Page 1
Cisco 7600 Series Router Cisco IOS Software Configuration Guide Release 12.2(18)SXF and Rebuilds and Earlier Releases Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Text Part Number: OL-4266-08...
Configuring the Router for the First Time Default Configuration Configuring the Router Using the Setup Facility or the setup Command Using Configuration Mode Checking the Running Configuration Before Saving Saving the Running Configuration Settings Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX OL-4266-08...
Page 4
Supervisor Engine 32 Ports Configuring the Supervisor Engine 2 and the Switch Fabric Module Using the Slots on a Supervisor Engine 2 Understanding How the Switch Fabric Module Works
Page 6
Using the Interface Command Configuring a Range of Interfaces Defining and Using Interface-Range Macros Configuring Optional Interface Features Configuring Ethernet Interface Speed and Duplex Mode Configuring Jumbo Frame Support
Page 7
Flex Links Default Configuration Flex Links Configuration Guidelines and Restrictions Configuring Flex Links Monitoring Flex Links Configuring EtherChannels Understanding How EtherChannels Work EtherChannel Feature Overview Understanding How EtherChannels Are Configured
Page 8
VLAN Default Configuration VLAN Configuration Guidelines and Restrictions Configuring VLANs VLAN Configuration Options Creating or Modifying an Ethernet VLAN Assigning a Layer 2 LAN Interface to a VLAN
Page 9
Cisco IP Phone Power Configurations Other Cisco IP Phone Features Default Cisco IP Phone Support Configuration Cisco IP Phone Support Configuration Guidelines and Restrictions Configuring Cisco IP Phone Support
Page 10
MST Configuration Guidelines and Restrictions Specifying the MST Region Configuration and Enabling MST Configuring the Root Bridge Configuring a Secondary Root Bridge Configuring Port Priority Configuring Path Cost
Page 11
Common Spanning Tree MST Instances MST Configuration Parameters MST Regions Message Age and Hop Count Default STP Configuration STP and MST Configuration Guidelines and Restrictions Configuring STP Enabling STP
Page 12
Understanding How Root Guard Works Understanding How Loop Guard Works Enabling PortFast Enabling PortFast BPDU Filtering Enabling BPDU Guard Enabling UplinkFast Enabling BackboneFast Enabling EtherChannel Guard Enabling Root Guard Enabling Loop Guard
Page 13
PFC3BXL or PFC3B Mode VPN Switching Operation MPLS VPN Guidelines and Restrictions PFC3BXL or PFC3B Mode MPLS VPN Supported Commands Configuring MPLS VPN MPLS VPN Sample Configuration Any Transport over MPLS AToM Load Balancing
Page 14
Configuring IPv6 Multicast PFC3 and DFC3 Layer 3 Switching Features that Support IPv6 Multicast IPv6 Multicast Guidelines and Restrictions New or Changed IPv6 Multicast Commands Configuring IPv6 Multicast Layer 3 Switching
Page 15
Enabling IP Multicast Layer 3 Switching on Layer 3 Interfaces Configuring the Replication Mode Enabling Local Egress Replication Configuring the Layer 3 Switching Global Threshold Enabling Installation of Directly Connected Subnets
Page 16
Configuring MLDv2 Snooping Enabling MLDv2 Snooping Configuring a Static Connection to a Multicast Receiver Configuring a Multicast Router Port Statically Configuring the MLD Snooping Query Interval Enabling Fast-Leave Processing
Page 18
VACL Configuration Overview Defining a VLAN Access Map Configuring a Match Clause in a VLAN Access Map Sequence Configuring an Action Clause in a VLAN Access Map Sequence
Page 19
Overview of DHCP Snooping Trusted and Untrusted Sources DHCP Snooping Binding Database Packet Validation DHCP Snooping Option-82 Data Insertion Overview of the DHCP Snooping Database Agent Default Configuration for DHCP Snooping
Page 20
Configuring the DAI Interface Trust State Applying ARP ACLs for DAI Filtering Configuring ARP Packet Rate Limiting Enabling DAI Error-Disabled Recovery Enabling Additional Validation Configuring DAI Logging Displaying DAI Information DAI Configuration Samples
Page 21
Policy Map Class Command Restrictions Supported Granularity for CIR and PIR Rate Values Supported Granularity for CIR and PIR Token Bucket Sizes IP Precedence and DSCP Values Configuring PFC QoS
Page 22
Configuring PFC3BXL or PFC3B Mode MPLS QoS Terminology PFC3BXL or PFC3B Mode MPLS QoS Features MPLS Experimental Field Trust Classification Policing and Marking Preserving IP ToS EXP Mutation MPLS DiffServ Tunneling Modes
Page 23
Configuring the Egress PE Router—Customer Facing Interface Configuring Uniform Mode Configuring the Ingress PE Router—Customer Facing Interface Configuring the Ingress PE Router—P Facing Interface Configuring the Egress PE Router—Customer Facing Interface
Page 24
Authentication Initiation and Message Exchange Ports in Authorized and Unauthorized States Supported Topologies Default 802.1X Port-Based Authentication Configuration 802.1X Port-Based Authentication Guidelines and Restrictions Configuring 802.1X Port-Based Authentication
Page 25
Configuring Secure MAC Address Aging on a Port Displaying Port Security Settings Configuring CDP Understanding How CDP Works Configuring CDP Enabling CDP Globally Displaying the CDP Global Configuration Enabling CDP on a Port
Page 26
NDE on the MSFC NDE on the PFC Default NDE Configuration NDE Configuration Guidelines and Restrictions Configuring NDE Configuring NDE on the PFC Configuring NDE on the MSFC
Page 27
Enabling SNMP IfIndex Persistence Globally Disabling SNMP IfIndex Persistence Globally Enabling and Disabling SNMP IfIndex Persistence on Specific Interfaces Clearing SNMP IfIndex Persistence Configuration from a Specific Interface
Page 28
Displaying the Top N Utility Reports Clearing Top N Utility Reports Using the Layer 2 Traceroute Utility Understanding the Layer 2 Traceroute Utility Usage Guidelines Using the Layer 2 Traceroute Utility
Page 31
Contents TestFirmwareDiagStatus Acronyms APPENDIX INDEX
Preface This preface describes who should read the Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX, how it is organized, and its document conventions. For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html...
Page 33
– Internetwork Design Guide
– Internetwork Troubleshooting Guide
– Configuration Builder Getting Started Guide
The Cisco IOS Configuration Guides and Command References are located at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuration_guides_list.html
• For information about MIBs, go to this URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Conventions...
Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
Supported Hardware and Software For complete information about the chassis, modules, and software features supported by the Cisco 7600 series routers, refer to the Release Notes for Cisco IOS Release 12.2SX on the Supervisor Engine 720,...
Router(config)# snmp-server community string rw
Configures the SNMP password for read/write operation.
The default password for accessing the router web page is the enable-level password of the router. Note
Chapter 1 Product Overview Software Features Supported in Hardware by the PFC and DFC For more information about web access to the router, refer to “Using the Cisco Web Browser” in the IOS Configuration Fundamentals Configuration Guide at this URL: http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf005.html...
Page 38
– When you configure NAT and NDE on an interface, the PFC3 sends all traffic in fragmented packets to the MSFC3 to be processed in software. (CSCdz51590)
To configure NAT, refer to the Cisco IOS IP Configuration Guide, Release 12.2, “IP Addressing and Services,” “Configuring IP Addressing,” “Configuring Network Address Translation,” at this URL: http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfipadr.html
Page 39
To configure GRE Tunneling and IP in IP Tunneling, refer to these publications:
http://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/icflogin.html
http://www.cisco.com/en/US/docs/ios/12_2/interface/command/reference/irfshoip.html
To configure the tunnel tos and tunnel ttl commands, refer to this publication:
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_tos.html
Page 40
– The MSFC3 supports tunnels configured with egress features on the tunnel interface. Examples of egress features are output Cisco IOS ACLs, NAT (for inside to outside translation), TCP intercept, CBAC, and encryption.
Cisco IOS Release 12.2SX.
Note: For complete syntax and usage information for the commands used in this chapter, see these publications:
• The Cisco IOS Master Command List, Release 12.2SX at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html
• The Release 12.2 publications at this URL:...
Electronic Industries Alliance (EIA) and Telecommunications Industry Association (TIA). Perform initial configuration over a connection to the EIA/TIA-232 console interface. See the Cisco 7600 Series Router Module Installation Guide for console interface cable connection procedures. To make a console connection, perform this task:...
Press Esc B: Moves the cursor back one word.
Press Esc F: Moves the cursor forward one word.
1. The arrow keys function only on ANSI-compatible terminals such as VT100s.
Fundamentals Configuration Guide at this URL: http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/ffun_c.html The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. To get a list of the commands in a given mode, type a question mark (?) at the system prompt.
The Cisco IOS command interpreter, called the EXEC, interprets and executes the commands you enter. You can abbreviate commands and keywords by entering just enough characters to make the command unique from other commands. For example, you can abbreviate the show command to sh and the configure terminal command to config t.
For more information about TACACS+, see “Configuring TACACS+” at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scftplus.html
For more information about Kerberos, see “Configuring Kerberos” at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfkerb.html
• Configuring a secure connection with SSH or HTTPS
Once you are in ROM-monitor mode, the prompt changes to rommon 1>. Enter a question mark (?) to see the available ROM-monitor commands. For more information about the ROM-monitor commands, see the Cisco IOS Master Command List, Release 12.2SX.
Page 48
Chapter 2 Command-Line Interfaces ROM-Monitor Command-Line Interface
CHAPTER
Configuring the Router for the First Time
This chapter contains information about how to initially configure the Cisco 7600 series router, which supplements the administration information and procedures in these publications:
• Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/ffun_c.html...
You can run the setup facility by entering the setup command at the enable prompt (#).
Step 1 to the user EXEC prompt ( Router> The following display appears after you boot the Cisco 7600 series router (depending on your configuration, your display might not exactly match the example): System Bootstrap, Version 6.1(2) Copyright (c) 1994-2000 by cisco Systems, Inc.
Page 52
The first two sections of the configuration script (the banner and the installed hardware) appear only at initial system startup. On subsequent uses of the setup command facility, the setup script begins with the following System Configuration Dialog.
Page 53
This example of a yes response (displayed during the setup command facility) shows a router with some interfaces already configured:
Current interface summary
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES TFTP administratively down down
Page 54
The enable and enable secret passwords need to be different for effective security. You can enter the same password for both enable and enable secret during the setup script, but you receive a warning message indicating that you should enter a different password.
Class B network is 172.20.0.0, 29 subnet bits; mask is /29 Repeat this step for each interface you need to configure. Proceed to Step 3 to check and verify your configuration parameters.
Chapter 3 Configuring the Router for the First Time Configuring the Router For detailed interface configuration information, refer to the Cisco IOS Interface Configuration Guide at this URL: http://www.cisco.com/en/US/docs/ios/12_2/interface/configuration/guide/finter_c.html Using Configuration Mode If you prefer not to use the setup facility, you can configure the router from configuration mode as follows: Connect a console terminal to the console interface of your supervisor engine.
Reviewing the Configuration To display information stored in NVRAM, enter the show startup-config EXEC command. The display should be similar to the display from the show running-config EXEC command.
171.10.5.10 on the router with a subnet mask and IP address 172.20.3.35 of the forwarding router:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip route 171.10.5.10 255.255.255.255 172.20.3.35
Router(config)# end
Router#
Page 61
0 transport input none
line vty 0 4
exec-timeout 0 0
password lab
login
transport input lat pad dsipcon mop telnet rlogin udptn nasi
Router#
To set the TACACS+ protocol to determine whether or not a user can access privileged EXEC mode, perform this task:
Command: Router(config)# enable use-tacacs
Purpose: Sets the TACACS-style user ID and password-checking mechanism for the privileged EXEC mode.
3-19. Configuring Multiple Privilege Levels By default, the Cisco IOS software has two modes of password security: user EXEC mode and privileged EXEC mode. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
Page 66
Logging In to a Privilege Level
To log in at a specified privilege level, perform this task:
Command: Router# enable level
Purpose: Logs into a specified privilege level.
For example, in ProComm, the Alt-B keys generate the Break signal. In a Windows terminal session, you press the Break or Ctrl and Break keys simultaneously.
ROM-monitor mode. From ROM-monitor mode, you can manually load a software image from bootflash or a Flash PC card.
Note: For complete syntax and usage information for the ROM monitor commands, refer to the Cisco IOS Master Command List, Release 12.2SX publication.
3-3)
0x0040 Causes system software to ignore NVRAM contents
0x0080 bit enabled
0x0100 Break disabled
0x0200 Use secondary bootstrap
0x0400 Internet Protocol (IP) broadcast with all zeros
Page 70
0 or slot 1 on the supervisor engine. If you set the boot field to any bit pattern other than 0 or 1, the system uses the resulting number to form a filename for booting over the network. You must set the boot field for the boot functions you require.
Step 5
Router# reload
Reboots to make your changes take effect.
To modify the configuration register while the router is running Cisco IOS, follow these steps:
Step 1 Enter the enable command and your password to enter privileged level as follows: Router>...
• Flash Memory Configuration Process, page 3-25
Note: The descriptions in the following sections apply to both the bootflash device and to removable flash memory cards.
Flash Memory Configuration Process
To configure your router to boot from flash memory, follow these steps:
Step 1 Copy a system image to flash memory using TFTP or rcp (refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2, “Cisco IOS File Management,” “Loading and Maintaining System Images,”...
CONFIG_FILE variable =
BOOTLDR variable =
Configuration register is 0x2102
Router#
CHAPTER
Configuring a Supervisor Engine 720
This chapter describes how to configure a Supervisor Engine 720 in a Cisco 7600 series router. This chapter contains these sections:
• Using the Bootflash or Bootdisk on a Supervisor Engine 720, page 4-2
• Using the Slots on a Supervisor Engine 720, page 4-2...
The Supervisor Engine 720 has two CompactFlash Type II slots. The CompactFlash Type II slots support CompactFlash Type II Flash PC cards sold by Cisco Systems, Inc. The keywords for the slots on the active Supervisor Engine 720 are disk0: and disk1:. The keywords for the slots on a redundant Supervisor Engine 720 are slavedisk0: and slavedisk1:.
In this mode, all traffic passes between the local bus and the supervisor engine bus. Table 4-1 shows the switching modes used with fabric-enabled and nonfabric-enabled modules installed.
The switch fabric functionality supports a number of show commands for monitoring purposes. A fully automated startup sequence brings the module online and runs the connectivity diagnostics on the ports.
Page 79
Fabric module is not required for system to operate
Modules are allowed to operate in bus mode
Truncated mode is allowed
Module Slot Switching Mode Crossbar dCEF dCEF dCEF Crossbar dCEF
Page 80
This example shows how to display the fabric utilization of all modules:
Router# show fabric utilization all
Lo% Percentage of Low-priority traffic.
Hi% Percentage of High-priority traffic.
slot channel speed Ingress Lo% Egress Lo% Ingress Hi% Egress Hi%
Router#
DDR sync Fabric errors: slot channel sync buffer timeout Router#
Page 82
Chapter 4 Configuring a Supervisor Engine 720 Configuring and Monitoring the Switch Fabric Functionality
CHAPTER
Configuring a Supervisor Engine 32
This chapter describes how to configure a Supervisor Engine 32 in a Cisco 7600 series router. This chapter contains these sections:
• Flash Memory on a Supervisor Engine 32, page 5-2
• Supervisor Engine 32 Ports, page 5-2...
WS-SUP32-10GE ports 1 and 2 are 10 Gigabit Ethernet ports that accept XENPAKs and port 3 is a 10/100/1000 Mbps RJ-45 port.
Note
• Release 12.2(18)SXE and rebuilds of Release 12.2(18)SXE do not support Supervisor Engine 2.
• For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html...
Forwarding Decisions for Layer 3-Switched Traffic Either a PFC2 or a Distributed Feature Card (DFC) makes the forwarding decision for Layer 3-switched traffic as follows:
2. Displayed as fabric mode in show commands.
Configuring the Switch Fabric Module
These sections describe configuring the Switch Fabric Module:
• Configuring the Switching Mode, page 6-4
Page 90
Chapter 6 Configuring the Supervisor Engine 2 and the Switch Fabric Module Monitoring the Switch Fabric Module
Note: The Switch Fabric Module does not require any user configuration.
This example shows how to display the fabric channel switching mode of all modules:
Router# show fabric switching-mode all
bus-only mode is allowed
Module Slot Switching Mode DCEF DCEF No Interfaces DCEF
Displaying Fabric Errors
To display fabric errors of one or all modules, perform this task:
Command: Router# show fabric errors [slot_number | all]
Purpose: Displays fabric errors.
Page 93
Router#
Page 95
Supervisor Engine Redundancy This chapter describes how to configure supervisor engine redundancy using Cisco nonstop forwarding (NSF) with stateful switchover (SSO). For complete syntax and usage information for the commands used in this chapter, refer to the Cisco Note •...
Cisco 7600 series routers support fault resistance by allowing a redundant supervisor engine to take over if the primary supervisor engine fails. Cisco NSF works with SSO to minimize the amount of time a network is unavailable to its users following a switchover while continuing to forward IP packets.
NSF Operation Cisco NSF always runs with SSO and provides redundancy for Layer 3 traffic. NSF works with SSO to minimize the amount of time that a network is unavailable to its users following a switchover. The main purpose of NSF is to continue forwarding IP packets following a supervisor engine switchover.
NSF-capable device in environments where neighbor devices are not NSF-aware. Cisco NSF supports the BGP, OSPF, IS-IS, and EIGRP protocols.
Note: For NSF operation, the routing protocols depend on CEF to continue forwarding packets while the routing protocols rebuild the routing information...
Page 99
OSPF neighbors. Once this exchange is complete, the NSF-capable device uses the routing information to remove stale routes, update the RIB, and update the FIB with the new forwarding information. The OSPF protocols are then fully converged.
Page 100
If the neighbor routers on a network segment are not NSF-aware, you must use the Cisco configuration option. The Cisco IS-IS configuration transfers both protocol adjacency and link-state information from the active to the redundant supervisor engine. An advantage of Cisco configuration is that it does not rely on NSF-aware neighbors.
Page 101
NSF restarts with stale information. Cisco IS-IS Configuration Using the Cisco configuration option, full adjacency and LSP information is saved, or checkpointed, to the redundant supervisor engine. Following a switchover, the newly active supervisor engine maintains its adjacencies using the check-pointed data, and can quickly rebuild its routing tables.
HSRP and SSO can coexist but both features work independently. Traffic that relies on HSRP may switch to the HSRP standby in the event of a supervisor switchover.
SSO can coexist but both features work independently. Traffic that relies on VRRP may switch to the VRRP standby in the event of a supervisor switchover.
• Multiprotocol Label Switching (MPLS) is not supported with Cisco NSF with SSO; however, MPLS...
Hardware Configuration Guidelines and Restrictions
For redundant operation, the following guidelines and restrictions must be met:
• Cisco IOS running on the supervisor engine and the MSFC supports redundant configurations where the supervisor engines and MSFC routers are identical. If they are not identical, one will boot first and become active and hold the other supervisor engine and MSFC in a reset condition.
Configuring Multicast MLS NSF with SSO
Note: The commands in this section are optional and can be used to customize your configuration. For most users, the default settings are adequate.
To verify that CEF is NSF-capable, enter the show cef state command:
router# show cef state
CEF Status [RP]
CEF enabled/running
dCEF enabled/running
CEF switching enabled/running
CEF default capabilities:
Always FIB switching:
Default CEF switching:
Step 1 Verify that “bgp graceful-restart” appears in the BGP configuration of the SSO-enabled router by entering the show running-config command:
Router# show running-config
router bgp 120
To verify OSPF NSF, follow these steps:
Step 1 Verify that ‘nsf’ appears in the OSPF configuration of the SSO-enabled device by entering the show running-config command:
<...Output Truncated...>
Step 2 If the NSF configuration is set to cisco, enter the show isis nsf command to verify that NSF is enabled on the device. Using the Cisco configuration, the display output will be different on the active and redundant RPs.
Enter this command to copy a file to the bootflash: device on a redundant MSFC:
Router# copy source_device:source_filename slavebootflash:target_filename
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page:
http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Supervisor Engine Redundancy
This chapter describes how to configure supervisor engine redundancy using route processor redundancy (RPR) and RPR+.
Note
• For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL:
http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html
...
Supervisor Engine Redundancy Overview
Cisco 7600 series routers support fault resistance by allowing a redundant supervisor engine to take over if the primary supervisor engine fails. Cisco 7600 series routers support these redundancy modes:
• RPR—Supports a switchover time of 2 or more minutes.
After you configure the router through SNMP, copy the running-config file to the startup-config file on the active supervisor engine to trigger synchronization of the startup-config file on the redundant supervisor engine and with RPR+, reload the redundant supervisor engine and MSFC.
• Supervisor engine switchover takes place after the failed supervisor engine completes a core dump. A core dump can take up to 15 minutes. To get faster switchover time, disable core dump on the supervisor engines.
All Automatic Protection System (APS) state information
• Both supervisor engines must run the same version of Cisco IOS software. If the supervisor engines are not running the same version of Cisco IOS software, the redundant supervisor engine comes online in RPR mode.
Command: Router(config-red)# mode {rpr | rpr-plus}
Purpose: Configures RPR or RPR+. When this command is entered, the redundant supervisor engine is reloaded and begins to work in RPR or RPR+ mode.
To display the redundancy states, perform this task:
Command: Router# show redundancy states
Purpose: Displays the redundancy states.
This example shows how to display the redundancy states:
Router# show redundancy states
...
RF debug mask = 0x0
Router#
Performing a Fast Software Upgrade
The fast software upgrade (FSU) procedure supported by RPR allows you to upgrade the Cisco IOS image on the supervisor engines without reloading the system.
Note: If you are performing a first-time upgrade to RPR from EHSA, you must reload both supervisor engines.
Copying Files to an MSFC
Step 1
Command: Router# copy source_device:source_filename {disk0 | disk1}:target_filename
Purpose: Copies the new Cisco IOS image to the disk0: device or the disk1: device on the active supervisor engine.
Command: Router# copy source_device:source_filename
Purpose: Copies the new Cisco IOS image to the bootflash: device on the active supervisor engine.
Configuring RPR and RPR+ Supervisor Engine Redundancy
Copying Files to an MSFC
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page:
http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Configuring Interfaces
This chapter describes how to configure interfaces on the Cisco 7600 series routers. This chapter consists of these sections:
• Understanding Interface Configuration
• Using the Interface Command
...
Note: For WAN interfaces, refer to the configuration note for the WAN module.
• Slot number—The slot in which the module is installed. On the Cisco 7600 series router, slots are numbered starting with 1, from top to bottom.
EXEC prompt, as shown in the following example:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet 5/5
Router(config-if)#
• With releases earlier than Release 12.2(18)SXD, the no interface range command does not support VLAN interfaces.
• With Release 12.2(18)SXD and later releases, the no interface range command supports VLAN interfaces.
If you exit interface-range configuration mode while the commands are being executed, some commands may not be executed on all interfaces in the range. Wait until the command prompt reappears before exiting interface-range configuration mode.
Speed and Duplex Mode Configuration Guidelines
You usually configure Ethernet port speed and duplex mode parameters to auto and allow the Cisco 7600 series router to negotiate the speed and duplex mode between ports. If you decide to configure the port speed and duplex modes manually, consider the following information:
• If you set the Ethernet port speed to auto, the router automatically sets the duplex mode to auto.
Link negotiation does not negotiate port speed. On Gigabit Ethernet ports, link negotiation exchanges flow-control parameters, remote fault information, and duplex information. Link negotiation is enabled by default.
255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:33, output never, output hang never
A jumbo frame is a frame larger than the default Ethernet size. You enable jumbo frame support by configuring a larger-than-default maximum transmission unit (MTU) size on a port or VLAN interface and configuring the global LAN port MTU size.
Configuring a nondefault MTU size on a Gigabit Ethernet port permits ingress packets of any size larger than 64 bytes and limits egress traffic to the global LAN port MTU size.
Command: Router# show running-config interface [{gigabitethernet | tengigabitethernet} slot/port]
Purpose: Displays the running configuration.
type = ethernet, fastethernet, gigabitethernet, tengigabitethernet, or ge-wan
When configuring the MTU size, note the following information:
Configuring IEEE 802.3x Flow Control
Gigabit Ethernet and 10-Gigabit Ethernet ports on the Cisco 7600 series routers use flow control to stop the transmission of frames to the port for a specified time; other Ethernet ports use flow control to respond to flow-control requests.
Enabling the port debounce timer causes link down detections to be delayed, resulting in loss of traffic during the debouncing period. This situation might affect the convergence and reconvergence of some Layer 2 and Layer 3 protocols.
Router(config)# interface fastethernet 5/12
Router(config-if)# link debounce
Router(config-if)# end
This example shows how to display the port debounce timer settings:
Router# show interfaces debounce | include enable
Fa5/12 enable 3100
LEDs before continuing. For module LED descriptions, refer to the Cisco 7600 Series Router Installation Guide. When a module has been removed or installed, the Cisco 7600 series router stops processing traffic for the module and scans the system for a configuration change. Each interface type is verified against the system configuration, and then the system runs diagnostics on the new module.
Router(config-if)# no shutdown
type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
This example shows how to shut down Fast Ethernet port 5/5:
Router(config)# interface fastethernet 5/5
Router(config-if)# shutdown
Router(config-if)#
Note
• TDR can test cables up to a maximum length of 115 meters.
• See the Release Notes for Cisco IOS Release 12.2SX on the Supervisor Engine 720, Supervisor Engine 32, and Supervisor Engine 2 for information about which modules support the TDR.
The configuration tasks in this chapter apply to LAN ports on LAN switching modules and to the LAN ports on the supervisor engine.
Note
• For complete syntax and usage information for the commands used in this chapter, refer to the Cisco...
Ethernet bandwidth doubles.
Switching Frames Between Segments
Each LAN port on a Cisco 7600 series router can connect to a single workstation or server, or to a hub through which workstations or servers connect to the network.
Chapter 10 Configuring LAN Ports for Layer 2 Switching
Understanding How Layer 2 Switching Works
Understanding VLAN Trunks
These sections describe VLAN trunks on the Cisco 7600 series routers:
• Trunking Overview
• Encapsulation Types
Trunking Overview
For information about VLANs, see Chapter 14, “Configuring VLANs.”...
DTP, use the nonegotiate keyword to cause the LAN port to become a trunk but not generate DTP frames.
When configuring Layer 2 LAN ports, follow these guidelines and restrictions:
• The following switching modules do not support ISL encapsulation:
– WS-X6502-10GE
– WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6548-GE-45AF
– WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6148-GE-45AF
802.1Q cloud separating the Cisco switches is treated as a single broadcast segment between all switches connected to the non-Cisco 802.1q cloud through 802.1q trunks.
– Make certain that the native VLAN is the same on all of the 802.1q trunks connecting the Cisco...
To avoid potential issues while changing the role of a port using the switchport command, shut down the interface before applying the switchport command.
• To support the switchport mode trunk command, you must configure the encapsulation as either ISL or 802.1Q.
• The following switching modules do not support ISL encapsulation:
– WS-X6502-10GE
– WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6548-GE-45AF
– WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6148-GE-45AF
• Before entering the switchport mode trunk command, you must configure the encapsulation (see the “Configuring the Layer 2 Switching Port as an ISL or 802.1Q Trunk” section on page 10-8).
Command: Router(config-if)# switchport trunk native vlan vlan_ID
Purpose: (Optional) Configures the 802.1Q native VLAN.
Command: Router(config-if)# no switchport trunk native vlan
Purpose: Reverts to the default value (VLAN 1).
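The trunk guidelines above (encapsulation must be ISL or 802.1Q before switchport mode trunk, and the native VLAN must match on both ends of an 802.1Q trunk, defaulting to VLAN 1) can be checked offline against saved configurations. The following is an added example, not part of the Cisco guide; the device names, interface names, cabling list, and finding labels are constructed, and it assumes the encapsulation command appears explicitly in the saved configuration.

```python
import re

# Constructed running-config excerpts for two hypothetical devices "A" and "B".
CONFIGS = {
    "A": """\
interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
!
interface GigabitEthernet1/2
 switchport
 switchport mode trunk
!
interface GigabitEthernet1/3
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
!
interface FastEthernet5/6
 switchport
 switchport access vlan 10
 switchport mode access
!
""",
    "B": """\
interface GigabitEthernet2/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
!
""",
}

# Constructed cabling: which port on A faces which port on B.
LINKS = [
    (("A", "GigabitEthernet1/1"), ("B", "GigabitEthernet2/1")),
    (("A", "GigabitEthernet1/3"), ("B", "GigabitEthernet2/2")),
]

DEFAULT_NATIVE_VLAN = 1  # "no switchport trunk native vlan" reverts to VLAN 1

PATTERNS = {
    "mode": re.compile(r"switchport mode (\S+)"),
    "encapsulation": re.compile(r"switchport trunk encapsulation (\S+)"),
    "native_vlan": re.compile(r"switchport trunk native vlan (\d+)"),
}


def parse_interfaces(config_text):
    """Return {interface name: {mode, encapsulation, native_vlan}}."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = {"mode": None, "encapsulation": None,
                       "native_vlan": DEFAULT_NATIVE_VLAN}
            interfaces[header.group(1)] = current
        elif current is not None and line.startswith(" "):
            for key, pattern in PATTERNS.items():
                m = pattern.fullmatch(line.strip())
                if m:
                    value = m.group(1)
                    current[key] = int(value) if key == "native_vlan" else value
        else:
            current = None  # "!" or any top-level line closes the interface block
    return interfaces


def audit_trunks(configs, links):
    """Flag trunks lacking ISL/802.1Q encapsulation and native VLAN mismatches."""
    parsed = {dev: parse_interfaces(text) for dev, text in configs.items()}
    findings = []
    for dev in sorted(parsed):
        for name, intf in parsed[dev].items():
            if intf["mode"] == "trunk" and intf["encapsulation"] not in ("isl", "dot1q"):
                findings.append(("trunk-without-encapsulation", dev, name))
    for (dev_a, if_a), (dev_b, if_b) in links:
        a, b = parsed[dev_a][if_a], parsed[dev_b][if_b]
        both_dot1q = all(i["mode"] == "trunk" and i["encapsulation"] == "dot1q"
                         for i in (a, b))
        if both_dot1q and a["native_vlan"] != b["native_vlan"]:
            findings.append(("native-vlan-mismatch",
                             f"{dev_a}:{if_a}", a["native_vlan"],
                             f"{dev_b}:{if_b}", b["native_vlan"]))
    return findings


if __name__ == "__main__":
    for finding in audit_trunks(CONFIGS, LINKS):
        print(finding)
```

A native VLAN mismatch means untagged frames leave one VLAN and arrive in another, so this check is worth running whenever trunk configuration changes.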
• You can remove VLAN 1. If you remove VLAN 1 from a trunk, the trunk interface continues to send and receive management traffic, for example, Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), Port Aggregation Protocol (PAgP), and DTP in VLAN 1.
• The default list of VLANs allowed to be pruned contains all VLANs.
• Network devices in VTP transparent mode do not send VTP Join messages. On Cisco 7600 series routers with trunk connections to network devices in VTP transparent mode, configure the VLANs used by the transparent-mode network devices or that need to be carried across the transparent-mode network devices as pruning ineligible.
Fa5/8 1-1005
Port Vlans allowed and active in management domain
Fa5/8 1-6,10,20,50,100,152,200,300,303-305,349-351,400,500,521,524,570,801-8
02,850,917,999,1002-1005
Port Vlans in spanning tree forwarding state and not pruned
Fa5/8 1-6,10,20,50,100,152,200,300,303-305,349-351,400,500,521,524,570,801-8
02,850,917,999,1002-1005
Router#
For example, a trunk port that is configured with a custom EtherType field value does not recognize the standard 0x8100 EtherType field value on 802.1Q-tagged frames and cannot put the frames into the VLAN to which they belong.
VLAN. If you misconfigure a custom EtherType field value, frames might be placed into the wrong VLAN.
• See the Release Notes for Cisco IOS Release 12.2SX on the Supervisor Engine 720, Supervisor Engine 32, and Supervisor Engine 2 for a list of the modules that support custom IEEE 802.1Q EtherType field values.
This chapter describes how to configure Flex Links on the Cisco 7600 series router. Release 12.2(18)SXF and later releases support Flex Links.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX, at this URL:...
(EtherChannel logical interfaces) as Flex Links, and you can configure a port channel and a physical interface as Flex Links, with either the port channel or the physical interface as the active link.
1. type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page:
http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
This chapter describes how to configure EtherChannels on the Cisco 7600 series router Layer 2 or Layer 3 LAN ports.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL:
http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html
...
You can form an EtherChannel with up to eight compatibly configured LAN ports on any module in a Cisco 7600 series router. All LAN ports in each EtherChannel must be the same speed and must all be configured as either Layer 2 or Layer 3 LAN ports.
• A LAN port in auto mode cannot form an EtherChannel with another LAN port that is also in auto mode, because neither port will initiate negotiation.
You can configure an additional 8 standby ports (total of 16 ports associated with the EtherChannel).
To avoid configuration problems, observe these guidelines and restrictions:
• The commands in this chapter can be used on all LAN ports in Cisco 7600 series routers, including the ports on the supervisor engine and a redundant supervisor engine.
EtherChannel Feature Configuration Guidelines and Restrictions
• When you add a member port that does not support ISL trunking to an EtherChannel, Cisco IOS software automatically adds a switchport trunk encapsulation dot1q command to the port-channel interface to prevent configuration of the EtherChannel as an ISL trunk. The switchport trunk encapsulation dot1q command is inactive when the EtherChannel is not a trunk.
Command: Router(config-if)# ip address ip_address mask
Purpose: Assigns an IP address and subnet mask to the EtherChannel.
Step 3
Command: Router(config-if)# end
Purpose: Exits configuration mode.
Step 4
Command: Router# show running-config interface port-channel group_number
Purpose: Verifies the configuration.
You cannot put Layer 2 LAN ports into a manually created port channel interface.
• For Cisco IOS to create port channel interfaces for Layer 2 EtherChannels, the Layer 2 LAN ports...
Router# show running-config interface fastethernet 5/6
Building configuration...
Current configuration:
interface FastEthernet5/6
 no ip address
 switchport
 switchport access vlan 10
 switchport mode access
 channel-group 2 mode desirable
Step 3
Command: Router# show lacp sys-id
Purpose: Verifies the configuration.
This example shows how to configure the LACP system priority:
Router# configure terminal
Router(config)# lacp system-priority 23456
Router(config)# end
Router# configure terminal
Router(config)# port-channel load-balance src-dst-ip
Router(config)# end
Router(config)#
This example shows how to verify the configuration:
Router# show etherchannel load-balance
Source XOR Destination IP address
Router#
Router(config)# interface port-channel 1
Router(config-if)# port-channel min-links 2
Router(config-if)# end
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page:
http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
This chapter describes how to configure the VLAN Trunking Protocol (VTP) on the Cisco 7600 series routers.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL:
http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html
...
(CLI) or Simple Network Management Protocol (SNMP). By default, the Cisco 7600 series router is in VTP server mode and is in the no-management domain state until the router receives an advertisement for a domain over a trunk link or you configure a management domain.
Configuring VTP
Understanding How VTP Works
Note: Cisco 7600 series routers automatically change from VTP server mode to VTP client mode if the router detects a failure while writing configuration to NVRAM. If this happens, the router cannot be returned to VTP server mode until the NVRAM is functioning.
Switch 1. Switch 1 floods the broadcast, and every network device in the network receives it, even though Switches 3, 5, and 6 have no ports in the Red VLAN. You enable pruning globally on the Cisco 7600 series router (see the “Enabling VTP Pruning” section on page 13-7).
• Before installing a redundant supervisor engine, enter the no vtp file command to return to the default configuration.
• Network devices in VTP transparent mode do not send VTP Join messages. On Cisco 7600 series routers with trunk connections to network devices in VTP transparent mode, configure the VLANs that are used by the transparent-mode network devices or that need to be carried across trunks as pruning ineligible.
This example shows how to enable VTP pruning in the management domain with any release:
Router# vtp pruning
Pruning switched ON
This example shows how to verify the configuration:
Router# show vtp status | include Pruning
VTP Pruning Mode: Enabled
Router#
Router# vtp version 2
V2 mode enabled.
Router#
This example shows how to verify the configuration:
Router# show vtp status | include V2
VTP V2 Mode: Enabled
Router#
This example shows how to configure the router as a VTP client:
Router# configure terminal
Router(config)# vtp mode client
Setting device to VTP CLIENT mode.
Router(config)# exit
Router#
Summary advertisements received
Subset advertisements received
Request advertisements received
Summary advertisements transmitted : 997
Subset advertisements transmitted : 13
Request advertisements transmitted : 3
Number of config revision errors
Summary advts received from non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
Fa5/8 43071 42766
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page:
http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Configuring VLANs
This chapter describes how to configure VLANs on the Cisco 7600 series routers.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL:
http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html
...
20-2). Cisco 7600 series routers support 4096 VLANs in accordance with the IEEE 802.1Q standard. These VLANs are organized into several ranges; you use each range slightly differently. Some of these VLANs are propagated to other switches in the network when you use the VLAN Trunking Protocol (VTP). The extended-range VLANs are not propagated, so you must configure extended-range VLANs manually on each network device.
Note: Cisco 7600 series routers do not support Inter-Switch Link (ISL)-encapsulated Token Ring frames. When a Cisco 7600 series router is configured as a VTP server, you can configure Token Ring VLANs from the router.
Token Ring TrBRF VLANs...
For source routing, the Cisco 7600 series router appears as a single bridge between the logical rings. The TrBRF can function as a source-route bridge (SRB) or a source-route transparent (SRT) bridge running either the IBM or IEEE STP. If an SRB is used, you can define duplicate MAC addresses on different logical rings.
TrCRFs through the backup TrCRF. When the ISL connection is reestablished, all but one port in the backup TrCRF is disabled. Figure 14-4 illustrates the backup TrCRF.
Parameter               Default          Range
VLAN ID                 1002             1–1005
VLAN name               “fddi-default”   —
802.10 SAID             101002           1–4294967294
MTU size                1500             1500–18190
Ring number                              1–4095
Parent VLAN                              0–1005
Translational bridge 1                   0–1005
Table 14-6 Token Ring (TrBRF) VLAN Defaults and Ranges
Parameter               Default          Range
VLAN ID                 1005             1–1005
VLAN name               “trnet-default”  —
802.10 SAID             101005           1–4294967294
VLANs in VLAN database mode. See the “VLAN Configuration Options” section on page 14-9.
• Before you can create a VLAN, the Cisco 7600 series router must be in VTP server mode or VTP transparent mode. For information on configuring VTP, see Chapter 13, “Configuring VTP.”...
Note: VLANs support a number of parameters that are not discussed in detail in this section. For complete information, refer to the Cisco IOS Master Command List, Release 12.2SX publication.
VLAN Configuration Options
These sections describe the VLAN configuration options:
• VLAN Configuration in Global Configuration Mode
...
• Enter the descending keyword to allocate internal VLAN from 4094 and down.
This example shows how to configure descending as the internal VLAN allocation policy:
Router# configure terminal
Router(config)# vlan internal allocation policy descending
Translations Number of Number of VLAN Translation
Product Number Ports Port Groups Port Group Port Group Trunk-Type Support
WS-SUP720-3BXL 1–2 802.1Q
WS-SUP720-3B
WS-SUP720
WS-SUP32-10GE 1, 2–3 802.1Q
802.1Q
WS-X6548-RJ-21 1–48 802.1Q
Note: To configure a port as a trunk, see the “Configuring a Layer 2 Switching Port as a Trunk” section on page 10-8.
Command: Router(config)# interface type slot/port
Purpose: Selects the LAN port to configure.
Step 2
Command: Router(config-if)# switchport vlan mapping enable
Purpose: Enables VLAN translation.
Command: Router(config-if)# no switchport vlan mapping enable
Purpose: Disables VLAN translation.
802.1Q VLANs in the range 1 through 1001 and 1006 through 4094 are automatically mapped to the corresponding ISL VLAN. 802.1Q VLAN numbers corresponding to reserved VLAN numbers must be mapped to an ISL VLAN in order to be recognized and forwarded by Cisco network devices. These restrictions apply when mapping 802.1Q VLANs to ISL VLANs:
• You can configure up to eight 802.1Q-to-ISL VLAN mappings on the Cisco 7600 series router.
To copy the file (binary), use the copy vlan.dat tftp command.
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page:
http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Configuring Private VLANs
This chapter describes how to configure private VLANs on the Cisco 7600 series routers.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL:
http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html
...
Layer 2 level.
• Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level.
In a switched environment, you can assign an individual private VLAN and associated IP subnet to each individual or common group of end stations. The end stations need to communicate only with a default gateway to communicate outside the private VLAN.
VLANs, but in the same primary VLAN. When new devices are added, the DHCP server assigns them the next available address from a large pool of subnet addresses.
• Private VLANs and Unicast, Broadcast, and Multicast Traffic
• Private VLANs and SVIs
See also the “Private VLAN Configuration Guidelines and Restrictions” section on page 15-6.
The guidelines for configuring private VLANs are described in the following sections:
• Secondary and Primary VLAN Configuration
• Private VLAN Port Configuration
• Limitations with Other Features
VLAN port sticky ARP entries do not age out. For information about configuring sticky ARP, see the “Configuring Sticky ARP” section on page 36-34.
Layer 3 VLAN interface of the primary VLAN. (See Chapter 33, “Configuring Network Security”.)
• Cisco IOS ACLs applied to the Layer 3 VLAN interface of a primary VLAN automatically apply to the associated isolated and community VLANs.
• Do not apply Cisco IOS ACLs to isolated or community VLANs. Cisco IOS ACL configuration...
if received from the ISL VLANs.
• With releases earlier than Release 12.2(18)SXE, you cannot configure port security on ports that are in a private VLAN.
– A promiscuous private VLAN port
– In releases where CSCsb44185 is resolved, a port that has been configured with the switchport mode dynamic auto or switchport mode dynamic desirable command.
| primary}
Command: Router(config-vlan)# no private-vlan {community | isolated | primary}
Purpose: Clears the private VLAN configuration.
Note: These commands do not take effect until you exit VLAN configuration submode.
Command: Router(config-if)# [no] private-vlan mapping
Purpose: Clears the mapping between the secondary VLANs and the primary VLAN.
Step 3
Command: Router(config-if)# end
Purpose: Exits configuration mode.
Step 4
Command: Router# show interface private-vlan mapping
Purpose: Verifies the configuration.
Layer 2 interface before you can enter additional switchport commands with keywords.
• Required only if you have not entered the switchport command already for the interface.
------- --------- ----------------- ------------------------------------------
isolated Fa2/0/1, Gi3/0/1, Gi3/0/2
community Fa2/0/11, Gi3/0/1, Gi3/0/4
non-operational
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page:
http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Configuring Cisco IP Phone Support
This chapter describes how to configure support for Cisco IP phones on the Cisco 7600 series routers.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL:...
The Cisco IP phone transmits voice traffic with Layer 3 IP precedence and Layer 2 CoS values, which are both set to 5 by default. The sound quality of a Cisco IP phone call can deteriorate if the voice traffic is transmitted unevenly.
• Untrusted mode—All traffic in 802.1Q or 802.1p frames received through the access port on the Cisco IP phone is marked with a configured Layer 2 CoS value. The default Layer 2 CoS value is 0. Untrusted mode is the default.
Cisco IP phones may have different power requirements. The supervisor engine initially allocates the configured default of 7 W (167 mA at 42 V) to the Cisco IP phone. When the correct amount of power is determined from the CDP messaging with the Cisco IP phone, the supervisor engine reduces or increases the allocated power.
– If the Cisco IP phone uses untagged frames and the device uses 802.1p frames
– If the Cisco IP phone uses 802.1Q frames and the voice VLAN is the same as the access VLAN
• The Cisco IP phone and a device attached to the Cisco IP phone cannot communicate if they are in...
When configuring the way in which the Cisco IP phone transmits voice traffic, note the following information:
• Enter a voice VLAN ID to send CDP packets that configure the Cisco IP phone to transmit voice traffic in 802.1Q frames, tagged with the voice VLAN ID and a Layer 2 CoS value (the default is 5)....
• To send CDP packets that configure the Cisco IP phone to trust tagged traffic received from a device connected to the access port on the Cisco IP phone, do not enter the cos keyword and CoS value.
• To send CDP packets that configure the Cisco IP phone to mark tagged ingress traffic received from...
This example shows how to configure Fast Ethernet port 5/1 to send CDP packets that tell the Cisco IP phone to configure its access port as untrusted and to mark all tagged traffic received from a device connected to the access port on the Cisco IP phone with CoS 3:...
Configuring IEEE 802.1Q Tunneling
This chapter describes how to configure IEEE 802.1Q tunneling on the Cisco 7600 series routers.
Note:
• For complete syntax and usage information for the commands used in this chapter, refer to the Cisco...
[Figure: diagram with labels "VLAN 40", "802.1Q trunk port", "Customer B, VLANs 1 to 200", "Trunk", "Asymmetric link"]
• Use asymmetrical links to put traffic into a tunnel or to remove traffic from a tunnel.
• Configure tunnel ports only to form an asymmetrical link.
– QoS cannot detect the received CoS value in the 802.1Q 2-byte Tag Control Information field.
• On an asymmetrical link, the Cisco Discovery Protocol (CDP) reports a native VLAN mismatch if the VLAN of the tunnel port does not match the native VLAN of the 802.1Q trunk. The 802.1Q tunnel feature does not require that the VLANs match.
• If the service provider does not want the customer to see its routers, CDP should be disabled on the 802.1Q tunnel port as follows:
Router(config-if)# no cdp enable
The vlan dot1q tag native command is a global command that configures the router to tag native VLAN traffic, and admit only 802.1Q tagged frames on 802.1Q trunks, dropping any untagged traffic, including untagged traffic in the native VLAN.
Router(config)# vlan dot1q tag native
Router(config)# end
Router# show vlan dot1q tag native
Configuring Layer 2 Protocol Tunneling
This chapter describes how to configure Layer 2 protocol tunneling on the Cisco 7600 series routers.
Note:
• For complete syntax and usage information for the commands used in this chapter, refer to the Cisco...
An ingress edge router rewrites the destination MAC address of the PDUs received on a Layer 2 tunnel port with the Cisco proprietary multicast address (01-00-0c-cd-cd-d0). The PDU is then flooded to the native VLAN of the Layer 2 tunnel port. If you enable Layer 2 protocol tunneling on a port, PDUs of an enabled protocol are not sent out.
When the shutdown threshold is exceeded, the port is put in errdisable state. If a shutdown threshold is not specified, the value is 0 (shutdown threshold disabled).
Note: Refer to the Cisco IOS Master Command List, Release 12.2SX for more information about the l2ptguard keyword for the following commands:
• errdisable detect cause
•...
This example shows how to clear Layer 2 protocol tunneling port counters:
Router# clear l2protocol-tunnel counters
Router#
Chapter 20, “Configuring STP and Prestandard IEEE 802.1s MST,” describes the prestandard MST implementation supported in releases earlier than Release 12.2(18)SXF.
• For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html...
The MST configuration controls to which MST region each router belongs. The configuration includes the name of the region, the revision number, and the MST VLAN-to-instance assignment map.
For more information, see the “Spanning Tree Operation Within an MST Region” section on page 19-4 and the “Spanning Tree Operations Between MST Regions” section on page 19-4.
1 (A) is also the CIST root. The CIST regional root for region 2 (B) and the CIST regional root for region 3 (C) are the roots for their respective subtrees within the CIST.
MST region. Remember that an MST region looks like a single router to the CIST. The CIST external root path cost is the root path cost calculated between these virtual routers and routers that do not belong to any region.
Boundary Ports
In the Cisco prestandard implementation, a boundary port connects an MST region to one of these STP regions:
• A single spanning tree region running RSTP...
The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary unless it is running in an STP-compatible mode.
BPDUs it sends and that router B is the designated, not root bridge. As a result, router A blocks (or keeps blocking) its port, thus preventing the bridging loop.
• Port Roles and the Active Topology
• Rapid Convergence
• Synchronization of Port Roles
• Bridge Protocol Data Unit Format and Processing
Disabled Disabled Discarding
To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state.
You can override the default setting that is controlled by the duplex setting by using the spanning-tree link-type interface configuration command.
When the routers connected by a point-to-point link are in agreement about their port roles, the RSTP immediately transitions the port states to forwarding. The sequence of events is shown in Figure 19-5.
RSTP flag fields.
Table 19-3 RSTP BPDU Flags
Function
Topology change (TC)
Proposal
2–3: Port role:
  Unknown
  Alternate port or backup port
  Root port
  Designated port
Learning
Forwarding
An inferior BPDU is a BPDU with root information (such as higher switch ID or higher path cost) that is inferior to what is currently stored for the port. If a designated port receives an inferior BPDU, it immediately replies with its own information.
MST regions must contain the CST root, and all of the other MST regions must have a better path to the root contained within the MST cloud than a path through the PVST+ or rapid-PVST+ cloud.
0 to 65535.
Step 6 Verifies your configuration by displaying the pending configuration.
Router(config-mst)# show pending
Step 7 Applies all changes, and returns to global configuration mode.
Router(config)# exit
Note: With the router configured as the root bridge, do not manually configure the hello time, forward-delay time, and maximum-age time with the spanning-tree mst hello-time, spanning-tree mst forward-time, and spanning-tree mst max-age global configuration commands.
Note: Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance_id root primary and the spanning-tree mst instance_id root secondary global configuration commands to modify the switch priority.
These messages mean that the router is alive. For seconds, the range is 1 to 10; the default is 2.
Step 3 Returns to privileged EXEC mode.
(Optional) Saves your entries in the configuration file.
Router# copy running-config startup-config
To return the router to its default setting, use the no spanning-tree transmit hold-count global configuration command.
RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the “Rapid Convergence” section on page 19-11.
Displays MST information for the specified interface.
show spanning-tree mst interface interface_id
Release 12.2(18)SXF and later releases. This chapter describes the prestandard MST implementation supported in releases earlier than Release 12.2(18)SXF.
• For complete syntax and usage information for the commands used in this chapter, refer to the Cisco...
LAN segment or a switched LAN of multiple segments. Cisco 7600 series routers use STP (the IEEE 802.1D bridge protocol) on all VLANs. By default, a single instance of STP runs on each configured VLAN (provided you do not manually disable STP). You can enable and disable STP on a per-VLAN basis.
1024
STP MAC Address Allocation
Cisco 7600 series router chassis have either 64 or 1024 MAC addresses available to support software features such as STP. To view the MAC address range on your chassis, enter the show catalyst6000 chassis-mac-address command.
STP uses this information to elect the root bridge for the Layer 2 network, to elect the root port leading to the root bridge, and to determine the designated port for each Layer 2 segment.
By changing the STP port priority on the fiber-optic port to a higher priority (lower numerical value) than the root port, the fiber-optic port becomes the new root port.
Each Layer 2 LAN port on a Cisco 7600 series router using STP exists in one of the following five states:
• Blocking—The Layer 2 LAN port does not participate in frame forwarding.
Forwarding state
When you enable STP, every port in the Cisco 7600 series router, VLAN, and network goes through the blocking state and the transitory states of listening and learning at power up. If properly configured, each Layer 2 LAN port stabilizes to the forwarding or blocking state.
• Receives BPDUs and directs them to the system module.
• Does not transmit BPDUs received from the system module.
• Receives and responds to network management messages.
• Receives BPDUs and directs them to the system module.
• Receives, processes, and transmits BPDUs received from the system module.
• Receives and responds to network management messages.
• Receives BPDUs and directs them to the system module.
• Receives, processes, and transmits BPDUs received from the system module.
• Receives and responds to network management messages.
• Receives BPDUs and directs them to the system module.
• Processes BPDUs received from the system module.
• Receives and responds to network management messages.
• Does not receive BPDUs for transmission from the system module.
STP and IEEE 802.1Q Trunks
802.1Q trunks impose some limitations on the STP strategy for a network. In a network of Cisco network devices connected through 802.1Q trunks, the network devices maintain one instance of STP for each VLAN allowed on the trunks.
• Designated—A forwarding port elected for every switched LAN segment.
• Alternate—An alternate path to the root bridge to that provided by the current root port.
MST region and the same as CST outside an MST region. The STP, RSTP, and MSTP together elect a single bridge as the root of the CIST.
– For private VLANs (PVLANs), secondary VLANs must be mapped to the same instance as the primary.
MST-to-PVST Interoperability
A virtual bridged LAN may contain interconnected regions of single spanning tree (SST) and MST bridges. Figure 20-8 shows this relationship.
• Configure the root for all VLANs inside the MST region as shown in this example:
Router# show spanning-tree mst interface gigabitethernet 1/1
GigabitEthernet1/1 of MST00 is root forwarding
Common Spanning Tree
CST (802.1Q) is a single spanning tree for all the VLANs. In a Cisco 7600 series router running PVST+, the VLAN 1 spanning tree corresponds to CST. In a Cisco 7600 series router running MST, IST (instance 0) corresponds to CST.
IST port. The IST port at the boundary can take up any port role except a backup port role.
The message age and maximum age timer settings in the RST portion of the BPDU remain the same throughout the region, and the same values are propagated by the region’s designated ports at the boundary.
MST database gets reinitialized for any incremental change (such as adding new VLANs to instances or moving VLANs across instances).
Note: STP is enabled by default on VLAN 1 and on all newly created VLANs.
You can enable STP on a per-VLAN basis. The Cisco 7600 series router maintains a separate instance of STP for each VLAN (except on VLANs on which you disable STP).
You must have at least one interface that is active in VLAN 200 to create a VLAN 200 spanning tree. In this example, two interfaces are active in VLAN 200.
Extended system ID is enabled.
Configuring the Root Bridge
Cisco 7600 series routers maintain a separate instance of STP for each active VLAN. A bridge ID, consisting of the bridge priority and the bridge MAC address, is associated with each instance. For each VLAN, the network device with the highest-priority (lowest-numerical) bridge ID becomes the root bridge for that VLAN.
Note: To preserve a stable STP topology, we recommend that you avoid configuring the hello time, forward delay time, and maximum age time manually after configuring the Cisco 7600 series router as the root bridge.
Step 2 Exits configuration mode.
Router(config)# end
This example shows how to configure the Cisco 7600 series router as the root bridge for VLAN 10, with a network diameter of 4:
Router# configure terminal
Router(config)# spanning-tree vlan 10 root primary diameter 4...
STP uses the port cost value when the LAN interface is configured as an access port and uses VLAN port cost values when the LAN interface is configured as a trunk port.
This example shows how to verify the configuration:
Router# show spanning-tree vlan 200 interface fastEthernet 4/4
Interface Role Sts Cost Prio.Nbr Status
---------------- ---- --- --------- -------- --------------------------------
1 through 4094, except reserved VLANs (see Table 14-1 on page 14-2).
49152 | 53248 | 57344 | 61440}
Reverts to the default bridge priority value.
Router(config)# no spanning-tree vlan vlan_ID priority
Router# configure terminal
Router(config)# spanning-tree vlan 200 hello-time 7
Router(config)# end
Router#
This example shows how to verify the configuration:
Router# show spanning-tree vlan 200 bridge
Hello Max
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# spanning-tree mode mst
Router(config)# spanning-tree mst configuration
Router(config-mst)# show current
Current MST configuration
Name
Revision
Instance Vlans mapped
Displays information about a specific MST instance.
Router# show spanning-tree mst instance-id [detail]
Step 4 Displays information for a given port.
Router# show spanning-tree mst interface interface name [detail]
EXEC command. Use the clear spanning-tree detected-protocols interface interface-id privileged EXEC command to restart the protocol migration process on a specific interface.
This example shows how to restart protocol migration:
Router# clear spanning-tree detected-protocols interface fastEthernet 4/4
Router#
Configuring Optional STP Features
This chapter describes how to configure optional STP features.
Note:
• For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html...
PortFast port receives a BPDU, it immediately loses its operational PortFast status. In that case, PortFast BPDU filtering is disabled on this port and STP resumes sending BPDUs on this port.
Switch B over link L1 and to Switch C over link L2. The Layer 2 LAN interface on Switch C that is connected directly to Switch B is in the blocking state.
This switchover takes approximately 30 seconds, twice the Forward Delay time if the default Forward Delay time of 15 seconds is set. Figure 21-4 shows how BackboneFast reconfigures the topology to account for the failure of link L1.
Added switch
Understanding How EtherChannel Guard Works
EtherChannel guard detects a misconfigured EtherChannel where interfaces on the Cisco 7600 series router are configured as an EtherChannel while interfaces on the other device are not, or not all the interfaces on the other device are in the same EtherChannel.
Enabling loop guard on a root router has no effect but provides protection when a root router becomes a nonroot router. When using loop guard, follow these guidelines:
Step 2 Enables PortFast on a Layer 2 access port connected to a single workstation or server.
Router(config-if)# spanning-tree portfast
Step 3 Enables PortFast.
Router(config-if)# spanning-tree portfast default
Portfast BPDU Filter is disabled by default
Loopguard is disabled by default
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is long
BPDU filtering is set to default on each port. This example shows how to enable PortFast BPDU filtering on the port and verify the configuration in PVST+ mode:
Number of transitions to forwarding state:1
The port is in the portfast mode by portfast trunk configuration
Link type is point-to-point by default
Bpdu filter is enabled
BPDU:sent 0, received 0
Router#
UplinkFast increases the bridge priority to 49152 and adds 3000 to the STP port cost of all Layer 2 LAN interfaces on the Cisco 7600 series router, decreasing the probability that the router will become the root bridge. UplinkFast cannot be enabled on VLANs that have been configured for bridge priority. To enable...
Exits configuration mode.
Router(config)# end
Step 3 Verifies that BackboneFast is enabled.
Router# show spanning-tree vlan vlan_ID
This example shows how to enable BackboneFast:
Router# configure terminal
To manually return a port to service, enter a shutdown and then a no shutdown command for the interface.
Enabling Root Guard
To enable root guard, perform this task:
Bpdu filter is enabled
Loop guard is enabled by default on the port
BPDU:sent 0, received 0
To enable loop guard on a port, perform this task:
Loop guard is enabled on the port
BPDU:sent 0, received 0
Router#
Configuring Layer 3 Interfaces
This chapter contains information about how to configure Layer 3 interfaces on the Cisco 7600 series routers. For complete syntax and usage information for the commands used in this chapter, refer to these...
Use bridge groups on VLAN interfaces, sometimes called fall-back bridging, to bridge nonrouted protocols. Bridge groups on VLAN interfaces are supported in software on the MSFC.
• Cisco 7600 series routers do not support the IEEE bridging protocol for bridge groups. Configure...
Router# configure terminal
Step 3 Selects an interface and enters subinterface configuration mode.
Router(config)# interface {{type slot/port.subinterface} | {port-channel port_channel_number.subinterface}}
MSFC. To prevent policy routing of traffic addressed to the MSFC, configure PBR ACLs to deny traffic addressed to the MSFC.
– Any options in Cisco IOS ACLs that provide filtering in a PBR route-map that would cause...
To configure PBR, refer to the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2, “Classification,” “Configuring Policy-Based Routing,” at this URL: http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
Hardware is Cat6K 100Mb Ethernet, address is 0050.f0ac.3058 (bia 0050.f0ac.3058)
Internet address is 172.20.52.106/29
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
WCCP Redirect outbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
IP multicast multilayer switching is disabled
IP mls switching is enabled
Router#
Note: The MSFC supports IPX with fast switching.
For complete information and procedures, refer to these publications:
• Cisco IOS AppleTalk and Novell IPX Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/atipx/configuration/guide/fatipx_c.html
• Cisco IOS AppleTalk and Novell IPX Command Reference, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/atipx/command/reference/fatipx_r.html...
Router# copy running-config startup-config
Configuring AppleTalk Routing, Cable Ranges, and Zones
For complete information and procedures, refer to these publications:
• Cisco IOS AppleTalk and Novell IPX Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/atipx/configuration/guide/fatipx_c.html
• Cisco IOS AppleTalk and Novell IPX Command Reference, Release 12.2, at this URL:...
Router# copy running-config startup-config
Configuring Other Protocols on Layer 3 Interfaces
Refer to these publications for information about configuring other protocols on Layer 3 interfaces:
• Cisco IOS Apollo Domain, VINES, DECnet, ISO CLNS, and XNS Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/apollo/configuration/guide/fapolo_c.html...
(UDLR) on the Cisco 7600 series router.
Note: Release 12.2(18)SXE and later releases support UDE and UDLR. For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html
These sections describe UDE and UDLR:
•...
Supported Hardware
On Cisco 7600 series routers, UDE and UDLR are supported on the interfaces of these switching modules:
• WS-X6704-10GE 4-port 10-Gigabit Ethernet...
Configuring UDE
These sections describe how to configure UDE:
• UDE Configuration Guidelines
• Configuring Hardware-Based UDE
• Configuring Software-Based UDE
Unidirectional links do not support ARP.
Configuring Hardware-Based UDE
There are no software configuration procedures required to support hardware-based UDE. Install a unidirectional transceiver to implement hardware-based UDE.
Page 347
Enable port unidirectional mode will automatically disable port udld. You must manually ensure that the unidirectional link does not create a spanning tree loop in the network. Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX 23-5 OL-4266-08...
You must configure source and destination IPv4 addresses on UDLR back-channel tunnel interfaces. The UDLR back-channel tunnel default mode is GRE. • UDLR back-channel tunnels do not support IPv6 or MPLS. • Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX 23-6 OL-4266-08...
Page 349
10 Gigabit Ethernet port 1/2 is a receive-only UDE port. – The UDLR back-channel tunnel is configured as send-only and is associated with 10 Gigabit – Ethernet port 1/2. ARP and NHRP are enabled. – Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX 23-7 OL-4266-08...
Page 350
! Configure OSPF. router ospf <pid> network 10.0.0.0 0.255.255.255 area 0 For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX 23-8 OL-4266-08...
Note: For complete syntax and usage information for the commands used in this chapter, refer to these publications:
• The Cisco IOS Master Command List, Release 12.2SX at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html
• The Release 12.2 publications at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuration_guides_list.html...
PFC3BXL or PFC3B mode supports Layer 3 Multiprotocol Label Switching (MPLS) virtual private networks (VPNs), and Layer 2 Ethernet over MPLS (EoMPLS), with quality of service (QoS) and security.
The routing protocol generates a routing information base (RIB) that is used for forwarding IP and MPLS data packets. For Cisco Express Forwarding (CEF), necessary routing information from the RIB is extracted and built into a forwarding information base (FIB). The label distribution protocol (LDP) obtains routes from the RIB and distributes the label across a label switch path to build a label forwarding information base (LFIB) in each of the LSRs and LERs.
Packet recirculation occurs only on a particular packet flow; other packet flows are not affected. The rewrite of the packet occurs on the modules; the packets are then forwarded back to the PFC3BXL or PFC3B for additional processing.
• Configuration of MPLS switching is supported on VLAN interfaces with the mpls ip command.
Supported Cisco IOS Features
The following Cisco IOS software features are supported in PFC3BXL or PFC3B mode:
Note: Multi-VPN Routing and Forwarding (VRF) for CE Routers (VRF Lite) is supported with the following features: IPv4 forwarding between VRF interfaces, IPv4 ACLs, and IPv4 HSRP.
• MPLS virtual private networks (VPNs)—This feature allows you to deploy scalable IPv4 Layer 3 VPN backbone services over a Cisco IOS network. See this publication: http://www.cisco.com/en/US/docs/ios/12_0st/12_0st21/feature/guide/fs_vpn.html
• MPLS VPN Carrier Supporting Carrier (CSC)—This feature enables one MPLS VPN-based service...
24-13.
MPLS Guidelines and Restrictions
When configuring PFC3BXL or PFC3B MPLS, follow these guidelines and restrictions:
• PFC3BXL or PFC3B mode supports up to 8 load-shared paths. Cisco IOS releases for other platforms support only 8 load-shared paths.
• PFC3BXL or PFC3B mode supports MTU checking and fragmentation.
Chapter 24 Configuring PFC3BXL and PFC3B Mode Multiprotocol Label Switching
PFC3BXL and PFC3B Mode MPLS Label Switching
Configuring MPLS
For information about configuring MPLS, see the Multiprotocol Label Switching on Cisco Routers publication at the following URL: http://www.cisco.com/en/US/docs/ios/12_2/switch/configuration/guide/xcftagc_ps1835_TSD_Products_Configuration_Guide_Chapter.html
MPLS Per-Label Load Balancing
The following sections provide information on basic MPLS, MPLS Layer 2 VPN, and MPLS Layer 3 VPN load balancing.
PFC3BXL or PFC3B Mode VPN Switching Operation
The IP VPN feature for MPLS allows a Cisco IOS network to deploy scalable IP Layer 3 VPN backbone services to multiple sites deployed on a shared infrastructure while also providing the same access or security policies as a private network.
For information about these commands, see these publications: http://www.cisco.com/en/US/docs/ios/12_2/switch/command/reference/fswtch_r.html
Configuring MPLS VPN
For information on configuring MPLS VPN, refer to the MPLS Virtual Private Networks feature module at this URL:
Additional AToM types are planned in future releases. PFC3BXL or PFC3B mode supports both hardware-based EoMPLS as well as OSM-, FlexWAN, or FlexWAN2-based EoMPLS. For more information, see this publication: http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html#Ethernet_over_MPLS
• EoMPLS supports VLAN packets that conform to the IEEE 802.1Q standard. The 802.1Q specification establishes a standard method for inserting VLAN membership information into Ethernet frames.
This command has been replaced with the xconnect command. You can use the xconnect command to configure EoMPLS circuits.
• The AToM control word is not supported.
• A system can have both an OSM or FlexWAN configuration and PFC3BXL or PFC3B mode configuration enabled at the same time. Cisco supports this configuration but does not recommend it. Unless the uplinks to the MPLS core are through OSM or FlexWAN-enabled interfaces, OSM or FlexWAN-based EoMPLS connections will not be active;...
• To display a single line for each VLAN, naming the VLAN, status, and ports, enter the show vlan brief command.
Router# show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------
default active
VLAN0002 active
Pop tag 37.0.0.0/8 GE3/3 34.0.0.2 11.11.11.11/32 GE3/3 34.0.0.2 Pop tag 12.12.12.12/32 GE3/3 34.0.0.2
Router#
The output shows the following data:
– Local tag—Label assigned by this router.
• The AToM control word is not supported.
• Ethernet packets with hardware-level cyclic redundancy check (CRC) errors, framing errors, and runt packets are discarded on input.
Traffic-Generator
 no ip address
 logging event link-status
 speed nonegotiate
router# show run int g7/11.2000
Building configuration...
Current configuration : 112 bytes
interface GigabitEthernet7/11.2000
 encapsulation dot1Q 2000
When a PE router receives an LDP Hello message from another PE router, it considers that router and the specified label space to be “discovered.”
Router# show mpls ldp discovery
– Bytes tag switched—Number of bytes switched out with this incoming label.
– Outgoing interface—Interface through which packets with this label are sent.
– Next Hop—IP address of neighbor that assigned the outgoing label.
Status
------------- -------------------- --------------- ---------- ----------
Eth VLAN 2 11.11.11.11
Cisco 7600 series routers. Release 12.2(18)SXE and later releases support MVPN when the router is operating in PFC3B mode or PFC3BXL mode.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html
This chapter contains these sections:
• ...
MVPN is a standards-based feature that transmits IPv4 multicast traffic across an MPLS VPN cloud. MVPN on Cisco 7600 series routers uses the existing PFC hardware support for IPv4 multicast traffic to forward multicast traffic over VPNs at wire speeds. MVPN adds support for IPv4 multicast traffic over Layer 3 IPv4 VPNs to the existing IPv4 unicast support.
MDT. Each PE router maintains a PIM relationship with the other PE routers over the default MDT, as well as a PIM relationship with its directly attached PE routers.
(PE1) receives the request. Figure 25-2 shows how the PE router forwards the request to the CE router associated with the multicast source (CE1a).
The MTI is automatically created when an MVRF is configured. The BGP peering address is assigned as the MTI interface source address, and the PIM protocol is automatically enabled on each MTI.
Note:
• Unlike other tunnel interfaces that are commonly used on Cisco routers, the MVPN MTI is classified as a LAN interface, not a point-to-point interface. The MTI interface is not configurable, but you can use the show interface tunnel command to display its status.
PFC3BXL mode.
• Supervisor Engine 2 does not support MVPN.
• All PE routers in the multicast domain need to be running a Cisco IOS software image that supports the MVPN feature. There is no requirement for MVPN support on the P and CE routers.
MVRF is configured. This change in replication mode automatically purges all forwarding entries in the hardware, temporarily forcing the router into software switching until the table entries can be rebuilt.
• Configuring the Route-Target Extended Community
• Configuring the Default MDT
• Configuring Data MDTs (Optional)
• Enabling Data MDT Logging
This example shows how to configure 55:1111 as the route distinguisher and verify the configuration:
Router(config-vrf)# rd 55:1111
Router(config-vrf)# do show ip vrf blue
Name Default RD Interfaces
blue 55:1111
To configure the default MDT, perform this task:
Command or Action: Router(config-vrf)# mdt default group_address
Purpose: Configures the default MDT.
Command or Action: Router(config-vrf)# no mdt default
Purpose: Deletes the default MDT.
MDTs by increasing the size of the wildcard bitmask that is used in the mdt data command.
Command: Router(config-vrf)# no log-reuse
Purpose: Disables data MDT logging.
In addition, BGP extended communities must be enabled (using the neighbor send-community both or neighbor send-community extended command) to support the use of MDTs in the network.
Router(config)# no ip pim vrf vrf_name register-source
This example shows how to configure a PIM VRF register message source address:
Router(config)# ip pim vrf blue register-source loopback 3
IP address for the TCP connection.
• remote-as ASN—(Optional) Autonomous system number of the MSDP peer. This is for display-only purposes.
The valid range is from 1 to the value of the limit parameter.
This example shows how to configure the maximum number of multicast routes:
Router(config)# ip multicast vrf blue route-limit 200000 20000
104.1.1.2
ip pim vrf vpn201 rp-address 192.200.1.1
ip pim vrf vpn202 rp-address 192.200.2.1
ip pim vrf vpn249 rp-address 192.200.49.6
ip pim vrf vpn250 rp-address 192.200.50.6
Step 1
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command: Router(config)# interface type { slot/port | number }
Purpose: Enters interface configuration mode for the specified interface.
Command: Router(config-if)# no ip vrf forwarding [ vrf_name ]
Purpose: Disables IPv4 VRF forwarding.
This example shows how to configure the interface for VRF blue forwarding:
Router(config-if)# ip vrf forwarding blue
MVPN Router
boot system flash slot0:
logging snmp-authfail
ip subnet-zero
no ip domain-lookup
ip host tftp 223.255.254.238
209.255.255.14 255.255.255.255
interface Loopback10
 ip vrf forwarding mvpn-cus1
 ip address 210.101.255.14 255.255.255.255
interface Loopback11
 ip vrf forwarding mvpn-cus1
 ip address 210.111.255.14 255.255.255.255
 ip pim sparse-dense-mode
185.255.255.11 connect-source Loopback11
ip msdp vrf v1 cache-sa-state
ip access-list standard MCAST.ANYCAST.CE
 permit 2.2.2.2
ip access-list standard MCAST.ANYCAST.PE
 permit 1.1.1.1
ip access-list standard MCAST.BOUNDARY.VRF.v1
 deny 226.192.1.1
 permit any
1 permit 226.1.1.1
access-list 2 deny 226.1.1.1
access-list 2 permit any
CHAPTER
Configuring IP Unicast Layer 3 Switching
This chapter describes how to configure IP unicast Layer 3 switching on the Cisco 7600 series routers.
For complete syntax and usage information for the commands used in this chapter, refer to these...
When a packet is Layer 3 switched from a source in one subnet to a destination in another subnet, the Cisco 7600 series router performs a packet rewrite at the egress port based on information learned from the MSFC so that the packets appear to have been routed by the MSFC.
When Host A initiates an HTTP file transfer to Host C, hardware Layer 3 switching uses the information in the local forwarding information base (FIB) and adjacency table to forward packets from Host A to Host C.
Follow these guidelines and restrictions when configuring hardware Layer 3 switching:
• Hardware Layer 3 switching supports the following ingress and egress encapsulations:
– Ethernet V2.0 (ARPA)
– 802.3 with 802.2 with 1 byte control (SAP1)
Note: The Layer 3 switching packet count is updated approximately every five seconds.
Cisco IOS CEF and dCEF are permanently enabled. No configuration is required to support hardware Layer 3 switching. With a PFC (and DFCs, if present), hardware Layer 3 switching uses per-flow load balancing based on IP source and destination addresses.
03:49:31
Note: Adjacency statistics are updated approximately every 60 seconds.
Layer 3 Switching
With Release 12.2(18)SXE and later releases, the PFC3 and DFC3 provide hardware support for IPv6 multicast traffic. Use these publications to configure IPv6 multicast on Cisco 7600 series routers:
• The Cisco IOS IPv6 Configuration Library, “Implementing IPv6 Multicast”: ...
• SSM mapping for IPv6—See this publication: http://www.cisco.com/en/US/docs/ios/12_2t/ipv6/ipv6_vgf.html
IPv6 Multicast Guidelines and Restrictions
These guidelines and restrictions apply to IPv6 multicast support on Cisco 7600 series routers:
• With Release 12.2(18)SXE and later releases, the PFC3 and DFC3 provide hardware support for the following:
– Completely switched IPv6 multicast flows
– ISATAP tunnels with embedded 6to4 tunnels
New or Changed IPv6 Multicast Commands
Refer to the Cisco IOS Master Command List, Release 12.2SX for information about these IPv6 multicast commands, which are new or changed in Release 12.2(18)SXE:
• ipv6 mfib hardware-switching ...
This example shows how to display the MFIB clients running on the PFC3 and any DFC3s:
Router# show ipv6 mrib client | include slot
slot 1 mfib ipv6 rp agent:15 (connection id 3)
slot 6 mfib ipv6 rp agent:15 (connection id 4)
Router# show platform software ipv6-multicast capability | include Current
Current System HW Replication Mode : Ingress
Note: Enter the no ipv6 mfib hardware-switching replication-mode ingress command to enable replication mode auto detection.
(*, G/128) (*, G/m)
Note:
• The (*, G/128) value is a hardware bridge entry count.
• The (*, G/m) value is a hardware bridge/drop entry count.
StarG (spt == INF) adjacency
StarG (spt != INF) adjacency
CHAPTER
Configuring IPv4 Multicast Layer 3 Switching
This chapter describes how to configure IPv4 multicast Layer 3 switching on the Cisco 7600 series routers.
For complete syntax and usage information for the commands used in this chapter, refer to these...
The Policy Feature Card (PFC) provides Layer 3 switching for IP multicast flows using the hardware replication table and hardware Cisco Express Forwarding (CEF), which uses the forwarding information base (FIB) and the adjacency table on the PFC. In systems with Distributed Forwarding Cards (DFCs), IP multicast flows are Layer 3 switched locally using Multicast Distributed Hardware Switching (MDHS).
After the PFC performs the packet rewrite, the packet is (conceptually) formatted as follows:
Frame Header IP Header Data FCS Destination Source Destination Source Checksum Group G1 MAC MSFC MAC Group G1 IP Source A IP n–1 calculation2
– The RPT flag (R bit) is not set.
– The SPT flag (T bit) is not set.
– The Prune-flag (P bit) is not set.
(non-PIM DR) must drop this traffic because it has arrived on the wrong interface and fails the RPF check. Traffic that fails the RPF check is called non-RPF traffic. The Cisco 7600 series router processes non-RPF traffic in hardware on the PFC by filtering (dropping) or rate limiting the non-RPF traffic.
NetFlow entry handles all packets for that source and group, sending packets only to bridged ports and not to the MSFC. To support the PIM assert mechanism, the PFC periodically forwards a percentage of the non-RPF flow packets to the MSFC.
For information on configuring IPv4 bidirectional PIM, see the “Configuring IPv4 Bidirectional PIM” section on page 28-23.
Default IPv4 Multicast Layer 3 Switching Configuration
Table 28-1 shows the default IP multicast Layer 3 switching configuration.
• A (*,G) entry is not hardware switched if at least one (S,G) entry has an RPF different from the (*,G) entry’s RPF and the (S,G) is not hardware switched.
You must enable IP multicast routing globally before you can enable IP multicast Layer 3 switching on Layer 3 interfaces. For complete information and procedures, refer to these publications:
• Cisco IOS IP and IP Routing Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/fipr_c.html
• ...
You must enable PIM on all participating Layer 3 interfaces before IP multicast Layer 3 switching will function. For information on configuring PIM on Layer 3 interfaces, see the “Enabling IPv4 PIM on Layer 3 Interfaces” section on page 28-10.
Note: If you configure forced egress mode in a system that has fabric-enabled modules that are not capable of egress replication, you must make sure that these modules are not sourcing or receiving multicast traffic.
Number of complete hardware-switched flows:2
Directly connected subnet entry install is enabled
Current mode of replication is Ingress
Auto-detection of replication mode is enabled
Consistency checker is enabled
Router (config)#
One (subnet/mask, 224/4) is installed per PIM-enabled interface. To view FIB entries, enter the show mls ip multicast connected command. To enable installation of directly connected subnets, perform this task:
To enable shortcut-consistency checking, perform this task:
Command: Router(config)# mls ip multicast consistency-check
Purpose: Enables shortcut-consistency checking.
Command: Router(config)# no mls ip multicast consistency-check num
Purpose: Restores the default.
This example shows how to display RPF failure rate-limiting information:
Router# show mls ip multicast summary
10004 MMLS entries using 1280464 bytes of memory
Number of partial hardware-switched flows:4
Number of complete hardware-switched flows:10000
Router#
The show ip pim interface count command displays the IP multicast Layer 3 switching enable state on IP PIM interfaces and the number of packets received and sent on the interface.
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.1 224.0.0.2 224.0.0.13 224.0.0.10
Outgoing access list is not set
Inbound access list is not set
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Router#
Note: The RPF-MFD flag indicates that the flow is completely switched by the hardware. The H flag indicates the flow is switched by the hardware on the outgoing interface.
Command: Router(config)# no ip pim bidir-enable
Purpose: Disables IPv4 bidirectional PIM globally on the router.
This example shows how to enable IPv4 bidirectional PIM on the router:
Router(config)# ip pim bidir-enable
Router(config)#
Router(config)# no mls ip multicast bidir gm-scan-interval
This example shows how to set the IPv4 bidirectional PIM RP RPF scan interval:
Router(config)# mls ip multicast bidir gm-scan-interval 30
Router(config)#
VLAN, the multicast group address, or the multicast traffic source. For an example of the show mls ip multicast statistics command, see the “Displaying IPv4 Multicast Layer 3 Switching Statistics” section on page 28-22.
PIM is configured on all the Layer 3 links associated with the unicast routing protocol.
IPv6 multicast traffic on the Cisco 7600 series routers. Release 12.2(18)SXE and later releases support MLDv2 snooping on all versions of the PFC3.
Note:
• For complete syntax and usage information for the commands used in this chapter, refer to the Cisco...
Understanding the MLDv2 Snooping Querier
MLDv2 Snooping Overview
MLDv2 snooping allows Cisco 7600 series routers to examine MLDv2 packets and make forwarding decisions based on their content. You can configure the router to use MLDv2 snooping in subnets that receive MLDv2 queries from either MLDv2 or the MLDv2 snooping querier.
• The list of sources for each group reported by the hosts
• The router filter mode of each group
• For each group, the list of hosts requesting the source
MLDv2 snooping learning. Multicast group membership lists can consist of both static and MLDv2 snooping-learned settings.
29-2. Because the forwarding table directs MLDv2 messages only to the router, the message is not flooded to other ports. Any known multicast traffic is forwarded to the group and not to the router.
MLDv2 snooping removes the interface from its Layer 2 forwarding table entry for the specified multicast group.
MLDv2 reports to establish appropriate forwarding. You can enable the MLDv2 snooping querier on all the Cisco 7600 series routers in the VLAN, but for each VLAN that is connected to switches that use MLDv2 to report interest in IP multicast traffic, you must configure at least one router as the MLDv2 snooping querier.
• MLDv2 message formats are almost identical to IGMPv3 messages.
• IPv6 multicast for Cisco IOS software uses MLD version 2. This version of MLD is fully backward-compatible with MLD version 1 (described in RFC 2710). Hosts that support only MLD version 1 interoperate with a router running MLD version 2.
• QoS does not support MLDv2 packets when MLDv2 snooping is enabled.
• You can enable the MLDv2 snooping querier on all the Cisco 7600 series routers in the VLAN that support it. One router is elected as the querier.
This example shows how to display a total count of MAC address entries for a VLAN:
Router# show mac-address-table multicast 1 count
Multicast MAC Entries for vlan 1:
Router#
10.1.1.1/226.2.2.2 Gi1/2:Vl25 16.27.2.3 00:01:47 00:00:50
10.2.2.2/226.2.2.2 Gi1/2:Vl25 16.27.2.3 00:01:47 00:00:50
This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping for IPv4 multicast traffic on the Cisco 7600 series routers.
Note:
• For complete syntax and usage information for the commands used in this chapter, refer to the Cisco...
IGMP snooping learning. Multicast group membership lists can consist of both static and IGMP snooping-learned settings.
30-2. Because the forwarding table directs IGMP messages only to the CPU, the message is not flooded to other ports. Any known multicast traffic is forwarded to the group and not to the CPU.
If the leave message was from the only remaining interface with hosts interested in the group and IGMP snooping does not receive an IGMP Join in response to the general
Understanding IGMP Version 3 Support
These sections describe IGMP version 3 support:
• IGMP Version 3 Support Overview
• IGMPv3 Fast-Leave Processing
• Proxy Reporting
When you enable IGMP version 3 snooping on a Cisco 7600 series router, the system maintains IGMP version 3 states based on messages it receives for a particular group in a particular VLAN and...
• To support Cisco Group Management Protocol (CGMP) client devices, configure the Multilayer Switch Feature Card (MSFC) as a CGMP server. Refer to the Cisco IOS IP and IP Routing Configuration Guide, Release 12.2, “IP Multicast,” “Configuring IP Multicast Routing,” at this URL: http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfmulti.html...
(see the “Enabling the IGMP Snooping Querier” section on page 30-9). IGMP snooping allows Cisco 7600 series routers to examine IGMP packets and make forwarding decisions based on their content.
These sections describe how to configure IGMP snooping:
• Enabling IGMP Snooping
• ...
IGMP snooping fast-leave is disabled and querier is disabled
IGMP snooping explicit-tracking is enabled on this interface
IGMP snooping last member query interval on this interface is 1000 ms
Router#
Note: When both IGMP fast-leave processing and the IGMP query interval are configured, fast-leave processing takes precedence.
Note:
• Release 12.2(18)SXD3 and later releases support SSM mapping.
• Do not configure SSM mapping in a VLAN that supports IGMPv3 multicast receivers.
• To configure SSM mapping, refer to this publication: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtssmma.html
This example shows how to display a total count of MAC address entries for a VLAN:
Router# show mac-address-table multicast 1 count
Multicast MAC Entries for vlan 1:
Router#
To display IGMP snooping statistics, perform this task:
Command: Router# show ip igmp snooping statistics interface vlan_ID
Purpose: Displays IGMP snooping information on a VLAN interface.
Page 476
Gi1/2:Vl25 16.27.2.3 00:01:47 00:00:50
10.2.2.2/226.2.2.2 Gi1/2:Vl25 16.27.2.3 00:01:47 00:00:50
Router#
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Page 477
This chapter describes how to configure protocol independent multicast (PIM) snooping on the Cisco 7600 series routers. Release 12.2(17a)SX and later releases support PIM snooping.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL:...
Page 478
Configuring PIM Snooping
Understanding How PIM Snooping Works
Note: To use PIM snooping, you must enable IGMP snooping on the Cisco 7600 series router. IGMP snooping restricts multicast traffic that exits through the LAN ports to which hosts are connected. IGMP snooping does not restrict traffic that exits through the LAN ports to which one or more multicast routers are connected.
Page 479
PIM snooping enabled. In the figure, the switches forward the data traffic only to the router that needs to receive it (Router A).
• PIM snooping and IGMP snooping can be enabled at the same time in a VLAN. Either RGMP or PIM snooping can be enabled in a VLAN but not both.
Verifies the configuration.
Router# show running-config | include dr-flood
This example shows how to disable PIM snooping designated-router flooding:
Router(config)# no ip pim snooping dr-flood
Router(config)# end
Page 483
Chapter 31 Configuring PIM Snooping
Configuring PIM Snooping
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
The RGMP hello message tells the Cisco 7600 series router not to send multicast data to the router unless an RGMP join message has also been sent to the Cisco 7600 series router from that router. When an RGMP join message is sent, the router is able to receive multicast data.
Default RGMP Configuration To stop receiving multicast data, a router must send an RGMP leave message to the Cisco 7600 series router. To disable RGMP on a router, the router must send an RGMP bye message to the Cisco 7600 series router.
Because multiple IP multicast addresses can map to one MAC address (see RFC 1112), RGMP cannot differentiate between the IP multicast groups that might map to a MAC address. The capability of the Cisco 7600 series router to constrain traffic is limited by its –...
Chapter: Configuring Network Security
This chapter contains network security information unique to the Cisco 7600 series routers, which supplements the network security information and procedures in these publications:
• Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html...
• Configuring Unicast RPF Check, page 33-3
Understanding PFC3 Unicast RPF Check Support
For a complete explanation of how Unicast RPF check works, refer to the Cisco IOS Security Configuration Guide, Release 12.2, “Other Security Features,” “Configuring Unicast Reverse Path Forwarding” at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrpf.html...
With loose-method Unicast RPF check (also known as exist-only method), the PFC3 supports up to eight reverse-path interfaces (the Cisco IOS software is limited to eight reverse paths in the routing table).
There are four methods of performing Unicast RPF check in Cisco IOS:
• Strict Unicast RPF check...
Page 492
This example shows how to enable Unicast RPF strict check mode on Gigabit Ethernet port 4/2:
Router(config)# interface gigabitethernet 4/2
Router(config-if)# ip verify unicast source reachable-via rx
Router(config-if)# end
Router#
Page 493
(these packets always pass the Unicast RPF check).
This example shows how to configure multiple path RPF check:
Router(config)# mls ip cef rpf multipath punt
Page 494
Router(config-if)# ip verify unicast source reachable-via any allow-self-ping
Router(config-if)# end
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Chapter 35, “Configuring VLAN ACLs”).
• Each type of ACL (IP, IPX, and MAC) filters only traffic of the corresponding type. A Cisco IOS MAC ACL never matches IP or IPX traffic.
• The PFC does not provide hardware support for Cisco IOS IPX ACLs. Cisco IOS IPX ACLs are...
• IP accounting for an ACL access violation on a given port is supported by forwarding all denied packets for that port to the MSFC for software processing without impacting other flows.
• The PFC does not provide hardware support for Cisco IOS IPX ACLs. Cisco IOS IPX ACLs are supported in software on the MSFC.
Do not enable the compression mode if you have noncompressible address types in your network. A list of compressible address types and the address compression method are listed in Table 34-1.
Page 498
Router(config)# mls ipv6 acl compress address unicast
Router(config)#
This example shows how to turn off address compression for IPv6 addresses:
Router(config)# no mls ipv6 acl compress address unicast
Router(config)#
• To provide OAL support for denied packets, enter the mls rate-limit unicast ip icmp unreachable acl-drop 0 command.
• OAL and the mls verify ip length minimum command are incompatible. Do not configure both.
• Displaying OAL Information, page 34-7
• Clearing Cached OAL Entries, page 34-7
Note:
• For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Master Command List, Release 12.2SX.
• To provide OAL support for denied packets, enter the mls rate-limit unicast ip icmp unreachable...
LOU
• For example, this ACL would use a single LOU to store two different operator-operand couples:
... Src gt 10 ..Dst gt 10
Page 503
LOU 4 stores “range 11 13” (range needs the entire LOU)
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Page 504
Chapter 34 Understanding Cisco IOS ACL Support
Guidelines and Restrictions for Using Layer 4 Operators in ACLs
Chapter: Configuring VLAN ACLs
This chapter describes how to configure VLAN ACLs (VACLs) on Cisco 7600 series routers.
Note:
• For complete syntax and usage information for the commands used in this chapter, refer to the Cisco...
VACLs can provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN or a WAN interface for VACL capture. Unlike regular Cisco IOS standard or extended ACLs that are configured on router interfaces only and are applied on routed packets only, VACLs apply to all packets and can be applied to any VLAN or WAN interface.
• Configuring a Capture Port, page 35-9
VACL Configuration Overview
VACLs use standard and extended Cisco IOS IP and IPX ACLs, and MAC Layer-named ACLs (see the “Configuring MAC ACLs” section on page 41-67) and VLAN access maps. VLAN access maps can be applied to VLANs or to WAN interfaces for VACL capture. VACLs attached to WAN interfaces support only standard and extended Cisco IOS IP ACLs.
When configuring a match clause in a VLAN access map sequence, note the following information:
• You can select one or more ACLs.
• VACLs attached to WAN interfaces support only standard and extended Cisco IOS IP ACLs.
• Use the no keyword to remove a match clause or specified ACLs in the clause.
VACLs applied to WAN interfaces support only the forward capture action. VACLs applied to WAN interfaces do not support the drop, forward, or redirect actions.
• Forwarded packets are still subject to any configured Cisco IOS security ACLs.
• The capture action sets the capture bit for the forwarded packets so that ports with the capture...
VACLs and VLANs.
1. type = pos, atm, or serial
2. number = slot/port or slot/port_adapter/port; can include a subinterface or channel group descriptor
“Configuring the Layer 2 Switching Port as an ISL or 802.1Q Trunk” section on page 10-8 and the “Configuring the Layer 2 Trunk Not to Use DTP” section on page 10-9).
Page 514
A VACL is not active if the VLAN does not have an interface.
Router# show vlan filter
VLAN Map mordred:
Configured on VLANs: 2,4-6
Active on VLANs: 2,4-6
Router#
This example shows how to configure global VACL logging in hardware:
Router(config)# vlan access-log maxflow 800
Router(config)# vlan access-log ratelimit 2200
Router(config)# vlan access-log threshold 4000
Page 516
Chapter 35 Configuring VLAN ACLs
Configuring VACL Logging
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
This chapter contains information on how to protect your Cisco 7600 series router against Denial of Service (DoS) attacks. The information covered in this chapter is unique to the Cisco 7600 series routers, and it supplements the network security information and procedures in the “Configuring Network...
Understanding How DoS Protection Works
The following sections contain an overview of the DoS protection on the Cisco 7600 series router and describe some types of DoS attack scenarios:
• DoS Protection with a PFC2, page 36-2...
CPU utilization for five seconds: 99%/90%; one minute: 48%; five minutes: 25%
Router#
2w0d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from FULL to DOWN, Neighbor Down: Dead timer expired
Page 520
1w6d: %OSPF-5-ADJCHG: Process 100, Nbr 6.6.6.122 on Vlan46 from FULL to DOWN, Neighbor Down: Dead timer expired
Router# show ip eigrp neighbors
IP-EIGRP neighbors for process 200
Router#
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config-if)# storm-control broadcast level 20
The Cisco 7600 series router supports broadcast storm control on all LAN ports and multicast and unicast storm control on Gigabit Ethernet ports. When two or three suppression modes are configured simultaneously, they share the same level settings.
Page 522
PFC2 and PFC3 (all types). Configuring many sources and destinations for active intercept mode may overrun the CPU, so it is recommended that only critical servers be protected with active intercept mode.
Page 523
1 to 2147483 seconds.
Command: Router(config)# ip tcp intercept connection-timeout seconds
Purpose: Changes the time the software will manage a connection after no activity; valid values are from 1 to 2147483 seconds.
Page 524
Both the ingress and egress values will be the same, as they both share the same rate-limiter register. If the ACL bridge ingress/egress rate limiting is disabled, the Layer 3 redirect rate limit results are converted to the bridge result.
Page 525
This example shows how to rate limit the rate at which this traffic is sent to the MSFC to 20000 pps and a burst of 60:
Router(config)# mls rate-limit unicast cef glean 20000 60
Page 527
ACL and drops the packet before it causes damage. When the Cisco 7600 series router is used with a Cisco Intrusion Detection Module (CIDM), you can dynamically install the security ACL as a response to the detection of the attack by the sensing engine.
Page 528
When you enable the unicast reverse path forwarding (uRPF) check, packets that lack a verifiable source IP address, such as spoofed IP source addresses, are discarded. Cisco Express Forwarding (CEF) tables are used to verify that the source addresses and the interfaces on which they were received are consistent with the FIB tables on the supervisor engine.
Page 529
Router(config-if)# storm-control broadcast level 20
The Cisco 7600 series router supports broadcast storm control on all LAN ports and multicast and unicast storm control on Gigabit Ethernet ports. When two or three suppression modes are configured simultaneously, they share the same level settings.
Page 530
• Do not use a rate limiter on VACL logging unless you configure VACL logging.
• Disable redirects because a platform that supports hardware forwarding, such as the Cisco 7600 series router, reduces the need for redirects.
Page 531
Ingress or egress ACL-bridged packet cases share a single rate-limiter register. If the feature is turned on, ingress and egress ACLs use the same rate-limiter value.
Page 532
The TTL failure rate limiter is not supported for IPv6 multicast.
This example shows how to rate limit the TTL failures to 70000 pps with a burst of 150:
Router(config)# mls rate-limit all ttl-failure 70000 150
Page 533
This example shows how to rate limit the rate at which this traffic is sent to the MSFC to 20000 pps and a burst of 60:
Router(config)# mls rate-limit unicast cef glean 20000 60
Page 534
This example shows how to rate limit packets with MTU failures sent to the MSFC to 10000 pps with a burst of 10:
Router(config)# mls rate-limit all mtu 10000 10
Page 535
(including BPDUs, DTP, PAgP, CDP, STP, and VTP packets) destined for the supervisor engine and not the MSFC CPU. You cannot enable the Layer 2 PDU rate limiter if the Cisco 7600 series router is operating in truncated mode. The router uses truncated mode for traffic between fabric-enabled modules when there are both fabric-enabled and nonfabric-enabled modules installed.
This example shows how to enable dynamic sharing for the route control rate limiter:
Router(config)# mls rate-limit multicast ipv6 route-cntl share auto
DoS Protection Default Configuration
Table 36-3 shows the DoS protection default configuration for the PFC3 hardware-based rate limiters.
– Security ACLs need to be configured on all external interfaces that require protection. Use the interface range command to configure a security ACL on multiple interfaces.
Page 539
• Do not use the CEF receive limiter if CoPP is being used. The CEF receive limiter will override the CoPP traffic.
• Rate limiters override the CoPP traffic.
Page 541
Total ip packets with TOS changed
Total ip packets with COS changed
Total non ip packets COS changed
Total packets dropped by ACL : 33
Total packets dropped by Policing
Codes dynamic sharing: H - owner (head) of the group, g - guest of the group
Rate Limiter Type Status Packets/s Burst Sharing
--------------------- ---------- --------- ----- -------
MCAST NON RPF
MCAST DFLT ADJ 100000 Not sharing
Understanding How Control Plane Policing Works
The control plane policing (CoPP) feature increases security on the Cisco 7600 series router by protecting the MSFC from unnecessary or DoS traffic and giving priority to important control plane and management traffic.
CoPP service policies to be directly attached to the control plane. For information on how to define the traffic classification criteria, refer to the “Defining Traffic Classification” section on page 36-32.
Page 546
When defining the service policy, the police policy-map action is the only supported action. When applying the service policy to the control plane, only the input direction is supported.
Reporting—Traffic used for generating network performance statistics for the purpose of reporting. For example, using Cisco IOS IP service level agreements (SLAs) to generate ICMP with different DSCP settings in order to report on response times within different QoS data classes.
MAC address. With sticky ARP enabled, the router learns the ARP entries and does not accept modifications received through ARP broadcasts. If you attempt to override...
Page 551
Configuring Denial of Service Protection
Configuring Sticky ARP
the sticky ARP configuration, you will receive an error message. For a complete description of the system error messages, refer to the Cisco 7600 Series Router Cisco IOS System Message Guide at this URL: http://www.cisco.com/en/US/docs/ios/12_2sx/system/messages/122sxsms.html
Note: Release 12.2(18)SXF and later releases support sticky ARP configurability.
Page 552
Chapter 36 Configuring Denial of Service Protection
Configuring Sticky ARP
Note:
• The DHCP snooping feature requires PFC3 and Release 12.2(18)SXE and later releases. The PFC2 does not support DHCP snooping.
• For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html...
IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.
DHCP server do not reside on the same IP network or subnet, a DHCP relay agent is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.
Page 556
– Length of the circuit ID type
• Remote ID suboption fields
– Suboption type
– Length of the suboption type
– Remote ID type
– Length of the circuit ID type
Each entry in the file is tagged with a checksum that is used to validate the entries whenever the file is read. The <initial-checksum> entry on the first line helps distinguish entries associated with the latest write from entries that are associated with a previous write.
• With Release 12.2(18)SXF5 and later releases, the DHCP snooping database stores at least 8,000 bindings.
• When DHCP snooping is enabled, these Cisco IOS DHCP commands are not available on the router:
– ip dhcp relay information check global configuration command...
Minimum DHCP Snooping Configuration
The minimum configuration steps for the DHCP snooping feature are as follows:
1. Define and configure the DHCP server. For DHCP server configuration information, refer to “Configuring DHCP” in the Cisco IOS IP and IP Routing Configuration Guide at: http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfdhcp.html
2. Enable DHCP snooping on at least one VLAN.
ARP entries in the ARP table will be checked against a nonexistent DHCP database. When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny ARP packets.
Command: Router(config)# no ip dhcp snooping information option allow-untrusted
Purpose: Disables the DHCP option-82 on untrusted port feature.
Step 2
Command: Router(config)# do show ip dhcp snooping
Purpose: Verifies the configuration.
This example shows how to enable DHCP snooping MAC address verification:
Router(config)# ip dhcp snooping verify mac-address
Router(config)# do show ip dhcp snooping | include hwaddr
Verification of hwaddr field is enabled
Router(config)#
Router(config)# do show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10-12,15
DHCP snooping is operational on following VLANs:
none
Command: Router# show ip dhcp snooping database [detail]
Purpose: database agent and statistics associated with the transfers.
Command: Router# clear ip dhcp snooping database statistics
Purpose: (Optional) Clears the statistics associated with the database agent.
Last Succeded Time : None
Last Failed Time : 17:14:25 UTC Sat Jul 7 2001
Last Failed Reason : Unable to access URL.
Total Attempts Startup Failures :
Page 568
The total counter set may indicate the number of bindings that have been ignored since the last clear.
Page 569
Successful Transfers : Failed Transfers :
Successful Reads Failed Reads
Successful Writes Failed Writes
Media Failures
Router#
Router# show ip dhcp snoop bind
MacAddress IpAddress Lease(sec) Type VLAN Interface
VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:02:B3:3F:3B:99 55.5.5.2 6943 dhcp-snooping FastEthernet6/10
Table 37-2 describes the fields in the show ip dhcp snooping binding command output.
Page 571
VLAN number of the client interface
Interface: Interface that connects to the DHCP client host
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Cisco 7600 series router.
Note:
• The PFC3 supports DAI with Release 12.2(18)SXE and later releases. The PFC2 does not support DAI.
• For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html
This chapter consists of these sections:
•...
DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks.
Router A and Router B is untrusted, the ARP packets from Host 1 are dropped by Router B. Connectivity between Host 1 and Host 2 is lost.
“Configuring ARP Packet Rate Limiting” section on page 38-9.
Relative Priority of ARP ACLs and DHCP Snooping Entries
DAI uses the DHCP snooping binding database for the list of valid IP-to-MAC address bindings.
The number of system messages is limited to 5 per second.
The logging-rate interval is 1 second.
Per-VLAN logging: All denied or dropped ARP packets are logged.
These sections describe how to configure DAI:
• Enabling DAI on VLANs, page 38-7
• Configuring the DAI Interface Trust State, page 38-8
• Applying ARP ACLs for DAI Filtering, page 38-8
--------------
Fa5/12 Trusted None
Applying ARP ACLs for DAI Filtering
Note: See the Cisco IOS Master Command List, Release 12.2SX, for information about the arp access-list command.
When DAI is enabled, the router performs ARP packet validation checks, which makes the router vulnerable to an ARP-packet denial-of-service attack. ARP packet rate limiting can prevent an ARP-packet denial-of-service attack.
Page 582
Router(config-if)# ip arp inspection limit rate 20 burst interval 2
Router(config-if)# do show ip arp inspection interfaces | include Int|--|5/14
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Fa5/14 Untrusted
If an ip arp inspection validate command enables src and dst mac validations, and a second ip arp inspection validate command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.
Page 584
Router(config)# ip arp inspection validate src-mac dst-mac ip
Router(config)# do show ip arp inspection | include abled$
Source Mac Validation : Enabled
Destination Mac Validation : Enabled
IP Address Validation : Enabled
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip arp inspection log-buffer entries 64
Router(config)# do show ip arp inspection log | include Size
Total Log Buffer Size : 64
Page 586
{acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}
Step 3
Command: Router(config)# do show running-config | include ip arp inspection vlan vlan_range
Purpose: Verifies the configuration.
Displays the configuration and the operating state of DAI for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with DAI enabled (active).
ARP packets that have dynamically assigned IP addresses. For configuration information, see Chapter 37, “Configuring DHCP Snooping.”
• This configuration does not work if the DHCP server is moved from Router A to a different location.
Page 589
Step 4 Verify the bindings:
RouterA# show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:02:00:02:00:02 1.1.1.2 4993 dhcp-snooping FastEthernet6/4
RouterA#
Page 590
--------- ------- ---------- ----------
Vlan DHCP Permits ACL Permits Source MAC Failures
---- ------------ ----------- -------------------
Vlan Dest MAC Failures IP Validation Failures
---- ----------------- ----------------------
RouterA#
Page 591
Untrusted
Fa3/7 Untrusted
<output truncated>
RouterB#
Step 4 Verify the list of DHCP snooping bindings:
RouterB# show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
Page 592
--------- ------- ---------- ----------
Vlan DHCP Permits ACL Permits Source MAC Failures
---- ------------ ----------- -------------------
Vlan Dest MAC Failures IP Validation Failures
---- ----------------- ----------------------
RouterB#
RouterA(config)# interface fastethernet 6/3
RouterA(config-if)# no ip arp inspection trust
RouterA(config-if)# end
Switch# show ip arp inspection interfaces fastethernet 6/3
Interface Trust State Rate (pps)
--------------- ----------- ----------
Page 594
Dest MAC Failures IP Validation Failures
---- ----------------- ----------------------
Switch#
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
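The check that DAI applies to ARP packets arriving on untrusted ports, as an added Python model (not Cisco code and not part of the original guide). The binding repeats the row shown in the show ip dhcp snooping binding output above; the VLAN number, the second MAC address, the trusted port assignment and all ARP packets are constructed, and the counter names are modelled on the statistics column headings.

```python
"""Simplified model of Dynamic ARP Inspection (DAI) on untrusted ports.

Added illustration, not Cisco code. The binding repeats the row from the
`show ip dhcp snooping binding` output on this page; the VLAN number, the
second MAC address and every ARP packet below are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class ArpPacket:
    ingress: str      # interface the packet arrived on
    vlan: int
    eth_src: str      # source MAC in the Ethernet header
    sender_mac: str   # sender hardware address in the ARP body
    sender_ip: str    # sender protocol address in the ARP body


class ArpInspector:
    """Checks ARP packets from untrusted ports against snooping bindings."""

    def __init__(self, bindings, trusted_ports, validate_src_mac=False):
        # Index bindings by (VLAN, IP); the value is the only MAC allowed.
        self.bindings = {(b.vlan, b.ip): b.mac.lower() for b in bindings}
        self.trusted_ports = set(trusted_ports)
        self.validate_src_mac = validate_src_mac
        self.stats = Counter()

    def inspect(self, pkt):
        # Packets from trusted ports are not inspected at all.
        if pkt.ingress in self.trusted_ports:
            self.stats["trusted_bypass"] += 1
            return "forward"
        # Optional check: Ethernet source must equal the ARP sender MAC.
        if self.validate_src_mac and pkt.eth_src.lower() != pkt.sender_mac.lower():
            self.stats["source_mac_failures"] += 1
            return "drop"
        # Core check: the sender IP must be bound to the sender MAC.
        bound_mac = self.bindings.get((pkt.vlan, pkt.sender_ip))
        if bound_mac != pkt.sender_mac.lower():
            self.stats["dhcp_drops"] += 1
            return "drop"
        self.stats["dhcp_permits"] += 1
        return "forward"


HOST_MAC = "00:02:00:02:00:02"   # from the binding table on this page
OTHER_MAC = "00:0a:00:0a:00:0a"  # constructed
VLAN = 1                         # constructed; the VLAN column is missing above
HOST_PORT = "FastEthernet6/4"    # from the binding table on this page
TRUSTED_PORT = "FastEthernet6/3" # constructed trust assignment


def run_demo():
    """Runs five constructed ARP packets through the inspector."""
    inspector = ArpInspector(
        [Binding(HOST_MAC, "1.1.1.2", VLAN, HOST_PORT)],
        trusted_ports={TRUSTED_PORT},
        validate_src_mac=True,
    )
    packets = [
        # Matches the binding: forwarded.
        ArpPacket(HOST_PORT, VLAN, HOST_MAC, HOST_MAC, "1.1.1.2"),
        # Bound IP claimed by a different MAC: dropped.
        ArpPacket(HOST_PORT, VLAN, OTHER_MAC, OTHER_MAC, "1.1.1.2"),
        # ARP body matches, Ethernet header does not: source MAC failure.
        ArpPacket(HOST_PORT, VLAN, OTHER_MAC, HOST_MAC, "1.1.1.2"),
        # No binding exists for this IP: dropped.
        ArpPacket(HOST_PORT, VLAN, HOST_MAC, HOST_MAC, "1.1.1.9"),
        # Same mismatch as packet 2, but on a trusted port: not inspected.
        ArpPacket(TRUSTED_PORT, VLAN, OTHER_MAC, OTHER_MAC, "1.1.1.2"),
    ]
    verdicts = [inspector.inspect(p) for p in packets]
    return verdicts, dict(inspector.stats)


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The last packet is the reason the trust state deserves review: a port marked trusted forwards ARP packets that the same switch would drop on an untrusted port.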
Configuring Traffic Storm Control
This chapter describes how to configure the traffic storm control feature on the Cisco 7600 series routers.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL:...
Page 596
A higher threshold allows more packets to pass through. Traffic storm control on the Cisco 7600 series routers is implemented in hardware. The traffic storm control circuitry monitors packets passing from a LAN interface to the switching bus. Using the...
When multicast suppression is enabled on the listed modules, do not configure traffic storm control on STP-protected ports that need to receive BPDUs. Except on the listed modules, traffic storm control does not suppress BPDUs.
On these modules, these levels suppress all traffic:
– WS-X6704-10GE: 0.33 percent or less
– WS-X6724-SFP 10Mbps ports: 0.33 percent or less
– WS-X6748-SFP 100Mbps ports: 0.03 percent or less
Router# show interfaces counters storm-control [module slot_number]
type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
Page 600
You must enter the storm-control keyword to display the discard count.
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
This chapter describes how to configure the unknown unicast flood blocking (UUFB) and unknown multicast flood blocking (UMFB) features on the Cisco 7600 series routers.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL:...
Router(config-if)# do show interface fastethernet 5/12 switchport | include Unknown
Unknown unicast blocked: enabled
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
This chapter describes how to configure quality of service (QoS) as implemented on the Policy Feature Card (PFC) and Distributed Forwarding Cards (DFCs) on the Cisco 7600 series routers.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco...
Understanding How PFC QoS Works
The term “PFC QoS” refers to QoS on the Cisco 7600 series router. PFC QoS is implemented on various router components in addition to the PFC and any DFCs. These sections describe how PFC QoS works:
• Port Types Supported by PFC QoS, page 41-2...
Page 605
Configuring PFC QoS
Note: Cisco 7600 series routers do not support all of the MQC features (for example, Committed Access Rate (CAR)) for traffic that is Layer 3 switched or Layer 2 switched in hardware. Because queuing is implemented in the port ASICs, Cisco 7600 series routers do not support MQC-configured queuing.
Page 606
Ingress PFC QoS can be applied to LAN-port ingress traffic. Ingress LAN-port traffic can be Layer-2 or Layer-3 switched by the PFC3 or routed in software by the MSFC.
Page 607
– Ingress PFC2 QoS can be applied to OSM-port ingress traffic.
– OSM-port ingress traffic can be Layer-3 switched by the PFC2 or routed in software by the MSFC2.
• Ingress LAN Port PFC QoS Features, page 41-7
• PFC and DFC QoS Features, page 41-9
• PFC QoS Egress Port Features, page 41-13
Page 609
These sections provide an overview of the ingress port QoS features:
• Flowchart of Ingress LAN Port PFC QoS Features, page 41-8
• Port Trust, page 41-9
• Ingress Congestion Avoidance, page 41-9
Page 610
Note:
• Ingress CoS mutation is supported only on 802.1Q tunnel ports.
• Release 12.2(18)SXF5 and later releases support the ignore port trust feature.
• DSCP-based queue mapping is supported only on WS-X6708-10GE ports.
Page 612
Supported Policy Feature Cards
The policy feature card (PFC) is a daughter card that resides on the supervisor engine. The PFC provides QoS in addition to other functionality. The following PFCs are supported on the Cisco 7600 series routers:
• PFC2 on the Supervisor Engine 2...
Page 613
DSCP, otherwise port CoS is mapped to initial internal DSCP
Note: The DSCP transparency feature makes writing the egress DSCP value into the Layer 3 ToS byte optional.
Page 614
Policy marking and policing on the PFC can change the initial internal DSCP value to a final internal DSCP value, which is then used for all subsequently applied QoS features.
Page 615
• Egress ToS Byte, page 41-15
• Egress PFC QoS Interfaces, page 41-15
• Egress ACL Support for Remarked DSCP, page 41-15
• Marking on Egress OSM Ports, page 41-16
Page 616
Note: With Release 12.2(18)SXF5 and later releases, you can configure WS-X6708-10GE ports to use the final internal DSCP value for egress LAN port classification and congestion avoidance (see the “Configuring DSCP-Based Queue Mapping” section on page 41-100).
Page 617
(either LAN ports configured as Layer 3 interfaces or VLAN interfaces). You configure egress ACL support for remarked DSCP on ingress Layer 3 interfaces (either LAN ports configured as Layer 3 interfaces or VLAN interfaces).
Page 618
Layer 3 features (for example, ingress Cisco IOS ACLs, policy based routing (PBR), etc.) before being processed by egress PFC QoS. The Layer 3 features configured on an interface where egress ACL support for remarked DSCP is configured might redirect or drop the packets that have been processed by ingress PFC QoS, which would prevent them from being processed by egress PFC QoS.
Understanding Classification and Marking
The following sections describe where and how classification and marking occur on the Cisco 7600 series routers:
• Classification and Marking at Trusted and Untrusted Ingress Ports, page 41-17...
Page 620
OSM port trust states that can be used by the PFC to set IP precedence or DSCP values and the CoS value. You can configure the trust state of each ingress OSM port as follows:
• Untrusted (default)
• Trust IP precedence
• Trust DSCP
Page 621
CoS value.
• Aggregate and microflow policers—PFC QoS can use policers to either mark or drop both conforming and nonconforming traffic.
Page 622
Policing does not buffer out-of-profile packets. As a result, policing does not affect transmission delay. In contrast, traffic shaping works by buffering out-of-profile traffic, which moderates the traffic bursts. (PFC QoS does not support shaping.)
Page 623
PFC or ingress DFC. Policers affected by this restriction deliver an aggregate rate that is the sum of all the independent policing rates.
Page 624
PFC QoS applies a marked-down DSCP value.
Note: To avoid inconsistent results, ensure that all traffic policed by the same aggregate policer has the same trust state.
Understanding Port-Based Queue Types
Port-based queue types are determined by the ASICs that control the ports. The following sections describe the queue types, drop thresholds, and buffers that are supported on the Cisco 7600 series router LAN modules:
• Ingress and Egress Buffers and Layer 2 CoS-Based Queues, page 41-23...
Page 626
The Cisco 7600 series router LAN modules support the following types of scheduling algorithms between queues:
• Shaped round robin (SRR)—SRR allows a queue to use only the allocated bandwidth.
Page 627
• 8q8t indicates eight standard queues, each with eight thresholds, each configurable as either WRED-drop or tail-drop.
• 1p1q4t indicates:
– One strict-priority queue
– One standard queue with four configurable tail-drop thresholds.
Page 628
WRED-drop or tail-drop
• 1p7q4t indicates the following:
– One strict-priority queue
– Seven standard queues, each with four thresholds, each threshold configurable as either WRED-drop or tail-drop
DSCP 40–47 = CoS 5
DSCP 48–55 = CoS 6
DSCP 56–63 = CoS 7
Marked-down DSCP from DSCP map: Marked-down DSCP value equals original DSCP value (no markdown)
Policers: None
• Supported Granularity for CIR and PIR Rate Values, page 41-55
• Supported Granularity for CIR and PIR Token Bucket Sizes, page 41-55
• IP Precedence and DSCP Values, page 41-56
• PFC QoS does not rewrite the payload ToS byte in tunnel traffic.
• PFC QoS filters only by ACLs, DSCP values, or IP precedence values.
Page 654
COS or DSCP marking of packets. If you are using QoS and your switching modules are capable of egress replication, enter the mls ip multicast replication-mode ingress command to force ingress replication.
traffic on the Layer 3 interface, both ingress and egress, to be processed in software on the MSFC2.
To configure NBAR, refer to this publication: http://www.cisco.com/en/US/docs/ios/12_4t/qos/configuration/guide/qsnbar1.html
8 7 6 5 4 3
1. MSb = most significant bit
Configuring PFC QoS
These sections describe how to configure PFC QoS on the Cisco 7600 series routers:
• Enabling PFC QoS Globally, page 41-57
• Enabling Ignore Port Trust, page 41-58...
This example shows how to verify the configuration:
Router# show mls qos
QoS is enabled globally
Microflow QoS is enabled globally
QoS global counters:
Total packets: 544393
This example shows how to enable ignore port trust and verify the configuration:
Router# configure terminal
Router(config)# mls qos marking ignore port-trust
Router(config)# end
Router# show mls qos | include ignores
Policy marking ignores port_trust
Router#
This example shows how to enable VLAN-based PFC QoS on Fast Ethernet port 5/42:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet 5/42
Router(config-if)# mls qos vlan-based
Router(config-if)# end
This example shows how to enable egress ACL support for remarked DSCP on Fast Ethernet port 5/36:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet 5/36
Router(config-if)# platform ip features sequential
Router(config-if)# end
• The normal_burst_bytes parameter sets the CIR token bucket size.
• The maximum_burst_bytes parameter sets the PIR token bucket size.
• When configuring the size of a token bucket, note the following information:
Page 666
(which is the case if you do not enter the maximum_burst_bytes parameter), the exceed-action policed-dscp-transmit keywords cause PFC QoS to mark traffic down as defined by the policed-dscp max-burst markdown map.
• Verifying Policy Map Configuration, page 41-81
• Attaching a Policy Map to an Interface, page 41-81
Note: PFC QoS policies process both unicast and multicast traffic.
Page 668
– With a PFC2 or PFC3, PFC QoS supports time-based Cisco IOS ACLs.
– Except for MAC ACLs and ARP ACLs, refer to the Cisco IOS Security Configuration Guide, Release 12.2, “Traffic Filtering and Firewalls,” at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfacls.html...
Router(config-if)# mac packet-classify
  Enables protocol-independent MAC ACL filtering on the interface.
Router(config-if)# no mac packet-classify
  Disables protocol-independent MAC ACL filtering on the interface.
type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
Page 670
To enable VLAN-based QoS filtering in MAC ACLs, perform this task:
Command and purpose:
Router(config)# mac packet-classify use vlan
  Enables VLAN-based QoS filtering in MAC ACLs.
Page 671
For example, to match an address exactly, use 0000.0000.0000 (can be entered as 0.0.0).
• You can enter an EtherType and an EtherType mask as hexadecimal values.
• Entries without a protocol parameter match any protocol.
Page 672
Note:
• The PFC2 applies IP ACLs to ARP traffic.
• The PFC3 does not apply IP ACLs to ARP traffic.
• With a PFC3, you cannot apply microflow policing to ARP traffic.
Creating a Class Map
To create a class map, perform this task:
Command and purpose:
Router(config)# class-map class_name
  Creates a class map.
Router(config)# no class-map class_name
  Deletes a class map.
Page 674
• PFC QoS does not support the match cos, match classmap, match destination-address, match input-interface, match qos-group, and match source-address class map commands.
• Cisco 7600 series routers do not detect the use of unsupported commands until you attach a policy...
Page 675
Note: Does not support source-based or destination-based microflow policing.
Router(config-cmap)# no match ip dscp dscp_value1 [dscp_value2 [dscp_valueN]]
  Clears configured DSCP values from the class map.
Creating a Policy Map
To create a policy map, perform this task:
Command and purpose:
Router(config)# policy-map policy_name
  Creates a policy map.
Router(config)# no policy-map policy_name
  Deletes the policy map.
Page 677
In Release 12.2(18)SXE and later releases, the set ip dscp and set ip precedence commands are saved in the configuration file as set dscp and set precedence commands.
Page 678
Router(config-pmap-c)# no set {dscp dscp_value | precedence ip_precedence_value}
Note: Releases earlier than Release 12.2(18)SXE support the set ip dscp and set ip precedence policy map class commands.
Page 679
Router(config-pmap-c)# police aggregate aggregate_name
  Configures the policy map class to use a previously defined named aggregate policer.
Router(config-pmap-c)# no police aggregate aggregate_name
  Clears use of the named aggregate policer.
Page 680
• You can enter the flow keyword to define a microflow policer (you cannot apply microflow policing to ARP traffic). When configuring a microflow policer, note the following information:
Page 681
– For TCP traffic, configure the token bucket size as a multiple of the TCP window size, with a minimum value at least twice as large as the maximum size of the traffic being policed.
Page 682
– The default violate action is equal to the exceed action.
You can enter the policed-dscp-transmit keyword to cause all matched out-of-profile traffic to be marked down as specified in the markdown map.
Page 683
Router(config-if)# service-policy [input | output] policy_map_name
  Attaches a policy map to the interface.
Router(config-if)# no service-policy [input | output] policy_map_name
  Removes the policy map from the interface.
Page 684
This example shows how to attach the policy map named pmap1 to Fast Ethernet port 5/36:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet 5/36
Router(config-if)# service-policy input pmap1
Router(config-if)# end
• You can enter multiple commands to map additional DSCP values to a mutated DSCP value.
• You can enter a separate command for each mutated DSCP value.
Page 686
This example shows how to attach the egress DSCP mutation map named mutmap1 to Fast Ethernet port 5/36:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet 5/36
Router(config-if)# mls qos dscp-mutation mutmap1
Router(config-if)# end
EtherChannel. If any member port of the second EtherChannel
Page 688
Router(config)# end
Router#
This example shows how to verify the map configuration:
Router(config)# show mls qos maps cos-mutation
COS mutation map testmap
cos-in
------------------------------------
cos-out :
Router#
• Mapping Received IP Precedence Values to Internal DSCP Values, page 41-88
• Configuring DSCP Markdown Values, page 41-89
• Mapping Internal DSCP Values to Egress CoS Values, page 41-90
Page 690
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# mls qos map ip-prec-dscp 0 1 2 3 4 5 6 7
Router(config)# end
Router#
Page 691
• You can enter a separate command for each marked-down DSCP value.
Note: Configure marked-down DSCP values that map to CoS values consistent with the markdown penalty.
Page 692
Router(config)# no mls qos map dscp-cos
  Reverts to the default map.
Step 2 Router(config)# end
  Exits configuration mode.
Step 3 Router# show mls qos maps
  Verifies the configuration.
By default, all ports are untrusted. You can configure the port trust state on all Ethernet LAN ports and OSM ports.
Note: On non-Gigabit Ethernet 1q4t/2q2t ports, you must repeat the trust configuration in a class map.
Page 694
Router(config-if)# mls qos trust cos
Router(config-if)# end
Router#
This example shows how to verify the configuration:
Router# show queueing interface gigabitethernet 1/1 | include trust
Trust state: trust COS
Router#
These sections describe configuring standard-queue drop threshold percentages:
• Configuring a Tail-Drop Receive Queue, page 41-94
• Configuring a WRED-Drop Transmit Queue, page 41-95
• Configuring a WRED-Drop and Tail-Drop Receive Queue, page 41-96
Page 696
Configuring a Tail-Drop Receive Queue
These port types have only tail-drop thresholds in their receive-queues:
• 1q2t
• 1p1q4t
• 2q8t
• 1q8t
Page 697
Router(config-if)# wrr-queue random-detect min-threshold queue_id thr1% [thr2%]
  Configures the low WRED-drop thresholds.
Router(config-if)# no wrr-queue random-detect min-threshold [queue_id]
  Reverts to the default low WRED-drop thresholds.
Page 698
= fastethernet, gigabitethernet, or tengigabitethernet
Configuring a WRED-Drop and Tail-Drop Transmit Queue
These port types have both WRED-drop and tail-drop thresholds in their transmit queues:
• 1p3q1t (transmit)
• 1p3q8t (transmit)
Page 699
Transmit queues [type = 1p2q2t]:
Queue Id Scheduling Num of thresholds
-----------------------------------------
WRR low
WRR high
Priority
queue random-detect-max-thresholds
----------------------------------
40[1] 70[2]
40[1] 70[2]
<...Output Truncated...>
Router#
Page 700
This example shows how to verify the configuration:
Router# show queueing interface gigabitethernet 2/1
Transmit queues [type = 2q2t]:
<...Output Truncated...>
queue tail-drop-thresholds
--------------------------
60[1] 100[2]
40[1] 100[2]
The standard queue thresholds can be configured as either tail-drop or WRED-drop thresholds on these port types:
– 1p1q8t (receive)
– 1p3q1t (transmit)
– 1p3q8t (transmit)
– 1p7q1t (transmit)
Page 702
These sections describe how to configure ingress DSCP-based queue mapping:
• Enabling DSCP-Based Queue Mapping, page 41-100
• Mapping DSCP Values to Standard Receive-Queue Thresholds, page 41-101
Page 703
• You can enter multiple commands to map additional DSCP values to the queue and threshold.
• You must enter a separate command for each queue and threshold.
• Queue 2—250 Mbps
• Queue 3—500 Mbps
Note: The actual bandwidth allocation depends on the granularity that the port hardware applies to the configured percentages or weights.
Page 712
Router(config-if)# end
Router#
This example shows how to verify the configuration:
Router# show queueing interface gigabitethernet 1/2 | include bandwidth
WRR bandwidth ratios: 3[queue 1] 1[queue 2]
Router#
Router(config-if)# end
Router#
This example shows how to verify the configuration:
Router# show queueing interface fastethernet 2/2 | include queue-limit
queue-limit ratios: 75[queue 1] 15[queue 2]
Router#
• Valid values are from 1 to 100 percent, except on 1p2q1t egress LAN ports, where valid values for the high priority queue are from 5 to 100 percent.
For more information on QoS guidelines, refer to RFC 2597 and RFC 2598 as well as the various QoS design guides published by Cisco Systems, Inc.
• Do not enable PFC QoS globally and leave all other PFC QoS configuration at default values. When...
Page 717
CLASSIFY-VOICE
 match access-group name CLASSIFY-VOICE
class-map match-all CLASSIFY-VOICE-SIGNAL
 match access-group name CLASSIFY-VOICE-SIGNAL
class-map match-all CLASSIFY-PC-SAP
 match access-group name CLASSIFY-PC-SAP
class-map match-all CLASSIFY-OTHER
 match access-group name CLASSIFY-OTHER
Page 718
Port QoS is enabled
To ensure that the class map configuration is correct, enter this command:
Router# show class-map
Class Map match-all CLASSIFY-OTHER (id 1)
Match access-group name CLASSIFY-OTHER
QoS policies to the different traffic types. The configuration was done with the MQC QoS policy syntax, which allows you to apply different marking or trust actions to the different traffic classes arriving on a port.
Three regular queues supporting Weighted-Round Robin scheduling (3q), each with eight WRED thresholds (8t, not discussed here)
Cisco 7600 series router Ethernet modules also have input queue structures, but these are used less often, and because there probably will not be congestion within the switch fabric, this example does not include them.
Page 721
CoS-to-queue mapping, which shows the queue to which each of the eight CoS values is mapped:
Router# show queueing interface gigabitethernet 5/1 | begin cos-map
queue thresh cos-map
---------------------------------------
Page 722
On the Cisco 7600 series router, the scheduling algorithms used on the LAN switching modules are strict priority (SP) queueing and weighted round robin (WRR) queueing. These algorithms determine the order, or the priority, that the various queues on a port are serviced.
Rate limiting is a useful way of ensuring that a particular device or traffic class does not consume more bandwidth than expected. On the Cisco 7600 series router Ethernet ports, the supported rate-limiting method is called policing. Policing is implemented in the PFC hardware with no performance impact. A policer operates by allowing the traffic to flow freely as long as the traffic rate remains below the configured transmission rate.
Page 724
Attach the policy map to the appropriate interface using the service-policy input command:
interface FastEthernet5/1
 service-policy input IPPHONE-PC
To monitor the policing operation, use these commands:
show policy-map interface fastethernet 5/1
show class-map
show mls qos ip fastethernet 5/1
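How a policer with a CIR bucket (normal_burst_bytes) and a PIR bucket (maximum_burst_bytes) sorts packets into conform, exceed and violate without buffering anything, as an added Python model (not Cisco code and not part of the original guide). It uses the color-blind two-rate marker of RFC 2698 as an assumed stand-in for the PFC hardware, a single markdown dictionary in place of the policed-dscp markdown maps, and constructed rates, burst sizes, DSCP values and arrival times.

```python
"""Two-rate policer model: CIR and PIR token buckets, no buffering.

Added illustration, not Cisco code. It follows the color-blind two-rate
three-color marker of RFC 2698 as an assumed stand-in for the PFC hardware;
rates, burst sizes, DSCP values and packet times are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TwoRatePolicer:
    cir_bps: int                  # committed information rate, bits/second
    normal_burst_bytes: int       # CIR token bucket size
    pir_bps: int                  # peak information rate, bits/second
    maximum_burst_bytes: int      # PIR token bucket size
    exceed_action: str = "policed-dscp-transmit"
    violate_action: Optional[str] = None   # None: same as the exceed action
    # DSCP -> marked-down DSCP; an absent entry means no markdown.
    markdown_map: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.violate_action is None:
            self.violate_action = self.exceed_action
        self.cir_tokens = float(self.normal_burst_bytes)   # buckets start full
        self.pir_tokens = float(self.maximum_burst_bytes)
        self.last_us = 0

    def _refill(self, now_us):
        # Tokens accrue at the configured rate, capped at the bucket size.
        elapsed_us = now_us - self.last_us
        self.last_us = now_us
        self.cir_tokens = min(self.normal_burst_bytes,
                              self.cir_tokens + elapsed_us * self.cir_bps / 8e6)
        self.pir_tokens = min(self.maximum_burst_bytes,
                              self.pir_tokens + elapsed_us * self.pir_bps / 8e6)

    def _apply(self, level, action, dscp):
        if action == "drop":
            return (level, "drop", None)
        if action == "policed-dscp-transmit":
            return (level, "transmit", self.markdown_map.get(dscp, dscp))
        return (level, "transmit", dscp)   # plain "transmit"

    def police(self, now_us, size_bytes, dscp):
        """Returns (level, verdict, egress DSCP) for one packet.

        The packet is never queued: it is sent or dropped at once, which is
        why policing adds no transmission delay.
        """
        self._refill(now_us)
        if self.pir_tokens < size_bytes:
            return self._apply("violate", self.violate_action, dscp)
        self.pir_tokens -= size_bytes
        if self.cir_tokens < size_bytes:
            return self._apply("exceed", self.exceed_action, dscp)
        self.cir_tokens -= size_bytes
        return ("conform", "transmit", dscp)


def run_demo():
    """Five back-to-back 1500-byte packets, then one more 12 ms later."""
    policer = TwoRatePolicer(cir_bps=1_000_000, normal_burst_bytes=3000,
                             pir_bps=2_000_000, maximum_burst_bytes=6000,
                             violate_action="drop",
                             markdown_map={46: 0})   # constructed markdown
    arrivals_us = [0, 0, 0, 0, 0, 12_000]
    return [policer.police(t, 1500, 46) for t in arrivals_us]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The burst drains the CIR bucket after two packets and the PIR bucket after four; 12 ms of refill at 1 Mbps restores exactly one 1500-byte packet of CIR credit.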
IP header. IP precedence ranges between zero and seven.
[Figure: Layer 3 IPv4 packet; 3 bits of a 1-byte field carry the IP precedence]
• Labels—See labels.
Page 726
DSCP is defined by the six most significant bits of the ToS. DSCP values can range from 0 to 63.
• Weight—ratio of bandwidth allocated to a queue.
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Page 727
This chapter describes how to configure PFC3BXL or PFC3B mode Multiprotocol Label Switching (MPLS) quality of service (QoS) on the Cisco 7600 series routers.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco...
Page 728
• Marking is the process of setting a Layer 3 DSCP value in a packet. Marking is also the process of choosing different values for the MPLS EXP field to mark packets so that they have the priority that they require during periods of congestion.
Traffic classification is the primary component of class-based QoS provisioning. The PFC3BXL or PFC3B make classification decisions...
The PFC3BXL or PFC3B uses MPLS DiffServ tunneling modes. Tunneling provides QoS transparency from one edge of a network to the other edge of the network. See the “MPLS DiffServ Tunneling Modes” section on page 42-32 for information.
• P1—Label switch router (LSR) within the core of the network of the service provider
• P2—LSR within the core of the network of the service provider
At the output interface, the labeled packets are differentiated by class for marking or policing. For LAN interfaces, egress classification is still based on IP, not on MPLS. The labeled packets (marked by EXP) are sent to the core MPLS network.
Note The MPLS EXP bits allow you to specify the QoS for an MPLS packet. The IP precedence and DSCP bits allow you to specify the QoS for an IP packet.
• After exiting the tunnel egress, queueing is based on preserved 802.1p CoS if 1p tag has been tunnelled in the EoMPLS header (VC type 4); otherwise, queuing is based on the CoS derived from the QoS decision.
IP using match commands for IP precedence, IP DSCP, and IP ACLs. Egress policies do not classify traffic on the imposed EXP value nor on a marking done by an ingress policy.
Page 736
EXP value in the topmost label. If the egress port is a trunk, the LAN ports and the OSM GE-WAN ports copy the egress CoS into the egress 802.1Q field.
Page 737
For incoming MPLS packets on the PE-to-CE ingress, the PFC3BXL or PFC3B supports MPLS classification only. Ingress IP policies are not supported. PE-to-CE traffic from the MPLS core is classified or policed on egress as IP.
For aggregate VPN labels, the EXP propagation in recirculation case may not be supported because MPLS adjacency does not know which egress interface the final packet will use.
Note The PFC3BXL or PFC3B mode MPLS QoS ingress and egress policies for MPLS traffic classify traffic on the EXP value in the received topmost label when you enter the match mpls experimental command.
Page 740
The set mpls experimental imposition, police, and police with set imposition commands
PFC3BXL or PFC3B mode MPLS QoS at the egress of P1 or P2 supports matching with the mpls experimental topmost command.
MPLS to IP edge QoS    Preserve the exposed IP DSCP
MPLS QoS Commands
PFC3BXL or PFC3B MPLS QoS on the Cisco 7600 series routers supports the following MPLS QoS commands:
• match mpls experimental topmost
• set mpls experimental imposition
• ...
– Popping one label when QoS is queuing only, the EXP value is based on the underlying EXP value.
• EXP value is irrelevant to MPLS-to-IP disposition.
        Router(config)# end
        Exits configuration mode.
Step 3  Router# show mls qos
        Verifies the configuration.
This example shows how to enable QoS globally:
  Router(config)# mls qos
  Router(config)# end
  Router#
Page 745
CoS. This example shows how to enable queueing-only mode:
  Router# configure terminal
  Router(config)# mls qos queueing-only
  Router(config)# end
  Router#
Step 2  Router(config-cmap)# match mpls experimental topmost value
        Specifies the packet characteristics that will be matched to the class.
Step 3  Router(config-cmap)# exit
        Exits class-map configuration mode.
Page 747
(* - shared aggregates, Mod - switch module)
Int Mod Dir Class-map DSCP Trust Fl AgForward-By AgPoliced-By
-------------------------------------------------------------------------------
Fa3/27 exp3 dscp Default 3466140423
Router# show policy-map interface fastethernet 3/27
FastEthernet3/27
Service-policy input: exp3
You can use the no mls qos mpls trust exp command to apply port or policy trust to MPLS packets in the same way that you apply them to Layer 2 packets.
QoS policy-map class configuration mode. To disable the setting, use the no form of this command.
Note The set mpls experimental imposition command replaces the set mpls experimental command.
Page 750
3
Router# show class-map iptcp
Class Map match-all iptcp (id 62)
Match access-group
Router# show access-l 101
Extended IP access list 101
10 permit tcp any any
Page 751
DSCP.
• To set the pushed label entry value to a value different from the default value during label imposition, use the set mpls experimental imposition command.
Page 752
(per source, destination, protocol, source port, and destination port). For additional information on aggregate and microflow policing, see the “Policers” section on page 41-20. To configure traffic policing, use the police command. For information on this command, see the Cisco IOS Master Command List, Release 12.2SX. Command Purpose Step 1 Creates a policy map.
Page 753
R7# show mls qos ip
QoS Summary [IPv4]: (* - shared aggregates, Mod - switch module)
Int Mod Dir Class-map DSCP Trust Fl AgForward-By AgPoliced-By
-------------------------------------------------------------------------------
Fa3/27 iptcp Vl300 Default 3468161522
These sections describe how to configure PFC3BXL or PFC3B mode MPLS QoS egress EXP mutation:
• Configuring Named EXP Mutation Maps, page 42-30
• Attaching an Egress EXP Mutation Map to an Interface, page 42-30
Page 756
= ethernet, fastethernet, gigabitethernet, or tengigabitethernet
This example shows how to attach the egress EXP mutation map named mutemap2:
  Router(config)# interface fastethernet 3/26
  Router(config-if)# mls qos exp-mutation mutemap2
  Router(config-if)# end
Router# show mls qos maps
This example shows how to configure a named egress-DSCP to egress-EXP map:
  Router(config)# mls qos map dscp-exp 20 25 to 3
  Router(config)#
Note The presence of an egress IP policy (based on the customer’s PHB marking and not on the provider’s PHB marking) automatically implies the Short Pipe mode.
PHB of a packet, that change must be propagated to all encapsulation markings. The propagation is performed by a router only when a PHB is added or exposed due to label imposition or...
Page 760
Note Because the IP precedence bits are 3, the BGP label and the IGP label also contain 3 because in Uniform mode, the labels always are identical. The packet is treated uniformly in the IP and MPLS networks.
To set the EXP value, the ingress LAN or OSM port must be untrusted. FlexWAN ports do not have the trust concept, but, as with traditional Cisco IOS routers, the ingress ToS is not changed (unless a marking policy is configured).
Router(config-if)# service-policy input set-MPLS-PHB
Configuring Ingress PE Router—P Facing Interface
This procedure classifies packets based on their MPLS EXP field and provides appropriate discard and scheduling treatments.
Step 10  Router(config-if)# service-policy input policy_map_name
         Attaches the policy map created in step to the interface as an input service policy.
Router(config-if)# service-policy output name
  Attaches a QoS policy to an interface and specifies that policies should be applied on packets leaving the interface.
Note The bandwidth command and random-detect command are not supported on LAN ports.
Page 768
Router(config-if)# service-policy output name
  policies should be applied on packets coming into the interface.
Note The bandwidth command and random-detect command are not supported on LAN ports.
Page 769
Router(config)# interface GE-WAN 3/2.32
Router(config-if)# mpls propagate-cos
Router(config-if)# service-policy output output-qos
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Configuring PFC QoS Statistics Data Export
This chapter describes how to configure PFC QoS statistics data export on Cisco 7600 series routers.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL:...
Router# show mls qos statistics-export info
This example shows how to enable PFC QoS statistics data export globally and verify the configuration:
  Router# configure terminal
  Router(config)# mls qos statistics-export
  Router(config)# end
Page 773
When enabled on a port, PFC QoS statistics data export contains the following fields, separated by the delimiter character:
• Export type (“1” for a port)
• Slot/port
• Number of ingress packets
• Number of ingress bytes
• ...
Page 774
• PFC or DFC slot number
• Number of in-profile bytes
• Number of bytes that exceed the CIR
• Number of bytes that exceed the PIR
• Time stamp
Page 775
– Direction (“in”)
– Slot/port
– Number of in-profile bytes
– Number of bytes that exceed the CIR
– Number of bytes that exceed the PIR
– Time stamp
Page 776
This example shows how to set the PFC QoS statistics data export interval and verify the configuration:
  Router# configure terminal
  Router(config)# mls qos statistics-export interval 250
  Router(config)# end
Page 778
QoS Statistics Data Export is enabled on following ports:
---------------------------------------------------------
FastEthernet5/24
QoS Statistics Data export is enabled on following shared aggregate policers:
-----------------------------------------------------------------------------
aggr1M
QoS Statistics Data Export is enabled on following class-maps:
---------------------------------------------------------------
class3
Page 779
QoS Statistics Data Export is enabled on following class-maps:
---------------------------------------------------------------
class3
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Configuring the Cisco IOS Firewall Feature Set
This chapter describes how to configure the Cisco IOS firewall feature set on the Cisco 7600 series routers. This chapter contains these sections:
• Cisco IOS Firewall Feature Set Support Overview, page 44-1
• Cisco IOS Firewall Guidelines and Restrictions, page 44-2
• ...
Note Cisco 7600 series routers support the Intrusion Detection System Module (IDSM) (WS-X6381-IDS). Cisco 7600 series routers do not support the Cisco IOS firewall IDS feature, which is configured with the ip audit command. Cisco IOS Firewall Guidelines and Restrictions...
If the FTP session enters on VLAN 100 and needs to leave on VLAN 200, CBAC on a Cisco 7600 series router permits the FTP traffic only through ACLs deny_ftp_a and deny_ftp_b. To permit the traffic...
Page 784
Additional CBAC Configuration
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Configuring Network Admission Control
This chapter describes how to configure Network Admission Control (NAC) on Cisco 7600 series routers. With a PFC3, Release 12.2(18)SXF2 and later releases support NAC. For complete syntax and usage information for the commands used in this chapter, refer to these...
• Unless otherwise noted, the term switch refers to Cisco 7600 series routers. Because NAC as described in this chapter is a Layer 2 feature, the term switch is used for Cisco 7600 routers. • Release 12.2(18)SXF does not support NAC Layer 2 IEEE 802.1x.
The Cisco Trust Agent software is also referred to as the posture agent or the antivirus client.
• Switch (edge switches)—This is the network access device that provides validation services and...
The AAA down policy is a method of allowing a host to remain connected to the network if the AAA server is not available. Typical deployments of NAC use Cisco Secure ACS to validate the client posture and to pass policies back to the Network Access Device (NAD). If the AAA server cannot be reached when the posture validation occurs, instead of rejecting the user (that is, not providing the access to the network), an administrator can configure a default AAA down policy that can be applied to the host.
Page 789
If the host is in the exception list, the switch applies the user-configured NAC policy to the host. If EoU bypass is enabled, the switch sends a nonresponsive-host request to the Cisco Secure ACS and applies the access policy from the server to the host. The switch inserts a RADIUS AV pair to the request to specify that the request is for a nonresponsive host.
Page 790
The switch can use the EoU bypass feature to speed up posture validation of hosts that are not using the Cisco Trust Agent. If EoU bypass is enabled, the switch does not contact the host to request the antivirus condition. Instead, the switch sends a request to the Cisco Secure ACS that includes the IP address, MAC address, service type, and EAPoUDP session ID of the host.
Page 791
Audit Servers
End devices that do not run a Cisco Trust Agent (CTA) will not be able to provide credentials when challenged by Network Access Devices. These devices are described as agentless or nonresponsive. The NAC architecture has been extended to incorporate audit servers. An audit server is a third-party server that can probe, scan, and determine security compliance of a host without requiring the Cisco Trust Agent to be present on the host.
Page 792
If the default ACL is configured on the switch and the Cisco Secure ACS sends a host access policy to the switch, the switch applies the policy to traffic from the host connected to a switch port. If the policy applies to the traffic, the switch forwards the traffic.
Page 793
Hold Timer
The hold timer prevents a new EAPoUDP session from immediately starting after the previous attempt to validate the session fails. This timer is used only when the Cisco Secure ACS sends an Accept-Reject message to the switch. The default value of the hold timer is 180 seconds (3 minutes).
Page 794
When a host becomes inactive, the switch ends the host session. For Catalyst 3750, 3560, 3550, 2970, 2960, 2955, 2950, and 2940 switches and for Cisco EtherSwitch service modules, the limit to remove inactive entries is 512. For Cisco 7600 series routers and Catalyst 4000 and 6000 switches, the limit is 2048.
Page 795
NAC Layer 2 IP Validation and Redundant Supervisor Engines
On Cisco 7600 series routers with redundant supervisor engines, when RPR mode redundancy is configured, a switchover causes the loss of all information about currently postured hosts. When SSO mode redundancy is configured, a switchover triggers a reposturing of all currently postured hosts.
• Layer 2 IP is not allowed if the parent VLAN of the port has VACL capture or Cisco IOS firewall (CBAC) configured.
• LAN Port IP (LPIP) ARP traffic redirected to the CPU cannot be spanned using the SPAN feature.
Step 3  Router(config)# mls ratelimit layer2 ip ip-admission pps ( burst )
        Enables the rate limiting of the IP admission traffic to the CPU.
Page 798
Step 11  Router(config)# ip device tracking
         Enables the IP device tracking table.
         To disable the IP device tracking table, use the no device tracking global configuration command.
Page 799
The range is from 30 to 300 seconds. The default is 30 seconds.
Step 17  Router(config)# eou logging
         (Optional) Enables EAPoUDP system logging events.
Step 18  Returns to privileged EXEC mode.
Page 800
Router(config)# aaa authentication eou default group radius
Router(config)# radius-server host admin key rad123
Router(config)# radius-server vsa send authentication
Router(config)# ip device tracking probe count 2
Router(config)# eou logging
Router(config)# end
To not authorize the specified IP device and remove the specified policy from the device, use the no device {authorize | not-authorize} {ip-address ip_address | mac-address mac_address | type cisco ip phone} [policy policy_name] interface configuration command. This example shows how to configure the identity profile and policy:...
Page 803
for a response before resending the ARP probe. The range is from 30 to 300 seconds. The default is 30 seconds.
Page 804
Router# copy running-config startup-config
The following example illustrates how to apply an AAA down policy:
  Router# config t
  Enter configuration commands, one per line. End with CNTL/Z.
Page 805
Authentication global absolute time is 0 minutes
Authentication global init state time is 2 minutes
Auth-proxy name AAA_DOWN
eapoudp list not specified auth-cache-time 60 minutes
Identity policy name global_policy for AAA fail policy
| ip ip_address | mac mac_address }
  tracking table.
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized devices (clients) from gaining access to the network.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL:...
The Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server, version 3.0. RADIUS uses a client-server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
The specific exchange of EAP frames depends on the authentication method being used. Figure 46-2 shows a message exchange initiated by the client using the One-Time-Password (OTP) authentication method with a RADIUS server.
EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start...
• The 802.1X protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports, but it is not supported on these port types:
If authentication fails at any point in this cycle, the authentication process stops, and no other authentication methods are attempted. To configure 802.1X port-based authentication, perform this task:
Page 814
Router(config)# interface fastethernet 5/1
Router(config-if)# dot1x port-control auto
Router(config-if)# end
This example shows how to verify the configuration:
  Router# show dot1x all
  Dot1x Info for interface FastEthernet5/1
  ----------------------------------------------------
• For hostname or ip_address, specify the host name or IP address of the remote RADIUS server.
• Specify the key string on a separate command line.
If you want to configure these options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the radius-server key global configuration commands. For more information, refer to the Cisco IOS Security Configuration Guide, Release 12.2, publication and the Cisco IOS Security Command Reference, Release 12.2, publication at this URL:...
Note Initializing authentication disables any existing authentication before authenticating the client connected to the port.
To initialize the authentication for the client connected to a port, perform this task:
Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
= ethernet, fastethernet, gigabitethernet, or tengigabitethernet
This example shows how to set the router-to-client retransmission time for the EAP-request frame to 25 seconds:
  Router(config-if)# dot1x timeout supp-timeout 25
EAP-request/identity frame to the client before restarting the authentication process. The range is 1 to 10; the default is 2.
Router(config-if)# no dot1x max-req
  Returns to the default retransmission number.
EXEC command. To display the 802.1X administrative and operational status for a specific interface, use the show dot1x interface interface-id privileged EXEC command. For detailed information about the fields in these displays, refer to the Cisco IOS Master Command List, Release 12.2SX.
Configuring Port Security
This chapter describes how to configure the port security feature.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html...
To ensure that an attached device has the full bandwidth of the port, set the maximum number of addresses to one and configure the MAC address of the attached device.
• Enter the clear port-security dynamic global configuration command to clear all dynamically learned secure addresses. See the Cisco IOS Master Command List, Release 12.2SX, for complete syntax information.
• Port security learns unauthorized MAC addresses with a bit set that causes traffic to them or from...
Page 826
• Enabling Port Security with Sticky MAC Addresses on a Port, page 47-10
• Configuring a Static Secure MAC Address on a Port, page 47-11
• Configuring Secure MAC Address Aging on a Port, page 47-12
Step 3  Router(config-if)# do show port-security interface type slot/port | include violation_mode
        Verifies the configuration.
type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
violation_mode = protect, restrict, or shutdown
Configuring the Port Security Rate Limiter
Note
• The PFC2 does not support the port security rate limiter.
• The truncated switching mode does not support the port security rate limiter.
Page 830
Router(config)# mls rate-limit layer2 port-security 1000
Router(config)# end
This example shows how to verify the configuration:
  Router# show mls rate-limit | include PORTSEC
  LAYER_2 PORTSEC 1000 Not sharing
End with CNTL/Z.
Router(config)# interface fastethernet 3/12
Router(config-if)# switchport port-security maximum 64
Router(config-if)# do show port-security interface fastethernet 5/12 | include Maximum
Maximum MAC Addresses : 64
This example shows how to enable port security with sticky MAC addresses on Fast Ethernet port 5/12:
  Router# configure terminal
  Enter configuration commands, one per line. End with CNTL/Z.
  Router(config)# interface fastethernet 5/12
  Router(config-if)# switchport port-security mac-address sticky
End with CNTL/Z.
Router(config)# interface fastethernet 5/12
Router(config-if)# switchport port-security aging type inactivity
Router(config-if)# do show port-security interface fastethernet 5/12 | include Type
Aging Type : Inactivity
– The maximum allowed number of secure MAC addresses for each interface
– The number of secure MAC addresses on the interface
– The number of security violations that have occurred
– The violation mode.
Page 836
Total Addresses in System: 10
Max Addresses limit in System: 128
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
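The port security settings covered in this chapter (maximum secure addresses, violation mode, sticky and static addresses, aging type) can be checked offline against a saved configuration. The following Python audit is an added example, not part of the Cisco guide: the sample configuration is constructed, the helper names and the MAX_SECURE_MACS threshold are assumptions of this example, and the defaults it applies (maximum 1, violation mode shutdown) are the Cisco IOS defaults used when a sub-command is absent.

```python
import re

# Constructed sample running-config fragment (not taken from the guide).
SAMPLE_CONFIG = """\
interface FastEthernet5/1
 switchport
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet5/12
 switchport
 switchport mode access
 switchport port-security
 switchport port-security maximum 64
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security aging type inactivity
!
interface FastEthernet5/13
 switchport
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0000.0c12.3456
!
interface GigabitEthernet1/1
 ip address 192.0.2.1 255.255.255.0
!
"""

# Local policy threshold; an assumption of this example, not a Cisco value.
MAX_SECURE_MACS = 2


def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [sub-command lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        match = re.match(r"^interface\s+(\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces


def port_security_settings(lines):
    """Return the effective port security settings for one interface."""
    # IOS defaults apply when a sub-command is not configured.
    s = {"enabled": False, "maximum": 1, "violation": "shutdown",
         "sticky": False, "static_macs": [], "aging_type": None}
    for line in lines:
        if not line.startswith("switchport port-security"):
            continue
        args = line.split()[2:]
        if not args:
            s["enabled"] = True
        elif args[0] == "maximum" and len(args) > 1 and args[1].isdigit():
            s["maximum"] = int(args[1])
        elif args[0] == "violation" and len(args) > 1:
            s["violation"] = args[1]
        elif args[:2] == ["mac-address", "sticky"]:
            s["sticky"] = True
        elif args[0] == "mac-address" and len(args) > 1:
            s["static_macs"].append(args[1])
        elif args[:2] == ["aging", "type"] and len(args) > 2:
            s["aging_type"] = args[2]
    return s


def audit(config, max_macs=MAX_SECURE_MACS):
    """Return (interface, finding) tuples for access ports only."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # routed and trunk ports are out of scope here
        s = port_security_settings(lines)
        if not s["enabled"]:
            findings.append((name, "port security not enabled"))
            continue
        if s["violation"] == "protect":
            # protect drops frames silently: no violation count, no log entry
            findings.append((name, "violation mode protect gives no violation signal"))
        if s["maximum"] > max_macs:
            findings.append((name, f"maximum {s['maximum']} exceeds policy limit {max_macs}"))
    return findings


if __name__ == "__main__":
    for name, message in audit(SAMPLE_CONFIG):
        print(f"{name}: {message}")
```
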
Understanding How CDP Works
CDP is a protocol that runs over Layer 2 (the data link layer) on all Cisco routers, bridges, access servers, and switches. CDP allows network management applications to discover Cisco devices that are neighbors of already known devices, in particular, neighbors running lower-layer, transparent protocols.
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled
Router#
For additional CDP show commands, see the “Monitoring and Maintaining CDP” section on page 48-3.
Router# show cdp entry entry_name [protocol | version]
  Displays information about a specific neighbor. The display can be limited to protocol or version information.
Page 840
JAB03130104 Fas 5/8 WS-C4003 2/47
JAB03130104 Fas 5/9 WS-C4003 2/48
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Cisco 7600 series routers.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html...
Layer 1. The Cisco 7600 series router periodically transmits UDLD packets to neighbor devices on LAN ports with UDLD enabled. If the packets are echoed back within a specific time frame and they are lacking a specific acknowledgment (echo), the link is flagged as unidirectional and the LAN port is shut down.
Note This command is only supported on fiber-optic LAN ports.
Step 3  Router# show udld type slot/number
        Verifies the configuration.
type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
To reset all LAN ports that have been shut down by UDLD, perform this task:
Command: Router# udld reset
Purpose: Resets all LAN ports that have been shut down by UDLD.
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Configuring NetFlow
This chapter describes how to configure NetFlow statistics collection on the Cisco 7600 series routers. For complete syntax and usage information for the commands used in this chapter, refer to these...
Release 12.2(18)SXF and later releases support NetFlow for multicast IP. For additional information about NetFlow for multicast IP, refer to the NetFlow Multicast Support document, available in this document: Cisco IOS NetFlow Configuration Guide.
IP address, so the NetFlow table can become very large. See the “NetFlow Configuration Guidelines and Restrictions” section on page 50-5 for information about NetFlow table capacity.
• Pay attention to response messages. If the Feature Manager turns off hardware assist for a feature, you need to ensure that feature processing does not overload the RP processor.
• If the NetFlow table utilization exceeds the recommended utilization levels, there is an increased probability that there will be insufficient room to store statistics. Table 50-3 lists the recommended maximum utilization levels.
Router(config)# no mls flow ip
Reverts to the default IP MLS flow mask (null).
This example shows how to set the minimum IP MLS flow mask:
Router(config)# mls flow ip destination
Router(config)# mls aging {fast [threshold { 1-128 } | time { 1-128 }] | long 64-1920 | normal 32-4092 }
Configures the MLS aging time for a NetFlow table entry.
236 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
Dst If Dst Prefix Msk AS Flows Pkts B/Pk Active
• Configuring NetFlow Aggregation on the MSFC, page 50-11
• Enabling NetFlow for Ingress-Bridged IP Traffic, page 50-12
• Enabling NetFlow for Multicast IP Traffic, page 50-13
NetFlow for the interface. In releases prior to Release 12.2(18)SXF, NetFlow is enabled by default.
Configuring NetFlow Aggregation on the MSFC
For information on configuring NetFlow aggregation on the MSFC, refer to the following documentation: Cisco IOS NetFlow Configuration Guide.
This example shows how to enable NetFlow for ingress-bridged IP traffic in VLAN 200:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip flow ingress layer2-switched vlan 200
NetFlow multicast support with Release 12.2(18)SXF and later 12.2SX releases. For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
• NDE Configuration Guidelines and Restrictions, page 51-10
• Configuring NDE, page 51-10
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Release 12.2(18)SXF and later releases support NetFlow version 9, described in this document: Cisco IOS NetFlow Configuration Guide. NetFlow version 9 record formats are described in this document:
NetFlows. Therefore, the destination interface for traffic returned from the web server has a client interface instead of the cache interface or the ANCS interface.
Current seconds since 0000 UTC 1970
12–15  unix_nsecs  Residual nanoseconds since 0000 UTC 1970
16–19  flow_sequence  Sequence counter of total flows seen
20–23  reserved  Unused (zero) bytes
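A collector can use the flow_sequence field from the header table above to notice lost NDE export datagrams. The following Python sketch is an added example, not code from the Cisco guide. Bytes 8 to 23 follow the table on this page; the version, count and SysUptime fields in bytes 0 to 7 and the 48-byte record size are assumptions taken from the standard NetFlow version 5 layout, and the sample datagrams are constructed.

```python
import struct

# Bytes 8-23 (unix_secs, unix_nsecs, flow_sequence, reserved) follow the
# header table on this page. version/count/SysUptime in bytes 0-7 and the
# 48-byte record size are assumptions from the standard NetFlow v5 layout.
HEADER = struct.Struct("!HHIIII4s")   # 24 bytes, network byte order
RECORD_LEN = 48
WRAP = 2 ** 32                        # flow_sequence is a 32-bit counter


def parse_header(datagram):
    """Decode and sanity-check the 24-byte header of one export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the 24-byte header")
    (version, count, sys_uptime, unix_secs,
     unix_nsecs, flow_sequence, reserved) = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not a version 5 export datagram")
    if len(datagram) != HEADER.size + count * RECORD_LEN:
        raise ValueError("length does not match the record count")
    return {"count": count, "sys_uptime": sys_uptime, "unix_secs": unix_secs,
            "unix_nsecs": unix_nsecs, "flow_sequence": flow_sequence,
            "reserved": reserved}


def find_sequence_gaps(datagrams):
    """Return (index, expected, seen, missing_flows) for every gap.

    Each datagram should start where the previous one ended:
    previous flow_sequence + previous count, modulo 2**32. A reordered
    datagram shows up as a very large missing_flows value.
    """
    gaps, expected = [], None
    for index, datagram in enumerate(datagrams):
        header = parse_header(datagram)
        seen = header["flow_sequence"]
        if expected is not None and seen != expected:
            gaps.append((index, expected, seen, (seen - expected) % WRAP))
        expected = (seen + header["count"]) % WRAP
    return gaps


def build_datagram(flow_sequence, count, unix_secs=1_100_000_000):
    """Build a constructed datagram with zero-filled flow records."""
    header = HEADER.pack(5, count, 0, unix_secs, 0, flow_sequence, b"\x00" * 4)
    return header + bytes(count * RECORD_LEN)


# Constructed capture: the counter wraps cleanly between the first two
# datagrams, then 15 flows are missing before the third.
SAMPLE = [build_datagram(WRAP - 6, 6),
          build_datagram(0, 10),
          build_datagram(25, 5)]

if __name__ == "__main__":
    for gap in find_sequence_gaps(SAMPLE):
        print("datagram %d: expected %d, saw %d, %d flows missing" % gap)
```
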
4. In PFC3BXL or PFC3B mode, for ICMP traffic, contains the ICMP code and type values.
5. Always zero for hardware-switched flows.
6. Populated in PFC3BXL or PFC3B mode.
4. In PFC3BXL or PFC3B mode, for ICMP traffic, contains the ICMP code and type values.
5. Always zero for hardware-switched flows.
6. Populated with Release 12.2(17b)SXA and later releases in PFC3BXL or PFC3B mode.
NetFlow Traffic Sampling
NetFlow traffic sampling provides NetFlow data for a subset of traffic forwarded by a Cisco router or switch by analyzing only one randomly selected packet out of n sequential packets (n is a user-configurable parameter) from the traffic that is processed by the router or switch. NetFlow traffic...
• The statistics are exported.
• On Cisco 6500 series switches, NetFlow traffic sampling is supported only on the MSFC for software switched packets.
For more information on configuring NetFlow traffic sampling, see the Cisco IOS NetFlow Configuration Guide.
NetFlow Flow Sampling
NetFlow flow sampling does not limit the number of packets that are analyzed by NetFlow.
1 in 128  4096
1 in 256  4096
1 in 512  4096
1 in 1024  4096
1 in 2048  8192
1 in 4096  16384
1 in 8192  32768
• You must enable NDE on the MSFC to support NDE on the PFC.
• When you configure NAT and NDE on an interface, the PFC sends all fragmented packets to the MSFC to be processed in software. (CSCdz51590)
This example shows how to enable NDE from the PFC:
Router(config)# mls nde sender
This example shows how to enable NDE from the PFC and configure NDE version 5:
Router(config)# mls nde sender version 5
• The valid values for the packet-based export interval are from 8,000 through 16,000.
• With a PFC3, to export any data, you must also configure sampled NetFlow on a Layer 3 interface.
Router(config)# no ip flow-export source
When configuring the MSFC NDE source Layer 3 interface, note the following information:
• You must select an interface configured with an IP address.
Configuring NetFlow Flow Sampling
In 12.2(18)SXF and later releases, the MSFC supports NetFlow sampling for software-routed traffic. For additional information, see the following document: Cisco IOS NetFlow Configuration Guide.
To display the configuration of the NDE flow filters you configure, use the show mls nde command described in the “Displaying the NDE Configuration” section on page 51-18.
This example shows how to configure a host flow filter to export only flows to destination host 172.20.52.37:
Router(config)# mls nde flow include destination 172.20.52.37 255.255.255.255
Router(config)#
IPWRITE_OUTPUT_FAILED = 0
IPWRITE_MTU_FAILED = 0
IPWRITE_ENCAPFIX_FAILED = 0
Netflow Aggregation Enabled
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
12.2(18)SXE and later releases support ERSPAN (see the “ERSPAN Guidelines and Restrictions” section on page 52-12).
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html...
A source VLAN is a VLAN monitored for traffic analysis. VLAN-based SPAN (VSPAN) uses a VLAN as the SPAN source. All the ports in the source VLANs become source ports.
Note: Before enabling SPAN, carefully evaluate the SPAN source traffic rates, and consider the performance implications and possible oversubscription points, which include these:
• SPAN destination
• Networks impose no limit on the number of RSPAN VLANs that the networks carry.
• Intermediate network devices might impose limits on the number of RSPAN VLANs that they can support.
Module in slot 1 has 2 type(s) of ASICs
ASIC Name Count Version
HYPERION (6.0)
Hyperion version 2.0 and higher supports ERSPAN.
• Supervisor engine 2 does not support ERSPAN.
You configure the same address in both the source and destination sessions with the ip address command.
• The ERSPAN ID differentiates the ERSPAN traffic arriving at the same destination IP address from various different ERSPAN source sessions.
To tag the monitored traffic as it leaves a destination port, you must configure the destination port to trunk unconditionally before you configure it as a destination (see the “Configuring a Destination Port as an Unconditional Trunk” section on page 52-24).
Router(config-vlan)# remote-span
Configures the VLAN as an RSPAN VLAN.
Router(config-vlan)# no remote-span
Clears the RSPAN VLAN configuration.
Step 4
Router(config-vlan)# end
Updates the VLAN database and returns to privileged EXEC mode.
Note: In the no monitor session range command, do not enter spaces before or after the dash. If you enter multiple ranges, do not enter spaces before or after the commas.
Note: In lists, you must enter a space before and after the comma. In ranges, you must enter a space before and after the dash.
• interface_range is interface type slot/first_port - last_port.
• mixed_interface_list is, in any order, single_interface , interface_range , ...
Router(config-mon-erspan-src)# description session_description
(Optional) Describes the ERSPAN source session.
Step 4
Router(config-mon-erspan-src)# shutdown
(Default) Inactivates the ERSPAN source session.
Router(config-mon-erspan-src)# no shutdown
Activates the ERSPAN source session.
Note: You can enter 240 characters after the description command.
• ERSPAN_source_span_session_number can range from 1 to 66.
• single_interface is interface type slot/port; type is ethernet, fastethernet, gigabitethernet, or tengigabitethernet.
Router(config-mon-erspan-src)# source interface gigabitethernet 4/1
Router(config-mon-erspan-src)# destination
Router(config-mon-erspan-src-dst)# ip address 10.1.1.1
Router(config-mon-erspan-src-dst)# origin ip address 20.1.1.1
Router(config-mon-erspan-src-dst)# erspan-id 101
For additional examples, see the “Configuration Examples” section on page 52-27.
When configuring monitor sessions, note the following information:
• ERSPAN_destination_span_session_number can range from 1 to 66.
• single_interface is interface type slot/port; type is ethernet, fastethernet, gigabitethernet, or tengigabitethernet.
Router(config)# monitor session 3 type erspan-destination
Router(config-erspan-dst)# destination interface gigabitethernet 2/1
Router(config-erspan-dst)# source
Router(config-erspan-dst-src)# ip address 10.1.1.1
Router(config-erspan-dst-src)# erspan-id 101
For additional examples, see the “Configuration Examples” section on page 52-27.
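Because an ERSPAN source session and its destination session must carry the same ip address and erspan-id, a configuration audit can pair them and flag sessions that mirror traffic toward an address where no session is configured to receive it. The following Python sketch is an added example, not part of the Cisco guide. The two configurations are constructed samples modeled on the sessions shown on this page, and the session numbers 12 and 14 on the source side are made up for illustration.

```python
import re

SESSION_RE = re.compile(r"^monitor session (\d+) type erspan-(source|destination)$")
IP_RE = re.compile(r"^ip address (\d{1,3}(?:\.\d{1,3}){3})$")  # skips "origin ip address"
ID_RE = re.compile(r"^erspan-id (\d+)$")

# Constructed sample configurations (not captured from a device).
SOURCE_ROUTER = """\
monitor session 12 type erspan-source
 source interface Gi4/1
 no shutdown
 destination
  ip address 10.1.1.1
  origin ip address 20.1.1.1
  erspan-id 101
!
monitor session 14 type erspan-source
 source interface Gi8/48 rx
 destination
  ip address 10.1.1.1
  origin ip address 20.1.1.1
  erspan-id 120
!
"""
DESTINATION_ROUTER = """\
monitor session 3 type erspan-destination
 destination interface gigabitethernet 2/1
 source
  ip address 10.1.1.1
  erspan-id 101
!
monitor session 13 type erspan-destination
 destination interface Gi6/1
 source
  ip address 10.11.1.1
  erspan-id 130
!
"""


def parse_erspan_sessions(config_text):
    """Return one dict per ERSPAN session block in IOS configuration text."""
    sessions, current = [], None
    for raw in config_text.splitlines():
        header = SESSION_RE.match(raw.rstrip())
        if header:
            current = {"number": int(header.group(1)), "role": header.group(2),
                       "ip": None, "erspan_id": None, "active": False}
            sessions.append(current)
            continue
        if current is None:
            continue
        if not raw.startswith(" "):      # "!" or any unindented line ends the block
            current = None
            continue
        line = raw.strip()
        ip, erspan_id = IP_RE.match(line), ID_RE.match(line)
        if line == "no shutdown":
            current["active"] = True
        elif line == "shutdown":
            current["active"] = False
        elif ip:
            current["ip"] = ip.group(1)
        elif erspan_id:
            current["erspan_id"] = int(erspan_id.group(1))
    return sessions


def audit_erspan(source_cfg, destination_cfg):
    """Pair source and destination sessions on (ip address, erspan-id)."""
    sources = [s for s in parse_erspan_sessions(source_cfg) if s["role"] == "source"]
    dests = [s for s in parse_erspan_sessions(destination_cfg) if s["role"] == "destination"]
    findings = []
    for s in sources + dests:
        tag = "%s session %d" % (s["role"], s["number"])
        if not 1 <= s["number"] <= 66:   # range stated on this page
            findings.append(tag + ": session number outside 1-66")
        if s["ip"] is None or s["erspan_id"] is None:
            findings.append(tag + ": missing ip address or erspan-id")
    dest_keys = {(d["ip"], d["erspan_id"]) for d in dests}
    source_keys = {}
    for s in sources:
        key = (s["ip"], s["erspan_id"])
        if None in key:
            continue
        if key in source_keys:           # the ERSPAN ID no longer tells sources apart
            findings.append("source session %d: same ip address and erspan-id as session %d"
                            % (s["number"], source_keys[key]))
        source_keys.setdefault(key, s["number"])
        if key not in dest_keys:
            findings.append("source session %d: no destination session for %s erspan-id %d"
                            % (s["number"], key[0], key[1]))
        if not s["active"]:              # source sessions are shut down by default
            findings.append("source session %d: inactive (no 'no shutdown')" % s["number"])
    for d in dests:
        key = (d["ip"], d["erspan_id"])
        if None not in key and key not in source_keys:
            findings.append("destination session %d: no source session for %s erspan-id %d"
                            % (d["number"], key[0], key[1]))
    return findings


if __name__ == "__main__":
    for finding in audit_erspan(SOURCE_ROUTER, DESTINATION_ROUTER):
        print(finding)
```
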
Router(config-if)# switchport mode trunk
Configures the port to trunk unconditionally.
Step 6
Router(config-if)# switchport nonegotiate
Configures the trunk not to use DTP.
type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
This example shows how to verify the configuration of session 2:
Router# show monitor session 2
Session 2
------------
Type : Remote Source Session
Source Ports:
RX Only: Fa3/1
Dest RSPAN VLAN:
Router#
Router(config)# monitor session 8 destination interface fastethernet 1/2 , 2/3
This example shows the configuration of ERSPAN source session 12:
monitor session 12 type erspan-source
 description SOURCE_SESSION_FOR_VRF_GRAY
 source interface Gi8/48 rx
 destination
  erspan-id 120
13 type erspan-destination
 destination interface Gi6/1
 source
  erspan-id 130
  ip address 10.11.1.1
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
This chapter describes how to configure the SNMP ifIndex persistence feature on Cisco 7600 series routers.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html...
Router(config)# no snmp-server ifindex persist
Globally disables SNMP ifIndex persistence.
In the following example, SNMP ifIndex persistence is disabled for all interfaces:
router(config)# no snmp-server ifindex persist
Router(config-if)# snmp ifindex clear
Clears any interface-specific SNMP ifIndex persistence configuration for the specified interface and returns to the global configuration setting.
Step 3
Router(config-if)# exit
Exits interface configuration mode.
3/1
router(config-if)# snmp ifindex clear
router(config-if)# exit
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
This chapter describes the power management and environmental monitoring features in the Cisco 7600 series routers.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html...
Note: In systems with redundant power supplies, both power supplies must be of the same wattage. The Cisco 7600 series routers allow you to use both AC-input and DC-input power supplies in the same chassis. For detailed information on supported power supply configurations, refer to the Cisco 7600 Series Router Installation Guide.
2 power-input 2: AC low<<< new
power-supply 2 power-input 3: AC high<<< new
power-supply 2 power-output: low (mode 1)<<< high for highest mode only
power-supply 2 power-output-fail: OK
1300 W power supplies, you might have configuration limitations depending on the size of chassis and type of modules installed. For information about power consumption, refer to the Release Notes for Cisco IOS Release 12.2SX on the Supervisor Engine 720, Supervisor Engine 32, and Supervisor Engine
Determining System Hardware Capacity
With Release 12.2(18)SXF and later releases, you can determine the system hardware capacity by...
Source sessions: 2 maximum, 0 used
Type Used
Local
RSPAN source
ERSPAN source
Service module
Destination sessions: 64 maximum, 0 used
Type Used
RSPAN destination
ERSPAN destination (max
Router#
This example shows how to determine sensor temperature thresholds:
Router> show environment alarm threshold
#1 for EARL 1 inlet temperature:
(sensor value > 50) is system minor alarm
threshold #2 for EARL 1 inlet temperature:
(sensor value > 65) is system major alarm
Minor alarms are for informational purposes only, giving you notice of a problem that could turn critical if corrective action is not taken.
Note: Refer to the Cisco 7600 Series Router Module Installation Guide for additional information on LEDs, including the supervisor engine SYSTEM LED.
Table 54-2 Environmental Monitoring for Supervisor Engine and Switching Modules...
This chapter describes how to configure the generic online diagnostics (GOLD) on the Cisco 7600 series routers.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX, at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html...
This example shows how to set the bootup online diagnostic level:
Router(config)# diagnostic bootup level complete
Router(config)#
This example shows how to display the bootup online diagnostic level:
Router(config)# do show diagnostic bootup level
Router(config)#
Disable all health-monitoring tests before running this test by using the no diagnostic monitor module 1 test all command. The EOBC connection is disrupted during this test and will cause the health-monitoring tests to fail and take recovery action.
These sections describe how to run online diagnostic tests after they have been configured:
• Starting and Stopping Online Diagnostic Tests, page 55-6
• Displaying Online Diagnostic Tests and Test Results, page 55-7
First test failure time -----> n/a
Last test failure time ------> n/a
Last test pass time ---------> n/a
Total failure count ---------> 0
Consecutive failure count ---> 0
________________________________________________________________________
• Turn off all background health monitoring tests using the no diagnostic monitor module 1 test all command.
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
This chapter describes how to use the Top N utility on the Cisco 7600 series routers. Release 12.2(18)SXE and later releases support the Top N utility.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL:...
These sections describe how to use the Top N Utility:
• Enabling Top N Utility Report Creation, page 56-3
• Displaying the Top N Utility Reports, page 56-3
• Clearing Top N Utility Reports, page 56-4
• If a port’s type changes from Layer 2 to Layer 3 during the polling interval.
• If a port’s type changes from Layer 3 to Layer 2 during the polling interval.
04:00:06: %TOPN_COUNTERS-5-DELETED: TopN report 4 deleted by the console
This example shows how to remove report number 4:
Router# clear top counters interface report 4
04:52:12: %TOPN_COUNTERS-5-KILLED: TopN report 4 killed by the console
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
This chapter describes how to use the Layer 2 traceroute utility. Release 12.2(18)SXE and later releases support the Layer 2 traceroute utility.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Master Command List, Release 12.2SX at this URL:...
Usage Guidelines
When using the Layer 2 traceroute utility, follow these guidelines:
• Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For the Layer 2 traceroute utility to function properly, do not disable CDP. If any devices in the Layer 2 path are transparent to CDP, the Layer 2 traceroute utility cannot identify these devices on the path.
Router# traceroute mac ip { source_ip_address | source_hostname } { destination_ip_address | destination_hostname } [detail]
Uses IP addresses to trace the path that packets take through the network.
Po120 [auto, auto] => Gi8/12 [full, 1000M]
Destination 0001.0000.0304 found on AGNI[WS-C6509] (2.1.1.11)
Layer 2 trace completed.
Router#
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Five consecutive failures cause a supervisor engine switchover (or reset) if you are testing the supervisor engine, or cause the module to power down if you are testing a module.
Hardware support: DFC-equipped modules.
Per-Port Tests
The per-port tests consist of the following tests:
• TestNonDisruptiveLoopback, page A-4
• TestLoopback, page A-4
• TestActiveToStandbyLoopback, page A-5
• TestTransceiverIntegrity, page A-5
• TestNetflowInlineRewrite, page A-5
Corrective action: Error disable a port if the loopback test fails on the port. Reset the module if all of the ports fail.
Hardware support: All modules including supervisor engines.
ASIC. The test packet will undergo a NetFlow table lookup to obtain the rewrite information. The VLAN and the source and destination MAC addresses are rewritten when the packet reaches the targeted port.
This test runs by default during bootup or after a reset or OIR.
Release: 12.1(13)E, 12.2(14)SX.
Corrective action: None. See the system message guide for more information.
Hardware support: All modules including supervisor engines.
Recommendation: ...Layer 2 learning functionality. This test can also be used as a health monitoring test.
Default: This test runs by default during bootup or after a reset or OIR.
Release: 12.1(13)E, 12.2(14)SX.
This test runs by default during bootup or after a reset or OIR.
Release: 12.1(13)E, 12.2(14)SX.
Corrective action: None. See the system message guide for more information.
Hardware support: Supervisor engines only.
DFC-enabled module. The “don't learn” feature is verified during diagnostic packet lookup by the Layer 2 forwarding engine.
Layer 2 forwarding engine. For DFC-enabled...
Trap feature of the Layer 2 forwarding engine is working properly. When running the test on the supervisor engine, the diagnostic packet is sent from the supervisor engine’s inband port and performs...
This test runs by default during bootup or after a reset or OIR.
Default: Off.
Release: 12.1(13)E, 12.2(14)SX.
Corrective action: None. See the system message guide for more information.
Hardware support: DFC-enabled modules.
Disruptive/Nondisruptive: ...Tree Protocol).
Recommendation: Schedule during downtime.
Default: Off.
Release: 12.1(13)E, 12.2(14)SX.
Corrective action: None. See the system message guide for more information.
Hardware support: DFC-enabled modules.
FIB TCAM entry installed on the TCAM device. This is not an exhaustive TCAM device test; only one entry is installed on each TCAM device.
One diagnostic IPv6 FIB and adjacency entry is installed and a diagnostic IPv6 packet is sent to make sure the diagnostic packet is forwarded according to rewritten MAC and VLAN information.
IP address.
Table A-27 TestNATFibShortcut Test Attributes
Attribute: Description
Disruptive/Nondisruptive: Nondisruptive.
This test runs by default during bootup or after a reset or OIR.
Release: 12.1(13)E, 12.2(14)SX.
Corrective action: None. See the system message guide for more information.
Hardware support: Supervisor engines and DFC-enabled modules.
The TestQoS test verifies whether or not the QoS input and output TCAM is functional by programming the QoS input and output TCAM so that the ToS value of the diagnostic packet is changed to reflect either input or output.
TCAM device test. Only one entry is installed on each TCAM device.
Note: Compared to the IPv4FibShortcut and IPv6FibShortcut tests, the TestFibDevices test tests all FIB and adjacency devices using IPv4 or IPv6 packets, depending on your configuration.
One diagnostic IPv6 FIB and adjacency entry is installed and a diagnostic IPv6 packet is sent to make sure that the diagnostic packet is forwarded according to rewritten MAC and VLAN information.
IP address. One diagnostic NAT FIB and adjacency entry is installed and a diagnostic packet is sent to make sure the diagnostic packet is forwarded according to the rewritten IP address.
Layer 3 forwarding engine to make sure it hits the ACL TCAM entry and gets permitted and forwarded correctly.
QoS input and output TCAM so that the ToS value of the diagnostic packet is changed to reflect either input or output.
Table A-41 TestQoS Test Attributes
Attribute: Description
Disruptive/Nondisruptive: Disruptive for looped-back ports. The disruption is typically less than one second.
VLANs. After the diagnostic packet is sent out from the supervisor engine’s inband port, the test verifies that two packets are received back in the inband port on the two VLANs configured in the replication engine.
Page 967
The TestEgressSpan test verifies that the egress SPAN replication functionality of the rewrite engine for both SPAN queues is working properly.
Table A-45 TestEgressSpan Test Attributes
Attribute: Description
Disruptive/Nondisruptive: Disruptive for both SPAN sessions. Disruption is typically less than one second.
Page 968
This test runs by default during bootup or after a reset or OIR.
Release: 12.1(13)E, 12.2(14)SX.
Corrective action: Supervisor engines crash to ROMMON; SFMs reset.
Hardware support: Supervisor Engine 720 and SFM.
Page 969
Corrective action: A fabric switchover may be triggered, depending on the type of failure.
Hardware support: All fabric-enabled modules.
Page 970
Hardware support: WS-X6704-10GE module.
Exhaustive Memory Tests
The exhaustive memory tests include the following tests:
TestFibTcamSSRAM, page A-29
TestAsicMemory, page A-29
TestAclQosTcam, page A-30
TestNetflowTcam, page A-30
Page 971
Recommendation: The supervisor engine must be rebooted after running this test.
Default: Off.
Release: 12.2(17a)SX.
Corrective action: Not applicable.
Hardware support: All modules including supervisor engines.
Page 972
Default: Off.
Release: 12.2(18)SXD.
Corrective action: Not applicable.
Hardware support: All modules including supervisor engines.
TestQoSTcam
The TestQoSTcam test performs exhaustive memory tests for QoS TCAM devices.
Page 973
Recommendation: The supervisor engine must be rebooted after running this test.
Default: Off.
Release: 12.2(18)SXD.
Corrective action: Not applicable.
Hardware support: All modules including supervisor engines.
Page 974
Recommendation: Run this test on-demand. This test cannot be run from on-demand CLI.
Default:
Release: 12.2(18)SXE2.
Corrective action: None. See the system message guide for more information.
Hardware support: VPN service module.
Page 975
Recommendation: Use this test to qualify hardware before installing it in your network.
Default: Off.
Release: 12.2(18)SXF.
Corrective action: Not applicable.
Hardware support: Supervisor Engine 720 and Supervisor Engine 32.
Page 976
Disruptive/Nondisruptive: Disruptive. Disruption is typically less than one second. Duration of the disruption depends on the configuration of looped-back port (for example, Spanning Tree Protocol). Forwarding and port functions are disrupted during the test.
Page 977
Do not turn off. Use as a health-monitoring test.
Default:
Release: 12.1(13)E, 12.2(14)SX.
Corrective action: None. See the system message guide for more information.
Hardware support: All fabric-enabled modules.
Page 978
None. See the system message guide.
Hardware support: All modules, including supervisor engines.
For additional information (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Page 979
Bisync BSTUN Block Serial Tunnel broadcast and unknown server bridge-group virtual interface content-addressable memory committed access rate circuit card assembly Cisco Discovery Protocol
Page 980
Department of Defense denial of service dot1q 802.1Q DRAM dynamic RAM DRiP Dual Ring Protocol DSAP destination service access point DSCP differentiated services code point DSPU downstream SNA Physical Units
Page 981
Intrusion Detection System Module IOS File System IGMP Internet Group Management Protocol IGRP Interior Gateway Routing Protocol ILMI Integrated Local Management Interface Internet Protocol interprocessor communication Internetwork Packet Exchange
Page 982
MSDP Multicast Source Discovery Protocol MSFC Multilayer Switching Feature Card Multilayer Switch Module multiple spanning tree maximum transmission unit MVAP multiple VLAN access port
Page 983
Policy Feature Card Pragmatic General Multicast physical sublayer policy information base protocol independent multicast Point-to-Point Protocol PRID Policy Rule Identifiers PVST+ Per VLAN Spanning Tree+ QoS device manager QoS manager
Page 984
SMDS Software Management and Delivery Systems software MAC filter Standby Monitor Present SMRP Simple Multicast Routing Protocol Station Management SNAP Subnetwork Access Protocol SNMP Simple Network Management Protocol
Page 985
Virtual Network System VLAN virtual LAN VMPS VLAN Membership Policy Server virtual private network VPN routing and forwarding VLAN Trunking Protocol VVID voice VLAN ID wide area network
Page 986
Appendix A Acronyms Table A-1 List of Acronyms (continued) Acronym Expansion WCCP Web Cache Communications Protocol weighted fair queueing WRED weighted random early detection weighted round-robin Xerox Network System
Page 987
ARP ACL ARP spoofing AToM audience abbreviating commands authentication access control entries and lists See also port-based authentication access-enable host timeout (not supported) Authentication, Authorization, and Accounting
Page 988
Cisco IOS Unicast Reverse Path Forwarding bridge protocol data units CiscoView see BPDUs CIST bridging CIST regional root broadcast storms See MSTP see traffic-storm control CIST root See MSTP
Page 993
MSTP See switch fabric module forward-delay time, STP fabric switching-mode allow dcef-only command on Supervisor Engine 720 frame distribution
Page 994
Layer 2 modes IEEE 802.1Q Ethertype number specifying custom parameters, configuring IEEE 802.1s interface-destination-source-ip flow mask See MST interface port-channel IEEE 802.1w command example See MST interface port-channel (command)
Page 995
See IP MMLS 12, 13, 15, 3, 4 ip-full flow mask ip multicast-routing command ip http server enabling IP multicast ip-interface-full flow mask IP phone IP MLS configuring
Page 996
LERs 2, 6, 7 trunk Link Failure defaults detecting unidirectional interface modes link negotiation show interfaces 12, 13, 7, 12 link redundancy switching See Flex Links