I have set up a promiscuous VETH port group on a 1000v. I have found it works, in that the veth port group can ping all VMs in the secondary community and isolated VLANs.
My problem is that Cisco is saying this is NOT supported. They state that the only ports that can be configured as promiscuous are eth ports. This eliminates any possibility of having VMs have promiscuous access to any PVLAN zone.
Why then does the CLI allow applying "switchport mode private-vlan promiscuous" to a vethernet interface?
port-profile type vethernet SamplePP
  vmware port-group
  switchport mode private-vlan promiscuous
  switchport private-vlan host-association 555 521
  switchport private-vlan mapping 555 520-530,532
  no shutdown
  state enabled
What function is served by applying a promiscuous PVLAN to an eth interface?
We support promiscuous on eth interfaces so you can extend the PVLAN implementations northbound into your physical network. To do this we have to be able to support promiscuous trunk on the eth interfaces.
Generally you don't want VMs to be on a promiscuous network, as then they can see all the traffic from all VMs. I assume you are doing something with your network config that you want a VM to see all traffic?
louis
Generally you don't want to, but what if we want to? Let's say, for example, we want a sniffer VM to monitor all traffic, or an authentication server that all the various VMs in the various secondary PVLANs are able to get to.
Is it possible to set up promiscuous PVLANs on vEth interfaces?
If yes, why would Cisco allow it but not support it?
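The forwarding rules behind louis's warning and the sniffer/authentication-server use case above can be modelled directly. The following is an added example, not code from the thread or from Cisco: it encodes the private-VLAN reachability rules (a promiscuous port reaches every secondary VLAN it is mapped to, community hosts reach each other, isolated hosts reach only promiscuous ports) and applies them to a constructed set of ports modelled on the SamplePP profile in the question (primary 555, community 521, mapping 520-530,532). The port names and the extra secondaries 520, 522 and 531 are assumptions made for the illustration; 531 is left out of the mapping on purpose to show what an unmapped secondary looks like.

```python
"""Toy model of private-VLAN (PVLAN) reachability.

Added example; the port inventory below is constructed, not taken
from the thread. It mirrors the SamplePP port-profile: primary 555,
community 521, promiscuous mapping "520-530,532".
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Mode(Enum):
    PROMISCUOUS = "promiscuous"
    COMMUNITY = "community"
    ISOLATED = "isolated"


def parse_vlan_list(spec: str) -> frozenset[int]:
    """Expand an NX-OS style VLAN list such as '520-530,532' into a set."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad VLAN range {part!r}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return frozenset(vlans)


@dataclass(frozen=True)
class Port:
    name: str
    mode: Mode
    primary: int
    secondary: Optional[int] = None     # host ports (community/isolated) only
    mapping: frozenset = frozenset()    # promiscuous ports only


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame from src can be delivered to dst under PVLAN rules."""
    if src.name == dst.name or src.primary != dst.primary:
        return False
    if src.mode is Mode.PROMISCUOUS:
        # Promiscuous ports talk to each other and to every mapped secondary.
        return dst.mode is Mode.PROMISCUOUS or dst.secondary in src.mapping
    if dst.mode is Mode.PROMISCUOUS:
        # A host reaches a promiscuous port only if its secondary is mapped.
        return src.secondary in dst.mapping
    # Two host ports: only members of the same community can talk;
    # isolated hosts never reach other hosts.
    return (src.mode is Mode.COMMUNITY and dst.mode is Mode.COMMUNITY
            and src.secondary == dst.secondary)


def reachable(src: Port, ports) -> list[str]:
    """Sorted names of the ports src can send to."""
    return sorted(p.name for p in ports if can_forward(src, p))


# Constructed inventory (hypothetical names) on primary VLAN 555.
PORTS = [
    Port("sniffer-veth", Mode.PROMISCUOUS, 555,
         mapping=parse_vlan_list("520-530,532")),
    Port("web1", Mode.COMMUNITY, 555, secondary=521),
    Port("web2", Mode.COMMUNITY, 555, secondary=521),
    Port("db1", Mode.COMMUNITY, 555, secondary=522),
    Port("guest1", Mode.ISOLATED, 555, secondary=520),
    Port("guest2", Mode.ISOLATED, 555, secondary=520),
    Port("unmapped", Mode.COMMUNITY, 555, secondary=531),
]

if __name__ == "__main__":
    for p in PORTS:
        print(f"{p.name:13} ({p.mode.value:11}) -> {reachable(p, PORTS)}")
```

Running it shows the two sides of the thread at once: the promiscuous veth reaches every host in every mapped secondary (the sniffer or authentication-server case), every host in a mapped secondary can reach it, the two isolated guests still cannot see each other, and a host in the unmapped secondary 531 is cut off from the promiscuous port entirely. That is also why a promiscuous VM deserves the same scrutiny as a physical span or uplink: whatever it runs sees traffic from every mapped zone.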
Engineering says they do allow and support it. The Doc team is updating the documentation so you are safe to set veth ports as promiscuous ports for PVLAN.
louis