Catalyst 6500 Supervisor 720 using Native IOS 12.2SX
Carl Solder
Technical Marketing Engineer
Internetworking Systems Business Unit
© 2004, Cisco Systems, Inc. All rights reserved. 1
Before we start…
Cisco Systems
NOTE: This is a training module that forms part of a complete set of Catalyst 6500 training materials. It is designed to provide an introduction to the topic in question, review the configuration commands and provide sample configurations…
This update is based on a Catalyst 6500 running the Supervisor 720 with the 12.2SX version of IOS code…
Catalyst 6513: 13 slot chassis
Catalyst 6509: 9 slot chassis
SUPERVISOR 720 Hardware Features
- Integrated 720-Gbps Switch Fabric
- Integrated Policy Feature Card
- Integrated Multilayer Switch Feature Card
- Supports two external compact flash slots
- Supports three external GE ports (2 active)
- Supports Classic, Fabric and High Capacity modules
Advanced Features
- IPV4 and IPV6 CEF Based Switching
- IPV6 Tunneling
- IPV4 NAT and PAT in hardware
- MPLS P/PE, VPN and TE
- GRE and IP in IP Tunneling
- WCCP V2
- Supports 256K+ IPV4 routes
- Supports 128K+ IPV6 routes
- Ingress/Egress Policing
- User Based Rate Limiting
- Hardware based classification
- Multipath URPF
- Bi-Directional PIM
- Port Access Control lists
- and more…
The MSFC3 supports both the Switch Processor (SP) and Route Processor (RP)…
Component             Route Proc   Switch Proc
SDRAM (Default/Max)   512Mb/1Gb    512Mb/1Gb
Bootflash             64Mb         64Mb
NVRAM                 2Mb          2Mb
RP supports..
SP supports… Spanning Tree, VLAN Trunking Protocol, CDP, Pushing FIB to PFC,DFC and more…
Supervisor 720 PFC3
Policy Feature Card (PFC) is a standard daughter card on the Supervisor 720
PFC3 features:
- IPV4 CEF
- IPV6 CEF
- IPV6 Tunneling
- IPV4 NAT and PAT
- MPLS VPN
- MPLS P/PE
- MPLS TE
- GRE Tunneling
- IP in IP Tunneling
- WCCP V2
- 256K IPV4 Routes
- 128K IPV6 Routes
- User Based Microflow Policing
- Ingress and Egress Policing
- Port Access Control Lists
- Multipath URPF
- Bi Directional PIM
Feature           PFC3a      PFC3b
Routes (IPV4)     256K       800K
Number of ACL’s   512        4000
ACE Counters      No         Yes
MPLS              Baseline   Adds EoMPLS, IP options, etc…
Supervisor 720 Switch Fabric
Integrated 720-Gbps Switch Fabric on the Supervisor 720
IPV6 HARDWARE FEATURES (IPV6 function located on PFC3):
- 128K FIB entries
- IPV6 Load Sharing up to 16 paths
- Etherchannel hash across 48 bits
- IPV6 Policing/Netflow/Classification
- STD and EXT V6 ACL’s
- IPV6 QoS lookups
- IPV6 Multicast
- V6 to V4 Tunneling
- IPV6 Edge over MPLS (6PE)
Other IPV6 features:
- IPV6 Addressing
- ICMP for IPV6
- DNS for IPV6
- V6 MTU Path Discovery
- SSH for IPV6
- IPV6 Telnet
- IPV6 Traceroute
- dCEF for IPV6
- RIP for IPV6
- IS-IS for IPV6
- OSPF V3 for IPV6
- BGP for IPV6
Supervisor 720 Hardware Features
Route Processor Rate Limiters
Rate Limiters applied to…
- Input and Output ACL traffic
- CEF Receive Traffic
- CEF Glean Traffic
- MTU Failures
- ICMP Redirect
- VACL Logging
- L3 Security Feature traffic
- TTL failures
- RPF Failures
GRE Tunnel
GRE Performance is up to 10Mpps centralized and up to 25Mpps de-centralized
Egress Policer
NAT
Sup720 Supports..
- Software Translation setup, then changed
- Hardware-based IPV4 NAT & PAT
- Up to 20 Mpps on the Sup720
NAT: L3 Addressing information changed
PAT: L4 Addressing information changed
Unicast Reverse Path Forwarding (uRPF) Check mitigates problems caused by spoofed or
malformed IP source addresses. uRPF will drop packets whose source address is not in the
local forwarding tables.
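A software model of the uRPF check described above, added here as an illustration (it is not code from the training module or from Cisco). The FIB and the interface names are constructed for the example; loose mode is the behaviour the text describes (source not in the forwarding table is dropped), and strict mode, which also requires the best route back to the source to leave via the ingress interface, is included as the generalisation.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed FIB for the example: (prefix, outgoing interface).
# Not taken from any real device.
FIB: List[Tuple[str, str]] = [
    ("10.1.0.0/16", "Vlan10"),
    ("10.1.5.0/24", "Vlan15"),
    ("192.0.2.0/24", "GigabitEthernet1/1"),
    ("0.0.0.0/0", "GigabitEthernet1/2"),   # default route
]


def lookup(fib: List[Tuple[str, str]], addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match of addr against fib; None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_permits(fib: List[Tuple[str, str]], src_addr: str, ingress_if: str,
                 mode: str = "loose", allow_default: bool = False) -> bool:
    """True if a packet from src_addr arriving on ingress_if passes the check.

    loose  - the source must be covered by a route in the FIB (the behaviour the
             slide describes: sources not in the forwarding table are dropped).
    strict - additionally, the best route back to the source must point out
             the interface the packet arrived on.
    A match on the default route does not count unless allow_default is set,
    since 0.0.0.0/0 would otherwise make every spoofed source look reachable.
    """
    match = lookup(fib, src_addr)
    if match is None:
        return False
    net, out_if = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return out_if == ingress_if
    raise ValueError("mode must be 'loose' or 'strict'")


def dropped_packets(fib: List[Tuple[str, str]], packets: List[Tuple[str, str]],
                    mode: str = "loose") -> List[Tuple[str, str]]:
    """Apply the check to (source, ingress interface) pairs; return those that fail."""
    return [(src, ifn) for src, ifn in packets if not urpf_permits(fib, src, ifn, mode)]


if __name__ == "__main__":
    # Constructed sample: one legitimate source, one source with no route at all.
    sample = [("10.1.5.7", "Vlan15"), ("203.0.113.9", "Vlan10")]
    print("loose mode drops:", dropped_packets(FIB, sample))
    print("strict mode drops:", dropped_packets(FIB, sample, mode="strict"))
```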
Flow masks:
- Destination-Only IP (default)
- Source-Destination IP
- Full-flow (Src IP, Dst IP, Protocol, Src Port, Dst Port) – Microflow policing uses full flow
This new facility increases the capacity of Sup720 to store more entries in its Netflow table… Allows different features that use the Netflow table to use different masks (i.e. IOS SLB, NDE, TCP Intercept, Reflexive ACL’s, WCCP and CBAC)
Traffic Management
User-Based Rate Limiting (Only Available with a Sup720)
Classic modules: 6000, 6100, 6200, 6300, 6400, & 6600 Series Modules; CSM, IDS/NAM (Original), FlexWAN
(Diagram: Supervisor with MSFC, PFC, Forwarding Tables, Fabric Arbitration and Net MGMT NMP; Classic, CEF256 and dCEF256 linecards on the 32-Gbps Switch Bus; dCEF720, aCEF720 and CEF720 linecards on the Crossbar with 20-Gbps and 8-Gbps channels)
Processors
Component Comparison
Component                    Sup2/MSFC2         Sup720/MSFC3
CPU Speed                    SP 250 MHz         SP 600 MHz
                             RP 300 MHz         RP 600 MHz
ECC SDRAM default/maximum    SP 128MB/512MB     SP 512MB/1GB
                             RP 128MB/512MB     RP 512MB/1GB
Bootflash                    SP 32MB            SP 64MB
                             RP 16MB            RP 64MB
NVRAM                        SP 512KB           SP 2MB
                             RP 512KB           RP 2MB
Now dCEF modules are supported in the 3 slot chassis!
6 slot chassis: Slots 1-4 Module; Slots 5-6 Supervisor 720 or Module
9 slot chassis: Slots 1-4 Module; Slots 5-6 Supervisor 720 or Module; Slots 7-9 Module
13 slot chassis: Slots 1-6 Module; Slots 7-8 Supervisor 720 or Module; Slots 9-13 Module
Switch Fabric
• Integrated Fabric: a SFM must be removed when using a Sup720
• Fabric channels run at 20 Gbps, Full Duplex, so 20 Gbps in / 20 Gbps out per channel
• Two fabric channels allocated to each slot: 40 Gbps/slot with dual fabric channels
(Diagram: 9-slot chassis, Slot 1 to Slot 9 each connected to the fabric)
jeraymon3: Does this switch fabric have the same fabric channel allocations in the 6513 as the SFM2?
Jeff Raymond (jeraymon), 3/9/2003
Supervisor 720
Switch Fabric - Channel Allocation
• Two Channels per slot: 3 slot chassis (6503, 7603), 6 slot chassis (6506, 7606), 9 slot chassis (6509, 7609)
• 13 Slot chassis fabric channel allocation is the same as the SFM2: Slots 1 thru 8 receive a single fabric channel; Slots 9 thru 13 receive dual fabric channels
• Fabric channels for xCEF256 modules will auto-sync to 8 Gbps
(Diagram: 6513, Slot 1 to Slot 13; Supervisor 720 with aCEF Engines, Integrated Switch Fabric with 20 Gbps channels, Integrated DFC3, 16 Gbps Switching Bus with 8 Gbps connections, Switch Processor and Route Processor)
IOS Architecture
Switch Processor (SP)
Both the RP and SP perform distinct functions during both the booting of the operating system and the ongoing operation of the switch…
(Diagram: MSFC3 with SP and RP, each with its own BOOTFLASH and DRAM)
FILESYSTEM        DESCRIPTION
bootflash:        Flash that is owned by the RP
slavebootflash:   Flash memory owned by a redundant supervisor
sup-bootflash:    Flash that is owned by the SP
disk0:            The first compact flash slot on the Supervisor
slavedisk0:       1st CF slot on redundant Supervisor
disk1:            The second compact flash slot on the Supervisor
slavedisk1:       2nd CF slot on a Redundant Supervisor
startup-config:   Startup configuration located in NVRAM
running-config:   Running configuration located in DRAM
nvram:            NVRAM on the Supervisor
slavenvram:       NVRAM on a Redundant Supervisor
File Management Commands
Files stored on the file subsystems can be viewed using the “DIR” command…
6500# dir sup-bootflash:
Directory of sup-bootflash:/
65536000 bytes total (38188344 bytes free)
Deleted files are shown in brackets [ ]
The current default file system can be seen using the following …
6500# pwd
disk0:
The current default file system can be changed to another file system as follows …
6500# cd sup-bootflash:
6500# pwd
sup-bootflash:/
6500#
UNDELETE COMMAND
6500# undelete 2 sup-bootflash:
6500# dir sup-bootflash:
Directory of sup-bootflash:/
As can be seen in the final dir /all command, the config1 file is no longer located in this file system…
File Management Commands
Boot Command
To boot a native IOS image, the image can be loaded from one of two locations – either the SUP-Bootflash, or from one of the two compact flash slots on the front panel of the supervisor…
64Mb of SUP-Bootflash is provided to hold IOS images…
The “BOOT SYSTEM FLASH” command can be used to identify the IOS image on the compact flash slot that the switch should use to boot… on switch bootup you should see the following…
System Bootstrap, Version 7.7(1)
Copyright (c) 1994-2003 by cisco Systems, Inc.
Cat6k-Sup720/SP processor with 524288 Kbytes of main memory
Using a standard VT100 terminal emulator, the following default settings are required to connect into the switch…
Feature     Setting
Speed       9600 baud
Data bits   8
Parity      None
Stop bits   2
Commands can be issued as abbreviations as long as they don’t conflict with another command in the same category
Switch# sh cl
% Ambiguous command: "sh cl"
Switch# sh cl?          >> CL clashes with other commands
class-map clns clock cls
STEP ONE…
System Bootstrap, Version 7.1(1)
Copyright (c) 1994-2001 by cisco Systems, Inc.
c6k_sup2 processor with 131072 Kbytes of main memory
STEP TWO…
rommon 1 > confreg
do you wish to change the configuration? y/n [n]:          Enter “y” here
STEP THREE…
STEP FOUR…
do you wish to change the configuration? y/n [n]: n
The switch bypasses any enable password as the configuration was ignored on startup..
Next, the startup configuration can be loaded into the running configuration as follows..
After copying the startup config in the running config – enter configuration mode and reset the enable password as required
Configuring a Supervisor 720
Compact Flash Slots
Contents of compact flash in these slots can be viewed by using the “DIR” command shown as follows…
(Diagram: Supervisor 720 front panel, Port 1 SFP)
6500(config)#interface g5/2
6500(config-if)#media-type ?
rj45 Use RJ45 connector
sfp Use SFP connector
<cr>
If the 10/100/1000 port is active, the SFP port can be reactivated (shutting down the RJ45 port) by using one of the following…
Switch Fabric
Mode    Description
BUS     Used for traffic between non fabric enabled modules and for traffic between a non fabric and a fabric enabled linecard…
The mode of operation being used by the switch fabric module can also be inspected using the following command…
The utilization of the Switch Fabric can be inspected by using the following command…
Fabric errors:
slot channel sync buffer timeout
1 0 0 0 0
2 0 0 0 0
3 0 0 0 0
5 0 0 0 0
6500#
(Diagram: Supervisor Engine with MSFC; Layer 3 VLAN interface SVIs on the supervisor, linecard ports in Shutdown)
This example shows 5 Gigabit Ethernet interfaces being enabled at the same time…
Interface Range Macro
If a group of interfaces is configured on a regular basis, it might be more pertinent to define a macro that associates a name with that group of interfaces. This way, the entrance into range configuration mode can be made much easier…
6500(config)# define interface-range admin g1/1 - 4
6500(config)# interface range macro admin
6500(config-if-range)#
The four gigabit interfaces (INT G1/1 to INT G1/4 on the switch) have been associated with the “admin” macro…
6500(config-if)# duplex ?
full Force full duplex operation
half Force half-duplex operation
(Diagram: SWITCH A 10/100/1000 Port with Full Duplex connected to SWITCH B with Auto Duplex)
SWITCH A               SWITCH B
ON   UP     GE - GE    ON   UP
OFF  DOWN   GE - GE    ON   UP
ON   UP     GE - GE    OFF  DOWN
OFF  UP     GE - GE    OFF  UP
6500(config-if)# speed ?
1000 Force 1000 Mbps operation
nonegotiate Do not negotiate speed
“speed nonegotiate” DISABLES link negotiation; “no speed nonegotiate” ENABLES link negotiation
Understanding Jumbo Frames…
Jumbo Frame support allows an Ethernet port to switch an Ethernet packet larger than the default maximum size of 1518 bytes … It is configured by specifying a global MTU size and a per port (or per VLAN) MTU size…
(Frame diagram: HDR + DATA, 1548 Bytes versus 9216 Bytes)
Note - Jumbo frame support across different vendor platforms differs slightly in the jumbo frame size that they support…
WS-X6148-GE-TX, WS-X6548-GE-TX
The Voice enabled versions of these linecards also do not support Jumbo Frames
Some modules only support a maximum of 8192 byte frames and include the following…
· WS-X6516-GE-TX running at 100Mb, and
· WS-X6148-RJ-45, WS-X6148-RJ-45V, WS-X6148-RJ21, WS-X6148-RJ21V
· WS-X6248-RJ-45, WS-X6248-TEL, WS-X6248A-RJ-45, WS-X6248A-TEL
· WS-X6348-RJ-45, WS-X6348-RJ45V, WS-X6348-RJ-21, WX-X6348-RJ21V
Configuring Jumbo Frames…
The size of the frame on INGRESS is compared to the global LAN MTU size – ingress packets larger than this value are dropped …
(Diagram: Data → Ingress port, MTU=“A” (step 1) → PFC, MTU=“B” (step 2) → Egress port, MTU=“C”)
If MTU of “C” is >= MTU “A” AND the packet’s DO NOT FRAGMENT bit is SET, then DROP packet…
Configuring Jumbo Frames…
Port MTU configuration
Non Default MTU sizes can be configured on Ethernet ports – if this is configured, there are some rules for how packets are switched…
6500(config-if)# flowcontrol ?
receive Configure receiving flow operation
send Configure sending flow operation
(Diagram: Sender and Receiver GE ports on two switches, flow control steps 1 to 3)
Enabling the port debounce timer causes link up and link down detections to be delayed, resulting in loss of traffic during the debounce period. This situation might affect the convergence and reconvergence of some Layer 2 and Layer 3 protocols.
Monitoring Interfaces
Show interface displays a number of statistics about the running operation of that interface…
6500(config)# switchport
The switchport command is used to turn the interface into a Layer 2 interface…
Using the “no switchport” command erases ALL layer 2 configuration for this port and reverts the port back to a Layer 3 port
Using the “ACCESS” mode converts the switchport into a Layer 2 access port
Configuring Access Mode
The output below shows the switchport status of Gigabit Ethernet Port 1/12
6500(config-if)# switchport
6500(config-if)# switchport mode access
6500# show interface g1/12 switchport
Name: Gi1/12
Switchport: Enabled
Administrative Mode: static access Port defined as an access port
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
6500(config-if)# switchport
6500(config-if)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
6500(config-if)#
As data is switched across the VLAN trunk port, it is “colored” or tagged by the port thus identifying it to the receiving switch as belonging to a particular VLAN…
ISL
ISL was the original Cisco specification for “tagging” an Ethernet packet with a VLAN tag.. ISL can support VLAN numbers in the range of 1 to 1024
IEEE 802.1Q
IEEE 802.1Q is a standards based specification for “tagging” the Ethernet packet with a VLAN tag – 802.1Q can support VLAN numbers in the range of 1 - 4094
Understanding Trunk Mode
Some of the Catalyst 6500 modules do not support ISL – these modules include…
- WS-X6148-GE-TX
- WS-X6548-GE-TX
- WS-X6501-10GEX4
- WS-X6502-10GE
Trunk Mode Encapsulation Types
When a layer 2 interface is defined as a Trunk port it must have its encapsulation type defined – that is, whether it is going to be an ISL trunk or an IEEE 802.1Q trunk – this is achieved by setting the trunk encapsulation type on the interface as follows…
(Diagram: SWITCH A and SWITCH B joined by a Trunk Port with the encapsulation mode set to negotiate on both ends; an 802.3 port)
The Native VLAN is also used by the Switch to carry specific protocol traffic like Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), Port Aggregation Protocol (PAGP) and Dynamic Trunking Protocol (DTP), …
802.1Q Native VLAN
The default Native VLAN is always VLAN 1 when the switch first boots up – but can be changed via a configuration command…
The Native VLAN can be defined as any valid VLAN number that is not in the reserved range of VLAN’s
(Diagram: a switch trunk carrying VLAN 1 as the Native VLAN alongside VLAN 10, VLAN 22 and VLAN 137)
The full list of options with this command are displayed below
6500(config-if)# switchport trunk pruning vlan ?
add add VLANs to the current list
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list
The Ethertype field with this feature can be modified to suit any custom Ethertype the customer wishes to use.
For custom Ethertype to work, all ports in the path of the packet must be configured to support this custom Ethertype…
RPR
RPR provides failover generally within 2 to 4 minutes
RPR and RPR+ require BOTH supervisors to be the SAME and both must run the SAME IOS image…
RPR+
RPR+ provides failover generally within 30 to 60 seconds
RPR+ has all RPR features plus the following enhancements
- Reduces switchover time on failover to between 30 and 60 seconds
- Installed linecards are not reloaded
- Support of OIR for redundant Supervisor
- Manual user initiated switchover to the redundant supervisor
Other Important Points
- Static Routes are maintained across a switchover
- FIB tables are cleared on switchover
- CAM Tables are cleared on switchover
- Other state information (i.e. Netflow records) is not maintained on switchover
(Diagram: Catalyst 6500 chassis with Sup720-A, Sup720-B and two PSUs)
6500# conf t
Enter configuration commands, one per line. End with CNTL/Z.
6500(config)# redundancy
6500(config-red)# mode ?
rpr Route Processor Redundancy
rpr-plus Route Processor Redundancy Plus
RPR:  6500(config-red)# mode rpr
RPR+: 6500(config-red)# mode rpr-plus
client count = 11
client_notification_TMR = 30000 milliseconds
keep_alive TMR = 9000 milliseconds
keep_alive count = 0
keep_alive threshold = 18
RF debug mask = 0x0
Physical View: Multiple ports are defined as being part of an Etherchannel group
Logical View: Subsystems running on the switch only see one logical link
From 2 to 8 physical links can exist in a single Etherchannel group on the Catalyst 6500…
An Etherchannel bundle can exist across modules and non contiguous ports…
A maximum of 64 Etherchannel groups can be defined in a 6500 chassis at any one point in time…
ETHERCHANNEL RESTRICTIONS
1. An Etherchannel Group Number must be in the range of 1 to 256
2. All ports in the target Etherchannel group MUST be in the same VLAN
3. If one physical link in the target Etherchannel group is a TRUNK, then all other ports must be
configured as trunks carrying the same VLAN information
4. Any defined broadcast limits must be the same across all ports in an Etherchannel group
5. An LACP Etherchannel group cannot support any physical links in half duplex mode
Mode        Description
ON          Forces a port to be placed in a channel unconditionally. The channel will only be created if another switch port is connected and it is also configured in “ON” mode. When this condition occurs, no negotiation of the channel is performed by the local Etherchannel protocol
AUTO        PAGP mode that will negotiate with another PAGP port ONLY if it receives a PAGP packet – this port will not initiate PAGP communications.
DESIRABLE   PAGP mode that causes port to initiate PAGP negotiation for a channel with another PAGP port.
ACTIVE      LACP mode that causes port to initiate LACP negotiation for a channel with another LACP port.
PASSIVE     LACP mode that will negotiate an LACP channel only if it receives another LACP packet.
Etherchannel Overview
Load Balancing Options…
How does the switch determine which physical link in the Etherchannel bundle to use to
forward the data? Answer – It uses a polymorphic algorithm taking key fields from the header
of the packet to generate a hash to a physical link in the Etherchannel group…
It is good practice to ensure the port is layer 2 by removing any ip address previously
defined on the port
If LACP is used, a system priority can be assigned – the priority can be from 1 to 65536 – the default is 65536 – The command is applied as follows…
6500(config)# lacp system-priority priority
If LACP is used, a port priority can be assigned to the port – the priority can be from 1 to 65536 – the default is 65536 – The command is applied as follows…
6500(config-if)# lacp port-priority priority
The “number” defined in the “interface port-channel” command above should match the “number” used in the “channel-group” command – this binds the Logical SVI to physical ports…
Group: 271
----------
Group state = L2
Ports: 6 Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol: -
<snip>
Port-channel: Po271
------------
(Diagram: Switch A, Switch B, Switch C and Switch D exchanging VTP updates; VLAN 10 defined on Switch A)
For example, information for VLAN 10 defined on Switch A will be propagated via VTP updates to other switches in the same VTP domain… Switch B, C and D will all end up adding VLAN 10 to their local VLAN database
VTP Domain
The VTP domain consists of a group of adjacent connected switches that are part of the same
VTP management domain. A switch can only belong to one VTP domain at any one time – A
switch will drop any VTP updates received from switches in other VTP Domains…
All links joining up switches in a VTP domain must be defined as trunks to exchange VTP
updates…
VTP Domain
Assuming a VTP Domain identity
The VTP domain can be added through configuration or can be learnt from an adjacent VTP switch…
A new switch will default to having no VTP domain – in this mode, when it receives its first VTP update from an adjacent switch, it will become part of the VTP domain identified in the update…
(Diagram: Switch A and Switch B as VTP Clients, Switch C as VTP Transparent, VTP updates passing between them)
The only way to change the VTP domain is to use the CLI to change the domain to another …
(Diagram: ISL/802.1q VLAN ID and ATM Emulated LAN (if applicable) under VTP; Bridge Priority without extended system-id configured… versus Bridge Priority with extended system-id configured…)
STD VLAN 1-1001: Standard Ethernet layer 2 port can be placed in any VLAN
EXTD VLAN 1006 to 4094
INTERNAL VLAN ALLOCATION POLICY: Allocation policy of descending indicates the VLAN’s allocated to layer 3 interfaces will be assigned from 4094 and downwards (4094, 4093, 4092, 4091, …)
Understanding VLAN’s
VLAN Port Types
Switch Ports defined as an access port are placed in a VLAN. They can only belong to one VLAN at a time. Special Switch Ports can be defined as a VLAN Trunk Port which is designed to carry traffic from multiple VLAN’s… Trunk ports tend to be defined for links to other switches or routers…
(Diagram: VLAN 20 and VLAN 30 access ports on two switches joined by a trunk)
Understanding VLAN’s
VLAN Tagging – 802.1Q
802.1Q is an IEEE standard for VLAN Tagging - It is a “one level” tagging mechanism inserting a single tag within the Ethernet frame… Unlike ISL, it supports the full 4096 VLAN numbers…
(Diagram: VLAN 20 and VLAN 30 carried across an 802.1Q trunk between two switches)
Understanding VLAN’s
Mapping Dot1Q to ISL VLAN’s
There may be occasions where a user group is split across a Dot1Q network and an ISL network – in this case, to allow communication between the two disparate groups, VLAN mapping must take place on a switch that bridges the two networks…
(Diagram: Dot1Q network – SWITCH with Map Table – ISL network)
The switch will maintain a map table that maps a Dot1Q VLAN to an ISL VLAN…
Understanding VLAN’s
Mapping Dot1Q to ISL VLAN’s Rules
6500(config-vlan)# mtu ?
<576-18190> Value of VLAN Maximum Tranmission Unit
6500(config-vlan)# name ?
WORD The ascii name for the VLAN
6500(config-vlan)# state
active VLAN Active State
suspend VLAN Suspended State
VLAN Usage
---- --------------------
1006 online diag vlan0
1007 online diag vlan1
1008 online diag vlan2
1009 online diag vlan3
1010 online diag vlan4
1011 online diag vlan5
1012 PM vlan process (trunk tagging)
1013 L3 multicast partial shortcuts for VPN 0
1014 vrf_0_vlan
1016 GigabitEthernet5/1
1018 GigabitEthernet1/1
1019 GigabitEthernet1/13
In this example above, it can be seen that the allocation policy is “Ascending”, that being
the internal VLAN’s have been allocated from 1006 and upwards…
Configuring VLAN’s
Internal VLAN Allocation Policy
If the Internal VLAN allocation policy needs to be changed, then the following command can be used…
6500(config)# vlan internal allocation policy ?
ascending Allocate internal VLAN in ascending order
descending Allocate internal VLAN in descending order
Next the interface can be enabled as a Trunk port – first the VLAN trunk encapsulation must be defined…
For the purposes of this exercise, we will assume a Dot1Q trunk has been defined…
Assuming we want the trunk to initiate negotiation – we would choose the “dynamic” option – dynamic has a further sub category of auto or desirable to finish off the configuration of the trunk port
VLAN’s can also be configured to be pruned from the trunk using the following command
An optional command is the ability to change the default native vlan from 1 to another number for this trunk. The native VLAN can be changed using the following command…
Vlan Id : 1
L2 Unicast Packets : 37602
L2 Unicast Octets : 3701591
L3 Input Unicast Packets : 12025
L3 Input Unicast Octets : 12597999
L3 Output Unicast Packets : 13855
L3 Output Unicast Octets : 1662068
L3 Output Multicast Packets : 0
L3 Output Multicast Octets : 0
L3 Input Multicast Packets : 0
L3 Input Multicast Octets : 0
L2 Multicast Packets : 1942
L2 Multicast Octets : 124312
<snip>
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
3000 enet 103000 1500 - - - - - 0 0
6500#
Private VLAN
The above example shows a single private VLAN with 3 distinct “secondary VLAN’s” within its framework…
What is a Private VLAN…
Elements of a Private VLAN
A Private VLAN contains four elements – the Private VLAN itself – the secondary VLAN’s known as the Community VLAN and Isolated VLAN – and the Promiscuous Port…
To add a switch port into a Private VLAN, the switchport must be added into either a Community VLAN or an Isolated VLAN…
(Diagram: Promiscuous Port at the top of the Private VLAN; Community VLAN A and Community VLAN B below it)
Ports in Community VLAN A can talk to any other ports in the same Community VLAN
Ports in different Community VLAN’s cannot communicate without going through the Promiscuous Port
What is a Private VLAN…
The Isolated VLAN
The Isolated VLAN defines a set of ports that CANNOT communicate at layer 2 with any other port within the Private VLAN (either another Community VLAN port or a port in the same ISOLATED VLAN) – to communicate with other ports it must go through the promiscuous port…
(Diagram: Promiscuous Port; Isolated VLAN A and Community VLAN B)
Orange Ports in Isolated VLAN A CANNOT talk to any other Orange Ports in the same Isolated VLAN
Ports in Isolated VLAN A cannot communicate with other secondary VLAN’s without going through the Promiscuous Port
(Diagram: ACL Rules applied at the Promiscuous Port of a switch carrying Community VLAN A, Community VLAN B and Isolated VLAN E)
6500(config)#vlan 342
6500(config-vlan)#private-vlan primary
Private VLANs can only be configured when VTP is in transparent mode.
(Diagram: PRIMARY VLAN chosen from the VLAN ranges VLAN 1, VLAN’s 2 to 1001, VLAN 1002-1005 and VLAN’s > 1006)
VSPAN: SPAN port ALLOWED – VLAN based SPAN on Primary, Isolated or Community VLAN’s…
(Diagram: switch ports 1, 2, 3, 4 … 12, 13, 25 in a Private VLAN)
If this port is defined as a trunk, then these ports cannot be added into a private VLAN…
If this port is defined as a destination SPAN port, then these ports cannot be added into a private VLAN…
If this port is defined as a promiscuous port, then these ports cannot be added into a private VLAN…
6500(config)#vlan 342
6500(config-vlan)#private-vlan primary
Enter global configuration mode – use the VLAN command to create the VLAN – after entering
VLAN configuration mode – enter the private-vlan primary command to configure primary
VLAN…
The defined primary VLAN can be viewed using the show command above…
6500(config)#vlan 350
6500(config-vlan)#private-vlan community
6500(config)#vlan 360
6500(config-vlan)#private-vlan isolated
The defined VLAN’s can be viewed using the show command below…
**NOTE** - For each secondary VLAN, a primary VLAN number now appears in the immediate
column to the left – indicating the association has been completed…
Private VLAN…
Associating a second Isolated VLAN
As indicated earlier, only one Isolated VLAN can be associated with a primary VLAN – trying to
add a second Isolated VLAN will result in the following error…
The error message above highlights that the system is rejecting the request to add in the
second isolated vlan…
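The private VLAN rules from these slides (community ports talk within their community, isolated ports only to the promiscuous port, one isolated VLAN per primary, VTP transparent mode required) as a small model, added as an example here and not taken from the training module or from Cisco. The VLAN numbers are the ones shown in the configuration above (primary 342, community 350, isolated 360, plus community 351 from the diagram); the port names are constructed.

```python
from typing import Callable, Dict, Optional, Set, Tuple


class PrivateVlan:
    """A primary VLAN, its secondary VLANs, and the switch ports placed in them."""

    def __init__(self, primary: int, vtp_mode: str = "transparent"):
        if vtp_mode != "transparent":
            raise ValueError("Private VLANs can only be configured when VTP is in transparent mode")
        self.primary = primary
        self.community: Set[int] = set()
        self.isolated: Optional[int] = None
        # port name -> (role, secondary VLAN); promiscuous ports carry no secondary VLAN
        self.ports: Dict[str, Tuple[str, Optional[int]]] = {}

    def add_community(self, vid: int) -> None:
        self.community.add(vid)

    def add_isolated(self, vid: int) -> None:
        # Only one isolated VLAN may be associated with a primary VLAN.
        if self.isolated is not None and self.isolated != vid:
            raise ValueError("primary VLAN %d already has isolated VLAN %d"
                             % (self.primary, self.isolated))
        self.isolated = vid

    def add_port(self, name: str, role: str, vid: Optional[int] = None) -> None:
        if role == "promiscuous":
            self.ports[name] = (role, None)
        elif role == "community" and vid in self.community:
            self.ports[name] = (role, vid)
        elif role == "isolated" and vid == self.isolated:
            self.ports[name] = (role, vid)
        else:
            raise ValueError("%s: VLAN %s is not a %s VLAN of primary %d"
                             % (name, vid, role, self.primary))

    def can_talk(self, a: str, b: str) -> bool:
        """Can ports a and b exchange frames at layer 2 inside this private VLAN?"""
        role_a, vid_a = self.ports[a]
        role_b, vid_b = self.ports[b]
        if "promiscuous" in (role_a, role_b):
            return True                   # every host port reaches the promiscuous port
        if role_a == "community" and role_b == "community":
            return vid_a == vid_b         # same community only
        return False                      # isolated ports, or different secondary VLANs


def rejects(action: Callable[[], None]) -> bool:
    """True if the configuration step is refused with a ValueError."""
    try:
        action()
    except ValueError:
        return True
    return False


def build_example() -> PrivateVlan:
    """Primary 342 with community 350 and 351 and isolated 360, as on the slides."""
    pv = PrivateVlan(342)
    pv.add_community(350)
    pv.add_community(351)
    pv.add_isolated(360)
    pv.add_port("Gi1/1", "promiscuous")
    pv.add_port("Gi1/2", "community", 350)
    pv.add_port("Gi1/3", "community", 350)
    pv.add_port("Gi1/4", "isolated", 360)
    pv.add_port("Gi1/5", "isolated", 360)
    pv.add_port("Gi1/6", "community", 351)
    return pv


if __name__ == "__main__":
    pv = build_example()
    print("Gi1/4 -> Gi1/5 (both isolated):", pv.can_talk("Gi1/4", "Gi1/5"))
    print("second isolated VLAN rejected:", rejects(lambda: pv.add_isolated(361)))
```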
(Diagram: Ingress Layer 3 Switched Traffic entering via SVI 342 and reaching VLAN 351, VLAN 352 and VLAN 360)
Customer Network “A” – Service Provider Network (Layer 2 Network) – Customer Network “B”
Customer Network A: VLAN 10, VLAN 20 and VLAN 30 are carried across the Service Provider Network (Layer 2) as VLAN 3515
Customer Network B: VLAN 10, VLAN 20 and VLAN 30 are carried across the Service Provider Network (Layer 2) as VLAN 3516
Packet Format: ETHERTYPE | TAG
This tag adds the VLAN ID for which the port is a part of – in this case, the VLAN ID would be 35….
Understanding 802.1Q Tunnels
Dot1Q Tunnel Frame Format
When the frame is sent from the Distribution Switch into the service provider network, it traverses an 802.1Q tunnel port, so the VLAN tag of the service provider is inserted into the frame…
Flow of traffic: Host → Access Switch (Access Port) → Distribution Switch (Trunk Port) → Tunnel Port
VLAN 35 on the customer side is carried as VLAN 3515 in the service provider network; VLAN 1 is likewise carried as VLAN 3515
6500(config)#vlan dot1q ?
tag tag parameters
- The Layer 3 packet within the Layer 2 frame cannot be identified in tunnel traffic.
- Layer 3 and higher parameters cannot be identified in tunnel traffic (for example, Layer 3
destination and source addresses).
- Because the Layer 3 addresses cannot be identified within the packet, tunnel traffic cannot be
routed.
- The switch can provide only MAC-layer filtering for tunnel traffic (VLAN IDs and source and
destination MAC addresses).
- The switch can provide only MAC-layer access control and QoS for tunnel traffic.
- QoS cannot detect the received CoS value in the 802.1Q 2-byte Tag Control Information field
Understanding 802.1Q Tunnels
Configuration Guidelines
When configuring Dot1Q Tunneling, be aware of the following guidelines…
[Figure: Layer 2 protocol tunnelling – two Edge Switches are joined across a Layer 2 network, and CDP, VTP and STP PDUs from each customer site are carried between them. In the lower example a Host connects via an Access Switch to a Distribution Switch which faces the L2 Network]
In the example above, the policy on the Distribution switch is to allow CDP packets
through but not VTP or STP packets…
[Figure: two switch ports connected across a link – the Total Bandwidth of the link is shown with a PDU Limit applied to the tunnelled protocol traffic]
A shutdown threshold can also be configured which will put the interface into an ERRDISABLE
state if the volume of PDUs goes above the stated shutdown threshold
To tag traffic from the Native VLAN – use the following command …
6500(config-if)#l2protocol-tunnel cdp
Enabling CDP Tunneling
6500(config-if)#l2protocol-tunnel vtp
Enabling VTP Tunneling
6500(config-if)#l2protocol-tunnel stp
Enabling STP Tunneling
Port    Protocol    Shutdown         Drop             Status
                    Threshold        Threshold
                    (cdp/stp/vtp)    (cdp/stp/vtp)
------- ----------- ---------------- ---------------- ----------
Gi1/3   cdp stp --- ----/----/----   ----/----/----   down
6500(config-if)#l2protocol-tunnel drop-threshold ?
<1-4096> Packets/sec rate beyond which protocol packets will be dropped
cdp Cisco Discovery Protocol
stp Spanning Tree Protocol
vtp Vlan Trunking Protocol
Drop thresholds per PDU type can be configured as in the following examples…
6500(config-if)#l2protocol-tunnel drop-threshold vtp 100
Shutdown thresholds per PDU type can be configured as in the following examples…
6500(config-if)#l2protocol-tunnel shutdown-threshold vtp 120
Without Portfast: when a host connects to a switchport, the switch moves the port through all STP states before activating the port.
With Portfast: when a host connects to a switchport, the switch moves the port straight to forwarding – this eliminates the 30 second delay.
STP Extensions
Portfast BPDU Guard
When Portfast is enabled, inadvertently connecting the port into another switch could
compromise the loop free topology – as a Portfast port can still receive and forward BPDUs –
the answer is to use BPDU Guard, which will shut down a Portfast port if a BPDU is received…
[Figure: two three-step sequences of switches with F (forwarding) and B (blocking) port states – the first shows a BPDU arriving on a Portfast port, the second shows an inferior BPDU arriving on a Portfast port]
Portfast can also be enabled globally for all access ports as follows
VLAN0024
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000b.45e3.8080
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
RSTP port states: Discarding, Learning, Forwarding

RSTP Port State   STP Port State   Operational Status   Port in Active Topology?
Discarding        Blocking         Enabled              No
Discarding        Listening        Enabled              No
Learning          Learning         Enabled              Yes
Forwarding        Forwarding       Enabled              Yes
Discarding        Disabled         Enabled              No
- Designated Port – this port type is an active forwarding port that points away from the STP Root to the edge of the network
- Root Port – this port is an active forwarding port pointing back towards the STP Root
- Backup Port – a non forwarding port that backs up a Designated Port
- Alternate Port – a non forwarding port that backs up a Root Port
- Disabled Port – an inactive port
New RSTP BPDU Format
RSTP introduces a slight change to the BPDU format used by 802.1D…
RSTP BPDU fields:
  Protocol ID (2 Bytes)
  Version (1 Byte = "1")
  Message Type (1 Byte)
  Flags (1 Byte)
  Root ID (8 Bytes)
  Path Cost (4 Bytes)
  Bridge ID (8 Bytes)
  Port ID (2 Bytes)
  Message Age (2 Bytes)
  Maximum Age (2 Bytes)
  Hello Time (2 Bytes)
  Forwarding Delay (2 Bytes)
  Version 1 Length (1 Byte)
Flags byte:
  Bit 0 – Topology Change
  Bit 1 – Proposal
  Bit 2-3 – Port Role (00 – Unknown, 01 – Alternate or Backup Port, 10 – Root Port, 11 – Designated Port)
  Bit 4 – Learning
  Bit 5 – Forwarding
  Bit 6 – Agreement
  Bit 7 – Topology Change ACK
[Figure: Switch A (RSTP Enabled) and Switch B (802.1D Enabled) exchanging an RSTP BPDU and an 802.1D BPDU; step 4 is the Agreement]
1. Initiating switch A sends a proposal to switch B indicating its bridge priority and port role
2. Switch B inspects the proposal and ensures the proposal does not conflict with its own port roles
3. Switch B places its port into a state of forwarding
4. Switch B sends an agreement back to switch A
5. Switch A places its port into the forwarding state
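As an added example that is not part of the Cisco module, the code below encodes and decodes the RSTP BPDU layout and flags byte listed above, and models the proposal/agreement steps as two small functions so the flag values exchanged at each step can be checked. Field values are constructed samples; the bridge MAC reuses the address from the page's show spanning-tree output, and the version 2 / type 2 values are the 802.1w ones rather than anything stated on the page.

```python
"""Added example: RSTP BPDU encode/decode and the proposal/agreement handshake."""
import struct

# One 36-byte RSTP BPDU, fields in the order listed on the page.
RSTP_FMT = "!HBBB8sI8sHHHHHB"
assert struct.calcsize(RSTP_FMT) == 36

FLAG_TC, FLAG_PROPOSAL, FLAG_LEARNING = 0x01, 0x02, 0x10
FLAG_FORWARDING, FLAG_AGREEMENT, FLAG_TCA = 0x20, 0x40, 0x80
ROLE_UNKNOWN, ROLE_ALT_BACKUP, ROLE_ROOT, ROLE_DESIGNATED = 0, 1, 2, 3
ROLE_NAMES = {0: "Unknown", 1: "Alternate or Backup Port", 2: "Root Port", 3: "Designated Port"}
FLAG_BITS = {"topology_change": FLAG_TC, "proposal": FLAG_PROPOSAL, "learning": FLAG_LEARNING,
             "forwarding": FLAG_FORWARDING, "agreement": FLAG_AGREEMENT, "topology_change_ack": FLAG_TCA}


def decode_flags(flags: int) -> dict:
    """Split the flags byte into its named bits; bits 2-3 carry the port role."""
    out = {name: bool(flags & bit) for name, bit in FLAG_BITS.items()}
    out["port_role"] = ROLE_NAMES[(flags >> 2) & 0x3]
    return out


def encode_flags(role: int, **bits: bool) -> int:
    """Inverse of decode_flags: role in bits 2-3, the named flags by keyword."""
    value = (role & 0x3) << 2
    for name, on in bits.items():
        if on:
            value |= FLAG_BITS[name]
    return value


def bridge_id(priority: int, sysid_ext: int, mac: bytes) -> bytes:
    """8-byte bridge ID: 4-bit priority + 12-bit system ID extension + 6-byte MAC."""
    return struct.pack("!H", (priority & 0xF000) | (sysid_ext & 0x0FFF)) + mac


def decode_bridge_id(raw: bytes) -> tuple:
    word, = struct.unpack("!H", raw[:2])
    return word & 0xF000, word & 0x0FFF, raw[2:8].hex()


def build_bpdu(flags: int, root: bytes, path_cost: int, bridge: bytes, port_id: int,
               msg_age: int = 0, max_age: int = 20, hello: int = 2, fwd_delay: int = 15) -> bytes:
    """Timers are carried in 1/256 second units; version 2 / type 2 are the 802.1w values."""
    return struct.pack(RSTP_FMT, 0, 2, 2, flags, root, path_cost, bridge, port_id,
                       msg_age * 256, max_age * 256, hello * 256, fwd_delay * 256, 0)


def parse_bpdu(data: bytes) -> dict:
    f = struct.unpack(RSTP_FMT, data[:36])
    return {"protocol_id": f[0], "version": f[1], "type": f[2], "flags": decode_flags(f[3]),
            "root": decode_bridge_id(f[4]), "path_cost": f[5], "bridge": decode_bridge_id(f[6]),
            "port_id": f[7], "message_age": f[8] / 256, "max_age": f[9] / 256,
            "hello_time": f[10] / 256, "forward_delay": f[11] / 256, "version1_length": f[12]}


def respond_to_proposal(proposal_flags: int, proposal_is_superior: bool) -> int:
    """Steps 2-4 above: B checks the proposal against its own roles; if it accepts,
    its port becomes the root port, goes forwarding and B replies with agreement."""
    if not decode_flags(proposal_flags)["proposal"] or not proposal_is_superior:
        return 0                                   # nothing to agree to
    return encode_flags(ROLE_ROOT, forwarding=True, learning=True, agreement=True)


def proposal_complete(agreement_flags: int) -> bool:
    """Step 5: A moves its port to forwarding only once an agreement has come back."""
    return decode_flags(agreement_flags)["agreement"]


# Constructed sample: switch A's designated port proposing to switch B
MAC_A = bytes.fromhex("000b45e38080")
SAMPLE_PROPOSAL = build_bpdu(
    encode_flags(ROLE_DESIGNATED, proposal=True, learning=True, forwarding=True),
    bridge_id(32768, 24, MAC_A), 0, bridge_id(32768, 24, MAC_A), 0x8001)

if __name__ == "__main__":
    print(parse_bpdu(SAMPLE_PROPOSAL)["flags"])
```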
RSTP with PVST+
Per VLAN Spanning Tree (PVST+) allows the definition of a spanning tree instance per VLAN –
Normal PVST+ mode relies on the use of the older 802.1D STP to reconverge the STP domain
in the case of a link failure – Rapid PVST allows the use of 802.1w with Cisco’s PVST providing
for much faster convergence
[Figure: three switches in a triangle running a single instance of STP, with one link blocked]
Each STP instance uses the 802.1w algorithm to reconverge the network in case of a link failure
The problem with running a single instance of STP is that any blocked link is unable to actively
participate in the forwarding of data – thus it becomes a wasted resource…
[Figure: the same three switches with one STP instance per VLAN (VLAN A and VLAN B), each blocking a different link]
In this mode, each VLAN has its own active forwarding path, so all links can be utilized for
forwarding data – however, each link still provides a backup path for its respective VLAN…
Each STP instance sees its own set of forwarding paths and backup links..
MST Region
An MST Region defines a boundary within which a single instance of Spanning Tree operates –
there can be multiple regions that exist on a switch at one time… Up to 16 instances can run
on a switch identified by the numbers 0 through 15
[Figure: MST Region A – a switch mapping VLAN 3, VLAN 10, VLAN 43, VLAN 29 and VLAN 77 onto MST instances]
Instance 0 is mandatory and is always present – other instances are optional –
each instance typically maps to a VLAN or set of VLANs
- Edge Port – an edge port is one that connects to a non bridging device – a port that connects to a hub is also considered an edge port
- Boundary Port – a Boundary Port is one that connects to a designated bridge that belongs to a single spanning tree instance or another MST instance
[Figure: switches and a Host illustrating an Edge Port and a Boundary Port between MST Region A and MST Region B]
MST Configuration
Configuration of MST is built around three parts…
1. Each MST instance needs to be configured with a name up to 32 bytes in length
2. Each MST instance needs a revision number (16 bits) identifying the revision of the current configuration
3. A configuration table identifying the VLANs mapped to this MST instance
[Figure: a Switch with VLAN 10 (MAC A, MAC B, MAC C) and VLAN 20 (MAC D, MAC E, MAC F)]
Host B will respond to the TCP SYN with a SYN ACK – this acknowledges that it received the
SYN request – at this stage, Host B holds a temporary entry in memory indicating it is about to
start a TCP session…
[Figure: step 2 – Host B sends a TCP SYN ACK packet to Host A]
Host A responds to Host B’s TCP SYN ACK with a TCP ACK – now the session is ready to
start and data can flow between the two hosts…
[Figure: step 3 – Host A sends a TCP ACK packet to Host B]
TCP Flow in more detail
TCP SYN Packet
[Figure: Host A sends a TCP SYN packet to Host B]
If Host A were to keep sending TCP SYN requests to Host B (known as SYN Flooding), it
could ultimately cause Host B to consume all its memory resources for holding state
information about impending TCP sessions and possibly compromise the operation of that
host…
[Figure: an imaginary client issuing fake TCP SYNs through a Switch to a Server]
Without TCP Intercept, TCP sessions can flow freely between hosts
[Figure: with TCP Intercept on the Switch, the imaginary client's SYNs are intercepted before they reach the Server]
This allows the TCP Intercept code to drop subsequent SYN requests from unreachable
hosts thus protecting the server from flooding
Intercept mode: this mode actively intercepts incoming SYN requests and waits for the ACK – when the ACK is received, it sends the original SYN to the destination and joins the two half connections.
Watch mode: TCP SYN requests are allowed to pass through, and are watched until the session is established. If no session is established within 30 seconds, a TCP reset is sent to the originator.
[Figure: Server, Switch and imaginary client]
By default, the software drops the oldest connections, but it can be changed to drop
random connections…
TCP Intercept Drop Mode Thresholds
Internally the TCP Intercept feature uses a high and low threshold to determine when to start
and stop its aggressive drop behavior for incomplete sessions…
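Added example (not Cisco's implementation): a small model of the TCP Intercept watch behaviour and drop thresholds described above. Half-open connections are tracked as SYNs pass through, an entry not completed within the watch timeout is expired with a reset to the originator, and once the number of incomplete connections passes a high-water mark the oldest (or a random) entry is dropped until the count falls below the low-water mark. The 30 second default is the one quoted on the page; the threshold values, addresses and ports are constructed for the demonstration.

```python
"""Added example: TCP Intercept watch mode with high/low drop thresholds."""
import random
from collections import OrderedDict


class TcpInterceptWatch:
    def __init__(self, watch_timeout: float = 30.0, high: int = 1100, low: int = 900,
                 drop_mode: str = "oldest", seed: int = 0):
        self.watch_timeout, self.high, self.low = watch_timeout, high, low
        self.drop_mode = drop_mode          # "oldest" (default) or "random"
        self.rng = random.Random(seed)
        self.half_open = OrderedDict()      # (src, dst) -> time the SYN was seen, oldest first
        self.aggressive = False
        self.events = []                    # what the feature would do, as text

    def _drop_one(self) -> None:
        if self.drop_mode == "oldest":
            key = next(iter(self.half_open))
        else:
            key = self.rng.choice(list(self.half_open))
        del self.half_open[key]
        self.events.append(f"dropped incomplete {key[0]} -> {key[1]}")

    def _update_mode(self) -> None:
        """Hysteresis: aggressive above the high threshold, back to normal below the low one."""
        n = len(self.half_open)
        if n > self.high:
            self.aggressive = True
        elif n < self.low:
            self.aggressive = False

    def syn(self, src: tuple, dst: tuple, now: float) -> None:
        """The SYN passes through; remember it as a half-open session."""
        self.half_open[(src, dst)] = now
        self._update_mode()
        while self.aggressive and len(self.half_open) > self.high:
            self._drop_one()

    def ack(self, src: tuple, dst: tuple) -> bool:
        """Third packet of the handshake: the session is established, stop watching it."""
        return self.half_open.pop((src, dst), None) is not None

    def tick(self, now: float) -> list:
        """Expire sessions not completed within the watch timeout; a TCP reset goes
        to the originator of each. Returns the originators reset on this tick."""
        expired = [k for k, t in self.half_open.items() if now - t >= self.watch_timeout]
        for key in expired:
            del self.half_open[key]
            self.events.append(f"reset sent to {key[0][0]}:{key[0][1]}")
        self._update_mode()
        return [k[0] for k in expired]


def watch_timeout_demo() -> list:
    """Constructed: one client completes its handshake, one never does."""
    tcpi = TcpInterceptWatch(watch_timeout=30)
    server = ("10.5.1.1", 80)
    tcpi.syn(("192.168.1.10", 40001), server, now=0)
    tcpi.syn(("192.168.1.11", 40002), server, now=1)
    tcpi.ack(("192.168.1.10", 40001), server)      # completed shortly after its SYN
    return tcpi.tick(now=31)                        # 40002 is still half-open after 30 s


def aggressive_mode_demo() -> dict:
    """Constructed low thresholds so the drop behaviour is visible with a handful of SYNs."""
    tcpi = TcpInterceptWatch(high=3, low=1, drop_mode="oldest")
    server = ("10.5.1.1", 80)
    for i in range(5):
        tcpi.syn(("203.0.113.%d" % i, 50000 + i), server, now=i)
    return {"tracked": len(tcpi.half_open), "aggressive": tcpi.aggressive,
            "dropped": [e for e in tcpi.events if e.startswith("dropped")]}


if __name__ == "__main__":
    print(watch_timeout_demo())
    print(aggressive_mode_demo())
```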
[Figure: a FWD Table listing Network B and Network D against the interfaces they are reached through]
URPF does a reverse path lookup for packets to ensure their source IP addresses are known
and installed in the local forwarding table – packets with unknown IP source addresses are
dropped
Multipath URPF Check
The Sup720 can perform multi-path URPF checks in hardware. If a network can be reached
through more than one interface, a multi-path forwarding entry is entered into the forwarding
table. The URPF feature can look up two paths for the same source network in hardware.
[Figure: a source network reachable via two next hops, 10.1.1.1 and 10.1.1.2]
Four methods:
- Strict Unicast Reverse Path Forwarding Check
- Strict Unicast Reverse Path Forwarding Check with allow default
- Loose Unicast Reverse Path Forwarding Check
- Loose Unicast Reverse Path Forwarding Check with allow default
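Added example, not Cisco code: a software model of the four checks listed above, run against a constructed forwarding table. The table uses the interfaces and networks from this page's figures (10.5.1.0/24 behind G1/1, 192.168.1.0/24 behind G3/1, everything else via G2/1) plus an assumed multipath prefix 172.16.0.0/16 reachable through both G1/1 and G3/1, so the multi-path case from the paragraph above can be exercised. The sample packets, including the spoofed sources, are constructed.

```python
"""Added example: strict/loose unicast RPF with allow-default and a multipath entry."""
import ipaddress

# Constructed forwarding table: prefix -> set of outgoing interfaces; longest match wins.
FIB = {
    ipaddress.ip_network("10.5.1.0/24"): {"G1/1"},
    ipaddress.ip_network("192.168.1.0/24"): {"G3/1"},
    ipaddress.ip_network("172.16.0.0/16"): {"G1/1", "G3/1"},   # assumed multipath entry
    ipaddress.ip_network("0.0.0.0/0"): {"G2/1"},               # default route, Rest of Network
}


def lookup(src_ip: str, fib: dict = FIB) -> tuple:
    """Longest-prefix match; returns (matched_prefix, interfaces) or (None, set())."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best.prefixlen):
            best = prefix
    return best, (fib[best] if best is not None else set())


def urpf_check(src_ip: str, ingress_if: str, mode: str = "strict",
               allow_default: bool = False, fib: dict = FIB) -> bool:
    """True if the packet passes the reverse-path check and may be forwarded.
    strict: the source must be reachable through the ingress interface (any of
            the interfaces of a multipath entry is acceptable).
    loose:  the source only has to be reachable through some interface.
    Without allow-default, a match on 0.0.0.0/0 does not count as reachable."""
    prefix, interfaces = lookup(src_ip, fib)
    if prefix is None:
        return False
    if prefix.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return ingress_if in interfaces
    raise ValueError("mode must be 'strict' or 'loose'")


def dropped_sources(packets: list, mode: str, allow_default: bool = False) -> list:
    """Apply the check to (src_ip, ingress_if) pairs; returns the sources that fail."""
    return [src for src, ifc in packets if not urpf_check(src, ifc, mode, allow_default)]


# Constructed sample traffic; the last two entries arrive on the wrong interface
SAMPLE = [("10.5.1.7", "G1/1"), ("172.16.4.4", "G3/1"), ("198.51.100.9", "G2/1"),
          ("192.168.1.9", "G1/1"), ("10.5.1.200", "G3/1")]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        for allow in (False, True):
            print(mode, "allow-default" if allow else "", dropped_sources(SAMPLE, mode, allow))
```

The multipath entry is what makes the strict check accept 172.16.4.4 on G3/1; with a single-path entry for that prefix the same packet would be dropped, which is the case the hardware lookup of two paths described above avoids.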
[Figure: URPF examples – the Switch has INT G1/1 (10.1.1.1) facing network 10.5.1.0/24, INT G3/1 (10.2.1.1) facing network 192.168.1.0/24 and INT G2/1 (10.5.1.1) facing the Rest of Network; Data packets arrive from the 10.5.1.0/24 side and are checked by the MSFC]
Default time for TCP Intercept in “Watch” mode is to wait for 30 seconds – this time can be
changed as follows…
6500(config)# ip tcp intercept watch-timeout ?
<1-2147483> Timeout in seconds
Default time for TCP Intercept in “Intercept” mode to maintain an inactive session is 24 hours
– this default time can be changed as follows
6500(config)# ip tcp intercept connection-timeout ?
<1-2147483> Timeout in seconds
If the Interface group option is chosen above, then the interface group needs to be configured
as follows
6500(config)# mls ip cef rpf interface-group ?
<0-3> interface group number
Actual interfaces need to be assigned to the interface group and could be done as shown in
the following example (assuming it is being applied on a GE interface)
6500(config)# mls ip cef rpf interface-group 0 gigabitEthernet ?
<1-6> GigabitEthernet interface number
[Figure: ACL Rules applied between Subnet A and Subnet B]
VACL applied to traffic bridged within a VLAN – uses PERMIT and DENY statements on L2, L3 and L4
header information to determine what is passed and dropped…
[Figure: a packet routed by the MSFC from VLAN 10 to VLAN 20 – (1) Input VACL on the VLAN 10 L2 interface, (4) Output VACL on the VLAN 20 L2 interface]
VLAN Access Map
A VLAN Access Map defines the VACL and is applied to a VLAN interface – its configuration is
used to define a match statement (matching incoming traffic against a given ACL list) and
action statement (what to do with the packet)…
VLAN Access Map Example:
vlan access-map RULE1 1
 match blah blah
 action blah blah
[Figure: a Switch with a VACL Capture Port sending copied traffic to a Network Analysis Module or an Intrusion Detection Module as the capture destination]
At the conclusion of building the VLAN access map, you are placed into VLAN access
map configuration mode
6500(config-access-map)# match ip ?
address Match IP address to access control.
Here the example is matching against a previously defined ACL numbered 101, indicating
it is an IP extended ACL…
With capture statement, you can optionally define the VLAN’s allowed to be sent to this port
January 2004
Catalyst 6500
Technical Training
CHAPTER 20: RP Rate Limiters
[Figure: the MSFC Route Processor and its Routing Tables, with packet paths numbered 1 to 6 between The Network, the Linecards and the MSFC]
RP Rate Limiters
Why Rate Limiters
[Figure: RP rate limiters protecting the RP from punted traffic (ACL Output, IP Errors, IP Features) arriving from Host A on the interfaces]
IP Errors: IP frames with errors inherent in the packet – like checksum errors or length errors – are sent to the RP for processing
IP Features: when some IP Features are enabled, they are processed by the RP – traffic processed by features like NBAR, accounting, IPSec, etc is protected by this rate limiter
L2 Protocol Tunnel: Layer 2 Protocol Tunneling requires RP processing – this RP rate limiter protects against high
loads of L2PT traffic…
TTL (Time to Live) is a means to stop IP packets perpetually being forwarded. On its
journey from source to destination, a packet's TTL value is decremented by 1. IP
packets with a TTL set to 1 require RP processing
Connected: this rate limits packets from directly connected Multicast Sources (punted to the MSFC)
Partial / FIB Miss: Multicast packets with no FIB entries are punted to the RP for processing
The port security feature is used to restrict input to an interface on the 6500 by limiting and
identifying MAC addresses of the workstations that are allowed to access the port
[Figure: a Switch with Port 1 and Port 2 – MAC A is permitted on Port 1 and MAC G on Port 2]
A table is maintained by the switch identifying which MAC addresses can access which local switch ports
6500(config-if)# switchport
6500(config-if)# switchport mode access
The actual MAC address you want to secure on the port can be defined as follows
6500(config-if)# switchport port-security mac-address ?
H.H.H 48 bit mac address
Use the aging feature to remove and add hosts without manually deleting the existing secure
MAC addresses while still limiting the number of secure addresses on a port
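Added example (not the switch's own code): a model of the port-security behaviour described above, with a per-port table of secure MAC addresses, a maximum count, statically configured and dynamically learned entries, inactivity aging and a violation action when an unknown address appears once the table is full. The MAC addresses, timings and limits are constructed sample values; the action names (protect, restrict, shutdown) are the IOS keywords.

```python
"""Added example: port security secure-MAC table with aging and violation actions."""
from typing import Optional


class SecurePort:
    def __init__(self, maximum: int = 1, violation: str = "shutdown",
                 aging_time: Optional[float] = None):
        self.maximum, self.violation, self.aging_time = maximum, violation, aging_time
        self.secure = {}            # mac -> {"static": bool, "last_seen": float or None}
        self.errdisabled = False
        self.violations = 0

    def configure_mac(self, mac: str) -> None:
        """switchport port-security mac-address H.H.H – a static secure address."""
        if len(self.secure) >= self.maximum and mac not in self.secure:
            raise ValueError("maximum secure addresses reached")
        self.secure[mac] = {"static": True, "last_seen": None}

    def _age_out(self, now: float) -> None:
        """Inactivity aging: learned (non-static) entries idle for aging_time are removed,
        which is how hosts come and go without the secure entries being deleted by hand."""
        if self.aging_time is None:
            return
        for mac in [m for m, e in self.secure.items()
                    if not e["static"] and now - e["last_seen"] >= self.aging_time]:
            del self.secure[mac]

    def ingress(self, src_mac: str, now: float = 0.0) -> str:
        """What happens to a frame from src_mac: forwarded, learned, dropped or errdisable."""
        if self.errdisabled:
            return "errdisable"
        self._age_out(now)
        entry = self.secure.get(src_mac)
        if entry is not None:
            if not entry["static"]:
                entry["last_seen"] = now
            return "forwarded"
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = {"static": False, "last_seen": now}
            return "learned"
        # table full and the address is unknown: a violation
        self.violations += 1
        if self.violation == "shutdown":
            self.errdisabled = True        # port goes to err-disabled until recovered
            return "errdisable"
        return "dropped"                   # protect and restrict both drop; restrict also counts


def demo() -> dict:
    """Constructed scenario: max 2 addresses, one static, inactivity aging of 60 s."""
    port = SecurePort(maximum=2, violation="restrict", aging_time=60)
    port.configure_mac("0000.0c11.aaaa")
    seq = [("0000.0c11.aaaa", 0), ("0000.0c11.bbbb", 1), ("0000.0c11.cccc", 2),
           ("0000.0c11.cccc", 70), ("0000.0c11.bbbb", 71)]
    return {"results": [port.ingress(mac, t) for mac, t in seq],
            "violations": port.violations}


if __name__ == "__main__":
    print(demo())
```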
[Figure: Host A sends a Broadcast (1) into the Switch, which floods it out to hosts B, C and D (2, 3, 4)]
High volumes of this traffic can impact bandwidth availability and impact network performance
– so a way to limit this traffic type is required
Understanding Storm Control
Traffic Storm Control allows the definition of a set amount of “storm” traffic to be forwarded out
a target port. The switch monitors outgoing “storm” traffic at 1 second intervals comparing the
volume of storm traffic with the configured level that this port can forward. Traffic in excess of
the configured limit is dropped…
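Added example (not Cisco's port ASIC logic): a model of the storm control behaviour described above. Frames are classified as broadcast, multicast or unicast from their destination MAC, the count of each type is compared with a configured level at 1 second intervals, and anything beyond the level within that interval is dropped and counted as a suppression discard. The levels here are expressed as frames per interval, and the sample frame stream is constructed for the demonstration.

```python
"""Added example: per-type storm control evaluated in 1 second intervals."""
from collections import Counter


def traffic_type(dst_mac: bytes) -> str:
    """Broadcast is ff:ff:ff:ff:ff:ff; multicast has the I/G bit (LSB of the first octet) set."""
    if dst_mac == b"\xff" * 6:
        return "broadcast"
    if dst_mac[0] & 0x01:
        return "multicast"
    return "unicast"


class StormControl:
    """levels: frames allowed per 1 second interval per type; a type with no level is unlimited."""

    def __init__(self, levels: dict):
        self.levels = levels
        self.discards = Counter()      # per type, like TotalSuppDiscards in the show output
        self._interval = None
        self._seen = Counter()

    def frame(self, dst_mac: bytes, timestamp: float) -> bool:
        """Return True if the frame is forwarded, False if it is suppressed."""
        interval = int(timestamp)                   # 1 second buckets
        if interval != self._interval:              # new interval: counters restart
            self._interval, self._seen = interval, Counter()
        kind = traffic_type(dst_mac)
        self._seen[kind] += 1
        limit = self.levels.get(kind)
        if limit is not None and self._seen[kind] > limit:
            self.discards[kind] += 1
            return False
        return True


def run(frames: list, levels: dict) -> dict:
    """Feed (dst_mac, timestamp) pairs, in time order, through storm control."""
    sc = StormControl(levels)
    forwarded = sum(1 for dst, t in sorted(frames, key=lambda f: f[1]) if sc.frame(dst, t))
    return {"forwarded": forwarded, "discards": dict(sc.discards)}


BCAST = b"\xff" * 6
MCAST = bytes.fromhex("01005e000001")        # IPv4 all-hosts multicast MAC
UCAST = bytes.fromhex("000b45e38080")

# Constructed storm: 150 broadcasts in second 0, 50 in second 1, plus some multicast/unicast
SAMPLE = ([(BCAST, i / 200) for i in range(150)]
          + [(BCAST, 1.0 + i / 100) for i in range(50)]
          + [(MCAST, 0.5)] * 20 + [(UCAST, 0.6)] * 30)
LEVELS = {"broadcast": 100, "multicast": 10}   # unicast left unlimited

if __name__ == "__main__":
    print(run(SAMPLE, LEVELS))
```

With these levels the 150 broadcasts in the first second give 50 discards and the 20 multicasts give 10, while the 50 broadcasts in the next second are all within the limit, which is the per-interval comparison the paragraph above describes.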
[Figure: Flow of data through the Switch – Data within the limit is forwarded, data in excess of the limit is dropped]
[Graph: Number of Packets or Bytes against Time (0 to 4 seconds) with the Threshold line – traffic above the threshold in each 1 second interval is dropped]
Understanding Storm Control
There are certain linecards that do not support Storm Control – for these modules, this feature
was not implemented in the Port ASIC hardware – these modules include the WS-X6148-GETX and the WS-X6548-GETX
Broadcast suppression can be applied on all LAN ports; multicast suppression can only be applied on Gigabit Ethernet ports; unicast suppression can only be applied on Gigabit Ethernet ports
All three types of suppression can be configured on the same port at the same time
6500(config-if)# storm-control ?
broadcast Broadcast address storm control
multicast Multicast address storm control
unicast Unicast address storm control
Port TotalSuppDiscards
Gi1/9 1033
Port TotalSuppDiscards
Gi1/9 12
Port TotalSuppDiscards
Gi1/9 204
6500#
[Figure: Data enters the Switch and is examined by the Policy Feature Card (PFC) to derive its Priority]
Note: The Class of Service field is located within the VLAN tag (ISL or 802.1Q)
[Figure: Ethernet Header and IPv4 Header with the ToS byte shown as bits 1 0 1 0 0 0 0 0]
IP Precedence has been in use for many years
Uses first 3 most significant bits of ToS field
2^3 (2 to the power of 3) yields 8 different priorities
0 is lowest priority
7 is highest priority
Understanding PFC QoS
The basics – ToS and DSCP
Differentiated Services Code Point (DSCP) uses 6 bits in the ToS to represent the priority of
the packet – this provides a more granular form of prioritization over what IP Precedence
offers…
[Figure: IPv4 Header with the ToS byte shown as bits 1 0 1 0 0 0 0 0 – the first six bits form the DSCP]
DSCP is a more recent innovation
Uses first 6 most significant bits of ToS field
2^6 (2 to the power of 6) yields 64 different priorities
0 is lowest priority
63 is highest priority
QoS in the Catalyst 6500
QoS processing occurs in three different places in the Catalyst 6500 – these are highlighted
below…
[Figure: the three QoS processing points in the switch, numbered 1 to 3]
Understanding Ingress QoS
The Elements - Setting Trust
When an incoming packet is already marked with a priority, the switch must decide whether
to keep this setting or change it – it determines this based on the port's trust setting
Trust settings define what to do with the priority setting in the incoming packet
NOTE: The value of the CoS and ToS may differ on egress depending on map settings
The concept of maps is discussed later
[Figure: a Switch with an Untrusted Port (Default CoS = 0) and a Trusted Port (Default CoS = 2)]
EXTENDED Trust: set to mark down the CoS value to 0 (in fact the marked down value can be any value the administrator chooses)
Trusted Port: trusted ports that are not Dot1Q trunk ports will also use the default port CoS
Understanding Ingress QoS
The Elements – Ingress Priority to DSCP Maps
The switch uses an “Internal DSCP” value to assign service levels to the frame as it transits
the switch. This internal DSCP is derived from the ingress CoS or IP Precedence value and
uses a CoS to DSCP map to derive that value…
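Added example (not from the Cisco module): working with the ToS byte as described on the preceding ToS/DSCP slides and deriving the internal DSCP as this paragraph describes. It extracts IP Precedence (3 bits) and DSCP (6 bits) from a raw IPv4 header and applies a CoS-to-DSCP or IP-Precedence-to-DSCP map according to the trust setting. The sample header is constructed with the 1010 0000 bit pattern shown on the page; the map contents (CoS n to DSCP 8n) are the IOS defaults and are stated here as an assumption of this example rather than something the page spells out.

```python
"""Added example: ToS byte fields and trust-driven derivation of the internal DSCP."""
import struct


def ip_precedence(tos: int) -> int:
    """First 3 most significant bits of the ToS byte: 0 (lowest) to 7 (highest)."""
    return (tos >> 5) & 0x7


def dscp(tos: int) -> int:
    """First 6 most significant bits of the ToS byte: 0 (lowest) to 63 (highest)."""
    return (tos >> 2) & 0x3F


def tos_byte(dscp_value: int, ecn: int = 0) -> int:
    """Rebuild the byte; the last 2 bits are ECN and carry no priority."""
    return ((dscp_value & 0x3F) << 2) | (ecn & 0x3)


def tos_from_ipv4_header(header: bytes) -> int:
    """ToS is the second byte of the IPv4 header, after version/IHL."""
    version_ihl, tos = struct.unpack("!BB", header[:2])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return tos


# Default maps used when a port trusts CoS or IP precedence (IOS defaults, assumed here)
COS_TO_DSCP = {cos: cos * 8 for cos in range(8)}          # 0, 8, 16, ..., 56
IPPREC_TO_DSCP = {prec: prec * 8 for prec in range(8)}
DSCP_TO_COS = {d: d // 8 for d in range(64)}


def internal_dscp(trust: str, cos: int = 0, tos: int = 0) -> int:
    """Derive the internal DSCP from the port's trust setting and the ingress markings."""
    if trust == "cos":
        return COS_TO_DSCP[cos]
    if trust == "ip-precedence":
        return IPPREC_TO_DSCP[ip_precedence(tos)]
    if trust == "dscp":
        return dscp(tos)
    raise ValueError("trust must be cos, ip-precedence or dscp")


# Constructed 20-byte IPv4 header whose ToS byte is 1010 0000 (the bit pattern on the page)
SAMPLE_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0b1010_0000, 20, 0, 0, 64, 6, 0,
                            bytes([10, 5, 1, 7]), bytes([192, 168, 1, 9]))

if __name__ == "__main__":
    tos = tos_from_ipv4_header(SAMPLE_HEADER)
    print(f"tos=0x{tos:02x} precedence={ip_precedence(tos)} dscp={dscp(tos)}")
```

The same ToS byte reads as IP Precedence 5 or DSCP 40, which is the extra granularity the DSCP slide refers to: the three precedence bits are the top three of the six DSCP bits.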
If Trust CoS – use the CoS to DSCP Map; if Trust IPPREC – use the IPPREC to DSCP Map
[Figure: an Input Port with a Strict Priority (SP) Queue and a Normal Queue; the Normal Queue has Drop Threshold 1 and Drop Threshold 2]
- Frames marked with CoS=5 are placed into the SP Queue if one is present
- Frames with other CoS values are placed into the Normal Queue
- Within the Normal queue, drop thresholds are used to indicate which CoS tagged packets can be dropped once the queue has filled beyond a certain threshold
[Graph: Mark Probability / Drop Rate against queue fill, with Threshold 1 and Threshold 2 marked]
- As soon as Threshold 1 is hit – packets are randomly dropped based on CoS 0, 1 values
- As soon as Threshold 2 is hit – CoS 2 and 3 packets are randomly dropped – but it will drop more CoS 1,0 than 2,3
Understanding Ingress QoS
Scheduling – CoS to Threshold mapping
After ingress packets are placed into a queue, the congestion avoidance mechanism (Tail
Drop or WRED) will use a CoS to threshold map to determine what frames are eligible to be
dropped when a threshold is breached.
[Figure: Ingress Port with Queue 1 and Queue 2, each with Threshold 1 and Threshold 2]
CoS <> Threshold Map:
CoS Value   Queue   Threshold
0           1       1
1           1       1
2           1       2
3           1       2
4           2       1
5           2       1
6           2       2
7           2       2
[Graph: token bucket fill (Burst bytes down to zero bytes) over intervals T1 to T4, refilled at the configured Rate]
The 6500 has a fixed time interval of 1/4000th of a second – this is hardware enforced
Understanding PFC QoS
The Elements - Policing
Token Bucket replenishment is an important part of the policing equation –the number of
tokens that are replaced in the bucket is calculated as follows…
[Figure: the PFC token bucket, with the four quantities below numbered 1 to 4]
1. BURST defines the number of packets that can arrive in a given time interval
2. The number of packets that can be sent within a given time interval is known as the RATE
3. The replenishment rate of the token bucket is calculated by dividing the RATE in bits per second by the interval
4. Depth – the depth of the token bucket is equal to the BURST in bits per second
This command example states a policed rate of 100Mb/sec – the rest is calculated as follows…
1. REPLENISHMENT RATE every 1/4000th of a second = RATE / Interval = 100,000,000 / 4000 = 25,000 tokens every 1/4000th of a second
2. Bucket Depth = BURST = 26,000 tokens
Understanding PFC QoS
Policing example
Assume arrival rate is 1 Gb/sec (full line rate on a GE port)
Arrival rate per interval in bits = 1,000,000,000 / 4000 = 250,000
Assume constant arrival rate of 64 byte packets
Excess tokens discarded
Use Policer from previous page
As more time intervals pass, the statistical forwarded average gets a lot closer to the stated
rate
Understanding PFC QoS
Types of Policers - Aggregate
The Sup720 supports the Aggregate policer which can be applied on a port, a group of ports,
a VLAN or a group of VLAN’s – when applied to multiple ports or VLAN’s, the policed rate for
all traffic across those ports is limited to the stated policed rate…
[Figure: a Switch with Aggregate 1 applied to a port and Aggregate 2 applied to a VLAN]
An AGGREGATE applies a policing rule to a PORT (i.e. Aggregate 1) or VLAN (i.e. Aggregate 2) –
it polices all the traffic coming into the Port or VLAN and applies the policed rate to that
traffic
[Figure: Egress Traffic leaving the Switch – INPUT and OUTPUT sides shown]
NOTE: Egress policers can only be applied to VLAN’s or Routed Interfaces due to the fact that
when the egress policing function is performed, the physical egress port is not known – the
only known factor is the VLAN ID (found in the internal header) – Both a VLAN interface and a
routed interface have a VLAN Identifier (Routed interfaces have an internal VLAN assigned to
them)
Understanding PFC QoS
Types of Policers – User Based Rate Limiting
Three types of Global Flow Masks that can be stored on Sup1a/2 in the Netflow table…
- Destination-Only IP (default)
- Source-Destination IP
- Full-flow (Src IP, Dst IP, Protocol, Src Port, Dst Port) – Microflow policing uses full flow
This new facility increases the capacity of Sup720 to store more entries in its Netflow
table… It allows different features that use the Netflow table to use different masks (i.e. IOS
SLB, NDE, TCP Intercept, Reflexive ACLs, WCCP and CBAC)
Understanding PFC QoS
Types of Policers – User Based Rate Limiting
Policy Map – a Policy Map can contain up to 255 class maps
Class Map – refers to a set of classification criteria for the following action criteria
Policing/Trust actions – action settings for trust and policing
The application of a policy map to an interface is done using the "SERVICE POLICY" command – this binds the Policy map and its classification and action criteria to the interface
With Port Based QoS, Policy maps are applied to a physical switch interface – the Policy Map manages traffic only on that switchport.
With VLAN Based QoS, the Policy map is applied to the VLAN interface and traffic through all associated Switch ports is managed by that Policy Map.
Understanding Egress QoS
Queue Structures
The Queue structures used on egress ports are categorized as follows…
[Figure: Transmit Queue on an Egress Port – Threshold 1 covers CoS 0, 1, 2, 3 and Threshold 2 covers CoS 4, 5, 6, 7; the Drop Rate rises as each threshold is crossed]
Understanding Egress QoS
Preserving Received ToS Byte
During normal switch operation, the internal DSCP is used to derive the egress ToS byte – in
some cases based on mappings and trust settings, the egress ToS can change from the
original ingress ToS – this feature allows the ingress ToS to remain intact in the egress frame
[Figure: the ingress ToS is carried through the Switch unchanged into the egress frame]
Egress DSCP Mutation Map (DSCP = D1D2, i.e. if DSCP = 34 then D1 = 3, D2 = 4):
D1\D2   0   1   2   3   4   5   6   7   8   9
0      00  01  02  03  04  05  06  07  08  09
1      10  11  12  13  14  15  16  17  04  19
2      20  21  22  23  24  16  26  27  28  29
3      30  31  32  08  34  35  36  37  38  39
4      40  41  42  43  44  45  46  47  48  49
5      50  51  52  53  54  55  56  57  58  59
6      60  61  62  63
The settings that take effect when QoS is enabled are detailed at the following URL
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/qos.htm#1369514
Configuring PFC QoS
Preserving Incoming ToS
To preserve the incoming ToS on the egress packet, IP DSCP rewrite must be disabled from
its default enabled state - this is done in global configuration mode as follows
If the port is set to Untrusted, it will use the default Port CoS to tag the packet – the Default
Port CoS will initially be set to Zero – if this value needs to be changed, it can be achieved
using the following command
The CoS value used for this trust setting is unique to that interface – other extended trust
values can be set for other interfaces
By default, Microflow policing is enabled for routed (Layer 3 switched) traffic only – Microflow
policing can also be enabled for bridged traffic (this is disabled by default) and can be
enabled in interface VLAN configuration mode as follows
First choose the name that will be applied to this policer (in this case call it XYZ)… then define
the stated rate in bits per second that will be allowed
NOTE: The configuration parameters used for this example do not reflect any stated
guidelines from Cisco – rather they are used just to show how a named aggregate is built
Specify the maximum burst value (which defines the depth of the 2nd token bucket) as follows
6500(config)# mls qos aggregate-policer XYZ 100000000 10000 ?
<1000-31250000> Maximum burst bytes
conform-action action when rate is not exceeded
pir PIR
violate-action action when rate violated
<cr>
Specify the conform action – that is, what the policer should do with in-profile traffic within the
stated rate
Then optionally specify the action to be taken when the PIR is exceeded as follows
6500(config)# $m-action transmit exceed-action policed-dscp-transmit ?
violate-action action when rate violated
<cr>
6500# conf t
Enter configuration commands, one per line. End with CNTL/Z.
6500(config)# class-map ?
WORD class-map name
match-all Logical-AND all matching statements under this classmap
match-any Logical-OR all matching statements under this classmap
In this example, the class map ABC123 has been created – this command puts the
administrator into class map configuration mode - following this, a series of match statements
must be defined to classify traffic associated with this class map
Once the class map has been defined, the policy map can be created as follows
6500(config)# policy-map ?
WORD policy-map name
This command places the administrator into the policy map configuration mode
Entering the class name places the administrator into a further sub class configuration
mode – from this mode, a variety of class related actions can be configured – the actions
highlighted in blue above are not supported in PFC hardware
Configuring PFC QoS
Defining Policy Maps
One class map action that is normally configured is the “SET” command – examples of this are
shown below
6500(config-pmap-c)# set ?
atm-clp Set ATM CLP bit to 1
cos Set IEEE 802.1Q/ISL class of service/user priority
dscp Set DSCP in IP(v4) and IPv6 packets
ip Set IP specific values
mpls Set MPLS specific values
precedence Set precedence in IP(v4) and IPv6 packets
qos-group Set QoS Group
6500(config-pmap-c)# set ip ?
dscp Set IP DSCP (DiffServ CodePoint)
precedence Set IP precedence
With the “SET IP“ command, packets can have their ToS bits reset according to the value set
in this class map – this is referred to as MARKING…
Trust states for ports can also be set using the policy map – within the class map set of
actions, the “TRUST” keyword can be used to set trust for the port – this is applied as follows
within the class map
6500(config-pmap-c)# trust ?
cos trust value for the class
dscp trust value for the class
ip-precedence trust value for the class
A policer can also be defined within the class map by using the Police command as follows
6500(config-pmap-c)# police 50000000 13000 26000 pir 100000000 conform transmit exceed policed violate-action drop
This example sets a rate of 50Mb for transmit traffic, an extra 50 Mb over and above that will
be marked down, and anything in excess of 100Mb to be dropped…
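The following is an added example and not Cisco's implementation: it simulates the token bucket arithmetic from the policing slides above (25,000 tokens replenished every 1/4000th of a second into a 26,000-token bucket, fed at GE line rate with 64-byte packets) and extends it to the two-rate form used by the police command just shown, returning a conform/exceed/violate colour per packet. Tokens are counted in bits to match the page's own arithmetic, whereas the CLI takes burst values in bytes; the packet counts per interval and the second scenario's bursts are constructed from those figures.

```python
"""Added example: single-rate and two-rate token-bucket policer over 1/4000 s intervals."""
from dataclasses import dataclass, field
from typing import Optional

INTERVAL_HZ = 4000  # the page states buckets are replenished every 1/4000th of a second


@dataclass
class TokenBucket:
    rate_bps: int        # RATE: tokens (bits) added per second
    burst_bits: int      # BURST: bucket depth
    tokens: int = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = self.burst_bits          # bucket starts full

    def replenish(self) -> None:
        """Add RATE / interval tokens; anything above the depth is discarded."""
        self.tokens = min(self.burst_bits, self.tokens + self.rate_bps // INTERVAL_HZ)

    def can_take(self, bits: int) -> bool:
        return self.tokens >= bits

    def take(self, bits: int) -> None:
        self.tokens -= bits


@dataclass
class Policer:
    """Single-rate (pir=None, two colours) or two-rate, three-colour policer."""
    cir: TokenBucket
    pir: Optional[TokenBucket] = None

    def police(self, bits: int) -> str:
        """Colour one packet of `bits`: conform, exceed or violate."""
        if self.pir is not None and not self.pir.can_take(bits):
            return "violate"                   # over the peak rate: drop in the page's example
        if not self.cir.can_take(bits):
            if self.pir is None:
                return "violate"               # single rate: simply out of profile
            self.pir.take(bits)
            return "exceed"                    # between CIR and PIR: marked down
        self.cir.take(bits)
        if self.pir is not None:
            self.pir.take(bits)
        return "conform"

    def tick(self) -> None:
        self.cir.replenish()
        if self.pir is not None:
            self.pir.replenish()


def simulate(policer: Policer, packet_bits: int, packets_per_interval: int, intervals: int) -> dict:
    """Offer a constant packet stream for `intervals` ticks and count each colour."""
    counts = {"conform": 0, "exceed": 0, "violate": 0, "per_interval": []}
    for _ in range(intervals):
        policer.tick()
        conformed = 0
        for _ in range(packets_per_interval):
            colour = policer.police(packet_bits)
            counts[colour] += 1
            conformed += colour == "conform"
        counts["per_interval"].append(conformed)
    return counts


def page_example(intervals: int = 8) -> dict:
    """The page's worked case: 100 Mb/s policer, 26,000-token bucket, 1 Gb/s arrival of
    64-byte (512-bit) packets, i.e. 250,000 bits or about 488 packets per interval."""
    policer = Policer(cir=TokenBucket(rate_bps=100_000_000, burst_bits=26_000))
    return simulate(policer, packet_bits=512, packets_per_interval=488, intervals=intervals)


def police_command_example(intervals: int = 4) -> dict:
    """Constructed two-rate case modelled on 'police 50000000 13000 26000 pir 100000000',
    with the byte bursts converted to bits for this simulation."""
    policer = Policer(cir=TokenBucket(50_000_000, 13_000 * 8),
                      pir=TokenBucket(100_000_000, 26_000 * 8))
    return simulate(policer, packet_bits=512, packets_per_interval=488, intervals=intervals)


if __name__ == "__main__":
    r = page_example()
    print(r["per_interval"], "forwarded bits/interval:", r["conform"] * 512 / len(r["per_interval"]))
```

In the page's case the first interval forwards 50 packets (the full 26,000-token bucket) and later intervals settle at 48 or 49, which averages to just over 25,000 bits per interval, the stated 100 Mb/s; this is the convergence the policing example slide describes.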
Configuring PFC QoS
Egress DSCP Mutation
The internal DSCP can be mutated using an Egress DSCP Mutation map – Up to 15 mutation
maps can be created and any of these can be applied to an interface that is supported by the
PFC… The following shows the command build to the final syntax
6500(config)# mls qos map dscp-mutation ?
WORD dscp-mutation map name
This example attaches the egress DSCP mutation map ABC789 to VLAN interface 300
This command allows the specification of 8 DSCP values which are mapped directly to the CoS
values 0 through 7
This command allows the specification of 8 DSCP values which are mapped directly to the IP
Precedence values 0 through 7
Up to 8 threshold values can be set for the 1p3q8t and 1p7q8t transmit queue types
Both min and max values can be set with this command
Configuring PFC QoS
Mapping CoS values to Standard RCV Queue Thresholds
On ingress, the CoS value on the incoming packet can be used to map the frame to a receive
threshold – a default map exists, but can be changed using the command below
In this example, the CoS value of 4 has been mapped to Threshold 2 in Queue 2
In this example, the CoS value of 3 has been mapped to the Strict Priority queue on both the
receive and transmit side for this interface
The value to be used is a weight that ranges from 0 to 255 – in the example above an 80-40 (or
2-1) weight has been used to apportion bandwidth between the two queues – this means
Queue 2 will get twice the bandwidth that Queue 1 has.
In this example, Queue 1 gets 65% of the buffer space and Queue 2 gets 35% of the buffer space
[Figure: two Catalyst 6509 chassis, each with Linecards #1 to #4, two Sup720s, Linecards #7 to #9 and PSUs #1 and #2]
Selective modules can be shut down – in this example, modules 2 and 7 are shut down while the others continue to operate normally
Show Power
The power status of the 6500 can be viewed using the following command
Any environmental alarms that have been triggered can be viewed as follows
6500# show environment alarm ?
status show alarm status
thresholds show alarm thresholds
| Output modifiers
<cr>