From: Adhu Ajit (adhu_ajit@yahoo.com)
Date: Tue Oct 31 2006 - 21:45:42 ART
I extrapolated "Catalyst security, other security features" from the blueprint to mean Private VLANs. With 4 switches in the fray, I felt that it is better to err on the side of "over-knowing" switch features.
-Adhu
Mike O <mikeeo@msn.com> wrote:
Are private VLANs on the blueprint? Or is that considered "advanced
configuration"?
>From: Adhu Ajit
>Reply-To: Adhu Ajit
>To: Petr Lapukhov, ccielab@groupstudy.com
>Subject: Re: Private VLANs and routers
>Date: Tue, 31 Oct 2006 09:52:24 -0800 (PST)
>
>Petr, you are right. All the VLANs are actually part of the same subnet and
>same primary VLAN. What was I thinking when I wrote my first email ??!!
>
> So the router port will just behave as a regular Ethernet interface
>without any trunks terminating on it. The promiscuous switch port will just
>be an access port on the primary VLAN.
>
> Thanks for the clarification.
>
>Petr Lapukhov wrote:
> No, you just configure router link as an "access" link in VLAN 100
>(primary).
>You don't need any subinterfaces, and no tagged frames should reach the
>router.
>
>Remember, all nodes share *same* subnet, and *same* primary VLAN
>in essence. It's just level 2 that makes difference, though this is
>transparent
>to end devices (in sense they don't see "additional" VLANs)
>
>interface fa x/y
> description == Link to router
> switchport mode private-vlan promiscuous
> switchport private-vlan mapping 100 add 10,20,30
>
>You only need trunks to transport private VLANs between switches.
>
>HTH
>
>2006/10/31, Adhu Ajit:
>
> Folks, let's say that VLANs 10 and 30 are community VLANs and VLAN 20 is
>an isolated VLAN. They all use VLAN 100 as the main VLAN to reach the
>router. (In other words, the promiscuous port on the switch is part of
>VLAN 100 and VLANs 10, 20 and 30 are mapped to 100)
>
> When I configure the dot1q trunk interface on the router, I'm assuming
>that I would create one sub-interface each for VLAN 10, 20, 30 and 100.
>
> Any caveats/gotchas that I should know about ?
>
> Thanks in advance.
>
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>--
>Petr Lapukhov, CCIE #16379
>petr@internetworkexpert.com
>
>Internetwork Expert, Inc.
>http://www.InternetworkExpert.com
>Toll Free: 877-224-8987
>Outside US: 775-826-4344
>
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:07 ART
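
The forwarding behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of layer 2 reachability inside primary VLAN 100, with community VLANs 10 and 30, isolated VLAN 20, and the router on the promiscuous port. The host names and the `can_forward` rules are assumptions made for illustration; the second call in the test shows what happens when a secondary VLAN is left out of the promiscuous port's mapping.

```python
from dataclasses import dataclass

PRIMARY = 100
# Secondary VLANs from the thread: 10 and 30 community, 20 isolated.
SECONDARY = {10: "community", 20: "isolated", 30: "community"}


@dataclass(frozen=True)
class Port:
    name: str                          # constructed name, for illustration only
    role: str                          # "promiscuous" or "host"
    vlan: int                          # primary VLAN if promiscuous, else secondary
    mapping: frozenset = frozenset()   # secondaries mapped on a promiscuous port


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame entering src may leave dst (simplified PVLAN rules)."""
    if src == dst:
        return False
    if src.role == "promiscuous" and dst.role == "promiscuous":
        return src.vlan == dst.vlan
    if src.role == "promiscuous":
        # Downstream: only into secondaries listed in the port's mapping.
        return dst.vlan in src.mapping
    if dst.role == "promiscuous":
        # Upstream: the host's secondary must be mapped on the promiscuous port.
        return src.vlan in dst.mapping
    # Host to host: allowed only inside the same community VLAN.
    return src.vlan == dst.vlan and SECONDARY[src.vlan] == "community"


def reachability(ports):
    """Return {source port name: sorted names of ports it can reach}."""
    return {s.name: sorted(d.name for d in ports if can_forward(s, d)) for s in ports}


def demo_ports(mapping=(10, 20, 30)):
    """Constructed topology: one router port and five hosts on one switch."""
    return [
        Port("router", "promiscuous", PRIMARY, frozenset(mapping)),
        Port("hostA", "host", 10), Port("hostB", "host", 10),
        Port("hostC", "host", 20), Port("hostD", "host", 20),
        Port("hostE", "host", 30),
    ]


if __name__ == "__main__":
    for name, peers in reachability(demo_ports()).items():
        print(f"{name:7} -> {', '.join(peers) or '(nothing)'}")
```
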