Private VLAN over OTV

Alex Pham
Level 1

Hi,

Has anyone implemented PVLAN over OTV? Are there any restrictions to it?

Thanks.

Alex

Accepted Solution

Hi Alex,

I saw your question while playing myself with Private-VLANs and OTV and the idea to combine them (just for LAB purposes :-) ), having problems making it work (and finding no answer here).

 

The answer: it works, but not out of the box.

 

The problem is that secondary Private-VLANs don't have any CAM table entries associated, which is a problem for OTV, which doesn't forward any unknown unicast. You need to make static CAM entries on the OTV VDCs pointing to the OTV internal interface for the Private VLAN devices on that local site. That way you get the necessary OTV route entries (selective OTV unicast flooding didn't work for me).

Hope you are still interested in the answer to your question, it was great fun to think about this little problem.

 

Simon


6 Replies

carlvarg
Cisco Employee

Hi, in the documentation there is no limitation between PVLAN and OTV; see the links (Limitations with Other Features):

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/layer2/configuration/guide/Cisco_Nexus_7000_Series_NX-OS_Layer_2_Switching_Configuration_Guide_Release_5-x_chapter6.html#con_1344136

(Guidelines and Limitations for OTV)

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/nx-os/OTV/config_guide/b_Cisco_Nexus_7000_Series_NX-OS_OTV_Configuration_Guide.pdf

 

So I'm currently trying to implement this. I tried static CAM entries and without entries, and have issues either way.

 

I have taken a community PVLAN and a host-associated port on one side of the OTV, and the host port on the same secondary VLAN on the other side.

Cannot ping.

Flip it to a promiscuous port on one side with association: starts to ping.

 

Thinking through the logic, I looked at the MAC address table of the primary VLAN and had the MAC info of the host/secondary community VLAN, and looked at the OTV route statement and had the MAC seen attached to the primary VLAN coming from the correct side. Both sides.

 

So the static CAM statement didn't make sense. Even so, I tried it, and it still did not work.

Just to ensure I understand the logic of the OTV VDC CAM statement:

mac address-table static "MAC-ADD" vlan X int E1/10 "L2 interface that you're learning the MAC from already"

 

The mac should be the mac of host port in which the secondary vlan host resides.

 

Running ver 6.2(8)

 

Running OTV for 20 normal VLANs, no issues on this code since August.

 

Any thoughts??

I think I know what I'm doing wrong and will attempt this tomorrow.

otv flood mac 0000.2101.1111 vlan 72

to flood unknown unicast across OTV, similar to the way that you would for MLB VMACs.
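Putting the two approaches from this thread side by side as an added NX-OS configuration example (not posted by anyone in the thread); it assumes primary VLAN 70, community secondary VLAN 72, host port Ethernet1/20 on the L2 VDC, Ethernet1/10 as the OTV VDC's internal (site-facing) interface, and the host MAC 0000.2101.1111 quoted above, all of which are constructed values:

```cisco
! --- L2 / aggregation VDC, both sites: define the Private VLAN pair ---
feature private-vlan
vlan 70
  private-vlan primary
  private-vlan association 72
vlan 72
  private-vlan community
!
interface Ethernet1/20
  description community host (constructed example)
  switchport mode private-vlan host
  switchport private-vlan host-association 70 72
!
! --- OTV VDC, each site: extend the primary AND the secondary VLAN ---
feature otv
interface Overlay1
  otv extend-vlan 70,72
!
! Option A (Simon's approach): a static CAM entry for the LOCAL host,
! pointing at the OTV internal interface, so that OTV originates a
! route for VLAN 72 even though the secondary VLAN learns no MACs.
mac address-table static 0000.2101.1111 vlan 72 interface Ethernet1/10
!
! Option B (the plan in the post above): have OTV flood unknown unicast
! destined to this MAC in VLAN 72 instead of dropping it.
otv flood mac 0000.2101.1111 vlan 72
!
! Verification on the OTV VDC: the remote site should now show a route
! for the MAC in VLAN 72 learned via the overlay.
show otv route vlan 72
show mac address-table vlan 72
```

Options A and B are the two alternatives discussed in the thread, not a combined recipe; apply one per host MAC and check `show otv route vlan 72` on the remote OTV VDC before touching the other.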

Aries Fernandes
Cisco Employee

Hi Alex,

There is no such restriction from OTV. What you define in the access-interface and the overlay interface will be allowed.

Do revert back if you have any more specifics you wanted to know related to OTV.

Thanks,

Aries

Alex Pham
Level 1

Hi Simon,

I have no chance to actually implement PVLAN over OTV, as the environment I'm working with is live. I ended up with the traditional method of using port-based ACLs. However, it's still great to know that the combination of PVLAN and OTV actually works.

 

Thank you for sharing your experience and test result. 

Regards,

Alex
