
Private Vlan, Etherchannel and Isolated Trunk on Nexus 5010

Bruce Hollis

I'm not sure if I'm missing something basic here, however I thought that I'd ask the question. I received a request from a client who is trying to separate traffic out of an IBM P780: one set of VIO servers/clients (Prod) is tagged with VLAN x going out LAG 1, and another set of VIO servers/clients (Test) is tagged with VLANs y and z going out LAG 2. The problem is that the management subnet for these devices is on one subnet.

The infrastructure: the host device is trunked via an LACP EtherChannel to a Nexus 2148TP (5010), which then connects to the distribution layer, a Catalyst 6504 VSS. I have tried many things today; however, I feel that the correct solution to get this working is to use an isolated trunk (as the host device does not have private VLAN functionality), even though there is no requirement for hosts to be segregated. I have configured:

1. Private VLAN mapping on the SVI;
2. Primary VLAN and association, and isolated VLAN, on the distribution layer (6504 VSS) and access layer (5010/2148);
3. All VLANs are trunked between switches;
4. Private VLAN isolated trunk and host mappings on the port-channel interface to the host (P780).

I haven't had any luck. What I am seeing is that as soon as I configure the primary VLAN on the Nexus 5010 (v5.2) (vlan y | private-vlan primary), this VLAN (y) does not forward on any trunk on the Nexus 5010 switch, even without any other private VLAN configuration. I believe this may be the cause of most of the issues I am having. Has anyone else experienced this behaviour? Also, I haven't had a lot of experience with private VLANs, so I might be missing some fundamentals with this configuration. Any help would be appreciated.

4 Replies

Bruce Hollis

For anyone interested: after spending a few more hours on this, I believe the answer is in the capability of the FEX modules. Unfortunately this information doesn't seem to be listed anywhere in the 5.x version of the 5000/2000 Configuration Guide; however, the 4.x version of the Nexus 2000 Configuration Guide states:


The Fabric Extender supports Layer 2 VLAN trunks and IEEE 802.1Q VLAN encapsulation. Host interfaces can be members of private VLANs with the following restrictions:

  • You can configure a host interface as an isolated or community access port only.
  • You cannot configure a host interface as a promiscuous port.
  • You cannot configure a host interface as a private VLAN trunk port.

This is consistent with what I was seeing in the 5.x code.

1. As point one above states, host ports on the FEX modules can ONLY be configured as access ports for private VLANs; and
2. Even though I was able to configure the port (or port channel) as a private VLAN secondary trunk, the private VLANs were not forwarding on any FEX trunk ports; however, these VLANs were forwarding on trunk ports on the 5010.

Hope this information helps.

Just in case anyone is still interested, I have been fighting this same battle with Nexus 5596s and the B22HP FEX and have found the same results.

Also, here is the most recent configuration guide (5.x) that confirms Bruce's findings in the 4.x code.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_010100.html#con_1046108

Hello Emcmanamy, Bruce,

Thanks for your feedback.

Just like you, I have been facing the same problem over the last few months with my customer.

Regarding PVLAN on FEX, and as concluded in Bruce's previous posts, I understand:

  • You can configure a host interface as an isolated or community access port only.

We can configure an "isolated trunk port" as well on a host interface. Maybe this specific point could be updated in the documentation.

This ability is documented here =>

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_1170903

  • You cannot configure a host interface as a promiscuous port.
  • You cannot configure a host interface as a private VLAN trunk port.

Indeed, a PVLAN is not allowed on a trunk defined on a FEX host interface.

However, since NX-OS 5.1(3)N2(1), the feature 'PVLAN on FEX trunk' is supported. But a command has to be enabled first: 'system private-vlan fex trunk'. When it is entered, a warning about the presence of 'FEX isolated trunks' is displayed.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_16C0869F1B0C4A68AFC3452721909705

All these conditions are not met on an N5K interface.

Best regards.

Karim

I've run into the same issue but found a workaround...

Switchport config prior to the change:

Name: Ethernet101/1/1
  Switchport: Enabled
  Switchport Monitor: Not enabled
  Operational Mode: trunk
  Access Mode VLAN: 1 (default)
  Trunking Native Mode VLAN: 1 (default)
  Trunking VLANs Allowed: 1-809,812-4094
  Voice VLAN: none

VLANs 810 & 811 are my PVLANs, and they are excluded from the trunk.

Switchport config after the change:

Name: Ethernet101/1/1
  Switchport: Enabled
  Switchport Monitor: Not enabled
  Operational Mode: trunk
  Access Mode VLAN: 1 (default)
  Trunking Native Mode VLAN: 1 (default)
  Trunking VLANs Allowed: 1-4094
  Voice VLAN: none

NOTE: All VLANs are now allowed on the FEX trunk port.

The command to enable this is: 'system private-vlan fex trunk'

Running NX-OS 5.2(1)N1(5)

Hope this helps someone.
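The symptom described throughout this thread (the primary and secondary VLANs silently pruned from every FEX trunk until 'system private-vlan fex trunk' is enabled) is easy to miss on a switch with many FEX ports, because the port still shows as a working trunk. The following audit script is an added example, not code from the thread or from Cisco: it parses constructed 'show interface switchport', 'show vlan private-vlan' and 'show running-config' text modelled on the output posted above, expands the allowed-VLAN ranges, and reports every trunk on which a private VLAN is missing, together with whether the global FEX-trunk command is present. Interface names other than Ethernet101/1/1, the VLAN 810/811 pairing on Po10 and the rule that FEX interfaces are EthernetN/x/y with N >= 100 are assumptions for the example, not facts from the thread.

```python
import re

# Constructed sample output, modelled on the 'show interface switchport' text
# in the thread. Ethernet101/1/2 and Ethernet1/5 are hypothetical ports.
SHOW_SWITCHPORT = """\
Name: Ethernet101/1/1
  Switchport: Enabled
  Operational Mode: trunk
  Trunking Native Mode VLAN: 1 (default)
  Trunking VLANs Allowed: 1-809,812-4094
Name: Ethernet101/1/2
  Switchport: Enabled
  Operational Mode: trunk
  Trunking Native Mode VLAN: 1 (default)
  Trunking VLANs Allowed: 1-4094
Name: Ethernet1/5
  Switchport: Enabled
  Operational Mode: trunk
  Trunking Native Mode VLAN: 1 (default)
  Trunking VLANs Allowed: 800-820
"""

# Constructed 'show vlan private-vlan' output: 810 primary, 811 isolated (assumed).
SHOW_VLAN_PVLAN = """\
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------
810      811        isolated         Po10
"""

# Constructed running-config excerpt; the FEX trunk command is deliberately absent.
RUNNING_CONFIG = """\
feature private-vlan
feature lacp
vlan 810
  private-vlan primary
  private-vlan association 811
vlan 811
  private-vlan isolated
"""


def expand_vlan_list(spec):
    """Expand an NX-OS VLAN list such as '1-809,812-4094' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_switchports(text):
    """Return {interface: {'mode': str, 'allowed': set}} from 'show interface switchport'."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Name:\s+(\S+)", line)
        if m:
            current = m.group(1)
            ports[current] = {"mode": None, "allowed": set()}
            continue
        if current is None:
            continue
        m = re.match(r"\s*Operational Mode:\s+(\S+)", line)
        if m:
            ports[current]["mode"] = m.group(1)
        m = re.match(r"\s*Trunking VLANs Allowed:\s+(.+)", line)
        if m:
            ports[current]["allowed"] = expand_vlan_list(m.group(1))
    return ports


def parse_private_vlans(text):
    """Return the set of primary and secondary VLAN IDs from 'show vlan private-vlan'."""
    pvlans = set()
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(isolated|community)\b", line)
        if m:
            pvlans.update({int(m.group(1)), int(m.group(2))})
    return pvlans


def is_fex_interface(name):
    """Assumption: FEX host ports are EthernetN/x/y with a FEX number of 100 or above."""
    m = re.match(r"Ethernet(\d+)/\d+/\d+$", name)
    return bool(m) and int(m.group(1)) >= 100


def audit(switchport_text, pvlan_text, running_config):
    """List trunks missing a private VLAN and whether the FEX trunk feature is on."""
    pvlans = parse_private_vlans(pvlan_text)
    fex_trunk_enabled = "system private-vlan fex trunk" in running_config
    findings = []
    for name, info in parse_switchports(switchport_text).items():
        if info["mode"] != "trunk":
            continue
        missing = sorted(pvlans - info["allowed"])
        if missing:
            findings.append((name, is_fex_interface(name), missing))
    return {"fex_trunk_enabled": fex_trunk_enabled, "findings": findings}


if __name__ == "__main__":
    result = audit(SHOW_SWITCHPORT, SHOW_VLAN_PVLAN, RUNNING_CONFIG)
    print("system private-vlan fex trunk configured:", result["fex_trunk_enabled"])
    for name, fex, missing in result["findings"]:
        print(f"{name}: PVLANs {missing} not in allowed list"
              + (" (FEX port: enable system private-vlan fex trunk)" if fex else ""))
```

Run against real output, the script flags only the FEX trunk that prunes the PVLANs (Ethernet101/1/1 in the constructed data), while the 5000 front-panel trunk that carries them passes, which matches Bruce's observation that the VLANs forward on the 5010's own trunk ports. Feed it the post-change output from the last post (allowed list 1-4094) and the finding disappears.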
