04-21-2024 10:51 AM - edited 04-21-2024 01:31 PM
Hello all,
I am wondering if someone can help me to understand what's going on under the hood with PVLANs on Cisco Catalyst. What I am trying to achieve may be totally the wrong application for PVLANs. If so, let me know.
Questions:
Environment:
Goals:
My config so far:
I do not work with cisco every day so please someone help me understand what's going on.
Also if you see something wrong with my config or something that can be improved please critique.
Thank you,
Eric B.
04-21-2024 11:39 AM
Hello @Eric chi
Private VLANs (PVLANs) are a Cisco feature designed to provide a way to isolate traffic on the same primary VLAN. They allow you to isolate certain hosts while still allowing others to communicate with a designated promiscuous port.
Let's go through your questions and address them with explanations and suggestions for troubleshooting.
Question 1: DHCP Address Source
If your PVLAN Primary interface is receiving a DHCP address from an unknown source, it’s possible that:
- A DHCP server exists on another VLAN, and there's some bridging allowing the traffic to cross over.
- There’s a configuration issue causing unexpected traffic flow.
To determine where the DHCP address is coming from:
1. Check DHCP Server Locations: Determine which devices in your environment are acting as DHCP servers. You can trace these devices by checking which interfaces are configured to serve DHCP.
2. Isolate DHCP Traffic: If you don't want the PVLAN Primary to get DHCP addresses, ensure there are no DHCP servers in the associated community or promiscuous VLANs. Check the ip helper-address configuration in any associated VLANs, as this can forward DHCP requests to a specific server.
Question 2a: Understanding Private VLANs and VLAN 1
PVLANs allow isolation within a primary VLAN. There are three types:
Promiscuous: Communicates with all other ports.
Community: Communicates with other ports in the same community and promiscuous ports.
Isolated: Communicates only with promiscuous ports.
The PVLANs do not inherently interact with VLAN 1 unless specifically configured to do so.
Question 2b: Promiscuous Port Traffic
A promiscuous port can pass traffic for the primary VLAN and any associated community or isolated VLANs. It does not automatically pass traffic for VLAN 1 unless it is explicitly configured to do so. If you're seeing traffic from VLAN 1, ensure the promiscuous port is mapped only to the PVLAN and not inadvertently configured to connect to other VLANs.
Question 3: Assigning Different Default Gateways to Different VLANs
Yes, you can assign different default gateways to different VLANs. This is typically achieved with:
Inter-VLAN Routing: Use a Layer 3 interface (SVI) on the switch for each VLAN. You can assign IP addresses and default gateways to each SVI, allowing routing between VLANs.
Static Routes: You can set up static routes pointing to specific gateways for each VLAN, allowing traffic to be routed accordingly.
To configure default gateways for VLANs:
1. Create SVIs for Each VLAN:
```ios
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
```
2. Set Default Gateways:
```ios
! IOS comment lines start with "!"; a trailing "# ..." on a command line is
! rejected as invalid input, so the notes are kept on their own lines.
! Default gateway for VLAN 10
ip route 0.0.0.0 0.0.0.0 192.168.10.254
! Default gateway for VLAN 20
ip route 0.0.0.0 0.0.0.0 192.168.20.254
! Caveat: both routes land in the same global routing table as equal-cost
! defaults, so traffic from either VLAN is load-shared across both next hops
! rather than steered by source VLAN. A true per-VLAN gateway needs a
! separate routing table per VLAN (VRF-lite) or policy-based routing.
```
If you require more help with specific configurations, sharing detailed configurations and network topology might yield more specific advice.
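As an added worked configuration (written for this page, not taken from the original post or from the answerer), here is how the three points above look on a Catalyst running IOS or IOS-XE: DHCP snooping to pin down where a lease is coming from (Question 1), a primary PVLAN with one isolated and one community secondary and the three port types (Question 2), and VRF-lite so that each VLAN really does get its own default gateway (Question 3; two plain default routes in the global table load-share rather than choose by VLAN). All VLAN numbers, interface names, VRF names and addresses are assumptions, and the VRF syntax is the newer `vrf definition` form.

```ios
! ===== Question 1: find out which DHCP server handed out the lease =====
! If the primary SVI is a DHCP client, "show dhcp lease" prints the server
! identifier that answered, which is the quickest way to name the source.
! DHCP snooping then drops server replies that arrive on untrusted ports and
! records every lease it sees; only the port facing the real server is trusted.
! Enabling it on the primary VLAN applies it to the secondaries as well.
ip dhcp snooping
ip dhcp snooping vlan 100
interface GigabitEthernet1/0/24
 description Uplink to ISP / DHCP server (assumed)
 ip dhcp snooping trust
! Verify: show ip dhcp snooping binding      -> lease, MAC, VLAN, client port
!         show ip dhcp snooping statistics   -> replies dropped on untrusted ports
!                                               point at a rogue server

! ===== Question 2: primary VLAN 100 with secondaries 101 and 102 =====
! Private VLANs require VTP transparent mode (VTP v1/v2).
vtp mode transparent
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Promiscuous port: reaches every host in 100, 101 and 102, and nothing in any
! other VLAN. Typically the firewall or router that serves the segment.
interface GigabitEthernet1/0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Isolated host port: reaches only promiscuous ports, never another isolated host.
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community host port: reaches other ports in community 102 and promiscuous ports.
interface GigabitEthernet1/0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
! Verify: show vlan private-vlan
!         show interfaces GigabitEthernet1/0/2 switchport

! ===== Question 3: a separate default gateway per VLAN (VRF-lite) =====
! Each VRF carries its own routing table, so each one can hold its own
! 0.0.0.0/0 without competing with the other. Side effect worth wanting here:
! VLAN 10 and VLAN 20 can no longer route to each other through this switch.
ip routing
vrf definition TENANT-A
 address-family ipv4
vrf definition TENANT-B
 address-family ipv4
interface Vlan10
 vrf forwarding TENANT-A
 ip address 192.168.10.1 255.255.255.0
interface Vlan20
 vrf forwarding TENANT-B
 ip address 192.168.20.1 255.255.255.0
ip route vrf TENANT-A 0.0.0.0 0.0.0.0 192.168.10.254
ip route vrf TENANT-B 0.0.0.0 0.0.0.0 192.168.20.254
! Verify: show ip route vrf TENANT-A   -> only TENANT-A's default is present
!         show ip route vrf TENANT-B   -> only TENANT-B's default is present
```

Apply `vrf forwarding` before the `ip address` line on an SVI that already has one; IOS clears the address when the interface is moved into a VRF, so the order shown above avoids losing it.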
04-22-2024 03:59 AM - edited 04-22-2024 04:39 AM
!Edited for typo correction!
Hello @Kumaresan Ravichandran and thank you for your quick response,
Your response did not appear on the community until after I revised at 1pm CST for some reason despite you posting the response at 11am CST so maybe these are moderated?
So to recap: after the DHCP problem was solved, after hours of wasted time totally downing everything EXCEPT the PVLAN-configured devices and eliminating all possible rogue DHCP sources, I contacted ISP TAC again and found out that the person I had spoken with previously was new and not yet certified on the WAN type. We were able to determine that the MAC auth was the issue with the DHCP, as it was serving me into a blackhole as unauthed because the previous tech did not know the old one needed to be cleared from the auth table first. (ISP incompetence)
So PROMISCUOUS PVLAN ports ONLY communicate within the PVLAN and ONLY communicate with ALL ports WITHIN the assigned PVLAN unless specifically directed to do otherwise.
I believe you've answered most of my questions, thank you, but I now have one more question for clarification.
Now, as to your response about creating SVIs on VLANs:
Can I create SVIs for PVLAN primaries without breaking their inherent isolation properties, just as I would for a standard VLAN, or are there other considerations or caveats?
04-22-2024 04:31 AM
Hi @Eric chi
Creating an SVI for a Private VLAN's primary VLAN lets you route traffic without breaking its isolation. It's a way to add Layer 3 (routing) while keeping Layer 2 isolation (no direct communication between isolated segments). Just make sure to use proper routing rules and security to keep things secure and isolated.
If it is helpful to you, then rate it.
>_<
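Added example of the SVI-on-a-primary-PVLAN case discussed in the exchange above (written for this page, not code from either participant). It shows the one piece a plain VLAN SVI does not have, the `private-vlan mapping` line, an inbound ACL as the "proper routing rules" the reply mentions, and the setting that would actually undo the isolation. The primary VLAN 100 with secondaries 101 (isolated) and 102 (community), the 10.100.0.0/24 subnet and the 10.0.0.0/24 management network are assumptions.

```ios
! Assumed: VLAN 100 is already a primary private VLAN associated with
! secondaries 101 (isolated) and 102 (community).

! Inbound filter for the primary SVI: hosts may obtain DHCP, reach their
! gateway and the outside, but not the management network (assumed 10.0.0.0/24).
ip access-list extended PVLAN100-IN
 permit udp any eq bootpc any eq bootps
 permit ip any host 10.100.0.1
 deny   ip any 10.0.0.0 0.0.0.255
 permit ip any any
!
! The SVI exists on the PRIMARY VLAN only. The mapping tells it to accept and
! route packets that arrive from the secondary VLANs; without it, hosts in
! 101 and 102 cannot reach 10.100.0.1 at all.
ip routing
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
 private-vlan mapping 101,102
 ip access-group PVLAN100-IN in
 ! Isolated hosts share this subnet and ARP for each other directly, which the
 ! Layer 2 isolation blocks. With local proxy ARP off (the Catalyst default) the
 ! switch does not answer those ARPs on their behalf, so the SVI does not
 ! become a relay between them. Enabling "ip local-proxy-arp" here would.
 no ip local-proxy-arp
!
! Verify: show interfaces private-vlan mapping   -> Vlan100 mapped to 101,102
!         show ip interface vlan 100             -> "Local Proxy ARP is disabled"
```

The ACL is the practical answer to "proper routing rules": Layer 2 isolation only stops hosts in the PVLAN from talking to each other; anything reachable through the SVI is governed by routing and filtering like any other VLAN.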
04-22-2024 04:55 AM
Thank you @Kumaresan Ravichandran , You have been of much assistance in allowing my brain to cool.
My issues have really only arisen out of the lack of specificity in the wording of Cisco's official documentation describing VLANs and PVLANs in relation to where the traffic does and doesn't go, specifically in the PVLAN segment of the 2000+ page Administration manual for IOS-XE v3.11.10e, and in other older resources on the topic.
So for your answers I have accepted this as a solution.
Thank you so much,
Eric B.
04-22-2024 05:46 AM
Thank you, @Eric chi I'm glad I could help clarify things and give you some relief. Cisco's documentation can be challenging to navigate, especially with complex topics like VLANs and PVLANs. It's great to hear that my explanations provided the guidance you needed.
If you need further assistance with network infrastructure or anything else, post here; our community is ready to assist you.
Thanks again for your kind words!
>_<