The commands shown in this chapter apply to the Catalyst 8540 MSR, Catalyst 8510 MSR, and LightStream 1010. Where an entire command or certain attributes of a command have values specific to a particular switch, an exception is indicated by the following callouts:
To filter ATM signalling call failures based on the incoming interface of the call, use the incoming-port ATM signalling diagnostics configuration command. To return the incoming port to the default, use the no form of this command.
incoming-port atm card/subcard/port
card/subcard/port | Specifies the card, subcard, and port number of the ATM interface. The card number is displayed using the show interface command. The subcard number can be either |
0
ATM signalling diagnostics configuration
The default 0 means the incoming interface is not considered during filtering.
The following example configures ATM 0/1/1 so all previous records collected on the incoming port are purged.
Switch# configure terminal
Switch(config)# controller atm 0/0/0
Switch(config-if)# atm signalling diagnostics 1
Switch(cfg-atmsig-diag)# incoming-port atm 0/1/1
To configure an interface type and enter interface configuration mode, use the interface global configuration command.
interface type card/subcard/port
To configure a subinterface, use the interface global configuration command.
interface type card/subcard/port.vpt#
type | Type of interface to be configured. Refer to Table 9-1 for a list of keywords. |
number | Integer used to identify the interface. |
card | Interface card number. These numbers are assigned at the factory at the time of installation or when added to a system, and can be displayed with the show interface command. |
subcard | Backplane slot number. The value can be 0 or 1. The slots are numbered from left to right. |
port | Port number of the interface. |
.vpt# | Virtual path tunnel number for the subinterface on physical ATM ports. |
.subinterface# | Subinterface number in the range 1 to 4294967293. The number that precedes the period (.) must match the number of the interface to which this subinterface belongs. |
multipoint | Specifies a multipoint subinterface. This option only applies to the route processor interface ATM 0. |
point-to-point | Specifies a point-to-point subinterface. The default is multipoint. This option only applies to the route processor interface ATM 0. |
Global configuration
Multiple subinterfaces can be configured on a single route processor interface.
The route processor and Ethernet interface address is 0 in the ATM switch router environment.
Multiple subinterfaces for VP tunneling can be configured on a single ATM interface (other than a route processor interface). VP tunnels are useful when you want to run signalling, ILMI, and possibly PNNI routing between two switches that are not directly connected to each other. Prior to configuring the subinterface, a permanent virtual path must be configured on the ATM interface using the atm pvp command. Then the subinterface for the VP tunnel can be created, specifying the VPI used to define the PVP as the subinterface number.
| Keyword | Interface Type |
|---|---|
| async | Auxiliary port line used as an asynchronous interface. |
| atm | ATM interface. |
| bvi | Bridge-group virtual interface. |
| cbr | CBR interface. |
| cable | CMTS interface. |
| dialer | Dialer interface. |
| ethernet | Ethernet IEEE 802.3 interface. |
| group-async | Master asynchronous interface. |
| lex | Lex interface. |
| loopback | Software-only loopback interface that emulates an interface that is always running. It is a virtual interface supported on all platforms. The interface number is the number of the loopback interface you want to create or configure. There is no limit on the number of loopback interfaces you can create. |
| null | Null interface. |
| port-channel | Ethernet channel of interfaces. |
| serial | Serial interface. |
| tunnel | Tunnel interface, used to declare a TSP tunnel interface. The tunnel interface number is in the range of 0 to 65535. |
| virtual-template | Virtual template interface. |
| virtual-tokenring | Virtual Token Ring interface. |
| vlan | Catalyst 5000 VLAN interface. |
The following example begins configuration of the ATM interface on card 0, subcard 0, and port 1 using the interface global configuration command.
Switch# configure terminal
Switch(config)# interface atm 0/0/1
Switch(config-if)#
The following example creates a VP tunnel with VPI 50 on card 0, subcard 0, and port 1, and enters the subinterface configuration mode for the VP tunnel using the interface global configuration command.
Switch(config)# interface atm 0/0/1
Switch(config-if)# atm pvp 50
Switch(config-if)# interface atm 0/0/1.50
Switch(config-subif)#
The following example begins configuration of the route processor interface using the interface global configuration command.
Switch(config)# interface atm 0
Switch(config-if)#
The following example creates a point-to-point subinterface on the SAP port and enters the subinterface configuration mode using the interface global configuration command.
Switch(config)# interface atm 0.1 point-to-point
Switch(config-subif)#
The following example begins configuration of the Ethernet interface on the ATM switch router using the interface global configuration command.
Switch(config)# interface ethernet 0
Switch(config-if)#
The following command begins configuration of a CBR interface using the interface global configuration command.
Switch(config)# interface cbr 1/1/1
Switch(config-if)#
The following example illustrates using the interface tunnel command to declare a TSP tunnel interface with interface number 2100.
Switch(config)# interface tunnel 2100
To set a primary or secondary IP address for an interface, use the ip address interface configuration command. To remove an IP address or disable IP processing, use the no form of this command.
ip address ip-address mask [secondary]
ip-address | IP address. |
mask | Mask for the associated IP subnet. |
secondary | Specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address. |
No IP address is defined for the interface.
Interface configuration
This command only applies to the interfaces on the route processor card: main Ethernet 0 or main ATM 0. An interface can have one primary IP address and multiple secondary IP addresses. Packets generated by the switch always use the primary IP address. Therefore, all switches on a segment should share the same primary network number.
Hosts can determine subnet masks using the ICMP Mask Request message. Switches respond to this request with an ICMP Mask Reply message.
You can disable IP processing on a particular interface by removing its IP address with the no ip address command. If the switch detects another host using one of its IP addresses, it prints an error message on the console.
The optional keyword secondary allows you to specify an unlimited number of secondary addresses. Secondary addresses are treated like primary addresses, except the system never generates datagrams other than routing updates with secondary source addresses. IP broadcasts and ARP requests are handled properly, as are interface routes in the IP routing table.
Secondary IP addresses can be used in a variety of situations. The following are the most common applications:
In the following example, 131.108.1.27 is the primary address and 192.31.7.17 and 192.31.8.17 are secondary addresses for main Ethernet 0 interface.
Switch# configure terminal
Switch(config)# interface ethernet 0
Switch(config-if)# ip address 131.108.1.27 255.255.255.0
Switch(config-if)# ip address 192.31.7.17 255.255.255.0 secondary
Switch(config-if)# ip address 192.31.8.17 255.255.255.0 secondary
To define a broadcast address for an interface, use the ip broadcast-address interface configuration command. To restore the default IP broadcast address, use the no form of this command.
ip broadcast-address [ip-address]
ip-address | IP broadcast address for a network. |
Default address is 255.255.255.255 (all ones).
Interface configuration
This command only applies to the interfaces on the route processor card: main Ethernet 0 or main ATM 0.
The following example specifies an IP broadcast address of 172.10.50.4.
Switch# configure terminal
Switch(config)# interface ethernet 0
Switch(config-if)# ip broadcast-address 172.10.50.4
To enable the translation of directed broadcasts to physical broadcasts, use the ip directed-broadcast interface configuration command. To return the directed broadcast to the default, use the no form of this command.
ip directed-broadcast [access-list-number]
access-list-number | Number of the access list. If specified, a broadcast must pass the access list to be forwarded. If not specified, all broadcasts are forwarded. |
Enabled with no list specified.
Interface configuration
This command only applies to the interfaces on the route processor card: main Ethernet 0 or main ATM 0. This feature is enabled only for those protocols configured using the ip forward-protocol global configuration command. An access list might be specified to control which broadcasts are forwarded. When an access list is specified, only those IP packets permitted by the access list are eligible to be translated from directed broadcasts to physical broadcasts.
The following example enables forwarding of IP directed broadcasts on the main Ethernet 0 interface.
Switch# configure terminal
Switch(config)# interface ethernet 0
Switch(config-if)# ip directed-broadcast
To set the MTU size of IP packets sent on an interface, use the ip mtu interface configuration command. To restore the default MTU size, use the no form of this command.
ip mtu bytes
bytes | MTU in bytes. |
Minimum is 128 bytes; maximum depends on the interface medium.
Interface configuration
This command only applies to the interfaces on the route processor card: main Ethernet 0 or main ATM 0. If an IP packet exceeds the MTU set for the interface of the switch, the switch fragments the packet.
All devices on a physical medium must have the same protocol MTU in order to operate.
The following example sets the maximum IP packet size for the first interface to 300 bytes.
Switch# configure terminal
Switch(config)# interface ethernet 0
Switch(config-if)# ip mtu 300
To enable proxy ARP on an interface, use the ip proxy-arp interface configuration command. To disable proxy ARP on the interface, use the no form of this command.
ip proxy-arp
This command has no arguments or keywords.
Enabled
Interface configuration
This command only applies to the interfaces on the route processor card: main Ethernet 0 or main ATM 0.
The following example enables proxy ARP on Ethernet interface 0.
Switch# configure terminal
Switch(config)# interface ethernet 0
Switch(config-if)# ip proxy-arp
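The following is an added example, not part of the Cisco documentation: a Python check that applies the defaults stated above (directed broadcasts enabled with no access list, proxy ARP enabled) to a configuration listing and reports the route processor interfaces where those defaults are still in effect. It assumes a setting that does not appear in an interface block is at the default documented on this page; the sample configuration and function names are constructed for illustration.

```python
import re

# Defaults documented on this page for main Ethernet 0 and main ATM 0.
DEFAULTS = {"directed_broadcast": True, "directed_broadcast_acl": None,
            "proxy_arp": True}

# The page states these commands apply only to the route processor interfaces.
RP_INTERFACES = {"ethernet 0", "atm 0"}

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
interface ethernet 0
 ip address 131.108.1.27 255.255.255.0
 ip directed-broadcast 101
 no ip proxy-arp
!
interface atm 0
 ip address 192.31.7.17 255.255.255.0
!
interface atm 0/0/1
 atm pvp 50
"""


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} per interface block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        header = re.match(r"interface\s+(\S+)\s+(\S+)", raw, re.I)
        if header:
            current = f"{header.group(1).lower()} {header.group(2)}"
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # "!" separator or any other top-level line
    return blocks


def effective_settings(lines):
    """Start from the documented defaults and apply the block's commands."""
    state = dict(DEFAULTS)
    for line in lines:
        words = line.lower().split()
        negated = words[:1] == ["no"]
        if negated:
            words = words[1:]
        if words[:2] == ["ip", "directed-broadcast"]:
            state["directed_broadcast"] = not negated
            has_acl = len(words) > 2 and not negated
            state["directed_broadcast_acl"] = words[2] if has_acl else None
        elif words[:2] == ["ip", "proxy-arp"]:
            state["proxy_arp"] = not negated
    return state


def audit(config):
    """List (interface, finding) pairs for defaults that are still active."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name not in RP_INTERFACES:
            continue
        state = effective_settings(lines)
        if state["directed_broadcast"] and state["directed_broadcast_acl"] is None:
            findings.append((name, "directed broadcasts forwarded with no access list"))
        if state["proxy_arp"]:
            findings.append((name, "proxy ARP enabled"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```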
Use the ip rarp-server interface configuration command to allow the switch to act as a RARP server. To return the RARP server to the default, use the no form of this command.
ip rarp-server ip-address
ip-address | IP address that is to be provided in the source protocol address field of the RARP response packet. Normally, this is set to whatever address you configure as the primary address for the interface. |
Disabled
Interface configuration
This command only applies to the interfaces on the route processor card: main Ethernet 0 or main ATM 0. This feature makes diskless booting of clients possible between network subnets where the client and server are on separate subnets.
RARP server support can be configured on a per-interface basis so the switch does not interfere with RARP traffic on subnets that do not need RARP assistance from the switch.
The switch answers incoming RARP requests only if both of the following two conditions are met:
Use the show ip arp EXEC command to display the contents of the IP ARP cache.
Sun Microsystems makes use of RARP-based and UDP-based network services to facilitate network-based booting of SunOS on their workstations. By bridging RARP packets and using both the ip helper-address interface configuration command and the ip forward-protocol global configuration command, the switch should be able to perform the necessary packet switching to enable booting of Sun workstations across subnets. However, some Sun workstations assume that the sender of the RARP response, in this case the switch, is the host that the client can contact to TFTP-load the bootstrap image. This causes the workstations to fail to boot.
By using the ip rarp-server feature, the switch can be configured to answer these RARP requests, and the client machine should be able to reach its server by having its TFTP requests forwarded through the switch that acts as the RARP server.
To establish static routes, use the ip route global configuration command. To remove static routes, use the no form of this command.
ip route destination-prefix destination-prefix-mask [interface-type card/subcard/port]
destination-prefix | IP address of the target network or subnet. |
destination-prefix-mask | Address mask for the destination address. |
interface-type | Interface type, specified as atm, atm-p, cbr, ethernet, or null. |
card/subcard/port | Identifier of the interface specified by interface-type. |
forward-addr | Forwarding router's IP address. |
metric | Distance metric for this route, in the range of 1 to 255. |
permanent | Specifies this route as a permanent route. |
tag-value | Sets the tag value for this route, in the range of 1 to 4294967295. |
No IP route is specified.
Global configuration
This command does not apply to the route processor interface main ATM 0.
In the following example, an administrative distance of 110 was chosen. In this case, packets for network 10.0.0.0 are routed to the switch at 131.108.3.4 if dynamic information with an administrative distance less than 110 is not available.
Switch# configure terminal
Switch(config)# ip route 10.0.0.0 255.0.0.0 131.108.3.4 110
In the following example, packets for network 131.108.0.0 are routed to the switch at 131.108.6.6.
Switch(config)# ip route 131.108.0.0 255.255.0.0 131.108.6.6
To add a basic security option to all outgoing packets, use the ip security add interface configuration command. To disable the adding of a basic security option to all outgoing packets, use the no form of this command.
ip security add
This command has no arguments or keywords.
Disabled when the security level of the interface is "Unclassified Genser" (or unconfigured). Otherwise, the default is enabled.
Interface configuration
This command only applies to the interfaces on the route processor card: main Ethernet 0 or main ATM 0. If an outgoing packet does not have a security option present, this interface configuration command adds one as the first IP option. The security label added to the option field is the label that was computed for this packet when it first entered the switch. Because this action is performed after all the security tests have been passed, this label is either the same as or is in the range of the interface.
The following example adds a basic security option to each packet leaving main Ethernet interface 0.
Switch# configure terminal
Switch(config)# interface ethernet 0
Switch(config-if)# ip security add
To attach AESOs to an interface, use the ip security aeso interface configuration command. To disable AESOs on an interface, use the no form of this command.
ip security aeso source compartment-bits
source | AESO source. This can be an integer from 0 through 255. |
compartment-bits | Compartment bits, in hexadecimal. |
Disabled
Interface configuration
This command only applies to the interfaces on the route processor card: main Ethernet 0 or main ATM 0. Compartment bits are specified only if this AESO is to be inserted in a packet. On every incoming packet at this level on this interface, these AESOs should be present.
Beyond being recognized, no further processing of AESO information is performed. AESO contents are not checked and are assumed to be valid if the source is listed in the configurable AESO table.
Configuring any per-interface extended IPSO information automatically enables ip security extended-allowed (disabled by default).
In the following example, the extended security option source is defined as 5, and the compartment bits are set to 5.
Switch# configure terminal
Switch(config)# interface ethernet 0
Switch(config-if)# ip security aeso 5 5
ip security eso-info
ip security eso-max
To set the level of classification and authority on the interface, use the ip security dedicated interface configuration command. To reset the interface to the default classification and authorities, use the no form of this command.
ip security dedicated level authority [authority...]
level | Degree of sensitivity of information. The level keywords are listed in Table 9-2. |
authority | Organization that defines the set of security levels that is used in a network. The authority keywords are listed in Table 9-3. |
Disabled
Interface configuration
This command only applies to the interfaces on the route processor card: main Ethernet 0 or main ATM 0.
All traffic entering the system on this interface must have a security option that exactly matches this label. Any traffic leaving via this interface has this label attached.
The following definitions apply to the descriptions of the IPSO in this section:
| Level Keyword | Bit Pattern |
|---|---|
| Reserved4 | 0000 0001 |
| TopSecret | 0011 1101 |
| Secret | 0101 1010 |
| Confidential | 1001 0110 |
| Reserved3 | 0110 0110 |
| Reserved2 | 1100 1100 |
| Unclassified | 1010 1011 |
| Reserved1 | 1111 0001 |
| Authority Keyword | Bit Pattern |
|---|---|
| Genser | 1000 0000 |
| Siop-Esi | 0100 0000 |
| DIA | 0010 0000 |
| NSA | 0001 0000 |
| DOE | 0000 1000 |
The following example sets a confidential level with Genser authority.
Switch# configure terminal
Switch(config)# interface ethernet 0
Switch(config-if)# ip security dedicated confidential Genser
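The following is an added example, not part of the Cisco documentation: Python code that encodes and decodes an IP Basic Security option using the bit patterns in Tables 9-2 and 9-3, and applies the exact-match rule described for ip security dedicated. The option layout (type 130, a length octet, one level octet, then authority octets whose low-order bit marks that another octet follows) comes from RFC 1108 rather than from this page, and the function names are illustrative.

```python
LEVELS = {  # Table 9-2: level keyword bit patterns
    0b00000001: "Reserved4", 0b00111101: "TopSecret", 0b01011010: "Secret",
    0b10010110: "Confidential", 0b01100110: "Reserved3", 0b11001100: "Reserved2",
    0b10101011: "Unclassified", 0b11110001: "Reserved1",
}
AUTHORITIES = {  # Table 9-3: authority keyword bit patterns
    0b10000000: "Genser", 0b01000000: "Siop-Esi", 0b00100000: "DIA",
    0b00010000: "NSA", 0b00001000: "DOE",
}
BSO_TYPE = 130  # Basic Security option type (RFC 1108, not stated on this page)


def build_bso(level, authorities):
    """Encode a label as option bytes: type, length, level, authority flags."""
    level_octet = {name: bits for bits, name in LEVELS.items()}[level]
    by_name = {name: bits for bits, name in AUTHORITIES.items()}
    flags = 0
    for authority in authorities:
        flags |= by_name[authority]
    return bytes([BSO_TYPE, 4, level_octet, flags])


def parse_bso(option):
    """Decode option bytes into (level keyword, frozenset of authorities)."""
    if len(option) < 3 or option[0] != BSO_TYPE:
        raise ValueError("not a Basic Security option")
    length = option[1]
    if length < 3 or length > len(option):
        raise ValueError("bad option length")
    level = LEVELS.get(option[2])
    if level is None:
        raise ValueError(f"unknown level octet {option[2]:#04x}")
    flags = option[3:length]
    for index, octet in enumerate(flags):
        more_follows = bool(octet & 1)      # low-order bit: another octet follows
        is_last = index == len(flags) - 1
        if more_follows == is_last:
            raise ValueError("continuation bit disagrees with option length")
    first = flags[0] if flags else 0
    names = frozenset(name for bits, name in AUTHORITIES.items() if first & bits)
    return level, names


def matches_dedicated(option, level, authorities):
    """True only if the option carries exactly the configured label."""
    try:
        got_level, got_authorities = parse_bso(option)
    except ValueError:
        return False  # malformed or unrecognised option never matches
    return got_level == level and got_authorities == frozenset(authorities)


if __name__ == "__main__":
    # Constructed packets checked against "ip security dedicated confidential Genser".
    samples = {
        "confidential/Genser": build_bso("Confidential", ["Genser"]),
        "secret/Genser": build_bso("Secret", ["Genser"]),
        "confidential/Genser+NSA": build_bso("Confidential", ["Genser", "NSA"]),
    }
    for label, option in samples.items():
        verdict = matches_dedicated(option, "Confidential", ["Genser"])
        print(f"{label:26} {option.hex()}  accepted={verdict}")
```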
To specify the maximum sensitivity level for an interface, use the ip security eso-max interface configuration command. To return to the default, use the no form of this command.
ip security eso-max source compartment-bits
source | ESO source. This is an integer from 1 through 255. |
compartment-bits | Compartment bits, in hexadecimal. |
Disabled
Interface configuration
This command only applies to the interfaces on the route processor card: main Ethernet 0 or main ATM 0.
This command is used to specify the minimum sensitivity level for a particular interface. Before the per-interface compartment information for a particular NLESO source can be configured, the ip security eso-info global configuration command must be used to specify the default information.
On every incoming packet on the interface, these extended security options should be present at the minimum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.
On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.
When transmitting locally generated traffic out this interface or adding security information (with the ip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.
A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of nine of these NLESO sources appear in the IP header of a packet.
In the following example, the specified ESO source is 240, and the compartment bits are specified as 500.
Switch# configure terminal
Switch(config)# interface ethernet 0
Switch(config-if)# ip security eso-max 240 500
To alter the TCP maximum read size for Telnet or rlogin, use the ip tcp chunk-size global configuration command. To restore the default value, use the no form of this command.
ip tcp chunk-size characters
characters | Maximum number of characters that Telnet or rlogin can read in one read instruction. |
0, which Telnet and rlogin interpret as the largest possible 32-bit positive number.
Global configuration
Do not use this command unless you understand why you need to change the default value.
The following example sets the maximum TCP read size to 64000 bytes.
Switch# configure terminal
Switch(config)# ip tcp chunk-size 64000
To alter the maximum TCP outgoing queue per connection, use the ip tcp queuemax global configuration command. To restore the default value, use the no form of this command.
ip tcp queuemax packets
packets | Outgoing queue size of TCP packets. |
The default value is 5 segments if the connection has a TTY associated with it. If there is no TTY associated with it, the default value is 20 segments.
Global configuration
Changing the default value only changes the queue that has a TTY associated with the connection.
The following example sets the maximum TCP outgoing queue to 10 packets.
Switch(config)# ip tcp queuemax 10
To set a period of time the switch waits while attempting to establish a TCP connection before it times out, use the ip tcp synwait-time global configuration command. To restore the default time, use the no form of this command.
ip tcp synwait-time seconds
seconds | Time in seconds the switch waits while attempting to establish a TCP connection. It can be an integer from 5 to 300 seconds. The default is 30 seconds. |
30 seconds
Global configuration
If your network contains PSTN DDR, it is possible that the call setup time exceeds 30 seconds. This amount of time is not sufficient in networks that have dialup asynchronous connections because it affects your ability to Telnet over the interface (from the switch) if the interface must be brought up. If you have this type of network, you might want to set this value to the UNIX value of 75.
Because this is a host parameter, it does not pertain to traffic going through the switch, only to traffic originating at the switch. Because UNIX has a fixed 75-second timeout, hosts are unlikely to see this problem.
The following example configures the switch to continue attempting to establish a TCP connection for 180 seconds.
Switch(config)# ip tcp synwait-time 180
Posted: Mon Aug 16 14:43:17 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.