Solved

PVLAN promiscuous port not forwarding packets to router.

Posted on 2013-06-19
7
1,071 Views
Last Modified: 2016-11-23
Hello Experts,

I have a Dell Powerconnect 7024 connected downstream from a Sonicwall NSA 3500.
I'm attempting to set up a VMware host behind the PowerConnect and utilize private VLANs to separate VMs.

Primary Private Vlan is 59
Isolate = 100
Community1 = 213
Community2 = 223

I believe I have the configuration below correct; however, none of my VMs can ping the gateway (172.16.0.1).

The Sonicwall router is plugged into interface Gi1/0/1 and my lab server is plugged into Gi1/0/12

My question is in two parts.

First question: any idea why I can't ping the firewall from my VMs? (I have them set up with a distributed switch, and they are in the primary VLAN (59).)

Second question: is it possible to have multiple secondary VLANs on a single physical interface? For example, could I have the isolated VLAN and both my community VLANs utilize a single interface?


Here is my running configuration:


console#show running-config

!Current Configuration:
!System Description "PowerConnect 7024, 5.1.0.1, VxWorks 6.6"
!System Software Version 5.1.0.1
!System Operational Mode "Normal"
!
configure
vlan 59,100,213,223
exit
vlan 59
private-vlan primary
private-vlan association 100,213,223
exit
vlan 100
private-vlan isolated
exit
vlan 213
private-vlan community
exit
vlan 223
private-vlan community
exit
slot 1/0 2    ! PowerConnect 7024
stack
member 1 2    ! PCT7024
exit
interface out-of-band
ip address 192.168.2.1 255.255.255.0 0.0.0.0
exit
ip default-gateway 172.16.0.1
ip route 0.0.0.0 0.0.0.0 172.16.0.1 253
interface vlan 1
ip address 172.16.0.2 255.255.255.0
exit
username "root" password ee940cf388b41e947b04a25aab769645 privilege 15 encrypted
ip ssh server
!
interface Gi1/0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 59 100-250
exit
!
interface Gi1/0/12
switchport mode private-vlan host
switchport private-vlan host-association 59 100
exit
snmp-server engineid local 800002a2035c260ad98a1e
snmp-server agent boot count 2
enable password ee940cf388b41e947b04a25aab769645 encrypted
exit

console#
0
Question by:kinetik20
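As an added example (not part of the original question, and not Dell or SonicWall code), the script below parses the PVLAN-relevant lines of a PowerConnect-style running config like the one posted and checks the relationships that have to hold for private VLANs to work: every secondary named in an association must be defined with an isolated or community role, a host port's association must name a secondary that is actually associated to its primary, and a promiscuous mapping must cover all of the primary's secondaries. It also flags a mapping that names VLAN IDs the config never defines (the posted `100-250` range does this) and notes when the management SVI sits outside the private VLAN. The sample config is a constructed subset of the one above; the checks are general PVLAN consistency rules, not a statement about what this particular switch firmware accepts.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the PVLAN-relevant lines from the running-config in the question.
SAMPLE_CONFIG = """\
vlan 59,100,213,223
exit
vlan 59
private-vlan primary
private-vlan association 100,213,223
exit
vlan 100
private-vlan isolated
exit
vlan 213
private-vlan community
exit
vlan 223
private-vlan community
exit
interface vlan 1
ip address 172.16.0.2 255.255.255.0
exit
interface Gi1/0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 59 100-250
exit
interface Gi1/0/12
switchport mode private-vlan host
switchport private-vlan host-association 59 100
exit
"""


def expand_vlan_list(spec):
    """Expand a VLAN list such as '100,213-215' into a set of ints."""
    out = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(part))
    return out


@dataclass
class PvlanModel:
    vlans: set = field(default_factory=set)       # every VLAN id the config creates
    roles: dict = field(default_factory=dict)     # vlan -> primary | isolated | community
    assoc: dict = field(default_factory=dict)     # primary -> set of secondaries
    promisc: dict = field(default_factory=dict)   # iface -> (primary, set of mapped secondaries)
    host: dict = field(default_factory=dict)      # iface -> (primary, secondary)
    svis: set = field(default_factory=set)        # VLANs that carry an SVI (interface vlan N)


def parse_config(text):
    """Walk the config line by line, tracking whether we are inside a vlan or interface block."""
    m = PvlanModel()
    ctx = None  # ("vlan", id) or ("iface", name); None at top level
    for raw in text.splitlines():
        line = raw.strip()
        if line == "exit":
            ctx = None
            continue
        mo = re.match(r"^vlan (\S+)$", line)
        if mo:
            ids = expand_vlan_list(mo.group(1))
            m.vlans |= ids
            # Only a single-VLAN block can carry private-vlan sub-commands
            ctx = ("vlan", next(iter(ids))) if len(ids) == 1 else None
            continue
        mo = re.match(r"^interface vlan (\d+)$", line)
        if mo:
            m.svis.add(int(mo.group(1)))
            ctx = None
            continue
        mo = re.match(r"^interface (\S+)$", line)
        if mo:
            ctx = ("iface", mo.group(1))
            continue
        if ctx and ctx[0] == "vlan":
            vid = ctx[1]
            mo = re.match(r"^private-vlan (primary|isolated|community)$", line)
            if mo:
                m.roles[vid] = mo.group(1)
            mo = re.match(r"^private-vlan association (\S+)$", line)
            if mo:
                m.assoc[vid] = expand_vlan_list(mo.group(1))
        elif ctx and ctx[0] == "iface":
            name = ctx[1]
            mo = re.match(r"^switchport private-vlan mapping (\d+) (\S+)$", line)
            if mo:
                m.promisc[name] = (int(mo.group(1)), expand_vlan_list(mo.group(2)))
            mo = re.match(r"^switchport private-vlan host-association (\d+) (\d+)$", line)
            if mo:
                m.host[name] = (int(mo.group(1)), int(mo.group(2)))
    return m


def check_pvlan(m):
    """Return a list of human-readable findings; an empty list means the PVLAN wiring is consistent."""
    findings = []
    for prim, secs in m.assoc.items():
        if m.roles.get(prim) != "primary":
            findings.append(f"vlan {prim} has associations but is not marked primary")
        for s in sorted(secs):
            if m.roles.get(s) not in ("isolated", "community"):
                findings.append(f"vlan {s} is associated to {prim} but has no isolated/community role")
    for iface, (prim, secs) in m.promisc.items():
        undefined = sorted(secs - m.vlans)
        if undefined:
            findings.append(f"{iface}: promiscuous mapping names {len(undefined)} undefined vlans (e.g. {undefined[0]})")
        missing = sorted(m.assoc.get(prim, set()) - secs)
        if missing:
            findings.append(f"{iface}: promiscuous mapping omits secondaries {missing}")
    for iface, (prim, sec) in m.host.items():
        if sec not in m.assoc.get(prim, set()):
            findings.append(f"{iface}: host-association {prim}/{sec} but {sec} is not associated to {prim}")
    for svi in sorted(m.svis):
        if svi not in m.roles:
            findings.append(f"interface vlan {svi} is outside the private vlan (informational)")
    return findings


if __name__ == "__main__":
    for f in check_pvlan(parse_config(SAMPLE_CONFIG)):
        print(f)
```

Run it against a saved `show running-config` by replacing `SAMPLE_CONFIG` with the file contents; the parser ignores everything that is not a vlan or interface block, so the full dump can be fed in unchanged.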
7 Comments
 
LVL 4

Expert Comment

by:iammorrison
I come from the Cisco world and don't deal with Dell network gear much, but here's at least some guidance...

In order for a physical interface to be a member of multiple VLANs, it must be a trunk port. A port tagged for access to a VLAN can only be associated to one VLAN. There is nothing in that config that clearly states either of those Gig interfaces are trunk ports (again, not overly familiar with Dell nomenclature), so that may be your first hurdle (also an answer to your questions). Both interfaces would need to be configured as trunk ports if you want the VMs from different VLANs to reach the gateway.
0
 
LVL 4

Author Comment

by:kinetik20
In my research I've come across a lot of Cisco PVLAN info that has applied to the Dell gear. The CLI is very, very similar. Would you have an idea of how you would configure my above desired config for a Cisco switch? Perhaps I can translate that into the Dell gear.
0
 
LVL 4

Expert Comment

by:iammorrison
In the Cisco world it would go something like:

conf t
int gig1/0/1
switchport mode trunk
switchport trunk allowed vlan <vlan number or range>

and you would perform the same thing on gig1/0/12.
0
 
LVL 4

Author Comment

by:kinetik20
Well I tried trunking the ports but that did not work either.
0
 
LVL 4

Accepted Solution

by: iammorrison (earned 500 total points)
You also need to configure the interface on the SonicWall as a trunk; I should have included that.
0
 
LVL 4

Author Closing Comment

by:kinetik20
Thank you. Turns out this is the case, and the SonicWall does not support trunking. Any help finding a comparable Cisco firewall that would, and support at least 25 IPsec VPN tunnels?
0
 
LVL 4

Expert Comment

by:iammorrison
Glad I could help! I would look into the Cisco ASA devices, maybe the 5510, and move up from there if you require more horsepower!
0
