Is it possible to extend PVLAN (Community Secondary VLAN) across a trunk?

ovt
Level 4

Hi!

I've set up PVLANs on a Cat6k and it works pretty well. For example, 6500 Community ports can successfully communicate with each other and Isolated ports are isolated from each other. Also, I have many non-PVLAN (access) ports on the 6500. Now I need to extend the Community VLANs and non-PVLAN VLANs to a Cat3550 switch, which is not PVLAN-capable.

Is it possible to do that with a trunk?

I've noticed that learning on PVLAN Isolated and Community ports is done for Primary VLAN (not Isolated/Community VLAN). This probably means that frames are tagged with Primary VLAN number when passed from Isolated port to the trunk.

For example:

6500#sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     111       isolated          Fa3/27, Fa3/28, Fa3/48
100     112       community         Fa3/25, Fa3/26, Fa3/48

6500#sh mac-address-table dynamic
Legend: * - primary entry

  vlan   mac address      type     learn  ports
------+----------------+--------+-----+--------------------------
*  100  000e.d70b.1560   dynamic  Yes    Fa3/25

The VLAN 100 is a Primary VLAN.

I've created "interface vlan 100" on the Cat3550 (the other end of the trunk), but cannot ping it from a PC attached to the Community port :( At the same time I can ping this interface from the 6500, and I can ping the PC attached to the 6500 Community port from the 6500 (the 6500 also has "interface vlan 100" configured with "private-vlan mapping"). The diagram:

PC --- IsolatedPort - 6500 --- trunk --- remote 3550 with "int vlan 100"

So, PC -> remote int vlan 100 - doesn't work

6500 -> PC - ok

6500 -> remote int vlan 100 - ok.

All IPs are in the same IP subnet.

Can anybody explain this?

Does this mean that PVLANs cannot be extended across a trunk link?

4 Replies

aashish.c
Level 4

Hi,

You can extend private VLANs across multiple devices by trunking the primary, isolated, and community VLANs to other devices that SUPPORT private VLANs. To maintain the security of your private-VLAN configuration and to avoid other use of the VLANs configured as private VLANs, configure private VLANs on all intermediate devices, including devices that have no private-VLAN ports.

But in your case, the next-hop switch, i.e. the 3550, doesn't support private VLANs, so it will not work and the above facility doesn't apply in your scenario.

Here is the URL which explains this:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sea/3750scg/swpvlan.htm#wp1038379

regards

aashish C

Thanks for the reply!

OK, in this case could you please explain the difference between trunking to a device that SUPPORTS PVLANs and to a device that doesn't support PVLANs?

I think that the local device (the 6500 in my case) has no idea about the remote device. This means that the same encapsulation is used whether the remote device supports PVLANs or not. This in turn means the following: if trunking to the non-PVLAN-capable device doesn't work, then Cisco uses a non-standard encapsulation over the trunk to carry Secondary VLAN traffic.

What do you think about this point?

Hi,

The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.

The trunking standard is no different in carrying private VLANs or normal VLANs. It's a matter of the type of VLAN. If on the destination switch you do not have the secondary VLANs created, then the data will not be delivered.

A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. But on the destination 3550, there is no primary VLAN or secondary VLANs created. VLAN 100 is acting as a normal VLAN, NOT a Private VLAN.

So, I do not think that hosts in the community VLAN can access other data VLANs. Giving a VLAN number 100 on the 3550 doesn't mean that you will be able to access that VLAN.

I hope this clarifies your doubt.

Regards

aashish C

The bottom line: community VLANs can be trunked to a remote switch, isolated VLANs cannot. It doesn't matter whether the remote switch is PVLAN-capable or not.

The tag assigned is the corresponding Community VLAN number, but learning is done for the Private VLAN number.

Of course, if community VLANs are trunked to a non-PVLAN-capable switch, we lose all the PVLAN security benefits.

6500 IOS 12.2(18)SXD

Regards,

Oleg Tipisov,

REDCENTER,

Moscow
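Added example, not part of the thread or of any Cisco tool: a small Python model of private-VLAN forwarding across an 802.1Q trunk that reproduces the three cases Oleg tested (PC -> remote SVI fails, 6500 -> PC works, 6500 -> remote SVI works) and the final conclusion that a community VLAN does get through once the remote switch defines that VLAN, at the cost of the PVLAN isolation. Port names and VLAN ids come from the "sh vlan private-vlan" output above; the forwarding rules, the 3550 port "Fa0/1" and the trunk tagging behaviour are assumptions of this model.

```python
# Added example, not part of the thread: a small model of private-VLAN
# forwarding that reproduces the cases Oleg tested. Port names and VLAN ids
# come from his output; the rules are generic PVLAN semantics (an assumption).
from dataclasses import dataclass, field

PRIMARY, ISOLATED, COMMUNITY = 100, 111, 112

@dataclass
class Switch:
    pvlan_aware: bool
    vlans: set                                   # VLANs defined on the switch
    ports: dict = field(default_factory=dict)    # port -> (role, vlan)

    def deliver(self, tag):
        """Ports that receive a frame arriving on the trunk with 802.1Q `tag`."""
        if tag not in self.vlans:
            return set()                         # VLAN not defined here: dropped
        if not self.pvlan_aware:                 # plain switch: ordinary VLAN
            return {p for p, (_, v) in self.ports.items() if v == tag}
        out = set()
        for port, (role, vlan) in self.ports.items():
            if role == "promiscuous" and tag in (PRIMARY, ISOLATED, COMMUNITY):
                out.add(port)                    # promiscuous hears all of them
            elif role == "community" and tag in (PRIMARY, vlan):
                out.add(port)                    # own community, or primary
            elif role == "isolated" and tag == PRIMARY:
                out.add(port)                    # isolated: primary only
        return out

def reach(src, port, dst):
    """Ports on `dst` that see a frame sent from `port` on `src` over the trunk.
    On the trunk a host port's frame carries its *secondary* VLAN id (111/112),
    even though the MAC table learns the address under primary VLAN 100."""
    return dst.deliver(src.ports[port][1])

cat6500 = Switch(True, {100, 111, 112}, {
    "Fa3/25": ("community", COMMUNITY), "Fa3/27": ("isolated", ISOLATED),
    "Vlan100": ("promiscuous", PRIMARY)})        # SVI with private-vlan mapping
cat3550 = Switch(False, {100}, {"Vlan100": ("access", PRIMARY)})
# Same 3550 with VLAN 112 also defined (hypothetical access port Fa0/1 in it):
cat3550_v112 = Switch(False, {100, 112},
                      {"Vlan100": ("access", PRIMARY), "Fa0/1": ("access", COMMUNITY)})

def thread_cases():
    return {
        "pc_to_remote_svi": reach(cat6500, "Fa3/25", cat3550),        # set(): dropped
        "6500_to_pc": cat6500.deliver(PRIMARY),                        # includes Fa3/25
        "6500_to_remote_svi": reach(cat6500, "Vlan100", cat3550),     # {"Vlan100"}
        "pc_to_remote_v112": reach(cat6500, "Fa3/25", cat3550_v112),  # {"Fa0/1"}
    }
```

The last case is the security point of the thread: on the non-PVLAN-capable 3550, VLAN 112 is just an ordinary VLAN, so any port placed in it talks to the "community" hosts with no private-VLAN restriction.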