Home » Cisco Manuals » Bridges & Routers » Cisco NM-8B-U » Manual Viewer

Cisco NM-8B-U User Guide - Page 25

Network Security with ACLs, Traffic Types, SPAN Traffic

UPC - 074632001001

Add to My Manuals
Save this manual to your list of manuals

Page 25 highlights

16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Feature Overview Trunk interfaces can be configured as source interfaces and mixed with nontrunk source interfaces; however, the destination interface never encapsulates. Traffic Types Ingress SPAN (Rx) copies network traffic received by the source interfaces for analysis at the destination interface. Egress SPAN (Tx) copies network traffic transmitted from the source interfaces. Specifying the configuration option both copies network traffic received and transmitted by the source interfaces to the destination interface. SPAN Traffic Network traffic, including multicast, can be monitored using SPAN. Multicast packet monitoring is enabled by default. In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination interface. For example, a bidirectional (both ingress and egress) SPAN session is configured for sources a1 and a2 to a destination interface d1. If a packet enters the switch through a1 and gets switched to a2, both incoming and outgoing packets are sent to destination interface d1; both packets would be the same (unless a Layer-3 rewrite had occurred, in which case the packets would be different). Note Monitoring of VLANs is not supported. SPAN Configuration Guidelines and Restrictions Follow these guidelines and restrictions when configuring SPAN: • Enter the no monitor session session number command with no other parameters to clear the SPAN session number. • EtherChannel interfaces can be SPAN source interfaces; they cannot be SPAN destination interfaces. • If you specify multiple SPAN source interfaces, the interfaces can belong to different VLANs. • Monitoring of VLANs is not supported • Only one SPAN session may be run at any given time. • Outgoing CDP and BPDU packets will not be replicated. • SPAN destinations never participate in any spanning tree instance. SPAN includes BPDUs in the monitored traffic, so any BPDUs seen on the SPAN destination are from the SPAN source. • Use a network analyzer to monitor interfaces. • You can have one SPAN destination interface. • You can mix individual source interfaces within a single SPAN session. • You cannot configure a SPAN destination interface to receive ingress traffic. • When enabled, SPAN uses any previously entered configuration. • When you specify source interfaces and do not specify a traffic type (Tx, Rx, or both), both is used by default. Network Security with ACLs Network security on your Ethernet switch network module can be implemented using access control lists (ACLs), which are also referred to in commands and tables as access lists. Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 25

Section	Page
16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series	1
Feature Overview	2
Layer 2 Ethernet Interfaces	2
Switch Virtual Interfaces	5
Routed Ports	5
VLAN Trunk Protocol	5
EtherChannel	7
802.1x Port-Based Authentication	8
Spanning Tree Protocol	12
Cisco Discovery Protocol	24
Switched Port Analyzer	24
Network Security with ACLs	25
Quality of Service	29
Maximum Number of VLAN and Multicast Groups	35
IP Multicast Support	35
IGMP Snooping	35
Global Storm-Control	38
Per-Port Storm-Control	40
Port Security	40
Ethernet Switching in Cisco AVVID Architecture	40
Stacking	41
Flow Control	41
Using Flow-Control Keywords	41
Fallback Bridging	42
Benefits	43
Restrictions	43
Related Features and Technologies	44
Related Documents	44
Supported Platforms	45
Supported Standards, MIBs, and RFCs	45
Prerequisites	46
Configuration Tasks	46
Configuring Layer 2 Interfaces	47
Configuring a Range of Interfaces	47
Defining a Range Macro	48
Verifying Configuration of a Range of Interfaces	48
Configuring Layer 2 Optional Interface Features	48
Interface Speed and Duplex Configuration Guidelines	48
Configuring the Interface Speed	49
Configuring the Interface Duplex Mode	49
Verifying Interface Speed and Duplex Mode Configuration	49
Configuring a Description for an Interface	50
Configuring an Ethernet Interface as a Layer 2 Trunk	50
Verifying an Ethernet Interface as a Layer 2 Trunk	51
Configuring an Ethernet Interface as a Layer 2 Access	52
Verifying an Ethernet Interface as a Layer 2 Access	52
Configuring VLANs	52
Configuring VLANs	53
Verifying the VLAN Configuration.	53
Deleting a VLAN from the Database	53
Verifying VLAN Deletion	54
Configuring VLAN Trunking Protocol	54
Configuring the VTP Server	54
Configuring a VTP Client	55
Disabling VTP (VTP Transparent Mode)	55
Configuring VTP version 2	55
Verifying VTP	56
Configuring Layer 2 EtherChannels (Port-Channel Logical Interfaces)	56
Configuring Layer 2 EtherChannels (Port-Channel Logical Interfaces)	56
Verifying Layer 2 EtherChannels	57
Configuring EtherChannel Load Balancing	58
Verifying EtherChannel Load Balancing	58
Removing an Interface from an EtherChannel	59
Configuring Removing an EtherChannel	59
Verify Removing an EtherChannel	59
Configuring 802.1x Authentication	59
Understanding the Default 802.1x Configuration	60
Enabling 802.1x Authentication	61
Configuring the Switch-to-RADIUS-Server Communication	62
Enabling Periodic Reauthentication	63
Changing the Quiet Period	64
Changing the Switch-to-Client Retransmission Time	64
Setting the Switch-to-Client Frame-Retransmission Number	65
Enabling Multiple Hosts	66
Resetting the 802.1x Configuration to the Default Values	66
Displaying 802.1x Statistics and Status	66
Configuring Spanning Tree	67
Enabling Spanning Tree	67
Verify Spanning Tree	67
Configuring Spanning Tree Port Priority	68
Verify Spanning Tree Port Priority	68
Configuring Spanning Tree Port Cost	68
Verifying Spanning Tree Port Cost	69
Configuring the Bridge Priority of a VLAN	69
Verifying the Bridge Priority of a VLAN	70
Configuring the Hello Time	70
Configuring the Forward-Delay Time for a VLAN	70
Configuring the Maximum Aging Time for a VLAN	70
Configuring the Root Bridge	71
Configuring BackboneFast	71
Disabling Spanning Tree	72
Verifying that Spanning Tree is Disabled	72
Configuring MAC Table Manipulation - Port Security	72
Enabling Known MAC Address Traffic	73
Verifying the MAC Address Secure Configuration	73
Creating a Static or Dynamic Entry in the MAC Address Table	73
Verifying the MAC Address Table	74
Configuring Aging Timer-timer	74
Verifying the Aging Timer	74
Configuring Cisco Discovery Protocol	74
Enabling Cisco Discovery Protocol	75
Verifying the CDP Global Configuration	75
Enabling CDP on an Interface	75
Verifying the CDP Interface Configuration	75
Verifying CDP Neighbors	76
Monitoring and Maintaining CDP	76
Configuring Switched Port Analyzer	76
Specifying the Switched Port Analyzer Session	77
Configuring SPAN Destinations	77
Removing Sources or Destinations from a SPAN Session	77
Configuring Network Security with ACLs	78
Unsupported Features	78
Creating Standard and Extended IP ACLs	78
ACL Numbers	79
Creating a Numbered Standard ACL	80
Creating a Numbered Extended ACL	80
Creating Named Standard and Extended ACLs	83
Including Comments About Entries in ACLs	85
Applying the ACL to an Interface	85
Displaying ACLs	86
Configuring Quality of Service (QoS)	86
Understanding the Default QoS Configuration	87
Configuring Classification Using Port Trust States	87
Configuring the Trust State on Ports and SVIs within the QoS Domain	87
Configuring the CoS Value for an Interface	89
Configuring a QoS Policy	90
Classifying Traffic by Using ACLs	91
Classifying Traffic by Using Class Maps	93
Classifying, Policing, and Marking Traffic by Using Policy Maps	94
Configuring CoS Maps	96
Configuring the CoS-to-DSCP Map	96
Configuring the DSCP-to-CoS Map	96
Displaying QoS Information	97
Configuring Power Management on the Interface	98
Verifying Power Management on the Interface	98
Configuring IP Multicast Layer 3 Switching	98
Enabling IP Multicast Routing Globally	99
Enabling IP PIM on Layer 3 Interfaces	99
Verifying IP Multicast Layer 3 Hardware Switching Summary	100
Verifying the IP Multicast Routing Table	101
Configuring IGMP Snooping	102
Enabling or Disabling IGMP Snooping	102
Enabling IGMP Immediate-Leave Processing	103
Statically Configuring an Interface to Join a Group	103
Configuring a Multicast Router Port	104
Configuring Global Storm-Control	104
Enabling Global Storm-Control	105
Verifying Global Storm-Control	105
Configuring Per-Port Storm-Control	106
Enabling Per-Port Storm-Control	106
Disabling Per-Port Storm-Control	107
Configuring Separate Voice and Data Subnets	107
Voice Traffic and VVID	108
Configuring a Single Subnet for Voice and Data	108
Verifying Switchport Configuration	109
Configuring Ethernet Ports to Support Cisco IP Phones with Multiple Ports	109
IP Addressing	109
Managing the Ethernet Switch Network Module	109
Adding Trap Managers	110
Verifying Trap Managers	110
Configuring IP Information	110
Assigning IP Information to the Switch	110
Specifying a Domain Name and Configuring the DNS	111
Configuring Voice Ports	112
Configuring a Port to Connect to a Cisco 7960 IP phone	113
Disabling Inline Power on a Ethernet switch network module	113
Verifying Inline Power Configuration	114
Enabling Switch Port Analyzer	114
Managing the ARP Table	114
Managing the MAC Address Tables	115
Understanding MAC Addresses and VLANs	115
Changing the Address Aging Time	116
Configuring the Aging Time	116
Verifying Aging-Time Configuration	116
Removing Dynamic Addresses	116
Verifying Dynamic Addresses	117
Adding Secure Addresses	117
Verifying Secure Addresses	117
Configuring Static Addresses	118
Verifying Static Addresses	118
Clearing all MAC Address Tables	119
Configuring Intrachassis Stacking	119
Verifying Intra-chassis Stacking	119
Configuring Flow Control on Gigabit Ethernet Ports	119
Configuring Layer 3 Interfaces	120
Configuring Fallback Bridging	121
Understanding the Default Fallback Bridging Configuration	121
Creating a Bridge Group	121
Preventing the Forwarding of Dynamically Learned Stations	122
Configuring the Bridge Table Aging Time	123
Filtering Frames by a Specific MAC Address	124
Adjusting Spanning-Tree Parameters	124
Monitoring and Maintaining the Network	129
Configuration Examples for the 16- and 36-Port Ethernet Switch Module	130
Range of Interface Examples	130
Single Range Configuration Example	130
Multiple Range Configuration Example	131
Range Macro Definition Example	131
Optional Interface Feature Examples	131
Interface Speed Example	132
Setting the Interface Duplex Mode Example	132
Adding a Description for an Interface Example	132
Configuring an Ethernet Interface as a Layer 2 Trunk Example	132
VLAN Configuration Example	132
VTP Examples	133
VTP Server Example	133
VTP Client Example	133
Disabling VTP (VTP Transparent Mode) Example	133
VTP version 2 Example	133
EtherChannel Load Balancing Example	134
Layer 2 EtherChannels Example	134
EtherChannel Load Balancing Example	134
Removing an EtherChannel Example	134
802.1x Authentication Examples	134
Enabling 802.1x Authentication Example	135
Configuring the Switch-to-RADIUS-Server Communication Example	135
Enabling Periodic Re-Authentication Example	135
Changing the Quiet Period Example	135
Changing the Switch-to-Client Retransmission Time Example	135
Setting the Switch-to-Client Frame-Retransmission Number Example	135
Enabling Multiple Hosts Example	135
Spanning Tree Examples	136
Spanning-Tree Interface and Spanning-Tree Port Priority Example	136
Spanning-Tree Port Cost Example	136
Bridge Priority of a VLAN	137
Hello Time Example	137
Forward-Delay Time for a VLAN Example	137
Maximum Aging Time for a VLAN Example	137
BackboneFast Example	138
Spanning Tree Examples	138
Spanning Tree Root Example	138
Mac Table Manipulation Examples	138
Cisco Discovery Protocol (CDP) Example	138
Switched Port Analyzer (SPAN) Source Examples	139
SPAN Source Configuration Example	139
SPAN Destinations Example	139
Removing Sources or Destinations from a SPAN Session Example	139
Network Security and ACL Configuration Examples	139
Creating Numbered Standard and Extended ACLs Example	139
Creating Named Standard and Extended ACLs Example	140
Including Comments About Entries in ACLs Example	141
Applying the ACL to an Interface Example	141
Displaying Standard and Extended ACLs Example	141
Displaying Access Groups Example	142
Compiling ACLs Example	143
QoS Configuration Examples	144
Classifying Traffic by Using ACL Example	144
Classifying Traffic by Using Class Maps Example	144
Classifying, Policing, and Marking Traffic by Using Policy Maps Example	144
Configuring the CoS-to-DSCP Map Example	145
Configuring the DSCP-to-CoS Map Example	145
Displaying QoS Information Example	145
IGMP Snooping Example	145
Storm-Control Example	147
Ethernet Switching Examples	148
Subnets for Voice and Data Example	148
Inter-VLAN Routing Example	148
Single Subnet Configuration Example	149
Ethernet Ports on IP Phones with Multiple Ports Example	149
Intrachassis Stacking Example	150
Flow Control on Gigabit Ethernet Ports Example	151
Configuring Layer 3 Interfaces Example	153
Fallback Bridging Example	155
Creating a Bridge Group Example	155
Preventing the Forwarding of Dynamically Learned Stations Example	155
Configuring the Bridge Table Aging Time Example	155
Filtering Frames by a Specific MAC Address Example	155
Adjusting Spanning-Tree Parameters Examples	155
Command Reference	157
aaa authentication dot1x	159
class	161
class-map	163
debug dot1x	165
debug eswilp	166
debug ip igmp snooping	167
debug spanning-tree	168
deny (access-list configuration)	170
dot1x default	173
dot1x max-req	174
dot1x multiple-hosts	175
dot1x port-control	176
dot1x re-authenticate	178
dot1x re-authentication	179
dot1x timeout quiet-period	180
dot1x timeout re-authperiod	181
dot1x timeout tx-period	182
ip access-group	183
ip access-list	185
ip igmp snooping	187
ip igmp snooping vlan	189
ip igmp snooping vlan immediate-leave	190
ip igmp snooping vlan mrouter	192
ip igmp snooping vlan static	194
match (class-map configuration)	196
mls qos cos	198
mls qos map	200
mls qos trust	202
permit (access-list configuration)	204
police	207
policy-map	209
service-policy	211
show access-lists	212
show class-map	214
show dot1x	216
show ip access-lists	220
show ip igmp snooping	222
show ip igmp snooping mrouter	224
show mls masks	225
show mls qos interface	227
show mls qos maps	228
show policy-map	230
show spanning-tree	232
show storm-control	235
spanning-tree backbonefast	237
storm-control	238
switchport	240

Match case Limit results 1 per page

16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series

Feature Overview

Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ

Trunk interfaces can be configured as source interfaces and mixed with nontrunk source interfaces;

however, the destination interface never encapsulates.

Traffic Types

Ingress SPAN (Rx) copies network traffic received by the source interfaces for analysis at the destination

interface. Egress SPAN (Tx) copies network traffic transmitted from the source interfaces. Specifying

the configuration option

both

copies network traffic received and transmitted by the source interfaces to

the destination interface.

SPAN Traffic

Network traffic, including multicast, can be monitored using SPAN. Multicast packet monitoring is

enabled by default. In some SPAN configurations, multiple copies of the same source packet are sent to

the SPAN destination interface. For example, a bidirectional (both ingress and egress) SPAN session is

configured for sources a1 and a2 to a destination interface d1. If a packet enters the switch through a1

and gets switched to a2, both incoming and outgoing packets are sent to destination interface d1; both

packets would be the same (unless a Layer-3 rewrite had occurred, in which case the packets would be

different).

Note

Monitoring of VLANs is not supported.

SPAN Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring SPAN:

•

Enter the

no monitor session

session number

command with no other parameters to clear the SPAN

session number.

•

EtherChannel interfaces can be SPAN source interfaces; they cannot be SPAN destination interfaces.

•

If you specify multiple SPAN source interfaces, the interfaces can belong to different VLANs.

•

Monitoring of VLANs is not supported

•

Only one SPAN session may be run at any given time.

•

Outgoing CDP and BPDU packets will not be replicated.

•

SPAN destinations never participate in any spanning tree instance. SPAN includes BPDUs in the

monitored traffic, so any BPDUs seen on the SPAN destination are from the SPAN source.

•

Use a network analyzer to monitor interfaces.

•

You can have one SPAN destination interface.

•

You can mix individual source interfaces within a single SPAN session.

•

You cannot configure a SPAN destination interface to receive ingress traffic.

•

When enabled, SPAN uses any previously entered configuration.

•

When you specify source interfaces and do not specify a traffic type (

, or

both

is used

by default.

Network Security with ACLs

Network security on your Ethernet switch network module can be implemented using access control lists

(ACLs), which are also referred to in commands and tables as access lists.