Layer3 switch ACL on SVI


This is the best explanation that I’ve come across for the direction of flow when applying an acl INBOUND/OUTBOUND on an SVI. This is not my making and snaffled from here: all credit goes to Peter Paluch.

SVI Directions


PVLAN Example – 3560 – 12.2(46)


vtp mode transparent
!
vlan 111
 private-vlan primary
 private-vlan association 222,333
vlan 222
 private-vlan community
vlan 333
 private-vlan isolated
!
interface FastEthernet0/1
 description * * PVLAN-COMMUNITY * *
 switchport private-vlan host-association 111 222
 switchport mode private-vlan host
interface FastEthernet0/2
 description * * PVLAN-COMMUNITY * *
 switchport private-vlan host-association 111 222
 switchport mode private-vlan host
interface FastEthernet0/3
 description * * ISOLATED * *
 switchport private-vlan host-association 111 333
 switchport mode private-vlan host
interface FastEthernet0/4
 description * * PVLAN-PROMISCUOUS * *
 switchport private-vlan mapping 111 222,333
 switchport mode private-vlan promiscuous

# show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
111     222       community         Fa0/1, Fa0/2, Fa0/3, Fa0/8
111     333       isolated          Fa0/4, Fa0/8

# show vlan private-vlan type

Vlan Type
---- -----------------
111  primary
222  community
333  isolated
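As an added example (not part of the original post), the following Python parses the PVLAN stanzas from the 3560 configuration above and answers which ports may exchange frames: community hosts reach each other and the promiscuous port, the isolated host reaches only the promiscuous port. The configuration text is a constructed copy of the page's config with the mode lines omitted.

```python
import re
# Constructed input: the PVLAN stanzas of the 3560 config above (mode lines omitted).
CONFIG = """
vlan 111
 private-vlan primary
 private-vlan association 222,333
vlan 222
 private-vlan community
vlan 333
 private-vlan isolated
interface FastEthernet0/1
 switchport private-vlan host-association 111 222
interface FastEthernet0/2
 switchport private-vlan host-association 111 222
interface FastEthernet0/3
 switchport private-vlan host-association 111 333
interface FastEthernet0/4
 switchport private-vlan mapping 111 222,333
"""

def parse_pvlan(config):
    vlan_types, assoc, ports, ctx = {}, {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            ctx = int(m.group(1))                      # now inside a vlan stanza
        elif m := re.fullmatch(r"interface (\S+)", line):
            ctx = m.group(1)                           # now inside an interface stanza
        elif m := re.fullmatch(r"private-vlan (primary|community|isolated)", line):
            vlan_types[ctx] = m.group(1)
        elif m := re.fullmatch(r"private-vlan association ([\d,]+)", line):
            assoc.setdefault(ctx, set()).update(int(v) for v in m.group(1).split(","))
        elif m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line):
            ports[ctx] = ("host", int(m.group(1)), int(m.group(2)))
        elif m := re.fullmatch(r"switchport private-vlan mapping (\d+) ([\d,]+)", line):
            ports[ctx] = ("promisc", int(m.group(1)), {int(v) for v in m.group(2).split(",")})
    return vlan_types, assoc, ports

def can_communicate(a, b, vlan_types, assoc, ports):
    """True if a frame entering port a may be forwarded out port b under PVLAN rules."""
    (kind_a, prim_a, sec_a), (kind_b, prim_b, sec_b) = ports[a], ports[b]
    if a == b or prim_a != prim_b:
        return False
    if kind_a == kind_b == "promisc":             # promiscuous ports see each other
        return True
    if "promisc" in (kind_a, kind_b):             # host <-> promiscuous: secondary must be mapped
        host_sec, mapped = (sec_b, sec_a) if kind_a == "promisc" else (sec_a, sec_b)
        return host_sec in mapped and host_sec in assoc.get(prim_a, set())
    # host <-> host: only two ports in the same community VLAN; isolated hosts never talk
    return sec_a == sec_b and vlan_types.get(sec_a) == "community"
```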


Cisco Router and Avaya Phone VPN example


ip local pool IPADDR_VPN_POOL x.x.x.x x.x.x.x
!
aaa new-model
aaa authentication login LETMEIN_GROUPx local
aaa authentication login userauthen local
aaa authorization network LETMEIN_GROUPx local
!
username AVAYAx1 password 0 xxxx1
username AVAYAx2 password 0 xxxx2
username AVAYAx3 password 0 xxxx3
username AVAYAx4 password 0 xxxx4
!
! Phase 1 policy (3DES/MD5/DH group 2 are legacy choices; use AES/SHA-2 where the phones support them)
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Group the phones connect with; the pool line hands out addresses from the pool defined above
crypto isakmp client configuration group LETMEIN_GROUPx
 key $x$x$
 pool IPADDR_VPN_POOL
!
crypto ipsec transform-set MYTSET_3DESx esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
!
! The dynamic map must reference the transform-set by its defined name
crypto dynamic-map dynmap2 20
 set transform-set MYTSET_3DESx
 set pfs group2
!
! Authorization list name must match the "aaa authorization network" list above
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list LETMEIN_GROUPx
crypto map clientmap client configuration address respond
crypto map clientmap 20 ipsec-isakmp dynamic dynmap2
!
interface XXX/XXX
 ip address X.X.X.X X.X.X.X
 crypto map clientmap

Mandatory, Supported, Disabled


Cisco's documentation defines the Data Rates options as specifying the rates at which data can be transmitted between the access point and the client.

The available data rates are:

• 802.11a—6, 9, 12, 18, 24, 36, 48, and 54 Mbps

• 802.11b/g—1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps

For each data rate, choose one of these options:

Mandatory—Clients must support this data rate in order to associate to an access point on the controller. Why force 11 Mbps on an SSID, if not to enforce better performance?

Supported—Any associated clients that support this data rate may communicate with the access point using that rate. However, the clients are not required to be able to use this rate in order to associate.

Disabled—The clients specify the data rates used for communication.

The notes say the clients must support, and not operate at, this rate, and the Supported option identifies it as not required. I think I will attempt to test the overall enforcement and remove any ambiguity. I know this is one where I’ve always assumed what the options mean…

More to follow

Wireless Aerial Coverage


The following link was one I found when investigating the use of 1131AG access points. The positioning on a ceiling is certainly better qualified after reviewing this document.



Update the 000-default file with the details below to add basic authentication.

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        order deny,allow
    </Directory>

    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AuthType Basic
        AuthName "CVS REPO"
        AuthUserFile /etc/apache2/.htpasswd
        AllowOverride All
        Require valid-user
    </Directory>
</VirtualHost>


The command below creates a new user and prompts you for that user's password. Run it from /etc/apache2 (or give the full path) so the file matches the AuthUserFile above; -c creates the file and overwrites any existing one, so omit -c when adding further users.

network@S-ABD-RANCID:$ sudo htpasswd -c .htpasswd myuser

Cisco ASA, IPSEC bypass options (bozo)


To permit any packets that arrive from an IPsec tunnel without checking interface ACLs such as OUTSIDE_ACCESS_IN, use the command below, which enables IPsec traffic through the ASA without ACL checks. If VPN traffic should be subject to the interface ACLs, turn this off with "no sysopt connection permit-vpn".

hostname(config)# sysopt connection permit-vpn