[c-nsp] 6500 12.2SX* Port-Channel Private VLAN support

Matt Buford matt at overloaded.net
Wed Nov 7 18:02:10 EST 2007


> Good to know. I actually want to do something like:
[...]
>> interface Port-channel1
>>  switchport trunk encapsulation dot1q
>>  switchport mode dynamic desirable
>>  switchport private-vlan host-association 44 400
>>  switchport mode private-vlan host

I'm confused about something else here.  Why do you have dot1q listed when 
your switchport mode is not trunk?  You need to choose between vlan 
tagging/trunking, or untagged private vlan host port.  You can't be both.

As for the Etherchannel restriction, my guess is that it is simply an ASIC 
restriction.  Heck, on many (or all?) of the FastE cards you can't even do 
Etherchannel in the same group of 12 ports as a pvlan host port.  Since I 
use pvlan host ports heavily toward customers, I'm forced to just say that I 
do not support VLAN tagging downstream - ever.  If I supported even 1, then 
suddenly I'd have a group of 11 other ports that techs would have to 
remember can't be used for any regular pvlan customers.  On cards like 
ES-X6148-GE-TX the features are incompatible across groups of 24 ports!  Too 
confusing, so I just don't allow tagging.  The only tagging I do is on gbic 
based gig ports, which each have their own ASIC.

You *CAN* tag private vlans through etherchannels.  You just can't make an 
etherchannel into a pvlan host port.

From a production distribution level switch - trimmed down a bit:

vlan 900
 name pvlan
  private-vlan primary
  private-vlan association 901-902,905
!
vlan 901
 name pvlan-isolated
  private-vlan isolated
!
! not bothering to list the other parts of this pvlan
!
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
interface GigabitEthernet7/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 channel-group 1 mode desirable
!
interface GigabitEthernet7/12
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 channel-group 1 mode desirable

Then, downstream of Po1 there is another 6500 in an access layer role which 
also contains vlan 900-902,905 and uses these for pvlan host ports. 
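As an added illustration (not part of the original post or of any Cisco tooling), a small Python config lint that encodes the two rules Matt states above: dot1q encapsulation only makes sense together with switchport mode trunk, and a Port-channel cannot be made a private-vlan host port. The sample config is constructed from the stanzas quoted in the thread; function and variable names are the example's own.

```python
from typing import Dict, List

# Constructed sample built from the stanzas quoted in the thread: Port-channel1 is the
# questioner's intended config (dot1q + pvlan host on an Etherchannel), Port-channel2
# mirrors the working production trunk, GigabitEthernet7/1 is a normal pvlan host port.
SAMPLE_CONFIG = """\
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
 switchport private-vlan host-association 44 400
 switchport mode private-vlan host
!
interface Port-channel2
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet7/1
 switchport
 switchport private-vlan host-association 900 901
 switchport mode private-vlan host
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group IOS-style config into {interface name: [its indented sub-lines]}."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or any other top-level line closes the stanza
    return stanzas

def check_interface(name: str, lines: List[str]) -> List[str]:
    """Apply the two rules from the post and return human-readable findings."""
    findings = []
    modes = [l[len("switchport mode "):] for l in lines if l.startswith("switchport mode ")]
    final_mode = modes[-1] if modes else None  # a later "switchport mode" replaces the earlier one
    if "switchport trunk encapsulation dot1q" in lines and final_mode != "trunk":
        findings.append(f"{name}: dot1q encapsulation with mode {final_mode!r}; trunk or pvlan host, not both")
    if final_mode == "private-vlan host" and name.lower().startswith("port-channel"):
        findings.append(f"{name}: pvlan host mode is not supported on an Etherchannel; trunk the pvlans instead")
    return findings

def lint(config: str) -> List[str]:
    return [f for name, lines in parse_interfaces(config).items() for f in check_interface(name, lines)]
```

Running lint(SAMPLE_CONFIG) flags only Port-channel1, once for each rule; the production-style trunk and the physical pvlan host port pass clean.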
