The art of Private Vlans
I've been having trouble with setting up private VLANs. I'm using a 3560 switch in transparent mode. No matter what I do I keep getting the following error message: "*Mar 1 03:09:30.237: %PV-6-PV_SVI_DOWN: Vlan 10's interface remains down because this vlan is a secondary vlan."
I know it is a secondary VLAN because that's what it's supposed to be. VLAN 10 is the secondary community VLAN and VLAN 50 is the primary.
The config is as follows:
vlan 10
private-vlan community
!
vlan 20,30,40
!
vlan 50
private-vlan primary
private-vlan association 10
!
vlan 100,999
!
!
!
!
interface FastEthernet0/1
switchport access vlan 10
switchport private-vlan host-association 50 10
switchport mode private-vlan host
switchport nonegotiate
!
interface FastEthernet0/2
!
interface FastEthernet0/3
switchport access vlan 10
switchport private-vlan host-association 50 10
switchport mode private-vlan host
switchport nonegotiate
!
interface FastEthernet0/4
!
interface FastEthernet0/5
switchport access vlan 50
switchport private-vlan mapping 50 10
switchport mode private-vlan promiscuous
switchport nonegotiate
Primary Secondary Type Ports
50 10 community Fa0/1, Fa0/3, Fa0/5
I'm an Xpert at nothing apart from remembering useless information that nobody else cares about.
Comments
vishaw1986 Member Posts: 40
Hey,
interface FastEthernet0/5
switchport access vlan 50
switchport private-vlan mapping 50 add 10
switchport mode private-vlan promiscuous
switchport nonegotiate
Check if this works.
MrXpert Member Posts: 586
Hi
I tried this but it didn't work.
But then I found this:
If you try to configure a VLAN with an active SVI as a secondary VLAN, the configuration is not allowed until you disable the SVI.
source http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/pvlans.html
So maybe that explains why it doesn't work on SVIs. Only router on a stick will work?
I'm an Xpert at nothing apart from remembering useless information that nobody else cares about.
vishaw1986 Member Posts: 40
Hey,
I went through the link, and that made a good explanation:
Firstly we create the private VLAN in order to make the isolation inside a single VLAN domain.
In a private VLAN we have two VLANs inside it, including:
Primary - visible to the outer network and includes the Promiscuous port. This port can communicate with all ports, including isolated and community ports in the secondary VLAN. Also this is the port which is connected to the L3 device for inter-VLAN communication and communication to the external network.
and Secondary - inside a primary VLAN (isolated and community).
SVI: Because of this we configure the L3 VLAN SVI for the Primary VLAN, because it contains the Promiscuous port which is connected to the external network (L3 device). So that's the reason we can't make the Secondary VLAN SVI active.
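To catch the condition from the Cisco note (an SVI sitting on a secondary VLAN) and mismatched host-association/mapping lines before a switch logs %PV-6-PV_SVI_DOWN, here is an added example, not code from this thread or from Cisco: a small Python linter over a running-config dump. The sample config is constructed from the thread's configuration plus an assumed "interface Vlan10" stanza with a made-up address.

```python
import re
from collections import defaultdict
# Constructed sample: the thread's PVLAN config plus the 'interface Vlan10'
# stanza that triggers %PV-6-PV_SVI_DOWN (the original post does not show it).
SAMPLE_CONFIG = """\
vlan 10
 private-vlan community
vlan 50
 private-vlan primary
 private-vlan association 10
interface FastEthernet0/1
 switchport private-vlan host-association 50 10
interface FastEthernet0/5
 switchport private-vlan mapping 50 10
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
"""
def parse(config):
    """Group each indented line under its parent 'vlan'/'interface' stanza."""
    stanzas = []
    for line in config.splitlines():
        if line.startswith(("vlan ", "interface ")):
            stanzas.append((line.strip(), []))
        elif stanzas and line.strip() not in ("", "!"):
            stanzas[-1][1].append(line.strip())
    return stanzas

def lint_pvlan(config):
    """Flag SVIs on secondary VLANs and ports naming unassociated secondaries."""
    role, assoc, findings = {}, defaultdict(set), []
    stanzas = parse(config)
    for head, body in stanzas:                              # pass 1: VLAN roles
        if head.startswith("vlan "):
            for vid in head.split()[1].split(","):
                for sub in body:
                    if sub.startswith("private-vlan association"):
                        assoc[vid].update(sub.split()[-1].split(","))
                    elif sub.startswith("private-vlan "):
                        role[vid] = sub.split()[1]          # primary/community/isolated
    for head, body in (s for s in stanzas if s[0].startswith("interface ")):
        name = head.split(None, 1)[1]                       # e.g. Vlan10, FastEthernet0/5
        if name.startswith("Vlan") and role.get(name[4:]) in ("community", "isolated"):
            findings.append(f"{name}: SVI on secondary VLAN {name[4:]} stays down; put the SVI on its primary")
        for sub in body:
            m = re.match(r"switchport private-vlan (host-association|mapping) (\d+) (?:add )?(\S+)", sub)
            if m and not set(m.group(3).split(",")) <= assoc[m.group(2)]:
                findings.append(f"{name}: {m.group(1)} names VLAN(s) {m.group(3)} not associated with primary {m.group(2)}")
    return findings
```

Feed it the output of "show running-config"; an empty list means no SVI on a secondary VLAN and every host-association or mapping names a secondary that the primary actually associates.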
wave Member Posts: 342
Hi
I tried this but it didn't work.
But then I found this:
If you try to configure a VLAN with an active SVI as a secondary VLAN, the configuration is not allowed until you disable the SVI.
source Catalyst 6500 Release 12.2SX Software Configuration Guide - Private VLANs (PVLANs) [Cisco Catalyst 6500 Series Switches] - Cisco Systems
So maybe that explains why it doesn't work on SVIs. Only router on a stick will work?
Nice work - I hadn't thought about this before but it makes sense.
ROUTE Passed 1 May 2012
SWITCH Passed 25 September 2012
TSHOOT Passed 23 October 2012
Taking CCNA Security in April 2013 then studying for the CISSP