Cisco Catalyst X4232, Catalyst 4000, WS-X4232-L3 Installation And Configuration Note

Contents
Installation and Configuration Note for the Catalyst 4000 Layer 3 Services Module
Product Numbers: WS-X4232-L3(=)
This installation and configuration note describes how to install and configure the Catalyst 4000 Layer 3 Services module.
This publication contains these sections:
Software Requirements
Features
Configuring IOS Features
Functional Description
Front Panel Description
Specifications
Standards Compliance Specifications
Gigabit Interface Converters
Safety Overview
Translated Safety Warnings
Removing and Installing a Layer 3 Services Module
Accessing the Layer 3 Services Module for the First Time
Upgrading Images
Overview of the Catalyst 4003 and 4006 Layer 3 Services Module Interfaces
Configuration Options
Configuring the Layer 3 Services Module Gigabit Ethernet Interfaces
Configuring the Module for InterVLAN Routing
Configuring Access Control Lists
Configuring Layer 3 QoS
Configuring the Switching Database Manager
Obtaining Documentation
Obtaining Technical Assistance
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright 2001. Cisco Systems, Inc. All rights reserved.
78-10164-03
Software Requirements
The software requirements for the Catalyst 4000 Layer 3 Services module are as follows:
The Catalyst 4000 Layer 3 Services module requires Cisco IOS software version 12.0(7)W5(15d) or later.
The Catalyst 4000 supervisor engine requires Cisco Catalyst software version 5.5(1) or later. We recommend that you run software version 6.1(1) or later.
Features
The Catalyst 4000 Layer 3 Services module provides multiprotocol switching and routing for the Catalyst 4000 family switches.
The 32 10/100 Ethernet interfaces on the module provide full Layer 2 feature support and are configurable from the Catalyst 4000 family switch supervisor engine. Refer to the Software Configuration Guide—Catalyst 4000 Family, 2980G, and 2948G Switches, Software Release 6.1 for information on feature support on the Catalyst 4000 family switches.
For configuration information for the standard IOS features supported on the Catalyst 4000 Layer 3 Services module, see the “Configuring IOS Features” section on page 5.
Table 1 lists the Cisco IOS features available for the Catalyst 4000 Layer 3 Services module.
Table 1 Cisco IOS Features for the Layer 3 Services Module
Layer 2 Bridging Features
  Layer 2 transparent bridging
  Layer 2 MAC learning, aging, and switching by hardware
  Spanning Tree Protocol (IEEE 802.1D) on each bridge group
  A maximum of 16 active bridge groups
  Up to 4000 MAC addresses
  24K CAM¹ is shared by Layer 2 entries, IP routing, IP multicast routing, and Novell IPX routing
VLAN Features
  ISL²-based VLAN trunking on the front panel of Layer 3 Gigabit Ethernet ports only
  802.1Q-based VLAN trunking on all Layer 3 Gigabit Ethernet and Layer 2 Fast Ethernet ports
Layer 3 Routing, Switching, and Forwarding Features
  IP, IPX, and IP multicast routing and switching between Ethernet ports
  CMF³
  Load balancing among equal cost paths based on source and destination IP and IPX addresses
  Load balancing on a per-destination basis
  CEF load balancing on Gigabit Ethernet ports using tunnel or universal load balancing algorithms
  24K CAM is shared by Layer 2 entries, IP routing, IP multicast routing, and Novell IPX routing
  Up to 18,000 IP routes
  Up to 20,000 IP host entries
  Up to 20,000 IPX routes
  Up to 20,000 IPX host entries
  Up to 12,000 IP multicast groups
  RADIUS⁴ server support
Supported Routing Protocols
  AppleTalk
  RIP⁵ and RIP II
  IGRP⁶
  EIGRP⁷
  Local Proxy ARP⁸
  BGP⁹
  OSPF¹⁰
  IPX¹¹ RIP and EIGRP
  PIM¹²—sparse and dense mode
  Secondary addressing
  Static routes
Gigabit EtherChannel Features
  Bundling of up to two Gigabit Ethernet ports
  Load sharing for bridge traffic based on MAC address
  Load sharing based on source and destination IP and IPX addresses of unicast packets
  ISL trunking supported on the external Gigabit EtherChannel
  802.1Q trunking supported on the external and internal Gigabit EtherChannel
  Two active GEC¹³ port channels
Additional Protocols and Features
  Layer 3 QoS¹⁴
  IP access lists standard and extended
  IPX access lists standard
  AppleTalk access lists
  SDM¹⁵
  BOOTP¹⁶
  CDP¹⁷ support on Ethernet ports
  CGMP¹⁸ server support
  DHCP¹⁹ relay
  HSRP²⁰
  ICMP²¹
  IGMP²²
  IPX SAP and SAP²³ filtering
  SNMP²⁴
  TACACS+²⁵
1. CAM=Content addressable memory
2. ISL=Inter-Switch Link
3. CMF=Constrained multicast flooding
4. RADIUS=Remote Authentication Dial-in User Service
5. RIP=Routing Information Protocol
6. IGRP=Interior Gateway Routing Protocol
7. EIGRP=Enhanced Interior Gateway Protocol
8. ARP=Address Resolution Protocol
9. BGP=Border Gateway Protocol
10. OSPF=Open Shortest Path First (Protocol)
11. IPX=Internet Packet Exchange
12. PIM=Protocol Independent Multicast
13. GEC=Gigabit EtherChannel
14. QoS=Quality of Service
15. SDM=Switching Database Manager
16. BOOTP=Bootstrap Protocol
17. CDP=Cisco Discovery Protocol
18. CGMP=Cisco Group Management Protocol
19. DHCP=Dynamic Host Configuration Protocol
20. HSRP=Hot Standby Router Protocol
21. ICMP=Internet Control Message Protocol
22. IGMP=Internet Group Management Protocol
23. SAP=Service Advertising Protocol
24. SNMP=Simple Network Management Protocol
25. TACACS+=Terminal Access Controller Access Control System Plus
Unsupported Features
The following major features are not supported on the Catalyst 4000 Layer 3 Services module:
Multilayer Switching (MLS)
IPX extended access lists
Named IPX SAP access lists
48-bit MAC access lists
48-bit MAC extended access lists
Integrated routing and bridging (IRB), and concurrent routing and bridging (CRB)
ISL trunking on the internal Gigabit Ethernet ports
If a feature does not appear in the list of supported features in this document or in the list of supported features in the Release Notes for Catalyst 4000 Family Layer 3 Services Module, that feature is not supported on the Catalyst 4000 Layer 3 Services module.
Caution We do not recommend that you configure unsupported features, even if you can configure them with the CLI.
Configuring IOS Features
Standard IOS feature configurations and commands are documented in the IOS configuration guides and command reference publications. Table 2 lists the standard IOS features supported on the Catalyst 4000 Layer 3 Services module. For information on configuring these features, refer to the online IOS documents listed with each feature.
Table 2 Documentation Sources for Supported IOS Features
Each feature is followed by its sources and their URLs.
HSRP
  Network Protocols Configuration Guide, Part 1: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt2/1cip.htm#xtocid1322018
  Using HSRP for Fault-Tolerant IP Routing (Internetworking Case Studies): http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs009.htm
  Network Protocols Command Reference, Part 1: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/index.htm
AppleTalk and AppleTalk access lists
  Network Protocols Configuration Guide, Part 2: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np2_c/index.htm
  Network Protocols Command Reference, Part 2: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np2_r/index.htm
Standard IPX access lists
  Network Protocols Configuration Guide, Part 2: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np2_c/index.htm
  Network Protocols Command Reference, Part 2: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np2_r/index.htm
Standard and extended IP access lists
  Network Protocols Configuration Guide, Part 1: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/index.htm
  Network Protocols Command Reference, Part 1: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/index.htm
IP RIP, RIP II, OSPF, EIGRP, IGRP, and BGP
  Network Protocols Configuration Guide, Part 1: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/index.htm
  Network Protocols Command Reference, Part 1: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/index.htm
IPX RIP and EIGRP
  Network Protocols Configuration Guide, Part 2: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np2_c/index.htm
  Network Protocols Command Reference, Part 2: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np2_r/index.htm
IP multicast, multilayer switching, and multicast access lists
  Network Protocols Configuration Guide, Part 1: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/index.htm
  Network Protocols Command Reference, Part 1: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/index.htm
Booting, system and file management, and basic configuration
  Configuration Fundamentals Configuration Guide: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/fun_c/index.htm
  Configuration Fundamentals Command Reference: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/fun_r/index.htm
Local proxy ARP
  Network Protocols Configuration Guide, Part 1: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/index.htm
  Network Protocols Command Reference, Part 1: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/index.htm
RADIUS server
  Security Configuration Guide: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/index.htm
  Security Command Reference: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/index.htm
Note The default TCAM size allocated for access lists by the Switching Database Manager is 1024. If your access list configurations exceed this default size, you can reconfigure the TCAM allocation. See the “Configuring the Switching Database Manager” section on page 74 for information on allocating TCAM space.
Note Access lists are supported on Gigabit Ethernet interfaces only on the Catalyst 4000 Layer 3 Services module.
Functional Description
The Catalyst 4000 Layer 3 Services module is a 32-port Layer 2 10/100 Ethernet module with a 4-port Gigabit Ethernet Layer 3 uplink module. The Catalyst 4000 Layer 3 Services module provides interVLAN routing for the Catalyst 4000 family switch and provides Layer 3 switching between the Gigabit Ethernet interfaces.
The Catalyst 4000 Layer 3 Services module occupies a single slot in the chassis and has two internal full-duplex Gigabit Ethernet interfaces that connect directly to the Catalyst 4000 family switch backplane to provide routing capability to all Layer 2 switch ports in the switch. In addition, there are two external Layer 3 Gigabit Ethernet ports that provide a direct connection to external router or switch ports.
The 32 10/100 Ethernet interfaces are configured from the Catalyst 4000 switch supervisor engine. Refer to the software configuration guide for your switch for Layer 2 configuration information. The two external and two internal Gigabit Ethernet interfaces are configured from the Layer 3 services module console. To configure the Layer 3 services module for interVLAN routing, you also must configure the internal Layer 2 Gigabit Ethernet interfaces from the supervisor engine console.
You can group the two internal Gigabit Ethernet interfaces into two trunks or one Gigabit EtherChannel, or you can configure them as independent interfaces (links). If trunked or channeled, the internal Gigabit Ethernet channel supports trunking using the IEEE 802.1Q protocol. You also can configure each Gigabit Ethernet interface (link) independently as a separate VLAN trunk or nontrunked routed interface.
Caution ISL is supported on the external Layer 3 Gigabit Ethernet ports only. The internal Layer 3 Gigabit Ethernet ports on the Catalyst 4000 Layer 3 Services module do not support ISL. Do not configure ISL on the internal Layer 3 ports.
Note The native VLAN can forward tagged and untagged traffic in microcode. This means that Layer 2 and Layer 3 IP, IPX, and multicast traffic is forwarded in microcode. The native VLAN continues to be used for routing protocol traffic and for ARP, ping, CDP, and session-related packets, which are handled by the CPU.
Note The default native VLAN is VLAN 1. You must configure the native VLAN on the Catalyst 4000 Layer 3 Services module and the Catalyst 4000 supervisor engine to match in order to handle CPU-related traffic.
Front Panel Description
Figure 1 shows the front panel of the Layer 3 services module. The features of the front panel are described in more detail in the following sections.
Figure 1 Front Panel of the Layer 3 Services Module
LEDs
Table 3 describes the LEDs on the Catalyst 4000 Layer 3 Services module.
Table 3 LEDs on the Catalyst 4003 and 4006 Layer 3 Services Module
LED State Description
STATUS (module) This LED displays the results of a series of self-tests and diagnostic tests performed by the switch.
Green All the tests pass.
Red A test other than an individual port test failed.
Orange System boot, self-test diagnostics running, or the module is disabled.
LINK This LED displays the 10/100 management port status.
Green A signal is detected.
Off No signal is detected.
Port Number G1 and G2¹ These LEDs display individual Gigabit Ethernet port status.
Green A 1000-Mbps link is detected.
Off No signal is detected.
Port Number¹ 3–34 These LEDs display individual 10/100 Ethernet port status.
Green A 100-Mbps link is detected.
Orange A 10-Mbps link is detected.
Off No signal is detected.
1. Each port has an LED labeled with the port number associated with it. This is the link LED that indicates port status.
Connectors
Table 4 lists the front panel connectors on the Catalyst 4000 Layer 3 Services module.
Table 4 Front Panel Connectors on the Catalyst 4003 and 4006 Layer 3 Services Module
Port Connector
Console RJ-45
10/100MGT RJ-45
10/100BASE-TX RJ-45
1000BASE-X SC
Specifications
Table 5 lists the specifications for the Catalyst 4000 Layer 3 Services module.
Table 5 Catalyst 4003 and 4006 Layer 3 Services Module Specifications
Specification Description
Dimensions (H x W x D) 1.18 x 15.51 x 16.34 in. (30 x 394 x 415 mm)
Weight Minimum: 3 lb. (1.36 kg); Maximum: 5 lb. (2.27 kg)
Environmental conditions:
  Operating temperature 32 to 104°F (0 to 40°C)
  Nonoperating temperature –40 to 167°F (–40 to 75°C)
  Humidity 10 to 90%, noncondensing
Maximum station-to-station cabling distance:
  10BASE-T Ethernet, Categories 3–5 UTP¹ and 100-ohm FTP²: 328 ft. (100 m), half or full duplex
  Console: Categories 3–5 UTP and 100-ohm FTP: 328 ft. (100 m)
  10/100BASE-TX Ethernet: Category 5 UTP and 100-ohm FTP: 328 ft. (100 m), half or full duplex
  1000BASE-X: See Table 7
Frame processing Transparent bridging (IEEE 802.1d)
Network management Cisco Discovery Protocol, Ethernet MIB (RFC 1398), Interface Table (RFC 1573), Bridge MIB (RFC 1493), Ethernet Repeater MIB (RFC 1516), RMON MIB (RFC 1757), Cisco Workgroup MIB, and Cisco VLAN Trunking Protocol
1. UTP = unshielded twisted-pair
2. FTP = foil twisted-pair
Standards Compliance Specifications
When properly installed in the chassis, the Catalyst 4000 Layer 3 Services module complies with the standards listed in Table 6.
Table 6 Standards Compliance
Specification Description
Compliance: CE Marking
Safety UL¹ 1950, CSA²-C22.2 No. 950, EN³60950, IEC⁴950, TS⁵001, AS/NZS⁶3260
EMI⁷ CFR 47, Part 15, class A (FCC),⁸ ICES 003 class A,⁹ EN55022, class A with UTP,¹⁰ EN55022, class B with FTP,¹¹ CISPR 22, class A with UTP, CISPR 22, class B with FTP, AS/NZ 3548, class A with UTP, AS/NZ 3548, class B with FTP, VCCI, class A with UTP,¹² VCCI, class B with FTP, EN55024, CE marking.
1. UL = Underwriters Laboratories
2. CSA = Canadian Standards Association
3. EN = Europäische Norm
4. IEC = International Electrotechnical Commission
5. TS = Technical Standard
6. AS/NZS = Australian/New Zealand Standard
7. EMI = electromagnetic interference
8. FCC = U.S. Federal Communications Commission
9. ICES = Interference-Causing Equipment Standard
10. UTP = unshielded twisted-pair
11. FTP = foil twisted-pair
12. VCCI = Voluntary Control Council for Information Technology Equipment
Gigabit Interface Converters
A gigabit interface converter (GBIC), shown in Figure 2, is a hot-swappable I/O (transceiver) device that plugs into the module’s Gigabit Ethernet port, linking the port with the fiber-optic network. The following GBIC types are supported:
1000BASE-SX (WS-G5484)
1000BASE-LX/LH (WS-G5486)
1000BASE-ZX (WS-G5487)
Figure 2 Gigabit Interface Converter
Note Cisco 1000BASE-LX/LH interfaces fully comply with the IEEE 802.3z 1000BASE-LX standard. However, the higher optical quality of the 1000BASE-LX/LH allows them to reach 10 km over single-mode fiber (SMF), as compared to the 5 km specified in the standard.
Note Because of interoperability issues, Cisco does not support GBICs purchased from third-party vendors.
GBIC Cabling Distances
Table 7 lists the recommended maximum station-to-station cabling distances for the supported types of GBICs.
Table 7 GBIC Station-to-Station Cabling Distances
GBIC    Wavelength (nm)   Fiber Type   Core Size (microns)   Modal Bandwidth (MHz/km)   Maximum Cable Distance
SX      850               MMF¹         62.5                  160                        722 ft. (220 m)
SX      850               MMF          62.5                  200                        902 ft. (275 m)
SX      850               MMF          50.0                  400                        1640 ft. (500 m)
SX      850               MMF          62.5                  500                        1804 ft. (550 m)
LX/LH   1300              MMF¹         62.5                  500                        1804 ft. (550 m)
LX/LH   1300              MMF          50.0                  400                        1804 ft. (550 m)
LX/LH   1300              MMF          50.0                  500                        1804 ft. (550 m)
LX/LH   1300              SMF²         9/10                  -                          6.2 mi (10 km)
ZX      1550              SMF²         9/10                  -                          43.5 mi (70 km)
ZX      1550              SMF³         8                     -                          62.1 mi (100 km)
1. MMF=multimode fiber
2. SMF=single-mode fiber
3. A dispersion-shifted single-mode fiber-optic cable is required for 62.1 mi (100 km) distance
Note The minimum cabling distance for GBICs is 6.5 feet (2 meters).
GBIC Optical Power Characteristics
Table 8 provides the optical power characteristics of the GBIC.
Table 8 GBIC Optical Power Characteristics
Parameter                            1000BASE-SX (WS-G5484)   1000BASE-LX/LH (WS-G5486)   1000BASE-ZX (WS-G5487)
Transmitter output power (min/max)   0/–9.5 dBm               –3/–9.5 dBm                 0/4.77 dBm
Receiver maximum input power         0 dBm                    –3 dBm                      –3 dBm
Receiver sensitivity                 –17 dBm                  –19 dBm                     –23 dBm
Channel insertion loss:
50/125 micron MMF                    3.4 dBm                  4.4 dBm                     N/A
62.5/125 micron MMF                  3.2 dBm                  6 dBm                       N/A
9/10 micron SMF                      N/A                      6.5 dBm                     21.5 dBm
GBIC Cabling Restrictions
You must observe the following optical-fiber cabling restrictions when using GBICs:
The minimum cabling distance for 1000BASE-SX and 1000BASE-LX/LH GBICs is 6.5 feet (2 meters).
When using the 1000BASE-LX/LH GBIC with 62.5-micron diameter MMF, you must install a mode-conditioning patch cord between the MMF fiber-optic network and the GBIC whenever the link distance is less than 100 meters or greater than 300 meters. For distances less than 100 meters, the mode-conditioning patch cord reduces the amount of optical power coupled into the MMF. For link distances greater than 300 meters, the mode-conditioning patch cord reduces differential mode delay by offsetting the laser light. The mode-conditioning patch cord (CAB-GELX-625 or equivalent) is required to comply with IEEE standards. The IEEE found that link distances could not be met with certain types of fiber-optic cable cores. The solution is to launch light from the laser at a precise offset from the center by using the mode-conditioning patch cord. At the output of the patch cord, the LX/LH GBIC is compliant with the IEEE 802.3z standard for 1000BASE-LX.
You must insert a 10-dB inline optical attenuator between the single-mode fiber-optic network and the receiving port on the 1000BASE-ZX GBIC at each end of the link if the link length is less than 15.5 miles (25 km).
You must insert a 5-dB inline optical attenuator between the single-mode fiber-optic network and the receiving port on the 1000BASE-ZX GBIC at each end of the link if the link is greater than 15.5 miles (25 km), but less than 31 miles (50 km).
Safety Overview
Safety warnings appear throughout this publication in procedures that, if performed incorrectly, may harm you. A warning symbol precedes each warning statement.
Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translations of the warnings that appear in this publication, refer to the Regulatory Compliance and Safety Information document that accompanied this device.
Warning Only trained and qualified personnel should be allowed to install or replace this equipment.
Translated Safety Warnings
This section translates in multiple languages the warnings for the Catalyst 4000 Layer 3 Services module.
Warning Definition
Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translations of the warnings that appear in this publication, refer to the "Translated Safety Warnings" section in this document.
Safety Information Referral Warning
Warning
Before you install, operate, or service the system, read the Site Preparation and Safety Guide. This guide contains important safety information you should know before working with the system.
Waarschuwing
Lees de handleiding Voorbereiding en veiligheid van de locatie Handleiding voordat u het systeem installeert of gebruikt of voordat u onderhoud aan het systeem uitvoert. Deze handleiding bevat belangrijke beveiligingsvoorschriften waarvan u op de hoogte moet zijn voordat u met het systeem gaat werken.
Varoitus
Ennen kuin asennat järjestelmän tai käytät tai huollat sitä, lue Asennuspaikan valmistelu-jaturvaopas -opasta. Tässä oppaassa on tärkeitä turvallisuustietoja, jotka tulisi tietää ennen järjestelmän käyttämistä.
Attention
Avant d'installer le système, de l'utiliser ou d'assurer son entretien, veuillez lire le Guide de sécurité et de préparation du site. Celui-ci présente des informations importantes relatives à la sécurité, dont vous devriez prendre connaissance.
Warnung
Warnhinweis Bevor Sie das System installieren, in Betrieb setzen oder warten, lesen Sie die Anleitung zur Standortvorbereitung und Sicherheitshinweise. Dieses Handbuch enthält wichtige Informationen zur Sicherheit, mit denen Sie sich vor dem Verwenden des Systems vertraut machen sollten.
Avvertenza
Prima di installare, mettere in funzione o effettuare interventi di manutenzione sul sistema, leggere le informazioni contenute nella documentazione sulla Guida alla sicurezza. Tale guida contiene importanti informazioni che è necessario acquisire prima di iniziare qualsiasi intervento sul sistema.
Advarsel
Før du installerer, tar i bruk eller utfører vedlikehold på systemet, må du lese Veiledning for stedsklargjøring og sikkerhet. Denne håndboken inneholder viktig informasjon om sikkerhet som du bør være kjent med før du begynner å arbeide med systemet.
Aviso
Antes de instalar, funcionar com, ou prestar assistência ao sistema, leia o Guia de Preparação e Segurança do Local. Este guia contém informações de segurança importantes que deve conhecer antes de trabalhar com o sistema.
¡Advertencia!
Antes de instalar, manejar o arreglar el sistema, le aconsejamos que consulte la Guía de prevención y preparación de una instalación. Esta guía contiene importante información para su seguridad que debe saber antes de comenzar a trabajar con el sistema.
Varning!
Innan du installerar, använder eller utför service på systemet ska du läsa Förberedelser och säkerhet Handbok. Denna handbok innehåller viktig säkerhetsinformation som du bör känna till innan du arbetar med systemet.
Qualified Personnel Warning
Warning
Only trained and qualified personnel should be allowed to install or replace this equipment.
Waarschuwing
Installatie en reparaties mogen uitsluitend door getraind en bevoegd personeel uitgevoerd worden.
Varoitus
Ainoastaan koulutettu ja pätevä henkilökunta saa asentaa tai vaihtaa tämän laitteen.
Avertissement
Tout installation ou remplacement de l'appareil doit être réalisé par du personnel qualifié et compétent.
Achtung
Gerät nur von geschultem, qualifiziertem Personal installieren oder auswechseln lassen.
Avvertenza
Solo personale addestrato e qualificato deve essere autorizzato ad installare o sostituire questo apparecchio.
Advarsel
Kun kvalifisert personell med riktig opplæring bør montere eller bytte ut dette utstyret.
Aviso
Este equipamento deverá ser instalado ou substituído apenas por pessoal devidamente treinado e qualificado.
¡Atención!
Estos equipos deben ser instalados y reemplazados exclusivamente por personal técnico adecuadamente preparado y capacitado.
Varning
Denna utrustning ska endast installeras och bytas ut av utbildad och kvalificerad personal.
Blank Faceplate Installation Requirement Warning
Warning
Blank faceplates (filler panels) serve three important functions: they prevent exposure to hazardous voltages and currents inside the chassis; they contain electromagnetic interference (EMI) that might disrupt other equipment; and they direct the flow of cooling air through the chassis. Do not operate the system unless all cards and faceplates are in place.
Waarschuwing
Lege vlakplaten (vulpanelen) vervullen drie belangrijke functies: ze voorkomen blootstelling aan gevaarlijke voltages en elektrische stroom binnenin het chassis; ze beperken elektromagnetische storing hetgeen andere apparaten kan storen en ze leiden een stroom van koellucht door het chassis. Bedien het systeem niet tenzij alle kaarten en vlakplaten zich op hun plaats bevinden.
Varoitus
Tyhjillä kansilaatoilla (peitelevyillä) on kolme tehtävää: ne suojaavat vaarallisilta asennuspohjan sisäisiltä jännitteiltä ja virroilta; suojaavat sähkömagneettiselta häiriöltä (EMI), joka voi haitata muiden laitteiden toimintaa; ja ohjaavat jäähdytysilmavirran asennuspohjan läpi. Laitetta ei saa käyttää, jos kaikki kortit ja peitelevyt eivät ole paikoillaan.
Attention
Les caches blancs remplissent trois fonctions importantes : ils évitent tout risque de choc électrique à l'intérieur du châssis, ils font barrage aux interférences électromagnétiques susceptibles d'altérer le fonctionnement des autres équipements et ils dirigent le flux d'air de refroidissement dans le châssis. Il est vivement recommandé de vérifier que tous les caches et plaques de protection sont en place avant d'utiliser le système.
Warnung
Unbeschriftete Aufspannplatten (Füllpaneelen) erfüllen drei wichtige Funktionen : sie schützen vor gefährlichen Spannungen und Elektrizität im Innern der Chassis; sie halten elektromagnetische Interferenzen (EMI) zurück, die andere Geräte stören könnten; und sie lenken die Kühlluft durch das Chassis. Nehmen Sie das System nur in Betrieb, wenn alle Karten und Aufspannplatten an vorgesehener Stelle odnungsgemäß installiert sind.
Avvertenza
Le piastre di protezione (panelli di riempimento) hanno tre funzioni molto importanti:Impediscono di esporvi ai voltaggi e le tensioni elettriche pericolose del chassis; trattengono le interferenze elettromagnetiche (EMI) che possono scombussolare altri apparati; e avviano il flusso d'aria di raffreddamento attraverso il chassis. Non operate il sistema se le schede e i pannelli non sono in posizione.
Advarsel
Blanke ytterplater (deksler) har tre viktige funksjoner: De forhindrer utsettelse for farlig spenning og strøm inni kabinettet; de inneholder elektromagnetisk forstyrrelse (EMI) som kan avbryte annet utstyr, og de dirigerer luftavkjølingsstrømmen gjennom kabinettet. Betjen ikke systemet med mindre alle kort og ytterplater sitter på plass.
Aviso
As placas em bruto (painéis de enchimento) desempenham três funções importantes: evitam a exposição a voltagens e correntes perigosas no interior do chassi; protegem de interferências electromagnéticas (IEM) passíveis de afectar outro equipamento; e orientam o fluxo do ar de refrigeração através do chassi. Não pôr o sistema a funcionar sem que todos os cartões e placas estejam no devido lugar.
¡Advertencia!
Los platos en blanco (paneles de relleno) ofrecen tres funciones importantes: previenen la exposición a voltajes peligrosos y corrientes dentro del chasis; contienen interferencias electromagnéticas (EMI) que pueden interrumpir otros equipos; y dirigen el flujo de aire refrigerante a través del chasis. No opere el sistema a menos que todas las tarjetas y platos estén en su lugar.
Varning!
Tomma planskivor (fyllnadspaneler) fyller tre viktiga funktioner: de förhindrar utsättning för farliga spänningar och elströmmar inuti chassit; de förhindrar elektromagnetisk störning (EMI) som skulle kunna rubba annan utrustning; samt de riktar flödet av kylluft genom chassit. Använd inte systemet om inte alla kort och planskivor finns på plats.
Invisible Laser Radiation Warning (other versions available)
Warning
Because invisible laser radiation may be emitted from the aperture of the port when no cable is connected, avoid exposure to laser radiation and do not stare into open apertures.
Waarschuwing
Omdat er onzichtbare laserstraling uit de opening van de poort geëmitteerd kan worden wanneer er geen kabel aangesloten is, dient men om blootstelling aan laserstraling te vermijden niet in de open openingen te kijken.
Varoitus
Kun porttiin ei ole kytketty kaapelia, portin aukosta voi vuotaa näkymätöntä lasersäteilyä. Älä katso avoimiin aukkoihin, jotta et altistu säteilylle.
Attention
Etant donné qu’un rayonnement laser invisible peut être émis par l’ouverture du port quand aucun câble n’est connecté, ne pas regarder dans les ouvertures béantes afin d’éviter tout risque d’exposition au rayonnement laser.
Warnung
Aus der Öffnung des Ports kann unsichtbare Laserstrahlung austreten, wenn kein Kabel angeschlossen ist. Kontakt mit Laserstrahlung vermeiden und nicht in offene Öffnungen blicken.
Avvertenza
Poiché quando nessun cavo è collegato alla porta, da quest’ultima potrebbe essere emessa radiazione laser invisibile, evitare l’esposizione a tale radiazione e non fissare con gli occhi porte a cui non siano collegati cavi.
Advarsel
Usynlige laserstråler kan sendes ut fra åpningen på utgangen når ingen kabel er tilkoblet. Unngå utsettelse for laserstråling og se ikke inn i åpninger som ikke er tildekket.
Aviso
Evite uma exposição à radiação laser e não olhe através de aberturas expostas, porque poderá ocorrer emissão de radiação laser invisível a partir da abertura da porta, quando não estiver qualquer cabo conectado.
¡Advertencia!
Cuando no esté conectado ningún cable, pueden emitirse radiaciones láser invisibles por el orificio del puerto. Evitar la exposición a radiaciones láser y no mirar fijamente los orificios abiertos.
Varning!
Osynliga laserstrålar kan sändas ut från öppningen i porten när ingen kabel är ansluten. Undvik exponering för laserstrålning och titta inte in i ej täckta öppningar.
Removing and Installing a Layer 3 Services Module
The following sections describe how to remove and install modules, GBICs, and cables:
Required Tools
Removing Modules
Installing the Layer 3 Services Module
Installing a GBIC
Attaching Interface Cables to the Layer 3 Services Module
Catalyst 4003 and 4006 switches support hot swapping, which lets you install, remove, replace, and rearrange modules without turning off the system power. When the system detects that a module has been installed or removed, it runs diagnostic and discovery routines automatically, acknowledges the presence or absence of the module, and resumes system operation with no operator intervention.
Warning
Only trained and qualified personnel should install, replace, or service this equipment.
Warning
Because invisible laser radiation may be emitted from the aperture of the port when no cable is connected, avoid exposure to laser radiation and do not stare into open apertures.
Required Tools
You will need these tools to install modules in the Catalyst 4003 and Catalyst 4006 switches:
Number 1 and number 2 Phillips screwdrivers for the captive installation screws
Antistatic mat or antistatic foam
Wrist strap or other grounding device
Caution Whenever you handle modules, you should wear a wrist strap or use some other grounding device to prevent ESD damage.
Removing Modules
You might need to remove a module from the switch chassis to make room for the Layer 3 services module. To remove a module from a Catalyst 4003 or Catalyst 4006 switch, perform these steps:
Step 1 Disconnect any network interface cables attached to the ports on the module you intend to remove.
Step 2 Using the Phillips screwdriver, loosen the two captive installation screws (see Figure 3).
Figure 3 Ejector Levers and Captive Installation Screws (WS-X4232-L3 front panel; callouts: captive installation screw, ejector lever)
Step 3 Attach an ESD wrist strap to your wrist and to the Catalyst 4003 or Catalyst 4006 switch ESD wrist strap connector.
Step 4 Grasp the left and right ejector levers and pivot both levers outward to release the module from the backplane connector. Figure 3 shows a close-up of the right ejector lever.
Caution To prevent ESD damage, handle modules by the carrier edges only.
Step 5 Grasp the edge of the module front panel with one hand and place your other hand under the carrier to support and guide it out of the slot. Do not touch the printed circuit boards or connector pins.
Step 6 Carefully pull the module straight out of the slot, keeping your other hand under the carrier to guide it.
Step 7 Place the module on an antistatic mat or antistatic foam, or immediately install it in another slot.
Step 8 If the slot is to remain empty, you must install a switching-module filler plate (Cisco part number 800-00292-01) to keep dust out of the chassis and to maintain proper airflow through the module compartment.
Warning
Blank faceplates (filler panels) serve three important functions: they prevent exposure to hazardous voltages and currents inside the chassis; they contain electromagnetic interference (EMI) that might disrupt other equipment; and they direct the flow of cooling air through the chassis. Do not operate the system unless all cards and faceplates are in place.
You have now completed the removal of a module from a Catalyst 4003 or Catalyst 4006 switch.
Installing the Layer 3 Services Module
All Catalyst 4003 and Catalyst 4006 modules are installed in horizontal chassis slots that are numbered from top to bottom. Supervisor engines are installed in slot 1; modules are installed in the remaining slots. Figure 4 shows an example of a supervisor engine and two modules installed in a Catalyst 4003 switch.
Figure 4 Module Placement in a Catalyst 4003 Switch (callouts: redundant power supplies, supervisor engine (slot 1), switching modules (slots 2 and 3), fan assembly)
To install the Catalyst 4000 Layer 3 Services module in a Catalyst 4003 or Catalyst 4006 switch, perform these steps:
Step 1 Take the necessary precautions to prevent ESD damage.
Step 2 Choose a slot for the new module. Ensure that you have enough clearance to accommodate any interface equipment that you will connect directly to the module ports. If possible, place modules between empty slots.
Step 3 Holding the module front panel with one hand, and placing your other hand under the carrier to support the module, as shown in Figure 5, align the edges of the module carrier with the slot guides on the sides of the switch chassis and slide the module halfway into the chassis.
Figure 5 Catalyst 4003: Installing the Module in the Chassis
Step 4 Pivot the two module ejector levers out and away from the faceplate. The ejector levers are shown pivoted out in Figure 5.
Step 5 Carefully slide the module the rest of the way into the slot until the notches on both ejector levers engage the chassis sides.
Step 6 Using the thumb and forefinger of each hand, simultaneously pivot in both ejector levers, as shown in Figure 6, to fully seat the module in the backplane connector.
Caution Always use the ejector levers when installing or removing modules. A module that is only partially seated in the backplane will cause the system to halt and reset.
Figure 6 Module Ejector Lever Operation (callouts: ejector lever, captive installation screw)
Step 7 Use a screwdriver to tighten the captive installation screws on each end of the module faceplate.
You have now completed the installation of a module into a Catalyst 4003 or Catalyst 4006 switch.
Installing a GBIC
This section describes how to install GBICs in the Catalyst 4000 Layer 3 Services module.
Handling a GBIC
When handling a GBIC, remember these facts:
GBICs are static sensitive.
GBICs are dust sensitive. When the GBIC is stored or when a fiber-optic cable is not plugged in, always keep plugs in the GBIC optical bores.
The most common source of contaminants in the optical bores is debris picked up on the ferrules of the optical connectors. Use an alcohol swab or Kim-Wipe to clean the ferrules of the optical connector.
Installing GBICs
GBICs are hot-swappable in the Catalyst 4000 Layer 3 Services module. GBICs have a lifetime of 100 to 500 removals and insertions, so to prevent premature failure of the GBIC, do not remove or insert the GBIC unnecessarily.
When removing or inserting a GBIC, always wear an ESD wrist strap connected to the Catalyst 4003 or Catalyst 4006 switch ESD wrist strap connector.
To install a GBIC, perform these steps:
Step 1 Remove the GBIC from its protective packaging.
Step 2 Verify that the GBIC is the correct type for your network by checking the part number: WS-G5484 (1000BASE-SX), WS-G5486 (1000BASE-LX/LH), or WS-G5487 (1000BASE-ZX).
Step 3 Grip the sides of the GBIC with your thumb and forefinger; insert the GBIC into the slot on the front of the module (see Figure 7). GBICs are keyed to prevent incorrect insertion.
Note A maximum of 12 1000BASE-ZX GBICs are supported in a switch chassis.
Figure 7 Installing a GBIC in the Module (WS-X4232-L3 front panel; callout: plug)
Step 4 Slide the GBIC through the flap covering the slot opening. Continue sliding the GBIC into the slot until you hear a click. The click indicates that the GBIC is locked in the slot.
Warning
Because invisible laser radiation may be emitted from the aperture of the port when no cable is connected, avoid exposure to laser radiation and do not stare into open apertures.
Step 5 When you are ready to attach the fiber-optic cable, remove the optical bore plug from the GBIC. Save the plug for future use.
Note If you are connecting the 1000BASE-LX/LH (WS-G5486) GBICs to an MMF network, you must install a mode-conditioning patch cord.
You have now completed the installation of a GBIC into a Catalyst 4003 or Catalyst 4006 module.
Mode-Conditioning Patch Cord
When using the LX/LH GBIC with 62.5-micron diameter MMF, you must install a mode-conditioning patch cord (Cisco product number CAB-GELX-625 or equivalent) between the GBIC and the MMF cable on both the transmit and receive ends of the link. The patch cord is required for link distances greater than 984 feet (300 meters). For more information on the patch cord, see the Catalyst 4003 and 4006 Switch Installation Guide.
The patch cord is required to comply with IEEE standards. The IEEE found that link distances could not be met with certain types of fiber-optic cable due to a problem in the center of some fiber-optic cable cores. The solution is to launch light from the laser at a precise offset from the center by using the patch cord. At the output of the patch cord, the LX/LH GBIC is compliant with the IEEE 802.3z standard for 1000BASE-LX. For a detailed description of this problem, refer to the Catalyst 4003 and 4006 Switch Installation Guide.
Note We do not recommend using the LX/LH GBIC with MMF without a patch cord for very short link distances (tens of meters) either. The result could be an elevated bit error rate (BER).
Attaching Interface Cables to the Layer 3 Services Module
This section describes how to connect the interface cables to the installed Catalyst 4003 and 4006 Layer 3 Services module.
Attaching the Console Port Interface Cable
A console serial port (RJ-45) lets you manage your system using standard console equipment.
For RJ-45 connectors, plug the interface cable connector into the receptacle on the module. Push in the connector until you hear a click; the click indicates that the connector is fully inserted and secured in the receptacle.
Attaching the 10/100 MGT Port Cable
The 10/100BASE-T port (RJ-45) supports remote console interfaces. This port is for network management only. This port is not a switching port. There is no connectivity between this port and the Gigabit Ethernet switching ports.
For RJ-45 connectors, plug the interface cable connector into the receptacle on the module. Push in the connector until you hear a click; the click indicates that the connector is fully inserted and secured in the receptacle.
Attaching the GBIC Interface Cable
Warning
Because invisible laser radiation may be emitted from the aperture of the port when no cable is connected, avoid exposure to laser radiation and do not stare into open apertures.
To connect GBICs to the Gigabit Ethernet or Gigabit EtherChannel ports, perform these steps:
Step 1 Remove the plugs from the GBIC optical bores; store them for future use.
Step 2 Remove the plugs from the SC connector (see Figure 8) on the fiber-optic cable. Insert the connector into the GBIC. When you plug the SC connector into the GBIC, make sure that both the transmitter and receiver fiber-optic cables are fully inserted into the SC connector.
Step 3 If you are using the LX/LH GBIC with MMF, install a patch cord between the GBIC and MMF cable.
Figure 8 SC Type Connector (callouts: keys, key slots, cable, receptacle, transmitter, receiver, light into fiber, light out of fiber)
Attaching the 10/100 Interface Cables
For RJ-45 connectors, plug the interface cable connector into the receptacle on the module. Push in the connector until you hear a click; the click indicates that the connector is fully inserted and secured in the receptacle.
Accessing the Layer 3 Services Module for the First Time
This section explains how to access the Catalyst 4000 Layer 3 Services module, download an image to bootflash, download an image from the network, and perform an image recovery using Xmodem or Ymodem.
The Catalyst 4000 Layer 3 Services module is configured at the factory to automatically load a Cisco IOS image (router operating system software) the first time you insert the module into a Catalyst 4000 family switch. The module software configuration register, which determines where the Catalyst 4000 Layer 3 Services module loads the image from, is set at the factory to load the IOS image from bootflash (configuration register setting 0x2102). Table 9 shows the default configuration of the Catalyst 4000 Layer 3 Services module.
Table 9 Default Configuration of the Catalyst 4003 and 4006 Layer 3 Services Module
Feature Default Value
Host name Router
Interface configuration None
VLAN configuration None (1)
Password encryption Disabled
Break to console Ignore
1. You must configure VLAN 1 to be the default VLAN on both the Catalyst 4000 Layer 3 Services module and the Supervisor Engine
Accessing the Module Console
After the Catalyst 4000 Layer 3 Services module goes through power-on self-test diagnostics, and the front panel STATUS LED is green, you can access the Catalyst 4000 Layer 3 Services module console in these two ways:
Connecting directly through the Catalyst 4000 Layer 3 Services module console port, or
Entering the session mod num command at the Cat4000> prompt
When you access the Catalyst 4000 Layer 3 Services module for the first time, you need to configure the module's internal interfaces and then save the configuration to a file in NVRAM. From the router console, configure the two external Layer 3 ports for access to another device and configure the two internal ports as trunks, as an EtherChannel, or as independent links to connect through the backplane to the Layer 2 ports in the Catalyst 4000 switch.
Connecting Through the Module Console Port
The console port allows you to access the Catalyst 4000 Layer 3 Services module either locally (with a console terminal) or remotely (with a modem). The console port is an EIA/TIA-232 asynchronous, serial connection with an RJ-45 connector.
For complete console port cabling specifications and pinouts, refer to the Catalyst 4003 and 4006 Switch Installation Guide.
The console port mode switch allows you to connect a terminal to the Catalyst 4000 Layer 3 Services module using the console cable provided with a Catalyst 4000 family switch. You can also connect a modem to the console port using the cable and adapter provided with the switch.
Put the port mode switch in the “in” position (factory default position) to connect a terminal to the console port using the console cable and data terminal equipment (DTE) adapter (labeled “Terminal”). The console cable and the DTE adapter shipped with the switch.
Note You may need to use a paper clip or a small, pointed object to change the port mode switch position.
Also, when the port mode switch is in the “in” position you can connect a modem to the console port using the console cable and data communications equipment (DCE) adapter (labeled “Modem”) that shipped with the switch.
Note You should not have to connect a terminal to the Catalyst 4000 Layer 3 Services module console port. When your terminal is connected to the supervisor engine console port, use the session command to access the Catalyst 4000 Layer 3 Services module for router configuration.
Note You need the accessory kit that shipped with your Catalyst 4000 family switch. It contains the cable and adapters to connect a terminal or modem to the console port.
Connecting a Terminal
To connect a terminal to the console port using the cable and adapters provided with the Catalyst 4000 family switch, ensure that the console port mode switch is in the “in” position (factory default position). Connect to the port using the RJ-45-to-RJ-45 cable and RJ-45-to-DB-25 DTE adapter or RJ-45-to-DB-9 DTE adapter (labeled “Terminal”).
Check the documentation that came with your terminal to determine the baud rate. The baud rate of the terminal must match the default baud rate (9600 baud) of the console port.
Set up the terminal using the following specifications:
9600 baud
8 data bits
No parity
1 stop bit
No flow control
Connecting a Modem
To connect a modem to the console port, ensure that the console port mode switch is in the “in” position (factory default position). Connect the modem to the port using the RJ-45-to-RJ-45 cable and the RJ-45-to-DB-25 DCE adapter (labeled “Modem”).
Configuring the Management Port
You can download an image to the Catalyst 4000 Layer 3 Services module through the 10/100 management interface by assigning it an IP address.
To configure an IP address on the management port and configure it for Telnet access, perform this procedure:
Command
    Purpose
Step 1 Router# enable
    Enter enable mode. The # prompt indicates enable mode.
Step 2 Router# configure terminal
    Enter global configuration mode. You can also abbreviate the command to config terminal. The Router(config)# prompt indicates that you are in global configuration mode.
Step 3 Router(config)# enable password password
    Set the enable password.
Step 4 Router(config)# enable secret password
    Enter an enable secret password. A user must enter the enable secret password to gain access to global configuration mode.
Step 5 Router(config-if)# interface type number
    Enter interface configuration mode on the Ethernet interface.
Step 6 Router(config-if)# ip address ip-address subnetmask
    Enter the IP address and IP subnet mask for the interface specified in Step 5.
Step 7 Router(config-if)# no shutdown
    Enable the interface.
Step 8 Router(config-if)# exit
    Return to global configuration mode.
Step 9 Router(config)# line vty line-number
    Enter line configuration mode for virtual terminal connections. Commands entered in this mode control the operation of Telnet sessions to the Catalyst 4000 Layer 3 Services module.
Step 10 Router(config-line)# password password
    Enter a password for Telnet sessions.
Step 11 Router(config-line)# end
    Return to privileged EXEC mode.
Step 12 Router# copy running-config startup-config
    Save your configuration changes to NVRAM.
This example shows you how to assign an IP address to the Catalyst 4000 Layer 3 Services module 10/100 management port:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface F1
Router(config-if)# ip address 131.108.1.27 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# line vty 0
Router(config-line)# password 7 Cisco
Router(config-line)# end
Router# copy running-config startup-config
Note By default, the 10/100 management interface does not route data traffic. We recommend that you not try to override this default configuration.
You can also download images and configuration files to the Catalyst 4000 Layer 3 Services module through one of the Gigabit Ethernet routing ports. If you choose to manage the Layer 3 Services module through a Gigabit Ethernet routing port, any IP address assigned to the corresponding interface can be used for network management purposes when the port is up.
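A check that can be run over a saved running-config to see what the management-port procedure leaves exposed, as an added example that is not part of the Cisco note: it flags the default of no password encryption (Table 9), a leftover enable password, and vty lines that accept Telnet or have no access class. The two sample configurations are constructed, and `service password-encryption`, `transport input` and `access-class` are standard IOS commands that this page does not itself show; that a vty line without `transport input` accepts Telnet is an assumption.

```python
import re

# Constructed running-config in the style of the example above (not captured
# from a device); the secret hash is a placeholder.
BEFORE = """\
hostname Router
enable secret 5 $1$XXXX$placeholderplaceholder00
enable password Cisco
interface FastEthernet1
 ip address 131.108.1.27 255.255.255.0
line vty 0
 password Cisco
 login
"""

# Constructed: the same module after tightening what the procedure leaves open.
AFTER = """\
service password-encryption
hostname Router
enable secret 5 $1$XXXX$placeholderplaceholder00
interface FastEthernet1
 ip address 131.108.1.27 255.255.255.0
access-list 10 permit 131.108.1.0 0.0.0.255
line vty 0
 access-class 10 in
 password 7 00000000000000
 login
"""


def parse_sections(config_text):
    """Return [(top_level_line, [indented child lines])] for an IOS config."""
    sections = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue  # skip blank lines and IOS comment separators
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config_text):
    """Return a list of (finding_id, location, detail) tuples."""
    sections = parse_sections(config_text)
    top = [header for header, _ in sections]
    findings = []

    # Table 9: password encryption is disabled by default on this module.
    if "service password-encryption" not in top:
        findings.append(("PW-CLEAR", "global",
                         "line and enable passwords are stored as typed"))

    # Steps 3 and 4 set both; IOS uses the enable secret when both exist, so
    # the enable password only adds a second, weaker-protected credential.
    if any(h.startswith("enable password ") for h in top):
        findings.append(("EN-PASSWORD", "global",
                         "enable password present; keep only enable secret"))

    for header, body in sections:
        if not header.startswith("line vty"):
            continue
        transport = [b for b in body if b.startswith("transport input ")]
        # Assumption: with no transport input line the vty accepts Telnet.
        if not transport or re.search(r"\b(telnet|all)\b", transport[0]):
            findings.append(("VTY-TELNET", header,
                             "Telnet carries the line password unencrypted"))
        if not any(b.startswith("access-class ") for b in body):
            findings.append(("VTY-NOACL", header,
                             "no access-class limits which hosts may connect"))
    return findings


def finding_ids(config_text):
    """Finding identifiers only, in the order they were raised."""
    return [fid for fid, _, _ in audit(config_text)]


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for fid, where, detail in audit(cfg):
            print(f"  {fid:<12} {where:<12} {detail}")
```

The VTY-TELNET finding remains on the tightened configuration because the procedure on this page manages the module over Telnet; the access class only narrows which hosts can reach it.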
SNMP Network Management
The supervisor engine reports one IP address assigned to the Layer 3 Services module that can be used for network management through the Cisco Stack MIB. If you are using CiscoView to manage your Catalyst 4000 switch, you can also manage the Catalyst 4000 Layer 3 Services module with this software.
If the 10/100 management interface is up and an IP address has been configured, the Layer 3 Services module selects the IP address assigned to the 10/100 management port. If the management port is down or an IP address has not been configured, the module randomly selects an IP address that has been assigned to one of the Gigabit Ethernet ports or port channels as the network management IP address, provided the interface associated with this IP address is up at the time of selection.
If the selected network management IP address is removed or the interface or subinterface associated with this IP address is shut down, the Layer 3 Services module selects another IP address as a replacement.
If all the interfaces are down or no IP address has been assigned to any interface or subinterface that is up, the IP address for network management is 0.0.0.0.
After each IP address selection or change of the IP address, the Layer 3 Services module sends an unsolicited message to the supervisor engine, which then populates the IP address attribute of the Cisco Stack MIB entry of the Catalyst 4000 Layer 3 Services module.
Recovering an Image Using Xmodem or Ymodem
Caution Use Xmodem to download a system image to the Catalyst 4000 Layer 3 Services module only if all local images are damaged or erased. Xmodem will download and boot the downloaded system image. After the Catalyst 4000 Layer 3 Services module is up and running again, make sure that you download a valid image to bootflash before you reload the module.
You can download an image from a local or remote computer (such as a PC, UNIX workstation, or Macintosh) through the console port using the Xmodem or Ymodem protocol. Xmodem and Ymodem are common protocols used to transfer files and are included in applications such as Windows 3.1 (TERMINAL.EXE), Windows 95 (HyperTerminal), Windows NT 3.5x (TERMINAL.EXE), Windows NT 4.0 (HyperTerminal), and Linux UNIX freeware (minicom).
Xmodem and Ymodem downloads are slow. You can speed up the transfer by setting the console port speed to 57600 bps.
Perform Xmodem file transfers from the ROM monitor with the following command:
xmodem [-cys]
  [-c CRC-16]
  [-y ymodem-batch protocol]
  [-s<speed> Set speed of download, where speed may be 1200|2400|4800|9600|19200|38400|57600]
The computer from which you transfer the supervisor engine software image must be running terminal emulation software that supports the Xmodem protocol.
Caution A modem connection from the telephone network to your console port introduces security issues that you should consider before enabling the connection. For example, remote users can dial in to your modem and access configuration settings.
To transfer a file using Xmodem or Ymodem protocol, perform these steps:
Note You must establish network connectivity to the module to copy an image file from a TFTP server to the flash devices.
Step 1 Place a Catalyst 4000 Layer 3 Services module software image on the computer’s hard drive. You can download an image from Cisco.com. See the “Cisco.com” section on page 79.
Step 2 On Windows 95 or 98, configure a HyperTerminal connection directly to COM1 with the following settings: 9600 baud, 8 data bits, no parity, 1 stop bit, flow control Xon-Xoff.
Step 3 Use a cross-over cable to connect from COM1 to the AUX port on the Catalyst 4000 Layer 3 Services module. Use a DB-9 connector at the PC to connect to a female RJ-45, then cross over the RJ-45 to the Catalyst 4000 Layer 3 Services module.
Step 4 Boot the Catalyst 4000 Layer 3 Services module to the ROMMON prompt.
Step 5 Use the HyperTerminal connect window to connect to the Catalyst 4000 Layer 3 Services module ROMMON. Press <Enter> to get to the ROMMON prompt and enter the following information to initiate the file transfer connection:
xmodem -y -s57600
The ROMMON will return with a question asking whether you accept 57600 as the download speed. Press <Enter> to accept and proceed.
Step 6 You are now ready to initiate the file transfer. At this point, the HyperTerminal session is set to 9600 baud, and the file transfer is requested at 57600 baud. To reset the session speed and reconnect the link, follow these steps:
a. From the HyperTerminal menu, select File> Properties, and then click the Configure button. Change the COM1 speed to 57600 baud.
b. Close the COM1 Properties window and the HyperTerminal Properties window.
c. On the HyperTerminal tool bar, click the Disconnect icon and then the Connect icon. The link is now set for 57600 baud.
Step 7 Select the HyperTerminal Transfer drop-down menu from the main menu and select Send to send a file from the PC to the Catalyst 4000 Layer 3 Services module.
Step 8 A menu appears which allows you to select the PC files to send and the transfer protocol to use. Click the Browse button to select the file to transfer to the Catalyst 4000 Layer 3 Services module. Select the Ymodem transfer protocol.
Step 9 When the transfer is completed, a message appears requesting that you reset the link speed to 9600. Do not type “y” at this point even though it is requested by the message on the screen.
Step 10 From the HyperTerminal menu, select File> Properties> Configure and change the COM1 speed from 57600 to 9600. Close the COM1 Properties window and the HyperTerminal Properties window.
Step 11 On the HyperTerminal tool bar, click the Disconnect icon and then the Connect icon. When you are ready to continue and the link speed has been changed back to 9600, press the Y key and the <Enter> key.
After you have completed this procedure, ROMMON boots the image that has been transferred. You may need to recover the bootflash by reformatting the IOS image after it has been loaded. To reformat the bootflash, use the ROMMON format bootflash command.
Upgrading Images
Network downloads take place over the out-of-band Ethernet management port or over the internal Gigabit Ethernet connections. To perform a network download over the internal Gigabit Ethernet connections, you must first configure and bring up these connections.
You can configure the Catalyst 4000 Layer 3 Services module to download its runtime image from a TFTP server and to load images to bootflash. No supervisor engine interaction is required for TFTP image downloads.
Note Before you can download an image, you must first configure the management port. See the “Configuring the Management Port” section on page 29.
To download an image to bootflash, access the Catalyst 4000 Layer 3 Services module using the session command and enter the following command in privileged mode:
Router# copy tftp bootflash:
Overview of the Catalyst 4003 and 4006 Layer 3 Services Module Interfaces
The Catalyst 4000 Layer 3 Services module supports two external and two internal Layer 3 Gigabit Ethernet interfaces, which run IOS software, and 32 10/100 Layer 2 ports, which are configurable from the supervisor engine.
You can map all Layer 2 ports on the Catalyst 4000 family switch with VLANs and trunks to the Layer 3 interfaces on the Catalyst 4000 Layer 3 Services module.
To configure the Layer 3 interfaces, you must first access the Catalyst 4000 Layer 3 Services module through a direct terminal connection or by entering the session command from the supervisor engine prompt. You must configure the internal Gigabit Ethernet ports from the supervisor engine to match their associated Layer 2 ports. To configure the Catalyst 4000 Layer 3 Services module, use the Layer 3 console. To configure the Layer 2 ports, use the switch console. This section provides information on how to configure both the external and internal Gigabit Ethernet ports.
You must configure and add Layer 2 ports to your VLANs before the Catalyst 4000 Layer 3 Services module can route traffic from the Layer 2 ports on the Catalyst 4000 family switch.
Understanding Key Features
This section describes the key features supported in Layer 3 switching software.
Distributed Hardware Forwarding
Layer 3-switching software uses a distributed architecture in which the control path and data path are relatively independent. The control path code, such as routing protocols, runs on the processor; the data packets are switched by the Ethernet interfaces and the switching fabric.
A microcoded application-specific integrated circuit (ASIC) handles all packet switching for the interfaces. The following are the main functions of the control layer between the routing protocol and the firmware data path microcode:
Managing the internal data and control circuits for the packet forwarding and control functions
Extracting the other routing and packet forwarding-related control information from the Layer 2 and Layer 3 bridging and routing protocols and the configuration data, and then conveying the information to the interfaces to control the data path
Collecting the data path information, such as traffic statistics, sent from the interfaces to the processor
Handling certain data packets sent from the Ethernet interfaces to the processor
Cisco IOS Routing Protocols
Layer 3-switching software provides a comprehensive suite of routing protocols based on Cisco IOS software. The following networking protocols and routing protocols are supported on the Catalyst 4000 Layer 3 Services module.
Table 10 Supported Networking and Routing Protocols
Networking Protocol    Supported Routing Protocols
IP                     RIP, RIP-2, OSPF, IGRP, EIGRP, PIM, BGP
IPX                    IPX RIP, EIGRP
Many of the Cisco IOS routing protocol features, such as route redistribution and load balancing over equal cost paths (for OSPF and EIGRP), are supported. The methods used to configure these routing protocols are identical to the configuration methods currently employed on all Cisco routers.
Note Layer 2 entries, IP routing, IP multicast routing, and Novell IPX routing share the 32K CAM on the Catalyst 4000 Layer 3 Services module.
Caution You will be unable to use IPX routing when you enable per-port shaping and policing on any port of a Catalyst 4003 or 4006 Layer 3 Services module.
QoS-Based Forwarding
QoS includes technologies such as weighted round-robin scheduling, policing, and shaping, which help control bandwidth, network delay, jitter, and packet loss in congested networks. The QoS identifier provides specific treatment to traffic in different classes, so that each class receives different QoS.
The class to which the packets belong determines packet scheduling and discarding policies. For example, the overall service given to packets in the premium class will be better than that given to the standard class; the premium class is expected to experience lower loss rate or delay.
The switch router has QoS-based forwarding for IP traffic only. The implementation of QoS forwarding is based on local administrative policy and IP precedence. The mapping between the IP precedence field and the QoS field determines the delay priority of the packet.
For more information about QoS, see the “Configuring Layer 3 QoS” section on page 67.
Caution You will be unable to use IPX routing when you enable per-port shaping and policing on any port of a Catalyst 4003 or 4006 Layer 3 Services module.
Network Class Redundancy
The redundancy of Cisco IOS software provides key network features, such as HSRP, routing protocol convergence with RIP, OSPF, EIGRP, EtherChannel, and load sharing across equal cost Layer 3 paths and spanning trees (for Layer 2-based networks).
Remote Monitoring
Layer 3 switching software supports the first four Remote Monitoring (RMON) groups.
RMON is a network management protocol for gathering network information and monitoring traffic data within remote LAN segments from a central location. RMON allows you to monitor all nodes and their interaction on a LAN segment. RMON, used with the SNMP agent in the switch router, allows you to view both the traffic that flows through the router and segment traffic not necessarily destined for the switch router. Layer 3-switching software combines RMON alarms and events with existing MIBs so you can choose where monitoring will occur.
Refer to the Cisco IOS Configuration Fundamentals Configuration Guide for more information about RMON.
Cisco Discovery Protocol
CDP is a device-discovery protocol that is both media and protocol independent. CDP is available on all Cisco products, including routers, switches, bridges, and access servers. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN. CDP enables Cisco products to exchange information with each other regarding their MAC addresses, IP addresses, and outgoing interfaces. CDP runs over the data link layer only, which allows two systems that support different network-layer protocols to learn about each other. Each device configured for CDP sends periodic messages to a multicast address. Each device advertises at least one address at which it can receive Simple Network Management Protocol (SNMP) messages.
Cisco Express Forwarding
Layer 3-switching software features CEF. CEF is advanced Layer 3 IP-switching technology. CEF optimizes network performance and scalability for networks with large and dynamic traffic patterns, such as the Internet, on networks characterized by intensive Web-based applications, or interactive sessions. Although you can use CEF in any part of a network, it is designed for high-performance, highly resilient Layer 3 IP-backbone switching.
CEF manages route distribution and forwarding by distributing routing information from the central processor to the individual Ethernet interfaces. This technology, used within the Internet, provides scalability in large campus core networks. CEF provides Layer 3 forwarding based on a topology map of the entire network, resulting in high-speed routing table lookups and forwarding.
One of the key benefits of CEF in Layer 3 switching is its routing convergence. Because the FIB is distributed to all interfaces, whenever a route goes away or is added, the FIB updates that information and provides it to the interfaces. Central processor interrupts are minimized. The interfaces receive the new topology very quickly and reconverge around a failed link based on the routing protocol being used.
Caution We recommend that you issue only CEF load balancing configuration commands. Do not issue any other CEF configuration commands. The CEF default settings should not be altered; doing so may adversely affect the performance of your system.
Load Balancing
A switch router that employs load balancing can distribute traffic over all its network ports that are the same distance from the destination address. Load balancing increases the utilization of network segments and increases effective network bandwidth.
Layer 3-switching software uses source + destination-based load balancing, an enhanced version of the Cisco IOS software per-destination load balancing. This method takes certain bits from the source and destination IP and IPX addresses and maps them into a path.
This method has these benefits:
The traffic is distributed more effectively.
There is almost no impact on the data path performance.
Layer 3-switching software supports load balancing on equal cost paths using the source and destination IP or IPX address. The Catalyst 4003 or 4006 Layer 3 Services module uses two equal cost paths. Per-packet load balancing is not supported.
Optionally, if you are load balancing a Gigabit Ethernet port, you may configure the port to load balance using CEF.
CEF load balancing decisions are made on the ingress interface. Load distortions may occur across multiple switch routers when the same CEF load balancing algorithm is used on every switch router. You can resolve these distortions by selecting a specific CEF load balancing algorithm, such as tunnel or universal, based on your network environment. The tunnel and universal algorithms are available on Gigabit Ethernet ports only.
Hot Standby Router Protocol
The HSRP provides high network availability by routing IP traffic from hosts on Ethernet networks without relying on the availability of any single switch router. This feature is particularly useful for hosts that do not support a router discovery protocol and do not have the functionality to switch to a new router when their selected router reloads or loses power.
Devices that are running HSRP detect a failure by sending and receiving multicast User Datagram Protocol (UDP) “hello” packets. When HSRP detects that the designated active router has failed, the selected backup router assumes control of the HSRP group’s MAC and IP addresses. (You can also select a new standby router at that time.)
The chosen MAC address and IP addresses are unique and do not conflict with any others on the same network segment. The MAC address is selected from a pool of Cisco MAC addresses. Configure the last byte of the MAC address by configuring the HSRP group number. You also configure the unique virtual IP address. The IP address must be specified on a single router within the same group. When the HSRP is running, it selects an active router and instructs its device layer to listen on an additional (dummy) MAC address.
Layer 3-switching software supports HSRP over 10/100 Ethernet, Gigabit Ethernet, and GEC.
Gigabit EtherChannel
GEC allows grouping of gigabit ports into a single multigigabit logical EtherChannel link. GEC establishes a high-bandwidth connection between two Catalyst switch routers.
You can bundle up to two Gigabit Ethernet connections on the Catalyst 4000 Layer 3 Services module as one logical link, which can provide up to 4-Gb aggregate capacity. If a failure of any one link is detected, the packets are switched on the remaining active link in the GEC.
GEC uses a source-destination IP and IPX address load-balancing scheme for up to two ports in a channel group on the Catalyst 4003 and 4006 Layer 3 Services module. Each channel group has its own IP address. When you queue a packet to exit out of the port channel interface, the last two bits of the IP source and destination address determine which interface in the channel the packet takes.
As with all EtherChannel technologies, all links share the traffic load within the bundled ports.
For more information about GEC, see the “Configuring the Layer 3 Gigabit Ethernet Ports” section on page 54.
Spanning Tree Protocol
STP is a bridge protocol that enables a learning bridge to dynamically work around loops in a network topology by creating a spanning tree. Bridges exchange BPDU messages with other bridges to detect loops and then remove the loops by shutting down selected bridge interfaces.
STP maintains a network of multiple bridges or switches. When the topology changes, the STP transparently reconfigures bridges and switches to avoid the creation of loops by placing ports in a forwarding or blocking state. Each bridge group has a separate instance of the STP.
STP parameters are set for each bridge group. For each spanning tree instance, you configure a set of global options with a set of port parameters. The port parameter list contains only ports that are members of a given bridge group. The Layer 3 switch routers support a maximum of 16 bridge groups, which run their own instance of spanning tree.
Virtual LANs
A VLAN configures switches and routers according to logical rather than physical topologies. Using VLANs, a network administrator can combine any collection of LAN segments within an internetwork into an autonomous user group, which appears as a single LAN. VLANs logically segment the network into different broadcast domains so that packets are switched only between ports within the VLAN. Typically, a VLAN corresponds to a particular subnet, although not necessarily.
For information about InterVLAN routing, see the “Configuring the Module for InterVLAN Routing” section on page 44.
IEEE 802.1Q VLAN Encapsulation
802.1Q VLAN encapsulation uses a one-level, packet tagging scheme to multiplex VLANs across a single physical link, while maintaining strict adherence to the individual VLAN domains. 802.1Q can have access ports or untagged ports where frames are assigned to VLANs based on a port VLAN identifier (PVID), or native VLAN for the port. It can also have trunked ports where some frames can be tagged and others untagged. 802.1Q uses Per VLAN Spanning Tree Plus (PVST+), mapping multiple spanning trees to the spanning tree of pure 802.1Q switches.
IEEE 802.1Q VLAN encapsulation is supported over the internal and external gigabit router ports. See Figure 10 on page 41 for an example of how to set up VLAN encapsulation.
For more information about 802.1Q on internal VLAN trunks, see the “Configuring 802.1Q Layer 2 VLAN Trunks” section on page 51.
Inter-Switch Link VLAN Encapsulation
Layer 3-switching software also supports Inter-Switch Link (ISL) encapsulation over the external Gigabit Ethernet ports or if configured as a GEC. The Catalyst 4003 and 4006 Layer 3 Services module can be deployed in environments with the ISL trunking protocol and can route between external gigabit ports running ISL and internal gigabit ports running 802.1Q stations.
External ports support ISL, which use one PVST+ over ISL trunks.
Switching Database Manager
Layer 3-switching software supports SDM. SDM resides on the central processor and its primary function is to maintain the Layer 3-switching database in ternary TCAM. SDM maintains the address entries contained in TCAM in an appropriate order. SDM manages TCAM space by partitioning protocol-specific switching information into multiple regions.
The key benefit of SDM in Layer 3 switching is its ability to configure the size of the protocol regions in TCAM. SDM enables exact-match and longest-match address searches, which result in high-speed forwarding.
For more information about SDM, see the “Configuring the Switching Database Manager” section on page 74.
Access Control Lists
ACLs allow you to filter packet flow into or out of switch router interfaces. ACLs are sometimes called filters. You can use ACLs to restrict network use by certain users or devices. ACLs are created for each protocol and applied on the interface either for inbound or outbound traffic. They can be configured for all routed network protocols (IP or Novell IPX) to filter packets for the protocol as they pass through a switch router. Only one ACL can be applied per protocol per (sub)interface in each direction.
When creating ACLs, you define criteria to apply to each packet processed by the switch router; the switch router decides whether to forward or block the packet based on whether or not the packet matches the criteria in your list. Packets that do not match any criteria in your list are automatically blocked by the implicit “deny all traffic” criteria statement at the end of every access list.
The specific instructions for creating ACLs and applying them to interfaces vary from protocol to protocol. Configuration of Layer 3-switching ACLs is identical to the configuration methods currently employed on all Cisco routers.
ACL functionality is built into Gigabit Ethernet ports of the Catalyst 4000 Layer 3 Services module. However, ACLs are not supported on GEC. For more information on ACLs, see the “Configuring Access Control Lists” section on page 60.
Traffic that is switched by interface modules does not support ACL logging. However, ACL logging is supported for all traffic that goes to the CPU.
The enhanced Gigabit Ethernet interface module supports a TCAM size of 32K (32-bit) entries. The combined size of the protocol regions and access lists should not exceed your TCAM space. The default size of the access lists in a 32K TCAM is 512 (128-bit) entries. Before you configure the access list, make sure that TCAM has enough space to accommodate the access list.
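The first-match evaluation and the implicit “deny all traffic” statement described in this section can be checked offline before a list is applied to an interface. The following is an added example, not Cisco code: it models only the matching semantics for `access-list N {permit|deny} ip` entries, the function names are hypothetical, and both sample lists are constructed. It also reports entries that can never match because an earlier entry covers them.

```python
"""First-match evaluation of an IOS-style extended IP access list.

Added example. The ACL lines and addresses are constructed sample data.
Only `access-list N {permit|deny} ip SRC DST` is handled, where SRC and
DST are `any`, `host A.B.C.D`, or `A.B.C.D WILDCARD`.
"""
import ipaddress

# Constructed sample: the host deny precedes the subnet permit.
SAMPLE_ACL = """\
access-list 101 deny ip host 10.1.1.66 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 host 192.168.5.10
"""
# Constructed sample: the same deny placed after a broader permit.
MISORDERED_ACL = """\
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 deny ip host 10.1.1.66 any
"""
IMPLICIT_DENY = "implicit deny"
ALL_BITS = 0xFFFFFFFF


def _to_int(address):
    return int(ipaddress.IPv4Address(address))


def _operand(tokens):
    """Consume one address operand; return (base, wildcard) as integers."""
    head = tokens.pop(0)
    if head == "any":
        return 0, ALL_BITS
    if head == "host":
        return _to_int(tokens.pop(0)), 0
    return _to_int(head), _to_int(tokens.pop(0))


def parse_acl(text):
    """Parse ACL text into an ordered list of entries (order is significant)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        try:
            keyword, number, action, proto = tokens[:4]
            rest = tokens[4:]
            if keyword != "access-list" or proto != "ip":
                raise ValueError
            if action not in ("permit", "deny"):
                raise ValueError
            src = _operand(rest)
            dst = _operand(rest)
            if rest:  # trailing tokens (ports, log, ...) are not modelled
                raise ValueError
        except (ValueError, IndexError):
            raise ValueError(f"unsupported ACL line: {line!r}") from None
        entries.append({"acl": number, "action": action,
                        "src": src, "dst": dst, "text": line})
    return entries


def _matches(address, operand):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    base, wildcard = operand
    care = ~wildcard & ALL_BITS
    return (_to_int(address) & care) == (base & care)


def evaluate(entries, src, dst):
    """Return (action, matched_line); the first matching entry decides."""
    for entry in entries:
        if _matches(src, entry["src"]) and _matches(dst, entry["dst"]):
            return entry["action"], entry["text"]
    # Nothing matched: the implicit deny at the end of every list applies.
    return "deny", IMPLICIT_DENY


def _covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    o_base, o_wild = outer
    i_base, i_wild = inner
    o_care = ~o_wild & ALL_BITS
    return (i_wild & o_care) == 0 and (o_base & o_care) == (i_base & o_care)


def shadowed_entries(entries):
    """Return entries that can never match because an earlier entry covers them."""
    hidden = []
    for index, later in enumerate(entries):
        for earlier in entries[:index]:
            if (_covers(earlier["src"], later["src"])
                    and _covers(earlier["dst"], later["dst"])):
                hidden.append(later["text"])
                break
    return hidden


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for src, dst in [("10.1.1.20", "10.2.3.4"), ("10.1.1.66", "10.2.3.4"),
                     ("10.1.2.20", "10.2.3.4")]:
        print(src, "->", dst, evaluate(acl, src, dst))
    print("shadowed:", shadowed_entries(parse_acl(MISORDERED_ACL)))
```
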
IEEE 802.1Q VLAN Bridging
Layer 3-switching software supports 802.1Q bridging over Gigabit Ethernet and GEC. The Catalyst 4000 Layer 3 Services module can be deployed in environments with the 802.1Q trunking protocol and can bridge between ISL and 802.1Q stations.
Local Proxy ARP
The Local Proxy ARP feature allows the Catalyst 4000 Layer 3 Services module to respond to ARP requests for IP addresses within a subnet where normally no routing is required. With the local proxy ARP feature enabled, the Catalyst 4000 Layer 3 Services module responds to all ARP requests for IP addresses within the subnet and forwards all traffic between hosts in the subnet. Use this feature only on subnets where hosts are intentionally prevented from communicating directly by the configuration on the switch to which they are connected.
The local proxy ARP feature is disabled by default. Use the ip local-proxy-arp interface configuration command to enable the local proxy ARP feature on an interface. Use the no ip local-proxy-arp interface configuration command to disable the feature. ICMP redirects are disabled on interfaces where the local proxy ARP feature is enabled.
To use the local proxy ARP feature, the IP proxy ARP feature must be enabled. The IP proxy ARP feature is disabled by default. Refer to the Cisco IOS Release 12.0 Network Protocols Configuration Guide Part 1, “IP Addressing and Services,” “Configuring IP Addressing,” “Configure Address Resolution Methods,” at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt2/1cipadr.htm
RADIUS Server
The RADIUS feature is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with any security system currently available on the market.
Cisco supports RADIUS under its AAA security paradigm. RADIUS can be used with other AAA security protocols, such as TACACS+, Kerberos, or local username lookup. RADIUS is supported on all Cisco platforms. Refer to the Cisco IOS Release 12.0 Security Configuration Guide, “Security Server Protocols,” “Configuring RADIUS,” at: http://cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/scrad.htm
Overview of the Layer 2 Interfaces
Assuming the Layer 3 Services module resides in slot 2, the port numbering is 2/1 and 2/2 for the internal Gigabit Ethernet ports, and 2/3 through 2/34 for the external 10/100 ports. Ports 2/3 through 2/34 are directly accessible via the external RJ-45 connectors. Ports 2/1 and 2/2 are internal ports and have no external interfaces.
Note The 2/1 and 2/2 ports are internal WS-X4232-L3 ports. There are actually four Gigabit Ethernet ports on the daughter card; two ports are external (G1 and G2) and two are internal (G3 and G4). You will configure the external ports using Cisco IOS Layer 3 software only and the internal ports using Cisco IOS Layer 3 and the Layer 2 Supervisor. You must use Cisco IOS to configure G3 and G4 and the supervisor to configure ports 2/1 and 2/2.
Overview of the Layer 3 Gigabit Ethernet Interfaces
To the Catalyst 4000 family switch, the Layer 3 Services module appears to be an external router connected to the switch through two internal full-duplex Gigabit Ethernet ports.
The port numbering for the external Gigabit Ethernet interfaces on the front panel is Gigabit Ethernet1 and Gigabit Ethernet2. The port numbering for the internal Gigabit Ethernet interfaces is Gigabit Ethernet3 and Gigabit Ethernet4.
If the Layer 3 Services module is installed in slot 2, port 2/1 on the Catalyst switch side is connected to interface Gigabit Ethernet3 on the Catalyst 4000 Layer 3 Services module side and port 2/2 to interface Gigabit Ethernet4.
Figure 9 shows the internal interface connections when the Layer 3 Services module is installed in slot 6 in a Catalyst 4003 switch.
Figure 9 Internal Interface Connections
(Figure: Catalyst 4003 and 4006 switch backplane ports 2/1 and 2/2 connect internally to Gig E-3 and Gig E-4 on the Catalyst 4003 and 4006 Layer 3 Services module; Gig E-1 and Gig E-2 are the module's external connections.)
Configuration Options
You have the option to configure the Catalyst 4000 Layer 3 Services module ports as trunks, as EtherChannels, or as independent links. This section provides an overview of these three configuration options. For detailed configuration information, see the “Configuring the Module for InterVLAN Routing” section on page 44.
Option 1: Interfaces as Trunks (Recommended Option)
You can add Layer 2 ports to VLANs and group the VLANs into trunks. For the Layer 2 ports, you add the ports, from the switch console, to VLANs and then configure the trunks on the internal interfaces. When you enable trunking, you must configure a subinterface on the internal Layer 3 ports for each allowed VLAN configured on the Catalyst 4000 Layer 3 Services module trunk. The subinterface configuration is done on the internal Layer 3 ports from the Catalyst 4000 Layer 3 Services module console. The trunking option requires you to configure the internal Layer 2 interfaces from the supervisor engine console as well as the internal Layer 3 ports from the Layer 3 Services module console. See Figure 10 for a conceptual illustration of trunking.
Figure 10 Trunking
(Figure: trunk configuration and its logical representation. VLANs 3, 4, 5, ...X cross the switch backplane on the Gig3 and Gig4 trunks to the WS-X4232-L3, which also has Gig1 and Gig2; the logical view shows subinterfaces gig3.3, gig3.4, gig3.5, gig3.x and gig4.2, gig4.6, gig4.7.)
Option 2: Interfaces as Gigabit EtherChannels
The EtherChannel option builds on the previous trunk configuration when you assign trunks to a shared EtherChannel. After you create the EtherChannel between the Catalyst 4000 Layer 3 Services module and a Catalyst 4000 family switch, the channel provides Layer 3 services to one or multiple VLAN interfaces.
By bundling the two Catalyst 4000 Layer 3 Services module Gigabit Ethernet interfaces into one logical port-channel interface, you create a shared connection for traffic from the Layer 2 ports to the Layer 3 ports. You can configure Layer 3 VLAN gateways by creating multiple subinterfaces on the same logical interface. Creating subinterfaces on one logical interface is less complicated than manually distributing VLANs among multiple physical and logical interfaces on the Catalyst 4000 Layer 3 Services module. See Figure 11 for a conceptual illustration of channeling.
Figure 11 Channeling
[Figure: channel configuration of the WS-X4232-L3. The Gig3 and Gig4 trunks to the switch backplane are channeled together and carry VLANs 3, 4, 5, ...X. Logical representations: logical port-channel interfaces Port-channel 1.3, Port-channel 1.4, Port-channel 1.5, Port-channel 1.x. Gig1 and Gig2 are also shown.]
Option 3: Interfaces as Independent Links
If your Catalyst 4000 switch has only a few VLANs, use the independent interface configuration option. When you are providing Layer 3 gateway services for only one or two VLANs, trunking is not necessary. The Catalyst 4000 Layer 3 Services module Gigabit Ethernet interface needs to be included only in the specific VLAN, just as you would include a host port. For example, if you need only two VLANs, configure these VLANs on the switch and add each to one of the internal interfaces. Access the Catalyst 4000 Layer 3 Services module console and add each Catalyst 4000 Layer 3 Services module interface to its respective VLAN. Assign an IP (or IPX) address to the corresponding Catalyst 4000 Layer 3 Services module routed interface (GigE3 or GigE4).
To provide Layer 3 gateway services for more than one VLAN on a Catalyst 4000 Layer 3 Services module Gigabit Ethernet interface, you must use VLAN trunking. You can use the 802.1Q VLAN trunking method to create the trunk between the Catalyst 4000 Layer 3 Services module interface and the switch.
Configuring the Layer 3 Services Module Gigabit Ethernet Interfaces
Note You cannot configure the internal Gigabit Ethernet interfaces as administratively down.
To configure a Catalyst 4000 Layer 3 Services module Gigabit Ethernet interface, follow these steps:
Step 1 Use the configure terminal EXEC command at the privileged EXEC prompt to enter global configuration mode.
4232-L3> enable
4232-L3# configure terminal
4232-L3(config)#
Step 2 From the global configuration mode, enter the interface command, followed by the interface type (in this case, Gigabit Ethernet) and its interface port ID.
4232-L3(config)# interface g3
4232-L3(interface-if)#
Step 3 Follow each interface command with the interface configuration commands required for your particular interface.
The commands you enter define the protocols and applications that will run on the interface. The module collects and applies commands to the interface command until you enter another interface command, enter a command that is not an interface configuration command, or press Ctrl-Z to return to privileged EXEC mode.
Step 4 After an interface is configured, check its status by using the EXEC show command.
4232-L3# show interface g3
Gigabit Ethernet3 is up, line protocol is up
  Hardware is xpif_port, address is 0050.3e7b.e907 (bia 0050.3e7b.e907)
  Internet address is 11.0.0.2/8
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, rely 255/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  Full-duplex, 1000Mb/s, GBIC connected, Force link-up
  ARP type:ARPA, ARP Timeout 04:00:00
  Last input 03:27:17, output never, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy:fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     945 packets input, 320796 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 watchdog, 927 multicast
     0 input packets with dribble condition detected
     943 packets output, 319527 bytes, 0 underruns(0/0/0)
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Configuring an IP Address on a Gigabit Ethernet Interface
To configure an IP address on one of the external Gigabit Ethernet interfaces, perform the following task in global configuration mode:
Step 1  Task: Enter interface configuration mode to configure the Gigabit Ethernet interface.
        Command: Router(config-if)# interface type number
Step 2  Task: Enter the IP address and IP subnet mask to be assigned to the interface.
        Command: Router(config-if)# ip address ip-address subnet-mask
Step 3  Task: Enable the interface (applies only to Gig1 and Gig2).
        Command: Router(config-if)# no shutdown
Step 4  Task: Return to global configuration mode. Repeat Steps 1 through 3 to configure the other interfaces on the Catalyst 4000 Layer 3 Services module.
        Command: Router(config-if)# exit
Step 5  Task: Return to privileged EXEC mode.
        Command: Router(config)# Ctrl-Z
Step 6  Task: Copy your configuration changes to NVRAM.
        Command: Router# copy running-config startup-config
Monitoring Operations on the Gigabit Ethernet Interfaces
To verify the settings after you have configured the Gigabit Ethernet interfaces, use the show interface command. The output from the show interface command shown below displays the interface status and global parameters and includes port speed and duplex operation:
4232-L3# show interface g3
Gigabit Ethernet3 is up, line protocol is up
  Hardware is xpif_port, address is 0050.3e7b.e907 (bia 0050.3e7b.e907)
  Internet address is 11.0.0.2/8
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, rely 255/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  Full-duplex, 1000Mb/s, GBIC connected, Force link-up
  ARP type:ARPA, ARP Timeout 04:00:00
  Last input 03:27:17, output never, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy:fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     945 packets input, 320796 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 watchdog, 927 multicast
     0 input packets with dribble condition detected
     943 packets output, 319527 bytes, 0 underruns(0/0/0)
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Configuring the Module for InterVLAN Routing
These sections describe how to configure the Layer 3 Services module for interVLAN routing:
Overview of InterVLAN Routing
Configuration Overview
Configuring Layer 2 Ethernet and Gigabit Ethernet Ports
Configuring the Layer 3 Gigabit Ethernet Ports
Note Before you begin to configure the Catalyst 4000 Layer 3 Services module, acquire the correct network addresses, such as IP addresses for the Catalyst 4000 Layer 3 Services module interfaces, from your system administrator, or consult your network plan to determine correct addresses.
Overview of InterVLAN Routing
Network devices in different VLANs cannot communicate with one another without a router to route traffic between the VLANs. In most network environments, VLANs are associated with individual networks or subnetworks.
For example, in an IP network, each subnetwork is mapped to an individual VLAN. In an IPX network, each VLAN is mapped to an IPX network number.
VLANs help to control the size of the broadcast domain and keep local traffic local. However, when an end station in one VLAN needs to communicate with an end station in another VLAN, interVLAN communication is required. This communication is supported by interVLAN routing. You configure one or more routers to route traffic to the appropriate destination VLAN.
This example shows how you would configure VTP on the Catalyst 4000 switch ports, create two VLANs, and assign switch ports to those VLANs:
Console> (enable) set vtp mode server
VTP domain modified
Console> (enable) set vtp domain Corp_Net
VTP domain Corp_Net modified
Console> (enable) set vlan 100
Vlan 100 configuration successful
Console> (enable) set vlan 200
Vlan 200 configuration successful
Console> (enable) set vlan 100 3/1-12
VLAN 100 modified.
VLAN 1 modified.
VLAN  Mod/Ports
----  -----------------------
100   2/1-2
      3/1-12
Console> (enable) set vlan 200 3/13-24
VLAN 200 modified.
VLAN 1 modified.
VLAN  Mod/Ports
----  -----------------------
200   2/1-2
      3/13-24
Console> (enable)
Configuration Overview
Note The Catalyst 4000 Layer 3 Services module supports VLAN numbering from 1 to 1000.
Each internal and external Gigabit Ethernet interface can be configured with a maximum of 250 subinterfaces, each representing a VLAN interface.
You should view the Catalyst 4000 Layer 3 Services module as an external and internal router with two full-duplex Gigabit Ethernet interfaces. The recommended configuration is to trunk or channel the two Gigabit Ethernet interfaces. Another configuration option is to configure the interfaces independently. The following sections describe the three options and the autostate feature which powers the Catalyst 4000 Layer 3 Services module.
We recommend that you follow this sequence:
Set the VTP domain for the Layer 2 ports. For information on how to do this, see the “Setting the VTP Domain” section on page 46.
Configure the Layer 2 ports. For more information, see the “Setting the Layer 2 Port Speed” section on page 48, and the “Setting the Layer 2 Port Duplex Mode” section on page 49.
Create VLANs. For more information, see the “Configuring VLANs” section on page 49.
Assign Layer 2 ports to VLANs. For more information, see the “Assigning Layer 2 Switch Ports to a VLAN” section on page 50.
As an option, you can configure the Layer 2 ports as trunks. For more information, see the “Configuring 802.1Q Layer 2 VLAN Trunks” section on page 51.
Optionally, configure the Layer 2 ports as an EtherChannel. For more information, see the “Configuring EtherChannel” section on page 53.
Configuring Layer 2 Ethernet and Gigabit Ethernet Ports
The following sections briefly describe how to configure the Layer 2 Ethernet and Gigabit Ethernet ports for interVLAN routing from the supervisor engine console. For complete information on Layer 2 port configuration, refer to the Software Configuration Guide for your switch.
Overview of the Layer 2 Interfaces
Setting the VTP Domain
Setting the Layer 2 Port Speed
Setting the Layer 2 Port Duplex Mode
Configuring VLANs
Assigning Layer 2 Switch Ports to a VLAN
Configuring 802.1Q Layer 2 VLAN Trunks
Configuring EtherChannel
Note Both port speed and port duplex mode features default to auto (autonegotiation). To customize the two features, you must set the port speed to 10 or 100 before you set the port duplex mode to half or full duplex. You cannot have one feature set to auto and the other feature set to a fixed value.
Overview of the Layer 2 Interfaces
The port numbering for the 10/100 ports is as follows: Assuming the Layer 3 Services module resides in slot 2, the port numbering is 2/1 and 2/2 for the internal Gigabit Ethernet ports and 2/3 through 2/34 for the external 10/100 ports. All Layer 2 ports in the Catalyst 4000 switch follow this port numbering convention.
Setting the VTP Domain
If the Catalyst 4000 Layer 3 Services module is installed in a new Catalyst 4000 family switch, you must set the VLAN Trunking Protocol (VTP) domain. You can configure the module to use VTP server mode, VTP client mode, or VTP transparent mode. Refer to the Software Configuration Guide for your switch for information about VTP. Setting the VTP domain is required to create VLANs.
VTP Server Mode
VTP server mode lets you change the VLAN configuration once and then have it propagate throughout the network.
To configure the switch as a VTP server, perform this task in privileged mode:
Step 1  Task: Define the VTP domain name.
        Command: Console> (enable) set vtp domain name
Step 2  Task: Place the switch in VTP server mode.
        Command: Console> (enable) set vtp mode server
Step 3  Task: (Optional) Set a password for the VTP domain.
        Command: Console> (enable) set vtp passwd passwd
Step 4  Task: Verify the VTP configuration.
        Command: Console> (enable) show vtp domain
This example shows you how to configure the switch as a VTP server and verify the configuration:
Console> (enable) set vtp domain Lab_Network
VTP domain Lab_Network modified
Console> (enable) set vtp mode server
VTP domain Lab_Network modified
Console> (enable) show vtp domain
Domain Name                      Domain Index VTP Version Local Mode  Password
-------------------------------- ------------ ----------- ----------- ----------
Lab_Network                      1            2           server      -
Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
10         1023             40              enabled
Last Updater    V2 Mode  Pruning  PruneEligible on Vlans
--------------- -------- -------- -------------------------
172.20.52.70    disabled disabled 2-1000
Console> (enable)
VTP Client Mode
You cannot change the VLAN configuration on the switch when it is in VTP client mode. A switch in client mode receives VTP updates from a VTP server in the management domain and modifies its configuration accordingly.
To configure the switch as a VTP client, perform these tasks in privileged mode:
Step 1  Task: Define the VTP domain name.
        Command: Console> (enable) set vtp domain name
Step 2  Task: Place the switch in VTP client mode.
        Command: Console> (enable) set vtp mode client
Step 3  Task: Verify the VTP configuration.
        Command: Console> (enable) show vtp domain
This example shows you how to configure the switch as a VTP client and verify the configuration:
Console> (enable) set vtp domain Lab_Network
VTP domain Lab_Network modified
Console> (enable) set vtp mode client
VTP domain Lab_Network modified
Console> (enable) show vtp domain
Domain Name                      Domain Index VTP Version Local Mode  Password
-------------------------------- ------------ ----------- ----------- ----------
Lab_Network                      1            2           client      -
Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
10         1023             40              enabled
Last Updater    V2 Mode  Pruning  PruneEligible on Vlans
--------------- -------- -------- -------------------------
172.20.52.70    disabled disabled 2-1000
Console> (enable)
VTP Transparent Mode
Configure the switch as VTP transparent to disable VTP on the switch. A VTP transparent switch does not send VTP updates and does not act on VTP updates received from other switches. However, a VTP transparent switch running VTP version 2 does forward received VTP advertisements out all of its trunk links.
To disable VTP on the switch, perform these tasks in privileged mode:
Step 1  Task: Place the switch in VTP transparent mode (disabling VTP on the switch).
        Command: Console> (enable) set vtp mode transparent
Step 2  Task: Verify the VTP configuration.
        Command: Console> (enable) show vtp domain
This example shows you how to configure the switch as VTP transparent and verify the configuration:
Console> (enable) set vtp mode transparent
VTP domain Lab_Net modified
Console> (enable) show vtp domain
Domain Name                      Domain Index VTP Version Local Mode  Password
-------------------------------- ------------ ----------- ----------- ----------
Lab_Net                          1            2           Transparent -
Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
10         1023             0               enabled
Last Updater    V2 Mode  Pruning  PruneEligible on Vlans
--------------- -------- -------- -------------------------
172.20.52.70    disabled disabled 2-1000
Console> (enable)
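The following Python script is an added example, not part of the Cisco documentation: it parses show vtp domain output in the layout shown in the three VTP mode examples and reports a VTP server or client that has no domain password (the optional password step in the server procedure) and a switch that is in server mode. The sample output is constructed, and treating "-" or a blank Password column as "no password set" is an assumption about the display.

```python
"""Audit CatOS `show vtp domain` output (added example, not Cisco code)."""
import re

RULE = re.compile(r"^-+(?: +-+)*$")  # a line made only of dashed column rules


def parse_vtp_domain(text):
    """Return {column header: value} from `show vtp domain` output.

    The output is a series of header / dashed-rule / value triples. The rule
    line gives the fixed column offsets used to slice the other two lines.
    """
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    fields = {}
    for i in range(1, len(lines) - 1):
        if not RULE.match(lines[i]):
            continue
        starts = [m.start() for m in re.finditer(r"-+", lines[i])]
        header, value = lines[i - 1], lines[i + 1]
        for lo, hi in zip(starts, starts[1:] + [None]):
            name = header[lo:hi].strip()
            if name:
                fields[name] = value[lo:hi].strip()
    return fields


def audit_vtp(text):
    """Return a list of (code, message) findings for one switch."""
    f = parse_vtp_domain(text)
    mode = f.get("Local Mode", "").lower()
    domain = f.get("Domain Name", "?")
    # Assumption: "-" or an empty Password column means no password is set.
    has_password = f.get("Password", "") not in ("", "-")
    findings = []
    if mode in ("server", "client") and not has_password:
        findings.append(("no-password",
                         f"domain {domain}: no VTP password, so advertisements "
                         "are not protected by a shared secret; set one with "
                         "'set vtp passwd' on every switch in the domain"))
    if mode == "server":
        findings.append(("server-mode",
                         f"domain {domain}: server mode at config revision "
                         f"{f.get('Config Revision', '?')}; VLAN changes made "
                         "here propagate throughout the domain"))
    # Transparent mode does not act on received VTP updates, so no finding.
    return findings


def _table(widths, header, values):
    """Build one fixed-width header / rule / value triple (constructed data)."""
    def row(cells):
        return " ".join(c.ljust(w) for c, w in zip(cells, widths)).rstrip()
    return "\n".join([row(header), row(["-" * w for w in widths]), row(values)])


def sample_output(mode, password):
    """Constructed `show vtp domain` output in the layout shown on this page."""
    return "\n".join([
        _table([32, 12, 11, 11, 10],
               ["Domain Name", "Domain Index", "VTP Version", "Local Mode",
                "Password"],
               ["Lab_Network", "1", "2", mode, password]),
        _table([10, 16, 15, 13],
               ["Vlan-count", "Max-vlan-storage", "Config Revision",
                "Notifications"],
               ["10", "1023", "40", "enabled"]),
        _table([15, 8, 8, 25],
               ["Last Updater", "V2 Mode", "Pruning", "PruneEligible on Vlans"],
               ["172.20.52.70", "disabled", "disabled", "2-1000"]),
    ])


if __name__ == "__main__":
    for mode, password in (("server", "-"), ("client", "-"), ("Transparent", "-")):
        print(mode)
        for code, message in audit_vtp(sample_output(mode, password)):
            print(f"  [{code}] {message}")
```
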
Setting the Layer 2 Port Speed
You can configure the port speed on 10/100 Ethernet ports. Use the auto keyword to have the port autonegotiate speed and duplex mode with the neighboring port.
Caution Make sure the device on the other end of the link is also configured for autonegotiation, or a port speed or duplex mismatch will result.
Note If the port speed is set to auto on a 10/100-Mbps Fast Ethernet port, both speed and duplex are autonegotiated.
To set the port speed for a 10/100-Mbps port, perform these tasks in privileged mode:
Step 1  Task: Set the port speed of a 10/100-Mbps Fast Ethernet port.
        Command: Console> (enable) set port speed mod_num/port_num {10 | 100 | auto}
Step 2  Task: Verify that the speed of the port is configured correctly.
        Command: Console> (enable) show port [mod_num[/port_num]]
This example shows you how to set the port speed to 100 Mbps on port 2/4:
Console> (enable) set port speed 2/4 100
Port 2/4 speed set to 100 Mbps.
Console> (enable)
This example shows you how to make port 2/4 autonegotiate speed and duplex with the neighbor port:
Console> (enable) set port speed 2/4 auto
Port 2/4 speed set to auto-sensing mode.
Console> (enable)
Setting the Layer 2 Port Duplex Mode
You can set the port duplex mode to full or half duplex for 10/100-Mbps Ethernet ports.
Note If the port speed is set to auto on a 10/100-Mbps Fast Ethernet port, both speed and duplex are autonegotiated. You cannot change the duplex mode of ports configured for autonegotiation. For information on enabling and disabling autonegotiation on 10/100 Fast Ethernet ports, see the section “Setting the Layer 2 Port Speed”.
To set the duplex mode of a port, perform these tasks in privileged mode:
Step 1  Task: Set the port speed of a 10/100-Mbps Fast Ethernet port.
        Command: Console> (enable) set port duplex mod_num/port_num {full | half}
Step 2  Task: Verify that the duplex mode of the port is configured correctly.
        Command: Console> (enable) show port [mod_num[/port_num]]
This example shows you how to set the duplex mode to half duplex on port 2/4:
Console> (enable) set port duplex 2/4 half
Port 2/4 set to half-duplex.
Console> (enable)
Configuring VLANs
After you have configured VTP and specified the Layer 2 interface speed and duplex parameters, you must create VLANs and assign the ports to the VLANs.
Creating an Ethernet VLAN
To create a new Ethernet VLAN, perform these tasks in privileged mode:
Step 1  Task: Create a new Ethernet VLAN.
        Command: Console> (enable) set vlan vlan_num [name name] [said said] [mtu mtu] [translation vlan_num]
Step 2  Task: Verify the VLAN configuration.
        Command: Console> (enable) show vlan [vlan_num]
Note The default VLAN type is Ethernet; if you do not specify the VLAN type, the VLAN is an Ethernet VLAN.
This example shows you how to create an Ethernet VLAN and verify the configuration:
Console> (enable) set vlan 4 name Engineering
Vlan 4 configuration successful
Console> (enable) show vlan 4
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
4    Engineering                      active    344
VLAN Type  SAID       MTU   Parent RingNo BrdgNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
4    enet  100500     1500  -      -      -      -    -        0      0
VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
Console> (enable)
To modify the VLAN parameters on an existing Ethernet VLAN, perform this task in privileged mode:
Step 1  Task: Modify an existing Ethernet VLAN.
        Command: set vlan vlan_num [name name] [state {active | suspend}] [said said] [mtu mtu] [translation vlan_num]
Step 2  Task: Verify the VLAN configuration.
        Command: show vlan [vlan_num]
Assigning Layer 2 Switch Ports to a VLAN
A VLAN created in a management domain remains unused until you assign one or more switch ports to the VLAN. If you specify a VLAN that does not exist, the VLAN is created and the specified ports are assigned to it.
To assign one or more switch ports to a VLAN, perform this task in privileged mode:
Step 1  Task: Assign one or more switch ports to a VLAN.
        Command: set vlan vlan_num mod_num/port_num
Step 2  Task: Verify the port VLAN membership.
        Command: show vlan [vlan_num]
                 show port [mod_num[/port_num]]
This example shows you how to assign switch ports to a VLAN and verify the assignment:
Console> (enable) set vlan 4 2/1
VLAN 4 modified.
VLAN 1 modified.
VLAN  Mod/Ports
----  -----------------------
4     2/1
Console> (enable) show vlan 4
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
4    Engineering                      active    59      2/1

VLAN Type  SAID       MTU   Parent RingNo BrdgNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
4    enet  100500     1500  -      -      -      -    -        0      0

VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
Console> (enable) show port 2/1
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
2/1                      notconnect 4          normal full   1000  1000BaseSX

Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
2/1   disabled                                     No       disabled 12

Port  Status     Channel   Channel     Neighbor                  Neighbor
                 mode      status      device                    port
----- ---------- --------- ----------- ------------------------- ----------
2/1   notconnect auto      not channel

Port  Align-Err  FCS-Err    Xmit-Err   Rcv-Err    UnderSize
----- ---------- ---------- ---------- ---------- ---------
2/1   -          0          0          0          0

Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts     Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
2/1   0          0          0          0          0         0         0

Last-Time-Cleared
--------------------------
Wed Jul 26 2000, 19:44:05
Console> (enable)
Configuring 802.1Q Layer 2 VLAN Trunks
A trunk is a point-to-point link between one device, such as a router or a switch, and another device. Trunks carry the traffic of multiple VLANs over a single link and allow you to extend VLANs across an entire network.
IEEE 802.1Q is an industry-standard trunking encapsulation that is available on all Ethernet ports.
You can configure a trunk on a single Ethernet port or on an EtherChannel bundle. For more information about EtherChannel, see the “Configuring EtherChannel” section on page 53.
Configuring an 802.1Q Trunk on Ethernet Ports
To configure an 802.1Q trunk, perform these tasks in privileged mode:
Step 1  Task: Configure an 802.1Q trunk.
        Command: Console> (enable) set trunk mod_num/port_num [on | desirable | auto | nonegotiate] dot1q
Step 2  Task: Verify the trunking configuration.
        Command: Console> (enable) show trunk [mod_num/port_num]
This example shows you how to configure an 802.1Q trunk and how to verify the trunk configuration:
Console> (enable) set trunk 2/1 desirable dot1q
Port(s) 2/1 trunk mode set to desirable.
Port(s) 2/1 trunk type set to dot1q.
Console> (enable) 07/02/1998,18:22:25:DTP-5:Port 2/1 has become dot1q trunk

Console> (enable) show trunk
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 2/1      desirable    dot1q          trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 2/1      1-1005, 1025-4094

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 2/1      1,5,10-32,101-120,150,200,250,300,400,500,600,700,800,900,1000

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 2/1      5,10-32,101-120,150,200,250,300,400,500,600,700,800,900,1000
Console> (enable)
Defining the Allowed VLANs on a Trunk on Ethernet Ports
When you configure a trunk port, all VLANs are added to the allowed VLANs list for that trunk. However, you can remove VLANs from the allowed list to prevent traffic for those VLANs from passing over the trunk. You cannot remove VLAN 1, the default VLAN, from the allowed list.
Note When you first configure a port as a trunk, entering the set trunk command always adds all VLANs to the allowed VLAN list for the trunk, even if you specify a VLAN range (any specified VLAN range is ignored). To modify the allowed VLANs list, use a combination of the clear trunk and set trunk commands to specify the allowed VLANs.
To define the allowed VLAN list for a trunk port, perform these tasks in privileged mode:
Step 1  Task: Remove VLANs from the allowed VLANs list for a trunk.
        Command: Console> (enable) clear trunk mod_num/port_num vlans
Step 2  Task: (Optional) Add specific VLANs to the allowed VLANs list for a trunk.
        Command: Console> (enable) set trunk mod_num/port_num vlans
Step 3  Task: Verify the allowed VLAN list for the trunk.
        Command: Console> (enable) show trunk [mod_num/port_num]
This example shows you how to define the allowed VLANs list for trunk port 2/1 to allow VLANs 1–100 and VLANs 500–1005; it also shows you how to verify the allowed VLAN list for the trunk:
Console> (enable) set trunk 2/1 1-100,500-1005
Removing Vlan(s) 101-499 from allowed list.
Port 2/1 allowed vlans modified to 1-100,500-1005.
Console> (enable) show trunk 2/1
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 2/1      desirable    isl            trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 2/1      1-100, 500-1005

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 2/1      1,521-524

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 2/1      1,521-524
Console> (enable)
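The following Python script is an added example, not part of the Cisco documentation: it parses show trunk output in the layout shown above, compares each trunk's allowed VLANs list with the VLANs the operator says the trunk needs, and builds the clear trunk or set trunk command that would close the gap, leaving VLAN 1 in place. The sample output and the required-VLAN list for port 2/1 are constructed.

```python
"""Compare `show trunk` allowed-VLAN lists with what each trunk needs
(added example, not Cisco code)."""
import re

# Constructed sample in the layout of the `show trunk` output on this page.
SAMPLE = """\
Console> (enable) show trunk
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 2/1      desirable    dot1q          trunking      1
Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 2/1      1-1005, 1025-4094
Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 2/1      1,5,10-32,101-120
Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 2/1      5,10-32,101-120
Console> (enable)
"""

SECTIONS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}
ROW = re.compile(r"^\s*(\d+/\d+)\s+(.*\S)\s*$")  # "mod/port  rest of row"


def expand_vlans(spec):
    """'1-100, 500-1005' -> set of VLAN numbers."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def compress_vlans(vlans):
    """Set of VLAN numbers -> '1-100,500-1005' (the form the commands take)."""
    ranges = []
    for v in sorted(vlans):
        if ranges and v == ranges[-1][1] + 1:
            ranges[-1][1] = v
        else:
            ranges.append([v, v])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges)


def parse_show_trunk(text):
    """Return {port: {mode, encapsulation, status, native, allowed, ...}}."""
    trunks, section = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):          # a header row opens a section
            section = line[4:].strip()
            continue
        m = ROW.match(line)
        if not m:
            continue                         # rules, prompts, blank lines
        port, rest = m.groups()
        entry = trunks.setdefault(port, {})
        if section in SECTIONS:
            entry[SECTIONS[section]] = expand_vlans(rest)
        elif section and section.startswith("Mode") and len(rest.split()) == 4:
            mode, encap, status, native = rest.split()
            entry.update(mode=mode, encapsulation=encap, status=status,
                         native=int(native))
    return trunks


def audit_trunks(text, required):
    """required: {port: VLANs that must cross the trunk} (operator-supplied)."""
    report = {}
    for port, t in parse_show_trunk(text).items():
        need = set(required.get(port, ()))
        allowed = t.get("allowed", set())
        excess = allowed - need - {1}  # VLAN 1 cannot be removed (per this page)
        missing = need - allowed
        commands = []
        if excess:
            commands.append(f"clear trunk {port} {compress_vlans(excess)}")
        if missing:
            commands.append(f"set trunk {port} {compress_vlans(missing)}")
        report[port] = {
            # desirable and auto negotiate trunking with the neighbor port
            "negotiates": t.get("mode") in ("desirable", "auto"),
            # VLANs whose traffic can pass over the trunk today but is not needed
            "carried_but_not_needed": compress_vlans(t.get("active", set()) & excess),
            "commands": commands,
        }
    return report


if __name__ == "__main__":
    # Constructed requirement: only VLANs 1-5 need to cross trunk 2/1.
    print(audit_trunks(SAMPLE, {"2/1": range(1, 6)}))
```
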
Configuring EtherChannel
EtherChannel port bundles allow you to group multiple Ethernet ports into a single logical transmission path between the switch and a router, host, or another switch.
Depending on your hardware, you can form an EtherChannel with up to eight compatibly configured Fast or Gigabit Ethernet ports on the switch. In addition, on the Catalyst 4000 family switches, you can configure an EtherChannel using ports from multiple modules. All ports in an EtherChannel must be the same speed. Using the Catalyst 4000 Layer 3 Services module, you can configure a Gigabit EtherChannel with 2 internal or 2 external Gigabit Ethernet ports. To configure a Gigabit EtherChannel connection on the internal ports, you must configure both the internal Layer 2 ports from the supervisor engine console and the internal Layer 3 Gigabit Ethernet ports from the Catalyst 4003 and 4006 Layer 3 Services module console for a channel.
Both Fast and Gigabit EtherChannel bundles can be configured as trunk links. After a channel has been formed, configuring any port in the channel as a trunk applies the configuration to all ports in the channel. Identically configured trunk ports can be configured as an EtherChannel. For more information on EtherChannel, refer to the Software Configuration Guide for your switch.
Creating an EtherChannel
You create an EtherChannel port bundle by specifying the ports in the channel and the channeling mode. When you create an EtherChannel, an administrative group number is assigned automatically if one is not already assigned to the specified ports. In addition, a channel ID is assigned.
To create an EtherChannel port bundle, perform this task in privileged mode:
Step 1  Task: If you are unsure which ports you can configure as an EtherChannel, display the EtherChannel capabilities for the module or switch you are configuring.
        Command: Console> (enable) show port capabilities [mod_num[/port_num]]
Step 2  Task: Create an EtherChannel with the desired ports.
        Command: Console> (enable) set port channel port_list [admin_group] mode {on | off | desirable | auto} [silent | non-silent]
        Note The silent and non-silent keywords function only with the auto and desirable modes.
Step 3  Task: Verify the EtherChannel configuration.
        Command: Console> (enable) show port channel [port_list]
This example shows you how to create an EtherChannel bundle and verify the configuration:
Console> (enable) set port channel 2/1-2 on
Port(s) 2/1-2 are assigned to admin group 57.
Port(s) 2/1-2 channel mode set to on.
Console> (enable) show port channel
Port  Status     Channel              Admin Ch
                 Mode                 Group Id
----- ---------- -------------------- ----- -----
2/1   connected  on                   57    835
2/2   connected  on                   57    835
----- ---------- -------------------- ----- -----
Port  Device-ID                       Port-ID                   Platform
----- ------------------------------- ------------------------- ----------------
2/1   069003103(5500)                 2/1                       WS-C4000
2/2   069003103(5500)                 2/2                       WS-C4000
----- ------------------------------- ------------------------- ----------------
Console> (enable)
Configuring the Layer 3 Gigabit Ethernet Ports
After you have configured the internal Gigabit Ethernet interfaces from the supervisor engine console, enter the session command to access the Catalyst 4000 Layer 3 Services module prompt and configure the internal and external Layer 3 ports on the Catalyst 4000 Layer 3 Services module for interVLAN routing.
These sections describe how to configure the Gigabit Ethernet interfaces on the Catalyst 4000 Layer 3 Services module.
Option 1: Configuring Interfaces as Trunks (Recommended Option)
This procedure shows you how to enable VLAN trunking on the two internal Gigabit Ethernet interfaces. Enabling VLAN trunking requires you to configure the internal Gigabit Ethernet interfaces from the supervisor engine console as well as from the Layer 3 Services module console. When you enable trunking, you configure a subinterface for each allowed VLAN configured on the Catalyst 4000 Layer 3 Services module trunk.
Perform the following steps to enable VLAN trunking on the interfaces (in this procedure, the Catalyst 4000 Layer 3 Services module is in slot 2):
Step 1 Use the set trunk mod_num/port_num command to enable trunking and specify the encapsulation type
on the interface from the supervisor engine prompt:
Cat4000> (enable) set vlan 5 2/1 Vlan 5 modified. Cat4000> (enable) set trunk 2/1 dot1Q 1-5 Port(s) 2/1 trunk mode set to nonegotiate. Port(s) 2/1 trunk type set to dot1Q. Cat4000> (enable) set vlan 6 2/2 Vlan 6 modified. Cat4000> (enable) set trunk 2/2 dot1Q 6-10 Port(s) 2/2 trunk mode set to nonegotiate. Port(s) 2/2 trunk type set to dot1Q. Cat4000> (enable)
Configuring the Module for InterVLAN Routing
Step 2 Use the session mod_num command to access the Layer 3 Services module console prompt:
Cat4000> (enable) session 2
Trying Router...
Connected to Router.
Escape character is `^]'.
router>
a. At the EXEC prompt, enter enable mode:
router> enable
router#
b. At the privileged EXEC prompt, enter global configuration mode:
router# configure terminal
router(config)#
Step 3 Use the interface command to configure subinterfaces for each VLAN at the Catalyst 4000 Layer 3 Services module console prompt.
Note You are required to use the native keyword with the encapsulation command to create the subinterface for the native VLAN. In this example, VLANs 1 and 6 are the native VLANs for each trunk.
router(config)# interface gigabitethernet3.1
router(config-subif)# encapsulation dot1Q 1 native
router(config-subif)# exit
router(config)# interface gigabitethernet3.2
router(config-subif)# encapsulation dot1Q 2
router(config-subif)# ip address ip_address subnet_mask
router(config-subif)# exit
router(config)# interface gigabitethernet3.3
router(config-subif)# encapsulation dot1Q 3
router(config-subif)# ip address ip_address subnet_mask
router(config-subif)# exit
router(config)# interface gigabitethernet3.4
router(config-subif)# encapsulation dot1Q 4
router(config-subif)# ip address ip_address subnet_mask
router(config-subif)# exit
router(config)# interface gigabitethernet3.5
router(config-subif)# encapsulation dot1Q 5
router(config-subif)# ip address ip_address subnet_mask
router(config-subif)# exit
router(config)# interface gigabitethernet4.6
router(config-subif)# encapsulation dot1Q 6 native
router(config-subif)# ip address ip_address subnet_mask
router(config-subif)# exit
router(config)# interface gigabitethernet4.7
router(config-subif)# encapsulation dot1Q 7
router(config-subif)# ip address ip_address subnet_mask
router(config-subif)# exit
router(config)# interface gigabitethernet4.8
router(config-subif)# encapsulation dot1Q 8
router(config-subif)# ip address ip_address subnet_mask
router(config-subif)# exit
router(config)# interface gigabitethernet4.9
router(config-subif)# encapsulation dot1Q 9
router(config-subif)# ip address ip_address subnet_mask
router(config-subif)# exit
router(config)# interface gigabitethernet4.10
router(config-subif)# encapsulation dot1Q 10
router(config-subif)# ip address ip_address subnet_mask
router(config-subif)# end
Note You must configure a subinterface as a native VLAN for each physical interface; otherwise, the main interface (g3 or g4) will be assigned a native VLAN of 1. If the native VLANs do not match on both sides of the connection, packets will be lost.
Option 2: Configuring Interfaces as Gigabit EtherChannels
This procedure shows you how to configure the two internal Gigabit Ethernet interfaces as Gigabit EtherChannel and then enable VLAN trunking on the channel. You can then configure subinterfaces on the channel interface. You configure a subinterface for each allowed VLAN configured on the Catalyst 4000 Layer 3 Services module trunk. For each subinterface, you specify the type of trunking (same as specified on the channel) and then assign an IP address and subnet mask (or IPX address).
Perform the following steps to configure the interfaces as channels (in this procedure, the Catalyst 4000 Layer 3 Services module is in slot 2):
Step 1 Use the set port channel mod/ports command to configure a Gigabit EtherChannel. Before you create the channel, ensure that the ports you intend to channel (in this case, 2/1 and 2/2) belong to the same VLAN:
Cat4000> (enable) set port channel 2/1-2 mode on
Ports 2/1-2 channel mode set to on.
Cat4000> (enable)
Note The trunk mode in Steps 2 and 3, below, must match (auto, desirable, on, or off).
Step 2 Assign the port channel default VLAN to be the same as the 802.1Q native VLAN specified in Step 10:
Cat4000> (enable) set vlan 1 2/1-2
VLAN  Mod/Ports
----  -----------------------
1     2/1-4,2/6-48
      3/1-6
Cat4000> (enable)
Step 3 Use the set trunk mod_num/port_num command to enable trunking and specify an encapsulation type on the EtherChannel ports (specifying the encapsulation type on one of the EtherChannel ports enables trunking and enables the specified encapsulation on all ports in the channel):
Cat4000> (enable) set trunk 2/1 on dot1Q 1-10
Port(s) 2/1 trunk mode set to on
Port(s) 2/1 trunk type set to dot1Q 1-10
Cat4000> (enable)
Step 4 Use the session mod_num command to access the Layer 3 Services module console prompt:
Cat4000> (enable) session 2
Trying Router...
Connected to Router.
Escape character is `^]'.
router>
a. At the EXEC prompt, enter enable mode:
router> enable
router#
b. At the privileged EXEC prompt, enter global configuration mode:
router# configure terminal
router(config)#
Step 5 Create an EtherChannel (portchannel) interface. The channel number can be from 1 to 64.
router(config)# interface port-channel channel_number
Step 6 Assign the g3 and g4 interfaces to the port channel:
router(config)# interface g3
router(config-if)# channel-group channel_number
router(config-if)# exit
router(config)#
Step 7 Repeat Step 6 on the remaining interface.
Step 8 Configure subinterfaces on the port channel interface, one for each allowed VLAN configured on the Catalyst 4000 Layer 3 Services module trunk over which you want to route traffic. Specify the same type of encapsulation as in Step 3.
router(config)# interface port-channel channel_number.vlan_id
router(config-subif)# encapsulation dot1Q vlan_id
router(config-subif)# ip address ip_address subnet_mask
router(config-subif)# exit
Step 9 Repeat Step 8 to create and configure additional subinterfaces on the port channel.
Note Be sure you assign the same native VLAN ID in Step 10 as you assigned in Step 2.
Step 10 Configure a subinterface for the native VLAN by specifying the native keyword with the encapsulation command:
router(config)# interface port-channel channel_number.vlan_id
router(config-subif)# encapsulation dot1Q vlan_id native
router(config-subif)# ip address ip_address subnet_mask
router(config-subif)# exit
Option 3: Configuring Interfaces as Independent Links
This procedure shows you how to configure the internal Gigabit Ethernet interfaces to route between two VLANs. In this example, VLANs 4 and 5 are configured on a Catalyst 4000 family switch. Trunking is not enabled on any interface because there is only one VLAN on each physical interface. Perform the following steps to configure the interfaces independently (in this procedure the Catalyst 4000 Layer 3 Services module is in slot 2):
Step 1 Use the set vlan vlan_num mod_num/port_num command to add the two Catalyst 4000 Layer 3 Services module interfaces to a VLAN:
Console> (enable) set vlan 4 2/1
VLAN 4 modified.
VLAN 1 modified.
.
.
Console> (enable) set vlan 5 2/2
VLAN 5 modified.
VLAN 1 modified.
Step 2 Use the session mod_num command to access the Catalyst 4000 Layer 3 Services module prompt:
Console> (enable) session 2
Trying Router-2...
Connected to Router-2.
Escape character is `^]'.
router>
a. At the EXEC prompt, enter enable mode:
router> enable
router#
b. At the privileged EXEC prompt, enter global configuration mode:
router# configure terminal
router(config)#
Step 3 Assign an IP address and subnet mask (or IPX address) to the corresponding routed interface (g3 and g4).
router(config)# interface g3
router(config-if)# ip address ip_address subnet_mask
router(config-if)# exit
router(config)# interface g4
router(config-if)# ip address ip_address subnet_mask
router(config-if)# exit
Autostate Feature
The autostate feature shuts down (or brings up) Catalyst 4000 Layer 3 Services module interfaces or subinterfaces when the last external port on a VLAN goes down and when the first external port on the VLAN is brought up.
When the last external port on a VLAN goes down, all Catalyst 4000 Layer 3 Services module interfaces or subinterfaces on that VLAN are shut down by the autostate feature unless sc0 is on the VLAN or there is another module in the chassis. If the other module in the chassis has an interface or subinterface in the VLAN, then the external port will stay up. When a Catalyst 4000 Layer 3 Services module interface goes down, the following message is reported to the console for each Catalyst 4000 Layer 3 Services module interface:
%AUTOSTATE-6-SHUT_DOWN
When the first external port on the VLAN is brought back up, all Catalyst 4000 Layer 3 Services module interfaces on that VLAN that were previously shut down are brought up. The following message is reported to the console for each Catalyst 4000 Layer 3 Services module interface:
%AUTOSTATE-6-BRING_UP
Use the show autostate entries command to see what Catalyst 4000 Layer 3 Services module interfaces have been shut down or brought up by the autostate feature:
Router# show autostate entries
Port-channel1.5
Port-channel1.6
Port-channel1.4
Router#
It is important to note that the Catalyst 4000 family switch does not have knowledge of, or control over, the Catalyst 4000 Layer 3 Services module configuration (just as the Catalyst switch does not have knowledge of, or control over, external router configurations). Consequently, the autostate feature will not work on Catalyst 4000 Layer 3 Services module interfaces if the module is not properly configured. For example, consider the following Catalyst 4000 Layer 3 Services module trunk configuration:
interface GigabitEthernet3.200
encap dot1Q 200
.
.
The Gigabit Ethernet 3.200 interface will not be affected by the autostate feature if any of the following configuration errors have been made:
VLAN 200 is not configured on the switch supervisor engine
Trunking is not configured on the corresponding Gigabit Ethernet switch port
Trunking is configured, but VLAN 200 is not an allowed VLAN on that trunk
Configuring Access Control Lists
This section describes the access control list (ACL) features supported on the Catalyst 4000 Layer 3 Services module.
Understanding ACLs
You can filter packet flow into or out of the Catalyst 4000 Layer 3 Services module interfaces using ACLs. ACLs, which are sometimes called filters, allow you to restrict network use by certain users or devices. They are created for each protocol and are applied on the interface for either inbound or outbound traffic. They can be configured for all routed network protocols (IP or IPX) to filter packets for the protocol as they pass through a router. Only one ACL filter can be applied per direction per protocol per (sub)interface.
When you create ACLs, define criteria to apply to each packet processed by the switch router; the switch router decides whether to forward or block the packet based on whether or not the packet matches the criteria in your list. Packets that do not match criteria in your list are automatically blocked by the implicit “deny all traffic” criteria statement at the end of every ACL.
Traffic that is switched by interface modules does not support ACL logging. ACL logging is supported for all traffic that goes to the CPU.
Note The enhanced Gigabit Ethernet interface module supports TCAM sizes of 32K (32-bit) entries. The combined size of the protocol regions and access lists should not exceed your TCAM space. The default size of the ACL in a 32K TCAM is 512 (128-bit) entries. Before you configure the access-list region in TCAM, make sure that TCAM has enough space to accommodate the access-list region. You can change the ACL CAM size when you are using SDM commands. If you are planning to support bigger ACLs, you must reclaim CAM space from other areas, such as IPX, IP, or bridging.
When you are configuring ACLs on the Catalyst 4000 Layer 3 Services module, keep the following restrictions in mind:
ACLs are supported only on Gigabit Ethernet ports and corresponding Gigabit Ethernet subinterfaces.
ACLs are not supported on Bridge-Group Virtual Interface (BVI), Fast EtherChannel (FEC), Gigabit EtherChannel (GEC), or Fast Ethernet interfaces.
Reflexive and dynamic ACLs are not supported on the Catalyst 4000 Layer 3 Services module.
Access violations accounting is not supported on the Catalyst 4000 Layer 3 Services module.
ACL logging is supported only for packets going to the CPU. ACL logging is not supported for switched packets.
IP ACLs
The following styles of ACLs for IP are supported:
Standard IP ACLs; these use source addresses for matching operations
Extended IP ACLs; these use source and destination addresses for matching operations and optional protocol type and port numbers for finer granularity of control
Named ACLs; these use source addresses for matching operations
Note By default, the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end. With standard ACLs, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the mask.
After creating an ACL, you must apply it to an interface, as described in the “Applying the ACL to an Interface” section on page 64.
Named IP ACLs
You can identify IP ACLs with an alphanumeric string, but it must contain at least one alphabetic character. Named IP ACLs allow you to configure more IP ACLs in a router than if you were to use numbered ACLs. If you identify your ACL with an alphabetic string instead of a numeric string, the mode and command syntax are slightly different.
Consider the following before configuring named ACLs:
A standard ACL and an extended ACL cannot have the same name.
Numbered ACLs are also available, as described in the section, “Creating Numbered Standard and Extended IP ACLs, page 62.”
User Guidelines
Follow these guidelines when you configure IP network access control:
You can program ACL entries into TCAM.
You do not have to enter a deny everything statement at the end of your ACL; it is implicit.
You can enter ACL entries in any order without any performance impact.
For every eight TCAM entries, the switch router uses one entry for TCAM management purposes.
You must have unique ACL names across all protocols.
Do not set up conditions that result in packets getting lost. This situation can happen when a device or interface is configured to advertise services on a network that has ACLs that deny these packets.
Creating IP ACLs
You can create numbered standard, extended, or named standard IP ACLs on the Catalyst 4000 Layer 3 Services module.
Creating Numbered Standard and Extended IP ACLs
You can create numbered standard and extended IP ACLs using source addresses, abbreviations, or by using a number.
To create a numbered standard IP ACL using a source address and wildcard, perform the following task, in global configuration mode:
Task: Define a standard IP ACL using a source address and wildcard.
Command: Router(config)# access-list access-list-number {deny | permit} source [source-wildcard]
To create a numbered standard IP ACL using abbreviations for all sources, perform the following task, in global configuration mode:
Task: Define a standard IP ACL using an abbreviation for the source and source mask of 0.0.0.0 255.255.255.255.
Command: Router(config)# access-list access-list-number {deny | permit} any
To create a numbered extended IP ACL using a number and defining access conditions, perform the following task in global configuration mode:
Task: Define an extended IP ACL number and the access conditions.
Command: Router(config)# access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos]
To create a numbered extended IP ACL using abbreviations for all sources, perform the following task in global configuration mode:
Task: Define an extended IP ACL using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255.
Command: Router(config)# access-list access-list-number {deny | permit} protocol any any
To create a numbered extended IP ACL using abbreviations for both the source and destination, perform the following task in global configuration mode:
Task: Define an extended IP ACL using an abbreviation for a source and source wildcard of source 0.0.0.0, and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.
Command: Router(config)# access-list access-list-number {deny | permit} protocol host source host destination
Creating Named Standard IP ACLs
To create a named standard IP ACL, perform the following procedure, beginning in global configuration mode:
Step 1
Task: Define a standard IP ACL, using an alphabetic name.
Command: Router(config)# ip access-list standard name
Step 2
Task: In access-list configuration mode, specify one or more conditions that are to be permitted or denied. This setting determines whether the packet is passed or dropped.
Command: Router(config)# deny {source [source-wildcard] | any}
or
Router(config)# permit {source [source-wildcard] | any}
Step 3
Task: Exit access-list configuration mode.
Command: Router(config)# exit
Creating Named Extended IP ACLs
To create a named extended IP ACL, perform the following tasks, beginning in global configuration mode:
Step 1
Task: Define an extended IP ACL, using an alphabetic name.
Command: Router(config)# ip access-list extended name
Step 2
Task: In access-list configuration mode, specify the conditions that are to be allowed or denied.
Command: Router(config)# {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos]
Task: Define an extended IP ACL using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255.
Command: Router(config)# {deny | permit} protocol any any
Task: Define an extended IP ACL using an abbreviation for a source and source wildcard of source 0.0.0.0 and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.
Command: Router(config)# {deny | permit} protocol host source host destination
Applying the ACL to an Interface
After you create an ACL, you can apply it to one or more interfaces. ACLs can be applied on the inbound or outbound direction of an interface. When controlling access to an interface, you can use a name or number.
To control access to the IP interface, perform the following task in interface configuration mode:
Task: Control access to an interface.
Command: Router(config)# ip access-group {access-list-number | name} {in | out}
If the ACL is applied on an interface in the inbound direction, the switch router performs one of the following operations:
If a standard ACL is applied, the switch router compares the source IP address with the ACL.
If an extended ACL is applied, the switch router compares the 5-tuple against the ACL.
If the comparison succeeds, the packet is permitted into the router and the switch router will make a decision to forward the packet to a particular interface. If the comparison fails, the packet will be dropped.
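The comparison described in this section, for either direction, as an added Python example that is not part of the Cisco note: it parses numbered access-list lines in the syntax shown earlier (any, host, address plus wildcard) and returns permit or deny for a packet, falling through to the implicit deny. Assumptions: IP ACL numbers 1 to 99 are standard and 100 to 199 are extended (the usual IOS numbering, not stated on this page), entries are checked top-down with the first match deciding, the precedence and tos options are rejected instead of modelled, and the sample configuration is constructed.

```python
import ipaddress

# Constructed sample configuration (not from the original note).
SAMPLE_CONFIG = """\
access-list 10 permit 192.168.5.0 0.0.0.255
access-list 10 deny 192.168.6.7
access-list 10 permit 192.168.6.0 0.0.0.255
access-list 110 permit tcp host 10.1.1.5 10.2.0.0 0.0.255.255
access-list 110 deny ip any host 10.2.0.9
access-list 110 permit udp any any
"""

ANY = (0, 0xFFFFFFFF)   # the "any" abbreviation: 0.0.0.0 255.255.255.255


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens, wildcard_optional):
    """Consume 'any', 'host A' or 'A [wildcard]'; return (address, wildcard)."""
    if not tokens:
        raise ValueError("address expected")
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":                     # abbreviation for A 0.0.0.0
        if not tokens:
            raise ValueError("host address expected")
        return _ip(tokens.pop(0)), 0
    addr = _ip(tok)
    if not tokens:
        if wildcard_optional:             # standard ACL, mask omitted: 0.0.0.0 assumed
            return addr, 0
        raise ValueError("wildcard expected")
    return addr, _ip(tokens.pop(0))


def parse_acls(config):
    """Return {acl_number: [(action, protocol, source, destination), ...]}."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        if 1 <= number <= 99:             # standard: matches on source only
            proto, src, dst = "ip", _take_addr(rest, True), ANY
        elif 100 <= number <= 199:        # extended: protocol, source, destination
            proto = rest.pop(0)
            src = _take_addr(rest, False)
            dst = _take_addr(rest, False)
        else:
            raise ValueError(f"not an IP ACL number: {number}")
        if rest:                          # e.g. precedence/tos, not modelled here
            raise ValueError(f"unsupported options {rest} in: {line!r}")
        acls.setdefault(number, []).append((action, proto, src, dst))
    return acls


def _covers(spec, address):
    base, wildcard = spec
    # Wildcard bits set to 1 are ignored; every other bit must be equal.
    return ((base ^ address) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(entries, src, dst="0.0.0.0", proto="ip"):
    """Return 'permit' or 'deny' for one packet; the first matching entry wins."""
    s, d = _ip(src), _ip(dst)
    for action, e_proto, e_src, e_dst in entries:
        if e_proto not in ("ip", proto):  # an "ip" entry matches every protocol
            continue
        if _covers(e_src, s) and _covers(e_dst, d):
            return action
    return "deny"                         # implicit deny at the end of every ACL


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    for src in ("192.168.5.20", "192.168.6.7", "192.168.6.8", "172.16.0.1"):
        print("ACL 10 ", src, "->", evaluate(acls[10], src))
    for pkt in (("10.1.1.5", "10.2.3.4", "tcp"), ("10.1.1.6", "10.2.3.4", "tcp"),
                ("10.9.9.9", "10.2.0.9", "udp"), ("10.9.9.9", "10.2.0.10", "udp")):
        print("ACL 110", pkt, "->", evaluate(acls[110], *pkt))
```

Running candidate ACL lines through a check like this before applying them shows which flows reach the implicit deny, which matters here because the module sends no ICMP Host Unreachable for denied packets.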
If the ACL is applied on an interface in the outbound direction, the switch router performs one of the following operations:
If a standard ACL is applied, the switch router compares the source IP address with the ACL.
If an extended ACL is applied, the switch router compares the 5-tuple against the ACL.
If the comparison succeeds, the switch router will transmit the packet out of the interface. If the comparison fails, the packet will be dropped.
Note An ICMP Host Unreachable message is not sent by the Catalyst 4000 Layer 3 Services module when a packet is discarded due to a deny ACL.
IPX ACLs
The following styles of ACLs for IPX are supported:
Standard IPX ACLs
Named IPX ACLs
To control access to IPX networks, you must create ACLs. Once you have created the ACLs you can then apply them to individual interfaces using filters, as described in the “Applying the IPX ACL to an Interface” section on page 66.
You can create ACLs using numbers or names; names are alphanumeric strings. If you use all numbers to identify your ACLs, you are limited to 100 ACLs per filter type. If you use alphanumeric names to identify your ACLs, you can have an unlimited number of ACLs.
Note In the Catalyst 4000 Layer 3 Services module, the processing performance does not depend on the number of ACEs in the ACL.
Named IPX ACLs allow you to maintain security by using a separate and easily identifiable ACL for each user or interface. Also, named IPX ACLs restrict traffic based on the source network number. You can further restrict traffic by specifying a destination address and a source and destination address mask. Standard IPX ACLs use numbers (from 800 to 899) or alphanumeric strings to identify them.
In the Catalyst 4000 Layer 3 Services module, ACLs are applied to the Gigabit Ethernet interface. Only generic filters for inbound and outbound packets based on the contents of the IPX network header are supported.
User Guidelines
Follow these guidelines when you configure IPX network access control:
You can program ACL entries into TCAM.
You do not have to enter a deny everything statement at the end of your ACL; it is implicit.
You can enter ACL entries in any order without any impact on performance. This is true for all TCAM-based support for access lists.
For every eight TCAM entries, the switch router uses one entry for TCAM management purposes.
You must have unique ACL names across all protocols.
Do not set up conditions that result in packets getting lost. This situation can happen when a device or interface is configured to advertise services on a network that has ACLs that deny these packets.
IPX-extended ACL numbers 900 to 999 and the names that identify them are not supported on the Catalyst 4000 Layer 3 Services module.
Creating IPX ACLs
You can create numbered or named IPX ACLs on the Catalyst 4000 Layer 3 Services module. You can use IPX ACLs as generic, routing, and broadcast filters.
Note The Catalyst 4000 Layer 3 Services module does not support the .source-node and source-node-mask command variables.
Creating IPX ACLs Using Numbers
To create IPX ACLs using numbers, perform the following task in global configuration mode:
Task: Create a standard IPX ACL using a number.
Command: Router(config)# access-list access-list-number {deny | permit} source-network [destination-network [.destination-node [destination-node-mask]]]
Creating IPX ACLs Using Names
To create a named standard IPX ACL, perform the following tasks in global configuration mode:
Step 1
Task: Define a standard IPX ACL using a name.
Command: Router(config)# ipx access-list standard name
Step 2
Task: In access-list configuration mode, specify one or more conditions that are to be allowed or denied. The condition determines whether the packet is passed or dropped.
Command: Router(config)# {deny | permit} source-network [destination-network [.destination-node [destination-node-mask]]]
Step 3
Task: Exit access-list configuration mode.
Command: Router(config)# exit
Applying the IPX ACL to an Interface
IPX ACLs determine which data packets to receive from or send to an interface, based on the packet’s source and destination addresses, IPX protocol type, and source and destination socket numbers.
To create an IPX ACL, create a standard or an extended access list as described in the “Creating IPX ACLs” section and then apply the ACL to an interface.
To apply an IPX ACL to an interface, perform the following task in interface configuration mode:
Task: Apply a generic filter to an interface.
Command: Router(config)# ipx access-group {access-list-number | name} [in | out]
Modifying ACL TCAM Size
You can change the TCAM size by entering the sdm access-list command. For more information on ACL TCAM sizes, see the “Configuring Access List Size in TCAM” section on page 77.
Note To increase the ACL TCAM size, you must decrease the TCAM size of another region, such as IP, IPX, IP multicast, or bridging.
Caution You will need to increase the TCAM size if you see the following error message:
Warning:Programming TCAM entries failed
Please remove last ACL command to re-activate ACL operation.
!<ACL number or name> <IP or IPX> <INPUT_ACL or OUTPUT_ACL> from TCAM group for
!<interface>
Please see the documentation to see if TCAM space can be
increased on this platform to alleviate the problem.
Note The TCAM error message is displayed in real time. It is not logged when the specific ACL is applied to an interface.
Configuring Layer 3 QoS
This section describes the QoS features supported on Gigabit Ethernet interfaces of your Layer 3 Services module. For QoS configuration information on the 10/100 Ethernet switching ports, refer to the Software Configuration Guide for your switch.
This section includes the following subsections:
Overview of Layer 3 Switching QoS
Overview of Scheduling and WRR
Configuring Precedence to WRR Scheduling
Mapping QoS Scheduling at the Interface Level
Configuring Per-Port Traffic Conditioning
Configuring Per-Port Input Rate Limiting
Overview of Layer 3 Switching QoS
Extensive QoS features are built into the Layer 3 Services module architecture to ensure QoS policy enforcement and queuing of the ingress port and weighted round-robin (WRR) scheduling at the egress port.
QoS on the Gigabit Ethernet interfaces is based on IP precedence for partitioning traffic into multiple classes of service. IP precedence uses the three type-of-service (ToS) precedence bits in the IP header to specify class of service (CoS) assignment for each packet.
You can map IP precedence into adjacent technologies (for example, tag switching or ATM) to support end-to-end network QoS policies. This mapping enables you to establish service classes with no changes to existing applications and with no complicated network signaling requirements.
The system obtains IP precedence information from the IP header ToS field. For an incoming IP packet, the first two (most significant) bits of the ToS field determine the delay priority. The Gigabit Ethernet interfaces on the Catalyst 4000 Layer 3 Services module recognize four queue classes (Q-0 to Q-3), which are described in Table 11.
Table 11 Queue Classes
IP Precedence Bits    Delay Priority    Queue Selected
0 0 0                 0 0               Q-0
0 0 1                 0 0               Q-0
0 1 0                 0 1               Q-1
0 1 1                 0 1               Q-1
1 0 0                 1 0               Q-2
1 0 1                 1 0               Q-2
1 1 0                 1 1               Q-3
1 1 1                 1 1               Q-3
The Catalyst 4000 Layer 3 Services module can read the precedence field and switch the packet accordingly, but it cannot reclassify traffic. The edge router or switch is expected to set the precedence field according to its local policy.
The Layer 3 Services module queues packets based on the delay priority and the target next-hop interface.
Note You cannot apply QoS configurations to an EtherChannel, but you can configure QoS on the individual EtherChannel member ports.
Overview of Scheduling and WRR
Frame scheduling becomes more important when an outgoing interface is congested. To handle this situation, you can assign weights to each of the different queues. By assigning weights to the different queues, you can allocate bandwidth to higher priority applications (using IP precedence) while still granting access to lower priority queues. The frame schedule provides each queue the bandwidth that is allotted to it. This mapping is configurable both at the system and interface levels (as described later in this section).
The four queues on any destination interface are configured to be part of the same CoS. Bandwidth is not explicitly reserved for these four queues. Each of the queues is assigned a different WRR-scheduling weight, which determines the way they share the interface bandwidth. The WRR weight is user configurable; you can assign a different WRR weight for each queue.
Tips The higher the WRR weight, the higher the effective bandwidth for that particular queue.
You can find the effective bandwidth (in Mbps) for a particular queue with the following formula:
(W/S) x B = n
Table 12 defines the values used in the bandwidth calculation formula.
Table 12 Bandwidth Calculation Values
W WRR weight of the specified queue
S Sum of the weight of all active queues on the outgoing interface
B Available bandwidth, in Mbps
n Effective bandwidth, in Mbps
For example, if W is 4, S is 15, and B is 100, the formula would be (4/15) x 100 = 26 Mbps, and the effective bandwidth for the specified queue in this example is 26 Mbps.
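The queue selection from Table 11 and the bandwidth formula can be checked against a small scheduler model; this is an added Python example, not code from the Cisco note. Assumptions: the scheduler is modelled as a frame-count WRR over equal-size frames (the note does not describe the module's internal scheduler), the weights are the defaults listed in Table 13, and the ToS byte streams are constructed.

```python
from collections import deque

DEFAULT_WEIGHTS = (1, 2, 3, 4)   # Table 13: WRR weight for precedence values 0..3


def queue_for_tos(tos):
    """Queue class Q-0..Q-3: the two most significant bits of the ToS byte."""
    return (tos >> 6) & 0x3


def classify(tos_bytes):
    """Place one equal-size frame per ToS byte into its queue."""
    queues = [deque() for _ in range(4)]
    for tos in tos_bytes:
        queues[queue_for_tos(tos)].append(tos)
    return queues


def wrr_schedule(queues, weights, slots):
    """Send up to `slots` frames; each round a queue may send `weight` frames.

    An empty queue is skipped, so its share goes to the queues that are active.
    Returns the number of frames sent from each queue.
    """
    sent = [0] * len(queues)
    while slots > 0 and any(queues):
        for q, weight in enumerate(weights):
            for _ in range(weight):
                if slots == 0 or not queues[q]:
                    break
                queues[q].popleft()
                sent[q] += 1
                slots -= 1
    return sent


def formula_mbps(weight, active_weights, link_mbps):
    """(W/S) x B, with S summed over the active queues only."""
    return weight * link_mbps / sum(active_weights)


def measured_mbps(tos_bytes, weights, slots, link_mbps):
    """Share of the link each queue received; assumes the queues stay backlogged."""
    sent = wrr_schedule(classify(tos_bytes), weights, slots)
    return [n * link_mbps / slots for n in sent]


# Constructed traffic: 1000 frames in each class, then the same without Q-3.
ALL_ACTIVE = [0x00, 0x40, 0x80, 0xC0] * 1000
Q3_IDLE = [0x20, 0x60, 0xA0] * 1000

if __name__ == "__main__":
    print("all queues active:", measured_mbps(ALL_ACTIVE, DEFAULT_WEIGHTS, 1000, 100))
    print("Q-3 idle:         ", measured_mbps(Q3_IDLE, DEFAULT_WEIGHTS, 600, 100))
    print("formula, Q-2 with Q-3 idle:", formula_mbps(3, (1, 2, 3), 100))
```

With Q-3 idle, S drops from 10 to 6, so each remaining queue's share of the link grows even though its weight is unchanged.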
Configuring Precedence to WRR Scheduling
This section describes the Cisco IOS commands necessary to configure QoS mapping at the system and interface levels. The commands described in this section are unique to Catalyst 4000 Layer 3 Services module software.
The Catalyst 4000 Layer 3 Services module software enables QoS-based forwarding by default. If it is disabled, enter the following command to enable QoS forwarding:
# [no] qos switching
Use the no version of this command to disable QoS switching on the entire system.
To configure QoS scheduling at the system level, perform the following tasks in global configuration mode:
Step 1
Task: Set the mapping between IP precedence and the WRR weight. See the command syntax description in Table 13.
Command: Router(config)# qos mapping precedence value wrr-weight weight
Step 2
Task: Return to privileged EXEC mode.
Command: Router(config)# Ctrl-Z
Use the following command syntax to configure QoS scheduling at the system level:
value—The precedence value (0 to 3) is the higher 2 bits of the IP precedence field.
weight—The WRR-scheduling weight (1 to 4). This parameter specifies the weight assigned to
traffic with the given precedence.
To set the precedence back to the default setting for the Catalyst 4000 Layer 3 Services module, use the no version of the qos mapping precedence command.
Table 13 shows the default WRR weights for IP precedence.
Table 13 Default WRR Weights for IP Precedence
IP Precedence    WRR Weight
0                1
1                2
2                3
3                4
Mapping QoS Scheduling at the Interface Level
Configuring QoS mapping at the interface level overrides the system-level mapping. By using the qos mapping precedence wrr-weight command, you can assign different WRR-scheduling weights for traffic destined to any particular interface.
To configure QoS scheduling at the interface level, perform the following tasks in interface configuration mode:
Step 1  Assign a different WRR-scheduling weight for a particular precedence traffic destined to an interface.
        Command: Router(config)# qos mapping [destination dest-interface] precedence value wrr-weight weight
Step 2  Return to privileged EXEC mode.
        Command: Router(config)# Ctrl-Z
The QoS commands are applicable to both Gigabit Ethernet and Fast Ethernet interfaces.
To set the precedence back to the system-level default setting for the Catalyst 4000 Layer 3 Services module, use the no version of the qos mapping precedence wrr-weight command.
The destination interface parameter is optional. When the destination interface parameter is not specified, system-level QoS mapping is configured. If interface-specific QoS mapping is configured for a certain precedence, it takes priority over the system-level QoS mapping for that precedence.
Configuring Per-Port Traffic Conditioning
This section describes the Cisco IOS commands that you need to configure per-port QoS traffic conditioning at the interface level. The commands described in this section are unique to Layer 3 switching software. The Catalyst 4000 Layer 3 Services module supports per-port input rate limiting, output rate limiting, and traffic shaping.
A token bucket is a formal definition of a rate of transfer. The mean rate determines the long-term average transmission rate, and the burst size determines how large traffic bursts can be sent before some traffic exceeds the contract.
Tokens are inserted into the bucket at the mean rate. The depth of the bucket is the burst size. Traffic arriving at the bucket when sufficient tokens are available is said to conform, and the corresponding number of tokens are removed from the bucket. If sufficient tokens are not available, then the traffic is said to be nonconforming.
The rate limiter and the shaper identify traffic violations in an identical manner. They differ, however, in the way they respond to traffic violations. The rate limiter drops the traffic that is not conforming to the traffic contract, whereas the shaper delays excess traffic using a buffer and drops traffic only when the buffer overflows.
Token bucket-based per-port traffic conditioning features support a minimum rate of 32 kbps and have a granularity of 32 kbps. The additional processing associated with these features may affect peak data-forwarding performance, which limits the peak rate at which traffic conditioning may be applied.
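The token bucket described above, and the difference between the rate limiter and the shaper, can be modeled in a few lines of Python. This is an added example, not Cisco code: it assumes tokens are counted in bits, the bucket starts full, the shaper buffer is counted in packets, arrivals are sorted by time, and the function names and the trace are constructed for illustration.

```python
from collections import deque

GRANULARITY_BPS = 32_000  # from the page: minimum rate and granularity are 32 kbps


def validate_rate(mean_rate_bps):
    """Accept only rates the page says can be configured (multiples of 32 kbps)."""
    if mean_rate_bps < GRANULARITY_BPS or mean_rate_bps % GRANULARITY_BPS:
        raise ValueError("mean rate must be a non-zero multiple of 32 kbps")
    return mean_rate_bps


class TokenBucket:
    """Tokens are bits; time is whole milliseconds so the arithmetic stays exact."""

    def __init__(self, mean_rate_bps, burst_bits):
        self.bits_per_ms = validate_rate(mean_rate_bps) // 1000
        self.depth = burst_bits    # bucket depth is the burst size
        self.tokens = burst_bits   # assumption: the bucket starts full
        self.clock_ms = 0

    def advance(self, now_ms):
        """Insert tokens at the mean rate, never beyond the bucket depth."""
        earned = (now_ms - self.clock_ms) * self.bits_per_ms
        self.tokens = min(self.depth, self.tokens + earned)
        self.clock_ms = now_ms

    def take(self, size_bits):
        """Remove tokens for a conforming packet; report nonconforming ones."""
        if size_bits > self.tokens:
            return False
        self.tokens -= size_bits
        return True


def police(arrivals, mean_rate_bps, burst_bits):
    """Rate limiter: nonconforming packets are dropped on arrival."""
    bucket = TokenBucket(mean_rate_bps, burst_bits)
    sent, dropped = [], []
    for t_ms, size in arrivals:
        bucket.advance(t_ms)
        (sent if bucket.take(size) else dropped).append((t_ms, size))
    return sent, dropped


def shape(arrivals, mean_rate_bps, burst_bits, buffer_pkts):
    """Shaper: excess waits in a buffer; drops happen only when it is full."""
    bucket = TokenBucket(mean_rate_bps, burst_bits)
    queue, sent, dropped = deque(), [], []

    def drain(until_ms):
        # Release queued packets whose tokens become available by until_ms.
        while queue:
            arrived, size = queue[0]
            short = max(0, size - bucket.tokens)
            ready = bucket.clock_ms + -(-short // bucket.bits_per_ms)  # ceiling
            if until_ms is not None and ready > until_ms:
                return
            bucket.advance(ready)
            bucket.take(size)
            sent.append((arrived, ready, size))
            queue.popleft()

    for t_ms, size in arrivals:
        drain(t_ms)
        bucket.advance(t_ms)
        if not queue and bucket.take(size):
            sent.append((t_ms, t_ms, size))
        elif size > bucket.depth or len(queue) >= buffer_pkts:
            dropped.append((t_ms, size))   # can never conform, or buffer overflow
        else:
            queue.append((t_ms, size))
    drain(None)
    return sent, dropped


# Constructed trace: (arrival ms, size in bits). A five-packet burst, then idle.
TRACE = [(0, 4000), (1, 4000), (2, 4000), (3, 4000), (4, 4000), (1000, 4000)]

if __name__ == "__main__":
    print("policer:", police(TRACE, 32_000, 8_000))
    print("shaper: ", shape(TRACE, 32_000, 8_000, buffer_pkts=2))
```

On the same trace the rate limiter discards the tail of the burst, while the shaper sends two of those packets late and drops only the one that arrives with the buffer full.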
The per-port traffic conditioning features cannot be enabled on any of the interfaces when IPX routing is enabled; IPX routing cannot be enabled when any of the per-port traffic conditioning features are enabled on any of the interfaces. Transitioning between IPX routing and per-port traffic conditioning involves dynamic downloading of new binaries to the network processor. We recommend that you perform this dynamic downloading under light traffic conditions.
Caution You can configure the Catalyst 4000 Layer 3 Services module to route using either per-port traffic shaping or IPX, but not both. All standard QoS features support IPX routing.
Note Because traffic shaping and policing configurations apply to the physical interface, you cannot configure per-port traffic conditioning features on subinterfaces.
Configuring Per-Port Input Rate Limiting
You can configure rate limiting on an input port on a per-physical port basis. The module monitors traffic rate to verify conformity with the configured policing parameters. If the input traffic rate on a port is nonconforming, the excess traffic is dropped. Input traffic that conforms to the policing parameters is passed through the port without any changes. Input rate limiting applies to all the input traffic and does not differentiate between various kinds of traffic, including traffic such as routing updates.
Rate limiting is applied to all input traffic and is not confined to IP Layer 3 traffic. However, high-priority traffic (such as routing updates or BPDUs) destined to the CPU is not subject to per-port input rate limiting.
To configure per-port input rate limiting at the interface level, perform the following tasks, beginning in interface configuration mode:
Step 1  Assign different rate limits on a per-physical port basis. The first parameter specifies the mean rate, and the second parameter is the burst size.
        Command: Router(config-if)# rate-limit input {32000-100000000} {0-64000}
Step 2  Return to privileged EXEC mode.
        Command: Router(config-if)# end
Step 3  Display the interface configuration to verify changes.
        Command: Router(config)# show run interface {interface_name}
The per-port QoS traffic-conditioning commands are applicable to the Gigabit Ethernet interfaces.
To disable the input rate limiting, use the no version of the rate-limit input command.
The following example shows you how to configure per-port input rate limiting:
Router(config)# interface g3
Router(config-if)# rate-limit input 32000 100
Router(config-if)# end
Router#
Configuring Per-port Shaping
The per-port shaping feature allows you to shape down the output of a port. The module monitors the output traffic rate of the port to verify that traffic leaves the interface at the user-configured shaping rate. When excess traffic comes into the switch, back pressure is applied from the modules to the switch fabric. Excess traffic is queued in the switch fabric. If the switch fabric queues overflow, the traffic is dropped. The per-port shaping feature applies to all output traffic and does not differentiate between various kinds of traffic.
Note You cannot configure both per-port, output-side rate-limiting and shaping on an interface at the same time.
To configure per-port traffic shaping at the interface level, perform the following tasks, beginning in interface configuration mode:
Step 1  Assign different traffic shaping rate limits on a per-physical port basis. The first parameter specifies the mean rate, and the second parameter is the burst size.
        Command: Router(config-if)# traffic-shape rate {32000-100000000} {0-512000}
Step 2  Return to privileged EXEC mode.
        Command: Router(config-if)# end
Step 3  Display the interface configuration to verify changes.
        Command: Router(config)# show run interface {interface_name}
The per-port QoS traffic-shaping commands are applicable to the Gigabit Ethernet interfaces.
To disable per-port traffic shaping, use the no version of the traffic-shape rate command.
The following example shows you how to configure per-port traffic shaping:
Router(config)# interface g4
Router(config-if)# traffic-shape rate 32000 100
Router(config-if)# end
Router#
Configuring Per-Port Output Rate Limiting
The per-port output rate limiting feature allows you to limit the traffic rate of a port. The module monitors the output traffic rate of the port and checks for non-conforming traffic. The non-conforming output traffic is dropped, and the conforming output traffic is sent out.
Caution When you enable per-port traffic shaping and rate limiting on a Gigabit Ethernet interface on a Catalyst 4000 Layer 3 Services module, you will be unable to use IPX routing.
Note You cannot configure both per-port, output-side rate-limiting and shaping on an interface at the same time.
To configure per-port output rate limiting at the interface level, perform the following tasks, beginning in interface configuration mode:
Step 1  Assign different rate limits on a per-physical port basis.
        Command: Router(config-if)# rate-limit output {32000-100000000} {0-64000}
Step 2  Return to privileged EXEC mode.
        Command: Router(config-if)# end
Step 3  Display the interface configuration to verify changes.
        Command: Router(config-if)# show run interface {interface_name}
The per-port output rate-limiting commands are applicable to both Gigabit Ethernet and Fast Ethernet interfaces.
To disable per-port output rate-limiting, use the no version of the rate-limit output command.
The following example shows you how to configure per-port output rate-limiting:
Router(config)# interface g3
Router(config-if)# rate-limit output 32000 100
Router(config-if)# end
Router#
Monitoring and Verifying the QoS Configuration
To verify the QoS configuration, perform the following tasks beginning in privileged EXEC mode:
Step 1  Verify that QoS-based switching is enabled.
        Command: Router# show qos switching
Step 2  Display effective mapping at either the system level or interface level.
        Command: Router# show qos mapping [destination dest-interface]
Step 3  Display the input port QoS parameters.
        Command: Router# show epc port-qos interface interface input
Configuring the Switching Database Manager
This section describes the switching database manager (SDM) features supported on the Layer 3 Services module and how to configure them.
Overview of the SDM
Gigabit Ethernet interfaces use the forwarding engine and ternary content-addressable memory (TCAM) to implement Layer 3 switching. The SDM is the Layer 3 software subsystem that manages the Layer 3 switching information maintained in TCAM.
SDM in Layer 3 switching organizes the switching information in TCAM into protocol-specific regions and configures the size of these protocol regions. SDM enables exact-match and longest-match address searches, which result in high-speed forwarding.
The forwarding engine on the Gigabit Ethernet interfaces performs packet processing on multiple channels simultaneously and extracts the packet header information. It uses this packet header information to issue exact-match or longest-match address searches in the switching information stored in TCAM.
TCAM identifies the location index of the Layer 2 or Layer 3 address and conveys it to the forwarding engine. The forwarding engine uses this location index to derive information associated with each Layer 2 and Layer 3 address.
SDM Regions
SDM partitions TCAM space into multiple protocol-specific regions and interacts with the individual protocol control layers to store Layer 3 switching information. SDM consists of these two types of regions:
Exact-match region—The exact-match region consists of Layer 3 entries for multiple protocol regions, such as IP adjacencies and IPX node.
Longest-match region—Each longest-match region consists of multiple buckets or groups of Layer 3 address entries organized in decreasing order by mask length. All entries within a bucket share the same mask value and key size. The buckets can change their size dynamically by borrowing address entries from neighboring buckets.
TCAM space consists of 32K entries, and each entry is 32 bits wide. Because SDM is responsible for managing TCAM space, SDM partitions the TCAM space for each protocol region based on user configuration. Although the maximum size of all protocol regions is fixed, you can reconfigure the size of each protocol region. A change in the partition configuration takes effect only after the next system reboot.
Table 14 lists default partitioning for each protocol region in TCAM.
Table 14 Default Partitioning per TCAM Protocol Region
Protocol Region Lookup Type Key Size Default Size
ip-adjacency Exact-match 32 bits 2048
ipx-node Exact-match 64 bits 2048
ip-prefix Longest-match 32 bits 8192
ipx-network Exact-match 32 bits 4096
ip-mcast Longest-match 64 bits 3072
MAC-address Exact-match 64 bits 1024
access-list First-match 128 bits 1024
UDP-flooding Exact-match 64 bits 256
IPX Direct Exact-match 32 bits 224
Configuring SDM
This section describes how to configure SDM. This section includes the commands required to configure the autolearn feature in SDM and the commands required to configure the size of the SDM regions. The commands described in this section are unique to Layer 3 switching software.
Configuring SDM Regions
The protocol region size in SDM is represented by the number of 32-bit or 64-bit entries. The combined size of all the application regions should be calculated in terms of 32-bit TCAM entries and should not exceed 32K, which is the total TCAM size.
Note Although the size of the whole protocol region is configured by default, you can reconfigure it. The reconfigured size of the protocol region is effective only after the next system reboot.
To configure the SDM size for each protocol region, perform the following tasks in global configuration mode:
Step 1  Set the name of the protocol region whose size you want to configure. You can enter the size as an absolute number of entries or as multiples of 1K (that is, 1024) entries.
        Command: Router(config-if)# sdm size region-name {num-entries | k-entries num-k-entries}
Step 2  Return to privileged EXEC mode.
        Command: Router(config-if)# Ctrl-Z
In the following example we configure 2048 entries for the IP-Prefix region:
4232-L3# configure terminal
4232-L3(config)# sdm size ip-prefix k-entries 2
4232-L3(config)# Ctrl-Z
The combined size entered for all the protocol regions should not exceed 32K, which is the total TCAM size. To display the supported size of SDM, use the show sdm size command from global configuration mode.
Router# show sdm size
Switching Database Region Sizes :
IPX Direct Network :256 32-bit entries
IP Adjacency :2048 32-bit entries
IPX Node :1024 64-bit entries
IP Prefix :2048 32-bit entries
IPX Network :2048 32-bit entries
IP Multicast :1024 64-bit entries
MAC Addr :2048 64-bit entries
Access List :1024 128-bit entries
The following example borrows 1K 32-bit entries from the IPX-network region and adds them to the ACL region, which becomes 1280 128-bit entries:
Router# configure terminal
Router(config)# sdm size ipx-network k-entries 1
Router(config)# sdm access-list 1280
Router(config)# end
After you reload the Catalyst 4000 Layer 3 Services module, the show sdm size command will display the SDM size:
Router# show sdm size
Switching Database Region Sizes :
IPX Direct Network :256 32-bit entries
IP Adjacency :2048 32-bit entries
IPX Node :1024 64-bit entries
IP Prefix :2048 32-bit entries
IPX Network :1024 32-bit entries
IP Multicast :1024 64-bit entries
MAC Addr :2048 64-bit entries
Access List :1280 128-bit entries
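Because a resized region takes effect only after a reboot, it helps to check the TCAM budget for the borrowing example above before reloading. The following Python code is an added example, not Cisco code: it assumes an entry with an N-bit key costs N/32 of the 32-bit TCAM entries (consistent with trading 1K 32-bit entries for 256 128-bit entries above), and its function names are hypothetical.

```python
import re

TCAM_32BIT_ENTRIES = 32 * 1024   # from the page: 32K entries, each 32 bits wide

# Table 14 defaults: region -> (key size in bits, number of entries)
TABLE_14_DEFAULTS = {
    "ip-adjacency": (32, 2048), "ipx-node": (64, 2048), "ip-prefix": (32, 8192),
    "ipx-network": (32, 4096), "ip-mcast": (64, 3072), "MAC-address": (64, 1024),
    "access-list": (128, 1024), "UDP-flooding": (64, 256), "IPX Direct": (32, 224),
}

# "show sdm size" output from the page, before the borrowing example is applied.
SHOW_SDM_SIZE = """\
Switching Database Region Sizes :
IPX Direct Network :256 32-bit entries
IP Adjacency :2048 32-bit entries
IPX Node :1024 64-bit entries
IP Prefix :2048 32-bit entries
IPX Network :2048 32-bit entries
IP Multicast :1024 64-bit entries
MAC Addr :2048 64-bit entries
Access List :1024 128-bit entries
"""

REGION_LINE = re.compile(
    r"^\s*(?P<name>.+?)\s*:\s*(?P<count>\d+)\s+(?P<bits>\d+)-bit entries\s*$")


def parse_show_sdm_size(text):
    """Return {region: (key bits, entries)}; the header line is skipped."""
    regions = {}
    for line in text.splitlines():
        match = REGION_LINE.match(line)
        if match:
            regions[match["name"]] = (int(match["bits"]), int(match["count"]))
    return regions


def cost(bits, count):
    """Size of one region in 32-bit TCAM entries (assumed: bits/32 per entry)."""
    if bits <= 0 or bits % 32:
        raise ValueError("key size must be a positive multiple of 32 bits")
    return count * (bits // 32)


def used(regions):
    """Combined size of all regions in 32-bit TCAM entries."""
    return sum(cost(bits, count) for bits, count in regions.values())


def resize(regions, name, count):
    """Return a new plan with one region resized; refuse plans over 32K."""
    plan = dict(regions)
    bits, _ = plan[name]
    plan[name] = (bits, count)
    if used(plan) > TCAM_32BIT_ENTRIES:
        raise ValueError(f"plan needs {used(plan)} of {TCAM_32BIT_ENTRIES} entries")
    return plan


def borrow(regions, donor, donor_count, receiver):
    """Shrink donor to donor_count and give the freed space to receiver."""
    d_bits, d_old = regions[donor]
    r_bits, r_old = regions[receiver]
    freed = cost(d_bits, d_old) - cost(d_bits, donor_count)
    if freed < 0:
        raise ValueError("the donor region must shrink")
    gained = freed // (r_bits // 32)   # whole receiver entries that fit
    plan = resize(resize(regions, donor, donor_count), receiver, r_old + gained)
    return plan, gained


if __name__ == "__main__":
    current = parse_show_sdm_size(SHOW_SDM_SIZE)
    plan, gained = borrow(current, "IPX Network", 1024, "Access List")
    print("Access List gains", gained, "entries ->", plan["Access List"])
    print("32-bit entries used:", used(plan), "of", TCAM_32BIT_ENTRIES)
```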
The following example shows the IP-adjacency and IP-prefix protocol regions configured to the maximum size possible, as the other regions are configured to the minimum size possible in the 32K TCAM. The combined size for all the protocol regions should not exceed the 32K TCAM size.
Router# show sdm size
Switching Database Region Sizes :
IPX BVI Network :32 32-bit entries
IP Adjacency :16240 32-bit entries
IPX Node :32 64-bit entries
IP Prefix :16240 32-bit entries
IPX Network :32 32-bit entries
IP Multicast :32 64-bit entries
MAC Addr :32 64-bit entries
Access List :512 128-bit entries
Configuring Access List Size in TCAM
The Catalyst 4000 Layer 3 Services module supports TCAM sizes of 32K. The combined size of the protocol regions and access lists should not exceed your TCAM space. The default size of the access lists region in a 32K TCAM is 1024 entries. You can use the sdm access-list command to partition the TCAM space for access lists to overwrite this default.
To partition the TCAM space for access lists, perform the following task in global configuration mode:
Task: Set the name of the protocol region for which you want to configure the size.
Command: Router(config-if)# sdm access-list num-entries
Before you configure the access-list region in TCAM, resize the other regions so that TCAM has enough space to accommodate the access-list region. Use the show sdm internal all-regions command to find out how much space is available in TCAM.
In the following example we configure 8192 entries for the access list region in TCAM:
Router# configure terminal
Router(config)# sdm access-list 8192
Router(config)# end
Configuring SDM Autolearn
The SDM autolearn feature applies to longest-match type regions only, not exact-match regions. For a list of longest-match and exact-match regions, see Table 14.
In the longest-match regions, SDM groups entries into buckets based on their mask lengths. The size of each bucket in the protocol region depends on the number of same mask length entries SDM has learned. With autolearn enabled, SDM automatically saves the mask-length distribution (bucket size distribution). SDM uses this information to set up the bucket partitions after a system reset. If autolearn is not enabled, the size of each bucket will return to a predefined default size after a system reset. SDM will then have to reconfigure the bucket size when protocol entries are learned.
The autolearn feature is enabled by default. The no form of the sdm autolearn command disables the SDM autolearn feature. You can reenable autolearn by entering the sdm autolearn command from global configuration mode, as shown in this example:
4232-L3# configure terminal
4232-L3(config)# sdm autolearn
4232-L3(config)# Ctrl-Z
Obtaining Documentation
The following sections explain how to obtain documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the following URL:
http://www.cisco.com
Translated documentation is available at the following URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Ordering Documentation
Cisco documentation is available in the following ways:
Registered Cisco Direct Customers can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/cgi-bin/order/order_root.pl
Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:
http://www.cisco.com/go/subscription
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click Leave Feedback at the bottom of the Cisco Documentation home page. After you complete the form, print it out and fax it to Cisco at 408 527-0730.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:
Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you to
Streamline business processes and improve productivity
Resolve technical issues with online support
Download and test software packages
Order Cisco learning materials and merchandise
Register for online skill assessment, training, and certification programs
You can self-register on Cisco.com to obtain customized information and service. To access Cisco.com, go to the following URL:
http://www.cisco.com
Technical Assistance Center
The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available through the Cisco TAC: the Cisco TAC Web Site and the Cisco TAC Escalation Center.
Inquiries to Cisco TAC are categorized according to the urgency of the issue:
Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
Which Cisco TAC resource you choose is based on the priority of the problem and the conditions of service contracts, when applicable.
Cisco TAC Web Site
The Cisco TAC Web Site allows you to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to the following URL:
http://www.cisco.com/tac
All customers, partners, and resellers who have a valid Cisco services contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register:
http://www.cisco.com/register/
If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com registered user, you can open a case online by using the TAC Case Open tool at the following URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC Web Site.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses issues that are classified as priority level 1 or priority level 2; these classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer will automatically open a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to the following URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). In addition, please have available your service agreement number and your product serial number.
This document is to be used in conjunction with the Software Configuration Guide and the Command Reference publications for your switch.
AccessPath, AtmDirector, Browse with Me, CCIP, CCSI, CD-PAC, CiscoLink, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Cisco Unity, Fast Step, Follow Me Browsing, FormShare, FrameShare, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, ScriptBuilder, ScriptShare, SMARTnet, TransPath, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and Discover All That’s Possible are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, GigaStack, IOS, IP/TV, LightStream, MICA, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0110R)
Copyright © 2001, Cisco Systems, Inc. All rights reserved. Printed in USA. All rights reserved.