Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1647
Views
0
Helpful
13
Replies

Private vlan promiscuous port configuration on ISR 1100 series router

AlexW22
Level 1
Level 1

‎07-06-2023 08:32 AM - edited ‎07-06-2023 08:33 AM

I am trying to configure a couple community and isolated private vlans. Successfully specified the primary and secondary (community/isolated) vlans but when I want to specify the promiscuous port I simply don’t get the option to enter: switchport mode private-vlan promiscuous
My only options are switchport mode access | dynamic | trunk
What am I missing here?

I’ve looked at these 4 guides:
https://www.cisco.com/c/en/us/support/docs/lan-switching/private-vlans-pvlans-promiscuous-isolated-community/40781-194.html
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SXF/native/configuration/guide/swcg/pvlans.pdf
https://youtube.com/watch?v=xl3_zgaZuH8&feature=shareb
https://youtube.com/watch?v=Gpi_lunzsik&feature=shareb

To my knowledge the ISR should support this functionality but I might be wrong.
Thank you in advance for any advice!

MicroNugget: Private VLANs
MicroNugget: Private VLANs
cisco.com/c/en/us/td/docs/switches/lan/catalyst...
Start learning cybersecurity with CBT Nuggets. https://courses.cbt.gg/security In this video, Keith Barker covers private VLANs (virtual local area networks). He'll walk through the process of gaining entry through a universal access point and then how traffic is separated into isolated or ...
Understanding Private VLANs
Understanding Private VLANs
youtube.com/watch?v=Gpi_lunzsik&feature=shareb
Save 25% on Charles & Kevin's CCNA, ENCOR, and ENARSI Video Training Series CCNA: https://kwtrain.com/ccna ENCOR: https://kwtrain.com/encor ENARSI: https://kwtrain.com/enarsi *********************************** In this video, we cover a security feature for your Cisco Catalyst switches. It's ...
0 Helpful
13 Replies 13

MHM Cisco World
VIP
VIP

‎07-06-2023 08:39 AM

switchport mode private-vlan promiscuous <<- this config in SW toward router, you here config private in router itself so I dont think you will find this command in router.

0 Helpful

AlexW22
Level 1
Level 1
In response to MHM Cisco World

‎07-06-2023 10:43 AM - edited ‎07-06-2023 10:47 AM

Thanks for your reply!

Isn't it weird that i can configure primary and secondary community/isolated vlans without being able to assign a promiscuous port on the router?

Would have liked to at least isolate a few switchports on this ISR to only access the internet and not the other connected hosts on the switch. Any suggestions in this regard?

0 Helpful

MHM Cisco World
VIP
VIP
In response to AlexW22

‎07-06-2023 11:52 AM

I check and indeed there is promiscuous port in Router (with ehter capability)
so 
do 
interface x/x
switchport <<- once without any other keyword 
switchport ..........

try this way

0 Helpful

AlexW22
Level 1
Level 1
In response to MHM Cisco World

‎07-06-2023 01:37 PM - edited ‎07-06-2023 01:54 PM

Thank you for your reply!
When doing this I get:

switchport
% incomplete command.

--------------------------------------

switchport ?  
  access         Set access mode characteristics of the interface
  autostate      Include or exclude this port from vlan link up calculation
  host             Set port host
  mode           Set trunking mode of the interface
  nonegotiate  Device will not engage in negotiation protocol on this interface
  port-security Security related command 
  priority          Set appliance 802.1p priority
  protected      Configure an interface to be a protected port
  trunk             Set trunking characteristics of the interface
  voice             Voice appliance attributes

--------------------------------------

switchport mode private-vlan promiscuous
                          ^
% Invalid input detected at '^' marker.

--------------------------------------

switchport mode ?
  access   Set trunking mode to ACCESS unconditionally
  dynamic  Set trunking mode to dynamically negotiate access or trunk mode
  trunk    Set trunking mode to TRUNK unconditionally

0 Helpful

MHM Cisco World
VIP
VIP
In response to AlexW22

‎07-08-2023 12:17 AM

switchport mode access <<-  add this 
then check 
switchport ?

0 Helpful

KJK99
Level 3
Level 3

‎07-06-2023 06:41 PM

@AlexW22 

You may be missing the private-vlan association part. For example:

vlan 81
private-vlan isolated
vlan 80
private-vlan primary
private-vlan association add 81
interface fa0/24
switchport mode private-vlan promiscuous
switchport private-vlan mapping 80 81
Kris K
0 Helpful

AlexW22
Level 1
Level 1
In response to KJK99

‎07-07-2023 03:13 AM

Highly appreciate your answer!

I did make the association without the word "add" so I tried again but unfortunately without any luck. The situation is still unchanged.

When I run:
show vlan private-vlan

The primary and secondary vlans are listed but under type it lists "non-operational".
As mentioned before I am not able to assign a promiscuous port yet.

0 Helpful

KJK99
Level 3
Level 3
In response to AlexW22

‎07-07-2023 05:04 AM

@AlexW22 

Maybe you have some other commands there that affect the port mode. I have never tried to use a promiscuous port for Internet access. My promiscuous ports are very simple. I have servers connected to them.

Kris K
0 Helpful

AlexW22
Level 1
Level 1

‎07-07-2023 12:44 PM

I am starting to suspect that this feature of private-vlans is not supported on the ISR 1100 series. Weird that it lets you create a vlan and set it as a community/isolated private-vlan.

Wondering if I can work around this for the part of the network that I intended to be an isolated private-vlan. Assign a new vlan id to every switchport and attach all the ("isolated") vlans created to the ("promiscuous") port.

0 Helpful

MHM Cisco World
VIP
VIP
In response to AlexW22

‎07-07-2023 12:51 PM

give some time I need half day to be sure that this feature available or not in ISR

0 Helpful

AlexW22
Level 1
Level 1
In response to MHM Cisco World

‎07-08-2023 06:01 AM

Ok thank you! I am patiently awaiting your reply

0 Helpful

MHM Cisco World
VIP
VIP

‎07-08-2023 06:13 AM

can you try 
switchport access vlan x 
then 
switchport ? <<- check if the private vlan keyword appear
thanks and sorry for make you wait 
MHM

0 Helpful

AlexW22
Level 1
Level 1
In response to MHM Cisco World

‎07-08-2023 07:44 AM - edited ‎07-08-2023 07:48 AM

Thanks for the quick reply!
I tried switchport access vlan <primary>

Then when trying:
switchport mode ?

I still gett only the option for:
access | dynamic | trunk.

Were you able to find out if this feature is supported?

I think I simulate community private-vlan functionality with normal vlans. Is there another way I can isolate single ports that can not communicate to one another but only with a "promiscuous port" like in an isolated private-vlan? I could assign a unique vlan ID to a number of switchports but I don't think I can assign multiple vlans to a single port to function like the promiscuous port. Any thoughts given that this is a router?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card