ME 4900 Private VLAN config

Arber_123
Level 1

Hello,

I am having trouble configuring PRIVATE VLANs on a Cisco ME 4900. The scenario is as follows:

We need to connect several DSLAMs to the 4900 switch. Every DSLAM has 4 VLANs configured (VOIP service, MGMT, ADSL Private, ADSL Public) and sends the traffic for each service tagged with the appropriate VLAN ID according to this table:

VOIP:         608
MGMT:         594
ADSL PRIVATE: 2900
ADSL PUBLIC:  2930

On the DSLAM side it is a very simple configuration, just a normal trunk with the 4 VLANs traversing the link. On the 4900 I need to isolate the traffic for the ADSL PRIVATE & PUBLIC services so that DSLAMs connected to the same switch do not have L2 connectivity between them. For VOIP and MGMT they must communicate with each other; the DSLAM also acts as a VOIP GW, so it must communicate with the other DSLAMs for the VOIP service. Also, VLAN 200 is configured on the ME 4900 for switch management traffic.

This 4900 switch connects to an MPLS PE router, which offers an L3 VPN service for VOIP & MGMT and an L2 VPN for the ADSL service (PPPoE traffic to the BRAS). Fortunately we have an ES+ linecard to support many Ethernet features. I tried this config:

1) VOIP, DSLAM-MGMT, MPLS-MGMT configured as normal VLANs

2) ADSL PUBLIC & PRIVATE configured as isolated secondary VLANs; the primary VLAN for ADSL PRIVATE is 2008, for PUBLIC 2308

3) Configure the DSLAM-facing ports on the ME 4900 as private-vlan trunks

4) Configure the ME 4900 uplink port to the MPLS PE as a private-vlan promiscuous trunk

5) Configure Ethernet services on the MPLS PE for each tag that comes from the ME 4900 (ES+ cards are awesome, I love them :D)

6) Apply the L3 VPN service for VOIP and DSLAM-MGMT, and the L2 VPN for the ADSL service.

Below is the configuration on the ME 4900; port Gi1/1 is the DSLAM port and Te1/29 is the uplink to the MPLS PE router:

vlan 200
 name MPLS-MGMT
vlan 608
 name VOIP
vlan 594
 name DSLAM-MGMT
vlan 2008
 name ADSL-PRIV-PRIMARY
 private-vlan primary
 private-vlan association 2900
vlan 2308
 name ADSL-PUB-PRIMARY
 private-vlan primary
 private-vlan association 2930
vlan 2900
 name ADSL-PRIV-SECONDARY
 private-vlan isolated
vlan 2930
 name ADSL-PUB-SECONDARY
 private-vlan isolated
!
interface GigabitEthernet1/1
 description "Link to DSLAM"
 switchport trunk encapsulation dot1q
 switchport private-vlan trunk allowed vlan 594,608,2008,2308,2900,2930
 switchport private-vlan association trunk 2008 2900
 switchport private-vlan association trunk 2308 2930
 switchport mode private-vlan trunk
!
interface TenGigabitEthernet1/29
 description "Uplink to MPLS PE"
 switchport trunk encapsulation dot1q
 switchport private-vlan trunk allowed vlan 1,200,594,608,2008,2308,2900,2930
 switchport private-vlan association trunk 2008 2900
 switchport private-vlan association trunk 2308 2930
 switchport mode private-vlan trunk promiscuous
!
interface vlan 200
 ip vrf forwarding MPLS-MGMT
 ip address x.x.x.x y.y.y.y


Below is part of the MPLS PE (7609-S) configuration; interface Te3/1 goes to the ME 4900:

interface TenGigabitEthernet3/1
 description 10G_link_L1-KOR-C7609-01_TenGigabitEthernet3/1_T2-POG-C4924-01_TenGigabitEthernet1/29
 ip arp inspection limit none
 no ip address
 service instance 200 ethernet
  description MANAGEMENT SERVICE FOR METRO SWITCHES
  encapsulation dot1q 200
  rewrite ingress tag pop 1 symmetric
  bridge-domain 200
 !
 service instance 594 ethernet
  description MANAGEMENT SERVICE FOR DSLAMs
  encapsulation dot1q 594
  rewrite ingress tag pop 1 symmetric
  bridge-domain 594
 !
 service instance 608 ethernet
  description VOIP SERVICE FOR DSLAMs
  encapsulation dot1q 608
  rewrite ingress tag pop 1 symmetric
  bridge-domain 608
 !
 service instance 2008 ethernet
  description DSLAM ADSL PRIVATE SERVICE
  encapsulation dot1q 2008
  rewrite ingress tag pop 1 symmetric
  bridge-domain 2008
 !
 service instance 2308 ethernet
  description DSLAM ADSL PUBLIC SERVICE
  encapsulation dot1q 2308
  rewrite ingress tag pop 1 symmetric
  bridge-domain 2308
!
interface vlan 200
 ip vrf forwarding MPLS-MGMT
 ip address a.a.a.a b.b.b.b   ! this is also the default gw for the ME 4900 switch
!
interface vlan 594
 ip vrf forwarding DSLAM-MGMT
 ip address c.c.c.c d.d.d.d
!
interface vlan 608
 ip vrf forwarding VOIP
 ip address e.e.e.e f.f.f.f
!
interface vlan 2008
 xconnect <Remote PE which is connected to BRAS> <VC-ID> encapsulation mpls
!
interface vlan 2308
 xconnect <Remote PE which is connected to BRAS> <VC-ID> encapsulation mpls

After doing all this config, it seems that the VOIP, MPLS-MGMT and DSLAM-MGMT services are OK; the SVI on the PE is reachable from the DSLAM. The ME 4900 also learns the MAC address of the PPPoE client (the subscriber behind the DSLAM), but on the PE router I don't see this MAC address learned.

Output from ME 4900

T2-POG-ME4924-01#sh mac address-table interface gigabitEthernet 1/1

Unicast Entries
 vlan   mac address     type        protocols               port
-------+---------------+--------+---------------------+--------------------
 594    00d0.d021.6348   dynamic ip                    GigabitEthernet1/1
 608    00d0.d021.6348   dynamic ip                    GigabitEthernet1/1
 2008   202b.c1d4.9ac6   dynamic other                 GigabitEthernet1/1

Output from MPLS PE:

L1-KOR-C7609-01#sh mac address-table dynamic
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age              ports
------+----------------+--------+-----+----------+--------------------------
   608  00d0.d021.6348   dynamic  Yes         80   Te3/1 efp_id 608
   594  00d0.d021.6348   dynamic  Yes        225   Te3/1 efp_id 594
   594  00d0.d021.6a60   dynamic  Yes        225   Te3/1 efp_id 594
   608  00d0.d021.6a60   dynamic  Yes         20   Te3/1 efp_id 608
   594  00d0.d021.630a   dynamic  Yes        225   Te3/1 efp_id 594
   608  00d0.d021.630a   dynamic  Yes         65   Te3/1 efp_id 608
   594  00d0.d021.6b2e   dynamic  Yes        225   Te3/1 efp_id 594
   608  00d0.d021.6b2e   dynamic  Yes         65   Te3/1 efp_id 608
   200  c471.feed.2e3f   dynamic  Yes         65   Te3/1 efp_id 200
   594  00d0.d021.6b14   dynamic  Yes        225   Te3/1 efp_id 594
   608  00d0.d021.6b14   dynamic  Yes        225   Te3/1 efp_id 608
   608  00d0.d021.6ade   dynamic  Yes        225   Te3/1 efp_id 608
   594  00d0.d021.6ade   dynamic  Yes        225   Te3/1 efp_id 594
   594  00d0.d021.6a5e   dynamic  Yes        225   Te3/1 efp_id 594
   608  00d0.d021.6a5e   dynamic  Yes        225   Te3/1 efp_id 608

I suspect that something strange is happening on the private-vlan promiscuous trunk; look at this output on the ME 4900:

T2-POG-ME4924-01#sh interfaces gigabitEthernet 1/1 trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi1/1       trunk-pvlan      802.1q         trunking      none

Port        Vlans allowed on trunk
Gi1/1       594,608,2008,2308,2900,2930

Port        Vlans allowed and active in management domain
Gi1/1       594,608,2008,2308,2900,2930

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/1       594,608,2008,2308


T2-POG-ME4924-01#sh interfaces tengigabitEthernet 1/29 trunk

Port        Mode             Encapsulation  Status        Native vlan
Te1/29      trunk-pvlan-pro  802.1q         trunking      1

Port        Vlans allowed on trunk
Te1/29      1,200,594,608,2008,2308,2900,2930

Port        Vlans allowed and active in management domain
Te1/29      1,200,594,608

Port        Vlans in spanning tree forwarding state and not pruned
Te1/29      1,200,594,608


I am not very experienced with private VLAN tricks, but shouldn't this last command also list the ADSL VLANs in spanning tree forwarding state?

Here is the output of show interface switchport:

T2-POG-ME4924-01#sh interfaces gigabitEthernet 1/6 switchport
Name: Gi1/6
Switchport: Enabled
Administrative Mode: private-vlan trunk secondary
Operational Mode: private-vlan trunk secondary
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: 594,608,2008,2308,2900,2930
Administrative private-vlan trunk associations:
    2008 (ADSL-PRIV-PRIMARY) 2900 (ADSL-PRIV-SECONDARY)
    2308 (ADSL-PUB-PRIMARY) 2930 (ADSL-PUB-SECONDARY)
Administrative private-vlan trunk mappings: none
Operational private-vlan:
  2008 (ADSL-PRIV-PRIMARY) 2900 (ADSL-PRIV-SECONDARY)
  2308 (ADSL-PUB-PRIMARY) 2930 (ADSL-PUB-SECONDARY)
Operational Normal VLANs: 594,608
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none


T2-POG-ME4924-01#sh interfaces tenGigabitEthernet 1/29 switchport
Name: Te1/29
Switchport: Enabled
Administrative Mode: private-vlan trunk promiscuous
Operational Mode: private-vlan trunk promiscuous
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: 1
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: 1,200,594,608,2008,2308,2900,2930
Administrative private-vlan trunk associations:
    2008 (ADSL-PRIV-PRIMARY) 2900 (ADSL-PRIV-SECONDARY)
    2308 (ADSL-PUB-PRIMARY) 2930 (ADSL-PUB-SECONDARY)
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Also this is strange:

T2-POG-ME4924-01#sh spanning-tree mst configuration
Name      [ELB-KOR-RING]
Revision  0     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-199,201-593,595-607,609-2007,2009-2307,2309-2899,2901-2929
          2931-4094
1         200,594,608,2308,2930
2         2008,2900
-------------------------------------------------------------------------------

T2-POG-ME4924-01#sh spanning-tree interface gigabitEthernet 1/6

Mst Instance        Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
MST0                Desg FWD 20000     128.6    P2p
MST1                Desg FWD 20000     128.6    P2p
MST2                Desg FWD 20000     128.6    P2p


T2-POG-ME4924-01#sh spanning-tree interface te1/29         
no spanning tree info available for TenGigabitEthernet1/29

Does anyone have any idea what is wrong here?

Sorry for all this long and tedious writing; I hope someone looks at it.

Looking forward to a suggestion from you.

Regards,

Arber.


Arber_123
Level 1

I corrected this; the problem was with the VLAN filters on the interfaces.

interface GigabitEthernet1/1
 description "Link to DSLAM"
 switchport trunk encapsulation dot1q
 switchport private-vlan trunk allowed vlan 594,608
 switchport private-vlan association trunk 2008 2900
 switchport private-vlan association trunk 2308 2930
 switchport mode private-vlan trunk
!
interface TenGigabitEthernet1/29
 description "Uplink to MPLS PE"
 switchport trunk encapsulation dot1q
 switchport private-vlan trunk allowed vlan 1,200,594,608
 switchport private-vlan association trunk 2008 2900
 switchport private-vlan association trunk 2308 2930
 switchport mode private-vlan trunk promiscuous

Only normal VLANs should be added to the list of allowed VLANs; after this everything is OK.

Regards,

Arber.
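As an added example that is not part of this thread, the Python script below lints an IOS private-VLAN trunk configuration for exactly the mistake Arber found: it parses the VLAN database and the switchport commands, flags any primary or secondary private VLAN that appears in a port's "switchport private-vlan trunk allowed vlan" list (those VLANs must be carried only by the "association trunk" pairs), checks that every pair matches a primary/secondary association in the VLAN database, and warns when a non-promiscuous trunk carries a community rather than an isolated secondary, which would defeat the DSLAM-to-DSLAM isolation the thread is after. The embedded samples are the VLAN database and the two ports from Arber's original and corrected configs; the function names are my own.

```python
"""Added example (not from the thread): lint a Cisco IOS private-VLAN trunk
config for the mistake discussed above, primary/secondary PVLAN IDs listed
under 'switchport private-vlan trunk allowed vlan' instead of being carried
only by the 'association trunk' pairs. Function names are my own."""
import re

# VLAN database from the original post (names and SVI omitted).
VLAN_DB = """
vlan 594
vlan 608
vlan 2008
 private-vlan primary
 private-vlan association 2900
vlan 2308
 private-vlan primary
 private-vlan association 2930
vlan 2900
 private-vlan isolated
vlan 2930
 private-vlan isolated
"""

# DSLAM port and PE uplink from the original post: PVLAN IDs sit in the allowed list.
BROKEN_PORTS = """
interface GigabitEthernet1/1
 switchport private-vlan trunk allowed vlan 594,608,2008,2308,2900,2930
 switchport private-vlan association trunk 2008 2900
 switchport private-vlan association trunk 2308 2930
 switchport mode private-vlan trunk
interface TenGigabitEthernet1/29
 switchport private-vlan trunk allowed vlan 1,200,594,608,2008,2308,2900,2930
 switchport private-vlan association trunk 2008 2900
 switchport private-vlan association trunk 2308 2930
 switchport mode private-vlan trunk promiscuous
"""

# The corrected ports from the reply: only normal VLANs stay in the allowed list.
FIXED_PORTS = (BROKEN_PORTS
               .replace("allowed vlan 594,608,2008,2308,2900,2930", "allowed vlan 594,608")
               .replace("allowed vlan 1,200,594,608,2008,2308,2900,2930", "allowed vlan 1,200,594,608"))

HEADER = re.compile(r"^(vlan \d+|interface .+)$")


def split_blocks(config):
    """Group stripped config lines into (header, body) per 'vlan N' / 'interface X' block."""
    blocks = []
    for line in (raw.strip() for raw in config.splitlines()):
        if HEADER.match(line):
            blocks.append((line, []))
        elif blocks and line and line != "!":
            blocks[-1][1].append(line)
    return blocks


def expand_vlan_list(spec):
    """'1,200,594-596' -> {1, 200, 594, 595, 596}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(config):
    """Return (vlan -> pvlan role, primary -> {secondaries}, port name -> settings)."""
    roles, assoc, ports = {}, {}, {}
    for header, body in split_blocks(config):
        if header.startswith("vlan "):
            vid = int(header.split()[1])
            for line in body:
                if m := re.match(r"private-vlan (primary|isolated|community)$", line):
                    roles[vid] = m.group(1)
                elif m := re.match(r"private-vlan association (?:add )?(\S+)$", line):
                    assoc.setdefault(vid, set()).update(expand_vlan_list(m.group(1)))
        else:
            port = {"mode": "", "allowed": set(), "pairs": set()}
            for line in body:
                if m := re.match(r"switchport mode (.+)$", line):
                    port["mode"] = m.group(1)
                elif m := re.match(r"switchport private-vlan trunk allowed vlan (?:add )?(\S+)$", line):
                    port["allowed"] |= expand_vlan_list(m.group(1))
                elif m := re.match(r"switchport private-vlan association trunk (\d+) (\d+)$", line):
                    port["pairs"].add((int(m.group(1)), int(m.group(2))))
            ports[header.split(None, 1)[1]] = port
    return roles, assoc, ports


def lint(config):
    """Findings as (interface, code, detail) for every private-vlan trunk port."""
    roles, assoc, ports = parse_config(config)
    findings = []
    for name, port in ports.items():
        if "private-vlan trunk" not in port["mode"]:
            continue
        # PVLAN IDs belong in the association pairs; in the thread, listing them
        # here left the promiscuous uplink with "Operational private-vlan: none".
        for vid in sorted(port["allowed"] & set(roles)):
            findings.append((name, "PVLAN_IN_ALLOWED_LIST", vid))
        for primary, secondary in sorted(port["pairs"]):
            if roles.get(primary) != "primary" or secondary not in assoc.get(primary, ()):
                findings.append((name, "ASSOC_MISMATCH", (primary, secondary)))
            elif "promiscuous" not in port["mode"] and roles.get(secondary) == "community":
                # Community hosts reach each other at L2; the thread wants isolated.
                findings.append((name, "COMMUNITY_SECONDARY", (primary, secondary)))
    return findings
```

lint(VLAN_DB + BROKEN_PORTS) returns eight PVLAN_IN_ALLOWED_LIST findings, four per port (2008, 2308, 2900 and 2930 on each), while the corrected ports return none. The check is purely static: it confirms the configuration carries the ADSL VLANs only through the private-VLAN associations, not that two DSLAMs cannot actually reach each other. Whatever sits behind the promiscuous uplink (here the PE's xconnect towards the BRAS) still receives the frames of every isolated port and can forward between them, so confirm the isolation with a traffic test between two DSLAM ports as well.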

Hello Arber,

I have just one question: why do you use a private and a public VLAN? Actually I'm working on a wifi community project and I have to design a network architecture for it. I have to define a public and a private VLAN too, that's why I'm asking.

Thanks,
