Downstream switches inherit timers from the root (of each VLAN)
debug spanning-tree event // root port, cost, state, TCN
- BPDUgurad blocks incoming BPDUs.
- BPDUfilter blocks outgoing BPDUs.
bpdufilter default and
bpduguard default work in conjunction with
spanning-tree guard loop is similar to UDLD, but users STP BPDU keepalive.
show spanning-tree mst [detail]
In MST, load-balancing with cost/port-priority is the same as CST, PVST.
spanning-tree mst 1 cost 1
spanning-tree mst 2 port-p 0
All switches in the L2 transit path should know about the RSPAN remote-vlan, and the interconnections should be trunk. Remember to remove pruning for RSPAN VLAN from trunks.
IPphone tags voice traffic with CoS 5.
switchport priority extended cos 1
show mls qos interface f0/1
switchport voice vlan dot1p instructs the IP-phone to apply VLAN0 and CoS 5, so both Voice & Data share the same VLAN.
switchport voice vlan automatically applies portfast.
mls qos trust device cisco–ipphone means only trust CoS if received from IP-phone which is detected by CDP.
switchport backup interface Fa0/16
switchport backup interface Fa0/16 preemption mode forced
switchport backup interface Fa0/16 preemption delay 20
Fallback Bridging is the concept of bridging non-routed protocols between SVIs or native L3 router interfaces on switches. Similar to CBR and IRB on routers.
bridge 1 protocol vlan-bridge
- PVLAN requires Transparent VTP mode.
- Whenever a task asks us to optimize a switch for memory or routing, it means “sdm prefer routing“
- Macros do not accept “interface range”!
- When filtering traffic using mac-access-list remember to allow Spanning-tree and ARP stuff!
standby use-bia : not using the vMAC
standby version 2 : Uses 188.8.131.52 for inter-router communications instead of 184.108.40.206
standby 1 ip 220.127.116.11
standby 1 priority : default is 100
standby 1 : not default
standby 1 track 1 decrement // same as standby 1 track Serial0/1/0 20
Remember to add static arp for hosts when filtering ARP in LAB exam. (
Policy-maps do indeed have the ability to be nested inside other policy maps. When we engage in this nesting behavior, we refer to the policy as a hierarchical policy. This is typically done to configure multiple treatments to QoS. For example – we might want to traffic-shape all traffic to 3 MB; and then inside that 3 MB shaped traffic, guarantee Web traffic at least 1 MB of bandwidth.
Remember, we use a service-policy (normally done with interfaces) to assign the QoS policies that we define inside the policy-map.
With the nesting of policy maps, there are some restrictions that you should be aware of. For example:
set command is not supported on the child policy
priority command can be used in either the parent or the child policy, but not both
fair-queue command cannot be used in the parent
Here is an example of nesting policy maps:
match protocol http
Verifying your policy-map, is very simple thanks to the following show commands:
show policy-map interface int_name
A two-way community acts like a regular community but has the additional aspect of allowing access control lists to check traffic going to and from (two ways) the VLAN and provides enhanced security within a private VLAN.
To configure PVLAN, VTP should be in transparent mode.
- Create primary private-vlan
- Create isolated/community VLAN
- Associating isolated/community VLANs to primary
- Configure spanning-tree mode and associating ports to PVLANs
- Mapping PVLANs under the primary VLAN interface
- To verify:
show interface [primary PVLAN] private-vlan mapping
IPExpert, Vol.1, 2.28
You must configure VTP to transparent mode before you can create a private VLAN.
Private VLANs are configured in the context of a single switch and cannot have members on other switches. Private VLANs also carry TLVs that are not known to all types of Cisco switches.
SWITCH(config)# vlan primary_number
SWITCH(vlan-config)# private-vlan primary
SWITCH(config)# vlan secondary_number
SWITCH(vlan-config)# private-vlan [isolated | community]
SWITCH(config)# vlan primary_number
SWITCH(vlan-config)# private-vlan association secondary_number_list [add secondary_number_list]
SWITCH(config)# interface type mod/port
SWITCH(config-if)# switchport mode private-vlan host
SWITCH(config-if)# switchport mode private-vlan host-association primary_number secondary_number
SWITCH(config)# interface type mod/port
SWITCH(config-if)# switchport mode private-vlan promiscuous
SWITCH(config-if)# switchport mode private-vlan mapping primary_number secondary_number
SWITCH(config)# interface primary_number
SWITCH(config-if)# ip address address mask
SWITCH(config-if)# private-vlan mapping primary_number secondary_number
show vlan private-vlan type
show interface private-vlan mapping
show interface type mod/port switchport
How to block cisco.com/go/support using QoS matching DNS name, while allowing the web access to the host like cisco.com:
class-map match-all TEST
match protocol http host "*cisco.com\/support*"
service-policy output NBAR
How to read the output of CoS-DSCP map
Switch# show mls qos maps dscp-cos
d1 : d2 9
0 : 00 00 00 00 00 00 00 00 01 01
1 : 01 01 01 01 01 01 02 02 02 02
2 : 02 02 02 02 03 03 03 03 03 03
3 : 03 03 04 04 04 04 04 04 04 04
4 : 05 05 05 05 05 05 05 05 06 06
5 : 06 06 06 06 06 06 07 07 07 07
6 : 07 07 07 07
d1 is digit-one of the dscp, d2 is digit-two of the dscp. The intersection of the two digits gives the cos value for that particular dscp value.
e.g. for dscp 46, we can see the cos value is 05, while dscp 48 has cos 06 and dscp 64 is not shown as it is invalid.
Q: When I set
priority-list 1 queue-limit 5 45 66 80 (I am setting the priority queue to 5 packets) I would think I would want this to be my highest #. In short I don’t think I understand this concept. If I set the priority queue to 80, then my priority traffic could accept 80 packets before it moves to the next queue. I would think this would be a good thing. I am sure I am not seeing this the right way. Can somebody explain please?
A: The queue-limit is simply how many packets each queue will hold. That is, the size of the queue.
With priority queuing, the scheduler will always try to empty the higher queues first before moving to the next-highest.
Ex. empty the high queue first, then medium queue, then normal queue and then finally low queue.
That’s why texts often mention the possibility of queue starvation.
When you have congestion on the interface, (which is the only situation you would engage the software queues) you would want your high priority traffic sent first.
You can set the limit (size) to whatever you want, but if you classify your traffic incorrectly, or rather too “loose”, putting too much into the high priority queue, you would end up servicing this queue all the time.
Tail drop should occur when you can’t “buffer” any more data, yes.
PQ is a double edged sword in my opinion.
Here are the main points to keep in mind:
- The configuration requires a nested policy-map
- The policy-map applied to the SVI references another policy map that actually does the policing
- Do not forget to enable vlan-based QoS on the appropriate range of ports
- In the parent policy-map, you must perform some action (besides calling another policy map)
In order to configure policing on a Switched Virtual Interface (SVI or VLAN interface), here is a sample configuration:
CAT2(config)#int range fa0/1 – 5
CAT2(config-if-range)#mls qos vlan-based
CAT2(config)#access-list 100 permit udp any any range 16384 32767
CAT2(config-cmap)#match access-group 100
CAT2(config-cmap)#match input-interface fa0/1 - fa0/5
CAT2(config-pmap-c)#police 256000 8000 exceed-action drop
CAT2(config-pmap-c)#set dscp 46
CAT2(config)#int vlan 100
CAT2(config-if)#service-policy input VLAN
Notice we set the DSCP value in the parent policy map in order to meet the requirement of “performing some action!” Also remember, both of the sample configurations above require mls qos configured globally on the device.