Specifications
Access Layer April 2014
30
Step 3: Enable QoS by applying the access edge QoS macro that was defined in the platform configuration
procedure. This macro generates a QoS configuration appropriate for the platform.
macro apply AccessEdgeQoS
All client-facing interfaces allow for an untrusted PC and/or a trusted Cisco IP phone to be connected to the
switch and automatically set QoS parameters. When a Cisco IP Phone is connected, trust is extended to the
phone, and any device that connects to the phone will be considered untrusted and all traffic from that device
will be remarked to best-effort or class of service (CoS) 0.
Tech Tip
When you apply this macro, device-specific QoS is applied and a service policy is imposed on the interface. An example policy application to the interface may look like:
service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
In this case, the policy-map called by the service-policy comes preconfigured in the software running on the platform. Detailed examples of the final configurations can be found in the Campus Wired LAN Configuration Files Guide.
Step 4: If the access switch is a Cisco Catalyst 3750-X, 3560-X, 2960-X, or 2960-S, increase the buffers for
the default queue. This modification of the global QoS settings improves the ability to handle high-bandwidth
bursty traffic in the default queue by overriding one of the settings previously applied using the AccessEdgeQoS
macro. In global configuration mode, add the following command:
mls qos queue-set output 1 threshold 3 100 100 100 3200
Next, configure port security on the interface.
Step 5: Configure 11 MAC addresses to be active on the interface at one time; additional MAC addresses are
considered to be in violation, and their traffic will be dropped.
switchport port-security maximum 11
switchport port-security
The number of MAC addresses allowed on each interface is specific to the organization. However, the popularity
of virtualization applications, IP phones, and passive hubs on the desktop drives the need for the number to be
larger than one might guess at first glance. This design uses a number that allows flexibility in the organization
while still protecting the network infrastructure.
Step 6: Set an aging time to remove learned MAC addresses from the secured list after 2 minutes of inactivity.
switchport port-security aging time 2
switchport port-security aging type inactivity
The timeout value is arbitrary; you may tune it to fit your environment. Using aggressive timers can impact the
switch CPU, so use caution when lowering this from the default value defined on your switch.
Step 7: Configure the restrict option to drop traffic from MAC addresses that are in violation, but do not shut
down the port. This configuration ensures that an IP phone can still function on this interface when there is a port
security violation.
switchport port-security violation restrict
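As an added check that is not part of the original guide, the following Python script audits a saved running-config for the port-security settings from Steps 5 through 7 on every access port (interfaces with "switchport mode access"), reporting the commands each port is missing. The sample configuration is constructed for the example.

```python
"""Audit a Cisco IOS running-config for the access-edge port-security settings
in Steps 5-7: maximum 11, aging time 2, aging type inactivity, violation restrict."""

# Commands every client-facing access port is expected to carry (Steps 5-7).
REQUIRED = {
    "switchport port-security",
    "switchport port-security maximum 11",
    "switchport port-security aging time 2",
    "switchport port-security aging type inactivity",
    "switchport port-security violation restrict",
}

# Constructed sample: one compliant port, one partially configured port, one trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security maximum 11
 switchport port-security
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security violation restrict
 service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security
 switchport port-security violation shutdown
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
"""

def parse_interfaces(config: str) -> dict:
    """Return {interface name: set of its indented config lines} for each stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:
            current = None  # "!" or any top-level line ends the stanza
    return interfaces

def audit_port_security(config: str) -> dict:
    """Return {access interface: sorted missing commands}; compliant ports map to []."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and uplinks are out of scope for the client-facing settings
        findings[name] = sorted(REQUIRED - lines)
    return findings

if __name__ == "__main__":
    for port, missing in audit_port_security(SAMPLE_CONFIG).items():
        print(port, "OK" if not missing else "missing: " + ", ".join(missing))
```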