pvlan promiscuous port and port-channel issue

ricewu2006
Level 1

Hi, guys

    Could anyone please help me out here?

    My scenario is as follows:

    The access switch is connected to a server with two ports G0/45 and G0/46. The two ports are also in the port-channel 2.

    From show interface results, only individual ports are up/up, while the port-channel2 port is down/down(not connected).

    =================

    interface GigabitEthernet0/45
    description server PCI NIC1
    switchport access vlan 321
    switchport private-vlan mapping 321 339    ///
    switchport mode private-vlan promiscuous   ///
    switchport nonegotiate
    speed 1000
    duplex full
    channel-group 2 mode on
    interface GigabitEthernet0/46
    description server PCI NIC2
    switchport access vlan 322
    switchport private-vlan mapping 322 337-338
    switchport mode private-vlan promiscuous
    switchport nonegotiate
    speed 1000
    duplex full
    channel-group 2 mode on

    ==============================

    1. Why would this happen? Is a port within a private VLAN not supposed to be included in a port-channel? If the individual ports are up/up while the port-channel is down/down, can traffic still be forwarded from the server to the outside through these two individual ports?

 

    2. G0/46 and G0/45 are connected to the server as promiscuous ports. For port G0/46, VLAN 322 is the primary. My question is: do we need to use "switchport access vlan 322" on G0/46? In several examples I've studied, this command is not used.

 

    Thanks!

 


Peter Paluch
Cisco Employee

Hi,

The configuration of ports Gi0/45 and Gi0/46 differs. For example, one uses switchport access vlan 321 while the other uses switchport access vlan 322; one uses switchport private-vlan mapping 321 339 while the other uses switchport private-vlan mapping 322 337-338. These ports cannot actively form an EtherChannel because they are not equal - they are not identically configured and they do not act the same as a result. Most probably, this is the reason why the Port-channel2 interface stays down.

For ports to form an EtherChannel, their configuration must be - with the exception of some insignificant commands - identical, and moreover, their configuration must also be identical with the configuration of the Port-channel interface itself. Only then will the Port-channel be active.

If these ports are intentionally configured in a different way then they cannot be bundled in an EtherChannel.

As for the switchport access vlan commands, they are indeed superfluous and should be removed for clarity. As a matter of rule, switchport access ... commands have effect only when the port is acting as an access port (most often, thanks to switchport mode access). If the port is not an access port - and now it isn't - then the switchport access vlan command is ignored.

Best regards,
Peter

Hi, Peter

    Thanks for the reply.

    Right now the individual port is up/up while the port-channel is down/down. I'm just wondering if the NIC on the server can still work?

    For example, if the ip address of the server is 1.1.1.1/24, connected to G0/46 (promiscuous port), while some other server 1.1.1.2/24 is connected to port G0/40 as community private-vlan 337, can I ping 1.1.1.2 from server 1.1.1.1?

    Plus, the following are the Port-channel 2 config and the output of show int g0/46 switchport:

=======================

interface Port-channel2
 description Connect to Data Domain
 switchport access vlan 322
 switchport mode access
 switchport nonegotiate

=======================

MYauNSclay11109#sh int g0/46 swi     
Name: Gi0/46
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous (suspended member of bundle Po2)
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 322 (primary)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 322 (DataDomain_192.168.165.0s24) 337  338
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan:
  322 (DataDomain_192.168.165.0s24) 337  338  
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Hello

Following on from Peter's post:

You also seem to have two promiscuous ports defined for the PVLAN association.

As for the EtherChannel, I am of the understanding that they are not supported for PVLAN, and as Peter states the ports are not identical, so this looks like possibly a ghost entry.

 

sh pvlan

sh pvlan mapping

will show you the host associations to the primary VLAN you have posted.

 

Rps

paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks, Paul.

And show vlan private-vlan might be the only way to show the mapping.

I updated my reply to Peter.

Hi,

Paul is right - there is a limitation imposed on Private VLAN ports - they cannot be members of EtherChannels. I did not know that; Paul - rated as deserved. The Configuration Guide for Catalyst 3560 states this specifically:

Do not configure ports that belong to a PAgP or LACP EtherChannel as private-VLAN ports. While a port is part of the private-VLAN configuration, any EtherChannel configuration for it is inactive.

See the details here:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/15-0_2_se/configuration/guide/scg3560/swpvlan.html#pgfId-1055972

I am afraid that you will simply not be able to have your two promiscuous ports bundled in an EtherChannel. Technically, there should not be a problem with this but unfortunately, these switches do not support it.

Best regards,
Peter
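The two rules Peter gives in this thread (member ports must carry identical switchport configuration and must match the Port-channel interface; private-VLAN ports cannot be EtherChannel members at all) are easy to check mechanically before a change window. The script below is an added example written for this page, not Cisco's code or anything the posters ran: it parses the interface stanzas quoted above from a constructed running-config string, groups members by channel-group, and reports every reason the bundle would not come up. The "insignificant" lines it ignores are limited to description; which other commands a given platform tolerates differing is an assumption you should confirm against your switch's configuration guide.

```python
"""Check EtherChannel member consistency in a Cisco IOS running-config."""
import re
from collections import defaultdict

# Constructed sample: the interface stanzas quoted in the thread above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/45
 description server PCI NIC1
 switchport access vlan 321
 switchport private-vlan mapping 321 339
 switchport mode private-vlan promiscuous
 switchport nonegotiate
 speed 1000
 duplex full
 channel-group 2 mode on
!
interface GigabitEthernet0/46
 description server PCI NIC2
 switchport access vlan 322
 switchport private-vlan mapping 322 337-338
 switchport mode private-vlan promiscuous
 switchport nonegotiate
 speed 1000
 duplex full
 channel-group 2 mode on
!
interface Port-channel2
 description Connect to Data Domain
 switchport access vlan 322
 switchport mode access
 switchport nonegotiate
!
"""

# Assumption: only these cosmetic commands may differ between bundle members.
IGNORED_PREFIXES = ("description",)


def parse_interfaces(config: str) -> dict:
    """Return {interface_name: [config lines]} for every 'interface' stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("!", "") or current is None:
            continue
        else:
            interfaces[current].append(line)
    return interfaces


def significant(lines):
    """Drop cosmetic lines and the channel-group line itself; return a sorted tuple."""
    keep = [l for l in lines
            if not l.startswith(IGNORED_PREFIXES) and not l.startswith("channel-group ")]
    return tuple(sorted(keep))


def check_etherchannels(config: str) -> dict:
    """Return {"Port-channelN": {"members": [...], "problems": [...]}} per group."""
    interfaces = parse_interfaces(config)
    groups = defaultdict(list)
    for name, lines in interfaces.items():
        for l in lines:
            m = re.match(r"channel-group (\d+) mode (\S+)", l)
            if m:
                groups[int(m.group(1))].append(name)
    report = {}
    for group, members in sorted(groups.items()):
        po_name = f"Port-channel{group}"
        problems = []
        # Rule 1: every member must carry the same significant configuration.
        base = significant(interfaces[members[0]])
        for name in members[1:]:
            diff = sorted(set(base) ^ set(significant(interfaces[name])))
            if diff:
                problems.append(f"{members[0]} and {name} differ: {diff}")
        # Rule 2: each member must also match the Port-channel interface.
        if po_name in interfaces:
            po_sig = significant(interfaces[po_name])
            for name in members:
                if significant(interfaces[name]) != po_sig:
                    problems.append(f"{name} does not match {po_name}")
        else:
            problems.append(f"{po_name} has no interface stanza")
        # Rule 3: per the 3560 guide quoted above, a private-VLAN port's
        # EtherChannel configuration is inactive.
        for name in members:
            if any(l.startswith("switchport mode private-vlan") for l in interfaces[name]):
                problems.append(f"{name} is a private-VLAN port; EtherChannel config is inactive")
        report[po_name] = {"members": members, "problems": problems}
    return report


if __name__ == "__main__":
    for po, info in check_etherchannels(SAMPLE_CONFIG).items():
        print(po, "members:", ", ".join(info["members"]))
        for p in info["problems"]:
            print("  -", p)
```

Run against the thread's configuration it reports all three faults on Port-channel2: the mismatched access VLAN and private-vlan mapping between Gi0/45 and Gi0/46, the mismatch of both members against the Port-channel2 stanza (access mode versus promiscuous mode), and the private-VLAN membership that rules the bundle out regardless of the first two.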