640 Views, 5 Helpful, 3 Replies

Private-VLAN Problem

cscomuhammad (Level 1)

Hello everyone

I have a problem running Private VLAN using the ASA Service Module and a Catalyst 6500 series switch.

Here is my scenario.

Running Private VLAN using VTP version 3 on the Cisco 6500 as a VTP server and creating the VLANs as shown below:

SW 6500:

firewall multiple-vlan-interfaces
firewall switch 1 module 1 vlan-group 1
firewall switch 2 module 1 vlan-group 1
firewall vlan-group 1 2-1001

vlan 128
 private-vlan primary
 private-vlan association 129,130
vlan 130
 private-vlan community
vlan 129
 private-vlan isolated

And the interface connected to the host on the access switch is configured as follows:

Access Switch:
interface GigabitEthernet2/0/1
 switchport private-vlan host-association 128 129
 switchport mode private-vlan host

When I create the primary SVI and then map the secondary VLANs on the Cisco 6500, everything is OK, but the problem starts when I create interface VLAN 128 on the ASASM: it seems they have no connectivity.

Does anyone know where my mistake is, or have a solution to this problem?

1 Accepted Solution

Does the 6500 SVI see the ASA SVI when the corresponding VLAN is not part of the private VLAN? I mean, have you configured the ASA correctly with a security level, and is ICMP allowed, to test?

3 Replies

Yes, I have multiple SVIs on the ASA and they are working properly. The problem starts when I want to use private VLAN (no connectivity).

Therefore, I've checked the ARP cache on the host and on the ASA, but there is nothing to display.
I know the ASA is working properly; is there any other configuration on the 6500 that I haven't done?

Hi,

It looks good to me. Here is an example. Connect a host to one of the 6500 ports and try to ping both the 6500 and the firewall.

6500

vlan 11
  private-vlan primary
  private-vlan association 12-14
!
vlan 12
  private-vlan isolated
!
vlan 13
  private-vlan community
!
vlan 14
  private-vlan community
!
interface Vlan11
 ip address 10.2.1.1 255.255.255.0
 private-vlan mapping 12-14

********************************
Firewall

interface Vlan11
 nameif inside
 security-level 100
 ip address 10.2.1.2 255.255.255.0

Allow ICMP (something like that):

icmp permit 10.2.1.0 255.255.255.0 inside

Hope it helps,

Masoud
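A way to check a private-VLAN configuration like the one in the question and in the reply above before blaming the firewall is to audit the three places that must agree: the primary VLAN's association list, the secondary VLAN declarations, the SVI's private-vlan mapping, and the access port's host-association. The script below is an added example, not code from the thread or from Cisco; it assumes IOS-style syntax exactly as shown in the posts, and the embedded configs are constructed from the question's snippets (with the original "comunity" spelling kept so the audit has something to report). It is offline and only parses text; nothing is sent to a device.

```python
import re
from collections import defaultdict

# Constructed sample, built from the question's 6500 snippet (spelling error kept on purpose).
SAMPLE_6500 = """
vlan 128
 private-vlan primary
 private-vlan association 129,130
vlan 130
 private-vlan comunity
vlan 129
 private-vlan isolated
interface Vlan128
 ip address 10.2.1.1 255.255.255.0
 private-vlan mapping 129,130
"""

# Constructed sample, built from the question's access-switch snippet.
SAMPLE_ACCESS = """
interface GigabitEthernet2/0/1
 switchport private-vlan host-association 128 129
 switchport mode private-vlan host
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '12-14,129,130' into a set of ints."""
    result = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            result.update(range(int(lo), int(hi) + 1))
        else:
            result.add(int(part))
    return result


def parse_blocks(config):
    """Split an IOS config into (header, [indented body lines]) sections."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] not in " \t":          # unindented line starts a new section
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
        else:
            body.append(raw.strip())
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit_pvlan(core_config, access_config):
    """Return a list of findings; an empty list means the PVLAN pieces agree."""
    findings = []
    roles = {}                  # vlan id -> primary | isolated | community
    assoc = defaultdict(set)    # primary vlan -> associated secondaries
    mapping = {}                # primary vlan -> secondaries mapped on its SVI

    for header, body in parse_blocks(core_config):
        m = re.match(r"vlan (\d+)$", header)
        if m:
            vid = int(m.group(1))
            for line in body:
                if line.startswith("private-vlan association "):
                    assoc[vid] |= expand_vlan_list(line.split(None, 2)[2])
                elif line.startswith("private-vlan "):
                    role = line.split()[1]
                    if role in ("primary", "isolated", "community"):
                        roles[vid] = role
                    else:   # IOS would reject this; a typo like 'comunity' lands here
                        findings.append(f"vlan {vid}: unknown private-vlan keyword '{role}'")
            continue
        m = re.match(r"interface Vlan(\d+)$", header, re.IGNORECASE)
        if m:
            vid = int(m.group(1))
            for line in body:
                if line.startswith("private-vlan mapping "):
                    mapping[vid] = expand_vlan_list(line.split(None, 2)[2])

    for primary, secondaries in assoc.items():
        if roles.get(primary) != "primary":
            findings.append(f"vlan {primary}: has an association but is not declared primary")
        for sec in sorted(secondaries):
            if roles.get(sec) not in ("isolated", "community"):
                findings.append(f"vlan {sec}: associated with {primary} but not declared isolated/community")
        if primary not in mapping:
            findings.append(f"interface Vlan{primary}: no private-vlan mapping for the secondaries")
        elif mapping[primary] != secondaries:
            findings.append(f"interface Vlan{primary}: mapping {sorted(mapping[primary])} "
                            f"differs from association {sorted(secondaries)}")

    for header, body in parse_blocks(access_config):
        if not header.startswith("interface "):
            continue
        mode_ok = "switchport mode private-vlan host" in body
        for line in body:
            m = re.match(r"switchport private-vlan host-association (\d+) (\d+)$", line)
            if m:
                primary, sec = int(m.group(1)), int(m.group(2))
                if sec not in assoc.get(primary, set()):
                    findings.append(f"{header}: host-association {primary} {sec} but "
                                    f"{sec} is not associated with {primary}")
                if not mode_ok:
                    findings.append(f"{header}: host-association without 'switchport mode private-vlan host'")
    return findings


if __name__ == "__main__":
    for finding in audit_pvlan(SAMPLE_6500, SAMPLE_ACCESS):
        print(finding)
```

Run against the constructed sample it reports the misspelled community keyword and, as a consequence, that VLAN 130 is associated with the primary without being a declared secondary; with the spelling corrected it reports nothing. The same check catches the two mistakes that most often look like "the firewall has no connectivity": a primary SVI with no private-vlan mapping, and a host port associated with a secondary VLAN that the primary does not list.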
