[c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?

Pavel Skovajsa pavel.skovajsa at gmail.com
Tue Jan 26 09:02:12 EST 2010 

Hi Sven,

I had not exactly the same but similar issues but with 7606 - see
http://www.mail-archive.com/cisco-nsp@puck.nether.net/msg26651.html. I
learned from TAC that the issue was with the fact that I used it in
combination with VRFs and the traffic got incorrectly punted into 7606
MSFC CPU where there are hardware rate limiters (show mls rate-limit).

Anyway, try upgrading the 6509 I am sure some old SXD code has number
of bugs around this.

-pavel


On Tue, Jan 26, 2010 at 2:06 PM, Sven 'Darkman' Michels <sven at darkman.de> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Pavel, rest,
>
> sorry for coming back on the topic. I had now the time to play with the setup
> a bit more and run into a problem: pvlans are not working well.
>
> The config:
> having a core router 6509 with a port channel on two gigE Ports (Gi3/13 and 15)
> configured as follow:
> interface Port-channel1
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 330-349
>  switchport mode trunk
>  no ip address
>  flowcontrol receive on
>  flowcontrol send on
> end
>
> both ports have the following config:
> interface GigabitEthernet3/13
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 330-349
>  switchport mode trunk
>  no ip address
>  flowcontrol receive on
>  flowcontrol send on
>  no cdp enable
>  channel-group 1 mode on
>
> The PVLAN is 334,335:
> interface Vlan334
>  ip address xx.xx.xx.1 255.255.255.0
>  ip verify unicast source reachable-via rx
>  no ip redirects
>  ip sticky-arp ignore
>  no ip proxy-arp
>  no ip mroute-cache
>  private-vlan mapping 335
> end
>
> VLan config:
> vlan 334
>  name ISOLATOR-FOR-335
>  private-vlan primary
>  private-vlan association 335
> end
>
> vlan 335
>  name ISOLATED-BY-334
>  private-vlan isolated
> end
>
> VLAN335 has no interface, of course.
>
> Po1 is connected to a 3560G switch, Ports 49 and 50 configured as Po1 on the
> Switch:
>
> interface Port-channel1
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 330-336
>  switchport mode trunk
>  ip arp inspection trust
>  ip dhcp snooping trust
> end
>
> interface GigabitEthernet0/49
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 330-336
>  switchport mode trunk
>  ip arp inspection trust
>  udld port
>  channel-group 1 mode on
>  ip dhcp snooping trust
> end
>
> (same for 50).
>
> and the vlan config:
> vlan 334
>  name transport-335
>  private-vlan primary
>  private-vlan association 335
> end
>
> vlan 335
>  name lan
>  private-vlan isolated
> end
>
> And the lan port:
> interface GigabitEthernet0/41
>  switchport private-vlan host-association 334 335
>  switchport mode private-vlan host
>  switchport nonegotiate
>  speed auto 10 100
>  no cdp enable
>  spanning-tree bpduguard enable
>  ip dhcp snooping limit rate 10
> end
>
> its just a small device connected to check if ping works fine so far.
>
> Now the problem: ping from 6509:
>
> c6509#ping ip xx.xx.xx.13 repeat 5
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to xx.xx.xx.13, timeout is 2 seconds:
> ..!.!
> Success rate is 40 percent (2/5), round-trip min/avg/max = 1/1/1 ms
> c6509#ping ip xx.xx.xx.13 repeat 5
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to xx.xx.xx.13, timeout is 2 seconds:
> ....!
> Success rate is 20 percent (1/5), round-trip min/avg/max = 1/1/1 ms
>
> This is far away from beeing good :(
>
> The interesting thing: I have vlan336 on the same setup as normal vlan,
> where a small dmz is located. This one works perfectly: no loss, ping
> is okay... So it seems to be a problem related to the pvlan itself, not
> to the setup, right?
> I also shutted one port for the channel to see if that helps, but no luck :(
>
> I've no more ideas, beside removing the Portchannel and try again, which would
> be sad...
>
> Thanks and regards,
> Sven
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkte6MUACgkQQoCguWUBzBye5gCfSslgfNCokmM2Qizd5wpoiHvE
> AKEAoJZluXFPj7CpI/k8sube4R4s5des
> =urBf
> -----END PGP SIGNATURE-----
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

More information about the cisco-nsp mailing list