Private VLANs trunked with other campus VLANs

Josh Morris
Level 3

We have a typical environment: access, distribution, core, and all switches are 6500s.

I have a lab environment where machines should not talk to each other, so I think private vlans would be good for this.

The problem is that the access connects to the distribution with a 802.1q trunk, while the distribution connects to the core with an 802.1q trunk. See the attached image for reference.

[attached image: Capture.JPG]

In this case, I would configure the primary vlan (888) on the two access switches, as well as the isolated (886) and the community (887), and set the associations.

vlan 886
 name Isolated_PVLAN
 private-vlan isolated
vlan 887
 name Community_PVLAN
 private-vlan community
vlan 888
 private-vlan primary
 private-vlan association 886,887
exit

The host ports would be set as such.

interface g3/40
 switchport mode private-vlan host
 switchport private-vlan host-association 888 886

My question is where do I put the promiscuous port? Is it on the uplink between the access and distribution? And if I configure it as I have below, what about the other VLANs that are needed at the access switch? Do they still pass through the trunk as normal, even with the private-vlan configuration? Or would every other VLAN need to be configured as a secondary private-vlan on the promiscuous port?

interface g5/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 888 886,887

Also, would VLAN access-lists be a better method for controlling this traffic?

2 Replies

Peter Paluch
Cisco Employee

Hi Josh,

"The problem is that the access connects to the distribution with a 802.1q trunk, while the distribution connects to the core with an 802.1q trunk"

Hmm, so are you saying that access/distro and distro/core are both using normal 802.1q trunks? This is what the statement says but I am not sure if I understand it correctly, as you seem to have tried to put something into contrast while there is none.

"My question is where to I put the promiscuous port?"

A promisc port is an untagged port that is allowed to communicate with any port in any secondary PVLAN associated with the particular private PVLAN. Configuring a physical promisc port would be necessary only if you wanted to connect to a shared resource that by itself resides in the primary PVLAN, such as a shared printer, disk array, server etc. However, if you simply need a port towards a default gateway then the correct solution is to create SVIs for the primary PVLAN on your distribution switches and configure these SVIs as promisc ports, i.e.

interface Vlan 888
 private-vlan mapping 886,887

Here I assume that you are performing your inter-VLAN routing on your distribution switches. Interconnections between your switches should remain configured as normal 802.1Q trunks. Most certainly, you do not want to configure them as promisc ports.

Please note that in order for each and every switch to maintain the appropriate isolation for community and isolated PVLANs, each switch in your network should be configured with the same set of secondary and primary PVLANs, their types and association.

Feel welcome to ask further!

Best regards,

Peter

Thanks Peter.

To complicate things further, L3 is not happening on the distribution. Our distribution layer currently serves as a port aggregation layer. L3 happens at the core. So all building uplinks from the core are .1q trunks.

There is also not an SVI for the 888 VLAN. This is simply a VLAN where the gateway is a set of firewalls. This basically extends a firewalled network within the campus buildings. We are in the process of addressing this, but need a solution now for these particular machines to keep them from talking to each other. (Recently, one machine became infected and infected many others in the VLAN.)

But concerning the private-vlans, if I'm understanding your response, I could create the community/isolated VLANs on the core, distribution, and access switches. I would NOT define the switch uplinks as primary ports. I would just use an SVI (will not have an IP address) mapping the community/isolated ports to it. This seems simple enough. Note, we are using VTP client/server and I understand that none of this is possible without going to VTP transparent.
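As an added example, not part of the thread and not a Cisco tool, here is a small Python checker for the two points Peter's reply makes and Josh's plan relies on: every switch (access, distribution, core) must carry the same primary and secondary PVLANs with the same types and associations, interconnections stay ordinary trunks rather than promiscuous ports, and the primary VLAN's SVI mapping must list exactly the associated secondaries. The VLAN numbers 886/887/888 are the thread's; the switch names, port names and config text are constructed, and the parser only understands the handful of keywords used in these samples.

```python
"""Added example: check private-VLAN consistency across several switch configs.
Sample configs below are constructed; only the keywords they use are parsed."""
import re

PVLAN_KIND = re.compile(r"^private-vlan (primary|isolated|community)$")
PVLAN_ASSOC = re.compile(r"^private-vlan association (\S+)$")
SVI_MAP = re.compile(r"^private-vlan mapping (\S+)$")


def _ids(csv):
    return frozenset(int(x) for x in csv.split(","))


def parse_config(text):
    """Return (pvlans, promiscuous_ports, svi_mappings) for one switch config."""
    pvlans = {}     # vlan id -> {"kind": ..., "assoc": frozenset of secondaries}
    promisc = []    # ports in 'switchport mode private-vlan promiscuous'
    svi_maps = {}   # "Vlan888" -> secondaries listed under 'private-vlan mapping'
    ctx = None      # current stanza: ("vlan", id) or ("intf", name)
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^vlan (\d+)$", line):
            ctx = ("vlan", int(m.group(1)))
            pvlans.setdefault(ctx[1], {"kind": None, "assoc": frozenset()})
        elif m := re.match(r"^interface (.+)$", line):
            ctx = ("intf", m.group(1).replace(" ", ""))  # "Vlan 888" -> "Vlan888"
        elif line == "exit":
            ctx = None
        elif ctx and ctx[0] == "vlan":
            if m := PVLAN_KIND.match(line):
                pvlans[ctx[1]]["kind"] = m.group(1)
            elif m := PVLAN_ASSOC.match(line):
                pvlans[ctx[1]]["assoc"] = _ids(m.group(1))
        elif ctx and ctx[0] == "intf":
            if line == "switchport mode private-vlan promiscuous":
                promisc.append(ctx[1])
            elif m := SVI_MAP.match(line):
                svi_maps[ctx[1]] = _ids(m.group(1))
    # Ordinary VLANs (no private-vlan keyword) are not part of the PVLAN set.
    return {v: d for v, d in pvlans.items() if d["kind"]}, promisc, svi_maps


def check_consistency(configs):
    """configs: {switch name: config text}. The first switch is the reference."""
    findings = []
    parsed = {sw: parse_config(cfg) for sw, cfg in configs.items()}
    ref_sw, (ref_pvlans, _, _) = next(iter(parsed.items()))
    for sw, (pvlans, promisc, svi_maps) in parsed.items():
        if pvlans != ref_pvlans:
            missing = sorted(set(ref_pvlans) - set(pvlans))
            extra = sorted(set(pvlans) - set(ref_pvlans))
            differ = sorted(v for v in set(pvlans) & set(ref_pvlans)
                            if pvlans[v] != ref_pvlans[v])
            findings.append(f"{sw}: PVLAN set differs from {ref_sw} "
                            f"(missing={missing}, extra={extra}, differ={differ})")
        for port in promisc:   # switch interconnections should stay normal trunks
            findings.append(f"{sw}: physical port {port} is promiscuous; "
                            "only a shared-resource port should be")
        for svi, mapped in svi_maps.items():
            vid = int(svi[4:]) if svi.lower().startswith("vlan") else None
            prim = pvlans.get(vid)
            if prim is None or prim["kind"] != "primary":
                findings.append(f"{sw}: SVI {svi} maps secondaries but VLAN {vid} "
                                "is not a primary PVLAN here")
            elif mapped != prim["assoc"]:
                findings.append(f"{sw}: SVI {svi} maps {sorted(mapped)} but the "
                                f"primary associates {sorted(prim['assoc'])}")
    return findings


# Constructed sample configs: the thread's VLAN numbers, hypothetical port names.
PVLAN_DEFS = """
vlan 886
 name Isolated_PVLAN
 private-vlan isolated
vlan 887
 name Community_PVLAN
 private-vlan community
vlan 888
 private-vlan primary
 private-vlan association 886,887
"""
SAMPLE_CONFIGS = {
    # Access switch: host port in the PVLAN, uplink left as a normal trunk.
    "ACCESS1": PVLAN_DEFS + """
interface GigabitEthernet3/40
 switchport mode private-vlan host
 switchport private-vlan host-association 888 886
interface GigabitEthernet5/1
 switchport mode trunk
""",
    # Distribution switch whose uplink was wrongly made a promiscuous port.
    "DIST": PVLAN_DEFS + """
interface GigabitEthernet5/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 888 886,887
""",
    # Core: the SVI for the primary VLAN acts as the promiscuous port.
    "CORE": PVLAN_DEFS + """
interface Vlan 888
 private-vlan mapping 886,887
""",
    # Second access switch where VLAN 887 was never marked as community.
    "ACCESS2": PVLAN_DEFS.replace(" private-vlan community\n", ""),
}

if __name__ == "__main__":
    for finding in check_consistency(SAMPLE_CONFIGS):
        print(finding)
```

Run against the samples it reports two findings: the DIST uplink configured as a promiscuous port, and ACCESS2 missing VLAN 887 from its PVLAN set, which is the kind of drift Josh's VTP client/server note makes likely once the switches go transparent. Feeding it the `show running-config` output of real switches would need the parser extended beyond the keywords shown here.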
