[c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?

Sven 'Darkman' Michels sven at darkman.de
Tue Jan 26 08:06:14 EST 2010 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Pavel, rest,

sorry for coming back on the topic. I had now the time to play with the setup
a bit more and run into a problem: pvlans are not working well.

The config:
having a core router 6509 with a port channel on two gigE Ports (Gi3/13 and 15)
configured as follow:
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 330-349
 switchport mode trunk
 no ip address
 flowcontrol receive on
 flowcontrol send on
end

both ports have the following config:
interface GigabitEthernet3/13
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 330-349
 switchport mode trunk
 no ip address
 flowcontrol receive on
 flowcontrol send on
 no cdp enable
 channel-group 1 mode on

The PVLAN is 334,335:
interface Vlan334
 ip address xx.xx.xx.1 255.255.255.0
 ip verify unicast source reachable-via rx
 no ip redirects
 ip sticky-arp ignore
 no ip proxy-arp
 no ip mroute-cache
 private-vlan mapping 335
end

VLan config:
vlan 334
 name ISOLATOR-FOR-335
  private-vlan primary
  private-vlan association 335
end

vlan 335
 name ISOLATED-BY-334
  private-vlan isolated
end

VLAN335 has no interface, of course.

Po1 is connected to a 3560G switch, Ports 49 and 50 configured as Po1 on the
Switch:

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 330-336
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
end

interface GigabitEthernet0/49
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 330-336
 switchport mode trunk
 ip arp inspection trust
 udld port
 channel-group 1 mode on
 ip dhcp snooping trust
end

(same for 50).

and the vlan config:
vlan 334
 name transport-335
  private-vlan primary
  private-vlan association 335
end

vlan 335
 name lan
  private-vlan isolated
end

And the lan port:
interface GigabitEthernet0/41
 switchport private-vlan host-association 334 335
 switchport mode private-vlan host
 switchport nonegotiate
 speed auto 10 100
 no cdp enable
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 10
end

its just a small device connected to check if ping works fine so far.

Now the problem: ping from 6509:

c6509#ping ip xx.xx.xx.13 repeat 5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xx.xx.xx.13, timeout is 2 seconds:
..!.!
Success rate is 40 percent (2/5), round-trip min/avg/max = 1/1/1 ms
c6509#ping ip xx.xx.xx.13 repeat 5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xx.xx.xx.13, timeout is 2 seconds:
....!
Success rate is 20 percent (1/5), round-trip min/avg/max = 1/1/1 ms

This is far away from beeing good :(

The interesting thing: I have vlan336 on the same setup as normal vlan,
where a small dmz is located. This one works perfectly: no loss, ping
is okay... So it seems to be a problem related to the pvlan itself, not
to the setup, right?
I also shutted one port for the channel to see if that helps, but no luck :(

I've no more ideas, beside removing the Portchannel and try again, which would
be sad...

Thanks and regards,
Sven

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkte6MUACgkQQoCguWUBzBye5gCfSslgfNCokmM2Qizd5wpoiHvE
AKEAoJZluXFPj7CpI/k8sube4R4s5des
=urBf
-----END PGP SIGNATURE-----

More information about the cisco-nsp mailing list