PVLANs and "daisy-chained" switches

We have a few C3750E switches in our environment. To lock down host L2 traffic between each host we utilize PVLANs. Due to the requirements presented we cannot do any trunking with the primary VLANs, so each promiscuous port has its dedicated physical routed interface on the router. Within this design, scalability is an issue and now we are out of ports on the router to facilitate the uplinks. As new equipment and requirements are added, management now wants to hang additional switches (also using PVLANs) off of the current switches running the PVLAN. This is not my design; I am just trying to provide a solution with what is currently in effect. I guess my question is, is there a way to "daisy-chain" switches and still have the security with the PVLANs on both the "child" sw and the "parent" sw? I have done some initial testing, but with them both locked down with PVLAN, and using one of the host (PVLAN) ports as the uplink for the "child" sw, it doesn't work. Which is what I would expect, given how PVLANs work; however, if I wipe the "child" sw and leave it as a "dumb" sw it works, but then of course the security aspect is taken away. So, given these requirements, does anyone know a way to make two "daisy-chained" switches function with PVLAN running with one promiscuous port off the parent sw to the router? Thanks for your time/help.

-Wayne



Hello Wayne.

I have really grasped this daisy chain setup and why you're not able to trunk between the two switches.
Could you post the config?

Res
Paul

Sent from Cisco Technical Support iPad App


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks for the reply. It's not that we "can't" trunk between the switches, but it was a security posture dictated by management. No trunking, so for each primary VLAN there is a physical connection up to the routed interface. They want to hang another switch off the existing user sw that is running PVLANs. Can the new switch that will be hanging off the existing switch (w/ PVLANs) run PVLANs as well? Will this work with PVLANs configured? I can't post the config, but this is an example of how it's set up.

vlan 10
 private-vlan isolated

vlan 20
 private-vlan primary
 private-vlan association 10

Gi1/0/1 - 23
 switchport private-vlan host-association 20 10
 switchport private-vlan mapping 20 10
 switchport mode private-vlan host

Gi1/0/24
 switchport private-vlan mapping 20 10
 switchport mode private-vlan promiscuous

interface vlan20 (uplink to rtr)
 ip address x.x.x.x 255.255.255.192
 private-vlan mapping 10

Can I hang a new switch with its ports configured as private-vlan host ports off of one of the host ports on the current sw? I haven't seen anything in the documentation where it says it can't work, but I haven't had any success. My thinking...

Exist. SW: (Uplink port for "New sw" - Host Port - gi1/0/1) vlan 10 --mapped---> (Uplink to rtr - Prom Port - gi1/0/24) vlan 20

New SW: (Host Ports) vlan 30 --mapped---> (Uplink port to "existing sw" - Prom Port) vlan 10

Hope this clarifies.

Thanks

Hello Wayne,

I suppose if the router is providing the communication between the VLANs it seems possible.

Regarding your config:

  • switch VTP mode needs to be transparent
  • on the SVI you may need to add secondary IPs for VLAN 10/30 if the primary doesn't cover them

interface vlan20 (uplink to rtr)
 ip address x.x.x.x 255.255.255.192
 ip address x.x.x.x y.y.y.y secondary   ! vlan 10
 ip address x.x.x.x y.y.y.y secondary   ! vlan 30
 private-vlan mapping 10,30

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.


Thanks for the reply Paul,

I did some more testing yesterday, and just tried to add another promiscuous port on the primary switch (configured for vlan 20, same as the primary VLAN) to connect to a promiscuous port configured the same on the secondary switch. Then I configured the host ports on the secondary sw the same as the host ports on the primary sw. Then of course I mapped/associated them to that port, in hopes that the primary sw's main promiscuous port would forward and receive any L2 traffic to the second promiscuous port in the same VLAN... just as it would the host ports, so any L2 traffic would get passed down to/from hosts on the secondary switch. But with no luck. The promiscuous ports' protocol would never come up.

As far as what I posted earlier, I think you are right... I would have to carve out more IP space for vlan 30, but even then, for that to pass through the primary sw up to the router, which has a routed interface, that router connection would have to be configured for virtual interfaces, since at that point you are routing different subnets... or can you assign those VLANs secondary IPs in that same subnet? I haven't messed with that.

In any case, this is a lot of work just to avoid trunking. I think I am going to have to sit down with management and just push for trunking. The security stance was put up for a vulnerability identified (I am assuming long ago) because of VLAN hopping, which can be nullified by native VLAN tagging, so I think my effort is better served pushing that. Thanks again, Paul.

Hello Wayne,

Cheers for the feedback.

FYI - vlan 20/30 would need an IP address assigned, but only to the primary PVLAN SVI, to allow the secondaries to communicate with each other.

Trunking would be good, and as for the security aspect of it: these trunks can be filtered to allow only certain VLANs to cross, and to avoid double tagging and VLAN hopping the native VLAN can be tagged also.

res

Paul

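Paul's checklist above (VTP transparent, every secondary mapped on the SVI) and his point about filtering trunks are the kind of thing that is easy to get wrong by hand, so here is a small static checker for an IOS-style PVLAN config. This is an added example, not code from the original thread or from Cisco; the sample config is constructed in the spirit of Wayne's posted config, and the secondary IPs, vlan 30 as a community VLAN, and the trunk stanza are assumptions. It flags a promiscuous port or primary SVI that omits an associated secondary, a host port bound to a VLAN pair that was never associated, a trunk with no allowed-VLAN list, and missing `vtp mode transparent` / `vlan dot1q tag native`.

```python
"""Static checks for an IOS-style private-VLAN config (added example)."""
import re

# Constructed sample: vlan 30 is added as a second secondary and Gi1/0/25 as a
# trunk so the checks have something to report. Addresses are documentation IPs.
SAMPLE_CONFIG = """
vtp mode transparent
vlan dot1q tag native
vlan 10
 private-vlan isolated
vlan 30
 private-vlan community
vlan 20
 private-vlan primary
 private-vlan association 10,30
interface GigabitEthernet1/0/1
 switchport private-vlan host-association 20 10
 switchport mode private-vlan host
interface GigabitEthernet1/0/2
 switchport private-vlan host-association 20 30
 switchport mode private-vlan host
interface GigabitEthernet1/0/24
 switchport private-vlan mapping 20 10
 switchport mode private-vlan promiscuous
interface GigabitEthernet1/0/25
 switchport mode trunk
interface Vlan20
 ip address 192.0.2.1 255.255.255.192
 private-vlan mapping 10
"""


def parse_config(text):
    """Walk the config line by line, remembering which vlan/interface stanza we are in."""
    cfg = {"vtp_transparent": False, "tag_native": False, "vlans": {}, "interfaces": {}}
    stanza, kind = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "vtp mode transparent":
            cfg["vtp_transparent"] = True
        elif line == "vlan dot1q tag native":
            cfg["tag_native"] = True
        elif m := re.fullmatch(r"vlan (\d+)", line):
            stanza = cfg["vlans"].setdefault(m.group(1), {"role": None, "assoc": set()})
            kind = "vlan"
        elif m := re.fullmatch(r"interface (\S+)", line):
            stanza = cfg["interfaces"].setdefault(m.group(1), {
                "mode": None, "host_assoc": None, "mapping": None,
                "svi_mapping": None, "allowed": None})
            kind = "intf"
        elif kind == "vlan":
            if m := re.fullmatch(r"private-vlan (primary|isolated|community)", line):
                stanza["role"] = m.group(1)
            elif m := re.fullmatch(r"private-vlan association (?:add )?([\d,]+)", line):
                stanza["assoc"].update(m.group(1).split(","))
        elif kind == "intf":
            if m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line):
                stanza["mode"] = m.group(1)
            elif m := re.fullmatch(r"switchport mode (trunk|access)", line):
                stanza["mode"] = m.group(1)
            elif m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line):
                stanza["host_assoc"] = (m.group(1), m.group(2))
            elif m := re.fullmatch(r"switchport private-vlan mapping (\d+) (?:add )?([\d,]+)", line):
                stanza["mapping"] = (m.group(1), set(m.group(2).split(",")))
            elif m := re.fullmatch(r"switchport trunk allowed vlan (?:add )?(\S+)", line):
                stanza["allowed"] = m.group(1)
            elif m := re.fullmatch(r"private-vlan mapping (?:add )?([\d,]+)", line):
                stanza["svi_mapping"] = set(m.group(1).split(","))  # SVI of the primary
    return cfg


def check_pvlan(cfg):
    """Return a list of human-readable findings; an empty list means the config is consistent."""
    findings = []
    vlans = cfg["vlans"]
    if not cfg["vtp_transparent"]:
        findings.append("global: 'vtp mode transparent' missing; private VLANs require it")
    if not cfg["tag_native"]:
        findings.append("global: 'vlan dot1q tag native' missing; untagged native-VLAN frames are accepted on trunks")

    def secondaries_of(primary):
        v = vlans.get(primary)
        return v["assoc"] if v and v["role"] == "primary" else None

    for name, i in cfg["interfaces"].items():
        if i["mode"] == "host" and i["host_assoc"]:
            p, s = i["host_assoc"]
            secs = secondaries_of(p)
            if secs is None:
                findings.append(f"{name}: host-association references {p}, which is not a primary VLAN")
            elif s not in secs:
                findings.append(f"{name}: secondary {s} is not associated with primary {p}")
        if i["mode"] == "promiscuous" and i["mapping"]:
            p, mapped = i["mapping"]
            for s in sorted((secondaries_of(p) or set()) - mapped, key=int):
                findings.append(f"{name}: promiscuous mapping omits secondary {s}; its hosts cannot reach the uplink")
        if i["svi_mapping"] is not None and name.lower().startswith("vlan"):
            for s in sorted((secondaries_of(name[4:]) or set()) - i["svi_mapping"], key=int):
                findings.append(f"{name}: SVI private-vlan mapping omits secondary {s}")
        if i["mode"] == "trunk" and i["allowed"] is None:
            findings.append(f"{name}: trunk carries all VLANs; restrict it with 'switchport trunk allowed vlan'")
    return findings


if __name__ == "__main__":
    for finding in check_pvlan(parse_config(SAMPLE_CONFIG)):
        print("finding:", finding)
```

Run against the sample it reports three findings: the promiscuous port Gi1/0/24 and the Vlan20 SVI both map only secondary 10 (so vlan 30 hosts would be stranded, which is exactly the `private-vlan mapping 10,30` fix Paul suggested), and the trunk on Gi1/0/25 has no allowed-VLAN list. Paste the output of `show running-config` in place of `SAMPLE_CONFIG` to check a real switch; only the commands matched above are interpreted, everything else is ignored.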

One Last question Paul,

From reading online I see that I should be able to configure the trunk port as "switchport mode private-vlan trunk secondary / trunk promiscuous". Not clear on which one I should be using, trunk secondary or trunk promiscuous.

Finally, I don't get those options when trying to configure the switchport mode on the interface. Possibly because the IOS version on the 3750 hasn't been updated. Not sure what version it is... 12.2? I will have to check that, but I was surprised I didn't see the options; I figured I would see them even with an older IOS version running on the 3750. Could there be a configuration setting that is preventing those options from being available? Thanks again for the help!

Hello

Not too sure, but I think "switchport mode private-vlan trunk secondary / trunk promiscuous"

is for 4500+ switches.

Need to verify this.


Thanks for the rating, and if you want any further assistance with this inbox me and we can work on it.

res
Paul

Sent from Cisco Technical Support Android App
