Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
872
Views
0
Helpful
3
Replies

Private VLAN between 2 switch stacks

icehckyplyr22
Level 1
Level 1

‎08-28-2020 11:44 AM

I am trying to setup an Isolated Private VLAN and running into some issue mixing the enterprise & SMB environments. I have a few switch ports I want to configure to talk to the internet only and not allow the devices connected to these ports to talk to each other. I have created an Isolated VLAN 510, with a primary VLAN500 to put these hosts in.

 

The switchports these devices plug into are on a Cisco SG350x switch in which I have configured 2 VLANs, 500 (Primary VLAN) & 510 (Secondary VLAN)

 

icehckyplyr22_0-1598640012440.png

 

The ports I am connecting to my host devices are configured as Private VLAN – Host port

 

interface GigabitEthernet4/0/46

 loopback-detection enable

 switchport mode private-vlan host

 switchport access vlan 510

switchport private-vlan host-association 500 510

 

Now here is where I am confused, my SG350x switch stack is connected to Cisco 3860 stack via fiber uplinks. I have these fiber uplinks configured in a LAG to connect the two switch stacks. This LAG is configured as a trunk carries my various VLANs across (I do not have 510 in this trunk). My Cisco 3860 stack has an uplink to my firewall which I am trying to get these two ports to communicate with for DHCP/Internet access.

 

Do I configure the same Private VLAN settings on the Cisco 3860 stack and tag my uplink port to my firewall as Private VLAN promiscuous port?

 

My uplink port on the 3860 to my firewall is a trunk with a few VLANs, the others not having anything to do with my Private VLAN, will that make a difference?

Labels:
0 Helpful
3 Replies 3

paul driver
VIP
VIP

‎08-29-2020 02:02 AM - edited ‎08-29-2020 11:21 PM

Hello

How many switchports do you want to negate communicating with each ohter ,if it just a smal amount then a simple protected port should accomplish this and when applied will negate communication to other protoected ports

int xx

switchport protected


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

icehckyplyr22
Level 1
Level 1
In response to paul driver

‎08-29-2020 09:44 AM

This could work but I have multiple switches in which these devices connect, from what I read this only works for ports on the same switch.

0 Helpful

paul driver
VIP
VIP
In response to icehckyplyr22

‎08-29-2020 10:24 AM - edited ‎08-29-2020 11:30 PM

Hello

As I said the protected port may not be a viable solution for you however regards it’s capabilities As it’s a Layer 2 port security feature it should protect communication for hosts residing within the same vlan on the same or different switch if that is you have a extended vlan design topology.

Regards your current setup the trunk port connecting to the FW is your promiscuous port so you need to specify that trunk as the pvlan promiscuous port

switchport mode trunk private vlan trunk promiscuous 

switchport private vlan mapping trunk 500 510

switchport private vlan allowed vlan all 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card