[c-nsp] pvlan (Private Vlan) setup question
John Kougoulos
koug at intracom.gr
Fri Jul 9 09:50:44 EDT 2010
> Thanks John.
>
> That seems viable. My only concern is if I have more and more customers
> coming into distribution, the config could get hairy.
>
> I was hoping I could make a different isolated vlan on the second 3750
> switch. And then I was hoping that a ping from isolated vlan to isolated vlan
> from switch to switch would fail.
> But I was wrong, it is somehow pinging even after I changed the isolated vlan
> on the second 3750 from 666 to 667.
>
> Am I wrong in thinking that it should not ping?
I'm a bit confused. Normally, if you have a private vlan (a primary vlan
and an isolated one) that spans multiple switches, you should not be able
to ping from switch to switch.
In your configuration you had configured the uplink ports as promiscuous
instead of as a regular trunk; that's why you could ping each other.
In the case where your edge switch does not support private VLANs (e.g. 3550,
29xxXL, etc.), I think that you could use a feature on 4500 switches called
private VLAN trunk (haven't tested it). Another option is to configure a
separate VLAN for each edge switch, configure the ports on the edge switch
as "switchport protected", and then use cables on the 65xx to connect the
edge VLAN to private-isolated ports on the same 65xx (kind of ugly, but
it works), or use the trick that Jon Harald Bøvre suggested.
Regards,
John
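The two uplink configurations John contrasts, plus the "switchport protected" fallback for an edge switch without PVLAN support, written out as an added IOS configuration example (this is not from the thread or from either poster). The primary VLAN number (100), the interface names, the 192.0.2.0/24 addressing, the per-edge-switch VLAN 201 and the assumption that the 3750 runs an image that supports the SVI private-vlan mapping are all mine; the thread only mentions isolated VLANs 666/667.

```cisco
! Added example, not from the original post. Assumed: primary VLAN 100,
! isolated VLAN 666, interface names, and VTP transparent mode on both 3750s
! (private VLANs require it on that platform).
vtp mode transparent
!
vlan 100
 name CUSTOMERS-PRIMARY
 private-vlan primary
 private-vlan association 666
!
vlan 666
 name CUSTOMERS-ISOLATED
 private-vlan isolated
!
! Customer host ports: members of the isolated VLAN, so they can reach only
! promiscuous ports (the gateway), never each other, on this or any other switch.
interface range GigabitEthernet1/0/1 - 20
 description customer host port
 switchport mode private-vlan host
 switchport private-vlan host-association 100 666
!
! WRONG (what the original poster had): an uplink configured as a promiscuous
! port. Frames from isolated hosts are allowed out of a promiscuous port, cross
! the link as ordinary primary-VLAN traffic, enter the other switch through its
! promiscuous port and are therefore delivered to the isolated hosts there.
! Result: isolated-to-isolated pings succeed between switches.
interface GigabitEthernet1/0/23
 description uplink - promiscuous, breaks isolation across switches
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 666
 shutdown
!
! RIGHT: a regular 802.1Q trunk that carries both the primary and the secondary
! VLAN. The isolated tag (666) is preserved across the trunk, so the remote
! switch still treats the frames as isolated and will not forward them to its
! own isolated ports. Both VLANs must exist, as private VLANs, on both switches.
interface GigabitEthernet1/0/24
 description uplink to distribution (trunk)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,666
 switchport mode trunk
!
! Only the gateway is promiscuous: here an SVI on the 3750 (assumed image
! support); on the original poster's network this would live on the 65xx.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 666
!
! ---------------------------------------------------------------------------
! Fallback for an edge switch that has no PVLAN support (e.g. a 3550): one
! ordinary VLAN per edge switch (201 assumed here) and "switchport protected"
! on every customer port, so ports on that switch cannot talk to each other.
! Isolation between different edge switches is then enforced upstream, by
! landing each edge VLAN on an isolated port of the 65xx as John describes.
vlan 201
 name EDGE-SW1-CUSTOMERS
!
interface range FastEthernet0/1 - 24
 description customer host port (protected)
 switchport access vlan 201
 switchport mode access
 switchport protected
!
interface GigabitEthernet0/1
 description uplink to 65xx
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 201
 switchport mode trunk
```

To confirm the result, `show vlan private-vlan` on each 3750 should list 100 as primary with 666 as its isolated secondary, and `show interfaces GigabitEthernet1/0/24 switchport` should report operational mode trunk with 100 and 666 in the allowed list; if the uplink shows up as "private-vlan promiscuous" instead, the cross-switch pings will work again. Note that "switchport protected" only stops forwarding between protected ports on the same switch, which is exactly why the per-edge-switch VLAN plus an isolated port on the 65xx is needed to block traffic between edge switches.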