
PVLAN - packet missing VLAN?


I am currently testing some PVLAN configurations and so far almost everything matches what I am expecting to see.

The most confusing part of the testing is that when I connect a sniffer and run ICMP packets back and forth I cannot find the VLAN tag anywhere. The packet matches what I would expect to see on a native VLAN, but the PVLANs I am testing with are 950-959.

Does anyone know why I would not see PVLAN packets with tagged VLAN information?

Does anyone have an example of a PVLAN packet with a tagged VLAN they wouldn't mind showing me?

Any information about this problem or about the formation of the packets for PVLAN will be most helpful.

Thank you in advance for your knowledge, time, and assistance.

5 Replies

Since no one replied in 24 hours I put in a Cisco support ticket. Let's see if Cisco knows.

Not seen the tagging on an 802.1Q or ISL trunk link? Could you provide us with the monitor session config?

Have you tried the destination encapsulation option:

Private VLANs Across Multiple Switches

Regular Trunks
Private VLAN Trunks

ansalaza, the first link doesn't work.

The testing base is as follows:

3550(host) ---promiscuous[950] --- {   6509(main switch)  } ---community[953]---3550(host)

                                                                                    ^ ---community[954]---3750(host)

                                                                        ^---isl trunk---3750(switch2)---isolated[952]---3750(host)

                                                            ^---isl trunk---3750(switch1)

We have used up to 2 laptops to test with and of course the 4 host switches as well. The entire test bed is configured for a /24 network.

If we connect a laptop to switch1 on a community 953 host port and send an ICMP to the 3550(host) that is connected on the community 953 host port, the sniffer shows an ICMP packet that is just a basic native VLAN ICMP packet, i.e. no VLAN tag.

This path takes them across an ISL trunk on switch 1 and then through the 6509 across to the receiving host.

Alexis Brenes, with the TAC Switching Team, had this to say about PVLAN and tags:

I was doing some research about your questions and it seems due to the nature
of private-vlans we cannot capture the VLAN tag. The private-vlans don't
have a dot1q tag we can see or capture.

In normal configurations the trunk ports are the ones we use to capture tagged packets;
however, as I said before, the PVLAN doesn't have a tag.

This creates a whole new set of questions for me.

1) How do you troubleshoot PVLAN without VLAN tags?

2) At the packet level how does the switch know if a packet is allowed to go somewhere?

--2a) At what point does the switch say "you are not allowed to go here" and why?

Does anyone else feel that the lack of awareness toward this magical technology we call PVLANs is dangerously under-documented?

Just need to remove "http:// http://" from the link:

Original link

Still not sure where the capture is being taken. What is the monitor session configuration on the switch?
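
For checking a capture like the ones discussed in this thread, the following added example (not from any poster or from Cisco) classifies a raw layer-2 frame as untagged, 802.1Q-tagged, or ISL-encapsulated and extracts the VLAN ID. The sample frames, MAC addresses and function names are constructed for illustration; the ISL offsets assume Cisco's published 26-byte ISL header layout.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag
ISL_DA = (bytes.fromhex("01000c0000"), bytes.fromhex("03000c0000"))
ISL_LEN = 26         # ISL header wraps the entire original frame


def classify_frame(frame: bytes) -> dict:
    """Report how a captured layer-2 frame carries its VLAN ID, if at all."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    # ISL: 40-bit multicast DA, SNAP bytes AA AA 03 at offset 14,
    # 15-bit VLAN plus 1 BPDU bit at offset 20.
    if len(frame) >= ISL_LEN and frame[:5] in ISL_DA and frame[14:17] == b"\xaa\xaa\x03":
        (word,) = struct.unpack_from("!H", frame, 20)
        return {"encap": "isl", "vlan": word >> 1}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI = 3-bit priority, 1-bit DEI, 12-bit VLAN ID
        tci, inner = struct.unpack_from("!HH", frame, 14)
        return {"encap": "dot1q", "vlan": tci & 0x0FFF, "pcp": tci >> 13, "ethertype": inner}
    return {"encap": "untagged", "vlan": None, "ethertype": ethertype}


# Constructed sample data (not taken from a real capture).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = bytes(28)  # placeholder for the IP/ICMP bytes


def untagged_frame() -> bytes:
    return DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD


def dot1q_frame(vlan: int) -> bytes:
    return DST + SRC + struct.pack("!HHH", TPID_8021Q, vlan, 0x0800) + PAYLOAD


def isl_frame(vlan: int) -> bytes:
    inner = untagged_frame()
    header = (ISL_DA[0] + b"\x00" + SRC + struct.pack("!H", len(inner))
              + b"\xaa\xaa\x03" + SRC[:3] + struct.pack("!H", vlan << 1) + bytes(4))
    return header + inner


if __name__ == "__main__":
    for f in (untagged_frame(), dot1q_frame(953), isl_frame(952)):
        print(classify_frame(f))
```

Capture NICs and drivers often strip 802.1Q tags before the sniffer sees them, so an "untagged" result on a trunk capture should be checked against the capture adapter's settings.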
