10-22-2014 03:01 PM - edited 03-01-2019 07:41 AM
We have a couple of 6800IA devices connected to a 6880 switch. There will be several end hosts connected to the IAs and we need to configure private isolated ports for some of those hosts. A firewall pair is also connected to the 6880.
Our plan is to configure the 6880 ports to the firewall pair as pvlan promiscuous ports, and the 6800IA ports as pvlan isolated ports. When we do this, a host on one of the isolated ports can ping a host on another isolated port. This is not supposed to happen in the pvlan world.
Here is the configuration:
vlan 300
name DMZ-Outside-Primary
private-vlan primary
private-vlan association 301
!
vlan 301
name DMZ-Outside-Isolated
private-vlan isolated
interface TenGigabitEthernet1/5/1
description uplink to firewall A E0/8
switchport
switchport private-vlan mapping 300 301
switchport mode private-vlan promiscuous
end
interface TenGigabitEthernet2/5/1
description uplink to firewall B E0/8
switchport
switchport private-vlan mapping 300 301
switchport mode private-vlan promiscuous
end
interface GigabitEthernet101/1/0/47
switchport
switchport trunk allowed vlan 1
switchport private-vlan host-association 300 301
switchport mode private-vlan host
end
interface GigabitEthernet101/1/0/48
switchport
switchport trunk allowed vlan 1
switchport private-vlan mapping 300 301
switchport mode private-vlan host
spanning-tree portfast edge
end
Any idea why the two isolated hosts can ping each other?
10-23-2014 12:41 AM
Hi,
I think you can change the configuration like this to solve the problem, considering that hosts in the same isolated VLAN should not reach each other!
vlan 300
name DMZ-Outside-Primary
private-vlan primary
private-vlan association 301 302
!
vlan 301
name DMZ-Outside-Isolated1
private-vlan isolated
!
vlan 302
name DMZ-Outside-Isolated2
private-vlan isolated
interface TenGigabitEthernet1/5/1
description uplink to firewall A E0/8
switchport
switchport private-vlan mapping 300 301 302
switchport mode private-vlan promiscuous
end
interface TenGigabitEthernet2/5/1
description uplink to firewall B E0/8
switchport
switchport private-vlan mapping 300 301 302
switchport mode private-vlan promiscuous
end
interface GigabitEthernet101/1/0/47
switchport
switchport trunk allowed vlan 1
switchport private-vlan host-association 300 301
switchport mode private-vlan host
end
interface GigabitEthernet101/1/0/48
switchport
switchport trunk allowed vlan 1
switchport private-vlan mapping 300 302
switchport mode private-vlan host
spanning-tree portfast edge
end
HTH
Houtan
10-23-2014 07:39 AM
I was under the impression that you can only have one isolated vlan in a primary vlan.
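Added example, not from this thread or from Cisco: a small Python lint that applies the two rules the thread turns on to an IOS-style config. On Cisco IOS, `switchport private-vlan host-association` is the command that makes a host-mode port an isolated or community port, while `switchport private-vlan mapping` configures a promiscuous port; and a primary VLAN may be associated with at most one isolated VLAN (any number of community VLANs). The two sample configs are constructed from the fragments posted above, trimmed to the lines the checks look at. Run on the original fragment it flags GigabitEthernet101/1/0/48, which is in host mode but carries a mapping instead of a host-association, so it is not an isolated port at all; that is the first thing to check before changing the VLAN design. Run on the two-isolated-VLAN variant it also flags vlan 300.

```python
"""Static lint of IOS-style private-VLAN configuration (added example)."""
import re

# Constructed sample: the 6880 / 6800IA fragment from the question, reduced
# to the vlan and interface lines that the checks below read.
ORIGINAL_CONFIG = """\
vlan 300
 name DMZ-Outside-Primary
 private-vlan primary
 private-vlan association 301
!
vlan 301
 name DMZ-Outside-Isolated
 private-vlan isolated
!
interface TenGigabitEthernet1/5/1
 switchport private-vlan mapping 300 301
 switchport mode private-vlan promiscuous
!
interface GigabitEthernet101/1/0/47
 switchport private-vlan host-association 300 301
 switchport mode private-vlan host
!
interface GigabitEthernet101/1/0/48
 switchport private-vlan mapping 300 301
 switchport mode private-vlan host
!
"""

# Constructed sample: the two-isolated-VLAN variant proposed in the reply.
TWO_ISOLATED_CONFIG = ORIGINAL_CONFIG.replace(
    "private-vlan association 301", "private-vlan association 301 302"
).replace("!\ninterface Ten", "vlan 302\n private-vlan isolated\n!\ninterface Ten")


def _ids(tokens):
    """Expand '301 302', '301,302' or '301-302' into a list of VLAN ids."""
    out = []
    for tok in re.split(r"[\s,]+", " ".join(tokens)):
        if re.fullmatch(r"\d+-\d+", tok):
            lo, hi = tok.split("-")
            out.extend(range(int(lo), int(hi) + 1))
        elif tok.isdigit():
            out.append(int(tok))
    return out


def parse_config(text):
    """Collect vlan blocks (type, associations) and port blocks (mode, PVLAN commands)."""
    vlans, ports, block = {}, {}, None
    for raw in text.splitlines():
        words = raw.strip().split()
        if not words or words[0] == "!":
            continue
        if words[0] == "vlan" and len(words) == 2 and words[1].isdigit():
            block = vlans.setdefault(int(words[1]), {"type": None, "assoc": []})
        elif words[0] == "interface":
            block = ports.setdefault(words[1], {"mode": None, "host_assoc": None, "mapping": None})
        elif block is None:
            continue
        elif words[0] == "private-vlan":                      # inside a vlan block
            if words[1] == "association":
                block["assoc"] = _ids(words[2:])
            else:
                block["type"] = words[1]                      # primary | isolated | community
        elif words[:3] == ["switchport", "mode", "private-vlan"]:
            block["mode"] = words[3]                          # host | promiscuous
        elif words[:3] == ["switchport", "private-vlan", "host-association"]:
            block["host_assoc"] = (int(words[3]), int(words[4]))
        elif words[:3] == ["switchport", "private-vlan", "mapping"]:
            block["mapping"] = (int(words[3]), _ids(words[4:]))
    return vlans, ports


def lint(text):
    """Return (object, problem) pairs for every PVLAN inconsistency found."""
    vlans, ports = parse_config(text)
    findings = []
    secondaries = {v for v, d in vlans.items() if d["type"] in ("isolated", "community")}
    for vid, d in vlans.items():
        if d["type"] != "primary":
            continue
        for s in d["assoc"]:
            if s not in secondaries:
                findings.append((f"vlan {vid}", f"associated VLAN {s} is not declared isolated/community"))
        isolated = [s for s in d["assoc"] if vlans.get(s, {}).get("type") == "isolated"]
        if len(isolated) > 1:
            findings.append((f"vlan {vid}", f"{len(isolated)} isolated VLANs {isolated}; a primary may carry only one"))
    for name, p in ports.items():
        assoc_of = lambda prim: vlans.get(prim, {"assoc": []})["assoc"]
        if p["mode"] == "host":
            if p["host_assoc"] is None:
                why = "uses 'mapping' (a promiscuous-port command)" if p["mapping"] else "has no host-association"
                findings.append((name, f"host-mode port {why}; it is not an isolated/community port"))
            elif p["host_assoc"][1] not in assoc_of(p["host_assoc"][0]):
                findings.append((name, f"host-association {p['host_assoc']} does not match the VLAN definitions"))
        elif p["mode"] == "promiscuous":
            if p["mapping"] is None:
                findings.append((name, "promiscuous port has no private-vlan mapping"))
            else:
                missing = [s for s in p["mapping"][1] if s not in assoc_of(p["mapping"][0])]
                if missing:
                    findings.append((name, f"mapping lists secondaries {missing} not associated with the primary"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("two isolated", TWO_ISOLATED_CONFIG)):
        print(f"== {label} ==")
        for obj, problem in lint(cfg):
            print(f"{obj}: {problem}")
```

The parser only understands the handful of commands used in the thread (it ignores `add`/`remove` forms of the association list beyond the numeric tokens), so treat it as a quick consistency check on pasted config, not as a replacement for `show vlan private-vlan` and `show interfaces switchport` on the box.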