
Private VLAN help

Brian M

Ok, this is my first private VLAN and maybe I am not getting the concept here but my isolated port cannot ping the IP address of the Primary VLAN interface.

How do you route Isolated ports? Do I have to configure a port as a L2 promiscuous and attach a router there?


vlan 100
 private-vlan primary
 private-vlan association 101

vlan 101
 private-vlan isolated

interface GigabitEthernet0/4
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host

interface Vlan100
 ip address
 private-vlan mapping 101




Your private VLAN config is perfect. I don't see any issues. Are you able to ping the SVI from the switch?


Hi Brian,

Your private-vlan config seems to me OK.

There may be some other reason why you can't ping your primary vlan interface.

Did you put the ip address of interface Vlan100 into your pc as the default gateway address?

Is interface Gig0/4 a layer 2 port? Is it up up?

Can you ping interface Vlan100 from a PC that connects directly into a port assigned to vlan 100?

Just some ideas for troubleshooting.



GIG0/4 is a layer 2 port and it is up. I can only ping vlan 100 (from a PC in VLAN100) when I remove the private mapping from the SVI. The switch works fine in a standard VLAN setup but only works in private-vlan when I create a promiscuous port to a separate router. Here is more info that hopefully helps.

Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(44)SE1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 07-Mar-08 00:10 by weiliu
Image text-base: 0x00003000, data-base: 0x01900000

HOUDMZ-01#sho int gig 0/4 swi
Name: Gi0/4
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 100 (DMZ_PRIMARY) 101 (DMZ_ISOLATED)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan:
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

HOUDMZ-01#sho int private-vlan map
Interface Secondary VLAN Type
--------- -------------- -----------------
vlan100   101            isolated
vlan100   102            community

As soon as I posted my last response I turned on IP Routing and voila.

This is kind of baffling though. Even though I have no problem leaving IP Routing enabled, should it work just fine without it, being that I wasn't crossing VLAN boundaries and just trying to ping an IP address within my own VLAN?

Who knows, maybe there's some secret logical madness Cisco has when it comes to private-vlans.

Thanks for all the help!!
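Added example, not part of any post in this thread: a small Python check that parses an IOS-style configuration and verifies the private-VLAN pieces discussed above agree with each other (primary/secondary types, association, host-association, SVI mapping). The function name, the finding strings and the sample text are constructed here; the final `ip routing` check encodes only what this thread observed on a 3560 running 12.2(44)SE1, not a documented rule.

```python
import re

# Constructed sample: the config from the first post, with no 'ip routing' line.
THREAD_CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
interface GigabitEthernet0/4
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
interface Vlan100
 private-vlan mapping 101
"""

def lint_pvlan(config):
    """Return findings; empty list = checks passed. Comma lists only, no ranges."""
    vlans, svis, ports, cur, routing = {}, {}, {}, {}, False
    for line in (l.strip() for l in config.splitlines()):
        if line == "ip routing":
            routing = True
        elif m := re.fullmatch(r"vlan (\d+)", line):
            cur = vlans.setdefault(int(m[1]), {})
        elif m := re.fullmatch(r"interface Vlan(\d+)", line):
            cur = svis.setdefault(int(m[1]), {})
        elif m := re.fullmatch(r"interface (\S+)", line):
            cur = ports.setdefault(m[1], {})
        elif m := re.fullmatch(r"private-vlan (primary|isolated|community)", line):
            cur["type"] = m[1]
        elif m := re.fullmatch(r"private-vlan (association|mapping) (\d+(?:,\d+)*)", line):
            cur[m[1]] = {int(x) for x in m[2].split(",")}
        elif m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line):
            cur["host"] = (int(m[1]), int(m[2]))
    out = []
    # Only ports that carry a host-association are checked.
    for name, (pri, sec) in [(n, p["host"]) for n, p in ports.items() if "host" in p]:
        if vlans.get(pri, {}).get("type") != "primary":
            out.append(f"{name}: vlan {pri} is not a private-vlan primary")
        if vlans.get(sec, {}).get("type") not in ("isolated", "community"):
            out.append(f"{name}: vlan {sec} is not an isolated/community vlan")
        if sec not in vlans.get(pri, {}).get("association", ()):
            out.append(f"{name}: vlan {sec} not associated with primary {pri}")
        if pri in svis and sec not in svis[pri].get("mapping", ()):
            out.append(f"{name}: vlan {sec} not mapped on interface Vlan{pri}")
    if not routing and any(s.get("mapping") for s in svis.values()):
        out.append("SVI has private-vlan mapping but 'ip routing' is absent")
    return out

print("\n".join(lint_pvlan(THREAD_CONFIG)))
```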
