There is no communication between PVLANs in the same community

Ahmed Abdullahi
Level 1

Hello,

On my lab switch I have two Private VLANs (201 and 202). They are configured to be in the same "community" but devices on them are unable to ping each other.

The device on PVLAN 201 has IP address 10.80.22.85 mask 255.255.255.0, the device on PVLAN 202 has IP address 10.80.22.72 mask 255.255.255.0, and the router has IP address 10.80.22.1 mask 255.255.255.0.

Do I have a config mistake?

==================================================================================================

service compress-config
!
hostname Ashburn4948
!
boot-start-marker
boot-end-marker
!
!
!

ip subnet-zero
!
!
ip vrf mgmtVrf
!
vtp mode transparent
!
power redundancy-mode redundant
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
name Public_VLAN
  private-vlan primary
  private-vlan association 201-202
!

vlan 201
name V1_PVLAN
  private-vlan community
!
vlan 202
name SS_PVLAN
  private-vlan community
!

!
interface GigabitEthernet1/1
description Connection to Router Interface Gig0/0/1
switchport access vlan 10
switchport private-vlan mapping 10 201-202
switchport mode private-vlan promiscuous
!

!

interface GigabitEthernet1/33
description V1_Devices
switchport private-vlan host-association 10 201
switchport mode private-vlan host
!

!
interface GigabitEthernet1/34
description V1_Devices
switchport private-vlan host-association 10 201
switchport mode private-vlan host
!
!

interface GigabitEthernet1/35
description SS_Devices
switchport private-vlan host-association 10 202
switchport mode private-vlan host
!
!
interface GigabitEthernet1/36
description SS_Devices
switchport private-vlan host-association 10 201
switchport mode private-vlan host
!
interface GigabitEthernet1/39
description SS_Devices
switchport private-vlan host-association 10 202
switchport mode private-vlan host
!
interface Vlan1
no ip address
!
interface Vlan80
ip address 10.0.80.11 255.255.255.0
!
interface Vlan90
ip address 192.168.11.1 255.255.255.240
!
interface Vlan110
ip address x.x.x.x 255.255.255.248
!
interface Vlan120
ip address 192.168.12.1 255.255.255.0
!
interface Vlan2097
ip address 172.16.70.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.11.2
ip route 10.50.0.0 255.255.0.0 172.16.70.1
ip route 14.1.1.0 255.255.255.0 172.16.70.1
ip route 172.16.1.0 255.255.255.0 172.16.70.1
ip route 192.168.1.0 255.255.255.0 172.16.70.1
ip route 192.168.30.0 255.255.255.0 172.16.70.3

!
!
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
!
!

end


Peter Paluch
Cisco Employee

Ahmed,

I believe what you observed is correct. Stations in different private VLANs will not be able to communicate with each other. Because of the community type VLAN, stations within VLAN 201 will be capable of communicating together, and stations within VLAN 202 will also be capable of communicating together. However, stations from VLAN 201 cannot communicate with stations in VLAN 202 and vice versa. After all, it would not make sense - why would you want to create two VLANs if their members should be able to talk to each other anyway?

The community means that within this particular VLAN, stations can talk to each other. However, two different private VLANs are not allowed to communicate with each other no matter what - even if they are mapped under the same primary private VLAN.

Best regards,

Peter

Peter,

I thought PVLAN was used to disable communication between devices that are on the same subnet and that I could use the router on port gig1/1 to "route" between the two PVLANs? What I was trying to achieve was to secure the devices from seeing each other's MAC address; I still need them to be able to communicate using IP addresses.

Thanks,

Ahmed

Hi Ahmed,

I thought PVLAN was used to disable communication between devices that are on the same subnet and that I could use the router on port gig1/1 to "route" between the two PVLANs?

No, that is not the point of PVLANs. Their intention is to partition an existing VLAN (primary PVLAN) into sub-VLANs (secondary PVLANs) that either allow the communication of their own members (community PVLANs) or disallow it completely (isolated PVLAN). However, communication between two secondary VLANs of an arbitrary type is always prohibited.

What I was trying to achieve was to secure the devices from seeing each other's MAC address; I still need them to be able to communicate using IP addresses.

Hmmm... You should create an isolated secondary PVLAN and put all stations into this PVLAN. That will prevent them from ever communicating directly. Furthermore, on the router, you deactivate sending ICMP Redirects and configure the Local Proxy ARP feature on its interface that will allow it to respond for any ARP request with its own MAC address. Please note that this is quite a dangerous feature because if there are any stations in this PVLAN (perhaps in some community secondary PVLANs) that should be able to talk to each other directly, it will lead to ARP conflicts (both the router and the station will respond to the ARP for the station's address). Hence, this configuration would be ideal only if the entire PVLAN contained a single isolated secondary PVLAN and no other community PVLANs.

The router would be configured as follows:

interface Gi0/0/1
  no ip redirects
  ip local-proxy-arp

Once again, all your stations must be put into the same secondary PVLAN of the isolated type.

Best regards,

Peter
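As an added example (not from the thread or from Cisco), here is a small Python model of the private-VLAN forwarding rules Peter describes above and of his "isolated PVLAN plus local proxy ARP" design, using Ahmed's VLAN and port numbers; VLAN 203 is an assumed isolated secondary VLAN that does not exist in Ahmed's config, and the ARP-responder function models the conflict Peter warns about.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    name: str
    secondary: int = 0  # 0 = promiscuous port (the router uplink Gi1/1)

# Secondary VLAN -> type; all are associated with primary VLAN 10.
SECONDARY = {201: "community", 202: "community", 203: "isolated"}

def l2_allowed(src: Port, dst: Port) -> bool:
    """Can a frame from src be delivered to dst inside primary VLAN 10?"""
    if src is dst:
        return False
    if src.secondary == 0 or dst.secondary == 0:  # promiscuous port involved
        return True
    if src.secondary != dst.secondary:  # two secondaries never talk, any type
        return False
    return SECONDARY[src.secondary] == "community"  # isolated members stay silent

def arp_responders(requester: Port, target: Port, router: Port,
                   local_proxy_arp: bool) -> set:
    """Who answers requester's ARP for target's IP? The target itself if the
    request can reach it, plus the router when ip local-proxy-arp is on."""
    who = set()
    if l2_allowed(requester, target):
        who.add(target.name)
    if local_proxy_arp and l2_allowed(requester, router):
        who.add(router.name)
    return who  # two names = the ARP conflict Peter warns about

def ip_reachable(src: Port, dst: Port, router: Port, local_proxy_arp: bool) -> bool:
    """Reachable by IP: directly at L2, or hairpinned through the router
    (which also needs 'no ip redirects' so it keeps forwarding itself)."""
    if l2_allowed(src, dst):
        return True
    return local_proxy_arp and l2_allowed(src, router) and l2_allowed(router, dst)

ROUTER = Port("Gi1/1")
GI33, GI34 = Port("Gi1/33", 201), Port("Gi1/34", 201)   # V1_Devices, community
GI35 = Port("Gi1/35", 202)                               # SS_Devices, community
ISO_A, ISO_B = Port("Gi1/33", 203), Port("Gi1/35", 203)  # assumed: all hosts isolated

if __name__ == "__main__":
    print("201 -> 202 directly:", l2_allowed(GI33, GI35))                # False
    print("isolated hosts via router:",
          ip_reachable(ISO_A, ISO_B, ROUTER, local_proxy_arp=True))    # True
    print("ARP answers inside community 201 with local proxy ARP:",
          arp_responders(GI33, GI34, ROUTER, local_proxy_arp=True))    # 2 responders
```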

Peter,

I did that and it worked.  Thanks.

Ahmed,

Thank you for letting me know!

Best regards,

Peter
