Hi Bryan
Thanks for posting the configurations.
I did some investigation and this is what I learnt. The problem is
that I don't have a 3560 to verify end to end. Hence, based on my
understanding, I have put the configurations below. I will later do
it in the lab.
Please let me know if I am missing something.
The PVLANs can be trunked using the following ways:
1) Using normal trunks - here the PVLANs are considered as normal
vlans and trunked.
2) Using PVLANs trunks.
Switch A
SwitchA(config)# interface fastethernet 4/3
SwitchA(config-if)# switchport mode private-vlan trunk promiscuous
SwitchA(config-if)# switchport private-vlan mapping trunk 100, 201-202
Switch B
Switch(config)# interface fastethernet 5/2
Switch(config-if)# switchport mode private-vlan trunk secondary
Switch(config-if)# switchport private-vlan trunk allowed vlan 201,202
Switch(config-if)# switchport private-vlan association trunk 100, 201-202
With regards
Kingsley Charles
On Fri, Jan 8, 2010 at 10:32 AM, Bryan Bartik <[email protected]>
wrote:
Sure, here is the relevant portion of SW1 and SW2. I was just
playing with this a couple days ago, still fresh on my rack :)
Topology:
R1/R3----SW1----SW2----R2
R1 is on f0/1
R3 is on f0/3
R2 is on f0/2
Trunk is on f0/13
Configuration:
SW1:
vlan 100
private-vlan primary
private-vlan association 101
!
vlan 101
private-vlan isolated
!
interface FastEthernet0/1
switchport private-vlan host-association 100 101
switchport mode private-vlan host
spanning-tree portfast
!
interface FastEthernet0/3
switchport private-vlan host-association 100 101
switchport mode private-vlan host
spanning-tree portfast
!
interface FastEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
SW2:
vlan 100
private-vlan primary
private-vlan association 101
!
vlan 101
private-vlan isolated
!
interface FastEthernet0/2
switchport private-vlan mapping 100 101
switchport mode private-vlan promiscuous
!
interface FastEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
Verification:
R1 pings R2:
R1#ping 192.168.120.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.120.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms
R1#
R3 pings R2:
R3#ping 192.168.120.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.120.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms
R3#
R1 cannot ping R3:
R1#ping 192.168.120.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.120.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#
On Thu, Jan 7, 2010 at 9:20 PM, Kingsley Charles <[email protected]> wrote:
Exactly Bryan, that was the scenario that I was talking about.
PVLANs across switches.
Can you please paste your configs.
With regards
Kings
On Thu, Jan 7, 2010 at 9:20 PM, Bryan Bartik <[email protected]>
wrote:
Charles,
Not sure exactly what you mean but here is a scenario I was
practicing with, with no special configuration on the trunk between
the 3560s.
2 devices in isolated vlan 101 ----> 3560 ----> 3560 -----> Router
in primary vlan 100 (with association to secondary vlan 101)
The two devices could only communicate with the router and not each
other.
Is this the type of scenario you are talking about?
On Thu, Jan 7, 2010 at 7:42 AM, Kingsley Charles <[email protected]> wrote:
Hi Tyson
I too was in the same lines but the following surprised me and hence
I am preparing for PVLANs :-(
| Catalyst Platform | PVLAN Supported Minimum Software Version | Isolated VLAN | PVLAN Edge (Protected Port) | Community VLAN |
|---|---|---|---|---|
| Catalyst 6500/6000 - Hybrid mode (CatOS on Supervisor and Cisco IOS® on MSFC) | 5.4(1) on Supervisor and 12.0(7)XE1 on MSFC | Yes | Not Supported | Yes |
| Catalyst 6500/6000 - Native mode (Cisco IOS® System software on both Supervisor and MSFC) | 12.1(8a)EX, 12.1(11b)E1 and later. | Yes | Not Supported | Yes |
| Catalyst 5500/5000 | Not Supported | Not Supported | Not Supported | Not Supported |
| Catalyst 4500/4000 - CatOS | 6.2(1) | Yes | Not Supported | Yes |
| Catalyst 4500/4000 - Cisco IOS | 12.1(8a)EW | Yes | Not Supported | Yes. 12.2(20)EW onwards. |
| Catalyst 3550 | Not Supported | Not Supported | Yes. 12.1(4)EA1 onwards. | Not Supported |
| Catalyst 2950 | Not Supported | Not Supported | Yes. 12.0(5.2)WC1, 12.1(4)EA1 and later. | Not Supported |
| Catalyst 2900XL/3500XL | Not Supported | Not Supported | Yes. 12.0(5)XU (on 8MB switches only) onwards. | Not Supported |
| Catalyst 2948G-L3 / 4908G-L3 | Not Supported | Not Supported | Not Supported | Not Supported |
| Catalyst 1900 | Not Supported | Not Supported | Not Supported | Not Supported |
| Catalyst 8500 | Not Supported | Not Supported | Not Supported | Not Supported |
| Catalyst 3560 | 12.2(20)SE - EMI | Yes | Yes. 12.1(19)EA1 onwards. | Yes |
| Catalyst 3750 | 12.2(20)SE - EMI | Yes | Yes. 12.1(11)AX onwards. | Yes |
| Catalyst 3750 Metro | 12.2(25)EY - EMI | Yes | Yes. 12.1(14)AX onwards. | Yes |
| Catalyst 2940 | Not Supported | Not Supported | Yes. 12.1(13)AY onwards. | Not Supported |
| Catalyst 2948G/2980G | 6.2 | Yes | Not Supported | Yes |
| Catalyst 2955 | Not Supported | Not Supported | Yes. 12.1(6)EA2 onwards. | Not Supported |
| Catalyst 2970 | Not Supported | Not Supported | Yes. 12.1(11)AX onwards. | Not Supported |
| Catalyst 2960 | Not Supported | Not Supported | Yes. 12.2(25)FX and later. | Not Supported |
| Catalyst Express 500 | Not Supported | Not Supported | Not Supported | Not Supported |
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml
With regards
Kings
On Thu, Jan 7, 2010 at 8:03 PM, Tyson Scott <[email protected]>
wrote:
I thought you were asking about trunking between switches. Private
VLAN support on a trunk port is not supported on the 3560's
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
IPexpert is a premier provider of Classroom and Self-Study Cisco
CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice,
Security & Service Provider) Certification Training with locations
throughout the United States, Europe and Australia. Be sure to check
out our online communities at www.ipexpert.com/communities and our
public website at www.ipexpert.com
From: Kingsley Charles [mailto:[email protected]]
Sent: Thursday, January 07, 2010 9:30 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Private vlans
Hi Tyson
Please find the commands below. But I am not clear on where to use
"switchport mode private-vlan trunk promiscuous" and
"switchport mode private-vlan trunk secondary"
Switch(config-if)# switchport mode private-vlan trunk promiscuous
Switch(config-if)# switchport private-vlan trunk native vlan 10
Switch(config-if)# switchport private-vlan trunk allowed vlan 10, 3-4
Switch(config-if)# switchport private-vlan mapping trunk 3 301, 302
Switch(config-if)# switchport mode private-vlan trunk secondary
Switch(config-if)# switchport private-vlan trunk native vlan 10
Switch(config-if)# switchport private-vlan trunk allowed vlan 10, 3-4
Switch(config-if)# switchport private-vlan association trunk 3 301
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html#wp1158145
With regards
Kings
On Thu, Jan 7, 2010 at 7:45 PM, Kingsley Charles <[email protected]> wrote:
Hi Tyson
I am not getting the commands but in the Cisco site, I saw that we
have separate switchport trunking commands for primary and secondary
vlans.
I am still searching
With regards
Kings
On Thu, Jan 7, 2010 at 7:40 PM, Tyson Scott <[email protected]>
wrote:
It is just as normal trunking. You just need to configure the
VLAN's on each switch with the necessary parameters.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
From: [email protected]
[mailto:[email protected]] On Behalf Of
Kingsley Charles
Sent: Thursday, January 07, 2010 8:58 AM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] Private vlans
I have an understanding of PVLAN trunking, but with some confusion.
Can someone please explain how PVLAN trunking works and the necessary
commands to enable private primary and secondary vlan trunking?
With regards
Kingsley Charles
On Thu, Jan 7, 2010 at 7:05 PM, Kingsley Charles <[email protected]> wrote:
Hi all
I am trying to configure private PVLANS. Here vlan 4 is the private
vlan and 5,6 are secondary vlans.
Please let me know, if the below configuration is fine:
Switch(config)#vlan 4
Switch(config-vlan)#private-vlan primary
Switch(config)#vlan 5
Switch(config-vlan)#private-vlan community
Switch(config)#vlan 6
Switch(config-vlan)#private-vlan isolated
Switch(config)#vlan 4
Switch(config-vlan)#private-vlan association 5-6
Switch(config)#int f0/1
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 4 5-6
Switch(config)#int f0/2
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#switchport private-vlan host-association 4 5
Switch(config)#int f0/3
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#switchport private-vlan host-association 4 6
Switch(config)#int vlan 4
Switch(config-if)#private-vlan mapping 4 5-6
With regards
Kingsley Charles
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com
--
Bryan Bartik
CCIE #23707 (R&S, SP), CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
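
The SW1/SW2 scenario from the thread (isolated hosts on one switch, promiscuous port on the other, normal 802.1Q trunk between them), modelled as an added example that is not part of the original messages or of any Cisco tooling. It parses both configurations, refuses to continue if the switches disagree on PVLAN types (which the normal-trunk approach relies on), and derives which ports can communicate. The function names and the one-secondary-VLAN-per-port parsing are assumptions of this example.

```python
import re
from itertools import combinations
# Constructed from the thread's SW1/SW2 excerpts; the plain f0/13 trunk is omitted.
VLANS = """vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
"""
SW1 = VLANS + """interface FastEthernet0/1
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
interface FastEthernet0/3
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
"""
SW2 = VLANS + """interface FastEthernet0/2
 switchport private-vlan mapping 100 101
 switchport mode private-vlan promiscuous
"""

def parse(cfg):  # -> ({vlan: type}, {interface: {role, primary, secondary}})
    vlans, ports, ctx = {}, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"(?:vlan|interface) (\S+)", line):
            ctx = m[1]
        elif m := re.match(r" private-vlan (primary|isolated|community)$", line):
            vlans[int(ctx)] = m[1]
        elif m := re.match(r" switchport private-vlan (?:host-association|mapping) (\d+) (\d+)$", line):
            ports.setdefault(ctx, {}).update(primary=int(m[1]), secondary=int(m[2]))
        elif m := re.match(r" switchport mode private-vlan (host|promiscuous)$", line):
            ports.setdefault(ctx, {})["role"] = m[1]
    return vlans, ports

def can_talk(a, b, vlans):
    """PVLAN forwarding rule for two ports, on the same or different switches."""
    if a["primary"] != b["primary"]:
        return False
    if "promiscuous" in (a["role"], b["role"]):
        return a["role"] == b["role"] or a["secondary"] == b["secondary"]
    return a["secondary"] == b["secondary"] and vlans.get(a["secondary"]) == "community"

def audit(sw1, sw2):
    """Reachability per port pair; raises if the switches' PVLAN types differ."""
    (v1, p1), (v2, p2) = parse(sw1), parse(sw2)
    if v1 != v2:
        raise ValueError("PVLAN definitions differ between switches")
    ports = {f"SW1 {p}": d for p, d in p1.items()} | {f"SW2 {p}": d for p, d in p2.items()}
    return {(a, b): can_talk(ports[a], ports[b], v1) for a, b in combinations(sorted(ports), 2)}
```

`audit(SW1, SW2)` reproduces the ping results in the thread: both hosts reach the promiscuous port on SW2, and the two isolated hosts cannot reach each other.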