
pvlan routing issue 3750

beartoe1900
Level 1

Hello,

Working with a 3750 and pvlans. I cannot route to any pvlan other than the promiscuous port. As far as I can tell I have Layer 3 routing enabled….but then again it’s not working!?!

Basically I’m separating out servers from workstations through pvlans and want to use ACLs for security. With the current setup I have all ip, tcp and icmp traffic allowed to any any but it’s still not working. Cannot ping or RDP to any system outside of their pvlan.

Please help…losing too many brain cells…save the brain cells…..!

version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone UTC -8
switch 1 provision ws-c3750g-24ts-1u
system mtu routing 1500
vtp mode transparent
authentication mac-move permit
ip subnet-zero
ip routing
ip domain-name xxxxxxxxxxxxxxxxx
ip name-server xxx.xxx.xxx.xxx
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 100
 private-vlan primary
 private-vlan association 101-103
!
vlan 101
 name LAN
 private-vlan community
!
vlan 102
 name Secure
 private-vlan community
!
vlan 103
 name Servers
 private-vlan community
!
!
!
interface GigabitEthernet1/0/1
 switchport private-vlan host-association 100 103
 switchport mode private-vlan host
!
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport private-vlan mapping 100 101-103
 switchport mode private-vlan promiscuous
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 auto qos voip trust
 macro description cisco-router
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/6
 description Adm - NIC 1
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
!
interface GigabitEthernet1/0/24
 description SV01 - NIC 2
 switchport private-vlan host-association 100 102
 switchport mode private-vlan host
!
interface Vlan1
 no ip address
!
interface Vlan3
 no ip address
!
interface Vlan100
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 private-vlan mapping 101-103
!
interface Vlan101
 no ip address
 shutdown
!
ip default-gateway xxx.xxx.xxx.xxx
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
access-list 100 permit ip any any
access-list 100 permit tcp any any
access-list 100 permit icmp any any
!

3 Replies

crobenstein
Level 1

Hi Ron, if I understand your problem correctly, you can successfully connect from device to device within (say) vlan 101, but not from vlan 101 to 102 or 103.  You're using the same SVI for all of these, so they're all in the same subnet, so you wouldn't be routing between them but switching.  I'm pretty sure connectivity is barred between different community vlans so you need to go through an L3 device (SVI) i.e. you need a different SVI for each vlan for the ACLs to filter the traffic, seemingly negating the pvlan requirement.

Thanks

John

Hey John,

Thanks for the quick response. You are correct with me being able to access anything within the pvlan community and the promiscuous port. I can also ping the SVI IP from any pvlan, but that is the end of the story. From what I understand, when using pvlans the SVI needs to be set up in transparent mode and you can only set it up for the primary pvlan, which propagates to the secondary pvlans....still looking into it further.

"Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs. Configure Layer 3 VLAN interfaces only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs"

3750 manual page 471

For all others who are ripping out their hair over Layer 3 communication on pvlans without having a router that can proxy ARP......after 5 days of pain:

What needs to happen is that local proxy ARP and IP proxy ARP both need to be enabled on the primary pvlan interface. After that, ACLs will control traffic between community pvlans.

peace out!
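As an added example (not the poster's configuration), here is the fix described above applied to interface Vlan100, together with an ACL that actually enforces the separation: the original access-list 100 permits everything, so once proxy ARP is on it filters nothing. All addresses are constructed from the 192.0.2.0/24 documentation range in place of the masked ones, and the /26 split between the three communities is an assumption.

```ios
! Added example, not the poster's config. Addresses are constructed from the
! RFC 5737 documentation range to stand in for the masked xxx.xxx.xxx.xxx:
!   SVI 192.0.2.1, LAN (vlan 101) 192.0.2.0/26, Servers (vlan 103) 192.0.2.64/26,
!   Secure (vlan 102) 192.0.2.128/26. Wildcard 0.0.0.63 covers a /26.
!
ip routing
!
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 ! Hosts in different community VLANs cannot reach each other at Layer 2, so
 ! the SVI answers ARP on their behalf and hairpins the traffic through L3.
 ! Local proxy ARP needs proxy ARP enabled on the interface (on by default,
 ! shown explicitly here).
 ip proxy-arp
 ip local-proxy-arp
 ! One inbound ACL is enough: every inter-community packet enters the SVI
 ! before it is routed back out of it. Applying the same list "out" as well,
 ! as in the original config, evaluates the hairpinned packet twice.
 ip access-group 110 in
 private-vlan mapping 101-103
!
! Inter-community policy. Traffic inside one community never touches the SVI,
! so nothing here can filter it; only cross-community flows (and off-subnet
! flows, if hosts use the SVI as their gateway) pass through this list.
access-list 110 remark All hosts may ping the SVI itself for troubleshooting
access-list 110 permit icmp 192.0.2.0 0.0.0.255 host 192.0.2.1 echo
access-list 110 remark LAN -> Servers: RDP and ping only
access-list 110 permit tcp 192.0.2.0 0.0.0.63 192.0.2.64 0.0.0.63 eq 3389
access-list 110 permit icmp 192.0.2.0 0.0.0.63 192.0.2.64 0.0.0.63 echo
access-list 110 remark Servers -> LAN: only replies to the above
access-list 110 permit tcp 192.0.2.64 0.0.0.63 192.0.2.0 0.0.0.63 established
access-list 110 permit icmp 192.0.2.64 0.0.0.63 192.0.2.0 0.0.0.63 echo-reply
access-list 110 remark Secure has no permits above, so it stays isolated
access-list 110 remark All other traffic between communities is dropped and logged
access-list 110 deny ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255 log
access-list 110 remark Traffic leaving the subnet through the SVI is allowed
access-list 110 permit ip 192.0.2.0 0.0.0.255 any
!
! Verify: the SVI should now report local proxy ARP and show hits on the list.
! show ip interface vlan 100 | include Proxy
! show access-lists 110
```

The single deny of 192.0.2.0/24 to itself is what keeps the policy tight: anything between communities that is not explicitly permitted above it is dropped and logged, while off-subnet traffic still falls through to the final permit.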
