Per-Port Per-Vlan alternative

I had an interesting issue yesterday. I needed to classify a client's Internet traffic with specific DSCP values to bypass our Net-Caches. The first problem I ran into: the client was basically directly connected to our core infrastructure, sitting behind a Fortigate firewall, so there was no place to do the DSCP classification. The Fortigate's outside interface connects to a 3750 shared-hosting switch, which in turn connects into our core. An unusual setup.

At first I thought it should be easy enough to classify the client's traffic on a per-port, per-VLAN basis, only to find out the 3750 runs a standard image, one that doesn't support "match vlan". Keep in mind that about 80-odd clients are connected through the switch via different VLANs, so an image upgrade was not an option.

A very basic diagram of the setup:


To get around this, I configured a nested (hierarchical) policy and tied it to the SVI for their VLAN, so the classification is applied only to this client's traffic and no one else's.
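As an added example (not the author's actual configuration), this is how such a hierarchical policy can be built on a Catalyst 3750 without "match vlan": the parent policy on the SVI classifies and marks the client's traffic, and the nested child scopes the action to the physical port the Fortigate connects to. The VLAN number, port, address range and DSCP value are assumed placeholders.

```cisco
! Added example, not the author's configuration. Assumptions:
! VLAN 100 = the client's VLAN, Gi1/0/10 = the port facing the Fortigate,
! 192.0.2.0/24 = the client's address range, DSCP cs3 = the value the
! Net-Caches are set to bypass. Adjust all four to your environment.

mls qos

! Identify the client's traffic by address instead of "match vlan"
! (unavailable on the standard image). The ACL is the only thing that is
! specific to this client; every other VLAN on the port stays untouched.
ip access-list extended CLIENT-INTERNET
 permit ip 192.0.2.0 0.0.0.255 any

class-map match-all CLIENT-TRAFFIC
 match access-group name CLIENT-INTERNET

! Child class: restrict the action to traffic entering on the Fortigate port.
class-map match-all FROM-FORTIGATE-PORT
 match input-interface GigabitEthernet1/0/10

! Child policy: per-port action inside the VLAN policy. On this platform the
! child may only police, so the rate is set high enough to act as a safety
! ceiling rather than a limit (assumed value).
policy-map CLIENT-PORT-CHILD
 class FROM-FORTIGATE-PORT
  police 1000000000 8000 exceed-action drop

! Parent policy: classify and mark, then hand matched traffic to the child.
policy-map CLIENT-VLAN-PARENT
 class CLIENT-TRAFFIC
  set dscp cs3
  service-policy CLIENT-PORT-CHILD

! Tie the parent policy to the client's SVI; this is what keeps the
! classification scoped to one VLAN rather than the whole trunk.
interface Vlan100
 service-policy input CLIENT-VLAN-PARENT

! The physical port must be switched to VLAN-based QoS, otherwise the
! SVI policy is ignored for traffic arriving on it.
interface GigabitEthernet1/0/10
 mls qos vlan-based
```

`show mls qos interface GigabitEthernet1/0/10` confirms the port is in VLAN-based mode; if it still reports port-based QoS, the SVI policy is not being applied.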

Troubleshooting Vlan Issues

There are many ways to troubleshoot VLAN issues, and although this article is not meant to replace an understanding of conventional switching and VLAN problems and how to troubleshoot them, this approach will certainly come in handy.

I make use of this a lot in our large data centres, and it is often enough to isolate the problem to a single link or trunk.

For illustration purposes, suppose the following really basic scenario:



Router1's Ethernet interface can't ping R4's Ethernet interface in subnet 10.1.0/24.


