[c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?

Pavel Skovajsa pavel.skovajsa at gmail.com
Wed Jan 13 04:27:03 EST 2010


Hello Sven,

If I understood you correctly you can get around these limitations by
using the PVLAN feature on the end-user ports only and not on the
internal switch-to-switch links. On those links you can use normal
"trunk" ports and spread the PVLAN to your 6509 and terminate it on L3
VLAN int.

Access layer example for end-user port somewhere in the deeps of the
switched fabric:
interface FastEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 10 100

Access layer trunk port:
interface GigabitEthernet0/1
 switchport mode trunk

On your distribution (6509) you configure:

interface Vlan10
 ip sticky-arp ignore <--- this is important as PVLAN VLAN interface
gets sticky arp by default (for some unknown reason)
 no ip proxy-arp
 private-vlan mapping 100

and normal trunk port towards the switch fabric:
interface GigabitEthernet6/1
 switchport mode trunk

Yes this is probably suboptimal to what you would like to accomplish
however the end effect is that the end-user ports cannot communicate
with each other - which is probably what you want.

Another alternative is the "private-vlan trunk" feature which is
described over here
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html#wp1166138
- the trouble is that AFAIK currently it works only on C4500.

-pavel skovajsa
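The design above, written out as a complete configuration for both switches. This is an added example, not part of Pavel's message: the interface names match his, the VLAN numbers (primary 10, isolated 100), the VLAN definitions, the VTP mode, the allowed-VLAN list and the 192.0.2.0/24 address are constructed assumptions to make the fragment self-contained.

```ios
! --- Access switch (3560G) ---
vtp mode transparent   ! VTP v1/v2 do not carry private VLANs; define them locally
!
vlan 100
 private-vlan isolated
vlan 10
 private-vlan primary
 private-vlan association 100
!
! End-user port: a host port in isolated VLAN 100 can only talk to the
! promiscuous point (the SVI on the 6509), never to another host port.
interface FastEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 10 100
!
! Uplink: an ordinary 802.1Q trunk, not a private-vlan port. VLANs 10 and 100
! are carried as plain tagged VLANs; isolation is enforced on the host ports.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,100
!
! --- Distribution (6509) ---
vlan 100
 private-vlan isolated
vlan 10
 private-vlan primary
 private-vlan association 100
!
! L3 termination: the SVI is mapped to the secondary VLAN so it acts as the
! promiscuous port. Sticky ARP is on by default for PVLAN SVIs and would keep
! stale bindings; proxy ARP is disabled so the gateway does not answer for
! isolated hosts and silently undo the isolation at L3.
interface Vlan10
 ip address 192.0.2.1 255.255.255.0   ! constructed example address
 ip sticky-arp ignore
 no ip proxy-arp
 private-vlan mapping 100
!
interface GigabitEthernet6/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,100
!
! Verify on either box: "show vlan private-vlan" must list 10 -> 100 (isolated)
! and "show interfaces vlan 10 private-vlan mapping" the 100 mapping on the 6509.
```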

On Wed, Jan 13, 2010 at 7:03 AM, Sven 'Darkman' Michels <sven at darkman.de> wrote:
> Hi there,
>
> I'd like to use the pvlan feature from Cisco for two networks. I already read
> a lot of documentation on the pvlan feature on Cisco's page and many other blog
> posts etc. and already know that it seems not to be possible to use the pvlan
> feature with etherchannel/port groups on any device. Apart from no information
> *why* this is not possible, I have no idea how to complete the following setup:
>
> I'd like to have my PVLAN connected to my "core" network in a kind of redundancy
> and "more" bandwidth. The PVLAN has GBIT enabled devices, the uplink to the core
> should be more than one GBIT (to ensure that no single device is able to fill
> the uplink, but also able to use max of available bandwidth). Sadly, a TGigE Uplink
> is not yet possible. As switches we have 3560G and the core is currently a 6509.
> At least the redundancy is important, so i could try it with "backup-interface" on
> the 6509, but this would limit the pvlan to 1GigE, which is not exactly what i
> want.
> Another problem is, that i currently plan to deploy two isolated pvlans on the
> 3560 switches, which "should" be no problem if i use two different primary vlans
> (a primary may only carry one isolated pvlan at a time), but it seems to be not
> possible to use one uplink/trunk port for two different isolated pvlan setups?
> If that's true, I would need at least four ports (two for each isolated pvlan) just
> to get the redundancy and would not have any uplink >1GigE...
>
> Did i miss anything? is there a way to get the redundancy and the bandwidth? may
> i use two isolated pvlans on the same uplink? Is there some way to use something
> "like" etherchannel with pvlans? Or is there a way to change the setup in a way
> i would get pvlan + more bandwidth + redundancy without all of these problems or
> limitations? ;)
>
> Thanks and regards,
> Sven
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

