Private vlans and 2960 and 3560 switch

Hi, I have a 3560 switch that supports private vlans. There are few computers connected to it and private vlans work fine. Now I need to connect a 2960 switch to 3560 switch. 2960 seems to have no private vlan configuration options but it can be private vlan edge? What is private vlan edge? If I put the computers on 2960 to a vlan that is isolated vlan in 3560 will the computers be able to communicate with themselves in layer2 on 2960 switch?

Example: I have network 10.0.0.0/24. Networks primary vlan is 2001, isolated is 2002 and community is 2003. These settings are on 3560. So if I put computers on 2960 switch to vlan 2002 and make the ports protected ports they will act as isolated ports and they can't communicate with ports that are on isolated vlan 2002 on 3560???
Can I also use the community vlan on 2960? is this possible because vlans 2002 and 2003 would be on the same network???

Similar Messages

  • LMS 2.6 and 2960-24TC-L switch

    Hi,
    I have a LMS 2.6 with the followings
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin:0in;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    Campus Manager – 4.0.3
    RME – 4.0.3
    DFM– 2.0.3
    Cisco View – 6.1.2
    The Following switches are showng unknown.
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin:0in;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    cisco WS-C2960G-24TC-L- 12.2(25)SEE2
    cisco WS-C2960-48TC-L   - 12.2(35)SE5
    In the device comatibility also i am not able to find the switches.
    I wanted to know whether i need to upgrade the LMS? if so then will the license on my existing LMS work on the new/Upgraded LMS
    BR// Rajiv

    Hello,
    When searching a documentation for LMS device support, it is better to search if exact SNMP sysObjectID is supported. You can execute following command on the LMS server to get the switch sysObjectID (find snmpwalk.exe file on your server, this is an example for default location):
    C:\Program Files\CSCOpx\objects\jt\bin>snmpwalk.exe -v2c -c 1.3.6.1.2.1.1.2
    (1.3.6.1.2.1.1.2  is the OID for sysObjectID variable.)
    I'm not sure if there is a device package for the particular switches, but you can always try to search for updates via LMS Web GUI:
    Common Services
    > Software Center > Device Update
    and:
    Common Services > Software Center > Software Update
    If your LMS server has Internet access, and you have valid CCO user ID with privileges to download the software, you can download and install all minor updates and device packages... Everything offered for download when using previous Web GUI tools is free if you have paid Cisco SAS support and works with the same LMS license you already  have.
    Do not forget to check for prerequisits (for example, sometimes is needed to install Mdf update for Common Services before installing some RME update...)
    Best regrads,
    Jasmina

  • Private Vlan, Etherchannel and Isolated Trunk on Nexus 5010

    I'm not sure if I'm missing something basic here however i though that I'd ask the question. I recieved a request from a client who is trying to seperate traffic out of a IBM P780 - one set of VIO servers/clients (Prod) is tagged with vlan x going out LAG 1 and another set of VIO server/clients (Test) is tagged with vlan y and z going out LAG 2. The problem is that the management subnet for these devices is on one subnet.
    The infrastructure is the host device is trunked via LACP etherchannel to Nexus 2148TP(5010) which than connects to the distribution layer being a Catalyst 6504 VSS. I have tried many things today, however I feel that the correct solution to get this working is to use an Isolated trunk (as the host device does not have private vlan functionality) even though there is no requirement for hosts to be segregated. I have configured:
    1. Private vlan mapping on the SVI;
    2. Primary vlan and association, and isolated vlan on Distribution (6504 VSS) and Access Layer (5010/2148)
    3. All Vlans are trunked between switches
    4. Private vlan isolated trunk and host mappings on the port-channel interface to the host (P780).
    I haven't had any luck. What I am seeing is as soon as I configure the Primary vlan on the Nexus 5010 (v5.2) (vlan y | private-vlan primary), this vlan (y) does not forward on any trunk on the Nexus 5010 switch, even without any other private vlan configuration. I believe this may be the cause to most of the issues I am having. Has any one else experienced this behaviour. Also, I haven't had a lot of experience with Private Vlans so I might be missing some fundamentals with this configuration. Any help would be appreciated.

    Hello Emcmanamy, Bruce,
    Thanks for your feedback.
    Just like you, I have been facing the same problematic last months with my customer.
    Regarding PVLAN on FEX, and as concluded in Bruce’s previous posts I understand :
    You can configure a host interface as an isolated or community access port only.
    We can configure “isolated trunk port” as well on a host interface. Maybe this specific point could be updated in the documentation.  
    This ability is documented here =>
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_1170903
    You cannot configure a host interface as a promiscuous  port.
    You cannot configure a host interface as a private  VLAN trunk port.
    Indeed a pvlan is not allowed on a trunk defined on a FEX host interface.
    However since NxOS 5.1(3)N2(1), the feature 'PVLAN on FEX trunk' is supported. But a command has to be activated before => system private-vlan fex trunk . When entered a warning about the presence of ‘FEX isolated trunks’ is prompted.
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_16C0869F1B0C4A68AFC3452721909705
    All these conditions are not met on a N5K interface.
    Best regards.
    Karim

  • Catalyst series - Private VLAN over trunk

    Hey every body
    I was planning to implement a Cisco Nexus 5596 in a data center as it supports private VLAN over trunk.
    But now, I av been forced to use a Cisco Catalyst series instead of the Nexus one.
    Based on the feature that is very important for my manager (private VLAN over trunk), which Catalyst switch can be replaced with the Nexus 5596? In other words, what Catalyst series switch works at the same scale and efficiency of Nexus 5596 and supports private VLAN over trunk feature?
    Cheers

    4500x Yes
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
    Nexus 5k Yes
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
    3850s
    They dont support pvs at all yet
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
    Restrictions for VLANs
    The following are restrictions for VLANs:
    The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
    The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
    Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
    Private VLANs are not supported on the switch.
    You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.

  • DHCP and voice vlan on Cisco 3560 switch

    Greetings,
    I'm setting up a Cisco 3560 switch for voice and data comms. I'm looking for documentation with best practice guidelines for the following requirements.
    1. Using the Cisco 3560 as a DHCP server - Config examples.  Do I need to use different subnets for the voice and data vlans?
    2. Layer 2 CoS QoS  - I'm connecting Aastra phones as well as notebooks - I've been told that Aastra also makes use of the voice vlan config through LLDP and that Aastra phones supports CDP.
    Your assistance will be appreciated.

    Hi ,
    Cisco recommends that you have a separate vlan for  voice and data with different ip subnets for voice and data. You will need to configure the dhcp pool accordingly.
    Here is the config guide for setting up IOS DHCP server:
    http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/Easyip2.html
    Here is the LAN qos recommendations:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/7x/netstruc.html#wp1044009

  • QoS on 3560, 2960 and 3750 does not work (Policy-map).

    Hi
    I am tryng to configure QoS on 3 switches (2960, 3560 and 3750) with this configuration:
    mls qos
    class-map match-all QOS_DATA_CLASS
      match access-group name QOS-DATA
    class-map match-all QOS_DEFAULT_CLASS
      match access-group name QOS-DEFAULT
    class-map match-all QOS_VOICE_CLASS
      match access-group name QOS-VOICE
    class-map match-all QOS_SIGNALING_CLASS
      match access-group name QOS-SIGNALING
    policy-map QOS-SOFTPHONE-POLICY
     class QOS_DEFAULT_CLASS
       set dscp default
     class QOS_SIGNALING_CLASS
       set dscp cs2
     class QOS_DATA_CLASS
       set dscp cs1
     class QOS_VOICE_CLASS
       set dscp cs3
    interface GigabitEthernet0/34
     no switchport
     ip address 10.10.11.1 255.255.255.252
     ip ospf network point-to-point
     priority-queue out 
     service-policy input QOS-SOFTPHONE-POLICY
    interface GigabitEthernet0/47
     switchport access vlan 150
     spanning-tree portfast
     service-policy input QOS-SOFTPHONE-POLICY
    ip access-list extended QOS-DATA
     permit tcp any any eq 22
     permit tcp any any eq 465
     permit tcp any any eq 143
     permit tcp any any eq 993
     permit tcp any any eq 995
     permit tcp any any eq 1914
     permit tcp any any eq ftp
     permit tcp any any eq ftp-data
     permit tcp any any eq smtp
     permit tcp any any eq pop3
    ip access-list extended QOS-DEFAULT
     permit ip any any
    ip access-list extended QOS-SIGNALING
     permit tcp any any range 2000 2002
     permit tcp any any range 5060 5061
     permit udp any any range 5060 5061
    ip access-list extended QOS-VOICE
     permit udp any any range 16384 32767
    but when I check the show commands I see that QoS is not working.
    CoreA#sh policy-map interface g0/34   
     GigabitEthernet0/34 
      Service-policy input: QOS-SOFTPHONE-POLICY
        Class-map: QOS_DEFAULT_CLASS (match-all)
          3 packets, 198 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name QOS-DEFAULT
        Class-map: QOS_SIGNALING_CLASS (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name QOS-SIGNALING
        Class-map: QOS_DATA_CLASS (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name QOS-DATA
        Class-map: QOS_VOICE_CLASS (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name QOS-VOICE
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any 
    CoreA#sh policy-map interface g0/47 
     GigabitEthernet0/47 
      Service-policy input: QOS-SOFTPHONE-POLICY
        Class-map: QOS_DEFAULT_CLASS (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name QOS-DEFAULT
        Class-map: QOS_SIGNALING_CLASS (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name QOS-SIGNALING
        Class-map: QOS_DATA_CLASS (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name QOS-DATA
        Class-map: QOS_VOICE_CLASS (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name QOS-VOICE
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any 
    What do I do bad?
    The flow is the next:
    Computer with CIPC --------> Switch 2960 or 3560 or 3750 ------------------> switch core ---------------> CIPC
    I have wireshark in a port mirror on switch 2960, 3560 and 3750. In wireshark I always see the packets marked with default label.
    I hope you can help me.
    Regards.

    Try this config:
    policy-map QOS-SOFTPHONE-POLICY
     class QOS_VOICE_CLASS
       set dscp cs3
     class QOS_SIGNALING_CLASS
       set dscp cs2
     class QOS_DATA_CLASS
       set dscp cs1
     class class-default
       set dscp default
    BR

  • Hi all, need advice on OSPF and private vlans

    Hi all.
    I have a project to complete and need some help on the possible solution I can use.
    Basically we have ospf area 0 and the users in question are in ospf area 7 and is a stub.
    I need to route the traffic from these users out through area 0 through 3 core devices, onto an external firewall interface to be placed onto the vpn that sits on it. The firewall is not included in the ospf domain.
    My thinking was that the firewall has a default route back into the ospf domain so dont need to worry about traffic coming in, however my job is to segregate these users and take them out of our core network and place them onto an external network via this vpn.
    Not sure how to achieve this apart from static routing redistributed but surely this does not seperate their traffic only points the route to ospf?!
    I was thinking I might have to use private vlans or policy routing but when I try policy routing the policy gets ignored due to normal forwarding.
    Any help and advice would be greatly appreciated.
    Cheers
    Steve

    Steve
    Thanks, that helps.
    GRE is defintely out because apart from the 6500 GRE tunneling is not supported on the Cisco switches.
    It's good that area 7 is only for these users and not mixed up with other users.
    So if i understand correcty the 4500 interface connecting to the 6500 is in area 0 and the interface connecting to the 3550 is in area.
    Or is the 3550 connected to both areas and the 4500 totally in area 0 ?
    Can you confirm the above ?
    In terms of keeping them separate there are 2 possible choices. You can either -
    1) use VRF-LIte, although i'm not sure whether the HP switch would support this. With VRF-Lite you are in effect creating virtual devices on the same physical device. This means each virtual device has it's own routing and forwarding table so it is quite secure because you would only populate the routing table with the routes needed so there would be no way for users to jump to thes rest of your networks.
    The downside is that is can become quite complex to configure. If the 4500 is only used to connect are 7 to area 0 then that would not be a problem but the connection from the 6500 to the HP could and i don't even know whether the HP supports VRF-Lite functionality let alone how to configure it on that switch.
    But it would, at least from the 4500 to 6500 to HP provide complete separation in terms of routing and forwarding. Once it got to the HP it wouldn't but that might not be an issue.
    2) Use PBR (possibly together with acls). This is easier to configure ie. you configure PBR on the 4500 and the 6500 to get the traffic to the HP switch. But you do not get the actual separation you get with VRF-Lite ie. the traffic simply overrides the existing routing tables.
    The other thing to bear in mind with PBR is that you also have to configure the return traffic as well so each device would need multiple PBR configs.
    Again i don't know whether the HP supports PBR but it may not be an issue depending on what the routing is on the HP.
    You could also use a combination of the above ie VRF-Lite between the Cisco switches and then PBR for the last hop to the HP device.
    I should say i don't have a huge amount of experience with VRF-Lite but that should not necessarily stop you using it if it is what you need. There are lots of other people on here so i'm sure there will be other people who can help if i can't.
    It still depends on how much separation is required. VRF-Lite is definitely seen as a way to separate traffic running across a shared infrastructure, PBR is not really seen in the same way.  So it may well be worth going back to find out exactly what "segregating" user traffic means.
    I don't want to confuse the issue but it's still not entirely clear what the actual requirement is.
    Jon

  • Catalyst 2960 and SGE500 switches

    Hi,
    Can we  on the same network use Cisco Catalyst 2960 and Cisco SGE500 switches and share the same VLANs ?

    Hi,
    I didn't find VLAN support in key feautures of SGE500 but I'm sure it is there. For VLAN sharing you must configure trunk between switches. The number of VLAN must be the same (exluded some cases).
    For sharing VLAN information (VLAN count, names etc) the switches must support VTP protocol, not sure that SGE500 support it. But VTP is not necessary for trunking between switches.

  • Private Vlan and Switchport Protected

    Dear All,
    My core switch is 4500 which support Private Vlan. However, I have several closet switch (2950) which only support Switchport Protected. 4500 and each 2950 are connected with trunk using fiber.
    How can I config PC at 2950_Switch1 cannot communicate to PC at 2950_Switch2 (all fastethernet port on both 2950 are at the same vlan and same subnet)?
    Thanks.
    C.K.

    Hi C.k.,
    I believe you can use switchport protected feature along with port blocking feature to accomplish this. First have your switch ports configured as protected ports on which you dont want the traffic to flow and then configure those ports to deny unknown unicast and multicast using the " port-blocking feature ".
    Try that and let us know.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/swtrafc.htm#wp1174968
    HTH,
    -amit singh

  • Private VLAN and ASA subinterfaces

    Gents,
    I have a dmz 3750 switch and i want to introduce private VLAN on this switch. This switch is connected to cisco ASA with trunk (subinterface for each primary VLAN) because we have multiple dmz. How the configuration on both sides will be ?.
    If private VLANs can't be used with ASA subinterfaces, what  solution can be done in this scanario ?
    Thanks,

    I would think the ASA doesn't care. The Pvlans are configured on the switch. The port that the ASA is connected too will be promiscuous.
    To see how to configure it, check out this guide (a long in depth read but worth it):
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html
    Regards,
    Ian
    If I hepled please rate me.

  • Private vlan and HSRP

    Hi, guys. I have a question about Private Vlan and HSRP implement. In my network topology, there are 2 switch 6509 as core switches and Internet outlet. There are a 3750 as a distribute swtich, and 3550 as a access swtich. the topology is as below:
    | |
    7609----7609
    | |
    3750
    |
    3550
    |
    servers
    Now there are some Server will connect to 3550, and 3750 and 3550 will be treated as Layer 2 switch, that is these servers's default gateway will be on vlan interface on 7609, and I have configured HSRP between the vlan on 2 6509. My question is how to implement private vlan on 3550 with HSRP on 7609, so that these servers can have redundancy gateway, and be kept isolated between other servers.

    It looks like the 3550 do not support private VLAN.
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_tech_note09186a0080094830.shtml
    More info. on private VLAN :
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00802c30c4.html#wp1138148
    Did you configure the VLAN trunking between 7609, 3750 and 3550 ? Once we enable the VLAN trunking then the server can plug to the assigned VLAN and communicate to the 7609 via the trunk w/o interference w/ other VLAN. However, you have to enable the VLAN routing at 7609 to make it able to connect to other VLAN user if you want.
    Hope this helps.

  • Private-VLAN and EtherChannel

    Hi,
    On a Catalyst 3750, I have created a Primary and Secondary Community VLANs and have associated them.
    The Primary VLAN (100) is attached to a promiscuous port, the Secondary VLANs (101-103) aren't attached to any port.
    I would like to let the Secondary VLANs traffic pass over an EtherChannel link that is a dot1q trunk.
    The trunk is made with a virtual switch (VMware ESX) and transports non-Private VLANs (101-103). The trunk itself works.
    How can I configure the EtherChannel as a private-VLAN port, considering that the EtherChannel isn't using PAgP/LACP modes? ("group-channel 1 mode on").
    Is there a way to solve this without replacing the Private-VLANs with VLANs?
    Thanks in advance for your help!

    From "EtherChannel Configuration Guidelines"
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sed/scg/swethchl.htm#wp1021856
    Do not configure a private-VLAN port as part of an EtherChannel.

  • How to set up VLAN for DATA and VOIP on SRW248G4P switch?

    Hi guys,
    I am totally new and was given this task to complete. I  really really need help.
    We are using one network 192.168.1.0
    Shared  with data and voip.
    CISCO C870, 5 switches LINKSYS SRW248G4P .
    The  email wrote:-
    On the Linksys switch;
    - create two  different VLANs one for voice and one for data.
    - put a firewall  between the two VLANs (between voice and data) and only enable certain  ports to flow to voice network (inbound tcp 8443 and ssh )
    What  should i do guys? I really need a dumb guide now.
    I know its simple for  you guys but i am not a smart IT fella. Whats the  step by step?

    If the switch is new or you have support on this, then you might try calling the support center.  Here is a link:
    https://www.myciscocommunity.com/community/smallbizsupport
    On the right hand side you can find links to the support center.
    Here is a link to the guide:
    http://www.cisco.com/en/US/products/ps9967/prod_maintenance_guides_list.html
    @ the bottom of this link you can find your switch model, you want the larger of the two.  In this guide it shows you how to create a second vlan.
    Will your router be the firewall between the two?
    Kindest regards,
    Andrew Lissitz

  • AAA and 3560 Switch + CNA

    Hi
    Has anyone got this to work?
    CNA. (Cisco Networks Assistants) and AAA (Tacacs+) on a 3560 switch.
    I can’t get the CNA to work in this setup but it works fine on together with 3500XL and 3550 serie switch. With the same parameter.
    this is the aaa conf.
    aaa authentication login default group tacacs+ local
    aaa authentication login no_tacacs enable
    aaa authentication enable default enable group tacacs+ none
    aaa authorization exec default group tacacs+ local
    aaa authorization exec no_tacacs none
    aaa authorization commands 15 default group tacacs+ if-authenticated local
    aaa authorization commands 15 no_tacacs none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    ip http server
    ip http authentication aaa

    Hi
    No. I get the prompt for username and password.
    and hit enter. Then nothing happens. It looks like it's trying to build the network but it never get fines. I know it works without the aaa statement. But I can’t live with that.

  • Netflow on 2960 and 3560 !!

    Dear all,
    I am trying to configure netflow on cisco catalyst 2960(12.250 SE4) and 3560G(12.250 ) switches for mcafee network security manager.
    But netflow command is not supported for this mcafee device. 
    I want to know, is there any process to configure netflow on this device?
    thanks in advance.

      As far as I know those switches do not support any kind of netflow .

Maybe you are looking for