PvLAN on 3850

08/02/2016

Cisco, in its wisdom, decided to offer only protected edge ports on the 3850 series. However, later software versions added proper PvLAN functionality.

 


PvLAN and crazy thoughts.

08/02/2016

One thing crossed my mind whilst looking at using PvLANs on a pair of Cisco 3750 switches to meet a specific requirement in a network. Add an HP C7000 to the mix and a pinch of 2960s, and you start to think about and/or try out some crazy ideas.

It's a great way to learn a little bit more or cement your understanding!

  1. Can I have a port in an access vLAN and allow it to communicate with another device in an isolated vLAN? No! The isolated PvLAN port is, as its name says, isolated. Devices connected to it can only communicate with a promiscuous port.
  2. Okay, can I do this with a community vLAN, by having a device on an access port defined using the same vLAN ID as the community? No! That won't work either. However, you could obviously make it a community port.
  3. What about if I trunk to switches running the same PvLAN configuration? Can I trunk the two switches using just a normal 802.1Q vLAN trunk port? Yes!
  4. Cool, so if I trunk in the same way to a 2960 from the 3750 and then place a port in an access vLAN matching either the primary or secondary PvLAN, then I can plug my devices into it and they'll work? No! Again, the PvLAN configuration will stop this from working.
  5. So what can I do? You could look at the Cisco 4500 series switches. These have newer features, namely a promiscuous trunk port and/or an isolated trunk port.

Well it’s not the answer I wanted but was fun trying.

 

 


Layer3 switch ACL on SVI

27/01/2015

This is the best explanation that I've come across for the direction of flow when applying an ACL INBOUND/OUTBOUND on an SVI. This is not my own work; I snaffled it from here: https://supportforums.cisco.com/discussion/12043016/pls-explain-svi-acl-source-and-destination-direction. All credit goes to Peter Paluch.

SVI Directions


PVLAN Example – 3560 – 12.2(46)

11/05/2014

vtp mode transparent
!
!
vlan 111
name PVLAN-111-PRIMARY
private-vlan primary
private-vlan association 222,333
!
vlan 222
name PVLAN-222-COMMUNITY
private-vlan community
!
vlan 333
name PVLAN-333-ISOLATED
private-vlan isolated
!
!
interface FastEthernet0/1
description * * PVLAN-COMMUNITY * *
switchport private-vlan host-association 111 222
switchport mode private-vlan host
!
interface FastEthernet0/2
description * * PVLAN-COMMUNITY * *
switchport private-vlan host-association 111 222
switchport mode private-vlan host
!
interface FastEthernet0/3
description * * ISOLATED * *
switchport private-vlan host-association 111 333
switchport mode private-vlan host
!
interface FastEthernet0/4
description * * PVLAN-PROMISCUOUS * *
switchport private-vlan mapping 111 222,333
switchport mode private-vlan promiscuous
!

#
# show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
111     222       community         Fa0/1, Fa0/2, Fa0/3, Fa0/8
111     333       isolated          Fa0/4, Fa0/8

#
#show vlan private-vlan type

Vlan Type
---- -----------------
111  primary
222  community
333  isolated

#
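As an added example (not the post author's code), here is a small Python script that parses `show vlan private-vlan` output in the format above and applies the PVLAN forwarding rules from the "crazy thoughts" post (isolated hosts reach only promiscuous ports, community hosts only their own community, promiscuous ports everything) to report which port pairs can exchange frames. The sample output is constructed to match the Fa0/1 to Fa0/4 configuration above, and the script assumes a promiscuous port is listed under every secondary VLAN it maps to, which is how it is told apart from a host port with its single association.

```python
import re
from itertools import combinations

# Constructed sample of `show vlan private-vlan` output (not a live capture). It
# mirrors the post's FastEthernet0/1-0/4 configuration: Fa0/4 is the promiscuous
# port mapped to 222,333, so IOS lists it under both secondary VLANs.
SHOW_OUTPUT = """\
Primary Secondary Type             Ports
------- --------- ---------------- ------------------------
111     222       community        Fa0/1, Fa0/2, Fa0/4
111     333       isolated         Fa0/3, Fa0/4
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(community|isolated)\s+(.*)$")

def parse_pvlan(text):
    """Map port -> (type, secondary VLAN). A host port has exactly one
    association, so a port listed under several secondaries must be a
    promiscuous port. Assumption: a promiscuous port mapped to a single
    secondary cannot be told apart from a host port in this output."""
    seen = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _, secondary, vtype, port_list = m.groups()
        for port in filter(None, (p.strip() for p in port_list.split(","))):
            seen.setdefault(port, []).append((vtype, int(secondary)))
    return {p: ("promiscuous", None) if len(e) > 1 else e[0]
            for p, e in seen.items()}

def can_talk(ports, a, b):
    """Layer-2 reachability between two PVLAN ports on one switch."""
    ta, sa = ports[a]
    tb, sb = ports[b]
    if "promiscuous" in (ta, tb):
        return True        # a promiscuous port reaches every secondary it maps to
    if "isolated" in (ta, tb):
        return False       # isolated hosts reach promiscuous ports only
    return sa == sb        # community hosts talk only within their own community

def reachability(text):
    """Every port pair with its allowed/blocked verdict."""
    ports = parse_pvlan(text)
    return {(a, b): can_talk(ports, a, b) for a, b in combinations(sorted(ports), 2)}

if __name__ == "__main__":
    for (a, b), ok in reachability(SHOW_OUTPUT).items():
        print(f"{a} <-> {b}: {'allowed' if ok else 'blocked'}")
```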


Layer2 VLAN over GRE

27/10/2013

!
bridge irb
!

!
interface Tunnel1
 no ip address
 ip mtu 1340
 tunnel source Loopback1
 tunnel destination 2.2.2.2
 bridge-group 1
 bridge-group 1 spanning-disabled
!

 


Layer 2 over L2TP and IPSEC

27/10/2013

!
ip cef
!
!
pseudowire-class L2TP-L2
encapsulation l2tpv3
ip local interface FastEthernet0/0
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key CISCO address 2.2.2.2
!
!
crypto ipsec transform-set MY-IPSECGRE-SET esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile MY-GRE-PROFILE
set transform-set MY-IPSECGRE-SET
!
!
interface Tunnel1
ip address 1.1.1.1 255.255.255.0
ip mtu 1300
ip tcp adjust-mss 1300
tunnel source 172.16.32.1
tunnel destination 172.16.32.5
tunnel path-mtu-discovery
tunnel protection ipsec profile MY-GRE-PROFILE
!
interface FastEthernet0/0
ip address 172.16.32.1 255.255.255.252
ip mtu 1360
ip policy route-map clear-df-bit
duplex full
speed auto
!
interface FastEthernet0/1
no ip address
duplex full
speed auto
no cdp enable
xconnect 172.16.32.5 100 pw-class L2TP-L2
!
ip route 0.0.0.0 0.0.0.0 172.16.32.2
!
!
access-list 111 permit tcp any any
!
route-map clear-df-bit permit 10
match ip address 111
set ip df 0
!


Cisco Router and Avaya Phone VPN example

02/04/2013

!
!
!
ip local pool IPADDR_VPN_POOL x.x.x.x x.x.x.x
!
aaa new-model
!
aaa authentication login LETMEIN_GROUPx local
aaa authentication login userauthen local
aaa authorization network LETMEIN_GROUPx local
!
username AVAYAx1 password 0 xxxx1
username AVAYAx2 password 0 xxxx2
username AVAYAx3 password 0 xxxx3
username AVAYAx4 password 0 xxxx4
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group LETMEIN_GROUPx
key $x$x$
pool IPADDR_VPN_POOL
pfs
!
crypto ipsec transform-set MYTSET_3DESx esp-3des esp-md5-hmac
!
crypto ipsec security-association lifetime seconds 86400
!
crypto dynamic-map dynmap2 20
set transform-set MYTSET_3DESx
set pfs group2
reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list LETMEIN_GROUPx
crypto map clientmap client configuration address respond
crypto map clientmap 20 ipsec-isakmp dynamic dynmap2
!
!
interface XXX/XXX
ip address X.X.X.X X.X.X.X
crypto map clientmap
!