Per-Port Per-Vlan alternative

I had a interesting issue yesterday. I needed to classify a client Internet traffic with specific DSCP values to bypass our Net-Caches. The first problem I ran into, the client was basically directly connected to our core infrastructure, sitting behind a Fortigate Firewall, so no place for DSCP classification. The fortigate’s outside interface connects to a 3750 shared-hosting switch and that connects into our core. An unsual setup.

At first I thought, it should be easy enough to classify the clients traffic on Per-Port, Per-Vlan basis. Only to find out the 3750 has a standard Image, one that doesn’t support “match vlan”. Keep in mind about 80 odd clients are connected through to switch via different vlans, so an image upgrade was not a option.

A very basic diagram of the setup:


To get around the above issue, I configured a nested policy and tied it to the SVI interface for their vlan, thus only doing classification for this client and no-one else.

Continue reading “Per-Port Per-Vlan alternative”


Troubleshooting Vlan Issues

There are many ways to troubleshoot VLAN issues, and although this article is not meant to replace the understanding of conventional switching and vlan issues, and how to troubleshoot them, this approach will certainly come in handy.

I make use this a lot in our large data centres, and it is often enough to isolate the problem to a single link or trunk.

For illustration purposes, suppose the following really basic scenario:



Router1’s Ethernet interface can’t ping R4’s Ethernet inteface in subnet 10.1.0/24.


Continue reading “Troubleshooting Vlan Issues”

Output-101: Cisco 3560 feature set upgrade

Error: The image in the archive which would be used to upgrade
Error: system number 1 does not support the same feature set.

Cisco it seems included this sanity check,as of 12.2(35), to prevent you from accidentally changing the feature set during a IOS upgrade, not a nice thing to happen on a production switch, when things go belly up.

You will get the above error when upgrading the IOS and changing the feature set. IE  if you upgrade the image from IPBASE 12.2(35)SE5 to ADVIPSERVICESK9 12.2(25)SEE4.

So to bypass this, you can add the /allow-feature-upgrade parameter, to the  archive download-sw command.

Example :

#archive download-sw /overwrite /allow-feature-upgrade tftp:

If you need more info on how to upgrade the IOS on a Cisco 3560, visit Cisco.