Switch – Private VLAN in transparent mode

private-vlanswitchvlanvtp

Why do we have to set up the switch in transparent mode when dealing with private VLANs?

Best Answer

Cisco says:

You must configure VTP to transparent mode before you can create a private VLAN. Private VLANs are configured in the context of a single switch and cannot have members on other switches. Private VLANs also carry TLVs that are not known to all types of Cisco switches.

Reference: Private VLANs

Actually if you have a look at the structure of a Subset Advertisements packet in VTP v2 (used to annouce the VLANs) you won't find any option to announce a "private" VLAN. So it seems more an unsupported feature rather than a design choice.

Reference: Understanding VLAN Trunk Protocol (VTP)

At the end it seems that this feature is avaible with VTP v3

Key Benefits of VTP Version 3

...

In addition to supporting the concept of normal VLANs, VTP version 3 can transfer information regarding Private VLAN (PVLAN) structures.

Reference: VTP Version 3

Another quote:

Because VTP versions 1 and 2 do not support private VLANs, you must manually configure private VLANs on all switches in the Layer 2 network. If you do not configure the primary and secondary VLAN association in some switches in the network, the Layer 2 databases in these switches are not merged. This situation can result in unnecessary flooding of private VLAN traffic on those switches. VTP version 3 does support private VLANs, so you do not need to manually configure private VLANs on all switches in the Layer 2 network.

Reference: Private VLANs Across Multiple Switches

Related Solutions

Cisco ASA Transparent Mode Configuration – Layer2 DMZ with VLAN Translation

I don't have SUP7 to test, but it works on SUP6 and SUP32, I would presume SUP7 retains this functionality.

I've tested between JNPR M320 <-> SUP32, and 'vlan mapping JNPR SUP32' works just fine.

There is no need for QinQ, what the QinQ option does is it adds top tag to one particularly tag. So switchport vlan mapping 1042 dot1q-tunnel 42 would map incoming [1042] stack to [42 1042] stack. As opposed to switchport vlan mapping 1042 42 which maps incoming dot1q Vlan [1042] to dot1q Vlan [42].

JNPR M320 config:

{master}[edit interfaces ge-0/1/0 unit 1042]
user@m320# show 
vlan-id 1042;
family inet {
    address 10.42.42.1/24;
}
{master}[edit interfaces ge-0/1/0 unit 1042]
user@m320# run show interfaces ge-0/1/0               
Physical interface: ge-0/1/0, Enabled, Physical link is Up
  Interface index: 135, SNMP ifIndex: 506
  Description: B: SUP32 ge5/1
  Link-level type: Flexible-Ethernet, MTU: 9192, Speed: 1000mbps, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled,
  Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x4000
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 00:12:1e:d5:90:7f, Hardware address: 00:12:1e:d5:90:7f
  Last flapped   : 2013-02-19 09:14:29 UTC (19w6d 21:12 ago)
  Input rate     : 4560 bps (5 pps)
  Output rate    : 6968 bps (4 pps)
  Active alarms  : None
  Active defects : None
  Interface transmit statistics: Disabled

SUP32 config:

SUP32#show run int giga5/1
Building configuration...

Current configuration : 365 bytes
!
interface GigabitEthernet5/1
 description F: M320 ge-0/1/0
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport vlan mapping enable
 switchport vlan mapping 1042 42
 mtu 9216
 bandwidth 1000000
 speed nonegotiate
 no cdp enable
 spanning-tree portfast edge trunk
 spanning-tree bpdufilter enable
end

SUP32#show ru int vlan42
Building configuration...

Current configuration : 61 bytes
!
interface Vlan42
 ip address 10.42.42.2 255.255.255.0
end

SUP32#sh int GigabitEthernet5/1 vlan mapping  
State: enabled
Original VLAN Translated VLAN
------------- ---------------
  1042           42  

SUP32#sh int vlan42                           
Vlan42 is up, line protocol is up 
  Hardware is EtherSVI, address is 0005.ddee.6000 (bia 0005.ddee.6000)
  Internet address is 10.42.42.2/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:09, output 00:01:27, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L2 Switched: ucast: 17 pkt, 1920 bytes - mcast: 0 pkt, 0 bytes
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
     38 packets input, 3432 bytes, 0 no buffer
     Received 21 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles 
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     26 packets output, 2420 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

And

SUP32#ping 10.42.42.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.42.42.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SUP32#sh arp | i 10.42.42.1
Internet  10.42.42.1             12   0012.1ed5.907f  ARPA   Vlan42
SUP32#show mac address-table dynamic address 0012.1ed5.907f
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age              ports
------+----------------+--------+-----+----------+--------------------------
Active Supervisor:
*  450  0012.1ed5.907f   dynamic  Yes          0   Gi5/1
*   50  0012.1ed5.907f   dynamic  Yes          0   Gi5/1
*   40  0012.1ed5.907f   dynamic  Yes          0   Gi5/1
*   42  0012.1ed5.907f   dynamic  Yes          5   Gi5/1


user@m320# run ping 10.42.42.2 count 2 
PING 10.42.42.2 (10.42.42.2): 56 data bytes
64 bytes from 10.42.42.2: icmp_seq=0 ttl=255 time=0.495 ms
64 bytes from 10.42.42.2: icmp_seq=1 ttl=255 time=0.651 ms

--- 10.42.42.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.495/0.573/0.651/0.078 ms

{master}[edit interfaces ge-0/1/0 unit 1042]
user@m320# run show arp no-resolve |match 10.42.42.2 
00:05:dd:ee:60:00 10.42.42.2      ge-0/1/0.1042        none

Cisco – Passing Traffic through Traffic Management Device in transparent mode

If all traffic needs to go from gi0/4 to gi0/3 and from gi0/2 to gi0/1 you could use layer 2 local switching. Configuration would be about:

connect Router1-TM GigabitEthernet0/4 GigabitEthernet0/3 
connect Router2-TM GigabitEthernet0/1 GigabitEthernet0/2

If your linecards do not support layer 2 local connect, then consider bridge-groups:

bridge irb
interface range GigabitEthernet0/4 , GigabitEthernet0/3
 bridge-group 1
interface range GigabitEthernet0/1 - 2
 bridge-group 2
!
bridge 1 protocol ieee
bridge 1 priority 128
bridge 2 protocol ieee
bridge 2 priority 128

However I'm dubious if bridge is actually in PFC, not at least up-to PFC3, I'm not sure about PFC4 (SUP2T).

Finally you have option to use QinQ:

interface range GigabitEthernet0/4 , GigabitEthernet0/3
 switchport
 switchport access vlan 42
 switchport mode dot1q-tunnel
 switchport nonegotiate
!
interface range GigabitEthernet0/1 - 2
 switchport
 switchport access vlan 43
 switchport mode dot1q-tunnel
 switchport nonegotiate
!

In this option VLAN 123 that comes from Router1, gets VLAN 42 on top of it [ 42 123 ], MAC addresses from ALL Router1 VLANs are populated in VLAN 42 mac-address-table. So then MAC lookup is done against VLAN 42 where we only have traffic-manager, once we send the frame out to traffic-manager, we pop VLAN 42 out.
Now after traffic manager send it OUT, again in VLAN 123, it gets VLAN 43 on top of it [ 43 123 ], and as previously MAC lookup is done for table 43, where we only have Router2, frame is sent out towards Router2 and VLAN 43 is popped out.

By default STP is not tunneled like rest of the traffic, but STP BPDU is directly visible to the switch, and switch will react to it normally, this is often undesirable. If STP BPDU needs to be tunneled as well you need feature called 'Layer 2 Protocol Tunnel' or L2PT.
L2PT is fancy word for DMAC address rewrite, when incoming frame has DMAC identifying the frame as special BPDU, such as STP, you rewrite the DMAC to some non-special address, for STP BPDU DMAC is written ingress to 01-00-0c-cd-cd-d0 then in egress the 01-00-0c-cd-cd-d0 DMAC id again rewritten back to STP DMAC.
Configuration is as follows:

 l2protocol-tunnel cdp
 l2protocol-tunnel lldp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp

You can use 'show l2protocol-tunnel interface giga0/1' to see counters for both directions of the MAC rewrite 'encap' means real DMAC was written to 01-00-0c-cd-cd-d0 and 'decap' means 01-00-0c-cd-cd-d0 was written back to real DMAC.

switch#show l2protocol-tunnel  interface giga1/0/6
COS for Encapsulated Packets: 5

Port       Protocol Shutdown  Drop      Encapsulation Decapsulation Drop
                    Threshold Threshold Counter       Counter       Counter
---------- -------- --------- --------- ------------- ------------- -------------
Gi1/0/6    cdp           ----      ----       2674827        263832            0

Best Answer

Related Solutions

Cisco ASA Transparent Mode Configuration – Layer2 DMZ with VLAN Translation

Cisco – Passing Traffic through Traffic Management Device in transparent mode

Related Topic