I am trying to implement PVLANs in our network, and here is a simple description of what I want to accomplish.
I have a subnet 10.24.224.0/21 allocated for a DMZ subnet.
I configured the firewall interface as the promiscuous port.
I have 2 types of remote users (one using VPN and the other using Citrix) and I assigned a community vlan.
I also have some web servers, FTP servers and DNS servers. I want to assign these ports as isolated ports.
I have little confusion about isolated ports. When I assign the DNS server port as an isolated port, will it affect any queries directed towards it? I want external users and internal users to do a nslookup against this DNS server. In this case, do I need to configure this port as isolated or promiscuous?
The better option would be to configure it as a promiscuous port. An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Refer to the URL.
If the external and internal users are on different VLANs from the DNS server VLAN, then you could configure the DNS server port as isolated and they will still be able to do DNS lookups. Promiscuous/community/isolated ports are only relevant to that specific VLAN.
However, if there are other servers on the same VLAN as the DNS server that need to do DNS lookups, then you cannot use an isolated port, as they will be unable to talk to the DNS server. In this instance, if you know which servers need to talk to the DNS server, you could use community ports.
If you are not sure, then do as the previous poster suggested and use promiscuous; most things need DNS services.
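As an added illustration of the layout the two answers describe (not from the original thread and not Cisco's own documentation): a Catalyst IOS configuration with the firewall and the DNS server as promiscuous ports, the web/FTP servers on isolated ports, and the VPN/Citrix remote-user ports in one community. The VLAN numbers and interface names are assumed; only the 10.24.224.0/21 DMZ subnet comes from the thread.

```cisco
! PVLANs require VTP transparent mode when running VTP version 1 or 2
vtp mode transparent
!
! Primary VLAN carrying the DMZ subnet 10.24.224.0/21 (VLAN IDs assumed)
vlan 224
 private-vlan primary
 private-vlan association 225,226
!
vlan 225
 private-vlan isolated
!
vlan 226
 private-vlan community
!
! Firewall: promiscuous, so it can reach every secondary VLAN
interface GigabitEthernet1/0/1
 description Firewall DMZ interface
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 224 225,226
!
! DNS server: promiscuous too, so hosts in the isolated and community
! VLANs (and clients arriving through the firewall) can all query it
interface GigabitEthernet1/0/2
 description DNS server
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 224 225,226
!
! Web and FTP servers: isolated, they can only talk to promiscuous ports
interface GigabitEthernet1/0/3
 description Web server
 switchport mode private-vlan host
 switchport private-vlan host-association 224 225
!
interface GigabitEthernet1/0/4
 description FTP server
 switchport mode private-vlan host
 switchport private-vlan host-association 224 225
!
! VPN and Citrix user segments: same community, so they can talk to
! each other and to the promiscuous ports, but not to the isolated servers
interface GigabitEthernet1/0/5
 description VPN / Citrix remote-user segment
 switchport mode private-vlan host
 switchport private-vlan host-association 224 226
!
! Check the result with: show vlan private-vlan
```

With this layout an isolated web server cannot reach the FTP server at Layer 2 even though both sit in 10.24.224.0/21, which is the separation the question was after.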
Thanks for the replies. After reading the replies and also doing some limited lab testing, I have a better understanding now. The only thing I forgot to check is whether more than one port can be a promiscuous port. Correct?