I have an ASA that I am trunking 3 DMZ networks over the same Gig link to a 6500 (CatOS) switch. I am looking to configure PVLAN on one of the DMZs, but I don't have any ports available on the ASA to move the DMZ to. The reason I would need to move it is because I cannot configure the trunk port as a PVLAN promiscuous port.
I have an option that I wanted to post here to see if there are any reasons not to do it this way.
Currently the DMZ is on VLAN 100 being trunked to the ASA along with VLANs 101 and 102. I am thinking that I can configure a PVLAN setup using VLAN 50 as the primary PVLAN and VLAN 51 as the secondary (isolated) PVLAN. I was thinking of moving all servers from the 100 VLAN to the 51 VLAN and then removing all ports from VLAN 100 except for 1. I would then connect the promiscuous access port with 50 and 51 PVLAN mapping to the single VLAN 100 port on the same switch. VLAN 100 is already being trunked to the ASA. This way I still have the PVLAN and still have connectivity to the ASA.
Does anyone know of a reason why this shouldn't be done?
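The design described in the post, written out as a CatOS configuration fragment. This is an added example, not configuration from the original post or from Cisco; the module/port numbers (3/1-10 for the servers, 3/11 for the promiscuous port, 3/12 for the remaining VLAN 100 access port) are assumptions, and the existing dot1q trunk carrying VLANs 100-102 to the ASA is left as it is.

```cisco
# Assumed CatOS syntax and port numbers (added example, not from the post)
# Primary PVLAN 50 with isolated secondary PVLAN 51
set vlan 50 pvlan-type primary
set vlan 51 pvlan-type isolated

# Server ports moved out of VLAN 100 into isolated VLAN 51 (assumed ports 3/1-10);
# isolated ports can talk only to the promiscuous port, not to each other
set pvlan 50 51 3/1-10

# Promiscuous port (assumed 3/11): maps primary 50 to isolated 51
set pvlan mapping 50 51 3/11

# The single port left in VLAN 100 (assumed 3/12), which the trunk already carries to the ASA
set vlan 100 3/12

# A patch cable then joins 3/11 and 3/12 on the same switch, so traffic leaving
# the isolated VLAN reaches VLAN 100 and the existing ASA trunk without any new ASA port
```

The check to run afterwards is `show pvlan` and `show pvlan mapping`, confirming that every server port is bound to 50/51 as an isolated port and that only 3/11 carries the promiscuous mapping; a server port accidentally left in VLAN 100 would bypass the isolation entirely.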