Re: quick private vlan question

From: Muhammad Nasim (muhammad.nasim@gmail.com)
Date: Sun Jun 17 2007 - 15:14:03 ART


And the worst thing is that Cisco has only 5 tracks in which you can become
"Expert".

What are your plans, Peter, after completing all the 5 tracks?

Will you redo all the tracks : ) just kidding.

On 6/17/07, Petr Lapukhov <petr@internetworkexpert.com> wrote:
>
> Thanks a lot, Muhammad! Actually, passing CCIE labs becomes a habit
> quickly when you work at IE :) The bad thing is that you may become
> addicted to the process ;)
>
> --
> Petr Lapukhov, CCIE #16379 (R&S/Security/SP)
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
>
> 2007/6/16, Muhammad Nasim <muhammad.nasim@gmail.com>:
> >
> > Congrats Peter on becoming Triple CCIE : )
> >
> > IE instructors seem to be going excellent these days
> >
> >
> > On 6/16/07, Mike Kraus (mikraus) <mikraus@cisco.com> wrote:
> > >
> > > In regards to:
> > > > Here's a quick question: Could you have two P-ports sharing the same
> > > > primary VLAN, but having different secondary VLAN mappings?
> > >
> > > Yes, you can!
> > >
> > > 3560swt001(config)#vlan 850
> > > 3560swt001(config-vlan)#private-vlan primary
> > > 3560swt001(config-vlan)#vlan 851
> > > 3560swt001(config-vlan)#private-vlan isolated
> > > 3560swt001(config)#vlan 852
> > > 3560swt001(config-vlan)#private-vlan community
> > > 3560swt001(config-vlan)#vlan 850
> > > 3560swt001(config-vlan)#private-vlan association 851,852
> > > 3560swt001(config-vlan)#int fa0/11
> > > 3560swt001(config-if)#switchport mode private-vlan promiscuous
> > > 3560swt001(config-if)#switchport private-vlan mapping 850 add 851
> > > 3560swt001(config-if)#int fa0/12
> > > 3560swt001(config-if)#switchport mode private-vlan promiscuous
> > > 3560swt001(config-if)#switchport private-vlan mapping 850 add 852
> > >
> > > It seems that then the promiscuous port only responds to the
> > > associated PVLANs. (In the above example, vlan 851 isolated hosts can
> > > talk to fa0/11, but they cannot talk to fa0/12, and vlan 852 community
> > > hosts can talk to fa0/12, but they cannot talk to fa0/11).
> > >
> > >
> > > ________________________________
> > >
> > > From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of
> > > Petr Lapukhov
> > > Sent: Saturday, June 16, 2007 5:09 AM
> > > To: Mike Kraus (mikraus)
> > > Cc: Anthony Bonilla; roehsler; ccielab@groupstudy.com
> > > Subject: Re: quick private vlan question
> > >
> > >
> > > An isolated or community Private VLAN (secondary) can only have ONE
> > > primary VLAN associated with it.
> > >
> > > Clearly, the PVLAN concept is quite simple, but Cisco's implementation
> > > and configuration is somewhat confusing, with all that mapping and
> > > associations :) Here is how I explain PVLANs to myself.
> > >
> > > To begin with, let's start with the concept of a Private VLAN domain.
> > > This is the basic entity, and what it does is specify how an L2
> > > bridging domain (an L2 broadcast ethernet *cable*) is split into
> > > *subdomains*. To understand the concept in depth, let's imagine that a
> > > VLAN is a *wire* or *cable* that interconnects many physical *ports*.
> > > Next we need to loosen the concept of a *cable* to have *subdomains
> > > within*, and we come to the concept of a *Private VLAN*. Let's see now
> > > how Cisco did it:
> > >
> > > First they added different *port types*:
> > >
> > > - Isolated (I): Could only communicate with a *funnel* or a Promiscuous
> > > port.
> > > - Community (C): Could communicate with its *buddies* and *funnel*
> > > (Promisc port).
> > > - Promiscuous (P): Could communicate with anyone, and is a *funnel*.
> > >
> > > Let's stop for a second and recap that all the drama happens within a
> > > single L2 domain, a single *physical cable* like it was back in 10Base5
> > > days :). So we're still under the chains of MAC address learning and
> > > flooding, and all those subdomains have nothing to do with L3 yet.
> > >
> > > To provide the required forwarding behavior, special *unidirectional*
> > > wires are introduced. These are new VLAN *types* (private VLANs) that
> > > have *different* frame forwarding behavior than the regular VLAN does:
> > >
> > > - Primary VLAN: forwards frames *downstream* (unidirectional!!) from P
> > > to I and C ports. This is a unidirectional broadcast medium to feed
> > > traffic from P to all other ports, and this is how the *funnel* feeds
> > > all other ports.
> > >
> > > Secondary VLANs (upstream feeders):
> > >
> > > - Isolated VLAN: forwards frames *upstream* (unidir!) from I ports to P
> > > ports. There is only ONE Isolated VLAN within a Private VLAN domain.
> > >
> > > - Community VLAN: forwards frames upstream from C to C ports and from C
> > > to P ports. There could be many Community VLANs within a domain.
> > >
> > > OK, so far so good. Now we see that Private VLANs are just
> > > unidirectional wires (not quite true with Community VLAN, which is only
> > > unidirectional with respect to C->P traffic flow). Clearly this is why
> > > we could only bind a Secondary to one Primary VLAN - it's just a wire,
> > > and we can't use it to send multiple traffic feeds.
> > >
> > > Let's move straight to the configuration part, and see what every
> > > configuration step accomplishes:
> > >
> > > Step 1: Create Primary and Secondary VLANs and bind them into a PVLAN
> > > domain:
> > >
> > > !
> > > ! Creating VLANs
> > > !
> > > vlan 100
> > > private-vlan primary
> > >
> > > vlan 101
> > > private-vlan isolated
> > >
> > > vlan 102
> > > private-vlan community
> > >
> > > !
> > > ! Associating
> > > !
> > > vlan 100
> > > private-vlan assoc 101,102
> > >
> > > What this step is needed for is to group PVLANs into a domain and
> > > establish a formal association (for syntax checking and verifications).
> > >
> > > Step 2:
> > >
> > > Create Host ports and bind them to the respective PVLANs. Here you set
> > > up *upstream* wires, to connect host ports to all possible Promiscuous
> > > ports (primary VLAN). Note that a host port belongs to different VLANs
> > > at the same time: *downstream* primary and *upstream* secondary.
> > >
> > > interface Fast x/y
> > > switchport mode private-vlan host
> > > switchport private-vlan host-association 100 101
> > > !
> > > interface range Fast x/y - z
> > > switchport mode private-vlan host
> > > switchport private-vlan host-association 100 102
> > >
> > > Step 3:
> > >
> > > Create a promiscuous port, and bind *downstream* mapping. Here you add
> > > secondary VLANs whose traffic is received by this P port. Primary VLAN
> > > is used to deliver traffic downstream to all C/I ports as per their
> > > associations.
> > >
> > > interface Fast x/y
> > > switchport mode private-vlan promisc
> > > switchport private-vlan mapping 100 add 101,102
> > >
> > > Here's a quick question: Could you have two P-ports sharing the same
> > > primary VLAN, but having different secondary VLAN mappings?
> > >
> > > ---
> > >
> > > The last two questions left to be fully explained are mapping an L2
> > > PVLAN domain to an SVI interface on a switch, and interconnecting PVLAN
> > > domains on multiple switches. I would gladly go into details explaining
> > > those, if someone would need it. It's just that I already wrote too
> > > much :) Thanks for all your attention.
> > >
> > > HTH
> > >
> > > --
> > > Petr Lapukhov, CCIE #16379 (R&S/Security/SP)
> > > petr@internetworkexpert.com
> > >
> > > Internetwork Expert, Inc.
> > > http://www.InternetworkExpert.com
> > >
> > >
> > > 2007/6/15, Mike Kraus (mikraus) <mikraus@cisco.com>:
> > >
> > > 3560swt001(config)#vlan 850
> > > 3560swt001(config-vlan)# private-vlan primary
> > > 3560swt001(config-vlan)#vlan 851
> > > 3560swt001(config-vlan)# private-vlan isolated
> > > 3560swt001(config-vlan)#vlan 850
> > > 3560swt001(config-vlan)# private-vlan association 851
> > > 3560swt001(config-vlan)#vlan 860
> > > 3560swt001(config-vlan)# private-vlan primary
> > > 3560swt001(config-vlan)# private-vlan association 851
> > > %Command rejected: invalid private vlan association between vlan860 and
> > > vlan851. VLAN 851 is already associated with VLAN 850.
> > >
> > > So, as the docs state: "An isolated or community VLAN can have only one
> > > primary VLAN associated with it."
> > >
> > >
> > > ________________________________
> > >
> > > From: Anthony Bonilla [mailto:anthonybonilla.ccie@gmail.com]
> > > Sent: Friday, June 15, 2007 10:08 AM
> > > To: Mike Kraus (mikraus)
> > > Cc: roehsler; ccielab@groupstudy.com
> > > Subject: Re: quick private vlan question
> > >
> > >
> > > can you share the whole configs - what is vlan851 configured as?
> > >
> > >
> > > On 6/13/07, Mike Kraus (mikraus) <mikraus@cisco.com> wrote:
> > >
> > > Doesn't let you do it:
> > >
> > > Switch(config-vlan)#private-vlan association 851
> > > %Command rejected: invalid private vlan association between vlan860 and
> > > vlan851. VLAN 851 is already associated with VLAN 850.
> > >
> > > (3560 running 12.2(35)SE, advanced IP services)
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > roehsler
> > > Sent: Thursday, May 03, 2007 9:39 AM
> > > To: Anthony Bonilla
> > > Cc: ccielab@groupstudy.com
> > > Subject: Re: quick private vlan question
> > >
> > > Hi,
> > >
> > > Are you sure? Sorry for the confusion but I just read:
> > >
> > > http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swpvlan.htm
> > >
> > > Which states:
> > >
> > > A primary VLAN can have one isolated VLAN and multiple community VLANs
> > > associated with it. An isolated or community VLAN can have only one
> > > primary VLAN associated with it.
> > >
> > > Thanks again.
> > >
> > > On 5/3/07, Anthony Bonilla <anthonybonilla.ccie@gmail.com> wrote:
> > > > Yes, you can use the same number for isolated VLANs and they will
> > > > still not be able to talk to each other. Thanks.
> > > >
> > > >
> > > >
> > > > On 5/3/07, roehsler <roehsler@gmail.com> wrote:
> > > > > Hi,
> > > > >
> > > > > Lets say I have multiple primary vlans:
> > > > >
> > > > > vlan_2
> > > > > vlan_3
> > > > > vlan_4
> > > > >
> > > > > And I have one isolated vlan:
> > > > >
> > > > > vlan_10
> > > > >
> > > > > Can I use the same isolated vlan in each/all of my primary vlans? I
> > > > > think the answer is yes.
> > > > >
> > > > > Thanks
> > > > >
> > > > > David
> > > > >
> > > > >
> > > >
> > >
> > > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
> > --
> > Muhammad Nasim
> > Network Engineer
> > SISCOM
> > Saudi Arabia
> >

-- 
Muhammad Nasim
Network Engineer
SISCOM
Saudi Arabia
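The forwarding rules Petr lays out above (primary feeds P to I/C, isolated feeds I to P only, community feeds C to C and C to P, one primary per secondary, one isolated VLAN per domain) together with the two observations Mike made on the 3560 (a P port only reaches the secondaries in its own mapping, and a second "private-vlan association" of vlan 851 is rejected) can be captured in a small model and checked before a change is pushed. The code below is an added example written for this archive page; it is not from the thread, from Internetwork Expert, or from Cisco. It reuses Mike's vlan 850/851/852 and fa0/11/fa0/12 configuration, while the host ports fa0/1-fa0/4, the class and function names, and the assumption that reachability is symmetric between a host port and a P port are constructed for the example.

```python
from dataclasses import dataclass


class PvlanError(Exception):
    """Raised where a real switch would answer '%Command rejected'."""


@dataclass
class Port:
    name: str
    mode: str               # "host" or "promiscuous"
    primary: int
    secondaries: set[int]   # one secondary for a host port, the mapping list for a P port


class PvlanSwitch:
    """Model of private-VLAN configuration and reachability (assumed semantics, per the thread)."""

    def __init__(self) -> None:
        self.vlan_type: dict[int, str] = {}          # vid -> primary | isolated | community
        self.associations: dict[int, set[int]] = {}  # primary -> secondaries bound to it
        self.owner: dict[int, int] = {}              # secondary -> the one primary it belongs to
        self.ports: dict[str, Port] = {}

    def vlan(self, vid: int, kind: str) -> None:
        if kind not in ("primary", "isolated", "community"):
            raise PvlanError(f"unknown private-vlan type {kind!r}")
        self.vlan_type[vid] = kind

    def associate(self, primary: int, secondaries: list[int]) -> None:
        """'private-vlan association': bind secondaries to a primary under the thread's rules."""
        if self.vlan_type.get(primary) != "primary":
            raise PvlanError(f"vlan{primary} is not a primary VLAN")
        bound = self.associations.setdefault(primary, set())
        for sec in secondaries:
            kind = self.vlan_type.get(sec)
            if kind not in ("isolated", "community"):
                raise PvlanError(f"vlan{sec} is not a secondary VLAN")
            held_by = self.owner.get(sec)
            if held_by is not None and held_by != primary:
                # The rejection Mike hit: a secondary belongs to exactly one primary.
                raise PvlanError(
                    f"invalid private vlan association between vlan{primary} and vlan{sec}. "
                    f"VLAN {sec} is already associated with VLAN {held_by}.")
            if kind == "isolated" and any(
                    s != sec and self.vlan_type[s] == "isolated" for s in bound):
                raise PvlanError(f"vlan{primary} already has an isolated VLAN")
            bound.add(sec)
            self.owner[sec] = primary

    def _require_bound(self, primary: int, secondaries) -> None:
        for sec in secondaries:
            if sec not in self.associations.get(primary, set()):
                raise PvlanError(f"vlan{sec} is not associated with vlan{primary}")

    def host_port(self, name: str, primary: int, secondary: int) -> None:
        """'switchport private-vlan host-association <primary> <secondary>'."""
        self._require_bound(primary, [secondary])
        self.ports[name] = Port(name, "host", primary, {secondary})

    def promiscuous_port(self, name: str, primary: int, mapping: list[int]) -> None:
        """'switchport private-vlan mapping <primary> add <secondaries>'."""
        self._require_bound(primary, mapping)
        self.ports[name] = Port(name, "promiscuous", primary, set(mapping))

    def can_talk(self, a: str, b: str) -> bool:
        """Can ports a and b exchange frames? (Symmetry is an assumption of this model.)"""
        pa, pb = self.ports[a], self.ports[b]
        if pa.primary != pb.primary:
            return False                       # different PVLAN domains share no wire
        if pa.mode == "promiscuous" and pb.mode == "promiscuous":
            return True                        # both sit on the primary VLAN
        if "promiscuous" in (pa.mode, pb.mode):
            host, prom = (pb, pa) if pa.mode == "promiscuous" else (pa, pb)
            return host.secondaries <= prom.secondaries   # P port only answers its mapping
        (sa,), (sb,) = pa.secondaries, pb.secondaries
        return sa == sb and self.vlan_type[sa] == "community"   # buddies only, never I to I


def build_thread_example() -> PvlanSwitch:
    """Mike's vlan 850/851/852 configuration plus four constructed host ports."""
    sw = PvlanSwitch()
    sw.vlan(850, "primary")
    sw.vlan(851, "isolated")
    sw.vlan(852, "community")
    sw.associate(850, [851, 852])
    sw.promiscuous_port("fa0/11", 850, [851])   # from the thread
    sw.promiscuous_port("fa0/12", 850, [852])   # from the thread
    sw.host_port("fa0/1", 850, 851)             # constructed isolated hosts
    sw.host_port("fa0/2", 850, 851)
    sw.host_port("fa0/3", 850, 852)             # constructed community hosts
    sw.host_port("fa0/4", 850, 852)
    return sw


def reachability(sw: PvlanSwitch) -> dict[tuple[str, str], bool]:
    """Pairwise reachability table, for reviewing intended isolation before a change."""
    names = sorted(sw.ports)
    return {(a, b): sw.can_talk(a, b) for a in names for b in names if a < b}


if __name__ == "__main__":
    sw = build_thread_example()
    for (a, b), ok in reachability(sw).items():
        print(f"{a:6} <-> {b:6}: {'yes' if ok else 'no'}")
    sw.vlan(860, "primary")
    try:
        sw.associate(860, [851])                # the association Mike's 3560 refused
    except PvlanError as err:
        print("%Command rejected:", err)
```

Running it prints the full reachability table for Mike's domain (isolated hosts reach fa0/11 only, community hosts reach each other and fa0/12 only, the two P ports reach each other) and then reproduces the "already associated with VLAN 850" rejection for vlan 860. The table is the thing worth keeping next to a change ticket: if a host pair that should be isolated shows "yes", the mapping or host-association is wrong before it ever reaches a switch.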


This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:49 ART