Cisco – Is it possible for a private VLAN to have two simultaneous SVI mappings

ciscoswitchingvlan

In our environment, we run our computers inline with Cisco IP phones to our switch. The problem is that our phones are on a separate VLAN from our normal access traffic. I would like to know if it is possible to map the private VLAN to both our access and voice SVIs. On top of that, is it possible to have our access and voice "layer 2" VLAN statements associated with the same private VLAN? Even if these two queries are possible, is can I assign the physical ports to have multiple private VLAN associations? (This seems like a mouthful. I apologize)

Here is an example of what I have setup already:

vlan 101
 name WKS-VLAN
 private-vlan primary
 private-vlan association 1000,2000
!
vlan 254
 name VOIP-VLAN
!
 vlan 1000
  private-vlan isolated
!
vlan 2000
 private-vlan community

SVIs:

interface Vlan101
 description WKS-VLAN
 ip address x.x.x.x 255.255.252.0
 private-vlan mapping 1000,2000
!
interface Vlan254
 description VoIP-VLAN
 ip address x.x.x.x 255.255.255.0
!

Example Port:

interface GigabitEthernet2/46
 switchport private-vlan host-association 101 1000
 switchport mode private-vlan host

Thanks in advance for any help!

Best Answer

Q: It is possible to map the private VLAN to both our access and voice SVIs? A: No. You are creating "In theory" a bridge between two main VLANs.

Q: Is it possible to have our access and voice "layer 2" VLAN statements associated with the same private VLAN? A: This is like haveing the same VLAN name on two different networks. The private VLAN scope is within its main VLAN. Technically it would not make the private VLAN part of two main VLANs but it might be against the allowed configuration to have the same name for two private VLANs on the same switch. I am not sure but logically it would be confusing.

Q: Can I assign the physical ports to have multiple private VLAN associations? A: I cant think of a reason for doing so except for the 'P' port which you will need to do on at least one port/SVI.

Check this link for a great explaination on private VLANs.

Related Solutions

Cisco – When not to create a SVI for a L2 VLAN

You might not want to make a L2 SVI if you use VTP pruning. If pruning is on, an unused VLAN will be pruned from the trunk, resulting in less unnecessary broadcast/flooding traffic. However, creating an SVI, creates an "active" interface on your switch. A quick check in GNS3 gives the following:

R1#show vlan-switch

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/1, Fa1/2, Fa1/3, Fa1/4
                                                Fa1/5, Fa1/6, Fa1/7, Fa1/8
                                                Fa1/9, Fa1/10, Fa1/11, Fa1/12
                                                Fa1/13, Fa1/14, Fa1/15
3    VLAN0003                         active
4    VLAN0004                         active
[output omitted]

R1#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa1/0     on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa1/0     1-4094

Port      Vlans allowed and active in management domain
Fa1/0     1,3-4

Port      Vlans in spanning tree forwarding state and not pruned
Fa1/0     1

Now, if I go to R2, connected to Fa1/0 and type R2(config)#int vlan 3, we will see the following:

R2#show run interface vlan 3
Building configuration...

Current configuration : 38 bytes
!
interface Vlan3
 no ip address
end
R2#show run | include vlan 3
R2#

As you can see, no interfaces in VLAN 3, except the SVI. And back on R1:

R1#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa1/0     on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa1/0     1-4094

Port      Vlans allowed and active in management domain
Fa1/0     1,3-4

Port      Vlans in spanning tree forwarding state and not pruned
Fa1/0     1,3

As you can see, VLAN 3 just came up on the trunk, adding to the traffic levels on your trunks.

Cisco WLC: Per user authentication, many Vlans, few SSIDs

If you don't need to confuse your users with multiple VLANs, don't do it. Leverage the tools you have. You mentioned you have ISE and you should be able to do all this with one SSID. As AdnanG already mentioned, you can utilize the profiling features of ISE to classify the devices.

Your ACS should be able to tie into the MS AD authentication and be able to provide user authentication and group information.

From there, you just need to combine the user/groups with the device profiles and then tie it to a VLAN. So, for instance, if the device is identified as a cell phone and the user is part of "group A", then the get put in the "group A - internet" VLAN.

I haven't done it personally with ISE, so can't give exact steps, but this is how Cisco marketing is selling ISE in the BYOD space. I also know of several people who have done similar setups to what is suggested. I would start by looking through this Cisco BYOD document that would give you a general overview of how BYOD is done with with Cisco ISE.

Best Answer

Related Solutions

Cisco – When *not* to create a SVI for a L2 VLAN

Cisco WLC: Per user authentication, many Vlans, few SSIDs

Related Topic

Cisco – When not to create a SVI for a L2 VLAN