Cisco, in their wisdom, decided to offer only protected edge ports on the 3850 series switches. However, in later versions they have offered proper PvLAN functionality.
One thing crossed my mind whilst looking at using PvLANs on a pair of Cisco 3750 switches to meet a specific requirement in a network. Add in an HP C7000 to the mix and a pinch of 2960s, then you start to think and/or try out some crazy ideas.
It's a great way to learn a little bit more or cement your understanding!
- Can I have a port in an access vLAN and allow it to communicate with another device in an isolated vLAN? No! The isolated PvLAN port is as its name says, isolated. Devices connected can only communicate with a promiscuous port.
- Okay, can I do this with a community vLAN, by having a device on an access port defined using the same vLAN ID as the community? No! That won’t work either. However, you could obviously make it a community port.
- What about if I trunk to switches running with the same PvLAN configurations? Can I trunk the two switches just using a normal .1Q vLAN trunk port? Yes!
- Cool, so if I trunk in the same way to a 2960 from the 3750 and then place a port in an access vLAN matching either the primary or secondary PvLAN then I can plug my devices into it and they’ll work? No! Again the PvLAN configuration will stop this from working.
- What can I do? You could look at the Cisco 4500 series switches. These have new features: a promiscuous trunk port and/or an isolated trunk port.
Well, it’s not the answer I wanted, but it was fun trying.
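
The port roles from the questions above, as an added configuration sketch that is not from the original post. It assumes a PvLAN-capable switch such as the 3750; the vLAN IDs (100, 101, 102) and interface numbers are assumptions chosen for illustration.

```cisco
! Added example: illustrative values, not the author's configuration.
! On the 3750, PvLANs require VTP transparent mode (VTP v1/v2).
vtp mode transparent
!
! Secondary vLANs: one isolated, one community
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! Primary vLAN, associated with both secondaries
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Promiscuous port (e.g. gateway or firewall): reachable from every secondary
interface GigabitEthernet1/0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Isolated host port: can only talk to the promiscuous port
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community host ports: talk to each other and to the promiscuous port
interface range GigabitEthernet1/0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Normal .1Q trunk to a second switch carrying the SAME PvLAN definitions.
! Primary and secondary vLANs must all be allowed on the trunk.
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100-102
!
! What the post found does NOT work: a plain access port reusing a
! secondary vLAN ID instead of being configured as a PvLAN host port.
! interface GigabitEthernet1/0/5
!  switchport mode access
!  switchport access vlan 102
```

`show vlan private-vlan` and `show interfaces GigabitEthernet1/0/2 switchport` confirm the primary/secondary association and each port's operational PvLAN mode.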