PvLAN on 3850


Cisco, in their wisdom, initially offered only protected edge ports on the 3850 series rather than private VLANs. Later software versions, however, added proper PvLAN functionality.



PvLAN and crazy thoughts.


One thing crossed my mind whilst looking at using PvLANs on a pair of Cisco 3750 switches to meet a specific requirement in a network. Add an HP C7000 to the mix and a pinch of 2960s and you start to think about, and try out, some crazy ideas.

It's a great way to learn a little bit more or cement your understanding!

  1. Can I have a port in an access VLAN and allow it to communicate with another device in an isolated VLAN? No! The isolated PvLAN port is, as its name says, isolated. Devices connected to it can only communicate with a promiscuous port.
  2. Okay, can I do this with a community VLAN, by putting a device on an access port configured with the same VLAN ID as the community? No! That won't work either. However, you could obviously make it a community port instead.
  3. What if I trunk to another switch running the same PvLAN configuration? Can I trunk the two switches using a normal 802.1Q VLAN trunk port? Yes!
  4. Cool, so if I trunk in the same way from the 3750 to a 2960 and then place a port in an access VLAN matching either the primary or a secondary PvLAN, I can plug my devices into it and they'll work? No! Again, the PvLAN configuration will stop this from working.
  5. So what can I do? You could look at the Cisco 4500 series switches. These have newer features: a promiscuous trunk port and/or an isolated trunk port.

Well, it's not the answer I wanted, but it was fun trying.



Layer3 switch ACL on SVI


This is the best explanation I've come across for the direction of flow when applying an ACL inbound/outbound on an SVI. It is not my own work and was snaffled from here: https://supportforums.cisco.com/discussion/12043016/pls-explain-svi-acl-source-and-destination-direction. All credit goes to Peter Paluch.

SVI Directions

DHCP Snooping


Turn DHCP snooping on and the switch will build a binding database of IP/MAC/interface/etc. for every DHCP exchange it sees. You can also statically add bindings for devices with static IPs.


conf t
 ip dhcp snooping
 ip dhcp snooping vlan 1
 ip dhcp snooping verify mac-address
 interface fa0/1
  ! uplink towards the DHCP server: server replies are only accepted on trusted ports
  ! ('ip dhcp snooping vlan' is a global command and does not belong under the interface)
  ip dhcp snooping trust
 end
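To make the effect of the three commands above concrete, here is an added Python model of the snooping decision (not IOS code and not from the original page). It assumes VLAN 1 is snooped, Fa0/1 is the trusted uplink, and the sample packets are constructed.

```python
"""Model of the DHCP snooping behaviour the config above turns on (added example, not IOS code)."""

SNOOPED_VLANS = {1}            # ip dhcp snooping vlan 1
TRUSTED_PORTS = {"Fa0/1"}      # ip dhcp snooping trust on the uplink towards the DHCP server
VERIFY_MAC = True              # ip dhcp snooping verify mac-address
SERVER_MSGS = {"OFFER", "ACK", "NAK"}

bindings = {}   # (chaddr, vlan) -> {"ip", "port"}: the snooping binding table
_pending = {}   # (chaddr, vlan) -> untrusted port a client request arrived on

def snoop(pkt):
    """Return 'forward' or 'drop' for one DHCP packet and maintain the binding table.

    pkt keys: port, vlan, src_mac, chaddr (client hardware address in the DHCP
    header), msg, and yiaddr for server replies.
    """
    key = (pkt["chaddr"], pkt["vlan"])
    if pkt["vlan"] not in SNOOPED_VLANS:
        return "forward"                         # snooping not enabled on this VLAN
    if pkt["port"] not in TRUSTED_PORTS:
        if pkt["msg"] in SERVER_MSGS:
            return "drop"                        # server reply from an untrusted port
        if VERIFY_MAC and pkt["src_mac"] != pkt["chaddr"]:
            return "drop"                        # frame source MAC does not match chaddr
        _pending[key] = pkt["port"]              # remember which port the client is on
        return "forward"
    if pkt["msg"] == "ACK" and key in _pending:  # lease granted: record IP/MAC/port
        bindings[key] = {"ip": pkt["yiaddr"], "port": _pending.pop(key)}
    return "forward"

def add_static_binding(mac, vlan, ip, port):
    """Manual entry for a device with a static address (ip source binding on IOS)."""
    bindings[(mac, vlan)] = {"ip": ip, "port": port}

# Constructed sample traffic: a valid DISCOVER/ACK pair, then a server reply on an
# access port, then a DISCOVER whose chaddr does not match the frame's source MAC.
SAMPLE = [
    dict(port="Fa0/5", vlan=1, src_mac="aa:aa:aa:00:00:01", chaddr="aa:aa:aa:00:00:01", msg="DISCOVER"),
    dict(port="Fa0/1", vlan=1, src_mac="00:11:22:33:44:55", chaddr="aa:aa:aa:00:00:01", msg="ACK", yiaddr="10.0.1.20"),
    dict(port="Fa0/6", vlan=1, src_mac="bb:bb:bb:00:00:02", chaddr="bb:bb:bb:00:00:02", msg="OFFER", yiaddr="10.0.1.99"),
    dict(port="Fa0/7", vlan=1, src_mac="cc:cc:cc:00:00:03", chaddr="dd:dd:dd:00:00:04", msg="DISCOVER"),
]

def run_sample():
    """Verdict per sample packet, in order."""
    return [snoop(p) for p in SAMPLE]
```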

PVLAN Example – 3560 – 12.2(46)


vtp mode transparent
vlan 111
 private-vlan primary
 private-vlan association 222,333
vlan 222
 private-vlan community
vlan 333
 private-vlan isolated
interface FastEthernet0/1
 description * * PVLAN-COMMUNITY * *
 switchport private-vlan host-association 111 222
 switchport mode private-vlan host
interface FastEthernet0/2
 description * * PVLAN-COMMUNITY * *
 switchport private-vlan host-association 111 222
 switchport mode private-vlan host
interface FastEthernet0/3
 description * * ISOLATED * *
 switchport private-vlan host-association 111 333
 switchport mode private-vlan host
interface FastEthernet0/4
 description * * PVLAN-PROMISCUOUS * *
 switchport private-vlan mapping 111 222,333
 switchport mode private-vlan promiscuous

# show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
111     222       community         Fa0/1, Fa0/2, Fa0/3, Fa0/8
111     333       isolated          Fa0/4, Fa0/8

# show vlan private-vlan type

Vlan Type
---- -----------------
111  primary
222  community
333  isolated
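To check the reachability this example (and the PvLAN Q&A further up the page) implies, here is an added Python model; it is not code from the page or from Cisco. It assumes the port roles of the 3560 config above and adds a constructed plain access port, Fa0/9 in VLAN 222, for the access-port questions.

```python
"""Private-VLAN reachability model for the 3560 example and the PvLAN Q&A (added example)."""

# Secondary VLAN types from the example: 222 community, 333 isolated (primary 111).
SECONDARY_TYPE = {222: "community", 333: "isolated"}

# Port roles as configured above, plus a constructed plain access port (Fa0/9,
# 'switchport access vlan 222') for the "access port in the community's VLAN ID" question.
PORTS = {
    "Fa0/1": ("host", 222),
    "Fa0/2": ("host", 222),
    "Fa0/3": ("host", 333),
    "Fa0/4": ("promiscuous", {222, 333}),   # switchport private-vlan mapping 111 222,333
    "Fa0/9": ("access", 222),
}

def can_talk(a, b):
    """Can a frame from port a be delivered to port b under the PVLAN rules?"""
    role_a, sec_a = PORTS[a]
    role_b, sec_b = PORTS[b]
    if a == b:
        return True
    if "access" in (role_a, role_b):
        # A plain access port in a primary or secondary VLAN ID is not part of the
        # private VLAN: the switch does not forward between it and the PVLAN ports.
        return False
    if role_a == role_b == "promiscuous":
        return True                                # both live in the primary VLAN
    if role_a == "promiscuous":
        return sec_b in sec_a                      # promiscuous reaches its mapped secondaries
    if role_b == "promiscuous":
        return sec_a in sec_b
    # host <-> host: only members of the same community VLAN see each other
    return sec_a == sec_b and SECONDARY_TYPE[sec_a] == "community"

def reachable_from(port):
    """Sorted list of other ports that `port` can reach. The answer is the same for
    ports on a second switch joined by a plain 802.1Q trunk carrying 111, 222 and 333."""
    return sorted(p for p in PORTS if p != port and can_talk(port, p))

def matrix():
    """Full reachability table, port -> reachable ports."""
    return {p: reachable_from(p) for p in PORTS}
```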


Switch Macro to migrate onto a new vlan interface


As part of a network migration from one ISP to another, we had to find a way to update remote switch configurations with little fuss, while ensuring that if anything went wrong the network would revert to its previous state. Enter macros. The following was used on Cisco 3560 series switches.

vlan d
vlan 200
macro name OBS-NETMAN-IP
# schedule a reload so the switch falls back to the saved config if we lose it
do reload in 30
interface Vlan100
# take the old SVI down (the session you are typing on is probably on it)
shutdown
interface Vlan200
# new management address and mask (placeholder)
ip address x.x.x.x x.x.x.x
no shutdown
@

# save before applying: the macro and vlan 200 survive a fallback reload, the applied changes do not
wr me

# the migration run:
conf t
macro global apply OBS-NETMAN-IP
# once the switch is reachable on the new address: reload cancel, then wr me

If access was not available, then after 30 minutes the switch would reload and pick up its old configuration. Please note that in this case we were at least 500 miles away from the closest site and up to 5000 miles from the farthest. The benefit of the macro is that it continues to run even though you may have just shut down the interface your terminal session was on.

Cisco Router and Avaya Phone VPN example


ip local pool IPADDR_VPN_POOL x.x.x.x x.x.x.x
aaa new-model
aaa authentication login LETMEIN_GROUPx local
aaa authentication login userauthen local
aaa authorization network LETMEIN_GROUPx local
username AVAYAx1 password 0 xxxx1
username AVAYAx2 password 0 xxxx2
username AVAYAx3 password 0 xxxx3
username AVAYAx4 password 0 xxxx4
! 3DES, MD5 and DH group 2 are legacy choices; newer IOS supports AES, SHA-2 and group 14 or higher
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group LETMEIN_GROUPx
 key $x$x$
 ! hand out addresses from the pool defined above (it was otherwise never referenced)
 pool IPADDR_VPN_POOL
crypto ipsec transform-set MYTSET_3DESx esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map dynmap2 20
 ! must name the transform-set defined above
 set transform-set MYTSET_3DESx
 set pfs group2
crypto map clientmap client authentication list userauthen
! must name the aaa authorization network list defined above
crypto map clientmap isakmp authorization list LETMEIN_GROUPx
crypto map clientmap client configuration address respond
crypto map clientmap 20 ipsec-isakmp dynamic dynmap2
interface XXX/XXX
 ip address X.X.X.X X.X.X.X
 crypto map clientmap
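A quick consistency check for this kind of EasyVPN fragment, as an added Python example (not a Cisco tool and not from the original page): it flags names that are referenced but never defined, an address pool that is defined but never handed to a client group, and the legacy ISAKMP algorithms. The embedded sample is a trimmed copy of the fragment as originally posted, where set transform-set and the isakmp authorization list pointed at names that did not exist.

```python
"""Consistency and legacy-algorithm checks for an IOS EasyVPN fragment (added example, not Cisco tooling)."""
import re

LEGACY = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

# Trimmed copy of the fragment above as originally posted (dangling names kept on purpose).
SAMPLE_CONFIG = """
ip local pool IPADDR_VPN_POOL x.x.x.x x.x.x.x
aaa authentication login LETMEIN_GROUPx local
aaa authentication login userauthen local
aaa authorization network LETMEIN_GROUPx local
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp client configuration group LETMEIN_GROUPx
 key $x$x$
crypto ipsec transform-set MYTSET_3DESx esp-3des esp-md5-hmac
crypto dynamic-map dynmap2 20
 set transform-set MYTSET
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
"""

def check_vpn_config(text):
    """Return findings: legacy ISAKMP algorithms, dangling references, unused address pool."""
    defined = {k: set() for k in ("transform-set", "authz", "authn", "pool")}
    used, findings = [], []
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"crypto ipsec transform-set (\S+)", line):
            defined["transform-set"].add(m[1])
        elif m := re.match(r"aaa authorization network (\S+)", line):
            defined["authz"].add(m[1])
        elif m := re.match(r"aaa authentication login (\S+)", line):
            defined["authn"].add(m[1])
        elif m := re.match(r"ip local pool (\S+)", line):
            defined["pool"].add(m[1])
        elif m := re.match(r"set transform-set (\S+)", line):
            used.append(("transform-set", m[1]))
        elif m := re.match(r"crypto map \S+ isakmp authorization list (\S+)", line):
            used.append(("authz", m[1]))
        elif m := re.match(r"crypto map \S+ client authentication list (\S+)", line):
            used.append(("authn", m[1]))
        elif m := re.match(r"pool (\S+)", line):          # 'pool' under the client group
            used.append(("pool", m[1]))
        elif (m := re.match(r"(encr|hash|group) (\S+)", line)) and m[2] in LEGACY[m[1]]:
            findings.append(f"legacy ISAKMP {m[1]} {m[2]}")   # weak by today's standards
    for kind, name in used:
        if name not in defined[kind]:
            findings.append(f"{kind} '{name}' referenced but never defined")
    for name in defined["pool"] - {n for k, n in used if k == "pool"}:
        findings.append(f"pool '{name}' defined but not assigned to any client group")
    return findings
```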