Archive

Category: Switching

One of the most confusing topics I have come across in my CCIE studies is 3560 queuing and scheduling. On the 3550 the queues are configured per interface; on the 3560 the two ingress queues are global (shared by every port of the switch) and the four egress queues of each port draw on a common buffer pool through queue-sets.

Because the total inbound bandwidth of all ports can exceed the bandwidth of the internal ring, ingress queues are located after the packet is classified, policed, and marked and before packets are forwarded into the switch fabric. Because multiple ingress ports can simultaneously send packets to an egress port and cause congestion, outbound queues are located after the internal ring.

The 3560 has two ingress queues (as shown in the diagram) and four egress queues per interface. The ingress queues are configured entirely in global configuration mode with "mls qos srr-queue input ..." (type "mls qos srr-queue input ?" to list the options). On the egress side, the DSCP/CoS-to-queue-and-threshold maps ("mls qos srr-queue output ...") and the queue-set buffer and threshold definitions ("mls qos queue-set output ...") are global; everything else (assigning a port to a queue-set, the SRR shaped and shared weights, the expedite queue and the port bandwidth limit) is configured under the interface.

The 3560 has four hardware egress queues per interface with three WTD thresholds per queue, and queue 1 can be configured as the expedite (strict priority) queue, which gives 4Q1P3T (Cisco documentation writes the same structure as 1P3Q3T). By default CoS values are mapped to the egress queues as follows:

COS 5 -> Queue 1
COS 0/1 -> Queue 2
COS 2/3 -> Queue 3
COS 4/6/7 -> Queue 4

Weighted Tail Drop

Both the ingress and egress queues use an enhanced version of the tail-drop congestion-avoidance mechanism called weighted tail drop (WTD). WTD is implemented on queues to manage the queue lengths and to provide drop precedences for different traffic classifications.

Each queue has three threshold values. The QoS label of the frame determines which of the three thresholds applies to it. Of the three thresholds, two are configurable (explicit) and one is not (implicit): threshold 3 is preset to the queue-full state and cannot be changed.

Configuring Ingress Queue Characteristics:-

Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds

We can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped.

This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent. It maps DSCP values 20 to 26 to ingress queue 1 and to threshold 2 with a drop threshold of 70 percent:

Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 1 0 1 2 3 4 5 6
Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 20 21 22 23 24 25 26
Switch(config)# mls qos srr-queue input threshold 1 50 70

In this example the DSCP values 0 to 6 are assigned WTD threshold 1, which is set to 50 percent: once ingress queue 1 is 50 percent full, frames carrying those DSCP values start being dropped. The DSCP values 20 to 26 are assigned threshold 2, set to 70 percent, so they are only dropped once the queue is 70 percent full. Under congestion the lower-threshold traffic therefore gives way first.

Allocating Buffer Space Between the Ingress Queues

We define the ratio (allocate the amount of space) with which to divide the ingress buffers between the two queues. The buffer and the bandwidth allocation control how much data can be buffered before packets are dropped.

This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the buffer space to ingress queue 2:

Switch(config)# mls qos srr-queue input buffers 60 40

Allocating Bandwidth Between the Ingress Queues

We need to specify how much of the available bandwidth is allocated between the ingress queues. The ratio of the weights is the ratio of the frequency in which the SRR scheduler sends packets from each queue. The bandwidth and the buffer allocation control how much data can be buffered before packets are dropped. On ingress queues, SRR operates only in shared mode.

This example shows how to assign the ingress bandwidth to the queues. Priority queueing is disabled, and the shared bandwidth ratio allocated to queue 1 is 25/(25+75) and to queue 2 is 75/(25+75):

Switch(config)# mls qos srr-queue input priority-queue 2 bandwidth 0
Switch(config)# mls qos srr-queue input bandwidth 25 75

Configuring the Ingress Priority Queue

We should use the priority queue only for traffic that needs to be expedited (for example, voice traffic, which needs minimum delay and jitter).

This example shows how to assign the ingress bandwidths to the queues. Queue 1 is the priority queue with 10 percent of the bandwidth allocated to it. The bandwidth ratio allocated to queues 1 and 2 is 4/(4+4). SRR services queue 1 (the priority queue) first for its configured 10 percent bandwidth. Then SRR equally shares the remaining 90 percent of the bandwidth between queues 1 and 2 by allocating 45 percent to each queue, so queue 1 can count on 55 percent in total:

Switch(config)# mls qos srr-queue input priority-queue 1 bandwidth 10
Switch(config)# mls qos srr-queue input bandwidth 4 4

Configuring Egress Queue Characteristics:-

Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set

This example shows how to map a port to queue-set 2. It allocates 40 percent of the buffer space to egress queue 1 and 20 percent to egress queues 2, 3, and 4. It configures the drop thresholds for queue 2 to 40 and 60 percent of the allocated memory, guarantees (reserves) 100 percent of the allocated memory, and configures 200 percent as the maximum memory that this queue can have before packets are dropped:

Switch(config)# mls qos queue-set output 2 buffers 40 20 20 20
Switch(config)# mls qos queue-set output 2 threshold 2 40 60 100 200
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# queue-set 2

Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID

We can prioritize traffic by placing packets with particular DSCP or CoS values into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped first.

This example shows how to map DSCP values 10 and 11 to egress queue 1 and to threshold 2:

Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 2 10 11

Configuring SRR Shaped Weights on Egress Queues

We can specify how much of the available bandwidth is allocated to each queue. The ratio of the weights is the ratio of frequency in which the SRR scheduler sends packets from each queue.

This example shows how to configure bandwidth shaping on queue 1. Because the weight ratios for queues 2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent:

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# srr-queue bandwidth shape 8 0 0 0

Configuring SRR Shared Weights on Egress Queues

In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue empties and does not require a share of the link, the remaining queues can expand into the unused bandwidth and share it among them. With sharing, the ratio of the weights controls the frequency of dequeuing; the absolute values are meaningless.

This example shows how to configure the weight ratio of the SRR scheduler running on an egress port. Four queues are used, and the bandwidth ratio allocated for each queue in shared mode is 1/(1+2+3+4), 2/(1+2+3+4), 3/(1+2+3+4), and 4/(1+2+3+4), which is 10 percent, 20 percent, 30 percent, and 40 percent for queues 1, 2, 3, and 4. This means that queue 4 has four times the bandwidth of queue 1, twice the bandwidth of queue 2, and one-and-a-third times the bandwidth of queue 3.

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# srr-queue bandwidth share 1 2 3 4

Configuring the Egress Expedite Queue

We can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues.

This example shows how to enable the egress expedite queue when the SRR weights are configured. The egress expedite queue overrides the configured SRR weights.

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# srr-queue bandwidth shape 25 0 0 0 
Switch(config-if)# srr-queue bandwidth share 30 20 25 25 
Switch(config-if)# priority-queue out 
Switch(config-if)# end 

Limiting the Bandwidth on an Egress Interface

We can limit the bandwidth on an egress port. For example, if a customer pays only for a small percentage of a high-speed link, we can limit the bandwidth to that amount.

This example shows how to limit the bandwidth on a port to 80 percent:

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# srr-queue bandwidth limit 80
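The arithmetic behind the ingress and egress examples above, as an added example that is not part of the original post or of Cisco's documentation: the functions below take the same weights the commands take and return the share of the internal ring or of the port that each queue can count on, following the rules the text states (the ingress priority queue is served first, a shaped weight w means 1/w of the port, shared queues divide the remainder by ratio, the expedite queue ignores its weights, and the port limit scales everything). The way the real scheduler hands unused bandwidth around at run time is dynamic; the shared-queue figures here are the static guarantees, computed on the assumption that the expedite queue is empty. The WTD helper models the ingress thresholds only (threshold 3 fixed at 100 percent).

```python
"""Effective SRR bandwidth per queue on a 3560, plus the ingress WTD drop decision.
Results are exact Fractions so the ratios quoted in the text can be checked."""
from fractions import Fraction
from typing import List, Optional, Sequence, Tuple


def ingress_shares(weights: Sequence[int], pq: Optional[int] = None,
                   pq_bandwidth: int = 0) -> List[Fraction]:
    """Two ingress queues, shared mode only.  If queue `pq` is the priority queue it is
    served first for `pq_bandwidth` percent of the ring; the remainder is split between
    both queues by the shared weight ratio.  Returns the total percent per queue."""
    if len(weights) != 2:
        raise ValueError("the 3560 has exactly two ingress queues")
    remaining = Fraction(100 - pq_bandwidth) if pq else Fraction(100)
    total = sum(weights)
    shares = [remaining * Fraction(w, total) for w in weights]
    if pq:
        shares[pq - 1] += pq_bandwidth
    return shares


def egress_shares(shaped: Sequence[int], shared: Sequence[int], expedite: bool = False,
                  limit: int = 100) -> List[Tuple[str, Fraction]]:
    """Four egress queues on one port.  A non-zero shaped weight w caps that queue at
    1/w of the port (absolute); queues with shaped weight 0 share what is left by the
    ratio of their shared weights.  With `priority-queue out` queue 1 is strict
    priority and its weights are ignored.  `limit` is `srr-queue bandwidth limit`.
    Returns (mode, percent of port) per queue."""
    if len(shaped) != 4 or len(shared) != 4:
        raise ValueError("the 3560 has exactly four egress queues per port")
    port = Fraction(limit)
    result: List[Tuple[str, Fraction]] = [("", Fraction(0))] * 4
    shaped_total = Fraction(0)
    for i in range(4):
        if expedite and i == 0:
            result[i] = ("priority", port)          # served until empty, up to the port limit
        elif shaped[i]:
            result[i] = ("shaped", port / shaped[i])
            shaped_total += port / shaped[i]
    shared_idx = [i for i in range(4) if not result[i][0]]
    shared_total = sum(shared[i] for i in shared_idx)
    if shared_idx and shared_total == 0:
        raise ValueError("shared-mode queues need a non-zero shared weight")
    for i in shared_idx:
        result[i] = ("shared", (port - shaped_total) * Fraction(shared[i], shared_total))
    return result


def wtd_drops(queue_fill_percent: int, threshold_id: int, thresholds: Tuple[int, int]) -> bool:
    """Ingress WTD: a frame mapped to threshold 1 or 2 is dropped once the queue is at or
    above that threshold; threshold 3 is the implicit 100 percent (queue full)."""
    limits = (thresholds[0], thresholds[1], 100)
    return queue_fill_percent >= limits[threshold_id - 1]


if __name__ == "__main__":
    print(ingress_shares([4, 4], pq=1, pq_bandwidth=10))        # [55, 45]
    print(egress_shares([8, 0, 0, 0], [25, 25, 25, 25]))         # queue 1 shaped to 12.5
    print(egress_shares([0, 0, 0, 0], [1, 2, 3, 4]))             # 10 / 20 / 30 / 40
    print(egress_shares([25, 0, 0, 0], [30, 20, 25, 25], expedite=True))
```

Feeding it the page's own cases gives 55/45 for the ingress priority example, 12.5 percent for the shaped weight of 8, 10/20/30/40 for shared weights 1 2 3 4, and 4 percent for the default shaped weight of 25 in queue 1; with "srr-queue bandwidth limit 80" every figure is scaled to the 80 percent port rate.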

Default Ingress Queue Configuration

Table 1 shows the default ingress queue configuration when QoS is enabled.

Table 1 Default Ingress Queue Configuration

Feature                        Queue 1        Queue 2
Buffer allocation              90 percent     10 percent
Bandwidth allocation (1)       4              4
Priority queue bandwidth (2)   0              10
WTD drop threshold 1           100 percent    100 percent
WTD drop threshold 2           100 percent    100 percent

(1) The bandwidth is equally shared between the queues. SRR sends packets in shared mode only.
(2) Queue 2 is the priority queue. SRR services the priority queue for its configured share before servicing the other queue.

Table 2 shows the default CoS input queue threshold map when QoS is enabled. This is the cos-input-q map, used for Layer 2 (CoS) marked traffic; display it with "show mls qos maps cos-input-q". It can be modified, for example to put CoS 1 into queue 1 threshold 2 (Q1T2):

mls qos srr-queue input cos-map queue 1 threshold 2 1

Table 2 Default CoS Input Queue Threshold Map

CoS Value    Queue ID-Threshold ID
0-4          1-1
5            2-1
6, 7         1-1

Table 3 shows the default DSCP input queue threshold map when QoS is enabled. This is the dscp-input-q map, used for Layer 3 (DSCP) marked traffic; display it with "show mls qos maps dscp-input-q". It can be modified, for example to put DSCP 32 (decimal) into queue 2 threshold 3 (Q2T3):

mls qos srr-queue input dscp-map queue 2 threshold 3 32

Table 3 Default DSCP Input Queue Threshold Map

DSCP Value   Queue ID-Threshold ID
0-39         1-1
40-47        2-1
48-63        1-1

Default Egress Queue Configuration

Table 4 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent (rate unlimited).

Table 4 Default Egress Queue Configuration

Feature                             Queue 1       Queue 2       Queue 3       Queue 4
Buffer allocation                   25 percent    25 percent    25 percent    25 percent
WTD drop threshold 1                100 percent   200 percent   100 percent   100 percent
WTD drop threshold 2                100 percent   200 percent   100 percent   100 percent
Reserved threshold                  50 percent    50 percent    50 percent    50 percent
Maximum threshold                   400 percent   400 percent   400 percent   400 percent
SRR shaped weights (absolute) (1)   25            0             0             0
SRR shared weights (2)              25            25            25            25

(1) A shaped weight of zero means that this queue is operating in shared mode.
(2) One quarter of the bandwidth is allocated to each queue.

Table 5 shows the default CoS output queue threshold map when QoS is enabled.

Table 5 Default CoS Output Queue Threshold Map

CoS Value    Queue ID-Threshold ID
0, 1         2-1
2, 3         3-1
4            4-1
5            1-1
6, 7         4-1

Table 6 shows the default DSCP output queue threshold map when QoS is enabled.

Table 6 Default DSCP Output Queue Threshold Map

DSCP Value   Queue ID-Threshold ID
0-15         2-1
16-31        3-1
32-39        4-1
40-47        1-1
48-63        4-1

Because these defaults already let the ASICs queue traffic sensibly, the queue configuration only needs to be altered when the hardware processing of the 3560 has to be changed for a specific need.

STP RootGuard Feature

• Root guard is useful in avoiding Layer 2 loops during network anomalies. The root guard feature forces an interface to become a designated port to prevent surrounding switches from becoming root bridges.
• Root guard-enabled ports are forced to be designated ports. If the bridge receives superior STP BPDUs on a root guard-enabled port, the port moves to a root-inconsistent STP state, which is effectively equivalent to the STP listening state, and the switch does not forward traffic out of that port. As a result, this feature enforces the position of the root bridge.

Here in the above picture:-

• Switches A and B comprise the core of the network. Switch A is the root bridge.
• Switch C is an access layer switch. When Switch D is connected to Switch C, it begins to participate in STP. If the priority of Switch D is 0 or any value lower than that of the current root bridge, Switch D becomes the root bridge.
• Having Switch D as the root causes the Gigabit Ethernet link connecting the two core switches to block, thus causing all the data to flow via a 100-Mbps link across the access layer. This is obviously a terrible outcome.
• After the root guard feature is enabled on a port, the switch does not allow that port to become an STP root port.
• Cisco switches log the following message when a root guard-enabled port receives a superior BPDU:

%SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77. Moved to root-inconsistent state.

• The current design recommendation is to enable root guard on all access ports so that a root bridge is not established through these ports.
• In this configuration, Switch C blocks the port connecting to Switch D when it receives a superior BPDU. The port transitions to the root-inconsistent STP state. No traffic passes through the port while it is in root-inconsistent state.
• When Switch D stops sending superior BPDUs, the port unblocks again and goes through the regular STP transitions of listening and learning, and eventually to the forwarding state. Recovery is automatic; no intervention is required.

Enable Root Guard on Switches A, B, and C on the following ports:

•Switch A (Distribution/Core): Any access port
•Switch B (Distribution/Core): Any access port
•Switch C (Access): Any access port including the port connecting to Switch D

The configuration can be done:-

Switch(config)# interface FastEthernet 5/8
Switch(config-if)# spanning-tree guard root
Switch(config-if)# end

Switch# show running-config interface FastEthernet 5/8
Building configuration...

Current configuration: 67 bytes
!
interface FastEthernet5/8
 switchport mode access
 spanning-tree guard root
end

Important command to check the ports that are in an inconsistent state. Root guard reports its ports as "Root Inconsistent"; the same command lists every kind of inconsistency, and the sample output below happens to show port-type inconsistencies:-

Switch# show spanning-tree inconsistentports

Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0001             FastEthernet3/1        Port Type Inconsistent
VLAN0001             FastEthernet3/2        Port Type Inconsistent
VLAN1002             FastEthernet3/1        Port Type Inconsistent
VLAN1002             FastEthernet3/2        Port Type Inconsistent

Number of inconsistent ports (segments) in the system :4

•Ports in root inconsistent recover automatically with no human intervention after the port stop receiving superior BPDUs. The port goes through the listening state to the learning state, and eventually transitions to the forwarding state.
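The comparison that decides whether a BPDU is "superior", and what a root guard port does with it, as an added example that is not part of the original post: the code below walks through the Switch A / Switch C / Switch D scenario above. Bridge IDs are (priority, MAC); the MAC addresses, path costs and port numbers are made up, the 802.1t system-ID extension is ignored, and recovery is triggered here by the next non-superior BPDU on the port (on a real switch the max-age timer running out has the same effect).

```python
"""Superior-BPDU ordering (802.1D) and the root guard decision, on the scenario from the text."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class BridgeId:
    priority: int          # 0-61440 in steps of 4096 (sys-id-ext ignored here)
    mac: str               # Cisco dotted form, e.g. "0000.0c00.aaaa"

    def key(self) -> Tuple[int, int]:
        return (self.priority, int(self.mac.replace(".", ""), 16))


@dataclass(frozen=True)
class Bpdu:
    root: BridgeId
    root_path_cost: int
    sender: BridgeId
    sender_port: int

    def key(self):
        return (self.root.key(), self.root_path_cost, self.sender.key(), self.sender_port)


def is_superior(received: Bpdu, current: Bpdu) -> bool:
    """Lower root bridge ID wins, then lower root path cost, then lower sender
    bridge ID, then lower sender port ID."""
    return received.key() < current.key()


@dataclass
class Port:
    name: str
    vlan: int
    root_guard: bool
    state: str = "forwarding"            # a designated port in normal operation
    log: List[str] = field(default_factory=list)

    def receive(self, bpdu: Bpdu, best: Bpdu) -> str:
        """`best` is the BPDU the switch currently holds for its root.  Returns the
        state the port ends up in."""
        if is_superior(bpdu, best):
            if self.root_guard:
                if self.state != "root-inconsistent":
                    self.log.append(
                        f"%SPANTREE-2-ROOTGUARDBLOCK: Port {self.name} tried to become "
                        f"non-designated in VLAN {self.vlan}. Moved to root-inconsistent state.")
                self.state = "root-inconsistent"   # no traffic passes
            else:
                self.state = "root"                # the new root is accepted through this port
        elif self.state == "root-inconsistent":
            self.state = "listening"               # automatic recovery via listening/learning
        return self.state


def scenario() -> Tuple[str, str, str, List[str]]:
    """Switch D (priority 0) plugged into access switch C while A is root."""
    switch_a = BridgeId(4096, "0000.0c00.aaaa")   # current root (hypothetical IDs)
    switch_c = BridgeId(32768, "0000.0c00.cccc")  # access switch running root guard
    switch_d = BridgeId(0, "0000.0c00.dddd")      # newcomer with priority 0
    best = Bpdu(root=switch_a, root_path_cost=19, sender=switch_c, sender_port=1)
    from_d = Bpdu(root=switch_d, root_path_cost=0, sender=switch_d, sender_port=1)
    guarded = Port("1/1", 77, root_guard=True)
    unguarded = Port("1/1", 77, root_guard=False)
    blocked = guarded.receive(from_d, best)
    hijacked = unguarded.receive(from_d, best)
    # D is corrected and now advertises A as root: the guarded port recovers on its own
    d_agrees = Bpdu(root=switch_a, root_path_cost=38, sender=switch_d, sender_port=1)
    recovered = guarded.receive(d_agrees, best)
    return blocked, hijacked, recovered, guarded.log


if __name__ == "__main__":
    for line in scenario():
        print(line)
```

Without root guard the port simply accepts Switch D's priority-0 BPDU and becomes a root port, which is the path to the 100-Mbps-core outcome described above; with it, the port goes root-inconsistent, logs the same message the text quotes, and comes back through listening once the superior BPDUs stop.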

3560/3550 Recovery Procedure
————————————

Connect a PC to the console port of the switch.

Use a terminal emulation program such as Microsoft Windows HyperTerminal in order to establish the console session. These are the settings:

  • Bits per second: 9600
  • Data bits: 8
  • Parity: None
  • Stop bits: 1
  • Flow control: None

Step-by-Step Recovery Procedure

Use this solution to solve the problem.

Note: A PC must be attached to the console port of the switch.

1. If the switch is in a continuous reboot, complete this procedure (Catalyst 2970, 3550, 3560 and 3750 series switches). If the switch is not in a continuous reboot but is already at the switch: prompt, proceed directly to Step 2.

  1. Unplug the power cord.
  2. Hold down the MODE button while you reconnect the power cable to the switch. The MODE button is on the left side of the front panel.
  3. Release the MODE button after the LED that is above Port 1x goes out. Note: The LED position can vary slightly, which depends on the model.

  You are now at the switch: prompt.

2.Issue the flash_init command and the load_helper command.

  • If the Flash has already initialized, you see this:
    switch: flash_init
      Initializing Flash...
      ...The flash is already initialized.
      switch:

    If the Flash has not initialized, you see this:

    switch: flash_init
    Initializing Flash...
    flashfs[0]: 21 files, 2 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 7741440
    flashfs[0]: Bytes used: 4499456
    flashfs[0]: Bytes available: 3241984
    flashfs[0]: flashfs fsck took 7 seconds.
    ...done initializing flash.
    Boot Sector Filesystem (bs:) installed, fsid: 3
    Parameter Block Filesystem (pb:) installed, fsid: 4

    Issue the load_helper command in order to load any boot helper images. Here is an example:

    switch: load_helper
    switch:

3.Issue the dir flash: command in order to view the contents of the Flash file system.

Determine if there are any Cisco IOS® image files or image directories in flash:. The Cisco IOS image files are .bin files, and the image directories are named with the image filename, excluding the .bin extension. If no Cisco IOS image files or image directories exist, you see this:

switch: dir flash:
Directory of flash:/
2    -rwx  5        <date>               private-config.text
3    -rwx  110       <date>               info
4    -rwx  976       <date>               vlan.dat
6    -rwx  286       <date>               env_vars
26   -rwx  1592      <date>               config.text
8    drwx  1088      <date>               html
19   -rwx  110       <date>               info.ver
4393472 bytes available (3347968 bytes used)
switch: !--- No Cisco IOS images or image directories exist in Flash. 

If your Flash directory looks like this, proceed directly to Step 4. Step 4 recovers the switch with an Xmodem file transfer.

If there is still an image in Flash, issue the boot command in order to try to recover the switch. Before you issue the boot command, verify where the Cisco IOS image is stored in the Flash directory. The location in which the image is stored can differ, which depends on your switch model.

  • Catalyst 2970, 3550, 3560, and 3750 Flash file system

The organization of the Flash file system on a Catalyst 2970, 3550, 3560, and 3750 is a little different. You can store the Cisco IOS image file in the flash: directory. However, if you use the Cluster Management Suite (CMS) image in order to manage switches with a web interface, you can store the Cisco IOS image file in its own directory. Issue the dir flash:directory command in order to display the image file in this case.

switch: dir flash:
Directory of flash:/
2    -rwx  976       <date>               vlan.dat
3    -rwx  386       <date>               system_env_vars
4    -rwx  5         <date>               private-config.text
6    -rwx  1554      <date>               config.text
24   drwx  192       <date>               c3550-i5q3l2-mz.121-13.EA1
!--- You can store the Cisco IOS image file in its own directory.
!--- Name the directory with the image name, but exclude the .bin extension.
42   -rwx  33        <date>               env_vars
!--- Output suppressed.
switch: dir flash:c3550-i5q3l2-mz.121-13.EA1
!--- Issue the dir flash:<directory> command in order to view the Cisco IOS image file.
Directory of flash:c3550-i5q3l2-mz.121-13.EA1/
25   drwx  832       <date>               html
40   -rwx  3993612   <date>               c3550-i5q3l2-mz.121-13.EA1.bin
!--- This is where the Cisco IOS image file is stored for a CMS image.
41   -rwx  252       <date>               info
9992192 bytes available (6006784 bytes used)
!--- This output is from a Catalyst 3550 switch. Output from a
!--- Catalyst 2970, 3560, or 3750 varies slightly.
switch:

Attempt to Boot the Image

After you have verified where the Cisco IOS image file resides, try to boot the image. Issue either the boot flash:filename command or the boot flash:directory/filename command.

  • Catalyst 3560

switch: boot flash:c3560-i5q3l2-mz.121-13.EA1/c3560-i5q3l2-mz.121-13.EA1.bin
!--- This example uses the boot flash:<directory>/<filename> command on a 3560.
Loading "flash:c3560-i5q3l2-mz.121-13.EA1/c3560-i5q3l2-mz.121-13.EA1.bin"...####
#################################################
###############################
!--- Output suppressed.
!--- This command syntax is the same for Catalyst 2970, 3550 and 3750 series switches.

If you issue the boot command and the result is in a successful bootup, either the default switch> prompt or the hostname> prompt displays.

Press RETURN to get started!
Switch>
 !--- The bootup was successful. 

Be sure to verify that you have configured the correct boot statement on the switch.

If you issue the boot command and the command does not result in a successful bootup, either the switch: prompt displays or you are stuck in a continuous reboot again. The only option to recover the switch is an Xmodem file transfer. Step 4 covers this file transfer.

4. If the boot command has failed or there is no valid image from which to boot in Flash, perform an Xmodem file transfer.

  • A typical Xmodem file transfer can take up to 2 hours, which depends on the image size.

Note: Do not use a CMS image (.tar file). This image is a larger image and takes longer to transfer.

Issue the dir flash: command in order to compare the size of the image in bytes to the free space that remains in Flash. Here is an example:

switch: dir flash:
Directory of flash:/
!--- Output suppressed.
3132928 bytes available (4608512 bytes used)
!--- There are approximately 3 MB of Flash space available for a new image.

If necessary, issue the delete command in order to delete any corrupt images that remain. Here is an example:

switch: delete flash:c2950-i6q4l2-mz.121-12c.EA1.bin
!--- Issue the delete flash:<filename> command in order to delete a Cisco IOS image.
Are you sure you want to delete "flash:c2950-i6q4l2-mz.121-12c.EA1.bin" (y/n)? y
!--- Enter y for yes if you want to delete the image.
File "flash:c2950-i6q4l2-mz.121-12c.EA1.bin" deleted
switch:

The next example shows an Xmodem procedure on a 2955 with the use of HyperTerminal. The procedure is the same for any of the Catalyst fixed configuration switches that this document covers.

  • Issue the copy xmodem: flash:filename command on the switch. Here is an example:

    switch: copy xmodem: flash:c2955-i6q4l2-mz.121-13.EA1.bin
    Begin the Xmodem or Xmodem-1K transfer now...
    CCC

  • From the top of the HyperTerminal window, choose Transfer > Send File.
  • Choose the Xmodem protocol in the Send File dialog box and click Browse in order to select the Cisco IOS image (.bin file) that you downloaded previously.
  • Click Send in order to begin the Xmodem transfer.

The Xmodem file transfer begins. This transfer can take up to 2 hours, which depends on the size of the image.

    CCCCCCC.........................................................................
    ................................................................................
    !--- Output suppressed.
    File "xmodem:" successfully copied to "flash:c2955-i6q4l2-mz.121-13.EA1.bin"
    !--- If the Xmodem file transfer fails for some reason, restart the process.
    !--- If the Xmodem file transfer is successful, you return to the switch: prompt.
    switch:

  • Boot the new image that you just copied over with the Xmodem procedure. Issue the boot flash:filename command, as this example shows:

    switch: boot flash:c2955-i6q4l2-mz.121-13.EA1.bin
    Loading "flash:c2955-i6q4l2-mz.121-13.EA1.bin"...###############################
    ################################################################################
    !--- Output suppressed.
    Press RETURN to get started!
    Switch>
    !--- The bootup was successful.

    Be sure to verify that your boot statements are set correctly.

How to Speed Up Xmodem Recovery

When a user tries to recover the switch from a corrupted or missing IOS, the copy xmodem: flash:[IOS filename] command might not be listed under the switch: prompt: the copy command is displayed, but not the copy xmodem: form.

Complete these steps in order to speed up the Xmodem recovery:

  1. Set the baud rate to 115200 on the switch: prompt.
    switch: set BAUD 115200
     !--- The screen goes blank after you enter this command. 
  2. Restart HyperTerminal.
  3. Under COM PORT properties, select the bits per second as 115200. The switch: prompt is displayed.
  4. Start the Xmodem recovery.
  5. After the Xmodem recovery, set the BAUD rate back to 9600. If the set BAUD 9600 command does not bring the baud rate to 9600, issue the unset BAUD command in order to bring the baud rate to a default value of 9600 bps.
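What the switch is doing while the "CCC" prompt and the dots go by, as an added example that is not part of Cisco's procedure above: the functions below implement the Xmodem-CRC / Xmodem-1K framing that "copy xmodem: flash:" receives from HyperTerminal (the receiver prints "C" to ask for CRC-16 packets, each 128- or 1024-byte block carries a sequence number, its complement and a CRC, and the last block is padded with 0x1A), together with a rough wire-time estimate that explains both the "up to 2 hours" figure and the gain from "set BAUD 115200". The sample image bytes are constructed; nothing here talks to a real console port.

```python
"""Xmodem-CRC / Xmodem-1K framing and a transfer-time estimate."""
from typing import List

SOH, STX, EOT, ACK, NAK, PAD = 0x01, 0x02, 0x04, 0x06, 0x15, 0x1A
CRC_MODE = ord("C")   # the receiver sends 'C' to request CRC-16 packets (the "CCC" above)


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection, no final xor."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def encode(image: bytes, block_size: int = 1024) -> List[bytes]:
    """Sender side: number the blocks from 1, pad the last block with 0x1A and append
    the CRC the receiver asked for; finish with EOT."""
    if block_size not in (128, 1024):
        raise ValueError("Xmodem blocks are 128 (SOH) or 1024 (STX) bytes")
    header = STX if block_size == 1024 else SOH
    packets = []
    for n, offset in enumerate(range(0, len(image), block_size), start=1):
        block = image[offset:offset + block_size].ljust(block_size, bytes([PAD]))
        seq = n & 0xFF
        packets.append(bytes([header, seq, 0xFF - seq]) + block
                       + crc16_xmodem(block).to_bytes(2, "big"))
    packets.append(bytes([EOT]))
    return packets


def decode(packets: List[bytes]) -> bytes:
    """Receiver side: check the sequence number, its complement and the CRC of every
    packet.  A real receiver answers NAK and waits for a resend; here a corrupt packet
    raises.  Returns the image as written to flash, padding included."""
    out = bytearray()
    expected = 1
    for pkt in packets:
        if pkt == bytes([EOT]):
            return bytes(out)
        size = 1024 if pkt[0] == STX else 128
        seq, seq_inv = pkt[1], pkt[2]
        block = pkt[3:3 + size]
        crc = int.from_bytes(pkt[3 + size:5 + size], "big")
        if seq != expected & 0xFF or seq ^ seq_inv != 0xFF:
            raise ValueError(f"packet {expected}: bad sequence number")
        if len(block) != size or crc16_xmodem(block) != crc:
            raise ValueError(f"packet {expected}: CRC mismatch")
        out += block
        expected += 1
    raise ValueError("transfer ended without EOT")


def transfer_seconds(image_len: int, baud: int, block_size: int = 1024) -> float:
    """Rough wire time: each block costs 5 bytes of framing plus one ACK, and 8N1 serial
    spends 10 bits per byte.  Turnaround latency is ignored, so real transfers are slower."""
    packets = -(-image_len // block_size)                  # ceiling division
    bytes_on_wire = packets * (block_size + 5 + 1)
    return bytes_on_wire * 10 / baud


if __name__ == "__main__":
    image = bytes(range(256)) * 5                          # constructed 1280-byte "image"
    print(len(encode(image)), "packets;", "roundtrip ok" if decode(encode(image)).startswith(image) else "broken")
    print(f"4 MB at 9600 baud: {transfer_seconds(4_000_000, 9600) / 60:.0f} min, "
          f"at 115200: {transfer_seconds(4_000_000, 115200) / 60:.1f} min")
```

A 4 MB image comes out at roughly 70 minutes of pure wire time at 9600 baud, in line with the "up to 2 hours" figure once ACK turnarounds are added, and exactly twelve times faster at 115200 baud, which is the whole point of the speed-up procedure.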

Verify

Complete these steps:

  1. Issue the show version command in order to verify the current version of software that you run. Here is an example:

    2955#show version
    Cisco Internetwork Operating System Software
    IOS (tm) C2955 Software (C2955-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE
    !--- This is the current version of software.

  2. Issue the dir flash: command in order to display the Cisco IOS image (.bin file) on a Catalyst 2940, 2950 or 2955.

    2950#dir flash:
    Directory of flash:/
    3  -rwx        5   Mar 01 1993 00:12:55  private-config.text
    4  -rwx  2905856   Jan 01 1970 03:06:25  c2955-i6q4l2-mz.121-13.EA1.bin
    !--- The Cisco IOS image (.bin file) is stored in flash: on a Catalyst 2940, 2950 or 2955.
    !--- Output suppressed.

If you run a CMS image on a Catalyst 2970, 3550, 3560, or 3750, you can store the Cisco IOS image in an image directory. Here is an example:

3550#dir flash:
Directory of flash:/
2  -rwx         976   Mar 01 1993 21:47:00  vlan.dat
4  -rwx           5   Mar 06 1993 23:32:04  private-config.text
6  -rwx        1554   Mar 06 1993 23:32:04  config.text
7  drwx         192   Mar 01 1993 00:14:02  c3550-i5q3l2-mz.121-13.EA1
!--- Notice the "d" for directory in the permission statement. This is an image
!--- directory that is installed when you upgrade the switch with a CMS image.
!--- The Cisco IOS image (.bin file) is inside this directory.
5  -rwx     3823261   Mar 01 1993 00:46:01  c3550-i5q3l2-mz.121-12c.EA1.bin
!--- This is another Cisco IOS image (.bin file).
8  -rwx          33   Mar 01 1993 00:14:06  env_vars
9  -rwx         384   Mar 01 1993 00:14:06  system_env_vars
15998976 bytes total (6168576 bytes free)
!--- This output is from a Catalyst 3550 switch. Output from a
!--- Catalyst 2970, 3560, or 3750 varies slightly.
3550#

You may need to issue the dir flash:directory command on a Catalyst 3550 in order to display the Cisco IOS image (.bin file). Here is an example:

3550#dir flash:c3550-i5q3l2-mz.121-13.EA1
Directory of flash:/c3550-i5q3l2-mz.121-13.EA1/
23  drwx         832   Mar 01 1993 00:12:00  html
40  -rwx     3993612   Mar 01 1993 00:14:02  c3550-i5q3l2-mz.121-13.EA1.bin
41  -rwx         252   Mar 01 1993 00:14:02  info
15998976 bytes total (6168576 bytes free)
!--- This output is from a Catalyst 3550 switch. Output from a
!--- Catalyst 2970, 3560, or 3750 varies slightly.
3550#
  3. Issue the show boot command in order to verify that the boot statement is set correctly. Here is an example:

    Switch#show boot
    BOOT path-list:
    !--- No boot system statement is set in this case.
    !--- Output suppressed.

Note: Boot statements do not display in the configuration or when you issue the show run command on any of the fixed configuration switches that this document covers. You must issue the show boot command in order to display boot statements.

If no boot statement is set or if the boot statement points to an old or missing version of software, configure the correct boot statement. Issue the boot system flash:filename command.

2955#configure terminal
2955(config)#boot system flash:c2955-i6q4l2-mz.121-13.EA1.bin
!--- This is how to set a boot system statement on a Catalyst 2940, 2950, or 2955.
2955(config)#end
2955#
2955#show boot
BOOT path-list:       flash:c2955-i6q4l2-mz.121-13.EA1.bin
!--- Output suppressed.

If you use a CMS image on a Catalyst 2970, 3550, 3560, or 3750, you can store the Cisco IOS image (.bin file) in its own image directory. Issue the boot system flash:directory/filename command. Here is an example:

3550#configure terminal
3550(config)#boot system flash:c3550-i5q3l2-mz.121-13.EA1/c3550-i5q3l2-mz.121-13.EA1.bin
!--- This command should be on one line. This is how to set a boot system statement on a
!--- Catalyst 3550 if the Cisco IOS image (.bin file) is in its own image directory.
3550(config)#end
3550#
3550#show boot
BOOT path-list:       flash:c3550-i5q3l2-mz.121-13.EA1/c3550-i5q3l2-mz.121-13.EA1.bin
!--- Output suppressed.

Dot1x Authentication
————————–

Recently I configured dot1x authentication in my network and thought of posting it on my blog.
It is a cool feature: with dot1x authentication we can provide added security at the access layer switches of the network. It uses username and password based authentication, and the switch hands the credentials to an AAA server rather than checking them itself.

First we need to issue the global command "aaa new-model" to enable AAA; it is essential for dot1x authentication.
Next we need to issue "aaa authentication login default none". Here "default" is the method list that applies to every line and interface of the device that has no named list of its own, and "none" means no login authentication at all. That keeps the console and vty lines reachable after AAA is turned on, but it also leaves them without any password check, so on a production switch use a list such as "aaa authentication login default group radius local" instead and keep "none" for the lab.
Next we need to tell the switch to use the RADIUS server's username and password list for dot1x authentication, which we do with "aaa authentication dot1x default group radius". 802.1X carries EAP inside RADIUS, so RADIUS is the only server type accepted in this method list; a TACACS+ server can still be used for login and exec authentication, but not for dot1x.
To define the RADIUS or TACACS+ server parameters such as host and key, we use the radius-server or tacacs-server commands in global configuration mode; the available options are shown by:
SWITCH(config)#[radius-server|tacacs-server] ?
Additionally, to force the switch to source RADIUS or TACACS+ packets from a single interface instead of whichever outgoing interface the routing table picks (so the server sees one fixed client address and key), we can issue:
SWITCH(config)#ip [tacacs|radius] source-interface [name of the interface]

Now for the dot1x part we need to enable the feature globally with "dot1x system-auth-control" in global configuration mode (prior to IOS release 12.1(14)EA1 this command was not required).
Next dot1x must be enabled on a per-interface basis with the interface level command:
SWITCH(config-if)#dot1x port-control [mode]
Here mode is one of three values: auto, force-authorized or force-unauthorized.
auto means dot1x is enabled and the client must authenticate with a username and password before the port forwards.
force-authorized is the default mode and indicates that authorization is not required; the port forwards without any authentication.
force-unauthorized dictates that a client can never access the network through this port.
NOTE: In some switch IOS versions, like the 12.2(55)SE I am using here, the interface command "dot1x port-control auto" is accepted by the switch but shows up in the configuration as "authentication port-control auto", so it is better to use "authentication port-control [mode]" to define the different dot1x port-control modes; I think Cisco is deprecating the old command. On these newer releases the interface also needs "dot1x pae authenticator", otherwise the port never acts as an authenticator and "authentication port-control auto" has no effect.

Also we need to issue "switchport mode access" followed by "switchport access vlan [vlan number]"; here in the figure we are configuring dot1x authentication for the clients in VLAN 2 and VLAN 3.

At last we can check our configuration with the commands:-
SWITCH#show dot1x all
SWITCH#show aaa servers

QinQ Tunneling

————————

This is the method basically used by service providers to preserve Vlan-Ids and to segregate
traffic of different customers.It enables service providers to use a single VLAN to support
different customers who have a single or multiple VLANs need to connect across providers
network.

Few things to remember while configuring a QinQ tunnel:-
A tunnel port must be defined and assigned to a VLAN; different customers must be assigned to
different tunnel ports, and different tunnel ports must be configured in different provider
VLANs to keep the traffic of different customers segregated.
When a given tunnel port receives customer traffic, it adds a 2 Byte Ether-Type field of
0x8100 followed by a 2 Byte Tag Control Information field containing the CoS and the VLAN ID
(the provider VLAN), and then this traffic is put into the VLAN to which the tunnel port is
assigned. The egress tunnel port strips off the 4 Bytes that were added by the ingress tunnel
port and then transmits the traffic, with the customer's own tag still intact, to the customer
device. You can recall MPLS label imposition and disposition to understand this concept, as I
did.
When Dot1q tunneling is configured, Layer 2 protocol tunneling can also be configured. Layer
2 protocol tunneling allows Layer 2 PDUs (Protocol Data Units) to be tunneled through the
provider network; the Layer 2 protocols that can be tunneled are CDP, STP and VTP, and each one
needs to be configured explicitly or else it will NOT get propagated across the tunnel.
Note: Don't forget to increase the system MTU to support at least 1504 bytes (“system mtu
1504”) and then reload the switch for the change to take effect.

Scenario:-

In this diagram, notice that Customer-A is sending VLANs 1 - 50 over the metro ethernet link to the provider network, where it crosses the provider network and is able to communicate on the other end with its remote switch.
Similarly Customer-B is sending VLANs 1 - 100 over its metro ethernet links. The traffic of both customers is kept separate with the use of Q-in-Q.
The provider switch ports connecting to the customer switches are configured not as trunks, while the customer switch ports are configured as trunk ports; this is the reason why the provider end of the link is called an asymmetric port, as the provider port is configured as a tunnel port and not as a trunk port. Also make note that the provider switch port connecting to the Customer-A switch port is configured in VLAN 25; this VLAN is also called the Metro Ethernet Tag. Similarly the Metro Ethernet Tag for Customer-B is VLAN 50. Customers build standard 802.1Q trunk ports and the provider builds a tunnel port in the metro VLAN, so the customer traffic is identified with this additional Q tag. Notice that the metro VLAN tag is the same at each location of the same customer and different for each customer, so that the tag identifies the customer.
Provider edge switches treat everything that comes in on the tunnel port as untagged, even if the customer is sending tagged traffic, and by default the priority of the outer tag is set to 0.
Notice that when 802.1Q trunks are used inside the provider network, the native VLAN of these trunks must not be the same as the VLAN of any tunnel port (the metro tag): on such a trunk the metro VLAN would be sent untagged, leaving only the customer's inner tag on the wire, so the next provider switch would read the customer's VLAN ID as a provider VLAN and the customer's traffic would no longer be isolated. A provider could pick a native VLAN that none of its customers is using, but this is fragile, because a new or existing customer may later change their VLANs to one that matches the native VLAN. The other two choices in the provider network are either to use ISL trunks (possible only if the provider has all Cisco switches) or to tag the native VLAN on all provider switches with the global command “vlan dot1q tag native”.

Few things to remember on provider tunnel ports:-
1. Tunnel ports cannot be routed (Layer 3) ports.
2. If an SVI is created for the tunnel VLAN, then only untagged frames (native VLAN frames) sent by the customer will be routed.
3. When a port is configured as an IEEE 802.1Q tunnel port, spanning-tree bridge protocol data unit (BPDU) filtering is automatically enabled on the interface, and Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) are automatically disabled on the interface. So CDP, STP and VTP will not work across the tunnel unless we tunnel them manually with the interface command “l2protocol-tunnel [cdp|stp|vtp]”.
4. Layer 3 quality of service (QoS) ACLs and other QoS features related to Layer 3 information are not supported on tunnel ports. MAC-based QoS is supported on tunnel ports.
5. Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), and UniDirectional Link Detection (UDLD) are supported on IEEE 802.1Q tunnel ports.

Note: When using Q-in-Q, increase the MTU of the switch, because the additional 4-byte tag increases the ethernet frame size (a full 1518-byte customer frame becomes 1522 bytes on the provider side). So it is recommended to raise the system MTU to at least 1504 with “system mtu 1504” and reload the switch for the change to take effect.

Q-in-Q Tunneling and Layer 2 Protocol Tunneling Configuration.
(The “L2TP” in the original heading refers to Layer 2 Protocol Tunneling of CDP/STP/VTP PDUs, not to the L2TP VPN protocol.)
Below is the diagram we will utilize to configure a very simple Q-in-Q sample network.

Customer switches C1-SW1 and C1-SW2
-----------------------------------
Customer ports connecting to the provider edge switches (identical on both switches):
interface GigabitEthernet0/1
 description To-Provider
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
end

Customer VLANs: 10,11,12,13,14,15,16 on both switches

Customer SVIs:
C1-SW1:
interface Vlan10
 ip address 10.100.100.1 255.255.255.0
C1-SW2:
interface Vlan10
 ip address 10.100.100.2 255.255.255.0

Provider switches P1-SW1 and P1-SW2
-----------------------------------
Trunk ports between the provider switches (identical on both switches):
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

Only VLAN on the trunk: VLAN 15

Q-in-Q and Layer 2 protocol tunneling on the provider edge ports (identical on both switches):
interface GigabitEthernet0/1
 description To-Cust1
 switchport access vlan 15
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 no cdp enable
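As an added example, not part of the original post, here is the provider core trunk of P1-SW1 from the sample network shown first with the native VLAN mistake described earlier and then hardened with the fixes the text lists (native VLAN tagging, an unused native VLAN, restricted allowed VLANs and the raised MTU). VLAN 999 as the parked native VLAN and the use of both “system mtu” and “system mtu jumbo” (on the 3560 the first applies to 10/100 ports and the second to Gigabit ports) are assumptions for illustration.

```cisco
! Weak: native VLAN 15 is the same as the metro tag of Customer-1's tunnel port.
! VLAN 15 frames leave this trunk untagged, so only the customer's inner tag is on
! the wire and P1-SW2 treats the customer's VLAN ID as one of its own VLANs.
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 15
 switchport mode trunk
!
! Hardened: tag the native VLAN globally, park the native VLAN on an ID that is
! not mapped to any tunnel port (999 is an assumed value), carry only the metro
! VLANs, and raise the MTU so the extra 4-byte tag fits (reload required).
vlan dot1q tag native
system mtu 1504
system mtu jumbo 1504
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 15
 switchport mode trunk
 switchport nonegotiate
end
!
! Verification after the reload
show vlan dot1q tag native
show system mtu
show dot1q-tunnel
show l2protocol-tunnel interface GigabitEthernet0/1
```

The same hardened trunk block is applied on P1-SW2; if only one side tags the native VLAN, the untagged frames from the other side are dropped on the tagging switch.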

 

Some of the things like pictures are copied from the internet due to non-availability of the appropriate tool, as I am sitting in my office right now; still I hope this will be informative.

Switchport Mode Private-Vlan
========================
Hi guys, I am back; I was stuck in some office work.

As per the heading we are discussing Private VLANs today.
First of all, why do we use private VLANs in our switches?
And even before that, why do we use VLANs in our switches at all?

A VLAN is a Virtual LAN (Local Area Network); as in the Cisco environment, the name
is the recipe. As we all know from our CCNA studies, switches have multiple
collision domains but a single broadcast domain. A VLAN is a broadcast domain
created by switches; normally it is a router that bounds a broadcast domain.
So by creating VLANs we are splitting our single default broadcast domain into
multiple broadcast domains, one per VLAN, which are then used by different
ports and by different groups of people to communicate with each other.
Note:- We still need a Layer 3 device to communicate between these VLANs.

A private VLAN further splits the single broadcast domain of one VLAN into
multiple isolated broadcast subdomains, defined by a primary VLAN and its
secondary VLANs. It simply means that even if two hosts are in a single VLAN
(broadcast domain) they may or may not be able to talk to each other; for example
in a shared ISP co-location, in offices or in hotels, two hotel rooms may be in the
same subnet and in the same VLAN but should not talk to each other directly.

The theory of private VLANs is not much complicated; rather, the implementation
may be confusing because Cisco uses different terms in this section to describe
VLANs and ports.
NOTE:- The switch must be in VTP TRANSPARENT mode to configure PVLANs when running
VTP version 1 or 2 (VTP version 3 can carry private VLANs).

Initially, the port types used in PVLANs are defined.
There are 3 types of ports:-
1. Promiscuous ports:- Can talk to any port in the private VLAN (isolated, community
and other promiscuous ports); this is where the router or gateway normally sits.
2. Isolated ports:- Can ONLY talk to promiscuous ports, not even to other isolated ports.
3. Community ports:- Can ONLY talk to promiscuous ports and to ports within their own
community; they cannot talk to ports of a different community.

First we create our secondary PVLAN and define it as isolated or community.
Example:-
vlan 300
 private-vlan [isolated|community]

Then the primary (parent) VLAN is defined and the secondary PVLANs are associated with
the primary VLAN.
Example:-
vlan 18
 private-vlan primary
 private-vlan association 300

After that we configure the interfaces according to whether they should be able to
talk to everybody or not. If we want a port to talk to every port in the private VLAN
we configure it as a promiscuous port, else we configure it as a host port. Here the
host option means that the port will be either a community port or an isolated port,
depending on which kind of secondary VLAN it is associated with.

Example:- Suppose we want SW1 Fa0/6 and SW2 Fa0/8 in VLAN 18 not to be able to talk
to each other, while Router1, connected to SW1 Fa0/4, can still talk to both of them
and vice-versa. The sample topology can be found by clicking PVLAN; the diagram is
just for reference, not made professionally, kindly tolerate :)

PVLAN

Here the configuration looks like this (the secondary VLAN is isolated, so Fa0/6 and
Fa0/8 cannot reach each other; the promiscuous mapping and host association both
reference the primary VLAN 18, not the access VLAN keyword).
On both SW1 and SW2
-------------------
vlan 300
 private-vlan isolated

vlan 18
 private-vlan primary
 private-vlan association 300

On SW1:-
------
interface FastEthernet0/4
 description To-Router1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 18 300

interface FastEthernet0/6
 switchport mode private-vlan host
 switchport private-vlan host-association 18 300

On SW2:-
-------
interface FastEthernet0/8
 switchport mode private-vlan host
 switchport private-vlan host-association 18 300

Note:- Since the isolated hosts sit on two different switches, the trunk between SW1
and SW2 must carry both VLAN 18 and VLAN 300 for the private VLAN to span the switches.

We can check the configuration of the PVLAN by:-
show vlan private-vlan
show interface FastEthernet0/4 switchport | include private

For further studies on PVLAN  you can go here