[c-nsp] 6500 12.2SX* Port-Channel Private VLAN support

Tim Durack tdurack at gmail.com
Tue Jan 13 15:12:36 EST 2009 

(Resurrecting an old email chain.)

I'm trying to use private-vlans on a SUP720 with SVIs, without success.

Config looks like:

interface GigabitEthernet1/5
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 3,48,348,648,948
 switchport private-vlan mapping 48 948
 switchport mode trunk
 switchport nonegotiate
 channel-group 48 mode active
 spanning-tree guard root
end

interface Port-channel48
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 3,48,348,648,948
 switchport mode trunk
 switchport nonegotiate
 mls qos trust dscp
 lacp fast-switchover
 spanning-tree guard root
end

interface Vlan48
 description USR_48
 ip address 10.1.48.3 255.255.255.0
 ip directed-broadcast 100
 ip pim sparse-mode
 private-vlan mapping 948
 arp timeout 300
 standby delay minimum 30 reload 60
 standby version 2
 standby 0 ip 10.1.48.1
 standby 0 priority 90
 standby 0 preempt delay minimum 300 reload 300
end

I can see arp entries being learned:

RTR-1#sh ip arp vl48
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.48.3               3   001b.0de7.7780  ARPA   Vlan48
Internet  10.1.48.2               -   001b.0de7.7bc0  ARPA   Vlan48
Internet  10.1.48.1               -   0000.0c9f.f000  ARPA   Vlan48
Internet  10.1.48.4               2   0019.bb0d.4d00  ARPA   Vlan48 pv 948
Internet  10.1.48.254             1   001e.3718.0cbb  ARPA   Vlan48 pv 948

But I cannot ping devices in the private-vlan, nor can devices ping the SVI.

I know the Cisco docs say private-vlans and etherchannels don't mix,
but they aren't very clear. I've tried without the etherchannel with
the same problem.

Any ideas?

On Wed, Nov 7, 2007 at 8:23 PM, Tim Durack <tdurack at gmail.com> wrote:
> On Nov 7, 2007 6:02 PM, Matt Buford <matt at overloaded.net> wrote:
>> > Good to know. I actually want to do something like:
>> [...]
>> >> interface Port-channel1
>> >>  switchport trunk encapsulation dot1q
>> >>  switchport mode dynamic desirable
>> >>  switchport private-vlan host-association 44 400
>> >>  switchport mode private-vlan host
>>
>> I'm confused about something else here.  Why do you have dot1q listed when
>> your switchport mode is not trunk?  You need to choose between vlan
>> tagging/trunking, or untagged private vlan host port.  You can't be both.
>
> That's because I'm not used to the Cisco way of doing things. For me
> it's just tagged or untagged :-)
>
>> As for the Etherchannel restriction, my guess is that it is simply an ASIC
>> restriction.  Heck, on many (or all?) of the faste cards you can't even do
>> Etherchannel in the same group of 12 ports as a pvlan host port.  Since I
>> use pvlan host ports heavily toward customers, I'm forced to just say that I
>> do not support VLAN tagging downstream - ever.  If I supported even 1, then
>> suddenly I'd have a group of 11 other ports that techs would have to
>> remember can't be used for any regular pvlan customers.  On cards like
>> ES-X6148-GE-TX the features are incompatible across groups of 24 ports!  Too
>> confusing, so I just don't allow tagging.  The only tagging I do is on gbic
>> based gig ports, which each have their own ASIC.
>>
>> You *CAN* tag private vlans through etherchannels.  You just can't make an
>> etherchannel into a pvlan host port.
>
> Okay - that's what I'm looking for. This is a distribution switch,
> hosts will be attached to a connected access switch.
>
> There will be no "host" ports on the distribution, just "trunk" ports.
> If I can group VLANs, I can maintain the same IP subnet, applying
> different ACLs at the access layer.
>
>> From a production distribution level switch - trimmed down a bit:
>>
>> vlan 900
>>  name pvlan
>>   private-vlan primary
>>   private-vlan association 901-902,905
>> !
>> vlan 901
>>  name pvlan-isolated
>>   private-vlan isolated
>> !
>> ! not bothering to list the other parts of this pvlan
>> !
>> interface Port-channel1
>>  switchport
>>  switchport trunk encapsulation dot1q
>>  switchport mode trunk
>>  no ip address
>> !
>> interface GigabitEthernet7/1
>>  switchport
>>  switchport trunk encapsulation dot1q
>>  switchport mode trunk
>>  no ip address
>>  channel-group 1 mode desirable
>> !
>> interface GigabitEthernet7/12
>>  switchport
>>  switchport trunk encapsulation dot1q
>>  switchport mode trunk
>>  no ip address
>>  channel-group 1 mode desirable
>>
>> Then, downstream of Po1 there is another 6500 in an access layer role which
>> also contains vlan 900-902,905 and uses these for pvlan host ports.
>
> This seems logical, but the documentation isn't entirely clear. I'll
> give this a shot!
>
> Tim:>
>

More information about the cisco-nsp mailing list