Kingsley,

Much like the command "switchport access vlan 100" puts the host port into vlan 100, the command "switchport private-vlan host-association <prim> <sec>" adds the port to the primary VLAN number. The secondary mapping simply states who the port is allowed to communicate with.

HTH. I didn't read far enough into Bryan's email to realize you were answering a question for him. Sorry about that.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Kingsley Charles [mailto:[email protected]]
Sent: Friday, January 08, 2010 11:46 AM
To: Tyson Scott
Cc: Bryan Bartik; [email protected]
Subject: Re: [OSL | CCIE_Security] Private vlans

Hi Tyson

Bryan's configuration was perfect. I was just telling him the reason why he was seeing the primary vlan alone on the promiscuous port. The mapping command instructs the promiscuous port which secondary vlans it should receive and serve.

Why do we need an association command under the host ports? What does it actually do? Please share your thoughts.

With regards
Kings

On Fri, Jan 8, 2010 at 9:55 PM, Tyson Scott <[email protected]> wrote:

Kingsley,

It is correct that the promiscuous port is going to run over the primary VLAN, but the secondary VLANs still need to be mapped to the promiscuous ports. The configuration that Bryan put below is right on.

Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Friday, January 08, 2010 11:06 AM
To: Bryan Bartik
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Private vlans

From the Cisco docs, this is what I understand. The isolated VLAN takes the traffic from isolated ports to the promiscuous ports. The community VLAN takes the traffic from a community port to other community ports and promiscuous ports. The primary VLAN takes the traffic from promiscuous ports to isolated or community ports. Hence, the promiscuous port will run on the primary vlan only. But still, I may be wrong.

With regards
Kings

On Fri, Jan 8, 2010 at 7:51 PM, Bryan Bartik <[email protected]> wrote:

Here is the new config, let me know if there is something I am missing. The private vlan trunk commands of course do not exist, but this is what I see.

R1 = SW1 f0/1 (promiscuous)
R3 = SW1 f0/3 (isolated 101)
R2 = SW2 f0/2 (isolated 101)

R2 and R3 can ping R1, but not each other.

SW1:

vlan 100
 private-vlan primary
 private-vlan association 101
!
vlan 101
 private-vlan isolated
!
interface FastEthernet0/1
 switchport private-vlan mapping 100 101
 switchport mode private-vlan promiscuous
!
interface FastEthernet0/3
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk

SW2:

vlan 100
 private-vlan primary
 private-vlan association 101
!
vlan 101
 private-vlan isolated
!
interface FastEthernet0/2
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk

Verification

R2 pings R1:

R2#ping 192.168.120.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.120.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

R3 pings R1:

R3#ping 192.168.120.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.120.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R3#

R2 cannot ping R3:

R2#ping 192.168.120.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.120.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#

The interesting thing I find is that spanning-tree for vlan 100 and 101 runs over the trunks, but only 100 runs over the host/promiscuous ports. Let me know if there is a mistake I made somewhere.

On Thu, Jan 7, 2010 at 10:29 PM, Marko Milivojevic <[email protected]> wrote:

On Fri, Jan 8, 2010 at 06:02, Bryan Bartik <[email protected]> wrote:

Sure, here is the relevant portion of SW1 and SW2. I was just playing with this a couple days ago, still fresh on my rack :)

Topology:

R1/R3----SW1----SW2----R2

R1 is on f0/1
R3 is on f0/3
R2 is on f0/2
Trunk is on f0/13

Try this: Make R1 promiscuous and have R2 and R3 isolated. See if R2 and R3 can ping each other ...

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Community: http://www.ipexpert.com/communities

--
Bryan Bartik
CCIE #23707 (R&S, SP), CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
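As an added illustration that is not part of the thread, the following Python model encodes the private-VLAN forwarding rules the messages above work through: a host port is placed in the primary VLAN by its host-association and may only exchange traffic through its one secondary VLAN; a promiscuous port reaches only the secondaries mapped on it; community hosts reach each other, isolated hosts do not. It reproduces Bryan's R1/R2/R3 result and adds a hypothetical promiscuous port with no mapping for 101 to show why the mapping command matters. Port names follow the thread; the SW1-SW2 trunk is assumed to carry VLANs 100 and 101 consistently, so both switches are modelled as one PVLAN domain.

```python
"""Private-VLAN forwarding model (added example, not from the mailing-list thread)."""
from dataclasses import dataclass

ISOLATED, COMMUNITY = "isolated", "community"


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                # "host" or "promiscuous"
    primary: int             # primary VLAN from host-association / mapping <prim>
    secondaries: frozenset   # host: its single secondary; promiscuous: mapped secondaries


def can_forward(secondary_types, src, dst):
    """True if a frame from src reaches dst. secondary_types maps a secondary
    VLAN id to ISOLATED or COMMUNITY (the 'private-vlan association' list)."""
    if src is dst or src.primary != dst.primary:
        return False
    if src.mode == "promiscuous":
        if dst.mode == "promiscuous":
            return True                      # both live on the primary VLAN
        (sec,) = dst.secondaries
        return sec in src.secondaries and sec in secondary_types  # needs mapping
    (sec,) = src.secondaries
    if sec not in secondary_types:
        return False                         # secondary not associated with primary
    if dst.mode == "promiscuous":
        return sec in dst.secondaries        # host -> promiscuous needs the mapping
    return dst.secondaries == {sec} and secondary_types[sec] == COMMUNITY


def reachability(secondary_types, ports):
    """{(src, dst): bool} for every ordered pair of distinct ports."""
    return {(a.name, b.name): can_forward(secondary_types, a, b)
            for a in ports for b in ports if a is not b}


# Bryan's lab: VLAN 100 primary, VLAN 101 isolated, R1 promiscuous, R2/R3 isolated hosts.
SECONDARIES = {101: ISOLATED}
R1 = Port("R1", "promiscuous", 100, frozenset({101}))
R2 = Port("R2", "host", 100, frozenset({101}))
R3 = Port("R3", "host", 100, frozenset({101}))
# Hypothetical variant: promiscuous port whose mapping omits 101 (Kingsley's question).
R1_UNMAPPED = Port("R1-unmapped", "promiscuous", 100, frozenset())

if __name__ == "__main__":
    for (a, b), ok in sorted(reachability(SECONDARIES, [R1, R2, R3]).items()):
        print(f"{a} -> {b}: {'ok' if ok else 'blocked'}")
```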
