Private-vlan trunk promiscuous to ASA FW

Unanswered Question
Mar 11th, 2008


Can anybody tell me whether I have understood private-VLAN promiscuous trunk ports on the CAT 4500 switch correctly?

Let's say you have a DMZ switch with different DMZ VLANs. Some of the VLANs are standard VLANs and some are private VLANs. The routing between all the VLANs is done in an ASA that is connected to a trunk port on the switch.

Let's say you have these VLANs:

Standard VLANs:

  vlan 10  IP
  vlan 20  IP

Private VLANs:

  vlan 30   Primary, IP
    vlan 300  Community
    vlan 301  Community

  vlan 40   Primary, IP
    vlan 400  Community
    vlan 401  Community

The ASA has a trunk port with subinterfaces for VLANs 10, 20, 30 and 40, and an IP address of 10.X.X.1/24 on each subinterface.

The switch is configured with this:

  interface fastethernet 5/2
   switchport mode private-vlan trunk promiscuous
   switchport private-vlan trunk allowed vlan 10,20,30,40
   switchport private-vlan mapping trunk 30 300,301
   switchport private-vlan mapping trunk 40 400,401

The question:

Will the ASA be promiscuous for the private VLANs, and can it also handle the standard VLANs? Can the traffic between the different IP subnets be forwarded (if a permitting ACL exists in the ASA)?

But the secondary community private VLANs under the same primary VLAN should not be able to talk to each other.



aghaznavi Mon, 03/17/2008 - 07:17

You can enable promiscuous mode on your ASA device, if the ASA runs the advanced IPS software that provides further security inspection in either inline mode or promiscuous mode.

huvsga Mon, 03/17/2008 - 07:47

Ok thanks for your reply!

But the question I am asking isn't about IPS or IDS functions. I mean "promiscuous" in the private-VLAN sense. I know that a VLAN interface on a switch can be promiscuous for a private VLAN; because of that, the interface can talk to all hosts in the private VLAN and you can provide routing between subnets.

Here I want the ASA to be promiscuous for the private VLANs and to provide routing between the different subnets.

Is that possible?

huvsga Fri, 05/02/2008 - 01:48

No I haven't. Would be nice if someone could explain this.

fareed_farooqui Tue, 05/05/2009 - 04:27

I have the exact same issue/query.

Could one of the NetPro gurus please look at this?


dario.didio Tue, 05/05/2009 - 05:36


Yes, this is possible, just as you have configured it in your example.

Normally, a promiscuous port belongs to only one VLAN, the primary VLAN. This primary VLAN is then mapped to the secondary VLAN(s). This way, for example, a router belongs to the primary VLAN and is the default gateway for the devices in all the secondary VLANs, without any knowledge of them.

Imagine a multilayer switch and an access switch. The multilayer switch is the default gateway for VLANs 10, 20 and 30 and has no knowledge of PVLANs. On the access switch, VLANs 10, 20 and 30 are primary PVLANs mapped to 101,102, 201,202 and 301,302 respectively. The access switch would now need three separate connections towards the core switch, because it needs a promiscuous port (to translate the primary to the secondary VLANs), but a promiscuous port can only belong to one VLAN. Additionally, there is also a management VLAN on the access switch, so a fourth connection is needed to transport the normal VLANs between core and access.

This is why the promiscuous trunk feature was added. A promiscuous trunk port is a port that can carry:

- multiple primary VLANs

- standard VLANs

If we use a promiscuous trunk in our previous example (where we needed four connections between core and access), we now only need one.

The trunk is configured as promiscuous, allowing the three primary VLANs and the management VLAN. The primary VLANs are mapped to their secondary VLANs using the command:

  switchport private-vlan mapping trunk 10 100,101


Note that this feature is not supported on most devices, only the C4500 and C4948.

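A complete version of the setup discussed in this thread, added here as an illustration (it is not configuration from the original posts or from Cisco documentation): the VLAN definitions and the promiscuous trunk on the Catalyst 4500, a sample host port in one community, and the matching ASA subinterfaces that act as the promiscuous gateway. The interface names, VLAN names, the 10.1.x.0/24 addressing, the ACL names and the security levels are assumptions chosen for the example.

```cisco
! ===== Catalyst 4500 (assumed hostname dmz-4500) =====
! Private VLANs on the 4500 require VTP transparent mode (VTP v1/v2).
vtp mode transparent
!
! Standard VLANs: no PVLAN configuration at all.
vlan 10
 name dmz-std-10
vlan 20
 name dmz-std-20
!
! Primary VLAN 30 with two community secondaries.
vlan 30
 name dmz-pvlan-30
 private-vlan primary
 private-vlan association 300,301
vlan 300
 private-vlan community
vlan 301
 private-vlan community
!
! Primary VLAN 40 with two community secondaries.
vlan 40
 name dmz-pvlan-40
 private-vlan primary
 private-vlan association 400,401
vlan 400
 private-vlan community
vlan 401
 private-vlan community
!
! Promiscuous trunk towards the ASA. The allowed list names only the
! standard VLANs and the PRIMARY VLANs; frames from 300/301 leave this
! port tagged as 30 and frames from 400/401 tagged as 40, so the ASA
! never sees the secondary VLAN IDs.
interface FastEthernet5/2
 description uplink to ASA (promiscuous trunk)
 switchport mode private-vlan trunk promiscuous
 switchport private-vlan trunk allowed vlan 10,20,30,40
 switchport private-vlan mapping trunk 30 300,301
 switchport private-vlan mapping trunk 40 400,401
!
! Example host port in community 300 (assumed port number).
interface FastEthernet5/10
 description server in community 300
 switchport mode private-vlan host
 switchport private-vlan host-association 30 300

! ===== ASA (assumed hostname dmz-asa, 8.0-era syntax) =====
interface GigabitEthernet0/1
 description trunk to dmz-4500 Fa5/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz10
 security-level 50
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz20
 security-level 50
 ip address 10.1.20.1 255.255.255.0
!
! One subinterface per PRIMARY VLAN; communities 300 and 301 both use
! this gateway and this subnet.
interface GigabitEthernet0/1.30
 vlan 30
 nameif dmz30
 security-level 50
 ip address 10.1.30.1 255.255.255.0
!
interface GigabitEthernet0/1.40
 vlan 40
 nameif dmz40
 security-level 50
 ip address 10.1.40.1 255.255.255.0
!
! All DMZ interfaces share security-level 50, so inter-interface
! forwarding must be enabled explicitly; the ACLs then decide.
same-security-traffic permit inter-interface
!
! Assumed policy: hosts behind primary 30 may reach HTTPS behind primary 40.
access-list dmz30_in extended permit tcp 10.1.30.0 255.255.255.0 10.1.40.0 255.255.255.0 eq 443
access-list dmz30_in extended deny ip any any
access-group dmz30_in in interface dmz30
```

Two points worth checking when you bring this up. First, traffic between the subnets of different primaries (30 and 40 here) is routed by the ASA like any other inter-interface traffic, subject to the ACLs and the same-security-traffic setting. Second, communities under the same primary (300 and 301) share one subnet, so a host in 300 that wants to reach an address in 301 will ARP for it directly rather than send the packet to the ASA; the private VLAN drops that frame, which gives exactly the isolation asked for in the original question, and the ASA can only see and forward what arrives on the primary VLAN tag.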


fareed_farooqui Tue, 05/05/2009 - 06:17

Thanks for the explanation Dario..

I have a 3750 (WS-C3750G-48TS) with c3750-ipbasek9-mz.122-40.SE running on it and I can't seem to find the commands to make a promiscuous trunk:

  switchport mode private-vlan trunk promiscuous

  switchport private-vlan mapping trunk 10 100,101

Do you think upgrading to a newer IOS would suffice?


dario.didio Tue, 05/05/2009 - 06:45


As said in my previous post, this feature is only supported on the C4500, C4948 and ME4900.

It is not supported on C3750.



huvsga Tue, 05/05/2009 - 22:50

Thanks for the explanation. That was what I was looking for. My Cat4500s are in the production network and I haven't been able to get time to try it. But now I will.

Thanks again!

