From: Muhammad Nasim (muhammad.nasim@gmail.com)
Date: Sat Jun 16 2007 - 15:53:01 ART
Congrats Peter on becoming Triple CCIE : )
IE instructors seem to be doing excellently these days
On 6/16/07, Mike Kraus (mikraus) <mikraus@cisco.com> wrote:
>
> In regards to:
> > Here's a quick question: Could you have two P-ports sharing the same
> primary
> VLAN, but having different secondary VLAN mappings?
>
> Yes, you can!
>
> 3560swt001(config)#vlan 850
> 3560swt001(config-vlan)#private-vlan primary
> 3560swt001(config-vlan)#vlan 851
> 3560swt001(config-vlan)#private-vlan isolated
> 3560swt001(config)#vlan 852
> 3560swt001(config-vlan)#private-vlan community
> 3560swt001(config-vlan)#vlan 850
> 3560swt001(config-vlan)#private-vlan association 851,852
> 3560swt001(config-vlan)#int fa0/11
> 3560swt001(config-if)#switchport mode private-vlan promiscuous
> 3560swt001(config-if)#switchport private-vlan mapping 850 add 851
> 3560swt001(config-if)#int fa0/12
> 3560swt001(config-if)#switchport mode private-vlan promiscuous
> 3560swt001(config-if)#switchport private-vlan mapping 850 add 852
>
> It seems that then the promiscuous port only responds to the associated
> PVLANs. (In the above example, vlan 851 isolated hosts can talk to
> fa0/11, but they cannot talk to fa0/12 and vlan 852 community hosts can
> talk to fa0/12, but they cannot talk to fa0/11).
>
>
> ________________________________
>
> From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of Petr
> Lapukhov
> Sent: Saturday, June 16, 2007 5:09 AM
> To: Mike Kraus (mikraus)
> Cc: Anthony Bonilla; roehsler; ccielab@groupstudy.com
> Subject: Re: quick private vlan question
>
>
> An isolated or community Private VLAN (secondary) can only have ONE
> primary VLAN associated with it.
>
> Clearly, the PVLAN concept is quite simple, but Cisco's implementation and
> configuration is somewhat confusing, with all that mapping and
> associations :) Here is how I explain PVLANs to myself.
>
> To begin with, let's start with the concept of a Private VLAN domain. This
> is the basic entity, and what it does is specify how an L2 bridging domain
> (an L2 broadcast ethernet *cable*) is split into *subdomains*. To understand
> the concept in depth, let's imagine that a VLAN is a *wire* or *cable* that
> interconnects many physical *ports*. Next we need to loosen the concept of
> a *cable*, to have *subdomains within*, and we come up with the concept of
> a *Private VLAN*. Let's see now how Cisco did it:
>
> First they added different *port types*:
>
> - Isolated (I): Could only communicate with a *funnel*, or Promiscuous,
> port.
> - Community (C): Could communicate with its *buddies* and the *funnel*
> (Promisc port).
> - Promiscuous (P): Could communicate with anyone, and is a *funnel*.
>
> Let's stop for a second and recap that all the drama happens within a
> single L2 domain, a single *physical cable*, like it was back in 10Base5
> days :). So we're still under the chains of MAC address learning and
> flooding, and all those subdomains have nothing to do with L3 yet.
>
> To provide the required forwarding behavior, special *unidirectional*
> wires are introduced. These are new VLAN *types* (private VLANs) that have
> *different* frame forwarding behavior than the regular VLAN does:
>
> - Primary VLAN: forwards frames *downstream* (unidirectional!!) from P
> to I and C ports. This is a unidirectional broadcast medium to feed
> traffic from P to all other ports, and this is how the *funnel* feeds
> all other ports.
>
> Secondary VLANs (upstream feeders):
>
> - Isolated VLAN: forwards frames *upstream* (unidir!) from I ports to P
> ports. There is only ONE Isolated VLAN within a Private VLAN domain.
>
> - Community VLAN: forwards frames upstream from C to C ports and from C
> to P ports. There could be many Community VLANs within a domain.
>
> OK, so far so good. Now we see that Private VLANs are just unidirectional
> wires (not quite true with the Community VLAN, which is only unidirectional
> with respect to the C->P traffic flow). Clearly this is why we can only
> bind a Secondary to one Primary VLAN - it's just a wire, and we can't use
> it to send multiple traffic feeds.
>
> Let's move straight to the configuration part, and see what every
> configuration step accomplishes:
>
> Step 1: Create Primary and Secondary VLANs and bind them into a PVLAN
> domain:
>
> !
> ! Creating VLANs
> !
> vlan 100
> private-vlan primary
>
> vlan 101
> private-vlan isolated
>
> vlan 102
> private-vlan community
>
> !
> ! Associating
> !
> vlan 100
> private-vlan assoc 101,102
>
> What this step is needed for is to group PVLANs into a domain and
> establish a formal association (for syntax checking and verification).
>
> Step 2:
>
> Create Host ports and bind them to the respective PVLANs. Here you set up
> *upstream* wires, to connect host ports to all possible Promiscuous ports
> (primary VLAN). Note that a host port belongs to different VLANs at the
> same time: *downstream* primary and *upstream* secondary.
>
> interface Fast x/y
> switchport mode private-vlan host
> switchport private-vlan host-association 100 101
> !
> interface range Fast x/y - z
> switchport mode private-vlan host
> switchport private-vlan host-association 100 102
>
> Step 3:
>
> Create a promiscuous port, and bind the *downstream* mapping. Here you add
> the secondary VLANs whose traffic is received by this P port. The primary
> VLAN is used to deliver traffic downstream to all C/I ports as per their
> associations.
>
> interface Fast x/y
> switchport mode private-vlan promisc
> switchport private-vlan mapping 100 add 101,102
>
> Here's a quick question: Could you have two P-ports sharing the same
> primary VLAN, but having different secondary VLAN mappings?
>
> ---
>
> The last two questions left to be fully explained are mapping an L2 PVLAN
> domain to an SVI interface on a switch, and interconnecting PVLAN domains
> on multiple switches. I would gladly go into details explaining those, if
> someone needs it. It's just that I already wrote too much :) Thanks for
> all your attention.
>
> HTH
>
> --
> Petr Lapukhov, CCIE #16379 (R&S/Security/SP)
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
>
>
> 2007/6/15, Mike Kraus (mikraus) <mikraus@cisco.com>:
>
> 3560swt001(config)#vlan 850
> 3560swt001(config-vlan)# private-vlan primary
> 3560swt001(config-vlan)#vlan 851
> 3560swt001(config-vlan)# private-vlan isolated
> 3560swt001(config-vlan)#vlan 850
> 3560swt001(config-vlan)# private-vlan association 851
> 3560swt001(config-vlan)#vlan 860
> 3560swt001(config-vlan)# private-vlan primary
> 3560swt001(config-vlan)# private-vlan association 851
> %Command rejected: invalid private vlan association between vlan860 and
> vlan851. VLAN 851 is already associated with VLAN 850.
>
> So, as the docs state: "An isolated or community VLAN can have only one
> primary VLAN associated with it."
>
>
> ________________________________
>
> From: Anthony Bonilla [mailto:anthonybonilla.ccie@gmail.com]
> Sent: Friday, June 15, 2007 10:08 AM
> To: Mike Kraus (mikraus)
> Cc: roehsler; ccielab@groupstudy.com
> Subject: Re: quick private vlan question
>
>
> can you share the whole configs - what is vlan851 configured as?
>
>
> On 6/13/07, Mike Kraus (mikraus) <mikraus@cisco.com> wrote:
>
> Doesn't let you do it:
>
> Switch(config-vlan)#private-vlan association 851
> %Command rejected: invalid private vlan association between vlan860 and
> vlan851. VLAN 851 is already associated with VLAN 850.
>
> (3560 running 12.2(35)SE, advanced IP services)
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On
> Behalf Of
> roehsler
> Sent: Thursday, May 03, 2007 9:39 AM
> To: Anthony Bonilla
> Cc: ccielab@groupstudy.com
> Subject: Re: quick private vlan question
>
> Hi,
>
> Are you sure? Sorry for the confusion but I just read:
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swpvlan.htm
>
> Which states:
>
> A primary VLAN can have one isolated VLAN and multiple community VLANs
> associated with it. An isolated or community VLAN can have only one
> primary VLAN associated with it.
>
> Thanks again.
>
> On 5/3/07, Anthony Bonilla <anthonybonilla.ccie@gmail.com> wrote:
> > Yes, you can use the same number for isolated VLANs and they will
> > still not be able to talk to each other. Thanks.
> >
> >
> >
> > On 5/3/07, roehsler <roehsler@gmail.com> wrote:
> > > Hi,
> > >
> > > Let's say I have multiple primary vlans:
> > >
> > > vlan_2
> > > vlan_3
> > > vlan_4
> > >
> > > And I have one isolated vlan:
> > >
> > > vlan_10
> > >
> > > Can I use the same isolated vlan in each/all of my primary vlans? I
> > > think the answer is yes.
> > >
> > > Thanks
> > >
> > > David
> > >
> > >
> >
>
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
>
-- Muhammad Nasim Network Engineer SISCOM Saudi Arabia
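The forwarding rules Petr lays out (primary VLAN downstream only, isolated and community VLANs upstream, one primary per secondary) and the two-promiscuous-port behaviour Mike observed on his 3560 can be checked against each other with a small reachability model. The following is an added example, not code from the thread and not Cisco software: it reuses Mike's VLAN numbers and ports fa0/11 and fa0/12, while the host ports fa0/1 to fa0/4 and their VLAN membership are constructed. It assumes a single switch, a single L2 domain, no SVI, and unicast delivery only; the association check reproduces the "%Command rejected" condition quoted in the thread.

```python
"""Reachability model of Cisco private-VLAN forwarding as described in the
thread. Added example (not from the thread or from Cisco). Assumptions: one
switch, one L2 domain, no SVI, unicast delivery only."""
from dataclasses import dataclass, field
from typing import Optional


class PvlanError(ValueError):
    """Raised where IOS would print '%Command rejected'."""


@dataclass
class Domain:
    primary: int
    isolated: Optional[int] = None       # at most one isolated VLAN per primary
    communities: set = field(default_factory=set)


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                  # "host" or "promiscuous"
    primary: int
    secondaries: frozenset     # host: its one secondary; promiscuous: mapped set


class Switch:
    def __init__(self):
        self.domains = {}      # primary vid -> Domain
        self.sec_type = {}     # secondary vid -> "isolated" | "community"
        self.sec_owner = {}    # secondary vid -> primary vid (only one allowed)
        self.ports = {}

    # Step 1: create VLANs and associate them into a PVLAN domain
    def vlan_primary(self, vid):
        self.domains.setdefault(vid, Domain(vid))

    def vlan_secondary(self, vid, kind):
        self.sec_type[vid] = kind

    def associate(self, primary, *secondaries):
        dom = self.domains[primary]
        for s in secondaries:
            owner = self.sec_owner.get(s)
            if owner not in (None, primary):   # the check Mike ran into
                raise PvlanError(
                    f"invalid private vlan association between vlan{primary} "
                    f"and vlan{s}. VLAN {s} is already associated with VLAN {owner}.")
            if self.sec_type[s] == "isolated":
                if dom.isolated not in (None, s):
                    raise PvlanError(f"vlan{primary} already has an isolated VLAN")
                dom.isolated = s
            else:
                dom.communities.add(s)
            self.sec_owner[s] = primary

    # Step 2: host port = one upstream secondary wire inside the primary
    def host_port(self, name, primary, secondary):
        if self.sec_owner.get(secondary) != primary:
            raise PvlanError(f"vlan{secondary} is not associated with vlan{primary}")
        self.ports[name] = Port(name, "host", primary, frozenset([secondary]))

    # Step 3: promiscuous port = mapping of the secondaries it will receive
    def promiscuous_port(self, name, primary, *mapped):
        for s in mapped:
            if self.sec_owner.get(s) != primary:
                raise PvlanError(f"vlan{s} is not associated with vlan{primary}")
        self.ports[name] = Port(name, "promiscuous", primary, frozenset(mapped))

    def delivers(self, src, dst):
        """One-way frame delivery from port src to port dst."""
        a, b = self.ports[src], self.ports[dst]
        if src == dst or a.primary != b.primary:
            return False                   # separate PVLAN domains never meet
        if a.mode == "promiscuous":
            return True                    # primary VLAN feeds every port downstream
        (sec,) = a.secondaries             # a host port sends on its secondary
        if b.mode == "promiscuous":
            return sec in b.secondaries    # a P port only answers mapped secondaries
        if self.sec_type[sec] == "isolated":
            return False                   # isolated: never host to host
        return sec in b.secondaries        # community: only buddies in the same one

    def can_talk(self, x, y):
        """Two-way reachability: a useful conversation needs both directions."""
        return self.delivers(x, y) and self.delivers(y, x)


def build_thread_example():
    """Mike's 3560 configuration plus constructed host ports fa0/1-fa0/4."""
    sw = Switch()
    sw.vlan_primary(850)
    sw.vlan_secondary(851, "isolated")
    sw.vlan_secondary(852, "community")
    sw.associate(850, 851, 852)
    sw.promiscuous_port("fa0/11", 850, 851)
    sw.promiscuous_port("fa0/12", 850, 852)
    for p in ("fa0/1", "fa0/2"):       # constructed isolated hosts
        sw.host_port(p, 850, 851)
    for p in ("fa0/3", "fa0/4"):       # constructed community hosts
        sw.host_port(p, 850, 852)
    return sw


if __name__ == "__main__":
    sw = build_thread_example()
    for a, b in [("fa0/1", "fa0/11"), ("fa0/1", "fa0/12"), ("fa0/3", "fa0/12"),
                 ("fa0/3", "fa0/11"), ("fa0/1", "fa0/2"), ("fa0/3", "fa0/4")]:
        print(f"{a} <-> {b}: {sw.can_talk(a, b)}")
```

Running it gives the matrix Mike described: isolated hosts reach fa0/11 but not fa0/12, community hosts reach fa0/12 but not fa0/11, and a second primary trying to claim VLAN 851 is rejected. Modelling `can_talk` as two one-way deliveries is what makes the mapping matter: the primary VLAN still floods a P port's frames to every host, but the reply only comes back to a P port that has that secondary in its mapping, so the segmentation you get is exactly the set of mappings you configured and nothing more.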
This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:49 ART