IPX Vol.1 Switching Notes

Downstream switches inherit timers from the root (of each VLAN)

  • BPDUgurad blocks incoming BPDUs.
  • BPDUfilter blocks outgoing BPDUs.
  • bpdufilter default and bpduguard default work in conjunction with portfast default.
  • spanning-tree guard loop  is similar to UDLD, but users STP BPDU keepalive.
show spanning-tree mst [detail]
In MST, load-balancing with cost/port-priority is the same as CST, PVST.
interface f0/0
spanning-tree mst 1 cost 1
spanning-tree mst 2 port-p 0

All switches in the L2 transit path should know about the RSPAN remote-vlan, and the interconnections should be trunk. Remember to remove pruning for RSPAN VLAN from trunks.

IPphone tags voice traffic with CoS 5.

switchport voice vlan dot1p instructs the IP-phone to apply VLAN0 and CoS 5, so both Voice & Data share the same VLAN.

switchport voice vlan  automatically applies portfast.

mls qos trust device ciscoipphone means only trust CoS if received from IP-phone which is detected by CDP.

Fallback Bridging is the concept of bridging non-routed protocols between SVIs or native L3 router interfaces on switches. Similar to CBR and IRB on routers.

bridge 1 protocol vlan-bridge
interface f0/1
 bridge 1
  • PVLAN requires Transparent VTP mode.
  • Whenever a task asks us to optimize a switch for memory or routing, it means “sdm prefer routing“
  • Macros do not accept “interface range”!
  • When filtering traffic using mac-access-list remember to allow Spanning-tree and ARP stuff!


  • standby use-bia  : not using the vMAC
  • standby version 2  : Uses for inter-router communications instead of
standby 1 ip
standby 1 priority  : default is 100
standby 1  : not default
standby 1 track 1 decrement  // same as  standby 1 track Serial0/1/0 20

Remember to add static arp for hosts when filtering ARP in LAB exam. (show arp)

Share this!

Nested Policy-map

Policy-maps do indeed have the ability to be nested inside other policy maps. When we engage in this nesting behavior, we refer to the policy as a hierarchical policy. This is typically done to configure multiple treatments to QoS. For example – we might want to traffic-shape all traffic to 3 MB; and then inside that 3 MB shaped traffic, guarantee Web traffic at least 1 MB of bandwidth.

Remember, we use a service-policy (normally done with interfaces) to  assign the QoS policies that we define inside the policy-map.

With the nesting of policy maps, there are some restrictions that you should be aware of. For example:

  • The set command is not supported on the child policy
  • The priority command can be used in either the parent or the child policy, but not both
  • The fair-queue command cannot be used in the parent

Here is an example of nesting policy maps:

Verifying your policy-map, is very simple thanks to the following show commands:

show policy-map
show policy-map interface int_name
Share this!

Private VLAN

  • Members of an isolated VLAN can only communicate with the promiscuous ports mapped
  • Members of a community VLAN can communicate with members of the same community and the promiscuous ports.

A two-way community acts like a regular community but has the additional aspect of allowing access control lists to check traffic going to and from (two ways) the VLAN and provides enhanced security within a private VLAN.

To configure PVLAN, VTP should be in transparent mode.

  1. Create primary private-vlan
  2. Create isolated/community VLAN
  3. Associating isolated/community VLANs to primary
  4. Configure spanning-tree mode and associating ports to PVLANs
  5. Mapping PVLANs under the primary VLAN interface
  6. To verify: show interface [primary PVLAN] private-vlan mapping

IPExpert, Vol.1, 2.28

You must configure VTP to transparent mode before you can create a private VLAN.
Private VLANs are configured in the context of a single switch and cannot have members on other switches. Private VLANs also carry TLVs that are not known to all types of Cisco switches.


SWITCH(config)# vlan primary_number
SWITCH(vlan-config)# private-vlan primary
SWITCH(config)# vlan secondary_number
SWITCH(vlan-config)# private-vlan [isolated | community]
SWITCH(config)# vlan primary_number
SWITCH(vlan-config)# private-vlan association secondary_number_list [add secondary_number_list]
SWITCH(config)# interface type mod/port
SWITCH(config-if)# switchport
SWITCH(config-if)# switchport mode private-vlan host
SWITCH(config-if)# switchport mode private-vlan host-association primary_number secondary_number
SWITCH(config)# interface type mod/port
SWITCH(config-if)# switchport
SWITCH(config-if)# switchport mode private-vlan promiscuous
SWITCH(config-if)# switchport mode private-vlan mapping primary_number secondary_number
SWITCH(config)# interface primary_number
SWITCH(config-if)# ip address address mask
SWITCH(config-if)# private-vlan mapping primary_number secondary_number
show vlan private-vlan type
show interface private-vlan mapping
show interface type mod/port switchport
Share this!

QoS Misc. 1 Q/A

How to block cisco.com/go/support using QoS matching DNS name, while allowing the web access to the host like cisco.com:

How to read the output of CoS-DSCP map

d1 is digit-one of the dscp, d2 is digit-two of the dscp. The intersection of the two digits gives the cos value for that particular dscp value.
e.g. for dscp 46, we can see the cos value is 05, while dscp 48 has cos 06 and dscp 64 is not shown as it is invalid.

Priority Queuing

Q: When I set priority-list 1 queue-limit 5 45 66 80 (I am setting the priority queue to 5 packets) I would think I would want this to be my highest #. In short I don’t think I understand this concept. If I set the priority queue to 80, then my priority traffic could accept 80 packets before it moves to the next queue. I would think this would be a good thing. I am sure I am not seeing this the right way.  Can somebody explain please?

A: The queue-limit is simply how many packets each queue will hold. That is, the size of the queue.
With priority queuing, the scheduler will always try to empty the higher queues first before moving to the next-highest.
Ex. empty the high queue first, then medium queue, then normal queue and then finally low queue.
That’s why texts often mention the possibility of queue starvation.
When you have congestion on the interface, (which is the only situation you would engage the software queues) you would want your high priority traffic sent first.
You can set the limit (size) to whatever you want, but if you classify your traffic incorrectly, or rather too “loose”, putting too much into the high priority queue, you would end up servicing this queue all the time.
Tail drop should occur when you can’t “buffer” any more data, yes.
PQ is a double edged sword in my opinion.

Share this!

SVI Policy Configuration

Here are the main points to keep in mind:

  • The configuration requires a nested policy-map
  • The policy-map applied to the SVI references another policy map that actually does the policing
  • Do not forget to enable vlan-based QoS on the appropriate range of ports
  • In the parent policy-map, you must perform some action (besides calling another policy map)

In order to configure policing on a Switched Virtual Interface (SVI or VLAN interface), here is a sample configuration:

Notice we set the DSCP value in the parent policy map in order to  meet the requirement of “performing some action!” Also remember, both of the sample configurations above require mls qos configured globally on the device.

Share this!