
promiscuous trunk port on 3750

yoguz
Level 1

Hi there,

Is there a way to configure a promiscuous trunk port on a Catalyst 3750 switch?

I couldn't find the "switchport mode private-vlan trunk promiscuous" command on my 3750. It has only "switchport mode private-vlan promiscuous" and "switchport mode private-vlan host".

IOS is (C3750-IPBASEK9-M), Version 12.2(50)SE.

Regards,

yasemin

8 Replies

Reza Sharifi
Hall of Fame

Hello Yasemin,

A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN.

Have a look at 3750 config guide below:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swpvlan.html

HTH

Reza

Thanks for your message, Reza. I know the functionality of the primary VLAN. But I want the same port to be a promiscuous port and a trunk at the same time, because the gateway for all of my VLANs is connected to that trunk port. On the other hand, one of the VLANs is a primary VLAN.

I checked most of the documentation; it seems that the Catalyst 4500 and Nexus have this functionality, but I'm not sure if the 3750 can do it.

Any new idea?

Thanks,

yasemin

Hello Yasemin,

I tried it on a 3750-E running 122-52.SE. It is either or, not both at the same time.

Here is the config before "switchport mode private-vlan promiscuous"

Switch(config-if)#do sh run int gi2/0/1
Building configuration...

Current configuration : 99 bytes
!
interface GigabitEthernet2/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
end

Switch(config-if)#

And here is the config after I add the command

Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#do sh run int gi2/0/1                  
Building configuration...

Current configuration : 118 bytes
!
interface GigabitEthernet2/0/1
switchport trunk encapsulation dot1q
switchport mode private-vlan promiscuous
end

Switch(config-if)#

HTH

Reza

Hi Reza,

Yes, I have the same result. But I'm wondering if it is related to the IOS or the chassis. I mean, is it possible to have this feature/parameter with another IOS version of the 3750, or is it impossible?

Nexus 1000V and Cat 4500 have the "switchport mode private-vlan trunk" command, why not 3750?

Regards,

yasemin

jroussy
Level 1

I have the same problem, does someone know the answer?

SDaniels1
Level 1

I too want to do this (my plan was to trunk 'DMZ' interfaces from an ASA down to a 3750 and then do PVlans).

I soon ran into the issue of how it can be a trunk and a PV-promiscuous at the same time.

Googling, I found the switchport mode private-vlan trunk command and, like you, saw that it only seems to apply to the 4500 (I didn't spot Nexus as you have).

I would like to think that Cisco will add this feature into IOS updates for some IPBase models lower down, as PVlans without being able to do a trunked uplink really takes away from the usefulness of them (IMHO).

You (we) could of course bodge this by trunking to a (another) switch and then doing access uplinks down to the 3750, but this is not ideal as it's wasting ports on the 3750.

Oh well ..........

Zizhen Gao
Cisco Employee

Yasemin,

Unfortunately this is not supported on the 3750. It's currently a hardware limitation on the platform.

zz

A possible workaround that I've used in the same scenario is to use a VACL instead.

It's a bit more config, and it's more troublesome to maintain.

So instead of using private VLANs I use the following config:

(Assuming VLAN 100, Network 192.168.1.0/24 and ASA IP 192.168.1.1)

!
vlan 100
 name Simulated_PVLAN
!
ip access-list extended ACL_VACL_100
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
 permit ip host 192.168.1.1 192.168.1.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip any 192.168.1.0 0.0.0.255
!
vlan access-map VACL_100 10
 action forward
 match ip address ACL_VACL_100
!
vlan filter VACL_100 vlan-list 100
!

This will let the hosts on the vlan speak to the ASA, and allow them to send traffic out to the outside, but not let them speak to each other.

Would have been a lot easier with a "switchport type private-vlan trunk promiscuous" though...
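
Added example (not part of the original post and not Cisco code): a small Python model of how the ACL_VACL_100 entries above are evaluated, run against constructed sample flows to audit which traffic the single-clause VLAN map forwards. It assumes first-match ACL evaluation with an implicit deny, and that an IP packet matching no clause of the VLAN map is dropped; the function names and all addresses other than 192.168.1.1 are made up for illustration.

```python
import ipaddress

# ACEs copied from ACL_VACL_100 in the post: (action, src, src wildcard, dst, dst wildcard).
# "host X" is wildcard 0.0.0.0; "any" is 0.0.0.0 with wildcard 255.255.255.255.
ACL_VACL_100 = [
    ("permit", "192.168.1.0", "0.0.0.255", "192.168.1.1", "0.0.0.0"),
    ("permit", "192.168.1.1", "0.0.0.0", "192.168.1.0", "0.0.0.255"),
    ("deny", "192.168.1.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "192.168.1.0", "0.0.0.255"),
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_result(src, dst, acl=ACL_VACL_100):
    """First matching ACE wins; no match falls to the implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

def vacl_verdict(src, dst):
    """Clause 10 forwards what the ACL permits; anything else matches no
    clause and is dropped (assumed VLAN map default for IP packets)."""
    return "forward" if acl_result(src, dst) == "permit" else "drop"

# Constructed sample flows on VLAN 100 for the audit.
SAMPLE_FLOWS = [
    ("192.168.1.10", "192.168.1.1"),    # host -> ASA
    ("192.168.1.1", "192.168.1.10"),    # ASA -> host
    ("192.168.1.10", "192.168.1.20"),   # host -> host (should be isolated)
    ("192.168.1.10", "203.0.113.5"),    # host -> outside
    ("203.0.113.5", "192.168.1.10"),    # outside -> host
    ("192.168.1.10", "192.168.1.255"),  # host -> subnet broadcast
    ("0.0.0.0", "255.255.255.255"),     # DHCP discover from an unconfigured host
]

def audit(flows=SAMPLE_FLOWS):
    return {(s, d): vacl_verdict(s, d) for s, d in flows}

if __name__ == "__main__":
    for (s, d), verdict in audit().items():
        print(f"{s:>15} -> {d:<15} {verdict}")
```

In this model the subnet-broadcast and DHCP-discover flows also take the drop path, which is worth checking before deployment if hosts in the VLAN depend on them.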
