mikey250 asked:
private vlan layer 3 issue

hi i have the following equipment:

1 x 3550 layer 3 switch (ios c3550-i5q312-mz.121-22.ea2.bin)
1 x router

note: before i go ahead and configure this, i am aware this is not an ideal setup, as normally i would use a layer 2 2950 instead!!

question 1. i am not sure if i have the correct (ios), but according to my reading the servers can be on a separate vlan to my isolated users and still receive the ip addresses. is this correct? if so, i cannot complete my config below and would appreciate some help, as i know i've got my reading back to front?
 
server 1 - vlan 10
ip address 192.168.1.2 255.255.255.0

server 2 - vlan 20
ip address 192.168.2.2 255.255.255.0

client a - vlan 30
auto ip address from vlan 10
client b - vlan 40
auto ip address from vlan 20

config t

vlan 10
private-vlan community

vlan 20
private-vlan community

vlan 30
private-vlan isolated

vlan 40
private-vlan isolated

vlan 50
private-vlan primary
private-vlan association 10,20,30,40


note: the above commands were successful


ip routing

interface fa0/1
no switchport
ip address 172.16.1.1 255.255.255.0
duplex full
speed 100
no shut


router eigrp 1
network 172.16.1.0
network 192.168.1.0
network 192.168.2.0

int vlan 50
ip address 172.16.1.1 255.255.255.0
private-vlan  - command not accepted  ???

question 2. once i have correctly configured my switch for (private vlans), i presume i would add the following as usual?

int fa0/1
switchport trunk allowed vlan 10,20,30,40,50
switchport mode trunk
ASKER CERTIFIED SOLUTION (Soulja): only available to members.
mikey250 (asker):
morning soulja,

i understand some of what you say, but need to know why my command won't accept, so i can practically attempt the task, as i'm not sure what step-by-step command syntax i should use.
SOLUTION: only available to members.
when i completed the ccnp course they discussed (private-vlan), so i am trying to implement it, assuming it is relevant.

normally i have 1 x cisco 2950 with the server & users on the same switch and same vlan.

i have set up the following in the past, but i have never added multiple servers:

- router on stick
- intervlan svi

note: i only have 4 x 2950 & 1 x 3550 & 2650, 3600 & 2500 routers at this moment in time. legacy i know, but using these for testing.

c2950-i6q412-mz.121-22.ea6.bin
c3550-i5q312-mz.121-22.ea2.bin

i've located the below link via (your original pvlan url) and it appears that my equipment above will not allow pvlan, but why accept some commands, as per my main thread, according to the below url:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml

note: if you look at my (main question) i attempted to configure for a private-vlan, but then got stuck at this part below:

int vlan 50
ip address 172.16.1.1 255.255.255.0
private-vlan  - command not accepted  ???

so i'm wondering in what scenario this (private-vlan) is actually used, but you have advised it is specifically for (dmz). oh ok, i did not know this!!

note: i have never configured server1-dns/dhcp on vlan 2, server2-file on vlan 3, server3-exchange on vlan 4, server5-backup on vlan 5, assuming this is the norm for example, since you mention (dmz) below, so i wish to set something up so i can properly understand what is going on and why!!

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a008017acad.shtml

"are you trying to keep user workstations from being able to communicate, even when they are on the same vlan?"

- yes
 
"a normal thing to do is put your users on one or more vlans, and then your servers on one or more different vlans. route between your vlans and apply acls if desired on the layer 3 vlan interfaces."

- yes, i wish to do this as well but not sure what to do.

i am not even sure if private-vlans are supposed to be used only for (workgroup networks), and if a domain is configured then i am thinking (intervlan svis) is the correct decision, but i cannot get a proper answer for this...
SOLUTION: only available to members.
if i configure my 3550 layer 3 switch for the inter-vlan method, then i would always do the following, for example, when using multiple vlans:

int vlan 50
ip address 172.16.1.1 255.255.255.0
private-vlan  - command not accepted  ???

int vlan 51
etc etc

int vlan 52
etc etc

new comments below:

i have now removed (multiple communities) from my main question, using 1 x community as below to simplify, so i can understand where i lose my understanding:

i will go away and think about it as i do have the following config which does not show any inter-vlan:

config t

vlan 100
private-vlan primary
private-vlan association 120,130

vlan 120
private-vlan isolated

vlan 130
private-vlan community


int fa0/1
description connected to router towards isp
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 120,130

int fa0/2
description connected to a standalone-host-pc1 (connects direct to promiscuous)
switchport mode private-vlan host
switchport private-vlan host-association 100 120

int fa0/3
description connected to server1
switchport mode private-vlan host
switchport private-vlan host-association 100 130

int fa0/8
description connected to pc1 (receives ip address from server1)
switchport mode private-vlan host
switchport private-vlan host-association 100 130
Okay so the above looks right. Now when you want the layer 3, you just add an

interface vlan 100
ip address x.x.x.x y.y.y.y
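To check that the port roles above actually give the isolation the asker wants (pc1 on the isolated port can only reach the promiscuous uplink, while server1 and pc1 in community 130 can reach each other and the uplink), here is an added Python model of the private-VLAN forwarding rules. It is not from the thread or from Cisco; it parses a constructed copy of the port config (with the IOS syntax normalised) and answers whether the switch would forward frames between two ports.

```python
# Constructed sample: the thread's port config with IOS syntax normalised
# (hypothetical input, not output captured from the poster's switch).
CONFIG = """
vlan 120
 private-vlan isolated
vlan 130
 private-vlan community
interface fa0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 120,130
interface fa0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 120
interface fa0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 130
interface fa0/8
 switchport mode private-vlan host
 switchport private-vlan host-association 100 130
"""

def parse(config):
    # Returns ({secondary vlan: type}, {port: {mode, primary, secondaries}})
    vlan_types, ports, cur = {}, {}, None
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "vlan":
            cur = ("vlan", int(w[1]))
        elif w[0] == "interface":
            cur = ("port", w[1])
            ports[w[1]] = {"mode": None, "primary": None, "secondaries": set()}
        elif cur[0] == "vlan":
            vlan_types[cur[1]] = w[1]                    # isolated / community
        elif w[:3] == ["switchport", "mode", "private-vlan"]:
            ports[cur[1]]["mode"] = w[3]                 # host / promiscuous
        elif w[:2] == ["switchport", "private-vlan"]:    # mapping / host-association
            ports[cur[1]]["primary"] = int(w[3])
            ports[cur[1]]["secondaries"] = {int(v) for v in w[4].split(",")}
    return vlan_types, ports

def can_talk(a, b, vlan_types, ports):
    # True if the switch forwards frames between ports a and b under PVLAN rules
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False
    if "promiscuous" in (pa["mode"], pb["mode"]):   # host <-> promiscuous: needs a mapped secondary
        return bool(pa["secondaries"] & pb["secondaries"])
    shared = pa["secondaries"] & pb["secondaries"]   # host <-> host: only within one community
    return any(vlan_types.get(v) == "community" for v in shared)
```

Two hosts in the same isolated secondary share a VLAN id but still get no shared community, so `can_talk` returns False for them, which is the behaviour that keeps standalone pcs from seeing each other.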
ok, so when i add the below, given that it is configured specifically for (private-vlans) and not the usual (inter-vlan routing), you are saying that the below knows to (just) connect to the (int fa0/1 promiscuous port) and allow internet access...!

int vlan 100 - for example
ip address 172.16.1.x 255.255.255.252

when i think of router on a stick or normal intervlan routing it is similar, but confusing since i'm used to the others and not the (private-vlans) methodology!!
SOLUTION: only available to members.
ok, although it just seems foreign to me as i have never used this method before!
SOLUTION: only available to members.
the example i have actually uses the following for (community 130) but i only used server1:

server1
server2
server3

i assumed each server may have a different subnet to server1, so how would i do this?
SOLUTION: only available to members.
it was stupid of me to think of it that way, but i did not think of a (dmz) for example, as per (id 39607756); previously i just assumed multiple ip subnets, although (no, it did not make sense to me)!!

so the following could be, for example, but on the (same subnet):

serverb - exchange
serverc - file printserver
Yes, they can be on the same subnet. You can then decide whether you want them in a community secondary and able to talk to one another, or in an isolated secondary and not able to talk to each other.
what command is used to make a 2nd or 3rd server a secondary or third community?
SOLUTION: only available to members.
ok! i suppose my only question is, are private-vlans popular or are they just for financial or government institutions?
I really can't say. I know we use them in our current backup environment in all of our data centers.
i've done some work in a data center some years back, but never had the knowledge or job description to get involved with that part, so i always thought it was just:

core - root bridge/routing protocol
core/dist1 - integrated together - root bridge/routing protocols/hsrp - active
core/dist2 - same as dist1 but hsrp - standby
access1 - vtp client
access2 - vtp client

for example, so from what you are saying (data centres) most probably use private-vlans


wondered if it was just: vtp server/root bridge/hsrp active & second distribution & client etc
You're putting words in my mouth now. I didn't say they were primarily used in data centers. I just stated that we use them in our data centers for our backup environment.

Regarding that other question. I think we already discussed this in your other thread.
sorry :) i read what you said as i was just looking for a "must do this in this scenario", but this is also done in my datacenter.

much appreciated!!
much appreciated. sound advice!