06-20-2013 01:03 AM - edited 03-07-2019 01:59 PM
Hi All
Please have a look at the attached diagram to see my issue.
Basically, I need to connect multiple clients on the same network behind a switch that doesn't support PVLANs but still secure them from communicating with each other.
My thought was to create a different PVLAN community per customer and then configure the PVLAN trunk on SW1 with each community PVLAN. However I cannot add more than one secondary PVLAN to the PVLAN trunk.
Btw I do not have access to the layer 3 gateway at the top and cannot request any changes there.
Does anyone have any suggestions?
Thanks in advance!
Matt
06-26-2013 03:49 PM
Hi, anyone have any thoughts on this?
Thanks
06-27-2013 03:26 PM
Matt,
I would personally use PVLAN Edge feature on the access switch (the switchport protected command) and if possible, the so-called Isolated PVLAN Trunk port if the distribution switch supports it. Your solution does not ring to me but I am not sure if I got your idea correct. Perhaps you could expand a little on what you need to achieve.
In any case, without proper support for full PVLANs across your switched network, the solutions will only be approximate but they probably won't be able to provide the same level of isolation.
Best regards,
Peter
06-27-2013 04:50 PM
Hi Peter
Thanks for the reply.
Did you see the diagram? I'm not sure how much more information I can give, but will give it a go:
I need clients 1 and 2 to be isolated from each other but the switch that they connect to does not support PVLANs (switchport protected is not supported either).
Ideally I'd like a way to trunk client 1 and client 2's community VLAN (202 and 302 respectively) to SW2.
The pvlan trunking ("switchport private-vlan association trunk") command works for one isolated or community vlan, but I cannot associate more than one.
ie: I'd like to be able to do this on SW1:
switchport private-vlan association trunk 102 202 302
But I cannot enter 302 (in addition to 202) into this command.
Thanks
Matt
06-29-2013 05:57 AM
Hello Matt,
Thank you for your reply.
Multiple community PVLANs are not going to help you here, unfortunately. The switchport private-vlan trunk mapping command you are mentioning is used to define a so-called isolated PVLAN trunk port, and the secondary PVLAN in this command must be an isolated secondary PVLAN (and each Private VLAN bundle can contain at most one secondary isolated PVLAN). Read more about the special trunk ports here:
https://supportforums.cisco.com/thread/2037752
This isolated PVLAN trunk would actually be the solution for you if the access switch you plan to use supported switchport protect or any other feature that causes two switchports in a single VLAN to be prevented from mutual communication. Please note that the switchport protect is a command supported even on older 2950 Catalyst switches. What kind of access switch are you using, then, if it does not support this command nor a similar feature?
If the access switch you are using does not support any feature similar to switchport protect then I currently see two ways of solving your problem:
Best regards,
Peter
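The following configuration is an added example, not posted by Peter or Matt, showing the design Peter recommends: one isolated secondary PVLAN on SW1 carried to the access switch over an isolated PVLAN trunk, with the PVLAN Edge feature (switchport protected) on the access switch. It assumes SW1 runs an IOS release that supports "switchport mode private-vlan trunk secondary" (Catalyst 3560/3750 class), that the access switch supports switchport protected, and that the gateway uplink is untagged. Primary VLAN 102 comes from the thread; the isolated secondary VLAN 201, the client VLAN layout and all interface names are assumed.

```cisco
! Added example (not from the thread). Assumed: primary 102 (from the thread),
! isolated secondary 201, interface names.

! ----- SW1 (distribution switch with PVLAN support) -----
vtp mode transparent
! One isolated secondary VLAN replaces the per-customer community VLANs:
! hosts in 201 can only reach promiscuous ports, never each other.
vlan 201
 private-vlan isolated
vlan 102
 private-vlan primary
 private-vlan association 201
!
! Downlink to the non-PVLAN access switch: isolated PVLAN trunk.
! Client frames arrive tagged 201; traffic from primary 102 towards
! the clients is sent back out tagged 201.
interface GigabitEthernet0/1
 description isolated PVLAN trunk to access switch
 switchport mode private-vlan trunk secondary
 switchport private-vlan trunk allowed vlan 102,201
 switchport private-vlan association trunk 102 201
!
! Uplink to the L3 gateway: promiscuous port, untagged in primary 102.
! Nothing on the gateway needs to change.
interface GigabitEthernet0/24
 description uplink to L3 gateway
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 102 201

! ----- Access switch (no PVLAN support, e.g. Catalyst 2950) -----
vlan 201
! PVLAN Edge: protected ports on the same switch exchange no L2 traffic,
! so client 1 and client 2 cannot talk locally.
interface range FastEthernet0/1 - 2
 description client ports
 switchport mode access
 switchport access vlan 201
 switchport protected
!
! Only the isolated VLAN is trunked up to SW1; SW1's isolated trunk port
! enforces the isolation for hosts behind different access switches.
interface GigabitEthernet0/1
 description uplink to SW1
 switchport mode trunk
 switchport trunk allowed vlan 201
```

Verify on SW1 with "show vlan private-vlan" (102 primary associated with 201 isolated) and "show interfaces GigabitEthernet0/1 switchport" (operational mode private-vlan trunk secondary). The limitation Peter raises still applies: switchport protected only blocks traffic between ports on the same access switch, so an access switch without it (or any equivalent) leaves clients behind that one switch able to reach each other regardless of what SW1 does.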
06-30-2013 03:23 PM
Peter thanks very much. You have answered my question. I cannot do what I want to do so I will find an alternate solution.
Thanks again.