Re: Multiple pvlan on the same interface

tgr78 · ‎10-25-2022

Hi,

In our network design, our PCs are connected each to a port in trunk mode on the switch because they belong to multiple vlans (traffic isolation). The PCs tag the data themselves.

Now we want to introduce pvlans to isolate PCs. We know that it is possible to do this with isolated pvlan on the PCs ports and promiscuous ports on the server ports; this works well with one isolated pvlan/primary pvlan.

But is it possible to configure multiple isolated pvlans on a single port?

For example on Cisco 4500 serie, I see Private VLAN Trunk Port which carries multiple secondary (isolated only) and non-PVLANs. Does it do the job? Otherwise how to do this on a Cisco switch?

Thanks for your help.

Example:

primary vlan 100 with isolated vlan 101, primary vlan 200 with isolated vlan 201
port 0/0 for PC1 configured as a "pvlan trunk port" with isolated vlan 101 and isolated vlan 201
port 0/1 for PC2 configured as a "pvlan trunk port" with isolated vlan 101 and isolated vlan 201
port 0/3 for server1 configured as a "promiscuous trunk port" with primary vlan 100 and primary vlan 200

Expected result:

=> Traffic denied between PC1 and PC2 on vlan 101 and 201
=> Traffic allowed between PC1 and server1 on vlan 100/101 and vlan 200/201
=> Traffic allowed between PC2 and server1 on vlan 100/101 and vlan 200/201

pieterh · ‎10-26-2022

AFAIK this is not possible
using private VLAN's packets are sent or received untagged on different VLANs hence the isolation
NB! this is a vlan PAIR
-> not suitable for trunk ports

the trunk port you mention in your setup is the place where upstream and downstream traffic for a private vlan pair come together

Thibault Groisil · ‎10-26-2022

Thank you Pieterh for your reply.

This means that it is not possible to have multiple primary vlans on a single port. So sad as it is possible to have the expected behaviour (multiple vlans on a trunk port, isolation between ports) on a single switch with the "switchport protected" command.