06-15-2010 02:40 PM - edited 03-06-2019 11:35 AM
Hello,
Working with a 3750 and pvlans. I cannot route to any pvlan other than the promiscuous port. As far as I can tell I have Layer 3 routing enabled... but then again it's not working!?!
Basically I'm separating out servers from workstations through pvlans and want to use ACLs for security. With the current setup I have all ip, tcp and icmp traffic allowed to any any but it is still not working. Cannot ping or RDP to any system outside of their pvlan.
Please help... losing too many brain cells... save the brain cells.....!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone UTC -8
switch 1 provision ws-c3750g-24ts-1u
system mtu routing 1500
vtp mode transparent
authentication mac-move permit
ip subnet-zero
ip routing
ip domain-name xxxxxxxxxxxxxxxxx
ip name-server xxx.xxx.xxx.xxx
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 100
private-vlan primary
private-vlan association 101-103
!
vlan 101
name LAN
private-vlan community
!
vlan 102
name Secure
private-vlan community
!
vlan 103
name Servers
private-vlan community
!
!
!
interface GigabitEthernet1/0/1
switchport private-vlan host-association 100 103
switchport mode private-vlan host
!
interface GigabitEthernet1/0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport private-vlan mapping 100 101-103
switchport mode private-vlan promiscuous
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust dscp
auto qos voip trust
macro description cisco-router
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/6
description Adm - NIC 1
switchport private-vlan host-association 100 101
switchport mode private-vlan host
!
interface GigabitEthernet1/0/24
description SV01 - NIC 2
switchport private-vlan host-association 100 102
switchport mode private-vlan host
!
interface Vlan1
no ip address
!
interface Vlan3
no ip address
!
interface Vlan100
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip access-group 100 in
ip access-group 100 out
private-vlan mapping 101-103
!
interface Vlan101
no ip address
shutdown
!
ip default-gateway xxx.xxx.xxx.xxx
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
access-list 100 permit ip any any
access-list 100 permit tcp any any
access-list 100 permit icmp any any
!
06-15-2010 03:16 PM
Hi Ron, if I understand your problem correctly, you can successfully connect from device to device within (say) vlan 101, but not from vlan 101 to 102 or 103. You're using the same SVI for all of these, so they're all in the same subnet, so you wouldn't be routing between them but switching. I'm pretty sure connectivity is barred between different community vlans so you need to go through an L3 device (SVI) i.e. you need a different SVI for each vlan for the ACLs to filter the traffic, seemingly negating the pvlan requirement.
Thanks
John
06-15-2010 04:16 PM
Hey John,
Thanks for the quick response. You are correct with me being able to access anything within the pvlan community and the promiscuous port. I can also ping the SVI IP from any pvlan but that is the end of the story. From what I understand, when using pvlans the SVI needs to be set up in transparent mode and you can only set it up for the primary pvlan, which propagates to the secondary pvlans.... still looking into it further.
"Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs. Configure Layer 3 VLAN interfaces only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs"
3750 manual page 471
06-18-2010 05:56 PM
For all others that are ripping out their hair on layer 3 communication on pvlans without having a router that can proxy ARP... after 5 days of pain:
What needs to happen is that local proxy ARP and IP proxy ARP both need to be enabled on the primary pvlan interface. After that, ACLs will control traffic between community pvlans.
peace out!
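As a worked version of the fix in the last post, here is an added example (not the original poster's configuration and not taken from Cisco documentation) of the primary-VLAN SVI with proxy ARP enabled and a restrictive ACL in place of access-list 100. The VLAN numbers are the thread's (100 primary; 101 LAN, 102 Secure, 103 Servers as communities); the addresses, host ranges and the ACL name are constructed placeholders. The point a practitioner should take from the thread is that once the SVI answers ARP for every host in the subnet, the SVI ACL is the only thing still keeping the three communities apart, so "permit ip any any" (which also makes the thread's second and third ACL lines unreachable) gives away the separation the private VLANs were built for. Because the reply packets hairpin through the SVI just like the requests, the return direction has to be permitted explicitly (established, echo-reply).

```ios
! Added example, not the original poster's configuration: primary-VLAN SVI for the
! thread's private VLAN (100 primary; 101 LAN, 102 Secure, 103 Servers communities)
! with local proxy ARP enabled and a restrictive ACL in place of access-list 100.
! All addresses are constructed placeholders (192.0.2.0/24): workstations assumed
! in 192.0.2.0/25, servers in 192.0.2.128/26, the Secure hosts in 192.0.2.200/29,
! and 192.0.2.10 assumed to be the admin workstation on Gi1/0/6.
!
! Weak form (from the thread): the first line matches everything, so the next two
! are never evaluated, and with proxy ARP on, nothing separates the communities.
access-list 100 permit ip any any
access-list 100 permit tcp any any
access-list 100 permit icmp any any
!
! Hardened replacement. Every intra-subnet packet in BOTH directions hairpins
! through the SVI, so the return traffic must be permitted as well
! (established / echo-reply), not only the request direction.
ip access-list extended PVLAN-INTER-COMMUNITY
 remark -- LAN community to Servers community: RDP and ping only --
 permit tcp 192.0.2.0 0.0.0.127 192.0.2.128 0.0.0.63 eq 3389
 permit tcp 192.0.2.128 0.0.0.63 eq 3389 192.0.2.0 0.0.0.127 established
 permit icmp 192.0.2.0 0.0.0.127 192.0.2.128 0.0.0.63 echo
 permit icmp 192.0.2.128 0.0.0.63 192.0.2.0 0.0.0.127 echo-reply
 remark -- Secure community: reachable only from the admin host --
 permit ip host 192.0.2.10 192.0.2.200 0.0.0.7
 permit ip 192.0.2.200 0.0.0.7 host 192.0.2.10
 remark -- any other traffic between hosts of this subnet is dropped and logged --
 deny   ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255 log
 remark -- traffic with at least one endpoint outside the subnet (via the
 remark -- default route) is not a private-VLAN concern and still passes --
 permit ip any any
!
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101-103
 ! on by default in IOS; stated explicitly, as in the thread's fix
 ip proxy-arp
 ! the SVI answers ARP requests for hosts on its own subnet, so a host in one
 ! community sends same-subnet traffic to the SVI MAC instead of failing at L2
 ip local-proxy-arp
 ! hairpinned flows would otherwise trigger ICMP redirects back to the sender
 no ip redirects
 ip access-group PVLAN-INTER-COMMUNITY in
```

A single inbound ACL is enough here: each hairpinned packet enters the SVI exactly once, so applying the list in both directions, as the thread's config does with access-list 100, only evaluates the same packet twice. To confirm the mechanism is active, "show ip interface vlan 100" should report both Proxy ARP and Local Proxy ARP as enabled, a host's ARP cache should show the SVI MAC for any address in another community, and "show access-lists PVLAN-INTER-COMMUNITY" should accumulate hit counts on the permit lines while the logged deny line records anything that tries to cross a community boundary without a matching rule.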