PVLAN - packet missing VLAN?

I am currently testing some PVLAN configurations and so far almost everything matches what I am expecting to see.

The most confusing part of the testing is that when I connect a sniffer and run ICMP packets back and forth, I cannot find the VLAN tag anywhere. The packet matches what I would expect to see on a native VLAN, but the PVLANs I am testing with are 950-959.

Does anyone know why I would not see PVLAN packets with tagged VLAN information?

Does anyone have an example of a PVLAN packet with a tagged VLAN they wouldn't mind showing me?

Any information about this problem or about the formation of the packets for PVLAN will be most helpful.

Thank you in advance for your knowledge, time, and assistance.

ansalaza, the first link doesn't work.

The testing base is as follows:

3550(host) ---promiscuous[950] --- {   6509(main switch)  } ---community[953]---3550(host)

                                                                                    ^ ---community[954]---3750(host)

                                                                        ^---isl trunk---3750(switch2)---isolated[952]---3750(host)

                                                            ^---isl trunk---3750(switch1)

We have used up to 2 laptops to test with and of course the 4 host switches as well. The entire test bed is configured for a /24 network.

If we connect a laptop to switch1 on a community 953 host port and send an ICMP to the 3550(host) that is connected on the community 953 host port, the sniffer shows an ICMP packet that is just a basic native VLAN ICMP packet, i.e. no VLAN tag.

This path takes them across an ISL trunk on switch 1 and then through the 6509 across to the receiving host.

Alexis Brenes, with the TAC Switching Team, had this to say about PVLAN and tags:

I was doing some research about your questions and it seems due to the nature
of private-vlans we cannot capture the VLAN tag. The private-vlans don't
have a dot1q tag we can see or capture.

In normal configurations the trunk ports are the ones we use to capture tag packets;
however, as I said before, the PVLAN doesn't have a tag.

This creates a whole new set of questions for me.

1) How do you troubleshoot PVLAN without VLAN tags?

2) At the packet level how does the switch know if a packet is allowed to go somewhere?

--2a) At what point does the switch say "you are not allowed to go here" and why?

Does anyone else feel that the lack of awareness toward this magical technology we call PVLANs is dangerously under-documented?
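
One way to check what a capture actually contains, as an added example that is not part of the original thread: this classifies a raw Ethernet frame as untagged, 802.1Q-tagged, or ISL-encapsulated (the trunk type in the test bed above) and reports the VLAN ID it carries. The MAC addresses and sample frames are constructed for illustration; VLAN 953 is taken from the thread.

```python
import struct

# ISL uses a 40-bit multicast destination of 01-00-0C-00-00 or 03-00-0C-00-00.
ISL_DA_PREFIXES = (bytes.fromhex("01000c0000"), bytes.fromhex("03000c0000"))
TPID_DOT1Q = 0x8100


def classify_frame(frame: bytes) -> dict:
    """Report which VLAN encapsulation, if any, a captured frame carries."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    if frame[:5] in ISL_DA_PREFIXES:
        # ISL prepends a 26-byte header; bytes 20-21 hold a 15-bit VLAN
        # field followed by a 1-bit BPDU flag.
        if len(frame) < 26:
            raise ValueError("truncated ISL header")
        (vlan_bpdu,) = struct.unpack_from("!H", frame, 20)
        return {"encap": "isl", "vlan": vlan_bpdu >> 1}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == TPID_DOT1Q:
        # 802.1Q inserts TPID 0x8100 plus a 16-bit TCI after the source MAC:
        # 3 bits priority, 1 bit DEI, 12 bits VLAN ID.
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack_from("!HH", frame, 14)
        return {"encap": "dot1q", "vlan": tci & 0x0FFF,
                "pcp": tci >> 13, "ethertype": inner}
    return {"encap": "untagged", "vlan": None, "ethertype": ethertype}


# Constructed sample frames (locally administered MACs, zeroed payload).
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
PAYLOAD = bytes(46)  # stands in for the IP/ICMP payload

UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD
TAGGED = DST + SRC + struct.pack("!HHH", TPID_DOT1Q, 953, 0x0800) + PAYLOAD
ISL_FRAME = (
    ISL_DA_PREFIXES[0] + b"\x00"               # DA (40 bits) + type/user
    + SRC + struct.pack("!H", 12 + len(UNTAGGED))  # SA + LEN
    + b"\xaa\xaa\x03" + SRC[:3]                # SNAP/LLC + HSA
    + struct.pack("!HHH", 953 << 1, 0, 0)      # VLAN|BPDU, index, reserved
    + UNTAGGED + bytes(4)                      # original frame + ISL CRC (zeroed)
)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("dot1q", TAGGED), ("isl", ISL_FRAME)):
        print(name, classify_frame(frame))
```
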