How upgrade a module C3Kx-SM10G

First download on Cisco web site the tarball associate to your version.

Example :

# sh version | i System image
System image file is "flash:/c3750e-universalk9-mz.152-1.E3.bin"

Upload the tarball on your flash or upgrade directly by ftp. Here, we use this file : c3kx-sm10g-tar.152-1.E3.tar

After use this command :

switch#archive download-sw /leave-old-sw flash:/c3kx-sm10g-tar.152-1.E3.tar
examining image...
extracting info (99 bytes)
extracting c3kx-sm10g-mz.152-1.E3/info (501 bytes)
extracting info (99 bytes)
Stacking Version Number: 1.51
System Type: 0x00010002
 Ios Image File Size: 0x017AEA00
 Total Image File Size: 0x017AEA00
 Minimum Dram required: 0x08000000
 Image Suffix: sm10g-152-1.E3
 Image Directory: c3kx-sm10g-mz.152-1.E3
 Image Name: c3kx-sm10g-mz.152-1.E3.bin
 Image Feature: IP|LAYER_3|MIN_DRAM_MEG=128
 FRU Module Version: 03.05.03.IND3
Updating FRU Module on switch 2...
All software images installed.

Reload your switch and your module will be ok.


How simplify the configuration on your Cisco Nexus 5K

Port profiles can reduce errors and apply the same configurations.

You create a port-profile and inherit it on your interface. Don’t forget the max-port  on your port-profile if you apply on a lot interface.

port-profile type ethernet FREE
max-port 1024
state enable
port-profile type ethernet ACCESS_PORT
max-port 1024
switchport mode access
spanning-tree port type edge
no cdp enable
no shutdown
state enable

After you can use your port-profile and add you Vlan ID for example. You reduce the number of line and use each time your interface with the same commands.

interface eth101/1/1
inherit port-profile ACCESS_PORT
switchport access vlan 100

You can use this command to display the complete configuration :

sh run int eth101/1/1 expand-port-profile


Network architecture

In this test, we used an ASA5505 as gateway, a Cisco 3750 for the switching and ESXi.


We used 4 Vlans. Vlan110 as primary and 111 to 113 as secondary.

We created a distributed switch on the vCenter and created the private vlans.


DVSwitch PVLAN Settings


PortGroup List


PortGroup Settings

On this plateform, SRV1, SRV2 and SRV4 can communicate together and with her gateway and the SVI, but can’t with SRV3, SRV5, SRV6 and SRV7.

SRV6 and SRV7 can communicate together and with her gateway and the SVI, but can’t with this other SRV.

Finally SRV3 and SRV5 are totally isolated and can only communicate with the gateway and the SVI.

Limitation: With a 3750, you can’t trunk the promiscuous port to a router or firewall tag with 802.1q

With a Nexus some commands have been added.

# switchport private-vlan ?
 association Private vlan trunk association
 host-association Set the private VLAN host association
 mapping Set the private VLAN access/trunk promiscuous mapping
 trunk Set the private vlan trunking configuration

Now you can trunk your promiscuous port :

# switchport private-vlan mapping trunk ?
 <1-3967,4048-4093> Primary private VLAN

Now we will try to use PVLAN in promicuous and add a Nexus 3548 with the following version : 6.0(2)A7(1). Before this version, I can’t enable the feature private-vlan.


The main difference is the capacity to trunk on the promiscuous port.

interface Ethernet1/1
 speed 1000
 switchport mode private-vlan trunk promiscuous
 spanning-tree port type edge trunk
 duplex full
 switchport private-vlan mapping trunk 300 301
 switchport private-vlan mapping trunk 200 201-202
 switchport private-vlan mapping trunk 110 111-113
 no shutdown

Here we have three primary vlans (110, 200 and 300) trunked to the firewall.

ASA5510# sh run interface
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address
interface Ethernet0/1
 no nameif
 security-level 100
 no ip address
interface Ethernet0/1.110
 vlan 110
 nameif INSIDE
 security-level 100
 ip address
interface Ethernet0/1.200
 vlan 200
 nameif INSIDE200
 security-level 100
 ip address
interface Ethernet0/1.300
 vlan 300
 nameif INSIDE300
 security-level 100
 ip address

Now in the following design, we transport the Private-vlan through a 3750 and we transform the private-vlan isolated 113 to a normal vlan 10. But you can also just terminated with private-vlan.


The SRV7 can ping every other servers and the gateway (SRV1 to SRV6), but SRV1 to 6 can’t ping themself except the SRV7.


Bind – IPv6 PTR delegation

Network : 2001:db8::/32

We will delegate 2001:db8:1::/48 to another NS :

$TTL    86400

@       IN      SOA (

1      ; Serial

28800   ; Refresh every 8 hours

7200      ; Retry after 2 hour

604800    ; Expire after 7 days

86400     ; Default ttl is 1 day



@                       IN      NS   ; SOA for 2001:db8::/32

$ORIGIN   IN      NS            ; SOA delegate for 2001:db8:1::/48

IPv6 tools – sipcalc

Tools to manipulate IPv6 addresses : sipcalc

Install in debian 7.x :

apt-get install sipcalc

Usage :

sipcalc -h

sipcalc 1.1.5

Usage: sipcalc [OPTIONS]... <[ADDRESS]... [INTERFACE]... | [-]>

Global options:

-a, --all All possible information.

-d, --resolve Enable name resolution.

-h, --help Display this help.

-I, --addr-int=INT Added an interface.

-n, --subnets=NUM Display NUM extra subnets (starting from

the current subnet). Will display all subnets

in the current /24 if NUM is 0.

-u, --split-verbose Verbose split.

-v, --version Version information.

-4, --addr-ipv4=ADDR Add an ipv4 address.

-6, --addr-ipv6=ADDR Add an ipv6 address.

IPv4 options:

-b, --cidr-bitmap CIDR bitmap.

-c, --classfull-addr Classfull address information.

-i, --cidr-addr CIDR address information. (default)

-s, --v4split=MASK Split the current network into subnets

of MASK size.

-w, --wildcard Display information for a wildcard

(inverse mask).

-x, --classfull-bitmap Classfull bitmap.

IPv6 options:

-e, --v4inv6 IPv4 compatible IPv6 information.

-r, --v6rev IPv6 reverse DNS output.

-S, --v6split=MASK Split the current network into subnets

of MASK size.

-t, --v6-standard Standard IPv6. (default)

Address must be in the "standard" dotted quad format.

Netmask can be given in three different ways:

- Number of bits    [/nn]

- Dotted quad       [nnn.nnn.nnn.nnn]

- Hex               [0xnnnnnnnn | nnnnnnnn]

Interface must be a valid network interface on the system.

If this options is used an attempt will be made to gain the address

and netmask from the specified interface.

Replacing address/interface with '-' will use stdin for reading further


Example :

#sipcalc 2001:db8::

-[ipv6 : 2001:db8::] - 0


Expanded Address - 2001:0db8:0000:0000:0000:0000:0000:0000

Compressed address - 2001:db8::

Subnet prefix (masked) - 2001:db8:0:0:0:0:0:0/128

Address ID (masked) - 0:0:0:0:0:0:0:0/128

Prefix address - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Prefix length - 128

Address type - Aggregatable Global Unicast Addresses

Network range - 2001:0db8:0000:0000:0000:0000:0000:0000 -


Very nice for IPv6 reverse :

# sipcalc -r 2001:db8::1
-[ipv6 : 2001:db8::1] - 0

Reverse DNS (	-

Very useful if you want subnet for point-to-point subnet /126 :

#sipcalc -S 126 2001:db8:0:1::/64

-[ipv6 : 2001:db8:0:1::/64] - 0

[Split network]
Network                 - 2001:0db8:0000:0001:0000:0000:0000:0000 -
Network                 - 2001:0db8:0000:0001:0000:0000:0000:0004 -
Network                 - 2001:0db8:0000:0001:0000:0000:0000:0008 -
Network                 - 2001:0db8:0000:0001:0000:0000:0000:000c -
Network                 - 2001:0db8:0000:0001:0000:0000:0000:0010 -