Problem with PVLAN, Cat 4500 and Community VLAN

Unanswered Question
Apr 22nd, 2010
User Badges:

A customer trying to implement PVLAN in the network. It's a simple setup, see attachment, with one dot1q trunk in with two secondary PVLAN and one trunk with a primary PVLAN. This works well if only one secondary VLAN is used and configured as “isolated”, but as soon as we change this to “community” PVLAN it stops working.

Isolated can’t be used as the customer have two VLAN on the trunk, and that’s not supported. Can only map on secundary to one primary.

The question is now, is this configuration with a trunk, with two “community” PVLAN, mapped to one primary PVLAN on another trunk supported. Reading different documentation and sometimes it say that community PVLAN is not supported in the Catalyst 4500 platform, sometimes with exceptions.

Or am I just missing something in the configuration?

Sup IV

Software: Version 12.2(44)SG

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Peter Paluch Sat, 05/08/2010 - 13:47
User Badges:
  • Cisco Employee,

Hello,


I am not sure if this issue is still relevant so please ignore this if you already solved it.


The PVLAN deployment in that network is unusual because neither Cat2960 nor the HP blade server switch understand the concept of private VLANs (correct me if I am wrong... the Cat2960 certainly does not support private VLANs, perhaps the HP does?). If there are no other switches in the network that support the private VLANs then I do not quite understand what is your customer trying to achieve by implementing PVLANs.


Regarding the PVLAN support on Cat4500: the PVLANs are not supported with Supervisor Engine 6-E. As you are using the SupIV, the PVLANs should be supported.


Is it perhaps possible to better describe what is your customer trying to achieve? The current configuration example you have provided is somewhat confusing and I do not understand what is its goal.


Best regards,

Peter

jhedstr2 Sat, 05/08/2010 - 22:04
User Badges:

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;}

Hi Peter,

Thanks for your answer.

The reason the customer want to implement PVLAN is that they have many servers that should not have access to each other, but is the same time need access to a backup server.

It is possible to implement PVLAN within one switch, many incoming VLAN are mapped to one primary VLAN, so the design is not that wrong.

I actually opened a TAC case, and after many phone calls and Webex sessions, we found some documentation with the answer.

Community VLAN is not supported on a PVLAN trunk port. Only isolated port are supported. Very difficult to find this documentation.

Isolated port don’t work for the setup, since you can only map on isolated VLAN to one private, and that wouldn’t help us.

We consider switches from the ME-series that should have this support. Or just use VRF in the 4500.


Kind regards

Johan

Peter Paluch Sun, 05/09/2010 - 00:49
User Badges:
  • Cisco Employee,

Hello Johan,


Thank you for responding.


It is possible to implement PVLAN within one switch, many incoming VLAN are mapped to one primary VLAN, so the design is not that wrong.


I agree - but this intention was not clear from the original Visio file.


On 4500 switches, there are actually three different trunks supported, each behaving slightly differently:


  • Standard trunk port - conveys all primary and secondary VLANs without any limitations or tag rewrites
  • Isolated PVLAN trunk port - rewrites the primary VLAN tag to the defined (single) secondary isolated VLAN tag
  • Promiscuous PVLAN trunk port - rewrites all associated secondary VLAN tags (isolated and community) to the primary VLAN tag


The documentation does describe this but not in such obvious way. I have to admit that I have had my share of troubles understanding what the isolated and promisc PVLAN trunk ports were about.


But let's get back to the original intention. You have created a couple of secondary VLANs on the Cat4500 - I assume that all are community VLANs. Is that so? Second, in which VLANs are the clients on the 2960G switch and on the HP blade?


Best regards,

Peter

Actions

This Discussion