Re: Private-VLAN SVI routing

phil_carter · ‎12-16-2008

Hello,

I am trying to configure private vlans on a few 3750 switches where the primary VLAN is a layer-3 SVI on a 3750. I can get secondary community VLANs talking within each community, but nothing can talk to the primary VLAN default gateway (the SVI). I can only mapping the secondary VLANs to the interface:

!

interface vlan 50

ip address 10.6.35.254 255.255.240.0

private-vlan mapping 51-52

!

...there is no option to set it as a promiscuous interface...

Installing a router and connecting to a 3750 via a promiscuous port (mapping all the secondary VLANs), works fine.

Is this a known issue with layer-3 interfaces on switches? Is there a solution?

Many thanks

Phil

Giuseppe Larosa · ‎12-16-2008

Hello Phil,

the commands you have issued are correct but something could be missing.

1) when creating an SVI you need to add a

no shut

2) check the vlan 50 status with

sh int vlan50

it has to be up/up

normal SVI interfaces have the autostate concept : they are up/up only if there is at least a L2 port either access or trunk in STP forwarding for the Vlan.

here should be enough to do the no sh

Hope to help

Giuseppe

phil_carter · ‎12-17-2008

Hello,

Layer-2 VLANs all configured correctly (50 primary with 51 and 52 secondary community VLANs). Layer-3 SVI is up/up and enabled. Trunk ports exist and there is something in each VLAN.

Community VLANs can talk within each VLAN (ie VLAN51 can talk to other ports in VLAN51 and 52 to 52), but nothing can ping the primary VLAN 50 SVI.

config used:

!

interface vlan50

ip address 10.6.35.254 255.255.240.0

private-vlan mapping 51-52

no shut

!

interface f0/1

description VLAN51 host 10.6.35.40

switchport mode private-vlan host

switchport private-vlan host-association 50 51

speed 100

duplex full

spanning-tree portfast

no shut

!

interface f0/2

description VLAN51 host 10.6.35.100

switchport mode private-vlan host

switchport private-vlan host-association 50 51

speed 100

duplex full

spanning-tree portfast

no shut

!

10.6.35.40 can ping 10.6.35.100 and vice-versa, but nothing can ping the default gateway 10.6.35.254.

If I connect a router to the 3750 which has a layer-3 interface and config the 3750 switchport as a promiscuous port it works OK:

Router:

interface f0/0

description facing switch

ip address 10.6.35.254 255.255.240.0

speed 100

duplex full

no shut

!

Switch:

interface f1/0/24

description connection to router

switchport mode private-vlan promiscuous

switchport private-vlan mapping 50 51-52

speed 100

duplex full

no shut

Do private-vlans not work with SVI's?? If so, how do you configure them to work?

Thanks

Phil

viyuan700 · ‎12-17-2008

can you check the output of this command

show interfaces private-vlan mapping

phil_carter · ‎12-17-2008

outputs below:

Switch#sh vlan private-vlan

Primary Secondary Type Ports

------- --------- ----------------- ------------------------------------------

50 51 community Fa1/0/1, Fa1/0/2

50 52 isolated

Switch#sh int private-vlan mapping

Interface Secondary VLAN Type

--------- -------------- -----------------

vlan50 51 community

vlan50 52 isolated

Thanks

Phil

Giuseppe Larosa · ‎12-17-2008

Hello Phil,

excuse me for the basic question

have you defined the primary vlan at layer2 ?

conf t

vlan 50

private-vlan primary

private-vlan association 51-52

this is needed as it is needed the command under the SVI interface vlan 50

Hope to help

Giuseppe

phil_carter · ‎12-18-2008

Hello,

Yes - all VLANs fine at Layer-2 (see previous outputs provided).... it works fine when configuring a promiscuous port to a router, just not when trying to speak via an SVI (with secondary VLANs mapped to it)...

Thanks

Phil