Does the 6800IA device support private vlans?

jkeeffe01
Level 1

We have a couple of 6800IA devices connected to a 6880 switch. There will be several end hosts connected to the IAs and we need to configure private isolated ports for some of those hosts. A firewall pair is also connected to the 6880.

Our plan is to configure the 6880 ports to the firewall pair as pvlan promiscuous ports, and the 6800IA ports as pvlan isolated ports. When we do this, a host on one of the isolated ports can ping a host on another isolated port. This is not supposed to happen in the pvlan world.

 

Here is the configuration:

vlan 300
 name DMZ-Outside-Primary
  private-vlan primary
  private-vlan association 301
!
vlan 301
 name DMZ-Outside-Isolated
  private-vlan isolated

interface TenGigabitEthernet1/5/1
 description uplink to firewall A E0/8
 switchport
 switchport private-vlan mapping 300 301
 switchport mode private-vlan promiscuous
end

interface TenGigabitEthernet2/5/1
 description uplink to firewall B E0/8
 switchport
 switchport private-vlan mapping 300 301
 switchport mode private-vlan promiscuous
end

interface GigabitEthernet101/1/0/47
 switchport
 switchport trunk allowed vlan 1
 switchport private-vlan host-association 300 301
 switchport mode private-vlan host
end

interface GigabitEthernet101/1/0/48
 switchport
 switchport trunk allowed vlan 1
 switchport private-vlan mapping 300 301
 switchport mode private-vlan host
 spanning-tree portfast edge
end

Any idea why the two isolated hosts can ping each other?

2 Replies

Hi,

I think you can change the configuration like this to solve the problem, considering that the same isolated VLANs should not reach each other!

vlan 300
 name DMZ-Outside-Primary
  private-vlan primary
  private-vlan association 301 302
!
vlan 301
 name DMZ-Outside-Isolated1
  private-vlan isolated

!
vlan 302
 name DMZ-Outside-Isolated2
  private-vlan isolated

interface TenGigabitEthernet1/5/1
 description uplink to firewall A E0/8
 switchport
 switchport private-vlan mapping 300 301 302
 switchport mode private-vlan promiscuous
end

interface TenGigabitEthernet2/5/1
 description uplink to firewall B E0/8
 switchport
 switchport private-vlan mapping 300 301 302
 switchport mode private-vlan promiscuous
end

interface GigabitEthernet101/1/0/47
 switchport
 switchport trunk allowed vlan 1
 switchport private-vlan host-association 300 301
 switchport mode private-vlan host
end

interface GigabitEthernet101/1/0/48
 switchport
 switchport trunk allowed vlan 1
 switchport private-vlan mapping 300 302
 switchport mode private-vlan host
 spanning-tree portfast edge
end

HTH

Houtan

I was under the impression that you can only have one isolated vlan in a primary vlan.
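As an added check, written for this thread and not taken from any of the posts or from Cisco, here is a small Python linter that parses IOS-style private-VLAN configuration text and applies two rules from Cisco's PVLAN documentation: a primary VLAN may have any number of community VLANs but only one isolated VLAN (which is what the last reply recalls), and a port in `switchport mode private-vlan host` must carry `switchport private-vlan host-association`, because `switchport private-vlan mapping` is the promiscuous-port command. On that second point, GigabitEthernet101/1/0/47 and GigabitEthernet101/1/0/48 differ in both the original configuration and the proposed one: port 47 has a host-association, port 48 has a mapping. The two configurations embedded below are abridged from the posts (descriptions, VLAN names, bare `switchport` lines and the second firewall uplink are dropped; the PVLAN commands are verbatim), and the proposed one is built from the original with the changes the reply makes.

```python
# Added example (not code from the thread or from Cisco): a small linter for
# Cisco IOS-style private-VLAN configuration text.
import re

# Abridged from the original post: descriptions, VLAN names, bare 'switchport'
# lines and the second firewall uplink are dropped; PVLAN commands are verbatim.
ORIGINAL_CONFIG = """\
vlan 300
  private-vlan primary
  private-vlan association 301
vlan 301
  private-vlan isolated
interface TenGigabitEthernet1/5/1
 switchport private-vlan mapping 300 301
 switchport mode private-vlan promiscuous
end
interface GigabitEthernet101/1/0/47
 switchport private-vlan host-association 300 301
 switchport mode private-vlan host
end
interface GigabitEthernet101/1/0/48
 switchport private-vlan mapping 300 301
 switchport mode private-vlan host
end
"""

# The reply's proposal, derived from the original: a second isolated VLAN 302 is
# associated with the primary, mapped on the uplink and given to port 48.
PROPOSED_CONFIG = (
    ORIGINAL_CONFIG
    .replace("association 301\n", "association 301 302\n")
    .replace("vlan 301\n  private-vlan isolated\n", "vlan 301\n  private-vlan isolated\nvlan 302\n  private-vlan isolated\n")
    .replace("mapping 300 301\n switchport mode private-vlan promiscuous", "mapping 300 301 302\n switchport mode private-vlan promiscuous")
    .replace("mapping 300 301\n switchport mode private-vlan host", "mapping 300 302\n switchport mode private-vlan host")
)

def parse_stanzas(text):
    """Split config into (header, [indented lines]); 'end' and '!' close a stanza."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] != " ":  # unindented: either 'end' or a new stanza header
            current = None if line == "end" else (line, [])
            if current:
                stanzas.append(current)
        elif current is not None:
            current[1].append(line)
    return stanzas

def lint_pvlan(text):
    """Return a list of findings; an empty list means nothing was detected."""
    vlans, ports, findings = {}, [], []
    for header, body in parse_stanzas(text):
        m = re.fullmatch(r"vlan (\d+)", header)
        if m:
            info = {"role": None, "assoc": []}
            for words in (cmd.split() for cmd in body):
                if words[:2] == ["private-vlan", "association"]:
                    info["assoc"] = [int(x) for x in words[2:]]
                elif words[0] == "private-vlan" and words[1] in ("primary", "isolated", "community"):
                    info["role"] = words[1]
            vlans[int(m.group(1))] = info
        elif header.startswith("interface "):
            port = {"name": header.split(" ", 1)[1], "mode": None, "mapping": None, "host": None}
            for words in (cmd.split() for cmd in body):
                if words[:3] == ["switchport", "mode", "private-vlan"]:
                    port["mode"] = words[3]
                elif words[:3] == ["switchport", "private-vlan", "mapping"]:
                    port["mapping"] = [int(x) for x in words[3:]]
                elif words[:3] == ["switchport", "private-vlan", "host-association"]:
                    port["host"] = [int(x) for x in words[3:]]
            ports.append(port)
    # Rule 1: a primary may carry many community VLANs but only one isolated VLAN,
    # and everything it associates must itself be declared isolated or community.
    for vid, info in vlans.items():
        if info["role"] != "primary":
            continue
        isolated = [s for s in info["assoc"] if vlans.get(s, {}).get("role") == "isolated"]
        if len(isolated) > 1:
            findings.append(f"vlan {vid}: {len(isolated)} isolated secondaries {isolated}; only one is allowed")
        for s in info["assoc"]:
            if vlans.get(s, {}).get("role") not in ("isolated", "community"):
                findings.append(f"vlan {vid}: associated vlan {s} is not declared isolated or community")
    # Rule 2: a host port needs host-association; 'mapping' is the promiscuous-port command.
    for p in ports:
        if p["mode"] == "host" and p["host"] is None:
            hint = " ('private-vlan mapping' applies to promiscuous ports)" if p["mapping"] else ""
            findings.append(f"{p['name']}: host-mode port has no 'switchport private-vlan host-association'{hint}")
        elif p["mode"] == "host" and p["host"][1] not in vlans.get(p["host"][0], {}).get("assoc", []):
            findings.append(f"{p['name']}: secondary {p['host'][1]} is not associated with primary {p['host'][0]}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("proposed", PROPOSED_CONFIG)):
        print(label, lint_pvlan(cfg) or ["no findings"])
```

Run against the original configuration the linter reports only port 48; run against the proposed one it reports port 48 again plus the two isolated VLANs under primary 300. Declaring VLAN 302 as a community VLAN instead and giving port 48 a host-association clears both findings, which is the shape of configuration the linter is written to accept.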
