Solved: Private VLAN Multiple Promiscuous Ports Mapping to Different Community VLANs?

TylerPereira9835 · ‎05-29-2020

Hello,

Is it possible in a Private VLAN to have multiple promiscuous ports in the Primary VLAN map to separate Community VLANs? I would like each individual promiscuous port to communicate with only 1 specific Community VLAN and the Isolated VLAN in the Private VLAN configuration. Below is an image of the configuration I am try to accomplish.

Using GNS3 I have a simulated configuration that I think should work but I am finding that both promiscuous ports can ping the machines in both Community VLANS 21 and 11. Below is the configuration I am running in the simulated environment.

Show Private VLAN (Promiscuous Ports are Gi0/1 & Gi02 )

Switch#sh vlan private

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      3         isolated          Gi0/0, Gi0/1, Gi0/2
10      11        community         Gi0/2, Gi1/0
10      21        community         Gi0/1, Gi0/3

vlan 3
  private-vlan isolated
!
vlan 10
  private-vlan primary
  private-vlan association 3,11,21
!
vlan 11
  private-vlan community
!
vlan 21
  private-vlan community
!

!
interface GigabitEthernet0/0
 switchport private-vlan host-association 10 3
 switchport mode private-vlan host
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 switchport private-vlan mapping 10 3,21
 switchport mode private-vlan promiscuous
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 switchport private-vlan mapping 10 3,11
 switchport mode private-vlan promiscuous
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/3
 switchport private-vlan host-association 10 21
 switchport mode private-vlan host
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/0
 switchport private-vlan host-association 10 11
 switchport mode private-vlan host
 media-type rj45
 negotiation auto
!

Switch#sh int status

Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/0                        connected    10,3       a-full   auto RJ45
Gi0/1                        connected    10         a-full   auto RJ45
Gi0/2                        connected    10         a-full   auto RJ45
Gi0/3                        connected    10,21      a-full   auto RJ45
Gi1/0                        connected    10,11      a-full   auto RJ45

Thanks for any feedback!

paul driver · ‎06-11-2020

Hello
Your configuration looks fine and just to confirm my understanding is the promiscuous ports should only communicate with their associated host mappings, infact i should be able to lab this up on real hardware myself - ill get back to you

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

paul driver · ‎06-11-2020

Hello

Please review attached file which shows that promiscuous port only should reached there related hots mapping.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

Georg Pauwen · ‎05-29-2020

Hello,

I remember running into this issue a while ago. GNS3 does support the configuration, but private Vlans don't work. It seems to be a bug in GNS3...

paul driver · ‎06-01-2020

Hello

@TylerPereira9835 wrote:

Hello,

Is it possible in a Private VLAN to have multiple promiscuous ports in the Primary VLAN map to separate Community VLANs? I would like each individual promiscuous port to communicate with only 1 specific Community VLAN and the Isolated VLAN in the Private VLAN configuration. Below is an image of the configuration I am try to accomplish.

Just to confirm - Yes it is.
What you are experiencing here is possible a bug in the simulation vm software for the switch (GNS3 or VIRL), On real hardware this should work accordingly.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

TylerPereira9835 · ‎06-02-2020

Thanks for the quick responses. I was able to finally test this out on real hardware. I am using a Catalyst 3650 switch running iOS XE 16.3. Unfortunately I am still seeing the same issue using the same configuration I have posted in this thread. The promiscuous ports assigned are able to ping all community ports in the private vlan instead of the single community port that is assigned to it. Is there a specific command that I am missing to assign/map the promiscuous port to a specific community vlan?

paul driver · ‎06-11-2020

Hello
Your configuration looks fine and just to confirm my understanding is the promiscuous ports should only communicate with their associated host mappings, infact i should be able to lab this up on real hardware myself - ill get back to you

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

paul driver · ‎06-11-2020

Hello

Please review attached file which shows that promiscuous port only should reached there related hots mapping.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul