Cisco Catalyst 3750 - Acls and Bridged Packets; Acls and Routed Packets

To Next Page

To Previous Page

25-36

Catalyst 3750 Metro Switch Software Configuration Guide

78-15870-01

Chapter 25 Configuring Network Security with ACLs

Using VLAN Maps with Router ACLs

ACLs and Bridged Packets

Figure 25-7 shows how an ACL is applied on fallback-bridged packets. For bridged packets, only

Layer 2 ACLs are applied to the input VLAN. Only non-IPv4, non-ARP packets can be fallback-bridged.

Figure 25-7 Applying ACLs on Bridged Packets

ACLs and Routed Packets

Figure 25-8 shows how ACLs are applied on routed packets. For routed packets, the ACLs are applied

in this order:

1. VLAN map for input VLAN

2. Input router ACL

3. Output router ACL

4. VLAN map for output VLAN

Figure 25-8 Applying ACLs on Routed Packets

Frame

Fallback bridge

VLAN 10

Host A

(VLAN 10)

Packet

101358

VLAN 20

Host B

(VLAN 20)

VLAN 10

map

VLAN 20

map

Frame

Routing function

VLAN 10

Host A

(VLAN 10)

Packet

101359

VLAN 20

Host B

(VLAN 20)

VLAN 10

map

Input

router

ACL

Output

router

ACL

VLAN 20

map

Main Page

Default Chapter3
- Table of Contents3
- Obtaining Documentation35
  - Ordering Documentation36
- Related Publications35
- Documentation Feedback36
- Obtaining Technical Assistance36
- Obtaining Additional Publications and Information37
- Features39
Chapter 1 Overview40
- Default Settings after Initial Switch Configuration46
- Network Configuration Examples49
- Where to Go Next54
Understanding Command Modes55
CHAPTER 2 C H a P T E R 2 Using the Command-Line Interface56
Understanding the Help System57
Understanding Abbreviated Commands58
Understanding no and Default Forms of Commands58
Using Command History59
- Changing the Command History Buffer Size59
Understanding CLI Error Messages59
- Recalling Commands60
- Disabling the Command History Feature60
Using Editing Features60
- Enabling and Disabling Editing Features61
- Editing Commands through Keystrokes61
- Editing Command Lines that Wrap62
Searching and Filtering Output of Show and more Commands63
Accessing the CLI63
- Accessing the CLI through a Console Connection or through Telnet64
- Accessing the CLI from a Browser64
Chapter 3 Assigning the Switch IP Address and Default Gateway65
- Understanding the Boot Process65
- Assigning Switch Information66
- Checking and Saving the Running Configuration74
- Modifying the Startup Configuration74
- Scheduling a Reload of the Software Image79
  - Configuring a Scheduled Reload79
  - Displaying Scheduled Reload Information80
Chapter 4 Configuring IE2100 CNS Agents81
- Understanding IE2100 Series Configuration Registrar Software81
- Understanding CNS Embedded Agents85
- Configuring CNS Embedded Agents86
- Displaying CNS Configuration92
- Managing the System Time and Date93
  - Understanding the System Clock94
  - Understanding Network Time Protocol94
Chapter 5 Administering the Switch94
- Configuring NTP96
  - Default NTP Configuration96
- Configuring NTP Authentication97
- Configuring NTP Associations98
- Configuring NTP Broadcast Service99
- Configuring NTP Access Restrictions100
- Configuring the Source IP Address for NTP Packets102
  - Configuring Time and Date Manually103
- Displaying the NTP Configuration103
  - Configuring a System Name and Prompt107
Table109
- Creating a Banner110
- Displaying the DNS Configuration110
- Managing the MAC Address Table112
  - Building the Address Table113
  - MAC Addresses and Vlans113
- Default MAC Address Table Configuration114
- Changing the Address Aging Time114
- Removing Dynamic Address Entries114
- Configuring MAC Address Notification Traps115
- Adding and Removing Static Address Entries116
- Displaying Address Table Entries117
  - Managing the ARP Table118
Chapter 6 Configuring SDM Templates119
- Understanding the SDM Templates119
- Configuring the Switch SDM Template120
- Displaying the SDM Templates122
CHAPTER 7 Configuring Switch-Based Authentication123
- Preventing Unauthorized Access to Your Switch123
- Protecting Access to Privileged EXEC Commands124
Controlling Switch Access with TACACS132
- Understanding TACACS132
- TACACS+ Operation134
- Configuring TACACS134
- Displaying the TACACS+ Configuration139
Controlling Switch Access with RADIUS139
- Understanding RADIUS140
- RADIUS Operation141
- Configuring RADIUS142
- Displaying the RADIUS Configuration153
Controlling Switch Access with Kerberos153
- Understanding Kerberos154
- Kerberos Operation156
- Configuring Kerberos157
Configuring the Switch for Local Authentication and Authorization158
Configuring the Switch for Secure Shell159
- Understanding SSH159
- Configuring SSH159
CHAPTER 8 Configuring 802.1X Port-Based Authentication162
- Understanding 802.1X Port-Based Authentication162
- Configuring 802.1X Authentication169
- Displaying 802.1X Statistics and Status179
CHAPTER 9 Configuring Interface Characteristics182
- Understanding Interface Types182
- Using Interface Configuration Mode186
- Configuring Ethernet Interfaces191
- Configuring Layer 3 Interfaces198
- Configuring the System MTU199
- Monitoring and Maintaining the Interfaces200
Chapter 10 Configuring Vlans203
- Understanding Vlans203
  - Supported Vlans205
  - VLAN Port Membership Modes205
- Configuring Normal-Range Vlans206
- Token Ring Vlans208
- Normal-Range VLAN Configuration Guidelines208
- VLAN Configuration Mode Options209
  - VLAN Configuration in Config-Vlan Mode209
  - VLAN Configuration in VLAN Database Configuration Mode209
- Saving VLAN Configuration209
- Default Ethernet VLAN Configuration210
- Creating or Modifying an Ethernet VLAN211
- Deleting a VLAN213
- Assigning Static-Access Ports to a VLAN213
Chapter 11 Configuring VTP237
- Understanding VTP237
- Configuring VTP240
- Default VTP Configuration242
- VTP Configuration Options243
  - VTP Configuration in Global Configuration Mode243
  - VTP Configuration in VLAN Database Configuration Mode243
- VTP Configuration Guidelines244
- Configuring a VTP Server245
- Configuring a VTP Client247
- Disabling VTP (VTP Transparent Mode)248
- Enabling VTP Version 2249
- Enabling VTP Pruning250
- Adding a VTP Client Switch to a VTP Domain251
  - Monitoring VTP252
    - Table252
Chapter 12 Configuring Voice VLAN253
- Understanding Voice VLAN253
  - Cisco IP Phone Voice Traffic254
  - Cisco IP Phone Data Traffic254
- Configuring Voice VLAN255
- Displaying Voice VLAN258
CHAPTER 13 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling260
- Understanding 802.1Q Tunneling260
- C H a P T E R 13 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling260
Configuring 802.1Q Tunneling262
- Default 802.1Q Tunneling Configuration262
- 802.1Q Tunneling Configuration Guidelines262
  - Native Vlans262
  - System MTU263
- 802.1Q Tunneling and Other Features264
- Configuring an 802.1Q Tunneling Port264
Configuring VLAN Mapping265
- Default VLAN Mapping Configuration266
- Mapping Customer Vlans to Service-Provider Vlans266
- Mapping Customer 802.1Q Traffic with VLAN Ids267
Understanding Layer 2 Protocol Tunneling268
Configuring Layer 2 Protocol Tunneling270
- Default Layer 2 Protocol Tunneling Configuration271
- Layer 2 Protocol Tunneling Configuration Guidelines271
- Configuring Layer 2 Tunneling272
Monitoring and Maintaining Tunneling and Mapping Status274
Understanding Spanning-Tree Features275
- Configuring STP276
- Understanding Spanning-Tree Features276
Chapter 14 Configuring STP276
- STP Overview276
- Spanning-Tree Topology and Bpdus277
- Bridge ID, Switch Priority, and Extended System ID278
- Spanning-Tree Interface States278
  - Blocking State279
  - Listening State280
  - Learning State280
  - Forwarding State280
  - Disabled State281
- How a Switch or Port Becomes the Root Switch or Root Port281
- Spanning Tree and Redundant Connectivity282
- Spanning-Tree Address Management282
- Accelerated Aging to Retain Connectivity282
- Spanning-Tree Modes and Protocols283
- Supported Spanning-Tree Instances284
  - Spanning-Tree Interoperability and Backward Compatibility284
  - STP and IEEE 802.1Q Trunks284
  - VLAN-Bridge Spanning Tree285
  - Configuring Spanning-Tree Features285
- Default Spanning-Tree Configuration285
- Spanning-Tree Configuration Guidelines286
- Changing the Spanning-Tree Mode287
- Disabling Spanning Tree288
- Configuring the Root Switch288
- Configuring a Secondary Root Switch290
- Configuring Port Priority291
- Configuring Path Cost292
- Configuring the Switch Priority of a VLAN293
- Configuring Spanning-Tree Timers294
  - Configuring the Hello Time294
  - Configuring the Forwarding-Delay Time for a VLAN295
  - Configuring the Maximum-Aging Time for a VLAN295
  - Displaying the Spanning-Tree Status296
    - Table296
Chapter 15 Configuring MSTP297
- Understanding MSTP298
- Understanding RSTP302
- Configuring MSTP Features307
- Default MSTP Configuration308
- MSTP Configuration Guidelines308
- Specifying the MST Region Configuration and Enabling MSTP309
- Configuring the Root Switch310
- Configuring a Secondary Root Switch312
- Configuring Port Priority313
- Configuring Path Cost314
- Configuring the Switch Priority315
- Configuring the Hello Time315
- Configuring the Forwarding-Delay Time316
- Configuring the Maximum-Aging Time317
- Configuring the Maximum-Hop Count317
- Specifying the Link Type to Ensure Rapid Transitions318
  - Displaying the MST Configuration and Status319
- Restarting the Protocol Migration Process318
Understanding Optional Spanning-Tree Features321
CHAPTER 16 Configuring Optional Spanning-Tree Features322
- Understanding Optional Spanning-Tree Features322
- Understanding Port Fast322
  - Configuring Optional Spanning-Tree Features322
- Understanding BPDU Guard323
- Understanding BPDU Filtering323
- Understanding Uplinkfast324
- Understanding Backbonefast325
- Understanding Root Guard327
  - Configuring Optional Spanning-Tree Features328
- Understanding Loop Guard328
- Default Optional Spanning-Tree Configuration329
- Optional Spanning-Tree Configuration Guidelines329
- Enabling Port Fast330
- Enabling BPDU Guard331
- Enabling BPDU Filtering332
- Enabling Uplinkfast for Use with Redundant Links333
- Enabling Backbonefast334
- Enabling Root Guard334
- Enabling Loop Guard335
  - Displaying the Spanning-Tree Status336
    - Table336
Chapter 17 Configuring IGMP Snooping and MVR338
- Leaving a Multicast Group340
- Immediate-Leave Processing341
Understanding IGMP Snooping338
- Joining a Multicast Group338
Configuring IGMP Snooping341
- Default IGMP Snooping Configuration341
- Enabling or Disabling IGMP Snooping342
- Setting the Snooping Method342
- Configuring a Multicast Router Port344
- Configuring a Host Statically to Join a Group345
- Enabling IGMP Immediate-Leave Processing346
Displaying IGMP Snooping Information346
Understanding Multicast VLAN Registration348
- Using MVR in a Multicast Television Application349
Configuring MVR350
- Default MVR Configuration350
- MVR Configuration Guidelines and Limitations351
- Configuring MVR Global Parameters351
- Configuring MVR Interfaces353
Displaying MVR Information354
Configuring IGMP Filtering355
- Default IGMP Filtering Configuration355
- Configuring IGMP Profiles355
- Applying IGMP Profiles356
- Setting the Maximum Number of IGMP Groups357
Displaying IGMP Filtering Configuration358
CHAPTER 18 Configuring Port-Based Traffic Control359
- Configuring Storm Control359
  - Understanding Storm Control359
Configuring Storm Control360
- C H a P T E R 18 Configuring Port-Based Traffic Control361
- Default Storm Control Configuration361
- Enabling Storm Control361
Configuring Protected Ports362
- Default Protected Port Configuration362
- Protected Port Configuration Guidelines363
- Configuring a Protected Port363
Configuring Port Blocking363
- Default Port Blocking Configuration363
- Blocking Flooded Traffic on an Interface364
Configuring Port Security364
- Understanding Port Security365
  - Secure MAC Addresses365
  - Security Violations366
- Default Port Security Configuration367
- Configuration Guidelines367
- Enabling and Configuring Port Security368
- Enabling and Configuring Port Security Aging371
Displaying Port-Based Traffic Control Settings372
Chapter 19 Configuring CDP373
- Understanding CDP373
- Configuring CDP374
- Monitoring and Maintaining CDP377
Chapter 20 Configuring UDLD379
- Understanding UDLD379
  - Modes of Operation379
  - Methods to Detect Unidirectional Links380
- Configuring UDLD382
- Displaying UDLD Status384
Chapter 21 Configuring SPAN and RSPAN385
- Understanding SPAN and RSPAN385
- Configuring SPAN and RSPAN393
- Displaying SPAN and RSPAN Status407
Chapter 22 Configuring RMON409
- Understanding RMON409
- Configuring RMON410
- Displaying RMON Status414
Chapter 23 Configuring System Message Logging415
- Understanding System Message Logging415
- Configuring System Message Logging416
  - System Log Message Format416
- Default System Message Logging Configuration417
  - Table417
- Disabling Message Logging418
- Setting the Message Display Destination Device418
- Synchronizing Log Messages419
- Enabling and Disabling Timestamps on Log Messages421
- Enabling and Disabling Sequence Numbers in Log Messages421
- Defining the Message Severity Level422
  - Limiting Syslog Messages Sent to the History Table and to SNMP423
- Configuring UNIX Syslog Servers424
Chapter 24 Configuring SNMP427
- Understanding SNMP427
- Configuring SNMP431
- Default SNMP Configuration432
- SNMP Configuration Guidelines432
- Disabling the SNMP Agent433
- Configuring Community Strings433
- Configuring SNMP Groups and Users434
- Configuring SNMP Notifications436
- Setting the Agent Contact and Location Information439
- Limiting TFTP Servers Used through SNMP439
- SNMP Examples440
  - Displaying SNMP Status441
Chapter 25 Configuring Network Security with Acls443
- Understanding Acls443
  - Supported Acls444
  - Handling Fragmented and Unfragmented Traffic447
- Configuring IP Acls448
- Creating Named MAC Extended Acls467
  - Applying a MAC ACL to a Layer 2 Interface468
- Configuring VLAN Maps469
- Using VLAN Maps with Router Acls476
  - Guidelines476
  - Examples of Router Acls and VLAN Maps Applied to Vlans477
- Displaying ACL Configuration480
Chapter 26 Configuring Qos481
- Understanding Qos482
- Understanding Hierarchical Qos499
- Configuring Auto-Qos509
- Displaying Auto-Qos Information517
- Configuring Standard Qos517
- Displaying Standard Qos Information555
- Configuring Hierarchical Qos556
- Displaying Hierarchical Qos Information581
- Understanding Etherchannels583
- Etherchannel Overview584
  - C H a P T E R 27 Configuring Etherchannels584
- Port-Channel Interfaces585
- Port Aggregation Protocol586
  - Pagp Modes586
  - Pagp Interaction with Other Features587
- Link Aggregation Control Protocol587
  - LACP Modes588
  - LACP Interaction with Other Features588
- Load Balancing and Forwarding Methods588
CHAPTER 27 Configuring Etherchannels590
- Default Etherchannel Configuration591
- Etherchannel Configuration Guidelines591
- Configuring Layer 2 Etherchannels592
- Configuring Layer 3 Etherchannels594
  - Creating Port-Channel Logical Interfaces594
  - Configuring the Physical Interfaces595
- Configuring Etherchannel Load Balancing597
- Configuring the Pagp Learn Method and Priority598
- Configuring LACP Hot-Standby Ports599
Chapter 28 Configuring IP Unicast Routing603
- Understanding IP Routing604
- Steps for Configuring Routing605
- Configuring IP Addressing606
- Enabling IP Unicast Routing619
- Configuring RIP620
- Configuring IGRP625
- Configuring OSPF630
- Configuring EIGRP639
- Configuring BGP645
- Configuring ISO CLNS Routing665
- Configuring Multi-VRF CE678
- Configuring Protocol-Independent Features688
- Monitoring and Maintaining the IP Network702
Chapter 29 Configuring HSRP703
- Understanding HSRP703
- Configuring HSRP705
- Displaying HSRP Configurations712
Chapter 30 Configuring MPLS and Eompls713
- Understanding MPLS Services713
- Understanding MPLS Vpns714
- Configuring MPLS Vpns718
- Understanding Eompls724
  - Interaction with Other Features725
  - Eompls Limitations726
- Enabling Eompls727
- Configuring MPLS and Eompls Qos730
  - Understanding MPLS Qos730
  - Enabling MPLS and Eompls Qos732
    - Default MPLS and Eompls Qos Configuration732
    - Setting the Priority of Packets with Experimental Bits732
- Monitoring and Maintaining MPLS and Eompls734
Chapter 31 Configuring IP Multicast Routing735
- Understanding Cisco's Implementation of IP Multicast Routing736
- Configuring IP Multicast Routing742
- Configuring Advanced PIM Features756
- Configuring Optional IGMP Features760
- Configuring Optional Multicast Routing Features765
- Configuring Basic DVMRP Interoperability Features770
- Configuring Advanced DVMRP Interoperability Features775
- Monitoring and Maintaining IP Multicast Routing783
Chapter 32 Configuring MSDP787
- Understanding MSDP787
  - MSDP Operation788
  - MSDP Benefits789
- Configuring MSDP790
- Monitoring and Maintaining MSDP805
Chapter 33 Configuring Fallback Bridging807
- Understanding Fallback Bridging807
- Configuring Fallback Bridging808
Chapter 34 Troubleshooting817
- Recovering from Corrupted Software by Using the XMODEM Protocol818
- Recovering from a Lost or Forgotten Password819
  - Procedure with Password Recovery Enabled820
  - Procedure with Password Recovery Disabled822
- Preventing Autonegotiation Mismatches823
- SFP Module Security and Identification824
- Using Ping824
  - Understanding Ping824
  - Executing Ping825
- Using Layer 2 Traceroute826
- Using IP Traceroute827
  - Understanding IP Traceroute827
  - Executing IP Traceroute828
- Using Debug Commands829
- Using the Show Platform Forward Command830
- Using the Crashinfo File833
Supported Mibs835
- MIB List835
- Using FTP to Access the MIB Files837
Appendix839
Working with the Cisco IOS File System, Configuration Files, and Software Images839
- Working with the Flash File System839
- Working with Configuration Files846
- Working with Software Images857
  - Image Location on the Switch857
  - Tar File Format of Images on a Server or Cisco.com857
Appendix871
Unsupported Commands in Cisco IOS Release12.1(14)AX871
- Access Control Lists871
  - Unsupported Privileged EXEC Commands871
  - Unsupported Global Configuration Commands871
- Arp871
- Hsrp874
Mpls879
Msdp879
- Unsupported Privileged EXEC Commands879
- Radius879
Snmp880
- Unsupported Global Configuration Commands880
- Spanning Tree880
  - Unsupported Interface Configuration Commands880
- Virtual Forwarding Infrastructure (VFI880
  - Unsupported Privileged EXEC Commands880
Vlan880
- Unsupported Vlan-Config Commands880
- Unsupported Privileged EXEC Commands881
- Unsupported User EXEC Commands881
Vtp881
I N D E X883

Cisco Catalyst 3750 - Acls and Bridged Packets; Acls and Routed Packets

Table of Contents

Other manuals for Cisco Catalyst 3750

Related product manuals