
pvlan

Our objective is to support segregation / policy management / distinct access policies on a per host basis inside a LAN (SD-Access type of solution)

The basic restriction we face is that the LAN isn't segmented into multiple VLANs: there is one broadcast domain (a flat VLAN), and the customer has specifically requested that we not perform re-addressing.

It seems that one possible solution would be to rely on the Private VLAN (PVLAN) implementation described in these links:

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-1000-series-switches/white-paper-c11-743809.html

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/layer2/503_U2_1/b_Cisco_n3k_layer2_config_guide_503_U2_1/b_Cisco_n3k_layer2_config_gd_503_U2_1_chapter_0101.pdf


“Promiscuous port—A promiscuous port belongs to the primary VLAN. The promiscuous port can communicate with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated with the primary VLAN. You can have several promiscuous ports in a primary VLAN. Each promiscuous port can have several secondary VLANs or no secondary VLANs that are associated to that port…”

My question is the following:

  • How many isolated VLANs can we set up? Can we have multiple isolated VLANs that communicate only with their respective promiscuous ports?
  • How many promiscuous ports can we have? Can we “assign” a promiscuous port role to a host / machine / server, or does this absolutely have to be a router that provides connectivity to the internet or another external network?


Please provide info/insight.

Best regards

Depy V
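As an added illustration (not part of the original post), a small Python model of the forwarding rules quoted above: one primary VLAN with a single isolated VLAN (Cisco permits only one isolated VLAN per primary VLAN, but any number of community VLANs) and a check of which ports each host can reach. Port names and VLAN numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


@dataclass(frozen=True)
class Port:
    name: str
    role: str                 # PROMISCUOUS, ISOLATED or COMMUNITY
    secondary: Optional[int]  # secondary VLAN id; None on a promiscuous port


class PvlanDomain:
    def __init__(self, primary, isolated_vlan, community_vlans):
        # Cisco allows one isolated VLAN per primary but many community VLANs.
        self.primary = primary
        self.isolated_vlan = isolated_vlan
        self.community_vlans = set(community_vlans)
        self.ports = []

    def add_port(self, port):
        secondaries = self.community_vlans | {self.isolated_vlan}
        if port.role != PROMISCUOUS and port.secondary not in secondaries:
            raise ValueError(f"{port.name}: VLAN {port.secondary} not associated")
        self.ports.append(port)

    def can_forward(self, src, dst):
        """True if a frame from src may be delivered to dst within the domain."""
        if src is dst:
            return False
        if PROMISCUOUS in (src.role, dst.role):  # promiscuous reaches every port
            return True
        if ISOLATED in (src.role, dst.role):     # isolated reaches only promiscuous
            return False
        return src.secondary == dst.secondary    # community: same community only

    def reachable(self, src):
        return sorted(p.name for p in self.ports if self.can_forward(src, p))


def build_demo():
    """Constructed topology: a gateway, two isolated servers, two communities."""
    d = PvlanDomain(primary=100, isolated_vlan=101, community_vlans=[201, 202])
    for name, role, vlan in [("gw", PROMISCUOUS, None), ("srvA", ISOLATED, 101),
                             ("srvB", ISOLATED, 101), ("hostC", COMMUNITY, 201),
                             ("hostD", COMMUNITY, 201), ("hostE", COMMUNITY, 202)]:
        d.add_port(Port(name, role, vlan))
    return d
```

Running `build_demo().reachable(port)` for each port shows that the two isolated servers see only the gateway, while community hosts additionally see their own community.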


Hi

Considering SDA with DNAC, Nexus and Catalyst 1K seem not to be supported.

You can see all supported here:

https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/dnac_compatibility_matrix/index.html


About your requirement, I don't see it as a problem; actually the opposite. I had a situation recently where segmentation was necessary and DNAC only allowed a contiguous segment on the DHCP. That was for Wi-Fi. I had to add one VLAN per floor, but DNAC supports only one scope per SSID, which forced me to use one big network for the whole site.

For the LAN network it is different, but I don't see a problem with the broadcast domain.


I don't see the concept of an isolated VLAN in Cisco SDA, but you can rely on SGTs for segmentation.