-
Catalyst 6500 Series Software Configuration Guide, 8.7
-
Index
-
Preface
-
Product Overview
-
Command-Line Interfaces
-
Configuring the Switch IP Address and Default Gateway
-
Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching
-
Configuring Ethernet VLAN Trunks
-
Configuring EtherChannel
-
Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling
-
Configuring Spanning Tree
-
Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard
-
Configuring VTP
-
Configuring VLANs
-
Configuring InterVLAN Routing
-
Configuring CEF for PFC2/PFC3
-
Configuring MLS
-
Configuring Access Control
-
Configuring NDE
-
Configuring GVRP
-
Configuring MVRP
-
Configuring Dynamic Port VLAN Membership with VMPS
-
Checking Status and Connectivity
-
Configuring Online Diagnostics
-
Administering the Switch
-
Configuring Redundancy
-
Configuring NSF with SSO MSFC Redundancy
-
Modifying the Switch Boot Configuration
-
Working with the Flash File System
-
Working with System Software Images
-
Working with Configuration Files
-
Configuring System Message Logging
-
Configuring DNS
-
Configuring CDP
-
Configuring UDLD
-
Configuring DHCP Snooping and IP Source Guard
-
Configuring NTP
-
Configuring Broadcast Suppression
-
Configuring Layer 3 Protocol Filtering
-
Configuring the IP Permit List
-
Configuring Port Security
-
Configuring Switch Access Using AAA
-
Configuring 802.1x Authentication
-
Configuring MAC Authentication Bypass
-
Configuring Web-Based Proxy Authentication
-
Tracking Host Aging
-
Configuring Network Admission Control
-
Configuring Unicast Flood Blocking
-
Configuring SNMP
-
Configuring RMON
-
Configuring SPAN, RSPAN and the Mini Protocol Analyzer
-
Using Switch TopN Reports
-
Configuring Multicast Services
-
Configuring QoS
-
Configuring Automatic QoS
-
Configuring ASLB
-
Configuring the Switch Fabric Module
-
Configuring a VoIP Network
-
Configuring MSFC IOS Features
-
Acronyms
-
Table Of Contents
Working with Configuration Files
Working with the Configuration Files on the Switch
Creating and Using Configuration File Guidelines
Downloading the Configuration Files to the Switch Using TFTP
Preparing to Download a Configuration File Using TFTP
Configuring the Switch Using a File on a TFTP Server
Configuring the Switch Using a File on a Flash Device
Uploading the Configuration Files to a TFTP Server
Preparing to Upload a Configuration File to a TFTP Server
Uploading a Configuration File to a TFTP Server
Copying the Configuration Files Using SCP or rcp
Downloading the Configuration Files from an rcp or SCP Server
Preparing to Download a Configuration File Using rcp or SCP
Configuring the Switch Using a File on an rcp or SCP Server
Uploading Configuration Files to an rcp or SCP Server
Preparing to Upload a Configuration File to an rcp or SCP Server
Uploading a Configuration File to an rcp or SCP Server
Comparing the Configuration Files
Creating the Configuration Checkpoint Files for Configuration Rollback
Working with the Configuration Files on the MSFC
Uploading the Configuration File to a TFTP Server
Uploading the Configuration File to the Supervisor Engine Flash PC Card
Downloading the Configuration File from a Remote Host
Downloading the Configuration File from the Supervisor Engine Flash PC Card
Working with Configuration Files
This chapter describes how to work with the switch configuration files on the Catalyst 6500 series switches.
Note
For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
Note
This chapter consists of these sections:
•
•
Working with the Configuration Files on the Switch
These sections describe how to work with the configuration files on the switch:
•
•
•
•
•
•
•
•
•
Note
Creating and Using Configuration File Guidelines
Creating configuration files can help you configure your switch. The configuration files can contain some or all the commands that are needed to configure one or more switches. For example, you might want to download the same configuration file to several switches that have the same hardware configuration so that they have identical module and port configurations.
This section describes the guidelines for creating a configuration file:
•
•
If the passwords already exist, you cannot enter the set password and set enablepass commands because the password verification will fail. If you enter the passwords in the configuration file, the switch mistakenly attempts to execute the passwords as commands as it executes the file.
•
Include a blank line after each occurrence of these commands in a configuration file:
–
–
–
–
Creating a Configuration File
When creating a configuration file, you must list the commands in a logical way so that the system can respond appropriately. To create a configuration file, perform these steps:
Step 1
Step 2
Step 3
Step 4
Step 5
This example shows an example configuration file. This file could be used to set the Domain Name System (DNS) configuration on multiple switches.
begin!#dnsset ip dns server 172.16.10.70 primaryset ip dns server 172.16.10.140set ip dns enableset ip dns domain corp.comendDownloading the Configuration Files to the Switch Using TFTP
You can configure the switch using the configuration files that you create or download from another switch. In addition, you can store the configuration files on the flash devices on the hardware that supports the flash file system, and you can configure the switch using a configuration that is stored on a flash device.
These sections describe how to configure the switch using the configuration files that are downloaded from a TFTP server or that are stored on a flash device:
•
•
•
Preparing to Download a Configuration File Using TFTP
Before you begin downloading a configuration file using TFTP, do the following:
•
tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -p -s /tftpbootMake sure that the /etc/services file contains this line:
tftp 69/udp
Note
•
•
•
Configuring the Switch Using a File on a TFTP Server
To configure the switch using a configuration file that is downloaded from a TFTP server, perform these steps:
Step 1
Step 2
Step 3
The configuration file downloads and the commands are executed as the file is parsed line by line.
This example shows how to configure the switch using a configuration file that is downloaded from a TFTP server:
Console> (enable) copy tftp configIP address or name of remote host []? 172.20.52.3Name of file to copy from []? dns-config.cfgConfigure using tftp:dns-config.cfg (y/n) [n]? y/Finished network download. (134 bytes)>>>> set ip dns server 172.16.10.70 primary172.16.10.70 added to DNS server table as primary server.>> set ip dns server 172.16.10.140172.16.10.140 added to DNS server table as backup server.>> set ip dns enableDNS is enabled>> set ip dns domain corp.comDefault DNS domain name set to corp.comConsole> (enable)Configuring the Switch Using a File on a Flash Device
To configure a switch using a configuration file that is stored on a flash device in the flash file system, perform these steps:
Step 1
Step 2
Step 3
The commands are executed as the file is parsed line by line.
This example shows how to configure the switch using a configuration file that is stored on a flash device:
Console> (enable) copy slot0:dns-config.cfg configConfigure using slot0:dns-config.cfg (y/n) [n]? yFinished network download. (134 bytes)>>>> set ip dns server 172.16.10.70 primary172.16.10.70 added to DNS server table as primary server.>> set ip dns server 172.16.10.140172.16.10.140 added to DNS server table as backup server.>> set ip dns enableDNS is enabled>> set ip dns domain corp.comDefault DNS domain name set to corp.comConsole> (enable)Uploading the Configuration Files to a TFTP Server
These sections describe how to upload the running configuration or a configuration file that is stored on a flash device to a TFTP server:
•
•
Preparing to Upload a Configuration File to a TFTP Server
Before you attempt to upload a configuration file to a TFTP server, do the following:
•
tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -p -s /tftpbootMake sure that the /etc/services file contains this line:
tftp 69/udp
Note
•
•
•
Uploading a Configuration File to a TFTP Server
To upload a configuration file from a switch to a TFTP server for storage, perform these steps:
Step 1
Step 2
The file is uploaded to the TFTP server.
This example shows how to upload the running configuration to a TFTP server for storage:
Console> (enable) copy config tftpIP address or name of remote host []? 172.20.52.3Name of file to copy to []? cat6000_config.cfgUpload configuration to tftp:cat6000_config.cfg, (y/n) [n]? y............................................./Configuration has been copied successfully.Console> (enable)Copying the Configuration Files Using SCP or rcp
This section describes how to copy the files using SCP or rcp:
rcp Overview
Remote copy protocol (rcp) provides another method of downloading, uploading, and copying the configuration files between the remote hosts and the switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, rcp uses Transmission Control Protocol (TCP), which is connection oriented.
To use rcp to copy the files, the server from or to which you will be copying the files must support rcp. The rcp copy commands rely on the rsh server (or daemon) on the remote system. To copy the files using rcp, you do not need to create a server for file distribution, as you do with TFTP. You need only to have access to a server that supports the remote shell (rsh). (Most UNIX systems support rsh.) Because you are copying a file from one place to another, you must have read permission on the source file and write permission on the destination file. If the destination file does not exist, rcp creates it for you.
SCP Overview
The Secure Copy (SCP) provides a secure method for copying the crypto image files. SCP relies on Secure Shell (SSH) and allows you to copy a crypto file to and from the system through an encrypted channel.
Downloading the Configuration Files from an rcp or SCP Server
These sections describe how to download a configuration file from an rcp or SCP server to the running configuration or to a flash device:
•
•
Preparing to Download a Configuration File Using rcp or SCP
Before you begin downloading a configuration file using rcp or SCP, do the following:
•
•
•
•
Configuring the Switch Using a File on an rcp or SCP Server
To configure a Catalyst 6500 series switch using a configuration file that is downloaded from an rcp or SCP server, perform these steps:
Step 1
Step 2
Step 3
The configuration file downloads and the commands are executed as the file is parsed line by line.
This example shows how to configure a Catalyst 6500 series switch using a configuration file that is downloaded from a server:
Console> (enable) copy rcp configIP address or name of remote host []? 172.20.52.3Name of file to copy from []? dns-config.cfgConfigure using rcp:dns-config.cfg (y/n) [n]? y/Finished network download. (134 bytes)>>>> set ip dns server 172.16.10.70 primary172.16.10.70 added to DNS server table as primary server.>> set ip dns server 172.16.10.140172.16.10.140 added to DNS server table as backup server.>> set ip dns enableDNS is enabled>> set ip dns domain corp.comDefault DNS domain name set to corp.comConsole> (enable)Uploading Configuration Files to an rcp or SCP Server
These sections describe how to upload the running configuration or a configuration file that is stored on a flash device to an rcp or SCP server:
•
•
Preparing to Upload a Configuration File to an rcp or SCP Server
Before you attempt to upload a configuration file to an rcp or SCP server, do the following:
•
•
•
Uploading a Configuration File to an rcp or SCP Server
To upload a configuration file from a switch to an rcp or SCP server for storage, perform these steps:
Step 1
Step 2
The file is uploaded to the server.
This example shows how to upload the running configuration on a Catalyst 6500 series switch to an rcp server for storage:
Console> (enable) copy config rcpIP address or name of remote host []? 172.20.52.3Name of file to copy to []? cat6000_config.cfgUpload configuration to rcp:cat6000_config.cfg, (y/n) [n]? y............................................./Configuration has been copied successfully.Console> (enable)This example shows how to upload the running configuration on a Catalyst 6500 series switch to an SCP server for storage:
Console> (enable) copy scp flash scpIP address or name of remote host []? 172.20.52.3Name of file to copy from []? cat6000-sup720cvk9.8-3-1.binUsername for scp[bob]?Password for User bob[]:CCC/File has been copied successfully.Clearing the Configuration
To clear the configuration on the entire switch, perform this task in privileged mode:
This example shows how to clear the configuration for the entire switch:
Console> (enable) clear config allThis command will clear all configuration in NVRAM.This command will cause ifIndex to be reassigned on the next system startup.Do you want to continue (y/n) [n]? y.....................................System configuration cleared.Console> (enable)To clear the configuration on an individual module, perform this task in privileged mode:
Note
This example shows how to clear the configuration on an individual module:
Console> (enable) clear config 2This command will clear module 2 configuration.Do you want to continue (y/n) [n]? y.............................Module 2 configuration cleared.Console> (enable)To clear the configuration on an individual module port, perform this task in privileged mode:
Comparing the Configuration Files
You can compare the configuration files that are stored on the system to determine the differences between the configuration files or to check if changes have been made to the system configuration. To compare the configuration files, perform this task in privileged mode:
Compare the differences between the configuration files.
show config differences {all file | context val | file | ignorecase}
This example shows how to compare the differences between two different configuration files:
Console> (enable) show config differences 1.cfg 2.cfg--- bootflash:1.cfg+++ bootflash:2.cfg@@ -8,1 +8,1 @@-#version 8.2(0.11-Eng)DEL+#VERSION 8.2(0.11-eNG)del@@ -11,1 +11,1 @@-set config mode text auto-save interval 1+SET CONFIG MODE TEXT AUTO-SAVE INTERVAL 1Console> (enable)This example shows how to compare the differences between the configuration files but to ignore the differences in uppercase or lowercase characters:
Console> (enable) show config differences ignorecase 1.cfg 2.cfgFiles bootflash:1.cfg and bootflash:2.cfg are identicalConsole> (enable)Creating the Configuration Checkpoint Files for Configuration Rollback
You can roll back the current switch configuration file to a previously saved configuration file (also known as a "checkpoint" file) if the current file produces undesirable system results. This rollback feature provides a command to set multiple configuration "checkpoint" files. If you no longer want the current configuration file to run on the switch, you can return to one of these configuration checkpoint files quickly and with the least possible disturbance to switch functionality.
Follow these guidelines when creating the configuration checkpoint files:
•
•
•
•
•
•
•
To create a configuration checkpoint file, perform this task in privileged mode:
Create a configuration checkpoint file.
set config checkpoint [name name]
[device device]Verify the configuration checkpoint filename.
show config checkpoints
This example shows how to create a configuration checkpoint file and verify that it has been created:
Console> (enable) set config checkpointConfiguration checkpoint CKP0_0722040905 creation successful.Console> (enable) show config checkpointsCheckpoint File id Date========== ======= ====CKP0_0722040905 bootflash:CKP0_07220409058.4(0.79)COC Thu Jul 22 2000, 09:05:31Console> (enable)To roll the current configuration file back to a previously created configuration checkpoint file, perform this task in privileged mode:
Roll the current configuration file back to a configuration checkpoint file.
set config rollback name
To clear all the configuration checkpoint files or a particular configuration checkpoint file, perform this task in privileged mode:
This example shows how to clear all configuration checkpoint files and to verify that they have been cleared:
Console> (enable) clear config checkpoint allAll configuration checkpoints cleared.Console> (enable) show config checkpointsNo Checkpoints defined.Console> (enable)Working with the Configuration Files on the MSFC
These sections describe how to work with the configuration files on the Multilayer Switch Feature Card (MSFC):
•
•
•
•
The configuration information resides in two places when the MSFC is operating: the default (permanent) configuration in NVRAM and the running (temporary) memory in RAM. The default configuration always remains available; NVRAM retains the information even when the power is shut down. The current information is lost if the system power is shut down. The current configuration contains all the nondefault configuration information that you added by entering the configure command or the setup command facility, or by editing the configuration file.
The copy running-config startup-config command adds the current configuration to the default configuration in NVRAM, so that it is saved if power is shut down. Whenever you make changes to the system configuration, enter the copy running-config startup-config command to save the new configuration.
If you replace the MSFC, you need to replace the entire configuration. If you upload (copy) the configuration file to a remote server before removing the MSFC, you can retrieve it later and write it into NVRAM on the new MSFC. If you do not upload the configuration file, you need to enter the configure command to reenter the configuration information after you install the new MSFC.
Saving and retrieving the configuration file is not necessary if you are temporarily removing an MSFC that you are going to reinstall; the lithium batteries retain the configuration in memory. This procedure requires the privileged-level access to the EXEC command interpreter, which usually requires a password.
Uploading the Configuration File to a TFTP Server
Before you upload the running configuration to the TFTP file server, ensure the following:
•
•
•
•
To store information on a remote host, enter the privileged write network EXEC command. This command prompts you for the destination host address and a filename and then displays the instructions for confirmation. When you confirm the instructions, the MSFC sends a copy of the currently running configuration to the remote host. The system default is to store the configuration in a file called by the name of the MSFC with -confg appended. You can either accept the default filename by pressing Return at the prompt, or enter a different name before pressing Return.
To upload the currently running configuration to a remote host, perform these steps:
Step 1
Step 2
Step 3
Step 4
Router# write netRemote host []?Step 5
Router# write netRemote host []? servernameTranslating "servername"...domain server (1.1.1.1) [OK]Step 6
Name of configuration file to write [Router-confg]?Write file Router-confg on host 1.1.1.1? [confirm]Writing Router-confg .....Step 7
Write file Router-confg on host 1.1.1.1? [confirm]Writing Router-confg: !!!! [ok]While the MSFC copies the configuration to the remote host, it displays a series of exclamation points (! ! !) or periods (. . .). The ! ! ! and [ok] indicate that the operation is successful. A display of . . . [timed out] or [failed] indicates a failure, which would probably be due to a network fault or the lack of a writable, readable file on the remote file server.
Step 8
If the display indicates that the process failed (with the series of . . . as shown in the following example):
Writing Router-confg .....your configuration was not saved. Repeat the preceding steps, or select a different remote file server and repeat the preceding steps.
If you are unable to copy the configuration to a remote host successfully, contact your network administrator.
Uploading the Configuration File to the Supervisor Engine Flash PC Card
To upload the configuration file to the supervisor engine Flash PC card, perform this task:
Downloading the Configuration File from a Remote Host
After you install the new MSFC, you can retrieve the saved configuration and copy it to NVRAM. Enter configuration mode and specify that you want to configure the MSFC from the network. The system prompts you for a host name and address, the name of the configuration file that is stored on the host, and confirmation to reboot using the remote file.
To download the currently running configuration from a remote host, perform these steps:
Step 1
Note
Step 2
Step 3
Router# configure networkStep 4
Host or network configuration file [host]?Step 5
IP address of remote host [255.255.255.255]? 1.1.1.1Step 6
Name of configuration file [router-confg]?Step 7
Configure using router-confg from 1.1.1.1? [confirm]Booting router-confg from 1.1.1.1: ! ! [OK - 874/16000 bytes]While the MSFC retrieves and boots from the configuration on the remote host, the console display indicates whether or not the operation was successful. A series of !!!! and [OK] (as shown in the preceding example) indicate that the operation was successful. A series of . . . and [timed out] or [failed] indicate a failure (which would probably be due to a network fault or an incorrect server name, address, or filename). This example shows a failed attempt to boot from a remote server:
Booting Router-confg ..... [timed out]Step 8
If the display indicates that the process failed, verify the name or address of the remote server and the filename, and repeat the preceding steps. If you are unable to retrieve the configuration, contact your network administrator.
Step 9
Step 10
Downloading the Configuration File from the Supervisor Engine Flash PC Card
To download the configuration file from the supervisor engine Flash PC card, perform this task:
Working with Profile Files
A profile file allows you to have a customized configuration as the default configuration on the switch. The profile file allows you to load a custom default configuration that enables or disables certain features at bootup or when a new module is installed. With the profile files, you can eliminate the features or processes that may pose security risks (for example, disabling CDP or turning off auto-trunking on a port) to your switch.
A profile file that has most of the security risks disabled is also known as a "lockdown" profile. A lockdown profile changes the functionality of the switch from enabling access to preventing access by default. When a lockdown profile is applied, you must manually enable the features that were disabled by the profile file.
Building Profile Files
The profile file format is similar to the format of a configuration file. You can either create a new profile file or edit a system-generated configuration file.
Caution
If you choose to create the profile files by editing a system-generated configuration file, most of the required notations will already be in the file. The keywords that are currently supported are ALL_MODULES, ALL_PORTS, ALL_MODULE_PORTS, and ALL_VLANS. Do not create a profile file using the output that results from entering the copy config all command as a template because the output includes default configuration information, which increases the size and processing time of the file.
To designate the system profile file that you want to use, perform this task in privileged mode:
This example shows how to designate the device name and the profile filename:
Console> (enable) set system profile bootflash:test.cfgSystem is set to be configured with profile file bootflash:test.cfg.Console> (enable)This example shows how to disable the system profile loading on a specified module:
Console> (enable) set system profile disable 2System profile loading is disabled for module 2.Console> (enable)This example shows a sample lockdown profile file. You can use an exact copy of this file if you want to use what would be considered a typical lockdown profile file as your default configuration. You can also change the file and use the altered version of the file if the parameters of this lockdown profile file does not meet your needs.
begin!# ***** DEFAULT PROFILE *****!!################################### Lockdown Profile version 1.0.3 ###################################!# set system prompt (edit as needed)set prompt locked_down>!# system attributes to be customized (edit as needed)set system name locked_downset system contact locked_downset system location locked_down!# set a strong banner (edit as needed)set banner motd ^Access to this device or the attached networks is prohibitedwithout express permission from the network administrator.Violators will be prosecuted to the fullest extent of both civiland criminal law.^!!## vtp mode off, enable password and dummy domain (edit as needed)set vtp domain locked_downset vtp mode offset vtp passwd locked_down!# default VLAN is "Quarantine" (edit as needed)set vlan 999 name Quarantine!# Management VLAN is "Management" (edit as needed)set vlan 1000 name Management# Alternate management vlan is "OtherMgmt" (edit as needed)set vlan 1001 name OtherMgmt!# sc0 and sc1 off (edit as needed)set interface sc0 downset interface sc0 1000set interface sc1 downset interface sc1 1001!# default port status is disabledset port disable ALL_PORTS!# default cdp status is disabledset cdp disable ALL_PORTS!# default STP status is with BPDU guard enabledset spantree portfast bpdu-guard ALL_PORTS enable!# default PAgP/LACP status is disabledset port channel ALL_PORTS mode off!# Default DTP status is disabled, no allowed vlans and dot1q-all-tagged mode on.# Warning: A max of 128 trunks can have non-default configuration in CatOS 8.4# Warning: Edit port list as needed.set trunk ALL_PORTS off noneset dot1q-all-tagged enable!# default is CPU rate limiters enabledset rate-limit l2pdu enable!# default SSH version is 2set ssh mode v2!# default VLAN is "Quarantine" (edit as needed)set vlan 999 ALL_PORTS!# Enable image checksum verification by defaultset image-verification enable!# Set a more aggressive default logout timeoutset logout 10### Anti-spoofing ACL#!! Deny any packets from the RFC 1918, IANA reserved, ranges,! multicast as a source, and loopback netblocks to block! attacks from commonly spoofed IP addresses.Note that the following ACLs might not be up to date.! Refer to www.iana.org/assignments/ipv4-address-space for a current list.!! Bogons!set security acl ip Anti-spoofing deny ip 0.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 1.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 2.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 5.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 7.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 10.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 23.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 27.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 31.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 36.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 37.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 39.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 42.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 49.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 50.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 77.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 78.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 79.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 92.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 93.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 94.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 95.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 96.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 97.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 98.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 99.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 100.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 101.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 102.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 103.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 104.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 105.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 106.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 107.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 108.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 109.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 110.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 111.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 112.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 113.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 114.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 115.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 116.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 117.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 118.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 119.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 120.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 121.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 122.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 123.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 127.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 169.254.0.0 0.0.255.255 any logset security acl ip Anti-spoofing deny ip 172.16.0.0 0.15.255.255 any logset security acl ip Anti-spoofing deny ip 173.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 174.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 175.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 176.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 177.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 178.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 179.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 180.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 181.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 182.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 183.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 184.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 185.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 186.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 187.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 192.0.2.0 0.0.0.255 any logset security acl ip Anti-spoofing deny ip 192.168.0.0 0.0.255.255 any logset security acl ip Anti-spoofing deny ip 197.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 223.0.0.0 0.255.255.255 any logset security acl ip Anti-spoofing deny ip 224.0.0.0 31.255.255.255 any log# Add here a specific list of permits as neededset security acl ip Anti-spoofing deny any any log!# Set protection to VLAN list (edit as needed)# You can use ALL_VLANS but that will# take some time to finish.# Use the "show security acl" cmd to verify when# the ACL mapping process is completed.commit security acl allset security acl map Anti-spoofing ALL_VLANS!!end
