Private VLAN Promiscuous Port Problem

AminK
Level 1

Hello Community.

I have a very odd problem in my network. There is an N5K-C56128P that I have several private VLANs on. One of these Primary VLANs has 269 Community VLANs on it that are working properly and see their gateway on the firewall, which is a promiscuous port.

Due to my workplace requirements, I asked to create a new Community VLAN under this VLAN, which would be the 270th one.

Now all of the new community VLAN members can ping each other, but the problem is that, no matter what I do, they can't see the gateway, which is my promiscuous-port firewall.

I associated this new VLAN with my primary VLAN, allowed it on all of my trunks, and mapped it to my firewall's promiscuous port.

Any help will be greatly appreciated. 

8 Replies

Torbjørn
VIP

Can you post the configuration of the VLANs and the ports in question?
This is just a guess, but might the mapping between the primary VLAN and the secondary VLAN be absent under the interface config? The minimal interface config for a promiscuous port looks something like this:

SW1(config)#interface fa0/24
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 500 501


Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Hello and thank you for your response.

Yes, there is indeed a mapping under the promiscuous port, and the new VLAN is also associated with the primary VLAN in the switch settings.

Our first guess was that there is a limitation on the number of private VLANs that can be created on the N5K, but we couldn't find any document that supports this idea.

By the way, this is our boot image file: n6000-uk9.7.3.5.N1.1.bin, and it is a little old.

You might want to upgrade the OS to adhere to general best practices, but I don't think it will solve this specific issue. 

Are your secondary VLANs associated to your primary VLAN?

SW1(config)# vlan { primary VLAN id }
SW1(config-vlan)# private-vlan association { secondary VLANs }

It would help a lot in troubleshooting this if you posted the configuration for your primary VLAN, secondary VLAN, the promiscuous port and your secondary VLAN ports.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Hello

@AminK wrote:

Now all of new community vlan members can ping each other but,

The problem is no matter what I do, They can't see the Gateway which is my promiscuous port firewall.

As you have 269 other VLANs, I would say you have the config correct; could this then be a firewall policy negating that new VLAN?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you for your response. As a matter of fact, yes, I suspected that maybe my firewall was acting up. So I attached a spare router to my Nexus and applied the same config and mappings for the promiscuous port under it. The only difference was that I did fewer mappings, as I thought maybe that was the problem. What was the result? Same as the firewall port. Other VLANs work correctly and see the router IP, but not the members of this new VLAN. That's what makes it very odd.

And about posting the config, I would be happy to do it, but I am in an air-gapped network and they won't let me extract the config and post it online. But I can post what I did in my lab, which worked perfectly:

vlan 1202
  private-vlan primary
  private-vlan association 3440,3550,3660
!
vlan 3440
  private-vlan community
!
vlan 3550
  private-vlan community
!
vlan 3660
  private-vlan isolated
!
interface Ethernet0/0
 switchport private-vlan mapping 1202 3440,3550,3660
 switchport mode private-vlan promiscuous
!
interface Ethernet0/3
 switchport private-vlan host-association 1202 3550
 switchport mode private-vlan host
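A consistency check over a private-VLAN config excerpt written in the form shown above and in the minimal promiscuous-port config earlier in the thread. This is an added example, not code from the thread or from Cisco; it assumes the IOS/NX-OS syntax exactly as posted (plain comma-separated VLAN lists, no `add`/`remove` keywords). It parses the `private-vlan association`, `switchport private-vlan mapping` and `host-association` lines and reports a secondary VLAN present on one side but not the other, the kind of mismatch that leaves a new community VLAN unable to reach the gateway behind the promiscuous port.

```python
import re

# Constructed sample modelled on the lab config in the post: community VLAN 3770
# was associated under primary 1202 but the promiscuous port mapping was not updated.
SAMPLE_CONFIG = """\
vlan 1202
  private-vlan primary
  private-vlan association 3440,3550,3660,3770
!
interface Ethernet0/0
 switchport private-vlan mapping 1202 3440,3550,3660
 switchport mode private-vlan promiscuous
!
interface Ethernet0/3
 switchport private-vlan host-association 1202 3770
 switchport mode private-vlan host
"""

def _ids(text):  # '3440,3550,3660' -> {3440, 3550, 3660}
    return {int(v) for v in text.split(",")}

def parse_pvlan(config):
    """Collect primary->associated secondaries, promiscuous mappings and host associations."""
    assoc, mapping, host, ctx = {}, {}, {}, (None, None)
    for raw in config.splitlines():
        s = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", s):
            ctx = ("vlan", int(m.group(1)))
        elif m := re.fullmatch(r"interface (\S+)", s):
            ctx = ("if", m.group(1))
        elif (m := re.fullmatch(r"private-vlan association (\S+)", s)) and ctx[0] == "vlan":
            assoc[ctx[1]] = _ids(m.group(1))
        elif (m := re.fullmatch(r"switchport private-vlan mapping (\d+) (\S+)", s)) and ctx[0] == "if":
            mapping[ctx[1]] = (int(m.group(1)), _ids(m.group(2)))
        elif (m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", s)) and ctx[0] == "if":
            host[ctx[1]] = (int(m.group(1)), int(m.group(2)))
    return assoc, mapping, host

def check_pvlan(config):
    assoc, mapping, host = parse_pvlan(config)
    findings = []
    for intf, (primary, mapped) in mapping.items():
        associated = assoc.get(primary, set())
        for v in sorted(associated ^ mapped):  # a VLAN on only one side cannot reach the gateway
            where = "not mapped on promiscuous port" if v in associated else "mapped but not associated"
            findings.append(f"{intf}: secondary {v} under primary {primary} {where}")
    for intf, (primary, sec) in host.items():
        if sec not in assoc.get(primary, set()):
            findings.append(f"{intf}: host-association {primary} {sec} is not associated")
    return findings
```

Running `check_pvlan(SAMPLE_CONFIG)` flags only VLAN 3770 on Ethernet0/0; once 3770 is added to that mapping line the check returns no findings.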


Your lab config is correct. If your VLAN and port configs in production match it, this shouldn't be a private-VLAN-specific configuration error. Could you try to configure the promiscuous port on the same switch as one of your community VLAN ports and see if the result changes?

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Yeah, when I do that they can ping each other like any other community VLAN members. All things work as expected. The problem happens when traffic wants to go to the promiscuous port. As a matter of fact, I tried with another new VLAN, did all the associations and mappings, and guess what: that didn't work either. It's like I'm hitting some kind of limitation that says you can't associate any new VLANs with the primary VLAN.

I haven't heard of any such limitation, but then again I have never worked with that many private VLANs. It won't solve your issue, but it could be interesting to see if you get the same result when you create a new primary VLAN with a new secondary VLAN.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev