Going for the CCNP

Comments

  • tomtom1 Member Posts: 375
    Still searching for some switches while the Bryant material is underway. Is the SWITCH simplified any good?
  • fredrikjj Member Posts: 879
    tomtom1 wrote: »
    Is the SWITCH simplified any good?

    Some people think that it's great, and some people don't. I've read it, and I don't think that it lives up to the hype. I've also read the official certification guide which I find to be a better textbook overall due to better language and a greater emphasis on actually teaching you the material. At times Switch Simplified reads like a configuration guide, and that's not really what I'm looking for in a textbook. My recommendation would be to read the OCG and supplement with the 3560 configuration guide as you are practicing your hands on skills.
  • tomtom1 Member Posts: 375
    fredrikjj wrote: »
    Some people think that it's great, and some people don't. I've read it, and I don't think that it lives up to the hype. I've also read the official certification guide which I find to be a better textbook overall due to better language and a greater emphasis on actually teaching you the material. At times Switch Simplified reads like a configuration guide, and that's not really what I'm looking for in a textbook. My recommendation would be to read the OCG and supplement with the 3560 configuration guide as you are practicing your hands on skills.

    Coming from the guy who found the ROUTE OCG not dry, haha. I've ordered the switch OCG and now the only thing I need are a few decent switches. Hoping to pick them up somewhere next week.
  • tomtom1 Member Posts: 375
    FloOz wrote: »
    I'd go with 4x 3560s. It'll be pricey but it will pay off if you do go for your CCIE. I would check with your employer if they have any extra gear lying around.

    I've got 3 of those and judging by this command (sh ver didn't give me memory info) they have 32 MB of RAM which means they will run IOS 15.

    SW02#show file systems
    File Systems:

         Size(b)     Free(b)   Type   Flags  Prefixes
    *   32514048    17094656   flash  rw     flash:
          524288      523212   nvram  rw     nvram:

    Managed to pick these up for 350 for all 3 so I'm happy about the price to say the least :)

    The OCG should arrive today or next week.

    Edit: Yup, IOS 15 works like a charm:

    Switch Ports Model          SW Version  SW Image
    *    1 26    WS-C3560-24TS  15.0(1)SE   C3560-IPSERVICESK9-M
  • tomtom1 Member Posts: 375
    Made some first few steps into the SWITCH area today which was mostly review from the CCNA studies, but at the same time stuff I had to refresh on to form a solid basis. I will be using this thread to cover some notes / scenarios that I'm testing.

    Dynamic trunking protocol (DTP)


    Dynamic Desirable = default. DTP frames are being sent and the port is actively trying to form a trunked link. It will become a trunked link when the remote end is either trunk, dynamic auto or dynamic desirable.
    SW01(config-if)#sw mod dynamic desirable
    
    Dynamic Auto = DTP frames are being sent and received. If the remote end is either trunked or dynamic desirable a trunk link is formed.
    SW01(config-if)#sw mod dynamic auto
    
    Trunked = The link is set into a permanent trunking state. The remote end does not have to agree on the negotiation.
    SW01(config-if)#sw mod trunk
    
    Access = The link is set into a permanent access state. The remote end does not have to agree on the negotiation.
    SW01(config-if)#sw mod access
    
    No negotiation = A fixed link type (either access or trunk) must be configured on both ends
    SW01(config-if)#switchport nonegotiate
    


    On modes where DTP frames are being sent (all but nonegotiate) DTP packets will be sent out with a default interval of 30 seconds. You can check this by using show dtp:
    SW01#show dtp
    Global DTP information
        Sending DTP Hello packets every 30 seconds
        Dynamic Trunk timeout is 300 seconds
        5 interfaces using DTP
    

    When both 802.1Q and ISL are supported on both ends, ISL will be the preferred option. All active VLANs (1 - 4091) will be allowed on the trunk by default.

    Some extra debug information can be shown by running the command show interface <interface name> switchport, which shows the current status of the link, either by hardcoding it as an access or trunked port or by dynamically negotiating a trunked link:
    SW01#show interfaces gigabitEthernet 0/1 switchport
    Name: Gi0/1
    Switchport: Enabled
    Administrative Mode: dynamic auto
    Operational Mode: down
    Administrative Trunking Encapsulation: negotiate
    Negotiation of Trunking: On
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Administrative private-vlan host-association: none 
    Administrative private-vlan mapping: none 
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk associations: none
    Administrative private-vlan trunk mappings: none
    Operational private-vlan: none
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled: 2-1001
    Capture Mode Disabled
    Capture VLANs Allowed: ALL
    
    
    Protected: false
    Unknown unicast blocked: disabled
    Unknown multicast blocked: disabled
    Appliance trust: none
    
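    The two highlighted fields above (Administrative Mode and Negotiation of Trunking) are exactly what you would audit across a switch to find ports that can still negotiate a trunk. The Python below is an added example, not code from the thread: it parses blocks of `show interfaces <if> switchport` output and flags every port whose administrative mode is dynamic, or whose mode is fixed but still has DTP on (the case `switchport nonegotiate` fixes). The sample output is constructed for this example.

```python
"""Audit 'show interfaces <if> switchport' output for ports that still negotiate trunks.

Added example (not from the original thread). It parses the per-interface
output blocks and flags ports whose administrative mode is dynamic
(auto/desirable) or that report 'Negotiation of Trunking: On', i.e. ports on
which a DTP peer could still bring up a trunk. SAMPLE is constructed.
"""
import re

SAMPLE = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)

Name: Fa0/5
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Users)

Name: Gi0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
"""

FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")


def parse_switchport(text):
    """Split the output into one dict per 'Name:' block, keyed by field label."""
    ports = []
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue                      # blank lines and lines without a colon
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Name":
            current = {"Name": value}
            ports.append(current)
        elif current is not None:
            current[key] = value
    return ports


def audit_dtp(ports):
    """Return (port, reason) for every port that can still negotiate a trunk."""
    findings = []
    for p in ports:
        mode = p.get("Administrative Mode", "")
        nego = p.get("Negotiation of Trunking", "")
        if mode.startswith("dynamic"):
            findings.append((p["Name"], f"administrative mode is '{mode}'; set a fixed access or trunk mode"))
        elif nego == "On":
            findings.append((p["Name"], f"mode '{mode}' but DTP still on; add 'switchport nonegotiate'"))
    return findings


if __name__ == "__main__":
    for port, reason in audit_dtp(parse_switchport(SAMPLE)):
        print(f"{port}: {reason}")
```

    Feed it the concatenated output of `show interfaces switchport` (which prints the same block for every port) and the findings list is the set of ports to hard-code.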
  • gorebrush Member Posts: 2,743
    Just want to pick up an earlier comment on configuring routing protocols - configuring under the process is largely considered the legacy operation now.

    Also, try EIGRP Named Mode :) that will expand horizons a bit! Don't waste too much on it though - I don't know if it's on the ROUTE blueprint!!
  • tomtom1 Member Posts: 375
    VLAN Trunking protocol VTP


    The VLAN trunking protocol is designed to propagate the VLAN database (vlan.dat stored on flash:) from a switch operating in VTP server mode to VTP clients in the same management domain. In order for this process to work, the switches have to be:


    -> Running trunked (either ISL or 802.1q) links
    -> Running the same version of VTP (either 1,2 or 3)
    -> Be in the same VTP management domain (case sensitive)


    The entire concept of VTP is based upon the revision number of a switch’s VLAN database:

    SW01#show vtp status | i Revision
    


    When VTP is enabled, the switch will send out a summary packet every 5 minutes. This packet contains the VTP management domain name and the configuration revision. When a remote switch receives this packet, it checks the VTP domain name against its locally configured VTP domain name. If no match is found, the packet is ignored. If the VTP domain name is the same, the switch checks the revision number. If the revision number in the advertisement is equal or lower, the packet is ignored. If the revision number in the packet is higher, a request is sent.


    A VTP enabled switch can be in one of 3 modes:


    Server - A VTP server switch has the possibility to edit the VLAN database by either adding, removing or modifying VLANs. This information is propagated to the other VTP enabled switches in the same management domain.
    Client - A VTP client has a read-only copy of the database. When trying to edit the VLAN database on a VTP client, an error message is thrown:

    SW02(config)#vlan 200
    VTP VLAN configuration not allowed when device is in CLIENT mode.
    




    Transparent - A VTP transparent switch has the possibility to edit the VLAN database by either adding, removing or modifying VLANs. This information is not propagated to the other switches. When VTP version 2 is enabled, it does forward VTP packets it receives on to other trunked links.


    You can check the configuration revision, the domain name and the version of VTP running by issuing the command
    SW02#sh vtp status
    VTP Version capable             : 1 to 3
    VTP version running             : 1
    VTP Domain Name                 : CCNP
    VTP Pruning Mode                : Disabled
    VTP Traps Generation            : Disabled
    Device ID                       : 001c.575e.bf80
    Configuration last modified by 192.168.1.211 at 3-1-93 06:15:02
    
    
    Feature VLAN:
    --------------
    VTP Operating Mode                : Client
    Maximum VLANs supported locally   : 1005
    Number of existing VLANs          : 10
    Configuration Revision            : 6
    MD5 digest                        : 0xDC 0xF4 0x1E 0xBD 0x43 0xE3 0x88 0xB1 
                                        0x2B 0xFF 0x2A 0xD8 0x49 0x84 0x3A 0xC6 
    
    Configure a VTP domain name and set the mode

    SW02(config)#vtp domain CCNP
    Changing VTP domain name from switch to CCNP
    
    SW02(config)#vtp mode client
    Setting device to VTP Client mode for VLANS.
    

    VTP Versions
    The default VTP version running on switches is VTP version 1. VTP version 2 differs on a few points from VTP version 1.

    1) VTP Version 2 enabled Token Ring support
    2) VTP Version 2 does a consistency check on VLAN names / VLAN IDs based on the information in the VTP advertisements.
    3) VTP switches operating in transparent mode pass VTP information on to other switches. This is helpful in situations like this:



    In VTP version 2 the VTP switch operating in transparent mode passes the VTP information to the switch connected to it running in VTP client mode. You can change the VTP version in global configuration mode:
    SW03(config)#vtp version 2
    
    [Attachment: VTP.png]
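    The revision-number rule in the notes above is the whole security story of VTP: a switch in the same domain that advertises a higher revision replaces the VLAN database on every server and client, which is why a previously used switch is normally reset (changing the domain name sets its revision back to 0, a fact about IOS not stated in the post) before it is cabled into production. The model below is an added example, not code from the thread; switch names, revisions and VLAN sets are constructed.

```python
"""Model of how a VTP switch handles a summary advertisement (added example,
not from the thread). It follows the rules in the post: ignore other domains,
ignore equal-or-lower revisions, and pull the database when the advertised
revision is higher. Servers and clients both accept a higher revision;
transparent switches keep their own database. All names are constructed."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    domain: str
    mode: str                        # "server", "client" or "transparent"
    revision: int = 0
    vlans: set = field(default_factory=lambda: {1})

    def handle_summary(self, adv_domain, adv_revision, adv_vlans):
        """Return a string describing what the switch did with the advertisement."""
        if adv_domain != self.domain:            # domain names are case sensitive
            return "ignored: domain mismatch"
        if self.mode == "transparent":
            return "forwarded: transparent mode keeps its local database"
        if adv_revision <= self.revision:
            return "ignored: revision not higher"
        # Higher revision wins: the local database is replaced outright
        self.vlans = set(adv_vlans)
        self.revision = adv_revision
        return f"accepted: database replaced at revision {adv_revision}"


def add_vlan(sw, vlan_id):
    """Only a server may edit; every change bumps the revision by one."""
    if sw.mode != "server":
        raise PermissionError(
            f"VTP VLAN configuration not allowed when device is in {sw.mode.upper()} mode.")
    sw.vlans.add(vlan_id)
    sw.revision += 1


def reset_revision(sw, new_domain):
    """Changing the domain name resets the revision to 0 (IOS behaviour; the
    usual safe way to introduce a used switch into a production domain)."""
    sw.domain = new_domain
    sw.revision = 0


def demo():
    """A lab switch whose domain happens to match production, reintroduced unreset."""
    prod = Switch("SW01", "CCNP", "server", revision=6, vlans={1, 10, 20, 30})
    client = Switch("SW02", "CCNP", "client", revision=6, vlans={1, 10, 20, 30})
    lab = Switch("SW99", "CCNP", "server", revision=42, vlans={1, 999})
    results = {
        "lab->client": client.handle_summary(lab.domain, lab.revision, lab.vlans),
        "lab->server": prod.handle_summary(lab.domain, lab.revision, lab.vlans),
        "prod_vlans_after": sorted(prod.vlans),
    }
    # The same switch after a domain change no longer wins anything
    reset_revision(lab, "LAB")
    results["after_reset"] = prod.handle_summary(lab.domain, lab.revision, lab.vlans)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    The demo shows why `show vtp status | i Revision` belongs in the pre-checks of any switch you rack: the production server and client both accept the higher revision and lose VLANs 10, 20 and 30.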
  • tomtom1 Member Posts: 375
    gorebrush wrote: »
    Just want to pick up an earlier comment on configuring routing protocols - configuring under the process is largely considered the legacy operation now.

    Also, try EIGRP Named Mode :) that will expand horizons a bit! Don't waste too much on it though - I don't know if it's on the ROUTE blueprint!!

    I've already got the ROUTE part down, but I'll take a look at this. Never come across it before, so I'll definitely check it out. Also thanks for the advice on the 32 meg RAM in the switches for IOS 15.
  • gorebrush Member Posts: 2,743
    The irony of course is that my 3750's running 12.2(52)SE support VTP v3
  • tomtom1 Member Posts: 375
    STP 802.1d
    Spanning tree BPDUs are sent out every 2 seconds. The root ID consists of the priority and the mac address of the switch.

    Root port: Port closest to the root bridge, used to reach the root bridge.
    Designated port: In forwarding mode on one side, blocking on the other
    Blocking: Not actively forwarding traffic, blocked by STP.
    Blocking: Not actively forwarding traffic, blocked by STP.


    Only one end of a link is blocked. The other end of the link is a designated port in forwarding state. The end with the higher mac address has the port in blocking mode.


    To set the bridge priority in a PVST instance (i.e. VLAN 1). When PVST is running, the priority consists of 32768 + sys-id-ext (VLAN ID). For VLAN 1 the bridge priority is 32769

    SW01(config)#spanning-tree vlan 1 priority 4096
    


    Classic spanning tree (802.1d) port status


    Listening - 15 seconds listening for BPDUs on the network. Traffic is not being forwarded.
    Learning - 15 seconds learning entries for the mac-address-table. Traffic is not being forwarded.
    Forwarding - The port is up and actively forwarding traffic.
    Blocking - The port is blocking


    When convergence has to occur and the port is in blocking state, 20 seconds of timers (max-age) have to expire before the port is set into listening mode. This could cause the outage to be a maximum of 50 seconds with classic spanning tree protocol.


    Classic STP (802.1d) converges slowly because of the max age, listening and learning delays. Portfast solves one of these problems by making the port skip both the listening and learning state, going directly into a forwarding state. Portfast should only be configured on edge ports, ports that connect to an endpoint and cannot form L2 switching loops.

    SW01(config-if)#spanning-tree portfast

    Uplinkfast is a Cisco proprietary feature that allows faster link recovery upon failure of the root port. When uplinkfast is enabled, the root ports and the blocking ports are set into an uplink group. When the root port fails, the blocking port is put into FWD (forwarding) mode and the listening and learning timers are skipped. This allows for faster convergence. Uplinkfast is enabled globally.

    SW02(config)#spanning uplinkfast
    


    Root guard is an STP security feature that kicks in when a superior BPDU is received on an interface. Without root guard, a rogue switch could take control of the STP domain and become the root bridge. When root guard is enabled (per interface basis) every downstream BPDU is discarded and the port is set into a root-inconsistent port state. Root guard is configured on a per interface basis with the following command:

    SW02(config-if)#spanning guard root
    

    BPDU guard is an STP security feature that is used in combination with portfast. When BPDUs are received on a port that is configured with PortFast the switch knows that there isn't an end device connected to that port. If BPDU guard is configured, this kicks in and the port is set into an error disabled state. The link and line protocol both go down. BPDU guard is enabled per interface with:

    SW02(config-if)#spanning bpduguard enable
    *Mar  1 19:02:33.162: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/2 with BPDU Guard enabled. Disabling port.
    *Mar  1 19:02:33.162: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/2, putting Fa0/2 in err-disable state
    *Mar  1 19:02:34.177: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
    
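    The root election and the PVST priority arithmetic above are easy to get wrong by hand, and the "superior BPDU" that root guard discards is just a bridge ID that would win this comparison. The Python below is an added example, not code from the thread: it builds PVST+ bridge IDs (priority + VLAN ID, then MAC), elects the root for a VLAN, and reports whether an unexpected bridge would take over (the condition root guard exists to block). It also sums the classic failover timers from the notes. Switch names and MACs are constructed.

```python
"""Per-VLAN STP root election as described in the post (added example, not
from the thread). Bridge ID = (priority + VLAN ID, MAC); the lowest wins,
with the MAC breaking priority ties. Switch names and MACs are constructed."""


def bridge_id(base_priority, vlan, mac):
    """PVST+ bridge ID: the 16-bit priority field is base priority + sys-id-ext (VLAN)."""
    if base_priority % 4096 or not 0 <= base_priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return (base_priority + vlan, mac_int)


def elect_root(switches, vlan):
    """switches: {name: (base_priority, mac)}. Returns (name, bridge_id) of the root."""
    ranked = sorted(switches.items(),
                    key=lambda kv: bridge_id(kv[1][0], vlan, kv[1][1]))
    name, (prio, mac) = ranked[0]
    return name, bridge_id(prio, vlan, mac)


def check_root(switches, vlan, expected_root):
    """None when expected_root wins; otherwise the bridge that would take over.
    A non-None result is the 'superior BPDU' case that root guard discards."""
    winner, _ = elect_root(switches, vlan)
    return None if winner == expected_root else winner


def classic_failover_seconds(max_age=20, forward_delay=15):
    """Worst case 802.1D convergence for a blocking port: max-age + listening + learning."""
    return max_age + 2 * forward_delay


if __name__ == "__main__":
    # Constructed topology: SW01 was lowered to 4096 for VLAN 1, the others are default
    core = {"SW01": (4096, "0000.0000.0a01"),
            "SW02": (32768, "0000.0000.0a02"),
            "SW03": (32768, "0000.0000.0a03")}
    print("root for VLAN 1:", elect_root(core, 1))
    print("failover worst case:", classic_failover_seconds(), "s")
    # A new bridge with priority 0 appears on an access port
    core["NEW"] = (0, "0000.0000.00ff")
    print("unexpected root:", check_root(core, 1, "SW01"))
```

    Running `check_root` against the bridge IDs seen in `show spanning-tree` is the cheap way to confirm that the root you configured is actually the root in every VLAN.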
  • tomtom1 Member Posts: 375
    Etherchanneling:
    Cisco currently has 2 Etherchanneling protocols built into IOS.

    1) PAgP (Port Aggregation Protocol)
    2) LACP (Link Aggregation Control Protocol)

    The PAgP protocol is Cisco proprietary and knows 3 modes:
    Auto - Will wait for a PAgP packet from the remote switch.
    Desirable - Will be actively trying to form a PAgP channel with a remote switch. PAgP packets will be sent.
    On - Disables both PAgP and LACP negotiations, builds a static Etherchannel.

    The LACP protocol is industry standard (802.3ad) and also knows 3 modes:
    Active - The switch is actively trying to form an LACP Channel and is sending LACP packets.
    Passive - The switch is waiting for a LACP packet from the remote switch.
    On - Disables both PAgP and LACP negotiations, builds a static Etherchannel.

    SW01(config-if)#channel-group 2 mode ?
      active     Enable LACP unconditionally
      auto       Enable PAgP only if a PAgP device is detected
      desirable  Enable PAgP unconditionally
      on         Enable Etherchannel only
      passive    Enable LACP only if a LACP device is detected
    

    To put a physical interface in a Port-Channel with the mode set to on (which means a static Etherchannel):
    SW01(config-if-range)#channel-group 2 mode on
    
  • tomtom1 Member Posts: 375
    Alright, port security was on the menu today. Port security is a security measure implemented to stop MAC spoofing and could help in limiting the number of MAC addresses on an interface or even allow only certain MAC addresses to send frames on an interface.

    Port security can't be enabled on:
    -> Trunk port (switchport mode trunk, or ports operating in DTP mode auto or desirable)
    -> Interfaces which are a member of port-channels
    -> SPAN destination ports

    Port-security violation modes:
    -> Protect (drop incoming frames)
    -> Reject (drop incoming frames, generate a syslog message and send a SNMP trap)
    -> Shutdown (put the port into err-disabled). Default

    Port-Security maximum
    When enabled, port security by default allows for a maximum of one (1) MAC address on a secure port. This mac-address can be either dynamically learned or statically configured. You can increase the number of secure mac-addresses on an interface by using the following command:
    switchport port-security maximum
    

    Port-security mac-address
    Port security can learn mac-address via 2 ways:
    1) Statically configured on the interface
    2) Dynamically learned by looking at the source mac-address on incoming frames

    By configuring the switchport with statically configured secure mac-addresses, you put a hard limit on the mac-addresses allowed to connect on an interface. If the source MAC address of incoming frames does not match the one configured, the configured violation occurs.

    Configure a static mac-address with port security like this
    switchport port-security mac-address aaaa.aaaa.aaaa
    

    You can also configure sticky mac-addresses with port-security. Sticky mac-address are dynamically learned but once learned, are saved in the configuration so they don't have to be relearned when the switch reboots. Configure sticky mac-addresses:
    switchport port-security mac-address sticky
    

    Port-security aging
    By default, port-security does not age out entries learned (timer set to 0). You can configure aging in 2 types:

    1) Absolute (Specify a "hard" timer for when a secure mac-address will age out)
    2) Inactivity (Specify a timer for when a secure mac-address will age out once no traffic from that source mac-address has been seen)

    Configure port-security aging:
    switchport port-security aging time 10
    switchport port-security aging type absolute
    

    A nice gotcha
    Consider the following configuration:
    SW02#sh run int fa0/16
    Building configuration...
    
    
    Current configuration : 201 bytes
    !
    interface FastEthernet0/16
     switchport access vlan 200
     switchport mode access
     switchport port-security maximum 2
     switchport port-security
     switchport port-security mac-address 6003.08a2.beea
    

    One of the 2 maximum mac-addresses has been statically configured. This means that a second mac-address on the same interface can be dynamically learned, still be allowed to connect to the network and send frames.

    Verification commands
    show port-security
    show port-security interface fa0/16
    
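    The gotcha above (maximum 2 with one static entry leaves one slot for a dynamically learned address) and the three violation actions are simple enough to model, and doing so makes the difference between them concrete: protect silently drops, the log-and-drop mode (IOS keyword `restrict`, called Reject in the notes above) counts and logs, shutdown err-disables the port. The Python below is an added example, not code from the thread; the MACs are constructed and the log strings are modelled on the IOS messages quoted earlier in this thread rather than copied from a device.

```python
"""Simulation of port-security decision logic from the post (added example,
not the thread's code). A SecurePort holds static and learned MACs up to
'maximum'; a frame from an unknown MAC beyond the limit triggers the
configured violation action. MACs are constructed; log text is modelled on
the IOS format, not captured from a switch."""


class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown", sticky=False):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation must be protect, restrict or shutdown")
        self.name = name
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure_macs = {}           # mac -> "static" | "dynamic" | "sticky"
        self.err_disabled = False
        self.violations = 0
        self.log = []

    def add_static(self, mac):
        """Operator-configured entry; counts against the maximum like any other."""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError("maximum secure addresses already configured")
        self.secure_macs[mac] = "static"

    def frame_from(self, mac):
        """Return 'forward' or 'drop' for a frame whose source MAC is 'mac'."""
        if self.err_disabled:
            return "drop"
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:       # free slot: learn it
            self.secure_macs[mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        return self._violate(mac)

    def _violate(self, mac):
        self.violations += 1
        if self.violation == "restrict":
            self.log.append(f"(simulated) security violation by {mac} on port {self.name}")
        elif self.violation == "shutdown":
            self.err_disabled = True
            self.log.append(f"(simulated) psecure-violation error detected on {self.name}, "
                            f"putting {self.name} in err-disable state")
        return "drop"                                   # protect: drop silently

    def running_config(self):
        """Lines that survive a reboot: static and sticky MACs persist, dynamic ones do not."""
        lines = [f"interface {self.name}",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in self.secure_macs.items():
            if kind == "static":
                lines.append(f" switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
        return lines


if __name__ == "__main__":
    # The gotcha from the post: maximum 2, one static entry, shutdown on violation
    p = SecurePort("FastEthernet0/16", maximum=2)
    p.add_static("6003.08a2.beea")
    for mac in ("6003.08a2.beea", "0000.1111.2222", "0000.3333.4444"):
        print(mac, "->", p.frame_from(mac))
    print("\n".join(p.log))
```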
  • tomtom1 Member Posts: 375
    Got some work done on PVLANs yesterday. Luckily I was already a bit familiar with the material from VMware's implementation in the distributed vSwitch, so the concepts were already clear. Anyhow, another summary:

    PVLANs basically are VLANs within VLANs.

    PVLAN Types:
    Primary, which can also be referred to as the promiscuous VLAN.
    Secondary, which can either be isolated or community.

    PVLAN "modes":
    Promiscuous: This is mainly used with default gateways (such as routers or firewalls) but ports in promiscuous mode can communicate to other ports in the promiscuous VLAN, as well as isolated and community ports.
    Community: Ports or hosts placed in a community PVLAN can communicate with hosts / ports in the same community VLAN and the promiscuous VLAN. PVLAN-Community ports cannot communicate with hosts / ports in other community PVLANs and isolated ports.
    Isolated: Ports or hosts in an isolated PVLAN can only communicate with the promiscuous VLAN.

    One small gotcha
    One thing I ran into. PVLANs can only be configured with a VTP switch in transparent or off mode.
    SW02(config-vlan)#private-vlan primary
    %Private VLANs can only be configured when VTP is in transparent/off mode.
    

    Fix:
    SW02(config)#vtp mode off
    


    VLAN Configuration:
    SW03(config)#vlan 500
    SW03(config-vlan)#name PVLAN-PRIMARY
    SW03(config-vlan)#private-vlan primary 
    SW03(config-vlan)#vlan 501
    SW03(config-vlan)#name PVLAN-COMMUNITY
    SW03(config-vlan)#private-vlan community 
    SW03(config-vlan)#vlan 502
    SW03(config-vlan)#name PVLAN-ISOLATED 
    SW03(config-vlan)#private-vlan isolated 
    SW03(config-vlan)#vlan 500
    SW03(config-vlan)#private-vlan association 501,502
    
    

    Port Configuration for a host in the community PVLAN:
    SW03(config-vlan)#int fa0/11
    SW03(config-if)#switchport mode private-vlan host
    SW03(config-if)#switchport private-vlan host-association 500 501
    

    Port Configuration for a host in the promiscuous PVLAN:
    SW03(config-if)#int fa0/12
    SW03(config-if)#switchport mode private-vlan promiscuous 
    SW03(config-if)#switchport private-vlan mapping 500 501,502
    

    Verification commands:
    SW03#sh vlan private-vlan
    
    SW03#sh int fa0/11 sw | be private
    
  • JeanM Member Posts: 1,117
    Nice job on passing CCNP route on first attempt!
    2015 goals - ccna voice / vmware vcp.
  • tomtom1 Member Posts: 375
    JeanM wrote: »
    Nice job on passing CCNP route on first attempt!

    Thanks!

    Question to you CCNP / CCIE candidates out there concerning DTP. I've learned that the default port mode should be dynamic desirable. When I run a command to verify DTP status, I noticed my default is different. For example:
    SW03#sh int fa0/7 sw | i dynamic
    Administrative Mode: dynamic auto
    
    
    SW03#sh run int fa0/7
    Building configuration...
    
    
    Current configuration : 33 bytes
    !
    interface FastEthernet0/7
    End
    
    
    SW03#sh ver | i 15.0 
    Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 15.0(1)SE, RELEASE SOFTWARE (fc1)
    *    1 26    WS-C3560-24TS      15.0(1)SE             C3560-IPSERVICESK9-M     
    


    Do you know if this default was changed in between versions?
  • FloOz Member Posts: 1,614
    3560s default is dynamic auto
    3550s default is dynamic desirable
  • tomtom1 Member Posts: 375
    FloOz wrote: »
    3560s default is dynamic auto
    3550s default is dynamic desirable

    Weird that something like this would differ between models rather than IOS versions. Anyhow, got the OCG in yesterday and already picked up some things that gave me just a little bit more detail.

    1) When auto negotiation on a switchport fails they fall back to a half-duplex mode.
    2) A nice command regarding Etherchanneling
    test etherchannel load-balance interface Port-Channel1 mac  10dd.b1ea.bcf5  0008.9bdc.4ddd
    

    It tells you, based on the load-balancing algorithm (sh etherchannel load-balance) which port of your channel would be used when a source mac address of 10dd.b1ea.bcf5 and a destination mac address of 0008.9bdc.4ddd is used (in my case).
  • gorebrush Member Posts: 2,743
    Dynamic desirable is truly a horrible default!
  • tomtom1 Member Posts: 375
    gorebrush wrote: »
    Dynamic desirable is truly a horrible default!

    I know, prefer dynamic auto, but strange that it would differ. On your 3750's, default is dynamic desirable?
  • tomtom1 Member Posts: 375
    Slowly started my way into the redundancy protocols. First one up is HSRP.

    HSRP
    The Cisco proprietary Hot Standby Router Protocol is one of multiple ways to provide first-hop redundancy on a segment. Why would you want this? See the topology below:

    Hosts in the LAN subnet can either use R1 or R2 as a default gateway to reach the internet. However, consider the impact when R1 is used as a default gateway and R1 fails. The hosts would not be able to reach the internet and manual intervention (the reconfiguration of the hosts in the subnet - edit the default gateway to point to R2) could be one of the steps required to restore connection towards the internet.

    This is where HSRP steps in. HSRP uses a virtual MAC and IP address to provide what is known as a virtual router. All hosts use the MAC and IP address of the virtual router to forward traffic (in the topology the virtual router will be the default gateway of the hosts on the LAN subnet). The router which is considered active for a HSRP group will respond to both the virtual MAC and IP address. A router in a HSRP group can either be active (forwarding traffic) or standby (waiting to become active).

    HSRP packets are multicast to 224.0.0.2. The HSRP MAC address range is 00-00.0c-07.ac-xx. The xx refers to the HSRP group number in hexadecimal.

    Configuration of HSRP
    R1(config-if)#standby 1 ip 10.0.0.3
    R2(config-if)#standby 1 ip 10.0.0.3
    

    Once HSRP is configured, the priority (default 100) will decide who will be the active and who will be the standby HSRP router. If there is a tie, the highest IP address on the HSRP interface will be chosen. In my example, R2 will be the HSRP active router (since it has 10.0.0.2 as IP address) and R1 the HSRP standby router.

    Preempt
    Since the highest HSRP priority is a deciding factor for the HSRP election, one would expect that by setting the higher priority on the standby router, the standby router would become active.
    R2(config-if)# standby 1 priority 110
    

    This is not the case, unless preempt is enabled. Preempt allows a router to actively take over from active routers configured with a lower priority.
    R2(config-if)# standby 1 preempt
    

    3 routers
    When 3 routers on a shared segment (Ethernet for example) share a HSRP virtual IP address (i.e. the standby <id> command is configured on all 3 routers), 1 router will become active (highest IP address when priority is a tie) and 1 will become standby. The third router will remain in the listen state, actively waiting to become either active or standby when the other routers fail.

    HSRP verification commands
    sh standby
    sh standby brief
    debug standby
    
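    The election rules above (priority first, highest interface IP on a tie, and no takeover without preempt) plus the virtual MAC derivation are worth seeing in one place. The Python below is an added example, not code from the thread: `hsrp_virtual_mac` builds the 0000.0c07.acXX address for a group and `elect` applies the priority, IP tie-break, preempt and listen-state rules from the notes. Router names, IPs and priorities are constructed; the model only makes the active role sticky when preempt is off, which is the case the post discusses.

```python
"""HSRP group election and virtual MAC derivation from the post (added
example, not the thread's code). Routers, IPs and priorities are constructed."""
import ipaddress


def hsrp_virtual_mac(group):
    """HSRPv1 virtual MAC 0000.0c07.acXX, where XX is the group number in hex (0-255)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def elect(routers, preempt=False, current_active=None):
    """routers: {name: (priority, interface_ip)}.

    Highest priority wins; the highest interface IP breaks ties. Without
    preempt, the router that is already active keeps the role even when a
    higher priority appears. Returns (active, standby, [routers in listen])."""
    ranked = sorted(routers.items(),
                    key=lambda kv: (kv[1][0], ipaddress.ip_address(kv[1][1])),
                    reverse=True)
    names = [name for name, _ in ranked]
    if current_active in names and not preempt:
        names.remove(current_active)          # no preempt: incumbent stays active
        names.insert(0, current_active)
    active = names[0]
    standby = names[1] if len(names) > 1 else None
    return active, standby, names[2:]


if __name__ == "__main__":
    # Constructed: the post's two routers, both at default priority 100
    lan = {"R1": (100, "10.0.0.1"), "R2": (100, "10.0.0.2")}
    print("virtual MAC for group 1:", hsrp_virtual_mac(1))
    print("initial election:", elect(lan))
    # R2 had been standby... now R1 is active and R2 gets priority 110
    lan["R2"] = (110, "10.0.0.2")
    print("priority 110 on R2, no preempt:", elect(lan, current_active="R1"))
    print("priority 110 on R2, preempt:   ", elect(lan, preempt=True, current_active="R1"))
```

    The no-preempt line is the behaviour the post found surprising: raising the priority changes nothing until `standby 1 preempt` is added.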
  • tomtom1 Member Posts: 375
    Did some SWITCH practice questions on the Cisco Website (link). It appears I know my stuff so far rather OK, but I need to revisit:
    • STP mode MST
    • STP Loopguard
    • STP BPDU Guard
    Hitting the lab and books!
  • gorebrush Member Posts: 2,743
    I used to dislike switching, but one day I think during my studies a lightbulb went off and I can tackle most switch tasks with ease.

    Spanning Tree and VLANs are up there with my favourite topics.
  • tomtom1 Member Posts: 375
    Something I'm not quite getting. Perhaps someone can clarify:

    You configure QOS like this:
    SW02(config)#mls qos
    SW02(config)#int fa0/9
    SW02(config-if)#mls qos trust cos
    SW02(config-if)#mls qos trust device cisco-phone
    

    What we do here is enable QOS, and trust the L2 information in the COS field (classes 0-7). We make the trust conditional for a cisco-phone.

    Which would mean the cisco-phone connected to fa0/9 is able to modify the L2 header and provide COS information in the COS field, correct? The PC connected to the cisco-phone is untrusted and gets its COS field set to 0 (best effort) by default.

    So, what does this command do:
    SW02(config-if)#sw priority extend trust
    SW02(config-if)#sw priority extend cos
    

    If we set the extend to trust, we trust the cisco-phone? But didn't we do that already with mls qos trust cos and mls qos trust device cisco-phone. Or is my thinking wrong here? What if the PC requires the ability to do some kind of COS / TOS flagging?

    Thanks for the replies.
  • tomtom1 Member Posts: 375
    Anybody got an idea about this?
  • hananaliabro Member Posts: 5
    Dear sir, will I get a job in Dubai without experience,
    or may Dubai companies hire fresher CCNP holders??

    Please reply to me.
  • tomtom1 Member Posts: 375
    tomtom1 wrote: »
    Something I'm not quite getting. Perhaps someone can clarify:

    Got it sorted out. With the following commands (example), we configure QoS and trust the L2 COS value when the device connected to the other end is cisco phone.
    SW03(config-if)#mls qos trust cos
    SW03(config-if)#mls qos trust device cisco-phone
    

    With the switchport priority extend command, we have 2 options. Either set the value of the COS (example) to something we trust, or trust the PC attached to the cisco phone to send QOS information.
    SW03(config-if)#switchport priority extend cos 2
    SW03(config-if)#switchport priority extend trust
    
  • tomtom1 Member Posts: 375
    Managed to do some labbing over the weekend. One interesting detail I picked up about Etherchanneling protocols. When the port configuration is edited on the port-channel level (i.e. adding of a VLAN), the physical interfaces belonging to the port-channel get the new config too. It was to be expected, but still nice to see it works.

    I also ordered the Boson CCNP Switch practice exam which has some great labs and they really told me to reread the DTP stuff again. I did that and I feel I'm slowly getting ready for the exam. Date is set on July 25th.
  • tomtom1 Member Posts: 375
    Knocked the SWITCH out this morning with an 850/1000. I think the planning + QOS sections could use a bit more work, but hey, a pass is a pass :) I will start TSHOOT next weekend.
  • lrb Member Posts: 526
    Nice work man! I think if you are still comfortable with the ROUTE material you should take the TSHOOT soon :)
  • tomtom1 Member Posts: 375
    Took a few hours to recreate (parts of) the TSHOOT topology only to find some typing errors (FastEthernet0/0 where it should be FastEthernet0/1), which was a nice way to really hone my troubleshooting skills by accidentally misconfiguring stuff :). The IPv4 stuff wasn't all that hard (some multi area OSPF, NAT / PAT and basic BGP) but my IPv6 skill still needs much more work. I'm most definitely not comfortable with OSPF v3 and RIPng. That will dictate most of my studying for this week.