Hi Bryan

Thanks for posting the configurations.

I did some investigations and this is what I learnt. The problem is that I don't have a 3560 to verify end to end. Hence, based on my understanding, I have put the configurations below. I will later do it in the lab. Please let me know if I am missing something.

The PVLANs can be trunked in the following ways:

1) Using normal trunks - here the PVLANs are considered as normal VLANs and trunked.
2) Using PVLAN trunks.

Switch A

SwitchA(config)# interface fastethernet 4/3
SwitchA(config-if)# switchport mode private-vlan trunk promiscuous
SwitchA(config-if)# switchport private-vlan mapping trunk 100, 201-202

Switch B

Switch(config)# interface fastethernet 5/2
Switch(config-if)# switchport mode private-vlan trunk secondary
Switch(config-if)# switchport private-vlan trunk allowed vlan 201,202
Switch(config-if)# switchport private-vlan association trunk 100, 201-202

With regards
Kingsley Charles

On Fri, Jan 8, 2010 at 10:32 AM, Bryan Bartik <[email protected]> wrote:

> Sure, here is the relevant portion of SW1 and SW2. I was just playing with
> this a couple days ago, still fresh on my rack :)
>
> Topology:
>
> R1/R3----SW1----SW2----R2
>
> R1 is on f0/1
> R3 is on f0/3
> R2 is on f0/2
> Trunk is on f0/13
>
> Configuration:
>
> SW1:
>
> vlan 100
>  private-vlan primary
>  private-vlan association 101
> !
> vlan 101
>  private-vlan isolated
> !
> interface FastEthernet0/1
>  switchport private-vlan host-association 100 101
>  switchport mode private-vlan host
>  spanning-tree portfast
> !
> interface FastEthernet0/3
>  switchport private-vlan host-association 100 101
>  switchport mode private-vlan host
>  spanning-tree portfast
> !
> interface FastEthernet0/13
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>
> SW2:
>
> vlan 100
>  private-vlan primary
>  private-vlan association 101
> !
> vlan 101
>  private-vlan isolated
> !
> interface FastEthernet0/2
>  switchport private-vlan mapping 100 101
>  switchport mode private-vlan promiscuous
> !
> interface FastEthernet0/13
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>
> Verification:
>
> R1 pings R2:
>
> R1#ping 192.168.120.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.120.2, timeout is 2 seconds:
> .!!!!
> Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms
> R1#
>
> R3 pings R2:
>
> R3#ping 192.168.120.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.120.2, timeout is 2 seconds:
> .!!!!
> Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms
> R3#
>
> R1 cannot ping R3:
>
> R1#ping 192.168.120.3
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.120.3, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> R1#
>
> On Thu, Jan 7, 2010 at 9:20 PM, Kingsley Charles <[email protected]> wrote:
>
>> Exactly Bryan, that was the scenario that I was talking about. PVLANs
>> across switches.
>>
>> Can you please paste your configs.
>>
>> With regards
>> Kings
>>
>> On Thu, Jan 7, 2010 at 9:20 PM, Bryan Bartik <[email protected]> wrote:
>>
>>> Charles,
>>>
>>> Not sure exactly what you mean but here is a scenario I was practicing
>>> with, with no special configuration on the trunk between the 3560s.
>>>
>>> 2 devices in isolated vlan 101 ----> 3560 ----> 3560 -----> Router in
>>> primary vlan 100 (with association to secondary vlan 101)
>>>
>>> The two devices could only communicate with the router and not each
>>> other.
>>>
>>> Is this the type of scenario you are talking about?
>>>
>>> On Thu, Jan 7, 2010 at 7:42 AM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> Hi Tyson
>>>>
>>>> I too was along the same lines but the following surprised me and hence I
>>>> am preparing for PVLANs :-(
>>>>
>>>> | Catalyst Platform | PVLAN Supported Minimum Software Version | Isolated VLAN | PVLAN Edge (Protected Port) | Community VLAN |
>>>> |---|---|---|---|---|
>>>> | Catalyst 6500/6000 - Hybrid mode (CatOS on Supervisor and Cisco IOS® on MSFC) <http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper09186a00800c8441.html> | 5.4(1) on Supervisor and 12.0(7)XE1 on MSFC | Yes | Not Supported | Yes |
>>>> | Catalyst 6500/6000 - Native mode (Cisco IOS® System software on both Supervisor and MSFC) <http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper09186a00800c8441.html> | 12.1(8a)EX, 12.1(11b)E1 and later. | Yes | Not Supported | Yes |
>>>> | Catalyst 5500/5000 | Not Supported | Not Supported | Not Supported | Not Supported |
>>>> | Catalyst 4500/4000 - CatOS <http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/8.1/configuration/guide/vlans.html#wp1028273> | 6.2(1) | Yes | Not Supported | Yes |
>>>> | Catalyst 4500/4000 - Cisco IOS <http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/pvlans.html> | 12.1(8a)EW | Yes | Not Supported | Yes. 12.2(20)EW onwards. |
>>>> | Catalyst 3550 <http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_se/configuration/guide/swtrafc.html> | Not Supported | Not Supported | Yes. 12.1(4)EA1 onwards. | Not Supported |
>>>> | Catalyst 2950 <http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea2/configuration/guide/swtrafc.html> | Not Supported | Not Supported | Yes. 12.0(5.2)WC1, 12.1(4)EA1 and later. | Not Supported |
>>>> | Catalyst 2900XL/3500XL <http://www.cisco.com/en/US/docs/switches/lan/catalyst2900xl_3500xl/release12.0_5_wc5/swg/swports.html> | Not Supported | Not Supported | Yes. 12.0(5)XU (on 8MB switches only) onwards. | Not Supported |
>>>> | Catalyst 2948G-L3 / 4908G-L3 | Not Supported | Not Supported | Not Supported | Not Supported |
>>>> | Catalyst 1900 | Not Supported | Not Supported | Not Supported | Not Supported |
>>>> | Catalyst 8500 | Not Supported | Not Supported | Not Supported | Not Supported |
>>>> | Catalyst 3560 <http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_20_se/configuration/guide/swpvlan.html> | 12.2(20)SE - EMI | Yes | Yes. 12.1(19)EA1 onwards. | Yes |
>>>> | Catalyst 3750 <http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swpvlan.html> | 12.2(20)SE - EMI | Yes | Yes. 12.1(11)AX onwards. | Yes |
>>>> | Catalyst 3750 Metro <http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_25_seg_seg1/configuration/guide/swpvlan.html> | 12.2(25)EY - EMI | Yes | Yes. 12.1(14)AX onwards. | Yes |
>>>> | Catalyst 2940 <http://www.cisco.com/en/US/docs/switches/lan/catalyst2940/software/release/12.1_19_ea1/configuration/guide/swtrafc.html> | Not Supported | Not Supported | Yes. 12.1(13)AY onwards. | Not Supported |
>>>> | Catalyst 2948G/2980G <http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/6.3and6.4/configuration/guide/vlans.html> | 6.2 | Yes | Not Supported | Yes |
>>>> | Catalyst 2955 <http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea2/configuration/guide/swtrafc.html> | Not Supported | Not Supported | Yes. 12.1(6)EA2 onwards. | Not Supported |
>>>> | Catalyst 2970 <http://www.cisco.com/en/US/docs/switches/lan/catalyst2970/software/release/12.2_25_se/configuration/guide/swtrafc.html> | Not Supported | Not Supported | Yes. 12.1(11)AX onwards. | Not Supported |
>>>> | Catalyst 2960 <http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_see/configuration/guide/swtrafc.html> | Not Supported | Not Supported | Yes. 12.2(25)FX and later. | Not Supported |
>>>> | Catalyst Express 500 | Not Supported | Not Supported | Not Supported | Not Supported |
>>>>
>>>> http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Thu, Jan 7, 2010 at 8:03 PM, Tyson Scott <[email protected]> wrote:
>>>>
>>>>> I thought you were asking about trunking between switches. Private
>>>>> VLAN support on a trunk port is not supported on the 3560's
>>>>>
>>>>> Regards,
>>>>>
>>>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>>>> Technical Instructor - IPexpert, Inc.
>>>>> Mailto: [email protected]
>>>>> Telephone: +1.810.326.1444, ext. 208
>>>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>>>> eFax: +1.810.454.0130
>>>>>
>>>>> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
>>>>> (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security &
>>>>> Service Provider) Certification Training with locations throughout the
>>>>> United States, Europe and Australia. Be sure to check out our online
>>>>> communities at www.ipexpert.com/communities and our public website at
>>>>> www.ipexpert.com
>>>>>
>>>>> From: Kingsley Charles [mailto:[email protected]]
>>>>> Sent: Thursday, January 07, 2010 9:30 AM
>>>>> To: Tyson Scott
>>>>> Cc: [email protected]
>>>>> Subject: Re: [OSL | CCIE_Security] Private vlans
>>>>>
>>>>> Hi Tyson
>>>>>
>>>>> Please find the commands below. But I am not clear on where to use
>>>>> "switchport mode private-vlan trunk promiscuous" and
>>>>> "switchport mode private-vlan trunk secondary"
>>>>>
>>>>> Switch(config-if)# switchport mode private-vlan trunk promiscuous
>>>>> Switch(config-if)# switchport private-vlan trunk native vlan 10
>>>>> Switch(config-if)# switchport private-vlan trunk allowed vlan 10, 3-4
>>>>> Switch(config-if)# switchport private-vlan mapping trunk 3 301, 302
>>>>>
>>>>> Switch(config-if)# switchport mode private-vlan trunk secondary
>>>>> Switch(config-if)# switchport private-vlan trunk native vlan 10
>>>>> Switch(config-if)# switchport private-vlan trunk allowed vlan 10, 3-4
>>>>> Switch(config-if)# switchport private-vlan association trunk 3 301
>>>>>
>>>>> http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html#wp1158145
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> On Thu, Jan 7, 2010 at 7:45 PM, Kingsley Charles <[email protected]> wrote:
>>>>>
>>>>> Hi Tyson
>>>>>
>>>>> I am not getting the commands but in the Cisco site, I saw that we have
>>>>> separate switchport trunking commands for primary and secondary vlans.
>>>>>
>>>>> I am still searching
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> On Thu, Jan 7, 2010 at 7:40 PM, Tyson Scott <[email protected]> wrote:
>>>>>
>>>>> It is just as normal trunking. You just need to configure the VLAN's
>>>>> on each switch with the necessary parameters.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>>>> Technical Instructor - IPexpert, Inc.
>>>>>
>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
>>>>> Sent: Thursday, January 07, 2010 8:58 AM
>>>>> To: [email protected]
>>>>> Subject: Re: [OSL | CCIE_Security] Private vlans
>>>>>
>>>>> I have an understanding on PVLAN trunking but with some confusions.
>>>>>
>>>>> Can someone please explain how PVLAN trunking works and the necessary
>>>>> commands to enable private primary and secondary vlan trunking.
>>>>>
>>>>> With regards
>>>>> Kingsley Charles
>>>>>
>>>>> On Thu, Jan 7, 2010 at 7:05 PM, Kingsley Charles <[email protected]> wrote:
>>>>>
>>>>> Hi all
>>>>>
>>>>> I am trying to configure private PVLANS. Here vlan 4 is the private
>>>>> vlan and 5,6 are secondary vlans.
>>>>>
>>>>> Please let me know, if the below configuration is fine:
>>>>>
>>>>> Switch(config)#vlan 4
>>>>> Switch(config-vlan)#private-vlan primary
>>>>>
>>>>> Switch(config)#vlan 5
>>>>> Switch(config-vlan)#private-vlan community
>>>>>
>>>>> Switch(config)#vlan 6
>>>>> Switch(config-vlan)#private-vlan isolated
>>>>>
>>>>> Switch(config)#vlan 4
>>>>> Switch(config-vlan)#private-vlan association 5-6
>>>>>
>>>>> Switch(config)#int f0/1
>>>>> Switch(config-if)#switchport mode private-vlan promiscuous
>>>>> Switch(config-if)#switchport private-vlan mapping 4 5-6
>>>>>
>>>>> Switch(config)#int f0/2
>>>>> Switch(config-if)#switchport mode private-vlan host
>>>>> Switch(config-if)#switchport private-vlan host-association 4 5
>>>>>
>>>>> Switch(config)#int f0/3
>>>>> Switch(config-if)#switchport mode private-vlan host
>>>>> Switch(config-if)#switchport private-vlan host-association 4 6
>>>>>
>>>>> Switch(config)#int vlan 4
>>>>> Switch(config-if)#private-vlan mapping 4 5-6
>>>>>
>>>>> With regards
>>>>> Kingsley Charles
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>
>>> --
>>> Bryan Bartik
>>> CCIE #23707 (R&S, SP), CCNP
>>> Sr. Support Engineer - IPexpert, Inc.
>>> URL: http://www.IPexpert.com <http://www.ipexpert.com/>
>
> --
> Bryan Bartik
> CCIE #23707 (R&S, SP), CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com <http://www.ipexpert.com/>
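The forwarding behaviour that Bryan's ping tests show, as an added example that is not part of the original thread: a small Python model that parses his PVLAN configuration and applies the isolated/community/promiscuous rules to pairs of ports. It goes beyond his isolated-only case by also handling community VLANs as in the first post's configuration. Assumptions: the SW1-/SW2- port name prefixes are constructed, and only host and promiscuous access ports are modelled, not the PVLAN trunk modes.

```python
# Constructed from Bryan's SW1/SW2 configs; SW1-/SW2- port prefixes are added here.
CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
interface SW1-Fa0/1
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
interface SW1-Fa0/3
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
interface SW2-Fa0/2
 switchport private-vlan mapping 100 101
 switchport mode private-vlan promiscuous
"""

def expand(spec):  # IOS VLAN list such as '5-6' or '301,302' -> set of ints
    ranges = (p.partition("-") for p in spec.split(","))
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def parse(config):
    """Return ({vlan: pvlan type}, {port: {mode, primary, secondary}})."""
    vlan_type, ports, vlan, port = {}, {}, None, None
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[0] == "vlan":
            vlan, port = int(w[1]), None
        elif w[0] == "interface":
            vlan, port = None, ports.setdefault(w[1], {})
        elif vlan is not None and w[0] == "private-vlan" and w[1] != "association":
            vlan_type[vlan] = w[1]
        elif port is not None and w[:3] == ["switchport", "mode", "private-vlan"]:
            port["mode"] = w[3]
        elif port is not None and w[:2] == ["switchport", "private-vlan"]:
            port["primary"], port["secondary"] = int(w[3]), expand("".join(w[4:]))
    return vlan_type, ports

def can_talk(vlan_type, ports, a, b):
    """Apply the PVLAN forwarding rules to two configured ports."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False
    if "promiscuous" in (pa["mode"], pb["mode"]):
        # A promiscuous port reaches hosts in every secondary VLAN mapped to it.
        return pa["secondary"] <= pb["secondary"] or pb["secondary"] <= pa["secondary"]
    # Two host ports: isolated never talk; community only within the same VLAN.
    same = pa["secondary"] == pb["secondary"]
    return same and all(vlan_type.get(v) == "community" for v in pa["secondary"])
```

Running `can_talk` over every pair of host ports in a real configuration gives a quick audit of which hosts are actually isolated from each other before the result is confirmed with pings in the lab.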
