4500x/sup7le seems to be missing 'switchport protected'. I find this really strange but I'm now looking for a way to mimic the ME-series UNI/NNI behaviour.
Router -- 4500x --- ( many access switches )
I want to isolate the MAC domains of the access switches to minimize the MAC-table requirement of access equipment.
Private VLAN seems like a messy solution since I want to preconfig 4k VLANs and just have a bunch of trunk ports that do not require custom configuration.
Does anyone have a good suggestion on how to realise UNI/NNI-behaviour on 4500x?
OK, so a couple of things you may be running into:
- First, the "L" version of the SUP-7e, is the "lite" or low capability model, hence it being so much cheaper.
- Second, IP image.
Can you send the output from a "show version"?
AFAIK, the 4500x is supposed to be sup7, but I tested the command on some regular 4500s with sup7le and got the same behaviour.
The 4500x is running 3.7.2E/ipbase:
boot system flash bootflash:cat4500e-universalk9.SPA.03.07.02.E.152-3.E2.bin
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.07.02.E RELEASE SOFTWARE (fc1)
License Information for 'WS-C4500X-32'
License Level: ipbase Type: Permanent
Next reboot license Level: ipbase
No, that is not the issue.
I booted the 4500x in 'entservices' to verify and there is still no 'switchport protected' available.
Protected port, aka private VLAN edge port, is not supported on 4500 switches, as you have the private VLANs feature available on this platform, which can provide the same functionality and more.
I'm sorry but I have not been able to understand how to produce a configuration which does not merge isolated VLANs into a primary VLAN.
Private VLAN seems to be more suited to isolating end hosts rather than my purpose of isolating access switches.
How would I create the following setup?
uplink 1-4094 vlans tagged
| ( NNI)
| | ( UNI/ENI )
| access switch with 1-4094vlans
| ( UNI/ENI )
access switch with 1-4094vlans
where the access switches are isolated from each other, similar to a NNI / UNI/ENI-setup?
I can't think of an easy way of doing what you have planned with private VLANs. I am sure you may have thought about this, but I am still asking whether the access switches can be L3 connected to the 4500 so you have them in their own broadcast domain. I know this is too simple a thing to have not been considered.
Hopefully others on this forum can think of more creative ways to accomplish this requirement.
Yes, L3 does not fit into the overall design here. Currently I'm leaning towards doing Q-in-Q on the 'downstream' ports and just have my router handle the encap/decap but this is not optimal from a multicast pov.
So, I'm really hoping for something creative.
When you say isolated, do you mean VLAN isolation between each switch, or not to have an extended L2 domain?
pvlans (you don't want this?)
or just manual pruning of the trunks between the access and L3 switch
I want to have L2 isolation in the same VLANs between 'downstream' ports. Same as an E-tree setup.
Basically 'switchport protected' would have provided the correct function. Or "split-horizon group" in a bridge domain on an ASR box.
It seems I can not configure this with private VLAN. I would not mind private VLAN but it does not seem to be able to be configured in the preferred way. It seems to be only designed for a few VLANs.
Then VLAN ACLs (VACLs) can be utilised - these control traffic within a VLAN.
I have the same problem on my Cat4500e Sup7E. As I found, you can make an isolated trunk as private-vlan trunk secondary only if you have connected to this port a Cat4500 series or higher that supports private VLAN. I am wondering about this and I am very, very confused that there is such a big incompatibility between series. There is a big, big hole and you will have a big problem if you want to upgrade your core switch on which you have used simple protected ports before.
It will be a better way to choose another vendor than Cisco, because the only way, as I found in the Cisco tool, is to upgrade Sup7 to Sup8E! And that is just crazy.
Sup 8 supports Private-VLAN Edge, which looks to be the same simple function as Protected port on much cheaper Cat2960 switches.