Private Vlans and trunk mode

If we have a primary VLAN 100 and, associated with it, VLAN 11 on Fa0/2 (host mode) and VLAN 12 on Fa0/3 (host mode) working as secondary community VLANs, and VLAN 13 as an isolated secondary VLAN on Fa0/4 (host mode):
How can we route between private VLANs 11, 12, 13 and VLAN 50 (Fa0/5, access mode)?
Could we use Fa0/1, which is connected to the L3 device, in promiscuous mode and trunk mode at the same time, or what?

Private VLANs are all on the same subnet, so from what you are writing I see:

    100 -----------------------
          |       |       |
         11      12      13
       Fa0/2   Fa0/3   Fa0/4

and you want to route to VLAN 50, correct?
In that case you need to trunk VLAN 100 to a VLAN interface and make sure that VLAN 50 also has a routed interface on the same device.
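A worked configuration for the scenario in this thread, added here as an example; it is not from the original posts. It assumes Catalyst 3560/3750-style IOS syntax, that the switch itself can route (Layer 3 image), and the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 as placeholder subnets; the interface numbers and VLAN IDs are the ones in the question.

```cisco
! Added example (not the poster's configuration). Catalyst 3560/3750 IOS syntax assumed.
! Private-VLAN commands are only accepted with VTP in transparent mode (or VTP off).
vtp mode transparent
!
vlan 11
 private-vlan community
vlan 12
 private-vlan community
vlan 13
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 11,12,13
vlan 50
!
! Host ports: each is tied to the primary VLAN and exactly one secondary VLAN.
interface FastEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 11
interface FastEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 12
interface FastEthernet0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 13
!
! VLAN 50 is an ordinary VLAN; its port is a plain access port.
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 50
!
! Option A: route on this switch. The SVI belongs to the primary VLAN and is mapped
! to the secondaries, so it is the gateway for every host in 11, 12 and 13.
ip routing
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 11,12,13
interface Vlan50
 ip address 198.51.100.1 255.255.255.0
!
! Option B: the gateway is an external Layer 3 device on Fa0/1. A promiscuous host
! port is not a trunk: it carries only primary VLAN 100, so VLAN 50 would need its
! own link to that device, or a platform with a promiscuous private-VLAN trunk
! (Catalyst 4500), which this syntax does not cover.
interface FastEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 11,12,13
```

Two points the reply implies but does not spell out. First, VLANs 11, 12 and 13 share the primary VLAN's subnet, so the SVI routes between them and VLAN 50 but not among themselves: a host in 13 sending to a host in 11 puts the frame on the wire as same-subnet traffic and the switch drops it. Adding `ip local-proxy-arp` under interface Vlan100 makes the gateway answer ARP on behalf of same-subnet hosts and route that traffic back in, which re-enables host-to-host reachability; if that is wanted, put an access list on the SVI so the isolation is enforced by policy rather than silently lost. Second, Option A and Option B are alternatives: do not configure Fa0/1 as promiscuous while also routing on Vlan100 unless you intend two gateways in the subnet.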

Similar Messages

  • Private VLAN Promiscuous Trunk Port - Switches which support this function

    Can anyone confirm if the "Private VLAN Promiscuous Trunk Port" feature is supported in any lower-end switches such as the Nexus 5548/5672 or 4500X? According to the feature navigator, support seems to be restricted to the Catalyst 4500 range (excluding the 4500X) as shown below. If the feature is going to be supported in the Cat 3850 this would be good to know. Thanks.

    4500X: Yes
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
    Nexus 5k: Yes
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
    3850s: They don't support PVLANs at all yet.
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
    Restrictions for VLANs
    The following are restrictions for VLANs:
    The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
    The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
    Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
    Private VLANs are not supported on the switch.
    You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.

  • Catalyst series - Private VLAN over trunk

    Hey everybody,
    I was planning to implement a Cisco Nexus 5596 in a data center as it supports private VLAN over trunk.
    But now I have been forced to use a Cisco Catalyst series switch instead of the Nexus one.
    Based on the feature that is very important for my manager (private VLAN over trunk), which Catalyst switch can replace the Nexus 5596? In other words, what Catalyst series switch works at the same scale and efficiency as the Nexus 5596 and supports the private VLAN over trunk feature?
    Cheers


  • Private vlan and HSRP

    Hi, guys. I have a question about a private VLAN and HSRP implementation. In my network topology there are 2 switch 6509s as core switches and Internet outlet. There is a 3750 as a distribution switch, and a 3550 as an access switch. The topology is as below:

        |         |
      7609 ---- 7609
        |         |
          3750
           |
          3550
           |
        servers

    Now some servers will connect to the 3550, and the 3750 and 3550 will be treated as Layer 2 switches, that is, these servers' default gateway will be on a VLAN interface on the 7609, and I have configured HSRP between the VLANs on the 2 6509s. My question is how to implement private VLAN on the 3550 with HSRP on the 7609, so that these servers can have a redundant gateway, and be kept isolated from other servers.

    It looks like the 3550 does not support private VLAN.
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_tech_note09186a0080094830.shtml
    More info on private VLAN:
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00802c30c4.html#wp1138148
    Did you configure VLAN trunking between the 7609, 3750 and 3550? Once we enable VLAN trunking, the server can plug into the assigned VLAN and communicate with the 7609 via the trunk without interference with other VLANs. However, you have to enable VLAN routing at the 7609 to make it able to connect to other VLAN users if you want.
    Hope this helps.
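The gateway side of what the question asks for, as an added example that is not from the thread: the primary-VLAN SVI on each core switch with HSRP, the way it would look if the access switch supported private VLANs (the reply notes that the 3550 does not). Catalyst 6500/7600 IOS syntax, the VLAN numbers, the addresses and the key placeholder are all assumed.

```cisco
! Added example, not the poster's configuration. Catalyst 6500/7600 IOS syntax assumed.
! The same VLAN definitions are needed on both cores and on every switch in the path,
! and the inter-core trunk must carry both the primary and the secondary VLAN.
vtp mode transparent
vlan 13
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 13
!
! Core 1: the SVI lives in the primary VLAN and is mapped to the isolated VLAN, so
! servers in VLAN 13 reach it; HSRP gives them a single virtual gateway address.
interface Vlan100
 ip address 192.0.2.2 255.255.255.0
 private-vlan mapping 13
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string <shared-secret>
!
! Core 2: same mapping and virtual address, lower priority.
interface Vlan100
 ip address 192.0.2.3 255.255.255.0
 private-vlan mapping 13
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string <shared-secret>
```

The servers use 192.0.2.1 as their gateway and never see which core is active. Note that an isolated port may still send frames toward the promiscuous side, which is where the SVIs sit, so a compromised server can inject HSRP hellos toward the cores; the MD5 authentication line (with a placeholder key) is there to stop a rogue hello from claiming the active role, and it has to match on both cores.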

  • Create 2 new VLANs and Trunk

    Hi
    I am working with a service provider to segment inbound traffic for a client. Rather than creating a separate fibre circuit, we have opted for two new VLANs and a trunk to the upstream router.
    The equipment we are working on is a Cisco Catalyst 2900XL, IOS (tm) C2900XL Software (C2900XL-H-M), Version 11.2(8)SA2, RELEASE SOFTWARE (fc1).
    Current configuration:
    version 11.2
    no service pad
    no service udp-small-servers
    no service tcp-small-servers
    hostname
    enable secret
    ip subnet-zero
    ip domain-name
    ip name-server
    interface VLAN1
    ip address
    no ip route-cache
    interface FastEthernet0/1
    speed 10
    duplex full
    spantree portfast
    interface FastEthernet0/2
    speed 100
    duplex full
    spantree portfast
    interface FastEthernet0/3
    spantree portfast
    interface FastEthernet0/4
    shutdown
    spantree portfast
    interface FastEthernet0/5
    shutdown
    spantree portfast
    interface FastEthernet0/6
    shutdown
    spantree portfast
    interface FastEthernet0/7
    shutdown
    spantree portfast
    interface FastEthernet0/8
    shutdown
    spantree portfast
    ip default-gateway
    snmp-server community private
    snmp-server community public
    line con 0
    exec-timeout 0 0
    stopbits 1
    line vty 0 4
    password
    login
    end
    I need to create VLAN 2 and VLAN 3. Traffic currently running through VLAN 1 will be segmented between these two VLANs with a trunk to an upstream router.
    The vlan database commands don't appear to be working. At this stage I only want to create the VLANs. Can anyone recommend a command reference?

    Hi Paresh!
    Good to hear from you!
    User Access Verification
    Password:
    >en
    Password:
    #sh vtp status
    ^
    % Invalid input detected at '^' marker.
    It doesn't accept the command.
    Here are the results of a show ? from enable mode:
    publicswitch#sh ?
    access-lists
    accounting
    aliases
    arp
    boot
    buffers
    cdp
    clock
    configuration
    controllers
    debugging
    file
    forward
    history
    hosts
    html
    interfaces
    ip
    line
    location
    logging
    mac-address-table
    memory
    port
    privilege
    processes
    queue
    queueing
    registry
    reload
    rhosts
    rmon
    running-config
    sessions
    snmp
    spantree
    stacks
    startup-config
    subsys
    tcp
    tech-support
    terminal
    users
    version
    Thanks

  • Private-VLAN and EtherChannel

    Hi,
    On a Catalyst 3750, I have created a Primary and Secondary Community VLANs and have associated them.
    The Primary VLAN (100) is attached to a promiscuous port, the Secondary VLANs (101-103) aren't attached to any port.
    I would like to let the Secondary VLANs traffic pass over an EtherChannel link that is a dot1q trunk.
    The trunk is made with a virtual switch (VMware ESX) and transports non-Private VLANs (101-103). The trunk itself works.
    How can I configure the EtherChannel as a private-VLAN port, considering that the EtherChannel isn't using PAgP/LACP modes? ("group-channel 1 mode on").
    Is there a way to solve this without replacing the Private-VLANs with VLANs?
    Thanks in advance for your help!

    From "EtherChannel Configuration Guidelines"
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sed/scg/swethchl.htm#wp1021856
    Do not configure a private-VLAN port as part of an EtherChannel.

  • Private Vlan and Switchport Protected

    Dear All,
    My core switch is a 4500 which supports private VLANs. However, I have several closet switches (2950) which only support switchport protected. The 4500 and each 2950 are connected with a trunk using fibre.
    How can I configure it so that a PC on 2950_Switch1 cannot communicate with a PC on 2950_Switch2 (all FastEthernet ports on both 2950s are in the same VLAN and same subnet)?
    Thanks.
    C.K.

    Hi C.k.,
    I believe you can use the switchport protected feature along with the port blocking feature to accomplish this. First have your switch ports configured as protected ports on which you don't want the traffic to flow, and then configure those ports to deny unknown unicast and multicast using the "port-blocking feature".
    Try that and let us know.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/swtrafc.htm#wp1174968
    HTH,
    -amit singh

  • Private VLAN and ASA subinterfaces

    Gents,
    I have a DMZ 3750 switch and I want to introduce private VLANs on this switch. This switch is connected to a Cisco ASA with a trunk (a subinterface for each primary VLAN) because we have multiple DMZs. How will the configuration on both sides be?
    If private VLANs can't be used with ASA subinterfaces, what solution can be done in this scenario?
    Thanks,

    I would think the ASA doesn't care. The PVLANs are configured on the switch. The port that the ASA is connected to will be promiscuous.
    To see how to configure it, check out this guide (a long in depth read but worth it):
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html
    Regards,
    Ian
    If I helped please rate me.

  • Private vlans and 2960 and 3560 switch

    Hi, I have a 3560 switch that supports private VLANs. There are a few computers connected to it and private VLANs work fine. Now I need to connect a 2960 switch to the 3560 switch. The 2960 seems to have no private VLAN configuration options, but it can be private VLAN edge? What is private VLAN edge? If I put the computers on the 2960 into a VLAN that is an isolated VLAN on the 3560, will the computers be able to communicate among themselves at layer 2 on the 2960 switch?

    Example: I have network 10.0.0.0/24. The network's primary VLAN is 2001, isolated is 2002 and community is 2003. These settings are on the 3560. So if I put computers on the 2960 switch into VLAN 2002 and make the ports protected ports, will they act as isolated ports and be unable to communicate with ports that are in isolated VLAN 2002 on the 3560?
    Can I also use the community VLAN on the 2960? Is this possible, because VLANs 2002 and 2003 would be on the same network?

  • Native Vlan and Trunking

    Hi Folks,
    I have a doubt about the native VLAN on trunk ports.
    In a topology of 3 switches, switch A is connected to switch B and switch C on uplinks. Can I configure different native VLANs for the 2 different trunks on switch A?
    I have 3 VLANs configured in switch A with VTP domain transparent (VLANs 1, 500 and 900 configured). The same configuration is there on B and C too.
    So can we use 999 as the native VLAN for the trunk between A and B and native VLAN 1 for the trunk configured between A and C?

    Yes, possible, if there are specific reasons. Already discussed several times on this forum. Please refer to this link:
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe4e88

  • Vlans and trunks etc

    Can someone please tell me the main reason for having a vlan and server/clients setup, why do we need this setup, Please give simple explanation.
    thanks
    Carl

    The main reasons to break networks down into VLANs are security and minimising broadcasts. By security I mean the ability to block or restrict access between networks with the use of ACLs, firewalls etc. The general rule of thumb when deploying networks is /23 subnets (500 or so hosts) for IP-only networks and /24 subnets (250 hosts) when using multiprotocol. This way you reduce the broadcast domain and so can contain the amount of broadcasts within each VLAN.
    The general practice now is also to deploy 2 unique VLANs per access switch (1 voice and 1 data). This prevents the need to span VLANs across multiple access layer switches and minimises the STP sizes and subsequently any STP issues from spanning network-wide. Designing your network this way also makes troubleshooting and understanding issues easier, as you generally have very strict data paths between hosts; no trying to overlay your STP network over your Layer 3 network to see the logical and physical paths.
    I would also disagree with the previous post regarding VTP. Yes, it does simplify the creation of VLANs in a large Layer 2 campus environment, but the Layer 2 environment is what we are trying to move away from. Using VTP transparent or disabling VTP promotes better practice amongst your IT staff and prevents any VTP mishaps, which are always network-wide.
    HTH
    Andy

  • Native VLAN and Trunks on Bridges

    I have a need for different native VLANs on the radio side and the Ethernet side. Can this be done on the non-root 1410 bridge?
    The radio native VLAN is to support management of the 1410 bridges. I also need to attach a single device from another VLAN on the non-root bridge, and I do not want to have to put in a switch just to break out that needed VLAN.

    The bridge supports only one SSID. You should assign the SSID to the native VLAN
    1.Create subinterfaces on the radio and Ethernet interfaces.
    2. Enable 802.1q encapsulation on the subinterfaces and assign one subinterface as the native VLAN.
    3. Assign a bridge group to each VLAN.
    4. (Optional) Enable WEP on the native VLAN.
    5. Assign the bridge's SSID to the native VLAN.
    To assign an SSID to a VLAN and how to enable a VLAN on the bridge radio and Ethernet ports
    For further information click this link.
    http://www.cisco.com/en/US/docs/wireless/bridge/1400/12.3_8_JA/configuration/guide/p38vlan.html

  • VLANs and Trunking

    Okay, I know this is not strictly a Cisco question as the switches in question are HP ProCurve 2524s, but hopefully I'll be granted a pardon for that. I'm trying to create a network with two VLANs which don't speak to each other but can each access the internet on their own through a Cisco 1721 router. I know I need to set up two different VLANs on the network and that I'll set up access lists and subinterfaces on the one Fast Ethernet interface on the router. But here's the real question: the network I need to keep separate is all on switch 3. So obviously, I put every port on that switch in VLAN 2. Now, switch 3 goes to port 0/24 on switch 2. So I put interface 0/24 on switch 2 into VLAN 2 as well, and make switch 2's uplink, port 0/25, a trunking port. Here's the problem though: switch 2 is connected to switch 1, which is connected to the router. Obviously I can't make that incoming port on switch 1 part of VLAN 2, since some traffic from VLAN 1 will be coming through it! Do I simply set up switch 1's uplink port to do trunking and leave it at that, or is there some sort of strangeness I need to do in order to get switch 1 to pass along traffic from both VLAN 1 and VLAN 2 to the router?

    I think you've got the right idea there. Configure the interface between the router and switch1 as a trunk interface. Then, create ethernet sub-interfaces on the 1721 for both of the VLANs. If you don't want inter-vlan traffic between the VLANs, create appropriate ACLs on these two sub-interfaces.
    That should do it.
    Hope that helps - pls rate the post if it does.
    Paresh
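The router side of that arrangement as a worked example, added here and not taken from the thread. It assumes the 1721's Ethernet port is FastEthernet0, that VLAN 1 arrives untagged (native) on the trunk from switch 1, and placeholder subnets 192.0.2.0/24 (VLAN 1), 198.51.100.0/24 (VLAN 2) and a made-up upstream next hop.

```cisco
! Added example, not the poster's configuration. Cisco 1721 IOS syntax assumed;
! all addresses are placeholders.
interface FastEthernet0
 no ip address
 no shutdown
!
! One 802.1Q subinterface per VLAN; VLAN 1 arrives untagged, so it is the native VLAN.
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 ip address 192.0.2.1 255.255.255.0
 ip access-group VLAN1-IN in
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address 198.51.100.1 255.255.255.0
 ip access-group VLAN2-IN in
!
! Inbound filter on each subinterface: drop anything addressed to the other VLAN,
! then allow only the VLAN's own prefix outward. Everything else, including packets
! whose source is spoofed from the other subnet, falls to the implicit deny.
ip access-list extended VLAN1-IN
 deny   ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
 permit ip 192.0.2.0 0.0.0.255 any
ip access-list extended VLAN2-IN
 deny   ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
 permit ip 198.51.100.0 0.0.0.255 any
!
! Default route toward the provider (placeholder next hop on the WAN side).
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

The router is the only path between the two VLANs, so this is the one place the separation needs to be enforced; the switches only have to carry both VLANs on the trunk from switch 1 to the router. The deny lines also cover the other subinterface's own address (198.51.100.1 is inside the denied range), so VLAN 1 hosts cannot even ping the VLAN 2 gateway. If switch 1 tags VLAN 1 on that trunk instead of leaving it untagged, drop the `native` keyword.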

  • Private Vlan, Etherchannel and Isolated Trunk on Nexus 5010

    I'm not sure if I'm missing something basic here; however, I thought that I'd ask the question. I received a request from a client who is trying to separate traffic out of an IBM P780: one set of VIO servers/clients (Prod) is tagged with VLAN x going out LAG 1 and another set of VIO servers/clients (Test) is tagged with VLANs y and z going out LAG 2. The problem is that the management subnet for these devices is on one subnet.
    The infrastructure is: the host device is trunked via LACP EtherChannel to a Nexus 2148TP (5010) which then connects to the distribution layer, a Catalyst 6504 VSS. I have tried many things today; however, I feel that the correct solution to get this working is to use an isolated trunk (as the host device does not have private VLAN functionality) even though there is no requirement for hosts to be segregated. I have configured:
    1. Private VLAN mapping on the SVI;
    2. Primary VLAN and association, and isolated VLAN on the distribution (6504 VSS) and access layer (5010/2148);
    3. All VLANs trunked between switches;
    4. Private VLAN isolated trunk and host mappings on the port-channel interface to the host (P780).
    I haven't had any luck. What I am seeing is that as soon as I configure the primary VLAN on the Nexus 5010 (v5.2) (vlan y | private-vlan primary), this VLAN (y) does not forward on any trunk on the Nexus 5010 switch, even without any other private VLAN configuration. I believe this may be the cause of most of the issues I am having. Has anyone else experienced this behaviour? Also, I haven't had a lot of experience with private VLANs, so I might be missing some fundamentals with this configuration. Any help would be appreciated.

    Hello Emcmanamy, Bruce,
    Thanks for your feedback.
    Just like you, I have been facing the same problem in the last months with my customer.
    Regarding PVLAN on FEX, and as concluded in Bruce's previous posts, I understand:
    You can configure a host interface as an isolated or community access port only.
    We can configure an "isolated trunk port" as well on a host interface. Maybe this specific point could be updated in the documentation.
    This ability is documented here =>
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_1170903
    You cannot configure a host interface as a promiscuous port.
    You cannot configure a host interface as a private VLAN trunk port.
    Indeed a PVLAN is not allowed on a trunk defined on a FEX host interface.
    However, since NX-OS 5.1(3)N2(1), the feature 'PVLAN on FEX trunk' is supported. But a command has to be activated first => system private-vlan fex trunk. When entered, a warning about the presence of 'FEX isolated trunks' is prompted.
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_16C0869F1B0C4A68AFC3452721909705
    All these conditions are not met on an N5K interface.
    Best regards.
    Karim

  • Configure Private VLAN on 3750 & 2960

    Hi All,
    ( R ) ------ [ 3750 ] ------- [ 2960 A ]
                    |
                    |----------- [ 2960 B ]
    I had these VLAN on the 3750 & 2960:
    - Vlan 8 (mgnt Vlan), Vlan 17, Vlan 34, Vlan 35
    Basically I had already configured switchport protected on all the ports on the 2960 except the uplink to the 3750.
    2960 Configure
    On uplink to 3750
     switchport mode trunk
    On end device port 
     switchport trunk native vlan 35
     switchport trunk allowed vlan 34,35
     switchport mode trunk
     switchport protected
     spanning-tree portfast
    How do I go about configure private VLAN on the 3750? 
    3750 Configure
    On downlink to 2960
     switchport mode trunk
    Interface vlan8
     ip address 10.8.0.1 255.255.255.0
    Interface vlan17
     ip address 10.17.0.1 255.255.255.0
    Interface vlan34
     ip address 10.34.0.1 255.255.255.0
    Interface vlan35
     ip address 10.35.0.1 255.255.255.0
    What I want to achieve is to send all the VLAN 8, 17, 34, 35 from 2960 to 3750 and 3750 to 2960. But at the same time prevent 2960 A client from talking to 2960 B client on VLAN 35? 

    I believe that if both devices you want not to speak with each other are on the 2960, "switchport protected" should work.
    But you can configure with private vlan.
    let's say client A is in port f0/1 and client B in port f0/2
    Parent (main) VLAN is 100 and child is 999
    You would configure the VLANs in ALL switches.
    vlan 999
    private-vlan isolated
    vlan 100
    private-vlan primary
    private-vlan association 999
    Now you would need to configure the ports.
    int range f0/1 - 2
    switchport mode private-vlan host
    switchport private-vlan host-association 100 999
    If the interfaces will talk to other VLANs, you need to configure the SVI to understand it will serve the private VLANs.
    interface vlan 100
    private-vlan mapping 999
    That's it, but notice that now interface f0/1 will not talk to f0/2 and to any other interface inside vlan 100, if you want a port to communicate to f0/1 or f0/2 this new port would need to be configured as a promiscuous one (In case it needs to talk to both of them) or create a community private-vlan and configure the ports desired on it. (F0/1 and F0/2 can't be on the same community VLAN or they'll be able to talk to each other).
    If the intention is to prevent one specific port from talking to all the others, you can put only this interface in the private VLAN instead of both.
    wrote too much, if this answers your question let me know, or we can create a practical scenario for it.
