Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
381
Views
0
Helpful
0
Replies

Private VLAN's interaction with ESXi and firewall

Alexander Samuelsson
Level 1
Level 1

‎01-26-2023 03:24 AM

I have a SG350 switch between a ESXi host and a PaloAlto firewall.

I'm trying to use private-vlan but I cant get any traffic to work between them.

Topology:
ESXi - SG350 - Firewall(gateway)

The configuration in short looks like this:
ESXi;

private vlan in DVS - 302 Primary vlan, 702 Isolated


DP-VM - Isolated 302,702

DVS-uplink - Trunk 0-4094

 

SG350;

Interface vlan 302

private-vlan primary

private-vlan association add 702

Interface vlan 702

private-vlan isolated

GE1-3(connection to ESXi 3 different host NICs)

Switchport mode trunk

Switchport trunk allowed vlan all

TGE1(connection to firewall)

Switchport mode private-vlan promiscuous

switchport private-vlan mapping 302 add 702

 

The port in the firewall has subinterfaces with subnets + tags.

 

Since ESXi and SG350 are both private-vlan aware it should work with regular trunks between those but PaloAlto are not, thats why I have to use a promiscuous port.

Is this a correct understanding? Why doesnt it work?

I dont have any VTP commands in the SG350 switch cli, it seems to use GVRP instead. Should that be enabled or not?

Is there something else in a SG350 that has to be disabled/enabled in order for private-vlan to work?

 

Br,

Alex

Labels:
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card