Private VLAN Problem (Very Difficult)

michaelchung
Level 1

I have a problem with Private VLAN. I searched Google for three days, but nobody uses it in a case as difficult as mine. Hope someone can help.

My core switch is a Cisco 4503, and I have two Cisco 2960 access switches. I have a router that supports many 802.1q subinterfaces.

I connect all devices to the core switch as follows:

Core GigabitEthernet1/1 <--> Router GigabitEthernet1/1
Core GigabitEthernet1/2 <--> Access1 GigabitEthernet1/1
Core GigabitEthernet1/3 <--> Access2 GigabitEthernet1/1

I have a lot of VLANs in the switch. I only want to isolate VLAN 100 traffic (all traffic within VLAN 100 can only go to the router). I want to keep all other VLANs as normal.

I know the 2960 does not support PVLAN. I configured protected ports on the 2960. But I also want to isolate VLAN 100 traffic in the core switch as well, so that devices in VLAN 100 cannot connect to each other across the two switches.

Core

Vlan100
 name Wireless
 private-vlan primary
 private-vlan association 101
Vlan101
 private-vlan isolated

interface GigabitEthernet1/1
 description Connect to router with trunk link
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,99,100,401-440,501-540
 switchport private-vlan trunk allowed vlan 100,101
 switchport private-vlan mapping 100 101
 switchport mode private-vlan trunk promiscuous
 spanning-tree portfast trunk

interface GigabitEthernet1/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,401-440
 switchport private-vlan trunk native vlan 1
 switchport private-vlan trunk allowed vlan 100,101
 switchport private-vlan association trunk 100 101
 switchport mode private-vlan trunk
 switchport nonegotiate
 spanning-tree portfast trunk
end

interface GigabitEthernet1/3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,501-540
 switchport private-vlan trunk native vlan 1
 switchport private-vlan trunk allowed vlan 100,101
 switchport private-vlan association trunk 100 101
 switchport mode private-vlan trunk
 switchport nonegotiate
 spanning-tree portfast trunk
end

Access1

interface GigabitEthernet0/1
 description Connect to 4503
 switchport trunk allowed vlan 1,100,401-440
 switchport mode trunk
 switchport nonegotiate

Access2

interface GigabitEthernet0/1
 description Connect to 4503
 switchport trunk allowed vlan 1,100,501-540
 switchport mode trunk
 switchport nonegotiate

My whole network stopped after I entered the above commands.

Would anyone tell me what the problem is?

I have the following questions:

1) Are "switchport trunk allowed" and "switchport private-vlan trunk allowed vlan" active at the same time?

2) My access switch does not support PVLAN. Do you mean I need to change VLAN 100 to VLAN 101?

3) On my router, should I keep the subinterface in VLAN 100 or move it to VLAN 101?

Thank you very much!

3 Replies

Jon Marshall
Hall of Fame

Michael

Can you be more specific about your requirements? You say you want to isolate VLAN 100, which suggests you mean VLAN 100 should not be allowed to talk to any other VLAN. You don't need private VLANs for that.

So perhaps I am misunderstanding the question?

Jon

Thanks for your reply.

My problem is not the traffic between different VLANs. My router does the routing for that.

VLAN 100 is for my wireless devices. I do not want devices in VLAN 100 to be able to connect to each other. I want VLAN 100 devices to connect only to my router.

I have other VLANs: 1, 99, 401-440, 501-540. Those VLANs are for my wired devices. I want them to be normal VLANs. This means devices within a normal VLAN can ping each other within the same VLAN. My router will handle the routing between different VLANs.

My problem is that the 2960 does not support PVLAN. I am not sure about the trunk port settings between the 2960 and the 4503. Should the 2960 accept VLAN 100 or 101?

My next problem is the setting for the trunk port connected to the router. My router does not support PVLAN either.

Hello Michael,

I believe this could be done using special PVLAN trunk types. I am not going to explain them here but it is crucial that you make yourself familiar with them. I suggest reading this thread, that is where I originally explained their working:

https://supportforums.cisco.com/thread/2037752

I am currently not entirely sure that the special PVLAN trunk ports are capable of carrying all VLANs instead of just the PVLANs but I assume they can, otherwise, their existence would not make much sense. So let us simply try to correct the configuration as follows.

The ports on C4500 toward your access switches must be configured as PVLAN isolated trunk ports:

interface GigabitEthernet1/2
 switchport trunk encapsulation dot1q
 switchport private-vlan trunk native vlan 1
 switchport private-vlan trunk allowed vlan 1,100,101,401-440
 switchport private-vlan association trunk 100 101
 switchport mode private-vlan trunk
 switchport nonegotiate

interface GigabitEthernet1/3
 switchport trunk encapsulation dot1q
 switchport private-vlan trunk native vlan 1
 switchport private-vlan trunk allowed vlan 1,100,101,501-540
 switchport private-vlan association trunk 100 101
 switchport mode private-vlan trunk
 switchport nonegotiate

I have also noticed that you are using spanning-tree portfast trunk on your C4500 ports towards the 2960 switches. This is very dangerous and should never be done - I have removed that command from my configurations above, and so should you. If you want to have rapid convergence, run RSTP or MSTP between your switches.

The trunk ports on your access switches will be configured as follows:

Access1:

interface GigabitEthernet0/1
 description Connect to 4503
 switchport trunk allowed vlan 1,101,401-440
 switchport mode trunk
 switchport nonegotiate

Access2:

interface GigabitEthernet0/1
 description Connect to 4503
 switchport trunk allowed vlan 1,101,501-540
 switchport mode trunk
 switchport nonegotiate

All your ports on C2960 switches where the wireless clients are connected must be configured as access ports in the VLAN 101, not in VLAN 100. Furthermore, they should be protected using the switchport protected command.

The C4500 port towards your router should be configured as PVLAN promisc trunk port:

interface GigabitEthernet1/1
 description Connect to router with trunk link
 switchport trunk encapsulation dot1q
 switchport private-vlan trunk allowed vlan 1,99,100,401-440,501-540
 switchport private-vlan mapping trunk 100 101
 switchport mode private-vlan trunk promiscuous
 spanning-tree portfast trunk

The router should have a subinterface created for VLAN 100 (not for VLAN 101).

Give this a try please and let us know.

Best regards,

Peter
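The tag-rewriting rule that Peter's design relies on (access switches carry the isolated VLAN 101, the router sees only the primary VLAN 100, and isolated traffic can never reach another isolated trunk) is shown here as an added, constructed model of the corrected core-switch ports; it is not Cisco code and not part of the thread. The 401-440 and 501-540 ranges are represented by a single VLAN each, and a PVLAN tag arriving on the wrong trunk type is treated as dropped, which is a modelling assumption.

```python
# Constructed model of the private-VLAN trunk forwarding in Peter's reply (not Cisco code).
# Port table built from the corrected core-switch config; the 401-440 / 501-540
# ranges are represented by one VLAN each to keep the table short.
PRIMARY, ISOLATED = 100, 101

PORTS = {
    "Gi1/1": ("promiscuous", {1, 99, 100, 401, 501}),  # trunk to the router
    "Gi1/2": ("isolated", {1, 100, 101, 401}),         # trunk to Access1 (2960)
    "Gi1/3": ("isolated", {1, 100, 101, 501}),         # trunk to Access2 (2960)
}


def ingress(port, tag):
    """Classify a tagged frame arriving on a core port; None means dropped."""
    ptype, allowed = PORTS[port]
    if tag not in allowed:
        return None
    if tag == ISOLATED and ptype == "isolated":
        return ISOLATED, "isolated"       # wireless host traffic from a 2960, tagged 101
    if tag == PRIMARY and ptype == "promiscuous":
        return PRIMARY, "primary"         # router traffic, tagged 100
    if tag in (PRIMARY, ISOLATED):
        return None  # model assumption: a PVLAN tag on the wrong trunk type is dropped
    return tag, "normal"                  # every other VLAN is ordinary trunk traffic


def egress_tag(port, vlan, kind):
    """Tag a frame carries when it leaves a core port, or None if PVLAN rules block it."""
    ptype, allowed = PORTS[port]
    if kind == "normal":
        return vlan if vlan in allowed else None
    if kind == "isolated":
        # Isolated traffic may only leave through the promiscuous trunk, re-tagged with
        # the primary VLAN; this is why the router subinterface stays on VLAN 100.
        return PRIMARY if ptype == "promiscuous" else None
    if ptype == "isolated":
        return ISOLATED  # primary-VLAN traffic reaches the 2960s tagged 101
    return PRIMARY if ptype == "promiscuous" else None


def forward(in_port, tag, out_port):
    """Tag seen on out_port for a frame that entered in_port with tag, or None if blocked."""
    classified = ingress(in_port, tag)
    if classified is None:
        return None
    return egress_tag(out_port, *classified)
```

For instance forward("Gi1/2", 101, "Gi1/1") returns 100 (wireless host to router), while forward("Gi1/2", 101, "Gi1/3") returns None (wireless host on Access1 to one on Access2 is blocked).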
