Heads Up: Private VLAN Sticky-ARP DHCP Issues

Here is the scenario:
Private VLANs are configured on a 6500 Sup720 with SVIs routing for the PVLANs.
DHCP Snooping and IP ARP Inspection are also configured for the PVLAN subnets.
A DHCP Server is offering 3 day leases.
A laptop connects to the network and receives a 3-day lease. The user leaves the office and returns 4 days later. The DHCP server offers a new lease with a different IP address. Furthermore, the previous IP address leased to the laptop has been handed out in a new lease to another host. Both systems receive their DHCP lease but have no network connectivity.
The problem occurs because, by default, PVLAN SVIs use Sticky-ARP and never age out their ARP cache. Since the laptop has a different IP address to MAC address mapping than recorded in the Sticky-ARP cache, a violation occurs and the switch prevents the new IP address from populating the ARP table on the switch.
Sticky-ARP is a security feature that prevents one system from stealing another system's IP address.
Log messages show the following:
%IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry
The 6500 PVLAN configuration guide Restrictions and Guidelines section suggests that Sticky-ARP is fundamental to Private-VLANs, and the only work-around for this problem is to create manual ARP entries for the new IP address. This is clearly not a viable workaround for this scenario.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm#wp1090979
However, the 6500 Command Reference shows that Sticky ARP can be disabled, but makes no reference to PVLANs:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/i1.htm#wp1091738
There appear to be two sensible solutions to this problem:
1) Disable Sticky-ARP on the 6500 for the PVLANs. Since DHCP Snooping and IP ARP Inspection are configured, Sticky-ARP can be disabled without relaxing network security. This is assuming the 6500 will accept the command and will not break the existing PVLAN functionality.
2) Extend the DHCP lease longer, to 45 or 90 days perhaps. This will catch most transient activity and keep the IP address to MAC address relationships the same, wherever possible. The downside here is that DHCP address pools could collect stale entries that would take the lease time to flush, thus reducing the overall available IPs in the pool.
Has anyone else run into this problem? If so, what was your solution? Did you attempt either option above? I am planning on using solution #1 above, but I wanted to ping the NetPro community with this as I am sure we are not the first customer to run into this. Or are we??
Regards,
Brad

Excellent question.
Sticky-ARP is NOT intended to be a pain-in-the-butt that should be disabled right away; rather, it is a security mechanism that prevents a system from stealing an active IP address on the subnet and causing a lot of problems. Sticky-ARP works best on subnets that have all static IP addressing, where there is no expectation that a host would frequently change its IP address.
Yes, I would recommend keeping Sticky-ARP on subnets with all static IP addresses.
In DHCP subnets with no static IP addressing, DHCP Snooping and IP ARP Inspection provide the same security coverage that Sticky-ARP does, they prevent a system from claiming an illegitimate IP and MAC address. Furthermore, in DHCP subnets, it is reasonable to expect that a host would change its IP address from time to time when its lease expires.
Sticky-ARP does not provide any additional security benefits when DHCP Snooping and IP ARP Inspection are active, and it only causes problems when a lease expires.
When Cisco made Sticky-ARP the default behavior for Private VLANs, they certainly did not have DHCP in mind.
In summary, it should be known as a Best Practice that when using Private VLANs on user segments with DHCP, DHCP Snooping and IP ARP Inspection should be enabled and Sticky-ARP disabled.
Brad
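To make the argument in the two posts concrete, here is an added Python model (not code from the thread or from Cisco) that replays Brad's lease-expiry scenario against the four combinations of Sticky-ARP and DHCP Snooping/DAI on the SVI; the host MACs, addresses and lease timings are constructed.

```python
"""Sticky-ARP versus DHCP Snooping + DAI on a PVLAN SVI, as a small model.

Added illustration, not code from the thread above or from Cisco. It replays
the scenario Brad describes (3-day lease, laptop back after 4 days, its old
address re-leased to another host) against four SVI settings and reports
which ARP learns succeed. MAC addresses, IPs and timings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DAY = 86_400  # seconds


@dataclass
class DhcpSnoopingTable:
    """Binding table: IP -> (MAC, lease expiry). Populated only from snooped DHCP ACKs."""
    bindings: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def lease(self, ip: str, mac: str, now: int, lease_seconds: int) -> None:
        # A new ACK for the same IP replaces the old binding, which is exactly
        # what happens when an expired lease is handed out again.
        self.bindings[ip] = (mac, now + lease_seconds)

    def valid(self, ip: str, mac: str, now: int) -> bool:
        """True only if (ip, mac) is bound and the lease has not expired."""
        entry = self.bindings.get(ip)
        return entry is not None and entry[0] == mac and entry[1] > now


@dataclass
class PvlanSvi:
    """ARP cache of a PVLAN SVI. sticky=True is the 6500 default the thread hits."""
    sticky: bool = True
    dai: Optional[DhcpSnoopingTable] = None   # None = no IP ARP Inspection on the VLAN
    arp_cache: Dict[str, str] = field(default_factory=dict)  # ip -> mac
    log: List[str] = field(default_factory=list)

    def learn_arp(self, ip: str, mac: str, now: int) -> bool:
        """Offer an ARP packet claiming (ip, mac); return True if the entry is installed."""
        # DAI is evaluated on the access port before the SVI ever sees the packet.
        if self.dai is not None and not self.dai.valid(ip, mac, now):
            self.log.append(f"DAI drop: {ip} claimed by {mac} has no valid DHCP binding")
            return False
        old = self.arp_cache.get(ip)
        if self.sticky and old is not None and old != mac:
            # Sticky entries never age out, so a new MAC for a known IP is a violation.
            self.log.append(f"%IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry {ip}")
            return False
        self.arp_cache[ip] = mac
        return True


def lease_expiry_scenario(sticky: bool, enable_dai: bool) -> Tuple[bool, bool, bool]:
    """Return (laptop_ok, newcomer_ok, spoofer_ok) for the given SVI settings."""
    snoop = DhcpSnoopingTable()
    svi = PvlanSvi(sticky=sticky, dai=snoop if enable_dai else None)
    laptop, other, newcomer, spoofer = (
        "0000.aaaa.0001", "0000.bbbb.0002", "0000.cccc.0003", "0000.dddd.0004")
    ip1, ip2 = "10.1.1.10", "10.1.1.11"

    # Day 0: the laptop leases ip1, some other host leases ip2; both ARP normally.
    t = 0
    snoop.lease(ip1, laptop, t, 3 * DAY)
    snoop.lease(ip2, other, t, 3 * DAY)
    assert svi.learn_arp(ip1, laptop, t) and svi.learn_arp(ip2, other, t)

    # Day 7: both leases have expired. The server hands ip2 to the returning
    # laptop and ip1 to a newcomer; the snooping table follows the new ACKs.
    t = 7 * DAY
    snoop.lease(ip2, laptop, t, 3 * DAY)
    snoop.lease(ip1, newcomer, t, 3 * DAY)
    laptop_ok = svi.learn_arp(ip2, laptop, t)
    newcomer_ok = svi.learn_arp(ip1, newcomer, t)

    # A host holding no lease at all claims ip1: a sound design refuses this.
    spoofer_ok = svi.learn_arp(ip1, spoofer, t)
    return laptop_ok, newcomer_ok, spoofer_ok


if __name__ == "__main__":
    for sticky, dai in ((True, False), (True, True), (False, False), (False, True)):
        print(f"sticky={sticky!s:5} dai={dai!s:5} ->", lease_expiry_scenario(sticky, dai))
```

Only the sticky=False, DAI-on row lets both legitimate re-leases through while still refusing the host without a binding, which is the configuration the reply recommends.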

Similar Messages

  • Nexus 1000V private-vlan issue

    Hello
    I need to transmit both the private-vlans (as promiscuous trunk) and regular vlans on the trunk port between the Nexus 1000V and the physical switch. Do you know how to properly configure the uplink port to accomplish that?
    Thank you in advance
    Lucas

    Control vlan is a totally separate VLAN from your System Console. The VLAN just needs to be available to the ESX host through the upstream physical switch, and then make sure the VLAN is passed on the uplink port-profile that you assign the ESX host to.
    We only need an interface on the ESX host if you decide to use L3 control. In that instance you would create or use an existing VMK interface on the ESX host.

  • Cisco sg200 voice vlan dhcp issue

    I have a Cisco SG200 50P connected to a Cisco 3750 switch. I just wanted to separate voice (VLAN 2) and data (VLAN 1) VLANs. I created VLAN 2 as my voice VLAN and a separate DHCP server for VLAN 2 to give IP addresses to phones. However, the IP phone connected to my voice VLAN (VLAN 2) is not receiving an IP address from my DHCP server in VLAN 2.
    The DHCP server is connected to the 3750 switch with an access port (VLAN 2 - voice).
    The two switches are connected via trunk ports and allowed VLANs 1 & 2.
    The IP phone is connected to the SG200 via an access port (VLAN 2).
    Note - there is no PC connected to the IP phone.
    I would really appreciate it if anyone can help me with this issue.

    Hi Tom
    Thank you for the support. The phone is now getting the IP from the DHCP on its own VLAN (VLAN 2) according to your configuration. However, I need to configure the auto voice VLAN based on OUI feature which is in the SG200 switch.
    The problem is, the switch does not allow me to configure the auto voice VLAN feature when the port connected to the IP phone is in ACCESS mode (it has to be a trunk). I know according to Cisco Catalyst guidelines this is totally incorrect because they say "Voice VLAN is only supported on access ports and not on trunk ports, even though the configuration is allowed".
    I think it's not valid for Small Business switches. Anyway, when I make the said port TRUNK it works (by assigning 1U & 2T automatically). But the phone does not get an IP address from my DHCP server then.
    Can you help me with this if I am missing some configuration? Thank you once again.

  • Hi all, need advice on OSPF and private vlans

    Hi all.
    I have a project to complete and need some help on the possible solution I can use.
    Basically we have ospf area 0 and the users in question are in ospf area 7 and is a stub.
    I need to route the traffic from these users out through area 0 through 3 core devices, onto an external firewall interface to be placed onto the vpn that sits on it. The firewall is not included in the ospf domain.
    My thinking was that the firewall has a default route back into the ospf domain so dont need to worry about traffic coming in, however my job is to segregate these users and take them out of our core network and place them onto an external network via this vpn.
    Not sure how to achieve this apart from static routing redistributed, but surely this does not separate their traffic, only points the route to ospf?!
    I was thinking I might have to use private vlans or policy routing but when I try policy routing the policy gets ignored due to normal forwarding.
    Any help and advice would be greatly appreciated.
    Cheers
    Steve

    Steve
    Thanks, that helps.
    GRE is definitely out because, apart from the 6500, GRE tunneling is not supported on the Cisco switches.
    It's good that area 7 is only for these users and not mixed up with other users.
    So if I understand correctly the 4500 interface connecting to the 6500 is in area 0 and the interface connecting to the 3550 is in area.
    Or is the 3550 connected to both areas and the 4500 totally in area 0 ?
    Can you confirm the above ?
    In terms of keeping them separate there are 2 possible choices. You can either -
    1) use VRF-Lite, although I'm not sure whether the HP switch would support this. With VRF-Lite you are in effect creating virtual devices on the same physical device. This means each virtual device has its own routing and forwarding table, so it is quite secure because you would only populate the routing table with the routes needed, so there would be no way for users to jump to the rest of your networks.
    The downside is that it can become quite complex to configure. If the 4500 is only used to connect area 7 to area 0 then that would not be a problem, but the connection from the 6500 to the HP could, and I don't even know whether the HP supports VRF-Lite functionality let alone how to configure it on that switch.
    But it would, at least from the 4500 to 6500 to HP provide complete separation in terms of routing and forwarding. Once it got to the HP it wouldn't but that might not be an issue.
    2) Use PBR (possibly together with acls). This is easier to configure ie. you configure PBR on the 4500 and the 6500 to get the traffic to the HP switch. But you do not get the actual separation you get with VRF-Lite ie. the traffic simply overrides the existing routing tables.
    The other thing to bear in mind with PBR is that you also have to configure the return traffic as well so each device would need multiple PBR configs.
    Again i don't know whether the HP supports PBR but it may not be an issue depending on what the routing is on the HP.
    You could also use a combination of the above ie VRF-Lite between the Cisco switches and then PBR for the last hop to the HP device.
    I should say i don't have a huge amount of experience with VRF-Lite but that should not necessarily stop you using it if it is what you need. There are lots of other people on here so i'm sure there will be other people who can help if i can't.
    It still depends on how much separation is required. VRF-Lite is definitely seen as a way to separate traffic running across a shared infrastructure, PBR is not really seen in the same way.  So it may well be worth going back to find out exactly what "segregating" user traffic means.
    I don't want to confuse the issue but it's still not entirely clear what the actual requirement is.
    Jon

  • WAP551 DHCP issue

    Hi,
    I have trouble with new WAP551 access points.
    For supplying a new building on our campus we decided to use WAP551 access points. Another building is working with WAP541 models and all is working fine.
    The access points are working in cluster mode with 16 nodes. They are supplying multiple SSIDs in multiple VLANs with different DHCP servers in some VLANs.
    When I start switching between the SSIDs I will not get a DHCP address. When I go to look at the switchport where the AP is connected, I can't see any DHCP packet passing by. It seems that the AP stops passing DHCP. Sometimes it takes a few minutes, then suddenly a DHCP request passes by and my client gets an address.
    To isolate the issue, I took one of the new WAP551s to the old building and installed it there as a single AP, but it is the same there (so it has nothing to do with my infrastructure of the campus) and the WAP541s are still working fine - I can switch between the SSIDs a couple of times and always get a DHCP address.
    I installed the latest firmware of 2015-01-19 - 1.1.2.3 - but no change - still the same.
    I have no idea what's going on; has anybody here new ideas?

    My name is Eric Moyers. I am an Engineer in the Small Business Support Center.
    I am sorry to hear that you are experiencing this issue. 
    This seems to be a very involved network. In order to more quickly troubleshoot and resolve your issue, please call our support center and open a case so that one of our engineers can work directly with you.
    http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
    Eric Moyers

  • Weird DHCP Issue

    Hello All,
    I am facing a very weird DHCP issue and would like to know your thoughts on it.
    I have my wired clients on VLAN 1 and wireless clients (EAP-PEAP) on VLAN 2.
    We are facing an issue where multiple wired clients who were on access port VLAN 1 are receiving IP addresses from the wireless subnet (VLAN 2) - their DHCP server was the WLC virtual gateway IP address (1.1.1.1). This is causing an outage to a few wired clients.
    The WLC trunk does not have VLAN 1 allowed on its ports and all APs are in local mode and all on access VLAN.
    I'm not entirely sure what's causing this, but the only way I think this is possible is that 'A Client' laptop has his network connections bridged - his wired NIC on VLAN 1 and wireless NIC on VLAN 2, acting like a WGB, which is causing new wired clients' (VLAN 1) DHCP broadcast requests to be forwarded through the bridge-mode laptop to AP --> WLC. Do you think this is possible??
    Haven't been able to identify which client is causing this issue yet.
    Has anyone faced a similar issue, and is there any way to block this through WLC/ACS policy?
    Thanks
    Jino

    Hi,
    Might we consider to make use of network monitor to take a look at the traffics for the 1.1.1.1 address?
    How to use Network Monitor to capture network traffic
    Download link here:
    Microsoft Network Monitor 3.4
    Best regards
    Michael Shao
    TechNet Community Support

  • Private VLan in 3550

    We are going to purchase Cisco 3550 switches for our DMZ setup; we would like to utilise the Private VLAN (PVLAN) feature in order to protect our individual servers from any attack or any compromised servers. Can anybody highlight some more on how best to configure PVLANs in Cisco 3550 switches, and are there any issues with Checkpoint Firewall?
    Where will I get step by step commands? I searched on the Cisco site but lost myself finding the step by step documentation.
    I found one document which was very good, but it is for Cisco 6500 series switches. Please see the link for that: http://www.cisco.com/warp/customer/473/90.shtml
    Thanks in advance

    Here is a link that I hope helps you with your configuration. See the Configuring Protected Ports portion for the PVLAN feature.
    http://www.cisco.com/en/US/partner/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007e838.html
    I don't know any issues with specific vendor equipment (e.g. Checkpoint FW, etc).
    Hope this helps you,
    Don

  • Very weird dhcp issue

    We've started 're-vlanning' our main location here, breaking up depts into their own vlans.
    All seems ok so far, aside from a real doozy.
    For the IT vlan, we have one address that will not talk to our web content mgmt appliance. It's the 2nd address in our assignable pool, and it doesn't matter if it's dhcp or statically assigned, that address will not talk to that device.
    That is the *only* device that cannot be reached from this particular address in our dept vlan, every other one works fine.
    Any ideas on this?
    Stevo

    > and it doesn't matter if it's dhcp or statically assigned, that
    > address
    So.... the title of this thread should actually be 'Very weird non-DHCP issue', since your own testing confirms this has nothing to do with DHCP?
    If you do a LAN trace on this machine as well as your web content management appliance do you see packets on either side? Both sides? If not on both sides but you do on the source (workstation) side see packets going out, then get LAN traces after each network device (switch, router, firewall, etc.) to see when the packets disappear.
    Feel free to post the LAN traces somewhere with descriptions of IPs, ports, and what you should be seeing, if you want to post them somewhere for review.
    Good luck.

  • RV042 second DHCP issue

    Hi all,
    I have a Cisco RV042 in a network with 2 subnets, 192.168.1.x and 192.168.2.x, and I want multiple DHCP on both subnets. How can I do that?
    If I use a second router for the second subnet (192.168.2.x) to use its DHCP, will the bandwidth management work? Do I need port VLANs?
    The network is like this:
    The RV042 is the main router; through it we access the internet. It also supplies DHCP for 192.168.1.x, and I enabled multiple subnets for 192.168.2.x.
    The reason I want 2 subnets is because I have 2 access points for wireless clients and I want to use rate control on WAN with bandwidth management from the RV042 too, to give wired clients more bandwidth than wireless clients.
    I know that the RV042 doesn't supply multiple DHCP like the RV180, but I needed dual WAN.
    Thank You

    Hi,
    Thank you for the answer, but my issue remains, below I tried to write a little bit more
    If I make the configuration like this:
    On CISCO RV042:
    Port based VLANs:
    VLAN 1 on LAN 1
    VLAN 2 on LAN 2
    On AT-FS750/24 switch:
    Port-based VLANs:
    VLAN 1 for 2,3,4 ports where 2,3 are the AP's (TL-WA901ND) and 4 uplink to RV042
    VLAN 2 for the rest, let's say 5,6,7,8,9, etc ports that are for wired clients.
    Tagged-based (802.1q):
    VLAN ID 11 for 2,3,4 ports where 2,3 ports are tagged are the AP's (TL-WA901ND) and 4 untagged uplink to RV042.
    VLAN ID 22 for 2,3,4 ports where 2,3 ports are tagged are the AP's (TL-WA901ND) and 4 untagged uplink to RV042.
    On AP's (TL-WA901ND):
    Multi-SSID with tagged based VLAN:
    SSID 1 on VLAN ID 11
    SSID 2 on VLAN ID 22
    If I use the second router (not supporting VLANs) only for DHCP for the wired clients with the configuration:
    -In the WAN I'll plug RV042 LAN 2 (VLAN 2) and from its LAN 1 I'll connect LAN 5 (VLAN 2) in the switch.
    second router WAN:
    IP:    192.168.2.2
    SM:   255.255.255.0
    DG:   192.168.2.1
    DNS: 192.168.2.1
    For DHCP
    LAN1:
    IP:   192.168.3.3
    SM:  255.255.255.0
    It will work to split wireless from wired ?
    How can I split the 2 wireless networks in guests and business more efficient?
    Let's say the wireless clients from "SSID 1" have to have a guaranteed bandwidth.!
    How can I set it up so the wireless clients gets different IP class on the 2 wireless networks?
    Can I use the rate control from RV042 on the IP (192.168.2.2) of the second router?
    My problem is that I need all the subnet available from RV042 DHCP for the wireless clients (192.168.1.x), because RV042 can route only in class C (254).
    I configured the static IP's in 192.168.2.x subnet for Ethernet equipments, I used multiple subnets from RV042.
    Momentarily I use COS from the switch for the tagged VLAN to prioritize the traffic, but this is no longer an option for me.
    Can a CISCO RV180 make a difference in this configuration?
    Thank you,
    Dragos

  • Private-VLan Cisco 2975

    Hi guys,
    I got an issue configuring Private-VLANs on a Cisco 2975. I know that it's not supported, but is there a way that I can configure a switchport on a Cisco 2975 switch and be able to communicate with a Private-VLAN on a 3750 switch?

    Hi Eduardo,
    To prune a set of VLANs from a trunk manually, you should use the command
    switchport trunk allowed vlan remove vlan-list
    If, for example, 100 was the primary VLAN and 101, 102, 103 and 199 were the secondary VLANs associated with this primary VLAN, the command would be:
    switchport trunk allowed vlan remove 100-103,199
    Be careful when you do this in your production network. This command will cause that these VLANs are immediately disallowed on this trunk. If there are any clients in the removed VLANs on the 2975 switch, they will lose connectivity with the remainder of the network until you configure a separate connection between the 3750 and the 2975 placed into the particular secondary community VLAN.
    Best regards,
    Peter

  • ARP Inspection issue

    3 switches in the same broadcast domain (transparent mode), approx 200 vlans. Trunk links between switches allow all vlans 1-4096
    I set up ARP inspection for 1 particular VLAN to troubleshoot an ARP server issue, possibly an unintentional ARP MITM. Set up as follows:
    ip arp inspection vlan 100
    arp access-list DAI
    permit ip any mac any
    ip arp inspection filter DAI vlan 100
    ip arp inspection vlan 100 logging acl-match matchlog
    Once enabled, some of the servers in each switch on vlan100 went into error-disable mode and the Port channel between switches went into error-disabled status. Once I removed it with "no ip arp inspection vlan 100" and did a shut/no shut on the Port channel, the Port channel came back up, and after I had waded through and done a shut/no shut on all the error-disabled server ports everything was back to normal.
    Am I right in saying the problem was caused by not setting the Port Channels between switches to "arp inspection trust", and should I just leave all the server ports untrusted (default)? i.e. for all inter-switch links
    conf t
    int Po200
    ip arp inspection trust
    end
    then leave everything else as is? Would this make the problem go away? I can't try now as it is production kit; don't really have an ideal UAT lab as such yet.

    Hello stephendrkw,
    I believe you are right about the port channel causing the outage.
    Typically all host ports would be configured as untrusted and all switchports connected to other switches would be trusted.  Configuring a port as untrusted when it should be trusted, can cause an  outage. 
    If you suspect a MITM attack, you can go to a pc that you think may be sending the ip traffic to the wrong mac and at the command prompt, type "arp -a 192.168.1.1" and verify it has the correct mac address mapped to the ip address.  If it has the wrong mac, you can login to the switch then "show mac address-table address xxxx.xxxx.xxxx to locate the source of the MITM attack.
    On the switch side, you can type "show arp | i 192.168.1.1" and "show arp | i "mac address"" to verify what MAC is bound to the IP address.
    Hope this helps....

  • VRF and DHCP issue

    VRF and DHCP issue
    We have a 6500 ( 12.2 (33) SXH5 ) that has a VRF running for our guest network. On this 6500 resides the DHCP pool with a range defined for our guest network. We have a stack of 3750's (12.2 (46) SE) connected to the 6500 with a L3 connection. The 3750's have a local guest VLAN with its gateway defined in a VLAN interface. This VLAN on the 3750 has an IP helper address pointing to an IP within the VRF on the 6500. When debugging DHCP on the 6500, a request is received and sent back out. The client never receives this request.
    If a static IP is applied, the client is able to communicate anywhere within the VRF successfully (including pinging the IP within the helper-address). As many posts have pointed out, there is no VRF <name> under the ip dhcp pool <name> within the 6500. I am just wondering if anyone else has run into this and what their solution was.
    Thanks.

    Hi,
    I have tested the dhcp server and vrf on Cisco 3640 and it is working without VRF under the ip dhcp pool. Please ensure that you have configured routing for the dhcp-relay agent(VLAN facing dhcp client on 3750 in your case).

  • Problems setting up public/private vlans on sg300-52 switches

    A real beginner here with a problem on how to setup 3 SG300-52 (in L2 mode) as per this diagram:
    Port 1 on all switches should be able to talk to each other and access the blob at the right.
    The ports 25 on the other hand should only be able to talk among themselves in their own
    private vlan. They are to carry sensitive traffic.
    So I created 3 vlans, vlan 78 for ports gi1, gi51 and vlan 10 for ports 25, 49, 50 and a dummy vlan: 666
    with the intent of segregating vlan 10 from vlan 78.
    My attempts so far have failed.
    ports gi49-50 are configured as trunk ports and gi1,gi51 as access ports as the following
    cli output (excerpts of the startup config):
    vlan database
    vlan 10,78,666
    exit
    interface vlan 1
    ip address 172.16.10.11 255.255.255.0
    no ip address dhcp
    interface gigabitethernet1
    switchport mode access
    switchport access vlan 78
    interface gigabitethernet25
    switchport mode access
    switchport access vlan 10
    interface gigabitethernet49
    switchport trunk allowed vlan add 10,78
    switchport trunk native vlan 666
    switchport default-vlan tagged
    interface gigabitethernet50
    switchport trunk allowed vlan add 10,78
    switchport trunk native vlan 666
    switchport default-vlan tagged
    interface gigabitethernet51
    switchport mode access
    switchport access vlan 78
    Ports gi1 can talk to each other and access the blob but ports 25 refuse to talk to each other. But as soon as I remove
    the access links to the blob they can! Obviously, at that point port gi1 lose access.
    Is such a topology feasible or even advisable?
    Thanks,
    jf

    Hi Jean,
    Here's a pretty picture
    Now I will explain.
    The layer 3 switch is going to service as your core switch.
    Vlan 78 looks like your BLOB connection.
    Vlan 10 and 666 look like they don't belong on the BLOB.
    So how to configure this-
    You will want to configure the switch that connects directly to the BLOB as the layer 3 switch depicted in my diagram.
    Layer 3 switch, follow this document
    https://supportforums.cisco.com/docs/DOC-27038
    Bear with me, I am making up random numbers since I don't know what you want or will use.
    So VLAN 78 looks like the BLOB and 10 and 666 are staying out of the BLOB.
    config t
    vlan database
    vlan 10, 78, 666
    int vlan 1
    ip address 192.168.1.254 /24
    int vlan 10
    ip address 192.168.2.254 /24
    int vlan 78
    ip address 192.168.3.254 /24
    int vlan 666
    ip address 192.168.4.254 /24
    Configure the port you want to go to the BLOB, I am assuming vlan 78.
    config t
    int gi01
    switchport mode access
    switchport access vlan 78 (that 3750, what is the native vlan of the port it is connecting to??)
    Next, configure the downlink port to connect the layer 2 switch
    config t
    int gi0/2
    switchport mode trunk
    switchport trunk allowed vlan add 10, 78, 666  (this will make the port native vlan 1 untagged, rest ports tagged)
    On the downstream switch you need to configure an uplink and downlink with the respective vlans. It will remain layer 2 mode.
    config t
    vlan database
    vlan 10, 78, 666
    int gi0/1
    switchport mode trunk
    switchport trunk allowed vlan add 10, 78, 666
    int gi0/2
    switchport mode trunk
    switchport trunk allowed vlan add 10, 78, 666
    Same thing for the last switch, it will remain layer 2 mode
    config t
    vlan database
    vlan 10, 78, 666
    int gi0/1
    switchport mode trunk
    switchport trunk allowed vlan add 10, 78, 666
    int gi0/2
    switchport mode trunk
    switchport trunk allowed vlan add 10, 78, 666
    Let me know if this works out or if it is not logical for you.
    -Tom
    Please mark answered for helpful posts

  • Private Vlan, Etherchannel and Isolated Trunk on Nexus 5010

    I'm not sure if I'm missing something basic here, however I thought that I'd ask the question. I received a request from a client who is trying to separate traffic out of an IBM P780 - one set of VIO servers/clients (Prod) is tagged with vlan x going out LAG 1 and another set of VIO servers/clients (Test) is tagged with vlan y and z going out LAG 2. The problem is that the management subnet for these devices is on one subnet.
    The infrastructure is: the host device is trunked via LACP etherchannel to a Nexus 2148TP (5010) which then connects to the distribution layer, being a Catalyst 6504 VSS. I have tried many things today; however I feel that the correct solution to get this working is to use an Isolated trunk (as the host device does not have private vlan functionality) even though there is no requirement for hosts to be segregated. I have configured:
    1. Private vlan mapping on the SVI;
    2. Primary vlan and association, and isolated vlan on Distribution (6504 VSS) and Access Layer (5010/2148)
    3. All Vlans are trunked between switches
    4. Private vlan isolated trunk and host mappings on the port-channel interface to the host (P780).
    I haven't had any luck. What I am seeing is as soon as I configure the Primary vlan on the Nexus 5010 (v5.2) (vlan y | private-vlan primary), this vlan (y) does not forward on any trunk on the Nexus 5010 switch, even without any other private vlan configuration. I believe this may be the cause to most of the issues I am having. Has any one else experienced this behaviour. Also, I haven't had a lot of experience with Private Vlans so I might be missing some fundamentals with this configuration. Any help would be appreciated.

    Hello Emcmanamy, Bruce,
    Thanks for your feedback.
    Just like you, I have been facing the same problem in the last months with my customer.
    Regarding PVLAN on FEX, and as concluded in Bruce’s previous posts I understand :
    You can configure a host interface as an isolated or community access port only.
    We can configure “isolated trunk port” as well on a host interface. Maybe this specific point could be updated in the documentation.  
    This ability is documented here =>
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_1170903
    You cannot configure a host interface as a promiscuous  port.
    You cannot configure a host interface as a private  VLAN trunk port.
    Indeed a pvlan is not allowed on a trunk defined on a FEX host interface.
    However since NxOS 5.1(3)N2(1), the feature 'PVLAN on FEX trunk' is supported. But a command has to be activated before => system private-vlan fex trunk . When entered a warning about the presence of ‘FEX isolated trunks’ is prompted.
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_16C0869F1B0C4A68AFC3452721909705
    All these conditions are not met on a N5K interface.
    Best regards.
    Karim

  • Private VLAN Problem

    I have a 6509 running with a Sup720 and the latest IOS. Trying to configure several ports as a private VLAN with the below config. Problem is, in addition to not being able to talk to each other, hosts can't talk to the promiscuous port. Thoughts?
    vlan 172
    private-vlan primary
    private-vlan association 472
    vlan 472
    private-vlan isolated
    interface GigabitEthernet4/7
    switchport
    switchport private-vlan mapping 172 472
    switchport mode private-vlan promiscuous
    no ip address
    no cdp enable
    interface GigabitEthernet4/8
    switchport
    switchport private-vlan host-association 172 472
    switchport mode private-vlan host
    no ip address
    no cdp enable
    interface GigabitEthernet4/9
    switchport
    switchport private-vlan host-association 172 472
    switchport mode private-vlan host
    no ip address
    no cdp enable

    That did the trick, thank you. I guess I missed that the first two times I read through the documentation. I still have one problem, though. I ended up configuring 5 ports, 1 in promiscuous mode in port 25, two in community mode in ports 11 and 12, and two in private mode in ports 13 and 14. The PIX was in port 25, the internet router and a Nortel Contivity were in the community ports as these need to talk to each other as well as the PIX, and two other devices that only need connectivity to the PIX were in the private ports. Traffic flowing from inside the network was moving through the PIX to the WAN router fine. Traffic flowing through the PIX to the private ports was working fine. Traffic through the Contivity to the PIX and the router were flowing fine. But, VPN connectivity through the WAN router to the PIX wouldn't work. It wasn't a configuration issue with the PIX or the router, because as soon as I put them all in a standard VLAN, it worked fine, so it had something to do with the PVLAN configuration, but it just didn't make sense to me. Everything else was working in all directions. Any ideas?
