Private VLAN support on actual HW

Hi all,
I'm currently thinking about a private VLAN based solution for a special demand.
Now for my initial investigation I need to have something like a PVLAN HW support matrix.
Means I'd like to know which switches in the Cisco portfolio support PVLANs.
Additionally, I'm wondering because most of the PVLAN documentation is relatively old.
How about PVLAN support? Is PVLAN on access switches still (and in future) featured by Cisco?
Thanks for your comments
Dieter

Hi Dieter,
You can see this detail using the Cisco Feature Navigator tool, which is available on the Cisco web site.
1. Go to the site below:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
2. Select the Feature button and type the feature which you would like to verify. If you press the Continue button, you can see the supported code as well as the platform.
If you would like to know about any specific product support detail, please inform me; I can share information on whether it supports it or not.
Inform me if you need more detail.
Regards,
Aru

Similar Messages

  • Private VLAN support on Cisco SF220

    Hi!
    is there a plan to add support of Private VLANs on SF220?

    Hi,
    We currently do not have plans to support Private VLANs.

  • Private Vlan support on CAT3850

    Hello, I need to configure private VLANs on a Catalyst 3850.
    On this page it is said that the 3850 does support this technology
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12686/qa_c67-722110.html
    But I can't configure it because there are no such commands in the CLI
    3850(config-vlan)#pri?
    % Unrecognized command
    Does it support it or will it support private vlans in future?

    Dmitry
    There does seem to be conflicting information. The link you provide does say they are supported but looking at the config guide it says -
    Restrictions for VLANs
    The following are restrictions for VLANs:
    The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
    The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
    Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
    Private VLANs are not supported on the switch.
    You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.
    full link -
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg_chapter_0100.html
    So it looks like with this release at least, they are not available. I don't know whether they are scheduled to be included in a later release of the software.
    Perhaps someone from Cisco can comment. The product page certainly needs updating as it seems the configuration guide is the correct one.
    Edit - i have posted a link to this thread in the Technical Documentation forum to ask for clarification although a Cisco person is still not guaranteed to answer.
    Jon

  • Private VLAN Promiscuous Trunk Port - Switches which support this function

    Can anyone confirm if the "Private VLAN Promiscuous Trunk Port" feature is supported in any lower end switches such as Nexus 5548/5672 or 4500X? According to the feature navigator support seems to be restricted to the Catalyst 4500 range (excluding the 4500X) as shown below. If the feature is going to be supported in the Cat 3850 this would be good to know, thanks

    4500x Yes
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
    Nexus 5k Yes
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
    3850s
    They don't support pvs at all yet
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
    Restrictions for VLANs
    The following are restrictions for VLANs:
    The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
    The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
    Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
    Private VLANs are not supported on the switch.
    You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.

  • Hi all, need advice on OSPF and private vlans

    Hi all.
    I have a project to complete and need some help on the possible solution I can use.
    Basically we have ospf area 0 and the users in question are in ospf area 7 and is a stub.
    I need to route the traffic from these users out through area 0 through 3 core devices, onto an external firewall interface to be placed onto the vpn that sits on it. The firewall is not included in the ospf domain.
    My thinking was that the firewall has a default route back into the ospf domain so don't need to worry about traffic coming in, however my job is to segregate these users and take them out of our core network and place them onto an external network via this vpn.
    Not sure how to achieve this apart from static routing redistributed but surely this does not separate their traffic only points the route to ospf?!
    I was thinking I might have to use private vlans or policy routing but when I try policy routing the policy gets ignored due to normal forwarding.
    Any help and advice would be greatly appreciated.
    Cheers
    Steve

    Steve
    Thanks, that helps.
    GRE is definitely out because apart from the 6500 GRE tunneling is not supported on the Cisco switches.
    It's good that area 7 is only for these users and not mixed up with other users.
    So if i understand correctly the 4500 interface connecting to the 6500 is in area 0 and the interface connecting to the 3550 is in area.
    Or is the 3550 connected to both areas and the 4500 totally in area 0 ?
    Can you confirm the above ?
    In terms of keeping them separate there are 2 possible choices. You can either -
    1) use VRF-Lite, although i'm not sure whether the HP switch would support this. With VRF-Lite you are in effect creating virtual devices on the same physical device. This means each virtual device has its own routing and forwarding table so it is quite secure because you would only populate the routing table with the routes needed so there would be no way for users to jump to the rest of your networks.
    The downside is that it can become quite complex to configure. If the 4500 is only used to connect area 7 to area 0 then that would not be a problem but the connection from the 6500 to the HP could and i don't even know whether the HP supports VRF-Lite functionality let alone how to configure it on that switch.
    But it would, at least from the 4500 to 6500 to HP provide complete separation in terms of routing and forwarding. Once it got to the HP it wouldn't but that might not be an issue.
    2) Use PBR (possibly together with acls). This is easier to configure ie. you configure PBR on the 4500 and the 6500 to get the traffic to the HP switch. But you do not get the actual separation you get with VRF-Lite ie. the traffic simply overrides the existing routing tables.
    The other thing to bear in mind with PBR is that you also have to configure the return traffic as well so each device would need multiple PBR configs.
    Again i don't know whether the HP supports PBR but it may not be an issue depending on what the routing is on the HP.
    You could also use a combination of the above ie VRF-Lite between the Cisco switches and then PBR for the last hop to the HP device.
    I should say i don't have a huge amount of experience with VRF-Lite but that should not necessarily stop you using it if it is what you need. There are lots of other people on here so i'm sure there will be other people who can help if i can't.
    It still depends on how much separation is required. VRF-Lite is definitely seen as a way to separate traffic running across a shared infrastructure, PBR is not really seen in the same way.  So it may well be worth going back to find out exactly what "segregating" user traffic means.
    I don't want to confuse the issue but it's still not entirely clear what the actual requirement is.
    Jon

  • Catalyst 3550 Privat-VLAN

    Hi,
    I was about to purchase a 3560 for my home lab to do private VLANs because I read that 3550s do not support PVLAN. To my surprise I can see the commands to do a private-vlan configuration on my 3550:
    (config-vlan)#private-vlan ?
      association       Configure association between private VLANs
      community         Configure the VLAN as a community private VLAN
      isolated          Configure the VLAN as an isolated private VLAN
      primary           Configure the VLAN as a primary private VLAN
      twoway-community  Configure the VLAN as a two way community private VLAN
    Can anyone tell me why everyone says they're not supported though the commands are available?
    Thanks in advance
    Bart

    Hi Bart,
    The IOS is obviously compiled from a common code base that is shared also for Catalyst 3560 and similar platforms. That is why you see the commands actually present. However, if you try to define a Private VLAN (either primary or secondary) and exit the VLAN configuration mode, you will get a platform error message, indicating the switch hardware could not be programmed for the Private VLAN operation.
    Private VLANs require hardware support, and if the underlying platform has no hardware provisions for supporting Private VLANs, they will not be available even if the switch IOS itself has the management features built in, as is in your case. True, the Private VLAN management commands should have not been enabled in the IOS for your platform but it's just the way it is...
    Best regards,
    Peter

  • Private vlan with MVR or any related solution

    I would like to enable MVR on C4507R+E on trunk port. Actually my current network setup is connecting two uplink from this switch to aggregation router as layer 2. And CPE is connected down this switch with private vlan configuration. I have attached interface configurations with this.
    I have to apply “mvr vlan 101 receiver vlan 104” in gig 1/1 interface to map the MVR vlan. But that is not supporting when the link is configured as “switchport mode private-vlan trunk”. Only this command is allowing if I configured as “switchport mode trunk”. But if it is normal trunk, private vlan services are not working. Please suggest your solution for this problem.
    According to cisco we can’t enable MVR in private vlan trunk port. Is there any other solution for this than ACL to block the stream from CPE to upwards at 4507 switch?
    (mvr working, but private vlan is not working)
    interface GigabitEthernet1/1
    switchport private-vlan trunk allowed vlan 101-104
    switchport private-vlan association trunk 200 102
    switchport private-vlan association trunk 300 101
    switchport mode trunk
    mvr type source
    mvr vlan 101 receiver vlan 104
    mvr immediate
    spanning-tree guard loop
    end
    (private vlan working, but mvr is not working)
    interface GigabitEthernet1/2
    description "connected to CPE"
    switchport private-vlan trunk allowed vlan 101-104
    switchport private-vlan association trunk 200 102
    switchport private-vlan association trunk 300 101
    switchport mode private-vlan trunk
    mvr type receiver
    mvr immediate
    spanning-tree guard loop
    end

    Hey,
    Correct, only one Isolated primary vlan is associated with Primary private vlan. Snippet from configuration guide:
    "A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. An isolated or community VLAN can have only one primary VLAN associated with it."
    HTH.
    Regards,
    RS

  • How to setup Private VLAN in Small business switch SF200-24

    Dear All,
    According to release notes 1.4, private VLAN is supported. I've upgraded my SF200-24 with firmware 1.4.0.88 and boot 1.3.5.06. The system information shows firmware version 1.4.0.88 and boot version 1.3.5.06 after reboot. I can't find the private VLAN setup command on the GUI. Please help me to set up private VLAN. Thanks.

    Hi,
    Unfortunately PVLAN is not supported on 200 series. However you might be able to overcome this using general port concept.
    for example:
    isolated port - general 10P (PVID), 30U, drop tagged traffic
    community - 20UP, 30U, drop tagged traffic
    promiscuous - 30UP, 10U, 20U
    Note: primary vlan 30
    does it address your requirements?
    Aleksandra

  • Multi-VRF CE with Private VLANs

    Does anyone know if you can implement a VRF instance on a private vlan? I would assume so, and will lab it out as time permits, but was curious if anyone had tried it/knows one way or the other.

    Since both the platforms support VRF lite and MPLS VPN, you can use Frame-Relay as the encapsulation for sub interfaces with local DLCI switching.
    As the VRF configuration is not media dependent.
    HTH-Cheers,
    Swaroop
    Router 1
    interface Serial0/0
    no ip address
    encapsulation frame-relay
    no keepalive
    !--- This command disables LMI processing.
    interface Serial0/0.1 point-to-point
    !--- A point-to-point subinterface has been created.
    ip address 172.16.120.105 255.255.255.0
    ip vrf forwarding xxx
    frame-relay interface-dlci 101
    !--- DLCI 101 has been assigned to this interface
    Router 2
    interface Serial0/0
    no ip address
    encapsulation frame-relay
    no keepalive
    !--- This command disables LMI processing.
    interface Serial0/0.1 point-to-point
    !--- A point-to-point subinterface has been created.
    ip vrf forwarding xxx
    ip address 172.16.120.120 255.255.255.0
    frame-relay interface-dlci 101
    !--- DLCI 101 has been assigned to this interface

  • Private Vlan and Switchport Protected

    Dear All,
    My core switch is a 4500, which supports Private VLAN. However, I have several closet switches (2950) which only support Switchport Protected. The 4500 and each 2950 are connected with a trunk using fiber.
    How can I config PC at 2950_Switch1 cannot communicate to PC at 2950_Switch2 (all fastethernet port on both 2950 are at the same vlan and same subnet)?
    Thanks.
    C.K.

    Hi C.k.,
    I believe you can use the switchport protected feature along with the port blocking feature to accomplish this. First have your switch ports configured as protected ports on which you don't want the traffic to flow and then configure those ports to deny unknown unicast and multicast using the "port-blocking feature".
    Try that and let us know.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/swtrafc.htm#wp1174968
    HTH,
    -amit singh

  • Private vlan question

    I am replacing a standard set of switches out with ones that can support PVLANs. All our switches currently have their IP address on vlan 1 and that is the subnet in which the default gateway resides. The second switch acts as a redundant switch and will need the same vlans as the primary. Currently they are etherchanneled together. I want to set up a single private vlan with one isolated vlan and several community vlans. My question is where do I put the IP address? Do I still set up a vlan 1 interface as I have done all along? Or do I put the address on the primary private vlan? And I assume I will need to set up a trunk between the two switches, vs. etherchannel?

    Private VLANs provide Layer 2 isolation between ports within the same private VLAN. There are three types of private VLAN ports:
    •Promiscuous—A promiscuous port can communicate with all interfaces, including the community and isolated ports within a private VLAN.
    •Isolated—An isolated port has complete Layer 2 separation from other ports within the same private VLAN except for the promiscuous port. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
    •Community—Community ports communicate among themselves and with their promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities or isolated ports within their private VLAN.
    PVLANs are also known as secondary VLANs; they are always associated to primary VLANs so they can communicate to other devices outside their subnet through the default gateway. The management IP address, or sc0 if it's CatOS, will always be in the primary VLAN, or if native IOS and it's interface vlan it will always be the primary VLAN. So, to answer your question, the management IP address will be in the primary VLAN.
    –You cannot use the inband port, sc0, in a private VLAN.
    Note: With software release 6.3(1) and later releases, you can configure the sc0 port as a private VLAN port; however, you cannot configure the sc0 port as a promiscuous port.
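
A configuration matching the port types and the primary-VLAN addressing described in the reply above, as an added example that is not from the original posters. It uses Catalyst IOS syntax and assumes a platform with hardware PVLAN support; the VLAN IDs, interface names and the 192.0.2.0/24 address are constructed for illustration.

```cisco
! Added example. Constructed values: VLANs 100/101/102, interface names, 192.0.2.0/24.
! With VTP version 1 or 2 the switch must be in transparent mode
! before private VLANs can be configured.
vtp mode transparent
!
! Secondary VLANs: one isolated, one community.
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! Primary VLAN, with both secondaries associated to it.
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Isolated host port: can reach only promiscuous ports.
interface GigabitEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community host ports: can reach each other and promiscuous ports.
interface range GigabitEthernet0/2 - 3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port (for example toward an external gateway or backup server):
! reaches every host port in the secondaries mapped to it.
interface GigabitEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! The Layer 3 address goes on the primary VLAN interface only. Mapping the
! secondaries to it lets hosts in 101 and 102 use it as their gateway.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101,102
!
! Verify from exec mode:
!   show vlan private-vlan
!   show interfaces GigabitEthernet0/1 switchport
```

If the platform lacks hardware support, the `private-vlan` commands may still be accepted in VLAN configuration mode and fail only when the VLAN is committed, so check the output of `show vlan private-vlan` rather than relying on the CLI accepting the commands.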

  • Private vlans

    Hi, I'm trying to configure some private VLANs on a Cat 3550. I can't really find any good configuration example.
    Can anyone provide me with a config example?
    cheers
    per

    PVLAN capabilities on 3550 are very limited. 3550 does not support Community and Isolated VLANs but only Protected ports. The following pages should help
    http://www.cisco.com/warp/public/473/63.html#topic1
    http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swtrafc.htm#wp1158863
    PS: Remember to rate useful posts.

  • SF 300 private-vlan

    Hi,
    I am working on a SF 300 . I favor the cli over the web-interface.
    I would like to make a private-vlan community but do not know if my sequence of commands is right or allowed.
    Can someone point me in the right direction please ?
    MedSwitch#configure terminal
    MedSwitch(config)#vlan da
    MedSwitch(config-vlan)#vlan 50
    MedSwitch(config-vlan)#private-lan community
    % Unrecognized command
    This is my first experience with cisco switches. I am a beginner.
    Thanks.
    -Luis

    Hi Luis, this switch does not support private vlan. You may use protected port features (PVE, private vlan edge). This concept means if there is a port with protected port toggle, any other protected port cannot communicate amongst themselves. This behaves sort of like an "isolated port". However, any port that is not a protected port may communicate to the protected port which operates similar to a "promiscuous port".
    If you need vlan separation it will be accomplished through ACL or routing functions.
    -Tom
    Please mark answered for helpful posts

  • Private vlan edge port & STP

    Hi:
    Is it possible (and a good design to avoid layer 2 loops) to combine the stp and protected ports features on uplinks ports of an edge "non-transit switch"?
    The uplink ports that I would like to have also as protected ports will be dot1q trunks. Anyway, I have read that protected ports are also supported with dot1q on 3750 switches... my doubt is, if you already have STP working on these uplink ports, may the protected-port feature help to avoid the undesirable effects of a loop or is it not designed for this purpose?
    Regards and TIA.
    Juan

    The PVLAN edge (protected port) is a feature that has only local significance to the switch (unlike Private Vlans), and there is no isolation provided between two protected ports located on different switches. A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port in the same switch. Traffic cannot be forwarded between protected ports at L2, all traffic passing between protected ports must be forwarded through a Layer 3 (L3) device

  • Private VLAN questions. Help needed urgently.

    Does anyone know that does 3560 support trunking on promiscuous ports? I have a situation where I have servers on isolated p.vlan 2000 on distribution layer switch. I don't want to do any p.vlan configuration to Core. So can communication happen between Core and servers on isolated vlan 2000 if the only vlan that goes through the trunk link is the primary vlan 2001? Or do I have to put the isolated vlan also to the allowed vlans on trunk? and also every community vlan that I have?
    So what I'm asking is that do the devices that don't have p.vlan on, see all the community vlans etc. or do they only see the primary VLAN? So if I would have a server on the core switch on VLAN 2000 would it be able to communicate with servers that are on the isolated vlan 2000 on the distribution layer switch. The core switch would not have any private vlan configuration on it, just normal vlan config.
    Can I have normal VLAN on the switch where I have Private VLANs?

    Does anyone know that does 3560 support trunking on promiscuous ports?
    >> NO, A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs. Layer 3 gateways are typically connected to the switch through a promiscuous port. With a promiscuous port, you can connect a wide range of devices as access points to a private VLAN. For example, you can use a promiscuous port to monitor or back up all the private-VLAN servers from an administration workstation. A trunk port serves more than one vlan - secondary or primary - therefore from the above it will break that rule hence it is not supported, at least on this platform.
    I have a situation where I have servers on isolated p.vlan 2000 on distribution layer switch. I don't want to do any p.vlan configuration to Core. So can communication happen between Core and servers on isolated vlan 2000 if the only vlan that goes through the trunk link is the primary vlan 2001? Or do I have to put the isolated vlan also to the allowed vlans on trunk?
    >> Putting an isolated vlan in the trunk will not cause the other devices in the same private vlan to talk to an isolated port. An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
    and also every community vlan that I have?
    >> See above, isolated port will not talk to anyone at all except the promiscuous port.
    So what I'm asking is that do the devices that don't have p.vlan on, see all the community vlans etc. or do they only see the primary VLAN?
    >> devices that are in the same secondary community vlan can see each other and the promiscuous port. Isolated vlan can only talk to promiscuous port.
    So if I would have a server on the core switch on VLAN 2000 would it be able to communicate with servers that are on the isolated vlan 2000 on the distribution layer switch. The core switch would not have any private vlan configuration on it, just normal vlan config.
    >> No, isolated vlan are isolated, they can only talk to promiscuous ports which are normally the port to the default gateway, if the default gateway router is an external router. It sounds like you should be putting them in secondary community vlan if you want them talking to one another.
    Can I have normal VLAN on the switch where I have Private VLANs?
    >> Yes, you may.
    Please rate helpful posts.

    Hello all! A bit of background first: Ever since my brother has had problems with his Quad Core (Power Supply died), he moved his EYETV 2.0 device onto my G5. Everything was working fine, until one day I noticed the Desktop was reading as a Package a