6999 Views, 0 Helpful, 12 Replies

Private VLAN's interaction with firewall

chris
Level 1

Hi,

We currently have an HP blade platform which has two Cisco CBS30X0 switches built into it running Version 12.2(55)SE. These are connected to two Cisco C2960 aggregation switches running Version 12.2(44)SE6. According to this article I need to upgrade these to 12.2(25)FX:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml

1.) This will, according to that article, only allow me to create edge ports on them. Is this a hardware limitation, or am I just not finding what firmware I need to upgrade them to in order to allow the creation of community VLANs?

We have these aggregation switches connected directly to multiple types of firewalls which take care of each of our clients' networks, including internet access etc. We are wasting many VLANs and IP addresses with our current setup, so I am hoping to move over to using private VLANs. The setup of the private VLANs looks simple enough.

2.) When the private VLANs try to communicate, all info will be sent directly to the layer 3 device, I gather, which will not need to know anything about the private VLANs?

Thanks for your help,

Chris

12 Replies

Peter Paluch
Cisco Employee
Accepted Solution

Hi Chris,

The 2960s do not support Private VLANs even with the most recent IOS version. What they do support are protected switchports, a functionality sometimes called Private VLAN Edge, hence the confusion. These ports essentially behave as members of an isolated secondary VLAN, but the isolation is not preserved between two different switches, i.e. two protected ports on the same switch will not be able to communicate, but two protected ports on different switches will be able to communicate, unlike ports in a real isolated secondary VLAN.

The 12.2(25)FX is probably the first IOS shipped with the 2960 at all, years and years ago. Installing it would be a huge, huge downgrade - don't do that! Your 12.2(44)SE6 is just fine; there is no need to tamper with it.

1.) This will according to that article only allow me to create edge ports on them, is this a hardware limitation or am I just not finding what firmware I need to upgrade them to, in order to allow the creation of community VLANs?

The lack of PVLAN functionality on 2960 series is most probably hardware related (apart from marketing decision, of course). While I have quite vocally vouched for inclusion of full Private VLAN functionality to the 2960 switches, I have been informed that this functionality may be hardware dependent and 2960 may not have the required hardware to perform the necessary operations.

You will not be able to create any private VLANs on 2960, neither community nor isolated nor primary. What you will be able to do - and you are even able to do it right now - is to use the switchport protected command on selected ports to make them behave as isolated ports. That's about it, however.

2.) When the private VLAN's try to communicate, all info will be sent directly to the layer 3 device I gather, which will not need to know anything about the private VLANs?

Members of different secondary VLANs under the same primary VLAN are not supposed to communicate at all. That is why you created the PVLAN in the first place. Members in secondary VLANs of different PVLANs treat each other simply as hosts in different IP networks, and communicate accordingly via a router.

The router does not need to know about PVLANs, but its configuration depends on how it is connected to your switched topology. If it uses dedicated ports then no knowledge about any VLANs is necessary. The ports would be configured as promisc ports on the switches, and on the router they would simply be configured with IP addresses without any special encapsulation. If performing router-on-a-stick, however, the situation is complicated because the switch connected to the router must intelligently replace the tags of secondary VLANs with the tags of the associated primary VLANs when the frames are forwarded to the router. Such a special trunk is called the PVLAN Promisc Trunk, and is supported only on Cat4500 and higher.

All in all, the full PVLAN support is available only on 3560 and higher. With 2960, you will not be able to deploy the full PVLAN functionality. I am not sure about the blade switches. Sorry to disappoint you here.

Best regards,

Peter
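The two behaviours Peter describes above (protected ports isolating only within one switch, versus real isolated/community secondary VLANs whose isolation survives a trunk, and a PVLAN promiscuous trunk rewriting secondary tags to the primary on the way to the firewall) are easy to get wrong when planning a migration. The following Python model is an added illustration, not code from the thread or from Cisco; it encodes the forwarding rules as small functions so you can check a proposed port layout before touching hardware. The switch names, port names and VLAN IDs (100/101/102/200) are made up for the example.

```python
"""Toy model of Catalyst private-VLAN (PVLAN) vs. protected-port forwarding.

Added illustration, not device code. Switch/port names and VLAN IDs are invented.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Role(Enum):
    PROMISCUOUS = "promiscuous"  # talks to every port of the primary VLAN
    COMMUNITY = "community"      # talks to its own community + promiscuous
    ISOLATED = "isolated"        # talks to promiscuous ports only


@dataclass(frozen=True)
class Port:
    switch: str
    name: str
    role: Role
    secondary: Optional[int] = None  # secondary VLAN of a host port; None on promiscuous


@dataclass
class PrimaryVlan:
    vid: int
    communities: set = field(default_factory=set)
    isolated: Optional[int] = None

    def secondaries(self) -> set:
        extra = {self.isolated} if self.isolated is not None else set()
        return self.communities | extra


def pvlan_allowed(src: Port, dst: Port) -> bool:
    """Real PVLAN isolation. The rule does not look at the switch name: the
    secondary VLAN tag is carried across trunks, so isolation holds end to end."""
    if Role.PROMISCUOUS in (src.role, dst.role):
        return True
    if src.role is Role.COMMUNITY and dst.role is Role.COMMUNITY:
        return src.secondary == dst.secondary
    return False  # isolated <-> any non-promiscuous port, or two different communities


def protected_allowed(src: Port, dst: Port, protected: set) -> bool:
    """'switchport protected' (PVLAN edge): the check is local to a single
    switch, so two protected ports on different switches still reach each other."""
    if src.switch == dst.switch and src in protected and dst in protected:
        return False
    return True


def egress_tag(vid: int, primaries: dict, promiscuous_trunk: bool) -> int:
    """VLAN tag a frame carries when it leaves the switch toward the firewall.
    A normal trunk forwards the secondary VLAN tag unchanged, so the firewall
    would need a subinterface per secondary VLAN and knows nothing about the
    association. A promiscuous PVLAN trunk rewrites secondary -> primary."""
    if promiscuous_trunk:
        for primary in primaries.values():
            if vid in primary.secondaries():
                return primary.vid
    return vid


# Constructed topology: primary 100 with community 101 and isolated 102,
# hosts spread over two switches, firewall on a promiscuous port of sw1.
PRIMARIES = {100: PrimaryVlan(100, communities={101}, isolated=102)}
FW_UPLINK = Port("sw1", "Gi1/0/24", Role.PROMISCUOUS)
A = Port("sw1", "Gi1/0/1", Role.COMMUNITY, 101)
B = Port("sw2", "Gi1/0/1", Role.COMMUNITY, 101)
C = Port("sw1", "Gi1/0/2", Role.ISOLATED, 102)
D = Port("sw2", "Gi1/0/2", Role.ISOLATED, 102)


def pvlan_matrix() -> dict:
    """Who can reach whom with real private VLANs (3560/4500 class switches)."""
    pairs = {"A->B": (A, B), "C->D": (C, D), "A->C": (A, C), "C->FW": (C, FW_UPLINK)}
    return {k: pvlan_allowed(s, d) for k, (s, d) in pairs.items()}


def protected_matrix() -> dict:
    """Same hosts as protected ports on plain 2960s: C and D leak across switches."""
    prot = {A, B, C, D}
    pairs = {"A->C_same_switch": (A, C), "C->D_cross_switch": (C, D), "C->FW": (C, FW_UPLINK)}
    return {k: protected_allowed(s, d, prot) for k, (s, d) in pairs.items()}


def firewall_view(promiscuous_trunk: bool) -> set:
    """VLAN IDs the firewall trunk sees for traffic from 101, 102 and a plain VLAN 200."""
    return {egress_tag(v, PRIMARIES, promiscuous_trunk) for v in (101, 102, 200)}


if __name__ == "__main__":
    print("PVLAN:", pvlan_matrix())
    print("Protected ports:", protected_matrix())
    print("Normal trunk to firewall sees VLANs:", sorted(firewall_view(False)))
    print("Promiscuous PVLAN trunk sees VLANs:", sorted(firewall_view(True)))
```

The point of `protected_matrix()` is the `C->D_cross_switch` entry: two isolated hosts that would be separated by a real PVLAN can talk as soon as they sit on different 2960s, which is exactly the gap a firewall-per-client design is supposed to close. `firewall_view()` shows why an ASA on a normal trunk cannot collapse the secondary VLANs into one interface: it still sees 101 and 102 as unrelated VLANs unless the switch does the retagging.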

chris
Level 1

Hi Peter,

Thank you for the very informative answer. The main goal here would have been to save VLANs. We are currently using an ASA5520 as our layer 3 device; would that be capable of the PVLAN Promisc Trunk you mentioned? It is a bit of a disappointment as I think this would have worked well. Maybe we will be able to upgrade the switches and make use of the feature in the future. Thanks again!

Kind regards,

Chris

Hi Chris,

Sadly, to my best knowledge, the ASA does not support PVLAN Promisc Trunks. Note that this feature is not necessary if the L3 device that provides routing between VLANs (including PVLANs) is a Layer3 switch supporting PVLANs, because it already has the necessary routing features. The ASA could then further be connected to another normal switchport or perhaps to a routed port on this switch. Would you actually intend to have more than a single PVLAN (consisting of one primary PVLAN and an arbitrary number of community secondary PVLANs and at most one isolated PVLAN)?

Thank you very much for your generous rating!

Best regards,

Peter

Hi,

Yes, the nature of the environment we are in requires that we have many small subnets, some for the same clients, which need certain ports allowed between them but everything else blocked, so the firewall would have made this nice and easy. I suppose that we could get away with using one PVLAN as we could address this using one of our hosting LANs. But I am not sure when we will be able to upgrade our current switches, so hopefully this is not a hardware limitation and this feature becomes available on the 2960s.

Thanks again,

Chris

Hi Peter,

I realise that it has been a while since the start of this thread and I apologise for that. We are finally at a stage where we need to make a decision as to how we are going to move forward. I want to propose a solution to the business but just wanted to make sure that I understand exactly what you said before I do.

All of the servers are virtual machines on the C7000 blade server in the diagram with the built-in Cisco CBS3020 switches, which I have checked and they do support PVLANs. From what you said I gather I would either need to get a router with a physical interface dedicated to each secondary VLAN and a 3650 or higher switch, or I could keep the ASAs in place and purchase Cat4500s or higher which support PVLAN Promisc Trunks, which I think will be the cheaper and easier solution.

I have attached a diagram of the proposed solution, would this be able to support the PVLANs properly and help us to preserve VLANs?


Thanks,

Chris

Hello Chris,

Nice to hear from you again. How are you?

I could keep the ASA's in place and purchase Cat4500's or higher which support PVLAN Promisc Trunks

Yes, that would work.

I have attached a diagram of the proposed solution, would this be able to support the PVLANs properly and help us to preserve VLANs?

Yes, it should. The links from the Cat4500 towards the ASA boxes will need to be configured as PVLAN Promisc Trunks, and the ASA boxes will have to be configured with subinterfaces for each primary PVLAN.

Be sure to verify the necessary IOS version and the Supervisor version with the Cisco Feature Navigator at http://cisco.com/go/fn for the PVLAN Promisc Trunk support.

Best regards,

Peter

Hi Peter,

Thanks for the reply you were very helpful once again! I will get back to you if I need any more help.

Kind regards,

Chris

Hello Chris,

You are very much welcome! Let me know if this works for you - I certainly hope it will do.

Best regards,

Peter

I hope this thread isn't too old to reach either of you. I find myself in a similar situation. I need to move to a new ASA from a FWSM and have PVLANs that need to be moved. If I understood the above posts correctly, I need to configure a physical port on the 3750 connecting to the ASA with promiscuous mode, and create the primary VLAN interface on the ASA? I am unable to get this working and am not sure of my config.

Our setup is very similar to the above poster's, except we have 6500s, not 4500s, and a 3750 providing logical connections to the external and DMZ.

Any help would be great.

Hello Daniel,

First of all, do you need to extend a trunk towards the ASA, i.e. does the ASA need to see many VLANs? If you do not need that then the easiest thing to do would be to connect the ASA to a promisc host port on the 3750. This port does not use tagging so the ASA would be configured without any subinterfaces, just as if it was connected to a completely normal router.

Only if you needed to extend a trunk towards the ASA that also, among other VLANs, carries the secondary PVLANs, only in this case you would need a special PVLAN trunk.

Please try to explain your current setup and also be so kind to post the existing configuration of the ports on the 3750 and the ASA. Thank you!

Best regards,

Peter

Thank you for replying,

We do extend the trunk to our firewalls. We terminate most of our VLANs at the firewall.

Here is the config of the interface of the 3750 that is connected to the ASA:

3750 Stack

interface GigabitEthernet2/0/19
 switchport access vlan 590
 switchport mode private-vlan promiscuous

ASA

interface GigabitEthernet0/0.590
 vlan 590
 nameif
 security-level 0
 ip address 9.1.1.1 255.255.255.0

We have 6500's connected to a 3750 stack that connect to our firewalls

The VLANs are configured on the 6500 and on the 3750 stack as well.

Hello Daniel,

I am afraid that you won't be able to accomplish this with the 3750. Here's an idea why:

If you configure a normal trunk from 3750 towards the ASA, it will forward all traffic with appropriate VLAN tags. Specifically, traffic received on ports assigned to secondary PVLANs (community or isolated) will be carried on this trunk with the tag set to the VLAN ID of the particular secondary PVLAN. The ASA has no understanding of PVLANs and it can not know that, say, VLANs 101 till 199 are all associated with the primary PVLAN ID 100. It treats all VLANs as totally unrelated and separate from each other.

What you would need is to automatically retag the secondary PVLAN IDs to the appropriate associated primary PVLAN ID as the tagged frames exit the trunk towards the ASA box. This way, the ASA would see only the primary PVLAN ID and have all traffic come to just a single subinterface. This retagging type of trunk is called a promisc PVLAN trunk, but the only platforms that currently support it are the 4500 and 4900. The 3750 does not support it, not even the 6500 - and I was shocked just now when I checked the Feature Navigator to see that this support is not present on the 6500 Catalyst.

Your current configuration is an incomplete configuration of a promiscuous host port, i.e. a port that can talk to any other secondary isolated/community or promisc port within the same primary PVLAN. However, it is not a trunk. You can compare its operation to a normal access port if the primary PVLAN was just a normal, ordinary VLAN.

My question is: how many primary PVLANs do you run? If you have just a single primary PVLAN (with an arbitrary number of secondary PVLANs under it), can you afford allocating a separate physical port for it on your ASA? My idea is to connect the ASA via the promisc host port using a dedicated port (no tags, hence no hassle), and leave other VLANs connected to the ASA via the existing trunk.

Looking forward to reading your answer.

Best regards,

Peter
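Peter's diagnosis above is that the posted Gi2/0/19 stanza is an incomplete promiscuous host port: it sets the mode but never maps the primary PVLAN to its secondaries, and the `switchport access vlan` line does not do that job. When you have more than a handful of such ports it is worth checking a saved `show running-config` for the same mistake mechanically. The checker below is an added example, not Cisco tooling or anything from the thread; it parses `interface` stanzas and flags private-VLAN ports that lack the `switchport private-vlan mapping` (promiscuous) or `switchport private-vlan host-association` (host) line. The sample config is constructed for the example: Gi2/0/19 mirrors the stanza quoted in the thread, the other interfaces and the VLAN IDs 591/592 are invented.

```python
"""Lint Catalyst interface stanzas for incomplete private-VLAN port configuration.

Added example, not Cisco tooling. Reads the text of a running config, keeps the
'interface ...' stanzas, and reports private-vlan ports missing the line that
actually binds them to a primary/secondary VLAN pair.
"""
import re

# Constructed sample. Gi2/0/19 mirrors the incomplete stanza from the thread;
# Gi2/0/20 and Gi2/0/1 are complete; Gi2/0/2 is an incomplete host port.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/0/19
 switchport access vlan 590
 switchport mode private-vlan promiscuous
!
interface GigabitEthernet2/0/20
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 590 591,592
!
interface GigabitEthernet2/0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 590 592
!
interface GigabitEthernet2/0/2
 switchport mode private-vlan host
!
"""

MODE_RE = re.compile(r"^switchport mode private-vlan (promiscuous|host)$")


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [stripped config lines]} for every interface stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!" or not line:
            current = None  # '!' or a blank line ends the stanza
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def lint_pvlan_ports(config: str) -> dict:
    """Return {interface: [findings]} for private-vlan ports whose stanza is incomplete.
    Interfaces that are not in a private-vlan mode are ignored."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        mode = None
        for line in lines:
            match = MODE_RE.match(line)
            if match:
                mode = match.group(1)  # last mode line wins, as on the box
        if mode is None:
            continue
        problems = []
        has_mapping = any(l.startswith("switchport private-vlan mapping ") for l in lines)
        has_assoc = any(l.startswith("switchport private-vlan host-association ") for l in lines)
        if mode == "promiscuous" and not has_mapping:
            problems.append("promiscuous port without "
                            "'switchport private-vlan mapping <primary> <secondaries>'")
        if mode == "host" and not has_assoc:
            problems.append("host port without "
                            "'switchport private-vlan host-association <primary> <secondary>'")
        if any(l.startswith("switchport access vlan ") for l in lines):
            problems.append("'switchport access vlan' does not select the primary PVLAN "
                            "on a private-vlan port; the mapping/association does")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for intf, issues in lint_pvlan_ports(SAMPLE_CONFIG).items():
        print(intf)
        for issue in issues:
            print("  -", issue)
```

Run it against a full `show running-config` capture rather than a hand-copied stanza, since the bug in the thread was precisely a line that was missing; the checker reports Gi2/0/19 and Gi2/0/2 and stays silent on the two complete ports.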