Cannot Configure Private VLANS on VLANS with a VE configured

  • Question
  • Updated 2 weeks ago (Edited)

ICX7150-C12 Router(config)#vlan 160 name Data by port

ICX7150-C12 Router(config-vlan-160)#router-interface ve 160

ICX7150-C12 Router(config-vlan-160)#pvlan type community
Error: Private VLANs cannot be configured on vlans with ve configured


ICX7150-C12 Router(config)#vlan 1234 name Restricted by port

ICX7150-C12 Router(config-vlan-1234)#pvlan type isolated

ICX7150-C12 Router(config-vlan-1234)#router-interface ve 1234
Error - can not configure ve on a secondary private vlan



I know what it is saying, but why won't it let me do that?


What I am trying to do is create a VLAN with no Layer-2 bridging for PCI compliance (i.e. credit card readers; they must NOT have any connectivity to any other device on the network per the latest PCI compliance documents).

Here is what I want to do. Trying to make a VLAN that is normal for such things as computers and printers (i.e. devices can talk to one another and to the primary VLAN, which is the WAN on 1/2/1).

Another similar VLAN for Voice; the only difference will ultimately be that tagged interfaces will be assigned, and there will for sure be "inline-power", lldp-med, and untagged ports for the native VLAN (dual-mode is deprecated). The Voice VLAN will be configured on interfaces, etc. This one will be community too, though I doubt it matters, as the call manager is on the other side of the WAN.

Then, trying to make a VLAN without Layer-2 bridging, so a device can talk only to the primary VLAN (which is the WAN).

ALL VLANS mapped to the WAN port.

The WAN is the Internet connection.


Routing statements and helpers on the VEs.

Basically, an extended ACL to stop any Layer-3 communication to any of the private IP ranges 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8, while still allowing communication to DHCP and ultimately Internet traffic.

Here is what I have envisioned. It doesn't seem that it will work.

device(config)# vlan 160 name Data by port
device(config-vlan-160)# router-interface ve 160
device(config-vlan-160)# pvlan type community

device(config)# vlan 1234 name PCI-Compliance-Data by port
device(config-vlan-1234)# pvlan type isolated
device(config-vlan-1234)# router-interface ve 1234
device(config-vlan-1234)# exit

device(config)# vlan 703 name Voice by port
device(config-vlan-703)# tagged ethernet 1/1/1 to 1/1/48
device(config-vlan-703)# router-interface ve 703
device(config-vlan-703)# pvlan type community
device(config-vlan-703)# exit



device(config)# vlan 321 name WAN by port
device(config-vlan-321)# untagged ethernet 1/2/1
device(config-vlan-321)# router-interface ve 321
device(config-vlan-321)# pvlan type primary

device(config-vlan-321)# pvlan mapping 160 ethernet 1/2/1
device(config-vlan-321)# pvlan mapping 1234 ethernet 1/2/1
device(config-vlan-321)# pvlan mapping 703 ethernet 1/2/1


interface ve 160
 port-name Default Gateway
 ip address 10.1.8.1 255.255.248.0
 ip helper-address 1 10.1.50.1
 ip helper-address 2 10.1.50.2
!
interface ve 321
 port-name Metro-E Circuit
 ip address 10.250.205.46 255.255.255.252
!
interface ve 703
 port-name VoIP Gateway
 ip address 10.240.13.1 255.255.255.0
 ip helper-address 1 10.1.50.1
 ip helper-address 2 10.1.50.2
!

interface ve 1234
 port-name Restricted Default Gateway
 ip follow ve 160
 ip helper-address 1 10.1.50.1
 ip helper-address 2 10.1.50.2
 ip access-group NO_RFC1918 out
!

ip access-list extended NO_RFC1918
 permit ip any host 10.1.50.1
 permit ip any host 10.1.50.2
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
!

Any ideas?

P.S. Don't worry about the 48 ports above and the fact that I actually tried to configure a 7150-C12-PD. I was simply testing and happened to have one within arm's reach.

NETWizz

Posted 3 weeks ago
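As an added check that is not from the original post or from Ruckus, here is a small Python evaluator for the NO_RFC1918 ACL above. It applies ICX-style first-match semantics with wildcard masks, so the helper exceptions and the RFC1918 denies can be verified against sample destinations before the ACL is committed, and it flags an entry whose wildcard is not a full dotted quad. The rule list is transcribed from the post; the sample destinations are constructed.

```python
import ipaddress

# The NO_RFC1918 ACL from the post, transcribed as (action, destination, wildcard).
# Source is "any" in every entry, so only the destination is modelled.
ACL_NO_RFC1918 = [
    ("permit", "10.1.50.1", "0.0.0.0"),        # permit ip any host 10.1.50.1 (DHCP helper)
    ("permit", "10.1.50.2", "0.0.0.0"),        # permit ip any host 10.1.50.2 (DHCP helper)
    ("deny", "10.0.0.0", "0.255.255.255"),     # deny ip any 10.0.0.0 0.255.255.255
    ("deny", "172.16.0.0", "0.15.255.255"),    # deny ip any 172.16.0.0 0.15.255.255
    ("deny", "192.168.0.0", "0.0.255.255"),    # deny ip any 192.168.0.0 0.0.255.255
    ("permit", "0.0.0.0", "255.255.255.255"),  # permit ip any any
]


def wildcard_match(addr, network, wildcard):
    """True if addr falls in network/wildcard; set wildcard bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate(acl, dst):
    """First matching entry wins; an ACL with no match ends in an implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(dst, network, wildcard):
            return action
    return "deny"


def invalid_entries(acl):
    """Entries whose address or wildcard is not a valid dotted quad (e.g. '0.255.255')."""
    bad = []
    for entry in acl:
        try:
            ipaddress.IPv4Address(entry[1])
            ipaddress.IPv4Address(entry[2])
        except ipaddress.AddressValueError:
            bad.append(entry)
    return bad


if __name__ == "__main__":
    # Constructed sample destinations: a helper, the Data gateway, RFC1918 space, the Internet
    for dst in ("10.1.50.1", "10.1.8.1", "172.31.0.9", "192.168.1.1", "172.32.0.1", "8.8.8.8"):
        print(f"{dst:>14} -> {evaluate(ACL_NO_RFC1918, dst)}")
    print("invalid:", invalid_entries([("deny", "192.168.0.0", "0.255.255")]))
```

The script models only the match logic; on the switch the outcome also depends on which interface and direction the `ip access-group` is applied to.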

Jijo Panangat, Employee

Hello, 

We believe you are trying to route Layer 3 traffic among secondary VLANs using a VRI, right?
As virtual routing interfaces (VRI) cannot be created on a private VLAN, another approach is to connect an external router to a trunk port of the primary VLAN. The trunk port of the primary VLAN is a promiscuous port and can communicate with all the ports in the PVLAN.

NETWizz

Good Afternoon:

Yes; in fact, the VRI routing works perfectly in the current implementation, which I have configured using VEs on a 6610. Currently we have not implemented the private VLANs described.

The Layer-2 devices we have are different flavors of ICX-7150 and ICX-6430 units with PoE+. Same switch family.

***

Are you saying I can configure the VLAN isolation levels on the Layer-2 device then trunk it into the Layer-3 device?

Can you please give me a quick config snippet or example?

***


Where I am confused is that my isolated VLAN will be 1234 on the Layer-2 device (simple enough to set up).

Trunking 1234 between the Layer-2 and Layer-3 device will again be straightforward.


The question is: within the isolated VLAN the interfaces are not promiscuous, so how would those Layer-2 frames be transmitted on that trunk ("tagged" interface)?

***

I do see commands such as:
pvlan mapping 1234 ethernet 1/2/1

Wouldn't that interface 1/2/1 above be in a different "primary" VLAN?

If yes, then wouldn't my VLAN 1234 traffic come in on a different VLAN once it goes through the trunk from the Layer-2 to the Layer-3 Device?

****

Please post a brief snippet of just one (1) "isolated" VLAN, say on a Layer-2 device, and how you are going to trunk it into a Layer-3 device ("tagged", etc.), with a configured VRI (router-interface) for that VLAN on the Layer-3 device.

Thank you


(Edited)