PvLAN on 3850

08/02/2016

Cisco, in their wisdom, decided to offer only protected edge ports on the 3850 series rather than proper PvLANs. However, later software versions do offer full PvLAN functionality.


PvLAN and crazy thoughts.

08/02/2016

One thing crossed my mind whilst looking at using PvLANs on a pair of Cisco 3750 switches to meet a specific requirement in a network. Add an HP C7000 to the mix and a pinch of 2960s and you start to think about, and try out, some crazy ideas.

It's a great way to learn a little bit more or cement your understanding!

  1. Can I have a port in an access vLAN and allow it to communicate with another device in an isolated vLAN? No! The isolated PvLAN port is, as its name says, isolated. Devices connected to it can only communicate with a promiscuous port.
  2. Okay, can I do this with a community vLAN, by having a device on an access port defined using the same vLAN ID as the community? No! That won't work either. However, you could obviously make it a community port instead.
  3. What if I trunk to switches running the same PvLAN configuration? Can I trunk the two switches using a normal 802.1Q vLAN trunk port? Yes!
  4. Cool, so if I trunk in the same way from the 3750 to a 2960 and then place a port in an access vLAN matching either the primary or secondary PvLAN, can I plug my devices into it and they'll work? No! Again, the PvLAN configuration will stop this from working.
  5. What can I do? You could look at the Cisco 4500 series switches. These have newer features: a promiscuous trunk port and/or an isolated trunk port.

Well it’s not the answer I wanted but was fun trying.
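Points 3 and 5 above in config form. This is an added example, not from the original post: a pair of 3750s joined by an ordinary 802.1Q trunk (VLAN IDs 111/222/333 and the VTP transparent mode follow the 3560 example elsewhere on this page; the interface names are assumed), plus the Catalyst 4500 PVLAN trunk-port syntax that point 5 refers to.

```cisco
! Each 3750 is VTP transparent, so the same PVLAN definitions are entered
! by hand on both switches; the trunk between them needs nothing PVLAN-specific.
vtp mode transparent
!
vlan 111
 private-vlan primary
 private-vlan association 222,333
vlan 222
 private-vlan community
vlan 333
 private-vlan isolated
!
! Point 3: plain dot1q trunk carrying the primary and both secondaries.
! Secondary VLAN frames cross the trunk tagged with their own VLAN ID.
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 111,222,333
 switchport mode trunk
!
! Host ports on the far 3750 are configured exactly as on the near one;
! a community host here can reach community hosts across the trunk.
interface GigabitEthernet1/0/10
 switchport mode private-vlan host
 switchport private-vlan host-association 111 222
!
! Point 5 (Catalyst 4500 only): a promiscuous trunk lets a trunk towards a
! router or firewall reach every secondary without a promiscuous access port.
interface GigabitEthernet1/1
 switchport private-vlan mapping trunk 111 222,333
 switchport mode private-vlan trunk promiscuous
!
! ...and an isolated (secondary) trunk carries a secondary VLAN towards a
! downstream switch that has no PVLAN support of its own.
interface GigabitEthernet1/2
 switchport private-vlan association trunk 111 333
 switchport mode private-vlan trunk secondary
```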



Layer3 switch ACL on SVI

27/01/2015

This is the best explanation I've come across for the direction of flow when applying an ACL inbound/outbound on an SVI. It is not my own work; it was snaffled from here: https://supportforums.cisco.com/discussion/12043016/pls-explain-svi-acl-source-and-destination-direction and all credit goes to Peter Paluch.

(Image: SVI Directions)
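The directions applied to a concrete SVI, as an added example that is not from the post or from Peter Paluch's explanation. It assumes VLAN 10 is 10.0.10.0/24 and a server VLAN 20 at 10.0.20.0/24; the ACL names and addresses are made up.

```cisco
! On an SVI, "in" is traffic arriving FROM the hosts in VLAN 10 as it enters
! the routing engine, so its source addresses are in 10.0.10.0/24.
ip access-list extended VLAN10-IN
 remark clients in VLAN 10 may only reach the web server in VLAN 20
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.5 eq 443
 deny   ip  10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip  10.0.10.0 0.0.0.255 any
!
! "out" is traffic the switch routes OUT of the SVI towards the hosts in
! VLAN 10, so its destination addresses are in 10.0.10.0/24.
ip access-list extended VLAN10-OUT
 remark only replies to sessions the clients started, plus DNS answers
 permit tcp any 10.0.10.0 0.0.0.255 established
 permit udp host 10.0.20.53 eq 53 10.0.10.0 0.0.0.255
 deny   ip  any 10.0.10.0 0.0.0.255
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10-IN in
 ip access-group VLAN10-OUT out
```

Traffic between two hosts inside VLAN 10 is switched at layer 2 and never touches the SVI, so neither ACL sees it; that needs a VLAN ACL or PVLANs instead.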


DHCP Snooping

12/05/2014

Turn DHCP snooping on and the switch collates a binding database of IP/MAC/interface/VLAN/lease for every DHCP exchange it sees. You can also statically add entries for devices with static IPs.

# conf t
! global: enable snooping and scope it to VLAN 1
# ip dhcp snooping
# ip dhcp snooping vlan 1
! drop DHCP packets whose source MAC does not match the client hardware address (chaddr)
# ip dhcp snooping verify mac-address
! only the uplink towards the DHCP server is trusted; every other port stays untrusted,
! so DHCP OFFER/ACK arriving on an access port is dropped
# int fa0/1
# ip dhcp snooping trust
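The static entry the text mentions, shown as an added example (not the post's own config) that also goes slightly beyond it by rate-limiting the untrusted ports. The MAC, IP and port numbers are constructed.

```cisco
! a printer with a fixed address on VLAN 1 behind fa0/5, entered into the
! snooping binding table by hand (constructed MAC and IP)
ip source binding 0011.2233.4455 vlan 1 192.168.1.50 interface FastEthernet0/5
!
! untrusted access ports: cap DHCP packets per second so one client cannot
! flood the server or fill the binding table; the port err-disables on breach
interface range FastEthernet0/2 - 24
 ip dhcp snooping limit rate 10
!
end
! verification: dynamic leases learned from DHCP plus the static entry above,
! which shows 'static' in the Type column
show ip dhcp snooping binding
show ip dhcp snooping
```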


PVLAN Example – 3560 – 12.2(46)

11/05/2014

vtp mode transparent
!
!
vlan 111
name PVLAN-111-PRIMARY
private-vlan primary
private-vlan association 222,333
!
vlan 222
name PVLAN-222-COMMUNITY
private-vlan community
!
vlan 333
name PVLAN-333-ISOLATED
private-vlan isolated
!
!
interface FastEthernet0/1
Description * * PVLAN-COMMUNITY * *
switchport private-vlan host-association 111 222
switchport mode private-vlan host
!
interface FastEthernet0/2
Description * * PVLAN-COMMUNITY * *
switchport private-vlan host-association 111 222
switchport mode private-vlan host
!
interface FastEthernet0/3
Description * * ISOLATED * *
switchport private-vlan host-association 111 333
switchport mode private-vlan host
!
interface FastEthernet0/4
Description * * PVLAN-PROMISCUOUS * *
switchport private-vlan mapping 111 222,333
switchport mode private-vlan promiscuous
!

# show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
111     222       community         Fa0/1, Fa0/2, Fa0/3, Fa0/8
111     333       isolated          Fa0/4, Fa0/8

# show vlan private-vlan type

Vlan Type
---- -----------------
111  primary
222  community
333  isolated

Switch Macro to migrate onto a new vlan interface

05/05/2014

As part of a network migration from one ISP to another, we had to find a way to update remote switch configurations with little fuss, while ensuring that if anything went wrong the network would revert to its previous state. Enter macros. The following was used on Cisco 3560 series switches.

!
vlan d
vlan 200
name OBS-NETMAN
exit
!
! the macro: arm a 30 minute reload before touching anything, then move the
! management address from Vlan100 to Vlan200; "@" on a line of its own ends the macro
macro name OBS-NETMAN-IP
do reload in 30
interface Vlan100
shutdown
interface Vlan200
ip address 10.100.17.2 255.255.255.240
no shutdown
@
!
! save the known-good config BEFORE applying; it is what the switch comes back with
! if the reload timer fires
wr me
!
! the migration run (do not save afterwards until the switch is reachable on the
! new address; then "reload cancel" and save)
conf t
macro global apply OBS-NETMAN-IP
!

If access did not come back, then after 30 minutes the switch would reload and pick up its old configuration. Note that in this case we were at least 500 miles away from the closest site and up to 5000 miles away from the farthest. The benefit of the macro is that it continues to run even though you may have just "shutdown" the interface your terminal session was coming in on.


Cisco Router and Avaya Phone VPN example

02/04/2013

!
! remote-access IPsec for Avaya phones; x.x.x.x / XXX are placeholders
!
ip local pool IPADDR_VPN_POOL x.x.x.x x.x.x.x
!
aaa new-model
!
aaa authentication login LETMEIN_GROUPx local
aaa authentication login userauthen local
aaa authorization network LETMEIN_GROUPx local
!
! "password 0" stores the password in clear text in the config; "username X secret Y" hashes it
username AVAYAx1 password 0 xxxx1
username AVAYAx2 password 0 xxxx2
username AVAYAx3 password 0 xxxx3
username AVAYAx4 password 0 xxxx4
!
! IKE phase 1 (3DES/MD5/DH group 2 as in the original 2013 config; all three are legacy today)
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
! group policy pushed to the phones: group key, address pool, PFS
crypto isakmp client configuration group LETMEIN_GROUPx
key $x$x$
pool IPADDR_VPN_POOL
pfs
!
crypto ipsec transform-set MYTSET_3DESx esp-3des esp-md5-hmac
!
crypto ipsec security-association lifetime seconds 86400
!
! dynamic entry for clients with unknown addresses; the transform-set name
! must match the one defined above
crypto dynamic-map dynmap2 20
set transform-set MYTSET_3DESx
set pfs group2
reverse-route
!
! the xauth and group authorization lists must reference the aaa lists above
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list LETMEIN_GROUPx
crypto map clientmap client configuration address respond
crypto map clientmap 20 ipsec-isakmp dynamic dynmap2
!
! the crypto map is applied under the outside interface
interface XXX/XXX
ip address X.X.X.X X.X.X.X
crypto map clientmap
!