09-12-2017 12:22 PM - edited 03-08-2019 12:00 PM
Hello,
I have a question regarding the private VLAN feature.
In a private VLAN context, could anyone explain to me the benefit of a port of type promiscuous trunk?
As far as I know, this port type is used when the equipment behind the port doesn't have PVLAN enabled, so the promiscuous trunk port "rewrites" the secondary VLAN tag to the primary VLAN tag in order to forward the frame with the primary VLAN tag. Is this true?
I ask this because in my topology I have a normal trunk on my switch (with only the primary VLAN allowed), connected to the router (with no PVLAN), and when I ping the router from an isolated host behind an isolated port on my switch, it works... So why? And this is why I'm wondering about the benefit of the promiscuous trunk port type.
Thank you.
09-12-2017 01:09 PM
Hi Benoit,
This is really interesting. Ordinarily, this should not have worked because the pings from a host in an isolated secondary PVLAN would be sent through the trunk to the router tagged with the secondary PVLAN tag - the router should not understand that.
I wonder - is it possible to post a diagram of your topology, including the configuration of your router and the switch where the pinging host is connected?
By the way, your understanding of the promiscuous PVLAN trunk is correct - it rewrites the tags of all associated secondary PVLANs into the corresponding primary PVLAN ID.
Just wondering: Is it by any means possible that your router is connected to a promiscuous port? Please understand that promiscuous port and promiscuous PVLAN trunk are different things; a promiscuous port still acts only as an access port without any tagging; however, any secondary PVLAN port can communicate with a promiscuous port, regardless of the secondary PVLAN type. Could this be the case?
Thank you!
Best regards,
Peter
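To make the distinction Peter draws between a promiscuous port and a promiscuous PVLAN trunk concrete, here is an added configuration example. It is not from either poster; it assumes Catalyst 4500-style IOS syntax (promiscuous trunk support is platform-dependent), and the VLAN IDs, interface numbers and the extra community VLAN are made up for illustration:

```cisco
! Added example, not the poster's configuration.
! Assumed: Catalyst 4500-style IOS, made-up VLAN and interface numbers.
! Primary VLAN 10 with one isolated (11) and one community (12) secondary VLAN.
vlan 10
 private-vlan primary
 private-vlan association 11,12
vlan 11
 private-vlan isolated
vlan 12
 private-vlan community
!
! Host port in the isolated secondary VLAN: untagged, bound to the pair (10,11).
interface GigabitEthernet1/1
 switchport mode private-vlan host
 switchport private-vlan host-association 10 11
!
! Promiscuous PORT: an untagged access-style port. Hosts in any mapped
! secondary VLAN (isolated or community) can reach it; the attached device
! has no idea PVLANs exist and simply sits in VLAN 10.
interface GigabitEthernet1/10
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 11,12
!
! Promiscuous TRUNK: an 802.1Q trunk. Frames arriving from secondary VLANs 11
! or 12 are re-tagged with the primary ID 10 on egress, so a router with no
! PVLAN support only ever sees tag 10. The same trunk can also carry ordinary,
! non-PVLAN VLANs (20 here) alongside the PVLAN mapping.
interface GigabitEthernet1/11
 switchport mode private-vlan trunk promiscuous
 switchport private-vlan mapping trunk 10 11,12
 switchport private-vlan trunk allowed vlan 20
!
! For contrast, a plain trunk performs no rewrite; per Peter's explanation
! above, isolated-host traffic would be forwarded with the secondary tag 11:
! interface GigabitEthernet1/12
!  switchport mode trunk
!  switchport trunk allowed vlan 10
```

To check what a given port is actually doing, `show vlan private-vlan` lists the primary/secondary associations and which ports belong to each pair, and `show interfaces GigabitEthernet1/11 switchport` shows the operational mode (private-vlan trunk promiscuous, promiscuous, or plain trunk) together with the mappings in effect.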
09-13-2017 02:05 AM - edited 09-13-2017 02:08 AM
Hi Peter,
Thanks for your response.
The topology is simple.
I have 1 switch (L2) with the private VLAN feature, connected to one router (L3).
Primary VLAN: 10, secondary Isolated VLAN: 11
vlan 10 private-vlan primary
private-vlan association 11
vlan 11
name Test_ISOLATED
private-vlan isolated
The switch has 3 ports as isolated port configured as this:
Isolated ports towards the hosts:
switchport mode private-vlan host
switchport private-vlan host-association 10
Behind these 3 ports I have 3 hosts, with 3 different OSes.
And I have the uplink to the router, connected from the switch with this port configuration (not with a promiscuous port as you mentioned):
switchport mode trunk
switchport trunk allowed vlan 10
And the same configuration on the router port. And when I ping the router VIP from the isolated hosts, it works...
Thank you.
09-13-2017 02:13 AM
Hi Benoit,
Isolated ports towards the hosts:
switchport mode private-vlan host
switchport private-vlan host-association 10
Is this configuration complete? Correctly, the last line should say:
switchport private-vlan host-association 10 11
Best regards,
Peter
09-13-2017 02:43 AM
Sorry Peter, yes, my configuration is switchport private-vlan host-association 10 11.
I forgot the secondary VLAN in my message.
09-13-2017 03:02 AM
Hi Benoit,
That's interesting :) What is the exact switch type and IOS version please?
Best regards,
Peter
09-13-2017 03:20 AM - edited 01-06-2018 11:35 AM
A **** with **** firmware version.
09-13-2017 03:30 AM
And some additional information: I have an SVI for the primary VLAN on the switch, but it is not used in my private VLAN context. The default gateway of my hosts is the router VIP (on the primary VLAN subnet), which pings.