Private-Vlan SVI query

blue phoenix · ‎02-16-2017

Hi all,

PC1#sh run int e0/1

!

interface Ethernet0/1

no switchport

ip address 192.168.1.1 255.255.255.0

duplex auto

end

PC1#sh run all | i ip route

ip route-cache

ip route static adjust-time 60

ip route static inter-vrf

ip route 0.0.0.0 0.0.0.0 192.168.1.254

=================================

PC2#sh run int e0/2

!

interface Ethernet0/2

no switchport

ip address 192.168.1.2 255.255.255.0

duplex auto

end

PC2#sh run all | i ip route

ip route-cache

ip route static adjust-time 60

ip route static inter-vrf

ip route 0.0.0.0 0.0.0.0 192.168.1.254

=================================

Switch(config)#vtp mode transparent

Setting device to VTP Transparent mode for VLANS.

Switch(config)#vlan 20

Switch(config-vlan)#pri

Switch(config-vlan)#private-vlan pri

Switch(config-vlan)#private-vlan primary

Switch(config-vlan)#vlan 200

Switch(config-vlan)#pri

Switch(config-vlan)#private-vlan comm

Switch(config-vlan)#private-vlan community

Switch(config-vlan)#vlan 20

Switch(config-vlan)#private-vlan association 200

=================================

Switch(config)#int range e0/1 -2

Switch(config-if-range)#switchport private-vlan host-association 20 200

Switch(config-if-range)#switchport mode private-vlan host

=================================

Switch#sh vlan private-vlan

Primary Secondary Type Ports

------- --------- ----------------- ------------------------------------------

20 200 community Et0/1, Et0/2

=================================

PC1#ping 192.168.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 2/4/6 ms

PC1#sh ip arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 192.168.1.1 - aabb.cc00.0110 ARPA Ethernet0/1

Internet 192.168.1.2 0 aabb.cc00.0220 ARPA Ethernet0/1

PC2#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/7 ms

PC2#sh ip arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 192.168.1.1 0 aabb.cc00.0110 ARPA Ethernet0/2

Internet 192.168.1.2 - aabb.cc00.0220 ARPA Ethernet0/2

=================================

THERE ARE NO SVI's configured yet up to here!!!

=================================

NOW I will configure the SVI

=================================

Switch(config)#int vlan 20

Switch(config-if)#ip add

*Feb 16 10:55:59.980: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to down

Switch(config-if)#ip add 192.168.1.254 255.255.255.0

Switch(config-if)#no shut

Switch(config-if)#

*Feb 16 10:56:17.855: %LINK-3-UPDOWN: Interface Vlan20, changed state to up

*Feb 16 10:56:18.855: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up

=================================

NOW I will map the SVI to the private-vlan

=================================

Switch#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#int vlan 20

Switch(config-if)#private-vlan mapping 200

Switch(config-if)#

==================================

I CAN STILL PING FROM BOTH PC's

==================================

PC1#ping 192.168.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

PC1#sh ip arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 192.168.1.1 - aabb.cc00.0110 ARPA Ethernet0/1

Internet 192.168.1.2 0 aabb.cc00.0220 ARPA Ethernet0/1

PC2#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 6/7/8 ms

PC2#sh ip arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 192.168.1.1 0 aabb.cc00.0110 ARPA Ethernet0/2

Internet 192.168.1.2 - aabb.cc00.0220 ARPA Ethernet0/2

==================================

BUT PC's CAN'T PING their Gateways... and the switch can't ping the PC's, the arp table shows incomplete...

==================================

PC1#ping 192.168.1.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

PC1#sh ip arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 192.168.1.1 - aabb.cc00.0110 ARPA Ethernet0/1

Internet 192.168.1.2 0 aabb.cc00.0220 ARPA Ethernet0/1

Internet 192.168.1.254 0 Incomplete ARPA

PC2#ping 192.168.1.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

PC2#sh ip arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 192.168.1.1 0 aabb.cc00.0110 ARPA Ethernet0/2

Internet 192.168.1.2 - aabb.cc00.0220 ARPA Ethernet0/2

Internet 192.168.1.254 0 Incomplete ARPA

Switch#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

Switch#ping 192.168.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

Switch#sh ip arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 192.168.1.1 0 Incomplete ARPA

Internet 192.168.1.2 0 Incomplete ARPA

Internet 192.168.1.254 - aabb.cc80.0300 ARPA Vlan20

Switch#sh int vlan 20 pri

Switch#sh int vlan 20 private-vlan mapping

Interface Secondary VLANs

--------- --------------------------------------------------------------------

vlan20 200

Switch#sh ip int brie | ex unass

Interface IP-Address OK? Method Status Protocol

Vlan20 192.168.1.254 YES manual up up

Switch#ping 192.168.1.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/5 ms

==================================

DID I MISS A CONFIG HERE?

Can anyone test this on a live box since I am only using emulators for this IOL to be exact and maybe just maybe private-vlans with SVI's works with live boxes...

willwetherman · ‎02-16-2017

Hi,

I have consolidated and checked your configuration below and it is spot on. I suspect that the issue is with IOL. I have not used IOL before for labbing/testing so others may be able to share their experiences when configuring private VLANs under this platform.

vtp mode transparent
!
vlan 200
private-vlan community
!
vlan 20
private-vlan primary
private-vlan association 200
!
interface range eth0/1-2
switchport private-vlan host-association 20 200
switchport mode private-vlan host
!
interface Vlan20
ip address 192.168.1.254 255.255.255.0
private-vlan mapping 200

blue phoenix · ‎02-16-2017

Thanks for getting back... I have been banging my head on the table for 2 days now since I can't get a hold on our lab switch and the lab boys are not responding to my request :(.

Thanks for confirming since I exhausted all blogs/discussions/cisco forums and cisco documents and I can't seem to find anyting missing. But as you know I might so I have to ask this question.

Cheers,