SVI Policy Configuration

Here are the main points to keep in mind:

  • The configuration requires a nested policy-map
  • The policy-map applied to the SVI references another policy map that actually does the policing
  • Do not forget to enable vlan-based QoS on the appropriate range of ports
  • In the parent policy-map, you must perform some action (besides calling another policy map)

In order to configure policing on a Switched Virtual Interface (SVI or VLAN interface), here is a sample configuration:

Notice that we set the DSCP value in the parent policy-map in order to meet the requirement of "performing some action". Also remember that both of the sample configurations above require mls qos to be configured globally on the device.
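As an added example (not the post's own configuration), here is how the nested policy-map described above fits together on a Catalyst 3560/3750-style switch; the ACL, class-map, policy-map and interface names are assumed:

```cisco
! Added example, not from the original post. Assumes a Catalyst 3560/3750-style
! platform; every ACL, class-map, policy-map and interface name here is made up.
mls qos
!
ip access-list extended CUSTOMER-TRAFFIC
 permit ip 10.100.0.0 0.0.255.255 any
!
! Classifier used by the parent policy-map (the one applied to the SVI)
class-map match-all CM-CUSTOMER
 match access-group name CUSTOMER-TRAFFIC
!
! Classifier used by the child policy-map: on this platform the child
! (port-level) policy may only classify on input interfaces
class-map match-all CM-ACCESS-PORTS
 match input-interface fastethernet0/1 - fastethernet0/12
!
! Child policy-map: this is the one that actually does the policing
! (police is the only action permitted here)
policy-map PM-PORT-POLICE
 class CM-ACCESS-PORTS
  police 10000000 16000 exceed-action drop
!
! Parent policy-map: must take some action of its own (here: set dscp)
! in addition to referencing the child policy-map
policy-map PM-VLAN100
 class CM-CUSTOMER
  set dscp af31
  service-policy PM-PORT-POLICE
!
interface Vlan100
 service-policy input PM-VLAN100
!
! Without vlan-based QoS on the member ports the SVI policy never sees the traffic
interface range FastEthernet0/1 - 12
 switchport access vlan 100
 mls qos vlan-based
```

show mls qos interface fastethernet0/1 reports whether the port is in vlan-based mode, which is the first thing to check when the SVI policy appears to have no effect.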


Switching Misc. 1

To authenticate 802.1x clients:
SW1(config)# dot1x system-auth-control
SW1(config)# aaa new-model
SW1(config)# aaa authentication dot1x default group radius
SW1(config)# radius-server host 150.100.220.100 key ipexpert
  • When a PC doesn’t support EAP, it can be placed in a guest-vlan:
    dot1x guest-vlan 200
  • When authentication fails:
    dot1x auth-fail vlan 100

The port-security MAC address table won't survive a reload unless the "sticky" parameter is used.

switchport protected: the protected ports cannot communicate with one another, even though they are in the same VLAN

Assign a static switching table entry:
SW1(config)# mac-address-table {dynamic | static | secure} mac-addr {vlan vlan-id} {interface int1 [int2 … int15] [protocol {ip | ipx | assigned}]

If the destination port is a trunk, you must also specify the destination VLAN number vlan-id.

Set the switching table aging time:
SW1(config)# mac-address-table aging-time seconds [vlan vlan-id]

For VLAN number vlan-id (2 to 1001), entries are aged out of the switching table after the given number of seconds (0, or 10 to 1,000,000; default 300 seconds). A value of 0 disables the aging process. The VLAN number is optional; if it is not specified, the aging time is modified for all VLANs.

Optimize the port as a connection to a single host:
SW1(config-if)# switchport host

Several options are set for the port: STP PortFast is enabled, trunk mode is disabled, EtherChannel is disabled, and no dot1q trunking is allowed.


VTP

CDP v2 advertises the VTP domain too. To disable this: no cdp advertise-v2

The VTP version can't be changed in Client mode.

VTP Pruning is only implemented on VTP Server nodes.

The VTP pruning-eligible list is configured on trunk interfaces (switchport trunk pruning …).

VLANs that are not in the pruning-eligible list are never pruned.

VTP pruning can only be modified in server mode.

VTP pruning is propagated to clients too.

The VTP mode can't be set to server when VLANs already exist.

Version-dependent transparent mode

In VTP version 1, a VTP transparent switch inspects VTP messages for the domain name and version and forwards a message only if the version and domain name match. Because only one domain is supported in the Supervisor engine software, VTP version 2 forwards VTP messages in transparent mode without checking the version.


802.1Q Tunneling (Q-in-Q)

interface FastEthernet0/1
 switchport access vlan 100
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
 no cdp enable

The access VLAN, here called the Tunnel-Tag, must exist in the transit path.

In a scenario where EtherChannel is implemented between two 802.1q customers and there is more than one switch in the transit path, and each CE switch has, for example, 3 different links to the CE node, each PE-to-CE link should be assigned to a different VLAN.

Also, the transit path should be made up of trunk links that carry the Tunnel-Tag VLANs.
