Private VLAN trunking question

I have a question on when to use private VLAN trunking.  I have read that when trunking to a device that is not PVLAN aware, you should use PVLAN trunking.  If you are trunking between devices that are PVLAN aware, then you should use regular trunking.

What it doesn't tell me is why.  Why do we need to use private VLAN trunking?  If the PVLANs are tagged using dot1Q, then what is the purpose of using PVLAN trunking? It is not clear what is gained.

Thanks in advance...

28 Replies

Stephan P.
Level 1

Hello,

Is it possible to have the promiscuous port of a private VLAN on another switch?

I have different community PVLANs on Switch1 and the same community PVLANs on Switch2.  But only Switch2 has an uplink to the Internet (promiscuous) over a firewall.

Both Switches are Connected via Trunk to a CoreSwitch.
If it is possible for a host in a PVLAN on Switch1 to use the Internet link on Switch2, how should the trunk connection, and especially the core switch, be configured?

Switch1: transparent
vlan 100
private-vlan primary
private-vlan association 101-102
!
vlan 101
private-vlan community
!
vlan 102
private-vlan community

interface GigabitEthernet1/0/1
switchport private-vlan host-association 100 101
switchport mode private-vlan host

interface GigabitEthernet1/0/2
switchport private-vlan host-association 100 102
switchport mode private-vlan host

interface GigabitEthernet1/0/49
description Uplink-Core
switchport trunk encapsulation dot1q
switchport mode Trunk

Switch2: transparent
vlan 100
private-vlan primary
private-vlan association 101-102
!
vlan 101
private-vlan community
!
vlan 102
private-vlan community

interface GigabitEthernet1/0/1
switchport private-vlan host-association 100 101
switchport mode private-vlan host

interface GigabitEthernet1/0/2
switchport private-vlan host-association 100 102
switchport mode private-vlan host

interface GigabitEthernet1/0/3
description Uplink-Internet
switchport private-vlan mapping 100 101-102
switchport mode private-vlan promiscuous

interface GigabitEthernet1/0/49
description Uplink-Core
switchport trunk encapsulation dot1q
switchport mode Trunk

 

CoreSwitch: VTP Server
vlan 100

interface GigabitEthernet1/0/1
description Uplink-Switch1
switchport trunk encapsulation dot1q
switchport mode Trunk

interface GigabitEthernet1/0/2
description Uplink-Switch2
switchport trunk encapsulation dot1q
switchport mode Trunk

 

This also doesn't work:
CoreSwitch: VTP transparent

vlan 100
private-vlan primary
private-vlan association 101-102
!
vlan 101
private-vlan community
!
vlan 102
private-vlan community

interface GigabitEthernet1/0/1
description Uplink-Switch1
switchport trunk encapsulation dot1q
switchport mode Trunk

interface GigabitEthernet1/0/2
description Uplink-Switch2
switchport trunk encapsulation dot1q
switchport mode Trunk

------------------------------------------------------------------------------------------------

On Switch2, both PVLAN community hosts get an Internet connection; on Switch1 there is no chance.
What is the trick? Hopefully someone can help.

I have a few other problems, and I'm stuck in some places and need help.

We have a

Cisco Firepower 1140
C9606 Core Switch
C9300l-48 Port

We want to roll out PVLAN to two buildings.

Building 1 will get VLAN 1096
Building 2 will get VLAN 1097

Community VLAN is 1198
Isolated VLAN is 1199

First problem
Community VLAN works on Switch 1
Isolated VLAN works on Switch 2

But when I go from Switch 1 community to Switch 2 community, it doesn't work.

Second problem
What do I need to configure on the core for the FW?
Since our FW was deployed as two instances, MGMT and DATA, it is sufficient to send a normal trunk with the allowed VLANs to the FW. Routing is performed on our FW.

Third problem
I have a small test setup. Our problem is that we cannot reach the DHCP relay on the firewall. The relay is in VLAN 1096.

Config:

FW

Promiscuous port config from Core to FW: yes or no?

DATA 1 / MGMT 1

Core 1

vlan 1096
name FU_MA_LAN
private-vlan primary
private-vlan association 1198,1199
!
vlan 1198
name TEST_VLAN_Community
private-vlan community
!
vlan 1199
name TEST_VLAN_Isolated
private-vlan isolated

interface TwentyFiveGigE1/5/0/8
description Uplink to Access Switch 2 with PVLAN
switchport trunk allowed vlan 52,53,1096
switchport private-vlan trunk native vlan 1096
switchport private-vlan trunk allowed vlan 1198,1199
switchport mode trunk
!
interface TwentyFiveGigE1/5/0/9
description Uplink to Access Switch 1 with PVLAN
switchport trunk allowed vlan 52,53,1096
switchport private-vlan trunk native vlan 1096
switchport private-vlan trunk allowed vlan 1198,1199
switchport mode trunk

#######################################################

ACCESS SWITCH 1
TE1/1/4

vlan 52
name Switch_MGMT
!
vlan 1096
name BASE_C
private-vlan primary
private-vlan association 1198,1199
!
vlan 1198
private-vlan community
!
vlan 1199
private-vlan isolated


interface GigabitEthernet1/0/1
switchport private-vlan host-association 1096 1198
switchport mode private-vlan host
!
interface GigabitEthernet1/0/2
switchport private-vlan host-association 1096 1198
switchport mode private-vlan host
!
interface GigabitEthernet1/0/3
switchport private-vlan host-association 1096 1199
switchport mode private-vlan host
!
interface GigabitEthernet1/0/4
switchport private-vlan host-association 1096 1199
switchport mode private-vlan host

interface TenGigabitEthernet1/1/4
switchport trunk allowed vlan 52,53,1096
switchport private-vlan trunk native vlan 1096
switchport private-vlan trunk allowed vlan 1198,1199
switchport mode trunk

TE1/1/4
interface TenGigabitEthernet1/1/4
description UPLINK zu Core TWE1/5/0/8
switchport trunk allowed vlan 52,53,1096
switchport private-vlan trunk native vlan 1096
switchport private-vlan trunk allowed vlan 1198,1199
switchport mode trunk

-------------------------------------------------------

ACCESS SWITCH 2

vlan 52
name Switch_MGMT
!
vlan 1096
name BASE_C
private-vlan primary
private-vlan association 1198,1199
!
vlan 1198
private-vlan community
!
vlan 1199
private-vlan isolated

interface GigabitEthernet1/0/1
switchport private-vlan host-association 1096 1198
switchport mode private-vlan host
!
interface GigabitEthernet1/0/2
switchport private-vlan host-association 1096 1198
switchport mode private-vlan host
!
interface GigabitEthernet1/0/3
switchport private-vlan host-association 1096 1199
switchport mode private-vlan host
!
interface GigabitEthernet1/0/4
switchport private-vlan host-association 1096 1199
switchport mode private-vlan host

TE1/1/4
interface TenGigabitEthernet1/1/4
description UPLINK zu Core TWE1/5/0/8
switchport trunk allowed vlan 52,53,1096
switchport private-vlan trunk native vlan 1096
switchport private-vlan trunk allowed vlan 1198,1199
switchport mode trunk

On Switch 1, from port 1 and 2 I can ping the host; the same on Switch 2.

From Switch 1 port 1 to Switch 2 port 1 I cannot.

Unfortunately, I am a little stumped. I hope someone can help me.

THX and greetings, Joe
Tobias Heisele
Level 3

Hi Joe,

Between the switches only a "normal" trunk is required, no "private-vlan trunk". Just allow all primary and secondary VLANs on it.

Tobi

Hello Tobi,

This is not my problem. My problem is that I cannot reach the DHCP relay on the firewall, and I have no promiscuous port from Core to FW. I anonymized the VLANs to other numbers, but the structure is the same. Thx, greetings Joe

Tobias Heisele
Level 3

To the firewall a private-vlan trunk is required, like you had in your configuration:

interface <interface-name>
switchport mode private-vlan trunk promiscuous
switchport private-vlan mapping trunk <primary-vlan1> <secondary-vlans1>
switchport private-vlan mapping trunk <primary-vlan2> <secondary-vlans2>
switchport private-vlan trunk allowed vlan <primary-vlans>
switchport private-vlan trunk native vlan <primary-vlan>

How can I transport the normal VLANs for switch MGMT? This is only for private VLANs. Can you show me from FW to Core and from Core to access switch? Can you show me in a picture? THX, and really thx for the answer. How can I manage my switch's normal VLAN when I have a subinterface on the firewall? Greetings, Joe

Tobias Heisele
Level 3

Normal VLANs are handled like primary VLANs:

interface <interface-name>
switchport mode private-vlan trunk promiscuous
switchport private-vlan mapping trunk <primary-vlan1> <secondary-vlans1>
switchport private-vlan mapping trunk <primary-vlan2> <secondary-vlans2>
switchport private-vlan trunk allowed vlan <primary-vlans> <normal-vlans>
switchport private-vlan trunk native vlan <primary-/normal-vlan>
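The two points made so far in the thread, a normal trunk is enough between PVLAN-aware switches while the firewall needs a promiscuous private-vlan trunk, also answer the original question of why PVLAN trunking exists. The following Python model is an added example written for this thread; it is not Cisco code and not the configuration of anyone posting here. It reuses the thread's VLAN numbers (primary 1096, community 1198, isolated 1199, ordinary VLANs 52/53) as constructed sample data, assumes a firewall that only has interfaces for VLANs 52, 53 and 1096, and the port kinds and function names are the model's own. What it encodes is the promiscuous PVLAN trunk's secondary-to-primary tag translation and the host-port isolation rules, so you can see which tag the non-PVLAN-aware firewall ends up receiving on each kind of uplink.

```python
"""Model of how a private-VLAN frame is tagged hop by hop across trunk ports.

Added illustration for this thread, not Cisco code and not the thread's own
configuration. It only models which 802.1Q tag each hop sees and which host
ports may receive the frame. VLAN numbers reuse the thread's sample values;
the firewall's VLAN list is an assumption made for the demo.
"""

# Constructed PVLAN table: primary VLAN -> {secondary VLAN: secondary type}.
PVLAN = {1096: {1198: "community", 1199: "isolated"}}
# Ordinary (non-private) VLANs that also ride the trunks.
NORMAL_VLANS = {52, 53}
# Assumed: the non-PVLAN-aware firewall only has subinterfaces for these tags.
FIREWALL_VLANS = {52, 53, 1096}


def primary_of(vid):
    """Primary VLAN that secondary VLAN `vid` belongs to, or None."""
    for primary, secondaries in PVLAN.items():
        if vid in secondaries:
            return primary
    return None


def egress_tag(port_kind, vid):
    """802.1Q tag a frame carries when it leaves `port_kind`; None if dropped.

    normal_trunk: the tag passes through unchanged. A PVLAN-aware peer needs
        the secondary VLAN id so it can keep enforcing isolation on its own
        host ports (hence 'normal trunk between PVLAN-aware switches').
    promisc_pvlan_trunk: a secondary VLAN is rewritten to its primary, so a
        device that knows nothing about PVLANs only ever sees the primary
        VLAN. Primary and ordinary VLANs pass unchanged; anything else drops.
    """
    if port_kind == "normal_trunk":
        return vid
    if port_kind == "promisc_pvlan_trunk":
        if vid in PVLAN or vid in NORMAL_VLANS:
            return vid
        return primary_of(vid)
    raise ValueError(f"unknown port kind: {port_kind}")


def tag_seen_by_firewall(host_vlan, core_uplink_kind):
    """Tag the firewall receives from a host in `host_vlan`.

    Path: access switch -> (normal trunk) -> core -> (`core_uplink_kind`)
    -> firewall, which is the topology discussed in the thread.
    """
    on_core = egress_tag("normal_trunk", host_vlan)
    return egress_tag(core_uplink_kind, on_core)


def firewall_understands(tag):
    """True if the (assumed) firewall has an interface for the received tag."""
    return tag is not None and tag in FIREWALL_VLANS


def deliverable_to_host(ingress_vid, from_promiscuous, host_secondary):
    """May a frame tagged `ingress_vid` reach a host port in `host_secondary`?

    A frame that entered from the promiscuous side travels in the primary
    VLAN and reaches every secondary mapped to that primary. A frame from
    another host port stays in its secondary VLAN: community members reach
    each other, isolated hosts only ever hear the promiscuous side.
    """
    if from_promiscuous:
        return host_secondary in PVLAN.get(ingress_vid, {})
    primary = primary_of(ingress_vid)
    if primary is None or host_secondary not in PVLAN[primary]:
        return False
    return ingress_vid == host_secondary and PVLAN[primary][host_secondary] == "community"


if __name__ == "__main__":
    for uplink in ("normal_trunk", "promisc_pvlan_trunk"):
        tag = tag_seen_by_firewall(1198, uplink)
        print(f"core->firewall {uplink:20}: firewall sees tag {tag}, "
              f"understood={firewall_understands(tag)}")
    # The firewall's reply comes back tagged with the primary VLAN and fans
    # out to both secondaries; community hosts also reach each other, while
    # an isolated host never reaches another isolated host.
    print("fw reply -> community host:", deliverable_to_host(1096, True, 1198))
    print("fw reply -> isolated host: ", deliverable_to_host(1096, True, 1199))
    print("community -> community:    ", deliverable_to_host(1198, False, 1198))
    print("isolated -> isolated:      ", deliverable_to_host(1199, False, 1199))
```

Run as a script it prints that with a plain trunk the firewall receives tag 1198, a VLAN it has no interface for, while the promiscuous PVLAN trunk delivers the same frame as 1096; that translation is the reason the non-PVLAN-aware side needs the PVLAN trunk, and the reason the PVLAN-aware switches must not have it (they need the real secondary tag to keep isolating host ports).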

VLAN 1072 BASE_NET_A 

Community 1090

Isolated 1091

The others are normal VLANs.

interface <interface-name>
switchport mode private-vlan trunk promiscuous
switchport private-vlan mapping trunk <primary-vlan1> <secondary-vlans1>
switchport private-vlan mapping trunk <primary-vlan2> <secondary-vlans2>
switchport private-vlan trunk allowed vlan <primary-vlans> <normal-vlans>
switchport private-vlan trunk native vlan <primary-/normal-vlan>


interface <interface-name>
switchport mode private-vlan trunk promiscuous
switchport private-vlan mapping trunk 1072 1090
switchport private-vlan mapping trunk 1072 1091
switchport private-vlan trunk allowed vlan 1072 1010 1020 1070 1071 1073 1074 1075 1080
switchport private-vlan trunk native vlan 1072

You said:

switchport private-vlan trunk native vlan <primary-/normal-vlan>

I can only set one VLAN to native.

Is the port configured right?

Hi Joachim,

It's analogous to a "normal" trunk: from the allowed VLANs (which are primary or non-private VLANs), you can pick one that should be native. It does not matter whether it is a primary or a non-private VLAN.

My test setup is ready.
Unfortunately, it's not working; my clients in the BASE A network are not receiving IP addresses.

My problem is that the clients in the BASE_A_NETZ VLAN 1073 are not receiving a DHCP address. The relay is on the FW and the DHCP server is a VM on the Proxmox.

C9300 Switch 1 Port 20 Primary VLAN 1073

C9300 Switch 2 Port 20 Primary VLAN 1073

Tomorrow I will test static IP.

What could be the reason that the clients are not getting an IP?

The admin client in VLAN 1010 is getting one, but it is not in the primary VLAN.

Thanks for your help.

Greeting Joachim W.

In the PDF there is a mistake: the client is on port 20.

The pVLAN config is looking good so far, but on your pTrunk to the FW, VL1073 is the native VLAN, while eth11.1073 on the firewall looks tagged to me. Are you sure VL1073 is untagged between FP and C9500?

That is a good question; I must look into that. On the firewall I have a subnet in VLAN 1073 with a gateway 10.73.0.254.  Today I tested the client with a static IP and I don't get an Internet connection. Now I have to troubleshoot whether it's due to the connection between the core and the firewall, or possibly the core to the access switch with a normal trunk, if that breaks up the broadcast with the secondary VLAN.

OK, nice, I will test this.

My first test was Switch 1 community to Switch 2 community, and this was not working.

Do I need promiscuous ports when I go from community ports on Switch 1 to community ports on Switch 2?

Best regards

Joe

Thx