Private vlan promiscuous port configuration on ISR 1100 series router

AlexW22 · ‎07-06-2023

I am trying to configure a couple community and isolated private vlans. Successfully specified the primary and secondary (community/isolated) vlans but when I want to specify the promiscuous port I simply don’t get the option to enter: switchport mode private-vlan promiscuous
My only options are switchport mode access | dynamic | trunk
What am I missing here?

I’ve looked at these 4 guides:
https://www.cisco.com/c/en/us/support/docs/lan-switching/private-vlans-pvlans-promiscuous-isolated-community/40781-194.html
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SXF/native/configuration/guide/swcg/pvlans.pdf
https://youtube.com/watch?v=xl3_zgaZuH8&feature=shareb
https://youtube.com/watch?v=Gpi_lunzsik&feature=shareb

To my knowledge the ISR should support this functionality but I might be wrong.
Thank you in advance for any advice!

MHM Cisco World · ‎07-06-2023

switchport mode private-vlan promiscuous <<- this config in SW toward router, you here config private in router itself so I dont think you will find this command in router.

AlexW22 · ‎07-06-2023

Thanks for your reply!

Isn't it weird that i can configure primary and secondary community/isolated vlans without being able to assign a promiscuous port on the router?

Would have liked to at least isolate a few switchports on this ISR to only access the internet and not the other connected hosts on the switch. Any suggestions in this regard?

MHM Cisco World · ‎07-06-2023

I check and indeed there is promiscuous port in Router (with ehter capability)
so
do
interface x/x
switchport <<- once without any other keyword
switchport ..........

try this way

AlexW22 · ‎07-06-2023

Thank you for your reply!
When doing this I get:

switchport
% incomplete command.

--------------------------------------

switchport ?
access Set access mode characteristics of the interface
autostate Include or exclude this port from vlan link up calculation
host Set port host
mode Set trunking mode of the interface
nonegotiate Device will not engage in negotiation protocol on this interface
port-security Security related command
priority Set appliance 802.1p priority
protected Configure an interface to be a protected port
trunk Set trunking characteristics of the interface
voice Voice appliance attributes

--------------------------------------

switchport mode private-vlan promiscuous
^
% Invalid input detected at '^' marker.

--------------------------------------

switchport mode ?
access Set trunking mode to ACCESS unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
trunk Set trunking mode to TRUNK unconditionally

MHM Cisco World · ‎07-08-2023

switchport mode access <<- add this
then check
switchport ?

KJK99 · ‎07-06-2023

@AlexW22

You may be missing the private-vlan association part. For example:

vlan 81
private-vlan isolated
vlan 80
private-vlan primary
private-vlan association add 81
interface fa0/24
switchport mode private-vlan promiscuous
switchport private-vlan mapping 80 81

Kris K

AlexW22 · ‎07-07-2023

Highly appreciate your answer!

I did make the association without the word "add" so I tried again but unfortunately without any luck. The situation is still unchanged.

When I run:
show vlan private-vlan

The primary and secondary vlans are listed but under type it lists "non-operational".
As mentioned before I am not able to assign a promiscuous port yet.

KJK99 · ‎07-07-2023

@AlexW22

Maybe you have some other commands there that affect the port mode. I have never tried to use a promiscuous port for Internet access. My promiscuous ports are very simple. I have servers connected to them.

Kris K

AlexW22 · ‎07-07-2023

I am starting to suspect that this feature of private-vlans is not supported on the ISR 1100 series. Weird that it lets you create a vlan and set it as a community/isolated private-vlan.

Wondering if I can work around this for the part of the network that I intended to be an isolated private-vlan. Assign a new vlan id to every switchport and attach all the ("isolated") vlans created to the ("promiscuous") port.

MHM Cisco World · ‎07-07-2023

give some time I need half day to be sure that this feature available or not in ISR

AlexW22 · ‎07-08-2023

Ok thank you! I am patiently awaiting your reply

MHM Cisco World · ‎07-08-2023

can you try
switchport access vlan x
then
switchport ? <<- check if the private vlan keyword appear
thanks and sorry for make you wait
MHM

AlexW22 · ‎07-08-2023

Thanks for the quick reply!
I tried switchport access vlan <primary>

Then when trying:
switchport mode ?

I still gett only the option for:
access | dynamic | trunk.

Were you able to find out if this feature is supported?

I think I simulate community private-vlan functionality with normal vlans. Is there another way I can isolate single ports that can not communicate to one another but only with a "promiscuous port" like in an isolated private-vlan? I could assign a unique vlan ID to a number of switchports but I don't think I can assign multiple vlans to a single port to function like the promiscuous port. Any thoughts given that this is a router?

Private vlan promiscuous port configuration on ISR 1100 series router

You may be missing the private-vlan association part. For example:vlan 81private-vlan isolatedvlan 80private-vlan primaryprivate-vlan association add 81interface fa0/24switchport mode private-vlan promiscuousswitchport private-vlan mapping 80 81

You may be missing the private-vlan association part. For example:

vlan 81
private-vlan isolated
vlan 80
private-vlan primary
private-vlan association add 81
interface fa0/24
switchport mode private-vlan promiscuous
switchport private-vlan mapping 80 81