
PVLAN spec query re: isolated ports and trunking PVLANs

haferrein04
Level 1

Background: implementing PVLAN support in some firmware, not a network engineer.

I think I can work this out by logic, but I'm not a net-eng, so a little unsure of my rationale, would love someone else to either tell me my thinking is correct, or tell me it's not and why. Much appreciated.

I was wondering if isolated ports can talk to promisc ports on another switch in the same PVLAN.

I wouldn't think that would be ok. I was thinking, the second question becomes, can promiscuous ports of a PVLAN be spread across multiple switches, and I was thinking that's probably not ok to do, since typically a router is on the other end of the promiscuous ports (and there are probably only multiple promisc ports for LAG purposes). In any event, wouldn't two routers on the subnet fight with each other for control unless they were configured to coordinate with each other?

Mightn't an MC-LAG setup be used with promisc ports across both switches in the same PVLAN going to two routers ... that seems elaborate when there's HSRP or VRRP.

So ... can isolated ports talk to promisc ports on other switches? Can promisc ports in a given PVLAN be spread across multiple switches?


liviu.gheorghe
Spotlight

Hello @haferrein04 ,

 

> I was wondering if isolated ports can talk to promisc ports on another switch in the same PVLAN.

The answer is yes, they can. Trunk ports between switches can carry traffic between isolated, community and promiscuous ports, and isolated or community port traffic can enter or leave the switch through a trunk interface.

> I wouldn't think that would be ok. I was thinking, the second question becomes, can promiscuous ports of a PVLAN be spread across multiple switches, and I was thinking that's probably not ok to do, since typically a router is on the other end of the promiscuous ports (and there are probably only multiple promisc ports for LAG purposes). In any event, wouldn't two routers on the subnet fight with each other for control unless they were configured to coordinate with each other?

I see no reason why promiscuous ports cannot be spread across multiple switches. You are thinking of First Hop Redundancy protocols like HSRP and VRRP. Yes, they will "fight" with each other - they are in the same broadcast domain, private or not - in order to elect the router that will manage the Virtual IP and MAC address that the hosts on the VLAN use as default gateway.

> Mightn't an MC-LAG setup be used with promisc ports across both switches in the same PVLAN going to two routers ... that seems elaborate when there's HSRP or VRRP.

In this case the Multi Chassis LAG will not be very useful because STP will determine there is a loop in the topology and will block one of the links.

The Multi Chassis LAG, or MEC, is used in conjunction with other technologies like VSS, StackWise or vPC, which basically make 2 individual chassis into a single virtual one. You connect a host, router or switch with a link to each of the two chassis, the EtherChannel on the host, router or switch is configured towards the virtual chassis, there is no need for STP, and you can use both links.

> So ... can isolated ports talk to promisc ports on other switches? Can promisc ports in a given PVLAN be spread across multiple switches?


Yes and yes.

Here you can find a short and useful description of Private Vlans: https://learningnetwork.cisco.com/s/article/a-quick-summarized-view-to-private-vlan-pvlan-x

Hope it helps.

Regards, LG
*** Please Rate All Helpful Responses ***
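
For the firmware side of the question, the following is an added example, not code from either poster or from any vendor: a small C model of the forwarding check that lets an isolated port reach a promiscuous port on another switch while still blocking isolated-to-isolated traffic. It assumes the usual PVLAN trunk behaviour (the frame keeps its secondary VLAN tag across the trunk, promiscuous traffic travels on the primary VLAN); the VLAN IDs, type names and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed VLAN IDs for one PVLAN domain (assumed values, not from the thread). */
enum { VLAN_PRIMARY = 100, VLAN_ISOLATED = 101, VLAN_COMMUNITY = 102 };
typedef enum { ROLE_PROMISC, ROLE_ISOLATED, ROLE_COMMUNITY, ROLE_TRUNK } role_t;
typedef struct { role_t role; uint16_t vlan; } port_t; /* vlan: secondary VLAN of a host port */

/* VLAN a frame is classified into on ingress; `tag` is only used on trunks. */
uint16_t ingress_vlan(const port_t *in, uint16_t tag) {
    switch (in->role) {
    case ROLE_PROMISC: return VLAN_PRIMARY; /* promiscuous traffic rides the primary VLAN */
    case ROLE_TRUNK:   return tag;          /* keep the tag exactly as received */
    default:           return in->vlan;     /* host port: its secondary VLAN */
    }
}

/* May a frame classified into `vlan` leave through `out`? */
bool egress_allowed(uint16_t vlan, const port_t *out) {
    switch (out->role) {
    case ROLE_TRUNK:     return true; /* carries primary and secondary VLANs, tagged */
    case ROLE_PROMISC:   return vlan == VLAN_PRIMARY || vlan == VLAN_ISOLATED || vlan == VLAN_COMMUNITY;
    case ROLE_ISOLATED:  return vlan == VLAN_PRIMARY;              /* only from promiscuous */
    case ROLE_COMMUNITY: return vlan == VLAN_PRIMARY || vlan == out->vlan;
    }
    return false;
}

/* Frame enters `src` on switch A, crosses the trunk, and is offered to `dst` on switch B. */
bool reaches_across_trunk(const port_t *src, const port_t *dst) {
    const port_t trunk = { ROLE_TRUNK, 0 };
    uint16_t vlan = ingress_vlan(src, 0);
    if (!egress_allowed(vlan, &trunk)) return false;
    vlan = ingress_vlan(&trunk, vlan); /* switch B sees the same tag */
    return egress_allowed(vlan, dst);
}

int main(void) {
    const port_t iso = { ROLE_ISOLATED, VLAN_ISOLATED }, pro = { ROLE_PROMISC, VLAN_PRIMARY };
    printf("isolated -> remote promiscuous: %d\n", reaches_across_trunk(&iso, &pro));
    printf("isolated -> remote isolated:    %d\n", reaches_across_trunk(&iso, &iso));
    return 0;
}
```

The isolation decision on the far switch depends only on the tag the trunk delivers, so a trunk that rewrites secondary tags to the primary VLAN would let isolated hosts on different switches reach each other.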