Private VLAN Configuration 3750-X


  • Private VLAN Configuration 3750-X

    Hi,
    Need help; I have a requirement wherein our 2 departments' (Sales & Mkting) switches, SW2 & SW3 respectively, are connected to SW1. (All are Cisco 3750X switches.)

    SW1 interface G1/45 is a trunk interface carrying 2 VLANs (VLAN705 carries DHCP & multicast traffic; VLAN700 will be used for management of SW1 ONLY).

    These STBs and PCs behind each SW2 or SW3 would be accessing multicast channels and will be getting IP addresses from the DHCP server.

    Challenge:-

    1) The DHCP broadcast request from each STB or PC from individual VLAN101 & VLAN102 should be terminated/forwarded inside VLAN705 only on SW1 so that these STBs can get a DHCP IP and multicast streams.
    2) For isolation between both depts., I want to use Private VLANs to achieve this. Please let me know the port and switch configurations for SW1 & SW2, i.e. what would be the configuration on ports G1/2, G1/3 on SW1 & ports G1/0/3 & G1/0/8 on SW2, and other related global configuration for enabling private VLAN communication?
    Current Configuration on SW1:-
    interface Vlan705
     ip address 20.20.0.8 255.255.0.0
    !
    interface Vlan700
     ip address 192.168.10.2 255.255.255.240
    !
    interface GigabitEthernet1/45
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 700,705
     switchport mode trunk
    !
    ip routing
    !
    ip multicast-routing distributed

    Any quick help in configuration is highly appreciated; no clear clue on private VLAN configurations, read through but no luck.

  • #2
    Re: Private VLAN Configuration 3750-X

    Private VLANs are a big topic; I suggest you look at the Cisco documentation. Also remember, in order to support private VLANs your switches need to be in Transparent Mode.

    So with private VLANs you create your primary VLAN and then your secondary community or isolated VLANs. Remember that Community VLANs can only talk to other Community VLANs and Promiscuous ports. Isolated VLANs can't talk to anyone but Promiscuous ports.

    There is plenty of documentation for Private VLANs on cisco.com. Just need to look and read. Another easier option would be to use VACLs (VLAN Access-lists) on your SVIs on Switch 1 to filter the inter-VLAN traffic. You could also use Port ACLs at the switchport level on SW2 and SW3 to accomplish the same thing. Or just use regular ACLs on the SVIs on Switch 1. There are many ways to filter that traffic. Private VLANs are great but you really need to think about the design etc.

    [QUOTE]The DHCP broadcast request from each STB or PC from individual VLAN101 & VLAN102 should be terminated /Forwarded inside VLAN705 Only on SW1 so that these STB’S can get DHCP IP and Multicast Streams.[/QUOTE]

    For DHCP for the clients, just use the ip helper-address command on your SVIs on Switch 1:

    interface Vlan705
     ip address 20.20.0.8 255.255.0.0
     ip helper-address 10.10.9.10
    !
    interface Vlan700
     ip address 192.168.10.2 255.255.255.240
     ip helper-address 10.10.9.10
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)
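
A minimal sketch of the primary/community layout described in reply #2, added here as an example; it is not configuration from either poster or from Cisco. It assumes VLAN 705 is the primary VLAN, VLANs 101 (Sales) and 102 (Marketing) are community VLANs, SW1 G1/2 is the trunk to SW2, G1/0/3 and G1/0/8 on SW2 are Sales host ports, and `<SW2-uplink>` is a placeholder for SW2's uplink port, which the thread does not name.

```cisco
! Added example, not from the thread. Assumed roles: 705 = primary,
! 101 = Sales community, 102 = Marketing community.
!
! ---- All switches in the path: identical PVLAN definitions ----
vtp mode transparent
!
vlan 101
 private-vlan community
vlan 102
 private-vlan community
vlan 705
 private-vlan primary
 private-vlan association 101,102
!
! ---- SW1: trunk toward SW2 (assumed G1/2, named as in the thread) ----
interface GigabitEthernet1/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,705
 switchport mode trunk
!
! ---- SW1: map the secondary VLANs onto the primary VLAN's SVI ----
! (adds to the existing ip address / ip helper-address lines)
interface Vlan705
 private-vlan mapping 101,102
!
! ---- SW2: Sales host ports (assumed G1/0/3 and G1/0/8) ----
interface GigabitEthernet1/0/3
 switchport private-vlan host-association 705 101
 switchport mode private-vlan host
!
interface GigabitEthernet1/0/8
 switchport private-vlan host-association 705 101
 switchport mode private-vlan host
!
! ---- SW2: uplink to SW1; <SW2-uplink> is a placeholder ----
interface <SW2-uplink>
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,705
 switchport mode trunk
```

`show vlan private-vlan` and `show interfaces <port> switchport` on each switch confirm the primary/secondary association and the mode of each host port.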



    • #3
      Re: Private VLAN Configuration 3750-X

      I read a few docs on private VLANs but am not able to get the DHCP request going on VLAN705, which will take it to the DHCP server...
      So I was looking to have more clarity on the configurations... One more question:
      1) Can we configure the ip helper-address on any SVI or Ethernet interface having any IP address configured? Or can we configure ip helper-address without any Layer 3 interface, without an IP address configured?
      2) Does the Layer 3 interface need to have an IP address configured from the same subnet which DHCP is going to assign to the clients? I mean, will DHCP assign IPs to clients whose BOOTP request is forwarded from an interface whose IP isn't known to the DHCP pool?



      • #4
        Re: Private VLAN Configuration 3750-X

        Like I said, private VLANs can be tricky. You are better off using VACLs or ACLs on the SVIs to filter your traffic. Yes, in order to use the ip helper-address there needs to be a Layer 3 address on the interface. The IP address on the SVI would correlate to what IP address DHCP gives out, so if you put it on int vlan 705 that would be for clients on that subnet.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)
