A few questions regarding VLANs (Private VLAN / isolate-user-vlan)
Im having some troubles setting up isolate-user-vlan properly on A5120.
Following the examples I end up with a configuration such as (interface facing the client):
" port isolate-user-vlan host port link-type hybrid undo port hybrid vlan 1 port hybrid vlan 100 to 101 untagged port hybrid pvid vlan 101 "
That is vlan100 is the (promiscious) one being sent to upstream device holding the ip which the clients use as default gateway.
However with the above configuration the client cannot reach its default gateway.
But if I alter the pvid setting so it becomes:
" port hybrid pvid vlan 100 "
then everything works as expected (client can ping its default gateway).
However, is still isolate-user-vlan being operational - how can I verify this (from within the A5120 itself)?
Is there some debug command I can use to see how the switch internally handles the traffic in terms of vlans (except for setting up two clients (one to gi 1/0/1 and one to gi 1/0/2) and see if their L2 traffic is seen by each other)?
Because running "display isolate-user-vlan" everything looks as it should, but running "display int brief" shows that all client-interfaces are set to PVID 100.
Doesnt this mean that setting "port hybrid pvid vlan 100" would shortcircuit/invalidate the isolate-user-vlan setting?
As I understand PVID (please correct me if im wrong) the PVID setting tells admin which vlan untagged traffic (which arrives at this interface) belongs to.
So in short...
Is this configuration really valid (look at the pvid setting) if you expect to use Private VLAN (isolate-user-vlan)?
" gi int 1/0/1 port isolate-user-vlan host port link-type hybrid undo port hybrid vlan 1 port hybrid vlan 100 to 101 untagged port hybrid pvid vlan 100
gi int 1/0/2 port isolate-user-vlan host port link-type hybrid undo port hybrid vlan 1 port hybrid vlan 100 102 untagged port hybrid pvid vlan 100
gi int 1/0/3 port isolate-user-vlan host port link-type hybrid undo port hybrid vlan 1 port hybrid vlan 100 103 untagged port hybrid pvid vlan 100 "
Re: A few questions regarding VLANs (Private VLAN / isolate-user-vlan)
I can answer a few of my questions myself after some more experimenting:
- PVID is the vlan which untagged packets who arrives to a physical interface will be "sent" to. That is how this packet will be tagged internally within the device.
- The above means that correct setup using isolate-user-vlan is that the upstream interface shall have the promiscious (isolate-user-vlan) vlan as pvid, while downstream interfaces shall have the host (secondary) vlan as pvid.
However I have still not found out any good debug command I can use to verify that the isolate-user-vlan is properly setup and functioning as it supposed to (other than performing a physical test involving the clients).
Another observation is that the upstream interface doesnt seem to be able to send the promiscious vlan as a tagged vlan (port trunk) - only untagged is supported. Could somebody in here verify this?
