08-03-2009 06:40 AM - edited 03-06-2019 07:03 AM
Hi,
I have an ASA firewall. The interface is a trunk containing 2 VLANs (vlan 100, vlan 200). That interface is connected to a 3750 switch. On the 3750 switch, vlan 100 and 200 are configured as private VLANs with some isolated and community ports. How can I make the switch interface connected to the ASA support private VLAN in promiscuous state as well as dot1q trunk?
FW-G0/0-----G1/0/1-3750Switch
FW-G0/0.100 vlan
FW-G0/0.200 vlan
SW G1/0/1 ??? trunk and promiscuous
SW G1/0/2 pvlan 100 community 101
SW G1/0/3 pvlan 100 community 101
SW G1/0/4 pvlan 200 community 201
SW G1/0/5 pvlan 200 community 201
SW G1/0/6 pvlan 200 community 202
etc
is it possible?
08-03-2009 09:49 AM
Hello,
I am afraid this will probably not be possible on 3750 series.
What you need is a functionality that replaces the tag of the secondary VLAN with the tag of the appropriate primary VLAN when a frame goes out that trunk. Without this functionality, the frame will always contain the tag of the secondary VLAN and the ASA will not process it on its subinterface for the primary VLAN.
That functionality is supported on 4500 series switches - it is called the "Promiscuous Private VLAN Trunk Ports". You can find the description and the configuration examples here:
Unfortunately, the documentation for the 3750 series does not describe this functionality so I am afraid it is not supported there. You may want to experiment a bit and see if the commands from the 4500 will be accepted on your 3750 but I am afraid that this won't work.
Other than this, I do not see any other quick solution - except, of course, placing an extra switch between the ASA and the 3750, creating promiscuous ports on 3750 - one for each primary private VLAN, connecting those promisc ports to access ports on the extra switch (each into a different VLAN on that extra switch) and connecting that extra switch with a trunk to the ASA.
Best regards,
Peter
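The 4500-style configuration Peter describes, written out as an added example that is not from any post in this thread: primary VLANs 100 and 200 with their community secondaries from the original diagram, the promiscuous private-VLAN trunk toward the ASA, and one host-facing community port. Interface names are kept from the question for readability, and the command syntax is the Cat4500 IOS form as I know it; check it against the 4500 configuration guide for your release.

```ios
! Constructed example of a Cat4500-style promiscuous private-VLAN trunk (not a 3750 configuration)
! Secondary (community) VLANs must exist before they are associated with a primary
vlan 101
 private-vlan community
vlan 201
 private-vlan community
vlan 202
 private-vlan community
!
! Primary VLANs, each associated with its secondaries
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 200
 private-vlan primary
 private-vlan association 201,202
!
! Uplink to ASA G0/0: a dot1q trunk that carries only the primary VLANs.
! On egress the switch rewrites a secondary VLAN tag (101, 201, 202) to the mapped
! primary tag (100 or 200), so the ASA subinterfaces G0/0.100 and G0/0.200 see the frames.
interface GigabitEthernet1/0/1
 switchport mode private-vlan trunk promiscuous
 switchport private-vlan trunk allowed vlan 100,200
 switchport private-vlan mapping trunk 100 101
 switchport private-vlan mapping trunk 200 201,202
!
! Host-facing community port: hosts in community 101 reach each other and the promiscuous
! uplink (the ASA) only, never the other community or isolated ports.
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
```

Verify the result with `show vlan private-vlan` and `show interfaces GigabitEthernet1/0/1 switchport`; the second should list the trunk's primary-to-secondary mappings.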
08-03-2009 11:21 AM
I agree with Mr. Peter and can confirm that only the 4500 supports "promiscuous trunks" and newer releases of Cat6500 but in CatOS.
08-03-2009 11:44 AM
Hello Jorgemario,
Thank you for your reply. Now, this is interesting. This Promiscuous Private VLAN Trunk functionality is actually a very useful feature that, in my opinion, should be present on all switch series that support Private VLANs. Could perhaps Cisco be persuaded to add this functionality to the 3560/3750 series as well? I am asking you because you are a Cisco employee :-)
Best regards,
Peter
09-15-2010 03:05 PM
Hello community,
Thanks for the information about promiscuous trunks with the command on IOS for 4500: switchport mode private-vlan trunk promiscuous
I am trying to figure out under what circumstances promiscuous trunk is supported and configurable on CatOS.
Does anyone in the community know how the concept works in comparison with the 4500? I.e., a special command exists to do this in 4500 IOS, but what about CatOS?
Do we only have to enter the command below on an already configured trunk port?
set pvlan mapping primary_vlan_id secondary_vlan_id mod/port
In fact I am afraid of the following message if I enter the command set pvlan mapping: Trunking ports are not Private Vlan capable.
=========
I think the documentation on this functionality for CatOS is very rare and is giving me trouble!
On the other hand, it seems the documentation states implicitly that it is supported:
"Egress traffic on wrong vlan port occurs upon module reset when the promiscuous trunk port is configured with more than 32 mappings"
(check for bug CSCsh55275 => http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/catos/8.x/system/release/notes/OL_4498.html)
I am also wondering about the following sentence on the same link:
"On an MSFC port or a nontrunk promiscuous port, you can remap as many isolated or community VLANs as desired; however, while a nontrunk promiscuous port can remap to only one primary VLAN, an MSFC port can only connect an MSFC router."
If I sum up:
Does someone know from what CatOS version "promiscuous trunk" is supported, and is there any document clearly stating it?
Any suggestion would be appreciated!
Thanks a lot..
Karim