R&S Quick Notes – Switching

With the insane amount of theory to go through before the big day comes, it is only normal for a couple of items to get lost in the masses. On top of that, regardless of the material you used to study, you are bound to come across a couple small things that you have not seen before. Apart from my 400 pages of everything there is to know for the R&S, I took the time to compile, format and index a book of my CCIE R&S short notes. While compiling all my notes,  labbing,  and reading the Cisco DOC and other blogs, that I made shorter list of the most important tid-bits and any beeg gothas to look out for on the big day.

Hope these help some of you :)

Switching Notes

  • If different VTP domain names between 2 switches, you cant use DTP. Must use manual trunking.
  • When configuring 802.1x, DO NOT forget to add “aaa authentication login default none”, else you might lock the switch and forfeit any points related to that switch.
  • Always confirm your MD5 to be same when configuring VTP PASSWORDS, with “sh vtp status”
  • To enable WCCP on a 3550, you have to change the SDM template to ‘extended-match’
  • STP Timers question-1: Change the STP timers when a port initially comes up to 44 sec.  Answer: Blocking is always 20 sec, (44-20 = 24/2) each listening and learning timers should be configured at 12 sec.
  • STP Timers question-2: Change the STP timers, that in the event of convergence, delay should be no more than 20 sec. Answer: (20/2) each listening and learning timers should be configured at 10 sec.
  • MAC-ACL’s will only match NON-IP traffic. 3560 sees IPv6 traffic as IP-traffic, but 3550 sees IPv6 traffic as NON-IP-traffic, so a 3550 can use a MAC-ACL for IPv6 traffic.
  • Ethertypes used with MAC-ACL’s not on DOC-CD/CMD-Help :

– 0x0806 : IP ARP
– 0x0800 : IPv4
– 0x86DD : IPv6
– 0x4242 : CST (Common Spanning Tree)
– 0xAAAA : All Cisco proprietary (VTP, STP, CDP, DTP, UDLD, PAgP)
– 0xFFFF : all NON-IP

  • VLAN-ACL’s: ONLY a ACL-Permit performs the “forward”/”drop” function in the access-map. A ACL-deny will be ignored. So to deny traffic with VLAN ACL’s, permit the traffic and use a “drop” action in the access-map.
  • Storm-Control: Multicast amount must be equal or greater that the broadcast amount.
  • Uplinkfast used when a direct link failure is detected.
  • Backbonefast – used to determine indirect link failure.
  • Root Bridge Election: 1-Lowest Bridge-ID (Priority [32768 ] + Sys-Id-Ext[=vlan]) & 2-Lowest MAC
  • Root Port Election: 1-Lowest cost to Root, 2-Lowest upstream Bridge-ID, 3-Lowest Port-ID (Port Priority + Port Number)
  • Influencing local Root Port election – change the Port Cost.
  • Influencing the Root Port of directly connected downstream switch – change the Port Priority.

IP OSPF mtu-ignore alternative

I came across the a command I think would make a great CCIE lab question.

Assume you busy with the lab, and previously a task in the switching section required you to do a dot1q tunnel where you had to change the SYSTEM-MTU on SW1 to 1504.  No beegy.
But you now at the OSPF section, where you have to setup ospf between R1 and SW1, BUT with the following restriction:
(you are not allowed to use the mtu-ignore command)

The usual fix on R1’s interface is prohibited
#interface Fa0/0
#ip ospf mtu-ignore

Hmmm, now what? R1 wont form an adjacency with SW1, due to a MTU mismatch. We obviously cant change the SYSTEM-MTU on SW1, cause that would break a previous question.

Typical behaviour when you have a OSPF MTU mismatch, is a neighbor finite state getting to EXSTART, retrying and eventually giving up.
We can see this on R1 if we do a “debug ip ospf adj”


Continue reading “IP OSPF mtu-ignore alternative”

Per-Port Per-Vlan alternative

I had a interesting issue yesterday. I needed to classify a client Internet traffic with specific DSCP values to bypass our Net-Caches. The first problem I ran into, the client was basically directly connected to our core infrastructure, sitting behind a Fortigate Firewall, so no place for DSCP classification. The fortigate’s outside interface connects to a 3750 shared-hosting switch and that connects into our core. An unsual setup.

At first I thought, it should be easy enough to classify the clients traffic on Per-Port, Per-Vlan basis. Only to find out the 3750 has a standard Image, one that doesn’t support “match vlan”. Keep in mind about 80 odd clients are connected through to switch via different vlans, so an image upgrade was not a option.

A very basic diagram of the setup:


To get around the above issue, I configured a nested policy and tied it to the SVI interface for their vlan, thus only doing classification for this client and no-one else.

Continue reading “Per-Port Per-Vlan alternative”

Troubleshooting Vlan Issues

There are many ways to troubleshoot VLAN issues, and although this article is not meant to replace the understanding of conventional switching and vlan issues, and how to troubleshoot them, this approach will certainly come in handy.

I make use this a lot in our large data centres, and it is often enough to isolate the problem to a single link or trunk.

For illustration purposes, suppose the following really basic scenario:



Router1’s Ethernet interface can’t ping R4’s Ethernet inteface in subnet 10.1.0/24.


Continue reading “Troubleshooting Vlan Issues”