Multi-VRF CE with Private VLANs

Similar Messages

• Port-channel with Private VLANs on Nexus1000v

  Hi all,
  It says that private vlans are not supported on port-channel ports ont Nexus 1000v L2 Switching Guide.
  AFAIK, if you have two ports between ESX VEM and physical switch and both these ports are configured as 802.1Q and carrying the same VLANs, when the port which carries the traffic at the moment fails,  the other port do not failover automatically. This is mentioned in "Nexus 1000v Deployment Guide version 2" as ,
  "Individual Uplinks : A standard uplink is an uplink that is not a member of a PortChannel from the VEM to a physical switch. It provides
  no capability to load balance across multiple standard uplink links and no high-availability characteristics. When a  standard uplink fails, no secondary link exists to take over. Defining two standard uplinks to carry the same VLAN involves the risk of creating loops within the environment and is an unsupported configuration. Cisco NX-OS will post warnings when such a condition occurs. "
  Does anyone have any idea in order for the attached topology to work. Do I have to forward each and every VLAN from different ports ? If I do that how am I going to manage different VLANs and still have that hosts in the same primary VLAN with same IP subnet ?
  Thanks in advance.
  Dumlu

  Hi,
  You can't have M and F ports in single port channel irrespective what code version you are running , it will throw error on you..
  nor you can have m1 port channel one side and another f port channel other side , port channel 

• Switches 2950 with private-vlan

  Hi experts!
  Do you know if switches 2950 suport private-vlan? I upgrade IOS and try to configure PVLAN, but this switch model dont have the interface mode command "switchport private-vlan".
  best regards,
  Rodrigo A.

  See the below matix:-
  http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml
  HTH>

• Private vlan with MVR or any related solution

  I would like to enable MVR on C4507R+E on trunk port. Actually my current network setup is connecting two uplink from this switch to aggregation router as layer 2. And CPE is connected down this switch with private vlan configuration. I have attached interface configurations with this.
  I have to apply “mvr vlan 101 receiver vlan 104” in gig 1/1 interface to map the MVR vlan. But that is not supporting when the link is configured as “switchport mode private-vlan trunk”. Only this command is allowing if I configured as “swithport mode trunk”. But if it is normal trunk, private vlan services are not working. Please suggest your solution for this problem.
  According to cisco we can’t enable MVR in private vlan trunk port. Is there any other solution for this than ACL to block the stream from CPE to upwards at 4507 switch?
  (mvr working, but private vlan is not working)
  interface GigabitEthernet1/1
  switchport private-vlan trunk allowed vlan 101-104
  switchport private-vlan association trunk 200 102
  switchport private-vlan association trunk 300 101
  switchport mode trunk
  mvr type source
  mvr vlan 101 receiver vlan 104
  mvr immediate
  spanning-tree guard loop
  end
  (private vlan working, but mvr is not working)
  interface GigabitEthernet1/2
  description "connected to CPE"
  switchport private-vlan trunk allowed vlan 101-104
  switchport private-vlan association trunk 200 102
  switchport private-vlan association trunk 300 101
  switchport mode private-vlan trunk
  mvr type receiver
  mvr immediate
  spanning-tree guard loop
  end

  Hey,
  Correct, only one Isolated primary vlan is associated with Primary private vlan. Snippet from configuration guide:
  "A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. An isolated or community VLAN can have only one primary VLAN associated with it."
  HTH.
  Regards,
  RS

• Multi-VRF

  Hi.
  I intend to understand what a multi-vrf is, but the bottm line is, I don't seem to understand them very well.
  I was asked about it and I was surprised that I was not able to find an easy way to explain them.
  If you are to explain what a multi-vrf is, how would you do it?
  What are the basic ups and downs?
  Thanks

  Hello Jayson,
  a Multi-VRF CE is a device that has multiple VRFs and is shared between different customers and is generally owned and managed by the service provider.
  From a technical point of view the multi-VRF CE has a subset of the features of an MPLS PE.
  It has the capability to segregate traffic of different customers and to support address overlapping but:
  there is no support of MPLS forwarding so there are only VRF access links both to the customer both to the real MPLS PE.
  There is no support/need of the MP-BGP for address-family Vpnv4.
  The uplink is usually made with an high speed 802.1Q trunk where each vlan carried is mapped to a different VRF/Customer.
  The customer benefits are the sharing of the CE device and of the high speed uplink(s).
  Scalability is the issue in comparison with a real PE:
  a PE with N VRFs can use N+1 interfaces (N access links + 1 MPLS backbone link)
  a multi VRF CE with N VRFs needs 2*N interfaces (for each VRF one link towards the customer and one towards the SP PE)
  The same is true for the routing relationships: on each VRF a different routing relationship exist with PE (it can be eBGP in VRF or IGP OSPF or EIGRP in VRF) while a real PE has one/two BGP relationships with the RRS and this is enough for all defined VRFs.
  Often a Multi-VRF CE is a multilayer switch that can offer high port density at a cheap price.
  Hope to help
  Giuseppe

• Configure Private VLAN on 3750 & 2960

  Hi All,
  ( R ) ------ [ 3750 ] ------- [ 2960 A ]
                          |------------ [ 2960 B ]
  I had these VLAN on the 3750 & 2960:
  - Vlan 8 (mgnt Vlan), Vlan 17, Vlan 34, Vlan 35
  Basically I had already configure switchport protected on all the port on the 2960 except the uplink to 3750.
  2960 Configure
  On uplink to 3750
   switchport mode trunk
  On end device port 
   switchport trunk native vlan 35
   switchport trunk allowed vlan 34,35
   switchport mode trunk
   switchport protected
   spanning-tree portfast
  How do I go about configure private VLAN on the 3750? 
  3750 Configure
  On downlink to 2960
   switchport mode trunk
  Interface vlan8
   ip address 10.8.0.1 255.255.255.0
  Interface vlan17
  ​ ip address 10.17.0.1 255.255.255.0
  Interface vlan34
  ​ ip address 10.34.0.1 255.255.255.0
  Interface vlan35
  ​ ip address 10.35.0.1 255.255.255.0
  What I want to achieve is to send all the VLAN 8, 17, 34, 35 from 2960 to 3750 and 3750 to 2960. But at the same time prevent 2960 A client from talking to 2960 B client on VLAN 35? 

  I believe that if both devices you want no to speak with each other are on 2960 the "switchport protected" should work.
  But you can configure with private vlan.
  let's say client A is in port f0/1 and client B in port f0/2
  Parent (main) VLAN is 100 and child is 999
  You would configure the VLANs in ALL switches.
  vlan 999
  private-vlan isolated
  vlan 100
  private-vlan primary
  private-vlan association 999
  Now you would need to configure the ports.
  int range f0/1 - 2
  switchport mode private-vlan host
  switchport private-vlan host-association 100 999
  If the interfaces will talk to other VLANs, you need to configure the SVI to understand it will serve the private VLANs.
  interface vlan 100
  private-vlan mapping 999
  That's it, but notice that now interface f0/1 will not talk to f0/2 and to any other interface inside vlan 100, if you want a port to communicate to f0/1 or f0/2 this new port would need to be configured as a promiscuous one (In case it needs to talk to both of them) or create a community private-vlan and configure the ports desired on it. (F0/1 and F0/2 can't be on the same community VLAN or they'll be able to talk to each other).
  If the intention is to prevent one specific port from talking to all the others, you can put only this interface in the private VLAN instead of both.
  wrote too much, if this answers your question let me know, or we can create a practical scenario for it.

• Private vlan trouble?

  I have the following private vlan configuration:
  What do I have to do in order for the networks sitting behind router1 and router2
  to talk to each other.
  I have verified that both routers have the correct routes on their routing table
  vlan 116
  name primary
  private-vlan primary
  private-vlan association 117-122
  vlan 119
  name torouter2
  private-vlan community
  vlan 121
  name torouter1
  private-vlan community
  interface GigabitEthernet2/16
  description Connection to router2
  switchport
  switchport private-vlan host-association 116 119
  switchport mode private-vlan host
  no ip address
  speed 100
  duplex full
  spanning-tree portfast
  interface GigabitEthernet1/4
  description Connection to router1
  switchport
  switchport private-vlan host-association 116 121
  switchport mode private-vlan host
  no ip address
  speed nonegotiate
  spanning-tree portfast
  thank you very much,
  Alban

  Vlad,
  From networks connected behind router1 need to reach networks connected behind router2
  ------[router1]--------------gig1/4[vdmz]gig2/16----------------[router2]-------
  gig1/4 is community vlan 121
  gig2/16 is in community vlan 119
  Primary vlan is Vlan116
  VDMZ is our 6503 configured with private vlans.
  some more of the config is this (and I do have a 6503 with an mscf daughter card):
  interface Vlan116
  description vendor-dmz public/private primary vlan
  ip address 10.248.15.2 255.255.255.128 secondary
  ip address 211.121.108.66 255.255.255.192
  ip access-group 140 in (this one has a permit any any at the end)
  no ip redirects
  no ip unreachables
  private-vlan mapping 117-122
  ip route 10.82.35.0 255.255.255.0 211.121.108.96
  (where 211.121.108.96 is address of router1)
  I have a bgp peering with 211.121.108.90 which is router2.
  in router1 they can see the routes advertised via bgp and also in router2 they
  can see the route for 10.82.35.0 that I advertise to them via bgp.
  I really appreciate your help,
  Alban

• Double Private VLAN

  I want to ask if my Vswitch on the VM ware has using 1st time Private VLAN and at the N5K can I use apply second time Private VLAN?
  VM Servers <--- Trunk---> N5K            
  First VM has primary vlan say 100
  First VM secondary vlan say 101,102,103
  Second VM has primary vlan say 200
  Second VM secondary vlan say 201,202,203
  So will N5K able to has following PVLAN config
  Primary VLAN 300
  Secondary VLAN say 100,200

  Vlad,
  From networks connected behind router1 need to reach networks connected behind router2
  ------[router1]--------------gig1/4[vdmz]gig2/16----------------[router2]-------
  gig1/4 is community vlan 121
  gig2/16 is in community vlan 119
  Primary vlan is Vlan116
  VDMZ is our 6503 configured with private vlans.
  some more of the config is this (and I do have a 6503 with an mscf daughter card):
  interface Vlan116
  description vendor-dmz public/private primary vlan
  ip address 10.248.15.2 255.255.255.128 secondary
  ip address 211.121.108.66 255.255.255.192
  ip access-group 140 in (this one has a permit any any at the end)
  no ip redirects
  no ip unreachables
  private-vlan mapping 117-122
  ip route 10.82.35.0 255.255.255.0 211.121.108.96
  (where 211.121.108.96 is address of router1)
  I have a bgp peering with 211.121.108.90 which is router2.
  in router1 they can see the routes advertised via bgp and also in router2 they
  can see the route for 10.82.35.0 that I advertise to them via bgp.
  I really appreciate your help,
  Alban

• SUP WS-X45-SUP6-E & private-vlan community

  All,
  I tried to upgrade Cisco 6500 from Sup-2 to Sup-6 running IOS cat4500e-entservicesk9-mz.122-40.SG.bin.
  After upgrade everything came back up normal , no problem with hardaware.
  Except with private VLAN community.
  After this upgrade I can not configure "Private VLAN comunity" on this switch.
  AUNN00RS_XXXXX(config-vlan)#private-vlan community
  % Invalid input detected at '^' marker.
  AUNN00RS_MGMT1(config-vlan)#private-vlan     ?    
    association  Configure association between private VLANs
    isolated     Configure the VLAN as an isolated private VLAN
    primary      Configure the VLAN as a primary private VLAN
  It works absolutely fine with Sup-2 running same IOS.
  AUAN00RS_XXX(config-vlan)#private-vlan ?
    association  Configure association between private VLANs
    community    Configure the VLAN as a community private VLAN
    isolated     Configure the VLAN as an isolated private VLAN
    primary      Configure the VLAN as a primary private VLAN
  Regards
  Sachin

  I just checked the command reference:
  http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/40sg/command/reference/cmdref.html
  And it should be there....I couldn't find any related bugs.
  Do you have the option of upgrading the IOS? The latest is 12.2(53) SG3
  Regards,
  Ian

• Private Vlan, Etherchannel and Isolated Trunk on Nexus 5010

  I'm not sure if I'm missing something basic here however i though that I'd ask the question. I recieved a request from a client who is trying to seperate traffic out of a IBM P780 - one set of VIO servers/clients (Prod) is tagged with vlan x going out LAG 1 and another set of VIO server/clients (Test) is tagged with vlan y and z going out LAG 2. The problem is that the management subnet for these devices is on one subnet.
  The infrastructure is the host device is trunked via LACP etherchannel to Nexus 2148TP(5010) which than connects to the distribution layer being a Catalyst 6504 VSS. I have tried many things today, however I feel that the correct solution to get this working is to use an Isolated trunk (as the host device does not have private vlan functionality) even though there is no requirement for hosts to be segregated. I have configured:
  1. Private vlan mapping on the SVI;
  2. Primary vlan and association, and isolated vlan on Distribution (6504 VSS) and Access Layer (5010/2148)
  3. All Vlans are trunked between switches
  4. Private vlan isolated trunk and host mappings on the port-channel interface to the host (P780).
  I haven't had any luck. What I am seeing is as soon as I configure the Primary vlan on the Nexus 5010 (v5.2) (vlan y | private-vlan primary), this vlan (y) does not forward on any trunk on the Nexus 5010 switch, even without any other private vlan configuration. I believe this may be the cause to most of the issues I am having. Has any one else experienced this behaviour. Also, I haven't had a lot of experience with Private Vlans so I might be missing some fundamentals with this configuration. Any help would be appreciated.

  Hello Emcmanamy, Bruce,
  Thanks for your feedback.
  Just like you, I have been facing the same problematic last months with my customer.
  Regarding PVLAN on FEX, and as concluded in Bruce’s previous posts I understand :
  You can configure a host interface as an isolated or community access port only.
  We can configure “isolated trunk port” as well on a host interface. Maybe this specific point could be updated in the documentation.  
  This ability is documented here =>
  http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_1170903
  You cannot configure a host interface as a promiscuous  port.
  You cannot configure a host interface as a private  VLAN trunk port.
  Indeed a pvlan is not allowed on a trunk defined on a FEX host interface.
  However since NxOS 5.1(3)N2(1), the feature 'PVLAN on FEX trunk' is supported. But a command has to be activated before => system private-vlan fex trunk . When entered a warning about the presence of ‘FEX isolated trunks’ is prompted.
  http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_16C0869F1B0C4A68AFC3452721909705
  All these conditions are not met on a N5K interface.
  Best regards.
  Karim

• 3745 Multi VRF with modules ??

  Hi,
  Please anyone can tell wheather Gig modules are supported on 3745 and if yes then how many? Also please tell which is the Gig module I could not find on cisco.com.
  And also do the onboard LAN ports support Multi VRF function ?
  Thanks
  NK

  We use VRFLite with the onboard LAN ports and it works just as expected.
  hth
  -birgit

• N7K Private VLAN with F2

  I got the below error message when I config private vlan on N7K with F2 module
  Error: while enabling/disabling service: private-vlan, err: Private-vlan is not allowed in F2 VDC (0x40e4005d)
  Any one know about it?

  user8750011 wrote:
  Hi - I been through best practice for deploying coherence in production but could not find one related to this.
  My project has high bandwidth requirement between coherence cluster nodes, resulting an app architecture to setup private vlan inteface for application to listen on, for cluster's internal communication and another interface to face production traffic. Wondering if anyone has done this type of setup and success / failure stories.
  Also interested to know how to configure traffic from production interface to application's interface ( considering i have 2 bonded interface within one box, one for production, another for high bandwidth private vlan where application will listen). These are running RHEL.
  Thanks in advance for your help :).
  -R.
  Edited by: user8750011 on Feb 23, 2012 4:19 PMHi R,
  This is a usual practice to have 2 NICs for security reasons seperating the internal and external traffic. AFAIU you question, you can configure the NIC to be used for Coherence using the property "tangosol.coherence.localhost". This would ensure that Coherence uses this NIC for communication and the other NIC can be used for other purposes.
  Hope this helps!
  Cheers,
  NJ

• Private vlan over dot1q trunks with etherchannels

  Dear Freinds,
  I need to know whether can i use trunks in etherchannel for Private Vlans.
  regards
  Manish Shamjee

  Hello manish,
  You would need to elaborate more on that.
  Are you trying to 'trunk' primary private vlan's or secondary private vlans? Or are you trying to configure private vlans on ports that are etherchannels?
  Read this "Do not configure private VLAN ports as EtherChannels. While a port is part of the private VLAN configuration, any EtherChannel configuration for it is inactive"
  The above is from the pvlan guidelines and restrictions found here:
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm#wp1090979

• Multi-VRF on the same device

  Hi, I have a certain design that I am thinking of implementing however need some help to understand the feasability as well as confirm if it is indeed possible to do it. It is sort of like configuring multi-vrf on the same device and leak routes from them into a global routing table. It seems impractical to do it however if I want to limit connectivity between various vlan's on a L3 level without ACL's this seems the better option. Please do correct me if that is not so.
  Design
  A device which has a number of vlan interfaces on the north side let's say a 6500 configured with a number of vlan's. Each vlan has its own vrf. The SVI interfaces are where I apply the ip vrf forwarding XXX command. This device will be like the PE I assume?
  Now I might be running various routing protocols (EIGRP, RIP, Static, BGP) within these vrf's with the devices on the other end that have no idea about vrf's. Since I have a number of routes I have learnt within their own vrf's I want to either export all these routes into the global table or create a global vrf where I can export all these routes.
  The reason being that I want to propogate all these routes to the south side. The south side interface of this PE 6500 is physically connected to a firewall via a L3 point-to-point interface. That firewall's south interface in turns connects to another switch.
  I am going to form a BGP session with between the Top PE 6500 Switch and the bottom switch and I would like to propogate all the routes that I have in their own individual vrf's on the Top 6500 PE switch to the bottom switch via BGP.
  I don't think I can run MP-BGP due to the firewalls being in the physical path. Besides I would like to run a normal BGP IPv4 session between the top and bottom switch to keep it simple and familiar.
  The reason I would like to have every vlan in its own vrf is to limit connectivity between the vlan's without configuring ACL's. It provides a bit more security between the VLAN's.
  What I am not sure about is how the packet forwarding would work or if it would work at all.
  Thx for your help.

  Hi Vikram,
  Firstly, you mentioned that the reason for going down this path is for security between the different VLANs. Have you looked at Private VLANs as another option?
  Certainly leaking routes between different VRFs can be achieved and I would recommend having a 'Shared VRF' that you leak in and out of. Having the Firewall between the PE nodes does present an issue both for BGP as well as LDP peering if you wanted to establish a MP-BGP session. From what you have mentioned above, this solution might over-complicate what you are trying to do.
  Are the network ranges in each VLAN also unique?
  Can the Firewall run IGP? If so, maybe you could run Private VLANs and the use an IGP to propogate the networks through the FW across to your other switch? If you were to establish a BGP session between the switches each side of the FW, the FW would also need to either become a BGP peer or have IGP enabled. Each BGP node would then need to inject the BGP routes into IGP. If this isnt done, the FW will drop traffic as there would not be a suitable route.
  Are the resources through the FW shared or are they also client connected networks?
  Trent Husking

• VRF-Lite with 6500 w/ Sup720

  I am working with a customer who would like to utilize path isolation in their network using VRF-Lite. I am currently debating between the use of GRE tunnels vs. VLANs between 3 core switches they currently have in place today. This is going to be overlay network on top of what they currently have. The core is all L2 today with 802.1q trunks between each of 3 cores in a ring topology. Closets are single homed into the core throughout.
  My question is regarding GRE vs. VLANs. Currently, we are looking at having to deploy 12 VRFs to support 12 seperate network types they would like to isolate. The Access layer switches will trunk to the cores where the core will apply VRFs to specific VLANs based on their role.
  Which is going to be a more scalable solution from a performance and adminstration standpoint. GRE, VLANs, or MPLS?
  Currently the GRE implementation is going to require that we configure many loopbacks and tunnels on each core in order to get the VRFs talking to each other in each core. The VLAN approach will require 24 VLANs per core (assuming we would go with PTP vs Multipoint for routing inside the VRF).
  Any thoughts on which way to proceed? From what i have read GRE is more appropriate when you have multiple hops between VRF tables, which in this case we do not. I am just concerned with loopbacks,tunnels, and then routing on top of that the GRE solution will lack scalability as they add more VRFs. A PTP VLAN will pose a similar problem without the need for loopbacks which should simplify the solution.
  Can we use MPLS here and just do PE to PE MPLS and still get the VRF segmentation we need between cores?
  I would like eventually migrate the entire core to L3 completely but today we are stuck with having to support legacy networks (DEC/LAT/SNA) and have to keep some L2 in place.
  Whats the best approach here?

  Shine,
  I actually ended up with basically the same design you are talking about here except that I ended up adding a couple 6500 +FWSM and NAC L3/L2 CAM/CAS into the mix.
  Here is the high level overview
  1. Every Closet had a minimum of 6 VLANs - unique to the stack or closet switch - Subnets were created for each VLAN as well - no spanning of L2 VLANs across switch stacks.
  2. VLANs were assigned for - Voice, Data, LWAPP VLAN, Guest/Unauthorized, Switch/Device Management, and at least 1 special purpose VLAN - (Lab, Building Controls, Security, etc).
  3. Then we trunked all the VLANs back to 1 of 3 cores - 6509s with Sup-720s
  4. Each Core 6509 was configured for each L2 VLAN with a L3 SVI (The VLANs configured here were not configured on any other cores - we didn't have available fiber runs to do any type of redundant pathing across multiple cores so it wasn't valid in this design to configure VLAN SVIs on more than one core).
  5. Each L3 SVI was assigned to the appropriate VRF based on use - Voice, Data, LWAPP, etc
  6. Spanning-Tree Roots for all VLANs trunked to a core were specific to that core - they did not trunk between Cores - no loops
  7. Each Core was connected via a L2 Trunk that carried Point to Point VLANs for VRFs traffic - We had an EIGRP AS assigned to each VRF on the link - so we had 6 VRFs and 6 EIGRP AS per trunk.
  8. This design occurred on each core x2 as it connected to the other cores in a triangle core fashion.
  9. Each of the Cores had a trunk to to 6500 with a FWSM configured - VRF/L3 PTP VLAN design continued here as well
  10. The 6500+FWSM was configured with multiple SVIs and VRFs - we had to issue mult-vlan mode on the FWSM to get it to work.
  11. Layer 2 NAC was configured with VLAN translation coming into the Core 6500/FWSM for Wireless in L2 InBand Mode - the L3 SVIs were configured on the clean side of the NAC CAM so traffic was pulled through the CAM from from the dirty side - where the controller mapped host SSIDs to appropriate VLANs. We only had to configure a couple host VLANs here - Guest and Private so this was not much of an issue - Private was NAC enabled, Guest VLAN/SVI was mapped to a DMZ on the firewall
  12. For Layer 3 NAC we justed used an out of band CAM configurations with ACLs on the Unauthorized VLAN
  It worked like a charm.
  If I had to do it all over again I would go with MPLS/BGP for more scalability. Configuring trunks between the cores and then having the mulitple EIGRP AS/PTP VLANs works well in networks this small but it doesn't scale indefinately. It sounds like your network is quite large. I would look into MPLS between a set of at least 3-4 Core PE/CE devices. Do you plan on building a pure MPLS core for tagged switched traffic only? Is your campus and link make up significant enough to benefit from such a flexible design?