New Member

Private VLAN over OTV

Hi,

Has anyone implemented PVLAN over OTV? Is there any restriction to it?

Thanks.

Alex


Accepted Solutions
New Member

Hi Alex,

I saw your question while playing with Private VLANs and OTV myself, with the idea of combining them (just for lab purposes :-) ), and having problems making it work (and found no answer here).

The answer: it works, but not out of the box.

The problem is that secondary Private VLANs don't have any CAM table entries associated, which is a problem for OTV, which doesn't forward any unknown unicast. You need to make static CAM entries on the OTV VDCs pointing to the OTV internal interface for the Private VLAN devices on that local site. That way you get the necessary OTV route entries (selective OTV unicast flooding didn't work for me).

Hope you are still interested in the answer to your question, it was great fun to think about this little problem.

 

Simon

6 REPLIES
Cisco Employee

Hi, in the documentation there is no limitation between PVLAN and OTV; see the links.

(Limitations with Other Features)

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/layer2/configuration/guide/Cisco_Nexus_7000_Series_NX-OS_Layer_2_Switching_Configuration_Guide_Release_5-x_chapter6.html#con_1344136

(Guidelines and Limitations for OTV)

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/nx-os/OTV/config_guide/b_Cisco_Nexus_7000_Series_NX-OS_OTV_Configuration_Guide.pdf

 


New Member

So I'm currently trying to implement this, and I tried with static CAM entries and without entries, and have issues either way.

I have taken a community PVLAN and a host-associated port on one side of the OTV and the host port on the same secondary VLAN on the other side.

Cannot ping.

Flip it to a promiscuous port on one side with association, and it starts to ping.

Thinking through the logic, I looked at the MAC address table of the primary VLAN, and it had the MAC info of the host/secondary community VLAN, and I looked at the OTV route statement, and it had the MAC seen attached to the primary VLAN coming from the correct side. Both sides.

So the static CAM statement didn't make sense. Even so I tried it, and it still did not work.

Just to ensure I understand the logic on the OTV VDC CAM statement:

mac address-table static "MAC-ADD" vlan X int E1/10 " L2 interface that you're learning the MAC from already"

The MAC should be the MAC of the host port in which the secondary VLAN host resides.

Running ver 6.2(8).

Running OTV for 20 normal VLANs, no issues on this code since August.

Any thoughts??

New Member

I think I know what I'm doing wrong and will attempt this tomorrow.

otv flood mac 0000.2101.1111 vlan 72

to flood unknown unicast across OTV, similar to the way that you would for MLB VMACs.

Cisco Employee

Hi Alex,

There is no such restriction from OTV. What you define in the access-interface and the overlay interface will be allowed.

Do revert back if you have any more specifics you wanted to know related to OTV.

Thanks,

Aries

New Member

Hi Simon,

I have had no chance to actually implement PVLAN over OTV, as the environment I'm working with is live. I ended up with the traditional method of using a port-based ACL. However, it's still great to know that the combination of PVLAN and OTV actually works.

Thank you for sharing your experience and test results.

Regards,

Alex
