02-13-2019 01:35 AM - edited 03-08-2019 05:19 PM
Has anyone already tried to use private vlan on ISR4451 using a switch module?
Are there any guidelines to follow? Especially regarding the configuration of the ethernet-internal links, promiscuous port, promiscuous-on-trunk support, and BDI vs SVI.
In our setup, we are connecting an ESXi server on the switch module which will be configured with private vlan, and as soon as we enable this private vlan configuration on the ESXi, the communication breaks. At this stage, BDI is configured on the router side, and the interconnect carries the vlans in a trunk.
A few caveats of the setup:
- The internal interconnect between switch module and router is just a trunk, again with no support for trunk promiscuous, so no one seems to take care of the pvlan secondary-to-primary mapping going out on the promiscuous? Suggestion: move the L3 to the switch module and route in between?
- Due to the lack of support for private vlan on trunk, the primary and the secondary vlan are allowed up to the ESXi. This leaves the ESXi the choice of using the primary directly (i.e. without using the pvlan ESXi config) or using the secondary (i.e. by activating the pvlan config and using the port group associated with the secondary vlan).
Thanks in advance for your help
Config detail
switch module side:
vlan 24
name xx
private-vlan primary
private-vlan association 28
vlan 28
name xx
private-vlan isolated
! Internal connections towards the router, configured as trunk.
! No support for trunk promiscuous? Who is doing the secondary to primary mapping?
interface GigabitEthernet0/25
switchport trunk encapsulation dot1q
switchport mode trunk
switchport protected
spanning-tree portfast trunk
!
interface GigabitEthernet0/26
switchport trunk encapsulation dot1q
switchport mode trunk
switchport protected
spanning-tree portfast trunk
!
! Trunk towards the ESXi server allowing both primary and secondary.
! This is 'workaround' to allow both primary and secondary vlan up to the ESXi.
! Testing shows that it gives the right isolation (from a ESXi perspective).
interface GigabitEthernet0/15
switchport trunk encapsulation dot1q
switchport trunk native vlan 998
switchport trunk allowed vlan 24,28
switchport mode trunk
switchport nonegotiate
no cdp enable
spanning-tree portfast trunk
!
On the router side:
interface Ethernet-Internal1/0/0
description internal connection to switch module
no negotiation auto
no mop enabled
no mop sysid
service instance 24 ethernet
encapsulation dot1q 24
rewrite ingress tag pop 1 symmetric
bridge-domain 24 split-horizon group 0
!
interface BDI24
vrf forwarding <VRF>
ip address xxx
no ip redirects
ip sticky-arp ignore
no ip proxy-arp
standby version 2
standby 24 ip xxx
standby 24 priority 110
standby 24 authentication md5 key-string xxx
no cdp enable
02-14-2019 05:43 AM
Hello gpardoen,
I had the same problem :-)
The SM can support both SVI and private-vlan mapping with the ipservices license.
I didn't manage to pass pvlan over the internal connection. As a result, I'd move L3 to the SM and perform routing.
For the SM:
interface Vlan24
vrf forwarding <VRF>
ip address xxx
standby 24 ip xxx
...
private-vlan mapping 28
interface Vlan99
vrf forwarding <VRF>
ip address yyy
On the host, create the related bridge-domain:
interface BDI99
vrf forwarding <VRF>
ip address yyy
no cdp enable
interface Ethernet-Internal1/0/0
service instance 99 ethernet
encapsulation dot1q 99
rewrite ingress tag pop 1 symmetric
bridge-domain 99 split-horizon group 0
If you enabled platform switchport svi, just replace the host configuration with Vlan99 and allow the vlan over Eth-Int1/0/0.
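An added example, not part of this thread and not Cisco's tooling, that turns the point made in the question and in this answer into a check you can run against a switch-module config: it parses IOS-style text and flags a secondary VLAN that is trunked off the module while nothing on the module (an SVI with private-vlan mapping, or a promiscuous port) translates it back to its primary, which is exactly what happens when the gateway sits on the router's BDI. The parser, the finding codes and both sample configs (one modelled on the original post, one on this answer's SVI-on-the-SM design with a transit vlan 99) are my own assumptions; only the plain form of "switchport trunk allowed vlan <list>" is understood.

```python
"""Lint an IOS-style private-VLAN config for the secondary-to-primary mapping gap.

Added example for this forum thread; not Cisco code and not the posters' own tooling.
Assumed syntax: blocks start at 'vlan N' / 'interface X' and end at '!' or the next
block; 'switchport trunk allowed vlan add/remove/except' forms are not parsed.
"""
import re
from dataclasses import dataclass, field

VLAN_RE = re.compile(r"^vlan (\d+)$")
IFACE_RE = re.compile(r"^interface (\S+)$")
SVI_RE = re.compile(r"^Vlan(\d+)$")
ALLOWED_PREFIX = "switchport trunk allowed vlan "
MAPPING_PREFIX = "private-vlan mapping "


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '24,28,100-102' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


@dataclass
class PvlanModel:
    primaries: dict = field(default_factory=dict)     # primary -> {secondary, ...}
    secondaries: dict = field(default_factory=dict)   # secondary -> 'isolated' | 'community'
    mode: dict = field(default_factory=dict)          # interface -> 'trunk' | 'promiscuous'
    allowed: dict = field(default_factory=dict)       # trunk -> allowed set (absent = all vlans)
    svis: set = field(default_factory=set)            # VLAN ids that have an SVI
    svi_mappings: dict = field(default_factory=dict)  # SVI vlan -> {secondary, ...}


def parse_config(text):
    """Build a PvlanModel from config text; leading indentation is ignored."""
    model, cur_vlan, cur_iface = PvlanModel(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := VLAN_RE.match(line)):
            cur_vlan, cur_iface = int(m.group(1)), None
            continue
        if (m := IFACE_RE.match(line)):
            cur_iface, cur_vlan = m.group(1), None
            if (svi := SVI_RE.match(cur_iface)):
                model.svis.add(int(svi.group(1)))
            continue
        if line.startswith("!"):
            cur_vlan = cur_iface = None
        elif cur_vlan is not None:
            if line == "private-vlan primary":
                model.primaries.setdefault(cur_vlan, set())
            elif line.startswith("private-vlan association "):
                model.primaries[cur_vlan] = expand_vlan_list(line.split(" ", 2)[2])
            elif line in ("private-vlan isolated", "private-vlan community"):
                model.secondaries[cur_vlan] = line.split()[-1]
        elif cur_iface is not None:
            if line == "switchport mode trunk":
                model.mode[cur_iface] = "trunk"
            elif line == "switchport mode private-vlan promiscuous":
                model.mode[cur_iface] = "promiscuous"
            elif line.startswith(ALLOWED_PREFIX):
                model.allowed[cur_iface] = expand_vlan_list(line[len(ALLOWED_PREFIX):])
            elif line.startswith(MAPPING_PREFIX) and (svi := SVI_RE.match(cur_iface)):
                model.svi_mappings[int(svi.group(1))] = expand_vlan_list(line[len(MAPPING_PREFIX):])
    return model


def lint(text):
    """Return [(code, vlan, detail), ...]; empty when every secondary has a path to its primary."""
    model, findings = parse_config(text), []
    mapped = set().union(*model.svi_mappings.values()) if model.svi_mappings else set()
    has_promiscuous = "promiscuous" in model.mode.values()
    for primary, secondaries in sorted(model.primaries.items()):
        for sec in sorted(secondaries):
            if sec not in model.secondaries:
                findings.append(("UNDECLARED_SECONDARY", sec,
                                 f"associated with primary {primary} but never declared isolated/community"))
            if sec in model.svis:
                findings.append(("SVI_ON_SECONDARY", sec,
                                 f"the gateway for secondary {sec} must be the SVI of primary {primary}"))
            if sec not in mapped and not has_promiscuous:
                carriers = sorted(i for i, mode in model.mode.items() if mode == "trunk"
                                  and (i not in model.allowed or sec in model.allowed[i]))
                findings.append(("NO_SECONDARY_TO_PRIMARY_PATH", sec,
                                 f"trunked out on {', '.join(carriers) or 'no port'} while nothing on this "
                                 f"switch maps it to primary {primary}; pvlan awareness is lost off-module"))
    return findings


# Constructed from the first post: L3 is on the router's BDI, so the SM has no SVI and no
# promiscuous port for primary 24 / isolated 28, and both vlans ride plain trunks.
SM_BEFORE = """\
vlan 24
 private-vlan primary
 private-vlan association 28
vlan 28
 private-vlan isolated
!
interface GigabitEthernet0/25
 switchport mode trunk
!
interface GigabitEthernet0/15
 switchport trunk allowed vlan 24,28
 switchport mode trunk
!
"""

# Constructed after the accepted answer: gateway SVI on the primary carries the mapping,
# and only transit vlan 99 crosses the internal trunk towards the router's BDI99.
SM_AFTER = """\
vlan 24
 private-vlan primary
 private-vlan association 28
vlan 28
 private-vlan isolated
vlan 99
!
interface GigabitEthernet0/25
 switchport trunk allowed vlan 99
 switchport mode trunk
!
interface GigabitEthernet0/15
 switchport trunk allowed vlan 24,28
 switchport mode trunk
!
interface Vlan24
 ip address 10.0.24.1 255.255.255.0
 private-vlan mapping 28
!
interface Vlan99
 ip address 10.0.99.2 255.255.255.252
!
"""

if __name__ == "__main__":
    for label, cfg in (("before", SM_BEFORE), ("after", SM_AFTER)):
        print(label, lint(cfg) or "OK")
```

Run it against "show running-config" output saved from the switch module; a NO_SECONDARY_TO_PRIMARY_PATH finding on the module means the mapping has to be done there (SVI on the primary with private-vlan mapping, as in this answer) rather than on the far side of the internal trunk.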
02-14-2019 05:47 AM - edited 02-14-2019 05:48 AM
Thanks astapell, this is indeed an interesting workaround.
I will try it and let you know.
02-22-2019 07:00 AM
I got the confirmation from Cisco TAC that private vlan is only supported on the SM card, and consequently private vlan awareness is lost when traffic leaves the Switch Module. Therefore, the SVI related to pvlan needs to be terminated on the SM. Then, to route out, using an L3 interconnect is indeed a working solution.