Alcatel Unleashed

The #1 Worldwide board for technical support on Alcatel-Lucent Voice & Data gear.
https://alcatelunleashed.com/

Setting up private VLANs (PVLANs)

https://alcatelunleashed.com/viewtopic.php?t=33905

Page 1 of 1

Setting up private VLANs (PVLANs)

Posted: 28 Jul 2025 02:08
by PSOZ16
Hello ALL,

I need help setting up private VLANs (PVLANs).

I have a production network where I want to set up a PVLAN to increase security.

My problem is that when I set up a PVLAN on an access switch, I can't find a solution for forwarding traffic to the core via the existing uplink. It's not possible to tag a PVLAN on a link that already has existing VLANs configured.

When I try to assign a PVLAN to the uplink, I get the following error message
ERROR: A VPA already exists for this port

I understand that it's possible to connect two switches with an ISL link and transmit the PVLAN information, and that a promiscuous port has a connection to all other PVLAN ports. However, I don't know how to transport this via an uplink.

Has anyone done this before? Does anyone have any tips?

As an example, an excerpt from the config

OS6860E-P24 > sh vlan
vlan type admin opera ip mtu name
------+-------+-------+------+------+------+------------------
1 hour Ena Dis Ena 1500 VLAN 1
127 std Ena Dis Ena 1500 RCFG-DYN-VLAN
170 hours Ena Dis Ena 1500 test
400 hrs Ena Ena Dis 1500 VLAN 400
500 pvlan-p Ena Ena Ena 1500 test PV Lan
501 pvlan-i Ena Ena Dis 1500 PVLAN 501
502 pvlan-c Ena Dis Dis 1500 PVLAN 502
2390 hrs Ena Ena Dis 1500 VLAN 2390
2391 std Ena Ena Dis 1500 VLAN 2391
2392 hrs Ena Ena Dis 1500 VLAN 2392
2393 std Ena Ena Dis 1500 VLAN 2393
2394 std Ena Ena Dis 1500 VLAN 2394
2395 std Ena Ena Dis 1500 VLAN 2395
2396 std Ena Ena Dis 1500 VLAN 2396
2397 std Ena Ena Dis 1500 VLAN 2397

OS6860E-P24 > sh pvlan mem
pvlan port type status port type
-------+---------+------------------+------------+------------
501 1/1/16 untagged forwarding isolated

OS6860E-P24 >
OS6860E-P24 >
OS6860E-P24 > show vlan members port 1/1/1
vlan type status
--------+----------+---------------
2390 tagged forwarding
2391 tagged forwarding
2392 tagged forwarding
2393 tagged forwarding
2394 tagged forwarding
2395 tagged forwarding
2396 tagged forwarding
2397 tagged forwarding
2402 untagged forwarding

OS6860E-P24 >
OS6860E-P24 > pvlan 500 mem port 1/1/1 tagged
ERROR: A VPA already exists for this port

Re: Setting up private VLANs (PVLANs)

Posted: 28 Jul 2025 13:30
by silvio
You find the answers in the guide. To share the same pvlan between more than one switch you need to use isl-ports (inter switch link).
BR Silvio

Re: Setting up private VLANs (PVLANs)

Posted: 29 Jul 2025 02:04
by PSOZ16
Hi Silvio,

Thanks for your answer.
Yes, an ISL port is required to transfer PVLANs from one switch to another.

But how can I transfer PVLANs from my access switch if I only have one uplink to the core and there are already VLANs on it?

In a new installation, I can work with PVLANs right from the start and define the uplinks as ISL links.

But in a brownfield installation, I don't see any way to introduce PVLANs without having to redesign the entire network. Unfortunately, that's not possible in a live network.

I'd be happy if I overlooked something and it still works somehow.

Thanks
Ciao Paul

Re: Setting up private VLANs (PVLANs)

Posted: 30 Jul 2025 01:43
by silvio
I have tested it. Same port as ISL and "normal" tagged is possible.

Code: Select all

> vlan 2201 members port 1/1/21 tagged
> pvlan 500 members port 1/1/21 isl
> show pvlan members
pvlan   port      type               status       port-type
-------+---------+------------------+------------+------------
500     1/1/21    tagged             inactive     isl
This is not possible at the PVLAN access ports - only at the ISL.

BR Silvio

Re: Setting up private VLANs (PVLANs)

Posted: 04 Aug 2025 02:06
by PSOZ16
Hi Silvio,

Thanks for your help and for spending your time with my problem.


304 / 5.000
I think I've found the error.

It's only possible to assign a PVLAN to an uplink that already has VLANs configured if the untagged VLAN is VLAN1.

If any other untagged VLAN is configured on the port, the error occurs.

Thanks for your help.

Bye, Paul


OS6860E-P24 > show vlan mem port 1/1/4
vlan type status
--------+-----------+---------------
2001 tagged inactive
2002 tagged inactive
2402 untagged inactive

OS6860E-P24 > show pvlan
pvlan type admin oper mtu name
------+----------+-------+------+------+------------------
500 Primary Ena Ena 1500 Test-PV-Lan
501 Isolated Ena Ena 1500 PVLAN 501
502 Community Ena Ena 1500 PVLAN 502

OS6860E-P24 > pvlan 500 members port 1/1/4 isl
ERROR: An existing VPA exists on the port. ISL port can only have an existing static tagged VPA

OS6860E-P24 > no vlan 2402 mem po 1/1/4

OS6860E-P24 >
OS6860E-P24 >
OS6860E-P24 > show vlan members port 1/1/4
vlan type status
--------+-----------+---------------
1 untagged inactive
2001 tagged inactive
2002 tagged inactive

OS6860E-P24 > pvlan 500 members port 1/1/4 isl

OS6860E-P24 >
OS6860E-P24 >
OS6860E-P24 > show pvlan members
pvlan port type status port-type
-------+---------+------------------+------------+------------
500 1/1/4 tagged inactive isl
500 2/1/13 tagged forwarding promiscuous
501 1/1/9 untagged forwarding isolated

OS6860E-P24 >
OS6860E-P24 > show vlan members port 1/1/4
vlan type status
--------+-----------+---------------
1 untagged inactive
2001 tagged inactive
2002 tagged inactive

OS6860E-P24 >

Re: Setting up private VLANs (PVLANs)

Posted: 04 Aug 2025 11:17
by silvio
Great that you have found a solution.
best regards
Silvio
All times are UTC-05:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited