PVLAN config in L2 environment

Hi all,

I have to configure PVLAN in an L2 environment to transport traffic from several hosts (more than 200) to a server. The requirement is that servers cannot communicate with each other, so I should use PVLAN because L2 ACLs don't scale in this environment.

I need assistance to confirm whether the configs I am thinking of are good to apply or something is missing/wrong.

This is a simple diagram of the situation:

[Image: cisco forum diagram.png]

As you can see, each host is connected to an access switch (3750G-24TS) and then goes through a pair of 6509 switches to the server that is the default gateway.

Based on PVLAN design, I have chosen to use VLAN 101 as the secondary isolated VLAN and VLAN 100 as the primary PVLAN. All have to be in an L2 environment.

So here are the configs that I assume:

3750G-24TS - Access switch

Switch(config)# vtp mode transparent
Switch(config)# vlan 101
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 101

#uplink config:

Switch(config)# interface f0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101
Switch(config)# interface f0/13
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101

#host config:

Switch(config)# interface f0/10
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 101

Switch(config)# interface f0/11
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 101

6509-1 - core switch

Switch(config)# vtp mode transparent
Switch(config)# vlan 101
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 101

#downlink to 3750
Switch(config)# interface f0/20
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101

#interface to core switch -2 (interface name not given in the post; f x/x is a placeholder)
Switch(config)# interface f x/x
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101

#uplink to default gateway server
Switch(config)# interface f0/40
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101

6509-2 - core switch
Switch(config)# vtp mode transparent
Switch(config)# vlan 101
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 101

#downlink to 3750
Switch(config)# interface f0/22
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101

#interface to core switch -1 (interface name not given in the post; f x/x is a placeholder)
Switch(config)# interface f x/x
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101

I would like some help to validate these configs, or to find out if anything is wrong.

Thanks a lot in advance


Peter Paluch
Cisco Employee

Hello Christian,

I see no obvious issue with your configuration as suggested above. It would, in my opinion, work.

However, I have a question regarding a particular design choice. You are using promisc ports to interconnect your 3750 and 6509. That means that the entire 3750 is closed inside the secondary isolated PVLAN 101. This means that you can never have other VLANs brought to it, and your management VLAN cannot be different from PVLAN 101. Is this what you want?

Usually, you would configure the links between the 3750 and 6509 as ordinary trunks. This will allow you to both use all advantages of PVLANs and yet have other ordinary VLANs continuous between your 3750 and 6509.

Best regards,

Peter

Hello Peter,

First of all thanks for the response.

I understand your concern about having the interconnection between 6509/3750 using isolated ports. However, these interfaces would be exclusively dedicated for this kind of traffic (critical backup), so I am aware of using that. I already have other interfaces up between them passing legacy VLANs (including mgmt).

Anyway, even if I need to use the same physical interface to interconnect the 6509 and 3750, which uses the current legacy VLANs, do you mean that I should add VLAN 100 and VLAN 101 to the current trunk as ordinary VLANs in order to solve the problem?

Thanks in advance

Regards,

Christian

Hello Christian,

I understand your concern about having the interconnection between 6509/3750 using isolated ports. However, these interfaces would be exclusively dedicated for this kind of traffic (critical backup), so I am aware of using that. I already have other interfaces up between them passing legacy VLANs (including mgmt).

Okay, I see. Makes sense.

Anyway, even if I need to use the same physical interface to interconnect the 6509 and 3750, which uses the current legacy VLANs, do you mean that I should add VLAN 100 and VLAN 101 to the current trunk as ordinary VLANs in order to solve the problem?

You would simply configure ordinary, plain trunks between the 3750 and 6509 as if you were not using PVLANs at all. If you are not using switchport trunk allowed vlan on your trunks, everything would be working right out of the box. If you are using the list of allowed VLANs then the list should also include the complete list of primary and secondary PVLANs apart from other ordinary VLANs. What I am saying here is that PVLANs can be extended through trunks to other switches, while leaving the existing VLAN connectivity intact. You can mix PVLANs and VLANs on normal trunks without any issues.

Best regards,

Peter

Thanks Peter for your help.

Even if I add them in an existing trunk, I should configure the vlan as PVLAN in vlan database right?

Switch(config)# vtp mode transparent
Switch(config)# vlan 101
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 101

So in case I need it I will add them to an existing trunk. Things like PVST are going to be the same as for the normal VLANs, right?

Another issue I realized is with the host and server access ports: I have to configure them similarly, with the following config lines.

Switch(config)# interface f x/x
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101

My question is, is traffic between host and server going to go through the primary VLAN or the secondary?

Thanks in advance

Best regards,

Hello Christian,

Even if I add them in an existing trunk, I should configure the vlan as PVLAN in vlan database right?

Can you be more specific about what do you mean by saying "add VLANs in an existing trunk"? I am not sure about the meaning of that statement. What commands would you use to do it?

Anyway, you should create the VLANs identically on all switches where they are used. If it is a normal VLAN, you create it on all switches just as a common, ordinary VLAN. If the added VLAN is a PVLAN of some sort (primary, secondary), then on all switches, it has to be created as a PVLAN. You simply create and use VLANs in a consistent way - once a PVLAN, always and everywhere a PVLAN; once a VLAN, always and everywhere a VLAN.

So in case I need it I will add them to an existing trunk. Things like PVST are going to be the same as for the normal VLANs, right?

Yes, PVST and RPVST run in PVLANs just like in any other VLANs.

Another issue I realized is with the host and server access ports: I have to configure them similarly, with the following config lines.

Switch(config)# interface f x/x
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101

Hmmm, this configuration would be appropriate for a server port, because the server needs to reside on a PVLAN promisc port. However, why would you want to configure a port towards a host in the same way? If hosts are connected to ports configured as shown here, they are all on promisc ports and they can all communicate with each other. You would completely lose their isolation, contrary to what you wanted to achieve.

A host port shall be configured as:

interface FastEthernet 0/1
  switchport mode private-vlan host
  switchport private-vlan host-association 100 101

My question is, is traffic between host and server going to go through the primary VLAN or the secondary?

If both host and server are connected to promisc ports then the communication will be carried exclusively by the primary PVLAN. That also means that if the promisc port is located on a different switch then the frame received on a promisc port will be tagged by the primary PVLAN number when it is forwarded via a trunk to the other switch.

If a host resides on an isolated host port (as shown in my example) while the server is on a promisc port then a frame received on the host port will be forwarded in the appropriate secondary PVLAN configured on the host port - in this case, the isolated secondary PVLAN 101. Such a frame can only be forwarded out promisc ports (untagged; neither host nor promisc ports perform any tagging whatsoever) and trunks, and on the trunk, the frame will be tagged with the appropriate secondary PVLAN. The receiving switch will receive the frame in the secondary PVLAN and because it is configured with an identical set of PVLANs and their types and relations, it will also know that this frame can be forwarded out only through promisc ports and trunks (if any).

A frame received on a promisc port can be forwarded out through any other port which is associated either with the primary or any secondary PVLAN - meaning that it can be switched out through any other promisc port, any other secondary host port (isolated or community), and it can also be sent out through trunks, in which case it will be tagged with the primary PVLAN. A switch that receives a frame tagged with the primary PVLAN on a trunk will also know that such a frame can be forwarded out any associated promisc and secondary host ports, and further trunks.

This is why you have to keep the VLAN configuration consistent across all switches so that the treatment of frames is identical on each switch.

A quick review:

  • A frame received on a host port can be forwarded out through:
    • A promisc port on the same switch associated with the same primary PVLAN
    • A trunk port, in which case it will be tagged with the secondary PVLAN according to the configuration of the host port
    • A host port in the same primary/secondary PVLAN if the secondary PVLAN is a community PVLAN
  • A frame received on a promisc port can be forwarded out through:
    • A promisc port on the same switch associated with the same primary PVLAN
    • A trunk port, in which case it will be tagged with the primary PVLAN
    • A host port associated with the same primary PVLAN and a particular secondary PVLAN, regardless of the secondary PVLAN type
  • A frame received on a trunk port will be handled depending on the value of the VLAN tag:
    • If the VLAN tag corresponds to the primary PVLAN, the frame is handled as if it was received on a promisc port
    • If the VLAN tag corresponds to the secondary PVLAN, the frame is handled as if it was received on a host port

I am not sure if this was intelligible... please feel welcome to ask further!

Best regards,

Peter
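The forwarding rules Peter summarises above, worked through as an added simulation that is not part of this thread or of any Cisco software. It assumes a constructed topology matching the thread (hosts on 3750 isolated host ports f0/10 and f0/11, trunk f0/1 to the 6509 port f0/20, server on promisc port f0/40), a constructed community secondary PVLAN 102 to show the third host-port rule, and trunks that carry all VLANs unless an allowed list is given (the caveat about switchport trunk allowed vlan).

```python
from dataclasses import dataclass
from typing import Optional
PRIMARY, ISOLATED, COMMUNITY = "primary", "isolated", "community"
# Constructed PVLAN database: 100 primary, 101 isolated (as in the thread); 102 community (constructed).
PVLANS = {100: (PRIMARY, None), 101: (ISOLATED, 100), 102: (COMMUNITY, 100)}

@dataclass(frozen=True)
class Port:
    name: str
    mode: str                            # "host", "promisc" or "trunk"
    primary: int = 0                     # primary PVLAN of a host/promisc port
    secondary: int = 0                   # secondary PVLAN of a host port
    allowed: Optional[frozenset] = None  # trunk allowed-VLAN list; None means all VLANs

def egress(ingress, ports, tag=None):
    """Map a frame received on `ingress` to {egress port name: trunk tag, or None if untagged}."""
    if ingress.mode == "trunk":          # a trunk frame is handled per its tag (primary or secondary)
        kind, parent = PVLANS[tag]
        role, sec, primary = ("promisc", None, tag) if kind == PRIMARY else ("host", tag, parent)
    elif ingress.mode == "promisc":
        role, sec, primary = "promisc", None, ingress.primary
    else:
        role, sec, primary = "host", ingress.secondary, ingress.primary
    out = {}
    for p in ports:
        if p is ingress:
            continue
        if p.mode == "trunk":            # trunk egress is tagged with the primary or the secondary PVLAN
            vid = primary if role == "promisc" else sec
            if p.allowed is None or vid in p.allowed:
                out[p.name] = vid        # a trunk whose allowed list omits vid drops the frame
        elif p.primary != primary:
            continue                     # a different primary PVLAN is never reachable
        elif p.mode == "promisc" or role == "promisc":
            out[p.name] = None           # promisc ports talk to every port in the primary PVLAN
        elif PVLANS[sec][0] == COMMUNITY and p.secondary == sec:
            out[p.name] = None           # community members see each other; isolated hosts do not
    return out

# Constructed topology from the thread: isolated hosts on the 3750, server on a 6509 promisc port.
ACCESS = [Port("f0/10", "host", 100, 101), Port("f0/11", "host", 100, 101), Port("f0/1", "trunk")]
CORE = [Port("f0/20", "trunk"), Port("f0/40", "promisc", 100)]

def host_to_server():  # host frame leaves the 3750 tagged 101 and reaches only the server
    hop1 = egress(ACCESS[0], ACCESS)
    return hop1, egress(CORE[0], CORE, tag=hop1["f0/1"])

def trunk_missing_secondary():  # allowed list with only the primary silently drops host traffic
    bad = [ACCESS[0], Port("f0/1", "trunk", allowed=frozenset({100}))]
    return egress(bad[0], bad)
```

Calling egress on the server's promisc port returns the trunk tagged with the primary PVLAN 100, and on the 3750 that tag fans out to every isolated host port, while a host-to-host frame on the 3750 is only ever offered the trunk.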
