I hope I am posting this in the right place, but I have some issues with understanding private VLANs.
In my network I have a 3560 connected to a 2950 and soon a 2960.
```cisco
!
vlan 10
 private-vlan primary
 private-vlan association 50
!
vlan 50
 private-vlan isolated
!
vlan 100
 name DMZ2
interface GigabitEthernet0/1
 switchport private-vlan host-association 10 50
 switchport mode private-vlan host
!
! UP AND UNTIL
interface GigabitEthernet0/14
 switchport private-vlan host-association 10 50
 switchport mode private-vlan host
!
interface GigabitEthernet0/15
 switchport private-vlan mapping 10 50
 switchport mode private-vlan promiscuous
 speed 1000
 duplex full
!
interface GigabitEthernet0/16
 switchport private-vlan mapping 10 50
 switchport mode private-vlan promiscuous
 speed 1000
 duplex full
!
interface GigabitEthernet0/21
 description VLAN100
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/22
 description VLAN100
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/23
 description VLAN100
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/24
 description VLAN100
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 speed 1000
 duplex full
!
!
interface Vlan1
 no ip address
!
interface Vlan100
 ip address 10.0.10.240 255.255.255.0
!
ip default-gateway 10.0.10.241
!
```
Now, with the upcoming addition of a 2960, I wonder the following: should I make a trunk for this, or can I just do something like this on the 3560:
```cisco
!
interface GigabitEthernet0/20
 switchport private-vlan host-association 10 50
 switchport mode private-vlan host
!
```
and this on the 2960:
```cisco
!
vlan 50
 private-vlan primary
 private-vlan association 61
!
vlan 61
 private-vlan isolated
!
! UPLINK PORT
interface GigabitEthernet0/16
 switchport private-vlan mapping 50 61
 switchport mode private-vlan promiscuous
!
! ACCESS PORTS
interface GigabitEthernet0/1
 switchport private-vlan host-association 50 61
 switchport mode private-vlan host
!
```
The above configuration would mean I make the 3560 port towards the 2960 an isolated private VLAN port. Then, on the 2960 side, I add a promiscuous port with primary VLAN 50, which is the isolated VLAN of the 3560. Then, to make all the ports on the 2960 private, I make a new isolated VLAN 61.
My idea is like this: traffic from the 2960 goes from isolated VLAN 61 (on the 2960) > primary 50 > isolated 50 (now on the 3560) > primary 10. Can someone tell me if it works like this?
The already configured 2950 I cannot access, but the 3560 port configured for the link to it is an isolated port (Gi0/5). It also gives a native VLAN mismatch (which I think could be solved by changing the native VLAN on the 2950). So I cannot use the 2950 as an example because I cannot access it, though I believe it's just a default configuration (i.e. a password and not much else).
Hopefully it's a bit clear what I'm asking.
Thanks in advance,
Neither the 2950 nor the 2960 series switches actually support Private VLANs. If they supported Private VLANs, then you would interconnect them with a completely usual, ordinary trunk port. As each switch would be configured with an identical VLAN database (primary and secondary VLANs and their types), each switch would correctly handle the frames. Unfortunately, things are not going to be that easy without PVLAN support on the 2950/2960.
Also, the manipulation of the VLAN IDs as you suggested (61->50->50->10) is not correct for Private VLANs. The secondary VLAN ID is maintained throughout the entire switched domain and always remains the same: it gets set when a frame first enters a private-vlan host port and stays that way. The primary VLAN ID is used only when a frame comes in through a promiscuous port, so that all switches know that this particular frame is to be delivered to every port in each associated secondary VLAN.
The problem now is that you cannot maintain the isolation of the secondary VLANs on the 2950/2960 switches. Essentially, these VLANs can be extended to the 2950/2960 switches but on them, they will lose all their private VLAN capabilities and features and become ordinary VLANs.
If all you need is to extend an isolated VLAN then I suggest the following:
- On 3560, make the port towards the 2950/2960 a private-vlan host port in an isolated VLAN
- On 2950/2960, make the port towards the 3560 to be an access port in the appropriate VLAN
- On 2950/2960, furthermore, configure all remaining ports as access ports and, in addition, use the command switchport protected on all of them to prevent one such port from communicating with another. Do not use this command on the uplink towards the 3560.
This way, you can extend an isolated VLAN to a switch that does not support isolated VLANs. Similarly, you can extend a single (not multiple) community VLAN onto the 2950/2960; the only difference would be in not using the switchport protected command on the 2950/2960. However, you cannot extend multiple community VLANs onto a 2950/2960 switch because it will not be capable of handling them properly (it has no concept of a primary VLAN, and if a frame came in marked with the primary VLAN ID, the switch would not replicate it on all ports in the secondary VLANs as it is supposed to do).
This might be a bit confusing. I have had my own share of misunderstanding the PVLAN feature. Feel free to ask further!
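Here is what the three steps above look like as a complete pair of configurations, written as an added example for this thread (it is not configuration from either poster). It reuses the VLAN numbers already in the thread (primary 10, isolated 50), the 3560 port the original poster proposed for the 2960 (Gi0/20), and the 2960 port numbers the poster labelled (Gi0/16 as uplink, Gi0/1 onwards as access ports). Two things are assumptions: that the 2960 access ports are Gi0/1 through Gi0/14, and that the ordinary VLAN on the 2960 is numbered 50. That number is only reused for readability; because a private-vlan host port on the 3560 sends and receives untagged frames, any unused VLAN ID on the 2960 would behave the same way.

```cisco
! ---- 3560 (has PVLAN support) ----
! Primary 10 / isolated 50 exactly as already defined on this switch.
vlan 10
 private-vlan primary
 private-vlan association 50
!
vlan 50
 private-vlan isolated
!
! Step 1: the link to the 2960 is an ordinary isolated HOST port,
! not a trunk and not a promiscuous port. Everything behind it can
! therefore only talk to the promiscuous ports Gi0/15-16.
interface GigabitEthernet0/20
 description Link to 2960 (isolated VLAN 50 extension)
 switchport private-vlan host-association 10 50
 switchport mode private-vlan host
!
! ---- 2960 (no PVLAN support) ----
! VLAN 50 here is a plain VLAN; the number is an assumption and is
! only locally significant, since Gi0/20 on the 3560 is untagged.
vlan 50
 name ISOLATED-EXT
!
! Step 2: uplink to the 3560 is a static access port in that VLAN.
! It must NOT be "switchport protected", or the hosts lose their
! only path to the promiscuous ports. "nonegotiate" keeps DTP from
! trying to turn the link into a trunk.
interface GigabitEthernet0/16
 description Uplink to 3560 Gi0/20
 switchport mode access
 switchport access vlan 50
 switchport nonegotiate
!
! Step 3: host-facing ports (range assumed) in the same VLAN with
! "switchport protected", so they cannot forward to each other but
! can still reach the unprotected uplink.
interface range GigabitEthernet0/1 - 14
 switchport mode access
 switchport access vlan 50
 switchport nonegotiate
 switchport protected
!
! ---- Checks ----
! On the 3560: Gi0/20 must be listed as a host port of 10/50.
!   show vlan private-vlan
!   show interfaces gigabitethernet0/20 switchport
! On the 2960: host ports must report "Protected: true", the uplink
! "Protected: false".
!   show interfaces gigabitethernet0/1 switchport | include Protected
!   show interfaces gigabitethernet0/16 switchport | include Protected
```

Two caveats follow from how this works. First, switchport protected is purely local to the 2960: it only blocks traffic between two protected ports on that same switch. The isolation between a host on the 2960 and the isolated hosts on Gi0/1-14 of the 3560 comes from the 3560 side, where VLAN 50 is isolated, so both halves are needed. Second, because the whole 2960 hangs off a single isolated host port, a second 2960 attached to another isolated host port on the 3560 would also be unable to reach the first one, which is usually what you want for an isolated segment but is worth knowing before you add more switches.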