
Quick CatOS Configuration Guide

Platform: Cisco Catalyst 6509 (CatOS)
Author: Surender Singh

1. Setting the IP address and default gateway of the switch

   # set interface sc0 {ipaddress} {subnet mask}
   # set route default {ipaddress}

2. Setting the name of a port on each module

   # set port name {mod-num/port-num} {name}

3. Setting the port speed

   # set port speed {mod-num/port-num} auto

4. Setting the port to half duplex or full duplex

   # set port duplex {mod-num/port-num} {half|full}

5. Setting flow control on a port, to control the amount or delay of traffic

   # set port flowcontrol {mod-num/port-num} send on      (the port will send flow control frames to the far end)
   # set port flowcontrol {mod-num/port-num} receive on   (the port requires the far end to send flow control frames)

6. Port negotiation before establishing a link

   # set port negotiation {mod-num/port-num} {enable|disable}
   # show port

7. Resetting the configuration

   "clear config all" clears out the whole configuration and all ports collapse into VLAN 1, which causes instability. To avoid this, all ports are put into a blocking (disabled) state first:

   # set default portstatus disable
8. Configuring EtherChannels

   All the Ethernet links in the group are bundled together to form one EtherChannel. A maximum of 8 Ethernet links can join an admin group. Port Aggregation Protocol (PAgP) communicates by exchanging packets between the ports to establish the bundle; the EtherChannel is added to spanning tree as one single bridge port, which avoids loops.

   # set port channel {mod-num/port-num} {admin-group (1-1024)}
   # set port channel {mod-num/port-num} {auto|desirable}
   # set port channel all distribution {ip|mac} {source|destination}
   # show port channel

9. Configuring Spanning Tree Protocol (IEEE 802.1D)

In a switched network only a single active path must exist between two stations; if multiple paths exist between two stations, loops can occur. Each VLAN has its own STP instance.

STP spans the extended switched network and forces certain redundant paths into a standby (blocked) state; if an active link goes down, a blocked path moves into the forwarding state. All switches participate in STP by exchanging Bridge Protocol Data Units (BPDUs). A BPDU carries the switch and port MAC address, the priority and the cost, and this information is used to elect the root switch.
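The root election and the resulting root path costs, as an added example in Python that is not part of the guide above. It models the two facts the paragraph states: the bridge with the lowest bridge ID (priority, then MAC address) becomes root, and every other switch reaches it over the cheapest path, which is what the cost values in the later "set spantree portcost" and "set spantree root" commands influence. The topology, MAC addresses and link costs are constructed sample data. A lower priority anywhere in the network wins the election, which is why edge ports get BPDU Guard (described further down).

```python
# Added example (not from the CatOS guide): elect the 802.1D root bridge and
# compute each switch's root path cost, the way BPDU exchange converges.
import heapq

# Constructed sample topology: bridge ID = (priority, MAC); links carry port costs.
BRIDGES = {
    "SW1": (32768, "00:00:0c:aa:aa:01"),
    "SW2": (32768, "00:00:0c:aa:aa:02"),
    "SW3": (4096, "00:00:0c:aa:aa:03"),   # lowered priority, as 'set spantree root' does
}
LINKS = [("SW1", "SW2", 19), ("SW2", "SW3", 19), ("SW1", "SW3", 4)]  # (a, b, cost)


def elect_root(bridges):
    """The lowest bridge ID wins: priority first, MAC address as the tie-breaker."""
    return min(bridges, key=lambda name: bridges[name])


def root_path_costs(bridges, links):
    """Dijkstra from the root: the cost each switch advertises in its own BPDUs."""
    root = elect_root(bridges)
    adjacency = {}
    for a, b, cost in links:
        adjacency.setdefault(a, []).append((b, cost))
        adjacency.setdefault(b, []).append((a, cost))
    best = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node]:
            continue                       # stale heap entry
        for neighbour, link_cost in adjacency.get(node, []):
            candidate = cost + link_cost
            if candidate < best.get(neighbour, float("inf")):
                best[neighbour] = candidate
                heapq.heappush(heap, (candidate, neighbour))
    return root, best


if __name__ == "__main__":
    root, costs = root_path_costs(BRIDGES, LINKS)
    print("root bridge:", root)
    for switch, cost in sorted(costs.items()):
        print("  %s root path cost %d" % (switch, cost))
```

SW3 wins because 4096 beats the default 32768 regardless of MAC address; SW2 keeps its direct 19-cost link to SW3 as its root port because the path over SW1 would cost 23.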

Enabling STP on a VLAN

   # set spantree enable {vlan_num}

Changing the port priority, to influence which port goes into the forwarding state

   # set spantree portpri {mod-num/port-num} {priority}
   # set spantree portvlanpri {mod-num/port-num} {priority} {vlan-num}

Changing the port cost

   # set spantree portcost {mod-num/port-num} {cost}
   # set spantree portvlancost {mod-num/port-num} cost {cost} {vlan_num}

Configuring a switch as root and as secondary root

   # set spantree root {vlans} dia 4
   # set spantree root secondary {vlans} dia 5 hello 1

Disabling spantree

   # set spantree disable

How PortFast works

With PortFast enabled the port does not wait for STP to converge and moves straight into the forwarding state.

PortFast BPDU Guard

It prevents loops by moving a non-trunking port into the errdisable state when a BPDU is received on that port. When this is enabled, STP shuts the port down.

Configuring spantree PortFast

   # set spantree portfast {mod-num/port-num} enable
   # set spantree portfast bpdu-guard enable
   # set spantree uplinkfast enable     (if the link between two switches goes down, UplinkFast moves a blocked uplink directly into the forwarding state)
   # set spantree backbonefast enable   (speeds up recovery when an indirect link fails)
10. Configuring VTP

   # set vtp domain {name}
   # set vtp mode {server|client|transparent}
   # set vtp passwd {password}
   # set vtp v2 enable
   # set vtp pruneeligible {vlan range}
   # show trunk             (verifies that the appropriate VLANs are trunked)
   # show vtp statistics

11. Configuring VLANs

   # set vlan {vlan number (2-1000)} name {name}

VLAN 1 is by default the VLAN of the in-band (sc0) management interface of the switch, through which the switch can be reached without going through the router.

   # set vlan {vlan number} {mod-num/port-num}

The valid range of VLANs for ISL is 1-1000; the valid range for IEEE 802.1Q is 0-4095.

If non-Cisco devices are connected to Cisco devices through 802.1Q trunks, 802.1Q VLAN numbers greater than 1000 must be mapped to ISL VLAN numbers. 802.1Q VLANs in the range 1-1000 are mapped to ISL VLANs automatically; numbers greater than 1000 have to be mapped manually to be recognized by Cisco switches. Up to 16 802.1Q VLANs can be mapped to ISL VLANs.

   # set vlan mapping dot1q {vlan number} isl {vlan number}
12. Trunking (important)

Configuring an ISL or dot1q trunk

   # set trunk {mod-num/port-num} {auto|desirable|on|off} dot1q

Negotiation

   # set trunk {mod-num/port-num} desirable negotiate     (mode "desirable", encapsulation negotiated between dot1q and ISL; assumes the far-end port is in auto mode)

By default all VLANs are allowed when a trunk is set. To remove specific VLANs from the trunk, or add them back:

   # clear trunk {mod-num/port-num} {vlan range}
   # set trunk {mod-num/port-num} {vlan number or range}
   # show trunk {mod-num/port-num}

Disabling a trunk port

   # set trunk {mod-num/port-num} off     (turns trunking off on the port)
   # clear trunk {mod-num/port-num}       (returns the port to its default trunking settings)

13. GVRP: Generic attribute registration protocol
-------------------------
article courtesy of  www.knowurtech.com
Virtual Routing and Forwarding

Virtual routing and forwarding (VRF) is a technology included in IP
(Internet Protocol) network routers that allows multiple instances of a
routing table to exist in a router and work simultaneously. This
increases functionality by allowing network paths to be segmented
without using multiple devices. Because traffic is automatically
segregated, VRF also increases network security and can eliminate the
need for encryption and authentication. Internet service providers
(ISPs) often take advantage of VRF to create separate virtual private
networks (VPNs) for customers; thus the technology is also referred to
as VPN routing and forwarding.

VRF acts like a logical router, but while a logical router may include
many routing tables, a VRF instance uses only a single routing table.
In addition, VRF requires a forwarding table that designates the next
hop for each data packet, a list of devices that may be called upon to
forward the packet, and a set of rules and routing protocols that
govern how the packet is forwarded. These tables prevent traffic from
being forwarded outside a specific VRF path and also keep out traffic
that should remain outside the VRF path.

Configuring a VRF

Doug Downer
11.01.2005


In a recent tip called Keeping it all separate with VRFs, I started talking about an increasingly common scenario which involves the requirement to separate customers on shared devices using VPN Routing and Forwarding (VRF) instances. VRFs allow us to logically separate L2 and L3 functions for customers which share common network devices. This separation also allows service providers the ability to separate customers on their backbone with other technologies such as MPLS. MPLS is not within the scope of this series so we'll stick to just the VRF for now. In this tip, I'll show you how to configure a VRF using the scenario we looked at before.

Scenario recap

We have been looking at a scenario involving the requirement for two customers (A and B) to be given Internet access from a service provider (you). Because of the relatively small size of the service provider and customer -- one shared network device was installed to support this requirement. At first glance this scenario allows for the networks of Customer A and Customer B to mix together. To prevent that, the service provider puts each customer within a VRF.

Creating the VRF

The actual configuration of a VRF is not a difficult task. There are two main components to a VRF: The route distinguisher and the route target. A route distinguisher (RD) is a number -- which doesn't actually have any real significance other than to help identify a VPN in a provider's network and allow for overlapping IP space. The RD is an 8-byte number with two parts: A 2-byte type field followed by a 6-byte value field. Without going into too much detail, the value field of the RD is most often represented as an autonomous system number (ASN 2 bytes) followed by an arbitrary number (4 bytes) or an IP address (4 bytes) followed by an arbitrary number (2 bytes). You can enter an RD in either of these formats:

16-bit AS number: your 32-bit number
For example, 101:3.

32-bit IP address: your 16-bit number
For example, 192.168.122.15:1.

The route target (RT) indicates the VPN membership of a route and allows VPN routes to be imported or exported into or out of your VRFs. The RT functions a little like a routing policy -- determining how routes are distributed throughout the particular VPN. Like the RD, the RT is 8 bytes in length and can be entered as:

16-bit AS number: your 32-bit number
For example, 101:3.

32-bit IP address: your 16-bit number
For example, 192.168.122.15:1.
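The two RD/RT formats listed above, as an added worked example in Python that is not part of the article: it packs a value written as "ASN:number" (type 0: 2-byte type, 2-byte ASN, 4-byte number) or "IPv4:number" (type 1: 2-byte type, 4-byte address, 2-byte number) into the 8-byte form the text describes, and decodes it back. The byte layout is the standard one for these two types; the function names are this example's own.

```python
# Added example (not from the article): encode a route distinguisher or route
# target string into its 8-byte form and decode it again.
import ipaddress
import struct


def encode_rd(text):
    """Return the 8-byte RD/RT for '16-bit ASN:32-bit number' or 'IPv4:16-bit number'."""
    admin, sep, assigned = text.rpartition(":")
    if not sep or not admin or not assigned.isdigit():
        raise ValueError("expected ADMIN:NUMBER, got %r" % text)
    number = int(assigned)
    if admin.isdigit():
        # type 0: 2-byte type field, 2-byte AS number, 4-byte assigned number
        asn = int(admin)
        if asn > 0xFFFF or number > 0xFFFFFFFF:
            raise ValueError("type 0 RD needs a 16-bit ASN and a 32-bit number")
        return struct.pack("!HHI", 0, asn, number)
    # type 1: 2-byte type field, 4-byte IPv4 address, 2-byte assigned number
    address = ipaddress.IPv4Address(admin)   # raises ValueError on a bad address
    if number > 0xFFFF:
        raise ValueError("type 1 RD needs a 16-bit assigned number")
    return struct.pack("!H4sH", 1, address.packed, number)


def decode_rd(raw):
    """Inverse of encode_rd: render the 8 bytes in the notation used at the CLI."""
    if len(raw) != 8:
        raise ValueError("RD/RT must be exactly 8 bytes")
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, number = struct.unpack("!HI", raw[2:])
        return "%d:%d" % (asn, number)
    if rd_type == 1:
        address, number = struct.unpack("!4sH", raw[2:])
        return "%s:%d" % (ipaddress.IPv4Address(address), number)
    raise ValueError("unsupported RD type %d" % rd_type)


if __name__ == "__main__":
    for value in ("101:3", "192.168.122.15:1", "192.168.1.1:100"):
        raw = encode_rd(value)
        print("%-20s -> %s -> %s" % (value, raw.hex(), decode_rd(raw)))
```

The first two bytes are what distinguish "101:3" from "192.168.122.15:1" on the wire; the remaining six carry the value field in either layout.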

Using the example scenario, let's configure two VRFs on the service provider router. Customer A will have an RD of 192.168.1.1:100 and Customer B will have an RD of 192.168.2.1:200.

  • Customer A
    SP_Router(config)#interface loopback 1
    SP_Router(config-if)#description Loopback interface for Customer_A VRF
    SP_Router(config)#interface g0/0
    SP_Router(config-if)#description Connection to the Customer_A router
    SP_Router(config)#ip vrf Customer_A
    SP_Router(config-vrf)#rd 192.168.1.1:100
    SP_Router(config-vrf)#route-target import 192.168.1.255:100
    SP_Router(config-vrf)#route-target export 192.168.1.255:100
  • Customer B
    SP_Router(config)#interface loopback 2
    SP_Router(config-if)#description Loopback interface for Customer_B VRF
    SP_Router(config)#interface g0/1
    SP_Router(config-if)#description Connection to the Customer_B router
    SP_Router(config)#ip vrf Customer_B
    SP_Router(config-vrf)#rd 192.168.2.1:200
    SP_Router(config-vrf)#route-target import 192.168.2.255:200
    SP_Router(config-vrf)#route-target export 192.168.2.255:200

Assigning the interfaces

Once you have created the VRF you can begin to assign the particular interfaces and start to separate the customers. Notice I did not assign an IP address to the interfaces which are intended to be in the VRF. If you put the IP addresses on prior to putting the interface in the VRF, the IP address will be removed and cause you to have to re-IP the interfaces.

  • Customer A
    SP_Router(config)#interface lo1
    SP_Router(config-if)#ip vrf forwarding Customer_A
    SP_Router(config-if)#ip address 192.168.1.1 255.255.255.255
    SP_Router(config)#interface g0/0
    SP_Router(config-if)#ip vrf forwarding Customer_A
    SP_Router(config-if)#ip address 10.1.1.1 255.255.255.252
  • Customer B
    SP_Router(config)#interface lo2
    SP_Router(config-if)#ip vrf forwarding Customer_B
    SP_Router(config-if)#ip address 192.168.2.1 255.255.255.255
    SP_Router(config)#interface g0/1
    SP_Router(config-if)#ip vrf forwarding Customer_B
    SP_Router(config-if)#ip address 10.1.2.1 255.255.255.252

These configurations have modified our picture somewhat. The figure below shows what things look like now:

You can verify your configurations by using the show ip vrf command:

SP_Router#show ip vrf
  Name                             Default RD            Interfaces
  Customer_A                       192.168.1.1:100       Loopback1
                                                         GigabitEthernet0/0
  Customer_B                       192.168.2.1:200       Loopback2
                                                         GigabitEthernet0/1

Once you have the proper interfaces within the correct VRF, you can begin to establish IP connectivity and routing between the customer routers and the service provider routers.

--------------------------------------

article courtesy of searchenterprisewan.com


Cisco Access Control Lists (ACL)

By Joshua Erdman
Digital Foundation, inc.

The Cisco access control list (ACL) is probably the most commonly used object in the IOS. It is not only used for packet filtering (a type of firewall) but also for selecting types of traffic to be analyzed, forwarded, or influenced in some way.

Access Control List Types

Cisco ACLs are divided into types. Standard IP, Extended IP, IPX, Appletalk, etc. Here we will just go over the standard and extended access lists for TCP/IP.

As you create ACLs you assign a number to each list, however, each type of list is limited to an assigned range of numbers. This makes it very easy to determine what type of ACL you will be working with.

TCP/IP Access Lists

You can have up to 99 Standard IP Access Lists, numbered from 1 to 99; the Extended IP Access List number range runs from 100 to 199. The most common use of the Extended IP access list is to create a packet filtering firewall. This is where you specify the allowed destinations of each packet from an allowed source.

Standard IP Access Lists

A Standard Access List only allows you to permit or deny traffic from specific IP addresses. The destination of the packet and the ports involved do not matter.

Here is an example:

access-list 10 permit 192.168.3.0 0.0.0.255

This list allows traffic from all addresses in the range 192.168.3.0 to 192.168.3.255

You can see how the last entry looks similar to a subnet mask, but with Cisco ACLs they use inverse subnet masks. Also realize that by default, there is an implicit deny added to every access list. If you entered the command:
show access-list 10
The output would be:

access-list 10 permit 192.168.3.0 0.0.0.255
access-list 10 deny any

Extended IP Access Lists

Extended ACLs allow you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. They also allow you to specify different types of traffic such as ICMP, TCP, UDP, etc. Needless to say, they are very granular and allow you to be very specific. If you intend to create a packet filtering firewall to protect your network, it is an Extended ACL that you will need to create.

Typically you would allow outgoing traffic and incoming traffic that was initiated from inside. In other words, you want your users to be able to connect to web servers on the Internet for browsing, but you do not want anyone on the Internet to be able to connect to your machines. This requires 2 ACLs. One limits the users on the company network to using only a web browser (so it blocks outgoing FTP, e-mail, Kazaa, Napster, online gaming, etc.). The other access list only allows incoming traffic from the Internet that belongs to a connection initiated by a machine on the inside. This is called an established connection. Let's see what our access lists would look like for starters:

Assumptions:
internal network: 63.36.9.0

access-list 101 - applied to traffic leaving the office (outgoing)
access-list 102 - applied to traffic entering the office (incoming)

ACL 101:
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

ACL 102:
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established

ACL 101

As you can see, ACL 101 says to permit traffic originating from any address on the 63.36.9.0 network. The 'any' statement means that the traffic is allowed to have any destination address, with the limitation that it must go to port 80 (the web port for HTTP). This is still only half of the solution. If you only use this access list you have limited your users to nothing more on the Internet than browsing from website to website. However, you have taken no action on the incoming traffic. The Internet still has full access to all the IPs and all the ports. This leaves you vulnerable.

ACL 102

Since you only want your users to be able to browse the Internet, you must block all incoming traffic except for the established connections in which the websites are replying to a computer on your network. Doing this is impossible unless you use the 'established' keyword.

Now that we are familiar with the 'established' keyword, ACL 102 simply states to permit established traffic from anywhere to all computers within our 63.36.9.0 network.

You may ask why access-list 102 does not read:

access-list 102 permit tcp any any established

In this situation this works just as well, but because it is not as specific, it is considered a hole or an area of vulnerability (especially if you ever get another block of IP addresses).

Activating an Access Control List

Now that you have created these ACLs they are useless until you declare them to be used in some way. As of right now they are an inactive list doing nothing. Our next article will cover applying ACLs on interfaces and how to specify if the ACL is for incoming or outgoing traffic on that interface.

We will apply our ACLs to the serial (T1) interface to protect our network and to limit our user's Internet access to just web browsing.

Before we do that, we need to add one more entry to access-list 101 to allow HTTPS for web browsing. If you have a clue about TCP/IP you know that web browsing (HTTP) is done on port 80 and that web browsing securely (HTTPS) is done on port 443. So we also need to open port 443 if any user is to be able to let's say place an online order or check their bank account. Typically, the web page where you enter your personal information should be secure and thus requires the use of HTTPS.

The line we add is very similar to the line that is already in access list 101. You probably already have it figured out by now:

access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 443

Now that our ACLs are complete, here is how we apply them to an interface.

In or Out

We first must decide whether the traffic we are filtering is going in or out. Our users trying to access websites on the Internet is a good example of traffic going OUT from our business. Receiving e-mails from the Internet is a good example of traffic coming IN to our business. But the interface you apply the ACLs to determines the direction of the traffic.

Take for example a router with 2 interfaces. It has a serial port, ser0/0, (AKA T-1 connection) and an ethernet port, eth0/0. The Internet traffic coming IN to our office is going IN the ser0/0 interface, but is also going OUT the eth0/0 interface to reach the office network. See how that works?

Now you have all kinds of options as to where you put your restrictions on your serial ports or your ethernet ports and this is just with a simple example!

For now we will activate the access lists on the serial port so that the points of view (POV) are the same: traffic coming IN to the office is also going IN the serial port, and traffic going OUT of the office is going OUT that same serial port.

Applying Access Lists

Finally the instructions you all have been waiting for! Make sure you are in enabled mode. Then use the command below:

conf t
interface serial0/0
ip access-group 101 out
ip access-group 102 in

See how you must be in configuration mode of the interface to apply an access-list? Remember that you can only apply ONE ACL in each direction of an interface.

Editing and adding ACLs

If you need to add more permissions, you must add to the ACL you have already created. Any lines you add are appended at the bottom of the list.

How I keep track of all the ACLs I use is by keeping each one in a separate text file. I then make changes to the text file, delete the whole access list from the router's memory (running-config), and then copy and paste the new list each time I make updates.

Clue: There is no way to remove a single line from an ACL. Instead it is better to copy the whole ACL into a text editor and remove the offending line. Then remove the whole ACL from the router's memory (see below) and add the modified ACL.

Removing ACLs

To remove an ACL from the router, be sure you are in enabled mode. Then use the command:

no access-list <list number>

That is all there is to it.

Clue: When you delete an access-list that is currently being applied to an interface, all traffic that is to be filtered through the specified access list will be allowed until the access list is reinstated or a new access-list is specified in the access-group command.

Advanced ACLs

We will create an ACL that allows the users in our office to access the internet using a range of common ports. As you can see in the example above, we have been just specifying individual ports.

Port Ranges

In the example you see the letters 'eq' before the port is declared. This is short for 'equal to'. Other operators include:

  • gt - greater than, followed by the port number.
  • lt - less than, followed by the port number.
  • range - an inclusive port range: after the keyword range put the first port in the range, followed by a space and then the last port in the range.

Commenting

As your access lists grow and become more complex it is a great idea to add comments. Adding a comment is as simple as beginning the comment line with an exclamation point.

Filter Masks

First be sure that you brush up on your binary and read our article on TCP/IP Addressing and Calculating Subnet Masks. You must first have a good grasp of the use of binary to calculate subnet masks.

Using filter masks allows you to group IP addresses together instead of having to specify each IP address individually. So for example, if you have five servers whose addresses are 10.10.10.1 - 10.10.10.5, it is easy to grant or deny access to all 5 with only one line in the access list. If the addresses are scattered, you either have to make 5 separate entries or change the IPs of the servers.

The way you specify a group of IP addresses is very similar to how a subnet mask is used, except that the 1s and 0s are inverted. For example, all the web servers on our sample network fall in the subnet 10.10.10.1 - 10.10.10.15 (if this were a subnet mask it would be 255.255.255.240). We would never assign the servers this subnet mask, because we want the workstations (using addresses 10.10.10.65-10.10.10.254) to talk directly to the servers. This prevents our router from being taxed. But now that we know the equivalent subnet mask for this IP block of servers, we can easily create the access-list filter mask, which is 0.0.0.15. As I mentioned earlier, the filter mask is the opposite of the subnet mask. Here is how it looks in binary:

        128  64  32  16 |  8   4   2   1
   SM     1   1   1   1 |  0   0   0   0   = 240
   FM     0   0   0   0 |  1   1   1   1   = 15

Clue: If you put the servers and workstations on 2 different network blocks the router will have an insane amount of traffic to route. Definitely not a good idea.

With filter masks you can usually guess the correct value right away, as long as the numbers in the filter mask are a power of 2 minus 1. For example, I know that my web servers are grouped in the first 15 IP addresses. The smallest power of two that 15 fits into is 16. Subtract 1 and my filter mask is 0.0.0.15.

Filter Masks in Access Lists

So if I wanted to permit all incoming web traffic requests to my web servers (and prevent any Internet access to rogue web servers on employees' workstations), I would enter these lines in the access list:

!Permit HTTP port 80 traffic
access-list 102 permit tcp any 10.10.10.0 0.0.0.15 eq 80

!Permit HTTPS port 443 traffic
access-list 102 permit tcp any 10.10.10.0 0.0.0.15 eq 443
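A small evaluator for the numbered access lists used in this article, as an added example in Python that is not part of the article: it parses the standard and extended forms shown above (including '!' comment lines), computes and applies wildcard (inverse) masks like 0.0.0.15, evaluates entries top-down with the implicit deny at the end, and implements 'established' the way the router does, as a check that the ACK or RST flag is set on a TCP segment rather than as connection tracking. The packet representation and function names are this example's own; the ACL lines are the article's.

```python
# Added example (not from the article): parse and evaluate numbered IOS access lists,
# showing wildcard masks, first-match ordering, the implicit deny, and 'established'.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # address spec for the keyword 'any'


def wildcard_from_prefixlen(prefixlen):
    """Wildcard mask for a /prefixlen block: the bitwise inverse of the subnet mask."""
    subnet_mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def matches(addr, base, wildcard):
    """True when addr agrees with base on every bit the wildcard leaves as 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF   # bits that must agree
    return (a & care) == (b & care)


def _take_addr(tok, i):
    """Read 'any', 'host A' or 'A WILDCARD' (the wildcard is optional in standard lists)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():    # a port always follows 'eq'
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1


def parse_acl(lines):
    """Parse 'access-list N permit|deny [proto] SRC [WC] [DST [WC]] [eq PORT] [established]'."""
    entries = []
    for line in lines:
        line = line.split("!", 1)[0].strip()        # '!' starts a comment
        if not line:
            continue
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError("not an access-list line: %r" % line)
        number, action = int(tok[1]), tok[2]
        extended = 100 <= number <= 199
        entry = {"action": action, "proto": "ip", "dst": ANY, "port": None, "established": False}
        i = 3
        if extended:                                 # extended lists name the protocol
            entry["proto"] = tok[i]
            i += 1
        entry["src"], i = _take_addr(tok, i)
        if extended:
            entry["dst"], i = _take_addr(tok, i)
        while i < len(tok):
            if tok[i] == "eq":
                entry["port"] = int(tok[i + 1])
                i += 2
            elif tok[i] == "established":
                entry["established"] = True
                i += 1
            else:
                raise ValueError("unsupported keyword %r" % tok[i])
        entries.append(entry)
    # the router appends 'deny any' to every list even though 'show access-list' is
    # the only place you see it
    entries.append({"action": "deny", "proto": "ip", "src": ANY, "dst": ANY,
                    "port": None, "established": False})
    return entries


def evaluate(entries, pkt):
    """First matching entry decides. pkt: dict(proto, src, dst, dport, tcp_flags)."""
    for e in entries:
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not matches(pkt["src"], *e["src"]) or not matches(pkt["dst"], *e["dst"]):
            continue
        if e["port"] is not None and pkt.get("dport") != e["port"]:
            continue
        # 'established' is stateless: it only asks whether ACK or RST is set
        if e["established"] and not (pkt.get("tcp_flags", set()) & {"ACK", "RST"}):
            continue
        return e["action"]
    return "deny"   # unreachable thanks to the implicit entry; kept for clarity


# The article's lists, as given above
ACL_10 = parse_acl(["access-list 10 permit 192.168.3.0 0.0.0.255"])
ACL_101 = parse_acl(["access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80",
                     "access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 443"])
ACL_102 = parse_acl(["!Replies to connections our users opened",
                     "access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established"])
```

Running the web-server block through wildcard_from_prefixlen(28) gives the 0.0.0.15 mask from the binary table; the ACL_102 check shows both halves of the 'established' behaviour: an inbound reply with ACK set is permitted, an inbound SYN is dropped by the implicit deny, and the flag test is all the router looks at, which is the reason stateful inspection exists on later platforms.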

Many, Many ACLs

When I last worked for an ISP we had several connections terminating into one router. To make things as secure as possible I made 2 access lists for each interface: one for incoming traffic and one for outgoing. Keeping track of all this quickly became a nightmare. What I did to help was to have a notepad text file for each access list. At the top of each access list was the function of the access list, a description of the latest modifications, the modification date and who made the modification.

--------------------------------

Article taken from - www.networkclue.com

Switched Port Analyzer (SPAN)

Overview of SPAN

What is SPAN and why is it needed? The SPAN feature was introduced on switches because of a fundamental difference that switches have with hubs. When a hub receives a packet on one port, the hub sends out a copy of that packet on all ports except on the one where the hub received the packet. After a switch boots, it starts to build up a Layer 2 forwarding table on the basis of the source MAC address of the different packets that the switch receives. After this forwarding table is built, the switch forwards traffic that is destined for a MAC address directly to the corresponding port.

For example, if you want to capture Ethernet traffic that is sent by host A to host B, and both are connected to a hub, just attach a sniffer to this hub. All other ports see the traffic between hosts A and B:

[Figure 41a: hub forwarding a copy of every frame to all ports, including the sniffer]

On a switch, after the host B MAC address is learned, unicast traffic from A to B is only forwarded to the B port. Therefore, the sniffer does not see this traffic:

[Figure 41b: switch forwarding the A-to-B unicast only to the B port]

In this configuration, the sniffer only captures traffic that is flooded to all ports, such as:

  • Broadcast traffic

  • Multicast traffic with CGMP or Internet Group Management Protocol (IGMP) snooping disabled

  • Unknown unicast traffic

Unicast flooding occurs when the switch does not have the destination MAC in its content-addressable memory (CAM) table. The switch does not know where to send the traffic. The switch floods the packets to all the ports in the destination VLAN.

An extra feature is necessary that artificially copies unicast packets that host A sends to the sniffer port:

[Figure 41c: switch copying host A's frames to the SPAN port where the sniffer is attached]

In this diagram, the sniffer is attached to a port that is configured to receive a copy of every packet that host A sends. This port is called a SPAN port. The other sections of this document describe how you can tune this feature very precisely in order to do more than just monitor a port.
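The behaviour the three figures describe, as an added example in Python that is not part of the Cisco document: a toy Layer 2 switch that learns source MAC addresses into its CAM table, floods unknown unicast and broadcast, forwards known unicast to one port only, and copies ingress frames from configured source ports to a SPAN destination. The class, port numbers and MAC addresses are this example's own constructions; a real SPAN destination also stops forwarding ordinary traffic, which the model leaves out.

```python
# Added example (not from the Cisco document): a toy switch showing why a sniffer on
# an ordinary port only sees flooded frames, and how a SPAN destination gets copies.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.cam = {}            # MAC address -> port, learned from source addresses
        self.span_sources = set()
        self.span_destination = None

    def set_span(self, sources, destination):
        """Monitor ingress traffic of the source ports on the destination port."""
        if destination in sources:
            raise ValueError("a port cannot be its own SPAN destination")
        self.span_sources = set(sources)
        self.span_destination = destination

    def forward(self, in_port, src_mac, dst_mac):
        """Return the set of ports the frame is sent out of (and learn src_mac)."""
        self.cam[src_mac] = in_port
        if dst_mac != BROADCAST and dst_mac in self.cam:
            out = {self.cam[dst_mac]} - {in_port}   # known unicast: one port only
        else:
            out = self.ports - {in_port}            # broadcast / unknown unicast: flood
        if in_port in self.span_sources and self.span_destination is not None:
            out = out | {self.span_destination}     # SPAN copy for the analyzer
        return out


def sniffer_sees(frames, span=None):
    """Which of the constructed frames reach port 3 (the sniffer), with optional SPAN."""
    sw = Switch([1, 2, 3])
    if span:
        sw.set_span(*span)
    return [frame for frame in frames if 3 in sw.forward(*frame)]


# Constructed traffic: host A on port 1, host B on port 2, sniffer on port 3
FRAMES = [
    (1, "A", "B"),          # B unknown yet: flooded, sniffer sees it
    (2, "B", "A"),          # A already learned: goes to port 1 only
    (1, "A", "B"),          # B learned now: goes to port 2 only, sniffer sees nothing
    (1, "A", BROADCAST),    # broadcast: always flooded
]

if __name__ == "__main__":
    print("without SPAN:", sniffer_sees(FRAMES))
    print("with SPAN on port 1 -> 3:", sniffer_sees(FRAMES, span=([1], 3)))
```

Without SPAN the sniffer receives only the first (unknown unicast) frame and the broadcast; once port 1 is a SPAN source, every frame host A sends is copied to port 3, which is the situation in the third figure.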

SPAN Terminology

  • Ingress traffic—Traffic that enters the switch.

  • Egress traffic—Traffic that leaves the switch.

  • Source (SPAN) port —A port that is monitored with use of the SPAN feature.

  • Source (SPAN) VLAN —A VLAN whose traffic is monitored with use of the SPAN feature.

  • Destination (SPAN) port —A port that monitors source ports, usually where a network analyzer is connected.

  • Reflector Port —A port that copies packets onto an RSPAN VLAN.

  • Monitor port—A monitor port is also a destination SPAN port in Catalyst 2900XL/3500XL/2950 terminology.

[Figure 41d: SPAN terminology (source ports, destination port, ingress and egress traffic)]

  • Local SPAN—The SPAN feature is local when the monitored ports are all located on the same switch as the destination port. This feature is in contrast to Remote SPAN (RSPAN), which this list also defines.

  • Remote SPAN (RSPAN)—Some source ports are not located on the same switch as the destination port. RSPAN is an advanced feature that requires a special VLAN to carry the traffic that is monitored by SPAN between switches. RSPAN is not supported on all switches. Check the respective release notes or configuration guide to see if you can use RSPAN on the switch that you deploy.

  • Port-based SPAN (PSPAN)—The user specifies one or several source ports on the switch and one destination port.

  • VLAN-based SPAN (VSPAN)—On a particular switch, the user can choose to monitor all the ports that belong to a particular VLAN in a single command.

  • ESPAN—This means enhanced SPAN version. This term has been used several times during the evolution of the SPAN in order to name additional features. Therefore, the term is not very clear. Use of this term is avoided in this document.

  • Administrative source—A list of source ports or VLANs that have been configured to be monitored.

  • Operational source—A list of ports that are effectively monitored. This list of ports can be different from the administrative source. For example, a port that is in shutdown mode can appear in the administrative source, but is not effectively monitored.


Further details available at - http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml