[c-nsp] Secondary VLAN deployment on Metro ETTH

Pavel Skovajsa pavel.skovajsa at gmail.com
Wed Nov 25 05:09:12 EST 2009 

Hello,

Probably I do not have luck for proper audience for the questions below,
whatever the case I have began to test the Private VLAN deployment, and ran
into strange packet drop issue.

The test topology is simple:  C7606 Gi1/22 -----fiber-----> Gi0/1
ME3400-24TS-A -> Fa0/3 client PC

The PVLAN is simple enough to post.

7606 running 12.2(33)SRC4:

vlan 14
name test
 private-vlan primary
 private-vlan association 140

vlan 140
name test_secondary
 private-vlan isolated

interface Vlan14
description test
ip vrf forwarding ext
ip address 1.1.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
private-vlan mapping 140

interface GigabitEthernet1/22
description To_testing_ME3400-24-TS
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-61,63-4094
switchport mode trunk
switchport nonegotiate
logging event link-status
load-interval 30
no snmp trap link-status


ME3400-24-TS-A running 12.2(52)SE:

vlan 14
name test
 private-vlan primary
 private-vlan association 140

vlan 140
name test_secondary
 private-vlan isolated

interface GigabitEthernet0/1
port-type nni
switchport mode trunk
ip dhcp snooping trust

interface FastEthernet0/3
 description test_secondary_vlan
 switchport private-vlan host-association 14 140
 switchport mode private-vlan host
 load-interval 30
 storm-control broadcast level pps 30
 storm-control multicast level pps 30
 ip dhcp snooping limit rate 100


Before the PVLAN is configured I have nice connectivity from the 7606 to the
client PC:
7606#ping vrf ext 1.1.1.2 repeat 1000 size 1400

Type escape sequence to abort.
Sending 1000, 1400-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/2/12 ms

However the moment I configure PVLAN (see above) I get this:
7606#ping vrf ext 1.1.1.2 repeat 1000 size 1400

Type escape sequence to abort.
Sending 1000, 1400-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!
!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!
!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!
!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!
!.!!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!.!
!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!
!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!
!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!
!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!
!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!
.!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!.
!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!
!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!
!!.!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!
!!!!!!!!!!!.!!!!!!!!
Success rate is 92 percent (926/1000), round-trip min/avg/max = 1/2/28 ms

Which is a very interesting output (besides nice ASCII art) because the
packet drop is regular - 12 pings work, 13th does not, 12 pings work, 13th
does not ...Thinking about it now, maybe it has to do something with the
number 13 :)

-pavel skovajsa

On Mon, Nov 23, 2009 at 3:47 PM, Pavel Skovajsa <pavel.skovajsa at gmail.com>
wrote:
> Hi all,
>
> I am planning to implement Secondary VLANs feature on a Metro ETTH
> based on ME3400+76k. I have read various docs about the best I found
> is on
http://blog.internetworkexpert.com/2008/07/14/private-vlans-revisited/
>
> I have couple questions/scenarios I want to doublecheck with you:
> 1. Anybody using VPTv3 do disseminate the PVLAN info?
> 2. What if there are 3rd party switches in the environment placed
> randomly between the ME3400?
>
> Here is my train of thought:
>    - From the explanations in the various docs I understood that the
> MAC address table for *downstream traffic* is stored in primary VLAN
> table
>    - The reverse upstream traffic is stored in secondary VLAN MAC table
>    -> hence it follows (not written anywhere) that in order to
> properly switch the traffic and not flood it, the PVLAN implementation
> must do lookups in JOINED primary+secondary mac address table.
>
> Now the problem might lie in having 3rd party switches placed
> *between* ME3400 - they have no idea about the PVLANs hence forward it
> according to their VLAN tables -> which are are NOT joined -> hence
> the traffic is flooded on them.
>
>
> -pavel skovajsa
>

More information about the cisco-nsp mailing list