Private-vlan SVI interface configuration

chris morris
Level 1

Can anyone help explain why a host in one isolated vlan is able to ping another host in a different isolated vlan when using the following configuration?

vlan 500
 name pvlan_test_1
 private-vlan primary
 private-vlan association 600
!
vlan 501
 name pvlan_test_2
 private-vlan primary
 private-vlan association 601
!
vlan 600
 name isolated_1
 private-vlan isolated
!
vlan 601
 name isolated_2
 private-vlan isolated
!
interface FastEthernet1/0/23
 switchport private-vlan host-association 501 601
 switchport mode private-vlan host
!
interface FastEthernet1/0/24
 switchport private-vlan host-association 500 600
 switchport mode private-vlan host
!
interface Vlan500
 ip address 10.1.1.1 255.255.255.0
 private-vlan mapping 600
!
interface Vlan501
 ip address 10.1.2.1 255.255.255.0
 private-vlan mapping 601

5 Replies

carenas123
Level 5

It looks like bug CSCdj73967, which says that Catalyst 1900 and 2820 VLANs do not provide fully secured isolation between VLANs, and do not provide support for a single MAC address being learned on different ports in different VLANs simultaneously.

It does; however, the switch in question is a Catalyst 3750-24TS running IOS 12.2(25)SEB4.

Christopher,

Why not upgrade your software to 12.2(25)SEE3 and see what happens? If it is an IOS bug, it will go away.

I don't know if this helps...

On my reading of private VLANs with SVIs, once you configure private-vlan mapping [secondary private VLAN id], it is the equivalent of making that interface a promiscuous port that can reach anyone. However, the two isolated ports, even if on the same subnet and in the same secondary VLAN, will not see each other. Think of it this way: your two isolated ports are connected to two PCs that acquire IPs via DHCP. So the two hosts on the two isolated ports can't reach each other BUT can reach the DHCP server on a different broadcast domain/subnet/network...

Cheers,

Francois Tallet
Level 7

This is expected behavior, because a private VLAN provides isolation at layer 2, not layer 3.

For instance, an L2 broadcast on one isolated port will not be received on any other isolated port (only on promiscuous ports). Another example: if you put two hosts on different ports in the same isolated VLAN (you don't need to create two different isolated VLANs as you did in your config), they would not be able to communicate with each other even if they were in the same subnet. This is because there is no L2 connectivity between isolated ports. On the other hand, if you add a router to a promiscuous port of this isolated VLAN, then you'll be able to route between the two hosts (in the same subnet!).

If you want to prevent the two hosts from communicating with each other at layer 3, you need to implement some access lists.

Regards,

Francois
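The practical consequence of Francois's answer is that the SVIs carrying `private-vlan mapping` are the promiscuous ports here: the switch itself is the router that re-joins traffic the private VLAN kept apart at layer 2. The access list below is an added example, not configuration posted by anyone in this thread, showing one way to close that path for the addresses in the original question. It assumes a platform and image that support router ACLs applied to SVIs (check your 3750 feature set and release), and the ACL name and the exact permit list are illustrative; what the hosts legitimately need from the gateway (DHCP relay, DNS, management) has to be decided per deployment.

```text
! Added example, not from the original thread: block routed traffic
! between the private-VLAN hosts at the SVI that acts as their gateway.
! ACL name and the permitted services are illustrative assumptions.
ip access-list extended PVLAN_L3_ISOLATION
 remark -- hosts may still reach their own gateway (DHCP, ICMP, mgmt)
 permit ip 10.1.1.0 0.0.0.255 host 10.1.1.1
 permit ip 10.1.2.0 0.0.0.255 host 10.1.2.1
 remark -- no routing between the two primary VLANs' subnets
 deny   ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
 deny   ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 remark -- no hairpin through the SVI between hosts of the same subnet
 deny   ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny   ip 10.1.2.0 0.0.0.255 10.1.2.0 0.0.0.255
 remark -- anything else (towards the rest of the network) is still routed
 permit ip any any
!
interface Vlan500
 ip access-group PVLAN_L3_ISOLATION in
!
interface Vlan501
 ip access-group PVLAN_L3_ISOLATION in
```

The ACL is applied inbound on both SVIs because that is where traffic from an isolated host first becomes visible to the router; the per-subnet deny lines cover the same-subnet case Francois describes (a host sending to its neighbour via the gateway's MAC), and the explicit permits to the gateway addresses come first so that reaching the SVI itself keeps working. After applying it, repeat the ping from the host on Fa1/0/24 to the host on Fa1/0/23: it should now fail while a ping to 10.1.1.1 still succeeds, and `show ip access-lists PVLAN_L3_ISOLATION` will show the deny counters incrementing. Two caveats a practitioner should keep in mind: a router ACL filters IP, not ARP, so whether the SVI answers ARP on behalf of same-subnet hosts is a separate setting (local proxy ARP) and the ACL is the layer that actually enforces the policy; and if a single isolated domain is all that is wanted, one primary/isolated pair with one SVI is enough, as Francois notes, in which case only the gateway permit and the same-subnet deny are needed.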
