Can a Catalyst switch terminate a QinQ (double vlan tagged) connection on an SVI?

Similar Messages

• HT1695 Anyone else having issues with not being able to get wifi on their iPhone 4S? I can't even switch the wifi button to try and connect to my wifi at home but my iPad still uses the wifi just fine.

  I can't even switch the wifi button to try and connect to my wifi at home but my iPad still uses the wifi just fine.

  Thank you, I am trying to last option now. Resetting my network settings and if that still doesn't work ill have to go in to the apple store. Hopefully I won't need a new phone because I'm already at my limit with replacements on my AppleCare even though the issue with the phones 3 out of 4 times wasn't my fault and I can't afford to buy another phone.

• Can MPLS aware Netflow ver. 9 be enabled on the catalyst switches 6500

  HI, I'm working for KOREA TELECOM, and currently providing MPLS VPN.
  We're planning to provide our customer with traffic report using NetFlow..
  I read some documents which reads Netflow ver.9 can be enabled on Cisco GSR 12000 Series, but no mention about catalyst switches. So, I ' m curious about that Netflow ver 9 can be activated on catalyst 6500 series.. because the point where switch is located already have mpls encapsulated packet ( mpls vpn packet).
  Thank you , in advance.

  NetFlow is now integral to Cisco 6500. A configuration we recommend is as below:
  mls netflow     // This enables NetFlow on the Supervisor.
  mls nde sender version 7
  mls aging long 64  // This breaks up long-lived flows into (roughly) one-minute segments.
  mls aging normal 32  // This ensures that flows that have finished are exported in a timely manner.
  mls flow ip interface-full
  mls nde interface
  The  next two commands will help to enable NetFlow data export for  bridged  traffic which is optional. You can specify the list of VLANs  here to  enable bridged traffic.
  ip flow ingress layer2-switched vlan
  ip flow export layer2-switched vlan
  Apart from this, NetFlow has to be enabled on the MSFC using the below commands.
  ip flow egress       // This command has to be executed on all the L3/VLAN interfaces.
  ip flow-export destination {hostname|ip_address} 9996  // The hostname or IP address of the flow server
  ip flow-export source {interface} // The interface through which NetFlow packets are exported. eg: Loopback0
  ip flow-export version 9
  ip flow-cache timeout active 1
  snmp-server ifindex persist
  The new Cisco Flexible NetFlow actually allows for export of MPLS specific information (I believe it is stack lables) in addition to information on IP Address, port, etc. But you will need a tool that can support these additional fields. Otherwise you can view IP, port, protocol, etc related information from MPLS links.
  Regards,
  Don Thomas Jacob
  ManageEngine NetFlow Analyzer

• Can SG300 connect with Catalyst Switch on PVST+ mode ?

    Our customer use catalyst switch that spanning tree be PVST+ mode.I take SG300 connect with this catalyst switch.Does it support ?If it support,how to config on SG 300 ?

  PVST+ work with will all available spanning tree versions on the SG 300.  The SG 300 can support "classic" STP, MST and RSTP.
  See this discssion for specifics on the interaction between the STP versions https://supportforums.cisco.com/thread/162644
  Regards,
  T.

• Can you tell the IP address of a device attached to a 6500 Catalyst Switch

  I have devices attached to a Catalyst switch, and I wanted to find out which device is attached where by checking the IP address of a specific device attached to a port. The ARP tables don't show any devices. Anyone know a quick/dirty way to do this?

  The arp table on your switch does not show this as the switch does not talk to devices directly and thus does not need this information. Do this:
  - From the switch ping devices you want to find where attached to.
  - type "sh arp" on the switch. This time it will contain the information you need.
  Similar to this:
  switch6500> (enable) sh arp
  ARP Aging time = 1200 sec
  + - Permanent Arp Entries
  * - Static Arp Entries
  10.0.0.1 at xx-xx-xx-xx-xx-xx port 1/1 on vlan 15
  10.0.0.30 at yy-yy-yy-yy-yy-yy port 1/1 on vlan 15
  switch6500> (enable) ping 10.0.0.20
  ----10.0.0.20 PING Statistics----
  5 packets transmitted, 5 packets received, 0% packet loss
  round-trip (ms) min/avg/max = 1/1/1
  switch6500> (enable) sh arp
  ARP Aging time = 1200 sec
  + - Permanent Arp Entries
  * - Static Arp Entries
  10.0.0.1 at xx-xx-xx-xx-xx-xx port 1/1 on vlan 15
  10.0.0.30 at yy-yy-yy-yy-yy-yy port 1/1 on vlan 15
  10.0.0.20 at zz-zz-zz-zz-zz-zz port 3/22 on vlan 15
  switch6500> (enable)

• I don't understand correlation between ACL and dACL. If dACL is downloaded to the Catalyst switch what is the status of the ACL

  Understanding  ISE and dACL.
   I don't understand correlation between ACL and dACL.
   If dACL is downloaded to the Catalyst switch what is the status of the ACL attached to physical port. Is dACL appended to the existing ACL? When I typed ‘sh ip access-list int fa0/1’ I can see only dACL for access domain and dACL for voice domain appended to the previous dACL and no ACL lines.
   Regards,
  Vice

  Hi,
  Downloadable ACLs (dACL) are applied from your RADIUS server based on authentication and authorization policies.  It overrides any standard interface ACL.
  Standard interface ACLs are in place to limit traffic on the port before 802.1x or MAB authentication.
  When an authenticated session terminates on the interface the standard ACL will be re-applied until the next authentication.

• The difference between VTP server and transparent mode on Catalyst Switch.

  Hello 
  I have a question about the difference between VTP server mode and VTP transparent mode on general catalyst switch.
  Basically VTP server mode can create and modify VLAN configuration but  actually there is not any VLAN configuration through running-config, is it true?  When I checked it on Cat3550, certainly there is not VLAN configuration on VTP server mode. But VTP transparent can create VLAN and configuration but does not synchronize with other switch VLAN status. I appreciate any related information and reason of the VTP server mode specification, thank you very much.
  [VTP Transparent mode]
  3550#sh vtp status
  VTP Version                     : 2
  Configuration Revision          : 0
  Maximum VLANs supported locally : 1005
  Number of existing VLANs        : 27
  VTP Operating Mode              : Transparent
  VTP Domain Name                 :
  VTP Pruning Mode                : Disabled
  VTP V2 Mode                     : Disabled
  VTP Traps Generation            : Disabled
  *omit
  3550#
  3550#sh run
  Building configuration...
  *omit
  vlan 99
   name TEST-VLAN
  [VTP Server mode]
  3550#sh vtp status
  VTP Version                     : 2
  Configuration Revision          : 0
  Maximum VLANs supported locally : 1005
  Number of existing VLANs        : 27
  VTP Operating Mode              : Server
  VTP Domain Name                 :
  VTP Pruning Mode                : Disabled
  VTP V2 Mode                     : Disabled
  VTP Traps Generation            : Disabled
  *omit
  3550#
  3550#sh run
  Building configuration...
  *no VLAN like above configuration on VTP transparent mode.
  Best Regards,
  Masanobu Hiyoshi

  Hi mhiyoshi,
  3550#sh vtp status
  VTP Version                     : 2
  Configuration Revision          : 0
  Maximum VLANs supported locally : 1005
  Number of existing VLANs        : 27
  VTP Operating Mode              : Transparent
  VTP Domain Name                 :
  VTP Pruning Mode                : Disabled
  VTP V2 Mode                     : Disabled
  VTP Traps Generation            : Disabled
  *omit
  3550#
  3550#sh run
  Building configuration...
  *omit
  vlan 99
   name TEST-VLAN
  The above out put indicates that Vlan is created and then mode changed to transparent. i.e why revision no is 0.
  3550#sh vtp status
  VTP Version                     : 2
  Configuration Revision          : 0
  Maximum VLANs supported locally : 1005
  Number of existing VLANs        : 27
  VTP Operating Mode              : Server
  VTP Domain Name                 :
  VTP Pruning Mode                : Disabled
  VTP V2 Mode                     : Disabled
  VTP Traps Generation            : Disabled
  *omit
  3550#
  3550#sh run
  Building configuration...
  *no VLAN like above configuration on VTP transparent mode.
  This indicates that vlan never created in server mode nor learnt from another switch as revision no is 0

• The difference of the IEEE802.1x Auth between Cisco Routers and Catalyst switches

  Hello
  I am investigating the difference of the IEEE802.1x Auth between Routers and Switches.
  Basically dot1x auth is availlable on Catalyst Switches. however if I want to check to
  PortBased Multi-Auth , MAC address Auth and any certification Auth with this feature,
  Is it possible to integrate into Cisco Router such as Cisco 891F ?
  In my opinion Cisco891F is also available to use basic IEEE802.1x but if it compares with Catalyst switches such as Cat3560X
  I think there might be any unsupported feature on Cisco 891F.
  I appreciate any information. thank you very much in advance.
  Best Regards,
  Masanobu Hiyoshi

  Many time in interviews asked comaprison between cisco  routers and switches that i was answerless bcoz i dont have much knowledge about that.Can anyone provide me the compariosin sheet of the same.how are the cisco devices differ with each other how much Bandwidth each routres support and Etc...
  Ummmm ... The most common question I get is "what is the difference between a router and a switch".
  However, if you get a question like this, then my impression to this line of questioning are:
  1.  The candidate they are looking for has in-depth knowledge of routers and switches.  And I mean IN-DEPTH!;
  2.  They are not looking for a candidate.  They just want to stroke their ego.  There is not alot of people who can give you the "names and numbers" of routers and switches at a snap of a finger.  And if you do happen to know the answer, then and there, then expect a tougher follow-up question. 

• TCP delay on catalyst switch

  i experienced a TCP delay on catalyst 4506, avoid the problem when i replaced 4506's with dummy unmanaged switches.
  i used two PCs(PC 1 and PC 2) and two 4506 switches (S1 and S2)
  PC 1 is connected to S1 (fast ethernet port)
  PC 2 is connected to S2 (fast ethernet port)
  S1 is connected to S2 (SFP gigabit ethernet port)
  -I started continuous UDP,TCP,MULTICAST and PING from PC1 to PC2
  -I unplugged link between Switch 1 and Switch 2
  all communication stopped.
  -I plugged link between Switch 1 and Switch 2
  -UDP,MULTICAST and PING started immediately but TCP started with approximately 15 seconds delay. :-(
  I repeated same procedure with unmanaged dummy switches instead of 4506, there wasnt 15 seconds delay. TCP showed up in 1 second.
  How can I avoid TCP delay on catalyst switches? Probably some tuning with configuration would do the job?
  tx for helping

  hi gp and thank you very much for responding to this unusual problem.
  - switch ports to the PCs are configured as portfast.
  - switch ports between two catalyst switches are not configured (default)
  - i didnt use the 'switchport access' command since they are default layer 2 interfaces. would 'switchport access vlan 1' command make any difference?
  - i looked at the port status and confirmed connection is 100 mbps full duplex.
  unusual issue is; ping, udp, multicast shows up in a very short time after I re-plug the uplink. that proves all ports are in forwarding state. only TCP shows up with delay, which doesnt occur on 200 $ unmanaged switch??
  thanks in advance for any suggestions

• Differences between MSFC1 and MSFC2 in Catalyst switches

  Hi,
  Want to know the differences between MSFC1 and MSFC2 in Catalyst switches.

  Hi,
  There is not much difference between MSFC1 and MSFC2, the main difference is how the MSFCs send the hardware programming to the PFC. The MSFC1 uses MLS to program the hardware by using the first packet of the traffic. While the MSFC2 uses CEF-based MLS to program the PFC so that the supervisor can make the hardware switching of the packet. NOtice the difference if the MSFC1 needs to see the first packet while the MSFC2, in theory will not need to see a first packet as it uses the CEF routing table to program the PFC2. Now, the kicker, if MSFC2 in sup1A , all this CEF-based MLS is not used since it needs PFC2 to be able to do this. Sup1A does not come with PFC2 only Sup2 comes with PFC2. The MSFCs gives the Cat6K a L3 ability and it's important but the switching performance of the switch depends on the PFC.
  Here is a link on MSFC2 data sheet:
  http://www.cisco.com/en/US/products/hw/switches/ps708/products_data_sheet09186a00800887fd.html
  Please rate helpful posts.

• Trying to make a photobook but can't get pages to open by double clicking. Photos from Iphoto 9.6. Help anybody?

  Trying to make a photobook but can't get pages to open by double clicking. Photos from Iphoto 9.6. Help anybody?

  What do you mean? Are you not able to switch from "All pages" view of the book to a single page view by double-clicking a selected page? Or what is the problem?
  Or can you not open the book at all from the source list?

• Dacl on ACS 5.1 and Catalyst switch 3560

  Dear all
  I have ACS 5.1 and Catalyst switch 3560 with version 12.2(53)SE. I configure a dacl on the ACS and I use it on authorization profile.
  This authrization profile is used on access policy.
  I tried the authentication but it doesn't work. I checked the ACS logs and I found that the user is authenicated successfuly but the dacl gives this error (The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected)
  Steps:
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  11025  The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected
  11003  Returned RADIUS Access-Reject
  DACL:
  deny ip host 1.2.3.4 1.2.3.0 0.0.0.255 log
  permit ip any any log
  Thanks on advance,

  Dear Tiago
  I applied the command "radius-server vsa send". Now I can see the dacl is applied but I can't see it on the switch and even the authentication is succueeded ont the ACS logs but it give me unauthoized on the switchport. You can see the logs( started with the username acstest and the access-list is applied but it doesn't work and you can see theat it goes for mab after eap timed out). I hope you can help on this issue.
  Dec 13,10 10:29:00.513 AM
  00-23-AE-7A-58-A6
  00-23-AE-7A-58-A6
  Default Network Access
  Lookup
  Dot1x-3560-Switch
  1.2.3.4
  FastEthernet0/5
  TESTACS
  22056 Subject not found in the applicable identity store(s).
  Dec 13,10 10:28:29.186 AM
  #ACSACL#-IP-Guest-4cfcc14d
  Dot1x-3560-Switch
  1.2.3.4
  TESTACS
  Dec 13,10 10:28:28.726 AM
  acstest
  00-23-AE-7A-58-A6
  Default Network Access
  PEAP (EAP-MSCHAPv2)
  Dot1x-3560-Switch
  1.2.3.4
  FastEthernet0/5
  TESTACS
  Thanks,

• Best Pactice for Connecting ASA to Catalyst Switch with Mulitple VLANs

  Hi all,
  Have the following network topology that was in place when I started the job (See attached pdf).  Am thinking it might be better if I could eliminate the Cisco 2811 router and connect directly from the ASA to my 12 port fiber switch (192.168.7.1).  In my thinking this would eliminate an unnecessary piece of equipment and also give me a gig link to my ASA as opposed to the 100 meg link I have now with the old router.  The 12 port fiber has links to most of my IDFs and is acting as my VLAN gateway for all inter VLAN routing.
  Is my current topology ideal or would I be better served to remove router and connect directly to the 3750G-12s Fiber switch or my Master Switch (192.168.7.4)?  Only thing I don’t like about direct connect to Master switch is that it takes scheduling a major outage for me to reboot it.  However, if that is best practice in this case, I can live with it.
  It appears the 12 port fiber cannot have IP addresses  assigned directly to Ports, only to VLANs.  So would I have to create a separate vlan for my ASA and assign IPs to the vlan on each end of the connection?
  I have read some suggestions that say it is better to terminate all VLANs on the ASA.  So as I understand that would require creating subinterfaces on my ASA LAN port and assigning each subinterface to its own VLAN  Inter VLAN routing would then be controlled by ASA.
  Does not seem practical to me as I have about 15 VLANs total.  Not showing everything in the drawing.
  Guess my main question is “What is best practice for topology and routing in my scenario?”

  Hi Mcreilly,
  You should be able to assign an ip address on cat6k sup720 if you are running native ios on sup 720.
  If you are running catos then you will not be able to do that and you can have it configured as trunk and connect to the router.Also I do not think that you need subinterfaces on router and trunk on switch because your cat6k with sup720 must be doing intervlan routing between vlans.
  You can just connect it on some port on any vlan and same subnet ip address which you have it on msfc for that vlan you can assign on the router interface and anybody want to go out via t3 link will get routes on sup720 and move out via router vlan.
  For suppose you do not want the router to be part of existing vlan you can create one vlan on cat6k sup720 and assign one port to that new vlan and connect the royter to that new vlan port and then create logical interface on msfc for that new vlan and assign an ip address range on that logical vlan and same subnet ip address range you can assign on router physical interface.
  Any one from other vclan get routed on sup 720 msfc and will move out via the vlan on which you have connected the router.
  because you have only one router you will not be able to maintain box level redundancy by which i mean if the router goes down t3 will be unreachable.
  HTH
  Ankur

• Cryptographic IOS versions on Catalyst Switches

  1. Where can one find the differences between Catalyst switch IOS with cryptographic features and without cryptographic features?
  2. In order to access Cat switches over SSH and HTTPS, do we require Cryptographic versions of the Cat IOS?
  3. What does "k9" stands for in IOS names? e.g. "3560-ipservicesk9"
  Thanks

  Hi
  Answer to Q1 :
  Best plase to compare the Catos and IOS is
  www.cisco.com/go/fn
  there you can search by ios names or platforms or features and compare images.
  Answer to Q2 :
  Yes you need Cryptographic version
  Answer to Q3 :
  K9 stand for Cryptographic version if you have ipservicesk9 you can do SSH in the feature navigator if you search the ios without K9 you will find this :
  IP SERVICES W/O Crypto
  that means this catos does not support Cryptographic.
  Best Regards Bahman Mozaffari.
  Please Rate if Helpful.

• Can't open folders or emails by double clicking mouse

  I can't open folders or emails by double clicking my mouse. I was using a corded Apple mouse, so I switched to a Logitech cordless optical mouse, still can't open them. I can open my folder with command O, but not email. Any suggestions?

  This worked for me: I trashed my mouse prefs, then restarted, then -- goto System Prefs --> Keyboard/Mouse --> Mouse --> Double-Click Speed: Now move the speed a minimum of one notch below FAST.
  Yesterday I installed a Logitech MX Revolution, cordless mouse and lost the ability to double click with it and with my Mighty Mouse. Resetting the double click speed below FAST miraculously reset.
  All seems OK now.