Hello,

The configuration looks good to me as well.

1- VTP should be configured as Transparent mode brefore we create the privatre lvans.

Yes unless VTPv3 is configured. With VTPv3, Private VLANs can be used just fine. VTPv3 is capable of advertising Private VLANs, their types and associations.

2- My opinion would be to create the Primary vlan first followed by secondary and isolated.

As far as I recall, this would not work. In the definition of the primary PVLAN, you have to refer to secondary VLANs that map to the primary PVLAN, and these secondary PVLANs must be created first. Otherwise, the private-vlan association command will be rejected:

SW-Dist1(config-vlan)#private-vlan association 555

%Command rejected: invalid private vlan association between vlan666 and vlan555. VLAN 555 data is not available.

SW-Dist1(config-vlan)#

3- once done Just check the vlan mapping to confirm by issueing command: show interface private-vlan mapping.

Good command; I didn't know that one. And of course, show vlan private-vlan is also useful.

Best regards,

Peter

Hello,

I must of done something wrong guys.  I put 2 PC's into the community ports and they cannot ping each other or the local router, and a PC can't ping the router either when in an isolated port.  I've attach the config to the first post.

When creating these new private VLANs do I need to create them as SVIs?  As I use just VLAN10 I wasn't sure if these additional private VLANs need to be treated as if I am just adding a new VLAN.

Thanks

Andy,

You have multiple post open for the same query!

https://supportforums.cisco.com/thread/2205007

https://supportforums.cisco.com/thread/2205689

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

My apologies, I thought that was on the Cisco learning forum not this one, please use this one. 

Andy,

You have two PVLAN Primarys specified

also your ports dont are not PVLAN host mode.

switchport private-vlan host-association 100 101

switchport mode private-vlan host

switchport private-vlan host-association 100 102

switchport mode private-vlan host

interface FastEthernet0/10

description isolated ports

switchport access vlan 10

switchport private-vlan host-association 100 102

switchport mode access

spanning-tree portfast

spanning-tree bpduguard enable

!

interface FastEthernet0/11

description community ports

switchport access vlan 10

switchport private-vlan host-association 100 101

switchport mode access

spanning-tree portfast

spanning-tree bpduguard enable

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Paul,

Let me try this.  The other private vlan was an old one I was trying with, eventhough it isn't inuse will it cause an issue, as ther can be only 1 private VLAN?

As 2 new VLANs are required (100 102), do these need to be treated as SVIs too?

Thanks

Hello Andy

No svi required, not unless you wish communication between multiple community vlans

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Thanks and just so I know, you mentioned I have 2 private VLANs, one I haven't removed from the config yet (VLAN 200), but will it cause an issue being on there as it isn't being used?

Regards

Andy

Hello,

VLAN 200), but will it cause an issue being on there as it isn't being used? = NO it wont but remove it or remove the Pvlan status  when you can as you are only allowed one PVLAN primary.

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

I've added the "switchport mode private-vlan host" command to the ports which will have the hosts attached, for the server and router I guess I just need "switchport mode private-vlan promiscuous"?

3560-01#sh vlan private-vlan

Primary Secondary Type              Ports

------- --------- ----------------- ------------------------------------------

100     101       community

100     102       isolated

3560-01#show interface private-vlan mapping

Interface Secondary VLAN Type

--------- -------------- -----------------

3560-01#

Thanks

Hello Andy,

Yes, switch ports facing server and router will be in "switchport mode private-vlan promiscuous" state.

Also I saw in your configuration almost all switch ports in access vlan 10, you should delete this command. When you apply ->

switchport private-vlan host-association 100 102 or 101

switchport mode private-vlan host

switch ports are either in vlan 102 or 101.

Best Regards

Please rate all helpful posts and close solved questions

The network was just a single VLAN (10) before I needed to introduce private VLANs to secure the single VLAN.  I thought VLAN 10 would remain and private VLANs just worked within this VLAN?  If I want to keep VLAN 10 as the main VLAN would I just make the primary private VLAN 10, that way I can keep the SVI as it is?

I noticed the show commands list no ports in either community or isolated, which I thinks relates to this vlan 10 issue on ports.

Regards

Hello andy
that is correct . No need to configure the svi whatsoever unless you want connection between multiple plvans secondary's

Apologies but I cannot see your config as I am on an iPad and it won't open your attachment

Res
paul

Sent from Cisco Technical Support iPad App