Catalyst series - Private VLAN over trunk

Similar Messages

• Private VLAN Promiscuous Trunk Port - Switches which support this function

  Can anyone confirm if the "Private VLAN Promiscuous Trunk Port" feature is supported in any lower end switches such as Nexus 5548/5672 or 4500X? According to the feature navigator support seems to be restricted to the Catalyst 4500 range (excluding the 4500X) as shown below. If the feature is going to be supported in the Cat 3850 this would be good to know, thanks

  4500x Yes
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
  Nexus 5k Yes
  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
  3850s
  They dont support pvs at all yet
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
  Restrictions for VLANs
  The following are restrictions for VLANs:
  The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
  The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
  Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
  Private VLANs are not supported on the switch.
  You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.

• Private vlan over dot1q trunks with etherchannels

  Dear Freinds,
  I need to know whether can i use trunks in etherchannel for Private Vlans.
  regards
  Manish Shamjee

  Hello manish,
  You would need to elaborate more on that.
  Are you trying to 'trunk' primary private vlan's or secondary private vlans? Or are you trying to configure private vlans on ports that are etherchannels?
  Read this "Do not configure private VLAN ports as EtherChannels. While a port is part of the private VLAN configuration, any EtherChannel configuration for it is inactive"
  The above is from the pvlan guidelines and restrictions found here:
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm#wp1090979

• Private Vlans and trunk mode

  if we have a primary vlan 100 associate with it
  vlan 11 over {fa0/2 work as host mode} , vlan 12 over {fa0/3 work as host mode} they work as secondry community vlan
  and vlan 13 as isolated secondry vlan over {fa0/4 host mode}
  How we can route between private vlans 11,12,13 and {vlan 50 fa0/5 access mode}
  cloud we use the fa 0/1 which connected to L3 device as promiscouous mode and trunk mode at the same time or what ... ??
  and

  Private vlan's are all on the same subnet, so from what you are writing I see:
  100-------------------------------
  | | |
  | | |
  11 12 13
  Fa0/2 fa/03 fa0/4
  and you want to route to Vlan 50, correct?
  In that case you need to trunk vlan 100 to a vlan interface and make sure that vlan 50 also has a routed interface on the same device.

• Catalyst 3550 Privat-VLAN

  Hi,
  I was about to purchase a 3560 for my home lab to do private VLANS because I read that 3550s do not supprt pvlan. Till my suprise i can see the commands to do a private-vlan configuration on my 3550:
  (config-vlan)#private-vlan ?
    association       Configure association between private VLANs
    community         Configure the VLAN as a community private VLAN
    isolated          Configure the VLAN as an isolated private VLAN
    primary           Configure the VLAN as a primary private VLAN
    twoway-community  Configure the VLAN as a two way community private VLAN
  Can any tell me why everyone says their not supported though the commands are availble?
  Thanks in advance
  Bart

  Hi Bart,
  The IOS is obviously compiled from a common code base that is shared also for Catalyst 3560 and similar platforms. That is why you see the commands actually present. However, if you try to define a Private VLAN (either primary or secondary) and exit the VLAN configuration mode, you will get a platform error message, indicating the switch hardware could not be programmed for the Private VLAN operation.
  Private VLANs require hardware support, and if the underlying platform has no hardware provisions for supporting Private VLANs, they will not be available even if the switch IOS itself has the management features built in, as is in your case. True, the Private VLAN management commands should have not been enabled in the IOS for your platform but it's just the way it is...
  Best regards,
  Peter

• Private Vlan, Etherchannel and Isolated Trunk on Nexus 5010

  I'm not sure if I'm missing something basic here however i though that I'd ask the question. I recieved a request from a client who is trying to seperate traffic out of a IBM P780 - one set of VIO servers/clients (Prod) is tagged with vlan x going out LAG 1 and another set of VIO server/clients (Test) is tagged with vlan y and z going out LAG 2. The problem is that the management subnet for these devices is on one subnet.
  The infrastructure is the host device is trunked via LACP etherchannel to Nexus 2148TP(5010) which than connects to the distribution layer being a Catalyst 6504 VSS. I have tried many things today, however I feel that the correct solution to get this working is to use an Isolated trunk (as the host device does not have private vlan functionality) even though there is no requirement for hosts to be segregated. I have configured:
  1. Private vlan mapping on the SVI;
  2. Primary vlan and association, and isolated vlan on Distribution (6504 VSS) and Access Layer (5010/2148)
  3. All Vlans are trunked between switches
  4. Private vlan isolated trunk and host mappings on the port-channel interface to the host (P780).
  I haven't had any luck. What I am seeing is as soon as I configure the Primary vlan on the Nexus 5010 (v5.2) (vlan y | private-vlan primary), this vlan (y) does not forward on any trunk on the Nexus 5010 switch, even without any other private vlan configuration. I believe this may be the cause to most of the issues I am having. Has any one else experienced this behaviour. Also, I haven't had a lot of experience with Private Vlans so I might be missing some fundamentals with this configuration. Any help would be appreciated.

  Hello Emcmanamy, Bruce,
  Thanks for your feedback.
  Just like you, I have been facing the same problematic last months with my customer.
  Regarding PVLAN on FEX, and as concluded in Bruce’s previous posts I understand :
  You can configure a host interface as an isolated or community access port only.
  We can configure “isolated trunk port” as well on a host interface. Maybe this specific point could be updated in the documentation.  
  This ability is documented here =>
  http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_1170903
  You cannot configure a host interface as a promiscuous  port.
  You cannot configure a host interface as a private  VLAN trunk port.
  Indeed a pvlan is not allowed on a trunk defined on a FEX host interface.
  However since NxOS 5.1(3)N2(1), the feature 'PVLAN on FEX trunk' is supported. But a command has to be activated before => system private-vlan fex trunk . When entered a warning about the presence of ‘FEX isolated trunks’ is prompted.
  http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_16C0869F1B0C4A68AFC3452721909705
  All these conditions are not met on a N5K interface.
  Best regards.
  Karim

• Catalyst 2960 - IBM/Cisco IGESM - Trunk port configuration

  Good day all!
  I am new in Cisco world and try to configure a trunk between a Catalyst 2960 switch and a IBM Blade Center IGESM switch (manifactured by Cisco).
  Unfortunately, it seems that the network traffic doesn't cross the trunk link.
  I have followed (at least, I think so) the instructions given on the different Cisco documentation papers but I can't find the mistake in my configuration (lack of experience :-( !).
  Both switches are using IOS. 2960 uses IOS 12.2(25)FX and IGESM uses IOS 12.2(22)EA8.
  The ports are connected through a cross-over cable Cat5e.
  Please find below the configuration for each ports:
  Catalyst 2960:
  Name: Gi0/1
  Switchport: Enabled
  Administrative Mode: trunk
  Operational Mode: trunk
  Administrative Trunking Encapsulation: dot1q
  Operational Trunking Encapsulation: dot1q
  Negotiation of Trunking: On
  Access Mode VLAN: 200 (Workstation VLAN)
  Trunking Native Mode VLAN: 200 (Workstation VLAN)
  Administrative Native VLAN tagging: enabled
  Voice VLAN: none
  Administrative private-vlan host-association: none
  Administrative private-vlan mapping: none
  Administrative private-vlan trunk native VLAN: none
  Administrative private-vlan trunk Native VLAN tagging: enabled
  Administrative private-vlan trunk encapsulation: dot1q
  Administrative private-vlan trunk normal VLANs: none
  Administrative private-vlan trunk private VLANs: none
  Operational private-vlan: none
  Trunking VLANs Enabled: 1,99,200
  Pruning VLANs Enabled: 2-1001
  Capture Mode Disabled
  Capture VLANs Allowed: ALL
  Protected: false
  Unknown unicast blocked: disabled
  Unknown multicast blocked: disabled
  Appliance trust: none
  IBM/Cisco IGESM:
  Name: Gi0/20
  Switchport: Enabled
  Administrative Mode: trunk
  Operational Mode: trunk
  Administrative Trunking Encapsulation: dot1q
  Operational Trunking Encapsulation: dot1q
  Negotiation of Trunking: On
  Access Mode VLAN: 200 (Workstation VLAN)
  Trunking Native Mode VLAN: 200 (Workstation VLAN)
  Voice VLAN: none
  Administrative private-vlan host-association: none
  Administrative private-vlan mapping: none
  Administrative private-vlan trunk native VLAN: none
  Administrative private-vlan trunk encapsulation: dot1q
  Administrative private-vlan trunk normal VLANs: none
  Administrative private-vlan trunk private VLANs: none
  Operational private-vlan: none
  Trunking VLANs Enabled: 1,99,200
  Pruning VLANs Enabled: 2-1001
  Capture Mode Disabled
  Capture VLANs Allowed: ALL
  Protected: false
  Unknown unicast blocked: disabled
  Unknown multicast blocked: disabled
  Appliance trust: none
  For my test, I try to ping a blade (connected to IGESM) in VLAN 200 from a workstation connected to Catalyst 2960 (in VLAN 200 too). From a network anaylser (ethereal), I can see the ARP broadcast from each side but none are going across the trunk link.
  I am a bit lost about this problem and would be grateful for any assistance in solving it!
  Many, many thanks in advance for your time!
  Best regards,
  Fabian

  Hi Glen!
  Both switches (Catalyst 2960 & IGESM) are brand new and most ports are still reflecting manufacturer's default configuration. Vlan 2 is the default native vlan for IGESM ports (excluding ports used for switch management which use vlan 1 as most Cisco switches).
  I changed the native vlan for g0/5 on IGESM to 200. Now, ports g0/5 (access mode) and g0/20 (trunk mode) are on native vlan 200. On g0/5 is installed Windows 2003 instance (firewall disabled). The only purpose is to receive and send ping request to test connectivity.
  My workstation is connected to 2960 switch on port fa0/1 (please find the configuration below). I can successfully ping other vlan 200 machines connected on the same switch. For testing purpose, I try to ping the blade machine connected on port g0/5 on IGESM.
  Configuration of fa0/1:
  Name: Fa0/1
  Switchport: Enabled
  Administrative Mode: dynamic auto
  Operational Mode: static access
  Administrative Trunking Encapsulation: dot1q
  Operational Trunking Encapsulation: native
  Negotiation of Trunking: On
  Access Mode VLAN: 200 (Workstation VLAN)
  Trunking Native Mode VLAN: 200 (Workstation VLAN)
  Administrative Native VLAN tagging: enabled
  Voice VLAN: none
  Administrative private-vlan host-association: none
  Administrative private-vlan mapping: none
  Administrative private-vlan trunk native VLAN: none
  Administrative private-vlan trunk Native VLAN tagging: enabled
  Administrative private-vlan trunk encapsulation: dot1q
  Administrative private-vlan trunk normal VLANs: none
  Administrative private-vlan trunk private VLANs: none
  Operational private-vlan: none
  Trunking VLANs Enabled: ALL
  Pruning VLANs Enabled: 2-1001
  Capture Mode Disabled
  Capture VLANs Allowed: ALL
  Protected: false
  Unknown unicast blocked: disabled
  Unknown multicast blocked: disabled
  Appliance trust: none
  Is there any other information I could provide to better help you to understand the configuration?
  Cheers!
  Fabian

• Private vlan with MVR or any related solution

  I would like to enable MVR on C4507R+E on trunk port. Actually my current network setup is connecting two uplink from this switch to aggregation router as layer 2. And CPE is connected down this switch with private vlan configuration. I have attached interface configurations with this.
  I have to apply “mvr vlan 101 receiver vlan 104” in gig 1/1 interface to map the MVR vlan. But that is not supporting when the link is configured as “switchport mode private-vlan trunk”. Only this command is allowing if I configured as “swithport mode trunk”. But if it is normal trunk, private vlan services are not working. Please suggest your solution for this problem.
  According to cisco we can’t enable MVR in private vlan trunk port. Is there any other solution for this than ACL to block the stream from CPE to upwards at 4507 switch?
  (mvr working, but private vlan is not working)
  interface GigabitEthernet1/1
  switchport private-vlan trunk allowed vlan 101-104
  switchport private-vlan association trunk 200 102
  switchport private-vlan association trunk 300 101
  switchport mode trunk
  mvr type source
  mvr vlan 101 receiver vlan 104
  mvr immediate
  spanning-tree guard loop
  end
  (private vlan working, but mvr is not working)
  interface GigabitEthernet1/2
  description "connected to CPE"
  switchport private-vlan trunk allowed vlan 101-104
  switchport private-vlan association trunk 200 102
  switchport private-vlan association trunk 300 101
  switchport mode private-vlan trunk
  mvr type receiver
  mvr immediate
  spanning-tree guard loop
  end

  Hey,
  Correct, only one Isolated primary vlan is associated with Primary private vlan. Snippet from configuration guide:
  "A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. An isolated or community VLAN can have only one primary VLAN associated with it."
  HTH.
  Regards,
  RS

• 3750 bandwidth limitation between the same vlan over the trunk

  Hi All,
  I have 2 3750G series switches on the trunk link. some machines are part of vlan1 on the switch 1 and some machines are the part of the same vlan1 on the other switch2. I need to limit the bandwidth between the switches for the vlan1. picture is attached.
  I tried to do through the modulare policy frame work (class-map/service-map and policy-map using the police command) but problems are
  1) 3750 does not support output service policy, so i cannot apply the policy on the output of the trunk link.
  2) I can apply the input policy but it will be only for one machine but not for the others on the same switch. if i apply the policy on per port basis then every port has separate bw limitation. I require to limit the bandwidth on per vlan basis on the trunk port. like vlan 1 takes 10 MB, VLAN2 takes 10 MB on the trunk link when communicating between the same vlans.
  Is there any solution for that scenario? your help in this case will be higly appriciated. As its the layer 2 communication, its hard for me to find the solution. if it was layer 3 then i can do it easily by using the rate-limit commmand on the interface.
  thanks

  On the 4500 series we use vlan-range for this,
  conf t
  qos aggregate-policer 10MB 10 mbps 1250000 byte conform-action transmit exceed-action drop
  policy-map 10MB
  class class-default
  police aggregate 10MB
  interface GigabitEthernet1/1
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,10,12,15
  switchport mode trunk
  switchport nonegotiate
  vlan-range 1
  service-policy input 10MB
  service-policy output 10MB
  end
  dunno if the 3750's have the same options

• Multiple VLANs over 1300 series bridges

  Hi
  I am looking to connect a small external building to a main campus building by wireless bridge. The building i want to connect currently has two vlans, can the 1300 series bridges carry multiple vlans over the wireless bridge link? If so can anyone point me towards s document that explains it?
  Many thanks
  Simon

  Hi Simon,
  Yes they can, here is a link, i hope it helps you, look at the "Bridge configuration" title.
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
  Regards,
  Milton Tizoc.

• Private-VLAN trunk on 3560X

  Hi,
  I need to create Private-VLANs on 3650X, but is possible to configure this technology with 3560X switch and IOS 12.2(55)SE5?. I attach the topology.
  I want to configure the private VLANs on the VLAN 30, the isolated VLAN is the number 100 and the community VLAN is the 200. I guess that the interfaces trunk has to be set as promiscuous mode, is that correct?
  If the trunk is configuring as promiscuous mode, what happened with the others VLANs (10, 20 and 40), and what is the correct configuration for the interfaces trunk?

  Hi,
  Follow the config guide on how to configure private vlans:
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swpvlan.html
  HTH

• How to setup the trunk for private vlans across 2 switches (Both are SF300-24)

  Dear All,
  I have 2 switches which are SF300-24.
  Switch 1 is connected to Internet Router for all clients on swith1 and switch 2.
  The clients on switch 1 & switch 2 don’t communicate each other.
  Port1~Port24 on switch 1 & switch 2 are isolated ports.
  Gigaport1 on switch1 is connected to gigaport1 on switch2.  
  Gigaport2 on switch2 is connected to Internet Router.
  The VLAN 100 is for isolated ports.
  The native VLAN is 1.
  Please help me how to configure the case. Thanks for your help.

  I think he's just looking for PVE.  You can enabled 'protected port' on a port by port basis.
  Here's the excerpt from the admin guide.
  Protected Port
  —Select to make this a protected port. (A protected port is
  also referred as a Private VLAN Edge (PVE).) The features of a protected port
  are as follows:
  Protected Ports provide Layer 2 isolation between interfaces (Ethernet
  ports and LAGs) that share the same VLAN.
  Packets received from protected ports can be forwarded only to
  unprotected egress ports. Protected port filtering rules are also applied
  to packets that are forwarded by software, such as snooping
  applications.
  Port protection is not subject to VLAN membership. Devices connected
  to protected ports are not allowed to communicate with each other, even
  if they are members of the same VLAN.

• Private Vlan support on CAT3850

  Hello , i need to configure private vlans on Catalyst 3850 .
  On this page is said that 3850 does support this technology
  http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12686/qa_c67-722110.html
  But i can't  configure it because there is no such commands in CLI
  3850(config-vlan)#pri?
  % Unrecognized command
  Does it support it or will it support private vlans in future?

  Dmitry
  There does seem to be conflicting information. The link you provide does say they are supported but looking at the config guide it says -
  Restrictions for VLANs
  The following are restrictions for VLANs:
  The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
  The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
  Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
  Private VLANs are not supported on the switch.
  You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.
  full link -
  http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg_chapter_0100.html
  So it looks like with this release at least, they are not available. I don't know whether they are scheduled to be included in a later release of the software.
  Perhaps someone from Cisco can comment. The product page certainly needs updating as it seems the configuration guide is the correct one.
  Edit - i have posted a link to this thread in the Technical Documentation forum to ask for clarification although a Cisco person is still not guaranteed to answer.
  Jon

• Catalyst 6500 Block Switching Between Trunk Ports

  Hello all,
  I have a Catalyst 6509-E with SUP2T and a WS-68xx series SFP line card. On this line card I will have 5 trunk connections going to ME3400 4 port access switches. There is one tagged VLAN allowed on all trunk ports and it is the same across them all. I need to have one trunk connection be allowed to switch to all ports within this VLAN and the remaining 3 ports be denied to switch between eachother. The remaining three ports would only be able to switch to the primary trunk port.
  For informational purposes I want to point out that the downstream ME3400 access switches are performing QinQ on each connection so that when the traffic reaches the 6509 it will be double tagged.
  Traditionally I have been able to do this on 12 port ME3400s using the built in UNI/NNI structure and on ME3800/3600 switches using EVCs and the "split-horizon" keyword on the bridge domain. However, the 6500 doesn't seem to support either one of these commands.
  Does anyone have any ideas on how to accomplish this?

  I'm really not all that savvy on private VLANs but I did look at them as an option. Would they be affective on trunk ports? Most config examples I have seen have shown them applied on access ports.
  Can't see switchport protected:
  6509(config-if)#switchport protected
                                            ^
  % Invalid input detected at '^' marker.

• Private-VLAN and EtherChannel

  Hi,
  On a Catalyst 3750, I have created a Primary and Secondary Community VLANs and have associated them.
  The Primary VLAN (100) is attached to a promiscuous port, the Secondary VLANs (101-103) aren't attached to any port.
  I would like to let the Secondary VLANs traffic pass over an EtherChannel link that is a dot1q trunk.
  The trunk is made with a virtual switch (VMware ESX) and transports non-Private VLANs (101-103). The trunk itself works.
  How can I configure the EtherChannel as a private-VLAN port, considering that the EtherChannel isn't using PAgP/LACP modes? ("group-channel 1 mode on").
  Is there a way to solve this without replacing the Private-VLANs with VLANs?
  Thanks in advance for your help!

  From "EtherChannel Configuration Guidelines"
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sed/scg/swethchl.htm#wp1021856
  Do not configure a private-VLAN port as part of an EtherChannel.