ASA Modular Policy Framework - Global vs. Interface

I understand from the Cisco documentation that a service-policy applied to an interface on an ASA 5500 series firewall will override the default global service-policy. However, I am not clear on whether it will override the entire global service-policy, or only the parts where they overlap. In other words, would the resulting service-policy on the interface in question be just what was applied in the service-policy on the interface, completely replacing the global service-policy? Or would it be a combination of the global and interface service-policies, with the interface one taking precedence where they overlap?
If I wanted an interface to have the same service-policy as the global service-policy plus one other item, can I just add the one item in a service-policy that I apply to the interface, or do I have to replicate all the items from the global policy, plus the one additional item, and apply that to the interface?
Thank you.

Hi,
Interface service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with FTP inspection, and an interface policy with TCP normalization, then both FTP inspection and TCP normalization are applied to the interface. However, if you have a global policy with FTP inspection, and an interface policy with FTP inspection, then only the interface policy FTP inspection is applied to that interface.
Here is a doc for detailed study:
http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/mpf.html
Hope this clears out your doubt.
Thanks,
Varun
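
The per-feature precedence rule described in the reply above, worked through as an added example (not code from the thread or from Cisco): a small Python audit script that parses `policy-map` and `service-policy` lines and reports which policy supplies each feature on a given interface. The sample configuration is constructed, and treating the first two tokens of an action line as the "feature" is a simplifying assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map all_traffic
 match any
tcp-map strict_tcp
 check-retransmission
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
policy-map outside_policy
 class inspection_default
  inspect ftp strict
 class all_traffic
  set connection advanced-options strict_tcp
service-policy global_policy global
service-policy outside_policy interface outside
"""


def parse_policies(config):
    """Return (policy_maps, global_policy_name, {interface: policy_name})."""
    policy_maps = defaultdict(list)  # name -> [(class name, action line)]
    global_policy, per_interface = None, {}
    current_map = current_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # top-level command ends any open block
            current_map = current_class = None
            m = re.fullmatch(r"policy-map (\S+)", line)
            if m:  # "policy-map type inspect ..." maps are skipped on purpose
                current_map = m.group(1)
                policy_maps[current_map]  # register even if it stays empty
                continue
            m = re.fullmatch(r"service-policy (\S+) global", line)
            if m:
                global_policy = m.group(1)
                continue
            m = re.fullmatch(r"service-policy (\S+) interface (\S+)", line)
            if m:
                per_interface[m.group(2)] = m.group(1)
        elif current_map:
            if line.startswith("class "):
                current_class = line.split()[1]
            elif current_class:
                policy_maps[current_map].append((current_class, line))
    return policy_maps, global_policy, per_interface


def feature_key(action):
    # Assumption of this example: "inspect ftp strict" -> "inspect ftp",
    # "set connection advanced-options X" -> "set connection".
    return " ".join(action.split()[:2])


def effective_policy(config, interface):
    """Map feature -> (source, policy name, action) for one interface."""
    maps, global_name, per_if = parse_policies(config)
    effective = {}
    # Start from the global policy ...
    for _cls, action in maps.get(global_name, []):
        effective[feature_key(action)] = ("global", global_name, action)
    # ... then let the interface policy win for any feature it also defines.
    if_policy = per_if.get(interface)
    for _cls, action in maps.get(if_policy, []):
        effective[feature_key(action)] = ("interface", if_policy, action)
    return effective


def overridden(config, interface):
    """Features present in both policies, i.e. replaced on this interface."""
    maps, global_name, per_if = parse_policies(config)
    in_global = {feature_key(a) for _c, a in maps.get(global_name, [])}
    in_iface = {feature_key(a) for _c, a in maps.get(per_if.get(interface), [])}
    return sorted(in_global & in_iface)


if __name__ == "__main__":
    for ifname in ("outside", "inside"):
        print(f"interface {ifname}:")
        for feat, (src, pol, action) in sorted(
            effective_policy(SAMPLE_CONFIG, ifname).items()
        ):
            print(f"  {feat:<16} from {src:<9} ({pol}): {action}")
        print(f"  overridden global features: {overridden(SAMPLE_CONFIG, ifname)}")
```

On the firewall itself, `show service-policy interface outside` is the command to confirm which actions are actually in effect.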

Similar Messages

  • ASA 5505 - Cannot ping outside natted interface

    Hello,
    I have a Cisco ASA 5505, the problem is I am not able to ping to outside natted interface (ip: 172.88.188.123 and 124 and 125) from inside network
    Could someone help me to resolve this? I have looked for ASA documentation through the internet and still got nothing.
    Thank you in advance
    the config are:
    : Saved
    ASA Version 8.2(1)
    hostname ciscoasa
    domain-name domain
    enable password ********** encrypted
    passwd ************ encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 172.88.188.122 255.255.255.248
    interface Vlan3
    no forward interface Vlan2
    nameif backup
    security-level 0
    no ip address
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name domain
    same-security-traffic permit intra-interface
    access-list outside_in extended permit tcp any host 172.88.188.123 eq smtp
    access-list outside_in extended permit tcp any host 172.88.188.123 eq pop3
    access-list outside_in extended permit tcp any host 172.88.188.123 eq www
    access-list outside_in extended permit icmp any any
    access-list outside_in extended permit icmp any any echo-reply
    access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any
    access-list inside_out extended permit udp 192.168.1.0 255.255.255.0 any
    access-list inside_out extended permit icmp any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu backup 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (outside) 1 172.88.188.128
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
    static (inside,outside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
    static (inside,outside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
    route outside 0.0.0.0 0.0.0.0 172.88.188.121 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd lease 1048575
    dhcpd auto_config outside
    dhcpd address 192.168.1.100-192.168.1.200 inside
    dhcpd dns 8.8.8.8 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:865943aa325eb75812628fec3b1e7249
    : end

    You are looking for this. 2 options, dns doctoring, or hairpinning (2nd part of document.) Post back if you need help setting it up.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
    Hairpinning would look like this in your scenario.
    same-security-traffic permit intra-interface
    global (inside) 1 interface
    static (inside,inside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
    static (inside,inside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
    static (inside,inside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255

  • Applying Metric and Policy Settings globally

    Hi,
    I wish to remove some Metric and Policy Settings globally.
    Example: I want to remove monitoring for percentage of space left in tablespaces. Instead, I want to make all tablespaces auto-extensible and only monitor disk space.
    I don't want to go into the configuration of each and every database in order to do this. There must be a way to globally remove out-of-box configurations and globally add a custom configured one, or is that not true?
    Thank you for any insights!
    Maria

    It disappears only because there is a drop-down at the top that says to filter "metrics with thresholds"; just switch that to "All metrics" and you will see the blank ones again. As for disabling a collection: a collection is used for many metrics. When you go to disable a metric collection, by clicking on the link for "Every 15 minutes" (for example), it will list all of the metrics that you will no longer collect data for.
    Again, I would suggest not stopping the collection, and simply blanking out the thresholds. That's the way it was designed.
    Eg. Disabling Archive space used collection will disable the following other metrics:
    Archive Area Used (%)
    Archive Area Used (KB)
    Dump Area Directory
    Dump Area Used (%)
    Dump Area Used (KB)
    Free Archive Area (KB)
    Free Dump Area (KB)
    Total Archive Area (KB)
    Total Dump Area (KB)

  • Tcode for global idoc interface parameters

    hi,
      Can anyone tell me the tcode for global idoc interface parameters?

    Hi,
    Welcome to SDN.
    check this link might help you.
    tcodes for ALE
    Regards,
    Amit
    Reward all helpful replies.

  • ASA rpf-check DROP, ASA checking NAT in the incorrect interface

    Hi
    My current architecture is :
    Internet <--> FW <--> ASA <--> LAN
                          FW <--> ASA
    we have two links between ASA and the FW, the corresponding ASA interfaces are "outside" and "vpn"
    the "outside" interface is used for browsing Internet, also for making some services accessible to our partners by doing NAT to our servers
    the "vpn" interface is used to grant access to our LANs from remote Offices
    let say that firewall rules are OK and the remote offices have access to the whole LAN by port 80
    below the current configuration :
    interface GigabitEthernet0/0
      nameif inside
     security-level 100
     ip address 192.168.1.2 255.255.255.0
    interface GigabitEthernet0/1
     nameif outside
     security-level 0
     ip address 192.168.11.2 255.255.255.0
    interface GigabitEthernet0/2
     nameif vpn
     security-level 0
     ip address 192.168.12.2 255.255.255.0
    object-group network Inside_LANs
     network-object 192.168.3.0 255.255.255.0
     network-object 192.168.4.0 255.255.255.0
     network-object 192.168.5.0 255.255.255.0
    access-list Inside-to-outside extended permit icmp object-group Inside_LANs any echo 
    access-list Inside-to-outside extended permit udp any host TimeServer eq ntp 
    access-list Inside-to-outside extended permit ip object-group Inside_LANs any 
    global (outside) 1 interface
    global (outside) 2 192.168.11.60 netmask 255.255.255.255
    nat (inside) 1 access-list Inside-to-outside
    nat (inside) 2 192.168.6.0 255.255.255.0
    static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255 
    static (inside,outside) 192.168.11.11 192.168.2.11 netmask 255.255.255.255 
    static (inside,outside) 192.168.11.12 192.168.2.12 netmask 255.255.255.255 
    route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
    route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
    route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
    route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
    route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
    route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1
    our problem is that packets are dropped from remote office to LAN, we are getting the rpf-check drop in packet tracer
    example 1 (to a server without NAT 192.168.2.13) ---> connection OK (not dropped)
    remote office 192.168.20.55 to 192.168.2.13
    Phase: 5
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    nat (inside) 1 access-list Inside-to-outside
      match udp inside any inside host TimeServer eq 123
        dynamic translation to pool 1 (No matching global)
        translate_hits = 0, untranslate_hits = 0
    Additional Information:
    example 2 (to a server with static NAT 192.168.2.10) ---> connection OK (not dropped)
    remote office 192.168.20.55 to 192.168.2.10
    Phase: 6
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255 
      match ip inside host 192.168.2.10 outside any
        static translation to 192.168.11.10
        translate_hits = 76643, untranslate_hits = 188597
    Additional Information:
    example 3 (to a host with dynamic ACL NAT 192.168.4.40) ---> connection NOK (dropped)
    remote office 192.168.20.55 to 192.168.4.40
    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    nat (inside) 1 access-list Inside-to-outside
      match ip inside 192.168.4.0 255.255.255.0 vpn any
        dynamic translation to pool 1 (No matching global)
        translate_hits = 1, untranslate_hits = 0
    Additional Information:
    example 4 (to a host with dynamic Network NAT 192.168.6.30) ---> connection NOK (dropped)
    remote office 192.168.20.55 to 192.168.6.30
    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    nat (inside) 2 192.168.6.0 255.255.255.0
      match ip inside 192.168.6.0 255.255.255.0 vpn any
        dynamic translation to pool 2 (No matching global)
        translate_hits = 117, untranslate_hits = 0
    Additional Information:
    Our questions:
    1) Why doesn't the ASA check the reverse path route before checking the NAT?
     If it does, the route back to the office is set to the "vpn" interface (route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1), so the ASA doesn't have to check NAT on another interface; currently it's checking the NAT on the "outside" interface even if it's not the route back to the office.
    2) Why is it working for static NAT servers and not working for the dynamic NAT ones?
    When the ASA checks a server with static NAT it finds a match on the outside interface, but even so it discards it and the connection works (example 2).
    When the ASA checks a server/host with dynamic NAT (ACL or Network) it finds a match on the outside interface but drops the connection.
    3) We know that this behavior can be solved by adding a NAT exception for the dynamic NAT on the "outside" interface (nat (inside) 0 access-list Inside-NAT-Exceptions), but:
    Why is the ASA checking the global NAT even if it's not the correct interface?
    Why is it working for static NAT and not working for the dynamic one?
    Thanks a lot

    Hi,
    It would be easier to troubleshoot if you shared the complete "packet-tracer" command you used and the full output of the command.
    But to me the situation in its current form looks the following.
    Example 1
    To me it seems this is working as it should. Connection is coming from "vpn" to "inside". There is no "static" configurations between "vpn" and "inside" and there is no "nat" command for "vpn" interface so the traffic should pass normally without any NAT related conflicts/problems as the traffic does not match any NAT configuration.
    Notice that the ASA might show some unrelated NAT information in the output of the "packet-tracer" command (commands related to other interfaces). In those NAT Phase sections there is a section saying "Additional Information:" If there is no text after this text that means that this NAT has not been applied. I am not sure why the ASA lists some NAT configurations in the output that are not related. I have seen this in many occasions and do not know the reason and I have not really put any time/effort into understanding why it shows the unrelated information in the output.
    Example 2
    This seems to be working as expected also.
    According to the configuration provided there is no existing NAT configurations related to either the source or destination IP address on the ASA between "vpn" and "inside" interface so the traffic passes through the ASA without facing any conflicts with NAT configurations.
    Again, the "packet-tracer" shows NAT information unrelated to this situation. And again the "Additional Information:" section lists no additional information so the NAT listed is not applied.
    Example 3 and 4
    These tests fail as expected since there is a Dynamic Policy PAT configuration for both internal destination hosts that the remote users are trying to connect to. The problem comes from the fact that the initial direction from remote to internal does not match any NAT configuration and the reverse direction from internal to remote matches the Dynamic Policy PAT and therefore the connection attempt is dropped. The connection must match the same NAT configuration on both directions.
    In this situation you would either have to configure NAT0, Static NAT, Static PAT or Static Policy NAT/PAT, which all would prevent the connection from matching the Dynamic Policy PAT (but would match the mentioned type of NAT in both directions as they have higher priority than Dynamic Policy PAT). Typically the preferred solution would be to use NAT0, though you naturally have the option to use a NAT address if there is any overlap.
    Hope this helps :)
    - Jouni

  • BIS and Sender Policy Framework

    I have a user that is using a BlackBerry Curve and is set up with AT&T BIS service and has no problems receiving messages. The company this person works for has an SPF policy ( http://en.wikipedia.org/wiki/Sender_policy_framework ) that restricts which servers can send out as the domain. The company will not modify their SPF record to include RIM's or the carrier's servers, and connecting the user to our BES service is unfortunately not an option. Our SMTP server is listed as a valid sender in this domain's SPF policy.
    Is there any way to specify a specific SMTP server for a device that is using the BIS service?
    Thanks in advance!!!


  • How to Configure Cisco ASA 5512 for multiple public IP interfaces

    Hi
    I have a new ASA 5512 that I would like to configure for multiple public IP support.  My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
    Here is my concept.    We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access.  We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
    I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections.  I have installed an add on license that allows multiple outside interfaces along with a number of other features.
    Outside Networks (I've changed the IPs for security purposes)
    Outside1 E 0/0 : 74.55.55.210  255.255.255.240 gateway 74.55.55.222
    Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
    Inside1 : E 0/1 192.168.255.1 255.255.248.0
    Inside2 : E 0/3 172.16.255.1 255.255.248.0
    My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2.    The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
    I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.   
    I can post my config up as needed.  I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app.  My ASA 5512 is at 9.1.   
    Thanks in advance for the suggestions/help

    I have been away for a while and am just getting caught up on some posts, so my apology for a delayed response.
    I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes using one process for each of the public address ranges and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP.
    To the original poster
    It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want, where a group of users will use a specified ISP and the other group of users will use the other ISP, you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
    HTH
    Rick

  • ASA access from inside to outside interface

    Hi
    We need to make access on our ASA device from inside network to outside interface.
    The situation is next:
    We have public external ip address and we need to access it from our inside network.
    Can you please tell me if it is possible to do this?
    Thank you.

    That's right, the solution is named Hairpinning aka U-turn.
    The dynamic rule was the one suggested in my first reply:
    global (inside) 1* interface           *Assume you are using number one

  • ASA 8.2(1) Global and NAT statements, natting certain internal hosts

    Hi, I have what I believe will be an easy question, but I cannot find the answer and cannot afford to test it on our production ASA.
    I am running an ASA firewall, we are performing PAT with one Public IP Address for all inside traffic accessing the Internet. We need to implement a solution where whenever two or three internal hosts/servers access the Internet, they need to appear to come from a unique public IP, different than the current Global IP for all other internal traffic. I understand I could NAT their Internal IP Address to a public IP, but I don't need each server to have its own public IP, I'd like for all of them to share one.
    Thoughts on how to accomplish this?  Thanks!

    Hi,
    To my understanding you would just create a new Dynamic PAT configuration using different NAT ID for these hosts.
    Though when you create a separate Dynamic PAT for some hosts with a new NAT ID you will have to make sure that this NAT ID has a rule towards any interface they had before.
    In a very basic setup there should only be Dynamic PAT between your "inside" and "outside" interfaces (presumed that's what they are called on your firewall)
    This would mean that if you had for example a network 10.10.10.0/24 and you performed Dynamic PAT for that network using the "outside" interface IP address you would then configure the following
    global (outside) 1 interface
    nat (inside) 1 10.10.10.0 255.255.255.0
    So the above is probably the type of configuration you have at the moment?
    For the 2/3 hosts you have that need a different PAT IP address you could probably configure something like this (1.1.1.1 is just an example IP instead of the actual public IP address that is different from the interface IP address)
    global (outside) 2 1.1.1.1
    nat (inside) 2 10.10.10.1
    nat (inside) 2 10.10.10.2
    nat (inside) 2 10.10.10.3
    If the original ID 1 NAT rule had "global" statements for some other interface then you would most likely need ID 2 configurations for those too. Though generally Dynamic PAT is only performed towards other external networks which usually means only the "outside" interface.
    Without seeing the configurations I don't think I can say much more.
    Naturally "packet-tracer" is an excellent command to confirm what NAT/PAT is applied for a host's connection.
    For example if you wanted to test host 10.10.10.1 applied ASA configurations/rules towards some external hosts you could issue this command
    packet-tracer input inside udp 10.10.10.1 12345 8.8.8.8 53
    This should tell you what NAT translation is performed for this traffic (it simulates a destination port UDP/53 connection towards 8.8.8.8). Naturally you can also confirm things through firewall logs and the translation table of the device.
    Active translations on the firewall you can show with the command
    show xlate
    It does have a lot of additional parameters after the "xlate" if you want to have more specific output
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni

  • Group Policy Management | No such interface supported

    Running Windows Server 2008 R2 as a Domain Controller and when I open Group Policy Management, click on a GPO, then click on the Settings tab, it pops up an error message that says "No such interface supported". I've found several articles that talk about registering .dll files and I've done that and nothing. I've uninstalled GPMC and reinstalled and that didn't fix anything. Can anyone help resolve this?

    Hi Jason,
    Before going further, do we have other domain controllers? If yes, does GPMC work correctly on these domain controller? GPMC reports the error "No Such interface supported" normally is due to a missing or corrupted Windows component.
    Besides, do we update the server to the latest? If not, we can update the server to the latest and then reinstall the GPMC to see if the issue persists.
    Best regards
    Frank Shen

  • EDN not available throws runtimeFault - Fault Policy Framework unable to catch it

    Hi Team,
    I have been working on some error handling scenarios for EDN .
    From my observation if BPEL is used to publish the event, BPEL Fault policy cannot catch EDN errors (e.g., EDN unavailable) but BPEL catch activity can catch it.
    Steps performed :
    1. Create a BPEL to publish the event to EDN.
    2. Create fault policy to catch BPEL runtime fault.
    3. Go to weblogic console to change EDNdatasource target to get "EDN datasource not available error".
    4. Test your BPEL.
    My requirement is to retry such faults and invoke human intervention after retry failure using BPEL.
    Please let me know how to achieve this

    Follow the oracle documentation
    - http://docs.oracle.com/cd/E28271_01/dev.1111/e10224/bp_faults.htm#BABIGGIB
    *The fault management framework catches all faults (business and runtime) for an invoke activity.*
    Hope that helps.
    P.S. The fault management framework's main purpose is to define enterprise-wide standard policies to handle the faults that will be applied to various/all composites. Hence your specific fault that is specific to a composite should not creep into the fault management framework as this is not the enterprise standard, i.e., every composite may have to handle the invalid variable, based on where it occurred and for what variable it occurred.

  • Manage ASA via VPN on its outside interface

    I have a few ASAs in region offices, connected to the headquarters ASA via IPsec P2P VPNs through the internet. VPN is set up on the outside interfaces of those ASAs. Now my trouble is to manage those region offices' ASAs from the headquarters network. I cannot directly connect to any of those remote ASAs; I have to log on to a remote switch behind them, then log on to the remote ASA. My syslog and network management servers are all in the headquarters network, none of them can talk to remote ASAs, unless I let them do it on public IPs.
    How can I manage(snmp, syslog, etc) a remote ASA through the IPsec VPN tunnel setup on its outside interface?
    I am thinking add the outside interface public IP into the ACL for VPN Phase 2 crypto map.  Will it work?
    Cisco Supermen have an idea?
    Thanks a lot.

    I am by no means any Superman, but I think I can help.
    You can actually configure all the SSH, SNMP, Syslog using the ASA inside interface, and that would be part of the interesting crypto ACL traffic (assuming that the crypto ACL includes the ASA inside interface subnet).
    Eg:
    For SSH:
    ssh inside
    For Syslog:
    logging host inside
    For SNMP:
    snmp host inside
    Plus, you would also need to configure: management-access inside on all your regional offices ASA.
    Hope that helps.

  • BPEL 10.1.3.5: Fault policy framework: has retryCount a maximum of 50?

    Hello,
    I configured the fault policy with the following values:
    <Action id="ora-retry">
    <retry>
    <retryCount>60</retryCount>
    <retryInterval>1</retryInterval>
    </retry>
    </Action>
    But when I look at the audit-tab in the BPEL-Console, I see only 50 retries, until the action fails.
    Has retryCount a maximum of 50 retries?
    Best regards and thanks for your help
    Friedrich

    Hi again.
    Has anyone been able to use any kind of Xpath function inside a policy file? If so, could you please share the code fragment including the namespace declarations and the conditions?
    Does anyone know if Fault Management Framework at least support the use of Xpath functions?
    Thanks.
    Denis

  • "mpls ip" global vs interface level command

    What is the purpose of "mpls ip" global command? I think just enabling mpls on an interface by using "mpls ip" should be sufficient, but then what is the purpose of the global level command?

    Usage Guidelines
    Globally enabling MPLS forwarding does not enable it on the interfaces. You must enable MPLS forwarding on the interfaces separately.
    MPLS forwarding of packets along normally routed paths (also called dynamic label switching) is enabled by this command. For a given interface to perform dynamic label switching, this switching function must be enabled.
    The no form of this command stops dynamic label switching for all the interfaces regardless of the interface configuration; it also stops distribution of labels for dynamic label switching. However, the no form of this command does not affect the sending of labeled packets through the LSP tunnels.
    link:
    http://www.cisco.com/c/en/us/td/docs/optical/cpt/r9_3/command/reference/cpt93_cr/cpt93_cr_chapter_010.html#wp1254011620
    HTH

  • Global vs interface switch command

    Hello, if I have a command globally which applies on all switch ports but then I want to configure one port with a different command, not apply the global command on the switch. When I configure that port, will the new command configured for that port take effect and disregard the global command that was applied on the other ports?

    Well without testing and not knowing more details about what command you wish to try - I think that more specific (in this case interface command) will take precedence above global one...
    Please do some testing - in this particular case it's about a 5min job...
    BR,
    Dragan
