, a Layer 2 packet is flooded onto the VLAN associated with the test port and the inband port of the supervisor engine. The packet loops back in the test port and returns to the supervisor engine on the same VLAN. This test is similar to TestLoopback but only runs on unused (admin down) network ports and on only one unused port per port ASIC. This test substitutes the lack of a nondisruptive loopback test in current ASICs. This test runs every 60 seconds.
•TestActiveToStandbyLoopback •TestLoopback •TestMgmtPortsLoopback •TestNetflowInlineRewrite •TestNonDisruptiveLoopback •TestNPLoopback •TestPortIndexDirect •TestTransceiverIntegrity This test verifies the data path between the active supervisor engine and the network ports of the standby supervisor engine. In this test, a Layer 2 packet is flooded onto a VLAN that consists of only the test port and the active supervisor engine's inband port. The test packets are looped back in the targeted port and are flooded back onto the bus with only the active supervisor engine's inband port listening in on the flooded VLAN.
This test checks the control plane data path. This test sends an online diagnostics packet from the supervisor engine to service or high availability port on the Wireless Services Module (WiSM2). The TestCCPLoopback checks whether the test packet loops back. If the test fails, a syslog message is displayed to indicate the error. This test also can be run as health monitoring, on-demand, and scheduled tests.
This test sends a packet from the inband port of the supervisor to the data port on the Firewall or NAM service module to verify the data packet path. The packet is looped back to the supervisor in hardware. If the packet does not return from the supervisor, hardware counters are polled to isolate the faulty path. This test runs every 45 seconds.
This test checks the data plane data path. This test sends an online diagnostics packet from the supervisor engine to data ports on the Wireless Services Module (WiSM2). This test checks whether the test packet loops back. If the test fails, a syslog message is displayed to indicate the error. This test also can be run as health monitoring, on-demand, and scheduled tests.
This test verifies the data path between the supervisor engine and the network ports of a module. In this test, a Layer 2 packet is flooded onto a VLAN that consists of only the test port and the supervisor engine's inband port. The packet loops back in the port and returns to the supervisor engine on that same VLAN.
This test sends a packet from the inband port of the supervisor to the Firewall or NAM service module to verify the health of the backplane ports. The packet is looped back to the supervisor in hardware. If the packet does not return from the supervisor, the service application is queried for the status of the packet and depending on the action suggested by the service module, a syslog message is displayed and the module is reset. This test runs every 30 seconds.
This test verifies the NetFlow lookup operation, the ACL permit and deny functionality, and the inline rewrite capabilities of the port ASIC. The test packet will undergo a NetFlow table lookup to obtain the rewrite information. The VLAN and the source and destination MAC addresses are rewritten when the packet reaches the targeted port.
This test verifies the data path between the supervisor engine and the network ports of a module. In this test, a Layer 2 packet is flooded onto VLAN that contains a group of test ports. The test port group consists of one port per port ASIC channel. Each port in the test port group nondisruptively loops back the packet and directs it back to the supervisor engine's inband port. The ports in the test port group are tested in parallel.
This test checks the data path of the ACE30 module for data path errors. This test runs at bootup, and the default configuration is a health-monitoring test that runs every 15 seconds. If TestNPLoopback fails, an SCP (Switch-module Configuration Protocol) message is sent to the ACE30 module indicating which network processors have failed. Upon receipt of the SCP message, ACE30 will take corrective action. If the TestNPLoopback test fails for ten consecutive times, the ACE30 module is reset.
This test verifies the data path between the supervisor engine and the network ports of a module. In this test, a Layer 2 packet is index-directed to the test port from the supervisor engine inband port. The packet is looped back in the test port and index-directed back to the supervisor engine inband port.
This security test is performed on the transceiver during transceiver online insertion and removal (OIR) or module bootup to make sure that the transceiver is supported.
•TestBadBpduTrap •TestDontConditionalLearn •TestMatchCapture •TestNewIndexLearn This test is a combination of the TestTrap and the TestBadBpdu tests, which are described in the "DFC Layer 2 Tests" section.
This test is a combination of the TestDontLearn and the TestConditionalLearn tests, which are described in the "DFC Layer 2 Tests" section.
This test is a combination of the TestProtocolMatchChannel and the TestCapture tests, which are described in the "DFC Layer 2 Tests" section.
This test is a combination of the TestNewLearn and the TestIndexLearn tests, which are described in the "DFC Layer 2 Tests" section.
•TestBadBpdu •TestCapture •TestConditionalLearn •TestDontLearn •TestIndexLearn •TestNewLearn •TestPortSecurity •TestProtocolMatchChannel •TestStaticEntry •TestTrap This test verifies the ability to trap or redirect packets to the switch processor. This test verifies that the Trap feature of the Layer 2 forwarding engine is working properly. When running the test on the supervisor engine, the diagnostic packet is sent from the supervisor engine's inband port and performs a packet lookup using the supervisor engine's Layer 2 forwarding engine. For DFC-equipped modules, the diagnostic packet is sent from the supervisor engine's inband port through the switch fabric and looped back from one of the DFC ports. The BPDU feature is verified during the diagnostic packet lookup by the Layer 2 forwarding engine.
This test verifies that the capture feature of Layer 2 forwarding engine is working properly. The capture functionality is used for multicast replication. When running the test on the supervisor engine, the diagnostic packet is sent from the supervisor engine's inband port and performs a packet lookup using the supervisor engine's Layer 2 forwarding engine. For DFC-equipped modules, the diagnostic packet is sent from the supervisor engine's inband port through the switch fabric and looped back from one of the DFC ports. The Capture feature is verified during the diagnostic packet lookup by the Layer 2 forwarding engine.
This test verifies the ability to learn a Layer 2 source MAC address under specific conditions. When running the test on the supervisor engine, the diagnostic packet is sent from the supervisor engine's inband port and performs a packet lookup using the supervisor engine Layer 2 forwarding engine. For DFC-equipped modules, the diagnostic packet is sent from the supervisor engine's inband port through the switch fabric and looped back from one of the DFC ports. The Conditional Learn feature is verified during the diagnostic packet lookup by the Layer 2 forwarding engine.
This test verifies that new source MAC addresses are not populated in the MAC address table when they should not be learned. This test verifies that the "don't learn" feature of the Layer 2 forwarding engine is working properly. For DFC-equipped modules, the diagnostic packet is sent from the supervisor engine inband port through the switch fabric and looped back from one of the ports on the DFC-enabled module. The "don't learn" feature is verified during diagnostic packet lookup by the Layer 2 forwarding engine.
This test ensures that existing MAC address table entries can be updated. This test verifies the Index Learn feature of the Layer 2 forwarding engine is working properly. When running the test on the supervisor engine, the diagnostic packet is sent from the supervisor engine's inband port and performs a packet lookup using the supervisor engine Layer 2 forwarding engine. For DFC-equipped modules, the diagnostic packet is sent from the supervisor engine's inband port through the switch fabric and looped back from one of the DFC ports. The Index Learn feature is verified during the diagnostic packet lookup by the Layer 2 forwarding engine.
This test verifies the Layer 2 source MAC address learning functionality of the Layer 2 forwarding engine. For supervisor engines, a diagnostic packet is sent from the supervisor engine inband port to verify that the Layer 2 forwarding engine is learning the new source MAC address from the diagnostic packet. For DFC-equipped modules, a diagnostic packet is sent from the supervisor engine inband port through the switch fabric and looped backed from one of the ports on the DFC-enabled module. The Layer 2 learning functionality is verified during the diagnostic packet lookup by the Layer 2 forwarding engine.
This test verifies the ability to redirect packets to the CPU if a secure MAC address is transmitting the packets from a different port. For the supervisor engine, a diagnostic packet is sent from the supervisor engine's inband port and the port security feature is verified during the diagnostic packet lookup by the Layer 2 forwarding engine. For DFC-equipped modules, a diagnostic packet is sent from the supervisor engine inband port through the fabric and is looped back in one of the ports on the DFC-equipped module. The port security feature is verified during the diagnostic packet lookup by the Layer 2 forwarding engine.
This test verifies the ability to match specific Layer 2 protocols in the Layer 2 forwarding engine. When running the test on the supervisor engine, the diagnostic packet is sent from the supervisor engine's inband port and performs a packet lookup using the supervisor engine's Layer 2 forwarding engine. For DFC-equipped modules, the diagnostic packet is sent from the supervisor engine's inband port through the switch fabric and looped back from one of the DFC ports. The Match feature is verified during the diagnostic packet lookup by the Layer 2 forwarding engine.
This test verifies the ability to populate static entries in the Layer 2 MAC address table. For DFC-equipped modules, the diagnostic packet is sent from the supervisor engine's inband port through the switch fabric and looped back from one of the DFC ports. The Static Entry feature is verified during the diagnostic packet lookup by the Layer 2 forwarding engine.
This test verifies the ability to trap or redirect packets to the switch processor. This test verifies that the Trap feature of the Layer 2 forwarding engine is working properly. When running the test on the supervisor engine, the diagnostic packet is sent from the supervisor engine's inband port and performs a packet lookup using the supervisor engine's Layer 2 forwarding engine. For DFC-equipped modules, the diagnostic packet is sent from the supervisor engine's inband port through the switch fabric and looped back from one of the DFC ports. The Trap feature is verified during the diagnostic packet lookup by the Layer 2 forwarding engine.
•TestAclDeny •TestAclPermit •TestFibDevices •TestIPv4FibShortcut •TestIPv6FibShortcut •TestL3Capture2 •TestMPLSFibShortcut •TestNATFibShortcut •TestNetflowShortcut •TestQoSTcam This test verifies that the ACL deny feature of the Layer 2 and Layer 3 forwarding engine is working properly. The test uses different ACL deny scenarios such as input, output, Layer 2 redirect, Layer 3 redirect, and Layer 3 bridges to determine whether or not the ACL deny feature is working properly.
This test verifies that the ACL permit functionality is working properly. An ACL entry permitting a specific diagnostics packet is installed in the ACL TCAM. The corresponding diagnostic packet is sent from the supervisor engine and looked up by the Layer 3 forwarding engine to make sure that it hits the ACL TCAM entry and gets permitted and forwarded appropriately.
This test verifies whether the FIB TCAM and adjacency devices are functional. One FIB entry is installed on each FIB TCAM device. A diagnostic packet is sent to make sure that the diagnostic packet is switched by the FIB TCAM entry installed on the TCAM device. This is not an exhaustive TCAM device test; only one entry is installed on each TCAM device. Note Compared to the IPv4FibShortcut and IPv6FibShortcut tests, this test tests all FIB and adjacency devices using IPv4 or IPv6 packets, depending on your configuration.
This test does the following: •Verifies whether the IPv4 FIB forwarding of the Layer 3 forwarding engine is working properly. One diagnostic IPv4 FIB and an adjacency entry are installed, and a diagnostic packet is sent to make sure that the diagnostic packet is forwarded according to rewritten MAC and VLAN information. •Verifies whether the FIB TCAM and adjacency devices are functional. One FIB entry is installed on each FIB TCAM device. A diagnostic packet is sent to make sure that the diagnostic packet is switched by the FIB TCAM entry installed on the TCAM device. This is not an exhaustive TCAM device test; only one entry is installed on each TCAM device.
This test verifies that the IPV6 FIB forwarding of the Layer 3 forwarding engine is working properly. One diagnostic IPV6 FIB and an adjacency entry is installed, and a diagnostic IPv6 packet is sent to make sure the diagnostic packet is forwarded according to rewritten MAC and VLAN information.
This test verifies that the Layer 3 capture (capture 2) feature of the Layer 3 forwarding engine is working properly. This capture feature is used for ACL logging and VACL logging. One diagnostic FIB and an adjacency entry with a capture 2 bit set is installed, and a diagnostic packet is sent to make sure that the diagnostic packet is forwarded according to the capture bit information.
This test does the following: •Verifies that the MPLS forwarding of the Layer 3 forwarding engine is working properly. One diagnostic MPLS FIB and an adjacency entry is installed, and a diagnostic MPLS packet is sent to make sure that the diagnostic packet is forwarded according to the MPLS label from the adjacency entry. •Verifies the EoMPLS forwarding of the Layer 3 forwarding engine. One diagnostic EoMPLS Layer 2 FIB and an adjacency entry are installed and a diagnostic Layer 2 packet is sent to the forwarding engine to make sure it is forwarded accordingly with the MPLS labels and the encapsulated Layer 2 packet.
This test verifies the ability to rewrite a packet based on the NAT adjacency information (rewrite destination IP address). One diagnostic NAT FIB and an adjacency entry is installed, and the diagnostic packet is sent to make sure that the diagnostic packet is forwarded according to the rewritten IP address.
This test verifies that the NetFlow forwarding functionality of the Layer 3 forwarding engine is working properly. One diagnostic NetFlow entry and an adjacency entry is installed, and a diagnostic packet is sent to make sure it is forwarded according to the rewritten MAC and VLAN information.
This test performs exhaustive memory tests for QoS TCAM devices.
•TestAclDeny •TestAclFpgaMonitor •TestAclPermit •TestFibDevices •TestIPv4FibShortcut •TestIPv6FibShortcut •TestL3Capture2 •TestMPLSFibShortcut •TestNATFibShortcut •TestNetflowShortcut •TestQoSTcam This test verifies that the ACL deny feature of the Layer 2 and Layer 3 forwarding engine is working properly. The test uses different ACL deny scenarios such as input and output Layer 2 redirect, Layer 3 redirect, and Layer 3 bridges.
This test monitors the ACL FPGA for an invalid ACL TCAM reply and takes recovery action if an invalid reply is detected.
This test verifies that the ACL permit functionality is working properly. An ACL entry permitting a specific diagnostics packet is installed in the ACL TCAM. The corresponding diagnostic packet is sent from the supervisor engine and is looked up by the Layer 3 forwarding engine to make sure it hits the ACL TCAM entry and gets permitted and forwarded correctly.
This test verifies whether the FIB TCAM and adjacency devices are functional. One FIB entry is installed on each FIB TCAM device. A diagnostic packet is sent to make sure that the diagnostic packet is switched by the FIB TCAM entry installed on the TCAM device. This is not an exhaustive TCAM device test; only one entry is installed on each TCAM device. Note Compared to the IPv4FibShortcut and IPv6FibShortcut tests, this test tests all FIB and adjacency devices using IPv4 or IPv6 packets, depending on your configuration.
These tests do the following: •Verifies whether the IPv4 FIB forwarding of the Layer 3 forwarding engine is working properly. One diagnostic IPv4 FIB and an adjacency entry is installed, and a diagnostic packet is sent to make sure that the diagnostic packet is forwarded according to rewritten MAC and VLAN information. •Verifies whether the FIB TCAM and adjacency devices are functional. One FIB entry is installed on each FIB TCAM device. A diagnostic packet is sent to make sure that the diagnostic packet is switched by the FIB TCAM entry installed on the TCAM device. This is not an exhaustive TCAM device test; only one entry is installed on each TCAM device.
This test verifies that the IPv6 FIB forwarding functionality of the Layer 3 forwarding engine is working properly. One diagnostic IPv6 FIB and an adjacency entry is installed, and a diagnostic IPv6 packet is sent to make sure that the diagnostic packet is forwarded according to rewritten MAC and VLAN information.
This test verifies that the Layer 3 capture (capture 2) feature of the Layer 3 forwarding engine is working properly. This capture feature is used for ACL logging and VACL logging. One diagnostic FIB and an adjacency entry with a capture 2-bit set is installed, and a diagnostic packet is sent to make sure that the diagnostic packet is forwarded according to capture bit information.
This test does the following: •Verifies that the MPLS forwarding of the Layer 3 forwarding engine is working properly. One diagnostic MPLS FIB and an adjacency entry is installed, and a diagnostic MPLS packet is sent to make sure that the diagnostic packet is forwarded according to the MPLS label from the adjacency entry. •Verifies the EoMPLS forwarding of the Layer 3 forwarding engine. One diagnostic EoMPLS Layer 2 FIB and an adjacency entry are installed and a diagnostic Layer 2 packet is sent to the forwarding engine to make sure it is forwarded accordingly with the MPLS labels and the encapsulated Layer 2 packet.
This test verifies the ability to rewrite a packet based on NAT adjacency information, such as the rewrite destination IP address. One diagnostic NAT FIB and an adjacency entry is installed, and a diagnostic packet is sent to the forwarding engine to make sure the diagnostic packet is forwarded according to the rewritten IP address.
This test verifies that the NetFlow forwarding functionality of the Layer 3 forwarding engine is working properly. One diagnostic NetFlow entry and an adjacency entry is installed, and a diagnostic packet is sent to make sure it is forwarded according to the rewritten MAC and VLAN information.
This test performs exhaustive memory tests for QoS TCAM devices.
•TestEgressSpan •TestIngressSpan •TestL3VlanMet This test verifies that the egress SPAN replication functionality of the rewrite engine for both SPAN queues is working properly.
This test ensures that the port ASIC is able to tag packets for ingress SPAN. This test also verifies that the ingress SPAN operation of the rewrite engine for both SPAN queues is working properly.
This test verifies that the multicast functionality of the replication engine is working properly. The replication engine is configured to perform multicast replication of a diagnostic packet onto two different VLANs. After the diagnostic packet is sent out from the supervisor engine's inband port, the test verifies that two packets are received back in the inband port on the two VLANs configured in the replication engine.
•TestFabricCh0Health •TestFabricCh1Health •TestFabricFlowControlStatus •TestFabricSnakeBackward •TestFabricSnakeBackward •TestSynchedFabChannel This test constantly monitors the health of the ingress and egress data paths for fabric channel 0 on 10-gigabit modules. The test runs every five seconds. Ten consecutive failures are treated as fatal and the module resets; three consecutive reset cycles may result in a fabric switchover.
This test constantly monitors the health of the ingress and egress data paths for fabric channel 1 on 10-gigabit modules. The test runs every five seconds. Ten consecutive failures are treated as fatal and the module resets; three consecutive reset cycles might result in a fabric switchover.
This test reads the switch fabric ASIC registers to detect flow-control status for each fabric channel. Flow-control events are logged into the diagnostic events queue. By default, this test is disabled as a health-monitoring test, and when enabled, this test runs every 15 seconds. This test reports per-slot or per-channel rate reduction, current fabric channel utilization, peak fabric-channel utilization, and SP CPU utilization in both ingress and egress directions.
This test consists of two test cases: the internal snake test and the external snake test. The internal snake test generates the test packets inside the fabric ASIC, and the test data path is limited so that it stays inside the fabric ASIC. The external snake test generates the test packet using the supervisor engine inband port and the test data path involves the port ASIC, the rewrite engine ASIC inside the supervisor engine, and the fabric ASIC. Whether or not the supervisor engine local channel is synchronized to the fabric ASIC determines which test is used. If it is synchronized, the external snake test is used; if it is not, internal snake test is used. For both tests, only the channels that are not synchronized to any modules are involved in the test. The backward direction indicates that the snaking direction is from the high-numbered channel to the low-numbered channel.
This test consists of two test cases: the internal snake test and the external snake test. The internal snake test generates the test packets inside the fabric ASIC and the test data path is limited so that it stays inside the fabric ASIC. The external snake test generates the test packet using the supervisor engine inband port; the test data path involves the port ASIC, the rewrite engine ASIC inside the supervisor engine, and the fabric ASIC. Whether or not the supervisor engine local channel is synchronized to the fabric ASIC determines which test is used. If it is synchronized, the external snake test is used; if it is not, the internal snake test is used. For both tests, only the channels that are not synchronized to any modules are involved in the test. The Forward direction indicates that the snaking direction is from the low-numbered channel to the high-numbered channel.
This test periodically checks the fabric synchronization status for both the module and the fabric. This test is available only for fabric-enabled modules. This test is not a packet-switching test so it does not involve the data path. This test sends an SCP control message to the module and fabric to query the synchronization status.
•TestAsicMemory •TestFibTcamSSRAM Note Because the supervisor engine must be rebooted after running memory tests, run memory tests on the other modules before running them on the supervisor engine. For more information about running on-demand online diagnostic tests see the "Configuring On-Demand Online Diagnostics" section. This test uses an algorithm to test the memory on a module.
This test verifies the FIB TCAM and Layer 3 Adjacency SSRAM memory.
This test tests all the bits and checks the location of the Netflow TCAM.
This test performs exhaustive memory tests for QoS TCAM devices.
•TestHapiEchoPkt •TestIPSecBaseComponents •TestIPSecClearPkt •TestIPSecEncryptDecryptPkt •TestIPSecSPAComponents •TestPcLoopback •TestPortASICLoopback This test sends a Hapi Echo packet to the crypto engine using the control path. After the Hapi Echo packet is sent to the crypto engine, it is echoed back from the crypto engine. The packet is sent from the supervisor engine inband port to the crypto engine using index-direct and is sent back using broadcast to a diagnostic VLAN.
This test verifies components in 7600-SSC-400 modules in the run-time environment for hardware functionality and integrity.
This test sends a packet through the switch fabric or bus from the supervisor engine inband port through to the crypto engine. The packet is sent back without encryption from the crypto engine to the supervisor engine in-band port. The packet is checked to verify that the encryption is not done and that the packet data fields are reserved. The Layer 2 lookup drives the packet between the supervisor in-band port and the crypto engine.
This test checks the encryption functionality by exchanging a packet between the supervisor engine in-band port and the crypto engine of the IPsec services modules (WS-SVC-IPSEC, SPA-IPSEC) using the switch fabric or bus (whichever is applicable). After several exchanges, the packet is checked to verify that the original data is preserved after the encryption and decryption process performed by the crypto engine. The Layer 2 lookup drives the packet between the supervisor in-band port and the crypto engine.
This test verifies components in SPA-IPSEC-2G modules in the run-time environment for hardware functionality and integrity.
This test verifies the longest datapath between the supervisor and the NAM service module. A packet is sent from the supervisor to the module and is looped back by the PC to the supervisor engine.
This test verifies the health of the ASIC ports on the NAM service module. A packet is sent from the supervisor engine and looped back at the ASIC.
•TestEobcStressPing •TestTrafficStress This test stresses a module's EOBC link with the supervisor engine. The test is started when the supervisor engine initiates a number of sweep-ping processes (the default is one). The sweep-ping process pings the module with 20,000 SCP-ping packets. The test passes if all 20,000 packets respond before each packet-ping timeout, which is two seconds. If unsuccessful, the test allows five retries to account for traffic bursts on the EOBC bus during the test.
This test stress tests the switch and the installed modules by configuring all of the ports on the modules into pairs, which then pass packets between each other. After allowing the packets to pass through the switch for a predetermined period, the test verifies that the packets are not dropped.
•BusConnectivityTest •ScheduleSwitchover •TestCFRW •TestFirmwareDiagStatus •TestOBFL •TestRwEngineOverSubscription •TestSpuriousIsrDetection •TestVDB This test verifies the bus connectivity on WAN modules by sending packets from the supervisor engine to the module, where they are looped back by the bus ASIC and returned to the supervisor engine.
This test allows you to trigger a switchover at any time using the online diagnostics scheduling capability.
This test verifies the CompactFlash disk or disks on the supervisor engine. This test is performed during system boot-up or whenever a disk is inserted. A 128-byte temporary file is written to each disk present in the slot and read back. The content read back is checked and the temporary file is deleted. You can also execute this test from the CLI.
This test displays the results of the power-on diagnostic tests run by the firmware during the module bootup.
This test verifies the on-board failure logging capabilities. During this test a diagnostic message is logged on the module.
This is a health-monitoring test that is not enabled by default. This test runs on the module every one second and checks if the rewrite engine gets oversubscribed by retrieving drop counters and generates a syslog message if the drops exceed the set threshold.
This test is run when an interrupt is detected on a fabric ASIC.This test is not a bootup test and cannot be run on demand. Failure of this test is treated as fatal, leading to supervisor engine crash.
This test is available on PoE-equipped modules. This test queries the result of diagnostic tests that run on the PoE daughter card.
•TestAclFpgaMonitor •TestL3HealthMonitoring •TestTxPathMonitoring Note These tests are also considered critical recovery tests: •TestFabricCh0Health •TestFabricCh1Health •TestSynchedFabChannel This test monitors the ACL FPGA for an invalid ACL TCAM reply status and takes recovery action if an invalid reply is detected.
This test triggers a set of diagnostic tests involving IPv4 and IPv6 packet switching on a DFC whenever the system tries to self-recover from a detected hardware fault. The tests shut down the front panel port (usually port 1) for testing purposes. If the diagnostic tests are not passing, it is an indication that the hardware fault cannot be fixed and a self-recovery sequence will be applied again.
This test sends index-directed packets periodically to each port on the supervisor engine and supported modules to verify ASIC synchronization and correct any related problems. The test runs every two seconds.
•TestRslHm •TestVSActiveToStandbyLoopback •TestVslBridgeLink •TestVslLocalLoopback •TestVslStatus This test monitors the data and control links between the remote switch and core switches. A diagnostic packet is sent from the supervisor engine inband port on the remote switch to the supervisor engine inband port on the core switch and is pinged back along the reverse data path. This tests each RSL link between the remote switch and both active and standby core switches.
This test is the only GOLD test that tests the full data path across the virtual switch links. This test selects an uplink port in the standby virtual switch supervisor engine as the loopback point and sends the VLAN flood packet from the active virtual switch supervisor engine inband port to the system. Due to the configuration of the FPOE and LTL VLAN flood region for all VSL modules and VSL interfaces in the active and standby virtual switch, the packet goes across VSL and arrives at the uplink port of the standby virtual switch supervisor engines, and loopbacks from there. The packet comes back to the inband port of the active supervisor engine due to the preconfiguration of FPOE and LTL in the standby and active virtual switches. In case of a test failure, the error check is executed for SP CPU, fabric flow control, and other errors in both active and standby virtual swtiches.
This test provides diagnostic coverage for VSL-capable modules and the supervisor engine during module bootup. The data path of this test picks only one port corresponding to the local and remote bridge inband port as the loopback points. A diagnostic packet is sent from the inband port of the supervisor engine to the loopback points on the VSL module, and the packet traverses the bridge link between two fabric data path complexes to verify the hardware bridge link functionality.
This test verifies the hardware functionality of each port on the VSL module before the VSL link interface is up. The data path of this test is constrained with the VSL module. A diagnostic packet is sent from the local inband port of the VSL module to each port to run a loopback test. This test is run only during module bootup.
This test reports the status change detected by the VSLP protocol. When any link problem is detected by the VSLP protocol, the status of the link is changed and the result is updated accordingly. This test also triggers the loopback test to check the hardware status requested by the VSLP protocol.
Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 11 This chapter describes how to configure NetFlow Data Export (NDE). Note For complete syntax and usage information for the commands used in this chapter, see these publications: •The Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/netflow/command/reference/nf_book.html •The Cisco IOS NetFlow Configuration Guide, Release 12.2SX , which provides information about NetFlow version 9. Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter contains the following sections: •Understanding NDE •Default NDE Configuration •NDE Configuration Guidelines and Restrictions •Configuring NDE These sections describe how NetFlow Data Export (NDE) works: •NDE Overview •NDE on the RP NetFlow collects traffic statistics by monitoring the packets that flow through the switch and storing the statistics in the NetFlow table. For more information about NetFlow, see Chapter 63 "Configuring NetFlow." NetFlow Data Export (NDE) converts the NetFlow table statistics into records and exports the records to an external device, which is called a NetFlow collector. In PFC3A mode, NDE exports statistics only for routed traffic. With modes other than PFC3A, you can configure NDE to export statistics for both routed and bridged traffic. You can export IP unicast statistics using NDE record format versions 5, 7 or 9. Use NDE version 8 record format for NetFlow aggregation, and version 9 record format for IP multicast. Exporting a large volume of statistics can significantly impact SP and RP CPU utilization. You can control the volume of records exported by configuring NDE flow filters to include or exclude flows from the NDE export. When you configure a filter, NDE exports only the flows that match the filter criteria. You can configure up to two external data collector addresses. A second data collector improves the probability of receiving complete NetFlow data by providing redundant data streams. The RP supports these features, which are documented in the Cisco IOS NetFlow Configuration Guide, Release 12.2SX: •NDE for flows routed in software •NetFlow aggregation •NetFlow ToS-based router aggregation •NetFlow flow sampling •NetFlow version 9 export NDE on the PFC exports statistics for flows routed or bridged in hardware. These sections describe NDE on the PFC in more detail: •NDE Flow Mask •NDE Versions •Exporting NetFlow Data •NetFlow Sampling You can configure the minimum NetFlow flow mask for NDE. The NetFlow flow mask determines the granularity of the statistics gathered, which controls the volume of statistics for NDE to export. For more details about flow masks, see Chapter 63 "Configuring NetFlow." You can configure NDE to populate the following additional fields in the NDE packets: •IP address of the next hop router •Egress interface SNMP ifIndex •BGP AS These fields are populated by the software looking up the FIB table entry before sending out the NDE record to the collector. These fields are empty when you use the show command to display the hardware NetFlow table. •NetFlow version 9 is described in this publication: http://www.cisco.com/en/US/docs/ios-xml/ios/netflow/configuration/12-2sx/cfg-nflow-data-expt.html •NDE exports statistics for NetFlow aggregation flows using NDE version 8. The following document describes the version 8 header format: http://www.cisco.com/en/US/docs/ios-xml/ios/netflow/configuration/12-2sx/ios-netflow-ov.html •With 12.2SX releases, NDE exports IP unicast traffic using NDE versions 5, 7 and 9. Some fields in the flow records might not have values, depending on the current flow mask. Unsupported fields contain a zero (0). Note With the WCCP Layer 2 redirect, the nexthop field and the output field might not contain accurate information for all NetFlows. Therefore, the destination interface for traffic returned from the web server has a client interface instead of the cache interface or the ANCS interface. The following tables describe the supported fields for NDE versions 5 and 7: –Table 64-1—Version 5 header format –Table 64-2—Version 7 header format –Table 64-3—Version 5 flow record format –Table 64-4—Version 7 flow record format
NetFlow maintains traffic statistics for each active flow in the NetFlow table and increments the statistics when packets within each flow are switched. Periodically, NDE exports summarized traffic statistics for all expired flows, which the external data collector receives and processes. Exported NetFlow data contains statistics for the flow entries in the NetFlow table that have expired since the last export. Flow entries in the NetFlow table expire and are flushed from the NetFlow table when one of the following conditions occurs: •The entry ages out. •The entry is cleared by the user. •An interface goes down. •Route flaps occur. To ensure periodic reporting of continuously active flows, entries for continuously active flows expire at the end of the interval configured with the mls aging long command (default 32 minutes). NDE packets go to the external data collector either when the number of recently expired flows reaches a predetermined maximum or after: •30 seconds for version 5 export. •10 seconds for version 9 export. By default, all expired flows are exported unless they are filtered. If you configure a filter, NDE only exports expired and purged flows that match the filter criteria. NDE flow filters are stored in NVRAM and are not cleared when NDE is disabled. See the "Configuring NDE Flow Filters" section for NDE filter configuration procedures. NetFlow sampling is used when you want to report statistics for a subset of the traffic flowing through your network. The Netflow statistics can be exported to an external collector for further analysis. There are two types of NetFlow sampling: NetFlow traffic sampling and NetFlow flow sampling. The configuration steps for configuring MSFC-based NetFlow traffic sampling for traffic switched in the software path and PFC/DFC-based NetFlow flow sampling for traffic switched in the hardware path on a Cisco 6500 series switch use different commands because they are mutually independent features. The following sections provide additional information on the two types of NetFlow sampling supported by Cisco 6500 series switches: •NetFlow Traffic Sampling •NetFlow Flow Sampling NetFlow traffic sampling provides NetFlow data for a subset of traffic forwarded by a Cisco router or switch by analyzing only one randomly selected packet out of n sequential packets (n is a user-configurable parameter) from the traffic that is processed by the router or switch. NetFlow traffic sampling is used on platforms that perform software-based NetFlow accounting, such as Cisco 7200 series routers and Cisco 6500 series MSFCs, to reduce the CPU overhead of running NetFlow by reducing the number of packets that are analyzed (sampled) by NetFlow. The reduction in the number of packets sampled by NetFlow on platforms that perform software based NetFlow accounting also reduces the number of packets that need to be exported to an external collector. Reducing the number of packets that need to be exported to an external collector by reducing the number of packets that are analyzed is useful when the volume of exported traffic created by analyzing every packet will overwhelm the collector, or result in an over-subscription of an outbound interface. NetFlow traffic sampling and export for software-based NetFlow accounting behaves in the following manner: •The flows are populated with statistics from a subset of the traffic that is seen by the router. •The flows are expired. •The statistics are exported. On Cisco 6500 series switches, NetFlow traffic sampling is supported only on the MSFC for software switched packets. For more information on configuring NetFlow traffic sampling, see the Cisco IOS NetFlow Configuration Guide. NetFlow flow sampling does not limit the number of packets that are analyzed by NetFlow. NetFlow flow sampling is used to select a subset of the flows processed by the router for export. NetFlow flow sampling is not a solution to reduce oversubscribed CPUs or oversubscribed hardware NetFlow table usage. NetFlow flow sampling can help reduce CPU usage by reducing the amount of data that is exported. Using NetFlow flow sampling to reduce the number of packets that need to be exported to an external collector by reporting statistics on only a subset of the flows is useful when the volume of exported traffic created by reporting statistics for all of the flows will overwhelm the collector, or result in an over-subscription of an outbound interface. NetFlow flow sampling is available on Cisco Catalyst 6500 series switches for hardware-based NetFlow accounting on the PFCs and DFCs installed in the router. NetFlow flow sampling and export for hardware-based NetFlow accounting behaves in the following manner: •Packets arrive at the switch and flows are created/updated to reflect the traffic seen. •The flows are expired. •The flows are sampled to select a subset of flows for exporting. •The statistics for the subset of flows that have been selected by the NetFlow flow sampler are exported. Note When NetFlow flow sampling is enabled, aging schemes such as fast, normal, long aging are disabled. You can configure NetFlow flow sampling to use time-based sampling or packet-based sampling. With either the full-interface or destination-source-interface flow masks, you can enable or disable NetFlow Flow Sampling on each Layer 3 interface. Packet-based NetFlow Flow Sampling Packet-based NetFlow flow sampling uses a sampling-rate in packets and an interval in milliseconds to select a subset (sample) of flows from the total number of flows processed by the router. The values for the sampling-rate are: 64, 128, 256, 512, 1024, 2048, 4096, 8192. The interval is a user-configurable value in the range 8000-16000 milliseconds. The default for the interval is 16000 milliseconds. The interval value replaces the aging schemes such as fast, normal, long aging for expiring flows from the cache. The command syntax for configuring packet-based NetFlow flow sampling is: mls sampling packet-based rate [interval]. Packet-based NetFlow flow sampling uses one of these two methods to select flows for sampling and export: •The number of packets in the expired flow exceeds the sampling rate: If in a interval of X - where X is a value in the range of 8000-16000 (inclusive), a flow has a greater number of packets than the value configured for the sampling-rate, the flow is sampled (selected) and then exported. •The number of packets in the expired flow is less than the sampling rate: If in a interval of X - where X is a value in the range of 8000-16000 (inclusive), a flow has a smaller number of packets than the value configured for the sampling-rate, the packet count for the flow is added to one of eight buckets based on the number of packets in the flow. The eight bucket sizes are 1/8th increments of the sampling rate. The packet count for a flow that contains a quantity of packets that is 0-1/8th of the sampling rate is assigned to the first bucket. The packet count for a flow that contains a quantity of packets that is 1/8th-2/8th of the sampling rate is assigned to the second bucket. And so on. When adding the packet count for a flow to a bucket causes the counter for the bucket to exceed the sampling rate, the last flow for which the counters were added to the bucket is sampled and exported. The bucket counter is changed to 0 and the process of increasing the bucket counter is started over. This method ensures that some flows for which the packet count never exceeds the sampling rate are selected for sampling and export. Time-based Netflow Flow Sampling Time-based Netflow flow sampling samples flows created in the first sampling time (in milliseconds) of the export interval time (in milliseconds). Each of the sampling rates that you can configure with the mls sampling time-based rate command has fixed values for the sampling time and export interval used by time-based NetFlow flow sampling. For example: •If you configure a sampling rate of 64, NefFlow flow sampling selects flows created within the first 64 milliseconds (sampling time) of every 4096 millisecond export interval. •If you configure a sampling rate of 2048, NefFlow flow sampling selects flows created within the first 4 milliseconds (sampling time) of every 8192 millisecond export interval. Table 64-5 lists the sampling rates and export intervals for time-based NetFlow flow sampling.
Table 64-6 shows the default NDE configuration.
When configuring NDE, follow these guidelines and restrictions: •You must enable NetFlow on the PFC to export data for packets forwarded in hardware. •When you configure NAT and NDE on an interface, the PFC sends all fragmented packets to the RP to be processed in software. (CSCdz51590) •NDE supports IP multicast traffic only with NetFlow version 9. •NetFlow aggregation must use NDE version 8 or version 9. •Except in PFC3A mode, NDE supports bridged IP traffic. PFC3A mode does not support NDE for bridged IP traffic. •NDE does not support Internetwork Packet Exchange (IPX) traffic or any other non-IP protocol. The following IPv4 Netflow and NDE options are not available for IPv6 flows: •Aggregation support (ip flow-aggregation cache command) •Export of Layer 2 switched IPv6 flows •Netflow and NDE sampling •NDE filter support These sections describe how to configure NDE: •Configuring NDE on the PFC •Configuring NDE on the RP •Enabling NDE for Ingress-Bridged IP Traffic •Displaying the NDE Address and Port Configuration •Configuring NDE Flow Filters •Displaying the NDE Configuration These sections describe how to configure NDE on the PFC: •Enabling NDE From the PFC •Populating Additional NDE Fields •Configuring NetFlow Flow Sampling To enable NDE from the PFC, perform this task:
Note•NDE from the PFC uses the source interface configured for the RP (see the "Configuring the RP NDE Source Layer 3 Interface" section). •NetFlow version 9 is described at this URL: http://www.cisco.com/en/US/docs/ios-xml/ios/netflow/configuration/12-2sx/cfg-nflow-data-expt.html This example shows how to enable NDE from the PFC: This example shows how to enable NDE from the PFC and configure NDE version 5: You can configure NDE to populate the following additional fields in the NDE packets: •IP address of the next hop router •Egress interface SNMP ifIndex •BGP AS Not all of the additional fields are populated with all flow masks. See the "NDE Versions" section for additional information. To populate the additional fields in NDE packets, perform this task:
This example shows how to populate the additional fields in NDE packets: These sections describe how to configure NetFlow flow sampling on the PFC: •Configuring NetFlow Flow Sampling Globally •Configuring NetFlow Flow Sampling on a Layer 3 Interface To configure NetFlow flow sampling globally, perform this task:
When you configure NetFlow flow sampling globally, note the following information: •The valid values for rate are 64, 128, 256, 512, 1024, 2048, 4096, and 8192. •The valid values for the packet-based export interval are from 8,000 through 16,000. •To export any data, you must also configure NetFlow flow sampling on a Layer 3 interface. Note•With the full-interface or destination-source-interface flow masks, you can enable or disable NetFlow flow sampling on individual Layer 3 interfaces. With all other flow masks, NetFlow flow sampling is enabled or disabled globally. •The Layer 3 interface must be configured with an IP address. To configure NetFlow flow sampling on a Layer 3 interface, perform this task:
This example shows how to enable NetFlow flow sampling on Fast Ethernet port 5/12: These sections describe how to configure NDE on the RP: •Configuring the RP NDE Source Layer 3 Interface •Configuring the NDE Destination •Configuring NetFlow Sampling To configure the Layer 3 interface used as the source of the NDE packets containing statistics from the RP, perform this task:
When configuring the RP NDE source Layer 3 interface, note the following information: •You must select an interface configured with an IP address. •You can use a loopback interface. This example shows how to configure a loopback interface as the NDE flow source: To configure the destination IP address and UDP port to receive the NDE statistics, perform this task:
Note NetFlow Multiple Export Destinations—To configure redundant NDE data streams, which improves the probability of receiving complete NetFlow data, you can enter the ip flow-export destination command twice and configure a different destination IP address in each command. Configuring two destinations increases the RP CPU utilization, as you are exporting the data records twice. This example shows how to configure the NDE flow destination IP address and UDP port: Note The destination address and UDP port number are saved in NVRAM and are preserved if NDE is disabled and reenabled or if the switch is power cycled. If you are using the NetFlow FlowCollector application for data collection, verify that the UDP port number you configure is the same port number shown in the FlowCollector's /opt/csconfc/config/nfconfig.file file. The RP supports NetFlow sampling for software-routed traffic. For additional information, see the Cisco IOS NetFlow Configuration Guide. Except in PFC3A mode, NDE supports ingress-bridged IP traffic. PFC3A mode does not support NDE for bridged IP traffic. NDE is enabled by default when you enable NetFlow on the VLAN. For additional information, see "Configuring NetFlow on Layer 3 Interfaces" section. To disable NDE for ingress-bridged IP traffic in VLANs, perform this task:
This example shows how to enable NDE for ingress bridged IP traffic in VLAN 200: To display the NDE address and port configuration, perform these tasks:
This example shows how to display the NDE export flow source IP address and UDP port configuration: This example shows how to display the NDE export flow IP address, UDP port, and the NDE source interface configuration: These sections describe NDE flow filters: •NDE Flow Filter Overview •Configuring a Port Flow Filter •Configuring a Host and Port Filter •Configuring a Host Flow Filter •Configuring a Protocol Flow Filter By default, all expired flows are exported until you configure a filter. After you configure a filter, only expired and purged flows matching the specified filter criteria are exported. Filter values are stored in NVRAM and are not cleared when NDE is disabled. To display the configuration of the NDE flow filters you configure, use the show mls nde command described in the "Displaying the NDE Configuration" section. To configure a destination or source port flow filter, perform this task:
This example shows how to configure a port flow filter so that only expired flows to destination port 23 are exported (assuming the flow mask is set to full): To configure a host and TCP/UDP port flow filter, perform this task:
This example shows how to configure a source host and destination TCP/UDP port flow filter so that only expired flows from host 171.69.194.140 to destination port 23 are exported (assuming the flow mask is set to ip-flow): To configure a destination or source host flow filter, perform this task:
This example shows how to configure a host flow filter to export only flows to destination host 172.20.52.37: To configure a protocol flow filter, perform this task:
This example shows how to configure a TCP protocol flow filter so that only expired flows from destination port 35 are exported: To display the status of the NDE flow filters, use the show mls nde command described in the "Displaying the NDE Configuration" section. To display the NDE configuration, perform this task:
This example shows how to display the NDE configuration: Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 12 This chapter describes how to configure the SNMP ifIndex persistence feature in Cisco IOS Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter consists of these sections: •Understanding SNMP IfIndex Persistence •Configuring SNMP IfIndex Persistence The SNMP ifIndex persistence feature provides an interface index (ifIndex) value that is retained and used when the switch reboots. The ifIndex value is a unique identifying number associated with a physical or logical interface. There is no requirement in the relevant RFCs that the correspondence between particular ifIndex values and their interfaces be maintained when the switch reboots, but many applications (for example, device inventory, billing, and fault detection) require maintenance of this correspondence. You can poll the switch at regular intervals to correlate the interfaces to the ifIndexes, but it is not practical to poll constantly. The SNMP ifIndex persistence feature provides permanent ifIndex values, which eliminates the need to poll interfaces. The following definitions are based on RFC 2233, "The Interfaces Group MIB using SMIv2." The following terms are values in the Interfaces MIB (IF-MIB): •ifIndex —A unique number (greater than zero) that identifies each interface for SNMP identification of that interface. •ifName—The text-based name of the interface, for example, "ethernet 3/1." •ifDescr—A description of the interface. Recommended information for this description includes the name of the manufacturer, the product name, and the version of the interface hardware and software. These sections describe how to configure SNMP ifIndex persistence: •Enabling SNMP IfIndex Persistence Globally (Optional) •Enabling and Disabling SNMP IfIndex Persistence on Specific Interfaces (Optional) Note To verify that ifIndex commands have been configured, use the more system:running-config command. SNMP ifIndex persistence is disabled by default. To globally enableSNMP ifIndex persistence, perform this task:
In the following example, SNMP ifIndex persistence is enabled for all interfaces: To globally disable SNMP ifIndex persistence after enabling it, perform this task:
In the following example, SNMP ifIndex persistence is disabled for all interfaces: To enable SNMP ifIndex persistence only on a specific interface, perform this task:
Note The [no] snmp ifindex persistence interface command cannot be used on subinterfaces. A command applied to an interface is automatically applied to all the subinterfaces associated with that interface. In the following example, SNMP ifIndex persistence is enabled for Ethernet interface 3/1 only: In the following example, SNMP ifIndex persistence is disabled for Ethernet interface 3/1 only: To clear the interface-specific SNMP ifIndex persistence setting and configure the interface to use the global configuration setting, perform this task:
In the following example, any previous setting for SNMP ifIndex persistence on Ethernet interface 3/1 is removed from the configuration. If SNMP ifIndex persistence is globally enabled, SNMP ifIndex persistence will be enabled for Ethernet interface 3/1. If SNMP ifIndex persistence is globally disabled, SNMP ifIndex persistence will be disabled for Ethernet interface 3/1. Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 13 This chapter consists of these sections: •Supervisor Engine Memory Devices and Ports •User Interfaces •Module Status Monitoring •Software Features Supported in Hardware by the PFC and DFC Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum For complete information about the chassis, modules, and software features supported by Cisco IOS Release 12.2SX, see the Release Notes for Cisco IOS Release 12.2SX: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html These sections describe the ports and flash memory devices on the supervisor engines: •Understanding Supervisor Engine 720-10GE Memory Devices and Ports •Understanding Supervisor Engine 720 Memory Devices and Ports •Understanding Supervisor Engine 32 Memory Devices and Ports •Understanding ME6500 Flash Memory Devices and Ports These sections describe the Supervisor Engine 720-10GE memory devices and ports: •Supervisor Engine 720-10GE Flash Memory Devices •Supervisor Engine 720-10GE Ports The Supervisor Engine 720-10GE has these flash memory devices: •disk0: (active) and slavedisk0: (standby): –External CompactFlash Type II slots –For CompactFlash Type II flash PC cards sold by Cisco Systems, Inc. •sup-bootdisk: (active) and slavesup-bootdisk: (standby): –Switch processor (SP) 1-GB internal CompactFlash flash memory –From SP ROMMON, it is bootdisk: –Not accessible from route processor (RP) ROMMON •bootflash: (active) and slave-bootflash: (standby): –RP 64-MB internal flash memory –Not accessible from SP ROMMON The Supervisor Engine 720-10GE has these ports: •Console port—EIA/TIA-232 (RS-232) port •Ports 1 and 2 –Gigabit Ethernet SFP (fiber or 10/100/1000 Mbps RJ-45) –Fast Ethernet SFP •Port 3—10/100/1000 Mbps RJ-45 •Ports 4 and 5—10-Gigabit Ethernet X2 Note The 1-Gigabit Ethernet ports and the 10-Gigabit Ethernet ports have the same QoS port architecture (2q4t/1p3q4t) unless you disable the 1-Gigabit Ethernet ports with the mls qos 10g-only global configuration command. With the 1-Gigabit Ethernet ports disabled, the QoS port architecture of the 10-Gigabit Ethernet ports is 8q4t/1p7q4t. See the "Configuring Optional Interface Features" section for information about configuring the ports. These sections describe the Supervisor Engine 720 memory devices and ports: •Supervisor Engine 720 Flash Memory Devices •Configuring Supervisor Engine 720 Ports The Supervisor Engine 720 has these flash memory devices: •disk0: and disk1: (active) and slavedisk0: and slavedisk1: (standby): –External CompactFlash Type II slots –For CompactFlash Type II flash PC cards sold by Cisco Systems, Inc. •sup-bootflash: (active) and slavesup-bootflash: (standby): –Switch processor (SP) 64-MB internal flash memory –From SP ROMMON, it is bootflash: –Not accessible from route processor (RP) ROMMON •With WS-CF-UPG=, sup-bootdisk: (active) and slavesup-bootflash: (standby): –SP 512-MB internal CompactFlash flash memory –From SP ROMMON, it is bootdisk: –Not accessible from RP ROMMON –See this publication for more information: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_17277.html •bootflash: (active) and slave-bootflash: (standby): –RP 64-MB internal flash memory –Not accessible from SP ROMMON The Supervisor Engine 720 has these ports: •Port 1—Small form-factor pluggable (SFP); no unique configuration options. •Port 2— RJ-45 connector and an SFP connector (default). To use the RJ-45 connector, you must change the configuration. To configure port 2 on a Supervisor Engine 720 to use either the RJ-45 connector or the SFP connector, perform this task:
This example shows how to configure port 2 on a Supervisor Engine 720 in slot 5 to use the RJ-45 connector: See the "Configuring Optional Interface Features" section for more information about configuring the ports. These sections describe the Supervisor Engine 32 memory devices and ports: •Supervisor Engine 32 Flash Memory Devices •Supervisor Engine 32 Ports Note Supervisor Engine 32 does not support switch fabric connectivity. The Supervisor Engine 32 has these flash memory devices: •disk0: (active) and slavedisk0: (standby): –External CompactFlash Type II slots –For CompactFlash Type II flash PC cards sold by Cisco Systems, Inc. •sup-bootdisk: (active) and slavesup-bootflash: (standby): –Switch processor (SP) 256-MB internal CompactFlash flash memory –From SP ROMMON, it is bootdisk: –Not accessible from route processor (RP) ROMMON •bootflash: (active) and slave-bootflash: (standby): –RP 64-MB internal flash memory –Not accessible from SP ROMMON The Supervisor Engine 32 has these ports: •Console port—EIA/TIA-232 (RS-232) port •Two Universal Serial Bus (USB) 2.0 ports—Not currently enabled •WS-SUP32-GE-3B: –Ports 1 through 8—Small form-factor pluggable (SFP) –Port 9—10/100/1000 Mbps RJ-45 •WS-SUP32-10GE: –Ports 1 and 2—10-Gigabit Ethernet XENPAK –Port 3—10/100/1000 Mbps RJ-45 See the "Configuring Optional Interface Features" section for information about configuring the ports. These sections describe the Cisco ME6500 series Ethernet switch memory devices and ports: •ME6500 Flash Memory Devices •ME6500 Ports The ME6500 has these flash memory devices: •disk0: –One external CompactFlash Type II slot –Supports CompactFlash Type II flash PC cards •sup-bootflash: –Switch processor (SP) 128 MB internal CompactFlash flash memory –From SP ROMMON, it is bootflash: –Not accessible from route processor (RP) ROMMON •bootflash: –RP 64-MB internal flash memory –Not accessible from SP ROMMON The ME6500 has these ports: •ME-C6524GS-8S and ME-C6524GT-8S –Ports 25-32: Gigabit Ethernet SFP –Requires Gigabit Ethernet SFPs •ME-C6524GS-8S –Ports 1-24: Gigabit Ethernet SFP –Requires Gigabit Ethernet SFPs •ME-C6524GT-8S—Ports 1-24: 10/100/1000 Mbps RJ-45 Ethernet ports Release 12.2SX supports configuration using the following interfaces: •CLI—See Chapter 2 "Command-Line Interfaces." •SNMP—See the Release 12.2 IOS Configuration Fundamentals Configuration Guide and Command Reference at this URL: http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/ffun_c.html •Cisco IOS web browser interface—See "Using the Cisco Web Browser" in the IOS Configuration Fundamentals Configuration Guide at this URL: http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf005.html The supervisor engine polls the installed modules with Switch Communication Protocol (SCP) messages to monitor module status. The SCP sends a message every two seconds to each module. Module nonresponse after 3 messages (6 seconds) is classified as a failure. CPU_MONITOR system messages are sent every 30 seconds. After 25 sequential failures (150 seconds), the supervisor engine power cycles the module and sends a CPU_MONITOR TIMED_OUT system message and OIR PWRCYCLE system messages. The PFC3 and DFC3 provide hardware support for these Cisco IOS software features: •Access Control Lists (ACLs) for Layer 3 ports and VLAN interfaces: –Permit and deny actions of input and output standard and extended ACLs Note Flows that require ACL logging are processed in software on the route processor (RP). –Except on MPLS interfaces, reflexive ACL flows after the first packet in a session is processed in software on the RP –Dynamic ACL flows Note Idle timeout is processed in software on the RP. For more information about PFC and DFC support for ACLs, see Chapter 49 "Understanding Cisco IOS ACL Support." For complete information about configuring ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2, "Traffic Filtering and Firewalls," at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfacls.html •Bidirectional Protocol Independent Multicast (PIM) in hardware—See "Understanding IPv4 Bidirectional PIM" section. •IPv4 Multicast over point-to-point generic route encapsulation (GRE) Tunnels—See the publication at this URL: http://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.html •Multiple-path Unicast Reverse Path Forwarding (RPF) Check—To configure Unicast RPF Check, see the "Configuring Unicast Reverse Path Forwarding Check" section. •Except on MPLS interfaces, Network Address Translation (NAT) for IPv4 unicast and multicast traffic. Note the following information about hardware-assisted NAT: –NAT of UDP traffic is not supported in PFC3A mode. –The PFC3 does not support NAT of multicast traffic. –The PFC3 does not support NAT configured with a route-map that specifies length. –When you configure NAT and NDE on an interface, the PFC3 sends all traffic in fragmented packets to the RP to be processed in software. (CSCdz51590) To configure NAT, see the Cisco IOS IP Configuration Guide, Release 12.2, "IP Addressing and Services," "Configuring IP Addressing," "Configuring Network Address Translation," at this URL: http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfipadr.html To prevent a significant volume of NAT traffic from being sent to the RP, due to either a DoS attack or a misconfiguration, enter the mls rate-limit unicast acl {ingress | egress} command described at this URL: http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_m2.html#mls_rate-limit_unicast_acl (CSCea23296) •NetFlow Aggregation—See this URL: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/netflow.html#NetFlow_Aggregation •Policy-based routing (PBR) for route-map sequences that use the match ip address, set ip next-hop, and ip default next-hop PBR keywords. To configure PBR, see the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2, "Classification," "Configuring Policy-Based Routing," at this URL: http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html Note If the RP address falls within the range of a PBR ACL, traffic addressed to the RP is policy routed in hardware instead of being forwarded to the RP. To prevent policy routing of traffic addressed to the RP, configure PBR ACLs to deny traffic addressed to the RP. •Except on MPLS interfaces, TCP intercept—To configure TCP intercept, see the "Configuring TCP Intercept" section. Note The PFC3 does not provide hardware acceleration for tunnels configured with the tunnel key command. •GRE Tunneling and IP in IP Tunneling—The PFC3 and DFC3s support the following tunnel commands: –tunnel destination –tunnel mode gre –tunnel mode ipip –tunnel source –tunnel ttl –tunnel tos Other supported types of tunneling run in software on the RP. The tunnel ttl command (default 255) sets the TTL of encapsulated packets. The tunnel tos command, if present, sets the ToS byte of a packet when it is encapsulated. If the tunnel tos command is not present and QoS is not enabled, the ToS byte of a packet sets the ToS byte of the packet when it is encapsulated. If the tunnel tos command is not present and QoS is enabled, the ToS byte of a packet as modified by PFC QoS sets the ToS byte of the packet when it is encapsulated. To configure GRE Tunneling and IP in IP Tunneling, see these publications: http://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.html http://www.cisco.com/en/US/docs/ios/12_2/interface/command/reference/irfshoip.html To configure the tunnel tos and tunnel ttl commands, see this publication for more information: http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_tos.html Note the following information about tunnels: –Each hardware-assisted tunnel must have a unique source. Hardware-assisted tunnels cannot share a source even if the destinations are different. Use secondary addresses on loopback interfaces or create multiple loopback interfaces. Failure to use unique source addresses may result in control plane failures when software path congestion occurs. (CSCdy72539) –Each tunnel interface uses one internal VLAN. –Each tunnel interface uses one additional router MAC address entry per router MAC address. –The PFC3A does not support any PFC QoS features on tunnel interfaces. –Other PFC versions support PFC QoS features on tunnel interfaces. –The RP supports tunnels configured with egress features on the tunnel interface. Examples of egress features are output Cisco IOS ACLs, NAT (for inside to outside translation), TCP intercept, and encryption. •VLAN ACLs (VACLs)—To configure VACLs, see Chapter 51 "Configuring Port ACLs and VLAN ACLs." Page 14 This chapter describes how to configure interfaces in Cisco IOS Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see these publications: •The Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html •The Release 12.2 publications at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuration_guides_list.html Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter consists of these sections: •Understanding Interface Configuration •Using the Interface Command •Configuring a Range of Interfaces •Defining and Using Interface-Range Macros •Configuring Optional Interface Features •Understanding Online Insertion and Removal •Monitoring and Maintaining Interfaces •Checking the Cable Status Using the TDR Many features in the software are enabled on a per-interface basis. When you enter the interface command, you must specify the following information: •Interface type: –Fast Ethernet (use the fastethernet keyword) –Gigabit Ethernet (use the gigabitethernet keyword) –10-Gigabit Ethernet (use the tengigabitethernet keyword) Note For WAN interfaces, see the configuration note for the WAN module. •Slot number—The slot in which the module is installed. On switches supported by Cisco IOS Release 12.2SX, slots are numbered starting with 1 from top to bottom. •Port number—The physical port number on the module. On switches supported by Cisco IOS Release 12.2SX, the port numbers always begin with 1. When facing the rear of the switch, ports are numbered from the left to the right. You can identify ports from the physical location. You also can use show commands to display information about a specific port, or all the ports. Note You use the commands described in this section to configure both physical ports and logical interfaces. These procedures apply to all interface configuration processes. Begin the interface configuration process in global configuration mode. To use the interface command, follow these steps: Step 1 Enter the configure terminal command at the privileged EXEC prompt to enter global configuration mode: Step 2 In the global configuration mode, enter the interfaces command. Identify the interface type and the number of the connector or interface card. The following example shows how to select Fast Ethernet, slot 5, interface 1: Step 3 Enter the show interfaces EXEC command to see a list of all interfaces that are installed. A report is provided for each interface that the device supports, as shown in this display: Step 4 Enter the show hardware EXEC command to see a list of the system software and hardware: Step 5 To begin configuring Fast Ethernet port 5/5, enter the interface keyword, interface type, and slot number/port number at the privileged EXEC prompt, as shown in the following example: Note You do not need to add a space between the interface type and interface number. For example, in the preceding line you can specify either fastethernet 5/5 or fastethernet5/5. Step 6 After each interface command, enter the interface configuration commands your particular interface requires. The commands you enter define the protocols and applications that will run on the interface. The commands are collected and applied to the interface command until you enter another interface command or press Ctrl-Z to get out of interface configuration mode and return to privileged EXEC mode. Step 7 After you configure an interface, check its status by using the EXEC show commands listed in "Monitoring and Maintaining Interfaces" section. The interface-range configuration mode allows you to configure multiple interfaces with the same configuration parameters. After you enter the interface-range configuration mode, all command parameters you enter are attributed to all interfaces within that range until you exit out of the interface-range configuration mode. To configure a range of interfaces with the same configuration, perform this task:
When configuring a range of interfaces, note the following information: •For information about macros, see the "Defining and Using Interface-Range Macros" section. •You can enter up to five comma-separated ranges. •You are not required to enter spaces before or after the comma. •You do not need to add a space between the interface numbers and the dash when using the interface range command. •The no interface range command supports VLAN interfaces. •The interface range command supports VLAN interfaces for which Layer 2 VLANs have not been created with the interface vlan command. Note The link state messages (LINK-3-UPDOWN and LINEPROTO-5-UPDOWN) are disabled by default. Enter the logging event link status command on each interface where you want the messages enabled. This example shows how to reenable all Fast Ethernet ports 5/1 to 5/5: This example shows how to use a comma to add different interface type strings to the range to reenable all Fast Ethernet ports in the range 5/1 to 5/5 and both Gigabit Ethernet ports (1/1 and 1/2): If you enter multiple configuration commands while you are in interface-range configuration mode, each command is executed as it is entered (they are not batched together and executed after you exit interface-range configuration mode). If you exit interface-range configuration mode while the commands are being executed, some commands may not be executed on all interfaces in the range. Wait until the command prompt reappears before exiting interface-range configuration mode. You can define an interface-range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro command string, you must define the macro. To define an interface-range macro, perform this task:
This example shows how to define an interface-range macro named enet_list to select Fast Ethernet ports 5/1 through 5/4: To show the defined interface-range macro configuration, perform this task:
This example shows how to display the defined interface-range macro named enet_list: To use an interface-range macro in the interface range command, perform this task:
This example shows how to change to the interface-range configuration mode using the interface-range macro enet_list: These sections describe optional interface features: •Configuring Ethernet Interface Speed and Duplex Mode •Configuring Jumbo Frame Support •Configuring IEEE 802.3x Flow Control •Configuring the Port Debounce Timer •Adding a Description for an Interface These sections describe how to configure Ethernet port speed and duplex mode: •Speed and Duplex Mode Configuration Guidelines •Configuring the Ethernet Interface Speed •Setting the Interface Duplex Mode •Configuring Link Negotiation on Gigabit Ethernet Ports •Displaying the Speed and Duplex Mode Configuration You usually configure Ethernet port speed and duplex mode parameters to auto and allow ports to negotiate the speed and duplex mode. If you decide to configure the port speed and duplex modes manually, consider the following information: •You cannot set the Ethernet port speed to auto (the no speed command) if the duplex mode in not set to auto (the no duplex command). •If you configure an Ethernet port speed to a value other than auto (for example, 10, 100, or 1000 Mbps), configure the connecting port to match. Do not configure the connecting port to negotiate the speed. •If you manually configure the Ethernet port speed to either 10 Mbps or 100 Mbps, the switch prompts you to also configure the duplex mode on the port. Note A LAN port cannot automatically negotiate Ethernet port speed and duplex mode if the connecting port is configured to a value other than auto. Note If you configure the Ethernet port speed to auto on a 10/100-Mbps or 10/100/1000-Mbps Ethernet port, both speed and duplex are autonegotiated. 10-Gigabit Ethernet ports do not support autonegotiation. To configure the port speed for a 10/100 or a 10/100/1000-Mbps Ethernet port, perform this task:
When configuring the port speed for a 10/100/1000-Mbps Ethernet port, note the following: •Enter the auto 10 100 keywords to restrict the negotiated speed to 10-Mbps or 100-Mbps. •The auto 10 100 1000 keywords have the same effect as the auto keyword by itself. This example shows how to configure the speed to 100 Mbps on the Fast Ethernet port 5/4: Note•10-Gigabit Ethernet and Gigabit Ethernet are full duplex only. You cannot change the duplex mode on 10-Gigabit Ethernet or Gigabit Ethernet ports or on a 10/100/1000-Mps port configured for Gigabit Ethernet. •If you set the port speed to auto on a 10/100-Mbps or a 10/100/1000-Mbps Ethernet port, both speed and duplex are autonegotiated. You cannot change the duplex mode of autonegotiation ports. To set the duplex mode of an Ethernet or Fast Ethernet port, perform this task:
This example shows how to set the duplex mode to full on Fast Ethernet port 5/4: Note Link negotiation does not negotiate port speed. On Gigabit Ethernet ports, link negotiation exchanges flow-control parameters, remote fault information, and duplex information. Link negotiation is enabled by default. The ports on both ends of a link must have the same setting. The link will not come up if the ports at each end of the link are set inconsistently (link negotiation enabled on one port and disabled on the other port). Table 8-1 shows the four possible link negotiation configurations and the resulting link status for each configuration.
To configure link negotiation on a port, perform this task:
This example shows how to enable link negotiation on Gigabit Ethernet port 5/4: To display the speed and duplex mode configuration for a port, perform this task:
This example shows how to display the speed and duplex mode of Fast Ethernet port 5/4: This example shows how to display the speed and duplex autonegotiation status for Gigabit Ethernet port 3/1: These sections describe jumbo frame support: •Understanding Jumbo Frame Support •Configuring MTU Sizes · WS-X6516-GE-TX when operating at 100 Mbps · WS-X6148-RJ-45, WS-X6148-RJ-45V and WS-X6148-RJ21, WS-X6148-RJ21V · WS-X6248-RJ-45 and WS-X6248-TEL · WS-X6248A-RJ-45 and WS-X6248A-TEL · WS-X6348-RJ-45, WS-X6348-RJ45V and WS-X6348-RJ-21, WX-X6348-RJ21V Note The WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6148-GE-TX, and WS-X6148V-GE-TX do not support jumbo frames. These sections describe jumbo frame support: •Jumbo Frame Support Overview •Ethernet Ports •VLAN Interfaces A jumbo frame is a frame larger than the default Ethernet size. You enable jumbo frame support by configuring a larger-than-default maximum transmission unit (MTU) size on a port or VLAN interface and configuring the global LAN port MTU size. Note•Jumbo frame support fragments routed traffic in software on the route processor (RP). •Jumbo frame support does not fragment bridged traffic. Bridged and Routed Traffic Size Check at Ingress 10, 10/100, and 100 Mbps Ethernet and 10-Gigabit Ethernet Ports Jumbo frame support compares ingress traffic size with the global LAN port MTU size at ingress 10, 10/100, and 100 Mbps Ethernet and 10-Gigabit Ethernet LAN ports that have a nondefault MTU size configured. The port drops traffic that is oversized. You can configure the global LAN port MTU size (see the "Configuring the Global Egress LAN Port MTU Size" section). Bridged and Routed Traffic Size Check at Ingress Gigabit Ethernet Ports Gigabit Ethernet LAN ports configured with a nondefault MTU size accept frames containing packets of any size larger than 64 bytes. With a nondefault MTU size configured, Gigabit Ethernet LAN ports do not check for oversize ingress frames. Routed Traffic Size Check on the PFC For traffic that needs to be routed, Jumbo frame support on the PFC compares traffic sizes to the configured MTU sizes and provides Layer 3 switching for jumbo traffic between interfaces configured with MTU sizes large enough to accommodate the traffic. Between interfaces that are not configured with large enough MTU sizes, if the "do not fragment bit" is not set, the PFC sends the traffic to the RP to be fragmented and routed in software. If the "do not fragment bit" is set, the PFC drops the traffic. Bridged and Routed Traffic Size Check at Egress 10, 10/100, and 100 Mbps Ethernet Ports 10, 10/100, and 100 Mbps Ethernet LAN ports configured with a nondefault MTU size transmit frames containing packets of any size larger than 64 bytes. With a nondefault MTU size configured, 10, 10/100, and 100 Mbps Ethernet LAN ports do not check for oversize egress frames. Bridged and Routed Traffic Size Check at Egress Gigabit Ethernet and 10-Gigabit Ethernet Ports Jumbo frame support compares egress traffic size with the global egress LAN port MTU size at egress Gigabit Ethernet and 10-Gigabit Ethernet LAN ports that have a nondefault MTU size configured. The port drops traffic that is oversized. You can configure the global LAN port MTU size (see the "Configuring the Global Egress LAN Port MTU Size" section). These sections describe configuring nondefault MTU sizes on Ethernet ports: •Ethernet Port Overview •Layer 3 Ethernet Ports •Layer 2 Ethernet Ports Ethernet Port Overview Configuring a nondefault MTU size on a 10, 10/100, or 100 Mbps Ethernet port limits ingress packets to the global LAN port MTU size and permits egress traffic of any size larger than 64 bytes. Configuring a nondefault MTU size on a Gigabit Ethernet port permits ingress packets of any size larger than 64 bytes and limits egress traffic to the global LAN port MTU size. Configuring a nondefault MTU size on a 10-Gigabit Ethernet port limits ingress and egress packets to the global LAN port MTU size. Configuring a nondefault MTU size on an Ethernet port limits routed traffic to the configured MTU size. You can configure the MTU size on any Ethernet port. Layer 3 Ethernet Ports On a Layer 3 port, you can configure an MTU size on each Layer 3 Ethernet port that is different than the global LAN port MTU size. Note Traffic through a Layer 3 Ethernet LAN port that is configured with a nondefault MTU size is also subject to the global LAN port MTU size (see the "Configuring the Global Egress LAN Port MTU Size" section). Layer 2 Ethernet Ports On a Layer 2 port, you can only configure an MTU size that matches the global LAN port MTU size (see the "Configuring the Global Egress LAN Port MTU Size" section). You can configure a different MTU size on each Layer 3 VLAN interface. Configuring a nondefault MTU size on a VLAN interface limits traffic to the nondefault MTU size. You can configure the MTU size on VLAN interfaces to support jumbo frames. These sections describe how to configure MTU sizes: •Configuring MTU Sizes •Configuring the Global Egress LAN Port MTU Size To configure the MTU size, perform this task:
When configuring the MTU size, note the following information: •For VLAN interfaces and Layer 3 Ethernet ports, supported MTU values are from 64 to 9216 bytes. •For Layer 2 Ethernet ports, you can configure only the global egress LAN port MTU size (see the "Configuring the Global Egress LAN Port MTU Size" section). This example shows how to configure the MTU size on Gigabit Ethernet port 1/2: This example shows how to verify the configuration: To configure the global egress LAN port MTU size, perform this task:
Gigabit Ethernet and 10-Gigabit Ethernet ports use flow control to stop the transmission of frames to the port for a specified time; other Ethernet ports use flow control to respond to flow-control requests. If a Gigabit Ethernet or 10-Gigabit Ethernet port receive buffer becomes full, the port can be configured to transmit an IEEE 802.3x pause frame that requests the remote port to delay sending frames for a specified time. All Ethernet ports can can be configured to respond to IEEE 802.3x pause frames from other devices. To configure flow control on an Ethernet port, perform this task:
When configuring flow control, note the following information: •Because auto negotiation does not work on 10 Gigbit Ethernet fiber optic ports, they respond to pause frames by default. On 10 Gigbit Ethernet fiber optic ports, the flow-control operational mode is always the same as administrative mode. •You cannot configure how WS-X6502-10GE 10-Gigabit Ethernet ports respond to pause frames. WS-X6502-10GE 10-Gigabit Ethernet ports are permanently configured to respond to pause frames. •When configuring how a port responds to pause frames, note the following information: –For a Gigabit Ethernet port, when the configuration of a remote port is unknown, you can use the receive desired keywords to configure the Gigabit Ethernet port to respond to received pause frames. (Supported only on Gigabit Ethernet ports.) –Use the receive on keywords to configure a port to respond to received pause frames. –Use the receive off keywords to configure a port to ignore received pause frames. •When configuring transmission of pause frames on a port, note the following information: –For a Gigabit Ethernet port, when the configuration of the remote ports is unknown, you can use the send desired keywords to configure the Gigabit Ethernet port to send pause frames. (Supported only on Gigabit Ethernet ports.) –Use the send on keywords to configure a port to send pause frames. –Use the send off keywords to configure a port not to send pause frames. This example shows how to turn on receive flow control and how to verify the flow-control configuration: The port debounce timer delays notification of a link change. Delayed notification of a link changecan decrease traffic loss due to network reconfiguration. If the status of a link changes quickly from up to down and then back to up, the port debounce timer suppresses the link status notification. If the link transitions from up to down, but does not come back up, the port debounce timer delays the link status notification. Delayed link status notification allows a quick port status change and recovery to occur without triggering any of the changes that are necessary when a port stays down. The normal operation of DWDM links sometimes includes quick port status changes and recoveries. Delayed link status notification can also be used to mitigate link flaps because of bad cabling. You can configure the port debounce timer separately on each LAN port. To configure the debounce timer on a port, perform this task:
When configuring the debounce timer on a port, note the following information: •The time keyword is supported only on fiber Gigabit Ethernet ports. With the time keyword, you can increase the port debounce timer value in increments of 100 milliseconds up to 5000 milliseconds on ports operating at 1000 Mpbs over copper media. •The debounce timer recognizes 10-Gbps copper media and detects media-only changes. Table 8-2 lists the time delay that occurs before notification of a link change.
This example shows how to enable the port debounce timer on Fast Ethernet port 5/12: This example shows how to display the port debounce timer settings: You can add a description about an interface to help you remember its function. The description appears in the output of the following commands: show configuration, show running-config, and show interfaces. To add a description for an interface, perform this task:
This example shows how to add a description on Fast Ethernet port 5/5: The online insertion and removal (OIR) feature supported on the Catalyst 6500 series switches allows you to remove and replace modules while the system is online. You can shut down the modules before removal and restart it after insertion without causing other software or interfaces to shut down. Note Do not remove or install more than one module at a time. After you remove or install a module, check the LEDs before continuing. For module LED descriptions, see the Catalyst 6500 Series Switch Installation Guide. When a module has been removed or installed, the Catalyst 6500 series switch stops processing traffic for the module and scans the system for a configuration change. Each interface type is verified against the system configuration, and then the system runs diagnostics on the new module. There is no disruption to normal operation during module insertion or removal. The switch can bring only an identical replacement module online. To support OIR of an identical module, the module configuration is not removed from the running-config file when you remove a module. If the replacement module is different from the removed module, you must configure it before the switch can bring it online. Layer 2 MAC addresses are stored in an EEPROM, which allows modules to be replaced online without requiring the system to update switching tables and data structures. Regardless of the types of modules installed, the Layer 2 MAC addresses do not change unless you replace the supervisor engine. If you do replace the supervisor engine, the Layer 2 MAC addresses of all ports change to those specified in the address allocator on the new supervisor engine. You can perform the tasks in the following sections to monitor and maintain interfaces: •Monitoring Interface Status •Clearing Counters on an Interface •Resetting an Interface •Shutting Down and Restarting an Interface The software contains commands that you can enter at the EXEC prompt to display information about the interface including the version of the software and the hardware and statistics about interfaces. The following table lists some of the interface monitoring commands. (You can display the complete list of show commands by using the show ? command at the EXEC prompt.) These commands are described in the Cisco IOS Interface Command Reference publication. To display information about the interface, perform these tasks:
This example shows how to display the status of Fast Ethernet port 5/5: To clear the interface counters shown with the show interfaces command, perform this task:
This example shows how to clear and reset the counters on Fast Ethernet port 5/5: The clear counters command clears all the current counters from the interface unless the optional arguments specify a specific interface. Note The clear counters command clears counters displayed with the EXEC show interfaces command, not counters retrieved using SNMP. To reset an interface, perform this task:
This example shows how to reset Fast Ethernet port 5/5: You can shut down an interface, which disables all functions on the specified interface and shows the interface as unavailable on all monitoring command displays. This information is communicated to other network servers through all dynamic routing protocols. The interface is not included in any routing updates. To shut down an interface and then restart it, perform this task:
This example shows how to shut down Fast Ethernet port 5/5: This example shows how to reenable Fast Ethernet port 5/5: To check if an interface is disabled, enter the EXEC show interfaces command. An interface that has been shut down is shown as administratively down in the show interfaces command display. You can check the status of copper cables using the time domain reflectometer (TDR). The TDR detects a cable fault by sending a signal through the cable and reading the signal that is reflected back to it. All or part of the signal can be reflected back by any number of cable defects or by the end of the cable itself. Use the TDR to determine if the cabling is at fault if you cannot establish a link. This test is especially important when replacing an existing switch, upgrading to Gigabit Ethernet, or installing new cables. Note•TDR can test cables up to a maximum length of 115 meters. •For information about which modules support the TDR, see this document: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html •TDR results are not meaningful for a link that is operating successfully. •The port must be up before running the TDR test. If the port is down, you cannot enter the test cable-diagnostics tdr command successfully, and the following message is displayed: To start or stop the TDR test, perform this task:
This example shows how to run the TDR-cable diagnostics: Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 15 This chapter describes how to configure the Spanning Tree Protocol (STP) and Multiple Spanning Tree (MST) protocol in Cisco IOS Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter consists of these sections: •Understanding STP •Understanding IEEE 802.1w RSTP •Understanding MST •Configuring STP •Configuring MST •Displaying the MST Configuration and Status Note For information on configuring the PortFast, UplinkFast, and BackboneFast STP enhancements, see Chapter 29 "Configuring Optional STP Features." These sections describe how STP works: •STP Overview •Understanding the Bridge ID •Understanding Bridge Protocol Data Units •Election of the Root Bridge •STP Protocol Timers •Creating the Spanning Tree Topology •STP Port States •STP and IEEE 802.1Q Trunks STP, the IEEE 802.1D bridge protocol, is a Layer 2 link-management protocol that provides path redundancy while preventing undesirable loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations. STP operation is transparent to end stations, which cannot detect whether they are connected to a single LAN segment or a switched LAN of multiple segments. In an extension known as per-VLAN spanning tree (PVST), Layer 2 Ethernet ports can use STP on all VLANs. By default, a single instance of STP runs on each configured VLAN (provided you do not manually disable STP). You can enable and disable STP on a per-VLAN basis. When you create fault-tolerant internetworks, you must have a loop-free path between all nodes in a network. The STP algorithm calculates the best loop-free path throughout a switched Layer 2 network. Layer 2 LAN ports send and receive STP frames at regular intervals. Network devices do not forward these frames, but use the frames to construct a loop-free path. Multiple active paths between end stations cause loops in the network. If a loop exists in the network, end stations might receive duplicate messages and network devices might learn end station MAC addresses on multiple Layer 2 LAN ports. These conditions result in an unstable network. STP defines a tree with a root bridge and a loop-free path from the root to all network devices in the Layer 2 network. STP forces redundant data paths into a standby (blocked) state. If a network segment in the spanning tree fails and a redundant path exists, the STP algorithm recalculates the spanning tree topology and activates the standby path. When two Layer 2 LAN ports on a network device are part of a loop, the STP port priority and port path cost setting determine which port is put in the forwarding state and which port is put in the blocking state. The STP port priority value represents the location of a port in the network topology and how efficiently that location allows the port to pass traffic. The STP port path cost value represents media speed. Each VLAN on each network device has a unique 64-bit bridge ID consisting of a bridge priority value, an extended system ID, and an STP MAC address allocation. This section contains these topics: •Bridge Priority Value •Extended System ID •STP MAC Address Allocation The bridge priority is a 4-bit value when the extended system ID is enabled (see Table 28-1 and the "Configuring the Bridge Priority of a VLAN" section). A 12-bit extended system ID field is part of the bridge ID (see Table 28-1). Chassis that support only 64 MAC addresses always use the 12-bit extended system ID. On chassis that support 1024 MAC addresses, you can enable use of the extended system ID. STP uses the VLAN ID as the extended system ID. See the "Enabling the Extended System ID" section.
Catalyst 6500 series switch chassis have either 64 or 1024 MAC addresses available to support software features such as STP. To view the MAC address range on your chassis, enter the show catalyst6000 chassis-mac-address command. For chassis with 64 MAC addresses, STP uses the extended system ID plus a MAC address to make the bridge ID unique for each VLAN. When the extended system ID is not enabled, STP uses one MAC address per VLAN to make the bridge ID unique for each VLAN. If you have a network device in your network with the extended system ID enabled, you should also enable the extended system ID on all other Layer 2 connected network devices to avoid undesirable root bridge election and spanning tree topology issues. When the extended system ID is enabled, the root bridge priority becomes a multiple of 4096 plus the VLAN ID. With the extended system ID enabled, a switch bridge ID (used by the spanning tree algorithm to determine the identity of the root bridge, the lowest being preferred) can only be specified as a multiple of 4096. Only the following values are possible: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. If another bridge in the same spanning tree domain does not have the extended system ID enabled, it could win root bridge ownership because of the finer granularity in the selection of its bridge ID. Bridge protocol data units (BPDUs) are transmitted in one direction from the root bridge. Each network device sends configuration BPDUs to communicate and compute the spanning tree topology. Each configuration BPDU contains the following minimal information: •The unique bridge ID of the network device that the transmitting network device believes to be the root bridge •The STP path cost to the root •The bridge ID of the transmitting bridge •Message age •The identifier of the transmitting port •Values for the hello, forward delay, and max-age protocol timers When a network device transmits a BPDU frame, all network devices connected to the LAN on which the frame is transmitted receive the BPDU. When a network device receives a BPDU, it does not forward the frame but instead uses the information in the frame to calculate a BPDU, and, if the topology changes, initiate a BPDU transmission. A BPDU exchange results in the following: •One network device is elected as the root bridge. •The shortest distance to the root bridge is calculated for each network device based on the path cost. •A designated bridge for each LAN segment is selected. This is the network device closest to the root bridge through which frames are forwarded to the root. •A root port is selected. This is the port providing the best path from the bridge to the root bridge. •Ports included in the spanning tree are selected. For each VLAN, the network device with the highest-priority bridge ID (the lowest numerical ID value) is elected as the root bridge. If all network devices are configured with the default priority (32768), the network device with the lowest MAC address in the VLAN becomes the root bridge. The bridge priority value occupies the most significant bits of the bridge ID. When you change the bridge priority value, you change the probability that the switch will be elected as the root bridge. Configuring a higher-priority value increases the probability; a lower-priority value decreases the probability. The STP root bridge is the logical center of the spanning tree topology in a Layer 2 network. All paths that are not needed to reach the root bridge from anywhere in the Layer 2 network are placed in STP blocking mode. BPDUs contain information about the transmitting bridge and its ports, including bridge and MAC addresses, bridge priority, port priority, and path cost. STP uses this information to elect the root bridge for the Layer 2 network, to elect the root port leading to the root bridge, and to determine the designated port for each Layer 2 segment. Table 28-2 describes the STP protocol timers that affect STP performance.
In Figure 28-1, Switch A is elected as the root bridge because the bridge priority of all the network devices is set to the default (32768) and Switch A has the lowest MAC address. However, due to traffic patterns, number of forwarding ports, or link types, Switch A might not be the ideal root bridge. By increasing the priority (lowering the numerical value) of the ideal network device so that it becomes the root bridge, you force an STP recalculation to form a new spanning tree topology with the ideal network device as the root. Figure 28-1 Spanning Tree Topology When the spanning tree topology is calculated based on default parameters, the path between source and destination end stations in a switched network might not be ideal. For instance, connecting higher-speed links to a port that has a higher number than the current root port can cause a root-port change. The goal is to make the fastest link the root port. For example, assume that one port on Switch B is a fiber-optic link, and another port on Switch B (an unshielded twisted-pair [UTP] link) is the root port. Network traffic might be more efficient over the high-speed fiber-optic link. By changing the STP port priority on the fiber-optic port to a higher priority (lower numerical value) than the root port, the fiber-optic port becomes the new root port. These sections describe the STP port states: •STP Port State Overview •Blocking State •Listening State •Learning State •Forwarding State •Disabled State Propagation delays can occur when protocol information passes through a switched LAN. As a result, topology changes can take place at different times and at different places in a switched network. When a Layer 2 LAN port transitions directly from nonparticipation in the spanning tree topology to the forwarding state, it can create temporary data loops. Ports must wait for new topology information to propagate through the switched LAN before starting to forward frames. They must allow the frame lifetime to expire for frames that have been forwarded using the old topology. Each Layer 2 LAN port using STP exists in one of the following five states: •Blocking—The Layer 2 LAN port does not participate in frame forwarding. •Listening—First transitional state after the blocking state when STP determines that the Layer 2 LAN port should participate in frame forwarding. •Learning—The Layer 2 LAN port prepares to participate in frame forwarding. •Forwarding—The Layer 2 LAN port forwards frames. •Disabled—The Layer 2 LAN port does not participate in STP and is not forwarding frames. A Layer 2 LAN port moves through these five states as follows: •From initialization to blocking •From blocking to listening or to disabled •From listening to learning or to disabled •From learning to forwarding or to disabled •From forwarding to disabled Figure 28-2 illustrates how a Layer 2 LAN port moves through the five states. Figure 28-2 STP Layer 2 LAN Interface States When you enable STP, every port, VLAN, and network goes through the blocking state and the transitory states of listening and learning at power up. If properly configured, each Layer 2 LAN port stabilizes to the forwarding or blocking state. When the STP algorithm places a Layer 2 LAN port in the forwarding state, the following process occurs: 1. The Layer 2 LAN port is put into the listening state while it waits for protocol information that suggests it should go to the blocking state. 2. The Layer 2 LAN port waits for the forward delay timer to expire, moves the Layer 2 LAN port to the learning state, and resets the forward delay timer. 3. In the learning state, the Layer 2 LAN port continues to block frame forwarding as it learns end station location information for the forwarding database. 4. The Layer 2 LAN port waits for the forward delay timer to expire and then moves the Layer 2 LAN port to the forwarding state, where both learning and frame forwarding are enabled. A Layer 2 LAN port in the blocking state does not participate in frame forwarding, as shown in Figure 28-3. After initialization, a BPDU is sent out to each Layer 2 LAN port. A network device initially assumes it is the root until it exchanges BPDUs with other network devices. This exchange establishes which network device in the network is the root or root bridge. If only one network device is in the network, no exchange occurs, the forward delay timer expires, and the ports move to the listening state. A port always enters the blocking state following initialization. Figure 28-3 Interface 2 in Blocking State A Layer 2 LAN port in the blocking state performs as follows: •Discards frames received from the attached segment. •Discards frames switched from another port for forwarding. •Does not incorporate end station location into its address database. (There is no learning on a blocking Layer 2 LAN port, so there is no address database update.) •Receives BPDUs and directs them to the system module. •Does not transmit BPDUs received from the system module. •Receives and responds to network management messages. The listening state is the first transitional state a Layer 2 LAN port enters after the blocking state. The Layer 2 LAN port enters this state when STP determines that the Layer 2 LAN port should participate in frame forwarding. Figure 28-4 shows a Layer 2 LAN port in the listening state. Figure 28-4 Interface 2 in Listening State A Layer 2 LAN port in the listening state performs as follows: •Discards frames received from the attached segment. •Discards frames switched from another LAN port for forwarding. •Does not incorporate end station location into its address database. (There is no learning at this point, so there is no address database update.) •Receives BPDUs and directs them to the system module. •Receives, processes, and transmits BPDUs received from the system module. •Receives and responds to network management messages. A Layer 2 LAN port in the learning state prepares to participate in frame forwarding. The Layer 2 LAN port enters the learning state from the listening state. Figure 28-5 shows a Layer 2 LAN port in the learning state. Figure 28-5 Interface 2 in Learning State A Layer 2 LAN port in the learning state performs as follows: •Discards frames received from the attached segment. •Discards frames switched from another port for forwarding. •Incorporates end station location into its address database. •Receives BPDUs and directs them to the system module. •Receives, processes, and transmits BPDUs received from the system module. •Receives and responds to network management messages. A Layer 2 LAN port in the forwarding state forwards frames, as shown in Figure 28-6. The Layer 2 LAN port enters the forwarding state from the learning state. Figure 28-6 Interface 2 in Forwarding State A Layer 2 LAN port in the forwarding state performs as follows: •Forwards frames received from the attached segment. •Forwards frames switched from another port for forwarding. •Incorporates end station location information into its address database. •Receives BPDUs and directs them to the system module. •Processes BPDUs received from the system module. •Receives and responds to network management messages. A Layer 2 LAN port in the disabled state does not participate in frame forwarding or STP, as shown in Figure 28-7. A Layer 2 LAN port in the disabled state is virtually nonoperational. Figure 28-7 Interface 2 in Disabled State A disabled Layer 2 LAN port performs as follows: •Discards frames received from the attached segment. •Discards frames switched from another port for forwarding. •Does not incorporate end station location into its address database. (There is no learning, so there is no address database update.) •Does not receive BPDUs. •Does not receive BPDUs for transmission from the system module. 802.1Q trunks impose some limitations on the STP strategy for a network. In a network of Cisco network devices connected through 802.1Q trunks, the network devices maintain one instance of STP for each VLAN allowed on the trunks. However, non-Cisco 802.1Q network devices maintain only one instance of STP for all VLANs allowed on the trunks. When you connect a Cisco network device to a non-Cisco device through an 802.1Q trunk, the Cisco network device combines the STP instance of the 802.1Q VLAN of the trunk with the STP instance of the non-Cisco 802.1Q network device. However, all per-VLAN STP information is maintained by Cisco network devices separated by a cloud of non-Cisco 802.1Q network devices. The non-Cisco 802.1Q cloud separating the Cisco network devices is treated as a single trunk link between the network devices. Interoperability with non-Cisco 802.1Q network devices is an extension of PVST known as PVST+. For more information on 802.1Q trunks, see Chapter 17 "Configuring LAN Ports for Layer 2 Switching." The RSTP takes advantage of point-to-point wiring and provides rapid convergence of the spanning tree. Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with the default settings in the 802.1D spanning tree). These section describes how the RSTP works: •Port Roles and the Active Topology •Rapid Convergence •Synchronization of Port Roles •Bridge Protocol Data Unit Format and Processing •Topology Changes •Rapid-PVST The RSTP provides rapid convergence of the spanning tree by assigning port roles and by learning the active topology. The RSTP builds upon the 802.1D STP to select the switch with the highest switch priority (lowest numerical priority value) as the root bridge as described in the "Election of the Root Bridge" section. The RSTP then assigns one of these port roles to individual ports: •Root port—Provides the best path (lowest cost) when the switch forwards packets to the root bridge. •Designated port—Connects to the designated switch, which incurs the lowest path cost when forwarding packets from that LAN to the root bridge. The port through which the designated switch is attached to the LAN is called the designated port. •Alternate port—Offers an alternate path toward the root bridge to that provided by the current root port. •Backup port—Acts as a backup for the path provided by a designated port toward the leaves of the spanning tree. A backup port can exist only when two ports are connected in a loopback by a point-to-point link or when a switch has two or more connections to a shared LAN segment. •Disabled port—Has no role within the operation of the spanning tree. A port with the root or a designated port role is included in the active topology. A port with the alternate or backup port role is excluded from the active topology. In a stable topology with consistent port roles throughout the network, the RSTP ensures that every root port and designated port immediately transition to the forwarding state while all alternate and backup ports are always in the discarding state (equivalent to blocking in 802.1D). The port state controls the operation of the forwarding and learning processes. Table 28-3 provides a comparison of 802.1D and RSTP port states.
To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state. The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN. It provides rapid convergence for edge ports, new root ports, and ports connected through point-to-point links as follows: •Edge ports—If you configure a port as an edge port on an RSTP switch by using the spanning-tree portfast interface configuration command, the edge port immediately transitions to the forwarding state. An edge port is the same as a Port Fast-enabled port, and you should enable it only on ports that connect to a single end station. •Root ports—If the RSTP selects a new root port, it blocks the old root port and immediately transitions the new root port to the forwarding state. •Point-to-point links—If you connect a port to another port through a point-to-point link and the local port becomes a designated port, it negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology. As shown in Figure 28-8, switch A is connected to switch B through a point-to-point link, and all of the ports are in the blocking state. Assume that the priority of switch A is a smaller numerical value than the priority of switch B. Switch A sends a proposal message (a configuration BPDU with the proposal flag set) to switch B, proposing itself as the designated switch. After receiving the proposal message, switch B selects as its new root port the port from which the proposal message was received, forces all nonedge ports to the blocking state, and sends an agreement message (a BPDU with the agreement flag set) through its new root port. After receiving switch B's agreement message, switch A also immediately transitions its designated port to the forwarding state. No loops in the network are formed because switch B blocked all of its nonedge ports and because there is a point-to-point link between switches A and B. When switch C is connected to switch B, a similar set of handshaking messages are exchanged. Switch C selects the port connected to switch B as its root port, and both ends immediately transition to the forwarding state. With each iteration of this handshaking process, one more switch joins the active topology. As the network converges, this proposal-agreement handshaking progresses from the root toward the leaves of the spanning tree. The switch learns the link type from the port duplex mode: a full-duplex port is considered to have a point-to-point connection and a half-duplex port is considered to have a shared connection. You can override the default setting that is controlled by the duplex setting by using the spanning-tree link-type interface configuration command. Figure 28-8 Proposal and Agreement Handshaking for Rapid Convergence When the switch receives a proposal message on one of its ports and that port is selected as the new root port, the RSTP forces all other ports to synchronize with the new root information. The switch is synchronized with superior root information received on the root port if all other ports are synchronized. An individual port on the switch is synchronized if: •That port is in the blocking state. •It is an edge port (a port configured to be at the edge of the network). If a designated port is in the forwarding state and is not configured as an edge port, it transitions to the blocking state when the RSTP forces it to synchronize with new root information. In general, when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions, its port state is set to blocking. After ensuring that all of the ports are synchronized, the switch sends an agreement message to the designated switch corresponding to its root port. When the switches connected by a point-to-point link are in agreement about their port roles, the RSTP immediately transitions the port states to forwarding. The sequence of events is shown in Figure 28-9. Figure 28-9 Sequence of Events During Rapid Convergence These sections describe bridge protocol data unit (BPDU) format and processing: •BPDU Format and Processing Overview •Processing Superior BPDU Information •Processing Inferior BPDU Information The RSTP BPDU format is the same as the 802.1D BPDU format except that the protocol version is set to 2. A new 1-byte Version 1 Length field is set to zero, which means that no Version 1 protocol information is present. Table 28-4 describes the RSTP flag fields.
The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN. The port role in the proposal message is always set to the designated port. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal. The port role in the agreement message is always set to the root port. The RSTP does not have a separate TCN BPDU. It uses the topology change (TC) flag to show the topology changes. However, for interoperability with 802.1D switches, the RSTP switch processes and generates TCN BPDUs. The learning and forwarding flags are set according to the state of the sending port. A superior BPDU is a BPDU with root information (such as lower switch ID or lower path cost) that is superior to what is currently stored for the port. If a port receives a superior BPDU, the RSTP triggers a reconfiguration. If the port is proposed and is selected as the new root port, RSTP forces all the other ports to synchronize. If the BPDU received is an RSTP BPDU with the proposal flag set, the switch sends an agreement message after all of the other ports are synchronized. If the BPDU is an 802.1D BPDU, the switch does not set the proposal flag and starts the forward-delay timer for the port. The new root port requires twice the forward-delay time to transition to the forwarding state. If the superior information received on the port causes the port to become a backup port or an alternate port, RSTP sets the port to the blocking state and sends an agreement message. The designated port continues sending BPDUs with the proposal flag set until the forward-delay timer expires, at which time the port transitions to the forwarding state. An inferior BPDU is a BPDU with root information (such as higher switch ID or higher path cost) that is inferior to what is currently stored for the port. If a designated port receives an inferior BPDU, it immediately replies with its own information. These are the differences between the RSTP and the 802.1D in handling spanning tree topology changes: •Detection—Unlike 802.1D in which any transition between the blocking and the forwarding state causes a topology change, only transitions from the blocking to the forwarding state cause a topology change with RSTP (only an increase in connectivity is considered a topology change). State changes on an edge port do not cause a topology change. When an RSTP switch detects a topology change, it deletes the learned information on all of its nonedge ports except on those from which it received the TC notification. •Notification—The RSTP does not use TCN BPDUs, unlike 802.1D. However, for 802.1D interoperability, an RSTP switch processes and generates TCN BPDUs. •Acknowledgement—When an RSTP switch receives a TCN message on a designated port from an 802.1D switch, it replies with an 802.1D configuration BPDU with the TCA bit set. However, if the TC-while timer (the same as the TC timer in 802.1D) is active on a root port connected to an 802.1D switch and a configuration BPDU with the TCA set is received, the TC-while timer is reset. This method of operation is only required to support 802.1D switches. The RSTP BPDUs never have the TCA bit set. •Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them. •Protocol migration—For backward compatibility with 802.1D switches, RSTP selectively sends 802.1D configuration BPDUs and TCN BPDUs on a per-port basis. When a port is initialized, the migrate-delay timer is started (specifies the minimum time during which RSTP BPDUs are sent), and RSTP BPDUs are sent. While this timer is active, the switch processes all BPDUs received on that port and ignores the protocol type. If the switch receives an 802.1D BPDU after the port migration-delay timer has expired, it assumes that it is connected to an 802.1D switch and starts using only 802.1D BPDUs. However, if the RSTP switch is using 802.1D BPDUs on a port and receives an RSTP BPDU after the timer has expired, it restarts the timer and starts using RSTP BPDUs on that port. Rapid-PVST uses the existing configuration for PVST+; however, Rapid-PVST uses RSTP to provide faster convergence. Independent VLANs run their own RSTP instance. Dynamic entries are flushed immediately on a per-port basis upon receiving a topology change. UplinkFast and BackboneFast configurations are ignored in Rapid-PVST mode; both features are included in RSTP. In Cisco IOS Release 12.2(33)SXI and later releases, Rapid-PVST mode supports unidirectional link failure detection as described in the "Detecting Unidirectional Link Failure" section. These sections describe MST: •MST Overview •MST Regions •IST, CIST, and CST •Hop Count •Boundary Ports •Standard-Compliant MST Implementation •Interoperability with IEEE 802.1D-1998 STP MST maps multiple VLANs into a spanning tree instance, with each instance having a spanning tree topology independent of other spanning tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning tree instances required to support a large number of VLANs. MST improves the fault tolerance of the network because a failure in one instance (forwarding path) does not affect other instances (forwarding paths). The most common initial deployment of MST is in the backbone and distribution layers of a Layer 2 switched network. This deployment provides the kind of highly available network that is required in a service-provider environment. MST provides rapid spanning tree convergence through explicit handshaking, which eliminates the 802.1D forwarding delay and quickly transitions root bridge ports and designated ports to the forwarding state. MST improves spanning tree operation and maintains backward compatibility with these STP versions: •Original 802.1D spanning tree •Existing Cisco-proprietary Multiple Instance STP (MISTP) •Existing Cisco per-VLAN spanning tree plus (PVST+) •Rapid per-VLAN spanning tree plus (rapid PVST+) For information about PVST+ and rapid PVST+, see the preceding sections in this chapter. For information about other spanning tree features such as Port Fast, UplinkFast, and root guard, see Chapter 29 "Configuring Optional STP Features." Note•IEEE 802.1w defined the Rapid Spanning Tree Protocol (RSTP) and was incorporated into IEEE 802.1D. •IEEE 802.1s defined MST and was incorporated into IEEE 802.1Q. For switches to participate in MST instances, you must consistently configure the switches with the same MST configuration information. A collection of interconnected switches that have the same MST configuration comprises an MST region as shown in Figure 28-10. The MST configuration controls to which MST region each switch belongs. The configuration includes the name of the region, the revision number, and the MST VLAN-to-instance assignment map. A region can have one or multiple members with the same MST configuration; each member must be capable of processing RSTP bridge protocol data units (BPDUs). There is no limit to the number of MST regions in a network, but each region can support up to 65 spanning tree instances. Instances can be identified by any number in the range from 0 to 4094. You can assign a VLAN to only one spanning tree instance at a time. These sections describe internal spanning tree (IST), common and internal spanning tree (CIST), and common spanning tree (CST): •IST, CIST, and CST Overview •Spanning Tree Operation Within an MST Region •Spanning Tree Operations Between MST Regions •IEEE 802.1s Terminology Unlike other spanning tree protocols, in which all the spanning tree instances are independent, MST establishes and maintains IST, CIST, and CST spanning trees: •An IST is the spanning tree that runs in an MST region. Within each MST region, MST maintains multiple spanning tree instances. Instance 0 is a special instance for a region, known as the IST. All other MST instances are numbered from 1 to 4094. The IST is the only spanning tree instance that sends and receives BPDUs. All of the other spanning tree instance information is contained in MSTP records (M-records), which are encapsulated within MST BPDUs. Because the MST BPDU carries information for all instances, the number of BPDUs that need to be processed to support multiple spanning tree instances is significantly reduced. All MST instances within the same region share the same protocol timers, but each MST instance has its own topology parameters, such as root bridge ID, root path cost, and so forth. By default, all VLANs are assigned to the IST. An MST instance is local to the region; for example, MST instance 1 in region A is independent of MST instance 1 in region B, even if regions A and B are interconnected. •A CIST is a collection of the ISTs in each MST region. •The CST interconnects the MST regions and single spanning trees. The spanning tree computed in a region appears as a subtree in the CST that encompasses the entire switched domain. The CIST is formed by the spanning tree algorithm running among switches that support the 802.1w, 802.1s, and 802.1D standards. The CIST inside an MST region is the same as the CST outside a region. For more information, see the "Spanning Tree Operation Within an MST Region" section and the "Spanning Tree Operations Between MST Regions" section. The IST connects all the MST switches in a region. When the IST converges, the root of the IST becomes the CIST regional root (called the IST master before the implementation of the 802.1s standard) as shown in Figure 28-10. The CIST regional root is also the CIST root if there is only one region in the network. If the CIST root is outside the region, one of the MST switches at the boundary of the region is selected as the CIST regional root. When an MST switch initializes, it sends BPDUs that identify itself as the root of the CIST and the CIST regional root, with both of the path costs to the CIST root and to the CIST regional root set to zero. The switch also initializes all of its MST instances and claims to be the root for all of them. If the switch receives superior MST root information (lower switch ID, lower path cost, and so forth) than currently stored for the port, it relinquishes its claim as the CIST regional root. During initialization, a region might have many subregions, each with its own CIST regional root. As switches receive superior IST information from a neighbor in the same region, they leave their old subregions and join the new subregion that contains the true CIST regional root, which causes all subregions to shrink except for the one that contains the true CIST regional root. For correct operation, all switches in the MST region must agree on the same CIST regional root. Therefore, any two switches in the region only synchronize their port roles for an MST instance if they converge to a common CIST regional root. If there are multiple regions or 802.1D switches within the network, MST establishes and maintains the CST, which includes all MST regions and all 802.1D STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST. The IST connects all the MST switches in the region and appears as a subtree in the CIST that encompasses the entire switched domain. The root of the subtree is the CIST regional root. The MST region appears as a virtual switch to adjacent STP switches and MST regions. Figure 28-10 shows a network with three MST regions and an 802.1D switch (D). The CIST regional root for region 1 (A) is also the CIST root. The CIST regional root for region 2 (B) and the CIST regional root for region 3 (C) are the roots for their respective subtrees within the CIST. Figure 28-10 MST Regions, CIST Regional Roots, and CST Root Only the CST instance sends and receives BPDUs, and MST instances add their spanning tree information into the BPDUs to interact with neighboring switches and compute the final spanning tree topology. Because of this, the spanning tree parameters related to BPDU transmission (for example, hello time, forward time, max-age, and max-hops) are configured only on the CST instance but affect all MST instances. Parameters related to the spanning tree topology (for example, switch priority, port VLAN cost, and port VLAN priority) can be configured on both the CST instance and the MST instance. MST switches use Version 3 BPDUs or 802.1D STP BPDUs to communicate with 802.1D switches. MST switches use MST BPDUs to communicate with MST switches. Some MST naming conventions used in the prestandard implementation have been changed to include identification of some internal and regional parameters. These parameters are used only within an MST region, compared to external parameters that are used throughout the whole network. Because the CIST is the only spanning tree instance that spans the whole network, only the CIST parameters require the external qualifiers and not the internal or regional qualifiers. •The CIST root is the root bridge for the CIST, which is the unique instance that spans the whole network. •The CIST external root path cost is the cost to the CIST root. This cost is left unchanged within an MST region. Remember that an MST region looks like a single switch to the CIST. The CIST external root path cost is the root path cost calculated between these virtual switches and switches that do not belong to any region. •The CIST regional root was called the IST master in the prestandard implementation. If the CIST root is in the region, the CIST regional root is the CIST root. Otherwise, the CIST regional root is the closest switch to the CIST root in the region. The CIST regional root acts as a root bridge for the IST. •The CIST internal root path cost is the cost to the CIST regional root in a region. This cost is only relevant to the IST, instance 0. Table 28-5 compares the IEEE standard and the Cisco prestandard terminology.
MST does not use the message-age and maximum-age information in the configuration BPDU to compute the spanning tree topology. Instead, they use the path cost to the root and a hop-count mechanism similar to the IP time-to-live (TTL) mechanism. By using the spanning-tree mst max-hops global configuration command, you can configure the maximum hops inside the region and apply it to the IST and all MST instances in that region. The hop count achieves the same result as the message-age information (triggers a reconfiguration). The root bridge of the instance always sends a BPDU (or M-record) with a cost of 0 and the hop count set to the maximum value. When a switch receives this BPDU, it decrements the received remaining hop count by one and propagates this value as the remaining hop count in the BPDUs it generates. When the count reaches zero, the switch discards the BPDU and ages the information held for the port. The message-age and maximum-age information in the RSTP portion of the BPDU remain the same throughout the region, and the same values are propagated by the region-designated ports at the boundary. In the Cisco prestandard implementation, a boundary port connects an MST region to one of these STP regions: •A single spanning tree region running RSTP •A single spanning tree region running PVST+ or rapid PVST+ •Another MST region with a different MST configuration A boundary port also connects to a LAN, the designated switch of which is either a single spanning tree switch or a switch with a different MST configuration. There is no definition of a boundary port in the 802.1s standard. The 802.1Q-2002 standard identifies two kinds of messages that a port can receive: internal (coming from the same region) and external. When a message is external, it is received only by the CIST. If the CIST role is root or alternate, or if the external BPDU is a topology change, it could have an impact on the MST instances. When a message is internal, the CIST part is received by the CIST, and each MST instance receives its respective M-record. The Cisco prestandard implementation treats a port that receives an external message as a boundary port, which means a port cannot receive a mix of internal and external messages. An MST region includes both switches and LANs. A segment belongs to the region of its designated port. Therefore, a port in a different region from the designated port for a segment is a boundary port. This definition allows two ports internal to a region to share a segment with a port belonging to a different region, creating the possibility of receiving both internal and external messages on a port. The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary unless it is running in an STP-compatible mode. Note If there is an 802.1D STP switch on the segment, messages are always considered external. The other change from the prestandard implementation is that the CIST regional root bridge ID field is now inserted where an RSTP or legacy 802.1s switch has the sender switch ID. The whole region performs like a single virtual switch by sending a consistent sender switch ID to neighboring switches. In this example, switch C would receive a BPDU with the same consistent sender switch ID of root, whether or not A or B is designated for the segment. The standard-compliant MST implementation includes features required to meet the standard, as well as some of the desirable prestandard functionality that is not yet incorporated into the published standard. These sections describe the standard-compliant MST implementation: •Changes in Port-Role Naming •Spanning Tree Interoperation Between Legacy and Standard-Compliant Switches •Detecting Unidirectional Link Failure The boundary role was deleted from the final MST standard, but this boundary concept is maintained in the standard-compliant implementation. However, an MST instance (MSTI) port at a boundary of the region might not follow the state of the corresponding CIST port. The following two situations currently exist: •The boundary port is the root port of the CIST regional root—When the CIST instance port is proposed and is synchronized, it can send back an agreement and move to the forwarding state only after all the corresponding MSTI ports are synchronized (and thus forwarding). The MSTI ports now have a special master role. •The boundary port is not the root port of the CIST regional root—The MSTI ports follow the state and role of the CIST port. The standard provides less information, and it might be difficult to understand why an MSTI port can be alternately blocking when it receives no BPDUs (M-records). In this situation, although the boundary role no longer exists, when you enter the show commands, they identify a port as boundary in the type column of the output. Because automatic detection of prestandard switches can fail, you can use an interface configuration command to identify prestandard ports. A region cannot be formed between a standard and a prestandard switch, but they can interoperate before using the CIST. Only the capability of load balancing over different instances is lost in this specific situation. The CLI displays different flags depending on the port configuration when the port receives prestandard BPDUs. A syslog message also appears the first time a switch receives a prestandard BPDU on a port that has not been configured for prestandard BPDU transmission. Figure 28-11 illustrates a standard-compliant switch connected to a prestandard switch. Assume that A is the standard-compliant switch and B is a prestandard switch, both configured to be in the same region. A is the root bridge for the CIST, and so B has a root port (BX) on segment X and an alternate port (BY) on segment Y. If segment Y flaps, and the port on BY becomes the alternate before sending out a single prestandard BPDU, AY cannot detect that a prestandard switch is connected to Y and continues to send standard BPDUs. The port BY is fixed in a boundary, and no load balancing is possible between A and B. The same problem exists on segment X, but B might transmit topology changes. Figure 28-11 Standard-Compliant and Prestandard Switch Interoperation Note We recommend that you minimize the interaction between standard and prestandard MST implementations. Using the dispute mechanism included in the IEEE 802.1D-2004 RSTP standard, the switch checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops. When a designated port detects a conflict, it keeps its role, but reverts to a discarding (blocking) state because disrupting connectivity in case of inconsistency is preferable to opening a bridging loop. Figure 28-12 illustrates a unidirectional link failure that typically creates a bridging loop. Switch A is the root bridge, and its BPDUs are lost on the link leading to switch B. RSTP and MST BPDUs include the role and state of the sending port. With this information, switch A can detect that switch B does not react to the superior BPDUs it sends and that switch B is the designated, not root bridge. As a result, switch A blocks (or keeps blocking) its port, thus preventing the bridging loop. Figure 28-12 Detecting Unidirectional Link Failure A switch running MST supports a built-in protocol migration feature that enables it to interoperate with 802.1D switches. If this switch receives an 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only 802.1D BPDUs on that port. An MST switch also can detect that a port is at the boundary of a region when it receives an 802.1D BPDU, an MST BPDU (Version 3) associated with a different region, or an RSTP BPDU (Version 2). However, the switch does not automatically revert to the MST mode if it no longer receives 802.1D BPDUs because it cannot detect whether the 802.1D switch has been removed from the link unless the 802.1D switch is the designated switch. A switch might also continue to assign a boundary role to a port when the switch to which this switch is connected has joined the region. To restart the protocol migration process (force the renegotiation with neighboring switches), use the clear spanning-tree detected-protocols privileged EXEC command. If all the 802.1D switches on the link are RSTP switches, they can process MST BPDUs as if they are RSTP BPDUs. Therefore, MST switches send either a Version 0 configuration and topology change notification (TCN) BPDUs or Version 3 MST BPDUs on a boundary port. A boundary port connects to a LAN, the designated switch of which is either a single spanning tree switch or a switch with a different MST configuration. These sections describe how to configure STP on VLANs: •Default STP Configuration •Enabling STP •Enabling the Extended System ID •Configuring the Root Bridge •Configuring a Secondary Root Bridge •Configuring STP Port Priority •Configuring STP Port Cost •Configuring the Bridge Priority of a VLAN •Configuring the Hello Time •Configuring the Forward-Delay Time for a VLAN •Configuring the Maximum Aging Time for a VLAN •Enabling Rapid-PVST Note The STP commands described in this chapter can be configured on any LAN port, but they are in effect only on LAN ports configured with the switchport keyword. Table 28-6 shows the default STP configuration.
Note STP is enabled by default on VLAN 1 and on all newly created VLANs. You can enable STP on a per-VLAN basis. The switch maintains a separate instance of STP for each VLAN (except on VLANs on which you disable STP). To enable STP on a per-VLAN basis, perform this task:
This example shows how to enable STP on VLAN 200: Note Because STP is enabled by default, entering a show running command to view the resulting configuration does not display the command you entered to enable STP. This example shows how to verify the configuration: Note You must have at least one interface that is active in VLAN 200 to create a VLAN 200 spanning tree. In this example, two interfaces are active in VLAN 200. Note•The extended system ID is enabled permanently on chassis that support 64 MAC addresses. •In Release 12.2(33)SXJ1 and later releases, the extended system ID is always enabled in VSS mode. You can enable the extended system ID on chassis that support 1024 MAC addresses (see the "Understanding the Bridge ID" section). To enable the extended system ID, perform this task:
Note When you enable or disable the extended system ID, the bridge IDs of all active STP instances are updated, which might change the spanning tree topology. This example shows how to enable the extended system ID: This example shows how to verify the configuration: The switches supported by Cisco IOS Release 12.2SX maintain a separate instance of STP for each active VLAN. A bridge ID, consisting of the bridge priority and the bridge MAC address, is associated with each instance. For each VLAN, the network device with the lowest bridge ID becomes the root bridge for that VLAN. To configure a VLAN instance to become the root bridge, enter the spanning-tree vlan vlan_ID root command to modify the bridge priority from the default value (32768) to a significantly lower value. When you enter the spanning-tree vlan vlan_ID root command, the switch checks the bridge priority of the current root bridges for each VLAN. With the extended system ID enabled, the switch sets the bridge priority for the specified VLANs to 24576 if this value will cause the switch to become the root for the specified VLANs. With the extended system ID enabled, if any root bridge for the specified VLANs has a bridge priority lower than 24576, the switch sets the bridge priority for the specified VLANs to 4096 less than the lowest bridge priority. (4096 is the value of the least significant bit of a 4-bit bridge priority value; see Table 28-1.) Note The spanning-tree vlan vlan_ID root command fails if the value required to be the root bridge is less than 1. With the extended system ID enabled, if all network devices in, for example, VLAN 20 have the default priority of 32768, entering the spanning-tree vlan 20 root primary command on the switch sets the bridge priority to 24576, which causes the switch to become the root bridge for VLAN 20. Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of bridge hops between any two end stations in the Layer 2 network). When you specify the network diameter, the switch automatically selects an optimal hello time, forward delay time, and maximum age time for a network of that diameter, which can significantly reduce the STP convergence time. You can use the hello keyword to override the automatically calculated hello time. Note To preserve a stable STP topology, we recommend that you avoid configuring the hello time, forward delay time, and maximum age time manually after configuring the switch as the root bridge. To configure the switch as the root bridge, perform this task:
This example shows how to configure the switch as the root bridge for VLAN 10, with a network diameter of 4: When you configure a switch as the secondary root, the STP bridge priority is modified from the default value (32768) so that the switch is likely to become the root bridge for the specified VLANs if the primary root bridge fails (assuming the other network devices in the network use the default bridge priority of 32768). With the extended system ID is enabled, STP sets the bridge priority to 28672. You can run this command on more than one switch to configure multiple backup root bridges. Use the same network diameter and hello time values as you used when configuring the primary root bridge. To configure the switch as the secondary root bridge, perform this task:
This example shows how to configure the switch as the secondary root bridge for VLAN 10, with a network diameter of 4: If a loop occurs, STP considers port priority when selecting a LAN port to put into the forwarding state. You can assign higher priority values to LAN ports that you want STP to select first and lower priority values to LAN ports that you want STP to select last. If all LAN ports have the same priority value, STP puts the LAN port with the lowest LAN port number in the forwarding state and blocks other LAN ports. The possible priority range is 0 through 240 (default 128), configurable in increments of 16. Cisco IOS uses the port priority value when the LAN port is configured as an access port and uses VLAN port priority values when the LAN port is configured as a trunk port. To configure the STP port priority of a Layer 2 LAN interface, perform this task:
This example shows how to configure the STP port priority of Gigabit Ethernet port 1/4: This example shows how to verify the configuration of Gigabit Ethernet port 1/4: Gigabit Ethernet port 1/4 is a trunk. Several VLANs are configured and active as shown in the example. The port priority configuration applies to all VLANs on this interface. Note The show spanning-tree interface command only displays information if the port is connected and operating. If this condition is not met, enter a show running-config interface command to verify the configuration. This example shows how to configure the VLAN port priority of Gigabit Ethernet port 1/4: The configuration entered in the example only applies to VLAN 200. All VLANs other than 200 still have a port priority of 160. This example shows how to verify the configuration: You also can display spanning tree information for VLAN 200 using the following command: The STP port path cost default value is determined from the media speed of a LAN interface. If a loop occurs, STP considers port cost when selecting a LAN interface to put into the forwarding state. You can assign lower cost values to LAN interfaces that you want STP to select first and higher cost values to LAN interfaces that you want STP to select last. If all LAN interfaces have the same cost value, STP puts the LAN interface with the lowest LAN interface number in the forwarding state and blocks other LAN interfaces. The possible cost range is 0 through 200000000 (the default is media specific). STP uses the port cost value when the LAN interface is configured as an access port and uses VLAN port cost values when the LAN interface is configured as a trunk port. To configure the STP port cost of a Layer 2 LAN interface, perform this task:
This example shows how to change the STP port cost of Gigabit Ethernet port 1/4: This example shows how to verify the configuration: This example shows how to configure the port priority at an individual port VLAN cost for VLAN 200: This example shows how to verify the configuration: Note In the following output other VLANs (VLAN 1 for example) have not been affected by this configuration. Note The show spanning-tree command only displays information for ports that are in link-up operative state and are appropriately configured for DTP. If these conditions are not met, you can enter a show running-config command to confirm the configuration. Note Be careful when using this command. For most situations, we recommend that you enter the spanning-tree vlan vlan_ID root primary and the spanning-tree vlan vlan_ID root secondary commands to modify the bridge priority. To configure the STP bridge priority of a VLAN, perform this task:
This example shows how to configure the bridge priority of VLAN 200 to 33792 when the extended system ID is disabled: This example shows how to verify the configuration: Note Be careful when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan_ID root primary and spanning-tree vlan vlan_ID root secondary commands to modify the hello time. To configure the STP hello time of a VLAN, perform this task:
This example shows how to configure the hello time for VLAN 200 to 7 seconds: This example shows how to verify the configuration: To configure the STP forward delay time for a VLAN, perform this task:
This example shows how to configure the forward delay time for VLAN 200 to 21 seconds: This example shows how to verify the configuration: To configure the STP maximum aging time for a VLAN, perform this task:
This example shows how to configure the maximum aging time for VLAN 200 to 36 seconds: This example shows how to verify the configuration: Rapid-PVST uses the existing PVST+ framework for configuration and interaction with other features. It also supports some of the PVST+ extensions. To enable Rapid-PVST mode on the switch, enter the spanning-tree mode rapid-pvst command in privileged mode. To configure the switch in Rapid-PVST mode, see the "Configuring STP" section. Rapid connectivity is established only on point-to-point links. Spanning tree views a point-to-point link as a segment connecting only two switches running the spanning tree algorithm. Because the switch assumes that all full-duplex links are point-to-point links and that half-duplex links are shared links, you can avoid explicitly configuring the link type. To configure a specific link type, enter the spanning-tree linktype command. A switch running both MSTP and RSTP supports a built-in protocol migration process that enables the switch to interoperate with legacy 802.1D switches. If this switch receives a legacy 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only 802.1D BPDUs on that port. An MSTP switch can also detect that a port is at the boundary of a region when it receives a legacy BPDU, or an MST BPDU (version 3) associated with a different region, or an RST BPDU (version 2). However, the switch does not automatically revert to the MSTP mode if it no longer receives 802.1D BPDUs because it cannot determine whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. A switch also might continue to assign a boundary role to a port when the switch to which it is connected has joined the region. To restart the protocol migration process (force the renegotiation with neighboring switches) on the entire switch, you can use the clear spanning-tree detected-protocols privileged EXEC command. To restart the protocol migration process on a specific interface, enter the clear spanning-tree detected-protocols interface interface-id privileged EXEC command. These sections describe how to configure MST: •Default MST Configuration •MST Configuration Guidelines and Restrictions •Specifying the MST Region Configuration and Enabling MST (required) •Configuring the Root Bridge (optional) •Configuring a Secondary Root Bridge (optional) •Configuring STP Port Priority (optional) •Configuring Path Cost (optional) •Configuring the Switch Priority (optional) •Configuring the Hello Time (optional) •Configuring the Transmit Hold Count (optional) •Configuring the Maximum-Aging Time (optional) •Configuring the Maximum-Hop Count (optional) •Specifying the Link Type to Ensure Rapid Transitions (optional) •Designating the Neighbor Type (optional) •Restarting the Protocol Migration Process (optional) Table 28-7 shows the default MST configuration.
When configuring MST, follow these guidelines and restrictions: •The 802.1s MST standard allows up to 65 MST instances. You can map an unlimited number of VLANs to an MST instance. •PVST+, rapid PVST+, and MST are supported, but only one version can be active at any time. •VTP does not propagate the MST configuration. You must manually configure the MST configuration (region name, revision number, and VLAN-to-instance mapping) on each switch within the MST region through the command-line interface (CLI) or SNMP. •For load balancing across redundant paths in the network to work, all VLAN-to-instance mapping assignments must match; otherwise, all traffic flows on a single link. •All MST boundary ports must be forwarding for load balancing between a PVST+ and an MST cloud or between a rapid-PVST+ and an MST cloud. For this to occur, the CIST regional root of the MST cloud must be the root of the CST. If the MST cloud consists of multiple MST regions, one of the MST regions must contain the CST root, and all of the other MST regions must have a better path to the root contained within the MST cloud than a path through the PVST+ or rapid-PVST+ cloud. •Partitioning the network into a large number of regions is not recommended. However, if this situation is unavoidable, we recommend that you partition the switched LAN into smaller LANs interconnected by non-Layer 2 devices. •Adding or removing VLANs to an existing MST instance will trigger spanning tree recalculation for that MST instance, and the traffic of all the VLANs for that MST instance will be disrupted. For two or more switches to be in the same MST region, they must have the same VLAN-to-instance mapping, the same configuration revision number, and the same MST name. A region can have one member or multiple members with the same MST configuration; each member must be capable of processing RSTP BPDUs. There is no limit to the number of MST regions in a network, but each region can only support up to 65 spanning tree instances. You can assign a VLAN to only one spanning tree instance at a time. To specify the MST region configuration and enable MST, perform this task:
To return to defaults, do the following: •To return to the default MST region configuration, use the no spanning-tree mst configuration global configuration command. •To return to the default VLAN-to-instance map, use the no instance instance_id [vlan vlan_range] MST configuration command. •To return to the default name, use the no name MST configuration command. •To return to the default revision number, use the no revision MST configuration command. •To reenable PVST+, use the no spanning-tree mode or the spanning-tree mode pvst global configuration command. This example shows how to enter MST configuration mode, map VLANs 10 to 20 to MST instance 1, name the region region1, set the configuration revision to 1, display the pending configuration, apply the changes, and return to global configuration mode: The switch maintains a spanning tree instance for the group of VLANs mapped to it. A switch ID, consisting of the switch priority and the switch MAC address, is associated with each instance. For a group of VLANs, the switch with the lowest switch ID becomes the root bridge. To configure a switch to become the root bridge, use the spanning-tree mst instance_id root global configuration command to modify the switch priority from the default value (32768) to a significantly lower value so that the switch becomes the root bridge for the specified spanning tree instance. When you enter this command, the switch checks the switch priorities of the root bridges. Because of extended system ID support, the switch sets its own priority for the specified instance to 24576 if this value will cause this switch to become the root bridge for the specified spanning tree instance. If any root bridge for the specified instance has a switch priority lower than 24576, the switch sets its own priority to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit switch priority value as shown in Table 28-1.) If your network consists of switches that both do and do not support the extended system ID, it is unlikely that the switch with the extended system ID support will become the root bridge. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches running older software. The root bridge for each spanning tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning tree primary root bridge. Use the diameter keyword, which is available only for MST instance 0, to specify the Layer 2 network diameter (that is, the maximum number of Layer 2 hops between any two end stations in the Layer 2 network). When you specify the network diameter, the switch automatically sets an optimal hello time, forward-delay time, and maximum-age time for a network of that diameter, which can significantly reduce the convergence time. You can use the hello keyword to override the automatically calculated hello time. Note With the switch configured as the root bridge, do not manually configure the hello time, forward-delay time, and maximum-age time with the spanning-tree mst hello-time, spanning-tree mst forward-time, and spanning-tree mst max-age global configuration commands. To configure a switch as the root bridge, perform this task:
To return the switch to its default setting, use the no spanning-tree mst instance_id root global configuration command. When you configure a switch with the extended system ID support as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root bridge for the specified instance if the primary root bridge fails. This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root bridge. You can execute this command on more than one switch to configure multiple backup root bridges. Use the same network diameter and hello-time values that you used when you configured the primary root bridge with the spanning-tree mst instance_id root primary global configuration command. To configure a switch as the secondary root bridge, perform this task:
To return the switch to its default setting, use the no spanning-tree mst instance_id root global configuration command. If a loop occurs, MST uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) that you want selected last. If all interfaces have the same priority value, MST puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. To configure the MST port priority of an interface, perform this task:
Note The show spanning-tree mst interface interface_id privileged EXEC command displays information only if the port is in a link-up operative state. Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance_id port-priority interface configuration command. The MST path cost default value is derived from the media speed of an interface. If a loop occurs, MST uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values that you want selected last. If all interfaces have the same cost value, MST puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. To configure the MST cost of an interface, perform this task:
Note The show spanning-tree mst interface interface_id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance_id cost interface configuration command. You can configure the switch priority so that it is more likely that a switch is chosen as the root bridge. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance_id root primary and the spanning-tree mst instance_id root secondary global configuration commands to modify the switch priority. To configure the switch priority, perform this task:
To return the switch to its default setting, use the no spanning-tree mst instance_id priority global configuration command. You can configure the interval between the generation of configuration messages by the root bridge by changing the hello time. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance_id root primary and the spanning-tree mst instance_id root secondary global configuration commands to modify the hello time. To configure the hello time for all MST instances, perform this task:
To return the switch to its default setting, use the no spanning-tree mst hello-time global configuration command. To configure the forwarding-delay time for all MST instances, perform this task:
To return the switch to its default setting, use the no spanning-tree mst forward-time global configuration command. To configure the transmit hold count for all MST instances, perform this task:
To return the switch to its default setting, use the no spanning-tree transmit hold-count global configuration command. To configure the maximum-aging time for all MST instances, perform this task:
To return the switch to its default setting, use the no spanning-tree mst max-age global configuration command. To configure the maximum-hop count for all MST instances, perform this task:
To return the switch to its default setting, use the no spanning-tree mst max-hops global configuration command. If you connect a port to another port through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the "Rapid Convergence" section. By default, the link type is controlled from the duplex mode of the interface: a full-duplex port is considered to have a point-to-point connection; a half-duplex port is considered to have a shared connection. If you have a half-duplex link physically connected point-to-point to a single port on a remote switch running MST, you can override the default setting of the link type and enable rapid transitions to the forwarding state. To override the default link-type setting, perform this task:
To return the port to its default setting, use the no spanning-tree link-type interface configuration command. A topology could contain both prestandard and 802.1s standard compliant devices. By default, ports can automatically detect prestandard devices, but they can still receive both standard and prestandard BPDUs. When there is a mismatch between a device and its neighbor, only the CIST runs on the interface. You can choose to set a port to send only prestandard BPDUs. The prestandard flag appears in all the show commands, even if the port is in STP compatibility mode. To override the default link-type setting, perform this task:
To return the port to its default setting, use the no spanning-tree mst prestandard interface configuration command. A switch running MST supports a built-in protocol migration feature that enables it to interoperate with 802.1D switches. If this switch receives an 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only 802.1D BPDUs on that port. An MST switch also can detect that a port is at the boundary of a region when it receives an 802.1D BPDU, an MST BPDU (Version 3) associated with a different region, or an RST BPDU (Version 2). However, the switch does not automatically revert to the MST mode if it no longer receives 802.1D BPDUs because it cannot detect whether the 802.1D switch has been removed from the link unless the 802.1D switch is the designated switch. A switch also might continue to assign a boundary role to a port when the switch to which it is connected has joined the region. To restart the protocol migration process (force the renegotiation with neighboring switches) on the switch, use the clear spanning-tree detected-protocols privileged EXEC command. To restart the protocol migration process on a specific interface, use the clear spanning-tree detected-protocols interface interface_id privileged EXEC command. To display the spanning-tree status, use one or more of the privileged EXEC commands that are described in Table 28-8.
Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 16 This preface describes who should read the Cisco IOS Software Configuration Guide, Release 12.2SX , and its document conventions. This guide is for experienced network administrators who are responsible for configuring and maintaining the switches supported in Cisco IOS Release 12.2SX. The following publications are available for Cisco IOS Release 12.2SX: •Catalyst 6500 Series Switch Installation Guide •Catalyst 6500 Series Switch Module Installation Guide •Cisco IOS Master Command List •Catalyst 6500 Series Switch Cisco IOS System Message Guide, Release 12.2SX •Release Notes for Cisco IOS Release 12.2SX •Cisco IOS Configuration Guides and Command References: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html •For information about MIBs, go to this URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml This document uses the following conventions:
Notes use the following conventions: Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication. Cautions use the following conventions: For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 17 This chapter describes how to configure the port security feature. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter consists of these sections: •Understanding Port Security •Default Port Security Configuration •Port Security Guidelines and Restrictions •Configuring Port Security •Displaying Port Security Settings These sections describe port security: •Port Security with Dynamically Learned and Static MAC Addresses •Port Security with Sticky MAC Addresses •Port Security with IP Phones You can use port security with dynamically learned and static MAC addresses to restrict a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the device attached to that port has the full bandwidth of the port. A security violation occurs in either of these situations: •When the maximum number of secure MAC addresses is reached on a secure port and the source MAC address of the ingress traffic is different from any of the identified secure MAC addresses, port security applies the configured violation mode. •If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN, applies the configured violation mode. Note After a secure MAC address is configured or learned on one secure port, the sequence of events that occurs when port security detects that secure MAC address on a different port in the same VLAN is known as a MAC move violation. See the "Configuring the Port Security Violation Mode on a Port" section for more information about the violation modes. After you have set the maximum number of secure MAC addresses on a port, port security includes the secure addresses in the address table in one of these ways: •You can statically configure all secure MAC addresses by using the switchport port-security mac-address mac_address interface configuration command. •You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices. •You can statically configure a number of addresses and allow the rest to be dynamically configured. If the port has a link-down condition, all dynamically learned addresses are removed. Following bootup, a reload, or a link-down condition, port security does not populate the address table with dynamically learned MAC addresses until the port receives ingress traffic. A security violation occurs if the maximum number of secure MAC addresses have been added to the address table and the port receives traffic from a MAC address that is not in the address table. You can configure the port for one of three violation modes: protect, restrict, or shutdown. See the "Configuring Port Security" section. To ensure that an attached device has the full bandwidth of the port, set the maximum number of addresses to one and configure the MAC address of the attached device. Port security with sticky MAC addresses provides many of the same benefits as port security with static MAC addresses, but sticky MAC addresses can be learned dynamically. Port security with sticky MAC addresses retains dynamically learned MAC addresses during a link-down condition. If you enter a write memory or copy running-config startup-config command, then port security with sticky MAC addresses saves dynamically learned MAC addresses in the startup-config file and the port does not have to learn addresses from ingress traffic after bootup or a restart. Figure 62-1 shows an application in which a device connects to the switch through the data port of an IP phone. Figure 62-1 Device Connected Through IP Phone Because the device is not directly connected to the switch, the switch cannot physically detect a loss of port link if the device is disconnected. Later Cisco IP phones send a Cisco Discovery Protocol (CDP) host presence type length value (TLV) to notify the switch of changes in the attached device's port link state. With Cisco IOS Release 12.2(33)SXI and later releases, the switch recognizes the host presence TLV. Upon receiving a host presence TLV notification of a link down on the IP phone's data port, port security removes from the address table all static, sticky, and dynamically learned MAC addresses. The removed addresses are added again only when the addresses are learned dynamically or configured. Table 62-1 shows the default port security configuration for an interface.
When configuring port security, follow these guidelines: •With the default port security configuration, to bring all secure ports out of the error-disabled state, enter the errdisable recovery cause psecure-violation global configuration command, or manually reenable the port by entering the shutdown and no shut down interface configuration commands. •Enter the clear port-security dynamic global configuration command to clear all dynamically learned secure addresses. See the Cisco IOS Master Command List for complete syntax information. •Port security learns unauthorized MAC addresses with a bit set that causes traffic to them or from them to be dropped. The show mac-address-table command displays the unauthorized MAC addresses, but does not display the state of the bit. (CSCeb76844) •To preserve dynamically learned sticky MAC addresses and configure them on a port following a bootup or a reload and after the dynamically learned sticky MAC addresses have been learned, you must enter a write memory or copy running-config startup-config command to save them in the startup-config file. •Port security supports private VLAN (PVLAN) ports. •Port security supports IEEE 802.1Q tunnel ports. •Port security does not support Switch Port Analyzer (SPAN) destination ports. •Port security does not support EtherChannel port-channel interfaces. •With Cisco IOS Release 12.2(33)SXH and later releases, you can configure port security and 802.1X port-based authentication on the same port. With releases earlier than Cisco IOS Release 12.2(33)SXH: –If you try to enable 802.1X port-based authentication on a secure port, an error message appears and 802.1X port-based authentication is not enabled on the port. –If you try to enable port security on a port configured for 802.1X port-based authentication, an error message appears and port security is not enabled on the port. •Port security supports nonnegotiating trunks. –Port security only supports trunks configured with these commands: switchport –If you reconfigure a secure access port as a trunk, port security converts all the sticky and static secure addresses on that port that were dynamically learned in the access VLAN to sticky or static secure addresses on the native VLAN of the trunk. Port security removes all secure addresses on the voice VLAN of the access port. –If you reconfigure a secure trunk as an access port, port security converts all sticky and static addresses learned on the native VLAN to addresses learned on the access VLAN of the access port. Port security removes all addresses learned on VLANs other than the native VLAN. Note Port security uses the VLAN ID configured with the switchport trunk native vlan command for both IEEE 802.1Q trunks and ISL trunks. •Take care when you enable port security on the ports connected to the adjacent switches when there are redundant links running between the switches because port security might error-disable the ports due to port security violations. •Flex Links and port security are not compatible with each other. These sections describe how to configure port security: •Enabling Port Security •Configuring the Port Security Violation Mode on a Port •Configuring the Port Security Rate Limiter •Configuring the Maximum Number of Secure MAC Addresses on a Port •Enabling Port Security with Sticky MAC Addresses on a Port •Configuring a Static Secure MAC Address on a Port •Configuring Secure MAC Address Aging on a Port These sections describe how to enable port security: •Enabling Port Security on a Trunk •Enabling Port Security on an Access Port Port security supports nonnegotiating trunks. To enable port security on a trunk, perform this task:
This example shows how to configure Fast Ethernet port 5/36 as a nonnegotiating trunk and enable port security: To enable port security on an access port, perform this task:
This example shows how to enable port security on Fast Ethernet port 5/12: To configure the port security violation mode on a port, perform this task:
When configuring port security violation modes, note the following information: •protect—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value. •restrict—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment. •shutdown—Puts the interface into the error-disabled state immediately and sends an SNMP trap notification. Note•To bring a secure port out of the error-disabled state, enter the errdisable recovery cause violation_mode global configuration command, or you can manually reenable it by entering the shutdown and no shut down interface configuration commands. •To protect the CPU against overutilization, when you configure the protect or restrict violation modes, configure the packet drop rate limiter (see the "Configuring the Port Security Rate Limiter" section). This example shows how to configure the protect security violation mode on Fast Ethernet port 5/12: This example shows how to configure the restrict security violation mode on Fast Ethernet port 5/12: Note The truncated switching mode does not support the port security rate limiter. Port security examines all traffic received by secure ports to detect violations or to recognize and secure new MAC addresses. When the shutdown violation mode is configured, traffic cannot enter the secure port after a violation has been detected, which removes the possibility that violations might cause excessive CPU load. When the protect or restrict violation modes are configured, port security continues to process traffic after a violation occurs, which might cause excessive CPU load. Configure the port security rate limiter to protect the CPU against excessive load when the protect or restrict violation modes are configured. To configure the port security rate limiter, perform this task:
When configuring the port security rate limiter, note the following information: •For the rate_in_pps value: –The range is 10 through 1,000,000 (entered as 1000000). –There is no default value. –The lower the value, the more the CPU is protected. The rate limiter is applied to traffic both before and after a security violation occurs. Configure a value high enough to permit nonviolating traffic to reach the port security feature. –Values lower than 1,000 (entered as 1000) should offer sufficient protection. •For the burst_size value: –The range is 1 through 255. –The default is 10. –The default value should provide sufficient protection. This example shows how to configure the port security rate limiter: This example shows how to verify the configuration: To configure the maximum number of secure MAC addresses on a port, perform this task:
When configuring the maximum number of secure MAC addresses on a port, note the following information: •The range for number_of_addresses is 1 to 4,097. •Port security supports trunks. –On a trunk, you can configure the maximum number of secure MAC addresses both on the trunk and for all the VLANs on the trunk. –You can configure the maximum number of secure MAC addresses on a single VLAN or a range of VLANs. –For a range of VLANs, enter a dash-separated pair of VLAN numbers. –You can enter a comma-separated list of VLAN numbers and dash-separated pairs of VLAN numbers. This example shows how to configure a maximum of 64 secure MAC addresses on Fast Ethernet port 5/12: To enable port security with sticky MAC addresses on a port, perform this task:
When enabling port security with sticky MAC addresses, note the following information: •When you enter the switchport port-security mac-address sticky command: –All dynamically learned secure MAC addresses on the port are converted to sticky secure MAC addresses. –Static secure MAC addresses are not converted to sticky MAC addresses. –Secure MAC addresses dynamically learned in a voice VLAN are not converted to sticky MAC addresses. –New dynamically learned secure MAC addresses are sticky. •When you enter the no switchport port-security mac-address sticky command, all sticky secure MAC addresses on the port are converted to dynamic secure MAC addresses. •To preserve dynamically learned sticky MAC addresses and configure them on a port following a bootup or a reload, after the dynamically learned sticky MAC addresses have been learned, you must enter a write memory or copy running-config startup-config command to save them in the startup-config file. This example shows how to enable port security with sticky MAC addresses on Fast Ethernet port 5/12: To configure a static secure MAC address on a port, perform this task:
When configuring a static secure MAC address on a port, note the following information: •You can configure sticky secure MAC addresses if port security with sticky MAC addresses is enabled (see the "Enabling Port Security with Sticky MAC Addresses on a Port" section). •The maximum number of secure MAC addresses on the port, configured with the switchport port-security maximum command, defines how many secure MAC addresses you can configure. •If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are learned dynamically. •Port security is supported on trunks. –On a trunk, you can configure a static secure MAC address in a VLAN. –On a trunk, if you do not configure a VLAN for a static secure MAC address, it is secure in the VLAN configured with the switchport trunk native vlan command. This example shows how to configure a MAC address 1000.2000.3000 as secure on Fast Ethernet port 5/12 and verify the configuration: When the aging type is configured with the absolute keyword, all the dynamically learned secure addresses age out when the aging time expires. When the aging type is configured with the inactivity keyword, the aging time defines the period of inactivity after which all the dynamically learned secure addresses age out. Note Static secure MAC addresses and sticky secure MAC addresses do not age out. These sections describe how to configure secure MAC address aging on a port: •Configuring the Secure MAC Address Aging Type on a Port •Configuring Secure MAC Address Aging Time on a Port You can configure the secure MAC address aging type on a port. To configure the secure MAC address aging type on a port, perform this task:
This example shows how to set the aging type to inactivity on Fast Ethernet port 5/12: To configure the secure MAC address aging time on a port, perform this task:
This example shows how to configure 2 hours (120 minutes) as the secure MAC address aging time on Fast Ethernet port 5/1: To display port security settings, enter this command:
When displaying port security settings, note the following information: •Port security supports the vlan keyword only on trunks. •Enter the address keyword to display secure MAC addresses, with aging information for each address, globally for the switch or per interface. •The display includes these values: –The maximum allowed number of secure MAC addresses for each interface –The number of secure MAC addresses on the interface –The number of security violations that have occurred –The violation mode. This example displays output from the show port-security command when you do not enter an interface: This example displays output from the show port-security command for a specified interface: This example displays the output from the show port-security address privileged EXEC command: Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 18 Cisco TrustSec is an umbrella term for security improvements to Cisco network devices based on the capability to strongly identify users, hosts and network devices within a network. TrustSec provides topology independent and scalable access controls by uniquely classifying data traffic for a particular role. TrustSec ensures data confidentiality and integrity by establishing trust among authenticated peer and encrypting links with those peers. To configure Cisco Trustsec on the Cisco Catalyst 6500 Series switches, see the publication, "Cisco TrustSec Switch Configuration Guide" at the following URL: http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html Release Notes for Cisco TrustSec 1.0 General Availability 2010 Release are at the following URL: http://www.cisco.com/en/US/docs/switches/lan/trustsec/release/notes/cts1_0.html Additional information on the Cisco TrustSec Solution, including overviews, datasheets, and case studies, is available at: http://www.cisco.com/en/US/netsol/ns1051/index.html Table 1 lists the TrustSec features to be eventually implemented on TrustSec-enabled network devices. Successive general availability releases of TrustSec will expand the number of network devices supported and the number of TrustSec features supported per device. See the section, "Hardware Supported" for information on which TrustSec features are implemented.
Table 2 lists the TrustSec features supported by platform on the release date of Cisco IOS 12.2(33) SXI4.
Page 19 This chapter describes how to use the AutoSecure function. Release 12.2(33)SXH and later releases support the AutoSecure function. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter consists of these sections: •Understanding AutoSecure •Configuring AutoSecure •AutoSecure Configuration Example You can easily secure the switch without understanding all the security capabilities of the switch by using the AutoSecure feature. AutoSecure is a simple security configuration process that disables nonessential system services and enables a basic set of recommended security policies to ensure secure networking services. The following sections describe how AutoSecure works: •Benefits of AutoSecure •Securing the Management Plane •Securing the Forwarding Plane •AutoSecure Guidelines and Restrictions AutoSecure provides a variety of mechanisms to enhance security of the switch. AutoSecure automates a thorough configuration of security features of the switch. AutoSecure disables certain features that are enabled by default that could be exploited for security holes. You can execute AutoSecure in either of two modes, depending on your individual needs: •Interactive mode—Prompts with options to enable and disable services and other security features, suggesting a default setting for each option. •Noninteractive mode—Automatically executes the recommended Cisco default settings. AutoSecure provides the following mechanisms to improve the security of access to the switch: •You can specify a required minimum password length, which can eliminate weak passwords that are prevalent on most networks, such as "lab" and "cisco." To configure a minimum password length, use the security passwords min-length command. •You can cause a syslog message to be generated after the number of unsuccessful login attempts exceeds the configured threshold. To configure the number of allowable unsuccessful login attempts (the threshold rate), use the security authentication failure rate command. System logging messages capture any subsequent changes to the AutoSecure configuration that are applied on the running configuration. As a result, a more detailed audit trail is provided when AutoSecure is executed. AutoSecure provides protection for the switch management interfaces (the management plane) and the data routing and switching functions (the forwarding plane, described in the "Securing the Forwarding Plane" section.) Securing the management plane is done by turning off certain global and interface services that can be potentially exploited for security attacks and turning on global services that help minimize the threat of attacks. Secure access and secure logging are also configured for the switch. The following sections define how AutoSecure helps to secure the management plane: •Disables Global Services •Disables Per-Interface Services •Enables Global Services •Secures Access to the Switch •Enhances Logging for Security AutoSecure will disable the following global services on the switch without prompting the user: •Finger—Collects information about the system (reconnaissance) before an attack. •PAD—Enables all packet assembler and disassembler (PAD) commands and connections between PAD devices and access servers. •Small servers—Causes TCP and User Datagram Protocol (UDP) diagnostic port attacks: a sender transmits a volume of fake requests for UDP diagnostic services on the switch, consuming all CPU resources. •Bootp server—Bootp is an insecure protocol that can be exploited for an attack. •HTTP server—Without secure-HTTP or authentication embedded in the HTTP server with an associated ACL, the HTTP server is insecure and can be exploited for an attack. (If you must enable the HTTP server, you will be prompted for the proper authentication or access list.) Note If you are using Security Device Manager (SDM), you must manually enable the HTTP server using the ip http server command. •Identification service—An unsecure protocol (defined in RFC 1413) that allows an external host to query a TCP port for identification. An attacker can access private information about the user from the ID server. •CDP—If a large number of Cisco Discovery Protocol (CDP) packets are sent to the switch, the available memory of the switch can be consumed, which causes the switch to crash. Note NM applications that use CDP to discover network topology will not be able to perform discovery. •NTP—Without authentication or access control, Network Time Protocol (NTP) is insecure and can be used by an attacker to send NTP packets to crash or overload the switch. If you require NTP, you must configure NTP authentication using Message Digest 5 (MD5) and the ntp access-group command. If NTP is enabled globally, disable it on all interfaces on which it is not needed. •Source routing—Source routing is provided only for debugging purposes, and should be disabled in all other cases. Otherwise, packets may avoid some of the access control mechanisms of the switch. AutoSecure will disable the following per-interface services on the switch without prompting the user: •ICMP redirects—Disabled on all interfaces. Does not add a useful functionality to a correctly configured network, but could be used by attackers to exploit security holes. •ICMP unreachables—Disabled on all interfaces. Internet Control Management Protocol (ICMP) unreachables are a known method for some ICMP-based denial of service (DoS) attacks. •ICMP mask reply messages—Disabled on all interfaces. ICMP mask reply messages can give an attacker the subnet mask for a particular subnetwork in the internetwork. •Proxy-arp—Disabled on all interfaces. Proxy-arp requests are a known method for DoS attacks because the available bandwidth and resources of the switch can be consumed in an attempt to respond to the repeated requests sent by an attacker. •Directed broadcast—Disabled on all interfaces. Potential cause of SMURF attacks for DoS. •Maintenance Operations Protocol (MOP) service—Disabled on all interfaces. AutoSecure will enable the following global services on the switch without prompting the user: •The service password-encryption command—Prevents passwords from being visible in the configuration. •The service tcp-keepalives-in and service tcp-keepalives-out commands—Ensures that abnormally terminated TCP sessions are removed. AutoSecure will make the following options available for securing access to the switch: •If a text banner does not exist, you will be prompted to add a banner. This feature provides the following sample banner: •The login and password (preferably a secret password, if supported) are configured on the console, AUX, vty, and tty lines. The transport input and transport output commands are also configured on all of these lines. (Telnet and secure shell (SSH) are the only valid transport methods.) The exec-timeout command is configured on the console and AUX as 10. •When the image on the device is a crypto image, AutoSecure enables SSH and secure copy (SCP) for access and file transfer to and from the switch. The timeout seconds and authentication-retries integer options for the ip ssh command are configured to a minimum number. (Telnet and FTP are not affected by this operation and remain operational.) •If the user specifies that the switch does not use Simple Network Management Protocol (SNMP), one of the following functionalities will occur: –In interactive mode, the user is asked whether to disable SNMP regardless of the values of the community strings, which act like passwords to regulate access to the agent on the switch. –In noninteractive mode, SNMP will be disabled if the community string is public or private. Note After AutoSecure has been enabled, tools that use SNMP to monitor or configure a device will be unable to communicate with the device using SNMP. •If authentication, authorization, and accounting (AAA) is not configured, AutoSecure configures local AAA. AutoSecure will prompt the user to configure a local username and password on the switch. AutoSecure provides the following logging options, which allow you to identify and respond to security incidents: •Sequence numbers and time stamps for all debug and log messages. This option is useful when auditing logging messages. •Logging messages for login-related events. For example, the message "Blocking Period when Login Attack Detected" will be displayed when a login attack is detected and the switch enters quiet mode. (Quiet mode means that the switch will not allow any login attempts using Telnet, HTTP, or SSH.) •The logging console critical command, which sends system logging (syslog) messages to all available TTY lines and limits messages based on severity. •The logging buffered command, which copies logging messages to an internal buffer and limits messages logged to the buffer based on severity. •The logging trap debugging command, which allows all commands with a severity higher than debugging to be sent to the logging server. To minimize the risk of attacks on the switch forwarding plane, AutoSecure provides the following functions: •Cisco Express Forwarding (CEF)—AutoSecure enables CEF or distributed CEF (dCEF) on the switch whenever possible. Because there is no need to build cache entries when traffic starts arriving for new destinations, CEF operates more predictably than other modes when presented with large volumes of traffic addressed to many destinations. Switches configured for CEF perform better under SYN attacks than switches using the traditional cache. Note CEF consumes more memory than a traditional cache. •If strict Unicast Reverse Path Forwarding (uRPF) is available, it can be configured on the switch to help mitigate problems that are caused by the introduction of forged (spoofed) IP source addresses. uRPF discards IP packets that lack a verifiable IP source address. •Hardware rate limiting—AutoSecure will enable hardware rate-limiting of the following types of traffic without prompting the user: –IP errors –RPF failures –ICMP no-route messages –ICMP acl-drop messages –IPv4 multicast FIB miss messages –IPv4 multicast partially switch flow messages AutoSecure will provide the option for hardware rate-limiting of the following types of traffic: –ICMP redirects –TTL failures –MTU failures –IP unicast options –IP multicast options –Ingress and egress ACL bridged packets Note Rate-limiting of ingress and egress ACL bridged packets can interfere with ACL logging and can increase session setup rates for hardware accelerated features such as NAT, Layer 3 WCCP, and TCP intercept. When configuring AutoSecure, follow these guidelines and restrictions: •Because there is no command to undo configuration changes made by AutoSecure, always save your running configuration before configuring AutoSecure. •The AutoSecure configuration can be configured at run time or setup time. If any related configuration is modified after AutoSecure has been enabled, the AutoSecure configuration may not be fully effective. •After AutoSecure has been enabled, tools that use SNMP to monitor or configure a device will be unable to communicate with the device using SNMP. •If your device is managed by a network management (NM) application, securing the management plane could turn off some services such as HTTP server and disrupt the NM application support. •If you are using Security Device Manager (SDM), you must manually enable the HTTP server using the ip http server command. •NM applications that use CDP to discover network topology will not be able to perform discovery. These sections describe how to configure AutoSecure: •Using the AutoSecure Command •Configuring Additional Security •Verifying AutoSecure The auto secure command guides you through a semi-interactive session (also known as the AutoSecure session) to secure the management and forwarding planes. You can use this command to secure just the management plane or the forwarding plane; if neither option is selected in the command line, you can choose to configure one or both planes during the session. This command also allows you to go through all noninteractive configuration portions of the session before the interactive portions. The noninteractive portions of the session can be enabled by selecting the optional no-interact keyword. The AutoSecure session will request the following information from you: •Is the device going to be connected to the Internet? •How many interfaces are connected to the Internet? •What are the names of the interfaces connected to the Internet? •What will be your local username and password? •What will be the switch hostname and domain name? At any prompt you may enter a question mark (?) for help or Ctrl-C to abort the session. In interactive mode, you will be asked at the end of the session whether to commit the generated configuration to the running configuration of the switch. In noninteractive mode, the changes will be automatically applied to the running configuration. Note There is no undo command for configuration changes made by AutoSecure. You should always save the running configuration before executing the auto secure command. To execute the AutoSecure configuration process, beginning in privileged EXEC mode, perform this task:
For an example of the AutoSecure session, see the "AutoSecure Configuration Example" section. After completing the AutoSecure configuration, you can further enhance the security of management access to your switch by performing this task:
The following example shows how to configure the switch for a minimum password length of 10 characters and a threshold of 3 password failures in one minute. The example also shows how to set a hidden local password. To verify that the AutoSecure feature has executed successfully, perform this task:
The following example is a sample AutoSecure session. After you execute the auto secure command, the feature will automatically prompt you with a similar response unless you enable the no-interact keyword. (For information on which features are disabled and which features are enabled, see the "Securing the Management Plane" section and the "Securing the Forwarding Plane" section.) Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 20 This chapter describes how to use the automatic quality of service (QoS) configuration feature. Release 12.2(33)SXH and later releases support the automatic quality of service (QoS) configuration feature. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter consists of these sections: •Understanding AutoQoS •Using AutoQoS AutoQoS is a macro that applies the recommended Architecture for Voice, Video, and Integrated Data (AVVID) QoS settings to a port. These sections describe how autoQoS works: •AutoQoS Support for a Cisco IP Phone •AutoQoS Support for Cisco IP Communicator •AutoQoS Support for Marked Traffic Cisco IP phones are usually connected directly to ports. Optionally, you can attach a PC to the phone and use the phone as a hop to the switch. The traffic that comes from the phone can be marked with an 802.1Q or 802.1p tag. The tag contains a VLAN ID and CoS value. When you configure the port to trust the CoS value that comes from the phone, the switch uses the CoS value to prioritize the phone traffic. There is a three-port switch built into Cisco IP phones that forwards the traffic that comes from the PC, the phone, and the switch port. Cisco IP phones have trust and classification capabilities that you need to configure (see the "Configuring Cisco IP Phone Support" section). AutoQoS supports Cisco IP phones with the auto qos voip cisco-phone interface configuration command. When you enter the auto qos voip cisco-phone interface configuration command on a port that is configured to support an IP phone and to which an IP phone is connected, the autoQoS feature does the following: •If QoS was not already enabled, enables QoS globally. •If VLAN-based QoS was configured for the port, reverts to the default port-based QoS (done for all ports on switching modules with 1p1q0t/1p3q1t ports). •Sets the port trust state to trust CoS. •Creates and applies a trust-CoS QoS policy to ports on switching modules with non-Gigabit Ethernet 1q4t/2q2t ports, which do not support port trust. The Cisco IP Communicator program runs on a PC and emulates a Cisco IP phone. The Cisco IP Communicator marks its voice traffic with a DSCP value instead of a CoS value. When you configure the port to trust the DSCP value that comes from the Cisco IP Communicator, the switch uses the DSCP value to prioritize the Cisco IP Communicator traffic. AutoQoS supports the Cisco IP Communicator program with the auto qos voip cisco-softphone interface configuration command. When you enter the auto qos voip cisco-softphone interface configuration command on a port that is connected to a device running the Cisco IP Communicator program, the autoQoS feature does the following: •If QoS was not already enabled, enables QoS globally. •If VLAN-based QoS was configured for the port, reverts to the default port-based QoS (done for all ports on switching modules with 1p1q0t/1p3q1t ports). •If a trust state was configured for the port, reverts to the default untrusted state. •Creates and applies ingress policers to trust DSCP 46 and remark DSCP 26 packets to DSCP 24. Packets with other DSCP values or out-of-profile packets are remarked with DSCP 0. Ports that connect to the interior of your network might receive traffic that has already been marked with QoS labels that are consistent with your network QoS policies, and which do not need to be changed. You can use the QoS trust feature to process the marked traffic using the received QoS values. AutoQoS supports marked traffic with the auto qos voip trust interface configuration command. When you enter the auto qos voip trust interface configuration command, the autoQoS feature does the following: •If QoS was not already enabled, enables QoS globally. •If VLAN-based QoS was configured for the port, reverts to the default port-based QoS (done for all ports on switching modules with 1p1q0t/1p3q1t ports). •If the port is configured with the switchport command, sets the port trust state to trust CoS. •If the port is not configured with the switchport command, sets the port trust state to trust DSCP. •Creates and applies a trust-CoS or trust-DSCP QoS policy to ports on switching modules with non-Gigabit Ethernet 1q4t/2q2t ports, which do not support port trust. These sections describe how to use autoQoS: •AutoQoS Configuration Guidelines and Restrictions •Configuring AutoQoS These sections provide the configuration guidelines and restrictions for autoQoS: •AutoQoS generates commands for the port and adds the generated commands to the running configuration. •The generated QoS commands are applied as if you were entering them from the CLI. An existing configuration might cause the application of the generated commands to fail or an existing configuration might be overridden by the generated commands. These actions occur without warning. If the generated commands are successfully applied, any configuration that was not overridden remains in the running configuration. Any commands that were overridden might still exist in the startup-config file. •Some of the generated commands are the type of PFC QoS commands that are applied to all ports controlled by a port ASIC. When one of these commands is applied, PFC QoS displays the messages caused by application of the command to all the ports controlled by the port ASIC. Depending on the module, these commands are applied to as many as 48 ports. See the "Number of port groups" and "Port ranges per port group" listed for each module in the Release Notes for Cisco IOS Release 12.2SX. •You might not be able to configure support for Cisco IP phones and the other autoQoS options on ports that are controlled by the same port ASIC because of conflicting port trust state requirements. •If application of the generated commands fails, the previous running configuration is restored. •Enable autoQoS before you configure other QoS commands. If necessary, you can modify the QoS configuration after the autoQoS configuration completes. •AutoQoS cannot attach a policy map to an interface if there is already a policy map attached. •Do not modify a policy map or class map that includes AUTOQOS in its name. •You cannot configure autoQoS on the following: –Port-channel interfaces –VLAN interfaces (also known as switch virtual interfaces or SVIs) –Tunnel interfaces –Loopback interfaces –Subinterfaces on any type of interface AutoQoS generates commands that are appropriate for the QoS port architecture of the port on which you enter an auto qos voip command. For each of the different auto qos voip commands, autoQoS generates different QoS commands for each of these QoS port architectures: •1p1q0t/1p3q1t •1p1q4t/1p2q2t •1p1q4t/1p3q8t •1p1q8t/1p2q1t •1q2t/1p2q2t •1q2t/1p3q8t •1q4t/2q2t •1q8t/1p3q8t •1q8t/1p7q8t •2q8t/1p3q8t •8q4t/1p7q4t •8q8t/1p7q8t The procedures in the following sections include the commands that you need to enter to display the generated commands, but the specific commands that autoQoS generates are not listed in this document. These sections describe how to configure autoQoS: •Configuring AutoQoS Support for a Cisco IP Phone •Configuring AutoQoS Support for Cisco IP Communicator •Configuring AutoQoS Support for Marked Traffic Note Complete the configuration procedures in the "Configuring Cisco IP Phone Support" section before you configure autoQoS for a Cisco IP phone. To configure autoQoS for a Cisco IP phone, perform this task:
When configuring autoQoS for a Cisco IP phone, note the following information: •To disable autoQoS on an interface, use the no auto qos voip interface configuration command. Note The no auto qos voip interface configuration command does not disable QoS globally or delete the received CoS to internal DSCP map created by autoQoS. •You might see messages that instruct you to configure other ports to trust CoS. You must do so to enable the autoQoS generated commands. This example shows how to enable autoQoS on Fast Ethernet interface 1/1: To configure autoQoS for Cisco IP Communicator, perform this task:
When configuring autoQoS for Cisco IP Communicator, note the following information: •To disable autoQoS on an interface, use the no auto qos voip interface configuration command. Note The no auto qos voip interface configuration command does not disable QoS globally or delete the policy, class, and DSCP markdown maps created by autoQoS. •You cannot configure support for Cisco IP Communicator on ports that are configured with the switchport keyword. •PFC QoS supports 1023 aggregate policers and each use of the auto qos voip cisco-softphone command on a port uses two aggregate policers. This example shows how to enable autoQoS on Fast Ethernet interface 1/1: To configure autoQoS for marked traffic, perform this task:
When configuring autoQoS to trust marked traffic, note the following information: •To disable autoQoS on an interface, use the no auto qos voip interface configuration command. Note The no auto qos voip interface configuration command does not disable QoS globally or delete the received CoS to internal DSCP map created by autoQoS. •For ports configured with the switchport command, you might see messages that instruct you to configure other ports to trust CoS. You must do so to enable the autoQoS generated commands. This example shows how to enable autoQoS on Fast Ethernet interface 1/1: Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 21 This chapter describes how to configure quality of service (QoS) as implemented on the Policy Feature Card (PFC) and Distributed Forwarding Cards (DFCs) in Cisco IOS Release 12.2SX. Note•For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html •For information about Auto-QoS, see Chapter 44 "Using AutoQoS." •For information about QoS and MPLS, see Chapter 45 "Configuring MPLS QoS." •QoS in Cisco IOS Release 12.2SX (PFC QoS) uses some Cisco IOS modular QoS CLI (MQC). Because PFC QoS is implemented in hardware, it supports only a subset of the MQC syntax. •The PFC3 does not support Network-Based Application Recognition (NBAR). •With releases earlier than Release 12.2(33)SXJ3, do not use the default DSCP-based queue mapping for 8q4t ingress queues unless you configure supporting bandwidth and queue limits (CSCts82932). Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter contains these sections: •Understanding PFC QoS •PFC QoS Default Configuration •PFC QoS Configuration Guidelines and Restrictions •Configuring PFC QoS •Common QoS Scenarios •PFC QoS Glossary The term "PFC QoS" refers to QoS in Cisco IOS Release 12.2SX. PFC QoS is implemented on various switch components in addition to the PFC and any DFCs. These sections describe how PFC QoS works: •Port Types Supported by PFC QoS •Overview •Component Overview •Understanding Classification and Marking •Understanding Port-Based Queue Types The PFC does not provide QoS for FlexWAN module ports. See this publication for information about FlexWAN module QoS features: http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/flexwan-config-guide.html In all releases, PFC QoS supports LAN ports. LAN ports are Ethernet ports on Ethernet switching modules. Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped. QoS makes network performance more predictable and bandwidth utilization more effective. QoS selects (classifies) network traffic, uses or assigns QoS labels to indicate priority, makes the packets comply with the configured resource usage limits (polices the traffic and marks the traffic), and provides congestion avoidance where resource contention exists. PFC QoS classification, policing, marking, and congestion avoidance is implemented in hardware on the PFC, DFCs, and in LAN switching module port Application Specific Integrated Circuits (ASICs). Note Cisco IOS Release 12.2SX does not support all of the MQC features (for example, Committed Access Rate (CAR)) for traffic that is Layer 3 switched or Layer 2 switched in hardware. Because queuing is implemented in the port ASICs, Cisco IOS Release 12.2SX does not support MQC-configured queuing. Figure 43-1 shows an overview of QoS processing in a switch supported by Cisco IOS Release 12.2SX. Figure 43-1 PFC QoS Feature Processing Overview The PFC QoS features are applied in this order: 1. Ingress port PFC QoS features: –Port trust state—In PFC QoS, trust means to accept as valid and use as the basis of the initial internal DSCP value. Ports are untrusted by default, which sets the initial internal DSCP value to zero. You can configure ports to trust one of three types of received QoS values: CoS, IP precedence, or DSCP. –Layer 2 CoS remarking—PFC QoS applies Layer 2 CoS remarking, which marks the incoming frame with the port CoS value, in these situations: —If the traffic is not in an ISL, 802.1Q, or 802.1p frame. —If a port is configured as untrusted. –Congestion avoidance—If you configure an Ethernet LAN port to trust CoS or DSCP, QoS classifies the traffic on the basis of its Layer 2 CoS value or its Layer 3 DSCP value and assigns it to an ingress queue to provide congestion avoidance. Layer 3 DSCP-based queue mapping is available only on WS-X6708-10GE, WS-X6716-10GE, WS-X6716-10T, and Supervisor Engine 720-10GE ports. 2. PFC and DFC QoS features: –Internal DSCP—On the PFC and DFCs, QoS associates an internal DSCP value with all traffic to classify it for processing through the system. There is an initial internal DSCP based on the traffic trust state and a final internal DSCP. The final internal DSCP can be the same as the initial value or an MQC policy map can set it to a different value. –MQC policy maps—MQC policy maps can do one or more of these operations: —Change the trust state of the traffic (bases the internal DSCP value on a different QoS label) —Set the initial internal DSCP value (only for traffic from untrusted ports) —Mark the traffic —Police the traffic 3. Egress Ethernet LAN port QoS features: –Layer 3 DSCP marking with the final internal DSCP (optional) –Layer 2 CoS marking mapped from the final internal DSCP –Layer 2 CoS-based and Layer 3 DSCP-based congestion avoidance. (Layer 3 DSCP-based queue mapping is available only on WS-X6708-10GE, WS-X6716-10GE, WS-X6716-10T, and Supervisor Engine 720-10GE ports.) These figures provide more detail about the relationship between QoS and the switch components: •Figure 43-2, Traffic Flow and PFC QoS Features with a PFC3 •Figure 43-3, PFC QoS Features and Component Overview Figure 43-2 shows traffic flow and PFC QoS features with a PFC3. Figure 43-2 Traffic Flow and PFC QoS Features with a PFC3 Figure 43-2 shows how traffic flows through the PFC QoS features with PFC3: •Traffic can enter on any type of port and exit on any type of port. •DFCs implement PFC QoS locally on switching modules. •For FlexWAN module traffic: –Ingress FlexWAN QoS features can be applied to FlexWAN ingress traffic. –Ingress FlexWAN traffic can be Layer 3-switched by the PFC3 or routed in software by the route processor (RP). –Egress PFC QoS is not applied to FlexWAN ingress traffic. –Egress FlexWAN QoS can be applied to FlexWAN egress traffic. •For LAN-port traffic: –Ingress LAN port QoS features can be applied to LAN port ingress traffic. –Ingress PFC QoS can be applied to LAN port ingress traffic. –Ingress LAN port traffic can be Layer 2- or Layer 3-switched by the PFC3 or routed in software by the RP. –Egress PFC QoS and egress LAN port QoS can be applied to LAN port egress traffic. Figure 43-3 PFC QoS Features and Component Overview These sections provide more detail about the role of the following components in PFC QoS decisions and processes: •Ingress LAN Port PFC QoS Features •PFC and DFC QoS Features •PFC QoS Egress Port Features These sections provide an overview of the ingress port QoS features: •Flowchart of Ingress LAN Port PFC QoS Features •Port Trust •Ingress Congestion Avoidance Figure 43-4 shows how traffic flows through the ingress LAN port PFC QoS features. Figure 43-4 Ingress LAN Port PFC QoS Features Note•Ingress CoS mutation is supported only on 802.1Q tunnel ports. •DSCP-based queue mapping is supported only on WS-X6708-10GE, WS-X6716-10GE, WS-X6716-10T, and Supervisor Engine 720-10GE ports. In PFC QoS, trust means to accept as valid and use as the basis of the initial internal DSCP value. You can configure ports as untrusted or you can configure them to trust these QoS values: •Layer 2 CoS –A port configured to trust CoS is called a trust CoS port. –Traffic received through a trust CoS port or configured by a policy map to trust CoS is called trust CoS traffic. Note Not all traffic carries a CoS value. Only ISL, 802.1Q, and 802.1P traffic carries a CoS value. PFC QoS applies the port CoS value to any traffic that does not carry a CoS value. On untrusted ports, PFC QoS applies the port CoS value to all traffic, overwriting any received CoS value. •IP precedence –A port configured to trust IP precedence is called a trust IP precedence port. –Traffic received through a trust IP precedence port or configured by a policy map to trust IP precedence is called trust IP precedence traffic. •DSCP –A port configured to trust DSCP is called a trust DSCP port. –Traffic received through a trust DSCP port or configured by a policy map to trust DSCP is called trust DSCP traffic. Traffic received through an untrusted port is called untrusted traffic. PFC QoS implements congestion avoidance on trust CoS ports. On a trust CoS port, QoS classifies the traffic on the basis of its Layer 2 CoS value and assigns it to an ingress queue to provide congestion avoidance. You can configure WS-X6708-10GE, WS-X6716-10GE, WS-X6716-10T, and Supervisor Engine 720-10GE trust DSCP ports to use received DSCP values for congestion avoidance. See the "Ingress Classification and Marking at Trust CoS LAN Ports" section for more information about ingress congestion avoidance. These sections describe PFCs and DFCs as they relate to QoS: •Supported Policy Feature Cards •Supported Distributed Forwarding Cards •PFC and DFC QoS Feature List and Flowchart •Internal DSCP Values •Port-Based PFC QoS and VLAN-Based PFC QoS •Session-Based PFC QoS The policy feature card (PFC) is a daughter card on the supervisor engine. The PFC provides QoS in addition to other functionality. The following PFCs are supported in Cisco IOS Release 12.2SX: •PFC3A on the Supervisor Engine 720 •PFC3B on the Supervisor Engine 720 and Supervisor Engine 32 •PFC3BXL on the Supervisor Engine 720 •PFC3C on the Cisco ME 6500 Series Ethernet switches and the Supervisor Engine 720-10GE •PFC3CXL on the Supervisor Engine 720-10GE The PFC sends a copy of the QoS policies to the distributed forwarding card (DFC) to provide local support for the QoS policies, which enables the DFCs to support the same QoS features that the PFC supports. These DFCs are supported on the Catalyst 6500 series switches: •For use on dCEF256 and CEF256 modules with a Supervisor Engine 720: –WS-F6K-DFC3A –WS-F6K-DFC3B –WS-F6K-DFC3BXL •For use on CEF720 modules with a Supervisor Engine 720: –WS-F6700-DFC3A –WS-F6700-DFC3B –WS-F6700-DFC3BXL •For use on CEF720 modules with Supervisor Engine 720 and Supervisor Engine 720-10GE: –WS-F6700-DFC3CXL –WS-F6700-DFC3C Table 43-1 lists the QoS features supported on the different versions of PFCs and DFCs.
Figure 43-5 shows how traffic flows through the QoS features on the PFC and DFCs. Figure 43-5 QoS Features on the PFC and DFCs Note The DSCP transparency feature makes writing the egress DSCP value into the Layer 3 ToS byte optional. During processing, PFC QoS represents the priority of all traffic (including non-IP traffic) with an internal DSCP value. Initial Internal DSCP Value On the PFC, before any marking or policing takes place, PFC QoS derives the initial internal DSCP value as follows: •For untrusted traffic, when ignore port trust is not enabled, PFC QoS sets the initial internal DSCP value to zero for both tagged and untagged untrusted traffic. •For untrusted traffic, when ignore port trust is enabled, PFC QoS does the following: –For IP traffic, PFC QoS uses the received DSCP value as the initial internal DSCP value. –For traffic without a recognizable ToS byte, PFC QoS maps the port CoS value to the initial internal DSCP value. •For trust CoS traffic, when ignore port trust is enabled, PFC QoS does the following: –For IP traffic, PFC QoS uses the received DSCP value as the initial internal DSCP value. Note For trust CoS traffic, when ignore port trust is enabled, PFC QoS does not use the received CoS value in tagged IP traffic. When ignore port trust is disabled, PFC QoS uses the received CoS value in tagged IP traffic. –For tagged traffic without a recognizable ToS byte, PFC QoS maps the received CoS value to the initial internal DSCP value. –For untagged traffic without a recognizable ToS byte, PFC QoS maps the port CoS value to the initial internal DSCP value. •For trust IP precedence traffic, PFC QoS does the following: –For IP traffic, PFC QoS maps the received IP precedence value to the initial internal DSCP value. –For tagged traffic without a recognizable ToS byte, PFC QoS maps the received CoS value to the initial internal DSCP value. –For untagged traffic without a recognizable ToS byte, PFC QoS maps the port CoS value to the initial internal DSCP value. •For trust DSCP traffic, PFC QoS, PFC QoS does the following: –For IP traffic, PFC QoS uses the received DSCP value as the initial internal DSCP value. –For tagged traffic without a recognizable ToS byte, PFC QoS maps the received CoS value to the initial internal DSCP value. –For untagged traffic without a recognizable ToS byte, PFC QoS maps the port CoS value to the initial internal DSCP value. For trust CoS traffic and trust IP precedence traffic, PFC QoS uses configurable maps to derive the initial internal 6-bit DSCP value from CoS or IP precedence, which are 3-bit values. Final Internal DSCP Value Policy marking and policing on the PFC can change the initial internal DSCP value to a final internal DSCP value, which is then used for all subsequently applied QoS features. You can configure each ingress LAN port for either physical port-based PFC QoS (default) or VLAN-based PFC QoS and attach a policy map to the selected interface. On ports configured for port-based PFC QoS, you can attach a policy map to the ingress LAN port as follows: •On a nontrunk ingress LAN port configured for port-based PFC QoS, all traffic received through the port is subject to the policy map attached to the port. •On a trunking ingress LAN port configured for port-based PFC QoS, traffic in all VLANs received through the port is subject to the policy map attached to the port. On a nontrunk ingress LAN port configured for VLAN-based PFC QoS, traffic received through the port is subject to the policy map attached to the port's VLAN. On a trunking ingress LAN port configured for VLAN-based PFC QoS, traffic received through the port is subject to the policy map attached to the traffic's VLAN. In Cisco IOS Software Release 12.2(33)SXI and later releases, you can configure the dynamic delivery of a policy map to an interface by the AAA server when a user authenticates on that interface. This feature allows per-user or per-session QoS at the interface level, so that a user who connects by different interfaces at different times will always receive the same QoS treatment. For each user of session-based QoS, you must set these attribute-value (AV) pairs on the AAA server by using RADIUS cisco-av-pair vendor-specific attributes (VSAs): •cisco-avpair = "ip:sub-policy-In=in_policy_name" •cisco-avpair = "ip:sub-policy-Out=out_policy_name" The in_policy_name and out_policy_name arguments are the names of the ingress and egress QoS policy maps to be applied to an interface when a user authenticates on that interface. The policy maps will be removed from the interface when the user logs off and the session is terminated. For session-based QoS configuration information, see the "Configuring Dynamic Per-Session Attachment of a Policy Map" section. These sections describe PFC QoS egress port features: •Flowchart of PFC QoS Egress LAN Port Features •Egress CoS Values •Egress DSCP Mutation •Egress ToS Byte •Egress PFC QoS Interfaces •Egress ACL Support for Remarked DSCP Figure 43-6 shows how traffic flows through the QoS features on egress LAN ports. Figure 43-6 Egress LAN Port Scheduling, Congestion Avoidance, and Marking For all egress traffic, PFC QoS uses a configurable map to derive a CoS value from the final internal DSCP value associated with the traffic. PFC QoS sends the derived CoS value to the egress LAN ports for use in classification and congestion avoidance and to be written into ISL and 802.1Q frames. Note You can configure WS-X6708-10GE, WS-X6716-10GE, WS-X6716-10T, and Supervisor Engine 720-10GE ports to use the final internal DSCP value for egress LAN port classification and congestion avoidance (see the "Configuring DSCP-Based Queue Mapping" section). You can configure 15 egress DSCP mutation maps to mutate the internal DSCP value before it is written in the egress ToS byte. You can attach egress DSCP mutation maps to any interface on which PFC QoS supports egress QoS. Note If you configure egress DSCP mutation, PFC QoS does not derive the egress CoS value from the mutated DSCP value. Except when DSCP transparency is enabled, PFC QoS creates a ToS byte for egress IP traffic from the final internal or mutated DSCP value and sends it to the egress port to be written into IP packets. For trust DSCP and untrusted IP traffic, the ToS byte includes the original two least-significant bits from the received ToS byte. The internal or mutated DSCP value can mimic an IP precedence value (see the "IP Precedence and DSCP Values" section). You can attach an output policy map to a Layer 3 interface (either a LAN port configured as a Layer 3 interface or a VLAN interface) to apply a policy map to egress traffic. Note•Output policies do not support microflow policing. •You cannot apply microflow policing to ARP traffic. •You cannot set a trust state in an output policy. Note Egress ACL support for remarked DSCP is also known as packet recirculation. The PFC3 supports egress ACL support for remarked DSCP, which enables IP precedence-based or DSCP-based egress QoS filtering to use any IP precedence or DSCP policing or marking changes made by ingress PFC QoS. Without egress ACL support for remarked DSCP, egress QoS filtering uses received IP precedence or DSCP values; it does not use any IP precedence or DSCP changes made by ingress PFC QoS as the result of policing or marking. The PFC3 provides egress PFC QoS only for Layer 3-switched and routed traffic on egress Layer 3 interfaces (either LAN ports configured as Layer 3 interfaces or VLAN interfaces). You configure egress ACL support for remarked DSCP on ingress Layer 3 interfaces (either LAN ports configured as Layer 3 interfaces or VLAN interfaces). On interfaces where egress ACL support for remarked DSCP is configured, the PFC3 processes each QoS-filtered IP packet twice: once to apply ingress PFC QoS and once to apply egress PFC QoS. After packets have been processed by ingress PFC QoS and any policing or marking changes have been made, the packets are processed again on the ingress interface by any configured Layer 2 features (for example, VACLs) before being processed by egress PFC QoS. On an interface where egress ACL support for remarked DSCP is configured, if a Layer 2 feature matches the ingress-QoS-modified IP precedence or DSCP value, the Layer 2 feature might redirect or drop the matched packets, which prevents them from being processed by egress QoS. After packets have been processed by ingress PFC QoS and any policing or marking changes have been made, the packets are processed on the ingress interface by any configured Layer 3 features (for example, ingress Cisco IOS ACLs, policy-based routing (PBR), etc.) before being processed by egress PFC QoS. The Layer 3 features configured on an interface where egress ACL support for remarked DSCP is configured might redirect or drop the packets that have been processed by ingress PFC QoS, which would prevent them from being processed by egress PFC QoS. The following sections describe where and how classification and marking occur in Cisco IOS Release 12.2SX: •Classification and Marking at Trusted and Untrusted Ingress Ports •Classification and Marking on the PFC Using Service Policies and Policy Maps •Classification and Marking on the RP The trust state of an ingress port determines how the port marks, schedules, and classifies received Layer 2 frames, and whether or not congestion avoidance is implemented. These are the port trust states: •Untrusted (default) •Trust IP precedence •Trust DSCP •Trust CoS Ingress LAN port classification, marking, and congestion avoidance can use Layer 2 CoS values and do not set Layer 3 IP precedence or DSCP values. You can configure WS-X6708-10GE, WS-X6716-10GE, WS-X6716-10T, and Supervisor Engine 720-10GE ports to use received DSCP values for ingress LAN port classification and congestion avoidance (see the "Configuring DSCP-Based Queue Mapping" section). Ingress LAN port classification, marking, and congestion avoidance on other ports use Layer 2 CoS values only. The following sections describe classification and marking at trusted and untrusted ingress ports: •Classification and Marking at Untrusted Ingress Ports •Ingress Classification and Marking at Trusted Ports PFC QoS Layer 2 remarking marks all frames received through untrusted ports with the port CoS value (the default is zero). To map the port CoS value that was applied to untrusted ingress traffic to the initial internal DSCP value, configure a trust CoS policy map that matches the ingress traffic. You should configure ports to trust only if they receive traffic that carries valid QoS labels. QoS uses the received QoS labels as the basis of initial internal DSCP value. After the traffic enters the switch, you can apply a different trust state to traffic with a policy map. For example, traffic can enter the switch through a trust CoS port, and then you can use a policy map to trust IP precedence or DSCP, which uses the trusted value as the basis of the initial internal DSCP value, instead of the QoS label that was trusted at the port. These sections describe classification and marking at trusted ingress ports: •Ingress Classification and Marking at Trust CoS LAN Ports •Ingress Classification and Marking at Trust IP Precedence Ports •Ingress Classification and Marking at Trust DSCP Ports Ingress Classification and Marking at Trust CoS LAN Ports You should configure LAN ports to trust CoS only if they receive traffic that carries valid Layer 2 CoS. When an ISL frame enters the switch through a trusted ingress LAN port, PFC QoS accepts the three least significant bits in the User field as a CoS value. When an 802.1Q frame enters the switch through a trusted ingress LAN port, PFC QoS accepts the User Priority bits as a CoS value. PFC QoS Layer 2 remarking marks all traffic received in untagged frames with the ingress port CoS value. On ports configured to trust CoS, PFC QoS does the following: •PFC QoS maps the received CoS value in tagged trust CoS traffic to the initial internal DSCP value. •PFC QoS maps the ingress port CoS value applied to untagged trusted traffic to the initial internal DSCP value. •PFC QoS enables the CoS-based ingress queues and thresholds to provide congestion avoidance. See the "Understanding Port-Based Queue Types" section for more information about ingress queues and thresholds. Ingress Classification and Marking at Trust IP Precedence Ports You should configure ports to trust IP precedence only if they receive traffic that carries valid Layer 3 IP precedence. For traffic from trust IP precedence ports, PFC QoS maps the received IP precedence value to the initial internal DSCP value. Because the ingress port queues and thresholds use Layer 2 CoS, PFC QoS does not implement ingress port congestion avoidance on ports configured to trust IP precedence. PFC does not mark any traffic on ingress ports configured to trust IP precedence. Ingress Classification and Marking at Trust DSCP Ports You should configure ports to trust DSCP only if they receive traffic that carries valid Layer 3 DSCP. You can enable DSCP-based ingress queues and thresholds on WS-X6708-10GE, WS-X6716-10GE, WS-X6716-10T, and Supervisor Engine 720-10GE ports to provide congestion avoidance (see the "Configuring DSCP-Based Queue Mapping" section). The ingress port queues and thresholds on other ports use only Layer 2 CoS. For traffic from trust DSCP ports, PFC QoS uses the received DSCP value as the initial internal DSCP value. PFC QoS does not mark any traffic on ingress ports configured to trust received DSCP. PFC QoS supports classification and marking with service policies that attach one policy map to these interface types to apply ingress PFC QoS: •Each ingress port (except FlexWAN interfaces) •Each EtherChannel port-channel interface •Each VLAN interface Note•With releases earlier than Release 12.2(33)SXI, VSS mode does not support ingress service policies on Layer 2 ports. •With Release 12.2(33)SXI and later releases, VSS mode supports ingress service policies on Layer 2 ports. You can attach one policy map to each Layer 3 interface (except FlexWAN interfaces) to apply egress PFC QoS. Each policy map can contain multiple policy-map classes. You can configure a separate policy-map class for each type of traffic handled by the interface. There are two ways to configure filtering in policy-map classes: •Access control lists (ACLs) •Class-map match commands for IP precedence and DSCP values Policy-map classes specify actions with the following optional commands: •Policy-map set commands—For untrusted traffic or if ignore port trust is enabled, PFC QoS can use configured IP precedence or DSCP values as the final internal DSCP value. The "IP Precedence and DSCP Values" section shows the bit values for IP precedence and DSCP. •Policy-map class trust commands—PFC QoS applies the policy-map class trust state to matched ingress traffic, which then uses the trusted value as the basis of its initial internal DSCP value, instead of the QoS label that was trusted at the port (if any). In a policy map, you can trust CoS, IP precedence, or DSCP. Note A trust CoS policy map cannot restore received CoS in traffic from untrusted ports. Traffic from untrusted ports always has the port CoS value. •Aggregate and microflow policers—PFC QoS can use policers to either mark or drop both conforming and nonconforming traffic. PFC QoS sends IP traffic to the RP with the final internal DSCP values. CoS is equal to IP precedence in all traffic sent from the RP to egress ports. Figure 43-7 RP Marking Note Traffic that is Layer 3 switched on the PFC does not go through the RP and retains the CoS value assigned by the PFC. These sections describe policers: •Overview of Policers •Aggregate Policers •Microflow Policers Policing allows you to rate limit incoming and outgoing traffic so that it adheres to the traffic forwarding rules defined by the QoS configuration. Sometimes these configured rules for how traffic should be forwarded through the system are referred to as a contract. If the traffic does not adhere to this contract, it is marked down to a lower DSCP value or dropped. Policing does not buffer out-of-profile packets. As a result, policing does not affect transmission delay. In contrast, traffic shaping works by buffering out-of-profile traffic, which moderates the traffic bursts. (PFC QoS does not support shaping.) The PFC3 supports ingress and egress PFC QoS, which includes ingress and egress policing. Traffic shaping is supported on some WAN modules. Note Policers can act on ingress traffic per-port or per-VLAN. For egress traffic, the policers can act per-VLAN only. You can create policers to do the following: •Mark traffic •Limit bandwidth utilization and mark traffic PFC QoS applies the bandwidth limits specified in an aggregate policer cumulatively to all flows in matched traffic. For example, if you configure an aggregate policer to allow 1 Mbps for all TFTP traffic flows on VLAN 1 and VLAN 3, it limits the TFTP traffic for all flows combined on VLAN 1 and VLAN 3 to 1 Mbps. •You define per-interface aggregate policers in a policy map class with the police command. If you attach a per-interface aggregate policer to multiple ingress ports, it polices the matched traffic on each ingress port separately. •You create named aggregate policers with the mls qos aggregate-policer command. If you attach a named aggregate policer to multiple ingress ports, it polices the matched traffic from all the ingress ports to which it is attached. •Aggregate policing works independently on each DFC-equipped switching module and independently on the PFC, which supports any non-DFC-equipped switching modules. Aggregate policing does not combine flow statistics from different DFC-equipped switching modules. You can display aggregate policing statistics for each DFC-equipped switching module and for the PFC and any non-DFC-equipped switching modules supported by the PFC. •Each PFC or DFC polices independently, which might affect QoS features being applied to traffic that is distributed across the PFC and any DFCs. Examples of these QoS feature are: –Policers applied to a port channel interface. –Policers applied to a switched virtual interface. –Egress policers applied to either a Layer 3 interface or an SVI. Note that PFC QoS performs egress policing decisions at the ingress interface, on the PFC or ingress DFC. Policers affected by this restriction deliver an aggregate rate that is the sum of all the independent policing rates. PFC QoS applies the bandwidth limit specified in a microflow policer separately to each flow in matched traffic. For example, if you configure a microflow policer to limit the TFTP traffic to 1 Mbps on VLAN 1 and VLAN 3, then 1 Mbps is allowed for each flow in VLAN 1 and 1 Mbps for each flow in VLAN 3. In other words, if there are three flows in VLAN 1 and four flows in VLAN 3, the microflow policer allows each of these flows 1 Mbps. You can configure PFC QoS to apply the bandwidth limits in a microflow policer as follows: •You can create microflow policers with up to 63 different rate and burst parameter combinations. •You create microflow policers in a policy map class with the police flow command. •You can configure a microflow policer to use only source addresses, which applies the microflow policer to all traffic from a source address regardless of the destination addresses. •You can configure a microflow policer to use only destination addresses, which applies the microflow policer to all traffic to a destination address regardless of the source addresses. •For MAC-Layer microflow policing, PFC QoS considers MAC-Layer traffic with the same protocol and the same source and destination MAC-Layer addresses to be part of the same flow, including traffic with different EtherTypes. You can configure MAC ACLs to filter IPX traffic. Note With Release 12.2(33)SXI4 and later releases, when appropriate for the configuration of the policer, microflow policers use the interface-full flow mask, which can reduce flowmask conflicts. Releases earlier than Release 12.2(33)SXI4 use the full flow mask. •By default, microflow policers only affect traffic routed by the RP. To enable microflow policing of other traffic, including traffic in bridge groups, enter the mls qos bridged command. •You cannot apply microflow policing to ARP traffic. •You cannot apply microflow policing to IPv6 multicast traffic. You can include both an aggregate policer and a microflow policer in each policy map class to police a flow based on both its own bandwidth utilization and on its bandwidth utilization combined with that of other flows. Note If traffic is both aggregate and microflow policed, then the aggregate and microflow policers must both be in the same policy-map class and each must use the same conform-action and exceed-action keyword option: drop, set-dscp-transmit, set-prec-transmit, or transmit. For example, you could create a microflow policer with a bandwidth limit suitable for individuals in a group, and you could create a named aggregate policer with bandwidth limits suitable for the group as a whole. You could include both policers in policy map classes that match the group's traffic. The combination would affect individual flows separately and the group aggregately. For policy map classes that include both an aggregate and a microflow policer, PFC QoS responds to an out-of-profile status from either policer and, as specified by the policer, applies a new DSCP value or drops the packet. If both policers return an out-of-profile status, then if either policer specifies that the packet is to be dropped, it is dropped; otherwise, PFC QoS applies a marked-down DSCP value. Note To avoid inconsistent results, ensure that all traffic policed by the same aggregate policer has the same trust state. Policing uses the Layer 2 frame size. You specify the bandwidth utilization limit as a committed information rate (CIR). You can also specify a higher peak information rate (PIR). Packets that exceed a rate are "out of profile" or "nonconforming." In each policer, you specify if out-of-profile packets are to be dropped or to have a new DSCP value applied to them (applying a new DSCP value is called "markdown"). Because out-of-profile packets do not retain their original priority, they are not counted as part of the bandwidth consumed by in-profile packets. If you configure a PIR, the PIR out-of-profile action cannot be less severe than the CIR out-of-profile action. For example, if the CIR out-of-profile action is to mark down the traffic, then the PIR out-of-profile action cannot be to transmit the traffic. For all policers, PFC QoS uses a configurable global table that maps the internal DSCP value to a marked-down DSCP value. When markdown occurs, PFC QoS gets the marked-down DSCP value from the table. You cannot specify marked-down DSCP values in individual policers. Note•Policing with the conform-action transmit keywords supersedes the ingress LAN port trust state of matched traffic with trust DSCP or with the trust state defined by a trust policy-map class command. •By default, the markdown table is configured so that no markdown occurs: the marked-down DSCP values are equal to the original DSCP values. To enable markdown, configure the table appropriately for your network. •When you apply both ingress policing and egress policing to the same traffic, both the input policy and the output policy must either mark down traffic or drop traffic. PFC QoS does not support ingress markdown with egress drop or ingress drop with egress markdown. Port-based queue types are determined by the ASICs that control the ports. The following sections describe the queue types, drop thresholds, and buffers that are supported on the LAN switching modules: •Ingress and Egress Buffers and Layer 2 CoS-Based Queues •Ingress Queue Types •Egress Queue Types •Module to Queue Type Mappings The Ethernet port ASICs have buffers that are divided into a fixed number of queues. When congestion avoidance is enabled, PFC QoS uses the traffic's Layer 2 CoS value to assign traffic to the queues. The buffers and queues store frames temporarily as they transit the switch. PFC QoS allocates the port ASIC memory as buffers for each queue on each port. The Ethernet ports support the following types of queues: •Standard queues •Strict-priority queues The Ethernet ports support the following types of scheduling algorithms between queues: •Shaped round robin (SRR)—SRR allows a queue to use only the allocated bandwidth. •Deficit weighted round robin (DWRR)—DWRR keeps track of any lower-priority queue under-transmission caused by traffic in a higher-priority queue and compensates in the next round. •Weighted Round Robin (WRR)—WRR does not explicitly reserve bandwidth for the queues. Instead, the amount of bandwidth assigned to each queue is user configurable. The percentage or weight allocated to a queue defines the amount of bandwidth allocated to the queue. •Strict-priority queueing—Strict priority queueing allows delay-sensitive data such as voice to be dequeued and sent before packets in other queues are dequeued, giving delay-sensitive data preferential treatment over other traffic. The switch services traffic in the strict-priority transmit queue before servicing the standard queues. After transmitting a packet from a standard queue, the switch checks for traffic in the strict-priority queue. If the switch detects traffic in the strict-priority queue, it suspends its service of the standard queue and completes service of all traffic in the strict-priority queue before returning to the standard queue. The Ethernet ports provide congestion avoidance with these types of thresholds within a queue: •Weighted Random Early Detection (WRED)—On ports with WRED drop thresholds, frames with a given QoS label are admitted to the queue based on a random probability designed to avoid buffer congestion. The probability of a frame with a given QoS label being admitted to the queue or discarded depends on the weight and threshold assigned to that QoS label. For example, if CoS 2 is assigned to queue 1, threshold 2, and the threshold 2 levels are 40 percent (low) and 80 percent (high), then frames with CoS 2 will not be dropped until queue 1 is at least 40 percent full. As the queue depth approaches 80 percent, frames with CoS 2 have an increasingly higher probability of being discarded rather than being admitted to the queue. Once the queue is over 80 percent full, all CoS 2 frames are dropped until the queue is less than 80 percent full. The frames the switch discards when the queue level is between the low and high thresholds are picked out at random, rather than on a per-flow basis or in a FIFO manner. This method works well with protocols such as TCP that can adjust to periodic packet drops by backing off and adjusting their transmission window size. •Tail-drop thresholds—On ports with tail-drop thresholds, frames with a given QoS label are admitted to the queue until the drop threshold associated with that QoS label is exceeded; subsequent frames of that QoS label are discarded until the threshold is no longer exceeded. For example, if CoS 1 is assigned to queue 1, threshold 2, and the threshold 2 watermark is 60 percent, then frames with CoS 1 will not be dropped until queue 1 is 60 percent full. All subsequent CoS 1 frames will be dropped until the queue is less than 60 percent full. With some port types, you can configure the standard receive queue to use both a tail-drop and a WRED-drop threshold by mapping a CoS value to the queue or to the queue and a threshold. The switch uses the tail-drop threshold for traffic carrying CoS values mapped only to the queue. The switch uses WRED-drop thresholds for traffic carrying CoS values mapped to the queue and a threshold. All LAN ports of the same type use the same drop-threshold configuration. Note You can enable DSCP-based queues and thresholds on WS-X6708-10GE, WS-X6716-10GE, WS-X6716-10T, and Supervisor Engine 720-10GE ports (see the "Configuring DSCP-Based Queue Mapping" section). The combination of multiple queues and the scheduling algorithms associated with each queue allows the switch to provide congestion avoidance. Figure 43-8 illustrates the drop thresholds for a 1q4t ingress LAN port. Drop thresholds in other configurations function similarly. Figure 43-8 Receive Queue Drop Thresholds To see the queue structure of a LAN port, enter the show queueing interface {ethernet | fastethernet | gigabitethernet | tengigabitethernet} slot/port | include type command. The command displays one of the following architectures: •1q2t indicates one standard queue with one configurable tail-drop threshold and one nonconfigurable tail-drop threshold. •1q4t indicates one standard queue with four configurable tail-drop thresholds. •1q8t indicates one standard queue with eight configurable tail-drop thresholds. •2q8t indicates two standard queues, each with eight configurable tail-drop thresholds. •8q4t indicates eight standard queues, each with four thresholds, each configurable as either WRED-drop or tail-drop. Note With releases earlier than Release 12.2(33)SXJ3, do not use the default DSCP-based queue mapping for 8q4t ingress queues unless you configure supporting bandwidth and queue limits (CSCts82932). •8q8t indicates eight standard queues, each with eight thresholds, each configurable as either WRED-drop or tail-drop. •1p1q4t indicates: –One strict-priority queue –One standard queue with four configurable tail-drop thresholds. •1p1q0t indicates: –One strict-priority queue –One standard queue with no configurable threshold (effectively a tail-drop threshold at 100 percent). •1p1q8t indicates the following: –One strict-priority queue –One standard queue with these thresholds: —Eight thresholds, each configurable as either WRED-drop or tail-drop —One nonconfigurable (100 percent) tail-drop threshold To see the queue structure of an egress LAN port, enter the show queueing interface {ethernet | fastethernet | gigabitethernet | tengigabitethernet} slot/port | include type command. The command displays one of the following architectures: •2q2t indicates two standard queues, each with two configurable tail-drop thresholds. •1p2q2t indicates the following: –One strict-priority queue –Two standard queues, each with two configurable WRED-drop thresholds •1p3q1t indicates the following: –One strict-priority queue –Three standard queues with these thresholds: —One threshold configurable as either WRED-drop or tail-drop —One nonconfigurable (100 percent) tail-drop threshold •1p2q1t indicates the following: –One strict-priority queue –Two standard queues with these thresholds: —One WRED-drop threshold —One nonconfigurable (100 percent) tail-drop threshold •1p3q8t indicates the following: –One strict-priority queue –Three standard queues, each with eight thresholds, each threshold configurable as either WRED-drop or tail-drop •1p7q2t indicates the following: –One strict-priority queue –Seven standard queues, each with two thresholds, each threshold configurable as either WRED-drop or tail-drop •1p7q4t indicates the following: –One strict-priority queue –Seven standard queues, each with four thresholds, each threshold configurable as either WRED-drop or tail-drop •1p7q8t indicates the following: –One strict-priority queue –Seven standard queues, each with eight thresholds, each threshold configurable as either WRED-drop or tail-drop The following tables show the module to queue structure mapping: •Table 43-2—Supervisor Engine Module QoS Queue Structures •Table 43-3—10-Gigabit Ethernet Modules •Table 43-4—Gigabit and 10/100/1000 Ethernet Modules •Table 43-5—Ethernet and Fast Ethernet Module Queue Structures
Note To disable the Supervisor Engine 720-10GE Gigabit Ethernet ports, enter shutdown interface configuration mode commands for the Supervisor Engine 720-10GE Gigabit Ethernet ports, and then enter the mls qos 10g-only global configuration command, which disables the Gigabit Ethernet ports on the Supervisor Engine 720-10GE.
These sections describe the PFC QoS default configuration: •PFC QoS Global Settings •Default Values with PFC QoS Enabled •Default Values with PFC QoS Disabled The following global PFC QoS settings apply:
These sections list the default values that apply when PFC QoS is enabled: •Receive-Queue Limits •Transmit-Queue Limits •Bandwidth Allocation Ratios •Default Drop-Threshold Percentages and CoS Value Mappings Note The ingress LAN port trust state defaults to untrusted with QoS enabled.
The following tables list the default drop-thresholds values and CoS mappings for different queue types: •1q2t Receive Queues •1q4t Receive Queues •1p1q4t Receive Queues •1p1q0t Receive Queues •1p1q8t Receive Queues •1q8t Receive Queues •2q8t Receive Queues •8q4t Receive Queues •8q8t Receive Queues •2q2t Transmit Queues •1p2q2t Transmit Queues •1p3q8t Transmit Queues •1p7q2t Receive Queues •1p7q4t Transmit Queues •1p7q8t Transmit Queues •1p3q1t Transmit Queues •1p2q1t Transmit Queues Note The receive queue values shown are the values in effect when the port is configured to trust CoS or DSCP. When the port is untrusted, the receive queue values are the same as when QoS is globally disabled.
Note With releases earlier than Release 12.2(33)SXJ3, do not use the default DSCP-based queue mapping for 8q4t ingress queues unless you configure supporting bandwidth and queue limits (CSCts82932).
When configuring PFC QoS, follow these guidelines and restrictions: •General Guidelines •Class Map Command Restrictions •Policy Map Command Restrictions •Policy Map Class Command Restrictions •Supported Granularity for CIR and PIR Rate Values •Supported Granularity for CIR and PIR Token Bucket Sizes •IP Precedence and DSCP Values •PFC QoS cannot be applied to IGMP, MLD, or PIM traffic. •Configure the same trust mode on all ports supported by an ASIC. Mismatched trust modes cause inconsistent bandwidth and queue-limit ratios. •With a Supervisor Engine 720-10GE that is using 10G mode, only one port per-ASIC is available because the 1-Gigabit uplinks are shutdown, making the behavior similar to that of WS-X6708-10GE. •When you configure a port on a Supervisor Engine 720-10GE as a member of the VSL, the mls qos trust cos command is automatically added to the port configuration. •The match ip precedence and match ip dscp commands filter only IPv4 traffic. •The match precedence and match dscp commands filter IPv4 and IPv6 traffic. •The set ip dscp and set ip precedence commands are saved in the configuration file as set dscp and set precedence commands. •PFC QoS supports the set dscp and set precedence policy map class commands for IPv4 and IPv6 traffic. •The flowmask requirements of QoS, NetFlow, and NetFlow data export (NDE) might conflict, especially if you configure microflow policing. •With egress ACL support for remarked DSCP and VACL capture both configured on an interface, VACL capture might capture two copies of each packet, and the second copy might be corrupt. •You cannot configure egress ACL support for remarked DSCP on tunnel interfaces. •Egress ACL support for remarked DSCP supports IP unicast traffic. •Egress ACL support for remarked DSCP is not relevant to multicast traffic. PFC QoS applies ingress QoS changes to multicast traffic before applying egress QoS. •NetFlow and NetFlow data export (NDE) do not support interfaces where egress ACL support for remarked DSCP is configured. •When egress ACL support for remarked DSCP is configured on any interface, you must configure an interface-specific flowmask to enable NetFlow and NDE support on interfaces where egress ACL support for remarked DSCP is not configured. Enter either the mls flow ip interface-destination-source or the mls flow ip interface-full global configuration mode command. •Interface counters are not accurate on interfaces where egress ACL support for remarked DSCP is configured. •You cannot apply microflow policing to IPv6 multicast traffic. •You cannot apply microflow policing to traffic that has been permitted by egress ACL support for remarked DSCP. •Traffic that has been permitted by egress ACL support for remarked DSCP cannot be tagged as MPLS traffic. (The traffic can be tagged as MPLS traffic on another network device.) •When you apply both ingress policing and egress policing to the same traffic, both the input policy and the output policy must either mark down traffic or drop traffic. PFC QoS does not support ingress markdown with egress drop or ingress drop with egress markdown. (CSCea23571) •If traffic is both aggregate and microflow policed, then the aggregate and microflow policers must both be in the same policy-map class and each must use the same conform-action and exceed-action keyword option: drop, set-dscp-transmit, set-prec-transmit, or transmit. •You cannot configure PFC QoS features on tunnel interfaces. •PFC QoS does not rewrite the payload ToS byte in tunnel traffic. •PFC QoS filters only by ACLs, dscp values, or IP precedence values. •For these commands, PFC QoS applies identical configuration to all LAN ports controlled by the same application-specific integrated circuit (ASIC): –rcv-queue cos-map –wrr-queue cos-map •Except for WS-X6716-10T, WS-X6716-10GE, WS-X6708-10GE, WS-X6704-10GE, WS-X6748-SFP, WS-X6724-SFP, WS-X6748-GE-TX modules, PFC QoS applies identical configuration to all LAN ports controlled by the same application-specific integrated circuit (ASIC) for these commands: –rcv-queue random-detect –rcv-queue queue-limit –wrr-queue queue-limit –wrr-queue bandwidth –priority-queue cos-map –wrr-queue threshold –rcv-queue threshold –wrr-queue random-detect –wrr-queue random-detect min-threshold –wrr-queue random-detect max-threshold •Configure these commands only on physical ports. Do not configure these commands on logical interfaces: –priority-queue cos-map –wrr-queue cos-map –wrr-queue random-detect –wrr-queue random-detect max-threshold –wrr-queue random-detect min-threshold –wrr-queue threshold –wrr-queue queue-limit –wrr-queue bandwidth –rcv-queue cos-map –rcv-queue bandwidth –rcv-queue random-detect –rcv-queue random-detect max-threshold –rcv-queue random-detect min-threshold –rcv-queue queue-limit –rcv-queue cos-map –rcv-queue threshold Note IP multicast switching using egress packet replication is not compatible with QoS. In some cases, egress replication can result in the incorrect COS or DSCP marking of packets. If you are using QoS and your switching modules are capable of egress replication, enter the mls ip multicast replication-mode ingress command to force ingress replication. •All versions of the PFC3 support QoS for IPv6 unicast and multicast traffic. •To display information about IPv6 PFC QoS, enter the show mls qos ipv6 command. •The QoS features implemented in the port ASICs (queue architecture and dequeuing algorithms) support IPv4 and IPv6 traffic. •The PFC3 supports IPv6 named extended ACLs and named standard ACLs. •The PFC3 supports the match protocol ipv6 command. •Because of conflicting TCAM lookup flow key bit requirements, you cannot configure IPv6 DSCP-based filtering and IPv6 Layer 4 range-based filtering on the same interface. For example: –If you configure both a DSCP value and a Layer 4 "greater than" (gt) or "less than" (lt) operator in an IPv6 ACE, you cannot use the ACL for PFC QoS filtering. –If you configure a DSCP value in one IPv6 ACL and a Layer 4 "greater than" (gt) or "less than" (lt) operator in another IPv6 ACL, you cannot use both ACLs in different class maps on the same interface for PFC QoS filtering. •You can apply aggregate and microflow policers to IPv6 traffic, but you cannot apply microflow policing to IPv6 multicast traffic. •With egress ACL support for remarked DSCP configured, the PFC3 does not provide hardware-assistance for these features: –Cisco IOS reflexive ACLs –TCP intercept –Network Address Translation (NAT) •You cannot apply microflow policing to ARP traffic. •The PFC3 does not apply egress policing to traffic that is being bridged to the RP. •The PFC3 does not apply egress policing or egress DSCP mutation to multicast traffic from the RP. •With a PFC3A, PFC QoS does not rewrite the ToS byte in bridged multicast traffic. •The PFC3 supports up to 1023 configurable aggregate policers, but some PFC QoS commands other than the police command will be included in this count. By default, any policy using a set or trust command will be included in the aggregate policer count. You can disable the addition of the set or trust commands to the aggregate policer count by entering the no mls qos marking statistics command, but you will then be unable to collect statistics for the classmaps associated with these commands. You can view the aggregate policer count in the QoS Policer Resources section of the output of the show platform hardware capacity qos command. •PFC QoS supports a single match command in class-map match-all class maps, except that the match protocol command can be configured in a class map with the match dscp or match precedence command. •PFC QoS supports multiple match commands in class-map match-any class maps. •PFC QoS does not support these class map commands: –match cos –match classmap –match destination-address –match input-interface –match qos-group –match source-address PFC QoS does not support these policy map commands: •class class_name destination-address •class class_name input-interface •class class_name protocol •class class_name qos-group •class class_name source-address PFC QoS does not support these policy map class commands: •bandwidth •priority •queue-limit •random-detect •set qos-group •service-policy PFC QoS has the following hardware granularity for CIR and PIR rate values:
Within each range, PFC QoS programs the PFC with rate values that are multiples of the granularity values. PFC QoS has the following hardware granularity for CIR and PIR token bucket (burst) sizes:
Within each range, PFC QoS programs the PFC with token bucket sizes that are multiples of the granularity values.
These sections describe how to configure PFC QoS in Cisco IOS Release 12.2SX: •Enabling PFC QoS Globally •Enabling Ignore Port Trust •Configuring DSCP Transparency •Enabling Queueing-Only Mode •Enabling Microflow Policing of Bridged Traffic •Enabling VLAN-Based PFC QoS on Layer 2 LAN Ports •Enabling Egress ACL Support for Remarked DSCP •Creating Named Aggregate Policers •Configuring a PFC QoS Policy •Configuring Egress DSCP Mutation •Configuring Ingress CoS Mutation on IEEE 802.1Q Tunnel Ports •Configuring DSCP Value Maps •Configuring the Trust State of Ethernet LAN Ports •Configuring Trusted Boundary with Cisco Device Verification •Configuring the Ingress LAN Port CoS Value •Configuring Standard-Queue Drop Threshold Percentages •Mapping QoS Labels to Queues and Drop Thresholds •Allocating Bandwidth Between Standard Transmit Queues •Setting the Receive-Queue Size Ratio •Configuring the Transmit-Queue Size Ratio Note PFC QoS processes both unicast and multicast traffic. To enable PFC QoS globally, perform this task:
This example shows how to enable PFC QoS globally: This example shows how to verify the configuration: The ignore port trust feature allows an ingress policy to apply a configured IP precedence or DSCP value to any traffic, rather than only to untrusted traffic. To enable ignore port trust, perform this task:
Note For untrusted traffic, when ignore port trust is enabled, PFC QoS does the following: •For IP traffic, PFC QoS uses the received DSCP value as the initial internal DSCP value. •For traffic without a recognizable ToS byte, PFC QoS maps the port CoS value to the initial internal DSCP value. This example shows how to enable ignore port trust and verify the configuration: Note•In addition to support for other IP traffic, PFC3C and PFC3CXL mode support the no mls qos rewrite ip dscp command for these traffic types: –MPLS traffic –Traffic in IP in IP tunnels –Traffic in GRE tunnels •In addition to support for other IP traffic, PFC3B and PFC3BXL mode support the no mls qos rewrite ip dscp command for these traffic types: –Except on PE routers, MPLS traffic –Traffic in IP in IP tunnels –Traffic in GRE tunnels •PFC3A mode does not support the no mls qos rewrite ip dscp command for MPLS traffic, traffic in IP in IP tunnels, and traffic in GRE tunnels. To enable DSCP transparency, which preserves the received Layer 3 ToS byte, perform this task:
When you preserve the received Layer 3 ToS byte, QoS uses the marked or marked-down CoS value for egress queueing and in egress tagged traffic. This example shows how to preserve the received Layer 3 ToS byte and verify the configuration: To enable queueing-only mode on the switch, perform this task:
When you enable queueing-only mode, the switch does the following: •Disables marking and policing globally •Configures all ports to trust Layer 2 CoS Note The switch applies the port CoS value to untagged ingress traffic and to traffic that is received through ports that cannot be configured to trust CoS. This example shows how to enable queueing-only mode: By default, microflow policers affect only routed traffic. To enable microflow policing of bridged traffic on specified VLANs, perform this task:
This example shows how to enable microflow policing of bridged traffic on VLANs 3 through 5: This example shows how to verify the configuration: Note You can attach policy maps to Layer 3 interfaces for application of PFC QoS to egress traffic. VLAN-based or port-based PFC QoS on Layer 2 ports is not relevant to application of PFC QoS to egress traffic on Layer 3 interfaces. By default, PFC QoS uses policy maps attached to LAN ports. For ports configured as Layer 2 LAN ports with the switchport keyword, you can configure PFC QoS to use policy maps attached to a VLAN. Ports not configured with the switchport keyword are not associated with a VLAN. To enable VLAN-based PFC QoS on a Layer 2 LAN port, perform this task:
This example shows how to enable VLAN-based PFC QoS on Fast Ethernet port 5/42: This example shows how to verify the configuration: Note Configuring a Layer 2 LAN port for VLAN-based PFC QoS preserves the policy map port configuration. The no mls qos vlan-based port command reenables any previously configured port commands. To enable egress ACL support for remarked DSCP on an ingress interface, perform this task:
When configuring egress ACL support for remarked DSCP on an ingress interface, note the following information: •To enable egress ACL support for remarked DSCP only for the traffic filtered by a specific standard, extended named, or extended numbered IP ACL, enter the IP ACL name or number. •If you do not enter an IP ACL name or number, egress ACL support for remarked DSCP is enabled for all IP ingress IP traffic on the interface. This example shows how to enable egress ACL support for remarked DSCP on Fast Ethernet port 5/36: To create a named aggregate policer, perform this task:
When creating a named aggregate policer, note the following information: •Aggregate policing works independently on each DFC-equipped switching module and independently on the PFC, which supports any non-DFC-equipped switching modules. Aggregate policing does not combine flow statistics from different DFC-equipped switching modules. You can display aggregate policing statistics for each DFC-equipped switching module and for the PFC and any non-DFC-equipped switching modules supported by the PFC. •Each PFC or DFC polices independently, which might affect QoS features being applied to traffic that is distributed across the PFC and any DFCs. Examples of these QoS feature are: –Policers applied to a port channel interface. –Policers applied to a switched virtual interface. –Egress policers applied to either a Layer 3 interface or an SVI. Note that PFC QoS performs egress policing decisions at the ingress interface, on the PFC or ingress DFC. Policers affected by this restriction deliver an aggregate rate that is the sum of all the independent policing rates. •You can apply aggregate policers to IPv6 traffic. •Policing uses the Layer 2 frame size. •See the "PFC QoS Configuration Guidelines and Restrictions" section for information about rate and burst size granularity. •The valid range of values for the CIR bits_per_second parameter is as follows: –Minimum—32 kilobits per second, entered as 32000 –Maximum with Release 12.2(33)SXH1 and earlier—10 gigabits per second, entered as 10000000000 –Maximum with Release 12.2(33)SXH2 and later—64 gigabits per second, entered as 64000000000 •The normal_burst_bytes parameter sets the CIR token bucket size. •The maximum_burst_bytes parameter sets the PIR token bucket size. •When configuring the size of a token bucket, note the following information: –Because the token bucket must be large enough to hold at least one frame, configure the token bucket size to be larger than the maximum size of the traffic being policed. –For TCP traffic, configure the token bucket size as a multiple of the TCP window size, with a minimum value at least twice as large as the maximum size of the traffic being policed. –The maximum_burst_bytes parameter must be set larger than the normal_burst_bytes parameter –To sustain a specific rate, set the token bucket size to be at least the rate value divided by 2000. Note To provide compatibility with QoS as implemented in the Catalyst operating system, Release 12.2(33)SXI and later releases support 1 byte as the minimum token bucket size, entered as 1. –With Release 12.2(33)SXI and later releases, the minimum token bucket size is 1 byte, entered as 1. –With releases earlier than Release 12.2(33)SXI, the minimum token bucket size is 1000 bytes, entered as 1000. –The maximum token bucket size is 512 megabytes, entered as 512000000. •The valid range of values for the pir bits_per_second parameter is as follows: –Minimum—32 kilobits per second, entered as 32000 (the value cannot be smaller than the CIR bits_per_second parameters) –Maximum with Release 12.2(33)SXH1 and earlier—10 gigabits per second, entered as 10000000000 –Maximum with Release 12.2(33)SXH2 and later—64 gigabits per second, entered as 64000000000 •(Optional) You can specify a conform action for matched in-profile traffic as follows: –The default conform action is transmit, which sets the policy map class trust state to trust DSCP unless the policy map class contains a trust command. –To set PFC QoS labels in untrusted traffic, enter the set-dscp-transmit keyword to mark matched untrusted traffic with a new DSCP value or enter the set-prec-transmit keyword to mark matched untrusted traffic with a new IP precedence value. The set-dscp-transmit and set-prec-transmit keywords are only supported for IP traffic. PFC QoS sets egress ToS and CoS from the configured value. –Enter the drop keyword to drop all matched traffic. Note When you configure drop as the conform action, PFC QoS configures drop as the exceed action and the violate action. •(Optional) For traffic that exceeds the CIR, you can specify an exceed action as follows: –The default exceed action is drop, except with a maximum_burst_bytes parameter (drop is not supported with a maximum_burst_bytes parameter). Note When the exceed action is drop, PFC QoS ignores any configured violate action. –Enter the policed-dscp-transmit keyword to cause all matched out-of-profile traffic to be marked down as specified in the markdown map. Note When you create a policer that does not use the pir keyword and the maximum_burst_bytes parameter is equal to the normal_burst_bytes parameter (which is the case if you do not enter the maximum_burst_bytes parameter), the exceed-action policed-dscp-transmit keywords cause PFC QoS to mark traffic down as defined by the policed-dscp max-burst markdown map. •(Optional) For traffic that exceeds the PIR, you can specify a violate action as follows: –To mark traffic without policing, enter the transmit keyword to transmit all matched out-of-profile traffic. –The default violate action is equal to the exceed action. –Enter the policed-dscp-transmit keyword to cause all matched out-of-profile traffic to be marked down as specified in the markdown map. –For marking without policing, enter the transmit keyword to transmit all matched out-of-profile traffic. Note When you apply both ingress policing and egress policing to the same traffic, both the input policy and the output policy must either mark down traffic or drop traffic. PFC QoS does not support ingress markdown with egress drop or ingress drop with egress markdown. This example shows how to create a named aggregate policer with a 1-Mbps rate limit and a 10-MB burst size that transmits conforming traffic and marks down out-of-profile traffic: This example shows how to verify the configuration: The output displays the following: •The AgId parameter displays the hardware policer ID. •The policy maps that use the policer are listed in the square brackets ([]). These sections describe PFC QoS policy configuration: •PFC QoS Policy Configuration Overview •Configuring MAC ACLs •Configuring ARP ACLs for QoS Filtering •Configuring a Class Map •Verifying Class Map Configuration •Configuring a Policy Map •Verifying Policy Map Configuration •Attaching a Policy Map to an Interface •Configuring Dynamic Per-Session Attachment of a Policy Map Note PFC QoS policies process both unicast and multicast traffic. Note To mark traffic without limiting bandwidth utilization, create a policer that uses the transmit keywords for both conforming and nonconforming traffic. These commands configure traffic classes and the policies to be applied to those traffic classes and attach the policies to ports: •access-list (Optional for IP traffic. You can filter IP traffic with class-map commands.): –PFC QoS supports these ACL types:
–The PFC3 supports IPv6 named extended ACLs and named standard ACLs. –The PFC3 supports ARP ACLs. Note —The PFC3 does not apply IP ACLs to ARP traffic. –The PFC3 does not support IPX ACLs. With the PFC3, you can configure MAC ACLs to filter IPX traffic. –PFC QoS supports time-based Cisco IOS ACLs. –Except for MAC ACLs and ARP ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2, "Traffic Filtering and Firewalls," at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfacls.html –See Chapter 47 "Configuring Network Security," for additional information about ACLs in Cisco IOS Release 12.2SX. •class-map (optional)—Enter the class-map command to define one or more traffic classes by specifying the criteria by which traffic is classified. •policy-map—Enter the policy-map command to define the following: –Policy map class trust mode –Aggregate policing and marking –Microflow policing and marking •service-policy—Enter the service-policy command to attach a policy map to an interface. These sections describe MAC ACL configuration: •Configuring Protocol-Independent MAC ACL Filtering •Enabling VLAN-Based MAC QoS Filtering •Configuring MAC ACLs Note You can use MAC ACLs with VLAN ACLs (VACLs). For more information, see Chapter 51 "Configuring Port ACLs and VLAN ACLs." Note PFC3A mode does not support protocol-independent MAC ACL filtering. Protocol-independent MAC ACL filtering applies MAC ACLs to all ingress traffic types (for example, IPv4 traffic, IPv6 traffic, and MPLS traffic, in addition to MAC-layer traffic). You can configure these interface types for protocol-independent MAC ACL filtering: •VLAN interfaces without IP addresses •Physical LAN ports configured to support EoMPLS •Logical LAN subinterfaces configured to support EoMPLS Ingress traffic permitted or denied by a MAC ACL on an interface configured for protocol-independent MAC ACL filtering is processed by egress interfaces as MAC-layer traffic. You cannot apply egress IP ACLs to traffic that was permitted or denied by a MAC ACL on an interface configured for protocol-independent MAC ACL filtering. To configure protocol-independent MAC ACL filtering, perform this task:
When configuring protocol-independent MAC ACL filtering, note the following information: •Do not configure protocol-independent MAC ACL filtering on VLAN interfaces where you have configured an IP address. •Do not configure protocol-independent MAC ACL filtering with microflow policing when the permitted traffic would be bridged or Layer 3 switched in hardware by the PFC. •Protocol-independent MAC ACL filtering supports microflow policing when the permitted traffic is routed in software by the RP. This example shows how to configure VLAN interface 4018 for protocol-independent MAC ACL filtering and how to verify the configuration: This example shows how to configure Gigabit Ethernet interface 6/1 for protocol-independent MAC ACL filtering and how to verify the configuration: This example shows how to configure Gigabit Ethernet interface 3/24, subinterface 4000, for protocol-independent MAC ACL filtering and how to verify the configuration: You can globally enable or disable VLAN-based QoS filtering in MAC ACLs. VLAN-based QoS filtering in MAC ACLs is disabled by default. To enable VLAN-based QoS filtering in MAC ACLs, perform this task:
To disable VLAN-based QoS filtering in MAC ACLs, perform this task:
You can configure named ACLs that filter IPX, DECnet, AppleTalk, VINES, or XNS traffic based on MAC addresses. You can configure MAC ACLs that do VLAN-based filtering or CoS-based filtering or both. You can globally enable or disable VLAN-based QoS filtering in MAC ACLs (disabled by default). To configure a MAC ACL, perform this task:
When configuring an entry in a MAC-Layer ACL, note the following information: •The PFC3 supports the ipx-arpa and ipx-non-arpa keywords. •Cisco IOS Release 12.2SX supports the vlan and cos keywords. •The vlan and cos keywords are not supported in MAC ACLs used for VACL filtering. •The vlan keyword for VLAN-based QoS filtering in MAC ACLs can be globally enabled or disabled and is disabled by default. •You can enter MAC addresses as three 2-byte values in dotted hexadecimal format. For example, 0030.9629.9f84. •You can enter MAC address masks as three 2-byte values in dotted hexadecimal format. Use 1 bits as wildcards. For example, to match an address exactly, use 0000.0000.0000 (can be entered as 0.0.0). •You can enter an EtherType and an EtherType mask as hexadecimal values. •Entries without a protocol parameter match any protocol. •ACL entries are scanned in the order you enter them. The first matching entry is used. To improve performance, place the most commonly used entries near the beginning of the ACL. •An implicit deny any any entry exists at the end of an ACL unless you include an explicit permit any any entry at the end of the list. •All new entries to an existing list are placed at the end of the list. You cannot add entries to the middle of a list. •This list shows the EtherType values and their corresponding protocol keywords: –0x0600—xns-idp—Xerox XNS IDP –0x0BAD—vines-ip—Banyan VINES IP –0x0baf—vines-echo—Banyan VINES Echo –0x6000—etype-6000—DEC unassigned, experimental –0x6001—mop-dump—DEC Maintenance Operation Protocol (MOP) Dump/Load Assistance –0x6002—mop-console—DEC MOP Remote Console –0x6003—decnet-iv—DEC DECnet Phase IV Route –0x6004—lat—DEC Local Area Transport (LAT) –0x6005—diagnostic—DEC DECnet Diagnostics –0x6007—lavc-sca—DEC Local-Area VAX Cluster (LAVC), SCA –0x6008—amber—DEC AMBER –0x6009—mumps—DEC MUMPS –0x0800—ip—Malformed, invalid, or deliberately corrupt IP frames –0x8038—dec-spanning—DEC LANBridge Management –0x8039—dsm—DEC DSM/DDP –0x8040—netbios—DEC PATHWORKS DECnet NETBIOS Emulation –0x8041—msdos—DEC Local Area System Transport –0x8042—etype-8042—DEC unassigned –0x809B—appletalk—Kinetics EtherTalk (AppleTalk over Ethernet) –0x80F3—aarp—Kinetics AppleTalk Address Resolution Protocol (AARP) This example shows how to create a MAC-Layer ACL named mac_layer that denies dec-phase-iv traffic with source address 0000.4700.0001 and destination address 0000.4700.0009, but permits all other traffic: Note•The PFC3 does not apply IP ACLs to ARP traffic. •You cannot apply microflow policing to ARP traffic. You can configure named ACLs that filter ARP traffic (EtherType 0x0806) for QoS. To configure an ARP ACL for QoS filtering, perform this task:
When configuring an entry in an ARP ACL for QoS filtering, note the following information: •This publication describes the ARP ACL syntax that is supported in hardware by the PFC3. Any other ARP ACL syntax displayed by the CLI help when you enter a question mark ("?") is not supported and cannot be used to filter ARP traffic for QoS. •ACLs entries are scanned in the order you enter them. The first matching entry is used. To improve performance, place the most commonly used entries near the beginning of the ACL. •An implicit deny ip any mac any entry exists at the end of an ACL unless you include an explicit permit ip any mac any entry at the end of the list. •All new entries to an existing list are placed at the end of the list. You cannot add entries to the middle of a list. This example shows how to create an ARP ACL named arp_filtering that only permits ARP traffic from IP address 1.1.1.1: These sections describe class map configuration: •Creating a Class Map •Class Map Filtering Guidelines and Restrictions •Configuring Filtering in a Class Map To create a class map, perform this task:
When configuring class map filtering, follow these guidelines and restrictions: •PFC QoS supports a single match command in class-map match-all class maps, except that the match protocol command can be configured in a class map with the match dscp or match precedence command. •PFC QoS supports multiple match commands in class-map match-any class maps. •When multiple match access-group ACLs are included in a match-any class map, and one ACL contains a deny ip any any entry, all match criteria after the deny ip any any entry (either in the same ACL or in different ACLs) will not be installed in the TCAM. In the following example, ACLs acl4 and acl5 will not be installed because they follow acl3, which contains a deny ip any any entry: You can use either of the following workarounds to avoid this issue: –Move the deny ip any any entry to the end of the ACL and move that ACL to the end of the class map. –Configure all ACLs that must follow the deny ip any any entry into different class maps. •The PFC3 supports the match protocol ipv6 command. •Because of conflicting TCAM lookup flow key bit requirements, you cannot configure IPv6 DSCP-based filtering and IPv6 Layer 4 range-based filtering on the same interface. For example: –If configure both a DSCP value and a Layer 4 greater than (gt) or less than (lt) operator in an IPv6 ACE, you cannot use the ACL for PFC QoS filtering. –If configure a DSCP value in one IPv6 ACL and a Layer 4 greater than (gt) or less than (lt) operator in another IPv6 ACL, you cannot use both ACLs in different class maps on the same interface for PFC QoS filtering. •The IPv6 address matching against Layer 4 ports is ignored if the IPv6 address in the ACE is not compressible. The IPv6 source and destination addresses are matched, but the configured source or destination UDP or TCP ports will be ignored. To force Layer 4 port matching, use the mls ipv6 acl compress address unicast command. •PFC QoS supports the match protocol ip command for IPv4 traffic. •PFC QoS does not support the match cos, match classmap, match destination-address, match input-interface, match qos-group, and match source-address class map commands. •Cisco IOS Release 12.2SX does not detect the use of unsupported commands until you attach a policy map to an interface. •Filtering based on IP precedence or DSCP for egress QoS uses the received IP precedence or DSCP. Egress QoS filtering is not based on any IP precedence or DSCP changes made by ingress QoS. Note This chapter includes the following ACL documentation: •Configuring MAC ACLs •Configuring ARP ACLs for QoS Filtering Other ACLs are not documented in this publication. See the references under access-list in the "PFC QoS Policy Configuration Overview" section. To configure filtering in a class map, perform one of these tasks:
To verify class map configuration, perform this task:
This example shows how to create a class map named ipp5 and how to configure filtering to match traffic with IP precedence 5: This example shows how to verify the configuration: You can attach only one policy map to an interface. Policy maps can contain one or more policy map classes, each with different policy map commands. Configure a separate policy map class in the policy map for each type of traffic that an interface receives. Put all commands for each type of traffic in the same policy map class. PFC QoS does not attempt to apply commands from more than one policy map class to matched traffic. These sections describe policy map configuration: •Creating a Policy Map •Policy Map Class Configuration Guidelines and Restrictions •Creating a Policy Map Class and Configuring Filtering •Configuring Policy Map Class Actions To create a policy map, perform this task:
When you configuring policy map classes, follow the guidelines and restrictions: •PFC QoS does not support the class class_name destination-address, class class_name input-interface, class class_name qos-group, and class class_name source-address policy map commands. •PFC QoS supports the class default policy map command. •PFC QoS does not detect the use of unsupported commands until you attach a policy map to an interface. To create a policy map class and configure it to filter with a class map, perform this task:
When configuring policy map class actions, note the following information: •Policy maps can contain one or more policy map classes. •Put all trust-state and policing commands for each type of traffic in the same policy map class. •PFC QoS only applies commands from one policy map class to traffic. After traffic has matched the filtering in one policy map class, QoS does apply the filtering configured in other policy map classes. •For hardware-switched traffic, PFC QoS does not support the bandwidth, priority, queue-limit, or random-detect policy map class commands. You can configure these commands because they can be used for software-switched traffic. •PFC QoS does not support the set qos-group policy map class commands. •PFC QoS supports the set ip dscp and set ip precedence policy map class commands for IPv4 traffic. –You can use the set ip dscp and set ip precedence commands on non-IP traffic to mark the internal DSCP value, which is the basis of the egress Layer 2 CoS value. –The set ip dscp and set ip precedence commands are saved in the configuration file as set dscp and set precedence commands. •PFC QoS supports the set dscp and set precedence policy map class commands for IPv4 and IPv6 traffic. •You cannot do all three of the following in a policy map class: –Mark traffic with the set commands –Configure the trust state –Configure policing In a policy map class, you can either mark traffic with the set commands or do one or both of the following: –Configure the trust state –Configure policing Note When configure policing, you can mark traffic with policing keywords. These sections describe policy map class action configuration: •Configuring Policy Map Class Marking •Configuring the Policy Map Class Trust State •Configuring Policy Map Class Policing Configuring Policy Map Class Marking When the ignore port trust feature is enabled, PFC QoS supports policy map class marking for all traffic with set policy map class commands. In all releases, PFC QoS supports policy map class marking for untrusted traffic with set policy map class commands. To configure policy map class marking, perform this task:
Configuring the Policy Map Class Trust State Note You cannot attach a policy map that configures a trust state with the service-policy output command. To configure the policy map class trust state, perform this task:
When configuring the policy map class trust state, note the following information: •Enter the no trust command to use the trust state configured on the ingress port (this is the default). •With the cos keyword, PFC QoS sets the internal DSCP value from received or ingress port CoS. •With the dscp keyword, PFC QoS uses received DSCP. •With the ip-precedence keyword, PFC QoS sets DSCP from received IP precedence. Configuring Policy Map Class Policing When you configure policy map class policing, note the following information: •PFC QoS does not support the set-qos-transmit policer keyword. •PFC QoS does not support the set-dscp-transmit or set-prec-transmit keywords as arguments to the exceed-action keyword. •PFC QoS does not detect the use of unsupported keywords until you attach a policy map to an interface. These sections describe configuration of policy map class policing: •Using a Named Aggregate Policer •Configuring a Per-Interface Policer Note Policing with the conform-action transmit keywords sets the port trust state of matched traffic to trust DSCP or to the trust state configured by a trust command in the policy map class. Using a Named Aggregate Policer To use a named aggregate policer, perform this task:
Configuring a Per-Interface Policer To configure a per-interface policer, perform this task:
When configuring a per-interface policer, note the following information: •Aggregate policing works independently on each DFC-equipped switching module and independently on the PFC, which supports any non-DFC-equipped switching modules. Aggregate policing does not combine flow statistics from different DFC-equipped switching modules. You can display aggregate policing statistics for each DFC-equipped switching module and for the PFC and any non-DFC-equipped switching modules supported by the PFC. •Each PFC or DFC polices independently, which might affect QoS features being applied to traffic that is distributed across the PFC and any DFCs. Examples of these QoS feature are: –Policers applied to a port channel interface. –Policers applied to a switched virtual interface. –Egress policers applied to either a Layer 3 interface or an SVI. Note that PFC QoS performs egress policing decisions at the ingress interface, on the PFC or ingress DFC. Policers affected by this restriction deliver an aggregate rate that is the sum of all the independent policing rates. •When you apply both ingress policing and egress policing to the same traffic, both the input policy and the output policy must either mark down traffic or drop traffic. PFC QoS does not support ingress markdown with egress drop or ingress drop with egress markdown. •You can apply aggregate and microflow policers to IPv6 traffic. •Policing uses the Layer 2 frame size. •See the "PFC QoS Configuration Guidelines and Restrictions" section for information about rate and burst size granularity. •You can enter the flow keyword to define a microflow policer (you cannot apply microflow policing to ARP traffic). When configuring a microflow policer, note the following information: –You can enter the mask src-only keywords to base flow identification only on source addresses, which applies the microflow policer to all traffic from each source address. PFC QoS supports the mask src-only keywords for both IP traffic and MAC traffic. –You can enter the mask dest-only keywords to base flow identification only on destination addresses, which applies the microflow policer to all traffic to each source address. PFC QoS supports the mask dest-only keywords for both IP traffic and MAC traffic. –By default and with the mask full-flow keywords, PFC QoS bases IP flow identification on source IP address, destination IP address, the Layer 3 protocol, and Layer 4 port numbers. –PFC QoS considers MAC-Layer traffic with the same protocol and the same source and destination MAC-Layer addresses to be part of the same flow, including traffic with different EtherTypes. –Microflow policers do not support the maximum_burst_bytes parameter, the pir bits_per_second keyword and parameter, or the violate-action keyword. Note The flowmask requirements of microflow policing, NetFlow, and NetFlow data export (NDE) might conflict. •The valid range of values for the CIR bits_per_second parameter is as follows: –Minimum—32 kilobits per second, entered as 32000 –Maximum with Release 12.2(33)SXH1 and earlier—10 gigabits per second, entered as 10000000000 –Maximum with Release 12.2(33)SXH2 and later—64 gigabits per second, entered as 64000000000 •The normal_burst_bytes parameter sets the CIR token bucket size. •The maximum_burst_bytes parameter sets the PIR token bucket size (not supported with the flow keyword). •When configuring the size of a token bucket, note the following information: –Because the token bucket must be large enough to hold at least one frame, configure the token bucket size to be larger than the maximum size of the traffic being policed. –For TCP traffic, configure the token bucket size as a multiple of the TCP window size, with a minimum value at least twice as large as the maximum size of the traffic being policed. –The maximum_burst_bytes parameter must be set larger than the normal_burst_bytes parameter. –To sustain a specific rate, set the token bucket size to be at least the rate value divided by 2000. Note To provide compatibility with QoS as implemented in the Catalyst operating system, Release 12.2(33)SXI and later releases support 1 byte as the minimum token bucket size, entered as 1. –With Release 12.2(33)SXI and later releases, the minimum token bucket size is 1 byte, entered as 1. –With releases earlier than Release 12.2(33)SXI, the minimum token bucket size is 1000 bytes, entered as 1000. –The maximum token bucket size is 512 megabytes, entered as 512000000. •The valid range of values for the pir bits_per_second parameter (not supported with the flow keyword) is as follows: –Minimum—32 kilobits per second, entered as 32000 (the value cannot be smaller than the CIR bits_per_second parameters) –Maximum with Release 12.2(33)SXH1 and earlier—10 gigabits per second, entered as 10000000000 –Maximum with Release 12.2(33)SXH2 and later—64 gigabits per second, entered as 64000000000 •(Optional) You can specify a conform action for matched in-profile traffic as follows: –The default conform action is transmit, which sets the policy map class trust state to trust DSCP unless the policy map class contains a trust command. –To set PFC QoS labels in untrusted traffic, you can enter the set-dscp-transmit keyword to mark matched untrusted traffic with a new DSCP value or enter the set-prec-transmit keyword to mark matched untrusted traffic with a new IP precedence value. The set-dscp-transmit and set-prec-transmit keywords are only supported for IP traffic. PFC QoS sets egress ToS and CoS from the configured value. –You can enter the drop keyword to drop all matched traffic. –Ensure that aggregate and microflow policers that are applied to the same traffic each specify the same conform-action behavior. •(Optional) For traffic that exceeds the CIR, you can specify an exceed action as follows: –For marking without policing, you can enter the transmit keyword to transmit all matched out-of-profile traffic. –The default exceed action is drop, except with a maximum_burst_bytes parameter (drop is not supported with a maximum_burst_bytes parameter). Note When the exceed action is drop, PFC QoS ignores any configured violate action. –You can enter the policed-dscp-transmit keyword to cause all matched out-of-profile traffic to be marked down as specified in the markdown map. Note When you create a policer that does not use the pir keyword and the maximum_burst_bytes parameter is equal to the normal_burst_bytes parameter (which is the case if you do not enter the maximum_burst_bytes parameter), the exceed-action policed-dscp-transmit keywords cause PFC QoS to mark traffic down as defined by the policed-dscp max-burst markdown map. •(Optional—Not supported with the flow keyword) for traffic that exceeds the PIR, you can specify a violate action as follows: –For marking without policing, you can enter the transmit keyword to transmit all matched out-of-profile traffic. –The default violate action is equal to the exceed action. –You can enter the policed-dscp-transmit keyword to cause all matched out-of-profile traffic to be marked down as specified in the markdown map. This example shows how to create a policy map named max-pol-ipp5 that uses the class-map named ipp5, which is configured to trust received IP precedence values and is configured with a maximum-capacity aggregate policer and with a microflow policer: To verify policy map configuration, perform this task:
This example shows how to verify the configuration: To attach a policy map to an interface, perform this task:
When attaching a policy map to an interface, note the following information: •Do not attach a service policy to a port that is a member of an EtherChannel. •PFC QoS supports the output keyword only on Layer 3 interfaces (either LAN ports configured as Layer 3 interfaces or VLAN interfaces).You can attach both an input and an output policy map to a Layer 3 interface. •VLAN-based or port-based PFC QoS on Layer 2 ports is not relevant to policies attached to Layer 3 interfaces with the output keyword. •Policies attached with the output keyword do not support microflow policing. •You cannot attach a policy map that configures a trust state with the service-policy output command. •Filtering based on IP precedence or DSCP in policies attached with the output keyword uses the received IP precedence or DSCP values. Filtering based on IP precedence or DSCP in policies attached with the output keyword is not based on any IP precedence or DSCP changes made by ingress QoS. •Aggregate policing works independently on each DFC-equipped switching module and independently on the PFC, which supports any non-DFC-equipped switching modules. Aggregate policing does not combine flow statistics from different DFC-equipped switching modules. You can display aggregate policing statistics for each DFC-equipped switching module and for the PFC and any non-DFC-equipped switching modules supported by the PFC. •Each PFC or DFC polices independently, which might affect QoS features being applied to traffic that is distributed across the PFC and any DFCs. Examples of these QoS feature are: –Policers applied to a port channel interface. –Policers applied to a switched virtual interface. –Egress policers applied to either a Layer 3 interface or an SVI. Note that PFC QoS performs egress policing decisions at the ingress interface, on the PFC or ingress DFC. Policers affected by this restriction deliver an aggregate rate that is the sum of all the independent policing rates. •When you apply both ingress policing and egress policing to the same traffic, both the input policy and the output policy must either mark down traffic or drop traffic. PFC QoS does not support ingress markdown with egress drop or ingress drop with egress markdown. This example shows how to attach the policy map named pmap1 to Fast Ethernet port 5/36: This example shows how to verify the configuration: To configure and enable per-session QoS, perform these steps: Step 1 Define the ingress and egress QoS policy maps to be assigned when users are authenticated. Step 2 Configure identity policies to specify the policy maps to be assigned. Step 3 In the user profiles on the RADIUS server, configure the Cisco vendor-specific attributes (VSAs) to specify which ingress and egress QoS policy maps will be assigned to each user. To define the policy maps and associate them with an identity policy, follow these steps:
To remove the identity policy from the switch, use the no identity policy policy_name command. After the policy maps have been defined on the switch, configure the Cisco AV pair attributes in each user profile on the RADIUS server using the policy map names: •cisco-avpair = "ip:sub-policy-In=in_policy_name" •cisco-avpair = "ip:sub-policy-Out=out_policy_name" To set the Cisco AV pair attributes on the RADIUS server, perform the following task:
This example shows the configuration in the user file on the RADIUS server: This example shows the output of the show epm session summary command when a session is active: This example shows the output of the show epm session ip ip_addr command when a session is active on the interface with IP address 192.0.2.1: These sections describe how to configure egress DSCP mutation: •Configuring Named DSCP Mutation Maps •Attaching an Egress DSCP Mutation Map to an Interface To configure a named DSCP mutation map, perform this task:
When configuring a named DSCP mutation map, note the following information: •You can enter up to 8 DSCP values that map to a mutated DSCP value. •You can enter multiple commands to map additional DSCP values to a mutated DSCP value. •You can enter a separate command for each mutated DSCP value. This example shows how to map DSCP 30 to mutated DSCP value 8: This example shows how to verify the configuration: Note In the DSCP mutation map displays, the marked-down DSCP values are shown in the body of the matrix; the first digit of the original DSCP value is in the column labeled d1 and the second digit is in the top row. In the example shown, DSCP 30 maps to DSCP 08. To attach an egress DSCP mutation map to an interface, perform this task:
This example shows how to attach the egress DSCP mutation map named mutmap1 to Fast Ethernet port 5/36: IEEE 802.1Q tunnel ports configured to trust received CoS support ingress CoS mutation (see the "Applying Ingress CoS Mutation Maps to IEEE 802.1Q Tunnel Ports" section for the list of supported modules). When you configure ingress CoS mutation on an IEEE 802.1Q tunnel port that you have configured to trust received CoS, PFC QoS uses the mutated CoS value instead of the received CoS value in the ingress drop thresholds and for any trust CoS marking and policing. These sections describe how to configure ingress CoS mutation: •Ingress CoS Mutation Configuration Guidelines and Restrictions •Configuring Ingress CoS Mutation Maps •Applying Ingress CoS Mutation Maps to IEEE 802.1Q Tunnel Ports When configuring ingress CoS mutation, follow these guidelines and restrictions: •Ports that are not configured as IEEE 802.1Q tunnel ports do not support ingress CoS mutation. •Ports that are not configured to trust received CoS do not support ingress CoS mutation. •Ingress CoS mutation does not change the CoS value carried by the customer frames. When the customer traffic exits the 802.1Q tunnel, the original CoS is intact. •The WS-X6704-10GE, WS-X6748-SFP, WS-X6724-SFP, and WS-X6748-GE-TX switching modules support ingress CoS mutation. •Ingress CoS mutation configuration applies to all ports in a port group. The port groups are: –WS-X6704-10GE—4 ports, 4 port groups, 1 port in each group –WS-X6748-SFP—48 ports, 4 port groups: ports 1-12, 13-24, 25-36, and 37-48 –WS-X6724-SFP—24 ports, 2 port groups: ports 1-12 and 13-24 –WS-X6748-GE-TX—48 ports, 4 port groups: ports 1-12, 13-24, 25-36, and 37-48 •To avoid ingress CoS mutation configuration failures, only create EtherChannels where all member ports support ingress CoS mutation or where no member ports support ingress CoS mutation. Do not create EtherChannels with mixed support for ingress CoS mutation. •If you configure ingress CoS mutation on a port that is a member of an EtherChannel, the ingress CoS mutation is applied to the port-channel interface. •You can configure ingress CoS mutation on port-channel interfaces. •With ingress CoS mutation configured on a port-channel interface, the following occurs: –The ingress CoS mutation configuration is applied to the port groups of all member ports of the EtherChannel. If any member port cannot support ingress CoS mutation, the configuration fails. –If a port in the port group is a member of a second EtherChannel, the ingress CoS mutation configuration is applied to the second port-channel interface and to the port groups of all member ports of the second EtherChannel. If any member port of the second EtherChannel cannot support ingress CoS mutation, the configuration fails on the first EtherChannel. If the configuration originated on a nonmember port in a port group that has a member port of the first EtherChannel, the configuration fails on the nonmember port. –The ingress CoS mutation configuration propagates without limit through port groups, member ports, and port-channel interfaces, regardless of whether or not the ports are configured to trust CoS or are configured as IEEE 802.1Q tunnel ports. •An EtherChannel where you want to configure ingress CoS mutation must not have member ports that are in port groups containing member ports of other EtherChannels that have member ports that do not support ingress CoS mutation. (This restriction extends without limit through all port-group-linked member ports and port-channel-interface-linked ports.) •A port where you want to configure ingress CoS mutation must not be in a port group that has a member port of an EtherChannel that has members that do not support ingress CoS mutation. (This restriction extends without limit through all port-group-linked member ports and port-channel-interface-linked ports.) •There can be only be one ingress CoS mutation configuration applied to all port-group-linked member ports and port-channel-interface-linked ports. To configure an ingress CoS mutation map, perform this task:
This example shows how to configure a CoS mutation map named testmap: This example shows how to verify the map configuration: To attach an ingress CoS mutation map to an IEEE 802.1Q tunnel port, perform this task:
This example shows how to attach the ingress CoS mutation map named testmap to Gigabit Ethernet port 1/1: These sections describe how DSCP values are mapped to other values: •Mapping Received CoS Values to Internal DSCP Values •Mapping Received IP Precedence Values to Internal DSCP Values •Configuring DSCP Markdown Values •Mapping Internal DSCP Values to Egress CoS Values To configure the mapping of received CoS values to the DSCP value that PFC QoS uses internally on the PFC, perform this task:
This example shows how to configure the received CoS to internal DSCP map: This example shows how to verify the configuration: To configure the mapping of received IP precedence values to the DSCP value that PFC QoS uses internally on the PFC, perform this task:
This example shows how to configure the received IP precedence to internal DSCP map: This example shows how to verify the configuration: To configure the mapping of DSCP markdown values used by policers, perform this task:
When configuring a DSCP markdown map, note the following information: •You can enter the normal-burst keyword to configure the markdown map used by the exceed-action policed-dscp-transmit keywords. •You can enter the max-burst keyword to configure the markdown map used by the violate-action policed-dscp-transmit keywords. Note When you create a policer that does not use the pir keyword, and the maximum_burst_bytes parameter is equal to the normal_burst_bytes parameter (which occurs if you do not enter the maximum_burst_bytes parameter), the exceed-action policed-dscp-transmit keywords cause PFC QoS to mark traffic down as defined by the policed-dscp max-burst markdown map. •To avoid out-of-sequence packets, configure the markdown maps so that conforming and nonconforming traffic uses the same queue. •You can enter up to 8 DSCP values that map to a marked-down DSCP value. •You can enter multiple commands to map additional DSCP values to a marked-down DSCP value. •You can enter a separate command for each marked-down DSCP value. Note Configure marked-down DSCP values that map to CoS values consistent with the markdown penalty. This example shows how to map DSCP 1 to marked-down DSCP value 0: This example shows how to verify the configuration: Note In the Policed-dscp displays, the marked-down DSCP values are shown in the body of the matrix; the first digit of the original DSCP value is in the column labeled d1 and the second digit is in the top row. In the example shown, DSCP 41 maps to DSCP 41. To configure the mapping of the DSCP value that PFC QoS uses internally on the PFC to the CoS value used for egress LAN port scheduling and congestion avoidance, perform this task:
When configuring the internal DSCP to egress CoS map, note the following information: •You can enter up to 8 DSCP values that PFC QoS maps to a CoS value. •You can enter multiple commands to map additional DSCP values to a CoS value. •You can enter a separate command for each CoS value. This example shows how to configure internal DSCP values 0, 8, 16, 24, 32, 40, 48, and 54 to be mapped to egress CoS value 0: This example shows how to verify the configuration: Note In the Dscp-cos map display, the CoS values are shown in the body of the matrix; the first digit of the DSCP value is in the column labeled d1 and the second digit is in the top row. In the example shown, DSCP values 41 through 47 all map to CoS 05. By default, all ports are untrusted. You can configure the port trust state on all Ethernet LAN ports. Note On non-Gigabit Ethernet 1q4t/2q2t ports, you must repeat the trust configuration in a class map. To configure the trust state of a port, perform this task:
When configuring the trust state of a port, note the following information: •To apply a non-default trust configuration only when a Cisco IP phone is attached to the port, see the "Configuring Trusted Boundary with Cisco Device Verification" section. •To configure QoS on an attached IP phone, see the "Configuring Cisco IP Phone Support" section. •With no other keywords, the mls qos trust command is equivalent to mls qos trust dscp. •You can use the mls qos trust dscp command to enable DSCP-based receive-queue drop thresholds on WS-X6708-10GE, WS-X6716-10GE, WS-X6716-10T, and Supervisor Engine 720-10GE ports (see the "Configuring DSCP-Based Queue Mapping" section). To avoid dropping traffic because of inconsistent DSCP values when DSCP-based queue mapping is enabled, configure ports with the mls qos trust dscp command only when the received traffic carries DSCP values that you know to be consistent with network policy. •The mls qos trust cos command enables CoS-based receive-queue drop thresholds. To avoid dropping traffic because of inconsistent CoS values, configure ports with the mls qos trust cos command only when the received traffic is ISL or 802.1Q frames carrying CoS values that you know to be consistent with network policy. •You can configure IEEE 8021.Q tunnel ports configured with the mls qos trust cos command to use a mutated CoS value instead of the received CoS value ("Configuring Ingress CoS Mutation on IEEE 802.1Q Tunnel Ports" section). •Use the no mls qos trust command to set the port state to untrusted. This example shows how to configure Gigabit Ethernet port 1/1 with the trust cos keywords: This example shows how to verify the configuration: Release 12.2(33)SXI1 and later releases support the trusted boundary with Cisco device verification feature, which configures Ethernet LAN ports to use CDP to detect whether or not a Cisco IP phone is attached to the port. •If CDP detects a Cisco IP phone, QoS applies a configured mls qos trust dscp, mls qos trust ip-precedence, or mls qos trust cos interface command. •If CDP does not detect a Cisco IP phone, QoS ignores any configured nondefault trust state. To configure trusted boundary with Cisco device verification, perform this task:
When configuring trusted boundary with Cisco device verification, note the following information: •CDP must be enabled on the port to use trusted boundary with Cisco device verification. •To configure QoS on an attached IP phone, see the "Configuring Cisco IP Phone Support" section. This example shows how to configure trusted boundary with Cisco device verification on Gigabit Ethernet port 1/1: This example shows how to verify the configuration on a port configured to trust CoS, but that does not have a Cisco IP phone attached: Note Whether or not PFC QoS uses the CoS value applied with the mls qos cos command depends on the trust state of the port and the trust state of the traffic received through the port. The mls qos cos command does not configure the trust state of the port or the trust state of the traffic received through the port. To use the CoS value applied with the mls qos cos command as the basis of internal DSCP: •On a port that receives only untagged ingress traffic, configure the ingress port as trusted or configure a trust CoS policy map that matches the ingress traffic. •On a port that receives tagged ingress traffic, configure a trust CoS policy map that matches the ingress traffic. You can configure the CoS value that PFC QoS assigns to untagged frames from ingress LAN ports configured as trusted and to all frames from ingress LAN ports configured as untrusted. To configure the CoS value for an ingress LAN port, perform this task:
This example shows how to configure the CoS value 5 on Fast Ethernet port 5/24 and verify the configuration: These sections describe configuring standard-queue drop threshold percentages: •Configuring a Tail-Drop Receive Queue •Configuring a WRED-Drop Transmit Queue •Configuring a WRED-Drop and Tail-Drop Receive Queue •Configuring a WRED-Drop and Tail-Drop Transmit Queue •Configuring 1q4t/2q2t Tail-Drop Threshold Percentages Note•Enter the show queueing interface {ethernet | fastethernet | gigabitethernet | tengigabitethernet} slot/port | include type command to see the queue structure of a port. •1p1q0t ports have no configurable thresholds. •1p3q1t (transmit), 1p2q1t (transmit), 1p7q2t (receive), and 1p1q8t (receive) ports also have nonconfigurable tail-drop thresholds. When configuring thresholds, note the following information: •Queue number 1 is the lowest-priority standard queue. •Higher-numbered queues are higher priority standard queues. •Receive-queue parameters can be configured only on trusted ports. •When configuring minimum and maximum threshold values, you cannot configure minimum values to be larger than maximumvalues. When you configure multiple-threshold standard queues, note the following information: •The first percentage that you enter sets the lowest-priority threshold. •The second percentage that you enter sets the next highest-priority threshold. •The last percentage that you enter sets the highest-priority threshold. •The percentages range from 1 to 100. A value of 10 indicates a threshold when the buffer is 10-percent full. •Always set highest-numbered threshold to 100 percent. When configuring the WRED-drop thresholds, note the following information: •Each WRED-drop threshold has a low-WRED and a high-WRED value. •Low-WRED and high-WRED values are a percentage of the queue capacity (the range is from 1 to 100). •The low-WRED value is the traffic level under which no traffic is dropped. The low-WRED value must be lower than the high-WRED value. •The high-WRED value is the traffic level above which all traffic is dropped. •Traffic in the queue between the low- and high-WRED values has an increasing chance of being dropped as the queue fills. These port types have only tail-drop thresholds in their receive-queues: •1q2t •1p1q4t •2q8t •1q8t To configure the drop thresholds, perform this task:
This example shows how to configure the receive-queue drop thresholds for Gigabit Ethernet port 1/1: This example shows how to verify the configuration: These port types have only WRED-drop thresholds in their transmit queues: •1p2q2t (transmit) •1p2q1t (transmit)
These port types have both WRED-drop and tail-drop thresholds in their receive queues: •8q4t (receive) •8q8t (receive) •1p7q2t (receive) •1p1q8t (receive) To configure the drop thresholds, perform this task:
These port types have both WRED-drop and tail-drop thresholds in their transmit queues: •1p3q1t (transmit) •1p3q8t (transmit) •1p7q8t (transmit) To configure the drop thresholds, perform this task:
This example shows how to configure the low-priority transmit queue high-WRED-drop thresholds for Gigabit Ethernet port 1/1: This example shows how to verify the configuration: On 1q4t/2q2t ports, the receive- and transmit-queue drop thresholds have this relationship: •Receive queue 1 (standard) threshold 1 = transmit queue 1 (standard low priority) threshold 1 •Receive queue 1 (standard) threshold 2 = transmit queue 1 (standard low priority) threshold 2 •Receive queue 1 (standard) threshold 3 = transmit queue 2 (standard high priority) threshold 1 •Receive queue 1 (standard) threshold 4 = transmit queue 2 (standard high priority) threshold 2 To configure tail-drop threshold percentages for the standard receive and transmit queues on 1q4t/2q2t LAN ports, perform this task:
When configuring the receive- and transmit-queue tail-drop thresholds, note the following information: •You must use the transmit queue and threshold numbers. •The queue_id is 1 for the standard low-priority queue and 2 for the standard high-priority queue. •The percentages range from 1 to 100. A value of 10 indicates a threshold when the buffer is 10-percent full. •Always set threshold 2 to 100 percent. •Ethernet and Fast Ethernet 1q4t ports do not support receive-queue tail-drop thresholds. This example shows how to configure receive queue 1/threshold 1 and transmit queue 1/threshold 1 for Gigabit Ethernet port 2/1: This example shows how to verify the configuration: These sections describe how to map QoS labels to queues and drop thresholds: Note Enter the show queueing interface {ethernet | fastethernet | gigabitethernet | tengigabitethernet} slot/port | include type command to see the queue structure of a port. These sections describe how to map QoS labels to queues and drop thresholds: •Queue and Drop Threshold Mapping Guidelines and Restrictions •Configuring DSCP-Based Queue Mapping •Configuring CoS-Based Queue Mapping When mapping QoS labels to queues and thresholds, note the following information: •When SRR is enabled, you cannot map any CoS values or DSCP values to strict-priority queues. •Queue number 1 is the lowest-priority standard queue. •Higher-numbered queues are higher priority standard queues. •You can map up to 8 CoS values to a threshold. •You can map up to 64 DSCP values to a threshold. •Threshold 0 is a nonconfigurable 100-percent tail-drop threshold on these port types: –1p1q0t (receive) –1p1q8t (receive) –1p3q1t (transmit) –1p2q1t (transmit) •The standard queue thresholds can be configured as either tail-drop or WRED-drop thresholds on these port types: –1p1q8t (receive) –1p3q1t (transmit) –1p3q8t (transmit) –1p7q1t (transmit) These sections describe how to configure DSCP-based queue mapping: •Configuring Ingress DSCP-Based Queue Mapping •Mapping DSCP Values to Standard Transmit-Queue Thresholds •Mapping DSCP Values to the Transmit Strict-Priority Queue Note•DSCP-based queue mapping is supported on WS-X6708-10GE, WS-X6716-10GE, WS-X6716-10T, and Supervisor Engine 720-10GE ports. •To configure DSCP-based queue mapping on Supervisor Engine 720-10GE ports, you must enter shutdown interface configuration mode commands for the Supervisor Engine 720-10GE Gigabit Ethernet ports, and then enter the mls qos 10g-only global configuration command, which disables the Gigabit Ethernet ports on the Supervisor Engine 720-10GE. To enable DSCP-based queue mapping, perform this task:
This example shows how to enable DSCP-based queue mapping on 10-Gigabit Ethernet port 6/1: This example shows how to verify the configuration: Ingress DSCP-to-queue mapping is supported only on ports configured to trust DSCP. These sections describe how to configure ingress DSCP-based queue mapping: •Enabling DSCP-Based Queue Mapping •Mapping DSCP Values to Standard Receive-Queue Thresholds Configuring the Port to Trust DSCP To configure the port to trust DSCP perform this task:
This example shows how to configure 10-Gigabit Ethernet port 6/1 to trust received DSCP values: This example shows how to verify the configuration: Mapping DSCP Values to Standard Receive-Queue Thresholds To map DSCP values to the standard receive-queue thresholds, perform this task:
When mapping DSCP values, note the following information: •You can enter up to 8 DSCP values that map to a queue and threshold. •You can enter multiple commands to map additional DSCP values to the queue and threshold. •You must enter a separate command for each queue and threshold. This example shows how to map the DSCP values 0 and 1 to threshold 1 in the standard receive queue for 10-Gigabit Ethernet port 6/1: Note The receive queue mapping is shown in the second "queue thresh dscp-map" displayed by the show queueing interface command. This example shows how to verify the configuration: To map DSCP values to standard transmit-queue thresholds, perform this task:
When mapping DSCP values, note the following information: •You can enter up to 8 DSCP values that map to a queue and threshold. •You can enter multiple commands to map additional DSCP values to the queue and threshold. •You must enter a separate command for each queue and threshold. This example shows how to map the DSCP values 0 and 1 to standard transmit queue 1/threshold 1 for 10-Gigabit Ethernet port 6/1: Note The eighth queue is the strict priority queue in the output of the show queueing interface command. This example shows how to verify the configuration: To map DSCP values to the transmit strict-priority queue, perform this task:
When mapping DSCP values to the strict-priority queue, note the following information: •The queue number is always 1. •You can enter up to 8 DSCP values to map to the queue. •You can enter multiple commands to map additional DSCP values to the queue. This example shows how to map DSCP value 7 to the strict-priority queue on 10 Gigabit Ethernet port 6/1: Note The strict priority queue is queue 8 in the output of the show queueing interface command. This example shows how to verify the configuration: These sections describe how to configure CoS-based queue mapping: •Mapping CoS Values to Standard Receive-Queue Thresholds •Mapping CoS Values to Standard Transmit-Queue Thresholds •Mapping CoS Values to Strict-Priority Queues •Mapping CoS Values to Tail-Drop Thresholds on 1q4t/2q2t LAN Ports To map CoS values to the standard receive-queue thresholds, perform this task:
This example shows how to map the CoS values 0 and 1 to threshold 1 in the standard receive queue for Gigabit Ethernet port 1/1: This example shows how to verify the configuration: To map CoS values to standard transmit-queue thresholds, perform this task:
This example shows how to map the CoS values 0 and 1 to standard transmit queue 1/threshold 1 for Fast Ethernet port 5/36: This example shows how to verify the configuration: To map CoS values to the receive and transmit strict-priority queues, perform this task:
When mapping CoS values to the strict-priority queues, note the following information: •The queue number is always 1. •You can enter up to 8 CoS values to map to the queue. •When used, the priority-queue cos-map command changes both ingress and egress priority queue CoS mapping. This example shows how to map CoS value 7 to the strict-priority queues on Gigabit Ethernet port 1/1: This example shows how to verify the configuration: Note Enter the show queueing interface {ethernet | fastethernet | gigabitethernet | tengigabitethernet} slot/port | include type command to see the queue structure of a port. On 1q4t/2q2t LAN ports, the receive- and transmit-queue tail-drop thresholds have this relationship: •Receive queue 1 (standard) threshold 1 = transmit queue 1 (standard low priority) threshold 1 •Receive queue 1 (standard) threshold 2 = transmit queue 1 (standard low priority) threshold 2 •Receive queue 1 (standard) threshold 3 = transmit queue 2 (standard high priority) threshold 1 •Receive queue 1 (standard) threshold 4 = transmit queue 2 (standard high priority) threshold 2 To map CoS values to tail-drop thresholds, perform this task:
When mapping CoS values to a tail-drop threshold, note the following information: •Use the transmit queue and threshold numbers. •Queue 1 is the low-priority standard transmit queue. •Queue 2 is the high-priority standard transmit queue. •There are two thresholds in each queue. •Enter up to 8 CoS values to map to the threshold. This example shows how to map the CoS values 0 and 1 to standard transmit queue 1/threshold 1 for Fast Ethernet port 5/36: This example shows how to verify the configuration: The switch transmits frames from one standard queue at a time using one of these dequeuing algorithms, which use percentages or weights to allocate relative bandwidth to the queues as they are serviced sequentially: •Shaped round robin (SRR)—SRR allows a queue to use only the allocated bandwidth. Supported as an option on 1p3q8t ports and on 1p7q4t ports. •Deficit weighted round robin (DWRR)—DWRR keeps track of any lower-priority queue under-transmission caused by traffic in a higher-priority queue and compensates in the next round. DWRR is the dequeuing algorithm on 1p3q1t, 1p2q1t, 1p3q8t, 1p7q4t, and 1p7q8t ports. Note You configure DWRR ports with the same commands that you use on WRR ports. •Weighted round robin (WRR)—WRR allows a queue to use more than the allocated bandwidth if the other queues are not using any, up to the total bandwidth of the port. WRR is the dequeuing algorithm on all other ports. •See the "Module to Queue Type Mappings" section for information about the modules that support these algorithms. You can enter percentages or weights to allocate bandwidth. The higher the percentage or weight that is assigned to a queue, the more transmit bandwidth is allocated to it. If you enter weights, the ratio of the weights divides the total bandwidth of the queue. For example, for three queues on a Gigabit Ethernet port, weights of 25:25:50 provide this division: •Queue 1—250 Mbps •Queue 2—250 Mbps •Queue 3—500 Mbps Note The actual bandwidth allocation depends on the granularity that the port hardware applies to the configured percentages or weights. To allocate bandwidth between standard transmit queues, perform this task:
This example shows how to allocate a 3-to-1 bandwidth ratio for Gigabit Ethernet port 1/2: This example shows how to verify the configuration: You can set the size ratio between the standard receive queues on 2q8t, 8q4t, and 8q8t ports and between the strict-priority and standard receive queues on 1p1q0t or 1p1q8t ports. To set the size ratio between the receive queues, perform this task:
When setting the receive-queue size ratio, note the following information: •The rcv-queue queue-limit command configures ports on a per-ASIC basis. •Estimate the mix of differing priority traffic on your network (for example, 80 percent standard traffic and 20 percent strict-priority traffic). •Use the estimated percentages as queue weights. •Valid values are from 1 to 100 percent, except on 1p1q8t ports, where valid values for the strict priority queue are from 3 to 100 percent. This example shows how to set the receive-queue size ratio for Fast Ethernet port 2/2: This example shows how to verify the configuration: To configure the transmit-queue size ratio, perform this task:
When configuring the transmit-queue size ratio between transmit queues, note the following information: •The wrr-queue queue-limit command is not supported on 1p3q1t ports. •For ports that have an egress strict priority queue: –You can enter the priority-queue queue-limit interface command to set the size of the egress strict priority queue on these switching modules: —WS-X6502-10GE (1p2q1t) •Estimate the mix of low priority-to-high priority traffic on your network (for example, 80 percent low-priority traffic and 20 percent high-priority traffic). •Use the estimated percentages as queue weights. •You must enter weights for all the standard transmit queues on the interface (2, 3, or 7 weights). •Valid values are from 1 to 100 percent, except on 1p2q1t egress LAN ports, where valid values for the high priority queue are from 5 to 100 percent. This example shows how to set the transmit-queue size ratio for Gigabit Ethernet port 1/2: This example shows how to verify the configuration: This section provides sample configurations for some common QoS scenarios. If you already know how to configure PFC QoS for your network or if you need specific configuration information, see the other sections of this chapter. The scenarios in this section are based on a sample network that is described in the "Sample Network Design Overview" section. This section uses this sample network to describe some regularly used QoS configurations. These sections describe some common QoS scenarios: •Sample Network Design Overview •Classifying Traffic from PCs and IP Phones in the Access Layer •Accepting the Traffic Priority Value on Interswitch Links •Prioritizing Traffic on Interswitch Links •Using Policers to Limit the Amount of Traffic from a PC This sample network is based on a traditional campus network architecture that uses Catalyst 6500 series switches in the access, distribution, and core layers. The access layer provides 10/100 Ethernet service to desktop users. The network has Gigabit Ethernet links from the access layer to the distribution layer and Gigabit or 10-Gigabit Ethernet links from the distribution layer to the core layer. This is the basic port configuration: Access Layer Distribution and Core Interswitch Links These are the three traffic classes in the sample network: •Voice •High-priority application traffic •Best-effort traffic The QoS configuration described in this section identifies and prioritizes each of these traffic classes. Note If your network requires more service levels, PFC QoS supports up to 64 traffic classes. These QoS scenarios describe the following three fundamental QoS configurations, which are often a general part of QoS deployment: •Classifying traffic from PCs and IP phones in the access layer •Accepting the traffic priority value on interswitch links between layers •Prioritizing traffic on interswitch links between layers These QoS scenarios assume that the network carries only IP traffic and use the IP DSCP values to assign traffic priority. These QoS scenarios do not directly use IP type of service (ToS) or Ethernet 802.1p class of service (CoS). IP packets can carry a priority value, which can be set at various points within the network topology. Best-practice design recommendations are to classify and mark traffic as close to the source of the traffic as possible. If traffic priorities are set correctly at the edge, then intermediate hops do not have to perform detailed traffic identification. Instead, they can administer QoS policies based on these previously set priority values. This approach simplifies policy administration. Note•You should develop a QoS deployment strategy for assigning packet priorities to your particular network traffic types and applications. For more information on QoS guidelines, see RFC 2597 and RFC 2598 as well as the various QoS design guides published by Cisco Systems, Inc. •Do not enable PFC QoS globally and leave all other PFC QoS configuration at default values. When you enable PFC QoS globally, it uses its default values. These are two problems that exist with the PFC QoS default configuration: –With PFC QoS globally enabled, the default trust state of the Ethernet ports in the system is untrusted. The untrusted port state sets the QoS priority of all traffic flowing through the switch to the port CoS value (zero by default): all traffic will be zero-priority traffic. –With PFC QoS globally enabled, the port buffers are allocated into CoS-based queues and only part of the buffer is available for zero-priority traffic: zero-priority traffic has less buffer available than when PFC QoS is disabled. These problems with the PFC QoS default configuration can have a negative effect on network performance. The access layer switches have a PC daisy-chained to an IP phone on a 100 Mbps link. This section describes how to classify voice traffic from the phone and data traffic from the PC so that they have different priorities. This is the QoS classification scheme for the traffic arriving on an access layer port: •Voice traffic: DSCP 46 (highest priority) •Voice signaling traffic: DSCP 24 (medium priority) •PC SAP traffic: DSCP 25 (medium priority) •All other PC traffic: DSCP 0 (best effort) This classification strategy provides a way to support three different classes of service on the network: •High priority for voice traffic •Medium priority for voice signaling and important application traffic •Low priority for the remaining traffic You can alter this model to fit other network environments. PFC QoS can trust received priorities or assign new priorities by applying a QoS policy to the traffic. You configure a QoS policy using the Modular QoS CLI (MQC). In the access switches, the traffic is identified using ACLs, which differentiate the various traffic types entering the port. Once identified, a QoS policy marks the traffic with the appropriate DSCP value. These assigned DSCP values will be trusted when the traffic enters the distribution and core switches. The port on the access switch where the phone and PC are attached has been configured for a voice VLAN (VLAN 110), which is used to separate the phone traffic (subnet 10.1.110.0/24) from the PC traffic (10.1.10.0/24). The voice VLAN subnet uniquely identifies the voice traffic. The UDP and TCP port numbers identify the different applications. This is the access port access control list (ACL) configuration: Identify the Voice Traffic from an IP Phone (VVLAN) Identify the Voice Signaling Traffic from an IP Phone (VVLAN) Identify the SAP Traffic from the PC (DVLAN) The next step in configuring the QoS policy is to define the class maps. These class maps associate the identifying ACLs with the QoS actions that you want to perform (marking, in this case). This is the syntax for the class maps: After you create the class maps, create a policy map that defines the action of the QoS policy so that it sets a particular DSCP value for each traffic type or traffic class. This example creates one policy map (called IPPHONE-PC), and all the class maps are included in that single policy map, with an action defined in each class map. This is the syntax for the policy map and class maps: At this point, the QoS policy defined in the policy map still has not taken effect. After you configure a policy map, you must apply it to an interface for it to affect traffic. You use the service-policy command to apply the policy map. Remember that an input service policy can be applied to either a port or to VLAN interfaces, but that an output service policy can only be applied to VLAN interfaces (only the PFC3 supports output policies). In this example, you apply the policy as an input service-policy to each interface that has a PC and IP phone attached. This example uses port-based QoS, which is the default for Ethernet ports. A QoS policy now has been successfully configured to classify the traffic coming in from both an IP phone and a PC. To ensure that the policy maps are configured properly, enter this command: To ensure that the port is using the correct QoS mode, enter this command: To ensure that the class map configuration is correct, enter this command: To monitor the byte statistics for each traffic class, enter this command: The previous section described how to configure the marking operation. This section describes how the upstream devices will use the packet marking. You must decide whether the incoming traffic priority should be honored or not. To implement the decision, you configure the trust state of the port. When traffic arrives on a port that is set not to trust incoming traffic priority settings, the priority setting of the incoming traffic is rewritten to the lowest priority (zero). Traffic that arrives on an interface that is set to trust incoming traffic priority settings retains its priority setting. Examples of ports on which it might be valid to trust incoming priority settings are ports that are connected to IP phones and other IP voice devices, video devices, or any device that you trust to send frames with a valid predetermined priority. If you know that appropriate marking is completed when traffic first enters the network, you may also want to set uplink interfaces to trust the incoming priority settings. Configure ports that are connected to workstations or any devices that do not send all traffic with a predetermined valid priority as untrusted (the default). In the previous example, you configured QoS to properly mark the voice, SAP, and other best effort traffic at the access layer. This example configures QoS to honor those values as the traffic passes through other network devices by configuring the interswitch links to trust the packet DSCP values. The previous example had several different traffic classes entering a port and selectively applied different QoS policies to the different traffic types. The configuration was done with the MQC QoS policy syntax, which allows you to apply different marking or trust actions to the different traffic classes arriving on a port. If you know that all traffic entering a particular port can be trusted (as is the case on access-distribution or distribution-core uplink ports), you can use the port trust configuration. Using port trust does not provide any support for different traffic types entering a port, but it is a much simpler configuration option. This is the command syntax for port trust: With ports configured to trust received DSCP, the DSCP value for the traffic leaving the switch will be the same as the DSCP value for the traffic entering the trusted ports. After you have configured the trust state, you can use the following commands to verify that the setting has taken effect: This section describes how the switches operate using trusted values. One of the most fundamental principles of QoS is to protect high-priority traffic in the case of oversubscription. The marking and trusting actions described in the "Classifying Traffic from PCs and IP Phones in the Access Layer" section and the "Accepting the Traffic Priority Value on Interswitch Links" section prepare the traffic to handle oversubscription, but they do not provide different levels of service. To achieve differing levels of service, the networking device must have an advanced scheduling algorithm to prioritize traffic as it sends traffic from a particular interface. This scheduling function is responsible for transmitting the high-priority traffic with greater frequency than the low-priority traffic. The net effect is a differentiated service for the various traffic classes. These two concepts are fundamental to the provision of differentiated service for various traffic classes: •Assigning the traffic to a particular queue •Setting the queue scheduling algorithm Once QoS has been enabled, default values are applied for both of these features. For many networks, these default values are sufficient to differentiate the network traffic. For other networks, theses values might need to be adjusted to produce the desired result. Only in rare cases should there be a need for significant changes from the default settings for these features. The Ethernet ports support a variety of queue structures, ranging from a single queue up to an eight-queue architecture. You can compare the queue structure to a group of traffic lanes used to service different traffic types. For example, the police get prioritized treatment when driving down the freeway so that they can get to accidents or crime scenes quickly. In an analogous way, the voice traffic on an IP network requires the same prioritized treatment. The switch uses the queue structure to provide these lanes of differentiated service. The exact queue type is specific to the Ethernet module that you are working with. This example uses a module that has four transmit queues, described as 1p3q8t, which indicates: •One strict priority queue (1p) •Three regular queues supporting Weighted-Round Robin scheduling (3q), each with eight WRED thresholds (8t, not discussed here) The Ethernet ports also have input queue structures, but these are used less often, and because there probably will not be congestion within the switch fabric, this example does not include them. To assign traffic to these queues, you need to configure a mapping of priority values to queues. QoS uses the DSCP-to-CoS map to map the 64 possible outgoing DSCP values to the eight possible 802.1p values, and then uses a CoS-to-queue map to map the CoS values to queues. When the packet enters the switch, QoS is either configured to classify and mark the packet with a configured DSCP value (as in the "Classifying Traffic from PCs and IP Phones in the Access Layer" section) or to trust the packet's incoming DSCP value (as in the "Accepting the Traffic Priority Value on Interswitch Links" section). These options determine the packet's priority as it leaves the switch. This example shows how to display the DSCP-to-CoS mapping: The example marked the voice traffic with a DSCP value of 46. You can use the command output to translate DSCP 46 to CoS 5. You can use the command output to translate the other marked DSCP values to CoS values. You can make changes to this mapping table to suit the needs of your particular network. Only minor changes are typically necessary; this example does not make any changes. For queueing purposes, the configuration derives a CoS value from the outgoing DSCP value. This CoS value is used for queue assignment even if the outgoing port is an access port (that is, not a trunk port). However, there will be no 802.1q VLAN tag transmitted on the network if the outgoing port is an access port. Map each derived CoS value to the queue structure. This example shows how to display the default CoS-to-queue mapping, which shows the queue to which each of the eight CoS values is mapped: You want voice traffic mapped to the strict priority queue, which is queue 4 on 1p3q8t ports. The example maps the DSCP 46 voice traffic to CoS 5, which means that you want the CoS 5 traffic to be mapped to the strict priority queue, and you can use the output of the show queueing interface command to verify that CoS 5 traffic is mapped to the strict priority queue. This is a list of the queue mappings for all of the traffic types in this example:
Traffic that is transmitted through the switch is directed to these different queues (or "traffic lanes") based on priority. Because there are more CoS values (zero through seven) than egress queues (three per interface in this example), there are drop thresholds in each standard (that is, nonstrict priority) queue. When more than one CoS value is assigned to a given queue, different drop thresholds can be assigned to these CoS values to distinguish between the different priorities. The thresholds specify the maximum percentage of the queue that traffic with a given CoS value can use before additional traffic with that CoS value is dropped. The example only uses three QoS values (high, medium, and low), so you can assign each CoS value to a separate queue and use the default 100-percent drop thresholds. You can change the DSCP-to-CoS and CoS-to-queue mapping to suit the needs of your particular network. Only minor changes are typically necessary, and this example includes no changes. If your network requires different mapping, see the "Mapping CoS Values to Standard Transmit-Queue Thresholds" section. Now you understand how traffic is assigned to the available queues on the output ports of the switch. The next concept to understand is how the queue weights operate, which is called the queue scheduling algorithm. The scheduling algorithms used on the Ethernet ports are strict priority (SP) queueing and weighted round robin (WRR) queueing. These algorithms determine the order, or the priority, that the various queues on a port are serviced. The strict priority queueing algorithm is simple. One queue has absolute priority over all of the other queues. Whenever there is a packet in the SP queue, the scheduler will service that queue, which ensures the highest possibility of transmitting the packet and the lowest possible latency in transmission even in periods of congestion. The strict priority queue is ideal for voice traffic because voice traffic requires the highest priority and lowest latency on a network, and it also is a relatively low-bandwidth traffic type, which means that voice traffic is not likely to consume all available bandwidth on a port. You would not want to assign a high-bandwidth application (for example, FTP) to the strict priority queue because the FTP traffic could consume all of the bandwidth available to the port, starving the other traffic classes. The WRR algorithm uses relative weights that are assigned to the WRR queues. If there are three queues and their weights are 100:150:200 (which are the default settings), then queue 1 gets only 22 percent of the available bandwidth, queue 2 gets 33 percent, and queue 3 gets 45 percent. With WRR, none of the queues are restricted to these percentages. If queue 2 and queue 3 do not have any traffic, queue 1 can use all available bandwidth. In this example, queue 1 has a lower priority than queue 2, and queue 2 has a lower priority than queue 3. The low-priority traffic (phone-other and PC-other) maps to queue 1, and the medium-priority traffic (voice-signaling and PC-SAP) maps to queue 2. The strict-priority queue does not require any configuration after traffic has been mapped to it. The WRR queues have a default bandwidth allocation that might be sufficient for your network; if it is not, then you can change the relative weights to suit your traffic types (see the "Allocating Bandwidth Between Standard Transmit Queues" section). The best way to verify that the switch is handling oversubscription is to ensure that there is minimal packet drop. Use the show queueing interface command to determine where that packet loss is happening. This command displays the number of dropped packets for each queue. Rate limiting is a useful way of ensuring that a particular device or traffic class does not consume more bandwidth than expected. On the Ethernet ports, the supported rate-limiting method is called policing. Policing is implemented in the PFC hardware with no performance impact. A policer operates by allowing the traffic to flow freely as long as the traffic rate remains below the configured transmission rate. Traffic bursts are allowed, provided that they are within the configured burst size. Any traffic that exceeds the configured rate and burst can be either dropped or marked down to a lower priority. The benefit of policing is that it can constrain the amount of bandwidth that a particular application consumes, which helps ensure quality of service on the network, especially during abnormal network conditions such as a virus or worm attack. This example focuses on a basic per-interface aggregate policer applied to a single interface in the inbound direction, but you can use other policing options to achieve this same result. The configuration of a policer is similar to the marking example provided in the "Classifying Traffic from PCs and IP Phones in the Access Layer" section because policing uses the same ACL and MQC syntax. The syntax in that example created a class-map to identify the traffic and then created a policy-map to specify how to mark the traffic. The policing syntax is similar enough that we can use the marking example ACL and modify the marking example class map by replacing the set dscp command with a police command. This example reuses the CLASSIFY-OTHER class-map to identify the traffic with a modified IPPHONE-PC policy map to police the matched traffic to a maximum of 50 Mbps, while continuing to mark the traffic that conforms to this rate. The class maps and the ACL and class-map commands that are used to identify the "other" traffic are included below for reference; no changes have been made. •ACL commands: •Class map commands: The difference between this policer configuration and the marking configuration is the policy-map action statements. The marking example uses the set dscp command to mark the traffic with a particular DSCP value. This policing example marks the CLASSIFY-OTHER traffic to a DSCP value of zero and polices that traffic to 50 Mbps. To do this, replace the set dscp command with a police command. The police command allows a marking action to take place: it marks all traffic below the 50 Mbps limit to DSCP 0 and drops any traffic above the 50 Mbps threshold. This is the modified IPPHONE-PC policy map, which includes the police command: These are the police command parameters: •The 50000000 parameter defines the committed information rate (CIR) for traffic allowed in this traffic class. This example configures the CIR to be 50 Mbps. •The 1562500 parameter defines the CIR burst size for traffic in this traffic class; this example uses a default maximum burst size. Set the CIR burst size to the maximum TCP window size used on the network. •The conform action keywords define what the policer does with CLASSIFY-OTHER packets transmitted when the traffic level is below the 50-Mbps rate. In this example, set-dscp-transmit default applies DSCP 0 to those packets. •The exceed action defines what the policer does with CLASSIFY-OTHER packets transmitted when the traffic level is above the 50 Mbps CIR. In this example, exceed action drop drops those packets. This is a basic example of a single rate per-interface aggregate policer. The PFC3 also support a dual-rate policer for providing both CIR and peak information rate (PIR) granularity. Attach the policy map to the appropriate interface using the service-policy input command: To monitor the policing operation, use these commands: This section defines some of the QoS terminology used in this chapter: •Buffers—A storage area used for handling data in transit. Buffers are used in internetworking to compensate for differences in processing speed between network devices. Bursts of data can be stored in buffers until they can be handled by slower processing devices. Sometimes referred to as a packet buffer. •Class of service (CoS) is a Layer 2 QoS label carried in three bits of either an ISL, 802.1Q, or 802.1p header. CoS values range between zero and seven. •Classification is the process used for selecting traffic to be marked for QoS. •Congestion avoidance is the process by which PFC QoS reserves ingress and egress LAN port capacity for Layer 2 frames with high-priority Layer 2 CoS values. PFC QoS implements congestion avoidance with Layer 2 CoS value-based drop thresholds. A drop threshold is the percentage of queue buffer utilization above which frames with a specified Layer 2 CoS value is dropped, leaving the buffer available for frames with higher-priority Layer 2 CoS values. •Differentiated Services Code Point (DSCP) is a Layer 3 QoS label carried in the six most-significant bits of the ToS byte in the IP header. DSCP ranges between 0 and 63. •Frames carry traffic at Layer 2. Layer 2 frames carry Layer 3 packets. •IP Precedence is a Layer 3 QoS label carried in the three most-significant bits of the ToS byte in the IP header. IP precedence ranges between zero and seven. •Labels—See QoS labels. •Marking is the process of setting a Layer 3 DSCP value in a packet; in this publication, the definition of marking is extended to include setting Layer 2 CoS values. Marking changes the value of a label. •Packets carry traffic at Layer 3. •Policing is limiting bandwidth used by a flow of traffic. Policing is done on the PFC and Distributed Forwarding Cards (DFCs). Policing can mark or drop traffic. •Queues—Queues are allocations of buffer space used to temporarily store data on a port. •QoS labels—PFC QoS uses CoS, DSCP, and IP Precedence as QoS labels. QoS labels are prioritization values carried in Layer 3 packets and Layer 2 frames. •Scheduling is the assignment of Layer 2 frames to a queue. PFC QoS assigns frames to a queue based on Layer 2 CoS values. •Shaped round robin (SRR) is a dequeuing algorithm. •Threshold—Percentage of queue capacity above which traffic is dropped. •Type of service (ToS) is a one-byte field that exists in an IP version 4 header that is used to specify the priority value applied to the packet. The ToS field consists of eight bits. The first three bits specify the IP precedence value, which can range from zero to seven, with zero being the lowest priority and seven being the highest priority. The ToS field can also be used to specify a DSCP value. DSCP is defined by the six most significant bits of the ToS. DSCP values can range from 0 to 63. •Weight—Ratio of bandwidth allocated to a queue. Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 22 This chapter describes how to configure Multiprotocol Label Switching (MPLS) quality of service (QoS) in Cisco IOS Release 12.2SX. Note•For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html •MPLS QoS extends to MPLS traffic the PFC QoS features described in Chapter 43 "Configuring PFC QoS." •This chapter provides supplemental information on MPLS QoS features. Be sure that you understand the PFC QoS features before you read this chapter. •All policing and marking available for MPLS QoS are managed from the modular QoS command-line interface (CLI). The modular QoS CLI (MQC) is a command-line interface that allows you to define traffic classes, create and configure traffic policies (policy maps), and then attach those traffic policies to interfaces. A detailed description of the modular QoS CLI can be found in the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/fqos_c.html Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter contains these sections: •Terminology •MPLS QoS Features •MPLS QoS Overview •MPLS QoS •Understanding MPLS QoS •MPLS QoS Default Configuration •MPLS QoS Commands •MPLS QoS Restrictions and Guidelines •Configuring MPLS QoS •MPLS DiffServ Tunneling Modes •Configuring Short Pipe Mode •Configuring Uniform Mode This section defines some MPLS QoS terminology: •Class of Service (CoS) refers to three bits in either an Inter-Switch Link (ISL) header or an 802.1Q header that are used to indicate the priority of the Ethernet frame as it passes through a switched network. The CoS bits in the 802.1Q header are commonly referred to as the 802.1p bits. To maintain QoS when a packet traverses both Layer 2 and Layer 3 domains, the type of service (ToS) and CoS values can be mapped to each other. •Classification is the process used for selecting traffic to be marked for QoS. •Differentiated Services Code Point (DSCP) is the first six bits of the ToS byte in the IP header. DSCP is only present in an IP packet. •E-LSP is a label switched path (LSP) on which nodes infer the QoS treatment for MPLS packets exclusively from the experimental (EXP) bits in the MPLS header. Because the QoS treatment is inferred from the EXP (both class and drop precedence), several classes of traffic can be multiplexed onto a single LSP (use the same label). A single LSP can support up to eight classes of traffic because the EXP field is a 3-bit field. The maximum number of classes would be less after reserving some values for control plane traffic or if some of the classes have a drop precedence associated with them. •EXP bits define the QoS treatment (per-hop behavior) that a node should give to a packet. It is the equivalent of the DiffServ Code Point (DSCP) in the IP network. A DSCP defines a class and drop precedence. The EXP bits are generally used to carry all the information encoded in the IP DSCP. In some cases, however, the EXP bits are used exclusively to encode the dropping precedence. •Frames carry traffic at Layer 2. Layer 2 frames carry Layer 3 packets. •IP precedence is the three most significant bits of the ToS byte in the IP header. •QoS tags are prioritization values carried in Layer 3 packets and Layer 2 frames. A Layer 2 CoS label can have a value ranging between zero for low priority and seven for high priority. A Layer 3 IP precedence label can have a value ranging between zero for low priority and seven for high priority. IP precedence values are defined by the three most significant bits of the 1-byte ToS byte. A Layer 3 DSCP label can have a value between 0 and 63. DSCP values are defined by the six most significant bits of the 1-byte IP ToS field. •LERs (label edge routers) are devices that impose and dispose of labels upon packets; also referred to as Provider Edge (PE) routers. •LSRs (label switching routers) are devices that forward traffic based upon labels present in a packet; also referred to as Provider (P) routers. •Marking is the process of setting a Layer 3 DSCP value in a packet. Marking is also the process of choosing different values for the MPLS EXP field to mark packets so that they have the priority that they require during periods of congestion. •Packets carry traffic at Layer 3. •Policing is limiting bandwidth used by a flow of traffic. Policing can mark or drop traffic. QoS enables a network to provide improved service to selected network traffic. This section explains the following MPLS QoS features, which are supported in an MPLS network: •MPLS Experimental Field •Trust •Classification •Policing and Marking •Preserving IP ToS •EXP Mutation •MPLS DiffServ Tunneling Modes Setting the MPLS experimental (EXP) field value satisfies the requirement of service providers who do not want the value of the IP precedence field modified within IP packets transported through their networks. By choosing different values for the MPLS EXP field, you can mark packets so that packets have the priority that they require during periods of congestion. By default, the IP precedence value is copied into the MPLS EXP field during imposition.You can mark the MPLS EXP bits with an MPLS QoS policy. For received Layer 3 MPLS packets, the PFC usually trusts the EXP value in the received topmost label. None of the following have any effect on MPLS packets: •Interface trust state •Port CoS value •Policy-map trust command For received Layer 2 MPLS packets, the PFC can either trust the EXP value in the received topmost label or apply port trust or policy trust to the MPLS packets for CoS and egress queueing purposes. Classification is the process that selects the traffic to be marked. Classification accomplishes this by partitioning traffic into multiple priority levels, or classes of service. Traffic classification is the primary component of class-based QoS provisioning. The PFC makes classification decisions based on the EXP bits in the received topmost label of received MPLS packets (after a policy is installed). See the "Configuring a Class Map to Classify MPLS Packets" section for information. Policing causes traffic that exceeds the configured rate to be discarded or marked down to a higher drop precedence. Marking is a way to identify packet flows to differentiate them. Packet marking allows you to partition your network into multiple priority levels or classes of service. The MPLS QoS policing and marking features that you can implement depend on the received traffic type and the forwarding operation applied to the traffic. See "Configuring a Policy Map" section for information. The PFC automatically preserves the IP ToS during all MPLS operations including imposition, swapping, and disposition.You do not need to enter a command to save the IP ToS. You can configure a named egress EXP mutation map to mutate the internal DSCP-derived EXP value before it is used as the egress EXP value. You can attach egress EXP mutation maps to these interface types: •LAN port subinterfaces •Layer 3 VLAN interfaces •Layer 3 LAN ports You cannot attach EXP mutation maps to these interface types: •Layer 2 LAN ports (ports configured with the switchport command) •FlexWAN ports or subinterfaces For configuration information, see the"Configuring MPLS QoS Egress EXP Mutation" section. The PFC uses MPLS DiffServ tunneling modes. Tunneling provides QoS transparency from one edge of a network to the other edge of the network. See the "MPLS DiffServ Tunneling Modes" section for information. MPLS QoS enables network administrators to provide differentiated types of service across an MPLS network. Differentiated service satisfies a range of requirements by supplying for each transmitted packet the service specified for that packet by its QoS. Service can be specified in different ways, for example, using the IP precedence bit settings in IP packets. When you send IP packets from one site to another, the IP precedence field (the first three bits of the DSCP field in the header of an IP packet) specifies the QoS. Based on the IP precedence marking, the packet is given the treatment configured for that quality of service. If the service provider network is an MPLS network, then the IP precedence bits are copied into the MPLS EXP field at the edge of the network. However, the service provider might want to set QoS for an MPLS packet to a different value determined by the service offering. In that case, the service provider can set the MPLS EXP field. The IP header remains available for the customer's use; the QoS of an IP packet is not changed as the packet travels through the MPLS network. For more information, see the "MPLS DiffServ Tunneling Modes" section. This section describes how MPLS QoS works. Figure 45-1 shows an MPLS network of a service provider that connects two sites of a customer network. Figure 45-1 MPLS Network Connecting Two Sites of a Customer's IP Network The network is bidirectional, but for the purpose of this document the packets move left to right. In Figure 45-1, the symbols have the following meanings: •CE1—Customer equipment 1 •PE1—Service provider ingress label edge router (LER) •P1—Label switch router (LSR) within the core of the network of the service provider •P2—LSR within the core of the network of the service provider •PE2—service provider egress LER •CE2—Customer equipment 2 Note PE1 and PE2 are at the boundaries between the MPLS network and the IP network. These sections describe LER and LSR operation in an MPLS network. •LERs at the Input Edge of an MPLS Network •LSRs in the Core of an MPLS Network •LERs at the Output Edge of an MPLS Network Note The QoS capabilities at the input interface differ depending on whether the input interface is a LAN port or a port adapter on a FlexWAN or Enhanced FlexWAN module. This section is for LAN ports. For information on a FlexWAN or Enhanced FlexWAN module, see the FlexWAN and Enhanced FlexWAN Installation and Configuration Note. Note Incoming labels are aggregate or nonaggregate. The aggregate label indicates that the arriving MPLS or MPLS VPN packet must be switched through an IP lookup to find the next hop and the outgoing interface. The nonaggregate label indicates that the packet contains the IP next hop information. This section describes how edge LERs can operate at either the ingress or the egress side of an MPLS network. At the ingress side of an MPLS network, LERs process packets as follows: 1. Layer 2 or Layer 3 traffic enters the edge of the MPLS network at the edge LER (PE1). 2. The PFC receives the traffic from the input interface and uses the 802.1p bits or the IP ToS bits to determine the EXP bits and to perform any classification, marking, and policing. For classification of incoming IP packets, the input service policy can also use access control lists (ACLs). 3. For each incoming packet, the PFC performs a lookup on the IP address to determine the next-hop router. 4. The appropriate label is pushed (imposition) into the packet, and the EXP value resulting from the QoS decision is copied into the MPLS EXP field in the label header. 5. The PFC forwards the labeled packets to the appropriate output interface for processing. 6. The PFC also forwards the 802.1p bits or the IP ToS bits to the output interface. 7. At the output interface, the labeled packets are differentiated by class for marking or policing. For LAN interfaces, egress classification is still based on IP, not on MPLS. 8. The labeled packets (marked by EXP) are sent to the core MPLS network. This section describes how LSRs used at the core of an MPLS network process packets: 1. Incoming MPLS-labeled packets (and 802.1p bits or IP ToS bits) from an edge LER (or other core device) arrive at the core LSR. 2. The PFC receives the traffic from the input interface and uses the EXP bits to perform classification, marking, and policing. 3. The PFC3 performs a table lookup to determine the next-hop LSR. 4. An appropriate label is placed (swapped) into the packet and the MPLS EXP bits are copied into the label header. 5. The PFC forwards the labeled packets to the appropriate output interface for processing. 6. The PFC also forwards the 802.1p bits or the IP ToS bits to the output interface. 7. The outbound packet is differentiated by the MPLS EXP field for marking or policing. 8. The labeled packets (marked with EXP) are sent to another LSR in the core MPLS network or to an LER at the output edge. Note Within the service provider network, there is no IP precedence field for the queueing algorithm to use because the packets are MPLS packets. The packets remain MPLS packets until they arrive at PE2, the provider edge router. At the egress side of an MPLS network, LERs process packets as follows: 1. MPLS-labeled packets (and 802.1p bits or IP ToS bits) from a core LSR arrive at the egress LER (PE2) from the MPLS network backbone. 2. The PFC pops the MPLS labels (disposition) from the packets. Aggregate labels are classified using the original 802.1p bits or the IP ToS bits. Nonaggregate labels are classified with the EXP value by default. 3. For aggregate labels, the PFC performs a lookup on the IP address to determine the packet's destination; the PFC then forwards the packet to the appropriate output interface for processing. For non-aggregate labels, forwarding is based on the label. By default, non-aggregate labels are popped at the penultimate-hop router (next to last), not the egress PE router. 4. The PFC also forwards the 802.1p bits or the IP ToS bits to the output interface. 5. The packets are differentiated according to the 802.1p bits or the IP ToS bits and treated accordingly. Note The MPLS EXP bits allow you to specify the QoS for an MPLS packet. The IP precedence and DSCP bits allow you to specify the QoS for an IP packet. MPLS QoS supports IP QoS. For MPLS packets, the EXP value is mapped into an internal DSCP so that the PFC can apply non-MPLS QoS marking and policing. For both the ingress and egress policies, MPLS QoS marking and policing decisions are made on a per-interface basis at an ingress PFC. The ingress interfaces are physical ports, subinterfaces, or VLANs. The QoS policy ACLs are programmed in QoS TCAM separately for ingress and egress lookup. The ternary content addressable memory (TCAM) egress lookup takes place after the IP forwarding table (FIB) and NetFlow lookups are completed. The results of each QoS TCAM lookup yield an index into RAM that contains policer configuration and policing counters. Additional RAM contains the microflow policer configuration; the microflow policing counters are maintained in the respective NetFlow entries that match the QoS ACL. The results of ingress and egress aggregate and microflow policing are combined into a final policing decision. The out-of-profile packets can be either dropped or marked down in the DSCP. This section describes MPLS QoS for the following: •LERs at the EoMPLS Edge •LERs at the IP Edge (MPLS, MPLS VPN) •LSRs at the MPLS Core Note The following sections see QoS features for LAN ports and FlexWAN ports. For details about how the different features work, see the appropriate documentation. This section summarizes the Ethernet over MPLS (EoMPLS) QoS features that function on the LERs. EoMPLS QoS support is similar to IP-to-MPLS QoS: •For EoMPLS, if the port is untrusted, the CoS trust state is automatically configured for VC type 4 (VLAN mode), not for VC type 5 (port mode). 802.1q CoS preservation across the tunnel is similar. •Packets received on tunnel ingress are treated as untrusted for EoMPLS interfaces, except for VC Type 4 where trust CoS is automatically configured on the ingress port and policy marking is not applied. •If the ingress port is configured as trusted, packets received on an EoMPLS interface are never marked by QoS policy in the original IP packet header (marking by IP policy works on untrusted ports). •802.1p CoS is preserved from entrance to exit, if available through the 802.1q header. •After exiting the tunnel egress, queueing is based on preserved 802.1p CoS if 1p tag has been tunnelled in the EoMPLS header (VC type 4); otherwise, queuing is based on the CoS derived from the QoS decision. For Ethernet to MPLS, the ingress interface, MPLS QoS, and egress interface features are similar to corresponding features for IP to MPLS. For more information, see these sections: •Classification for IP-to-MPLS •Classification for IP-to-MPLS Mode MPLS QoS •Classification at IP-to-MPLS Ingress Port •Classification at IP-to-MPLS Egress Port For MPLS to Ethernet, the ingress interface, MPLS QoS, and egress interface features are similar to corresponding features for MPLS to IP except for the case of EoMPLS decapsulation where egress IP policy cannot be applied (packets can be classified as MPLS only). For more information, see these sections: •Classification for MPLS-to-IP •Classification for MPLS-to-IP MPLS QoS •Classification at MPLS-to-IP Ingress Port •Classification at MPLS-to-IP Egress Port. This section provides information about QoS features for LERs at the ingress (CE-to-PE) and egress (PE-to-CE) edges for MPLS and MPLS VPN networks. Both MPLS and MPLS VPN support general MPLS QoS features. See the "MPLS VPN" section for additional MPLS VPN-specific QoS information. The PFC provides the following MPLS QoS capabilities at the IP-to-MPLS edge: •Assigning an EXP value based on the mls qos trust or policy-map command •Marking an EXP value using a policy •Policing traffic using a policy This section provides information about the MPLS QoS classification that the PFC supports at the IP-to-MPLS edge. Additionally, this section provides information about the capabilities provided by the ingress and egress interface modules. The PFC ingress and egress policies for IP traffic classify traffic on the original received IP using match commands for IP precedence, IP DSCP, and IP ACLs. Egress policies do not classify traffic on the imposed EXP value nor on a marking done by an ingress policy. After the PFC applies the port trust and QoS policies, it assigns the internal DSCP. The PFC then assigns the EXP value based on the internal DSCP-to-EXP global map for the labels that it imposes. If more than one label is imposed, the EXP value is the same in each label. The PFC preserves the original IP ToS when the MPLS labels are imposed. The PFC assigns the egress CoS based on the internal DSCP-to-CoS global map. If the default internal DSCP-to-EXP and the internal DSCP-to-CoS maps are consistent, then the egress CoS has the same value as the imposed EXP. If the ingress port receives both IP-to-IP and IP-to-MPLS traffic, classification should be used to separate the two types of traffic. For example, if the IP-to-IP and IP-to-MPLS traffic have different destination address ranges, you can classify traffic on the destination address, and then apply IP ToS policies to the IP-to-IP traffic and apply a policy (that marks or sets the EXP value in the imposed MPLS header) to the IP-to-MPLS traffic. See the following two examples: •A PFC policy to mark IP ToS sets the internal DSCP—If it is applied to all traffic, then for IP-to-IP traffic, the egress port will rewrite the CoS (derived from the internal DSCP) to the IP ToS byte in the egress packet. For IP-to-MPLS traffic, the PFC will map the internal DSCP to the imposed EXP value. •A PFC policy to mark MPLS EXP sets the internal DSCP—If it is applied to all traffic, then for IP-to-IP traffic, the egress port rewrites the IP ToS according to the ingress IP policy (or trust). The CoS is mapped from the ToS. For IP-to-MPLS traffic, the PFC will map the internal DSCP to the imposed EXP value. MPLS QoS at the ingress to PE1supports: •Matching on IP precedence or DSCP values or filtering with an access group •The set mpls experimental imposition and police commands MPLS QoS at the egress of PE1 supports the match mpls experimental topmost command. Classification for IP-to-MPLS is the same as for IP-to-IP. LAN port classification is based on the received Layer 2 802.1Q CoS value. FlexWAN interfaces classify based on information in the received Layer 3 IP header. LAN port classification is based on the received EXP value and the egress CoS values is mapped from that value. FlexWAN interfaces classify traffic when you use the match mpls experimental command to match on the egress CoS as a proxy for the EXP value. The match mpls experimental command does not match on the EXP value in the topmost label. If the egress port is a trunk, the LAN ports copy the egress CoS into the egress 802.1Q field. MPLS QoS supports these capabilities at the MPLS-to-IP edge: •Option to propagate EXP value into IP DSCP on exit from an MPLS domain per egress interface •Option to use IP service policy on the MPLS-to-IP egress interface This section provides information about the MPLS-to-IP MPLS QoS classification. Additionally, this section provides information about the capabilities provided by the ingress and egress modules. The PFC assigns the internal DSCP (internal priority that the PFC assigns to each frame) based on the QoS result. The QoS result is affected by the following: •Default trust EXP value •Label type (per-prefix or aggregate) •Number of VPNs •Explicit NULL use •QoS policy There are three different classification modes: •Regular MPLS classification—For nonaggregate labels, in the absence of MPLS recirculation, the PFC classifies the packet based on MPLS EXP ingress or egress policy. The PFC queues the packet based on COS derived from EXP-to-DSCP-to-CoS mapping. The underlying IP DSCP is either preserved after egress decapsulation, or overwritten from the EXP (through the EXP-to-DSCP map). •IP classification for aggregate label hits in VPN CAM—The PFC does one of the following: –Preserves the underlying IP ToS –Rewrites the IP ToS by a value derived from the EXP-to-DSCP global map –Changes the IP ToS to any value derived from the egress IP policy In all cases, egress queueing is based on the final IP ToS from the DSCP-to-CoS map. •IP classification with aggregate labels not in VPN CAM—After recirculation, the PFC differentiates the MPLS-to-IP packets from the regular IP-to-IP packets based on the ingress reserved VLAN specified in the MPLS decapsulation adjacency. The reserved VLAN is allocated per VRF both for VPN and non-VPN cases. The ingress ToS after recirculation can be either the original IP ToS value, or derived from the original EXP value. The egress IP policy can overwrite this ingress ToS to an arbitrary value. Note For information about recirculation, see the "Recirculation" section. For incoming MPLS packets on the PE-to-CE ingress, the PFC supports MPLS classification only. Ingress IP policies are not supported. PE-to-CE traffic from the MPLS core is classified or policed on egress as IP. MPLS QoS at the ingress to PE2 supports matching on the EXP value and the police command. MPLS QoS at the egress of PE2 supports matching on IP precedence or DSCP values or filtering with an access group and the police command. LAN port classification is based on the EXP value. FlexWAN interfaces classify traffic using the match mpls experimental command. The match mpls experimental command matches on the EXP value in the received topmost label. Note The egress classification queuing is different for LAN and WAN ports. Classification for MPLS-to-IP is the same as it is for IP-to-IP. The LAN interface classification is based on the egress CoS. The FlexWAN interfaces classify traffic on information in the transmitted IP header. If the egress port is a trunk, the LAN ports copy the egress CoS into the egress 802.1Q field. Note For MPLS to IP, egress IP ACL or QoS is not effective on the egress interface if the egress interface has MPLS IP (or tag IP) enabled. The exception is a VPN CAM hit, in which case the packet is classified on egress as IP. The information in this section also applies to an MPLS VPN network. The following PE MPLS QoS features are supported for MPLS VPN: •Classification, policing, or marking of CE-to-PE IP traffic through the VPN subinterface •Per-VPN QoS (per-port, per-VLAN, or per-subinterface) For customer edge (CE)-to-PE traffic, or for CE-to-PE-to-CE traffic, the subinterface support allows you to apply IP QoS ingress or egress policies to subinterfaces and to physical interfaces. Per-VPN policing is also provided for a specific interface or subinterface associated with a given VPN on the CE side. In situations when there are multiple interfaces belonging to the same VPN, you can perform per-VPN policing aggregation using the same shared policer in the ingress or egress service policies for all similar interfaces associated with the same PFC. For aggregate VPN labels, the EXP propagation in recirculation case may not be supported because MPLS adjacency does not know which egress interface the final packet will use. Note For information on recirculation, see the "Recirculation" section. The PFC propagates the EXP value if all interfaces in the VPN have EXP propagation enabled. The following PE MPLS QoS features are supported: •General MPLS QoS features for IP packets •Classification, policing, or marking of CE-to-PE IP traffic through the VPN subinterface •Per-VPN QoS (per-port, per-VLAN, or per-subinterface) This section provides information about MPLS QoS features for LSRs at the core (MPLS-to-MPLS) for MPLS and MPLS VPN networks. Ingress features, egress interface, and PFC features for Carrier Supporting Carrier (CsC) QoS features are similar to those used with MPLS to MPLS described in the next section. A difference between CsC and MPLS to MPLS is that with CsC labels can be imposed inside the MPLS domain. MPLS QoS at the MPLS core supports the following: •Per-EXP policing based on a service policy •Copying the input topmost EXP value into the newly imposed EXP value •Optional EXP mutation (changing of EXP values on an interface edge between two neighboring MPLS domains) on the egress boundary between MPLS domains •Microflow policing based on individual label flows for a particular EXP value •Optional propagation of topmost EXP value into the underlying EXP value when popping the topmost label from a multi-label stack. The following section provides information about MPLS-to-MPLS MPLS QoS classification. Additionally, the section provides information about the capabilities provided by the ingress and egress modules. For received MPLS packets, the PFC ignores the port trust state, the ingress CoS, and any policy-map trust commands. Instead, the PFC trusts the EXP value in the topmost label. Note The MPLS QoS ingress and egress policies for MPLS traffic classify traffic on the EXP value in the received topmost label when you enter the match mpls experimental command. MPLS QoS maps the EXP value to the internal DSCP using the EXP-to-DSCP global map. What the PFC does next depends on whether it is swapping labels, imposing a new label, or popping a label: •Swapping labels—When swapping labels, the PFC preserves the EXP value in the received topmost label and copies it to the EXP value in the outgoing topmost label. The PFC assigns the egress CoS using the internal DSCP-to-CoS global map. If the DSCP global maps are consistent, then the egress CoS is based on the EXP in the outgoing topmost label. The PFC can mark down out-of-profile traffic using the police command's exceed and violate actions. It does not mark in-profile traffic, so the conform action must be transmitted and the set command cannot be used. If the PFC is performing a markdown, it uses the internal DSCP as an index into the internal DSCP markdown map. The PFC maps the result of the internal DSCP markdown to an EXP value using the internal DSCP-to-EXP global map. The PFC rewrites the new EXP value to the topmost outgoing label and does not copy the new EXP value to the other labels in the stack. The PFC assigns the egress CoS using the internal DSCP-to-CoS global map. If the DSCP maps are consistent, then the egress CoS is based on the EXP value in the topmost outgoing label. •Imposing an additional label—When imposing a new label onto an existing label stack, the PFC maps the internal DSCP to the EXP value in the imposed label using the internal DSCP-to-EXP map. It then copies the EXP value in the imposed label to the underlying swapped label. The PFC assigns the egress CoS using the internal DSCP-to-CoS global map. If the DSCP maps are consistent, the egress CoS is based on the EXP value in the imposed label. The PFC can mark in-profile and mark down out-of-profile traffic. After it marks the internal DSCP, the PFC uses the internal DSCP-to-EXP global map to map the internal DSCP to the EXP value in the newly imposed label. The PFC then copies the EXP in the imposed label to the underlying swapped label. The PFC assigns the egress CoS using the internal DSCP-to-CoS global map. Therefore, the egress CoS is based on the EXP in the imposed label. •Popping a label—When popping a label from a multi-label stack, the PFC preserves the EXP value in the exposed label. The PFC assigns the egress CoS using the internal DSCP-to-CoS global map. If the DSCP maps are consistent, then the egress CoS is based on the EXP value in the popped label. •If EXP propagation is configured for the egress interface, the PFC maps the internal DSCP to the EXP value in the exposed label using the DSCP-to-EXP global map. The PFC assigns the egress CoS using the internal DSCP-to-CoS global map. If the DSCP maps are consistent, the egress CoS is based on the EXP value in the exposed label. MPLS QoS at the ingress to P1 or P2 supports the following: •Matching with the match mpls experimental topmost command •The set mpls experimental imposition, police, and police with set imposition commands MPLS QoS at the egress of P1 or P2 supports matching with the match mpls experimental topmost command. LAN port classification is based on the egress CoS from the PFC. FlexWAN interfaces classify traffic using the match mpls experimental command. The match mpls experimental command matches on the EXP value in the received topmost label. LAN port classification is based on the egress CoS value from the PFC. FlexWAN interfaces classify traffic using the match mpls experimental command. The match mpls experimental command matches on the egress CoS; it does not match on the EXP in the topmost label. If the egress port is a trunk, the LAN ports copy the egress CoS into the egress 802.1Q field. This section describes the MPLS QoS default configuration. The following global MPLS QoS settings apply:
•match mpls experimental topmost •set mpls experimental imposition •police •mls qos map exp-dscp •mls qos map dscp-exp •mls qos map exp-mutation •mls qos exp-mutation •show mls qos mpls •no mls qos mpls trust exp Note For information about supported non-MPLS QoS commands, see "Configuring PFC QoS" section. The following commands are not supported: •set qos-group •set discard-class When configuring MPLS QoS, follow these guidelines and restrictions: •For IP-to-MPLS or EoMPLS imposition when the received packet is an IP packet: –When QoS is disabled, the EXP value is based on the received IP ToS. –When QoS is queuing only, the EXP value is based on the received IP ToS. •For EoMPLS imposition when the received packet is a non-IP packet: –When QoS is disabled, the EXP value is based on the ingress CoS. –When QoS is queuing only, the EXP value is based on the received IP ToS. •For MPLS-to-MPLS operations: –Swapping when QoS is disabled, the EXP value is based on the original EXP value (in the absence of EXP mutation). –Swapping when QoS is queuing only, the EXP value is based on the original EXP value (in the absence of EXP mutation). –Imposing additional label when QoS is disabled, the EXP value is based on the original EXP value (in the absence of EXP mutation). –Imposing an additional label when QoS is queuing only, the EXP value is based on the original EXP value (in the absence of EXP mutation). –Popping one label when QoS is disabled, the EXP value is based on the underlying EXP value. –Popping one label when QoS is queuing only, the EXP value is based on the underlying EXP value. •EXP value is irrelevant to MPLS-to-IP disposition. •The no mls qos rewrite ip dscp command is incompatible with MPLS. The default mls qos rewrite ip dscp command must remain enabled in order for the PFC to assign the correct EXP value for the labels that it imposes. •The no mls qos mpls trust exp command allows you to treat MPLS packets simiarly to Layer 2 packets for CoS and egress queueing purposes by applying port trust or policy trust instead of the default EXP value. These sections describe how to configure MPLS QoS: •Enabling QoS Globally •Enabling Queueing-Only Mode •Configuring a Class Map to Classify MPLS Packets •Configuring the MPLS Packet Trust State on Ingress Ports •Configuring a Policy Map •Displaying a Policy Map •Configuring MPLS QoS Egress EXP Mutation •Configuring EXP Value Maps Before you can configure QoS on the PFC, you must enable the QoS functionality globally using the mls qos command. This command enables default QoS conditioning of traffic. When the mls qos command is enabled, the PFC assigns a priority value to each frame. This value is the internal DSCP. The internal DSCP is assigned based on the contents of the received frame and the QoS configuration. This value is rewritten to the egress frame's CoS and ToS fields. To enable QoS globally, perform this task:
This example shows how to enable QoS globally: This example shows how to verify the configuration: To enable queueing-only mode, perform this task:
When you enable queueing-only mode, the router does the following: •Disables marking and policing globally •Configures all ports to trust Layer 2 CoS Note The switch applies the port CoS value to untagged ingress traffic and to traffic that is received through ports that cannot be configured to trust CoS. This example shows how to enable queueing-only mode: If QoS is disabled (no mls qos) for the PFC, the EXP value is determined as follows: •For IP-to-MPLS or EoMPLS imposition when the received packet is an IP packet: –When QoS is disabled (no mls qos), the EXP value is based on the received IP ToS. –When QoS is queuing only (mls qos queueing-only), the EXP value is based on the received IP ToS. •For EoMPLS imposition when the received packet is a non-IP packet: –When QoS is disabled, the EXP value is based on the ingress CoS. –When QoS is queuing only, the EXP value is based on the received IP ToS. •For MPLS-to-MPLS operations: –Swapping when QoS is disabled, the EXP value is based on the original EXP value (in the absence of EXP mutation). –Swapping when QoS is queuing only, the EXP value is based on the original EXP value (in the absence of EXP mutation). –Imposing an additional label when QoS is disabled, the EXP value is based on the original EXP value (in the absence of EXP mutation). –Imposing additional label when QoS is queuing only, the EXP value is based on the original EXP value (in the absence of EXP mutation). –Popping one label when QoS is disabled, the EXP value is based on the underlying EXP value. –Popping one label when QoS is queuing only, the EXP value is based on the underlying EXP value. •EXP value is irrelevant to MPLS-to-IP disposition. You can use the match mpls experimental topmost command to define traffic classes inside the MPLS domain by packet EXP values. This allows you to define service policies to police the EXP traffic on a per-interface basis by using the police command. To configure a class map, perform this task beginning in global configuration mode:
This example shows that all packets that contain MPLS experimental value 3 are matched by the traffic class named exp3: The following restrictions and guidelines apply when classifying MPLS packets: •The match mpls experimental command specifies the name of an EXP field value to be used as the match criterion against which packets are checked to determine if they belong to the class specified by the class map. •To use the match mpls experimental command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish. After you identify the class, you can use the match mpls experimental command to configure its match criteria. •If you specify more than one command in a class map, only the last command entered applies. The last command overrides the previously entered commands. You can use the no mls qos mpls trust exp command to apply port or policy trust to MPLS packets in the same way that you apply them to Layer 2 packets. To configure the MPLS packet trust state of an ingress port, perform this task:
This example shows how to set the trusted state of MPLS packets to untrusted so that the incoming MPLS packets operate like incoming Layer 2 packets. The following restrictions and guidelines apply when using the no mls qos mpls trust exp command to configure the MPLS packet trust state on input ports: •This command affects both Layer 2 and Layer 3 packets; use this command only on interfaces with Layer 2 switched packets. •The no mls qos mpls trust exp command affects ingress marking; it does not affect classification. You can attach only one policy map to an interface. Policy maps can contain one or more policy map classes, each with different policy map commands. Configure a separate policy map class in the policy map for each type of traffic that an interface receives. Put all commands for each type of traffic in the same policy map class. MPLS QoS does not attempt to apply commands from more than one policy map class to matched traffic. To set the value of the MPLS EXP field on all imposed label entries, use the set mpls experimental imposition command in QoS policy-map class configuration mode. To disable the setting, use the no form of this command. Note The set mpls experimental imposition command replaces the set mpls experimental command.
The following example sets the MPLS EXP imposition value according to the DSCP value defined in the MPLS EXP value 3: This example shows how to verify the configuration: When setting the EXP value on all imposed labels, follow these guidelines and restrictions: •Use the set mpls experimental imposition command during label imposition. This command sets the MPLS EXP field on all imposed label entries. •The set mpls experimental imposition command is supported only on input interfaces (imposition). •The set mpls experimental imposition command does not mark the EXP value directly; instead, it marks the internal DSCP that is mapped to EXP through the internal DSCP-to-EXP global map. •It is important to note that classification (based on the original received IP header) and marking (done to the internal DSCP) do not distinguish between IP-to-IP traffic and IP-to-MPLS traffic. The commands that you use to mark IP ToS and mark EXP have the same result as when you mark the internal DSCP. •To set the pushed label entry value to a value different from the default value during label imposition, use the set mpls experimental imposition command. •You optionally can use the set mpls experimental imposition command with the IP precedence, DSCP field, or QoS IP ACL to set the value of the MPLS EXP field on all imposed label entries. •When imposing labels onto the received IP traffic with the PFC, you can mark the EXP field using the set mpls experimental imposition command. For more information on this command, see the Cisco IOS Switching Services Command Reference, Release 12.3 located at this URL: http://www.cisco.com/en/US/docs/ios/mpls/command/reference/mp_s1.html#set_mpls_experimental_imposition Policing is a function in the PFC hardware that provides the ability to rate limit a particular traffic class to a specific rate. The PFC supports aggregate policing and microflow policing. Aggregate policing meters all traffic that ingresses into a port, regardless of different source, destination, protocol, source port, or destination port. Microflow policing meters all traffic that ingresses into a port, on a per flow (per source, destination, protocol, source port, and destination port). For additional information on aggregate and microflow policing, see the "Policers" section. To configure traffic policing, use the police command. For information on this command, see the Cisco IOS Master Command List.
This is an example of creating a policy map with a policer: This is an example of verifying the configuration: The following restrictions and guidelines apply when using the police command to configure a policy map: •With MPLS, the exceed-action action command and the violate-action action command work similarly to IP usage. The packet may get dropped or the EXP value is marked down. For information on how these actions affect IP-to-IP traffic, see the "Configuring a Policy Map" section. •With MPLS, the set-dscp transmit action command and the set-prec-transmit action command set the internal DSCP that is mapped into the CoS bits, which affects queueing, however, they do not change the EXP value, except for imposition. •When swapping labels for received MPLS traffic with the PFC, you can mark down out-of-profile traffic using the police command exceed-action policed-dscp-transmit and violate-action policed-dscp-transmit keywords. The PFC does not mark in-profile traffic; when marking down out-of-profile traffic, the PFC marks the outgoing topmost label. The PFC does not propagate the marking down through the label stack. •With MPLS, the flow key is based on the label and EXP value; there is no flowmask option. Otherwise, flow key operation is similar to IP-to-IP. See the "Configuring a Policy Map" section. •You can use the police command to set the pushed label entry value to a value different from the default value during label imposition. •When imposing labels onto the received IP traffic with the PFC, you can mark the EXP field using the conform-action set-mpls-exp-imposition-transmit keywords. •During IP-to-MPLS imposition, IP ToS marking is not supported. If you configure a policy to mark IP ToS, the PFC marks the EXP value. You can display a policy map with an interface summary for MPLS QoS classes or with the configuration of all classes configured for all service policies on the specified interface. To display an MPLS QoS policy map class summary, perform this task:
This example shows how to display an MPLS QoS policy map class summary: To display the configuration of all classes configured for all service policies on the specified interface, perform this task:
This example shows the configurations for all classes on Fast Ethernet interface 3/27: You can configure a named egress EXP mutation map to mutate the internal DSCP-derived EXP value before it is used as the egress EXP value. You can attach a named egress EXP mutation map to any interface on which PFC QoS supports egress QoS. These sections describe how to configure MPLS QoS EXP mutation: •Configuring Named EXP Mutation Maps •Attaching a Named EXP Mutation Map to an Egress Interface To configure a named EXP mutation map, perform this task:
When configuring a named EXP mutation map, note the following information: •You can configure 7 named EXP mutation maps. •You can enter up to eight EXP values that map to a mutated EXP value. •You can enter multiple commands to map additional EXP values to a mutated EXP value. •You can enter a separate command for each mutated EXP value. •You can attach named EXP mutation maps to any interface on which PFC QoS supports egress QoS. To attach an EXP mutation map to an egress interface, perform this task:
This example shows how to attach the egress EXP mutation map named mutemap2: These sections describe how EXP values are mapped to other values: •Configuring the Ingress-EXP to Internal-DSCP Map •Configuring the Egress-DSCP to Egress-EXP Map To configure the ingress-EXP to internal-DSCP map, perform this task:
This example shows how to configure the ingress-EXP to internal-DSCP map: This example shows how to verify the configuration: To configure the egress-DSCP to egress-EXP map, perform this task:
This example shows how to configure the egress-DSCP to egress-EXP map: Tunneling provides QoS the ability to be transparent from one edge of a network to the other edge of the network. A tunnel starts where there is label imposition. A tunnel ends where there is label disposition; that is, where the label is removed from the stack, and the packet goes out as an MPLS packet with a different per-hop behavior (PHB) layer underneath or as an IP packet with the IP PHB layer. For the PFC, there are two ways to forward packets through a network: •Short Pipe mode—In Short Pipe mode, the egress PE router uses the original packet marking instead of the marking used by the intermediate provider (P) routers. EXP marking does not propagate to the packet ToS byte. For a description of this mode, see the "Short Pipe Mode" section. For the configuration information, see the "Configuring Short Pipe Mode" section. •Uniform mode—In Uniform mode, the marking in the IP packet may be manipulated to reflect the service provider's QoS marking in the core. This mode provides consistent QoS classification and marking throughout the network including CE and core routers. EXP marking is propagated to the underlying ToS byte. For a description, see the "Uniform Mode" section. For the configuration procedure, see the "Configuring Uniform Mode" section. Both tunneling modes affect the behavior of edge and penultimate label switching routers (LSRs) where labels are put onto packets and removed from packets. They do not affect label swapping at intermediate routers. A service provider can choose different types of tunneling modes for each customer. For additional information, see "MPLS DiffServ Tunneling Modes" at this URL: http://www.cisco.com/en/US/docs/ios-xml/ios/mp_te_diffserv/configuration/15-mt/mp-diffserv-tun-mode.html. Short pipe mode is used when the customer and service provider are in different DiffServ domains. It allows the service provider to enforce its own DiffServ policy while preserving customer DiffServ information, which provides a DiffServ transparency through the service provider network. QoS policies implemented in the core do not propagate to the packet ToS byte. The classification based on MPLS EXP value ends at the customer-facing egress PE interface; classification at the customer-facing egress PE interface is based on the original IP packet header and not the MPLS header. Note The presence of an egress IP policy (based on the customer's PHB marking and not on the provider's PHB marking) automatically implies the Short Pipe mode. Figure 45-2 Short Pipe Mode Operation with VPNs Short Pipe mode functions as follows: 1. CE1 transmits an IP packet to PE1 with an IP DSCP value of 1. 2. PE1 sets the MPLS EXP field to 5 in the imposed label entries. 3. PE1 transmits the packet to P1. 4. P1 sets the MPLS EXP field value to 5 in the swapped label entry. 5. P1 transmits the packet to P2. 6. P2 pops the IGP label entry. 7. P2 transmits the packet to PE2. 8. PE2 pops the BGP label. 9. PE2 transmits the packet to CE2, but does QoS based on the IP DSCP value. For additional information, see "MPLS DiffServ Tunneling Modes" at this URL: http://www.cisco.com/en/US/docs/ios-xml/ios/mp_te_diffserv/configuration/15-mt/mp-diffserv-tun-mode.html The following restriction applies to Short Pipe mode: Short Pipe mode is not supported if the MPLS-to-IP egress interface is EoMPLS (the adjacency has the end of marker (EOM) bit set). In Uniform mode, packets are treated uniformly in the IP and MPLS networks; that is, the IP precedence value and the MPLS EXP bits always correspond to the same PHB. Whenever a router changes or recolors the PHB of a packet, that change must be propagated to all encapsulation markings. The propagation is performed by a router only when a PHB is added or exposed due to label imposition or disposition on any router in the packet's path. The color must be reflected everywhere at all levels. For example, if a packet's QoS marking is changed in the MPLS network, the IP QoS marking reflects that change. Figure 45-3 Uniform Mode Operation The procedure varies according to whether IP precedence bit markings or DSCP markings are present. The following actions occur if there are IP precedence bit markings: 1. IP packets arrive in the MPLS network at PE1, the service provider edge router. 2. A label is copied onto the packet. 3. If the MPLS EXP field value is recolored (for example, if the packet becomes out-of-rate because too many packets are being transmitted), that value is copied to the IGP label. The value of the BGP label is not changed. 4. At the penultimate hop, the IGP label is removed. That value is copied into the next lower level label. 5. When all MPLS labels have been removed from the packet that is sent out as an IP packet, the IP precedence or DSCP value is set to the last changed EXP value in the core. The following is an example when there are IP precedence bit markings: 1. At CE1 (customer equipment 1), the IP packet has an IP precedence value of 3. 2. When the packet arrives in the MPLS network at PE1 (the service provider edge router), the IP precedence value of 3 is copied to the imposed label entries of the packet. 3. The MPLS EXP field in the IGP label header might be changed within the MPLS core (for example, at P1) by a mark down. Note Because the IP precedence bits are 3, the BGP label and the IGP label also contain 3 because in Uniform mode, the labels always are identical. The packet is treated uniformly in the IP and MPLS networks. The following restriction applies to the Uniform mode: If the egress IP ACLs or service policies are configured on the MPLS-to-IP exit point, the Uniform mode is always enforced because of recirculation. The MPLS DiffServ tunneling restrictions and usage guidelines are as follows: •One label-switched path (LSP) can support up to eight classes of traffic (that is, eight PHBs) because the MPLS EXP field is a 3-bit field. •MPLS DiffServ tunneling modes support E-LSPs. An E-LSP is an LSP on which nodes determine the QoS treatment for MPLS packet exclusively from the EXP bits in the MPLS header. The following features are supported with the MPLS differentiated service (DiffServ) tunneling modes: •MPLS per-hop behavior (PHB) layer management. (Layer management is the ability to provide an additional layer of PHB marking to a packet.) •Improved scalability of the MPLS layer management by control on managed customer edge (CE) routers. •MPLS can tunnel a packet's QoS (that is, the QoS is transparent from edge to edge). With QoS transparency, the IP marking in the IP packet is preserved across the MPLS network. •The MPLS EXP field can be marked differently and separately from the PHB marked in the IP precedence or DSCP field. The following sections describe how to configure the Short Pipe mode: •Ingress PE Router—Customer Facing Interface •Configuring Ingress PE Router—P Facing Interface •Configuring the P Router—Output Interface •Configuring the Egress PE Router—Customer Facing Interface Note•The steps that follow show one way, but not the only way, to configure Short Pipe mode. •The Short Pipe mode on the egress PE (or PHP) is automatically configured when you attach to the interface an egress service policy that includes an IP class. This procedure configures a policy map to set the MPLS EXP field in the imposed label entries. To set the EXP value, the ingress LAN port must be untrusted. FlexWAN ports do not have the trust concept, but, as with traditional Cisco IOS routers, the ingress ToS is not changed (unless a marking policy is configured). For MPLS and VPN, the ingress PE supports all ingress PFC IP policies. For information about the classification for PFC IP policies based on IP ACL/DSCP/precedence, see Chapter 43 "Configuring PFC QoS." To configure a policy map to set the MPLS EXP field in the imposed label entries, perform this task:
This example shows how to configure a policy map to set the MPLS EXP field in the imposed label entries: This procedure classifies packets based on their MPLS EXP field and provides appropriate discard and scheduling treatments. Note QoS features shown here are available only with FlexWAN and Enhanced FlexWAN modules. To classify packets based on their MPLS EXP field and provide appropriate discard and scheduling treatments, perform this task:
Note The bandwidth command and random-detect command are not supported on LAN ports. This example shows how to classify packets based on their MPLS EXP field and provide appropriate discard and scheduling treatments: Note QoS features shown here are available only with FlexWAN and Enhanced FlexWAN modules. To classify packets based on their MPLS EXP field and provide appropriate discard and scheduling treatments, perform this task:
Note The bandwidth command and random-detect command are not supported on LAN ports. This example shows how to classify packets based on their MPLS EXP field and provide appropriate discard and scheduling treatments: Note QoS features shown here are available only with FlexWAN and Enhanced FlexWAN modules. To classify a packet based on its IP DSCP value and provide appropriate discard and scheduling treatments, perform this task:
Note The bandwidth command and random-detect command are not supported on LAN ports. This example shows how to classify a packet based on its IP DSCP value and provide appropriate discard and scheduling treatments: This section describes how to configure the following: •Configuring the Ingress PE Router—Customer Facing Interface •Configuring the Ingress PE Router—P Facing Interface •Configuring the Egress PE Router—Customer Facing Interface Note The steps that follow show one way, but not the only way, to configure the Uniform mode. For Uniform mode, setting the trust state to IP precedence or IP DSCP allows the PFC to copy the IP PHB into the MPLS PHB. Note This description applies to PFC QoS for LAN ports. For information about FlexWAN and Enhanced FlexWAN QoS, see the FlexWAN and Enhanced FlexWAN Modules Installation and Configuration Guide at this URL: http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/flexwan-config-guide.html. To configure a policy map to set the MPLS EXP field in imposed label entries, perform this task:
This example shows how to configure a policy map to set the MPLS EXP field in imposed label entries: To classify packets based on their MPLS EXP field and provide appropriate discard and scheduling treatments, perform this task:
Note The bandwidth command and random-detect command are not supported on LAN ports. This example shows how to classify packets based on their MPLS EXP field and provide appropriate discard and scheduling treatments: To configure the egress PE router at the customer-facing interface, perform this task:
Note The bandwidth command and random-detect command are not supported on LAN ports. This example shows how to configure the egress PE router at the customer-facing interface: Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 23 This chapter describes how to configure the private hosts feature in Cisco IOS Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter consists of these sections: •Understanding Private Hosts •Configuration Guidelines and Limitations •Configuring Private Hosts The sections that follow provide more detail about the following private hosts concepts: •Private Hosts Overview •Isolating Hosts in a VLAN •Restricting Traffic Flow (Using Private Hosts Port Mode and PACLs) •Port ACLs Service providers typically deliver triple-play services (voice, video, and data) using three different VLANs over a single physical interface for each end user. The service infrastructure would be simpler and more scalable if the service provider could deploy a single set of VLANs to multiple end users for the same set of services, but the service provider must be able to isolate traffic between the users (hosts) at Layer 2. The private hosts feature provides this isolation, allowing VLAN sharing among multiple end users. The private hosts feature provides these key benefits: •Isolates traffic among hosts (subscribers) that share the same VLAN ID. •Reuses VLAN IDs across different subscribers, which improves VLAN scalability by making better use of the 4096 VLANs allowed. •Prevents media access control (MAC) address spoofing to prevent denial of service (DOS) attacks. The private hosts feature uses protocol-independent port-based access control lists (PACLs) to provide Layer 2 isolation between hosts on trusted ports within a strictly Layer 2 domain. The PACLs isolate the hosts by imposing Layer 2 forwarding constraints on the switch ports. By isolating the hosts, a service provider can use a single set of VLANs to deliver the same set of broadband or metro Ethernet services to multiple end users while ensuring that none of the hosts in the VLAN can communicate directly with each other. For example, VLAN 10 can be used for voice traffic, VLAN 20 for video traffic, and VLAN 30 for data traffic. When the switch is used as a Digital Subscriber Line Access Multiplexer (DSLAM) gigabit Ethernet aggregator, the DSLAM is connected to the switch through a trunk port that can carry data for multiple VLANs. The service provider uses a single physical port and a single set of VLANs to deliver the same set of services to different end users (isolated hosts). A separate VLAN is used for each service (voice, video, and data). Figure 25-1 shows an example of triple-play services being delivered from the switch to multiple end users attached to a DSLAM. In the figure, note the following: •A single trunk link between the switch and the DSLAM carries traffic for all three VLANs. •Virtual circuits (VCs) deliver the VLAN traffic from the DSLAM to individual end users. Figure 25-1 VC to VLAN Mapping
The private hosts feature uses PACLs to restrict the type of traffic that is allowed to flow through each of the ports configured for private hosts. A port's mode (specified when you enable private hosts on the port) determines what type of PACL is applied to the port. Each type of PACL restricts the traffic flow for a different type of traffic (for example, from content servers to isolated hosts, from isolated hosts to servers, and traffic between isolated hosts). The following list describes the port modes used by the private hosts feature (see Figure 25-2): •Isolated—Ports connected to the DSLAMs that the end users (isolated hosts) are connected to. The hosts on the VLANs on these ports need to be isolated from each other. Hosts connected through these ports are allowed to pass unicast traffic to upstream devices only. •Promiscuous—Ports that face the core network or the Broadband Remote Access Server (BRAS) devices and multicast servers that are providing the broadband services. •Mixed—Ports that interconnect switches. These ports can function as either isolated ports or promiscuous ports, depending on Spanning Tree Protocol (STP) topology changes. These ports allow unicast traffic to upstream devices (such as a BRAS or multicast server) only. The private hosts feature restricts traffic flow in these ways: •Broadcast traffic at the ingress of the service provider network is redirected to BRAS and multicast servers (such as video servers). •All unicast traffic between access switches (switches connected to each other) is blocked except for traffic directed toward a BRAS or a multicast server. •The unknown unicast flood blocking (UUFB) feature is used to block unknown unicast traffic on DSLAM-facing ports. Figure 25-2 shows the different types of port modes (isolated, promiscuous, and mixed) used in a private hosts configuration. Figure 25-2 Private Hosts Port Types (Modes)
The private hosts feature creates several types of port ACLs (PACLs) to impose Layer 2 forwarding constraints on switch ports. The software creates PACLs for the different types of private hosts ports based on the MAC addresses of the content servers providing broadband services and the VLAN IDs of the isolated hosts to deliver those services to. You specify the mode in which each private hosts port is to operate and the software applies the appropriate PACL to the port based on the port's mode (isolated, promiscuous, or mixed). The following are examples of the different types of PACLs that are used by the private hosts feature. Isolated Hosts PACL This example shows a PACL for isolated ports: Promiscuous Port PACL This example shows a PACL for promiscuous ports: Mixed Port PACL This example shows a PACL for mixed ports: •General Restrictions •ACL Guidelines •VLANs on the Trunk Port •Interaction with Other Features •Spoofing Protection •Multicast Operation When you configure the private hosts feature, observe the following guidelines and limitations: •The SIP-400 and Enhanced FlexWAN modules do not support private hosts. •Private hosts and private VLANs cannot both be configured on the same port (interface). Both features can coexist on the switch, but the features must be configured on different ports. •Private hosts is an end-to-end feature. You must enable the feature on all of the switches between the DSLAMs and an upstream device such as a BRAS or a multicast server. •Only trusted ports can be configured as isolated ports. •The private hosts feature is supported on Layer 2 interfaces that are configured as trunking switch ports (802.1Q or ISL trunk ports). •The private hosts feature is supported on port-channel interfaces (EtherChannel, Fast EtherChannel, and Gigabit EtherChannel). You must enable private hosts on the port-channel interface; you cannot enable the feature on member ports. •DAI and DHCP snooping cannot be enabled on a private hosts port unless all of the VLANs on the port are configured for snooping. The following configuration guidelines and limitations apply to access control lists (ACLs): •This release of the private hosts feature uses protocol-independent MAC ACLs. Do not apply IP-based ACLs to any port configured for private hosts or you will defeat the private hosts feature (because the switch will not be able to apply a private hosts MAC ACL to the port). •You can configure the following interface types for protocol-independent MAC ACL filtering: –VLAN interfaces with no IP address –Physical LAN ports that support EoMPLS –Logical LAN subinterfaces that support EoMPLS •Protocol-independent MAC ACL filtering applies MAC ACLs to all ingress traffic types (for example, IPv4 traffic, IPv6 traffic, and MPLS traffic, in addition to MAC-layer traffic). •Ingress traffic that is permitted or denied by a protocol-independent MAC ACL is processed by egress interfaces as MAC-layer traffic. You cannot apply egress IP ACLs to traffic permitted or denied by a MAC ACL on an interface configured for protocol-independent MAC ACL filtering. •Do not configure protocol-independent MAC ACL filtering on VLAN interfaces where you have configured an IP address. •Do not configure protocol-independent MAC ACL filtering with microflow policing when the permitted traffic would be bridged or Layer 3 switched in hardware by the PFC3. •Protocol-independent MAC ACL filtering supports microflow policing when the permitted traffic is routed in software by the route processor (RP). •Do not apply any VACLs or RACLs to a port configured for private hosts. To prevent any existing VLAN ACLs (VACLs) and routing ACLs (RACLs) from interfering with a PACL, configure the access-group mode prefer port command on the port. The following guidelines and limitations apply to VLANs: •You can enable IGMP snooping on VLANs that use trunk ports configured for private hosts. •You cannot enable IP multicast on a VLAN that uses a trunk port that is configured for private hosts. •Because PACLs operate in override mode on trunk ports, you cannot apply VLAN-based features to switch ports. •The Multicast VLAN Registration (MVR) feature can coexist with private hosts as long as the multicast source exists on a promiscuous port. The private hosts feature interacts with other features that are configured on the switch as follows: •Private hosts do not affect Layer 2-based services such as MAC limiting, unicast flood protection (UFP), or unknown unicast flood blocking (UUFB). •The private hosts features does not affect IGMP snooping. However, if IGMP snooping is globally disabled, IGMP control packets will be subject to ACL checks. To permit IGMP control packets, the private hosts software adds a multicast permit statement to the PACLs for isolated hosts. This operation occurs automatically and no user intervention is required. •Port security can be enabled on isolated ports to provide added security to those ports. •When enabled on promiscuous or mixed-mode ports, the port security feature may restrict a change in source port for an upstream device (such as a BRAS or a multicast server). •When enabled on an access port, 802.1X is not affected by the private hosts feature. The private hosts feature prevents MAC address spoofing but does not validate the customer MAC or IP address. To prevent MAC address spoofing, the private hosts feature does the following: •Uses a static MAC address for a BRAS or a multicast server. •Disables learning in the Layer 2 forwarding table. •Alerts the switch software when a BRAS or multicast server moves from one source port to another. The software then validates the move and updates the Layer 2 forwarding table. Multicast traffic that originates from an upstream device (such as a BRAS or a multicast server) is always permitted. In addition, the private hosts PACLs are not applied to multicast control packets (such as IGMP query and join requests). This operation allows isolated hosts to participate in multicast groups, respond to IGMP queries, and receive traffic from any groups of interest. Multicast traffic that originates from a host is dropped by the private hosts PACLs. However, if other hosts need to receive multicast traffic originating from a host, the private hosts feature adds a multicast permit entry to the PACLs. The following sections provide information about configuring the private hosts feature in Cisco IOS Release 12.2SX: •Configuration Summary •Detailed Configuration Steps •Configuration Examples •Enabling Index Learning on Isolated Mode Ports The following is a summary of the steps to configure the private hosts feature. Detailed configuration instructions are provided in the next section. 1. Determine which switch ports (interfaces) to use for the private hosts feature. –You can configure the feature on switch ports (802.1Q or ISL trunk ports) –You can configure the feature on port-channel interfaces. Private hosts must be enabled on the port-channel interface; you cannot enable the feature on member ports. 2. Configure each port (interface) for normal, non-private hosts service. Configure the access-group mode prefer port command on the port. You can configure the VLANs at this step or later. 3. Determine which VLAN or set of VLANs will be used to deliver broadband services to end users. The private hosts feature will provide Layer 2 isolation among the hosts in these VLANs. 4. Identify the MAC addresses of all of the BRASs and multicast servers that are being used to provide broadband services to end users (isolated hosts). Note If a server is not connected directly to the switch, determine the MAC address of the core network device that provides access to the server. 5. (Optional) If you plan to offer different types of broadband service to different sets of isolated hosts, create multiple MAC and VLAN lists. –Each MAC address list identifies a server or set of servers providing a particular type of service. –Each VLAN list identifies the isolated hosts to deliver that service to. 6. Configure promiscuous ports and specify a MAC and VLAN list to identify the server and receiving hosts for a particular type of service. Note You can specify multiple MAC and VLAN combinations to allow different types of services to be delivered to different sets of hosts. For example, the BRAS at xxxx.xxxx.xxxx could be used to deliver a basic set of services over VLANs 20, 25, and 30, and the BRAS at yyyy.yyyy.yyyy could be used to deliver a premium set of services over VLANs 5, 10, and 15. 7. Globally enable private hosts. 8. Enable private hosts on individual ports (interfaces) and specify the mode in which the port is to operate. To determine port mode, you need to know if the port faces upstream (toward content servers or core network), faces downstream (toward DSLAMs), or is connected to another switch (typically, in a ring topology). See the "Restricting Traffic Flow (Using Private Hosts Port Mode and PACLs)" section. After you enable the feature on individual ports, the switch is ready to run the private hosts feature. The private hosts software uses the MAC and VLAN lists you defined to create the isolated, promiscuous, and mixed-mode PACLs for your configuration. The software then applies the appropriate PACL to each private hosts port based on the port's mode. To configure the private hosts feature, perform the following steps. These steps assume that you have already configured the Layer 2 interfaces that you plan for private hosts. Note You can configure private hosts only on trunking switch ports (802.1Q or ISL trunk ports) or EtherChannel ports. In addition, you must enable private hosts on all of the switches between the DSLAMs and upstream devices.
The following example creates a MAC address list and a VLAN list and isolates the hosts in VLANs 10, 12, 15, and 200 through 300. The BRAS-facing port is made promiscuous and two host-connected ports are made isolated: The following example shows the interface configuration of a private hosts isolated port: The following example shows the interface configuration of a private hosts promiscuous port: By default, MAC address movement (index learning) is disabled between isolated-mode ports. When wireless access points are connected to isolated-mode ports, a wireless user can make an initial connection, but with the default private hosts configuration (index learning disabled), the MAC address of the wireless user will not be learned on any other isolated-mode ports, which prevents connection through any other wireless access point that is connected to an isolated-mode port. To allow wireless users to move from one wireless access point to another, enable index learning on isolated mode ports, which enables MAC address movement between isolated-mode ports. To enable index learning on the switch, perform this task:
This example shows how to enable index learning on the switch: Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum Page 24 EnergyWise is a Cisco energy management architecture that provides a common approach to configuring, reporting and managing the power consumed by Cisco switches and attached devices. With Cisco EnergyWise, power can be managed on a network, sub-network or network element level.
EnergyWise configuration procedures for the Catalyst 6500 Series are documented in the "Cisco EnergyWise Configuration Guide, EnergyWise Phase 2" located at the following URL: http://www.cisco.com/en/US/docs/switches/lan/energywise/phase2/ios/configuration/guide/ew_v2.html Additional Cisco EnergyWise documents, such as White Papers, Data Sheets, FAQs, andare located at the following URL: http://www.cisco.com/en/US/products/ps10195/ Cisco EnergyWise Orchestrator configuration guides are located at the following URL: http://www.cisco.com/en/US/products/ps10195/products_installation_and_configuration_guides_list.html Page 25
This chapter describes how to use the command-line interface (CLI) to configure Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet LAN ports for Layer 2 switching in Cisco IOS Release 12.2SX. The configuration tasks in this chapter apply to LAN ports on switching modules and to the LAN ports on the supervisor engine and Cisco ME 6500 Series Ethernet switches. Note ● For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html This chapter consists of these sections: These sections describe how Layer 2 switching works in Cisco IOS Release 12.2SX: These sections describe Layer 2 Ethernet switching: Layer 2 Ethernet ports on Cisco switches support simultaneous, parallel connections between Layer 2 Ethernet segments. Switched connections between Ethernet segments last only for the duration of the packet. New connections can be made between different segments for the next packet. Cisco switches that support Layer 2 Ethernet ports solve congestion problems caused by high-bandwidth devices and by a large number of users by assigning each device (for example, a server) to its own 10-, 100-, or 1000-Mbps collision domain. Because each LAN port connects to a separate Ethernet collision domain, servers in a properly configured switched environment achieve full access to the bandwidth. Because collisions cause significant congestion in Ethernet networks, an effective solution is full-duplex communication. Normally, Ethernet operates in half-duplex mode, which means that stations can either receive or transmit. In full-duplex mode, two stations can transmit and receive at the same time. When packets can flow in both directions simultaneously, the effective Ethernet bandwidth doubles. Each Layer 2 Ethernet port can connect to a single workstation or server, or to a hub through which workstations or servers connect to the network. On a typical Ethernet hub, all ports connect to a common backplane within the hub, and the bandwidth of the network is shared by all devices attached to the hub. If two stations establish a session that uses a significant level of bandwidth, the network performance of all other stations attached to the hub is degraded. To reduce degradation, the switch considers each LAN port to be an individual segment. When stations connected to different LAN ports need to communicate, the switch forwards frames from one LAN port to the other at wire speed to ensure that each session receives full bandwidth. To switch frames between LAN ports efficiently, the switch maintains an address table. When a frame enters the switch, it associates the MAC address of the sending network device with the LAN port on which it was received. The MAC address table is built by using the source MAC address of the frames received. When the switch receives a frame for a destination MAC address not listed in its address table, it floods the frame to all LAN ports of the same VLAN except the port that received the frame. When the destination station replies, the switch adds its relevant source MAC address and port ID to the address table. The switch then forwards subsequent frames to a single LAN port without flooding to all LAN ports. In PFC3C and PFC3CXL mode, the MAC address table can store at 96,000 address entries (for other PFC3 modes, 64,000 address entries) without flooding any entries. The switch uses an aging mechanism, defined by a configurable aging timer, so if a MAC address remains inactive for a specified number of seconds, it is removed from the address table. With distributed switching, each DFC-equipped switching module learns MAC addresses, maintains a MAC address table, and ages table entries. By enabling MAC address table synchronization over the Ethernet Out of Band Channel (EOBC), you can configure the switch to allow sharing and synchronization of the address tables among all DFCs and supervisor engines in the switch, eliminating the need for flooding by a DFC for an address that is active on another DFC. In VSS mode or when a WS-6708-10G switching module is present in the system, MAC synchronization is automatically enabled. Otherwise, MAC synchronization must be enabled manually by entering the mac-address-table synchronize command. You can configure the switch to maintain a history of dynamic additions and removals of address table entries associated with a particular LAN port. The change history can be sent as an SNMP trap notification or it can be read manually from the SNMP MIB. These sections describe VLAN trunks in Cisco IOS Release 12.2SX:
Note For information about VLANs, see Chapter23, “Configuring VLANs” A trunk is a point-to-point link between the switch and another networking device. Trunks carry the traffic of multiple VLANs over a single link and allow you to extend VLANs across an entire network. Two trunking encapsulations are available on all Ethernet ports:
Note The following switching modules do not support ISL encapsulation: • WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6148-GE-45AF
You can configure a trunk on a single Ethernet port or on an EtherChannel. For more information about EtherChannel, see Chapter19, “Configuring EtherChannels” Ethernet trunk ports support several trunking modes (see Table 17-2). You can specify whether the trunk uses ISL or 802.1Q encapsulation, and if the encapsulation type is autonegotiated. Note You can configure LAN ports to negotiate the encapsulation type. You cannot configure WAN interfaces to negotiate the encapsulation type. The Dynamic Trunking Protocol (DTP) manages trunk autonegotiation on LAN ports. DTP supports autonegotiation of both ISL and 802.1Q trunks. To autonegotiate trunking, the LAN ports must be in the same VTP domain. Use the trunk or nonegotiate keywords to force LAN ports in different domains to trunk. For more information on VTP domains, see Chapter22, “Configuring VTP” Table 17-1 lists the Ethernet trunk encapsulation types.
The trunking mode, the trunk encapsulation type, and the hardware capabilities of the two connected LAN ports determine whether a link becomes an ISL or 802.1Q trunk. Table 17-2 lists the Layer 2 LAN port modes and describes how they function on LAN ports.
Note DTP is a point-to-point protocol. However, some internetworking devices might forward DTP frames improperly. To avoid this problem, ensure that LAN ports connected to devices that do not support DTP are configured with the access keyword if you do not intend to trunk across those links. To enable trunking to a device that does not support DTP, use the nonegotiate keyword to cause the LAN port to become a trunk but not generate DTP frames. Table 17-3 shows the Layer 2 LAN port default configuration.
When configuring Layer 2 LAN ports, follow these guidelines and restrictions:
– WS-X6502-10GE – WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6548-GE-45AF – WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6148-GE-45AF
– When connecting Cisco switches through an 802.1q trunk, make sure the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk is different from the native VLAN on the other end, spanning tree loops might result. – Disabling spanning tree on the native VLAN of an 802.1Q trunk without disabling spanning tree on every VLAN in the network can cause spanning tree loops. We recommend that you leave spanning tree enabled on the native VLAN of an 802.1Q trunk. If this is not possible, disable spanning tree on every VLAN in the network. Make sure your network is free of physical loops before disabling spanning tree. – When you connect two Cisco switches through 802.1Q trunks, the switches exchange spanning tree BPDUs on each VLAN allowed on the trunks. The BPDUs on the native VLAN of the trunk are sent untagged to the reserved IEEE 802.1d spanning tree multicast MAC address (01-80-C2-00-00-00). The BPDUs on all other VLANs on the trunk are sent tagged to the reserved Cisco Shared Spanning Tree (SSTP) multicast MAC address (01-00-0c-cc-cc-cd). – Non-Cisco 802.1Q switches maintain only a single instance of spanning tree (the Mono Spanning Tree, or MST) that defines the spanning tree topology for all VLANs. When you connect a Cisco switch to a non-Cisco switch through an 802.1Q trunk, the MST of the non-Cisco switch and the native VLAN spanning tree of the Cisco switch combine to form a single spanning tree topology known as the Common Spanning Tree (CST). – Because Cisco switches transmit BPDUs to the SSTP multicast MAC address on VLANs other than the native VLAN of the trunk, non-Cisco switches do not recognize these frames as BPDUs and flood them on all ports in the corresponding VLAN. Other Cisco switches connected to the non-Cisco 802.1q cloud receive these flooded BPDUs. This allows Cisco switches to maintain a per-VLAN spanning tree topology across a cloud of non-Cisco 802.1Q switches. The non-Cisco 802.1Q cloud separating the Cisco switches is treated as a single broadcast segment between all switches connected to the non-Cisco 802.1q cloud through 802.1q trunks. – Make certain that the native VLAN is the same on all of the 802.1q trunks connecting the Cisco switches to the non-Cisco 802.1q cloud. – If you are connecting multiple Cisco switches to a non-Cisco 802.1q cloud, all of the connections must be through 802.1q trunks. You cannot connect Cisco switches to a non-Cisco 802.1q cloud through ISL trunks or through access ports. Doing so causes the switch to place the ISL trunk port or access port into the spanning tree “port inconsistent” state and no traffic will pass through the port. These sections describe how to configure Layer 2 switching in Cisco IOS Release 12.2SX: Note Use the default interface {ethernet | fastethernet | gigabitethernet | tengigabitethernet} slot/port command to revert an interface to its default configuration. To configure a LAN port for Layer 2 switching, perform this task:
After you enter the switchport command, the default mode is switchport mode dynamic desirable. If the neighboring port supports trunking and is configured to allow trunking, the link becomes a Layer 2 trunk when you enter the switchport command. By default, LAN trunk ports negotiate encapsulation. If the neighboring port supports ISL and 802.1Q encapsulation and both ports are set to negotiate the encapsulation type, the trunk uses ISL encapsulation (10-Gigabit Ethernet ports do not support ISL encapsulation). Note When using the switchport command, if a port configured for Layer 3 is now configured for Layer 2, the configuration for Layer 3 is retained in the memory but not in the running configuration and is applied to the port whenever the port switches back to Layer 3. Also, if a port configured for Layer 2 is now configured for Layer 3, the configuration for Layer 2 is retained in the memory but not in the running configuration and is applied to the port whenever the port switches back to Layer 2. To restore the default configuration of the port in the memory and in the running configuration, use the default interface command. To avoid potential issues while changing the role of a port using the switchport command, shut down the interface before applying the switchport command. With Release 12.2(33)SXF and later releases, to enable the out-of-band MAC address table synchronization feature, perform this task:
When configuring out-of-band MAC address table synchronization, note the following information:
– A WS-6708-10G switching module is installed in the switch. – The switch is part of a virtual switch system (VSS) running Cisco IOS Release 12.2(33)SXI4 or a later release.
This example shows how to enable out-of-band MAC address table synchronization: Note ● Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section.
With Release 12.2(33)SXH and later releases, to configure the MAC address table notification feature, perform this task:
When configuring the notification parameters, note the following information:
This example shows how to configure the SNMP notification of dynamic additions to the MAC address table of addresses on the Fast Ethernet ports 5/7 and 5/8. Notifications of changes will be sent no more frequently than 5 seconds, and up to 25 changes can be stored and sent in that interval: These sections describe configuring a Layer 2 switching port as a trunk: Note ● Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section.
To configure the Layer 2 switching port as an ISL or 802.1Q trunk, perform this task:
When configuring the Layer 2 switching port as an ISL or 802.1Q trunk, note the following information:
– WS-X6502-10GE – WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6548-GE-45AF – WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6148-GE-45AF Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section. Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section. To configure the Layer 2 trunk to use DTP, perform this task:
When configuring the Layer 2 trunk to use DTP, note the following information:
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section. Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section. To configure the Layer 2 trunk not to use DTP, perform this task:
When configuring the Layer 2 trunk not to use DTP, note the following information: Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section. Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section. To configure the access VLAN, perform this task:
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section. Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section. To configure the 802.1Q native VLAN, perform this task:
When configuring the native VLAN, note the following information:
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section. Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section. To configure the list of VLANs allowed on a trunk, perform this task:
When configuring the list of VLANs allowed on a trunk, note the following information:
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section. Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section. To configure the list of prune-eligible VLANs on the Layer 2 trunk, perform this task:
When configuring the list of prune-eligible VLANs on a trunk, note the following information:
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section. To complete Layer 2 trunk configuration, perform this task:
To verify Layer 2 trunk configuration, perform this task:
This example shows how to configure the Fast Ethernet port 5/8 as an 802.1Q trunk. This example assumes that the neighbor port is configured to support 802.1Q trunking: This example shows how to verify the configuration: To configure a LAN port as a Layer 2 access port, perform this task:
This example shows how to configure the Fast Ethernet port 5/6 as an access port in VLAN 200: This example shows how to verify the configuration: You can configure a custom EtherType field value on a port to support network devices that do not use the standard 0x8100 EtherType field value on 802.1Q-tagged or 802.1p-tagged frames. To configure a custom value for the EtherType field, perform this task:
When configuring a custom EtherType field value, note the following information:
This example shows how to configure the EtherType field value to 0x1234: Page 26 This chapter contains network security information unique to Cisco IOS Release 12.2SX, which supplements the network security information and procedures in these publications: •Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html •Cisco IOS Security Command Reference, Release 12.2, at this URL http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html Note For complete syntax and usage information for the commands used in this chapter, see these publications: •The Cisco IOS Master Command List, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html •The Release 12.2 publications at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuration_guides_list.html Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum This chapter consists of these sections: •Configuring MAC Address-Based Traffic Blocking •Configuring TCP Intercept •Configuring Unicast Reverse Path Forwarding Check To block all traffic to or from a MAC address in a specified VLAN, perform this task:
This example shows how to block all traffic to or from MAC address 0050.3e8d.6400 in VLAN 12: TCP intercept flows are processed in hardware. For configuration procedures, see the Cisco IOS Security Configuration Guide, Release 12.2, "Traffic Filtering and Firewalls," "Configuring TCP Intercept (Preventing Denial-of-Service Attacks)," at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfdenl.html These sections describe configuring unicast reverse path forwarding check (unicast RPF check): •Understanding PFC3 Unicast RPF Check Support •Unicast RPF Check Guidelines and Restrictions •Configuring Unicast RPF Check The unicast RPF check verifies that the source address of received IP packets is reachable. The unicast RPF check discards IP packets that lack a verifiable IP source prefix (route), which helps mitigate problems that are caused by traffic with malformed or forged (spoofed) IP source addresses. For unicast RPF check without ACL filtering, the PFC3 provides hardware support for the RPF check of traffic from multiple interfaces. For unicast RPF check with ACL filtering, the PFC determines whether or not traffic matches the ACL. The PFC sends the traffic denied by the RPF ACL to the route processor (RP) for the unicast RPF check. Packets permitted by the ACL are forwarded in hardware without a unicast RPF check. These sections describe the unicast RPF check guidelines and restrictions: •General Unicast RPF Check Guidelines and Restrictions •Unicast RPF Check Configuration Guidelines and Restrictions When configuring unicast RPF check, follow these guidelines and restrictions: •The PFC does not provide hardware support for the unicast RPF check for policy-based routing (PBR) traffic. (CSCea53554) •Unicast RPF does not provide complete protection against spoofing. Spoofed packets can enter a network through unicast RPF-enabled interfaces if an appropriate return route to the source IP address exists. •The switch applies the same unicast RPF mode to all interfaces where unicast RPF check is configured. Any change that you make in the unicast RPF mode on any interfaces is applied to all interfaces where the unicast RPF check is configured. •The "allow default" options of the unicast RPF modes do not offer significant protection against spoofing. –Strict unicast RPF Check with Allow Default—Received IP traffic that is sourced from a prefix that exists in the routing table passes the unicast RPF check if the prefix is reachable through the input interface. If a default route is configured, any IP packet with a source prefix that is not in the routing table passes the unicast RPF check if the ingress interface is a reverse path for the default route. –Loose unicast RPF Check with Allow Default—If a default route is configured, any IP packet passes the unicast RPF check. •Avoid configurations that overload the route processor with unicast RPF checks. –Do not configure unicast RPF to filter with an ACL. –Do not configure the global unicast RPF "punt" check mode. Although the software supports up to 16 reverse-path interfaces, implement these limits in your configuration: •Unicast RPF Strict Mode—The unicast RPF strict mode provides the greatest security against spoofed traffic. If, on all unicast RPF-check enabled interfaces, the switch receives valid IP traffic through interfaces that are reverse paths for the traffic, then strict mode is an option in these circumstances: –If, on a maximum of 24 interfaces, divided into four groups of six interfaces each, the switch receives valid IP packets that have up to six reverse-path interfaces per source prefix, configure the unicast RPF strict mode with the mls ip cef rpf multipath interface-group command. This option requires you to identify the source prefixes and the interfaces that serve as reverse paths for the source prefixes and to configure interface groups for those reverse path interfaces. All of the reverse-path interfaces for each source prefix must be in the same interface group. You can configure four interface groups, with each group containing up to six reverse-path interfaces. There is no limit on the number of source prefixes that an interface group can support. To ensure that no more than six reverse-path interfaces exist in the routing table for each prefix, enter the maximum-paths 6 command in config-router mode when configuring OSPF, EIGRP, or BGP. IP traffic with one or two reverse-path interfaces that is received on uPPF-check enabled interfaces outside the interface groups passes the unicast RPF check if the ingress interface and at most one other interface are reverse paths. With maximum paths set to six, IP traffic with more than two reverse-path interfaces that is received on uPPF-check enabled interfaces outside the interface groups always pass the unicast RPF check. –If, on any number of interfaces, the switch receives valid IP packets that have one or two reverse path interfaces per source prefix, configure the unicast RPF strict mode with the mls ip cef rpf multipath pass command. To ensure that no more than two reverse-path interfaces exist in the routing table for each prefix, enter the maximum-paths 2 command in config-router mode when configuring OSPF, EIGRP, or BGP. •Unicast RPF Loose Mode with the Pass Global Mode—The unicast RPF loose mode provides less protection than strict mode, but it is an option on switches that receive valid IP traffic on interfaces that are not reverse paths for the traffic. The unicast RPF loose mode verifies that received traffic is sourced from a prefix that exists in the routing table, regardless of the interface on which the traffic arrives. These sections describe how to configure unicast RPF check: •Configuring the Unicast RPF Check Mode •Configuring the Multiple-Path Unicast RPF Check Mode •Enabling Self-Pinging There are two unicast RPF check modes: •Strict check mode, which verifies that the source IP address exists in the FIB table and verifies that the source IP address is reachable through the input port. •Exist-only check mode, which only verifies that the source IP address exists in the FIB table. Note The most recently configured mode is automatically applied to all ports configured for unicast RPF check. To configure unicast RPF check mode, perform this task:
When configuring the unicast RPF check mode, note the following information: •Use the rx keyword to enable strict check mode. •Use the any keyword to enable exist-only check mode. •Use the allow-default keyword to allow use of the default route for RPF verification. •Use the list option to identify an access list. –If the access list denies network access, spoofed packets are dropped at the port. –If the access list permits network access, spoofed packets are forwarded to the destination address. Forwarded packets are counted in the interface statistics. –If the access list includes the logging action, information about the spoofed packets is sent to the log server. Note When you enter the ip verify unicast source reachable-via command, the unicast RPF check mode changes on all ports in the switch. This example shows how to enable unicast RPF exist-only check mode on Gigabit Ethernet port 4/1: This example shows how to enable unicast RPF strict check mode on Gigabit Ethernet port 4/2: This example shows how to verify the configuration: To configure the multiple-path unicast RPF check mode, perform this task:
When configuring multiple path RPF check, note the following information: •punt mode (default)—The PFC3 performs the unicast RPF check in hardware for up to two interfaces per prefix. Packets arriving on any additional interfaces are redirected (punted) to the RP for unicast RPF check in software. •pass mode—The PFC3 performs the unicast RPF check in hardware for single-path and two-path prefixes. Unicast RPF check is disabled for packets coming from multipath prefixes with three or more reverse-path interfaces (these packets always pass the unicast RPF check). •interface-group mode—The PFC3 performs the unicast RPF check in hardware for single-path and two-path prefixes. The PFC3 also performs the unicast RPF check for up to four additional interfaces per prefix through user-configured multipath unicast RPF check interface groups. Unicast RPF check is disabled for packets coming from other multipath prefixes that have three or more reverse-path interfaces (these packets always pass the unicast RPF check). This example shows how to configure punt as the multiple path RPF check mode: To configure multiple-path unicast RPF interface groups, perform this task:
This example shows how to configure interface group 2: With unicast RPF check enabled, by default the switch cannot ping itself. To enable self-pinging, perform this task:
This example shows how to enable self-pinging: Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html Participate in the Technical Documentation Ideas forum |