[c-nsp] 6500 12.2SX* Port-Channel Private VLAN support
Collins, Richard (SNL US)
richard.1.collins.ext at nsn.com
Wed Oct 24 11:25:30 EDT 2007
I tried testing this with a 2 trunk etherchannel between two switches.
Host1 and Host2 connected to SW1 (3560)
Host3 connected to SW2 (3560)
I used the secondary VLAN 400 as community for all these hosts.
I found I could create a vlan filter list on SW2 which blocked Host1 <> Host3 but allowed Host2 <> Host3. Without the filter both Host1 and Host2 could communicate with Host3. Host3 IP address: 10.10.40.100
Switch1 and Switch2#sh run
!
version 12.2
vtp mode transparent
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 44
private-vlan primary
private-vlan association 400
!
!
vlan 400
private-vlan community
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode dynamic desirable
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode dynamic desirable
channel-group 1 mode desirable
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode dynamic desirable
channel-group 1 mode desirable
!
!
interface GigabitEthernet0/23 (Host1 SW1)
switchport private-vlan host-association 44 400
switchport mode private-vlan host
!
interface GigabitEthernet0/24 (Host2 SW1 or Host3 SW2)
switchport private-vlan host-association 44 400
switchport mode private-vlan host
!
end
Switch2#ip access-list extended VACL
permit ip host 10.10.40.100 any
permit ip any host 10.10.40.100
vlan access-map VACL 10
action forward
match ip address VACL
vlan filter VACL vlan-list 400
-Rich
>
>Having a hard time figuring out if this is supported:
>
>6500 12.2SX*, secondary VLANs mapped to primary VLAN, on top of a port-channel.
>
>The docs make it look like private VLANs and port-channels are
>mutually exclusive, but I can't see why that would be the case.
>
>What I want to achieve is a group of VLANs on a port-channel, all
>sharing the same IP network. Private VLANs look like the way to do
>this. I can then apply ACLs on the secondary VLANs at the downstream
>access switch.
>
>If I could apply regular ACLs to a secondary VLAN this could be much simpler.
>
>Tim
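Added example, not part of the thread: a small Python model of how a Cisco VLAN access-map is evaluated (sequences in order, first match wins, a deny ACE inside the referenced ACL means "no match for this sequence", and anything matching no sequence is dropped), run over the three hosts in community VLAN 400. Host3's address 10.10.40.100 and the VACL are from the post; the Host1/Host2 addresses and the second access-map that isolates Host1 from Host3 are constructed for the example.

```python
import ipaddress

# Constructed addresses for the hosts in the post (only Host3's is given)
HOSTS = {"Host1": "10.10.40.101", "Host2": "10.10.40.102", "Host3": "10.10.40.100"}

def ace(permit, src, dst):
    """One ACE: permit flag plus source and destination networks."""
    return (permit, ipaddress.ip_network(src), ipaddress.ip_network(dst))

# ip access-list extended VACL, as posted
ACL_VACL = [
    ace(True, "10.10.40.100/32", "0.0.0.0/0"),   # permit ip host 10.10.40.100 any
    ace(True, "0.0.0.0/0", "10.10.40.100/32"),   # permit ip any host 10.10.40.100
]
# vlan access-map VACL 10 / action forward / match ip address VACL
ACCESS_MAP_VACL = [(10, ACL_VACL, "forward")]

# Constructed variant giving the behaviour described in the post: a drop
# sequence for Host1 <-> Host3 is evaluated before the posted forward sequence
ACL_HOST1_HOST3 = [
    ace(True, HOSTS["Host1"] + "/32", "10.10.40.100/32"),
    ace(True, "10.10.40.100/32", HOSTS["Host1"] + "/32"),
]
ACCESS_MAP_BLOCK = [(5, ACL_HOST1_HOST3, "drop"), (10, ACL_VACL, "forward")]

def acl_matches(acl, src, dst):
    """True if the first ACE the packet hits is a permit. In a VACL a deny
    ACE (or no ACE at all) means this map sequence does not match; the
    packet is NOT dropped here but falls through to the next sequence."""
    for permit, s, d in acl:
        if src in s and dst in d:
            return permit
    return False

def vacl_action(access_map, src, dst):
    """Evaluate map sequences in order; first matching sequence decides.
    A packet matching no sequence hits the implicit deny and is dropped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _seq, acl, action in access_map:
        if acl_matches(acl, src, dst):
            return action
    return "drop"

def check_pairs(access_map):
    """Action for every ordered host pair inside VLAN 400."""
    return {(a, b): vacl_action(access_map, HOSTS[a], HOSTS[b])
            for a in HOSTS for b in HOSTS if a != b}

if __name__ == "__main__":
    for pair, act in sorted(check_pairs(ACCESS_MAP_BLOCK).items()):
        print(f"{pair[0]} -> {pair[1]}: {act}")
```

Running it over the map as posted forwards every pair that involves 10.10.40.100 and drops Host1 <> Host2 via the implicit deny; the constructed second map additionally drops Host1 <> Host3 while still forwarding Host2 <> Host3.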