Private vlan edge port & STP

Similar Messages

• SF 300 private-vlan

  Hi,
  I am working on a SF 300 . I favor the cli over the web-interface.
  I will like to make a private-vlan community but do not know if my sequence of commands are right or allowed.
  Can someone point me in the right direction please ?
  MedSwitch#configure terminal
  MedSwitch(config)#vlan da
  MedSwitch(config-vlan)#vlan 50
  MedSwitch(config-vlan)#private-lan community
  % Unrecognized command
  This is my first experience with cisco switches. I am a beginner.
  Thanks.
  -Luis

  Hi Luis, this switch does not support private vlan. You may use protected port features (PVE, private vlan edge). This concept means if there is a port with protected port toggle, any other protected port cannot communicate amongst themselves. This behaves sort of like an "isolated port". However, any port that is not a protected port may communicate to the protected port which operates similar to a "promiscuous port".
  If you need vlan separation it will be accomplished through ACL or routing functions.
  -Tom
  Please mark answered for helpful posts

• Private vlans and 2960 and 3560 switch

  Hi, I have a 3560 switch that supports private vlans. There are few computers connected to it and private vlans work fine. Now I need to connect a 2960 switch to 3560 switch. 2960 seems to have no private vlan configuration options but it can be private vlan edge? What is private vlan edge? If I put the computers on 2960 to a vlan that is isolated vlan in 3560 will the computers be able to communicate with themselves in layer2 on 2960 switch?

  Example: I have network 10.0.0.0/24. Networks primary vlan is 2001, isolated is 2002 and community is 2003. These settings are on 3560. So if I put computers on 2960 switch to vlan 2002 and make the ports protected ports they will act as isolated ports and they can't communicate with ports that are on isolated vlan 2002 on 3560???
  Can I also use the community vlan on 2960? is this possible because vlans 2002 and 2003 would be on the same network???

• How to setup the trunk for private vlans across 2 switches (Both are SF300-24)

  Dear All,
  I have 2 switches which are SF300-24.
  Switch 1 is connected to Internet Router for all clients on swith1 and switch 2.
  The clients on switch 1 & switch 2 don’t communicate each other.
  Port1~Port24 on switch 1 & switch 2 are isolated ports.
  Gigaport1 on switch1 is connected to gigaport1 on switch2.  
  Gigaport2 on switch2 is connected to Internet Router.
  The VLAN 100 is for isolated ports.
  The native VLAN is 1.
  Please help me how to configure the case. Thanks for your help.

  I think he's just looking for PVE.  You can enabled 'protected port' on a port by port basis.
  Here's the excerpt from the admin guide.
  Protected Port
  —Select to make this a protected port. (A protected port is
  also referred as a Private VLAN Edge (PVE).) The features of a protected port
  are as follows:
  Protected Ports provide Layer 2 isolation between interfaces (Ethernet
  ports and LAGs) that share the same VLAN.
  Packets received from protected ports can be forwarded only to
  unprotected egress ports. Protected port filtering rules are also applied
  to packets that are forwarded by software, such as snooping
  applications.
  Port protection is not subject to VLAN membership. Devices connected
  to protected ports are not allowed to communicate with each other, even
  if they are members of the same VLAN.

• Private vlan over dot1q trunks with etherchannels

  Dear Freinds,
  I need to know whether can i use trunks in etherchannel for Private Vlans.
  regards
  Manish Shamjee

  Hello manish,
  You would need to elaborate more on that.
  Are you trying to 'trunk' primary private vlan's or secondary private vlans? Or are you trying to configure private vlans on ports that are etherchannels?
  Read this "Do not configure private VLAN ports as EtherChannels. While a port is part of the private VLAN configuration, any EtherChannel configuration for it is inactive"
  The above is from the pvlan guidelines and restrictions found here:
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm#wp1090979

• Private vlan with MVR or any related solution

  I would like to enable MVR on C4507R+E on trunk port. Actually my current network setup is connecting two uplink from this switch to aggregation router as layer 2. And CPE is connected down this switch with private vlan configuration. I have attached interface configurations with this.
  I have to apply “mvr vlan 101 receiver vlan 104” in gig 1/1 interface to map the MVR vlan. But that is not supporting when the link is configured as “switchport mode private-vlan trunk”. Only this command is allowing if I configured as “swithport mode trunk”. But if it is normal trunk, private vlan services are not working. Please suggest your solution for this problem.
  According to cisco we can’t enable MVR in private vlan trunk port. Is there any other solution for this than ACL to block the stream from CPE to upwards at 4507 switch?
  (mvr working, but private vlan is not working)
  interface GigabitEthernet1/1
  switchport private-vlan trunk allowed vlan 101-104
  switchport private-vlan association trunk 200 102
  switchport private-vlan association trunk 300 101
  switchport mode trunk
  mvr type source
  mvr vlan 101 receiver vlan 104
  mvr immediate
  spanning-tree guard loop
  end
  (private vlan working, but mvr is not working)
  interface GigabitEthernet1/2
  description "connected to CPE"
  switchport private-vlan trunk allowed vlan 101-104
  switchport private-vlan association trunk 200 102
  switchport private-vlan association trunk 300 101
  switchport mode private-vlan trunk
  mvr type receiver
  mvr immediate
  spanning-tree guard loop
  end

  Hey,
  Correct, only one Isolated primary vlan is associated with Primary private vlan. Snippet from configuration guide:
  "A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. An isolated or community VLAN can have only one primary VLAN associated with it."
  HTH.
  Regards,
  RS

• Private Vlan, Etherchannel and Isolated Trunk on Nexus 5010

  I'm not sure if I'm missing something basic here however i though that I'd ask the question. I recieved a request from a client who is trying to seperate traffic out of a IBM P780 - one set of VIO servers/clients (Prod) is tagged with vlan x going out LAG 1 and another set of VIO server/clients (Test) is tagged with vlan y and z going out LAG 2. The problem is that the management subnet for these devices is on one subnet.
  The infrastructure is the host device is trunked via LACP etherchannel to Nexus 2148TP(5010) which than connects to the distribution layer being a Catalyst 6504 VSS. I have tried many things today, however I feel that the correct solution to get this working is to use an Isolated trunk (as the host device does not have private vlan functionality) even though there is no requirement for hosts to be segregated. I have configured:
  1. Private vlan mapping on the SVI;
  2. Primary vlan and association, and isolated vlan on Distribution (6504 VSS) and Access Layer (5010/2148)
  3. All Vlans are trunked between switches
  4. Private vlan isolated trunk and host mappings on the port-channel interface to the host (P780).
  I haven't had any luck. What I am seeing is as soon as I configure the Primary vlan on the Nexus 5010 (v5.2) (vlan y | private-vlan primary), this vlan (y) does not forward on any trunk on the Nexus 5010 switch, even without any other private vlan configuration. I believe this may be the cause to most of the issues I am having. Has any one else experienced this behaviour. Also, I haven't had a lot of experience with Private Vlans so I might be missing some fundamentals with this configuration. Any help would be appreciated.

  Hello Emcmanamy, Bruce,
  Thanks for your feedback.
  Just like you, I have been facing the same problematic last months with my customer.
  Regarding PVLAN on FEX, and as concluded in Bruce’s previous posts I understand :
  You can configure a host interface as an isolated or community access port only.
  We can configure “isolated trunk port” as well on a host interface. Maybe this specific point could be updated in the documentation.  
  This ability is documented here =>
  http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_1170903
  You cannot configure a host interface as a promiscuous  port.
  You cannot configure a host interface as a private  VLAN trunk port.
  Indeed a pvlan is not allowed on a trunk defined on a FEX host interface.
  However since NxOS 5.1(3)N2(1), the feature 'PVLAN on FEX trunk' is supported. But a command has to be activated before => system private-vlan fex trunk . When entered a warning about the presence of ‘FEX isolated trunks’ is prompted.
  http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_16C0869F1B0C4A68AFC3452721909705
  All these conditions are not met on a N5K interface.
  Best regards.
  Karim

• Private VLAN Promiscuous Trunk Port - Switches which support this function

  Can anyone confirm if the "Private VLAN Promiscuous Trunk Port" feature is supported in any lower end switches such as Nexus 5548/5672 or 4500X? According to the feature navigator support seems to be restricted to the Catalyst 4500 range (excluding the 4500X) as shown below. If the feature is going to be supported in the Cat 3850 this would be good to know, thanks

  4500x Yes
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
  Nexus 5k Yes
  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
  3850s
  They dont support pvs at all yet
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
  Restrictions for VLANs
  The following are restrictions for VLANs:
  The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
  The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
  Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
  Private VLANs are not supported on the switch.
  You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.

• Port-channel with Private VLANs on Nexus1000v

  Hi all,
  It says that private vlans are not supported on port-channel ports ont Nexus 1000v L2 Switching Guide.
  AFAIK, if you have two ports between ESX VEM and physical switch and both these ports are configured as 802.1Q and carrying the same VLANs, when the port which carries the traffic at the moment fails,  the other port do not failover automatically. This is mentioned in "Nexus 1000v Deployment Guide version 2" as ,
  "Individual Uplinks : A standard uplink is an uplink that is not a member of a PortChannel from the VEM to a physical switch. It provides
  no capability to load balance across multiple standard uplink links and no high-availability characteristics. When a  standard uplink fails, no secondary link exists to take over. Defining two standard uplinks to carry the same VLAN involves the risk of creating loops within the environment and is an unsupported configuration. Cisco NX-OS will post warnings when such a condition occurs. "
  Does anyone have any idea in order for the attached topology to work. Do I have to forward each and every VLAN from different ports ? If I do that how am I going to manage different VLANs and still have that hosts in the same primary VLAN with same IP subnet ?
  Thanks in advance.
  Dumlu

  Hi,
  You can't have M and F ports in single port channel irrespective what code version you are running , it will throw error on you..
  nor you can have m1 port channel one side and another f port channel other side , port channel 

• Private VLAN

  Hi,
  I am creating Private VLAN on my 7606 Router on SVI interface.
  7606#sh vlan private-vlan
  Primary Secondary Type              Ports
  200     201       isolated          Fa4/13
  7606#sh run int f4/13
  Building configuration...
  Current configuration : 222 bytes
  interface FastEthernet4/13
   switchport private-vlan host-association 200 201
   switchport mode private-vlan host
   no ip address
   no cdp enable
  end
  when i connect a pc with Fa4/13 it remain "FastEthernet4/13 is down, line protocol is down (notconnect)". SVI interface is also down.
  STP-7606#sh int vlan 200
  Vlan200 is down, line protocol is down
    Hardware is EtherSVI, address is 0023.0419.1f40 (bia 0023.0419.1f40)
  Any idea?

  Hello
  here is the good link to understand the PVLAN
  http://www.cisco.com/warp/public/473/90.shtml
  regards
  Dhaval Tandel

• Private Vlan help

  I have read the documentation (http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a44.html). Still need a bit more clarification. The concept of Primary vs isolated? Is the Private-Vlan primary command run at the Core, intermediate and edge switches or is the isolated setting at the edge device only.

  ok
  here goes
  private vlans are designed to protect traffic right?
  there are several concepts here
  isolated-can only talk out through the promiscuous port I.E. to it's default gateway
  community ports-these are ports where say 2 devices on same l2 network should be allowed to talk to each other and then out to promiscuous port.
  So you can have multiple community ports isolated ports and such within a private vlan.
  Real world example
  I have l3 network
  10.1.1.X
  machine 1-should not be able to talk to anyone on same switch, only out to internet.
  gets an isolated port
  Mmachines 2-3 need to talk to each other cause they do db replication but no one else and are on same vlan.
  these get a community port.
  HTH
  Chris

• Is it better to use router port versus vlan member port?

  Hi CSC,
  This is more of a philosophical or "best practices" question.
  I have a Cisco 3550 at the home office. Connected to the 3550 is a number of branch offices by way of T1 circuits or VDSL modems. They all come to the home office, where we have a central internet connection and server farm for our entire organization.
  Except for one special case branch office, we don't forsee the need for appearances of the  home office vlan at the branch office sites. In that case, we bring it  into a trunk port at the home office, and at the special case branch office we have a dell 3024  switch and tag some ports as vlan 18 (the home office) or vlan 27 (the  special case branch office).
  We also do not forsee a need for the vlan from one branch office to appear at another branch office.
  They are all (except for the special case mentioned above) currently configured something like this:
  interface FastEthernet0/1
  description home office
  switchport access vlan 18
  switchport mode access
  interface FastEthernet0/2
  description t1 to branch office 1
  switchport access vlan 19
  switchport mode access
  interface Vlan18
  description subnet for home office
  ip address 192.168.18.1 255.255.255.0
  interface Vlan19
  description subnet for branch office 1
  ip address 192.168.19.1 255.255.255.0
  Is it better, in terms of reduced network complexity or performance on my 3550, to do something like this instead?
  That is, to make the interfaces router ports as opposed to vlan member ports?
  Of course, if we ever DID need to have appearances of the home office vlan at branch office sites, or appearances of one branch office's vlan at another branch office, we would lose that flexibility.
  interface FastEthernet0/1
  description home office
  switchport access vlan 18
    switchport mode access
  interface FastEthernet0/2
  description t1 to branch office 1
  ip address 192.168.19.1 255.255.255.0
  interface Vlan18
  description subnet for home office
  ip address 192.168.18.1 255.255.255.0
  no vlan 19

  Hello,
  In my opinion there is no 100% right answer here. I think it depends also about network forecast. I'll try to add here some thoughts:
  - if you use trunk interfaces from home to branch and SVI for L3 connection, in terms of scalability is much easier to expand (you have now only one p2p L3 link, but in future you'll need another one; if the port is a trunk one, you just configure another SVI interface, allow vlan on trunk and your good to go)
  - trunk interfaces involve more configuration (L2 interface and SVI L3 interface)
  - if you add in the home office another switch to existing one, and for some reason you have misconfiguration in STP / VTP, then you can run into problems like loops, vlan database modification (e.g. VTP server mode and the new added switch has a higher revision number than existing one)
  - L3 physical interfaces are easier to configure and less complex, but in case you want to scale to additional p2p link will be harder
  - L3 configuration is easier to troubleshoot as you avoid the L2 complexity
  - in terms of packet exchange a L3 interface will exchange less packets than a L2 trunk with SVI (I'm talking here about control traffic, not user traffic)
  - with L2 trunk you can have other problems like if somebody is "smart enough" to add a new switch into the existing switch (if you have a switch there) at the branch location; imagine that the new switch due to misconfigurated STP became root bridge; you have a large STP domain.
  As I said, there is no good or bad approach. You have to guide yourself about forecasts in your network. For example if you know that a branch location will not be extended in the next 2 years, then go ahead with L3 interface and that's it. On the other hands if you have doubts you can add for another location L2 trunk with SVI. You can mix this two solution to obtain the best results for your network characteristics.
  Cheers,
  Calin

• How to setup Private VLAN in Small business switch SF200-24

  Dear All,
  According release notes 1.4 , private vlan is supported. I've upgraded my SF200-24 with firmware 1.4.0.88 and boot 1.3.5.06. The system information show firmware version 1.4.0.88 and boot version 1.3.5.06 after reboot. I can't find private vlan setup command on GUI. Please help me to setup private vlan. Thanks.

  Hi,
  Unfortunately PVLAN is not supported on 200 series. However you might be able to overcome this using general port concept.
  for example:
  isolated port - general 10P (PVID), 30U, drop tagged traffic
  community - 20UP, 30U, drop tagged traffic
  promiscuous - 30UP, 10U, 20U
  Note: primary vlan 30
  does it address your requirements?
  Aleksandra

• Private VLan in 3550

  we are going to purchase cisco 3550 switches for our DMZs setup, we would like to utilise the Private VLAN (PVLAN) features in order to protect our individual server from any attack or any compromise servers. Can any body highlight some more on this how best is this to configure pvlans in cisco 3550 switches and is there any issues with Checkpoint Firewall.
  where I will get step by step commands. I searched on cisco site but lost myself for finding the step by step documentation.
  I find one documentation which was very good but it is for cisco 6500 series switches. please see the link for that http://www.cisco.com/warp/customer/473/90.shtml
  Thanks in advance

  Here is a link that I hope helps you with your coinfiguration. See Configuring Protected Ports portion for the PVLAN feature.
  http://www.cisco.com/en/US/partner/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007e838.html
  I don't know any issues with specific vendor equipment (e.g. Checkpoint FW, etc).
  Hope this helps you,
  Don

• Nexus 1000V private-vlan issue

  Hello
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:Standardowy;
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman";
  mso-ansi-language:#0400;
  mso-fareast-language:#0400;
  mso-bidi-language:#0400;}
  I need to transmit both the private-vlans (as promiscous trunk) and regular vlans on the trunk port between the Nexus 1000V and the physical switch. Do you know how to properly configure the uplink port to accomplish that ?
  Thank you in advance
  Lucas

  Control vlan is a totally seperate VLAN then your System Console. The VLAN just needs to be available to the ESX host through the upstream physical switch and then make sure the VLAN is passed on the uplink port-profile that you assign the ESX host to.
  We only need an interface on the ESX host if you decide to use L3 control. In that instance you would create or use an existing VMK interface on the ESX host.