Thursday, March 20, 2014

Configuring Private VLANs

How to configure private VLANs on the Cisco 3560 switch.

The private-VLAN feature addresses two problems that service providers face when using VLANs:

Scalability: The switch supports up to 1005 active VLANs. If a service provider assigns one VLAN per customer, this limits the number of customers that the service provider can support.

To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can waste the unused IP addresses and cause IP address management problems.

Using private VLANs addresses the scalability problem and provides IP address management benefits for service providers and Layer 2 security for customers.

Private VLANs partition a regular VLAN domain into subdomains and can have multiple VLAN pairs—one for each subdomain. A subdomain is represented by a primary VLAN and a secondary VLAN.

There are two types of secondary VLANs:

Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.

Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level.

Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private-VLAN ports are access ports that are one of these types:

Promiscuous—A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN.

Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.

Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN.

Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.

Primary and secondary VLANs have these characteristics:

Primary VLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.

Isolated VLAN—A private VLAN has only one isolated VLAN. An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the gateway.

Community VLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port gateways and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN.

A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs. Layer 3 gateways are typically connected to the switch through a promiscuous port. With a promiscuous port, you can connect a wide range of devices as access points to a private VLAN. For example, you can use a promiscuous port to monitor or back up all the private-VLAN servers from an administration workstation.

In a switched environment, you can assign an individual private VLAN and associated IP subnet to each individual or common group of end stations. The end stations need to communicate only with a default gateway to communicate outside the private VLAN.

You can use private VLANs to control access to end stations in these ways:

Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2. For example, if the end stations are servers, this configuration prevents Layer 2 communication between the servers.

Configure interfaces connected to default gateways and selected end stations (for example, backup servers) as promiscuous ports to allow all end stations access to a default gateway.


You can extend private VLANs across multiple devices by trunking the primary, isolated, and community VLANs to other devices that support private VLANs. To maintain the security of your private-VLAN configuration and to avoid other use of the VLANs configured as private VLANs, configure private VLANs on all intermediate devices, including devices that have no private-VLAN ports.
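The configuration below is an added example, not part of the original post, that puts the whole description above into one Catalyst 3560 IOS configuration: the VTP mode the feature needs, the primary/isolated/community VLAN definitions, the three port types, the trunk to a neighbouring private-VLAN-aware switch, and the SVI mapping needed if the switch itself routes for the primary VLAN. VLAN numbers, interface roles and the 10.0.200.0/24 subnet are assumptions chosen for the example.

```cisco
! Added example (not from the original page): private VLANs on a Catalyst 3560.
! Assumed numbering: primary VLAN 200, isolated VLAN 201, community VLAN 202,
! subnet 10.0.200.0/24, Gi0/1 = gateway / backup server (promiscuous),
! Gi0/2-3 = isolated hosts, Gi0/4-5 = community hosts, Gi0/24 = trunk.
!
! Private VLANs require VTP transparent mode (VTP versions 1 and 2).
vtp mode transparent
!
! Define the secondary VLANs first, then the primary VLAN that associates them.
vlan 201
 private-vlan isolated
vlan 202
 private-vlan community
vlan 200
 private-vlan primary
 private-vlan association 201,202
!
! Promiscuous port: serves one primary VLAN and maps the one isolated VLAN plus
! every community VLAN, so the gateway reaches all host ports.
interface GigabitEthernet0/1
 description Default gateway / backup server
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
!
! Isolated host ports: no Layer 2 reachability to each other, only to Gi0/1.
interface range GigabitEthernet0/2 - 3
 description Isolated servers
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Community host ports: reach each other and Gi0/1, nothing else.
interface range GigabitEthernet0/4 - 5
 description Community servers
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
! Trunk to another switch that carries the same private-VLAN definitions;
! 200, 201 and 202 are carried as ordinary tagged VLANs.
interface GigabitEthernet0/24
 description Trunk to PVLAN-aware neighbour
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 200-202
!
! Optional: let the switch route for the primary VLAN. The SVI must map the
! secondary VLANs, otherwise traffic arriving from host ports is not routed.
ip routing
interface Vlan200
 ip address 10.0.200.1 255.255.255.0
 private-vlan mapping 201,202
!
! Verification:
!   show vlan private-vlan
!   show interfaces GigabitEthernet0/2 switchport
```

Two points worth checking after applying this. First, `show vlan private-vlan` should list each secondary VLAN against its primary with the expected ports; a host port whose VLAN association is missing stays inactive. Second, the isolation is Layer 2 only, as the post says: the gateway on the promiscuous port still routes between subnets, and enabling local proxy ARP on that gateway deliberately gives isolated hosts a path to each other through the router, so treat that setting and any gateway ACLs as part of the isolation design.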

Wednesday, March 12, 2014

Configuring MSDP

How to configure the Multicast Source Discovery Protocol (MSDP) on the Catalyst 3750X switch. MSDP connects multiple Protocol-Independent Multicast sparse-mode (PIM-SM) domains.

MSDP is not fully supported in this software release because of a lack of support for Multicast Border Gateway Protocol (MBGP), which works closely with MSDP. However, it is possible to create default peers that MSDP can operate with if MBGP is not running.

To use this feature, the switch must be running the IP services image.

Configuring a Default MSDP Peer

In this software release, because BGP and MBGP are not supported, you cannot configure an MSDP peer on the local switch by using the ip msdp peer global configuration command. Instead, you define a default MSDP peer (by using the ip msdp default-peer global configuration command) from which to accept all SA messages for the switch. The default MSDP peer must be a previously configured MSDP peer. Configure a default MSDP peer when the switch is not BGP- or MBGP-peering with an MSDP peer. If a single MSDP peer is configured, the switch always accepts all SA messages from that peer.

Consider a network in which default MSDP peers might be used: a customer who owns Switch B is connected to the Internet through two Internet service providers (ISPs), one owning Router A and the other owning Router C. They are not running BGP or MBGP between them. To learn about sources in the ISP's domain or in other domains, Switch B at the customer site identifies Router A as its default MSDP peer. Switch B advertises SA messages to both Router A and Router C but accepts SA messages only from Router A or only from Router C. If Router A is first in the configuration file, it is used if it is running. Only if Router A is not running does Switch B accept SA messages from Router C. This is the default behavior without a prefix list.

If you specify a prefix list, the peer is a default peer only for the prefixes in the list. You can have multiple active default peers when you have a prefix list associated with each. When you do not have any prefix lists, you can configure multiple default peers, but only the first one is the active default peer as long as the router has connectivity to this peer and the peer is alive. If the first configured peer fails or the connectivity to this peer fails, the second configured peer becomes the active default, and so on.

The ISP probably uses a prefix list to define which prefixes it accepts from the customer's router.
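The following is an added example, not taken from the page, showing the two default-peer behaviours described above on a Catalyst 3750 IOS configuration: the failover form without prefix lists, and the form with a prefix list per peer where both peers can be active at once. Peer addresses (Router A = 10.1.1.1, Router C = 10.2.2.2) and the prefixes in the lists are assumptions; PIM sparse mode and an RP are assumed to be configured already.

```cisco
! Added example (not from the page): default MSDP peers on a Catalyst 3750
! running the IP services image. Assumed: Router A = 10.1.1.1 (ISP A),
! Router C = 10.2.2.2 (ISP C); PIM-SM and the RP are already configured.
!
ip multicast-routing distributed
!
! --- Variant A: no prefix lists -------------------------------------------
! Only the first configured, reachable peer is the active default peer; the
! second is used only while the first is down or unreachable.
ip msdp default-peer 10.1.1.1
ip msdp default-peer 10.2.2.2
!
! --- Variant B: one prefix list per peer ----------------------------------
! Each peer is the default peer only for the prefixes in its list, so both
! peers are active at the same time. SA messages from a peer that fall outside
! its list are not accepted. The prefix ranges below are assumed values.
ip prefix-list ISP-A-PREFIXES seq 10 permit 172.16.0.0/16 le 32
ip prefix-list ISP-C-PREFIXES seq 10 permit 192.0.2.0/24 le 32
ip msdp default-peer 10.1.1.1 prefix-list ISP-A-PREFIXES
ip msdp default-peer 10.2.2.2 prefix-list ISP-C-PREFIXES
!
! Verification:
!   show ip msdp peer        (peer state and which default peer is in use)
!   show ip msdp sa-cache    (SA entries actually accepted)
```

Apply one variant, not both. From a control-plane hygiene standpoint Variant B is the safer shape: the prefix list bounds which SA messages each peer can inject, which is the same reason the ISP side uses a prefix list against the customer, as the post notes.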

Friday, March 7, 2014

Routing from 3560 to DSL modem not working

I'm setting up a lab switch, a WS-C3560X-24T-L, to a DSL router/modem and I cannot seem to get the routing from VLAN100 to the DSL router/modem to work.
int g0/1 is connected to the DSL router/modem
int g0/10 is connected to the client (10.10.100.10)

From the 3560, I can ping the DSL router (192.168.1.1), the client (10.10.100.10) and I can ping the internet.
From the client connected to the 3560, I can ping the g0/1 interface IP address (192.168.1.201), but not the DSL router (192.168.1.1).
From the DSL router, I can ping the internet and the 3560 g0/1 IP address (192.168.1.201) but cannot ping the client (10.10.100.10).

Config from 3560 follows:

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3560Lab1-DLS2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1500
vtp domain TestLab
vtp mode transparent
ip routing
ip name-server 4.2.2.2
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 100
name Home_VLAN
interface GigabitEthernet0/1
description To DSL
no switchport
ip address 192.168.1.201 255.255.255.0
!
<snip>
!
interface GigabitEthernet0/10
description Client
switchport access vlan 100
switchport mode access
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
ip address 10.10.100.1 255.255.255.0
!
!
router eigrp 100
network 10.10.100.0 0.0.0.255
network 192.168.1.0 0.0.0.255
!
ip http server
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1

I'm actually not sure. I have Uverse and the modem that they supply allows you to put all of your traffic into a DMZ. I had my router on the DMZ interface which allowed my public address to be assigned to my router instead of the modem. The problem with that in this situation is that the 3560 doesn't support NATting as far as I know, so it doesn't make sense to put your public IP on your switch.

So, another test that you could do if you wanted is to put your lan side ip on your dsl modem on the 10 subnet. Then you'd have to change the ip on vlan 10, but you'd be able to see if your 10.x.x.x host could get on the internet. I'm almost sure that's what this is. Now it doesn't explain why you couldn't ping between devices on the same switch in different vlans earlier though. You have the vlan created and a l3 svi attached with routing on, so those subnets are locally connected and should be able to route between vlans with no issue. Through all of this, I'm not sure if that part was ever fixed. Have you checked the ios version that you're on to see if you're running the latest?

If you decide to do the internal LAN side address change on the DSL modem and it works, I'm afraid that you may not be able to segment your network into different subnets if you can't NAT them via the modem. You could still create your VLANs for internal testing, but they wouldn't be able to get on the internet because of the NATting issue. This is one reason a lot of people on the forums will put a Cisco router in between their DSL modem and switches. You could also do this with an ASA as well.
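As an added example (not posted by either participant), this is the "Cisco router between the DSL modem and the switch" design the reply suggests, written as IOS configuration. The router NATs the 10.x.x.x subnets onto its modem-facing address, so the modem only ever sees 192.168.1.0/24 and needs no route back to 10.10.100.0/24, which is the return-path gap behind the symptoms in the original post. The router-to-switch link 10.10.0.0/30, the router's 192.168.1.2 address and the reuse of EIGRP AS 100 are assumptions.

```cisco
! Added example (not from the thread): ISR router placed between the DSL modem
! (192.168.1.1) and the 3560. Assumed addressing: Gi0/0 = 192.168.1.2/24
! towards the modem, Gi0/1 = 10.10.0.1/30 towards the 3560 Gi0/1.
hostname Edge-Router
ip cef
!
interface GigabitEthernet0/0
 description To DSL modem (192.168.1.1)
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description To 3560 Gi0/1
 ip address 10.10.0.1 255.255.255.252
 ip nat inside
!
! Learn 10.10.100.0/24 (and any further VLAN subnets) from the switch.
router eigrp 100
 network 10.10.0.0 0.0.0.3
 no auto-summary
!
! Everything not learned internally goes to the modem.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! Translate all 10.10.x.x sources to the modem-facing address (PAT), so the
! modem never has to know about the internal subnets.
ip access-list standard NAT-INSIDE
 permit 10.10.0.0 0.0.255.255
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! --- Corresponding changes on the 3560 (replace its existing lines) --------
! interface GigabitEthernet0/1
!  ip address 10.10.0.2 255.255.255.252
! router eigrp 100
!  network 10.10.0.0 0.0.0.3
!  no network 192.168.1.0 0.0.0.255
!  no auto-summary
! ip route 0.0.0.0 0.0.0.0 10.10.0.1
!
! Verification on the router:
!   show ip nat translations
!   show ip route eigrp        (expect 10.10.100.0/24 via 10.10.0.2)
```

With this in place each new VLAN on the switch only needs an SVI and an EIGRP network statement; the NAT access list already covers it, and the modem configuration never changes. The modem still performs its own NAT in front of the router (double NAT), which is fine for outbound client traffic but is worth knowing about before exposing anything inbound.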


Thursday, March 6, 2014

cisco 3750 VLAN

I would like to make one VLAN, VLAN100, in a 3750 totally separate from a few other VLANs, VLAN1,2,3,4,5, in a Cisco WS-C3750V2-24PS-S, with routing. On this 3750 I am going to use EIGRP. Please help.

VLAN100 cannot be routed (I just need it for public internet sharing)
VLAN1, VLAN2, VLAN3, VLAN4, VLAN5 can be routed each other (for internal subnet routing)

If you are just going to use VLAN100 for L2-transport and it will be routed by the ISP-router you can just create VLAN100 on your switches and not create any VLAN100-interfaces or include them in your routing process.

Just like Simen said, DON'T create interface vlan 100 and it should be ok. Create only vlan 100.

For vlans 1,2,3,4,5 create vlans in a common manner and also create the appropriate interfaces. Enable ip routing on your switch and you are done.

For other routing purposes (connection to other routers, ISP) you can use the EIGRP you mentioned.

Yes, you are correct.

conf t # vlan 10  >>> This will create vlan 10 in the vlan database.

conf t # int vlan 10 >>> This will create interface vlan 10.

NOTE: For the interface vlan to be up and running, you need to have vlan 10 present in the vlan database and there should be one link which is up and forwarding vlan 10 (either assign an access port to vlan 10 or, if you have any trunk port, that brings the vlan up if the trunk port is configured to allow all vlans).

* Only if you want routing to be enabled between the networks, assign an IP address to every VLAN. Any VLAN which you don't want routed, don't assign an IP address to it.
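An added example (not from any of the replies) that shows the configuration the thread converges on, written out for a Catalyst 3750: VLAN 100 exists only in the VLAN database and has no SVI, so the switch never routes it, while VLANs 1 to 5 get SVIs and are advertised in EIGRP. The 10.0.n.0/24 addressing, the port roles and EIGRP AS 100 are assumptions.

```cisco
! Added example (not from the thread): VLAN 100 as a Layer 2-only transit VLAN
! beside routed VLANs 1-5 on a Catalyst 3750. Assumed: VLAN n uses 10.0.n.0/24,
! Gi1/0/1 faces the ISP router, Gi1/0/24 is a host in VLAN 100, Gi1/0/2 is an
! uplink trunk, EIGRP AS 100.
ip routing
!
vlan 2
 name Servers
vlan 3
 name Users
vlan 4
 name Voice
vlan 5
 name Mgmt
vlan 100
 name ISP-Transit
!
! SVIs only for the VLANs that should be routed. There is deliberately no
! "interface Vlan100": with no SVI the switch has no IP presence in VLAN 100
! and cannot route into or out of it.
interface Vlan1
 ip address 10.0.1.1 255.255.255.0
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
interface Vlan3
 ip address 10.0.3.1 255.255.255.0
interface Vlan4
 ip address 10.0.4.1 255.255.255.0
interface Vlan5
 ip address 10.0.5.1 255.255.255.0
!
! VLAN 100 ports: pure Layer 2 transport between the ISP router and the hosts
! that share it; their default gateway is the ISP router, not this switch.
interface GigabitEthernet1/0/1
 description ISP router
 switchport access vlan 100
 switchport mode access
interface GigabitEthernet1/0/24
 description Shared-internet host
 switchport access vlan 100
 switchport mode access
!
! Trunk to other switches carries every VLAN, including 100, at Layer 2.
interface GigabitEthernet1/0/2
 description Uplink trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! Only the SVI subnets are routed; VLAN 100 has no network statement to match.
router eigrp 100
 network 10.0.0.0 0.0.255.255
 no auto-summary
!
! Verification: VLAN 100 appears in "show vlan brief" but not in
! "show ip interface brief" or "show ip route".
```

The separation holds only as long as nobody later adds an `interface Vlan100` with an address; a quick audit is to compare `show vlan brief` against `show ip interface brief` and confirm the transit VLAN is absent from the second.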

Thursday, February 27, 2014

c3750 not manageable

I started experiencing a weird problem with one of my WS-C3750X-12S-S today. It seems that connectivity to the management IP has become sporadic...
I can ping it and get maybe 2-3 responses, then a couple of minutes of no responses. However, the switch is still passing traffic normally; users connected to it are not experiencing any symptoms.

Switch is running IOS 12.2(44)SE2 and is connected via 802.1q trunk to 2801 with only 2 VLANs. There's really not a lot of traffic going through this switch. I can't connect to the switch from the directly connected router or elsewhere on my network.

I sat with my finger on the "Get Tree" button in my SNMP MIB Browser, to try gathering some data when it became available to begin narrowing down where the issue could be. Here's what I've found / checked so far:

CPU (via CISCO-PROCESS-MIB):
around 5-10% for all 3 values (1 sec, 5 sec etc.)

Memory:
There is plenty of memory free, nothing out of the ordinary.

Syslog:
Log messages are not getting to the Syslog server, but the few I've pulled via SNMP look normal. Just interface state changes mostly, which is normal at this location.

Interfaces (via MIB-2 interfaces table):
no input or output errors on the uplink port or any other ports for that matter, looks very clean.

ARP:
Verified ARP on the 2801 is staying the same for the IP of the switch.

Other Observations:
I was able to connect for a few seconds and noticed NTP wasn't syncing.
When the switch is replying to pings, response times are high (300 - 1900[?!] ms). I verified those high ping response times were not due to latency on the location's WAN connection (T1 is at low utilization).
Issue started today at some point. No changes were made to the switch or environment at that location.

I'm not able to reboot the device at the moment, I hope to do that this weekend, but I was curious if anyone has seen anything similar and had a fix other than rebooting. I'm not even sure if rebooting will help. It's odd that I can't manage the switch, but it is still passing voice and data traffic like it was yesterday.

We saw something kind of similar in a 6 switch stack. But our problem appeared to be the stack master had a slow memory leak and occasionally we would not be able to manage the stack for a while, then it would come back. Switch and port utilizations once we got in were low across all 6 switches. I'm speculating in our case because this box is used as a jump box into the rest of the net and maybe it was not releasing memory resources once we got out. We were also getting low free memory warnings from an SNMP monitoring tool. We reloaded the entire 6 switch stack and so far we have not seen a recurrence; think we are at 12.2.35SE something.

Monday, February 17, 2014

Catalyst 2900 XL CMS does not load

I recently acquired a Cisco 2951 that was taken out of service and I am trying to use it at home. I have it set up as a stand-alone switch, and I can access the switch from another PC by my web browser and the IP of the switch. I found out that the switch has IOS release 12.0(5)WC3. What I am trying to do is access the switch by the CMS from the switch main page; it starts to load, then the Java application fails and all I get is a blank screen. I would like to update the software to 12.0(5)WC16 but I don't know how to upgrade it using Telnet. Is it possible to use Win XP, IE7 & the latest version of Java to access the CMS page? I read in some documentation that IE5 or 5.5 and Java Plug-in 1.3.1 is supported...

Update:

I have been doing some messing around and I got it to work. I updated the switch software from 12.0(5)WC3b to 12.0(5)WC16 using a TFTP server that was free from SolarWinds. After I got that updated I tried Win2000, IE 5.0, Java plug-in 1.3.0 & 1.3.1. I did not get this configuration to work. I then tried WinXP with IE7 & the Java plug-in 1.4.0 and it worked great! So I answered my own questions...


This is the first post of this type in the whole of NetPro!!! Question & answer on the same post :) Please mark the post as solved, which can help others.