10-22-2014 03:01 PM - edited 03-01-2019 07:41 AM
We have a couple of 6800IA devices connected to a 6880 switch. There will be several end hosts connected to the IAs and we need to configure private isolated ports for some of those hosts. A firewall pair is also connected to the 6880.
Our plan is to configure the 6880 ports to the firewall pair as pvlan promiscuous ports, and the 6800IA ports as pvlan isolated ports. When we do this, a host on one of the isolated ports can ping a host on another isolated port. This is not supposed to happen in the pvlan world.
Here is the configuration:
vlan 300
name DMZ-Outside-Primary
private-vlan primary
private-vlan association 301
!
vlan 301
name DMZ-Outside-Isolated
private-vlan isolated
interface TenGigabitEthernet1/5/1
description uplink to firewall A E0/8
switchport
switchport private-vlan mapping 300 301
switchport mode private-vlan promiscuous
end
interface TenGigabitEthernet2/5/1
description uplink to firewall B E0/8
switchport
switchport private-vlan mapping 300 301
switchport mode private-vlan promiscuous
end
interface GigabitEthernet101/1/0/47
switchport
switchport trunk allowed vlan 1
switchport private-vlan host-association 300 301
switchport mode private-vlan host
end
interface GigabitEthernet101/1/0/48
switchport
switchport trunk allowed vlan 1
switchport private-vlan mapping 300 301
switchport mode private-vlan host
spanning-tree portfast edge
end
Any idea why the two isolated hosts can ping each other?
10-23-2014 12:41 AM
Hi,
I think you can change the configuration like this to solve the problem, considering that hosts in the same isolated VLAN should not reach each other!
vlan 300
name DMZ-Outside-Primary
private-vlan primary
private-vlan association 301 302
!
vlan 301
name DMZ-Outside-Isolated1
private-vlan isolated
!
vlan 302
name DMZ-Outside-Isolated2
private-vlan isolated
interface TenGigabitEthernet1/5/1
description uplink to firewall A E0/8
switchport
switchport private-vlan mapping 300 301 302
switchport mode private-vlan promiscuous
end
interface TenGigabitEthernet2/5/1
description uplink to firewall B E0/8
switchport
switchport private-vlan mapping 300 301 302
switchport mode private-vlan promiscuous
end
interface GigabitEthernet101/1/0/47
switchport
switchport trunk allowed vlan 1
switchport private-vlan host-association 300 301
switchport mode private-vlan host
end
interface GigabitEthernet101/1/0/48
switchport
switchport trunk allowed vlan 1
switchport private-vlan mapping 300 302
switchport mode private-vlan host
spanning-tree portfast edge
end
HTH
Houtan
10-23-2014 07:39 AM
I was under the impression that you can only have one isolated vlan in a primary vlan.
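As an added example (written for this page, not code from the thread or from Cisco), here is a small Python lint that parses an IOS-style private-VLAN configuration and flags the inconsistencies a reviewer would check first in configs like the two above: a primary VLAN associated with more than one isolated VLAN (Cisco permits one isolated VLAN per primary, while community VLANs may be several), a port in `switchport mode private-vlan host` that carries `switchport private-vlan mapping` (the promiscuous-port command) instead of `switchport private-vlan host-association`, and mappings or host-associations that reference a secondary VLAN not associated with the primary. The sample configurations are constructed, modelled on the ones quoted in the thread; parse_pvlan_config, check_pvlan and lint are the example's own names, and the finding texts are the example's wording. Whether these findings explain the ping result is beyond what the thread itself establishes; the lint only reports what the config says.

```python
import re

# Constructed sample modelled on the configs quoted in this thread (not a device capture).
SAMPLE_CONFIG = """
vlan 300
 private-vlan primary
 private-vlan association 301 302
vlan 301
 private-vlan isolated
vlan 302
 private-vlan isolated
interface TenGigabitEthernet1/5/1
 switchport private-vlan mapping 300 301 302
 switchport mode private-vlan promiscuous
interface GigabitEthernet101/1/0/47
 switchport private-vlan host-association 300 301
 switchport mode private-vlan host
interface GigabitEthernet101/1/0/48
 switchport private-vlan mapping 300 302
 switchport mode private-vlan host
end
"""

# Constructed counterpart: one isolated VLAN, the host port uses host-association.
CLEAN_CONFIG = """
vlan 300
 private-vlan primary
 private-vlan association 301
vlan 301
 private-vlan isolated
interface GigabitEthernet101/1/0/48
 switchport private-vlan host-association 300 301
 switchport mode private-vlan host
"""


def _ids(s):
    """'301 302' or '301,302' -> [301, 302]."""
    return [int(x) for x in re.split(r"[,\s]+", s.strip()) if x]


def parse_pvlan_config(text):
    """Collect private-VLAN state from the 'vlan' and 'interface' blocks of an IOS-style config."""
    vlans, ports, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("!", "end"):
            continue
        if m := re.match(r"^vlan (\d+)$", line):
            block = vlans.setdefault(int(m[1]), {"type": None, "assoc": []})
        elif m := re.match(r"^interface (\S+)$", line):
            block = ports.setdefault(m[1], {"mode": None, "host_assoc": None, "mapping": None})
        elif block is None:
            continue  # lines before the first block are irrelevant here
        elif m := re.match(r"^private-vlan (primary|isolated|community)$", line):
            block["type"] = m[1]
        elif m := re.match(r"^private-vlan association (?:add )?([\d,\s]+)$", line):
            block["assoc"].extend(_ids(m[1]))
        elif m := re.match(r"^switchport mode private-vlan (host|promiscuous)$", line):
            block["mode"] = m[1]
        elif m := re.match(r"^switchport private-vlan host-association (\d+) (\d+)$", line):
            block["host_assoc"] = (int(m[1]), int(m[2]))
        elif m := re.match(r"^switchport private-vlan mapping (\d+) ([\d,\s]+)$", line):
            block["mapping"] = (int(m[1]), _ids(m[2]))
    return vlans, ports


def check_pvlan(vlans, ports):
    """Return human-readable findings; an empty list means no inconsistency was found."""
    findings = []
    for vid, v in sorted(vlans.items()):
        if v["type"] != "primary":
            continue
        isolated = [s for s in v["assoc"] if vlans.get(s, {}).get("type") == "isolated"]
        if len(isolated) > 1:  # Cisco: one isolated VLAN per primary (community VLANs may be many)
            findings.append(f"vlan {vid}: {len(isolated)} isolated VLANs associated {isolated}; "
                            "a primary VLAN takes a single isolated VLAN")
        for s in v["assoc"]:
            if vlans.get(s, {}).get("type") not in ("isolated", "community"):
                findings.append(f"vlan {vid}: associated VLAN {s} is not declared isolated or community")
    primaries = {vid: set(v["assoc"]) for vid, v in vlans.items() if v["type"] == "primary"}
    for name, p in sorted(ports.items()):
        if p["mode"] == "host":
            if p["host_assoc"] is None:
                hint = "has 'mapping' (a promiscuous-port command)" if p["mapping"] else "has no association"
                findings.append(f"{name}: host port {hint}; it needs 'switchport private-vlan host-association'")
            elif p["host_assoc"][1] not in primaries.get(p["host_assoc"][0], set()):
                findings.append(f"{name}: host-association {p['host_assoc']} is not a declared primary/secondary pair")
        elif p["mode"] == "promiscuous":
            if p["mapping"] is None:
                findings.append(f"{name}: promiscuous port has no 'switchport private-vlan mapping'")
            else:
                prim, secs = p["mapping"]
                for s in secs:
                    if s not in primaries.get(prim, set()):
                        findings.append(f"{name}: mapping {prim} -> {s} names a secondary not associated with the primary")
    return findings


def lint(text):
    """Parse and check in one step."""
    return check_pvlan(*parse_pvlan_config(text))


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the constructed sample, the lint reports two findings: vlan 300 carrying two isolated VLANs, and GigabitEthernet101/1/0/48 being a host port configured with `mapping` rather than `host-association`; the clean counterpart produces none. The same parser can be pointed at a `show running-config` saved to a file to review a whole chassis before the ports are brought into service.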