Hi Tyson, Bryan's configuration was perfect.

I was just telling him the reason why he was seeing the primary VLAN alone on the promiscuous port. The mapping command instructs the promiscuous port which secondary VLANs it should receive and serve. Why do we need an association command under the host ports? What does it actually do? Please share your thoughts.

With regards
Kings

On Fri, Jan 8, 2010 at 9:55 PM, Tyson Scott <[email protected]> wrote:
> Kingsley,
>
> It is correct that the promiscuous port is going to run over the primary
> VLAN but the secondary VLANs still need to be mapped to the promiscuous
> ports. The configuration that Bryan put below is right on.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
> Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
> Provider) Certification Training with locations throughout the United
> States, Europe and Australia. Be sure to check out our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Friday, January 08, 2010 11:06 AM
> To: Bryan Bartik
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] Private vlans
>
> From the Cisco docs, this is what I understand.
>
> The isolated VLAN takes the traffic from isolated ports to the promiscuous
> ports.
>
> The community VLAN takes the traffic from a community port to other
> community ports and promiscuous ports.
>
> The primary VLAN takes the traffic from the promiscuous port to isolated or
> community ports.
>
> Hence, the promiscuous port will run on the primary VLAN only.
>
> But still, I may be wrong.
>
> With regards
> Kings
>
> On Fri, Jan 8, 2010 at 7:51 PM, Bryan Bartik <[email protected]> wrote:
> > Here is the new config, let me know if there is something I am missing. The
> > private vlan trunk commands of course do not exist, but this is what I see.
> >
> > R1 = SW1 f0/1 (promiscuous)
> > R3 = SW1 f0/3 (isolated 101)
> > R2 = SW2 f0/2 (isolated 101)
> >
> > R2 and R3 can ping R1, but not each other.
> >
> > SW1:
> >
> > vlan 100
> >  private-vlan primary
> >  private-vlan association 101
> > !
> > vlan 101
> >  private-vlan isolated
> > !
> > interface FastEthernet0/1
> >  switchport private-vlan mapping 100 101
> >  switchport mode private-vlan promiscuous
> > !
> > interface FastEthernet0/3
> >  switchport private-vlan host-association 100 101
> >  switchport mode private-vlan host
> > !
> > interface FastEthernet0/13
> >  switchport trunk encapsulation dot1q
> >  switchport mode trunk
> >
> > SW2:
> >
> > vlan 100
> >  private-vlan primary
> >  private-vlan association 101
> > !
> > vlan 101
> >  private-vlan isolated
> > !
> > interface FastEthernet0/2
> >  switchport private-vlan host-association 100 101
> >  switchport mode private-vlan host
> > !
> > interface FastEthernet0/13
> >  switchport trunk encapsulation dot1q
> >  switchport mode trunk
> >
> > Verification
> >
> > R2 pings R1:
> >
> > R2#ping 192.168.120.1
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 192.168.120.1, timeout is 2 seconds:
> > !!!!!
> > Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
> >
> > R3 pings R1:
> >
> > R3#ping 192.168.120.1
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 192.168.120.1, timeout is 2 seconds:
> > !!!!!
> > Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
> > R3#
> >
> > R2 cannot ping R3:
> >
> > R2#ping 192.168.120.3
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 192.168.120.3, timeout is 2 seconds:
> > .....
> > Success rate is 0 percent (0/5)
> > R2#
> >
> > The interesting thing I find is that spanning-tree for vlans 100 and 101
> > runs over the trunks, but only 100 runs over the host/promiscuous ports.
> > Let me know if there is a mistake I made somewhere.
> >
> > On Thu, Jan 7, 2010 at 10:29 PM, Marko Milivojevic <[email protected]> wrote:
> > > On Fri, Jan 8, 2010 at 06:02, Bryan Bartik <[email protected]> wrote:
> > > > Sure, here is the relevant portion of SW1 and SW2. I was just playing with
> > > > this a couple days ago, still fresh on my rack :)
> > > >
> > > > Topology:
> > > >
> > > > R1/R3----SW1----SW2----R2
> > > >
> > > > R1 is on f0/1
> > > > R3 is on f0/3
> > > > R2 is on f0/2
> > > > Trunk is on f0/13
> > >
> > > Try this:
> > >
> > > Make R1 promiscuous and have R2 and R3 isolated. See if R2 and R3 can ping
> > > each other ...
> > >
> > > --
> > > Marko Milivojevic - CCIE #18427
> > > Senior Technical Instructor - IPexpert
> > >
> > > Mailto: [email protected]
> > > Telephone: +1.810.326.1444
> > > Fax: +1.810.454.0130
> > > Community: http://www.ipexpert.com/communities
> >
> > --
> > Bryan Bartik
> > CCIE #23707 (R&S, SP), CCNP
> > Sr. Support Engineer - IPexpert, Inc.
> > URL: http://www.IPexpert.com
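The forwarding rules Kingsley quotes from the Cisco docs, Tyson's point that the secondary VLANs still have to be mapped on the promiscuous port, and Bryan's lab result (R2 and R3 reach R1 but not each other) can be checked against a small model. The Python below is an added example written for this page; it is not code from the thread, from IPexpert or from Cisco, and it models IOS private-VLAN behaviour rather than calling any Cisco API. Router and port names mirror Bryan's lab; the rule that a host port with no host-association is inactive, and the community-VLAN case at the end, go beyond what the thread shows and are the model's own assumptions.

```python
"""Model of Cisco private-VLAN (PVLAN) forwarding between switchports.

Added illustration for the mailing-list thread above; not Cisco code.
Names (R1, R2, R3, SW1, SW2, VLANs 100/101/102) are constructed to mirror
Bryan's lab.  Rules modelled:
  * isolated host  -> promiscuous only
  * community host -> same community + promiscuous
  * promiscuous    -> every secondary VLAN listed in its mapping
  * a host port without 'host-association' is inactive (model assumption)
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

ISOLATED = "isolated"
COMMUNITY = "community"


@dataclass
class Pvlan:
    """'vlan <primary>' + 'private-vlan association <secondaries>'."""
    primary: int
    secondary_type: Dict[int, str]   # secondary VLAN -> ISOLATED / COMMUNITY


@dataclass(frozen=True)
class Port:
    """A switchport in 'private-vlan host' or 'private-vlan promiscuous' mode.

    host port  : 'switchport private-vlan host-association P S' -> primary=P, secondary=S
    promiscuous: 'switchport private-vlan mapping P S1,S2'      -> primary=P, mapping={S1,S2}
    """
    name: str
    mode: str                                  # "host" or "promiscuous"
    primary: Optional[int] = None
    secondary: Optional[int] = None            # host-association secondary
    mapping: FrozenSet[int] = frozenset()      # promiscuous mapping


def trunk_vlan(port: Port) -> Optional[int]:
    """802.1Q tag a frame received on `port` carries over the SW1-SW2 trunk.

    Host ports send on their secondary VLAN; the promiscuous port sends on
    the primary, which is why R1's traffic shows up in VLAN 100 only.
    """
    return port.secondary if port.mode == "host" else port.primary


def forwards(pvlan: Pvlan, src: Port, dst: Port) -> bool:
    """True if a frame entering on `src` may be delivered out of `dst`."""
    if src.name == dst.name:
        return False
    # Model assumption: a host port with no association joins no PVLAN.
    for p in (src, dst):
        if p.mode == "host" and (p.primary is None or p.secondary is None):
            return False
    if src.primary != pvlan.primary or dst.primary != pvlan.primary:
        return False
    if src.mode == "promiscuous":
        if dst.mode == "promiscuous":
            return True                         # promiscuous ports see each other
        return dst.secondary in src.mapping     # mapping decides which hosts are served
    # src is a host port: check its secondary VLAN is associated to the primary
    s_type = pvlan.secondary_type.get(src.secondary)
    if s_type is None:
        return False
    if dst.mode == "promiscuous":
        return src.secondary in dst.mapping     # must be mapped on the promiscuous side
    # host -> host is only allowed inside one community VLAN
    return s_type == COMMUNITY and dst.secondary == src.secondary


def ping(pvlan: Pvlan, a: Port, b: Port) -> bool:
    """A ping needs the echo request one way and the echo reply back."""
    return forwards(pvlan, a, b) and forwards(pvlan, b, a)


# Bryan's lab: primary 100, isolated 101, R1 promiscuous, R2/R3 isolated hosts.
LAB = Pvlan(primary=100, secondary_type={101: ISOLATED})
R1 = Port("SW1 Fa0/1 (R1)", "promiscuous", primary=100, mapping=frozenset({101}))
R3 = Port("SW1 Fa0/3 (R3)", "host", primary=100, secondary=101)
R2 = Port("SW2 Fa0/2 (R2)", "host", primary=100, secondary=101)


def lab_results() -> Dict[str, bool]:
    return {"R2->R1": ping(LAB, R2, R1), "R3->R1": ping(LAB, R3, R1),
            "R2->R3": ping(LAB, R2, R3)}


def without_mapping() -> bool:
    """Tyson's point: remove 101 from R1's mapping and R2 can no longer reach R1."""
    r1_unmapped = Port(R1.name, "promiscuous", primary=100, mapping=frozenset())
    return ping(LAB, R2, r1_unmapped)


def without_host_association() -> bool:
    """Kings' question: 'switchport mode private-vlan host' alone joins no PVLAN."""
    return ping(LAB, Port(R3.name, "host"), R1)


def community_example():
    """Beyond the thread: two community ports in 102 reach each other and R1, not R2."""
    pvlan = Pvlan(100, {101: ISOLATED, 102: COMMUNITY})
    r1 = Port("R1", "promiscuous", primary=100, mapping=frozenset({101, 102}))
    c1 = Port("C1", "host", primary=100, secondary=102)
    c2 = Port("C2", "host", primary=100, secondary=102)
    return ping(pvlan, c1, c2), ping(pvlan, c1, r1), ping(pvlan, c1, R2)


if __name__ == "__main__":
    print(lab_results(), "no mapping:", without_mapping(),
          "no association:", without_host_association(), community_example())
```

Running it reproduces Bryan's pings (R2 and R3 reach R1, R2 does not reach R3), shows the echo request from R2 crossing the trunk in VLAN 101 while R1's reply crosses in VLAN 100, and fails the R2 to R1 ping as soon as 101 is dropped from the promiscuous mapping.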
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
