The art of Private Vlans

MrXpert Member Posts: 586
I've been having trouble with setting up private vlans. I'm using a 3560 switch in transparent mode. No matter what I do I keep getting the following error message: "*Mar 1 03:09:30.237: %PV-6-PV_SVI_DOWN: Vlan 10's interface remains down because this vlan is a secondary vlan."

I know it is a secondary vlan because that's what it's supposed to be. VLAN 10 is the secondary community VLAN and VLAN 50 is the primary.

The config is as follows:


vlan 10
private-vlan community
!
vlan 20,30,40
!
vlan 50
private-vlan primary
private-vlan association 10
!
vlan 100,999
!
!
!
!
interface FastEthernet0/1
switchport access vlan 10
switchport private-vlan host-association 50 10
switchport mode private-vlan host
switchport nonegotiate
!
interface FastEthernet0/2
!
interface FastEthernet0/3
switchport access vlan 10
switchport private-vlan host-association 50 10
switchport mode private-vlan host
switchport nonegotiate
!
interface FastEthernet0/4
!
interface FastEthernet0/5
switchport access vlan 50
switchport private-vlan mapping 50 10
switchport mode private-vlan promiscuous
switchport nonegotiate


Primary Secondary Type      Ports
------- --------- --------- --------------------
50      10        community Fa0/1, Fa0/3, Fa0/5
I'm an Xpert at nothing apart from remembering useless information that nobody else cares about.

Comments

  • vishaw1986 Member Posts: 40
    Hey,

    interface FastEthernet0/5
    switchport access vlan 50
    switchport private-vlan mapping 50 add 10
    switchport mode private-vlan promiscuous
    switchport nonegotiate

    Check if this works.
  • MrXpert Member Posts: 586
    Hi

    I tried this but it didn't work.

    But then I found this:
    If you try to configure a VLAN with an active SVI as a secondary VLAN, the configuration is not allowed until you disable the SVI.
    source http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/pvlans.html

    So maybe that explains why it doesn't work on SVIs. Only router on a stick will work?
    I'm an Xpert at nothing apart from remembering useless information that nobody else cares about.
  • vishaw1986 Member Posts: 40
    Hey,

    I went through the link, which gave a good explanation:

    Firstly, we create the private VLAN in order to make the isolation inside a single VLAN domain.

    In a private VLAN we have two VLANs inside it, including:
    Primary - visible to the outer network and includes the promiscuous port. This port can communicate with all ports, including isolated and community ports in the secondary VLAN. Also this is the port which is connected to the L3 device for the inter-VLAN communication and communication to the external network.
    Secondary - inside a primary VLAN (isolated and community).

    SVI: Because of this we configure the L3 VLAN SVI for the primary VLAN, because it contains the promiscuous port which is connected to the external network (L3 device). So that's the reason we can't make the secondary VLAN SVI active.
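    As an added example (not code from the thread or from Cisco), a small Python audit that applies the rule explained above: it parses an IOS-style running config (body lines indented under each block, as `show running-config` prints them), records each VLAN's private-vlan role and its associations, and flags any SVI (`interface VlanN`) that sits on a community or isolated VLAN, plus any host port whose host-association pair was never declared. The config is a constructed sample using the thread's VLANs 10 and 50 with a hypothetical `interface Vlan10` added; the helper names are mine.

```python
import re
# Constructed sample (not from the thread): VLANs 10 and 50 as posted, plus a
# hypothetical "interface Vlan10", the SVI that IOS refuses to bring up.
SAMPLE_CONFIG = """\
vlan 10
 private-vlan community
!
vlan 50
 private-vlan primary
 private-vlan association 10
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet0/1
 switchport private-vlan host-association 50 10
 switchport mode private-vlan host
"""
def parse_blocks(config):
    """Yield (header, body_lines) for each block of an IOS running-config."""
    header, body = None, []
    for line in config.splitlines() + ["!"]:
        if line.startswith((" ", "\t")):  # indented: belongs to the current block
            body.append(line.strip())
        else:  # "!" ends a block; any other column-0 line starts a new one
            if header:
                yield header, body
            header, body = (None if line == "!" else line), []
def audit_pvlans(config):
    """Flag SVIs on secondary VLANs and host ports with an undeclared primary/secondary pair."""
    role, assoc, findings = {}, {}, []
    blocks = list(parse_blocks(config))
    for header, body in blocks:  # pass 1: each VLAN's role and its associations
        m = re.fullmatch(r"vlan (\d+)", header)
        for line in (body if m else []):
            r = re.fullmatch(r"private-vlan (primary|community|isolated)", line)
            a = re.fullmatch(r"private-vlan association (?:add )?([\d,]+)", line)  # no ranges
            if r:
                role[int(m.group(1))] = r.group(1)
            if a:
                assoc.setdefault(int(m.group(1)), set()).update(map(int, a.group(1).split(",")))
    for header, body in blocks:  # pass 2: SVIs and host ports against what pass 1 found
        m = re.fullmatch(r"interface Vlan(\d+)", header)
        if m and role.get(int(m.group(1))) in ("community", "isolated"):
            findings.append(f"{header}: SVI on a secondary VLAN; move it to the primary VLAN")
        for line in body:
            h = re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line)
            if h and int(h.group(2)) not in assoc.get(int(h.group(1)), set()):
                findings.append(f"{header}: secondary {h.group(2)} not associated with primary {h.group(1)}")
    return findings
```

    Running `audit_pvlans(SAMPLE_CONFIG)` reports only the Vlan10 SVI; renaming it to Vlan50 clears the finding, which is the fix the thread arrives at.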
  • wavewave Member Posts: 342
    MrXpert wrote: »
    Hi

    I tried this but it didn't work.

    But then I found this:
    If you try to configure a VLAN with an active SVI as a secondary VLAN, the configuration is not allowed until you disable the SVI.
    source Catalyst 6500 Release 12.2SX Software Configuration Guide - Private VLANs (PVLANs)  [Cisco Catalyst 6500 Series Switches] - Cisco Systems

    So maybe that explains why it doesn't work on SVIs. Only router on a stick will work?

    Nice work - I hadn't thought about this before but it makes sense.

    ROUTE Passed 1 May 2012
    SWITCH Passed 25 September 2012
    TSHOOT Passed 23 October 2012
    Taking CCNA Security in April 2013 then studying for the CISSP