Hello,
I am running into an issue using private VLANs on a Cisco Catalyst 3650 running the latest IOS 12 (Gibraltar) release. I have a private VLAN set up, and promiscuous ports in the primary VLAN are able to ping machines outside of their VLAN mapping. Is this the expected behavior in a private VLAN, or is there something wrong with my configuration?
Thanks for any feedback!
Current running configuration (promiscuous port 1 is able to ping ports in VLAN 11 even though it is not mapped to VLAN 11):
Switch#sh vlan private
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      3         isolated          Gi0/0, Gi0/1, Gi0/2
10      11        community         Gi0/2, Gi1/0
10      21        community         Gi0/1, Gi0/3
vlan 3
 private-vlan isolated
!
vlan 10
 private-vlan primary
 private-vlan association 3,11,21
!
vlan 11
 private-vlan community
!
vlan 21
 private-vlan community
!
interface GigabitEthernet0/0
 switchport private-vlan host-association 10 3
 switchport mode private-vlan host
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 switchport private-vlan mapping 10 3,21
 switchport mode private-vlan promiscuous
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 switchport private-vlan mapping 10 3,11
 switchport mode private-vlan promiscuous
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/3
 switchport private-vlan host-association 10 21
 switchport mode private-vlan host
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/0
 switchport private-vlan host-association 10 11
 switchport mode private-vlan host
 media-type rj45
 negotiation auto
!
Switch#sh int status
Port   Name  Status     Vlan   Duplex  Speed  Type
Gi0/0        connected  10,3   a-full  auto   RJ45
Gi0/1        connected  10     a-full  auto   RJ45
Gi0/2        connected  10     a-full  auto   RJ45
Gi0/3        connected  10,21  a-full  auto   RJ45
Gi1/0        connected  10,11  a-full  auto   RJ45
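A way to check a configuration like the one above against what private VLANs are documented to allow, as an added example that is not part of the original post and not Cisco code: the script parses the PVLAN-relevant lines of a running-config (the text below is a trimmed stand-in for the poster's, with the media-type and negotiation lines omitted), derives for every port which other ports the PVLAN rules should let it exchange frames with (promiscuous-to-promiscuous within one primary VLAN; promiscuous-to-host only when the host's secondary VLAN is in the promiscuous port's mapping; host-to-host only within one community VLAN, never between isolated ports), and then compares that model with a set of constructed ping observations so that an unexpected reach, such as a promiscuous port reaching a community it is not mapped to, is reported for investigation. The function names and the observation list are assumptions made for this example; the script models policy, it cannot say why a given switch deviates from it.

```python
"""Reachability model for a Cisco private-VLAN configuration.

Added example, not part of the original post: parse the PVLAN parts of a
running-config, derive which ports the documented PVLAN rules allow to talk,
and compare that with observed ping results so an unexpected reach (such as a
promiscuous port reaching a community VLAN it is not mapped to) is flagged.
The config text is a trimmed stand-in for the poster's; the ping results are
constructed samples.
"""
import re
from collections import defaultdict

PVLAN_CONFIG = """
vlan 3
 private-vlan isolated
vlan 10
 private-vlan primary
 private-vlan association 3,11,21
vlan 11
 private-vlan community
vlan 21
 private-vlan community
interface GigabitEthernet0/0
 switchport private-vlan host-association 10 3
 switchport mode private-vlan host
interface GigabitEthernet0/1
 switchport private-vlan mapping 10 3,21
 switchport mode private-vlan promiscuous
interface GigabitEthernet0/2
 switchport private-vlan mapping 10 3,11
 switchport mode private-vlan promiscuous
interface GigabitEthernet0/3
 switchport private-vlan host-association 10 21
 switchport mode private-vlan host
interface GigabitEthernet1/0
 switchport private-vlan host-association 10 11
 switchport mode private-vlan host
"""

def parse_pvlan(config):
    """Return (secondary VLAN -> type, port -> {mode, primary, secondaries})."""
    sec_types, ports, vlan, iface = {}, {}, None, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan, iface = int(m.group(1)), None
        elif m := re.fullmatch(r"interface (\S+)", line):
            vlan, iface = None, m.group(1)
            ports[iface] = {"mode": None, "primary": None, "secondaries": set()}
        elif vlan and (m := re.fullmatch(r"private-vlan (isolated|community)", line)):
            sec_types[vlan] = m.group(1)
        elif iface and (m := re.fullmatch(r"switchport private-vlan (?:host-association|mapping) (\d+) ([\d,]+)", line)):
            ports[iface]["primary"] = int(m.group(1))
            ports[iface]["secondaries"] = {int(v) for v in m.group(2).split(",")}
        elif iface and (m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line)):
            ports[iface]["mode"] = m.group(1)
    return sec_types, ports

def allowed_peers(sec_types, ports):
    """Ports each port should exchange frames with under the PVLAN rules:
    promiscuous<->promiscuous in one primary; promiscuous<->host only when the
    host's secondary VLAN is in the promiscuous port's mapping; host<->host only
    inside the same community VLAN (never between isolated ports)."""
    allowed = defaultdict(set)
    for a, pa in ports.items():
        for b, pb in ports.items():
            if a == b or pa["primary"] != pb["primary"]:
                continue
            shared = pa["secondaries"] & pb["secondaries"]
            modes = {pa["mode"], pb["mode"]}
            if modes == {"promiscuous"}:
                ok = True
            elif "promiscuous" in modes:
                ok = bool(shared)
            else:
                ok = any(sec_types.get(v) == "community" for v in shared)
            if ok:
                allowed[a].add(b)
    return dict(allowed)

# Constructed ping observations: (source port, destination port, reply received?)
OBSERVED = [
    ("GigabitEthernet0/1", "GigabitEthernet0/3", True),   # promiscuous -> mapped community 21
    ("GigabitEthernet0/1", "GigabitEthernet1/0", True),   # promiscuous -> community 11, not mapped
    ("GigabitEthernet0/0", "GigabitEthernet0/3", False),  # isolated -> community, must fail
    ("GigabitEthernet0/0", "GigabitEthernet0/2", True),   # isolated -> promiscuous mapped to 3
]

def audit(config, observed):
    """Return observations that contradict what the configuration should allow."""
    sec_types, ports = parse_pvlan(config)
    allowed = allowed_peers(sec_types, ports)
    violations = []
    for src, dst, reachable in observed:
        if reachable != (dst in allowed.get(src, set())):
            violations.append((src, dst, "unexpectedly reachable" if reachable else "unexpectedly blocked"))
    return violations

if __name__ == "__main__":
    for v in audit(PVLAN_CONFIG, OBSERVED):
        print(*v)
```

Run as-is, the only finding is the poster's symptom: GigabitEthernet0/1 reaching GigabitEthernet1/0 (community 11) although its mapping is 3,21. Replacing the constructed OBSERVED list with real ping results from the lab turns the script into a quick regression check after any PVLAN change.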