Configuring Layer 3 Protocol Filtering on Supervisor Engine 1
Note
Layer 3 protocol filtering is supported with Supervisor Engine 1. Layer 3 protocol filtering is not supported with Supervisor Engine 2.
This chapter describes how to configure Layer 3 protocol filtering on Layer 2 LAN ports on the Catalyst 6500 series switches.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6500 Series Switch Cisco IOS Command Reference publication.
This chapter consists of these sections:
• Understanding How Layer 3 Protocol Filtering Works
• Configuring Layer 3 Protocol Filtering
Understanding How Layer 3 Protocol Filtering Works
Layer 3 protocol filtering prevents specific Layer 3 protocol packets from being received or transmitted on a Layer 2 LAN port, which reduces the broadcast domain of specific protocols in a VLAN. For example, you can configure a Layer 2 LAN port in a VLAN to allow IP packets only, while another Layer 2 LAN port in the same VLAN allows both IP and Internetwork Packet Exchange (IPX) packets.
Layer 2 LAN trunk ports do not support protocol filtering. You can configure Layer 3 protocol filtering on a trunk, but the configuration is ignored while the port is a trunk.
Protocol filtering cannot be configured on Layer 3 interfaces—only nontrunk Layer 2 LAN ports support Layer 3 protocol filtering.
Layer 3 protocol filtering does not support the features available with standard and extended Cisco IOS ACLs.
Layer 2 protocols, such as Spanning Tree Protocol (STP) and Cisco Discovery Protocol (CDP), are not affected by Layer 3 protocol filtering. Layer 2 LAN ports that have port security enabled are members of all protocol groups.
You can configure a Layer 2 LAN port with any one of these modes for each protocol group: on, off, or auto. If the configuration is set to on, the port allows all traffic for that protocol. If the configuration is set to off, the port does not allow any traffic for that protocol.
If the configuration is set to auto, the Layer 2 LAN port initially does not transmit any flood traffic for that protocol group. After a packet for the protocol group is received on that port, the port begins transmitting flood traffic for that group. The port reverts to not transmitting flood traffic for the group if no packets for that protocol have been received for 60 minutes. Layer 2 LAN ports are also removed from the protocol group when the supervisor engine detects that the link on the port is down.
If a host that supports both IP and IPX is connected to a Layer 2 LAN port configured as auto for IPX, but the host is transmitting only IP traffic, the port to which the host is connected will not transmit any flooded IPX traffic. However, if the host sends an IPX packet, the supervisor engine software detects the protocol traffic and the port begins transmitting flooded IPX traffic. If the host stops sending IPX traffic for more than 60 minutes, the port stops transmitting flooded IPX traffic.
By default, Layer 2 LAN ports are configured to on for all protocol groups. Typically, you should only configure a Layer 2 LAN port to auto for IP if an end station is directly connected to the port.
Protocol filters are configured according to groups of protocols, not specific protocols. There are four groups of protocols defined:
• IP
• IPX
• AppleTalk, DECnet, and Banyan VINES ("group")
• Packets not belonging to any of these protocols ("other")
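The on/off/auto semantics and the auto-mode membership rules described above, as an added Python model (this is not Cisco code; the class, method names, the seconds-based clock and the simplified port-security handling are assumptions):

```python
# Added example (not Cisco code): a model of per-port, per-protocol-group
# filtering as described in this chapter. Times are seconds; the 60-minute
# auto timeout and the four group names come from the text, the rest is assumed.

GROUPS = ("ip", "ipx", "group", "other")   # the four protocol groups
AUTO_IDLE_TIMEOUT = 60 * 60                 # auto mode: 60 minutes without traffic


class L2Port:
    """Filtering state of one nontrunk Layer 2 LAN port (hypothetical model)."""

    def __init__(self, name, trunk=False, port_security=False):
        self.name = name
        self.trunk = trunk                  # trunks ignore the filtering config
        self.port_security = port_security  # member of all groups when enabled
        self.link_up = True
        self.mode = {g: "on" for g in GROUPS}   # default: on for every group
        self.last_seen = {}   # group -> time the last packet of that group arrived

    def configure(self, group, mode):
        if group not in GROUPS or mode not in ("on", "off", "auto"):
            raise ValueError(f"bad setting {group} {mode}")
        self.mode[group] = mode

    def receive(self, group, now):
        """A packet of this group arrived on the port: the port joins the group."""
        if self.link_up:
            self.last_seen[group] = now

    def link_down(self):
        """Link loss removes the port from every auto-learned group."""
        self.link_up = False
        self.last_seen.clear()

    def link_restored(self):
        self.link_up = True

    def is_member(self, group, now):
        """Auto-mode membership: traffic seen within the timeout, or port security."""
        if self.port_security:
            return True
        seen = self.last_seen.get(group)
        return seen is not None and now - seen <= AUTO_IDLE_TIMEOUT

    def floods(self, group, now):
        """Would flooded traffic of this group be transmitted out the port?"""
        if self.trunk:
            return True
        mode = self.mode[group]
        if mode == "on":
            return True
        if mode == "off":
            return False
        return self.is_member(group, now)   # auto
```

The dual-stack host scenario from the text maps directly onto this model: a port set to auto for IPX floods no IPX until the host sends one IPX packet, and stops again once 60 minutes pass without another.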
Configuring Layer 3 Protocol Filtering
These sections describe how to configure Layer 3 protocol filtering on Ethernet-type VLANs and on any type of Layer 2 LAN port:
• Enabling Layer 3 Protocol Filtering
• Configuring Layer 3 Protocol Filtering on a Layer 2 LAN Interface
• Verifying Layer 3 Protocol Filtering Configuration
Note
With Release 12.1(11b)E and later, when you are in configuration mode you can enter EXEC mode-level commands by entering the do keyword before the EXEC mode-level command.
Enabling Layer 3 Protocol Filtering
To enable Layer 3 protocol filtering globally, perform this task:
Command: Router(config)# protocol-filter
Purpose: Enables Layer 3 protocol filtering globally.

Command: Router(config)# no protocol-filter
Purpose: Disables Layer 3 protocol filtering globally.
This example shows how to enable Layer 3 protocol filtering globally:
Router# configure terminal
Router(config)# protocol-filtering
Configuring Layer 3 Protocol Filtering on a Layer 2 LAN Interface
To configure Layer 3 protocol filtering on a Layer 2 LAN port, perform this task:
Step 1
Command: Router(config)# interface {{type slot/port} | {port-channel number}}
Purpose: Selects the interface to configure.

Step 2
Command: Router(config-if)# switchport protocol {appletalk | ip | ipx | group} {on | off | auto}
Purpose: Configures Layer 3 protocol filtering on the LAN port.

Command: Router(config-if)# no switchport protocol {appletalk | ip | ipx | group}
Purpose: Clears Layer 3 protocol filtering configuration on the LAN port.
This example shows how to configure the protocol membership of Fast Ethernet port 5/8 to allow IPX packets only (the AppleTalk group and IP are set to off, IPX to on):
Router(config)# interface fastethernet 5/8
Router(config-if)# switchport protocol appletalk off
Router(config-if)# switchport protocol ip off
Router(config-if)# switchport protocol ipx on
Verifying Layer 3 Protocol Filtering Configuration
To verify Layer 3 protocol filtering configuration, perform this task:
Command: Router# show protocol-filtering interface {{type slot/port} | {port-channel number}}
Purpose: Verifies the interface filtering configuration.
This example shows how to verify the Layer 3 protocol filtering configuration of Fast Ethernet port 5/8:
Router# show protocol-filtering interface fastethernet 5/8
Interface IP Mode IPX Mode Group Mode Other Mode
--------------------------------------------------------------------------
Note
The show protocol-filtering command shows only ports that have at least one protocol group set to a nondefault configuration.