Catalyst 6500

Technical Training
Catalyst 6500 Supervisor 720 using Native IOS 12.2SX

Carl Solder
Technical Marketing Engineer
Internetworking Systems Business Unit
© 2004, Cisco Systems, Inc. All rights reserved. 1
Before we start…

NOTE.. NOTE.. NOTE.. NOTE.. NOTE.. NOTE.. NOTE.. NOTE.. NOTE.. NOTE.. NOTE..

This is a training module that forms part of a complete set of Catalyst 6500 training materials. It is designed to provide an introduction to the topic in question, review the configuration commands and provide sample configurations…

This update is based on a Catalyst 6500 running the Supervisor 720 with the 12.2SX version of IOS code…

NOTE.. NOTE.. NOTE.. NOTE.. NOTE.. NOTE.. NOTE.. NOTE.. NOTE.. NOTE.. NOTE..

Contents

• CHAPTER 1: Introduction to the Catalyst 6500
• CHAPTER 2: IOS Architecture on the Supervisor 720
• CHAPTER 3: Command Line Interface (CLI)
• CHAPTER 4: First Time Configuration and Password Recovery
• CHAPTER 5: Configuring the Supervisor 720
• CHAPTER 6: Configuring Interfaces
• CHAPTER 7: Configuring Layer 2 Interfaces
• CHAPTER 8: Route Processor Redundancy
• CHAPTER 9: Understanding and Configuring Etherchannel
• CHAPTER 10: VLAN Trunking Protocol
• CHAPTER 11: Virtual LAN’s (VLAN’s)
• CHAPTER 12: Private Virtual LAN’s (PVLAN’s)
• CHAPTER 13: 802.1Q Tunneling
• CHAPTER 14: Spanning Tree
• CHAPTER 15: IGMP Snooping
• CHAPTER 16: PIM Snooping
• CHAPTER 17: Understanding and Configuring RGMP
• CHAPTER 18: Network Security
• CHAPTER 19: Understanding and Configuring VACL’s
• CHAPTER 20: RP Rate Limiters
• CHAPTER 21: Port Security
• CHAPTER 22: Storm Control
• CHAPTER 23: Cisco Discovery Protocol
• CHAPTER 24: UDLD
• CHAPTER 25: SPAN and RSPAN
• CHAPTER 26: PFC QoS
• CHAPTER 27: Power Management and Environment Monitoring

January 2004
Catalyst 6500
Technical Training
CHAPTER 1: Introduction to the Catalyst 6500


CHAPTER 1.1 – Introduction to the Catalyst 6500

Catalyst 6500 Family

Catalyst 6503: 3 slot chassis
Catalyst 6506: 6 slot chassis
Catalyst 6509: 9 slot chassis
Catalyst 6513: 13 slot chassis
Catalyst 6509-NEBS: NEBS Compliant 9 slot chassis
Catalyst 6509-NEBS-A: 9 slot chassis

Catalyst 6500 Supervisors

The Catalyst 6500 has three Supervisor options on offer, each providing a different architectural backplane configuration for line cards to connect into…

Supervisor Options for the Catalyst 6500:
Supervisor 1A: 32Gb backplane supporting hardware accelerated Layer 2 and 3, QoS and Security policies up to 15Mpps…
Supervisor 2: 256Gb backplane supporting hardware accelerated Layer 2 and 3, QoS and Security policies up to 210Mpps…
Supervisor 720 (NEW): 720Gb backplane supporting hardware accelerated Layer 2 and 3, QoS and Security policies up to 400Mpps…

Catalyst 6500 Linecards

The Catalyst 6500 has a family of linecards to suit all network needs…

CAT6500 LINECARDS (pictured): 10/100 TX and 100 Fiber; 10/100/1000 TX; GE SFP; GE GBIC; 10GE; WAN; Optical Switch Modules; Inline Power; ATM

Catalyst 6500 Service Modules

Service Modules represent the next generation of intelligent modules for the Catalyst 6500. Each module provides a high performance, scalable and feature rich deployment option…

Service Modules (pictured): Firewall Module; VPN Module; Intrusion Detection; Content Switching; SSL; Network Management; Communications Media; Content Services; MWAN

Supervisor 720

SUPERVISOR 720 Hardware Features:
Integrated 720-Gbps Switch Fabric
Integrated Policy Feature Card
Integrated Multilayer Switch Feature Card
Supports two external compact flash slots
Supports three external GE ports (2 active)
Supports Classic, Fabric and High Capacity modules

Advanced Features:
IPV4 and IPV6 CEF Based Switching
IPV6 Tunneling
IPV4 NAT and PAT in hardware
MPLS P/PE, VPN and TE
GRE and IP in IP Tunneling
WCCP V2
Supports 256K+ IPV4 routes
Supports 128K+ IPV6 routes
Ingress/Egress Policing
User Based Rate Limiting
Hardware based classification
Multipath URPF
Bi-Directional PIM
Port Access Control lists
and more…

Supervisor 720 MSFC3

Multilayer Switch Feature Card (MSFC) is a standard daughter card on the Supervisor 720. The MSFC3 supports both the Switch Processor (SP) and Route Processor (RP)…

RP supports…
Running routing protocols
Address Resolution
Running ICMP
Manage Virtual interfaces
IOS configuration
and more…

SP supports…
Spanning Tree
VLAN Trunking Protocol
CDP
Pushing FIB to PFC, DFC
and more…

Component            Route Proc   Switch Proc
SDRAM (Default/Max)  512Mb/1Gb    512Mb/1Gb
Bootflash            64Mb         64Mb
NVRAM                2Mb          2Mb

Supervisor 720 PFC3

Policy Feature Card (PFC) is a standard daughter card on the Supervisor 720

PFC3 features:
IPV4 CEF
IPV6 CEF
IPV6 Tunneling
IPV4 NAT and PAT
MPLS VPN
MPLS P/PE
MPLS TE
GRE Tunneling
IP in IP Tunneling
WCCP V2
256K IPV4 Routes
128K IPV6 Routes
User Based Microflow Policing
Ingress and Egress Policing
Port Access Control Lists
Multipath URPF
Bi Directional PIM

Feature          PFC3a      PFC3b
Routes (IPV4)    256Kb      800K
Number of ACL’s  512        4000
ACE Counters     No         Yes
MPLS             Baseline   Adds EoMPLS, IP options, etc…

Supervisor 720 Switch Fabric

Switch Fabric: Integrated 720-Gbps Switch Fabric on the Supervisor 720. Clocks Fabric Channels at either 20-Gbps or 8-Gbps depending on the connected linecard.
CEF256 and dCEF256 connect in at 8-Gbps per fabric channel.
CEF720 and dCEF720 connect in at 20-Gbps per fabric channel.

Fabric Channels on 6503, 6506, 6509, 6509-NEBS, 6509-NEBSA, 6513:

Slot       3 slot       6 slot       9 slot       13 Slot
Slot 1-3   2 per slot   2 per slot   2 per slot   1 per slot
Slot 4-6   -            2 per slot   2 per slot   1 per slot
Slot 7-8   -            -            2 per slot   1 per slot
Slot 9     -            -            2 per slot   2 per slot
Slot 9-13  -            -            -            2 per slot

Supervisor 720 Performance

IPV4                  Centralized Forwarding   dCEF (Up to)
L2/L3/L4 Switching    30Mpps                   48Mpps
ACL’s                 30Mpps                   48Mpps
Netflow               30Mpps                   48Mpps
Policing              30Mpps                   48Mpps
Marking               30Mpps                   48Mpps
GRE                   10Mpps                   25Mpps
NAT                   20Mpps                   48Mpps
PAT                   12Mpps                   25Mpps

IPV6 Centralized Forwarding
V6 to V6              20Mpps
V4 to V6 Tunneling    10Mpps
V6 to V4 Tunneling    10Mpps

IPV6 dCEF Forwarding
V6 to V6              25Mpps
V4 to V6 Tunneling    16Mpps
V6 to V4 Tunneling    16Mpps

IPV4 Centralized Forwarding
MPLS                  20-30Mpps

Performance numbers relate to the Supervisor 720 for IPV4 and IPV6 where displayed…

Supervisor 720 Hardware Features
IPV6

IPV6 HARDWARE FEATURES (IPV6 function located on PFC3):
128K FIB entries
IPV6 Load Sharing up to 16 paths
Etherchannel hash across 48 bits
IPV6 Policing/Netflow/Classification
STD and EXT V6 ACL’s
IPV6 QoS lookups
IPV6 Multicast
V6 to V4 Tunneling
IPV6 Edge over MPLS (6PE)

IPV6 SOFTWARE FEATURES:
IPV6 Addressing
ICMP for IPV6
DNS for IPV6
V6 MTU Path Discovery
SSH for IPV6
IPV6 Telnet
IPV6 Traceroute
dCEF for IPV6
RIP for IPV6
IS-IS for IPV6
OSPF V3 for IPV6
BGP for IPV6

Supervisor 720 Hardware Features
Route Processor Rate Limiters

While switching in hardware operates at millions of pps, the Route Processor supports processing rates in the thousands of packets per second. RP Rate Limiters have been introduced to limit the impact of traffic flooding to the RP and swamping the CPU…

Rate Limiters applied to…
Input and Output ACL traffic
CEF Receive Traffic
CEF Glean Traffic
MTU Failures
ICMP Redirect
VACL Logging
L3 Security Feature traffic
TTL failures
RPF Failures

(Diagram: data path from the Supervisor 720 to the MSFC, with the rate limiters applied in front of the RP)

Supervisor 720 Hardware Features
Generic Route Encapsulation

Generic Route Encapsulation and IP-in-IP Tunneling are now supported in the PFC3 at hardware accelerated speeds…

(Diagram: GRE Tunnel between two Catalyst 6500s)

GRE Performance is up to 10Mpps centralized and up to 25Mpps de-centralized

Supervisor 720 Hardware Features
Egress Policing

Egress Policing is now supported…

Application of the egress policer can be performed on a routed (layer 3) port or a VLAN Switched Virtual Interface (SVI) – it cannot be applied to a layer 2 port…

(Diagram: Egress Policer – data enters at INPUT, passes through the Policing Engine, and leaves at OUTPUT)

Supervisor 720 Hardware Features
Network/Port Address Translation (NAT/PAT)

Sup720 Supports..
Software Translation setup, then Hardware-based IPV4 NAT & PAT
Up to 20 Mpps on the Sup720

NAT – L3 Addressing information changed:
Before: Src 10.1.1.1, Dst 203.16.10.1, Data
After:  Src 201.1.14.22, Dst 203.16.10.1, Data

PAT – L4 Addressing information changed:
Before: Src 10.1.1.1, Dst 203.16.10.1, Src Port 3010, Dst Port 80, Data
After:  Src 194.1.20.3, Dst 203.16.10.1, Src Port 2001, Dst Port 80, Data

Supervisor 720 Hardware Features
Multipath Unicast RPF (URPF)

(Diagram: two packets arrive at the 6500 – Source IP 10.1.10.5, Destination 10.2.20.34, and Source IP 10.200.1.64, Destination 10.2.20.34)

6500 Routing Table
Prefix        Next Hop   Interface
10.1.0.0/16   10.1.1.1   gig 3/1
10.2.0.0/16   10.2.1.1   gig 3/2

Unicast Reverse Path Forwarding (uRPF) Check mitigates problems caused by spoofed or malformed IP source addresses. uRPF will drop packets whose source address is not in the local forwarding tables.

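The uRPF check described above, worked through as an added example (this is not Cisco code, and the PFC does the lookup in hardware rather than in a loop). The routing table is the one on the slide; the ingress interfaces of the sample packets and the `urpf_check`/`filter_packets`/`fib_with_default` names are assumptions. The slide describes loose mode (any route to the source suffices); the example also carries the check through in strict mode, where the route to the source must point back out the ingress interface, because that is the distinction a practitioner has to choose between when enabling the feature.

```python
import ipaddress

# Forwarding table copied from the slide: prefix -> (next hop, interface)
FIB = {
    ipaddress.ip_network("10.1.0.0/16"): ("10.1.1.1", "gig 3/1"),
    ipaddress.ip_network("10.2.0.0/16"): ("10.2.1.1", "gig 3/2"),
}


def longest_match(addr, fib=FIB):
    """Return (prefix, next hop, interface) of the most specific route covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, (next_hop, ifc) in fib.items():
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop, ifc)
    return best


def urpf_check(src, ingress_if, mode="loose", fib=FIB):
    """True if the packet passes the reverse-path check.

    loose:  a route to the source prefix exists (the behaviour the slide describes)
    strict: that route's interface must equal the interface the packet arrived on
    """
    route = longest_match(src, fib)
    if route is None:
        return False            # source is not in the forwarding table -> drop
    if mode == "strict":
        return route[2] == ingress_if
    return True


def filter_packets(packets, mode="loose", fib=FIB):
    """Apply urpf_check to (src, dst, ingress_if) tuples; return [(packet, verdict), ...]."""
    return [(p, "forward" if urpf_check(p[0], p[2], mode, fib) else "drop") for p in packets]


def fib_with_default(fib=FIB):
    """Copy of the table plus a default route (constructed next hop), to show the loose-mode caveat."""
    extended = dict(fib)
    extended[ipaddress.ip_network("0.0.0.0/0")] = ("192.0.2.1", "gig 3/3")
    return extended


# Constructed sample packets following the slide's diagram; ingress interfaces are assumed.
SAMPLE = [
    ("10.1.10.5", "10.2.20.34", "gig 3/1"),    # source inside 10.1.0.0/16, arrives on gig 3/1
    ("10.200.1.64", "10.2.20.34", "gig 3/1"),  # no route back to 10.200.x.x -> dropped in both modes
    ("10.1.10.5", "10.2.20.34", "gig 3/2"),    # routable source, but arriving on the wrong interface
]

if __name__ == "__main__":
    for mode in ("loose", "strict"):
        for pkt, verdict in filter_packets(SAMPLE, mode):
            print(f"{mode:6s} src={pkt[0]:<12s} in={pkt[2]:8s} -> {verdict}")
```

The default-route case is the caveat worth remembering: with 0.0.0.0/0 in the table, loose mode passes every source (`fib_with_default()` shows this), so loose uRPF only filters sources with no route at all, while strict mode still catches packets arriving on an interface the route does not point to, at the cost of false drops on asymmetric paths.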
Supervisor 720 Hardware Features
User Based Rate Limiting (UBRL)

Three types of Global Flow Masks can be stored on Sup1a/2 in the Netflow table…
Destination-Only IP (default)
Source-Destination IP
Full-flow (Src IP, Dst IP, Protocol, Src Port, Dst Port) – Microflow policing uses full flow

BUT ONLY ONE GLOBAL FLOWMASK CAN BE INSTALLED IN THE SYSTEM AT ANY ONE TIME

NOW… Sup720 supports
1. Up to 2 flow masks in the system
2. Source only and destination only flow masks in the PFC3

This new facility increases the capacity of the Sup720 to store more entries in its Netflow table… It allows different features that use the Netflow table to use different masks (i.e. IOS SLB, NDE, TCP Intercept, Reflexive ACL’s, WCCP and CBAC)

Traffic Management
User-Based Rate Limiting (Only Available with a Sup720)

Traffic from Dorms:
Ingress Microflow policer applied to user port(s)
Source-only Flow mask
Use ACL to limit the scope of source IP addresses to intended users

Traffic from Internet:
Ingress Microflow policer applied to uplink ports
Dest-only Flow mask
Use ACL to limit the scope of destination IP addresses to intended users

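The flow mask decides which packets share one policer bucket, which is the point of the two preceding slides. As an added example (not Cisco code; the rate, burst, packet sizes and addresses are constructed, and `MicroflowPolicer`/`run` are assumed names), the following Python token-bucket microflow policer can be keyed by any of the four mask types from the UBRL slide. Running the same packet sequence under each mask shows why the dorm-port design uses a source-only mask: under a full-flow mask every new connection from a host gets a fresh bucket, so one host is never held to the intended per-user rate.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport size")

# Flow key extractors for the masks named on the UBRL slide
FLOW_MASKS = {
    "source-only":        lambda p: (p.src,),
    "destination-only":   lambda p: (p.dst,),
    "source-destination": lambda p: (p.src, p.dst),
    "full-flow":          lambda p: (p.src, p.dst, p.proto, p.sport, p.dport),
}


class MicroflowPolicer:
    """One token bucket per flow key. rate is in bytes/second, burst in bytes.
    Time is passed in explicitly so the behaviour is deterministic."""

    def __init__(self, flow_mask, rate, burst):
        self.key_of = FLOW_MASKS[flow_mask]
        self.rate = rate
        self.burst = burst
        self.buckets = {}          # flow key -> (tokens, last update time)

    def police(self, pkt, now):
        key = self.key_of(pkt)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill since last packet
        if pkt.size <= tokens:
            self.buckets[key] = (tokens - pkt.size, now)
            return "conform"
        self.buckets[key] = (tokens, now)                             # exceed: no tokens consumed
        return "exceed"


def run(flow_mask, timed_packets, rate=1000, burst=1500):
    """Police (time, Packet) pairs in order and return the per-packet verdicts."""
    policer = MicroflowPolicer(flow_mask, rate, burst)
    return [policer.police(p, t) for t, p in timed_packets]


# Constructed traffic: host 10.1.1.5 opens three connections at once, a second host sends one
# packet, then 10.1.1.5 sends again a second later (1000 B each, 1000 B/s rate, 1500 B burst).
SAMPLE = [
    (0.0, Packet("10.1.1.5", "198.51.100.7", "tcp", 40001, 80, 1000)),
    (0.0, Packet("10.1.1.5", "198.51.100.7", "tcp", 40002, 80, 1000)),
    (0.0, Packet("10.1.1.5", "198.51.100.9", "tcp", 40003, 443, 1000)),
    (0.0, Packet("10.1.1.6", "198.51.100.7", "tcp", 40004, 80, 1000)),
    (1.0, Packet("10.1.1.5", "198.51.100.7", "tcp", 40001, 80, 1000)),
]

if __name__ == "__main__":
    for mask in FLOW_MASKS:
        print(f"{mask:20s} {run(mask, SAMPLE)}")
```

With the source-only mask the second and third packets from 10.1.1.5 exceed the bucket while 10.1.1.6 is unaffected, which is the per-user behaviour the dorm design wants; the full-flow mask conforms all five because each 5-tuple is its own flow. The destination-only mask is the mirror image, which is why the slide pairs it with the Internet-facing uplink where the thing to protect is each internal destination.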
Supervisor 720 Hardware Features
Bi Directional PIM

Support for Bi-Directional PIM in Hardware was announced on the Supervisor 720 and is available on IOS. This feature adds the same capability on CatOS…

(Diagram: a Source and a Receiver joined through the RP on the shared tree, with every router holding only (*,G) state)

Bidir-PIM has unconditional forwarding of source traffic toward the RP upstream on the shared tree, but no registering process for sources as in PIM-SM. These modifications are necessary and sufficient to allow forwarding of traffic in all routers solely based on the (*,G) multicast routing entries. This feature eliminates any source-specific state and allows scaling capability to an arbitrary number of sources.

Supervisor 720 Hardware Features
MPLS

MPLS applies to any Ethernet port on the following linecards…
Classic Ethernet Line Cards
CEF256 Ethernet Line Cards
dCEF256 Ethernet Line Cards
aCEF720 Ethernet Line Cards
dCEF720 Ethernet Line Cards

MPLS HARDWARE FEATURES (MPLS function located on PFC3):
Up to 1000 MPLS VPN’s
MPLS VPN (RFC2457) on ANY Ethernet port
MPLS Multicast VPN
MPLS Label Switch Router (LSR)
MPLS Label Edge Router (LER)
MPLS Traffic Engineering (TE)
MPLS Ethernet over MPLS (EoMPLS) on PFC3b
DSCP to EXP Mapping

CHAPTER 1.2 – Catalyst 6500 Architecture

Module Terminology Update

Classic: 6000, 6100, 6200, 6300, 6400, & 6600 Series Modules; CSM, IDS/NAM (Original), FlexWAN
CEF256 (Single Fabric Channel): 6500 Series, Optical Services Modules, Firewall, SSL, VPN, CMM, NAM-1, NAM-2, IDS-2 (Ethernet-based CEF256 can be upgraded to DFCx)
dCEF256 (Dual Fabric Channels): 6816 Module
aCEF720 (Dual Fabric Channels*): 6704 Module (*some future modules will have a single fabric channel)
dCEF720 (Dual Fabric Channels): 6802 Module

Catalyst 6500 Architecture with Supervisor 720

(Diagram: the Supervisor carries the MSFC, the PFC with its forwarding tables, fabric arbitration, network management (NMP) and the crossbar. Classic, CEF256 and dCEF256 linecards attach to the 32-Gbps switch bus; CEF256 and dCEF256 linecards also connect to the crossbar at 8 Gbps per fabric channel, while dCEF720, aCEF720 and CEF720 linecards connect to the crossbar at 20 Gbps per fabric channel.)

Processors
Component Comparison

Component                     Sup2/MSFC2                        Sup720/MSFC3
CPU Speed                     SP 250 MHz, RP 300 MHz            SP 600 MHz, RP 600 MHz
ECC SDRAM (default/maximum)   SP 128MB/512MB, RP 128MB/512MB    SP 512MB/1GB, RP 512MB/1GB
Bootflash                     SP 32MB, RP 16MB                  SP 64MB, RP 64MB
NVRAM                         SP 512KB, RP 512KB                SP 2MB, RP 2MB

Supervisor 720
Slot Requirements – 3 Slot Chassis

Slot 1: Supervisor 720 or Module
Slot 2: Supervisor 720 or Module
Slot 3: Module

Now dCEF modules are supported in the 3 slot chassis!

Supervisor 720
Slot Requirements – 6 Slot Chassis

Slot 1: Module
Slot 2: Module
Slot 3: Module
Slot 4: Module
Slot 5: Supervisor 720 or Module
Slot 6: Supervisor 720 or Module

Supervisor 720
Slot Requirements – 9 Slot Chassis

Slot 1: Module
Slot 2: Module
Slot 3: Module
Slot 4: Module
Slot 5: Supervisor 720 or Module
Slot 6: Supervisor 720 or Module
Slot 7: Module
Slot 8: Module
Slot 9: Module

Supervisor 720
Slot Requirements – 13 Slot Chassis

Slot 1: Module
Slot 2: Module
Slot 3: Module
Slot 4: Module
Slot 5: Module
Slot 6: Module
Slot 7: Supervisor 720 or Module
Slot 8: Supervisor 720 or Module
Slot 9: Module
Slot 10: Module
Slot 11: Module
Slot 12: Module
Slot 13: Module

Switch Fabric

• Integrated Fabric
A SFM must be removed when using a Sup720
• Fabric channels run at 20 Gbps
Full Duplex, so 20 Gbps in / 20 Gbps out per channel
Two fabric channels allocated to each slot
40 Gbps/slot with dual fabric channels
• Total Switching Capacity = 720 Gbps (Full Duplex Operation)

(Diagram: 9-slot chassis, Slot 1 through Slot 9, each slot with two fabric channels into the integrated fabric)

Slide comment, Jeff Raymond (jeraymon), 3/9/2003: Does this switch fabric have the same fabric channel allocations in the 6513 as the SFM2?

Supervisor 720
Switch Fabric - Channel Allocation

• Two Channels per slot:
3 slot chassis (6503, 7603)
6 slot chassis (6506, 7606)
9 slot chassis (6509, 7609)
• 13 Slot chassis fabric channel allocation is the same as the SFM2
Slots 1 thru 8 receive a single fabric channel
Slots 9 thru 13 receive dual fabric channels
• Fabric channels for xCEF256 modules will auto-sync to 8 Gbps

(Diagram: 6513 chassis, Slot 1 through Slot 13, single channels on slots 1-8 and dual channels on slots 9-13)

Catalyst 6500 Architecture With Supervisor 720

All numbers are presented in non-full duplex math (engineering math) for consistency

(Diagram: the Supervisor holds the MSFC3 (Routing Table), the PFC3 (Hardware Fwd Tables), a Forwarding Engine rated at 30–400 Mpps, and the Integrated 720 Switch Fabric. aCEF720 Series linecards (aCEF Engines) and dCEF720 Series linecards (Integrated DFC3) attach to the fabric at 20 Gbps per channel. Classic Series, CEF256 Series (Optional DFC3) and dCEF256 Series (Integrated DFC3) linecards attach to the 16 Gbps Switching Bus, with the CEF256 and dCEF256 series also attaching to the fabric at 8 Gbps per channel.)

January 2004
Catalyst 6500
Technical Training
CHAPTER 2: IOS Architecture on the Supervisor 720


CHAPTER 2.1 – IOS Architecture

IOS Architecture

The Multilayer Switch Feature Card (MSFC3) on the Supervisor 720 contains both the Route Processor (RP) and the Switch Processor (SP)…

Both the RP and the SP have their own set of Flash memory (referred to as bootflash): SP Bootflash on the Switch Processor and RP Bootflash on the Route Processor.

IOS Architecture
Switch Processor (SP)

Both the RP and SP perform distinct functions during both the booting of the operating system and the ongoing operation of the switch…

The Switch Processor is physically located on the MSFC3
Logically considered as the Network Management Processor (NMP)
Dedicated CPU, DRAM, Flash and NVRAM
- The SP owns the switch at initial boot up before handing over to the RP
- The SP runs all layer 2 operations like VTP, Spanning Tree, Chassis and Power Management, etc
- Supports other Layer 2 features like CDP, SPAN, Broadcast Suppression, Etherchannel, etc

IOS Architecture
Route Processor (RP)

Both the RP and SP perform distinct functions during both the booting of the operating system and the ongoing operation of the switch…

The Route Processor is physically located on the MSFC3
Logically considered as the MSFC
Dedicated CPU, DRAM, Flash and NVRAM
- The RP runs the Layer 3 routing protocols like OSPF, EIGRP, BGP, etc
- Other layer 3 features like IPX and Appletalk
- Manages the user interface (CLI)
- All show and configuration commands are processed on the RP then sent to the SP for execution

IOS Architecture
RP and SP Bootflash

The RP and the SP both have their own set of Bootflash…
SP Bootflash (64Mb) is used to store the boot image and is referred to as SUP-BOOTFLASH during normal operation
RP Bootflash (64Mb) is referred to as BOOTFLASH during normal operation

6500# dir sup-bootflash:
Directory of sup-bootflash:/

    1  -rw-    26672876   Sep 09 2003 23:13:50  s72033-ps-mz.122-14.SX1.bin

256417792 bytes total (229744640 bytes free)

IOS Architecture
RP and SP DRAM

The RP and the SP both have their own set of DRAM…
SP DRAM (512Mb) is used to store the running configuration, the running IOS image, the routing table, etc – the amount of SP and RP DRAM available can be seen using the following commands…

6500# show version
<snip>
cisco Catalyst 6000 (R7000) processor with 458752K/65536K bytes of memory.

6500# remote command switch show version
<snip>
cisco Catalyst 6000 (R7000) processor with 458752K/65536K bytes of memory.

CHAPTER 2.2 – File Management

File Management

The IOS File System (IFS) provides a single interface into all of the file systems on the switch… The Supervisor 720 supports a number of those file systems and they can be seen in the output of the following command…

6500# show file systems
File Systems:

     Size(b)     Free(b)   Type   Flags   Prefixes
*  256417792   229744640   disk   rw      disk0:
           -           -   disk   rw      disk1:
    65536000    38191028   flash  rw      sup-bootflash:
    24871548           0   opaque ro      sup-microcode:
           0   242043808   opaque wo      sup-image:
      129004      128388   nvram  rw      const_nvram:
     1964024     1960429   nvram  rw      nvram:
           -           -   opaque rw      null:
           -           -   opaque rw      system:
           -           -   network rw     tftp:
    65536000    65536000   flash  rw      bootflash:
           -           -   network rw     rcp:
           -           -   network rw     ftp:

File Management

Some of the major file systems that are used on the Supervisor 720 include…

FILESYSTEM        DESCRIPTION
bootflash:        Flash that is owned by the RP
slavebootflash:   Flash memory owned by a redundant supervisor
sup-bootflash:    Flash that is owned by the SP
disk0:            The first compact flash slot on the Supervisor
slavedisk0:       1st CF slot on redundant Supervisor
disk1:            The second compact flash slot on the Supervisor
slavedisk1:       2nd CF slot on a Redundant Supervisor
startup-config:   Startup configuration located in NVRAM
running-config:   Running configuration located in DRAM
nvram:            NVRAM on the Supervisor
slavenvram:       NVRAM on a Redundant Supervisor

File Management Commands

Files stored on the file subsystems can be viewed using the “DIR” command…

6500# dir sup-bootflash:
Directory of sup-bootflash:/

    1  -rw-    27344844   Jul 31 2003 10:03:54  s72033-pk9s-mz.122-14.SX.bin

65536000 bytes total (38191028 bytes free)

The current default file system can be seen using the following…
6500# pwd
disk0:

The current default file system can be changed to another file system as follows…
6500# cd sup-bootflash:
6500# pwd
sup-bootflash:/

File Management Commands

Information on specific files can be viewed as follows (filename of IOS shown in the example)…

6500# dir disk0:
Directory of disk0:/

    1  -rw-    26672876   Sep 09 2003 23:13:50  s72033-ps-mz.122-14.SX1.bin

256417792 bytes total (229744640 bytes free)

6500# show file info disk0:s72033-ps-mz.122-14.SX1.bin
disk0:s72033-ps-mz.122-14.SX1.bin:
  type is image (elf) []
  file size is 26672876 bytes, run size is 26837656 bytes
  Runnable image, entry point 0x80020000, run from ram

6500#

File Management Commands
Delete Command

Files can be deleted by using the delete command and referencing the file system/filename…

6500# dir sup-bootflash:
Directory of sup-bootflash:/

    1  -rw-    27344844   Jul 31 2003 10:03:54  s72033-pk9s-mz.122-14.SX.bin
    2  -rw-        2553   Nov 06 2003 01:30:17  config1

65536000 bytes total (38188344 bytes free)

6500# delete sup-bootflash:config1        >> DELETE COMMAND
Delete filename [config1]?
Delete sup-bootflash:config1? [confirm]

6500# dir sup-bootflash:
Directory of sup-bootflash:/

    1  -rw-    27344844   Jul 31 2003 10:03:54  s72033-pk9s-mz.122-14.SX.bin

65536000 bytes total (38188344 bytes free)

File Management Commands
Undelete Command

Files can also be UNDELETED by using the undelete command and referencing the file index number on that file subsystem…

6500# dir /all sup-bootflash:
Directory of sup-bootflash:/

    1  -rw-    27344844   Jul 31 2003 10:03:54  s72033-pk9s-mz.122-14.SX.bin
    2  -rw-        2553   Nov 06 2003 01:30:17  [config1]      >> Shows deleted file in brackets [ ]

65536000 bytes total (38188344 bytes free)

6500# undelete 2 sup-bootflash:           >> UNDELETE COMMAND
6500# dir sup-bootflash:
Directory of sup-bootflash:/

    1  -rw-    27344844   Jul 31 2003 10:03:54  s72033-pk9s-mz.122-14.SX.bin
    2  -rw-        2553   Nov 06 2003 01:30:17  config1        >> File is undeleted

65536000 bytes total (38188344 bytes free)

File Management Commands
Squeeze Command

To permanently remove a deleted file from the file subsystem, the SQUEEZE command must be used…

6500# delete sup-bootflash:config1
Delete filename [config1]?
Delete sup-bootflash:config1? [confirm]

6500# squeeze sup-bootflash:              >> SQUEEZE COMMAND
All deleted files will be removed. Continue? [confirm]
Squeeze operation may take a while. Continue? [confirm]
Squeeze of sup-bootflash complete

6500# dir /all sup-bootflash:
Directory of sup-bootflash:/

    1  -rw-    27344844   Jul 31 2003 10:03:54  s72033-pk9s-mz.122-14.SX.bin

65536000 bytes total (38191028 bytes free)

As can be seen in the final dir /all command, the config1 file is no longer located in this file system…

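The delete / undelete / squeeze sequence on the last three slides follows a simple model, worked through here as an added example (Python, not Cisco code, and a simplification of the real flash file system: per-file header overhead is ignored, so the free-byte counts differ slightly from the dir output on the slides). The class `FlashFS` and the function `demo` are assumed names; the file names and sizes are the ones from the slides, the 65536000-byte total is the sup-bootflash size shown in the dir output.

```python
class FlashFS:
    """Toy model of the flash file system behaviour shown on the slides: delete marks a file as
    deleted but leaves its bytes and index in place, undelete clears the mark, and squeeze is the
    only operation that reclaims the space and discards deleted contents for good."""

    def __init__(self, total_bytes):
        self.total = total_bytes
        self.files = []                    # dicts: index, name, size, deleted

    def copy(self, name, size):
        """Write a file. Indices are never reused until a squeeze."""
        if size > self.free():
            raise OSError("no space: deleted files still occupy flash until squeeze")
        self.files.append({"index": len(self.files) + 1, "name": name, "size": size, "deleted": False})
        return self.files[-1]["index"]

    def delete(self, name):
        for f in self.files:
            if f["name"] == name and not f["deleted"]:
                f["deleted"] = True
                return True
        return False

    def undelete(self, index):
        """Recover by index, as 'undelete <index> <fs>:' does; impossible once squeezed."""
        for f in self.files:
            if f["index"] == index and f["deleted"]:
                f["deleted"] = False
                return True
        return False

    def squeeze(self):
        """Drop deleted entries and renumber; returns the number of files left."""
        self.files = [f for f in self.files if not f["deleted"]]
        for i, f in enumerate(self.files, 1):
            f["index"] = i
        return len(self.files)

    def used(self):
        return sum(f["size"] for f in self.files)   # deleted files still count until squeeze

    def free(self):
        return self.total - self.used()

    def dir(self, show_all=False):
        """Mimic 'dir' and 'dir /all': deleted names appear in brackets only with /all."""
        rows = []
        for f in self.files:
            if f["deleted"] and not show_all:
                continue
            name = f"[{f['name']}]" if f["deleted"] else f["name"]
            rows.append((f["index"], f["size"], name))
        return rows


def demo():
    """Replay the slides' sequence on constructed data and collect what each step observes."""
    fs = FlashFS(65536000)                                   # sup-bootflash size from the dir output
    fs.copy("s72033-pk9s-mz.122-14.SX.bin", 27344844)
    fs.copy("config1", 2553)
    out = {}
    fs.delete("config1")
    out["free_after_delete"] = fs.free()                     # unchanged: space not reclaimed
    out["dir_after_delete"] = fs.dir()
    out["dir_all_after_delete"] = fs.dir(show_all=True)
    out["undelete_ok"] = fs.undelete(2)                      # recoverable by index
    fs.delete("config1")
    out["files_after_squeeze"] = fs.squeeze()
    out["free_after_squeeze"] = fs.free()                    # now reclaimed
    out["undelete_after_squeeze"] = fs.undelete(2)           # gone for good
    return out


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step:24s} {value}")
```

The practical consequence is the one the squeeze slide leaves implicit: a configuration file deleted from flash (config1 here, which on a real switch may hold passwords and SNMP strings) remains readable via `dir /all` and `undelete` by anyone with exec access to the box until a squeeze is run, so decommissioning or handing over a supervisor should include that step.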
File Management Commands
Boot Command

To boot a native IOS image, the image can be loaded from one of two locations – either the SUP-Bootflash, or from one of the two compact flash slots on the front panel of the supervisor…

64Mb of SUP-Bootflash is provided to hold IOS images…

Two CF type II slots are provided to hold CF cards – these slots hold CF cards up to 512Mb in size and can also support the IBM Microdrive

File Management Commands
Boot Command

Multiple boot commands can appear in the configuration file – the system will attempt to load the image identified by the first “boot” command and move through the list until it finds an image it can load…

6500# show running
Building configuration...
<snip>
boot system flash disk0:s72033-psv-mz.122-17a.SX1.bin
boot system flash sup-bootflash:s72033-psv-mz.122-17a.SX.bin
boot system flash disk0:s72033-ps-mz.122-14.SX1.bin
boot system flash sup-bootflash:s72033-pk9s-mz.122-14.SX.bin
<snip>

NOTE – If the system fails to find a valid image from the “BOOT” list it will revert to ROMMON mode

Configuring a Supervisor 720
Boot Command

IOS images can be stored on the compact flash and used to boot the switch… The command to allow the switch to boot from compact flash is the “boot” command shown below…

6500# show running
Building configuration...
<snip>
boot system flash disk0:s72033-ps-mz.122-14.SX1.bin            >> Should be the first boot statement in the list
boot system flash sup-bootflash:s72033-pk9s-mz.122-14.SX.bin

The “BOOT SYSTEM FLASH” command can be used to identify the IOS image on the compact flash slot that the switch should use to boot… on switch bootup you should see the following…

System Bootstrap, Version 7.7(1)
Copyright (c) 1994-2003 by cisco Systems, Inc.
Cat6k-Sup720/SP processor with 524288 Kbytes of main memory

Autoboot executing command: "boot disk0:s72033-ps-mz.122-14.SX1.bin"

Self decompressing the image : ################################################]

January 2004
Catalyst 6500
Technical Training
CHAPTER 3: Command Line Interface (CLI)


CHAPTER 3.1 – Accessing the CLI

Command Line Interface

Access to the switch CLI is via either the console port on the front of the Supervisor or via Telnet…

The console port on the Supervisor 720 is based on the EIA/TIA-232 specification…

The console port uses an RJ-45 connector and requires the use of a “ROLLOVER” cable…

Command Line Interface
Using the Console Port

Accessing the switch for the first time will require using the console port to set up an initial configuration on the switch…

Using a standard VT100 terminal emulator, the following default settings are required to connect into the switch…

Feature     Setting
Speed       9600 baud
Data bits   8
Parity      None
Stop bits   2

Command Line Interface
Using Telnet

Before telnet can be used, some initial configuration must be performed on the switch – there are 5 default virtual terminal (VTY) ports (up to 8 maximum) that are used for incoming telnet sessions – these must be configured to accept login and also must have a password assigned…

Switch> en                                >> Go into enable mode
Switch# conf t                            >> Go into configuration mode
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#line vty 0 4               >> Configure the VTY ports 0 thru 4
Switch(config-line)#login                 >> Login allowed on these ports
% Login disabled on line 1, until 'password' is set
% Login disabled on line 2, until 'password' is set
% Login disabled on line 3, until 'password' is set
% Login disabled on line 4, until 'password' is set
% Login disabled on line 5, until 'password' is set
Switch(config-line)#password cisco        >> Login Password of cisco set
Switch(config-line)# ^Z

Switch#sh run | begin line vty 0 4        >> Show configuration
line vty 0 4
 password cisco
 login
!
end

An IP Address must also be assigned to one of the local ports before you can telnet into the switch…

Command Line Interface
Using the Command Line

Commands are not case sensitive as can be seen in the following example…
Switch# sh clock
*23:05:29.376 UTC Wed Oct 29 2003
Switch# sh Clock
*23:05:33.352 UTC Wed Oct 29 2003
Switch# sh CloCK
*23:05:38.268 UTC Wed Oct 29 2003
Switch#

Commands can be issued as abbreviations as long as they don’t conflict with another command in the same category
Switch# sh cl
% Ambiguous command: "sh cl"
Switch# sh cl?                            >> CL clashes with other commands
class-map  clns  clock  cls

Switch# sh clo                            >> “clo” is now unique and can be run
*23:07:57.104 UTC Wed Oct 29 2003
Switch#

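The two rules the slide shows (case-insensitive keywords; an abbreviation is accepted only when it is a unique prefix within its position in the command) are the whole of the matching logic, so here it is as an added Python example of that resolution, not Cisco's parser. The command tree is a constructed subset: the four `show` keywords that clash with `cl` are the ones from the slide's `sh cl?` output, the rest (`running-config`, `version`, `configure terminal`, `enable`) are added to give the walk something to resolve; `COMMAND_TREE`, `expand` and `resolve_line` are assumed names.

```python
# Constructed subset of the IOS command tree: keyword -> sub-keywords (empty dict = leaf)
COMMAND_TREE = {
    "show": {
        "class-map": {}, "clns": {}, "clock": {}, "cls": {},    # the four 'sh cl?' candidates
        "running-config": {}, "version": {},
    },
    "configure": {"terminal": {}},
    "enable": {},
}


def expand(word, candidates):
    """Resolve one typed word against the keywords valid at this position.

    Matching is case-insensitive. An exact keyword wins outright; otherwise a single
    prefix match is accepted, several give 'ambiguous', none gives 'invalid'.
    """
    w = word.lower()
    if w in candidates:
        return ("ok", w)
    matches = sorted(k for k in candidates if k.startswith(w))
    if len(matches) == 1:
        return ("ok", matches[0])
    return ("ambiguous", matches) if matches else ("invalid", [])


def resolve_line(line, tree=COMMAND_TREE):
    """Walk a whole command line word by word, expanding each abbreviation in the context
    of the keywords that follow the previous one. Returns ("ok", full command) or the
    first ("ambiguous", candidates) / ("invalid", []) encountered."""
    node = tree
    expanded = []
    for word in line.split():
        status, value = expand(word, node)
        if status != "ok":
            return (status, value)
        expanded.append(value)
        node = node[value]
    return ("ok", " ".join(expanded))


if __name__ == "__main__":
    for cmd in ("sh clock", "sh CloCK", "sh cl", "sh clo", "conf t", "sh nonsense"):
        print(f"{cmd:14s} -> {resolve_line(cmd)}")
```

`sh cl` stops at the second word with the same four candidates the switch lists, while `sh clo` and `sh CloCK` both expand to `show clock`; the ambiguity check is done per position, which is why `sh` is fine at the first word even though there are other commands starting with `s` on a real switch.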
Command Line Interface
Keyboard Shortcuts

There are a number of keyboard shortcuts that can make using the CLI a more enjoyable experience…

Keystroke                  Use of Shortcut
CTL-B or left arrow key    Move cursor back one character
CTL-F or right arrow key   Move cursor forward one character
CTL-A                      Move cursor to the beginning of the command line
CTL-E                      Move cursor to the end of the command line
ESC-B                      Move cursor back one word
ESC-F                      Move cursor forward one word
CTL-X                      Delete the content of the command line

Command Line Interface
Configuration Modes

Within the CLI, there are different CLI levels that enable different tasks to be displayed and executed…

EXEC – Description: Basic Access. Access Method: Initial login mode. CLI Prompt: Switch>
ENABLE – Description: Set operating parameters and issue many show commands. Access Method: Enter from EXEC mode using the “enable” command. CLI Prompt: Switch#
Global Configuration Mode – Description: Configure global features (i.e. not interface specific). Access Method: Enter from “enable” mode using “configure term”. CLI Prompt: Switch(config)#
Interface Configuration Mode – Description: Configure interface specific features. Access Method: Enter from global config mode using the “interface type” command. CLI Prompt: Switch(config-if)#

January 2004
Catalyst 6500
Technical Training
CHAPTER 4: First Time Configuration and Password Recovery


CHAPTER 4.1 – First Time Configuration

CHAPTER 4.2 – “Enable Password” Recovery

Recovering a Lost Enable Password

Recovering a lost enable password requires changing the configuration register. This register is located in NVRAM and contains a 16 bit setting. One of the bits can be reset to ignore the configuration when the switch starts up…

16 bit Configuration Register (bit positions):
15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0

Bit 8 (0x0100) is used to tell the switch whether to ignore the switch configuration in NVRAM on startup.

A value of “1” indicates that the configuration should be used – a value of “0” instructs the switch to ignore the system configuration on startup…

Recovering a Lost Enable Password
The default configuration register value can be seen using the “show
version” command as follows…

6500# show version
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-PS-M), Version 12.2(14)SX1, EARLY DEPLOY)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 27-May-03 20:40 by ccai
Image text-base: 0x40008C10, data-base: 0x41ACE000

<snip>

65536K bytes of Flash internal SIMM (Sector size 512K).

Configuration register is 0x2102

The “1” in 0x2102 indicates that the switch should use the configuration in NVRAM at
startup…
Recovering a Lost Enable Password
The switch has two versions of software it uses to boot the switch with – the
ROM Monitor code and the final IOS binary image used to run the switch…

[Diagram: ROM MONITOR loads the IOS Binary]

The ROM Monitor executes on power up, reset, or when a fatal exception occurs… The
config register is used to tell the ROM Monitor where to load the IOS Binary image from…

The ROM Monitor can be used to change the Configuration Register…

On switch startup, a “BREAK” key can be used to interrupt the boot process and keep the
switch in ROM MONITOR mode…
Recovering a Lost Enable Password
Power on (or reload) the switch to initiate the boot-up sequence and use the
BREAK key to interrupt the process as follows…

STEP ONE…
System Bootstrap, Version 7.1(1)
Copyright (c) 1994-2001 by cisco Systems, Inc.
c6k_sup2 processor with 131072 Kbytes of main memory

<<< <BREAK> key used here

monitor: command "boot" aborted due to user interrupt

rommon 1 >          << ROMMON prompt indicates the switch is in ROM Monitor
Recovering a Lost Enable Password
Next, you need to change the configuration register – you do this by
using the “CONFREG” command to change bit 8 in the configuration
register as follows…

STEP TWO…
rommon 1 > confreg

Configuration Summary enabled are:
load rom after netboot fails
ignore system config info
console baud: 9600
boot: image specified by the boot system commands
or default to: cisco2-c6k_sup2

do you wish to change the configuration? y/n [n]:          << Enter “y” here
Recovering a Lost Enable Password
Accept all defaults to the prompts except when it asks about the prompt marked below…

STEP THREE…
do you wish to change the configuration? y/n [n]: y
enable "diagnostic mode"? y/n [n]:
enable "use net in IP bcast address"? y/n [n]:
disable "load rom after netboot fails"? y/n [n]:
enable "use all zero broadcast"? y/n [n]:
enable "break/abort has effect"? y/n [n]:
disable "ignore system config info"? y/n [n]:          << Enter “y” here
change console baud rate? y/n [n]:
change the boot characteristics? y/n [n]:
Recovering a Lost Enable Password
When this has finished, enter “n” for modifying the configuration any further
and then use the “boot” command to boot the switch with the new
configuration register setting as follows…

STEP FOUR…
do you wish to change the configuration? y/n [n]: n

rommon 2 > boot

Self decompressing the image :
################################################]

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph

Switch continues to boot…
Recovering a Lost Enable Password
When the switch has booted, it will place you in EXEC mode. Enter enable
mode as follows…
Switch> enable
Switch#

The switch bypasses any enable password as the configuration was ignored
on startup…

Next, the startup configuration can be loaded into the running configuration
as follows…

Switch# copy startup running
Destination filename [running-config]?

After copying the startup config into the running config – enter configuration
mode and reset the enable password as required…

6500# configure terminal
6500(config)# enable password ABC123

Note – once the password has been reset, restore the configuration register
(“config-register 0x2102” in global configuration mode) and save the configuration,
otherwise the next reload will again ignore the startup configuration. “enable secret”
stores the secret as a hash, whereas “enable password” is stored in a reversible form,
so prefer “enable secret” when resetting…
CHAPTER 5: Configuring the Supervisor 720

CHAPTER 5.1 – Configuring Supervisor 720
Configuring a Supervisor 720
Compact Flash Slots
The Supervisor 720 has two compact flash II slots that are capable of supporting a CFII card or
the IBM compact flash microdrive… Compact flash cards used in these slots can be accessed
by the local Supervisor file management system – they are referenced as disk0: and disk1:
respectively…

[Diagram: Supervisor 720 front panel showing the DISK0: and DISK1: slots]
Configuring a Supervisor 720
Compact Flash Slots
Contents of compact flash in these slots can be viewed by using the “DIR” command shown
as follows…

6500# dir disk0:
Directory of disk0:/

    1  -rw-    26672876   Sep 09 2003 23:13:50  s72033-ps-mz.122-14.SX1.bin

256417792 bytes total (229744640 bytes free)
6500#

NOTE – If no compact flash card is located in the slot, then you will get an error using this
command…

6500# dir disk1:
%Error opening disk1:/ (No device available)
Configuring a Supervisor 720
Front Ethernet Ports
The Supervisor 720 has three GE ports on the front panel – Port 1 is a Small Form Factor
Pluggable (SFP) – Port 2 consists of an SFP (active by default) and one 10/100/1000 RJ45 –
when the 10/100/1000 is activated, the Port 2 SFP will be disabled…

[Diagram: Supervisor 720 front panel – Port 1 SFP; Port 2 SFP and 10/100/1000]
Configuring a Supervisor 720
Front Ethernet Ports
The 10/100/1000 Port can be activated by choosing the RJ45 media type when in interface
configuration mode…

6500(config)# interface g5/2
6500(config-if)# media-type ?
  rj45  Use RJ45 connector
  sfp   Use SFP connector
  <cr>

If the 10/100/1000 port is active, the SFP port can be reactivated (shutting down the RJ45 port)
by using one of the following…

6500(config-if)# no media-type
6500(config-if)# media-type sfp
Configuring a Supervisor 720
Switch Fabric Module
The Supervisor 720 has an integrated Switch Fabric Module providing 18 fabric channels that
are apportioned across each of the slots in the chassis. Each fabric channel can run at 8-Gbps
or 20-Gbps depending on the attached linecard (FDX numbers are 16-Gbps and 40-Gbps per
channel)…

[Diagram: Supervisor 720 with integrated Switch Fabric]
Configuring a Supervisor 720
Switch Fabric Module Modes
When transferring data between linecards, the SFM will operate in one of three modes – these
modes are determined by the combination of linecards installed in the chassis and which
module the traffic is sourced from and destined to…

Mode        Description
BUS         Used for traffic between non fabric enabled modules and for traffic between a non
            fabric and a fabric enabled linecard…
COMPACT     Used when only fabric enabled linecards are used in a chassis – this mode uses a
            compact form of DBus header which optimizes centralized performance to 30Mpps
TRUNCATED   Used for traffic between fabric enabled linecards when a non fabric enabled
            linecard is installed in the chassis…
Configuring a Supervisor 720
Enabling Truncated Mode
The switch can be configured to allow modules to use truncated mode as follows…

[Diagram: a Classic Module and two Fabric Modules attached to the BUS and to the Switch Fabric Module]

6500(config)# fabric switching-mode allow ?
  bus-mode   Allow switching in bus mode for modules
  truncated  Truncated switching mode
Configuring a Supervisor 720
Truncated Mode Threshold
When Truncated mode is enabled, a threshold can also be configured – this threshold
determines at what point truncated mode can be activated – the threshold is based on the
number of fabric enabled linecards that can be installed before truncated mode takes effect…

[Diagram: a Classic Module and two Fabric Modules attached to the BUS and to the Switch Fabric Module]

6500(config)# fabric switching-mode allow truncated ?
  threshold  Default number of SFM-capable modules needed for truncated switching
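As an added example (not part of the training module), the Python function below applies the BUS / COMPACT / TRUNCATED rules from the last three slides to a chassis inventory and reports which mode a given source/destination pair of modules would use, given whether truncated mode is allowed and what threshold is configured. The inventory, the threshold value, the function names and the fallback to bus mode when the threshold is not met are constructed assumptions of this example.

```python
"""Switching-mode decision for a Catalyst 6500 Switch Fabric Module.

Added example: applies the BUS / COMPACT / TRUNCATED rules from the training
slides to a constructed chassis inventory.  Falling back to BUS when
truncated mode is not allowed or the threshold is not met is an assumption
of this example, not a statement from the slides.
"""
from dataclasses import dataclass

BUS, COMPACT, TRUNCATED = "BUS", "COMPACT", "TRUNCATED"


@dataclass(frozen=True)
class Module:
    slot: int
    fabric_enabled: bool  # True for an SFM-capable (fabric enabled) linecard


def fabric_enabled_count(chassis):
    """Number of SFM-capable cards, which is what the threshold is compared against."""
    return sum(1 for m in chassis if m.fabric_enabled)


def switching_mode(chassis, src_slot, dst_slot, allow_truncated=True, threshold=2):
    by_slot = {m.slot: m for m in chassis}
    src, dst = by_slot[src_slot], by_slot[dst_slot]
    # BUS: any flow that touches a non fabric enabled module.
    if not (src.fabric_enabled and dst.fabric_enabled):
        return BUS
    # COMPACT: only fabric enabled linecards are installed in the chassis.
    if all(m.fabric_enabled for m in chassis):
        return COMPACT
    # TRUNCATED: fabric-to-fabric traffic while a non fabric card is present,
    # once truncated mode is allowed and the SFM-capable count meets the threshold.
    if allow_truncated and fabric_enabled_count(chassis) >= threshold:
        return TRUNCATED
    return BUS  # assumption: bus mode otherwise


def chassis_report(chassis, allow_truncated=True, threshold=2):
    """Mode for every ordered pair of distinct slots, keyed by (src, dst)."""
    slots = sorted(m.slot for m in chassis)
    return {(a, b): switching_mode(chassis, a, b, allow_truncated, threshold)
            for a in slots for b in slots if a != b}


# Constructed inventory: slot 1 is a classic (non fabric) card, slots 2, 3 and 5 are fabric enabled.
MIXED_CHASSIS = [Module(1, False), Module(2, True), Module(3, True), Module(5, True)]
ALL_FABRIC_CHASSIS = [Module(2, True), Module(3, True), Module(5, True)]

if __name__ == "__main__":
    for (src, dst), mode in sorted(chassis_report(MIXED_CHASSIS).items()):
        print(f"slot {src} -> slot {dst}: {mode}")
```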
Configuring a Supervisor 720
More Commands
The switch supports two slots for Supervisor engines. A CLI command is provided to allow the
administrator to inspect which of the Supervisor engines is the active engine…

6500# show fabric active
Active fabric card in slot 5
No backup fabric card in the system

The mode of operation being used by the switch fabric module can also be inspected using the
following command…

6500# show fabric switching-mode
Fabric module is not required for system to operate
Modules are allowed to operate in bus mode
Truncated mode is not allowed unless threshold is met
Threshold for truncated mode operation is 2 SFM-capable cards

Module Slot     Switching Mode
     1          Crossbar
     2          Crossbar
     3          Crossbar
     5          DCEF
Configuring a Supervisor 720
Switch Fabric Module Modes
The status of the Switch Fabric can be inspected by using the following command…

6500# show fabric status
 slot  channel  speed  module status  fabric status
    1        0     8G             OK             OK
    2        0     8G             OK             OK
    3        0     8G             OK             OK
    5        0    20G             OK             OK

The utilization of the Switch Fabric can be inspected by using the following command…

6500# show fabric utilization
 slot  channel  speed  Ingress %  Egress %
    1        0     8G         28         0
    2        0     8G          0         0
    3        0     8G          0        25
    5        0    20G          0         0
Configuring a Supervisor 720
Switch Fabric Module Modes
During troubleshooting, the Switch Fabric Module can be inspected for transmission errors –
the command to inspect for errors on the Switch Fabric Module is as follows…

6500# show fabric errors
Module errors:
 slot  channel  crc  hbeat  sync  DDR sync
    1        0    0      0     0         0
    2        0    0      0     0         0
    3        0    0      0     0         0
    5        0    0      0     0         0

Fabric errors:
 slot  channel  sync  buffer  timeout
    1        0     0       0        0
    2        0     0       0        0
    3        0     0       0        0
    5        0     0       0        0

6500#
CHAPTER 6: Configuring Interfaces

CHAPTER 6.1 – Configuring Interfaces
Understanding Interfaces
Each Ethernet interface type uses nomenclature unique to its operating characteristics. Each
of the interface types is explained below…

6500(config)# interface Ethernet x/y
6500(config)# interface FastEthernet x/y
6500(config)# interface GigabitEthernet x/y
6500(config)# interface TenGigabitEthernet x/y

All ports referenced by X/Y indicate the following:
“X” is the slot number – slot numbers start from 1 at the top of the chassis (horizontally
mounted linecards)
“Y” is the actual port number on the linecard itself – port numbers start from 1 from the left
hand side of the linecard

In this mode, only a single interface is configured at any one time…
Shutting and Restarting Interfaces
When the switch powers up for the first time, it will revert all interfaces into shutdown mode –
interfaces need to be enabled before normal operation can begin…

6500(config)# interface g1/3
6500(config-if)# shutdown          << Places port in shutdown mode

6500# show interface g1/3
GigabitEthernet1/3 is administratively down, line protocol is down (disabled)   << Identifies port is shutdown
Hardware is C6k 1000Mb 802.3, address is 000b.45e3.8080 (bia 000b.45e3.8080)

6500(config)# interface g1/3
6500(config-if)# no shutdown       << Enables port

6500# show interface g1/3
GigabitEthernet1/3 is up, line protocol is up (connected)
Hardware is C6k 1000Mb 802.3, address is 000b.45e3.8080 (bia 000b.45e3.8080)
Configuring Interfaces
When running IOS, Ethernet ports can be configured with one of three interface types, Access,
Trunk or Router. Interfaces in IOS assume a different default behavior than those same ports
under CatOS in that they default to Layer 3 ports and are shutdown on initial startup.

[Diagram: Supervisor Engine (Supervisor and MSFC) with a Layer 3 Interface and VLAN SVIs; linecard ports – Access Ports, Trunk Port and L3 Routed Ports – shown in the Shutdown state]
Interface Ranges
IOS allows a group of ports to be configured at the same time with the same CLI command.
This is achieved using the “range” command. Once the range command has been entered,
you will enter the interface range configuration mode and subsequent commands entered in
this mode will apply to the interface range just specified…

6500(config)# interface range gigabitEthernet 1/12 - 16
6500(config-if-range)# no shutdown
6500(config-if-range)#
1w4d: %LINK-3-UPDOWN: Interface GigabitEthernet1/12, changed state to up
1w4d: %LINK-3-UPDOWN: Interface GigabitEthernet1/13, changed state to up
1w4d: %LINK-3-UPDOWN: Interface GigabitEthernet1/14, changed state to up
1w4d: %LINK-3-UPDOWN: Interface GigabitEthernet1/15, changed state to up
1w4d: %LINK-3-UPDOWN: Interface GigabitEthernet1/16, changed state to up
6500(config-if-range)#

This example shows 5 Gigabit Ethernet interfaces being enabled at the same time…
Interface Range Macro
If a group of interfaces is configured on a regular basis, it might be more pertinent to define a
macro that associates a name with that group of interfaces. This way, entering range
configuration mode can be made much easier…

6500(config)# define interface-range macro_name (vlan vlan_id – vlan_id) | type slot/port - port

[Diagram: switch with interfaces G1/1, G1/2, G1/3 and G1/4 grouped into the “admin” macro]

6500(config)# define interface-range admin g1/1 - 4
6500(config)# interface range macro admin
6500(config-if-range)#

The four gigabit interfaces have been associated with the “admin” macro…
Other Interface Configuration Options…
Port speed can be configured on multi speed ports including 10/100 and 10/100/1000 ports…

[Diagram: SWITCH A connected to SWITCH B over a 10/100/1000 port – the speed setting can be modified]

If speed is set to AUTO – then duplex is also set to AUTO

6500(config-if)# speed ?
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  1000  Force 1000 Mbps operation
  auto  Enable AUTO speed configuration
Other Interface Configuration Options…
Duplex setting can be configured on multi speed ports including 10/100 and 10/100/1000
ports… The duplex setting defines the port’s transmission ability to send and receive
simultaneously (full duplex), or, to send OR receive (but not at the same time – also known as
half duplex)…

[Diagram: SWITCH A connected to SWITCH B over a 10/100/1000 port – the duplex setting can be modified]

If speed is set to AUTO – then duplex is also set to AUTO

6500(config-if)# duplex ?
  full  Force full duplex operation
  half  Force half-duplex operation
The Duplex Gotcha…
A well known problem occurs when one end is hard coded for Full Duplex and the other end
is coded for Auto negotiation of the duplex setting…

[Diagram: SWITCH A (Full Duplex) connected to SWITCH B (Auto Duplex) over a 10/100/1000 port]

In this scenario, the “AUTO” end will ALWAYS negotiate to Half-Duplex, causing a Duplex
mismatch resulting in transmission errors…
Gigabit Ethernet Link Negotiation…
Gigabit Ethernet ports support a feature called link negotiation – while NOT negotiating
speed, this feature DOES exchange flow control parameters, duplex information and remote
fault information…

Link Negotiation (A)   Port (A)       Port (B)   Link Negotiation (B)
ON                     UP      GE-GE  UP         ON
OFF                    DOWN    GE-GE  UP         ON
ON                     UP      GE-GE  DOWN       OFF
OFF                    UP      GE-GE  UP         OFF

6500(config-if)# speed ?
  1000         Force 1000 Mbps operation
  nonegotiate  Do not negotiate speed

“speed nonegotiate” DISABLES link negotiation – “no speed nonegotiate” ENABLES link negotiation
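As an added example (not part of the training module), the Python below models the two rules from the previous two slides: a port left on AUTO that faces a peer hard coded to full duplex settles on half duplex (the duplex gotcha), and a Gigabit link only comes up when link negotiation is ON at both ends or OFF at both ends. The port names and settings are constructed, and the general fallback rule the example assumes (an AUTO port whose peer does not negotiate ends up at half duplex; two AUTO ports negotiate full duplex) is the standard auto-negotiation behaviour rather than something the slides state.

```python
"""Duplex-mismatch and Gigabit link-negotiation checks (added example).

Models the duplex gotcha and the link negotiation table from the slides over
constructed link descriptions; not code from the training module.
"""
AUTO, FULL, HALF = "auto", "full", "half"


def operational_duplex(local, remote):
    """Duplex a port settles on, given its own setting and the peer's.

    Assumption (standard auto-negotiation fallback): an AUTO port whose peer
    is hard coded, and therefore does not negotiate, ends up at half duplex;
    two AUTO ports negotiate full duplex.
    """
    if local != AUTO:
        return local  # a hard coded port does what it is told
    if remote == AUTO:
        return FULL   # both ends negotiate: full duplex
    return HALF       # the gotcha: AUTO facing a hard coded peer


def duplex_mismatch(setting_a, setting_b):
    """True when the two ends of a link end up in different duplex modes."""
    return operational_duplex(setting_a, setting_b) != operational_duplex(setting_b, setting_a)


def ge_link_state(negotiate_a, negotiate_b):
    """'up' when link negotiation is ON at both ends or OFF at both ends; otherwise one side stays down."""
    return "up" if negotiate_a == negotiate_b else "down"


def audit_links(links):
    """Findings for a list of (name, duplex_a, duplex_b, link_nego_a, link_nego_b) tuples."""
    findings = []
    for name, dup_a, dup_b, nego_a, nego_b in links:
        if duplex_mismatch(dup_a, dup_b):
            findings.append(f"{name}: duplex mismatch "
                            f"({operational_duplex(dup_a, dup_b)}/{operational_duplex(dup_b, dup_a)})")
        if ge_link_state(nego_a, nego_b) == "down":
            findings.append(f"{name}: link negotiation mismatch, link stays down")
    return findings


# Constructed sample: the classic gotcha on link 1, a clean link on link 2,
# and a link negotiation mismatch on link 3.
SAMPLE_LINKS = [
    ("SwitchA Gi1/1 - SwitchB Gi1/1", FULL, AUTO, True, True),
    ("SwitchA Gi1/2 - SwitchB Gi1/2", AUTO, AUTO, False, False),
    ("SwitchA Gi1/3 - SwitchB Gi1/3", FULL, FULL, True, False),
]

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_LINKS):
        print(finding)
```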
Understanding Jumbo Frames…
Jumbo Frame support allows an Ethernet port to switch an Ethernet packet larger than the
default maximum size of 1518 bytes… It is configured by specifying a global MTU size and a
per port (or per VLAN) MTU size…

[Diagram: default frame (HDR + DATA) at the Default MAX MTU Size of 1548 Bytes; jumbo frame (HDR + DATA) at 9216 Bytes]

Note – Jumbo frame support across different vendor platforms differs slightly in the jumbo
frame size that they support…
Jumbo Frame Support…
Two recently announced modules do not support Jumbo frames…
· WS-X6148-GE-TX
· WS-X6548-GE-TX

The Voice enabled versions of these linecards also do not support Jumbo Frames…

Some modules only support a maximum of 8192 byte frames and include the following…
· WS-X6516-GE-TX running at 100Mb
· WS-X6148-RJ-45, WS-X6148-RJ-45V, WS-X6148-RJ21, WS-X6148-RJ21V
· WS-X6248-RJ-45, WS-X6248-TEL, WS-X6248A-RJ-45, WS-X6248A-TEL
· WS-X6348-RJ-45, WS-X6348-RJ45V, WS-X6348-RJ-21, WS-X6348-RJ21V
Configuring Jumbo Frames…
The size of the frame on INGRESS is compared to the global LAN MTU size – ingress packets
larger than this value are dropped…

[Diagram: data arriving at the switch – the incoming packet MTU is checked against the Global LAN MTU]

THIS CHECK IS FOR 10Mb, 10/100Mb, 100Mb and 10GE PORTS – GE PORTS ARE DIFFERENT!!
With a non default MTU size, any frame over 64 bytes is accepted, BUT, GE ports DO NOT check
for oversized frames…

The Global LAN MTU is defined as follows…

6500(config)# system jumbo ?
  <1500-9216>  Jumbo mtu size in Bytes, default is 9216
Configuring Jumbo Frames…
PFC check for routed traffic
When the source and destination interfaces contain large enough MTU sizes, the PFC will
successfully layer 3 switch jumbo frames – IF the egress MTU is not large enough, and the “Do
not Fragment bit” is NOT set, the packet is forwarded to the MSFC for fragmentation, otherwise
it is dropped…

[Diagram: data enters the Ingress port (MTU=“A”), passes the PFC (MTU=“B”) and leaves the Egress port (MTU=“C”); the MSFC sits above the PFC]

1  If MTU of “C” is >= MTU “A” AND the packet’s “DO NOT FRAGMENT” bit is not set, then forward to
   the MSFC for fragmentation…
2  If MTU of “C” is >= MTU “A” AND the packet’s “DO NOT FRAGMENT” bit is SET, then DROP the
   packet…
Configuring Jumbo Frames…
Port MTU configuration
Non Default MTU sizes can be configured on Ethernet ports – if this is configured, there are
some rules for how packets are switched…

[Diagram: Ingress port (MTU = “X”) – Switch (Global LAN Port MTU = “Y”) – Egress port (MTU = “Z”)]

Port Type                 Port MTU      Ingress Action                                 Egress Action
10Mb, 10/100Mb or 100Mb   Non Default   Limits ingress packet to Global LAN port MTU   Permits switching any packet > 64 bytes
Gigabit Ethernet          Non Default   Permits switching any packet > 64 bytes        Limits egress packet to Global LAN port MTU
10 Gigabit Ethernet       Non Default   Limits ingress packet to Global LAN port MTU   Limits egress packet to Global LAN port MTU
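As an added example (not part of the training module), the Python below encodes the jumbo frame rules from the last three slides: the per port type ingress and egress checks against the Global LAN MTU for a non default port MTU, and the PFC check for routed traffic that punts an oversized packet to the MSFC for fragmentation unless the Do Not Fragment bit is set. The port names, frame sizes and function names are constructed, and treating the 64 byte Ethernet minimum as the lower bound is this example’s reading of the table’s “> 64 bytes”.

```python
"""Jumbo-frame handling rules from the training slides (added example).

Encodes the ingress/egress check by port type for a non default port MTU and
the PFC routed-traffic check.  Frame sizes and port names are constructed.
"""
MIN_FRAME = 64  # assumption: the Ethernet minimum frame size is the lower bound

# Port types that enforce the Global LAN MTU on ingress (GE does not).
INGRESS_CHECKED = {"10Mb", "10/100Mb", "100Mb", "10GE"}
# Port types that enforce the Global LAN MTU on egress (10Mb/10-100Mb/100Mb do not).
EGRESS_CHECKED = {"GE", "10GE"}


def ingress_action(port_type, frame_len, global_lan_mtu):
    """'accept' or 'drop' for a frame arriving on a port with a non default MTU."""
    if frame_len < MIN_FRAME:
        return "drop"
    if port_type in INGRESS_CHECKED and frame_len > global_lan_mtu:
        return "drop"  # oversized on a port type that checks on ingress
    return "accept"


def egress_action(port_type, frame_len, global_lan_mtu):
    """'accept' or 'drop' for a frame leaving a port with a non default MTU."""
    if frame_len < MIN_FRAME:
        return "drop"
    if port_type in EGRESS_CHECKED and frame_len > global_lan_mtu:
        return "drop"  # oversized on a port type that checks on egress
    return "accept"


def pfc_routed_action(packet_len, egress_mtu, dont_fragment):
    """Layer 3 path: switched in hardware, punted to the MSFC for fragmentation, or dropped."""
    if packet_len <= egress_mtu:
        return "l3-switched by PFC"
    if dont_fragment:
        return "dropped (DF set)"
    return "forwarded to MSFC for fragmentation"


def trace_frame(ingress_type, egress_type, frame_len, global_lan_mtu,
                routed=False, egress_mtu=None, dont_fragment=False):
    """Walk one frame through the ingress check, the optional PFC check and the egress check.

    Returns the list of (stage, verdict) pairs up to the point the frame is dropped or punted.
    """
    steps = [("ingress", ingress_action(ingress_type, frame_len, global_lan_mtu))]
    if steps[-1][1] == "drop":
        return steps
    if routed:
        verdict = pfc_routed_action(frame_len, egress_mtu, dont_fragment)
        steps.append(("pfc", verdict))
        if not verdict.startswith("l3-switched"):
            return steps
    steps.append(("egress", egress_action(egress_type, frame_len, global_lan_mtu)))
    return steps


if __name__ == "__main__":
    # Constructed case: a 9000 byte frame enters on GE, is routed to a 10GE port with a 1500 byte MTU.
    for stage, verdict in trace_frame("GE", "10GE", 9000, 9216,
                                      routed=True, egress_mtu=1500, dont_fragment=False):
        print(f"{stage}: {verdict}")
```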
IEEE 802.3z Flow Control
Flow control allows the switch to instruct an attached host (or switch) to stop transmission
for a specific period of time – This is supported on Gigabit Ethernet and Ten Gigabit Ethernet
ports…

[Diagram: Sender connected to Receiver, which has a receive (Rx) queue; steps 1, 2 and 3 below]

Sender can be an Ethernet, Fast Ethernet, Gigabit Ethernet or 10 Gigabit Ethernet port
Receiver can be a Gigabit Ethernet or 10 Gigabit Ethernet port

1  Receive queue fills up
2  Receiver sends 802.3z pause frame
3  Sender delays sending more data for a period of time
IEEE 802.3z Flow Control
Flow control configuration requires setting options for both the sender and receiver as
follows…

[Diagram: Sender connected to Receiver]

6500(config-if)# flowcontrol ?
  receive  Configure receiving flow operation
  send     Configure sending flow operation

6500(config-if)# flowcontrol receive ?
  desired  Allow but do not require flow-control packets on port
  off      Disable flow-control packets on port
  on       Enable flow-control packets on port

6500(config-if)# flowcontrol send ?
  desired  Allow but do not require flow-control packets on port
  off      Disable flow-control packets on port
  on       Enable flow-control packets on port
IEEE 802.3z Flow Control
Display Flow Control Information
The state of the flow control settings on each port can be shown as follows…

6500# show interfaces flowcontrol
Port    Send FlowControl   Receive FlowControl   RxPause  TxPause
        admin    oper      admin    oper
-----   -------- --------  -------- --------     -------  -------
Gi1/1   desired  desired   off      off          0        0
Gi1/2   desired  off       off      off          0        0
Gi1/3   desired  off       off      off          0        0
Gi1/4   desired  off       off      off          0        0
Gi1/5   desired  off       off      off          0        0
Gi1/6   desired  off       off      off          0        0
Gi1/7   desired  off       off      off          0        0
Gi1/8   desired  desired   off      off          0        0
<snip>
Port Debounce Timer
The system default time taken to notify the system of a link state change (i.e. port goes up or
down) can be changed on a per port basis using the Port Debounce Timer feature – be aware
that this feature can impact network re-convergence times depending on the values configured…

[Diagram: two switches connected over GE ports; steps 1, 2 and 3 below]

1  Link state change occurs
2  Switch waits for the debounce timer to expire
3  Switch alerts neighbors of the link state change via routing protocol update
Port Debounce Timer
The default port debounce timer value differs based on whether the feature is enabled or
disabled – once enabled, the value for specific ports can be configured to a specific value
within a defined range…

Port Type          Debounce Disabled   Debounce Enabled
10 Base FL         300 ms              3100 ms
10/100 TX          300 ms              3100 ms
100FX              300 ms              3100 ms
10/100/1000TX      300 ms              3100 ms
1000TX             300 ms              3100 ms
Fiber GE           10 ms               100 ms
10GE (WS-X6501)    300 ms              3100 ms
10GE (WS-X6502)    300 ms              3100 ms
10GE (WS-X6704)    1000 ms             3100 ms
Port Debounce Timer
Configuration
Link Debounce can be simply enabled or a specific value (aside from the default) can be
configured for the port as follows…

[Diagram: switch with GE ports]

6500(config-if)# link debounce ?
  time  Extended debounce time
  <cr>

6500(config-if)# link debounce time ?
  <100-5000>  Extended debounce time value

Enabling the port debounce timer causes link up and link down detections to be
delayed, resulting in loss of traffic during the debounce period. This situation might
affect the convergence and reconvergence of some Layer 2 and Layer 3 protocols.
Monitoring Interfaces
Show interface displays a number of statistics about the running operation of that interface…

6500# show interface g1/5
GigabitEthernet1/5 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 0009.11f0.5284 (bia 0009.11f0.5284)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Auto-duplex, Auto Speed, media type is RJ45
  output flow-control is unsupported, input flow-control is unsupported, 1000Mbs
  Clock mode is auto
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:22, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
<snip>
CHAPTER 7: Configuring Layer 2 Interfaces

CHAPTER 7.1 – Configuring Layer 2 Interfaces
Configuring a Layer 2 Interface
An Ethernet port can be configured as a Layer 2 port in one of two ways – either an ACCESS
port or a TRUNK port.

ACCESS PORT – An access port is typically used to connect to an individual host (server,
IP phone, host PC, etc.)…

TRUNK PORT – Trunk ports are usually configured to connect to another switch or a host
using a NIC supporting trunking…
Configuring a Layer 2 Interface
A Layer 2 Port is enabled in the following way…

6500(config-if)# switchport

The switchport command turns the interface into a Layer 2 interface…

Using the “no switchport” command erases ALL layer 2 configuration for this port and
reverts the port back to a Layer 3 port…
Layer 2 Interface Defaults
When an Interface is defined as a layer 2 port (using the switchport command), it assumes a
series of default settings…

Feature                       Default Value
Switchport Mode               switchport mode dynamic desirable
Trunk encapsulation           switchport trunk encapsulation negotiate
Allowed VLAN range            1 – 4094 except reserved VLANs
VLAN’s eligible for pruning   2 - 1001
Default Access VLAN           VLAN 1
Native VLAN for 802.1Q        VLAN 1
Spanning Tree                 Enabled for all VLAN’s
Spanning Tree Port Priority   128
Spanning Tree Port Cost       100 for 10Mb ports, 19 for 10/100 and 100Mb ports, 4 for GE ports
                              and 2 for 10GE ports
Configuring Layer 2 Mode
A Layer 2 Switchport has a number of modes which determine whether the port will act as an
Access or Trunk port. These modes include…

MODE                       DESCRIPTION
access                     A non trunking, non tagged single VLAN Layer 2 interface
trunk                      Set trunking VLAN Layer 2 interface settings
dynamic auto               Converts the interface into a trunk link
dynamic desirable          Interface that attempts to convert into a trunk link
dot1q-tunnel               802.1Q Tunnel Interface
private-vlan-host          Port with valid PVLAN becomes active host private VLAN port
private-vlan-promiscuous   Port with valid PVLAN becomes active private VLAN promiscuous port
nonegotiate                Port is permanent trunk but does not generate DTP frames

Using the “ACCESS” mode converts the switchport into a Layer 2 access port…
Configuring Access Mode
The output below shows the switchport status of Gigabit Ethernet Port 1/12…

6500(config-if)# switchport
6500(config-if)# switchport mode access
6500# show interface g1/12 switchport
Name: Gi1/12
Switchport: Enabled
Administrative Mode: static access          << Port defined as an access port
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Configuring Access Mode
An alternative way of setting the port as an access port is to do the following…

6500(config-if)# switchport host

Switchport host will set the switchport mode to Access…

6500(config-if)# switchport
6500(config-if)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

6500(config-if)#
Configuring Access Mode
Setting the VLAN
Following the placement of the switchport into access mode, the port should be placed into a
VLAN other than its assigned default…

6500(config-if)# switchport mode access
6500# show interface g1/12 switchport
Name: Gi1/12
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)          << DEFAULT

6500(config-if)# switchport access vlan x

Where x is the VLAN that the port will be placed into…
Understanding Trunk Mode
A Switchport defined as a trunk is one that can carry multiple traffic types each tagged with a
unique VLAN ID…

[Diagram: two switches connected by a Trunk Port carrying data for VLAN A, VLAN B and VLAN C]

As data is switched across the VLAN trunk port, it is “colored” or tagged by the port thus
identifying it to the receiving switch as belonging to a particular VLAN…
Understanding Trunk Mode
There are two types of VLAN trunking mechanisms that can be defined, 802.1Q and ISL… and
both involve adding additional fields to an Ethernet frame to identify it as belonging to a
particular VLAN…

Inter Switch Link
[Frame layout: ISL HEADER (26 BYTES) | ENCAPSULATED FRAME (1 to 24.5 Kb) | FCS (4 BYTES)]

ISL was the original Cisco specification for “tagging” an Ethernet packet with a VLAN tag…
ISL can support VLAN numbers in the range of 1 to 1024

IEEE 802.1Q
[Frame layout: DEST ADDR | SRC ADDR | ETH TYPE | TAG | TYPE | DATA | FCS]

IEEE 802.1Q is a standards based specification for “tagging” the Ethernet packet with a
VLAN tag – 802.1Q can support VLAN numbers in the range of 1 - 4094
Understanding Trunk Mode
Some of the Catalyst 6500 modules do not support ISL – these modules include…

· WS-X6148-GE-TX
· WS-X6548-GE-TX
· WS-X6501-10GEX4
· WS-X6502-10GE

The Voice enabled versions of these linecards also do not support Jumbo Frames
Trunk Mode Encapsulation Types
When a layer 2 interface is defined as a Trunk port it must have its encapsulation type defined
– that is, whether it is going to be an ISL trunk or an IEEE 802.1Q trunk – this is achieved by
setting the trunk encapsulation type on the interface as follows…

6500(config-if)# switchport trunk encapsulation ?
  dot1q      Interface uses only 802.1q trunking encapsulation when trunking
  isl        Interface uses only ISL trunking encapsulation when trunking
  negotiate  Device will negotiate trunking encapsulation with peer on interface

[Diagram: SWITCH A with an ISL Trunk Port and a Dot1Q Trunk Port]

6500(config-if)# switchport trunk encapsulation isl

6500(config-if)# switchport trunk encapsulation dot1q
Trunk Mode Encapsulation Types
A trunk interface can also be configured to negotiate the encapsulation mode it will use with
its peer – this is achieved by using the “negotiate” keyword…

[Diagram: SWITCH A connected to SWITCH B over a Trunk Port – encapsulation mode set to negotiate on both ends]

6500(config-if)# switchport trunk encapsulation ?
  dot1q      Interface uses only 802.1q trunking encapsulation when trunking
  isl        Interface uses only ISL trunking encapsulation when trunking
  negotiate  Device will negotiate trunking encapsulation with peer on interface

If both ends are set to negotiate, the default will be set to 802.1Q if both ends are dot1Q
capable…
802.1Q Native VLAN

The IEEE committee defined the native VLAN to provide for connectivity to old 802.3 ports that did not understand VLAN tags. A Native VLAN on a dot1Q trunk does not have and is not associated with any VLAN tag…

Switch ---- Trunk Port ---- Switch ---- 802.3 port

The Native VLAN is also used by the Switch to carry specific protocol traffic like Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), Port Aggregation Protocol (PAGP) and Dynamic Trunking Protocol (DTP), …

Switch ---- CDP / VTP / DTP ---- Switch
802.1Q Native VLAN

The default Native VLAN is always VLAN 1 when the switch first boots up – but can be changed via a configuration command…

SWITCH ---- TRUNK carrying: VLAN 1 (Native VLAN), VLAN 10, VLAN 22, VLAN 137

The Native VLAN can be defined as any valid VLAN number that is not in the reserved range of VLAN’s.

6500(config-if)# switchport trunk native vlan ?
  <1-4094>  VLAN ID of the native VLAN when this port is in trunking mode
Allowed VLAN’s on a Trunk Port

When a trunk port is defined, it can be defined to carry only specific VLAN’s…

Switch ---- Trunk Port ---- Switch: carry VLAN’s 1-100 and 150-175

6500(config-if)# switchport trunk allowed vlan add 1-100,150-175

The full list of options with this command is displayed below.

6500(config-if)# switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list
Pruned VLAN’s on a Trunk Port

When a trunk port is defined, VLAN’s defined on other switches and passed to a switch trunk port can be eliminated from the trunking configuration – this is called VLAN pruning – the switch gives you the ability to define a specific set of VLAN’s that are eligible for pruning…

Switch ---- Trunk Port ---- Switch: prune VLAN’s 300-400

6500(config-if)# switchport trunk pruning vlan add 300-400

The full list of options with this command is displayed below.

6500(config-if)# switchport trunk pruning vlan ?
  add     add VLANs to the current list
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list
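The allowed-list and pruning-list keywords above share one set of list semantics. The model below is an added example, not code from the training deck: it applies the keywords (WORD, add, all, except, none, remove) to a VLAN set and renders the result the way "show interface switchport" prints ranges. The defaults it starts from (allowed = all, pruning-eligible = 2-1001) are assumptions taken from the show output on the next slide.

```python
"""Model of the "switchport trunk allowed vlan" / "pruning vlan" keywords.

Added example (not from the training deck): applies the keyword semantics to a
VLAN set and renders the result as "show interface switchport" prints ranges.
"""
import re

VLAN_MIN, VLAN_MAX = 1, 4094            # 0 and 4095 are reserved
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))


def parse_vlan_list(word):
    """Expand "1-100,150-175,200" into a set of ints, rejecting out-of-range IDs."""
    vlans = set()
    for item in word.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError("bad VLAN list item: %r" % item)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi or lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError("VLAN range out of bounds: %r" % item)
        vlans.update(range(lo, hi + 1))
    return vlans


def render_vlan_list(vlans):
    """Compress a VLAN set into "2-1001,1006-4094" text (NONE / ALL when applicable)."""
    if not vlans:
        return "NONE"
    if vlans == ALL_VLANS:
        return "ALL"
    ordered = sorted(vlans)
    runs = []
    start = prev = ordered[0]
    for v in ordered[1:]:
        if v == prev + 1:
            prev = v
            continue
        runs.append((start, prev))
        start = prev = v
    runs.append((start, prev))
    return ",".join(str(a) if a == b else "%d-%d" % (a, b) for a, b in runs)


def apply_vlan_command(current, args, allow_all=True):
    """Apply one "switchport trunk {allowed|pruning} vlan <args>" to `current`.

    Returns the set the command leaves configured.  The pruning form has no
    "all" keyword, so allow_all=False rejects it there.
    """
    parts = args.split(None, 1)
    keyword = parts[0].lower()
    rest = parts[1] if len(parts) > 1 else ""
    if keyword == "add":
        return set(current) | parse_vlan_list(rest)
    if keyword == "remove":
        return set(current) - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    if keyword == "none":
        return set()
    if keyword == "all":
        if not allow_all:
            raise ValueError('"all" is not a valid pruning-list keyword')
        return set(ALL_VLANS)
    # A bare WORD replaces the whole list rather than editing it.
    return parse_vlan_list(args)


def walk_through():
    """Worked run following the slides; starting defaults are assumptions."""
    allowed = set(ALL_VLANS)                                   # assumed default: ALL
    allowed = apply_vlan_command(allowed, "none")
    allowed = apply_vlan_command(allowed, "add 1-100,150-175")
    allowed = apply_vlan_command(allowed, "remove 50")
    pruning = parse_vlan_list("2-1001")                        # assumed default: 2-1001
    pruning = apply_vlan_command(pruning, "add 300-400", allow_all=False)
    return render_vlan_list(allowed), render_vlan_list(pruning)


if __name__ == "__main__":
    print(walk_through())
```

Note that "pruning vlan add 300-400" leaves the rendered list at "2-1001": those VLANs were already inside the default pruning-eligible range.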
Displaying Trunk Port Status

The status of the settings of the switchport can be viewed using the following command…

6500# show interface g3/1 switchport
Name: Gi3/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: NONE
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Custom Ethertype

Custom Dot1Q Ethertype is a feature allowing the Ethertype field to have any value. Its primary use is changing the Ethertype value in dot1q tunnel packets from the standard 0x8100, which is the default value used to indicate a Cisco dot1Q tunnel. Customization of this field will allow interoperability with other vendors like Extreme, who use a different Ethertype value for the dot1Q tunnel feature.

An Ethernet 802.1Q Tunnel Frame Format…

DA (6B) | SA (6B) | ETYPE 8100 (2B) | Dot1Q Tag (2B) | ETYPE 8001 (2B) | Dot1Q Tag (2B) | Length/ETYPE (2B) | Data (0-1500B) | FCS (4B)

The first ETYPE/Tag pair is the 802.1Q Tunnel Tag; the second pair is the Original 802.1Q Tag.

The Ethertype field with this feature can be modified to suit any custom Ethertype the customer wishes to use.
Configuring Custom Ethertype

The Ethertype can be configured on Access Ports, Trunk ports or Dot1Q tunneled ports as follows…

Switch ---- Switch ---- Switch ---- Switch

6500(config-if)# switchport dot1q ethertype 0x8300

For custom Ethertype to work, all ports in the path of the packet must be configured to support this custom Ethertype…

Custom Ethertype can be configured on the following modules…

WS-X6516-GBIC, WS-X6516A-GBIC, WS-X6516-GE-TX, WS-X6748-GE-TX, WS-X6724-SFP, WS-X6704-10GE, WS-X6818-GBIC
January 2004
Catalyst 6500
Technical Training
CHAPTER 8: Route Processor Redundancy

CHAPTER 8.1 – Configuring RPR+
RPR and RPR+

The Catalyst 6500 supports failover between two supervisor 720’s installed in the switch – two fault tolerant modes can be configured – Route Processor Redundancy (RPR) and Route Processor Redundancy Plus (RPR+)…

Catalyst 6500 chassis: Sup720-A, Sup720-B, PSU, PSU

RPR provides failover generally within 2 to 4 minutes.

RPR+ provides failover generally within 30 to 60 seconds.

RPR and RPR+ require BOTH supervisors to be the SAME and both must run the SAME IOS image…
Route Processor Redundancy

When the switch boots, RPR runs between the two supervisors.

Catalyst 6500 chassis: Sup720-A, Sup720-B, PSU, PSU

RPR Features
- The first Supervisor to complete the boot process becomes the active Supervisor
- Clock synchronization occurs between Primary and Backup every 60 seconds
- When the redundant supervisor is booted, not all subsystems become operational (i.e. MSFC and PFC are not active)
- Startup configuration and configuration registers are synchronized between supervisors
- GE ports on Redundant Supervisor ARE active
Route Processor Redundancy +

RPR+ enhances the operation of the base RPR feature -

Catalyst 6500 chassis: Sup720-A, Sup720-B, PSU, PSU

RPR+ has all RPR features plus the following enhancements
- Reduces switchover time on failover to between 30 and 60 seconds
- Installed linecards are not reloaded
- Support of OIR for redundant Supervisor
- Manual user initiated switchover to the redundant supervisor

Other Important Points
- Static Routes are maintained across a switchover
- FIB tables are cleared on switchover
- CAM Tables are cleared on switchover
- Other state information (i.e. Netflow records) is not maintained on switchover
Configuring RPR and RPR+

Configuration of RPR and RPR+ is achieved by entering into redundancy configuration mode, then choosing the mode you wish the switch to run in…

6500# conf t
Enter configuration commands, one per line. End with CNTL/Z.
6500(config)# redundancy
6500(config-red)# mode ?
  rpr       Route Processor Redundancy
  rpr-plus  Route Processor Redundancy Plus

RPR:
6500(config-red)# mode rpr

RPR+:
6500(config-red)# mode rpr-plus
Confirming RPR/RPR+ Status

The redundant configuration status of the switch can be viewed using the following…

6500# show redundancy states
my state = 13 -ACTIVE
peer state = 1 -DISABLED
Mode = Simplex Redundant State Configured
Unit = Primary
Unit ID = 5

Redundancy Mode (Operational) = Route Processor Redundancy Plus
Redundancy Mode (Configured) = Route Processor Redundancy Plus
Split Mode = Disabled
Manual Swact = Disabled Reason: Simplex mode
Communications = Down Reason: Simplex mode

client count = 11
client_notification_TMR = 30000 milliseconds
keep_alive TMR = 9000 milliseconds
keep_alive count = 0
keep_alive threshold = 18
RF debug mask = 0x0
Supervisor Synchronization

During normal operation, the primary Supervisor will synchronize its startup configuration and configuration registers with the redundant Supervisor – manual synchronization can also be performed as follows…

PRIMARY SUPERVISOR (Startup-Config, Running-Config, Config-Register) ----> REDUNDANT SUPERVISOR (Startup-Config, Running-Config, Config-Register)

6500(config)# redundancy
6500(config-red)# ?
Redundancy configuration commands:
  exit      Exit from redundancy configuration mode
  main-cpu  Enter main-cpu mode
  mode      redundancy mode for this chassis
  no        Negate a command or set its defaults
6500(config-red)# main-cpu
6500(config-r-mc)# auto-sync ?
  startup-config
  running-config
  config-register
  bootvar

The specific element that needs to be synchronized can be specified in the above command…
Catalyst 6500
Technical Training
CHAPTER 9: Understanding and Configuring Etherchannel

CHAPTER 9.1 – Introduction to Etherchannel
Etherchannel Overview

An Etherchannel combines multiple physical links in the chassis into a single logical link. Ideal for load sharing or link redundancy – can be used by both layer 2 and Layer 3 subsystems…

Physical View: Catalyst 6500 ==== Catalyst 6500 – multiple ports are defined as being part of an Etherchannel group.

Logical View: Catalyst 6500 ---- Catalyst 6500 – subsystems running on the switch only see one logical link.

An Etherchannel can be defined on Ethernet, Fast Ethernet, Gigabit Ethernet or 10 Gigabit Ethernet Ports.
Etherchannel Overview
Some rules…

There are some limits to how many Etherchannel bundles that can be created in a chassis and how many physical links can be in the same Etherchannel group…

Number of Etherchannel groups in a chassis: A maximum of 64 Etherchannel groups can be defined in a 6500 chassis at any one point in time…

Number of physical links in an Etherchannel group: From 2 to 8 physical links can exist in a single Etherchannel group on the Catalyst 6500…

Can an Etherchannel group cross modules: An Etherchannel bundle can exist across modules and non contiguous ports…
Etherchannel Overview
Some rules…
There are some other rules that must be adhered to for an Etherchannel to be successfully
created…

ETHERCHANNEL RESTRICTIONS
1. An Etherchannel Group Number must be in the range of 1 to 256

2. All ports in the target Etherchannel group MUST be in the same VLAN

3. If one physical link in the target Etherchannel group is a TRUNK, then all other ports must be
configured as trunks carrying the same VLAN information

4. Any defined broadcast limits must be the same across all ports in an Etherchannel group

5. An LACP Etherchannel group cannot support any physical links in half duplex mode

6. No port in the Etherchannel group can be defined as a SPAN port

Etherchannel Overview
Automating the creation of an Etherchannel…

There are two protocol options that can be used to automate the creation of an Etherchannel group…

Port Aggregation Protocol (PAGP): Port Aggregation Protocol is a Cisco proprietary protocol that can negotiate the creation of an Etherchannel bundle between two devices running PAGP…

Link Aggregation Control Protocol (LACP): Link Aggregation Control Protocol is part of the IEEE 802.3ad specification for creating a logical link from multiple physical links – both ends of the link need to run LACP to automate creation of Etherchannel groups…
Etherchannel Overview
Automating the creation of an Etherchannel…

Each end of the automation process must be running the same protocol. Using different protocols at each end will not work… Also, links must share the same physical characteristics…

Switch (PAGP) ---- Switch (LACP): A switch running PAGP cannot set up an Etherchannel group with a switch running LACP. Etherchannel protocols at both ends must match in order for an Etherchannel group to be successfully created.

Physical links in an Etherchannel must share similar characteristics (i.e. defined in same VLAN, same speed setting, same duplex setting, etc).
Etherchannel Overview
Port Modes…

Configuration of ports into an Etherchannel is based on pre-defined Etherchannel modes that are assigned as a default or modified via user configuration to an Ethernet port…

Mode       Description
ON         Forces a port to be placed in a channel unconditionally. The channel will only be created if another switch port is connected and it is also configured in “ON” mode. When this condition occurs, no negotiation of the channel is performed by the local Etherchannel protocol.
AUTO       PAGP mode that will negotiate with another PAGP port ONLY if it receives a PAGP packet – this port will not initiate PAGP communications.
DESIRABLE  PAGP mode that causes the port to initiate PAGP negotiation for a channel with another PAGP port.
ACTIVE     LACP mode that causes the port to initiate LACP negotiation for a channel with another LACP port.
PASSIVE    LACP mode that will negotiate an LACP channel only if it receives another LACP packet.
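The restrictions list, the PAGP/LACP mismatch rule and the mode table above together decide whether a bundle comes up. The checker below is an added example, not code from the training deck: channel_forms() encodes the mode table and member_problems() the restrictions; the PortConfig fields and the function names are this example's own.

```python
"""Etherchannel negotiation and member-port consistency checker.

Added example, not from the training deck.  Encodes the port-mode table
(on / auto / desirable / active / passive) and the restrictions listed on the
preceding slides; PortConfig fields and check names are this example's own.
"""
from dataclasses import dataclass

PAGP_MODES = {"auto", "desirable"}
LACP_MODES = {"active", "passive"}


def channel_forms(mode_a, mode_b):
    """(True, protocol) if two ends with these modes bundle, else (False, reason).

    From the mode descriptions: "on" only pairs with "on"; PAgP needs at least
    one "desirable" end; LACP needs at least one "active" end; a PAgP end and
    an LACP end never negotiate a channel with each other.
    """
    a, b = mode_a.lower(), mode_b.lower()
    if a == "on" or b == "on":
        return (True, "none") if a == b else (False, "on only bundles with on")
    if a in PAGP_MODES and b in PAGP_MODES:
        if "desirable" in (a, b):
            return True, "pagp"
        return False, "auto/auto: neither end initiates PAgP"
    if a in LACP_MODES and b in LACP_MODES:
        if "active" in (a, b):
            return True, "lacp"
        return False, "passive/passive: neither end initiates LACP"
    return False, "PAgP and LACP ends cannot negotiate a channel"


@dataclass
class PortConfig:
    name: str
    vlan: int
    trunk: bool
    allowed_vlans: frozenset
    duplex: str           # "full" or "half"
    speed: int            # Mb/s
    broadcast_limit: int  # 0 = no limit configured
    span_port: bool = False


def member_problems(group, ports, protocol):
    """List every restriction the members violate; an empty list means OK."""
    problems = []
    if not 1 <= group <= 256:
        problems.append("group %d outside 1-256" % group)
    if not 2 <= len(ports) <= 8:
        problems.append("%d links; a group needs 2 to 8" % len(ports))
    first = ports[0]
    for p in ports:
        if p.vlan != first.vlan:
            problems.append("%s in VLAN %d, expected %d" % (p.name, p.vlan, first.vlan))
        if p.trunk != first.trunk or (p.trunk and p.allowed_vlans != first.allowed_vlans):
            problems.append("%s trunk/VLAN settings differ from %s" % (p.name, first.name))
        if p.broadcast_limit != first.broadcast_limit:
            problems.append("%s broadcast limit differs" % p.name)
        if p.speed != first.speed or p.duplex != first.duplex:
            problems.append("%s speed/duplex differs" % p.name)
        if protocol == "lacp" and p.duplex == "half":
            problems.append("%s is half duplex; LACP requires full" % p.name)
        if p.span_port:
            problems.append("%s is a SPAN port" % p.name)
    return problems


def demo():
    """Constructed case: two LACP-active trunk ports in channel group 10."""
    ok, proto = channel_forms("active", "active")
    ports = [PortConfig("Fa3/2", 1, True, frozenset(range(1, 101)), "full", 100, 0),
             PortConfig("Fa3/4", 1, True, frozenset(range(1, 101)), "full", 100, 0)]
    return ok, proto, member_problems(10, ports, proto)


if __name__ == "__main__":
    print(demo())
```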
Etherchannel Overview
Load Balancing Options…

How does the switch determine which physical link in the Etherchannel bundle to use to forward the data? Answer – It uses a polymorphic algorithm taking key fields from the header of the packet to generate a hash to a physical link in the Etherchannel group…

Flow of data: Data ---> Switch A ---> Etherchannel links

The administrator can define what fields in the header can be used as input to the algorithm used to determine the physical link to transport the packet…

Packet Header fields for Load Balancing:
Source Layer 4 Port
Destination Layer 4 Port
Source and Destination Layer 4 Port
Source IP Address
Destination IP Address
Source and Destination IP Address
Source MAC Address
Destination MAC Address
Source and Destination MAC Address

Only one of these options can be used at a time.
CHAPTER 9.2 – Etherchannel Configuration
Etherchannel Configuration
Starting Etherchannel Configuration…

An Etherchannel in IOS can be defined as a Layer 2 Etherchannel or a Layer 3 Etherchannel…

Layer 2 Etherchannel: For a Layer 2 Etherchannel, physical ports are placed into an Etherchannel group.

Layer 3 Etherchannel: For a Layer 3 Etherchannel, a Layer 3 SVI is created, then physical ports are placed into an Etherchannel group which is bound to the L3 SVI.

SWITCH PORTS ---> Layer 2 Etherchannel Group
SWITCH PORTS ---> L3 SVI, defined as “interface port-channel x”
Etherchannel Configuration
Configuring Layer 2 Etherchannel…

From configuration mode, enter the interface configuration using the following command where “type” is Ethernet, Fast Ethernet, Gigabit Ethernet or 10 Gigabit Ethernet

6500(config)# interface type slot/port

It is good practice to ensure the port is layer 2 by removing any ip address previously defined on the port

6500(config-if)# no ip address

An optional command to define the Etherchannel protocol to be used – if this is not specified, the port will default to using PAGP

6500(config-if)# channel-protocol ( lacp | pagp )
Etherchannel Configuration
Configuring Layer 2 Etherchannel…

This command places the port into a channel group identified by “number” and sets the Etherchannel mode for this port

6500(config-if)# channel-group number mode ( active | auto | desirable | passive | on )

If LACP is used, a system priority can be assigned – the priority can be from 1 to 65536 – the default is 65536 – The command is applied as follows…

6500(config)# lacp system-priority priority

If LACP is used, a port priority can be assigned to the port – the priority can be from 1 to 65536 – the default is 65536 – The command is applied as follows…

6500(config-if)# lacp port-priority priority
Etherchannel Configuration
Configuring Layer 3 Etherchannel…

To configure a layer 3 Etherchannel, the physical ports defined in the previous section are associated with a special Layer 3 SVI (Switch Virtual Interface)

First define the Layer 3 SVI using the following notation

6500(config)# interface port-channel number

Define the L2 port in the same channel group

6500(config-if)# channel-group number mode ( active | auto | desirable | passive | on )

The “number” defined in the “interface port-channel” command above should match the “number” used in the “channel-group” command – this binds the Logical SVI to physical ports…
Etherchannel Configuration
Configuring Layer 3 Etherchannel…

Following the definition of the “interface port-channel” command, normal layer 3 configuration parameters can be applied to this interface as with other layer 3 routed ports…

6500(config)# interface port-channel number
6500(config-if)# ip address ip_address subnet_mask
6500(config-if)# other layer 3 parameters can be applied
Etherchannel Configuration
Configuring Load Balancing Options…

The packet header fields that are used as input to the algorithm used to determine the physical link that the data will be forwarded across can be chosen as follows…

6500(config)# port-channel load-balance ( src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip | src-port | dst-port | src-dst-port )

The Default is “src-dst-ip”

Layer 2                                    Layer 3                                   Layer 4
src-mac      Use the SRC MAC address       src-ip      Use the SRC IP address        src-port      Use the SRC Port number
dst-mac      Use the DEST MAC address      dst-ip      Use the DEST IP address       dst-port      Use the DEST Port number
src-dst-mac  Use SRC & DEST MAC address    src-dst-ip  Use SRC & DEST IP address     src-dst-port  Use SRC & DEST Port number
Etherchannel Configuration
Configuring a Layer 2 Etherchannel Example…

To configure a Layer 2 Etherchannel group, use the following process…

Switch ports 3/1 to 3/6; ports 3/2 and 3/4 are bundled into channel group 10.

6500(config)# interface f3/2
6500(config-if)# no ip address
6500(config-if)# channel-protocol lacp
6500(config-if)# channel-group 10 mode active
6500(config-if)# lacp system-priority 65536
6500(config-if)# lacp port-priority 65536
6500(config-if)# exit
6500(config)# interface f3/4
6500(config-if)# no ip address
6500(config-if)# channel-protocol lacp
6500(config-if)# channel-group 10 mode active
6500(config-if)# lacp system-priority 65536
6500(config-if)# lacp port-priority 65536
6500(config-if)# exit
Etherchannel Configuration
Configuring a Layer 3 Etherchannel Example…

To configure a Layer 3 Etherchannel group using the ports identified in red in the diagram (3/2 and 3/4 of switch ports 3/1 to 3/6), use the following process…

6500(config)# interface f3/2
6500(config-if)# no ip address
6500(config-if)# channel-protocol lacp
6500(config-if)# channel-group 10 mode active
6500(config-if)# lacp system-priority 65536
6500(config-if)# lacp port-priority 65536
6500(config-if)# exit
6500(config)# interface f3/4
6500(config-if)# no ip address
6500(config-if)# channel-protocol lacp
6500(config-if)# channel-group 10 mode active
6500(config-if)# lacp system-priority 65536
6500(config-if)# lacp port-priority 65536
6500(config-if)# exit

A Layer 3 Etherchannel can be created by simply defining a Layer 3 port channel with the same group number as follows

6500(config)# interface port-channel 10
6500(config-if)# ip address 192.168.1.1 255.255.255.0
Etherchannel Configuration
Etherchannel Show Commands…

This command displays the ports in the Etherchannel bundle…

6500# show interface port-channel ( port channel number ) etherchannel

6500# show int port-channel 271 etherchannel


Age of the Port-channel = 04d:21h:21m:42s
Logical slot/port = 14/1 Number of ports = 6
GC = 0x00000000 HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = -

Ports in the Port-channel:

Index Load Port EC state


------+------+------+------------
0 41 Gi2/1 On/FEC
1 02 Gi2/2 On/FEC
2 04 Gi2/3 On/FEC
3 88 Gi2/4 On/FEC
4 10 Gi2/5 On/FEC
5 20 Gi2/6 On/FEC

Time since last port bundled: 04d:21h:21m:40s Gi2/6
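Tying the load-balance options to the member table above, the following is an added example, not code from the deck. It assumes the hash yields a 3-bit value (8 buckets) and that the Load column is a bitmask of the buckets each member owns (0x41 = buckets 0 and 6), checks that the masks are disjoint and cover every bucket, and picks an egress port for a constructed flow; the XOR-fold hash is an illustrative stand-in, not the Catalyst ASIC algorithm.

```python
"""Map a flow to an Etherchannel member link through the Load bitmask.

Added example, not from the deck.  Assumptions: a 3-bit hash (8 buckets); the
"Load" column of "show interface port-channel ... etherchannel" is a bitmask
of the buckets a member owns; the XOR-fold hash is an illustrative stand-in.
"""
import ipaddress

# Member table copied from the slide's show output (constructed sample text).
SHOW_OUTPUT = """\
Index   Load   Port     EC state
------+------+------+------------
  0     41     Gi2/1    On/FEC
  1     02     Gi2/2    On/FEC
  2     04     Gi2/3    On/FEC
  3     88     Gi2/4    On/FEC
  4     10     Gi2/5    On/FEC
  5     20     Gi2/6    On/FEC
"""

BUCKETS = 8


def parse_load_table(text):
    """Return {bucket: port}; raise if two masks overlap or a bucket has no owner."""
    owner = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[0].isdigit():
            continue                      # header, separator or blank line
        mask = int(fields[1], 16)
        for bucket in range(BUCKETS):
            if mask >> bucket & 1:
                if bucket in owner:
                    raise ValueError("bucket %d claimed twice" % bucket)
                owner[bucket] = fields[2]
    missing = set(range(BUCKETS)) - set(owner)
    if missing:
        raise ValueError("buckets with no owner: %s" % sorted(missing))
    return owner


def hash_fields(flow, method):
    """Select the header bytes named by "port-channel load-balance <method>"."""
    src_ip = ipaddress.ip_address(flow["src_ip"]).packed
    dst_ip = ipaddress.ip_address(flow["dst_ip"]).packed
    src_mac = bytes.fromhex(flow["src_mac"].replace(":", ""))
    dst_mac = bytes.fromhex(flow["dst_mac"].replace(":", ""))
    sport = flow["src_port"].to_bytes(2, "big")
    dport = flow["dst_port"].to_bytes(2, "big")
    table = {
        "src-mac": src_mac, "dst-mac": dst_mac, "src-dst-mac": src_mac + dst_mac,
        "src-ip": src_ip, "dst-ip": dst_ip, "src-dst-ip": src_ip + dst_ip,
        "src-port": sport, "dst-port": dport, "src-dst-port": sport + dport,
    }
    return table[method]


def bucket_for(flow, method="src-dst-ip"):
    """Illustrative 3-bit hash: XOR-fold the chosen bytes, keep the low 3 bits."""
    acc = 0
    for b in hash_fields(flow, method):
        acc ^= b
    return (acc ^ (acc >> 3) ^ (acc >> 6)) & (BUCKETS - 1)


def egress_port(flow, method="src-dst-ip", show_output=SHOW_OUTPUT):
    """Member link the flow is forwarded on under the given load-balance method."""
    return parse_load_table(show_output)[bucket_for(flow, method)]


FLOW = {  # constructed sample flow
    "src_mac": "00:11:22:33:44:55", "dst_mac": "66:77:88:99:aa:bb",
    "src_ip": "192.168.1.10", "dst_ip": "10.0.0.20",
    "src_port": 40000, "dst_port": 443,
}

if __name__ == "__main__":
    for m in ("src-dst-ip", "src-port", "src-dst-mac"):
        print(m, "->", egress_port(FLOW, m))
```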

Etherchannel Configuration
Etherchannel Show Commands…

This command displays the status of the Etherchannel bundle…

6500# show etherchannel summary


Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator

Number of channel-groups in use: 1


Number of aggregators: 1

Group Port-channel Protocol Ports


------+-------------+-----------+-----------------------------------------------
271 Po271(SU) - Gi2/1(P) Gi2/2(P) Gi2/3(P) Gi2/4(P)
Gi2/5(P) Gi2/6(P)

Etherchannel Configuration
Etherchannel Show Commands…

This command displays a detailed view of the Etherchannel bundle…

6500# show etherchannel detail


Channel-group listing:
-----------------------

Group: 271
----------
Group state = L2
Ports: 6 Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol: -
<snip>

Etherchannel Configuration
Etherchannel Show Commands…
…continued from previous page

Ports in the group:


-------------------
Port: Gi2/1
------------

Port state = Up Mstr In-Bndl


Channel group = 271 Mode = On/FEC Gcchange = -
Port-channel = Po271 GC = - Pseudo port-channel = Po271
Port index = 0 Load = 0x41 Protocol = -

Age of the port in the current state: 04d:20h:57m:32s


<snip> - all ports in this bundle are listed here
Port: Gi2/6
------------

Port state = Up Mstr In-Bndl


Channel group = 271 Mode = On/FEC Gcchange = -
Port-channel = Po271 GC = - Pseudo port-channel = Po271
Port index = 5 Load = 0x20 Protocol = -

Age of the port in the current state: 04d:20h:57m:36s

Etherchannel Configuration
Etherchannel Show Commands…
…continued from previous page
Port-channels in the group:
----------------------

Port-channel: Po271
------------

Age of the Port-channel = 04d:20h:57m:39s


Logical slot/port = 14/1 Number of ports = 6
GC = 0x00000000 HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = -

Ports in the Port-channel:

Index Load Port EC state


------+------+------+------------
0 41 Gi2/1 On/FEC
1 02 Gi2/2 On/FEC
2 04 Gi2/3 On/FEC
3 88 Gi2/4 On/FEC
4 10 Gi2/5 On/FEC
5 20 Gi2/6 On/FEC

Time since last port bundled: 04d:20h:57m:37s Gi2/6


Etherchannel Configuration
Etherchannel Show Commands…

An interface can be identified as part of an Etherchannel bundle by the following command…

6500# show interface type slot/port switchport

6500# show interface g2/1 switchport


Name: Gi2/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po271) <<<
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: NONE
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

January 2004
Catalyst 6500
Technical Training
CHAPTER 10: VLAN Trunking Protocol

CHAPTER 10.1 – Understanding VTP
VLAN Trunking Protocol

VTP is a layer 2 protocol that enables switches to exchange and maintain consistent VLAN information amongst a group of switches. VTP allows the creation, deletion and renaming of VLAN’s for switches in the same VTP domain.

VTP Domain “Engineering”: Switch A (VLAN 10) ---- VTP ---- Switch B, Switch C ---- VTP ---- Switch D

For example, information for VLAN 10 defined on Switch A will be propagated via VTP updates to other switches in the same VTP domain… Switch B, C and D will all end up adding VLAN 10 to their local VLAN database.
VTP Domain

The VTP domain consists of a group of adjacent connected switches that are part of the same VTP management domain. A switch can only belong to one VTP domain at any one time – A switch will drop any VTP updates received from switches in other VTP Domains…

VTP Domain “Engineering” | VTP Domain “Marketing”

All links joining up switches in a VTP domain must be defined as trunks to exchange VTP updates…
VTP Domain
Assuming a VTP Domain identity

The VTP domain can be added through configuration or can be learnt from an adjacent VTP switch…

Switch A ---- Switch B ---- VTP ----> Switch C (VTP Domain “Engineering”): Switch C is added to the network connecting via a trunk port to Switch B…

A new switch will default to having no VTP domain – in this mode, when it receives its first VTP update from an adjacent switch, it will become part of the VTP domain identified in the update…

Switch A ---- Switch B ---- Switch C (VTP Domain “Engineering”): Switch C becomes part of VTP Domain “Engineering”…
VTP Domain
Assuming a VTP Domain identity

If a new switch is placed in between two VTP domains, it will join the VTP domain identified by the first VTP update it receives…

Switch A (VTP Domain “Engineering”) ---- VTP ----> Switch C <---- VTP ---- Switch B (VTP Domain “Marketing”)

The only way to change the VTP domain is to use the CLI to change the domain to another…

Switch A (VTP Domain “Engineering”) ---- Switch C ---- Switch B (VTP Domain “Marketing”)
VTP Modes

VTP V1 and V2 in native IOS support three VTP modes – those being VTP Server, VTP Client and VTP Transparent…

VTP Server (NVRAM): VTP Server can modify and store the VTP database in NVRAM – Multiple servers in a single domain could cause a problem known as the bomb…

VTP Client (no NVRAM): VTP Client CANNOT modify and CANNOT store the VTP database in NVRAM.

VTP Transparent (NVRAM): VTP Transparent ignores VTP Updates.
VTP Modes

Each mode provides different capabilities and they are summarized below…

Feature                 Server  Client  Transparent
Send VTP Messages       Yes     Yes     No
Listen to VTP Messages  Yes     Yes     No
Create VLAN’s           Yes     No      Yes (locally significant only)
Delete VLAN’s           Yes     No      Yes (locally significant only)
Rename VLAN’s           Yes     No      Yes (locally significant only)
Remember VLAN’s         Yes     No      Yes (locally significant only)
Understanding VTP Advertisements

Every switch in a VTP domain will send periodic VTP advertisements out each VLAN trunk port to a reserved multicast address – information sent can be used by a receiving switch to update their VLAN configuration…

Switch A ---- VTP ---- Switch B / Switch C ---- VTP ---- Switch D

Global information included in VTP update includes…
ISL/802.1q VLAN ID
ATM Emulated LAN (if applicable)
802.10 SAID (FDDI)
VTP Domain Name
VTP Configuration Revision Number
VLAN Configuration including max MTU
Frame Format
CHAPTER 10.2 – Configuring VTP

January 2004
Catalyst 6500
Technical Training
CHAPTER 11: Virtual LAN’s (VLAN’s)

CHAPTER 11.1 – Understanding VLAN’s
Understanding VLAN’s
VLAN Number Range

When a VLAN is created, it has to be assigned a valid number within a specified range. Currently the VLAN number range is as follows…

VLAN #       Range     Usage                                                        VTP Support
0            Reserved  System Use only                                              N/A
1            Normal    Cisco Default – Usable but cannot be deleted                 Yes
2 - 1001     Normal    Can be created, used and deleted                             Yes
1002 - 1005  Normal    Defaults for Token Ring and FDDI – Cannot be deleted         Yes
1006 - 4094  Extended  For Ethernet VLAN’s only - Can be created, used and deleted  No
4095         Reserved  System Use only                                              N/A

NOTE: Configuring extended VLAN’s requires additional configuration
Understanding VLAN’s
Extended VLAN’s

Each VLAN consumes a MAC address (used by Spanning Tree to build a bridge ID). As the switch only has 1024 MAC addresses, using extended VLAN’s (1006 – 4094) requires users to enable the “extended system-id” feature – this enables the switch to build a unique bridge ID for all potential 4094 VLAN’s…

Normal Spanning Tree Bridge ID is built as follows…

Bridge Priority (2 bytes – 16 bits) | MAC Address (6 bytes – 48 bits)

Bridge Priority without extended system-id configured: Bridge Priority (2 bytes – 16 bits)

Bridge Priority with extended system-id configured: Bridge Priority (4 bits) | Extended System ID (VLAN) (12 bits)
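The bridge ID layouts above, packed as bytes, as an added example that is not from the deck: without extended system-id the 16-bit field is the raw priority; with it the field is 4 bits of priority plus the 12-bit VLAN, so one base MAC yields a distinct bridge ID for every VLAN. The BASE_MAC value and the helper names are this example's own.

```python
"""Build the Spanning Tree bridge ID with and without extended system-id.

Added example, not from the deck: packs the 16-bit priority field and the
48-bit MAC shown on the slide; with extended system-id the priority field is
split into 4 bits of priority and 12 bits of VLAN number.
"""
import struct


def bridge_id(priority, mac, vlan=None):
    """Return the 8-byte bridge ID; vlan=None means extended system-id is off."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace(".", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC must be 48 bits")
    if vlan is None:
        if not 0 <= priority <= 0xFFFF:
            raise ValueError("priority must fit in 16 bits")
        field = priority
    else:
        # 4-bit priority (a multiple of 4096) + 12-bit VLAN number
        if priority % 4096 or not 0 <= priority <= 61440:
            raise ValueError("with extended system-id the priority is a multiple of 4096")
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN out of range")
        field = priority | vlan
    return struct.pack("!H", field) + mac_bytes


def decode_bridge_id(bid, extended=True):
    """Split an 8-byte bridge ID back into its priority, VLAN (if any) and MAC."""
    field = struct.unpack("!H", bid[:2])[0]
    mac = bid[2:].hex(":")
    if extended:
        return {"priority": field & 0xF000, "vlan": field & 0x0FFF, "mac": mac}
    return {"priority": field, "vlan": None, "mac": mac}


BASE_MAC = "00:0c:29:aa:bb:cc"   # constructed sample MAC


def ids_for_vlans(vlans, priority=32768):
    """One bridge ID per VLAN from a single MAC; distinct thanks to the VLAN bits."""
    return {v: bridge_id(priority, BASE_MAC, v) for v in vlans}


if __name__ == "__main__":
    print(bridge_id(32768, BASE_MAC, 137).hex())
```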
Understanding VLAN’s
Internal VLAN’s

The Catalyst 6500 uses a VLAN number internally to represent a layer 3 port – that being a physical layer 3 port (like a FlexWAN or a routed Ethernet port) or a logical layer 3 port (like a sub-interface on a FlexWAN port, etc)…

STD VLAN 1-1001: Standard Ethernet layer 2 port can be placed in any VLAN; VLAN interface can use any VLAN number

EXTD VLAN 1006 to 4094: A layer 3 Ethernet port or a FLEXWAN/OSM layer 3 port each consumes 1 extended VLAN number; a sub-interface consumes 1 extended VLAN number
Understanding VLAN’s
Internal VLAN’s

Once an extended VLAN is consumed by a layer 3 port, it cannot be used for other purposes… The switch can be configured to define the allocation policy – that is, should extended VLAN numbers be allocated bottom up (from 1006 up) or top down (from 4094 down)…

INTERNAL VLAN ALLOCATION POLICY

Ascending (1006, 1007, 1008, 1009, …): Allocation policy of ascending indicates the VLAN’s allocated to layer 3 interfaces will be assigned from 1006 and upwards…

Descending (…, 4091, 4092, 4093, 4094): Allocation policy of descending indicates the VLAN’s allocated to layer 3 interfaces will be assigned from 4094 and downwards…
Understanding VLAN’s
VLAN Port Types

Switch Ports defined as an access port are placed in a VLAN. They can only belong to one VLAN at a time. Special Switch Ports can be defined as a VLAN Trunk Port which is designed to carry traffic from multiple VLAN’s… Trunk ports tend to be defined for links to other switches or routers…

Access Ports:
Port 2/1 – VLAN 20
Port 2/2 – VLAN 10
Port 2/3 – VLAN 10
Port 2/4 – VLAN 30
Port 2/5 – VLAN 20
Port 2/6 – VLAN 30

Trunk Ports: Switch ---- Switch
Understanding VLAN’s
VLAN Trunks - Tagging
Cisco Systems
A VLAN trunk will tag data with its VLAN number, so the destination switch will know which
VLAN to forward the packet to – There are two technologies supported in the Catalyst 6500 to
“tag” VLAN’s and they are ISL and 802.1Q – these are typically implemented in ASIC’s to
maximize performance

Individual VLAN’s (10, 20 and 30) run on Access Ports on each switch; a single Trunk Port
between the two switches carries traffic from all of them

180
Understanding VLAN’s
VLAN Tagging – ISL
Inter Switch Link (ISL) was the first VLAN tagging mechanism released by Cisco. It is a “two
level” tagging mechanism as it prepends and appends tags both at the front and back of the
encapsulated frame… It supports 1024 VLAN numbers

ISL Header (26 Bytes): DA | Type | User | SA | LEN | AAAA03 | HSA | VLAN | BPDU | INDEX | RES
followed by the encapsulated frame (Data) and an ISL FCS (4 Bytes)

VLAN’s 10, 20 and 30 are carried across the trunk between the two switches, each frame
ISL-encapsulated with its VLAN number

181
Understanding VLAN’s
VLAN Tagging – 802.1Q
802.1Q is an IEEE standard for VLAN Tagging - It is a “one level” tagging mechanism inserting
a single tag within the Ethernet frame… Unlike ISL, it supports the full 4096 VLAN numbers…

Tagged frame: DA | SA | ETH-TYPE | TAG | TYPE/LEN | DATA
TAG fields: User Priority | CFI | VLAN Number

VLAN’s 10, 20 and 30 are carried across the trunk between the two switches, each frame
carrying the 802.1Q tag for its VLAN
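The two encapsulations on these slides differ in where the VLAN information goes and how many bits it gets. The following is an added example written for this page, not Cisco code: it builds the 4-byte 802.1Q tag (3-bit user priority, 1-bit CFI, 12-bit VLAN) and inserts it after the source MAC, parses it back out, and builds the 26-byte ISL header from the field list on the ISL slide, wrapping the same frame front and back. The MAC addresses, payload and the all-zero FCS placeholder are constructed; the ISL LEN accounting follows the ISL specification as the author of this example understands it and is noted as an assumption in the code.

```python
"""802.1Q and ISL encapsulation of an Ethernet frame (added example, not Cisco code).

Builds the 26-byte ISL header and the 4-byte 802.1Q tag from the field
layouts on the slides, applies each to the same constructed frame, and
parses the 802.1Q tag back out.
"""
import struct

DOT1Q_ETHERTYPE = 0x8100
ISL_DA = bytes.fromhex("01000c0000")  # 40-bit ISL destination address

# Constructed sample frame: dst MAC, src MAC, EtherType (IPv4), short payload
SAMPLE_FRAME = (bytes.fromhex("00aa00bb00cc") + bytes.fromhex("00dd00ee00ff")
                + struct.pack("!H", 0x0800) + b"payload-bytes")


def dot1q_tag(vlan: int, priority: int = 0, cfi: int = 0) -> bytes:
    """4-byte tag: EtherType 0x8100 + TCI (3-bit priority, 1-bit CFI, 12-bit VLAN)."""
    if not 0 <= vlan <= 4095:
        raise ValueError("VLAN ID is a 12-bit field (0-4095)")
    if not 0 <= priority <= 7:
        raise ValueError("user priority is 3 bits")
    tci = (priority << 13) | ((cfi & 1) << 12) | vlan
    return struct.pack("!HH", DOT1Q_ETHERTYPE, tci)


def dot1q_encapsulate(frame: bytes, vlan: int, priority: int = 0) -> bytes:
    """One-level tagging: insert the tag between the source MAC and Type/Length."""
    return frame[:12] + dot1q_tag(vlan, priority) + frame[12:]


def dot1q_decapsulate(frame: bytes):
    """Return (priority, cfi, vlan, untagged_frame); raises if the frame is untagged."""
    ethertype, tci = struct.unpack("!HH", frame[12:16])
    if ethertype != DOT1Q_ETHERTYPE:
        raise ValueError("frame carries no 802.1Q tag")
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF, frame[:12] + frame[16:]


def isl_header(vlan: int, src_mac: bytes, length_field: int, bpdu: int = 0) -> bytes:
    """26-byte ISL header: DA(40) TYPE(4) USER(4) SA(48) LEN(16) AAAA03(24)
    HSA(24) VLAN(15) BPDU(1) INDEX(16) RES(16)."""
    if not 0 <= vlan < 1024:
        raise ValueError("ISL carries 1024 VLAN numbers")
    type_user = (0x0 << 4) | 0x0       # TYPE 0 = Ethernet, USER 0 = normal priority
    vlan_bpdu = (vlan << 1) | (bpdu & 1)
    return (ISL_DA + bytes([type_user]) + src_mac + struct.pack("!H", length_field)
            + bytes.fromhex("aaaa03") + src_mac[:3]   # HSA = upper 3 bytes of the SA
            + struct.pack("!HHH", vlan_bpdu, 0, 0))   # INDEX and RES left at zero here


def isl_encapsulate(frame: bytes, vlan: int) -> bytes:
    """Two-level tagging: ISL header in front, ISL FCS behind.

    Assumption in this example: LEN counts the whole ISL packet minus the
    18 bytes of DA, TYPE, USER, SA, LEN and FCS. The 4-byte FCS is a zero
    placeholder rather than a computed CRC.
    """
    total = 26 + len(frame) + 4
    header = isl_header(vlan, frame[6:12], total - 18)
    return header + frame + b"\x00\x00\x00\x00"


def raises_value_error(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    tagged = dot1q_encapsulate(SAMPLE_FRAME, 20, priority=5)
    print(dot1q_decapsulate(tagged)[:3])                       # (5, 0, 20)
    print(len(isl_encapsulate(SAMPLE_FRAME, 20)) - len(SAMPLE_FRAME))  # 30 bytes of overhead
```

The 12-bit field in the 802.1Q TCI is what gives the "full 4096 VLAN numbers" of the slide; the ISL builder refuses anything at or above 1024.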
182
Understanding VLAN’s
Mapping Dot1Q to ISL VLAN’s
There may be occasions where a user group is split across a Dot1Q network and an ISL network –
in this case, to allow communication between the two disparate groups, VLAN mapping must
take place on a switch that bridges the two networks…

Dot1Q network <-> SWITCH (Map Table) <-> ISL network

The switch will maintain a map table that maps a Dot1Q VLAN to an ISL VLAN…

183
Understanding VLAN’s
Mapping Dot1Q to ISL VLAN’s Rules

Dot1Q network <-> SWITCH <-> ISL network

Rules for mapping Dot1Q VLAN’s to ISL VLAN’s

1. You can configure up to eight 802.1Q-to-ISL VLAN mappings on the Catalyst 6500 series
switch.
2. You can only map 802.1Q VLAN’s to Ethernet-type ISL VLAN’s.
3. Do not enter the native VLAN of any 802.1Q trunk in the mapping table.
4. When you map an 802.1Q VLAN to an ISL VLAN, traffic on the 802.1Q VLAN corresponding
to the mapped ISL VLAN is blocked. For example, if you map 802.1Q VLAN 1007 to ISL VLAN
200, traffic on 802.1Q VLAN 200 is blocked.
5. VLAN mappings are local to each Catalyst 6500 series switch. Make sure you configure the
same VLAN mappings on all appropriate network devices.
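Rule 4 is the one that surprises people, so it is worth seeing the mapping table act on traffic. The following is an added example written for this page, not Cisco code: a mapping table that enforces rules 1 to 3 when an entry is added and then resolves what VLAN a frame belongs to on ingress from, and egress to, an 802.1Q trunk, reproducing the blocked 802.1Q VLAN 200 of the slide's example. The set of native VLANs is a constructed input, and treating "Ethernet-type ISL VLAN" as the normal range 1-1001 (1002-1005 being the FDDI/Token Ring defaults) is a simplification made by this example.

```python
"""802.1Q-to-ISL VLAN mapping table with the five rules from the slide
(added example, not Cisco code). Sample VLAN numbers follow the slide (1007 -> 200)."""

MAX_MAPPINGS = 8


class VlanMappingTable:
    def __init__(self, native_vlans):
        # native VLANs of this switch's 802.1Q trunks (constructed input): rule 3 forbids mapping them
        self.native_vlans = set(native_vlans)
        self.dot1q_to_isl = {}

    def add(self, dot1q_vlan: int, isl_vlan: int) -> None:
        """'vlan mapping dot1q <dot1q_vlan> isl <isl_vlan>' with the configuration rules applied."""
        if dot1q_vlan not in self.dot1q_to_isl and len(self.dot1q_to_isl) >= MAX_MAPPINGS:
            raise ValueError("rule 1: at most eight 802.1Q-to-ISL mappings")
        if not 1 <= isl_vlan <= 1001:
            # simplification: Ethernet-type ISL VLANs taken as the normal range 1-1001
            raise ValueError("rule 2: ISL target must be an Ethernet-type VLAN (1-1001)")
        if dot1q_vlan in self.native_vlans:
            raise ValueError("rule 3: native VLAN of an 802.1Q trunk cannot be mapped")
        if isl_vlan in self.dot1q_to_isl.values() and self.dot1q_to_isl.get(dot1q_vlan) != isl_vlan:
            raise ValueError("ISL VLAN %d already has a mapping" % isl_vlan)
        self.dot1q_to_isl[dot1q_vlan] = isl_vlan
        # rule 5 is operational: this table exists on one switch only and must be repeated elsewhere

    def ingress_dot1q(self, vlan: int):
        """VLAN a frame belongs to inside the switch after arriving on an 802.1Q trunk.
        Returns None when rule 4 blocks it: 802.1Q traffic on a mapped ISL VLAN number."""
        if vlan in self.dot1q_to_isl:
            return self.dot1q_to_isl[vlan]
        if vlan in self.dot1q_to_isl.values():
            return None
        return vlan

    def egress_dot1q(self, internal_vlan: int) -> int:
        """Tag written when a frame leaves on an 802.1Q trunk (reverse translation)."""
        for dot1q_vlan, isl_vlan in self.dot1q_to_isl.items():
            if isl_vlan == internal_vlan:
                return dot1q_vlan
        return internal_vlan


def raises_value_error(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    table = VlanMappingTable(native_vlans={1})
    table.add(1007, 200)
    print(table.ingress_dot1q(1007), table.ingress_dot1q(200), table.egress_dot1q(200))
```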

184

CHAPTER 11.2 – Configuring VLAN’s

185
Configuring VLAN’s
Ethernet Default VLAN Configuration
The default VLAN configuration for Ethernet ports in the Catalyst 6500 is…

Parameter               Default                                                Range
----------------------  -----------------------------------------------------  --------------
VLAN ID                 1                                                      1-4094
VLAN Name               “Default” for VLAN 1, “VLANvlan_id” for other VLAN’s   ---
MTU Size                1500                                                   576 - 18190
Translational Bridge 1  0                                                      0 - 1005
Translational Bridge 2  0                                                      0 - 1005
VLAN State              Active                                                 Active/Suspend
Eligible for Pruning    Prune eligible for VLAN’s 2-1001; VLAN’s 1006-4094     ---
                        not eligible for pruning

186
Configuring VLAN’s
VLAN Configuration Options
A VLAN can only be configured on a switch defined as a VTP Server or when it is in VTP
Transparent Mode – VTP Clients cannot configure VLAN’s… There are two ways to configure
VLAN’s – in Global Configuration Mode or VLAN Database Mode (which is being deprecated)

VLAN Database Mode

6500# vlan database
% Warning: It is recommended to configure VLAN from config mode,
as VLAN database mode is being deprecated. Please consult user
documentation for configuring VTP/VLAN in config mode.
6500(vlan)# vlan 320
VLAN 320 added:
Name: VLAN0320

Global Configuration Mode

6500# conf t
Enter configuration commands, one per line. End with CNTL/Z.
6500(config)# vlan 330
6500(config-vlan)#

187
Configuring VLAN’s
Creating and Modifying
Once a VLAN has been created in global configuration mode, a range of options are then
presented to the user with which to modify the VLAN from its defaults…
6500(config-vlan)#?
VLAN configuration commands:
are Maximumn number of All Route Explorer hops for this VLAN (or
zero if none specified)
backupcrf Backup CRF mode of the VLAN
bridge Bridging characteristics of the VLAN
exit Apply changes, bump revision number, and exit mode
media Media type of the VLAN
mtu VLAN Maximum Transmission Unit
name Ascii name of the VLAN
no Negate a command or set its defaults
parent ID number of the Parent VLAN of FDDI or Token Ring type VLANs
private-vlan Configure a private VLAN
remote-span Configure as Remote SPAN VLAN
ring Ring number of FDDI or Token Ring type VLANs
said IEEE 802.10 SAID
shutdown Shutdown VLAN switching
state Operational state of the VLAN
ste Maximumn number of Spanning Tree Explorer hops for this VLAN
(or zero if none specified)
stp Spanning tree characteristics of the VLAN
tb-vlan1 ID number of the first translational VLAN for this VLAN (or
zero if none)
tb-vlan2 ID number of the second translational VLAN for this VLAN (or
zero if none)

188
Configuring VLAN’s
Creating and Modifying Extended VLAN’s
Creating an extended VLAN will not work without some additional configuration…

6500(config)# vlan 3000
6500(config-vlan)#
% Failed to create VLANs 3000
Spanning-tree extend system-id need to be enabled.

To create an extended VLAN, the extended system-id feature must be enabled…

6500(config)# spanning-tree extend ?
system-id Extend system-id into priority portion of the bridge id (PVSTonly)
6500(config)# spanning-tree extend system-id
6d05h: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan

After enabling this feature, extended VLAN’s can be created…

6500(config)# vlan 3000
6500(config-vlan)#

189
Configuring VLAN’s
Creating and Modifying
The maximum MTU size for this VLAN can be specified as follows…

6500(config-vlan)# mtu ?
<576-18190> Value of VLAN Maximum Tranmission Unit

A name other than the default “VLANvlan_number” can be assigned as follows…

6500(config-vlan)# name ?
WORD The ascii name for the VLAN

Specify whether this VLAN is active or suspended…

6500(config-vlan)# state ?
active VLAN Active State
suspend VLAN Suspended State

190
Configuring VLAN’s
Assigning VLAN’s to Switch Ports
Once the VLAN has been created, it can be assigned to an access port. First the port must
be defined as a layer 2 port – this is done by issuing the switchport command as shown
below…

6500(config)# interface g1/14
6500(config-if)# switchport

Next the VLAN can be assigned to this port as follows…

6500(config)# interface g1/14
6500(config-if)# switchport
6500(config-if)# switchport access vlan ?
<1-4094> VLAN ID of the VLAN when this port is in access mode
6500(config-if)# switchport access vlan 330
6500(config-if)#

Interface G1/14 in the example above is now in VLAN 330

191
Configuring VLAN’s
Assigning VLAN’s to Switch Ports
The VLAN assignment can be confirmed by using the following show command…

6500(config)# show interface g1/14 switchport
Name: Gi1/14
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 330 (VLAN0330)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled

The “Access Mode VLAN: 330 (VLAN0330)” line confirms the port has been placed in VLAN 330
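The output above also shows something the VLAN assignment alone does not settle: the port is still in the default administrative mode "dynamic desirable" with trunk negotiation on, so it would become a trunk if its neighbour negotiated one. The following is an added example written for this page, not Cisco code: it parses the Key: Value lines of this show output into a dictionary and audits a port that is meant to be a plain access port, reporting the negotiable mode, active DTP negotiation and use of VLAN 1. The first sample is reconstructed from the slide; the second, labelled as constructed, is the same port after the "switchport mode access" option shown later in this chapter, with the mode and negotiation values IOS reports in that state.

```python
"""Audit of 'show interface <x> switchport' output (added example, not Cisco code).

Parses the Key: Value lines into a dictionary and checks whether a port that
is meant to be a plain access port is actually pinned to that role.
"""

# reconstructed from the slide
SLIDE_OUTPUT = """\
Name: Gi1/14
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 330 (VLAN0330)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
"""

# constructed: the same port after 'switchport mode access'
HARDENED_OUTPUT = SLIDE_OUTPUT.replace(
    "Administrative Mode: dynamic desirable", "Administrative Mode: static access"
).replace("Negotiation of Trunking: On", "Negotiation of Trunking: Off")


def parse_switchport(text: str) -> dict:
    """Turn 'Key: value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def access_vlan(fields: dict) -> int:
    """'330 (VLAN0330)' -> 330"""
    return int(fields["Access Mode VLAN"].split()[0])


def audit_access_port(fields: dict) -> list:
    """Findings for a port that is meant to be an access port; empty list means clean."""
    findings = []
    mode = fields.get("Administrative Mode", "")
    if mode.startswith("dynamic"):
        findings.append("administrative mode '%s': the port will still negotiate trunking "
                        "with its neighbour; pin it with 'switchport mode access'" % mode)
    if fields.get("Negotiation of Trunking") == "On":
        findings.append("DTP negotiation is on")
    if access_vlan(fields) == 1:
        findings.append("port is left in the default VLAN 1")
    return findings


if __name__ == "__main__":
    for name, text in (("slide", SLIDE_OUTPUT), ("hardened", HARDENED_OUTPUT)):
        print(name, audit_access_port(parse_switchport(text)))
```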

192
Configuring VLAN’s
Internal VLAN Allocation Policy
Internal VLAN usage on the switch can be viewed using the following command…

6500# show vlan internal usage

VLAN Usage
---- --------------------
1006 online diag vlan0
1007 online diag vlan1
1008 online diag vlan2
1009 online diag vlan3
1010 online diag vlan4
1011 online diag vlan5
1012 PM vlan process (trunk tagging)
1013 L3 multicast partial shortcuts for VPN 0
1014 vrf_0_vlan
1016 GigabitEthernet5/1
1018 GigabitEthernet1/1
1019 GigabitEthernet1/13

In the example above, it can be seen that the allocation policy is “Ascending”, that being
the internal VLAN’s have been allocated from 1006 and upwards…

193
Configuring VLAN’s
Internal VLAN Allocation Policy
If the Internal VLAN allocation policy needs to be changed, then the following command can
be used…

6500(config)# vlan internal allocation policy ?
ascending Allocate internal VLAN in ascending order
descending Allocate internal VLAN in descending order

Ascending allocates 1006, 1007, 1008, 1009, … upwards; descending allocates 4094, 4093, 4092,
4091, … downwards.

If the policy is changed, then the switch needs to be reloaded for the change to take effect

194
Configuring VLAN’s
Creating VLAN Trunks
A Switchport can be configured as a VLAN Trunk Port. It must first be defined as a layer 2 port
as follows…

6500(config)# interface g1/15
6500(config-if)# switchport

Next the interface can be enabled as a Trunk port – first the VLAN trunk encapsulation
must be defined…

6500(config-if)# switchport trunk encapsulation ?
dot1q Interface uses only 802.1q trunking encapsulation when trunking
isl Interface uses only ISL trunking encapsulation when trunking
negotiate Device will negotiate trunking encapsulation with peer on
interface

For the purposes of this exercise, we will assume a Dot1Q trunk has been defined…

195
Configuring VLAN’s
Creating VLAN Trunks
After the encapsulation type is chosen, the mode in which this trunk port is going to
operate must be defined…

6500(config-if)# switchport mode ?
access Set trunking mode to ACCESS unconditionally
dot1q-tunnel set trunking mode to TUNNEL unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
private-vlan Set the mode to private-vlan host or promiscuous
trunk Set trunking mode to TRUNK unconditionally

Assuming we want the trunk to initiate negotiation, we would choose the “dynamic” option –
dynamic takes a further sub-category, auto or desirable, which finishes off the configuration
of the trunk port

6500(config-if)# switchport mode dynamic ?
auto Set trunking mode dynamic negotiation parameter to AUTO
desirable Set trunking mode dynamic negotiation parameter to DESIRABLE

196
Configuring VLAN’s
Creating VLAN Trunks
By default the trunk will allow all VLAN’s to be carried across the link – this behavior can
be changed by specifying which VLAN’s are allowed…

6500(config-if)# switchport trunk allowed vlan ?
WORD VLAN IDs of the allowed VLANs when this port is in trunking mode
add add VLANs to the current list
all all VLANs
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list

VLAN’s can also be configured to be pruned from the trunk using the following command

6500(config-if)# switchport trunk pruning vlan ?
add add VLANs to the current list
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list
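The add / remove / except / all / none keywords above are set operations over VLAN range strings such as "1-1001,3000", and getting the resulting allowed list right matters because a trunk left at "ALL" carries every VLAN on the switch. The following is an added example written for this page, not Cisco code: it parses and renders IOS-style range lists, applies each keyword of the allowed-VLAN command to a current set, and intersects a set with the default prune-eligible range 2-1001 from the default configuration table earlier in this chapter. The sample lists in the test are constructed.

```python
"""Allowed-VLAN list arithmetic for 'switchport trunk allowed vlan'
(added example, not Cisco code). Implements the add / remove / except / all /
none keywords over IOS-style range strings and renders the result back."""

ALL_VLANS = frozenset(range(1, 4095))
DEFAULT_PRUNE_ELIGIBLE = frozenset(range(2, 1002))  # 2-1001 per the default VLAN table


def parse_vlan_list(text: str) -> frozenset:
    """'10,20-22,3000' -> {10, 20, 21, 22, 3000}"""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError("VLAN range out of bounds: %s" % part)
        vlans.update(range(lo, hi + 1))
    return frozenset(vlans)


def format_vlan_list(vlans) -> str:
    """{1,2,3,10} -> '1-3,10'; empty -> 'none'; every VLAN -> 'ALL'."""
    if not vlans:
        return "none"
    if frozenset(vlans) == ALL_VLANS:
        return "ALL"
    out, ordered = [], sorted(vlans)
    start = prev = ordered[0]
    for v in ordered[1:] + [None]:        # None flushes the last run
        if v is not None and v == prev + 1:
            prev = v
            continue
        out.append(str(start) if start == prev else "%d-%d" % (start, prev))
        if v is not None:
            start = prev = v
    return ",".join(out)


def allowed_vlan(current: frozenset, keyword: str, arg: str = "") -> frozenset:
    """Apply one 'switchport trunk allowed vlan <keyword> [list]' command.
    'list' stands for the bare WORD form, which replaces the current set."""
    if keyword == "all":
        return ALL_VLANS
    if keyword == "none":
        return frozenset()
    if keyword == "except":
        return ALL_VLANS - parse_vlan_list(arg)
    if keyword == "add":
        return current | parse_vlan_list(arg)
    if keyword == "remove":
        return current - parse_vlan_list(arg)
    if keyword == "list":
        return parse_vlan_list(arg)
    raise ValueError("unknown keyword %r" % keyword)


def pruning_eligible(vlans) -> frozenset:
    """VLANs from the set that VTP pruning may remove from the trunk by default."""
    return frozenset(vlans) & DEFAULT_PRUNE_ELIGIBLE


def raises_value_error(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    allowed = allowed_vlan(ALL_VLANS, "except", "1,1002-1005")
    print(format_vlan_list(allowed))                    # 2-1001,1006-4094
    print(format_vlan_list(pruning_eligible(allowed)))  # 2-1001
```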

197
Configuring VLAN’s
Creating VLAN Trunks
If the port were to stop trunking, you can define the access VLAN that the trunk port would
become a part of using the following command…

6500(config)# interface g1/15
6500(config-if)# switchport
6500(config-if)# switchport access vlan ?
<1-4094> VLAN ID of the VLAN when this port is in access mode
6500(config-if)# switchport access vlan 500
6500(config-if)#

An optional command is the ability to change the default native VLAN from 1 to another
number for this trunk. The native VLAN can be changed using the following command…

6500(config-if)# switchport trunk native vlan ?
<1-4094> VLAN ID of the native VLAN when this port is in trunking mode

198
Configuring VLAN’s
Mapping 802.1Q VLAN’s to ISL VLAN’s
Dot1Q VLAN’s can be manually mapped to an ISL VLAN using the following command…

Specify the dot1q VLAN first

6500(config)# vlan mapping dot1q ?
<1-4095> VLAN ID of the .1Q VLAN to map from/to on all incoming/outgoing .1Q trunks

Then the ISL keyword with the ISL VLAN

6500(config)# vlan mapping dot1q 3000 isl ?
<1-4094> VLAN ID of the ISL VLAN to map to/from on the local device

6500(config)# vlan mapping dot1q 3000 isl 200

199
Configuring VLAN’s
Mapping 802.1Q VLAN’s to ISL VLAN’s
The results of the mapping can be viewed using the following command…

6500# show vlan mapping

General VLAN Translations:

Original VLAN Translated VLAN
------------- ---------------

802.1Q Trunk Remapped VLANs:

802.1Q VLAN ISL VLAN
----------- -----------
3000        200
6500#

200
Configuring VLAN’s
Display VLAN’s
Information on VLAN’s can be shown using a range of show commands…

6500# show vlan ?
access-log VACL Logging
access-map VLAN access-map
brief VTP all VLAN status in brief
counters VLAN traffic counters for all VLANs
dot1q Display dot1q parameters
filter VLAN filter information
id VTP VLAN status by VLAN id
ifindex SNMP ifIndex
internal VLAN internal usage
mapping Show VLAN mappings
name VTP VLAN status by VLAN name
private-vlan Private VLAN information
remote-span Remote SPAN VLANs
summary VLAN summary information
| Output modifiers
<cr>

201
Configuring VLAN’s
Display VLAN’s
6500# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/2, Gi1/5, Gi1/6, Gi1/7
                                                Gi1/8, Gi1/12, Gi1/14, Gi3/3
                                                Gi3/4, Gi3/5, Gi3/6, Gi3/7
                                                Gi4/1, Gi4/2, Gi4/3, Gi4/4
                                                Gi4/5, Gi4/6, Gi4/8
101  VLAN0101                         active    Gi3/2
300  VLAN0300                         active
310  marketing                        active
320  VLAN0320                         active
330  VLAN0330                         active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup
3000 VLAN3000                         active

802.1Q Trunk Remapped VLANs:

802.1Q VLAN ISL VLAN
----------- -----------
3000        200

202
Configuring VLAN’s
Display VLAN’s
VLAN counters for each VLAN can be displayed as follows…

6500# show vlan counters
* Multicast counters include broadcast packets

Vlan Id : 1
L2 Unicast Packets : 37602
L2 Unicast Octets : 3701591
L3 Input Unicast Packets : 12025
L3 Input Unicast Octets : 12597999
L3 Output Unicast Packets : 13855
L3 Output Unicast Octets : 1662068
L3 Output Multicast Packets : 0
L3 Output Multicast Octets : 0
L3 Input Multicast Packets : 0
L3 Input Multicast Octets : 0
L2 Multicast Packets : 1942
L2 Multicast Octets : 124312

<snip>

203
Configuring VLAN’s
Display VLAN’s

6500# show vlan id 3000

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3000 Engineering                      active    Gi1/2, Gi1/5, Gi1/6, Gi1/7
                                                Gi1/8, Gi1/12, Gi1/14, Gi3/3
                                                Gi3/4, Gi3/5, Gi3/6, Gi3/7
                                                Gi4/1, Gi4/2, Gi4/3, Gi5/2

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
3000 enet  103000     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

6500#

204

January 2004
Catalyst 6500
Technical Training
CHAPTER 12: Private Virtual LAN’s (PVLAN’s)

205

CHAPTER 12.1 – Understanding PVLAN’s

206
What is a Private VLAN…
A Private VLAN is a way to provide layer 2 isolation between hosts in the same subnet…
The setup of a Private VLAN defines a primary VLAN within which all hosts reside, then defines
a set of secondary VLAN’s that can be isolated from one another…

Figure: a Linecard whose ports all sit in one Private VLAN, divided into three secondary VLAN’s

The above example shows a single private VLAN with 3 distinct “secondary VLAN’s” within its
framework…

207
What is a Private VLAN…
Elements of a Private VLAN
A Private VLAN contains four elements – the Private VLAN itself – the secondary VLAN’s known
as the Community VLAN and Isolated VLAN – and the Promiscuous Port…

Figure: one Private VLAN with a Promiscuous Port at the top and host ports below it in
Community VLAN’s A, B, C, D and F and Isolated VLAN E

To add a switch port into a Private VLAN, the switchport must be added into either a
Community VLAN or an Isolated VLAN…

208
What is a Private VLAN…
The Community VLAN
The Community VLAN defines a set of ports that can communicate at layer 2 with each other
(within the same Community VLAN) without hindrance – BUT – cannot communicate with ports
in other Community or Isolated VLAN’s without first going through the Promiscuous Port…

Figure: Promiscuous Port above Community VLAN A and Community VLAN B
- Ports in Community VLAN A can talk to any other ports in the same Community VLAN
- Ports in different Community VLAN’s cannot communicate without going through the
Promiscuous Port

209
What is a Private VLAN…
The Isolated VLAN
The Isolated VLAN defines a set of ports that CANNOT communicate at layer 2 with any other
port within the Private VLAN (either another Community VLAN port or a port in the same
ISOLATED VLAN) – to communicate with other ports it must go through the promiscuous port…

Figure: Promiscuous Port above Isolated VLAN A and Community VLAN B
- Orange Ports in Isolated VLAN A CANNOT talk to any other Orange Ports in the same Isolated
VLAN
- Ports in Isolated VLAN A cannot communicate with other secondary VLAN’s without going
through the Promiscuous Port
- Only ONE ISOLATED VLAN per Private VLAN Allowed

210
What is a Private VLAN…
The Promiscuous Port
The Promiscuous Port exists to move traffic between ports in Community and/or Isolated
VLAN’s – it can use Access Control Lists (ACL’s) to identify which traffic can pass between
these VLAN’s…

Figure: ACL Rules applied at the Promiscuous Port, which sits above Community VLAN ‘A’,
Community VLAN ‘C’, Isolated VLAN ‘D’ and Community VLAN ‘B’

Only one promiscuous port can serve a single Private VLAN

The promiscuous port can serve all the community and isolated VLAN’s in the Private VLAN
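The last four slides define a layer 2 reachability rule set, and it is easier to reason about isolation (for instance, when deciding whether two servers in the same subnet can reach each other without crossing the ACLs on the promiscuous port) when that rule set is written down as a function. The following is an added example written for this page, not Cisco code: it encodes the Community, Isolated and Promiscuous rules and computes a reachability matrix for a constructed port set using the VLAN numbers this chapter configures later (primary 342, communities 350 and 351, isolated 360). Port names are constructed.

```python
"""Layer 2 reachability inside a private VLAN (added example, not Cisco code).

Rules from the slides: community ports talk only to their own community and
the promiscuous port, isolated ports talk only to the promiscuous port, and
the promiscuous port reaches every secondary VLAN of its primary VLAN.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PvlanPort:
    name: str
    primary: int
    role: str           # "promiscuous", "community" or "isolated"
    secondary: int = 0  # secondary VLAN for host ports; 0 for the promiscuous port


def can_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """Is a layer 2 frame from src delivered to dst within the private VLAN?"""
    if src.primary != dst.primary or src.name == dst.name:
        return False
    if "promiscuous" in (src.role, dst.role):
        return True                            # promiscuous port serves every secondary VLAN
    if src.role == "community" and dst.role == "community":
        return src.secondary == dst.secondary  # same community only
    return False                               # isolated ports never reach other hosts


def reachability_matrix(ports) -> dict:
    """{port name: sorted names of the ports it can reach at layer 2}"""
    return {p.name: sorted(q.name for q in ports if can_forward(p, q)) for p in ports}


# constructed sample topology (VLAN numbers follow this chapter's configuration slides)
PORTS = [
    PvlanPort("Gi1/5", 342, "promiscuous"),
    PvlanPort("Gi1/3", 342, "community", 350),
    PvlanPort("Gi1/4", 342, "community", 350),
    PvlanPort("Gi1/6", 342, "community", 351),
    PvlanPort("Gi1/7", 342, "isolated", 360),
    PvlanPort("Gi1/8", 342, "isolated", 360),
]


if __name__ == "__main__":
    for name, reach in reachability_matrix(PORTS).items():
        print(name, "->", reach)
```

Traffic that this function refuses at layer 2 can still flow between the hosts through the promiscuous port and whatever is behind it (a router, a firewall), which is exactly where the ACL rules on that port apply.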
211
What is a Private VLAN…
Private VLAN’s across the campus
Private VLAN’s can be carried between switches – trunks carry the Primary VLAN, Community
VLAN and Isolated VLAN’s to other switches sharing the same private VLAN information…

Figure: Switch “A” and Switch “B” joined through a third Switch; the trunks are used to carry
traffic from the Private VLAN’s

212
Private VLAN Guidelines…
Private VLAN’s and VTP
In Native IOS, VTP does not support carrying Private VLAN information in its updates within its
VTP Domain…

Figure: VTP Domain containing a SWITCH with Community VLAN A, Community VLAN B and Isolated VLAN E

6500(config)#vlan 342
6500(config-vlan)#private-vlan primary
Private VLANs can only be configured when VTP is in transparent mode.

213
Private VLAN Guidelines…
Private VLAN’s and Reserved VLAN’s
Certain VLAN’s cannot be added into a Private VLAN - these VLAN’s include VLAN 1 and
VLAN’s 1002 through to 1005…

PRIMARY VLAN: VLAN 1 – not allowed | VLAN’s 2 to 1001 – allowed | VLAN 1002-1005 – not
allowed | VLAN’s > 1006 – not allowed

6500(config)# vlan 342
6500(config-vlan)# private-vlan association 1
Only VLAN 2..1001 is allowed to be configured as a private VLAN.
6500(config-vlan)# private-vlan association 1002
Only VLAN 2..1001 is allowed to be configured as a private VLAN.

214
Private VLAN Guidelines…
Private VLAN’s and SPAN
There are certain restrictions when activating a port in a private VLAN as a SPAN port…

- Destination SPAN port: NOT ALLOWED – a port in a private VLAN CANNOT be made a destination
SPAN port…
- Source SPAN port: ALLOWED – a port in a private VLAN CAN be made a source SPAN port…
- VSPAN SPAN port: ALLOWED – VLAN based SPAN on Primary, Isolated or Community VLAN’s…

215
Private VLAN Guidelines…
Private VLAN’s and 10/100 Modules
With the exception of the WS-X6548-RJ45 and WS-X6548-RJ21 – ports in port groupings of 1-12,
13-24, 25-36 and 37-48 have the following restrictions…

- If one port in the group is defined as a trunk, then the other ports in that group cannot be
added into a private VLAN…
- If one port in the group is defined as a destination SPAN port, then the other ports in that
group cannot be added into a private VLAN…
- If one port in the group is defined as a promiscuous port, then the other ports in that group
cannot be added into a private VLAN…

216

CHAPTER 12.2 – Configuring PVLAN’s

217
Private VLAN…
Configuring the Primary VLAN
The primary VLAN is configured as follows…

6500(config)#vlan 342
6500(config-vlan)#private-vlan primary

Enter global configuration mode – use the VLAN command to create the VLAN – after entering
VLAN configuration mode – enter the private-vlan primary command to configure the primary
VLAN…

6500# show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
342               primary

The defined primary VLAN can be viewed using the show command above…

218
Private VLAN…
Configuring the Secondary VLAN’s
The Community VLAN is configured as follows…

6500(config)#vlan 350
6500(config-vlan)#private-vlan community

The Isolated VLAN is configured as follows…

6500(config)#vlan 360
6500(config-vlan)#private-vlan isolated

The defined VLAN’s can be viewed using the show command below…

6500# show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
342               Primary
        350       Community
        360       Isolated

219
Private VLAN…
Associating Secondary VLAN’s with the Primary
Secondary VLAN’s need to be associated with a Primary VLAN before they can be assigned to
ports… Assignment is done as follows…
6500(config-vlan)#private-vlan association ?
WORD VLAN IDs of the private VLANs to be configured
add Add a VLAN to private VLAN list
remove Remove a VLAN from private VLAN list

6500(config-vlan)#private-vlan association 350-352,360
6500(config-vlan)#^Z
3w3d: %SYS-5-CONFIG_I: Configured from console by console
6500# show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
342     350       community
342     351       community
342     352       community
342     360       isolated

**NOTE** - For each secondary VLAN, a primary VLAN number now appears in the immediate
column to the left – indicating the association has been completed…

220
Private VLAN…
Associating a second Isolated VLAN
As indicated earlier, only one Isolated VLAN can be associated with a primary VLAN – trying to
add a second Isolated VLAN will result in the following error…

6500# show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
342     350       community
342     351       community
342     352       community
342     360       isolated
        361       isolated
6500# conf t
Enter configuration commands, one per line. End with CNTL/Z.
6500(config)#vlan 342
6500(config-vlan)#private-vlan association 361
Command rejected: invalid private vlan association between vlan342 and vlan361..
6500(config-vlan)#

The error message above highlights that the system is rejecting the request to add in the
second isolated vlan…
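The two rejections seen in this chapter (a secondary VLAN outside 2..1001, and a second isolated VLAN on one primary) are worth having as a pre-check when private VLAN configuration is generated or reviewed offline. The following is an added example written for this page, not Cisco code: it keeps the VLAN type and association tables, applies both checks with the same messages the switch prints on the slides, and renders rows in the shape of "show vlan private-vlan". The VLAN numbers are the ones used on the slides (342, 350-352, 360 and 361); the row rendering is this example's own.

```python
"""Private VLAN association checks (added example, not Cisco code).

Reproduces the two rejections shown on the slides: secondary VLANs must come
from 2-1001, and a primary VLAN may have only one isolated VLAN.
"""


class PrivateVlanConfig:
    def __init__(self):
        self.types = {}         # vlan -> "primary" | "community" | "isolated"
        self.associations = {}  # primary -> set of associated secondary VLANs

    def define(self, vlan: int, pvlan_type: str) -> None:
        """'vlan <n>' followed by 'private-vlan primary|community|isolated'."""
        if not 2 <= vlan <= 1001:
            raise ValueError("Only VLAN 2..1001 is allowed to be configured as a private VLAN.")
        if pvlan_type not in ("primary", "community", "isolated"):
            raise ValueError("unknown private VLAN type %r" % pvlan_type)
        self.types[vlan] = pvlan_type
        if pvlan_type == "primary":
            self.associations.setdefault(vlan, set())

    def associate(self, primary: int, secondaries) -> None:
        """'private-vlan association <list>' entered under the primary VLAN."""
        if self.types.get(primary) != "primary":
            raise ValueError("VLAN %d is not a primary VLAN" % primary)
        current = self.associations[primary]
        for sec in secondaries:
            if not 2 <= sec <= 1001:
                raise ValueError("Only VLAN 2..1001 is allowed to be configured as a private VLAN.")
            sec_type = self.types.get(sec)
            if sec_type not in ("community", "isolated"):
                raise ValueError("VLAN %d is not a secondary VLAN" % sec)
            if sec_type == "isolated" and any(
                    self.types[s] == "isolated" and s != sec for s in current):
                raise ValueError("Command rejected: invalid private vlan association "
                                 "between vlan%d and vlan%d.." % (primary, sec))
            current.add(sec)

    def show_private_vlan(self) -> list:
        """Rows (primary or None, secondary or None, type) like 'show vlan private-vlan'."""
        rows = []
        for primary, secs in sorted(self.associations.items()):
            if not secs:
                rows.append((primary, None, "primary"))
            for sec in sorted(secs):
                rows.append((primary, sec, self.types[sec]))
        associated = {s for secs in self.associations.values() for s in secs}
        for vlan, t in sorted(self.types.items()):
            if t != "primary" and vlan not in associated:
                rows.append((None, vlan, t))   # defined but not yet associated
        return rows


def raises_value_error(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cfg = PrivateVlanConfig()
    cfg.define(342, "primary")
    for v in (350, 351, 352):
        cfg.define(v, "community")
    cfg.define(360, "isolated")
    cfg.define(361, "isolated")
    cfg.associate(342, [350, 351, 352, 360])
    print(cfg.show_private_vlan(), raises_value_error(cfg.associate, 342, [361]))
```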

221
Private VLAN…
Associating to a Layer 3 VLAN interface
A set of secondary VLAN’s can be associated with the Layer 3 VLAN interface for the primary
VLAN – this allows ingress traffic to be layer 3 switched to ports in these secondary VLAN’s …

6500# show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
342     350       community
342     351       community
342     352       community
342     360       isolated
6500# conf t
Enter configuration commands, one per line. End with CNTL/Z.
6500(config)#int vlan 342
6500(config-if)#private-vlan mapping ?
WORD Secondary VLAN IDs of the private VLAN SVI interface mapping
add Add a VLAN to private VLAN list
remove Remove a VLAN from private VLAN list
6500(config-if)#private-vlan mapping 350-352,360

222
Private VLAN…
Associating to a Layer 3 VLAN interface
When a set of secondary VLAN’s have been mapped to the Layer 3 VLAN interface – the
mapped VLAN’s can be viewed using the following command…

6500#show interfaces private-vlan mapping
Interface Secondary VLAN Type
--------- -------------- -----------------
vlan342   350            community
vlan342   351            community
vlan342   352            community
vlan342   360            isolated

Figure: Ingress Layer 3 Switched Traffic enters the Switch through SVI 342 and is delivered to
VLAN 350, VLAN 351, VLAN 352 and VLAN 360

223
Private VLAN…
Configuring a Layer 2 host port in a Private VLAN
To add a layer 2 host port into a private VLAN, the following command must be used…

6500(config-if)# switchport
6500(config-if)# switchport mode private-vlan host
6500(config-if)# switchport private-vlan host-association 342 350
6500(config-if)# ^Z
6500# show interface g1/3 switchport
Name: Gi1/3
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: up
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: 342 (VLAN0342) 350 (VLAN0350)
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

The host-association command adds port G1/3 into the community VLAN 350

224
Private VLAN…
Configuring a Layer 2 port as a Promiscuous port
To convert a layer 2 host port into a private VLAN promiscuous port, the following command
must be used…

6500(config-if)# switchport
6500(config-if)# switchport mode private-vlan promiscuous
6500(config-if)# switchport private-vlan mapping 342 350-352,360
6500(config-if)# ^Z
6500# show interface g1/5 switchport
Name: Gi1/5
Switchport: Enabled
Administrative Mode: promiscuous
Operational Mode: up
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 342 (VLAN0342) 350 (VLAN0350) 351 (VLAN035
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

The mapping command converts this port into a promiscuous port for PVLAN 342

225

January 2004
Catalyst 6500
Technical Training
CHAPTER 13: 802.1Q Tunneling

226

CHAPTER 13.1 – Understanding 802.1Q Tunneling

227
Understanding 802.1Q Tunnels
Introduction
Service Providers who join customer networks over a common Layer 2 network may find
overlapping VLAN numbers from different customers… the problem is how to join these networks
together without mixing traffic from each customer?

Figure: Customer Network “A” (VLAN’s 1-150) and Customer Network “B” (VLAN’s 1-200) on one
side, and Customer Network “B” (VLAN’s 1-200) and Customer Network “A” (VLAN’s 1-150) on the
other, all attached to the Service Provider Network (Layer 2 Network)

228
Understanding 802.1Q Tunnels
Introduction
Answer – Use a VLAN within a VLAN – otherwise known as 802.1Q Tunneling - this mode of
operation allows for an extra VLAN tag to be assigned to the frame as it traverses the service
provider network - this allows the same VLAN’s from different customers to traverse the same L2
network…

Figure: the two Customer Network A sites (VLAN 10, VLAN 20, VLAN 30) are joined across the
Service Provider Network (Layer 2) inside VLAN 3515; the two Customer Network B sites (also
VLAN 10, VLAN 20, VLAN 30) are joined across the same network inside VLAN 3516

229
Understanding 802.1Q Tunnels
Dot1Q Tunnel Frame Format
When the frame enters the Access switch, its structure adheres to the normal Ethernet
Standards…

Flow of traffic: Host -> Access Port (Access Switch, VLAN 35) -> Trunk Port (Distribution
Switch) -> Tunnel Port

Packet Format: DEST MAC | SRC MAC | LEN/TYPE | Data | FCS

At this point there are no special tags added to the frame…

230
Understanding 802.1Q Tunnels
Dot1Q Tunnel Frame Format
When the frame is sent from the Access switch to the Distribution Switch, it traverses an
802.1Q trunk, so the VLAN tag is inserted into the frame…

Flow of traffic: Host -> Access Port (Access Switch, VLAN 35) -> Trunk Port (Distribution
Switch) -> Tunnel Port

Packet Format: DEST MAC | SRC MAC | 1Q (ETHERTYPE TAG) | LEN/TYPE | Data | FCS

This tag adds the VLAN ID for which the port is a part of – in this
case, the VLAN ID would be 35….

231
Understanding 802.1Q Tunnels
Dot1Q Tunnel Frame Format
When the frame is sent from the Distribution Switch into the service provider network, it
traverses an 802.1Q tunnel port, so the VLAN tag of the service provider is inserted into the
frame…
Flow of traffic
Access Port Trunk Port Tunnel Port
Access Distribution
Host Switch Switch
VLAN 35 VLAN 3515

DEST MAC SRC MAC 1Q 1Q LEN/TYPE Data FCS

ETHERTYPE TAG At this point the


frame has been
This tag adds the Service Provider VLAN ID as the port connects into double tagged !!
their network – in this case, the VLAN ID would be 3515….
© 2004, Cisco Systems, Inc. All rights reserved.
232
Understanding 802.1Q Tunnels
Native VLAN and Tunneling
The native VLAN in 802.1Q is not tagged – as a result, difficulties can arise in tunneling traffic
sourced from the native VLAN – recommendation is to invoke the “vlan dot1q tag native”
command to tag native VLAN egress traffic and drop untagged ingress native VLAN traffic…

[Figure: Host -> Access Switch -> Distribution Switch; the host is in VLAN 1 (the native VLAN), the tunnel port in VLAN 3515.]

6500(config)#vlan dot1q ?
  tag  tag parameters

6500(config)#vlan dot1q tag ?
  native  tag native vlan

6500(config)#vlan dot1q tag native
6500(config)#
Understanding 802.1Q Tunnels
Layer 3 and Tunneling
Dot1Q tunneling adds a second Dot1Q tag – as such, there are some restrictions in
accessing layer 3 information in the packet…

Packet format: DEST MAC | SRC MAC | 1Q | 1Q | LEN/TYPE | Data | FCS
(the two 1Q fields are the double tag; the Layer 3 information is embedded in the data portion of the packet)

- The Layer 3 packet within the Layer 2 frame cannot be identified in tunnel traffic.
- Layer 3 and higher parameters cannot be identified in tunnel traffic (for example, Layer 3
  destination and source addresses).
- Because the Layer 3 addresses cannot be identified within the packet, tunnel traffic cannot be
  routed.
- The switch can provide only MAC-layer filtering for tunnel traffic (VLAN IDs and source and
  destination MAC addresses).
- The switch can provide only MAC-layer access control and QoS for tunnel traffic.
- QoS cannot detect the received CoS value in the 802.1Q 2-byte Tag Control Information field.
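As an added illustration (this is example code, not part of the training material or of IOS), the following Python builds the frame at each hop of the path shown on the preceding slides (host on the access port, 802.1Q trunk in VLAN 35, tunnel port in VLAN 3515) and then parses each frame the way a device that understands only one 802.1Q tag would. It shows why the double-tagged frame hides its Layer 3 header: after the outer tag the next ethertype is 0x8100 again, not 0x0800. The MAC addresses and the IPv4 header are constructed sample values, and the function names are the example's own.

```python
import struct

ETH_P_8021Q = 0x8100   # TPID that marks an 802.1Q tag
ETH_P_IP = 0x0800      # IPv4 ethertype

# Constructed sample values (not from the training material): two MACs and a
# minimal IPv4 header 10.0.0.1 -> 10.0.0.2 as the Layer 3 payload.
DST_MAC = bytes.fromhex("000b45e38080")
SRC_MAC = bytes.fromhex("00112233aabb")
IPV4_PAYLOAD = bytes.fromhex("4500001400010000400000000a0000010a000002")


def build_untagged(dst, src, ethertype, payload):
    """Frame as the host sends it on the access port: DST | SRC | LEN/TYPE | Data (FCS omitted)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def push_tag(frame, vid, cos=0):
    """Insert a new outermost 802.1Q tag (TPID 0x8100 + TCI) right after the MAC addresses.
    A trunk port does this on egress; a dot1q-tunnel port does it on ingress."""
    tci = (cos << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, tci) + frame[12:]


def parse_frame(frame, max_tags=1):
    """Parse a frame the way a device that understands at most `max_tags` 802.1Q
    tags does. The returned ethertype is whatever follows the last tag it parsed;
    if that is still 0x8100 the Layer 3 header has not been reached."""
    offset, vlans = 12, []
    while len(vlans) < max_tags:
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid != ETH_P_8021Q:
            break
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append({"cos": tci >> 13, "vid": tci & 0x0FFF})
        offset += 4
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    return {"vlans": vlans, "ethertype": ethertype, "payload": frame[offset + 2:]}


def layer3_visible(frame, max_tags=1):
    """True only if the parser reaches the IPv4 header, i.e. L3 addresses can be read."""
    return parse_frame(frame, max_tags)["ethertype"] == ETH_P_IP


def tunnel_path():
    """Follow one frame along the path on the slides: host -> access port (untagged),
    access switch -> distribution switch (802.1Q trunk, VLAN 35), distribution tunnel
    port -> service provider network (outer tag, VLAN 3515)."""
    at_host = build_untagged(DST_MAC, SRC_MAC, ETH_P_IP, IPV4_PAYLOAD)
    on_trunk = push_tag(at_host, 35)
    in_tunnel = push_tag(on_trunk, 3515)
    return at_host, on_trunk, in_tunnel


if __name__ == "__main__":
    for name, frame in zip(("access port", "trunk", "tunnel"), tunnel_path()):
        info = parse_frame(frame, max_tags=1)
        print(f"{name:12s} tags={[v['vid'] for v in info['vlans']]} "
              f"next ethertype=0x{info['ethertype']:04x} L3 visible={layer3_visible(frame)}")
```

Parsing the tunnel frame with `max_tags=2` does reach the IPv4 header, which is exactly what the service provider's switches do not do: they look at the outer tag only, so MAC addresses and the outer VLAN ID are all they can filter on.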
Understanding 802.1Q Tunnels
Configuration Guidelines
When configuring Dot1Q Tunneling, be aware of the following guidelines…

- Dedicate one tunnel per VLAN
- CDP is automatically disabled on Tunnel Ports
- PortFast BPDU filtering is enabled automatically on tunnel ports
- If a Tunnel port is made part of an Etherchannel, then all Tunnel ports must share the
  same tunneling configuration
- Jumbo frames can be tunneled as long as the final length (including double dot1Q tags)
  does not exceed maximum MTU size
- The “VLAN Dot1Q tag native” command should be consistently applied across all
  switches
CHAPTER 13.2 – Understanding Layer 2 Protocol Tunneling
Understanding Layer 2 Protocol Tunneling
Introduction
Customer networks separated by a service provider network might not be able to join their
networks together to consolidate Spanning Tree or VTP Domains – VTP and STP packets that try
to cross an 802.1Q tunneled network are dropped at the edge switches

[Figure: STP and VTP updates sent from a customer switch cannot traverse the Layer 2 network; they are dropped by the Edge Switch on each side of the service provider network.]
Understanding Layer 2 Protocol Tunneling
Introduction
Layer 2 Protocol Tunneling (L2PT) allows specific layer 2 PDU’s (Protocol Data Units) to be
tunneled through a layer 2 network… The PDU’s that can be tunneled are VTP (VLAN Trunking
Protocol), STP (Spanning Tree) and CDP (Cisco Discovery Protocol)

[Figure: with L2PT, the STP, CDP and VTP PDUs of a customer Layer 2 network pass through the Edge Switches and across the service provider Layer 2 network to the remote customer Layer 2 network.]
Understanding Layer 2 Protocol Tunneling
PDU Control
L2PT allows each of the PDU types to be individually configured to be switched or dropped at
the edge switch…

[Figure: Host -> Access Switch -> Distribution Switch -> L2 Network; STP, CDP and VTP PDUs arrive at the Distribution Switch, and only the CDP PDUs are forwarded into the L2 Network.]

In the example above, the policy on the Distribution switch is to allow CDP packets
through but not VTP or STP packets…
Understanding Layer 2 Protocol Tunneling
Drop and Shutdown Thresholds
To ensure that the PDU’s do not swamp the network, drop thresholds can be configured – this
sets a pre-defined level above which those PDU’s will be dropped…

[Figure: two switch ports joined by a link; of the total link bandwidth, only the portion below the PDU limit is available for PDU transmission.]

The rate (or drop threshold) is set as a packet per second rate

A shutdown threshold can also be configured which will put the interface into an ERRDISABLE
state if the volume of PDU’s goes above the stated shutdown threshold
CHAPTER 13.3 – Configuring 802.1Q Tunneling
Configuring 802.1Q Tunnels
Configure the tunnel and tag Native VLAN traffic
Configuration of an 802.1Q tunnel is achieved using the following command in interface
configuration mode…

6500(config-if)#switchport mode dot1q-tunnel ?
  <cr>

6500(config-if)#switchport mode dot1q-tunnel

To tag traffic from the Native VLAN – use the following command …

6500(config)#vlan dot1q tag native ?
  <cr>

6500(config)#vlan dot1q tag native
CHAPTER 13.4 – Configuring Layer 2 Protocol Tunneling
Configuring Layer 2 Protocol Tunneling
Configure Protocols
Individual protocol data units can be enabled on a per interface basis as follows…

6500(config-if)#l2protocol-tunnel cdp
Enabling CDP Tunneling

6500(config-if)#l2protocol-tunnel vtp
Enabling VTP Tunneling

6500(config-if)#l2protocol-tunnel stp
Enabling STP Tunneling

6500# show l2protocol-tunnel summary

COS for Encapsulated Packets: 5
Drop Threshold for Encapsulated Packets: 0

Port    Protocol    Shutdown         Drop             Status
                    Threshold        Threshold
                    (cdp/stp/vtp)    (cdp/stp/vtp)
------- ----------- ---------------- ---------------- ----------
Gi1/3   cdp stp --- ----/----/----   ----/----/----   down
Configuring Layer 2 Protocol Tunneling
Configure Drop Thresholds
Drop thresholds can be defined to limit the number of PDU packets per second on a Dot1Q
Tunnel interface… this is achieved using the following…

6500(config-if)#l2protocol-tunnel drop-threshold ?
  <1-4096>  Packets/sec rate beyond which protocol packets will be dropped
  cdp       Cisco Discovery Protocol
  stp       Spanning Tree Protocol
  vtp       Vlan Trunking Protocol

Drop thresholds per PDU type can be configured as in the following examples…

6500(config-if)#l2protocol-tunnel drop-threshold vtp 100
6500(config-if)#l2protocol-tunnel drop-threshold cdp 200
6500(config-if)#l2protocol-tunnel drop-threshold stp 50
Configuring Layer 2 Protocol Tunneling
Configure Shutdown Thresholds
A shutdown threshold can also be configured to place the interface into an ERRDISABLE
state if the configured threshold is exceeded… this is achieved using the
following…

6500(config-if)#l2protocol-tunnel shutdown-threshold ?
  <1-4096>  Packets/sec rate beyond which interface is put to err-disable
  cdp       Cisco Discovery Protocol
  stp       Spanning Tree Protocol
  vtp       Vlan Trunking Protocol

Shutdown thresholds per PDU type can be configured as in the following examples…

6500(config-if)#l2protocol-tunnel shutdown-threshold vtp 120
6500(config-if)#l2protocol-tunnel shutdown-threshold cdp 250
6500(config-if)#l2protocol-tunnel shutdown-threshold stp 60
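To make the interaction between the per-protocol policy (PDU Control slide) and the drop and shutdown thresholds on the last three slides concrete, here is an added Python model of one dot1q-tunnel port; it is example code, not the switch's implementation. It applies the three rules the slides describe in the order a practitioner cares about: a PDU type that is not enabled is dropped at the edge, a burst above the drop threshold loses the excess PDUs, and a burst above the shutdown threshold err-disables the port. The class and function names, the port name and the burst size are the example's own assumptions; the threshold values are the ones configured on the slides.

```python
from collections import Counter, defaultdict


class L2ptTunnelPort:
    """Layer 2 Protocol Tunneling policy on one dot1q-tunnel port: a PDU type is
    tunneled only if enabled; above the per-second drop threshold further PDUs of
    that type are dropped; above the shutdown threshold the port goes err-disabled."""

    PROTOCOLS = ("cdp", "stp", "vtp")
    MAX_PPS = 4096                      # <1-4096> range from the CLI help

    def __init__(self, name):
        self.name = name
        self.enabled = set()            # l2protocol-tunnel <proto>
        self.drop_threshold = {}        # l2protocol-tunnel drop-threshold <proto> <pps>
        self.shutdown_threshold = {}    # l2protocol-tunnel shutdown-threshold <proto> <pps>
        self.errdisabled = False
        self._seen = defaultdict(int)   # PDUs counted per (whole second, proto)

    def _check(self, proto, pps=1):
        if proto not in self.PROTOCOLS:
            raise ValueError(f"unknown protocol {proto!r}")
        if not 1 <= pps <= self.MAX_PPS:
            raise ValueError(f"threshold must be 1-{self.MAX_PPS}, got {pps}")

    def tunnel(self, proto):
        self._check(proto)
        self.enabled.add(proto)

    def set_drop_threshold(self, proto, pps):
        self._check(proto, pps)
        self.drop_threshold[proto] = pps

    def set_shutdown_threshold(self, proto, pps):
        self._check(proto, pps)
        self.shutdown_threshold[proto] = pps

    def receive(self, proto, t):
        """Fate of one PDU of type `proto` arriving at time `t` (seconds):
        'tunnel', 'drop', or 'errdisable' for the PDU that tripped the shutdown threshold."""
        if self.errdisabled or proto not in self.enabled:
            return "drop"
        key = (int(t), proto)
        self._seen[key] += 1
        count = self._seen[key]
        if proto in self.shutdown_threshold and count > self.shutdown_threshold[proto]:
            self.errdisabled = True
            return "errdisable"
        if proto in self.drop_threshold and count > self.drop_threshold[proto]:
            return "drop"
        return "tunnel"


def edge_policy_demo():
    """The PDU Control slide: the distribution switch tunnels CDP only."""
    port = L2ptTunnelPort("Gi1/3")      # constructed port name
    port.tunnel("cdp")
    return {proto: port.receive(proto, 0.0) for proto in L2ptTunnelPort.PROTOCOLS}


def threshold_demo(stp_pdus_in_one_second=70):
    """The thresholds from the two preceding slides, then a burst of STP PDUs inside
    one second: the first 50 are tunneled, PDUs 51-60 are dropped, the 61st exceeds
    the shutdown threshold and err-disables the port, and the rest are dropped."""
    port = L2ptTunnelPort("Gi1/3")
    for proto in L2ptTunnelPort.PROTOCOLS:
        port.tunnel(proto)
    for proto, pps in (("vtp", 100), ("cdp", 200), ("stp", 50)):
        port.set_drop_threshold(proto, pps)
    for proto, pps in (("vtp", 120), ("cdp", 250), ("stp", 60)):
        port.set_shutdown_threshold(proto, pps)
    outcomes = Counter(port.receive("stp", 0.5) for _ in range(stp_pdus_in_one_second))
    return dict(outcomes)


if __name__ == "__main__":
    print(edge_policy_demo())
    print(threshold_demo())
```

The order of the two threshold checks matters: the shutdown threshold is tested first, because once it is crossed the drop threshold is irrelevant for the rest of the second and for every later PDU until the port is recovered from err-disable.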
January 2004
Catalyst 6500
Technical Training
CHAPTER 14: Spanning Tree

CHAPTER 14.1 – Understanding Spanning Tree
CHAPTER 14.2 – Configuring Spanning Tree
STP Configuration
STP can be enabled on a per VLAN basis as follows…

6500(config)# spanning-tree vlan ?
  WORD  vlan range, example: 1,3-5,7,9-11

Enabling Extended System ID…

6500(config)# spanning-tree extend ?
  system-id  Extend system-id into priority portion of the bridge id (PVST only)

Setting the switch as the primary or secondary STP Root switch

6500(config)# spanning-tree vlan 300 root ?
  primary    Configure this switch as primary root for this spanning tree
  secondary  Configure switch as secondary root

6500(config)# spanning-tree vlan 300 root primary
STP Configuration
STP port priority is set as follows…

6500(config-if)# spanning-tree port-priority ?
  <0-240>  port priority in increments of 16

STP Port Cost is set as follows…

6500(config-if)# spanning-tree cost ?
  <1-200000000>  port path cost

Setting the VLAN Bridge Priority

6500(config)# spanning-tree vlan 300 priority ?
  <0-61440>  bridge priority in increments of 4096
STP Configuration
STP hello time can be modified as follows…

6500(config)# spanning-tree vlan 300 hello-time ?
  <1-10>  number of seconds between generation of config BPDUs

STP forwarding delay for the VLAN can be set as follows…

6500(config)# spanning-tree vlan 300 forward-time ?
  <4-30>  number of seconds for the forward delay timer

Setting the VLAN Max Age setting

6500(config)# spanning-tree vlan 300 max-age ?
  <6-40>  maximum number of seconds the information in a BPDU is valid
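The three configuration slides above (root, bridge priority and port priority, and the timers) leave two things implicit that a worked example makes visible: how the extended system ID folds the VLAN number into the 16-bit priority field of the bridge ID (so a priority of 32768 in VLAN 101 shows up as 32869 in the show commands later in this chapter), and that the three timers must satisfy the IEEE 802.1D relationship 2*(forward delay - 1) >= max age >= 2*(hello + 1) in addition to the CLI ranges. The following Python is an added example, not IOS code; the switch names and MAC addresses are constructed, and the 24576 / 28672 values used by the `root primary` / `root secondary` macro are the ones Cisco documents for that macro.

```python
# Constraints from the CLI help on the preceding slides and from IEEE 802.1D.
BRIDGE_PRIORITY_STEP, BRIDGE_PRIORITY_MAX = 4096, 61440
PORT_PRIORITY_STEP, PORT_PRIORITY_MAX = 16, 240
HELLO_RANGE, FORWARD_RANGE, MAX_AGE_RANGE = (1, 10), (4, 30), (6, 40)


def valid_bridge_priority(priority):
    return 0 <= priority <= BRIDGE_PRIORITY_MAX and priority % BRIDGE_PRIORITY_STEP == 0


def bridge_priority_field(priority, vlan):
    """With the extended system ID, the 16-bit priority field of the bridge ID is the
    4-bit configured priority plus the 12-bit VLAN number (the system ID), which is
    why VLAN 101 at priority 32768 is displayed as 32869."""
    if not valid_bridge_priority(priority):
        raise ValueError(f"bridge priority must be 0-{BRIDGE_PRIORITY_MAX} in steps of {BRIDGE_PRIORITY_STEP}")
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan must be 1-4094")
    return priority + vlan


def bridge_id(priority, vlan, mac):
    """Comparable bridge ID (priority field, MAC): the lowest tuple wins the root election."""
    return (bridge_priority_field(priority, vlan), int(mac.replace(".", ""), 16))


def port_identifier(port_priority, port_number):
    """The 'Port Identifier 128.514' form shown by show spanning-tree."""
    if not 0 <= port_priority <= PORT_PRIORITY_MAX or port_priority % PORT_PRIORITY_STEP:
        raise ValueError(f"port priority must be 0-{PORT_PRIORITY_MAX} in steps of {PORT_PRIORITY_STEP}")
    return f"{port_priority}.{port_number}"


def timers_consistent(hello, forward_delay, max_age):
    """True if the timers are inside the CLI ranges and satisfy the 802.1D relation
    2*(forward_delay - 1) >= max_age >= 2*(hello + 1). The defaults 2/15/20 pass;
    a max age of 40 with the default forward delay of 15 does not."""
    in_range = (HELLO_RANGE[0] <= hello <= HELLO_RANGE[1]
                and FORWARD_RANGE[0] <= forward_delay <= FORWARD_RANGE[1]
                and MAX_AGE_RANGE[0] <= max_age <= MAX_AGE_RANGE[1])
    return in_range and 2 * (forward_delay - 1) >= max_age >= 2 * (hello + 1)


def elect_root(bridges):
    """Name of the bridge with the lowest bridge ID for one VLAN.
    `bridges` is an iterable of (name, priority, vlan, mac) tuples."""
    return min(bridges, key=lambda b: bridge_id(b[1], b[2], b[3]))[0]


def root_macro_priority(mode, current_root_priority=None):
    """Priority chosen by 'spanning-tree vlan N root primary|secondary' as Cisco
    documents the macro: primary uses 24576 if that beats the current root's
    priority, otherwise 4096 less than the current root; secondary uses 28672."""
    if mode == "secondary":
        return 28672
    if mode != "primary":
        raise ValueError("mode must be 'primary' or 'secondary'")
    if current_root_priority is None or current_root_priority > 24576:
        return 24576
    if current_root_priority < BRIDGE_PRIORITY_STEP:
        raise ValueError("current root already uses the lowest possible priority")
    return current_root_priority - BRIDGE_PRIORITY_STEP


if __name__ == "__main__":
    # Constructed sample bridges competing for VLAN 300.
    candidates = [("A", 32768, 300, "000b.45e3.8080"),
                  ("B", 32768, 300, "000b.45e3.0001"),
                  ("C", 4096, 300, "ffff.ffff.ffff")]
    print("root for VLAN 300:", elect_root(candidates))
    print("priority field for VLAN 101 @ 32768:", bridge_priority_field(32768, 101))
    print("defaults consistent:", timers_consistent(2, 15, 20))
```

Note that with equal priorities the election falls to the lowest MAC address, which is why leaving every switch at 32768 hands the root role to whichever box happens to have the oldest address rather than to the one you intended; setting the priority (or using the root macro) on the distribution switches is the usual fix.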
CHAPTER 14.3 – Understanding STP Enhancements
STP Extensions
Portfast
To improve performance of the basic IEEE 802.1D STP Algorithm, Cisco introduced a number
of extensions… STP Portfast is one enhancement – designed to bypass STP Listening and
Learning states for an attached host – moving the port directly to a forwarding state

[Figure: Before Portfast – when the port initializes, it moves through Blocking State, Listening State (15 secs) and Learning State (15 secs) before Forwarding. After Portfast – when the port initializes, it moves straight to Forwarding.]

When a host connects to a switchport without Portfast, the switch moves the port through all STP
states before activating the port. With Portfast, the switch moves the port straight to the
forwarding state – eliminating the 30 second delay
STP Extensions
Portfast BPDU Guard
When Portfast is enabled, inadvertently connecting the port into another switch could
compromise the loop free topology – as a Portfast port can still receive and forward BPDU’s –
answer is to use BPDU Guard which will shut down a Portfast port if a BPDU is received…

[Figure: Switch-A has a Portfast port with BPDU Guard, initially connected to a Host. Switch-B is inadvertently connected to that port instead and sends a BPDU; Switch-A shuts the port down.]

Switch-B is inadvertently moved and uses the switchport set up as a Portfast port – Switch-A,
upon receiving the first BPDU, will shut down the port – thus protecting the integrity of the STP
Domain
STP Extensions
Portfast BPDU Filter
BPDU Filtering is a way to stop a Portfast port from sending or receiving BPDU’s. Any received
BPDU’s are simply dropped…

[Figure: Switch-A has two Portfast ports, one towards Switch-B and one towards Switch-C, plus a Host port. Switch-A refrains from sending BPDUs towards Switch-B; a BPDU received from Switch-C is dropped.]

BPDU Filtering can be applied globally or on a per port basis…
STP Extensions
Uplink Fast
Uplink Fast is designed to provide faster failover to a redundant link when a primary link fails –
this feature is of most use in wiring closet switches with redundant uplinks to the distribution
layer switch…

[Figure: three steps – (1) a wiring closet switch has two uplinks towards a pair of distribution switches, one forwarding (F) and one blocked (B); (2) the primary link fails; (3) Uplink Fast forces failover to the redundant link in 1-3 seconds…]
STP Extensions
Backbone Fast
Backbone Fast, like uplink fast, provides fast failover when an “indirect link failure” occurs.
Failover occurs when the switch receives an inferior BPDU from its designated bridge. An
inferior BPDU indicates that the designated bridge has lost its connection to the root bridge

[Figure: three steps – (1) a triangle of switches with one blocked (B) port; (2) an indirect link fails and the designated bridge sends an inferior BPDU; (3) the switch ignores its configured STP Max Age and moves the blocked port to forwarding.]
STP Extensions
Root Guard
Root Guard is configured on the STP Root switch. It prevents a designated port from becoming
a root port or a blocked port. If a port on a root switch receives a superior BPDU, it moves the
port into a root inconsistent state, thus maintaining the local switch as the Root switch…

[Figure: a switch below the STP Root announces “I want to become the STP Root” with a superior BPDU; the STP Root switch places the receiving port into the root inconsistent state.]
STP Extensions
Loop Guard (LG)
If a uni directional link failure occurred on a point to point link, then Loop Guard can prevent a
loop from occurring. Loop guard detects root and non designated ports (blocked ports), and
ensures they keep receiving BPDU’s…

[Figure: STP Root switch at the top with two downstream switches; Loop Guard (LG) is applied on the root port and on the non designated (blocked) port of the non-root switches. Legend: Designated Port, Root Port, Non Designated (Blocked) Port.]

- Loop guard is normally applied on point to point links ONLY
- Loop guard would normally be enabled on all ports on non-root switches
- Loop guard could be enabled on a root switch if Root guard were NOT enabled – if this was the
  case, it would have no effect until the switch became a Non-Root Switch
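The three guards on the preceding slides (BPDU Guard, Root Guard, Loop Guard) all react to the same two inputs, a BPDU arriving or BPDUs going missing, and the difference between them is which port roles they watch and what state they leave the port in. The following Python is an added example that is not part of the training material or of IOS: it models one port with those three extensions, together with the superior/inferior BPDU comparison the Root Guard and Backbone Fast slides rely on. The bridge IDs, port names and the helper names are the example's own constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Bpdu:
    """The fields 802.1D compares, in comparison order: a lower value is better,
    so `a < b` means a is the superior BPDU and b the inferior one."""
    root_id: tuple          # (priority field, MAC address as an int)
    root_path_cost: int
    bridge_id: tuple
    port_id: int


def compare(received, own):
    """Classify a received BPDU against the one this port itself transmits."""
    if received < own:
        return "superior"
    if received > own:
        return "inferior"
    return "same"


class GuardedPort:
    """One STP port with the Cisco extensions: BPDU Guard (Portfast ports),
    Root Guard (designated ports) and Loop Guard (root and blocked ports)."""

    def __init__(self, name, role, own_bpdu, portfast=False, bpduguard=False, guard=None):
        if role not in ("designated", "root", "alternate"):
            raise ValueError("role must be designated, root or alternate")
        self.name, self.role, self.own_bpdu = name, role, own_bpdu
        self.portfast, self.bpduguard, self.guard = portfast, bpduguard, guard
        self.state = "forwarding" if role in ("designated", "root") else "blocking"
        self.events = []

    def receive_bpdu(self, bpdu):
        """A BPDU arrives on the port. Returns the port state afterwards."""
        if self.state == "err-disabled":
            return self.state
        if self.portfast and self.bpduguard:
            # BPDU Guard: a Portfast port should never see a BPDU, so shut it down.
            self.state = "err-disabled"
            self.events.append("bpduguard: BPDU on Portfast port, err-disabled")
        elif self.guard == "root" and self.role == "designated" and compare(bpdu, self.own_bpdu) == "superior":
            # Root Guard: a downstream switch claims a better root; refuse to make this a root port.
            self.state = "root-inconsistent"
            self.events.append("rootguard: superior BPDU received, port root-inconsistent")
        elif self.state == "loop-inconsistent":
            # BPDUs are flowing again, so Loop Guard recovers the port automatically.
            self.state = "forwarding" if self.role == "root" else "blocking"
            self.events.append("loopguard: BPDUs resumed, port recovered")
        return self.state

    def max_age_expired(self):
        """No BPDU for max age on a root or blocked port, the symptom of a
        unidirectional link. Returns the port state afterwards."""
        if self.role in ("root", "alternate") and self.state in ("forwarding", "blocking"):
            if self.guard == "loop":
                self.state = "loop-inconsistent"   # stays non-forwarding: no loop
                self.events.append("loopguard: BPDUs missing, port loop-inconsistent")
            else:
                self.state = "forwarding"          # plain 802.1D: port assumes it is designated, loop risk
                self.events.append("no loopguard: blocked port moved to forwarding")
        return self.state


# Constructed sample bridge IDs (priority field, MAC); not from the training material.
ROOT = (32769, 0x000B45E38080)        # the legitimate root bridge
LOCAL = (32769, 0x001122AABBCC)       # this switch
INTRUDER = (4097, 0x00DEADBEEF00)     # a switch claiming a better priority


def bpduguard_demo():
    """Portfast access port with BPDU Guard receives a BPDU: err-disabled."""
    port = GuardedPort("Gi1/10", "designated", Bpdu(ROOT, 4, LOCAL, 0x8001), portfast=True, bpduguard=True)
    return port.receive_bpdu(Bpdu(ROOT, 8, INTRUDER, 0x8001))


def rootguard_demo():
    """Designated port on the root switch with Root Guard: an inferior BPDU is
    harmless, a superior one puts the port into root-inconsistent."""
    port = GuardedPort("Gi1/1", "designated", Bpdu(ROOT, 0, ROOT, 0x8001), guard="root")
    after_inferior = port.receive_bpdu(Bpdu(ROOT, 4, LOCAL, 0x8001))
    after_superior = port.receive_bpdu(Bpdu(INTRUDER, 0, INTRUDER, 0x8001))
    return after_inferior, after_superior


def loopguard_demo():
    """Blocked port that stops hearing BPDUs: without Loop Guard it starts forwarding,
    with Loop Guard it goes loop-inconsistent and recovers when BPDUs return."""
    own = Bpdu(ROOT, 8, LOCAL, 0x8002)
    plain = GuardedPort("Gi1/2", "alternate", own)
    guarded = GuardedPort("Gi1/3", "alternate", own, guard="loop")
    without = plain.max_age_expired()
    with_guard = guarded.max_age_expired()
    recovered = guarded.receive_bpdu(Bpdu(ROOT, 4, ROOT, 0x8001))
    return without, with_guard, recovered
```

The `compare` helper is also the test Backbone Fast applies: the BPDU in `rootguard_demo` that carries the real root with a higher path cost is "inferior", which is what a designated bridge sends once it has lost its own path to the root.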
STP Extensions
Loop Guard (LG) Caveats
The configuration of Loop Guard has some caveats which are described below…

1. Cannot enable Loop guard on Portfast or Dynamic VLAN ports
2. Cannot enable Loop Guard on a root guard enabled switch
3. Loop guard does not affect Uplink fast or Backbone fast operation
4. LG must be enabled on point to point links only
5. STP always chooses the first operational port in an etherchannel bundle – if loop guard
   blocks the first port, no BPDU’s will be sent over the channel even if other ports in the
   channel bundle are operational
6. Port Aggregation Protocol enforces uniform loop guard configuration on all ports in
   the channel group
CHAPTER 14.4 – Configuring STP Extensions
Configuring STP Extensions
Portfast can be enabled on a per interface basis as follows

6500(config-if)# spanning-tree portfast ?
  disable  Disable portfast for this interface
  trunk    Enable portfast on the interface even in trunk mode
  <cr>
6500(config-if)# spanning-tree portfast
6500(config-if)#

Portfast can also be enabled globally for all access ports as follows

6500(config)# spanning-tree portfast ?
  bpdufilter  Enable portfast bdpu filter on this switch
  bpduguard   Enable portfast bpdu guard on this switch
  default     Enable portfast by default on all access ports
6500(config)# spanning-tree portfast default
6500(config)#
Configuring STP Extensions
Portfast BPDU Guard can be enabled on a global basis as follows

6500(config)# spanning-tree portfast ?
  bpdufilter  Enable portfast bdpu filter on this switch
  bpduguard   Enable portfast bpdu guard on this switch
  default     Enable portfast by default on all access ports

6500(config)# spanning-tree portfast bpduguard ?
  default  Enable bdpu guard by default on all portfast ports

Portfast BPDU Filter can be enabled on a global basis as follows

6500(config)# spanning-tree portfast ?
  bpdufilter  Enable portfast bdpu filter on this switch
  bpduguard   Enable portfast bpdu guard on this switch
  default     Enable portfast by default on all access ports

6500(config)# spanning-tree portfast bpdufilter ?
  default  Enable bdpu filter by default on all portfast ports

6500(config)# spanning-tree portfast bpdufilter default
Configuring STP Extensions
Uplink fast is enabled on a global basis as follows

6500(config)# spanning-tree uplinkfast ?
  max-update-rate  Rate at which station address updates are sent
  <cr>
6500(config)# spanning-tree uplinkfast max-update-rate ?
  <0-32000>  Maximum number of update packets per second
6500(config)# spanning-tree uplinkfast
6500(config)#

Backbone fast is enabled on a global basis as follows

6500(config)# spanning-tree backbonefast ?
  <cr>

6500(config)# spanning-tree backbonefast
6500(config)#
Configuring STP Extensions
Root guard can be enabled on a per interface basis as follows

6500(config-if)# spanning-tree guard ?
  loop  Set guard mode to loop guard on interface
  none  Set guard mode to none
  root  Set guard mode to root guard on interface

6500(config-if)# spanning-tree guard root ?
  <cr>

6500(config-if)# spanning-tree guard root

Loop guard can be enabled on a per interface basis as follows

6500(config-if)# spanning-tree guard ?
  loop  Set guard mode to loop guard on interface
  none  Set guard mode to none
  root  Set guard mode to root guard on interface

6500(config-if)# spanning-tree guard loop ?
  <cr>

6500(config-if)# spanning-tree guard loop
Configuring STP Extensions
Some spanning tree show commands

6500# show spanning-tree ?
  WORD               bridge group list, example 1,3-5,7,9
  active             Report on active interfaces only
  backbonefast       Show spanning tree backbonefast status
  blockedports       Show blocked ports
  bridge             Status and configuration of this bridge
  brief              Brief summary of interface information
  detail             Detailed information
  inconsistentports  Show inconsistent ports
  interface          Spanning Tree interface status and configuration
  mst                Multiple spanning trees
  pathcost           Show Spanning pathcost options
  root               Status and configuration of the root bridge
  summary            Summary of port states
  uplinkfast         Show spanning tree uplinkfast status
  vlan               VLAN Switch Spanning Trees
  |                  Output modifiers
  <cr>
Configuring STP Extensions
Some spanning tree show commands

6500# show spanning-tree active brief

VLAN0024
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000b.45e3.8080
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 24)
             Address     000b.45e3.8080
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi1/5            Desg FWD 4         128.5    P2p
Gi1/6            Desg FWD 4         128.6    P2p
Gi1/7            Desg FWD 4         128.7    P2p
Gi1/8            Desg FWD 4         128.8    P2p
Configuring STP Extensions
Some spanning tree show commands

6500# show spanning-tree interface g1/3 detail

 Port 514 (GigabitEthernet1/3) of VLAN0210 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.514.
   Designated root has priority 32869, address 000b.45e3.8080
   Designated bridge has priority 32869, address 000b.45e3.8080
   Designated port id is 128.514, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 252903, received 0
6500#
Configuring STP Extensions
Some spanning tree show commands

6500# show spanning-tree bridge brief

                                                   Hello  Max  Fwd
Vlan             Bridge ID                         Time   Age  Dly  Protocol
---------------- --------------------------------- -----  ---  ---  --------
VLAN0024         32769 (32768,24)   000b.45e3.8080 2      20   15   ieee
VLAN0101         32869 (32768,101)  000b.45e3.8080 2      20   15   ieee
6500#
Configuring STP Extensions
Some spanning tree show commands

6500# show spanning-tree detail

 VLAN0024 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 24, address 000b.45e3.8080
  Configured hello time 2, max age 20, forward delay 15
  We are the root of the spanning tree
  Topology change flag not set, detected flag not set
  Number of topology changes 4 last change occurred 5d20h ago
          from GigabitEthernet5/2
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

 Port 514 (GigabitEthernet5/2) of VLAN0024 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.514.
   Designated root has priority 32869, address 000b.45e3.8080
   Designated bridge has priority 32869, address 000b.45e3.8080
   Designated port id is 128.514, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 253224, received 0
CHAPTER 14.5 – Understanding RSTP (802.1w)
Understanding RSTP
Rapid Spanning Tree (RSTP) significantly reduces the time taken for Spanning tree to converge
when a link failure occurs. Failover can occur in the sub second timeframe…

[Figure: a triangle of switches with one blocked (B) port; when the primary link fails, RSTP fails over to the blocked link in sub-second time…]

- RSTP performs similar functions to Cisco’s Uplink fast and Backbone fast
- RSTP is an extension of 802.1D
- RSTP performs better with no additional configuration
- RSTP can interoperate with older 802.1D switches
RSTP Port States
RSTP defines four port states for a port under spanning tree control …

New port states under RSTP are:

- Discarding
- Learning
- Forwarding

RSTP Port State   STP Port State   Operational Status   Port in Active Topology?
Discarding        Blocking         Enabled              No
Discarding        Listening        Enabled              No
Learning          Learning         Enabled              Yes
Forwarding        Forwarding       Enabled              Yes
Discarding        Disabled         Enabled              No
RSTP Port Roles
RSTP defines a set of port roles for spanning tree ports, and these include …

[Figure: STP Root at the top with switches below it, illustrating the port roles listed here.]

Designated Port
  This port type is an active forwarding port that points away from the STP Root to the edge of
  the network

Root Port
  This port is an active forwarding port pointing back towards the STP Root

Backup Port
  A non forwarding port that backs up a Designated Port

Alternate Port
  A non forwarding port that backs up a Root Port

Disabled Port
  An inactive port
New RSTP BPDU Format
RSTP introduces a slight change to the BPDU format used by 802.1D…

BPDU fields:
  Protocol ID (2 Bytes)
  Version (1 Byte = “1”)
  Message Type (1 Byte)
  Flags (1 Byte)
  Root ID (8 Bytes)
  Path Cost (4 Bytes)
  Bridge ID (8 Bytes)
  Port ID (2 Bytes)
  Message Age (2 Bytes)
  Maximum Age (2 Bytes)
  Hello Time (2 Bytes)
  Forwarding Delay (2 Bytes)
  Version 1 Length (1 Byte)

Flags byte:
  Bit 0 – Topology Change
  Bit 1 – Proposal
  Bit 2-3 – Port Role
    00 – Unknown
    01 – Alternate or Backup Port
    10 – Root Port
    11 – Designated Port
  Bit 4 – Learning
  Bit 5 – Forwarding
  Bit 6 – Agreement
  Bit 7 – Topology Change ACK
RSTP interoperation with 802.1D
RSTP can interoperate with legacy 802.1D, but in doing so loses its ability to provide sub
second reconvergence…

[Figure: Switch A (RSTP Enabled) connected to Switch B (802.1D Enabled); Switch A sends RSTP BPDUs, Switch B sends 802.1D BPDUs.]

1. Switch A sends RSTP BPDU’s which Switch B drops
2. Switch B doesn’t get any valid BPDU’s so it sends out its own 802.1D BPDU’s
3. Switch A sees an 802.1D switch on the network and reverts to 802.1D mode
How RSTP Works
RSTP works by sending a proposal to the adjacent switch identifying the port role the local
switch wishes to place the port in – the adjacent switch must agree to this prior to the port
being placed into a forwarding state…

[Figure: Switch A sends a Proposal to Switch B (steps 1-2); Switch B answers with an Agreement (step 4); steps 3 and 5 are the port state changes on each switch.]

1. Initiating switch A sends proposal to switch B indicating its bridge priority and port role
2. Switch B inspects the proposal and ensures proposal does not conflict with its own port roles
3. Switch B places port into a state of forwarding
4. Switch B sends agreement back to switch A
5. Switch A places port into forwarding state
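The BPDU format slide and the five-step proposal/agreement exchange above fit together in one worked example: the Proposal and Agreement bits of the flags byte, together with the port role bits, are what carries the handshake. The Python below is an added example, not code from the training material or from IOS. It packs and parses the 36-byte 802.1w BPDU with the field order listed on the format slide (the version byte carries the 802.1w protocol version identifier 2 in this example, and the timers travel in units of 1/256 second), then walks two constructed switches through steps 1 to 5. The switch names, priorities, MAC addresses and port IDs are constructed, and the `RstpSwitch` model is deliberately reduced to a single port per switch.

```python
import struct

BPDU_FMT = "!HBBB8sI8sHHHHHB"   # the 36 byte 802.1w BPDU laid out on the format slide
PROTOCOL_ID = 0
VERSION_RSTP = 2                 # protocol version identifier carried by 802.1w BPDUs
TYPE_RST_BPDU = 0x02             # message type of a Rapid Spanning Tree BPDU

# Flag bits as listed on the slide (bit 0 = least significant bit).
FLAG_TC, FLAG_PROPOSAL, FLAG_LEARNING = 0x01, 0x02, 0x10
FLAG_FORWARDING, FLAG_AGREEMENT, FLAG_TCA = 0x20, 0x40, 0x80
ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}
ROLE_CODE = {name: code for code, name in ROLES.items()}


def encode_flags(role, tc=False, proposal=False, learning=False, forwarding=False, agreement=False, tca=False):
    """Pack the flags byte: port role in bits 2-3, the six single-bit flags around it."""
    flags = ROLE_CODE[role] << 2
    for on, bit in ((tc, FLAG_TC), (proposal, FLAG_PROPOSAL), (learning, FLAG_LEARNING),
                    (forwarding, FLAG_FORWARDING), (agreement, FLAG_AGREEMENT), (tca, FLAG_TCA)):
        if on:
            flags |= bit
    return flags


def decode_flags(flags):
    return {"tc": bool(flags & FLAG_TC), "proposal": bool(flags & FLAG_PROPOSAL),
            "role": ROLES[(flags >> 2) & 0x3], "learning": bool(flags & FLAG_LEARNING),
            "forwarding": bool(flags & FLAG_FORWARDING), "agreement": bool(flags & FLAG_AGREEMENT),
            "tca": bool(flags & FLAG_TCA)}


def bridge_id_bytes(priority, mac):
    """8-byte bridge ID: 16-bit priority field followed by the 48-bit MAC address."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(".", ""))


def build_bpdu(flags, root_id, path_cost, bridge_id, port_id, hello=2, max_age=20, fwd_delay=15):
    """Timers travel in units of 1/256 second; Version 1 Length is always 0 for RSTP."""
    return struct.pack(BPDU_FMT, PROTOCOL_ID, VERSION_RSTP, TYPE_RST_BPDU, flags, root_id,
                       path_cost, bridge_id, port_id, 0, max_age * 256, hello * 256, fwd_delay * 256, 0)


def parse_bpdu(data):
    (_, version, msg_type, flags, root_id, path_cost, bridge_id, port_id,
     msg_age, max_age, hello, fwd_delay, v1_len) = struct.unpack(BPDU_FMT, data)
    return {"version": version, "type": msg_type, "flags": decode_flags(flags), "root_id": root_id,
            "path_cost": path_cost, "bridge_id": bridge_id, "port_id": port_id,
            "message_age": msg_age / 256, "max_age": max_age / 256, "hello_time": hello / 256,
            "forward_delay": fwd_delay / 256, "version1_length": v1_len}


class RstpSwitch:
    """One port on one switch, enough to walk through the five steps on the slide."""

    def __init__(self, name, priority, mac, port_id):
        self.name = name
        self.bridge_id = bridge_id_bytes(priority, mac)
        self.root_id = self.bridge_id          # every bridge starts out believing it is the root
        self.port_id = port_id
        self.port_role, self.port_state = "designated", "discarding"

    def proposal(self):
        """Step 1: the designated port, still discarding, proposes to the neighbour."""
        flags = encode_flags("designated", proposal=True)
        return build_bpdu(flags, self.root_id, 0, self.bridge_id, self.port_id)

    def on_proposal(self, data):
        """Steps 2-4: accept only a proposal that does not conflict with our own roles,
        i.e. one announcing a better (lower) root than the one we know; then move the
        port to forwarding and answer with an agreement."""
        bpdu = parse_bpdu(data)
        if not bpdu["flags"]["proposal"] or bpdu["root_id"] >= self.root_id:
            return None                                  # no agreement: the proposer must wait for timers
        self.root_id, self.port_role, self.port_state = bpdu["root_id"], "root", "forwarding"
        flags = encode_flags("root", agreement=True, learning=True, forwarding=True)
        return build_bpdu(flags, self.root_id, bpdu["path_cost"] + 20000, self.bridge_id, self.port_id)

    def on_agreement(self, data):
        """Step 5: an agreement for our root lets the designated port forward immediately."""
        bpdu = parse_bpdu(data)
        if bpdu["flags"]["agreement"] and bpdu["flags"]["role"] == "root" and bpdu["root_id"] == self.root_id:
            self.port_state = "forwarding"
        return self.port_state


def sync_handshake():
    """Constructed example: switch A has the better priority, so B agrees."""
    a = RstpSwitch("A", 4096, "000b.45e3.8080", 0x8001)
    b = RstpSwitch("B", 32768, "0011.2233.aabb", 0x8002)
    agreement = b.on_proposal(a.proposal())
    a.on_agreement(agreement)
    return (a.port_state, b.port_role, b.port_state)
```

Reversing the roles (B proposing to A) makes `on_proposal` return `None`: A knows a better root than B offers, so there is no agreement and the proposer has to fall back to timer-based convergence, which is the situation the interoperation slide describes for a legacy 802.1D neighbour as well.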
RSTP with PVST+
Per VLAN Spanning Tree (PVST+) allows the definition of a spanning tree instance per VLAN –
Normal PVST+ mode relies on the use of the older 802.1D STP to reconverge the STP domain
in the case of a link failure – Rapid PVST allows the use of 802.1w with Cisco’s PVST providing
for much faster convergence

[Figure: one switch carrying VLAN 10, VLAN 205 and VLAN 377, each running its own STP Instance (1, 2 and 3).]

Each STP instance uses the 802.1w algorithm to reconverge the network in case of a link failure
CHAPTER 14.6 – Understanding MST (802.1s)
Understanding MST
Multiple Spanning Tree (MST) as defined in 802.1s defines the ability to support multiple
instances of spanning tree over VLAN trunks – usually each instance is associated with a
VLAN – MST appears as a single bridge to adjacent Spanning Tree instances

[Figure: a triangle of three switches carrying VLAN A and VLAN B; with a single STP instance, VLAN A and VLAN B share the same forwarding path and the same backup path, so one link is blocked for both VLANs.]

The problem with running a single instance of STP is that any blocked link is unable to actively
participate in the forwarding of data – thus it becomes a wasted resource…
Understanding MST
Why MST? It allows redundant links that would otherwise be left inactive, to be utilized as the
active forwarding path by other STP instances running on the switch…

[Figure: the same triangle of three switches; VLAN A forwards on one link and uses the other as its backup path, VLAN B does the opposite – ALL PATHS FORWARDING.]

In this mode, each VLAN has its own active forwarding path, so all links can be utilized for
forwarding data – however, each link still provides a backup path for their respective VLAN…
Each STP instance sees its own set of forwarding paths and backup links..
MST Region
An MST Region defines a boundary within which a single instance of Spanning Tree operates –
there can be multiple regions that exist on a switch at one time… Up to 16 instances can run
on a switch identified by the numbers 0 through 15

[Figure: one switch running MST Region 0, MST Region 1, MST Region 2 and MST Region 5, with VLANs 3, 10, 43, 29, 77, 22, 108, 252, 912, 147, 443 and 782 distributed among them.]

MST Region Instance 0 is mandatory and is always present – other instances are optional –
each instance typically maps to a VLAN or set of VLAN’s
MST Region Components
An MST Region consists of a few different components – these include:

[Figure: MST Region A and MST Region B, each containing switches; edge ports face hosts, a boundary port faces the other region.]

Edge Port
  An edge port is one that connects to a non bridging device – a port that connects to a
  hub is also considered an edge port

Boundary Port
  A Boundary Port is one that connects to a designated bridge that belongs to a single
  spanning tree instance or another MST instance
MST Configuration
Configuration of MST is built around three parts…

MST Name
  Each MST Instance needs to be configured with a name up to 32 bytes in length

MST Revision Number
  Each MST Instance needs a revision number (16 bits) identifying the revision of the current
  configuration

MST Config Table
  A configuration table identifying the VLAN’s mapped to this MST instance
CHAPTER 14.7 – Configuring MST (802.1s)
RSTP/MSTP Configuration
Rapid PVST+ can be enabled as follows…

6500(config)# spanning-tree mode ?
  mst         Multiple spanning tree mode
  pvst        Per-Vlan spanning tree mode
  rapid-pvst  Per-Vlan rapid spanning tree mode
6500(config)# spanning-tree mode rapid-pvst ?
  <cr>

The MST mode of operation can be enabled as follows…

6500(config)# spanning-tree mode ?
  mst         Multiple spanning tree mode
  pvst        Per-Vlan spanning tree mode
  rapid-pvst  Per-Vlan rapid spanning tree mode
6500(config)# spanning-tree mode mst ?
  <cr>
RSTP/MSTP Configuration
MST Configuration mode can be entered into as follows…

6500(config)# spanning-tree mst ?
  WORD           MST instance range, example: 0-3,5,7-9
  configuration  Enter MST configuration submode
  forward-time   Set the forward delay for the spanning tree
  hello-time     Set the hello interval for the spanning tree
  max-age        Set the max age interval for the spanning tree
  max-hops       Set the max hops value for the spanning tree

6500(config)# spanning-tree mst configuration
6500(config-mst)#?
  abort         Exit region configuration mode, aborting changes
  exit          Exit region configuration mode, applying changes
  instance      Map vlans to an MST instance
  name          Set configuration name
  no            Negate a command or set its defaults
  private-vlan  Set private-vlan synchronization
  revision      Set configuration revision number
  show          Display region configurations

6500(config-mst)#
RSTP/MSTP Configuration
MST Configuration Mode example is shown below

6500(config-mst)# name cisco
6500(config-mst)# instance ?
  <0-15>  MST instance id
6500(config-mst)# instance 3 ?
  vlan  Range of vlans to add to the instance mapping
6500(config-mst)# instance 3 vlan ?
  LINE  vlan range ex: 1-65, 72, 300 -200
6500(config-mst)# instance 3 vlan 300
6500(config-mst)# revision ?
  <0-65535>  Configuration revision number
6500(config-mst)# revision 444
6500(config-mst)# show pending
Pending MST configuration
Name      [cisco]
Revision  444
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-299,301-4094
3         300
-------------------------------------------------------------------------------

6500(config-mst)#
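The `show pending` output above follows directly from the three-part MST configuration described on the earlier MST Configuration slide: every VLAN starts in instance 0, `instance 3 vlan 300` moves one VLAN out, and the name and revision complete the region identity. The following Python reproduces that bookkeeping as an added example (it is not the switch's own code): it parses the `LINE` VLAN-range syntax from the CLI help, renders the mapping back in the compressed form the switch prints, enforces the ranges the CLI shows (instance 0-15, revision 0-65535, name up to 32 bytes) and compares two configurations the way region membership is decided. The class and function names are the example's own; the name `cisco`, instance 3, VLAN 300 and revision 444 are the values from the slide.

```python
MAX_VLAN, MAX_INSTANCE, MAX_NAME_BYTES, MAX_REVISION = 4094, 15, 32, 65535


def parse_vlan_range(text):
    """Parse the 'LINE vlan range' syntax from the CLI help ('1-65, 72, 300') into a set."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        low, _, high = part.partition("-")
        low, high = int(low), int(high) if high else int(low)
        if not 1 <= low <= high <= MAX_VLAN:
            raise ValueError(f"bad vlan range {part!r}")
        vlans.update(range(low, high + 1))
    return vlans


def format_vlan_range(vlans):
    """Render a set of VLANs the way 'show pending' does: '1-299,301-4094'."""
    runs, start, prev = [], None, None
    for v in sorted(vlans):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            runs.append((start, prev))
            start = prev = v
    if start is not None:
        runs.append((start, prev))
    return ",".join(f"{a}-{b}" if a != b else f"{a}" for a, b in runs)


class MstRegionConfig:
    """The three parts of an MST configuration: name, revision and the
    VLAN-to-instance table. Every VLAN starts in instance 0, which always exists."""

    def __init__(self):
        self.name = ""
        self.revision = 0
        self.table = {v: 0 for v in range(1, MAX_VLAN + 1)}

    def set_name(self, name):
        if len(name.encode()) > MAX_NAME_BYTES:
            raise ValueError(f"name longer than {MAX_NAME_BYTES} bytes")
        self.name = name

    def set_revision(self, revision):
        if not 0 <= revision <= MAX_REVISION:
            raise ValueError(f"revision must be 0-{MAX_REVISION}")
        self.revision = revision

    def instance_vlan(self, instance, vlan_range):
        """'instance N vlan LINE': VLANs are moved from their current instance to N."""
        if not 0 <= instance <= MAX_INSTANCE:
            raise ValueError(f"instance must be 0-{MAX_INSTANCE}")
        for v in parse_vlan_range(vlan_range):
            self.table[v] = instance

    def vlans_mapped(self):
        """{instance: 'compressed vlan list'} for every instance that has VLANs."""
        by_instance = {}
        for v, inst in self.table.items():
            by_instance.setdefault(inst, set()).add(v)
        return {inst: format_vlan_range(vs) for inst, vs in sorted(by_instance.items())}

    def show_pending(self):
        lines = ["Pending MST configuration", f"Name      [{self.name}]", f"Revision  {self.revision}",
                 "Instance  Vlans mapped", "--------  " + "-" * 69]
        lines += [f"{inst:<8}  {vlans}" for inst, vlans in self.vlans_mapped().items()]
        lines.append("-" * 79)
        return "\n".join(lines)

    def same_region(self, other):
        """Two switches form one region only if name, revision and table all match."""
        return (self.name, self.revision, self.table) == (other.name, other.revision, other.table)


def slide_example():
    """The configuration entered on the slide."""
    cfg = MstRegionConfig()
    cfg.set_name("cisco")
    cfg.instance_vlan(3, "300")
    cfg.set_revision(444)
    return cfg


if __name__ == "__main__":
    print(slide_example().show_pending())
```

The `same_region` check is the practical reason the revision number exists: a switch whose table was edited without bumping the revision, or bumped without the same edit, silently becomes its own region, and the link to its neighbours turns into a boundary port running a single common spanning tree.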
RSTP/MSTP Configuration
MST Show commands…

6500# show spanning-tree mst detail

###### MST00 vlans mapped: 1-299,301-4094
Bridge        address 000b.45e3.8080  priority      32768 (32768 sysid 0)
Root          this switch for CST and IST
Configured    hello time 2, forward delay 15, max age 20, max hops 20

GigabitEthernet1/5 of MST00 is designated learning
Port info             port id       128.5  priority    128  cost       20000
Designated root       address 000b.45e3.8080  priority  32768  cost           0
Designated ist master address 000b.45e3.8080  priority  32768  cost           0
Designated bridge     address 000b.45e3.8080  priority  32768  port id    128.5
Timers: message expires in 0 sec, forward delay 0, forward transitions 0
Bpdus sent 16, received 0

<snip>
RSTP/MSTP Configuration
Cisco Systems
MST Show commands…

6500# show spanning-tree mst 0

###### MST00 vlans mapped: 1-299,301-4094


Bridge address 000b.45e3.8080 priority 32768 (32768 sysid 0)
Root this switch for CST and IST
Configured hello time 2, forward delay 15, max age 20, max hops 20

Interface Role Sts Cost Prio.Nbr Type


---------------- ---- --- --------- -------- --------------------------------
Gi1/5 Desg FWD 20000 128.5 P2p
Gi1/6 Desg FWD 20000 128.6 P2p
Gi1/7 Desg FWD 20000 128.7 P2p
Gi1/8 Desg FWD 20000 128.8 P2p
Gi5/2 Desg FWD 20000 128.514 P2p

6500#


January 2004
Catalyst 6500 Technical Training
CHAPTER 15: IGMP Snooping


CHAPTER 16: PIM Snooping


CHAPTER 17: Understanding and Configuring RGMP


CHAPTER 18: Network Security


CHAPTER 18.1 – Network Security

Network Security
This section covers three network security features of the 6500 that supplement the other security features found in the IOS software suite:

[Figure: three panels, MAC Address Traffic Blocking, TCP Intercept and Unicast RPF Check]

• MAC Address Traffic Blocking limits which MAC addresses can communicate with other MAC addresses.
• TCP Intercept limits the impact of TCP SYN flooding attacks, a form of denial of service.
• Unicast RPF Check helps mitigate problems caused by malformed or spoofed IP source addresses.

MAC Address Traffic Blocking
The 6500 can drop ALL traffic to and/or from a given MAC address. The drop entry is created per VLAN: the MAC address is specified together with the VLAN in which it is to be blocked.

[Figure: switch with VLAN 10 (MAC A, MAC B, MAC C) and VLAN 20 (MAC D, MAC E, MAC F)]

Traffic to and from specific MAC addresses can be dropped with the addition of a single command in the switch.

Configuring MAC Address Traffic Blocking
[Figure: as on the previous slide]

6500(config)# mac-address-table static 0000.0c12.3456 vlan ?
  <1-4094>  VLAN id of mac address table

6500(config)# mac-address-table static 0000.0c12.3456 vlan 101 ?
  drop       drop frames
  interface  interface

6500(config)# mac-address-table static 0000.0c12.3456 vlan 101 drop

The entry is a static MAC address table entry whose action is drop instead of an interface: frames in VLAN 101 with 0000.0c12.3456 as source or destination address are discarded. Use show mac-address-table static to verify that the entry is present in the intended VLAN.

Understanding a TCP Flow
A TCP session starts with a three-way handshake before any data is exchanged between the two end points:

1. Host A sends a TCP SYN packet to Host B, indicating that it wishes to start a TCP session.
2. Host B responds to the SYN with a TCP SYN ACK, acknowledging that it received the request. At this stage Host B holds a temporary entry in memory (a half-open connection) for the session that is about to start.
3. Host A responds to the SYN ACK with a TCP ACK. The session is now established and data can flow between the two hosts.

[Figure: Host A and Host B exchanging the SYN, SYN ACK and ACK packets]
TCP Flow in more detail
[Figure: TCP header of each of the three handshake packets, with the flag bits highlighted]

• TCP SYN packet: the SYN flag is set to initiate a session with the destination IP address.
• TCP SYN ACK packet: the ACK flag is set to acknowledge the TCP SYN (the SYN flag is also set).
• TCP ACK packet: the ACK flag is set to acknowledge the TCP SYN ACK.

Problem with TCP Handshake
After the receiving host has responded with the TCP SYN ACK, it holds state in local memory for the session that is about to start. That memory is not freed until the TCP ACK comes back from the originating host.

[Figure: Host A sending SYN after SYN to Host B without ever completing the handshake]

If Host A keeps sending TCP SYN requests to Host B without completing the handshakes (known as SYN flooding), Host B can exhaust the memory it uses to hold state for pending TCP sessions, which can compromise the operation of that host. The source addresses of such a flood are normally spoofed, so the SYN ACKs go to hosts that never answer.

Some way is needed to rate limit the impact of TCP SYN flooding.
Understanding TCP Intercept
TCP Intercept mitigates TCP SYN flooding by intercepting and validating TCP connection requests. On the Catalyst 6500, TCP Intercept is processed in hardware. The TCP Intercept process uses an access control list to identify which TCP connection requests to intercept, normally those destined to the servers that need protecting.

[Figure: imaginary client issuing fake TCP SYNs through the switch towards a server]

Without TCP Intercept, TCP sessions flow freely between hosts, so every fake SYN reaches the server and occupies a half-open connection there.

Understanding TCP Intercept
In intercept mode, the TCP Intercept function intercepts the TCP SYN and completes the handshake with the client on behalf of the server. Only once the client has answered (proving that it exists) does it set up a session with the server and knit the two sessions together.

[Figure: the switch intercepting the imaginary client's SYN before it reaches the server]

This allows the TCP Intercept code to drop SYN requests from unreachable hosts, protecting the server from flooding.

TCP Intercept Mode
TCP Intercept has two modes of operation, intercept and watch:

• Intercept mode: actively intercepts incoming SYN requests and waits for the client's ACK. When the ACK is received, it sends the original SYN on to the destination and joins the two half connections.
• Watch mode: SYN requests are allowed to pass through, and the connection is watched until it is established. If the session is not established within 30 seconds, TCP Intercept sends a TCP reset to the server to clear the half-open connection.

TCP Intercept Drop Mode
When the number of incomplete connections exceeds 1,100, or the number of connection requests received in the last one minute exceeds 1,100, the TCP Intercept process becomes more aggressive about dropping incomplete sessions.

[Figure: imaginary client flooding the server through the switch]

By default the software drops the oldest incomplete connection first, but it can be changed to drop a random incomplete connection.
TCP Intercept Drop Mode Thresholds
Internally, TCP Intercept uses a high and a low threshold to determine when to start and when to stop its aggressive drop behaviour for incomplete sessions.

[Figure: number of incomplete sessions over time, crossing the high threshold and later falling back below the low threshold]

• High threshold: when the count of incomplete sessions (or of connection requests in the last minute) crosses it, TCP Intercept starts aggressively dropping incomplete sessions and shortens its retransmission (drop) interval to 0.5 seconds.
• Low threshold: when the count falls back below it, TCP Intercept stops aggressive dropping and reverts to normal. The retransmission interval then winds back out, starting at 1 second and doubling to 2, 4, 8 and finally 16 seconds.

The gap between the two thresholds provides hysteresis, so that a count hovering around one value does not toggle the aggressive behaviour on and off every few packets.
Understanding Unicast RPF
A common denial of service technique is to spoof the IP source address of packets sent to a host. Unicast Reverse Path Forwarding (uRPF) checks can mitigate this attack.

[Figure: switch with Networks A, B, C and D attached and its forwarding table; a packet with DST=C and SRC=Y arrives on the interface facing Network B]

The source address Y does not belong to the network behind the interface the packet arrived on (it should be a Network B address), so the packet is dropped.

uRPF does a reverse path lookup on each packet's source address to ensure the source is known and installed in the local forwarding table. Packets with unknown IP source addresses are dropped.
Multipath URPF Check
The Sup720 can perform multipath uRPF checks in hardware. If a network can be reached through more than one interface, a multipath forwarding entry is installed in the forwarding table, and the uRPF feature can look up two paths for the same source network in hardware.

[Figure: network 10.1.1.0/24 attached via INT G1/1 and INT G1/2, network 10.2.1.0/24 attached via INT G1/3]

6500 Forwarding Table

Prefix         Next Hop   Interface
10.1.1.0/24    10.1.1.3   INT G1/1
               10.1.1.4   INT G1/2
10.2.1.0/24    10.2.1.2   INT G1/3
URPF Check Methods
There are four methods of performing uRPF checks on the Sup720:

[Figure: network 10.1.1.0/24 attached via INT G1/1 and INT G1/2, network 10.2.1.0/24 attached via INT G1/3]

• Strict Unicast Reverse Path Forwarding check
• Strict Unicast Reverse Path Forwarding check with allow-default
• Loose Unicast Reverse Path Forwarding check
• Loose Unicast Reverse Path Forwarding check with allow-default

URPF Check Methods
Strict URPF Check
The strict uRPF check method verifies that traffic received by the system is sourced from a prefix that exists in the routing table, and that the prefix is reachable through the input interface. Packets that do not meet both criteria are discarded. Strict uRPF provides the greatest level of protection against spoofed or invalid source IP addresses. The caveat is asymmetric routing: if the best path back to a legitimate source leaves through a different interface than the one its packets arrive on, strict mode drops that traffic.

[Figure: 10.5.1.0/24 attached via INT G1/1 (next hop 10.1.1.2), 192.168.1.0/24 attached via INT G3/1 (next hop 10.2.1.2)]

6500 Forwarding Table

Prefix            Next Hop   Interface
10.5.1.0/24       10.1.1.2   INT G1/1
192.168.1.0/24    10.2.1.2   INT G3/1

If data arriving on INT G1/1 has a source address other than 10.5.1.x, the packet is dropped.

URPF Check Methods
Strict URPF Check with Allow Default
Relaxes the strict check in one respect: if a packet is sourced from a prefix that does not exist in the routing table, but a valid default route exists, the packet passes the uRPF check provided it is received on one of the reverse-path interfaces for the default route. If there is no default route present, this mode behaves the same as the strict uRPF check method.

[Figure: 10.5.1.0/24 attached via INT G1/1, 192.168.1.0/24 attached via INT G3/1, the rest of the network reached through the default route via INT G2/1]

6500 Forwarding Table

Prefix            Next Hop   Interface
10.5.1.0/24       10.1.1.2   INT G1/1
192.168.1.0/24    10.2.1.2   INT G3/1
Default Route
172.16.1.0/24     10.5.1.2   INT G2/1

The packet is dropped if its source address is not mapped to the input interface and it did not arrive on the default route's interface.
URPF Check Methods
Loose URPF Check
Also known as exist-only checking, the loose uRPF check method verifies only that traffic received by the system is sourced from a prefix that exists in the routing table, regardless of the interface on which the traffic arrives. Packets that do not meet this criterion are discarded. Loose mode is the usual choice where routing is asymmetric; it still catches sources from unrouted address space.

[Figure: 10.5.1.0/24 attached via INT G1/1, 192.168.1.0/24 attached via INT G3/1]

6500 Forwarding Table

Prefix            Next Hop   Interface
10.5.1.0/24       10.1.1.2   INT G1/1
192.168.1.0/24    10.2.1.2   INT G3/1

The interface does not matter: the packet is dropped only if its source address is not found in the local forwarding table.

URPF Check Methods
Loose URPF Check with Allow Default
As long as a default route exists, the behaviour of the loose uRPF check with allow-default is the same as not having uRPF enabled at all: all traffic passes the check, because every source address matches the default route. If no default route exists in the routing table, the behaviour is the same as the loose uRPF check: if the source prefix does not exist, the traffic is discarded.

[Figure: 10.5.1.0/24 attached via INT G1/1, 192.168.1.0/24 attached via INT G3/1, the rest of the network reached through the default route via INT G2/1]

6500 Forwarding Table

Prefix            Next Hop   Interface
10.5.1.0/24       10.1.1.2   INT G1/1
192.168.1.0/24    10.2.1.2   INT G3/1
Default Route
172.16.1.0/24     10.5.1.2   INT G2/1

The packet is dropped only if no default route exists and the source address is not found in the forwarding table.
URPF Check Mode
PUNT Mode
uRPF operates in one of three modes when checking packets from multipath prefixes: PUNT, PASS and INTERFACE-GROUP. In punt mode, uRPF performs the check in hardware for up to two interfaces per prefix; packets arriving on additional interfaces are punted to the MSFC3 for processing in software.

[Figure: network 10.5.1.0/24 reachable through three paths (interfaces 1, 2 and 3); packets from the third path go up to the MSFC]

Network 10.5.1.0/24 has three potential paths to reach it. Packets arriving on the third and subsequent interfaces from this network bypass the hardware uRPF check and are punted to the MSFC to have the uRPF check performed in software.

6500 Forwarding Table

Prefix         Next Hop   Interface
10.5.1.0/24    10.1.1.2   INT G1/1
               10.1.2.2   INT G1/2
               10.1.3.2   INT G1/3

Caveat: a spoofed-source flood arriving on such a third interface lands on the RP as punted packets; this is what the RPF Failure rate limiter described in Chapter 20 bounds.
URPF Check Mode
PASS Mode
The 6500 performs the uRPF check in hardware for single-path and two-path prefixes. In pass mode, the uRPF check is disabled for packets coming from multipath prefixes with three or more reverse-path interfaces: these packets always pass the uRPF check.

[Figure: network 10.5.1.0/24 reachable through three paths; packets from the third path are not checked]

Packets from the first two interfaces are checked in hardware; packets from the third and subsequent interfaces do not go through the uRPF check at all.

6500 Forwarding Table

Prefix         Next Hop   Interface
10.5.1.0/24    10.1.1.2   INT G1/1
               10.1.2.2   INT G1/2
               10.1.3.2   INT G1/3
URPF Check Mode
Interface Group Mode
Performs the uRPF check in hardware for single-path and two-path prefixes, and for up to four additional interfaces per prefix through user-configured multipath uRPF check interface groups.

[Figure: network 10.5.1.0/24 reachable through four paths; interface 4 has been placed in an administrator-defined uRPF interface group]

uRPF Interface Group

Group   Interface
1       INT G1/4

6500 Forwarding Table

Prefix         Next Hop   Interface
10.5.1.0/24    10.1.1.2   INT G1/1
               10.1.2.2   INT G1/2
               10.1.3.2   INT G1/3

The uRPF check is performed in hardware for the interfaces in the interface group above, as well as for the first two interfaces of the prefix.
CHAPTER 18.2 – Configuring TCP Intercept

Configuring TCP Intercept
After defining the access list that identifies the target hosts, TCP Intercept is enabled as follows:

6500(config)# ip tcp intercept list ?
  <100-199>  Extended access list number for intercept
  WORD       Access list name for intercept

The TCP Intercept mode is set as follows:

6500(config)# ip tcp intercept mode ?
  intercept  Intercept connections
  watch      Watch connections

6500(config)# ip tcp intercept mode intercept ?
  <cr>

6500(config)# ip tcp intercept mode watch ?
  <cr>

Configuring TCP Intercept
The TCP Intercept drop mode can be changed to suit local requirements as follows:

6500(config)# ip tcp intercept drop-mode ?
  oldest  Drop oldest incomplete connection
  random  Drop random incomplete connection

The default time TCP Intercept waits in watch mode is 30 seconds; it can be changed as follows:

6500(config)# ip tcp intercept watch-timeout ?
  <1-2147483>  Timeout in seconds

The default time TCP Intercept keeps an inactive session in intercept mode is 24 hours; it can be changed as follows:

6500(config)# ip tcp intercept connection-timeout ?
  <1-2147483>  Timeout in seconds

Configuring TCP Intercept
Drop Mode Thresholds
TCP Intercept drop mode starts aggressively dropping sessions after 1100 incomplete sessions, or after 1100 connection requests in the last one minute. Both thresholds have a high watermark (start aggressive mode) and a low watermark (return to normal) and can be changed as follows:

6500(config)# ip tcp intercept max-incomplete ?
  high  Specify high-watermark for clamping
  low   Specify low-watermark for clamping

6500(config)# ip tcp intercept max-incomplete high ?
  <1-2147483647>  Number of connections

6500(config)# ip tcp intercept max-incomplete low ?
  <1-2147483647>  Number of connections

6500(config)# ip tcp intercept one-minute ?
  high  Specify high-watermark for clamping
  low   Specify low-watermark for clamping

6500(config)# ip tcp intercept one-minute high ?
  <1-2147483647>  Number of connections

6500(config)# ip tcp intercept one-minute low ?
  <1-2147483647>  Number of connections
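The watermark logic described on the drop mode threshold slides and tuned with the max-incomplete and one-minute commands above can be worked through with the following added example (not Cisco code). It keeps the half-open connection table, the one-minute request window, the oldest/random drop choice, the watch-mode timeout and the shortened retransmission schedule, using the IOS defaults (high 1100, low 900, watch timeout 30 seconds). Class and method names are this example's own, and the simulated clients are constructed input.

```python
import random
from collections import OrderedDict, deque

NORMAL_RETRANSMIT = [1, 2, 4, 8, 16]      # seconds between retries in normal mode
AGGRESSIVE_RETRANSMIT = [0.5, 1, 2, 4]    # halved initial timeout, one fewer retry


class TcpIntercept:
    """Model of the max-incomplete and one-minute watermarks that switch
    TCP Intercept between normal and aggressive dropping."""

    def __init__(self, max_incomplete=(1100, 900), one_minute=(1100, 900),
                 drop_mode="oldest", rng=None):
        self.max_high, self.max_low = max_incomplete   # ip tcp intercept max-incomplete high/low
        self.min_high, self.min_low = one_minute       # ip tcp intercept one-minute high/low
        self.drop_mode = drop_mode                     # ip tcp intercept drop-mode oldest|random
        self.rng = rng or random.Random(0)
        self.incomplete = OrderedDict()   # client -> time of its SYN, oldest first
        self.requests = deque()           # timestamps of connection requests (last 60 s)
        self.aggressive = False
        self.dropped = []

    def _one_minute_count(self, now):
        while self.requests and self.requests[0] <= now - 60:
            self.requests.popleft()
        return len(self.requests)

    def _update_mode(self, now):
        # Enter aggressive mode when either count exceeds its high watermark;
        # leave it only when both are back below their low watermarks.
        n_inc, n_min = len(self.incomplete), self._one_minute_count(now)
        if n_inc > self.max_high or n_min > self.min_high:
            self.aggressive = True
        elif n_inc < self.max_low and n_min < self.min_low:
            self.aggressive = False

    def syn(self, now, client):
        """A SYN arrives from client at time now (seconds)."""
        self.requests.append(now)
        self._update_mode(now)
        if self.aggressive and self.incomplete:
            # Each new request in aggressive mode evicts one half-open connection.
            if self.drop_mode == "oldest":
                victim = next(iter(self.incomplete))
            else:
                victim = self.rng.choice(list(self.incomplete))
            del self.incomplete[victim]
            self.dropped.append(victim)
        self.incomplete[client] = now

    def ack(self, now, client):
        """The client completed the handshake: its half-open entry is released."""
        self.incomplete.pop(client, None)
        self._update_mode(now)

    def expired(self, now, watch_timeout=30):
        """Watch mode: half-open connections older than the watch timeout get a reset."""
        return [c for c, t in self.incomplete.items() if now - t >= watch_timeout]

    def retransmit_schedule(self):
        return AGGRESSIVE_RETRANSMIT if self.aggressive else NORMAL_RETRANSMIT
```

Note that the one-minute counter keeps the feature aggressive for up to a minute after the flood stops even when the half-open table has already been drained, which is the behaviour an operator sees when the counters in show tcp intercept statistics take a while to settle.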


CHAPTER 18.3 – Configuring URPF

Configuring URPF
Unicast RPF is enabled on a per-interface basis. Strict uRPF uses the rx keyword: the source must be reachable via the interface on which the packet was received.

6500(config-if)# ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received

6500(config-if)# ip verify unicast source reachable-via rx

Loose uRPF uses the any keyword: the source only has to be reachable via some interface.

6500(config-if)# ip verify unicast source reachable-via any

The allow-default option follows either of the above statements:

6500(config-if)# ip verify unicast source reachable-via any allow-default

6500(config-if)# ip verify unicast source reachable-via rx allow-default

Configuring URPF
The uRPF check mode for multipath prefixes is configured globally as follows:

6500(config)# mls ip cef rpf multipath ?
  interface-group  Use interface group for uRPF check
  pass             Prefixes with more than 2 uRPF interfaces pass uRPF check
  punt             Prefixes with more than 2 uRPF interfaces punt to software

If the interface-group option is chosen, the interface group itself needs to be configured:

6500(config)# mls ip cef rpf interface-group ?
  <0-3>  interface group number

Actual interfaces are then assigned to the interface group, as in the following example (here applied to a GE interface):

6500(config)# mls ip cef rpf interface-group 0 gigabitEthernet ?
  <1-6>  GigabitEthernet interface number
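The four check methods and the three multipath modes of this chapter combine into one decision per packet. The following added example (not Cisco code) models that decision over a small forwarding table built from the prefixes and interfaces on the slides: urpf_verdict implements strict (rx) and loose (any) with and without allow-default, pfc_disposition decides whether a strict check against a multipath prefix is done in hardware, punted to the MSFC3 or skipped, and forward combines the two. The Fib class and the function names are this example's own, and the treatment of interfaces outside a configured interface group is an assumption.

```python
import ipaddress


class Fib:
    """Minimal forwarding table: prefix -> tuple of reverse-path interfaces.
    A prefix listed with several interfaces is a multipath entry."""

    def __init__(self, entries):
        self.entries = sorted(
            ((ipaddress.ip_network(prefix), tuple(ifaces)) for prefix, ifaces in entries),
            key=lambda e: e[0].prefixlen, reverse=True)     # longest prefix first

    def lookup(self, src):
        """Most specific non-default entry covering src, or None."""
        addr = ipaddress.ip_address(src)
        for prefix, ifaces in self.entries:
            if prefix.prefixlen > 0 and addr in prefix:
                return prefix, ifaces
        return None

    def default_route(self):
        for prefix, ifaces in self.entries:
            if prefix.prefixlen == 0:
                return prefix, ifaces
        return None


def urpf_verdict(fib, src, in_if, via="rx", allow_default=False):
    """'ip verify unicast source reachable-via {rx|any} [allow-default]' for one packet.
    via='rx' is the strict check, via='any' the loose (exist-only) check."""
    hit = fib.lookup(src)
    if hit is None:                            # source prefix not in the table
        dflt = fib.default_route()
        if not allow_default or dflt is None:
            return "drop"
        if via == "any":
            return "pass"                      # loose + allow-default + default route: no check
        return "pass" if in_if in dflt[1] else "drop"
    if via == "any":
        return "pass"
    return "pass" if in_if in hit[1] else "drop"


def pfc_disposition(fib, src, in_if, multipath="punt", groups=()):
    """Where the PFC3 performs a strict check: 'hardware', 'punt' (to the MSFC3) or
    'pass' (check skipped), per 'mls ip cef rpf multipath {punt|pass|interface-group}'.
    Up to two reverse-path interfaces per prefix are held in hardware."""
    hit = fib.lookup(src)
    if hit is None or len(hit[1]) <= 2 or in_if in hit[1][:2]:
        return "hardware"
    if multipath == "interface-group":
        # Assumption: an interface placed in an 'mls ip cef rpf interface-group' is
        # checked in hardware; any other third-or-later interface passes unchecked.
        return "hardware" if any(in_if in g for g in groups) else "pass"
    return multipath                           # 'punt' or 'pass'


def forward(fib, src, in_if, via="rx", allow_default=False, multipath="punt", groups=()):
    """Combined result: a skipped check passes; otherwise the uRPF verdict applies,
    whether it is computed in hardware or, after a punt, in MSFC software."""
    where = pfc_disposition(fib, src, in_if, multipath, groups) if via == "rx" else "hardware"
    if where == "pass":
        return "pass"
    return urpf_verdict(fib, src, in_if, via, allow_default)


# Constructed tables using the prefixes and interfaces from the slides above.
SINGLE = Fib([("10.5.1.0/24", ["G1/1"]), ("192.168.1.0/24", ["G3/1"]), ("0.0.0.0/0", ["G2/1"])])
NODEFAULT = Fib([("10.5.1.0/24", ["G1/1"]), ("192.168.1.0/24", ["G3/1"])])
MULTI = Fib([("10.5.1.0/24", ["G1/1", "G1/2", "G1/3"])])
```

The pass mode result for MULTI is the one to keep in mind when choosing a mode: with three or more paths to a prefix, spoofed packets from any of the extra interfaces are never examined at all.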

CHAPTER 19: Understanding and Configuring VACL’s

CHAPTER 19.1 – Understanding VACL’s

Access Control Lists
Access Control Lists (ACLs) were introduced in IOS on routers as a means to define which packets are permitted to be forwarded and which should be dropped.

[Figure: switch with ACL rules applied between Subnet A and Subnet B]

ACLs were primarily used to permit or deny the movement of traffic between subnets. When applied in a switching environment, this type of ACL is commonly referred to as a Router ACL (RACL).
Understanding VACL’s
VLAN Access Control Lists (VACLs) operate like a RACL, but apply access control to packets bridged within a VLAN as well as to packets routed into or out of a VLAN.

[Figure: VACL applied to traffic bridged within VLAN 10; VACL applied to traffic routed between VLAN 10 and VLAN 20]

A VACL uses the same Access Control Entry (ACE) format as a normal router-based ACL: PERMIT and DENY statements on L2, L3 and L4 header information determine what is passed and what is dropped.
Understanding VACL’s
Unlike a Router ACL, which is applied on an inbound or outbound basis, a VACL has no sense of direction: it applies to traffic both at ingress to and egress from the VLAN.

[Figure: VACL applied at ingress and at egress, for packets arriving on an L2 interface and on an L3 interface]

• Packets arriving on an L2 interface have the VACL processed on ingress and on egress.
• Packets arriving on an L3 interface have the ingress VACL processed before the input RACL; the egress VACL is processed after the output RACL.

Combining RACL and VACL
It is possible to use a RACL and a VACL at the same time for L3-switched packets; in doing so it is important to understand the processing order:

1. Input VACL, as the packet is bridged on the ingress L2 interface (PFC)
2. Input RACL on the L3 input interface (MSFC)
3. Output RACL on the L3 output interface (MSFC)
4. Output VACL, as the packet is bridged on the egress L2 interface (PFC)

A packet must pass every stage that is configured to be forwarded; the first stage that denies it drops it.
VLAN Access Map
A VLAN Access Map defines the VACL and is applied to one or more VLANs. Its configuration consists of a match statement (matching traffic against a given ACL) and an action statement (what to do with the matching packets).

VLAN Access Map example:
vlan access-map RULE1 1
 match ip address <acl>
 action <forward|drop|redirect>

MATCH is made against:
• Standard IP ACL (number 1 to 99)
• Extended IP ACL (number 100 to 199)
• Extended named ACL

ACTION options include:
• Forward: switch and forward the packet
• Drop: do not forward the packet
• Redirect: switch the packet to a different interface
• Capture: send a copy of the packet to a capture port
VLAN Filter
The VLAN Filter applies a defined VLAN Access Map to a VLAN or set of VLANs.

[Figure: SVIs for VLAN 10, 20, 30 and 40, with VACL RULE1 and VACL RULE3 applied across them]

• A VACL is active only when a Layer 3 SVI (Switched Virtual Interface) is defined for the VLAN. When no active SVI is available, the VLAN is put into administrative down state and the VACL is inactive.
• A VLAN Filter can apply one VACL to one or more VLANs.
• Each VLAN can be associated with only one VACL.
VACL Capture
The VACL capture facility forwards a copy of matching packets to a CAPTURE port. This is especially useful when a copy of the traffic must be sent to a sniffer interface, and for forwarding packets for inspection by the IDS module and analysis by the Network Analysis Module (NAM).

[Figure: traffic from source to destination through the switch; VACL capture copies it to the capture port, the NAM and the Intrusion Detection Module]

CHAPTER 19.2 – Configuring VACL’s

Configuring VACL
First define the VLAN Access Map with a name and a sequence number:

6500(config)# vlan access-map ?
  WORD  Vlan access map tag

6500(config)# vlan access-map RULE1 ?
  <0-65535>  Sequence to insert/delete/modify for vlan access-map entry
  <cr>

6500(config)# vlan access-map RULE1 1 ?
  <cr>

6500(config)# vlan access-map RULE1 1
6500(config-access-map)#

Once the VLAN access map entry is created you are placed into VLAN access map configuration mode, denoted by the 6500(config-access-map)# prompt. The sequence number orders the entries of a map: the first entry whose match clause hits decides the packet's fate.

Configuring VACL
Match Statement
Next, the match and action statements must be defined:

6500(config-access-map)# match ?
  ip   IP based match
  mac  MAC based match

6500(config-access-map)# match ip ?
  address  Match IP address to access control.

6500(config-access-map)# match ip address ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name
  <cr>

6500(config-access-map)# match ip address 101
6500(config-access-map)#

Here the example matches against a previously defined ACL numbered 101, i.e. an IP extended ACL. The ACL's permit entries select the packets the action applies to; packets the ACL denies fall through to the next sequence number of the map.

Configuring VACL
Action Statement
Then the ACTION statement is configured:

6500(config-access-map)# action ?
  drop      Drop packets
  forward   Forward packets
  redirect  Redirect packets

6500(config-access-map)# action drop ?
  log  Log dropped packets
  <cr>

6500(config-access-map)# action forward ?
  capture  Capture packets
  <cr>

6500(config-access-map)# action forward capture ?
  <cr>

6500(config-access-map)# action redirect ?
  FastEthernet     FastEthernet IEEE 802.3
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Port-channel     Ethernet Channel of interfaces

6500(config-access-map)# action forward

Packets that match no entry of the map are dropped, so a map that only lists what to drop needs a final entry that forwards everything else.
Configuring VACL
VLAN Filter
After the VLAN Access Map has been defined, it needs to be applied to one or more VLANs:

6500(config)# vlan filter ?
  WORD  VLAN map name

6500(config)# vlan filter RULE1 ?
  vlan-list  VLANs to apply filter to

6500(config)# vlan filter RULE1 vlan-list ?
  <1-4094>  VLAN id

6500(config)# vlan filter RULE1 vlan-list 300
6500(config)#

The VACL can also be applied to a range of VLANs as follows:

6500(config)# vlan filter RULE1 vlan-list 300 ?
  ,     comma
  <cr>
  -     hyphen

6500(config)# vlan filter RULE1 vlan-list 300 , 303-310

Configuring VACL
VACL Capture
First set up the VACL capture to identify the packets to be copied to the capture port:

6500(config)# vlan access-map CAP 1              Define access map
6500(config-access-map)# match ip address 101    Define match criteria
6500(config-access-map)# action forward capture  Set as capture

Next, define the target port as a capture port:

6500(config)# interface g1/9
6500(config-if)# switchport capture ?
6500(config-if)# switchport capture allowed vlan ?
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  remove  remove VLANs from the current list

With the capture statement you can optionally restrict which VLANs' captured traffic is sent to this port; without it, the capture port receives copies from every VLAN whose VACL uses the capture action.
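The following added example (not Cisco code) models the pieces configured in this section: ACEs, a VLAN access map with sequence-ordered entries, the vlan filter that maps maps to VLANs, the forward capture action, and the processing order from the Combining RACL and VACL slide (input VACL, input RACL, output RACL, output VACL). It uses CIDR notation in place of IOS address/wildcard pairs; the ACL numbers, VLANs and packets are constructed input and the function names are this example's own.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst dport")
Ace = namedtuple("Ace", "permit proto src dst dport")   # dport None matches any port


def parse_ace(line):
    """Parse an ACE such as 'permit tcp any 10.20.0.0/24 eq 80'.
    CIDR is used here where IOS takes address/wildcard pairs."""
    tok = line.split()
    net = lambda t: ipaddress.ip_network("0.0.0.0/0" if t == "any" else t)
    dport = int(tok[5]) if len(tok) > 5 and tok[4] == "eq" else None
    return Ace(tok[0] == "permit", tok[1], net(tok[2]), net(tok[3]), dport)


def acl_permits(aces, pkt):
    """First-match ACL evaluation with the implicit deny at the end."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for a in aces:
        if a.proto in ("ip", pkt.proto) and src in a.src and dst in a.dst \
                and a.dport in (None, pkt.dport):
            return a.permit
    return False


class VlanAccessMap:
    """'vlan access-map NAME SEQ' entries, each 'match ip address ACL' plus 'action'."""

    def __init__(self, name):
        self.name, self.entries = name, []

    def entry(self, seq, acl, action, capture=False):
        self.entries.append((seq, acl, action, capture))
        self.entries.sort()
        return self

    def apply(self, acls, pkt, captured):
        """Entries are tried in sequence order; a packet permitted by an entry's ACL
        takes that entry's action. A packet matching no entry is dropped."""
        for _, acl, action, capture in self.entries:
            if acl_permits(acls[acl], pkt):
                if capture:                       # 'action forward capture'
                    captured.append(pkt)
                return action
        return "drop"


def forward_packet(pkt, in_vlan, out_vlan, vlan_filter, maps, acls,
                   racl_in=None, racl_out=None, captured=None):
    """Walk the checks in the order the PFC/MSFC apply them:
    1 input VACL, 2 input RACL, 3 output RACL, 4 output VACL. The RACLs and the
    output VACL only come into play when the packet is routed to another VLAN
    (a bridged packet meets the same map twice, with the same result).
    Returns (verdict, stages); the first non-forward verdict ends processing."""
    captured = [] if captured is None else captured
    stages = []

    def vacl(vlan, label):
        name = vlan_filter.get(vlan)               # 'vlan filter NAME vlan-list VLAN'
        if name is None:
            return "forward"
        verdict = maps[name].apply(acls, pkt, captured)
        stages.append((label, verdict))
        return verdict

    def racl(acl, label):
        if acl is None:
            return "forward"
        verdict = "forward" if acl_permits(acls[acl], pkt) else "drop"
        stages.append((label, verdict))
        return verdict

    checks = [lambda: vacl(in_vlan, "input VACL")]
    if in_vlan != out_vlan:
        checks += [lambda: racl(racl_in, "input RACL"),
                   lambda: racl(racl_out, "output RACL"),
                   lambda: vacl(out_vlan, "output VACL")]
    for check in checks:
        verdict = check()
        if verdict != "forward":
            return verdict, stages
    return "forward", stages


# Constructed sample policy: web traffic into the server VLAN is captured for the
# IDS/NAM, telnet inside the server VLAN is dropped by its VACL, and the server
# SVI's outbound RACL 104 only lets HTTP through.
ACLS = {
    "101": [parse_ace("permit tcp any 10.20.0.0/24 eq 80")],
    "102": [parse_ace("permit ip any any")],
    "103": [parse_ace("permit tcp any any eq 23")],
    "104": [parse_ace("permit tcp any 10.20.0.0/24 eq 80")],
}
MAPS = {
    "RULE1": VlanAccessMap("RULE1").entry(10, "101", "forward", capture=True)
                                   .entry(20, "102", "forward"),
    "BLOCK": VlanAccessMap("BLOCK").entry(10, "103", "drop")
                                   .entry(20, "102", "forward"),
}
VLAN_FILTER = {300: "RULE1", 20: "BLOCK"}
```

The stages list returned by forward_packet is the thing to read when a flow is mysteriously dropped: it tells you whether a VACL or a RACL made the decision, and in which direction.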
CHAPTER 20: RP Rate Limiters

CHAPTER 20.1 – Understanding RP Rate Limiters

Understanding the MSFC
The MSFC is a daughter card that sits on the Supervisor 720 base board. It houses the Route Processor (RP), which provides many of the control plane functions for the switch; the RP is an important component in the forwarding architecture of the switch.

[Figure: MSFC daughter card carrying the Route Processor]

Understanding Packet Flow
The Supervisor 720 supports the CEF architecture for forwarding packets. The MSFC learns about the network (1) and builds its routing tables (2); from these it builds a Forwarding Information Base (FIB) and pushes it down to the PFC (3).

[Figure: MSFC routing tables above the PFC FIB, with linecards below; numbered steps 1 to 5]

To switch a packet, the PFC looks up the FIB to work out where to send it (4, 5). Mostly, packet switching is done in hardware, BUT there are exceptions.
Understanding Packet Flow
In some instances, forwarding a packet requires it to be punted to the RP on the MSFC for processing. The MSFC operates at a much lower forwarding rate (up to 500 Kpps) than the PFC hardware (up to 30 Mpps), so there is potential for the MSFC to be oversubscribed.

[Figure: packet path linecard (1) to PFC (2) to MSFC routing tables (3, 4) back through the PFC FIB (5) to the egress linecard (6)]
RP Rate Limiters
Why Rate Limiters
If the load on the RP becomes too high and is sustained, the impact on the operation of the switch can be significant. Fully loading the RP to 100% utilization can result in:

1. Routing protocols getting out of sync with the rest of the network, causing network flaps and major network transitions.
2. The console locking up under the high RP load.
3. Other RP-based processes ceasing to operate, or running with unpredictable results.

[Figure: RP on the MSFC above the PFC and the linecards]

Any class of packet that an outsider can cause to be punted at will (packets whose TTL expires at the switch, for example) therefore turns into a remote denial of service against the switch's control plane, which is the reason for the rate limiters.

RP Rate Limiters
What is on offer
There is a set of unicast and multicast RP rate limiters available on the Supervisor 720. Each rate limiter allows the administrator to define the number of packets per second of that particular stream that are allowed to reach the RP. The rate limiters available are:

Unicast RP Rate Limiters
• ACL Input
• ACL Output
• ACL VACL Log
• CEF Glean
• CEF Receive
• IP Errors
• IP Features
• ICMP Redirect
• ICMP Unreachable
• RPF Failure
• Layer 2 PDU
• Layer 2 Protocol Tunneling
• TTL Failure
• MTU Failure

Multicast RP Rate Limiters
• FIB Miss
• Partial
• Connected

Unicast RP Rate Limiters
ACL
If the ACL process needs to send a packet to the RP (for VACL logging, or because an ICMP unreachable message needs to be generated, etc.), that stream of packets from the ACL process can be rate limited:

• ACL Input: input ACL lookups requiring a punt to the RP.
• ACL Output: output ACL lookups requiring a punt to the RP.
• ACL VACL Log: VACL lookups requiring a punt to the RP for logging.

[Figure: PFC ACL lookups (input ACL and output ACL) punting packets to the RP on the MSFC]
Unicast RP Rate Limiters
CEF
Two CEF rate limiters are available, CEF Glean and CEF Receive.

• CEF Glean: occurs when a directly connected host does not have an entry in the ARP table; the packet is punted so that the RP can ARP for the next hop MAC address. A scan across the unused addresses of an attached subnet is the classic way to generate a flood of glean punts.
• CEF Receive: for packets addressed to interfaces that belong to the RP itself; these packets need to be punted to the RP for processing.

[Figure: MSFC ARP table and RP interfaces, with Host A on a directly connected subnet]

Unicast RP Rate Limiters
IP
There are four IP RP rate limiters available, Errors, Features, ICMP and RPF Failure:

• IP Errors: IP packets with errors inherent in the packet, such as checksum errors or length errors, are sent to the RP for processing.
• IP Features: when some IP features are enabled they are processed by the RP; traffic handled by features like NBAR, accounting, IPSec, etc. is protected by this rate limiter.
• IP ICMP: IP packets requiring ICMP processing, both ICMP unreachable and ICMP redirect, are rate limited by this option.
• IP RPF Failure: packets that have failed the (loose or strict) RPF check, or that need the check performed for routes with a third or subsequent interface, are handled by this rate limiter.

Unicast RP Rate Limiters
Layer 2
Layer 2 RP rate limiters provide protection against the following:

• L2 Protocol Tunnel: Layer 2 Protocol Tunneling requires RP processing; this rate limiter protects against high loads of L2PT traffic.
• PDU: Protocol Data Units such as CDP, pause frames, etc. also require processing by the RP, and these can now be rate limited.

[Figure: L2PT frames and PDUs being punted to the RP]

Unicast RP Rate Limiters
All
The ALL type of RP rate limiter protects against the following:

• TTL failure: TTL (Time to Live) is a means to stop IP packets from being forwarded perpetually. On its journey from source to destination, a packet's TTL value is decremented by 1 at each hop. An IP packet arriving with a TTL of 1 cannot be forwarded and requires RP processing (to generate the ICMP time exceeded reply).

[Figure: IPv4 header with the Version, HDR Length, TOS, Total Length, ID, Flags, Frag Offset, TTL, Protocol and other fields; the TTL field highlighted]

• MTU failure: where a packet is larger than the egress interface MTU, the RP is required to process the packet.

[Figure: packet entering the switch and leaving towards an output with MTU 1536 bytes]

Multicast RP Rate Limiters
There are three multicast RP rate limiters available:

• Connected: rate limits packets from directly connected multicast sources.
• Partial: rate limits packets during the partial shortcut state, the window in which the PFC does not yet hold a complete hardware entry for the flow.
• FIB Miss: multicast packets with no FIB entry are punted to the RP for processing.

[Figure: multicast source, PFC FIB and the RP on the MSFC]

CHAPTER 20.2 – Configuring RP Rate Limiters

Configuring RP Rate Limiters
ALL
RP Rate Limiters for MTU and TTL failures can be configured as follows

6500(config)# mls rate-limit ?
  all        Rate Limiting for both Unicast and Multicast packets
  layer2     layer2 protocol cases
  multicast  Rate limiting for Multicast packets
  unicast    Rate limiting for Unicast packets

6500(config)# mls rate-limit all ?
  mtu-failure  MTU failure cases
  ttl-failure  TTL failure cases

6500(config)# mls rate-limit all mtu-failure ?
  <10-1000000>  packets per second

6500(config)# mls rate-limit all ttl-failure ?
  <10-1000000>  packets per second

Configuring RP Rate Limiters
Layer 2
RP Rate Limiters for Layer 2 Protocol Tunneling and PDU packets can be configured as follows

6500(config)# mls rate-limit layer2 ?
  l2pt  layer2 protocol tunnelling packets
  pdu   layer2 protocol data unit packets

6500(config)# mls rate-limit layer2 l2pt ?
  <10-1000000>  packets per second

6500(config)# mls rate-limit layer2 pdu ?
  <10-1000000>  packets per second

Configuring RP Rate Limiters
IP
RP Rate Limiters for IP traffic, including erroneous IP packets, IP features and RPF failure checks, use the following

6500(config)# mls rate-limit unicast ip ?
  errors       packets with IP Checksum and length errors
  features     packets to layer3 software security features (Auth.Proxy, IPSEC, Inspection)
  icmp         packets requiring ICMP messages from the RP
  rpf-failure  packets failing the RPF check

6500(config)# mls rate-limit unicast ip errors ?
  <10-1000000>  packets per second

6500(config)# mls rate-limit unicast ip features ?
  <10-1000000>  packets per second

6500(config)# mls rate-limit unicast ip rpf-failure ?
  <0-0>         no packets up to the RP
  <10-1000000>  packets per second
Configuring RP Rate Limiters
IP ICMP
RP Rate Limiters for packets that require the RP to generate ICMP redirect or ICMP unreachable messages can be configured as follows

6500(config)# mls rate-limit unicast ip icmp ?
  redirect     packets requiring ICMP redirect (same VLAN)
  unreachable  packets requiring ICMP unreachable message

6500(config)# mls rate-limit unicast ip icmp redirect ?
  <0-0>         no packets up to the RP
  <10-1000000>  packets per second

6500(config)# mls rate-limit unicast ip icmp unreachable ?
  acl-drop  dropped via ACLs
  no-route  dropped via FIB Miss case

6500(config)# mls rate-limit unicast ip icmp unreachable acl-drop ?
  <0-0>         no packets up to the RP
  <10-1000000>  packets per second

6500(config)# mls rate-limit unicast ip icmp unreachable no-route ?
  <0-0>         no packets up to the RP
  <10-1000000>  packets per second
Configuring RP Rate Limiters
CEF
RP Rate Limiters for CEF glean and receive packets can be configured as follows

6500(config)# mls rate-limit unicast ?
  acl  ACL BRIDGE results
  cef  CEF cases
  ip   IP packets

6500(config)# mls rate-limit unicast cef ?
  glean    Packets requiring ARP resolution
  receive  Packets falling in the Receive case

6500(config)# mls rate-limit unicast cef glean ?
  <10-1000000>  packets per second

6500(config)# mls rate-limit unicast cef receive ?
  <10-1000000>  packets per second

Configuring RP Rate Limiters
ACL
RP Rate Limiters for ACL packets can be configured as follows

6500(config)# mls rate-limit unicast acl ?
  input     Input ACL lookups requiring punt to RP
  output    Output ACL lookups requiring punt to RP
  vacl-log  Vlan ACL logging requiring punt to RP

6500(config)# mls rate-limit unicast acl input ?
  <10-1000000>  packets per second

6500(config)# mls rate-limit unicast acl output ?
  <10-1000000>  packets per second

6500(config)# mls rate-limit unicast acl vacl-log ?
  <10-5000>  packets per second

Configuring RP Rate Limiters
Multicast
RP Rate Limiters for Multicast packets can be configured as follows

6500(config)# mls rate-limit multicast ?
  connected  Rate limiting of multicast packets from directly connected source
  fib-miss   Rate limiting of fib-missed multicast packets
  partial    Rate limiting of multicast packets during partial-SC state

6500(config)# mls rate-limit multicast connected ?
  <10-1000000>  packets per second

6500(config)# mls rate-limit multicast fib-miss ?
  <10-1000000>  packets per second

6500(config)# mls rate-limit multicast partial ?
  <10-1000000>  packets per second
Catalyst 6500 Technical Training – January 2004

CHAPTER 21: Port Security

CHAPTER 21.1 – Understanding Port Security

Understanding Port Security

The port security feature is used to restrict input to an interface on the 6500 by limiting and identifying the MAC addresses of the workstations that are allowed to access the port

[Diagram: switch MAC table – Port 1: A, Port 2: G, Port 3: C, Port 4: D]

A table is maintained by the switch identifying which MAC addresses can access which local switch ports

Port Security can be configured to perform one of a series of actions on a port where an invalid host tries to connect into the network

Understanding Port Security
Port Security can be configured in one of the following modes…

Specific MAC Address
Designed to specify which MAC addresses can connect to a particular switch port

MAC Address Limit
Designed to limit the number of MAC addresses that can be supported on a single switch port

Understanding Port Security
Action
When either the MAC address limit has been exceeded, or an invalid MAC address is detected on a Port Security port, the port can be configured to perform a specific action – these actions include…

Protect
Used with the MAC address limit – drops packets from unknown MAC addresses until the number of secure addresses on the port drops below the maximum value. The drop is silent: no counter is incremented and no notification is sent

Restrict
Same as Protect mode but also increments the Security Violation counter

Shutdown
Places the port into an error-disabled state and sends an SNMP trap
CHAPTER 21.2 – Configuring Port Security

Configuring Port Security
First the port must be in switchport access mode

6500(config-if)# switchport
6500(config-if)# switchport mode access

Port Security is disabled by default – it can be enabled in interface configuration mode as follows

6500(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>

6500(config-if)# switchport port-security
6500(config-if)#

Configuring Port Security
The maximum number of MAC addresses that can be supported in port security mode on the interface is set as follows

6500(config-if)# switchport port-security maximum ?
  <1-1025>  Maximum addresses

The actual MAC address you want to secure on the port can be defined as follows

6500(config-if)# switchport port-security mac-address ?
  H.H.H  48 bit mac address

Use the aging feature to remove and add hosts without manually deleting the existing secure MAC addresses, while still limiting the number of secure addresses on a port

6500(config-if)# switchport port-security aging ?
  time  Port-security aging time

6500(config-if)# switchport port-security aging time ?
  <1-1440>  Aging time in minutes. Enter a value between 1 and 1440

Configuring Port Security
The Port Security configuration can be viewed for an interface as follows

6500# show port-security interface g1/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 000b.6010.17fc
Last Source Address        : 000b.6010.17fc
Security Violation Count   : 1
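The violation modes and the show port-security output above can be exercised with the following Python model. It is an added example written for this page, not Cisco code: a constructed switch-port object that learns secure MACs up to the configured maximum, honours static entries and absolute aging, and applies protect, restrict or shutdown on a violation. The MAC addresses other than 000b.6010.17fc, the trap strings and the minute-based clock are assumptions.

```python
"""Port security model: secure-MAC learning up to a per-port maximum, static
secure addresses, absolute aging and the protect / restrict / shutdown
violation modes. Added example for this page, not Cisco code."""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                              # switchport port-security maximum
    violation: str = SHUTDOWN                     # switchport port-security violation
    aging_minutes: int = 0                        # 0 = learned addresses never age out
    secure: dict = field(default_factory=dict)    # mac -> (is_static, minute it was learned)
    violation_count: int = 0
    err_disabled: bool = False
    traps: list = field(default_factory=list)     # constructed stand-in for SNMP traps

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address H.H.H"""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError("maximum secure addresses already configured")
        self.secure[mac] = (True, 0)

    def _age(self, now_min: int) -> None:
        """Absolute aging: a learned (non-static) address expires aging_minutes after it was learned."""
        if self.aging_minutes == 0:
            return
        for mac, (static, learned) in list(self.secure.items()):
            if not static and now_min - learned >= self.aging_minutes:
                del self.secure[mac]

    def ingress(self, src_mac: str, now_min: int = 0) -> str:
        """Return 'forward', 'drop' or 'err-disabled' for a frame with this source MAC."""
        if self.err_disabled:
            return "err-disabled"
        self._age(now_min)
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:           # room left: learn it as a secure MAC
            self.secure[src_mac] = (False, now_min)
            return "forward"
        # Violation: the table is full and this MAC is not one of the secure addresses.
        if self.violation == PROTECT:
            return "drop"                             # silent drop, no counter, no trap
        if self.violation == RESTRICT:
            self.violation_count += 1
            self.traps.append(f"{self.name}: restrict violation from {src_mac}")
            return "drop"
        self.violation_count += 1                     # shutdown: err-disable the port
        self.err_disabled = True
        self.traps.append(f"{self.name}: err-disabled, offending MAC {src_mac}")
        return "err-disabled"

    def show(self) -> dict:
        """The fields of 'show port-security interface' that this model tracks."""
        return {
            "Port Status": "Secure-shutdown" if self.err_disabled else "Secure-up",
            "Violation Mode": self.violation.capitalize(),
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.secure),
            "Security Violation Count": self.violation_count,
        }


def demo() -> dict:
    """Recreate the slide's Gi1/1: maximum 1, one static MAC, violation mode shutdown."""
    port = SecurePort("Gi1/1", maximum=1, violation=SHUTDOWN)
    port.add_static("000b.6010.17fc")
    results = [port.ingress("000b.6010.17fc"),   # the secured host: forwarded
               port.ingress("0011.2233.4455")]   # constructed intruder MAC: port err-disables
    return {"results": results, **port.show()}
```

demo() recreates the slide's port: the static MAC is forwarded, a second MAC trips the shutdown action, and the counters match the show output (one secure address, Security Violation Count 1). The difference that matters when tuning monitoring is visible in the three branches: protect drops silently, restrict drops and counts, shutdown err-disables the port and stays that way until the port is recovered.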
CHAPTER 22: Storm Control

CHAPTER 22.1 – Understanding Storm Control

Understanding Storm Control
Normal switch behavior is to forward Broadcast and Multicast traffic out all ports that are in the same VLAN as the port that received the original packet. Unicast traffic for unknown destinations is also flooded out all ports – these flooded traffic types are known as "storm" traffic

[Diagram: host A sends a broadcast into port 1; the switch floods it out ports 2, 3 and 4 to hosts B, C and D]

High volumes of this traffic can impact bandwidth availability and network performance – so a way to limit this traffic type is required

Understanding Storm Control
Traffic Storm Control allows the definition of a set amount of "storm" traffic that a port will accept. The switch monitors the incoming "storm" traffic on the port over 1 second intervals, comparing the volume of storm traffic with the configured level for that port. Traffic in excess of the configured limit is dropped…

[Diagram: data within the limit is forwarded; data outside the limit is dropped]

Understanding Storm Control
After the configured threshold has been reached within a 1 second interval, subsequent "storm" packets are dropped for the remaining time in that interval – when the next interval clocks over, storm packets are forwarded again unless they again reach the threshold for that 1 second interval…

[Graph: number of packets or bytes per interval against the threshold – packets above the threshold in each 1 second interval are dropped]

Understanding Storm Control
There are certain linecards that do not support Storm Control – for these modules, this feature was not implemented in the Port ASIC hardware – these modules include

WS-X6148-GETX – Classic linecard supporting 48 ports of auto-sensing 10/100/1000
WS-X6548-GETX – CEF256 linecard supporting 48 ports of auto-sensing 10/100/1000

Understanding Storm Control
Storm control suppression is specific to certain hardware – the following rules apply

Broadcast Suppression – can be applied on all LAN ports
Multicast Suppression – can only be applied on Gigabit Ethernet ports
Unicast Suppression – can only be applied on Gigabit Ethernet ports

All three types of suppression can be configured on the same port at the same time
CHAPTER 22.2 – Configuring Storm Control

Configuring Storm Control
Storm control suppression is configured in interface configuration mode as follows…

6500(config-if)# storm-control ?
  broadcast  Broadcast address storm control
  multicast  Multicast address storm control
  unicast    Unicast address storm control

6500(config-if)# storm-control broadcast ?
  level  Set storm suppression level on this interface

6500(config-if)# storm-control broadcast level ?
  <0 - 100>  Enter Integer part of storm suppression level

6500(config-if)# storm-control multicast level ?
  <0 - 100>  Enter Integer part of storm suppression level

6500(config-if)# storm-control unicast level ?
  <0 - 100>  Enter Integer part of storm suppression level

The level is a percentage of the port's bandwidth – a level of 100 means no suppression

Configuring Storm Control
Statistics for storm control suppression can be displayed as follows…

6500# show interface g1/9 counters broadcast

Port   TotalSuppDiscards
Gi1/9  1033

6500# show interface g1/9 counters multicast

Port   TotalSuppDiscards
Gi1/9  12

6500# show interface g1/9 counters unicast

Port   TotalSuppDiscards
Gi1/9  204
6500#
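The 1-second interval behaviour described above, as an added example (constructed for this page, not Cisco's implementation): a per-port model that converts a storm-control level into a bytes-per-second budget for each traffic class, starts the count afresh at every new 1-second interval, drops frames once that interval's budget is spent, and keeps a TotalSuppDiscards style counter per class. The port speed, the frame sizes and the way the level is turned into a byte budget (percentage of port bandwidth) are assumptions.

```python
"""Storm control model: each traffic class (broadcast, multicast, unknown unicast)
gets a budget per 1-second interval derived from its configured level (a
percentage of port bandwidth); frames beyond the budget are dropped for the rest
of that interval and counted. Added example constructed for this page, not Cisco's
implementation."""

CLASSES = ("broadcast", "multicast", "unicast")


class StormControl:
    def __init__(self, port_bps: int, levels: dict):
        # levels maps a class to its configured level, e.g. {"broadcast": 1};
        # a class without a level is not suppressed at all
        self.thresholds = {c: port_bps * lvl // 100 // 8 for c, lvl in levels.items()}  # bytes per second
        self.interval = None                       # whole-second interval currently being counted
        self.seen = {c: 0 for c in CLASSES}        # bytes accepted so far in this interval
        self.discards = {c: 0 for c in CLASSES}    # TotalSuppDiscards per class

    def ingress(self, t: float, cls: str, length: int) -> bool:
        """True if the frame is accepted, False if storm control discards it (t in seconds)."""
        sec = int(t)
        if sec != self.interval:                   # next 1-second interval: the count starts again
            self.interval = sec
            self.seen = {c: 0 for c in CLASSES}
        limit = self.thresholds.get(cls)
        if limit is not None and self.seen[cls] + length > limit:
            self.discards[cls] += 1                # dropped for the remainder of this interval
            return False
        self.seen[cls] += length
        return True


def replay(sc: StormControl, frames) -> tuple:
    """Feed (time, class, length) frames through the port; return (accepted count, discards)."""
    accepted = 0
    for t, cls, length in frames:
        if sc.ingress(t, cls, length):
            accepted += 1
    return accepted, dict(sc.discards)


def broadcast_burst_demo() -> tuple:
    """Constructed load: 1000 broadcast frames of 1500 bytes inside the first second,
    then one more at the start of the next second, on a 1 Gb/s port with level 1."""
    sc = StormControl(1_000_000_000, {"broadcast": 1})
    frames = [(i / 10000, "broadcast", 1500) for i in range(1000)] + [(1.0, "broadcast", 1500)]
    return replay(sc, frames)
```

replay() returns the accepted count and a discards dictionary in the same shape as the TotalSuppDiscards counters. With a 1 Gb/s port and broadcast level 1 the budget is 1,250,000 bytes per second, so the constructed burst of 1000 frames of 1500 bytes gets 833 through and 167 discarded, and the frame at the start of the next second is accepted again. Classes without a configured level (unicast here) are never counted, which is what the slide means by configuring each suppression type separately.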
CHAPTER 23: Cisco Discovery Protocol

CHAPTER 24: UDLD

CHAPTER 25: SPAN and RSPAN

CHAPTER 26: PFC QoS

CHAPTER 26.1 – Understanding PFC QoS

QoS on the Catalyst 6500

Actions at ingress (linecard port) – Classification / Scheduling
• Scheduling: queue and threshold selected based on the incoming CoS
• Assign trust
• Received CoS can be overwritten if the port is untrusted

Actions by the Forwarding Engine (PFC) – Policing / Rewrite / Classification
• Classification at Layer 2/3/4 via ACL
• Rewrite ToS header via ACL
• Police traffic based on byte rate and burst (token bucket)
• Exceed action on the policer is drop or mark down priority

Actions at egress (linecard port) – Queuing & Scheduling
• Scheduling: queue and threshold selected based on the CoS map
• Each queue has configurable size and thresholds
• WRED and tail drop congestion management
• De-queue using WRR and strict priority
• Traffic shaping on selected linecards

Understanding PFC QoS
The PFC is a daughter card that sits on the Supervisor 720 and provides classification, policing and marking for packets it processes – all of these functions are performed in hardware

[Diagram: Policy Feature Card]

Understanding PFC QoS
Other QoS Elements in Hardware
Each linecard also implements a series of QoS features – these features are designated ingress and egress QoS in this presentation – the ingress and egress QoS features described here are implemented in the port ASICs found on the linecards – the actual QoS features found on each linecard are linecard dependent

Understanding PFC QoS
The basics – CoS and ToS
Class of Service (CoS) and Type of Service (ToS) are strings of bits in the Ethernet and IP header (respectively) that indicate the priority of a packet – it is this base information that the PFC uses to derive a service level for the packet as it transits the switch…

[Diagram: data enters the switch and the PFC reads its priority marking]

Note: The Class of Service field is located within the VLAN tag (ISL or 802.1Q)
Understanding PFC QoS
The basics – CoS in 802.1Q
The Class of Service (CoS) value is contained within the VLAN tag – there are two VLAN tagging options available in the switch – 802.1Q and ISL – 802.1Q (shown below) inserts a 4 byte field (2 byte tag type + 2 byte tag control) into the Ethernet header after the source address – within the 2 byte tag control field are 3 priority bits, which yield 8 priority levels…

802.1Q tagged Ethernet frame:
  DEST ADDR (6 bytes) | SRC ADDR (6 bytes) | TAG TYPE 0x8100 (2 bytes) | TAG (2 bytes) | ETH TYPE (2 bytes) | DATA (up to 1500 bytes) | FCS (4 bytes)
  TAG = PRIORITY (3 bits) | CFI (1 bit) | VLAN ID (12 bits)

Understanding PFC QoS
The basics – ToS and IP Precedence (IPPREC)
The Type of Service field is contained within the IPv4 header – the ToS field is 8 bits in length, of which the 3 most significant bits are used to indicate IP Precedence

Example ToS byte: 1 0 1 0 0 0 0 0 (IP Precedence = 101 = 5)

IPv4 header:
  Version | Hdr Length | ToS (1 byte) | Total Length | ID | Flags/Frag Offset | TTL | Proto | Header Checksum | IP-SA | IP-DA | Data

• IP Precedence has been in use for many years
• Uses the first 3 most significant bits of the ToS field
• 2^3 (2 to the power of 3) yields 8 different priorities
• 0 is the lowest priority, 7 is the highest priority

Understanding PFC QoS
The basics – ToS and DSCP
Differentiated Services Code Point (DSCP) uses 6 bits of the ToS byte to represent the priority of the packet – this provides a more granular form of prioritization than IP Precedence offers…

Example ToS byte: 1 0 1 0 0 0 0 0 (DSCP = 101000 = 40; the same leading bits read as IP Precedence give 5)

• DSCP is a more recent innovation
• Uses the 6 most significant bits of the ToS field (the remaining 2 bits are not part of the DSCP)
• 2^6 (2 to the power of 6) yields 64 different code points
• 0 is the lowest and 63 the highest value – strictly, DSCP values are code points rather than a ranking, but the switch's default maps treat higher values as higher priority
QoS in the Catalyst 6500
QoS processing occurs in three different places in the Catalyst 6500 – these are highlighted below…

1. Ingress QoS is performed on the ingress linecard port – features include port trust, re-marking, classification, queue scheduling and congestion avoidance
2. PFC QoS features include QoS ACLs, marking, classification and policing
3. Egress QoS is performed on the egress linecard port – features include queue scheduling, congestion avoidance and, on some linecards, shaping

[Diagram: ingress linecard (1) → PFC / MSFC (2) → egress linecard (3)]

Understanding Ingress QoS
The Elements - Setting Trust
When an incoming packet is already marked with a priority, the switch must decide whether to keep this setting or change it – it determines this based on the port's trust setting

Trust Setting        Result
Un-trusted           incoming CoS/ToS ignored – the packet takes the port default CoS (zero unless configured)
Trust-CoS            CoS/ToS maintained
Trust-IP Precedence  CoS/ToS maintained
Trust-DSCP           CoS/ToS maintained

Trust settings define what to do with the priority setting in the incoming packet

NOTE: The value of the CoS and ToS may differ on egress depending on map settings – the concept of maps is discussed later

Understanding Ingress QoS
The Elements - Setting Extended Trust
Extended Trust allows the switch to instruct an attached IP Phone to re-tag the CoS value of packets from a downstream PC (attached to the phone). As a switchport with a phone attached normally has trust enabled, this feature ensures that QoS priority integrity is not compromised when a downstream device is connected to the network – without it, the PC could mark its own traffic with a high CoS and have the trusting port honour it

[Diagram: switch port with TRUST set to TRUST IP-PRECEDENCE – IP Phone – PC]

EXTENDED Trust is set to mark down the CoS value to 0 (in fact the marked down value can be any value the administrator chooses)

Understanding Ingress QoS
Default Port CoS
When a port is set to UNTRUSTED, the switch port will assign the incoming packet a CoS value based on a configured default CoS for the port – from this default CoS assignment, the internal DSCP (see later slides) is derived

[Diagram: trusted port with Default CoS = 0, untrusted port with Default CoS = 2]

Trusted ports that are not Dot1Q trunk ports will also use the default port CoS, because untagged frames carry no CoS value
Understanding Ingress QoS
The Elements – Ingress Priority to DSCP Maps
The switch uses an "Internal DSCP" value to assign service levels to the frame as it transits the switch. This internal DSCP is derived from the ingress CoS or IP Precedence value, using a CoS to DSCP map or an IPPREC to DSCP map…

If Trust CoS – use the CoS to DSCP map    If Trust IPPREC – use the IPPREC to DSCP map

CoS value  DSCP value      IPPREC value  DSCP value
0          0               0             0
1          8               1             8
2          16              2             16
3          24              3             24
4          32              4             32
5          40              5             40
6          48              6             48
7          56              7             56

If TRUST-DSCP – then use the ingress DSCP as the Internal DSCP

Understanding Ingress QoS
The Elements – Input Queues
Input queue structures define the number of standard and strict priority queues available on the linecard port – input queue structures can differ across the Catalyst 6500 linecards – they can be categorized into the following…

Queue Structure  # Normal Queues  # Strict Priority Queues  # Thresholds per normal queue  Tail Drop  WRED
1q2t             1                0                         2                              Yes        No
1q4t             1                0                         4                              Yes        No
1q8t             1                0                         8                              Yes        No
2q8t             2                0                         8                              Yes        No
8q8t             8                0                         8                              Yes        Yes
1p1q4t           1                1                         4                              Yes        No
1p1q0t           1                1                         0                              Yes        No
1p1q8t           1                1                         8                              Yes        Yes

Understanding Ingress QoS
Scheduling – CoS to Queue mapping
Ingress packets are placed into a queue based on ingress CoS as follows

• Frames marked with CoS 5 are placed into the strict priority (SP) input queue if one is present
• Frames with other CoS values are placed into the normal queue
• Within the normal queue, drop thresholds (Threshold 1, Threshold 2, …) are used to indicate which CoS tagged packets can be dropped once the queue has filled beyond a certain threshold

[Diagram: input port with an SP queue and a normal queue carrying drop thresholds 1 and 2]

Understanding Ingress QoS
Congestion Avoidance – Tail Drop
Drop thresholds are used to highlight which CoS tagged packets can be dropped from the queue when a threshold has been exceeded. Once a threshold has been reached, the tail drop mechanism will drop all incoming packets that have a CoS mapped to that threshold until the queued packets drop below the threshold

Receive queue (example with four thresholds):
Threshold 4 – drop ALL packets with CoS = 6 and 7
Threshold 3 – drop ALL packets with CoS = 4 and 5
Threshold 2 – drop ALL packets with CoS = 2 and 3
Threshold 1 – drop ALL packets with CoS = 0 and 1

NOTE: Threshold numbers and CoS to threshold maps differ across linecards
NOTE: Threshold levels are configurable by the administrator

Understanding Ingress QoS
Congestion Avoidance – WRED
Weighted Random Early Detection (WRED) randomly starts to drop packets marked with a particular CoS value when a threshold has been reached, as opposed to tail drop, which drops ALL packets mapped to that threshold when it is exceeded – WRED takes advantage of the TCP windowing mechanism to gradually reduce the arrival rate of packets for a particular flow…

[Graph: drop probability against queue fill – CoS 0,1 start to be randomly dropped at Threshold 1; CoS 2,3 at Threshold 2]

• As soon as Threshold 1 is hit – CoS 0 and 1 packets are randomly dropped
• As soon as Threshold 2 is hit – CoS 2 and 3 packets are also randomly dropped, but more CoS 0 and 1 packets are dropped than CoS 2 and 3

Understanding Ingress QoS
Scheduling – CoS to Threshold mapping
After ingress packets are placed into a queue, the congestion avoidance mechanism (tail drop or WRED) will use a CoS to threshold map to determine which frames are eligible to be dropped when a threshold is breached.

Ingress port CoS <> Threshold map (example with two queues and two thresholds each):
CoS value  Queue  Threshold
0          1      1
1          1      1
2          1      2
3          1      2
4          2      1
5          2      1
6          2      2
7          2      2

Understanding Ingress QoS
Scheduling Queues
Two types of queues are found on ingress (and egress) ports – strict priority (SP) queues and normal queues – strict priority queues are like low latency queues (LLQ) – once data enters an SP queue, scheduling of the normal queues ceases in favor of transmitting the data in the SP queue – Note: the SP queue is linecard specific

1. Data is sent (round robin) between Queue 1 and Queue 2 while the SP queue is empty
2. Data arrives in the SP queue – all normal queue processing stops until the SP queue is empty
3. Once the SP queue is empty, the port continues transmitting packets from the normal queues
Understanding PFC QoS
The Elements - Policing
Policing is a process of limiting traffic to a prescribed rate. Policing allows the definition of a RATE and a BURST. RATE defines the amount of traffic that may be sent per given interval. Once that amount has been sent, no more traffic is sent for that interval. BURST defines the amount of traffic that can be held in readiness for being sent. Traffic in excess of what the rate and burst allow can either be dropped or have its priority setting marked down.

[Graph: bytes per interval T1..T4 – the bucket holds up to the burst, drains at the rate, and no more traffic is accepted once the interval's allowance is used]

The 6500 has a fixed time interval of 1/4000th of a second – this is hardware enforced

Understanding PFC QoS
The Elements - Policing
Token bucket replenishment is an important part of the policing equation – the number of tokens that are replaced in the bucket is calculated as follows…

[Diagram: PFC token bucket]

1. BURST defines the amount of traffic that can arrive in a given time interval and be accepted
2. The amount of traffic that can be sent within a given time interval, sustained over time, is known as the RATE
3. The replenishment rate of the token bucket is calculated by dividing the RATE in bits per second by the number of intervals per second
4. The depth of the token bucket is equal to the BURST

Understanding PFC QoS
Policing example
Using the following policing config example, the token bucket depth and replenishment rate can be calculated as follows…

police 100000000 26000 conform-action set-dscp-transmit exceed-action drop
       (RATE)    (BURST)

This command example states a policed rate of 100Mb/sec – the rest is calculated as follows…

1. REPLENISHMENT RATE every 1/4000th of a second = RATE / intervals per second = 100,000,000 / 4000 = 25,000 tokens every 1/4000th of a second
2. Bucket depth = BURST = 26,000 tokens

Understanding PFC QoS
Policing example
• Assume the arrival rate is 1 Gb/sec (full line rate on a GE port)
• Arriving bits per interval = 1,000,000,000 / 4000 = 250,000
• Assume a constant arrival rate of 64 byte (512 bit) packets
• Excess tokens (beyond the bucket depth) are discarded
• Use the policer from the previous page
• Each interval starts with the previous interval's leftover tokens plus the 25,000 replenished

Time interval  Bits clocked in  Tokens at start of interval  Bits dropped  Bits that can be sent  Packets sent  Tokens at end of interval
T1             250,000          26,000                       224,400       25,600                 50            400
T2             250,000          25,400                       224,912       25,088                 49            312
T3             250,000          25,312                       224,912       25,088                 49            224
T4             250,000          25,224                       224,912       25,088                 49            136
And so on      …                …                            …             …                      …             …

As more time intervals pass, the statistical forwarded average gets a lot closer to the stated rate
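The token bucket arithmetic above, as an added example (not Cisco code): a Python model of the single-rate policer using the deck's own convention that the burst is counted in tokens of one bit and that the interval is 1/4000 s. Note that the IOS police command takes its burst argument in bytes; the example keeps the deck's numbers so that its rows can be compared with the table. The arrival pattern (a constant 1 Gb/s of 64-byte packets) is the slide's assumption; the 4000-interval run that checks the long-term forwarded rate is mine.

```python
"""Single-rate policer model using the deck's numbers: RATE in bits per second,
BURST counted in tokens of one bit (the IOS police command takes bytes), and the
PFC's fixed interval of 1/4000 s. Added example, not Cisco code."""

INTERVALS_PER_SECOND = 4000            # hardware-enforced policing interval on the 6500


def police(rate_bps: int, burst_tokens: int, arrival_bps: int, packet_bytes: int, intervals: int) -> list:
    """Simulate the policer interval by interval; return one row per interval (exceed action: drop)."""
    replenish = rate_bps // INTERVALS_PER_SECOND          # tokens added at the start of each interval
    arriving_bits = arrival_bps // INTERVALS_PER_SECOND   # offered load per interval
    pkt_bits = packet_bytes * 8
    tokens = burst_tokens                                 # the bucket starts full
    rows = []
    for n in range(1, intervals + 1):
        start = tokens
        sent_pkts = 0
        offered = arriving_bits
        # A packet conforms only while the bucket still holds a whole packet's worth of tokens.
        while offered >= pkt_bits and tokens >= pkt_bits:
            tokens -= pkt_bits
            offered -= pkt_bits
            sent_pkts += 1
        sent_bits = sent_pkts * pkt_bits
        rows.append({"T": n, "in": arriving_bits, "start": start,
                     "dropped": arriving_bits - sent_bits, "sent": sent_bits,
                     "pkts": sent_pkts, "end": tokens})
        # Replenish for the next interval; tokens that would overflow the burst depth are discarded.
        tokens = min(tokens + replenish, burst_tokens)
    return rows


def forwarded_bps(rows: list) -> float:
    """Average forwarded rate in bits per second over the simulated intervals."""
    return sum(r["sent"] for r in rows) * INTERVALS_PER_SECOND / len(rows)


def print_table(rows: list, limit: int = 4) -> None:
    """Print the first rows in the layout of the slide's table."""
    print("T    in       start   dropped  sent    pkts  end")
    for r in rows[:limit]:
        print(f"T{r['T']:<3} {r['in']:<8} {r['start']:<7} {r['dropped']:<8} "
              f"{r['sent']:<7} {r['pkts']:<5} {r['end']}")


if __name__ == "__main__":
    table = police(100_000_000, 26_000, 1_000_000_000, 64, INTERVALS_PER_SECOND)
    print_table(table)
    print(f"forwarded over one second: {forwarded_bps(table):,.0f} bit/s")
```

The first four rows reproduce the table (50, 49, 49, 49 packets; 400, 312, 224, 136 tokens left), and over a full second of intervals the policer forwards within a few hundred bits of the configured 100 Mb/s, which is what the slide's closing sentence states. Because the arrival is line rate, roughly nine of every ten bits are dropped, so a mark-down exceed action rather than drop would be the choice where the excess should survive at lower priority.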
Understanding PFC QoS
Types of Policers - Aggregate
The Sup720 supports the Aggregate policer, which can be applied on a port, a group of ports, a VLAN or a group of VLANs – when applied to multiple ports or VLANs, all traffic across those ports combined is limited to the stated policed rate…

[Diagram: Aggregate 1 applied to a port, Aggregate 2 applied to a VLAN]

An AGGREGATE applies a policing rule to a PORT (i.e. Aggregate 1) or VLAN (i.e. Aggregate 2) – it polices all the traffic coming into the port or VLAN and applies the policed rate to that traffic

Understanding PFC QoS
Types of Policers - Aggregate
The effect of the Aggregate is that all traffic coming into the ports associated with the aggregate is policed down to the stated rate

[Diagram: ingress traffic → aggregate policer → egress traffic – the total amount of output traffic is limited to the rate specified in the aggregate]

Understanding PFC QoS
Types of Policers - Microflow
The effect of the Microflow policer is that each flow coming into the ports associated with the microflow policer is individually policed down to the stated rate

[Diagram: ingress traffic → microflow policer → egress traffic – each flow is limited to the rate specified in the microflow]

NOTE: A flow is defined by the flow mask in use by the system

Understanding PFC QoS
Egress Policing
The PFC3 on the Supervisor 720 now also supports egress policing – there are some caveats in its use, namely an egress policer can only be applied to a VLAN or a routed interface…

[Diagram: traffic flows through the switch from INPUT to OUTPUT; the egress policer sits on the output side]

Egress policing supports Aggregates ONLY!!

NOTE: Egress policers can only be applied to VLANs or routed interfaces because, when the egress policing function is performed, the physical egress port is not known – the only known factor is the VLAN ID (found in the internal header) – both a VLAN interface and a routed interface have a VLAN identifier (routed interfaces have an internal VLAN assigned to them)

Understanding PFC QoS
Types of Policers – User Based Rate Limiting
Three types of global flow masks can be stored on the Sup1a/2 in the NetFlow table…

• Destination-only IP (default)
• Source-Destination IP
• Full-flow (Src IP, Dst IP, Protocol, Src Port, Dst Port) – microflow policing uses full flow

BUT ONLY ONE GLOBAL FLOWMASK CAN BE INSTALLED IN THE SYSTEM AT ANY ONE TIME

NOW… Sup720 supports
1. Up to 2 flow masks in the system
2. Source-only and destination-only flow masks in the PFC3

This new facility increases the capacity of the Sup720 to store more entries in its NetFlow table and allows different features that use the NetFlow table to use different masks (i.e. IOS SLB, NDE, TCP Intercept, Reflexive ACLs, WCCP and CBAC)
Understanding PFC QoS
Types of Policers – User Based Rate Limiting

Inside network – applied to user ports – source-only flow mask – traffic from inside:

access-list 101 permit ip 10.10.n.0 0.0.0.255 any
class-map Users-Outbound
 match access-group 101
policy-map Users-Outbound
 class Users-Outbound
  police flow mask src-only 'blah'
int range fast4/1-48
 service-policy input Users-Outbound

Internet – applied to uplink ports – destination-only flow mask – traffic from the Internet:

access-list 102 permit ip any 10.10.n.0 0.0.0.255
class-map Users-Inbound
 match access-group 102
policy-map Users-Inbound
 class Users-Inbound
  police flow mask dest-only 'blah'
int gig 3/1
 service-policy input Users-Inbound
Understanding PFC QoS
MQC – Modular QoS CLI
The application of classification and policing criteria on an interface is done using MQC. MQC is a modular framework for applying QoS, and defines a standard CLI for the application of QoS across all IOS based platforms. MQC uses the Policy Map and Class Map for defining QoS actions on the 6500…

Policy Map – can contain up to 255 Class Maps
Class Map – refers to a set of classification criteria for the following action criteria
Policing/Trust actions – action settings for trust and policing

The application of a policy map to an interface is done using the "SERVICE-POLICY" command – this binds the policy map, and its classification and action criteria, to the interface

Understanding PFC QoS
Egress Map – DSCP to CoS
The "Internal DSCP" value is used to derive the egress ToS and CoS. Internal DSCP is mapped directly to the egress ToS – for CoS the switch uses a DSCP to CoS map to derive the egress CoS

[Diagram: CoS | Data enters → Internal DSCP assigned → CoS | Data leaves with the mapped CoS]

DSCP value  CoS value
0-7         0
8-15        1
16-23       2
24-31       3
32-39       4
40-47       5
48-55       6
56-63       7
Understanding PFC QoS
VLAN Based QoS
By default, PFC uses policy maps assigned to LAN ports – Those ports defined as a
switchport can be told to use the Policy Map attached to its parent VLAN interface – this is
known as VLAN based QoS

Port Based QoS: Policy Map attached to individual switch ports (VLAN 10, VLAN 20)
VLAN Based QoS: Policy Map attached to the VLAN interface (VLAN 10, VLAN 20)

With Port Based QoS, Policy maps are applied to a physical switch interface – the Policy Map manages traffic only on that switchport.

With VLAN Based QoS, the Policy map is applied to the VLAN interface and traffic through all associated Switch ports is managed by that Policy Map.
Understanding Egress QoS
Queue Structures
The Queue structures used on egress ports are categorized as follows…

Queue Structure   # Normal Queues   # Strict Priority Queues   # Thresholds per normal queue   Tail Drop   WRED
2q2t              2                 0                          2                               Yes         No
1p2q2t            2                 1                          2                               No          Yes
1p3q1t            3                 1                          1                               Yes         Yes
1p2q1t            2                 1                          1                               Yes         No
1p3q8t            3                 1                          8                               Yes         Yes
1p7q8t            7                 1                          8                               Yes         Yes

Understanding Egress QoS
Congestion Avoidance
Egress ports use WRED and/or Tail Drop as a means to control congestion in the egress
queues – these are the same mechanisms discussed earlier in the ingress queue section

TAIL DROP (Transmit Queue):
  Threshold 2 – CoS 4,5,6,7
  Threshold 1 – CoS 0,1,2,3

WRED:
  Drop Rate rises as the queue fills, with separate curves for CoS 0, 1, 2, 3 and for CoS 4, 5, 6, 7,
  starting at Threshold 1 and reaching the full drop rate at Threshold 2

Understanding Egress QoS
Queue Bandwidth Allocation
Normal egress queues are emptied in a round robin fashion, meaning that a certain number of
packets are sent from one queue before moving to the next queue, and so on. The number of
packets sent from each queue can be tuned by allocating a weight to the queue – this
determines which queues have greater access to bandwidth than others

Egress Port:
  Strict Priority Queue
  Queue 2 – Bandwidth for Queue 2
  Queue 1 – Bandwidth for Queue 1

This scheduling technique is known as Weighted Round Robin (WRR)
Understanding Egress QoS
Transmit Queue Size
There is a fixed amount of buffering per egress port – this can be tuned so that one normal
queue has a greater share of the buffer memory than other normal queues – generally the
lower the amount of bandwidth available to a queue, the greater the allocation of buffer space
required…

Egress Port (Total Buffer Space):
  Strict Priority Queue
  Queue 2
  Queue 1

In this example, Queue 2 has been allocated less buffer space than Queue 1

This applies on 1p1q0t and 1p1q8t queues

NOTE: Allocating buffer space between queues DOES NOT APPLY to the Strict Priority Queue – the SP queue has its own allocated memory and this is not changeable
Understanding Egress QoS
Preserving Received ToS Byte
During normal switch operation, the internal DSCP is used to derive the egress ToS byte – in
some cases based on mappings and trust settings, the egress ToS can change from the
original ingress ToS – this feature allows the ingress ToS to remain intact in the egress frame

Without ToS Preservation:
  ToS=5 Data --> [Switch: untrusted port with default CoS=0, Internal DSCP=0] --> ToS=0 Data

With ToS Preservation:
  ToS=5 Data --> [Switch: untrusted port with default CoS=0, Internal DSCP=0] --> ToS=5 Data (ToS Maintained)
Understanding Egress QoS
Egress DSCP Mutation
Rather than using the internal DSCP to derive the egress DSCP, an egress mutation map can
be used to derive the egress DSCP

DSCP=25 Data --> [Switch: Internal DSCP=25] --> Egress DSCP Mutation Map --> DSCP=16 Data

DSCP = D1D2, i.e. if DSCP = 34 then D1 = 3, D2 = 4

Egress DSCP Mutation Map:
D1 \ D2   0  1  2  3  4  5  6  7  8  9
0        00 01 02 03 04 05 06 07 08 09
1        10 11 12 13 14 15 16 17 04 19
2        20 21 22 23 24 16 26 27 28 29
3        30 31 32 08 34 35 36 37 38 39
4        40 41 42 43 44 45 46 47 48 49
5        50 51 52 53 54 55 56 57 58 59
6        60 61 62 63

CHAPTER 26.2 – Configuring PFC QoS

Configuring PFC QoS
Globally enabling QoS
Prior to configuring any QoS, the QoS engine must be enabled – this is achieved in global
configuration mode as follows…
6500# show mls qos
QoS is disabled globally
6500# conf t
Enter configuration commands, one per line. End with CNTL/Z.
6500(config)# mls qos                          <-- enables QoS
6500(config)#^Z
6500#
7w3d: %SYS-5-CONFIG_I: Configured from console by console
6500# show mls qos
QoS is enabled globally
Microflow policing is enabled globally
QoS ip packet dscp rewrite enabled globally
Vlan or Portchannel(Multi-Earl) policies supported: Yes
Egress policies supported: Yes
<snip>

The settings that take effect when QoS is enabled are detailed at the following URL

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/qos.htm#1369514
Configuring PFC QoS
Preserving Incoming ToS
To preserve the incoming ToS on the egress packet, IP DSCP rewrite must be disabled from
its default enabled state - this is done in global configuration mode as follows

6500# show mls qos
QoS is enabled globally                        <-- default state
Microflow policing is enabled globally
QoS ip packet dscp rewrite enabled globally
Vlan or Portchannel(Multi-Earl) policies supported: Yes
Egress policies supported: Yes
<snip>

6500(config)# no mls qos rewrite ip dscp       <-- command to disable ToS rewrite
6500(config)#^Z
6500#
7w3d: %SYS-5-CONFIG_I: Configured from console by console
6500# show mls qos
QoS is enabled globally
Microflow policing is enabled globally
QoS ip packet dscp rewrite disabled globally
Vlan or Portchannel(Multi-Earl) policies supported: Yes
Egress policies supported: Yes

Configuring PFC QoS
Setting Ingress Trust
The trust setting of a port always defaults to UNTRUSTED – this can be changed using the
following command
6500(config-if)# mls qos trust ?
cos cos keyword
dscp dscp keyword
extend extend keyword
ip-precedence ip-precedence keyword
<cr>
6500(config-if)# mls qos trust cos ?
<cr>
6500(config-if)# mls qos trust dscp ?
<cr>
6500(config-if)# mls qos trust ip-precedence ?
<cr>

If the port is set to Untrusted, it will use the default Port CoS to tag the packet – the Default
Port CoS will initially be set to Zero – if this value needs to be changed, it can be achieved
using the following command

6500(config-if)# mls qos cos ?


<0-7> class of service value between 0 and 7

Configuring PFC QoS
Setting Ingress Extended Trust
The extended trust setting of a port defines the CoS value that the attached IP Phone will use
to mark packets from a downstream PC

6500(config-if)# mls qos trust ?


cos cos keyword
dscp dscp keyword
extend extend keyword
ip-precedence ip-precedence keyword
<cr>

6500(config-if)# mls qos trust extend ?


cos New CoS value to use for packets from the device
<cr>

6500(config-if)# mls qos trust extend cos ?


<0-7> CoS value

The CoS value used for this trust setting is unique to that interface – other extended trust
values can be set for other interfaces

Configuring PFC QoS
Marking and policing on the PFC can be disabled globally – in this mode, all ports default to a
configuration of trust CoS, and will apply a default port CoS to all ingress packets on ports
not able to be set to trust CoS.

6500(config)# no mls qos queueing-only ?


<cr>

By default, Microflow policing is enabled for routed (Layer 3 switched) traffic only – Microflow
policing can also be enabled for bridged traffic (this is disabled by default) and can be
enabled in interface VLAN configuration mode as follows

6500(config)# interface vlan 300


6500(config-if)# mls qos ?
bridged bridged keyword
dscp-mutation mutation keyword
exp-mutation exp mutation keyword
loopback loopback cable between LAN and WAN port

6500(config-if)# mls qos bridged ?


<cr>

Configuring PFC QoS
Named Aggregate Policers
A named aggregate is an aggregate policer that is referenced within a policy map – it defines a
policed aggregate rate and burst – it contains action settings that define what to do with
packets that conform within the specified rate and what to do with packets that are outside the
stated burst values – they are created as follows

6500(config)# mls qos aggregate-policer ?


WORD aggregate policer name

6500(config)# mls qos aggregate-policer XYZ ?


<32000-4000000000> Bits per second

First choose the name that will be applied to this policer (in this case call it XYZ)… then define
the stated rate in bits per second that will be allowed


NOTE: The configuration parameters used for this example do not reflect any stated
guidelines from Cisco – rather they are used just to show how a named aggregate is built

Configuring PFC QoS
Named Aggregate Policers
Then specify the normal burst value (which defines the depth of the token bucket) as follows
6500(config)# mls qos aggregate-policer XYZ 100000000 ?
<1000-31250000> Normal burst bytes
conform-action action when rate is not exceeded
pir PIR
violate-action action when rate violated
<cr>

Specify the maximum burst value (which defines the depth of the 2nd token bucket) as follows
6500(config)# mls qos aggregate-policer XYZ 100000000 10000 ?
<1000-31250000> Maximum burst bytes
conform-action action when rate is not exceeded
pir PIR
violate-action action when rate violated
<cr>

6500(config)# mls qos aggregate-policer XYZ 100000000 10000 20000 ?

Configuring PFC QoS
Named Aggregate Policers
Specify the Peak Information Rate – that is the rate for the 2nd leaky bucket – this must be
greater than or equal to the first rate
6500(config)# mls qos aggregate-policer XYZ 100000000 10000 20000 pir ?
<32000-4000000000> Peak Information Rate - bits per second

Specify the conform action – that is, what the policer should do with in-profile traffic within the
stated rate

6500(config)#$regate-policer XYZ 100000000 10000 20000 pir 150000000 ?


conform-action action when rate is not exceeded
violate-action action when rate violated
<cr>

6500(config)#$icer XYZ 100000000 10000 20000 pir 150000000 conform-action ?


drop drop packet
set-dscp-transmit set dscp and send it
set-mpls-exp-transmit set mpls exp and send it
set-prec-transmit rewrite packet precedence and send it
transmit transmit packet

Configuring PFC QoS
Named Aggregate Policers
Specify the exceed action – this is the action to be taken when the normal rate has been
exceeded (but not the PIR rate)
6500(config)#$0000000 10000 20000 pir 150000000 conform-action transmit ?
exceed-action action when rate is exceeded
violate-action action when rate violated
<cr>

6500(config)#$000 20000 pir 150000000 conform-action transmit exceed-action ?


drop drop packet
policed-dscp-transmit change dscp per policed-dscp map and send it
transmit transmit packet

Then optionally specify the action to be taken when the PIR is exceeded as follows
6500(config)# $m-action transmit exceed-action policed-dscp-transmit ?
violate-action action when rate violated
<cr>

6500(config)# $ransmit exceed-action policed-dscp-transmit violate-action ?


drop drop packet
policed-dscp-transmit change dscp per policed-dscp map and send it
transmit transmit packet
Configuring PFC QoS
Defining Policy Maps
The process of creating a policy map is done by first creating the class map – a class map is
created as follows…

6500# conf t
Enter configuration commands, one per line. End with CNTL/Z.
6500(config)# class-map ?
WORD class-map name
match-all Logical-AND all matching statements under this classmap
match-any Logical-OR all matching statements under this classmap

6500(config)# class-map ABC123 ?


<cr>

6500(config)# class-map ABC123


6500(config-cmap)#

In this example, the class map ABC123 has been created – this command puts the
administrator into class map configuration mode - following this, a series of match statements
must be defined to classify traffic associated with this class map

Configuring PFC QoS
Defining Policy Maps
The match statement is used to identify what traffic this class will apply to…
6500(config-cmap)# match ?
access-group Access group
any Any packets
bgp-index BGP traffic index value
class-map Class map
cos IEEE 802.1Q/ISL class of service/user priority values
destination-address Destination address
fr-dlci Match on fr-dlci
input-interface Select an input interface to match
ip IP specific values
mpls Multi Protocol Label Switching specific values
not Negate this match result
protocol Protocol
qos-group Qos-group
source-address Source address

Configuring PFC QoS
Defining Policy Maps
For the purposes of this example, the “match any” statement is used
6500(config-cmap)# match any

Once the class map has been defined, the policy map can be created as follows
6500(config)# policy-map ?
WORD policy-map name

6500(config)# policy-map ABC456


6500(config-pmap)# ?
QoS policy-map configuration commands:
class policy criteria
description Policy-Map description
exit Exit from QoS policy-map configuration mode
no Negate or set default values of a command
rename Rename this policy-map
<cr>

This command places the administrator into the policy map configuration mode

Configuring PFC QoS
Defining Policy Maps
Typically the way forward is to enter the name of the class previously defined as follows
6500(config-pmap)# class ABC123
6500(config-pmap-c)# ?
QoS policy-map class configuration commands:
bandwidth Bandwidth
exit Exit from QoS class action configuration mode
fair-queue Enable Flow-based Fair Queuing in this Class
no Negate or set default values of a command
police Police
priority Strict Scheduling Priority for this Class
queue-limit Queue Max Threshold for Tail Drop
random-detect Enable Random Early Detection as drop policy
service-policy Configure QoS Service Policy
set Set QoS values
shape Traffic Shaping
trust Set trust value for the class
<cr>

Entering the class name places the administrator into a further sub class configuration
mode – from this mode, a variety of class related actions can be configured – a number of the
actions listed above (those highlighted in blue on the slide) are not supported in PFC hardware
Configuring PFC QoS
Defining Policy Maps
One class map action that is normally configured is the “SET” command – examples of this are
shown below
6500(config-pmap-c)# set ?
atm-clp Set ATM CLP bit to 1
cos Set IEEE 802.1Q/ISL class of service/user priority
dscp Set DSCP in IP(v4) and IPv6 packets
ip Set IP specific values
mpls Set MPLS specific values
precedence Set precedence in IP(v4) and IPv6 packets
qos-group Set QoS Group

6500(config-pmap-c)# set ip ?
dscp Set IP DSCP (DiffServ CodePoint)
precedence Set IP precedence

With the “SET IP“ command, packets can have their ToS bits reset according to the value set
in this class map – this is referred to as MARKING…

Configuring PFC QoS
Defining Policy Maps
The SET command can also be used to set the CoS value for incoming packets – an example is
shown below

6500(config-pmap-c)# set cos ?


<0-7> cos value

Trust states for ports can also be set using the policy map – within the class map set of
actions, the “TRUST” keyword can be used to set trust for the port – this is applied as follows
within the class map

6500(config-pmap-c)# trust ?
cos trust value for the class
dscp trust value for the class
ip-precedence trust value for the class

Configuring PFC QoS
Defining Policy Maps
A previously defined named aggregate can also be referenced within the class map as follows

6500(config)# policy-map ABC456


6500(config-pmap)# class ABC123
6500(config-pmap-c)# police ?
<32000-4000000000> Bits per second
aggregate Choose aggregate policer for current class
flow police each flow

6500(config-pmap-c)# police aggregate ?


WORD enter aggregate-policer name

6500(config-pmap-c)# police aggregate XYZ

A policer can also be defined within the class map by using the Police command as follows
6500(config-pmap-c)# police 50000000 13000 26000 pir 100000000 conform-action transmit exceed-action policed-dscp-transmit violate-action drop

This example sets a rate of 50Mb for transmit traffic; up to an extra 50 Mb over and above that will
be marked down, and anything in excess of 100Mb will be dropped…
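The policer behaviour described on the named aggregate slides and in the police command above can be checked against a small model. The following Python is an added example, not code from the training module or from Cisco IOS: it implements the two-bucket policer (normal burst against the stated rate, maximum burst against the PIR) and returns conform / exceed / violate per packet, then reuses the same policer keyed by source or destination address to illustrate the src-only and dest-only flow masks of the User Based Rate Limiting slide. The rates and burst sizes are those of the page's example; the packet stream, the MARKDOWN table and all class and function names are constructed assumptions.

```python
"""Model of the PFC two-rate policer: a CIR bucket (normal burst) and a PIR bucket
(maximum burst) classify each packet as conform, exceed or violate.  Added example,
not Cisco code; PAGE_POLICER holds the rates and bursts of the page's police command."""
from collections import defaultdict


class TwoRatePolicer:
    """Token-bucket pair: tc is filled at the stated rate, tp at the PIR."""

    def __init__(self, rate_bps, normal_burst, max_burst, pir_bps):
        self.cir = rate_bps / 8.0            # bytes/second added to the normal bucket
        self.pir = pir_bps / 8.0             # bytes/second added to the peak bucket
        self.bc, self.be = normal_burst, max_burst   # bucket depths in bytes
        self.tc, self.tp = float(normal_burst), float(max_burst)  # buckets start full
        self.last = 0.0                      # arrival time of the previous packet

    def police(self, size, now):
        """Classify a packet of `size` bytes arriving at time `now` (seconds)."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tc = min(self.bc, self.tc + elapsed * self.cir)
        self.tp = min(self.be, self.tp + elapsed * self.pir)
        if size > self.tp:                   # no peak tokens left: beyond the PIR
            return "violate"
        self.tp -= size
        if size > self.tc:                   # beyond the stated rate but within the PIR
            return "exceed"
        self.tc -= size
        return "conform"


# Actions of the page's example: conform-action transmit, exceed-action
# policed-dscp-transmit, violate-action drop.  MARKDOWN is a constructed
# stand-in for the policed-dscp map (the page's own entry is 24 -> 16).
MARKDOWN = {24: 16, 34: 16, 46: 8}


def apply_actions(colour, dscp):
    """Return (transmitted, egress_dscp) for one policed packet."""
    if colour == "conform":
        return True, dscp
    if colour == "exceed":
        return True, MARKDOWN.get(dscp, dscp)
    return False, dscp


def offer_stream(policer, offered_bps, pkt_bytes=1500, seconds=1.0):
    """Push a constant-rate stream of equal packets through one policer and count colours."""
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    gap = pkt_bytes * 8.0 / offered_bps
    for i in range(int(seconds / gap)):
        counts[policer.police(pkt_bytes, i * gap)] += 1
    return counts


def microflow_police(packets, mask, **policer_args):
    """Per-flow policing keyed by the flow mask: `src-only` (user ports) or
    `dest-only` (uplink ports).  Every distinct key gets its own bucket pair."""
    flows = defaultdict(lambda: TwoRatePolicer(**policer_args))
    results = []
    for when, src, dst, size in packets:
        key = src if mask == "src-only" else dst
        results.append((key, flows[key].police(size, when)))
    return results


PAGE_POLICER = dict(rate_bps=50_000_000, normal_burst=13_000,
                    max_burst=26_000, pir_bps=100_000_000)

if __name__ == "__main__":
    for rate in (40e6, 75e6, 150e6):
        print(f"{rate / 1e6:.0f} Mb/s offered:",
              offer_stream(TwoRatePolicer(**PAGE_POLICER), rate))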
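Run stand-alone, the block offers 40, 75 and 150 Mb/s streams to the page's 50/100 Mb/s policer: the first is all conform, the second is roughly two thirds conform and one third exceed with nothing dropped, and the third splits evenly between conform, exceed and violate, which is the "50 Mb transmitted, next 50 Mb marked down, rest dropped" behaviour the slide describes. The per-flow variant shows why the flow mask matters: with src-only, two packets from the same inside host share one bucket, while with dest-only the same two packets are policed separately because their destinations differ.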
Configuring PFC QoS
Egress DSCP Mutation
The internal DSCP can be mutated using an Egress DSCP Mutation map – Up to 15 mutation
maps can be created and any of these can be applied to an interface that is supported by the
PFC… The following shows the command being built up to its final syntax
6500(config)# mls qos map dscp-mutation ?
WORD dscp-mutation map name

6500(config)# mls qos map dscp-mutation ABC789 ?


<0-63> dscp values separated by spaces (up to 8 values total)

6500(config)# mls qos map dscp-mutation ABC789 8 ?


<0-63> dscp values separated by spaces (up to 8 values total)
to to keyword

6500(config)# mls qos map dscp-mutation ABC789 8 16 to ?


<0-63> output dscp value

6500(config)# mls qos map dscp-mutation ABC789 8 16 to 24 ?


<cr>

6500(config)# mls qos map dscp-mutation ABC789 8 16 to 24


6500(config)#
This command converts an internal DSCP value of 8 or 16 into 24 in
the egress ToS byte
Configuring PFC QoS
Attaching the Egress DSCP Mutation to an Interface
The Egress DSCP Mutation Map can be attached to an interface in the following manner

6500(config-if)# mls qos dscp-mutation ?


WORD dscp-mutation map name

6500(config-if)# mls qos dscp-mutation ABC789 ?


<cr>

6500(config-if)# mls qos dscp-mutation ABC789


6500(config-if)#

This example attaches the egress DSCP mutation map ABC789 to VLAN interface 300

Configuring PFC QoS
Mapping received CoS to Internal DSCP
If a port is set to Trust CoS, the received CoS will be used to map to the internal DSCP – the
default map can be changed as follows

6500(config)# mls qos map cos-dscp ?


<0-63> dscp values separated by spaces (8 values total)

6500(config)# mls qos map cos-dscp 0 7 18 22 30 46 52 61


6500(config)#^Z
6500#show mls qos maps | begin Cos-dscp map
Cos-dscp map:
cos: 0 1 2 3 4 5 6 7
------------------------------------
dscp: 0 7 18 22 30 46 52 61

This command allows the specification of 8 DSCP values which are mapped directly to the CoS
values 0 through 7

Configuring PFC QoS
Mapping received IP Precedence to Internal DSCP
If a port is set to Trust IP Precedence, the received IP Precedence values will be used to map to
the internal DSCP – the default map can be changed as follows

6500(config)# mls qos map ip-prec-dscp ?


<0-63> dscp values separated by spaces (8 values total)

6500(config)# mls qos map ip-prec-dscp 0 10 13 26 37 46 53 60


6500(config)# ^Z
6500#
6500# show mls qos maps | begin IpPrecedence-dscp map
IpPrecedence-dscp map:
ipprec: 0 1 2 3 4 5 6 7
------------------------------------
dscp: 0 10 13 26 37 46 53 60

This command allows the specification of 8 DSCP values which are mapped directly to the IP
Precedence values 0 through 7

Configuring PFC QoS
Setting DSCP Markdown Values
When policers are configured, DSCP values can be marked down for out of profile traffic – this is
achieved using the “policed-dscp-transmit” keyword – the map used to determine what dscp
values get marked down can be changed from the default – this is shown below
6500(config)# mls qos map policed-dscp ?
max-burst Maximum burst tos remap table.
normal-burst Normal burst tos remap table.

6500(config)# mls qos map policed-dscp normal-burst 24 to 16


6500# show mls qos map
Normal Burst Policed-dscp map: (dscp= d1d2)
d1 : d2 0 1 2 3 4 5 6 7 8 9
-------------------------------------
0 : 00 01 02 03 04 05 06 07 08 09
1 : 10 11 12 13 14 15 16 17 18 19
2 : 20 21 22 23 16 25 26 27 28 29
3 : 30 31 32 33 34 35 36 37 38 39
4 : 40 41 42 43 44 45 46 47 48 49
5 : 50 51 52 53 54 55 56 57 58 59
6 : 60 61 62 63

DSCP value of 24 is now marked to be written as 16

Configuring PFC QoS
Mapping Internal DSCP to egress CoS
The Internal DSCP is used to derive the egress CoS – the switch uses a default DSCP to CoS
map for this purpose – this map can be changed using the following command

6500(config)# mls qos map dscp-cos ?


<0-63> dscp values separated by spaces (up to 8 values total)

6500(config)# mls qos map dscp-cos 12 22 to 3


6500#
6500# show mls qos map | begin Dscp-cos map
Dscp-cos map: (dscp= d1d2)
d1 : d2 0 1 2 3 4 5 6 7 8 9
-------------------------------------
0 : 00 00 00 00 00 00 00 00 01 01
1 : 01 01 03 01 01 01 02 02 02 02
2 : 02 02 03 02 03 03 03 03 03 03
3 : 03 03 04 04 04 04 04 04 04 04
4 : 05 05 05 05 05 05 05 05 06 06
5 : 06 06 06 06 06 06 07 07 07 07
6 : 07 07 07 07

DSCP values of 12 and 22 are now marked to be written as CoS 3
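The map commands on the preceding slides (cos-dscp, ip-prec-dscp, policed-dscp, dscp-mutation and dscp-cos) all feed one pipeline: port trust state to internal DSCP, optional markdown by a policer, then egress DSCP and egress CoS. The following Python is an added example, not code from the training module or from Cisco IOS; it models that pipeline with the page's example values and renders a map the way show mls qos maps prints it, so the rows can be compared with the slides. The CoS-to-DSCP and IP-precedence-to-DSCP defaults (CoS times 8) and the class and function names are assumptions; the DSCP-to-CoS default follows the table on the DSCP to CoS slide.

```python
"""Model of the PFC internal-DSCP pipeline: port trust -> internal DSCP ->
policed-dscp markdown -> egress DSCP (mutation map or ToS preservation) and
egress CoS.  Added example, not Cisco code.  Defaults marked 'assumed' are not
taken from the page; the DSCP-to-CoS default (DSCP // 8) is the page's table."""


def identity64():
    return list(range(64))


class PfcQosMaps:
    def __init__(self):
        self.cos_dscp = [c * 8 for c in range(8)]       # assumed default cos-dscp map
        self.ipprec_dscp = [p * 8 for p in range(8)]    # assumed default ip-prec-dscp map
        self.dscp_cos = [d >> 3 for d in range(64)]     # page: 0-7 -> 0, 8-15 -> 1, ...
        self.policed_dscp = {"normal-burst": identity64(), "max-burst": identity64()}
        self.dscp_mutation = {}                          # map name -> 64-entry table

    def map_cos_dscp(self, *dscps):               # mls qos map cos-dscp d0 ... d7
        self._check8(dscps)
        self.cos_dscp = list(dscps)

    def map_ipprec_dscp(self, *dscps):            # mls qos map ip-prec-dscp d0 ... d7
        self._check8(dscps)
        self.ipprec_dscp = list(dscps)

    def map_policed_dscp(self, table, dscps, to):  # mls qos map policed-dscp TABLE d.. to NEW
        for d in dscps:
            self.policed_dscp[table][d] = to

    def map_dscp_cos(self, dscps, to):            # mls qos map dscp-cos d [d ...] to COS
        for d in dscps:
            self.dscp_cos[d] = to

    def map_dscp_mutation(self, name, dscps, to):  # mls qos map dscp-mutation NAME d.. to NEW
        table = self.dscp_mutation.setdefault(name, identity64())
        for d in dscps:
            table[d] = to

    @staticmethod
    def _check8(values):
        if len(values) != 8 or any(not 0 <= v <= 63 for v in values):
            raise ValueError("exactly 8 DSCP values in 0-63 required")

    @staticmethod
    def render_d1d2(table):
        """Render a 64-entry table the way `show mls qos maps` does (dscp = d1d2)."""
        rows = ["d1 : d2 " + " ".join(str(d2) for d2 in range(10))]
        for d1 in range(7):
            cells = [f"{table[d1 * 10 + d2]:02d}" for d2 in range(10) if d1 * 10 + d2 < 64]
            rows.append(f"{d1} : " + " ".join(cells))
        return rows


def internal_dscp(maps, trust, pkt_cos=0, pkt_dscp=0, port_cos=0):
    """Internal DSCP for a port in trust state 'untrusted', 'cos', 'dscp' or 'ip-precedence'."""
    if trust == "dscp":
        return pkt_dscp
    if trust == "ip-precedence":
        return maps.ipprec_dscp[pkt_dscp >> 3]       # precedence = top 3 bits of the DSCP
    if trust == "cos":
        return maps.cos_dscp[pkt_cos]
    return maps.cos_dscp[port_cos]                    # untrusted: the default port CoS applies


def markdown(maps, idscp, table="normal-burst"):
    """policed-dscp-transmit: exceed traffic is rewritten through the policed-dscp map."""
    return maps.policed_dscp[table][idscp]


def egress(maps, idscp, ingress_dscp=None, mutation=None, rewrite_ip_dscp=True):
    """Return (egress_dscp, egress_cos).  CoS is always derived from the internal DSCP;
    the DSCP comes from the mutation map when one is attached to the interface, and
    stays at the received value when `no mls qos rewrite ip dscp` is in effect."""
    cos = maps.dscp_cos[idscp]
    if not rewrite_ip_dscp and ingress_dscp is not None:
        return ingress_dscp, cos
    if mutation is not None:
        return maps.dscp_mutation[mutation][idscp], cos
    return idscp, cos


if __name__ == "__main__":
    m = PfcQosMaps()
    m.map_dscp_cos([12, 22], 3)            # the page's `mls qos map dscp-cos 12 22 to 3`
    print("\n".join(m.render_d1d2(m.dscp_cos)))
```

Applying the page's five commands to one PfcQosMaps instance reproduces the slide output: the dscp-cos rows for d1 = 1 and d1 = 2 come out as "01 01 03 01 01 01 02 02 02 02" and "02 02 03 02 03 03 03 03 03 03", and the normal-burst policed-dscp row for d1 = 2 shows 24 rewritten to 16. The egress function also makes the ToS preservation slide explicit: an untrusted port gives internal DSCP 0, so the egress DSCP is 0 unless rewrite is disabled, in which case the received value is carried through while the egress CoS is still taken from the internal DSCP.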

Configuring PFC QoS
Setting the Tail Drop Receive Queue
The Tail Drop threshold percentages can be changed from the defaults using the
following command (this applies to the 1q2t, 1p1q4t, 2q8t and 1q8t receive queue types)

6500(config-if)# rcv-queue threshold ?
<1-1> enter queue id

6500(config-if)# rcv-queue threshold 1 ?


<1-100> enter threshold value #1

6500(config-if)# rcv-queue threshold 1 20 ?


<1-100> enter threshold value #2

6500(config-if)# rcv-queue threshold 1 20 40 ?


<1-100> enter threshold value #3

6500(config-if)# rcv-queue threshold 1 20 40 80 ?


<1-100> enter threshold value #4

6500(config-if)# rcv-queue threshold 1 20 40 80 100 ?


<cr>

Configuring PFC QoS
Setting the WRED Drop Transmit Threshold
Setting the WRED Drop thresholds for transmit queues requires setting values for
both the minimum and maximum threshold – these values can be changed using
configuration commands (this applies to the 1p2q2t and 1p2q1t transmit queue types) – the
minimum threshold can be changed as follows

6500(config-if)# wrr-queue random-detect ?


max-threshold Max threshold for WRED
min-threshold Min threshold for WRED

6500(config-if)# wrr-queue random-detect min-threshold ?


<1-2> enter queue id

6500(config-if)# wrr-queue random-detect min-threshold 1 ?


<1-100> enter percent of queue size between 1 and 100

6500(config-if)# wrr-queue random-detect min-threshold 1 50 ?


<1-100> enter percent of queue size between 1 and 100

6500(config-if)# wrr-queue random-detect min-threshold 1 50 70 ?


<cr>

Configuring PFC QoS
Setting the WRED Drop Transmit Threshold
The maximum threshold can also be changed – an example of this can be seen
below (this applies to the 1p2q2t and 1p2q1t transmit queue types)…

6500(config-if)# wrr-queue random-detect ?


max-threshold Max threshold for WRED
min-threshold Min threshold for WRED

6500(config-if)# wrr-queue random-detect max-threshold ?


<1-2> enter queue id

6500(config-if)# wrr-queue random-detect max-threshold 1 ?


<1-100> enter percent of queue size between 1 and 100

6500(config-if)# wrr-queue random-detect max-threshold 1 60 ?


<1-100> enter percent of queue size between 1 and 100

6500(config-if)# wrr-queue random-detect max-threshold 1 60 100 ?


<cr>

Configuring PFC QoS
Changing WRED and Tail Drop Receive Queue Values
Certain line cards support both WRED and Tail Drop on their receive queues – these
queue types (8q8t and 1p1q8t) can be changed from their defaults as follows

The receive tail drop thresholds are first configured as follows

6500(config-if)# rcv-queue threshold ?


<1-8> enter queue id

6500(config-if)# rcv-queue threshold 2 ?


<1-100> enter percent of queue size between 1 and 100

<snip>

6500(config-if)# rcv-queue threshold 2 15 0 0 0 0 0 0 ?


<1-100> enter percent of queue size between 1 and 100

6500(config-if)# rcv-queue threshold 2 15 0 0 0 0 0 0 85


6500(config-if)#

Configuring PFC QoS
Changing WRED and Tail Drop Receive Queue Values
The Receive WRED drop thresholds can be configured as follows (8q8t and 1p1q8t receive queue types)
6500(config-if)# rcv-queue random-detect ?
<1-8> enter queue id

6500(config-if)# rcv-queue random-detect 1 ?


max-threshold Max threshold for WRED
min-threshold Min threshold for WRED

6500(config-if)# rcv-queue random-detect 1 min-threshold ?


<1-100> enter percent of queue size between 1 and 100

<snip>

6500(config-if)# rcv-queue random-detect 1 min-threshold 10 20 30 40 50 60 70 ?
<1-100> enter percent of queue size between 1 and 100

Up to 8 threshold values can be set for these receive queue types


Both min and max values can be set with this command
Configuring PFC QoS
Changing WRED and Tail Drop Transmit Queue Values
Certain line cards support both WRED and Tail Drop on their transmit queues – these
queue types (1p3q1t, 1p3q8t and 1p7q8t) can be changed from their defaults as follows

The transmit tail drop thresholds are first configured as follows

6500(config-if)# wrr-queue threshold ?


<1-8> enter queue id

6500(config-if)# wrr-queue threshold 2 ?


<1-100> enter percent of queue size between 1 and 100

<snip>

6500(config-if)# wrr-queue threshold 2 15 0 0 0 0 0 0 ?


<1-100> enter percent of queue size between 1 and 100

6500(config-if)# wrr-queue threshold 2 15 0 0 0 0 0 0 85


6500(config-if)#

Configuring PFC QoS
Changing WRED and Tail Drop Transmit Queue Values
The Transmit WRED drop thresholds can be configured as follows (1p3q1t, 1p3q8t and 1p7q8t transmit queue types)
6500(config-if)# wrr-queue random-detect ?
<1-8> enter queue id

6500(config-if)# wrr-queue random-detect 1 ?


max-threshold Max threshold for WRED
min-threshold Min threshold for WRED

6500(config-if)# wrr-queue random-detect 1 min-threshold ?


<1-100> enter percent of queue size between 1 and 100

<snip>

6500(config-if)# wrr-queue random-detect 1 min-threshold 10 20 30 40 50 60 70 ?
<1-100> enter percent of queue size between 1 and 100

Up to 8 threshold values can be set for the 1p3q8t and 1p7q8t transmit queue types
Both min and max values can be set with this command
Configuring PFC QoS
Mapping CoS values to Standard RCV Queue Thresholds
On ingress, the CoS value on the incoming packet can be used to map the frame to a receive
threshold – a default map exists, but can be changed using the command below

6500(config-if)# rcv-queue cos-map ?


<1-1> enter cos-map queue id

6500(config-if)# rcv-queue cos-map 1 ?


<1-4> enter cos-map threshold id

6500(config-if)# rcv-queue cos-map 1 2 ?


<0-7> cos values separated by spaces (up to 8 values total)

6500(config-if)# rcv-queue cos-map 1 2 0 3 ?


<0-7> cos values separated by spaces (up to 8 values total)
<cr>

In this example, CoS values of 0 and 3 are mapped to threshold 2 in Queue 1

Configuring PFC QoS
Mapping CoS values to Standard TX Queue Thresholds
Like the receive queues, the CoS to threshold mapping for the transmit queues can also be
modified – this can be achieved as follows
6500(config-if)# wrr-queue cos-map ?
<1-2> enter cos-map queue id

6500(config-if)# wrr-queue cos-map 1 ?


<1-2> enter cos-map threshhold id

6500(config-if)# wrr-queue cos-map 1 1 ?


<0-7> cos values separated by spaces (up to 8 values total)

6500(config-if)# wrr-queue cos-map 2 2 4 ?


<0-7> cos values separated by spaces (up to 8 values total)
<cr>

6500(config-if)# wrr-queue cos-map 2 2 4


6500(config-if)#

In this example, the CoS value of 4 has been mapped to Threshold 2 in Queue 2

Configuring PFC QoS
Mapping CoS values to Strict Priority Queues
When a strict priority queue exists, the default action is to map CoS value of 5 to the queue –
this can also be changed using the following command sequence…
6500(config-if)# priority-queue ?
cos-map Configure cos-map for a queue

6500(config-if)# priority-queue cos-map ?


<1-1> enter cos-map queue id (1)

6500(config-if)# priority-queue cos-map 1 ?


<0-7> cos values separated by spaces (up to 8 values total)

6500(config-if)# priority-queue cos-map 1 3 ?


<0-7> cos values separated by spaces (up to 8 values total)
<cr>

6500(config-if)# priority-queue cos-map 1 3


6500(config-if)#

In this example, the CoS value of 3 has been mapped to the Strict Priority queue on both the
receive and transmit side for this interface

Configuring PFC QoS
Allocating bandwidth between transmit queues
The amount of bandwidth for the transmit queues on a given interface can be changed to suit
local requirements – from its given defaults, use the following command sequence to initiate a
change…
6500(config-if)# wrr-queue bandwidth ?
<1-255> enter bandwidth weight

6500(config-if)# wrr-queue bandwidth 40 ?


<1-255> enter bandwidth weight

6500(config-if)# wrr-queue bandwidth 40 80 ?


<cr>

6500(config-if)# wrr-queue bandwidth 40 80

The value to be used is a weight that ranges from 0 to 255 – in the example above an 80-40 (or
2-1) weight has been used to apportion bandwidth between the two queues – this means
Queue 2 will get twice the bandwidth that Queue 1 has.

Configuring PFC QoS
Setting Transmit Queue Size Ratio
The amount of buffer space that can be allocated to each transmit queue on 1p2q2t type queue
ports can be changed from the default using the following configuration

6500(config-if)# wrr queue-limit ?


<1-100> enter queue size weight

6500(config-if)# wrr queue-limit 65 ?


<1-100> enter queue size weight

6500(config-if)# wrr queue-limit 65 35 ?


<cr>

In this example, Queue 1 gets 65% of the buffer space and Queue 2 gets 35% of the buffer space
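The transmit-side commands on the preceding slides (wrr-queue threshold, wrr-queue cos-map, priority-queue cos-map, wrr-queue bandwidth and wrr queue-limit) interact on a single port: the CoS map decides which queue and threshold a frame lands in, the queue-limit and threshold decide whether it is tail dropped, and the bandwidth weights decide how the surviving frames are interleaved on the wire behind the strict priority queue. The following Python models a 1p2q2t port to show that interaction; it is an added example, not code from the training module or from Cisco IOS. The buffer size, the initial CoS-to-queue map and serving `weight` packets per WRR turn are constructed assumptions; the CoS 5 default for the strict priority queue and the 40/80 and 65/35 values come from the slides.

```python
"""Model of a 1p2q2t egress port: one strict priority (SP) queue plus two WRR queues
with two tail-drop thresholds each.  Added example, not Cisco code.  Buffer size,
initial CoS map and the packets-per-turn WRR are constructed assumptions."""
from collections import deque


class EgressPort1p2q2t:
    def __init__(self, buffer_bytes=100_000):
        self.buffer = buffer_bytes                  # assumed total buffer for the port
        self.weights = [1, 1]                       # wrr-queue bandwidth w1 w2 (assumed start)
        self.queue_limit = [50, 50]                 # wrr queue-limit p1 p2, % of buffer (assumed)
        self.thresholds = [[50, 100], [50, 100]]    # wrr-queue threshold q t1 t2, % of queue (assumed)
        # cos -> (queue index, threshold index) or ("sp", None); CoS 5 -> SP is the page's default
        self.cos_map = {0: (0, 0), 1: (0, 0), 2: (0, 1), 3: (0, 1),
                        4: (1, 0), 5: ("sp", None), 6: (1, 1), 7: (1, 1)}
        self.queues = [deque(), deque()]
        self.sp = deque()
        self.fill = [0, 0]                          # bytes currently queued per WRR queue
        self.dropped = []

    # --- interface commands from the slides ---
    def wrr_queue_bandwidth(self, w1, w2):
        if min(w1, w2) < 1:
            raise ValueError("weights are 1-255")
        self.weights = [w1, w2]

    def wrr_queue_limit(self, p1, p2):
        self.queue_limit = [p1, p2]

    def wrr_queue_threshold(self, queue, t1, t2):
        self.thresholds[queue - 1] = [t1, t2]

    def wrr_queue_cos_map(self, queue, threshold, *cos_values):
        for cos in cos_values:
            self.cos_map[cos] = (queue - 1, threshold - 1)

    def priority_queue_cos_map(self, *cos_values):
        for cos in cos_values:
            self.cos_map[cos] = ("sp", None)

    def enqueue(self, pkt):
        """pkt = (cos, size_bytes).  Tail drop once the queue's fill would pass the
        threshold this CoS maps to.  The SP queue has its own fixed space (not modelled)."""
        cos, size = pkt
        queue, threshold = self.cos_map[cos]
        if queue == "sp":
            self.sp.append(pkt)
            return True
        capacity = self.buffer * self.queue_limit[queue] / 100
        limit = capacity * self.thresholds[queue][threshold] / 100
        if self.fill[queue] + size > limit:
            self.dropped.append(pkt)
            return False
        self.queues[queue].append(pkt)
        self.fill[queue] += size
        return True

    def drain(self):
        """Transmit order: the SP queue is always served first; then each WRR queue
        sends up to `weight` packets before the scheduler moves to the next queue."""
        out = []
        while self.sp or any(self.queues):
            for queue, weight in enumerate(self.weights):
                while self.sp:
                    out.append(self.sp.popleft())
                for _ in range(weight):
                    if not self.queues[queue]:
                        break
                    pkt = self.queues[queue].popleft()
                    self.fill[queue] -= pkt[1]
                    out.append(pkt)
        return out


def page_example():
    """Port configured with the slides' values: bandwidth 40 80, queue-limit 65 35,
    CoS 4 -> queue 2 threshold 2, CoS 3 -> SP queue.  Returns (transmit order, drops)."""
    port = EgressPort1p2q2t()
    port.wrr_queue_bandwidth(40, 80)
    port.wrr_queue_limit(65, 35)
    port.wrr_queue_cos_map(2, 2, 4)
    port.priority_queue_cos_map(3)
    for _ in range(100):                    # constructed burst: 100 x 500-byte frames per CoS
        port.enqueue((0, 500))              # queue 1, threshold 1 (50% of 65 000 bytes)
        port.enqueue((4, 500))              # queue 2, threshold 2 (100% of 35 000 bytes)
    for _ in range(5):
        port.enqueue((3, 500))              # strict priority
    return port.drain(), port.dropped


if __name__ == "__main__":
    order, drops = page_example()
    print(len(order), "transmitted,", len(drops), "tail dropped; first 50 CoS values:",
          [cos for cos, _ in order[:50]])
```

With the slide values, the burst of CoS 0 frames is cut off at threshold 1 of queue 1 (65 of 100 accepted), the CoS 4 frames at the full size of the smaller queue 2 (70 of 100 accepted), the five CoS 3 frames leave first because they were remapped to the strict priority queue, and the WRR turns then alternate 40 frames from queue 1 with up to 80 from queue 2, which is the 2:1 share the bandwidth slide describes.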

January 2004
Catalyst 6500
Technical Training
CHAPTER 27: Power Management and Environment Monitoring




CHAPTER 27.1 – Understanding Power and Environmental

Understanding Power
All Catalyst 6500 chassis options support redundant power supplies. Power Supply options
include both AC and DC versions

• For normal operation, both power supplies should be the same wattage

• The 6500 does support two power supplies with different wattages – this scenario is targeted for upgrade scenarios and is not recommended for normal operation

• The 6500 also supports an AC and DC power supply installed at the same time, but again, this is more designed for upgrade purposes and NOT normal operation

(Chassis: Power Supply 1, Power Supply 2)


© 2004, Cisco Systems, Inc. All rights reserved.
462
Understanding Power Redundancy
The 6500 can utilize two power supplies working in either combined or redundant mode.

[Diagram: Redundant Mode, the switch drawing 50% from Power Supply 1 and 50% from Power Supply 2; Combined Mode, the switch drawing 83% from Power Supply 1 and 83% from Power Supply 2]

In redundant mode, each power supply operates at 50% capacity and the pair provides the same total power as a single power supply; if one fails, the backup reverts to providing 100% of the power.

In combined mode, the pair operates at 167% of a single supply's capacity (83% from each supply, as shown); if one fails, the running supply provides 100% of its own capacity, so the power drawn in combined mode only remains available after a failure if it fits within one supply.

463
Understanding Power
Powering Modules On and Off and Power Cycling
The 6500 power management code allows individual modules to be powered on and off or power cycled selectively. This is an important feature, especially for some service modules which need to be powered down prior to removal from the chassis.

[Diagram: two Catalyst 6509 chassis side by side (slots 1-4 linecards, slots 5-6 Sup720, slots 7-9 linecards, PSU #1 and PSU #2). Selected modules can be shut down: in the right-hand chassis, modules 2 and 7 are shut down while the others continue to operate normally]

464
Show Power
The power status of the 6500 can be viewed using the following command:

6500# show power
system power redundancy mode = combined
system power total = 3885.00 Watts (92.5 Amps @ 42V)
system power used = 774.90 Watts (18.45 Amps @ 42V)
system power available = 3110.10 Watts (74.05 Amps @ 42V)
                                 Power-Capacity PS-Fan Output Oper
PS   Type               Watts   A @42V Status Status State
---- ------------------ ------- ------ ------ ------ -----
1    WS-CAC-2500W       2331.00  55.50 OK     OK     on
2    WS-CAC-2500W       2331.00  55.50 OK     OK     on
                                 Pwr-Requested  Pwr-Allocated  Admin Oper
Slot Card-Type          Watts   A @42V Watts   A @42V State State
---- ------------------ ------- ------ ------- ------ ----- -----
1    WS-X6516-GE-TX     144.90   3.45  144.90   3.45  on    on
5    WS-SUP720-BASE     315.00   7.50  315.00   7.50  on    on
6    -                  -        -     315.00   7.50  -     -
6500#

465
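The output above is what an operator reads by hand; the power-mode slides also imply a check worth automating: does the power in use still fit within what is left when one supply fails? The following is an added example and not code from the training deck or from Cisco. It parses the show power text reproduced on the slide, and the parsing approach, the field names and the survivability rule (power used must fit within the capacity of the supplies that remain) are this example's own assumptions.

```python
"""Parse Catalyst 6500 'show power' output and check that the chassis
would survive losing one power supply.

Added example; not code from the original training deck.  The sample text
is the 'show power' output printed on the slide.  The parsing and the
survivability rule are this example's own assumptions.
"""
import re

# 'show power' output as reproduced on the slide.
SHOW_POWER = """\
system power redundancy mode = combined
system power total = 3885.00 Watts (92.5 Amps @ 42V)
system power used = 774.90 Watts (18.45 Amps @ 42V)
system power available = 3110.10 Watts (74.05 Amps @ 42V)
                                 Power-Capacity PS-Fan Output Oper
PS   Type               Watts   A @42V Status Status State
---- ------------------ ------- ------ ------ ------ -----
1    WS-CAC-2500W       2331.00  55.50 OK     OK     on
2    WS-CAC-2500W       2331.00  55.50 OK     OK     on
                                 Pwr-Requested  Pwr-Allocated  Admin Oper
Slot Card-Type          Watts   A @42V Watts   A @42V State State
---- ------------------ ------- ------ ------- ------ ----- -----
1    WS-X6516-GE-TX     144.90   3.45  144.90   3.45  on    on
5    WS-SUP720-BASE     315.00   7.50  315.00   7.50  on    on
6    -                  -        -     315.00   7.50  -     -
"""


def _watts(field):
    """Convert a Watts column to float; '-' (nothing requested) becomes None."""
    return None if field == "-" else float(field)


def parse_show_power(text):
    """Return the redundancy mode, the system-level watt figures and one
    record per power supply and per slot."""
    info = {"mode": None, "total_w": None, "used_w": None,
            "available_w": None, "supplies": [], "slots": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"system power redundancy mode = (\S+)", line)
        if m:
            info["mode"] = m.group(1)
            continue
        m = re.match(r"system power (total|used|available) = ([\d.]+) Watts", line)
        if m:
            info[m.group(1) + "_w"] = float(m.group(2))
            continue
        # The two tables are told apart by their header rows.
        if line.startswith("PS "):
            section = "ps"
            continue
        if line.startswith("Slot "):
            section = "slot"
            continue
        if not line[0].isdigit():
            continue  # column rulers and the wrapped sub-headers
        cols = line.split()
        if section == "ps" and len(cols) == 7:
            info["supplies"].append({
                "number": int(cols[0]), "type": cols[1],
                "capacity_w": float(cols[2]), "fan": cols[4],
                "output": cols[5], "state": cols[6]})
        elif section == "slot" and len(cols) == 8:
            info["slots"].append({
                "slot": int(cols[0]), "card": cols[1],
                "requested_w": _watts(cols[2]), "allocated_w": _watts(cols[4]),
                "admin": cols[6], "oper": cols[7]})
    return info


def survives_supply_loss(info):
    """True when the power in use fits within the capacity left after the
    largest 'on' supply fails.  Assumed rule: in combined mode the survivor
    only provides its own capacity, so a chassis drawing more than that
    would lose modules when a supply fails."""
    caps = [ps["capacity_w"] for ps in info["supplies"] if ps["state"] == "on"]
    if len(caps) < 2 or info["used_w"] is None:
        return False
    remaining = sum(caps) - max(caps)
    return info["used_w"] <= remaining


def modules_not_fully_powered(info):
    """Slots holding a card whose admin or oper power state is not 'on'."""
    return [s["slot"] for s in info["slots"]
            if s["card"] != "-" and (s["admin"] != "on" or s["oper"] != "on")]


if __name__ == "__main__":
    power = parse_show_power(SHOW_POWER)
    print("mode:", power["mode"], "used:", power["used_w"], "W")
    print("survives loss of one supply:", survives_supply_loss(power))
    print("modules not fully powered:", modules_not_fully_powered(power))
```

On the slide's output the sum of the allocated watts (144.90 + 315.00 + 315.00) equals the system power used, and 774.90 W fits within one 2331 W supply, so a single supply failure would not cost any module. The same parser makes it easy to alert when a chassis in combined mode grows past that point.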
CHAPTER 27.2 – Environmentals

466
Understanding Environmentals
The Catalyst 6500 monitors key environment indicators in the chassis; these indicators can be displayed using a set of special commands as follows:

6500# show environment ?
  alarm        show environmental alarms
  cooling      show cooling parameters
  status       operational status of FRU
  temperature  temperature readings
  |            Output modifiers
  <cr>

Any environmental alarms that have been triggered can be viewed as follows:

6500# show environment alarm ?
  status      show alarm status
  thresholds  show alarm thresholds
  |           Output modifiers
  <cr>

6500# show environment alarm
environmental alarms:
no alarms

467
Understanding Environmentals
Cooling information can also be displayed as follows:

6500# show environment cooling ?
  all       selects all FRU-types
  fan-tray  specify fan-tray <number>
  module    specify module <slot>
  |         Output modifiers
  <cr>

6500# show environment cooling fan-tray
fan-tray 1:
fan-tray 1 version: 2
fan-tray 1 fan-fail: OK
6500# show environment cooling module 1
module 1 cooling requirement: 30 cfm
6500#

468
Understanding Environmentals
Status information can also be displayed as follows:

6500# show environment status ?
  all           selects all FRU-types
  backplane     specify backplane
  clock         specify clock <number>
  earl          specify earl <slot>
  fan-tray      specify fan-tray <number>
  interface     interface name
  module        specify module <slot>
  power-supply  specify power-supply <number>
  rp            specify RP (MSFC) <slot>
  supervisor    specify supervisor <slot>
  vdb           specify vdb <slot>
  vtt           specify VTT <number>
  |             Output modifiers
  <cr>

6500# show env stat vtt ?
  <1-3>  VTT number
6500# show env stat vtt 1
VTT 1:
VTT 1 OK: OK
VTT 1 outlet temperature: 29C

469
Understanding Environmentals
Temperature information can also be displayed as follows:

6500# show environment temperature ?
  all        selects all FRU-types
  backplane  specify backplane
  earl       specify earl <slot>
  module     specify module <slot>
  rp         specify RP (MSFC) <slot>
  vdb        specify vdb <slot>
  vtt        specify VTT <number>
  |          Output modifiers
  <cr>

6500# show environment temperature module 1
module 1 outlet temperature: 36C
module 1 inlet temperature: 25C
6500#

470
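The alarm, cooling, status and temperature outputs on the preceding slides are the raw material for a periodic health check. The following is an added example, not code from the training deck or from Cisco: it parses the sample outputs printed on the slides (alarm, fan-tray and module temperature lines; the temperature pattern also covers the VTT line from the status slide) and reduces them to a single healthy/unhealthy verdict. The function names, the field layout and the warning temperature are this example's own assumptions; the platform's real thresholds are what show environment alarm thresholds reports.

```python
"""Summarise Catalyst 6500 'show environment' output into a health check.

Added example; not code from the original training deck.  The sample
outputs are the ones printed on the slides.  The parsing and the warning
threshold are this example's own assumptions.
"""
import re

# Sample outputs, copied from the slides.
SHOW_ENV_ALARM = """\
environmental alarms:
no alarms
"""

SHOW_ENV_COOLING = """\
fan-tray 1:
fan-tray 1 version: 2
fan-tray 1 fan-fail: OK
"""

SHOW_ENV_TEMP = """\
module 1 outlet temperature: 36C
module 1 inlet temperature: 25C
"""

# Warning threshold in degrees C.  Assumed value for this example only;
# the platform's own limits come from 'show environment alarm thresholds'.
WARN_TEMP_C = 50


def parse_alarms(text):
    """Return the alarm lines; the 'no alarms' body yields an empty list."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    body = [l for l in lines if not l.endswith(":")]  # drop the section title
    return [] if body == ["no alarms"] else body


def parse_fan_status(text):
    """Map fan-tray number -> value of its fan-fail field (e.g. 'OK')."""
    status = {}
    for m in re.finditer(r"fan-tray (\d+) fan-fail: (\S+)", text):
        status[int(m.group(1))] = m.group(2)
    return status


def parse_temperatures(text):
    """Map (fru, sensor) -> degrees C, e.g. ('module 1', 'outlet') -> 36.
    Works for 'module N', 'VTT N' and similar 'name number' FRU labels."""
    temps = {}
    for m in re.finditer(r"^(\S+ \d+) (\S+) temperature: (\d+)C", text, re.M):
        temps[(m.group(1), m.group(2))] = int(m.group(3))
    return temps


def environment_health(alarm_text, cooling_text, temp_text, warn_c=WARN_TEMP_C):
    """Combine the three outputs into {'healthy': bool, 'problems': [...]}."""
    problems = [f"alarm: {a}" for a in parse_alarms(alarm_text)]
    for tray, state in sorted(parse_fan_status(cooling_text).items()):
        if state != "OK":
            problems.append(f"fan-tray {tray} fan-fail: {state}")
    for (fru, sensor), deg in sorted(parse_temperatures(temp_text).items()):
        if deg >= warn_c:
            problems.append(f"{fru} {sensor} temperature {deg}C >= {warn_c}C")
    return {"healthy": not problems, "problems": problems}


if __name__ == "__main__":
    report = environment_health(SHOW_ENV_ALARM, SHOW_ENV_COOLING, SHOW_ENV_TEMP)
    print("healthy:", report["healthy"])
    for p in report["problems"]:
        print(" -", p)
```

Feeding the slides' outputs through the check reports healthy with no problems. Lowering the assumed warning threshold, or feeding in an alarm body or a fan-tray whose fan-fail field is not OK, flips the verdict, which is the behaviour an operator wants from a polling job that wraps these show commands.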