[c-nsp] 6500 12.2SX* Port-Channel Private VLAN support

Tim Durack tdurack at gmail.com
Wed Nov 7 20:23:47 EST 2007


On Nov 7, 2007 6:02 PM, Matt Buford <matt at overloaded.net> wrote:
> > Good to know. I actually want to do something like:
> [...]
> >> interface Port-channel1
> >>  switchport trunk encapsulation dot1q
> >>  switchport mode dynamic desirable
> >>  switchport private-vlan host-association 44 400
> >>  switchport mode private-vlan host
>
> I'm confused about something else here.  Why do you have dot1q listed when
> your switchport mode is not trunk?  You need to choose between vlan
> tagging/trunking, or untagged private vlan host port.  You can't be both.

That's because I'm not used to the Cisco way of doing things. For me
it's just tagged or untagged :-)

> As for the Etherchannel restriction, my guess is that it is simply an ASIC
> restriction.  Heck, on many (or all?) of the faste cards you can't even do
> Etherchannel in the same group of 12 ports as a pvlan host port.  Since I
> use pvlan host ports heavily toward customers, I'm forced to just say that I
> do not support VLAN tagging downstream - ever.  If I supported even 1, then
> suddenly I'd have a group of 11 other ports that techs would have to
> remember can't be used for any regular pvlan customers.  On cards like
> ES-X6148-GE-TX the features are incompatible across groups of 24 ports!  Too
> confusing, so I just don't allow tagging.  The only tagging I do is on gbic
> based gig ports, which each have their own ASIC.
>
> You *CAN* tag private vlans through etherchannels.  You just can't make an
> etherchannel into a pvlan host port.

Okay - that's what I'm looking for. This is a distribution switch,
hosts will be attached to a connected access switch.

There will be no "host" ports on the distribution, just "trunk" ports.
If I can group VLANs, I can maintain the same IP subnet, applying
different ACLs at the access layer.

> From a production distribution level switch - trimmed down a bit:
>
> vlan 900
>  name pvlan
>   private-vlan primary
>   private-vlan association 901-902,905
> !
> vlan 901
>  name pvlan-isolated
>   private-vlan isolated
> !
> ! not bothering to list the other parts of this pvlan
> !
> interface Port-channel1
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  no ip address
> !
> interface GigabitEthernet7/1
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  no ip address
>  channel-group 1 mode desirable
> !
> interface GigabitEthernet7/12
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  no ip address
>  channel-group 1 mode desirable
>
> Then, downstream of Po1 there is another 6500 in an access layer role which
> also contains vlan 900-902,905 and uses these for pvlan host ports.

This seems logical, but the documentation isn't entirely clear. I'll
give this a shot!

Tim:>
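The two rules Matt spells out above (a port is either a dot1q trunk or an untagged pvlan host port, never both, and an EtherChannel or its members cannot be a pvlan host port; only the primary/secondary VLANs can be trunked through it) are easy to check mechanically before a config is pushed. The following linter is an added example written for this thread, not Cisco tooling or anything either poster ran: it parses IOS-style text into `vlan` and `interface` blocks, verifies that every secondary VLAN in a `private-vlan association` is actually declared isolated/community and that each `host-association` points at a declared primary/secondary pair, and flags the two conflicts from the thread. The sample config is constructed from the quoted snippets (with Tim's original Po1 stanza renamed `Port-channel2` so it can sit beside Matt's working one); the function and variable names are my own.

```python
"""Lint an IOS-style config for the private VLAN / EtherChannel conflicts
discussed in the thread.  Constructed example, not Cisco software."""
import re
from collections import OrderedDict

# Constructed sample: Matt's working distribution config plus Tim's
# original Port-channel stanza (renamed Port-channel2).  vlan 905 is
# associated but never declared, mirroring the trimmed-down quote.
SAMPLE_CONFIG = """\
vlan 900
 name pvlan
  private-vlan primary
  private-vlan association 901-902,905
!
vlan 901
 name pvlan-isolated
  private-vlan isolated
!
vlan 902
 name pvlan-community
  private-vlan community
!
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
interface GigabitEthernet7/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 channel-group 1 mode desirable
!
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
 switchport private-vlan host-association 900 901
 switchport mode private-vlan host
!
"""


def parse_blocks(config):
    """Map each top-level header ('vlan 900', 'interface Port-channel1')
    to the list of its indented sub-commands.  '!' or a blank line ends
    a block, as in 'show running-config' output."""
    blocks, current = OrderedDict(), None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks


def expand_vlan_list(spec):
    """'901-902,905' -> {901, 902, 905} (plain form only; no add/remove)."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def lint(config):
    """Return a list of human-readable findings (empty list = clean)."""
    blocks, findings = parse_blocks(config), []
    primaries, secondary = {}, {}          # vid -> secondaries / vid -> kind
    for header, cmds in blocks.items():
        m = re.fullmatch(r"vlan (\d+)", header)
        if not m:
            continue
        vid = int(m.group(1))
        for c in cmds:
            if c == "private-vlan primary":
                primaries.setdefault(vid, set())
            elif c in ("private-vlan isolated", "private-vlan community"):
                secondary[vid] = c.split()[1]
            elif c.startswith("private-vlan association "):
                primaries.setdefault(vid, set()).update(expand_vlan_list(c.split()[-1]))
    for pvid, secs in primaries.items():
        for s in sorted(secs - set(secondary)):
            findings.append(f"vlan {pvid}: associated secondary vlan {s} is not declared isolated/community")

    for header, cmds in blocks.items():
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        modes = {c[len("switchport mode "):] for c in cmds if c.startswith("switchport mode ")}
        is_host = any(m.startswith("private-vlan") for m in modes)
        is_tagged = "trunk" in modes or any(m.startswith("dynamic") for m in modes) \
            or any(c.startswith("switchport trunk encapsulation") for c in cmds)
        in_channel = name.lower().startswith("port-channel") \
            or any(c.startswith("channel-group ") for c in cmds)
        assoc = [c.split() for c in cmds if c.startswith("switchport private-vlan host-association ")]
        for parts in assoc:                  # validate primary/secondary pair
            p, s = int(parts[-2]), int(parts[-1])
            if p not in primaries:
                findings.append(f"{name}: host-association primary vlan {p} is not a private-vlan primary")
            elif s not in primaries[p]:
                findings.append(f"{name}: secondary vlan {s} is not associated with primary {p}")
        if is_host and is_tagged:            # rule 1 from the thread
            findings.append(f"{name}: private-vlan host mode mixed with trunk/dot1q settings; choose one")
        if (is_host or assoc) and in_channel:  # rule 2 from the thread
            findings.append(f"{name}: pvlan host port on a Port-channel/EtherChannel member is not supported; trunk the pvlans instead")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f)
```

Run against the constructed sample it reports three findings: the undeclared vlan 905 in the association list, and two for `Port-channel2` (trunk settings mixed with host mode, and host mode on a Port-channel), while Matt's `Port-channel1` and `GigabitEthernet7/1` pass clean.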

