PVLAN context, role of promiscuous trunk port

Hello,

I have a question regarding the private VLAN feature.

In a private VLAN context, could anyone explain to me the benefit of a port of type promiscuous trunk?

As far as I know, this port type is used when the equipment behind the port doesn't have PVLAN enabled, so the promiscuous trunk port "rewrites" the secondary VLAN tag to the primary VLAN tag and forwards the frame with the primary VLAN tag. Is this true?

I ask this because in my topology I have a normal trunk on my switch (with only the primary VLAN allowed), connected to the router (with no PVLAN), and when I ping the router from an isolated host behind an isolated port on my switch, it works... So why? And this is why I'm wondering about the benefit of the promiscuous trunk port type.

Thank you.

Peter Paluch
Cisco Employee

Hi Benoit,

This is really interesting. Ordinarily, this should not have worked because the pings from a host in an isolated secondary PVLAN would be sent through the trunk to the router tagged with the secondary PVLAN tag - the router should not understand that.

I wonder - is it possible to post a diagram of your topology, including the configuration of your router and the switch where the pinging host is connected?

By the way, your understanding of the promiscuous PVLAN trunk is correct - it rewrites the tags of all associated secondary PVLANs into the corresponding primary PVLAN ID.

Just wondering: Is it by any means possible that your router is connected to a promiscuous port? Please understand that promiscuous port and promiscuous PVLAN trunk are different things; a promiscuous port still acts only as an access port without any tagging; however, any secondary PVLAN port can communicate with a promiscuous port, regardless of the secondary PVLAN type. Could this be the case?

Thank you!

Best regards,
Peter
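To make the tag handling Peter describes concrete, here is an added toy model (not Cisco code and not from this thread) of what tag a frame carries when it leaves each PVLAN port type. It uses the thread's VLAN 10 (primary) and 11 (isolated); VLAN 12 is an assumed community VLAN added only to show the host-port rule for that case. The model follows the behaviour Peter explains; it does not account for the result Benoit observed.

```python
# Toy model of how a private-VLAN switch tags (or drops) a frame on egress.
# Constructed example, not Cisco code: VLAN 10 is the primary and VLAN 11 the
# isolated secondary from the thread; VLAN 12 is an assumed community VLAN
# added so the host-port rule can show the community case as well.

PRIMARY = 10
SECONDARY = {11: "isolated", 12: "community"}   # secondary VLAN -> type
ASSOCIATION = {11: PRIMARY, 12: PRIMARY}        # secondary VLAN -> primary

DROP = "DROP"

def egress_tag(frame_vlan, port):
    """Tag a frame carries when it leaves `port`: a VLAN id, None (untagged) or DROP.

    frame_vlan: VLAN the frame belongs to inside the switch. A host behind an
                isolated port injects its frames into the secondary VLAN (11).
    port:       {"mode": ..., "allowed": set()} for trunks,
                {"mode": "host", "secondary": id} for host ports.
    """
    mode = port["mode"]
    if mode == "trunk":
        # A normal 802.1Q trunk keeps the frame's own VLAN: a secondary-VLAN frame
        # leaves tagged 11, which a non-PVLAN router does not understand, or is
        # dropped if 11 is not in the allowed list.
        return frame_vlan if frame_vlan in port["allowed"] else DROP
    if mode == "promiscuous-trunk":
        # Rewrites every associated secondary tag into the primary VLAN tag, so the
        # far end sees only VLAN 10 and needs no PVLAN awareness.
        vlan = ASSOCIATION.get(frame_vlan, frame_vlan)
        return vlan if vlan in port["allowed"] else DROP
    if mode == "promiscuous":
        # A promiscuous access port is untagged and reachable from every secondary VLAN.
        return None
    if mode == "host":
        # A host port receives primary-VLAN traffic (e.g. replies from the router) and,
        # only for a community VLAN, traffic from its own secondary VLAN.
        sec = port["secondary"]
        if frame_vlan == ASSOCIATION[sec]:
            return None
        if frame_vlan == sec and SECONDARY[sec] == "community":
            return None
        return DROP
    raise ValueError(f"unknown port mode {mode!r}")

if __name__ == "__main__":
    # Benoit's uplink: a plain trunk with only the primary VLAN allowed.
    print(egress_tag(11, {"mode": "trunk", "allowed": {10}}))              # DROP
    print(egress_tag(11, {"mode": "promiscuous-trunk", "allowed": {10}}))  # 10
```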

Hi Peter,

Thanks for your response.

The topology is simple.

I have 1 switch (L2) with the private VLAN feature, connected to one router (L3).
Primary VLAN: 10, secondary isolated VLAN: 11

vlan 10
 private-vlan primary
 private-vlan association 11

vlan 11
 name Test_ISOLATED
 private-vlan isolated

The switch has 3 ports configured as isolated ports like this:
Isolated ports towards the hosts:
 switchport mode private-vlan host
 switchport private-vlan host-association 10

Behind these 3 ports I have 3 hosts, with 3 different OSes.

And I have the uplink to the router, connected from the switch with this port configuration (not with a promiscuous port, as I mentioned):
 switchport mode trunk
 switchport trunk allowed vlan 10

And the same configuration on the router port. And when I ping the router VIP from the isolated hosts, it works...

Thank you.

Hi Benoit,

Isolated ports towards the hosts:
switchport mode private-vlan host
switchport private-vlan host-association 10

Is this configuration complete? Correctly, the last line should say:

switchport private-vlan host-association 10 11

Best regards,
Peter

Sorry Peter, yes, my configuration is switchport private-vlan host-association 10 11.
I forgot the secondary VLAN in my message.

Hi Benoit,

That's interesting :) What is the exact switch type and IOS version please?

Best regards,
Peter

A **** with **** firmware version.

And as additional information, I have an SVI of the primary VLAN on the switch, but it is not used in my private VLAN context. The default gateway of my hosts is the router VIP (on the primary VLAN subnet), which pings.
