Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1795
Views
0
Helpful
5
Replies

Private VLAN routing

Kenneth Goh
Level 1
Level 1

‎12-06-2017 04:41 AM - edited ‎02-21-2020 06:54 AM

Please help as I am trying to understand what kind of layer 3 traffic are process, since Isolated vlan hosts only talk to Promiscuous port and hosts within a community vlan (do not talk to hosts in other community vlan) but can talk to each other and Promiscuous port. I can't see where inter-vlan routing is required here?

 

From what I read, to allow Layer 3 processing of private VLAN ingress traffic, VLAN interface of a primary VLAN. Isolated and community VLANs secondary VLANs can be mapped to the L3 interface (VLAN network interface of a primary VLAN). 

 

 

 

0 Helpful
5 Replies 5

Flavio Miranda
VIP
VIP

‎12-06-2017 05:15 AM

Hi @Kenneth Goh

 

 Promiscuous ports can talk with Layer 3 gateway, right? And with Isolated VLANs, correct? That´s where Inter-vlan routing comes in place. If you have inter-vlan routing on gateway then you can communicate through Layer 3 between hosts in Isolated vlans. Is that make sense?

 

 

-If I helped you somehow, please, rate it as useful.-

0 Helpful

Kenneth Goh
Level 1
Level 1
In response to Flavio Miranda

‎12-06-2017 05:40 AM

I notice my Windows endpoints connected to Isolated ports could still ping to host connected to Promiscuous port. All my Windows endpoints did not have default gateway configured. So I not sure where’s the L3 traffic?
0 Helpful

Flavio Miranda
VIP
VIP
In response to Kenneth Goh

‎12-06-2017 06:38 AM

On this specific situation this happen due layer e communication, I mean, when you ping the gateway from your Win machine it will send an ARP request asking who has the IP x.x.x.x. This arp request will get to your gateway through the promiscuous port and eventually the gateway will respond to it, thus allowing the communication.

 However, if you try to ping a different IP address in a different Vlan, for example, the communication will fail. On this case, the same ARP request will be sent but no one will reply to it, this, failing the communication.

 For this case, specifically, you need the Win machine to have a default gateway configured. So that, instead ARP request, the Win machine will send this to gateway. That´s why inter-vlan routing comes in place again.

 

-If I helped you somehow, please, rate it as useful.-

0 Helpful

Kenneth Goh
Level 1
Level 1
In response to Flavio Miranda

‎12-06-2017 06:12 PM

But private vlan is about having 1 same subnet for primary & secondary vlan. For routing to happen default gateway needs to be configured on the Win machine. But with or without default gateway on the 2 Win machine and with both connected to isolated port, they still cannot ping to each other but can still ping to promiscuous port which I think this is the correct behavior, so I am not sure is what layer 3 traffic are required?

I am also not sure when you mentioned with inter-vlan routing it allows communicate through Layer 3 between hosts in Isolated vlans. But only 1 isolated vlan is allow on a switch so each isolated hosts can only talk to promiscuous port only.

 

Router ---router Fa0/0 to access port (Promis port)--- Switch1----trunk----Switch2

0 Helpful

Kenneth Goh
Level 1
Level 1
In response to Flavio Miranda

‎12-08-2017 05:54 PM

To route Layer 3 traffic between isolated and community VLANs, you may connect a router to a promiscuous port.
Any example scenario on this?
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card