03-20-2013 09:16 AM - edited 03-07-2019 12:22 PM
We have a few C3750E switches in our environment. To lock down host L2 traffic between each host we utilize PVLANs. Due to the requirements presented we cannot do any trunking with the primary vlans, so each promiscuous port has its dedicated physical routed interface on the router. Within this design, scalability is an issue and now we are out of ports on the router to facilitate the uplinks. As new equipment and requirements are added, management now wants to hang additional switches (also using PVLANs) off of the current switches running the PVLAN. This is not my design, I am just trying to provide a solution with what is currently in effect. I guess my question is, is there a way to "daisy-chain" switches and still have the security with the PVLANs on both the "child" sw and the "parent" sw? I have done some initial testing, but with them both locked down with PVLAN, and using one of the host (PVLAN) ports as the uplink for the "child" sw, it doesn't work. Which is what I would expect, given how PVLANs work; however, if I wipe the "child" sw and leave it as a "dumb" sw it works, then of course the security aspect is taken away. So, given these requirements, does anyone know a way to make two "daisy-chained" switches function with PVLAN running, with one promiscuous port off the parent sw to the router? Thanks for your time/help.
-Wayne
03-20-2013 03:51 PM
Hello Wayne.
I have really grasped this daisy chain setup and why you're not able to trunk between the two switches.
Could you post the config?
Res
Paul
Sent from Cisco Technical Support iPad App
03-21-2013 06:11 AM
Thanks for the reply. It's not that we "can't" trunk between the switches, but it was a security posture dictated by management. No trunking, so for each Primary Vlan there is a physical connection up to the routed interface. They want to hang another switch off the existing user sw that is running PVLANs. Can the new switch that will be hanging off the existing switch (w/ PVLANs) run PVLANs as well? Will this work with PVLANs configured? I can't post the config, but this is an example of how it's set up.
vlan 10
 private-vlan isolated
vlan 20
 private-vlan primary
 private-vlan association 10
interface range Gi1/0/1 - 23
 switchport private-vlan host-association 20 10
 switchport private-vlan mapping 20 10
 switchport mode private-vlan host
interface Gi1/0/24
 switchport private-vlan mapping 20 10
 switchport mode private-vlan promiscuous
interface Vlan20 (uplink to rtr)
 ip address x.x.x.x 255.255.255.192
 private-vlan mapping 10
Can I hang a new switch with its ports configured as private-vlan host ports off of one of the host ports on the current sw? I haven't seen anything in the documentation where it says it can't work, but I haven't had any success. My thinking...
Exist. SW: (Uplink port for "New sw" -Host Port-gi1/0/1) vlan 10 --mapped--->(Uplink to rtr -Prom Port-gi1/0/24) vlan 20.
New SW: (Host Ports) vlan 30 --mapped------>(Uplink port to "existing sw" -Prom Port) Vlan 10
Hope this clarifies.
Thanks
03-21-2013 06:36 AM
Hello Wayne,
I suppose if the router is providing the communication between the vlans it seems possible.
Regarding your config:
interface Vlan20 (uplink to rtr)
 ip address x.x.x.x 255.255.255.192
 ! secondary address for vlan 10
 ip address x.x.x.x y.y.y.y secondary
 ! secondary address for vlan 30
 ip address x.x.x.x y.y.y.y secondary
 private-vlan mapping 10,30
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
03-22-2013 08:28 AM
Thanks for the reply Paul,
I did some more testing yesterday, and just tried to add another promiscuous port on the primary switch (configured for vlan 20, same as the primary vlan) to connect to a promiscuous port configured the same on the secondary switch. Then I configured the host ports on the secondary sw the same as the host ports on the primary sw. Then of course mapped/associated them to that port, in hopes that the primary sw's main promiscuous port would forward and receive any L2 traffic to the second promiscuous port in the same vlan...just as it would the host ports, so any L2 traffic would get passed down to/from hosts on the secondary traffic. But with no luck. The promiscuous ports' protocol would never come up.
As far as what I posted earlier, I think you are right...I would have to carve out more IP space for vlan 30, but even then, for that to pass through the primary sw up to the router, which has a routed interface, that router connection would have to be configured for virtual interfaces, being that at that point you are routing different subnets...or can you assign those vlans secondary IPs in that same subnet? I haven't messed with that.
In any case, this is a lot of work just to avoid trunking. I think I am going to have to sit down with management and just push for trunking. The security stance was put up for a vulnerability identified (I am assuming long ago) because of vlan hopping, which can be nullified by native vlan tagging, so I think my effort is better served pushing that. Thanks again Paul
03-22-2013 08:55 AM
Hello wayne,
Cheers for the feedback,
FYI - the vlan 20/30 would need an IP address assigned, but only to the primary pvlan SVI, to allow the secondaries to communicate with each other.
Trunking would be good, and as for the security aspect of it: these trunks can be filtered to just allow certain vlans to cross, and to avoid double tagging and vlan hopping the native vlan can be tagged also.
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
03-22-2013 01:58 PM
One Last question Paul,
From reading online I see that I should be able to configure the trunk port as "switchport mode private-vlan trunk secondary" / "trunk promiscuous". Not clear on which one I should be using, trunk secondary or trunk promiscuous.
Finally, I don't get those options when trying to configure the switchport mode on the interface. Possibly because the IOS version on the 3750 hasn't been updated. Not sure what version it is..12.2? I will have to check that, but I was surprised I didn't see the options; I figured I would see them even with an older IOS version running on the 3750. Could there be a configuration setting that is preventing those options from being available? Thanks again for the help!
03-22-2013 03:21 PM
Hello
Not too sure, but I think "switchport mode private-vlan trunk secondary" / "trunk promiscuous"
is for 4500+ switches.
Need to verify this.
Thanks for the rating, and if you want any further assistance with this, inbox me and we can work on it.
res
paul
Sent from Cisco Technical Support Android App
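A worked configuration of the trunked design Paul recommends (allowed-VLAN list filtered to the PVLAN pair, native VLAN tagged and set to an unused VLAN), added here as an example and not the configuration of either poster. It uses a plain 802.1Q trunk between the two 3750Es rather than the private-vlan trunk modes asked about above, whose availability on the 3750 the thread leaves unverified; the port numbers, VLAN 999, the placeholder addresses and the VTP/DTP settings are assumptions.

```cisco
! Parent (existing) C3750E. Private VLANs on this platform require VTP
! transparent mode; the trunk to the child carries only primary 20 and
! isolated secondary 10, and VLAN 999 is an unused VLAN reserved as native.
vtp mode transparent
vlan 10
 private-vlan isolated
vlan 20
 private-vlan primary
 private-vlan association 10
vlan 999
 name UNUSED-NATIVE
! Tag native-VLAN frames on all trunks (where the IOS image supports it);
! keeping 999 out of the allowed list already drops untagged frames.
vlan dot1q tag native
interface range GigabitEthernet1/0/1 - 22
 switchport private-vlan host-association 20 10
 switchport mode private-vlan host
interface GigabitEthernet1/0/23
 description trunk to child switch (primary 20 + secondary 10 only)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
interface GigabitEthernet1/0/24
 description promiscuous port to the router's routed interface
 switchport private-vlan mapping 20 10
 switchport mode private-vlan promiscuous
interface Vlan20
 ip address x.x.x.x 255.255.255.192
 private-vlan mapping 10
!
! Child switch: the same VLAN definitions (each switch keeps its own copy
! under VTP transparent), host ports only, and the matching trunk uplink.
! Its isolated hosts reach the router through the parent's promiscuous port.
vtp mode transparent
vlan 10
 private-vlan isolated
vlan 20
 private-vlan primary
 private-vlan association 10
vlan 999
vlan dot1q tag native
interface range GigabitEthernet1/0/1 - 23
 switchport private-vlan host-association 20 10
 switchport mode private-vlan host
interface GigabitEthernet1/0/24
 description trunk uplink to parent switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
```

Verify with `show vlan private-vlan` on both switches and `show interfaces trunk` on the uplinks: the trunk should list only VLANs 10 and 20 as allowed and active, with 999 as native.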