Software Guide
Page 11
...Cisco IOS ACLs 3 VACLs 3 Applying Cisco IOS ACLs and VACLs on VLANs 7 Bridged Packets 7 Routed Packets 7 Multicast Packets 8 Using Cisco IOS ACLs in your Network 9 Hardware and Software Handling of Cisco IOS ACLs with PFC 10 Hardware and Software Handling of Cisco IOS ACLs with PFC2 12 Using VACLs with Cisco IOS ACLs 15 Guidelines for Configuring Cisco IOS... in Flash Memory 45 Moving the VACL and QoS ACL Configuration Back to NVRAM 46 Redundancy Synchronization Support 46 Interacting with High Availability 46 Configuring Policy-Based Forwarding 46 Understanding How Policy-Based Forwarding Works ...
Software Guide
Page 44
...you can type in a given mode, type a question mark (?) at global configuration mode. From global configuration mode, you can configure IOS to support direct Telnet access to a command category displays a list of protocol-specific modes. Table 2-5 lists and describes the most commonly used when ... are not saved across switch reboots. MSFC Command-Line Interface These sections describe the MSFC CLI: • Cisco IOS Command Modes, page 2-8 • Cisco IOS Command-Line Interface, page 2-10 Note In addition to you depend on the switch, you begin in the "Accessing the MSFC from the ...
Software Guide
Page 52
... variable. Preparing to Configure the IP Address and Default Gateway Chapter 3 Configuring the Switch IP Address and Default Gateway If no reply is the main Cisco IOS software image with a BOOTP or RARP-obtained IP address, the information learned from BOOTP or RARP is the name of the desired image on the... on the MSFC bootflash. If you must stay on the supervisor engine Flash PC card, you reset or power cycle a switch with full multiprotocol routing support.
Software Guide
Page 200
...to the primary VLAN. You get an error message if you map a Cisco IOS ACL to a primary VLAN, the Cisco IOS ACL automatically maps to the associated isolated and community VLANs. • You cannot map Cisco IOS ACLs to an isolated or community VLAN. • You cannot use ...policy-based routing (PBR) on a private VLAN interface. mod/ports Verify the primary private VLAN configuration. Configuring Private VLANs Chapter 11 Configuring VLANs • IGMP snooping and multicast shortcuts are not supported in ...
Software Guide
Page 214
...Note This section is for users who are virtual interfaces. VLAN interfaces on the MSFC are familiar with Cisco IOS software and have some experience configuring Cisco IOS routing. MSFC supports up to that host. These sections describe how to 256 VLAN interfaces. 12-2 Catalyst 6000 Family Software.... For more information, see Chapter 11, "Configuring VLANs." 2. Create and configure VLAN interfaces for which receives the traffic on the VLAN 10 interface. Switch A forwards the packet directly to Host B, without sending it to route traffic. Configure a VLAN interface for each VLAN for...
Software Guide
Page 217
...Cisco IOS Configuration Fundamentals Configuration Guide at http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/fun_c/fcprt3/fcd305.htm Auto State Feature The auto state feature shuts down (or brings up) Layer 3 interfaces/subinterfaces on the MSFC and the Multilayer Switch Module... prevented from communicating directly by default. WCCP Layer 2 Redirection Note Supervisor Engine 1 with the Policy Feature Card (PFC) supports this feature with Release 12.1(2)E or later releases. Follow these guidelines when using Layer 2 redirection. WCCP Layer 2 redirection ...
Software Guide
Page 224
...that match a complete forwarding information base (FIB) entry (see the "Understanding the FIB" section on the MSFC2 to support IP, IP multicast, and IPX traffic. Cisco IOS CEF is permanently enabled on Supervisor Engine 2. CEF for PFC2 is addressed at the CLI or used for NDE. CEF ...02 Understanding How Layer 3 Switching Works Chapter 13 Configuring CEF for PFC2 Understanding IP Multicast Rewrite Received IP multicast packets are enhanced to support CEF for PFC2. CEF and PIM on the MSFC2 are (conceptually) formatted as follows: Frame Header Destination Group G1 MAC Source MSFC2...
Software Guide
Page 234
...traffic that is switched by CEF for PFC2 on the MSFC2. To enable IP multicast routing globally on the MSFC. No configuration is required to support CEF for IP multicast: • Enabling IP Multicast Routing Globally, page 13-14 • Enabling IP PIM on an MSFC2 Interface, page 13... routing globally. Router(config)# ip multicast-routing This example shows how to the "IP Multicast" section of the Cisco IOS IP and IP Routing Configuration Guide at http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt3/index.htm Enabling IP Multicast Routing Globally You must ...
Software Guide
Page 261
...Note In systems with redundant MSFCs, the IP PIM interface configuration must be enabled on an IPX MLS-enabled interface. • IPX EIGRP-To support MLS on EIGRP interfaces you enable IP MMLS, IP accounting for the flow is in the flow that are multilayer switched. • For source ... with the tc_value greater than the default (16). Enter the ipx maximum-hop tc_value global configuration command on the MSFC, with Other Features Other IOS software features affect IPX MLS as follows: • IPX accounting-IPX accounting cannot be the same on both the active and redundant MSFCs. ...
Software Guide
Page 297
...type of these sections: • Understanding How ACLs Work, page 16-1 • Hardware Requirements, page 16-2 • Supported ACLs, page 16-2 • Applying Cisco IOS ACLs and VACLs on the Catalyst 6000 family switches. Note For complete syntax and usage information for details. This chapter consists... C H A P T E R Configuring Access Control This chapter describes how to configure access control lists (ACLs) on VLANs, page 16-7 • Using Cisco IOS ACLs in your Network, page 16-9 • Using VACLs with Cisco IOS ACLs, page 16-15 • Using VACLs in your supervisor engine.
Software Guide
Page 298
... These sections describe the ACLs supported by which switching engine daughter card is configured on the supervisor engine. During this process, the switch can be configured on . Standard and extended Cisco IOS ACLs are used to a number of features such as follows: • Cisco IOS ACLs: - A VACL is as ...Policy Feature Card (PFC) and MSFC or MSFC2 - PFC2 Note The QoS feature set supported on your switch is determined by the Catalyst 6000 family switches: • QoS ACLs, page 16-2 • Cisco IOS ACLs, page 16-3 • VACLs, page 16-3 QoS ACLs You can either enter ...
Software Guide
Page 299
...ACL that is used with features that are not defined by multiple features, Cisco IOS software examines it multiple times. Cisco IOS software examines ACLs that are forwarded out to the next hop, Cisco IOS examines all interfaces for a given direction. When a single ACL is ... sections describe VACLs: • VACL Overview, page 16-3 • ACEs Supported in Cisco IOS software also use ACLs globally. Chapter 16 Configuring Access Control Supported ACLs Cisco IOS ACLs Cisco IOS ACLs are strictly for security packet filtering and redirecting traffic to specific physical switch...
Software Guide
Page 305
... VACL (Not supported on PFC2) Host B (VLAN 20) Host D (VLAN 20) 26965 Using Cisco IOS ACLs in your Network Figure 16-3 Applying ACLs on Multicast Packets Routed Input IOS ACL Bridged VACL Catalyst 6500 Series Switch with PFC" section on page 16-10. To configure Cisco IOS ACLs, see the "Unsupported ...27 and the "VACL Configuration Guidelines" section on the router to the router instead of Cisco IOS ACLs with MSFC MSFC Host A (VLAN 10) Host C (VLAN 10) Bridged IOS ACL for output VLAN for Cisco IOS ACLs and VACLs must be the same on both MSFCs. 78-13315-02 Catalyst 6000 ...
Software Guide
Page 307
.... • IP accounting for an ACL access violation on a given interface is supported by forwarding all denied packets for that when reflexive ACLs are supported in the hardware. Chapter 16 Configuring Access Control Using Cisco IOS ACLs in your Network • NAT, page 16-12 • Unicast RPF ...Check, page 16-12 • Bridge-Groups, page 16-12 Security Cisco IOS ACLs The IP and IPX security Cisco IOS ACLs with the...
Software Guide
Page 308
... occurs in the hardware. WCCP HTTP requests subject to the CPU. Under heavy traffic conditions, this could cause high CPU utilization. Bridge-Groups Cisco IOS bridge-group ACLs are handled in the software; When a route map contains multiple "match" clauses, all interfaces regardless of DOS attacks, these...With ACL-based unicast RPF, packets denied by these packets will most likely match the deny ACE and be met before a packet is not supported. However, for route maps containing both "match ip address" and "match length," all packets received on the PFC. For route maps that...
Software Guide
Page 309
... does not account for hardware-forwarded flows. This process significantly degrades system performance. Chapter 16 Configuring Access Control Using Cisco IOS ACLs in the hardware. The forwarding rate for software-forwarded flows is not supported. • IPX standard input and output ACLs are handled in the hardware. • IP accounting for that require...
Software Guide
Page 310
...conditions imposed by these match clauses must be any other modes of -service attack. If a connection is not required (and not supported) on the route map. Policy Routing Policy routing-required flows are handled in hardware. For route maps that connection attempts from TCP ... successfully, the following applies: a. WCCP HTTP requests subject to protect TCP servers from unreachable hosts never reach the server. Using Cisco IOS ACLs in your Network Chapter 16 Configuring Access Control Reflexive ACLs ICMP packets are handled in the software; TCP Intercept The TCP ...
Software Guide
Page 311
...get access controlled after the translation because of Cisco IOS ACLs and VACLs. Under heavy traffic conditions, this could cause high CPU utilization. You can define Cisco IOS ACLs on packets before NAT translation. Bridge-Groups Cisco IOS bridge-group ACLs are handled in the ...Guide-Releases 6.3 and 6.4 16-15 These sections describe Cisco IOS ACL and VACL configuration guidelines and guidelines for Layer 4 operations: • Guidelines for Configuring Cisco IOS ACLs and VACLs on the PFC2. a packet is not supported. Chapter 16 Configuring Access Control Using VACLs with VACLs:...
Software Guide
Page 323
...enforced in the hardware; Unsupported Features This section lists ACL-related features that specify a source node number or socket numbers are not supported when specifying the IPX flow. 78-13315-02 Catalyst 6000 Family Software Configuration Guide-Releases 6.3 and 6.4 16-27 IPX extended ...access lists that are not supported or have limited support on the Catalyst 6000 family switches. • Non-IP version 4/non-IPX Cisco IOS ACLs-The following types of Cisco IOS security ACLs cannot be enforced on the switch in the hardware - Extended...
Software Guide
Page 640
...Access rights define the SNMP objects that a user is performed with an algorithm called CBC-DES (DES-56). This protocol supports centralized and distributed network management strategies and includes improvements in an unauthorized manner. A set of object identifiers (OIDs) that... auth, and priv. A view name (not to manage configurations, statistics collection, performance, and security. in the group. Currently, Cisco IOS supports three security models: SNMPv1, SNMPv2c, and SNMPv3. SNMP Terminology Chapter 36 Configuring SNMP Table 36-1 SNMP Terminology (continued) Term community ...