ASA vlan sub-interfaces with private vlans on 3750

fareed_farooqui
Level 1

Hi NetPros,

I have two 5540s connected to a pair of stacked 3750s.

I have established trunks between the pair of 5540s (in active/standby) and the stacked 3750 switches.

My configuration on the ASAs is below.

---------------------------------------------------------------------------------
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.1
 vlan 2
 nameif DMZ1
 security-level 50
 ip address 172.16.1.9 255.255.255.0 standby 172.16.1.10
!
interface GigabitEthernet0/2.2
 vlan 4
 nameif DMZ2
 security-level 70
 ip address 172.16.2.9 255.255.255.0 standby 172.16.2.10
-------------------------------------------------------------------------------------

I can ping from 172.16.1.9 to 172.16.1.10, and also from 172.16.2.9 to 172.16.2.10, so the firewalls can ping each other.

The switch has the private VLAN configuration below, in order to not allow communication between the hosts while still letting them reach the firewall VLAN interfaces.

-----------------------------------------------------------------------------------
vlan 2
 name DMZ-Promiscuous
 private-vlan primary
 private-vlan association 3
!
vlan 3
 name DMZ-Isolated
 private-vlan isolated
!
vlan 4
 name OM-dmz-promiscuous
 private-vlan primary
 private-vlan association 5
!
vlan 5
 name OM-dmz-Isolated
 private-vlan isolated

Also, the host ports are configured as below.

interface GigabitEthernet1/0/4
 description Host_in_DMZ1
 switchport private-vlan host-association 2 3
 switchport mode private-vlan host
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
end

interface GigabitEthernet1/0/22
 description DMZ2
 switchport private-vlan host-association 4 5
 switchport mode private-vlan host
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
end
--------------------------------------------------------------------------------------------

Is the trunk configuration on the 3750 below correct, or do I need to specify any other private-vlan configuration, such as "switchport mode private-vlan promiscuous"? But those are only for access ports, not trunks. Hosts cannot communicate with the firewall interfaces. Can someone please help me?

----------------------------------------
interface GigabitEthernet1/0/43
 description ASA1 DMZ1/DMZ2 TRUNK
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 2-5
!
interface GigabitEthernet2/0/43
 description ASA2 DMZ1/DMZ2 TRUNK
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 2-5
----------------------------------------------------

Thanks

Fareed
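As an added example (not part of the thread and not a Cisco tool), the Python script below audits a private-VLAN layout of the kind posted above. It parses IOS-style "vlan" and "interface" stanzas together with the ASA sub-interface "vlan" lines and checks two things that must hold for PVLAN forwarding to work at all: every host port's primary/secondary pair must be a declared association, and every firewall sub-interface must be tagged with a primary VLAN, because only a member of the primary VLAN can act as the promiscuous gateway for isolated hosts. The embedded sample configs are constructed from the VLAN ids in the post; association lists are read as comma-separated ids (ranges are not expanded), and the script does not check trunk or promiscuous port mode, which is the separate question the reply addresses.

```python
"""PVLAN consistency audit (added example, not from the original thread).
Checks that host ports reference declared primary/secondary associations and
that ASA sub-interfaces are tagged with a PRIMARY VLAN (the promiscuous side)."""
import re

# Constructed sample, modelled on the VLAN ids used in the thread.
SWITCH_CONFIG = """vlan 2
 private-vlan primary
 private-vlan association 3
vlan 3
 private-vlan isolated
vlan 4
 private-vlan primary
 private-vlan association 5
vlan 5
 private-vlan isolated
interface GigabitEthernet1/0/4
 switchport private-vlan host-association 2 3
interface GigabitEthernet1/0/22
 switchport private-vlan host-association 4 5
"""
ASA_CONFIG = """interface GigabitEthernet0/2.1
 vlan 2
 nameif DMZ1
interface GigabitEthernet0/2.2
 vlan 4
 nameif DMZ2
"""

def stanzas(config):
    """Yield (header, [indented sub-lines]) for each top-level config block."""
    header, body = None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line[0] != " ":            # an unindented line starts a new block
            if header is not None:
                yield header, body
            header, body = line, []
        else:
            body.append(line.strip())
    if header is not None:
        yield header, body

def parse_pvlans(config):
    """Map vlan id -> {'kind': primary|isolated|community|None, 'assoc': set}."""
    vlans = {}
    for header, body in stanzas(config):
        m = re.fullmatch(r"vlan (\d+)", header)
        if not m:
            continue
        entry = {"kind": None, "assoc": set()}
        for line in body:
            if line.startswith("private-vlan association"):
                entry["assoc"] |= {int(x) for x in re.findall(r"\d+", line)}
            elif line.startswith("private-vlan "):
                entry["kind"] = line.split()[1]
        vlans[int(m.group(1))] = entry
    return vlans

def parse_host_ports(config):
    """Map interface name -> (primary, secondary) for PVLAN host ports."""
    ports = {}
    for header, body in stanzas(config):
        for line in body:
            m = re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line)
            if m and header.startswith("interface "):
                ports[header.split()[1]] = (int(m.group(1)), int(m.group(2)))
    return ports

def parse_asa_subifs(config):
    """Map ASA sub-interface nameif -> 802.1Q vlan id."""
    subifs = {}
    for header, body in stanzas(config):
        if not header.startswith("interface ") or "." not in header:
            continue
        name, vid = header.split()[1], None
        for line in body:
            if line.startswith("vlan "):
                vid = int(line.split()[1])
            elif line.startswith("nameif "):
                name = line.split()[1]
        if vid is not None:
            subifs[name] = vid
    return subifs

def audit(switch_cfg, asa_cfg):
    """Return findings (strings); an empty list means the mapping is consistent."""
    vlans = parse_pvlans(switch_cfg)
    kind = lambda v: vlans.get(v, {}).get("kind")
    findings = []
    for port, (pri, sec) in parse_host_ports(switch_cfg).items():
        if kind(pri) != "primary":
            findings.append(f"{port}: VLAN {pri} is not a primary PVLAN")
        elif sec not in vlans[pri]["assoc"]:
            findings.append(f"{port}: VLAN {sec} is not associated with primary {pri}")
        if kind(sec) not in ("isolated", "community"):
            findings.append(f"{port}: VLAN {sec} is not a secondary PVLAN")
    for name, vid in parse_asa_subifs(asa_cfg).items():
        if kind(vid) != "primary":
            findings.append(f"ASA {name}: VLAN {vid} is not a primary PVLAN; "
                            "the firewall must sit in the primary VLAN")
    return findings
```

Running `audit(SWITCH_CONFIG, ASA_CONFIG)` on the sample returns no findings; pointing an ASA sub-interface at an isolated VLAN, or a host port at a secondary VLAN that is not associated with its primary, produces one finding per mistake. The same parser can be pointed at a full "show running-config" capture from the switch and firewall.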

1 Reply

daisuketanabe
Level 1

Hi,

Yes, you will need to configure "switchport mode private-vlan promiscuous" if you want a port to be in PVLAN promiscuous mode.

The problem is, as far as I am aware, there is no way you can have promiscuous mode on a switch trunk port, so the only option is to use a different switch port for each PVLAN.

You might be able to create sub-interfaces and assign PVLAN to sub-interfaces if it is supported by the switch. Not sure if 3750s can do that.

I hope this helps.
