I have a question regarding the private VLAN feature.
In a private VLAN context, could anyone explain to me the benefit of a port of type promiscuous trunk?
As far as I know, this port type is used when the equipment behind the port does not have PVLAN enabled, so the promiscuous trunk port "rewrites" the secondary VLAN tag to the primary VLAN tag and forwards the frame with the primary VLAN tag. Is this true?
I ask this because in my topology I have a normal trunk on my switch (with only the primary VLAN allowed), connected to the router (with no PVLAN), and when I ping the router from an isolated host behind an isolated port on my switch, it works... So why? This is why I'm wondering about the benefit of the promiscuous trunk port type.
This is really interesting. Ordinarily, this should not have worked because the pings from a host in an isolated secondary PVLAN would be sent through the trunk to the router tagged with the secondary PVLAN tag - the router should not understand that.
I wonder - is it possible to post a diagram of your topology, including the configuration of your router and the switch where the pinging host is connected?
By the way, your understanding of the promiscuous PVLAN trunk is correct - it rewrites the tags of all associated secondary PVLANs into the corresponding primary PVLAN ID.
Just wondering: Is it by any means possible that your router is connected to a promiscuous port? Please understand that promiscuous port and promiscuous PVLAN trunk are different things; a promiscuous port still acts only as an access port without any tagging; however, any secondary PVLAN port can communicate with a promiscuous port, regardless of the secondary PVLAN type. Could this be the case?
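A small model, added here and not taken from the thread or from any vendor code, of what the reply above describes: how the VLAN tag of a frame from an isolated host is treated on the uplink for each port type, and which PVLAN host ports can reach each other. The port modes, the UplinkPort class and the SECONDARY_TO_PRIMARY map are assumptions modelled on the poster's VLAN 10/11 setup.

```python
from dataclasses import dataclass

# Constructed PVLAN map from the thread: secondary (isolated) VLAN 11 -> primary VLAN 10.
SECONDARY_TO_PRIMARY = {11: 10}


@dataclass
class UplinkPort:
    """Hypothetical model of the switch port facing the router."""
    mode: str                         # "trunk" | "promiscuous-trunk" | "promiscuous"
    allowed: frozenset = frozenset()  # VLANs carried on a trunk; primaries on a promiscuous trunk


def egress_tag(port: UplinkPort, vid: int):
    """Tag a frame tagged `vid` carries when it leaves `port` toward the router.
    Returns None if the switch drops it, 0 for an untagged (access) frame."""
    primary = SECONDARY_TO_PRIMARY.get(vid, vid)
    if port.mode == "trunk":
        # Ordinary 802.1Q trunk: no PVLAN rewrite. A frame from an isolated host
        # still carries tag 11, which a trunk allowing only VLAN 10 filters out.
        return vid if vid in port.allowed else None
    if port.mode == "promiscuous-trunk":
        # Promiscuous PVLAN trunk: an associated secondary tag is rewritten to its
        # primary, so a router that knows nothing about PVLANs only ever sees VLAN 10.
        return primary if primary in port.allowed else None
    if port.mode == "promiscuous":
        # Promiscuous access port: frames leave untagged, and every secondary VLAN can reach it.
        return 0
    raise ValueError(f"unknown port mode {port.mode!r}")


def pvlan_ports_can_talk(src: tuple, dst: tuple) -> bool:
    """Layer-2 reachability between two PVLAN ports, each given as (type, vlan):
    a promiscuous port reaches everything, community ports also reach members of
    the same community, and isolated ports reach only promiscuous ports."""
    (src_type, src_vlan), (dst_type, dst_vlan) = src, dst
    if "promiscuous" in (src_type, dst_type):
        return True
    if src_type == dst_type == "community":
        return src_vlan == dst_vlan
    return False  # isolated <-> isolated, or community <-> isolated
```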
Thanks for your response.
The topology is simple.
I have 1 switch (L2) with the private VLAN feature, connected to one router (L3).
Primary VLAN: 10, secondary isolated VLAN: 11
vlan 11
 private-vlan isolated
vlan 10
 private-vlan primary
 private-vlan association 11
The switch has 3 ports configured as isolated ports like this:
Isolated ports towards the hosts:
switchport mode private-vlan host
! host-association takes the primary VLAN followed by the secondary VLAN
switchport private-vlan host-association 10 11
Behind these 3 ports I have 3 hosts, with 3 different OSes.
And I have the uplink to the router, connected from the switch with this port configuration (not with a promiscuous port, as I said):
switchport mode trunk
switchport trunk allowed vlan 10
And the same configuration on the router port. And when I ping the router VIP from the isolated hosts, it works...