[c-nsp] 6500 12.2SX* Port-Channel Private VLAN support

Tim Durack tdurack at gmail.com
Wed Oct 24 13:36:17 EDT 2007


Good to know. I actually want to do something like:

> vlan 44
>   private-vlan primary
>   private-vlan association 400
> !
>
> !
> vlan 400
>   private-vlan community
> !
> interface Port-channel1
>  switchport trunk encapsulation dot1q
>  switchport mode dynamic desirable
>  switchport private-vlan host-association 44 400
>  switchport mode private-vlan host
> !
> interface GigabitEthernet0/1
>  switchport trunk encapsulation dot1q
>  switchport mode dynamic desirable
>  channel-group 1 mode desirable
> !
> interface GigabitEthernet0/2
>  switchport trunk encapsulation dot1q
>  switchport mode dynamic desirable
>  channel-group 1 mode desirable
> !
>
> !
> interface GigabitEthernet0/23                   (Host1 SW1)
>  switchport private-vlan host-association 44 400
>  switchport mode private-vlan host
>
> !
> interface GigabitEthernet0/24           (Host2 SW1 or Host3 SW2)
>  switchport private-vlan host-association 44 400
>  switchport mode private-vlan host
> !
>
> end
>
> Switch2#ip access-list extended VACL
>  permit ip host 10.10.40.100 any
>  permit ip any host 10.10.40.100
>
> vlan access-map VACL 10
>  action forward
>  match ip address VACL
>
> vlan filter VACL vlan-list 400

And I want to avoid using VACLs 'cos they are a different format than
ip access-lists :-)

My thinking is more like:

6500
  |  |
  |  | Port-Channel
  |  |
L2 Switch

The 6500 is doing SVIs for VLAN L3 termination.

The L2 switch is non-cisco, but does have a very cisco-like cli. It
supports VLAN ACLs in the normal ip access-list format.

So I would have a primary VLAN that most devices are in, and a set of
secondary VLANs with certain classes of restricted access devices. The
restrictions are applied using VLAN ACLs on the L2 switch.

(Of course if I could apply ip access-lists to secondary VLANs on the
6500, I would rather do that. Fewer places to maintain ACLs.)

I don't (yet) have 6500 lab equipment to play with, so wondered if
anybody else has tried this.

Tim:>
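As an added example (not from this thread or from Cisco), a small Python linter for the kind of private-VLAN and VACL configuration quoted above: it reports any `host-association` or `vlan filter` that names a secondary VLAN which is not declared as community/isolated or not associated with its primary. The sample config is constructed and carries one deliberate dangling reference.

```python
import re

# Constructed sample modelled on the quoted config; Gi0/23 references secondary 401 on purpose.
SAMPLE_CONFIG = """\
vlan 44
  private-vlan primary
  private-vlan association 400
vlan 400
  private-vlan community
interface Port-channel1
 switchport private-vlan host-association 44 400
 switchport mode private-vlan host
interface GigabitEthernet0/23
 switchport private-vlan host-association 44 401
 switchport mode private-vlan host
vlan filter VACL vlan-list 400
"""

def parse(text):
    # Group each indented command under its top-level header line; skip blanks and "!".
    blocks = []
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def lint(text):
    """Return findings for secondary VLANs that are referenced but not declared/associated."""
    blocks = parse(text)
    assoc, secondary = {}, set()  # primary -> associated secondaries; declared secondaries
    for header, body in blocks:
        m = re.match(r"vlan (\d+)$", header)
        for cmd in body if m else ():
            if cmd.startswith("private-vlan association "):  # comma lists only, no ranges
                assoc[int(m.group(1))] = {int(x) for x in cmd.split()[2].split(",")}
            elif cmd in ("private-vlan community", "private-vlan isolated"):
                secondary.add(int(m.group(1)))
    findings = []
    for header, body in blocks:
        for cmd in body:
            h = re.match(r"switchport private-vlan host-association (\d+) (\d+)$", cmd)
            if h and int(h.group(2)) not in assoc.get(int(h.group(1)), set()) & secondary:
                findings.append(f"{header}: secondary {h.group(2)} is not associated with primary {h.group(1)}")
        f = re.match(r"vlan filter \S+ vlan-list (\d+)$", header)
        if f and int(f.group(1)) not in secondary:
            findings.append(f"{header}: VLAN {f.group(1)} is not a secondary VLAN")
    return findings
```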

