From: Mike Kraus \(mikraus\) (mikraus@cisco.com)
Date: Sat Jun 16 2007 - 10:53:02 ART
In regards to:
> Here's a quick question: Could you have two P-ports sharing the same primary
> VLAN, but having different secondary VLAN mappings?
Yes, you can!
3560swt001(config)#vlan 850
3560swt001(config-vlan)#private-vlan primary
3560swt001(config-vlan)#vlan 851
3560swt001(config-vlan)#private-vlan isolated
3560swt001(config)#vlan 852
3560swt001(config-vlan)#private-vlan community
3560swt001(config-vlan)#vlan 850
3560swt001(config-vlan)#private-vlan association 851,852
3560swt001(config-vlan)#int fa0/11
3560swt001(config-if)#switchport mode private-vlan promiscuous
3560swt001(config-if)#switchport private-vlan mapping 850 add 851
3560swt001(config-if)#int fa0/12
3560swt001(config-if)#switchport mode private-vlan promiscuous
3560swt001(config-if)#switchport private-vlan mapping 850 add 852
It seems that then the promiscuous port only responds to the associated
PVLANs. (In the above example, vlan 851 isolated hosts can talk to
fa0/11, but they cannot talk to fa0/12 and vlan 852 community hosts can
talk to fa0/12, but they cannot talk to fa0/11).
________________________________
From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of Petr Lapukhov
Sent: Saturday, June 16, 2007 5:09 AM
To: Mike Kraus (mikraus)
Cc: Anthony Bonilla; roehsler; ccielab@groupstudy.com
Subject: Re: quick private vlan question
An isolated or community Private Vlan (secondary) can only have ONE primary VLAN associated with it.
Clearly, the PVLAN concept is quite simple, but Cisco's implementation and configuration is somewhat confusing, with all that mapping and associations :) Here is how I explain PVLANs to myself.
To begin with, let's start with a concept of Private VLAN domain. This is the basic entity, and what it does is specify how an L2 bridging domain (an L2 broadcast ethernet *cable*) is split into *subdomains*. To understand the concept in depth, let's imagine that a VLAN is a *wire* or *cable* that interconnects many physical *ports*. Next we need to loosen the concept of a *cable*, to have *subdomains within*, and we come to the concept of a *Private VLAN*. Let's see now how Cisco did it:
First they added different *port types*:
- Isolated (I): Could only communicate with a *funnel* or a Promiscuous port.
- Community (C): Could communicate with its *buddies* and the *funnel* (Promisc port).
- Promiscuous (P): Could communicate with anyone, and is a *funnel*.
Let's stop for a second and recap that all the drama happens within a single L2 domain, a single *physical cable* like it was back in 10Base5 days :). So we're still under the chains of MAC address learning and flooding, and all those subdomains have nothing to do with L3 yet.
To provide the required forwarding behavior, special *unidirectional* wires are introduced. These are new VLAN *types* (private VLANs) that have *different* frame forwarding behavior than the regular VLAN does:
- Primary VLAN: forwards frames *downstream* (unidirectional!!) from P to I and C ports. This is a unidirectional broadcast medium to feed traffic from P to all other ports, and this is how the *funnel* feeds all other ports.
Secondary VLANs (upstream feeders):
- Isolated VLAN: forwards frames *upstream* (unidir!) from I ports to P ports. There is only ONE Isolated VLAN within a Private VLAN domain.
- Community VLAN: forwards frames upstream from C to C ports and from C to P ports. There could be many Community VLANs within a domain.
OK, so far so good. Now we see that Private VLANs are just unidirectional wires (not quite true with Community VLAN, which is only unidirectional with respect to C->P traffic flow). Clearly this is why we could only bind a Secondary to one Primary VLAN - it's just a wire, and we can't use it to send multiple traffic feeds.
Let's move straight to the configuration part, and see what every configuration step accomplishes:
Step 1: Create Primary and Secondary VLANs and bind them into a PVLAN domain:
!
! Creating VLANs
!
vlan 100
private-vlan primary
vlan 101
private-vlan isolated
vlan 102
private-vlan community
!
! Associating
!
vlan 100
private-vlan assoc 101,102
What this step is needed for is to group PVLANs into a domain and establish a formal association (for syntax checking and verifications).
Step 2:
Create Host ports and bind them to the respective PVLANs. Here you set up *upstream* wires, to connect host ports to all possible Promiscuous ports (primary VLAN). Note that a host port belongs to different VLANs at the same time: *downstream* primary and *upstream* secondary.
interface Fast x/y
switchport mode private-vlan host
switchport private-vlan host-association 100 101
!
interface range Fast x/y - z
switchport mode private-vlan host
switchport private-vlan host-association 100 102
Step 3:
Create a promiscuous port, and bind the *downstream* mapping. Here you add secondary VLANs whose traffic is received by this P port. The Primary VLAN is used to deliver traffic downstream to all C/I ports as per their associations.
interface Fast x/y
switchport mode private-vlan promisc
switchport private-vlan mapping 100 add 101,102
Here's a quick question: Could you have two P-ports sharing the same primary VLAN, but having different secondary VLAN mappings?
The last two questions left to be fully explained are mapping an L2 PVLAN domain to an SVI interface on a switch, and interconnecting PVLAN domains on multiple switches. I would gladly go into details explaining those, if someone would need it. It's just that I already wrote too much :) Thanks for all your attention.
HTH
-- Petr Lapukhov, CCIE #16379 (R&S/Security/SP) petr@internetworkexpert.com
Internetwork Expert, Inc. http://www.InternetworkExpert.com
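The forwarding rules Petr lays out above (primary VLAN downstream from P to every associated host port, isolated VLAN upstream to P only, community VLAN to buddies and to P) and the two-P-port behaviour Mike reports at the top of the thread, as a small Python model added here. It is not code from either poster or from Cisco IOS; the class and function names (PvlanDomain, HostPort, PromiscPort, forwards, can_communicate) and the host port names iso1/iso2/com1/com2 are constructed for the example. Mike's vlan 850/851/852 topology with fa0/11 mapping 851 and fa0/12 mapping 852 is taken from the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HostPort:
    name: str
    primary: int
    secondary: int  # the isolated or community VLAN this host sends upstream on


@dataclass(frozen=True)
class PromiscPort:
    name: str
    primary: int
    mapped: frozenset  # secondary VLANs whose upstream traffic this P port receives


class PvlanDomain:
    """Tracks primary/secondary VLANs and enforces the association rules from the thread."""

    def __init__(self):
        self.kind = {}   # vlan -> "primary" | "isolated" | "community"
        self.assoc = {}  # primary vlan -> set of associated secondary vlans
        self.owner = {}  # secondary vlan -> the ONE primary it is associated with

    def vlan(self, vid, kind):
        # equivalent of: vlan <vid> / private-vlan {primary|isolated|community}
        self.kind[vid] = kind
        if kind == "primary":
            self.assoc.setdefault(vid, set())

    def associate(self, primary, secondaries):
        # equivalent of: vlan <primary> / private-vlan association <secondaries>
        if self.kind.get(primary) != "primary":
            raise ValueError(f"vlan {primary} is not a primary VLAN")
        for s in secondaries:
            if self.kind.get(s) not in ("isolated", "community"):
                raise ValueError(f"vlan {s} is not a secondary VLAN")
            # a secondary is "just a wire": it can feed exactly one primary
            if self.owner.get(s, primary) != primary:
                raise ValueError(f"vlan {s} is already associated with vlan {self.owner[s]}")
            # only one isolated VLAN per primary
            if self.kind[s] == "isolated":
                others = {v for v in self.assoc[primary] if self.kind[v] == "isolated"} - {s}
                if others:
                    raise ValueError(f"vlan {primary} already has isolated vlan {others.pop()}")
            self.assoc[primary].add(s)
            self.owner[s] = primary

    def host_port(self, name, primary, secondary):
        # switchport private-vlan host-association <primary> <secondary>
        if secondary not in self.assoc.get(primary, ()):
            raise ValueError(f"vlan {secondary} is not associated with vlan {primary}")
        return HostPort(name, primary, secondary)

    def promisc_port(self, name, primary, mapped):
        # switchport private-vlan mapping <primary> add <secondaries>
        bad = set(mapped) - self.assoc.get(primary, set())
        if bad:
            raise ValueError(f"vlans {sorted(bad)} are not associated with vlan {primary}")
        return PromiscPort(name, primary, frozenset(mapped))


def forwards(domain, src, dst):
    """One-way delivery: can a frame sent by src arrive at dst?"""
    if src is dst or src.primary != dst.primary:
        return False
    if isinstance(src, PromiscPort):
        # downstream: the primary VLAN is a broadcast feed from P to every host port (and other P ports)
        return True
    if isinstance(dst, PromiscPort):
        # upstream: the secondary VLAN only reaches P ports whose mapping includes it
        return src.secondary in dst.mapped
    # host to host: only buddies in the same community VLAN; isolated hosts never see each other
    return domain.kind[src.secondary] == "community" and src.secondary == dst.secondary


def can_communicate(domain, a, b):
    """Two-way reachability, which is what 'can talk to' means for a host and its gateway."""
    return forwards(domain, a, b) and forwards(domain, b, a)


def build_thread_topology():
    """Mike's vlan 850/851/852 setup; the four host ports are constructed for the example."""
    d = PvlanDomain()
    d.vlan(850, "primary"); d.vlan(851, "isolated"); d.vlan(852, "community")
    d.associate(850, [851, 852])
    ports = {
        "fa0/11": d.promisc_port("fa0/11", 850, [851]),
        "fa0/12": d.promisc_port("fa0/12", 850, [852]),
        "iso1": d.host_port("iso1", 850, 851), "iso2": d.host_port("iso2", 850, 851),
        "com1": d.host_port("com1", 850, 852), "com2": d.host_port("com2", 850, 852),
    }
    return d, ports


def second_primary_rejected():
    """Mirror the '%Command rejected' case: a new primary 860 trying to claim vlan 851."""
    d, _ = build_thread_topology()
    d.vlan(860, "primary")
    try:
        d.associate(860, [851])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    d, p = build_thread_topology()
    for a, b in [("iso1", "fa0/11"), ("iso1", "fa0/12"), ("com1", "fa0/12"),
                 ("com1", "fa0/11"), ("iso1", "iso2"), ("com1", "com2")]:
        print(f"{a:7} <-> {b:7}: {can_communicate(d, p[a], p[b])}")
    print("second primary rejected:", second_primary_rejected())
```

The model keeps the downstream and upstream directions separate on purpose: fa0/12 still floods the primary VLAN to an 851 host, but that host's reply rides vlan 851, which fa0/12 does not map, so the pair fails the two-way check exactly as Mike observed.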
2007/6/15, Mike Kraus (mikraus) <mikraus@cisco.com>:
3560swt001(config)#vlan 850
3560swt001(config-vlan)#private-vlan primary
3560swt001(config-vlan)#vlan 851
3560swt001(config-vlan)#private-vlan isolated
3560swt001(config-vlan)#vlan 850
3560swt001(config-vlan)#private-vlan association 851
3560swt001(config-vlan)#vlan 860
3560swt001(config-vlan)#private-vlan primary
3560swt001(config-vlan)#private-vlan association 851
%Command rejected: invalid private vlan association between vlan860 and vlan851. VLAN 851 is already associated with VLAN 850.
So, as the docs state: "An isolated or community VLAN can have only one primary VLAN associated with it."
________________________________
From: Anthony Bonilla [mailto:anthonybonilla.ccie@gmail.com]
Sent: Friday, June 15, 2007 10:08 AM
To: Mike Kraus (mikraus)
Cc: roehsler; ccielab@groupstudy.com
Subject: Re: quick private vlan question
can you share the whole configs - what is vlan851 configured as?
On 6/13/07, Mike Kraus (mikraus) <mikraus@cisco.com> wrote:
Doesn't let you do it:
Switch(config-vlan)#private-vlan association 851
%Command rejected: invalid private vlan association between vlan860 and vlan851. VLAN 851 is already associated with VLAN 850.
(3560 running 12.2(35)SE, advanced IP services)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of roehsler
Sent: Thursday, May 03, 2007 9:39 AM
To: Anthony Bonilla
Cc: ccielab@groupstudy.com
Subject: Re: quick private vlan question
Hi,
Are you sure? Sorry for the confusion but I just read:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg
/swpvlan.htm
Which states:
A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. An isolated or community VLAN can have only one primary VLAN associated with it.
Thanks again.
On 5/3/07, Anthony Bonilla <anthonybonilla.ccie@gmail.com> wrote:
> Yes, you can use the same number for isolated VLANs and they will
> still not be able to talk to each other. Thanks.
>
> On 5/3/07, roehsler <roehsler@gmail.com> wrote:
> > Hi,
> >
> > Let's say I have multiple primary vlans:
> >
> > vlan_2
> > vlan_3
> > vlan_4
> >
> > And I have one isolated vlan:
> >
> > vlan_10
> >
> > Can I use the same isolated vlan in each/all of my primary vlans? I
> > think the answer is yes.
> >
> > Thanks
> >
> > David
This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:49 ART