Private VLANs – In depth explanation of terminology and theory, configuration, verification, and tons of troubleshooting!

(Topology diagram: PVLAN_Top1)

I’ve come to find through the labbing below that the above Topology doesn’t work as drawn: the Primary VLAN’s subnet is the subnet that every host in a Secondary VLAN must reside in (Secondary VLANs carry no subnet of their own), so I spent a lot of time spinning my wheels trying to figure that out on my own.

A couple of other things to mention right up front to help understand the info in this post:

  • Dot1q trunks will carry Private VLAN traffic between switches so they can talk, however VTP (v1/v2) does not propagate the Private VLAN definitions, so the same PVLAN config needs to be mirrored on both switches
  • On the switches used here, EtherChannel (port-channel) interfaces cannot carry any PVLAN configuration
  • An SVI can also serve as the Promiscuous Port; it does not need to be a physical interface
  • A physical Promiscuous Port requires a Primary-to-Secondary mapping (“switchport private-vlan mapping 300 100,200”), while the Primary VLAN’s SVI only needs the Secondary list (“private-vlan mapping 100,200”)

I may at some point clean up all my troubleshooting, but for now I just wanted to add the need-to-know tidbits in here as I understand them better.

Before anything I will cover all the Terminology for Private VLANs, as there is a fair bit of it.

There are two different types of Private VLAN and three Port types that reside within them, along with some rules as to how they connect. To avoid confusion I am going to bullet point some information and then connect it all together by VLAN type.

Private VLAN Types:

  • Primary (Parent)
  • Secondary (Child)

Private VLAN Port types:

  • Promiscuous – Talks to all other Port types, Switch interfaces, everything
  • Community – Talks with other Hosts within its Community, and Promiscuous Port
  • Isolated – Completely isolated from all other Ports except the Promiscuous Port

The Primary (Parent) Private VLAN Type

The Primary VLAN is the Private VLAN domain: Secondary VLANs are mapped (associated) to a Primary VLAN to communicate with the rest of the network, and the Primary VLAN is the only Private VLAN type that can contain Promiscuous Ports, which talk to everything in the domain.

A Promiscuous Port is where the Layer 3 Gateway (Router / MLS SVI) attaches, and one is required for the network to function properly, as the Promiscuous Port is the one point that exchanges traffic with the Hosts in every Secondary VLAN mapped to it and is therefore how those Hosts reach anything outside their own VLAN.

A Primary VLAN can be mapped to multiple Secondary VLANs, however a Secondary VLAN can only be mapped to a single Primary VLAN; Secondary VLANs / Ports can, on the other hand, be served by multiple Promiscuous Ports at a time.

A Promiscuous Port can only serve a single Primary VLAN at a time, but can serve several Secondary VLANs at a time, so long as they are in the same Private VLAN Domain.

A Promiscuous Port CAN serve multiple Secondary VLANs / Ports, but it does not have to map every Secondary VLAN in the domain: only the Secondary VLANs listed in its mapping can reach it, so two Promiscuous Ports in the same Primary VLAN can serve different sets of Secondary VLANs.

To use an Analogy: The Primary VLAN type is like the Trunk of a Tree, which has several branches growing off of it (Secondary VLAN types), with twigs growing off of those branches (Ports in Secondary VLANs).

The Secondary (Child) Private VLAN Type(s)

The Secondary VLAN type actually covers two types of Secondary VLAN, Community VLANs and Isolated VLANs, both of which contain Host Ports.

Community VLANs allow Ports to talk among their fellow community members, but not across different Community VLANs, or to Isolated Port types.

Isolated VLANs can contain multiple Isolated Ports, but those Ports cannot communicate with each other; each one only talks with the Promiscuous Port(s) it is mapped to. (The VLAN itself is what Cisco calls unidirectional: the Isolated VLAN only carries traffic upstream from the hosts toward the Promiscuous Port, while the replies come back downstream in the Primary VLAN, so the hosts still get two-way communication with the gateway.)

All Port types can and will talk to the Promiscuous Port on the Switch; Community Ports have to stay within their own Community VLAN for Port-to-Port communication, and Isolated Ports only talk to the Promiscuous Port of the Primary VLAN they are mapped to.

This is kind of a flow chart for Private VLAN communication restrictions

(Diagram: PrivateVLAN1 – Private VLAN communication restrictions)

Technically all Secondary Ports in the above diagram can talk to the Primary VLAN Promiscuous Port, however for clarity sake I wanted to illustrate the explanation I have been stumbling through, which I think will become more clear with some labbing.
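To make the rules above concrete, here is an added example (my own script, not code from the original post or from Cisco) that encodes the three port roles and answers “can port X exchange frames with port Y?” for a whole Private VLAN domain, so an intended segmentation policy can be checked before a single switch is touched. The port list is constructed to mirror the lab: Hosts A and B in Community 100, Hosts C and D in Isolated 200, and a Promiscuous gateway port, all under Primary 300.

```python
"""Private-VLAN reachability rules as code (added example, not from the post)."""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

PROMISCUOUS, COMMUNITY, ISOLATED = "promiscuous", "community", "isolated"


@dataclass(frozen=True)
class Port:
    name: str
    role: str                        # one of PROMISCUOUS, COMMUNITY, ISOLATED
    primary: int                     # primary VLAN = the PVLAN domain
    secondary: Optional[int] = None  # community/isolated VLAN; None for promiscuous


def can_talk(a: Port, b: Port) -> bool:
    """True if a and b can exchange frames at layer 2 (the relation is symmetric)."""
    if a.primary != b.primary:
        return False                # separate PVLAN domains; only a router joins them
    if PROMISCUOUS in (a.role, b.role):
        return True                 # everything reaches the promiscuous port (gateway)
    if a.role == COMMUNITY and b.role == COMMUNITY:
        return a.secondary == b.secondary   # same community VLAN only
    return False                    # isolated<->isolated, isolated<->community, other communities


def reachability(ports):
    """Every unordered pair of ports that can talk: what a sniffer between them may see."""
    return {frozenset((a.name, b.name)) for a, b in combinations(ports, 2) if can_talk(a, b)}


def leaks(ports, allowed_pairs):
    """Pairs that can talk although the policy says they must not; empty means the design holds."""
    return {pair for pair in reachability(ports) if pair not in allowed_pairs}


# Constructed ports mirroring the lab topology (primary 300, community 100, isolated 200).
LAB = [
    Port("HostA", COMMUNITY, 300, 100), Port("HostB", COMMUNITY, 300, 100),
    Port("HostC", ISOLATED, 300, 200), Port("HostD", ISOLATED, 300, 200),
    Port("Gateway", PROMISCUOUS, 300),
]

# Policy for the lab: only A<->B and host<->gateway are supposed to work.
LAB_POLICY = {frozenset(("HostA", "HostB"))} | {
    frozenset((p.name, "Gateway")) for p in LAB if p.role != PROMISCUOUS
}

if __name__ == "__main__":
    for pair in sorted(reachability(LAB), key=sorted):
        print("can talk:", " <-> ".join(sorted(pair)))
    print("policy leaks:", leaks(LAB, LAB_POLICY) or "none")
```

Feeding the script a port that should not exist, such as a second Promiscuous port on an untrusted segment, immediately shows up in the leak set, which is the point of writing the rules down before configuring them.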

Explanation of Topology configuration and connectivity test before labbing!

(Topology diagram: PVLAN_Top1)

In case you are thinking “Holy cow that Topology looks great, what all is it?”

  • Host A and B in VLAN 10, Secondary Community VLAN 100
  • Host C and D in VLAN 20, Secondary Isolated VLAN 200
  • MLS SW1 configured for Primary VLAN 300
  • I’ve made SW2 Fa1/0/11 a L3 Routed Port for a Layer 3 Gateway
  • I’ve added a Loopback1 to SW2 to simulate an Internet Gateway
  • I’ve configured EIGRP AS 1 on SW1 and SW2 to share routes

So this Topology should be able to demonstrate Private VLANs pretty damn well 🙂

That being said, what do you do before you begin labbing? Test connectivity!

I am not really sure what is pingable at this point, so I am just going to test pings around on the different hosts before any Private VLAN Configuration. This is SW1’s IP Route table:

SW1#sh ip route
(Codes Redacted)

Gateway of last resort is 10.0.0.2 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.0.0.2
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Vlan1
L 10.0.0.1/32 is directly connected, Vlan1
C 10.0.10.0/24 is directly connected, Vlan10
L 10.0.10.10/32 is directly connected, Vlan10
C 10.0.20.0/24 is directly connected, Vlan20
L 10.0.20.20/32 is directly connected, Vlan20
100.0.0.0/24 is subnetted, 1 subnets
D 100.100.100.0 [90/130816] via 10.0.0.2, 00:52:26, Vlan1
SW1#

I am not sure if I should make SW1 Fa1/0/11 a Routed Port yet, so I set the default gateway to the IP Address of SW2’s Routed Port, so lets test connectivity!

Host A ping output to all IP Addresses in the Topology (if you want to skip)

HostA#ping 10.0.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
HostA#ping 10.0.20.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.20.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
HostA#ping 10.0.20.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.20.2, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/2/4 ms
HostA#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
HostA#ping 100.100.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
HostA#

We are officially hitting all Hosts, SW2’s Routed Port, all the way to the Loopback1 interface configured on SW2 as an Internet Gateway – We are good to go!

IP Route Tables and Connectivity looks good, we are go for launch!

Lab time!

Configuration of Private VLANs on SW1:

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vlan 100
SW1(config-vlan)#private-vlan ?
association Configure association between private VLANs
community Configure the VLAN as a community private VLAN
isolated Configure the VLAN as an isolated private VLAN
primary Configure the VLAN as a primary private VLAN

SW1(config-vlan)#private-vlan community ?
<cr>

SW1(config-vlan)#private-vlan community
%Private VLANs can only be configured when VTP is in transparent/off mode.

SW1(config-vlan)#

First major lesson of the lab, immediately – To configure Private VLANs, VTP must be in Transparent (or off) mode! VTP is already running by default (in Server mode), and that is what rejects the command, so the fix is changing the mode, not “turning VTP on”.

VTP Transparent mode configuration

SW1(config-vlan)#exit
SW1(config)#vtp domain CCNP
Changing VTP domain name from NULL to CCNP
SW1(config)#
*Mar 1 04:28:17.503: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to CCNP.
SW1(config)#vtp mode transparent
Setting device to VTP Transparent mode for VLANS.
SW1(config)#

Lets try that again:

SW1(config)#vlan 100
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#vlan 200
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#vlan 300
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#private-vlan ?
association Configure association between private VLANs
community Configure the VLAN as a community private VLAN
isolated Configure the VLAN as an isolated private VLAN
primary Configure the VLAN as a primary private VLAN

SW1(config-vlan)#private-vlan association ?
WORD VLAN IDs of the private VLANs to be configured
add Add a VLAN to private VLAN list
remove Remove a VLAN from private VLAN list

SW1(config-vlan)#private-vlan association add ?
WORD VLAN IDs of the private VLANs to be configured

SW1(config-vlan)#private-vlan association add 100,200 ?
<cr>

SW1(config-vlan)#private-vlan association add 100,200

So that is it for setting up the Private VLANs initially. What we’ve learned so far:

  • VTP must be in Transparent (or off) mode first, and because VTP v1/v2 does not carry Private VLAN definitions, the VLAN config has to be repeated on every switch
  • You can configure your Secondary VLANs before the Primary config
  • Upon Primary config, you must “associate” your Secondary VLAN #’s

Configuring interface Fa1/0/11 (connected to L3 Gateway) in Promiscuous mode:

SW1(config)#int fa1/0/11
SW1(config-if)#switchport mode ?
access Set trunking mode to ACCESS unconditionally
dot1q-tunnel set trunking mode to TUNNEL unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
private-vlan Set private-vlan mode
trunk Set trunking mode to TRUNK unconditionally

SW1(config-if)#switchport mode private-vlan ?
host Set the mode to private-vlan host
promiscuous Set the mode to private-vlan promiscuous

SW1(config-if)#switchport mode private-vlan promiscuous ?
<cr>

SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#

Now this interface’s mode has been configured for Private-VLAN Promiscuous, and we can begin mapping it to our Private VLANs!

Configuring Promiscuous Port mapping:

SW1(config-if)#switchport private-vlan ?
association Set the private VLAN association
host-association Set the private VLAN host association
mapping Set the private VLAN promiscuous mapping

SW1(config-if)#switchport private-vlan mapping ?
<1006-4094> Primary extended range VLAN ID of the private VLAN promiscuous
port mapping
<2-1001> Primary normal range VLAN ID of the private VLAN promiscuous
port mapping

SW1(config-if)#switchport private-vlan mapping 300 ?
WORD Secondary VLAN IDs of the private VLAN promiscuous port mapping
add Add a VLAN to private VLAN list
remove Remove a VLAN from private VLAN list

SW1(config-if)#switchport private-vlan mapping 300 100,200
SW1(config-if)#

So again a quick bullet point of configuring / mapping the Promiscuous Port:

  • First must enable “switchport mode private-vlan promiscuous”
  • Define mappings with “switchport private-vlan mapping (Primary) (Secondary,Secondary)”
  • The optional “add” / “remove” keywords edit the Secondary list of the Primary already given (e.g. “mapping 300 add 200”); a Promiscuous Port maps to exactly one Primary VLAN, so the Primary # always comes first

Configuring Host ports for their Private VLANs:

SW1(config)#int ra fa1/0/1 – 2
SW1(config-if-range)#switchport mode ?
access Set trunking mode to ACCESS unconditionally
dot1q-tunnel set trunking mode to TUNNEL unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
private-vlan Set private-vlan mode
trunk Set trunking mode to TRUNK unconditionally

SW1(config-if-range)#switchport mode private-vlan ?
host Set the mode to private-vlan host
promiscuous Set the mode to private-vlan promiscuous

SW1(config-if-range)#switchport mode private-vlan host ?
<cr>

SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#
*Mar 1 04:49:11.617: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to down
*Mar 1 04:49:12.581: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to down
*Mar 1 04:49:12.598: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to down
SW1(config-if-range)#

These ports apparently do not embrace change very well: a port in private-vlan host mode has no VLAN to forward in until it is given a host-association, so the switch leaves it down (notconnect) in the meantime.

Out of curiosity I checked one out Fa1/0/1’s line status:

SW1(config-if-range)#do sh int fa1/0/1
FastEthernet1/0/1 is up, line protocol is down (notconnect)

So I toasted the line protocol; hopefully that comes back up once the mapping of the Port to its new Private VLAN is finished.

Continuing configuring Host A and B for Private VLAN 100:

SW1(config-if-range)#switchport ?
access Set access mode characteristics of the interface
autostate Include or exclude this port from vlan link up calculation
backup Set backup for the interface
block Disable forwarding of unknown uni/multi cast addresses
host Set port host
mode Set trunking mode of the interface
nonegotiate Device will not engage in negotiation protocol on this
interface
port-security Security related command
priority Set appliance 802.1p priority
private-vlan Set the private VLAN configuration
protected Configure an interface to be a protected port
trunk Set trunking characteristics of the interface
voice Voice appliance attributes
<cr>

SW1(config-if-range)#switchport private-vlan ?
association Set the private VLAN association
host-association Set the private VLAN host association
mapping Set the private VLAN promiscuous mapping

SW1(config-if-range)#switchport private-vlan host-association ?
<1006-4094> Primary extended range VLAN ID of the private VLAN host port
association
<2-1001> Primary normal range VLAN ID of the private VLAN port
association

SW1(config-if-range)#switchport private-vlan host-association 300 100
SW1(config-if-range)#
*Mar 1 04:55:56.686: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
*Mar 1 04:55:56.702: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to up
SW1(config-if-range)#

That command is a mouthful, but one good takeaway is that when configuring the Ports, whether Promiscuous or Host, you always put the Primary VLAN # first, then the Secondary VLAN #’s that you will be mapping to.

For a Promiscuous port it goes Primary, then all Secondaries separated by commas, and on Host Ports (host-association) it is the Primary #, then the single Secondary VLAN # that the host will be mapped to!

Out of pure curiosity I did a verification “sh vlan brief”:

SW1(config-if-range)#do sh vlan bri

VLAN Name Status Ports
—- ——————————– ——— ——————————-
1 default active Fa1/0/5, Fa1/0/6, Fa1/0/7
Fa1/0/8, Fa1/0/9, Fa1/0/10
Fa1/0/12, Fa1/0/13, Fa1/0/14
Fa1/0/15, Fa1/0/16, Fa1/0/17
Fa1/0/18, Fa1/0/19, Fa1/0/20
Fa1/0/21, Fa1/0/22, Fa1/0/23
Fa1/0/24, Gi1/0/1, Gi1/0/2
10 VLAN0010 active
20 VLAN0020 active Fa1/0/3, Fa1/0/4
100 VLAN0100 active
200 VLAN0200 active
300 VLAN0300 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
SW1(config-if-range)#

I think I just did Cisco magic, I made interfaces disappear from their VLAN and not reappear in their new VLAN #! 🙂 In fact “show vlan brief” only lists normal access-port membership; Private VLAN host ports are listed by “show vlan private-vlan” (covered below).

Configuring Hosts C and D for Private VLAN 200:

SW1(config)#int ra fa1/0/3 – 4
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#
*Mar 1 05:06:31.301: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to down
*Mar 1 05:06:32.274: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/3, changed state to down
*Mar 1 05:06:32.282: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to down
SW1(config-if-range)#switchport private-vlan host-association 300 200
SW1(config-if-range)#
*Mar 1 05:06:41.862: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/3, changed state to up
*Mar 1 05:06:41.879: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to up
SW1(config-if-range)#

I didn’t notice this on the first range of Host ports, but the VLAN SVI went down with the interfaces’ line protocol and never came back up – good behavior to note! This is the SVI autostate rule: VLAN 20 no longer has any active access port (Fa1/0/3-4 are now Host ports of Private VLAN 300/200), so interface Vlan20 stays down, and its IP address is no longer a usable gateway for Hosts C and D.

So we already know the interfaces disappeared from the VLAN table, so I tried “sh ip int brief” just to see what it shows:

SW1(config-if-range)#do sh ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan1 10.0.0.1 YES manual up up
Vlan10 10.0.10.10 YES manual up down
Vlan20 10.0.20.20 YES manual up down

So where do we verify what Private VLANs are configured?

Private VLAN verification commands!

There is one main one, but there is another all-purpose verification command that gives some Private VLAN info as well:

SW1#sh vlan private-vlan ?
type Private VLAN type information
| Output modifiers
<cr>

SW1#sh vlan private-vlan

Primary Secondary Type      Ports
------- --------- --------- ------------------------------------------
300     100       community Fa1/0/1, Fa1/0/2
300     200       isolated  Fa1/0/3, Fa1/0/4

SW1#

This is the money shot right here for verification: you can verify the Primary / Secondary pairings, each Secondary’s type, and which interfaces belong to each. This is really a great command.

However there is also a verification command with gigantic output to use:

SW1#sh int switchport
Name: Fa1/0/1
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (VLAN0010)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 300 (VLAN0300) 100 (VLAN0100)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan:
300 (VLAN0300) 100 (VLAN0100)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

It is such a gigantic output, but pay dirt filled with little gold nuggets to pick out, especially with Private VLAN information being almost half the output! Note that “Access Mode VLAN: 10” is leftover from the port’s old access config and no longer applies; the lines that matter here are the Administrative and Operational private-vlan host-association ones.

So thinking about how to find which interface is the Promiscuous Port for the Primary VLAN, I realized I configured the wrong port, so a quick fix here:

SW1(config)#int fa1/0/11
SW1(config-if)#no switchport mode private-vlan promiscuous
SW1(config-if)#no switchport private-vlan mapping 300 100,200
SW1(config-if)#int fa1/0/12
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#
*Mar 1 05:24:22.392: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 1 05:24:22.400: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.2 (Vlan1) is down: interface down
*Mar 1 05:24:23.381: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/12, changed state to down
SW1(config-if)#switchport private-vlan mapping 300 100,200
SW1(config-if)#
*Mar 1 05:24:41.190: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/12, changed state to up
SW1(config-if)#

This is a fairly big problem (I think): though the line protocol of the interface came back up, the VLAN 1 SVI line protocol is pegged down, which means no EIGRP currently. Fa1/0/12 was the link to SW2 in VLAN 1, and putting it into promiscuous mode removed it from VLAN 1, leaving that VLAN with no active port, so autostate took the SVI down and the EIGRP adjacency with it.

Bad:

SW1(config-if)#do sh ip int bri
Interface IP-Address OK? Method Status Protocol
Vlan1 10.0.0.1 YES manual up down
Vlan10 10.0.10.10 YES manual up down
Vlan20 10.0.20.20 YES manual up down

Worse:

SW1(config-if)#do sh ip route
(Codes redacted)

Gateway of last resort is not set

SW1(config-if)#

It even removed my static default route from the IP Route Table!! (The route pointed at 10.0.0.2, which was only reachable through Vlan1; with that SVI down the next hop is unresolvable, so the static route is withdrawn from the table.)

Now the fun part of labbing – The Troubleshooting section!

My first thought was to start pings from SW1 to connected hosts, but we just got done dividing them up into hidden corners of the network, so my first thought is “Try to ping between Community Hosts!” :

HostA#ping 10.0.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
HostA#

Given that they are within the same VLAN, Private or not, that isn’t very satisfying. I’ll spare the ping output, but Hosts C and D are not going anywhere, and nothing gets off SW1 at all, because with the VLAN 1 line protocol down we have absolutely no routing happening on SW1.

Soooooooo….

I am going to give it a total shot in the dark here, and see if there is any options to configure SW2’s Routed Port into a Private-VLAN Promiscuous Port as well:

SW2(config-if)#switchport mode private-vlan promiscuous
Command rejected: Fa1/0/11 not a switching port.
SW2(config-if)#

Well that logically makes sense, and it also answers the question: the Promiscuous Port is the switchport that faces the Layer 3 Gateway (SW1 Fa1/0/12 here), not the gateway’s own routed interface. SW2 Fa1/0/11 is the gateway itself and should stay a Routed Port.

I’ll try configuring SW2 back to a switchport, applying private-vlan configs, and see what happens here:

SW2(config-if)#switchport
SW2(config-if)#
*Mar 1 05:43:21.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/11, changed state to down
SW2(config-if)#
*Mar 1 05:43:23.720: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to up
*Mar 1 05:43:24.727: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/11, changed state to up
SW2(config-if)#switchport mode private-vlan promiscuous
SW2(config-if)#
*Mar 1 05:43:38.828: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/11, changed state to down
SW2(config-if)#switchport private-vlan mapping 300 100,200
SW2(config-if)#

Nothing going on here either, so I configured it back to a Routed Port with its IP Address set.

So I finally found the issue – the Hosts need a gateway in the Primary Private VLAN’s subnet, and the easy way to get one is an SVI for the Primary VLAN

Because the regular VLANs the hosts used to live in (10 and 20) lost all their ports once hit with Private-VLAN configs, their SVIs went down and their gateways with them. The whole Private VLAN domain is one subnet, the Primary VLAN’s, so the gateway has to be in it: either an SVI on the Primary VLAN (what I do here, mapped to the Secondary VLANs so it acts as the Promiscuous Port), or the remote Layer 3 Gateway’s own address reached through the physical Promiscuous Port. I create the SVI with an IP Address on the same subnet as my remote Layer 3 Gateway:

SW1(config)#int vlan 300
SW1(config-if)#
*Mar 1 05:52:02.589: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan300, changed state to up
SW1(config-if)#ip add 10.10.10.1 255.255.255.0

SW1(config-if)#private-vlan ?
mapping Set the private VLAN SVI interface mapping

SW1(config-if)#private-vlan mapping ?
WORD Secondary VLAN IDs of the private VLAN SVI interface mapping
add Add a VLAN to private VLAN list
remove Remove a VLAN from private VLAN list

SW1(config-if)#private-vlan mapping 100,200 ?
<cr>

SW1(config-if)#private-vlan mapping 100,200
SW1(config-if)#
*Mar 1 05:53:10.042: %PV-6-PV_MSG: Created a private vlan mapping, Primary 300, Secondary 100
*Mar 1 05:53:10.051: %PV-6-PV_MSG: Created a private vlan mapping, Primary 300, Secondary 200
SW1(config-if)#

Jumped over to SW2 to update EIGRP to include the 10.10.10.0/24 network; haven’t got EIGRP back up yet, but can now ping across the link:

SW1#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/8 ms
SW1#

I got it.

I completely forgot to add the new network to SW1 EIGRP config as well:

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#router eigrp 1
SW1(config-router)#network 10.10.10.0 0.0.0.255
SW1(config-router)#
*Mar 1 06:04:53.284: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.10.10.2 (Vlan300) is up: new adjacency
SW1(config-router)#

Immediately back in business!

Things are looking much better, though I’m not quite sure yet what “right” looks like.

Got a bit more in the IP Route table on SW1 now (reconfigured the default route):

SW1#sh ip route
(Codes redacted)

Gateway of last resort is 10.10.10.2 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.10.10.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, Vlan300
L 10.10.10.1/32 is directly connected, Vlan300
100.0.0.0/24 is subnetted, 1 subnets
D 100.100.100.0 [90/130816] via 10.10.10.2, 00:01:22, Vlan300
SW1#

That Loopback IP shows me we are in business, but I would like to verify that Isolated Hosts can still communicate with the Promiscuous Port, and I’m not quite sure how to go about doing that.

I think the answer has to be creating additional SVI interfaces for the Secondary VLANs, because I can’t imagine routing is going to occur with no SVI for the Private VLAN, hmm.

Pings from Host A to either side of the Promiscuous Port:

HostA#ping 10.10.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
HostA#ping 10.10.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
HostA#

So the way I see it, for IP Routing to occur, each of those Private VLANs must require an SVI.

Nope: adding a secondary SVI for VLAN 100 with a new IP Address caused the Promiscuous Port to go down and changed the IP Address on VLAN 300. Secondary VLANs are not meant to have SVIs of their own; the Primary VLAN’s SVI, with its private-vlan mapping, is the routed interface for every Secondary VLAN mapped to it, so it is kind of like how making a change to a Port-Channel changes the bundled Ports in it… kind of.

An explanation to the long bout of troubleshooting I did below – Good to know!

First of all, a huge sigh of relief when I finally saw this:

HostA#ping 100.100.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
HostA#

So while I was configuring the interfaces into their new Private VLANs, it was taking down the original VLANs they were members of, hence taking down their SVIs / Gateways that routed traffic out of their subnets, which I had just assumed the Private VLAN would take over.

Once I configured the Primary VLAN SVI Interface 300 and got the messages saying the Secondary VLANs were now mapped, I didn’t realize it was now the only gateway available to those hosts (so they need to be in its subnet, 10.10.10.0/24).

So the fix for this was to re-address the hosts into the 10.10.10.0/24 subnet shared by SVI 300 and SW2’s Routed Port, with SVI 300 as their default gateway; then my traffic reached SW2, which was my Layer 3 gateway, and it routed me on to 100.100.100.1.

So the configuration was correct, I was just missing the SVI / Primary VLAN logic, and spent a LOT of time staring at debugs and configs trying to figure it out!

I do feel vindicated that my configuration was solid, however seeing the SVIs for the hosts’ subnets going down should have sent up red flags; that’s what happens when you study for way too long I guess 🙂

So I simply needed to realize the only SVI active was 300, adjust host IP addresses to be in that subnet, and pings started flying around – Sometimes it’s the simplest things!
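Pulling the whole lab together, here is an added example (my own script, not code from the original post or from Cisco) that audits a Catalyst running-config fragment for the exact mistakes this lab ran into: VTP not in transparent/off mode, a Secondary VLAN without a Primary association, a Host or Promiscuous Port mapped to a VLAN that is not a Secondary of its Primary, an SVI on a Secondary VLAN, and hosts addressed outside the Primary VLAN’s subnet. The config text and the host address table are constructed to mirror SW1 (primary 300, community 100, isolated 200, SVI 300 at 10.10.10.1/24), with Host C deliberately left at its old 10.0.20.1 address so the addressing check has something to catch; only the commands used in this post are parsed.

```python
"""Audit a Catalyst running-config fragment for the private-VLAN mistakes hit in this lab.

Added example, not code from the post. CONFIG and HOSTS are constructed to mirror
SW1 (primary 300, community 100, isolated 200, SVI 300 as gateway); Host C is left
at its old address on purpose. Only the commands used in the post are parsed.
"""
import ipaddress
import re

CONFIG = """\
vtp mode transparent
vlan 100
 private-vlan community
vlan 200
 private-vlan isolated
vlan 300
 private-vlan primary
 private-vlan association 100,200
interface FastEthernet1/0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 300 100
interface FastEthernet1/0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 300 200
interface FastEthernet1/0/12
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 300 100,200
interface Vlan300
 ip address 10.10.10.1 255.255.255.0
 private-vlan mapping 100,200
"""

# Constructed host table: switchport -> address the attached host was given.
HOSTS = {"FastEthernet1/0/1": "10.10.10.11", "FastEthernet1/0/3": "10.0.20.1"}


def vlan_ids(text):
    """Expand an IOS VLAN list such as '100,200' or '100-102' into a set of ints."""
    ids = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def _new():
    return {"type": "normal", "assoc": set(), "mode": None,
            "primary": None, "secondaries": set(), "ip": None, "map": set()}


def parse(config):
    """Walk the config line by line, keeping the current 'vlan' / 'interface' context."""
    vlans, ports, svis, vtp, ctx = {}, {}, {}, None, _new()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"vtp mode (\S+)", line):
            vtp = m.group(1)
        elif m := re.match(r"vlan (\d+)$", line):
            ctx = vlans.setdefault(int(m.group(1)), _new())
        elif m := re.match(r"interface [Vv]lan(\d+)$", line):
            ctx = svis.setdefault(int(m.group(1)), _new())
        elif m := re.match(r"interface (\S+)", line):
            ctx = ports.setdefault(m.group(1), _new())
        elif m := re.match(r"private-vlan (primary|community|isolated)$", line):
            ctx["type"] = m.group(1)
        elif m := re.match(r"private-vlan association (?:add )?(\S+)", line):
            ctx["assoc"] |= vlan_ids(m.group(1))
        elif m := re.match(r"switchport mode private-vlan (host|promiscuous)", line):
            ctx["mode"] = m.group(1)
        elif m := re.match(r"switchport private-vlan (?:host-association|mapping) (\d+) (?:add )?(\S+)", line):
            ctx["primary"], ctx["secondaries"] = int(m.group(1)), ctx["secondaries"] | vlan_ids(m.group(2))
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            ctx["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"private-vlan mapping (?:add )?(\S+)", line):  # SVI form: no primary given
            ctx["map"] |= vlan_ids(m.group(1))
    return vlans, ports, svis, vtp


def audit(config, hosts):
    """Return a list of findings; an empty list means the PVLAN domain is coherent."""
    vlans, ports, svis, vtp = parse(config)
    out = []
    if vtp not in ("transparent", "off"):
        out.append("VTP is not transparent/off; private-vlan commands are rejected")
    parent = {}                                      # secondary VLAN -> its primary
    for p, d in vlans.items():
        if d["type"] != "primary":
            continue
        isolated = [s for s in d["assoc"] if vlans.get(s, _new())["type"] == "isolated"]
        if len(isolated) > 1:                        # Cisco allows one isolated VLAN per primary
            out.append(f"primary {p} associates more than one isolated VLAN {sorted(isolated)}")
        for s in d["assoc"]:
            if vlans.get(s, _new())["type"] not in ("community", "isolated"):
                out.append(f"primary {p} associates {s}, which is not a secondary VLAN")
            elif s in parent:
                out.append(f"secondary {s} is associated with two primaries ({parent[s]}, {p})")
            else:
                parent[s] = p
    for v, d in vlans.items():
        if d["type"] in ("community", "isolated") and v not in parent:
            out.append(f"secondary {v} is not associated with any primary")
    for name, d in ports.items():
        if d["mode"] is None:
            continue
        if d["mode"] == "host" and len(d["secondaries"]) != 1:
            out.append(f"{name}: a host port needs exactly one secondary VLAN")
        for s in d["secondaries"]:
            if parent.get(s) != d["primary"]:
                out.append(f"{name}: {s} is not a secondary of primary {d['primary']}")
    for v, d in svis.items():
        if v in parent:
            out.append(f"interface Vlan{v}: SVIs on secondary VLANs are not supported")
        for s in d["map"]:
            if parent.get(s) != v:
                out.append(f"interface Vlan{v}: mapped {s} is not a secondary of {v}")
    # The lab's real lesson: hosts, SVI and gateway all share the PRIMARY VLAN's subnet.
    for name, addr in hosts.items():
        d = ports.get(name)
        if not d or d["mode"] != "host":
            continue
        gw = svis.get(d["primary"], _new())["ip"]
        if gw is not None and ipaddress.IPv4Address(addr) not in gw.network:
            out.append(f"{name}: {addr} is outside primary VLAN {d['primary']} subnet {gw.network}")
        elif gw is None and not any(p["mode"] == "promiscuous" and d["secondaries"] <= p["secondaries"]
                                    for p in ports.values()):
            out.append(f"{name}: no gateway: no SVI on primary {d['primary']} and no promiscuous port maps its secondary")
    return out


if __name__ == "__main__":
    for finding in audit(CONFIG, HOSTS) or ["no findings"]:
        print(finding)
```

Run against the constructed config it reports exactly one finding, Host C’s stale 10.0.20.1 address, which is the symptom that ate most of the troubleshooting time above; deleting the “private-vlan association” line from the text reproduces the unassociated-secondary and bad-mapping findings instead. In a real audit the config text would come from “show running-config” on each switch, since VTP v1/v2 gives no guarantee the Private VLAN definitions match across the trunk.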
