Wired Intelligent Edge


L3 communication for private VLAN?

  • 1.  L3 communication for private VLAN?

    Posted Mar 14, 2023 01:55 PM

    We are looking to convert our DMZ to a private VLAN. After getting a functional lab setup, the requirements changed and now we need to allow certain traffic between devices on the PVLAN. It seems like the usual method to accomplish this is to enable 'proxy arp' on the upstream router connected to the promiscuous port. We are connected to a Palo Alto which doesn't have this feature. Additionally, I ran a PCAP on the PA and it isn't seeing broadcast traffic anyways so this workaround wouldn't work with our current setup anyways. I looked further into documentation on this and found this on an HP article about PVLANs:

    "For one Community VLAN member to communicate with a different Community VLAN member, the Community Port traffic has to go out the uplink to the Primary VLAN."

    This sounds like traffic between devices on a community first needs to exit the promiscuous port and hit the upstream router, so I tested this as well by setting up two devices on the same community (VLAN 12) as well as two devices on different communities (VLAN 12 & 13). I didn't find this to be the case as traffic never hit the PA and was either blocked or allowed on the switch level.

    Any ideas on what I could be doing wrong here, or a workaround I could implement to accomplish this? General setup below:

    Switch 1 (6300)

    vlan 10
        private-vlan primary
    vlan 11
        private-vlan isolated primary-vlan 10
    vlan 12
        private-vlan community primary-vlan 10
    vlan 13
        private-vlan community primary-vlan 10

    int 1/1/1-1/1/2 (Isolated user ports)
        vlan access 11
        private-vlan port-type secondary

    int 1/1/3-1/1/4 (Community user ports)
        vlan access 12
        private-vlan port-type secondary

    int 1/1/5-1/1/6 (Community 2 user ports)
        vlan access 13
        private-vlan port-type secondary

    int 1/1/24 (Link to Palo Alto)
        vlan trunk native 1
        vlan trunk allowed 10
        private-vlan port-type promiscuous

    Palo Alto

    ip address

  • 2.  RE: L3 communication for private VLAN?

    Posted Mar 16, 2023 06:38 AM

    A good start would be this video, which has at 03:07 a diagram of how PVLAN works in CX Switching. What you found in HP documentation may be obsolete as it probably refers to different switch types.

    It's unlikely that your Palo Alto will do L2 switching within the VLAN, nor will it receive the L2 traffic for other devices in the same VLAN. From the diagram in the video:

    • Put devices that only need to communicate to the default gateway in an isolated secondary VLAN.
    • Put devices that need to communicate between each other directly (L2) in the same community secondary VLAN. You can have multiple community VLANs if you need to have different groups of systems that need to communicate between them, to the promiscuous ports (your firewall), but not to any systems in other communities or isolated VLANs.
    • Put your Palo Alto in the primary VLAN (promiscuous).

    Note that this can become very messy and hard to troubleshoot. Another option is to create additional VLANs and let the firewall L3 route between those for more granular control and better visibility/logging.

    Traffic between systems in the same VLAN will not flow over a gateway/router, but directly between the systems. Not fully sure about the statement that you found as it confuses me as well.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
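
The forwarding rules described in the reply above, modeled in Python against the switch configuration from the question. This is an added example, not part of the original thread and not Aruba code; `parse` and `verdict` are hypothetical helper names, the config is reduced to its PVLAN-relevant lines, and a single primary VLAN is assumed.

```python
CONFIG = """\
vlan 10
    private-vlan primary
vlan 11
    private-vlan isolated primary-vlan 10
vlan 12
    private-vlan community primary-vlan 10
vlan 13
    private-vlan community primary-vlan 10
interface 1/1/1-1/1/2
    vlan access 11
    private-vlan port-type secondary
interface 1/1/3-1/1/4
    vlan access 12
    private-vlan port-type secondary
interface 1/1/5-1/1/6
    vlan access 13
    private-vlan port-type secondary
interface 1/1/24
    private-vlan port-type promiscuous
"""  # constructed from the config posted in the question

def parse(config):  # -> ({vlan: pvlan type}, {port: [port-type, access vlan]})
    vlans, ports, vlan, rec = {}, {}, None, None
    for t in filter(None, (line.split() for line in config.splitlines())):
        if t[0] == "interface":  # ports in a range share one record
            first, _, last = t[1].partition("-")
            lo, hi = (int(x.rsplit("/", 1)[1]) for x in (first, last or first))
            rec = [None, None]
            for n in range(lo, hi + 1):
                ports[f"{first.rsplit('/', 1)[0]}/{n}"] = rec
        elif t[0] == "vlan" and len(t) == 2:
            vlan = int(t[1])
        elif t[:2] == ["private-vlan", "port-type"]:
            rec[0] = t[2]
        elif t[0] == "private-vlan":
            vlans[vlan] = t[1]
        elif t[:2] == ["vlan", "access"]:
            rec[1] = int(t[-1])
    return vlans, ports

def verdict(src, dst, vlans, ports):
    """PVLAN forwarding decision between two ports (one primary VLAN assumed)."""
    (s_kind, s_vlan), (d_kind, d_vlan) = ports[src], ports[dst]
    if "promiscuous" in (s_kind, d_kind):
        return "forwarded: promiscuous port involved"
    if s_vlan == d_vlan and vlans[s_vlan] == "community":
        return "switched locally"
    return "dropped at switch"
```

Every pair of secondary ports resolves to either "switched locally" or "dropped at switch", so the firewall on 1/1/24 has nothing to inspect or log for that traffic, which is the trade-off behind the suggestion to use separate routed VLANs instead.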