Hi friend,

Thank you for your answer , I really appreciate it but I need to configure the same port as a promiscuous and trunk port the configuration that is available in this site is for the catalyst 4500 switches and not for 3560 switches, I have tried the following commandes but they didn't work on that specific switch :

# interface Gi0/1

#switchport mode private-vlan trunk promiscuous  ( at that level I have an error and i can't execute the rest of the commands)

#switchport private-vlan association trunk 10 20,30

#switchport private-vlan  trunk allowed vlan 10 40  (10 is the primary Vlan and 40 is the management vlan)

#switchport private-vlan trunk vlan 40

#end

This commands don't work with Catalyst 3560 switch I hope that any body can tell me if there is another solution or alternative.

Thank you,

Hi,

Can you apply the commands and provide the exact error message you are getting?

Also, can you post the output of "sh version"?

HTH

Hello,

Here is the version of the catalyst switch 3560 : (int the attachement)

For executing these commands I need to go to the office I will publish the result of these commands tomorow inshaellah,

Thank you,

Hello Harazi, Reza,

Please allow me to join.

Catalyst 3560 does not support Promisc PVLAN trunks. To my best knowledge, the only switch that supported them was a Catalyst 4500 series.

The question is whether you need the Promisc PVLAN trunk at all. Its purpose is to automatically rewrite all secondary PVLAN tags on outgoing frames to the corresponding primary PVLAN tag. This is required only in cases where all of the following constraints are met:

1. The device connected to the trunk does not support PVLANs, such as an ASA box or a common router
2. The device needs to access several standard (non-PVLAN) VLANs across the trunk
3. The device needs to access all hosts under a specific primary PVLAN and all of its associated secondary PVLANs

Are you in such a situation?

Please note that if you simply want to extend the PVLANs to another device that understands PVLANs, you need to use a normal trunk port without any special type.

If you need to allow the device to access all hosts under a particular primary PVLAN (and thus all associated secondary PVLANs) but do not require it to talk to hosts in any other standard VLANs, you can connect the device to a promiscuous host port (not a trunk - it's not going to use tagging).

Finally, if the device needs to talk both to the primary PVLAN and other standard VLANs, then the only solution I can see is to use two ports: One of them will be a promiscuous host port just for the PVLAN, and the other will be a normal trunk for the remaining standard VLANs.

Try analyzing carefully what is it you are trying to accomplish. It would perhaps be better if, instead of saying what tool you need, you explained us what is your goal. It may turn out that you do not need that tool at all.

Best regards,
Peter

Hello friends,

Thank you very much for your help Sharifi and Paluch  , here is the output of the show version command on the Catalyst 3560 switch:

Switch2#show version
Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(55)SE9, RELE
ASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Mon 03-Mar-14 22:36 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02D00000
 
ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE
 (fc1)
 
Switch2 uptime is 1 day, 15 minutes
System returned to ROM by power-on
System image file is "flash:/c3560-ipbasek9-mz.122-55.SE9/c3560-ipbasek9-mz.122-
55.SE9.bin"
 
 
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

And here is the message error that I got when I excute the promiscuous trunk port commands :

Switch2(config)#interface Gi  1/1
Switch2(config-if)#switchport mode private-vlan trunk promiscuous
                                                ^
% Invalid input detected at '^' marker.
 
Switch2(config-if)#switchport private-vlan association trunk 10 20,30
                                                       ^
% Invalid input detected at '^' marker.
 
Switch2(config-if)#switchport privtae-vlan  trunk alloxed vlan 10,40
                                  ^
% Invalid input detected at '^' marker.
 
Switch2(config-if)#switchport privtae-vlan  trunk native vlan 40
                                  ^
% Invalid input detected at '^' marker.

My goal is not to extend the PVLAN to another device since the second devise don't understand Private Vlans but to talk both the PVLAN and Vlan traffic to that second device and the probleme that when I try to configure the port which links the both switches I got these error messages, I hope that there is another solution without utilising two ports of the switch.

Thank you for your kind attention to the matter, looking forward to hering bach from you.

Best regards,

Hello  Sharifi , Paluch  ,

I have tried the solution of cofiguring two separate ports:

I have configure a trunk port in the two switches and I have chose another port  for configuring the promiscuous port on the Catalyst  3560 switch, now the other extrimity of this port wich is plugged in the normal switch how shoul I configure it to be able to recognise the PVLAN? Do I have to affecte this port to the primary VLAN as a normal vlan in this normal switch?

Best regards,

Hi Harazi,

now the other extrimity of this port wich is plugged in the normal switch how shoul I configure it to be able to recognise the PVLAN? Do I have to affecte this port to the primary VLAN as a normal vlan in this normal switch?

I assume you are asking about configuring the remote switch that is connected to a promisc port.

The port of the remote switch that connects to the promisc port should be configured as a normal access port placed in the primary PVLAN as its access VLAN. Promisc ports do not use VLAN tags and behave as access ports residing in the primary PVLAN.

You should specifically take care to use the switchport trunk allowed vlan on the other trunk port between the Cat3560 and the remote switches to remove all PVLANs (both primary and secondary) from this trunk.

Best regards,
Peter