I have an ASA from which I am trunking 3 DMZ networks over the same Gig link to a 6500 (CatOS) switch. I am looking to configure PVLAN on one of the DMZs, but I don't have any ports available on the ASA to move the DMZ to. The reason I would need to move it is that I cannot configure the trunk port as a PVLAN promiscuous port.
I have an option that I wanted to post here to see if there are any reasons not to do it this way.
Currently the DMZ is on VLAN 100, which is trunked to the ASA along with VLANs 101 and 102. I am thinking that I can configure a PVLAN setup using VLAN 50 as the primary PVLAN and VLAN 51 as the secondary (isolated) PVLAN. I was thinking of moving all servers from VLAN 100 to VLAN 51 and then removing all ports from VLAN 100 except for one. I would then connect the promiscuous access port, with 50/51 PVLAN mapping, to the single VLAN 100 port on the same switch. VLAN 100 is already being trunked to the ASA. This way I still have the PVLAN and still have connectivity to the ASA.
Does anyone know of a reason why this shouldn't be done?
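The layout described in the post written out as CatOS commands, added here as an illustration and not taken from the post; the module/port numbers (3/1-10 for the servers, 3/47 as the promiscuous port, 3/48 as the one remaining VLAN 100 access port, 1/1 as the existing trunk to the ASA) are assumed placeholders.

```text
# Assumed: servers on 3/1-10, promiscuous port 3/47, lone VLAN 100 access port 3/48,
# existing dot1q trunk to the ASA on 1/1 already carrying VLANs 100-102.

# Define the private VLAN pair: 50 primary, 51 isolated
set vlan 50 pvlan-type primary
set vlan 51 pvlan-type isolated

# Bind isolated 51 to primary 50 and move the server ports into it
set pvlan 50 51 3/1-10

# Promiscuous port: maps primary 50 to secondary 51
set pvlan mapping 50 51 3/47

# The single port left in VLAN 100; the patch cable runs from 3/47 to 3/48
set vlan 100 3/48

# Verify the PVLAN bindings, the promiscuous mapping and the trunk's allowed VLANs
show pvlan
show pvlan mapping
show trunk 1/1
```

The isolation rests on 3/47 and 3/48 being the only path from VLAN 51 to VLAN 100, so `show pvlan mapping` should list 3/47 as the sole promiscuous port and `show vlan 100` should show no other port left in VLAN 100.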