Hello ALL,
I need help setting up private VLANs (PVLANs).
I have a production network where I want to set up a PVLAN to increase security.
My problem is that when I set up a PVLAN on an access switch, I can't find a solution for forwarding traffic to the core via the existing uplink. It's not possible to tag a PVLAN on a link that already has existing VLANs configured.
When I try to assign a PVLAN to the uplink, I get the following error message:
ERROR: A VPA already exists for this port
I understand that it's possible to connect two switches with an ISL link and transmit the PVLAN information, and that a promiscuous port has a connection to all other PVLAN ports. However, I don't know how to transport this via an uplink.
Has anyone done this before? Does anyone have any tips?
As an example, here is an excerpt from the config:
OS6860E-P24 > sh vlan
vlan type admin oper ip mtu name
------+-------+-------+------+------+------+------------------
1 std Ena Dis Ena 1500 VLAN 1
127 std Ena Dis Ena 1500 RCFG-DYN-VLAN
170 std Ena Dis Ena 1500 test
400 std Ena Ena Dis 1500 VLAN 400
500 pvlan-p Ena Ena Ena 1500 test PV Lan
501 pvlan-i Ena Ena Dis 1500 PVLAN 501
502 pvlan-c Ena Dis Dis 1500 PVLAN 502
2390 std Ena Ena Dis 1500 VLAN 2390
2391 std Ena Ena Dis 1500 VLAN 2391
2392 std Ena Ena Dis 1500 VLAN 2392
2393 std Ena Ena Dis 1500 VLAN 2393
2394 std Ena Ena Dis 1500 VLAN 2394
2395 std Ena Ena Dis 1500 VLAN 2395
2396 std Ena Ena Dis 1500 VLAN 2396
2397 std Ena Ena Dis 1500 VLAN 2397
OS6860E-P24 > sh pvlan mem
pvlan port type status port type
-------+---------+------------------+------------+------------
501 1/1/16 untagged forwarding isolated
OS6860E-P24 >
OS6860E-P24 >
OS6860E-P24 > show vlan members port 1/1/1
vlan type status
--------+----------+---------------
2390 tagged forwarding
2391 tagged forwarding
2392 tagged forwarding
2393 tagged forwarding
2394 tagged forwarding
2395 tagged forwarding
2396 tagged forwarding
2397 tagged forwarding
2402 untagged forwarding
OS6860E-P24 >
OS6860E-P24 > pvlan 500 mem port 1/1/1 tagged
ERROR: A VPA already exists for this port
Setting up private VLANs (PVLANs)
Re: Setting up private VLANs (PVLANs)
You can find the answers in the guide. To share the same PVLAN between more than one switch you need to use ISL ports (inter switch link).
BR Silvio
Re: Setting up private VLANs (PVLANs)
Hi Silvio,
Thanks for your answer.
Yes, an ISL port is required to transfer PVLANs from one switch to another.
But how can I transfer PVLANs from my access switch if I only have one uplink to the core and there are already VLANs on it?
In a new installation, I can work with PVLANs right from the start and define the uplinks as ISL links.
But in a brownfield installation, I don't see any way to introduce PVLANs without having to redesign the entire network. Unfortunately, that's not possible in a live network.
I'd be happy if I overlooked something and it still works somehow.
Thanks
Ciao Paul
Re: Setting up private VLANs (PVLANs)
I have tested it. Same port as ISL and "normal" tagged is possible.
This is not possible at the PVLAN access ports - only at the ISL.
> vlan 2201 members port 1/1/21 tagged
> pvlan 500 members port 1/1/21 isl
> show pvlan members
pvlan port type status port-type
-------+---------+------------------+------------+------------
500 1/1/21 tagged inactive isl
BR Silvio
Re: Setting up private VLANs (PVLANs)
Hi Silvio,
Thanks for your help and for spending your time with my problem.
I think I've found the error.
It's only possible to assign a PVLAN to an uplink that already has VLANs configured if the untagged VLAN is VLAN1.
If any other untagged VLAN is configured on the port, the error occurs.
Thanks for your help.
Bye, Paul
OS6860E-P24 > show vlan mem port 1/1/4
vlan type status
--------+-----------+---------------
2001 tagged inactive
2002 tagged inactive
2402 untagged inactive
OS6860E-P24 > show pvlan
pvlan type admin oper mtu name
------+----------+-------+------+------+------------------
500 Primary Ena Ena 1500 Test-PV-Lan
501 Isolated Ena Ena 1500 PVLAN 501
502 Community Ena Ena 1500 PVLAN 502
OS6860E-P24 > pvlan 500 members port 1/1/4 isl
ERROR: An existing VPA exists on the port. ISL port can only have an existing static tagged VPA
OS6860E-P24 > no vlan 2402 mem po 1/1/4
OS6860E-P24 >
OS6860E-P24 >
OS6860E-P24 > show vlan members port 1/1/4
vlan type status
--------+-----------+---------------
1 untagged inactive
2001 tagged inactive
2002 tagged inactive
OS6860E-P24 > pvlan 500 members port 1/1/4 isl
OS6860E-P24 >
OS6860E-P24 >
OS6860E-P24 > show pvlan members
pvlan port type status port-type
-------+---------+------------------+------------+------------
500 1/1/4 tagged inactive isl
500 2/1/13 tagged forwarding promiscuous
501 1/1/9 untagged forwarding isolated
OS6860E-P24 >
OS6860E-P24 > show vlan members port 1/1/4
vlan type status
--------+-----------+---------------
1 untagged inactive
2001 tagged inactive
2002 tagged inactive
OS6860E-P24 >
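The rule Paul found above (an ISL port may only carry static tagged VPAs, so the only untagged VLAN allowed on the uplink is default VLAN 1) can be checked before touching a live uplink. The following pre-check is an added example, not code from the thread or from Alcatel-Lucent: it parses the text of `show vlan members port` as shown in this thread and reports which untagged VLAN memberships would make `pvlan ... members port ... isl` fail, together with the `no vlan ... members port ...` cleanup that Paul used. The sample outputs are constructed in the thread's format.

```python
import re

# Constructed sample outputs, in the format of `show vlan members port 1/1/4`
# from this thread: before and after removing the untagged VLAN 2402.
BEFORE = """\
 vlan    type       status
--------+-----------+---------------
 2001   tagged     inactive
 2002   tagged     inactive
 2402   untagged   inactive
"""
AFTER = """\
 vlan    type       status
--------+-----------+---------------
 1      untagged   inactive
 2001   tagged     inactive
 2002   tagged     inactive
"""

# One table row: vlan id, membership type, status (header/separator won't match).
ROW = re.compile(r"^\s*(\d+)\s+(tagged|untagged)\s+(\w+)\s*$")


def parse_vlan_members(output):
    """Return (vlan_id, type, status) tuples from the CLI table text."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows


def isl_blockers(output):
    """VLAN IDs whose VPA blocks the ISL assignment: every untagged
    membership other than default VLAN 1 (the observed rule)."""
    return [vid for vid, kind, _ in parse_vlan_members(output)
            if kind == "untagged" and vid != 1]


def isl_precheck(output, port):
    """Verdict for the port plus the cleanup commands, if any are needed."""
    blockers = isl_blockers(output)
    if not blockers:
        return f"port {port}: OK, only static tagged VPAs (plus default VLAN 1)"
    cmds = "; ".join(f"no vlan {v} members port {port}" for v in blockers)
    return f"port {port}: blocked by untagged VLAN(s) {blockers}; run: {cmds}"


if __name__ == "__main__":
    print(isl_precheck(BEFORE, "1/1/4"))
    print(isl_precheck(AFTER, "1/1/4"))
```

Run it against the pasted output of the uplink you intend to convert; note that the cleanup removes the port's untagged VLAN, so any hosts relying on that untagged membership lose connectivity until the ISL is in place.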
Re: Setting up private VLANs (PVLANs)
Great that you have found a solution.
best regards
Silvio