Private VLANs on FEX

f-cagica
Level 1
Level 1

Hello *,

regarding PVLANs and the Nexus, my understanding is that we cannot configure Private VLANs on a FEX trunk port with an NX-OS release older than 5.1(3)N2(1) for the Nexus 5548... Is there any known workaround for this limitation (apart from performing a SW upgrade)?

Thank you in advance,

Fernando

Accepted Solution

krahmani323
Level 3
Level 3

Hello Fernando, 

I would say it all depends on your current architecture (where the promiscuous port, routing device and so on are).

Maybe you are trying to extend a pvlan domain to an ESX vdSwitch or a Nexus 1000v.

If it is not possible to upgrade to 5.1(3)N2(1) and activate the 'PVLAN on FEX trunk' feature, please find some ideas:

  • Define the vlans to be secured as pvlans only on the END switches, but not on the N5k, where they will be defined as regular vlans:
      * on the VMware vdSwitch, N1k, ...
      * on the outgoing switch where the promiscuous port is locally configured.
    Hence those vlans could be allowed on the FEX trunks; they will just be used for the transport of the flows.
    The drawback is that we may not connect 'private-vlan hosts' on the N5k/N2k (at least in the same pvlan domain).
  • Define and connect the trunk directly on the 5548 => depending on the number of trunks you will need to define, some GLC-T are to be used for the connection.
  • Still depending on your environment => with the Nexus 1000v it is possible to define the uplink as a 'promiscuous trunk' directly connected to the routing device.
  • If possible within your environment and device capabilities, define the vlans to secure as regular vlans and implement ACLs to define the communication matrix.
  • I have never tested it and do not think it is a good idea => dedicate interfaces for each pvlan between the N2K and the downstream resource.

If there are other alternatives, they are welcome.

Hope that helps.

Best regards.

Karim

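The first idea above (transport the primary and secondary VLANs as regular VLANs over the FEX trunk, and enforce the private-VLAN split only on the end switch) is shown below as an added NX-OS configuration example. It is not configuration from the original post or from Cisco; the VLAN numbers, interface names and the host address 10.10.100.1 are constructed for illustration, and the end switch is assumed to be a Nexus platform that already supports private VLANs (for example a Nexus 1000v). The second fragment sketches the ACL alternative from the same post, again with constructed addresses.

```text
!
! === Nexus 5548 (no PVLAN on FEX trunk before 5.1(3)N2(1)) ===
! Primary and secondary VLANs exist here only as plain VLANs for transport.
! Constructed numbers: 100 = primary, 101 = isolated, 102 = community.
vlan 100
  name PVLAN100-PRIMARY-TRANSPORT
vlan 101
  name PVLAN101-ISOLATED-TRANSPORT
vlan 102
  name PVLAN102-COMMUNITY-TRANSPORT
!
! FEX host port facing the downstream switch / hypervisor uplink (constructed).
! Both the primary AND every secondary VLAN must be allowed, or the end
! switch never sees the return traffic for the secondary VLANs.
interface Ethernet101/1/1
  description uplink to end switch that enforces the PVLAN split
  switchport mode trunk
  switchport trunk allowed vlan 100-102
  no shutdown
!
! Caveat from the post: nothing connected to the N5k/N2k in 100-102 is
! isolated, so do not add other access ports to these VLANs on the N5k.
!
! === End switch with PVLAN support (assumed Nexus 1000v or similar) ===
feature private-vlan
vlan 100
  private-vlan primary
  private-vlan association 101-102
vlan 101
  private-vlan isolated
vlan 102
  private-vlan community
!
! Uplink towards the N5k/FEX: a regular trunk carrying all three VLANs.
interface Ethernet1/1
  description uplink to N5k FEX port Eth101/1/1
  switchport mode trunk
  switchport trunk allowed vlan 100-102
!
! Isolated host: may talk only to the promiscuous port (gateway side).
interface Ethernet1/2
  switchport mode private-vlan host
  switchport private-vlan host-association 100 101
!
! Community hosts: may talk to each other and to the promiscuous port.
interface Ethernet1/3
  switchport mode private-vlan host
  switchport private-vlan host-association 100 102
!
! Promiscuous port towards the routing device, locally configured here
! (this is the "outgoing switch" case in the post).
interface Ethernet1/10
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 100 101-102
!
! === ACL alternative (post's 4th idea), VLAN 100 kept as a regular VLAN ===
! Constructed subnet 10.10.100.0/24 with gateway 10.10.100.1: hosts may
! reach the gateway and leave the subnet, but not reach each other.
ip access-list HOST-ISOLATION-V100
  10 permit ip any host 10.10.100.1
  20 deny ip any 10.10.100.0/24
  30 permit ip any any
!
interface Ethernet101/1/5
  description isolated-style host port on FEX
  switchport mode access
  switchport access vlan 100
  ip port access-group HOST-ISOLATION-V100 in
```

The transport design only works if the end switch, not the N5k, holds the promiscuous port; with the ACL variant, inter-host traffic inside the subnet is blocked by the port ACL rather than by PVLAN forwarding, so the ACL must be applied on every host port in that VLAN and kept in step with any address change (verify with `show ip access-lists HOST-ISOLATION-V100` and `show running-config interface`).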

2 Replies

Hello Karim,

thank you for your answer. Confirms my suspicion. Will have to analyse all the options to see if the current scenario still allows for PVLAN in the end devices...

Thanks and Best regards,

Fernando
