Q: It is possible to map the private VLAN to both our access and voice SVIs?
A: No. You are creating "In theory" a bridge between two main VLANs.
Q: Is it possible to have our access and voice "layer 2" VLAN statements associated with the same private VLAN?
A: This is like haveing the same VLAN name on two different networks. The private VLAN scope is within its main VLAN. Technically it would not make the private VLAN part of two main VLANs but it might be against the allowed configuration to have the same name for two private VLANs on the same switch. I am not sure but logically it would be confusing.
Q: Can I assign the physical ports to have multiple private VLAN associations?
A: I cant think of a reason for doing so except for the 'P' port which you will need to do on at least one port/SVI.
Check this link for a great explaination on private VLANs.
Best practice wise - should I let the router or the ASA handle NAT
(Overloading)?
In the most general of design best practices NAT is performed between an inside and outside network. NAT overloading is generally performed at the edge when there is limited public IP address space. You can learn more about NAT overloading, also known as Port Address Translation or PAT, in RFC 2663 (PAT is referred to as Network Address Port Translation (NAPT) in section 4.1.2).
In this particular scenario you can argue that you have two inside and outside networks and will need to perform some form of NAT on both the ASA (whether that is the NAT overloading you're using now, NAT exemption, static NAT, etc) and the Cisco Router.
I can ping the 172.16.2.2
interface but not 172.16.2.1
from a pc
connected to one of the layer 2 switches (proves intervlan routing is
working -- i have a 172.20.100.8
address on the PC). Why can't I ping
172.16.2.1
from a PC but I can from the Layer 3 Switch?
The ASA 172.16.2.2
is receiving the ICMP echo-request but does not have a route back to 172.20.100.0/27
. The echo-reply is actually being forwarded to the Router 172.16.1.1
via the default route.
And most of all -- Why can't I get out to the Internet from the Layer 3 switch?
Currently your ASA and Cisco Router do not have routes to internal devices other than their connected routes.
Your ASA configuration:
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?
You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.
ASA static routing example:
route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2
Further reading: ASA static routing
Your Cisco Router's configuration:
ip route 0.0.0.0 0.0.0.0 200.200.200.200
Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200
?
Router static routing example:
ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10
Further reading: ISR static routing
I cannot get an ip address right now from the DHCP server (Windows).
Any insight into why?
Ensure you have end-to-end IP reachability between the client(s) sending DHCP discover messages and the DHCP server.
From what I can gather from your topology and configuration, the subnets 172.19.3.0/24
, 172.19.12.0/28
and 172.20.100.0/27
should have no issues connecting to each other (assuming they are configured to use their respective default gateways) from a networking perspective.
You can remove the ip helper-address
syntax from the SVI 100 given that the DHCP server is on the same segment and that command is used for a DHCP server(s) that is on a different segment.
interface Vlan100
ip address 172.20.100.1 255.255.255.224
ip helper-address 172.20.100.27
Best Answer
It doesn't matter what layer-3 routing you put on your switch, SPAN and RSPAN only work at layer-2, not on layer-3 interfaces, e.g. your SVIs.
The obvious solution is to change the access ports to trunk ports, and only allow the single VLAN which you currently have as the access VLAN on the trunk ports, and make that VLAN the native (non-tagged) VLAN. You should disable DTP by using the
switchport nonegotiate
command on your trunks so that DTP negotiation is disabled. This is like having an access port on a trunk. You say you can't do that because you don't control the core switch, and that really makes your question off-topic here because questions about networks which you do not control are explicitly off-topic here. I don't really see the need to change the core switch to use a trunk as I have described, unless this is really layer-3, not layer-2.I think the real problem will be trying to send a lot of SPAN traffic over a single 100 Mb interface toward the core switch will cause real problems with the rest of the network.
One option available on some switch models is ERSPAN, which was only available on a very few device models (65xx, ASR1xxx, Nexus), but Cisco recently released newer code versions for some 3xxx and 4xxx switch models. Without a specific model, I can't say for sure if your particular switches support this new code.
ERSPAN will encapsulate SPAN into a GRE tunnel so that the SPAN traffic may be routed via layer-3, which is not possible with SPAN or RSPAN.
Chapter: Configuring ERSPAN