Configure interface vlan on switch 3524 XL

Hi all,
I have an old switch C3524 running image "C3500XL-c3h2s-mz-120.5.2-xu". I successfully created vlan 120, but when I configure "interface vlan 120" as follows:
swicth # conf t
switch(config-subif)#interface vlan 120
switch(config-subif)#ip address 172.10.10.1 255.255.255.0
switch(config-subif)#no shut
then show run does not see this interface. Show vlan indicates vlan 120 is active.
Please help. Thank you.

You're right. I just shut down interface vlan 10 (interface vlan 1 is down already), then interface vlan 120 comes up. Question is: if I need to configure several ports, some in vlan 10 and some in vlan 120, then should I have interface vlan 10 up too?
Thank you very much.

Similar Messages

  • Passive interface vlan 50

    Hi
    I need to know in detail what this command means: "passive interface vlan 50". A description or useful link would be very much appreciated.
    10xs
    ali

    Hi Ali,
    The "passive-interface" router configuration command is applied to stop sending routing updates on an interface.
    It behaves differently for different routing protocols. For EIGRP, the passive-interface command disables the transmission and receipt of EIGRP hello packets on an interface, so no neighborship will form on an interface that is configured as passive.
    In OSPF, hello packets are not sent on an interface that is specified as passive. Hence, the router will not be able to discover any neighbors, and none of the OSPF neighbors will be able to see the router on that network.
    But for RIP and IGRP, routing updates are not sent out on the interface that is configured as passive, but that interface will still be advertised out of other interfaces.
    Have a look at this link for more details
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guide09186a008008784e.html#wp11573
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt2/1cfindep.htm#wp1019396
    Now, depending on the routing protocol you have configured, interface vlan 50 will not advertise routes out of interface vlan 50, and if you have configured EIGRP or OSPF it will not form any neighborship with a peer on interface vlan 50.
    HTH, if yes please rate the post.
    Ankur

  • Nexus, configure sync and Interface VLAN

    We have a pair of Nexus 5548's. Not everything is dual-homed. For example, 
    only one of them has a 10-gig link to our main office (along with a 100 meg 
    link elsewhere). I'd like to set up a switch profile between these switches 
    so I can set up vPC's with our UCS fabric interconnects as well as a pair of 
    Fex Modules we have.
    As it stands, we have SVI's on each switch, with hsrp between them, so the 
    secondary switch takes over as gateway if the primary fails.
    Is it possible (and if so, best practice) after creating a switch profile, 
    and then going into configure sync mode to create SVI's (eg `interface vlan x`) 
    so that the SVI's are shared between the two switches, rather than creating 
    an SVI on each using hsrp in the event one of the switches fails?
    Also, again, can we leave some ports out of the dual switch profile, if not 
    everything is dual-homed?

    That is correct. It is that easy. Don't forget that the physical port has to be configured as a layer 2 port (switchport).
    You could create sub interfaces under the GigE interface if you were to configure that same physical interface as a layer 3 port (no switchport).
    Hope this helps,

  • Configuring the Catalyst 6500 Switch for IPS Inline Operation of the IDSM

    I understand how to configure the Catalyst 6500 switch so that the monitoring ports are access ports in two separate VLAN's for inline operation.
    However, I don't see any documentation that describes how the desired VLAN traffic gets forced through the IPS.
    In promiscuous mode, you can use VACL's to copy/capture and forward the desired traffic to the IDSM for analysis. I'm not seeing how to get the desired traffic through the IPS.
    Note that the host 6500 is running native IOS 12.2(18)SXE.
    Thanks for any assistance.

    A transparent firewall is a fairly good comparison.
    Let's say you have vlan 10 with 100 PCs and 1 Router for the network.
    If you want to apply a transparent firewall on that vlan you can not simply put one interface of the firewall on vlan 10. Nothing would go through the firewall.
    Instead you have to create a new vlan, let's say 1010. Now you place one interface of the firewall on vlan 10 and the other on vlan 1010. Still nothing is going through the firewall. So now you move that Router from vlan 10 to vlan 1010. All you do is change the vlan, the IP Address and netmask of the router stay the same.
    The transparent firewall bridges vlan 10 and vlan 1010. The PCs on vlan 10 are still able to communicate to and through the router, but must go through the transparent firewall to do so.
    The firewall is transparent because it does not IP route between 2 vlans; instead the same IP subnet exists on both vlans and the firewall transparently bridges traffic between the 2 vlans.
    The transparent firewall can do firewalling between the PCs on vlan 10 and the Router on vlan 1010. But if PC A on vlan 10 talks to PC B on vlan 10, then the transparent firewall does not see and can not block that traffic.
    An InLine sensor is very similar to the transparent firewall and will bridge between the 2 vlans. And similarly an InLine sensor is able to InLine monitor traffic between PCs on vlan 10 and the Router on vlan 1010, but will not be able to monitor traffic between 2 PCs on vlan 10.
    Now the router on one vlan and the PCs on the other vlan is a typical deployment for inline sensors, but your vlans do not Have to be divided that way. You could choose to place some servers in one vlan, and desktop PCs in the other vlan. You subdivide the vlans in what ever method makes sense for your deployment.
    Now for monitoring multiple vlans the same principle still applies. You can't monitor traffic between machines on the same vlan. So for each of the vlans you want to monitor you will need to create a new vlan and split the machines between the 2 vlans.
    In your case with Native IOS you are limited to only 1 pair of vlans for InLine monitoring, but your desired deployment would require 20 vlan pairs.
    The 5.1 IPS software has now the capability to handle the 20 pairs, but the Native IOS software does not have the capability to send the 40 vlans (20 pairs) to the IDSM-2.
    The Native IOS changes are in testing right now, but I have not heard a release date for those changes.
    Now Cat OS has already made these changes. So here is a basic breakdown of what you could do in Cat OS and you can use in preparation for a Native IOS deployment when it gets released.
    For vlans 10-20, and 300-310 that you want monitored you will need to break each of those vlans in to 2 vlans.
    Let's say we make it simple and add 500 to each vlan in order to create the new vlan for each pair.
    So you have the following pairs:
    10/510, 11/511, 12/512, etc...
    300/800, 301/801, 302/802, etc....
    You set up the sensor port to trunk all 40 vlans:
    set trunk 5/7 10-20,300-310,510-520,800-810
    (Then clear all other vlans off that trunk to keep things clean)
    In the IDSM-2 configuration create the 20 inline vlan pairs on interface GigabitEthernet0/7
    Now on each of the 20 original vlans move the default router for each vlan from the original vlan to the 500+ vlan.
    At this point you should ordinarily be good to go. The IDSM-2 won't be monitoring traffic that stays within each of the original 20 vlans, but Would monitor traffic getting routed in and out of each of the 20 vlans.
    Because of a switch bug you may have to have an additional PC moved to the same vlan as the router if the switch/MSFC is being used as the router and you are deploying with an IDSM-2.
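
The pairing scheme described in the answer above, worked through as an added example (not part of the original post or any Cisco tooling). It takes the monitored ranges and the +500 offset from the post and rebuilds the `set trunk` line; the collision checks, the `in_use` parameter and the function names are assumptions added here, because a new VLAN that already carries hosts would be bridged to another segment through the sensor.

```python
"""Plan inline VLAN pairs for a sensor trunk (added example, not from the post)."""

OFFSET = 500                       # the post's rule: new VLAN = original + 500
SENSOR_PORT = "5/7"                # port used in the post's `set trunk` line
MAX_VLAN = 4094                    # highest 802.1Q VLAN ID
RESERVED = set(range(1002, 1006))  # Cisco default FDDI/Token Ring VLANs


def parse_ranges(spec):
    """Expand a list such as '10-20,300-310' into sorted VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= MAX_VLAN:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return sorted(vlans)


def compress(vlans):
    """Collapse VLAN IDs back into 'a-b,c' notation for the trunk command."""
    runs, run = [], []
    for v in sorted(set(vlans)):
        if run and v == run[-1] + 1:
            run.append(v)
            continue
        if run:
            runs.append(run)
        run = [v]
    if run:
        runs.append(run)
    return ",".join(f"{r[0]}-{r[-1]}" if len(r) > 1 else str(r[0]) for r in runs)


def plan_pairs(spec, offset=OFFSET, in_use=()):
    """Return [(original, new)] pairs, refusing any plan that would mis-bridge.

    in_use: VLAN IDs that already exist on the switch (hypothetical input).
    """
    originals = parse_ranges(spec)
    pairs = [(v, v + offset) for v in originals]
    new = {n for _, n in pairs}
    problems = []
    if any(n > MAX_VLAN for n in new):
        problems.append("offset pushes a VLAN ID past 4094")
    if new & RESERVED:
        problems.append(f"new VLANs hit reserved IDs: {compress(new & RESERVED)}")
    if new & set(originals):
        # A VLAN that is both an 'original' and a 'new' side would chain two
        # pairs together and bridge subnets that were meant to stay apart.
        problems.append(f"new VLANs overlap monitored VLANs: {compress(new & set(originals))}")
    if new & set(in_use):
        problems.append(f"new VLANs already in use: {compress(new & set(in_use))}")
    if problems:
        raise ValueError("; ".join(problems))
    return pairs


def trunk_command(pairs, port=SENSOR_PORT):
    """Build the CatOS trunk line carrying both sides of every pair."""
    vlans = [v for pair in pairs for v in pair]
    return f"set trunk {port} {compress(vlans)}"


if __name__ == "__main__":
    plan = plan_pairs("10-20,300-310")
    print(trunk_command(plan))
    for original, new in plan:
        print(f"pair {original}/{new}: move the default router from {original} to {new}")
```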

  • WLC 5508 , AP client dhcp address different from WLAN interface VLAN subnet?

    Hope the title makes sense, here's my situation: I have multiple businesses on 1 WLC 5508, there's a LAG to my core switch with separate interfaces for each, broken up by vlans.
    My question is: if I have a WLAN set up to use interface "Company A" which is vlan 10 with an ip of 10.0.1.5 which then points to 10.0.1.10 for dhcp.
    Can the WLAN client connecting to the Company A WLAN use an IP in a different IP range (192.168.1.10?) Can the wlc route? From the perspective of the DHCP server, where does the request come from? (10.0.1.5?)
    Can the DHCP server 10.0.10.10 on vlan 10 respond back with an ip on a different subnet to assign to the client to use and still be fully functioning? Would the default gateway for the client need to be 10.0.1.5? So the client's ip would be 192.168.1.10 /24 with a gateway of 10.0.1.5 (ip address of the vlan10 interface on the WLC). And if multiple clients on the same subnet wanted to talk to each other, would the WLC know how to route them to each other without passing through the default gateway?
    Sorry if this is confusing, I'm having a bit of a hard time explaining it in words, I can try and draw something up if it makes more sense.
    thanks
    Eric

    I think if you want these clients to stick to a WLAN configured on a VLAN that has a different IP addressing you could configure your VLAN with the normal IP addressing then add on the SVI the 2nd IP_Class_default_gateway.
    E.G.
    Vlan 10
    interface vlan 10
    ip address 10.0.10.1 255.255.255.0
    ip address 192.168.1.1 255.255.255.0 secondary
    Clients that receive IP address from 192.168.1.0/24 network will be able to reach 192.168.1.1 and all traffic will pass right.

  • Configuring rate-limit in switch 6500

    Good morning gentlemen
    Consider a 6509E (supervisor 720 3B) switch with many interface VLANs configured, one for each customer. Each interface VLAN had a rate-limit input and output configured, representing the maximum bandwidth permitted for the customer.
    I could configure it that way using the old IOS s72033-ipservicesk9_wan-mz.122-18.SXF7.
    Last weekend I had to upgrade that IOS to s72033-ipservicesk9_wan-mz.122-33.SXJ7. All rate-limits in VLAN interfaces disappeared, probably not supported in this new version.
    Now, what's your recommendation to perform the same in this IOS version? I only found the policy-map/service-policy way.
    Follow my questions:
    1 - "mls qos" is globally disabled. Should I configure globally or by interface VLAN?... Expected any impact?
    I believe that only need "police" for QOS. No need for any other kind of QOS.
    2 - Should I enable "mls qos vlan-based" for each physical layer 2 port connected to that switch related to each interface vlan with police?
    Expected only one physical port (or port-channel) for each customer (and each VLAN) connected to a switch.
    Thank you and regards
    Christian

    Interesting that I have just upgraded the IOS to the last version 12 release.
    I think that the reason we are facing high CPU usage for the "IP Input" process is that something related to mls/cef is not tuned.
    Does anyone have any idea regarding the configuration presented?
    Regards
    Christian

  • How to configure a cisco 2960 switch to support two routers(data and voice), please give me any suggestions

    Hi, I need to configure a 2960 switch at a client site. They already have routers installed on site: one is for data traffic, another is for voice. I have created two vlans on the switch for data and voice. Now I can't work out what the default gateway on the switch would be.
    Please give me any suggestions.

    Hi Leo,
    Many thanks for your reply.
    But there are two uplinks going from Gi 0/1 and Gi 0/2. I have configured the S/W like below:
    interface GigabitEthernet0/1
    description UPLINK TO Data router
    switchport access vlan 100
     switchport mode access
    interface GigabitEthernet0/2
    description UPLINK TO voice router
    switchport access vlan 100
     switchport mode access
    interface Vlan1
     no ip address
     no ip route-cache
     shutdown
    interface Vlan60
     ip address 192.168.1.253 255.255.255.0
     ip helper address 192.168.1.1
     no ip route-cache
    interface Vlan100
     ip address 172.16.1.253 255.255.255.0
     ip helper address 172.16.1.1
     no ip route-cache
    I have used IP helper address, but I am getting some connection issues on PCs and IP phones. Please advise: can I manage it with two uplinks with different IP addresses?
    Thanks in advance.

  • Standard Configuration Reqd to improve Switch/LAN performance

    Hello Friends,
    I have Six Catalyst 2955 Switches on which RSTP is running (Just "spanning-tree mode rapid-pvst" runs)...now I want to ask what are the other standard things (like IGMP snooping etc) needed to configure switches to improve performance (no need to improve security)..I have only 20 PCs LAN connected to these Six Switches.
    Pls. help me....I will really appreciate.
    Regards,
    Shahid

    Shahid,
    hereby an example of a (similar) configuration of a L2 switch.
    Maybe it can act as an example
    Paul De Valck
    no service pad
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    hostname
    enable secret
    ! Summertime definition (Brussels)
    clock timezone CET 1
    clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 2:00
    ! automatic restart of ports after a port error
    errdisable recovery cause all
    errdisable recovery interval 180
    ip subnet-zero
    vtp mode trans
    vlan 4
    name Admininstrative_VLAN
    exit
    no ip domain-lookup
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    interface Vlan4
    descr Aministrative VLAN for switch management
    ip address 10.40.2.251 255.255.255.248
    no ip route-cache
    no shut
    ip default-gateway 10.40.2.254
    ip http server
    logging history size 50
    ! syslog servers
    logging 10.32.1.40
    logging 10.192.1.40
    ! limit snmp access
    access-list 1 permit 10.40.0.0 0.0.3.255
    access-list 1 permit 10.192.1.32 0.0.0.31
    ! standard ACLs take a wildcard (inverse) mask: 172.31.0.0/16
    access-list 1 permit 172.31.0.0 0.0.255.255
    ! snmp access
    snmp-server community
    snmp-server community RW 1
    snmp-server queue-length 100
    snmp-server location Brussels Main Office
    ! SNMP traps
    snmp-server enable traps
    snmp-server host 10.192.1.38
    snmp-server host 10.32.1.38
    ! Console & Telnet login
    line con 0
    session-timeout 10
    exec-timeout 7 0
    password
    login
    line vty 0 15
    session-timeout 10
    exec-timeout 7 0
    password
    login
    ! time synchronisation with ntp server
    ntp server 10.32.1.38 prefer
    ntp server 10.192.1.38
    end

  • Loopback interface on Catalyst switches

    Hello,
    I need to know if I can configure loopback interfaces on L2 switches (2950) and if yes , in which IOS
    Thanks
    Moamen

    Hello,
    for admin, I need to create a loopback interface and use it as the admin IP to reach the switch
    I know that the admin ip is configured under interface vlan1
    but I'm asking because I have a switch that has the int loopback in its menu when using
    conf t# int ?
    I can find loopback, but I can't configure it
    switch(config)#interface ?
    Async Async interface
    BVI Bridge-Group Virtual Interface
    Dialer Dialer interface
    FastEthernet FastEthernet IEEE 802.3
    Group-Async Async Group interface
    Lex Lex interface
    Loopback Loopback interface<<<<<
    Multilink Multilink-group interface
    Null Null interface
    Port-channel Ethernet Channel of interfaces
    Tunnel Tunnel interface
    Virtual-Template Virtual Template interface
    Virtual-TokenRing Virtual TokenRing
    Vlan Catalyst Vlans
    range interface range command
    System image file is "flash:c2950-i6q4l2-mz.121-22.EA3"
    but when I'm trying to configure it the switch refused
    Thanks & BR
    Moamen

  • Configure Private VLAN on 3750 & 2960

    Hi All,
    ( R ) ------ [ 3750 ] ------- [ 2960 A ]
                            |------------ [ 2960 B ]
    I had these VLAN on the 3750 & 2960:
    - Vlan 8 (mgnt Vlan), Vlan 17, Vlan 34, Vlan 35
    Basically I had already configured switchport protected on all the ports on the 2960 except the uplink to the 3750.
    2960 Configure
    On uplink to 3750
     switchport mode trunk
    On end device port 
     switchport trunk native vlan 35
     switchport trunk allowed vlan 34,35
     switchport mode trunk
     switchport protected
     spanning-tree portfast
    How do I go about configuring private VLAN on the 3750?
    3750 Configure
    On downlink to 2960
     switchport mode trunk
    Interface vlan8
     ip address 10.8.0.1 255.255.255.0
    Interface vlan17
     ip address 10.17.0.1 255.255.255.0
    Interface vlan34
     ip address 10.34.0.1 255.255.255.0
    Interface vlan35
     ip address 10.35.0.1 255.255.255.0
    What I want to achieve is to send all the VLAN 8, 17, 34, 35 from 2960 to 3750 and 3750 to 2960. But at the same time prevent 2960 A client from talking to 2960 B client on VLAN 35? 

    I believe that if both devices you do not want to speak with each other are on the 2960, the "switchport protected" should work.
    But you can configure with private vlan.
    let's say client A is in port f0/1 and client B in port f0/2
    Parent (main) VLAN is 100 and child is 999
    You would configure the VLANs in ALL switches.
    vlan 999
    private-vlan isolated
    vlan 100
    private-vlan primary
    private-vlan association 999
    Now you would need to configure the ports.
    int range f0/1 - 2
    switchport mode private-vlan host
    switchport private-vlan host-association 100 999
    If the interfaces will talk to other VLANs, you need to configure the SVI to understand it will serve the private VLANs.
    interface vlan 100
    private-vlan mapping 999
    That's it, but notice that now interface f0/1 will not talk to f0/2 and to any other interface inside vlan 100, if you want a port to communicate to f0/1 or f0/2 this new port would need to be configured as a promiscuous one (In case it needs to talk to both of them) or create a community private-vlan and configure the ports desired on it. (F0/1 and F0/2 can't be on the same community VLAN or they'll be able to talk to each other).
    If the intention is to prevent one specific port from talking to all the others, you can put only this interface in the private VLAN instead of both.
    wrote too much, if this answers your question let me know, or we can create a practical scenario for it.
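
The isolation rules the answer above relies on, as an added example that is not part of the original reply: a small parser reads private-VLAN roles from a config fragment and lists which port pairs can exchange frames at layer 2. VLANs 100/999 and ports Fa0/1-2 follow the answer; community VLAN 998, ports Fa0/3-4, the promiscuous uplink Gi0/1 and all function names are assumptions, and the sample config is constructed.

```python
"""Private VLAN forwarding rules as a reachability model (added example)."""

# Constructed running-config fragment. VLANs 100/999 and Fa0/1-2 follow the
# answer above; VLAN 998, Fa0/3-4 and Gi0/1 are assumptions for illustration.
SAMPLE_CONFIG = """
vlan 998
 private-vlan community
vlan 999
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 998,999
interface FastEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 999
interface FastEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 999
interface FastEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 998
interface FastEthernet0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 998
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 998,999
"""

SECONDARY_TYPES = ("isolated", "community")


def parse_ports(config):
    """Return {interface: (role, secondary_vlan)} from a config fragment."""
    vlan_type, mode, assoc = {}, {}, {}
    section = None                       # ("vlan", id) or ("if", name)
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[0] == "vlan" and len(words) == 2 and words[1].isdigit():
            section = ("vlan", int(words[1]))
        elif words[0] == "interface":
            section = ("if", " ".join(words[1:]))
        elif section is None:
            continue
        elif (section[0] == "vlan" and len(words) == 2
              and words[0] == "private-vlan" and words[1] in SECONDARY_TYPES):
            vlan_type[section[1]] = words[1]
        elif (section[0] == "if" and len(words) == 4
              and words[:3] == ["switchport", "mode", "private-vlan"]):
            mode[section[1]] = words[3]  # "host" or "promiscuous"
        elif (section[0] == "if" and len(words) == 5
              and words[:3] == ["switchport", "private-vlan", "host-association"]):
            assoc[section[1]] = int(words[4])
    ports = {}
    for name, m in mode.items():
        if m == "promiscuous":
            ports[name] = ("promiscuous", None)
        elif m == "host":
            secondary = assoc.get(name)
            role = vlan_type.get(secondary)
            if role is None:
                # A host port tied to an undefined secondary VLAN is a
                # misconfiguration worth failing on rather than guessing.
                raise ValueError(f"{name}: host port without a valid secondary VLAN")
            ports[name] = (role, secondary)
    return ports


def can_talk(a, b):
    """Layer-2 reachability between two (role, secondary_vlan) tuples."""
    if "promiscuous" in (a[0], b[0]):
        return True                      # promiscuous reaches every port
    if a[0] == b[0] == "community":
        return a[1] == b[1]              # same community only
    return False                         # isolated reaches promiscuous only


def allowed_pairs(ports):
    """Every unordered port pair that may exchange frames directly."""
    names = sorted(ports)
    return {(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if can_talk(ports[x], ports[y])}


if __name__ == "__main__":
    for pair in sorted(allowed_pairs(parse_ports(SAMPLE_CONFIG))):
        print("allowed:", *pair)
```

The model covers layer-2 delivery only; traffic routed back through the SVI on VLAN 100 is outside it.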

  • Interface vlan - ACL - pinging issues.

    I'm trying to understand why an ACL which is applied to an interface vlan is affecting the traffic for a different interface vlan.
    Both vlans are configured on the same device and there's a trunk connecting the "access" switch to the "distribution" switch.
    so, what we have is:
    UD-1 UD-1B
    UA
    Int vlan are configured in both UDs and the vlan is allowed in the trunk that connects the UD to the UA.
    There's an ACL blocking traffic to the int vlan 225 ip that is configured in the UA, but there's no ACL on the vlan 185 (the same IP that I'm trying to ping).
    So , why is this happening?
    configs:
    UD-1A:
    interface Vlan185
    ip address 10.8.185.3 255.255.255.0
    interface Vlan225
    ip address 10.18.225.3 255.255.255.0
    ip access-group ud1 in
    int gi1/1
    interface GigabitEthernet1/1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 225
    switchport trunk allowed vlan 185,225
    switchport mode trunk
    UD-1B
    interface Vlan185
    ip address 10.8.185.4 255.255.255.0
    interface Vlan225
    ip address 10.18.225.4 255.255.255.0
    ip access-group al_rpf_sre_ud1_pro in
    interface GigabitEthernet4/4
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 225
    switchport trunk allowed vlan 185,225
    switchport mode trunk
    interface Vlan185
    ip address 10.8.185.7 255.255.255.0
    ip access-group ro in
    interface GigabitEthernet1/1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 225
    switchport trunk allowed vlan 185,225
    switchport mode trunk
    interface GigabitEthernet1/2
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 225
    switchport trunk allowed vlan 185,225
    switchport mode trunk
    so, when I ping 10.8.185.7
    I get:
    GMT-3: ICMP: dst (10.8.185.7) administratively prohibited unreachable rcv from 10.8.185.4
    %SEC-6-IPACCESSLOGDP: list ud1 denied icmp 10.8.185.7 (GigabitEthernet1/1) -> 10.18.232.58 (0/0), 3 packets
    anybody?

    Hello Paresh,
    thanks for replying.
    But, actually I don't think this is what is happening.
    Because 10.18.232.58 comes from an uplink - core router, which enters from a different interface.
    Let me give you the configs:
    uplinks:
    interface GigabitEthernet3/1
    no switchport
    ip address 10.18.192.26 255.255.255.252
    And the core are doing load-balancing to reach the UA.
    So, icmp packets are arriving from these 2 interfaces, the uplink gi3/1 (router port) and from the link that connects the UA switch.
    so, pinging from the BC you have 2 ways to get to the UA, from UD1 and UD1-B, when it reaches UD1-B it goes to the vlan (ie. goes down to the UA and up to UD1A).
    Not sure if this is helping.
    If you need any other info let me know.
    this is killing me.

  • Disabling ''igmp snooping'' in a VLAN (no interface VLAN) on Catalyst 6500

    Can someone please help?
    On 4948 or 3560 I can disable igmp snooping in a specific VLAN:
    sw4948(config)#no ip igmp snooping vlan ?
      <1-1001>     Vlan number
      <1006-4094>  Vlan number
    sw4948(config)#no ip igmp snooping vlan 10 ?
      explicit-tracking           Enable IGMP explicit host tracking
      immediate-leave             Enable IGMPv2 immediate leave processing
      last-member-query-interval  Last member query interval
      mrouter                     Configure an L2 port as a multicast router port
      static                      Configure an L2 port as a member of a group
      <cr>
    BUT, in 6509-E this command is not enabled:
    sw6509(config-if)#no ip igmp snooping ?   
      access-group  IGMP group access group
      limit         IGMP limit
    I have just found on my 6509 that I can disable igmp snooping in a SVI interface (Interface VLAN)
    sw6509(config)#int vlan 20
    sw6509(config-if)#no ip igmp snooping ?
      access-group                IGMP group access group
      fast-leave                  Enable IGMP fast leave processing
      last-member-query-interval  Configure IGMP leave query timeout
      limit                       IGMP limit
      minimum-version             Minimum IGMP version
      mrouter                     Configure an L2 port as a multicast router port
      querier                     Enable IGMP querier processing
      report-suppression          Force a report suppression
      ssm-safe-reporting          Enable SSM Safe Reporting
      static                      Configure an L2 port as a member of a group
      <cr>
    My current 6509-E IOS version is:
    System image file is "sup-bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXH8b.bin"
    Do I need to upgrade my IOS version?... or how can I disable ''igmp snooping'' per specific VLAN (no Interface VLAN)?
    Any help would be appreciated!
    Regards
    guruiz

    Hi Guruiz,
    So, to disable igmp snooping in some VLANs in the 6509, do I need to disable it globally?
    Would it be the only way?
    That appears to be the only way. If you have an SVI for the vlan you want to run Multicast in, then simply enable PIM and not worry about IGMP snooping.  I think, the reason you don't see this command under the layer-2 vlan is because most of the time the 6500 is used as layer-2/layer-3 and not just layer-2.
    How could "no ip igmp snooping" applied globally impact my 6509 switch?
    It will impact only the vlans that are running Multicast.  In general, ip IGMP snooping is used when you have a flat vlan and no SVI.  If you have multiple vlans and are running Multicast between them, then you can just enable PIM.
    HTH

  • [switchport port-security mac ] on [interface VLAN n?]

    Hello,
    Has anyone tried to use the command [switchport port-security mac-address n?] on [interface VLAN n?]? (For example on a 2950.)
    I don't have the material to make that test, and I am not sure if it works or not.
    Many thanks!

    Hi,
    Switchport port-security as the name implies is to be configured on switchport. VLAN interface on the switch is a routed interface and hence, you can't apply any switchport configuration on it and that includes, port security.
    HTH
    Sundar

  • Policy-map input on an interface VLAN

    Hi there,
    I have a problem with a policy-map on an interface VLAN on my Cisco 6509-E.
    The switch has the IOS Version 12.2(33)SXI10, RELEASE SOFTWARE (fc2).
    I have configured this policy-map:
    policy-map PM-10Mbit
      class class-default
       police cir 10000000 bc 1875000 be 3750000    conform-action transmit     exceed-action drop     violate-action drop
     I bind this map on a physical interface
    interface GigabitEthernet2/2
     description <removed>
     ip vrf forwarding <removed>
     ip address <removed>
     ip access-group <removed> out
     service-policy input PM-10Mbit
     service-policy output PM-10Mbit
    and get this result:
    show policy-map interface
    GigabitEthernet2/2
      Service-policy input: PM-10Mbit
        class-map: class-default (match-any)
          Match: any
          police :
            10000000 bps 1875000 limit 1875000 extended limit
          Earl in slot 5 :
            6428065284 bytes
            5 minute offered rate 14696 bps
            aggregate-forwarded 6294160565 bytes action: transmit
            exceeded 133904719 bytes action: drop
            aggregate-forward 584 bps exceed 0 bps
      Service-policy output: PM-10Mbit
        class-map: class-default (match-any)
          Match: any
          police :
            10000000 bps 1875000 limit 1875000 extended limit
          Earl in slot 4 :
            10335145381 bytes
            5 minute offered rate 21536 bps
            aggregate-forwarded 10142894661 bytes action: transmit
            exceeded 192250720 bytes action: drop
            aggregate-forward 128 bps exceed 0 bps
          Earl in slot 5 :
            263335780 bytes
            5 minute offered rate 176 bps
            aggregate-forwarded 263335780 bytes action: transmit
            exceeded 0 bytes action: drop
            aggregate-forward 448 bps exceed 0 bps
    But when I bind it on an interface VLAN I see no incoming traffic:
    show policy-map interface
     Vlan1012
      Service-policy input: PM-100Mbit
        class-map: class-default (match-any)
          Match: any
          police :
            100000000 bps 18750000 limit 18750000 extended limit
          Earl in slot 4 :
            0 bytes
            30 second offered rate 0 bps
            aggregate-forwarded 0 bytes action: transmit
            exceeded 0 bytes action: drop
            aggregate-forward 0 bps exceed 0 bps
          Earl in slot 5 :
            0 bytes
            30 second offered rate 0 bps
            aggregate-forwarded 0 bytes action: transmit
            exceeded 0 bytes action: drop
            aggregate-forward 0 bps exceed 0 bps
      Service-policy output: PM-100Mbit
        class-map: class-default (match-any)
          Match: any
          police :
            100000000 bps 18750000 limit 18750000 extended limit
          Earl in slot 4 :
            1005376843668 bytes
            30 second offered rate 33016448 bps
            aggregate-forwarded 1005362388151 bytes action: transmit
            exceeded 14455517 bytes action: drop
            aggregate-forward 30943792 bps exceed 0 bps
          Earl in slot 5 :
            1828318775 bytes
            30 second offered rate 1296 bps
            aggregate-forwarded 1828318775 bytes action: transmit
            exceeded 0 bytes action: drop
            aggregate-forward 1272 bps exceed 0 bps
    Is this a bug or am I doing something wrong here?

    Hello
    As I understand it, this command is required in mls qos because an SVI (L3 vlan interface) runs in a vlan-based mode, which differs from normal L3 routed interfaces, which run in interface mode.
    As per cisco ="In VLAN-based mode, the policy map that is attached to the Layer 2 interface is ignored, and QoS is driven by the policy map that is attached to the corresponding VLAN interface."
    Lastly regards
    Try matching on all traffic incoming on the trunk interface on that switch for it to successfully police incoming traffic:
    class-map V102
    match input-interface x/x
    Policy-map POLICE
    class V102
    Police xxxx xxxx
    res
    Paul

  • FWSM - Sharing interface Vlan

    Hi guys,
    I am trying to share two vlans in two different contexts but when I try to add the same vlan in the second context I receive this message: “Interface Vlan15 cannot be allocated to context. Interface is allocated to another context in a different failover group”. I have seen an example where you can share the same vlans, so I don’t know where my mistake is.
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/exampl_f.html#wp1029314
    thanks.

    It sounds like what you're asking is about the concept of switched virtual interfaces - "interface vlan 10", for instance, is a switched virtual interface. This is different than a VLAN in that a VLAN is a logical network segment, a broadcast domain, whereas an SVI is a logical interface.
    If SW2 is a layer 3 switch, you don't HAVE to have the SVI configured there. You could operate both SW1 and SW2 entirely as layer 2 devices, configure an interface on R1 to handle the inter-VLAN traffic, and configure the links from SW1-SW2 and SW2-R1 as trunks.
    But that wastes the l3 capability of the switch. The idea is that you don't need to involve a router. When you have a vlan (layer 2), it has no way to communicate with other vlans (layer 2). That's where an SVI on a layer 3 switch, or an interface on a router (router-on-a-stick) using dot1q encapsulation comes in. It gives your devices in that VLAN something to point to as a gateway, something for routable traffic to address. So, think of a VLAN as a self contained network, and an SVI as the door that allows it to talk to everything else.
    Also, in practice, assigning each discrete switch an IP address for management traffic makes things much easier - how else can you telnet/SSH into it? Beats having to use the console all the time!
    HTH
