Private-vlan trunk promiscuous to ASA FW

huvsga
Level 1

Hi

Can anybody tell me whether I have understood private-VLAN promiscuous trunk ports on the CAT 4500 switch correctly?

Let's say you have a DMZ switch with different DMZ VLANs. Some of the VLANs are standard VLANs and some are private VLANs. The routing between all the VLANs is done in an ASA that is connected to a trunk port on the switch.

Let's say you have these VLANs:

Standard VLANs:

VLAN 10, IP 10.10.10.0/24

VLAN 20, IP 10.20.20.0/24

Private VLANs:

VLAN 30 primary, IP 10.30.30.0/24

vlan 300 Community

vlan 400 Community

VLAN 40 primary, IP 10.40.40.0/24

vlan 400 Community

vlan 401 Community

The ASA has a trunk port with subinterfaces for VLANs 10, 20, 30 and 40, and IP 10.X.X.1/24 on all of them.

The switch is configured with this:

interface fastethernet 5/2

switchport mode private-vlan trunk promiscuous

switchport private-vlan trunk allowed vlan 10,20,30,40

switchport private-vlan mapping trunk 30 300,301

switchport private-vlan mapping trunk 40 400,401

The question:

Will the ASA be promiscuous for the private VLANs, and can it also handle the standard VLANs? Can the traffic between the different IP subnets be forwarded (if a permitting ACL exists in the ASA)?

But the secondary community private VLANs under the same primary VLAN should not talk to each other.

Regards

Simon

9 Replies

aghaznavi
Level 5

You can enable promiscuous mode in your ASA device, if the ASA runs the advanced IPS software that provides further security inspection in either inline mode or promiscuous mode.

OK, thanks for your reply!

But the question I am asking isn't about IPS or IDS functions. I mean promiscuous in the private-VLAN sense. I know that a VLAN interface on a switch can be promiscuous for a private VLAN, and because that interface can talk to all hosts in the private VLAN, you can provide routing between subnets.

Here I want the ASA to be promiscuous for the private VLANs and provide routing between the different subnets.

Is that possible?

Brian M
Level 1

Did you ever get an answer for this? I have the same problem.

No, I haven't. Would be nice if someone could explain this.

I have the exact same issue/query.

Could one of the NetPro gurus please look at this?

Thanks

dario.didio
Level 4

Hi,

Yes, this is possible, as you have configured in your example.

Normally, a promiscuous port belongs to only one VLAN, the primary VLAN. This primary VLAN is then mapped to the secondary VLAN(s). This way, for example, a router belongs to the primary VLAN and is the default gateway for the devices in all the secondary VLANs, without any knowledge of them.

Imagine a multilayer switch and an access switch. The multilayer switch is the default gateway for VLANs 10, 20 and 30 and has no knowledge of PVLANs. On the access switch, VLANs 10, 20 and 30 are primary PVLANs mapped to 101,102 - 201,202 and 301,302 respectively. The access switch would now need three separate connections towards the core switch, because it needs a promiscuous port (to translate the primary to the secondary VLANs), but a promiscuous port can only belong to one VLAN. Additionally, there is also a management VLAN on the access switch, so a fourth connection is needed to transport the normal VLANs between core and access.

This is why the promiscuous trunk feature was added. A promiscuous trunk port is a port that can carry

- multiple primary VLANs

- standard VLANs

If we use a promiscuous trunk in our previous example (where we needed four connections between core and access), we now only need one.

The trunk is configured as promiscuous, allowing the three primary VLANs and the management VLAN. The primary VLANs are mapped to their secondary VLANs using the

switchport private-vlan mapping trunk 10 100,101

command.

Note that this feature is not supported on most devices, only the C4500 and C4948.

HTH,

Dario
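To make the design concrete, here is a worked configuration for the topology in the original question, on both the switch and the ASA. It is an added illustration, not configuration posted by anyone in this thread, and it assumes the VLAN numbers, subnets and switch port from the question (with secondaries 300/301 under primary 30 and 400/401 under primary 40, as in the mapping commands), plus an ASA interface GigabitEthernet0/1, interface names dmz10/dmz20/dmz30/dmz40, the host ports FastEthernet5/10 and 5/11, and a web server 10.10.10.80 that are all made up for the example.

```cisco
! Catalyst 4500 side (Cisco IOS)
vlan 10
 name dmz-std-10
vlan 20
 name dmz-std-20
!
vlan 300
 private-vlan community
vlan 301
 private-vlan community
vlan 30
 private-vlan primary
 private-vlan association 300,301
!
vlan 400
 private-vlan community
vlan 401
 private-vlan community
vlan 40
 private-vlan primary
 private-vlan association 400,401
!
! Promiscuous trunk towards the ASA. Only the standard VLANs and the
! primaries are allowed; the secondaries are never tagged on this link,
! the switch rewrites them to the mapped primary in both directions.
interface FastEthernet5/2
 description ASA GigabitEthernet0/1 (promiscuous trunk)
 switchport mode private-vlan trunk promiscuous
 switchport private-vlan trunk allowed vlan 10,20,30,40
 switchport private-vlan mapping trunk 30 300,301
 switchport private-vlan mapping trunk 40 400,401
!
! Two hosts in 10.30.30.0/24 in different communities: same subnet,
! same gateway (10.30.30.1 on the ASA), no layer-2 path between them.
interface FastEthernet5/10
 switchport mode private-vlan host
 switchport private-vlan host-association 30 300
interface FastEthernet5/11
 switchport mode private-vlan host
 switchport private-vlan host-association 30 301
!
! ASA side: one subinterface per standard VLAN and per PRIMARY VLAN.
! There is no subinterface for 300/301/400/401; the ASA never sees them.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz10
 security-level 50
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz20
 security-level 50
 ip address 10.20.20.1 255.255.255.0
interface GigabitEthernet0/1.30
 vlan 30
 nameif dmz30
 security-level 50
 ip address 10.30.30.1 255.255.255.0
interface GigabitEthernet0/1.40
 vlan 40
 nameif dmz40
 security-level 50
 ip address 10.40.40.1 255.255.255.0
!
! All DMZ interfaces share security-level 50, so routing between them has
! to be enabled explicitly and is then limited by the interface ACLs.
same-security-traffic permit inter-interface
! Example policy: hosts in 10.30.30.0/24 (both communities) may reach the
! web server in VLAN 10 on port 80; everything else entering dmz30 is dropped.
access-list dmz30_in extended permit tcp 10.30.30.0 255.255.255.0 host 10.10.10.80 eq 80
access-list dmz30_in extended deny ip any any
access-group dmz30_in in interface dmz30
```

Two things are worth checking once this is in place. First, the isolation between communities 300 and 301 is enforced only by the switch: they share 10.30.30.0/24, so the ASA never routes between them. The one way around that is a host forcing a packet for its neighbour through the gateway (a /32 route via 10.30.30.1), which would require the ASA to send the packet back out dmz30; by default the ASA drops such hairpinned traffic, so leave `same-security-traffic permit intra-interface` unset, or if you need it for something else put a `deny ip 10.30.30.0 255.255.255.0 10.30.30.0 255.255.255.0` line at the top of dmz30_in. Second, on the 4500 confirm with `show interfaces fastethernet 5/2 switchport` that the operational mode is a private-vlan promiscuous trunk and that only 10,20,30,40 are allowed; if a secondary VLAN ever appears in the allowed list, its hosts are no longer behind the mapping and reach the ASA as a plain tagged VLAN.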

Thanks for the explanation Dario..

I have a 3750 WS-C3750G-48TS with c3750-ipbasek9-mz.122-40.SE running on it and I can't seem to find the commands to make a promiscuous trunk:

switchport mode private-vlan trunk promiscuous

and

switchport private-vlan mapping trunk 10 100,101

Do you think upgrading to a newer IOS would suffice?

Thanks

Hello,

As I said in my previous post, this feature is only supported on the C4500, C4948 and ME4900.

It is not supported on the C3750.

HTH,

Dario

Thanks for the explanation. That was what I was looking for. My Cat4500s are in the production network and I haven't been able to get time to try it. But now I will.

Thanks again!
