ISE to dynamically push Private VLANs on Access switch deployments

Hi all,
is there a way to push PVLAN configuration via ISE to Access switches?
Currently I'm thinking about an authorization profile with an attribute setting the PVLAN.
Has anyone an idea how to push Private VLAN configs dynamically to Access Ports on switches?
Thanks for your comments

Try looking into using switch macros. You should be able to create a custom macro that changes the config of the port in question to make it part of a PVLAN community/isolated port or whatever you need, and then trigger this macro from ISE with your authorization result. It's used for the feature Cisco calls NEAT; try searching for that and you should find some examples.

Similar Messages

  • Spanning vlans across access switches in distribution block.... please help

    Hi All
    Can someone please explain why Cisco states that in a Campus Hierarchical model, if VLANs are spanned across Access switches in a distribution block, then the distribution to distribution link should be Layer 2. Is this really necessary or just a recommendation, and if so why? Can't this link be a L3 link when spanning VLANs across Access switches in a distribution block, as I understand the benefit of having a L3 distribution to distribution link is so that STP is avoided.
    Please help

    Hello,
    The Cisco recommended design is L3 links, but this is only possible if you have no VLANs you need to span over the whole network.
    It depends on your topology or what you want to achieve.
    If you need one or more VLANs spanned across the LAN, you need to use a Layer 2 connection between all switches and between the distribution switches too.
    In my company we have, for example, a few VLANs for restricted areas, like device management or else, so we can't use L3 links in the distribution area because these VLANs are terminated at the firewall. I think this is a good thing.
    I would recommend, if you don't have to span one or more VLANs across the network, to use L3 links, especially in the case of redundant paths. Then you need no spanning-tree, but need to use other protocols like GLBP or else. They work faster and are not so confusing (for some people) as STP.
    best regards,
    Sebastian

  • How to setup the trunk for private vlans across 2 switches (Both are SF300-24)

    Dear All,
    I have 2 switches which are SF300-24.
    Switch 1 is connected to the Internet Router for all clients on switch 1 and switch 2.
    The clients on switch 1 & switch 2 don’t communicate each other.
    Port1~Port24 on switch 1 & switch 2 are isolated ports.
    Gigaport1 on switch1 is connected to gigaport1 on switch2.  
    Gigaport2 on switch2 is connected to Internet Router.
    The VLAN 100 is for isolated ports.
    The native VLAN is 1.
    Please help me how to configure the case. Thanks for your help.

    I think he's just looking for PVE. You can enable 'protected port' on a port by port basis.
    Here's the excerpt from the admin guide.
    Protected Port—Select to make this a protected port. (A protected port is
    also referred to as a Private VLAN Edge (PVE).) The features of a protected port
    are as follows:
    Protected Ports provide Layer 2 isolation between interfaces (Ethernet
    ports and LAGs) that share the same VLAN.
    Packets received from protected ports can be forwarded only to
    unprotected egress ports. Protected port filtering rules are also applied
    to packets that are forwarded by software, such as snooping
    applications.
    Port protection is not subject to VLAN membership. Devices connected
    to protected ports are not allowed to communicate with each other, even
    if they are members of the same VLAN.

  • Private vlan across switches in NX-OS

    Hi,
    I'm trying to make a scenario to span private vlan across multiple switches but I couldn't get this to work in NX-OS N7K.
    My topology is similar to the one in the picture attached.
    I tried to ping from an isolated host in VLAN 201 in switch A to an isolated host in VLAN 202 in switch B. A promiscuous trunk port has been configured to the upstream router in switch A. From switch A to switch B is a normal trunk port.
    But still, I can't establish any connectivity from host vlan 201 to host vlan 202.
    Any suggestion?
    thanks

    Jerry -
    Any idea why? This breaks the ability to use moderately complex ACLs. For example - how would you configure scavenger class traffic to ignore some traffic, and mark other?
    Carole

  • Private VLAN and ASA subinterfaces

    Gents,
    I have a DMZ 3750 switch and I want to introduce private VLAN on this switch. This switch is connected to a Cisco ASA with a trunk (subinterface for each primary VLAN) because we have multiple DMZs. How will the configuration on both sides be?
    If private VLANs can't be used with ASA subinterfaces, what solution can be done in this scenario?
    Thanks,

    I would think the ASA doesn't care. The PVLANs are configured on the switch. The port that the ASA is connected to will be promiscuous.
    To see how to configure it, check out this guide (a long in depth read but worth it):
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html
    Regards,
    Ian
    If I helped please rate me.

  • Securing Vlans by access lists

    Hi,
    I have configured some VLANs using a Cisco Catalyst 2950 switch and a Cisco 2611 XM router. I configured the router for inter-VLAN routing with encapsulation 802.1q and all is running well. Now I started introducing some access policies between VLANs by the use of ACLs, but it seemed to me I am not clear on the packet filtering mechanism (e.g. inbound versus outbound packets, etc.). I succeeded in stopping access between 2 VLANs in a bidirectional way, but I don't know the best way to permit traffic from vlan1 to vlan2 while stopping traffic from vlan2 to vlan1.
    Help me please!

    check out the following link for information on Securing Networks with Private VLANs and VLAN Access Control Lists :
    http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml

  • Private VLAN support on actual HW

    Hi all,
    I'm currently thinking about a private VLAN based solution for a special demand.
    Now for my initial investigation I need to have something like a PVLAN HW support matrix.
    Meaning I'd like to know which switches in the Cisco portfolio support PVLANs.
    Additionally I'm wondering because most of the PVLAN documentation is relatively old.
    How about PVLAN support? Is PVLAN on Access switches still (and in future) featured by Cisco?
    thanks for your comments
    Dieter

    Hi Dieter,
    You could see this detail using the Cisco Feature Navigator tool which is available on the Cisco web site.
    1. Go to the site below
    http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
    2. Select the Feature button and type the feature which you would like to verify. If you press the Continue button, you can see the supported code as well as platforms.
    If you would like to know about any specific product support detail, please inform me, i can share information whether it supports or not.
    Inform me if you need more detail.
    Regards,
    Aru

  • Private VLANs - is this configuration right?

    Hi
    I have a 4500 that has a VLAN (10) on it where none of the clients should talk to each other. I am going to configure this as an isolated VLAN. This VLAN is propagated to a 6500 that has the IP address of this VLAN. From what I have read I need to create a primary VLAN (99) and then create the client VLAN (10) as an isolated VLAN within this (99).
    Is this correct?
    If anyone has a good doc on PVLANs please let me know! The docs on Cisco seem to be lacking.
    Cheers

    Here is an example. VLAN 83 is the promiscuous (primary) VLAN; I left in a port on VLAN 230 that has a host on it.
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    spanning-tree vlan 83,100-101,210,230,248-250 priority 24576
    vlan internal allocation policy ascending
    !
    vlan 83
     name DMZ_VLAN
     private-vlan primary
     private-vlan association 100-101,210,230,248
    !
    vlan 100
     name hinfwe-vlan
     private-vlan community
    !
    vlan 101
     name hinneo-vlan
     private-vlan community
    !
    vlan 210
     name IPASS
     private-vlan community
    !
    vlan 230
     name DNS-GSS
     private-vlan community
    !
    vlan 248
     name ADP-Internal
     private-vlan community
    !
    interface GigabitEthernet1/0/1
     description GSS-01 83.200
     switchport private-vlan host-association 83 230
     switchport mode private-vlan host
     no logging event link-status
     speed 100
     duplex full
     no snmp trap link-status
     spanning-tree portfast
     spanning-tree guard root
    !
    interface GigabitEthernet1/0/24
     description Firewall_Uplink
     switchport access vlan 83
     switchport private-vlan mapping 83 100-101,210,230,248-250
     switchport mode private-vlan promiscuous
     speed 1000
     duplex full
     spanning-tree portfast
     spanning-tree guard root
    HTH
    Chris

  • Private Vlan config

    I have a question regarding private VLAN config. I have a DMZ switch where I need a particular server to be able to communicate with the rest of the servers on port 8686 and deny the rest of the communications between them. I have this server on a promiscuous port and the other servers on isolated ports. For security reasons, how can I apply this access list? On which VLAN? I am running IOS on the switch connecting these servers. Thanks for your help

    This is the port that the server (10.3.1.50 255.255.0.0) that needs to talk to all the servers is attached to:
    interface GigabitEthernet1/0/18
     description DZ1WEBSD001
     ! a promiscuous port takes a mapping, not a host-association (the host-association is ignored in promiscuous mode)
     switchport private-vlan mapping 50 51
     switchport mode private-vlan promiscuous
     speed 100
     duplex full
     no mdix auto
    The subnet is 10.3.1.0 255.255.0.0
    Basically 10.3.1.50 needs to talk to all servers on this subnet on port 8686 and deny everything else
    Thanks

  • Private VLAN questions. Help needed urgently.

    Does anyone know whether the 3560 supports trunking on promiscuous ports? I have a situation where I have servers on isolated p.vlan 2000 on a distribution layer switch. I don't want to do any p.vlan configuration on the Core. So can communication happen between the Core and servers on isolated VLAN 2000 if the only VLAN that goes through the trunk link is the primary VLAN 2001? Or do I have to put the isolated VLAN also in the allowed VLANs on the trunk? And also every community VLAN that I have?
    So what I'm asking is: do the devices that don't have p.vlan on see all the community VLANs etc., or do they only see the primary VLAN? So if I had a server on the core switch on VLAN 2000, would it be able to communicate with servers that are on the isolated VLAN 2000 on the distribution layer switch? The core switch would not have any private VLAN configuration on it, just normal VLAN config.
    Can I have normal VLAN on the switch where I have Private VLANs?

    Does anyone know whether the 3560 supports trunking on promiscuous ports?
    >> NO. A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs. Layer 3 gateways are typically connected to the switch through a promiscuous port. With a promiscuous port, you can connect a wide range of devices as access points to a private VLAN. For example, you can use a promiscuous port to monitor or back up all the private-VLAN servers from an administration workstation. A trunk port serves more than one VLAN, secondary or primary; therefore, from the above, it would break that rule, hence it is not supported, at least on this platform.
    I have a situation where I have servers on isolated p.vlan 2000 on a distribution layer switch. I don't want to do any p.vlan configuration on the Core. So can communication happen between the Core and servers on isolated VLAN 2000 if the only VLAN that goes through the trunk link is the primary VLAN 2001? Or do I have to put the isolated VLAN also in the allowed VLANs on the trunk?
    >> Putting an isolated VLAN in the trunk will not cause the other devices in the same private VLAN to talk to an isolated port. An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
    And also every community VLAN that I have?
    >> See above; an isolated port will not talk to anyone at all except the promiscuous port.
    So what I'm asking is: do the devices that don't have p.vlan on see all the community VLANs etc., or do they only see the primary VLAN?
    >> Devices that are in the same secondary community VLAN can see each other and the promiscuous port. An isolated VLAN can only talk to the promiscuous port.
    So if I had a server on the core switch on VLAN 2000, would it be able to communicate with servers that are on the isolated VLAN 2000 on the distribution layer switch? The core switch would not have any private VLAN configuration on it, just normal VLAN config.
    >> No, isolated VLANs are isolated; they can only talk to promiscuous ports, which are normally the port to the default gateway if the default gateway router is an external router. It sounds like you should be putting them in a secondary community VLAN if you want them talking to one another.
    Can I have a normal VLAN on the switch where I have Private VLANs?
    >> Yes, you may.
    Please rate helpful posts.
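    As an added illustration of the forwarding rules spelled out in the reply above, and of the host-association/mapping and association/mapping mismatches visible in the configs quoted earlier on this page, here is a small Python model. It is not from the original thread; the config it parses is a constructed sample in Catalyst IOS syntax with illustrative VLAN and port numbers, and it also handles IOS range syntax (100-101) so it can be pointed at a real running-config excerpt.

```python
# Constructed sample in Catalyst IOS syntax, modelled on the thread's configs; numbers are illustrative.
SAMPLE_CONFIG = """\
vlan 83
 private-vlan primary
 private-vlan association 100,230
vlan 100
 private-vlan community
vlan 230
 private-vlan isolated
interface GigabitEthernet1/0/1
 switchport private-vlan host-association 83 100
 switchport mode private-vlan host
interface GigabitEthernet1/0/2
 switchport private-vlan host-association 83 100
 switchport mode private-vlan host
interface GigabitEthernet1/0/3
 switchport private-vlan host-association 83 230
 switchport mode private-vlan host
interface GigabitEthernet1/0/18
 switchport private-vlan host-association 83 100
 switchport mode private-vlan promiscuous
interface GigabitEthernet1/0/24
 switchport private-vlan mapping 83 100,230,248
 switchport mode private-vlan promiscuous
"""

def expand(spec):  # IOS range syntax: '100-101,230' -> {100, 101, 230}
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(config):  # collect private-vlan definitions and the PVLAN settings of each port
    vlans, ports, cur = {}, {}, None
    for w in filter(None, (line.split() for line in config.splitlines())):
        if w[0] == "vlan" and w[1].isdigit():
            cur = vlans.setdefault(int(w[1]), {"type": None, "assoc": set()})
        elif w[0] == "interface":
            cur = ports.setdefault(w[1], {"mode": None, "cmd": None, "primary": None, "secondary": set()})
        elif w[:2] == ["private-vlan", "association"]:
            cur["assoc"] = expand(w[2])
        elif w[0] == "private-vlan":                      # primary / community / isolated
            cur["type"] = w[1]
        elif w[:3] == ["switchport", "mode", "private-vlan"]:
            cur["mode"] = w[3]
        elif w[:2] == ["switchport", "private-vlan"]:     # host-association or mapping
            cur["cmd"], cur["primary"], cur["secondary"] = w[2], int(w[3]), expand(w[4])
    return vlans, ports

def lint(vlans, ports):  # flag mismatches that silently leave a port outside the intended private VLAN
    problems = []
    for name, p in ports.items():
        expected = "mapping" if p["mode"] == "promiscuous" else "host-association"
        if p["cmd"] != expected:
            problems.append(f"{name}: {p['mode']} port needs 'switchport private-vlan {expected}'")
        assoc = vlans.get(p["primary"], {}).get("assoc", set())
        for s in sorted(p["secondary"] - assoc):
            problems.append(f"{name}: secondary VLAN {s} is not associated with primary {p['primary']}")
    return problems

def can_talk(vlans, ports, a, b):  # Layer-2 reachability between two ports under the rules stated above
    pa, pb = ports[a], ports[b]
    if "promiscuous" in (pa["mode"], pb["mode"]):    # promiscuous reaches every mapped secondary
        host, prom = (pa, pb) if pb["mode"] == "promiscuous" else (pb, pa)
        same = pa["primary"] == pb["primary"]
        return same and (host["mode"] == "promiscuous" or host["secondary"] <= prom["secondary"])
    # two host ports only see each other inside one community VLAN; isolated never does
    return pa["secondary"] == pb["secondary"] and all(vlans[s]["type"] == "community" for s in pa["secondary"])
```

    Running lint() over the sample reports Gi1/0/18 (promiscuous mode with a host-association) and Gi1/0/24 (mapping VLAN 248, which is never associated with primary 83); can_talk() confirms the community pair sees each other, the isolated host sees only the promiscuous port, and community and isolated hosts never see each other.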

  • Private vlan trouble?

    I have the following private vlan configuration:
    What do I have to do in order for the networks sitting behind router1 and router2
    to talk to each other.
    I have verified that both routers have the correct routes on their routing table
    vlan 116
     name primary
     private-vlan primary
     private-vlan association 117-122
    !
    vlan 119
     name torouter2
     private-vlan community
    !
    vlan 121
     name torouter1
     private-vlan community
    !
    interface GigabitEthernet2/16
     description Connection to router2
     switchport
     switchport private-vlan host-association 116 119
     switchport mode private-vlan host
     no ip address
     speed 100
     duplex full
     spanning-tree portfast
    !
    interface GigabitEthernet1/4
     description Connection to router1
     switchport
     switchport private-vlan host-association 116 121
     switchport mode private-vlan host
     no ip address
     speed nonegotiate
     spanning-tree portfast
    thank you very much,
    Alban

    Vlad,
    Networks connected behind router1 need to reach networks connected behind router2
    ------[router1]--------------gig1/4[vdmz]gig2/16----------------[router2]-------
    gig1/4 is in community VLAN 121
    gig2/16 is in community VLAN 119
    The primary VLAN is Vlan116
    VDMZ is our 6503 configured with private VLANs.
    Some more of the config is this (and I do have a 6503 with an MSFC daughter card):
    interface Vlan116
     description vendor-dmz public/private primary vlan
     ip address 10.248.15.2 255.255.255.128 secondary
     ip address 211.121.108.66 255.255.255.192
     ip access-group 140 in
     ! (ACL 140 has a permit any any at the end)
     no ip redirects
     no ip unreachables
     private-vlan mapping 117-122
    !
    ip route 10.82.35.0 255.255.255.0 211.121.108.96
    (where 211.121.108.96 is the address of router1)
    I have a BGP peering with 211.121.108.90, which is router2.
    In router1 they can see the routes advertised via BGP, and also in router2 they
    can see the route for 10.82.35.0 that I advertise to them via BGP.
    I really appreciate your help,
    Alban

  • Private-VLAN using Nexus 7010 and 2248TP FEX

    I have a Nexus 7010 with several 2248TP FEX modules.
    I am trying to configure a Private VLAN on one of the FEX host ports.
    I see in the documentation you can't do promiscuous, but I can't even get the host-only configuration to take.
    Software
      BIOS:      version 3.22.0
      kickstart: version 6.0(2)
      system:    version 6.0(2)
    sho run | inc private
    feature private-vlan
    vlan 11
      name PVLAN_Primary
      private-vlan primary
      private-vlan association 12
    vlan 12
      name PVLAN_Secondary
      private-vlan isolated
    7010(config)# int e101/1/48
    7010(config-if)#
    7010(config-if)# switchport mode ?
      access        Port mode access
      dot1q-tunnel  Port mode dot1q tunnel
      fex-fabric    Port mode FEX fabric
      trunk         Port mode trunk
    Switchport mode private-vlan doesn't even show up!!!!!!
    If I try this command it says its not allowed on the FEX port.
    7010(config-if)# switchport private-vlan host-association 11 12
    ERROR: Requested config not allowed on fex port
    What am I doing wrong?????
    Todd

    Have you found a solution to this?
    -Jeremy

  • Private Vlans and trunk mode

    If we have a primary VLAN 100 and associated with it
    VLAN 11 over {fa0/2 working in host mode}, VLAN 12 over {fa0/3 working in host mode}, which work as secondary community VLANs,
    and VLAN 13 as an isolated secondary VLAN over {fa0/4 host mode},
    how can we route between private VLANs 11,12,13 and {VLAN 50, fa0/5 access mode}?
    Could we use fa0/1, which is connected to the L3 device, as promiscuous mode and trunk mode at the same time, or what ... ??
    and

    Private VLANs are all on the same subnet, so from what you are writing I see:
    100 ---------------------------
          |        |        |
         11       12       13
       Fa0/2    Fa0/3    Fa0/4
    and you want to route to VLAN 50, correct?
    In that case you need to trunk VLAN 100 to a VLAN interface and make sure that VLAN 50 also has a routed interface on the same device.

  • Double Private VLAN

    I want to ask: if my vSwitch on VMware is already using Private VLAN a first time, can I apply Private VLAN a second time at the N5K?
    VM Servers <--- Trunk ---> N5K
    First VM has primary VLAN say 100
    First VM secondary VLANs say 101,102,103
    Second VM has primary VLAN say 200
    Second VM secondary VLANs say 201,202,203
    So will the N5K be able to have the following PVLAN config:
    Primary VLAN 300
    Secondary VLANs say 100,200

  • Private vlan and HSRP

    Hi, guys. I have a question about Private VLAN and HSRP implementation. In my network topology, there are two 6509 switches as core switches and Internet outlet. There is a 3750 as a distribution switch, and a 3550 as an access switch. The topology is as below:
        |        |
      7609 ---- 7609
        |        |
          3750
            |
          3550
            |
        servers
    Now there are some servers that will connect to the 3550, and the 3750 and 3550 will be treated as Layer 2 switches, that is, these servers' default gateway will be on a VLAN interface on the 7609, and I have configured HSRP between the VLAN on the two 6509s. My question is how to implement private VLAN on the 3550 with HSRP on the 7609, so that these servers can have a redundant gateway, and be kept isolated from other servers.

    It looks like the 3550 does not support private VLAN.
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_tech_note09186a0080094830.shtml
    More info. on private VLAN :
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00802c30c4.html#wp1138148
    Did you configure the VLAN trunking between 7609, 3750 and 3550 ? Once we enable the VLAN trunking then the server can plug to the assigned VLAN and communicate to the 7609 via the trunk w/o interference w/ other VLAN. However, you have to enable the VLAN routing at 7609 to make it able to connect to other VLAN user if you want.
    Hope this helps.
