VLT enables redundancy without the implementation of Spanning Tree Protocol (STP), and provides a loop-free network with optimal bandwidth utilization. Because the VLT LAG interfaces are terminated on two different nodes, the PVLAN configuration of VLT VLANs and VLT LAGs is symmetrical and identical on both VLT peers. PVLANs provide Layer 2 isolation between ports within the same VLAN: a PVLAN partitions a traditional VLAN into sub-domains identified by a primary and secondary VLAN pair. Because VLT is a Layer 2 redundancy mechanism, support for configuring VLT nodes in a PVLAN extends these Layer 2 isolation functions to VLT. To achieve maximum VLT resiliency, configure the PVLAN IDs and mappings to be identical on both VLT peer nodes. The association of the PVLAN with the VLT LAG must also be identical. After the VLT LAG is configured as a member of either the primary PVLAN or a secondary PVLAN (which is associated with the primary), the ICL automatically becomes a member of that PVLAN on both switches. This association allows PVLAN traffic received on one VLT peer for a VLT LAG to be transmitted on that VLT LAG from the other peer.
You can associate either a VLT VLAN or a VLT LAG with a PVLAN. First configure the VLT interconnect (VLTi) or a VLT LAG by using the peer-link port-channel id-number command, or configure the VLT VLAN by using the peer-link port-channel id-number peer-down-vlan vlan interface number command and the switchport command. After you specify the VLTi link and the VLT LAGs, you can associate the same port channel or LAG bundle that is part of a VLT with a PVLAN by using the interface interface and switchport mode private-vlan commands.
When a VLTi port in trunk mode is a member of symmetric VLT PVLANs, PVLAN packets are forwarded only if the PVLAN settings of both VLT nodes are identical. You can configure the VLTi in trunk mode to be a member of non-VLT PVLANs if the VLTi is configured on both peers. MAC address synchronization is performed for VLT PVLANs across peers in a VLT domain.
Keep the following points in mind when you configure VLT nodes in a PVLAN:
- Configure the VLTi link to be in trunk mode. Do not configure the VLTi link to be in access or promiscuous mode.
- You can configure a VLT LAG or port channel to be in trunk, access, or promiscuous port mode when you include the VLT LAG in a PVLAN. The VLT LAG settings must be the same on both peers. If you configure a VLT LAG as a trunk port, you can associate that LAG as a member of a normal VLAN or a PVLAN. If you configure a VLT LAG as a promiscuous port, you can configure that LAG as a member of a PVLAN only. If you configure a VLT LAG in access port mode, you can add that LAG as a member of a secondary VLAN only.
- ARP entries are synchronized even when a mismatch occurs in the PVLAN mode of a VLT LAG.
Any VLAN that contains at least one VLT port as a member is treated as a VLT VLAN. You can configure a VLT VLAN to be a primary, secondary, or normal VLAN. However, the VLT VLAN configuration must be symmetrical across peers. If the VLT LAG is tagged to either the primary or a secondary VLAN of a PVLAN, then both the primary and the secondary VLANs are considered VLT VLANs.
If you add an ICL or VLTi link as a member of a primary VLAN, the ICL becomes a part of the primary VLAN and its associated secondary VLANs, the same behavior as for normal trunk ports. VLAN parity is not validated when you associate an ICL with a PVLAN. Similarly, if you dissociate an ICL from a PVLAN, the ICL is removed from that PVLAN even though PVLAN parity exists.
Association of VLTi as a Member of a PVLAN
If a VLAN is configured as a non-VLT VLAN on both peers, the VLTi link is made a member of that VLAN if the VLTi link is configured as a member of that PVLAN or normal VLAN on both peers. If a PVLAN is configured as a VLT VLAN on one peer and as a non-VLT VLAN on the other peer, the VLTi is added as a member of that VLAN only after the PVLAN parity on both peers is verified. In other words, if a PVLAN is present as a VLT PVLAN on at least one of the peers, the symmetric configuration of the PVLAN is validated before the VLTi is made a member of that VLAN. Whenever the VLAN mode changes on one of the peers, the information is synchronized with the other peer, and the VLTi is either added to or removed from the VLAN based on the result of the VLAN parity validation.
For VLT VLANs, the association between the primary VLAN and its secondary VLANs is examined on both peers. Only if the association is identical on both peers is the VLTi configured as a member of those VLANs. This behavior preserves the isolation guarantees of a PVLAN. For example, if a VLAN is a primary VLT VLAN on one peer and not a primary VLT VLAN on the other peer, the VLTi is not made a part of that VLAN.
MAC Synchronization for VLT Nodes in a PVLAN
For MAC addresses that are learned on non-VLT ports, MAC address synchronization with the other peer is performed if the VLTi (ICL) link is part of the same VLAN as the non-VLT port. For MAC addresses that are learned on VLT ports, the VLT LAG mode of operation and the primary-to-secondary association of the VLT nodes are determined on both VLT peers. MAC synchronization is performed for the VLT LAGs only if the VLT LAG and the primary-secondary VLT peer mapping are symmetrical.
The PVLAN mode of the VLT LAGs on one peer is validated against the PVLAN mode of the VLT LAGs on the other peer. MAC addresses that are learned on a VLT LAG are synchronized between the peers only if the PVLAN mode on both peers is identical. For example, if a MAC address is learned on a VLT LAG and the VLAN is a primary VLT VLAN on one peer but not a primary VLT VLAN on the other peer, MAC synchronization does not occur.
Whenever the VLAN mode changes on one of the peers, this modification is synchronized with the other peer. Depending on the outcome of the validation that is initiated for MAC synchronization of VLT peers, MAC addresses learned on that VLAN are either synchronized with the other peer, or MAC addresses previously synchronized from the other peer on the same VLAN are deleted. The same processing occurs when the PVLAN mode of a VLT LAG is modified.
Because the VLTi link is a member only of symmetric VLT PVLANs, MAC synchronization takes place directly based on the membership of the VLTi link in a VLAN and on the VLT LAG mode.
PVLAN Operations When One VLT Peer is Down
When a VLT port moves to the Admin Down or Operationally Down state on only one of the VLT nodes, the VLT LAG is still considered to be up. All PVLAN MAC entries that correspond to the operationally down VLT LAG are maintained as synchronized entries in the device. These MAC entries are removed only when the peer VLT LAG also becomes inactive or the PVLAN configuration changes.
PVLAN Operations When a VLT Peer is Restarted
When a VLT peer node is rebooted, the VLAN membership of the VLTi link is preserved. When the peer node comes back online, a verification is performed against the newly received PVLAN configuration from the peer; if any differences are identified, the VLTi link is either added to or removed from the VLAN. When the peer node restarts and returns online, all PVLAN configurations are exchanged across the peers. Based on the information received from the peer, a bulk synchronization of the MAC addresses that belong to spanned PVLANs is performed.
During the boot phase, or when the ICL link attempts to come up, a system logging message is recorded if VLT PVLAN mismatches, PVLAN mode mismatches, PVLAN association mismatches, or PVLAN port mode mismatches occur. You can also view any such discrepancies by using the show vlt mismatch command.
Interoperation of VLT Nodes in a PVLAN with ARP Requests
When an ARP request is received and all of the following conditions apply, the IP stack performs certain operations:
- The VLAN on which the ARP request is received is a secondary VLAN (community or isolated VLAN).
- Layer 3 communication between secondary VLANs in the private VLAN is enabled by using the ip local-proxy-arp command in INTERFACE VLAN configuration mode.
- The ARP request is not received on the ICL.
Under such conditions, the IP stack performs the following operations:
ARP requests received on the ICL are not proxied, even if they are received with a secondary VLAN tag. This behavior exists because the node from which the ARP request was forwarded would already have replied with its own MAC address, so the current node discards the ARP request.
Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN
The following table shows whether the VLTi link is made a member of the VLAN and whether MAC synchronization is performed for VLT nodes in a PVLAN, for the various combinations of VLT LAG mode and PVLAN mode on the two VLT peers:
Table 1. VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN

| VLT LAG Mode (Peer1) | VLT LAG Mode (Peer2) | PVLAN Mode of VLT VLAN (Peer1) | PVLAN Mode of VLT VLAN (Peer2) | ICL VLAN Membership | MAC Synchronization |
|---|---|---|---|---|---|
| Trunk | Trunk | Primary | Primary | Yes | Yes |
| Trunk | Trunk | Primary | Normal | No | No |
| Trunk | Trunk | Normal | Normal | Yes | Yes |
| Promiscuous | Trunk | Primary | Primary | Yes | No |
| Trunk | Access | Primary | Secondary | No | No |
| Promiscuous | Promiscuous | Primary | Primary | Yes | Yes |
| Promiscuous | Access | Primary | Secondary | No | No |
| Promiscuous | Promiscuous | Primary | Primary | Yes | Yes |
| | | - Secondary (Community) | - Secondary (Isolated) | No | No |
| Access | Access | Secondary (Community) | Secondary (Isolated) | No | No |
| | | | | Yes | Yes |
| Promiscuous | Promiscuous | Primary | Primary | Yes | Yes |
| | | - Secondary (Community) | - Secondary (Community) | Yes | Yes |
| | | - Secondary (Isolated) | - Secondary (Isolated) | Yes | Yes |
| Promiscuous | Trunk | Primary | Normal | No | No |
| Promiscuous | Trunk | Primary | Primary | Yes | No |
| Access | Access | Secondary (Community) | Secondary (Community) | Yes | Yes |
| | | - Primary VLAN X | - Primary VLAN X | Yes | Yes |
| Access | Access | Secondary (Isolated) | Secondary (Isolated) | Yes | Yes |
| | | - Primary VLAN X | - Primary VLAN X | Yes | Yes |
| Access | Access | Secondary (Isolated) | Secondary (Isolated) | No | No |
| | | - Primary VLAN X | - Primary VLAN Y | No | No |
| Access | Access | Secondary (Community) | Secondary (Community) | No | No |
| | | - Primary VLAN Y | - Primary VLAN X | No | No |
| Promiscuous | Access | Primary | Secondary | No | No |
| Trunk | Access | Primary/Normal | Secondary | No | No |

Rows whose VLAN cells begin with a dash give the associated secondary VLANs (or the associated primary VLAN) of the entry directly above them, with the ICL membership and MAC synchronization result for that associated VLAN.
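The parity rules stated in the sections above (VLTi membership only for symmetric PVLAN mode and primary/secondary association, MAC synchronization only when the VLT LAG port mode also matches, and the four mismatch classes reported by show vlt mismatch) can be checked offline before a change is pushed to both peers. The following is an added example written for this page, not FTOS code or any Dell tool; the data layout, the names Peer, Vlan, vlti_member, mac_sync and parity_report, and the constructed sample configuration are all assumptions made for the example. It reproduces the outcomes of the table rows it is fed, including the row where the secondary VLAN is community on one peer and isolated on the other.

```python
"""Model of the VLT/PVLAN parity rules described on this page (added example).

Each peer is described by the PVLAN port mode of its VLT LAG and by the PVLAN
settings of each VLT VLAN.  The functions answer the two questions in the
table: is the VLTi (ICL) made a member of the VLAN, and are MAC addresses
learned on the VLT LAG synchronized to the peer.  Names and data layout are
assumptions for this example, not FTOS data structures.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# PVLAN modes of a VLAN, as named in the table on this page
PRIMARY, COMMUNITY, ISOLATED, NORMAL = "primary", "community", "isolated", "normal"
SECONDARY_MODES = {COMMUNITY, ISOLATED}
# PVLAN port modes of a VLT LAG
TRUNK, PROMISCUOUS, ACCESS = "trunk", "promiscuous", "access"


@dataclass
class Vlan:
    mode: str                                   # primary / community / isolated / normal
    primary: Optional[int] = None               # secondary VLAN: the primary it maps to
    secondaries: Set[int] = field(default_factory=set)  # primary VLAN: mapped secondaries


@dataclass
class Peer:
    lag_mode: str                               # PVLAN port mode of the VLT LAG on this peer
    vlans: Dict[int, Vlan]                      # VLAN id -> PVLAN settings of that VLT VLAN


def vlan_mismatches(vid: int, a: Peer, b: Peer) -> List[str]:
    """Mismatch classes for VLAN `vid` between the two peers (empty list = symmetric)."""
    va, vb = a.vlans.get(vid), b.vlans.get(vid)
    if va is None or vb is None:
        return ["VLT PVLAN mismatch"]           # VLAN is a VLT PVLAN on one peer only
    if va.mode != vb.mode:
        return ["PVLAN mode mismatch"]          # e.g. primary on one peer, normal on the other
    if va.mode == PRIMARY and va.secondaries != vb.secondaries:
        return ["PVLAN association mismatch"]   # different primary-to-secondary mapping
    if va.mode in SECONDARY_MODES and va.primary != vb.primary:
        return ["PVLAN association mismatch"]   # secondary mapped to a different primary
    return []


def vlti_member(vid: int, a: Peer, b: Peer) -> bool:
    """The VLTi joins a VLT VLAN only when its PVLAN mode and its
    primary/secondary association are identical on both peers."""
    return not vlan_mismatches(vid, a, b)


def mac_sync(vid: int, a: Peer, b: Peer) -> bool:
    """MAC addresses learned on the VLT LAG in `vid` are synchronized only if the
    VLTi is a member of that VLAN *and* the LAG's PVLAN port mode is identical."""
    return vlti_member(vid, a, b) and a.lag_mode == b.lag_mode


def parity_report(a: Peer, b: Peer) -> List[str]:
    """Every discrepancy the page says is logged at boot or ICL bring-up."""
    report = []
    if a.lag_mode != b.lag_mode:
        report.append(f"VLT LAG: PVLAN port mode mismatch ({a.lag_mode} vs {b.lag_mode})")
    for vid in sorted(set(a.vlans) | set(b.vlans)):
        for m in vlan_mismatches(vid, a, b):
            report.append(f"VLAN {vid}: {m}")
    return report


# Constructed sample (not from the page): the VLT LAG is promiscuous on both
# peers, VLAN 100 is the primary on both, but secondary VLAN 101 is a community
# VLAN on peer 1 and an isolated VLAN on peer 2.
PEER1 = Peer(PROMISCUOUS, {100: Vlan(PRIMARY, secondaries={101}),
                          101: Vlan(COMMUNITY, primary=100)})
PEER2 = Peer(PROMISCUOUS, {100: Vlan(PRIMARY, secondaries={101}),
                          101: Vlan(ISOLATED, primary=100)})

if __name__ == "__main__":
    for vid in (100, 101):
        print(f"VLAN {vid}: VLTi member={vlti_member(vid, PEER1, PEER2)}, "
              f"MAC sync={mac_sync(vid, PEER1, PEER2)}")
    for line in parity_report(PEER1, PEER2):
        print("mismatch:", line)
```

Run as a script, the sample reports the VLTi as a member of primary VLAN 100 with MAC synchronization enabled, while VLAN 101 is excluded from the VLTi and from MAC synchronization and is listed as a PVLAN mode mismatch, matching the corresponding table row. Association mismatches are checked by primary VLAN identity, which is why the rows with Primary VLAN X on one peer and Primary VLAN Y on the other come out as No for both columns.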