Private Vlans - HELP !

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

I'm trying trying to configure private vlans, but my switches just aren't having it. Anytime I try to set up the primary, my switches reject it. Never mind the community or isolated.

Current operating mode is transparent and VTP version is 2.

Both switches are catalyst 3550s. Could this be the reason I'm having a problem ?

I'm totally out of ideas at this point. Need help.



3550/1#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
VTP Operating Mode : Transparent
VTP Domain Name : BCMSN
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x51 0x50 0x19 0xE5 0x78 0x87 0x32 0x34
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
3550/1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
3550/1(config)#int fa0/24
3550/1(config-if)#switchport
3550/1(config-if)#switchport encapsulation dot1q
3550/1(config-if)#
00:04:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
3550/1(config-if)#
00:04:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
3550/1(config-if)#switchport mode trunk
3550/1(config-if)#
00:04:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
3550/1(config-if)#
00:04:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
3550/1(config-if)#vlan 100
3550/1(config-vlan)#exit
3550/1(config)#int fa0/24
3550/1(config-if)#switchport
3550/1(config-if)#switchport mode access
3550/1(config-if)#switchport access vlan 100
3550/1(config-if)#exit
3550/1(config)#vlan 100
3550/1(config-vlan)#private-vlan primary
3550/1(config-vlan)#private-vlan association 101-102
3550/1(config-vlan)#vlan 101
3550/1(config-vlan)#
00:06:37: Unimplemented Function: pm_platform_vlan_set_pvlan_type
3550/1(config-vlan)#
00:06:37: %PM-4-PVLAN_TYPE_CFG_ERR: Failed to set VLAN 100 to a primary VLAN
3550/1(config-vlan)#private-vlan community
Command rejected: invalid private vlan type assignment. VLAN 101 data is not available.
3550/1(config-vlan)#int vlan 100
3550/1(config-if)#n
00:08:13: Unimplemented Function: pm_platform_vlan_set_pvlan_type
3550/1(config-if)#no sh
00:08:13: %PM-4-PVLAN_TYPE_CFG_ERR: Failed to set VLAN 101 to a community VLAN
3550/1(config-if)#no shut
00:08:14: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to up
3550/1(config-if)#no shut
3550/1(config-if)#int vlan 101
3550/1(config-if)#no shut
3550/1(config-if)#exit
3550/1(config)#vlan 101
3550/1(config-vlan)#private-vlan community
Command rejected: invalid private vlan type assignment. VLAN 101's interface is not administratively down and cannot be set to secondary VLAN.
3550/1(config-vlan)#exit
3550/1(config)#int vlan 101
3550/1(config-if)#shut
3550/1(config-if)#exit
3550/1(config)#
00:09:28: %LINK-5-CHANGED: Interface Vlan101, changed state to administratively down
00:09:29: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan101, changed state to down
3550/1(config)#vlan 101
3550/1(config-vlan)#private-vlan community
3550/1(config-vlan)#vlan 102
3550/1(config-vlan)#
00:10:10: Unimplemented Function: pm_platform_vlan_set_pvlan_type
3550/1(config-vlan)#
00:10:10: %PM-4-PVLAN_TYPE_CFG_ERR: Failed to set VLAN 101 to a community VLAN
3550/1(config-vlan)#private-vlan isolated
Command rejected: invalid private vlan type assignment. VLAN 102 data is not available.
3550/1(config-vlan)#exit
3550/1(config)#
00:10:43: Unimplemented Function: pm_platform_vlan_set_pvlan_type
3550/1(config)#
00:10:43: %PM-4-PVLAN_TYPE_CFG_ERR: Failed to set VLAN 102 to a isolated VLAN
3550/1(config)#int vlan 102
3550/1(config-if)#no shut
3550/1(config-if)#shut
3550/1(config-if)#exit
3550/1(config)#
00:11:05: %LINK-5-CHANGED: Interface Vlan102, changed state to administratively down
00:11:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan102, changed state to down
3550/1(config)#vlan 102
3550/1(config-vlan)#private-vlan isolated
3550/1(config-vlan)#exit
3550/1(config)#
00:11:36: Unimplemented Function: pm_platform_vlan_set_pvlan_type
3550/1(config)#
00:11:36: %PM-4-PVLAN_TYPE_CFG_ERR: Failed to set VLAN 102 to a isolated VLAN
3550/1(config)#exit
3550/1#
00:11:43: %SYS-5-CONFIG_I: Configured from console by console
3550/1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
3550/1(config)#int fa0/24
3550/1(config-if)#switchport trunk allowed vlan 100
3550/1(config-if)#exit
3550/1(config)#exit
3550/1#
3550/1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
3550/1(config)#vlan 100
3550/1(config-vlan)#private-vlan primary
3550/1(config-vlan)#vlan 101
3550/1(config-vlan)#
00:10:40: Unimplemented Function: pm_platform_vlan_set_pvlan_type
3550/1(config-vlan)#
00:10:40: %PM-4-PVLAN_TYPE_CFG_ERR: Failed to set VLAN 100 to a primary VLAN
3550/1(config-vlan)#exit
3550/1(config)#exit

3550/2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
3550/2(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
3550/2(config)#vtp domain BCMSN
Changing VTP domain name from philgroup to BCMSN
3550/2(config)#vtp
00:19:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
3550/2(config)#vtp
00:19:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up
3550/2(config)#vtp version ?
<1-2> Set the adminstrative domain VTP version number

3550/2(config)#vtp version 2
3550/2(config)#vlan 100
3550/2(config-vlan)#exit
3550/2(config)#int fa0/24
3550/2(config-if)#switchport
3550/2(config-if)#switchport trunk encapsulation dot1q
3550/2(config-if)#
00:21:28: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
3550/2(config-if)#
00:21:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
3550/2(config-if)#switchport mode access
3550/2(config-if)#switchport access vlan 100
3550/2(config-if)#exit
3550/2(config)#vlan 100
3550/2(config-vlan)#private-vlan primary
3550/2(config-vlan)#exit
3550/2(config)#vl
00:22:30: Unimplemented Function: pm_platform_vlan_set_pvlan_type
3550/2(config)#vlan 101
3550/2(config-vlan)#exit
3550/2(config)#vlan 102
3550/2(config-vlan)#exit
3550/2(config)#vlan 100
3550/2(config-vlan)#private-vlan primary
3550/2(config-vlan)#private-vlan association 101-102
3550/2(config-vlan)#vlan 101
3550/2(config-vlan)#
00:24:25: Unimplemented Function: pm_platform_vlan_set_pvlan_type
00:24:25: Unimplemented Function: pm_platform_vlan_set_pvlan_association
00:24:25: Unimplemented Function: pm_platform_vlan_set_pvlan_association
3550/2(config-vlan)#private-vlan community
3550/2(config-vlan)#vlan 102
3550/2(config-vlan)#p
00:24:52: Unimplemented Function: pm_platform_vlan_set_pvlan_type
3550/2(config-vlan)#private-vlan isolated
3550/2(config-vlan)#exit
3550/2(config)#int
00:25:08: Unimplemented Function: pm_platform_vlan_set_pvlan_type
3550/2(config)#int vlan 100
3550/2(config-if)#
00:25:14: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to up
3550/2(config-if)#no shutdown
3550/2(config-if)#private-vlan mapping 101,102
^
% Invalid input detected at '^' marker.

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Headache,

According to the "Private VLAN Catalyst Switch Support Matrix", the Catalyst 3550 does not support: 1) PVLAN Supported Minimum Software Version and 2) Isolated VLAN.

Source:

1. Private VLAN Catalyst Switch Support Matrix - Cisco Systems - http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml

 

Thanx a ton, r.h.lee.

I suspected as much.

Damn !

How the hell is one supposed to study for this, short of buying a couple of 3560s or 3750s ?

The kind of practicals they have in the BCMSN cisco press book are ridiculous. You need at least three access layer switches and three distribution layer switches just to set up a decent lab. And the 3550s just don't cut it.

This sucks.

 

That sucks. 3550s are expensive enough...let alone 3750s. I sold my 3550 not wanting to pursue the switching test as of yet. Maybe it wasn't such a bad choice. Maybe I need 3 *ACK* 3750s.

I wonder what the 3750 supports that the 3550 doesn't? I will have to do some research...

 

Hey...I found the following article about private VLANs...but I still am not exactly clear on why we want private vlans except to make network support more difficult to troubleshoot.

Is it used to create an DMZ within a network?

http://www.ciscopress.com/articles/article.asp?p=29803&seqNum=6&rl=1

 

I'm just learning about this myself. But from what I've read, pvlans are used by service providers to deploy hosting services and network access to devices that reside in the same subnet but only communicate with back up servers, default gateways or outside networks.

The highest level of the pvlan is the primary vlan. This primary can have many childen. These children are called secondary vlans.

There are two types of secondary vlans.

The first type is the community vlan. Members of this vlan are allowed to communicate with each other, but not with other community vlans in the same subnet.

The second type is the isolated vlans. Members of this vlan are not even allowed to talk to each other, let alone other vlans in the same subnet. The only access they have to the outside world are to the routers and servers that they are mapped to. These routers and servers are known as promiscuous ports.

The reason service providers use pvlans is to minimise (wasteful) use of ip subnets and to enhance security.

That's my understanding of it anyway.

 

One handy use for isolated vlans is in the dmz. Suppose you have a group of servers in the dmz - put them in isolated vlans, that way they cannot communicate with each other. If a server is compromised it cannot be used as a point of attack against anything else. Since servers in a dmz don't usually talk with each other, an isolated vlan is useful.

Spice_Weasel

 

Wow...that is pretty informative. Thanks!

 

Had a private VLAN issue tonight at work. Actually we had a production mainframe job that abended. (I don't do that sort of thing so our production guys were working on the job). Turns out they had to get Unix involved. We use the scheduler on the mainframe (ZEKE/ZEB) to schedule jobs on our different servers. Unix found a duplicate IP Addy in the error log. So we went on a wild goose chase for a mac address. Couldn't ping the IP Addy listed. Couldn't locate the MAC address. Luckily we have a tool that lists (If documented well) all the network addresses and which switch the servers would be connected to. So we looked up the subnet in this tool. Found a server in the same subnet checked the switch ip address listed and SSH'd to that switch. A show mac-add-table | include (xxxx.xxxx.xxxx) showed which port it was on. Again luck would have it and a good description on the port was listed with the server name. That server name had AR in the designation. Indicating a Archive Server. At this point one of the guys on the conference call recalled a new Archive Server IP Addressing project. The port was in a Private Vlan which is why we couldn't ping it. So since this server wasn't in production we admin shut the port. Cleared arp and mac. Reset the job and reran it. Lots of followup today will be done.

Leason Learned? Proper documentation when you make Add/Move/Changes to your network.

Also a prepared mind helps in troubleshooting. I don't know everything about private vlans. Next to nothing really. But I knew of the concept which helped isolate and discuss the project.

 

Gosh !

I wish I could have been there.