Private VLAN help

Apr 19th, 2008

Ok, this is my first private VLAN and maybe I am not getting the concept here, but my isolated port cannot ping the IP address of the primary VLAN interface.


How do you route Isolated ports? Do I have to configure a port as a L2 promiscuous and attach a router there?


Thanks!!


vlan 100
 private-vlan primary
 private-vlan association 101
!
vlan 101
 private-vlan isolated
!
interface GigabitEthernet0/4
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
!
interface Vlan100
 ip address 192.168.1.254 255.255.255.0
 private-vlan mapping 101
end



nambi_gct Sat, 04/19/2008 - 20:22

Your private VLAN config is perfect. I don't see any issues. Are you able to ping the SVI from the switch?

Istvan_Rabai Sat, 04/19/2008 - 23:25

Hi Brian,

Your private-vlan config seems OK to me.

There may be some other reason why you can't ping your primary VLAN interface.

Did you put the IP address of interface Vlan100 into your PC as the default gateway address?

Is interface Gig0/4 a layer 2 port? Is it up/up?

Can you ping interface Vlan100 from a PC that connects directly into a port assigned to VLAN 100?

Just some ideas for troubleshooting.

Cheers,

Istvan

BrianMitchellTX Sun, 04/20/2008 - 11:21
Gig0/4 is a layer 2 port and it is up. I can only ping VLAN 100 (from a PC in VLAN 100) when I remove the private-vlan mapping from the SVI. The switch works fine in a standard VLAN setup but only works in private-vlan when I create a promiscuous port to a separate router. Here is more info that hopefully helps.



Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(44)SE1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 07-Mar-08 00:10 by weiliu
Image text-base: 0x00003000, data-base: 0x01900000



HOUDMZ-01#sho int gig 0/4 swi
Name: Gi0/4
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 100 (DMZ_PRIMARY) 101 (DMZ_ISOLATED)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan:
  100 (DMZ_PRIMARY) 101 (DMZ_ISOLATED)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

HOUDMZ-01#sho int private-vlan map
Interface  Secondary VLAN  Type
---------  --------------  -----------------
vlan100    101             isolated
vlan100    102             community

BrianMitchellTX Sun, 04/20/2008 - 11:27
Ahggg... as soon as I posted my last response I turned on IP routing and voila.

This is kind of baffling though. Even though I have no problem leaving IP routing enabled, shouldn't it work just fine without it, given that I wasn't crossing VLAN boundaries and was just trying to ping an IP address within my own VLAN?

Who knows, maybe there's some secret logical madness Cisco has when it comes to private-vlans.

Thanks for all the help!!
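The whole working setup from this thread assembled into one configuration, added here as an example and not copied from any of the posts: VLAN numbers, the names DMZ_PRIMARY and DMZ_ISOLATED, the Gi0/4 host port, the SVI address and the final `ip routing` step all come from the thread; the promiscuous port on Gi0/1 (the alternative the OP mentioned trying toward a separate router) and the interface description strings are assumed.

```cisco
! Added example assembled from this thread; Gi0/1 and the descriptions are assumed.
!
! Primary VLAN and the isolated secondary VLAN bound to it (names as shown in the OP's show output)
vlan 100
 name DMZ_PRIMARY
 private-vlan primary
 private-vlan association 101
!
vlan 101
 name DMZ_ISOLATED
 private-vlan isolated
!
! Isolated host port: at layer 2 it can reach only promiscuous ports and the primary SVI,
! never another host in VLAN 101
interface GigabitEthernet0/4
 description assumed: isolated DMZ host
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Optional promiscuous port toward an external router (assumed interface), the workaround
! the OP said did work before IP routing was enabled
interface GigabitEthernet0/1
 description assumed: promiscuous port to external router
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Primary SVI as the gateway for the isolated hosts; the mapping lets the layer 3
! interface answer for traffic arriving on the secondary VLAN
interface Vlan100
 ip address 192.168.1.254 255.255.255.0
 private-vlan mapping 101
!
! The step that made the OP's ping to the SVI succeed on this C3560
ip routing
```

To check the result, `show vlan private-vlan` lists the primary/secondary pairing and the ports in each, and `show interfaces private-vlan mapping` (the command the OP used) confirms the SVI mapping. One caveat for anyone using this as a DMZ design: the isolation is a layer 2 property only; once the SVI routes, two isolated hosts can still reach each other through the gateway at layer 3 unless you filter that on the SVI (for example with an ACL that denies traffic from 192.168.1.0/24 back to 192.168.1.0/24), so the ACL is what actually enforces host-to-host separation, not the private VLAN alone.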
