Private VLAN Problem

jcmartin
Level 1

I have a 6509 running with a Sup720 and the latest IOS. Trying to configure several ports as a private VLAN with the below config. Problem is, in addition to not being able to talk to each other, hosts can't talk to the promiscuous port. Thoughts?

vlan 172
 private-vlan primary
 private-vlan association 472

vlan 472
 private-vlan isolated

interface GigabitEthernet4/7
 switchport
 switchport private-vlan mapping 172 472
 switchport mode private-vlan promiscuous
 no ip address
 no cdp enable

interface GigabitEthernet4/8
 switchport
 switchport private-vlan host-association 172 472
 switchport mode private-vlan host
 no ip address
 no cdp enable

interface GigabitEthernet4/9
 switchport
 switchport private-vlan host-association 172 472
 switchport mode private-vlan host
 no ip address
 no cdp enable


smilburn
Level 1

Isolated ports on a private vlan will never communicate with each other, that's the way they are supposed to work. If you want hosts on the private vlan to communicate you need to put them into a _community_.

The following is a great reference to isolated, community, and promiscuous ports along with steps for creating a pvlan and mappings.

http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_configuration_guide_chapter09186a00800fb5ab.html#1093407

I understand that, and it is exactly why we set up PVLANs. The problem is that they also couldn't communicate with the promiscuous port.

jcmartin
Level 1

So can anyone tell me if I've done something wrong in the config?

Config looks good from what I can tell. Question... where are you defining L3? If you're using an SVI on the 6509 then the mapping will need to be defined there as well. Let me know what you find.

-m2

Roberto Salazar
Level 8

Are the port/vlan "active"?

Just maybe you should look at this, per config guide:

24-Port Restriction:

In all releases, this "24-port restriction" applies to the WS-X6548-GE-TX and WS-X6148-GE-TX 10/100/1000 Mb Ethernet switching modules. Within groups of 24 ports (1-24, 25-48), do not configure ports as isolated ports or community VLAN ports when one port within the group of 24 ports is any of these:

–A trunk port

–A SPAN destination port

–A promiscuous private VLAN port

While one port within the group of 24 ports is one of these, any isolated or community VLAN configuration for other ports within the 24 ports is inactive. To reactivate the ports, remove the isolated or community VLAN port configuration and enter shutdown and no shutdown commands.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm#wp1090979
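An added example, not from this thread or from Cisco: a small Python audit that applies the 24-port rule quoted above to an IOS config dump and reports which isolated/community host ports the restriction would leave inactive. The sample config is constructed (modelled on the original post), and it assumes a SPAN destination shows up as a `monitor session ... destination interface` line.

```python
import re
from collections import defaultdict
# Constructed sample, modelled on the thread's config: promiscuous 4/7 and
# isolated hosts 4/8-4/9 share the 1-24 group; host 4/30 sits in the 25-48
# group; the SPAN destination is on another module and so does not matter.
SAMPLE_CONFIG = """\
interface GigabitEthernet4/7
 switchport private-vlan mapping 172 472
 switchport mode private-vlan promiscuous
interface GigabitEthernet4/8
 switchport private-vlan host-association 172 472
 switchport mode private-vlan host
interface GigabitEthernet4/9
 switchport mode private-vlan host
interface GigabitEthernet4/30
 switchport mode private-vlan host
monitor session 1 destination interface GigabitEthernet3/1
"""
IFACE_RE = re.compile(r"^interface \D+(\d+)/(\d+)$")
SPAN_RE = re.compile(r"^monitor session \d+ destination interface \D+(\d+)/(\d+)")
# 'host' covers both isolated and community ports; the association decides which.
MODES = {"switchport mode private-vlan host": "host",
         "switchport mode private-vlan promiscuous": "promiscuous",
         "switchport mode trunk": "trunk"}

def classify_ports(config):
    """Map (slot, port) -> 'host', 'promiscuous', 'trunk' or 'span'."""
    roles, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            current = (int(m.group(1)), int(m.group(2)))
        elif m := SPAN_RE.match(line):
            roles[(int(m.group(1)), int(m.group(2)))] = "span"
        elif current and line in MODES:
            roles[current] = MODES[line]
    return roles

def find_inactive_host_ports(config, group_size=24):
    """Host ports sharing a 24-port group with a trunk, SPAN destination or promiscuous port."""
    groups = defaultdict(list)
    for (slot, port), role in classify_ports(config).items():
        groups[(slot, (port - 1) // group_size)].append((port, role))
    inactive = []
    for (slot, _), members in groups.items():
        if any(role != "host" for _, role in members):
            inactive += [(slot, p) for p, role in members if role == "host"]
    return sorted(inactive)
```

Running `find_inactive_host_ports(SAMPLE_CONFIG)` on the constructed config reports 4/8 and 4/9 (they share the 1-24 group with the promiscuous port) and leaves 4/30 alone, which mirrors the symptom in the original post.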

That did the trick, thank you. I guess I missed that the first two times I read through the documentation. I still have one problem, though. I ended up configuring 5 ports, 1 in promiscuous mode in port 25, two in community mode in ports 11 and 12, and two in private mode in ports 13 and 14. The PIX was in port 25, the internet router and a Nortel Contivity were in the community ports as these need to talk to each other as well as the PIX, and two other devices that only need connectivity to the PIX were in the private ports. Traffic flowing from inside the network was moving through the PIX to the WAN router fine. Traffic flowing through the PIX to the private ports was working fine. Traffic through the Contivity to the PIX and the router were flowing fine. But, VPN connectivity through the WAN router to the PIX wouldn't work. It wasn't a configuration issue with the PIX or the router, because as soon as I put them all in a standard VLAN, it worked fine, so it had something to do with the PVLAN configuration, but it just didn't make sense to me. Everything else was working in all directions. Any ideas?

I am not sure about the VPN, but isn't VPN adding additional encapsulation to the packet? I am not sure what the issue is with the VPN traffic not being able to go through the switch when PVLAN is enabled on the port.