03-11-2008 05:00 AM - edited 03-05-2019 09:40 PM
Hi
Can anybody tell me if I have understood private-vlan promiscuous trunk ports for the CAT 4500 switch correctly?
Let's say you have a DMZ switch with different DMZ vlans. Some of the vlans are standard vlans and some are private-vlans. The routing between all the vlans is done in an ASA that is connected to a trunk port on the switch.
Let's say you have these vlans:
Standard vlans:
 10 IP 10.10.10.0/24
 20 IP 10.20.20.0/24
Private-vlans:
 vlan 30 Primary IP 10.30.30.0/24
  vlan 300 Community
  vlan 400 Community
 vlan 40 Primary IP 10.40.40.0/24
  vlan 400 Community
  vlan 401 Community
The ASA has a trunk port with subinterfaces for vlans 10, 20, 30, 40 and IP 10.X.X.1/24 on all interfaces.
The switch is configured with this:
interface fastethernet 5/2
 switchport mode private-vlan trunk promiscuous
 switchport private-vlan trunk allowed vlan 10,20,30,40
 switchport private-vlan mapping trunk 30 300,301
 switchport private-vlan mapping trunk 40 400,401
The question:
Will the ASA be promiscuous for the private-vlans, and can it also handle the standard vlans? Can the traffic between the different IP subnets be forwarded (if a permitting ACL exists in the ASA)?
But the secondary community private-vlans under the same primary vlan should not talk to each other.
Regards
Simon
03-17-2008 07:17 AM
You can enable promiscuous mode on your ASA device if the ASA runs the advanced IPS software, which provides further security inspection in either inline mode or promiscuous mode.
03-17-2008 07:47 AM
Ok thanks for your reply!
But the question I asked isn't about IPS or IDS functions. I mean promiscuous in the private-vlan sense. I know that a vlan interface on a switch can be promiscuous for a private vlan, and because of that the interface can talk to all hosts in the private-vlan and you can provide routing between subnets.
Here I want the ASA to be promiscuous for the private vlans and provide routing between the different subnets.
Is that possible?
04-20-2008 06:56 PM
Did you ever get an answer for this? I have the same problem.
05-02-2008 01:48 AM
No I haven't. Would be nice if someone could explain this.
05-05-2009 04:27 AM
I have the exact same issue/query.
Could one of the NetPro Gurus please look at this?
Thanks
05-05-2009 05:36 AM
Hi,
Yes this is possible like you have configured in your example.
Normally, a promiscuous port belongs only to 1 VLAN, the primary VLAN. This Primary VLAN is then mapped to the secondary VLAN(s). This way for example, a router belongs to the primary VLAN and is default gateway for the devices in all the secondary VLANs, without knowledge of them.
Imagine a multilayer switch and an access switch. The multilayer switch is the default gateway for vlans 10, 20, 30 and has no knowledge of PVLANs. On the access switch, VLANs 10, 20 and 30 are primary PVLANs mapped to 101,102, 201,202 and 301,302 respectively. The access switch would now need 3 separate connections towards the core switch because it needs a promiscuous port (to translate the primary to secondary VLANs), but a promiscuous port can only belong to 1 VLAN. Additionally, there is also a management VLAN on the access switch, so a fourth connection is needed to transport the normal VLANs between core and access.
This is why the promiscuous trunk feature was added. A promiscuous trunk port is a port that can carry
- multiple primary VLANs
- standard VLANs
If we use a promiscuous trunk in our previous example (where we needed 4 connections between core and access) we now only need 1.
The trunk is configured as promiscuous, allowing the 3 primary VLANs and the management VLAN. The primary VLANs are mapped to their secondary VLANs using the
 switchport private-vlan mapping trunk 10 100,101
command.
Note that this feature is not supported on most devices, only C4500 and C4948.
HTH,
Dario
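A complete configuration for the topology in the original question, which also shows Dario's point that one promiscuous trunk carries several primary VLANs together with standard VLANs. This is an added example, not configuration posted by anyone in the thread: the VLAN definitions, private-vlan associations and community host ports (Fa5/10, Fa5/11) that the original post omitted are filled in, and the ASA interface names, nameifs and security levels are assumptions. The trunk port itself is the one from the original post.

```cisco
! ---- Catalyst 4500 (DMZ switch) ----
! PVLANs require VTP transparent mode (or VTP v3)
vtp mode transparent
!
! Standard VLANs, carried unchanged over the promiscuous trunk
vlan 10
 name DMZ-STD-10
vlan 20
 name DMZ-STD-20
!
! Primary VLAN 30 with two community VLANs (assumed names)
vlan 30
 private-vlan primary
 private-vlan association 300,301
vlan 300
 private-vlan community
vlan 301
 private-vlan community
!
! Primary VLAN 40 with two community VLANs
vlan 40
 private-vlan primary
 private-vlan association 400,401
vlan 400
 private-vlan community
vlan 401
 private-vlan community
!
! Promiscuous trunk towards the ASA (the port from the original post).
! Only primary and standard VLANs are allowed on the trunk; the
! secondary VLANs are mapped onto their primary, so frames from 300/301
! leave the trunk tagged 30, and the ASA never sees a secondary VLAN.
interface FastEthernet5/2
 switchport mode private-vlan trunk promiscuous
 switchport private-vlan trunk allowed vlan 10,20,30,40
 switchport private-vlan mapping trunk 30 300,301
 switchport private-vlan mapping trunk 40 400,401
!
! Community host ports (assumed port numbers). A host on Fa5/10 and a
! host on Fa5/11 share subnet 10.30.30.0/24 but cannot reach each other
! at layer 2; both can reach the ASA on the promiscuous trunk.
interface FastEthernet5/10
 switchport mode private-vlan host
 switchport private-vlan host-association 30 300
interface FastEthernet5/11
 switchport mode private-vlan host
 switchport private-vlan host-association 30 301
!
! ---- ASA (assumed interface GigabitEthernet0/1) ----
! The ASA tags only primary and standard VLANs; it needs no PVLAN knowledge.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz10
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif dmz30
 security-level 50
 ip address 10.30.30.1 255.255.255.0
!
interface GigabitEthernet0/1.40
 vlan 40
 nameif dmz40
 security-level 50
 ip address 10.40.40.1 255.255.255.0
!
! With equal security levels, routing between the DMZ subinterfaces also
! needs this (plus whatever access-lists you apply per interface):
same-security-traffic permit inter-interface
```

Two points to verify after applying this. On the switch, `show vlan private-vlan` should list 300 and 301 as community VLANs of primary 30, and `show interfaces FastEthernet5/2 switchport` should show the port as a private-vlan promiscuous trunk with the 30 and 40 mappings. On the isolation requirement from the original post: hosts in 300 and 301 sit in the same 10.30.30.0/24 subnet, so the ASA has nothing to route between them; their traffic would have to pass directly at layer 2, and the PVLAN blocks that, so a permit ACL on the ASA does not open a path between communities. The ASA only forwards between its subinterfaces, i.e. between different subnets.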
05-05-2009 06:17 AM
Thanks for the explanation Dario..
I have a 3750 WS-C3750G-48TS with c3750-ipbasek9-mz.122-40.SE running on it and I can't seem to find the commands to make a promiscuous trunk:
 switchport mode private-vlan trunk promiscuous
and
 switchport private-vlan mapping trunk 10 100,101
Do you think upgrading to a newer IOS would suffice?
Thanks
05-05-2009 06:45 AM
Hello,
As said in my previous post, this feature is only supported on C4500, C4948 and ME4900.
It is not supported on C3750.
HTH,
Dario
05-05-2009 10:50 PM
Thanks for the explanation. That was what I was looking for. My Cat4500s are in a production network and I haven't been able to get time to try it. But now I will.
Thanks again!