08-16-2013 02:42 PM - edited 03-07-2019 02:59 PM
Hello Guys,
I made this post in my Blog and I want you to review it and correct it if you please.
http://cisco-discussions.blogspot.com/2013/08/private-vlans-and-its-different-types.html
PVLAN types of Trunk Links
The different types of PVLAN trunk links are based upon the required connection between the switches you want to connect. Here are some scenarios that you may want to implement and the types of PVLAN trunks you may use.
Scenario #1: Normal Trunk
You need to propagate PVLANs between two or more switches which all support the PVLAN feature.
Here you will use the normal trunk link between the two switches, and the Secondary PVLANs will pass through the trunk normally, just like any other normal VLAN with a single tag.
For example:
Scenario #2: Promiscuous Trunk
(This type of trunk is supported on Catalyst 4500 and higher switches)
You need to connect a switch configured with PVLAN to a router using a trunk link (Router-on-a-stick) and use this trunk for InterVLAN routing between the PVLANs and other normal VLANs.
Here you have PCs in the secondary PVLANs which need to connect with another PC3 in VLAN 50, which is a normal VLAN. As usual, when you want to do interVLAN routing you may use the Router-On-A-Stick model, which uses a trunk link on the switch side and sub-interfaces on the router side.
Because the usual Promiscuous port is an access port and can't carry more than one VLAN (the Primary PVLAN), Cisco made the Promiscuous trunk port to solve this scenario.
The Promiscuous trunk port translates the secondary VLAN Tag to the Primary VLAN tag to send traffic to the router to perform Inter-Vlan Routing.
For example:
Scenario #3: Secondary PVLAN Trunk
(This type of trunk is supported on Catalyst 4500 and higher switches)
This trunk is sometimes called an Isolated PVLAN trunk, but in the switch configuration CLI it is called as above.
This trunk link type is used when you need to extend an Isolated PVLAN through a switch which doesn't support the PVLAN feature.
The problem here is that if we made the trunk between the 4500 & 2950 switches a normal trunk, this trunk wouldn't follow the rule of the Isolated VLAN, which states that there is no inter-host communication inside the isolated VLAN, so PC2 could communicate with PC1 through that normal trunk.
For the previous reason, Cisco made the Isolated trunk port for extending an Isolated VLAN through a non-PVLAN-capable switch while preserving the rules of the Isolated VLAN.
The Isolated trunk port translates the primary VLAN tag into the isolated secondary VLAN tag to be able to communicate with the non-PVLAN-capable switch.
For example: 4 cases
2. PC1 needs to connect with PC3:
Conclusion of how traffic goes through the different types of ports:
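A worked Catalyst 4500 configuration for scenarios 2 and 3, added here as an example and not taken from the blog post. VLAN numbers (10 primary, 11 isolated, 12 community, 20 normal) and interface names are assumed for illustration.

```cisco
! --- Private VLAN definitions on the PVLAN-capable 4500 (assumed numbering) ---
vlan 10
 private-vlan primary
 private-vlan association 11,12
vlan 11
 private-vlan isolated
vlan 12
 private-vlan community
vlan 20
 name NORMAL-VLAN
!
! --- Scenario 2: promiscuous trunk toward the router-on-a-stick ---
! Frames from secondary VLANs 11 and 12 leave this port tagged with
! primary VLAN 10, so the router only needs one sub-interface per primary.
! VLAN 20 is carried as an ordinary VLAN on the same trunk.
interface GigabitEthernet1/1
 description Uplink to router (assumed)
 switchport mode private-vlan trunk promiscuous
 switchport private-vlan trunk allowed vlan 20
 switchport private-vlan mapping trunk 10 11,12
!
! --- Scenario 3: secondary (isolated) trunk toward a non-PVLAN switch ---
! Frames tagged with primary VLAN 10 leave this port retagged as isolated
! VLAN 11, so the 2950 only ever sees VLAN 11 for the PVLAN hosts.
interface GigabitEthernet1/2
 description Downlink to 2950 (assumed)
 switchport mode private-vlan trunk secondary
 switchport private-vlan trunk allowed vlan 20
 switchport private-vlan association trunk 10 11
!
! --- Router side of scenario 2: sub-interfaces per primary / normal VLAN ---
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 198.51.100.1 255.255.255.0
!
! --- Verification on the 4500 ---
! show vlan private-vlan
! show interfaces GigabitEthernet1/1 switchport
! show interfaces GigabitEthernet1/2 switchport
```

The `show interfaces ... switchport` output lists the trunk's operational private-VLAN mapping or association, which is the quickest way to confirm the tag translation the text describes is actually in effect.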
06-08-2014 03:50 AM
Hi Khaled,
I came across this good article while trying to figure out how to extend PVLAN from a physical network into a vmware network running on a blade server that has an integrated switch that doesn't support PVLANs.
It looked like the isolated PVLAN trunk as you described it would be what I needed. I first started looking at this after reading somewhere that PVLAN support on a blade switch wasn't needed with the NEXUS 1000v. I have yet to verify that, but was thinking it may have to do with the isolated PVLAN trunk feature. Again, I haven't verified that it is supported on the 1000v.
Anyway, my question is with the below that you noted in your post. I haven't seen anywhere yet that says you can pass community PVLANs across the isolated trunk. The NEXUS 7000 document I read actually says you can't add community PVLANs to the trunk. The documentation that I have read says the mapped secondary VLANs can only communicate with promiscuous ports. Since it is actually called ISOLATED PVLAN trunk it would seem that it doesn't support community PVLANs. Do you have documentation on this being supported?
This is your note that I haven't been able to verify:
This scenario is valid if you also need to extend A Community PVLAN but you don't need to do the Step 4 which is related to Protected Ports.
Would placing the community VLANs in the normal VLAN list on the isolated PVLAN trunk maintain the PVLAN configuration?
VLAN 10 - primary
VLAN 11 - isolated
VLAN 12 - community
VLAN 20 - normal
Isolated trunk = Isolated VLAN = 11 mapped to Primary VLAN 10, VLAN 12 and VLAN 20 configured as normal VLANs on trunk.
Would traffic arriving on the trunk on VLAN 12 of the 4500 be able to communicate with the other devices in the community VLAN 12 and the router connected to the promiscuous trunk?
Thank you,
Mark
06-08-2014 07:43 AM
I just realized that the router on the promiscuous trunk would not be able to communicate with devices in VLAN 12 on the non-PVLAN switch in my previous post's question. The traffic would be tagged with the primary VLAN 10 and would not reach the devices in VLAN 12 on the non-PVLAN switch. If I configured VLAN 12 on the 4500 as an isolated trunk, I don't think devices on the 2950 in VLAN 12 would be able to communicate with the devices on the 4500 in VLAN 12. I think they would be able to communicate with the router at that point though.
Does that sound right? If so, I don't understand why this functionality couldn't have been designed to include community VLAN support.
Thank you,
Mark