tnx for the response peter.

as i stated, i assumed differently regarding communications between a

pvlan promiscuous port and other ports in the same primary vlan, but

not in any pvlan.

we're in an academic setting.

i have a bunch of student labs, each w/ 20 or so workstations, all on

the same vlan, w/

no pvlans config'd yet.

all these labs are in one building, which connects to the data center

via fiber optics port

on the same switch. there's a 4500e chassis glc-sx in a module in each switch.

i thought i'd do one lab at a time, configuring it as a pvlan

community, and configuring

the fiber optics uplink in the lab building as promiscuous.

all this is because we have a killer applic, called netop, which

transmits the instructors

screen to each workstation in the lab. when we have 1 lab doing this, it's ok.

but when we have a handful of labs doing this, the delay in

presentation of the teachers

screen on the student workstations is unbearable, and often the applic

behaves unacceptably. no only delays, but stations will disconnect

altogether. it's particularly bad

when the instructor does things like scrolling. seems to be network

traffic issues, so looks like time to isolate the labs. i could config

each lab as a separate primary vlan,

but this will require reconfig of our firewall/routers also. i figured

that doing it all at level 2

would be easier and a nice clean solution too.

any opinion on this?

what you enlighten me to means that i can't do it 1 lab at a time, but

i'll have to go 'cold turkey' configuring each lab as it's own pvlan

community at once, all talking to the servers

in the data center via the same uplink, which will be promiscuous.

labs which are not yet pvlan config'd will probably not be able to get

to the data center

according to wha t you explained.

tnx

ams

Hello ams,

The NetOp School - yes, I know the software. I am surprised it generates that much traffic that it interferes with PC and/or network operation.

A solution would indeed be to split your VLAN into several secondary community private VLANs, one secondary community PVLAN for each lab, and have all these secondary community PVLANs covered by a single primary PVLAN.

The transition will be disruptive, and you will need to have a maintenance window scheduled for this. I would recommend first creating a new primary PVLAN and associated secondary community PVLANs beforehand (you do not need to schedule a maintenance window for this preparatory step). Your current VLAN would be left intact during this process. Afterwards, you start reassigning the individual labs into appropriate secondary community PVLANs, perhaps also creating promisc ports and SVI for the primary PVLAN if necessary. At the end of this process, your current VLAN will be unused and all hosts will have migrated under secondary PVLANs associated with the new primary PVLAN.

Knowing your topology would be helpful. Do you believe you could post a diagram of your network?

Best regards,

Peter

i happy to see that i understand the pvlan principles ok.

i was just unaware that the promiscuous port doesn't talk to ports which are not in a pvlan even if they're in the same

primary vlan. (even though 'p' can mean primary and private it's my understanding that everyone understands that

pvlan means private-vlan.)

anyway, our topology is very simple:

all lab stations <-rj45 ports-> 4500 switch (labs)   <-glc-sx ports-> 4500 switch (data center) <--> fw/router port (checkpoint r75)

btw, we're also in parallel, migrating from netop school to netop vision.

this is a newer product which supposedly solves some win7 based problems w/ the 'school' product.

when the local netop support organization heard that we're running 7-8 labs, with each lab config'd so that the

instructor transmits to a separate lab, they said that we can expect problems if we don't isolate the labs at the

infrastructure level.

the check we performed showed that the 'school' product didn't have performance issues unless the instructor

did a lot of scrolling or video streaming.

it turns out that in practice, they do lots of these 2 activities with the netop.

tnx

ams

Hello ams,

When talking about PVLANs, the 'P' stands for 'Private'.

i was just unaware that the promiscuous port doesn't talk to ports which are not in a pvlan even if they're in the same primary vlan. 

I am sorry but this does not make sense. We are probably understanding the terms differently.

A PVLAN, i.e. a Private VLAN, without any designation of primary/secondary, is a cluster of VLANs:

• exactly one primary PVLAN that represents this cluster to the outside world
• an arbitrary count of secondary community PVLANs
• at most one secondary isolated PVLAN

All the secondary PVLANs are uniquely associated to their primary PVLAN. Hence, a port associated with a secondary PVLAN is immediately also a member of the primary PVLAN as well. In addition, you have no way of assigning a port into a primary PVLAN only - it is always associated with a particular secondary PVLAN (isolated or community port) or with a set of secondary PVLANs (the promisc port).

From this viewpoint, I do not understand what you mean by this:

ports which are not in a pvlan even if they're in the same primary vlan

If a port is in a primary PVLAN, it must clearly be a member of at least one secondary PVLAN. How can then a port be "not in a pvlan even if they're in the same primary vlan"? Can you perhaps clarify that in more detail?

Best regards,

Peter

When talking about PVLANs, the 'P' stands for 'Private'.

yes, i understood this from the outset.

i think what threw me off was that 'private' sort of contradicts 'promiscous'.

it wasn't clear to me (until u clear it up for me) exactly how promiscous the promiscous port was,

and exactly how private is is, since we're talking about privatge vlans.

i was just unaware that the promiscuous port doesn't talk to ports which are not in a pvlan even if they're in the same primary vlan.

i had thought that a port in promiscous mode can talk to any port in the same vlan that it is associated with.

now i inderstand that the promisous port talks only to ports in pvlans with which it is associated.

I am sorry but this does not make sense. We are probably understanding the terms differently.

A PVLAN, i.e. a Private VLAN, without any designation of primary/secondary, is a cluster of VLANs:

• exactly one primary PVLAN that represents this cluster to the outside world
• an arbitrary count of secondary community PVLANs
• at most one secondary isolated PVLAN

All the secondary PVLANs are uniquely associated to their primary PVLAN. Hence, a port associated with a secondary PVLAN is immediately also a member of the primary PVLAN as well. In addition, you have no way of assigning a port into a primary PVLAN only - it is always associated with a particular secondary PVLAN (isolated or community port) or with a set of secondary PVLANs (the promisc port).

From this viewpoint, I do not understand what you mean by this:

ports which are not in a pvlan even if they're in the same primary vlan

i had thought that a promiscous port can talk not only w/ ports in pvlans with which it is associated,  but also

with any port in the vlan (regular vlan, not private) that is is configured to.

no i understand that a promiscous port can talk ONLY to any port in a pvlan that it's associated with.

If a port is in a primary PVLAN, it must clearly be a member of at least one secondary PVLAN. How can then a port be "not in a pvlan even if they're in the same primary vlan"? Can you perhaps clarify that in more detail?

again, thans lots,

ams