7576 Views, 5 Helpful, 12 Replies

PVLAN and regular VLAN trunking

We are looking at implementing PVLANs into our network.  I have done quite a bit of reading on the subject but have not found an exact answer to my concerns.

To my understanding, PVLANs will traverse regular trunk ports so long as both switches understand PVLANs (so no additional configuration needed on those trunk ports).  On the trunk that leads to our ASA we would need to configure that port as a PVLAN trunk since the ASA does not understand PVLANs.

The issue I am having is that I am unable to find any configuration examples that will allow both normal VLANs and PVLANs over that trunk.  This is the configuration I am thinking will be needed.  Can someone confirm this?  If this is correct, will adding this have any impact on current traffic (aka. a flap, some seconds of downtime, etc.)?

interface Port-channel1
 description trunk_to_ASA
 switchport mode private-vlan trunk promiscuous
 switchport private-vlan trunk native vlan 99
 switchport private-vlan mapping trunk 2000 2001
 switchport private-vlan trunk allowed vlan 2000,<list of regular vlans>
--
Please remember to select a correct answer and rate helpful posts

12 Replies

Hello,

How many primary VLANs do you have on your switches? More than one?

Masoud

None configured yet.  But right now we are planning just one primary VLAN (2000) and one secondary VLAN (2001).  We also have around 100 normal VLANs and I need both the normal and private VLANs to coexist over the trunk port to the ASA.


If you have only one primary VLAN, then the switchport should be an access port.

100 is the only primary VLAN.

interface FastEthernet0/1
 description to ASA
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101

On the ASA, you just need to assign the corresponding port to VLAN 100, and then create an interface VLAN 100.

Masoud

Hello,

It should be something like this if you have more than one primary VLAN.

100 and 200 are primary VLANs.

switchport mode private-vlan trunk promiscuous
switchport private-vlan mapping trunk 100 101,102
switchport private-vlan mapping trunk 200 201,202
switchport private-vlan trunk allowed vlan 100,200
switchport private-vlan trunk native vlan [native]

On the ASA, you only need to create interface VLAN 100 and 200.

Hope it helps,

Masoud

That's all well and good, but this is still just allowing private VLANs over the trunk.  Would I just need to add the normal VLANs to the switchport private-vlan trunk allowed command (in addition to the primary VLANs) or is there more to it?

I have decided to use a promiscuous trunk port in case of future scalability.


Yes, allowing just the primary VLANs is enough because the trunk interface just adds the tag of the primary VLANs. Isolated and community VLANs are local.

"promiscuous PVLAN trunk": whenever a frame from a secondary VLAN is going to be sent out such a trunk, its 802.1Q tag will be rewritten with the appropriate primary VLAN ID.

Masoud

I may be misunderstanding, but your examples and your answers all seem to be limited to the private VLANs and not how normal VLANs come into play here in this scenario.  Could you provide a configuration example of how the configuration would look if both normal and private VLANs are to go across the trunk link?

I also understand that I can use an isolated trunk for this but I would prefer to use a promiscuous trunk as this design can and most likely will be expanded on and I would like to not reconfigure, but instead just add to the configuration.

Thanks


Let me explain it this way. I did not consider normal VLANs in my previous example.

1- You have primary VLANs and associated community VLANs and isolated VLANs.

2- You have some normal VLANs.

You need to allow the primary VLANs and the normal VLANs on the trunk. You do not need to allow the community VLANs and isolated VLANs.

On the ASA, you need to create SVIs for the primary VLANs and the normal VLANs.

100 and 200 are primary VLANs. 101, 102, 201, 202 are isolated or community VLANs. 300 and 400 are normal VLANs.

switchport mode private-vlan trunk promiscuous
switchport private-vlan mapping trunk 100 101,102
switchport private-vlan mapping trunk 200 201,202
switchport private-vlan trunk allowed vlan 100,200,300,400
switchport private-vlan trunk native vlan [native]

On the ASA, you only need to create interface VLAN 100, 200, 300 and 400.

Did I answer your question?

Masoud

Ok that is what I was thinking but wanted to get a clarification on.  Thanks!


Actually your configuration was correct. We just went back and forth to confirm it.

Best,

Masoud

Check the link below,

switchport private-vlan trunk allowed vlan vlan_list all | none | [add | remove | except] vlan_atom[,vlan_atom...]

Configures a list of allowed normal VLANs on a PVLAN trunk port.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/31sga/configuration/guide/config/pvlans.html

Adding to my previous comment.

I found something new. You do not even have to allow the primary VLANs on the trunk on Nexus. They will be added automatically. You just need to add the normal VLANs. But adding the primary VLANs makes it more understandable for troubleshooting.

"The primary VLANs do not need to be explicitly added to the allowed VLAN list. They are added automatically once there is a mapping between primary and secondary VLANs"

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/421_n2_1/b_Cisco_n5k_layer2_config_gd_rel_421_N2_1/Cisco_n5k_layer2_config_gd_rel_421_N2_1_chapter5.html

Masoud
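As an added example that is not part of this thread and not Cisco's code, the Python script below models what the accepted answer and the two quoted documents describe for a promiscuous PVLAN trunk: a frame from a secondary (isolated or community) VLAN leaves the trunk with its 802.1Q tag rewritten to the primary VLAN ID, a primary VLAN is carried as soon as it has a mapping (whether or not it is also in the allowed list, per the Nexus note), and normal VLANs are carried only if they are in the allowed list. The class and function names, the constructed sample config (the accepted answer's VLAN numbers placed on the OP's Port-channel1 with native VLAN 99) and the convention that VID 0 stands for an untagged frame are this example's own assumptions; it parses the command forms used in the thread, with the documented `allowed vlan` keyword treated as optional.

```python
"""Model of a Cisco promiscuous PVLAN trunk (added example, not from the thread).

Assumptions (not stated in the thread): names below are illustrative, the sample
config is constructed from the thread's numbers, and egress VID 0 means 'untagged'.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def parse_vlan_list(text: str) -> set[int]:
    """Expand a Cisco VLAN list such as '100,200,300-302' into a set of IDs."""
    ids: set[int] = set()
    for atom in text.replace(" ", "").split(","):
        if not atom:
            continue
        if "-" in atom:
            lo, hi = atom.split("-", 1)
            ids.update(range(int(lo), int(hi) + 1))
        else:
            ids.add(int(atom))
    return ids


@dataclass
class PromiscuousPvlanTrunk:
    mapping: dict[int, set[int]] = field(default_factory=dict)  # primary -> secondaries
    allowed: set[int] = field(default_factory=set)              # explicit allowed list
    native: int | None = None
    mode: str = ""

    @classmethod
    def from_config(cls, config: str) -> PromiscuousPvlanTrunk:
        """Parse the 'switchport ...' lines in the form used in the thread."""
        trunk = cls()
        for raw in config.splitlines():
            cmd = tuple(raw.split())
            if cmd[:3] == ("switchport", "mode", "private-vlan"):
                trunk.mode = " ".join(cmd[3:])
            elif cmd[:4] == ("switchport", "private-vlan", "mapping", "trunk"):
                primary = int(cmd[4])
                secondaries = parse_vlan_list(",".join(cmd[5:]))
                trunk.mapping.setdefault(primary, set()).update(secondaries)
            elif cmd[:4] == ("switchport", "private-vlan", "trunk", "allowed"):
                rest = list(cmd[4:])
                if rest and rest[0] == "vlan":  # documented form; the thread omits the keyword
                    rest = rest[1:]
                if rest and rest[0] in ("add", "remove", "except", "all", "none"):
                    raise ValueError(f"keyword {rest[0]!r} not modelled: {raw.strip()}")
                trunk.allowed |= parse_vlan_list(",".join(rest))
            elif cmd[:5] == ("switchport", "private-vlan", "trunk", "native", "vlan"):
                trunk.native = int(cmd[5])
        return trunk

    def _secondary_to_primary(self) -> dict[int, int]:
        return {s: p for p, secs in self.mapping.items() for s in secs}

    def egress_tag(self, vlan: int) -> int | None:
        """VID a frame from `vlan` carries when it leaves the trunk; None = not forwarded."""
        if vlan == self.native:
            return 0                        # native VLAN leaves untagged (0 = no tag here)
        sec2pri = self._secondary_to_primary()
        if vlan in sec2pri:
            return sec2pri[vlan]            # secondary VLAN: tag rewritten to its primary
        if vlan in self.mapping or vlan in self.allowed:
            return vlan                     # mapped primary, or normal VLAN in allowed list
        return None                         # neither mapped nor allowed: not carried

    def vlans_seen_by_peer(self) -> set[int]:
        """Tagged VLANs arriving at the ASA, i.e. the subinterfaces/SVIs it needs."""
        tagged = set(self.mapping) | (self.allowed - set(self._secondary_to_primary()))
        return tagged - {self.native}       # the native VLAN arrives untagged

    def lint(self) -> list[str]:
        """Checks worth running before pasting the config onto the switch."""
        notes: list[str] = []
        if self.mode != "trunk promiscuous":
            notes.append(f"mode is {self.mode!r}, expected 'trunk promiscuous'")
        for v in sorted(self.allowed & set(self._secondary_to_primary())):
            notes.append(f"VLAN {v} is a secondary VLAN and is never carried under its own tag; "
                         "drop it from the allowed list")
        for p in sorted(set(self.mapping) - self.allowed):
            notes.append(f"primary VLAN {p} is carried via its mapping only; "
                         "list it in the allowed list for readability")
        return notes


# Constructed sample: the accepted answer's VLANs on the OP's Port-channel1 (assumed).
ACCEPTED_ANSWER_CONFIG = """\
interface Port-channel1
 description trunk_to_ASA
 switchport mode private-vlan trunk promiscuous
 switchport private-vlan mapping trunk 100 101,102
 switchport private-vlan mapping trunk 200 201,202
 switchport private-vlan trunk allowed vlan 100,200,300,400
 switchport private-vlan trunk native vlan 99
"""

if __name__ == "__main__":
    trunk = PromiscuousPvlanTrunk.from_config(ACCEPTED_ANSWER_CONFIG)
    for vid in (101, 202, 100, 300, 99, 500):
        print(f"frame from VLAN {vid:>3} -> egress tag {trunk.egress_tag(vid)}")
    print("ASA needs interfaces for:", sorted(trunk.vlans_seen_by_peer()))
    print("lint:", trunk.lint() or "clean")
```

Running it with the sample config reports that frames from 101 and 102 leave tagged 100, frames from 201 and 202 leave tagged 200, and the ASA only needs VLAN 100, 200, 300 and 400, which is the accepted answer's conclusion; feeding it a config that lists a secondary VLAN in the allowed list, or that has `switchport mode trunk` in front of `private-vlan trunk promiscuous`, makes `lint()` flag it. On the real switch the equivalent checks are `show interfaces <port> switchport` (mapping, allowed and native VLAN of the PVLAN trunk) and `show vlan private-vlan` (primary/secondary associations).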