DHCP query on an SVI with PVLAN enabled.

Hi all

 

Topology:  Subnet is 192.168.2.0/24

R1- 192.168.2.1

R3-192.168.2.3

R5-192.168.2.5

R1(f0/0)------  (0/1)SW1(0/3)-------(f2/0)R3

                              (0/5)

                                 |

                                 |

                               R5

 

I have configured primary vlan 7, and secondary vlans 77, 87 as community and 97 as isolated.  I was able to test reachability within community, outside community, isolated, and promiscuous ports.  (I have not included the other private vlan configs here...)

 

Now I have made SW1 a DHCP server, excluding the IP addresses above and the SVI IP address of 192.168.2.254.  I have also removed R5's static IP and made it acquire its IP via DHCP.

 

R5

R5#sh run int f0/0
interface FastEthernet0/0
description TO SW1
ip address dhcp
duplex auto
speed auto

========

SW1

ip dhcp pool SVI-PVLAN
network 192.168.2.0 255.255.255.0

ip dhcp excluded-address 192.168.2.1 192.168.2.3
ip dhcp excluded-address 192.168.2.254

interface Vlan7
ip address 192.168.2.254 255.255.255.0
no ip redirects
! even without this I still could not make R5 acquire an IP address.
ip local-proxy-arp

ip route-cache same-interface
! even without this I still could not make R5 acquire an IP address.
private-vlan mapping 77,87,97

 

interface GigabitEthernet0/5
description TO R5
switchport access vlan 7
switchport mode access

 

Am I looking at the concept wrong?  I am trying to create a single vlan where there are users and servers.  Users will acquire IP via DHCP and the servers have static IP.

 

TROUBLESHOOTING DONE:

I have created another SVI 17 and made g0/5 of R1 a member of vlan 17.  I have created a DHCP pool with 192.168.3.0/24.  R1 was able to get an IP address, so I know that DHCP is working on an ordinary SVI.  Does that mean an SVI with PVLAN can't be used for DHCP?

 

 

Thanks,

Comments

  • If the DHCP server is the switch where private-vlans is implemented, the switch can ONLY have an IP in the primary vlan, as you configure it, and that SVI is gonna by default be the promiscuous port (promiscuous port ALWAYS belongs to the primary VLAN); so the switch receives the DHCP client messages inbound on the layer 2 interface which is in the isolated or community VLAN (so fix your Gi0/5 interface so that it's not an access mode interface, but a private-vlan mode interface); for the switch to intercept that DHCP message, you need to allow the promiscuous port to speak with that secondary VLAN, which is this command "private-vlan mapping 77,87,97"; proxy-arp or local proxy-arp has nothing to do in this game, that configuration is useless.

    Test it again like this and it has to work.

  • Hi,

    Thanks for your reply.  The DHCP server is a router that is hops away from the access switches.  I am trying to simulate a real network scenario of a campus network where there are new vlans in a new building that communicates with the data center building via OSPF or some other dynamic routing protocol.

    I'll try to simulate it again since I was able to reach the SVI of the PVLAN...


    On Tuesday, October 4, 2016 10:58 PM, cristian. matei <[email protected]> wrote:


    If the DHCP server is the switch where private-vlans is implemented, the switch can ONLY have an IP in the primary vlan, as you configure it, and that SVI is gonna by default be the promiscuous port (promiscuous port ALWAYS belongs to the primary VLAN); so the switch receives the DHCP client messages inbound on the layer 2 interface which is in the isolated or community VLAN (so fix your Gi0/5 interface so that it's not an access mode interface, but a private-vlan mode interface); for the switch to intercept that DHCP message, you need to allow the promiscuous port to speak with that secondary VLAN, which is this command "private-vlan mapping 77,87,97"; proxy-arp or local proxy-arp has nothing to do in this game, that configuration is useless.

    Test it again like this and it has to work.





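The port and SVI settings described in the first comment, written out as an added example (not configuration posted by anyone in the thread). Placing R5's port in isolated VLAN 97 is an assumption, since the thread does not say which secondary VLAN Gi0/5 belongs to; the VLAN definitions restate what the original post describes.

```cisco
! Added example, not from the thread.
! Assumption: R5 belongs in isolated VLAN 97.
!
! Private VLANs need VTP transparent mode under VTP version 1 or 2.
vtp mode transparent
!
vlan 77
 private-vlan community
vlan 87
 private-vlan community
vlan 97
 private-vlan isolated
vlan 7
 private-vlan primary
 private-vlan association 77,87,97
!
! Before (from the post): a plain access port in the primary VLAN
!   switchport access vlan 7
!   switchport mode access
! After: a private-vlan host port tied to primary 7 / secondary 97
interface GigabitEthernet0/5
 description TO R5
 switchport private-vlan host-association 7 97
 switchport mode private-vlan host
!
! The SVI of the primary VLAN must map every secondary VLAN whose
! hosts need to reach it, which includes DHCP served from the switch.
interface Vlan7
 ip address 192.168.2.254 255.255.255.0
 private-vlan mapping 77,87,97
!
! Checks from exec mode:
!   show vlan private-vlan
!   show interfaces GigabitEthernet0/5 switchport
!   show ip dhcp binding
```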