Cisco Support Community
New Member

Private VLAN help

Ok, this is my first private VLAN and maybe I am not getting the concept here but my isolated port cannot ping the IP address of the Primary VLAN interface.

How do you route Isolated ports? Do I have to configure a port as a L2 promiscuous and attach a router there?


vlan 100
 private-vlan primary
 private-vlan association 101

vlan 101
 private-vlan isolated

interface GigabitEthernet0/4
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host

interface Vlan100
 ip address
 private-vlan mapping 101


New Member

Re: Private VLAN help

Your private VLAN config is perfect. I don't see any issues. Are you able to ping the SVI from the switch?

Re: Private VLAN help

Hi Brian,

Your private-vlan config seems to me OK.

There may be some other reason why you can't ping your primary vlan interface.

Did you put the ip address of interface Vlan100 into your pc as the default gateway address?

Is interface Gig0/4 a layer 2 port? Is it up/up?

Can you ping interface Vlan100 from a PC that connects directly into a port assigned to vlan 100?

Just some ideas for troubleshooting.



New Member

Re: Private VLAN help

GIG0/4 is a layer 2 port and it is up. I can only ping VLAN 100 (from a PC in VLAN 100) when I remove the private mapping from the SVI. The switch works fine in a standard VLAN setup but only works in private-vlan when I create a promiscuous port to a separate router. Here is more info that hopefully helps.

Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(44)SE1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 07-Mar-08 00:10 by weiliu
Image text-base: 0x00003000, data-base: 0x01900000

HOUDMZ-01#sho int gig 0/4 swi
Name: Gi0/4
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 100 (DMZ_PRIMARY) 101 (DMZ_ISOLATED)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan:

Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

HOUDMZ-01#sho int private-vlan map
Interface Secondary VLAN Type
--------- -------------- -----------------
vlan100   101            isolated
vlan100   102            community

New Member

Re: Private VLAN help

As soon as I posted my last response I turned on IP Routing and voila.

This is kind of baffling though. Even though I have no problem leaving IP Routing enabled, should it work just fine without it, being that I wasn't crossing VLAN boundaries and just trying to ping an IP address within my own VLAN?

Who knows, maybe there's some secret logical madness Cisco has when it comes to private-vlans.

Thanks for all the help!!
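
The outcome reported in the last post (the SVI's private-vlan mapping only worked once IP routing was enabled), turned into a config check. This is an added example, not part of the original thread or any Cisco tooling. The sample config is constructed from the one posted above, and treating a missing `ip routing` as a finding is an assumption drawn from this thread's result on a 3560.

```python
import re
# Constructed sample modelled on the config posted in the thread (no 'ip routing' line).
SAMPLE = """\
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
interface GigabitEthernet0/4
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
interface Vlan100
 private-vlan mapping 101
"""

def parse_blocks(config):
    """Map each top-level IOS command to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def ids(cmds, prefix):
    """Collect VLAN IDs from sub-commands starting with prefix (plain lists only)."""
    return {int(n) for c in cmds if c.startswith(prefix)
            for n in re.findall(r"\d+", c[len(prefix):])}

def check_pvlan_svi(config):
    """Return findings for every SVI that carries a private-vlan mapping."""
    blocks, findings = parse_blocks(config), []
    for header, cmds in blocks.items():
        m = re.fullmatch(r"interface Vlan(\d+)", header, re.I)
        mapped = ids(cmds, "private-vlan mapping")
        if not m or not mapped:
            continue
        vlan = blocks.get(f"vlan {m.group(1)}", [])
        if "private-vlan primary" not in vlan:
            findings.append(f"{header}: VLAN is not a private-vlan primary")
        for sec in sorted(mapped - ids(vlan, "private-vlan association")):
            findings.append(f"{header}: secondary {sec} mapped but not associated")
        # Assumption from this thread: the SVI mapping needs global 'ip routing'.
        if "ip routing" not in blocks:
            findings.append(f"{header}: private-vlan mapping without 'ip routing'")
    return findings
```

Calling `check_pvlan_svi(SAMPLE)` returns the single `ip routing` finding; prepending `ip routing` to the same config returns none.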
