Cisco Switching/Routing :: 3560 Default QOS Trust Behavior On Access Point Changed
Oct 27, 2011
I've just been testing QOS on 3560 with version 15.0(1) and it seems the the default qos trust behavior on access ports has changed. By default the trust state of a port is not to trust anything, however rather than rewriting the DSCP value of the incoming packets and settign it to 0 the switch now seems to leave the DSCP value unchanged.
SW04-C3560(config)# do sh mls qos int g0/2
GigabitEthernet0/2
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
[Code]......
I configure multiple static RPs and one of the ACLs denies a source will it move on to the next entry that covers it in another acl? [code] i.e. 1.1.1.1 will be used as the RP for 224 to 238 and 2.2.2.2 will be used as the RP for 239.Will that work correctly, i.e. if a source is trying to register with the router and its for the group 239.1.1.1, will it be denied against the first RP and then permitted against the second RP?
I have a 3560 with IP base that is acting as a true EIGRP stub router today. It advertises local routes to the upstream service provider router and receives a default route.
Now I want to connect a 3900 ISR as a voice gateway. The 3560 does not seem to be advertising any routes to the 3900. Ok the EIGRP stub doc says this:
Only specified routes are propagated from the remote (stub) router. The router responds to queries for summaries, connected routes, redistributed static routes, external routes, and internal routes with the message "inaccessible." A router that is configured as a stub will send a special peer information packet to all neighboring routers to report its status as a stub router.
# Any neighbor that receives a packet informing it of the stub status will not query the stub router for any routes, and a router that has a stub peer will not query that peer. The stub router will depend on the distribution router to send the proper updates to all peers.
I guess I don't understand why the stub advertises local routes to the upstream ISP router but does not seem to advertise routes to the 3900. Does the stub identify the ISP router as the distribution router somehow, thus differentiating it from the 3900? If so, how is this done?
show ip eigrp neighbor detail on the 3900:
EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num
A check out a network segment and want to know why SwA has a static route to SwB if SwA already has a Default GW to Core?
(SwA, SwB - Catalyst3560, Core - Catalyst4948)Note, there are distribute list on SwA - it does not has any OSPF route (exclude O*IA).
Does this mean when SwA send out packet with DA 10.5.64.0/26, Core will use only L2 switching (instead of L3)? Is this more effectively for Core Switch?
Pleace check my reasoning: 1. When use a static route: SwA receive packet from Vlan 20 with DA 10.5.64.0/26 it will strip out Dest. MAC and replace it with MAC of SwB. Core will switch this packet to SwB based on mac add. table (l2 switching)
2. When SwA has only Default gateway and receive packet from Vlan20 with DA 10.5.64.0/26 it replace Dest. MAC with Core MAC. Core receive this packet, lookup route table for 10.5.64.0 entry and forward packet base on this.
I'm trying to implement some best practices for ASA running on Software Release 8.2 and had a question about the default security-level behavior. Let's say I have 3 interfaces...
I have an ACL on the inside interface allowing http access to anywhere. Because of the ACL, the implicit higher to lower security level access is nullified. Correct?
I do NOT have any ACL on the dmz interface applied. So, would the servers in the dmz be allowed outbound access to the Internet due to the default higher to lower security level behavior?
1 x 4500 and 1 x 3560?They are gateways of 8 Vlans?They are doing HSRP in each of those Vlans?The 4500 is the Active?There is a DHCP Pool for each of those Vlans on both gateways using "ip dhcp excluded-address" I ensured that the range of provided ips by each DHCP server will not be overlapped Obs.: Reducing the lease time, I ended with the calls bringing related problems.
OK, every thing is blue, every thing is fine.But the network diagram is realy complex(41 switchs, 89 uplinks), and depending of how is the network flow, one or other server answer first or latter.
For many reasons I would like that the secondary DHCP server would answer only if the primary DHCP server goes down.To me, the bigger reason is that DHCP database would be only in one DHCP server.But there is other reasons.
I passed by many frustrated solutions:Try to force a delay on the answer on one of the servers. - Impossible.Try to disable DHCP server, and, using EEM, enable it only if router became active in HSRP. - I couldn't do It.
What I'm thinking now is use the HSRP resource to resolve it.On both routers I would put a "ip helper-address" pointing to an Virtual_HSRP_IP.And depending on which router is the active, him will answer the request.
My first doubt is:Would it work?The second doubt is:Could I use the same Virtual_HSRP_IP that exists on that Vlan(see example 1),or I would need to point it to a Virtual_HSRP_IP in a different Vlan(see example 2)?
Example 1 ----------------------------------- | 4500 | ----------------------------------- interface Vlan1 ip address 10.10.0.2 255.255.0.0 ip helper-address 10.10.0.1 standby 1 ip 10.10.0.1
Switch .55 can ssh into Switch .57 but cannot ssh into Switch .56. Switch 56 can ssh into Switch 55 and ssh into Switch 57 Switch 57 can ssh into Switch 55 and ssh into Switch 56
The software on .56 is:
C3560 Software (C3560-IPBASEK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
I noticed on .56, when I do a show ip ssh I get: SSH Enabled - version 1.5. It doesn't say version 1.99 like the others even when I configure version 2. Is this a bug I am running into?
Document at url... is quite interesting,One of these goes about the behavior of a switch (2960-S and 3750G) when QoS is not enabled vs the one when QoS is simply enabled with "mls qos".What additional commands, beside "mls qos", would be needed so as to simulate as accurately as possible the switch's behavior when QoS is not enabled?
I have a question which i am unsure of, on the 6500 i know i can set mls qos trust to cos or dscp since I don't have any trunks configured on that switch that i want to trust cos most of my ports trust dscp instead. The question is will packets coming in or going out at L3 with the TOS bits set get placed in the correct in/out queue. For example if a packet comes in on a port with a mls qos trust dscp and has the TOS set to XX will this XX get mapped to the correct COS value based on the default dscp to cos map and end up going out the correct queue which handles that specific COS number?
I mainly asked this because i saw the following on the cisco site and again i am suing dscp trust and not cos.
Weighted Round Robin (WRR), Deficit Weighted Round Robin (DWRR) and Shaped Round Robin (SRR). WRED and all the Round Robin scheduling options use the priority tag (CoS) inside an Ethernet frame to provide enhanced buffer management and outbound scheduling.
I am reading through a QOS Document and they want me to trust the DSCP value from an IP phone (Siemens) but UN trust the PC DSCP value. How can I trust one thing but not the other? I am using a 2960 Cisco switch with IP base IOS.
i have Catalyst2950SI with iOS12.1, connect a wifi-access-point to f1/1(dot1q trunk port),and connect another L2SW to f1/2(dot1q trunk port),and IP phone, MobileCamera connects to wifi-access-point,IP phone has dscp=40 value on its own packet,but MobileCamera doesn't have any dscp value or cos.now, i wanna do QoS by that dscp, So i type as below,
We have QoS configured throughout the company, but the standard config we have applied across the 3750 switches only includes the below: We have IP phones (not cisco) attached that are marking with EF, and the PC is an untrusted end device (so needs to be by default marked as zero).Is the above enough to trust VOIP DSCP EF without resetting it to DSCP 0, or do I also need to add a trust line (i.e.: mls qos trust dscp)?
i would like to know the possibility to use mls qos trust dscp with service-policy in the IOS ver.12.2(25)SEE2.The specific version is not possible to configure like below.
Cat3750(config-if)#do sh run int f1/0/1 Building configuration...
I have some 2960 switches with Lan Lite ios in my infrastructure.And I try to configure them to support "trust device cisco-phone" and "switchport priority extend cos 0" on ports with cisco phones.But LAN Lite image does not support "mls qos trust device cisco-phone".can I use any workaround to trust cos of cisco phone and to remark PC traffic with cos 0?
I implemented access list on cisco 3560 switch but it never works. I want to block access from network B to Network A and allow from Ato B Network A. 10.0.12.0/24 Network B 10.0.24.0/24
The configuration is interface Vlan1 description Data VLAN
we have a class based qos scheme (see attached file) on our 4500 series access switches and we have a access 3560-48 switch runing IOS Version 12.2(44)SE3 my question is can I use the same QOS scheme for the 3560 switch?
I have a couple of users who randomly can't get access to any resources. The port they connect to doesn't have port security, the have an IP phone and PC. IP phone is fine since it's always on the same port. There PC get's an IP from DHCP (DHCP is on a windows server) but they can't ping any devices nor can I ping the PC from the switch. I checked if there were any mac access filters applied on the switch (and there aren't any). The log doesn't show any events on the ports in question so I don't know if the switch is going or there is a config issue some. Doesn't happen to all users, just 1 or 2.v
My access switches LED is start blinking very fast suddenly,it has single up link from the Core switch.access switch is 3560.what can be the possible problem.
I have a cisco 876 with, c870-adventerprisek9-mz.124-6.T9.bin. I have configured a VLAN with ID 230, an SVI with IP 192.168.230.1/24 and I have assigned switch port fa 2 to it…
interface Vlan230 ip address 192.168.230.1 255.255.255.0 VLAN ISL Id: 230
i have 2 cisco 1522 series out door LAP connected to a 3560 POE switch which is not powering up, while ordering my dealer told that it will work with POE, and its go live stage, is there any way to upgrade switch with any IOS version where i can get enough power for 1522?
Im trying to access the switch to reset the password to factory defaults (please see switch output Astrix has removed customer identifying information for security purposes.) Each time I reboot the switch and try and access the password recover mode this same output below starts and im still not able to access the recovery area of the switch
cisco WS-C3560G-48PS (PowerPC405) processor (revision F0) with 122880K/8184K bytes of memory. Processor board ID FOC1133Y28Q
I am not sure if what I am trying to accomplish is possible. On my internal network I have the following VLANs setup (102, 104, 106) and they map one to one to a subnet (ie: 102 = 192.168.102.0/23, 104 = 192.168.104.0/24, etc).All interVLAN routing is done on a 3560 via vlan SVI. Connected to the 3560 via a routed port is a ASA 5510. The routed port has IP 192.168.100.1 and the ASA interface on the other side of that routed port has IP 192.168.100.2. I use 802.1x on the wired network to assign users (based on their department) into a specific VLAN. I want to extend this concept to Remote VPN access. Therefore I setup multiple Group Policies (policy is applied based on an LDAP attribute) where each policy defines a different DHCP scope. This has successfully allowed me to login wtih different users who get assigned to different Group policies and they obtain the correct DHCP IP address from the internal DHCP server (ie: an engineering person logins remotely and gets an IP in 192.168.102.0 range). However the issue (and as I was planning this out I knew this would come up) is that traffic can be routed out from the VPN client to its destination but there is no return path.
I have 3 3560 switches which are configured with trunks between them. They run vlan 10, 11 & 12. I have a 'core' switch (switch 1) of these 3 to which an MPLS router is connected on vlan12. I in addition have another switch hanging off the 'core' switch via a routed link (switch 4). I have EIGRP configured as a stub and as such the IP address on the routed link at the core switch end is of a /24 from v lan 1 on the other switch. This makes the route directly connected and therefore distributed via EIGRP stubs. Switch 1 is then exchanging routes with the MPLS router (via EIGRP).
The problem I have is that from any sub net on any switch (switch 1, 2 or 3) I can ping 192.168.13.1 (switch 4). When I try and ping switch 4 from over the MPLS I am unable to. If I trace to the switch I see it reaches the outside of the MPLS router, but is then unresponsive. The same applies if I try to ping switch 1 on 192.168.13.2. Any of the other IP addresses of switch 1 respond.
The MPLS network is a managed solution to which I have no access. I'm told that the MPLS provider is able to ping switch 1 & switch 4 on the 192.168.13.x addresses from a remote router (192.168.32.2). I have tried from a switch on the same L2 sub net (192.168.32.1) and I don't get a response.
From switch 4 I am able to ping the switch on 1 of it's interfaces (192.168.19.1), but not the interface I mentioned above 192.168.32.1. There are no access lists in place on the switches and no firewalls between the sites.
I am using a WRT310N. I have a Cisco ASA5505 as my firewall and don't need the routing capabilities of the WRT310N. So I just plug the LAN port on the WRT310N directly to my LAN switch. I just need the WRT310N to have an IP address for management. So I configure the LAN with an IP address, but there is no way to set the default gateway on the LAN. You can only set the default gateway on the WAN interface, which I don't use, since I am using this in an AP only type of configuration.
I'm new to networking and was looking for some assistance. First off im using packet tracer to diagram my senario as I will be receiving my equipment next week to deploy.
Hardware to be used:
1. 2 catalyst 3560 switches 2. all connect to a sonic wall router
I have two companies that work in the same office space. I need to keep these companies seperate on their own vlan. They will however need to share the phone system.(Packet tracer file uploaded to give those who have the time to see what I put together.) [code]
Im trying to access the switch to reset the password to factory defaults (please see switch output Astrix has removed customer identifying information for security purposes.) Each time I reboot the switch and try and access the password recover mode this same output below starts and im still not able to access the recovery area of the switch
cisco WS-C3560G-48PS (PowerPC405) processor (revision F0) with 122880K/8184K bytes of memory.
Processor board ID FOC1133Y28Q Last reset from power-on 1 Virtual Ethernet interface 52 Gigabit Ethernet interfaces The password-recovery mechanism is enabled.
