Cisco Support Community
New Member

pvlan question

Hi All,

I am trying to implement pvlans in our network, and here is a simple description of what I want to accomplish:

I have a subnet allocated for a DMZ subnet.

I configured the firewall interface as the promiscuous port.

I have 2 types of remote users (one using VPN and the other using Citrix) and I assigned a community vlan.

I also have some web servers, FTP servers and DNS servers. I want to assign these ports as isolated ports.

I have a little confusion about isolated ports. When I assign the DNS server port as an isolated port, will it affect any queries directed towards it? I want external users and internal users to do an nslookup against this DNS server. In this case, do I need to configure this port as isolated or promiscuous?

Any help would be appreciated.


Re: pvlan question

The better option would be to configure it as a promiscuous port. An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Refer URL

Hall of Fame Super Blue

Re: pvlan question

If the external and internal users are on different vlans from the DNS server vlan then you could configure the DNS server port as isolated and they will still be able to do DNS lookups. Promiscuous/community/isolated ports are only relevant to that specific vlan.

However if there are other servers on the same vlan as the DNS server that need to do DNS lookups then you cannot use an isolated port as they will be unable to talk to the DNS server. In this instance if you know which servers need to talk to the DNS server you could use community ports.

If you are not sure then do as the previous poster suggested and use promiscuous - most things need DNS services.
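
The port-type rules described in the replies above, applied to the DMZ from the question, as an added example that is not part of any poster's reply. The port names, the `remote` community label and the single `remote_users` port standing in for both user groups are assumptions made for illustration.

```python
# Added illustration: Layer 2 reachability inside one private VLAN.
# Port names and the community label are constructed for this example.
PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


def can_talk(a, b):
    """Return True if two ports in the same primary VLAN can exchange frames.

    Each port is a (type, community_name) tuple; community_name is None
    unless the type is COMMUNITY.
    """
    type_a, comm_a = a
    type_b, comm_b = b
    if PROMISCUOUS in (type_a, type_b):
        return True                # a promiscuous port reaches every port
    if type_a == type_b == COMMUNITY:
        return comm_a == comm_b    # community ports reach their own community only
    return False                   # any other pairing involving an isolated port


def blocked_pairs(ports):
    """List the unordered port-name pairs that have no Layer 2 path."""
    names = sorted(ports)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if not can_talk(ports[x], ports[y])]


def dmz(dns_port):
    """The DMZ from the question, with the DNS server port type as a parameter."""
    return {
        "firewall": (PROMISCUOUS, None),
        "remote_users": (COMMUNITY, "remote"),
        "web": (ISOLATED, None),
        "ftp": (ISOLATED, None),
        "dns": dns_port,
    }


if __name__ == "__main__":
    for label, dns_port in [("isolated", (ISOLATED, None)),
                            ("promiscuous", (PROMISCUOUS, None))]:
        print(f"DNS port {label}: blocked = {blocked_pairs(dmz(dns_port))}")
```

With the DNS port isolated, every same-VLAN host except the firewall appears in the blocked list; lookups arriving from other VLANs through the firewall's promiscuous port are unaffected.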

New Member

Re: pvlan question

Hi All,

Thanks for the replies. After reading the replies and also with limited lab environment testing, I have a better understanding now. The only thing I forgot to check is whether more than one port can be a promiscuous port. Correct?

Hall of Fame Super Blue

Re: pvlan question

Yes you can have multiple promiscuous ports.

