Private Vlan:Promiscuous port trunk

Aug 3rd, 2009

Hi,


I have an ASA firewall. The interface is a trunk carrying 2 VLANs (VLAN 100 and VLAN 200). That interface is connected to a 3750 switch. On the 3750 switch, VLANs 100 and 200 are configured as private VLANs which have some isolated and community ports. How can I make the switch interface connected to the ASA support private VLANs in promiscuous state as well as a dot1q trunk?


FW-G0/0-----G1/0/1-3750Switch

FW-G0/0.100 vlan
FW-G0/0.200 vlan

SW G1/0/1 ??? trunk and promiscuous
SW G1/0/2 pvlan 100 community 101
SW G1/0/3 pvlan 100 community 101
SW G1/0/4 pvlan 200 community 201
SW G1/0/5 pvlan 200 community 201
SW G1/0/6 pvlan 200 community 202
etc



is it possible?


Peter Paluch Mon, 08/03/2009 - 09:49

Hello,


I am afraid this will probably not be possible on 3750 series.


What you need is a functionality that replaces the tag of the secondary VLAN with the tag of the appropriate primary VLAN when a frame goes out that trunk. Without this functionality, the frame will always contain the tag of the secondary VLAN and the ASA will not process it on its subinterface for the primary VLAN.


That functionality is supported on 4500 series switches - it is called the "Promiscuous Private VLAN Trunk Ports". You can find the description and the configuration examples here:


http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst4500/12.2/53SG/configuration/pvlans.html#wp1181949


Unfortunately, the documentation for the 3750 series does not describe this functionality so I am afraid it is not supported there. You may want to experiment a bit and see if the commands from the 4500 will be accepted on your 3750 but I am afraid that this won't work.


Other than this, I do not see any other quick solution - except, of course, placing an extra switch between the ASA and the 3750, creating promiscuous ports on 3750 - one for each primary private VLAN, connecting those promisc ports to access ports on the extra switch (each into a different VLAN on that extra switch) and connecting that extra switch with a trunk to the ASA.


Best regards,

Peter
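
A worked configuration for the topology in the question, added here as an example (it is not from the original thread). It shows both of the routes Peter describes side by side: the Catalyst 4500 promiscuous PVLAN trunk, which rewrites the secondary VLAN tag to the primary tag on egress toward the ASA, and the 3750 workaround with one promiscuous access port per primary VLAN feeding an extra switch that trunks to the ASA. VLAN numbers and the 3750 host ports follow the question; the 4500 interface names, the extra switch's ports, and the ASA sub-interface names and addresses are assumptions.

```cisco
! Added example, not from the thread. VLAN numbers follow the question;
! 4500/extra-switch interface names and ASA addresses are assumed.
! Private VLANs require VTP transparent mode on these platforms (VTP v1/v2).
vtp mode transparent
!
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan community
vlan 200
 private-vlan primary
 private-vlan association 201,202
vlan 201
 private-vlan community
vlan 202
 private-vlan community
!
! Host ports (same on 4500 and 3750): primary/secondary pair per port
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/0/6
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
! === Option A: Catalyst 4500, promiscuous PVLAN trunk to the ASA ===
! Carries VLAN 100 and 200 as 802.1Q tags; frames from 101/201/202 leave
! with the tag of their primary VLAN, so the ASA sub-interfaces see them.
interface GigabitEthernet1/1
 switchport mode private-vlan trunk promiscuous
 switchport private-vlan trunk allowed vlan 100,200
 switchport private-vlan mapping trunk 100 101
 switchport private-vlan mapping trunk 200 201,202
!
! === Option B: Catalyst 3750 workaround (no promiscuous trunk support) ===
! One promiscuous access port per primary VLAN; each goes to an access
! port on an extra switch, which trunks VLANs 100 and 200 to the ASA.
interface GigabitEthernet1/0/23
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
!
! Extra switch (assumed 3560-class): untagged in, one tagged trunk out
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 100
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 200
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,200
!
! === ASA: sub-interfaces keyed on the PRIMARY VLAN tags (addresses assumed) ===
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.100
 vlan 100
 nameif pvlan100
 security-level 50
 ip address 10.100.0.1 255.255.255.0
interface GigabitEthernet0/0.200
 vlan 200
 nameif pvlan200
 security-level 50
 ip address 10.200.0.1 255.255.255.0
```

Check the result with `show vlan private-vlan` (primary/secondary associations and the ports in each) and `show interfaces GigabitEthernet1/1 switchport` on the 4500, which lists the operational mode and the trunk mappings. One caveat worth keeping in mind: the ASA only ever sees primary tags, so it cannot distinguish community 201 from 202; any isolation between hosts of the same primary VLAN is enforced by the switch, and the firewall policy applies per primary VLAN.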


jbrenesj Mon, 08/03/2009 - 11:21

I agree with Mr. Peter and can confirm that only the 4500 supports "promiscuous trunks", plus newer releases of the Cat6500, but only in CatOS.

Peter Paluch Mon, 08/03/2009 - 11:44

Hello Jorgemario,


Thank you for your reply. Now, this is interesting. This Promiscuous Private VLAN Trunk functionality is actually a very useful feature that, in my opinion, should be present on all switch series that support Private VLANs. Could perhaps Cisco be persuaded to add this functionality to the 3560/3750 series as well? I am asking you because you are a Cisco employee :-)


Best regards,

Peter


krahmani323 Wed, 09/15/2010 - 15:05

Hello community,


Thanks for the information about promiscuous trunks, with the IOS command for the 4500: switchport mode private-vlan trunk promiscuous


I am trying to figure out under what circumstances a promiscuous trunk is supported and configurable on CatOS.

Does someone in the community know how the concept works in comparison with the 4500? I.e. a special command exists to do this in 4500 IOS, but what about CatOS?


Do we only have to enter the following command on an already configured trunk port?

set pvlan mapping primary_vlan_id secondary_vlan_id mod/port


In fact I am afraid of the message below if I enter the command set pvlan mapping:

Trunking ports are not Private Vlan capable.

=========

I think the documentation on this functionality for CatOS is very rare and is giving me trouble!


On the other hand it seems the documentation states implicitly it is supported

"Egress traffic on wrong vlan port occurs upon module reset when the promiscuous trunk port is configured with more than 32 mappings"

(check for bug CSCsh55275  => http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/catos/8.x/system/release/notes/OL_4498.html)


I am also wondering about the following sentence on the same link :

"On an MSFC port or a nontrunk promiscuous port, you can remap as many isolated or community VLANs as desired; however, while a nontrunk promiscuous port can remap to only one primary VLAN, an MSFC port can only connect an MSFC router."


If I sum up :

Does someone know from what CatOS version "promiscuous trunk" is supported and is there any document clearly stating it ?


Any suggestion would be appreciated!

Thanks a lot..

Karim
