EtherChannel on private-vlan ports 3560G

Unanswered Question
Aug 17th, 2009

I am trying to configure LACP EtherChannel on a Cat-3560G.

I connected several server to different Cat-3560G switches on isolated privat-vlan-port. I have one backup-system that I connect on promiscuous port on one single Cat-3560G. All devices are in the same L2 domain. So far this works like expected.

Now I am trying to configure LACP EtherChannel for the backup-system to increase throuput. I wanted to to like in the Cisco Document ID: 98469. Unfortunately EtherChannel configuration is not possible on private-vlan-port.

Any workaround for this problem?

Thank you

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
johnspaulding Wed, 08/19/2009 - 06:50

You need to configure the channel on a non-private-vlan. Thats the only work around I know. You can always restrict the access with an VLAN ACL.

indicomtg Sun, 08/23/2009 - 23:28

Ok. I will use ACL instead of private VLAN. Unfortunately It's not as simple as privat VLAN and less secure (?)

johnspaulding Mon, 08/24/2009 - 04:47

Well, You can get almost as secure as you want it. You could use a VACL

Basically you break it down like this:

access-list TRAFFIC permit (traffic incoming and outgoing to the VLAN)

than create you vlan access-map

vlan access-map TEST 10

match address TRAFFIC

action forward

vlan access-map TEST 20

action drop

vlan filter-list TEST vlan 100 (number of you vlan)

In the first access-map that referances the access-list TRAFFIC you permit all your traffic here. This traffic can be inside the vlan itself too.

example - permit tcp host 10.205.0.1 host 10.205.0.2 - In the same subnet

So thi is a good way to secure traffic inside the vlan you apply to that port. You have full control over what allowed inside and outside with this VACL

Here a good read:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swacl.html

Actions

This Discussion