
private vlans - feature set support

devendrakarthik
Level 1

Hi,

Cisco always mentions that private VLANs are not supported by lanbase and require a minimum of the ipbase feature set. I always wondered why that is so, as private VLANs are an L2 feature; why would they require ipbase? I couldn't find much information about private VLANs at the frame level, given that they are Cisco proprietary. Is it just a limitation due to internal IOS coding, or is there a specific reason?

Thanks & Regards,

Devendra Karthik.

Accepted Solutions

Peter Paluch
Cisco Employee

Hello Devendra,

Private VLANs are both software and hardware dependent. Frame switching including VLAN isolation is performed in hardware, and because the private VLANs are actually sets of previously distinct separate VLANs with additional rules about their mutual communication, the hardware must support these special rules as well (for example, replicating a frame with the primary VLAN ID onto all ports in all associated secondary VLANs). In addition, the operating system - the IOS - must also support this feature so that it can be configured, communicated to other switches (if using VTPv3) and most important, downloaded into the hardware switching fabric.

The hardware dependency cannot be avoided. That is probably the reason why the 2950, 2960 and 3550 series switches do not support Private VLANs. Why the PVLANs are supported in the "IP Base" - well, I would not personally assume any special meaning about the 'IP' in the feature set name. The IP Base is the lowest feature set available for 3560 series Catalysts, and in turn, the 3560 is the lowest switch series that supports the PVLANs as of now. So in essence, saying that the minimum feature set for PVLANs is the "IP Base" simply means that you must use the 3560 with the lowest IOS feature set or higher.

Best regards,

Peter


3 Replies

Thanks, Peter, for the detailed explanation. It somewhat clarified the way PVLANs work.

But your minimum feature set logic may not hold good for models with licenses (for example, the 3560X, for which the lanbase feature set is the lowest possible but which still doesn't support private VLANs).

Regards,

Karthik.

Hello,

Thank you for correcting me. Well, at least I gave it a shot.

Anyway, once again, I would not depend too much on the meaning of the feature set alone. The feature sets are simply sets of features, and these sets have more or less intuitive names. It is up to Cisco software engineers to decide which particular feature is going to which feature set, and it may not be always purely logical from a technical standpoint, but it may also be a marketing decision. You are completely right, the PVLAN is strictly a Layer 2 issue and does not need any "IP" in order to work. Then again, I assume that the "LAN Base" feature set for the universal image-based switches actually "downgrades" them to Layer 2 switches similar to the 2960, and these switches do not support the PVLAN feature either.

That is how I see it.

Best regards,

Peter