Cisco Support Community

New Member

Private VLAN across trunk to older model cisco switches

I am looking into the possibility of using private VLANs for some DMZ implementations; however, I do have what may be some very rudimentary questions. It seems straightforward how to configure the primary/secondary VLAN configuration as well as associating them. However, in my case I would be looking to configure the PVLAN on a 6500-vss platform acting as the router, while all of the hosts which I would desire to have in the isolated VLAN would be spread out across a number of older Cisco switches which only support "protected port" setup or Procurve switches, all of which I do not have budget to replace with something newer.

So in my scenario I would have a 6500 connected by trunk to multiple switches which only support a protected port setup, such as a Procurve (top of rack) or a Cisco 2950. As the Procurve or 2950 would not support Private VLAN setup, do I then just configure the secondary VLAN to be allowed across the trunk from the 6500, configure that VLAN on the Procurve or 2950 (as VTP will not forward the info for the secondary VLAN), and assign that VLAN to the host port as well as setting it as a protected port, and this will communicate just fine across the trunk to the router as well as stopping the protected port in top of rack switch 1 from being able to communicate to a protected port in top of rack 2, 3, etc.?

If the above scenario is what needs to be done, do I just use a regular trunk or do I have to use a PVLAN trunk?

Any assistance is greatly appreciated.


Cisco Employee

Re: Private VLAN across trunk to older model cisco switches


You will need to configure the port from 6500 towards the HP or 2950 either as an isolated port or as a PVLAN isolated trunk. This kind of trunk takes care of two important facts:

  • When a frame in the isolated secondary PVLAN comes into the 6500 via this trunk, it will not be forwarded out any other isolated PVLAN trunk nor any isolated port. It will be forwarded only through normal trunks and through promiscuous ports. This way, the 6500 will keep the 2950 and HP switches isolated from each other.
  • When a frame received on a promisc port is being forwarded out this trunk, the VLAN tag of the primary VLAN will be replaced with the tag of the secondary isolated PVLAN.

Otherwise, the idea you are proposing is very sound: to define the VLAN ID that corresponds to the isolated secondary PVLAN on the 2950 and the HP, and to use those switches' local features (such as protected ports) to keep those ports isolated. Note, however, that if you decide to use a trunk towards your 2950/HP switches, it cannot be a normal trunk because you need the functionality of the PVLAN isolated trunk to replace the tag of the primary VLAN with the tag of the secondary isolated PVLAN, and to make sure that frames received on this trunk port are not plainly forwarded out other similar trunks.

Best regards,
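
A simplified model of the two forwarding rules described in the reply above, added here as an example and not part of the original post or any Cisco code. The VLAN IDs 100/101 and the port names are constructed, and the model covers only frames in the primary and isolated VLANs, treating every frame as flooded (no MAC learning).

```python
from dataclasses import dataclass

# Constructed VLAN IDs (assumption, not from the thread).
PRIMARY, ISOLATED = 100, 101

@dataclass(frozen=True)
class Port:
    name: str
    kind: str  # "promiscuous" | "isolated" | "isolated_trunk" | "normal_trunk"

def ingress_vlan(port, tag=None):
    """Classify a received frame into the primary or the isolated secondary VLAN."""
    if port.kind == "promiscuous":
        return PRIMARY
    if port.kind == "isolated":
        return ISOLATED
    if port.kind == "isolated_trunk":
        if tag != ISOLATED:
            raise ValueError("model only covers the isolated VLAN on this trunk")
        return ISOLATED
    if tag not in (PRIMARY, ISOLATED):  # a normal trunk can carry either tag
        raise ValueError("tag is outside the modelled PVLAN domain")
    return tag

def egress(ports, src, tag=None):
    """Map each eligible egress port name to the 802.1Q tag sent (None = untagged)."""
    vlan = ingress_vlan(src, tag)
    out = {}
    for p in ports:
        if p == src:
            continue
        # Rule 1: isolated-VLAN frames leave only via promiscuous ports and normal trunks.
        if vlan == ISOLATED and p.kind in ("isolated", "isolated_trunk"):
            continue
        if p.kind == "normal_trunk":
            out[p.name] = vlan
        elif p.kind == "isolated_trunk":
            out[p.name] = ISOLATED  # Rule 2: primary tag rewritten to the isolated tag
        else:
            out[p.name] = None      # access-style port, frame sent untagged
    return out

# Constructed topology: one 6500 with two downstream isolated trunks.
PORTS = [Port("promisc-uplink", "promiscuous"), Port("to-2950", "isolated_trunk"),
         Port("to-procurve", "isolated_trunk"), Port("local-host", "isolated"),
         Port("to-core", "normal_trunk")]

if __name__ == "__main__":
    print(egress(PORTS, PORTS[1], ISOLATED))  # frame arriving from the 2950
    print(egress(PORTS, PORTS[0]))            # frame arriving on the promiscuous port
```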


New Member

Private VLAN across trunk to older model cisco switches

Sorry for the delay in getting back on this, but just to verify a couple things before I attempt this.

If I have, say, 2 hosts that I want isolated and they exist on 2 different 2950 switches which are trunked to my 6500, I would have to set up each of the trunks as PVLAN trunks. Does this in essence isolate all traffic between the 2 2950s at that point? I only ask as there will be other devices on these 2950s which I do not want to isolate traffic on, just wanting to do this on particular VLANs. If it would isolate traffic from being forwarded between the switches with the PVLAN trunks, this would create other issues for me.