Private VLAN questions. Help needed urgently.

ttl-systems
Level 1

Does anyone know whether the 3560 supports trunking on promiscuous ports? I have a situation where I have servers on isolated p.vlan 2000 on a distribution layer switch. I don't want to do any p.vlan configuration on the Core. So can communication happen between the Core and servers on isolated vlan 2000 if the only vlan that goes through the trunk link is the primary vlan 2001? Or do I have to put the isolated vlan also in the allowed vlans on the trunk, and also every community vlan that I have?

So what I'm asking is: do the devices that don't have p.vlan on see all the community vlans etc., or do they only see the primary VLAN? So if I had a server on the core switch on VLAN 2000, would it be able to communicate with servers that are on the isolated vlan 2000 on the distribution layer switch? The core switch would not have any private vlan configuration on it, just normal vlan config.

Can I have normal VLAN on the switch where I have Private VLANs?

8 Replies

jackyoung
Level 6

Please check the link below:

http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a00805b57c2.html

where the trunk can carry the PVLAN. Sorry, I cannot test it. I believe you need to set up L3 switching if the PVLAN communicates with a normal VLAN. Or try to set up the same VLAN ID in the core switch (in a lab environment) to test it.

Hope this helps.

Roberto Salazar
Level 8

Does anyone know whether the 3560 supports trunking on promiscuous ports?

>> NO. A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs. Layer 3 gateways are typically connected to the switch through a promiscuous port. With a promiscuous port, you can connect a wide range of devices as access points to a private VLAN. For example, you can use a promiscuous port to monitor or back up all the private-VLAN servers from an administration workstation. A trunk port serves more than one vlan, secondary or primary; therefore, from the above, it will break that rule, hence it is not supported, at least on this platform.

I have a situation where I have servers on isolated p.vlan 2000 on a distribution layer switch. I don't want to do any p.vlan configuration on the Core. So can communication happen between the Core and servers on isolated vlan 2000 if the only vlan that goes through the trunk link is the primary vlan 2001? Or do I have to put the isolated vlan also in the allowed vlans on the trunk?

>> Putting an isolated vlan in the trunk will not cause the other devices in the same private vlan to talk to an isolated port. An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.

and also every community vlan that I have?

>> See above: an isolated port will not talk to anyone at all except the promiscuous port.

So what I'm asking is: do the devices that don't have p.vlan on see all the community vlans etc., or do they only see the primary VLAN?

>> Devices that are in the same secondary community vlan can see each other and the promiscuous port. An isolated vlan can only talk to the promiscuous port.

So if I had a server on the core switch on VLAN 2000, would it be able to communicate with servers that are on the isolated vlan 2000 on the distribution layer switch? The core switch would not have any private vlan configuration on it, just normal vlan config.

>> No, isolated vlans are isolated; they can only talk to promiscuous ports, which are normally the port to the default gateway, if the default gateway router is an external router. It sounds like you should be putting them in a secondary community vlan if you want them talking to one another.

Can I have normal VLAN on the switch where I have Private VLANs?

>> Yes, you may.

Please rate helpful posts.
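As an added illustration of the behaviour Roberto describes (this is example configuration written for this page, not configuration posted in the thread or taken from Cisco's documentation): a 3560-style private VLAN setup using the thread's primary VLAN 2001 and isolated VLAN 2000, plus an assumed community VLAN 2010, with the gateway router (or a monitoring host) on a locally attached promiscuous port. The interface numbers, the community VLAN ID, the ordinary VLAN 100 and the interface ranges are assumptions chosen for the example.

```ios
! Added example (not from the thread); VLAN 2010, VLAN 100 and all interface
! numbers are assumed values. Private VLANs require VTP transparent mode.
vtp mode transparent
!
! Secondary VLANs: one isolated (2000, from the thread) and one community (2010, assumed).
vlan 2000
 private-vlan isolated
vlan 2010
 private-vlan community
!
! Primary VLAN 2001 (from the thread), associated with both secondaries.
vlan 2001
 private-vlan primary
 private-vlan association 2000,2010
!
! Isolated host ports: reach only the promiscuous port, never each other.
interface range GigabitEthernet0/1 - 8
 switchport mode private-vlan host
 switchport private-vlan host-association 2001 2000
!
! Community host ports: reach each other and the promiscuous port.
interface range GigabitEthernet0/9 - 16
 switchport mode private-vlan host
 switchport private-vlan host-association 2001 2010
!
! Promiscuous port toward the external gateway router (or a monitoring host):
! it talks to every secondary VLAN mapped here, so it is the one place where
! isolated, community and primary traffic meet.
interface GigabitEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 2001 2000,2010
!
! An ordinary VLAN coexisting on the same switch (the "normal VLAN" question).
vlan 100
interface GigabitEthernet0/20
 switchport mode access
 switchport access vlan 100
!
! Verification:
! show vlan private-vlan
! show interfaces GigabitEthernet0/24 switchport
```

In this example the gateway is reached through a promiscuous port on the same switch, which is the case the reply describes as the normal one. Whether the same isolation holds once VLANs 2000, 2001 and 2010 are carried over an ordinary trunk to a core that has no private VLAN configuration is exactly the open question of the thread, and this example does not settle it; `show vlan private-vlan` on the switch shows which ports are actually bound to which secondary VLAN, which is the first thing to check when a host can reach something it should not.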

>> Putting an isolated vlan in the trunk will not cause the other devices in the same private vlan to talk to an isolated port. An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.

>>> My distribution layer is just layer 2 switched to the core. So it doesn't make any sense to use p.vlans on my d.layer, does it? Because devices in private vlans can't go any further than the switch they are connected to, because trunk ports can't be promiscuous ports. Am I right??? So I would need a layer 3 link between distribution layer and core that would be a promiscuous port? Any other way to do this? Thanks for your answers.

What I'm saying is that I have servers that just need to contact their gateway (isolated is perfect for this). I also have servers that need to communicate with specific servers (community is perfect for this). And I have a monitoring server (promiscuous is perfect for this). The question is whether the isolated and community vlans can communicate with their GW, because the GW is not on the switch that the servers are connected to. The GW is on a core switch that is trunk linked to the switch that has these servers.

Hello there,

Why don't you check the following link and give it a try:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_25a/conf/pvlans.htm#wp1122974

I think this might work, i.e. a promiscuous port on a trunk interface.

Vlad

Just so it's clear, what the Cat4500 supports does not necessarily mean it's supported on other platforms.

3560 Private vlan configuration guide:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swpvlan.htm#wp1039067

No support for promiscuous trunks on the 3560.

This one seems to apply only to the 4500 series. When I try this I only get these options:

switchport mode private-vlan ?

host Set the mode to private-vlan host

promiscuous Set the mode to private-vlan promiscuous

No trunking option here :(

And when I make a promiscuous port from the trunk port it loses its trunk status, and vice versa.

When you configure private VLANs, the switch must be in VTP transparent mode.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swpvlan.htm