N7K Private VLAN with F2

I got the error message below when I configured a private VLAN on an N7K with an F2 module:
Error: while enabling/disabling service: private-vlan, err: Private-vlan is not allowed in F2 VDC (0x40e4005d)
Anyone know about it?

user8750011 wrote:
Hi - I have been through the best practices for deploying Coherence in production but could not find one related to this.
My project has a high bandwidth requirement between Coherence cluster nodes, resulting in an app architecture that sets up a private VLAN interface for the application to listen on for the cluster's internal communication, and another interface to face production traffic. Wondering if anyone has done this type of setup and has success / failure stories.
Also interested to know how to configure traffic from the production interface to the application's interface (considering I have 2 bonded interfaces within one box, one for production, another for the high bandwidth private VLAN where the application will listen). These are running RHEL.
Thanks in advance for your help :).
-R.
Edited by: user8750011 on Feb 23, 2012 4:19 PM

Hi R,
This is a usual practice to have 2 NICs for security reasons, separating the internal and external traffic. AFAIU your question, you can configure the NIC to be used for Coherence using the property "tangosol.coherence.localhost". This would ensure that Coherence uses this NIC for communication and the other NIC can be used for other purposes.
Hope this helps!
Cheers,
NJ

Similar Messages

  • Private vlan with MVR or any related solution

    I would like to enable MVR on a C4507R+E on a trunk port. Actually my current network setup is connecting two uplinks from this switch to an aggregation router as layer 2, and the CPE is connected below this switch with a private VLAN configuration. I have attached the interface configurations with this.
    I have to apply "mvr vlan 101 receiver vlan 104" on the gig 1/1 interface to map the MVR VLAN. But that is not supported when the link is configured as "switchport mode private-vlan trunk". This command is only allowed if I configure it as "switchport mode trunk". But if it is a normal trunk, private VLAN services are not working. Please suggest your solution for this problem.
    According to Cisco we can't enable MVR on a private VLAN trunk port. Is there any other solution for this than an ACL to block the stream from the CPE upwards at the 4507 switch?
    (mvr working, but private vlan is not working)
    interface GigabitEthernet1/1
    switchport private-vlan trunk allowed vlan 101-104
    switchport private-vlan association trunk 200 102
    switchport private-vlan association trunk 300 101
    switchport mode trunk
    mvr type source
    mvr vlan 101 receiver vlan 104
    mvr immediate
    spanning-tree guard loop
    end
    (private vlan working, but mvr is not working)
    interface GigabitEthernet1/2
    description "connected to CPE"
    switchport private-vlan trunk allowed vlan 101-104
    switchport private-vlan association trunk 200 102
    switchport private-vlan association trunk 300 101
    switchport mode private-vlan trunk
    mvr type receiver
    mvr immediate
    spanning-tree guard loop
    end

    Hey,
    Correct, only one isolated primary VLAN is associated with a primary private VLAN. Snippet from the configuration guide:
    "A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. An isolated or community VLAN can have only one primary VLAN associated with it."
    HTH.
    Regards,
    RS

  • Private vlan question

    I am replacing a standard set of switches with ones that can support PVLANs. All our switches currently have their IP address on VLAN 1, and that is the subnet where the default gateway resides. The second switch acts as a redundant switch and will need the same VLANs as the primary. Currently they are EtherChanneled together. I want to set up a single private VLAN with one isolated VLAN and several community VLANs. My question is, where do I put the IP address? Do I still set up a VLAN 1 interface as I have done all along? Or do I put the address on the primary private VLAN? And I assume I will need to set up a trunk between the two switches, vs. EtherChannel?

    Private VLANs provide Layer 2 isolation between ports within the same private VLAN. There are three types of private VLAN ports:
    •Promiscuous—A promiscuous port can communicate with all interfaces, including the community and isolated ports within a private VLAN.
    •Isolated—An isolated port has complete Layer 2 separation from other ports within the same private VLAN except for the promiscuous port. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
    •Community—Community ports communicate among themselves and with their promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities or isolated ports within their private VLAN.
    PVLANs are also known as secondary VLANs; they are always associated to primary VLANs so they can communicate with other devices outside their subnet through the default gateway. The management IP address, or sc0 if it's CatOS, will always be in the primary VLAN; or if it is native IOS and an interface VLAN, it will always be the primary VLAN. So, to answer your question, the management IP address will be in the primary VLAN.
    –You cannot use the inband port, sc0, in a private VLAN.
    Note: With software release 6.3(1) and later releases, you can configure the sc0 port as a private VLAN port; however, you cannot configure the sc0 port as a promiscuous port.
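The three port types and the association rule quoted above can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python model of PVLAN Layer 2 forwarding that enforces "one isolated VLAN, many community VLANs per primary" and answers, for any pair of ports, whether a frame may pass between them. Port names and VLAN numbers are constructed for illustration.

```python
"""Toy model of private VLAN Layer 2 forwarding and association rules.

Added example, not code from the original thread or from Cisco. It encodes
the three port types (promiscuous, isolated, community) and the rule quoted
from the configuration guide: one isolated VLAN and any number of community
VLANs per primary VLAN. Port names and VLAN numbers are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class PortType(Enum):
    PROMISCUOUS = "promiscuous"
    ISOLATED = "isolated"
    COMMUNITY = "community"


@dataclass
class PrivateVlan:
    """One primary VLAN with its associated secondary VLANs."""
    primary: int
    isolated: Optional[int] = None
    communities: Set[int] = field(default_factory=set)

    def associate(self, secondary: int, kind: PortType) -> None:
        """Associate a secondary VLAN, enforcing the one-isolated-VLAN rule."""
        if kind is PortType.ISOLATED:
            if self.isolated not in (None, secondary):
                raise ValueError(
                    f"primary VLAN {self.primary} already has isolated VLAN {self.isolated}")
            self.isolated = secondary
        elif kind is PortType.COMMUNITY:
            self.communities.add(secondary)
        else:
            raise ValueError("a promiscuous port maps to the primary VLAN, not a secondary one")

    def secondary_type(self, secondary: int) -> PortType:
        """Classify a secondary VLAN; refuse VLANs that were never associated."""
        if secondary == self.isolated:
            return PortType.ISOLATED
        if secondary in self.communities:
            return PortType.COMMUNITY
        raise ValueError(f"VLAN {secondary} is not associated with primary {self.primary}")


@dataclass
class Port:
    name: str
    ptype: PortType
    secondary_vlan: Optional[int] = None  # None for a promiscuous port


def host_port(pvlan: PrivateVlan, name: str, secondary: int) -> Port:
    """Build a host port; its type follows the secondary VLAN it is associated with."""
    return Port(name, pvlan.secondary_type(secondary), secondary)


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame entering src may be delivered to dst within the PVLAN."""
    if src is dst:
        return False
    # A promiscuous port reaches every port, and every port reaches it.
    if PortType.PROMISCUOUS in (src.ptype, dst.ptype):
        return True
    # Isolated ports see nothing but the promiscuous port(s).
    if PortType.ISOLATED in (src.ptype, dst.ptype):
        return False
    # Two community ports talk only within the same community VLAN.
    return src.secondary_vlan == dst.secondary_vlan


def reachability(ports) -> Dict[str, Set[str]]:
    """Map each port name to the set of port names it can send frames to."""
    return {p.name: {q.name for q in ports if can_forward(p, q)} for p in ports}


if __name__ == "__main__":
    pv = PrivateVlan(primary=100)
    pv.associate(101, PortType.ISOLATED)
    pv.associate(102, PortType.COMMUNITY)
    ports = [
        Port("Gi1/1", PortType.PROMISCUOUS),   # e.g. the port facing the default gateway
        host_port(pv, "Gi1/2", 101),
        host_port(pv, "Gi1/3", 101),
        host_port(pv, "Gi1/4", 102),
        host_port(pv, "Gi1/5", 102),
    ]
    for name, peers in reachability(ports).items():
        print(f"{name} -> {sorted(peers)}")
```

Running the block prints the per-port reachability: the two isolated host ports reach only Gi1/1, while the two community ports reach Gi1/1 and each other. The same model reproduces the 6509 thread further down, where two hosts in isolated VLAN 472 cannot see each other but both must reach the promiscuous port.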

  • Private VLAN Problem

    I have a 6509 running with a Sup720 and the latest IOS. Trying to configure several ports as a private VLAN with the config below. The problem is, in addition to not being able to talk to each other, hosts can't talk to the promiscuous port. Thoughts?
    vlan 172
    private-vlan primary
    private-vlan association 472
    vlan 472
    private-vlan isolated
    interface GigabitEthernet4/7
    switchport
    switchport private-vlan mapping 172 472
    switchport mode private-vlan promiscuous
    no ip address
    no cdp enable
    interface GigabitEthernet4/8
    switchport
    switchport private-vlan host-association 172 472
    switchport mode private-vlan host
    no ip address
    no cdp enable
    interface GigabitEthernet4/9
    switchport
    switchport private-vlan host-association 172 472
    switchport mode private-vlan host
    no ip address
    no cdp enable

    That did the trick, thank you. I guess I missed that the first two times I read through the documentation. I still have one problem, though. I ended up configuring 5 ports, 1 in promiscuous mode in port 25, two in community mode in ports 11 and 12, and two in private mode in ports 13 and 14. The PIX was in port 25, the internet router and a Nortel Contivity were in the community ports as these need to talk to each other as well as the PIX, and two other devices that only need connectivity to the PIX were in the private ports. Traffic flowing from inside the network was moving through the PIX to the WAN router fine. Traffic flowing through the PIX to the private ports was working fine. Traffic through the Contivity to the PIX and the router were flowing fine. But, VPN connectivity through the WAN router to the PIX wouldn't work. It wasn't a configuration issue with the PIX or the router, because as soon as I put them all in a standard VLAN, it worked fine, so it had something to do with the PVLAN configuration, but it just didn't make sense to me. Everything else was working in all directions. Any ideas?

  • Private-VLAN and EtherChannel

    Hi,
    On a Catalyst 3750, I have created a Primary and Secondary Community VLANs and have associated them.
    The Primary VLAN (100) is attached to a promiscuous port, the Secondary VLANs (101-103) aren't attached to any port.
    I would like to let the Secondary VLANs traffic pass over an EtherChannel link that is a dot1q trunk.
    The trunk is made with a virtual switch (VMware ESX) and transports non-Private VLANs (101-103). The trunk itself works.
    How can I configure the EtherChannel as a private-VLAN port, considering that the EtherChannel isn't using PAgP/LACP modes? ("group-channel 1 mode on").
    Is there a way to solve this without replacing the Private-VLANs with VLANs?
    Thanks in advance for your help!

    From "EtherChannel Configuration Guidelines"
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sed/scg/swethchl.htm#wp1021856
    Do not configure a private-VLAN port as part of an EtherChannel.

  • Multi-VRF CE with Private VLANs

    Does anyone know if you can implement a VRF instance on a private vlan? I would assume so, and will lab it out as time permits, but was curious if anyone had tried it/knows one way or the other.

    Since both platforms support VRF lite and MPLS VPN, you can use Frame Relay as the encapsulation for sub-interfaces with local DLCI switching, as the VRF configuration is not media dependent.
    HTH-Cheers,
    Swaroop
    Router 1
    interface Serial0/0
    no ip address
    encapsulation frame-relay
    no keepalive
    !--- This command disables LMI processing.
    interface Serial0/0.1 point-to-point
    !--- A point-to-point subinterface has been created.
    ip address 172.16.120.105 255.255.255.0
    ip vrf forwarding xxx
    frame-relay interface-dlci 101
    !--- DLCI 101 has been assigned to this interface
    Router 2
    interface Serial0/0
    no ip address
    encapsulation frame-relay
    no keepalive
    !--- This command disables LMI processing.
    interface Serial0/0.1 point-to-point
    !--- A point-to-point subinterface has been created.
    ip vrf forwarding xxx
    ip address 172.16.120.120 255.255.255.0
    frame-relay interface-dlci 101
    !--- DLCI 101 has been assigned to this interface

  • Port-channel with Private VLANs on Nexus1000v

    Hi all,
    The Nexus 1000v L2 Switching Guide says that private VLANs are not supported on port-channel ports.
    AFAIK, if you have two ports between the ESX VEM and the physical switch and both these ports are configured as 802.1Q and carrying the same VLANs, when the port which carries the traffic at the moment fails, the other port does not fail over automatically. This is mentioned in "Nexus 1000v Deployment Guide version 2" as,
    "Individual Uplinks : A standard uplink is an uplink that is not a member of a PortChannel from the VEM to a physical switch. It provides
    no capability to load balance across multiple standard uplink links and no high-availability characteristics. When a  standard uplink fails, no secondary link exists to take over. Defining two standard uplinks to carry the same VLAN involves the risk of creating loops within the environment and is an unsupported configuration. Cisco NX-OS will post warnings when such a condition occurs. "
    Does anyone have any idea of how to make the attached topology work? Do I have to forward each and every VLAN from different ports? If I do that, how am I going to manage different VLANs and still have the hosts in the same primary VLAN with the same IP subnet?
    Thanks in advance.
    Dumlu

    Hi,
    You can't have M and F ports in a single port channel irrespective of what code version you are running; it will throw an error at you..
    Nor can you have an M1 port channel on one side and an F port channel on the other side, port channel 

  • Switches 2950 with private-vlan

    Hi experts!
    Do you know if 2950 switches support private VLANs? I upgraded IOS and tried to configure PVLAN, but this switch model doesn't have the interface mode command "switchport private-vlan".
    best regards,
    Rodrigo A.

    See the matrix below:-
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml
    HTH.

  • Private vlan over dot1q trunks with etherchannels

    Dear Friends,
    I need to know whether I can use trunks in an EtherChannel for private VLANs.
    regards
    Manish Shamjee

    Hello Manish,
    You would need to elaborate more on that.
    Are you trying to 'trunk' primary private VLANs or secondary private VLANs? Or are you trying to configure private VLANs on ports that are EtherChannels?
    Read this "Do not configure private VLAN ports as EtherChannels. While a port is part of the private VLAN configuration, any EtherChannel configuration for it is inactive"
    The above is from the pvlan guidelines and restrictions found here:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm#wp1090979

  • Hi all, need advice on OSPF and private vlans

    Hi all.
    I have a project to complete and need some help on the possible solution I can use.
    Basically we have OSPF area 0, and the users in question are in OSPF area 7, which is a stub.
    I need to route the traffic from these users out through area 0, through 3 core devices, onto an external firewall interface to be placed onto the VPN that sits on it. The firewall is not included in the OSPF domain.
    My thinking was that the firewall has a default route back into the OSPF domain so I don't need to worry about traffic coming in; however my job is to segregate these users and take them out of our core network and place them onto an external network via this VPN.
    Not sure how to achieve this apart from static routing redistributed, but surely this does not separate their traffic, it only points the route to OSPF?!
    I was thinking I might have to use private VLANs or policy routing, but when I try policy routing the policy gets ignored due to normal forwarding.
    Any help and advice would be greatly appreciated.
    Cheers
    Steve

    Steve
    Thanks, that helps.
    GRE is definitely out because, apart from the 6500, GRE tunneling is not supported on the Cisco switches.
    It's good that area 7 is only for these users and not mixed up with other users.
    So if I understand correctly, the 4500 interface connecting to the 6500 is in area 0 and the interface connecting to the 3550 is in area.
    Or is the 3550 connected to both areas and the 4500 totally in area 0 ?
    Can you confirm the above ?
    In terms of keeping them separate there are 2 possible choices. You can either -
    1) use VRF-Lite, although I'm not sure whether the HP switch would support this. With VRF-Lite you are in effect creating virtual devices on the same physical device. This means each virtual device has its own routing and forwarding table, so it is quite secure because you would only populate the routing table with the routes needed, so there would be no way for users to jump to the rest of your networks.
    The downside is that it can become quite complex to configure. If the 4500 is only used to connect area 7 to area 0 then that would not be a problem, but the connection from the 6500 to the HP could be, and I don't even know whether the HP supports VRF-Lite functionality, let alone how to configure it on that switch.
    But it would, at least from the 4500 to 6500 to HP provide complete separation in terms of routing and forwarding. Once it got to the HP it wouldn't but that might not be an issue.
    2) Use PBR (possibly together with ACLs). This is easier to configure, i.e. you configure PBR on the 4500 and the 6500 to get the traffic to the HP switch. But you do not get the actual separation you get with VRF-Lite, i.e. the traffic simply overrides the existing routing tables.
    The other thing to bear in mind with PBR is that you also have to configure the return traffic as well so each device would need multiple PBR configs.
    Again I don't know whether the HP supports PBR, but it may not be an issue depending on what the routing is on the HP.
    You could also use a combination of the above, i.e. VRF-Lite between the Cisco switches and then PBR for the last hop to the HP device.
    I should say I don't have a huge amount of experience with VRF-Lite, but that should not necessarily stop you using it if it is what you need. There are lots of other people on here, so I'm sure there will be other people who can help if I can't.
    It still depends on how much separation is required. VRF-Lite is definitely seen as a way to separate traffic running across a shared infrastructure, PBR is not really seen in the same way.  So it may well be worth going back to find out exactly what "segregating" user traffic means.
    I don't want to confuse the issue but it's still not entirely clear what the actual requirement is.
    Jon

  • How to setup Private VLAN in Small business switch SF200-24

    Dear All,
    According to release notes 1.4, private VLAN is supported. I've upgraded my SF200-24 with firmware 1.4.0.88 and boot 1.3.5.06. The system information shows firmware version 1.4.0.88 and boot version 1.3.5.06 after reboot. I can't find the private VLAN setup command in the GUI. Please help me to set up private VLAN. Thanks.

    Hi,
    Unfortunately PVLAN is not supported on the 200 series. However you might be able to overcome this using the general port concept.
    for example:
    isolated port - general 10P (PVID), 30U, drop tagged traffic
    community - 20UP, 30U, drop tagged traffic
    promiscuous - 30UP, 10U, 20U
    Note: primary vlan 30
    Does it address your requirements?
    Aleksandra

  • Private VLan in 3550

    We are going to purchase Cisco 3550 switches for our DMZ setup, and we would like to utilise the Private VLAN (PVLAN) features in order to protect our individual servers from any attack or any compromised servers. Can anybody shed some more light on how best to configure PVLANs in Cisco 3550 switches, and whether there are any issues with Checkpoint Firewall?
    Where will I get step by step commands? I searched on the Cisco site but lost myself trying to find the step by step documentation.
    I found one document which was very good, but it is for Cisco 6500 series switches. Please see the link for that: http://www.cisco.com/warp/customer/473/90.shtml
    Thanks in advance

    Here is a link that I hope helps you with your configuration. See the Configuring Protected Ports portion for the PVLAN feature.
    http://www.cisco.com/en/US/partner/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007e838.html
    I don't know of any issues with specific vendor equipment (e.g. Checkpoint FW, etc).
    Hope this helps you,
    Don

  • Heads Up: Private VLAN Sticky-ARP DHCP Issues

    Here is the scenario:
    Private VLANs are configured on a 6500 Sup720 with SVIs routing for the PVLANs.
    DHCP Snooping and IP ARP Inspection are also configured for the PVLAN subnets.
    A DHCP Server is offering 3 day leases.
    A laptop connects to the network and receives a 3-day lease. The user leaves the office and returns 4 days later. The DHCP server offers a new lease with a different IP address. Furthermore, the previous IP address leased to the laptop has been handed out in a new lease to another host. Both systems receive their DHCP lease but have no network connectivity.
    The problem occurs because, by default, PVLAN SVIs use Sticky-ARP and never age out their ARP cache. Since the laptop has a different IP address to MAC address mapping than recorded in the Sticky-ARP cache, a violation occurs and the switch prevents the new IP address from populating the ARP table on the switch.
    Sticky-ARP is a security feature that prevents one system from stealing another systems IP address.
    Log messages show the following:
    %IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry
    The 6500 PVLAN configuration guide Restrictions and Guidelines section suggests that Sticky-ARP is fundamental to Private-VLANs, and the only work-around for this problem is to create manual ARP entries for the new IP address. This is clearly not a viable workaround for this scenario.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm#wp1090979
    However, the 6500 Command Reference shows that Sticky ARP can be disabled, but makes no reference to PVLANs:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/i1.htm#wp1091738
    There appears to be two sensible solutions to this problem:
    1) Disable Sticky-ARP on the 6500 for the PVLANs. Since DHCP Snooping and IP ARP Inspection are configured, Sticky-ARP can be disabled without relaxing network security. This is assuming the 6500 will accept the command and will not break the existing PVLAN functionality.
    2) Extend the DHCP lease longer, to 45 or 90 days perhaps. This will catch most transient activity and keep the IP address to MAC address relationships the same, wherever possible. The downside here is that DHCP address pools could collect stale entries that would take the lease time to flush, thus reducing the overall available IPs in the pool.
    Has anyone else run into this problem? If so, what was your solution? Did you attempt either option above? I am planning on using solution #1 above, but I wanted to ping the NetPro community with this as I am sure we are not the first customer to run into this. Or are we??
    Regards,
    Brad

    Excellent question.
    Sticky-ARP is NOT intended to be a pain-in-the-butt that should be disabled right away; rather, it is a security mechanism that prevents a system from stealing an active IP address on the subnet and causing a lot of problems. Sticky-ARP works best on subnets that have all static IP addressing, where there is no expectation that a host would frequently change its IP address.
    Yes, I would recommend keeping Sticky-ARP on subnets with all static IP addresses.
    In DHCP subnets with no static IP addressing, DHCP Snooping and IP ARP Inspection provide the same security coverage that Sticky-ARP does: they prevent a system from claiming an illegitimate IP and MAC address. Furthermore, in DHCP subnets, it is reasonable to expect that a host would change its IP address from time to time when its lease expires.
    Sticky-ARP does not provide any additional security benefits when DHCP Snooping and IP ARP Inspection are active, and it only causes problems when a lease expires.
    When Cisco made Sticky-ARP the default behavior for Private VLANs, they certainly did not have DHCP in mind.
    In summary, it should be known as a Best Practice that when using Private VLANs on user segments with DHCP, DHCP Snooping and IP ARP Inspection should be enabled and Sticky-ARP be disabled.
    Brad
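The lease-churn failure and the reasoning in the reply above can be replayed in a few lines. The following is an added example, not code from the thread or from Cisco: a Python model of a PVLAN SVI ARP cache with Sticky-ARP on or off, beside a DHCP snooping binding table with a Dynamic ARP Inspection (DAI) check. It walks through the 3-day-lease scenario and shows that sticky entries reject the new bindings after the leases expire, while DAI still validates them against the snooping table. MAC addresses, IP addresses and the violation text are constructed sample values.

```python
"""Toy model of Sticky-ARP versus DHCP Snooping + Dynamic ARP Inspection (DAI).

Added example, not code from the original thread or from Cisco. It replays the
scenario above: a PVLAN SVI whose sticky ARP cache never ages out rejects a new
IP-to-MAC mapping after DHCP lease churn, while a DAI check against the DHCP
snooping binding table accepts it. MACs, addresses and the violation text are
constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class StickyArpCache:
    """ARP cache of a PVLAN SVI; with sticky=True an entry is never overwritten."""
    sticky: bool = True
    table: Dict[str, str] = field(default_factory=dict)  # ip -> mac
    log: List[str] = field(default_factory=list)

    def learn(self, ip: str, mac: str) -> bool:
        """Install ip->mac; refuse to replace an existing sticky entry."""
        current = self.table.get(ip)
        if self.sticky and current not in (None, mac):
            # Constructed message standing in for the STCKYARPOVR syslog quoted above.
            self.log.append(f"STCKYARPOVR {ip}: {current} tried to become {mac}")
            return False
        self.table[ip] = mac
        return True


@dataclass
class DhcpSnoopingDai:
    """DHCP snooping binding table plus the DAI check made against it."""
    bindings: Dict[str, str] = field(default_factory=dict)  # mac -> ip (from DHCP ACKs)
    dropped: List[str] = field(default_factory=list)

    def lease(self, mac: str, ip: str) -> None:
        """Record a DHCP ACK; any older binding still holding the same IP is replaced."""
        for other_mac, other_ip in list(self.bindings.items()):
            if other_ip == ip and other_mac != mac:
                del self.bindings[other_mac]
        self.bindings[mac] = ip

    def expire(self, mac: str) -> None:
        """Lease expired: the binding goes away, so that MAC may no longer claim the IP."""
        self.bindings.pop(mac, None)

    def check_arp(self, ip: str, mac: str) -> bool:
        """DAI forwards an ARP packet only if (mac, ip) matches a snooping binding."""
        if self.bindings.get(mac) != ip:
            self.dropped.append(f"DAI drop: {mac} claims {ip}")
            return False
        return True


def run_scenario(sticky: bool = True) -> Dict[str, object]:
    """Replay the 3-day-lease story and report what each mechanism decided."""
    laptop, visitor, newcomer = "0011.2233.4455", "0066.7788.99aa", "00bb.ccdd.eeff"
    svi = StickyArpCache(sticky=sticky)
    dai = DhcpSnoopingDai()

    # Day 0: the laptop leases .10 and a visitor leases .11; both ARP normally.
    dai.lease(laptop, "10.1.1.10")
    dai.lease(visitor, "10.1.1.11")
    for ip, mac in (("10.1.1.10", laptop), ("10.1.1.11", visitor)):
        if not (dai.check_arp(ip, mac) and svi.learn(ip, mac)):
            raise RuntimeError("first-time bindings must be accepted")

    # Day 4: both leases expired; .10 went to a newcomer and the laptop now gets .11.
    dai.expire(laptop)
    dai.expire(visitor)
    dai.lease(newcomer, "10.1.1.10")
    dai.lease(laptop, "10.1.1.11")

    results: Dict[str, object] = {}
    for name, ip, mac in (("newcomer", "10.1.1.10", newcomer), ("laptop", "10.1.1.11", laptop)):
        dai_ok = dai.check_arp(ip, mac)          # DAI: binding matches, ARP is forwarded
        arp_ok = dai_ok and svi.learn(ip, mac)   # SVI: a sticky cache may still refuse it
        results[name] = {"dai": dai_ok, "arp_installed": arp_ok}
    results["violations"] = list(svi.log)
    return results


if __name__ == "__main__":
    print("sticky-arp on :", run_scenario(sticky=True))
    print("sticky-arp off:", run_scenario(sticky=False))
```

With `sticky=True` both day-4 hosts pass DAI yet neither gets an ARP entry on the SVI, which is the "lease received, no connectivity" symptom from the first post; with `sticky=False` the SVI accepts the new mappings and DAI remains the control that drops an ARP whose MAC/IP pair has no snooping binding.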

  • Private VLAN

    Hi,
    I am creating Private VLAN on my 7606 Router on SVI interface.
    7606#sh vlan private-vlan
    Primary Secondary Type              Ports
    200     201       isolated          Fa4/13
    7606#sh run int f4/13
    Building configuration...
    Current configuration : 222 bytes
    interface FastEthernet4/13
     switchport private-vlan host-association 200 201
     switchport mode private-vlan host
     no ip address
     no cdp enable
    end
    When I connect a PC to Fa4/13 it remains "FastEthernet4/13 is down, line protocol is down (notconnect)". The SVI interface is also down.
    STP-7606#sh int vlan 200
    Vlan200 is down, line protocol is down
      Hardware is EtherSVI, address is 0023.0419.1f40 (bia 0023.0419.1f40)
    Any idea?

    Hello
    Here is a good link to understand PVLAN:
    http://www.cisco.com/warp/public/473/90.shtml
    regards
    Dhaval Tandel

  • Private Vlan and Switchport Protected

    Dear All,
    My core switch is a 4500, which supports Private VLAN. However, I have several closet switches (2950) which only support Switchport Protected. The 4500 and each 2950 are connected with a trunk using fiber.
    How can I configure it so that a PC at 2950_Switch1 cannot communicate with a PC at 2950_Switch2 (all FastEthernet ports on both 2950s are in the same VLAN and same subnet)?
    Thanks.
    C.K.

    Hi C.k.,
    I believe you can use the switchport protected feature along with the port blocking feature to accomplish this. First have your switch ports configured as protected ports on which you don't want the traffic to flow, and then configure those ports to deny unknown unicast and multicast using the "port-blocking feature".
    Try that and let us know.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/swtrafc.htm#wp1174968
    HTH,
    -amit singh
