Philip Olsson
Beginner

No 'switchport protected' on 4500x/sup7le?

Hi,

4500x/sup7le seems to be missing 'switchport protected'. I find this really strange, but I'm now looking for a way to mimic the ME-series UNI/NNI behaviour.

Topo

Router -- 4500x --- ( many access switches ) 

I want to isolate the mac domains of the access switches to minimize mac-table requirement of access equipment.

Private VLAN seems like a messy solution since I want to preconfigure 4k VLANs and just have a bunch of trunk ports that do not require custom configuration.

Does anyone have a good suggestion on how to realise UNI/NNI-behaviour on 4500x?

Regards
Philip

12 Replies
casanavep
Participant

OK, so a couple of things you may be running into:

- First, the "L" version of the SUP-7E is the "lite" or low-capability model, hence it being so much cheaper.

- Second, IP image.

Can you send the output from a "show version"?

Hi Casa,

AFAIK, the 4500x is supposed to be sup7, but I tested the command on some regular 4500's with sup7le and got the same behaviour.

The 4500x is running 3.7.2E/ipbase:

boot system flash bootflash:cat4500e-universalk9.SPA.03.07.02.E.152-3.E2.bin

Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.07.02.E RELEASE SOFTWARE (fc1)

License Information for 'WS-C4500X-32'
License Level: ipbase Type: Permanent
Next reboot license Level: ipbase

Regards, 
Philip

I think "ipbase" is your issue.  That is an advanced feature.

Hi!

No, that is not the issue.

I booted the 4500x in 'entservices' to verify and there is still no 'switchport protected' available.

Regards, 
Philip

Protected port, aka private VLAN edge port, is not supported on 4500 switches, as you have the private VLANs feature available on this platform, which can provide the same functionality and more.

-Raj

Hi Rajesh,

I'm sorry, but I have not been able to understand how to produce a configuration which does not merge isolated VLANs into a primary VLAN.

Private VLAN seems more suited to isolating end hosts rather than my purpose of isolating access switches.

How would I create the following setup:

uplink: VLANs 1-4094 tagged
 |  (NNI)
4500
 |  |  (UNI/ENI)
 |  access switch with VLANs 1-4094
 |  (UNI/ENI)
access switch with VLANs 1-4094

where the access switches are isolated from each other, similar to a NNI / UNI/ENI-setup?

Regards,

Philip

I can't think of an easy way of doing what you have planned with private VLANs. I am sure you may have thought about this, but still asking if the access switches can be L3-connected to the 4500 so you have them in their own broadcast domain. I know this is too simple a thing to have not been considered.

Hopefully others on this forum can think of more creative ways to accomplish this requirement.

-Raj

Hi Rajesh,

Yes, L3 does not fit into the overall design here. Currently I'm leaning towards doing Q-in-Q on the 'downstream' ports and just having my router handle the encap/decap, but this is not optimal from a multicast POV.

So, I'm really hoping for something creative.


Regards,

Philip

Hello

When you say isolated, do you mean VLAN isolation between each switch, or not to have an extended L2 domain?

pvlans (you don't want this?)

vrf lite

svi racls

or just manual pruning of the trunks between the access and L3 switch

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

I want to have L2 isolation in the same VLANs between 'downstream' ports. Same as an E-tree setup.

Basically 'switchport protected' would have provided the correct function. Or "split-horizon group" in a bridge domain on an ASR box.

It seems I cannot configure this with private VLAN. I would not mind private VLAN, but it does not seem to be able to be configured in the preferred way. It seems to be only designed for a few VLANs.

Regards,

Philip

Hello

Then VLAN ACLs (VACLs) can be utilised - these control traffic within a VLAN.

res

paul

David Kondicz
Beginner

Hello Philip,


I have the same problem on my Cat4500e Sup7E. As I found, you can make an isolated trunk as private-vlan trunk secondary only if you have connected to this port a Cat4500 series or higher that supports private VLAN. I am wondering about this and I am very, very confused that there is such a big incompatibility between series. There is a big, big hole and you will have a big problem if you want to upgrade a core switch on which you have used simple protected ports before.

It would be better to choose another vendor than Cisco, because the only way, as I found in the Cisco tool, is to upgrade Sup7 to Sup8E! And that is just crazy.

Sup 8 supports Private-VLAN Edge, which looks to be the same simple function as the protected port on much cheaper Cat2960 switches.


Br

Dave
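For readers landing on this thread: the private-VLAN trunk approach that Rajesh and Dave refer to, applied to Philip's topology (router on the NNI side, access switches on the UNI/ENI side), looks like the configuration below for a single customer VLAN. This is an added illustration, not configuration posted by anyone in the thread or by Cisco; the VLAN numbers (100 as primary, 101 as isolated) and the interface names are constructed placeholders, and it assumes the Catalyst 4500 private-VLAN trunk syntax (`switchport mode private-vlan trunk promiscuous` / `trunk secondary`). The isolated VLAN is what gives the E-tree behaviour: every isolated trunk port can reach the promiscuous uplink, but isolated trunk ports cannot reach each other at L2. The caveat Philip raised still applies: every customer VLAN consumes a primary plus an isolated VLAN ID, so this does not scale to a pre-provisioned 1-4094 range.

```cisco
! Added example, not from the thread. VLAN IDs and interface names are constructed.
! One customer VLAN = one primary (100) + one isolated secondary (101).
vlan 100
 private-vlan primary
 private-vlan association 101
!
vlan 101
 private-vlan isolated
!
! NNI side: promiscuous trunk towards the router.
! Traffic from the isolated VLAN leaves here tagged as the primary VLAN (100),
! so the router only ever sees VLAN 100.
interface TenGigabitEthernet1/1
 description NNI uplink to router
 switchport mode private-vlan trunk promiscuous
 switchport private-vlan mapping trunk 100 101
!
! UNI/ENI side: one isolated trunk per access switch.
! The access switches use VLAN 101 on their trunks; frames from one isolated
! trunk are never forwarded out another isolated trunk.
interface TenGigabitEthernet1/2
 description UNI/ENI to access switch A
 switchport mode private-vlan trunk secondary
 switchport private-vlan association trunk 100 101
!
interface TenGigabitEthernet1/3
 description UNI/ENI to access switch B
 switchport mode private-vlan trunk secondary
 switchport private-vlan association trunk 100 101
```

To check that the association and port roles took effect, `show vlan private-vlan` lists the primary/secondary pairing and the ports bound to it, and `show interfaces TenGigabitEthernet1/2 switchport` shows the private-VLAN trunk mode and associations for one port. Unlike `switchport protected`, which is a per-port flag with no VLAN bookkeeping, this design has to be repeated per customer VLAN, which is the scaling problem the original poster describes.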