Vlans and PVLANS are frying my brain (Revised)

Eric chi
Level 1

Hello all, 
I am wondering if someone can help me to understand what's going on behind the hood with PVLANS on Cisco Catalyst. What I am trying to achieve may be totally the wrong application for PVLANS. If so lmk.

Questions:

  1. I am having trouble wrapping my mind around PVLANS and also understanding where the traffic actually resides with a PVLAN.
    Can it exist while never touching VLAN 1 (Default or Native VLAN)?

  2. Does a PVLAN promiscuous port pass VLAN 1 (Default or Native VLAN) and/or other standard NON-PVLANS if it is mapped to ONLY PVLANS?

  3. Can I assign different ip default-gateways to different VLANS?
    If so, how is this achieved? Through grouping? Lists? 

Environment:

  • Cat4500-e sup8e, ios-xe 3.11.10e, entservices.

Goals:

  1. I have multiple WAN connections that I want to ISOLATE and SEPARATE out.
  2. I want to use the CATALYST 4500 as my OUTBOUND ROUTER.
  3. I want to do BGP on ONE of my WAN connections (the one that supports it).
  4. My environment has multiple NON-VLAN aware NON-CISCO routers as subs for nat.
  5. I want to have my WAN incoming links on separate PVLANS that never communicate with VLAN 1.
  6. The WANs may NEVER INTERACT unless EXPLICITLY DEFINED by a ROUTE.
  7. The WANs need to be separated out with some ports that need to be ISOLATED and SOME that CAN TALK to each other.
  8. I want to do ROUTING on the PRIMARY PVLAN Between Community and an eventual ISOLATED VLAN for servers.

My config so far:

  1. I've set VTP off.
  2. I've created a PVLAN PRIMARY and a PVLAN COMMUNITY that are associated in PVLAN PRIMARY config.
  3. I've assigned a switchport to Gi 3/1 (wan incoming) as SWITCHPORT MODE PRIVATE-VLAN HOST and assigned the INTERFACE PVLAN HOST and set association to PRIMARY and COMMUNITY PVLANS.
  4. I assigned a switchport to Gi 3/2 as SWITCHPORT PRIVATE-VLAN PROMISCUOUS then mapped it to PVLANS PRIMARY and COMMUNITY.
  5. I have VLAN 1 with NO switchports assigned except mgmt interface and a 10.x.x.x assigned to the default gateway and Fa1 for management.
  6. All of my unused switchports are down in an isolated vlan.
  7. All but one wan serves DHCP and Serving IP requires dhcp lock after authorizing mac address.
  8. It is at this point I realize no traffic is passing to the promiscuous PVLAN port. This is when I went into INTERFACE VLAN for PVLAN primary and assigned it ip address DHCP.
    [struck through] thinking WAN would pass an IP address to the interface PVLAN as a client and then I could just set a static route to one of my Nat routers on PVLAN Primary pointing at the PVLAN promiscuous port but instead it is assigning a DHCP address from an unknown source in a network that is definitely Not the wan and Not Vlan 1.
    Note: Stricken text was solved. It was ISP incompetence.

I do not work with cisco every day so please someone help me understand what's going on.

Also if you see something wrong with my config or something that can be improved please critique.

Thank you,

Eric B.

5 Replies

Hello @Eric chi 

Private VLANs (PVLANs) are a Cisco feature designed to provide a way to isolate traffic on the same primary VLAN. They allow you to isolate certain hosts while still allowing others to communicate with a designated promiscuous port.

Let's go through your questions and address them with explanations and suggestions for troubleshooting.

Question 1: DHCP Address Source
If your PVLAN Primary interface is receiving a DHCP address from an unknown source, it’s possible that:
- A DHCP server exists on another VLAN, and there's some bridging allowing the traffic to cross over.
- There’s a configuration issue causing unexpected traffic flow.

To determine where the DHCP address is coming from:
1. Check DHCP Server Locations: Determine which devices in your environment are acting as DHCP servers. You can trace these devices by checking which interfaces are configured to serve DHCP.
2. Isolate DHCP Traffic: If you don't want the PVLAN Primary to get DHCP addresses, ensure there are no DHCP servers in the associated community or promiscuous VLANs. Check the ip helper-address configuration in any associated VLANs, as this can forward DHCP requests to a specific server.

Question 2a: Understanding Private VLANs and VLAN 1
PVLANs allow isolation within a primary VLAN. There are three types:
Promiscuous: Communicates with all other ports.
Community: Communicates with other ports in the same community and promiscuous ports.
Isolated: Communicates only with promiscuous ports.

The PVLANs do not inherently interact with VLAN 1 unless specifically configured to do so.

Question 2b: Promiscuous Port Traffic
A promiscuous port can pass traffic for the primary VLAN and any associated community or isolated VLANs. It does not automatically pass traffic for VLAN 1 unless it is explicitly configured to do so. If you're seeing traffic from VLAN 1, ensure the promiscuous port is mapped only to the PVLAN and not inadvertently configured to connect to other VLANs.

Question 3: Assigning Different Default Gateways to Different VLANs
Yes, you can assign different default gateways to different VLANs. This is typically achieved with:
Inter-VLAN Routing: Use a Layer 3 interface (SVI) on the switch for each VLAN. You can assign IP addresses and default gateways to each SVI, allowing routing between VLANs.
Static Routes: You can set up static routes pointing to specific gateways for each VLAN, allowing traffic to be routed accordingly.

To configure default gateways for VLANs:
1. Create SVIs for Each VLAN:

    interface Vlan10
     ip address 192.168.10.1 255.255.255.0
    !
    interface Vlan20
     ip address 192.168.20.1 255.255.255.0

2. Set Default Gateways:

    ! Default gateway for VLAN 10
    ip route 0.0.0.0 0.0.0.0 192.168.10.254
    ! Default gateway for VLAN 20
    ip route 0.0.0.0 0.0.0.0 192.168.20.254

If you require more help with specific configurations, sharing detailed configurations and network topology might yield more specific advice.
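Added example, not from the post above or from Cisco documentation: two `ip route 0.0.0.0 0.0.0.0` statements in the same global routing table are installed as equal-cost default routes that every VLAN shares, so they load-share rather than steer each VLAN to its own WAN. One way to give each VLAN a gateway of its own on IOS-XE is VRF-lite, which puts each WAN-facing SVI in a separate routing table, and which also satisfies the requirement that the WANs never reach each other unless a route is explicitly added. The VRF names WAN-A and WAN-B are assumptions; the VLAN numbers and addresses follow the snippet in the post.

```text
! Added example (constructed, not from the thread): one VRF per WAN so each
! VLAN has its own default route. VRF names are assumptions.
vrf definition WAN-A
 address-family ipv4
 exit-address-family
!
vrf definition WAN-B
 address-family ipv4
 exit-address-family
!
! Each WAN-facing SVI lives in its own table. Enter 'vrf forwarding' before
! the address: IOS removes the IP address when an interface changes VRF.
interface Vlan10
 vrf forwarding WAN-A
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 vrf forwarding WAN-B
 ip address 192.168.20.1 255.255.255.0
!
! One default route per table. Nothing in WAN-A can reach WAN-B (or the
! global table) unless a route is deliberately configured between them.
ip route vrf WAN-A 0.0.0.0 0.0.0.0 192.168.10.254
ip route vrf WAN-B 0.0.0.0 0.0.0.0 192.168.20.254
!
! Verification:
!   show vrf
!   show ip route vrf WAN-A
!   show ip route vrf WAN-B
```

Because each VRF has its own table, `show ip route vrf WAN-A` should show exactly one default route via 192.168.10.254; seeing both next hops in one table is the symptom of the shared-global-table configuration.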

!Edited for typo correction!
Hello @Kumaresan Ravichandran, and thank you for your quick response.

Your response did not appear on the community until after I revised at 1pm CST, for some reason, despite you posting the response at 11am CST, so maybe these are moderated?

So, to recap: after the DHCP problem was solved (after hours of wasted time totally downing everything EXCEPT the PVLAN-configured devices and eliminating all possible rogue DHCP sources), I contacted ISP TAC again and found out that the person I had spoken with previously was new and not yet certified on the WAN type. We were able to determine that the MAC auth was the issue with the DHCP, as it was serving me into a blackhole as unauthed, because the previous tech did not know the old one needed to be cleared from the auth table first. (ISP incompetence)

So PROMISCUOUS PVLAN ports ONLY communicate within the PVLAN and ONLY communicate with ALL ports WITHIN the assigned PVLAN unless specifically directed to do otherwise.

I believe you've answered most of my questions. Thank you, but I now have one more question for clarification.

Now as to your response to creating SVI's on VLANS. 

Can I create SVI's for PVLAN PRIMARY's without breaking its inherent isolation properties just as I would for a standard VLAN or are there other considerations or caveats?

Hi @Eric chi 

Creating an SVI for a Private VLAN's Primary VLAN lets you route traffic without breaking its isolation. It's a way to add Layer 3 (routing) while keeping Layer 2 isolation (no direct communication between isolated segments). Just make sure to use proper routing rules and security to keep things secure and isolated.

If it is helpful to you, then rate it.

>_<
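Added example, not from the post above or from Cisco documentation, showing the caveat the answer alludes to: on Catalyst switches the SVI of the primary VLAN only routes for the secondary VLANs that are mapped to it with `private-vlan mapping`; without that line, hosts in the community and isolated VLANs have no reachable gateway even though the SVI is up. It also shows the promiscuous port mapped to the private VLAN only, as discussed for Question 2b. VLAN numbers 100/101/102, the 10.100.0.0/24 address and port Gi3/3 are assumptions; Gi3/1 (community host) and Gi3/2 (promiscuous) follow the original post.

```text
! Added example (constructed, not from the thread): primary PVLAN 100 with
! community 101 and isolated 102, routed by an SVI on the primary VLAN.
! VLAN numbers, addresses and Gi3/3 are assumptions.
vtp mode transparent
!
vlan 101
 private-vlan community
vlan 102
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Community host port (WAN-facing, as in the post): talks to other 101 hosts
! and to promiscuous ports only.
interface GigabitEthernet3/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Isolated host port (e.g. a server): talks to promiscuous ports only.
interface GigabitEthernet3/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port: mapped to PVLAN 100 and its secondaries only, so it
! carries no VLAN 1 traffic.
interface GigabitEthernet3/2
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! The primary SVI routes for 101 and 102 only because they are mapped here.
! Layer 2 isolation between 101 and 102 is unchanged; only routed traffic
! crosses. If 102 must not reach 101 at Layer 3 either, add an ACL on Vlan100.
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
 private-vlan mapping 101,102
!
! Verification:
!   show vlan private-vlan
!   show interfaces private-vlan mapping
!   show interfaces GigabitEthernet3/2 switchport
```

`show interfaces private-vlan mapping` should list Vlan100 with secondaries 101 and 102; `show interfaces GigabitEthernet3/2 switchport` should show operational mode private-vlan promiscuous with the 100/101,102 mapping and nothing for VLAN 1.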

Thank you @Kumaresan Ravichandran, you have been of much assistance in allowing my brain to cool.

My issues have really only arisen out of the lack of specificity in the wording in Cisco's official documentation in describing VLAN and PVLAN in relation to where the traffic goes and doesn't go, specifically in the PVLAN segment of the 2000+ page Administration manual for IOS-XE v3.11.10e and other older resources regarding the topic.
So for your answers I have accepted this as a solution.

Thank you so much,

Eric B.

Thank you, @Eric chi. I'm glad I could help clarify things and give you some relief. Cisco's documentation can be challenging to navigate, especially with complex topics like VLANs and PVLANs. It's great to hear that my explanations provided the guidance you needed.

If you need further assistance with network infrastructure or anything else, post here; our community is ready to assist you.

Thanks again for your kind words!

>_<
