
Ask the Experts: LAN Switching

ciscomoderator
Community Manager

With Matt Blanshard and Jane Gao

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to ask your toughest layer 2 questions to two of the technical leaders of the San Jose LAN Switching team, Matt Blanshard and Jane Gao. Learn more about Spanning Tree, VTP, Trunking, Resilient Ethernet Protocol, IGMP Snooping, Private VLANs, Q-in-Q Tunneling, QoS, various switching platforms including all desktop switches, Metro Ethernet switches, 4500 and 6500 switches, Blade Center switches, and Nexus 7000 switches.

Matt Blanshard began his Cisco career as an intern in 2007.  He is now a technical leader at the Cisco Technical Assistance Center on the LAN Switching team. He holds a bachelor's degree from the University of Phoenix in computer science, and has CCNA certification.

Jane Gao is a technical leader in the LAN Switching Technical Assistance Center (TAC) team in San Jose. She has been working with LAN switching technologies and supporting Cisco switching platforms since 2009. Ms. Gao was previously a technical leader in the Wireless TAC team in San Jose. Prior to joining Cisco, Ms. Gao was working in software development. She has a Master of Science degree in Computer Science from DePaul University in Chicago.

Remember to use the rating system to let Matt and Jane know if you have received an adequate response.  

They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the LAN Switching and Routing discussion forum shortly after the event. This event lasts through August 12, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

 

huangedmc
Level 3

hi,

I have two questions.

First one pertains to Security (VACL), and second pertains to QoS.

1.

When configuring a VACL, there is an option to match frames based on LSAP values.

Where in the DocCD can I find what the supported values are?

For example, if I were to allow/disallow spanning-tree, how can I find out what values to insert into the permit statement?

mac access-list extended STP

permit any any lsap 0x???? 0x0

=======================

2. Cat QoS

Would you recommend configuring an expedite/priority queue for EF/VoIP, or only reserve bandwidth for it?

In other words, between the following two options, which one would you recommend, and why:

a:

interface fa0/1

priority-queue out

b:

interface fa0/1

srr-queue bandwidth shape 4 0 0 0

We normally do the former, w/ priority-queue, but is there any chance of starving out the other three queues?

Should we remove the priority-queue, and only shape queue 1 instead?

Hello,

When using a VACL with the current architecture of our switches, it won't block STP packets because they are reserved packets and ignore ingress ACLs. If you want to block those you will need to configure spanning-tree bpdufilter on the port.

For the QoS question, we always recommend configuring the priority-queue out. When you have that combined with a shaper it's a strict priority queue and is shaped to keep from starving the other queues.

-Matt

hi Matt,

Thanks for the response.

STP was just used as an example.

I may need to match things other than STP.

Do you happen to know where I can find a list of the supported LSAP values that can be used in a VACL?

Also you were probably thinking about the priority queue in an MQC policy on routers when you replied.

Is the recommendation still to configure a priority-queue on a switch?

According to this document, when the expedite queue is configured, it supersedes the SRR shape configuration.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/command/reference/cli1.html#wp3281502

“The expedite queue is a priority queue, and it is serviced until empty before the other queues are serviced.”

“If the egress expedite queue is enabled, it overrides the SRR shaped and shared weights for queue 1.”

thanks,

Kevin
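Kevin's question is what value to put after the lsap keyword. The value a MAC ACL's lsap clause matches is the LLC DSAP/SSAP pair of an 802.3 frame, so the practical way to find it for any protocol, STP or otherwise, is to read it off a capture. The decoder below is an added example written for this thread (not Cisco code and not from any of the posts): it classifies a raw frame as Ethernet II or 802.3/LLC (with SNAP where present) and reports the pair. The three frames it runs on are hand-constructed, not captures; the LLC constants (0x42/0x42 for STP, 0xAA/0xAA plus OUI 00:00:0C and PID 0x2000 for CDP) are the standard ones. Packing DSAP into the high byte and SSAP into the low byte of the 16-bit value follows the 0x???? placeholder in the question and is an assumption to confirm against the mac access-list command reference for your release. Whether the switch actually applies a VACL to a given control protocol is a separate matter; see Matt's note above about STP.

```python
"""Decode the LLC/SNAP header of raw Ethernet frames so the DSAP/SSAP pair
can be read off a capture. Added example for this thread, not Cisco code.
The sample frames at the bottom are constructed by hand, not captured."""
import struct
from typing import Optional

STP_LSAP = 0x42       # IEEE 802.1D BPDUs: DSAP = SSAP = 0x42, control 0x03
SNAP_SAP = 0xAA       # DSAP = SSAP = 0xAA means a SNAP header follows
CISCO_OUI = "00000c"  # SNAP OUI used by CDP (PID 0x2000), VTP, PVST+


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode(frame: bytes) -> dict:
    """Return the encapsulation and, for 802.3/LLC frames, the LSAP fields."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac(dst), "src": mac(src), "lsap": None}
    if type_or_len >= 0x0600:
        # Ethernet II: the field is an EtherType and there is no LLC header,
        # so an lsap clause can never match this frame (a type clause would).
        info.update(encap="ethernet-ii", ethertype=type_or_len)
        return info
    if len(frame) < 17:
        raise ValueError("truncated LLC header")
    dsap, ssap, ctrl = frame[14], frame[15], frame[16]
    info.update(encap="802.3/llc", length=type_or_len,
                dsap=dsap, ssap=ssap, control=ctrl,
                lsap=(dsap << 8) | ssap)
    if dsap == SNAP_SAP and ssap == SNAP_SAP and len(frame) >= 22:
        info.update(encap="802.3/snap", oui=frame[17:20].hex(),
                    pid=struct.unpack("!H", frame[20:22])[0])
    return info


def lsap_clause(info: dict) -> Optional[str]:
    """MAC ACL clause that matches this frame's DSAP/SSAP pair exactly.

    ASSUMPTION: DSAP in the high byte, SSAP in the low byte of the 16-bit
    value, following the 0x???? placeholder in the question. Confirm against
    the mac access-list command reference before relying on it."""
    if info["lsap"] is None:
        return None
    return f"permit any any lsap 0x{info['lsap']:04x} 0x0"


# --- constructed sample frames (hand-built, not captures) ---
SRC = bytes.fromhex("001122334455")
STP_BPDU = (bytes.fromhex("0180c2000000") + SRC + struct.pack("!H", 38)
            + bytes([STP_LSAP, STP_LSAP, 0x03]) + bytes(35))
CDP = (bytes.fromhex("01000ccccccc") + SRC + struct.pack("!H", 30)
       + bytes([SNAP_SAP, SNAP_SAP, 0x03]) + bytes.fromhex(CISCO_OUI)
       + struct.pack("!H", 0x2000) + bytes(22))
ARP = bytes.fromhex("ffffffffffff") + SRC + struct.pack("!H", 0x0806) + bytes(28)

if __name__ == "__main__":
    for name, frame in (("STP", STP_BPDU), ("CDP", CDP), ("ARP", ARP)):
        info = decode(frame)
        print(name, info["encap"], lsap_clause(info))
```

Feed it frames from a SPAN capture of the port in question and the pair to use is the lsap value it prints; SNAP-encapsulated protocols (CDP, VTP, PVST+) all share 0xAAAA at the LLC layer and are only told apart by OUI and PID, which the lsap keyword does not see.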

hi Matt & Jane,

Has either one of you had a chance to look over my follow-up questions to Matt's response?

thx
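On the starvation part of the QoS question, the following is an added toy scheduler written for this thread (not Cisco code, and not a model of Catalyst SRR hardware). It contrasts the two disciplines Kevin compares: strict priority, where queue 1 is serviced until empty before anything else, versus a shaped queue 1 capped at a fixed share of the link (in the srr-queue bandwidth shape syntax a weight of 4 means 1/4 of the port bandwidth). It deliberately says nothing about which setting wins when both commands are on the same port; it only shows the starvation mechanics. Arrival and link rates are made-up numbers.

```python
"""Toy egress scheduler: strict-priority versus shaped queue 1.
Added illustration for this thread; not a Catalyst SRR model."""
from typing import List, Optional


def schedule(arrivals: List[int], link_rate: int,
             shape_q1: Optional[int] = None, ticks: int = 100) -> List[int]:
    """Simulate `ticks` slots on a 4-queue egress port.

    arrivals:  packets arriving in each queue every tick (queue 1 first)
    link_rate: packets the link can transmit per tick
    shape_q1:  None -> queue 1 is strict priority (drained before anything else)
               int  -> queue 1 may send at most this many packets per tick
    Returns packets transmitted per queue over the whole run.
    Queues 2-4 share whatever is left in simple round robin."""
    backlog = [0, 0, 0, 0]
    sent = [0, 0, 0, 0]
    for _ in range(ticks):
        for q, a in enumerate(arrivals):
            backlog[q] += a
        budget = link_rate
        # queue 1: unbounded (strict priority) or capped (shaped)
        allow = budget if shape_q1 is None else min(budget, shape_q1)
        n = min(backlog[0], allow)
        backlog[0] -= n
        sent[0] += n
        budget -= n
        # queues 2-4: one packet each per pass until budget or backlog runs out
        while budget > 0 and any(backlog[1:]):
            for q in (1, 2, 3):
                if budget == 0:
                    break
                if backlog[q] > 0:
                    backlog[q] -= 1
                    sent[q] += 1
                    budget -= 1
    return sent


def compare(arrivals: List[int], link_rate: int, share: int,
            ticks: int = 100) -> dict:
    """Run both disciplines on the same offered load. `share` is the shape
    weight, e.g. 4 for 'shape 4 0 0 0', meaning queue 1 gets 1/4 of the link."""
    return {
        "strict_priority": schedule(arrivals, link_rate, None, ticks),
        "shaped": schedule(arrivals, link_rate, link_rate // share, ticks),
    }


if __name__ == "__main__":
    # Misbehaving EF source: queue 1 offers 10 packets/tick on an 8/tick link,
    # queues 2-4 offer 1 packet/tick each (constructed numbers).
    print(compare([10, 1, 1, 1], link_rate=8, share=4))
    # Well-behaved EF: queue 1 offers 1/tick; nobody starves under either scheme.
    print(compare([1, 2, 2, 2], link_rate=8, share=4))
```

The first run is the case Kevin is worried about: with strict priority the overloaded queue 1 takes every slot and queues 2-4 transmit nothing, while the shaped variant bounds queue 1 and leaves room for the rest. The security reading is that under strict priority any host that can get its frames into the priority queue (for example by marking its own traffic EF on a port that trusts DSCP) can take the whole link, so what bounds that in practice is not trusting markings from untrusted ports and policing what is admitted to the priority queue, whichever scheduling command is chosen.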

boeckelr
Level 1

Hi Matt and Jane,

I have a question about creating a SPAN port on a Cisco 871.  I understand the commands needed to accomplish this.

My problem lies with trying to use my WAN port (FastEthernet4) as the source of the SPAN port - the CLI won't accept "FastEthernet4".  I can use "FastEthernet3" or 2 or 1.....but not 4, which is the WAN interface that connects to my DSL modem.

This is what I type: "monitor session 1 source interface FastEthernet4" - and like I said, the CLI won't accept it.

Am I doing something wrong?  Somehow I remember that I had this problem a few years ago, but I can't remember how or if I was able to solve it. 

I am using IOS 12.4-11T.  My DSL assigns a dynamic IP address, and I use "IP negotiated".  I also tried using "Dialer0" as the interface, but it wouldn't work either. 

It doesn't make sense to me that I would be unable to use SPAN to monitor the WAN interface...out of all of the interfaces, this seems like one of the most important ones to use SPAN with.  Also, my ASA5505 is able to use its WAN interface as a source for SPAN.

Any ideas?

Thanks,

Mike

Hello Mike,

Unfortunately SPAN is a LAN feature and is not available on anything but the switch ports. 

-Matt

Akhtar Samo
Level 1

Hi Matt and Jane,

What Spanning Tree enhancements are planned to improve convergence times? Currently STP convergence is noticeable when running Rapid PVST. Any suggestions or design recommendations to make sub-second STP convergence in data centers?

Regards,

Akhtar

Hello Akhtar,

There is a new IEEE draft out called TRILL, which is the next step in STP replacement. Cisco's implementation of that is called FabricPath; it uses IS-IS and eliminates the need for traditional STP.  When using TRILL/FabricPath, reconvergence/recovery from link loss or device crash is very short, in the several-hundred-millisecond range (200-300 ms or less). 

At this point, though, not much is being done to enhance regular STP any longer, especially since it's standards-based and not much modification can be done to it. 

-Matt

Matthew Hall
Level 4

Hi Matt and Jane,

     First off thanks for taking your time to answer a few questions.  I'll jump right into it.  Obviously the catalyst platforms do not support the full functionality of the "show policy-map interface" command and I understand they may never due to various platform limitations.  My question concerns whether or not there are more diagnostics in the works to allow us to see policy hits and or at least true marking.  As it stands currently I have to use a sniffer or hackish loopback setups with a "transit vlan" and "show mls qos interface statistics" in order to see what the final marking of traffic inbound to a particular port is.

The following setup allows me to troubleshoot.  "show mls qos interface 3 statistics" shows me inbound markings coming from the client, and "show mls qos interface 1 statistics" shows me actual markings after the policy-map on interface 3 has been applied.

Port 1 : client vlan 100 (the vlan all of my real, non-test clients are in)

Port 2 : transit vlan 101

Port 3 : transit vlan 101

Switch ports:

---------------------

|  1  |  2  |  3  |

---------------------

   |      |      |  

   -------     ---------- Client PC

     I have more and more customers utilizing Catalyst switches exclusively now that Metro Ethernet has become more common, and this is increasingly becoming a troubleshooting barrier for me in these setups.  Am I just missing something; is there another existing way to do this?

Thanks

Hi Matthew,

You are right that there are limitations on the command "show policy-map interface" for some platforms, it's unsupported on some or supported with certain limitations on others.

Can you please let us know what platform(s) you are mostly interested in? We may have different sets of commands for QoS statistics depending on the platform. But a sniffer capture is one of the common tools we use in TAC for troubleshooting when there's any doubt about the command counter outputs as well.

regards

Jane

Primarily the 3750x and 3560x series. 

Matthew,

In that case what you've mentioned above is pretty much what we can do.

regards

Jane

wkiefer
Level 1

Hello Jane and Matt,

     I have a question about the 2960C switches.  We have a need to terminate a single-mode fiber from an ISP and change that to multi-mode to connect to our network.  Is it possible to use something like the 2960C with SFP ports to make this switch?  I'm thinking we could use the GBIC for single mode to connect to the ISP and use the GBIC for multi mode to connect to our network. Will this work? 

     I have been told by some people that the SFP ports on the 2960C are only uplink ports and as such would not work for this situation, and other people have told me this will work fine.  Other people have told me I would need a 3750 to be able to do this. 

     In your opinion what would be the best way to handle this.  We would like to use something like an 8-port switch to do this, so we could branch off to another router later if needed...

Thanks for your time..

Hello Warren,

You would be able to use a 2960C for this.  Just create a layer 2 VLAN and make both ports access ports on the 2960C.  Alternatively, you could look at using a media converter to convert between single-mode and multi-mode fiber as an alternate solution. 

-Matt

Peter Paluch
Cisco Employee

Hello Jane and Matt,

I would like to ask about the exact usage of DHCP Relay Option 82 in DHCP Snooping and the exact mechanism of how a DHCP Snooping-enabled switch forwards a server's response to a client.

Originally, I thought that Option 82 was the only and definitive indicator for a switch of where a server's response should be forwarded, as Option 82 contains both the MAC address and the Port ID of the switch that originally received the client's request. However, after debugging, it turned out that DHCP Snooping behaves in a more complex way, and here are my observations/questions:

  1. If a DHCP response containing Option 82 arrives at a different switch than the one that inserted Option 82, the receiving switch will claim in debugs that it does not recognize Option 82 - obviously because it does not contain its MAC address. In such a case, does the switch continue processing the response, or does it throw it away completely?
  2. The switch may try to forward the response to the client using either the chaddr field, the destination MAC address or Option 82, depending on which address can be found exactly in the CAM table. Is this the precise order of preference, i.e. first try chaddr, then - if not found - try the destination MAC address, and if still not found, use DHCP Option 82?
  3. How would the previous step change if Option 82 was not present or did not correspond to the receiving switch?
  4. Is it correct to assume that if neither the chaddr nor the destination MAC are found in the CAM, and Option 82 is not present or does not correspond to the particular switch, the server's response will be dropped?

Thank you very much!

Best regards,

Peter
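Peter's questions turn on which fields of the server's response a snooping switch can consult: the client hardware address (chaddr), the frame's destination MAC, and the Option 82 sub-options. The parser below is an added example written for this thread (not Cisco code, and it does not try to reproduce the switch's forwarding decision, which is exactly what Peter is asking about). It pulls those fields out of a DHCP message and decodes Option 82 in the default Catalyst encoding as Cisco documents it: Circuit ID sub-option 1 carrying type 0, length 4, VLAN, module and port; Remote ID sub-option 2 carrying type 0, length 6 and the switch MAC. Sub-options in any other shape are returned raw. The OFFER it runs on is constructed inline (VLAN 100, port 12, switch MAC 00:1a:2b:3c:4d:5e are made-up values), not a capture, and the "is this Option 82 ours" check simply compares the Remote ID with a given switch MAC, the mismatch Peter describes in observation 1.

```python
"""DHCP message and Option 82 (relay agent information) decoder.
Added example for this thread; the sample OFFER is hand-built, not captured."""
import struct
from typing import Dict

MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_LEASE, OPT_RELAY_INFO, OPT_END = 53, 54, 51, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def walk_tlv(buf: bytes, dhcp_options: bool) -> Dict[int, bytes]:
    """Generic code/len/value walker. DHCP options use 0 = pad and 255 = end;
    Option 82 sub-options do not, so those codes are only special when asked."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if dhcp_options and code == 0:
            i += 1
            continue
        if dhcp_options and code == OPT_END:
            break
        if i + 1 >= len(buf):
            raise ValueError(f"truncated header for option {code}")
        ln = buf[i + 1]
        value = buf[i + 2:i + 2 + ln]
        if len(value) != ln:
            raise ValueError(f"truncated option {code}")
        out[code] = value
        i += 2 + ln
    return out


def parse_option82(data: bytes) -> dict:
    subs = walk_tlv(data, dhcp_options=False)
    res = {"circuit_id": None, "remote_id": None}
    cid = subs.get(SUB_CIRCUIT_ID)
    if cid is not None:
        # Cisco default: type 0, length 4, VLAN (2 bytes), module (1), port (1)
        if len(cid) == 6 and cid[0] == 0 and cid[1] == 4:
            vlan, module, port = struct.unpack("!HBB", cid[2:6])
            res["circuit_id"] = {"vlan": vlan, "module": module, "port": port}
        else:
            res["circuit_id"] = {"raw": cid.hex()}
    rid = subs.get(SUB_REMOTE_ID)
    if rid is not None:
        # Cisco default: type 0, length 6, switch base MAC address
        if len(rid) == 8 and rid[0] == 0 and rid[1] == 6:
            res["remote_id"] = mac(rid[2:8])
        else:
            res["remote_id"] = {"raw": rid.hex()}
    return res


def parse_dhcp(pkt: bytes) -> dict:
    """Fixed BOOTP header, magic cookie, then options (RFC 2131 layout)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops = pkt[0], pkt[1], pkt[2], pkt[3]
    opts = walk_tlv(pkt[240:], dhcp_options=True)
    chaddr = pkt[28:28 + hlen]
    return {
        "op": op, "hops": hops, "xid": pkt[4:8].hex(),
        "yiaddr": ipv4(pkt[16:20]), "giaddr": ipv4(pkt[24:28]),
        "chaddr": mac(chaddr) if htype == 1 and hlen == 6 else chaddr.hex(),
        "msg_type": opts[OPT_MSG_TYPE][0] if OPT_MSG_TYPE in opts else None,
        "option82": parse_option82(opts[OPT_RELAY_INFO]) if OPT_RELAY_INFO in opts else None,
    }


def option82_is_ours(msg: dict, switch_mac: str) -> bool:
    """True when the Remote ID names this switch (the mismatch in observation 1)."""
    o82 = msg.get("option82")
    return bool(o82) and o82.get("remote_id") == switch_mac.lower()


def build_sample_offer() -> bytes:
    """Constructed DHCPOFFER carrying the Option 82 a snooping switch would have
    inserted into the DISCOVER. giaddr is left at 0.0.0.0 because DHCP snooping
    does not set it; the server has to accept Option 82 with a zero giaddr."""
    header = struct.pack("!BBBB4sHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, b"\x12\x34\x56\x78", 0, 0,
                         bytes(4), bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]), bytes(4),
                         bytes.fromhex("001122334455").ljust(16, b"\x00"), bytes(64), bytes(128))
    circuit = bytes([SUB_CIRCUIT_ID, 6, 0, 4]) + struct.pack("!HBB", 100, 0, 12)
    remote = bytes([SUB_REMOTE_ID, 8, 0, 6]) + bytes.fromhex("001a2b3c4d5e")
    relay = circuit + remote
    options = (bytes([OPT_MSG_TYPE, 1, 2])
               + bytes([OPT_SERVER_ID, 4, 192, 0, 2, 1])
               + bytes([OPT_LEASE, 4]) + struct.pack("!I", 3600)
               + bytes([OPT_RELAY_INFO, len(relay)]) + relay
               + bytes([OPT_END]))
    return header + MAGIC + options


if __name__ == "__main__":
    msg = parse_dhcp(build_sample_offer())
    print(msg)
    print("ours:", option82_is_ours(msg, "00:1a:2b:3c:4d:5e"))
```

To reproduce observation 1 in the field, capture the server's OFFER on the uplink of the second switch and compare the decoded remote_id with that switch's base MAC; whether the switch then falls back to chaddr or the destination MAC, as asked in questions 2 to 4, is behaviour only the debugs on the switch itself can confirm, and this decoder only shows what each candidate field contains.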
