[c-nsp] IBM CIGESM aggregation and Private VLANs.
Adrian Chung
adrian at enfusion-group.com
Sun Aug 17 21:43:04 EDT 2008
Apologies if this has been discussed before on this list, feel free to point
me in the right direction, though the usual searches didn¹t turn anything
up.
A couple of questions about Private VLANs between PVLAN speaking switches
and non-PVLAN speaking switches.
In the process of setting up a couple of Cisco Intelligent Gigabit Ethernet
Switch Modules - these are the Cisco 2950-like switches that come as a
modular option in IBM Blade Center server chassis. They have 4 external
uplink ports and no private VLAN support.
We¹re connecting them up to a couple of 6500s over port-channelled bundles
but are running up against questions surrounding private VLANs and trunking
particularly between switches which do and do not support PVLANs.
For argument sake, lets say the 6500s have an isolated PVLAN numbered 101,
where the primary is 100. On the CIGESM side, there is no support for
PVLANs, and the blades themselves only have 2 NICs. Because there are more
than 2 VLANs to carry into each blade, the OS is configured for VLAN
tagging. In testing, if we tag VLAN 101 in the OS, no communication to
other isolated or promiscuous PVLAN ports happens across the trunk on the
6500.
If we tag VLAN 100 in the OS, the OS has communication to all of the
promiscuous ports and none of the other isolated ports, just like a proper
isolated PVLAN port would.
If I check the mac-address-table on the CIGESM trunk-port side, I see both
entries for VLAN 100 (mapping back, all correspond to promiscuous ports) and
VLAN 101 (mapping back, corresponding to isolated ports).
Weird thing is, even if an interface tagged VLAN 101 is brought up in the
OS, and a tcpdump is run on it, no traffic from other isolated PVLAN 101
ports is ever seen.
A couple of questions around this behaviour:
1. Does anyone actually know how PVLANs are tagged and carried across a
regular trunk? Is it simply tagged with the appropriate primary or
secondary VLAN tags and expected that the receiving switch understands
PVLANs and maps the secondaries the same way as the sender?
2. The scenario above with the OS tagging the primary VLAN but still
seemingly maintaining isolation from other isolated ports and being able to
reach promiscuous ports is technically fine, but what security issues
surround this configuration? Cisco's documentation touches upon making sure
that all switches involved in PVLAN trunking support PVLANs to ensure that
no security is lost...
3. Does anyone else use CIGESMs and have requirements to see more than two
VLANs inside the OS which are a mix of both regular and PVLAN ports, and if
so, how do you configure your environment?
(As an aside, this particular H blade chassis supports additional CIGESM
modules and the blades can take an additional two NICs, which would mean we
could have 4 CIGESMs and the problem goes away -- except for the fact that
that means there's no room for Fiber Channel connectivity, which is also a
requirement).
--
Adrian Chung
More information about the cisco-nsp
mailing list