03-10-2010 12:05 AM - edited 03-06-2019 10:04 AM
Hi,
I have a server which is connected to a Cat3750 via a vlan trunk with 3 vlans.
Two of them are normal vlans, the third should be the isolated vlan of a private vlan.
In this isolated vlan the server should only be able to talk to the promiscuous port which is connected to the default gateway.
I already read the "configuring private vlans" section of the configuration guide but I didn't find any hint for this scenario.
What I found was the statement "An isolated port sends a broadcast only to the promiscuous ports or trunk ports". So am I right that the server will get broadcasts from other isolated ports when I use normal trunk configuration?
Does anybody know how to configure the switchport the server is connected to?
I use the following example config:
===
vlan 100
private-vlan primary
private-vlan association 200
vlan 200
private-vlan isolated
!
vlan 501
name normalvlan1
!
vlan 502
name normalvlan2
!
interface GigabitEthernet1/0/1
description servertrunk
switchport mode trunk
switchport trunk allowed vlan 200,501,502
spanning-tree portfast
!
interface GigabitEthernet1/0/48
description defaultgateway
switchport private-vlan mapping 100 200
switchport mode private-vlan promiscuous
spanning-tree portfast
===
Best Regards,
Thorsten
03-10-2010 01:09 AM
Hi Thorsten,
As far as I know, pvlan access is an access-port feature:
"PVLAN ports cannot be trunk ports, cannot channel, cannot have dynamic VLAN membership, and cannot be a Switched Port Analyzer (SPAN) destination."
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml (Additional Notes)
Greetz. Hakan
03-10-2010 05:14 AM
You are correct, but in the Cat4500 manual I just found a feature called "Isolated Private VLAN Trunk Ports" (http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/53SG/configuration/pvlans.html#wp1181903).
It seems to be the feature I'm looking for but I'm using Cat3750 which does not support isolated pvlan trunks.
You can use protected ports on Cat3750, but if using vlan trunks the whole trunk is configured isolated (http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_50_se/configuration/guide/swtrafc.html#wp1029319).
Does anybody else know a solution?
03-10-2010 07:42 AM
Hi,
PVLAN trunks are only supported on a limited number of platforms, but not C3750 due to hardware limitations.
A possible solution could be to use, if available on your server, a second NIC. One interface is a trunk carrying the normal vlans, the other is an access port in your PVLAN.
HTH,
Dario
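The two-NIC layout Dario describes, written out as an added example config (not posted by anyone in this thread): the trunk on Gi1/0/1 carries only the normal vlans, and the second NIC sits on an isolated host port so it can reach nothing but the promiscuous gateway port. GigabitEthernet1/0/2 as the second NIC's port is an assumption; the host-association syntax is the standard IOS private-vlan host-port form.

```cisco
! Added example, not from the original thread.
! Gi1/0/2 is assumed to be where the server's second NIC is connected.
vlan 100
 private-vlan primary
 private-vlan association 200
vlan 200
 private-vlan isolated
!
vlan 501
 name normalvlan1
!
vlan 502
 name normalvlan2
!
interface GigabitEthernet1/0/1
 description server NIC1 - trunk for the normal vlans only
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! isolated vlan 200 is deliberately NOT in the allowed list:
 ! a 3750 trunk cannot enforce isolation for it
 switchport trunk allowed vlan 501,502
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
 description server NIC2 - isolated host port, reaches only Gi1/0/48
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 description defaultgateway
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200
 spanning-tree portfast
```

`show vlan private-vlan` should then list vlan 200 as isolated with Gi1/0/2 and Gi1/0/48 as its ports; frames from Gi1/0/2 toward any other isolated host port, including broadcasts, are dropped by the switch rather than by anything on the server.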