Private VLANs - is this configuration right?

Hi
I have a 4500 with a VLAN (10) on it in which none of the clients should talk to each other. I am going to configure this as an isolated VLAN. This VLAN is propagated to a 6500 that has the IP address of this VLAN. From what I have read, I need to create a primary VLAN (99) and then create the client VLAN (10) as an isolated VLAN within this (99).
Is this correct?
If anyone has a good doc on PVLANs, please let me know! The docs on Cisco seem to be lacking.
Cheers

Here is an example. VLAN 83 is the promiscuous VLAN; I left in a port on VLAN 230 that has a host on it.
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 83,100-101,210,230,248-250 priority 24576
vlan internal allocation policy ascending
!
vlan 83
 name DMZ_VLAN
 private-vlan primary
 private-vlan association 100-101,210,230,248
!
vlan 100
 name hinfwe-vlan
 private-vlan community
!
vlan 101
 name hinneo-vlan
 private-vlan community
!
vlan 210
 name IPASS
 private-vlan community
!
vlan 230
 name DNS-GSS
 private-vlan community
!
vlan 248
 name ADP-Internal
 private-vlan community
!
interface GigabitEthernet1/0/1
 description GSS-01 83.200
 switchport private-vlan host-association 83 230
 switchport mode private-vlan host
 no logging event link-status
 speed 100
 duplex full
 no snmp trap link-status
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet1/0/24
 description Firewall_Uplink
 switchport access vlan 83
 switchport private-vlan mapping 83 100-101,210,230,248-250
 switchport mode private-vlan promiscuous
 speed 1000
 duplex full
 spanning-tree portfast
 spanning-tree guard root
HTH
Chris

Similar Messages

  • Private VLAN and ASA subinterfaces

    Gents,
    I have a DMZ 3750 switch and I want to introduce private VLANs on this switch. This switch is connected to a Cisco ASA with a trunk (a subinterface for each primary VLAN) because we have multiple DMZs. How will the configuration on both sides be?
    If private VLANs can't be used with ASA subinterfaces, what solution can be used in this scenario?
    Thanks,

    I would think the ASA doesn't care. The PVLANs are configured on the switch. The port that the ASA is connected to will be promiscuous.
    To see how to configure it, check out this guide (a long in depth read but worth it):
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html
    Regards,
    Ian
    If I helped, please rate me.

  • SUP WS-X45-SUP6-E & private-vlan community

    All,
    I tried to upgrade a Cisco 6500 from Sup-2 to Sup-6 running IOS cat4500e-entservicesk9-mz.122-40.SG.bin.
    After the upgrade everything came back up normal, no problem with hardware.
    Except with private VLAN community.
    After this upgrade I cannot configure "Private VLAN community" on this switch.
    AUNN00RS_XXXXX(config-vlan)#private-vlan community
    % Invalid input detected at '^' marker.
    AUNN00RS_MGMT1(config-vlan)#private-vlan     ?    
      association  Configure association between private VLANs
      isolated     Configure the VLAN as an isolated private VLAN
      primary      Configure the VLAN as a primary private VLAN
    It works absolutely fine with Sup-2 running same IOS.
    AUAN00RS_XXX(config-vlan)#private-vlan ?
      association  Configure association between private VLANs
      community    Configure the VLAN as a community private VLAN
      isolated     Configure the VLAN as an isolated private VLAN
      primary      Configure the VLAN as a primary private VLAN
    Regards
    Sachin

    I just checked the command reference:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/40sg/command/reference/cmdref.html
    And it should be there... I couldn't find any related bugs.
    Do you have the option of upgrading the IOS? The latest is 12.2(53) SG3
    Regards,
    Ian

  • Private Vlan, Etherchannel and Isolated Trunk on Nexus 5010

    I'm not sure if I'm missing something basic here, however I thought that I'd ask the question. I received a request from a client who is trying to separate traffic out of an IBM P780: one set of VIO servers/clients (Prod) is tagged with vlan x going out LAG 1 and another set of VIO servers/clients (Test) is tagged with vlans y and z going out LAG 2. The problem is that the management subnet for these devices is on one subnet.
    The infrastructure is: the host device is trunked via LACP etherchannel to a Nexus 2148TP (5010), which then connects to the distribution layer, a Catalyst 6504 VSS. I have tried many things today; however, I feel that the correct solution to get this working is to use an isolated trunk (as the host device does not have private VLAN functionality), even though there is no requirement for hosts to be segregated. I have configured:
    1. Private vlan mapping on the SVI;
    2. Primary vlan and association, and isolated vlan on Distribution (6504 VSS) and Access Layer (5010/2148);
    3. All VLANs are trunked between switches;
    4. Private vlan isolated trunk and host mappings on the port-channel interface to the host (P780).
    I haven't had any luck. What I am seeing is that as soon as I configure the primary vlan on the Nexus 5010 (v5.2) (vlan y | private-vlan primary), this vlan (y) does not forward on any trunk on the Nexus 5010 switch, even without any other private vlan configuration. I believe this may be the cause of most of the issues I am having. Has anyone else experienced this behaviour? Also, I haven't had a lot of experience with private VLANs, so I might be missing some fundamentals with this configuration. Any help would be appreciated.

    Hello Emcmanamy, Bruce,
    Thanks for your feedback.
    Just like you, I have been facing the same problem in the last months with my customer.
    Regarding PVLAN on FEX, and as concluded in Bruce's previous posts, I understand:
    You can configure a host interface as an isolated or community access port only.
    We can configure an "isolated trunk port" as well on a host interface. Maybe this specific point could be updated in the documentation.
    This ability is documented here:
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_1170903
    You cannot configure a host interface as a promiscuous port.
    You cannot configure a host interface as a private VLAN trunk port.
    Indeed a PVLAN is not allowed on a trunk defined on a FEX host interface.
    However, since NX-OS 5.1(3)N2(1) the feature 'PVLAN on FEX trunk' is supported, but a command has to be activated first: system private-vlan fex trunk. When it is entered, a warning about the presence of 'FEX isolated trunks' is displayed.
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_16C0869F1B0C4A68AFC3452721909705
    None of these conditions apply to an N5K interface.
    Best regards.
    Karim

  • Catalyst 3550 Private-VLAN

    Hi,
    I was about to purchase a 3560 for my home lab to do private VLANs because I read that 3550s do not support PVLANs. To my surprise I can see the commands to do a private-vlan configuration on my 3550:
    (config-vlan)#private-vlan ?
      association       Configure association between private VLANs
      community         Configure the VLAN as a community private VLAN
      isolated          Configure the VLAN as an isolated private VLAN
      primary           Configure the VLAN as a primary private VLAN
      twoway-community  Configure the VLAN as a two way community private VLAN
    Can anyone tell me why everyone says they're not supported though the commands are available?
    Thanks in advance
    Bart

    Hi Bart,
    The IOS is obviously compiled from a common code base that is shared also for Catalyst 3560 and similar platforms. That is why you see the commands actually present. However, if you try to define a Private VLAN (either primary or secondary) and exit the VLAN configuration mode, you will get a platform error message, indicating the switch hardware could not be programmed for the Private VLAN operation.
    Private VLANs require hardware support, and if the underlying platform has no hardware provisions for supporting Private VLANs, they will not be available even if the switch IOS itself has the management features built in, as is the case for you. True, the Private VLAN management commands should not have been enabled in the IOS for your platform, but it's just the way it is...
    Best regards,
    Peter

  • Configure Private VLAN on 3750 & 2960

    Hi All,
    ( R ) ------ [ 3750 ] ------- [ 2960 A ]
                            |------------ [ 2960 B ]
    I have these VLANs on the 3750 & 2960:
    - Vlan 8 (mgmt Vlan), Vlan 17, Vlan 34, Vlan 35
    Basically I have already configured switchport protected on all the ports on the 2960 except the uplink to the 3750.
    2960 configuration
    On uplink to 3750:
     switchport mode trunk
    On end device ports:
     switchport trunk native vlan 35
     switchport trunk allowed vlan 34,35
     switchport mode trunk
     switchport protected
     spanning-tree portfast
    How do I go about configuring private VLAN on the 3750?
    3750 configuration
    On downlink to 2960:
     switchport mode trunk
    interface vlan8
     ip address 10.8.0.1 255.255.255.0
    interface vlan17
     ip address 10.17.0.1 255.255.255.0
    interface vlan34
     ip address 10.34.0.1 255.255.255.0
    interface vlan35
     ip address 10.35.0.1 255.255.255.0
    What I want to achieve is to send all of VLANs 8, 17, 34, 35 from the 2960 to the 3750 and from the 3750 to the 2960, but at the same time prevent 2960 A clients from talking to 2960 B clients on VLAN 35.

    I believe that if both devices you want not to speak with each other are on the 2960, "switchport protected" should work.
    But you can configure it with private VLANs.
    Let's say client A is in port f0/1 and client B in port f0/2.
    Parent (main) VLAN is 100 and child is 999.
    You would configure the VLANs in ALL switches:
    vlan 999
     private-vlan isolated
    vlan 100
     private-vlan primary
     private-vlan association 999
    Now you would need to configure the ports:
    int range f0/1 - 2
     switchport mode private-vlan host
     switchport private-vlan host-association 100 999
    If the interfaces will talk to other VLANs, you need to configure the SVI to understand it will serve the private VLANs:
    interface vlan 100
     private-vlan mapping 999
    That's it, but notice that now interface f0/1 will not talk to f0/2 or to any other interface inside vlan 100. If you want a port to communicate with f0/1 or f0/2, this new port would need to be configured as a promiscuous one (in case it needs to talk to both of them), or create a community private VLAN and configure the desired ports in it (f0/1 and f0/2 can't be on the same community VLAN or they'll be able to talk to each other).
    If the intention is to prevent one specific port from talking to all the others, you can put only this interface in the private VLAN instead of both.
    I wrote too much; if this answers your question let me know, or we can create a practical scenario for it.
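Added example, not code from either post: a small Python checker for private-VLAN configuration of the kind shown in Chris's example at the top of the page and in the isolated-VLAN design in this 3750 answer. It parses the vlan and interface stanzas, flags secondary VLANs that a port uses without an association to its primary, and derives which ports may exchange frames under the community/isolated/promiscuous rules the answer describes. The embedded sample config is constructed: Chris's DMZ stanzas abridged to one community VLAN, plus the isolated design renumbered to primary 500 / isolated 999 on assumed ports GigabitEthernet1/0/2 to 1/0/4.

```python
"""Added example (not from the thread): a checker for Cisco IOS private-VLAN
configs. It parses vlan/interface stanzas like those quoted in the posts, flags
secondary VLANs a port uses without an association to its primary, and derives
which ports may exchange frames: promiscuous <-> its mapped secondaries,
community <-> same community, isolated <-> promiscuous ports only."""
import re

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '100-101,210' into {100, 101, 210}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_pvlan_config(text):
    """Return (vlans, ports): vlan id -> {type, assoc}; port -> {mode, primary, secondaries}."""
    vlans, ports, cur = {}, {}, None  # cur is the stanza dict being filled
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            cur = vlans.setdefault(int(m[1]), {"type": None, "assoc": set()})
        elif m := re.fullmatch(r"interface (\S+)", line):
            cur = ports[m[1]] = {"mode": None, "primary": None, "secondaries": set()}
        elif cur is None:
            continue  # global commands before the first stanza
        elif m := re.fullmatch(r"private-vlan (primary|isolated|community)", line):
            cur["type"] = m[1]
        elif m := re.fullmatch(r"private-vlan association (\S+)", line):
            cur["assoc"] |= expand_vlan_list(m[1])
        elif m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line):
            cur["mode"] = m[1]
        elif m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line):
            cur["primary"], cur["secondaries"] = int(m[1]), {int(m[2])}
        elif m := re.fullmatch(r"switchport private-vlan mapping (\d+) (\S+)", line):
            cur["primary"], cur["secondaries"] = int(m[1]), expand_vlan_list(m[2])
    return vlans, ports

def lint(vlans, ports):
    """Flag ports whose primary is not declared as such or whose secondaries lack an association."""
    findings = []
    for name, p in ((n, q) for n, q in sorted(ports.items()) if q["mode"]):  # PVLAN ports only
        prim = vlans.get(p["primary"], {"type": None, "assoc": set()})
        if prim["type"] != "primary":
            findings.append(f"{name}: vlan {p['primary']} is not a declared primary")
        for sec in sorted(p["secondaries"] - prim["assoc"]):
            findings.append(f"{name}: vlan {sec} is not associated with primary {p['primary']}")
    return findings

def can_talk(vlans, ports, a, b):
    """True if ports a and b may exchange frames under private-VLAN rules."""
    pa, pb = ports[a], ports[b]
    if None in (pa["mode"], pb["mode"]) or pa["primary"] != pb["primary"]:
        return False
    if "promiscuous" in (pa["mode"], pb["mode"]):  # promiscuous reaches every mapped secondary
        prom, other = (pa, pb) if pa["mode"] == "promiscuous" else (pb, pa)
        return other["mode"] == "promiscuous" or other["secondaries"] <= prom["secondaries"]
    (sa,), (sb,) = pa["secondaries"], pb["secondaries"]  # two host ports
    return sa == sb and vlans.get(sa, {}).get("type") == "community"

# Constructed sample: Chris's DMZ config abridged to one community stanza, plus the
# isolated design renumbered to primary 500 / isolated 999; ports 1/0/2-1/0/4 are assumed.
SAMPLE_CONFIG = """
vlan 83
 private-vlan primary
 private-vlan association 100-101,210,230,248
vlan 230
 private-vlan community
vlan 500
 private-vlan primary
 private-vlan association 999
vlan 999
 private-vlan isolated
interface GigabitEthernet1/0/1
 switchport private-vlan host-association 83 230
 switchport mode private-vlan host
interface GigabitEthernet1/0/2
 switchport private-vlan host-association 83 230
 switchport mode private-vlan host
interface GigabitEthernet1/0/3
 switchport private-vlan host-association 500 999
 switchport mode private-vlan host
interface GigabitEthernet1/0/4
 switchport private-vlan host-association 500 999
 switchport mode private-vlan host
interface GigabitEthernet1/0/24
 switchport private-vlan mapping 83 100-101,210,230,248-250
 switchport mode private-vlan promiscuous
"""

if __name__ == "__main__":
    VL, PT = parse_pvlan_config(SAMPLE_CONFIG)
    print(lint(VL, PT), can_talk(VL, PT, "GigabitEthernet1/0/3", "GigabitEthernet1/0/4"))
```

Run against the sample, the checker reports that VLANs 249 and 250 are mapped on the promiscuous port but never associated with primary 83, a mismatch that is also present in the config quoted at the top of the page.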

  • Private VLAN Promiscuous Trunk Port - Switches which support this function

    Can anyone confirm if the "Private VLAN Promiscuous Trunk Port" feature is supported in any lower-end switches such as the Nexus 5548/5672 or 4500X? According to the feature navigator, support seems to be restricted to the Catalyst 4500 range (excluding the 4500X) as shown below. If the feature is going to be supported in the Cat 3850 this would be good to know. Thanks.

    4500x Yes
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
    Nexus 5k Yes
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
    3850s
    They don't support PVLANs at all yet.
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
    Restrictions for VLANs
    The following are restrictions for VLANs:
    The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
    The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
    Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has a MAC address assigned by default.
    Private VLANs are not supported on the switch.
    You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.

  • Hi, I am from Spain and I am new on Macworld. Recently I have bought a MacBook Pro; the keyboard is not configured correctly: when I have to write @ I have to press g instead of the @ key. How can I solve this problem? Thanks in advance.

    Hi ,
    I am from Spain and I am new in MacWorld. Recently I have bought a MacBook Pro, but the keyboard is not configured correctly: when I want to write @ I have to press g instead of the @ key, or for the question symbol ? I have to press the :: key. Please, how can I solve this problem? Thanks in advance.
    BR,
    Xavier

    xavier85 wrote:
    I am new in MacWorld
    Sorry to disappoint you, but this isn't MacWorld.
    when I want to write @ I have to press g instead of the @ key
    Are you sure you don't have to press ⌥-G (Option-G) to get @?
    Anyway, sounds like a keyboard/keyboard layout mismatch.
    Go to System Preferences > Language & Text > Input Sources. From "Select input methods to use" enable (check) the following
    Keyboard & Character Viewer
    U.S.
    Spanish
    Spanish - ISO
    Also enable "Show Input menu in menu bar".
    The Input menu should appear to the right of your menu bar, with the icon of a national flag. From this menu, choose "Show Keyboard Viewer". Then compare the layout displayed by Keyboard Viewer with the label on your MBP's keyboard. If it doesn't match, choose a different layout from the Input menu.
    My suspicion is that you're using a US keyboard with a Spanish keyboard layout, hence the difference you noted.

  • Heads Up: Private VLAN Sticky-ARP DHCP Issues

    Here is the scenario:
    Private VLANs are configured on a 6500 Sup720 with SVIs routing for the PVLANs.
    DHCP Snooping and IP ARP Inspection are also configured for the PVLAN subnets.
    A DHCP Server is offering 3 day leases.
    A laptop connects to the network and receives a 3-day lease. The user leaves the office and returns 4 days later. The DHCP server offers a new lease with a different IP address. Furthermore, the previous IP address leased to the laptop has been handed out in a new lease to another host. Both systems receive their DHCP lease but have no network connectivity.
    The problem occurs because, by default, PVLAN SVIs use Sticky-ARP and never age out their ARP cache. Since the laptop has a different IP address to MAC address mapping than recorded in the Sticky-ARP cache, a violation occurs and the switch prevents the new IP address from populating the ARP table on the switch.
    Sticky-ARP is a security feature that prevents one system from stealing another system's IP address.
    Log messages show the following:
    %IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry
    The 6500 PVLAN configuration guide's Restrictions and Guidelines section suggests that Sticky-ARP is fundamental to Private VLANs, and that the only workaround for this problem is to create manual ARP entries for the new IP address. This is clearly not a viable workaround for this scenario.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm#wp1090979
    However, the 6500 Command Reference shows that Sticky ARP can be disabled, but makes no reference to PVLANs
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/i1.htm#wp1091738
    There appears to be two sensible solutions to this problem:
    1) Disable Sticky-ARP on the 6500 for the PVLANs. Since DHCP Snooping and IP ARP Inspection are configured, Sticky-ARP can be disabled without relaxing network security. This assumes the 6500 will accept the command and will not break the existing PVLAN functionality.
    2) Extend the DHCP lease, to 45 or 90 days perhaps. This will catch most transient activity and keep the IP address to MAC address relationships the same wherever possible. The downside here is that DHCP address pools could collect stale entries that would take the lease time to flush, thus reducing the overall available IPs in the pool.
    Has anyone else run into this problem? If so, what was your solution? Did you attempt either option above? I am planning on using solution #1 above, but I wanted to ping the NetPro community with this as I am sure we are not the first customer to run into this. Or are we??
    Regards,
    Brad

    Excellent question.
    Sticky-ARP is NOT intended to be a pain in the butt that should be disabled right away; rather, it is a security mechanism that prevents a system from stealing an active IP address on the subnet and causing a lot of problems. Sticky-ARP works best on subnets that have all static IP addressing, where there is no expectation that a host would frequently change its IP address.
    Yes, I would recommend keeping Sticky-ARP on subnets with all static IP addresses.
    In DHCP subnets with no static IP addressing, DHCP Snooping and IP ARP Inspection provide the same security coverage that Sticky-ARP does: they prevent a system from claiming an illegitimate IP and MAC address. Furthermore, in DHCP subnets, it is reasonable to expect that a host would change its IP address from time to time when its lease expires.
    Sticky-ARP does not provide any additional security benefits when DHCP Snooping and IP ARP Inspection are active, and it only causes problems when a lease expires.
    When Cisco made Sticky-ARP the default behavior for Private VLANs, they certainly did not have DHCP in mind.
    In summary, it should be known as a best practice that when using Private VLANs on user segments with DHCP, DHCP Snooping and IP ARP Inspection should be enabled and Sticky-ARP disabled.
    Brad
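Added example, not from Brad's posts: Python triage of the Sticky-ARP overwrite messages he quotes against the DHCP snooping binding table, so that the lease-churn case described above can be told apart from a genuine IP-to-MAC conflict that still deserves attention. Only the %IP-3-STCKYARPOVR prefix comes from the post; the field layout assumed after it, the binding-table columns and all sample lines are constructed for this example.

```python
"""Added example (not from the thread): triage of Sticky-ARP overwrite events
on a PVLAN SVI. Each %IP-3-STCKYARPOVR message is compared with the DHCP
snooping binding table: when snooping confirms that the new MAC legitimately
holds the lease, the event is the lease-churn case Brad describes; otherwise it
is a real IP-to-MAC conflict. The message fields after the prefix, the binding
table columns and all sample lines below are constructed assumptions."""
import re
from collections import Counter

# Assumed field layout after the real prefix; adjust to your platform's output.
STICKY_RE = re.compile(
    r"%IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), hw: (?P<old>[0-9A-Fa-f.:]+) by hw: (?P<new>[0-9A-Fa-f.:]+)"
)
# Assumed binding row: <mac> <ip> <lease> dhcp-snooping <vlan> <interface>
BINDING_RE = re.compile(
    r"(?P<mac>[0-9A-Fa-f.:]+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+dhcp-snooping"
)


def norm_mac(mac):
    """Canonicalise 0011.2233.4455 and 00:11:22:33:44:55 to '001122334455'."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_sticky_events(log_text):
    """Return (ip, old_mac, new_mac) tuples for each Sticky-ARP overwrite message."""
    return [(m["ip"], norm_mac(m["old"]), norm_mac(m["new"]))
            for m in map(STICKY_RE.search, log_text.splitlines()) if m]


def parse_snooping_bindings(text):
    """Return {ip: mac} from 'show ip dhcp snooping binding' style rows."""
    return {m["ip"]: norm_mac(m["mac"])
            for m in map(BINDING_RE.search, text.splitlines()) if m}


def triage(events, bindings):
    """Label each overwrite attempt by whether DHCP snooping vouches for the new MAC."""
    verdicts = []
    for ip, old, new in events:
        bound = bindings.get(ip)
        if bound == new:
            verdict = "lease-churn"  # DHCP reassigned the IP; the sticky entry is merely stale
        elif bound is None:
            verdict = "no-binding"   # the new MAC never obtained a lease for this IP
        else:
            verdict = "conflict"     # snooping says another MAC holds the lease
        verdicts.append((ip, old, new, verdict))
    return verdicts


# Constructed sample data: a laptop (0011.2233.4455) returns after its lease
# lapsed, its old address went to another host, and two other events.
SAMPLE_LOG = """
Jan 10 08:01:12: %IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry: 10.10.10.5, hw: 0011.2233.4455 by hw: 66aa.bbcc.dd01
Jan 10 08:01:15: %IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry: 10.10.10.6, hw: aaaa.bbbb.cccc by hw: 0011.2233.4455
Jan 10 08:02:40: %IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry: 10.10.10.9, hw: 0000.1111.2222 by hw: dead.beef.0001
Jan 10 08:03:02: %IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry: 10.10.10.20, hw: 1234.5678.9abc by hw: cafe.f00d.0002
"""
SAMPLE_BINDINGS = """
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
66:AA:BB:CC:DD:01   10.10.10.5       259200      dhcp-snooping  10    GigabitEthernet1/0/7
00:11:22:33:44:55   10.10.10.6       259200      dhcp-snooping  10    GigabitEthernet1/0/8
00:00:11:11:22:22   10.10.10.9       200000      dhcp-snooping  10    GigabitEthernet1/0/9
"""


def summarize(log_text, binding_text):
    """Count verdicts for a log/binding pair; the caller decides what to alert on."""
    return Counter(v for *_, v in triage(parse_sticky_events(log_text),
                                        parse_snooping_bindings(binding_text)))


if __name__ == "__main__":
    for row in triage(parse_sticky_events(SAMPLE_LOG), parse_snooping_bindings(SAMPLE_BINDINGS)):
        print(row)
    print(summarize(SAMPLE_LOG, SAMPLE_BINDINGS))
```

With the sample data, the two events involving the returning laptop are classified as lease churn, while the remaining two are the cases an operator would still want to look at.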

  • SF 300 private-vlan

    Hi,
    I am working on an SF 300. I favor the CLI over the web interface.
    I would like to make a private-vlan community but do not know if my sequence of commands is right or allowed.
    Can someone point me in the right direction please ?
    MedSwitch#configure terminal
    MedSwitch(config)#vlan da
    MedSwitch(config-vlan)#vlan 50
    MedSwitch(config-vlan)#private-lan community
    % Unrecognized command
    This is my first experience with cisco switches. I am a beginner.
    Thanks.
    -Luis

    Hi Luis, this switch does not support private VLANs. You may use the protected port feature (PVE, private VLAN edge). This concept means that if there is a port with the protected port toggle, any other protected ports cannot communicate amongst themselves. This behaves sort of like an "isolated port". However, any port that is not a protected port may communicate with the protected port, which operates similar to a "promiscuous port".
    If you need vlan separation it will be accomplished through ACL or routing functions.
    -Tom
    Please mark answered for helpful posts

  • Problems setting up public/private vlans on sg300-52 switches

    A real beginner here with a problem on how to set up 3 SG300-52 (in L2 mode) as per this diagram:
    Port 1 on all switches should be able to talk to each other and access the blob at the right.
    The ports 25, on the other hand, should only be able to talk among themselves in their own private VLAN. They are to carry sensitive traffic.
    So I created 3 VLANs: vlan 78 for ports gi1, gi51, vlan 10 for ports 25, 49, 50, and a dummy vlan, 666, with the intent of segregating vlan 10 from vlan 78.
    My attempts so far have failed.
    Ports gi49-50 are configured as trunk ports and gi1, gi51 as access ports, as in the following CLI output (excerpts of the startup config):
    vlan database
     vlan 10,78,666
    exit
    interface vlan 1
     ip address 172.16.10.11 255.255.255.0
     no ip address dhcp
    interface gigabitethernet1
     switchport mode access
     switchport access vlan 78
    interface gigabitethernet25
     switchport mode access
     switchport access vlan 10
    interface gigabitethernet49
     switchport trunk allowed vlan add 10,78
     switchport trunk native vlan 666
     switchport default-vlan tagged
    interface gigabitethernet50
     switchport trunk allowed vlan add 10,78
     switchport trunk native vlan 666
     switchport default-vlan tagged
    interface gigabitethernet51
     switchport mode access
     switchport access vlan 78
    Ports gi1 can talk to each other and access the blob, but ports 25 refuse to talk to each other. But as soon as I remove the access links to the blob they can! Obviously, at that point ports gi1 lose access.
    Is such a topology feasible or even advisable?
    Thanks,
    jf

    Hi Jean,
    Here's a pretty picture
    Now I will explain.
    The layer 3 switch is going to service as your core switch.
    Vlan 78 looks like your BLOB connection.
    Vlan 10 and 666 look like they don't belong on the BLOB.
    So how to configure this-
    You will want to configure the switch that connects directly to the BLOB as the layer 3 switch depicted in my diagram.
    Layer 3 switch, follow this document
    https://supportforums.cisco.com/docs/DOC-27038
    Bear with me, I am making up random numbers since I don't know what you want or will use.
    So VLAN 78 looks like the BLOB and 10 and 666 are staying out of the BLOB.
    config t
    vlan database
    vlan 10, 78, 666
    int vlan 1
    ip address 192.168.1.254 /24
    int vlan 10
    ip address 192.168.2.254 /24
    int vlan 78
    ip address 192.168.3.254 /24
    int vlan 666
    ip address 192.168.4.254 /24
    Configure the port you want to go to the BLOB, I am assuming vlan 78.
    config t
    int gi01
    switchport mode access
    switchport access vlan 78 (that 3750, what is the native vlan of the port it is connecting to??)
    Next, configure the downlink port to connect the layer 2 switch
    config t
    int gi0/2
    switchport mode trunk
    switchport trunk allowed vlan add 10, 78, 666  (this will make the port native vlan 1 untagged, rest ports tagged)
    On the downstream switch you need to configure an uplink and downlink with the respective vlans. It will remain layer 2 mode.
    config t
    vlan database
    vlan 10, 78, 666
    int gi0/1
    switchport mode trunk
    switchport trunk allowed vlan add 10, 78, 666
    int gi0/2
    switchport mode trunk
    switchport trunk allowed vlan add 10, 78, 666
    Same thing for the last switch, it will remain layer 2 mode
    config t
    vlan database
    vlan 10, 78, 666
    int gi0/1
    switchport mode trunk
    switchport trunk allowed vlan add 10, 78, 666
    int gi0/2
    switchport mode trunk
    switchport trunk allowed vlan add 10, 78, 666
    Let me know if this works out or if it is not logical for you.
    -Tom
    Please mark answered for helpful posts

  • Hi all, need advice on OSPF and private vlans

    Hi all.
    I have a project to complete and need some help on the possible solution I can use.
    Basically we have OSPF area 0, and the users in question are in OSPF area 7, which is a stub.
    I need to route the traffic from these users out through area 0, through 3 core devices, onto an external firewall interface to be placed onto the VPN that sits on it. The firewall is not included in the OSPF domain.
    My thinking was that the firewall has a default route back into the OSPF domain so I don't need to worry about traffic coming in; however, my job is to segregate these users and take them out of our core network and place them onto an external network via this VPN.
    Not sure how to achieve this apart from static routing redistributed, but surely this does not separate their traffic, it only points the route to OSPF?!
    I was thinking I might have to use private vlans or policy routing but when I try policy routing the policy gets ignored due to normal forwarding.
    Any help and advice would be greatly appreciated.
    Cheers
    Steve

    Steve
    Thanks, that helps.
    GRE is definitely out because, apart from the 6500, GRE tunneling is not supported on the Cisco switches.
    It's good that area 7 is only for these users and not mixed up with other users.
    So if I understand correctly, the 4500 interface connecting to the 6500 is in area 0 and the interface connecting to the 3550 is in area.
    Or is the 3550 connected to both areas and the 4500 totally in area 0?
    Can you confirm the above?
    In terms of keeping them separate there are 2 possible choices. You can either:
    1) Use VRF-Lite, although I'm not sure whether the HP switch would support this. With VRF-Lite you are in effect creating virtual devices on the same physical device. This means each virtual device has its own routing and forwarding table, so it is quite secure because you would only populate the routing table with the routes needed, so there would be no way for users to jump to the rest of your networks.
    The downside is that it can become quite complex to configure. If the 4500 is only used to connect area 7 to area 0 then that would not be a problem, but the connection from the 6500 to the HP could be, and I don't even know whether the HP supports VRF-Lite functionality, let alone how to configure it on that switch.
    But it would, at least from the 4500 to the 6500 to the HP, provide complete separation in terms of routing and forwarding. Once it got to the HP it wouldn't, but that might not be an issue.
    2) Use PBR (possibly together with ACLs). This is easier to configure, i.e. you configure PBR on the 4500 and the 6500 to get the traffic to the HP switch. But you do not get the actual separation you get with VRF-Lite, i.e. the traffic simply overrides the existing routing tables.
    The other thing to bear in mind with PBR is that you also have to configure the return traffic as well, so each device would need multiple PBR configs.
    Again, I don't know whether the HP supports PBR, but it may not be an issue depending on what the routing is on the HP.
    You could also use a combination of the above, i.e. VRF-Lite between the Cisco switches and then PBR for the last hop to the HP device.
    I should say I don't have a huge amount of experience with VRF-Lite, but that should not necessarily stop you using it if it is what you need. There are lots of other people on here, so I'm sure there will be other people who can help if I can't.
    It still depends on how much separation is required. VRF-Lite is definitely seen as a way to separate traffic running across a shared infrastructure; PBR is not really seen in the same way. So it may well be worth going back to find out exactly what "segregating" user traffic means.
    I don't want to confuse the issue but it's still not entirely clear what the actual requirement is.
    Jon

  • Private VLan in 3550

    We are going to purchase Cisco 3550 switches for our DMZ setup, and we would like to utilise the Private VLAN (PVLAN) feature in order to protect our individual servers from any attack or any compromised server. Can anybody shed some more light on how best to configure PVLANs on Cisco 3550 switches, and are there any issues with Checkpoint Firewall?
    Where can I get step-by-step commands? I searched the Cisco site but lost myself trying to find the step-by-step documentation.
    I found one document which was very good, but it is for the Cisco 6500 series switches. Please see the link for that: http://www.cisco.com/warp/customer/473/90.shtml
    Thanks in advance

    Here is a link that I hope helps you with your configuration. See the Configuring Protected Ports portion for the PVLAN feature.
    http://www.cisco.com/en/US/partner/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007e838.html
    I don't know of any issues with specific vendor equipment (e.g. Checkpoint FW, etc.).
    Hope this helps you,
    Don

  • Multi-VRF CE with Private VLANs

    Does anyone know if you can implement a VRF instance on a private vlan? I would assume so, and will lab it out as time permits, but was curious if anyone had tried it/knows one way or the other.

    Since both platforms support VRF-Lite and MPLS VPN, you can use Frame Relay as the encapsulation for subinterfaces with local DLCI switching, as the VRF configuration is not media dependent.
    HTH-Cheers,
    Swaroop
    Router 1
    interface Serial0/0
     no ip address
     encapsulation frame-relay
     no keepalive
     !--- This command disables LMI processing.
    interface Serial0/0.1 point-to-point
     !--- A point-to-point subinterface has been created.
     !--- ip vrf forwarding must come before ip address; IOS clears the address when the VRF is assigned.
     ip vrf forwarding xxx
     ip address 172.16.120.105 255.255.255.0
     frame-relay interface-dlci 101
     !--- DLCI 101 has been assigned to this interface.
    Router 2
    interface Serial0/0
     no ip address
     encapsulation frame-relay
     no keepalive
     !--- This command disables LMI processing.
    interface Serial0/0.1 point-to-point
     !--- A point-to-point subinterface has been created.
     ip vrf forwarding xxx
     ip address 172.16.120.120 255.255.255.0
     frame-relay interface-dlci 101
     !--- DLCI 101 has been assigned to this interface.

  • Private Vlan and Switchport Protected

    Dear All,
    My core switch is a 4500, which supports Private VLAN. However, I have several closet switches (2950) which only support Switchport Protected. The 4500 and each 2950 are connected with a trunk over fiber.
    How can I configure it so that a PC at 2950_Switch1 cannot communicate with a PC at 2950_Switch2 (all FastEthernet ports on both 2950s are in the same VLAN and same subnet)?
    Thanks.
    C.K.

    Hi C.k.,
    I believe you can use the switchport protected feature along with the port blocking feature to accomplish this. First have your switch ports configured as protected ports on which you don't want the traffic to flow, and then configure those ports to deny unknown unicast and multicast using the "port-blocking" feature.
    Try that and let us know.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/swtrafc.htm#wp1174968
    HTH,
    -amit singh
