Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
579
Views
0
Helpful
3
Replies

Trunking Private VLANs

wwbishop2
Level 1
Level 1

‎04-21-2010 04:44 PM - edited ‎03-06-2019 10:44 AM

Hi all, I have a scenario that requires broadcasts to be blocked at my main headswitch (WS-C6506_s720 - IOS 12.2(18)SXD7b) which is running as simply a L2 headswitch right now, and not routing. I have two ports going upstream to two 7206VXR routers, and out the door.

This switch feeds 10 IDF closests, all containing C3550-24-PWR running IOS 12.2(44)SE6. I have an end-to-end vlan scenario with VTP pruning, as I need all my vlans available on each switch at any given time.

Quite simply, all I need to accomplish is to block all traffic (broadcasts especially) coming from a host in VLAN100 off switch X, to only reach the router, and not travel to every other switch on the backbone. i.e., a host in VLAN100 on the other side of the building will NOT see this broadcast.

I'm sniffing around Private VLAN configuration in the cat6k on each of the trunk ports feeding the IDFs, but I'm not clear as to how to configure it to ONLY block VLAN100 at the 6k, and still allow all other VLANs to talk across the network freely.

Hope this makes sense Thanks in advance, any config examples would be great.

Wayne

CCNP

Labels:
0 Helpful
3 Replies 3

Marko Leopold
Level 1
Level 1

‎04-21-2010 11:08 PM

Hello!

Well a little picture of the network would be nice, but according to your wishes for VLAN 100 i would say the private VLAN thing will be usefull. Just configure the client ports as host-ports and the router as a promiscious-port. so the clients can only talk to the router. because you have vtp you dont need to worry about the trunk ports. here is a little configuration you can use.

vlan 100
name prim_PVLAN

private-vlan primary
private-vlan association 120

vlan 120
name P_prim_PVLAN
  private-vlan isolated

interface GigabitEthernet1/1
description Router

switchport private-vlan mapping 100 120
switchport mode private-vlan promiscuous
spanning-tree bpduguard disable

interface GigabitEthernet2/2
description clients
switchport private-vlan host-association 100 120
switchport mode private-vlan host
spanning-tree bpduguard disable

Should work with it. But check on trunks that the VLAN 120 is carried properly.

Marko

0 Helpful

wwbishop2
Level 1
Level 1
In response to Marko Leopold

‎04-22-2010 08:50 AM

My confusion lies with the secondary vlan120 you mentioned. How does that relate to vlan100? Thanks for the response!

Also I read somewhere that VTP needed to be set to transparent to accomplish what I need... is this accurate?

0 Helpful

Marko Leopold
Level 1
Level 1
In response to wwbishop2

‎04-26-2010 12:55 AM

Yes, you are right. You only can set it with vtp mode transparent The VLAN 120 is the isolated VLAN. There will reside all the isolated hosts. Isolated hosts can only communicate with promiscious ports (router ports as default-gateway for example), but can't communicate with each other. Therefor you have the VLAN 120 associated with VLAN 100.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card