cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3550
Views
0
Helpful
2
Replies

PVLAN types of Trunk Links

khaled.awdallah
Level 1
Level 1

Hello Guys,

I made this post in my Blog and I want you to review it and correct it if you please.

http://cisco-discussions.blogspot.com/2013/08/private-vlans-and-its-different-types.html

PVLAN types of Trunk Links

The different types of PVLAN trunk links is based upon the required connection between switches the you want to connect. Here are some scenarios that you may want to implement and what types of PVLAN trunks you may use.

Scenario #1: Normal Trunk

You need to propagate PVLANs between two or more switches which all are supporting the PVLAN feature,

Here you will use the normal trunk link between the two switches and the Secondary PVLANs will pass through the trunk normally just like any other normal VLAN with a single Tag.

For example:

  • When PC1 in VLAN 201 on Switch A try to connect to PC4 in Vlan 201 on Switch B, its traffic will go through the trunk with Tag 201 but Switch B will ban this traffic because of the nature of isolated PVLAN which prevent PCs inside to connect each other.
  • When PC2 in VLAN 202 on Switch A try to connect to PC5 in Vlan 202 on Switch B, its traffic will go through the trunk with Tag 202 and Switch B will forward it to PC5 port based on its MAC address table.
  • When the router send traffic for PC5 it send traffic on the promiscuous trunk (will be discussed later) with Tag 100 and it will carried through the normal trunk between the two switches with also tag 100 untill it reach switch 2 then it will consult its CAM table and find that PC5 in Vlan 100 and also in Vlan 202.


Scenario #2:

Promiscuous Trunk

(This type of trunk is supported on Catalyst 4500 and higher switches)

You need to a switch configured with PVLAN with a router using a trunk link (Router-on-a-stick) and use this trunk for InterVLAN-Routing between the PVLANs and other Normal VLANs.

Here you have PCs into the secondaries PVLANs which need to connect with another PC3 in VLAN 50 which is a normal VLAN. As normal when you want to make interVLAN routing you may use Router-On-A-Stick model which uses a trunk link from the switch side and sub-interfaces from router side.

Because the usual Promiscuous port is an access port and can't carry more than one vlan which was the Primary PVLAN, Cisco made the Promiscuous trunk port to solve this scenario.

The Promiscuous trunk port translates the secondary VLAN Tag to the Primary VLAN tag to send traffic to the router to perform Inter-Vlan Routing.

For example:

  • PC1 into VLAN 12 need to connect with another PC3 in VLAN 50 which is a normal VLAN, traffic originated from PC1 into VLAN 12 will be broadcast to the Promiscuous trunk port with Tag 12 the it will translate the Tag to vlan 10 which the router knows it.
  • When the router find it with Tag 10, it will receive it on the sub-interface of vlan 10 and forward it based on its destination IP as normal case.
  • When the router receive the reply from PC3 in VLAN 50 and based on the destination IP, it will forward it through the sub-interface of vlan 10 to the switch.
  • When the switch receive it with Tag 10, it consults the MAC address table of vlan 10 to know which PC has that destination MAC because the MAC address table of vlan 10 contains all learned MACs for PCs in Primary and secondary VLANs (10,11,12).

Scenario #3:

Secondary PVLAN Trunk

(This type of trunk is supported on Catalyst 4500 and higher switches)

This trunk is sometimes called Isolated PVLAN trunk but on the switch configuration CLI it is called as above.

This trunk link type is used when you need to extend an Isolated PVLAN through a switch which doesn't support the PVLAN feature.

The problem here is that if we made the trunk between the 4500 & 2950 switches as a normal trunk, this trunk won't follow the rules of Isolated VLAN which states that no inter-hosts communication inside the isolated VLAN so PC2 can communicate PC1 through that normal trunk.

For the previous reson, Cisco made the Isolated trunk port for expanding an Isolated VLAN through a non-PVLAN cabaple switch with preserving the rules of Isolated VLAN.

Isolated trunk port translate the primary vlan tag into the isolated secondary vlan tag to be able to communicate with the non-PVLAN cabalple switch.


For example: 4 cases

  1. PC4 from a normal VLAN 20 need to connect the PC3 on the 2950 switch.
    • The PC4 from VLAN 20 will send a normal traffic to the router and router will forward it through the promiscuous trunk port to VLAN 10 which is the primary VLAN as per the previous scenario#2.
    • the switch will receive this frame and consult its MAC address table to find the destination MAC.
    • let's suppose that it found it on the trunk with 2950 switch, then it will forward it to the 2950 switch and translate the Tag of 10 to 11 because the 2950 switch doesn't know VLANs except VLAN 11.
    • then the PC3 on 2950 switch receive it and reply on PC4 from vlanVLAN11 and when 4500 switch try to forward it to the router through the promiscuous trunk port, it will translate the tag to 10.

      2.  PC1 need to connect with PC 3:

    • PC1 will send the traffic to the 4500 switch which has the MAC of PC3 into is MAC address table of VLAN 11 (the host MACs into secondary PVLAN associated with both its attached secondary PVLAN as well as the primary PVLAN).
    • the 4500 switch will ban this communication due to Isolated VLAN rules.
      3. PC3 need to connect with PC1:
    • PC3 will send the traffic to 2950 switch the 2950 switch after consulting its CAM table will forward it through the trunk with tag11.
    • When 4500 switch see the traffic with tag 11 the it will consult its CAM table for destination MAC which will be present on its CAM and this traffic will be banned.
    • If the 4500 switch doesn't know where is the destination MAC it will flood the traffic through the promiscuous port only because communication inside Isolated VLAN is prohibited.
     4. if PC2 need to communicate with PC3:
    • It can be done successfully through the 2950 switch because it doesn't support the private VLAN concept.
    • The solution here is to configure the ports on VLAN 11 on 2950 switch as a Cisco protected ports.
    This scenario is valid if you also need to extend A Community PVLAN but you don't need to do the Step     4 which is related to Protected Ports.

    Conclusion of How Traffic go through different types of ports:

    1. Access Ports:
      1. Promiscuous ports: carry untagged traffic for Primary and Secondary PVLANs
      2. Host Ports:
        1. Isolated Ports: carry untagged traffic for Isolated PVLAN.
        2. Community Ports: carry untagged traffic for Community PVLAN.
      3. Protected Ports: it simulate as Isolated PVLAN but it is not related to PVLAN feature, this port is locally significant to the switch. Any protected port on a switch can't communicate at L2 to other Protected ports on the same switch, to communicate between two protected ports, it must be through L3 device.
    2. Trunk Ports:
      1. Normal Trunk: carry tagged traffic for all primary and secondary PVLANs and normal VLAN. Any traffic go through this trunk keeps the Tag of traffic without changing it.
      2. Promiscuous Trunk: carry tagged traffic for only primary and normal VLANs. Any traffic sourced from secondaries PVLANs is go through this trunk using the primary PVLAN tag.
      3. Secondary Trunk: carry tagged traffic for only secondary PVLANs. Any traffic sourced from primary & secondaries PVLANs is go through this trunk using the secondary PVLAN tag.
    Another article will be posted soon or an update will be made to this article to illustrate the configuration of each type of these trunks.

    2 Replies 2

    MARK BAKER
    Level 4
    Level 4

    Hi Khaled,

    I came across this good article while trying to figure out how to extend PVLAN from a physical network into a vmware network running on a blade server that has an integrated switch that doesn't support PVLANs.

    It looked like the isolated PVLAN trunk as you described it would be what I needed. I first started looking at this after reading somewhere that PVLAN support on a blade switch wasn't needed with the NEXUS 1000v. I have yet to verify that, but was thinking it may have to do with the isolated PVLAN trunk feature. Again, I haven't verified that it is supported on the 1000v.

    Anyway, my question is with the below that you noted in your post. I haven't seen anywhere yet that says you can pass community PVLANs across the isolated trunk. The NEXUS 7000 document I read actually says you can't add community PVLANS to the trunk. The documentation that I have read says the mapped secondary VLANs can only communicate with permiscuous ports. Since it is actually called ISOLATED PVLAN trunk it would seem that it doesn't support community PVLANs. Do you have documentation on this being supported?

    This is your note that I haven't been able to verify:

    This scenario is valid if you also need to extend A Community PVLAN but you don't need to do the Step 4 which is related to Protected Ports.
     

    Would placing the community VLANs in the normal VLAN list on the isolated PVLAN trunk maintain the PVLAN configuration?

    VLAN 10 - primary

    VLAN 11 - isolated

    VLAN 12 - community

    VLAN 20 - normal

    Isolated trunk = Isolated VLAN = 11 mapped to Primary VLAN 10, VLAN 12 and VLAN 20 configured as normal VLANs on trunk.

    Would traffic arriving on the trunk on VLAN 12 of the 4500 be able to communicate with the other devices in the community VLAN 12 and the router connected to the promiscuous trunk?

     

    Thank you,

    Mark

    I just realized that the router on the promiscuous trunk would not be able to communicate with devices in VLAN 12 on the non-PVLAN switch in my previous post question. The traffic would be tagged with the primary VLAN 10 and would not reach the devices in VLAN 12 on the non-PVLAN switch. If I configured VLAN 12 on the 4500 as an isolated trunk. I don't think devices on the 2950 in VLAN 12 would be able to communicate with the devices on the 4500 in VLAN 12. I think they would be able to communicate with the router at that point though.

    Does that sound right? If so, I don't understand why this functionality couldn't have been designed to include community VLAN support.

    Thank you,

    Mark

    Review Cisco Networking for a $25 gift card