Wednesday, December 24, 2014

Auto Smartport macro mini scenario.

What is a smartport macro?


Let's assume that you have some devices that you plan to connect to your network, and some switch ports where you are going to plug these devices in. You also have a configuration for this kind of device, and any time you plug such a device into an appropriate port this configuration should be applied after link-up. Of course, after link-down you want the configuration to be removed from the port.
In everyday scenarios these devices are switches, routers, IP phones, access points, IP cameras, printers, laptops or desktops: any device that has an Ethernet network adapter.

Smartport macros allow you to achieve this.

For a little lab we have a simple scenario.

Scenario 1:
"There are some access Cisco switches with default configuration that we should connect to our network in our offices around the world. You need to configure the interfaces where you are going to plug in these devices, and here are some smartport macros that can really help you."

How it works:

Smartport macro




The Device Classifier (DC) is enabled by default. The DC helps you recognize a device. Every device can be identified by parameters such as CDP TLVs or LLDP TLVs, or you can use 802.1X to authenticate a device. Any Ethernet device has a MAC address.
There are some built-in Cisco device classifications based on CDP TLVs, such as:

SWITCH_1#sh macro auto device ?
  access-point    Display auto configuration information for the autonomous
                  access point
  ip-camera       Display auto configuration information for the video
                  surveillance camera
  lightweight-ap  Display auto configuration information for the light weight
                  access point
  media-player    Display auto configuration information for the digital media
                  player
  phone           Display auto configuration information for the phone device
  router          Display auto configuration information for the router device
  switch          Display auto configuration information for the switch device
  |               Output modifiers
  <cr>

To recognize and classify non-Cisco devices you can use LLDP TLVs, 802.1X messages or user-defined MAC-address groups (for devices that don't support 802.1X or LLDP, such as printers).

Let's return to our scenario.
In our case the SWITCH classifier is what we need!

SWITCH_1#sh macro auto device switch
Device:switch
Default Macro:CISCO_SWITCH_AUTO_SMARTPORT
Current Macro:CISCO_SWITCH_AUTO_SMARTPORT
Configurable Parameters:NATIVE_VLAN
Defaults Parameters:NATIVE_VLAN=1
Current Parameters:No Parameters

You can see that there is a macro and a parameter named NATIVE_VLAN.
It is interesting to see exactly what configuration this macro includes:

SWITCH_1#show parser macro name cisco-switch
Macro name : cisco-switch
Macro type : default interface
# macro keywords $native_vlan
# Access Uplink to Distribution
# Do not apply to EtherChannel/Port Group
switchport trunk encapsulation dot1q

# Define unique Native VLAN on trunk ports
# Recommended value for native vlan should not be 1
switchport trunk native vlan $native_vlan

# Update the allowed VLAN range such that it
# includes data, voice and native VLANs
switchport trunk allowed vlan ALL

# Hardcode trunk
switchport mode trunk

# Configure qos to trust this interface
auto qos voip trust

# 802.1w defines the link as pt-pt for rapid convergence
spanning-tree link-type point-to-point

By default NATIVE_VLAN=1, but you can change this:

SWITCH_1(config)#macro auto device switch ?
  LINE  Provide optional parameters of form  [Parameters name=value]
  <cr>
SWITCH_1(config)#macro auto device switch NATIVE_VALN=7     <----- Be careful here: parameters are case-sensitive and must be spelled exactly (a mistake such as NATIVE_VALN above will cause this line of config to be missing)

Verify it:
SWITCH_1#show macro auto device switch
Device:switch
Default Macro:CISCO_SWITCH_AUTO_SMARTPORT
Current Macro:CISCO_SWITCH_AUTO_SMARTPORT
Configurable Parameters:NATIVE_VLAN
Defaults Parameters:NATIVE_VLAN=1
Current Parameters:NATIVE_VALN=7


Now you need to apply this macro to the appropriate interfaces.
By default auto smartport macro processing is disabled globally but enabled per port.
If you do not want every port to be configured by the auto smartport macro, you should disable it per port:

SWITCH_1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SWITCH_1(config)#int range gi 1/0/1-28                <--- all interfaces

SWITCH_1(config-if-range)# no macro auto processing                <----- disable smartport macro processing per interface
SWITCH_1(config-if-range)#exit

As you could see above, there are some default profiles, and you can specify which profile can or cannot be applied on a port:

SWITCH_1(config-if)#macro auto control device switch  <---- with this command the smartport macro will be applied only when the appropriate CDP TLV value is "switch", not "router" or "IPphone"



SWITCH_1(config)#macro auto global processing      <---- globally enable processing



After plugging in your device and waiting for at least one CDP message to be received:

*Mar 23 00:00:48.628: %AUTOSMARTPORT-5-INSERT: Device Switch detected on interface GigabitEthernet1/0/27, executed CISCO_SWITCH_EVENT
*Mar 23 00:00:49.501: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/27, changed state to down
*Mar 23 00:00:52.378: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/27, changed state to up

SWITCH_1#sh run int gi 1/0/27
Building configuration...

Current configuration : 318 bytes
!
interface GigabitEthernet1/0/27
switchport trunk encapsulation dot1q
switchport trunk native vlan 7
switchport mode trunk
speed nonegotiate
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
auto qos trust
macro description CISCO_SWITCH_EVENT
macro auto control device switch
end

Here you can see CISCO_SWITCH_EVENT as the macro description.


Use the show shell triggers and show shell functions commands to see the relation between trigger, macro and parameters:

SWITCH_1#sh shell trigger | b CISCO_SWITCH_EVENT
Trigger Id: CISCO_SWITCH_EVENT
Trigger description: Switch device event to apply port configuration
Trigger environment: Parameters that can be set in the shell - $NATIVE_VLAN=(1), The value in the parenthesis is a default value
Trigger mapping function: CISCO_SWITCH_AUTO_SMARTPORT


SWITCH_1#sh shell functions CISCO_SWITCH_AUTO_SMARTPORT
function CISCO_SWITCH_AUTO_SMARTPORT () {
    if [[ $LINKUP -eq YES ]]; then
        conf t
            interface  $INTERFACE
                macro description $TRIGGER
                auto qos voip trust
                switchport trunk encapsulation dot1q
                switchport trunk native vlan $NATIVE_VLAN
                switchport trunk allowed vlan ALL
                switchport mode trunk
            exit
        end
    else
         conf t
             interface  $INTERFACE
                 no macro description
                 no auto qos voip trust
                 no switchport mode trunk
                 no switchport trunk encapsulation dot1q
                 no switchport trunk native vlan $NATIVE_VLAN
                 no switchport trunk allowed vlan ALL
             exit
         end
    fi
}

SWITCH_1#
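The trigger, the shell function and the parameter line above fit together in a small model. The following Python is an added example, not code from this post or from Cisco: it renders the CISCO_SWITCH_AUTO_SMARTPORT function shown above as a list of interface commands for a link-up or link-down event, and adds the pre-commit check that the NATIVE_VALN=7 slip earlier in the post calls for, comparing every parameter name typed after "macro auto device switch" against the configurable parameters of the profile (case-sensitively, as the switch does). The DEVICE_PARAMETERS table and the function names are my own; only the profile name, parameter and defaults come from the show output on the page.

```python
"""Model of how an Auto Smartport trigger turns into interface commands.

Added example, not code from the blog post or from Cisco. It renders the
CISCO_SWITCH_AUTO_SMARTPORT shell function shown on the page and adds a
pre-commit check for the pitfall the post warns about: parameter names typed
after "macro auto device switch" must match the configurable parameter names
exactly (NATIVE_VALN=7 on the page is such a mistake).
"""

# Configurable parameters and their defaults per device profile, taken from
# the "show macro auto device switch" output on the page (hypothetical table).
DEVICE_PARAMETERS = {
    "switch": {"NATIVE_VLAN": "1"},
}


def parse_parameters(line):
    """Parse 'NAME=value NAME2=value2' as typed after 'macro auto device <dev>'."""
    params = {}
    for token in line.split():
        name, sep, value = token.partition("=")
        if not sep or not name or not value:
            raise ValueError(f"malformed parameter token: {token!r}")
        params[name] = value
    return params


def unknown_parameters(device, params):
    """Names that are not configurable parameters of this profile.

    The comparison is case-sensitive on purpose: that is what the switch
    does, so NATIVE_VALN or native_vlan are both reported here.
    """
    return [name for name in params if name not in DEVICE_PARAMETERS[device]]


def render_switch_macro(interface, trigger, linkup, native_vlan):
    """Commands the CISCO_SWITCH_AUTO_SMARTPORT function applies or removes.

    Mirrors the if/else branches of the shell function on the page; the
    link-down branch removes what the link-up branch added.
    """
    if linkup:
        return [
            f"interface {interface}",
            f" macro description {trigger}",
            " auto qos voip trust",
            " switchport trunk encapsulation dot1q",
            f" switchport trunk native vlan {native_vlan}",
            " switchport trunk allowed vlan ALL",
            " switchport mode trunk",
        ]
    return [
        f"interface {interface}",
        " no macro description",
        " no auto qos voip trust",
        " no switchport mode trunk",
        " no switchport trunk encapsulation dot1q",
        f" no switchport trunk native vlan {native_vlan}",
        " no switchport trunk allowed vlan ALL",
    ]


def apply_event(device, param_line, interface, trigger, linkup):
    """Validate the operator's parameter line, then render the macro for an event.

    Raises ValueError instead of quietly accepting a misspelled name, so the
    typo is caught before the first switch is plugged in.
    """
    params = parse_parameters(param_line)
    bad = unknown_parameters(device, params)
    if bad:
        raise ValueError(f"unknown parameter(s) for {device}: {', '.join(bad)}")
    effective = {**DEVICE_PARAMETERS[device], **params}
    return render_switch_macro(interface, trigger, linkup, effective["NATIVE_VLAN"])


if __name__ == "__main__":
    # Event constructed from the %AUTOSMARTPORT-5-INSERT message on the page.
    for cmd in apply_event("switch", "NATIVE_VLAN=7", "GigabitEthernet1/0/27",
                           "CISCO_SWITCH_EVENT", True):
        print(cmd)
    print("typo check:", unknown_parameters("switch", parse_parameters("NATIVE_VALN=7")))
```

Running the module prints the seven link-up commands for Gi1/0/27 with native VLAN 7, then ['NATIVE_VALN'] for the misspelled line; apply_event refuses that line outright.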


Scenario 2

Suppose you disabled CDP for security purposes, or your access switches, laptops or other devices are not Cisco devices and not LLDP-capable:

You can configure a MAC address group to be a trigger event:

SWITCH_1(config)#macro auto mac-address-group ?
  WORD  Auto Smart Ports MAC address-group name

SWITCH_1(config)#macro auto mac-address-group MY_ACCESS_SWITCHES
SWITCH_1(config-addr-grp-mac)#mac-address list 0012.d986.ae83      <---- MAC address of your device


You can control per interface how devices are classified:

SWITCH_1(config-if)#macro auto control ?
  detection  Enable device detection based on methods like cdp or lldp
  device     Enable macro auto execution for devices
  trigger    Enable macro auto execution for configured triggers

SWITCH_1(config-if)#macro auto control detection mac-address ?
  cdp   Enable cdp based auto configuration
  lldp  Enable lldp based auto configuration
  <cr>

SWITCH_1(config-if)#macro auto control detection mac-address
SWITCH_1(config-if)#do sh run int gi 1/0/27
Building configuration...

Current configuration : 102 bytes
!
interface GigabitEthernet1/0/27
speed nonegotiate
macro auto control detection mac-address
end

SWITCH_1(config-if)#do sh mac add dyn int gi 1/0/27
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0012.d986.ae83    DYNAMIC     Gi1/0/27
Total Mac Addresses for this criterion: 1



Verify the MAC address group we created:
SWITCH_1#sh macro auto ?
  address-group  Display configured address groups
  device         Display device macro information
  event          macro event related commands
  global         Display global macro information
  interface      Display interface auto smart port status

SWITCH_1#sh macro auto address-group
MAC Address Group Configuration:

Group Name                      OUI         MAC ADDRESS
--------------------------------------------------------------
MY_ROUTERS                                  0001.0001.0001

MY_ACCESS_SWITCHES                          0012.D986.AE83

CISCO_DMP_EVENT                 0023.AC
                                000F.44


Now we have a trigger (the MAC address group) configured, and we can configure a user-defined macro.
For our scenario we modified the text of the default CISCO_SWITCH_AUTO_SMARTPORT and mapped it to the MAC address group trigger:


SWITCH_1(config)#macro auto execute MY_ACCESS_SWITCHES ?
  LINE     Input Macro Parameters [parameter_name=value] (e.g. VOICE_VLAN=100);
           or to define a new macro use { macro commands }
  builtin  Display builtin shell functions       <---- you can use built-in macros

  remote   path to remote shell function         <----- you can specify a remote path for the macro function

You can save your macro.txt on a remote server and load it when you need it:
SWITCH_1(config)#macro auto execute MY_ACCESS_SWITCHES remote ?
  flash1:  URL of the shell function
  flash:   URL of the shell function
  ftp:     URL of the shell function
  http:    URL of the shell function
  https:   URL of the shell function
  nvram:   URL of the shell function
  rcp:     URL of the shell function
  scp:     URL of the shell function
  tftp:    URL of the shell function

SWITCH_1(config)#macro auto execute MY_ACCESS_SWITCHES remote tftp://IP_ADDRESS/macro.txt
We will use a locally defined macro for our scenario:

Do not forget to specify the parameters. In our case it is NATIVE_VLAN=7, written without brackets; several parameters are separated by spaces:


SWITCH_1(config)#macro auto execute MY_ACCESS_SWITCHES NATIVE_VLAN=7 {
>    if [[ $LINKUP -eq YES ]]; then
>        conf t
>            interface  $INTERFACE
>                macro description $TRIGGER
>                auto qos voip trust
>                description << ACCESS SWITCH >>           <-- user-defined description
>                mac access-group ALL_ARP in               <--- user-defined ACL
>                switchport trunk encapsulation dot1q
>                switchport trunk native vlan $NATIVE_VLAN
>                switchport trunk allowed vlan ALL
>                switchport mode trunk
>            exit
>        end
>    else
>         conf t
>             interface  $INTERFACE
>                 no macro description
>                 no auto qos voip trust
>                 no description << ACCESS SWITCH >>
>                 no mac access-group ALL_ARP in
>                 no switchport mode trunk
>                 no switchport trunk encapsulation dot1q
>                 no switchport trunk native vlan $NATIVE_VLAN
>                 no switchport trunk allowed vlan ALL
>             exit
>         end
>    fi
>}


As a result we have:

*Mar 23 03:27:15.649: %SYS-5-CONFIG_I: Configured from console by vty0
*Mar 23 03:27:16.144: %AUTOSMARTPORT-5-INSERT: Device with mac-address 0012.d986.ae83 detected on interface GigabitEthernet1/0/27, executed MY_ACCESS_SWITCHES
*Mar 23 03:27:16.798: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/27, changed state to down
*Mar 23 03:27:19.676: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/27, changed state to up

SWITCH_1(config)#do sh run int gi 1/0/27
Building configuration...

Current configuration : 389 bytes
!
interface GigabitEthernet1/0/27
description << ACCESS SWITCH >>
switchport trunk encapsulation dot1q
switchport trunk native vlan 7
switchport mode trunk
speed nonegotiate
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
auto qos trust
macro description MY_ACCESS_SWITCHES
macro auto control detection mac-address
mac access-group ALL_ARP in
end

After disconnecting the device we get these messages:

*Mar 23 03:33:04.464: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan14, changed state to down
*Mar 23 03:33:05.429: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/27, changed state to down
*Mar 23 03:33:06.452: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/27, changed state to down
*Mar 23 03:33:07.929: %AUTOSMARTPORT-5-REMOVE: Device removed on interface GigabitEthernet1/0/27, executed MY_ACCESS_SWITCHES to remove the configuration

Verify:
SWITCH_1(config)#do sh run int gi 1/0/27
interface GigabitEthernet1/0/27
speed nonegotiate
macro auto control detection mac-address
end

It is a very interesting feature and can help you get rid of many problems related to installing your equipment in remote offices.
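The %AUTOSMARTPORT-5-INSERT and -REMOVE messages shown in both scenarios are the audit trail of this feature: they say which trigger fired on which port and which macro was executed. Since the switch and MAC-group macros turn a port into a trunk with "allowed vlan ALL", it is worth replaying these messages from your syslog collector and checking that trunk-creating macros only ever fire on ports where an uplink is expected. The Python below is an added example, not code from this post or from Cisco; the message formats are the three lines on the page, the last sample line (Gi1/0/5) is constructed, and the trunk_macros / expected_uplinks sets are assumptions you would fill from your own port plan.

```python
"""Replay %AUTOSMARTPORT syslog messages and keep per-port macro state.

Added example, not from the blog post or from Cisco. It parses the
INSERT/REMOVE messages shown on the page, tracks which macro is currently
applied on each interface, and flags trunk-creating macros that fire on
ports where no uplink is expected.
"""
import re

# Message formats copied from the page; the timestamp prefix is ignored.
AUTOSMARTPORT_RE = re.compile(
    r"%AUTOSMARTPORT-5-(?P<event>INSERT|REMOVE): Device (?P<detail>.*?)"
    r" on interface (?P<iface>\S+), executed (?P<macro>\S+)"
)
MAC_RE = re.compile(r"mac-address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)


def parse_autosmartport(line):
    """Return a dict for an %AUTOSMARTPORT line, or None for any other line."""
    m = AUTOSMARTPORT_RE.search(line)
    if not m:
        return None
    mac = MAC_RE.search(m.group("detail"))
    return {
        "event": m.group("event"),
        "interface": m.group("iface"),
        "macro": m.group("macro"),
        "mac": mac.group("mac").lower() if mac else None,  # None for CDP-based triggers
    }


def replay(lines, trunk_macros, expected_uplinks):
    """Walk the log in order and return (state, alerts).

    state:  interface -> macro currently applied (entry removed on REMOVE)
    alerts: one string per trunk macro applied on a port not in expected_uplinks
    """
    state, alerts = {}, []
    for line in lines:
        ev = parse_autosmartport(line)
        if ev is None:
            continue
        if ev["event"] == "INSERT":
            state[ev["interface"]] = ev["macro"]
            if ev["macro"] in trunk_macros and ev["interface"] not in expected_uplinks:
                alerts.append(f"{ev['interface']}: trunk macro {ev['macro']} "
                              f"applied on a non-uplink port (mac={ev['mac']})")
        else:
            state.pop(ev["interface"], None)
    return state, alerts


# Constructed sample log: three messages from the page, one unrelated line,
# and one constructed line (not on the page) for Gi1/0/5.
SAMPLE_LOG = [
    "*Mar 23 00:00:48.628: %AUTOSMARTPORT-5-INSERT: Device Switch detected on interface GigabitEthernet1/0/27, executed CISCO_SWITCH_EVENT",
    "*Mar 23 03:27:16.144: %AUTOSMARTPORT-5-INSERT: Device with mac-address 0012.d986.ae83 detected on interface GigabitEthernet1/0/27, executed MY_ACCESS_SWITCHES",
    "*Mar 23 03:27:16.798: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/27, changed state to down",
    "*Mar 23 03:33:07.929: %AUTOSMARTPORT-5-REMOVE: Device removed on interface GigabitEthernet1/0/27, executed MY_ACCESS_SWITCHES to remove the configuration",
    "*Mar 23 04:10:00.000: %AUTOSMARTPORT-5-INSERT: Device with mac-address 0012.d986.ae83 detected on interface GigabitEthernet1/0/5, executed MY_ACCESS_SWITCHES",
]

# Assumed port plan: only Gi1/0/27 is supposed to receive an uplink macro.
TRUNK_MACROS = {"CISCO_SWITCH_EVENT", "MY_ACCESS_SWITCHES"}
EXPECTED_UPLINKS = {"GigabitEthernet1/0/27"}


if __name__ == "__main__":
    state, alerts = replay(SAMPLE_LOG, TRUNK_MACROS, EXPECTED_UPLINKS)
    print("current macros:", state)
    for a in alerts:
        print("ALERT", a)
```

After the replay, Gi1/0/27 has no macro left (its REMOVE message was processed) and the only alert is for the constructed Gi1/0/5 event. The same MAC address appearing on a second port is exactly the kind of thing a MAC-group trigger cannot tell apart, which is why the post's own per-interface "macro auto control" limits and this kind of monitoring belong together.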


Useful commands:

sh macro auto device [<name>]
show parser macro name [<name>]
show shell triggers
show shell functions
show macro auto interface [<if-number>]
show parser macro brief
show macro auto address-group
show parser macro description [<if-id>]


Q&A section:
Q: What helps to map device classifier to interface configuration?
A: Trigger event.

Q: What is the difference between auto and static smartport macros?
A: When static smartport macros are applied to an interface, the switch does not delete the configuration after a link-down event.

Q: What are the most common triggers based on?
A: The most common triggers are based on CDP.

Q: Can you configure mac-address based trigger on a switch?
A: A MAC address based trigger is configured on a switch with the macro auto mac-address-group command.

Q: What are the default cisco device classification profiles you know?
A: switch, router, access-point, ip-camera, media-player

Q: What command allows you  to change default parameters of macros?
A: Macro auto device switch parameter_value=<value> command.

Q: Can you store a user-defined macro on a remote server?
A: You can specify a remote server where you store user-defined macros.


Q: What command displays a macro with its CLI commands?
A: show parser macro [name<name>]

Q: What command enables autosmartport macro globally?
A: macro auto global processing

Q: What command displays information about triggers and macros?
A: show shell [triggers|functions]

Q: What is the purpose of macro auto control  command?
A: To specify when the switch applies an auto smartports macro based on the detection method, device type, or trigger.

Q: What command verifies the "switch" auto smartport macro's default and current parameters?
A: show macro auto device switch


Q: Write a command which specifies that when a switch is plugged into the port, the "switch" auto smartport macro should be used with the parameter NATIVE_VLAN equal to 7.
A:  macro auto device switch NATIVE_VLAN=7



Best regards.


Kravets Dmitriy

Saturday, December 20, 2014

Cisco smartport macros

Found some links from blogs:
techlanguageblog
firstdigest.com
techrepublic.com
ccietalk.com

Links from cisco.com configuration guides for different platforms:
Catalyst 2950
Catalyst 3750
Catalyst 4500
Catalyst 6500

Forums:
ieoc.com
ieoc.com


Some youtube videos:

OSPF passive interface default with smartport macro
Example of autosmartport configuration


Here you can find some practice with the auto smartport macro.



Best regards.
Kravets Dmitriy

Thursday, December 11, 2014

Traffic filtering with VLAN map.

Here is some info that I found on Cisco.com in the configuration guides for Catalyst 6500 series and Catalyst 3750 switches.

1.1 All non-IP protocols are access-controlled through MAC addresses and Ethertype using MAC VLAN maps.
1.2 IP traffic is not access controlled by MAC VLAN maps with matching Ethertype 0x0800

2.1 Each VLAN access map can consist of one or more map sequences; each sequence has a match clause and an action clause. The match clause specifies IP or MAC ACLs for particular type traffic filtering and the action clause specifies the action to be taken when a match occurs.

3.1 When a flow matches a permit ACL entry, the associated action is taken and the flow is not checked against the remaining sequences.
3.2 When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence of VLAN map.

4.1 If there is a match clause for that type of packet (IP or MAC) in the VLAN map, the default action is to drop the packet if the packet does not match any of the entries within the map.
4.2 If there is no match clause for that type of packet (no "match ip address" or no "match mac address" command in any clause), the default is to forward the packet.

5.1 VACLs have an implicit deny at the end of the map.

6.1 If an empty or undefined ACL is specified in a VACL, any packets will match the ACL, and the associated action is taken.
- This means you can specify a VLAN map clause without a specified ACL but with a specified action, and all traffic that reaches this clause will be forwarded.

7.1 You can enforce VLAN maps only on packets going through the switch;  you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch connected to this switch.
- This means you cannot filter traffic generated between two neighboring switches, such as CDP/VTP/DTP/PAgP.

Topology for our little lab:


Let's test connectivity from R2.
Connectivity test_1:
R2#ping 10.1.1.1
!!!!!
R2#ping 172.20.1.1
!!!!!
R2#ping 172.20.2.1
!!!!!
R2#ping 172.20.3.1
!!!!!

We begin our lab by configuring the necessary ACLs:

Empty MAC and IP ACLs:
SWITCH_2(config)#mac access-list ex MAC_EMPTY
SWITCH_2(config)#ip access-list extended IP_EMPTY

MAC ACL for matching ARP packets:
SWITCH_2(config)#mac access-list extended ALL_ARP
SWITCH_2(config-ext-macl)#permit any any 0x806 0x0

IP ACL for matching R1's IP addresses:
SWITCH_2(config)#ip access-list extended R1_IP
SWITCH_2(config-ext-nacl)#10 permit ip 172.20.3.0 0.0.0.255 any
SWITCH_2(config-ext-nacl)#20 permit ip 10.0.0.0 0.255.255.255 any
SWITCH_2(config-ext-nacl)#30 permit ip 172.20.2.0 0.0.0.255 any
SWITCH_2(config-ext-nacl)#40 deny ip 172.20.1.0 0.0.0.255 any

Verify the created ACLs:
SWITCH_2(config)#do sh access-list
Extended IP access list IP_EMPTY
Extended IP access list R1_IP
    10 permit ip 172.20.3.0 0.0.0.255 any
    20 permit ip 10.0.0.0 0.255.255.255 any
    30 permit ip 172.20.2.0 0.0.0.255 any
    40 deny ip 172.20.1.0 0.0.0.255 any
Extended MAC access list ALL_ARP
    permit any any 0x806 0x0
Extended MAC access list MAC_EMPTY

There are no filters on VLAN 12 yet (see topology):
SWITCH_2(config)#do sh vlan filter

SWITCH_2(config)#

Configure a VLAN map as described in 2.1.
Configure VLAN map TEST-MAP without any ACL or action and apply this map to VLAN 12:
SWITCH_2(config)#vlan access-map TEST-MAP ?
  <0-65535>  Sequence to insert to/delete from existing vlan access-map entry
  <cr>
SWITCH_2(config)#vlan access-map TEST-MAP 10
SWITCH_2(config-access-map)#exit
SWITCH_2(config)#vlan filter TEST-MAP vlan-list 12
SWITCH_2(config)#end

Verify the VLAN map applied to VLAN 12:
SWITCH_2#sh vlan filter
VLAN Map TEST-MAP is filtering VLANs:
  12
SWITCH_2#

SWITCH_2#sh vlan access-map
Vlan access-map "TEST-MAP"  10
  Match clauses:
  Action:
    forward
SWITCH_2#
As you can see above, the default action is "forward" (see 6.1).

Connectivity test_2:
Let's test connectivity from R2:
R2#ping 10.1.1.1
!!!!!
R2#ping 172.20.1.1
!!!!!
R2#ping 172.20.2.1
!!!!!
R2#ping 172.20.3.1
!!!!!

Now apply only the empty MAC ACL to clause 10 of our VLAN map:
SWITCH_2(config)#vlan access-map TEST-MAP 10
SWITCH_2(config-access-map)#match mac address MAC_EMPTY
SWITCH_2(config-access-map)#exit
SWITCH_2(config)#do sh vlan access TEST-MAP
Vlan access-map "TEST-MAP"  10
  Match clauses:
    mac address: MAC_EMPTY
  Action:
    forward

Connectivity test_3:
R2#ping 10.1.1.1
!!!!!
R2#ping 172.20.1.1
!!!!!
R2#ping 172.20.2.1
!!!!!
R2#ping 172.20.3.1
!!!!!
As connectivity test_3 shows us, an empty MAC ACL doesn't filter any traffic (see 6.1, ACL MAC_EMPTY).

Let's add to our VLAN map the MAC ACL matching ARPs:
SWITCH_2#conf t
SWITCH_2(config)#vlan access-map TEST-MAP 9
SWITCH_2(config-access-map)#match mac address ALL_ARP
SWITCH_2(config-access-map)#action drop
SWITCH_2(config-access-map)#exit
SWITCH_2(config)#do sh vlan access-map
Vlan access-map "TEST-MAP"  9
  Match clauses:
    mac address: ALL_ARP
  Action:
    drop
Vlan access-map "TEST-MAP"  10
  Match clauses:
    mac address: MAC_EMPTY
  Action:
    forward

Connectivity test_4:
R2#ping 10.1.1.1
!!!!!

Look at the ARP tables on both routers and clear ARP on R1:
R2#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1               84   0000.0000.0002  ARPA   FastEthernet0/0
Internet  10.1.1.2                -   0000.0000.0001  ARPA   FastEthernet0/0

R1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0000.0000.0002  ARPA   FastEthernet0/0
Internet  10.1.1.2               84   0000.0000.0001  ARPA   FastEthernet0/0

R1#clear ip arp 10.1.1.2
R1#
R1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0000.0000.0002  ARPA   FastEthernet0/0


Connectivity test_5:
R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Now add a static ARP entry on both routers and test connectivity again:
R1(config)#arp 10.1.1.2 0000.0000.0001 ARPA

R2(config)#arp 10.1.1.1 0000.0000.0002 ARPA
R2(config)#end

Connectivity test_6:
R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/44/92 ms

Connectivity test_5 shows us that our ARP filter works well, and test_6 shows us that IP traffic wasn't filtered by our VLAN map; that's why all IP packets are forwarded after adding the static ARP entries (see 4.2).

Next we will delete the empty clause 10 and add the IP ACL to our VLAN map:

SWITCH_2(config)#no vlan access-map "TEST-MAP" 10
SWITCH_2(config)# vlan access-map "TEST-MAP" 10
SWITCH_2(config-access-map)#match ip address R1_IP
SWITCH_2(config-access-map)#action forward
SWITCH_2(config-access-map)#exit
SWITCH_2(config)#do sh vlan access-map
Vlan access-map "TEST-MAP"  9
  Match clauses:
    mac address: ALL_ARP
  Action:
    drop
Vlan access-map "TEST-MAP"  10
  Match clauses:
    ip  address: R1_IP
  Action:
    forward

Connectivity test_7:
R2#ping 10.1.1.1
!!!!!
R2#ping 172.20.1.1
.....
R2#ping 172.20.2.1
!!!!!
R2#ping 172.20.3.1
!!!!!

Connectivity test_7 shows us the explicit drop (see 5.1) and the denied traffic addressed to 172.20.1.1 caused by ACL R1_IP's deny entry (see 4.1 and ACL R1_IP).

Now let me show you 3.1 and 3.2 in action.
In clause 10 we change the action to "drop":

SWITCH_2(config)#vlan access-map "TEST-MAP" 10
SWITCH_2(config-access-map)#action drop

Connectivity test_8:
R2#ping 10.1.1.1
.....
R2#ping 172.20.3.1
.....
R2#ping 172.20.2.1
.....
R2#ping 172.20.1.1
.....

As you see, all packets to addresses permitted by IP ACL R1_IP were administratively dropped by the "drop" action of our VLAN map, and packets sent to 172.20.1.1 were dropped by the implicit deny of our map.

Configure an empty clause 15 to permit all packets that were not filtered before, and send pings:
SWITCH_2(config)#vlan access-map "TEST-MAP" 15

Connectivity test_9
R2#ping 172.20.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Test_9 didn't show connectivity because the ICMP request was sent from address 10.1.1.2 (we can see it in debugging_1):


debugging_1:
R2#deb ip packet
IP packet debugging is on
R2#ping 172.20.1.1 rep 1
*Mar 10 07:54:02.344: IP: tableid=0, s=10.1.1.2 (local), d=172.20.1.1 (FastEthernet0/0), routed via FIB
*Mar 10 07:54:02.348: IP: s=10.1.1.2 (local), d=172.20.1.1 (FastEthernet0/0), len 100, sending.
Success rate is 0 percent (0/1)


Configure interface Lo4 with IP address 172.20.1.2/32 on R2, add a static route to this address on R1 and see the result:

R2#conf t
R2(config)#int lo4
R2(config-if)#ip add
R2(config-if)#ip address 172.20.1.2 255.255.255.255

R1#conf t
R1(config)#ip route 172.20.1.2 255.255.255.255 10.1.1.2

Connectivity test_10:
R2#ping 172.20.1.1 source 172.20.1.2      <---- specify a source address so the packets are not filtered by our VLAN map (see IP ACL R1_IP)
Packet sent with a source address of 172.20.1.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/37/80 ms

As I said at the beginning of this little lab, you cannot filter IP traffic with a MAC VLAN map by specifying ethertype 0x0800. You also cannot filter traffic between two switches such as CDP/VTP/PAgP. It is not necessary to reapply the VLAN map filter every time you reconfigure it; at least I did not reapply it while labbing.
Everything shown and mentioned above you can test by yourself.
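The rules 3.1 to 6.1 quoted at the top of this post are easier to reason about as a small program than as prose, and the lab gives enough test cases to check such a program against. The Python below is an added example, not code from this post or from Cisco: it implements the VLAN-map evaluation order (first permit decides, deny or no hit moves on, implicit deny when a clause for the packet type exists, forward when none does, empty ACL matches everything), rebuilds the post's ACLs and TEST-MAP inline, and replays connectivity tests 7, 8, 9 and 10 plus the ARP case. Two simplifications are my own: an IP ACL entry is modelled by source and destination prefixes only, a MAC ACL entry by EtherType only; a sequence with no match clause at all is treated as matching every packet, which is what tests 2 and 9 show. The ping model assumes the static ARP entries the post added before test_6, so it only evaluates the IP echo and its reply.

```python
"""Model of Catalyst VLAN access-map (VACL) evaluation.

Added example, not code from the blog post or from Cisco. Implements rules
3.1, 3.2, 4.1, 4.2, 5.1 and 6.1 quoted in the post and replays its tests.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class IpEntry:
    permit: bool
    src: str                 # source prefix, e.g. "172.20.3.0/24"
    dst: str = "0.0.0.0/0"   # "any"


@dataclass
class MacEntry:
    permit: bool
    ethertype: Optional[int] = None   # None = any EtherType


@dataclass
class Sequence:
    seq: int
    action: str = "forward"                        # IOS default action
    match_ip: list = field(default_factory=list)   # IP ACL names
    match_mac: list = field(default_factory=list)  # MAC ACL names


def acl_result(entries, pkt):
    """'permit', 'deny' or None (no entry hit). Rule 6.1: empty ACL matches all."""
    if not entries:
        return "permit"
    for e in entries:
        if isinstance(e, IpEntry):
            hit = (ip_address(pkt["src"]) in ip_network(e.src)
                   and ip_address(pkt["dst"]) in ip_network(e.dst))
        else:
            hit = e.ethertype is None or e.ethertype == pkt["ethertype"]
        if hit:
            return "permit" if e.permit else "deny"
    return None


def evaluate(vlan_map, acls, pkt):
    """Return 'forward' or 'drop' for one packet crossing the filtered VLAN."""
    kind = "ip" if pkt["ethertype"] == 0x0800 else "mac"
    # Rule 4.2: no match clause for this packet type anywhere -> forward.
    if not any((s.match_ip if kind == "ip" else s.match_mac) for s in vlan_map):
        return "forward"
    for s in sorted(vlan_map, key=lambda x: x.seq):
        names = s.match_ip if kind == "ip" else s.match_mac
        if not names:
            if s.match_ip or s.match_mac:
                continue          # clause only for the other packet type
            return s.action       # empty sequence: applies to everything
        for name in names:
            if acl_result(acls[name], pkt) == "permit":
                return s.action   # rule 3.1: first permit decides
            # rule 3.2: deny or no hit -> next ACL / next sequence
    return "drop"                 # rules 4.1 / 5.1: implicit deny


def ping(vlan_map, acls, src, dst):
    """A ping succeeds only if both the echo and its reply are forwarded."""
    req = {"ethertype": 0x0800, "src": src, "dst": dst}
    rep = {"ethertype": 0x0800, "src": dst, "dst": src}
    return (evaluate(vlan_map, acls, req) == "forward"
            and evaluate(vlan_map, acls, rep) == "forward")


# ACLs as configured on SWITCH_2 in the post.
ACLS = {
    "MAC_EMPTY": [],
    "IP_EMPTY": [],
    "ALL_ARP": [MacEntry(True, 0x0806)],
    "R1_IP": [IpEntry(True, "172.20.3.0/24"), IpEntry(True, "10.0.0.0/8"),
              IpEntry(True, "172.20.2.0/24"), IpEntry(False, "172.20.1.0/24")],
}
ARP = {"ethertype": 0x0806}
TARGETS = ("10.1.1.1", "172.20.1.1", "172.20.2.1", "172.20.3.1")

# TEST-MAP at the stage of connectivity tests 7, 8 and 9/10.
MAP_TEST7 = [Sequence(9, "drop", match_mac=["ALL_ARP"]), Sequence(10, "forward", match_ip=["R1_IP"])]
MAP_TEST8 = [Sequence(9, "drop", match_mac=["ALL_ARP"]), Sequence(10, "drop", match_ip=["R1_IP"])]
MAP_TEST9 = MAP_TEST8 + [Sequence(15)]


def replay_tests():
    """Results of the post's tests 7 to 10 plus the ARP case, keyed by name."""
    return {
        "test_7": [ping(MAP_TEST7, ACLS, "10.1.1.2", d) for d in TARGETS],
        "test_8": [ping(MAP_TEST8, ACLS, "10.1.1.2", d) for d in TARGETS],
        "test_9": ping(MAP_TEST9, ACLS, "10.1.1.2", "172.20.1.1"),
        "test_10": ping(MAP_TEST9, ACLS, "172.20.1.2", "172.20.1.1"),
        "arp": evaluate(MAP_TEST7, ACLS, ARP),
    }


if __name__ == "__main__":
    for name, result in replay_tests().items():
        print(name, result)
```

The model reproduces the post: in test_7 only the ping to 172.20.1.1 fails, and it fails on the reply (source 172.20.1.1 hits the deny entry, falls through to the implicit deny), not on the request; test_9 fails because the request's source 10.1.1.2 is permitted by R1_IP and so takes clause 10's drop; test_10 succeeds because both directions are denied by R1_IP and fall through to the empty clause 15.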

Any comments will be useful.



Best regards!
Dmitriy Kravets.


Wednesday, December 3, 2014

Private VLAN with VTPv3 and spanning tree.

There is documentation where you can find a full configuration guide for setting up private VLANs. The first step of the official guide is "setting VTP to transparent mode", because private VLANs are not supported by VTP versions 1 and 2.
Here you can see an example of configuring private VLANs with VTPv3. I also decided to check for the existence of a single spanning-tree instance for the primary and secondary private VLANs.


Let's see the topology: here we have four real Catalyst 3750 switches with MSTP on SWITCH_2 and PVST+ on SWITCH_3, SWITCH_4 and SWITCH_1.
SWITCH_2 is the root for the entire topology. VLAN 10 is manually "pruned" from the trunk between SWITCH_1 and SWITCH_2 and has a different layer 2 topology from VLAN 8.
We have two GNS3 routers, R1 and R2, for testing connectivity in the private VLAN. Router R2 is connected to a "community" port, router R1 is connected to a "promiscuous" port.

Configure router interfaces:

R1#sh ip inter bri | e ass
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up

R2#sh ip inter bri | e ass
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.2        YES manual up                    up



Check our spanning-tree topology for VLANs 8 and 10:

SWITCH_1#sh span root | i VLAN0010|VLAN0008
VLAN0008             0 0012.d994.fd80         4   10   20  15  Gi1/0/25
VLAN0010             0 0012.d994.fd80         8   10   20  15  Gi1/0/27

SWITCH_2#sh span vl 10 | i Desg
Gi1/0/3             Desg FWD 20000     128.3    P2p Bound(PVST)
Gi1/0/11            Desg FWD 20000     128.11   P2p Bound(PVST)

SWITCH_2#sh span vl 8 | i Desg
Gi1/0/3             Desg FWD 20000     128.3    P2p Bound(PVST)
Gi1/0/11            Desg FWD 20000     128.11   P2p Bound(PVST)
Gi1/0/12            Desg FWD 20000     128.12   P2p Bound(PVST)

SWITCH_2#sh span root

                                        Root    Hello Max Fwd
MST Instance           Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
MST0                 0 0012.d994.fd80         0   10   20  15

SWITCH_4#sh span root | i VLAN0010|VLAN0008
VLAN0008             0 0012.d994.fd80         4   10   20  15  Gi1/0/11
VLAN0010             0 0012.d994.fd80         4   10   20  15  Gi1/0/11

SWITCH_3#sh span root | i VLAN0010|VLAN0008
VLAN0008             0 0012.d994.fd80         4   10   20  15  Gi1/0/27
VLAN0010             0 0012.d994.fd80         4   10   20  15  Gi1/0/27


We have configured VTPv3 and primary server mode on SWITCH_3, with the VLAN 8 and 10 config on the server:


SWITCH_3#sh run vl 8
Building configuration...

Current configuration:
!
vlan 8
 name test_private_primary
  private-vlan primary
  private-vlan association 9-10
end

SWITCH_3#sh run vl 10
Building configuration...

Current configuration:
!
vlan 10
 name community_1
  private-vlan community
end

Verifying VTP version 3:

SWITCH_3#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : MY_VTP
VTP Pruning Mode                : Enabled
VTP Traps Generation            : Disabled
Device ID                       : b8be.bfb1.f200

Feature VLAN:
--------------
VTP Operating Mode                : Primary Server
Number of existing VLANs          : 16
Number of existing extended VLANs : 0
Configuration Revision            : 25
Primary ID                        : b8be.bfb1.f200
Primary Description               : SWITCH_3
MD5 digest                        : 0xB8 0xF3 0xB2 0x8E 0x70 0x24 0xF4 0x65
                                    0x86 0x89 0x18 0x4C 0x95 0x99 0xD1 0x1C

VTPv3 supports private VLANs; let's check the private VLAN configuration on our switches.
Private VLAN operation requires at least one promiscuous port on a switch. We have a promiscuous interface VLAN 8 on SWITCH_3:

interface Vlan8
 ip address 10.1.1.88 255.255.255.0
 private-vlan mapping 9-10
end

Verify the configured promiscuous SVI:

SWITCH_3#sh inter priva mapping
Interface Secondary VLAN Type
--------- -------------- -----------------
vlan8     9              isolated
vlan8     10             community

Interfaces Gi1/0/13 are connected to the routers:

SWITCH_3#sh int gi 1/0/13 switchport | i private
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative private-vlan host-association: 8 (test_private_primary) 10 (community_1)
-----output omitted------
Operational private-vlan:
  8 (test_private_primary) 10 (community_1)
SWITCH_3#

SWITCH_1#sh int gi 1/0/13 switchport | i private
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous
Administrative private-vlan host-association: 8 (test_private_primary) 9 (private_ISOLATED)
Administrative private-vlan mapping: 8 (test_private_primary) 9 (private_ISOLATED) 10 (community_1) 11 (community_2)
-----output omitted------
Operational private-vlan:
  8 (test_private_primary) 9 (private_ISOLATED) 10 (community_1)

Verify that VLANs 8 and 10 are configured as private VLANs:

SWITCH_3#sh vl private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
8       9         isolated
8       10        community         Gi1/0/13

SWITCH_1#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
8       9         isolated          Gi1/0/13
8       10        community         Gi1/0/13

SWITCH_2#sh vl private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
8       9         isolated
8       10        community

SWITCH_4#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
8       9         isolated
8       10        community


Verify the absence of connectivity in the private VLAN:

R1#ping 10.1.1.2 r 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
..........
Success rate is 0 percent (0/10)

Manually add VLAN 10 to trunk interface gi 1/0/12 on SWITCH_2:

SWITCH_2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SWITCH_2(config)#int gi 1/0/12
SWITCH_2(config-if)#swi tru all vl add 10

Manually remove VLAN 10 from trunk interface gi 1/0/12:
SWITCH_2(config-if)#swi tru all vl rem 10


As you can see, there is connectivity between the two routers after we added VLAN 10 to the trunk:
R1#ping 10.1.1.2 r 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
...............Added vlan to trunk --->!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!.....................  <-----removed VLAN from trunk
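
The two checks above (that every switch shows the same primary/secondary associations in `show vlan private-vlan`, and that the secondary VLAN is actually carried on the inter-switch trunk) are easy to automate. The following Python script is an added example and is not part of the original post: it parses the four `show vlan private-vlan` outputs shown above, flags any switch that disagrees on an association or type, and lists private VLANs that a trunk does not carry. The per-switch trunk allowed-VLAN sets are constructed for the example (the post does not show `show interfaces trunk`); they model SWITCH_2's gi1/0/12 trunk lacking VLAN 10 until it was added by hand.

```python
"""Consistency checks for private-VLAN tables collected from several switches.
Added example; the allowed-VLAN sets below are constructed, not from the lab."""
import re
from typing import Dict, List, Set, Tuple

# 'show vlan private-vlan' output for the four lab switches, copied from the
# outputs above (empty Ports columns are exactly as the switches print them).
SHOW_PVLAN: Dict[str, str] = {
    "SWITCH_3": (
        "Primary Secondary Type              Ports\n"
        "------- --------- ----------------- ------------------------------------------\n"
        "8       9         isolated\n"
        "8       10        community         Gi1/0/13\n"
    ),
    "SWITCH_1": (
        "Primary Secondary Type              Ports\n"
        "------- --------- ----------------- ------------------------------------------\n"
        "8       9         isolated          Gi1/0/13\n"
        "8       10        community         Gi1/0/13\n"
    ),
    "SWITCH_2": (
        "Primary Secondary Type              Ports\n"
        "------- --------- ----------------- ------------------------------------------\n"
        "8       9         isolated\n"
        "8       10        community\n"
    ),
    "SWITCH_4": (
        "Primary Secondary Type              Ports\n"
        "------- --------- ----------------- ------------------------------------------\n"
        "8       9         isolated\n"
        "8       10        community\n"
    ),
}

# Constructed (hypothetical) allowed-VLAN sets for each switch's uplink trunk,
# modelling the lab: SWITCH_2's gi1/0/12 did not carry VLAN 10 at first.
TRUNK_ALLOWED_BEFORE: Dict[str, Set[int]] = {
    "SWITCH_1": {1, 8, 9, 10},
    "SWITCH_2": {1, 8, 9},
    "SWITCH_3": {1, 8, 9, 10},
    "SWITCH_4": {1, 8, 9, 10},
}
# State after 'switchport trunk allowed vlan add 10' on SWITCH_2.
TRUNK_ALLOWED_AFTER: Dict[str, Set[int]] = {
    sw: allowed | {10} for sw, allowed in TRUNK_ALLOWED_BEFORE.items()
}

# One data row: primary, secondary, type, optional comma-separated port list.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(isolated|community|non-operational)\s*(.*?)\s*$")

Assoc = Tuple[int, int]


def parse_private_vlan(text: str) -> Dict[Assoc, Tuple[str, List[str]]]:
    """Return {(primary, secondary): (type, [ports])} for one switch's output."""
    table: Dict[Assoc, Tuple[str, List[str]]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header and separator lines
        primary, secondary, ptype, ports = m.groups()
        port_list = [p.strip() for p in ports.split(",") if p.strip()]
        table[(int(primary), int(secondary))] = (ptype, port_list)
    return table


def check_consistency(outputs: Dict[str, str]) -> List[str]:
    """Findings where switches disagree on an association or on the secondary
    VLAN type; with VTPv3 distributing the VLAN database these should match."""
    parsed = {sw: parse_private_vlan(t) for sw, t in outputs.items()}
    findings: List[str] = []
    every_assoc = set().union(*parsed.values())
    for assoc in sorted(every_assoc):
        types = {sw: tbl[assoc][0] for sw, tbl in parsed.items() if assoc in tbl}
        missing = sorted(set(parsed) - set(types))
        if missing:
            findings.append(f"association {assoc} missing on {missing}")
        if len(set(types.values())) > 1:
            findings.append(f"association {assoc} type mismatch: {types}")
    return findings


def vlans_missing_from_trunk(outputs: Dict[str, str],
                             trunk_allowed: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """Private VLANs (primary and secondary) that a switch's trunk does not
    carry; members of such a VLAN on different switches cannot reach each other."""
    required: Set[int] = set()
    for text in outputs.values():
        for primary, secondary in parse_private_vlan(text):
            required.update((primary, secondary))
    return {sw: sorted(required - allowed)
            for sw, allowed in trunk_allowed.items() if required - allowed}


if __name__ == "__main__":
    print("consistency findings:", check_consistency(SHOW_PVLAN))
    print("before fix:", vlans_missing_from_trunk(SHOW_PVLAN, TRUNK_ALLOWED_BEFORE))
    print("after fix: ", vlans_missing_from_trunk(SHOW_PVLAN, TRUNK_ALLOWED_AFTER))
```

Run against the lab tables the consistency check is clean, and the trunk check reports `{'SWITCH_2': [10]}` before the fix and nothing after it, which is exactly the ping behaviour shown above.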


Let's make sure we have connectivity in VLAN_8 and VLAN_10 without private VLANs configured.
We change the switchport mode to access on the interfaces facing the routers and
remove the private-VLAN config from VLANs 8 and 10:

SWITCH_3(config-vlan)#vl 8
SWITCH_3(config-vlan)#no   private-vlan primary
SWITCH_3(config-vlan)#no   private-vlan association 9-10

SWITCH_3(config-vlan)#vl 10
SWITCH_3(config-vlan)#no   private-vlan community

Setting the interfaces to R1 and R2 to access mode: first access VLAN_8
SWITCH_1(config)#int gi 1/0/13
SWITCH_1(config-if)#swi mo acc
SWITCH_1(config-if)#swi acc vl 8


SWITCH_3(config)#int gi 1/0/13
SWITCH_3(config-if)#swi mo acc
SWITCH_3(config-if)#swi acc vl 8

Waiting a couple of minutes...

... and then set up access VLAN_10:
SWITCH_1(config-if)#swi ac vl 10
SWITCH_1(config-if)#exit
SWITCH_1(config)#int gi 1/0/13

SWITCH_3(config-vlan)#int gi 1/0/13
SWITCH_3(config-if)#swi mo acc
SWITCH_3(config-if)#swi acc vl 10
SWITCH_3(config-if)#exit

After all these manipulations we return the configuration to its initial state: VLAN_8 private primary, VLAN_10 private secondary.

Below you can see the connectivity test that was carried out while we changed the VLAN configuration:

R1#ping 10.1.1.2 r 1000000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
...............!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!..........................................................
....no pings while changing VLAN to access_8...............!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
---output omitted---
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!

R1#ping 10.1.1.2 r 1000000
Type escape sequence to abort.
Sending 1000000, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!no pings while changing VLAN to access_10.
.................!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
---output omitted---
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!no pings when changed to switchport mode private.
......................................................................