Private Vlan, Etherchannel and Isolated Trunk on Nexus 5010

I'm not sure if I'm missing something basic here, however I thought that I'd ask the question. I received a request from a client who is trying to separate traffic out of an IBM P780 - one set of VIO servers/clients (Prod) is tagged with vlan x going out LAG 1 and another set of VIO servers/clients (Test) is tagged with vlan y and z going out LAG 2. The problem is that the management subnet for these devices is on one subnet.
The infrastructure is: the host device is trunked via LACP etherchannel to a Nexus 2148TP (5010), which then connects to the distribution layer, a Catalyst 6504 VSS. I have tried many things today, however I feel that the correct solution to get this working is to use an Isolated trunk (as the host device does not have private vlan functionality) even though there is no requirement for hosts to be segregated. I have configured:
1. Private vlan mapping on the SVI;
2. Primary vlan and association, and isolated vlan on Distribution (6504 VSS) and Access Layer (5010/2148)
3. All Vlans are trunked between switches
4. Private vlan isolated trunk and host mappings on the port-channel interface to the host (P780).
I haven't had any luck. What I am seeing is that as soon as I configure the Primary vlan on the Nexus 5010 (v5.2) (vlan y | private-vlan primary), this vlan (y) does not forward on any trunk on the Nexus 5010 switch, even without any other private vlan configuration. I believe this may be the cause of most of the issues I am having. Has anyone else experienced this behaviour? Also, I haven't had a lot of experience with Private Vlans so I might be missing some fundamentals with this configuration. Any help would be appreciated.

Hello Emcmanamy, Bruce,
Thanks for your feedback.
Just like you, I have been facing the same problem with my customer these last months.
Regarding PVLAN on FEX, and as concluded in Bruce's previous posts, I understand:
You can configure a host interface as an isolated or community access port only.
We can configure an "isolated trunk port" as well on a host interface. Maybe this specific point could be updated in the documentation.
This ability is documented here =>
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_1170903
You cannot configure a host interface as a promiscuous  port.
You cannot configure a host interface as a private  VLAN trunk port.
Indeed a pvlan is not allowed on a trunk defined on a FEX host interface.
However, since NX-OS 5.1(3)N2(1), the feature 'PVLAN on FEX trunk' is supported. But a command has to be activated first: system private-vlan fex trunk. When it is entered, a warning about the presence of 'FEX isolated trunks' is shown.
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_16C0869F1B0C4A68AFC3452721909705
All these conditions are not met on a N5K interface.
Best regards.
Karim

Similar Messages

  • Private vlan question

I am replacing a standard set of switches with ones that can support PVLANs. All our switches currently have their IP address on vlan 1 and that is the subnet on which the default gateway resides. The second switch acts as a redundant switch and will need the same vlans as the primary. Currently they are etherchanneled together. I want to set up a single private vlan with one isolated vlan and several community vlans. My question is where do I put the IP address? Do I still set up a vlan 1 interface as I have done all along? Or do I put the address on the primary private vlan? And I assume I will need to set up a trunk between the two switches, vs. etherchannel?

    Private VLANs provide Layer 2 isolation between ports within the same private VLAN. There are three types of private VLAN ports:
    •Promiscuous—A promiscuous port can communicate with all interfaces, including the community and isolated ports within a private VLAN.
    •Isolated—An isolated port has complete Layer 2 separation from other ports within the same private VLAN except for the promiscuous port. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
    •Community—Community ports communicate among themselves and with their promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities or isolated ports within their private VLAN.
PVLANs are also known as secondary vlans; they are always associated to primary vlans so they can communicate to other devices outside their subnet through the default gateway. The management IP address (or sc0 if it's CatOS) will always be in the primary vlan, or if it is native IOS and it's an interface vlan, it will always be the primary vlan. So, to answer your question, the management IP address will be in the primary vlan.
    –You cannot use the inband port, sc0, in a private VLAN.
    Note: With software release 6.3(1) and later releases, you can configure the sc0 port as a private VLAN port; however, you cannot configure the sc0 port as a promiscuous port.
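The answer above describes the three private VLAN port types and where the management address lives. The following is an added illustration, not code from the thread or from Cisco: a small Python model of the Layer 2 forwarding rules between promiscuous, isolated and community ports, with the gateway SVI modelled as a promiscuous port of the primary VLAN. Port names and VLAN numbers are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class PortType(Enum):
    PROMISCUOUS = "promiscuous"   # router/SVI side: reaches every secondary VLAN
    ISOLATED = "isolated"         # talks to promiscuous ports only
    COMMUNITY = "community"       # talks to its own community and promiscuous ports


@dataclass(frozen=True)
class Port:
    name: str
    ptype: PortType
    primary: int                      # primary VLAN of the private VLAN domain
    secondary: Optional[int] = None   # isolated/community VLAN; None if promiscuous


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame received on src may be switched out of dst at Layer 2."""
    if src is dst or src.primary != dst.primary:
        return False                          # separate private VLAN domains never meet
    if PortType.PROMISCUOUS in (src.ptype, dst.ptype):
        return True                           # promiscuous <-> anything in the domain
    if src.ptype is PortType.COMMUNITY and dst.ptype is PortType.COMMUNITY:
        return src.secondary == dst.secondary  # only within the same community
    return False                              # isolated<->isolated, isolated<->community


def flood_targets(src: Port, ports: List[Port]) -> List[str]:
    """Names of the ports that receive a broadcast/unknown-unicast frame from src."""
    return [p.name for p in ports if can_forward(src, p)]


def reachability(ports: List[Port]) -> Dict[str, List[str]]:
    """Full Layer 2 reachability matrix, port name -> reachable port names."""
    return {p.name: flood_targets(p, ports) for p in ports}


def port_cli(port: Port, secondaries: List[int]) -> List[str]:
    """Catalyst IOS interface commands for a physical port in this role.
    (An SVI uses 'private-vlan mapping' directly, not 'switchport'.)"""
    if port.ptype is PortType.PROMISCUOUS:
        mapping = ",".join(str(v) for v in secondaries)
        return ["switchport mode private-vlan promiscuous",
                f"switchport private-vlan mapping {port.primary} {mapping}"]
    return ["switchport mode private-vlan host",
            f"switchport private-vlan host-association {port.primary} {port.secondary}"]


# Constructed sample domain: primary VLAN 100 carries the gateway SVI, 101 is the
# isolated VLAN, 102 and 103 are community VLANs. VLAN 200 is a separate domain.
SVI100 = Port("Vlan100 (gateway SVI)", PortType.PROMISCUOUS, 100)
FA2 = Port("Fa0/2", PortType.ISOLATED, 100, 101)
FA3 = Port("Fa0/3", PortType.ISOLATED, 100, 101)
FA4 = Port("Fa0/4", PortType.COMMUNITY, 100, 102)
FA5 = Port("Fa0/5", PortType.COMMUNITY, 100, 102)
FA6 = Port("Fa0/6", PortType.COMMUNITY, 100, 103)
SVI200 = Port("Vlan200 (other domain)", PortType.PROMISCUOUS, 200)
PORTS = [SVI100, FA2, FA3, FA4, FA5, FA6, SVI200]

if __name__ == "__main__":
    for name, targets in reachability(PORTS).items():
        print(f"{name:24} -> {', '.join(targets) or '(nothing)'}")
```

Running it shows the two isolated hosts reaching only the gateway, the two community hosts in VLAN 102 reaching each other plus the gateway, and nothing crossing between primary VLAN 100 and 200.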

  • Double Private VLAN

I want to ask: if my vSwitch on VMware is already using Private VLAN a first time, can I apply Private VLAN a second time at the N5K?
VM Servers <--- Trunk---> N5K
    First VM has primary vlan say 100
    First VM secondary vlan say 101,102,103
    Second VM has primary vlan say 200
    Second VM secondary vlan say 201,202,203
So will the N5K be able to have the following PVLAN config?
    Primary VLAN 300
    Secondary VLAN say 100,200

    Vlad,
    From networks connected behind router1 need to reach networks connected behind router2
    ------[router1]--------------gig1/4[vdmz]gig2/16----------------[router2]-------
    gig1/4 is community vlan 121
    gig2/16 is in community vlan 119
    Primary vlan is Vlan116
    VDMZ is our 6503 configured with private vlans.
Some more of the config is this (and I do have a 6503 with an MSFC daughter card):
    interface Vlan116
    description vendor-dmz public/private primary vlan
    ip address 10.248.15.2 255.255.255.128 secondary
    ip address 211.121.108.66 255.255.255.192
    ip access-group 140 in (this one has a permit any any at the end)
    no ip redirects
    no ip unreachables
    private-vlan mapping 117-122
    ip route 10.82.35.0 255.255.255.0 211.121.108.96
    (where 211.121.108.96 is address of router1)
    I have a bgp peering with 211.121.108.90 which is router2.
    in router1 they can see the routes advertised via bgp and also in router2 they
    can see the route for 10.82.35.0 that I advertise to them via bgp.
    I really appreciate your help,
    Alban

  • Private-VLAN using Nexus 7010 and 2248TP FEX

    I have a Nexus 7010 with several 2248TP FEX modules.
    I am trying to configure a Private VLAN on one of the FEX host ports.
I see in the documentation you can't do promiscuous, but I can't even get the host-only configuration to take.
    Software
      BIOS:      version 3.22.0
      kickstart: version 6.0(2)
      system:    version 6.0(2)
    sho run | inc private
    feature private-vlan
    vlan 11
      name PVLAN_Primary
      private-vlan primary
      private-vlan association 12
    vlan 12
      name PVLAN_Secondary
      private-vlan isolated
    7010(config)# int e101/1/48
    7010(config-if)#
    7010(config-if)# switchport mode ?
      access        Port mode access
      dot1q-tunnel  Port mode dot1q tunnel
      fex-fabric    Port mode FEX fabric
      trunk         Port mode trunk
    Switchport mode private-vlan doesn't even show up!!!!!!
    If I try this command it says its not allowed on the FEX port.
    7010(config-if)# switchport private-vlan host-association 11 12
    ERROR: Requested config not allowed on fex port
    What am I doing wrong?????
    Todd

    Have you found a solution to this?
    -Jeremy

  • Private Vlans and trunk mode

If we have a primary vlan 100 associated with it
vlan 11 over {fa0/2 working in host mode}, vlan 12 over {fa0/3 working in host mode}; they work as secondary community vlans
and vlan 13 as an isolated secondary vlan over {fa0/4 host mode}.
How can we route between private vlans 11,12,13 and {vlan 50 fa0/5 access mode}?
Could we use fa0/1, which is connected to the L3 device, in promiscuous mode and trunk mode at the same time, or what ... ??
    and

    Private vlan's are all on the same subnet, so from what you are writing I see:
    100-------------------------------
    | | |
    | | |
    11 12 13
Fa0/2 fa0/3 fa0/4
    and you want to route to Vlan 50, correct?
    In that case you need to trunk vlan 100 to a vlan interface and make sure that vlan 50 also has a routed interface on the same device.

  • Private vlan over dot1q trunks with etherchannels

Dear Friends,
I need to know whether I can use trunks in etherchannel for Private Vlans.
    regards
    Manish Shamjee

Hello Manish,
    You would need to elaborate more on that.
    Are you trying to 'trunk' primary private vlan's or secondary private vlans? Or are you trying to configure private vlans on ports that are etherchannels?
    Read this "Do not configure private VLAN ports as EtherChannels. While a port is part of the private VLAN configuration, any EtherChannel configuration for it is inactive"
    The above is from the pvlan guidelines and restrictions found here:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm#wp1090979

  • Private-VLAN and EtherChannel

    Hi,
    On a Catalyst 3750, I have created a Primary and Secondary Community VLANs and have associated them.
    The Primary VLAN (100) is attached to a promiscuous port, the Secondary VLANs (101-103) aren't attached to any port.
    I would like to let the Secondary VLANs traffic pass over an EtherChannel link that is a dot1q trunk.
    The trunk is made with a virtual switch (VMware ESX) and transports non-Private VLANs (101-103). The trunk itself works.
How can I configure the EtherChannel as a private-VLAN port, considering that the EtherChannel isn't using PAgP/LACP modes? ("channel-group 1 mode on").
    Is there a way to solve this without replacing the Private-VLANs with VLANs?
    Thanks in advance for your help!

    From "EtherChannel Configuration Guidelines"
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sed/scg/swethchl.htm#wp1021856
    Do not configure a private-VLAN port as part of an EtherChannel.

  • EtherChannel and Vlan trunk

I am trying to have 3 groups of 4 GigE ports on the 3560G as etherchannels and connect to 4 Dells.
    On gi0/7 - 10 the trunk config seems to work but I am not able to route between the switches. Here is the config ...
    Can anyone take a look tell me what's missing? Much appreciated!
    Building configuration...
    Current configuration : 3422 bytes
    ! Last configuration change at 00:35:24 UTC Sat Jul 9 2005
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname cisco_switch_b
    enable secret xxxx
    enable password xxx
    ip subnet-zero
    ip routing
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    interface Port-channel1
    switchport access vlan 5
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet0/1
    description To Internet Router
    no switchport
    ip address 10.1.1.2 255.255.255.0
    ip helper-address 10.1.1.8
    interface GigabitEthernet0/2
    interface GigabitEthernet0/3
    interface GigabitEthernet0/4
    interface GigabitEthernet0/5
    interface GigabitEthernet0/6
    interface GigabitEthernet0/7
    description To Dell_switch_1
    switchport access vlan 5
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    spanning-tree portfast
    interface GigabitEthernet0/8
    switchport access vlan 5
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    spanning-tree portfast
    interface GigabitEthernet0/9
    switchport access vlan 5
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    spanning-tree portfast
    interface GigabitEthernet0/10
    switchport access vlan 5
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    spanning-tree portfast
    interface GigabitEthernet0/11
    description To Dell_switch_2
    switchport access vlan 6
    spanning-tree portfast
    interface GigabitEthernet0/12
    switchport access vlan 6
    spanning-tree portfast
    interface GigabitEthernet0/13
    switchport access vlan 6
    spanning-tree portfast
    interface GigabitEthernet0/14
    switchport access vlan 6
    spanning-tree portfast
    interface GigabitEthernet0/15
    description To Dell_switch_3
    switchport access vlan 7
    switchport mode access
    spanning-tree portfast
    interface GigabitEthernet0/16
    switchport access vlan 7
    switchport mode access
    spanning-tree portfast
    interface GigabitEthernet0/17
    switchport access vlan 7
    switchport mode access
    spanning-tree portfast
    interface GigabitEthernet0/18
    switchport access vlan 7
    switchport mode access
    spanning-tree portfast
    interface GigabitEthernet0/19
    interface GigabitEthernet0/20
    interface GigabitEthernet0/21
    interface GigabitEthernet0/22
    interface GigabitEthernet0/23
    interface GigabitEthernet0/24
    interface GigabitEthernet0/25
    interface GigabitEthernet0/26
    interface GigabitEthernet0/27
    interface GigabitEthernet0/28
    interface Vlan1
    no ip address
    shutdown
    interface Vlan5
    ip address 10.1.5.1 255.255.255.0
    interface Vlan6
    ip address 10.1.6.1 x.x.255.0
    ip helper-address 10.1.5.7
    interface Vlan7
    ip address 10.1.7.1 x.x.x.0
    ip helper-address 10.1.5.7
    ip default-gateway 10.1.1.1
    ip classless
    ip http server
    access-list 100 permit ip host 0.0.0.0 host 255.255.255.255
    access-list 100 permit udp host 10.1.5.1 host 10.1.5.7 eq bootps
    access-list 100 permit udp host 10.1.5.1 host 10.1.5.7 eq bootpc
    access-list 100 permit udp host 10.1.5.7 host 10.1.5.1 eq bootps
    access-list 100 permit udp host 10.1.5.7 host 10.1.5.1 eq bootpc
    access-list 100 permit ip host 0.0.0.0 host 255.255.255.0
    control-plane
    line con 0
    exec-timeout 0 0
    line vty 0 4
    password xxx
    no login
    line vty 5 15
    password xxx
    no login
    ntp server 10.1.5.7
    end

    Here is an example to configure EtherChannel:
    Cisco Catalyst 3560 Switch Configuration
Set MDIX automatic - to enable the Cisco Catalyst to accept both crossover and straight-through cable connections
# config t
# int range g0/1 - 28
# switchport mode access - configure the Cisco Catalyst ports as normal switch ports
# speed auto
# duplex auto
# mdix auto
# end
# show controllers Ethernet-controller
# copy running-config startup-config
Configure Etherchannels - for redundancy and network load balancing
# config t
# int range g0/23 - 24
# switchport mode access
# switchport access vlan 1
# channel-group 5 mode active
# exit
Configure Etherchannel load balancing
# config t
# port-channel load-balance src-dst-mac
# exit
Configure IP Address:
# config t
# int vlan 1
# ip address 10.xx.xx.xx 255.255.252.0
# ip default-gateway 10.xx.xx.1
# config t
# int range g0/19-20
# channel-group 2 mode active
# config t
# int range g0/17-18
# channel-group 3 mode active
! "mode active" is LACP; "mode desirable" is PAgP, and a channel group uses one protocol only, so do not mix the two in the same group
# int port-channel 3
# switchport mode access
# config t
# int range g0/15-16
# channel-group 4 mode active
# show etherchannel summary - to check Etherchannel port status
    Regards,
    Junhan
    IT Specialist

  • Pvlan etherchannel and trunk

    Hi all,
    one simple question: is it possible to trunk a cat 6500 to a cat 4500 with an etherchannel and transport a private vlan (in my case 1 isolated lan) ?
    Thanks in advance.

    I don't think this is possible

  • Nexus 1000V private-vlan issue

    Hello
I need to transmit both the private-vlans (as a promiscuous trunk) and regular vlans on the trunk port between the Nexus 1000V and the physical switch. Do you know how to properly configure the uplink port to accomplish that?
    Thank you in advance
    Lucas

The Control vlan is a totally separate VLAN from your System Console. The VLAN just needs to be available to the ESX host through the upstream physical switch, and then make sure the VLAN is passed on the uplink port-profile that you assign the ESX host to.
    We only need an interface on the ESX host if you decide to use L3 control. In that instance you would create or use an existing VMK interface on the ESX host.

  • Private-VLAN trunk on 3560X

    Hi,
I need to create Private-VLANs on a 3560X; is it possible to configure this technology with a 3560X switch and IOS 12.2(55)SE5? I attach the topology.
I want to configure the private VLANs on VLAN 30; the isolated VLAN is number 100 and the community VLAN is 200. I guess that the trunk interfaces have to be set in promiscuous mode, is that correct?
If the trunk is configured in promiscuous mode, what happens to the other VLANs (10, 20 and 40), and what is the correct configuration for the trunk interfaces?

    Hi,
    Follow the config guide on how to configure private vlans:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swpvlan.html
    HTH

  • Private VLAN Promiscuous Trunk Port - Switches which support this function

    Can anyone confirm if the "Private VLAN Promiscuous Trunk Port" feature is supported in any lower end switches such as Nexus 5548/5672 or 4500X? According to the feature navigator support seems to be restricted to the Catalyst 4500 range (excluding the 4500X) as shown below. If the feature is going to be supported in the Cat 3850 this would be good to know, thanks

    4500x Yes
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
    Nexus 5k Yes
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
    3850s
They don't support PVLANs at all yet
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
    Restrictions for VLANs
    The following are restrictions for VLANs:
    The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
    The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
    Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
    Private VLANs are not supported on the switch.
    You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.

  • Catalyst series - Private VLAN over trunk

    Hey every body
    I was planning to implement a Cisco Nexus 5596 in a data center as it supports private VLAN over trunk.
But now, I have been forced to use a Cisco Catalyst series instead of the Nexus one.
    Based on the feature that is very important for my manager (private VLAN over trunk), which Catalyst switch can be replaced with the Nexus 5596? In other words, what Catalyst series switch works at the same scale and efficiency of Nexus 5596 and supports private VLAN over trunk feature?
    Cheers

  • Private vlan and HSRP

Hi, guys. I have a question about Private Vlan and HSRP implementation. In my network topology, there are two 6509 switches as core switches and Internet outlet. There is a 3750 as a distribution switch, and a 3550 as an access switch. The topology is as below:
    | |
    7609----7609
    | |
    3750
    |
    3550
    |
    servers
Now there are some servers that will connect to the 3550, and the 3750 and 3550 will be treated as Layer 2 switches; that is, these servers' default gateway will be on a vlan interface on the 7609, and I have configured HSRP between the vlan on the two 6509s. My question is how to implement private vlan on the 3550 with HSRP on the 7609, so that these servers can have a redundant gateway and be kept isolated from other servers.

It looks like the 3550 does not support private VLAN.
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_tech_note09186a0080094830.shtml
    More info. on private VLAN :
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00802c30c4.html#wp1138148
    Did you configure the VLAN trunking between 7609, 3750 and 3550 ? Once we enable the VLAN trunking then the server can plug to the assigned VLAN and communicate to the 7609 via the trunk w/o interference w/ other VLAN. However, you have to enable the VLAN routing at 7609 to make it able to connect to other VLAN user if you want.
    Hope this helps.

  • Private Vlan and Switchport Protected

    Dear All,
My core switch is a 4500 which supports Private Vlan. However, I have several closet switches (2950) which only support Switchport Protected. The 4500 and each 2950 are connected with a trunk using fiber.
How can I configure it so that a PC at 2950_Switch1 cannot communicate with a PC at 2950_Switch2 (all fastethernet ports on both 2950s are in the same vlan and same subnet)?
    Thanks.
    C.K.

Hi C.K.,
I believe you can use the switchport protected feature along with the port blocking feature to accomplish this. First have your switch ports configured as protected ports on which you don't want the traffic to flow, and then configure those ports to deny unknown unicast and multicast using the "port-blocking feature".
    Try that and let us know.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/swtrafc.htm#wp1174968
    HTH,
    -amit singh
