Private-vlan SVI interface configuration

Mar 9th, 2007

Can anyone help explain why a host in one isolated vlan is able to ping another host in a different isolated vlan when using the following configuration?

vlan 500
 name pvlan_test_1
 private-vlan primary
 private-vlan association 600
!
vlan 501
 name pvlan_test_2
 private-vlan primary
 private-vlan association 601
!
vlan 600
 name isolated_1
 private-vlan isolated
!
vlan 601
 name isolated_2
 private-vlan isolated
!
interface FastEthernet1/0/23
 switchport private-vlan host-association 501 601
 switchport mode private-vlan host
!
interface FastEthernet1/0/24
 switchport private-vlan host-association 500 600
 switchport mode private-vlan host
!
interface Vlan500
 ip address 10.1.1.1 255.255.255.0
 private-vlan mapping 600
!
interface Vlan501
 ip address 10.1.2.1 255.255.255.0
 private-vlan mapping 601

carenas123 Thu, 03/15/2007 - 11:53

It looks like bug CSCdj73967, which says that Catalyst 1900 and 2820 VLANs do not provide fully secured isolation between VLANs, and do not provide support for a single MAC address being learned on different ports in different VLANs simultaneously.

chris morris Fri, 03/16/2007 - 03:22

It does; however, the switch in question is a Catalyst 3750-24TS running IOS 12.2(25)SEB4.

ahmednaas Fri, 03/16/2007 - 05:19

Christopher,

Why not upgrade your software to 12.2(25)SEE3 and see what happens? If it is an IOS bug, it'll go away.

Francois Tallet Fri, 03/16/2007 - 09:15

This is expected behavior because private vlan is providing isolation at layer 2, not layer 3.

For instance, a L2 broadcast on one isolated port will not be received on any other isolated port (except promiscuous ports). Another example: if you put two hosts on different ports in the same isolated vlan (you don't need to create two different isolated vlans as you did in your config), they would not be able to communicate together even if they were in the same subnet. This is because there is no L2 connectivity between isolated ports. On the other hand, if you add a router to a promiscuous port of this isolated vlan, then you'll be able to route between the two hosts (in the same subnet!).

If you want to prevent the two hosts from communicating with each other at layer 3, you need to implement some access lists.

Regards,

Francois
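An added example, not part of Francois's reply or the original thread, of the access lists he recommends: router ACLs applied inbound on the two SVIs from the posted config, so the switch drops packets it would otherwise route between 10.1.1.0/24 and 10.1.2.0/24 while still forwarding everything else (for example toward an upstream default route). The ACL names are assumptions.

```cisco
! Constructed example: the PVLANs still isolate hosts at layer 2; these
! ACLs close the layer-3 path that the SVIs open between the two subnets.
ip access-list extended PVLAN500-IN
 deny   ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip any any
!
ip access-list extended PVLAN501-IN
 deny   ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip any any
!
interface Vlan500
 ip address 10.1.1.1 255.255.255.0
 ip access-group PVLAN500-IN in
 private-vlan mapping 600
!
interface Vlan501
 ip address 10.1.2.1 255.255.255.0
 ip access-group PVLAN501-IN in
 private-vlan mapping 601
!
! Verification: a ping from a host in vlan 600 to a host in vlan 601 should
! now fail, and the deny entries should show matches in
!   show ip access-lists PVLAN500-IN
!   show ip access-lists PVLAN501-IN
```

Hosts in the same isolated VLAN are still kept apart at layer 2 by the PVLAN itself; the ACLs only cover traffic the switch routes between the two SVIs.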
