08-03-2011 02:06 AM - edited 03-07-2019 01:31 AM
I have a problem with Private VLANs. I have searched Google for three days, but no one seems to use this in a case as difficult as mine. Hope someone can help.
My core switch is a Cisco 4503, and I have two access switches, both Cisco 2960s. I have a router that supports many 802.1q subinterfaces.
I connect all devices to the core switch as follows:
Core GigabitEthernet1/1<-->Router GigabitEthernet1/1
Core GigabitEthernet1/2<-->Access2 GigabitEthernet1/1
Core GigabitEthernet1/3 <--> Access2 GigabitEthernet1/1
I have a lot of VLANs in the switch. I only want to isolate VLAN 100 traffic (all traffic within VLAN 100 can only go to the router). I want to keep all other VLANs as normal.
I know the 2960 does not support PVLAN. I configured protected ports on the 2960. But I also want to isolate VLAN 100 traffic in the core switch as well, such that devices cannot connect to each other across the two switches in VLAN 100.
Core
Vlan100
name Wireless
private-vlan primary
private-vlan association 101
Vlan101
private-vlan isolated
interface GigabitEthernet1/1
description Connect to router with trunk link
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,99,100,401-440,501-540
switchport private-vlan trunk allowed vlan 100,101
switchport private-vlan mapping 100 101
switchport mode private-vlan trunk promiscuous
spanning-tree portfast trunk
interface GigabitEthernet1/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,401-440
switchport private-vlan trunk native vlan 1
switchport private-vlan trunk allowed vlan 100,101
switchport private-vlan association trunk 100 101
switchport mode private-vlan trunk
switchport nonegotiate
spanning-tree portfast trunk
end
interface GigabitEthernet1/3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,501-540
switchport private-vlan trunk native vlan 1
switchport private-vlan trunk allowed vlan 100,101
switchport private-vlan association trunk 100 101
switchport mode private-vlan trunk
switchport nonegotiate
spanning-tree portfast trunk
end
Access1
interface GigabitEthernet0/1
description Connect to 4503
switchport trunk allowed vlan 1,100,401-440
switchport mode trunk
switchport nonegotiate
Access2
interface GigabitEthernet0/1
description Connect to 4503
switchport trunk allowed vlan 1,100,501-540
switchport mode trunk
switchport nonegotiate
My whole network stopped after I entered the above commands.
Would anyone tell me what the problem is?
I have the following questions:
1) Would "switchport trunk allowed" and "switchport private-vlan trunk allowed vlan" be active at the same time?
2) My access switch does not support PVLAN. Do you mean I need to change VLAN 100 to VLAN 101?
3) On my router, should I keep the subinterface in VLAN 100, or does it need to move to VLAN 101?
Thank you very much!
08-03-2011 04:45 AM
Michael
Can you be more specific in your requirements? You say you want to isolate VLAN 100, which suggests you mean VLAN 100 should not be allowed to talk to any other VLAN. You don't need private VLANs for that.
So perhaps I am misunderstanding the question?
Jon
08-03-2011 05:03 AM
Thanks for your reply.
My problem is not the traffic between different VLANs. My router will do the routing for that.
VLAN 100 is for my wireless devices. I do not want devices in VLAN 100 to be able to connect with each other. I want VLAN 100 devices to connect only to my router.
I have other VLANs: 1, 99, 401-440, 501-540. Those VLANs are for my wired devices. I want them to be normal VLANs. This means devices within a normal VLAN can ping each other within the same VLAN. My router will handle the routing between different VLANs.
My problem is that the 2960 does not support PVLAN. I am not sure about the trunk port settings between the 2960 and the 4503. Should the 2960 accept VLAN 100 or 101?
My next problem is the settings for the trunk port connected to the router. My router does not support PVLAN either.
08-03-2011 06:16 AM
Hello Michael,
I believe this could be done using special PVLAN trunk types. I am not going to explain them here, but it is crucial that you make yourself familiar with them. I suggest reading this thread, which is where I originally explained their working:
https://supportforums.cisco.com/thread/2037752
I am currently not entirely sure that the special PVLAN trunk ports are capable of carrying all VLANs instead of just the PVLANs but I assume they can, otherwise, their existence would not make much sense. So let us simply try to correct the configuration as follows.
The ports on the C4500 toward your access switches must be configured as PVLAN isolated trunk ports:
interface GigabitEthernet1/2
switchport trunk encapsulation dot1q
switchport private-vlan trunk native vlan 1
switchport private-vlan trunk allowed vlan 1,100,101,401-440
switchport private-vlan association trunk 100 101
switchport mode private-vlan trunk
switchport nonegotiate
interface GigabitEthernet1/3
switchport trunk encapsulation dot1q
switchport private-vlan trunk native vlan 1
switchport private-vlan trunk allowed vlan 1,100,101,501-540
switchport private-vlan association trunk 100 101
switchport mode private-vlan trunk
switchport nonegotiate
I have also noticed that you are using spanning-tree portfast trunk on your C4500 ports towards the 2960 switches. This is very dangerous and should never be done - I have removed that command from my configurations above, and so should you. If you want to have rapid convergence, run RSTP or MSTP between your switches.
The trunk ports on your access switches will be configured as follows:
Access1:
interface GigabitEthernet0/1
description Connect to 4503
switchport trunk allowed vlan 1,101,401-440
switchport mode trunk
switchport nonegotiate
Access2:
interface GigabitEthernet0/1
description Connect to 4503
switchport trunk allowed vlan 1,101,501-540
switchport mode trunk
switchport nonegotiate
All your ports on C2960 switches where the wireless clients are connected must be configured as access ports in the VLAN 101, not in VLAN 100. Furthermore, they should be protected using the switchport protected command.
The C4500 port towards your router should be configured as a PVLAN promiscuous trunk port:
interface GigabitEthernet1/1
description Connect to router with trunk link
switchport trunk encapsulation dot1q
switchport private-vlan trunk allowed vlan 1,99,100,401-440,501-540
switchport private-vlan mapping trunk 100 101
switchport mode private-vlan trunk promiscuous
spanning-tree portfast trunk
The router should have a subinterface created for VLAN 100 (not for VLAN 101).
Give this a try please and let us know.
Best regards,
Peter
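As an added example (not from the thread, Cisco, or either poster), a small Python lint that encodes the rules in the answer above: the promiscuous trunk toward the router carries the primary VLAN 100 with a mapping, the isolated trunks toward the 2960s carry VLAN 101 with an association, the 2960 uplinks allow 101 and not 100, and client ports sit in 101 with switchport protected. It assumes IOS-style running-config text; the sample configs are constructed from the thread's corrected core port and the original, still-broken 2960 uplink.

```python
def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,100,401-440' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_interfaces(config):
    """Split IOS config text into {interface name: set of its command lines}."""
    blocks, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = blocks.setdefault(line.split(None, 1)[1], set())
        elif cur is not None and line:
            cur.add(line)
    return blocks

def allowed_vlans(lines, prefix):  # VLAN set of the first command starting with prefix
    return next((expand_vlans(l[len(prefix):]) for l in lines if l.startswith(prefix)), set())

def check_design(core_cfg, access_cfg, primary=100, isolated=101):
    """Return findings (empty list = consistent) for the 4500 PVLAN trunks and a 2960 without PVLAN.
    Router side must map and carry the primary VLAN; 2960 side must associate and carry the isolated one."""
    issues = []
    for name, lines in parse_interfaces(core_cfg).items():
        promisc = "switchport mode private-vlan trunk promiscuous" in lines
        if promisc or "switchport mode private-vlan trunk" in lines:
            kind, need = ("mapping", primary) if promisc else ("association", isolated)
            if f"switchport private-vlan {kind} trunk {primary} {isolated}" not in lines:
                issues.append(f"{name}: PVLAN trunk lacks '{kind} trunk {primary} {isolated}'")
            if need not in allowed_vlans(lines, "switchport private-vlan trunk allowed vlan "):
                issues.append(f"{name}: PVLAN trunk allowed list must include VLAN {need}")
    for name, lines in parse_interfaces(access_cfg).items():
        if "switchport mode trunk" in lines:
            allowed = allowed_vlans(lines, "switchport trunk allowed vlan ")
            if isolated not in allowed or primary in allowed:
                issues.append(f"{name}: 2960 uplink must allow VLAN {isolated}, not VLAN {primary}")
        elif f"switchport access vlan {primary}" in lines:
            issues.append(f"{name}: client port is in primary VLAN {primary}; move it to VLAN {isolated}")
        elif f"switchport access vlan {isolated}" in lines and "switchport protected" not in lines:
            issues.append(f"{name}: client port in VLAN {isolated} lacks 'switchport protected'")
    return issues

# Constructed samples: the corrected 4503 isolated trunk, and the original 2960 uplink that still carries VLAN 100.
SAMPLE_CORE = ("interface GigabitEthernet1/2\n switchport private-vlan trunk allowed vlan 1,100,101,401-440\n"
               " switchport private-vlan association trunk 100 101\n switchport mode private-vlan trunk")
SAMPLE_ACCESS = "interface GigabitEthernet0/1\n switchport trunk allowed vlan 1,100,401-440\n switchport mode trunk"
```

Running check_design(SAMPLE_CORE, SAMPLE_ACCESS) flags only the 2960 uplink; swapping its allowed list to 1,101,401-440 clears the finding.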