VLANs and traffic shapping

Similar Messages

• Flexconnect AP - dynamic VLAN and local/central switched via radius possible?

  Hello at all,
  is it possible to tell a flexconnect ap if the client at a single ssid should get local switched or central switched and if central switched, which vlan it should use?
  All I got so far was either central switched with dynamic vlan assignment or local switched with static vlan (because it falls back to the default static vlan configured at the ap if the radius assigned vlan doesn't exist), but I need a flexconnect ap that puts client a into the local switched vlan a and client b to the central switched vlan b, both in the same ssid. Is there a radius attribute to tell a flexconnect ap how to handle this while non flexconnect aps ignore it?
  To be more detailed:
  At the central location all APs are running in local-mode, radius assigns different vlans to the clients (different departments), lets say client a = vlan 100, client b = vlan 200 and this works fine. At the remote locations the APs are running in flexconnect-mode with default vlan 10 so that the authenticated clients can break out locally and use the local infrastructure for printing and file storage. At this locations radius also says client a = vlan 100, but client a should be forwarded to local vlan 10 (which already works because there is no vlan 100 configured at the ap so the default static configuration with vlan 10 is used), while client b should stay at vlan 200 and should be central switched to the controller because it isn't allowed to access the local infrastructure. How could this be done? Creating another ssid isn't a valid option.
  Thank you,
  Christian

  Hi Christian.
  This is what 7.3 mobility design document tells about "FlexConnect VLAN Based Central Switching" which is listed in above slide.
  "From release 7.3 onwards, traffic from FlexConnect APs can be switched centrally or locally depending on the presence of a VLAN on a FlexConnect AP.
  In controller software release 7.2, AAA override of VLAN (Dynamic VLAN assignment) for locally-switched WLANs puts wireless clients on the VLAN provided by the AAA server. If the VLAN provided by the AAA server is not present at the AP, the client is put on a WLAN mapped VLAN on that AP and traffic switches locally on that VLAN. Further, prior to release 7.3, traffic for a particular WLAN from FlexConnect APs can be switched Centrally or Locally depending on the WLAN configuration."
  FlexConnect VLAN Central Switching Summary
  Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in connected mode are as follows:
  •If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally and the client is assigned this VLAN/Interface returned from the AAA server provided that the VLAN exists on the WLC.
  •If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally. If that VLAN is also not present on the WLC, the client will be assigned a VLAN/Interface mapped to a WLAN on the WLC.
  •If the VLAN is returned as one of the AAA attributes and that VLAN is present in the FlexConnect AP database, traffic will switch locally.
  •If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic is switched locally.
  Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in standalone mode are as follows:
  •If the VLAN returned by the AAA server is not present in the FlexConnect AP database, the client will be put on a default VLAN (that is, a WLAN mapped VLAN on a FlexConnect AP). When the AP connects back, this client is de-authenticated and will switch traffic centrally.
  •If the VLAN returned by the AAA server is present in the FlexConnect AP database, the client is placed into a returned VLAN and traffic will switch locally.
  •If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic will switch locally.
  Enjoy your weekend & I am sure you will be able to get this working.
  HTH
  Rasika
  *** Pls rate all useful responses ****

• Is Cisco Nexus 5596UP support vlan base Policing and traffic shaping on code NX OS version: 5.1(3)N1(1)

  Is Cisco Nexus 5596UP support vlan base Policing and traffic shaping on code NX OS version: 5.1(3)N1(1)
  where i couldn't see any police command under the policy map 

  I have tested this issue on another 5548UP with L3 running the same NX-OS version and get the same problem. Show CDP from the switch is not discovering devices, but the neightbors can see the 5K in question. Reboot sometimes will fix it, but not always. I suspect a problem with the software since that doesn't happen in NX-OS 5.2. The one I am using is
  Software
    BIOS:      version 3.6.0
    loader:    version N/A
    kickstart: version 5.1(3)N2(1)
    system:    version 5.1(3)N2(1)

• Deploying vlan and limiting traffic from not reaching network core

  Folks:
  I am reading CCNP Switch 642-813 official Certification Guide (isbn=978-1-58720-243-8) and I’m a little confused as to the following on page.71 –
  “You should not allow VLANs to extend beyond the Layer 2 domain of the distribution switch. In other words, the VLAN should not reach across the network’s core and into another switch block. The idea again is to keep broadcasts and unnecessary traffic movement out of the core block”.
  Can anyone offer a different way of stating this or offer a picture or a diagram? I am having a hard time visualizing what this is trying to say – is this refereeing to two different switch blocks/stacks on either side of a switch core if I were to the draw the topology flat?
  Thanks
  JJ

  JJ
  This is referring to the 3 tier design where you have a separate access layer/distribution layer and core layer.
  So imagine a campus where you have multiple buildings and a main site. All the other buildings connect to the main site and to get from one building to another they go via the main site.
  The main site would have a pair of core switches and a pair of distribution switches + access layer switches. The other buildings would have a distribution pair of switches and access layer switches. Each buildings distribution switches would connect back to the core switches usually with L3 links. In the past you used L2 links but with L3 switching you now generally route, or more precisely, L3 switch through the core.
  What that extract from your book is saying is that each building has it's own vlans and they are routed on the distribution switches in each building. Only traffic destined for a vlan or more specifically a subnet that is not within the building should be sent to the core switches which then route them to the correct place.
  What you shouldn't do is have a vlan in a building that also extends to the core and possibly to other buildings. This is because a vlan is a broadcast domain so a broadcast in a vlan would be sent to all hosts in that vlan. So if you allow a vlan to extend through the core you are allowing broadcasts from one building to go through the core to other buildings.
  The core switches should be left to L3 switch traffic between buildings and pretty much nothing else.
  There is usually no need to extend vlans to or across the core  ie. each set of vlans is terminated on the distribution switches so broadcasts are contained within each building or again more specifically within each vlan within the building.
  One other thing to note is that if you have a single building with maybe just a WAN connection the 3 tier design is not necessarily the best way to go and a common solution is a collapsed core where the core and dsitribution switches are the same physical switches. It saves on cost and within a single building there is often very little need for a high speed core.
  I have used the terms route and L3 switch interchangeabley here but technically all L3 capable switches route in hardware so to be precise it is L3 switching.
  Finally the above about a single building setup does not refer to a DC where the rules are somewhat different.
  Hope that helps and i haven't confused you more.
  Feel free to ask further if needed.
  Jon

• NEED HELP PLEASE Setting up 2 VLANS and a redundant WAN connection

  I have a remote branch office which is actually a huge bar/lounge. The bar wants to enable patrons to access the Internet with their wireless laptops. I want to prevent those patrons from accessing our private network, and also prevent them from traversing our static VPN tunnel back to HQ.
  The bar processes all credit cards via the T1 connection, and this has caused us to lose money every time the T1 goes down while we're open, since there is no WAN redundancy right now.
  Here is my current hardware configuration:
  1) one PIX 501 50-user 3des.
  2.) two Dell 3024
  3.) one Aironet 1100(g) AP.
  Current LAN Network: 10.35.35.0
  (internal employees only, static VPN tunneled to remote HQ network)
  Current Wireless SSID's:
  SSID1=PRIVATESSID
  SSID2=PUBLICSSID (not currently in use, waiting to figure this out)
  Current WAN: one T1 connection.
  WHAT I WOULD LIKE TO DO AND NEED HELP FIGURING OUT:
  #1a) I want to create two separate VLAN's that are able to share the WAN connection, but not be able to "see" each other.
  #1b) These VLAN's would be mapped to their respective SSID's on the AP (PRIVATESSID>10.35.35.0 and PUBLICSSID>192.168.1.0).
  #1c) The 192.168.1.0 network should not be able to traverse the static tunnel between the branch site and HQ.
  #2) I would like to install a backup WAN connection such as a modem 56k dial-up to an ISP or a cable modem to an ISP. In case the primary T1 goes down, I would like the router to automatically dial out over the modem conection and route all Internet bound traffic over that backup WAN connection, until the primary comes back online.
  Question 1:
  I'm assuming I need a router to do the intervlan routing. Could this router also do the on-demand WAN backup dialing to an ISP via analog modem?
  What IOS version and flavor (IP base, IP+, etc.) would I need? What is the cheapest router I can do all that with (i.e. 2620/2621/1720/3600 series)? What WIC's or NM's would I need?
  Question Two:
  I would like to prioritize PRIVATESSID's traffic over PUBLICSSID's traffic, which I know I can do on the access point. Can I do this on the router so that any 10.35.35.0 traffic takes priority over any 192.168.1.0 traffic?
  Question Three
  If the primary T1 WAN connection goes down, I don't want the router to re-route the 192.168.1.0 traffic over the backup 56k dial-up WAN connection. That traffic can wait until the T1 comes back up.
  Any help you can provide would be very much appreciated.

  Assuming your access points can place SSID into separate vlans and support 802.1q trunks then I can attempt to answer your questions. There are seperate secuity issues with both SSID for protection and VLANs for seperation but in your case in may be minimal.
  q1
  Any cisco router that will run 802.1q trunking will work. Since you are looking at older routers you will need IP+ to get it. Even 2610's will support 802.1q on their 10m ethernet at the correct code level but 10m and 802.1q is sorta nonstandard. Since your backup is only 56k you can use the internal modem port as a dial backup. A wic-2a/s will also work if you prefer not to use the modem port. You will need some wic to run your t1 line. If you are planning to leave the t1 on another router it makes the next 2 questions much harder.
  q2
  This is fairly simple and depends on your ios level. "priority queing" is supported on even the older software. I assume you do not control the far end of the t1 line since it sounds as if this goes to a ISP.
  You will need to have them do the QoS since most issues with the internet are inbound and not outbound. You can only control outbound traffic.
  q3
  If the T1 is on the same router then this is fairly simple. You can just put a floating static default route in that will cause the dialer to come up if the the t1 goes down. There is no easy way to protect against the line being up but no traffic passing. This is also why it would be best to have the t1 on the same router. If its not you will need to get very creative to solve this. You could build a GRE tunnel to a remote location and montior the tunnel or run a routing protcol over the tunnel. In the newest software you could use SAA and policy routing to force the traffic over the dialer but the router must support ios 12.4.
  3a. You mentioned a cable modem as a backup. That can be much easier sometimes since it is all routing and no dialer interfaces with nasty modem issues. This does not make the issue of the t1 not on the same router easier.

• Setting Up VLAN and QoS for VOIP on SG200-18

  We recently purchased the SG200-18 smart switch to replace a Netgear unmanaged switch. We're moving our phone service to VOIP through our local ISP as well. 
  I've currently got the VOIP phone plugged into Port 17 on the SG200-18 (it's a Grandstream cordless VOIP phone).
  I want to put the VOIP phone on a separate VLAN from the rest of the network and optimize the QoS settings so that the VOIP phone has exceptional audio quality even during intense network traffic.
  Here's my questions:
  1. Do I need to adjust anything on the type of port for Port 17 (since it looks like some form of Combo port)?
  2. How do I go about isolating the VOIP phone on it's own VLAN (I'm seeing VLAN and Voice VLAN settings, not sure which one to use; I tried setting a VLAN and broke Internet connectivity to the phone until I went in and removed it)?
  3. Do I need to adjust any QoS settings on the switch to better optimize the VOIP phone?
  A couple of additional questions about the GS200-18 in general:
  1. Do I need to adjust any of the System Time Settings on the switch? I'm in Central Time.
  2. Do I need to adjust any of the Green Ethernet/Energy Saving settings or should I stick with the defaults?
  Also, a couple of "getting started" side questions to Cisco:
  1. I've registered a My Cisco account. What do I need to do to register my switch with Cisco and associate it with my My Cisco account?
  2. What are the benefits of taking out a Cisco Small Business Support Contract, and about how much would it cost on the SG200-18 (I ordered it from Provantage)? I'm curious to see if it's worth the money.
  Here's my "specs":
  Switch: SG200-18
  VOIP phone: Grandstream DP715 and 710 expandable handsets
  Plugged into: Port 17 on the SG200-18
  ISP: Local ISP (Direclynx)
  Connection type: 3M down/500k up DSL, moving to a wireless connection coming up which will give us faster speeds
  VOIP backend provider: VOIP Innovations
  Router: Apple Airport Extreme AC model (I run all Macs and iOS devices and OS X Server on the network, so using the Apple router makes setup easier, since it doesn't QoS, trying to QoS and VLAN at the switch level)
  Thanks everyone!

  Hello,
  Lots of different questions here so I'll try to make sure I don't miss anything.
  1. Do I need to adjust anything on the type of port for Port 17 (since it looks like some form of Combo port)?
     The way the combo ports work is you can either use the SFP slot for a fiber connection or the copper ethernet port, but not both at the same time.  Other then that they just function as normal network ports.
  2. How do I go about isolating the VOIP phone on it's own VLAN (I'm seeing VLAN and Voice VLAN settings, not sure which one to use; I tried setting a VLAN and broke Internet connectivity to the phone until I went in and removed it)?
     It sounds like you created the VLAN correctly and assigned the phone, however there wasn't anything doing any routing for that VLAN.  You would need to have a VLAN capable router or a layer 3 switch so that something would act as the default gateway for the voice VLAN and route the traffic for you.  Since there was nothing like this your phone lost it's connectivity to the internet when you placed it in the new VLAN.  I don't think the Airport is VLAN capable, but we will come back to that.
  3. Do I need to adjust any QoS settings on the switch to better optimize the VOIP phone?
     Once you have a seperate VLAN setup for the phone properly you only have to tell the switch what your Auto Voice VLAN is going to be and it will automatically apply recommended QoS settings for the Voice VLAN and prioritize the voice traffic.  There are ways to do this manually and even with the phone in the same VLAN however the are considerably more complicated.
  1. Do I need to adjust any of the System Time Settings on the switch? I'm in Central Time.
     The system time isn't always very important.  You can set the correct time zone, however you should know the switch does not have a battery in it to keep track of time, so if/when it reboots or loses power the clock will reset.  If you would like the switch to maintain accurate time you should setup an NTP server so the time is automatically updated from the internet.  The switch will keep your timezone settings once you save them.  Time is mostly important for logging and things like that, so you can configure it if you like but it is not necessary.
  2. Do I need to adjust any of the Green Ethernet/Energy Saving settings or should I stick with the defaults?
     Green ethernet simply reduces the power usage of the switch slightly, so unless you are having odd issues where ports are disconnecting, I would just leave them at the defaults.
  1. I've registered a My Cisco account. What do I need to do to register my switch with Cisco and associate it with my My Cisco account?
     There isn't really a way to associate your Small Business devices with your Cisco account.  If you ever call in for technical support we will use your Cisco account and your serial number to create a support case, but even then they aren't linked together.  If you decide to buy a support contract, that will be linked to your switch's S/N and your Cisco ID, so in a way that would associate them together.  Devices being associated with Cisco accounts is something more common with Enterprise equipment, and mainly has to do with technical support cases.
  2. What are the benefits of taking out a Cisco Small Business Support Contract, and about how much would it cost on the SG200-18 (I ordered it from Provantage)? I'm curious to see if it's worth the money.
     There are a few advantages to a Support Contact.  Your switch comes with a Limited Lifetime warranty that includes 1 year of technical support and return to factory hardware.  With a service contract you get 3 years of technical support and next business day Advanced Replacement of the switch if it need to be replaced.  I just did a quick google search, and it looks like a contract (part #CON-SBS-SVC2) costs about $50.
  So there are a few other things to consider however.
  As a frame of reference the average VOIP call uses about 64 - 128 kbps max.
  Since you don't have a VLAN capable router or a layer 3 switch, a separate voice VLAN may not be an option.   You also mention that the Apple Airport does not do QoS, meaning we will only be prioritizing the voice traffic while it is on the switch.  When it is passed off to the Airport to be routed out to the internet all of the QoS settings will be lost, and normal network traffic will get the same priority as voice, since that is all up to the Airport.
  With one phone the hassle of getting more equipment and setting up advanced QoS isn't really worth it, especially if the link to the internet isn't going to be participating in QoS.
  One last thing I wanted to mention is you are switching to a wireless internet connection.  I would ask them how their latency and jitter is, as these two network statistics greatly effect voice quality, and usually wireless performs worse when it comes to voice traffic.
  I hope this information helps, if you have any more questions just let me know.
  Thank you for choosing Cisco,
  Christopher Ebert - Network Support Engineer 
  Cisco Small Business Support Center

• WLC 7.4.110.0 where native vlan and SSID vlan is the same vlan

  Hi
  We have app. 1500 accespoints in app. 500 locations. WLCs are WiSM2s running 7.4.110.0. The AP are 1131LAPs.In a FlexConnect configuration we use vlan 410 as native vlan and the ssid (LAN) also in vlan 410. This works fine, never had any problems with this.
  Now we have started use 1602 APs and the client connection on ssid LAN becomes unstable.
  If we configure an different ssid, using vlan 420 and native vlan as 410, everything works fine.
  I can't find any recommandations regarding the use of native vlan/ssid vlan
  Is there anyone experiencing similar problems? Is this a problem with my configuration or is it a bug wittin 1602 accespoints?
  Regards,
  Lars Christian

  It is the recomended design to put FlexConnect AP mgt into native vlan & user traffic to a tagged vlan.
  From the QoS perspective if you want to enforce WLC QoS profile values, you have to tag SSID traffic to a vlan (other than native vlan) & trust CoS on the switch port connected to FlexConnect AP (usually configured as trunk port)
  HTH
  Rasika
  **** Pls rate all useful responses ****

• Only system vlans forward traffic on 1000v

  I am trying to migrate to a Nexus 1000v vDS but only VM's in the system VLAN can forward traffic. I do not want to make my voice vlan a system VLAN but that is the only way I can get a VM in that VLAN to work properly. I have a host with its vmk in the L3Control port group. From the VSM, a show module shows the VEM 3 with an "ok" status. I currently only have 1 NIC under the vDS control. My VM's using the VM_Network port group work fine and can forward traffic normally. When I put a VM in the Voice_Network port group I lose communication with it. If I add vlan 5 as a system vlan to my Uplink port profile then the VM's in the Voice_Network work properly. I thought you shouldn't create system vlans for each vlan and only use it for critical management functions so I would rather not make it a system vlan. Below is my n1k config. The upstream switch is a 2960X with the "switchport mode trunk" command. Am I missing something that is not allowing VLAN 5 to communicate over the Uplink port profile?
  port-profile type ethernet Unused_Or_Quarantine_Uplink
    vmware port-group
    shutdown
    description Port-group created for Nexus1000V internal usage. Do not use.
    state enabled
  port-profile type vethernet Unused_Or_Quarantine_Veth
    vmware port-group
    shutdown
    description Port-group created for Nexus1000V internal usage. Do not use.
    state enabled
  port-profile type vethernet VM_Network
    vmware port-group
    switchport mode access
    switchport access vlan 1
    no shutdown
    system vlan 1
    max-ports 256
    description VLAN 1
    state enabled
  port-profile type vethernet L3-control-vlan1
    capability l3control
    vmware port-group L3Control
    switchport mode access
    switchport access vlan 1
    no shutdown
    system vlan 1
    state enabled
  port-profile type ethernet iSCSI-50
    vmware port-group "iSCSI Uplink"
    switchport mode trunk
    switchport trunk allowed vlan 50
    switchport trunk native vlan 50
    mtu 9000
    channel-group auto mode active
    no shutdown
    system vlan 50
    state enabled
  port-profile type vethernet iSCSI-A
    vmware port-group
    switchport access vlan 50
    switchport mode access
    capability iscsi-multipath
    no shutdown
    system vlan 50
    state enabled
  port-profile type vethernet iSCSI-B
    vmware port-group
    switchport access vlan 50
    switchport mode access
    capability iscsi-multipath
    no shutdown
    system vlan 50
    state enabled
  port-profile type ethernet Uplink
    vmware port-group
    switchport mode trunk
    switchport trunk allowed vlan 1,5
    no shutdown
    system vlan 1
    state enabled
  port-profile type vethernet Voice_Network
    vmware port-group
    switchport mode access
    switchport access vlan 5
    no shutdown
    max-ports 256
    description VLAN 5
    state enabled

  Below is the output you requested. Thank you.
  ~ # vemcmd show card
  Card UUID type  2: 4c4c4544-004c-5110-804a-b9c04f564831
  Card name: synergvm5
  Switch name: synergVSM
  Switch alias: DvsPortset-0
  Switch uuid: 7d e9 0d 50 b3 3b 25 47-64 14 61 c0 3f c0 7b d9
  Card domain: 4094
  Card slot: 3
  VEM Tunnel Mode: L3 Mode
  L3 Ctrl Index: 49
  L3 Ctrl VLAN: 1
  VEM Control (AIPC) MAC: 00:02:3d:1f:fe:02
  VEM Packet (Inband) MAC: 00:02:3d:2f:fe:02
  VEM Control Agent (DPA) MAC: 00:02:3d:4f:fe:02
  VEM SPAN MAC: 00:02:3d:3f:fe:02
  Primary VSM MAC : 00:50:56:aa:70:b9
  Primary VSM PKT MAC : 00:50:56:aa:70:bb
  Primary VSM MGMT MAC : 00:50:56:aa:70:ba
  Standby VSM CTRL MAC : 00:50:56:aa:70:b6
  Management IPv4 address: 172.30.2.64
  Management IPv6 address: 0000:0000:0000:0000:0000:0000:0000:0000
  Primary L3 Control IPv4 address: 172.30.100.1
  Secondary VSM MAC : 00:00:00:00:00:00
  Secondary L3 Control IPv4 address: 0.0.0.0
  Upgrade : Default
  Max physical ports: 32
  Max virtual ports: 216
  Card control VLAN: 1
  Card packet VLAN: 1
  Control type multicast: No
  Card Headless Mode : No
         Processors: 16
    Processor Cores: 8
  Processor Sockets: 2
    Kernel Memory:   62904468
  Port link-up delay: 5s
  Global UUFB: DISABLED
  Heartbeat Set: True
  PC LB Algo: source-mac
  Datapath portset event in progress : no
  Licensed: Yes
  ~ # vemcmd show port
    LTL   VSM Port  Admin Link  State  PC-LTL  SGID  Vem Port  Type
     24     Eth3/8     UP   UP    FWD       0          vmnic7
     49      Veth1     UP   UP    FWD       0            vmk1
     50      Veth2     UP   UP    FWD       0        XP-Voice.eth0
     51      Veth3     UP   UP    FWD       0        synergPresence.eth0
  ~ # vemcmd show port vlans
                            Native  VLAN   Allowed
    LTL   VSM Port  Mode    VLAN    State* Vlans
     24     Eth3/8   T          1   FWD    1
     49      Veth1   A          1   FWD    1
     50      Veth2   A          1   FWD    1
     51      Veth3   A          5   FWD    5
  * VLAN State: VLAN State represents the state of allowed vlans.
  ~ # vemcmd show bd
  Number of valid BDS: 10
  BD 1, vdc 1, vlan 1, swbd 1, 5 ports, ""
  Portlist:
  BD 2, vdc 1, vlan 3972, swbd 3972, 0 ports, ""
  Portlist:
  BD 3, vdc 1, vlan 3970, swbd 3970, 0 ports, ""
  Portlist:
  BD 4, vdc 1, vlan 3969, swbd 3969, 2 ports, ""
  Portlist:
        8
        9
  BD 5, vdc 1, vlan 3968, swbd 3968, 3 ports, ""
  Portlist:
        1  inban
        5  inband port securit
       11
  BD 6, vdc 1, vlan 3971, swbd 3971, 2 ports, ""
  Portlist:
       14
       15
  BD 7, vdc 1, vlan 5, swbd 5, 1 ports, ""
  Portlist:
       51  synergPresence.eth0
  BD 8, vdc 1, vlan 50, swbd 50, 0 ports, ""
  Portlist:
  BD 9, vdc 1, vlan 77, swbd 77, 0 ports, ""
  Portlist:
  BD 10, vdc 1, vlan 199, swbd 199, 0 ports, ""
  Portlist:
  ~ #

• Traffic Shape in ethernet - C3750Metro

  I have a scenario where, one hub site which is connected to metro ether MAN at 1Gbps and spoke sites are connected to metro ether MAN at 100Mbps, in these remote sites variable bandwidths are agreed with service provider: 20Mbps, 40Mbps, etc.
  I only want to configure "traffic shape" in my Catalysts because if I don't, these Catalyst use max. speed to transmit (100Mbps when 20Mbps is only permitted) and the network drops my excess traffic.
  I don't want to configure anymore (different QoS for differents services, etc.)
  Which is the best, and more elegant, way to do it?
  Thanks.

  access-list 1 permit any
  class-map match_metro
  match access-group 1
  policy-map match_metro
  class metro_class
  police 20000000 2000000 exceed-action drop
  interface whatever
  service-policy input match_metro
  This is a just a sample config to achieve what you want, you should check the following link for a more thorough explanation.
  Traffic shaping allows you to shape output traffic (egress traffic) on a per-physical port basis. Ucode monitors output traffic to verify that it conforms to the rate configured on the switch router. When excess traffic comes into the switch, the output side of the processor interface applies back pressure and queues the excess traffic in the switch fabric.
  http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a0080476087.html

• Help config vlan and inter routing vlan on 2 switches SF300-24 ???

  Dear Cisco!
  now we have 2 switches: SF300-24
  on one SF300-24 we config it at layer 3 mode with VLAN configuration same as following
  VLAN ID 2 (ports: 2 -6) have ip interface  192.168.2.254/24
  VLAN ID 3 (ports: 7 - 10) have ip interface  192.168.3.254/24
  VLAN ID 4 (ports 11- 15 ) have ip interface  192.168.4.254/24
  and VLAN 1 default have IP address: 192.168.1.200
  DHCP relay  - DHCP server 192.168.3.1
                     - DHCP relay: VLAN2; VLAN3; VLAN4
  ip route: 0.0.0.0   0.0.0.0  192.168.3.1
  all ports of VLAN2, VLAN3, VLAN4 set access mode.
  and another SF300-24
  was configed at layer 2. We config VLAN ID 2 ̣̣̣have ports  2 -6; VLAN ID 3 ports 7 -10; VLAN ID 4 port 11-15 ,too.
  And we use port 26 on 2 switches SF300-24 is trunk mode then we connect both SF300-24 switches.
  But on SF300-24 layer 2 cann't inderstand VLAN from Sf300-24 layer 3!!!
  Could you please help me check this situation?
  How to config VLAN on 2 switches SF300-24 Layer 3 and SF300-24 layer 2?
  Thanks!
  See you soon!

  Son Nquyen,
  First i would upgrade to 1.1.8 since the 1.0.0.27 was beta code.
  Next when when connecting both switches together each port will need set via Trunk mode with proper native vlan and tagged vlan traffic. What's the configuration of your trunk ports on each switch?
  Thanks,
  Jasbryan.

• VLAN and Networking

  Hi,
  we have HP Blade server, where i have created the VLAN and added to the server profile, all traffic for that particular VLAN is tagged on Blade (Virtual Interconnect) and passed to network switch. the port on switch is configured as trunk port.
  I want to know that, when i configure the network on Oracle VM server, do i have to select the Network Segment inside VLAN, as untagged or Tagged ?
  thanks,

  Hi Erik,
  Can you get a sniffer of the LAN when this happens?
  Administration -> Diagnostics -> Packet Trace
  Recreate the issue and please post the trace here.
  Could you also send me your config?
  Thanks
  Steven

• Inter-VLAN routing, Auto-Voice VLAN and IP Address-Helper

  Hope that somebody can help me with the setup in the screenshot. 
  Planning to use Auto-Voice VLAN and Smartports to configure VOIP
  LLDP-MED will be enabled on the switch to detect the IP phones so they will be moved to the Voice VLAN (If not the first 6 signs will be added to the OID table). The Voice VLAN ID will be 2 >> Voice VLAN will be automatically enabled once a device is recognized as a IP phone right? 
  Workstations will be connected to the Cisco switch, VLAN data will be untagged and will remain on the native VLAN.
  Smartports will be used to configure the ports (Macro's) >> Should configure the ports as trunks as assigns the correct VLANs right?
  But how do i configure the IP Helper-Address? Do i have to create the Voice VLAN on both switches and then run the command "IP Helper Address" to specify a DHCP server? From what i've been reading it's required, when using Inter-VLAN routing, to configure the VLAN interface with an IP address. But it's going to give problems when both switches are connected to eachother and both have the same VLAN configured including the same IP address assigned to their VLAN interface?
  Normal data should pass  the ASA firewall, VOIP traffic should go through the Vigor modem to a hosted VOIP provider. The best way, i assume, is to configure 2 separate scopes on the DHCP server?
  Still confused on how to set it up, hope that someone can point me in the right direction

  If you're sending voice to only the Vigor modem then there is no need for a trunk between the SF-300 and the Vigor modem. You can just set that to an untag packet for the VLAN 2 between that switch and the Vigor modem.
  On the 'edge' SF300 where the IP phone/PC is it is obviously going to interoute there and of course the phone port is tagged and PC port is untagged.
  For the IP helper, it uses UDP-RELAY and it should be enabled on the port itself and enabled on the global configuration. You may also need option 82. Also keep in mind, depending how your DHCP server works, it may need option 82 configured as well or at least a route to understand the subnets in the layer 3 environment to get traffic across the VLANS.

• Private Vlan and Switchport Protected

  Dear All,
  My core switch is 4500 which support Private Vlan. However, I have several closet switch (2950) which only support Switchport Protected. 4500 and each 2950 are connected with trunk using fiber.
  How can I config PC at 2950_Switch1 cannot communicate to PC at 2950_Switch2 (all fastethernet port on both 2950 are at the same vlan and same subnet)?
  Thanks.
  C.K.

  Hi C.k.,
  I believe you can use switchport protected feature along with port blocking feature to accomplish this. First have your switch ports configured as protected ports on which you dont want the traffic to flow and then configure those ports to deny unknown unicast and multicast using the " port-blocking feature ".
  Try that and let us know.
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/swtrafc.htm#wp1174968
  HTH,
  -amit singh

• Traffic Shapping on ESW500 switches

  Hello all,
  I am faily new on the traffic shapping / bandwith control department, and have been asked by a client to be able to do some traffic shapping in their main office.
  I've read some documents on the ESW500 switches and wanted to make sure that my understanding of the technology and product is right.
  My client wants to prioritize bandwith per port depending on the bandwith usage needed. Some users needs a lot of bandwith for critical applications while others
  uses a lot of bandwith for not so critical applications...
  From what I've read, I should be able to replace his switch with an ESW500 switch and do some traffic shaping. He has a pretty basic setup with about 30 computers connected to a switch which is connected to a router. As mentionned, if I replace the switch with an ESW500 switch, will I be able to limit per port bandwith usage both inbound and outbound?
  Is there also some kind of monitoring tool I could use to see how much bandwith used per port (not required but would be a nice to have feature).
  Thanks!
  Matt

  Hello Matt, I hope this finds you doing well.
  The amount of bandwidth you need is directly related to the performance you require.  What performance do you require? 
  Here is one example (for voice)
  150 msec one way delay
  Less than 20 msec jitter
  Less than 1% packet loss 
  With requirements for this, you will have to have the right amount of bandwidth per call and queueing control, or else the call not sound right or may even be dropped.
  Another example might be for Microsoft's RDP:
  Some web posts mention that 30kps is needed, and some say 100kbps is acceptable.
  So this is a bandwidth target, lets say 100kbps per user for this example.  If you have 10 concurrent sessions, then this is a max amount of bandwidth needed around 1Mbps.  With statistical multiplexing, you should not need this much, since not all clients will burst or use the max amount of bandwidth at the same time.  You can probably get by with less ...
  The point I am making with this, is once you know how much bandwidth you need, then you can begin to engineer your network so that critical applications are able to function and user productivity is kept high. User productivity is so very key, and it is very good to see you looking into this as you are Matt.  Good stuff Matt.
  Do the application vendors have suggestions for you for how much bandwidth their apps require?
  If the application vendors do not know how much is needed, then using Cisco devices, you can define the performance you require and the Cisco device will respond with the required bandwith per queue.  This is called 'corvil bandwidth' or bandwidth estimation. Using this bandwidth amount, you can configure your QoS settings on all your devices.
  Here is a link and I would suggest to poke around some:
  http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/qos_bndwidth_est.html
  Application performance is an end to end perspective and consideration.  You need intelligence at the edge, core, and remote edge.
  You can also look at the interface statistics to understand what an end user is using when accessing an application.  This can be an inaccurate method, but it might help you in your understanding.
  With all of this said, most folks do not notice a lot of congestion on the LAN or from one LAN port to another LAN port.  Usually problems occur at bottlenecks and uplinks.  Where are the bottlenecks in your network?
  Once you know where these are, then you can apply a QoS policy to protect the important traffic and ensure application performance meets your needs.  What are your needs?  See the above for some thoughts.
  Does this make sense?
  The ESW is a great switch, and QoS can be easily configured to meet your needs.  I think a harder question is ... what are your needs?
  Here is a link for the ESW switch.  Click on resources to find the docs provided with this switch:
  http://www.cisco.com/cisco/web/solutions/small_business/products/routers_switches/esw_500/index.html
  HTH,
  Andrew Lee Lissitz

• ME 3400 minimum traffic shape rate

  Hi
  I just implement traffic shape for output traffic on interface FastEthernet:
  policy-map megann-10M-out
  class class-default
  shape average 10485500
  int fa0/5
  switch-2(config-if)#service-policy output megann-10M-out
  QoS: Configuration failed. The configured rate is not achievable in hw within 1% of configuration.
  Closest value(s) are: 11111120 bps, 5882368 bps
  What is "1% of configuration"? It's not an 1% of interface rate?

  Hello,
  this is somewhat odd and looks like only predefined rates are achievable with shaping. The command reference does not mention this at all
  http://www.cisco.com/en/US/products/ps6580/products_command_reference_chapter09186a008051341a.html#wp5979557
  but gives an example with 10000000. Maybe you can try this value?
  I understand the message like this: you are not within 1% of the rate 11111120 bps with your configured value. Have you tried to configure shaping to this rate?
  Hope this helps! Please rate all posts.
  Regards, Martin