[c-nsp] pvlan (Private Vlan) setup question
Matt Buford
matt at overloaded.net
Fri Jul 9 09:55:07 EDT 2010
On Fri, Jul 9, 2010 at 8:29 AM, Erik Witkop <ewitkop at gmail.com> wrote:
> Thanks John.
>
> That seems viable. My only concern is if I have more and more customers
> coming into distribution, the config could get hairy.
>
> I was hoping I could make a different isolated vlan on the second 3750
> switch. And then I was hoping that a ping from isolated vlan to isolated
> vlan from switch to switch would fail.
> But I was wrong, it is somehow pinging even after I changed the isolated
> vlan on the second 3750 from 666 to 667.
>
> Am I wrong in thinking that it should not ping?
If you don't tag between the distribution and access layer, you can pass
pvlans around (as the only VLAN on the cable) but you have to do it
non-redundantly.
On the other hand, if you tag between the access and distribution layer, you
can carry the pvlan (and other VLANs) on the same cable and include
redundant uplinks.
Sample:

distribution2:

vtp mode transparent
! (vtp mode transparent added to the sample: VTP versions 1 and 2 do not
! carry private VLANs, and a 3750 rejects private-vlan configuration unless
! it is in transparent mode)
!
vlan 101
 name backups-primary
 private-vlan primary
 private-vlan association 102
!
vlan 102
 name backups-isolated
 private-vlan isolated
!
interface GigabitEthernet1/1
 description distribution1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
! (switchport mode trunk added to the sample on every trunk below: the 3750
! default is dynamic auto, and two auto ports never negotiate a trunk)
!
interface GigabitEthernet1/2
 description access1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 101,102
!

distribution1:

vtp mode transparent
!
vlan 101
 name backups-primary
 private-vlan primary
 private-vlan association 102
!
vlan 102
 name backups-isolated
 private-vlan isolated
!
interface GigabitEthernet1/1
 description distribution2
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/2
 description access1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 101,102
!

access1:

vtp mode transparent
!
vlan 101
 name backups-primary
 private-vlan primary
 private-vlan association 102
!
vlan 102
 name backups-isolated
 private-vlan isolated
!
interface GigabitEthernet1/1
 description distribution1 uplink
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 101,102
!
interface GigabitEthernet1/2
 description distribution2 uplink
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 101,102
!
interface GigabitEthernet1/3
 description server1
 switchport
 switchport private-vlan host-association 101 102
 switchport mode private-vlan host
 no ip address
 spanning-tree portfast
!
With this configuration, you can connect any number of access switches to
your distribution switches and the pvlan you have created will properly
enforce communication rules between "host" or "promiscuous" ports connected
to any switch within the network. I use this heavily for providing secure
backups to thousands of servers throughout my datacenters. Servers can
connect their backup NIC to any port on any switch and we simply set the
pvlan on that port. The server will then only be able to communicate with
the promiscuous ports (which also can be located anywhere within the
network). Typically a network consists of ~20 access switches plus 2
distribution switches.
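When a pvlan is trunked between switches the way the post describes, the things that go wrong are mundane: one switch pairs the primary with a different secondary VLAN, an uplink's allowed-VLAN list carries the primary but not the isolated VLAN, a host port names a pair nobody defined, or a port has an allowed list but was never put into trunk mode. As an added example (not part of the post or the cisco-nsp thread), the Python below parses trimmed-down IOS configs in the shape of the sample above and reports each of those. The configs in it are constructed for the example, with `switchport mode trunk` present on the trunks; `expand_vlans`, `parse_ios` and `check_pvlan` are names chosen here, not Cisco tooling.

```python
"""Consistency checks for a private VLAN (pvlan) trunked across several switches.
Added example, not from the cisco-nsp post: parses trimmed-down IOS configs
shaped like the post's sample and reports what breaks isolation or connectivity."""
import re

def expand_vlans(spec):
    """Expand an IOS vlan list such as '101,102' or '200-202,210' into a set."""
    result = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        result.update(range(int(lo), int(hi or lo) + 1))
    return result

def parse_ios(config):
    """Pull vlan definitions and switchport settings out of one switch config."""
    vlans, ifaces, block = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan (\d+)$", line):
            block = vlans.setdefault(int(m[1]), {"type": "normal", "assoc": set()})
        elif m := re.match(r"interface (\S+)$", line):
            block = ifaces.setdefault(m[1], {"mode": "dynamic auto", "allowed": None, "host": None})
        elif block is None or not line or line.startswith("!"):
            continue  # separators, comments and global commands we do not need
        elif m := re.match(r"private-vlan (primary|isolated|community)$", line):
            block["type"] = m[1]
        elif m := re.match(r"private-vlan association (add )?([\d,-]+)$", line):
            block["assoc"] |= expand_vlans(m[2])
        elif m := re.match(r"switchport mode (.+)$", line):
            block["mode"] = m[1]
        elif m := re.match(r"switchport trunk allowed vlan (add )?([\d,-]+)$", line):
            base = (block["allowed"] or set()) if m[1] else set()
            block["allowed"] = base | expand_vlans(m[2])
        elif m := re.match(r"switchport private-vlan host-association (\d+) (\d+)$", line):
            block["host"] = (int(m[1]), int(m[2]))
    return {"vlans": vlans, "interfaces": ifaces}

def check_pvlan(configs):
    """Return human-readable findings; an empty list means the pvlan is consistent."""
    findings, mappings = [], {}
    parsed = {sw: parse_ios(cfg) for sw, cfg in configs.items()}
    for sw, p in parsed.items():
        mappings[sw] = {}
        for vid, v in p["vlans"].items():
            if v["type"] != "primary":
                continue
            for sec in sorted(v["assoc"]):
                if p["vlans"].get(sec, {}).get("type") not in ("isolated", "community"):
                    findings.append(f"{sw}: primary vlan {vid} is associated with vlan {sec}, "
                                    "which is not defined as isolated or community")
            mappings[sw][vid] = frozenset(v["assoc"])
    # The primary/secondary pairing has to be identical on every switch the pvlan crosses.
    show = lambda m: {p: sorted(s) for p, s in sorted(m.items())}
    ref_sw, ref = next(iter(mappings.items()))
    for sw, mapping in mappings.items():
        if mapping != ref:
            findings.append(f"{sw}: pvlan mapping differs from {ref_sw}: {show(mapping)} vs {show(ref)}")
    for sw, p in parsed.items():
        for name, i in p["interfaces"].items():
            allowed = i["allowed"]
            if allowed is not None and i["mode"] not in ("trunk", "dynamic desirable"):
                findings.append(f"{sw} {name}: allowed-vlan list set but mode is '{i['mode']}', "
                                "which never forms a trunk against a dynamic auto peer")
            for prim, secs in mappings[sw].items():
                whole = {prim} | secs  # a trunk must carry the primary and every secondary together
                if allowed is not None and allowed & whole and not whole <= allowed:
                    findings.append(f"{sw} {name}: trunk carries pvlan {prim} without vlan(s) "
                                    f"{sorted(whole - allowed)}")
            if i["host"] and i["host"][1] not in mappings[sw].get(i["host"][0], ()):
                findings.append(f"{sw} {name}: host-association {i['host'][0]} {i['host'][1]} "
                                "matches no defined private-vlan association")
    return findings

# Constructed configs mirroring the post's sample (switchport mode trunk added).
DIST = """\
vlan 101
 private-vlan primary
 private-vlan association 102
!
vlan 102
 private-vlan isolated
!
interface GigabitEthernet1/2
 switchport mode trunk
 switchport trunk allowed vlan 101,102
"""
ACCESS = DIST[: DIST.index("interface")] + """\
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 101,102
!
interface GigabitEthernet1/3
 switchport mode private-vlan host
 switchport private-vlan host-association 101 102
"""
GOOD = {"distribution1": DIST, "distribution2": DIST, "access1": ACCESS}
BROKEN = {  # one switch pairs the primary with a different isolated vlan; one uplink drops it
    "distribution1": DIST,
    "distribution2": DIST.replace("association 102", "association 103").replace("vlan 102\n", "vlan 103\n"),
    "access1": ACCESS.replace("allowed vlan 101,102", "allowed vlan 101"),
}
```

`check_pvlan(GOOD)` returns an empty list; `check_pvlan(BROKEN)` reports the mismatched mapping on distribution2, the distribution2 trunk that now carries the primary without its new secondary, and the access1 uplink that dropped VLAN 102. Feed it the running configs of every switch the pvlan touches (`show running-config` output works as-is, since unrecognised lines are ignored) and treat any finding as a gap in the isolation the design is supposed to give.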