Home » Cisco Manuals » Hubs & Switches » Cisco NME-16ES-1G » Manual Viewer

Cisco NME-16ES-1G User Guide - Page 94

Classifying, Policing, and Marking Traffic by Using Policy Maps, class, access-group

UPC - 882658036101

Add to My Manuals
Save this manual to your list of manuals

Page 94 highlights

Configuration Tasks 16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Classifying, Policing, and Marking Traffic by Using Policy Maps A policy map specifies which traffic class to act on. Actions can include trusting the CoS or DSCP values in the traffic class; setting a specific DSCP value in the traffic class; and specifying the traffic bandwidth limitations for each matched traffic class (policer) and the action to take when the traffic is out of profile (marking). A separate policy-map class can exist for each type of traffic received through an interface. You can attach only one policy map per interface in the input direction. Beginning in privileged EXEC mode, follow these steps to create a policy map: Step 1 Step 2 Step 3 Command configure terminal access-list access-list-number {deny | permit} {source source-wildcard | host source | any} or access-list access-list-number {deny | permit | remark} protocol {source source-wildcard | host source | any}[operator port] {destination destination-wildcard | host destination | any} [operator port] policy-map policy-map-name Step 4 class class-map-name [access-group acl-index-or-name] Purpose Enters global configuration mode. Creates an IP standard or extended ACL for IP traffic, repeating the command as many times as necessary. For more information, see the "Classifying Traffic by Using ACLs" section on page 91. Note Deny statements are not supported for QoS ACLS. See the "Classification Based on QoS ACLs" section on page 32 for more details. Creates a policy map by entering the policy map name, and enter policy-map configuration mode. By default, no policy maps are defined. The default behavior of a policy map is to set the DSCP to 0 if the packet is an IP packet and to set the CoS to 0 if the packet is tagged. No policing is performed. Defines a traffic classification, and enter policy-map class configuration mode. By default, no policy map class maps are defined. If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command. For access-group acl-index-or-name, specify the number or name of the ACL created in Step 2. Note In a policy map, the class named class-default is not supported. The switch does not filter traffic based on the policy map defined by the class class-default policy-map configuration command. Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 94

Section	Page
16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series	1
Feature Overview	2
Layer 2 Ethernet Interfaces	2
Switch Virtual Interfaces	5
Routed Ports	5
VLAN Trunk Protocol	5
EtherChannel	7
802.1x Port-Based Authentication	8
Spanning Tree Protocol	12
Cisco Discovery Protocol	24
Switched Port Analyzer	24
Network Security with ACLs	25
Quality of Service	29
Maximum Number of VLAN and Multicast Groups	35
IP Multicast Support	35
IGMP Snooping	35
Global Storm-Control	38
Per-Port Storm-Control	40
Port Security	40
Ethernet Switching in Cisco AVVID Architecture	40
Stacking	41
Flow Control	41
Using Flow-Control Keywords	41
Fallback Bridging	42
Benefits	43
Restrictions	43
Related Features and Technologies	44
Related Documents	44
Supported Platforms	45
Supported Standards, MIBs, and RFCs	45
Prerequisites	46
Configuration Tasks	46
Configuring Layer 2 Interfaces	47
Configuring a Range of Interfaces	47
Defining a Range Macro	48
Verifying Configuration of a Range of Interfaces	48
Configuring Layer 2 Optional Interface Features	48
Interface Speed and Duplex Configuration Guidelines	48
Configuring the Interface Speed	49
Configuring the Interface Duplex Mode	49
Verifying Interface Speed and Duplex Mode Configuration	49
Configuring a Description for an Interface	50
Configuring an Ethernet Interface as a Layer 2 Trunk	50
Verifying an Ethernet Interface as a Layer 2 Trunk	51
Configuring an Ethernet Interface as a Layer 2 Access	52
Verifying an Ethernet Interface as a Layer 2 Access	52
Configuring VLANs	52
Configuring VLANs	53
Verifying the VLAN Configuration.	53
Deleting a VLAN from the Database	53
Verifying VLAN Deletion	54
Configuring VLAN Trunking Protocol	54
Configuring the VTP Server	54
Configuring a VTP Client	55
Disabling VTP (VTP Transparent Mode)	55
Configuring VTP version 2	55
Verifying VTP	56
Configuring Layer 2 EtherChannels (Port-Channel Logical Interfaces)	56
Configuring Layer 2 EtherChannels (Port-Channel Logical Interfaces)	56
Verifying Layer 2 EtherChannels	57
Configuring EtherChannel Load Balancing	58
Verifying EtherChannel Load Balancing	58
Removing an Interface from an EtherChannel	59
Configuring Removing an EtherChannel	59
Verify Removing an EtherChannel	59
Configuring 802.1x Authentication	59
Understanding the Default 802.1x Configuration	60
Enabling 802.1x Authentication	61
Configuring the Switch-to-RADIUS-Server Communication	62
Enabling Periodic Reauthentication	63
Changing the Quiet Period	64
Changing the Switch-to-Client Retransmission Time	64
Setting the Switch-to-Client Frame-Retransmission Number	65
Enabling Multiple Hosts	66
Resetting the 802.1x Configuration to the Default Values	66
Displaying 802.1x Statistics and Status	66
Configuring Spanning Tree	67
Enabling Spanning Tree	67
Verify Spanning Tree	67
Configuring Spanning Tree Port Priority	68
Verify Spanning Tree Port Priority	68
Configuring Spanning Tree Port Cost	68
Verifying Spanning Tree Port Cost	69
Configuring the Bridge Priority of a VLAN	69
Verifying the Bridge Priority of a VLAN	70
Configuring the Hello Time	70
Configuring the Forward-Delay Time for a VLAN	70
Configuring the Maximum Aging Time for a VLAN	70
Configuring the Root Bridge	71
Configuring BackboneFast	71
Disabling Spanning Tree	72
Verifying that Spanning Tree is Disabled	72
Configuring MAC Table Manipulation - Port Security	72
Enabling Known MAC Address Traffic	73
Verifying the MAC Address Secure Configuration	73
Creating a Static or Dynamic Entry in the MAC Address Table	73
Verifying the MAC Address Table	74
Configuring Aging Timer-timer	74
Verifying the Aging Timer	74
Configuring Cisco Discovery Protocol	74
Enabling Cisco Discovery Protocol	75
Verifying the CDP Global Configuration	75
Enabling CDP on an Interface	75
Verifying the CDP Interface Configuration	75
Verifying CDP Neighbors	76
Monitoring and Maintaining CDP	76
Configuring Switched Port Analyzer	76
Specifying the Switched Port Analyzer Session	77
Configuring SPAN Destinations	77
Removing Sources or Destinations from a SPAN Session	77
Configuring Network Security with ACLs	78
Unsupported Features	78
Creating Standard and Extended IP ACLs	78
ACL Numbers	79
Creating a Numbered Standard ACL	80
Creating a Numbered Extended ACL	80
Creating Named Standard and Extended ACLs	83
Including Comments About Entries in ACLs	85
Applying the ACL to an Interface	85
Displaying ACLs	86
Configuring Quality of Service (QoS)	86
Understanding the Default QoS Configuration	87
Configuring Classification Using Port Trust States	87
Configuring the Trust State on Ports and SVIs within the QoS Domain	87
Configuring the CoS Value for an Interface	89
Configuring a QoS Policy	90
Classifying Traffic by Using ACLs	91
Classifying Traffic by Using Class Maps	93
Classifying, Policing, and Marking Traffic by Using Policy Maps	94
Configuring CoS Maps	96
Configuring the CoS-to-DSCP Map	96
Configuring the DSCP-to-CoS Map	96
Displaying QoS Information	97
Configuring Power Management on the Interface	98
Verifying Power Management on the Interface	98
Configuring IP Multicast Layer 3 Switching	98
Enabling IP Multicast Routing Globally	99
Enabling IP PIM on Layer 3 Interfaces	99
Verifying IP Multicast Layer 3 Hardware Switching Summary	100
Verifying the IP Multicast Routing Table	101
Configuring IGMP Snooping	102
Enabling or Disabling IGMP Snooping	102
Enabling IGMP Immediate-Leave Processing	103
Statically Configuring an Interface to Join a Group	103
Configuring a Multicast Router Port	104
Configuring Global Storm-Control	104
Enabling Global Storm-Control	105
Verifying Global Storm-Control	105
Configuring Per-Port Storm-Control	106
Enabling Per-Port Storm-Control	106
Disabling Per-Port Storm-Control	107
Configuring Separate Voice and Data Subnets	107
Voice Traffic and VVID	108
Configuring a Single Subnet for Voice and Data	108
Verifying Switchport Configuration	109
Configuring Ethernet Ports to Support Cisco IP Phones with Multiple Ports	109
IP Addressing	109
Managing the Ethernet Switch Network Module	109
Adding Trap Managers	110
Verifying Trap Managers	110
Configuring IP Information	110
Assigning IP Information to the Switch	110
Specifying a Domain Name and Configuring the DNS	111
Configuring Voice Ports	112
Configuring a Port to Connect to a Cisco 7960 IP phone	113
Disabling Inline Power on a Ethernet switch network module	113
Verifying Inline Power Configuration	114
Enabling Switch Port Analyzer	114
Managing the ARP Table	114
Managing the MAC Address Tables	115
Understanding MAC Addresses and VLANs	115
Changing the Address Aging Time	116
Configuring the Aging Time	116
Verifying Aging-Time Configuration	116
Removing Dynamic Addresses	116
Verifying Dynamic Addresses	117
Adding Secure Addresses	117
Verifying Secure Addresses	117
Configuring Static Addresses	118
Verifying Static Addresses	118
Clearing all MAC Address Tables	119
Configuring Intrachassis Stacking	119
Verifying Intra-chassis Stacking	119
Configuring Flow Control on Gigabit Ethernet Ports	119
Configuring Layer 3 Interfaces	120
Configuring Fallback Bridging	121
Understanding the Default Fallback Bridging Configuration	121
Creating a Bridge Group	121
Preventing the Forwarding of Dynamically Learned Stations	122
Configuring the Bridge Table Aging Time	123
Filtering Frames by a Specific MAC Address	124
Adjusting Spanning-Tree Parameters	124
Monitoring and Maintaining the Network	129
Configuration Examples for the 16- and 36-Port Ethernet Switch Module	130
Range of Interface Examples	130
Single Range Configuration Example	130
Multiple Range Configuration Example	131
Range Macro Definition Example	131
Optional Interface Feature Examples	131
Interface Speed Example	132
Setting the Interface Duplex Mode Example	132
Adding a Description for an Interface Example	132
Configuring an Ethernet Interface as a Layer 2 Trunk Example	132
VLAN Configuration Example	132
VTP Examples	133
VTP Server Example	133
VTP Client Example	133
Disabling VTP (VTP Transparent Mode) Example	133
VTP version 2 Example	133
EtherChannel Load Balancing Example	134
Layer 2 EtherChannels Example	134
EtherChannel Load Balancing Example	134
Removing an EtherChannel Example	134
802.1x Authentication Examples	134
Enabling 802.1x Authentication Example	135
Configuring the Switch-to-RADIUS-Server Communication Example	135
Enabling Periodic Re-Authentication Example	135
Changing the Quiet Period Example	135
Changing the Switch-to-Client Retransmission Time Example	135
Setting the Switch-to-Client Frame-Retransmission Number Example	135
Enabling Multiple Hosts Example	135
Spanning Tree Examples	136
Spanning-Tree Interface and Spanning-Tree Port Priority Example	136
Spanning-Tree Port Cost Example	136
Bridge Priority of a VLAN	137
Hello Time Example	137
Forward-Delay Time for a VLAN Example	137
Maximum Aging Time for a VLAN Example	137
BackboneFast Example	138
Spanning Tree Examples	138
Spanning Tree Root Example	138
Mac Table Manipulation Examples	138
Cisco Discovery Protocol (CDP) Example	138
Switched Port Analyzer (SPAN) Source Examples	139
SPAN Source Configuration Example	139
SPAN Destinations Example	139
Removing Sources or Destinations from a SPAN Session Example	139
Network Security and ACL Configuration Examples	139
Creating Numbered Standard and Extended ACLs Example	139
Creating Named Standard and Extended ACLs Example	140
Including Comments About Entries in ACLs Example	141
Applying the ACL to an Interface Example	141
Displaying Standard and Extended ACLs Example	141
Displaying Access Groups Example	142
Compiling ACLs Example	143
QoS Configuration Examples	144
Classifying Traffic by Using ACL Example	144
Classifying Traffic by Using Class Maps Example	144
Classifying, Policing, and Marking Traffic by Using Policy Maps Example	144
Configuring the CoS-to-DSCP Map Example	145
Configuring the DSCP-to-CoS Map Example	145
Displaying QoS Information Example	145
IGMP Snooping Example	145
Storm-Control Example	147
Ethernet Switching Examples	148
Subnets for Voice and Data Example	148
Inter-VLAN Routing Example	148
Single Subnet Configuration Example	149
Ethernet Ports on IP Phones with Multiple Ports Example	149
Intrachassis Stacking Example	150
Flow Control on Gigabit Ethernet Ports Example	151
Configuring Layer 3 Interfaces Example	153
Fallback Bridging Example	155
Creating a Bridge Group Example	155
Preventing the Forwarding of Dynamically Learned Stations Example	155
Configuring the Bridge Table Aging Time Example	155
Filtering Frames by a Specific MAC Address Example	155
Adjusting Spanning-Tree Parameters Examples	155
Command Reference	157
aaa authentication dot1x	159
class	161
class-map	163
debug dot1x	165
debug eswilp	166
debug ip igmp snooping	167
debug spanning-tree	168
deny (access-list configuration)	170
dot1x default	173
dot1x max-req	174
dot1x multiple-hosts	175
dot1x port-control	176
dot1x re-authenticate	178
dot1x re-authentication	179
dot1x timeout quiet-period	180
dot1x timeout re-authperiod	181
dot1x timeout tx-period	182
ip access-group	183
ip access-list	185
ip igmp snooping	187
ip igmp snooping vlan	189
ip igmp snooping vlan immediate-leave	190
ip igmp snooping vlan mrouter	192
ip igmp snooping vlan static	194
match (class-map configuration)	196
mls qos cos	198
mls qos map	200
mls qos trust	202
permit (access-list configuration)	204
police	207
policy-map	209
service-policy	211
show access-lists	212
show class-map	214
show dot1x	216
show ip access-lists	220
show ip igmp snooping	222
show ip igmp snooping mrouter	224
show mls masks	225
show mls qos interface	227
show mls qos maps	228
show policy-map	230
show spanning-tree	232
show storm-control	235
spanning-tree backbonefast	237
storm-control	238
switchport	240

Match case Limit results 1 per page

16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series

Configuration Tasks

Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ

Classifying, Policing, and Marking Traffic by Using Policy Maps

A policy map specifies which traffic class to act on. Actions can include trusting the CoS or DSCP values

in the traffic class; setting a specific DSCP value in the traffic class; and specifying the traffic bandwidth

limitations for each matched traffic class (policer) and the action to take when the traffic is out of profile

(marking).

A separate policy-map class can exist for each type of traffic received through an interface. You can

attach only one policy map per interface in the input direction.

Beginning in privileged EXEC mode, follow these steps to create a policy map:

Command

Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

access-list

access-list-number

{

deny

permit

} {

source

source-wildcard

host

source

any

}

access-list

access-list-number

{

deny

permit

remark

}

protocol

{

source

source-wildcard

host

source

any

}

[

operator

port

]

{

destination

destination-wildcard

host

destination

any}

[

operator

port

]

Creates an IP standard or extended ACL for IP traffic, repeating the

command as many times as necessary.

For more information, see the

“Classifying Traffic by Using ACLs”

section on page 91

Note

Deny statements are not supported for QoS ACLS. See the

“Classification Based on QoS ACLs” section on page 32

for

more details.

Step 3

policy-map

policy-map-name

Creates a policy map by entering the policy map name, and enter

policy-map configuration mode.

By default, no policy maps are defined.

The default behavior of a policy map is to set the DSCP to 0 if the

packet is an IP packet and to set the CoS to 0 if the packet is tagged. No

policing is performed.

Step 4

class

class-map-name

[

access-group

acl-index-or-name

]

Defines a traffic classification, and enter policy-map class

configuration mode.

By default, no policy map class maps are defined.

If a traffic class has already been defined by using the

class-map

global

configuration command, specify its name for

class-map-name

in this

command.

For

access-group

acl-index-or-name

, specify t

number or name of the

ACL created in Step 2.

Note

In a policy map, the class named class-default is not supported.

The switch does not filter traffic based on the policy map

defined by the

class class-default

policy-map configuration

command.