Private VLAN and Trunking

Unanswered Question
Aug 24th, 2007

I am trying to accomplish a private VLAN solution on a 3750 switch, but I am running into a bit of trouble. I am using the 3750 as a layer 2 switch only. I have a trunk connection from g1/0/1 to a VMware server that is passing me VLANs 800-809. I have mapped these 800-809 VLANs as private community VLANs to primary VLAN 10. I have another trunk on port g1/0/24 that carries only VLAN 10 to an ASA 5550 that is providing the routing for VLAN 10 and its associated private VLANs.

The idea is to have each VMware server in the private 800-809 VLAN community so that the VMware servers cannot communicate with each other unless they are added to the same private VLAN community.

The problem is that private VLANs are carried by the trunk links. I need the private 800-809 VLANs to be tagged as VLAN 10 when they arrive at the ASA.

This problem can be resolved by making the trunk link to the ASA a non-trunk link and configuring the interface as a promiscuous port, but the aim is to use multiple subinterfaces on the ASA as DMZs on the 3750s.

I tried to map the private VLANs to the VLAN 10 SVI as described in the documentation, but that must only work if the SVI is used for actually routing the traffic.

Any help is appreciated!
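The topology described in the question, written out as 3750 IOS configuration. This is an added example, not the poster's running configuration: the VLAN numbers and the two port numbers are taken from the post, while the VTP mode, trunk encapsulation and the exact command ordering are assumed. The last interface stanza shows the promiscuous-port workaround the poster mentions, as the alternative to the plain trunk above it.

```cisco
! Added example, not the poster's config. VLAN and port numbers follow
! the post; everything else is assumed.
!
! Private VLANs on a 3750 of this era require VTP transparent mode.
vtp mode transparent
!
! Primary VLAN 10 with community secondaries 800-809.
vlan 10
 private-vlan primary
 private-vlan association 800-809
!
vlan 800
 private-vlan community
vlan 801
 private-vlan community
vlan 802
 private-vlan community
vlan 803
 private-vlan community
vlan 804
 private-vlan community
vlan 805
 private-vlan community
vlan 806
 private-vlan community
vlan 807
 private-vlan community
vlan 808
 private-vlan community
vlan 809
 private-vlan community
!
! Trunk to the VMware host: the secondary VLANs arrive and leave tagged.
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,800-809
 switchport mode trunk
!
! Uplink to the ASA as described in the post: a trunk allowing only
! VLAN 10. A trunk forwards secondary-VLAN frames with their own tag
! (or drops them if that tag is not allowed); it never rewrites them to
! the primary VLAN, so VLAN 800-809 traffic does not reach the ASA's
! VLAN 10 subinterface.
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
!
! The workaround from the post, applied to the same port INSTEAD of the
! trunk stanza above: a promiscuous access port mapped to the primary.
! Frames from all mapped secondaries are delivered to the ASA in VLAN 10,
! but the link can then carry only this one VLAN, so no further DMZ
! subinterfaces on the ASA.
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 800-809
!
! Verify the primary/secondary association and port membership with
! 'show vlan private-vlan' and 'show interfaces gi1/0/24 switchport'.
```

Only one of the two GigabitEthernet1/0/24 stanzas can be active; the point of the example is that the trunk form keeps the secondary tags and the promiscuous form collapses them into VLAN 10, which is exactly the trade-off the question is about.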

Edison Ortiz Fri, 08/24/2007 - 10:57

Any reason for not enabling routing on the 3750 ?

The last workaround you proposed seems feasible to me.

chris.grammer Fri, 08/24/2007 - 12:35

The problem with enabling routing is that this is a DMZ switch that has a L3 port for management. If I enable routing, then the L3 port will show up as a connected route and allow traffic to bypass the firewall.

The question comes down to this:

Is it possible to designate a promiscuous port as a VLAN carried by a trunk?

I think what I am looking for is called a "promiscuous trunk" that appears not to be supported on a 3750. There is not much information regarding private vlans. I think I have read everything on Cisco there is to read.

Edison Ortiz Fri, 08/24/2007 - 13:42

I would suggest another approach, may I ?

Scrap all the secondary VLANs 800-809 and assign all servers to VLAN 10. On the switchports where the servers are connected, enable 'switchport protected'.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12237se/cr/cli3.htm#wp1948678

This command isolates the port from other ports in protected mode. Just leave the ASA without the protected configuration on its switchport.
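The protected-port alternative suggested above, written out as 3750 IOS configuration. This is an added example, not the reply author's configuration: VLAN 10 and the ASA uplink g1/0/24 come from the thread, while the server port range and the portfast setting are assumed.

```cisco
! Added example of the protected-port design, not the reply author's
! config. Server port range is assumed; VLAN 10 and gi1/0/24 come from
! the thread.
!
! All servers as access ports in VLAN 10. 'switchport protected' stops
! unicast, broadcast and multicast traffic from being forwarded between
! two protected ports on the same switch. Traffic between a protected
! port and an unprotected port is forwarded normally.
interface range GigabitEthernet1/0/2 - 11
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
!
! Uplink to the ASA stays an ordinary dot1q trunk, so additional DMZ
! VLANs can still be carried to ASA subinterfaces. It is deliberately
! NOT protected, so every server can reach the firewall.
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
!
! Check a server port; the output includes a 'Protected: true' line.
! show interfaces gigabitethernet1/0/2 switchport
```

Two caveats a practitioner should keep in mind. First, protection is per physical switchport: VMs sharing one trunked uplink from a VMware host are not isolated from each other by this command, which is where the community-VLAN design in the question had an advantage. Second, the protected-port feature is local to one switch; two protected ports on different switches joined by a trunk can still exchange traffic.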

chris.grammer Mon, 08/27/2007 - 06:30

This is a valid resolution to the problem. I had this in place as the original configuration, but I am looking for more flexibility. If, for instance, I have a cluster of servers that do need communication at L2, I could simply add them to the same community VLAN.

I researched this and have found that I need a switch that supports promiscuous trunks (4500 or 6500).

Thanks very much for the responses!

Chris

jlaay-diode Tue, 10/16/2007 - 03:21

Hello Chris,

I'm new at PVLANs.

However, my client wants to use PVLANs to connect VMware ESX 3.01 hosts to one or two Cisco switches (supporting PVLAN) and then to a Juniper SSG-550 (later with two for redundancy). See attachment.

I'm considering a Cisco 3560 or 3750 switch.

I would like to put the promiscuous ports on the uplink interfaces of the switches and trunk these to the Juniper SSG-550s.

Having read your post, I'm now not sure if this is possible with the switches I am considering.

Could you enlighten me on this subject, please?

With kind regards,

Jaap Laaij

The Netherlands
