Re: N7K Private VLAN issue

msmyj · ‎10-15-2018

--I'm testing rolling out Private VLANs for isolation of servers in a DMZ. As an interim step I've created a couple of host ports on an isolated private VLAN and attached workstations to these interfaces on our N7K to check the set up. After configuration of the promiscuous ports, host ports and Prim/Secondary VLANs, these hosts can neither successfully ping the promiscuous trunk port to our firewall, nor can the firewall ping either host. Clearly, I've misconfigured something and the main odd thing I've found is that the Primary Private VLAN is administratively down and I can not change it to be administratively up...

Vlan170 is down (Administratively down), line protocol is down, autostate enabled
Hardware is EtherSVI, address is 18ef.63e9.9241
# conf t
(config)# int vlan 170
(config-if)# no shut
(config-if)# end
# sh int vlan 170
Vlan170 is down (Administratively down), line protocol is down, autostate enabled

--Looking at the configs for a host port, a promiscuous port, and VLANs...

# sh running-config interface ethernet 3/21

interface Ethernet3/21
switchport
switchport mode private-vlan host
spanning-tree bpduguard enable
switchport private-vlan host-association 170 171
no shutdown

# sh running-config interface ethernet 1/31

interface Ethernet1/31
switchport
switchport mode private-vlan trunk promiscuous
switchport private-vlan mapping 170 171
switchport private-vlan trunk allowed vlan 170-171
switchport private-vlan mapping trunk 170 171
no shutdown

# sh int private-vlan mapping
Interface Secondary VLAN Type
--------- -------------- -----------------
vlan170 171 isolated

# sh running-config vlan 170

vlan 170
private-vlan primary
private-vlan association 171

# sh running-config vlan 171

vlan 171
private-vlan isolated

--So I'm wondering what's keeping this from working as expected. Open to a healthy dose of criticism and/or helpful suggestions.

Francesco Molino · ‎10-17-2018

Hi

Can you share your config please and the version of nx-os you're running?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

msmyj · ‎10-18-2018

Hi Franceso,

We're running release 6.2 (10). Attached is a config with some details omitted.

Any suggestions appreciated.

Thanks,

-M

Francesco Molino · ‎10-22-2018

I didn't forget you. It's just I've lot of work these weeks. I'll come back asap

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

msmyj · ‎10-23-2018

Thank you Francesco. I know about having a too much work and too little time.

Francesco Molino · ‎10-26-2018

Your config looks like ok. I believe your firewall is attached to one of your promiscuous port?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

msmyj · ‎10-27-2018

Thanks for taking a look Francesco. Yes our Sonicwall is connected via 10GB fiber to our core on a promiscuous port. I cannot ping from the firewall to the isolated host port as I said. I found that the Private VLAN was down administratively and would not come up with a regular "no shutdown" command. After fixing that issue I could ping the VLAN gateway (172.17.3.254/22) successfully from both hosts. Neither host (172.17.3.1, 172.17.3.3) can ping the other in what is expected behavior in an the PVLAN. Unfortunately, neither host can ping the interface of the firewall (172.17.0.1).

I shut down one of the two promiscuous ports I had on the VLAN to simplify the config for testing. Next, I'm going to move a test workstation to the promiscuous port and see if I can ping it from one of the isolated VLAN test workstations to validate configurations and perhaps get an idea if the issue is with the firewall. It's possible, in my current understanding, that the Sonicwall simply can not deal with packets coming from a PVLAN. To be clear, networking works fine on several of the other 17 interfaces that connect to our core to the firewall so this is not an initial set up issue with this model firewall. We simply have not used PVLANs previously so getting these models to work together is the challenge.

Once I've done some further testing I'll update this ticket to keep you in the loop.