cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
312
Views
0
Helpful
4
Replies

private vlan trouble?

alban.dani
Level 1
Level 1

I have the following private vlan configuration:

What do I have to do in order for the networks sitting behind router1 and router2

to talk to each other.

I have verified that both routers have the correct routes on their routing table

vlan 116

name primary

private-vlan primary

private-vlan association 117-122

vlan 119

name torouter2

private-vlan community

vlan 121

name torouter1

private-vlan community

interface GigabitEthernet2/16

description Connection to router2

switchport

switchport private-vlan host-association 116 119

switchport mode private-vlan host

no ip address

speed 100

duplex full

spanning-tree portfast

interface GigabitEthernet1/4

description Connection to router1

switchport

switchport private-vlan host-association 116 121

switchport mode private-vlan host

no ip address

speed nonegotiate

spanning-tree portfast

thank you very much,

Alban

4 Replies 4

vladrac-ccna
Level 5
Level 5

Hello Alban,

Where's your promiscous port?

Switch# configure terminal

Switch(config)# interface Gig X/X

Switch(config-if)# switchport mode private-vlan promiscuous

Switch(config-if)# switchport private-vlan mapping 116 add 119 121

Switch(config-if)# end

let us know,

Vlad

Vlad,

thank you.

I do not have a promiscuos port configured.

If I configure one what do I connect to it?

Thanks

Alban

I think you should read the following document for a better clarification on the subject:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swpvlan.htm

this is for 3560, but you'll find it on other IOS versions and platforms.

the promiscous port will be the port that is allowed to communicate with all other interfaces, so usually is the port connected to a router.

I'm not what is your requirements on this scenario.

Please give us more details, we could find a better configuration for you.

Vlad

Vlad,

From networks connected behind router1 need to reach networks connected behind router2

------[router1]--------------gig1/4[vdmz]gig2/16----------------[router2]-------

gig1/4 is community vlan 121

gig2/16 is in community vlan 119

Primary vlan is Vlan116

VDMZ is our 6503 configured with private vlans.

some more of the config is this (and I do have a 6503 with an mscf daughter card):

--------------------------------------------------------------------

interface Vlan116

description vendor-dmz public/private primary vlan

ip address 10.248.15.2 255.255.255.128 secondary

ip address 211.121.108.66 255.255.255.192

ip access-group 140 in (this one has a permit any any at the end)

no ip redirects

no ip unreachables

private-vlan mapping 117-122

ip route 10.82.35.0 255.255.255.0 211.121.108.96

------------------------------------------------------------------

(where 211.121.108.96 is address of router1)

I have a bgp peering with 211.121.108.90 which is router2.

in router1 they can see the routes advertised via bgp and also in router2 they

can see the route for 10.82.35.0 that I advertise to them via bgp.

I really appreciate your help,

Alban

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco