04-26-2013 08:51 AM - edited 03-07-2019 01:03 PM
We have a typical environment, access, distribution, core, all switches are 6500s.
I have a lab environment where machines should not talk to each other, so I think private vlans would be good for this.
The problem is that the access connects to the distribution with a 802.1q trunk, while the distribution connects to the core with an 802.1q trunk. See the attached image for reference.
In this case, I would configure the primary vlan (888) on the two access switches, as well as the isolated (886) and the community (887), and set the associations.
vlan 886
 name Isolated_PVLAN
 private-vlan isolated
vlan 887
 name Community_PVLAN
 private-vlan community
vlan 888
 private-vlan primary
 private-vlan association 886,887
exit
The host ports would be set as such.
interface g3/40
switchport mode private-vlan host
switchport private-vlan host-association 888 886
My question is where do I put the promiscuous port? Is it on the uplink between the access and distribution? And if I configure it as I have below, what about the other VLANs that are needed at the access switch? Do they still pass through the trunk as normal, even with the private-vlan configuration? Or would every other VLAN need to be configured as a secondary private-vlan on the promiscuous port?
interface g5/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 888 886,887
Also, would VLAN access-lists be a better method for controlling this traffic?
04-26-2013 09:10 AM
Hi Josh,
The problem is that the access connects to the distribution with a 802.1q trunk, while the distribution connects to the core with an 802.1q trunk
Hmm, so are you saying that access/distro and distro/core are both using normal 802.1q trunks? This is what the statement says but I am not sure if I understand it correctly, as you seem to have tried to put something into contrast while there is none.
My question is where to I put the promiscuous port?
A promisc port is an untagged port that is allowed to communicate with any port in any secondary PVLAN associated with the particular private PVLAN. Configuring a physical promisc port would be necessary only if you wanted to connect to a shared resource that by itself resides in the primary PVLAN, such as a shared printer, disk array, server etc. However, if you simply need a port towards a default gateway then the correct solution is to create SVIs for the primary PVLAN on your distribution switches and configure these SVIs as promisc ports, i.e.
interface Vlan 888
private-vlan mapping 886,887
Here I assume that you are performing your inter-VLAN routing on your distribution switches. Interconnections between your switches should remain configured as normal 802.1Q trunks. Most certainly, you do not want to configure them as promisc ports.
Please note that in order for each and every switch to maintain the appropriate isolation for community and isolated PVLANs, each switch in your network should be configured with the same set of secondary and primary PVLANs, their types and association.
Feel welcome to ask further!
Best regards,
Peter
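The layout Peter describes, written out as one complete IOS configuration. This is an added example, not configuration from the original thread; the interface names, the VLAN 888 name and the SVI IP address are assumptions, and the `interface Vlan888` stanza belongs only on the switch that actually does the inter-VLAN routing for this segment.

```cisco
! VTP v1/v2 do not carry private VLANs, so each switch defines them locally
vtp mode transparent
!
! Identical primary/secondary definitions on every switch in the path
vlan 886
 name Isolated_PVLAN
 private-vlan isolated
vlan 887
 name Community_PVLAN
 private-vlan community
vlan 888
 name Primary_PVLAN
 private-vlan primary
 private-vlan association 886,887
!
! Isolated host: can reach promiscuous ports only, not other hosts in 886
interface GigabitEthernet3/40
 switchport mode private-vlan host
 switchport private-vlan host-association 888 886
!
! Community host: can reach other 887 members and promiscuous ports
interface GigabitEthernet3/41
 switchport mode private-vlan host
 switchport private-vlan host-association 888 887
!
! Uplink stays a normal 802.1Q trunk; 886/887/888 are carried tagged
! next to every other VLAN. This port is NOT made promiscuous.
interface GigabitEthernet5/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! Only on the switch doing the routing: the SVI is the promiscuous port.
! (The address is an assumption for the example.)
interface Vlan888
 ip address 10.88.0.1 255.255.255.0
 private-vlan mapping 886,887
!
! Verification
! show vlan private-vlan
! show interfaces GigabitEthernet3/40 switchport
```

`show vlan private-vlan` lists each primary/secondary pair with its type and member ports; comparing that output across the access, distribution and core switches is the quickest way to confirm the "same set on every switch" requirement before trusting the isolation.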
04-26-2013 10:41 AM
Thanks Peter.
To complicate things further, L3 is not happening on the distribution. Our distribution layer currently serves as a port aggregation layer. L3 happens at the core. So all building up links from the core are .1q trunks.
There is also not an SVI for the 888 VLAN. This is simply a VLAN where the gateway is a set of firewalls. This basically extends a firewalled network within the campus buildings. We are in the process of addressing this, but need a solution now for these particular machines to keep them from talking to each other. (Recently, one machine became infected and infected many others in the VLAN)
But concerning the private-vlans, if I'm understanding your response, I could create the community/isolated VLANs on the core, distribution, and access switches. I would NOT define the switch uplinks as primary ports. I would just use an SVI (will not have an IP address) mapping the community/isolated ports to it. This seems simple enough. Note, we are using VTP client/server and I understand that none of this is possible without going to VTP transparent.
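Since the PVLANs have to be defined by hand on the core, distribution and access switches once VTP is transparent, a small audit script catches the case where one switch drifts (a secondary VLAN missing, or typed isolated on one box and community on another). This is an added example, not part of the thread; the `show vlan private-vlan` outputs below are constructed to look like Catalyst IOS output, and the switch names are invented.

```python
"""Audit private-VLAN consistency across several Catalyst switches.

Feed it the text of `show vlan private-vlan` from each switch; it reports
primary/secondary/type rows that are not present everywhere and
secondary VLANs whose type disagrees between switches.
"""
import re
from typing import Dict, Set, Tuple

PvlanRow = Tuple[int, int, str]  # (primary, secondary, type)

# Data rows look like: "888     886       isolated          Gi3/40"
_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(isolated|community|two-way-community)\b", re.I)


def parse_private_vlans(show_output: str) -> Set[PvlanRow]:
    """Return the set of (primary, secondary, type) rows in one switch's output."""
    rows: Set[PvlanRow] = set()
    for line in show_output.splitlines():
        m = _ROW.match(line)
        if m:
            rows.add((int(m.group(1)), int(m.group(2)), m.group(3).lower()))
    return rows


def audit_private_vlans(outputs: Dict[str, str]) -> Dict[str, dict]:
    """Compare every switch against the union of rows seen anywhere.

    A row defined on one switch but absent on another is exactly the
    inconsistency that lets isolated hosts leak to each other across a trunk.
    """
    parsed = {sw: parse_private_vlans(txt) for sw, txt in outputs.items()}
    reference: Set[PvlanRow] = set().union(*parsed.values()) if parsed else set()
    missing = {sw: reference - rows for sw, rows in parsed.items() if reference - rows}

    # A secondary VLAN must have one type everywhere; collect conflicting types.
    types_seen: Dict[Tuple[int, int], Set[str]] = {}
    for primary, secondary, vtype in reference:
        types_seen.setdefault((primary, secondary), set()).add(vtype)
    conflicts = {pair: t for pair, t in types_seen.items() if len(t) > 1}

    return {"missing": missing, "type_conflicts": conflicts}


# Constructed sample outputs (not captured from real switches).
ACCESS_1 = """\
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
888     886       isolated          Gi3/40
888     887       community         Gi3/41, Gi3/42
"""

# Distribution switch where 886 was never created.
DIST_1 = """\
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
888     887       community
"""

# Core switch where 887 was mistyped as isolated.
CORE_1 = """\
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
888     886       isolated
888     887       isolated
"""

SAMPLE_OUTPUTS = {"ACCESS-1": ACCESS_1, "DIST-1": DIST_1, "CORE-1": CORE_1}


if __name__ == "__main__":
    result = audit_private_vlans(SAMPLE_OUTPUTS)
    for sw, rows in sorted(result["missing"].items()):
        for primary, secondary, vtype in sorted(rows):
            print(f"{sw}: missing secondary {secondary} ({vtype}) under primary {primary}")
    for (primary, secondary), types in sorted(result["type_conflicts"].items()):
        print(f"VLAN {secondary} under {primary} has conflicting types: {sorted(types)}")
```

Run it against real output by pasting each switch's `show vlan private-vlan` into the dictionary; an empty `missing` and empty `type_conflicts` means the three layers agree on the definitions, which is the precondition Peter's answer sets before the isolation can be trusted end to end.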