Using the Catalyst 6500/7600 Device Manager
This section describes the Catalyst 6500/7600 Device Manager (DM 6500/7600) tool that is embedded in Security Manager. Topics in this section explain tasks that you can accomplish with DM 6500/7600 and are organized in three thematic sections, as follows:
Getting Started with DM 6500/7600
DM 6500/7600 enables you to set up, configure, and monitor devices in the Cisco Catalyst 6500 and 7600 families. DM 6500/7600 simplifies device, VLAN, port, and service module configuration by allowing you to perform all these operations with one tool.
You use wizards and dialog boxes to make your configurations; DM 6500/7600 then designs best-practice command line interface (CLI) configurations based on your selections. You can view the CLI configurations that DM 6500/7600 generates, then deploy them to the device or save them for future editing.
More importantly, DM 6500/7600 shows you a graphical view of LANs configured across service modules. In addition to these features, DM 6500/7600 shows you a device summary and allows you to perform basic configuration tasks globally or for individual VLANs, ports, and spanning trees.
Note: DM 6500/7600 supports the deployment of native Cisco IOS commands only.
This section includes the following topics:
• Key Features in DM 6500/7600
• Starting DM 6500/7600
• Navigating in DM 6500/7600
• Starting DM 6500/7600
• Saving Startup Configurations
• Editing Preferences
• Refreshing DM 6500/7600
• Understanding Your User Role
• What's Next?
Key Features in DM 6500/7600
The following table describes the key features of DM 6500/7600.
Table 14-2 Key Features
| Feature | Description |
|---|---|
| Basic switch, port, VLAN, spanning tree, and SVI configuration | DM 6500/7600 provides functions for port, VLAN, spanning tree, and SVI configuration. |
| Initial service module setup | DM 6500/7600 provides functions for the initial configuration of the Firewall Services Module (FWSM). DM 6500/7600 also provides deployment templates, based on Cisco-recommended configurations, that perform VLAN setup between service modules, including any configurations required for traffic flow across them. |
| Graphical and wireless service visualization | DM 6500/7600 provides a topology map that displays VLAN connectivity between service modules and allows you to perform certain configuration tasks on service modules. |
Related Topics
• Starting DM 6500/7600
• Navigating in DM 6500/7600
Starting DM 6500/7600
To start DM 6500/7600 from the Security Manager GUI, do either of the following:
• Right-click a Catalyst device, then select Catalyst Device Manager from the shortcut menu.
• Select a Catalyst device, then select Tools > Catalyst Device Manager.
Navigating in DM 6500/7600
Before you begin using DM 6500/7600, you must understand the basic operation of the user interface, including the login procedure and user interface elements. See the following sections for more information:
• What Does the Home Page Show Me?
• What Does the Switch Page Show Me?
• What Does the Services Page Show Me?
• Understanding the DM 6500/7600 Desktop
• Understanding the Action Buttons
What Does the Home Page Show Me?
The home page is the first screen that comes up when DM 6500/7600 is started. It gives a quick overview of the services running on the device and a snapshot of the overall health of the system. It displays high-level system information; any service modules, ports, VLANs, and spanning trees DM 6500/7600 has discovered; and the status of each service module installed (see Figure 14-1).
Figure 14-1 DM 6500/7600 Home Page Components and Descriptions
Location 1: System Overview tab
Provides high-level information about the device and shows the following information:
• Hostname—The hostname of the device.
• Serial Number—The serial number of the device.
• Description—A brief description of the device.
• Model—The model type of the device.
• IOS version—The Cisco IOS image version the device is running.
• Image—The name of the image running on the device.
• Last Update—A time stamp for the most recent discovery.
Note: DM 6500/7600 does not show information in real time. Updates occur only when discovery occurs.
The supervisor pane displays the percentage of CPU, memory, and flash used by the supervisor card.
Location 2: Switch Dashboard tab
Provides information about ports, VLANs, and spanning trees discovered by the device, such as the number of access ports and the number of Layer 2 VLANs.
Click the link for any switch object to open the corresponding page for that object.
Location 3: Services Dashboard tab
Provides information about the service modules on the device. Click the link for any service to open the corresponding page for that service module.
If there are no service modules installed, a No Service Modules link appears. See No Service Modules Installed.
Location 4: Module Status tab
Provides an overview of installed service modules and provides a table that displays the following information:
• Slot—The slot to which the service module is attached.
• Status—Status of the service module. An icon indicates whether the module is operationally up or operationally down.
• Description—A brief description of the service module.
• Serial Number—The serial number of the service module.
• Model—The model type of the service module.
• Software Version—The Cisco IOS version running on the service module.
Related Topics
• Navigating in DM 6500/7600
• What Does the Switch Page Show Me?
• What Does the Services Page Show Me?
• Understanding the DM 6500/7600 Desktop
No Service Modules Installed
If no service modules are installed, the No Services available link is displayed on the Services Dashboard.
To view available Cisco service modules, see http://www.cisco.com/en/US/products/hw/modules/ps2706/prod_models_home.html.
For more information on the types of data that DM 6500/7600 can display for each service module, see Firewall Service Module Setup.
Related Topics
• Navigating in DM 6500/7600
• What Does the Switch Page Show Me?
• What Does the Services Page Show Me?
• Understanding the DM 6500/7600 Desktop
What Does the Switch Page Show Me?
The Switch page allows you to view and configure Layer 2 and Layer 3 switch features, such as port, VLAN, VRF, and spanning tree features. You can also edit your global settings from the Switch page (see Figure 14-2).
Figure 14-2 DM 6500/7600 Switch Page
Related Topics
• Navigating in DM 6500/7600
• What Does the Home Page Show Me?
• What Does the Services Page Show Me?
• Understanding the DM 6500/7600 Desktop
What Does the Services Page Show Me?
The Services page allows you to view and configure services running on the device. This page provides summary information about service modules. The Services page also provides a graphical view of VLANs across service modules and setup wizards that enable you to configure the services on the device (see Figure 14-3).
Figure 14-3 DM 6500/7600 Services Page
Related Topics
• Navigating in DM 6500/7600
• What Does the Home Page Show Me?
• What Does the Switch Page Show Me?
• Understanding the DM 6500/7600 Desktop
Understanding the DM 6500/7600 Desktop
This section describes the main GUI elements of the DM 6500/7600 application.
Figure 14-4 DM 6500/7600 GUI Elements
Location 1: Menu bar
Provides File, Edit, View, and Help options.
• File
– File > Save—Saves the configuration to the Security Manager database.
– File > Save and Exit—Saves the configuration running on the device and on the service modules as the startup configuration, then quits DM 6500/7600. See Saving Startup Configurations.
– File > Quit Without Saving—Logs you out of DM 6500/7600 and closes the application window.
• Edit
– Edit > Preferences—Displays the Preferences dialog box, from which you can edit application preferences. See Editing Preferences.
• View
– View > Home—Displays the Home page. See What Does the Home Page Show Me?.
– View > Switch—Displays the Switch page. See What Does the Switch Page Show Me?.
– View > Services—Displays the Services page. See What Does the Services Page Show Me?.
– View > Refresh—Collects the most recent device information from the Security Manager database, then updates the DM 6500/7600 data. See Refreshing DM 6500/7600.
• Help
– Help > Help Topics—Displays online help.
Location 2: Task bar
Provides the following buttons:
• Home—Displays the home page. See What Does the Home Page Show Me?.
• Switch—Displays the Switch page for Layer 2 and Layer 3 switching. See What Does the Switch Page Show Me?.
• Services—Displays the Services page for Layer 4 and higher services. See What Does the Services Page Show Me?.
• Refresh—Collects the most recent device information and updates the display of information in DM 6500/7600.
• Save—Saves configuration to the Security Manager database.
• Help—Displays context-sensitive help.
Location 3: Page
DM 6500/7600 working area in which you perform tasks.
Location 4: Pane
One part of a divided page or dialog box.
Location 5: Status bar
Provides the following information:
• Application user and privilege level.
• Icon showing the security level of the connection.
• Time stamp showing the last time Security Manager collected data.
Location 6: Selector
Hierarchy of the groups and objects available in the Switch or Services page that allows you to access specific functions for a switch or service object. See Selector.
Location 7: Left-most pane
Contains buttons, on the Switch or Services page, that allow you to access switch or services functions.
Related Topics
• Navigating in DM 6500/7600
• What Does the Home Page Show Me?
• What Does the Switch Page Show Me?
• What Does the Services Page Show Me?
• Selector
• Understanding the Action Buttons
Selector
The selector is a tree that appears on most Switch and Services pages. Figure 14-5 shows what the selector looks like when folders, subfolders, and objects are displayed. Not all selectors contain all these elements.
Figure 14-5 Selector
Location 1: Group folder
Displays a group of objects. Click the plus (+) symbol to see the contents of this folder.
Location 2: Subgroup folder
Displays a subgroup of objects. Click the plus (+) symbol to see the contents of this folder.
Location 3: Selector handle
Click the handle to open and close the selector, or click the handle and drag it to resize it.
Location 4: Object
Displays the individual entity contained in the group or subgroup. Click an object to open the page for that object.
Understanding the Action Buttons
This section describes the action buttons that commonly appear in DM 6500/7600 dialog boxes and wizards. For a description of the wizard buttons, see Table 14-3; for a description of the dialog box buttons, see Table 14-4.
Table 14-3 Wizard Buttons
| Button | Action |
|---|---|
| Back | Takes you to the previous page. |
| Next | Takes you to the next page. |
| Finish | Takes you to the wizard summary page. |
| Cancel | Exits the wizard without making any changes. |
| Help | Displays context-sensitive online help. |
Table 14-4 Dialog Box Buttons
| Button | Action |
|---|---|
| OK | Saves your changes. |
| Cancel | Exits the dialog box without making any changes. |
| Help | Displays context-sensitive online help. |
Note: Some dialog boxes may contain additional buttons not described in this table.
Saving Startup Configurations
You can save your device and service module configuration as the startup configuration.
Procedure
Step 1: Select File > Save > Save to Cisco Security Manager Database. A warning dialog box appears, asking if you want to continue.
Step 2: To continue, click Yes. DM 6500/7600 saves the configuration as your startup configuration.
Editing Preferences
Procedure
Step 1: Select Edit > Preferences. The Preferences dialog box appears.
Step 2: Edit the appropriate values:
| GUI Element | Action |
|---|---|
| Show CLI Preview for Wizards check box | Select this check box if you want DM 6500/7600 to display the CLI commands to be delivered to the device after you have completed a wizard. |
| Confirm before Exiting check box | Select this check box if you want DM 6500/7600 to ask you to confirm that you want to exit the application. By default, this check box is selected. If you want DM 6500/7600 to confirm your intentions every time you exit from DM 6500/7600, select the Always display this dialog box before exiting check box. |
Refreshing DM 6500/7600
At any time, you can refresh displayed information in DM 6500/7600 by synchronizing with the latest device and service module information in the Security Manager database.
Note: You can specify that DM 6500/7600 refresh after you deliver commands to the device. See Editing Preferences.
Procedure
Step 1: Click Refresh in the task bar or select View > Refresh.
Step 2: A dialog box appears, asking if you want to proceed with the refresh. To continue, click Yes. The most recent device information is collected and is populated in DM 6500/7600.
Understanding Your User Role
DM 6500/7600 can be used by three types of users: Network Operations, Security Operations, and Super Admin. DM 6500/7600 is structured so that functions specific to each type of user are consolidated in a single place in the application. For example, all Layer 2 and Layer 3 switch features are grouped under the Switch tab, and all services running on the device are grouped under the Services tab. Network Operations users will typically use the functions on the Switch page, while Security Operations users will typically use the functions on the Services page. Certain features are available only to a specific type of user:
• Network Operations users are typically responsible for configuring, maintaining, and managing connectivity between Layer 2 and 3 devices. Network Operations users can perform Layer 2 and 3 configuration functions but do not have access to Layer 4 and higher functions such as configuring security devices.
• Security Operations users are typically responsible for configuring, maintaining, and managing security devices such as SSL and firewalls. Security Operations users can configure the security on service blades and apply policies to them.
• Super Admin users have access to all DM 6500/7600 functionality. For example, these users can create VLANs on the supervisor, have access to service blade configurations, and can inspect and edit firewall VLAN interfaces.
What's Next?
If your main task is to manage port, VLAN, and spanning tree configurations, then almost all of your operations can be performed using the Switch tab. If your main task is to manage and configure service modules on the device, then your operations can be performed using the Services tab.
System Settings (Switch > System)
The System pages allow you to view and edit global switch settings. For example, you can see what Cisco IOS image the switch is using or what protocols are enabled. You can also configure and apply global Cisco Discovery Protocol (CDP), Cisco IOS banner, clock, Network Time Protocol (NTP), and Spanning Tree Protocol (STP) settings to the switch.
The following topics are described in this section:
• Configuring Global Settings
• Configuring CDP Settings
• Configuring Cisco IOS Banners
• Displaying a Summary of Your DHCP Pools
• Configuring Time and NTP Broadcasts
• Displaying a Summary of Global STP Settings
Configuring Global Settings
Two types of information are shown on the Global Settings page (see Figure 14-6):
• System—Displays specific switch and Cisco IOS image information.
• Protocol—Displays protocols on the device.
Figure 14-6 Global Settings Page
System Pane
The System pane shows the following fields.
Note: Fields between Cisco IOS Version and MSFC Flash show information that is normally displayed when you issue the CLI # sh version command.
| Field | Description |
|---|---|
| Hostname | Configured network name of the switch. |
| Description | Description given to the switch. |
| Domain Name | Domain name associated with the switch. An example of a domain name is cisco.com, but your domain name might end with a different suffix, such as .org or .net. |
| Model | Model number of device. |
| Default Gateway | IP address of the Layer 3 interface that is acting as a router for traffic generated by the switch. It is recommended that you set a default gateway if you are accessing the switch from different networks. Note: If the ip route 0.0.0.0 0.0.0.0 command is found in the running configuration, it overrides what is shown in this default gateway field. |
| Up Since | Date and time at which the device became operational. |
| Cisco IOS Version | Cisco IOS image version the device is running. |
| Serial Number | Serial number of the switch. |
| Config Register | Configuration register setting value. |
| Boot Variable | Image file from which the switch can boot at startup. |
| System Image File | Name of system image file. |
| Processor Memory (RP) | Total memory on the switch. |
| Supervisor Flash | Total Supervisor Flash memory installed on the switch. |
| MSFC Flash | Total MSFC Flash memory installed on the switch. |
Protocols Pane
The Protocols pane shows the following fields.
| Field | Description |
|---|---|
| HTTP | Whether HTTP server is enabled or disabled on the device. |
| Global CDP | Whether the ability of the device to advertise its existence to other devices and receive information about other devices on the same LAN is enabled or disabled. Cisco Discovery Protocol (CDP) is a media- and protocol-independent, device-discovery protocol that runs on all Cisco-manufactured equipment, including routers, access servers, bridges, and switches. Caution: When enabled, CDP can consume switch memory by causing it to send out a high number of discovery packets. |
| DHCP Snooping | Whether DHCP snooping is enabled or disabled on the device. This field is displayed only when the Supervisor Engine 720 is installed on the device. Enable DHCP snooping so that wireless clients, or mobile nodes, can gain access to an untrusted wireless network. |
Related Topics
• Configuring CDP Settings
• Configuring Cisco IOS Banners
• Configuring Time and NTP Broadcasts
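The following Python script is an added example, not part of the Cisco documentation or of DM 6500/7600. It derives the System and Protocols pane values described above from running-config text, including the rule that an ip route 0.0.0.0 0.0.0.0 entry overrides the configured default gateway. The sample configuration, the function names, and the treatment of a missing HTTP line as "unknown" are assumptions.

```python
import re

# Constructed running-config excerpt for illustration (not from a real device).
SAMPLE_CONFIG = """\
hostname dist-sw-01
ip domain-name example.net
!
no ip http server
ip http secure-server
!
ip dhcp snooping vlan 10,20
ip dhcp snooping
!
interface GigabitEthernet1/1
 no cdp enable
!
ip default-gateway 192.0.2.1
ip route 0.0.0.0 0.0.0.0 192.0.2.254
ip route 10.0.0.0 255.0.0.0 192.0.2.9
"""

DEFAULT_ROUTE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)")
DOMAIN_NAME = re.compile(r"^ip domain[- ]name (\S+)$")


def global_lines(config):
    """Yield global-mode commands: unindented, whitespace-normalized, no '!' lines."""
    for raw in config.splitlines():
        if not raw.strip() or raw[0].isspace() or raw.startswith("!"):
            continue  # blank, interface/sub-mode (indented), or separator line
        yield " ".join(raw.split())


def summarize_global_settings(config):
    """Derive the System and Protocols pane values from running-config text."""
    state = {
        "hostname": None, "domain_name": None,
        "default_gateway": None, "gateway_source": None, "shadowed_gateway": None,
        "http": "unknown",            # assumption: default differs by platform/image
        "global_cdp": "enabled",      # CDP runs unless 'no cdp run' is configured
        "dhcp_snooping": "disabled",  # off unless 'ip dhcp snooping' is configured
    }
    configured_gateway = static_default = None
    for line in global_lines(config):
        domain = DOMAIN_NAME.match(line)
        route = DEFAULT_ROUTE.match(line)
        if line.startswith("hostname "):
            state["hostname"] = line.split(" ", 1)[1]
        elif domain:
            state["domain_name"] = domain.group(1)
        elif line in ("ip http server", "no ip http server"):
            # Exact match, so 'ip http secure-server' is not counted as HTTP.
            state["http"] = "disabled" if line.startswith("no ") else "enabled"
        elif line in ("cdp run", "no cdp run"):
            state["global_cdp"] = "disabled" if line.startswith("no ") else "enabled"
        elif line in ("ip dhcp snooping", "no ip dhcp snooping"):
            # Exact match: a VLAN list alone is not the global switch.
            state["dhcp_snooping"] = "disabled" if line.startswith("no ") else "enabled"
        elif line.startswith("ip default-gateway "):
            configured_gateway = line.split()[2]
        elif route and static_default is None:
            static_default = route.group(1)
    if static_default:
        # The static default route wins over the Default Gateway field.
        state["default_gateway"] = static_default
        state["gateway_source"] = "ip route 0.0.0.0 0.0.0.0"
        if configured_gateway and configured_gateway != static_default:
            state["shadowed_gateway"] = configured_gateway
    elif configured_gateway:
        state["default_gateway"] = configured_gateway
        state["gateway_source"] = "ip default-gateway"
    return state


def review_notes(state):
    """Return the settings an administrator would want to look at again."""
    notes = []
    if state["http"] == "enabled":
        notes.append("HTTP server is enabled; management over HTTP is unencrypted")
    if state["global_cdp"] == "enabled":
        notes.append("Global CDP is enabled; the switch advertises itself on the LAN")
    if state["dhcp_snooping"] == "disabled":
        notes.append("DHCP snooping is disabled")
    if state["shadowed_gateway"]:
        notes.append("Default gateway %s is overridden by static default route via %s"
                     % (state["shadowed_gateway"], state["default_gateway"]))
    return notes


if __name__ == "__main__":
    summary = summarize_global_settings(SAMPLE_CONFIG)
    for key, value in summary.items():
        print("%-17s %s" % (key, value))
    for note in review_notes(summary):
        print("NOTE:", note)
```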
Editing System Settings
The System pane displays specific switch and Cisco IOS image information. You can edit the hostname, domain name, and default gateway values.
Procedure
Step 1: Click Switch in the task bar, click Global Settings in the left-most pane, then select System from the selector.
Step 2: Click Edit in the System pane.
Step 3: Edit the appropriate values.
| Field | Description |
|---|---|
| Hostname | Configured network name of the switch. |
| Domain Name | Domain name associated with the switch. An example of a domain name is cisco.com, but your domain name might end with a different suffix, such as .org or .net. |
| Default Gateway | IP address of the Layer 3 interface that is acting as a router for traffic generated by the switch. It is recommended that you set a default gateway if you are accessing the switch from different networks. Caution: If the wrong gateway is entered, the device may disconnect from DM 6500/7600. |
Step 4: Click OK.
Related Topics
• Configuring CDP Settings
• Configuring Cisco IOS Banners
• Configuring Time and NTP Broadcasts
Editing Protocol Settings
The Protocol pane displays what protocols are enabled. You can edit all values in this pane.
Procedure
Step 1: Click Switch in the task bar, click Global Settings in the left-most pane, then select System from the selector.
Step 2: Click Edit in the Protocols pane.
Step 3: Edit the appropriate values.
| GUI Element | Action/Description |
|---|---|
| DHCP Snooping check box | Enables or disables DHCP snooping on the device. This option is available only when the Supervisor Engine 720 is installed on the device. Enable DHCP snooping so that wireless clients, or mobile nodes, can gain access to an untrusted wireless network. |
| HTTP check box | Enables or disables the HTTP server on the device. |
| Global CDP check box | Enables or disables the ability of the device to advertise its existence to other devices and receive information about other devices on the same LAN. Cisco Discovery Protocol (CDP) is a media- and protocol-independent, device-discovery protocol that runs on all Cisco-manufactured equipment, including routers, access servers, bridges, and switches. Caution: When enabled, CDP can consume switch memory by causing it to send out a high number of discovery packets. |
Step 4: Click OK.
Related Topics
• Configuring CDP Settings
• Configuring Cisco IOS Banners
• Configuring Time and NTP Broadcasts
Configuring CDP Settings
Cisco Discovery Protocol (CDP) is primarily used to obtain protocol addresses of neighboring devices and discover the platform of those devices. CDP can also be used to show information about the interfaces your switch uses. CDP is media- and protocol-independent, and runs on all Cisco-manufactured equipment, including routers, bridges, access servers, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN.
The CDP page displays CDP settings and CDP Neighbors.
Procedure
Step 1: Click Switch in the task bar, click Global Settings in the left-most pane, then select CDP from the selector.
Step 2: Click Edit, then edit the relevant values.
| GUI Element | Action |
|---|---|
| CDP Timer (in seconds) field | Enter the frequency (in seconds) of transmission of CDP updates. |
| CDP Holdtime (in seconds) field | Enter the amount of time (in seconds) a receiving device should hold the information sent by your device before discarding it. |
| Send CDP V2 Advertisements check box | Select to enable CDP V2 advertisements. CDP Version 2 (CDPv2) is the most recent release of the protocol and provides more intelligent device tracking features. |
Step 3: Click OK.
Step 4: Click OK, then click Save.
The CDP Neighbors table shows all CDP neighbors connected to the switch. The following table describes the details displayed.
Table 14-6 CDP Neighbors
| Column | Description |
|---|---|
| Device ID | Configured ID (name), MAC address, or serial number of the neighbor device. |
| Local Interface | Number and type of the local interface (port). |
| Holdtime | The remaining amount of time, in seconds, the current device will hold the CDP advertisement from a transmitting router before discarding it. |
| Capability | Capability code discovered on the device. This is the type of the device listed in the CDP Neighbors table. Possible values are: Router (R), Transparent bridge (T), Source-routing bridge (B), Switch (S), Host (H), IGMP device (I), Repeater (r). |
| Platform | Product number of the device. |
| Port ID | Protocol and port number of the device. |
Related Topics
• Configuring Global Settings
• Configuring Cisco IOS Banners
• Configuring Time and NTP Broadcasts
Configuring Cisco IOS Banners
The Banner page shows Cisco IOS banner information. Banners are informational messages that can be displayed to users.
Procedure
Step 1: Click Switch in the task bar, click Global Settings in the left-most pane, then select Banner from the selector.
Step 2: Click Edit, then enter the banner information.
| Banner Type | Description |
|---|---|
| Exec Banner | Configures the system to display a banner whenever an EXEC process is initiated. For example, this banner will be displayed to users who are connected to the system through Telnet, after they have entered their username and password but before the user EXEC mode prompt is displayed. |
| Login Banner | Configures the system to display a banner before the username and password login prompts. This banner is displayed after the Message-of-the-Day banner appears and before the login prompts. |
| Incoming Terminal Line Banner | Configures the system to display a banner when there is an incoming connection to a terminal line from a host on the network. This banner is useful for providing instructions to users of these types of connections. |
| Message-of-the-Day Banner | Configures the system to display a Message-of-the-Day banner. This banner is displayed at login and is useful for sending messages that affect all network users (such as impending system shutdowns). |
Step 3: Click OK.
Step 4: Click OK, then click Save.
Related Topics
• Configuring Global Settings
• Configuring CDP Settings
• Configuring Time and NTP Broadcasts
Displaying a Summary of Your DHCP Pools
Dynamic Host Configuration Protocol (DHCP) provides a mechanism for allocating IP addresses dynamically so that addresses can be reused when hosts no longer need them. DHCP also consists of a protocol for delivering host-specific configuration parameters from a DHCP server to a host.
A DHCP address pool contains the range of available IP addresses that the DHCP server might assign to DHCP clients. You can view a high-level summary of the DHCP pools in your network.
Click Switch in the task bar, click Global Settings in the left-most pane, then select DHCP from the selector to display the main DHCP Pools page.
The following information is displayed.
| GUI Element | Description |
|---|---|
| DHCP Pools pane | |
| Pool Name column | Name of the DHCP pool. |
| Network column | IP network from which the DHCP server allocates IP addresses. This network defines the pool of IP addresses available within the DHCP pool. |
| Network Mask column | Subnet mask address for the DHCP pool. |
| Interface Name column | Interface associated with the DHCP pool. DHCP clients entering this interface are assigned IP addresses from the associated DHCP pool. |
| Details pane | |
| DHCP Pool Name field | Name of the DHCP pool. |
| Network field | IP network from which the DHCP server allocates IP addresses. This network defines the pool of IP addresses available within this DHCP pool. |
| Mask field | Subnet mask address for this DHCP pool. |
| Domain Name field | Domain name associated with the DHCP client. An example of a domain name is cisco.com, but your domain name might end with a different suffix, such as .org or .net. |
| Default Route field | Addresses of the default gateways for this DHCP pool. |
| DNS Servers field | Domain Name System (DNS) IP servers available to the DHCP client. |
| WINS Servers field | Windows Internet Naming Service (WINS) servers available to the DHCP client. |
| Lease Time field | The date and time that the IP address assigned by the DHCP server expires. |
| Excluded Addresses pane | IP addresses excluded from the pool of available IP addresses. These excluded IP addresses are not allocated to DHCP clients. The list of excluded IP addresses can be a single IP address or a range of IP addresses. |
From this page, you can view detailed status information for a specific DHCP pool. See Viewing DHCP Pool Status.
Related Topics
• Configuring Global Settings
• Configuring CDP Settings
• Configuring Cisco IOS Banners
• Configuring Time and NTP Broadcasts
Viewing DHCP Pool Status
You can learn the current status of any DHCP pool in your network.
Procedure
Step 1: Click Switch in the task bar, click Global Settings in the left-most pane, then select DHCP from the selector.
Step 2: Select a DHCP pool from the DHCP Pools pane, then click Pool Status.
The DHCP Pool Status dialog box displays the following information.
| Column | Description |
|---|---|
| IP Address | IP address allocated to the DHCP pool. |
| Client ID | MAC address of the DHCP client to which this IP address is allocated. |
| Lease Expiration | Time and date that the allocated IP address expires. |
Related Topic
• Displaying a Summary of Your DHCP Pools
Configuring Time and NTP Broadcasts
You can configure date, time, and Network Time Protocol (NTP) settings using the Clock page. The Clock page shows system time zone, clock, and calendar information. It also shows NTP Servers and Peers information. NTP sends and receives unicast packets with peers, by default. However, broadcasts can be used if several NTP peers are located on a common network. For clock and NTP configuration guidelines, see the relevant section in Catalyst 6500 Family IOS Software Configuration Guide.
Related Topics
• Editing Date and Time Settings
• Editing NTP Servers and Peers
Editing Date and Time Settings
Procedure
Step 1
Click Switch in the task bar, click Global Settings in the left-most pane, then select Clock from the selector.
Step 2
Click Edit in the Date/Time pane.
Step 3
Edit the appropriate values.
| GUI Element | Action |
|---|---|
| Update Calendar using Network Time Protocol | Select this option if you want NTP to update the calendar. NTP is designed to time-synchronize a network of machines. An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network.<br>NTP is extremely efficient: no more than one packet per minute is necessary to synchronize two machines to within a millisecond of one another. |
| Month | Enter the numeric month. |
| Day | Enter the numeric day. |
| Year | Enter the year as a 4-digit number. |
| Hour | Enter the current hour. |
| Minute | Enter the current minutes. |
| Second | Enter the current seconds. |
| Time Zone ID | Enter the local time zone to be displayed. The time zone is set to the abbreviated zone name (EST, PST, CDT). This name is only used for display purposes and can be any common zone name. The actual displayed time is defined by an offset in hours and minutes from Greenwich Mean Time. |
| Hours Offset from GMT | Enter the offset in hours from Greenwich Mean Time. |
| Minutes Offset from GMT | Enter the offset in minutes from Greenwich Mean Time. |
| Enable Daylight Saving Time | Select this option to enable Daylight Saving Time. |
| DST Time Zone ID | Enter the name of the zone (using from 1 to 32 characters) to be displayed when Daylight Saving Time is in effect. |
Step 4
Click Save.
Related Topic
• Editing NTP Servers and Peers
Editing NTP Servers and Peers
A system's NTP association can be a peer association (the system will either synchronize to another system or allow another system to synchronize to it), or it can be a server association (only this system synchronizes to the other system, and not the other way around).
If you want to form an NTP association with another system:
Step 1
Click Add from the NTP Servers or NTP Peers pane.
Step 2
Enter the IP address of the system to associate.
Step 3
Click OK, then click Save.
To edit the IP address or delete a system association:
Step 1
Select the IP address row to edit from the NTP Servers or NTP Peers pane.
Step 2
Do one of the following:
• Click Edit to edit the IP address, enter the address, then click OK.
• Click Delete to remove the system association.
Step 3
Click Save.
Related Topic
• Editing Date and Time Settings
Displaying a Summary of Global STP Settings
To display information about global Spanning-Tree Protocol (STP) settings, click Switch in the task bar, click Global Settings in the left-most pane, then select Spanning Tree from the selector.
STP is a Layer 2 (L2) link management protocol that is designed to run on bridges and switches. STP provides path redundancy while preventing undesirable loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations.
When you create fault-tolerant internetworks, you must have a loop-free path between all nodes in a network. The STP algorithm calculates the best loop-free path throughout a switched Layer 2 network.
For more information on STP options, see the Catalyst 6500 Family IOS Software Configuration Guide.
| GUI Element | Description |
|---|---|
| STP Mode | Any one of these STP modes might be the global selection:<br>• PVST—Per-VLAN Spanning Tree (PVST) maintains a spanning tree instance for each configured VLAN in the network. PVST uses InterSwitch Link (ISL) trunking and allows a VLAN trunk to be forwarded for some VLANs while blocking for other VLANs. Because PVST treats each VLAN as a separate network, it can load-balance traffic by forwarding some VLANs on one trunk and other VLANs on another trunk without causing a spanning tree loop.<br>• Rapid PVST—Rapid Per-VLAN Spanning Tree provides faster spanning tree convergence after a topology change. The standard configuration also includes features equivalent to Cisco PortFast, UplinkFast, and BackboneFast, for faster network reconvergence.<br>• MST—Multiple Spanning Tree allows several VLANs to be mapped to a reduced number of spanning tree instances. |
| Ether Channel Guard | If enabled, detects a misconfigured EtherChannel where interfaces on the switch are configured as an EtherChannel. |
| Extended System ID | If enabled, allows extended VLANs. For more information on extended VLANs, see the relevant section in Catalyst 6500 Family IOS Software Configuration Guide. |
| PortFast | If enabled, causes a port to enter the spanning tree forwarding state immediately, bypassing the listening and learning states. |
| BPDU Guard | If enabled, causes the spanning tree to shut down PortFast-configured interfaces that receive BPDUs, instead of putting them into the spanning-tree blocking state. |
| BPDU Filter | If enabled, ports with BPDU filter will not send BPDUs and will drop all received BPDUs. |
| Loop Guard | If enabled, verifies whether a root port or an alternate root port is receiving BPDUs. If the port is not receiving BPDUs, the loop guard feature puts the port into an inconsistent state until it starts receiving BPDUs again. |
| UplinkFast | If enabled, increases the path cost of all ports on the switch, making it unlikely that the switch will become the root switch.<br>Note: When enabled, UplinkFast affects all VLANs on the switch. |
| BackboneFast | If enabled, BackboneFast is initiated when a root port or blocked port on a switch receives inferior BPDUs from its designated bridge. |
| UDLD | Unidirectional Link Detection (UDLD) is a Layer 2 protocol that works with Layer 1 mechanisms to determine the physical status of a link. |
| VLAN Allocation Policy | Depending on the global setting, VLANs are allocated in either ascending or descending order. |
| VLAN dot1q Tagging Native | If native tagging is the global selection, the switch forwards all frames from 802.1Q trunks with 802.1Q tagging. This includes traffic in the native VLAN (default VLAN), and admits only 802.1Q tagged frames on 802.1Q trunks, dropping any untagged traffic, including untagged traffic in the native VLAN.<br>You can enter this command on any switch that must support 802.1Q tunneling with 802.1Q trunks. The equivalent CLI command is # set dot1q-all-tagged enable.<br>For more information, see the relevant section in the Catalyst 6500 Family IOS Software Configuration Guide. |
Related Topics
• Configuring Global Settings
• Configuring CDP Settings
• Configuring Cisco IOS Banners
• Displaying a Summary of Your DHCP Pools
• Configuring Time and NTP Broadcasts
Ports/Interface Management (Switch > Ports)
DM 6500/7600 provides configuration of both physical ports and logical interfaces. In this section, both physical ports and logical interfaces are referred to as interfaces.
DM 6500/7600 supports these interface types:
• Ethernet
• Fast Ethernet
• Gigabit Ethernet
• Ten Gigabit Ethernet
• Switched Virtual Interface (SVI)
Topics in this section contain information about:
• Configuring All Ports/Interfaces
• Configuring a Group of Physical Ports Using the Port Wizard
• Configuring Access Ports
• Configuring Trunk Ports
• Configuring Routed Ports
• Configuring SVIs
• Configuring Tunnel Interfaces
• Configuring Loopback Interfaces
• Viewing Other Interfaces
• Understanding Interface Ranges
Configuring All Ports/Interfaces
You can view all ports and interfaces that exist on the device. Click Switch in the task bar, click Ports in the left-most pane, then select Ports/Interfaces from the selector to display the Ports/Interfaces page (see Figure 14-7).
Note
To easily configure a group of physical ports, use the Port Setup wizard. See Configuring a Group of Physical Ports Using the Port Wizard.
Figure 14-7 Ports/Interfaces Page
This page provides a table displaying the following information.
| Column | Description |
|---|---|
| Name | Interface type and the number of the connector or interface card. For example, fastethernet 5/1 means Fast Ethernet, slot 5, interface 1. |
| Description | Enter a description of the interface to help you remember its function. |
| Admin Status | Administrative status of the interface, either up or down. |
| Oper Status | Line protocol status of the port (whether or not port is passing packets). |
| Mode | Configuration mode (access, trunk, or routed) for physical ports. |
| Hardware Type | Port hardware type. This field applies only to physical ports. |
Note
All columns are sortable.
Related Topics
• Configuring a Group of Physical Ports Using the Port Wizard
• Configuring Access Ports
• Configuring Trunk Ports
• Configuring Routed Ports
• Configuring SVIs
• Viewing Other Interfaces
Editing Port/Interface Attributes
From the Ports/Interfaces page you can edit port/interface description, administrative status, and mode settings.
Procedure
Step 1
Click Switch in the task bar, click Ports from the left-most pane, then select Ports/Interfaces from the selector.
Step 2
From the table, select the port to edit. To select multiple ports, press the Ctrl key as you select each port to edit.
Step 3
Click Edit, then edit the appropriate values.
| GUI Element | Action/Description |
|---|---|
| Name field | Interface type and the number of the connector or interface card. For example, fastethernet 5/1 means Fast Ethernet, slot 5, interface 1.<br>This field cannot be edited. |
| Description field | Enter a description of the interface to help you remember its function. |
| Admin Status list | Administrative status of the interface, either up or down. |
| Mode list | Select the port mode:<br>• Access<br>• Trunk<br>• Routed |
Step 4
Click OK.
Step 5
Click Save.
Configuring a Group of Physical Ports Using the Port Wizard
You can configure a group of physical ports as access, trunk, or routed ports using the Port wizard. The wizard will walk you through VLAN configuration, spanning tree configuration, and so forth, based on the type of ports selected. The wizard shows appropriate default values based on Cisco recommended best practice configurations.
Note
When you use the wizard, it clears the configurations of selected ports (a default interface command is issued) and those ports are reconfigured to use the new wizard configuration.
Procedure
Step 1
Click Switch in the task bar, click Ports in the left-most pane, then select Ports/Interfaces from the selector. The Ports/Interfaces page appears.
Step 2
Click Setup Wizard.
Selecting Ports
In the ports selection page of the wizard, you define the ports to configure.
Procedure
Step 1
Enter ports to configure, by doing one of the following:
• To manually enter ports, click the Enter Port Range option. You can enter either of the following:
– One or more ports, separated by commas (for example, Fa3/10, Fa3/12).
– A range of ports (for example, Fa3/10-14).
• To select from available ports, click Select Ports. See Port Selector.
Step 2
(Optional) Enter a shortcut name for the group of ports you are configuring. This creates an interface range macro for the selected ports. This allows you to later view this group of ports by clicking the macro from the Custom View folder. See Understanding Interface Ranges.
Note
Although an interface range macro is created, DM 6500/7600 applies the configuration defined by the wizard to each port separately. You can see this if you have set DM 6500/7600 to display the CLI commands to be delivered to the device, using the Deliver Configuration to Switch dialog box. For information on setting this option, see Editing Preferences.
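The two entry forms accepted by Enter Port Range, together with the wizard's behavior of clearing each selected port, are illustrated below as an added example (not DM 6500/7600 code). It expands an entry into individual ports and lists the configuration lines currently on each one, which is what the wizard's default interface step would remove. The running-config text is constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample running-config fragment (not taken from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet3/10
 description lobby kiosk
 switchport
 switchport mode access
 switchport port-security
 spanning-tree bpduguard enable
!
interface FastEthernet3/11
 shutdown
!
interface FastEthernet3/12
 switchport
 switchport mode access
!
"""

# Physical interface types this guide lists; entries may abbreviate them (Fa, Gi, Te).
INTERFACE_TYPES = ("Ethernet", "FastEthernet", "GigabitEthernet", "TenGigabitEthernet")
ENTRY_RE = re.compile(r"([A-Za-z]+)\s*(\d+)/(\d+)(?:-(\d+))?")


def full_type(abbrev):
    """Resolve an abbreviation such as 'Fa' to exactly one interface type."""
    matches = [t for t in INTERFACE_TYPES if t.lower().startswith(abbrev.lower())]
    if len(matches) != 1:
        raise ValueError(f"unknown or ambiguous interface type: {abbrev!r}")
    return matches[0]


def expand_ports(entry):
    """Expand 'Fa3/10, Fa3/12' or 'Fa3/10-14' into an ordered list of port names."""
    ports = []
    for item in entry.split(","):
        match = ENTRY_RE.fullmatch(item.strip())
        if not match:
            raise ValueError(f"not a port or port range: {item.strip()!r}")
        kind, slot, first, last = match.groups()
        first, last = int(first), int(last or first)
        if last < first:
            raise ValueError(f"range runs backwards: {item.strip()!r}")
        for number in range(first, last + 1):
            name = f"{full_type(kind)}{slot}/{number}"
            if name not in ports:  # a port named twice is configured once
                ports.append(name)
    return ports


def interface_lines(config):
    """Map each 'interface <name>' stanza to the indented lines beneath it."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return stanzas


def cleared_by_wizard(config, entry):
    """For every port in the entry, return the existing lines that would be cleared."""
    existing = interface_lines(config)
    return {port: existing.get(port, []) for port in expand_ports(entry)}


if __name__ == "__main__":
    for port, lines in cleared_by_wizard(SAMPLE_CONFIG, "Fa3/10-12").items():
        print(port, "->", lines or "(no existing configuration)")
```

Reviewing this list before clicking Save shows whether settings such as port security or BPDU Guard are present on a port and must be re-entered in the wizard.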
Port Selector
The Port Selector appears in various wizards. It allows you to browse and select ports for configuration. The following table describes how to use the Port Selector.
| GUI Element | Action/Description |
|---|---|
| Available Ports column | The table in the Available Ports column displays all physical ports that are available and supported on this switch. It displays ports that are associated with the selected port connection mode.<br>From the table, select the port to configure. To select multiple ports, press the Ctrl key as you select random ports or press the Shift key as you select contiguous ports to configure.<br>Note: If the destination port mode is Routed, you can select only one port at a time to add to the Selected Port(s) column.<br>Depending on what type of port you select, the Available Ports column may contain the following columns:<br>• Name—Indicates the name assigned to a port.<br>• Type—Indicates the hardware type of a port.<br>• VLAN—Indicates the VLAN with which a port is associated. This field is displayed only when the Access port connection mode is selected.<br>• Allowed VLANs—Indicates the range of valid VLAN values for a port. This field is displayed only when the Trunk port connection mode is selected.<br>• IP Address—Indicates the IP address of a port. This field is displayed only when the Routed port connection mode is selected. |
| Add>> button | With ports selected in the Available Ports column, click to add selected ports to the Selected Port(s) column. |
| <<Remove button | With ports selected in the Selected Port(s) table, click to remove selected ports from that table. |
| Clear All button | Click to remove all ports listed in the Selected Port(s) table and put them back in the Available Ports table. |
| Selected Port(s) column | Displays all selected ports. With either Access or Trunk port mode selected, the ports listed here are assigned to the VLAN specified in the VLAN field.<br>The Name field indicates the name of a selected port.<br>Note: IP address and network mask values can be seen when you pass your mouse over the port. |
Routed Port Details Dialog Box
This dialog box appears from the Port Selector when a selected destination port mode is routed and the IP address and network mask details are not available. The following information appears.
| Field | Action/Description |
|---|---|
| Port Name | Interface type and the number of the connector or interface card. For example, fastethernet 5/1 means Fast Ethernet, slot 5, interface 1. |
| IP Address | Enter the port IP address. |
| Net Mask | Enter a network mask or select one from the list. |
Configuring Ports
On the basic ports configuration page of the wizard, you define the following port parameters.
Note
Depending on the capabilities of the port, many of the parameters and values described may not be available.
| GUI Element | Description/Action |
|---|---|
| Connection Mode radio buttons | Select the type of port connection to establish:<br>• Switch-to-Host—Creates a connection between the switch and a host.<br>• Switch-to-Switch—Creates a connection between two switches.<br>• Switch-to-Router—Creates a connection between a switch and a router.<br>Note: The term Switch refers to the Cisco Catalyst 6500 series switch. |
| Port Mode list | Select the port configuration type:<br>• Access<br>• Trunk (not available when connection mode is Switch-to-Router)<br>• Routed (not available when connection mode is Switch-to-Switch) |
| Description field | Enter a description of the interface to help you remember its function. |
| MTU (bytes) field | (Optional) Enter the maximum packet size.<br>Note: Access or trunk ports can have a value of 1500 or 9216. Routed ports have a valid range from 1500 to 9216. |
| Flow Control: Send list | Select one of the following:<br>• Off—The port does not send flow-control frames to the neighboring port.<br>• On—The port sends flow-control frames to the neighboring port. |
| Flow Control: Receive list | Select one of the following:<br>• Off—The port does not use flow control, regardless of whether flow control is requested by the neighboring port.<br>• On—The port uses flow control dictated by the neighboring port. |
| Admin Status list | Administrative status of the interface, either up or down. |
| Speed (Mbps) list | (Optional) Select how fast the interface transmits information:<br>• 10—Transmits at 10 Mbps.<br>• 100—Transmits at 100 Mbps.<br>• auto—Enables the autonegotiation capability. |
| Duplex list | Select duplex operation:<br>• Half—Sends and receives data, but not at the same time.<br>• Full—Sends and receives data at the same time.<br>Note: If speed is set to auto, both speed and duplex are autonegotiated. |
| UDLD list | Select Unidirectional Link Detection mode:<br>• Enabled—Enables UDLD in normal mode.<br>• Aggressive—Enables UDLD in aggressive mode. Overrides the setting of the global UDLD.<br>• Disabled—Disables UDLD.<br>UDLD is a Layer 2 protocol that works with Layer 1 mechanisms to determine the physical status of a link. At Layer 1, auto-negotiation takes care of physical signaling and fault detection.<br>UDLD performs tasks that auto-negotiation cannot perform, such as detecting the identities of neighbors and shutting down misconnected ports. When you enable both auto-negotiation and UDLD, Layer 1 and 2 detections work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols. |
| Enable CDP check box | Select to enable CDP, or deselect to disable CDP. |
Configuring VLAN for Ports
In the access port configuration page of the wizard, you define VLAN information for selected ports. Depending on the type of configuration mode that you chose in Step 2 of this wizard (see Configuring Ports), you will now do one of the following:
• Access Port Configuration
• Trunk Port Configuration
• Routed Port Configuration
Access Port Configuration
For access port configuration mode, you configure the access VLAN.
| GUI Element | Action/Description |
|---|---|
| Assign Ports to VLAN pane | |
| Access VLAN list | Click , then select one of the following:<br>• Select VLAN—Opens the VLAN Selector dialog box and allows you to select available VLANs.<br>• Create VLAN—Opens the Create VLAN Dialog Box and allows you to create a VLAN.<br>• Clear VLAN—Clears all VLANs in the field. |
| Port Security pane | |
| Port Security check box | Select to enable port security options or deselect to disable port security options. For port security configuration guidelines, see the relevant section in Catalyst 6500 Family IOS Software Configuration Guide. |
| Max Num MAC Address field | Enter the maximum number of secure MAC addresses. The range is 1-1025. |
| Violation Policy list | Select the violation policy type:<br>• Protect—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.<br>• Restrict—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value, and causes the security violation counter to increment.<br>• Shutdown—Immediately puts the interface into the error-disabled state and sends an SNMP trap notification. |
| Spanning Tree Parameters pane | |
| Port Fast list | From the list, select one of the following:<br>• Enabled<br>• Disabled<br>• Global<br>This option causes a port to immediately enter the spanning-tree forwarding state, bypassing the listening and learning states. |
| BPDU Guard list | From the list, select one of the following:<br>• Enabled<br>• Disabled<br>• Global<br>This option causes the spanning tree to shut down PortFast-configured interfaces that receive BPDUs, instead of putting them into the spanning-tree blocking state. |
| BPDU Filter list | From the list, select one of the following:<br>• Enabled<br>• Disabled<br>• Global<br>This option forces an interface to become a designated port to protect the current root status and prevent surrounding switches from becoming the root switch. |
Create VLAN Dialog Box
This dialog box appears after you click Create VLAN in any of several other dialog boxes. This dialog box allows you to create a VLAN. Enter the following information and click OK.
| GUI Field | Action/Description |
|---|---|
| VLAN ID | Enter the ID number of the VLAN. |
| VLAN Name | Enter the name of the VLAN. |
| Media Type | Type of VLAN. |
VLAN Selector
This dialog box displays VLANs that you can select. Select a VLAN from the table, then click OK.
| Column | Description |
|---|---|
| VLAN ID | Number (ID) of the VLAN. |
| Name | Name of the VLAN. |
| Access Ports | Access ports assigned to the VLAN. |
| Trunk Ports | Trunk ports assigned to the VLAN. |
| Services | Services associated to the VLAN. |
Trunk Port Configuration
For trunk ports, configure the following trunk parameters:
| GUI Element | Action |
|---|---|
| Trunk Parameters | |
| Trunk Mode list | Select one of the following trunk modes:<br>• Static—Puts the port into permanent trunking mode and negotiates to convert the link into a trunk link. The LAN port becomes a trunk port even if the neighboring port does not accept the change.<br>• Dynamic-Auto—Allows the port to convert the link to a trunk link. The port becomes a trunk port if the neighboring port is set to trunk or desirable mode.<br>• Dynamic-Desirable—Makes the port actively attempt to convert the link to a trunk link. |
| Dynamic Trunk Protocol (DTP) Negotiate check box | Select to enable DTP negotiation, or deselect to disable DTP negotiation.<br>This option is available only if trunk mode is static. If trunk mode is Dynamic-Desirable or Dynamic-Auto, DTP negotiation has to be turned on.<br>DTP manages trunk auto-negotiation on ports. DTP supports auto-negotiation of both ISL and 802.1Q trunks. |
| Trunk Encapsulation list | Select one of the following:<br>• dot1q—Specifies 802.1Q encapsulation on the trunk link.<br>• isl—Specifies ISL encapsulation on the trunk link. 10-Gigabit Ethernet ports do not support ISL encapsulation. |
| Assign VLANs | |
| Allowed VLANs field | Do one of the following:<br>• Enter one of the following:<br>– One or more VLANs, separated by commas (for example, 111,600).<br>– A range of VLANs (for example, 1-4094).<br>• Click , then select one of the following:<br>– Select VLAN—Opens the VLAN Selector dialog box and allows you to select available VLANs.<br>– Create VLAN—Opens the Create VLAN Dialog Box and allows you to create a VLAN.<br>– Clear VLAN—Clears all VLANs in the field. |
| Pruning Eligible VLANs field | Do one of the following:<br>• Enter one of the following:<br>– One or more VLANs, separated by commas (for example, 111,600).<br>– A range of VLANs (for example, 2-1001).<br>• Click , then select one of the following:<br>– Select VLAN—Opens the VLAN Selector dialog box and allows you to select available VLANs.<br>– Create VLAN—Opens the Create VLAN Dialog Box and allows you to create a VLAN.<br>– Clear VLAN—Clears all VLANs in the field. |
| Native VLANs list | Click , then select one of the following:<br>– Select VLAN—Opens the VLAN Selector dialog box and allows you to select available VLANs.<br>– Create VLAN—Opens the Create VLAN Dialog Box and allows you to create a VLAN.<br>– Clear VLAN—Clears all VLANs in the field. |
| Spanning Tree Parameters | |
| Port Fast list | Select one of the following:<br>• Enabled<br>• Disabled<br>• Global<br>This option causes a port to immediately enter the spanning-tree forwarding state, bypassing the listening and learning states. |
| BPDU Guard list | Select one of the following:<br>• Enabled<br>• Disabled<br>• Global<br>This option causes the spanning tree to shut down PortFast-configured interfaces that receive BPDUs, instead of putting them into the spanning-tree blocking state. |
| BPDU Filter list | Select one of the following:<br>• Enabled<br>• Disabled<br>• Global<br>This option forces an interface to become a designated port to protect the current root status and prevent surrounding switches from becoming the root switch. |
| Root Guard list | Select one of the following:<br>• Disabled<br>• Enabled<br>When enabled, the root guard feature provides a way to enforce the placement of a root bridge in a network. |
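The access-port and trunk-port settings in the two tables above can be checked after delivery by reading the resulting interface configuration. The following added example (not part of DM 6500/7600 or of this guide) audits per-interface IOS configuration lines for port security, violation policy, PortFast with BPDU Guard, DTP negotiation, and the allowed VLAN list, whose 1-4094 range it validates. The policy it encodes is an assumption of this example, the interface data is constructed, and the Global option for PortFast and BPDU Guard is not evaluated.

```python
import re

# Constructed sample data: interface name -> the configuration lines under it.
SAMPLE_PORTS = {
    "FastEthernet3/10": [
        "switchport", "switchport mode access", "switchport access vlan 111",
        "switchport port-security", "switchport port-security maximum 2",
        "switchport port-security violation restrict",
        "spanning-tree portfast", "spanning-tree bpduguard enable",
    ],
    "FastEthernet3/11": [
        "switchport", "switchport mode access", "switchport access vlan 111",
        "spanning-tree portfast",
    ],
    "GigabitEthernet1/1": [
        "switchport", "switchport trunk encapsulation dot1q",
        "switchport mode dynamic desirable",
    ],
    "GigabitEthernet1/2": [
        "switchport", "switchport trunk encapsulation dot1q",
        "switchport trunk allowed vlan 111,600", "switchport mode trunk",
        "switchport nonegotiate",
    ],
}


def parse_vlan_list(text, low=1, high=4094):
    """Expand '111,600' or '2-200' into sorted VLAN IDs; reject out-of-range input."""
    vlans = set()
    for part in text.split(","):
        match = re.fullmatch(r"\s*(\d+)(?:\s*-\s*(\d+))?\s*", part)
        if not match:
            raise ValueError(f"not a VLAN or VLAN range: {part.strip()!r}")
        first = int(match.group(1))
        last = int(match.group(2) or first)
        if not low <= first <= last <= high:
            raise ValueError(f"{part.strip()} is outside {low}-{high}")
        vlans.update(range(first, last + 1))
    return sorted(vlans)


def setting(lines, prefix):
    """Return the argument of the first line that starts with `prefix`, else None."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:].strip()
    return None


def audit_port(lines):
    """Return findings for one interface, using this example's assumed policy."""
    findings = []
    mode = setting(lines, "switchport mode")
    if mode == "access":
        if "switchport port-security" not in lines:
            findings.append("port security disabled")
        elif setting(lines, "switchport port-security violation") == "protect":
            # Per the Violation Policy list, only Restrict counts and only Shutdown traps.
            findings.append("violation policy Protect: drops are not counted or trapped")
        if "spanning-tree portfast" in lines and "spanning-tree bpduguard enable" not in lines:
            findings.append("PortFast without per-port BPDU Guard")
    elif mode in ("trunk", "dynamic auto", "dynamic desirable"):
        if mode != "trunk":
            findings.append(f"trunking negotiated by DTP ({mode})")
        elif "switchport nonegotiate" not in lines:
            findings.append("static trunk with DTP negotiation on")
        allowed = setting(lines, "switchport trunk allowed vlan")
        if allowed is None:
            findings.append("no allowed VLAN list")
        else:
            try:
                parse_vlan_list(allowed)
            except ValueError as exc:
                findings.append(f"bad allowed VLAN list: {exc}")
    return findings


def audit(ports):
    """Audit every interface; ports with no 'switchport mode' line are not assessed."""
    return {name: audit_port(lines) for name, lines in ports.items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PORTS).items():
        print(name, "->", findings or "ok")
```

Pass `low=2, high=1001` to `parse_vlan_list` to validate a Pruning Eligible VLANs entry instead of an Allowed VLANs entry.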
Routed Port Configuration
For routed ports, you see the following parameters.
| Column | Action/Description |
|---|---|
| Name | Name of the port being configured. |
| IP Address | Double-click the cell and enter the IP address. |
| Mask | Double-click the cell, then select a mask from the list. |
Port Wizard Summary
From this page, you can view a summary of the configured settings.
Note
Your port configuration changes will clear all previous configurations when you click Save.
Click OK, then click Save.
Configuring Access Ports
An access port is a switching port that is used to connect host machines or servers. An access port belongs to and carries the traffic of only one VLAN. Traffic is received and sent in native formats with no VLAN tagging. You can view all access ports on the switch.
Click Switch in the task bar, click Ports in the left-most pane, then select Access Ports from the selector.
The Access Ports page displays the following:
• Access Ports pane—Contains a table that shows general information about each access port.
| Column | Description |
|---|---|
| Name | Interface type and the number of the connector or interface card. For example, fastethernet 5/1 means Fast Ethernet, slot 5, interface 1. |
| Description | Enter a description of the interface to help you remember its function. |
| Admin Status | Administrative status of the port/interface. |
| Oper Status | Line protocol status of the port (whether or not the port is passing packets). |
| Access VLAN | VLAN ID associated with the port. |
| Hardware Type | Hardware configuration type. |
Note
All columns are sortable.
• Details pane—Shows detailed information about a single selected port. When multiple ports are selected, the Details pane will not show any values. See Editing and Restarting Access Ports for descriptions of each field.
Editing and Restarting Access Ports
Note
You cannot restart a port from any of the Interface Range dialog boxes.
Procedure
Step 1
Click Switch in the task bar, click Ports in the left-most pane, then select Access Ports from the selector. The Access Ports page displays all access ports and related access port parameters in a table.
Step 2
From the table, select the port to edit. To select multiple ports, press the Ctrl key as you select each port to edit.
Step 3
To change port settings, click Edit. The Edit Access Port or the Multi Port Edit dialog box appears.
Note
• If you are editing multiple ports, all values in the parameter fields are empty. Any values or configuration changes you enter are applied to all selected ports. Any values that you do not enter or change will remain at their previous configuration setting.
• The single edit ports dialog box and the multiple edit ports dialog box may have different parameters available.
• Depending on the capabilities of the selected ports, many of the parameters and values described may not be available.
| GUI Element | Action/Description |
|---|---|
| Name field | Interface type and the number of the connector or interface card. For example, fastethernet 5/1 means Fast Ethernet, slot 5, interface 1.<br>This field cannot be edited. |
| Description field | Enter a description of the interface to help you remember its function. |
| Admin Status list | Select the administrative status of the interface:<br>• up<br>• down |
| Access VLAN list | Click , then select one of the following:<br>• Select VLAN—Opens the VLAN Selector dialog box and allows you to select available VLANs.<br>• Create VLAN—Opens the Create VLAN Dialog Box and allows you to create a VLAN.<br>• Clear VLAN—Clears all VLANs in the field. |
| Port Security list or check box | Multiple Port Edit Mode—From the list, select one of the following:<br>• Enabled<br>• Disabled<br>Single Port Edit Mode—Select the check box to enable security options and deselect to disable security options.<br>For port security configuration guidelines, see the relevant section in Catalyst 6500 Family IOS Software Configuration Guide. |
| Max MAC Addresses field | Enter the maximum number of secure MAC addresses. The range is 1-1025. |
| Violation Policy list | Select type of violation policy:<br>• Protect—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.<br>• Restrict—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value, and causes the security violation counter to increment.<br>• Shutdown—Immediately puts the interface into the error-disabled state and sends an SNMP trap notification. |
| Speed list | Select how fast the interface transmits:<br>• 10—Transmits at 10 Mbps.<br>• 100—Transmits at 100 Mbps.<br>• auto—Enables the autonegotiation capability. |
| Duplex list | Select duplex operation:<br>• Half—Sends and receives data, but not at the same time.<br>• Full—Sends and receives data at the same time.<br>Note: If speed is set to auto, both speed and duplex are auto-negotiated. |
| MTU (bytes) list | Select the maximum packet size. Valid values are 1500 or 9216. |
| Link Negotiation list | Multiple Edit Mode—Select to enable or disable link negotiation. |
| UDLD list | Select UDLD mode:<br>• Enabled—Enables UDLD in normal mode.<br>• Aggressive—Enables UDLD in aggressive mode. Overrides the setting of the global UDLD.<br>• Disabled—Disables UDLD. |
| Enable CDP check box | Single Edit Mode—Select to enable CDP, and deselect to disable CDP. |
| CDP list | Multiple Edit Mode—From the list, select one of the following:<br>• Enabled<br>• Disabled |
| Flow Control: Send list | Select one of the following:<br>• Off—The port does not send flow-control frames to the neighboring port.<br>• On—The port sends flow-control frames to the neighboring port. |
| Flow Control: Receive list | Select one of the following:<br>• Off—The port does not use flow control, regardless of whether flow control is requested by the neighboring port.<br>• On—The port uses flow control dictated by the neighboring port. |
Related Topics
• Configuring a Group of Physical Ports Using the Port Wizard
• Configuring Trunk Ports
• Configuring Routed Ports
• Understanding Interface Ranges
Configuring Trunk Ports
A trunk port is a switching port operating at Layer 2 to carry multiple VLAN traffic. Traffic is tagged with a VLAN number to differentiate traffic from each VLAN. A trunk port is used to connect switches to switches or to connect switches to routers. The Trunk Ports page displays all trunk ports and related trunk port parameters in a table.
You can view all trunk ports on the switch. Click Switch in the task bar, click Ports in the left-most pane, then select Trunk Ports from the selector. The Trunk Ports page is displayed. This page displays the following:
• Trunk Ports table—Shows general information about each trunk port.
| Column | Description |
|---|---|
| Name | Interface type and the number of the connector or interface card. For example, fastethernet 5/1 means Fast Ethernet, slot 5, interface 1. |
| Description | Enter a description of the interface to help you remember its function. |
| Admin Status | Administrative status of the port/interface. |
| Oper Status | Line protocol status of the port (whether or not port is passing packets). |
| Trunk Mode | Type of trunk mode assigned to the port. |
| Encapsulation | Encapsulation type. |
| Allowed VLANs | VLANs allowed on the port. |
| Hardware Type | Hardware configuration type. |
• Details pane—Shows detailed information about a single selected port. When multiple ports are selected, the Details pane will not show any values. See Editing and Restarting Trunk Ports for descriptions of each field.
Editing and Restarting Trunk Ports
Note
You cannot restart a port from any of the Interface Range dialog boxes.
Procedure
Step 1
Click Switch in the task bar, click Ports in the left-most pane, then select Trunk Ports from the selector. The Trunk Ports page displays all trunk ports and related trunk port parameters in a table.
Step 2
From the table, select the port to edit. To select multiple ports, press the Ctrl key as you select each port to edit.
Step 3
To change port settings, click Edit. The Edit Trunk Port or Edit Multiple Ports dialog box appears.
For more information on trunk configuration, see the relevant section in Catalyst 6500 Family IOS Software Configuration Guide.
Note
Depending on the capabilities of the selected ports, many of the parameters and values described may not be available.
GUI Element | Action
Name field | Name of the selected trunk ports. This field cannot be edited.
Description field | Enter a description of the port to help you remember its function.
Admin Status list | Select the administrative status of the port:
• up
• down
Trunk Mode list | Select one of the following trunk modes:
• Static—Puts the port into permanent trunking mode and negotiates to convert the link into a trunk link. The LAN port becomes a trunk port even if the neighboring port does not accept the change.
• Dynamic-Auto—Allows the port to convert the link to a trunk link. The port becomes a trunk port if the neighboring port is set to Trunk or Desirable mode.
• Dynamic-Desirable—Makes the port actively attempt to convert the link to a trunk link.
Encapsulation list | Select one of the following:
• dot1q—Specifies 802.1Q encapsulation on the trunk link.
• isl—Specifies ISL encapsulation on the trunk link. 10-Gigabit Ethernet ports do not support ISL encapsulation.
• negotiate—Specifies that the port will negotiate with the neighboring port to become an ISL (preferred) or 802.1Q trunk, depending on the configuration and capabilities of the neighboring port.
DTP Negotiation check box | Single Port Edit Mode—Select to enable Dynamic Trunk Protocol (DTP) negotiation or deselect to disable DTP negotiation. DTP manages trunk auto-negotiation on ports. DTP supports auto-negotiation of both ISL and 802.1Q trunks.
DTP Negotiation list | Multiple Port Edit Mode—Select one of the following:
• On—Enables DTP negotiation.
• Off—Disables DTP negotiation.
Allowed VLANs field | Designate which VLANs are allowed on the trunk. Do one of the following:
• Enter VLAN IDs. You can enter multiple VLANs separated by a comma, or a range of VLANs. For example: 12,17,12 or 2-200. Valid range is 1-4094.
• Click , then select one of the following:
– Select VLAN—Opens the VLAN Selector dialog box and allows you to select available VLANs.
– Create VLAN—Opens the Create VLAN Dialog Box and allows you to create a VLAN.
– Clear VLAN—Clears all VLANs in the field.
Prune VLANs field | Designate VLANs that are eligible for pruning. Do one of the following:
• Enter VLAN IDs. You can enter multiple VLANs separated by a comma, or a range of VLANs. For example: 12,17,12 or 2-200. Valid range is 2-1001.
• Click , then select one of the following:
– Select VLAN—Opens the VLAN Selector dialog box and allows you to select available VLANs.
– Create VLAN—Opens the Create VLAN Dialog Box and allows you to create a VLAN.
– Clear VLAN—Clears all VLANs in the field.
Native VLAN field | Designate native VLANs. Click , then select one of the following:
• Select VLAN—Opens the VLAN Selector dialog box and allows you to select available VLANs.
• Create VLAN—Opens the Create VLAN Dialog Box and allows you to create a VLAN.
• Clear VLAN—Clears all VLANs in the field.
Speed list | Select how fast the interface transmits:
• 10—Transmits at 10 Mbps.
• 100—Transmits at 100 Mbps.
• auto—Enables the autonegotiation capability.
Duplex list | Select duplex operation:
• Half—Sends and receives data, but not at the same time.
• Full—Sends and receives data at the same time.
Note: If speed is set to auto, both speed and duplex are auto-negotiated.
MTU (bytes) list | Enter the maximum packet size. Valid values are 1500 or 9216.
Link Negotiation list | Multiple Port Edit Mode—Select one of the following:
• Enabled—Enables link negotiation.
• Disabled—Disables link negotiation.
UDLD list | Select UDLD mode:
• Enabled—Enables UDLD in normal mode.
• Aggressive—Enables UDLD in aggressive mode. Overrides the setting of the global UDLD.
• Disabled—Disables UDLD.
Enable CDP check box | Single Port Edit Mode—Select check box to enable CDP, and deselect to disable CDP.
CDP list | Multiple Port Edit Mode—Select one of the following:
• Enabled—Enables CDP.
• Disabled—Disables CDP.
Flow Control: Send list | Select one of the following:
• Off—The port does not send flow-control frames to the neighboring port.
• On—The port sends flow-control frames to the neighboring port.
Flow Control: Receive list | Select one of the following:
• Off—The port does not use flow control, regardless of whether flow control is requested by the neighboring port.
• On—The port uses flow control dictated by the neighboring port.
Related Topics
• Configuring a Group of Physical Ports Using the Port Wizard
• Configuring Access Ports
• Configuring Routed Ports
• Understanding Interface Ranges
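The trunk settings described above can be reviewed before they are entered in the Edit Trunk Port dialog. The following is an added example, not part of DM 6500/7600 or any Cisco code: it parses the Allowed VLANs and Prune VLANs syntax against the ranges the table gives and flags settings a reviewer would question. The record layout, the sample ports and the review policy (negotiated trunk mode, DTP negotiation on, all VLANs allowed, native VLAN 1) are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ranges stated for the Edit Trunk Port dialog fields.
ALLOWED_RANGE = (1, 4094)   # Allowed VLANs field
PRUNE_RANGE = (2, 1001)     # Prune VLANs field
NEGOTIATED_MODES = {"Dynamic-Auto", "Dynamic-Desirable"}
_ITEM = re.compile(r"(\d+)(?:-(\d+))?", re.ASCII)


def parse_vlan_list(text: str, valid_range: Tuple[int, int]) -> List[int]:
    """Expand '12,17,2-200' into sorted, de-duplicated VLAN IDs or raise ValueError."""
    low, high = valid_range
    vlans = set()
    for raw in text.split(","):
        item = raw.strip()
        match = _ITEM.fullmatch(item)
        if match is None:
            raise ValueError(f"not a VLAN ID or range: {item!r}")
        start = int(match.group(1))
        end = int(match.group(2)) if match.group(2) else start
        if start > end:
            raise ValueError(f"reversed range: {item!r}")
        if start < low or end > high:
            raise ValueError(f"{item!r} is outside the valid range {low}-{high}")
        vlans.update(range(start, end + 1))
    return sorted(vlans)


@dataclass
class TrunkPort:
    """Planned values for one trunk port (hypothetical record layout)."""
    name: str
    trunk_mode: str              # "Static", "Dynamic-Auto" or "Dynamic-Desirable"
    dtp_negotiation: bool
    allowed_vlans: str
    prune_vlans: str = ""
    native_vlan: Optional[int] = None


def audit_trunk_port(port: TrunkPort) -> List[str]:
    """Return review findings; the policy is an assumption of this example."""
    findings = []
    if port.trunk_mode in NEGOTIATED_MODES:
        findings.append(f"trunk mode is {port.trunk_mode}: the neighboring port "
                        "takes part in deciding whether the link becomes a trunk")
    if port.dtp_negotiation:
        findings.append("DTP negotiation is enabled")
    try:
        allowed = parse_vlan_list(port.allowed_vlans, ALLOWED_RANGE)
        if len(allowed) == ALLOWED_RANGE[1] - ALLOWED_RANGE[0] + 1:
            findings.append("Allowed VLANs covers all of 1-4094; "
                            "list only the VLANs the link must carry")
    except ValueError as exc:
        findings.append(f"Allowed VLANs: {exc}")
    if port.prune_vlans:
        try:
            parse_vlan_list(port.prune_vlans, PRUNE_RANGE)
        except ValueError as exc:
            findings.append(f"Prune VLANs: {exc}")
    if port.native_vlan == 1:
        findings.append("native VLAN is 1, the default VLAN")
    return findings


# Constructed sample data, not taken from a real switch.
SAMPLE_PORTS = [
    TrunkPort("gigabitethernet 1/1", "Static", False, "12,17,100-120", "100-120", 999),
    TrunkPort("fastethernet 5/1", "Dynamic-Desirable", True, "1-4094", "1-1001", 1),
]


def audit_all(ports: List[TrunkPort]) -> Dict[str, List[str]]:
    """Map each port name to its list of findings (empty list means no findings)."""
    return {port.name: audit_trunk_port(port) for port in ports}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PORTS).items():
        print(name, "- no findings" if not findings else "")
        for finding in findings:
            print("   ", finding)
```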
Configuring Routed Ports
A routed port is a physical port that acts like a port on a router. A routed port is not associated with a particular VLAN, and it behaves like a regular router interface. You can configure a routed port with a Layer 3 routing protocol.
You can view all routed ports on the switch. Click Switch in the task bar, click Ports in the left-most pane, then select Routed Ports from the selector. The Routed Ports page displays the following:
• Routed Ports table—Shows general information about each routed port.
Column | Description
Name | Interface type and the number of the connector or interface card. For example, fastethernet 5/1 means Fast Ethernet, slot 5, interface 1.
Description | Description of the port.
Admin Status | Administrative status of the port.
Oper Status | Line protocol status of the port (whether or not the port is passing packets).
IP Address | IP address of port.
Mask | Network mask assigned to the port.
Hardware Type | Hardware configuration type.
Note
All columns are sortable.
• Details pane—Shows detailed information about a single selected port. When multiple ports are selected, the Details pane will not show any values. See Editing and Restarting Routed Ports for descriptions of each field.
Editing and Restarting Routed Ports
Note
You cannot restart a port from any of the Interface Range dialog boxes.
Procedure
Step 1
Click Switch in the task bar, click Ports in the left-most pane, then select Routed Ports from the selector. The Routed Ports page displays all routed ports and related routed port parameters in a table.
Step 2
From the table, select the port to edit. To select multiple ports, press the Ctrl key as you select each port to edit.
Step 3
To change port settings, click Edit. The Edit Routed Port or the Edit Multiple Port dialog box appears.
Edit the relevant values.
Note
Depending on the capabilities of the selected ports, many of the parameters and values described may not be available.
GUI Element | Action
Name field | Name of the selected ports. This field cannot be edited.
Description field | Enter a description of the port to help you remember its function.
Admin Status list | Select the administrative status of the port:
• up
• down
IP Address field | Single Edit Mode—Enter the IP address of the port.
Clear IP Address list | Multiple Edit Mode—Select one of the following:
• no—Leaves previous IP address value on all selected ports.
• yes—Clears previous IP address value on all selected ports.
Mask field | Single Edit Mode—Either select the appropriate mask from the list or enter a value.
Helper IP Addresses field | Single Edit Mode—Specify a helper IP address for the selected routed port. See Selecting Helper IP Addresses.
Clear Helper IP Addresses field | Multiple Edit Mode—Select one of the following:
• no—Leaves previous IP address values on all selected ports.
• yes—Clears previous IP address values on all selected ports.
Speed list | Select how fast the port transmits:
• 10—Transmits at 10 Mbps.
• 100—Transmits at 100 Mbps.
• auto—Enables the autonegotiation capability.
Duplex list | Select duplex operation:
• Half—Sends and receives data, but not at the same time.
• Full—Sends and receives data at the same time.
Note: If speed is set to auto, both speed and duplex are autonegotiated.
MTU (1500-9216 bytes) field | Single Edit Mode—Enter the maximum packet size. Valid values are 1500 to 9216.
MTU (bytes) field | Multiple Edit Mode—Enter the maximum packet size. Valid values are 1500 to 9216.
Link Negotiation list | Multiple Edit Mode—Select one of the following:
• Enabled—Enables link negotiation.
• Disabled—Disables link negotiation.
UDLD list | Select UDLD mode:
• Enabled—Enables UDLD in normal mode.
• Aggressive—Enables UDLD in aggressive mode. Overrides the setting of the global UDLD.
• Disabled—Disables UDLD.
Enable CDP check box | Single Edit Mode—Select to enable CDP, and deselect to disable CDP.
CDP list | Multiple Port Edit Mode—Select one of the following:
• Enabled—Enables CDP.
• Disabled—Disables CDP.
Flow Control: Send list | Select one of the following:
• Off—The port does not send flow-control frames to the neighboring port.
• On—The port sends flow-control frames to the neighboring port.
Flow Control: Receive list | Select one of the following:
• Off—The port does not use flow control, regardless of whether flow control is requested by the neighboring port.
• On—The port uses flow control dictated by the neighboring port.
Related Topics
• Configuring a Group of Physical Ports Using the Port Wizard
• Configuring Access Ports
• Configuring Trunk Ports
• Understanding Interface Ranges
Selecting Helper IP Addresses
From this dialog box, you can assign a helper IP address to an interface or port. A helper IP address converts the DHCP requests from broadcast to unicast directed to the DHCP server.
Procedure
Step 1
Click
to open the Helper IP Addresses dialog box.
Step 2
Do one of the following:
– If the IP address you want to select is listed, select it and proceed to Step 3.
– If the IP address you want to select is not listed, click Add to open the Add IP Address window. See Adding an IP Address.
Step 3
Click OK.
Adding an IP Address
Procedure
Step 1
From the Helper IP Addresses dialog box, click Add.
Step 2
Enter the appropriate IP address, then click OK.
Configuring SVIs
A switched virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing or bridging function in the system. An SVI is created to enable routing between VLANs and to provide IP host connectivity to the switch.
You can view all SVIs on the switch. Click Switch in the task bar, click Ports in the left-most pane, then select Switched Virtual Interfaces from the selector. This page displays the following:
Column | Description
Name | Interface type and the number of the connector or interface card. For example, fastethernet 5/1 means Fast Ethernet, slot 5, interface 1.
Description | Description of the interface.
Admin Status | Administrative status of the port/interface.
Oper Status | Line protocol status of the port (whether or not port is passing packets).
IP Address | IP address of port.
Mask | Network mask of port.
Helper IP Addresses | Helper IP addresses configured for the SVI. A helper IP address converts the DHCP requests from broadcast to unicast directed to the DHCP server.
MTU | Maximum packet size.
Editing and Restarting SVIs
Procedure
Step 1
Click Switch in the task bar, click Ports in the left-most pane, then select Switched Virtual Interfaces from the selector.
The Switched Virtual Interfaces page displays all switched virtual interfaces and related SVI VLAN parameters in a table.
Step 2
To edit interfaces, do the following:
a. From the table, select the VLAN to edit.
To select multiple VLANs, press the Ctrl key as you select each port.
b. Click Edit.
The Edit SVI or the Edit Multiple Port dialog box appears.
Note
You can also get to the Edit SVI dialog box directly from the Services > Flows page.
Edit the appropriate values.
GUI Element | Action
Switched Virtual Interface field | Single Edit Mode—Name of the selected SVI. This field cannot be edited.
Name field | Multiple Edit Mode—Names of the selected SVIs. This field cannot be edited.
Description field | Enter a description of the interface to help you remember its function.
Admin Status list | Select the administrative status of the interface, either up or down.
IP Address field | Single Edit Mode—Enter IP address of interface.
Clear IP Address list | Multiple Edit Mode—Select one of the following:
• no—Leaves previous IP address value on all selected interfaces.
• yes—Clears previous IP address value on all selected interfaces.
Mask field | Single Edit Mode—Either select the appropriate mask from the list or enter a value.
Helper IP Addresses field | Single Edit Mode—Specify a helper IP address for the selected SVI. See Selecting Helper IP Addresses.
Clear Helper Addresses field | Multiple Edit Mode—Select one of the following:
• no—Leaves previous IP address values on all selected interfaces.
• yes—Clears previous IP address values on all selected interfaces.
MTU (64-9216 bytes) field | Single Edit Mode—Enter the maximum packet size. Valid values are 64 to 9216.
MTU (bytes) field | Multiple Edit Mode—Enter the maximum packet size. Valid values are 64 to 9216.
Related Topics
• Configuring SVIs
• Adding an SVI
Adding an SVI
Procedure
Step 1
Click Switch in the task bar, click Ports in the left-most pane, then select Switched Virtual Interfaces from the selector. The Switched Virtual Interfaces page displays all switched virtual interfaces and related SVI VLAN parameters in a table.
Note
You can also get to the Add SVI dialog box from the Flows page.
Step 2
Click Add.
Step 3
Define the appropriate values.
GUI Element | Action
Interface VLAN Number list | Click , then select one of the following:
• Select VLAN—Opens the VLAN Selector dialog box and allows you to select available VLANs.
• Create VLAN—Opens the Create VLAN Dialog Box and allows you to create a VLAN.
• Clear VLAN—Clears all VLANs in the field.
Description field | Enter a description of the interface to help you remember its function.
Admin Status list | Select the administrative status of the interface:
• up
• down
IP Address field | Enter IP address of port.
Mask field | Either select the appropriate mask from the list or enter a value.
Helper IP Addresses field | Specify a helper IP address for the new SVI. See Selecting Helper IP Addresses.
MTU (64-9216 bytes) field | Enter the maximum packet size. Valid values are 64 to 9216.
Related Topics
• Configuring SVIs
• Editing and Restarting SVIs
Configuring Tunnel Interfaces
Tunneling provides a way to encapsulate arbitrary packets inside a transport protocol. This feature is implemented as a virtual interface to provide a simple interface for configuration. The tunnel interface is not tied to specific "passenger" or "transport" protocols, but rather, it is an architecture that is designed to provide the services necessary to implement any standard point-to-point encapsulation scheme. Because tunnels are point-to-point links, you must configure a separate tunnel for each link.
Note
DM 6500/7600 supports both point-to-point and point-to-multipoint encapsulation.
To view the tunnel interfaces configured on the switch, click Switch in the task bar, click Ports in the left-most pane, then select Tunnel Interfaces from the selector. The Tunnel Interfaces page is displayed. This page displays the following:
• Tunnel Interfaces table—Shows general information about each tunnel interface. All columns are sortable.
Column | Description
Tunnel Name | Name of the tunnel interface.
IP Address/Mask | IP address/mask of the tunnel interface.
Encapsulation | Encapsulation type used. There are two possible values:
• Point-to-Point GRE
• Point-to-Multipoint GRE
Source | Source of the tunnel interface. This value is either an IP address, local interface name, SVI, or loopback interface.
Destination | Destination of the tunnel interface.
Note: This object is applicable only when the encapsulation type for the tunnel interface is point-to-point GRE.
Admin Status | Current administrative status of the tunnel interface.
Oper Status | Current operational status of the tunnel interface.
• Details pane—Shows detailed information about a single selected tunnel interface. When multiple tunnel interfaces are selected, the Details pane will not show any values. See Editing and Restarting Tunnel Interfaces for descriptions of each field.
Editing and Restarting Tunnel Interfaces
Procedure
Step 1
Click Switch in the task bar, click Ports in the left-most pane, then select Tunnel Interfaces from the selector.
The Tunnel Interfaces page displays all tunnel interfaces and related parameters in a table.
Step 2
To edit interfaces, do the following:
a. From the table, select the interface to edit.
To select multiple interfaces, press the Ctrl key as you select each interface.
b. Click Edit.
The Edit Tunnel or the Edit Multiple Tunnels dialog box appears. Edit the appropriate values.
GUI Element | Description/Action
Interface tab
Tunnel Interface Number field | Single Edit Mode—Name of the selected tunnel interface. This field cannot be edited.
Name field | Multiple Edit Mode—Name of the selected tunnel interfaces. This field cannot be edited.
IP Address field | Single Edit Mode—Edit the IP address of the selected tunnel interface.
Clear IP Address list | Multiple Edit Mode—Select one of the following:
• no—Leaves previous IP address value on all selected interfaces.
• yes—Clears previous IP address value on all selected interfaces.
Mask field | Single Edit Mode—Either select the appropriate mask from the list or enter a value.
Helper IP Addresses field | Single Edit Mode—Specify a helper IP address for the selected tunnel interface. See Selecting Helper IP Addresses.
Clear Helper Addresses list | Multiple Edit Mode—Select one of the following:
• no—Leaves previous IP address values on all selected interfaces.
• yes—Clears previous IP address values on all selected interfaces.
Description field | Edit the description of the selected tunnel interface.
Bandwidth (kilobits) field | Edit the amount of bandwidth available to the selected tunnel interface. Valid values range from 1 to 10000000.
MTU (bytes) field | Edit the maximum packet size that the selected tunnel interface can handle. Valid values range from 68 to 1000000.
Admin Status field | Edit the administrative status of the selected tunnel interface.
Encapsulation tab
Select either the Point-to-Point GRE or Point-to-Multipoint GRE radio button.
Source/Destination tab
Source section | Specify the source IP address of the tunnel between the switch and the access point.
Select one of the following radio buttons:
• Loopback Interface—Specifies a loopback interface as the tunnel source. The loopback interface is a software-only virtual interface that emulates an interface that is always up. Click , then select one of the following:
– Select Loopback Interface—Opens a dialog box containing loopback interfaces. Select a loopback interface and click OK.
– Create Loopback Interface—Opens the Add Loopback Interface dialog box, from which you can create a new loopback interface. See Adding a Loopback Interface.
• Port—Specifies a port as the tunnel source. Click to open the Port Selector. See Port Selector.
• SVI—Specifies an SVI as the tunnel source. Click and select one of the following:
– Select SVI Interface—Opens the Select SVI Interface dialog box and allows you to select an available SVI.
– Create SVI Interface—Opens the Adding an SVI dialog box and allows you to create an SVI.
• IP Address—Specifies an IP address as the tunnel source. Then, in the IP address field, enter the IP address of the tunnel source.
Destination section | Select one of the following radio buttons and enter the appropriate value:
• IP Address
• Hostname
Note: These radio buttons are disabled when the tunnel is configured for Point-to-Multipoint GRE encapsulation.
Mobility tab
The objects in this tab are disabled when the tunnel is configured for Point-to-Point GRE encapsulation.
Use this tunnel for mobile clients check box | Select to designate this tunnel for use by the clients that belong to the selected wireless network.
Network ID field | Single Edit Mode—Enter the network ID of the selected wireless network.
Clear Network ID list | Multiple Edit Mode—Select one of the following:
• no—Leaves previous network ID value on all selected tunnel interfaces.
• yes—Clears previous network ID value on all selected tunnel interfaces.
Allow Broadcast in the tunnel check box | Select to enable the transmission of broadcast messages on the tunnel interface.
Allow Mobile Nodes with Static IP Address check box | Select to grant client machines with static IP addresses access to the wireless network.
Snoop DHCP requests check box | Select to enable DHCP snooping, which maintains the connection between wireless client machine IDs and their corresponding IP addresses.
Keepalive tab
The objects in this tab are disabled when the tunnel is configured for Point-to-Multipoint GRE encapsulation.
Enable keepalives over the tunnel check box | Select to enable the transmission of keepalive messages on the tunnel interface.
Keepalive Period (seconds) field | Edit the amount of time that must pass before a keepalive message is sent over the tunnel interface.
Keepalive Retries field | Edit the number of keepalive messages that are sent before the tunnel is shut down.
Related Topics
• Configuring Tunnel Interfaces
• Adding a Tunnel Interface
Adding a Tunnel Interface
Procedure
Step 1
Click Switch in the task bar, click Ports in the left-most pane, then select Tunnel Interfaces from the selector.
The Tunnel Interfaces page displays all tunnel interfaces and related parameters in a table.
Step 2
Click Add, then enter the appropriate values.
GUI Element | Action
Interface tab
Tunnel Interface Number field | Enter the name of the new tunnel interface.
IP Address field | Enter the IP address of the new tunnel interface.
Mask field | Either select the appropriate mask from the list or enter a value.
Helper IP Addresses field | Specify a helper IP address for the new tunnel interface. See Selecting Helper IP Addresses.
Description field | Enter the description of the new tunnel interface.
Bandwidth (kilobits) field | Enter the amount of bandwidth (in kilobits) available to the new tunnel interface. Valid values range from 1 to 10000000.
MTU (bytes) field | Enter the maximum packet size that the new tunnel interface can handle. Valid values range from 68 to 1000000.
Admin Status list | Select the administrative status of the new tunnel interface.
Encapsulation tab
Select either the Point-to-Point GRE or Point-to-Multipoint GRE radio button.
Source/Destination tab
Source section | Specify the source IP address of the tunnel between the switch and the access point.
Select one of the following radio buttons:
• Loopback Interface—Specifies a loopback interface as the tunnel source. The loopback interface is a software-only virtual interface that emulates an interface that is always up. Click , then select one of the following:
– Select Loopback Interface—Opens a dialog box containing loopback interfaces. Select a loopback interface and click OK.
– Create Loopback Interface—Opens the Add Loopback Interface dialog box, from which you can create a new loopback interface. See Adding a Loopback Interface.
• Port—Specifies a port as the tunnel source. Click to open the Port Selector. See Port Selector.
• SVI—Specifies an SVI as the tunnel source. Click and select one of the following:
– Select SVI Interface—Opens the Select SVI Interface dialog box and allows you to select an available SVI.
– Create SVI Interface—Opens the Adding an SVI dialog box and allows you to create an SVI.
• IP Address—Specifies an IP address as the tunnel source. Then, in the IP address field, enter the IP address of the tunnel source.
Destination section | Select one of the following radio buttons and enter the appropriate value:
• IP Address
• Hostname
Note: These radio buttons are disabled when the tunnel is configured for Point-to-Multipoint GRE encapsulation.
Mobility tab
The objects in this tab are disabled when the tunnel is configured for Point-to-Point GRE encapsulation.
Use this tunnel for mobile clients check box | Select to designate this tunnel for use by the clients that belong to the new wireless network.
Network ID field | Enter the network ID of the new wireless network.
Allow Broadcast in the tunnel check box | Select to enable the transmission of broadcast messages on the tunnel interface.
Allow Mobile Nodes with Static IP Address check box | Select to grant client machines with static IP addresses access to the wireless network.
Snoop DHCP requests check box | Select to enable DHCP snooping, which maintains the connection between wireless client machine IDs and their corresponding IP addresses.
Keepalive tab
The objects in this tab are disabled when the tunnel is configured for Point-to-Multipoint GRE encapsulation.
Enable keepalives over the tunnel check box | Select to enable the transmission of keepalive messages on the tunnel interface.
Keepalive Period (seconds) field | Enter the amount of time that must pass before a keepalive message is sent over the tunnel interface.
Keepalive Retries field | Enter the number of keepalive messages that are sent before the tunnel is shut down.
Related Topics
• Configuring Tunnel Interfaces
• Editing and Restarting Tunnel Interfaces
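The value ranges and tab dependencies in the tunnel tables above lend themselves to a pre-change check of planned tunnel settings. The following is an added example, not part of DM 6500/7600 or any Cisco code; the dictionary keys and the sample tunnels are constructed for illustration.

```python
import ipaddress
from typing import Dict, List

P2P = "Point-to-Point GRE"
P2MP = "Point-to-Multipoint GRE"
SOURCE_KINDS = ("Loopback Interface", "Port", "SVI", "IP Address")
BANDWIDTH_KBITS = (1, 10000000)   # Bandwidth (kilobits) field
MTU_BYTES = (68, 1000000)         # MTU (bytes) field
# Hypothetical keys standing in for the Mobility and Keepalive tab objects.
MOBILITY_KEYS = ("mobile_clients", "network_id", "allow_broadcast",
                 "allow_static_ip_nodes", "snoop_dhcp")
KEEPALIVE_KEYS = ("keepalives", "keepalive_period", "keepalive_retries")


def _in_range(value, bounds) -> bool:
    """True for a plain integer inside the inclusive bounds."""
    return (isinstance(value, int) and not isinstance(value, bool)
            and bounds[0] <= value <= bounds[1])


def _is_ip(value) -> bool:
    """True when value is a string holding a valid IPv4 or IPv6 address."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_tunnel(cfg: Dict) -> List[str]:
    """Check planned tunnel values against the documented ranges and tab rules."""
    errors = []
    encap = cfg.get("encapsulation")
    if encap not in (P2P, P2MP):
        errors.append(f"encapsulation must be {P2P!r} or {P2MP!r}")
    try:
        ipaddress.ip_interface(f"{cfg.get('ip_address')}/{cfg.get('mask')}")
    except ValueError:
        errors.append("IP address and mask do not form a valid interface address")
    for helper in cfg.get("helper_addresses", []):
        if not _is_ip(helper):
            errors.append(f"helper IP address {helper!r} is not valid")
    if not _in_range(cfg.get("bandwidth_kbits"), BANDWIDTH_KBITS):
        errors.append("bandwidth must be 1 to 10000000 kilobits")
    if not _in_range(cfg.get("mtu_bytes"), MTU_BYTES):
        errors.append("MTU must be 68 to 1000000 bytes")
    kind, value = cfg.get("source", (None, None))
    if kind not in SOURCE_KINDS:
        errors.append(f"source must be one of {', '.join(SOURCE_KINDS)}")
    elif kind == "IP Address" and not _is_ip(value):
        errors.append(f"source IP address {value!r} is not valid")
    if encap == P2MP:
        # Destination and the Keepalive tab are disabled for point-to-multipoint.
        if cfg.get("destination"):
            errors.append(f"destination is disabled for {P2MP}")
        errors += [f"{key} is a Keepalive tab object, disabled for {P2MP}"
                   for key in KEEPALIVE_KEYS if cfg.get(key)]
    if encap == P2P:
        # The Mobility tab is disabled for point-to-point.
        errors += [f"{key} is a Mobility tab object, disabled for {P2P}"
                   for key in MOBILITY_KEYS if cfg.get(key)]
    return errors


# Constructed samples, not taken from a real device.
GOOD_P2P = {
    "encapsulation": P2P, "ip_address": "10.10.0.1", "mask": "255.255.255.252",
    "helper_addresses": ["192.0.2.53"], "bandwidth_kbits": 100000, "mtu_bytes": 1476,
    "source": ("Loopback Interface", "loopback 0"), "destination": "198.51.100.7",
    "keepalives": True, "keepalive_period": 10, "keepalive_retries": 3,
}
BAD_P2MP = {
    "encapsulation": P2MP, "ip_address": "10.20.0.1", "mask": "255.255.0.255",
    "bandwidth_kbits": 0, "mtu_bytes": 64, "source": ("IP Address", "192.0.2.300"),
    "destination": "198.51.100.7", "keepalives": True,
    "mobile_clients": True, "network_id": 10, "snoop_dhcp": True,
}

if __name__ == "__main__":
    for label, cfg in (("GOOD_P2P", GOOD_P2P), ("BAD_P2MP", BAD_P2MP)):
        print(label, validate_tunnel(cfg) or "no errors")
```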
Configuring Loopback Interfaces
A loopback interface is a virtual interface that allows Border Gateway Protocol (BGP) and remote source-route bridging (RSRB) sessions to stay up even if the outbound interface is down. You can use the loopback interface as the termination address for BGP sessions, for RSRB connections, or to establish a Telnet session from the device's console to its auxiliary port when all other interfaces are down.
To view the loopback interfaces configured on the switch, click Switch in the task bar, click Ports in the left-most pane, then select Loopback Interfaces from the selector.
The Loopback Interfaces page displays general information about each loopback interface.
Column | Description
Name | Name of the loopback interface.
Description | Description of the loopback interface.
IP Address/Mask | IP address and subnet mask of the loopback interface.
Helper IP Addresses | Helper IP addresses associated with the loopback interface.
Admin Status | Current administrative status of the loopback interface.
Oper Status | Current operational status of the loopback interface.
Note
All columns are sortable.
Editing and Restarting Loopback Interfaces
Procedure
Step 1
Click Switch in the task bar, click Ports in the left-most pane, then select Loopback Interfaces from the selector. The Loopback Interfaces page displays all loopback interfaces and related parameters in a table.
Step 2
Select the interface to edit from the table. To select multiple interfaces, press the Ctrl key as you select each interface to edit.
Step 3
Click Edit to edit loopback interface settings. The Edit Loopback Interface or the Edit Multiple Ports dialog box appears.
Edit the appropriate values:
GUI Element | Description/Action
Loopback Interface field | Single Edit Mode—Name of the selected loopback interface. This field cannot be edited.
Name field | Multiple Edit Mode—Names of the selected loopback interfaces. This field cannot be edited.
Description field | Edit the description of the selected loopback interfaces.
IP Address field | Single Edit Mode—Edit the IP address of the selected loopback interface.
Mask list | Single Edit Mode—Either select the appropriate mask from the list or enter a value.
Helper IP Addresses field | Single Edit Mode—Specify a helper IP address for the selected loopback interface. See Selecting Helper IP Addresses.
Admin Status list | Edit the administrative status of the selected loopback interfaces.
Clear IP Address list | Multiple Edit Mode—Select one of the following:
• no—Leaves previous IP address value on all selected interfaces.
• yes—Clears previous IP address value on all selected interfaces.
Clear Helper Addresses list | Multiple Edit Mode—Select one of the following:
• no—Leaves previous IP address values on all selected interfaces.
• yes—Clears previous IP address values on all selected interfaces.
Related Topics
• Configuring Loopback Interfaces
• Adding a Loopback Interface
Adding a Loopback Interface
Procedure
Step 1
Click Switch in the task bar, click Ports in the left-most pane, then select Loopback Interfaces from the selector. The Loopback Interfaces page displays all loopback interfaces and related parameters in a table.
Step 2
Click Add.
Step 3
Enter the appropriate values:
GUI Element | Action
Loopback Interface Number field | Enter the name of the new loopback interface.
Description field | Enter a description of the new loopback interface.
IP Address field | Enter the IP address of the new loopback interface.
Mask list | Either select the appropriate mask from the list or enter a value.
Helper IP Addresses field | Specify a helper IP address for the new loopback interface. See Selecting Helper IP Addresses.
Admin Status list | Select the appropriate administrative status from the list.
Related Topics
• Configuring Loopback Interfaces
• Editing and Restarting Loopback Interfaces
Viewing Other Interfaces
To view all other ports and interfaces on your device that are not access, routed, trunk, SVI, or non-Ethernet, click Switch in the task bar, click Ports in the left-most pane, then select Other Interfaces from the selector. These interfaces are not configurable through DM 6500/7600.
The following information is displayed in a table.
Column | Description
Name | Name of interface.
Description | Enter a description of the interface to help you remember its function.
Admin Status | Administrative status of the interface, either up or down.
Oper Status | Line protocol status of the port (whether or not port is passing packets).
Mode | Configuration mode.
Hardware Type | Hardware configuration type.
With a port or interface selected, the Details pane displays the information listed in the previous table as fields. It also displays the following information.
Field | Description
IP Address | IP address configured for the port or interface.
Mask | Network mask for the port or interface.
Helper IP Addresses | Helper IP address configured for the port or interface. A helper IP address converts the DHCP requests from broadcast to unicast directed to the DHCP server.
Understanding Interface Ranges
The Interface Ranges feature allows you to name and customize a view so that only the ports/interfaces that you have selected are displayed. Before you begin to use the Interface Ranges feature, you must define a macro. A macro is a range of interfaces that you select and define. The Interface Ranges page lists the macros that you create.
Click Switch in the task bar, click Ports in the left-most pane, then select Interface Ranges from the selector.
The Interface Ranges page displays all interface ranges with the following information.
Column | Description
Name | Interface range (macro) name.
Interfaces | List of interfaces belonging to the interface range.
Related Topics
• Adding Interface Ranges
• Viewing Interface Range Details
Adding Interface Ranges
Procedure
Step 1
Click Switch in the task bar, click Ports in the left-most pane, then select Interface Ranges from the selector.
Step 2
Click Add under the Interface Ranges table.
Step 3
Enter the name of the interface range to create in the Interface Range Name field.
Step 4
Use the Port Selector to select ports to add to the interface range. See Port Selector.
Note
Only Ethernet-type ports and SVIs can be added.
Step 5
(Optional) From the Switched Virtual Interfaces field, click
, then select the VLAN interfaces to add to the interface range. See Switched Virtual Interface Selector.
Step 6
Click OK.
Related Topics
• Understanding Interface Ranges
• Editing Interface Ranges
• Viewing Interface Range Details
• Editing Ports/Interfaces Within an Interface Range
Switched Virtual Interface Selector
This dialog box appears after you click the button in the Switched Virtual Interfaces field when adding or editing an interface range. A list of all switched virtual interfaces is displayed in a table.
Step 1
Select an interface to add to the interface range. To add multiple interfaces, press the Ctrl key as you select each interface to add.
Step 2
Click OK.
Related Topics
•
Adding Interface Ranges
•
Editing Interface Ranges
Editing Interface Ranges
Procedure
Step 1
Click Switch in the task bar, click Ports in the left-most pane, then select Interface Ranges from the selector.
Step 2
With an interface range selected, click Edit under the Interface Ranges table.
Step 3
Use the Port Selector to add or remove ports from the selected interface range. See Port Selector.
Note
Only Ethernet-type ports and SVIs can be added.
Step 4
(Optional) From the Switched Virtual Interfaces field, click the button, then select the VLAN interfaces to add to the interface range. See Switched Virtual Interface Selector.
Step 5
Click OK.
Related Topics
•
Understanding Interface Ranges
•
Adding Interface Ranges
•
Viewing Interface Range Details
•
Editing Ports/Interfaces Within an Interface Range
Viewing Interface Range Details
You can view all interfaces or view information about the specific interfaces that belong to an interface range.
Step 1
Click Switch in the task bar, click Ports in the left-most pane, then select Interface Ranges from the selector.
Step 2
Expand the Interface Ranges folder, then select an interface range.
The Interface Range: Macro page displays the following:
•
Interfaces table—Shows general information about each interface.
Column | Description
Name | Interface type and the number of the connector or interface card. For example, fastethernet 5/1 means Fast Ethernet, slot 5, interface 1.
Description | Description of the interface.
Admin Status | Administrative status of the interface, either up or down.
Oper Status | Line protocol status of the port (whether or not the port is passing packets).
Mode | Type of port (access, routed, or trunk).
Hardware Type | Hardware configuration type.
•
Details pane—Shows detailed information about a single selected port/interface. When multiple ports/interfaces are selected, the Details pane will not show any values. For descriptions of each field, see the appropriate sections:
–
Editing and Restarting Access Ports
–
Editing and Restarting Trunk Ports
–
Editing and Restarting Routed Ports
–
Editing and Restarting SVIs
Related Topics
•
Understanding Interface Ranges
•
Adding Interface Ranges
•
Editing Interface Ranges
•
Editing Ports/Interfaces Within an Interface Range
Editing Ports/Interfaces Within an Interface Range
Step 1
Click Switch in the task bar, click Ports in the left-most pane, then select Interface Ranges from the selector.
Step 2
Expand the Interface Ranges folder.
Step 3
Select an interface range. The Interface Range: Macro page is displayed.
Step 4
Select the port/interface to edit.
Step 5
Click Edit. Edit the appropriate values. For more information on the fields specific to the port/interface you selected, see the appropriate sections:
•
Editing and Restarting Access Ports
•
Editing and Restarting Trunk Ports
•
Editing and Restarting Routed Ports
•
Editing and Restarting SVIs
Related Topics
•
Understanding Interface Ranges
•
Adding Interface Ranges
•
Editing Interface Ranges
•
Viewing Interface Range Details
VLAN and VTP Management (Switch > VLANs)
DM 6500/7600 provides comprehensive Virtual LAN (VLAN) configuration, VLAN port assignment, and VLAN Trunking Protocol (VTP) domain management.
VLANs are groups of devices on one or more LANs that are configured to communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments.
VTP is a Layer 2 messaging protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis. When you configure a new VLAN on one VTP server, the VLAN is distributed through all switches in the domain, which reduces the need to configure the same VLAN everywhere.
For more information about configuring VLANs, see the relevant section in Catalyst 6500 Family IOS Software Configuration Guide.
Topics in this section contain information about:
•
Configuring VLANs
•
Configuring Layer 2 VLANs
•
Configuring Layer 3 VLANs
•
Deleting VLANs
•
Viewing Service VLANs
•
Configuring VTP Information
Configuring VLANs
You can view information about all VLANs on the device.
Click Switch in the task bar, click VLANs in the left-most pane, then select VLANs from the selector to display the VLANs page (see Figure 14-8).
Figure 14-8 VLAN Page
This page provides a table displaying the following information:
Column | Description
VLAN ID | Number (ID) of the VLAN.
Name | Name of the VLAN.
Status | Status (active or suspend) of the VLAN.
Type | Type of VLAN (Layer 2 or Layer 3). You create a Layer 3 VLAN when you configure an SVI on a VLAN for inter-VLAN routing.
Access Ports | Number of access ports assigned to the VLAN.
Trunk Ports | Number of trunk ports the VLAN is allowed on.
Media | Type of VLAN.
Note
This page displays information for all VLANs; however, DM 6500/7600 supports only Ethernet and nonprivate VLANs.
From the main VLANs page, you can access functions to do the following:
•
Create or edit an Ethernet VLAN from the VLAN Setup wizard. See Creating and Configuring a VLAN Using the VLAN Wizard.
•
Create a single Ethernet VLAN. See Creating a Single Ethernet VLAN.
•
Create multiple Ethernet VLANs. See Creating Multiple Ethernet VLANs.
•
Edit a single Ethernet VLAN. See Editing Ethernet VLANs.
•
Delete an Ethernet VLAN. See Deleting VLANs.
Related Topics
•
Configuring Layer 2 VLANs
•
Configuring Layer 3 VLANs
•
Viewing Service VLANs
•
Configuring VTP Information
Creating and Configuring a VLAN Using the VLAN Wizard
You can use the VLAN Setup wizard to create a VLAN. The wizard will walk you through access and trunk port assignment, spanning tree configuration, and Switched Virtual Interface (SVI) creation for Layer 3 VLANs. The wizard shows appropriate default values based on Cisco recommended best practice configurations.
Procedure
Step 1
Click Switch in the task bar, click VLANs in the left-most pane, then select VLANs from the selector. The VLANs page appears.
Step 2
Click Setup Wizard.
Creating a VLAN
In Step 1 of the VLAN Setup wizard, you configure VLAN information, including SVI details and spanning tree information, for a new or existing VLAN by defining the following fields.
GUI Element | Action/Description
VLAN Creation pane
VLAN ID field | Specify the number (ID) of the VLAN. Click to open the Enter VLAN dialog box. See Enter VLAN Dialog Box.
VLAN Name field | Specify the name of the VLAN.
Status list | Select the state (active or suspend) of the VLAN.
Media Type field | Type (ethernet) of VLAN. You cannot edit this field.
SVI pane
SVI check box | Select this check box to create an SVI, which makes this a Layer 3 VLAN for inter-VLAN routing.
Description field | Brief description of the SVI.
Admin Status list | Select the admin status (up or down).
IP Address field | Enter the IP address of the SVI.
Mask list/field | Specify the subnet mask address of the SVI. Select a value from the list or enter a value in the field.
Spanning Tree Configuration pane
State list | Select the state (enabled or disabled) of STP on the VLAN.
Configure this Switch as Root check list | Specify if you want to make this the root switch (yes or no).
Note
To create a Layer 3 VLAN, configure an SVI for this VLAN; to create a Layer 2 VLAN, do not configure an SVI.
Enter VLAN Dialog Box
GUI Element | Action/Description
VLAN ID field | Enter the number (ID) of the VLAN.
Note
You cannot create a VLAN while VTP is in client mode. See Editing VTP Information.
Assigning Access Ports to the VLAN
In Step 2 of the VLAN Setup wizard, you can assign access ports to the VLAN. This page provides the Port Selector. See Port Selector.
Note
All ports selected from the Port Selector will become access ports.
Assigning Trunk Ports to the VLAN
In Step 3 of the VLAN Setup wizard, you can specify trunk ports on which the VLAN is allowed. This page provides the Port Selector. See Port Selector.
Note
All ports selected from the Port Selector will become trunk ports.
VLAN Summary
The VLAN summary page of the wizard shows you the information that you entered.
Click OK, then click Save.
Creating a Single Ethernet VLAN
Note
You cannot create a VLAN while VTP is in client mode. See Editing VTP Information.
Procedure
Step 1
Click Switch in the task bar, click VLANs in the left-most pane, then select VLANs from the selector.
Step 2
Click Add, then select Single VLAN. The Add VLAN dialog box appears.
Step 3
Edit the appropriate values.
GUI Element | Action/Description
VLAN ID field | Specify the number (ID) of the VLAN. Click to open the Enter VLAN dialog box. See Enter VLAN Dialog Box.
VLAN Name field | Specify the name of the VLAN.
Status list | Select the status (active or suspend) of the VLAN.
Media Type field | Type (ethernet) of VLAN. You cannot edit this field.
Access Ports field | Specify the access ports assigned to this VLAN. Click to open the Port Selector dialog box. See Port Selector. Note: All ports selected from the Port Selector will become access ports.
Trunk Ports field | Specify the trunk ports the VLAN is allowed on. Click to open the Port Selector dialog box. See Port Selector. Note: All ports selected from the Port Selector will become trunk ports.
SVI pane
SVI check box | Select this check box to create an SVI, which makes this a Layer 3 VLAN for inter-VLAN routing.
Description field | Enter a brief description of the SVI.
Admin Status list | Select the admin status (up or down) of the SVI.
IP Address field | Enter the IP address of the SVI.
Mask list/field | Specify the subnet mask address of the SVI. Select a value from the list or enter a value in the field.
Note
To create a Layer 3 VLAN, configure an SVI for this VLAN; to create a Layer 2 VLAN, do not configure an SVI.
Step 4
Click OK, then click Save.
Related Topics
•
Creating and Configuring a VLAN Using the VLAN Wizard
•
Creating Multiple Ethernet VLANs
•
Editing Ethernet VLANs
Creating Multiple Ethernet VLANs
Note
You cannot create a VLAN while VTP is in client mode. See Editing VTP Information.
Procedure
Step 1
Click Switch in the task bar, click VLANs in the left-most pane, then select VLANs from the selector.
Step 2
Click Add, then select Multiple VLANs. The Add Multiple VLANs dialog box appears.
Step 3
Edit the appropriate values.
GUI Element | Action/Description
VLANs field | Enter the range of values (VLAN numbers) of the VLANs to be created. Click to open the Enter VLAN Range dialog box. See Enter VLAN Range Dialog Box.
Media Type field | Type (ethernet) of VLAN. You cannot edit this field.
Status list | Select the status (active or suspend) of the VLANs. The status is applied to all VLANs in the range you specified.
Assign Ports and Configure SVI table
VLAN ID column | Number (ID) of the VLAN. You cannot edit this field.
Name column | Double-click the entry in the Name column and enter the name of the VLAN.
Access Ports column | Displays the access ports assigned to this VLAN. You can assign access ports to this VLAN. In the Access Ports column, click to open the Port Selector dialog box. See Port Selector. Note: All ports selected from the Port Selector will become access ports.
All Trunk Ports column | A check mark in this column indicates that the VLAN is allowed on all trunk ports. To specify assigned trunk ports, click the Edit Trunk Ports button.
Selected Trunk Ports column | Specifies on which trunk ports the VLAN is allowed if the VLAN is not allowed on every trunk port. If the VLAN is allowed on every trunk port (if a check mark appears in the All Trunk Ports column), the Selected Trunk Ports column is not populated with any data. To specify assigned trunk ports to a VLAN, select the corresponding row in the table and click the Edit Trunk Ports button.
IP Address column | Double-click the entry in the IP address sub-column and enter the IP address of the SVI.
Mask column | Double-click the entry in the Mask sub-column and specify the subnet mask address of the SVI. Select a value from the list or enter a value in the field. The Admin Status is set to up for the SVI you create. Note: If you enter an IP address and subnet mask, an SVI is created to make this a Layer 3 VLAN. If you do not enter any values, an SVI is not created and the VLAN that is created is a Layer 2 VLAN.
Edit Trunk Ports button | Click to select the trunk ports the VLAN is allowed on. Click Edit Trunk Ports to open the Port Selector dialog box. See Port Selector. Note: All ports selected from the Port Selector will become trunk ports.
Note
To create Layer 3 VLANs, configure an SVI for these VLANs; to create Layer 2 VLANs, do not configure an SVI.
Step 4
Click OK, then click Save.
Enter VLAN Range Dialog Box
GUI Element | Action/Description
VLAN Range field | Enter the values (IDs) of VLANs. For example, to create VLAN 96, 100, 101, and 102, enter: 96, 100-102.
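The range syntax accepted by the Enter VLAN Range dialog box, combined with the VTP client-mode restriction noted earlier in this section, as an added Python example for reviewing a bulk VLAN change before it is entered (not part of DM 6500/7600 or the original guide). The 1-4094 bound, the predefined IDs 1 and 1002-1005, and all function names are assumptions based on general Cisco IOS behavior, not taken from this page.

```python
import re

# Assumptions (not stated on this page): Ethernet VLAN IDs run 1-4094, and
# IDs 1 and 1002-1005 are IOS defaults that already exist on the switch.
MIN_VLAN, MAX_VLAN = 1, 4094
PREDEFINED = {1, 1002, 1003, 1004, 1005}

# One entry is either a single ID ("96") or an inclusive range ("100-102").
_ENTRY = re.compile(r"(\d+)(?:\s*-\s*(\d+))?", re.ASCII)


class VlanRangeError(ValueError):
    """Raised when the request is malformed or cannot be carried out."""


def parse_vlan_range(text):
    """Expand a string such as '96, 100-102' into sorted, unique VLAN IDs."""
    ids = set()
    for token in text.split(","):
        token = token.strip()
        match = _ENTRY.fullmatch(token)
        if match is None:
            raise VlanRangeError("not a VLAN ID or range: %r" % token)
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high:
            raise VlanRangeError("descending range: %r" % token)
        if low < MIN_VLAN or high > MAX_VLAN:
            raise VlanRangeError(
                "outside %d-%d: %r" % (MIN_VLAN, MAX_VLAN, token))
        ids.update(range(low, high + 1))
    return sorted(ids)


def plan_creation(text, vtp_mode, existing):
    """Split a requested range into IDs to create and IDs to skip.

    vtp_mode is the Mode value shown on the VTP page (client, server, or
    transparent); existing is the set of VLAN IDs already on the switch.
    Returns (to_create, skipped) where skipped maps each ID to a reason.
    """
    if vtp_mode.strip().lower() == "client":
        # The page states that VLANs cannot be created in VTP client mode.
        raise VlanRangeError("VTP is in client mode; VLANs cannot be created")
    to_create, skipped = [], {}
    for vid in parse_vlan_range(text):
        if vid in PREDEFINED:
            skipped[vid] = "predefined default VLAN"
        elif vid in existing:
            skipped[vid] = "already exists"
        else:
            to_create.append(vid)
    return to_create, skipped


if __name__ == "__main__":
    # Constructed sample: the page's own range plus one default and one
    # already-present VLAN, on a switch running as VTP server.
    create, skip = plan_creation("1, 96, 100-102", "server", {100})
    print("create:", create)
    for vid, reason in sorted(skip.items()):
        print("skip %d: %s" % (vid, reason))
```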
Related Topics
•
Creating and Configuring a VLAN Using the VLAN Wizard
•
Creating a Single Ethernet VLAN
•
Editing Ethernet VLANs
Editing Ethernet VLANs
Procedure
Note
You can edit only Ethernet VLANs.
Step 1
Click Switch in the task bar, click VLANs in the left-most pane, then select VLANs from the selector.
Step 2
From the table, select the VLAN to edit.
Step 3
Click Edit or double-click the VLAN, then edit the appropriate values.
GUI Element | Action/Description
VLAN ID field | Number (ID) of the VLAN. You cannot edit this field.
VLAN Name field | Enter the name of the VLAN.
Status list | Select the status (enable or suspend) of the VLAN.
Type list | Select the VLAN type (Layer 2 VLAN or Layer 3 VLAN). If you change a Layer 2 VLAN to a Layer 3 VLAN, an SVI is created for the Layer 3 VLAN. If you change a Layer 3 VLAN to a Layer 2 VLAN, the SVI for the Layer 3 VLAN is removed.
Step 4
Click OK, then click Save.
Related Topics
•
Creating and Configuring a VLAN Using the VLAN Wizard
•
Creating a Single Ethernet VLAN
•
Creating Multiple Ethernet VLANs
Configuring Layer 2 VLANs
You can view information about your Layer 2 VLANs.
Click Switch in the task bar, click VLANs in the left-most pane, then select VLANs > Layer 2 VLANs from the selector.
The Layer 2 VLANs page displays the following information:
Column | Description
VLAN ID | Number (ID) of the VLAN.
Name | Name of the VLAN.
Status | Status (active or suspend) of the VLAN.
Access Ports | Access ports assigned to the VLAN.
Trunk Ports | Trunk ports the VLAN is allowed on.
Note
The Layer 2 VLANs page displays Ethernet and nonprivate VLANs.
From this page, you can access functions to do the following:
•
Create a single Layer 2 Ethernet VLAN. See Creating a Single Layer 2 Ethernet VLAN.
•
Create multiple Layer 2 Ethernet VLANs. See Creating Multiple Layer 2 Ethernet VLANs.
•
Edit a single Layer 2 Ethernet VLAN. See Editing Layer 2 Ethernet VLANs.
•
Delete a Layer 2 Ethernet VLAN. See Deleting VLANs.
Related Topics
•
Configuring VLANs
•
Configuring Layer 3 VLANs
•
Viewing Service VLANs
•
Configuring VTP Information
Creating a Single Layer 2 Ethernet VLAN
Procedure
Step 1
Click Switch in the task bar, click VLANs in the left-most pane, then select VLANs > Layer 2 VLANs from the selector.
Step 2
Click Add, select Single VLAN, then edit the appropriate values.
GUI Element | Action/Description
VLAN ID field | Specify the number (ID) of the VLAN. Click to open the Enter VLAN dialog box. See Enter VLAN Dialog Box.
VLAN Name field | Specify the name of the VLAN.
Status list | Select the status (active or suspend) of the VLAN.
Media Type field | Type (Ethernet) of VLAN. You cannot edit this field.
Access Ports field | Specify the access ports assigned to this VLAN. Click to open the Port Selector dialog box. See Port Selector. Note: All ports selected from the Port Selector will become access ports.
Trunk Ports field | Specify the trunk ports the VLAN is allowed on. Click to open the Port Selector dialog box. See Port Selector. Note: All ports selected from the Port Selector will become trunk ports.
Step 3
Click OK, then click Save.
Related Topics
•
Creating Multiple Layer 2 Ethernet VLANs
•
Editing Layer 2 Ethernet VLANs
Creating Multiple Layer 2 Ethernet VLANs
Procedure
Step 1
Click Switch in the task bar, click VLANs in the left-most pane, then select VLANs > Layer 2 VLANs from the selector.
Step 2
Click Add, select Multiple VLANs, then edit the appropriate values.
GUI Element | Action/Description
VLANs field | Enter the range of values (VLAN numbers) of the VLANs to be created. Click to open the Enter VLAN Range dialog box. See Enter VLAN Range Dialog Box.
Media Type field | Type (Ethernet) of VLAN. You cannot edit this field.
Status list | Select the status (active or suspend) of the VLANs. The status is applied to all VLANs in the range you specified.
Assign Ports table
VLAN ID column | Number (ID) of the VLAN. You cannot edit this field.
Name column | Double-click the entry in the Name column and enter the name of the VLAN.
Access Ports column | Specify the access ports assigned to this VLAN. In the Access Ports column, click to open the Port Selector dialog box. See Port Selector. Note: All ports selected from the Port Selector will become access ports.
Allowed on column | Contains the following sub-columns. All Trunk Ports: A check mark in this column indicates that the VLAN is allowed on all trunk ports. To specify assigned trunk ports, click the Edit Trunk Ports button. Selected Trunk Ports: Specifies on which trunk ports the VLAN is allowed if the VLAN is not allowed on every trunk port. If the VLAN is allowed on every trunk port (if a check mark appears in the All Trunk Ports column), the Selected Trunk Ports column is not populated with any data. To specify assigned trunk ports to a VLAN, select the corresponding row in the table and click the Edit Trunk Ports button.
Edit Trunk Ports button | Specify the trunk ports the VLAN is allowed on. Click Edit Trunk Ports to open the Port Selector dialog box. For more information, see Port Selector. Note: All ports selected from the Port Selector will become trunk ports.
Step 3
Click OK, then click Save.
Related Topics
•
Creating a Single Layer 2 Ethernet VLAN
•
Editing Layer 2 Ethernet VLANs
Editing Layer 2 Ethernet VLANs
Procedure
Note
You can edit only Ethernet VLANs.
Step 1
Click Switch in the task bar, click VLANs in the left-most pane, then select VLANs > Layer 2 VLANs from the selector.
Step 2
From the table, select the Layer 2 VLAN to edit.
Step 3
Click Edit or double-click the VLAN. The Edit Layer 2 VLAN dialog box appears.
Step 4
Edit the appropriate values.
GUI Element | Action/Description
VLAN ID field | Number (ID) of the VLAN. You cannot edit this field.
VLAN Name field | Enter the name of the VLAN.
Status list | Select the status (active or suspend) of the VLAN.
Media Type field | Type (ethernet) of VLAN. You cannot edit this field.
Access Ports field | Specify the access ports assigned to the Layer 2 VLAN. Click to open the Port Selector dialog box. See Port Selector. Note: All ports selected from the Port Selector will become access ports.
Trunk Ports field | Specify the trunk ports the Layer 2 VLAN is allowed on. Click to open the Port Selector dialog box. See Port Selector. Note: All ports selected from the Port Selector will become trunk ports.
Step 5
Click OK, then click Save.
Related Topics
•
Creating a Single Layer 2 Ethernet VLAN
•
Creating Multiple Layer 2 Ethernet VLANs
Configuring Layer 3 VLANs
You can view information about your Layer 3 VLANs.
Click Switch in the task bar, click VLANs in the left-most pane, then select VLANs > Layer 3 VLANs from the selector.
The Layer 3 VLANs page displays the following information:
GUI Element | Action/Description
VLAN ID | Number (ID) of the VLAN.
Name | Name of the VLAN.
Status | Status (active or suspend) of the VLAN.
Access Ports | Number of access ports assigned to the VLAN.
Trunk Ports | Number of trunk ports the VLAN is allowed on.
IP Address | IP address of the VLAN interface.
Mask | Subnet mask of the VLAN interface.
Note
The Layer 3 VLANs page displays Ethernet and nonprivate VLANs and the IP address and subnet mask address of existing SVIs.
From this page, you can access functions to do the following:
•
Create a single Layer 3 Ethernet VLAN. See Creating a Single Layer 3 Ethernet VLAN.
•
Create multiple Layer 3 Ethernet VLANs. See Creating Multiple Layer 3 Ethernet VLANs.
•
Edit a single Layer 3 Ethernet VLAN. See Editing Layer 3 Ethernet VLANs.
•
Delete a Layer 3 Ethernet VLAN. See Deleting VLANs.
Related Topics
•
Configuring VLANs
•
Configuring Layer 2 VLANs
•
Deleting VLANs
•
Viewing Service VLANs
•
Configuring VTP Information
Creating a Single Layer 3 Ethernet VLAN
Procedure
Step 1
Click Switch in the task bar, click VLANs in the left-most pane, then select VLANs > Layer 3 VLANs from the selector.
Step 2
Click Add, select Single VLAN, then edit the appropriate values.
GUI Element | Action/Description
VLAN ID field | Specify the number (ID) of the VLAN. Click to open the Enter VLAN dialog box. See Enter VLAN Dialog Box.
VLAN Name field | Specify the name of the VLAN.
Status list | Select the status (active or suspend) of the VLAN.
Media Type field | Type (ethernet) of VLAN. You cannot edit this field.
Access Ports field | Specify the access ports assigned to this VLAN. Click to open the Port Selector dialog box. See Port Selector. Note: All ports selected from the Port Selector will become access ports.
Trunk Ports field | Specify the trunk ports the VLAN is allowed on. Click to open the Port Selector dialog box. See Port Selector. Note: All ports selected from the Port Selector will become trunk ports.
SVI pane
SVI check box | Select this check box to create an SVI, which makes this a Layer 3 VLAN for inter-VLAN routing.
Description field | Enter a brief description of the SVI.
Admin Status list | Select the admin status (up or down) of the SVI.
IP Address field | Enter the IP address of the SVI.
Mask list/field | Specify the subnet mask address of the SVI. Select a value from the list or enter a value in the field.
Step 3
Click OK, then click Save.
Related Topics
•
Creating Multiple Layer 3 Ethernet VLANs
•
Editing Layer 3 Ethernet VLANs
Creating Multiple Layer 3 Ethernet VLANs
Procedure
Step 1
Click Switch in the task bar, click VLANs in the left-most pane, then select VLANs > Layer 3 VLANs from the selector.
Step 2
Click Add, select Multiple VLANs, then edit the appropriate values.
GUI Element | Action/Description
VLANs field | Enter the range of values (VLAN numbers) of the VLANs to be created. Click to open the Enter VLAN Range dialog box. See Enter VLAN Range Dialog Box.
Media Type field | Type (ethernet) of VLAN. You cannot edit this field.
Status list | Select the status (active or suspend) of the VLANs. The status is applied to all VLANs in the range you specified.
Assign Ports and Configure SVI table
VLAN ID column | Number (ID) of the VLAN. You cannot edit this field.
Name column | Double-click the entry in the Name column and enter the name of the VLAN.
Access Ports column | Specify the access ports assigned to this VLAN. In the Access Ports column, click to open the Port Selector dialog box. See Port Selector. Note: All ports selected from the Port Selector will become access ports.
Allowed on column | Contains the following sub-columns. All Trunk Ports: A check mark in this column indicates that the VLAN is allowed on all trunk ports. To specify assigned trunk ports, click the Edit Trunk Ports button. Selected Trunk Ports: Specifies on which trunk ports the VLAN is allowed if the VLAN is not allowed on every trunk port. If the VLAN is allowed on every trunk port (if a check mark appears in the All Trunk Ports column), the Selected Trunk Ports column is not populated with any data. To specify assigned trunk ports to a VLAN, select the corresponding row in the table and click the Edit Trunk Ports button.
SVI Details column | Contains the following sub-columns. IP Address: Double-click the entry in the IP address sub-column and enter the IP address of the SVI. Mask: Double-click the entry in the Mask sub-column and specify the subnet mask address of the SVI. Select a value from the list or enter a value in the field. The Admin Status is set to up for the SVI you create. Note: Even if you do not enter values for these sub-columns, an SVI is created to make all the VLANs in the specified range Layer 3 VLANs. If you specify these values, an SVI is created with the IP address and subnet mask address you entered.
Edit Trunk Ports button | Specify the trunk ports the VLAN is allowed on. Click Edit Trunk Ports to open the Port Selector dialog box. See Port Selector. Note: All ports selected from the Port Selector will become trunk ports.
Step 3
Click OK, then click Save.
Related Topics
•
Creating a Single Layer 3 Ethernet VLAN
•
Editing Layer 3 Ethernet VLANs
Editing Layer 3 Ethernet VLANs
Procedure
Step 1
Click Switch in the task bar, click VLANs in the left-most pane, then select VLANs > Layer 3 VLANs from the selector.
Step 2
From the table, select the Layer 3 VLAN to edit.
Step 3
Click Edit or double-click the VLAN. The Edit Layer 3 VLAN dialog box appears.
Step 4
Edit the appropriate values.
GUI Element | Action/Description
VLAN ID field | Number (ID) of the VLAN. You cannot edit this field.
VLAN Name field | Enter the name of the VLAN.
Status list | Select the status (active or suspend) of the VLAN.
Media Type field | Type (ethernet) of VLAN. You cannot edit this field.
Access Ports field | Specify the access ports assigned to this Layer 3 VLAN. Click to open the Port Selector dialog box. See Port Selector. Note: All ports selected from the Port Selector will become access ports.
Trunk Ports field | Specify the trunk ports the Layer 3 VLAN is allowed on. Click to open the Port Selector dialog box. See Port Selector. Note: All ports selected from the Port Selector will become trunk ports.
SVI Details pane
Description field | Enter a brief description of the SVI.
Admin Status list | Select the admin status (up or down) of the SVI.
IP Address field | Enter the IP address of the SVI.
Mask field/list | Specify the subnet mask address of the SVI. Select a value from the list or enter a value in the field.
Step 5
Click OK, then click Save.
Related Topics
•
Creating a Single Layer 3 Ethernet VLAN
•
Creating Multiple Layer 3 Ethernet VLANs
Deleting VLANs
Procedure
Step 1
Click Switch in the task bar, click VLANs in the left-most pane, then select one of the following:
•
VLANs
•
VLANs > Layer 2 VLANs
•
VLANs > Layer 3 VLANs
Step 2
From the table, select the VLAN to delete.
Step 3
Click Delete, then click Yes when you are prompted to confirm the deletion.
Related Topics
•
Configuring VLANs
•
Configuring Layer 2 VLANs
•
Configuring Layer 3 VLANs
Viewing Service VLANs
Service VLANs are VLANs assigned to service modules, such as CVDM-SSLSM and Firewall modules. You can view details about your service VLANs.
Click Switch in the task bar, click VLANs in the left-most pane, then select VLANs > Service VLANs from the selector.
The Service VLANs page displays the following information:
Column | Description
VLAN ID | Number (ID) of the VLAN.
Name | Name of the VLAN.
Services | Service modules on which the VLAN is configured.
Related Topics
•
Configuring VLANs
•
Configuring Layer 2 VLANs
•
Configuring Layer 3 VLANs
•
Configuring VTP Information
Configuring VTP Information
You can view details about your VTP.
Click Switch in the task bar, click VLANs in the left-most pane, then select VTP from the selector.
The VLAN Trunking Protocol (VTP) page displays the following information:
Field | Description
Mode | Mode in which the VTP is running (client, server, or transparent). VTP client maintains a list of all VLANs but cannot add, delete, or rename VLANs. VTP server maintains a list of all VLANs and can add, delete, and rename VLANs.
Domain Name | Domain name of the VTP.
Password | Your VTP password.
V2 Mode | VTP version (V1 or V2). If you are using Token Ring VLANs, use V2 VTPs; otherwise, you can use V1 or V2 VTPs.
Pruning | When enabled, eliminates any unnecessary traffic created and broadcast by VTP.
From this page, you can edit your VTP information. See Editing VTP Information.
For more information about configuring VTP, see the relevant section in Catalyst 6500 Family IOS Software Configuration Guide.
Related Topics
•
Configuring VLANs
•
Configuring Layer 2 VLANs
•
Configuring Layer 3 VLANs
•
Viewing Service VLANs
Editing VTP Information
Procedure
Step 1
Click Switch in the task bar, click VLANs in the left-most pane, then select VTP from the selector.
Step 2
Click Edit. The Edit VTP dialog box appears.
Step 3
Edit the appropriate values.
GUI Element | Action/Description
Mode list | Select the mode in which the VTP is running (client, server, or transparent). VTP client maintains a list of all VLANs but cannot add, delete, or rename VLANs. VTP server maintains a list of all VLANs and can add, delete, and rename VLANs.
Domain Name field | Enter the VTP domain name.
Password field | Enter your VTP password.
V2 mode list | Select the status of VTP version 2 (enabled or disabled). If you are using Token Ring VLANs, use V2 VTPs; otherwise, you can use V1 or V2 VTPs.
Pruning list | Select the pruning status (enabled or disabled) on VTP. When enabled, pruning eliminates any unnecessary traffic created and broadcast by VTP.
Step 4
Click OK, then click Save.
Related Topic
•
Configuring VTP Information
Spanning Tree Settings (Switch > Spanning Tree)
DM 6500/7600 allows you to view and configure VLAN and port spanning tree protocol (STP) settings. STP is a link management protocol that provides path redundancy while preventing undesirable loops in the network. For a Layer 2 Ethernet or Token Ring network to function properly, only one active path can exist between two stations. STP operation is transparent to end stations, which cannot detect whether they are connected to a single LAN segment or a switched LAN of multiple segments.
For more information about configuring STP, see the relevant section in Catalyst 6500 Family IOS Software Configuration Guide.
Topics in this section contain information about:
•
Configuring STP Settings for All VLANs
•
Configuring STP Settings for a Specific VLAN
•
Configuring STP Settings for All Ports
•
Configuring STP Settings for a Specific Port
Configuring STP Settings for All VLANs
You can view your STP settings for all VLANs. Click Switch in the task bar, click Spanning Tree in the left-most pane, then select VLANs in the selector to display the Spanning Tree page (see Figure 14-9).
Figure 14-9 STP Page
This page provides a table that displays the following information:
Column | Description
VLAN | Number (ID) of the VLAN.
STP Status | Status (enabled or disabled) of STP on the VLAN.
Primary Root | Specifies if the VLAN is on a primary root switch (yes or no).
Blocking column | Number of blocking ports. Ports in the blocking state do not participate in frame forwarding. A switch always enters the blocking state after switch initialization.
Listening column | Number of listening ports. Ports enter the listening state when STP determines that the port should participate in frame forwarding. Ports enter the listening state from the blocking state. Learning is disabled in the listening state.
Learning column | Number of learning ports. Ports in the learning state prepare to participate in frame forwarding. Ports enter the learning state from the listening state.
Forwarding column | Number of forwarding ports. Ports in the forwarding state forward frames. Ports enter the forwarding state from the learning state.
STP Active column | Total number of blocking, listening, learning, and forwarding VLANs.
Note
DM 6500/7600 supports only PVST and Rapid PVST STP modes. You can change your STP mode from the Global Settings page (see Configuring Global Settings). However, if you select MST as the STP mode, then DM 6500/7600 does not populate any STP data.
You can edit your STP settings for a VLAN or VLANs from this page. See Editing STP Settings for a VLAN or VLANs.
Related Topics
• Configuring STP Settings for a Specific VLAN
• Configuring STP Settings for All Ports
• Configuring STP Settings for a Specific Port
Editing STP Settings for a VLAN or VLANs
Procedure
Step 1
Click Switch in the task bar, click Spanning Tree in the left-most pane, then select VLANs from the selector.
Step 2
From the table, select the VLAN to edit. To select multiple VLANs, press the Ctrl key as you select each VLAN to edit.
Step 3
Click Edit. The Edit STP Settings dialog box appears.
Step 4
Edit the appropriate values.
GUI Element | Action/Description
VLAN Range field | Values (IDs) of the VLAN(s) to edit. You cannot edit this field.
Enable STP list | Select to enable STP (yes or no) on the VLAN or VLANs.
Root Configuration list | Select the root configuration (Primary, Secondary, or Not Root).
Step 5
Click OK, then click Save.
Related Topics
• Configuring STP Settings for All VLANs
Configuring STP Settings for a Specific VLAN
You can view the STP settings for a particular VLAN.
Step 1
Click Switch in the task bar, click Spanning Tree from the left-most pane, then select VLANs from the selector.
Step 2
From the selector, select the VLAN for which to view STP settings.
The following information is displayed:
GUI Element | Description
STP Summary pane
VLAN field | Number (ID) of the VLAN.
Protocol field | Protocol.
STP Status field | Status (enabled or disabled) of STP.
Root Switch field | Specifies if the switch is a root (yes or no). The STP root switch is the logical center of the STP topology in a switched network.
Root Cost field | Also called Root Path Cost—the cumulative cost of all links to the root bridge. In a BPDU, this is the value transmitted in the cost field. In a bridge, this value is calculated by adding the receiving port's path cost to the value contained in the BPDU.
Root Port field | Specifies the port that is closest to the root bridge. Every nonroot bridge must select one root port.
Bridge Priority field | Priority value of the bridge. The value can be from 1 to 65535.
MAC Address field | MAC address of this switch.
Hello Time field (seconds) | Determines how often the root switch broadcasts its hello message to other switches.
Max Age field (seconds) | Measures the age of the received protocol information recorded for a port and ensures that this information is discarded when its age limit exceeds the value of the maximum age parameter recorded by the switch. The timeout value is the maximum age parameter of the switches.
Forward Delay field (seconds) | Monitors the time spent by a port in the learning and listening states. The timeout value is the forward delay parameter of the switches.
Root Bridge pane
Bridge Priority field | Priority value of the root bridge. The value can be from 1 to 65535.
MAC Address field | MAC address of the root bridge.
Hello Time field (seconds) | Determines how often the switch broadcasts its hello message to other switches.
Max Age field (seconds) | Measures the age of the received protocol information recorded for a port and ensures that this information is discarded when its age limit exceeds the value of the maximum age parameter recorded by the switch. The timeout value is the maximum age parameter of the switches.
Forward Delay field | Monitors the time spent by a port in the learning and listening states. The timeout value is the forward delay parameter of the switches.
Ports table
Interface column | Names of the access and trunk ports associated with this VLAN.
Role column | STP-assigned role; STP works by assigning roles to switches and ports to ensure that there is only one path through the switched network at any one time. The roles assigned are root bridge, root port, designated port, and nondesignated port. There is only one root bridge in any loop and only one designated port in any one segment. On the root bridge, all ports are designated. The selection of the root bridge is based on either an assigned number or an arbitrary number such as a MAC address.
Status column | Status (blocking, learning, listening, or forwarding) of the port on this VLAN.
Cost column | Port cost value; ports with lower port costs are more likely to be chosen to forward frames.
Priority column | Port priority value; the port with the lowest priority value forwards frames for all VLANs.
Number column | Port number; if all ports have the same port priority value, STP puts the port with the lowest port number in the forwarding state and blocks other ports.
Link Type column | Link type on the port (Shared or Point-to-point):
• Shared indicates that the link is a shared segment and can contain more than one device.
• Point-to-point indicates that the link is a point-to-point link to another device.
From this page, you can edit your STP settings for a VLAN. See Editing STP Settings for a Specific VLAN.
Related Topics
• Configuring STP Settings for All VLANs
• Configuring STP Settings for All Ports
• Configuring STP Settings for a Specific Port
Editing STP Settings for a Specific VLAN
Procedure
Step 1
Click Switch in the task bar, click Spanning Tree from the left-most pane, then select VLANs from the selector.
Step 2
From the selector, select the VLAN for which to edit STP settings.
Step 3
In the STP Summary pane, click Edit.
Step 4
Edit the appropriate values in the Edit STP Settings dialog box.
GUI Element | Action/Description
VLAN Number field | Number (ID) of the VLAN. You cannot edit this field.
Enable STP check box | Click the check box to enable STP on the VLAN.
Root Config radio button | Specify the configuration of the root. Do one of the following:
• Select via Macro, then select the root type (Primary, Secondary, Not Root) from the Root Type list.
Macro looks at the bridge priority value of all other switches and compares it to the value of this switch; to make this switch the root switch, Macro gives this switch a lower value to force it to become the root.
• Select via Bridge Priority, then do one of the following to specify the bridge priority:
– If Extended System ID is enabled, the Bridge Priority list is shown; select the bridge priority value from this list.
– If Extended System ID is disabled, enter any bridge priority value from 1 to 65535 in the Bridge Priority field.
The switch becomes the root when its bridge priority value is the lowest value.
If the bridge priority value of this switch is the same as the bridge priority value of another switch, the switch with the lower MAC address becomes the root switch.
Step 5
Click OK, then click Save.
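The root selection and root cost rules described in the field tables above, worked through on a small topology. This is an added example, not part of DM 6500/7600 or the original guide; the switch names, MAC addresses, port names and path costs are constructed, and the final tie-break on port name is a simplification.

```python
# Added example: STP root election and root path cost on a constructed topology.
# All names, MAC addresses, ports and costs below are made up for illustration.

BRIDGES = {
    "SW-A": {"priority": 8192, "mac": "02:00:00:00:00:0a"},
    "SW-B": {"priority": 32768, "mac": "02:00:00:00:00:0b"},
    "SW-C": {"priority": 32768, "mac": "02:00:00:00:00:0c"},
    "SW-D": {"priority": 8192, "mac": "02:00:00:00:00:0d"},  # ties with SW-A
}

# (bridge_a, port_a, cost_a, bridge_b, port_b, cost_b); cost_x is the path
# cost configured on that end's port.
LINKS = [
    ("SW-A", "Gi1/1", 4, "SW-B", "Gi1/1", 4),
    ("SW-A", "Gi1/2", 19, "SW-C", "Gi1/1", 19),
    ("SW-B", "Gi1/2", 4, "SW-C", "Gi1/2", 4),
    ("SW-C", "Gi1/3", 4, "SW-D", "Gi1/1", 4),
    ("SW-B", "Gi1/3", 19, "SW-D", "Gi1/2", 19),
]


def bridge_id(bridge):
    """Comparable bridge ID: lowest priority wins, lowest MAC breaks a tie."""
    mac = bytes.fromhex(bridge["mac"].replace(":", ""))
    return (bridge["priority"], mac)


def elect_root(bridges):
    """Return the name of the bridge with the lowest (priority, MAC)."""
    return min(bridges, key=lambda name: bridge_id(bridges[name]))


def root_paths(bridges, links):
    """Return {bridge: (root_path_cost, root_port)} for every nonroot bridge."""
    root = elect_root(bridges)
    # For each bridge: the ports on which it receives BPDUs, and from whom.
    rx = {name: [] for name in bridges}
    for a, a_port, a_cost, b, b_port, b_cost in links:
        rx[a].append((a_port, a_cost, b))
        rx[b].append((b_port, b_cost, a))

    cost = {root: 0}
    changed = True
    while changed:  # repeat until no bridge hears a better BPDU
        changed = False
        for name in bridges:
            if name == root:
                continue
            for _port, port_cost, sender in rx[name]:
                if sender not in cost:
                    continue  # sender has no path to the root yet
                # Cost carried in the BPDU plus the receiving port's path cost.
                candidate = cost[sender] + port_cost
                if candidate < cost.get(name, float("inf")):
                    cost[name] = candidate
                    changed = True

    result = {}
    for name in bridges:
        if name == root or name not in cost:
            continue  # the root has no root port; isolated bridges are skipped
        # Root port: lowest resulting cost, then lowest sender bridge ID.
        # Real STP breaks remaining ties on port identifiers; the port name is
        # used here only to keep the example deterministic.
        best = min(
            (cost[sender] + port_cost, bridge_id(bridges[sender]), port)
            for port, port_cost, sender in rx[name]
            if sender in cost
        )
        result[name] = (best[0], best[2])
    return result


if __name__ == "__main__":
    print("root:", elect_root(BRIDGES))
    for name, (path_cost, port) in sorted(root_paths(BRIDGES, LINKS).items()):
        print(f"{name}: root cost {path_cost} via {port}")
```

SW-A and SW-D share the lowest priority, so the lower MAC address decides the election; SW-C reaches the root more cheaply through SW-B than over its direct, higher-cost link.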
Related Topics
• Configuring STP Settings for a Specific VLAN
Configuring STP Settings for All Ports
You can view your STP settings for all ports.
Click Switch in the task bar, click Spanning Tree in the left-most pane, then select Ports from the selector.
The following information is displayed:
Column | Description
Port Name | Name of the port.
PortFast | Indicates the status of PortFast (Enabled, Disabled, or Global) on the port. PortFast causes a port to immediately enter the spanning-tree forwarding state, bypassing the listening and learning states.
VLANs | Contains the following sub-columns:
• Blocking VLANs—Number of VLANs on which the port is blocking.
• Listening VLANs—Number of VLANs on which the port is listening.
• Learning VLANs—Number of VLANs on which the port is learning.
• Forwarding VLANs—Number of VLANs on which the port is forwarding.
You can edit your STP settings for a port or ports from this page. See Editing STP Settings for a Port or Ports.
Related Topics
• Configuring STP Settings for All VLANs
• Configuring STP Settings for a Specific VLAN
• Configuring STP Settings for a Specific Port
Editing STP Settings for a Port or Ports
Procedure
Step 1
Click Switch in the task bar, select Spanning Tree in the left-most pane, then select Ports from the selector.
Step 2
From the table, select the port to edit. To select multiple ports, press the Ctrl key as you select each port to edit.
Step 3
Click Edit. The Edit STP Settings dialog box appears.
Step 4
Edit the appropriate values.
GUI Element | Action/Description
Port(s) field | Name of the port(s) to edit. You cannot edit this field.
Enable PortFast list | Select the status of PortFast (Enabled, Disabled, or Global) on the port. PortFast causes a port to immediately enter the spanning-tree forwarding state, bypassing the listening and learning states.
Step 5
Click OK, then click Save.
Related Topics
• Configuring STP Settings for All Ports
Configuring STP Settings for a Specific Port
You can view the STP settings for a particular port.
Step 1
Click Switch in the task bar, click Spanning Tree in the left-most pane, then select Ports from the selector.
Step 2
Select the port for which to view STP settings.
The following information is provided:
GUI Element | Description
STP Summary pane
Name field | Name of the port.
Port Cost field | Port cost value; ports with lower port costs are more likely to be chosen to forward frames. If the port does not have a port cost value in the device running configuration, default is displayed.
Port Priority field | Port priority value; the port with the lowest priority value forwards frames for all VLANs. If the port does not have a port priority value, default is displayed.
Link Type field | Link type on the port (Shared, Point-to-point, or Default):
• Shared indicates that the link is a shared segment and can contain more than one device.
• Point-to-point indicates that the link is a point-to-point link to another device.
PortFast field | Status (Enabled, Disabled, or Global) of PortFast. PortFast causes a port to immediately enter the spanning-tree forwarding state, bypassing the listening and learning states.
BPDU Guard field | Status (Enabled, Disabled, or Global) of BPDU guarding. When enabled, BPDU guard causes STP to shut down PortFast-configured interfaces that receive BPDUs, instead of putting them into the spanning-tree blocking state.
BPDU Filter field | Status (Enabled, Disabled, or Global) of BPDU filtering. When enabled, the BPDU filter allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system.
Guard field | Type of guard enabled on the port. Values can be:
• Loop—Verifies whether or not a root port or an alternate root port receives BPDUs. If the port is not receiving BPDUs, the loop guard feature puts the port into an inconsistent state until it starts receiving BPDUs again.
• Root—Forces a Layer 2 LAN interface to become a designated port; if any device accessible through the interface becomes the root bridge, root guard puts the interface into the blocked state.
• None—No guarding is enabled on the port.
STP VLAN Summary table
VLAN Number column | Number (ID) of the VLAN to which the port belongs.
Status column | Status (blocking, learning, listening, or forwarding) of the port on this VLAN.
Role column | STP-assigned role; STP works by assigning roles to switches and ports to ensure that there is only one path through the switched network at any one time. The roles assigned are root bridge, root port, designated port, and nondesignated port. There is only one root bridge in any loop and only one designated port in any one segment. On the root bridge, all ports are designated. The selection of the root bridge is based on either an assigned number or an arbitrary number such as a MAC address.
Cost column | Cost value on this VLAN; ports with lower port-VLAN costs are more likely to be chosen to forward frames. This value takes precedence over the global port cost value (displayed in the STP Summary Pane).
Priority column | Port priority value on this VLAN; the port with the lowest priority value forwards frames for all VLANs. This value takes precedence over the global port priority value (displayed in the STP Summary Pane).
You can edit your STP settings for a port from this page. See Editing STP Settings For a Specific Port.
Related Topics
• Configuring STP Settings for All VLANs
• Configuring STP Settings for a Specific VLAN
• Configuring STP Settings for All Ports
Editing STP Settings For a Specific Port
Procedure
Step 1
Click Switch in the task bar, click Spanning Tree in the left-most pane, then select Ports from the selector. Then, from the selector, select the port for which to configure STP settings.
Step 2
From the STP Summary field, click Edit. The Edit STP Settings dialog box appears.
Step 3
Edit the appropriate values.
GUI Element | Action/Description
Port Cost field | Enter the port cost value. Ports with lower port costs are more likely to be chosen to forward frames.
Port Priority list | Select the port priority value. The port with the lowest priority value forwards frames for all VLANs.
Link Type list | Select the link type on the port (Shared, Point-to-point, or Default):
• Shared indicates that the link is a shared segment and can contain more than one device.
• Point-to-point indicates that the link is a point-to-point link to another device.
PortFast list | Select the status of PortFast (Enabled, Disabled, or Global) on the port. When enabled, PortFast causes a switch or trunk port to immediately enter the STP forwarding state, bypassing the listening and learning states.
BPDU Guard list | Select the status of BPDU guard (Enabled, Disabled, or Global) on the port. When enabled, BPDU guard causes STP to shut down PortFast-configured interfaces that receive bridge protocol data units (BPDUs), instead of putting them into the spanning-tree blocking state.
BPDU Filter list | Select the status of BPDU filter (Enabled, Disabled, or Global) on the port. When enabled, BPDU filter allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system.
STP Guard list | Select the type of STP guard (None, Root, Loop, or Global).
• Loop—Verifies whether or not a root port or an alternate root port receives BPDUs. If the port is not receiving BPDUs, the loop guard feature puts the port into an inconsistent state until it starts receiving BPDUs again.
• Root—Forces a Layer 2 LAN interface to become a designated port; if any device accessible through the interface becomes the root bridge, root guard puts the interface into the blocked state.
• None—No guarding is enabled on the port.
Step 4
Click OK, then click Save.
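A review of the per-port PortFast, BPDU Guard, BPDU Filter and STP Guard values described above, as an added example that is not part of DM 6500/7600 or the original guide. The record layout, the GLOBALS dictionary used to resolve a value of Global, the finding codes and the sample ports are all hypothetical and constructed for illustration.

```python
# Added example: audit of per-port STP protection settings.
# Setting values mirror the lists on the port page; everything else
# (field names, GLOBALS, finding codes, sample ports) is hypothetical.

TRI_STATE = {"Enabled", "Disabled", "Global"}
GUARD_TYPES = {"None", "Root", "Loop", "Global"}

# Switch-wide values that a per-port setting of "Global" inherits (constructed).
GLOBALS = {
    "portfast": "Disabled",
    "bpdu_guard": "Enabled",
    "bpdu_filter": "Disabled",
    "guard": "None",
}

# Constructed sample, as if transcribed from the port page.
PORTS = [
    {"name": "Gi2/1", "portfast": "Enabled", "bpdu_guard": "Disabled",
     "bpdu_filter": "Global", "guard": "Global"},
    {"name": "Gi2/2", "portfast": "Enabled", "bpdu_guard": "Global",
     "bpdu_filter": "Disabled", "guard": "None"},
    {"name": "Gi2/3", "portfast": "Global", "bpdu_guard": "Global",
     "bpdu_filter": "Enabled", "guard": "Global"},
    {"name": "Gi1/1", "portfast": "Disabled", "bpdu_guard": "Disabled",
     "bpdu_filter": "Disabled", "guard": "Root"},
]


def effective(port, field, globals_):
    """Validate one setting and resolve 'Global' to the switch-wide value."""
    allowed = GUARD_TYPES if field == "guard" else TRI_STATE
    value = port[field]
    if value not in allowed:
        raise ValueError(f"{port['name']}: unexpected {field} value {value!r}")
    return globals_[field] if value == "Global" else value


def audit_ports(ports, globals_):
    """Return a sorted list of (port_name, finding_code) tuples."""
    findings = []
    for port in ports:
        portfast = effective(port, "portfast", globals_)
        bpdu_guard = effective(port, "bpdu_guard", globals_)
        bpdu_filter = effective(port, "bpdu_filter", globals_)
        guard = effective(port, "guard", globals_)

        # PortFast skips listening/learning; without BPDU guard the port is
        # not shut down when it receives a BPDU.
        if portfast == "Enabled" and bpdu_guard != "Enabled":
            findings.append((port["name"], "PORTFAST_WITHOUT_BPDU_GUARD"))

        # BPDU filter is described for PortFast-enabled end-system ports;
        # on any other port it suppresses BPDUs that neighbors expect.
        if bpdu_filter == "Enabled" and portfast != "Enabled":
            findings.append((port["name"], "BPDU_FILTER_WITHOUT_PORTFAST"))

        # A port that takes part in normal STP with neither root guard nor
        # loop guard is worth a manual look.
        if portfast != "Enabled" and guard == "None":
            findings.append((port["name"], "NO_ROOT_OR_LOOP_GUARD"))
    return sorted(findings)


if __name__ == "__main__":
    for name, code in audit_ports(PORTS, GLOBALS):
        print(f"{name}: {code}")
```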
Related Topics
• Configuring STP Settings for a Specific Port
Displaying VPN Routing and Forwarding Instances (Switch > VRFs)
To display information about the VPN Routing and Forwarding (VRF) instances on a switch, select Switch > VRFs.
A VRF instance consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table. VRF instances convert routers into multiple virtual routers by creating a separate forwarding table for each VPN.
Service Module Configuration (Services > Flows)
Topics in this section contain information about:
• Adding VLANs/Interfaces
• Adding VLAN/Interface Connections Between Service Modules
• Viewing and Configuring Virtual Firewalls (Contexts)
Viewing Service Modules and VLAN Connections Using the Services Topology Map
You can view a graphical display of all service modules and the VLANs that span across them by clicking Services in the task bar and clicking Flows in the left-most pane. The Flows page displays the Services Topology map (see Figure 14-10).
Figure 14-10 Flows Page
Note
When DM 6500/7600 detects a firewall module that supports virtual firewalls (contexts) and you have provided the correct credentials, you will see a Module View tab and a Virtual Firewall View tab. The Services Topology map is displayed in the Module View tab. See Viewing and Configuring Virtual Firewalls (Contexts).
From the Services Topology map, you can do the following:
• View a graphical representation of all modules and VLANs that span across them:
  – Service modules are labeled and represented by various icons.
  – VLANs are labeled and represented by solid lines.
  – If there are more than five connecting VLANs, they are represented by one thick, solid line. To view the individual VLAN IDs for an aggregate VLAN, place your mouse over the thick line.
  – Service module icons and VLANs can be moved to get a better view of what is on your device.
• Easily identify and fix potential security holes. For example, you might see a VLAN directly connecting an MSFC icon and a CSM icon, thus bypassing a firewall. You can then use one of the service module wizards to fix the security hole. See Service Module Setup Wizards.
• View information and perform tasks using the VLAN Connection Shortcut Menu. You can edit or delete the selected VLAN connection.
• View all VLAN and interface information about the selected VLAN connection or service module in a tabular format (under the topology map). For a description of the provided information, see the relevant service module section in Firewall Service Module Setup.
• Zoom in, zoom out, and print the topology map by clicking on the magnifying glass and print icons.
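The firewall-bypass check that the topology map supports visually can also be run over a list of VLAN connections. This is an added example, not part of DM 6500/7600 or the original guide, and it generalizes the direct MSFC-to-CSM case to multi-hop paths; the module labels, VLAN IDs and function name are constructed, and each firewall module is treated as a single node.

```python
# Added example: find service modules reachable from the MSFC over VLANs
# that never pass through a firewall module. All data is constructed.
from collections import deque

# {vlan_id: set of modules that have an interface on that VLAN}
VLANS = {
    10: {"MSFC:slot1", "FWSM:slot3"},
    20: {"FWSM:slot3", "CSM:slot4"},
    30: {"MSFC:slot1", "CSM:slot4"},   # direct MSFC-CSM link
    31: {"CSM:slot4", "CSM:slot5"},
}


def find_bypasses(vlans, outside, firewalls, protected):
    """Return {module: [vlan ids]} for protected modules that `outside` can
    reach over VLANs without crossing any module listed in `firewalls`."""
    firewalls = set(firewalls)
    path = {outside: []}
    queue = deque([outside])
    while queue:  # breadth-first search, so the shortest VLAN path is kept
        module = queue.popleft()
        for vlan_id in sorted(vlans):
            members = vlans[vlan_id]
            if module not in members:
                continue
            # Every non-firewall module on the same VLAN is directly adjacent.
            for peer in sorted(members - firewalls):
                if peer not in path:
                    path[peer] = path[module] + [vlan_id]
                    queue.append(peer)
    return {m: p for m, p in path.items() if m in protected}


if __name__ == "__main__":
    hits = find_bypasses(VLANS, "MSFC:slot1", {"FWSM:slot3"},
                         {"CSM:slot4", "CSM:slot5"})
    for module, vlan_path in sorted(hits.items()):
        print(f"{module} reachable without firewall via VLANs {vlan_path}")
```

An empty result means every path from the MSFC to the protected modules crosses a firewall module.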
Related Topics
• Adding VLANs/Interfaces
• Adding VLAN/Interface Connections Between Service Modules
• Viewing and Configuring Virtual Firewalls (Contexts)
Nonrecommended Service Module Configurations
When DM 6500/7600 discovers service module configurations on the switch that are not recognized as recommended configurations, the Non-Recommended Configurations dialog box appears.
Step 1
Remove the module configurations that DM 6500/7600 lists in the Non-Recommended Configurations dialog box.
Step 2
Start one of the service module wizards. See Service Module Setup Wizards to understand your options.
Related Topic
• VLAN Connection Shortcut Menu
VLAN Connection Shortcut Menu
The VLAN connection shortcut menu allows you to quickly edit or delete a VLAN connection.
Procedure
Step 1
Click Services in the task bar, then click Flows in the left-most pane.
Step 2
Right-click a VLAN connection from the Services Topology Map or from the Virtual Firewall View tab. See Viewing and Configuring Virtual Firewalls (Contexts).
Step 3
Select Edit or Delete. If deleting a VLAN connecting a firewall context, see Delete VLAN Connection Warning Dialog Box.
Step 4
Enter the appropriate information. For parameter descriptions, see VLAN Connection Parameters.
Delete VLAN Connection Warning Dialog Box
This dialog box appears if you are deleting a VLAN connecting a firewall context. Select one of the following:
• Delete VLAN link only for selected context—This option removes only this VLAN for the selected context.
• Delete VLAN links for all firewall contexts—This option deletes the selected VLAN link for all contexts.
Caution 
Selecting the second option prevents traffic from flowing to all the contexts that share this VLAN.
Related Topics
• Adding VLAN/Interface Connections Between Service Modules
• Viewing Contexts
Adding VLANs/Interfaces
You can use the Services Topology Map to add a VLAN/interface on a Firewall Services Module (FWSM). See also Firewall Service Module Setup.
Procedure
Step 1
Click Services in the task bar, then click Flows in the left-most pane.
Step 2
Select a service module icon from the Services Topology Map. If you select a firewall module that supports contexts, you can select a context from the selector to view associated interface information. A table showing VLAN and interface information about the selected service module appears.
Step 3
Click Add.
Step 4
To enter the appropriate information, see Configuring the Firewall Module.
Related Topics
• Adding VLAN/Interface Connections Between Service Modules
• VLAN Connection Parameters
Adding VLAN/Interface Connections Between Service Modules
Use this procedure if a VLAN connection exists between modules.
Procedure
Step 1
Click Services in the task bar, then click Flows in the left-most pane.
Step 2
Select an existing VLAN connection from the Services Topology Map. A table showing VLAN information appears.
Step 3
Click Add.
Step 4
Enter the appropriate information. See VLAN Connection Parameters.
Related Topics
• Adding VLANs/Interfaces
• VLAN Connection Parameters
VLAN Connection Parameters
The VLAN Connection dialog box appears when adding or editing a VLAN connection between service modules.
Note
• To delete a VLAN connection, select the VLAN and click Delete. You will be warned before deleting the connection. Click Yes to continue.
• When editing or deleting aggregate VLANs, a table of VLANs appears instead. Select the VLAN to edit, then click Edit or Delete.
GUI Element | Action
Select VLAN list | Click , then select one of the following:
• Select VLAN—Opens the VLAN Selector dialog box.
• Create VLAN—Opens the Create VLAN dialog box.
Note This option is only available when you are adding a VLAN connection.
MSFC: Slot X
Interface field | Enter the name for the interface.
IP Address field | Enter the IP address of the VLAN on the interface.
Mask field | Enter the subnet mask to which the specified IP address belongs. You can either type a value or select one from the list.
Firewall: Slot X
Context list | Enter the context associated with this interface. Click , then select one of the following:
• Select Context—Opens the Select Firewall Context dialog box. See Select Firewall Context.
• Create Context—Opens the Create Firewall Context dialog box. See Create Firewall Context.
Note the following:
• This field is displayed only when Multiple Mode is active.
• New contexts can be created only after the Admin context has first been created.
See Security Context Overview.
Interface field | Enter a name for the interface.
IP Address field | Enter the IP address of the VLAN on the interface.
Mask field | Enter the subnet mask to which the specified IP address belongs. You can either type a value or select one from the list.
Security Level (0-100) field | Indicates the security level set for the interface. Higher values indicate higher security levels.
VLAN Group list | Specify the VLAN group associated with the selected VLAN. See Select VLAN Group.
Related Topics
• Adding VLANs/Interfaces
• Adding VLAN/Interface Connections Between Service Modules
Viewing and Configuring Virtual Firewalls (Contexts)
You can partition a single firewall module into multiple virtual firewalls, also known as security contexts. Each context is an independent system, with its own configuration and policies. Multiple contexts are equivalent to having multiple standalone firewalls.
When DM 6500/7600 detects a firewall module that supports contexts and you have entered the correct credentials, a Module View tab and a Virtual Firewall View tab are displayed in the Flows page.
The Module View tab serves the same functionality as the Services Topology Map. The difference is that the Module View tab can display contexts when a firewall service module icon is selected. See Configuring Firewall Contexts.
The Virtual Firewall View tab lists all contexts within a firewall module and allows you to edit and configure context information. See Viewing Contexts.
Note
You cannot create virtual firewalls using the Virtual Firewall View. To create virtual firewalls, see Configuring Firewall Contexts.
Viewing Contexts
Click Services in the task bar, click Flows from the left-most pane, then select the Virtual Firewall View tab to display the Virtual Firewall View.
From the Virtual Firewall View you can do the following:
• Visually trace VLAN connectivity between contexts and other service modules using the context topology map.
• Edit or delete a selected VLAN connection. See VLAN Connection Shortcut Menu.
• View all VLAN and interface information about the selected context, service module, or VLAN connection in a tabular format (under the context topology map). For a description of the provided information, see the relevant service module section in Firewall Service Module Setup.
• Edit or add interfaces by clicking a firewall context from the selector or from the context topology map, selecting an interface from the Interfaces table, and clicking Add or Edit. For field descriptions, see Configuring Firewall Contexts.
• Move service module icons and VLANs to get a better view of what is on your device.
Note
VPN Routing and Forwarding (VRF) icons will also be displayed if any VRFs have been configured on the device.
• Zoom in, zoom out, or print the topology map by clicking on the magnifying glass and print icons.
Note
You cannot create virtual firewalls using the Virtual Firewall View. To create virtual firewalls, see Configuring Firewall Contexts.
Adding Interfaces to Virtual Firewalls
You can add interfaces from either the Virtual View tab or the firewall module interface overview page. See Adding a Firewall Module Interface.
Procedure
Step 1
Click Services in the task bar, click Flows from the left-most pane, then select the Virtual Firewall View tab.
Step 2
Do one of the following:
• Click a firewall context icon from the topology map.
• Click a firewall context from the selector.
Step 3
Click Add under the Interface table. The Add Firewall Interface dialog box appears. For field descriptions, see Adding a Firewall Module Interface.
Related Topics
• Viewing Contexts
• Editing Interfaces on Virtual Firewalls
Editing Interfaces on Virtual Firewalls
You can edit interfaces from either the Virtual View tab or the firewall module interface overview page. See Editing a Firewall Module Interface.
Procedure
Step 1
Click Services in the task bar, click Flows from the left-most pane, then select the Virtual Firewall View tab.
Step 2
Do one of the following:
• Click a firewall context icon from the topology map.
• Click a firewall context from the selector.
Step 3
Click Edit under the Interface table.
The Edit Firewall Interface dialog box appears. For field descriptions, see Editing a Firewall Module Interface.
Related Topics
• Viewing Contexts
• Adding Interfaces to Virtual Firewalls
Service Module Setup Wizards
DM 6500/7600 provides wizards that simplify the process of service module setup. Each wizard is tailored for a scenario that network administrators face when setting up service modules.
This section contains the following topics:
• Which Wizard Should I Use?
• Using the Firewall-Inside Setup Wizard
• Using the Firewall-Outside Setup Wizard
Which Wizard Should I Use?
After reading the following descriptions, determine which wizard best suits your application and refer to the information for that wizard.
Firewall-Inside Scenario
This scenario is typically used in the intranet data center. Placing the Multilayer Switch Feature Card (MSFC) outside the FWSM makes it possible for the MSFC to perform routing toward the core. The FWSM provides routing to the border routers and the demilitarized zone (DMZ).
Before you launch the Firewall-Inside setup wizard, you must first enter the credentials for the firewall module. To do so, select Edit > Credentials, then enter the appropriate information.
To access this wizard, click Services in the task bar, click Setup from the left-most pane, select Firewall-Inside from the list of setup templates, and click Launch Setup Wizard. See Using the Firewall-Inside Setup Wizard.
Firewall-Outside Scenario
This scenario is typically used in the Internet data center. Placing the FWSM outside the MSFC allows the MSFC to face the core.
Before you launch the Firewall-Outside setup wizard, you must first enter the credentials for the firewall module. To do so, select Edit > Credentials, then enter the appropriate information.
To access this wizard, click Services in the task bar, click Setup from the left-most pane, select Firewall-Outside from the list of setup templates, and click Launch Setup Wizard. See Using the Firewall-Outside Setup Wizard.
Using the Firewall-Inside Setup Wizard
The wizard consists of three steps:
1. (Optional) Configure the connection to the core network.
2. Configure a VLAN to transfer data between the MSFC and firewall.
3. (Optional) Assign switch ports to the VLAN associated with the firewall's inside network.
Step 2 is the only mandatory step in the wizard. However, to enable the pinging of traffic from the core network to the inside network, you must complete all of the steps.
Note
If a VLAN is already configured between the service modules affected by this wizard, certain wizard fields will be populated with the parameters set for this VLAN.
Selecting a Service Module
After you launch the setup wizard, DM 6500/7600 checks for the presence of two or more modules of the same type on your device. If multiple instances of the same module type are found, the Service Blade Selection page appears. For every module type that has more than one instance installed, select from the list the module the wizard should configure.
Click Next to proceed to the next page of the setup wizard.
Configuring the Core Network Connection
To configure the connection to the core network, enter the information specified in Table 14-7.
Note
This step is optional. To proceed to the next page of the wizard, click Next.
Table 14-7 Core Network Connection Configuration: GUI Reference
GUI Element | Action
Connection Mode radio button | Select the appropriate port connection mode in this field. By default, Routed mode is selected.
Ports Selector | Select the ports you want to add to the VLAN configured on this page of the wizard. See Port Selector.
Configure VLAN for Selected Ports pane 1
VLAN list | Specify the VLAN to which the selected ports belong. Click , then select one of the following:
• Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector.
• Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box.
• Clear VLAN—Clears the VLAN that is specified in this field.
IP Address field | Enter the IP address of the Switched Virtual Interface (SVI).
Mask field | Enter the subnet mask that corresponds to the SVI's IP address. You can either type a value or select a value from the list.
Routed Port Details
This dialog box appears anytime you add a port to the Selected Ports column that does not have an IP address and subnet mask specified.
Table 14-8 Routed Port Details: GUI Reference
GUI Element | Action/Description
Port Name field | Name of the selected port.
IP Address field | Enter the IP address of the port you want to add to the Selected Ports column.
Net Mask field | Enter the subnet mask to which the port's IP address belongs. You can either type a value or select a value from the list.
Configuring the MSFC-Firewall VLAN
To configure the VLAN connection between the MSFC and firewall modules, enter the information specified in Table 14-9.
Table 14-9 MSFC-Firewall VLAN Configuration: GUI Reference
GUI Element
|
Action/Description
|
VLAN Connecting MSFC and Firewall list
|
Specify the VLAN that connects the MSFC and firewall modules.
Click , then select one of the following:
• Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector.
• Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box.
• Clear VLAN—Clears the VLAN that is specified in this field.
|
MSFC: Slot X pane
|
Interface field
|
Enter the name for this interface.
|
IP Address field1
|
Enter the IP address of the VLAN on this interface.
|
Mask field
|
Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list.
|
Firewall: Slot X pane
|
Context list
|
Enter the context associated with this interface.
Click , then select one of the following:
• Select Context—Opens the Select Firewall Context dialog box. See Select Firewall Context.
• Create Context—Opens the Create Firewall Context dialog box. See Create Firewall Context.
Note the following:
• This field is displayed only when Multiple Mode is active for the firewall module.
• New contexts can be created only after the Admin context has been created.
See Security Context Overview.
|
Interface field
|
Enter a name for this interface, making sure that it is not the name of an interface that is already configured on this device.
|
IP Address field1
|
Enter the IP address of the VLAN on this interface.
Note This field is not displayed when the firewall module is running in transparent mode.
|
Mask field
|
Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list.
Note This field is not displayed when the firewall module is running in transparent mode.
|
Security Level field
|
Indicates the security level set for the interface. Higher values indicate higher security levels.
• The value 100 indicates that this is an inside interface.
• The value 0 indicates that this is an outside interface.
|
VLAN Group field
|
Specify the VLAN group associated with the selected VLAN. See Select VLAN Group.
|
Gateway pane
|
Use MSFC as Default Gateway radio button
|
Select to set the MSFC as the default gateway. To specify a module other than the MSFC as the default gateway, click the Gateway radio button.
|
Gateway radio button
|
Select, then enter, the IP address of the default gateway.
|
Select VLAN Group
This dialog box lists the VLAN groups that are configured on the device, as well as the VLANs associated with each group.
Table 14-10 Select VLAN Group: GUI Reference
GUI Element
|
Description
|
VLAN Group column
|
Indicates the numerical identifier assigned to a VLAN group.
|
VLANs column
|
Indicates the VLANs that belong to a particular VLAN group.
|
Assigned column
|
When checked, indicates that this VLAN group is assigned to the firewall.
|
Select Firewall Context
This dialog box lists the contexts that are configured on the module. Select a context, then click OK to continue.
Table 14-11 Select Firewall Context: GUI Reference
GUI Element
|
Description
|
Context column
|
Indicates the name of a context.
|
Description column
|
Provides the description of a context.
|
Config URL column
|
Indicates the configuration URL for a context.
|
Create Firewall Context
In this dialog box, you can create a firewall context on a module. Enter the information specified in Table 14-12, then click OK to continue.
Table 14-12 Create Firewall Context: GUI Reference
GUI Element
|
Action
|
Name field
|
Enter the name of the context.
|
Description field
|
Enter a description of the context.
|
Config URL field
|
Enter the configuration URL for the context.
You can download a context from either a server (FTP, TFTP, HTTP, or HTTPS) or the local disk. The URL syntax for each is as follows:
• server type://server/path/filename
• disk://path/filename
where server type is the type of server, server is the IP address of the appropriate server, path is the directory that contains the context file, and filename is the name of the context file.
Please note the following:
• The URL you specify must be accessible from the Admin context.
• The Admin context file must be stored on the local disk.
• It is recommended that you append the .cfg extension to the context filename.
|
Configuring the Inside Network Connection
To configure the connection to the inside network, enter the information specified in Table 14-13.
Note
This step is optional. To proceed to the next page of the wizard, click Next.
Table 14-13 Inside Network Connection Configuration: GUI Reference
GUI Element
|
Action/Description
|
Connection Mode radio button
|
Select the appropriate port connection mode.
|
Ports Selector
|
Select the ports you want to add to the VLAN configured on this page of the wizard. See Port Selector.
|
Configure VLAN for Selected Ports pane
|
VLAN list
|
Specify the VLAN to which the selected ports belong.
Click , then select one of the following:
• Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector.
• Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box.
• Clear VLAN—Clears the VLAN that is specified in this field.
|
Firewall Interface pane
|
Context field
|
Name of the selected context.
|
Interface field
|
Enter a name for this interface.
|
IP Address field
|
Enter the IP address of the VLAN on this interface.
Note This field is not displayed when the firewall module is running in transparent mode.
|
Mask field
|
Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list.
Note This field is not displayed when the firewall module is running in transparent mode.
|
Security Level (0-100) field
|
Indicates the security level set for the interface. Higher values indicate higher security levels.
• The value 100 indicates that this is an inside interface.
• The value 0 indicates that this is an outside interface.
|
VLAN Group list
|
Specify the VLAN group associated with the selected VLAN. See Select VLAN Group.
|
Permit ping traffic from Core to inside network check box
|
Check to permit ping traffic from the core network to the inside network.
|
Summary
From this page, you can view a summary of the settings entered for the service modules configured by this wizard. You have the option of saving the corresponding CLI commands by clicking Finish.
Saving the Configuration
From this page, you can view the CLI commands (which reflect the settings entered in this wizard) that will be saved. There could be some undelivered CLI commands from the last time this wizard was used. In this case, you will be informed that the CLI commands displayed in this window are a combination of commands generated by the wizard and commands generated in another session.
After completing the wizard, the graphical view is updated to display the newly configured VLANs. You can now configure new VLANs directly from this view.
Table 14-14 Configuration Delivery: GUI Reference
GUI Element
|
Action
|
Save to File button
|
Click to save the CLI commands generated by this wizard as a text file.
|
Close button
|
Click to save the CLI commands generated by the wizard to the Security Manager database.
|
Using the Firewall-Outside Setup Wizard
The wizard consists of four steps:
1. (Optional) Configure the connection to the Internet.
2. Assign a VLAN to transfer data between the firewall and the MSFC.
3. (Optional) Assign switch ports to the VLAN associated with the firewall's inside network.
4. (Optional) Assign switch ports to the VLAN associated with the core network.
Step 2 is the only mandatory step in the wizard.
Note
If a VLAN is already configured between the service modules affected by this wizard, certain wizard fields will be populated with the parameters set for this VLAN.
Selecting a Service Module
See Selecting a Service Module.
Configuring the Internet Connection
To configure the connection to the Internet, enter the information specified in Table 14-15.
Note
This step is optional. To proceed to the next page of the wizard, click Next.
Table 14-15 Internet Connection Configuration: GUI Reference
GUI Element
|
Action/Description
|
Connection Mode radio button
|
Select the appropriate port connection mode.
|
Ports Selector
|
Select the ports you want to add to the VLAN configured on this page of the wizard. See Port Selector.
|
Configure VLAN for Selected Ports pane
|
VLAN list
|
Specify the VLAN to which the selected ports belong.
Click , then select one of the following:
• Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector.
• Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box.
• Clear VLAN—Clears the VLAN that is specified in this field.
|
Firewall Interface pane
|
Context list
|
Enter the context associated with this interface.
Click , then select one of the following:
• Select Context—Opens the Select Firewall Context dialog box. See Select Firewall Context.
• Create Context—Opens the Create Firewall Context dialog box. See Create Firewall Context.
Note the following:
• This field is displayed only when Multiple Mode is active.
• New contexts can be created only after the Admin context has been created.
See Security Context Overview.
|
Interface field
|
Enter a name for this interface.
|
IP Address field
|
Enter the IP address of the VLAN on this interface.
Note This field is not displayed when the firewall module is running in transparent mode.
|
Mask field
|
Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list.
Note This field is not displayed when the firewall module is running in transparent mode.
|
Security Level field
|
Indicates the security level set for the interface. Higher values indicate higher security levels.
• The value 100 indicates that this is an inside interface.
• The value 0 indicates that this is an outside interface.
|
VLAN Group list
|
Specify the VLAN group associated with the selected VLAN. See Select VLAN Group.
|
Configuring the Firewall-MSFC VLAN
To configure the VLAN connection between the firewall and MSFC modules, enter the information specified in Table 14-16.
Table 14-16 Firewall/MSFC VLAN Configuration: GUI Reference
GUI Element
|
Action/Description
|
VLAN Connecting Firewall and MSFC list
|
Specify the VLAN that connects the firewall and MSFC modules.
Click , then select one of the following:
• Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector.
• Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box.
• Clear VLAN—Clears the VLAN that is specified in this field.
|
Firewall: Slot X pane
|
Context list
|
Enter the context associated with this interface.
Click , then select one of the following:
• Select Context—Opens the Select Firewall Context dialog box. See Select Firewall Context.
• Create Context—Opens the Create Firewall Context dialog box. See Create Firewall Context.
Note the following:
• This field is displayed only when Multiple Mode is active.
• New contexts can be created only after the Admin context has been created.
See Security Context Overview.
|
Interface field
|
Enter a name for this interface, making sure that it is not the name of an interface that is already configured on the device.
|
IP Address field1
|
Enter the IP address of the VLAN on this interface.
Note This field is not displayed when the firewall module is running in transparent mode.
|
Mask field
|
Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list.
Note This field is not displayed when the firewall module is running in transparent mode.
|
Security Level (0-100) field
|
Indicates the security level set for the interface. Higher values indicate higher security levels.
• The value 100 indicates that this is an inside interface.
• The value 0 indicates that this is an outside interface.
|
VLAN Group list
|
Specify the VLAN group associated with the selected VLAN. See Select VLAN Group.
|
MSFC: Slot X pane
|
Interface field
|
Enter the name for this interface.
|
IP Address field1
|
Enter the IP address of the VLAN on this interface.
|
Mask field
|
Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list.
|
Configuring the Inside Network Connection
See Configuring the Inside Network Connection.
Configuring the Core Network Connection
To configure the connection to the core network, enter the information specified in Table 14-17.
Note
This step is optional. To proceed to the next page of the wizard, click Next.
Table 14-17 Core Network Connection Configuration: GUI Reference
GUI Element
|
Action
|
Connection Mode radio button
|
Select the appropriate port connection mode in this field. By default, Routed mode is selected.
|
Ports Selector
|
Select the ports you want to add to the VLAN configured on this page of the wizard. See Port Selector.
|
Configure VLAN for Selected Ports pane 1
|
VLAN list
|
Specify the VLAN to which the selected ports belong.
Click , then select one of the following:
• Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector.
• Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box.
• Clear VLAN—Clears the VLAN that is specified in this field.
|
|
|
IP Address field
|
Enter the IP address of the Switched Virtual Interface (SVI).
|
Mask field
|
Enter the subnet mask that corresponds to the SVI's IP address. You can either type a value or select a value from the list.
|
Summary
See Summary.
Delivering the Configuration to the Switch/Module
See Saving the Configuration.
Firewall Service Module Setup
Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other; for example, by keeping a human resources network separate from a more generalized user network. If you have network resources that must be available to an outside user, such as a web or FTP server, you can place these resources on a separate network behind the firewall, called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ includes only the public servers, an attack there affects only the servers and does not affect the other inside networks.
You can also control outside access by inside users (for example, access to the Internet) by allowing only certain addresses out, by requiring authentication or authorization, or by coordinating with an external authentication, authorization, and accounting (AAA) server.
When discussing networks connected to a firewall, the outside network is in front of the firewall, the inside network is protected and behind the firewall, and the DMZ, while behind the firewall, allows limited access to outside users. Because the Firewall Services Module (FWSM) allows you to configure many interfaces with varied security policies, including inside interfaces, DMZs, and even outside interfaces, these terms are used in a general sense only.
Configuring the Firewall Module
To access the firewall module overview page (see Figure 14-11), click Services in the task bar, click Firewall from the left-most pane, then click Firewall: Slot X from the selector.
Figure 14-11 Firewall Page
From the firewall module overview page, you can:
• View module and service detail information.
• Manage the VLAN groups configured on the device. See Configuring VLAN Groups.
The following table describes the information provided on the Firewall module overview page:
GUI Element
|
Action/Description
|
Module Details pane
|
Descriptor field
|
Textual identifier of this module.
|
Model field
|
Model number of this module.
|
Slot Number field
|
Device slot in which this module is located.
|
Status field
|
Current status of this module.
|
Software Version field
|
Software version of this module.
|
Hardware Version field
|
Hardware version of this module.
|
Firmware Version field
|
Firmware version of this module.
|
Serial Number field
|
Serial number of this module.
|
Total Memory field
|
Total memory available on this module.
|
Total Flash field
|
Total flash memory available on this module.
|
Service Details pane
|
This pane lists applicable service detail information. See Service Details.
|
VLAN Groups pane - root node selected
|
When the root node is selected in the VLAN Groups selector, this pane lists the VLAN groups that are configured on this device. See Configuring VLAN Groups.
|
VLAN Groups pane - VLAN group selected
|
When a VLAN group is selected in the VLAN Groups selector, this pane lists the VLANs associated with that VLAN group. See Configuring VLANs in a VLAN Group.
|
Service Details
The following table lists the information provided in the Service Details pane:
GUI Element
|
Action/Description
|
Host Name field
|
Name of this module.
|
Domain Name field
|
Name of the domain to which the host belongs.
|
PDM Version field
|
Version of PDM installed on this module.
|
CPU Usage field
|
Percentage of CPU resources being used by this module.
|
Memory Usage field
|
Percentage of flash memory being used by this module.
|
Number of Firewall Interfaces field
|
Number of firewall interfaces configured on this module.
Note This field is available only in single mode.
|
Number of Firewall Contexts field
|
Number of firewall contexts configured on this module.
Note This field is available only in multiple mode.
|
Number of Assigned VLANs field
|
Number of VLANs assigned on this module.
|
HTTP Server field
|
Indicates whether the HTTP server is enabled on this module.
Note This field is available only in single mode.
|
Configuring VLAN Groups
When the root node is selected in the VLAN Groups selector, the information in the following table is displayed:
GUI Element
|
Action/Description
|
VLAN Groups selector
|
Displays the VLAN groups that are configured on the device.
|
VLAN Group column
|
Numerical identifier for this VLAN group.
|
VLAN IDs column
|
VLANs that belong to this VLAN group.
|
Assigned column
|
Indicates whether this VLAN Group has been assigned to the firewall module.
|
VLAN Group button
|
With a VLAN group selected in the table, click this button, then select one of the following:
• Assign—To assign this VLAN group to the firewall module.
• Unassign—To unassign this VLAN group from the firewall module.
|
Add button
|
Click to add a VLAN group. See Adding a VLAN Group.
|
Edit button
|
Click to edit the selected VLAN group. See Editing a VLAN Group.
|
Delete button
|
Click to delete the selected VLAN group.
|
Related Topics
• Adding a VLAN Group
• Editing a VLAN Group
• Entering a VLAN Range
• Selecting a VLAN Group
Adding a VLAN Group
Procedure
Step 1
Click Services in the task bar, then click Firewall from the left-most pane.
Step 2
In the VLAN Groups pane, with the root node selected in the VLAN Groups selector, click Add. The Add VLAN Group dialog box appears.
Step 3
Enter the information specified in the following table:
GUI Element
|
Action/Description
|
Group ID field
|
Enter the numerical identifier for the VLAN group.
|
Assign this Group to Firewall: Slot X check box
|
Select to assign this VLAN group to the selected firewall module.
|
Add VLANs to Group pane
|
Selected VLANs field
|
Indicates the VLANs to be added to the VLAN group. Do one of the following:
• Click to open the Enter VLAN Range dialog box. See Entering a VLAN Range.
• In the Add column, select the check box for the VLANs to add to the VLAN group.
|
VLAN ID column
|
Numerical identifier for a VLAN.
|
Add column
|
Select the check box for the VLANs to add to the VLAN group.
|
Related Topics
• Configuring VLAN Groups
• Editing a VLAN Group
• Entering a VLAN Range
• Selecting a VLAN Group
Editing a VLAN Group
Procedure
Step 1
Click Services in the task bar, then click Firewall from the left-most pane.
Step 2
In the VLAN Groups pane, with the root node selected in the VLAN Groups selector, do one of the following:
• Select a VLAN group in the VLAN Group column, then click Edit.
• Double-click a VLAN group in the VLAN Group column.
The Edit VLAN Group dialog box appears.
Step 3
Edit the information specified in the following table:
GUI Element
|
Action/Description
|
Group ID field
|
Numerical identifier for the selected VLAN group. This field cannot be edited.
|
Assign this Group to Firewall: Slot X check box
|
Select to assign this VLAN group to the selected firewall module.
|
Add VLANs to Group pane
|
Selected VLANs field
|
Indicates the VLANs that belong to the selected VLAN group. To make changes, do one of the following:
• Click to open the Enter VLAN Range dialog box. See Entering a VLAN Range.
• In the Add column, select or deselect the check box for the VLANs to add to or remove from the selected VLAN group.
|
VLAN ID column
|
Numerical identifier for the VLAN. This field cannot be edited.
|
Add column
|
Select the check box for the VLANs to add to or remove from the selected VLAN group.
|
Related Topics
• Configuring VLAN Groups
• Adding a VLAN Group
• Entering a VLAN Range
• Selecting a VLAN Group
Entering a VLAN Range
Procedure
Step 1
Click Services in the task bar, then click Firewall from the left-most pane.
Step 2
In the VLAN Groups pane, do one of the following:
• With the root node selected in the VLAN Groups selector, click Add. The Add VLAN Group dialog box appears.
• Select a VLAN group in the VLAN Group column, then click Edit. The Edit VLAN Group dialog box appears.
Note
To open the Edit VLAN Group dialog box, you can also double-click a VLAN group in the VLAN Group column.
Step 3
In the Add VLANs to Group pane, click
. The Enter VLAN Range dialog box appears.
Step 4
In the VLAN Range field, enter the VLANs to add, then click OK.
For example, to add VLANs 22 through 27 and VLAN 35 to a VLAN group, you would enter 22-27,35.
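The range notation from Step 4 can be expanded and validated before it is typed into the dialog box. The following Python code is an added example, not part of DM 6500/7600; the function names are constructed, the 1-4094 bound is the usable IEEE 802.1Q VLAN ID space, and the check for VLANs listed in more than one group is a review aid rather than a rule stated on this page.

```python
import re

# Usable IEEE 802.1Q VLAN IDs (0 and 4095 are reserved).
VLAN_MIN, VLAN_MAX = 1, 4094
TOKEN = re.compile(r"([0-9]+)(?:-([0-9]+))?")


def parse_vlan_range(text):
    """Expand a string such as '22-27,35' into a sorted list of VLAN IDs."""
    vlans = set()
    for raw in text.split(","):
        token = raw.strip()
        match = TOKEN.fullmatch(token)
        if not match:
            raise ValueError(f"malformed VLAN range token: {token!r}")
        start = int(match.group(1))
        end = int(match.group(2)) if match.group(2) else start
        if start > end:
            raise ValueError(f"reversed range: {token!r}")
        if start < VLAN_MIN or end > VLAN_MAX:
            raise ValueError(f"VLAN ID outside {VLAN_MIN}-{VLAN_MAX}: {token!r}")
        vlans.update(range(start, end + 1))
    return sorted(vlans)


def format_vlan_range(vlans):
    """Collapse VLAN IDs back into the compact 'a-b,c' notation."""
    ordered = sorted(set(vlans))
    parts = []
    i = 0
    while i < len(ordered):
        j = i
        # Extend the run while the next ID is consecutive.
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        parts.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(parts)


def shared_vlans(groups):
    """Map each VLAN found in more than one group to the group IDs that list it.

    `groups` maps a VLAN group ID to its range string (constructed input format).
    """
    seen = {}
    for group_id, text in groups.items():
        for vlan in parse_vlan_range(text):
            seen.setdefault(vlan, []).append(group_id)
    return {vlan: ids for vlan, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    # Constructed sample: two VLAN groups as they might be planned on paper.
    planned = {10: "22-27,35", 20: "30-35"}
    for gid, text in planned.items():
        print(gid, parse_vlan_range(text), "->", format_vlan_range(parse_vlan_range(text)))
    print("listed in more than one group:", shared_vlans(planned))
```
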
Related Topics
• Configuring VLAN Groups
• Adding a VLAN Group
• Editing a VLAN Group
• Selecting a VLAN Group
Selecting a VLAN Group
This dialog box lists the VLAN groups that are configured on the device, as well as the VLANs associated with each group. Select a VLAN group, then click OK to continue.
Related Topics
• Configuring VLAN Groups
• Adding a VLAN Group
• Editing a VLAN Group
• Entering a VLAN Range
Configuring VLANs in a VLAN Group
When a VLAN group is selected in the VLAN Groups selector, the information in the following table is displayed:
GUI Element
|
Action/Description
|
VLAN Groups selector
|
Displays the VLAN groups that are configured on the device.
|
Misconfigured VLAN graphic:
|
Indicates that the VLAN is configured incorrectly on this device.
|
VLAN ID column
|
Numerical identifier for this VLAN.
|
VLAN Name column
|
Name of this VLAN.
|
Ports column
|
Ports that belong to this VLAN in Access and/or Trunk mode.
|
Add button
|
Click to add a VLAN to the selected VLAN group. See Adding a VLAN to a VLAN Group.
|
Edit button
|
Click to edit the selected VLAN. See Editing a VLAN in a VLAN Group.
|
Delete button
|
Click to delete the selected VLAN.
|
Related Topics
• Adding a VLAN to a VLAN Group
• Editing a VLAN in a VLAN Group
Adding a VLAN to a VLAN Group
Procedure
Step 1
Click Services in the task bar, then click Firewall from the left-most pane.
Step 2
Select a VLAN group in the VLAN Groups selector, then click Add. The VLAN Group X: Add VLAN dialog box appears.
Step 3
Enter the information specified in the following table:
GUI Element
|
Action
|
VLAN ID field
|
Specify the VLAN to be added to the selected VLAN group.
Click , then select one of the following:
• Select VLAN: Opens the VLAN Selector dialog box. See VLAN Selector.
• Create VLAN: Opens the Create VLAN dialog box. See Create VLAN Dialog Box.
• Clear VLAN: Clears the VLAN that is specified in this field.
|
Port Assignment pane
|
Access Ports field
|
Specify the access ports associated with this VLAN.
Click to open the Port Selector dialog box. See Port Selector.
|
Trunk Ports field
|
Specify the trunk ports associated with this VLAN.
Click to open the Port Selector dialog box. See Port Selector.
|
Related Topics
• Configuring VLANs in a VLAN Group
• Editing a VLAN in a VLAN Group
Editing a VLAN in a VLAN Group
Procedure
Step 1
Click Services in the task bar, then click Firewall from the left-most pane.
Step 2
Select a VLAN group in the VLAN Groups selector.
Step 3
In the VLAN Groups pane, do one of the following:
• With a VLAN selected in the VLAN ID column, click Edit.
• Double-click a VLAN in the VLAN ID column.
The VLAN Group X: Edit VLAN dialog box appears.
Step 4
Edit the information specified in the following table:
GUI Element
|
Action/Description
|
VLAN ID field
|
Numerical identifier for the selected VLAN. This field cannot be edited.
|
Port Assignment pane
|
Access Ports
|
Edit the access ports associated with this VLAN.
Click to open the Port Selector dialog box. See Port Selector.
|
Trunk Ports
|
Edit the trunk ports associated with this VLAN.
Click to open the Port Selector dialog box. See Port Selector.
|
Related Topics
• Configuring VLANs in a VLAN Group
• Adding a VLAN to a VLAN Group
Security Context Overview
You can partition a single FWSM into multiple virtual firewalls, known as security contexts. Each context is an independent system, with its own security policy, interfaces, and administrators. Multiple contexts are equivalent to having multiple standalone firewalls.
The FWSM runs in one of two modes: single mode or multiple mode. In single mode, any changes that you make affect the entire module. In multiple mode, a number of contexts are configured with only one having administrative privileges at any given time: the Admin context. Unlike in single mode, the changes made to a context in multiple mode apply only to that context.
Note
You cannot enable or disable multiple mode from within DM 6500/7600. For instructions on how to do so, refer to the documentation provided with your firewall module.
Related Topics
• Configuring Firewall Contexts
• Firewall Context Details
Configuring Firewall Contexts
The Contexts overview page displays the firewall contexts configured on this module. Keep in mind that context management is only available in multiple mode.
To access this page, click Services in the task bar, click Firewall from the left-most pane, then select Contexts from the selector.
The following table describes the information provided on this page:
GUI Element
|
Action/Description
|
Name column
|
Name of the context.
|
Description column
|
Description of the context.
|
Config URL column
|
Configuration URL for the context.
|
Allocated VLANs column
|
Number of VLANs allocated to the context.
|
Add button
|
Click to add a context. See Adding a Context.
|
Edit button
|
Click to edit the selected context. See Editing a Context.
|
Delete button
|
Click to delete the selected context.
|
Related Topics
• Adding a Context
• Editing a Context
Adding a Context
Procedure
Step 1
Click Services in the task bar, click Firewall from the left-most pane, then select Contexts from the selector.
Step 2
In the Contexts pane, click Add. The Add Firewall Context dialog box appears.
Step 3
Enter the information specified in the following table:
GUI Element
|
Action/Description
|
Name field
|
Enter the name of the context.
|
Config URL field
|
Enter the configuration URL for the context.
You can download a context from either a server (FTP, TFTP, HTTP, or HTTPS) or the local disk. The URL syntax for each is as follows:
• server type://server/path/filename
• disk://path/filename
where server type is the type of server, server is the IP address of the appropriate server, path is the directory that contains the context file, and filename is the name of the context file.
Please note the following:
• The URL you specify must be accessible from the Admin context.
• The Admin context file must be stored on the local disk.
• It is recommended that you append the .cfg extension to the context filename.
|
Description field
|
Enter a description of the context.
|
Make This Firewall Context the Admin Context check box
|
Select to designate this context as the Admin context.
|
Allocate VLANs to Context pane
|
VLAN ID column
|
Numerical identifier of the VLAN. This field cannot be edited.
|
Allocate check box
|
Select to allocate the selected VLAN to the context.
|
Alias column
|
Enter the alias for the VLAN.
|
VLAN Group column
|
Specify the VLAN group to which the VLAN belongs.
Click to open the Select VLAN Group dialog box. See Selecting a VLAN Group.
|
Add button
|
Click to open the Enter VLAN Range dialog box.
|
Related Topics
• Configuring Firewall Contexts
• Editing a Context
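The Config URL rules given for the Create Firewall Context and Add Firewall Context dialog boxes can be checked against a planned list of contexts before the values are entered. The following Python code is an added example, not part of DM 6500/7600; the function names, finding codes, and sample contexts are constructed, and the cleartext warning reflects that FTP, TFTP, and HTTP carry the context file without encryption.

```python
import ipaddress
from urllib.parse import urlsplit

# Server types listed for the Config URL field; "disk" is the local disk form.
SERVER_SCHEMES = {"ftp", "tftp", "http", "https"}
CLEARTEXT_SCHEMES = {"ftp", "tftp", "http"}


def check_config_url(url, is_admin=False):
    """Return a list of (severity, code) findings for one context Config URL."""
    findings = []
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return [("error", "BAD_URL")]
    scheme = parts.scheme.lower()

    if scheme == "disk":
        # disk://path/filename has no server part; urlsplit places the first
        # path segment in netloc, so rejoin it with the rest of the path.
        file_path = parts.netloc + parts.path
    elif scheme in SERVER_SCHEMES:
        file_path = parts.path
        # The documented syntax expects the server as an IP address.
        try:
            ipaddress.ip_address(parts.hostname or "")
        except ValueError:
            findings.append(("error", "SERVER_NOT_IP"))
        if scheme in CLEARTEXT_SCHEMES:
            findings.append(("warning", "CLEARTEXT_TRANSFER"))
    else:
        return [("error", "BAD_SCHEME")]

    filename = file_path.rsplit("/", 1)[-1]
    if not filename:
        findings.append(("error", "NO_FILENAME"))
    elif not filename.lower().endswith(".cfg"):
        findings.append(("warning", "NO_CFG_EXTENSION"))

    # The Admin context file must be stored on the local disk.
    if is_admin and scheme != "disk":
        findings.append(("error", "ADMIN_NOT_ON_DISK"))
    return findings


def audit_contexts(contexts):
    """Check every planned context and confirm exactly one is the Admin context."""
    report = {
        c["name"]: check_config_url(c["config_url"], c.get("admin", False))
        for c in contexts
    }
    admins = [c["name"] for c in contexts if c.get("admin")]
    if len(admins) != 1:
        report["(module)"] = [("error", "ADMIN_CONTEXT_COUNT")]
    return report


# Constructed sample input; addresses come from documentation ranges.
SAMPLE_CONTEXTS = [
    {"name": "admin", "config_url": "disk://admin.cfg", "admin": True},
    {"name": "dept1", "config_url": "tftp://192.0.2.10/contexts/dept1.cfg"},
    {"name": "dept2", "config_url": "https://192.0.2.10/contexts/dept2"},
    {"name": "dept3", "config_url": "scp://192.0.2.10/contexts/dept3.cfg"},
    {"name": "dept4", "config_url": "http://cfg.example.test/contexts/dept4.cfg"},
]

if __name__ == "__main__":
    for name, findings in audit_contexts(SAMPLE_CONTEXTS).items():
        print(name, findings or "ok")
```
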
Entering a VLAN Range
GUI Element
|
Action
|
VLAN Range field
|
Enter the VLANs to add to the Allocate VLANs to Context table.
For example, to add VLAN 22 through VLAN 27, you would enter 22-27 in this field.
|
Start Alias field
|
Enter the alias for these VLANs.
|
Editing a Context
Procedure
Step 1
Click Services in the task bar, click Firewall from the left-most pane, then select Contexts from the selector.
Step 2
With a context selected in the Contexts pane, click Edit. The Edit Firewall Context dialog box appears.
Note
The Edit Firewall Context dialog box also appears if you double-click a context.
Step 3
Edit the information specified in the following table:
GUI Element
|
Action/Description
|
Name field
|
Name of the selected context. This field cannot be edited.
|
Config URL field
|
Configuration URL for the selected context. This field cannot be edited.
|
Description field
|
Edit the description of the selected context.
|
Make This Firewall Context the Admin Context check box
|
Select to designate this context as the Admin context. This option is not available if the selected context is already the Admin context.
|
Allocate VLANs to Context pane
|
VLAN ID column
|
Numerical identifier of the VLAN. This field cannot be edited.
|
Allocate check box
|
Select to allocate the selected VLAN to this context.
|
Alias column
|
Edit the alias for the VLAN.
|
VLAN Group column
|
Edit the VLAN group to which the VLAN belongs.
Click to open the Select VLAN Group dialog box. See Selecting a VLAN Group.
|
Related Topics
• Configuring Firewall Contexts
• Adding a Context
Firewall Context Details
The Firewall Contexts Details page displays the parameters for the selected firewall context. To access this page, click Services in the task bar, click Firewall from the left-most pane, then select a context from the selector.
The following table describes the information provided on this page:
GUI Element
|
Action/Description
|
Context Name field
|
Name of the selected context.
|
Config URL field
|
Configuration URL for the selected context.
|
Admin field
|
Indicates whether the selected context is configured as the admin context.
|
Description field
|
Description of the selected context.
|
Host Name field
|
Host name of the selected context.
|
Domain Name field
|
Domain name of the selected context.
|
Number of Firewall Interfaces field
|
Number of firewall interfaces configured for the selected context.
|
Number of Allocated VLANs field
|
Number of VLANs allocated to the selected context.
|
HTTP Server field
|
Indicates whether the HTTP server is enabled for the selected context.
|
Misconfigured VLAN graphic:
|
Indicates that the VLAN is configured incorrectly on this device.
|
VLAN ID column
|
Numerical identifier for this VLAN.
|
VLAN Name column
|
Name of this VLAN.
|
Alias column
|
Alias for this VLAN.
|
Add button
|
Click to launch the Add Allocate VLAN dialog box.
|
Edit button
|
Click to launch the Edit Allocate VLAN dialog box.
|
Delete button
|
Click to delete the selected VLAN.
|
Related Topics
• Allocate VLAN
• Edit Allocated VLAN
Allocate VLAN
Procedure
Step 1
Click Services in the task bar, click Firewall from the left-most pane, then select a context from the selector.
Step 2
From the bottom half of the window, click Add. The Add Allocated VLAN dialog box appears.
Step 3
Edit the information specified in the following table:
GUI Element | Action
VLAN ID list | Specify the VLAN to be allocated to the selected context. Click , then select one of the following:
  • Select VLAN: Opens the VLAN Selector dialog box. See VLAN Selector.
  • Create VLAN: Opens the Create VLAN dialog box. See Create VLAN Dialog Box.
  • Clear VLAN: Clears the VLAN that is specified in this field.
Alias field | Enter the alias for this VLAN.
VLAN Group field | Specify the VLAN group to which this VLAN belongs. Click to open the Select VLAN Group dialog box. See Selecting a VLAN Group.
Related Topics
• Firewall Context Details
• Edit Allocated VLAN
Edit Allocated VLAN
Procedure
Step 1
Click Services in the task bar, click Firewall from the left-most pane, then select a context from the selector.
Step 2
With a VLAN selected, click Edit in the bottom half of the window. The Edit Allocate VLAN dialog box appears.
Step 3
Edit the information specified in the following table.
GUI Element | Action/Description
VLAN ID field | Numerical identifier of the selected VLAN. This field cannot be edited.
Alias field | Edit the alias for the selected VLAN.
VLAN Group field | Edit the VLAN group to which this VLAN belongs. Click to open the Select VLAN Group dialog box. See Selecting a VLAN Group.
Related Topics
• Firewall Context Details
• Allocate VLAN
Configuring Firewall Interfaces
The Interfaces overview page displays the firewall interfaces configured on this module. Although this page looks the same in both single and multiple modes, keep in mind that:
• The information provided on the single mode page applies to the firewall module as a whole.
• The information provided on the multiple mode page applies only to the selected context.
Note
For more information on single and multiple modes, see Security Context Overview.
To access this page, click Services in the task bar, click Firewall from the left-most pane, then select Interfaces (for either the module in single mode or the selected context in multiple mode) from the selector.
The following table describes the information provided on this page:
GUI Element | Action/Description
Misconfigured VLAN graphic: | Indicates that the VLAN is configured incorrectly on this device.
VLAN ID column | Corresponding VLAN for an interface.
VLAN Name column | Name of the corresponding VLAN for an interface.
Interface Name column | Name of an interface.
IP Address/Mask column | IP address/mask of an interface.
Security Level (0-100) column | Security level set for the interface. Higher values indicate higher security levels.
  • The value 100 indicates that this is an inside interface.
  • The value 0 indicates that this is an outside interface.
Add button | Click to add an interface. See Adding a Firewall Module Interface.
Edit button | Click to edit the selected interface. See Editing a Firewall Module Interface.
Delete button | Click to delete the selected interface.
Related Topics
• Adding a Firewall Module Interface
• Editing a Firewall Module Interface
Adding a Firewall Module Interface
Procedure
Step 1
Click Services in the task bar, click Firewall from the left-most pane, then select Interfaces (for either the module in single mode or the selected context in multiple mode) from the selector.
Step 2
Click Add. The Add Firewall Interface dialog box appears.
Step 3
Enter the information specified in the following table.
GUI Element | Action
VLAN ID list | Specify the VLAN associated with the interface. Click , then select one of the following:
  • Select VLAN: Opens the VLAN Selector dialog box. See VLAN Selector.
    Note If you select a VLAN that has not already been assigned to this module, DM 6500/7600 assigns this VLAN to a VLAN group for you.
  • Create VLAN: Opens the Create VLAN dialog box. See Create VLAN Dialog Box.
  • Clear VLAN: Clears the VLAN that is specified in this field.
Interface Name field | Enter the name of the interface.
IP Address field | Enter the IP address of the interface.
Mask field | Enter the subnet mask to which the specified IP address belongs. You can either type a value or select one from the list.
VLAN Group field | Specify the VLAN group associated with the interface. Click to open the Select VLAN Group dialog box. See Selecting a VLAN Group.
Security Level (0-100) field | Enter the security level for the interface. Higher values indicate higher security levels.
  • The value 100 indicates that this is an inside interface.
  • The value 0 indicates that this is an outside interface.
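A pre-check for a planned set of interface entries, as an added example that is not part of the Cisco documentation: it validates the fields from the table above (VLAN ID, interface name, IP address, mask, security level 0-100) before they are entered in the Add Firewall Interface dialog box. The names validate_plan and SAMPLE_PLAN are hypothetical, the sample rows are constructed, and every check other than the 0-100 range (unique VLAN ID and name, non-overlapping subnets, no network or broadcast address) is an assumption of this example rather than a rule stated on this page.

```python
import ipaddress

# Constructed sample plan (not from the Cisco page): one dict per row that
# would be typed into the Add Firewall Interface dialog box.
SAMPLE_PLAN = [
    {"vlan": 100, "name": "inside", "ip": "10.1.1.1", "mask": "255.255.255.0", "level": 100},
    {"vlan": 200, "name": "outside", "ip": "192.0.2.1", "mask": "255.255.255.0", "level": 0},
    {"vlan": 300, "name": "dmz", "ip": "10.1.1.129", "mask": "255.255.255.128", "level": 50},
    {"vlan": 300, "name": "lab", "ip": "172.16.0.0", "mask": "255.255.0.255", "level": 101},
]


def validate_plan(plan):
    """Return a list of (interface name, problem) tuples; empty means clean."""
    problems, seen_vlans, seen_names, nets = [], set(), set(), []
    for row in plan:
        name = row["name"]
        # The page defines the security level as a value from 0 to 100.
        if not isinstance(row["level"], int) or not 0 <= row["level"] <= 100:
            problems.append((name, "security level outside 0-100"))
        # Assumption: one interface per VLAN ID and per interface name.
        if row["vlan"] in seen_vlans:
            problems.append((name, "VLAN ID already used by another interface"))
        if name in seen_names:
            problems.append((name, "duplicate interface name"))
        seen_vlans.add(row["vlan"])
        seen_names.add(name)
        try:
            # ip_interface rejects malformed addresses and non-contiguous masks.
            iface = ipaddress.ip_interface(f"{row['ip']}/{row['mask']}")
        except ValueError:
            problems.append((name, "invalid IP address or mask"))
            continue
        net = iface.network
        # Assumption: a host address is expected, except on /31 and /32.
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            problems.append((name, "IP is the network or broadcast address"))
        # Assumption: interfaces in one plan should not share address space.
        for other_name, other_net in nets:
            if net.overlaps(other_net):
                problems.append((name, f"subnet overlaps {other_name}"))
        nets.append((name, net))
    return problems
```
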
Related Topics
• Configuring Firewall Interfaces
• Editing a Firewall Module Interface
Editing a Firewall Module Interface
Procedure
Step 1
Click Services in the task bar, click Firewall from the left-most pane, then select Interfaces (for either the module in single mode or the selected context in multiple mode) from the selector.
Step 2
With an interface selected, click Edit. The Edit Firewall Interface dialog box appears.
Note
The Edit Firewall Interface dialog box also appears if you double-click an interface.
Edit the information specified in the following table:
GUI Element | Action/Description
VLAN ID field | VLAN associated with the selected interface. This field cannot be edited.
Interface Name field | Name of the selected interface. This field cannot be edited.
IP Address field | Edit the IP address of the selected interface.
Mask field | Edit the subnet mask to which the specified IP address belongs. You can either type a value or select one from the list.
VLAN Group field | Edit the VLAN group associated with the selected interface. Click to open the Select VLAN Group dialog box. See Selecting a VLAN Group.
Security Level (0-100) field | Edit the security level for the selected interface. Higher values indicate higher security levels.
  • The value 100 indicates that this is an inside interface.
  • The value 0 indicates that this is an outside interface.
Related Topics
• Configuring Firewall Interfaces
• Adding a Firewall Module Interface